5 Cyber Security Challenges for 2013 Tom Cross, Director of Security Research [email protected] (770) 225-6557


DESCRIPTION

With each passing year, the security threats facing computer networks have become more technically sophisticated, better organized and harder to detect. At the same time, the consequences of failing to block these attacks have increased. In addition to the economic consequences of financial fraud, we are seeing real-world attacks that impact the reliability of critical infrastructure and national security. Join Lancope's Director of Security Research to learn about five key challenges that computer security professionals face in 2013, including:

1. State-sponsored espionage and sabotage of computer networks
2. Monster DDoS attacks
3. The loss of visibility and control created by IT consumerization and the cloud
4. The password debacle
5. Insider threats


Page 1: Challenges2013

5 Cyber Security Challenges for 2013

Tom Cross, Director of Security Research
[email protected]
(770) 225-6557

Page 2: Challenges2013

5 Cyber Security Challenges for 2013

• State Sponsored Computer Intrusions
• Monster DDOS Attacks
• Loss of Visibility and Control created by IT Consumerization and the Cloud
• The Password Debacle
• The Insider Threat

Page 3: Challenges2013

© 2012 Lancope, Inc. All rights reserved.

State Sponsored Computer Intrusions

• Sykipot
  – Spread by spear phishing emails with malicious attachments
  – Targets smartcard credentials

• Flame
  – Extremely complicated malware
  – Used a counterfeit digital certificate to impersonate Windows Update
  – Certificate was generated with a previously unknown MD5 collision attack

• Shamoon
  – Targeted the energy sector
  – Destroyed infected systems

• Gauss
  – Related to Stuxnet, Duqu, and Flame

• Council on Foreign Relations Waterhole
  – Targeted victims with specific language settings

• Red October
  – More than 1,000 modules!

Page 4: Challenges2013


0-Day Vulnerabilities

• A Zero Day vulnerability is a security vulnerability that attackers have access to before it is publicly disclosed.
  – Sophisticated attackers often search for previously unknown vulnerabilities
  – Because these vulnerabilities are not publicly disclosed, they cannot be patched, and Intrusion Prevention Systems usually cannot detect attacks that target them.

• Research paper by Symantec Research Labs published in October 2012
  – Retrospective look at a large archive of old binary files from Anti-Virus customers
  – Identified 18 0-Day vulnerabilities that were exploited in the wild
  – 11 were previously not known to have been exploited before public disclosure
  – The vulnerabilities were exploited for up to 30 months before public disclosure
  – On average, the vulnerabilities were exploited for 312 days before public disclosure

Page 5: Challenges2013


Protection Strategies

Attacker profiles, arranged from less to MORE TARGETED:

• Less Sophisticated:
  – Downloads publicly available attack tools
  – Targets known/disclosed vulnerabilities
  – Uses off the shelf malware toolkits

• More Sophisticated:
  – Discovers 0-day vulnerabilities
  – Attacks tested against IDS products
  – Malware tested against A/V products

Protection:

• Audit, Patch, and Protect: Close known vulnerabilities
• Block known attacks; Detect known malware
• Safety in Numbers
• Sophisticated, Targeted Attacks?

Page 6: Challenges2013


Visibility throughout the Kill Chain

• A sophisticated attack on a network involves a series of steps
• Traditional thinking views any system compromise as a successful breach
• Any successful action taken to stop an infection prior to data exfiltration can be considered a win
• This is the Kill Chain concept introduced by Mike Cloppert at Lockheed
• Controls should be put in place at each stage of the chain

Stages of the chain:

Recon -> Exploitation (Social Engineering?) -> Initial Infection -> Command and Control -> Internal Pivot -> Data Preparation & Exfiltration
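"Controls at each stage of the chain" is abstract on the slide; the two late stages, Command and Control and Data Preparation & Exfiltration, are where flow telemetry gives a defender the clearest signal. The script below is an added example written for this edit (not Lancope code, not StealthWatch logic): it runs two detections over a handful of constructed NetFlow-style records, one that flags timer-driven beaconing by the regularity of the gaps between flows, and one that flags a large outbound volume to a single destination. The record layout and thresholds are assumptions chosen for the demo.

```python
"""Two flow-based checks for late kill-chain stages, run over constructed
NetFlow-style records: command-and-control beaconing (regular timer-driven
connections) and bulk data exfiltration (large outbound volume to one host).
Added example, not Lancope code; the records are made up for the demo."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound flow records: (start_seconds, src_ip, dst_ip, dst_port, bytes_out).
# Assumed to be pre-filtered to internal-to-external traffic.
FLOWS = [
    # 10.0.0.5 contacts 203.0.113.9 every ~300 s with a tiny payload: beacon-like
    (0,    "10.0.0.5", "203.0.113.9", 443, 512),
    (301,  "10.0.0.5", "203.0.113.9", 443, 498),
    (599,  "10.0.0.5", "203.0.113.9", 443, 530),
    (902,  "10.0.0.5", "203.0.113.9", 443, 505),
    (1199, "10.0.0.5", "203.0.113.9", 443, 520),
    # 10.0.0.7 browses a site at irregular, human-paced intervals
    (12,   "10.0.0.7", "198.51.100.4", 443, 2048),
    (80,   "10.0.0.7", "198.51.100.4", 443, 15360),
    (95,   "10.0.0.7", "198.51.100.4", 443, 4096),
    (640,  "10.0.0.7", "198.51.100.4", 443, 8192),
    # 10.0.0.9 pushes 400 MB to a single external host over SSH
    (1000, "10.0.0.9", "192.0.2.77", 22, 250_000_000),
    (1300, "10.0.0.9", "192.0.2.77", 22, 150_000_000),
]


def find_beacons(flows, min_flows=4, max_cv=0.1):
    """Return [((src, dst), mean_interval, cv)] for pairs whose inter-flow
    intervals are nearly constant.  cv = stdev / mean of the gaps; a timer
    gives a cv near 0, a person clicking around gives a cv well above 0.1."""
    by_pair = defaultdict(list)
    for start, src, dst, _port, _nbytes in flows:
        by_pair[(src, dst)].append(start)
    beacons = []
    for pair, starts in by_pair.items():
        if len(starts) < min_flows:
            continue  # too few samples to judge regularity
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append((pair, round(avg), round(cv, 3)))
    return beacons


def find_exfil(flows, threshold_bytes=100_000_000):
    """Return [((src, dst), total_bytes)] for pairs whose summed outbound
    volume exceeds the threshold, regardless of how many flows carried it."""
    totals = defaultdict(int)
    for _start, src, dst, _port, nbytes in flows:
        totals[(src, dst)] += nbytes
    return sorted((pair, total) for pair, total in totals.items()
                  if total > threshold_bytes)


if __name__ == "__main__":
    for pair, interval, cv in find_beacons(FLOWS):
        print(f"beacon-like: {pair[0]} -> {pair[1]} every ~{interval}s (cv={cv})")
    for pair, total in find_exfil(FLOWS):
        print(f"bulk transfer: {pair[0]} -> {pair[1]} {total / 1e6:.0f} MB")
```

On the constructed data the beacon check reports only the 10.0.0.5 pair (interval about 300 s), and the volume check reports only 10.0.0.9, whose two flows add up to 400 MB. In a real deployment both thresholds need tuning per network, and the beacon check should be run over a window long enough to collect several samples per pair.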

Page 7: Challenges2013


Monster DDOS Attacks

• IBM X-Force: 300% increase in DDOS backscatter from '08 to '11

• Prolexic (Q3 2011 to Q3 2012):
  – 88% increase in total attacks
  – 230% increase in average attack bandwidth

• DDoS Attacks against US Banks
  – 60 Gbps
  – itsoknoproblembro
  – Launched from servers
  – Claimed by Izz ad-Din al-Qassam Cyber Fighters
  – Attacker? Financial Criminals? Protest Rally? Statecraft?

Page 8: Challenges2013


Addressing Monster DDOS Attacks

• Have a plan in place before the day that attacks begin!
  – Plan should cover different classes of DDoS attacks
  – Quick reactions require visibility and process
  – Test human processes and not just technology

• Large DDoS Attacks must be cleaned in the network and not at the customer premises

• Application Layer DDoS Attacks can be difficult to mitigate with network based services
  – Lack of application awareness
  – Traffic evades scrubber's heuristics

Page 9: Challenges2013


IT Consumerization and the Cloud

• We used to have a three tiered strategy:
  – Establish and protect the perimeter (Firewalls, IPS, etc): inbound attacks from the Internet, drive-by downloads
  – Focus on hardening servers with critical data
  – Protect the endpoint (HIDS/AV): mobile laptops, USB keys

• Employee owned devices can't be protected with endpoint agents

• Applications with critical data are moving outside the perimeter
  – Loss of visibility into who accessed what, when and how

Page 10: Challenges2013


2013 is the year to demand our visibility back!

• Cloud Services can provide authentication logs and NetFlow
  – They may not have architected their services this way, but it is technically feasible

• NetFlow can provide visibility into private clouds

• Identity aware NetFlow provides a way to monitor mobile devices:

  User Name   MAC Address                                      Device Type
  Bob.Smith   8c:77:12:a5:64:05 (Samsung Electronics Co.,Ltd)  Android
  John.Doe    10:9a:dd:27:cb:70 (Apple Inc)                    Apple-iPhone

When a mobile device is acting up it is critical to be able to connect network transactions with the person who has the physical device.
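The table above is the output of an identity join: a flow only carries a source IP, so the user, vendor and device columns have to come from other sources. The script below is an added example (not StealthWatch's implementation) showing one way to build that join: the source IP is matched to a DHCP lease to get the MAC and DHCP vendor class, the MAC's first three octets are matched against the IEEE OUI registry to get the vendor, and the MAC is matched to an 802.1X/NAC session to get the user. The OUI subset, lease table, session table, flows and the device-type heuristic are all constructed for the demo; the two MAC/vendor pairs are the ones shown on the slide.

```python
"""Identity-aware enrichment of flow records: join a flow's source IP to the
DHCP lease (IP -> MAC), the 802.1X/NAC session (MAC -> user) and the IEEE
OUI registry (MAC prefix -> vendor) so every transaction carries a person
and a device.  Added example, not Lancope's StealthWatch code; all tables
below are constructed stand-ins for those data sources."""
from dataclasses import dataclass
from typing import Optional

# Constructed OUI subset (first three octets -> vendor); a real deployment
# loads the full IEEE registry.
OUI = {
    "8c:77:12": "Samsung Electronics Co.,Ltd",
    "10:9a:dd": "Apple Inc",
}
# Constructed NAC/802.1X session table: MAC -> authenticated user.
AUTH_SESSIONS = {
    "8c:77:12:a5:64:05": "Bob.Smith",
    "10:9a:dd:27:cb:70": "John.Doe",
}
# Constructed DHCP leases: IP -> (MAC, DHCP vendor class identifier).
LEASES = {
    "10.1.2.30": ("8c:77:12:a5:64:05", "android-dhcp-4.1"),
    "10.1.2.31": ("10:9a:dd:27:cb:70", "iPhone"),
}
# Constructed flows: (src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    ("10.1.2.30", "203.0.113.50", 443, 120_000),
    ("10.1.2.31", "198.51.100.8", 5228, 3_000),
    ("10.1.2.99", "192.0.2.10", 80, 900),   # no lease on record: stays unattributed
]


@dataclass
class EnrichedFlow:
    src_ip: str
    dst_ip: str
    dst_port: int
    nbytes: int
    mac: Optional[str]
    vendor: Optional[str]
    device_type: str
    user: Optional[str]


def oui_vendor(mac):
    """Vendor for a MAC's first three octets, or None if unknown."""
    return OUI.get(mac[:8].lower()) if mac else None


def device_type(vendor, vendor_class):
    """Coarse device label from the OUI vendor and the DHCP vendor class.
    These rules are a constructed heuristic, not a fingerprint database."""
    vc = (vendor_class or "").lower()
    if "android" in vc:
        return "Android"
    if vendor == "Apple Inc" and vendor_class:
        return f"Apple-{vendor_class}"
    return "unknown"


def enrich(flow):
    """Attach MAC, vendor, device type and user to one raw flow."""
    src, dst, port, nbytes = flow
    mac, vendor_class = LEASES.get(src, (None, None))
    vendor = oui_vendor(mac)
    return EnrichedFlow(
        src_ip=src, dst_ip=dst, dst_port=port, nbytes=nbytes,
        mac=mac, vendor=vendor,
        device_type=device_type(vendor, vendor_class),
        user=AUTH_SESSIONS.get(mac) if mac else None,
    )


def flows_for_user(user, flows=FLOWS):
    """Every transaction attributable to one person, whichever device made it."""
    return [e for e in map(enrich, flows) if e.user == user]


if __name__ == "__main__":
    for e in map(enrich, FLOWS):
        print(f"{e.user or '?':10} {e.mac or '?':18} ({e.vendor or '?'})  {e.device_type:12} "
              f"-> {e.dst_ip}:{e.dst_port} {e.nbytes} B")
```

The third flow illustrates the failure mode worth planning for: an address with no lease and no session stays unattributed, and a device that never authenticates to the NAC (a guest network, a static IP) will look like that permanently. Lease and session tables also change over time, so a production join has to match on the lease that was active at the flow's timestamp, not the current one.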

Page 11: Challenges2013


The Password Debacle

• 2012 was a banner year for breaches that disclosed large numbers of usernames and passwords or password hashes
  – LinkedIn, eHarmony, Formspring, Adobe, Yahoo, Nvidia, Gamigo, etc.
  – Millions of passwords had to be reset

• Cloud services make it easy to spin up large brute force password cracking efforts
  – www.cloudcracker.com

• Passwords are too short!
  – Minimum secure password length in 2010 = 12 characters (GTRI)

• Passwords are not going anywhere soon.
  – Multifactor auth isn't foolproof either!

Page 12: Challenges2013


Living with Passwords

• Our policies are killing us!
  – Password policies can be complied with in meaningless ways
  – Passphrases are easier to remember if they don't need special characters
  – Some systems have maximum password lengths!
  – The way to find weak passwords is to actually crack your hashes
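The four bullets above can be shown in a few lines of code. The script below is an added example, not part of the deck: a typical complexity rule accepts a password that appears on every breach list while rejecting a long passphrase; a length-plus-blocklist rule does the opposite; a store with a silent maximum length makes two different passphrases hash identically; and a self-audit of an unsalted hash store finds the weak accounts by recomputing a short known-weak list. The accounts, the hash store and the wordlist are constructed, and unsalted SHA-1 is used as the legacy store format.

```python
"""Checks that illustrate why complexity rules alone mislead: a classic
complexity policy, a length-plus-blocklist policy, a store with a silent
maximum length, and a self-audit of stored hashes against a small list of
known-weak passwords.  Added example, not from the deck; the accounts,
hashes and wordlist are constructed."""
import hashlib
import re

# Constructed stand-in for the multi-million-entry lists built from public dumps.
KNOWN_WEAK = {"password", "password1", "password1!", "123456", "letmein", "qwerty"}


def complexity_policy(pw):
    """The common '8+ chars, upper, lower, digit, symbol' rule."""
    checks = [
        len(pw) >= 8,
        bool(re.search(r"[A-Z]", pw)),
        bool(re.search(r"[a-z]", pw)),
        bool(re.search(r"\d", pw)),
        bool(re.search(r"[^A-Za-z0-9]", pw)),
    ]
    return all(checks)


def length_policy(pw, min_len=12, weak=KNOWN_WEAK):
    """Length first (12 characters, the 2010 GTRI figure on the previous slide),
    plus rejection of anything on the known-weak list, case-insensitively."""
    return len(pw) >= min_len and pw.lower() not in weak


def truncating_store(pw, max_len=16):
    """Models a system with a silent maximum password length: characters past
    max_len never reach the hash, so two different passphrases collide."""
    return hashlib.sha256(pw[:max_len].encode()).hexdigest()


def legacy_hash(pw):
    """Unsalted SHA-1.  Unsalted means one guess computation can be compared
    against every account in the store at once."""
    return hashlib.sha1(pw.encode()).hexdigest()


# Constructed account store: user -> unsalted SHA-1 of the password.
STORED = {
    "alice": legacy_hash("Password1!"),
    "bob": legacy_hash("correct horse battery staple"),
    "carol": legacy_hash("letmein"),
}


def audit_hashes(store, wordlist=KNOWN_WEAK):
    """Self-audit: hash each weak candidate (and a capitalised variant) once
    and report every account whose stored hash matches."""
    lookup = {}
    for w in wordlist:
        for variant in (w, w.capitalize()):
            lookup[legacy_hash(variant)] = variant
    return sorted(user for user, h in store.items() if h in lookup)


if __name__ == "__main__":
    for pw in ("Password1!", "correct horse battery staple"):
        print(f"{pw!r}: complexity={complexity_policy(pw)} length={length_policy(pw)}")
    same = truncating_store("correct horse battery staple") == truncating_store("correct horse battery stapler")
    print("truncating store collides:", same)
    print("accounts with known-weak passwords:", audit_hashes(STORED))
```

On the constructed store the audit reports alice and carol; bob's passphrase is not on the list and is not found. The same audit against a salted, slow hash (bcrypt, scrypt, PBKDF2) would have to repeat the work per account, which is the property that makes the cloud-cracking economics on the previous slide so much worse for unsalted stores.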

• Personal Solutions
  – Password Vaults (eggs in one basket)
  – Different passwords for different classes of services (Work, Sensitive, Fun)
  – A physical notebook?

• Be prepared for attackers to enter the network with valid credentials
  – Mandiant M-Trends Report: 100% of attackers used valid credentials
  – Are you monitoring the behavior of legitimate users?

Page 13: Challenges2013

The Insider Threat

• Internal Threats were ranked the #1 security concern, closely followed by APT
  o Respondents who ranked Insider Threats as their #1 security concern also had the highest increase in network traffic due to additional mobile devices.

  Security Concern                              Ranking
  Insider Threats                               1
  APTs (Directed Attacks)                       2
  IT Consumerization / User Mobility / BYOD     3
  Virtualization / Cloud Computing              4
  Compliance                                    5

Page 14: Challenges2013


CERT Research on Insider Threat

• CERT Insider Threat Research: 12 years of history, over 700 insider threat cases

• IT Sabotage
  – Average: $1.7 million
  – Median: $50,000

• IP Theft
  – Average: $13.5 million
  – Median: $337,000

Page 15: Challenges2013


Combating Insider Threat is a multidisciplinary challenge

IT / HR / Legal

• IT cannot address insider threat by itself
  – People have a tendency to think that IT is solely responsible for all computer security issues.

• Legal: Are policies in place? Are they realistic? Does legal support IT practices?
• HR: Who is coming and going? Who has workplace issues? Are there soft solutions?
• IT: Is the privacy of end users adequately protected? What impact on workplace harmony are policies, monitoring, and enforcement having? Are you applying policies consistently?

Page 16: Challenges2013


5 Recommendations for Managing Insider Threats

1. IT cannot resolve insider threat problems alone.

2. Create checks and balances for system and network administrators.

3. Work with management to identify disgruntled employees.

4. Have a comprehensive process for terminating employee access to the network.

5. Pay attention to audit trails of system accesses and network activity around employment termination.
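Recommendations 4 and 5 above, and the "are you monitoring the behavior of legitimate users?" question on the Living with Passwords slide, both come down to reading the authentication audit trail with the right questions. The script below is an added example, not from the deck: it parses a constructed login log (the line format is invented for the demo, not any product's real output) and runs two checks, one for logins by accounts whose owner has a termination time in a constructed HR feed, and one for successful logins from a user/host pair never seen during a baseline window, which is what a valid credential in the wrong hands tends to look like.

```python
"""Checks on an authentication audit trail: logins by accounts whose owner
has been terminated, and successful logins from a host the user had never
used before.  Added example, not from the deck; the log format and records
are constructed, not any product's real output."""
import re
from datetime import datetime

# Constructed audit log, one login event per line.
AUTH_LOG = """\
2013-01-07T09:01:00 login user=asmith src=10.2.0.21 result=success
2013-01-07T09:05:00 login user=jdoe src=10.2.0.14 result=success
2013-01-08T17:40:00 login user=jdoe src=10.2.0.14 result=success
2013-01-09T22:15:00 login user=jdoe src=10.2.0.14 result=success
2013-01-12T03:20:00 login user=jdoe src=10.2.0.14 result=success
2013-01-12T03:22:00 login user=asmith src=172.16.5.9 result=success
2013-01-12T03:30:00 login user=asmith src=10.2.0.21 result=failure
"""

# Constructed HR feed: user -> moment their access should have ended.
TERMINATED = {"jdoe": datetime(2013, 1, 10, 17, 0, 0)}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def _as_dt(value):
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def parse_log(text):
    """Turn the log into dicts with a datetime; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def post_termination_logins(events, terminated=TERMINATED):
    """Any login attempt (success or failure) by an account after its owner's
    termination time: the credential was not revoked, or is being reused."""
    return [ev for ev in events
            if ev["user"] in terminated and ev["ts"] > terminated[ev["user"]]]


def new_host_logins(events, baseline_until):
    """Successful logins after the baseline window from a (user, src) pair
    that never appeared in it.  A valid credential used from an unfamiliar
    host is the behaviour the valid-credentials slide asks us to watch for."""
    cutoff = _as_dt(baseline_until)
    seen = {(ev["user"], ev["src"]) for ev in events
            if ev["ts"] <= cutoff and ev["result"] == "success"}
    return [ev for ev in events
            if ev["ts"] > cutoff and ev["result"] == "success"
            and (ev["user"], ev["src"]) not in seen]


if __name__ == "__main__":
    events = parse_log(AUTH_LOG)
    for ev in post_termination_logins(events):
        print(f"post-termination login: {ev['user']} from {ev['src']} at {ev['ts']}")
    for ev in new_host_logins(events, "2013-01-10"):
        print(f"new host for {ev['user']}: {ev['src']} at {ev['ts']}")
```

On the constructed data the first check catches jdoe's login two days after termination (from the usual workstation, so the second check stays silent on it), and the second check catches asmith's successful login from 172.16.5.9, a host that user never touched during the baseline. The termination check is only as good as the HR feed that drives it, which is why recommendation 4 puts the process before the tooling.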

Page 17: Challenges2013

Thank You

Tom Cross
Director of Security Research
[email protected]
(770) 225-6557

Page 18: Challenges2013


StealthWatch Labs Intelligence Center

http://lancope.com/SLIC @stealth_labs

Page 19: Challenges2013

Get Engaged with Lancope

• Follow us at @Lancope and @NetFlowNinjas
• Subscribe to Lancope updates at http://feeds.feedburner.com/NetflowNinjas
• Attend complimentary Seminars: http://www.lancope.com/news-events/university-of-netflow/
• Join NetFlow Ninjas: http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about
• Access StealthLabs Intelligence Center (SLIC) Reports: http://lancope.com/SLIC
• Download "NetFlow Security Monitoring for Dummies": http://www.lancope.com/netflow-for-dummies/


Please email [email protected] or