CyberCrime 2010
Attack Methodologies and Proactive Defense
by Gary S. Miliefsky, FMDHS, CISSP®
About Me
• Started writing code at 13 (that used to be a big deal - remember when 64k was a lot of memory?)
• Member of ISC2.org and a CISSP®
• Founding Member, US Department of Homeland
Security (DHS)
• On the Advisory Board of MITRE on the CVE
Program (CVE.mitre.org)
• Founding Board Member, National Information
Security Group (NAISG.org)
Agenda
• Crime vs. Cybercrime
• Where are the Cybercrime Magnets?
• Why Nothing with an IP Address Is Secure
• Traditional Countermeasures All Fail!
• A New Paradigm in Proactive Defense
• New Methods to Combat Attackers
• Q&A
Traditional Crime vs. Cybercrime
Cybercrime – Purely “Digital” Paradigm
PrivacyRights.org
• More than 350M Personally Identifiable Information (PII) records for more than 300M citizens in America. How many have been lost, hacked and stolen?
According to PrivacyRights.org, the total number of records containing sensitive personal information involved in security breaches in the U.S. since January 2005: 353,388,460
• Still think you are secure?
• Still believe your anti-virus and firewall can truly secure your network or your personal computer?
What Is Malware?
• Virus
• Trojan
• Worm
• Rootkit
• Botnet
• Zombie
• Keylogger
• Adware
• Spyware
BLENDED THREATS …designed mostly for Cybercrime and Cyberterrorism…
Malware Magnets
• Social Networking Sites
At least ½ of the Top 100 sites, particularly social-networking sites such as Facebook or YouTube, support user-generated content, which is becoming a significant way to disseminate malware and conduct fraud. On Facebook, MySpace and other social-networking sites, there’s an explicit sense of trust.
• On-line Bill Payment Sites
Criminals seized control of the CheckFree Web site and attempted to re-direct users to a Web site hosted in Ukraine that tried to install malware on victims’ computers. CheckFree has more than 24 million customers and controls 70 to 80% of the on-line bill-payment market.
Malware Magnets (Cont.)
• USB-enabled computers
New malware is specifically designed to propagate across USB sticks. For example, the picture frame you just bought at Walmart using a USB connection might have come with zero-day malware from China.
• Telecommuters using laptops and VPN tunnels
Cable networks are loaded with peer attackers. Most likely, a trusted telecommuter is using an insecure, hacked laptop with a key logger, coming “securely” into your network through an encrypted VPN tunnel.
The “Cloud” Is a Cybercrime Magnet
• Cloud computing has shifted the paradigm for risk.
• The Cloud offers low overhead in return for powerful remote business functionality.
• In return, you face the risk of data leakage, Cloud attacks and Cloud infections.
• You won’t know if and when it happens because of the remote aspects and the pervasive nature of the Cloud.
Wireless Networking
• WEP was easy to crack; now WPA is also…
Recently deployed tools such as BackTrack v4.0 allow you to break wireless encryption by attacking the smaller 24-bit session initiation key and then gaining full “trusted” access to a wireless router.
• Wireless Routers Have Critical Flaws (CVEs)
Now you can break into the admin interface of a wireless router by sending malformed packets from your laptop and Pringles can, without worrying about the encryption; see NVD.NIST.GOV and type in “wireless”.
VoIP Communications
• Dozens of voice over IP (VoIP) holes… known as Common Vulnerabilities and Exposures (CVEs)
• Take over the administrative console remotely by exploiting one of many CVEs
• Launch a Man in the Middle attack: Voice over Misconfigured IP Telephony (aka VOMIT) – use a TCP/IP capture (Wireshark/ethertrace):
a) save a “dump” file of network traffic
b) then run the file through this tool and get a .WAV file to play back conversations…
Blackberry? iPhone? iTouch? iPad?
• Do they really belong on the “corporate” network?
• How do you know when they come and go?
• How do you stop them from bringing malware into the network?
• How do you stop them from being used to steal or leak confidential data?
Why Nothing with an IP Address Is Secure
• No device is safe – all IP-based devices are exposed to exploitation:
It is a target
It can be spoofed
It can be infected
It can be remotely controlled
It is probably already infected
Traditional Countermeasures All Fail!
• Anti-virus = One to seven days BEHIND the current malware threat. Usually infected without knowing it.
• Firewall = Easily circumvented or used as part of an exploit because of their exploitable holes (CVEs)
• Intrusion Detection System (IDS) = Detects odd or malicious traffic AFTER the infected system or hacker system has breached the gates.
The Root Cause of Exploitation - CVEs
• Common Vulnerabilities and Exposures (CVEs)
1. Although there might be 9,000,000 signatures in your McAfee or Symantec anti-virus scanner database (and growing exponentially), there are only 36,000 CVEs. If you close just one CVE, for example, you can block more than 90,000 variants of the W32 malware.
2. If you aren’t visiting http://nvd.nist.gov to see what kind of exploitable holes you have in your network, cyber criminals CERTAINLY are…
3. Everything with an IP address has a CVE; you need to figure out which ones are critical holes and how to patch, reconfigure and remove them—i.e. system hardening.
…and MALWARE LOVES TO EXPLOIT THESE HOLES…
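The third point, "figure out which ones are critical holes", is the step most teams skip. As an added example (not code from the presentation or from NVD), the following Python takes a vulnerability feed and an inventory of what actually has an IP address on your network, keeps only the CVEs that touch an inventoried product, and ranks them by CVSS score so the critical holes are patched first. The feed is a constructed sample laid out like the NVD 2.0 JSON API (an assumption about the feed shape); the CVE ids, vendor names and CPE strings are placeholders, not real identifiers.

```python
"""Prioritise CVEs against your own asset inventory (added example).

SAMPLE_FEED is a CONSTRUCTED sample in the shape of the NVD 2.0 JSON API
(an assumption about the layout); CVE ids and CPE names are placeholders.
"""
from typing import Dict, List, Tuple

# Constructed inventory: hostname -> CPE of the product running on it.
INVENTORY: Dict[str, str] = {
    "wifi-router-01": "cpe:2.3:h:examplevendor:wifi_router:1.0:*:*:*:*:*:*:*",
    "pbx-voip-01":    "cpe:2.3:a:examplevendor:voip_pbx:2.4:*:*:*:*:*:*:*",
    "laptop-jsmith":  "cpe:2.3:o:examplevendor:desktop_os:7:*:*:*:*:*:*:*",
}


def _entry(cve_id, score, severity, cpes, summary):
    """Build one constructed feed record in NVD 2.0 shape (score None = unscored)."""
    metrics = {}
    if score is not None:
        metrics["cvssMetricV31"] = [{"cvssData": {"baseScore": score, "baseSeverity": severity}}]
    return {"cve": {
        "id": cve_id,  # placeholder id, not a real CVE
        "descriptions": [{"lang": "en", "value": summary}],
        "metrics": metrics,
        "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": True, "criteria": c} for c in cpes]}]}],
    }}


SAMPLE_FEED = {"vulnerabilities": [
    _entry("CVE-0000-0001", 9.8, "CRITICAL", [INVENTORY["wifi-router-01"]],
           "Admin interface crashes on a malformed packet, allowing remote takeover"),
    _entry("CVE-0000-0002", 5.3, "MEDIUM", [INVENTORY["pbx-voip-01"]],
           "Information disclosure in the VoIP management console"),
    _entry("CVE-0000-0003", 7.5, "HIGH", ["cpe:2.3:a:othervendor:nas:3.0:*:*:*:*:*:*:*"],
           "Product not deployed here; must not appear in the triage list"),
    _entry("CVE-0000-0004", None, None, [INVENTORY["laptop-jsmith"]],
           "Awaiting analysis: no CVSS score published yet"),
]}


def cvss_score(cve: dict) -> Tuple[float, str]:
    """Return (baseScore, severity), preferring v3.1; unscored entries get 0.0/UNSCORED."""
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        for m in cve.get("metrics", {}).get(key, []):
            data = m["cvssData"]
            # v2 records carry baseSeverity beside cvssData rather than inside it
            return float(data["baseScore"]), data.get("baseSeverity", m.get("baseSeverity", "UNKNOWN"))
    return 0.0, "UNSCORED"


def affected_cpes(cve: dict) -> set:
    """Collect every CPE the record marks as vulnerable."""
    out = set()
    for conf in cve.get("configurations", []):
        for node in conf.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if match.get("vulnerable"):
                    out.add(match["criteria"])
    return out


def triage(feed: dict, inventory: Dict[str, str]) -> List[dict]:
    """Keep only CVEs that touch an inventoried CPE, most severe first.

    Matching is exact-string for brevity; real NVD records also carry version
    ranges (versionStartIncluding etc.) that a production tool must honour.
    Unscored CVEs are kept (they are still holes) but sort to the bottom.
    """
    rows = []
    for item in feed["vulnerabilities"]:
        cve = item["cve"]
        hit = affected_cpes(cve)
        hosts = sorted(h for h, cpe in inventory.items() if cpe in hit)
        if not hosts:
            continue
        score, severity = cvss_score(cve)
        rows.append({"id": cve["id"], "score": score, "severity": severity, "hosts": hosts})
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_FEED, INVENTORY):
        print(f'{r["id"]:14} {r["score"]:4} {r["severity"]:9} {", ".join(r["hosts"])}')
```

Pointing the same `triage` at a live NVD download (or any feed you reshape into this layout) gives you the list the presentation asks for: not 9,000,000 signatures, but the handful of CVEs that actually sit on your wireless router, your PBX and your laptops, in the order they should be patched, reconfigured or removed.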
Zero-Day Malware Is Running Rampant
New malware that exists without a known signature is zero-day. Sometimes it takes weeks before major vendors have fully tested samples and written a signature test.
A New Paradigm in Proactive Defense
• Understanding the Four Ds
Detect – awareness of a threat
Deter – preempting exploitation
Defend – fighting in real time
Defeat – winning the battle!
A New Paradigm in Proactive Defense
• Understanding The Risk Formula
R=T+V+A
(R)isk = (T)hreats + (V)ulnerabilities + (A)ssets
Threats = Cybercriminals, malware, malicious insiders
Vulnerabilities = Weaknesses that threats exploit
Assets = People, property, your network, devices, etc.
Proactive Defense = 4Ds x R
• You’ll never be 100% secure but you can dramatically reduce your risk and proactively defend your organization:
4Ds x R = [4Ds x T] + [4Ds x V] + [4Ds x A]
Proactively Containing and Controlling Threats, Vulnerabilities and Assets
Proactive Defense = 4Ds x R
• Threats need to be detected, deterred, defended against and defeated in real time or expect DOWN-TIME.
• Vulnerabilities need to be detected, deterred, defended against and defeated (i.e. removed – system hardening, reconfiguration, patching, etc.) as quickly as possible or expect to be EXPLOITED.
• Assets need to be controlled – which ones gain access to your network/infrastructure and those that are trusted but weak or infected need to be quarantined in real time or expect MALWARE PROPAGATION.
Employee Awareness & Training
Training Sessions
1. Invite employees to a quarterly “lunch and learn” training session.
2. Give them “bite-sized” nuggets of best practice information.
3. Give an award once per year to the best INFOSEC compliant employee who has shown an initiative to be proactive with your security policies.
4. If you can keep them interested, they will take some of the knowledge you are imparting into their daily routines. That's the real goal.
Employee Awareness & Training (Cont.)
Campaigns
1. You should begin a campaign to educate all employees in your organization to join your mission to protect corporate information.
2. Create your own “security broadcast channel” via e-mail or really-simple syndication (RSS) and get the message out to your corporate work force.
3. You can also give them “security smart” tips or alert them to a new phishing scam or that the corporation had to let go of an individual who was attempting to steal corporate information.
4. Keeping the entire team in the loop will help bolster the corporate security posture.
Employee Awareness & Training (Cont.)
Posters and other Awareness Tools
1. See if you can get some INFOSEC awareness posters from one of the security awareness training companies.
2. There are other tools you can use like little postcards with dos and don'ts of best practices for the employees that they can pin up in their offices as reminders.
3. The bottom line: Knowledge is power so start empowering your fellow employees to gain a basic toehold in what they should and shouldn't do. This will help you in your mission of more uptime and fewer compliance headaches.
…which all results in more productivity, more revenues and job security for everyone.
Corporate Security Policies
My favorite security models are:
• The powerful COBIT model at http://www.isaca.org
• The e-tail/retail oriented PCI model from the PCI Security Standards Council at https://www.pcisecuritystandards.org/
• The extremely comprehensive international model called ISO27001/17799 from http://www.iso.org/
Any of these models will be a great starting point.
Cryptomania! Is S0 1mP0rt3nt
1. There’s an old saying “loose lips sink ships.”
2. The best practice is to look at all aspects of electronic communications and data manipulation throughout your enterprise. That should include all instant messaging, file transfer, chat, e-mail, on-line meetings and webinars plus all data creation, change, storage, deletion and retrieval.
3. How are customer records stored? How are electronic versions of other confidential information protected? Backing up the data is not enough.
4. Set up a VPN for external network access. Make sure the systems that access your network through the encrypted tunnel are also not the weakest links in your infrastructure—deploy HIPS on endpoints.
Cryptomania! Is S0 1mP0rt3nt (Cont.)
5. You can encrypt everything from your hard drives to your e-mail sessions to your file transfers.
6. There are numerous free tools out there like http://www.truecrypt.org for hard drives and http://www.openssl.org for Web, e-mail and instant messaging, plus the grand-daddy of free encryption at http://www.openpgp.org (PGP = Pretty Good Privacy).
7. You'll need policies in place for key storage and password access so if ever the keys and passwords are lost by the end-users, you'll have a way back in to decrypt the information, reset the keys or change the passwords.
8. You might find out that some of the servers and services you are running already offer encryption if you simply check the box and turn on this feature.
PAC – Who Has Your Back?
• Piggybacking and tailgating are major physical security risks—hence the need for more intelligent physical access control (PAC), so:
1. Make sure your PAC solution shares data over the network to you and (potentially) to your NAC solution.
2. Make sure your PAC solution uses two-factor authentication.
3. Make sure that if your TCP/IP connections go down, the PAC system still functions mechanically with accessible local logs.
NAC Attack – Watch That MAC!
• Because so many exploits happen behind firewalls, you need to consider deploying Network Access Control (NAC). Simply put, NAC determines who belongs on your network and who does not, so:
1. Make sure your NAC solution doesn’t telegraph to exploiters (i.e. “welcome to NAC portal…please wait, installing XYZ corp trust agent v3.1”)
2. Make sure it has a way to deal with non-Windows® systems (hubs, switches, routers, Blackberrys, iPhones, etc…)—it needs to be holistic.
3. Try to find a non-inline or “out-of-band” appliance solution and avoid costly, hard-to-manage hacked “agents.”
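To make "who belongs on your network and who does not" concrete, here is an added example (not code from the presentation or from any NAC product) of the decision an out-of-band NAC makes when it watches DHCP hand out addresses: every MAC that gets a lease is checked against the asset inventory, known-and-healthy devices are allowed, known devices already flagged as infected are quarantined, unknown devices are denied, and a known MAC that shows up under a different hostname is quarantined because, as the earlier slide says, a device can be spoofed. The log lines are constructed in the style of ISC dhcpd syslog output, and the MAC addresses, hostnames and inventory are placeholders.

```python
"""Out-of-band NAC decision from DHCP lease events (added example).

DHCP_LOG is CONSTRUCTED in the style of ISC dhcpd syslog lines; INVENTORY,
MACs and hostnames are placeholders, not data from the presentation.
"""
import re
from typing import Dict, List, Tuple

# Constructed asset inventory: MAC -> (expected hostname, posture).
# posture "trusted" = known and healthy; "infected" = known but flagged by HIPS/AV.
INVENTORY: Dict[str, Tuple[str, str]] = {
    "00:11:22:33:44:01": ("laptop-jsmith", "trusted"),
    "00:11:22:33:44:02": ("print-floor2", "trusted"),       # non-Windows device, still managed
    "00:11:22:33:44:03": ("laptop-contractor", "infected"),
}

DHCP_LOG = """\
Jan  5 09:01:12 dhcp01 dhcpd: DHCPACK on 10.0.5.21 to 00:11:22:33:44:01 (laptop-jsmith) via eth1
Jan  5 09:02:44 dhcp01 dhcpd: DHCPACK on 10.0.5.22 to 00:11:22:33:44:02 (print-floor2) via eth1
Jan  5 09:03:09 dhcp01 dhcpd: DHCPACK on 10.0.5.23 to 00:11:22:33:44:03 (laptop-contractor) via eth1
Jan  5 09:04:51 dhcp01 dhcpd: DHCPACK on 10.0.5.24 to 00:11:22:33:44:99 (iphone) via eth1
Jan  5 09:05:02 dhcp01 dhcpd: DHCPDISCOVER from 00:11:22:33:44:98 via eth1
Jan  5 09:06:10 dhcp01 dhcpd: DHCPACK on 10.0.5.25 to 00:11:22:33:44:02 (someones-laptop) via eth1
"""

# Only DHCPACK lines mean an address was actually handed out; the hostname is optional.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9A-Fa-f:]{17})(?: \((?P<name>[^)]*)\))?"
)


def nac_decisions(log_text: str, inventory: Dict[str, Tuple[str, str]]) -> List[dict]:
    """Return one allow/quarantine/deny decision per DHCPACK line.

    The decision keys on the inventory posture, never on the hostname alone:
    a hostname is whatever the client chooses to send, so it is informational,
    and a known MAC under an unexpected hostname is treated as a possible spoof.
    """
    decisions = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue  # DISCOVER/OFFER/REQUEST lines carry no assigned address yet
        mac = m.group("mac").lower()  # normalise case before the lookup
        name = m.group("name") or ""
        known = inventory.get(mac)
        if known is None:
            action, reason = "deny", "MAC not in asset inventory"
        elif known[1] == "infected":
            action, reason = "quarantine", "known asset flagged infected"
        elif name and name != known[0]:
            action, reason = "quarantine", f"hostname {name!r} does not match inventory {known[0]!r}"
        else:
            action, reason = "allow", "known, healthy asset"
        decisions.append({"ip": m.group("ip"), "mac": mac, "name": name,
                          "action": action, "reason": reason})
    return decisions


if __name__ == "__main__":
    for d in nac_decisions(DHCP_LOG, INVENTORY):
        print(f'{d["action"]:10} {d["ip"]:12} {d["mac"]} {d["name"] or "-":18} {d["reason"]}')
```

Because the check runs on the DHCP server's log rather than on the endpoint, it covers the printers, phones and routers that can never run a Windows agent, and it announces nothing to the device being evaluated, which is the "don't telegraph to exploiters" point above. What "quarantine" means in practice (a VLAN move, a switch-port ACL, a block on the router) is up to the enforcement side; the decision logic stays the same.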
UBAP – User Behavior Anomaly Prevention
• How do you control the behavior of your users, now that you let them on the network?
• Why shut off access to YouTube, eBay or MySpace when you can manage their bandwidth QoS settings and make it painfully slow for them?
• If you block, they will find workarounds but if you let it work, painfully, they might just get back to work.
• Look for solutions that are INLINE and allow you to granularly dig into and control user application and traffic behavior.
These HIPS Don’t Lie
• Because so many Windows systems are compromised (especially laptops), you need to consider host-based intrusion prevention systems (HIPS). Simply put, HIPS blocks malicious software from functioning:
1. The evolution of anti-virus will always be a newer, faster signature testing engine (even if they try to add HIPS) that’s one step behind the latest malware attack.
2. Look for a purely HIPS solution that blocks Zero-Day malware without signature updates (heuristically).
3. It should help mitigate malware propagation, quarantine malware in real time and not be a CPU or memory hog, making the end-user PC unusable.
Summary
• Crime vs. Cybercrime - same concept, different “vehicle” or medium – physical vs. digital…
• Web sites, e-mails, instant messaging, soft phones, portable devices are all malware magnets!
• If you have an IP address, you are NOT secure.
• Traditional countermeasures all fail!
• Don’t forget the “Four Ds” and the “Risk Formula.”
• Consider new methods to combat attackers.
To win the Cyberwar, you need to reduce risk, PROACTIVELY!
Thoughts for the Day…
• You will never be 100% secure and you can NEVER block or prevent all intrusions, so focus on INTRUSION DEFENSE and RISK MANAGEMENT – i.e. expect it to happen – use the 4Ds and the Risk Formula to contain the damage, if any.
• Document your security activities…be vigilant!
• Be preemptive, be proactive—get one step ahead of the next threat…
QUESTIONS?