Cyber Crime’s New Era: Protecting Your Company from the Criminal Exploitation of the Internet John Frazzini Secure Systems Integration Corporation.


Cyber Crime’s New Era: Protecting Your Company from the Criminal Exploitation of the Internet
John Frazzini
Secure Systems Integration Corporation

Agenda
• Overview of the Cyber Threat Landscape
• Geopolitical Threats
  - China & Asia
  - Russia/former Eastern Bloc, Pro-Islamic groups
  - Cyber-terrorism/Pro-Terrorist Groups
• Technical Threats
  - Malicious Code
  - Web Application Security
• Future Threat Trends: Convergence of geopolitical activity, technical threats
• Industry Trends?
• What can you do?

What do you determine to be the most significant cyber threat to your enterprise?
1. Cyber crime
2. Malicious code activity
3. Insiders
4. Support for security initiatives
[Poll results chart for options 1-4; values shown: 30%, 30%, 20%, 20%]

Pro-China Hacking
• China Eagle Union: possibly the largest organized hacker group in the world; branches all over China; hundreds of core members; possibly thousands of supporters
• Most are highly nationalistic, revel in their support of government policies
• Many seeking to do something "great" for China, become part of the elite
• View real or perceived "slights" against China very seriously; Japan and US likely primary targets during key dates (e.g., anniversaries, national holidays, etc.)

Former Soviet Union and E. European Criminal Elements and Hacking
• Hacker culture in former Soviet Union (FSU) very extensive and complex
• Reported large-scale bank frauds in FSU using hackers and corrupt insiders
• Many Russian organized crime groups believed to have "computer departments" with professional hackers
• Stolen credit card hacking ("kreditki") huge in FSU - bazaars for hacker-carders
• Use of fake Internet shops widespread; also spam and pornography geared to lure victims
• Alleged sophisticated hacker attacks against some ATMs in FSU

Russia: “The Stealth Group”
• A hacker “sect” - first of its kind in the world
• Dedicated to authoring destructive viruses; Stealth is a small, tight group; has undergone some internal strife in 2002
• Led by LovinGOD, anarchist, pro-terrorism
• LovinGOD shows strong sympathy for terrorism in general; approved of 9-11
• Could make his services available to al Qaeda
• Requirements for membership - one must be anti-social (no strong ties to family or an employer) and able to write an undetectable Windows virus

Pro-Terrorist Hackers
• Prior to Iraq war, press indicated a “ten-fold increase” in pro-terrorist hacking
• Trend is correct, BUT a misinterpretation of some defacement data (see recent report on Pro-terrorist hacking)
• Pro-terrorist defacements began to rise sharply in October 2002
• Better trend analysis for pro-terrorist defacement attacks is monitoring .il (primarily anti-Israel defacements)

Hacker Culture: Brazil
• Very active hacker population
• Hundreds of .br hacker-related websites
• Many of the most prolific defacers are Brazilian
• Brazil Hackers Sabotage (BHS) has defaced thousands of websites globally.
• BHS is a top-tier defacement group in the world, according to the defacement-tracking Web site Zone-H.

Emerging Technical Threats
Malicious Code
• Slammer was only proof of concept; no payload, but spread globally in 10 minutes.
• Blended Threats: infect multiple platforms in various ways; Warhol worms will spread very quickly.
• Unpatched/unknown Vulnerabilities: usually predate automated attack worms (Code Red, Nimda, etc.)
• Highly targeted services: DNS (BIND), HTTP and HTTPS (Apache, IIS, OpenSSL), SSH, SQL (Slammer)

Emerging Technical Threats, II
Web Application Security
• Generally, the Web application is the easiest way to penetrate the network and gain access.
• Typical point security solutions (firewalls, IDS, etc.) are not effective in detecting/preventing Web application attacks.
• IDS is not well developed for the latest Web application attacks
• SSL does nothing to protect against these attacks
• SQL Injection, Cross-Site Scripting, Poor User Session Management

Emerging Technical Threats, III
• Cross-site Scripting (XSS)
• SQL Injection
• All relatively easy to exploit.
• Can result in an online user’s web application account being hijacked, data being compromised
• Fairly High Profile Press Cases: Hotmail.com, Yahoo.com, Verizon, etc.
• Prevalent disclosure among security mailing lists

“Warhol Worms”
• It is well known that active worms such as Code Red and Nimda have the potential to spread very quickly, on the order of minutes to hours.
• Hyper-virulent active worms, capable of infecting all vulnerable hosts in approximately 15 minutes to an hour.
• “Warhol Worms” use optimized scanning routines, hitlist scanning for initial propagation, and permutation scanning for complete, self-coordinated coverage, and could cause maximum damage before people could respond.
• The potential mayhem is staggering.

What priority does your organization give to security?
1. Very high
2. High
3. Somewhat
4. Not a priority
[Poll results chart for options 1-4; values shown: 30%, 30%, 20%, 20%]

How effective is the response?
• Past: Technological solutions have been provided to this “technical” problem
• Future: People, Process and Technology…
• Key: Effective management of cyber threats and risk

Future Trends, Threats
Last year’s Sobig.f represents a significant shift
• Convergence of malicious code activity in support of mass financial criminal activity – criminal intent
• Future: more sophisticated, organized mass victimization
• Historical focus of hacking activity now transformed
• Sobig.g intent?

Who do you think is responsible for stopping cyber attacks?
1. The government
2. Independent organizations (CERT / Mitre CVE)
3. Security companies
4. You
[Poll results chart for options 1-4; values shown: 30%, 30%, 20%, 20%]

Industry Trends: Two Views
“Self Defending” Networks and Infrastructure
• Cisco’s Acquisition of Okena
• Juniper’s Acquisition of Netscreen
• Microsoft’s Acquisition of anti-virus capability

Industry Trends (continued)
Next Generation Solution Set
• Automated Vulnerability Remediation
• Security & Risk Management Systems
• Event Correlation Capabilities
• Intrusion Prevention Systems (?)

What can you do?
Time is not on your side!
• 6 months – 100 days, on average (one year ago)
• Blaster (RPC Vuln) 2 days probing, 5 days public exploit, 10 days fully functional exploit
• Lion Worm 1/29/01 Zero Day - Bind8 Buffer Overflow
• MS RPC Vuln MS 03-039 6 days exploit/highly functional executable by Trojan author

What can you do?, II
Proactively prepare for attacks
• Identify and understand how future threats will impact your infrastructure and more importantly your type of business. Formulate a plan to mitigate these threats before they attack.
• Formulate a proactive remediation strategy based on risk tolerance.
• Shift from total reliance on technology-based solutions, Defense-in-Depth.

What can you do?, III
• Proactively prepare for attacks
  - Build security into your automated business processes. Focus on business process solutions.
  - Participate in law enforcement/government initiatives.

What is the primary business driver for your organization signing off on security solutions?
1. It’s the “right thing to do”
2. Regulatory compliance
3. Bottom line justification
4. Just takes your word for it
[Poll results chart for options 1-4; values shown: 30%, 30%, 20%, 20%]

Thank you.
Questions, comments?
John Frazzini
CEO
Secure Systems Integration Corporation