IBM Global Services Adaptive Security Planning August 14, 2007 © 2007 IBM Corporation IBM Internet Security Systems Ahead of the threat. Scott Lupfer, CISSP Principal Security Architect 2007 NASACT Conference The Threat of Cyber Crime: Are you ready?

IBM Global Services

Adaptive Security Planning August 14, 2007 © 2007 IBM Corporation

IBM Internet Security Systems Ahead of the threat.™

Scott Lupfer, CISSP

Principal Security Architect

2007 NASACT Conference

The Threat of Cyber Crime: Are you ready?

Would you rather have…?

$1000 1GB USB Travel Drive

How Valuable Is Your Information?

Man pleads guilty to conspiring to commit trade secret theft from Corning, Inc.

–http://www.cybercrime.gov/linPlea.pdf

Former computer contractor pleads guilty to hacking Daimler Chrysler parts distribution wireless network

–http://www.cybercrime.gov/johnsPlea.pdf

Ex-employee of The Coca Cola Company and co-defendant sentenced for stealing trade secrets

–http://www.cybercrime.gov/williamsSent.pdf

Massive Insider Breach at DuPont

–Employee copies files containing $400M worth of trade secrets

–Resigns to go to competitor

Information is Currency

FBI estimates businesses lose $67.2B annually due to computer related crimes

Online sales (B2C) will be USD $329B by 2010*

Identity fraud cost consumers $52.6B in most recent estimate

“Information is itself the target. Information is the world’s new currency.”—Ralph Basham, Director, United States Secret Service

* Forrester Research: US eCommerce 2005 to 2010

Forms and Methods of Cyber Crime

Information for Sale

‘Fund Transfer’ Trojan: $1000-$5000

Credit card number with PIN: $500

Driver’s license or birth certificate: $150

Social Security card: $100

Credit Card #, security code & exp: $7-$25

USA Today: Cybercrime Flourishes in Online Hacker Forums 10/11/2006

http://www.usatoday.com/tech/news/computersecurity/infotheft/2006-10-11-cybercrime-hacker-forums_x.htm

2006 IC3 Annual Report – Online Fraud

Estimated $198M lost in 2006

Nigerian Letter Fraud (419 scam)

–Average of $5100 per incident

The number of complaints was down, but costs were up

Moral? Still money to be made

Data Loss Incidents

Number of Incidents

–327

Number of personal information records lost

–100,453,730

–Recent study found that cost is $182 per record lost

More information

–http://www.privacyrights.org/ar/ChronDataBreaches.htm

TJX Companies

–45.6M credit and debit card numbers

–Fraudulent transactions confirmed

–News coverage is continuing

–Culprit?

Pfizer

–17,000 present and former employees

–Culprit?

Department of Veterans Affairs

–Laptop containing personal information of 26.5M veterans stolen

Data Loss Issues

There is little accountability

Data is not properly classified

Data is not properly controlled and audited

The value of data is not properly understood

How Did This Happen to Me?

What We Know

As technology evolves, so does the complexity of a potential threat

Our online presence is increasing daily

Corporations use technology to meet business needs

Consumers use new technology when:

–It increases convenience

–It is affordable

–It provides entertainment

–They then introduce these technologies in the workplace

Vulnerabilities Exist Due To

Errors in programming

Errors in system configuration

Misuse of technology

Human trust

Human greed

Poor education and policies

Vulnerability Disclosure in 2006

10,000 projected in 2007

14,000 projected in 2008

User Trust and Human Greed

Phishing and Pharming

–“Verify your account information and password”

–“Please visit this website and login to keep your account active”

“Live” Phishing

“Live” Phishing

–Some banks still ask me to repeat my credit card/account number, social security number, and other info

–This must change

How dangerous are “loose lips” to the corporation?

Hackers have immense resources

5-11% of internet connected devices are compromised

–Between 32 million and 71 million worldwide

–Liberal estimates are as many as 150 million

Everything is for sale

–Phishing toolkits

–0-day vulnerabilities

–Personal information

Hundreds of millions are in play

An explosion of innovation in Malicious Code…

Preparing the Attack

Enterprise computers

–Many are infected with bots that bypass traditional defenses

–Variants make the “arms race” hard to keep up with

Home user/Consumer

–Victims are “targets of opportunity”

–Home broadband is largely un/under-secured

–Anyone can be a victim

These “botnets” or compromised systems are then used for the real attack

The Targeted Attack

Goals:

– Discover intellectual property

– Access critical or confidential data

– Cause significant damage or outages

– Control systems

Attackers have the motivation and desire to take time

Need to only find a single hole

Attack critical systems or data

Advantages for Online Attackers

No need to be physically present

Crimes can be committed across geographies and borders

Highly coordinated, high speed attacks

Crimes have historically been largely underreported

Numerous methods can be used for a single crime

How much information can be harvested from a publicly available system?

–Hotel business center

–Cybercafe

Emerging Threats Due to New Business Models

Emerging Threats

Browser based concerns

–Like inviting a thief into your home

Designer malware

–Malicious software for specific purpose

Spearphishing

–Targets members of an organization

Emerging Threats

Virtualization

–Software and hardware are targets

–Rootkits and trojans

–Application and infrastructure attack

VoIP weaknesses and risks

–Eavesdropping on the network, replay calls

–Access voicemail on servers

Mobile security threats

–SMS/MMS

–Bluetooth

–Software vulnerabilities

Bluetooth

John Hering, Flexilis

– BlueSniper Rifle

– Scan and Snarf from 1.08 miles

– 700 vulnerable phones in 90 mins at E3

Bluesnarfing

Bluetracking

Bluebugging

Bluespam / Bluejacking

http://www.npr.org/templates/story/story.php?storyId=4599106

New take on old threats

Data security

–Where is your data stored?

–Are all of those systems properly protected?

–Do you own all of the systems?

•Google <company> confidential

–Client side applications

•Peer to peer file sharing

•Public calendars

•Free mail and office applications

–Portable storage

•USB drives

•iPod (really?)

So What Can Be Done?

What do I protect first?

Understand your digital assets:

–Identify and Prioritize Business Assets

–Map Relevant Risk to Critical Assets

–Plan Protection Steps and Risk Mitigation Requirements

–Use Pertinent Information to Determine Effect or Compliance

Business Risk Management

Classify Data and Assets

Limit access to who NEEDS it

Know WHAT they do with it

Know WHERE they store it

VALUE the data and assets

Apply appropriate protection and education

Don’t Forget The Embedded Systems

SCADA, Critical Infrastructure

Document Management Systems

Vending Machines

Elevators

Healthcare Equipment

Automated Teller Machines

Quick Exercise

Think: “If I control information or a critical system, how powerful do I become?”

Thank You!

Scott Lupfer, CISSP

Principal Security Architect

IBM Internet Security Systems
