IT Security and Cybercrime - How theory transforms into best practice?
Arthur Keleti
KFKI Rendszerintegrációs Zrt., 2009, Keleti Arthur 2
Agenda
• Threats (Cybercrime)
  • What is cybercrime from the practical point of view?
  • What are the main risk factors, threats?
  • Trends and problems in the EU
• Solutions (IT Security)
  • How regulation materializes in the real world?
  • Size, role, place of the IT Security organization locally
  • Who are the role players of IT Security and where are the frontlines?
  • What is the classic security procedure?
  • Minimizing or eliminating risk in real life? IT Security solutions
  • IT Security spending
  • Future trends
THREATS AND CYBERCRIME
What could that be?
Land object
Width: ~6 m
Height: ~7 m
Age: 2000 years
Length: 6,400 km
The Great Wall of China
Many changes and developments on the wall:
• A thousand years of building
• Watchtowers at 400 m distance
• 14 gates
• Continuous guard shifts along the full length
The 1st gate: Shanhaiguan Gateway
Weak point: the human
Wu Sangui, general: the most trusted, most faithful strategist guarded the 1st gate.
There was a rebel among the inhabitants. Wu's "service" maid was kidnapped.
Wu, thinking he would get his lady back, willingly opened the gate for two thousand hundred Manchurian horsemen.
That put an end to the rule of the Ming dynasty.
What is cybercrime from the practical point of view?
• It is "complicated": put simply, 'crime' with some sort of 'computer' or 'cyber' aspect
• The Council of Europe's Cybercrime Treaty uses the term 'cybercrime' to refer to offenses ranging from criminal activity against data to content and copyright infringement [Krone, 2005]
• [Zeviar-Geese, 1997-98] suggests that the definition includes activities such as fraud, unauthorized access, child pornography, and cyberstalking
• The United Nations Manual on the Prevention and Control of Computer Related Crime includes fraud, forgery, and unauthorized access [United Nations, 1995] in its cybercrime definition
• Symantec says: any crime that is committed using a computer or network, or hardware device
Source: Symantec
What is cybercrime from the practical point of view?
Type I cybercrime has the following characteristics:
• It is generally a single event from the perspective of the victim. For example, the victim unknowingly downloads a Trojan horse which installs a keystroke logger on his or her machine.
• It is often facilitated by crimeware programs such as keystroke loggers, viruses, rootkits or Trojan horses.
• Software flaws or vulnerabilities often provide the foothold for the attacker.
• Examples of this type of cybercrime include but are not limited to phishing, theft or manipulation of data or services via hacking or viruses, identity theft, and bank or e-commerce fraud.
Source: Symantec
What is cybercrime from the practical point of view?
Type II cybercrime has the following characteristics:
• At the other end of the spectrum, it includes, but is not limited to, activities such as cyberstalking and harassment, child predation, extortion, blackmail, stock market manipulation, complex corporate espionage, and planning or carrying out terrorist activities
• It is generally an on-going series of events, involving repeated interactions with the target. For example, the target is contacted in a chat room by someone who, over time, attempts to establish a relationship. Eventually, the criminal exploits the relationship.
• It is generally facilitated by programs that do not fit under the classification of crimeware. For example, conversations may take place using IM (instant messaging) clients.
Source: Symantec
Barclays chairman’s identity stolen
Marcus Agius, chairman of the board at Barclays Bank, was the victim of identity theft and fraud of 10,000 GBP. The amount was withdrawn from his account using a credit card trick.
The thief collected personal data on Agius and used it to deceive a help desk operator into sending him a new credit card as if he were Mr Agius himself. The card was sent to him. The thief took the card to a high street branch of Barclays and withdrew the amount.
"It was down to human error. Procedures were not followed fully and we have learned from it," Barclaycard told the BBC.
…Experts have already warned that 2008 will be a bumper year for identity fraudsters.
Source: http://www.pcw.co.uk/vnunet/news/2207085/barclays-chairman-identity, by Iain Thomson, vnunet.com, 11 Jan 2008
How do hackers work? A real-life example of hacking into the FBI's National Crime Information Center in 6 hours, by Chris Goggans, pen tester. Source: http://www.infosecnews.org/hypermail/0805/14877.html, May 27, 2008
1. During a routine network scan, Goggans (PatchAdvisor Inc.) discovered a series of unpatched vulnerabilities in the civilian government agency's Web server.
2. He used a hole in the Web server to pull down usernames and passwords that were reused on a host of enterprise systems.
3. In those systems, he found further account details that allowed him to get Windows domain administrator privileges -- a classic escalation-of-privileges attack.
4. Using this privileged access, he was able to gain full control of almost all Windows-based systems in the enterprise, including workstations used by the on-site police force.
5. He noticed that several police workstations had a second networking card installed that used the SNA protocol to directly talk to an IBM mainframe.
6. By covertly installing remote control software on those workstations, he found programs on their desktops that automatically connected the workstations to the FBI's NCIC database.
7. "That software, coupled with a keystroke capture program, would allow an attacker to grab the credentials needed to log into the FBI's National Crime Information Center database," Goggans says.
Cybercrime – two things to know, No. 1: hackers, agencies
• Don't care about regulations
• Don't know borders or continents
• Are awake when we are asleep
• Know a lot more about IT than a regular IT employee
• Tend to erase their tracks
• Target more and more precisely
• Capable of unleashing attack/intelligence powers that could be beyond our resource capacity to block
Cybercrime – two things to know, No. 2: employees
• Know more about our organization than anybody else
• Are part of critical business procedures
• Are difficult to manage 100% properly from the HR point of view
• Differ widely in IT knowledge and in level of education
• Tend to be negligent towards regulations and controls affecting their freedom
• Are more naive than suspicious
Summary Threat Timeline 2008
Current Threats 2008
Trends and threats in the EU
• Data theft represents the primary information security threat – more significant than either viruses or hacker infiltration
• Of all possible results of compromised information security, the threat of leakage of confidential information is keeping more members of the IT department (93%) awake at night than any other
• Europe’s primary data leakage channels are identified as portable storage devices, e-mail, and Internet-based channels such as web-mail and forums
• Only 11% of those surveyed were confident their company’s information security had not been breached over the last year
• The lack of industry standards is highlighted as the primary obstacle (42%) to wider implementation of anti-leakage technologies
Source: InfoWatch Internal IT Threats in Europe 2006
Trends and threats in the EU (top threats)
Source: InfoWatch Internal IT Threats in Europe 2006
Trends and threats in the EU (internal vs. external)
Source: InfoWatch Internal IT Threats in Europe 2006
Trends and threats in the EU (internal threats)
Source: InfoWatch Internal IT Threats in Europe 2006
Trends and threats in the EU (primary information leakage concerns)
Source: InfoWatch Internal IT Threats in Europe 2006
SOLUTIONS (IT SECURITY)
How does regulation materialize in the real world?
Organizational chart (reconstructed from its labels): Management (CEO) at the top, and five alternative positions for the IT Security function, each with its own report and budget line:
• Security I. – under IT
• Security II. – under Financial
• Security III. – under Risk Assessment
• Security IV. – under Physical security
• Security V. – under Global IT Security
Size, role, place of the IT Security organization locally
Changing of roles (diagram reconstructed from its labels)
Size (headcount): 0.5 – 1 – 1-2 – 2 – 2-3 – 4 – 5-7 – 8-9
Position: Lone ranger – Part of operation – Separate division – Separate division / shared budget
Other axes: cost, outsourcing possibilities
Responsibility:
• Outer, seasonal control
• Development and control of the criteria system
• Making of internal documentation
• Ongoing control of operation
• Regular check of system logs
• Operation of certain systems related to IT Security, i.e. IDAM
• Operation of certain IT Security systems, i.e. firewalls
• Handling of incidents, prevention, development
• Full IT Security system operation
Size, role, place of the IT Security organization locally
Who are the role players of IT Security and where are the frontlines?
Role player (duty and motivation) | the system… | the function… | procedures… | users…
IT operation, i.e. CIO | is working well, is efficient | is available, could be used | in operation, are fast, are reported | are kings
Developer, i.e. CDO | must change, improves | to be made, is comfortable | are part of the application | to be happy, limits reached
IT Security, i.e. CSO | is secure, will NOT change | is controlled, is monitored | is controlled, is monitored | faults blocked, are restrained
Company and organizational motifs, its will and strategy
What is the classic security procedure? Where are the possibilities of outsourcing?
(cycle diagram, reconstructed from its labels; "potential of outsource" is marked on several stages)
Inputs: regulations i.e. PSZÁF, laws, company policies; risk assessment
1. Assessment – methods i.e. CobIT; tools i.e. Carisma
2. Actions
   • Docs: policies, BCP, DRP, operation documentation…
   • Technology: firewall, IPS, PKI, antivirus, log analysis…
   • Procedures
3. Monitoring
4. Control
5. Report
6. Feedback
Potential of outsource / Outsource
What are the typical IT Security technology areas? IT Security solutions
IT Security solution | What are they good for?
Risk assessment and vulnerability management | To know where the problems are
Ethical hacking and social engineering | To find problems from outside
Audit of security configuration on servers and clients | To know if they are secure
Antivirus (client, server, gateway, content filter) – appliance and software solutions | To shield against viruses and other malware
Firewall systems (two defense lines, different technology) | To block attacks
Intrusion Prevention System (IPS) – host and gateway side | To detect exploit attempts
End-point security solutions | To prevent theft of data
Digital signature and PKI (Public Key Infrastructure) | To provide non-repudiation
Policy enforcement | To keep those rules on track
Data Leak Protection solution (i.e. hard drive encryption or USB port protection) | To protect data in motion, at rest, in use
Log analyzing and incident handling (SIEM) solution | To find out what's happening
Identity and Access, Rights management solutions (IDAM) | To regulate access, rights
Gartner says: Markets Converging: Endpoint Security, IAM and SWG
• Endpoint Security converges into the Endpoint Protection Platform: antivirus, personal firewalls, host intrusion prevention, data loss prevention, disk and data encryption, NAC
• Identity Access Management converges into IAM Suites: directory, user provisioning, workflow, identity auditing/reporting, web access management
• Internet Gateway Security converges into the Secure Web Gateway Suite: URL filtering, malicious code filtering, web application-level control
Outer, frame-layer
• Laws
• Standards
• Audits
• Internal regulations
• Financial possibilities
The most important:
• 1992. LXIII. act on protecting personal data and publicly available information, simply speaking the DATA PROTECTION act, and its extension
• 2003. XLVIII. act as a modification of the 1992. LXIII. act
• ISO/IEC 17799:2000, BS 7799-1:1999 and BS 7799-2:1999, MSZ ISO/IEC 17799:2006, MSZE 17799-2:2004, Cobit
Data Leakage Problem
Abstraction layer
• Data routes
• Processes
• Users, people
• Roles, duties
• Administrators
Data…
• how much value do they represent for the company? Is their protection efficient?
• who would get access to them and what could be done with them?
• are there properly developed rules and processes to handle them?
• classification? Where do they materialize, where and for how long do we store them?
• access? Information should be available to those who need it for completing their tasks.
• Do not store them unnecessarily, but have them promptly available when needed.
Data Leakage Problem
Technology layer
Data Leakage Problem
Data Leakage Problem: the three layers together (diagram reconstructed from its labels)
• Outer, frame-layer: laws, standards, audits, internal regulations, financial possibilities
• Abstraction layer: data routes, processes, users, people, roles, duties, administrators
• Technology layer: servers, laptops, mobile equipment, configuration, application, databases
Outer, frame-layer and abstraction layer
Developing a control environment for handling of data:
• Preparation of data mapping, i.e. data – data owner, financial factors of risks, i.e. frequency of access, required availability
• IT Security classification of data
• Developing a policy environment, i.e. roles, duties, responsibilities
• Regulation of data classification procedures, i.e. handling of classified data: creation, handling, access, deletion, modification, archiving
Benefits and results
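As an added illustration, not part of the original presentation, the data-mapping and classification steps above (and the abstraction-layer questions about value, access, classification and retention) expressed as a small Python data register: need-to-know access checks against the owner's role list, a retention review, and a check for classified data that materializes on laptops or mobile media. The classification levels, roles, assets and review date are assumed and constructed.

```python
from dataclasses import dataclass, field
from datetime import date

# Classification scale, lowest to highest. The slides require that data be
# classified but do not name the levels; these four are assumed.
LEVELS = ["public", "internal", "confidential", "secret"]
REVIEW_DATE = date(2009, 6, 1)   # constructed date of the data-handling review


@dataclass
class DataAsset:
    name: str
    owner: str                  # data owner, who decides who needs access
    level: str                  # IT Security classification
    allowed_roles: set          # roles with a need-to-know for this data
    created: date
    retention_days: int         # how long the data may be stored
    locations: list = field(default_factory=list)  # where the data materializes

    def rank(self) -> int:
        return LEVELS.index(self.level)


def can_access(asset: DataAsset, role: str, cleared_level: str) -> bool:
    """Need-to-know AND clearance: the role must be on the owner's list and the
    person's clearance must be at least the asset's classification."""
    return role in asset.allowed_roles and LEVELS.index(cleared_level) >= asset.rank()


def retention_violations(assets, today: date):
    """Names of assets kept beyond their retention period ('do not store them
    unnecessarily'); candidates for deletion or archiving."""
    return [a.name for a in assets if (today - a.created).days > a.retention_days]


def exposed_locations(assets, min_level: str = "confidential"):
    """(asset, location) pairs where classified data sits on laptops, USB sticks
    or mobile equipment, i.e. where the slides call for encryption."""
    mobile = {"laptop", "usb", "mobile"}
    floor = LEVELS.index(min_level)
    return [(a.name, loc) for a in assets if a.rank() >= floor
            for loc in a.locations if loc in mobile]


# Constructed data map (not a real organization's inventory)
DATA_MAP = [
    DataAsset("customer cards", "head of retail", "secret", {"card-ops"},
              date(2006, 1, 1), 3 * 365, ["database", "laptop"]),
    DataAsset("hr records", "head of HR", "confidential", {"hr", "payroll"},
              date(2008, 6, 1), 10 * 365, ["database"]),
    DataAsset("price list", "sales director", "public", {"sales", "helpdesk"},
              date(2009, 1, 1), 365, ["web", "usb"]),
]

if __name__ == "__main__":
    print("helpdesk may read customer cards:", can_access(DATA_MAP[0], "helpdesk", "secret"))
    print("retention violations:", retention_violations(DATA_MAP, REVIEW_DATE))
    print("classified data on mobile media:", exposed_locations(DATA_MAP))
```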
Technology layer
1. Encryption of mobile equipment and personal computers. For protecting certain areas: the well known PGP, Utimaco; or full disk encryption: Pointsec (Checkpoint), McAfee, Utimaco etc.
2. It is important to follow the data in motion in order to block data leakage. Mobile tools (i.e. USB): Pointsec (Checkpoint), McAfee, Utimaco, Microsoft etc. Complex national developments: e.g. EagleEyeOS, ISeeSec for Hungary
3. Content Monitoring and Filtering: Websense and Surfcontrol. Data Loss Prevention solutions: McAfee Data Loss Prevention
4. Continuously monitoring the logs of applications. SIEM category: Symantec, Attachmate (NetIQ), EMC (RSA enVision), Cisco (Mars)
Benefits and results
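Item 4 above (continuous log monitoring, SIEM) and steps 2-4 of the Goggans case earlier on this page (reused credentials, then domain-wide access) meet in one detection: an account that succeeds on many different systems within minutes. As an added example, not part of the original slides, here is a minimal sliding-window correlation a log analyst could run over authentication records; the log format, host names and account names are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example):
#   2008-05-20 09:02:11 db01 auth: user=svc-web result=success
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) auth: "
    r"user=(?P<user>\S+) result=(?P<result>\w+)$")


def parse(line: str):
    """Return a dict for a well-formed line, None for anything else (an
    unparseable line is skipped, never silently counted as a logon)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def fan_out_alerts(lines, window=timedelta(minutes=10), max_hosts=3):
    """Sliding-window correlation: for each user, count distinct hosts with a
    successful logon inside `window`. Returns {user: peak distinct hosts} for
    users exceeding max_hosts. Lines are assumed to be in time order."""
    recent = defaultdict(deque)   # user -> (ts, host) events inside the window
    alerts = {}
    for ev in filter(None, map(parse, lines)):
        if ev["result"] != "success":
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["host"]))
        while ev["ts"] - q[0][0] > window:   # expire events older than the window
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) > max_hosts:
            alerts[ev["user"]] = max(alerts.get(ev["user"], 0), len(hosts))
    return alerts


# Constructed sample: an ordinary user, and a service account whose reused
# password is suddenly accepted by five different systems within ten minutes.
SAMPLE_LOG = [
    "2008-05-20 08:00:05 web01 auth: user=svc-web result=success",
    "2008-05-20 09:00:12 pc-42 auth: user=jsmith result=success",
    "2008-05-20 09:00:40 web01 auth: user=svc-web result=success",
    "2008-05-20 09:02:11 db01 auth: user=svc-web result=success",
    "2008-05-20 09:03:02 mail auth: user=jsmith result=success",
    "2008-05-20 09:03:30 db01 auth: user=jsmith result=failure",
    "2008-05-20 09:04:50 hr-app auth: user=svc-web result=success",
    "this line is not an auth record",
    "2008-05-20 09:05:31 fs01 auth: user=svc-web result=success",
    "2008-05-20 09:07:02 pc-police7 auth: user=svc-web result=success",
]

if __name__ == "__main__":
    print(fan_out_alerts(SAMPLE_LOG))   # {'svc-web': 5}
```

The threshold and window are tuning knobs: a domain administrator's legitimate maintenance round will trip the same rule, so the alert is a trigger for review, not proof of compromise.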
Technology layer
Source: Gartner Hype Cycle for Data and Application Security, 2007 (figure not reproduced in the transcript)
Benefits and results
Roles and how they affect each other? Europe, Hungary 2008 (diagram reconstructed from its labels)
• Role players: Client, Vendor, Distributor, System integrator, Consultant
• Control: PSZÁF, ÁSZ, other control authorities i.e. NHH
• Influences: laws, rules etc.; strategy, shareholder; technological and worldwide trends; real risks; sector specific standards i.e. ISO, Cobit, BASEL II
• Sectors: Financial, Telco, Governmental, Industry
Budget? Just how much should we spend on IT Security?
• It depends on the role
• If one operates IT Security, one needs shifts, professional knowledge, certification (vendor + CISA, CISSP): manageable and measurable security. That is definitely not cheap.
• If one "just" analyses logs and monitors the IT Security components operated by someone else, one needs the eye of a professional and some technology to get the most out of logs and available resources. That is not cheap either, but requires fewer people.
• What market research says
  • A middle size company should spend at least 15-20% of its IT budget on IT security.
  • That's a lot. Today, most of those companies are not spending that much here in Hungary.
EMEA IT Security Services Market Overview (according to Gartner, 01.2008)
• The 2008 IT security services market is expected to increase about 9% compared with 2007.
• Spending on IT security services will reach $8.7 billion by 2010.
• IT management services will be the fastest-growing sector, while the more sizable consulting services segment is expected to grow at a much lower rate.
Forecast: IT Security Services, EMEA, 2004-2010 (according to Gartner)
[Bar chart, not reproduced in the transcript: years 2004 to 2010 on one axis, millions of dollars (0 to 4,000) on the other; series: IT Management, Development and Integration, Consulting, Software Support, Hardware Maintenance and Support]
Questions? Thank you for staying with us!
Course questions
1. What is the most significant, top threat for EU IT Security? (one answer applies)
• A. Data theft
• B. Virus attacks
• C. Spam attacks
• D. Malware problems
Course questions
2. Where did most of the attacks come from at a typical organization in the EU in 2006? (one answer applies)
• A. Internal attacks (80%)
• B. Internal attacks (55%)
• C. External attacks (55%)
• D. External attacks (75%)
Course questions
3. What do you think is the best place for the IT Security division in the organizational chart? (one answer applies)
• A. Under IT operation, CIO
• B. Under CEO, management
• C. Under Financial department
• D. Under Physical Security division