Public Sector Cybersecurity – Do we really have to worry?

Robert Myles, CISSP, CISM – Strategist, North American State & Local Government

Posted 12-Sep-2020

Page 1: Public Sector Cybersecurity – Do we really have to worry? · 6/27/2015  · 2016 Internet Security Threat Report • Symantec’s Global Intelligence Network is made up of more



Robert Myles, CISSP, CISM

• USCG – Retired

• Recovering CISO with 15 years in Health Care, Academia & Financial services

• Public Safety Practice Manager, National responsibility for Federal, State, Local Government

• 28 Years in Information Security

• 28 years in Health Care

• 36 years in IT

• CISSP (2001), CISM (2004)

• IACP, APCO, AAMVA, NFCA, NCJA, NASCIO, IJIS, MS-ISAC CyberSecurity Taskforce

Copyright © 2016 Symantec Corporation


2016 Internet Security Threat Report

• Symantec’s Global Intelligence Network is made up of more than 63.8 million attack sensors and records thousands of events per second. The network monitors threat activity in more than 157 countries and territories

• Symantec’s vulnerability database includes more than 74,180 recorded vulnerabilities from more than 23,980 vendors

• Symantec processes more than 9 billion email messages each month and filters more than 1.8 billion web requests each day

• The Symantec Internet Security Threat Report (ISTR) provides a deep dive into this data, examining multiple aspects of today’s threat landscape – from targeted attacks, smartphone threats, social media scams, and Internet of Things vulnerabilities, as well as attackers’ tactics, motivations, and behaviors

2016 Internet Security Threat Report Volume 21


Key Findings – Government

• Government organizations targeted for attack were most likely to be targeted at least three more times throughout the year

• The public administration sector ranked fourth when looking at the number of incidents reported, accounting for 5.6% of breaches in 2015

• Data breaches in this sector accounted for nearly 28 million of the identities exposed in 2015, ranking the sector number three overall

• 64.7% of government data breaches were a result of data being made public accidentally

• The most common attack type seen by all sensors in the government and critical infrastructure sectors related to attacks on web servers – accounting for 98.4% of all attacks


Social Media


The World’s Data (chart)

• The world’s data in 2010: 1.2 ZB

• The world’s data by 2015: 7.9 ZB

• The world’s data by 2020: 40 ZB

• Unstructured data growth rate to 2014: 61.8%

Sources: 1. IDC, Digital Universe study, December 2012; 2. IDC, Worldwide Disk-Based Data Protection and Recovery 2012-2016 Forecast, December 2012


So How Big is Your Data?

• Byte of data = Grain of Rice

• KiloByte = Cup of Rice

• MegaByte = 8 Bags of Rice

• GigaByte = 3 Shipping Containers of Rice

• TeraByte = 2 Container Ships of Rice

• PetaByte = Covers Manhattan in Rice

• ExaByte = Covers the UK in Rice (3x)

• ZettaByte = Fills the Pacific Ocean in Rice

Source: David Wellman @ Myriad Genetics

Where is your Data?

http://thedatamap.org/

CYBERCRIME – TO CYBERWAR

• FBI reports that “hackers linked to Anonymous have secretly accessed US government computers and stolen sensitive information in a campaign that began almost a year ago”

• In March 2012, Chinese hackers reportedly gained access to designs of more than two dozen major U.S. weapons systems and stole data from 100 companies

• In 2010 a computer worm attacked Iran’s nuclear facilities


Specialization of Skill In The Attack Chain

• Reconnaissance: Know your Targets

• Incursion: Gain Access

• Discovery: Create a Map to the Asset

• Capture: Take Control of the Asset

• Exfiltration: Steal or Destroy Asset


The statistics aren’t surprising

• 125% increase in zero-day vulnerabilities discovered

• 77% have rogue cloud deployments

• 75% have unpatched critical web applications

• 256 – average number of days to discover a breach


The statistics aren’t surprising

• 60% of organizations have >25 incidents each month

• 77% have rogue cloud deployments

• 6x increase in mobile malware last year

• 243 – average number of days to discover a breach


Password Attacks are Piling Up

October 6th, 2014

IoT is not a new problem, but an ongoing one

INTERNET OF THINGS

Internet of Things and Privacy

• 1 in 4 end users admit to not knowing what access they gave away when agreeing to the terms of the app

• 68% were willing to trade privacy for a free app

Source: 2014 Norton Global Survey


In 2009 there were 2,361,414 new pieces of malware created.

In 2015 that number was 430,555,582. That’s 1 million 179 thousand a day.


Zero-Days

Zero-Day Vulnerabilities (chart, 2006–2015, from the 2016 Internet Security Threat Report Volume 21): the yearly counts for 2006–2012 range between 8 and 15; 2013 and 2014 show 23 and 24; 2015 shows 54.


Hackers Unleash Trove of Data from Hacking Team

• HackingTeam (HT) had zero days in Adobe Flash, Internet Explorer and Microsoft Windows

CVE             Affected Product     First Notice   Patch Date
CVE-2015-5119   Adobe Flash          July 7         July 8
CVE-2015-5122   Adobe Flash          July 10        July 14
CVE-2015-5123   Adobe Flash          July 10        July 14
CVE-2015-2425   Internet Explorer    July 14        July 14
CVE-2015-2426   Microsoft Windows    July 20        July 20
CVE-2015-2387   Microsoft Windows    July 8         July 14


Targeted Attacks

Targeted Attack Campaigns (chart, 2012–2015)

Year   Campaigns   Recipients per Campaign   Average Number of Email Attacks Per Campaign
2012   408         111                       122
2013   779         23                        29
2014   841         18                        25
2015   1,305       11                        12

Campaigns: 55% increase from 2014 to 2015


Spear-Phishing Attacks by Size of Targeted Organization

Org Size                                   2015 Risk Ratio   2015 Risk Ratio as Percentage   Attacks per Org
Large Enterprises (2,500+ Employees)       1 in 2.7          38%                             3.6
Medium Business (251–2,500 Employees)      1 in 6.8          15%                             2.2
Small Business (SMB, 1–250 Employees)      1 in 40.5         3%                              2.1


Breaches

Total Identities Exposed (chart, millions)

2011: 232
2012: 93
2013: 552
2014: 348
2015: 429 (+23%)

Estimated (chart label): 500 million, +30%


Mega Breaches 2015

Vulnerabilities

The Alleged Attackers Used DDoS Attacks

“The accused men are alleged to have built the botnet by scanning the internet for servers running older versions of a “popular website content management software” that had not been updated to patch known vulnerabilities. These vulnerabilities allow them to install the Brobot malware on affected servers.”

How does ransomware get in?

• Exploit kits

• Malicious email attachments

• Malicious links in emails

Infected website or malicious ad via exploit kit

STEP 1 User visits compromised website, which is often a trusted location.

STEP 2 Malicious code redirects to exploit kit landing page, OR a malicious advertisement silently redirects to a malicious web page.

STEP 3 Exploit kit web page loads and determines best route to infect user.

STEP 4 Exploit kit takes advantage of vulnerable software.

STEP 5 Exploit kit delivers ransomware payload.

STEP 6 Victim’s sensitive files are encrypted and held for ransom.

© 2016, Palo Alto Networks. Confidential and Proprietary.


Compromised Microsoft Word document

STEP 1 Targeted email with infected Microsoft® Office Word document delivered to user.

STEP 2 User opens Word document, thinking it is a legitimate file.

STEP 3 Office macros run, downloading ransomware from URLs within the document.

STEP 4 Victim’s sensitive files are encrypted and held for ransom.


Ransomware attack vectors

OVER THE NETWORK Infection vectors like web and email

SAAS-BASED APPLICATIONS File-sharing applications

DIRECTLY TO THE ENDPOINT Off-premise or targeted attack


1 REDUCE THE ATTACK SURFACE

2 PREVENT KNOWN THREATS

3 IDENTIFY & PREVENT UNKNOWN THREATS

• IT relevant, coordinated security, prevention oriented platform

• Automatically turn unknown threats to known

• Reprogram the network with new protections

Seek first to gain visibility and reduce the attack surface – REDUCE THE ATTACK SURFACE

1 Gain full visibility and block unknown traffic

2 Enforce application and user-based controls

3 Stop dangerous file-types

4 Implement endpoint policy aligned to your risk

Prevent known threats – PREVENT KNOWN THREATS

1 Stop known exploits, malware & command-and-control traffic

2 Block access to malicious and phishing URLs

3 Scan for known malware on SaaS-based applications

4 Block known malware & exploits on the endpoint

Prevent unknown threats: Understand the power of context – IDENTIFY & BLOCK UNKNOWN THREATS

1 Detect and analyze unknown threats in files and URLs

2 Update the protections across the organization and prevent previously unknown threats

3 Add context to threats and create proactive protections and mitigation

4 Block unknown malware & exploits on the endpoint

Requirements for an integrated prevention platform – DISRUPT ADVANCED ATTACKS LIFECYCLE

1 Be in the right position

2 Both virtual and physical

3 Best-of-breed security technologies

4 Multiple detection techniques

5 Global Analysis and threat knowledge

6 Control all, with the ability to reprogram in seconds

Ransomware Prevention Across Multiple Attack Vectors and Attack Surfaces Is Only Possible With an Integrated Security Platform

Attack surfaces: Network & Cloud, SaaS Applications, Endpoint

Attack vectors: Exploit kits, Email attachments, Links in emails

Why does this matter? Global threat intelligence sharing

Coordinated prevention of ransomware, network

(Attack surfaces: Network & Cloud, SaaS Applications, Endpoint; attack vectors: Exploit kits, Email attachments, Links in emails)

• Block unknown traffic

• Disallow dangerous attachments

• Block malicious URLs

• Evaluate encrypted traffic

• Examine email attachments for malware or exploits

• Examine unknown URLs for malicious activity

• Global threat intelligence sharing

Coordinated prevention of ransomware, SaaS

(Attack surfaces: Network & Cloud, SaaS Applications, Endpoint; attack vectors: Exploit kits, Email attachments, Links in emails)

• Block storage or transmission of files containing exploits

• Scan cloud storage for malicious files

• Global threat intelligence sharing

Coordinated prevention of ransomware, endpoint

(Attack surfaces: Network & Cloud, SaaS Applications, Endpoint; attack vectors: Exploit kits, Email attachments, Links in emails)

• Prevent all exploits, including zero-days

• Block execution of malicious attachments

• Prevent drive-by downloads of malware

• Block execution of malware

• Prevent exploitation of email software itself

• Block exploitation of browser vulnerabilities

• Global threat intelligence sharing

Ransomware Summary

• Ransomware has evolved from an “annoyance” into a serious threat

• The number of Ransomware families continues to grow in number and sophistication; as a result the Ransom Demand has also grown

• No one is immune, but Businesses are firmly in the sights of attackers

• Attackers use “persistent” techniques across several Threat Vectors

• To reduce your Risk to Ransomware attacks you need to: Reduce the Attack Surface, Prevent Known Threats & ID and Block Unknown Threats

• Information Sharing amongst trusted peers is essential to quickly address emerging threats: ISACs, DHS Automated Information Sharing Program, Private Sector Cyber Threat Alliance

Professionalization of Cyber Crime

Top 5 most Frequently Exploited Zero-Day Vulnerabilities

Rank   Name                                                   2015 Percentage
1      Adobe Flash Player CVE-2015-0313                       81%
2      Adobe Flash Player CVE-2015-5119                       14%
3      Adobe Flash Player CVE-2015-5122                       5%
4      Heap-Based Buffer Overflow aka ‘Ghost’ CVE-2015-0235   <1%
5      Adobe Flash Player CVE-2015-3113                       <1%


Adobe Releases Out-of-Band Patch For Flash Vulnerability

• On June 23, Adobe released an out-of-band patch for a critical zero day vulnerability, designated CVE-2015-3113

• Within a week, five of the most well known exploit kits had integrated this vulnerability into their platforms

Exploit Kit   First Seen
Magnitude     June 27, 2015
Angler        June 29, 2015
Nuclear       July 1, 2015
RIG           July 1, 2015
Neutrino      July 1, 2015


Butterfly – The Attackers’ Tools

• Hacktool.Bannerjack – used to locate vulnerable servers on the local network

• Hacktool.Multipurpose – basic network enumeration; hides activity by editing logs, deleting files, etc.

• Hacktool.Eventlog – parses event logs, dumps content, deletes entries


Hacktool.MultiPurpose

Butterfly – Command & Control Operations

(Diagram: Mail Server and Content Management Systems connected to three C&C Servers)


(Diagram: Mail Server and Content Management Systems connected to a C&C Server)

• C&C run from virtual OS

• Virtual OS Encrypted

• Server Logs are wiped


Tech Support Scams – Outbound Call Centers (Boiler Rooms) to Support the Scam

“Hello sir, Your computer is infected. Please purchase a support plan for $75 so we can help you…”


TeslaCrypt Ransomware – Technical Support Available

Dridex Gang – Number of Known Spam Runs Per Day

When Cyber Criminals Work in Call Centers, Write Documentation and Take the Weekends Off, You Know It’s a Profession

So Why Aren’t Our Defenses Working?

Compliance

Risk Management and Compliance Maturity – From a reactive to a sustainable, business-driven approach

• Comply with Key Mandates; Base Security Controls

• Stay Ahead of Threats

• Risk Assessment Driving Priorities

• Sustainable Risk Management Program

• Business Priorities Driving Security Strategy

“What was the root cause of the healthcare organizations’ data breach” – Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, The Ponemon Institute, May 2015


Copyright © 2014 Symantec Corporation

The strategies of the past will not support the infrastructure of today and for the future

Mandates: FERPA, GLBA, SOX, FISMA, HIPAA Privacy, HIPAA Security, PCI, ARRA/HITECH, HIPAA Omnibus Rule, CJIS, IRS 1075


Control areas these mandates have in common:

• Auditing & Accountability

• Physical Security

• Personnel Security

• Information Integrity

• Media Protection

• Configuration Management

• Security Awareness Training

• Access Control

• Incident Response

• Identification & Authentication

• Formal Audits

• Information Exchange Agreements

• Mobile Devices


How do I effectively Defend my Organization?

Roadmap to Effective Security

• Appoint Information Security Officer (CISO)

• Policy implementation and review

• Asset Identification – H/W & S/W

• Data Governance & Classification

• Risk Assessment

• Vulnerability Assessment

• Training & Awareness

• Information Exchange Agreements

• Build Defense-In-Depth


What are the Five most Important Risk Management Areas?

Five Critical Capabilities for Managing Risk

• H/W Asset Management

• S/W Asset management

• Configuration Management

• Vulnerability Management

• Malware Defenses


SANS Top 20 Critical Security Controls – Version 5

• 1: Inventory of Authorized and Unauthorized Devices

• 2: Inventory of Authorized and Unauthorized Software

• 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

• 4: Continuous Vulnerability Assessment and Remediation

• 5: Malware Defenses

• 6: Application Software Security

• 7: Wireless Access Control

• 8: Data Recovery Capability

• 9: Security Skills Assessment and Appropriate Training to Fill Gaps

• 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches


• 11: Limitation and Control of Network Ports, Protocols, and Services

• 12: Controlled Use of Administrative Privileges

• 13: Boundary Defense

• 14: Maintenance, Monitoring, and Analysis of Audit Logs

• 15: Controlled Access Based on the Need to Know

• 16: Account Monitoring and Control

• 17: Data Protection

• 18: Incident Response and Management

• 19: Secure Network Engineering

• 20: Penetration Tests and Red Team Exercises


H/W Asset Management – Discovery – Unknown assets

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.


S/W Asset management

– S/W Discovery

– Data Governance

Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
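One way to run the discovery and reconciliation that the two capabilities above describe, as an added example that is not part of the original deck and not a Symantec product: the authorized hardware register, the discovery feed (shaped like what you would parse out of DHCP leases or a switch MAC table), the software allowlist and the installed-package reports are all constructed sample data, and the host and function names are invented.

```python
"""Reconcile discovered hardware and software against the authorized inventories.

Added example (not from the slide deck). Every inventory, discovery record and
allowlist below is constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed authorized hardware register: MAC -> (hostname, owner). In practice
# this is the asset register the slides call for, exported from a CMDB.
AUTHORIZED_HW = {
    "00:11:22:33:44:01": ("file-srv-01", "infra"),
    "00:11:22:33:44:02": ("ws-clerk-07", "county-clerk"),
    "00:11:22:33:44:03": ("cad-dispatch-2", "public-safety"),
}

# Constructed discovery feed, e.g. parsed from DHCP leases or a switch MAC table.
DISCOVERED_HW = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.1.10"},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.2.57"},
    {"mac": "a4:5e:60:aa:bb:cc", "ip": "10.0.2.88"},   # on the wire, not in the register
]

# Constructed software allowlist and per-host installed-package reports.
ALLOWED_SW = {"openssh-server", "postgresql", "nginx", "chrony"}
INSTALLED_SW = {
    "ws-clerk-07": ["openssh-server", "nginx", "teamviewer", "chrony"],
    "file-srv-01": ["openssh-server", "postgresql"],
}


@dataclass
class ReconcileReport:
    unknown_devices: list = field(default_factory=list)       # seen, not authorized
    missing_devices: list = field(default_factory=list)       # authorized, not seen
    unauthorized_software: dict = field(default_factory=dict)  # host -> [packages]


def reconcile_hardware(authorized, discovered, report):
    """Flag devices that are on the network but not in the register, and vice versa."""
    seen = set()
    for rec in discovered:
        mac = rec["mac"].lower()
        seen.add(mac)
        if mac not in authorized:
            report.unknown_devices.append((mac, rec["ip"]))
    # Registered devices that never showed up may be offline, retired, or replaced.
    report.missing_devices.extend(sorted(set(authorized) - seen))
    return report


def reconcile_software(allowed, installed, report):
    """Flag installed packages that are not on the allowlist, per host."""
    for host, pkgs in installed.items():
        bad = sorted(set(pkgs) - allowed)
        if bad:
            report.unauthorized_software[host] = bad
    return report


def run_reconciliation(authorized_hw=AUTHORIZED_HW, discovered_hw=DISCOVERED_HW,
                       allowed_sw=ALLOWED_SW, installed_sw=INSTALLED_SW):
    report = ReconcileReport()
    reconcile_hardware(authorized_hw, discovered_hw, report)
    reconcile_software(allowed_sw, installed_sw, report)
    return report


if __name__ == "__main__":
    r = run_reconciliation()
    for mac, ip in r.unknown_devices:
        print(f"UNKNOWN DEVICE  {mac} at {ip}: quarantine at the switch/NAC until identified")
    for mac in r.missing_devices:
        print(f"MISSING DEVICE  {mac} ({AUTHORIZED_HW[mac][0]}): confirm it still exists")
    for host, pkgs in r.unauthorized_software.items():
        print(f"UNAUTHORIZED SW {host}: {', '.join(pkgs)}")
```

The two-sided hardware check matters: an unknown MAC is the obvious finding, but a registered device that stops appearing is just as worth a ticket, because a quietly replaced machine is how an unmanaged device inherits an authorized name.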


Configuration Management

• All H/W Platforms

Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
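The "track, report on, correct" loop above reduces to comparing each host's effective settings with an approved baseline and routing every deviation through change control. The following added example (not from the deck, not tied to any published benchmark) does that: the baseline keys, the host settings and the change-control records are constructed, and the ticket id is a placeholder.

```python
"""Check hosts' effective security settings against an approved baseline.

Added example, not from the slide deck. The baseline, the host settings and the
change records are constructed; the setting names only mimic sshd/sysctl style
keys and are not taken from any specific benchmark.
"""
from datetime import date

# Constructed baseline for a server class. A real one is derived from a published
# benchmark through the "rigorous configuration process" the slide calls for.
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "sysctl.net.ipv4.ip_forward": "0",
    "auditd.enabled": "yes",
    "firewall.default_inbound": "deny",
}

# Constructed effective settings as collected from two hosts.
HOST_SETTINGS = {
    "file-srv-01": {
        "sshd.PermitRootLogin": "no",
        "sshd.PasswordAuthentication": "yes",   # drift, no change record
        "sysctl.net.ipv4.ip_forward": "0",
        "auditd.enabled": "yes",
        "firewall.default_inbound": "deny",
    },
    "app-srv-02": {
        "sshd.PermitRootLogin": "no",
        "sshd.PasswordAuthentication": "no",
        "sysctl.net.ipv4.ip_forward": "1",      # deviation covered by change control
        "auditd.enabled": "yes",
        # firewall.default_inbound is absent entirely: the control is not applied
    },
}

# Constructed change-control records: approved exceptions with an expiry date.
# "CHG-0000" is a placeholder ticket id.
APPROVED_CHANGES = [
    {"host": "app-srv-02", "setting": "sysctl.net.ipv4.ip_forward",
     "value": "1", "ticket": "CHG-0000", "expires": date(2099, 1, 1)},
]


def find_exception(host, setting, value, today, changes=APPROVED_CHANGES):
    """Return the ticket id if an unexpired change record covers this exact deviation."""
    for c in changes:
        if (c["host"], c["setting"], c["value"]) == (host, setting, value) \
                and c["expires"] >= today:
            return c["ticket"]
    return None


def check_drift(host, settings, baseline=BASELINE, today=None):
    """Return (setting, expected, actual, status) for each deviation on one host.

    status is 'approved:<ticket>' when change control covers it, else 'drift'.
    An absent setting reports actual=None: a missing control is still a deviation.
    """
    today = today or date.today()
    findings = []
    for setting, expected in baseline.items():
        actual = settings.get(setting)
        if actual == expected:
            continue
        ticket = find_exception(host, setting, actual, today)
        status = f"approved:{ticket}" if ticket else "drift"
        findings.append((setting, expected, actual, status))
    return findings


def drift_summary(hosts=HOST_SETTINGS, today=None):
    """host -> count of unapproved deviations; the number the change board should see."""
    return {h: sum(1 for f in check_drift(h, s, today=today) if f[3] == "drift")
            for h, s in hosts.items()}


if __name__ == "__main__":
    for host, settings in HOST_SETTINGS.items():
        for setting, expected, actual, status in check_drift(host, settings):
            print(f"{host:12} {setting:30} expected={expected!r} actual={actual!r} {status}")
    print(drift_summary())
```

Two design points: the exception record must match host, setting and value exactly, so an approved "ip_forward=1" does not silently cover a later change to some other value, and exceptions expire, which forces the periodic review the slide's "actively manage" wording implies.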


Vulnerability Management

• Include Mobile Devices

Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
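The "window of opportunity" in the sentence above can be measured directly: days from discovery to fix, compared with a remediation deadline per severity. The added example below (not from the deck) does that over a constructed scanner export that deliberately includes a mobile device alongside servers and workstations, as the slide asks. The finding ids are placeholders, not real vulnerability identifiers, the SLA values are an illustrative policy choice, and the "as of" date is constructed.

```python
"""Measure the remediation window of open vulnerabilities and rank what to fix first.

Added example, not from the slide deck. Findings, SLA days, asset classes and
the reporting date are constructed; the ids are placeholders, not real CVEs.
"""
from datetime import date

# Constructed remediation deadlines in days by severity (a policy choice, not a standard).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed report date used as "today" throughout.
AS_OF = date(2016, 2, 15)

# Constructed scanner output. The mobile asset is in the same list on purpose:
# the slide's point is that phones and tablets belong in the same program.
FINDINGS = [
    {"id": "VULN-PLACEHOLDER-1", "asset": "cad-dispatch-2", "kind": "server",
     "severity": "critical", "found": date(2016, 1, 3), "fixed": date(2016, 1, 6)},
    {"id": "VULN-PLACEHOLDER-2", "asset": "ws-clerk-07", "kind": "workstation",
     "severity": "high", "found": date(2016, 1, 10), "fixed": None},
    {"id": "VULN-PLACEHOLDER-3", "asset": "phone-inspector-3", "kind": "mobile",
     "severity": "critical", "found": date(2016, 2, 1), "fixed": None},
    {"id": "VULN-PLACEHOLDER-4", "asset": "file-srv-01", "kind": "server",
     "severity": "low", "found": date(2016, 2, 10), "fixed": None},
]


def exposure_days(finding, today):
    """Window of opportunity: days from discovery to fix, or to today if still open."""
    end = finding["fixed"] or today
    return (end - finding["found"]).days


def days_overdue(finding, today, sla=SLA_DAYS):
    """Positive when an open finding is past its deadline; zero or negative otherwise."""
    if finding["fixed"] is not None:
        return 0
    return exposure_days(finding, today) - sla[finding["severity"]]


def prioritize(findings, today, sla=SLA_DAYS):
    """Open findings ordered by how far past deadline they are, then by severity."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    open_items = [f for f in findings if f["fixed"] is None]
    return sorted(open_items,
                  key=lambda f: (-days_overdue(f, today, sla), rank[f["severity"]]))


def prioritized_ids(findings=FINDINGS, today=AS_OF, sla=SLA_DAYS):
    return [f["id"] for f in prioritize(findings, today, sla)]


def sla_report(findings=FINDINGS, today=AS_OF, sla=SLA_DAYS):
    """finding id -> (exposure_days, days_overdue) for every finding, fixed or open."""
    return {f["id"]: (exposure_days(f, today), days_overdue(f, today, sla))
            for f in findings}


if __name__ == "__main__":
    for fid, (exposed, overdue) in sla_report().items():
        print(f"{fid:20} exposed={exposed:4d}d  overdue={overdue:5d}d")
    print("fix first:", prioritized_ids())
```

Ranking by days past deadline rather than by raw severity is what surfaces the mobile finding first here: it is both critical and a week past its deadline, while the older workstation finding, though exposed longer, is only six days past a 30-day deadline.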


Adopt a Framework to Manage your Risk


NIST Cybersecurity Framework

• Mandated by an Executive Order President Obama signed in February of 2012.

• Will contain a “set of standards, methodologies, procedures, and processes that align policy, business and technological approaches to address cyber risks.”

• Sets out a common structure for managing cybersecurity risk that:

o is flexible and adaptable; and

o can be used by all organizations, whether they already have a cybersecurity program or are just establishing one.

• Developed by NIST through lengthy and collaborative engagement with the private sector – a great example of a productive public-private partnership.

• Symantec played a key role throughout the development of the Framework.

• Released February 12, 2014.


What is the CSF?

• Start with what it is not:

– it is not a standard, a set of controls, or a checklist.

• Instead, it is a tool that can help organizations:

– assess and improve their cybersecurity programs; or

– build one if they have not already done so.

• Use is voluntary (except within some USG agencies)

• Not meant to replace existing security programs or practices, but rather to supplement them.


CSF Structure


Sample with Informative References

• No new Controls were created for CSF

• Informative References not exhaustive, organizations free to implement other standards, guidelines, and practices.


CSF Tiers

• Tier 1: Partial – The organization has not yet implemented a formal, threat-aware risk management process to determine a prioritized list of cybersecurity activities.

• Tier 2: Risk Informed – The organization uses a formal, threat-aware risk management process to develop a Profile of the Framework.

• Tier 3: Repeatable – The organization updates its Profile based on regular application of its risk management process to respond to a changing cybersecurity landscape.

• Tier 4: Adaptive – The organization updates its Profile based on predictive indicators derived from previous and anticipated cybersecurity activities.


CSF Profile

• Where you are, where you want to be, gaps to progress


Who will use CSF?

• Participation is Voluntary

• Targeted towards US “Critical Infrastructure”

• Many “Early Adopters”:

– Financial, Utilities

– Symantec

• The White House has said it will make the Framework mandatory for the Federal Government – but there is no official document yet.


Incentives to drive use

• Incentives under consideration:

– Cybersecurity Insurance

– Grants

– Process Preference

– Liability Limitation

– Streamline Regulations

– Public Recognition

– Rate Recovery for Price Regulated Industries

– Cybersecurity Research


Best Practices – Implement UNIFIED SECURITY


Don’t get caught flat-footed

Use advanced threat intelligence solutions to help you find indicators of compromise and respond faster to incidents.
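What "find indicators of compromise" looks like in practice is a join between an indicator feed and your own logs. The block below is an added example, not from the deck and not tied to any vendor feed format: the indicators (domains, an address, a network range, a file hash), the proxy/DNS/AV log lines and their key=value layout are all constructed, and only reserved documentation ranges and example domains are used.

```python
"""Match a threat-intelligence indicator feed against proxy, DNS and AV log lines.

Added example, not from the slide deck. Indicators, log lines and the log format
are all constructed; real feeds deliver indicators in their own formats.
"""
import ipaddress
import re

# Constructed indicator feed. Only documentation ranges and example domains are used,
# and the hash is a placeholder, so nothing here points at a real host or file.
IOC_FEED = {
    "domain": {"update-check.example.net", "cdn.example.org"},
    "ip": {"203.0.113.45"},
    "cidr": {"198.51.100.0/24"},
    "sha256": {"d" * 64},
}

# Constructed log lines: "<timestamp> <source> key=value ...".
LOG_LINES = [
    "2016-03-01T09:12:03Z proxy src=10.0.2.57 dst=203.0.113.45 host=www.example.com action=allow",
    "2016-03-01T09:12:07Z dns   src=10.0.2.57 qname=mail.example.com rcode=NOERROR",
    "2016-03-01T09:13:41Z dns   src=10.0.2.88 qname=update-check.example.net rcode=NOERROR",
    "2016-03-01T09:14:02Z proxy src=10.0.2.88 dst=198.51.100.77 host=files.example.org action=allow",
    "2016-03-01T09:20:10Z av    src=10.0.1.10 file=report.pdf sha256=" + "d" * 64,
]

KV = re.compile(r"(\w+)=(\S+)")
NETS = [ipaddress.ip_network(c) for c in IOC_FEED["cidr"]]


def parse(line):
    """Split one constructed log line into a dict of fields plus ts and source."""
    ts, source, *_ = line.split()
    fields = dict(KV.findall(line))
    fields["ts"], fields["source"] = ts, source
    return fields


def match_line(rec, feed=IOC_FEED, nets=NETS):
    """Return (indicator_type, value) hits for one parsed record."""
    hits = []
    for key in ("dst", "src"):            # check both ends of the connection
        ip = rec.get(key)
        if not ip:
            continue
        if ip in feed["ip"]:
            hits.append(("ip", ip))
        else:
            addr = ipaddress.ip_address(ip)
            hits.extend(("cidr", str(net)) for net in nets if addr in net)
    for key in ("host", "qname"):
        name = rec.get(key, "").lower().rstrip(".")
        # exact match or any subdomain of a listed domain
        if name and any(name == d or name.endswith("." + d) for d in feed["domain"]):
            hits.append(("domain", name))
    digest = rec.get("sha256", "").lower()
    if digest in feed["sha256"]:
        hits.append(("sha256", digest))
    return hits


def scan(lines=LOG_LINES):
    """Map internal source address -> [(timestamp, indicator_type, value)], for triage."""
    alerts = {}
    for line in lines:
        rec = parse(line)
        for kind, value in match_line(rec):
            alerts.setdefault(rec["src"], []).append((rec["ts"], kind, value))
    return alerts


if __name__ == "__main__":
    for src, hits in scan().items():
        print(src, "->", hits)
```

Grouping hits by internal source rather than by indicator is the triage-friendly view: here 10.0.2.88 resolves a listed domain and then connects into a listed range a minute later, which is the kind of sequence worth an incident ticket rather than two separate alerts.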

Employ a strong security posture

Implement multi-layered endpoint security, network security, encryption, strong authentication and reputation-based technologies. Partner with a managed security service provider to extend your IT team.

Prepare for the worst

Incident management ensures your security framework is optimized, measurable and repeatable, and that lessons learned improve your security posture. Consider adding a retainer with a third-party expert to help manage crises.

Provide ongoing education and training

Establish guidelines and company policies and procedures for protecting sensitive data on personal and corporate devices. Regularly assess internal investigation teams—and run practice drills—to ensure you have the skills necessary to effectively combat cyber threats.


Develop a Unified Security Practice

Threat Protection – servers, gateways

Information Protection – data, access, endpoints

Cyber Security Services – Managed Security Services, Incident Response, Security Simulation, DeepSight Intelligence


CTA Defined

*Launched 2014

The Cyber Threat Alliance is a group of cyber security practitioners from organizations that have chosen to work together in good faith to share threat information for the purpose of improving defenses against advanced cyber adversaries across member organizations and/or their customers.

Founders

Contributors

© 2016, Palo Alto Networks. Confidential and Proprietary.


CTA Advantage

• Raising collective situational awareness about advanced threats: motivations, tactics and the bad actors behind them

• Provide automatic deployment of prevention controls on adversaries and campaigns, maximizing members' defensive capabilities

• Collaborative intelligence research and joint publications on high profile threats


Changing the Game

• Rethinking security: the industry must cooperate

– Competitors uniting to protect the ecosystem

• Crowdsource threat intelligence sharing and collaborative analytics for the complete threat story

– Greater volume/diversity of data gives a better picture of what is happening around the world

• Advantage moves to our side as we connect the dots

– Enhanced defenses as we attack the battlefield

• We don’t compete on the data intelligence – we compete on what we do with it

– How does our technology differentiate us?


If it's Connected, it's Vulnerable

Know the risks.

Stay Informed

symantec.com/threatreport

Security Response Website

Twitter.com/threatintel


Thank You

Robert Myles, CISSP, CISM
Strategist - State & Local Government, North America

@RobertMyles [email protected]

http://www.linkedin.com/in/robertmyles/