public sector cybersecurity – do we really have to worry? · 6/27/2015 · 2016 internet...
TRANSCRIPT
Public Sector Cybersecurity – Do we really have to worry?
Robert Myles, CISSP, CISM Strategist North American State & Local Government
Robert Myles, CISSP, CISM
• USCG – Retired
• Recovering CISO with 15 years in Health Care, Academia & Financial services
• Public Safety Practice Manager, National responsibility for Federal, State, Local Government
• 28 Years in Information Security
• 28 years in Health Care
• 36 years in IT
• CISSP (2001), CISM (2004)
• IACP, APCO, AAMVA, NFCA, NCJA, NASCIO, IJIS, MS-ISAC CyberSecurity Taskforce
Copyright © 2016 Symantec Corporation
2016 Internet Security Threat Report
• Symantec’s Global Intelligence Network is made up of more than 63.8 million attack sensors and records thousands of events per second. The network monitors threat activity in more than 157 countries and territories
• Symantec’s vulnerability database includes more than 74,180 recorded vulnerabilities from more than 23,980 vendors
• Symantec processes more than 9 billion email messages each month and filters more than 1.8 billion web requests each day
• The Symantec Internet Security Threat Report (ISTR) provides a deep dive into this data, examining multiple aspects of today’s threat landscape – from targeted attacks, smartphone threats, social media scams, and Internet of Things vulnerabilities, as well as attackers’ tactics, motivations, and behaviors
2016 Internet Security Threat Report Volume 21
Key Findings – Government
• Government organizations targeted for attack were most likely to be targeted at least three more times throughout the year
• The public administration sector ranked fourth when looking at the number of incidents reported, accounting for 5.6% of breaches in 2015
• Data breaches in this sector accounted for nearly 28 million of the identities exposed in 2015, ranking the sector number three overall
• 64.7% of government data breaches were a result of data being made public accidentally
• The most common attack type seen by all sensors in the government and critical infrastructure sectors related to attacks on web servers – accounting for 98.4% of all attacks
Social Media
THE WORLD’S DATA IN 2010: 1.2ZB
THE WORLD’S DATA BY 2015: 7.9ZB
THE WORLD’S DATA BY 2020: 40ZB
UNSTRUCTURED DATA GROWTH RATE TO 2014: 61.8%
Sources: 1. IDC, Digital Universe study, December 2012; 2. IDC, Worldwide Disk-Based Data Protection and Recovery 2012-2016 Forecast, December 2012
So How Big is Your Data?
• Byte of data = Grain of Rice
• KiloByte = Cup of Rice
• MegaByte = 8 Bags of Rice
• GigaByte = 3 Shipping Containers of Rice
• TeraByte = 2 Container Ships of Rice
• PetaByte = Covers Manhattan in Rice
• ExaByte = Covers the UK in Rice (3x)
• ZettaByte = Fills the Pacific Ocean in Rice
Source: David Wellman @ Myriad Genetics
CYBERCRIME – TO CYBERWAR
FBI reports that “hackers linked to Anonymous have secretly accessed US government computers and stolen sensitive information in a campaign that began almost a year ago”
In March 2012, Chinese hackers reportedly gained access to designs of more than two dozen major U.S. weapons systems and stole data from 100 companies
In 2010 Computer Worm Attacks Iran’s Nuclear Facilities
Specialization of Skill In The Attack Chain
Reconnaissance: Know your Targets
Incursion: Gain Access
Discovery: Create a Map to the Asset
Capture: Take Control of the Asset
Exfiltration: Steal or Destroy Asset
The statistics aren’t surprising
• INCREASE IN ZERO-DAY VULNERABILITIES DISCOVERED: 125%
• HAVE ROGUE CLOUD DEPLOYMENTS [2]: 77%
• UNPATCHED CRITICAL WEB APPLICATION: 75%
• AVERAGE # OF DAYS TO DISCOVER A BREACH [4]: 256
The statistics aren’t surprising
• OF ORGANIZATIONS HAVE >25 INCIDENTS EACH MONTH [1]: 60%
• HAVE ROGUE CLOUD DEPLOYMENTS [2]: 77%
• INCREASE IN MOBILE MALWARE LAST YEAR [3]: 6X
• AVERAGE # OF DAYS TO DISCOVER A BREACH [4]: 243
Password Attacks are Piling Up
October 6th, 2014
IoT is not a new problem, but an ongoing one
INTERNET OF THINGS
Internet of Things and Privacy
• 1 in 4 end users admit to not knowing what access they gave away when agreeing to the terms of the app
• 68% were willing to trade privacy for a free app
Source: 2014 Norton Global Survey
In 2009 there were 2,361,414 new pieces of malware created.
In 2015 that number was 430,555,582.
That’s 1 Million 179 Thousand a day.
Zero-Days
[Chart: Zero-Day Vulnerabilities, 2006–2015. Values shown: 2013: 23, 2014: 24, 2015: 54; the 2006–2012 values lie between 8 and 15.]
Hackers Unleash Trove of Data from Hacking Team
• HackingTeam (HT) had zero days in Adobe Flash, Internet Explorer and Microsoft Windows
CVE            Affected Product    First Notice  Patch Date
CVE-2015-5119  Adobe Flash         July 7        July 8
CVE-2015-5122  Adobe Flash         July 10       July 14
CVE-2015-5123  Adobe Flash         July 10       July 14
CVE-2015-2425  Internet Explorer   July 14       July 14
CVE-2015-2426  Microsoft Windows   July 20       July 20
CVE-2015-2387  Microsoft Windows   July 8        July 14
Targeted Attacks
Targeted Attack Campaigns
[Chart: Targeted Attack Campaigns 2012–2015, three series: Campaigns, Recipients per Campaign, Average Number of Email Attacks Per Campaign. Campaigns per year: 408 (2012), 779 (2013), 841 (2014), 1,305 (2015), a 55% increase in 2015; recipients per campaign and email attacks per campaign fell over the same period, to 11 and 12 respectively in 2015.]
Spear-Phishing Attacks by Size of Targeted Organization
Org Size                               2015 Risk Ratio  2015 Risk Ratio as Percentage  Attacks per Org
Large Enterprises (2,500+ Employees)   1 in 2.7         38%                            3.6
Medium Business (251–2,500 Employees)  1 in 6.8         15%                            2.2
Small Business (SMB, 1–250 Employees)  1 in 40.5        3%                             2.1
Breaches
[Chart: Total Identities Exposed 2011–2015, in millions: 232 (2011), 93 (2012), 552 (2013), 348 (2014), 429 (2015, +23%); estimated 500 million (+30%).]
Mega Breaches 2015
Vulnerabilities
“The accused men are alleged to have built the botnet by scanning the internet for servers running older versions of a “popular website content management software” that had not been updated to patch known vulnerabilities. These vulnerabilities allow them to install the Brobot malware on affected servers.”
The Alleged Attackers Used DDoS Attacks
How does ransomware get in?
EXPLOIT KITS | MALICIOUS EMAIL ATTACHMENTS | MALICIOUS LINKS IN EMAILS
Infected website or malicious ad via exploit kit
STEP 1 User visits compromised website, which is often a trusted location.
STEP 2 Malicious code redirects to exploit kit landing page. OR Malicious advertisement silently redirects to malicious web page.
STEP 3 Exploit kit web page loads and determines best route to infect user.
STEP 4 Exploit kit takes advantage of vulnerable software.
STEP 5 Exploit kit delivers ransomware payload.
STEP 6 Victim’s sensitive files are encrypted and held for ransom.
© 2016, Palo Alto Networks. Confidential and Proprietary.
Compromised Microsoft Word document
STEP 1 Targeted email with infected Microsoft® Office Word document delivered to user.
STEP 2 User opens Word document, thinking it is a legitimate file.
STEP 3 Office macros run, downloading ransomware from URLs within the document.
STEP 4 Victim’s sensitive files are encrypted and held for ransom.
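As an added, defender-side illustration of the Word-document chain above (example code written for this page, not Palo Alto Networks’ or Symantec’s): a mail-gateway check that opens an Office Open XML attachment, flags the VBA storage part that the macro step depends on, and pulls out any URL the document carries. The minimal file layout, the host names and the three-way gateway policy are assumptions.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# Best-effort URL pattern. Real vbaProject.bin keeps VBA source compressed, so a
# document is flagged on macro presence alone; extracted URLs only add evidence.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
# XML namespace URIs appear in every OOXML part and are not download locations.
NAMESPACE_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org"}


def inspect_office_file(data: bytes) -> dict:
    """Return {'is_ooxml', 'has_macros', 'urls'} for an Office Open XML blob."""
    result = {"is_ooxml": False, "has_macros": False, "urls": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    names = set(zf.namelist())
    if "[Content_Types].xml" not in names:
        return result
    result["is_ooxml"] = True
    # Macro presence: the VBA storage part, or a macro-enabled content type.
    content_types = zf.read("[Content_Types].xml")
    result["has_macros"] = bool(names & MACRO_PARTS) or b"macroEnabled" in content_types
    urls = set()
    for name in names:
        if name.endswith((".bin", ".xml", ".rels")):
            for raw in URL_RE.findall(zf.read(name)):
                url = raw.decode("latin-1")
                if urlparse(url).hostname not in NAMESPACE_HOSTS:
                    urls.add(url)
    result["urls"] = sorted(urls)
    return result


def mail_gateway_verdict(data: bytes, allowed_hosts=("intranet.example.org",)) -> str:
    """Assumed policy: macro-free -> allow; macros -> hold for review;
    macros plus a URL outside the allowed hosts -> block (the step-3 download)."""
    info = inspect_office_file(data)
    if not info["has_macros"]:
        return "allow"
    external = [u for u in info["urls"] if urlparse(u).hostname not in allowed_hosts]
    return "block" if external else "hold"


def build_sample_docm(with_macro: bool, url: bytes = b"") -> bytes:
    """Constructed sample (minimal OOXML zip layout, not a real Office file)."""
    content_types = (b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     b'<Override PartName="/word/document.xml" ContentType="application/xml"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", b"<w:document><w:body>Invoice attached</w:body></w:document>")
        if with_macro:
            # Stand-in for the binary VBA storage; the fetch location is left in clear text.
            zf.writestr("word/vbaProject.bin", b"Sub AutoOpen()\n ' fetch: " + url + b"\nEnd Sub")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in [("clean", build_sample_docm(False)),
                          ("macro", build_sample_docm(True)),
                          ("macro+url", build_sample_docm(True, b"http://payload.invalid/update.exe"))]:
        print(label, mail_gateway_verdict(sample), inspect_office_file(sample)["urls"])
```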
Ransomware attack vectors
• OVER THE NETWORK – Infection vectors like web and email
• SAAS-BASED APPLICATIONS – File-sharing applications
• DIRECTLY TO THE ENDPOINT – Off-premise or targeted attack
1 REDUCE THE ATTACK SURFACE
2 PREVENT KNOWN THREATS
3 IDENTIFY & PREVENT UNKNOWN THREATS
IT relevant, coordinated security, prevention oriented platform
Automatically turn unknown threats to known
Reprogram the network with new protections
Seek first to gain visibility and reduce the attack surface (REDUCE THE ATTACK SURFACE)
1 Gain full visibility and block unknown traffic
2 Enforce application and user-based controls
3 Stop dangerous file-types
4 Implement endpoint policy aligned to your risk
Prevent known threats (PREVENT KNOWN THREATS)
1 Stop known exploits, malware & command-and-control traffic
2 Block access to malicious and phishing URLs
3 Scan for known malware on SaaS-based applications
4 Block known malware & exploits on the endpoint
Prevent unknown threats: Understand the power of context (IDENTIFY & BLOCK UNKNOWN THREATS)
1 Detect and analyze unknown threats in files and URLs
2 Update the protections across the organization and prevent previously unknown threats
3 Add context to threats and create proactive protections and mitigation
4 Block unknown malware & exploits on the endpoint
Requirements for an integrated prevention platform (DISRUPT ADVANCED ATTACKS LIFECYCLE)
1 Be in the right position
2 Both virtual and physical
3 Best-of-breed security technologies
4 Multiple detection techniques
5 Global Analysis and threat knowledge
6 Control all, with the ability to reprogram in seconds
Network & Cloud Ransomware Prevention Across Multiple Attack Vectors and Attack Surfaces Is Only Possible With an Integrated Security Platform
Attack surfaces: Network & Cloud, SaaS Applications, Endpoint
Attack vectors: Exploit kits, Email attachments, Links in emails
Why does this matter? Global threat intelligence sharing
Coordinated prevention of ransomware, network
• Block unknown traffic
• Disallow dangerous attachments
• Block malicious URLs
• Evaluate encrypted traffic
• Examine email attachments for malware or exploits
• Examine unknown URLs for malicious activity
• Global threat intelligence sharing
Coordinated prevention of ransomware, SaaS
• Block storage or transmission of files containing exploits
• Scan cloud storage for malicious files
• Global threat intelligence sharing
Coordinated prevention of ransomware, endpoint
• Prevent all exploits, including zero-days
• Block execution of malicious attachments
• Prevent drive-by downloads of malware
• Block execution of malware
• Prevent exploitation of email software itself
• Block exploitation of browser vulnerabilities
• Global threat intelligence sharing
Ransomware Summary
• Ransomware has evolved from an “annoyance” into a serious threat. The number of ransomware families continues to grow in number and sophistication; as a result the ransom demand has also grown
• No one is immune, but businesses are firmly in the sights of attackers
• Attackers use “persistent” techniques across several threat vectors
• To reduce your risk of ransomware attacks you need to: reduce the attack surface, prevent known threats, and identify and block unknown threats
• Information sharing amongst trusted peers is essential to quickly address emerging threats: ISACs, the DHS Automated Information Sharing Program, and the private-sector Cyber Threat Alliance
Professionalization of Cyber Crime
Top 5 most Frequently Exploited Zero-Day Vulnerabilities
Rank  Name                                                  2015 Percentage
1     Adobe Flash Player CVE-2015-0313                      81%
2     Adobe Flash Player CVE-2015-5119                      14%
3     Adobe Flash Player CVE-2015-5122                      5%
4     Heap-Based Buffer Overflow aka ‘Ghost’ CVE-2015-0235  <1%
5     Adobe Flash Player CVE-2015-3113                      <1%
Adobe Releases Out-of-Band Patch For Flash Vulnerability
• On June 23, Adobe released an out-of-band patch for a critical zero-day vulnerability, designated CVE-2015-3113
• Within a week, five of the most well-known exploit kits had integrated this vulnerability into their platforms
Exploit Kit  First Seen
Magnitude    June 27, 2015
Angler       June 29, 2015
Nuclear      July 1, 2015
RIG          July 1, 2015
Neutrino     July 1, 2015
Butterfly – The Attackers’ Tools
• Hacktool.Bannerjack – used to locate vulnerable servers on the local network
• Hacktool.Multipurpose – basic network enumeration; hides activity by editing logs, deleting files, etc.
• Hacktool.Eventlog – parses event logs, dumps content, deletes entries
Hacktool.MultiPurpose
Butterfly – Command & Control Operations
[Diagram: Mail Server and Content Management Systems connected to several C&C Servers]
• C&C run from virtual OS
• Virtual OS encrypted
• Server logs are wiped
Tech Support Scams – Outbound Call Centers (Boiler Rooms) to Support the Scam
Hello sir, Your computer is infected. Please purchase a support plan for $75 so we can help you…
TeslaCrypt Ransomware – Technical Support Available
Dridex Gang - Number of Known Spam Runs Per Day
When Cyber Criminals Work in Call Centers, Write Documentation and Take the Weekends Off, You Know It’s a Profession
So Why aren’t our defenses Working?
Compliance
Risk Management and Compliance Maturity From a reactive to a sustainable, business-driven approach
“What was the root cause of the healthcare organizations’ data breach?” – Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, The Ponemon Institute, May 2015
• Comply with Key Mandates; Base Security Controls
• Stay Ahead of Threats
• Risk Assessment Driving Priorities
• Sustainable Risk Management Program
• Business Priorities Driving Security Strategy
Copyright © 2014 Symantec Corporation
The strategies of the past will not support the infrastructure of today and for the future
FERPA, GLBA, SOX, FISMA, HIPAA Privacy, HIPAA Security, PCI, ARRA/HITECH, HIPAA Omnibus Rule, CJIS, IRS 1075
• Auditing & Accountability
• Physical Security
• Personnel Security
• Information Integrity
• Media Protection
• Configuration Management
• Security Awareness Training
• Access Control
• Incident Response
• Identification & Authentication
• Formal Audits
• Information Exchange Agreements
• Mobile Devices
How do I effectively Defend my Organization?
Roadmap to Effective Security
• Appoint Information Security Officer (CISO)
• Policy implementation and review
• Asset Identification – H/W & S/W
• Data Governance & Classification
• Risk Assessment
• Vulnerability Assessment
• Training & Awareness
• Information Exchange Agreements
• Build Defense-In-Depth
What are the Five most Important Risk Management Areas?
Five Critical Capabilities for Managing Risk
• H/W Asset Management
• S/W Asset management
• Configuration Management
• Vulnerability Management
• Malware Defenses
SANS Top 20 Critical Security Controls - Version 5
• 1: Inventory of Authorized and Unauthorized Devices
• 2: Inventory of Authorized and Unauthorized Software
• 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• 4: Continuous Vulnerability Assessment and Remediation
• 5: Malware Defenses
• 6: Application Software Security
• 7: Wireless Access Control
• 8: Data Recovery Capability
• 9: Security Skills Assessment and Appropriate Training to Fill Gaps
• 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• 11: Limitation and Control of Network Ports, Protocols, and Services
• 12: Controlled Use of Administrative Privileges
• 13: Boundary Defense
• 14: Maintenance, Monitoring, and Analysis of Audit Logs
• 15: Controlled Access Based on the Need to Know
• 16: Account Monitoring and Control
• 17: Data Protection
• 18: Incident Response and Management
• 19: Secure Network Engineering
• 20: Penetration Tests and Red Team Exercises
H/W Asset Management – Discovery – Unknown assets
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
S/W Asset management
– S/W Discovery
– Data Governance
Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
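Added here to make the H/W and S/W asset management controls above concrete (example code written for this page, not SANS or Symantec material): a reconciliation that compares what a DHCP server actually saw against the authorized hardware inventory, and an endpoint software export against the approved baseline. The log format, both inventories and the package names are constructed assumptions.

```python
import re

# Constructed sample: DHCP server log lines in isc-dhcpd style (not real traffic).
DHCP_LOG = """\
Jan 12 08:01:03 dhcp1 dhcpd: DHCPACK on 10.20.5.17 to 00:1a:2b:3c:4d:5e (ws-finance-07) via eth1
Jan 12 08:01:09 dhcp1 dhcpd: DHCPACK on 10.20.5.18 to 00-1A-2B-3C-4D-5F (ws-finance-08) via eth1
Jan 12 08:02:41 dhcp1 dhcpd: DHCPACK on 10.20.5.90 to f4:5c:89:aa:bb:cc via eth1
Jan 12 08:03:12 dhcp1 dhcpd: DHCPDISCOVER from 0c:9d:92:11:22:33 via eth1
"""
# Authorized hardware inventory (CSC 1): canonical MAC -> asset tag. Constructed.
HW_INVENTORY = {"00:1a:2b:3c:4d:5e": "ASSET-1041", "00:1a:2b:3c:4d:5f": "ASSET-1042"}

# Constructed sample: endpoint software inventory export, "host,package,version".
SW_EXPORT = """\
ws-finance-07,office-suite,16.0.4
ws-finance-07,remote-admin-tool,3.2.1
ws-finance-08,office-suite,15.0.1
ws-finance-08,pdf-reader,11.0
"""
# Authorized software baseline (CSC 2): package -> approved versions. Constructed.
SW_BASELINE = {"office-suite": {"16.0.4"}, "pdf-reader": {"11.0"}}

MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b", re.IGNORECASE)


def normalize_mac(mac: str) -> str:
    """Inventory and log may use different separators and case; compare one form."""
    return mac.lower().replace("-", ":")


def observed_macs(log: str) -> set:
    """Every MAC that asked for or was given an address, in canonical form."""
    return {normalize_mac(m.group(0)) for m in MAC_RE.finditer(log)}


def unknown_hardware(log: str, inventory: dict) -> list:
    """CSC 1: devices seen on the wire that are not in the authorized inventory."""
    return sorted(mac for mac in observed_macs(log) if mac not in inventory)


def unauthorized_software(export: str, baseline: dict) -> list:
    """CSC 2: (host, package, version) entries not on the baseline. A known
    package at an unapproved version is reported too, since outdated software
    is exactly what the CMS-scanning botnet and the exploit kits above look for."""
    findings = []
    for line in export.splitlines():
        if not line.strip():
            continue
        host, package, version = (field.strip() for field in line.split(",", 2))
        if version not in baseline.get(package, set()):
            findings.append((host, package, version))
    return findings


if __name__ == "__main__":
    print("unknown hardware:", unknown_hardware(DHCP_LOG, HW_INVENTORY))
    print("unauthorized software:", unauthorized_software(SW_EXPORT, SW_BASELINE))
```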
Configuration Management
• All H/W Platforms
Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
Vulnerability Management
• Include Mobile Devices
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
Adopt a Framework to Manage your Risk
NIST Cybersecurity Framework
• Mandated by an Executive Order President Obama signed in February of 2012.
• Will contain a “set of standards, methodologies, procedures, and processes that align policy, business and technological approaches to address cyber risks.”
• Sets out a common structure for managing cybersecurity risk that:
o is flexible and adaptable; and
o can be used by all organizations, whether they already have a cybersecurity program or are just establishing one.
• Developed by NIST through lengthy and collaborative engagement with the private sector – a great example of a productive public-private partnership.
• Symantec played key role throughout development of the Framework
• Released February 12, 2014.
What is the CSF?
• Start with what it is not:
  – it is not a standard, a set of controls, or a checklist.
• Instead, it is a tool that can help organizations
  – assess and improve their cybersecurity programs; or
  – build one if they have not already done so.
• Use is voluntary (except within some USG agencies)
• Not meant to replace existing security programs or practices, but rather to supplement them.
CSF Structure
Sample with Informative References
• No new Controls were created for CSF
• Informative References not exhaustive, organizations free to implement other standards, guidelines, and practices.
CSF Tiers
• Tier 1: Partial – The organization has not yet implemented a formal, threat-aware risk management process to determine a prioritized list of cybersecurity activities.
• Tier 2: Risk Informed – The organization uses a formal, threat-aware risk management process to develop a Profile of the Framework.
• Tier 3: Repeatable – The organization updates its Profile based on regular application of its risk management process to respond to a changing cybersecurity landscape.
• Tier 4: Adaptive – The organization updates its Profile based on predictive indicators derived from previous and anticipated cybersecurity activities.
CSF Profile
• Where you are, where you want to be, gaps to progress
Who will use CSF?
• Participation is Voluntary
• Targeted towards US “Critical Infrastructure”
• Many “Early Adopters” – Financial, Utilities, Symantec
• The White House has said it will make it mandatory for the Federal Government – but no official document yet
Incentives to drive use
• Incentives under consideration
  – Cybersecurity Insurance
  – Grants
  – Process Preference
  – Liability Limitation
  – Streamline Regulations
  – Public Recognition
  – Rate Recovery for Price Regulated Industries
  – Cybersecurity Research
Best Practices – Implement UNIFIED SECURITY
Don’t get caught flat-footed
Use advanced threat intelligence solutions to help you find indicators of compromise and respond faster to incidents.
Employ a strong security posture
Implement multi-layered endpoint security, network security, encryption, strong authentication and reputation-based technologies. Partner with a managed security service provider to extend your IT team.
Prepare for the worst
Incident management ensures your security framework is optimized, measurable and repeatable, and that lessons learned improve your security posture. Consider adding a retainer with a third-party expert to help manage crises.
Provide ongoing education and training
Establish guidelines and company policies and procedures for protecting sensitive data on personal and corporate devices. Regularly assess internal investigation teams—and run practice drills—to ensure you have the skills necessary to effectively combat cyber threats.
Develop a Unified Security Practice
Threat Protection
SERVERS GATEWAYS
Information Protection
DATA ACCESS ENDPOINTS
Managed Security Services
Incident Response
Security Simulation
DeepSight Intelligence
Cyber Security Services
CTA Defined
*Launched 2014
The Cyber Threat Alliance is a group of cyber security practitioners from organizations that have chosen to work together in good faith to share threat information for the purpose of improving defenses against advanced cyber adversaries across member organizations and/or their customers.
Founders
Contributors
CTA Advantage
• Raising collective situational awareness about advanced threats: motivations, tactics and the bad actors behind them
• Provide automatic deployment of prevention controls on adversaries and campaigns, maximizing members’ defensive capabilities
• Collaborative intelligence research and joint publications on high profile threats
Changing the Game
• Rethinking security: the industry must cooperate – competitors uniting to protect the ecosystem
• Crowdsource threat intelligence sharing and collaborative analytics for the complete threat story – greater volume/diversity of data gives a better picture of what is happening around the world
• Advantage moves to our side as we connect the dots – enhanced defenses as we attack the battlefield
• We don’t compete on the data intelligence – we compete on what we do with it. How does our technology differentiate us?
If it's Connected, it's Vulnerable
Know the risks.
Stay Informed
symantec.com/threatreport
Security Response Website
Twitter.com/threatintel
Thank You Robert Myles, CISSP, CISM Strategist - State & Local Government North America
@RobertMyles [email protected]
http://www.linkedin.com/in/robertmyles/