What Every Employee Should Know About Cyber Security - David O'Berry
DESCRIPTION
Los Angeles DGS 2013 presentation: What Every Employee Should Know About Cyber Security, by David O'Berry
TRANSCRIPT
McAfee Confidential—Internal Use Only
Real World Security: Current Threat and Mitigation State
“What We All Need To Know”
September 6, 2013
David O’Berry CISSP-ISSAP, ISSMP, CSSLP, CRISC, CRMP, MCNE
Strategic Technologies, McAfee Office of the CTO (OCTO)
• David O’Berry, Previously Director of Strategic Development and ITS for SC Probation, Parole, & Pardon Services
– During my 19+ years with South Carolina:
– MS-ISAC Executive Board
– SC Security Domain Chairman and Collaboration TL
– Midlands ISSA Chapter Founder and President
– Trusted Computing Group’s Customer Advisory Council (TNC-CAC)
– Chairman, TOG’s “Improving The Digital EcoSystem Workgroup”
– Chapters Published on IF-MAP, SCAP, TNC and Standards-Based Defense/Mitigation (ISMH 09,10,11)
• My Previous Life’s Work and the IT Environment
– 800+ users, rapidly growing ext. user-base (1000s)
– 100% Mobile capable – Plan started in 2002
– 26 – 30+ Full-time IT including development, engineering, help desk, & remote support
– Decentralized work force
• Heterogeneous and Open Standards Deployments
– Core: McAfee, Dell, Juniper, APC
– Network: Juniper, BlueCoat, Citrix, Imprivata
– Data: McAfee EEPC, Device Control, Host DLP
– Endpoint: McAfee AV, HIPS, Policy Auditor
– Management: McAfee’s ePolicy Platform, STRM, NSM Manager, Cacti & other “Open Source” products
THE THIRD PILLAR OF COMPUTING (slide graphic): POWER EFFICIENT PERFORMANCE, INTERNET CONNECTIVITY, SECURITY, leading to BETTER SECURITY SOLUTIONS & PRODUCTS
Threat Radar = Answering The Question Why?
• Industrial Threats Will Mature
• Hacktivism: Reboot or be Marginalized
• Windows 8: BIOS and Hardware Attacks
• Mobile Botnets, Rootkits, and Attack Surface…Oh MY!
• Rogue CERTs: Rooting Trust
Full Year 2012 Threat Report – Yikes! Key Trends
Source: http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q4-2012.pdf
• Android targeted malware spiked with newly discovered samples doubling in Q4
• Master Boot Record attacks on the PC storage stack increased 27%
• New PC malware returned to its historic growth trend with known samples now totaling more than 110 million
• Signed malware samples hit the “hockey stick” inflection point doubling in three months
• Suspect URLs, which are becoming the primary distribution mechanism for malware, increased 70% in Q4
• A new Advanced Persistent Threat (APT) known as Blitzkrieg appeared that targets financial services firms and their customers
Trends Continuing in Q2 - 2013
• Aggressive attacks on Android based mobile devices
• Material expansion of malicious/infected websites
• High volume spam campaigns against big pharma, but mostly outside of North America
• Extensive use of ransomware to drive up currency extraction
• Operation Troy efforts/residual activity continues in South Korea
• Digitally signed malware samples increased 50% to 1.2M samples
Global Malware Vision - Scary
| (Collection) “The Zoo” | End of 2010 (cumulative) | End of 2011 (cumulative) | End of 2012 (cumulative) | Added in Q2-2012 | Added in Q3-2012 | Added in Q4-2012 | Added in January 2013 | Added in February 2013 |
|---|---|---|---|---|---|---|---|---|
| Malware Zoo | 54,200,000 | 76,600,000 | 113,600,000 | +9,300,000 | +8,600,000 | +12,100,000 | +4,000,000 | +5,300,000 |
| Autorun | 5,600,000 | 8,000,000 | 12,000,000 | +1,240,000 | +865,000 | +1,300,000 | +426,000 | +656,000 |
| Exploits | 1,820,000 | 3,000,000 | 5,400,000 | +698,000 | +387,000 | +868,000 | +423,000 | +344,000 |
| FakeAV, Scareware | 5,500,000 | 9,200,000 | 13,100,000 | +981,000 | +980,000 | +1,184,000 | +358,000 | +313,000 |
| Macintosh | 2,160 | 3,250 | 4,200 | 320 | 210 | 180 | +50 | +90 |
| Mobile (*) | 14,500 | 43,000 | 1,073,000 | +52,000 | +195,000 | +768,000 | +111,000 | +104,000 |
| PWS & Keyloggers | 11,389,000 | 15,547,000 | 22,300,000 | +1,865,000 | +1,662,000 | +1,871,000 | +655,000 | +629,000 |
| Ransomware | 132,000 | 365,000 | 1,066,000 | +151,000 | +218,000 | +227,000 | +66,000 | +71,000 |
| Rootkits | 1,986,000 | 2,931,000 | 3,874,000 | +266,000 | +276,000 | +179,000 | +65,000 | +55,000 |
| Unix Like | 52,000 | 56,000 | 64,000 | +1,370 | +2,020 | +3,400 | +790 | +940 |
(*): Mobile malware and Potentially Unwanted Program binaries with libraries, unpacked and repacked samples.
The Great Zoo: McAfee Known Malware
Q1/Q2-2011: +12.1 million samples
Q3/Q4-2011: +10.3 million samples
Q1/Q2-2012: +16.3 million samples
Q3/Q4-2012: +20.7 million samples
February 28, 2013: we reach 123 million samples (110k new and unique malicious binaries classified daily)
Quarter per Quarter Exploits Detection (chart)
Quarter per Quarter FakeAlert/Scareware (chart)
Quarter per Quarter Rootkits Detection (chart)
Quarter per Quarter Mobile Detection (chart)
Quarter per Quarter Ransomware Detection (chart)
Quarter per Quarter Password Stealer & Keylogger Detection (chart)
Economic Model of the Attack
• More Malware Variations: 10,000 daily new malware threats
• Attack Target – Users vs. Machines: 4m active new zombies per month
• New malicious website detected every 30 seconds
• Toolkits & Obfuscation: 85% of malware is obfuscated
• 90% of all threats have been financially motivated
• Web 2.0 is the Catalyst!
A Better Biz Model Than Most Companies…
A newcomer: Vector Bot 32-64 Bit
[+] Bin Price : 1000 EUR [+] Payment Only Via LR
And…here…we…go
Vulnerabilities – Fuel to the Fire
Overview of vulnerabilities patched by Microsoft
Source: François Paget – McAfee Labs
Vulnerabilities - …more
Overview of vulnerabilities patched by Apple
Source: François Paget – McAfee Labs
The Company We All LOVE…
Overview of Adobe Vulnerabilities
Source: François Paget – McAfee Labs
Trends To Help You Sleep Better…?!?!?!
Source: https://www.nsslabs.com/news/press-releases/nss-labs-vulnerability-threat-report-sees-significant-rise-vulnerability
Research shows overall vulnerability disclosures rose a staggering 26% in 2012; vulnerabilities in SCADA systems protecting critical infrastructure have skyrocketed 600% since 2010.
ZEUS = 34zY B0tN3Tz Zeus / Zbot Strains
• The source code for Zeus was leaked on the internet in May 2011.
• Available on forums, rapid-share, and torrents if you search for it.
• Anyone with compiling skills can create infinite Zeus variants.
• In a 3 year period, we’ve seen 25,165,306 unique samples.
• You read that right, that is over 25 million Zeus variants.
• Averaging 120,000 – 200,000 new Zeus variants per month for a while now.
Source: Thomas, Vinoo
State Sponsored Hacking Matters
Cyberattack leaves natural gas pipelines vulnerable to sabotage
From December 2011 through June 2012, cyberspies targeted 23 gas pipeline companies with e-mails crafted to deceive key personnel into clicking on malicious links or file attachments that let the attackers slip into company networks, says the Department of Homeland Security (DHS) report.
The report does not mention China, but the digital signatures of the attacks have been identified by independent cybersecurity researchers as belonging to a particular espionage group recently linked to China’s military.
Source: http://www.csmonitor.com/Environment/2013/0227/Exclusive-Cyberattack-leaves-natural-gas-pipelines-vulnerable-to-sabotage
Network Threat Trends – Developers, Developers, Developers!!!!
The leading network threat this quarter came via Microsoft remote procedure calls. This was followed by a very close race between SQL-injection and cross-site scripting attacks. These two attacks are very much remote in nature, meaning they can be launched at selected targets around the globe.
Top Network Threat by Type:
| Threat type | Share |
|---|---|
| Remote Procedure Call | 26% |
| SQL Injection | 21% |
| Cross-Site Scripting | 19% |
| Browser | 15% |
| CGI Command Execution | 12% |
| Others | 7% |
Sad and Scary Numbers?
80% Of CISOs See Employees As The Greatest Data Threat
73% Of Data Breaches Come From Internal Sources
77% Unable To Audit Or Quantify Loss After A Data Breach
Survey sources: Dark Reading/InformationWeek Survey; MIS Training Institute at CISO Summit; McAfee Datagate Report, produced by DataMonitor (survey of 1400 IT professionals across UK, US, DR, DE, and Australia)
This was THEN… Literally in Black and White!!!
Next generation data centers - the utility computing vision
(Diagram; labels as extracted: internet, intranet; edge routers; routing switches; authentication, DNS, intrusion detect, VPN; web cache; 1st level firewall; access tier; load balancing switches; web tier: web servers, web page storage (NAS); 2nd level firewall; application tier: application servers, files (NAS); database tier: database SQL servers, storage area network (SAN); switches; switched fabric of processing elements and storage elements; infrastructure on demand; large scale virtualized utility fabric provides application services to millions of users; multi-tiered applications.)
Threats Rapidly Moving Down the Stack
(Diagram; stack layers as extracted: Applications/RDBMS, Operating System, Virtual Machine, BIOS, CPU, I/O, Memory, Disk, Network, Display; security products shown: AV, HIPS.) Callouts:
• Traditional attacks—and defenses—focused primarily on the application layer
• Attack and disable security products and hence all protection
• Infect OS with APT’s resulting in threats hidden from security products
• Compromise virtual machine and hence all guest machines within
• Rogue peripherals & firmware bypassing all other security measures
• “Ultimate APT’s” compromise devices below OS, either before or after shipment
And They Wonder Why We Seldom Sleep Peacefully…?
Around the World Social Media Popularity
Source: http://resources.infosecinstitute.com/social-media-use-in-the-military-sector/
200 million announced on February 14 ?
Hacktivism Networks Will Continue to Evolve
McAfee believes the historical “Anonymous” syndicate will reinvent itself or die out. The people leading digital disruptions will become better engaged with the people leading physical demonstrations. For political and ideological ends, the private lives of public figures—politicians, industry leaders, judges, and law-enforcement and security officers—will be disclosed this year more than in the past. Some hacktivists will operate along the same lines as the various “cyberarmies” that primarily flourish in nondemocratic or nonsecular states.
Anonymous + SCADA
Industrial Attacks Will Mature
Siemens PLCs
Nuclear Enrichment Centrifuges
Stuxnet Proliferation
Stuxnet proved that malicious code can create a real world, kinetic response. Recent incidents directed at water utilities in the United States show that these facilities are of increasing interest to attackers. The more attention is focused on SCADA and infrastructure systems, the more insecurity seems to come to light. We expect to see this insecurity lead to greater threats through exploit toolkits and frameworks as well as the increased targeting of utilities and energy ICS systems in particular.
Around the World: Mandiant accuses the People's Liberation Army Unit 61398 of hacking
Source: http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
The report, by Mandiant, identifies the People's Liberation Army's (PLA) Shanghai-based Unit 61398 as the most likely perpetrators of the hacking. The company said it believed the unit had carried out "sustained" attacks on a wide range of industries.
"The nature of Unit 61398's work is considered by China to be a state secret; however, we believe it engages in harmful computer network operations," Mandiant said. "It is time to acknowledge the threat that is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively."
Anonymous Doxing
The Goal of Radical Consumerization is…?
Secure Access to a Ubiquitous Computing Environment
The Mobility “Explosion”!
(Chart: FROM … TO 50 Billion)
Lost Smartphone Protection – Employees consistently fail to protect their mobile devices
(Bar chart, 0% to 60% scale. Categories in chart order: Other, Anti-virus/anti-malware, Client firewall, Password or keypad lock, Encryption, Anti-theft device, No protection. Values in chart order: 4%, 5%, 11%, 17%, 19%, 31%, 57%.)
Rogue Certificates
• Threats such as Flame, Stuxnet, and Duqu used rogue certificates to great effect to evade detection. Although this is not the first time we have seen this behavior (fake AV, certain Zeus variants, Conficker, and even some old Symbian malware used them), we expect to see this trend increase in 2012 and beyond.
• We need to be aware and very concerned about the implications of large-scale rogue certificates on the whitelisting and application control technologies that use these certs.
• Wide-scale targeting of certificate authorities and the broader use of fraudulent, yet valid, digital certificates has ramifications for public-key infrastructure, secure browsing, and transactions.
Countermeasures Trends: Intelligence, Response, and Red Teams
Partnerships for information sharing
Extensive Red Teaming and SE Testing
Develop Operational Readiness
Focus on OSINT analysis and Forensics
Extensive Internal CERT Team investments
Coordinated Security
(Diagram; components as extracted: Routing, Server or Cloud Security, IDS, Switching, Wireless, Firewalls, IPAM, SIM / SEM, Asset Management System, AAA, ICS/SCADA Security, Physical Security, Endpoint Security (via NAC); linked through Open Interfaces using the IF-MAP Protocol; Nitro, ePO, MAP Servers.)
The Industry - Refocused
• The New Biz World Requires More Devices (Mobile etc.) Therefore Usually More Work
• Nothing Is Getting Easier
• Endpoints And Flowpoints Were/Are Unmanageable With Technology That Does Not Scale From A Visibility Perspective
• Standardize Where/What You Can
• BOTH Modularity And Scalability Of Both Product And Aggregator Of Relevant Data Required
• Slow Adoption Of Standard Solutions Cripples Innovation and Impacts Efficiency of the Overall Digital Ecosystem Safety
• We Are All Part Of One Organism In This Digital Ecosystem
• Immune System Concept, If Extremities Get An Infection It Can Easily Become Systemic
• “Digital Feudalism” or Castle And Moat Were Reasonable In The Past
• Now The “Barbarians” Can Draft Your Citizens, Dogs, Cats, Livestock, Refrigerators, etc. Into Service Against You
• Bad Security Threatens Innovation Which In Turn Threatens Productivity
• Don’t Give Anyone An Excuse – No to So…