Post on 02-Jan-2016
© 2004 Cybertrust Corporation. All rights reserved. Confidential and Proprietary
Information Security Risk Briefing May 2, 2005
William Harrod, VP Intelligence Division, Cybertrust
William.Harrod@cybertrust.com
Agenda
•Welcome & True Confessions
•Who is Cybertrust?
•PITAC Report
•What is wrong with our thinking?
•Risk Models That Work
•Good Data
Who is Cybertrust?
WildList Organization, firewall wizards
4,000 Corporate Clients
ICSA - the De Facto Standard
•Set security product standards since 1989
•Track and measure risks
•Lead security industries
•Test and certify products: anti-virus products ~100%, firewall products ~100%, cryptography products ~100% IPSec and 70% SSL; IDS, IPS, vulnerability assessment, wireless…
•Significant access to security vendors’ expertise: 160+ security product and Internet vendors, 400+ products; meet every vendor every 90 days; mail lists, web boards
•Continuous product testing
Cybertrust - Unmatched Security Intelligence: 108 Dedicated People (CyberIntelligence)
Monthly and daily intelligence activities:
•1.2 million remote IP address scans
•2.5 million internal IP address scans
•1.2 million lines of security code analyzed
•Online Guardian: hundreds of millions of security events analyzed and correlated
•Thousands of IPs penetration tested
•Intel: tracks thousands of sources daily
•Hundreds of Internet malware sensors watched
•400 Usenet groups followed
•200 GBs of Web data collected and analyzed
•10,000 Web sites monitored
•IS/Recon: 10,000 hackers tracked
•WildList: tracks malcode in the wild
Cybertrust Global Risk Index 2000-2004
[Chart: index scores by category, 2000-2004, for Electronic, Malcode and Inside, each with a linear trend line; y-axis 0 to 2000]
400,000 Attacks against Corporate Servers
According to a study just published by Zone-H, attacks against corporate servers rose by 36% in 2004 to nearly 400,000 attacks.
Successful Web Site Hacks
[Chart: daily rate of successful web site hacks, 1999-2005; y-axis 0 to 2500]
2004 Web Site defacement trends by OS:
[Chart: Unix (Source 1), Windows (Source 1) and Sum (Source 1), with Unix, Win32 and global average trend lines; y-axis 0 to 25000]
Probes per day against average single IP address
[Chart: probes per day, 1999-2004; y-axis 0 to 350]
Often a reconnaissance or fingerprinting of active devices in order to assemble a target list for hacking vulnerable devices.
Growth in Malicious Code
[Chart: WildList growth, Sep-03 to Aug-04, Top and Bottom series with linear trend lines; y-axis 0 to 800]
2004 was the Year of the Bot
[Chart: new attack code monthly and ’owned’ computers (x10,000), 1999-2004; y-axis 0 to 700; annotation: 6.5 Million]
2004 was also the Year of Malicious Mail
[Chart: misuse as % of email, Jan-04 to Jul-04; y-axis 0 to 80]
Spam, Spyware, Worms, Virus, Phishing, Extortion, Scams…
How Vulnerable Are You?
If yours is an average U.S. corporation, here’s what your network is experiencing this week.
About a dozen computers somewhere in your organization encountered a computer virus, worm, or spyware.
Three people scrounged through desks and drawers looking for someone else’s password. One of them succeeded and used it.
On average six sexually explicit graphics were mailed or shared among some of your users in the past week. There is a 50-50 chance that some of these are stored on your network.
At least one person experimented with a “hacking” tool or technique on the general computers, servers, and databases inside your network in the past month.
Despite all the press and focus on hacking and viruses, there is a 65% likelihood that the next security breach your staff deals with will come from an insider.
Statistics provided by ICSA Labs
First some good news:
Economics is on our side: cheap hardware firewalls, smarter network interface cards (NICs), routers, strong authentication, and end-to-end encryption (e.g., SSL, SSH, VPNs) will be used to hide operating system vulnerabilities, privileged controls, sensitive applications, and gratuitous functionality from the public networks.
Compliance and regulatory requirements will drive security as a business issue.
Driven by demand from their customers, by competition, and by the example of AOL, retail ISPs are taking more responsibility for protecting their customers and for protecting the rest of us from rude behavior by their users.
While users will continue to compromise perimeter controls with tunnels and click on strange files and icons, default use and automatic update of scanners, and controls to limit connectivity of systems that are not current will make us collectively resistant to viruses.
Rogue hackers are losing their Robin Hood image and public sympathy, attracting law enforcement attention, being identified, indicted, prosecuted, convicted, and sentenced to jail.
There is an emerging consensus that rewarding hackers with jobs encourages more hackers without reforming anyone.
But also some bad news:
•Hacking is no longer trivial but serious, no longer for loners but for teams, no longer for fun but for profit, no longer mischievous but malicious and criminal, no longer amusing but frightening.
•The Internet is seriously compromised by contaminated machines.
•Anonymity in the Internet is now a commodity for sale.
•Users will continue to compromise perimeter controls with tunnels and by clicking on strange files and icons (IM, P2P).
•The rate of discovery of buffer-overflow vulnerabilities is going up and the time to exploitation is going down.
•We will continue to try and patch and fix our way to security; we will enjoy the same lack of success.
More bad news:
Spam now accounts for a significant part of the load for the Internet and more than half of e-mail.
Phishing is just the latest demonstration that the chain of trust is broken – things aren’t what they appear to be.
The transport layer can no longer be relied upon for security.
Connectivity trumps security.
Viruses and worms are becoming more sophisticated, successful, and malicious. They are used to compromise systems and to insert remote controls, keystroke grabbers and other spyware, covert agents ("bots"), and backdoors. They are a standard tool in the cracker’s kit.
Insider Threat Study
Study by CERT, US Secret Service and CSO Magazine
Most of the incidents in the banking and finance sector were not technically sophisticated or complex. They typically involved the exploitation of non-technical vulnerabilities such as business rules or organization policies (rather than vulnerabilities in an information system or network) by individuals who had little or no technical expertise.
In 87% of the cases, the insiders employed simple, legitimate user commands to carry out the incidents.
In 78% of the incidents, the insiders were authorized users with active computer accounts.
81% were premeditated. Furthermore, in most cases, others had knowledge of the insider’s intentions, plans, and/or activities. Those who knew were often directly involved in the planning or stood to benefit from the activity.
Insider Threat Study (cont.)
81% were motivated by financial gain, rather than a desire to harm the company or information system.
Insiders in this report fit no common profile. Only 23% held a technical position, 13% had a demonstrated interest in “hacking” and 27% had come to the attention of a supervisor or co-worker prior to the incident.
Insider incidents were detected by internal, as well as external, individuals – including customers.
The impact of nearly all insider incidents in the banking and finance sector was financial loss for the victim organization: in 30% of the cases the financial loss exceeded $500,000. Many victim organizations incurred harm to multiple aspects of the organization.
83% were executed physically from within the insider’s organization and took place during normal business hours.
Predictions 1, 3, 5 years out
•Malicious code will continue to get worse, particularly for corporations with mobile users, novice users, and extended enterprise connections.
•Phishing will continue to get worse over the next year.
•Spyware and remote controlled “Bots” will continue to cost organizations more money and result in increasing risks for loss of proprietary and customer data.
•The slow adoption of Microsoft XP SP2 (< 5-10% adoption) reduces the benefits of the security advancements available from it, and minimizes the “immunity” factor.
•Mobile phones will be one of the growing targets for malicious code.
•Instant Messaging is now being used to spread malicious code and spyware.
Predictions 1, 3, 5 years out
•Database attacks. “Follow the Money” - the direct attacks are going for the money, and databases are the vault. These attacks include multiple vectors involving web applications, database configurations and access controls, insider threats and storage area network security.
•Emerging technologies entering the environment too quickly, before they mature and stabilize. Wireless, P2P, VoIP, IM, MP3 players, IPv6 are only a few examples. Technologies are quickly allowed to enter the enterprise. This allows a multitude of unknown and zero-day vulnerabilities, mis-configuration, user and admin errors, and attack vectors into the environment.
Recommendations
•Adopt restrictive policies.
•Avoid gratuitous functionality.
•Scan at the perimeter and the desktop, in both directions; refuse all unexpected attachments.
•Close your networks to all but registered (and current) devices and users.
•Measure the state of your networks, systems, and applications; measure the performance of their managers and users.
•Layer your defenses; do not rely on a brittle perimeter and a soft center.
•Strengthen accountability with end-to-end encryption, strong authentication, and an integrated audit trail.
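The “refuse all unexpected attachments” recommendation above is a default-deny rule: an attachment is accepted only if it is on an explicit allow-list, and anything else is refused. The following is an added illustration of that rule, not code from the briefing or from Cybertrust. It builds a constructed sample message with Python’s standard library, then applies an assumed allow-list of content types, an assumed list of executable file extensions (so a double extension like invoice.pdf.scr is refused even though the sender declared an allowed type), and a check of the decoded payload for a PE header, since the declared type and file name are entirely under the sender’s control.

```python
"""Default-deny email attachment check (added example; allow-lists are assumptions)."""
from __future__ import annotations

from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed allow-list: the content types this organisation expects to receive.
# Anything not listed is "unexpected" and is refused.
ALLOWED_TYPES = {"application/pdf", "image/png", "image/jpeg", "text/plain"}

# Assumed list of extensions that carry executable content on Windows hosts.
# Checked on the LAST extension, so "invoice.pdf.scr" is treated as ".scr".
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}

# Leading bytes of a DOS/PE executable; checked on the decoded payload because
# neither the declared MIME type nor the file name can be trusted.
PE_MAGIC = b"MZ"


def _extension(filename: str) -> str:
    """Return the final extension (lower-cased, with the dot) or '' if none."""
    name = filename.lower()
    return name[name.rfind("."):] if "." in name else ""


def attachment_verdicts(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, verdict) pairs; verdict is 'allow' or a refusal reason.

    Order of checks: executable extension, executable content, then the
    content-type allow-list. A message is clean only if every part is allowed.
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    verdicts: list[tuple[str, str]] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        if _extension(name) in EXECUTABLE_EXTENSIONS:
            verdicts.append((name, "refuse: executable extension"))
        elif payload.startswith(PE_MAGIC):
            verdicts.append((name, "refuse: executable content"))
        elif ctype not in ALLOWED_TYPES:
            verdicts.append((name, f"refuse: unexpected type {ctype}"))
        else:
            verdicts.append((name, "allow"))
    return verdicts


def message_allowed(raw_message: bytes) -> bool:
    """True only when every attachment passes the default-deny policy."""
    return all(verdict == "allow" for _, verdict in attachment_verdicts(raw_message))


def build_sample_message() -> bytes:
    """Constructed sample: one expected attachment and three that must be refused."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Q1 report"
    msg.set_content("See attached.")
    # Expected: declared PDF, PDF-looking content, .pdf extension.
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    # Double extension: declared as an allowed type, but the real extension is .scr.
    msg.add_attachment(b"MZ\x90\x00 constructed stub", maintype="application",
                       subtype="pdf", filename="invoice.pdf.scr")
    # Benign name and allowed declared type, but the payload is a PE header.
    msg.add_attachment(b"MZ\x90\x00 constructed stub", maintype="application",
                       subtype="pdf", filename="update.pdf")
    # Archive: not on the allow-list, so refused as unexpected.
    msg.add_attachment(b"PK\x03\x04 constructed stub", maintype="application",
                       subtype="zip", filename="photos.zip")
    return bytes(msg)


if __name__ == "__main__":
    sample = build_sample_message()
    for filename, verdict in attachment_verdicts(sample):
        print(f"{filename:20s} {verdict}")
    print("message allowed:", message_allowed(sample))
```

The allow-list, extension list and magic-byte check are deliberately small so the logic is visible; a production gateway would also unpack archives, apply the same checks recursively, and log every refusal with the sender and recipient for the audit trail the last recommendation calls for.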
PITAC Report
“Cyber Security: A Crisis of Prioritization”
President’s Information Technology Advisory Committee Report
http://www.nitrd.gov/pitac/reports