Top Security Trends for 2014

Amichai Shulman, CTO, Imperva

Agenda

§  Introduction §  2013 forecast scorecard §  2014 security trends § Summary and conclusion § Q&A

Amichai Shulman – CTO, Imperva

§ Speaker at industry events •  RSA, Appsec, Info Security UK, Black Hat

§  Lecturer on information security •  Technion - Israel Institute of Technology

§  Former security consultant to banks and financial services firms

§  Leads the Imperva Application Defense Center (ADC) •  Discovered over 20 commercial application vulnerabilities

§  Credited by Oracle, MS-SQL, IBM and others

Amichai Shulman one of InfoWorld’s “Top 25 CTOs”

2013 Forecast Scorecard

Trend Score

1 Hack%vism gets process driven C

2 Government malware goes commercial B+

3 Black clouds on the horizon B+

4 Community policing A

5 APT targets the li?le guy A

#1 - 3rd Party is “No Party”

Known Vulnerabilities: The Known Knowns

§  There are known knowns; these are things we know that we know…

•  Donald Rumsfeld, U.S. Secretary of Defense, February 2002

§  3rd Party Known vulnerabilities Vulnerable components (e.g., framework libraries) can be identified and exploited (OWASP: https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities)

Rich Attack Surface

According to Veracode: •  Up to 70% of internally developed code originates outside of the

development team •  28% of assessed applications are identified as created by a 3rd

Security Falls Between the Cracks

§ Application developers •  Introduce 3rd party code into the system •  Not responsible for 3rd party code security (or

quality) •  Not responsible for run-time configuration of 3rd

party components

§  IT operations •  Not always aware of 3rd party components

§  Web server type is more visible than a library

•  Reluctant to change configuration settings that might impact application behavior

2014 Forecast: Bigger! Stronger! Faster!

§ Bigger! – More Vulnerabilities! § Stronger! – As a result of the

of the vulnerabilities’ market richness, attackers will create vulnerabilities “mash-ups,” combining several different vulnerabilities together

§  Faster! – Shorter time from vulnerabilities’ full disclosure to exploits in the wild

Source: http://cdn.thinksteroids.com

Bigger! Disclosure Rate Increases

§ More software + more security researchers + more bounty programs = more vulnerabilities’ disclosures

§ CVE IDs Enumeration syntax was changed to track more than 10,000 vulnerabilities in a single year, starting on 2014

Stronger! Vulnerabilities “Mash-Up”

§  Take several “cheap” (low CVSS impact score) known vulnerabilities •  CVE-2010-3065: PHP

§  NIST assigned impact score: 2.9

•  CVE-2011-2505: PHPMyAdmin session modification vulnerability §  NIST assigned impact score: 4.9

§  To create a shining exploit •  PHPMyAdmin full server takeover exploit •  Effective impact score: a perfect 10

§ Read more on Imperva’s HII report: http://www.imperva.com/docs/HII_PHP_SuperGlobals_Supersized_Trouble.pdf

Stronger! 1 + 1 = 3

Faster! Vulnerability Weaponization

§ Since a vulnerability has a limited time span, attackers strive for a faster vulnerability weaponization

§ We had witnessed weaponization time cut from weeks to days

§  Infrastructure is the key to fast weaponization •  Exploit code is often publicly available •  Dormant botnets are ready to launch the attack •  Command and Control (C2) servers and zombies support

§  Dynamic content §  Dynamic targets

#2 - Server Based APT Alternative

Web Servers Infection is the New Black

§ Goals of infecting corporate work stations •  Harness computing resources

§  Network bandwidth to be used in DDoS attacks

§  CPU power to mine Bitcoins

•  Use as a bridgehead into the corporate datacenter

§ Both goals are better achieved by targeting web servers •  More powerful •  Inherently connected to the corporate datacenter

Traditional Infiltration Attack

Why Start with Web Servers?

§ Easier reconnaissance •  Detect type and components, discover vulnerabilities

§ Accept inbound communications from the Internet (by definition) •  Direct attack, no need for “human factor” •  Remote control becomes easier •  Attacker identity

§  Land (almost) directly into the data center •  No need for “lateral movement”

§ Wide outgoing pipe •  Exfiltration made easier

Means and Opportunity

§ Many code execution / full server takeover vulnerabilities exist

§ Most are easy to weaponize and exploit §  In 2013, the following environments were vulnerable to

such attacks •  ColdFusion •  Apache Struts •  vBulletin (TA) •  Jboss (TA) •  PHP

http://blog.imperva.com/2013/11/threat-advisory-a-jboss-as-exploit-web-shell-code-injection.html http://blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html

Warning Signs

2014 Forecast: Server Based APTs

§ We expect more APT operations to happen through server compromise

§ Such attacks have even a smaller footprint than existing APT techniques •  Initial infection •  Lateral movement •  Exfiltration

§ Public disclosure will probably arrive 2015

#3 - Ad Networks = Added Risk

Reality Check 1

§ Malware infected PCs = potential income § Plenty of ways to monetize (KrebsOnSecurity)

Source: http://krebsonsecurity.com

Reality Check 2

§  Infected mobile devices are even more valuable § Can do anything a PC does, therefore can be monetized

the same way § Additionally, can send “premium SMS” – a very effective

and direct monetization method

Source: http://thenextweb.com

Black Market Economy 101

§  Infected end points are valuable §  Therefore, driving traffic for infecting site is valuable § Sample price list for geo-location profiled traffic (per

thousand unique visitors; Credit: Webroot blog):

Source: http://webrootblog.files.wordpress.com

Malware + Advertising = Malvertising

§ Paying someone to show your content is an already established business practice

§  It’s called advertising! § And when the content is

malicious it’s Malvertising §  Targeted advertising is very

efficient § And so is targeted

malvertising Source: http://bluebattinghelmet.files.wordpress.com

Malvertising so 2010…

Source: http://upload.wikimedia.org

The Main Door is (Pretty Much) Locked

§ Vendors closely monitor their app shops for malware § Result: attackers cannot directly upload malicious apps

2014 Forecast: Year of Mobile Malvertising

§ Dynamic content to already installed apps does not go through the app shop

§ Supply - mobile app vendors •  Have many users •  Do not have a way to monetize on the traffic •  Eager for advertising revenues

§ Demand – cyber criminals •  Have malicious content •  Look for alternative delivery to end users, as market is blocked •  Eager for traffic

§ Outcome: Mobile Malvertising

BadNews Ad Network Infected Apps

Source: https://blog.lookout.com

The Ad Market is Very Complex

§ Complex environment is a hotbed for attackers

§ Many opportunities for the attacker to attack •  Can choose the weakest link •  Can move to the next target

when denied

§ App makers have a vast “deniability region”

Source: http://ad-exchange.fr

#4 - (Finally) Cloud Data Breaches

We are Not in Kansas Anymore Toto!

§ Demand •  SaaS and DBaaS are becoming mainstream •  Not early adapters anymore •  Less technical oriented organizations •  Test and pilot deployments become production •  Dial moves from “nice to have” applications to “mission critical”

applications

§ Supply •  Many new providers •  Smaller, less experienced organizations •  Carpe Diem

§  I wanted an app of my own but ended up building a cloud service

Everybody Is Doing It

§ According to Verizon ‘2013 State of the Enterprise Cloud Report’ (January 2012 – June 2013) •  The use of cloud-based storage has increased by 90 percent •  Organizations are now running external-facing and critical

business applications in the cloud – production applications now account for 60 percent of cloud usage

Hiding in the Fog

§ Outsourcing data MISTAKEN for outsourcing responsibility

§  Low number of breaches §  False sense of safety

Ball Waiting for the Player

§  Traditional RDBMS services •  Used as C&C and dropper infrastructure by cyber criminals •  Security attitude is not adapted to cloud reality •  See our “Assessing the Threat Landscape of DBaaS” HII for

more details

§ Big Data services •  Innovative •  Smaller providers •  Using innovative technologies with little to no security built-in •  Widely adopted by web application startup community, often

storing personal information

Warning Signs and Wakeup Calls

2014 Forecast: Cloud Breaches Increase

§ We expect to see a significant increase in cloud service data breaches •  SaaS •  DBaaS

§ We expect to see a growing use of DBaaS by attackers. It’s a newcomer to our 2013 ‘Black Cloud on the Horizon’ trend

#5 – Commercial Malware for Data Centers

Advanced Threat – State Sponsored

Stuxnet • Manual

intelligence • Advanced

malware attack

Doqu • Automatic intelligence

Rocra • Both • See

Red October: The Hunt For the Data

Growing Criminal Interest

Commercialization of Military Technologies

§ Advanced threat malware capabilities flow into criminal malware •  Technology – modular code, two tier C&C, include data access

and handling code •  Target – enterprise internals

§ Examples •  Narilam – destroys business application databases •  Malware targeting business application (SAP) spotted

Built-in Database Access

§ Our december 2013 HII shows commercial malware using DBaaS as infrastructure

§ Data store accessing capabilities §  Mevade – using an integrated services language based on SQL, called

WQL (SQL for Windows Management Interface) to query the target system's database to learn the security settings.

§  Shylock – SQLlite - Any messages that Skype sends are stored in Skype's main.db file, which is a standard SQLite database. Shylock accesses this database and deletes its messages and file transfers so that the user could not find them in the history.

§  Kulouz – SQLlite to access browser data repositories for sensitive information, such as credentials

§  Database access malware was used in SK Comms data breach

2014 Forecast: Datacenter is the Goal

§ We are the tipping point and in 2014 we will see active automated attacks against enterprise data centers •  Infection methods are more effective than ever •  Malware infrastructure is mature and ready •  Criminal use cases are staring to show up

§ We expect business applications to become first class target for criminals •  Easier to manipulate •  The internal version of “web application attacks”

Summary and Conclusion

Summary

§ Our five trends for 2014 •  3rd party vulnerability exploit – bigger, stronger, faster •  Web server compromise – alternative to APT •  Ad network infections – more targeted, mobile oriented •  Cloud breaches – sharp rise in actual incidents •  Commercial malware – criminals are after your data center

§ Attackers focus their attention on getting into the data center – physical or virtual

§ Attackers prefer to use the front door (web servers) but at the same time are constantly improving on the alternatives (malware and infection methods)

Recommendations

§ Protect your front door protection •  Web Application Firewalls are not “nice to have” •  SDLC and patching fail in modern software and threat

environments

§  Improve your internal DATA controls •  Enhance visibility to data access, both structured and

unstructured •  Introduce capabilities to detect abusive access to data center

resources

§ Evaluate solutions for your cloud data repositories •  Perform better due diligence of providers

Bottom Line

§ Balance your security budget to reflect the need for more data protection over end-point and network perimeter protection

Webinar Materials

Post-Webinar Discussions

Answers to Attendee

Questions

Webinar Recording Link Join Group

Join Imperva LinkedIn Group, Imperva Data Security Direct, for…

www.imperva.com

Top Security Trends for 2014

Technology

Transcript of Top Security Trends for 2014

Top 5 BYOD & Mobile Security Trends of 2016

Top trends driving IT security in 2014 Daniel Ayoub, CISSP, CISM, CISA Product Manager, IPS Dell | Network Security 2014.

2017 Security Trends - AhnLab, Inc.download.ahnlab.com/global/brochure/Security_Trends_2018...2017 Security Trends Top 5 Security Trends to Remember from 2017 Acceleration of Mobile

Top Trends 2010

Top Trends - Overall

Top trends-2012

Top trends driving IT security in 2014

The Top Password Security Trends

Top Security Trends for 2013

THE 2017 CYBER SECURITY REALITY - VMware€¦ · Top Security Market Trends Pose Challenges increasingly sophisticated malware and targeted ... Security professionals also grapple

Auditing After a - Institute of Internal Auditors security Trends in 2013 Are we learning from Cyber Security Trends? Open Web Application Security Project (OWASP) 9 Top 5 Vulnerabilities

Security Trends

Trends in Retails Security Systems and Retail Security trends in India

Top 10 trends 2014 8 Top 10 trends 2014 - World Economic Forum

Top Enterprise Security Trends of 2017

Top 10 Risk & Compliance Trends & Predictions for 2020...Trends & Predictions for 2020 Carrie Penman, Chief Risk & Compliance Officer| NAVEX Global ... •Network security •Software

Information Security Trends The Information Security Process Information Security Trends Emiliano Kargieman ek@corest.com.

Top 9 Data Security Trends for 2012

Mkb TOP Trends

Top Trends Shaping the Beverage Alcohol Marketbeverageforum.com/images/2016presentations/Workshop3_AcloholTren… · Top Trends Shaping the Beverage Alcohol ... Top Trends Shaping