Information Security Risk Briefing May 2, 2005

© 2004 Cybertrust Corporation. All rights reserved. Confidential and Proprietary

William Harrod, VP Intelligence Division, Cybertrust
[email protected]

Transcript of Information Security Risk Briefing May 2, 2005 (PowerPoint presentation, 26 slides)

Page 1: Information Security Risk Briefing May 2, 2005

Page 2

Agenda

•Welcome & True Confessions

•Who is Cybertrust?

•PITAC Report

•What is wrong with our thinking?

•Risk Models That Work

•Good Data

Page 3

Who is Cybertrust?

[Slide graphic; visible text fragments: WildList Organization, firewall wizards]

Page 4

4,000 Corporate Clients

Page 5

ICSA - the De Facto Standard

•Set Security Product Standards since 1989

•Track and Measure Risks

•Lead Security Industries

•Test and Certify Products: Anti-Virus Products ~100%; Firewall Products ~100%; Cryptography Products ~100% IPSec, 70% SSL; IDS, IPS, Vuln Assessment, wireless…

•Significant access to security vendors' expertise: 160+ Security Product and Internet Vendors, 400+ Products; meet every vendor every 90 days; mail lists, web boards

•Continuous Product Testing

Page 6

Cybertrust - Unmatched Security Intelligence: 108 Dedicated People

CyberIntelligence - Daily and Monthly Intelligence Activities

•1.2 million remote IP address scans

•2.5 million internal IP address scans

•1.2 million lines of security code analyzed

•Online Guardian: hundreds of millions of security events analyzed and correlated

•Thousands of IPs penetration tested

•Intel: tracks thousands of sources daily

•Hundreds of Internet malware sensors watched

•400 Usenet groups followed

•200 GBs Web data collected and analyzed

•10,000 Web sites monitored

•IS/Recon: 10,000 hackers tracked

•WildList: tracks malcode in the wild

Page 7

Cybertrust Global Risk Index 2000-2004: Index Scores by Category, 2000-2004

[Chart; y-axis 0-2000; series: Electronic, Malcode, Inside, each with a linear trend line]

Page 8

400,000 Attacks against Corporate Servers

According to a study just published by Zone-H, ATTACKS against Corporate Servers rose by 36% in 2004 to nearly 400,000 attacks.

Page 9

Successful Web Site Hacks

[Chart: daily rate of successful web site hacks, 1999-2005; y-axis 0-2500]

Page 10

2004 Web Site defacement trends by OS:

[Chart; y-axis 0-25000; series: Unix (Source 1), Windows (Source 1), Sum (Source 1), with Unix, Win32 and global average trend lines]

Page 11

Probes per day against average single IP address

[Chart, 1999-2004; y-axis 0-350]

Often reconnaissance or fingerprinting of active devices in order to assemble a target list for hacking vulnerable devices.
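The slide's metric, probes per day against a single IP address, is something a defender can compute directly from firewall deny logs, and the same pass over the logs can flag the reconnaissance pattern the slide describes (one source touching many ports on one host, or one port across many hosts). The script below is an added example, not code from the briefing or from Cybertrust; the log format and the sample lines are constructed for the example and use RFC 5737 documentation addresses.

```python
"""
Added example (not from the Cybertrust briefing): compute probes per day
against each destination IP from firewall deny logs, and flag sources whose
probe pattern looks like reconnaissance or fingerprinting.

The log format and the sample lines below are constructed for this example;
adapt parse_line() to your firewall's actual format.
"""
from collections import defaultdict
from datetime import datetime
import re

# Constructed log format: "<ISO timestamp> DENY <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Constructed sample data (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
2004-06-01T00:05:12 DENY 203.0.113.5:40001 -> 198.51.100.10:22
2004-06-01T00:05:13 DENY 203.0.113.5:40002 -> 198.51.100.10:23
2004-06-01T00:05:14 DENY 203.0.113.5:40003 -> 198.51.100.10:80
2004-06-01T00:05:15 DENY 203.0.113.5:40004 -> 198.51.100.10:135
2004-06-01T00:05:16 DENY 203.0.113.5:40005 -> 198.51.100.10:445
2004-06-01T00:05:17 DENY 203.0.113.5:40006 -> 198.51.100.10:1433
2004-06-01T03:10:00 DENY 203.0.113.77:51000 -> 198.51.100.10:445
2004-06-01T09:00:00 DENY 203.0.113.78:51001 -> 198.51.100.11:445
2004-06-02T00:00:01 DENY 203.0.113.9:1025 -> 198.51.100.10:445
2004-06-02T00:00:02 DENY 203.0.113.9:1026 -> 198.51.100.11:445
2004-06-02T00:00:03 DENY 203.0.113.9:1027 -> 198.51.100.12:445
2004-06-02T00:00:04 DENY 203.0.113.9:1028 -> 198.51.100.13:445
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return (day, src, dst, dport) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    day = datetime.fromisoformat(m["ts"]).date().isoformat()
    return day, m["src"], m["dst"], int(m["dport"])


def probes_per_day(log_text):
    """Map (day, dst_ip) -> number of denied probes: the slide's metric."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            day, _src, dst, _dport = rec
            counts[(day, dst)] += 1
    return dict(counts)


def average_probes_per_ip_per_day(log_text):
    """Average of the per-(day, IP) probe counts, as plotted on the slide."""
    counts = probes_per_day(log_text)
    return sum(counts.values()) / len(counts) if counts else 0.0


def flag_recon_sources(log_text, port_threshold=5, host_threshold=3):
    """Flag sources that look like fingerprinting (many ports on one host)
    or sweeping (one port across many hosts) within a single day.
    Thresholds are illustrative; tune them to your own baseline."""
    ports = defaultdict(set)   # (day, src, dst) -> distinct destination ports
    hosts = defaultdict(set)   # (day, src, dport) -> distinct destination hosts
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        day, src, dst, dport = rec
        ports[(day, src, dst)].add(dport)
        hosts[(day, src, dport)].add(dst)
    flagged = {}
    for (day, src, dst), ps in ports.items():
        if len(ps) >= port_threshold:
            flagged.setdefault(src, []).append(
                f"{day}: {len(ps)} ports probed on {dst} (vertical scan)")
    for (day, src, dport), hs in hosts.items():
        if len(hs) >= host_threshold:
            flagged.setdefault(src, []).append(
                f"{day}: port {dport} probed on {len(hs)} hosts (horizontal sweep)")
    return flagged


if __name__ == "__main__":
    for key, n in sorted(probes_per_day(SAMPLE_LOG).items()):
        print(key, n)
    print("average probes per IP per day:", average_probes_per_ip_per_day(SAMPLE_LOG))
    for src, reasons in flag_recon_sources(SAMPLE_LOG).items():
        print(src, reasons)
```

On the constructed sample, 198.51.100.10 sees 7 probes on 2004-06-01, the average across all (day, IP) pairs is 2.0, and two sources are flagged: 203.0.113.5 for probing six ports on one host and 203.0.113.9 for sweeping port 445 across four hosts. Malformed lines are skipped rather than aborting the run, which matters when the input is real, noisy firewall output.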

Page 12

Growth in Malicious Code

WildList Growth

[Chart, Sep-03 to Aug-04; y-axis 0-800; series: Top, Bottom, each with a linear trend line]

Page 13

2004 was the Year of the Bot

[Chart, 1999-2004; y-axis 0-700; series: New Attack Code Monthly, 'Owned' Computers x10,000; callout: 6.5 Million]

Page 14

2004 was also the Year of Malicious Mail

[Chart, Jan-04 to Jul-04; y-axis 0-80; series: Misuse as % of Email]

Spam, Spyware, Worms, Virus, Phishing, Extortion, Scams…

Page 15

[No extractable text]

Page 16

[No extractable text]

Page 17

How Vulnerable Are You?

If yours is an average U.S. corporation, here’s what your network is experiencing this week.

About a dozen computers somewhere in your organization encountered a computer virus, worm, or spyware.

Three people scrounged through desks and drawers looking for someone else’s password. One of them succeeded and used it.

On average six sexually explicit graphics were mailed or shared among some of your users in the past week. There is a 50-50 chance that some of these are stored on your network.

At least one person experimented with a “hacking” tool or technique on the general computers, servers, and databases inside your network in the past month.

Despite all the press and focus on hacking and viruses, there is a 65% likelihood that the next security breach your staff deals with will come from an insider.

Statistics provided by ICSA Labs

Page 18

First some good news:

Economics is on our side: cheap hardware firewalls, smarter network interface cards (NICs), routers, strong authentication, and end-to-end encryption (e.g., SSL, SSH, VPNs) will be used to hide operating system vulnerabilities, privileged controls, sensitive applications, and gratuitous functionality from the public networks.

Compliance and regulatory requirements will drive security as a business issue.

Driven by demand from their customers, by competition, and by the example of AOL, retail ISPs are taking more responsibility for protecting their customers and for protecting the rest of us from rude behavior by their users.

While users will continue to compromise perimeter controls with tunnels and click on strange files and icons, default use and automatic update of scanners, and controls to limit connectivity of systems that are not current will make us collectively resistant to viruses.

Rogue hackers are losing their Robin Hood image and public sympathy, attracting law enforcement attention, being identified, indicted, prosecuted, convicted, and sentenced to jail.

There is an emerging consensus that rewarding hackers with jobs encourages more hackers without reforming anyone.

Page 19

But also some bad news:

•Hacking is no longer trivial but serious, no longer for loners but for teams, no longer for fun but for profit, no longer mischievous but malicious and criminal, no longer amusing but frightening.

•The Internet is seriously compromised by contaminated machines.

•Anonymity in the Internet is now a commodity for sale.

•Users will continue to compromise perimeter controls with tunnels and by clicking on strange files and icons (IM, P2P).

•The rate of discovery of buffer-overflow vulnerabilities is going up and the time to exploitation is going down.

•We will continue to try and patch and fix our way to security; we will enjoy the same lack of success.

Page 20

More bad news:

Spam now accounts for a significant part of the load for the Internet and more than half of e-mail.

Phishing is just the latest demonstration that the chain of trust is broken – things aren’t what they appear to be.

The transport layer can no longer be relied upon for security.

Connectivity trumps security.

Viruses and worms are becoming more sophisticated, successful, and malicious. They are used to compromise systems, insert remote controls, key-stroke grabbers and other spyware, covert agents ("bots"), and backdoors. They are a standard tool in the cracker’s kit.

Page 21

Insider Threat Study

Study by CERT, the US Secret Service and CSO Magazine

Most of the incidents in the banking and finance sector were not technically sophisticated or complex. They typically involved the exploitation of non-technical vulnerabilities such as business rules or organization policies (rather than vulnerabilities in an information system or network) by individuals who had little or no technical expertise.

In 87% of the cases the insiders employed simple, legitimate user commands to carry out the incidents.

In 78% of the incidents, the insiders were authorized users with active computer accounts.

81% were premeditated. Furthermore, in most cases, others had knowledge of the insider’s intentions, plans, and/or activities. Those who knew were often directly involved in the planning or stood to benefit from the activity.

Page 22

Insider Threat Study (cont.)

81% were motivated by financial gain, rather than a desire to harm the company or information system.

Insiders in this report fit no common profile. Only 23% held a technical position, 13% had a demonstrated interest in “hacking” and 27% had come to the attention of a supervisor or co-worker prior to the incident.

Insider incidents were detected by internal, as well as external, individuals – including customers.

The impact of nearly all insider incidents in the banking and finance sector was financial loss for the victim organization: in 30% of the cases the financial loss exceeded $500,000. Many victim organizations incurred harm to multiple aspects of the organization.

83% were executed physically from within the insider’s organization and took place during normal business hours.

Page 23

Predictions 1, 3, 5 years out

•Malicious code will continue to get worse, particularly for corporations with mobile users, novice users, and extended enterprise connections.

•Phishing will continue to get worse over the next year.

•Spyware and remote controlled “Bots” will continue to cost organizations more money and result in increasing risks for loss of proprietary and customer data.

•The slow adoption of Microsoft XP SP2 (< 5-10% adoption) reduces the benefits of the security advancements available from it, and minimizes the “immunity” factor.

•Mobile phones will be one of the growing targets for malicious code.

•Instant Messaging is now being used to spread malicious code and spyware.

Page 24

Predictions 1, 3, 5 years out

•Database attacks. “Follow the Money” - the direct attacks are going for the money, and databases are the vault. These attacks include multiple vectors involving web applications, database configurations and access controls, insider threats and storage area network security.

•Emerging technologies entering the environment too quickly, before they mature and stabilize. Wireless, P2P, VoIP, IM, MP3 players, IPv6 are only a few examples. Technologies are quickly allowed to enter the enterprise. This allows a multitude of unknown and zero-day vulnerabilities, misconfiguration, user and admin errors, and attack vectors in the environment.

Page 25

Recommendations

•Adopt restrictive policies.

•Avoid gratuitous functionality.

•Scan at the perimeter and the desktop, in both directions; refuse all unexpected attachments.

•Close your networks to all but registered (and current) devices and users.

•Measure the state of your networks, systems, and applications; measure the performance of their managers and users.

•Layer your defenses; do not rely on a brittle perimeter and a soft center.

•Strengthen accountability with end-to-end encryption, strong authentication, and an integrated audit trail.

Page 26

PITAC Report

“Cyber Security: A Crisis of Prioritization”, President’s Information Technology Advisory Committee Report

http://www.nitrd.gov/pitac/reports