Confidential and Proprietary - All Rights Reserved

Thought leaders in digital conflict

Introduction to Cyber Threats 2013

Confidential and Proprietary - All Rights Reserved

Thought leaders in digital conflict

Cyber IntelligenceTraining

Opening

Computer technology is what has defined modern life! For decades now the computer industry has struggled to understand cyber threats, evaluate the risks to individuals and organizations (including nation-states), and define an implement appropriate response capabilities.

The vast majority of cyber security experts believe that a well-resourced adversary will more often than not be successful in attacking systems!

3

Opening

Cyber attacks are a clear and present danger and the potential for both accidental and deliberate breaches of sensitive information is a growing concern.

Cyber attacks include acts of cyber war, terrorism, espionage, crime, protest, vandalism, and more!

How do you plan to deal with this growing threat?

4

Opening

Cyber threats abound in the highly connected world of today. There are even kitchen refrigerators that are not connected to the Internet as well as smart medicine cabinets that read RFIDs and compare the to daily medication routines as well as monitoring for outdate meds.

A Google search on cyber threats brings back over 5.75 million results. With so much out coverage why are we still so vulnerable?

5

Opening

Cybercrime, broadly defined as any crime that uses a computer, is a global problem

that affects the government, corporations, and individuals. It can take a variety of forms, from online fraud, to cyber stalking, to data theft. A 2010 report from Norton found that nearly two-thirds of people worldwide have been the victim of cybercrime.

A 2009 study done by McAfee shows cybercrime, including data theft and security breaches, may have cost global businesses as much as $1 trillion globally.

6

Issue Modeling

Modeled Interaction 300,000,000

Lines of Code (LoC)(Server BIOS,OS, and Application + User PC BIOS, OS and Browser)

3 errors per 1000 lines of code (eKLoC) 300,000(after all testing standard 3 and 5 errors per KLoC)

Vulnerability Modeling 1,500 (model 1 in 20 can be exploited for access)

7

Server

UserCan you image the total lines of code if you were to include this?

Now Consider This!

• The menu of possibilities for (vehicle) hackers is extensive: Computer diagnostics to tell you if anything is wrong, systems to tell you how much pressure is in your tires, how many miles you have left in your fuel tank, whether your door or trunk is ajar, whether somebody is behind you when you put it in reverse, to manage your anti-lock brakes and your anti-theft device; an OnStar satellite system that can start your car remotely, that will notify the company if you're in an accident, including whether one or more of your airbags went off, that will let On-Star remotely shut down your car if it is stolen. In most vehicles, a computer even controls the throttle. And that is only a partial list.

8

More

• WatchGuard hopes it is wrong in this prediction. But with more computing devices embedded in cars, phones, TVs and even medical devices, digitally dealt death is not only possible, it’s plausible. Security is still often an afterthought when developing innovative technical systems. Criminals, hacktivists, and even nation-states are launching increasingly targeted cyber-attacks, resulting in the destruction of physical equipment. Most recently, a researcher even showed how to wirelessly deliver an 830 volt shock to an insecure pacemaker, proving that digital attacks can have a real-world impact.

9

How bad is it?

• Some 68 percent of organizations surveyed stated that preventive measures are going by the wayside, owing to workload.

• The recent recession had organizations cutting staff to maintain profitability and that impacted the availability of IT workers to perform routine functions.

– In many cases standard maintenance, upgrades and patching fell behind!

10

How bad is it?

• The current state of cyber insecurity is accurately reflected in this recent incident.

– More than €36 million euros ($47 million) were stolen from some 30,000 bank accounts in Europe in a cyber attack dubbed "Eurograbber.”

– The investigation continues but like most the international transfer of funds through multiple countries outside of the EU complicates the issue!

11

The financial services sector is by far the best at cyber security at this time. They have had the most experience when it comes to

cyber attacks!

How bad is it?

• One clear indicator of the threat is the sheer volume of breaches. Cyber attacks on federal computer systems have increased more than 250% over the last two years, according to the Homeland Security Department. 

• “There are about 1,000 security people in the U.S. who have the specialized security skills to operate effectively in cyber space. We need 10,000 to 30,000” stated Jim Gosler NSA Visiting Scientist and founding director of the CIA’s Clandestine Information Technology Office.

• In 2011, the National Institute of Standards and Technology described the need for 700,000 cyber security workers in the United States alone by 2015.

12

Resource Shortage

• A 2012 report by Forrester Consulting revealed some concerning insights into the availability of security resources. There appears to be a shortage of properly skilled cyber security workers.

13

Industry Insight

• Steve AdegbiteDirector, Cyber Security Strategies, Lockheed Martin

– “With any large, complex enterprise you’re always going to find weaknesses. It’s very hard to get an end-to-end view of the enterprise, and therefore hard to get a handle on just what is on the network and what weaknesses there are.”

14

Industry Insight

• Tim McKnightVice President and Chief Information Security Officer, Northrop Grumman Corporation

– “If you do 80 percent of security right you’ll stop 90 percent of attacks, but I don’t agree that most organizations actually get to 80 percent because IT can be a complex environment.”

15

What You’re Facing

10 Biggest cyber security threats for 2013

1. Botnets

2. Targeted Malware

3. Social Engineering

4. Advanced Persistent Threats

5. Ransomware/Cyber Extortion

6. Bring Your Own Device (BYOD)

7. Government sponsored attacks

8. Terrorist conducting cyber attacks

9. Internal threats (actions and inaction)

10.Failures due to lack of cyber security strategy16

#2 New Malware Strains

17

0

5

10

15

20

25

30

35

2007 2008 2009 2010 2011 2012*

Million

#4 Advanced Persistent Threats

• Advanced Persistent Threat (APT) refers to a long-term pattern of targeted cyber attacks using subversive and stealthy means to gain continual, persistent exfiltration of intellectual capital.

• The entry point for espionage activities is often the unsuspecting end-user or weak perimeter security. APT is likely to remain high through 2013 and possibly beyond.

• APTs are the cyber weapon of choice to gain insider information, cyber espionage will remain a consistent threat.

18

#9 Internal Threats

• You must realize that 80% of all successful cyber attacks comes directly or indirectly from inside an organization.

– Indirect Attack • Spear phishing is a deceptive communication (e-mail, text or

tweet) targeting a specific individual inside of companies, seeking to obtain unauthorized access to confidential data. Spear phishing attempts are more likely to be conducted by perpetrators seeking financial gain, trade secrets or sensitive information. Spear phishing is often the nexus to cyber espionage and will continue to grow.

19

Biggest Challenge

• Many organizations are currently out of touch with the current state of cyber insecurity. There are a number of reasons for this!

• The biggest challenge you face is the extreme range of scope and scales at which security problems arise.

• Another major threat is that of the rapid and continuous growth of cyber crime. Criminals' tactics need to be better understood in order to protect our systems.

• This is the fist step in addressing that problem.

20

Situation Awareness

In Q4 2012 the Federal Bureau of Investigation (FBI) issued a warning about malware that attempts to trick users into paying a fine. The (fraudulent) claim is that the FBI collected audio, video, and other devices recordings that prove illegal computer activity.

The malware issues a "Threat of Prosecution Reminder“ to the email recipients

21

FBI’s eScam List - http://www.fbi.gov/scams-safety/e-scams

Supporting Information

1. http://www.defense.gov/news/d20110714cyber.pdf

2. http://csrc.nist.gov/nissc/1998/proceedings/paperD6.pdf

3. http://www.gtcybersecuritysummit.com/pdf/2013ThreatsReport.pdf

4. http://csis.org/files/media/csis/pubs/021101_risks_of_cyberterror.pdf

5. http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf

6. https://www.isc2.org/uploadedFiles/(ISC)2_Public_Content/Certification_Programs/CSSLP/ISC2_WPIV.pdf

22

Realistic View

Security experts’ most notable predictions for the this year include the continued rise of targeted attacks, cyber-espionage and nation-state cyber-attacks, the evolving role of hacktivism (Anonymous), the development of controversial 'legal' surveillance tools and the increase in cyber criminal attacks targeting cloud-based services.

Targeted attacks on businesses have only become a prevalent threat within the last few years.

How prepared are you for these threats?

23

Top 5 Cyber Security Misconceptions

1. Misconception - I’m safe because I never shop online

2. Misconception - I’m safe because the website is secure

3. Misconception - I’m safe because I have anti-virus protection

4. Misconception - I’m safe because it’s easy to recognize fake sites

5. Misconception – Social networking sites are safe enough; no need to worry

24

Closing Statement

All software has unknown vulnerabilities that can be exploited which is the basis for the vast majority of cyber threats. This is why cyber security threats represents one of the most serious national security, public safety, and economic challenges that faces our nation.

This is a first step to increasing you contribution or our national security as well as the security of your systems. Everyone has a role to play and can contribute to improving systems security.

25

Questions – Comments - Concerns

?

?

??

???

??

??

?

?

??

?

?

?

?

??

??

?

?

?

?

?

?

?

?

?

?? ?