Post on 26-Dec-2015
IBM Global Services
Adaptive Security Planning August 14, 2007 © 2007 IBM Corporation
IBM Internet Security Systems
Ahead of the threat.™
Scott Lupfer, CISSP
Principal Security Architect
2007 NASACT Conference
The Threat of Cyber Crime: Are you ready?
Would you rather have…?
$1000 1GB USB Travel Drive
How Valuable Is Your Information?
Man pleads guilty to conspiring to commit trade secret theft from Corning, Inc.
–http://www.cybercrime.gov/linPlea.pdf
Former computer contractor pleads guilty to hacking Daimler Chrysler parts distribution wireless network
–http://www.cybercrime.gov/johnsPlea.pdf
Ex-employee of The Coca Cola Company and co-defendant sentenced for stealing trade secrets
–http://www.cybercrime.gov/williamsSent.pdf
Massive Insider Breach at DuPont
–Employee copies files containing $400M worth of trade secrets
–Resigns to go to competitor
Information is Currency
FBI estimates businesses lose $67.2B annually due to computer related crimes
Online sales (B2C) will be USD $329B by 2010*
Identity fraud cost consumers $52.6B in most recent estimate
“Information is itself the target. Information is the world’s new currency.”—Ralph Basham, Director, United States Secret Service
* Forrester Research: US eCommerce 2005 to 2010
Forms and Methods of Cyber Crime
Information for Sale
‘Fund Transfer’ Trojan: $1000-$5000
Credit card number with PIN: $500
Driver’s license or birth certificate: $150
Social Security card: $100
Credit Card #, security code & exp: $7-$25
USA Today: Cybercrime Flourishes in Online Hacker Forums 10/11/2006
http://www.usatoday.com/tech/news/computersecurity/infotheft/2006-10-11-cybercrime-hacker-forums_x.htm
2006 IC3 Annual Report – Online Fraud
Estimated $198M lost in 2006
Nigerian Letter Fraud (419 scam)
–Average of $5100 per incident
The number of complaints was down, but costs were up
Moral? Still money to be made
Data Loss Incidents
Number of Incidents
–327
Number of personal information records lost
–100,453,730
–Recent study found that cost is $182 per record lost
More information
–http://www.privacyrights.org/ar/ChronDataBreaches.htm
TJX Companies
–45.6M credit and debit card numbers
–Fraudulent transactions confirmed
–News coverage is continuing
–Culprit?
Pfizer
–17,000 present and former employees
–Culprit?
Department of Veterans Affairs
–Laptop containing personal information of 26.5M veterans stolen
Data Loss Issues
There is little accountability
Data is not properly classified
Data is not properly controlled and audited
The value of data is not properly understood
How Did This Happen to Me?
What We Know
As technology evolves, so does the complexity of a potential threat
Our online presence is increasing daily
Corporations use technology to meet business needs
Consumers use new technology when:
–It increases convenience
–It is affordable
–It provides entertainment
–They then introduce these technologies in the workplace
Vulnerabilities Exist Due To
Errors in programming
Errors in system configuration
Misuse of technology
Human trust
Human greed
Poor education and policies
Vulnerability Disclosure in 2006
10,000 projected in 2007
14,000 projected in 2008
User Trust and Human Greed
Phishing and Pharming
–“Verify your account information and password”
–“Please visit this website and login to keep your account active”
“Live” Phishing
“Live” Phishing
–Some banks still ask me to repeat my credit card/account number, social security number, and other info
–This must change
How dangerous are “loose lips” to the corporation?
Hackers have immense resources
5-11% of internet connected devices are compromised
–Between 32 million and 71 million worldwide
–Liberal estimates are as many as 150 million
Everything is for sale
–Phishing toolkits
–0-day vulnerabilities
–Personal information
Hundreds of millions are in play
An explosion of innovation in Malicious Code…
Preparing the Attack
Enterprise computers
–Many are infected with bots that bypass traditional defenses
–Variants make the “arms race” hard to keep up with
Home user/Consumer
–Victims are “targets of opportunity”
–Home broadband is largely un/under-secured
–Anyone can be a victim
These “botnets” or compromised systems are then used for the real attack
The Targeted Attack
Goals:
– Discover intellectual property
– Access critical or confidential data
– Cause significant damage or outages
– Control systems
Attackers have the motivation and desire to take time
Need to only find a single hole
Attack critical systems or data
Advantages for Online Attackers
No need to be physically present
Crimes can be committed across geographies and borders
Highly coordinated, high speed attacks
Crimes have historically been largely underreported
Numerous methods can be used for a single crime
How much information can be harvested from a publicly available system?
–Hotel business center
–Cybercafe
Emerging Threats Due to New Business Models
Emerging Threats
Browser based concerns
–Like inviting a thief into your home
Designer malware
–Malicious software for specific purpose
Spearphishing
–Targets members of an organization
Emerging Threats
Virtualization
–Software and hardware are targets
–Rootkits and trojans
–Application and infrastructure attack
VoIP weaknesses and risks
–Eavesdropping on the network, replay calls
–Access voicemail on servers
Mobile security threats
–SMS/MMS
–Bluetooth
–Software vulnerabilities
Bluetooth
John Hering, Flexilis
– BlueSniper Rifle
– Scan and Snarf from 1.08 miles
– 700 vulnerable phones in 90 mins at E3
Bluesnarfing
Bluetracking
Bluebugging
Bluespam / Bluejacking
http://www.npr.org/templates/story/story.php?storyId=4599106
New take on old threats
Data security
–Where is your data stored?
–Are all of those systems properly protected?
–Do you own all of the systems?
•Google <company> confidential
–Client side applications
•Peer to peer file sharing
•Public calendars
•Free mail and office applications
–Portable storage
•USB drives
•iPod (really?)
So What Can Be Done?
What do I protect first?
Understand your digital assets:
–Identify and Prioritize Business Assets
–Map Relevant Risk to Critical Assets
–Plan Protection Steps and Risk Mitigation Requirements
–Use Pertinent Information to Determine Effect or Compliance
Business Risk Management
Classify Data and Assets
Limit access to who NEEDS it
Know WHAT they do with it
Know WHERE they store it
VALUE the data and assets
Apply appropriate protection and education
Don’t Forget The Embedded Systems
SCADA, Critical Infrastructure
Document Management Systems
Vending Machines
Elevators
Healthcare Equipment
Automated Teller Machines
Quick Exercise
Think: “If I control information or a critical system, how powerful do I become?”