
Page 1
Source: idg.bg/idgevents/idgevents/2015/0928155500-11.20-11.50_JayRanade.pdf

Cybersecurity Threats and Trends for 2015

Speaker: Jay Ranade
CISSP, ISSAP, CISM, CISA, CRISC, CGEIT, CBCP, CIA, CRMA, HCISPP
New York City
[email protected]
Cell +1-917-971-9786

Page 2

Instructor Introduction

9/14/2015 2

Jay is an internationally renowned expert on computers, communications, disaster recovery, IT security, and IT controls. He has written and published more than 35 IT-related books on subjects ranging from networks, security, operating systems, and languages to systems. He also has an imprint with McGraw-Hill, the “Jay Ranade Series”, with more than 300 books and more than 7 million copies in print. His books have been translated into German, Portuguese, Spanish, Japanese, Korean, and Chinese. The New York Times critically acclaimed his book “Best of Byte”. He is currently working on a number of books on subjects such as Business Continuity, Operational Risk Management, and IT Risk Management.

Jay has consulted and worked for Global and Fortune 500 companies in the US and abroad including American International Group, Time Life, Merrill Lynch, Dreyfus/Mellon Bank, Johnson and Johnson, Unisys, McGraw-Hill, Mobiltel Bulgaria, and Credit Suisse. He was a member of the ISACA International's Publications Committee (2005-2007).

He teaches graduate-level classes on Information Security Management, Ethical Risk Management, and Enterprise Risk Management at New York University. He also teaches accounting information systems, IT auditing, internal auditing, security/forensics, and Operational Risk Management at St. John’s University.

Page 3

IT SECURITY THREATS AND RISKS

Page 4

Security

• Security is about
  – Confidentiality
  – Integrity
  – Availability
• Loss of any one of these affects security
• 2015 emergent and emerging threats affect all three
• Predictions are predictions
  – It is like weather prediction: high probability, not certainty

Page 5

Cyber Threats - Spear Phishing

• Spear Phishing Attacks
  – Deceptive communications, e.g. email, text, or tweet, targeting a specific individual
  – To access personal or sensitive data
  – Not from random hackers but from perpetrators seeking financial gain, trade secrets, etc.
  – Linked to cyber espionage and APT
• Control: Targeted Awareness Training

Page 6

Mobile Threats

• Causes of Mobile Browser Threats
  – Web address bar not available due to small screen
  – SSL certificates not displayed, cannot authenticate source
• Mobile Threat Vector
  – Mobile devices do not get regular patches in general
  – OS is sometimes still the version from the phone's manufacturing date
• Android and iOS Targeting
  – ZitMo (Zeus in the mobile) for Android mobile malware

Page 7

Mobile Threats contd.

• Attacking Critical Systems through mobile
  – When the phone is charged over USB
• Recording keystrokes by smart phone
  – Malware has no icons
  – Accuracy is about 95 percent
  – Phone has to be on the desk
• Smart phones
  – Can download key loggers
  – Affects organizations with a BYOD policy
• Control is “all executions originating through a mobile device go through a virtual desktop”
• NFC (near field communications) for credit cards can transfer viruses to the smart phone or steal information

Page 8

Botnets

• Botnets for Lead Generation for Marketing
  – Not for password stealing anymore
  – Collect name, address, age, gender, financial worth
  – Up to $30 for a qualified lead
  – Auto-generation of sophisticated fraud scams
• Botnets to Find Entry Points
  – Affect the availability aspect of CIA
  – Identify compromised machines for a DDoS attack (zombies)
  – 4th of July, 2009 attacks on US and South Korean installations
  – Zombies do not know they are zombies

Page 9

Botnets contd.

• Decentralized Botnet Command and Control (C2) Architecture
  – Decentralized C2 architecture is hard to detect
• Botnet Take Downs (Good News)
  – Taking away criminal human capital
  – Result from mutual collaboration among security professionals
• Controls: ISP collaboration for DDoS attacks

Page 10

DNS Service and Certificate Attacks

• Goal is to compromise certificate authorities (CAs)
  – DNS provisioning systems compromised
  – Attackers can create fake banking applications
  – Difficult to detect
  – Attackers place a man-in-the-middle
  – E.g. DigiNotar CA breach in 2011: the attacker using the handle COMODOhacker seized CA servers and created fraudulent certificates
• Flame malware
  – Skywiper malware (2012), affects Windows only, targeted attacks
  – Spreads via LAN, USB stick
  – Records screen shots, keyboard activity, network traffic, Skype conversations, etc.
  – Turns computers into “Bluetooth” beacons

Page 11

Advanced Persistent Threats (APT)

• What is APT
  – Network attack where one stays undetected for a long time
• Not what, but who?
  – Persistence of the attacker rather than their sophistication
  – Goal is to extract information (exfiltration)
  – Attacker adapts to incident response and tools
  – Attack can last months
  – Control: DiD and user awareness
• Exploitation can affect the organization for years
• End Users Weakest Link in APT
  – Entry point is the end-user or weak perimeter security
  – You cannot patch end-users
  – One of the top threats of 2015

Page 12

Cloud Threats

• iCloud users on BYOD devices
  – Organization's data could be in the cloud from a smart phone
  – Threat actor could develop infrastructure in the cloud using online development tools and exploit hidden C2-based attacks
• External Cloud Threats
  – Data ownership, data transcending national boundaries
  – Discovery risk
  – BC risk
  – Chain of custody risk
  – Network ownership
  – Symmetric cryptography and key management
  – Out-of-business risk

Page 13

Nation-State Conflicts

• Cyber Vector a New Multiplier in Nation-State Conflicts
• APT Could Attack Infrastructures
• Defense has to be threat-based, else it is ineffective
  – Most defenses are vulnerability-based
• Controls
  – DiD and response to evolving threats
  – Vulnerability lifecycle management
  – End-point protection
  – IDS/IPS
  – Security training

Page 14

Application Level Threats

• 78 percent of attacks are due to web-facing application weakness, not firewall weakness
• OWASP Top 10 threats
  – SQL Injection attacks
  – XSS
  – Broken Authentication and Session Management
  – Insecure direct object reference
  – CSRF (cross-site request forgery)

Page 15

Memory Scraping Threat

• Memory scraping or RAM scraping
  – Prevalent for credit card records, passwords, PINs, keys in memory
• Focus on client-side attacks rather than server-side attacks
  – Data stays in clear text while used in RAM
• Does the process sanitize sensitive information?
  – Browsers leave sensitive information in memory
• Control: Zeroize memory buffers before the process terminates
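The zeroization control above, as an added C example that is not from the slides: a handler keeps a card number (PAN) in RAM only for as long as a Luhn check needs it, then wipes the buffer through a volatile function pointer so the compiler cannot discard the wipe as a dead store, and verifies that no residue remains. The handler name is hypothetical and the PANs are the standard Luhn test numbers, constructed input rather than real cards.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A plain memset() right before return is a dead store: the buffer is never
 * read again, so the optimiser may drop it and the secret stays in RAM for a
 * scraper.  Calling memset through a volatile function pointer forces the
 * compiler to keep the wipe (explicit_bzero()/memset_s() do the same). */
static void *(*const volatile wipe_fn)(void *, int, size_t) = memset;

static void secure_zero(void *buf, size_t len)
{
    wipe_fn(buf, 0, len);
}

/* Luhn validation stands in for whatever the process really does with the
 * card number while it sits in clear text. */
int luhn_valid(const char *pan)
{
    size_t len = strlen(pan);
    int sum = 0, dbl = 0;
    if (len < 12 || len > 19)
        return 0;
    for (size_t i = len; i-- > 0;) {
        if (pan[i] < '0' || pan[i] > '9')
            return 0;
        int d = pan[i] - '0';
        if (dbl && (d *= 2) > 9)
            d -= 9;
        sum += d;
        dbl = !dbl;
    }
    return sum % 10 == 0;
}

/* Returns 1 when every byte of buf is zero, i.e. nothing is left to scrape. */
int is_all_zero(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Hypothetical handler: copies the PAN into a fixed stack buffer, uses it,
 * zeroizes the buffer, then checks for residue before returning.
 * 1 = valid PAN and wiped, 0 = invalid PAN and wiped, -1 = residue remained. */
int handle_pan(const char *pan_in)
{
    char pan[20];                               /* 19 digits + NUL */
    snprintf(pan, sizeof pan, "%s", pan_in);    /* bounded copy */
    int valid = luhn_valid(pan);
    secure_zero(pan, sizeof pan);
    if (!is_all_zero((const unsigned char *)pan, sizeof pan))
        return -1;
    return valid;
}

int main(void)
{
    /* Constructed input: the standard Luhn test numbers, not real cards. */
    printf("%d %d\n", handle_pan("4111111111111111"), handle_pan("4111111111111112"));
    return 0;
}
```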

Page 16

RSD Loss

• Sensitive data on RSD (removable storage devices)
• CD, DVD, flash drive, smart phone
• Loss of RSD and its data
• Controls
  – Policy: need to know and need to download
  – Symmetric key encryption
  – Remote destruction of data

Page 17

DDoS Attacks

• How It Happens? What It Is?
  – Botnets/Zombies Overwhelm a Device or Network
  – C2 May Be Elsewhere (July 2009 Attacks)
• Five Ways To Deal With DDoS
  1. Response Plan With ISP
  2. Onsite DDoS Defense
     • Defense in front of application and DB servers needed to deflect
  3. Know Your Customers (KYC)
     • To avert application layer attacks, do real-time legitimate customer analysis
  4. Have Continuous Vigilance
     • Monitor, recognize attack, respond

Page 18

Internal Threats

• 76 percent of attacks are internal
• Internal attacks bypass the network layer and start at the OS layer
• Controls
  – IAA with 2-factor authentication
  – RBAC (aka N-DAC) will reduce such attacks
  – H-IDS on each server is the last and ONLY line of defense against internal threats

Page 19

Malware

• Duqu (W32.Duqu)
  – RAT for stealing information from infected computers
• Alureon rootkit
  – Persists even after reinstall on Windows 7
  – Embedded in a major vendor's network firmware

Page 20

Zero Day Attacks

• Growing market
  – High demand for vulnerabilities; underground auctions
• IPv6 for zero day attacks (next slide)
  – Understand IPv6
• Polymorphic, Metamorphic, Multi-platform flashworm
  – Polymorphic changes signatures continuously
  – Metamorphic: similar
  – Flashworm: contained in JavaScript used for attack

Page 21

IPv6

• VPN leaks on dual stack networks
  – Organizations moving to IPv6
  – VPN client and server software lagging behind in updates
  – Results in “traffic leaks”; attack may result in transmission in cleartext over local networks
  – Only if target system is dual stacked
• Control
  – Do not allow firewall policy to pass IPv6 traffic directly in/out; allow IPv6 ONLY via VPN

Page 22

SSL Malware

• SSL/TLS malware transmitted via HTTPS
• NSD (network security devices) need to get data in cleartext
• Servers authenticate themselves to NSD using X.509 certificates; clients authenticate to the server using username/PW
• How the exploit happens
• Controls
  – Exploit controls
  – SSL 3.0, TLS 1.2

Page 23

Mobile Hardware Attack

• Keyboard Vibration Attack
  – Mobile device placed near a keyboard can pick up keyboard vibrations to identify words being typed with 80 percent accuracy
  – Good for targeted attacks (M&A)
• Control
  – Don't place mobile on the desk

Page 24

Social Engineering Attacks

• Improved social engineering attacks
  – Inducing users to click questionable links
  – Installing malicious software
  – External attackers almost gaining an internal vantage
• Security for humans
  – Path of least resistance for attackers
  – 2015 the year of social engineering
• Malware delivery
  – Zero day attacks through email exploits
• Controls
  – Awareness training
  – Thin client (organization-wide major adoption)

Page 25

Wireless Security

• WiFi proliferation
• GAP in the WAP
• Control
  – Encrypted transmission
  – Don't use WEP or WPA, only use WPA2
  – No broadcast of SSID
  – Wardriving to detect rogue wireless networks

Page 26

Virtualization - Server and Desktop

• Server side issues
  – Rogue VM; control = policy
  – SoD; control = segregation of admin. and production traffic
  – Root protection; controls = patching and configuration management
  – Access to hypervisor; control = firewall between console and hypervisor
  – Don't give developers admin. rights for a VM partition
  – BC/DR risk
• Desktop issues
  – Client-side sandboxing

Page 27

Ransomware

• Malware used for extortion
  – San Francisco network engineer case
  – Symmetric encryption of disk drives by the perpetrator
• Attacker locks down systems by encryption
  – Then asks for compensation
  – After restoration, data integrity questionable
  – Such attacks predicted for 2015 by NJ DHS

Page 28

Data Leakage - Unstructured Data

• Organizations have data classification policies
  – Confidential, private, internal use only, public, etc.
  – For structured data
  – Not for unstructured data embedded in emails
• Data leakage in unstructured storage and transmission
• Control
  – Data tagging
  – Sender's accountability policy

Page 29

ICS - SCADA Attacks

• SCADA
  – Supervisory control and data acquisition
  – Almost every ICS is SCADA controlled
  – Gas pipelines, power utilities, water utilities, nuclear power plants
  – CIP is at stake
• Control is to air gap SCADA systems
  – Social engineering compromises that
• Example
  – Stuxnet
  – LNK files, response system compromise

Page 30

Major Causes of Cyberattacks

• Two major causes
  – Open and outdated vulnerabilities
  – Wrong configurations
• Modus Operandi of Cyber Attack Path
  – Compromise first PF firewall
  – Compromise bastion host
  – Compromise second firewall
  – Compromise N-IDS
  – Compromise H-IDS
  – Install root kit on server
  – Try to clear log traces of compromise
  – Open one of the less used ports from inside
  – And leave

Page 31

What is on the rise?

• Malicious code, worms
• Web-based attacks
• Web-application attacks / injection attacks
• Botnet attacks for mobile computing and clouds
• Phishing
• Exploit kits
• Data breaches
• Physical damage, theft and loss
• Insider threat
• Information leakage
• Identity theft and related fraud
• Cyber espionage

Page 32

What is on the decline?

• Denial of service
• SPAM, as a gradual decline
• Ransomware and scareware

Page 33

Security Controls – SANS 20

• 20 Critical Security Controls - Version 4.0
• Critical Control 1: Inventory of Authorized and Unauthorized Devices
• Critical Control 2: Inventory of Authorized and Unauthorized Software
• Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• Critical Control 4: Continuous Vulnerability Assessment and Remediation
• Critical Control 5: Malware Defenses
• Critical Control 6: Application Software Security
• Critical Control 7: Wireless Device Control
• Critical Control 8: Data Recovery Capability
• Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
• Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
• Critical Control 12: Controlled Use of Administrative Privileges
• Critical Control 13: Boundary Defense
• Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
• Critical Control 15: Controlled Access Based on the Need to Know
• Critical Control 16: Account Monitoring and Control
• Critical Control 17: Data Loss Prevention
• Critical Control 18: Incident Response and Management
• Critical Control 19: Secure Network Engineering
• Critical Control 20: Penetration Tests and Red Team Exercises

Page 34

General Controls

• Defense in Depth
  – Prevention is the rule
• Awareness and Training
  – End users are the biggest risk
• Strong Access Controls
  – IAA
• OWASP Top 10 Considerations
• Incident Response Management
• Encryption
• Protect Data at Rest, in Movement, in Processing, and at Disposal

Page 35

Questions

• Can write short questions to Jay Ranade at
  – [email protected]
• Recommendation: IT security and cyber risk are moving targets. Keep up-to-date with new threats and vulnerabilities
