TRANSCRIPT
Larry Moore, CISSP CISA
Top Ten Vulnerabilities for 2011:
  Application Vulnerabilities
  Weak Infrastructure
  Improper Planning and Response
  Malware
  Mobile Devices
  Social Media
  Social Engineering
  Outside Attackers
  Internal Employees and Contractors
  Cloud Services
Some issues overlap
Hospitality, Retail, Financial Services, Government, Manufacturing
Verizon 2011 Data Breach Investigations Report
Large and small businesses are affected
Have someone dedicated to “sweat the small stuff” regarding security
Defense in depth
  Never rely on one specific roadblock
Critical factors for protection:
  Confidentiality
  Integrity
  Availability
It’s all about Protecting the Data
Authentication – the last line of defense
Security awareness
Test, test and test again
Build security into the business:
  Governance
  Technical
  Procedural
Seven Tenets of Good Security (Marcus Ranum and Fred Avolio)
  Minimalism – Simple over complex
  Reductionism – Remove unneeded objects
  Restriction – Remove unneeded users
  Auditability – Gather information and review
  Accountability – Take appropriate action for violations
  Configurability – Set to the organization's policy
  Examinability – Open standards
“Old school” still works
Web applications
  Cross-site scripting
  Injections
  Redirects and forwards not validated
  SQL injection
  Unencrypted channels
Software
  Buffer overflows
  Improper or no data verification
  Critical passwords stored in the data segment
  Unpatched applications
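The three web-application weaknesses named above (SQL injection, cross-site scripting and unvalidated redirects), each shown as a vulnerable function next to its hardened form. This is an added example, not code from the presentation; the table, rows and the allow-listed host example.org are constructed for the demonstration.

```python
# Added example: vulnerable and hardened forms of three web-application
# weaknesses. The in-memory SQLite database and its rows are constructed.
import html
import sqlite3
from urllib.parse import urlparse


def make_db():
    """Build a throwaway users table so the lookups below can run offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])  # constructed rows
    return conn


# --- SQL injection -----------------------------------------------------
def lookup_vulnerable(conn, name):
    # String concatenation: the input becomes part of the SQL grammar, so a
    # quote in the input changes the query instead of being matched as data.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, name):
    # Parameterised query: the driver binds the input as a value; it is never
    # parsed as SQL, whatever characters it contains.
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()


# --- Cross-site scripting ---------------------------------------------
def render_vulnerable(display_name):
    # Untrusted text written straight into HTML.
    return "<p>Welcome, " + display_name + "</p>"


def render_fixed(display_name):
    # Output encoding: <, >, &, quotes become entities and cannot open a tag.
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


# --- Unvalidated redirect ----------------------------------------------
ALLOWED_HOSTS = {"example.org"}  # assumption: the application's own host


def redirect_target_vulnerable(next_url):
    # Whatever the request says is where the user is sent.
    return next_url


def redirect_target_fixed(next_url, default="/"):
    """Accept only a site-relative path or an absolute URL on an allow-listed host."""
    parsed = urlparse(next_url)
    is_relative = (parsed.scheme == "" and parsed.netloc == ""
                   and next_url.startswith("/") and not next_url.startswith("//"))
    if is_relative:
        return next_url
    if parsed.scheme in ("http", "https") and parsed.netloc in ALLOWED_HOSTS:
        return next_url
    return default
```

The fixed lookup returns nothing for the classic tautology input because the whole string is compared against the name column; the fixed redirect rejects protocol-relative URLs (`//host/`), which a naive "starts with a slash" check lets through.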
Example: Public Broadcasting System
Attackers have cracked the PBS website and posted a phony story claiming dead rapper Tupac Shakur was alive in New Zealand. Posted on the “PBS News Hour” web site. The attack was an apparent retaliation against a recent “Frontline” investigative news segment on the recent WikiLeaks issue.
Passwords: the weakest link
Commonly used passwords are available on the Internet
Unencrypted passwords, if stolen, enable attackers to access private information
Forgotten passwords
  Security questions are often used for forgotten passwords. However, these questions are often available on social networking sites
    Birth date, home town, maiden name
  Divorce is common (unfortunately) so ex-spouse may have information
  Security questions should be unique to the individual
Open Web Application Security Project (OWASP) Top 10:
  Injection
  Cross-Site Scripting (XSS)
  Broken Authentication and Session Management
  Insecure Direct Object References
  Cross-Site Request Forgery (CSRF)
  Security Misconfiguration
  Insecure Cryptographic Storage
  Failure to Restrict URL Access
  Insufficient Transport Layer Protection
  Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
SAFECode Development Practices:
  Threat modeling
  Use least privilege
  Implement sandboxing
  Minimize the use of unsafe string and buffer functions
  Validate input and output to mitigate common vulnerabilities
  Use robust integer operations for dynamic memory allocations and array offsets
  Use an anti-cross site scripting (XSS) library
  Use canonical data formats
http://www.safecode.org/publications/SAFECode_Dev_Practices0211.pdf
Examples:
Princeton researchers have filed a 158 page report on the ease of replacing their ROMs and winning yourself an election.
http://www.engadget.com/2008/10/24/princeton-publishes-how-to-guide-for-hacking-sequoia-e-voting-ma/ (2008)
Recommendations:
  Run at least privilege
  Test and review all web applications
  Enforce data limitations
  Monitor application use
  Train developers in current code vulnerabilities and mitigation
  Permit only authorized software
  Application and code reviews
  Verify data ALWAYS!
Password recommendations:
  Large entropy and length is best
  Enforce password expiration dates
  Don’t use passwords that relate to you
    Favorite sport teams
  Complexity is preferred, even if user has to write down password, provided that written password is hidden and locked
    Under keyboards and behind monitors don’t count
  Security questions should be to information not available on public records
  Alternative: provide one-time passwords to users through alternative communication (e.g. telephone)
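The password points above (entropy and length, the published lists of commonly used passwords, and the risk of storing passwords unencrypted) as a small checker and a salted password store. This is an added example, not code from the presentation; the common-password list is a constructed stand-in for a real published list, and the 60-bit threshold is an assumed policy value.

```python
# Added example: password acceptance check plus salted, iterated hashing so a
# stolen credential table does not directly yield the passwords.
import hashlib
import hmac
import math
import os

# Constructed stand-in for the "commonly used passwords available on the
# Internet"; a deployment would load a published list instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "cowboys2011"}


def estimate_entropy_bits(password):
    """Rough brute-force resistance: log2(alphabet size) per character, using
    only the character classes actually present. Not a dictionary check."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password, min_bits=60):
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on common-password list")
    if estimate_entropy_bits(password) < min_bits:
        problems.append("estimated entropy below %d bits" % min_bits)
    return problems


def hash_password(password, salt=None, iterations=200_000):
    """PBKDF2-HMAC-SHA256 with a random per-user salt; returns a storable record."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password, record):
    """Recompute the hash from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])
```

The per-user salt means two users with the same password get different records, and the iteration count makes each guess against a stolen table cost real work; neither property holds for a plain or unsalted hash.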
Physical
  No locks
  Weak user endpoints
Logical:
  Failure to protect the data at multiple levels:
    Transport
    Storage (database, file)
  Failure to design with security in mind
  Failure to monitor the network and servers
  Failure to adequately update systems
    Antivirus updates
    Patches
Examples
Physical
  Skimming: Inserting a keypad over a legitimate keypad for the purpose of obtaining user-provided information
    ATM’s, POS systems
Logical
  Data leakage
  Firesheep: An extension for Mozilla Firefox web browser which intercepts unencrypted traffic (often wireless traffic) to specific websites such as Twitter or Facebook. This enables the attacker to obtain login credentials from the victim.
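Firesheep works because a logged-in user's session cookie is sent over an unencrypted channel. The check below audits a site's own response headers for that condition: a session cookie without the Secure flag, without HttpOnly, and no HSTS policy forcing HTTPS. This is an added example, not code from the presentation; the header sets and the list of session cookie names are constructed, not captured from any real site.

```python
# Added example: audit response headers for the conditions that let a session
# cookie be intercepted on an unencrypted (often wireless) connection.

# Assumed names under which applications commonly issue their session cookie.
SESSION_COOKIE_NAMES = {"sessionid", "phpsessid", "jsessionid", "auth_token"}


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {attribute: value}).
    Attribute names are lower-cased; flag attributes map to ''."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_headers(headers):
    """headers: list of (name, value) pairs as the server sent them.
    Returns a list of findings; empty means nothing to report."""
    findings = []
    has_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if cookie.lower() in SESSION_COOKIE_NAMES:
                if "secure" not in attrs:
                    findings.append("%s: missing Secure; browser will send it over plain HTTP" % cookie)
                if "httponly" not in attrs:
                    findings.append("%s: missing HttpOnly; readable by injected script" % cookie)
    if not has_hsts:
        findings.append("no Strict-Transport-Security header; browsers may still use HTTP")
    return findings


# Constructed samples: the weak configuration next to the corrected one.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
]
```

The Secure flag is the one that directly defeats the interception: with it set, the browser never attaches the cookie to an http:// request, so there is nothing on the wire to capture. HSTS closes the remaining gap where a user or a link still starts from http://.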
Sony
Nineteen known attacks in 2011.
Most attacks are exploited because Sony never tightened internal cyber security.
New web site: http://hassonybeenhackedthisweek.com
Activity:
  June 8: Using SQL injection, an attacker exchanged 278,000 points on “My Sony Club” for a value of roughly $3,500.
  June 6: Attacker releases 54MB of source code to SCE Devnet, Sony’s computer entertainment developer network.
  May 23: One of Sony’s databases was released.
  May 21: Intruder accessed the customer rewards site, getting away with gift points totaling roughly $1,225.
  Personal records exposed: May 2, May 7, May 21 and June 5. Names, birth dates, mother’s maiden name, etc.
SANS Top 20 Critical Security Controls:
  Inventory of authorized and unauthorized devices
  Inventory of authorized and unauthorized software
  Secure configurations for hardware and software on machines
  Secure configurations for network devices
  Boundary defense
  Maintenance, monitoring and analysis of audit logs
  Application software security
  Controlled use of administrative privileges
  Controlled access based on need to know
  Continuous vulnerability assessment and remediation
  Account monitoring and control
  Malware defenses
  Limitation and control of network ports, protocols and services
  Wireless device control
  Data loss protection
  Secure network engineering
  Penetration tests and red team exercises
  Incident response capability
  Data recovery capability
  Security skills assessment and appropriate training to fill gaps
http://www.sans.org/critical-security-controls/
Incident Response
Carnegie-Mellon University offers training in Community Emergency Response Team (CERT) Security Incident Handler
http://www.sei.cmu.edu/certification/security/csih/
Documentation
NIST Computer Security Incident Handling Guide 800-61
http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf
Policies
  Nonexistent or outdated
  Gaps
Procedures
  Not regularly followed
Incident response
  Lack of management support
  No resources or experience
“Proper planning prevents poor performance.”
Verizon 2011 Data Breach Investigations Report
Examples
Policies
  Personal data is often identified as Confidential but other types of data are sometimes forgotten
    Encryption keys
Procedures
  Accounts and firewall settings not audited
  Change management not properly implemented
Incident response
  Incident response and business continuity look great on paper but rarely work out as designed
Recommendations:
  Review all policies annually
    Review with all departments, especially Legal and HR
  Communicate all directives with staff, especially staff that oversees confidential information or interfaces directly with the public
    Get documented acknowledgement
  Test all security incident and business continuity plans at least annually
    “Table top” exercises
    Cyberstorm, hosted by DHS
Types: Viruses, worms, trojan horses
Malware is one of the most common attack vectors and, unfortunately, has improved
Operating system and software complexity increases the chance of malware succeeding
Most common infection vectors:
  Injected by remote attacker
  E-mail
  Web/Internet
  Portable media
Malware has its rewards:
“The study of more than 1,000 senior IT executives from a wide range of corporations in the United States, U.K., Japan, China, India, Brazil and the Middle East, revealed that intellectual capital often has little to no protection. Moreover, cybercriminals have found that trade secrets, marketing plans and research and development findings is oftentimes worth more money than personal data, such as credit card numbers and bank credentials”
SC Magazine
http://www.scmagazineus.com/corporate-data-is-new-target-of-cybercrime/article/199420/
Recommendations
  Establish policies to minimize the possibility of malware infection
    Proper e-mail usage
    Flash drive restrictions
    Security awareness training
  Maintain updates on patch management and AV updates
  Maintain an effective incident response plan to address malware
  Reimage infected machines; malware removal tools may not be effective
    No guarantee that the malware was removed
Publications:
  NIST Publication 800-83: “Guide to Malware Incident Prevention and Handling”
Examples: smartphones, iPads, laptops
Convenience and functionality invite attacks
Employers often prefer features over security
Cyber-criminals see the potential benefit in mobile phone attacks and are trying new techniques
Attacks will increase over the next few years
Recommendations:
  Enforce password policies and automatic lockouts
  Disable wireless access points when not in use
  Prohibit unauthorized software
  Disable application auto-run
  Report missing or stolen devices ASAP
  Use encryption to protect sensitive data
    Whole disk encryption is preferred but data is available if machine is active. Data is encrypted only when machine is off or in “Hibernate” mode
NIST: SP 800-111, 800-121, 800-122, 800-124
Facebook, LinkedIn, Twitter, etc.
Problems:
  Data breaches
  Data leakage
Examples:
  PlentyofFish.com experienced a data breach that exposed user names, phone numbers and unencrypted passwords
  http://blogs.forbes.com/kashmirhill/2011/01/31/online-dating-site-plentyoffish-hacked-and-why-reporters-friending-sources-on-facebook-can-be-a-bad-thing/
Recommendations:
  Social media policy
    Disclosing company data on personal accounts
    Representing themselves, not their company
    Identify social engineering
  Review public social media sites
  Notify employees of risks regarding social media
Social engineering works:
“How to disappear: erase your digital footprint, leave false trails, and vanish without a trace” by Frank Ahearn
Information can be easily obtained through employees through coercion, bribery, praise, etc.
People remain the weakest link
Help desks are often prime targets. People want to help and often disclose too much information.
Recommendations:
  Policies
  Training to identify fraudulent e-mails, web sites, etc.
  E-mails:
    Don’t click on the link, Google it
    Send and receive e-mails in text format
    Beware of Phishing: acquiring sensitive information by masquerading as a trustworthy entity
    Phishing is on the rise
  Web sites
    Review URLs. Misspellings are intentional.
    Use SSL if possible
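The “review URLs, misspellings are intentional, use SSL” advice above as a screening function that a help desk or mail gateway could apply to a link before anyone clicks it. This is an added example, not code from the presentation; the allow-listed domains and the URLs in the test are constructed, and the two-label registrable-domain rule is a deliberate simplification (it does not handle suffixes such as co.uk).

```python
# Added example: flag look-alike and non-SSL links against an allow-list of
# the organisation's legitimate domains. Domains below are constructed.
from urllib.parse import urlparse

LEGITIMATE_DOMAINS = {"example-bank.com", "example-mail.com"}  # assumed allow-list


def edit_distance(a, b):
    """Levenshtein distance by dynamic programming (substitutions, inserts, deletes)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels, e.g. 'login.example-bank.com' -> 'example-bank.com'.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_url(url):
    """Return (verdict, reason); verdict is 'ok', 'suspicious' or 'lookalike'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    # Internationalised labels can render as visually identical letters.
    if host.startswith("xn--") or ".xn--" in host:
        return "suspicious", "internationalised (xn--) hostname"
    domain = registrable_domain(host)
    if domain in LEGITIMATE_DOMAINS:
        if parsed.scheme != "https":
            return "suspicious", "legitimate domain but not over SSL/TLS"
        return "ok", "allow-listed domain over https"
    for legit in sorted(LEGITIMATE_DOMAINS):
        brand = legit.split(".")[0]
        # Brand name buried in a subdomain of some other registrable domain.
        if brand in host:
            return "lookalike", "contains '%s' but the domain is %s" % (brand, domain)
        # Intentional misspelling: within a couple of edits of the real name.
        if edit_distance(domain, legit) <= 2:
            return "lookalike", "%s is within 2 edits of %s" % (domain, legit)
    return "suspicious", "domain not on allow-list"
```

The registrable domain, not the full hostname, is what gets compared: `example-bank.com.evil.example` contains the brand but its registrable domain is `evil.example`, which is exactly the pattern a quick visual review of a long URL tends to miss.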
Other terms:
  Cyber espionage
  Advanced persistent threat (APT)
  Cyber activism and hacktivism
Sources
  Individuals
  Governments
  Organized groups
Types of attacks: whatever it takes
Hacking may now be considered an act of war:
“The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.”
Wall Street Journal; “Cyber Combat: Act of War,” May 31, 2011
Stuxnet showed the effectiveness of remote attacks
State-sponsored hacking:
North Korea
Secretive North Korea is scouring its universities for computer prodigies to send overseas for training as part of a plan to expand its cyber warfare unit, a defector said on Wednesday, underscoring the increased risk of cyber attacks.
http://www.reuters.com/article/2011/06/01/us-korea-north-hackers-idUSTRE7501U420110601
State-sponsored hacking (continued):
China’s Blue Hacker Army
Last week China’s Defense Ministry confirmed its existence. It’s a highly-trained, elite cyber wing of the People’s Liberation Army. It’s got just about 30 online soldiers. And its stated purpose is two-fold. The first – to defend the country from cyber attacks. The second – to fire off its own online barrages in case of war.
http://business.blogs.cnn.com/2011/06/03/china-blue-hacker-army/
China was suspected in the recent attack against Google although no evidence exists of the actual attacker.
Operation Night Dragon
Dating possibly as far back as four years ago, Night Dragon attacks are aimed specifically at global oil, energy and petrochemical companies with the aim of harvesting intelligence on new opportunities and sensitive operational data which would give a competitive advantage to another party.
http://krypt3ia.wordpress.com/2011/02/28/operation-night-dragon-nothing-new-but-it-bears-some-repeating/
  SQL injection and other injections
  Spear phishing (social engineering)
Professional hackers, cyber crime pays:
“As a result of the inability to define and calculate losses, the best that the government and private sector can offer are estimates. Over the past five years, estimates of the costs of cyber crime to the U.S. economy have ranged from millions to hundreds of billions. A 2010 study conducted by the Ponemon Institute estimated that the median annual cost of cyber crime to an individual victim organization ranges from $1 million to $52 million.”
Cyber crime pays (continued):
“According to a 2011 publication released by Javelin Strategy and Research, the annual cost of identity theft is $37 billion. This includes all forms of identity theft, not just cyber means. The Internet Crime Complaint Center (IC3), which aggregates self-reported complaints of cyber crime, reports that in 2010, identity theft schemes made up 9.8 percent of all cyber crime.”
Gordon M. Snow, Assistant Director, FBI Cyber Division; Statement Before the Senate Judiciary Committee, Subcommittee on Crime and Terrorism, Washington, D.C.; April 12, 2011
http://www.fbi.gov/news/testimony/cybersecurity-responding-to-the-threat-of-cyber-crime-and-terrorism
Insider threats have remained steady for some time but are still a big concern.
Data loss
Malicious activity
  Accessing accounts that should be disabled
  Injecting malware “behind the lines”
  Surfing inappropriate web sites
Accidents
  Loss of critical information
  Inadvertent actions
  Victims of scams (Phishing)
Malicious activity:
According to news reports, a BofA employee with access to accountholder information allegedly leaked personally identifiable information…to a ring of criminals. With that information, the fraudsters reportedly hijacked e-mail addresses, cell phone numbers and possibly more, keeping consumers in the dark about new accounts and checks that had been ordered in their names.
http://www.bankinfosecurity.com/articles.php?art_id=3673&rf=2011-05-25-eb
Accidental, examples
Texas Comptroller’s Office
The Office of the Texas Comptroller is in the process of notifying 3.5 million individuals that their personal information was exposed after being stored on a publicly accessible server. The compromised records contained names, mailing addresses, dates of birth, driver’s license numbers and Social Security numbers, more than enough to fall within the category of protected personally identifiable information (PII).
http://cyberinsecure.com/data-breach-at-texas-comptroller-office-35-million-people-details-publicly-accessible-for-over-a-year/
Recommendations:
  Effective policies and proper security awareness training
    Teach employees how to spot and be wary of suspicious e-mails, web sites, etc.
  Disable user accounts immediately for users who violate company policy
  Review user and contractor accounts
  Conduct exercises
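The account recommendations above (disable on policy violation, review user and contractor accounts, and the earlier point that accounts are often not audited) as a periodic review that lists every enabled account needing action. This is an added example, not code from the presentation; the account records and the 90-day dormancy threshold are constructed assumptions, and a real run would export the records from the directory service.

```python
# Added example: review enabled accounts for policy violations, expired
# contracts and dormancy. Records below are constructed, not real users.
from datetime import date

ACCOUNTS = [  # constructed sample directory export
    {"user": "alice", "type": "employee", "enabled": True,
     "last_login": date(2011, 6, 10), "contract_end": None, "violation": False},
    {"user": "bob", "type": "contractor", "enabled": True,
     "last_login": date(2011, 3, 1), "contract_end": date(2011, 4, 30), "violation": False},
    {"user": "carol", "type": "employee", "enabled": True,
     "last_login": date(2010, 11, 2), "contract_end": None, "violation": False},
    {"user": "dave", "type": "employee", "enabled": True,
     "last_login": date(2011, 6, 12), "contract_end": None, "violation": True},
    {"user": "erin", "type": "contractor", "enabled": False,
     "last_login": date(2011, 1, 5), "contract_end": date(2011, 1, 31), "violation": False},
]


def review_accounts(accounts, today, dormant_days=90):
    """Return {username: [reasons]} for every enabled account that should be
    disabled or looked at. Already-disabled accounts are skipped."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        reasons = []
        if acct["violation"]:
            reasons.append("policy violation: disable immediately")
        if acct["contract_end"] is not None and acct["contract_end"] < today:
            reasons.append("contract ended %s but account still enabled" % acct["contract_end"])
        if (today - acct["last_login"]).days > dormant_days:
            reasons.append("no login for more than %d days" % dormant_days)
        if reasons:
            findings[acct["user"]] = reasons
    return findings


def format_report(findings):
    """One line per account, for the reviewer's sign-off sheet."""
    return "\n".join("%s: %s" % (user, "; ".join(reasons))
                     for user, reasons in sorted(findings.items()))
```

The contract-end check is the one that catches the "accounts that should be disabled" case named under Malicious activity: an ex-contractor's account that nobody closed is still a valid login until this review finds it.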
“The cloud” is cost-effective for legitimate users but the same holds true for attackers.
Some of Sony’s breaches were through Amazon.com’s servers.
Amazon’s cloud services are open to everyone—good and bad.
Attackers can utilize the cloud to hide their tracks.
Types:
  Infrastructure-as-a-service (IaaS)
    Computer infrastructure is provided, usually a platform virtualization environment or space for equipment
  Platform-as-a-service (PaaS)
    Provides computer support including operating systems
    More basic than SaaS
  Software-as-a-service (SaaS)
    Provides full support such as applications and operating systems
Recommendations
  Initial contract
    Write security requirements into the contract
    Who has root access privileges?
    Advanced notification of patches
    Opting out of patches
    Rollbacks
    Ensure settings are unchanged after modifications
    Separating data from the infrastructure
    Who is in charge of what?
  Compliance requirements
    Proof of compliance
    Compliance is still your responsibility!
    Using internal auditors
    Implement metrics
Recommendations
  Breach notification
    What if another company is breached?
    Will investigations be possible?
  Make sure you know where your data is located
  Backup and recovery
    How do you know it’s effective? Test!
  What if the cloud provider goes bankrupt?
Virtualization
One accepted solution but virtualization is not without its risks
Cloudburst: a tool that exploits the hypervisor to access data outside of the VM environment
  Kostya Kortchinsky
  Video buffer exploited to access information outside the VM environment
Senator Patrick Leahy Renews Push For Data Privacy Legislation
http://leahy.senate.gov/press/press_releases/release/?id=31e641c0-013e-4abc-8148-2c4f04ac3a86
Proposed new data breach reporting law
[A] new Federal law was proposed that would require organizations that collect personal information on 10,000 people during any 12-month period to report data breaches. Multiple laws like this exist on a state level. The goal of the proposed law is to bring clarity to these conflicting laws while also providing fine guidelines to the Federal government.
http://www.teamshatter.com/topics/general/team-shatter-exclusive/highlights-of-new-proposed-data-breach-reporting-law/
Federal
White House Releases Cybersecurity Legislative Proposal
http://www.huntonprivacyblog.com/2011/05/articles/information-security/white-house-releases-cybersecurity-legislative-proposal/
Texas
Texas Legislature Passes Anti-Bullying Law
http://nationalcybersecurity.net/texas-legislature-passes-anti-bullying-law/
Texas Administrative Code
http://info.sos.state.tx.us/tac
Collaboration between the private and public sectors
*-ISAC: Information Sharing and Analysis Center
  MS-ISAC, FS-ISAC, etc.
Local organizations: Infragard, ISSA, ISACA