Larry Moore, CISSP CISA

Posted: 03-Jul-2020

TRANSCRIPT

Page 1: Larry Moore, CISSP CISA | media.govtech.net › GOVTECH_WEBSITE › EVENTS › PRESENTATION… · Top Ten vulnerabilities for 2011

Top Ten vulnerabilities for 2011
Larry Moore, CISSP CISA

Page 2:

Top Ten vulnerabilities for 2011:
- Application Vulnerabilities
- Weak Infrastructure
- Improper planning and response
- Malware
- Mobile Devices
- Social Media
- Social Engineering
- Outside Attackers
- Internal Employees and Contractors
- Cloud Services

Some issues overlap

Page 3:

Affected industries (source: Verizon 2011 Data Breach Investigations Report):
- Hospitality
- Retail
- Financial Services
- Government
- Manufacturing

Large and small businesses are affected

Page 4:

- Have someone dedicated to “sweat the small stuff” regarding security
- Defense in depth
  - Never rely on one specific roadblock
- Critical factors for protection:
  - Confidentiality
  - Integrity
  - Availability
  - It’s all about protecting the data
- Authentication – the last line of defense
- Security awareness
- Test, test and test again

Page 5:

Build security into the business:
- Governance
- Technical
- Procedural

Seven Tenets of Good Security (Marcus Ranum and Fred Avolio):
- Minimalism – Simple over complex
- Reductionism – Remove unneeded objects
- Restriction – Remove unneeded users
- Auditability – Gather information and review
- Accountability – Take appropriate action for violations
- Configurability – Set to the organization's policy
- Examinability – Open standards

Page 6:

“Old school” still works

Web applications:
- Cross-site scripting
- Injections
- Redirects and forwards not validated
- SQL injection
- Unencrypted channels

Software:
- Buffer overflows
- Improper or no data verification
- Critical passwords stored in the data segment
- Unpatched applications

Page 7:

Example: Public Broadcasting System

Attackers have cracked the PBS website and posted a phony story claiming dead rapper Tupac Shakur was alive in New Zealand.
- Posted on the “PBS News Hour” web site.
- The attack was an apparent retaliation against a recent “Frontline” investigative news segment on the recent WikiLeaks issue.

Page 8:

Passwords: the weakest link
- Commonly used passwords are available on the Internet
- Unencrypted passwords, if stolen, enable attackers to access private information
- Forgotten passwords
  - Security questions are often used for forgotten passwords. However, these questions are often available on social networking sites
    - Birth date, home town, maiden name
    - Divorce is common (unfortunately) so ex-spouse may have information
  - Security questions should be unique to the individual

Page 9:

Open Web Application Security Project (OWASP) Top 10:
- Injection
- Cross-Site Scripting (XSS)
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross-Site Request Forgery (CSRF)
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Page 10:

SAFECode Development Practices:
- Threat modeling
- Use least privilege
- Implement sandboxing
- Minimize the use of unsafe strings and buffer functions
- Validate input and output to mitigate common vulnerabilities
- Use robust integer operations for dynamic memory allocations and array offsets
- Use anti-cross site scripting (XSS) library
- Use canonical data formats

http://www.safecode.org/publications/SAFECode_Dev_Practices0211.pdf
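The two SAFECode items on robust integer operations and unsafe buffer functions, shown as an added C example that is not from the presentation or from SAFECode's own material: an overflow-checked array allocation and index check, and a bounded string copy, with the unchecked multiplication kept beside them so the wrap is visible. The element count used in main is constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The unsafe pattern: the byte count for an array is computed with plain
   multiplication, so a large element count wraps around to a small number
   and the caller receives a buffer much smaller than the array it expects.
   Kept here only to make the wrap visible; do not use for real allocations. */
size_t naive_array_bytes(size_t count, size_t elem_size)
{
    return count * elem_size; /* wraps silently when the product overflows */
}

/* Robust integer operation: detect the wrap before multiplying.
   Returns 1 and stores the product in *out when it fits in size_t, else 0. */
int checked_array_bytes(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size) {
        return 0; /* count * elem_size would exceed SIZE_MAX */
    }
    *out = count * elem_size;
    return 1;
}

/* Allocation built on the check: a rejected request returns NULL exactly
   like an ordinary allocation failure, never an undersized buffer. */
void *alloc_array(size_t count, size_t elem_size)
{
    size_t bytes;
    if (!checked_array_bytes(count, elem_size, &bytes)) {
        return NULL;
    }
    return malloc(bytes);
}

/* Array offset check: the index is validated against a length that travels
   with the pointer instead of being assumed. Returns 1 on success, 0 if
   the pointer is NULL or the index is out of range. */
int read_at(const int *table, size_t table_len, size_t idx, int *value)
{
    if (table == NULL || idx >= table_len) {
        return 0;
    }
    *value = table[idx];
    return 1;
}

/* Bounded copy replacing strcpy/strcat: always NUL-terminates and reports
   truncation. Returns 0 when src fit, 1 when it was truncated, -1 when
   dst has no room even for the terminator. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0) {
        return -1;
    }
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

int main(void)
{
    /* Constructed input: a count chosen so that count * 8 wraps to 0 on
       both 32-bit and 64-bit size_t. */
    size_t huge = SIZE_MAX / 4 + 1;
    size_t bytes = 0;
    int *arr;
    int v = 0;
    int rc;
    char name[8];

    printf("naive bytes for %zu x 8: %zu\n", huge, naive_array_bytes(huge, 8));
    printf("checked request: %s\n",
           checked_array_bytes(huge, 8, &bytes) ? "accepted" : "rejected");

    arr = alloc_array(16, sizeof *arr);
    if (arr != NULL) {
        for (size_t i = 0; i < 16; i++) {
            arr[i] = (int)i * 10;
        }
        /* index 16 is one past the end and must be refused */
        printf("read_at index 16: %s\n", read_at(arr, 16, 16, &v) ? "ok" : "rejected");
        free(arr);
    }

    rc = copy_bounded(name, sizeof name, "a-very-long-user-name");
    printf("copy_bounded -> %d, name=\"%s\"\n", rc, name);
    return 0;
}
```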

Page 11:

Examples:
- Princeton researchers have filed a 158-page report on the ease of replacing their ROMs and winning yourself an election.
  http://www.engadget.com/2008/10/24/princeton-publishes-how-to-guide-for-hacking-sequoia-e-voting-ma/ (2008)

Page 12:

Recommendations:
- Run with least privilege
- Test and review all web applications
- Enforce data limitations
- Monitor application use
- Train developers in current code vulnerabilities and mitigation
- Permit only authorized software
- Application and code reviews
- Verify data ALWAYS!

Page 13:

Password recommendations:
- Large entropy and length is best
- Enforce password expiration dates
- Don’t use passwords that relate to you
  - Favorite sport teams
- Complexity is preferred, even if the user has to write down the password, provided that the written password is hidden and locked
  - Under keyboards and behind monitors don’t count
- Security questions should refer to information not available in public records
- Alternative: provide one-time passwords to users through alternative communication (e.g. telephone)

Page 14:

Physical:
- No locks
- Weak user endpoints

Logical:
- Failure to protect the data at multiple levels:
  - Transport
  - Storage (database, file)
- Failure to design with security in mind
- Failure to monitor the network and servers
- Failure to adequately update systems
  - Antivirus updates
  - Patches

Page 15:

Examples

Physical:
- Skimming: inserting a keypad over a legitimate keypad for the purpose of obtaining user-provided information
  - ATMs, POS systems

Logical:
- Data leakage
- Firesheep: an extension for the Mozilla Firefox web browser which intercepts unencrypted traffic (often wireless traffic) to specific websites such as Twitter or Facebook. This enables the attacker to obtain login credentials from the victim.

Page 16:

Sony
- Nineteen known attacks in 2011.
- Most attacks succeeded because Sony never tightened internal cyber security.
- New web site: http://hassonybeenhackedthisweek.com

Page 17:

Sony (continued)

Activity:
- June 8: Using SQL injection, an attacker exchanged 278,000 points on “My Sony Club” for a value of roughly $3,500.
- June 6: Attacker releases 54MB of source code to SCE Devnet, Sony’s computer entertainment developer network.
- May 23: One of Sony’s databases was released.
- May 21: Intruder accessed the customer rewards site, getting away with gift points totaling roughly $1,225.
- Personal records exposed: May 2, May 7, May 21 and June 5. Names, birth dates, mother’s maiden name, etc.

Page 18:

SANS Top 20 Critical Security Controls:
1. Inventory of authorized and unauthorized devices
2. Inventory of authorized and unauthorized software
3. Secure configurations for hardware and software on machines
4. Secure configurations for network devices
5. Boundary defense
6. Maintenance, monitoring and analysis of audit logs
7. Application software security
8. Controlled use of administrative privileges
9. Controlled access based on need to know
10. Continuous vulnerability assessment and remediation

Page 19:

SANS Top 20 Critical Security Controls (continued):
11. Account monitoring and control
12. Malware defenses
13. Limitation and control of network ports, protocols and services
14. Wireless device control
15. Data loss protection
16. Secure network engineering
17. Penetration tests and red team exercises
18. Incident response capability
19. Data recovery capability
20. Security skills assessment and appropriate training to fill gaps

http://www.sans.org/critical-security-controls/

Page 20:

Incident Response
- Carnegie Mellon University offers training in Community Emergency Response Team (CERT) Security Incident Handler
  http://www.sei.cmu.edu/certification/security/csih/

Documentation
- NIST Computer Security Incident Handling Guide 800-61
  http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf

Page 21:

Policies:
- Nonexistent or outdated
- Gaps

Procedures:
- Not regularly followed

Incident response:
- Lack of management support
- No resources or experience

“Proper planning prevents poor performance.” Verizon 2011 Data Breach Investigations Report

Page 22:

Examples

Policies:
- Personal data is often identified as Confidential, but other types of data are sometimes forgotten
  - Encryption keys

Procedures:
- Accounts and firewall settings not audited
- Change management not properly implemented

Incident response:
- Incident response and business continuity look great on paper, but they rarely work out as designed

Page 23:

Recommendations:
- Review all policies annually
  - Review with all departments, especially Legal and HR
- Communicate all directives to staff, especially staff who oversee confidential information or interface directly with the public
  - Get documented acknowledgement
- Test all security incident and business continuity plans at least annually
  - “Table top” exercises
  - Cyberstorm, hosted by DHS

Page 24:

Types: Viruses, worms, trojan horses
- Malware is one of the most common attack vectors and, unfortunately, has improved
- Operating system and software complexity increases the chance of malware succeeding
- Most common infection vectors:
  - Injected by remote attacker
  - E-mail
  - Web/Internet
  - Portable media

Page 25:

Malware has its rewards:

“The study of more than 1,000 senior IT executives from a wide range of corporations in the United States, U.K., Japan, China, India, Brazil and the Middle East, revealed that intellectual capital often has little to no protection. Moreover, cybercriminals have found that trade secrets, marketing plans and research and development findings is oftentimes worth more money than personal data, such as credit card numbers and bank credentials”

SC Magazine
http://www.scmagazineus.com/corporate-data-is-new-target-of-cybercrime/article/199420/

Page 26:

Recommendations
- Establish policies to minimize the possibility of malware infection
  - Proper e-mail usage
  - Flash drive restrictions
  - Security awareness training
- Maintain updates on patch management and AV updates
- Maintain an effective incident response plan to address malware
- Reimage infected machines; malware removal tools may not be effective
  - No guarantee that the malware was removed
- Publications:
  - NIST Publication 800-83: “Guide to Malware Incident Prevention and Handling”

Page 27:

Examples: smartphones, iPads, laptops
- Convenience and functionality invite attacks
- Employers often prefer features over security
- Cyber-criminals see the potential benefit in mobile phone attacks and are trying new techniques
- Attacks will increase over the next few years

Page 28:

Recommendations:
- Enforce password policies and automatic lockouts
- Disable wireless access points when not in use
- Prohibit unauthorized software
- Disable application auto-run
- Report missing or stolen devices ASAP
- Use encryption to protect sensitive data
  - Whole disk encryption is preferred, but the data is accessible while the machine is active. It is protected only when the machine is off or in “Hibernate” mode
- NIST: SP 800-111, 800-121, 800-122, 800-124

Page 29:

Facebook, LinkedIn, Twitter, etc.

Problems:
- Data breaches
- Data leakage

Examples:
- PlentyofFish.com experienced a data breach that exposed user names, phone numbers and unencrypted passwords
  http://blogs.forbes.com/kashmirhill/2011/01/31/online-dating-site-plentyoffish-hacked-and-why-reporters-friending-sources-on-facebook-can-be-a-bad-thing/

Page 30:

Recommendations:
- Social media policy
  - Disclosing company data on personal accounts
  - Representing themselves, not their company
  - Identify social engineering
- Review public social media sites
- Notify employees of risks regarding social media

Page 31:

Social engineering works:
- “How to Disappear: Erase Your Digital Footprint, Leave False Trails, and Vanish Without a Trace” by Frank Ahearn
- Information can be easily obtained through employees through coercion, bribery, praise, etc.
- People remain the weakest link
- Help desks are often prime targets. People want to help and often disclose too much information.

Page 32:

Recommendations:
- Policies
- Training to identify fraudulent e-mails, web sites, etc.
- E-mails:
  - Don’t click on the link; Google it
  - Send and receive e-mails in text format
  - Beware of phishing: acquiring sensitive information by masquerading as a trustworthy entity
    - Phishing is on the rise
- Web sites:
  - Review URLs. Misspellings are intentional.
  - Use SSL if possible

Page 33:

Other terms:
- Cyber espionage
- Advanced persistent threat (APT)
- Cyber activism and hacktivism

Sources:
- Individuals
- Governments
- Organized groups

Types of attacks: whatever it takes

Page 34:

Hacking may now be considered an act of war:

“The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.”

Wall Street Journal; “Cyber Combat: Act of War,” May 31, 2011

Stuxnet showed the effectiveness of remote attacks

Page 35:

State-sponsored hacking: North Korea

Secretive North Korea is scouring its universities for computer prodigies to send overseas for training as part of a plan to expand its cyber warfare unit, a defector said on Wednesday, underscoring the increased risk of cyber attacks.

http://www.reuters.com/article/2011/06/01/us-korea-north-hackers-idUSTRE7501U420110601

Page 36:

State-sponsored hacking (continued): China’s Blue Hacker Army

Last week China’s Defense Ministry confirmed its existence. It’s a highly-trained, elite cyber wing of the People’s Liberation Army. It’s got just about 30 online soldiers. And its stated purpose is two-fold. The first – to defend the country from cyber attacks. The second – to fire off its own online barrages in case of war.

http://business.blogs.cnn.com/2011/06/03/china-blue-hacker-army/

China was suspected in the recent attack against Google, although no evidence exists of the actual attacker.

Page 37:

Operation Night Dragon

Dating possibly as far back as four years ago, Night Dragon attacks are aimed specifically at global oil, energy and petrochemical companies with the aim of harvesting intelligence on new opportunities and sensitive operational data which would give a competitive advantage to another party.

http://krypt3ia.wordpress.com/2011/02/28/operation-night-dragon-nothing-new-but-it-bears-some-repeating/

- SQL injection and other injections
- Spear phishing (social engineering)

Page 38:

Professional hackers, cyber crime pays:

“As a result of the inability to define and calculate losses, the best that the government and private sector can offer are estimates. Over the past five years, estimates of the costs of cyber crime to the U.S. economy have ranged from millions to hundreds of billions. A 2010 study conducted by the Ponemon Institute estimated that the median annual cost of cyber crime to an individual victim organization ranges from $1 million to $52 million.”

Page 39:

Cyber crime pays (continued):

“According to a 2011 publication released by Javelin Strategy and Research, the annual cost of identity theft is $37 billion. This includes all forms of identity theft, not just cyber means. The Internet Crime Complaint Center (IC3), which aggregates self-reported complaints of cyber crime, reports that in 2010, identity theft schemes made up 9.8 percent of all cyber crime.”

Gordon M. Snow, Assistant Director, FBI Cyber Division; Statement Before the Senate Judiciary Committee, Subcommittee on Crime and Terrorism, Washington, D.C.; April 12, 2011
http://www.fbi.gov/news/testimony/cybersecurity-responding-to-the-threat-of-cyber-crime-and-terrorism

Page 40:

Insider threats have remained steady for some time but are still a big concern.
- Data loss
- Malicious activity
  - Accessing accounts that should be disabled
  - Injecting malware “behind the lines”
  - Surfing inappropriate web sites
- Accidents
  - Loss of critical information
  - Inadvertent actions
  - Victims of scams (phishing)

Page 41:

Malicious activity:

According to news reports, a BofA employee with access to accountholder information allegedly leaked personally identifiable information…to a ring of criminals. With that information, the fraudsters reportedly hijacked e-mail addresses, cell phone numbers and possibly more, keeping consumers in the dark about new accounts and checks that had been ordered in their names.

http://www.bankinfosecurity.com/articles.php?art_id=3673&rf=2011-05-25-eb

Page 42:

Accidental, examples: Texas Comptroller’s Office

The Office of the Texas Comptroller is in the process of notifying 3.5 million individuals that their personal information was exposed after being stored on a publicly accessible server. The compromised records contained names, mailing addresses, dates of birth, driver’s license numbers and Social Security numbers, more than enough to fall within the category of protected personally identifiable information (PII).

http://cyberinsecure.com/data-breach-at-texas-comptroller-office-35-million-people-details-publicly-accessible-for-over-a-year/

Page 43:

Recommendations:
- Effective policies and proper security awareness training
  - Teach employees how to spot and be wary of suspicious e-mails, web sites, etc.
- Disable user accounts immediately for users who violate company policy
- Review user and contractor accounts
- Conduct exercises

Page 44:

“The cloud” is cost-effective for legitimate users, but the same holds true for attackers.
- Some of Sony’s breaches were through Amazon.com’s servers.
- Amazon’s cloud services are open to everyone, good and bad.
- Attackers can utilize the cloud to hide their tracks.

Page 45:

Types:
- Infrastructure-as-a-service (IaaS)
  - Computer infrastructure is provided, usually a platform virtualization environment or space for equipment
- Platform-as-a-service (PaaS)
  - Provides computer support including operating systems
  - More basic than SaaS
- Software-as-a-service (SaaS)
  - Provides full support such as applications and operating systems

Page 46:

Recommendations
- Initial contract
  - Write security requirements into the contract
    - Who has root access privileges?
    - Advance notification of patches
    - Opting out of patches
    - Rollbacks
    - Ensure settings are unchanged after modifications
  - Separating data from the infrastructure
    - Who is in charge of what?
- Compliance requirements
  - Proof of compliance
  - Compliance is still your responsibility!
    - Using internal auditors
    - Implement metrics

Page 47:

Recommendations
- Breach notification
  - What if another company is breached?
  - Will investigations be possible?
- Make sure you know where your data is located
- Backup and recovery
  - How do you know it’s effective? Test!
- What if the cloud provider goes bankrupt?

Page 48:

Virtualization
- One accepted solution, but virtualization is not without its risks
- Cloudburst: a tool that exploits the hypervisor to access data outside of the VM environment
  - Kostya Kortchinsky
  - Video buffer exploited to access information outside the VM environment

Page 49:

Senator Patrick Leahy Renews Push For Data Privacy Legislation
http://leahy.senate.gov/press/press_releases/release/?id=31e641c0-013e-4abc-8148-2c4f04ac3a86

Proposed new data breach reporting law:

[A] new Federal law was proposed that would require organizations that collect personal information on 10,000 people during any 12-month period to report data breaches. Multiple laws like this exist on a state level. The goal of the proposed law is to bring clarity to these conflicting laws while also providing fine guidelines to the Federal government.

http://www.teamshatter.com/topics/general/team-shatter-exclusive/highlights-of-new-proposed-data-breach-reporting-law/

Page 50:

Federal:
- White House Releases Cybersecurity Legislative Proposal
  http://www.huntonprivacyblog.com/2011/05/articles/information-security/white-house-releases-cybersecurity-legislative-proposal/

Texas:
- Texas Legislature Passes Anti-Bullying Law
  http://nationalcybersecurity.net/texas-legislature-passes-anti-bullying-law/
- Texas Administrative Code
  http://info.sos.state.tx.us/tac

Page 51:

Collaboration between the private and public sectors
- *-ISAC: Information Sharing and Analysis Center
  - MS-ISAC, FS-ISAC, etc.
- Local organizations: InfraGard, ISSA, ISACA