
Real World Security: Current Threat and Mitigation State What We All Need To Know

David O'Berry, CISSP-ISSAP, ISSMP, CSSLP, CRISC, CRMP, MCNE, Strategic Technologies, McAfee Office of the CTO (OCTO)
September 6, 2013

McAfee Confidential / Internal Use Only

David O'Berry, previously Director of Strategic Development and ITS for SC Probation, Parole, & Pardon Services

During my 19+ years with South Carolina:
- MS-ISAC Executive Board
- SC Security Domain Chairman and Collaboration TL
- Midlands ISSA Chapter Founder and President
- Trusted Computing Group's Customer Advisory Council (TNC-CAC) Chairman; TOG's Improving The Digital Ecosystem Workgroup
- Chapters published on IF-MAP, SCAP, TNC and standards-based defense/mitigation (ISMH 09, 10, 11)

My Previous Life's Work and the IT Environment:
- 800+ users, rapidly growing external user base (1000s)
- 100% mobile capable; plan started in 2002
- 26 to 30+ full-time IT staff, including development, engineering, help desk, & remote support
- Decentralized work force
- Heterogeneous and open-standards deployments:
  - Core: McAfee, Dell, Juniper, APC
  - Network: Juniper, BlueCoat, Citrix, Imprivata
  - Data: McAfee EEPC, Device Control, Host DLP
  - Endpoint: McAfee AV, HIPS, Policy Auditor
  - Management: McAfee's ePolicy Platform, STRM, NSM Manager, Cacti & other open source products

THE THIRD PILLAR OF COMPUTING

[Slide graphic: Security shown as the third pillar of computing, alongside Power-Efficient Performance and Internet Connectivity; goal: better security solutions & products]

Threat Radar = Answering The Question Why?

- Industrial Threats Will Mature
- Hacktivism: Reboot or be Marginalized
- Windows 8: BIOS and Hardware Attacks
- Mobile Botnets, Rootkits, and Attack Surface, Oh My!
- Rogue CERTs: Rooting Trust

Full Year 2012 Threat Report: Yikes!

Key Trends
- Android-targeted malware spiked, with newly discovered samples doubling in Q4
- Master Boot Record attacks on the PC storage stack increased 27%
- New PC malware returned to its historic growth trend, with known samples now totaling more than 110 million
- Signed malware samples hit the hockey-stick inflection point, doubling in three months
- Suspect URLs, which are becoming the primary distribution mechanism for malware, increased 70% in Q4
- A new Advanced Persistent Threat (APT) known as Blitzkrieg appeared that targets financial services firms and their customers

Source: http://www.mcafee.com/us/resources/reports/rpquarterly-threat-q4-2012.pdf

Trends Continuing in Q2 - 2013

- Aggressive attacks on Android-based mobile devices
- Material expansion of malicious/infected websites
- High-volume "big pharma" spam campaigns, but mostly outside of North America
- Extensive use of ransomware to drive up currency extraction
- Operation Troy efforts/residual activity continues in South Korea
- Digitally signed malware samples increased 50% to 1.2M samples

Global Malware Vision - Scary

The Zoo (Collection)

| Category | End of 2010 (cumulative) | End of 2011 (cumulative) | End of 2012 (cumulative) | Added in January 2013 | Added in February 2013 |
|---|---|---|---|---|---|
| Malware Zoo | 54,200,000 | 76,600,000 | 113,600,000 | +4,000,000 | +5,300,000 |
| Autorun | 5,600,000 | 8,000,000 | 12,000,000 | +426,000 | +656,000 |
| Exploits | 1,820,000 | 3,000,000 | 5,400,000 | +423,000 | +344,000 |
| FakeAV, Scareware | 5,500,000 | 9,200,000 | 13,100,000 | +358,000 | +313,000 |
| Macintosh | 2,160 | 3,250 | 4,200 | +50 | +90 |
| Mobile (*) | 14,500 | 43,000 | 1,073,000 | +111,000 | +104,000 |
| PWS & Keyloggers | 11,389,000 | 15,547,000 | 22,300,000 | +655,000 | +629,000 |
| Ransomware | 132,000 | 365,000 | 1,066,000 | +66,000 | +71,000 |
| Rootkits | 1,986,000 | 2,931,000 | 3,874,000 | +65,000 | +55,000 |
| Unix Like | 52,000 | 56,000 | 64,000 | +790 | +940 |

Added to the Malware Zoo in Q2-2012 / Q3-2012 / Q4-2012: +9,300,000 / +8,600,000 / +12,100,000.

Per-category additions for Q2/Q3/Q4-2012 as extracted from the slide (column order not recoverable): +1,240,000 +698,000 +981,000 320 +52,000 +865,000 +387,000 +980,000 210 +195,000 +1,300,000 +868,000 +1,184,000 180 +768,000 +1,871,000 +227,000 +179,000 +3,400 +1,865,000 +1,662,000 +151,000 +266,000 +1,370 +218,000 +276,000 +2,020

(*): Mobile malware and Potentially Unwanted Program binaries with libraries, unpacked and repacked samples.

The Great Zoo: McAfee Known Malware

February 28, 2013: we reach 123 million samples (110k new and unique malicious binaries classified daily)

Samples added per half year:
- Q1/Q2-2011: +12.1 million samples
- Q3/Q4-2011: +10.3 million samples
- Q1/Q2-2012: +16.3 million samples
- Q3/Q4-2012: +20.7 million samples

[Chart: Quarter per Quarter Exploits Detection]

[Chart: Quarter per Quarter FakeAlert/Scareware]

[Chart: Quarter per Quarter Rootkits Detection]

[Chart: Quarter per Quarter Mobile Detection]

[Chart: Quarter per Quarter Ransomware Detection]

[Chart: Quarter per Quarter Password Stealer & Keylogger Detection]

Economic Model of the Attack

[Infographic]
- More malware variations: 10,000 daily new malware threats
- A new malicious website detected every 30 seconds
- 90% of all threats have been financially motivated
- Web 2.0 is the catalyst!
- Toolkits & obfuscation: 85% of malware is obfuscated
- 4M new active zombies per month
- Attack target: users vs. machines

A Better Biz Model Than Most Companies

A newcomer: Vector Bot 32-64 Bit
[+] Bin Price : 1000 EUR
[+] Payment Only Via LR

And here we go...

Vulnerabilities - Fuel to the Fire

[Chart: Overview of vulnerabilities patched by Microsoft]
Source: François Paget, McAfee Labs

Vulnerabilities - more

[Chart: Overview of vulnerabilities patched by Apple]
Source: François Paget, McAfee Labs

The Company We All LOVE

[Chart: Overview of Adobe vulnerabilities]
Source: François Paget, McAfee Labs

Trends To Help You Sleep Better?!?!?!


Research shows overall vulnerability disclosures rose a staggering 26% in 2012; vulnerabilities in SCADA systems protecting critical infrastructure have skyrocketed 600% since 2010.

Source: https://www.nsslabs.com/news/press-releases/nss-labs-vulnerabilitythreat-report-sees-significant-rise-vulnerability


ZEUS = 34zY B0tN3Tz

Zeus / Zbot Strains
- The source code for Zeus was leaked on the internet in May 2011. It is available on forums, rapid-share, and torrents if you search for it.
- Anyone with compiling skills can create infinite Zeus variants.
- In a 3-year period, we've seen 25,165,306 unique samples. You read that right: that is over 25 million Zeus variants.
- Averaging 120,000 to 200,000 new Zeus variants per month for a while now.

Source: Thomas, Vinoo

State-Sponsored Hacking Matters

Cyberattack leaves natural gas pipelines vulnerable to sabotage
From December 2011 through June 2012, cyberspies targeted 23 gas pipeline companies with e-mails crafted to deceive key personnel into clicking on malicious links or file attachments that let the attackers slip into company networks, says the Department of Homeland Security (DHS) report. The report does not mention China, but the digital signatures of the attacks have been identified by independent cybersecurity researchers as belonging to a particular espionage group recently linked to China's military.

Source: http://www.csmonitor.com/Environment/2013/0227/Exclusive-Cyberattack-leavesnatural-gas-pipelines-vulnerable-to-sabotage

Network Threat Trends: Developers, Developers, Developers!!!!

The leading network threat this quarter came via Microsoft remote procedure calls. This was followed by a very close race between SQL-injection and cross-site scripting attacks. These two attacks are very much remote in nature, meaning they can be launched at selected targets around the globe.

Top Network Threat by Type

| Threat type | Share |
|---|---|
| Remote Procedure Call | 26% |
| SQL Injection | 21% |
| Cross-Site Scripting | 19% |
| Browser | 15% |
| CGI Command Execution | 12% |
| Others | 7% |
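The two application-layer threats the slide ranks just behind RPC, SQL injection and cross-site scripting, both come down to untrusted input being spliced into a grammar (SQL or HTML) instead of being passed as data. The following is an added example, not code from the deck or from McAfee: each vulnerable pattern sits beside its hardened form, the user table is a constructed in-memory SQLite database, and the function names are mine.

```python
"""Added example: SQL injection and XSS, vulnerable vs. hardened form.
Data is a constructed in-memory SQLite table; nothing here touches a network."""
import html
import sqlite3


def make_db():
    # Constructed sample data standing in for an application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cr3t"), ("bob", "hunter2")])
    return conn


def lookup_vulnerable(conn, name):
    # String formatting: the caller's input becomes part of the SQL grammar,
    # so a quote in the input changes the meaning of the WHERE clause.
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # Bound parameter: the driver sends the input as a value, never as SQL,
    # so the same input simply matches no row.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def greet_vulnerable(name):
    # Raw interpolation into HTML: markup in the input is rendered as markup.
    return "<p>Hello, %s</p>" % name


def greet_safe(name):
    # Output encoding: the same characters are shown as text, not interpreted.
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


def demo():
    """Run both inputs through both forms and return the observable difference."""
    conn = make_db()
    tautology = "x' OR '1'='1"            # classic SQL tautology
    markup = "<script>alert(1)</script>"  # classic XSS probe string
    return {
        "vulnerable_query": lookup_vulnerable(conn, tautology),  # every user
        "safe_query": lookup_safe(conn, tautology),              # no match
        "vulnerable_html": greet_vulnerable(markup),             # live <script>
        "safe_html": greet_safe(markup),                         # escaped text
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-17s %r" % (key, value))
```

The point for detection and review is that the fix is structural, not a blocklist of characters: parameter binding and context-appropriate output encoding make the attacker's input inert regardless of what it contains.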

Sad and Scary Numbers?

- 80% of CISOs see employees as the greatest data threat
- 73% of data breaches come from internal sources
- 77% are unable to audit or quantify loss after a data breach

Sources: Dark Reading/InformationWeek survey; MIS Training Institute survey at CISO Summit; McAfee Datagate Report, produced by DataMonitor (survey of 1400 IT professionals across UK, US, DR, DE, and Australia)

This was THEN Literally in Black and White!!!


Next generation data centers - the utility computing vision

[Diagram: multi-tiered applications hosted on a large-scale virtualized utility fabric that provides application services to millions of users (infrastructure on demand); storage elements and fabric elements are shared across tiers]
- Internet access tier: edge routers, routing switches, 1st level firewall, switched web cache, authentication, DNS, intrusion detection, VPN processing
- Web tier: load balancing switches, web servers, web page storage (NAS)
- Application tier: 2nd level firewall, switches, application servers, files (NAS)
- Database tier: switches, SQL servers, storage area network (SAN)
- Intranet

Threats Rapidly Moving Down the Stack

[Diagram: attacks by layer, top of the stack to bottom]
- Applications/RDBMS (AV, HIPS): traditional attacks, and defenses, focused primarily on the application layer; attack and disable security products and hence all protection
- Operating System: infect the OS with APTs, resulting in threats hidden from security products
- Virtual Machine (I/O, Memory, Disk, Network, Display): compromise the virtual machine and hence all guest machines within
- BIOS and CPU: rogue peripherals & firmware bypassing all other security measures; ultimate APTs compromise devices below the OS, either before or after shipment

And They Wonder Why We Seldom Sleep Peacefully?


Around the World


Social Media Popularity

200 million announced on February 14 ?

Source: http://resources.infosecinstitute.com/social-media-use-in-the-militarysector/

Hacktivism Networks Will Continue to Evolve


McAfee believes the historical Anonymous syndicate will reinvent itself or die out. The people leading digital disruptions will become better engaged with the people leading physical demonstrations. For political and ideological ends, the private lives of public figures (politicians, industry leaders, judges, and law-enforcement and security officers) will be disclosed this year more than in the past. Some hacktivists will operate along the same lines as the various cyberarmies that primarily flourish in nondemocratic or nonsecular states...

Anonymous + SCADA


Industrial Attacks Will Mature


Stuxnet proved that malicious code can create a real world, kinetic response. Recent incidents directed at water utilities in the United States show that these facilities are of increasing interest to attackers. The more attention is focused on SCADA and infrastructure systems, the more insecurity seems to come to light. We expect to see this insecurity lead to greater threats through exploit toolkits and frameworks as well as the increased targeting of utilities and energy ICS systems in particular.

Stuxnet Proliferation: Siemens PLCs, nuclear enrichment centrifuges

Around the World


Mandiant accuses the People's Liberation Army's Unit 61398 of hacking
The report, by Mandiant, identifies the People's Liberation Army's (PLA) Shanghai-based Unit 61398 as the most likely perpetrators of the hacking. The company said it believed the unit had carried out "sustained" attacks on a wide range of industries. "The nature of Unit 61398's work is considered by China to be a state secret; however, we believe it engages in harmful computer network operations," Mandiant said. "It is time to acknowledge the threat that is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively."
Source: http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

Anonymous Doxing


The Mobility Explosion!


The Goal of Radical Consumerization is? Secure, Ubiquitous Access to a Computing Environment

[Chart: growth in connected devices, from today's count to 50 Billion]

Lost Smartphone Protection

Employees consistently fail to protect their mobile devices

| Protection in place | Share of employees |
|---|---|
| No protection | 57% |
| Anti-theft device | 31% |
| Encryption | 19% |
| Password or keypad lock | 17% |
| Client firewall | 11% |
| Anti-virus/anti-malware | 5% |
| Other | 4% |

Rogue Certificates
Threats such as Flame, Stuxnet, and Duqu used rogue certificates to great effect to evade detection. Although this is not the first time we have seen this behavior (fake AV, certain Zeus variants, Conficker, and even some old Symbian malware used them), we expect to see this trend increase in 2012 and beyond. We need to be aware and very concerned about the implications of large-scale rogue certificates on the whitelisting and application control technologies that use these certs. Wide-scale targeting of certificate authorities and the broader use of fraudulent, yet valid digital certificates has ramifications for public-key infrastructure, secure browsing, and transactions


Countermeasures Trends: Intelligence, Response, and Red Teams


- Extensive red teaming and SE testing
- Develop operational readiness
- Focus on OSINT analysis and forensics
- Extensive internal CERT team investments
- Partnerships for information sharing

Coordinated Security

[Diagram: the IF-MAP Protocol (open interfaces) as the hub connecting:]
- Asset Management System
- Endpoint Security (via NAC)
- SIM / SEM: Nitro, ePO, MAP Servers
- IPAM
- Physical Security
- ICS/SCADA Security
- AAA
- Routing, Switching, Wireless
- IDS
- Firewalls
- Server or Cloud Security

The Industry - Refocused

- The New Biz World Requires More Devices (Mobile etc.), Therefore Usually More Work; Nothing Is Getting Easier
- Endpoints And Flowpoints Were/Are Unmanageable With Technology That Does Not Scale From A Visibility Perspective
- Standardize Where/What You Can
- BOTH Modularity And Scalability Of Both Product And Aggregator Of Relevant Data Required
- Slow Adoption Of Standard Solutions Cripples Innovation and Impacts Efficiency of the Overall Digital Ecosystem Safety
- We Are All Part Of One Organism In This Digital Ecosystem: Immune System Concept, If Extremities Get An Infection It Can Easily Become Systemic
- Digital Feudalism or Castle And Moat Were Reasonable In The Past; Now The Barbarians Can Draft Your Citizens, Dogs, Cats, Livestock, Refrigerators, etc. Into Service Against You
- Bad Security Threatens Innovation Which In Turn Threatens Productivity
- Don't Give Anyone An Excuse To Say No