Top 5 Security Trends for 2010

Feb 21, 2014

Noa Bar-Yosef, Security Research Engineer, Imperva


Imperva Background

Focuses on Application Data Security and Compliance

Application Defense Center (ADC)

+ Research organization headed by Amichai Shulman
+ Security analysis
+ Vulnerability discovery
+ Compliance expertise
+ Threat research
+ Education

Agenda

Scorecard for 2009 Security Trends

2010 Top Security Trends

+ Emerging threats, vendor security notification policies, and new security tactics
+ Strategies to mitigate today's security threats

Q&A

Scorecard for 2009 Security Trends

#  Trend                                                  Score
1  Disclosure becoming irresponsible                      A-
2  Economics to affect threat level                       A
3  Surge of cloud related threats                         C
4  Evolution of automated attacks                         A+
5  Increased threat to business applications (e.g. SAP)  C
6  Proliferation of CSRF                                  D

#1 - The Industrialization of Hacking

Hacking is becoming a profitable industry

The foundations of any industry can be identified within hacking:

+ Building layered roles (supply chain)
+ Horizontal expertise
+ Resource optimization
+ Automation

Individual or political hacking hasn't ceased, but it has become a secondary threat

The Industrialization of Hacking - Layered Roles

Detect vulnerabilities and develop exploits

+ Hardcore "hackers" with strong technical capabilities
+ Keep clean of actual targets
+ Provide the building blocks for others

Grow botnets

+ Groups devoted to controlling as many zombies as possible
+ Complex operations (will discuss later)
+ Provide zombies from the botnet for use by perpetrators

The Industrialization of Hacking - Layered Roles (cont.)

Exploit targets

+ Groups that make use of zombies for various purposes
+ Send spam
+ Collect data
+ Inflict DoS

Consumers

+ Monetize information
  - Credit card fraud
  - Identity theft
+ Advertise through spam
+ Blackmail

The Industrialization of Hacking - Resource Optimization

"Nothing is thrown to the garbage"

Each workstation or application, once compromised, is exploited in one way or another as part of the industrial food chain

Compromised applications

+ Direct value (fund transfer, credit card information, etc.)
+ Indirect value (credentials to other systems)
+ Malware distribution
+ Blackhat SEO
+ Command & Control

The Industrialization of Hacking - Resource Optimization (cont.)

Workstations

+ Keylogger for grabbing credentials
+ Specialized malware for man-in-the-browser attacks
+ General purpose Trojan to use as part of a botnet
+ Relay into internal networks

The Industrialization of Hacking - Automation

The core of the industrial process, growing botnets and exploiting targets, is mostly automated

Selecting target applications through search engines

Compromise applications using captured zombies

+ Configuration and commands distributed through forums and web pages

Sometimes the compromise is through search engine abuse

The Industrialization of Hacking - Automation (cont.)

Templates and kits exist for everything

+ Remote file include
+ Phishing of various applications
+ Botnet client (ASPROX, Zeus, Clampi, etc.)

Looking at the numbers from attack campaigns clearly shows the power of automation

+ Last month we heard of 132K sites compromised in one campaign
+ We tracked a similar campaign 3 weeks prior and saw the same flaw exploited in the same way over hundreds of sites

Techniques are becoming more sophisticated

+ Randomized DNS in order to avoid C&C hijacking

The Industrialization of Hacking - Our Advice

We are no longer fighting the script kiddies or sporadic hacking attempts; we are fighting Hackers Inc.

Cannot hide from the problem

+ Small and large applications alike
+ Servers or workstations
+ It's not personal

Smaller organizations

+ Must start paying attention to application security
+ Either directly or through their hosting providers

Organizations must look for tools to help them detect and mitigate automation properly

#2 - From Application Security to Data Security


The 90s were all about network related security problems (connecting enterprise networks to the Internet) and network security solutions (network firewall)

Throughout this decade we've seen a shift of activity towards web application attacks

+ Network security becomes commodity and network attacks are harder to execute
+ At the turn of the century eCommerce and online services took a steep climb. Attacker motivation increases as applications expose more information and more functionality.
+ It is far easier to access data through applications designed to manipulate it

From Application Security to Data Security - Web Application Security is No Longer Enough

Internal threat still prominent

Many internal applications are not web based

Web application security can be effectively applied to major internal applications, but not all of them

Many times internal users have (authorized) direct access to the database

Once data from an application flows into a workstation, it's on the loose

Regulations require that specific types of data be tracked

From Application Security to Data Security - Continuous Data Security

Track access to sensitive and regulated data throughout its lifecycle

Basic information lifecycle

+ Most sensitive and regulated data can be traced back to structured storage (SQL databases)
+ Sensitive information may be transformed into unstructured format and placed in document storage and management systems (file shares, MS SharePoint, EMC Documentum)
+ Data is processed in workstations and may leave the enterprise boundaries through email, WebMail, file transfer and physical media


From Application Security to Data Security - Our Advice

Controls around individual data repositories

+ Database access monitoring
+ File activity monitoring

Controls to track data in process

+ Next generation of DLP products
+ Integrate with DRM

Collaboration between data security products

+ Policies expressed in terms of information type based on content, rather than table and file names
+ Track specific pieces of information as they leave the database, flow through web applications, are transformed into files and flow through outgoing channels
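The content-based policy the advice calls for, as an added Python example that is not part of the Imperva deck: the same card number is recognized in a SQL insert, a CSV export and an outgoing mail body, so the classification follows the data rather than the table or file name. The sample records are constructed, and the Luhn checksum used to reject look-alike digit strings is my addition rather than something the slide specifies.

```python
import re

# Constructed sample records (not from the slides): the same card number sits in
# a database row, a CSV export and an outgoing mail body, so a policy keyed on
# table or file names would see only the first copy.
SAMPLE_RECORDS = {
    "customers.sql": "INSERT INTO customers VALUES (17, 'Jane Roe', '4532015112830366');",
    "export.csv": "17,Jane Roe,4532 0151 1283 0366,2010-01-05",
    "outbox/mail.txt": "Hi, the card ends in 0366 and the order id is 4532015112830367.",
    "notes.txt": "Ticket 1234567890123 was closed; no payment data here.",
}

# Candidate card number: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum carried by real payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return normalized card numbers in text, keeping only Luhn-valid candidates."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def classify(records: dict) -> dict:
    """Map each source to the card numbers it carries, whatever its name or format."""
    flagged = {}
    for name, text in records.items():
        pans = find_card_numbers(text)
        if pans:
            flagged[name] = pans
    return flagged


if __name__ == "__main__":
    for name, pans in classify(SAMPLE_RECORDS).items():
        print(f"{name}: {pans}")
```

The order id in the mail body and the ticket number in the notes are digit strings of card-number length that fail the checksum, which is what keeps a content-based rule from flagging every long number it sees.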

#3 - Social Networks Expose Larger Societies

Past: specific parts of the population

+ Young adults of the Internet generation

Today / Future: everyone and their dog have a Facebook account

+ Younger, immature audience
  - Kids making their first steps into the virtual society
+ Conservative adult community
  - People who otherwise have very conservative web access behavior
+ Senior community
  - People whose trust models are deeply rooted in the old world (my grandmother)

Social networks expose larger societies - Pandemic Threats

There are three distinctive pillars to social networks that make them a perfect fit for online pandemic threats:

+ Huge crowds
+ Inherently expose personal information
+ Built-in mechanisms for implicit and explicit trust generation between loosely coupled individuals

Attackers can push their "merchandise" to larger unsuspecting crowds with higher than ever success rates

+ Use the implicit trust
+ Abuse the abundance of personal information to create more trust

Social networks expose larger societies - The Evolution of an Octopus

Social networks are becoming social platforms

+ Integrating MMORPGs (e.g. Farmville), 3rd party apps
+ More opportunities for trust abuse
  - ClickJacking through Farmville gifts
+ Less control over the robustness of integrated applications

Integrating social networks into other domains

+ Google, Bing and Yahoo! integrating Twitter and Facebook results
+ Promoting malware just became much easier!

Social networks expose larger societies - The Evolution of an Octopus (cont.)

Integrating social networks into enterprise

+ HR systems, CRM systems
+ Creating a Mobius strip of information, mixing internal and external trust

Sample emails:

    Dear Amichai,

    We'd like your help to spread the word about our open jobs. If you follow the link below and install this application on your Facebook profile page, your friends will be able to see, apply and forward our jobs. The best part is that if your friend, or a friend of a friend, applies for a job and is hired, you will automatically get credit for the employee referral through Jobvite. You will be eligible for the referral bonus.

    To install the application, please follow this link: here

    Best regards,

    Douglas

    Dear John,

    We'd like your help to spread the word about our open jobs. If you follow the link below and install this application on your Facebook profile page, your friends will be able to see, apply and forward our jobs. The best part is that if your friend, or a friend of a friend, applies for a job and is hired, you will automatically get credit for the employee referral through Jobvite. You will be eligible for the referral bonus.

    To install the application, please follow this link: here

    Best regards,

    Sue


Social networks expose larger societies - Our Advice - Redefining Trust

Social networks are all about novelty

+ We can expect them to rush new features out at the expense of security
+ As more 3rd party apps are created we cannot expect those to consider any security at all

We need tools to help us evaluate trust in huge, dynamic, virtual societies

+ These are starting to show up as research projects or initial offerings from various vendors

Security tools and policies should be able to build on these trust systems

#4 - Credentials are the New Credit Card Numbers

Dramatic surge in the number of data compromise incidents

+ Credit card numbers
+ Personal details

Price levels per single stolen record are constantly dropping

+ Attackers are looking for more profitable targets

We clearly see an increased level of activity around hacking user credentials for online applications

Application credentials are the new CCNs - Motivation

Credit card numbers are harder to monetize

+ Need to purchase goods and cash those out

Personal details are even harder to monetize

+ Cannot be used in masses
+ Require additional fraud (involving identity theft)

The premise of application credentials

+ Easier to monetize
+ Higher value per record

Application credentials are the new CCNs - Motivation (cont.)

Financial applications

+ Can be easily converted into hard cash through online transactions (fund transfers, stock trading, etc.)

Enterprise in the cloud (SalesForce.com, GoogleDocs, etc.)

+ Access to sensitive commercial information
+ Can be traded for money, used for fraudulent transactions and even blackmail

Web mail

+ Direct access to personal details
+ Further access to the above mentioned applications
+ SPAM

Application credentials are the new CCNs - Tools of the Trade

Keyloggers

+ Cleartext passwords
+ Once a computer is infected, quality data is flowing in
+ Requires massive infected botnets

Phishing attacks

+ Cleartext passwords
+ Low quality data
+ Low success rates

Application compromise (e.g. SQL injection)

+ Sometimes digested passwords that need further cracking
+ High quality data
+ Huge numbers

Application credentials are the new CCNs - Our Advice

Protect your web facing applications

+ Defeat attacks

Store digested passwords

+ Defeat exposure in case of compromise

Use safe password recovery procedures

+ Avoid automatic leveraging of another compromise

Include two factor authentication

+ When possible
#5 - Proactive Security

To date the security concept has been largely reactive

+ Wait for a vulnerability to be disclosed
+ Create a signature (or some other security rule)
+ Cross reference requests against these attack methods, regardless of their context in time or source

As a consequence security decisions are becoming more difficult and resource consumption (machine as well as human) is growing

+ Distinguishing "bad" requests from "good" requests based on request content alone becomes more difficult and more time consuming
+ Not only machine resources but also human resources, as more decisions cannot be taken automatically
+ This is completely inadequate in a world of growing attack rates

Proactive security - Tired of Being a Sitting Duck?

Rather than waiting to be attacked, security research teams start to proactively look for attacker activity as it is being initialised over the network

Traditionally used for longer term research, proactive intelligence operations can be used for immediate security value:

+ Identify compromised computers being actively exploited to launch attacks
+ Quickly identify attack campaigns at their early stages
+ Discover 0-day vulnerabilities in the wild rather than in the lab
+ Identify targets of upcoming attacks in advance

Proactive security - Military Intelligence is a Contradiction in Terms*

There are different techniques for gathering timely intelligence

+ Some techniques, especially related to the SPAM domain, have already been in use for a couple of years

Some techniques are based on a network of sensors. Three basic types of sensors:

+ Setting up targets for attacks (fake web applications, mailboxes to receive spam, etc.)
+ Setting up communication channels for use by attackers (anonymous proxies, TOR relays)
+ Network sniffers in strategic locations
+ Tap into C&C servers

*Groucho Marx

Proactive security - Military Intelligence (cont.)

Other techniques are more laborious

+ Reverse engineering of new malware to identify C&C servers
+ Hijack domain names intended for use by botnets
+ Tap into hacker discussions in forums and

Existing projects and commercial offerings for various types of threats (sample):

+ Dshield (general reputation for IPs)
+ ShadowServer (botnet oriented)
+ Cyveillance (phishing and compromised servers)
+ Project Honeypot (spam related)

Proactive security - Our Advice

Engaging in proactive security requires substantial research resources; don't expect to do it yourself

Some solutions (mainly around endpoint security) are incorporating data obtained through proactive security

Next generation of enterprise solutions will include integration of data obtained from proactive security projects and providers

Add proactive security to your wish list when looking at enterprise solutions

Security Trends that just missed the Top 5

Questions & Answers

ADC Data Security Webinar Series