Emerging Threats (2012 San Diego)
 


Just as the work of security professionals continues to evolve, so do threats and vulnerabilities. This session discusses their impact; how and why threats are evolving, future trends, and how professionals can manage these threats. “Emerging Threats” will take a holistic look at cybersecurity risks and factors— the motivations of criminals and cyber crime, activists, malware and botnet operators, social engineering, attack toolkits, the changing environment created by mobile and personal devices, cloud computing and virtual environments, government, law enforcement, and regulatory environments for enterprises—and consider how these elements can influence current and future security decisions. Suggested enhancements in security designs, architectures, policies, and processes will be presented to assist decision makers, security, and network professionals in adapting to these dynamic and emerging threa

Cisco Live 365: https://www.ciscolive365.com/connect/sessionDetail.ww?SESSION_ID=4356

    Emerging Threats (2012 San Diego): Presentation Transcript

    • Emerging Threats. Session ID BRKSEC-2001. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
    • Agenda
      - Cisco Security Intelligence Operations: Who, What, Where, When and How?
      - Cyber Risk Highlights and Emerging Threats for 2011-2012
      - Recommendations
    • Who, What, Where, When and How?
    • “Security isn't a stand-alone area. Security is something that has to be embedded in our strategy, it has to be embedded in our technology, it has to be automated.” John Chambers, President and CEO, Cisco Systems, Inc.
    • Cisco Security Intelligence Operations: Inform, Protect, Respond
      - Global Threat Operations Centers
      - Security Research & Operations
      - Remote Managed Services
      - Corporate Security Programs Office, Global Policy & Government Affairs
      - SensorBase
      - Global in scope
      - Holistic in network, content, physical & geopolitical security
    • SensorBase, Threat Operations Center, Dynamic Updates (figures from the slide)
      - 4 TB data received per day
      - 700,000+ globally deployed devices
      - 30B web requests
      - 100M email messages
      - 35% worldwide traffic
    • SensorBase, Threat Operations Center, Dynamic Updates (continued)
      - $100M spent in dynamic research and development
      - 24x7x365 global operations
      - 500 engineers, technicians and researchers
      - 40+ languages
      - 80+ PhDs, CCIE, CISSP, GIAC
    • SensorBase, Threat Operations Center, Dynamic Updates (continued)
      - 3 to 5 minute updates
      - 3,300+ signatures produced
      - 20+ publications produced
      - 200+ parameters checked
      - 8M+ rules created daily
    • Cisco SIO intelligence sources (diagram): Vendors, NIST, TOCs, Physical, CERTs, ISACs, RMS, SANS, Incident Response, Internal Groups, Security Operations, CSPO, FIRST, IronPort, Cisco SIO, BugTraq, Applied Security Research, External Intelligence, Internal Security Research, OSVDB, Full Disclosure, PSIRT, Social Networks, IPS Researchers, ScanSafe
    • What We Watch: Seven Categories of Cyber Risk
      1. Cyber Vulnerabilities and Threats – Vendor Agnostic
      2. Physical – Backhoes, Anchors, Weather, Surveillance systems
      3. Legal – Governance, Compliance, Regulatory, Legal cases
      4. Trust – Confidentiality, Integrity, Reputation, Encryption, Certificates
      5. Identity – Authentication, Access Controls, Provisioning, PII
      6. Human – Social Behaviors, Education, Awareness, Web 2.0
      7. Geopolitical – Political, Business, Economics
      Risk = Vulnerability x Threat x Impact
    • Cisco Security Intelligence Operations: www.cisco.com/go/security
    • Top Security Challenges
      “The Triad of Triads: one of those aspects most often causing them the most significant fits.” (John N. Stewart, vice president and chief security officer for Cisco)
      1) The Actors: Individuals, Organized groups, the impromptu individuals/groups
      2) Technology Platforms: collaboration, mobility and virtualization
      3) Economics: QoS, IT Criticality, business and customer delivery, …
    • Cyber Security Top Ten 2012
      - Web Exploits: SQL Injection / Cross-site Scripting
      - Botnet proliferation
      - Data Loss, Intellectual Property Protection, Big Data
      - Social Networks / Web 2.0 / BYOD
      - Cloud and Virtualization
      - Transient Trust
      - Wireless Networks
      - Denial of Service Attacks (DoS / DDoS)
      - Targeted and Persistent Attacks
      - New Technologies: IPv6/DNSSEC Deployments
    • Criminal Activity
    • Cisco Cybercrime Return On Investment (CROI) Matrix (* financially motivated cybercrime operations)
    • CROI Potentials
      Mass Account Compromise
      ‒ Data theft table scraps
      ‒ Newcomer to this year's matrix
      ‒ Stepping stone attacks
      ‒ Criminal Big Data operations
      Hacking PBX, VoIP and Telephony Abuse
      ‒ SMB targeting
      ‒ Vishing scams (voice phone-based phishing)
      ‒ International/Long distance, Premium rate calls
      ‒ Caller ID Spoofing
    • CROI Rising Stars
      Money Mules
      ‒ Financial malware success
      ‒ Localized relationships
      ‒ One in three is successful
      ‒ Newcomer this year, potential last year
      Mobile Devices
      ‒ Focus on where the users are
      ‒ Malicious Apps
      Cloud Infrastructure Hacking (Virtual, Hosted)
      ‒ Hack one to get them all
      ‒ Hypervisor vulnerabilities
    • A Day in the Life of a Money Mule (cycle diagram)
      1. “I need a job!”
      2. Recruited and passed to handler
      3. Handler coordinates and provides mule instructions to open accounts
      4. Handler transfers funds from operators to mule
      5. Mule withdraws funds and sends via transfer
      6. Handler collects, or other mules transfer again
      7. Mule is abandoned or arrested
    • Comscore Smartphone Metrics
      What? Top Smartphone Platforms, 3 Month Avg. Ending Dec. 2011 vs. 3 Month Avg. Ending Sep. 2011, Total U.S. Smartphone Subscribers Ages 13+ (Source: comScore MobiLens)
      Platform | Sep. 2011 | Dec. 2011 | Change (pts)
      Google | 44.8% | 47.3% | +2.5
      Apple | 27.4% | 29.6% | +2.2
      RIM | 18.9% | 16.0% | -2.9
      Microsoft | 5.6% | 4.7% | -0.9
      Symbian | 1.8% | 1.4% | -0.4
      How? Mobile Content Usage, 3 Month Avg. Ending Dec. 2011 vs. 3 Month Avg. Ending Sep. 2011, Total U.S. Mobile Subscribers (Smartphone & Non-Smartphone) Ages 13+ (Source: comScore MobiLens)
      Activity | Sep. 2011 | Dec. 2011 | Change (pts)
      Sent text message to another phone | 71.1% | 74.3% | +3.2
      Used downloaded apps | 42.5% | 47.6% | +5.1
      Used browser | 42.9% | 47.5% | +4.6
      Accessed social networking site or blog | 31.5% | 35.3% | +3.8
      Played games | 28.8% | 31.4% | +2.6
      Listened to music on mobile phone | 20.9% | 23.8% | +2.9
    • The ‘Apps’ are the Criminals' Eyes: App Stores and Download Security Models
      - Apple – tightly controlled
      - RIM – tightly controlled
      - Microsoft – proprietary controlled
      - Android – wide open, few checks, customer/third party response
      - Third Party sites: no guarantees or support
      Check the app permissions when you download and install
    • CROI Cash Cows
      Data Theft Trojans, Web Exploits
      ‒ Two Rising Stars moved to Cash Cows
      ‒ Trojan and Web Exploit toolkits allow everyone in on the action
      Click/Redirect Fraud
      ‒ In its many forms
      ‒ Redirect or DNS cache poisoning
      ‒ Compromise the legitimate advertisers
      Spyware/Scareware
      ‒ Antivirus, registry cleaners, speed and performance, mass phishing techniques
    • Web Malware 2011. Making it easier: Blackhole, Neosploit, Phoenix, Ramnit, Random JS
    • CROI Dogs
      Pharma spam, Advanced Fee Fraud
      ‒ Two new entries this year
      ‒ Both impacted by spam improvements, arrests, botnet prosecution
      ‒ Risk is up, return is down
      Phishing 1.0, Social Network Attacks
      ‒ Largely wins for user awareness, education and privacy improvements
      ‒ Slowly, people are becoming less trusting
      DDoS
      ‒ Good noise and mischief maker, but not a good money maker
    • Global Spam Update – Dramatic Decline: Botnet Takedowns and Arrests
    • Global Spam Update – Shift to Developing
      [chart: Global annual spam volumes (Bn/Mo), 2011; Top Spam Senders by Country: Indonesia, United States, Russian Federation, Rwanda, British Indian Ocean Territory. Source: Cisco IronPort]
      - Global annual spam volumes dropped in 2011; known spam rates decreased
      - Continue to focus and spike on targeted events
      - Spam Shift During 2011: 1) India 2) Russian Federation 3) Vietnam 4/5) Republic of Korea / Indonesia
    • Next Generation Spam
      - Growing in sophistication
      - More targeted masses
      - Blending email and web
      - New vectors include: SMS vishing, IM SPAM (SPIM)
      - Extensive social engineering
      - 3rd Generation SPAM doesn't embed malcode, but is tied to web exploits
      - Users still open spam and click links
      Sample 1. Subject: DHL Tracking NR 56679186. Message Body: Hello! Unfortunately we failed to deliver the postal package which was sent on the 11th of February in time because the addressees address is inexact. Please print out the invoice copy attached and collect the package at our department. DHL Customer Services.
      Sample 2. Subject: Your package has arrived! Message Body: Dear client Your package has arrived. The tracking # is : 8B89C50840F242F1 and can be used at : http://www.ups.com/tracking/tracking.html The shipping invoice can be downloaded from : http://www.ups.com/tracking/invoices/download.aspx?invoice_id=8B89C50840F242F1 Thank you, United Parcel Service *** This is an automatically generated email, please do not reply ***
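    The two delivery lures above carry no malcode and rely on the reader opening an attachment or link. As an added example (not from the deck), the scorer below runs defender-side heuristics over constructed copies of those two samples: it assumes simplified tracking-number shapes for UPS and DHL, a short list of lure phrases, and flags mail that names a carrier but cites an id that does not fit that carrier's format.

```python
import re

# Constructed from the two sample messages on the slide (subject + body only).
SAMPLE_LURES = [
    {"subject": "DHL Tracking NR 56679186.",
     "body": "Hello! Unfortunately we failed to deliver the postal package which was sent on "
             "the 11th of February in time because the addressees address is inexact. "
             "Please print out the invoice copy attached and collect the package at our "
             "department. DHL Customer Services."},
    {"subject": "Your package has arrived!",
     "body": "Dear client Your package has arrived. The tracking # is : 8B89C50840F242F1 and "
             "can be used at : http://www.ups.com/tracking/tracking.html The shipping invoice "
             "can be downloaded from : http://www.ups.com/tracking/invoices/download.aspx"
             "?invoice_id=8B89C50840F242F1 Thank you, United Parcel Service"},
]

# Assumed (simplified) tracking-id shapes; real carriers use several formats each.
CARRIER_FORMATS = {
    "ups": re.compile(r"^1Z[0-9A-Z]{16}$"),   # "1Z" + 16 alphanumerics
    "dhl": re.compile(r"^\d{10}$"),           # 10-digit Express waybill
}
CARRIER_WORDS = {"ups": ("ups", "united parcel service"), "dhl": ("dhl",)}
LURE_PHRASES = ("failed to deliver", "collect the package", "invoice",
                "tracking", "package has arrived")
URL_RE = re.compile(r"https?://\S+")
ID_RE = re.compile(r"\b[0-9A-Z]{8,20}\b")   # candidate tracking ids (upper-case/digits)


def claimed_carrier(text):
    """Return the carrier the message claims to come from, or None."""
    low = text.lower()
    for carrier, words in CARRIER_WORDS.items():
        if any(re.search(r"\b" + re.escape(w) + r"\b", low) for w in words):
            return carrier
    return None


def score_lure(msg):
    """Score one message; each reason adds one point. Nothing here opens links."""
    text = msg["subject"] + " " + msg["body"]
    low = text.lower()
    reasons = []
    carrier = claimed_carrier(text)
    ids = [t for t in ID_RE.findall(text) if any(c.isdigit() for c in t)]
    # A named carrier whose cited id fits none of its formats is a strong signal.
    if carrier and ids and not any(CARRIER_FORMATS[carrier].match(t) for t in ids):
        reasons.append(f"tracking id {ids[0]} does not match {carrier.upper()} format")
    hits = [p for p in LURE_PHRASES if p in low]
    if len(hits) >= 2:
        reasons.append("delivery-lure phrases: " + ", ".join(hits))
    if URL_RE.search(text):
        reasons.append("contains link")          # 3rd-gen spam ties to web exploits via links
    if "attached" in low:
        reasons.append("references attachment")
    return {"carrier": carrier, "score": len(reasons), "reasons": reasons}


if __name__ == "__main__":
    for m in SAMPLE_LURES:
        print(m["subject"], "->", score_lure(m))
```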
    • Spammers Get Social: scammers trick social network users into “liking” an intriguing Facebook page, giving the scammers access to user profiles
    • Phishing and Its Variants
      - Traditional phishing still in use, but limited
      - Spear-phishing: targeted phishing of IT admins, specific job roles, specific companies
      - Whaling: phishing attempts specifically targeting a high value target, such as C-level execs and managers
    • BYOD, Social Networks and Web 2.0
    • Cisco Connected World Technology Report: Changing Attitudes and Behaviors
      - 89% of college students surveyed check their Facebook page at least once a day; 73% of young professionals do so as well.
      - 71% share the view that company-issued devices should be available for both work and play because “work time often blends with personal time … It's the way it is today and the way it will be in the future.”
      - 50% of students expect to do the same using their personal mobile devices.
      - 77% have multiple devices, such as a laptop and a smartphone or multiple phones and computers.
      - Facebook and Twitter are not the only game in town: Qzone in China, VKontakte in Russia and former Soviet-bloc countries, Orkut in Brazil, and Mixi in Japan
    • Cisco Connected World Technology Report: Changing Attitudes and Behaviors (cont.)
      - 70% of employees admitted to breaking policy with varying regularity (the most common reason was to get their work done)
      - 61% believe they are not responsible for protecting information on devices
      - 80% said their company's IT policy on social media was either outdated or weren't sure if such a policy existed
      - 56% of employees have allowed others to use their computers without supervision
      - 81% of college students believe they should be able to choose the devices they need to do their jobs
      Full Connected World Technology Report, Chapters 1-3: http://www.cisco.com/en/US/netsol/ns1120/index.html
    • BYOD at Cisco (device counts from the slide)
      - iPad: 8,144
      - Cius: 2,104
      - BlackBerry Devices: 12,290
      - Linux Desktops: 6,700+
      - Other Devices: 2,185
      - Windows PCs: 87,000+
      - Android Devices: 5,234
      - Apple Macs: 12,000+
      - iPhones: 20,581
      - Growth figures on the slide: -1.6%, -3.8%, +9.5%, 3.9%
    • Social Networking: Opportunity and Vulnerability
      - Business and network expansion
      - Privacy, Identity, Trust, IP protection
      - Small World Relationships
      - The criminals are already there: Koobface, Ramnit, false security warnings, tinyurls, transient trust, anonymized data reconstruction, compromised accounts, ‘Like’ jacking
      - Policy and User Awareness: users are there, organizations are still trying to catch up
      - Who is the customer?
    • Acceptable Use Policies (AUP)
      What Many Have:
      - Unrealistic laundry list of Do Not Do's
      - Unenforceable
      - “We said not to do it”
      What Many Need:
      - Leaner, stronger, enforceable
      - Short list of must not do (P2P, Spam, Pornography, Gambling)
      - Every item must be technically enforceable
      User Awareness and Education
      - Top threat vectors: email, browsing, apps
    • Vulnerabilities
    • Vulnerability Activity 2011
      [chart: Vulnerability and Threat Categories, counts 0-700 for 2009, 2010 and 2011: Buffer Overflow, Denial of Service, Arbitrary Code Execution, Cross-Site Scripting, Privilege Escalation, Information Disclosure, Software Fault (Vul), Directory Traversal, Unauthorized Access, Spoofing, Format String]
      - Code execution is the vulnerability of choice
      - Information Disclosure also increasing
      - Cross-site scripting and Cross-site Request Forgery (CSRF) still major players
      - Not here? SQL Injections: 150/month, steady for 2011
    • Vulnerability Trends
      [chart: Cumulative Annual Alert Totals by month, 2010 vs. 2011 vs. 2012, 0-6000 alerts]
      - Trend of declining vulnerability reports reversed in 2011 with a slight 3% increase over 2010
      - Trend increasing in 2012 with a 17% increase in Q1
    • Government Regulation, Oversight and Politics
      - Arab Spring, activism, critical infrastructure threats
      - Cyber security organizations, military cyber warfare, offensive security
      - Increased regulation to require security
      - Increased oversight (HIPAA, HITECH), audits, fines, law enforcement
      - Intellectual property, copyright and trademark protections
      - Consumer and privacy protection
      - Global merging of regulations, privacy and consumer protection
    • The Coreflood Takedown
      Timeline: 2001 Coreflood detected; 2005 fraud reported; 2011 Coreflood seized
      - On April 13, 2011 the US FBI and DOJ sought:
        - Filed a civil complaint (against 22 “John Does”)
        - Obtained seizure warrants (for C&C servers & DNS domains), and obtained restraining orders (authorizing ISC to substitute new C&C servers)
      - Seizing & operating servers allows the FBI to locate infected computers:
        - ISC operating under FBI supervision
        - Estimates 2.3 M infected computers worldwide
        - ~1.8 M infected computers in the US
      http://newhaven.fbi.gov/dojpressrel/pressrel11/nh041311.htm
    • Botnet Takedowns: Setting Legal, Not Technical, Precedents
      - McColo (Nov 2008)
      - Ozdok/Mega-D (Nov 2009)
      - Lethic (Jan 2010)
      - Mariposa (Mar 2010)
      - Pushdo/Cutwail (Aug 2010)
      - Waledac (Oct 2010)
      - Rustock (March 2011)
      - Coreflood (Apr 2011)
      - Kelihos/Hlux (Sep 2011)
      - DNSChanger (Nov 2011)
      - Zeus (March 2012)*
      - Kelihos/Hlux.B (March 2012)
      * RICO, civil case legal takedown
    • Protecting the Grid: Balancing New Technologies and Old Challenges
      - Components (diagram): Supervisory Control And Data Acquisition Systems (SCADA), Power Generation, Phasor Measurement Units (PMU), Power Distribution, Smart Meters, Residential Use, Commercial Use, Smart Appliances, plug-in Hybrid Vehicles, etc., Energy Efficiency, Distributed Generation & Storage
      - Challenges: Alternative Supplier, Software Complexity & Vulnerabilities, Trust, Privacy
    • Geopolitical: Activists/Hacktivists
      - A global, community and social problem
      - Rely on intimidation and anonymity
      - Motivated by political, social and religious agendas
      - Technical aspects well understood:
        - LOIC: Low Orbit Ion Cannon
        - TCP, UDP, HTML packet flooding
        - Doesn't include anonymization
      - DDoS increased throughout 2011: 60-80/month
      - The most common DoS remains the self-inflicted/human error
      - Unsuspecting contributors?
      - So-called “hacktivism” was responsible for 58 percent of all data stolen in 2011. (Verizon's 2012 Data Breach Investigations Report)
    • Distributed Denial of Service Attacks
      One Click Attacks: Simple to Sophisticated, Free to Fee
      LOIC: Low Orbit Ion Cannon
      ‒ TCP, UDP, HTTP flood
      ‒ Anonymous (not so much)
      ‒ "Hivemind" feature for remote/central control, botnet
      ‒ Social network campaigns to fool users into joining DDoS
      HOIC: High Orbit Ion Cannon
      ‒ HTTP flood only
      ‒ Boost Scripts: Evasion, randomization
    • Passwords and Authentication
      - The problem of weak, guessable, and too many passwords
      - Secondary authentication has its own weaknesses: secret questions?
      - Multi-Factor Authentication: RSA SecurID Incident: SecurID architecture has 6 elements, 3 at RSA + 3 at client; attacker needs a total of three to compromise
      - Two factor authentication adding device or location, SMS one-time passwords … improving but heavily depends on implementation controls
      - Password Management Software: KeePass, 1Password, LastPass …
    • Watch List for 2012
      - Certificate authority security/SSL certificates
      - Big data deployments
      - IPv6 deployments
      - Cloud deployments and attacks
      - Hacktivism turns criminal
      - Offensive security
    • 2012 Security Action Items
      - Assess the totality of your network (John N. Stewart, vice president and chief security officer for Cisco)
      - Re-evaluate your acceptable use policy and business code of conduct (Gavin Reid, Cisco CSIRT manager)
      - Determine what data must be protected (David Paschich, web security product manager for Cisco)
      - Know where your data is and understand how (and if) it is being secured (Scott Olechowski, threat research manager for Cisco)
      - Assess user education practices (David Evans, chief futurist for Cisco)
    • 2012 Security Action Items (cont.)
      - Use egress monitoring (Jeff Shipley, manager for Cisco Security Research and Operations)
      - Prepare for the inevitability of BYOD (Nasrin Rezai, senior director of security architecture and chief security officer for Cisco's Collaboration Business Group)
      - Create an incident response plan (Pat Calhoun, vice president, general manager of Cisco's Secure Network Services Business Unit)
      - Implement security measures to help compensate for lack of control over social networks (Rajneesh Chopra, director of product management, Cisco Security Technology Group)
      - Monitor the dynamic risk landscape and keep users informed (Ofer Elzam, integrated security solutions architect for Cisco)
    • Recommended Sessions
      Sessions:
      - BRKSEC-2009 - Securing Cloud Computing
      - BRKSEC-2010 - The State of Web Security: Attack and Response
      Labs:
      - LTRSEC-2015 - Cyber Aikido (合気道) Academy: Basic and Advanced Network Threat Defense, Countermeasures, and Controls
      - LTRSEC-2016 - Cyber Aikido (合気道) Academy: Firewall Network Threat Defense, Countermeasures, and Controls
      - LTRSEC-3033 - Cyber Aikido (合気道) Academy: IPv6 Network Threat Defense, Countermeasures, and Controls
      Partner Case Study:
      - BRKPCS-4473 - Cisco Computer Security Incident Response Team: Real NetFlow Use Case with Lancope's StealthWatch
      - BRKPCS-4380 - Creating a Big-Data Strategy for Security
    • Complete Your Online Session Evaluation
      - Give us your feedback and you could win fabulous prizes. Winners announced daily.
      - Receive 20 Passport points for each session evaluation you complete.
      - Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
      - Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.
    • Final Thoughts
      - Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042
      - Come see demos of many key solutions and products in the main Cisco booth 2924
      - Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
      - Follow Cisco Live! using social media:
        ‒ Facebook: https://www.facebook.com/ciscoliveus
        ‒ Twitter: https://twitter.com/#!/CiscoLive
        ‒ LinkedIn Group: http://linkd.in/CiscoLI