Preventing intrusions in the light of Aurora, Stuxnet and Anonymous
Robert Michalski, Security Tiger Team
Agenda
• 10,000 meters view
• Let's get into some „lies”
• Where is my PS3 data?
• What does it mean to me?
• Lessons learned
Timeline of notable attacks (chart: Business Impact / National Impact against Complexity / Sophistication, 1980–2010)
• 1978 – First spam incident (DEC) hits 393 users
• 1988 – Morris Worm: first Internet worm
• 2000 – Iloveyou: worm + social engineering. Spreads WW in 1 day, ~50M infections, $5.5B in damage
• 2000 – DoS attacks on Yahoo, eBay, CNN, Amazon & Dell (Mafiaboy)
• 2005/6 – Hackers compromise ~45M credit / debit cards (TJX)
• 2007 – DDoS attacks during row with Russia target critical infrastructure (Estonia)
• 2008 – Cyber attacks coordinated with "real" invasion (Georgia)
• 2009 – "Advanced Persistent Threat" for industrial espionage (Aurora)
• 2010 – Military grade op targets SCADA gear in Iran (Stuxnet)
Actor categories shown on the chart: Amateur / Misguided Individuals, Script Kiddies, Semi-Pros, Blackhats, Organized Crime, Industrial Espionage, Terrorists, Nation States / Groups
Vendors Reporting the Largest Number of Vulnerability Disclosures in History
• Vulnerability disclosures up 27%.
• Web applications continue to be the largest category of disclosure.
• Significant increase across the board signifies efforts that are going on throughout the software industry to improve software quality and identify and patch vulnerabilities.
Patches Still Unavailable for Many Vulnerabilities (chart: Patch Release Timing – First 8 Weeks of 2010)
• 44% of all vulnerabilities disclosed in 2010 had no vendor-supplied patches to remedy the vulnerability.
• Most patches become available for most vulnerabilities at the same time that they are publicly disclosed.
• However some vulnerabilities are publicly disclosed for many weeks before patches are released.
Public Exploit Exposures Up in 2010
• Public exploit disclosures up 21% in 2010 versus 2009
– Approximately 14.9% of the vulnerabilities disclosed in 2010 had public exploits, which is down slightly from the 15.7% last year
– However more vulnerabilities were disclosed this year, so the total number of exploits increased.
– The vast majority of public exploits are released the same day or in conjunction with public disclosure of the vulnerability.
Exploit Effort vs. Potential Rewards
• Economics continue to play heavily into the exploitation probability of a vulnerability
• All but one of the 25 vulnerabilities in the top right of the chart are vulnerabilities in the browser, the browser environment, or in email clients.
• The only vulnerability in this category that is not a browser or email client side issue is the LNK file vulnerability that the Stuxnet worm used to exploit computers via malicious USB keys.
Top Attacks seen by X-Force in 2010
• Automated SQL Injection attacks
• Lateral scanning of the entire Internet for services with weak passwords
• The SQL Slammer worm was responsible for a huge amount of malicious traffic in 2010 but traffic levels dropped off significantly in March, 2011. (For more info see the Frequency-X Blog.)
Web App Vulnerabilities Continue to Dominate
• Nearly half (49%) of all vulnerabilities are Web application vulnerabilities.
• Cross-Site Scripting & SQL injection vulnerabilities continue to dominate.
SQL Injection Attacks (chart: 2008, 2009, 2010)
• During each of the past three years, there has been a globally scaled SQL injection attack some time during the months of May through August.
• The anatomy of these attacks is generally the same: they target .ASP pages that are vulnerable to SQL injection.
Real World Conclusions from Web App Assessments
• In 2010, for the first time, we now find that Cross-Site Request Forgery (CSRF) vulnerabilities are more likely to be found in our testing than Cross-Site Scripting (XSS) vulnerabilities.
• XSS and SQL injection are both attributed directly to a lack of input control. The likelihood of finding it in 2010 is more than 60%.
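The "lack of input control" behind both findings, as an added example that is not part of the original deck: the same untrusted value is first concatenated into SQL text and then reflected into HTML, beside the parameterised query and output encoding that close each hole. The table, rows and inputs are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory sample table (not data from the slides)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, card TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "4111-XXXX"), ("bob", "5500-XXXX")])
    return con


def lookup_vulnerable(con, name):
    """The .ASP-era pattern: input is glued into the SQL string, so the
    input, not the developer, decides what the query says."""
    sql = "SELECT name, card FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_hardened(con, name):
    """Parameterised query: the driver binds the value as data; it can
    never change the statement's structure."""
    return con.execute("SELECT name, card FROM users WHERE name = ?",
                       (name,)).fetchall()


def render_vulnerable(name):
    """Reflects the value into markup unencoded, the root of XSS."""
    return "<p>Hello " + name + "</p>"


def render_hardened(name):
    """Output encoding: <, >, &, quotes become entities, so the browser
    treats the value as text rather than markup."""
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"
```

The tautology input returns every row through the vulnerable lookup and nothing through the hardened one, which is the whole difference between the two.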
Client-Side Vulnerabilities: Web Browser, Document Reader & Multimedia Player Vulnerabilities Continue to Impact End Users
• Web browsers and their plug-ins continue to be the largest category of client-side vulnerabilities.
• 2010 saw an increase in the volume of disclosures in document readers and editors as well as multimedia players.
The SONY Breach
• If you haven't heard, the breach included:
– 100+ million database records of undisclosed content
– loss of 10 million credit card numbers and supporting customer data
– their $$$$ transactional website has been down for a month+
– the breach is expected to cost them 1.5 billion dollars – http://www.totaltele.com/view.aspx?ID=464556
– new breaches reported over time
• There have been many rumors about how the attack was achieved.
– many have said it had something to do with an insider
– it has been said that it was straight SQL injection etc.
– it has been said that ANONYMOUS did it because they warned Sony that they were sending customer data in the clear and Sony ignored them. So Anonymous decided it was time to teach them a lesson.
If I give my credit card to a web site, I want at a minimum:
• Mandatory web app security assessment including code review
• Vulnerability management program
• IPS looking out for malicious activity
• Server protection on my web server and my database servers
• DAM looking out for my database access
• DLP protection in my network
Perimeter Defenses No Longer Sufficient
"A fortress mentality will not work in cyber. We cannot retreat behind a Maginot Line of firewalls." – William J. Lynn III, U.S. Deputy Defense Secretary
Paths around the perimeter shown in the diagram: Insiders (DBAs, developers, outsourcers, etc.); Outsourcing; Stolen Credentials (Zeus, etc.); Web-Facing Apps; Legacy App Integration / SOA; Employee Self-Service, Partners & Suppliers
Security Testing Technologies Combination Delivers a Comprehensive Solution
• Static Code Analysis = Whitebox: scanning source code for security issues
• Dynamic Analysis = Blackbox: performing security analysis of a compiled application
(Diagram: of the Total Potential Security Issues, Static Analysis Coverage and Dynamic Analysis Coverage overlap; the combination gives the Best Coverage)
Vulnerability Management in action
1. Explore web site / OS / application to detect flaws
2. Identify vulnerabilities ranked by severity and show how each was identified
3. Advanced remediation, fix recommendations and security enablement
IBM Intrusion Prevention System
Intrusion prevention just got smarter with extensible protection backed by the power of X-Force
• Virtual Patch
– What It Does: Shields vulnerabilities from exploitation independent of a software patch, and enables a responsible patch management process that can be adhered to without fear of a breach.
– Why Important: At the end of 2010, 44% of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability.
• Client-Side Application Protection
– What It Does: Protects end users against attacks targeting applications used everyday such as Microsoft Office, Adobe PDF, Multimedia files and Web browsers.
– Why Important: At the end of 2010, vulnerabilities which affect personal computers represent the second-largest category of vulnerability disclosures and represent about a fifth of all vulnerability disclosures.
• Web Application Protection
– What It Does: Protects web applications against sophisticated application-level attacks such as SQL Injection, XSS (Cross-site scripting), PHP file-includes, CSRF (Cross-site request forgery).
– Why Important: Expands security capabilities to meet both compliance requirements and threat evolution.
• Threat Detection & Prevention
– What It Does: Detects and prevents entire classes of threats as opposed to a specific exploit or vulnerability.
– Why Important: Eliminates need of constant signature updates. Protection includes the proprietary Shellcode Heuristics (SCH) technology, which has an unbeatable track record of protecting against zero day vulnerabilities.
• Data Security
– What It Does: Monitors and identifies unencrypted personally identifiable information (PII) and other confidential information for data awareness. Also provides capability to explore data flow through the network to help determine if any potential risks exist.
– Why Important: Flexible and scalable customized data search criteria; serves as a complement to data security strategy.
• Application Control
– What It Does: Manages control of unauthorized applications and risks within defined segments of the network, such as ActiveX fingerprinting, Peer To Peer, Instant Messaging, and tunneling.
– Why Important: Enforces network application and service access based on corporate policy and governance.
IBM Virtual Server Protection for VMware
Integrated threat protection for VMware ESX and ESXi. Helps to be more secure, compliant and cost-effective by delivering integrated and optimized security for virtual data centers.
• VMsafe Integration
• Firewall and Intrusion Prevention
• Rootkit Detection/Prevention
• Inter-VM Traffic Analysis
• Automated Protection for Mobile VMs (VMotion)
• Virtual Network Segment Protection
• Virtual Network-Level Protection
• Virtual Infrastructure Auditing (Privileged User)
• Virtual Network Access Control
Non-Invasive, Real-Time Database Security & Monitoring
• Continuously monitors all database activities (including local access by superusers)
• Heterogeneous, cross-DBMS solution
• Does not rely on native DBMS logs
• Minimal performance impact (2-3%)
• No DBMS or application changes
• Supports Separation of Duties
• Activity logs can't be erased by attackers or DBAs
• Automated compliance reporting, sign-offs & escalations (SOX, PCI, NIST, etc.)
• Granular, real-time policies & auditing
• Who, what, when, where, how
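What a "granular, real-time policy" over who / what / when / where / how looks like when written down, as an added example that is not the product's code or from the original slides: each audit event is checked for a separation-of-duties breach (a non-application account reading a sensitive table), local superuser access, and off-hours activity. The events, account names, table names and business hours are all constructed assumptions.

```python
from datetime import datetime

# Constructed audit events in the who/what/when/where/how shape from the slide.
SAMPLE_EVENTS = [
    {"who": "app_svc", "what": "SELECT card FROM payments WHERE id=?",
     "when": "2011-05-10T09:15:00", "where": "10.0.5.21", "how": "JDBC"},
    {"who": "dba_jane", "what": "SELECT * FROM payments",
     "when": "2011-05-10T23:40:00", "where": "localhost", "how": "sqlplus"},
    {"who": "dba_jane", "what": "ALTER TABLE orders ADD COLUMN note TEXT",
     "when": "2011-05-10T10:02:00", "where": "10.0.7.3", "how": "sqlplus"},
]

# Assumed policy inputs: which tables hold card data, which accounts are the
# application's own, and what counts as business hours.
SENSITIVE_TABLES = {"payments"}
APP_ACCOUNTS = {"app_svc"}
BUSINESS_HOURS = range(8, 19)
LOCAL_SOURCES = {"localhost", "127.0.0.1"}


def evaluate(event):
    """Return the names of the policies this event violates (empty = allowed)."""
    findings = []
    stmt = event["what"].lower()
    privileged = event["who"] not in APP_ACCOUNTS
    hour = datetime.fromisoformat(event["when"]).hour
    touches_sensitive = any(t in stmt for t in SENSITIVE_TABLES)
    # Separation of duties: DBAs administer the schema but must not read card data.
    if privileged and touches_sensitive and stmt.startswith("select"):
        findings.append("sod_sensitive_read")
    # Local superuser sessions never cross the network, so a network-only
    # monitor would miss them; the slide stresses they are still covered.
    if privileged and event["where"] in LOCAL_SOURCES:
        findings.append("local_privileged_access")
    if privileged and hour not in BUSINESS_HOURS:
        findings.append("off_hours_activity")
    return findings


def audit(events):
    """Map event index -> findings for every event that violates a policy."""
    return {i: f for i, e in enumerate(events) if (f := evaluate(e))}
```

Only the second constructed event fires, on all three policies; the schema change by the same DBA during the day passes, which is the separation-of-duties split the slide describes.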
Enterprise Content Protection (ECP) aka DLP
• Automated discovery of sensitive content, classifying / tagging of files
• Policy-based enforcement of data protection policy (notify, block, encrypt, remove, relocate)
• Close the gap between user action and automated policy-enforced action
• Endpoint – Network – Server / Data Center
• Key Business Partners:
– Fidelis Security Systems
– Verdasys
Lessons learned and what to do next
• Hacking is more organized, well funded and highly motivated than ever
• Economics and politics play an important role in the exploitation schemes
• There is no such thing as a magic silver bullet
• We need a multilayered approach
• We all need to work closely and do our homework
How to get more info about IBM Security Solutions?
• Contact me !!!
• IBM X-Force Blog & Reports!!!
– http://blogs.iss.net/
– https://www.ibm.com/services/us/iss/xforce/trendreports/
• IBM Institute for Advanced Security
– http://www.instituteforadvancedsecurity.com/
• IBM Security Solutions YouTube channel
– http://www.youtube.com/user/IBMSecuritySolutions
• IBM Security Solutions Twitter
– https://twitter.com/#!/ibmsecurity
• IBM Redbooks / Redpapers regarding security
– http://www.redbooks.ibm.com
IBM Security Solutions: Function / Capability and Candidate IBM Solutions
1. Establish the Cloud infrastructure
• IBM Tivoli Service Automation Manager
• IBM Tivoli Monitoring
• IBM Service Delivery Manager
• IBM Cloud Architecture / Design Services
2. Establish and Enforce Security Policy & Governance Structure
• IBM Professional Security Services
• IBM Tivoli Security Policy Manager
• IBM Websphere Datapower SOA Appliance
• IBM Tivoli Security Incident & Event Manager
• IBM InfoSphere Guardium
3. Discover & Categorize Information Assets
• IBM InfoSphere Optim
• IBM InfoSphere Guardium
4. Establish & Manage Identities and Access
• IBM Tivoli Identity Manager
• IBM Tivoli Access Manager
• IBM Tivoli Federated Identity Manager
• IBM Tivoli Security Incident & Event Manager
• IBM Privileged Identity Management
5. Manage Information Access
• IBM InfoSphere Guardium
6. Cyber Defense
• IBM AppScan
• IBM Managed Security Services
• IBM Proventia Threat Mitigation Products
• IBM Tivoli Endpoint Manager (BigFix)
• IBM Security Virtual Server Protection
• IBM X-Force Threat Analysis Service (XFTAS)
7. Physical Security
• IBM Physical Security Services – Digital Video Surveillance
8. COP / Situational Awareness / Compliance Reporting
• IBM Tivoli Security Incident & Event Manager
• IBM InfoSphere Guardium
• IBM Tivoli Monitoring
• IBM Proventia Management SiteProtector
• IBM Tivoli Netcool OMNIbus
9. Advanced Analytics / Intuitive Situational Awareness / Sense and Respond Cyber Defense
• IBM Research
• IBM InfoSphere Streams
• IBM CognosNow
• IBM Tivoli Service Automation Manager
• IBM Service Delivery Manager