Preventing intrusions in light of Aurora, Stuxnet and Anonymous (Zapobieganie włamaniom w świetle Aurory, Stuxnet, Anonymous). Robert Michalski, Security Tiger Team
  • 1. Preventing intrusions in light of Aurora, Stuxnet and Anonymous. Robert Michalski, Security Tiger Team
  • 2. Agenda • 10,000 meter view • Let's get into some "lies" • Where is my PS3 data? • What does it mean to me? • Lessons learned
  • 3. Timeline of notable attacks, 1978–2010 (chart; vertical axis: business / national impact, horizontal axis: complexity / sophistication)
    – 1978 – first spam incident (DEC), hits 393 users
    – 1988 – Morris worm, the first "real" Internet worm
    – 2000 – ILOVEYOU: worm + social engineering, spreads worldwide in 1 day, ~50M infections, $5.5B in damage
    – 2000 – DoS attacks on Yahoo, eBay, CNN, Amazon and Dell (Mafiaboy)
    – 2005/6 – hackers compromise ~45M credit / debit cards (TJX)
    – 2007 – DDoS attacks on Estonia during row with Russia
    – 2008 – cyber attacks on Georgia coordinated with "real" invasion, target critical infrastructure
    – 2009 – Aurora, "Advanced Persistent Threat" for industrial espionage
    – 2010 – Stuxnet, military grade op targets SCADA gear in Iran
    – Actors along the 1980–2010 axis: script kiddies, amateur groups, misguided individuals, semi-pros, blackhats, organized crime, industrial espionage, terrorists, nation states
  • 4. Vendors Reporting the Largest Number of Vulnerability Disclosures in History • Vulnerability disclosures up 27%. • Web applications continue to be the largest category of disclosure. • Significant increase across the board signifies efforts that are going on throughout the software industry to improve software quality and identify and patch vulnerabilities.
  • 5. Patches Still Unavailable for Many Vulnerabilities • 44% of all vulnerabilities disclosed in 2010 had no vendor-supplied patches to remedy the vulnerability. • Most patches become available for most vulnerabilities at the same time that they are publicly disclosed. • However some vulnerabilities are publicly disclosed for many weeks before patches are released. (Chart: Patch Release Timing – First 8 Weeks of 2010)
  • 6. Public Exploit Exposures Up in 2010 • Public exploit disclosures up 21% in 2010 versus 2009 • Approximately 14.9% of the vulnerabilities disclosed in 2010 had public exploits, which is down slightly from the 15.7% last year • However more vulnerabilities were disclosed this year, so the total number of exploits increased. • The vast majority of public exploits are released the same day or in conjunction with public disclosure of the vulnerability.
  • 7. Exploit Effort vs. Potential Rewards • Economics continue to play heavily into the exploitation probability of a vulnerability • All but one of the 25 vulnerabilities in the top right of the chart are vulnerabilities in the browser, the browser environment, or in email clients. • The only vulnerability in this category that is not a browser or email client-side issue is the LNK file vulnerability that the Stuxnet worm used to exploit computers via malicious USB keys.
  • 8. Top Attacks seen by X-Force in 2010 • Automated SQL Injection attacks • Lateral scanning of the entire Internet for services with weak passwords • The SQL Slammer worm was responsible for a huge amount of malicious traffic in 2010 but traffic levels dropped off significantly in March, 2011. (For more info see the Frequency-X Blog.)
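The "lateral scanning for services with weak passwords" pattern on this slide is easy to spot in authentication logs once you group by source address rather than by target host. The following is an added example, not part of the deck and not IBM code: it parses syslog-style OpenSSH failure lines, and flags a source that sprays a small set of usernames across many distinct hosts. The log lines, thresholds and regular expression are constructed for the demo.

```python
"""Added example (not from the deck): detect password-spraying scanners in sshd logs.
A scanner touches many hosts with a few reused usernames; a user who mistypes
their own password hits one host with one name and is not flagged."""
import re
from collections import defaultdict

# Syslog prefix (timestamp, hostname) + OpenSSH failure message; constructed sample format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

# Constructed log: one address sweeping six hosts with root/admin/test,
# one ordinary user who fails twice on a single host and then logs in.
SAMPLE_LOG = """\
Mar 02 10:00:01 web01 sshd[2210]: Failed password for root from 203.0.113.9 port 40110 ssh2
Mar 02 10:00:02 web02 sshd[1874]: Failed password for root from 203.0.113.9 port 40111 ssh2
Mar 02 10:00:02 db01 sshd[3102]: Failed password for invalid user admin from 203.0.113.9 port 40112 ssh2
Mar 02 10:00:03 db02 sshd[3311]: Failed password for invalid user admin from 203.0.113.9 port 40113 ssh2
Mar 02 10:00:03 app01 sshd[998]: Failed password for root from 203.0.113.9 port 40114 ssh2
Mar 02 10:00:04 app02 sshd[1002]: Failed password for invalid user test from 203.0.113.9 port 40115 ssh2
Mar 02 10:05:00 web01 sshd[2290]: Failed password for jsmith from 198.51.100.7 port 51000 ssh2
Mar 02 10:05:09 web01 sshd[2291]: Accepted password for jsmith from 198.51.100.7 port 51001 ssh2
Mar 02 10:06:00 web01 sshd[2300]: Failed password for jsmith from 198.51.100.7 port 51002 ssh2
"""


def parse_failures(log_text: str):
    """Yield (host, user, src) for each failed-password line; other lines are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("host"), m.group("user"), m.group("src")


def find_scanners(log_text: str, min_hosts: int = 5, max_users: int = 5) -> dict:
    """Return {src: {hosts, users}} for sources that hit at least min_hosts distinct
    hosts using no more than max_users distinct usernames (thresholds are illustrative)."""
    hosts = defaultdict(set)
    users = defaultdict(set)
    for host, user, src in parse_failures(log_text):
        hosts[src].add(host)
        users[src].add(user)
    return {
        src: {"hosts": sorted(hosts[src]), "users": sorted(users[src])}
        for src in hosts
        if len(hosts[src]) >= min_hosts and len(users[src]) <= max_users
    }


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(info['hosts'])} hosts, users={info['users']}")
```

The key design choice is the two-sided test: many hosts and few usernames. Counting failures alone would also flag a busy jump host or a broken service account, while the host/user ratio isolates the sweep the slide is talking about.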
  • 9. Web App Vulnerabilities Continue to Dominate • Nearly half (49%) of all vulnerabilities are Web application vulnerabilities. • Cross-Site Scripting & SQL injection vulnerabilities continue to dominate.
  • 10. SQL Injection Attacks • During each of the past three years, there has been a globally scaled SQL injection attack some time during the months of May through August. • The anatomy of these attacks is generally the same: they target .ASP pages that are vulnerable to SQL injection. (Chart: attack volume in 2008, 2009 and 2010)
  • 11. Real World Conclusions from Web App Assessments • In 2010, for the first time, we now find that Cross-Site Request Forgery (CSRF) vulnerabilities are more likely to be found in our testing than Cross-Site Scripting (XSS) vulnerabilities. • XSS and SQL injection are both attributed directly to a lack of input control. The likelihood of finding them in a 2010 assessment is more than 60%.
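Slides 10 and 11 put the SQL injection problem down to a lack of input control. The following added example, which is not from the deck and not IBM code, shows the defect and its fix side by side against an in-memory SQLite database: the vulnerable login builds the query by string concatenation, the safe one uses placeholders so the driver keeps the input as data. The users table, the credentials and the injected payload are constructed for the demo.

```python
"""Added example (not from the deck): string-built SQL vs. parameterised SQL.
Uses the standard-library sqlite3 module so it runs offline."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one legitimate user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The classic mistake on the .ASP pages the slide mentions: user input is
    # pasted into the statement text, so quotes in the input change the SQL.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders: the statement is fixed, the values travel separately,
    # so quotes and keywords inside the input never become SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    """Run both logins with good credentials and with an injected password."""
    conn = make_db()
    # Constructed attacker input: closes the string, adds a tautology,
    # and comments out the trailing quote.
    payload = "' OR '1'='1' --"
    return {
        "vuln_good_creds": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_injected": login_vulnerable(conn, "alice", payload),   # auth bypass
        "safe_good_creds": login_safe(conn, "alice", "s3cret"),
        "safe_injected": login_safe(conn, "alice", payload),         # just a wrong password
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

With the payload the vulnerable query becomes `... AND password = '' OR '1'='1' --'`, which is true for every row; the parameterised query compares the password column against the literal payload string and finds nothing. Input validation still has a place (length, character set), but it is the parameterisation that removes the injection.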
  • 12. Client-Side Vulnerabilities: Web Browser, Document Reader & Multimedia Player Vulnerabilities Continue to Impact End Users • Web browsers and their plug-ins continue to be the largest category of client-side vulnerabilities. • 2010 saw an increase in the volume of disclosures in document readers and editors as well as multimedia players.
  • 13. Suspicious Web Pages and Files Show No Sign of Warning • Obfuscation activity continued to increase during 2010. • Attackers never cease to find new ways to disguise their malicious traffic via JavaScript and PDF obfuscation. • Obfuscation is a technique used by software developers and attackers alike to hide or mask the code used to develop their applications.
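Because obfuscation is used by legitimate developers too, a detector cannot simply block anything that looks compressed; it has to score the combination of tells. The following added example, not from the deck and not IBM code, is a small heuristic scorer for JavaScript of the kind the slide describes: it looks for eval/unescape/fromCharCode chains, long hex, unicode or URL-encoded escape runs, very long lines and high character entropy. The two script samples, the indicator weights and the thresholds are constructed for the demo and are not calibrated on real traffic.

```python
"""Added example (not from the deck): heuristic scoring of JavaScript obfuscation.
It does not de-obfuscate; it ranks scripts so a sandbox or analyst can look at the
suspicious ones first."""
import math
import re
from collections import Counter

# (pattern, weight, label): weights are illustrative assumptions, not tuned values.
INDICATORS = [
    (re.compile(r"\beval\s*\("), 2, "eval()"),
    (re.compile(r"\bunescape\s*\("), 2, "unescape()"),
    (re.compile(r"String\.fromCharCode"), 2, "fromCharCode"),
    (re.compile(r"document\.write\s*\("), 1, "document.write()"),
    (re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"), 2, "hex escape run"),
    (re.compile(r"(?:\\u[0-9a-fA-F]{4}){8,}"), 2, "unicode escape run"),
    (re.compile(r"(?:%[0-9a-fA-F]{2}){8,}"), 2, "url-encoded run"),
]


def shannon_entropy(text: str) -> float:
    """Bits per character; packed or encoded blobs sit well above readable source."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_script(src: str) -> dict:
    """Return score, entropy, the indicators that fired and a suspicious flag."""
    hits = []
    score = 0
    for pattern, weight, label in INDICATORS:
        n = len(pattern.findall(src))
        if n:
            hits.append(f"{label} x{n}")
            score += weight * min(n, 3)   # cap so one repeated trick does not dominate
    longest = max((len(line) for line in src.splitlines()), default=0)
    if longest > 500:                      # minified code is long too, hence only +2
        hits.append(f"long line ({longest} chars)")
        score += 2
    ent = shannon_entropy(src)
    if ent > 5.0:
        hits.append(f"high entropy ({ent:.2f} bits/char)")
        score += 2
    return {"score": score, "entropy": round(ent, 2), "hits": hits, "suspicious": score >= 4}


# Constructed samples: an ordinary page script and an eval/unescape dropper pattern.
BENIGN = """
function showMenu(id) {
  var el = document.getElementById(id);
  el.style.display = (el.style.display === 'none') ? 'block' : 'none';
}
"""

OBFUSCATED = (
    "var _0x1=unescape('%75%6e%65%73%63%61%70%65%28%22%25%36%31%22%29');"
    "eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101)"
    "+'(\"\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3e\")');"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("obfuscated", OBFUSCATED)):
        print(name, score_script(sample))
```

The benign script fires nothing; the constructed dropper fires five indicators (eval, unescape, fromCharCode, a URL-encoded run and a hex-escape run). In practice the score is a triage signal to feed a JavaScript sandbox, not a verdict, which is why the threshold is deliberately low and the weights are capped.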
  • 14. The SONY Breach • If you haven't heard, the breach included: – 100+ million database records of undisclosed content – loss of 10 million credit card numbers and supporting customer data – their $$$$ transactional website has been down for a month+ – the breach is expected to cost them 1.5 billion dollars – new breaches reported over time • There have been many rumors about how the attack was achieved: – many have said it had something to do with an insider – it has been said that it was straight SQL injection, etc. – it has been said that ANONYMOUS did it because they warned Sony that they were sending customer data in the clear and Sony ignored them, so Anonymous decided it was time to teach them a lesson.
  • 15. If I give my credit card to a web site, I want at a minimum: • Mandatory web app security assessment including code review • Vulnerability management program • IPS looking out for malicious activity • Server protection on my web server and my database servers • DAM (database activity monitoring) looking out for my database access • DLP protection in my network
  • 16. Perimeter Defenses No Longer Sufficient • "A fortress mentality will not work in cyber. We cannot retreat behind a Maginot Line of firewalls." – William J. Lynn III, U.S. Deputy Defense Secretary • Paths around the perimeter (diagram): Insiders (DBAs, developers, outsourcers, etc.) • Outsourcing • Stolen Credentials (Zeus, etc.) • Web-Facing Apps • Legacy App Integration / SOA • Employee Self-Service • Partners & Suppliers
  • 17. Security Testing Technologies: Combination Delivers a Comprehensive Solution • Static Code Analysis = Whitebox: scanning source code for security issues • Dynamic Analysis = Blackbox: performing security analysis of a compiled application • Diagram: of the total potential security issues, static and dynamic analysis each cover only a part; best coverage comes from combining both
  • 18. Vulnerability Management in action • Explore web site / OS / application to detect flaws • Identify vulnerabilities ranked by severity and show how each was identified • Advanced remediation, fix recommendations and security enablement
  • 19. IBM Intrusion Prevention System: Intrusion prevention just got smarter with extensible protection backed by the power of X-Force (table: six protection modules, each with "What It Does" and "Why Important")
    – Virtual Patch. What it does: shields vulnerabilities from exploitation independent of a software patch, and enables a responsible patch management process that can be adhered to without fear of a breach. Why important: at the end of 2010, 44% of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability.
    – Client-Side Application Protection. What it does: protects end users against attacks targeting applications used everyday such as Microsoft Office, Adobe PDF, multimedia files and Web browsers. Why important: at the end of 2010, vulnerabilities which affect personal computers represent the second-largest category of vulnerability disclosures and about a fifth of all vulnerability disclosures.
    – Web Application Protection. What it does: protects web applications against sophisticated application-level attacks such as SQL Injection, XSS (Cross-site scripting), PHP file-includes and CSRF (Cross-site request forgery). Why important: expands security capabilities to meet both compliance requirements and threat evolution.
    – Threat Detection & Prevention. What it does: detects and prevents entire classes of threats as opposed to a specific exploit or vulnerability. Why important: eliminates the need for constant signature updates. Protection includes the proprietary Shellcode Heuristics (SCH) technology, which has an unbeatable track record of protecting against zero day vulnerabilities.
    – Data Security. What it does: monitors and identifies unencrypted personally identifiable information (PII) and other confidential information for data awareness. Also provides the capability to explore data flow through the network to help determine if any potential risks exist. Why important: flexible and scalable customized data search criteria; serves as a complement to the data security strategy.
    – Application Control. What it does: manages control of unauthorized applications and risks within defined segments of the network, such as ActiveX fingerprinting, Peer To Peer, Instant Messaging, and tunneling. Why important: enforces network application and service access based on corporate policy and governance.
  • 20. IBM Virtual Server Protection for VMware: Integrated threat protection for VMware ESX and ESXi • Helps to be more secure, compliant and cost-effective by delivering integrated and optimized security for virtual data centers. • Capabilities: VMsafe Integration • Firewall and Intrusion Prevention • Rootkit Detection/Prevention • Inter-VM Traffic Analysis • Automated Protection for Mobile VMs (VMotion) • Virtual Network Segment Protection • Virtual Network-Level Protection • Virtual Infrastructure Auditing (Privileged User) • Virtual Network Access Control
  • 21. Non-Invasive, Real-Time Database Security & Monitoring • Continuously monitors all database activities (including local access by superusers) • Heterogeneous, cross-DBMS solution • Does not rely on native DBMS logs • Minimal performance impact (2-3%) • No DBMS or application changes • Supports Separation of Duties: activity logs can't be erased by attackers or DBAs • Automated compliance reporting, sign-offs & escalations (SOX, PCI, NIST, etc.) • Granular, real-time policies & auditing: who, what, when, where, how
  • 22. Enterprise Content Protection (ECP) aka DLP• Automated discovery of sensitive content, classifying / tagging of files• Policy-based enforcement of data protection policy (notify, block, encrypt, remove, relocate)• Close the gap between user action and automated policy-enforced action• Endpoint – Network – Server / Data Center• Key Business Partners: – Fidelis Security Systems – Verdasys
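The "identify unencrypted PII" capability on the IPS slide and the "automated discovery of sensitive content" bullet on this DLP slide both come down to the same core step: find card numbers in cleartext data without drowning in false positives. The following added example, which is not from the deck and not IBM, Fidelis or Verdasys code, scans a byte buffer for candidate card numbers, keeps only those that pass the Luhn check, and reports them masked so the detector itself does not leak the data. The HTTP request bodies are constructed; the card number is a well-known test number, not a real account.

```python
"""Added example (not from the deck): cleartext card-number discovery with a Luhn filter.
Runs on bytes so it can be pointed at a captured payload or a file."""
import re

# 13 to 19 digits, optionally separated by spaces or dashes, as seen in form posts and CSV dumps.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10: double every second digit from the right, subtract 9 if over 9,
    the sum must be divisible by 10. Cuts most random digit runs (order IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep BIN (first 6) and last 4, hide the rest, so findings can be logged safely."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cards(payload: bytes) -> list:
    """Return masked card numbers found in a cleartext buffer; Luhn failures are dropped."""
    text = payload.decode("latin-1")   # 1:1 byte-to-char mapping, never raises on binary
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask(digits))
    return found


# Constructed request bodies: one sends the PAN in the clear, one sends a token instead.
# Both carry a 16-digit order number that must NOT be reported.
CLEARTEXT_POST = (b"POST /checkout HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
                  b"name=Jane+Doe&card=4111-1111-1111-1111&exp=12%2F14&cvv=123&order=2012030212345678")
TOKENISED_POST = (b"POST /checkout HTTP/1.1\r\nContent-Type: application/json\r\n\r\n"
                  b'{"name":"Jane Doe","card_token":"tok_8f3a9c2e","order":"2012030212345678"}')

if __name__ == "__main__":
    print("cleartext:", find_cards(CLEARTEXT_POST))
    print("tokenised:", find_cards(TOKENISED_POST))
```

The order number 2012030212345678 is 16 digits long and is caught by the regular expression in both payloads, but fails the Luhn check and is discarded; without that check a network DLP rule of this kind pages on every order ID, timestamp and tracking number it sees. Masking in the detector output is not optional either: an alert that carries the full PAN has just copied the data you were trying to protect into your SIEM.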
  • 23. Lessons learned and what to do next • Hacking is more organized, well funded and highly motivated than ever • Economics and politics play an important role in the exploitation schemes • There is no such thing as a magic silver bullet • We need a multilayered approach • We all need to work closely together and do our homework
  • 24. How to get more info about IBM Security Solutions? • Contact me!!! • IBM X-Force Blog & Reports!!! • IBM Institute for Advanced Security • IBM Security Solutions YouTube channel • IBM Security Solutions Twitter – !/ibmsecurity • IBM Redbooks / Redpapers regarding security
  • 26. IBM Security Solutions (table: Function / Capability → Candidate IBM Solutions)
    – 1. Establish the Cloud infrastructure: IBM Tivoli Service Automation Manager; IBM Tivoli Monitoring; IBM Service Delivery Manager; IBM Cloud Architecture / Design Services
    – 2. Establish and Enforce Security Policy & Governance Structure: IBM Professional Security Services; IBM Tivoli Security Policy Manager; IBM WebSphere DataPower SOA Appliance; IBM Tivoli Security Incident & Event Manager; IBM InfoSphere Guardium
    – 3. Discover & Categorize Information Assets: IBM InfoSphere Optim; IBM InfoSphere Guardium
    – 4. Establish & Manage Identities and Access: IBM Tivoli Identity Manager; IBM Tivoli Access Manager; IBM Tivoli Federated Identity Manager; IBM Tivoli Security Incident & Event Manager; IBM Privileged Identity Management
    – 5. Manage Information Access: IBM InfoSphere Guardium
  • 27. IBM Security Solutions, continued (table: Function / Capability → Candidate IBM Solutions)
    – 6. Cyber Defense: IBM AppScan; IBM Managed Security Services; IBM Proventia Threat Mitigation Products; IBM Tivoli Endpoint Manager (BigFix); IBM Security Virtual Server Protection; IBM X-Force Threat Analysis Service (XFTAS)
    – 7. Physical Security: IBM Physical Security Services – Digital Video Surveillance
    – 8. COP / Situational Awareness / Compliance Reporting: IBM Tivoli Security Incident & Event Manager; IBM InfoSphere Guardium; IBM Tivoli Monitoring; IBM Proventia Management SiteProtector; IBM Tivoli Netcool OMNIbus
    – 9. Advanced Analytics / Intuitive Situational Awareness / Sense and Respond Cyber Defense: IBM Research; IBM InfoSphere Streams; IBM CognosNow; IBM Tivoli Service Automation Manager; IBM Service Delivery Manager