Top Security Trends for 2014
Amichai Shulman, CTO, Imperva

Imperva's dedicated research organization, the Application Defense Center (ADC), constantly monitors hackers - and their attack methods - to isolate the most relevant attack campaigns. Based on this research data, the ADC has identified the top trends poised to have the most significant impact on the security landscape in 2014. This presentation outlines the trends that will resonate across the globe in the upcoming year like the return of compromised web servers, the rise of cloud platform breaches, and the spread of 3rd party application vulnerabilities.

Transcript of "Top Security Trends for 2014"

1. Top Security Trends for 2014
Amichai Shulman, CTO, Imperva
© 2013 Imperva, Inc. All rights reserved.

2. Agenda
§  Introduction
§  2013 forecast scorecard
§  2014 security trends
§  Summary and conclusion
§  Q&A

3. Amichai Shulman – CTO, Imperva
§  Speaker at industry events
  •  RSA, Appsec, Info Security UK, Black Hat
§  Lecturer on information security
  •  Technion - Israel Institute of Technology
§  Former security consultant to banks and financial services firms
§  Leads the Imperva Application Defense Center (ADC)
  •  Discovered over 20 commercial application vulnerabilities
§  Credited by Oracle, MS-SQL, IBM and others
Amichai Shulman: one of InfoWorld’s “Top 25 CTOs”

4. 2013 Forecast Scorecard
# | Trend | Score
1 | | C
2 | Government malware goes commercial | B+
3 | Black clouds on the horizon | B+
4 | Community policing | A
5 | Hacktivism gets process driven / APT targets the little guy | A

5. #1 - 3rd Party is “No Party”

6. Known Vulnerabilities: The Known Knowns
§  There are known knowns; these are things we know that we know…
  •  Donald Rumsfeld, U.S. Secretary of Defense, February 2002
§  3rd party known vulnerabilities
  •  Vulnerable components (e.g., framework libraries) can be identified and exploited (OWASP: https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities)

7. Rich Attack Surface
According to Veracode:
  •  Up to 70% of internally developed code originates outside of the development team
  •  28% of assessed applications are identified as created by a 3rd party

8. Security Falls Between the Cracks
§  Application developers
  •  Introduce 3rd party code into the system
  •  Not responsible for 3rd party code security (or quality)
  •  Not responsible for run-time configuration of 3rd party components
§  IT operations
  •  Not always aware of 3rd party components
    §  Web server type is more visible than a library
  •  Reluctant to change configuration settings that might impact application behavior
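Slides 6 and 8 make the point that third-party components fall through the cracks because nobody on the team keeps an inventory of them or knows which pinned versions carry known vulnerabilities (OWASP A9). The script below is an added example and not part of the Imperva deck: it reads a pinned requirements-style manifest, compares each pinned version against an advisory table of affected version ranges, and reports the matches. The manifest, the package names, the version numbers and the advisory table are all constructed sample data, and the advisory IDs are placeholders rather than real CVE numbers; in practice the table would be fed from a vulnerability source such as NVD.

```python
"""Inventory pinned third-party components and flag known-vulnerable versions.

Added example, not taken from the Imperva deck. The manifest, package names,
version numbers and advisory table are constructed sample data; the advisory
IDs are placeholders, not real CVE numbers.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed manifest in the pip requirements.txt pinned style (name==version).
SAMPLE_MANIFEST = """\
# web tier
acme-web==1.0.2
templater==2.10
# data tier
dbkit==1.2.18
httpclient==2.19.1
"""

# Constructed advisory table: package -> [(advisory id, introduced, fixed)].
# A version is affected when introduced <= version < fixed; fixed=None means no fix yet.
SAMPLE_ADVISORIES: Dict[str, List[Tuple[str, str, Optional[str]]]] = {
    "templater": [("ADV-PLACEHOLDER-1", "2.0", "2.10.1")],
    "httpclient": [("ADV-PLACEHOLDER-2", "2.0", "2.20.0")],
    "dbkit": [("ADV-PLACEHOLDER-3", "1.3.0", None)],  # the pinned 1.2.18 predates it
}


@dataclass
class Finding:
    package: str
    version: str
    advisory: str
    fixed_in: Optional[str]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.10.1' into (2, 10, 1); parsing stops at the first non-numeric piece."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """Numeric dotted-version comparison; shorter tuples are zero-padded so 1.3 == 1.3.0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def parse_manifest(text: str) -> Dict[str, str]:
    """Collect pinned name==version entries; comments, blanks and unpinned lines are skipped."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)\s*==\s*([0-9][A-Za-z0-9.]*)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version and (no fix exists or version < fixed)."""
    if version_lt(version, introduced):
        return False
    return fixed is None or version_lt(version, fixed)


def audit(manifest: str, advisories) -> List[Finding]:
    """Match every pinned component against the advisory table."""
    findings: List[Finding] = []
    for pkg, ver in parse_manifest(manifest).items():
        for adv_id, introduced, fixed in advisories.get(pkg, []):
            if is_affected(ver, introduced, fixed):
                findings.append(Finding(pkg, ver, adv_id, fixed))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_MANIFEST, SAMPLE_ADVISORIES):
        fix = f"upgrade to {f.fixed_in}" if f.fixed_in else "no fixed version yet"
        print(f"{f.package}=={f.version}: {f.advisory} ({fix})")
```

The version comparison is numeric rather than string-based on purpose: a string compare would rank "2.9" above "2.10" and silently miss the affected range, which is exactly the kind of gap slide 8 describes between developers who pin the version and operations staff who never see the library at all.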
9. 2014 Forecast: Bigger! Stronger! Faster!
§  Bigger! – More vulnerabilities!
§  Stronger! – As a result of the richness of the vulnerability market, attackers will create vulnerability “mash-ups,” combining several different vulnerabilities together
§  Faster! – Shorter time from a vulnerability’s full disclosure to exploits in the wild
Source: http://cdn.thinksteroids.com

10. Bigger! Disclosure Rate Increases
§  More software + more security researchers + more bounty programs = more vulnerability disclosures
§  The CVE ID syntax was changed to track more than 10,000 vulnerabilities in a single year, starting in 2014

11. Stronger! Vulnerabilities “Mash-Up”
§  Take several “cheap” (low CVSS impact score) known vulnerabilities
  •  CVE-2010-3065: PHP
    §  NIST assigned impact score: 2.9
  •  CVE-2011-2505: phpMyAdmin session modification vulnerability
    §  NIST assigned impact score: 4.9
§  To create a shining exploit
  •  phpMyAdmin full server takeover exploit
  •  Effective impact score: a perfect 10
§  Read more in Imperva’s HII report: http://www.imperva.com/docs/HII_PHP_SuperGlobals_Supersized_Trouble.pdf

12. Stronger! 1 + 1 = 3

13. Faster! Vulnerability Weaponization
§  Since a vulnerability has a limited time span, attackers strive for faster vulnerability weaponization
§  We have witnessed weaponization time cut from weeks to days
§  Infrastructure is the key to fast weaponization
  •  Exploit code is often publicly available
  •  Dormant botnets are ready to launch the attack
  •  Command and Control (C2) servers and zombies support
    §  Dynamic content
    §  Dynamic targets
14. #2 - Server Based APT Alternative

15. Web Servers Infection is the New Black
§  Goals of infecting corporate workstations
  •  Harness computing resources
    §  Network bandwidth to be used in DDoS attacks
    §  CPU power to mine Bitcoins
  •  Use as a bridgehead into the corporate datacenter
§  Both goals are better achieved by targeting web servers
  •  More powerful
  •  Inherently connected to the corporate datacenter

16. Traditional Infiltration Attack

17. Why Start with Web Servers?
§  Easier reconnaissance
  •  Detect type and components, discover vulnerabilities
§  Accept inbound communications from the Internet (by definition)
  •  Direct attack, no need for the “human factor”
  •  Remote control becomes easier
  •  Attacker identity
§  Land (almost) directly in the data center
  •  No need for “lateral movement”
§  Wide outgoing pipe
  •  Exfiltration made easier

18. Means and Opportunity
§  Many code execution / full server takeover vulnerabilities exist
§  Most are easy to weaponize and exploit
§  In 2013, the following environments were vulnerable to such attacks
  •  ColdFusion
  •  Apache Struts
  •  vBulletin (TA)
  •  JBoss (TA)
  •  PHP
http://blog.imperva.com/2013/11/threat-advisory-a-jboss-as-exploit-web-shell-code-injection.html
http://blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html

19. Warning Signs

20. Warning Signs

21. 2014 Forecast: Server Based APTs
§  We expect more APT operations to happen through server compromise
§  Such attacks have an even smaller footprint than existing APT techniques
  •  Initial infection
  •  Lateral movement
  •  Exfiltration
§  Public disclosure will probably arrive in 2015
22. #3 - Ad Networks = Added Risk

23. Reality Check 1
§  Malware infected PCs = potential income
§  Plenty of ways to monetize (KrebsOnSecurity)
Source: http://krebsonsecurity.com

24. Reality Check 2
§  Infected mobile devices are even more valuable
§  Can do anything a PC does, therefore can be monetized the same way
§  Additionally, can send “premium SMS” – a very effective and direct monetization method
Source: http://thenextweb.com

25. Black Market Economy 101
§  Infected end points are valuable
§  Therefore, driving traffic to an infecting site is valuable
§  Sample price list for geo-location profiled traffic (per thousand unique visitors; credit: Webroot blog)
Source: http://webrootblog.files.wordpress.com

26. Malware + Advertising = Malvertising
§  Paying someone to show your content is an already established business practice
§  It’s called advertising!
§  And when the content is malicious it’s malvertising
§  Targeted advertising is very efficient
§  And so is targeted malvertising
Source: http://bluebattinghelmet.files.wordpress.com

27. Malvertising so 2010…

28. Not!
Source: http://upload.wikimedia.org

29. Not!
Source: http://upload.wikimedia.org

30. The Main Door is (Pretty Much) Locked
§  Vendors closely monitor their app shops for malware
§  Result: attackers cannot directly upload malicious apps

31. 2014 Forecast: Year of Mobile Malvertising
§  Dynamic content delivered to already installed apps does not go through the app shop
§  Supply - mobile app vendors
  •  Have many users
  •  Do not have a way to monetize the traffic
  •  Eager for advertising revenues
§  Demand – cyber criminals
  •  Have malicious content
  •  Look for alternative delivery to end users, as the market is blocked
  •  Eager for traffic
§  Outcome: mobile malvertising

32. BadNews Ad Network Infected Apps
Source: https://blog.lookout.com

33. The Ad Market is Very Complex
§  A complex environment is a hotbed for attackers
§  Many opportunities for the attacker to attack
  •  Can choose the weakest link
  •  Can move to the next target when denied
§  App makers have a vast “deniability region”
Source: http://ad-exchange.fr
34. #4 - (Finally) Cloud Data Breaches

35. We are Not in Kansas Anymore Toto!
§  Demand
  •  SaaS and DBaaS are becoming mainstream
  •  Not early adopters anymore
  •  Less technically oriented organizations
  •  Test and pilot deployments become production
  •  The dial moves from “nice to have” applications to “mission critical” applications
§  Supply
  •  Many new providers
  •  Smaller, less experienced organizations
  •  Carpe Diem
    §  I wanted an app of my own but ended up building a cloud service

36. Everybody Is Doing It
§  According to the Verizon ‘2013 State of the Enterprise Cloud Report’ (January 2012 – June 2013)
  •  The use of cloud-based storage has increased by 90 percent
  •  Organizations are now running external-facing and critical business applications in the cloud – production applications now account for 60 percent of cloud usage

37. Hiding in the Fog
§  Outsourcing data MISTAKEN for outsourcing responsibility
§  Low number of breaches
§  False sense of safety

38. Ball Waiting for the Player
§  Traditional RDBMS services
  •  Used as C&C and dropper infrastructure by cyber criminals
  •  Security attitude is not adapted to cloud reality
  •  See our “Assessing the Threat Landscape of DBaaS” HII for more details
§  Big Data services
  •  Innovative
  •  Smaller providers
  •  Using innovative technologies with little to no security built in
  •  Widely adopted by the web application startup community, often storing personal information

39. Warning Signs and Wakeup Calls

40. Warning Signs and Wakeup Calls

41. Warning Signs and Wakeup Calls

42. Warning Signs and Wakeup Calls

43. 2014 Forecast: Cloud Breaches Increase
§  We expect to see a significant increase in cloud service data breaches
  •  SaaS
  •  DBaaS
§  We expect to see a growing use of DBaaS by attackers. It’s a newcomer to our 2013 ‘Black Cloud on the Horizon’ trend
44. #5 – Commercial Malware for Data Centers

45. Advanced Threat – State Sponsored
Stuxnet
  •  Manual intelligence
  •  Advanced malware attack
Duqu
  •  Automatic intelligence
Rocra
  •  Both
  •  See Red October: The Hunt For the Data

46. Growing Criminal Interest

47. Growing Criminal Interest

48. Growing Criminal Interest

49. Commercialization of Military Technologies
§  Advanced threat malware capabilities flow into criminal malware
  •  Technology – modular code, two-tier C&C, including data access and handling code
  •  Target – enterprise internals
§  Examples
  •  Narilam – destroys business application databases
  •  Malware targeting business applications (SAP) spotted

50. Built-in Database Access
§  Our December 2013 HII shows commercial malware using DBaaS as infrastructure
§  Data store accessing capabilities
  •  Mevade – uses an integrated services language based on SQL, called WQL (SQL for Windows Management Interface), to query the target system's database and learn its security settings
  •  Shylock – SQLite: any messages that Skype sends are stored in Skype's main.db file, which is a standard SQLite database. Shylock accesses this database and deletes its messages and file transfers so that the user cannot find them in the history
  •  Kuluoz – SQLite, to access browser data repositories for sensitive information, such as credentials
§  Database access malware was used in the SK Comms data breach

51. 2014 Forecast: Datacenter is the Goal
§  We are at the tipping point and in 2014 we will see active automated attacks against enterprise data centers
  •  Infection methods are more effective than ever
  •  Malware infrastructure is mature and ready
  •  Criminal use cases are starting to show up
§  We expect business applications to become a first-class target for criminals
  •  Easier to manipulate
  •  The internal version of “web application attacks”
52. Summary and Conclusion

53. Summary
§  Our five trends for 2014
  •  3rd party vulnerability exploits – bigger, stronger, faster
  •  Web server compromise – alternative to APT
  •  Ad network infections – more targeted, mobile oriented
  •  Cloud breaches – sharp rise in actual incidents
  •  Commercial malware – criminals are after your data center
§  Attackers focus their attention on getting into the data center – physical or virtual
§  Attackers prefer to use the front door (web servers) but at the same time are constantly improving on the alternatives (malware and infection methods)

54. Recommendations
§  Protect your front door
  •  Web Application Firewalls are not “nice to have”
  •  SDLC and patching fail in modern software and threat environments
§  Improve your internal DATA controls
  •  Enhance visibility into data access, both structured and unstructured
  •  Introduce capabilities to detect abusive access to data center resources
§  Evaluate solutions for your cloud data repositories
  •  Perform better due diligence on providers
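Slide 54 recommends visibility into data access and the ability to detect abusive access to data center resources; that is the control which catches the scenario slide 17 describes, a compromised web server with a wide outgoing pipe reading a database it is legitimately allowed to reach. The script below is an added example, not Imperva's own code: it parses database audit log lines, compares each statement from a service account against a per-account baseline of tables and result sizes, and raises an alert when the account touches a table outside its baseline or returns far more rows than it normally does. The log format, the account names, the client addresses and the baseline are all constructed for this example; a real deployment would derive the baseline from observed normal traffic.

```python
"""Flag abnormal data access by service accounts in database audit logs.

Added example, not code from the Imperva deck. The audit-log format, account
names, client addresses and baseline below are constructed for illustration;
a real deployment would derive the baseline from observed normal traffic.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed audit lines: "<timestamp> user=<db account> src=<client> rows=<returned> sql=<statement>".
# The first three are ordinary web-tier traffic; the next two are what a compromised
# web server dumping a whole table and then probing an admin table would look like;
# the last one is the reporting account doing a legitimate bulk read.
SAMPLE_LOG = """\
2014-01-15T10:00:01Z user=webapp src=10.0.1.5 rows=1 sql=SELECT id,name FROM customers WHERE id=42
2014-01-15T10:00:02Z user=webapp src=10.0.1.5 rows=12 sql=SELECT * FROM orders WHERE customer_id=42
2014-01-15T10:00:03Z user=webapp src=10.0.1.5 rows=1 sql=SELECT * FROM sessions WHERE token='abc'
2014-01-15T02:13:44Z user=webapp src=10.0.1.5 rows=250000 sql=SELECT * FROM customers
2014-01-15T02:13:50Z user=webapp src=10.0.1.5 rows=3 sql=SELECT login,pwdhash FROM admin_users
2014-01-15T02:14:01Z user=reports src=10.0.2.9 rows=250000 sql=SELECT * FROM customers
"""

# Constructed baseline: the tables each account touches in normal operation and the
# largest result size observed for it. The reporting account legitimately reads bulk data.
BASELINE: Dict[str, Dict] = {
    "webapp": {"tables": {"customers", "orders", "sessions"}, "max_rows": 500},
    "reports": {"tables": {"customers", "orders"}, "max_rows": 1_000_000},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) rows=(?P<rows>\d+) sql=(?P<sql>.*)$"
)
# Table names follow FROM/JOIN/INTO/UPDATE; adequate for the plain statements seen in audit logs.
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


@dataclass
class Alert:
    ts: str
    user: str
    reason: str
    sql: str


def tables_in(sql: str) -> Set[str]:
    """Extract the table names a statement references, lower-cased."""
    return {name.lower() for name in TABLE_RE.findall(sql)}


def detect(log_text: str, baseline: Dict[str, Dict]) -> List[Alert]:
    """Compare every parsed audit line against its account's baseline."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a production tool would count these as well
        user, rows, sql = m["user"], int(m["rows"]), m["sql"]
        profile = baseline.get(user)
        if profile is None:
            alerts.append(Alert(m["ts"], user, "account has no baseline", sql))
            continue
        unexpected = tables_in(sql) - profile["tables"]
        if unexpected:
            alerts.append(Alert(m["ts"], user,
                                "table outside baseline: " + ", ".join(sorted(unexpected)), sql))
        if rows > profile["max_rows"]:
            alerts.append(Alert(m["ts"], user,
                                f"result size {rows} exceeds baseline {profile['max_rows']}", sql))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, BASELINE):
        print(f"{a.ts} {a.user}: {a.reason} | {a.sql}")
```

The two checks are deliberately per account rather than global: the same 250,000-row read is normal for the reporting account and an alert for the web tier, which is the distinction a perimeter device cannot make and the reason the slide puts the control next to the data rather than at the network edge.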
55. Bottom Line
§  Balance your security budget to reflect the need for more data protection over end-point and network perimeter protection

56. Webinar Materials
Join Imperva LinkedIn Group, Imperva Data Security Direct, for…
  •  Post-Webinar Discussions
  •  Webinar Recording Link
  •  Answers to Attendee Questions
Join Group

57. www.imperva.com