With each passing year, the security threats facing computer networks have become more technically sophisticated, better organized and harder to detect. At the same time, the consequences of failure to block these attacks have increased. In addition to the economic consequences of financial fraud, we are seeing real-world attacks that impact the reliability of critical infrastructure and national security.

Join Lancope's Director of Security Research to learn about five key challenges that computer security professionals face in 2013, including:

1. State-sponsored espionage and sabotage of computer networks
2. Monster DDoS attacks
3. The loss of visibility and control created by IT consumerization and the cloud
4. The password debacle
5. Insider threats
5 Cyber Security Challenges for 2013
Tom Cross, Director of Security Research
tcross@lancope.com
(770) 225-6557
5 Cyber Security Challenges for 2013
• State Sponsored Computer Intrusions
• Monster DDOS Attacks
• Loss of Visibility and Control created by IT Consumerization and the Cloud
• The Password Debacle
• The Insider Threat
State Sponsored Computer Intrusions
• Sykipot
  – Spread by spear phishing emails with malicious attachments
  – Targets smartcard credentials
• Flame
  – Extremely complicated malware
  – Used a counterfeit digital certificate to impersonate Windows Update
  – Certificate was generated with a previously unknown MD5 collision attack
• Shamoon
  – Targeted the energy sector
  – Destroyed infected systems
• Gauss
  – Related to Stuxnet, Duqu, and Flame
• Council on Foreign Relations Waterhole
  – Targeted victims with specific language settings
• Red October
  – More than 1,000 modules!
© 2012 Lancope, Inc. All rights reserved.
0-Day Vulnerabilities
• A Zero Day vulnerability is a security vulnerability that attackers have access to before it is publicly disclosed.
  – Sophisticated attackers often search for previously unknown vulnerabilities
  – Because these vulnerabilities are not publicly disclosed, they cannot be patched, and Intrusion Prevention Systems usually cannot detect attacks that target them.
• Research paper by Symantec Research Labs published in October 2012
  – Retrospective look at a large archive of old binary files from Anti-Virus customers
  – Identified 18 0-Day vulnerabilities that were exploited in the wild
  – 11 were previously not known to have been exploited before public disclosure
  – The vulnerabilities were exploited for up to 30 months before public disclosure
  – On average, the vulnerabilities were exploited for 312 days before public disclosure
Protection Strategies
Less Sophisticated:
  – Downloads publicly available attack tools
  – Targets known/disclosed vulnerabilities
  – Uses off the shelf malware toolkits
More Sophisticated:
  – Discovers 0-day vulnerabilities
  – Attacks tested against IDS products
  – Malware tested against A/V products
Audit, Patch, and Protect:
  – Close known vulnerabilities
  – Block known attacks
  – Detect known malware
[Slide diagram labels: "Safety in Numbers"; axis "More Targeted"; "Sophisticated, Targeted Attacks?"]
Visibility throughout the Kill Chain
• A sophisticated attack on a network involves a series of steps
• Traditional thinking views any system compromise as a successful breach
• Any successful action taken to stop an infection prior to data exfiltration can be considered a win
• This is the Kill Chain concept introduced by Mike Cloppert at Lockheed
• Controls should be put in place at each stage of the chain
[Kill chain stages shown in the slide diagram: Recon; Exploitation (Social Engineering?); Initial Infection; Internal Pivot; Data Preparation & Exfiltration; Command and Control]
Monster DDOS Attacks
• IBM X-Force – 300% increase in DDOS backscatter from ’08 to ’11
• Prolexic (Q3 2011 to Q3 2012):
  – 88% increase in total attacks
  – 230% increase in average attack bandwidth
• DDoS attacks against US banks
  – 60 Gbps
  – itsoknoproblembro
  – Launched from servers
  – Claimed by Izz ad-Din al-Qassam Cyber Fighters
  – Attacker? Financial Criminals? Protest Rally? Statecraft?
Addressing Monster DDOS Attacks
• Have a plan in place before the day that attacks begin!
  – Plan should cover different classes of DDoS attacks
  – Quick reactions require visibility and process
  – Test human processes and not just technology
• Large DDoS attacks must be cleaned in the network and not at the customer premises
• Application-layer DDoS attacks can be difficult to mitigate with network-based services
  – Lack of application awareness
  – Traffic evades the scrubber’s heuristics
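The slide's two points (different DDoS classes need different responses, and flow data alone cannot confirm an application-layer attack) can be shown with a small classifier over NetFlow-style records. This is an added example, not Lancope or StealthWatch code: the flow records are constructed inline, and the thresholds (10x the median baseline, a 1 GB-per-minute floor, 2,000 bytes per flow) are assumed values a practitioner would tune for their own network.

```python
"""Classify per-destination traffic spikes from NetFlow-style records.

Added example; not the presenter's or Lancope's code. Records and
thresholds below are constructed assumptions.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Constructed records: (window_index, dst_ip, dst_port, flow_count, byte_count)
# Windows 0-4 are quiet one-minute windows used only to build a baseline.
FLOW_RECORDS: List[Tuple[int, str, int, int, int]] = []
for w in range(5):
    FLOW_RECORDS.append((w, "203.0.113.10", 443, 200, 40_000_000))
    FLOW_RECORDS.append((w, "203.0.113.20", 443, 150, 30_000_000))
# Window 5: volumetric flood against .10 (bytes explode, flow count moderate).
FLOW_RECORDS.append((5, "203.0.113.10", 443, 900, 7_500_000_000))
FLOW_RECORDS.append((5, "203.0.113.20", 443, 160, 31_000_000))
# Window 6: request flood against .20 (flow count explodes, bytes per flow tiny).
FLOW_RECORDS.append((6, "203.0.113.10", 443, 210, 41_000_000))
FLOW_RECORDS.append((6, "203.0.113.20", 443, 60_000, 36_000_000))

BYTE_FACTOR = 10            # assumed: bytes vs. median of prior quiet windows
FLOW_FACTOR = 10            # assumed: flows vs. median of prior quiet windows
MIN_BYTES = 1_000_000_000   # assumed: 1 GB per window floor (~133 Mbps)
SMALL_FLOW_BYTES = 2_000    # assumed: below this avg bytes/flow looks like a request flood


def aggregate(records) -> Dict[Tuple[int, str], List[int]]:
    """Sum flow and byte counts per (window, destination)."""
    agg: Dict[Tuple[int, str], List[int]] = defaultdict(lambda: [0, 0])
    for w, dst, _port, flows, nbytes in records:
        agg[(w, dst)][0] += flows
        agg[(w, dst)][1] += nbytes
    return agg


def classify_windows(records, warmup: int = 3) -> List[Tuple[int, str, str]]:
    """Return (window, dst, class) alerts.

    The baseline is the median of earlier windows that did not alert, so a
    flood in progress does not raise its own baseline.  'volumetric' is a
    confident call from byte volume; 'application-layer-suspect' only means
    many small flows: NetFlow has no application awareness, so confirming an
    application-layer attack needs application logs or an app-aware scrubber.
    """
    agg = aggregate(records)
    history: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    alerts: List[Tuple[int, str, str]] = []
    for (w, dst) in sorted(agg):            # sorted by window, then destination
        flows, nbytes = agg[(w, dst)]
        prior = history[dst]
        verdict = None
        if len(prior) >= warmup:
            base_flows = median([f for f, _ in prior])
            base_bytes = median([b for _, b in prior])
            if nbytes >= BYTE_FACTOR * base_bytes and nbytes >= MIN_BYTES:
                verdict = "volumetric"
            elif flows >= FLOW_FACTOR * base_flows and nbytes / flows < SMALL_FLOW_BYTES:
                verdict = "application-layer-suspect"
        if verdict:
            alerts.append((w, dst, verdict))
        else:
            prior.append((flows, nbytes))   # only quiet windows feed the baseline
    return alerts


if __name__ == "__main__":
    for window, dst, kind in classify_windows(FLOW_RECORDS):
        print(f"window {window}: {dst} -> {kind}")
```

The volumetric alert is the case the slide says must be scrubbed upstream in the network; the "suspect" class is exactly where a flow-only view runs out, which is why the slide warns that application-layer attacks evade network-based mitigation heuristics.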
IT Consumerization and the Cloud
• We used to have a three-tiered strategy:
  – Establish and protect the perimeter (firewalls, IPS, etc.)
    o Inbound attacks from the Internet
    o Drive-by downloads
  – Focus on hardening servers with critical data
  – Protect the endpoint (HIDS/AV)
    o Mobile laptops
    o USB keys
• Employee-owned devices can’t be protected with endpoint agents
• Applications with critical data are moving outside the perimeter
  – Loss of visibility into who accessed what, when and how
2013 is the year to demand our visibility back!
• Cloud services can provide authentication logs and NetFlow
  – They may not have architected their services this way, but it is technically feasible
• NetFlow can provide visibility into private clouds
• Identity-aware NetFlow provides a way to monitor mobile devices

User Name   MAC Address                                        Device Type
Bob.Smith   8c:77:12:a5:64:05 (Samsung Electronics Co.,Ltd)   Android
John.Doe    10:9a:dd:27:cb:70 (Apple Inc)                      Apple-iPhone

When a mobile device is acting up it is critical to be able to connect network transactions with the person who has the physical device.
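What "identity-aware NetFlow" means in practice is a join: each flow's source IP is resolved to the MAC that held that address at the flow's timestamp, and the MAC is resolved to a user and device type from a table shaped like the one on the slide. The example below is added here and is not StealthWatch or Lancope code; the lease records, flow records and the unknown MAC are constructed, and the assumption that the collector has a time-bounded IP-to-MAC mapping (for example from DHCP) is mine. An address that changes hands mid-day is included to show why the timestamp matters.

```python
"""Attribute NetFlow-style records to users via time-bounded IP->MAC->identity.

Added example; not the presenter's or Lancope's code. All records are constructed.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


class Lease(NamedTuple):
    ip: str
    mac: str
    start: int   # epoch seconds, inclusive
    end: int     # epoch seconds, exclusive


class Flow(NamedTuple):
    ts: int
    src_ip: str
    dst_ip: str
    dst_port: int
    nbytes: int


# Identity table in the shape of the slide's table: MAC -> (user, device type).
IDENTITY: Dict[str, Tuple[str, str]] = {
    "8c:77:12:a5:64:05": ("Bob.Smith", "Android"),
    "10:9a:dd:27:cb:70": ("John.Doe", "Apple-iPhone"),
}

# Constructed DHCP-style leases: 10.0.5.23 moves from Bob's phone to John's at t=3600.
LEASES: List[Lease] = [
    Lease("10.0.5.23", "8c:77:12:a5:64:05", 0, 3600),
    Lease("10.0.5.23", "10:9a:dd:27:cb:70", 3600, 7200),
    Lease("10.0.5.77", "00:11:22:33:44:55", 0, 7200),   # MAC absent from IDENTITY
]

# Constructed flow records.
FLOWS: List[Flow] = [
    Flow(100,  "10.0.5.23", "198.51.100.5", 443, 12_000),
    Flow(3000, "10.0.5.23", "198.51.100.9", 22, 800),
    Flow(4000, "10.0.5.23", "198.51.100.5", 443, 50_000),
    Flow(4500, "10.0.5.77", "198.51.100.9", 22, 2_000),
]


def mac_for(ip: str, ts: int, leases: List[Lease]) -> Optional[str]:
    """Return the MAC holding `ip` at time `ts`, or None if no lease covers it."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts < lease.end:
            return lease.mac
    return None


def attribute_flows(flows: List[Flow], leases: List[Lease] = LEASES,
                    identity: Dict[str, Tuple[str, str]] = IDENTITY):
    """Return (per-user summary, flows that could not be tied to a person).

    A flow is attributed only when both hops resolve; anything else is kept
    aside so an unmanaged or unregistered device shows up rather than being
    silently dropped.
    """
    per_user: Dict[str, dict] = defaultdict(
        lambda: {"device": None, "bytes": 0, "destinations": set()})
    unattributed: List[Flow] = []
    for f in flows:
        mac = mac_for(f.src_ip, f.ts, leases)
        ident = identity.get(mac) if mac else None
        if ident is None:
            unattributed.append(f)
            continue
        user, device = ident
        rec = per_user[user]
        rec["device"] = device
        rec["bytes"] += f.nbytes
        rec["destinations"].add((f.dst_ip, f.dst_port))
    return dict(per_user), unattributed


if __name__ == "__main__":
    summary, unknown = attribute_flows(FLOWS)
    for user, rec in summary.items():
        print(user, rec["device"], rec["bytes"], sorted(rec["destinations"]))
    print("unattributed:", unknown)
```

Flows at t=100 and t=3000 from 10.0.5.23 land on Bob.Smith, the one at t=4000 on John.Doe, and the flow from the unregistered MAC is reported separately, which is the "who has the physical device" question the slide raises.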
The Password Debacle
• 2012 was a banner year for breaches that disclosed large numbers of usernames and passwords or password hashes
  – LinkedIn, eHarmony, Formspring, Adobe, Yahoo, Nvidia, Gamigo, etc…
  – Millions of passwords had to be reset
• Cloud services make it easy to spin up large brute-force password cracking efforts
  – www.cloudcracker.com
• Passwords are too short!
  – Minimum secure password length in 2010 = 12 characters (GTRI)
• Passwords are not going anywhere soon.
  – Multifactor auth isn’t foolproof either!
Living with Passwords
• Our policies are killing us!
  – Password policies can be complied with in meaningless ways
  – Passphrases are easier to remember if they don’t need special characters
  – Some systems have maximum password lengths!
  – The way to find weak passwords is to actually crack your hashes
• Personal solutions
  – Password vaults (eggs in one basket)
  – Different passwords for different classes of services (work, sensitive, fun)
  – A physical notebook?
• Be prepared for attackers to enter the network with valid credentials
  – Mandiant M-Trends Report – 100% of attackers used valid credentials
  – Are you monitoring the behavior of legitimate users?
The Insider Threat
• Internal threats were ranked the #1 security concern, closely followed by APT
  o Respondents who ranked insider threats as their #1 security concern also had the highest increase in network traffic due to additional mobile devices.

Security Concern                              Ranking
Insider Threats                               1
APTs (Directed Attacks)                       2
IT Consumerization / User Mobility / BYOD     3
Virtualization / Cloud Computing              4
Compliance                                    5
CERT Research on Insider Threat
• 12 years of history
• Over 700 insider threat cases
• IT Sabotage
  – Average: $1.7 million
  – Median: $50,000
• IP Theft
  – Average: $13.5 million
  – Median: $337,000
Combating Insider Threat is a multidisciplinary challenge (IT, HR, Legal)
• IT cannot address insider threat by itself
  – People have a tendency to think that IT is solely responsible for all computer security issues.
• Legal: Are policies in place? Are they realistic? Does legal support IT practices?
• HR: Who is coming and going? Who has workplace issues? Are there soft solutions?
• IT: Is the privacy of end users adequately protected?
• What impact on workplace harmony are policies, monitoring, and enforcement having?
• Are you applying policies consistently?
5 Recommendations for Managing Insider Threats
1. IT cannot resolve insider threat problems alone.
2. Create checks and balances for system and network administrators.
3. Work with management to identify disgruntled employees.
4. Have a comprehensive process for terminating employee access to the network.
5. Pay attention to audit trails of system accesses and network activity around employment termination.
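Recommendations 4 and 5, together with the "Living with Passwords" question of whether the behaviour of legitimate users is being monitored, come down to one check that can be run from an HR feed and an audit trail: does a terminated account still authenticate or move data after its termination time, and did its outbound volume spike in the days before? The example below is added here and is not Lancope code; the HR record, the login and egress events, the seven-day window and the 5x spike factor are all constructed assumptions.

```python
"""Audit access and egress around employment termination.

Added example; not the presenter's or Lancope's code. The HR feed, the
audit events and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


# Constructed HR feed: user -> effective termination time.
TERMINATIONS: Dict[str, datetime] = {"alice": parse("2013-01-15 17:00")}

# Constructed audit events: (timestamp, user, kind, detail).
# kind "login": detail is the access path; kind "egress": detail is bytes leaving the network.
EVENTS: List[Tuple[str, str, str, object]] = [
    ("2012-12-20 09:00", "alice", "login", "vpn"),
    ("2012-12-20 09:05", "alice", "egress", 50_000_000),
    ("2012-12-27 10:00", "alice", "egress", 60_000_000),
    ("2013-01-03 11:00", "alice", "egress", 55_000_000),
    ("2013-01-14 22:10", "alice", "login", "vpn"),          # night before last day
    ("2013-01-14 22:15", "alice", "egress", 4_000_000_000),
    ("2013-01-17 08:30", "alice", "login", "vpn"),          # after termination
    ("2013-01-17 08:31", "alice", "egress", 120_000_000),
    ("2013-01-10 09:00", "bob", "login", "lan"),            # not terminated
    ("2013-01-10 09:10", "bob", "egress", 70_000_000),
]


def audit_terminations(events, terminations, lookback_days: int = 7,
                       spike_factor: float = 5.0) -> Dict[str, dict]:
    """For each terminated user, report post-termination activity and an egress spike.

    Baseline = average daily egress from the user's first recorded egress event
    up to the start of the lookback window.  A user with no baseline at all is
    flagged for any egress in the window, which is deliberate: no history means
    nothing to compare against, and a human should look.
    """
    by_user: Dict[str, List[Tuple[datetime, str, object]]] = defaultdict(list)
    for ts, user, kind, detail in events:
        by_user[user].append((parse(ts), kind, detail))

    findings: Dict[str, dict] = {}
    for user, term_at in terminations.items():
        window_start = term_at - timedelta(days=lookback_days)
        recs = by_user[user]
        post = sorted((t, k, d) for t, k, d in recs if t > term_at)
        baseline = [(t, d) for t, k, d in recs if k == "egress" and t < window_start]
        window = [d for t, k, d in recs if k == "egress" and window_start <= t <= term_at]

        if baseline:
            span_days = max((window_start - min(t for t, _ in baseline)).days, 1)
            base_per_day = sum(d for _, d in baseline) / span_days
        else:
            base_per_day = 0.0
        window_per_day = sum(window) / lookback_days

        findings[user] = {
            "post_termination": [(t.strftime("%Y-%m-%d %H:%M"), k, d) for t, k, d in post],
            "egress_spike": window_per_day > 0 and window_per_day > spike_factor * base_per_day,
            "window_bytes_per_day": window_per_day,
            "baseline_bytes_per_day": base_per_day,
        }
    return findings


if __name__ == "__main__":
    for user, f in audit_terminations(EVENTS, TERMINATIONS).items():
        print(user, "post-termination events:", f["post_termination"])
        print(user, "egress spike:", f["egress_spike"],
              f"({f['window_bytes_per_day']:.0f} vs {f['baseline_bytes_per_day']:.0f} bytes/day)")
```

Both findings for the constructed "alice" record are the two failures the recommendations name: the VPN login and transfer two days after termination show the access-removal process did not complete, and the 4 GB upload the night before her last day is the audit-trail signal that recommendation 5 asks you to watch for. Neither needs anything more exotic than authentication logs and flow data already collected.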
Thank You
Tom Cross
Director of Security Research
tcross@lancope.com
(770) 225-6557
StealthWatch Labs Intelligence Center
http://lancope.com/SLIC
@stealth_labs
Get Engaged with Lancope
• Follow us at @Lancope and @NetFlowNinjas
• Subscribe to Lancope updates at http://feeds.feedburner.com/NetflowNinjas
• Attend complimentary seminars: http://www.lancope.com/news-events/university-of-netflow/
• Join NetFlow Ninjas: http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about
• Access StealthLabs Intelligence Center (SLIC) reports: http://lancope.com/SLIC
• Download “NetFlow Security Monitoring for Dummies”: http://www.lancope.com/netflow-for-dummies/
Please email sales@lancope.com or