Cyber security 2013
Types of risks, ways of coping, tools and recommendations (STKI)

Cyber security 2013: Presentation Transcript

  • Slide 1: STKI Summit 2013, Changing Data Center. IT at the crossroads: lead, follow or get out of the way. Sigal Russin, Cyber and Security.
  • Slide 2: (title slide, no content.) Shahar Maor's work, Copyright 2012 @STKI. Do not remove source or attribution from any graphic or portion of graphic.
  • Slide 3: Cyber and Security. Agenda:
    - The Dangers: Blackhole (Hacking as a Service); APT1
    - Solutions/Tools: Categorization of solutions; Cyber Intelligence; HoneyPot
    - Recommendations
    Pini Cohen and Sigal Russin's work, Copyright@2013. Do not remove source or attribution from any slide, graph or portion of graph.
  • Slide 4: 13 of the biggest security myths. Source: http://www.infoworld.com
  • Slide 5: What clients said about Cyber Security:
    - Helps in getting more budget
    - We certainly see more sophisticated attacks
    - Attackers are studying our site architecture and looking for vulnerabilities
    - We changed our basic concept: now we start by assuming someone has already penetrated our organization
    - Nothing is changed
    - We need help from IDF/Government
    - Bottom line is "press coverage" and reputation
    - Cyber vs. traditional BCP/DRP event
    - We made a "secondary/reduced site" ready for activation
    - At least 25% of home users are infected
    - The most difficult task is to identify that you are under attack (and not stopping the attack)
  • Slide 6: Generic Cyber Attacks
    1. Individuals/Groups
    2. Criminal/Nationalistic background
    3. Lots of intervals
    4. Lots of targets
    5. Common tools
  • Slide 7: Distributed Denial Of Service (DDoS)
    1. Targets websites, internet lines etc.
    2. Legitimate traffic
    3. Many different sources
    4. From all over the world
    5. Perfect timing
  • Slide 9: Advanced and Persistent Threat (APT)
    1. Group/Org./State
    2. Ideological/Nationalistic background
    3. Multi-layered attack
    4. Targeted
    5. Variety of tools
    6. Impossible to detect in real time (???)
  • Slide 10: APT Example: BIT9
  • Slide 11: Zero day attack
    - A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability.
    - This means that the developers have had zero days to address and patch the vulnerability. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability. (Wikipedia)
    - The meaning: no signature!
    - Hackers can easily modify "known threats" and eliminate the signature
  • Slide 12: Zero Day Attack Example
  • Slide 13: Blackhole: Hacking as a Service
    - An exploit kit is a tool used by attackers to get their software installed on a victim's PC.
    - Their business is to create and sell exploit kits as a service to other cybercriminals.
    - Blackhole redirects and exploit sites represent 28% of all web threats detected by SophosLabs.
    Sigal Russin's work, Copyright@2013. Do not remove source or attribution from any slide, graph or portion of graph.
  • Slide 14: Blackhole: Today's malware market leader
    1. Web browser with malicious code
    2. Spam messages
    3. Landing page: control user web traffic (credit page; Adobe; Java; Flash ...)
  • Slide 15: Protect yourself against Blackhole. The attack chain has three stages: the initial contact, either by email or a compromised website; redirection to the attack site, which probes for weaknesses; delivery of the exploit itself and the resulting malware drop. The matching defensive layers: spam filters, web filters, patching. Source: SophosLabs
  • Slide 16: APT1
    - A single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006.
    - APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations spanning 20 major industries.
    - 87%: English is the native language
    - 97%: attack infrastructure used IP addresses registered (1,849 of the 1,905 Remote Desktop sessions)
    - 98%: IP addresses logging in (817 of the 832)
    Source: http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
  • Slide 17: APT1 Puts the "Persistent" in APT (timeline 2006 to 2013)
  • Slide 19: "Hop Points". Source: http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
    1. WEBC2 backdoors: HTML tags or comments
    2. Standard backdoors: HTTP protocols
    3. Legitimate VPN credentials: stolen usernames & passwords
    4. Log in to web portals: only restricted websites and web-based email systems
  • Slide 20: Source: 2013 Data Breach Investigations Report, Verizon
  • Slide 21: The last frontier: HW (low-level SW) attacks
    - Imagine your Cisco router tells everything to your enemy?
    - Imagine "Microsoft update" tells everything to your enemy?
    - These kinds of attacks are developed by countries
  • Slide 22: "From the outside" category. Source: IBM 2012 (SandBox)
  • Slide 23: "From the inside" category. Source: IBM 2012
  • Slide 24: Moving Security Closer To The Target. Source: IBM 2012. 80% of security budget (SandBox)
  • Slide 27: Cyber Intelligence. Managed service of: hacking forums; Sham monitoring and analysis; patches distribution. System of employee profiles and behaviors in the business using existing logs. Vendors: 2bsecure, Aman, Secoz.
  • Slide 28: Cyber Intelligence outside your business
    - Protection: companies who analyze world-class attacks and release patches for each segment
    - Prevention: Cyber Business Intelligence
    Vendors: 2bsecure; Aman; Secoz
  • Slide 29: Cyber Intelligence inside your business
    - Endpoint Behavior Analysis: HBGary, ECAT
    - Network Replay/Forensics: NetWitness, Solera
    - Sandbox Simulation: FireEye*, Palo Alto
    - DDoS Protection: Check Point; Arbor; Fortinet; Radware
  • Slide 30: Honeypot (FAKE)
  • Slide 31: Honeypot & Honeynet. "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." (Wikipedia.org)
    1. Has no production value; anything going to/from a honeypot is likely a probe, attack or compromise
    2. Used for monitoring, detecting and analysing attacks
    3. Does not solve a specific problem. Instead, honeypots are highly flexible tools with different applications to security.
  • Slide 32: Honeypots Classification
    - Production honeypots: easy to implement and operate; most common
    - Research honeypots: study and identify new attacks; difficult implementation; a lot of data
    - Honeytokens: a digital system/information resource whose only use is unauthorized access
  • Slide 33: Location and Strategy. Source: White Paper: Honeypots, Reto Baumann and Christian Plattner. Placement options shown: front network; no connection to the real network; catch employee threats.
  • Slide 34: HoneyPot Tools
    - DTK (free tools): designed to protect the system better and give the administrator advantages over attackers. The idea is to mislead the attackers: by running DTK, the system appears to have more potential holes available to attackers.
    - Honeyd: can run on Unix & Windows. It allows you to create different virtual machines on one computer. You can set it to run a service such as FTP or SMTP. It allows the user to simulate an operating system.
    - Google Hack Honeypot (GHH): designed to address attackers who use search engines as a hacking tool. GHH emulates a real network application and lets it be found through the many search engines. The honey trap is connected to a settings file which records everything defined in the system settings.
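The slides describe a honeypot as a resource with no production value, so that any connection to it is by definition suspect, and list low-interaction tools (Honeyd, DTK) that fake a service such as FTP. The following is an added example, not code from the STKI deck or from any of the tools it names: a minimal low-interaction TCP honeypot that answers with a fake FTP banner, records who connected and what they sent first, and tags each event for triage. The `classify` rules, the banner text and the `probe` test client are assumptions made for this illustration.

```python
# Added example (not from the STKI deck): a minimal low-interaction TCP honeypot.
import socket
import socketserver
import threading
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class ProbeEvent:
    """One connection to the honeypot; every such event is suspect by definition."""
    ts: str
    src_ip: str
    src_port: int
    dst_port: int
    first_bytes: bytes


def classify(first_bytes: bytes) -> str:
    """Coarse triage tag from the first bytes a client sent (illustrative rules, assumed)."""
    if not first_bytes:
        return "connect-only scan"
    if first_bytes.startswith((b"GET ", b"HEAD ", b"POST ")):
        return "http probe"
    if first_bytes.startswith((b"USER ", b"PASS ")):
        return "ftp login attempt"
    if first_bytes.startswith(b"SSH-"):
        return "ssh client banner"
    return "unknown payload"


def summarize(events):
    """Count probes per source address: the first view an analyst wants from a honeypot log."""
    return dict(Counter(ev.src_ip for ev in events))


class _ProbeHandler(socketserver.BaseRequestHandler):
    def handle(self):
        # Wait briefly for the client to speak first; scanners that only connect send nothing.
        self.request.settimeout(0.5)
        try:
            data = self.request.recv(256)
        except socket.timeout:
            data = b""
        ip, port = self.client_address[:2]
        ev = ProbeEvent(
            ts=datetime.now(timezone.utc).isoformat(),
            src_ip=ip,
            src_port=port,
            dst_port=self.server.server_address[1],
            first_bytes=data,
        )
        self.server.honeypot.record(ev)  # record before replying, so the event is logged
        # Fake FTP banner: looks like a service, but nothing real is behind it.
        try:
            self.request.sendall(b"220 ftp service ready\r\n")
        except OSError:
            pass


class Honeypot:
    """Binds a listener that has no legitimate users, so every connection is a signal."""

    def __init__(self, host="127.0.0.1", port=0):
        socketserver.ThreadingTCPServer.allow_reuse_address = True
        self._server = socketserver.ThreadingTCPServer((host, port), _ProbeHandler)
        self._server.daemon_threads = True
        self._server.honeypot = self
        self._events = []
        self._lock = threading.Lock()
        self._thread = threading.Thread(target=self._server.serve_forever, daemon=True)

    @property
    def port(self):
        return self._server.server_address[1]  # port 0 above means "any free port"

    def start(self):
        self._thread.start()

    def stop(self):
        self._server.shutdown()
        self._server.server_close()

    def record(self, ev):
        with self._lock:
            self._events.append(ev)

    def events(self):
        with self._lock:
            return list(self._events)


def probe(port, payload: bytes, host="127.0.0.1") -> bytes:
    """Test client standing in for a scanner (constructed for the demo); returns the banner seen."""
    with socket.create_connection((host, port), timeout=2) as s:
        if payload:
            s.sendall(payload)
        return s.recv(64)


if __name__ == "__main__":
    hp = Honeypot()
    hp.start()
    probe(hp.port, b"USER admin\r\n")  # constructed login attempt
    probe(hp.port, b"")                # constructed connect-only scan
    hp.stop()
    for ev in hp.events():
        print(ev.ts, ev.src_ip, ev.src_port, classify(ev.first_bytes))
    print(summarize(hp.events()))
```

Run stand-alone it prints two tagged events from 127.0.0.1 and the per-source count. In a real deployment the listener would sit on an address that production systems never use, the events would be shipped to the SIEM, and any source that appears in `summarize` would be treated as hostile, which is exactly the "no production value" property slide 31 relies on.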
  • Slide 36: What are we responsible for? Organizational level
  • Slide 37: Recommendations
    1. Install patches fast
    2. Education: employee awareness
    3. Training
    4. Forensics process
    5. Strong authentication; segregation of duties
    6. Focus on behaviors inside your business: explore and analyze
  • Slide 38: Thanks for your patience and hope you enjoyed.