Security Trends and Predictions 2008 Dr Anton Chuvakin Chief Logging Evangelist LogLogic, Inc Mitigating Risk. Automating Compliance. CSO Summit Moscow, March 24-25, 2008

Who is Anton? Chief “Evangelist” @ LogLogic (San Jose, CA) Formerly Chief Security Strategist @ netForensics Book author : “Security Warrior”, “Hacker’s Challenge 3”, “PCI Compliance”, “Know Your Enemy 2”, “ISM” Presentations: SANS, CSI, FBI, USMA, CESG (UK) Involved with security standards: CEE, CVSS, OVAL Security blogger – www.securitywarrior.org

Chief “Evangelist” @ LogLogic (San Jose, CA)

Formerly Chief Security Strategist @ netForensics

Book author : “Security Warrior”, “Hacker’s Challenge 3”, “PCI Compliance”, “Know Your Enemy 2”, “ISM”

Presentations: SANS, CSI, FBI, USMA, CESG (UK)

Involved with security standards: CEE, CVSS, OVAL

Security blogger – www.securitywarrior.org

Today’s Outline Where is security now? How security got to where it is now? What will happen next? How will we deal with it?

Where is security now?

How security got to where it is now?

What will happen next?

How will we deal with it?

Key theme: Compliance and Security Why do you wear seat belts for fear of $50 fine, but do not wear them out of fear for your life?

Trends: 1990s Explosive global malware : Blaster, Slammer, ILoveYou Server exploits : IIS is a kind of Swiss cheese Hacking for fun and fame…mostly : system penetrations, DDoS “for fun” Buffer overflows everywhere Purchasing : Incident-driven (or F.U.D.-based)

Explosive global malware : Blaster, Slammer, ILoveYou

Server exploits : IIS is a kind of Swiss cheese

Hacking for fun and fame…mostly : system penetrations, DDoS “for fun”

Buffer overflows everywhere

Purchasing : Incident-driven (or F.U.D.-based)

Trends: Early 2000s Small circulation commercial malware , spyware (but lots of it!) Bots : “ industrial revolution ” in hacking Web and “Web 2.0” attacks Rapid rise of client-side attacks Hacking for money : Phishing, Spam, DDoS for ransom, etc Purchasing : Incident-driven + regulatory purchasing + some “best practices”

Small circulation commercial malware , spyware (but lots of it!)

Bots : “ industrial revolution ” in hacking

Web and “Web 2.0” attacks

Rapid rise of client-side attacks

Hacking for money : Phishing, Spam, DDoS for ransom, etc

Purchasing : Incident-driven + regulatory purchasing + some “best practices”

Trends: Late 2000s – Near Future Mobile malware? Cell/mobile phones, PDAs, New Technologies : VOIP, “Web 2.0”, etc More application and web application hacking: Attackers focus more on data , less on infrastructure Purchasing: Mostly regulatory + “best practices” + some incident-driven

Mobile malware? Cell/mobile phones, PDAs,

New Technologies : VOIP, “Web 2.0”, etc

More application and web application hacking:

Attackers focus more on data , less on infrastructure

Purchasing: Mostly regulatory + “best practices” + some incident-driven

Meet the Defenses of Today Anti-virus / anti-spyware Firewalls and “firewalling” network gear Network intrusion detection (IDS) Network intrusion prevention and UTM Host (mostly server) intrusion prevention Vulnerability scanners Encryption Multi-factor authentication Security awareness System hardening and patch management

Anti-virus / anti-spyware

Firewalls and “firewalling” network gear

Network intrusion detection (IDS)

Network intrusion prevention and UTM

Host (mostly server) intrusion prevention

Vulnerability scanners

Encryption

Multi-factor authentication

Security awareness

System hardening and patch management

A Question! But Do These Really Work?

But Do These Really Work?

Attacks vs Defenses? “ Security Is Just As Bad as It Can Be, but No Worse !” (Marcus Ranum) Q: So, Do Our Defenses Match the Attacks? A: We Don’t Know! Corollary: neither buyers nor sellers know …

“ Security Is Just As Bad as It Can Be, but No Worse !” (Marcus Ranum)

Q: So, Do Our Defenses Match the Attacks?

A: We Don’t Know!

Corollary: neither buyers nor sellers know …

Meet the Defenses of Tomorrow Best prediction: more of the same! More encryption (including bad !) everywhere Secure coding ? Code analysis tools? XML firewalls? VOIP defenses? HIPS NG with full behavior blocking Auditing Everything? Logs, Logs, Logs! Mobile anti-malware?

Best prediction: more of the same!

More encryption (including bad !) everywhere

Secure coding ? Code analysis tools?

XML firewalls? VOIP defenses?

HIPS NG with full behavior blocking

Auditing Everything? Logs, Logs, Logs!

Mobile anti-malware?

Meet the “Security Laws” of Today (US) Sarbanes – Oxley, GLBA, etc HIPAA, FISMA PCI DSS ISO2700x, ITIL, COBIT, etc Standards: CVSS, CEE, OVAL, etc Trend : control assurance , audit, proof of “due diligence”, documentation, processes, breach disclosure, privacy

Sarbanes – Oxley, GLBA, etc

HIPAA, FISMA

PCI DSS

ISO2700x, ITIL, COBIT, etc

Standards: CVSS, CEE, OVAL, etc

Trend : control assurance , audit, proof of “due diligence”, documentation, processes, breach disclosure, privacy

Meet the Security Laws of Tomorrow ? Trend : the rise and subsequent fall of the “checkbox security,” more data governance laws

?

Trend : the rise and subsequent fall of the “checkbox security,” more data governance laws

Predictions 2008: Platform security Windows 2008 makes us secure = no . Increase in Mac hacking = yes. Web application hacking still grows = yes 0days use becomes ‘normal’ = yes

Windows 2008 makes us secure = no .

Increase in Mac hacking = yes.

Web application hacking still grows = yes

0days use becomes ‘normal’ = yes

Predictions 2008

Predictions 2008

Predictions 2008: Hacking Loss of trust towards Internet sites = yes A massive data theft to dwarf TJX = yes Major utility/SCADA hack = no (not yet) Cyber-terrorism = no (again, not yet!)

Loss of trust towards Internet sites = yes

A massive data theft to dwarf TJX = yes

Major utility/SCADA hack = no (not yet)

Cyber-terrorism = no (again, not yet!)

Predictions 2008: Malware The year of mobile malware = no More fun bots = yes (bots are “evil IT automation”) Fewer worms and viruses = yes (why write one if you can make money off bots?) Facebook malware/malicious app = yes .

The year of mobile malware = no

More fun bots = yes (bots are “evil IT automation”)

Fewer worms and viruses = yes (why write one if you can make money off bots?)

Facebook malware/malicious app = yes .

Predictions 2008: Compliance and RM PCI DSS continues its march = yes . ISO17799, ITIL, COBIT frameworks = maybe Will we know what risk management actually is in IT security = no .

PCI DSS continues its march = yes .

ISO17799, ITIL, COBIT frameworks = maybe

Will we know what risk management actually is in IT security = no .

Predictions 2008: Security Defenses Full disk encryption becomes popular = no. More whitelisting for host and network security = yes (but combined with blacklisting) Secure coding becomes mainstream = no NAC adoption = some Academic security research stays ridiculous = yes

Full disk encryption becomes popular = no.

More whitelisting for host and network security = yes (but combined with blacklisting)

Secure coding becomes mainstream = no

NAC adoption = some

Academic security research stays ridiculous = yes

Final Thoughts Security is here not because of “TCP/IP” or Mr Bill G. It is here because of humans  New technologies -> new attacks -> new defenses: endless cycle Following “ checkbox security ” of the near future -> protected as much as the next guy -> get 0wned as much as him  Now go review your incident response plans!

Security is here not because of “TCP/IP” or Mr Bill G. It is here because of humans 

New technologies -> new attacks -> new defenses: endless cycle

Following “ checkbox security ” of the near future -> protected as much as the next guy -> get 0wned as much as him 

Now go review your incident response plans!

Thank You For Attending!!! Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA http://www.chuvakin.org Chief Logging Evangelist LogLogic, Inc Author of “Security Warrior” book (O’Reilly 2004) and “PCI Compliance (2008) – www.securitywarrior.org See www.info-secure.org for my papers, books, reviews and other security resources related to security and logs

Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA

http://www.chuvakin.org

Chief Logging Evangelist

LogLogic, Inc

Author of “Security Warrior” book (O’Reilly 2004) and “PCI Compliance (2008) – www.securitywarrior.org

See www.info-secure.org for my papers, books, reviews and other security resources related to security and logs

Thank You Q & A СПАСИБО ЗА ВНИМАНИЕ