Current Emerging Threats

Presentation given at UC Davis in June 2011, at a University of California-wide security conference.


Transcript

  • 1. Current and Emerging Security Threats Doug Nomura [email_address] June 16 2011
  • 2.  
  • 3. Confidential information has been removed from this slide.
  • 4.
    • We’ve only 45 minutes
    • This is a rapid overview
    • Questions and comments are welcome at the end
  • 5. Agenda
    • 2007 Predictions
    • Who and what
    • Recent hacks
    • Current threats
    • Mobile
    • Cloud
    • Future
  • 6. Doug’s IT Security Symposium 2007 Predictions
    • Mobile
    • Web 2.0
    • Quality of code
      • Robust programming
    • The use of security tools for bad purposes
  • 7. What are some categories of active Black Hats?
    • Rogue Hackers
    • Hacktivists
    • Organized groups
      • Criminal
      • State Sponsored
  • 8. What are some of their goals?
    • Political or Social statement
    • Prank or Practical joke
    • Information for financial gain
      • Intellectual Property
      • Personal Information
  • 9. What are some of the Current Threats?
    • SQL Injection
    • Cross Site Scripting (XSS)
    • Buffer Overflow
    • Passwords - DBMS
    • SSM (Sloppy Security Management)
    • Legacy Data
  • 10. SQL Injection “An Oldie but Goodie”
    • Recent known Hacks
      • Barracuda Networks, Sun, Mysql.com and Sony and Epsilon
    • Will continue to escalate
      • Easy to access tools
    • Easy to prevent
      • Parameterized queries
      • Stored Procedures
      • Least User privileges
    • Malware
  • 11. Cross Site Scripting (XSS)
    • Leading attack on websites
    • Notable Hacks
      • Twitter, Myspace, Facebook, Hotmail, Sony
    • Mitigation
      • owasp.org
    • Will continue to escalate
      • owasp.org
  • 12. Buffer Overflow
    • Notable exploits
      • Morris Worm, SQL Slammer
    • Many apps have been vulnerable
      • Adobe, Microsoft
    • Mitigation
      • https://www.owasp.org/index.php/Buffer_Overflow
      • See Matt Bishop’s Presentation
  • 13. Passwords for DBMS
    • Applicationsecurity.com
    • Blank/default
      • Number one
  • 14. The Takeaway...
    • Quality of the code
    • “Robust Programming” to quote Matt Bishop
  • 15. Sloppy Security Management
    • Outdated security software
    • Not following through on policies
      • Data breaches discovered months after the compromise: 40-60%
  • 16.  
  • 17.  
  • 18. Confidential information has been removed from this slide.
  • 19. Confidential information has been removed from this slide.
  • 20. Legacy Data
    • Deployment of significant legacy data
      • legal, research
    • Sensitive information redacted
    • ISO 27038 - Standards for digital redaction
  • 21. Legacy Data
    • Important information
    • Scanned documents
    • Protect yourself
  • 22. Redacted
  • 23. Not Redacted Confidential information has been removed from this slide.
  • 24. Not Redacted Confidential information has been removed from this slide.
  • 25. Malware
    • “...the release rate of malicious code and other unwanted programs may be exceeding that of legitimate software applications...” - Symantec Corp. in 2008
    • Reference: http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf
  • 26. Malware
    • “Malware has just posted its busiest quarter in history”
    • “McAfee Labs identified more than 6 million unique malware samples!” - McAfee, Inc. on the state of malware Q1 2011
    • Reference: http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2011.pdf
  • 27. Malware
    • Malicious code designed to attack networks, computers or files
    • Disruption and financial gain
    • Do it yourself kits
  • 28. Malware
    • Social Networking is a huge target
      • Facebook - Charlie Sheen
    • Files
      • PDF
    • Computers
      • United States is the number one target
      • Many computers are infected
        • Statistics on infected machines vary
  • 29. Social Engineering
    • Exploitation of trust or environment to gain information
    • Analog
      • “I need your password”
    • Digital
      • “I need your password”
  • 30. Social Engineering
    • Social Engineering made easy
      • Social Engineer’s Toolkit
  • 31. Recent Gmail Breach
  • 32. SET Clone
  • 33. Complacency Confidential information has been removed from this slide.
  • 34. Web 2.0
    • Example: Twitter, Facebook
    • Technical
    • Exploitation of code
    • Passwords
    • Passive enumeration
    • Users careless of information being broadcast
  • 35. Example of Passive Enumeration on Twitter
    • “Reminder: Moving sale at my house this Sunday. 123 Unknown Drive Silicon Valley” (9:26 AM Feb 10th, 2009 from web)
    • “is selling her Epson 9600 lg. format printer + lots of ink.” (3:00 PM Feb 2nd, 2009 from web)
  • 36. Cloud Computing
    • Insider threats
    • Breach at the interface
    • Easy to use for bad purposes
      • Botnet, password/keycracking/CAPTCHA solving farms
    • Account hijacking
      • Need better authentication/no shared creds
  • 37. Mobile Security
    • Mobile Malware
    • Social Engineering
    • The carriers
    • Loss and theft
      • “Hey, can I borrow your ______?”
  • 38. The Rise of the Crimekits
    • Source of dozens has been released
    • Expect an increase in attacks
  • 39. Directed Malware
    • MacDefender
    • Weyland-Yutani Bot
      • $1000
      • Linux
      • IOS
  • 40. Advanced Persistent Threat (APT)
    • Advanced
      • Lots of resources available
    • Persistent
      • Yes
    • Threat
      • Yes
  • 41. Advanced Persistent Threats
    • Organized and well financed
    • Tend to threaten governments and companies
    • Will become more sophisticated
      • Able to hire coders for lots of money
  • 42. Advanced Persistent Threat
  • 43. Looking Forward
    • Complacency
    • Crimekits
    • Mobile
    • Legacy hardware - redeployed
      • Routers, Firewalls
      • Infected firmware
  • 44. Conclusions
    • Majority of breaches are avoidable
    • Education about the threats is key
    • Complacency is a huge factor
      • IT
      • Users
    • Be diligent
  • 45. The End [email_address]