Dealing With Security Threats

  1. Dealing with security threats
     A more connected world than what you think…
     Ilias Chantzos, Director EMEA & APJ Government Relations
     Kenya, 9 March 2010

  2. Agenda
     • A bit about Symantec and where the information comes from
     • The current threat landscape
       – Threats to government and national security/CIIP
       – Threats to consumers
       – Examples
     • Anatomy of a security breach
     • Operationalising security

  3. Symantec Global Presence – Global Intelligence Network (GIN)
     • Attack activity: 240,000 sensors in 200+ countries
     • Malcode intelligence: 130M+ clients, servers and gateways
     • Vulnerabilities: 32,000+ vulnerabilities, 11,000 vendors, 72k technologies
     • Spam / phishing: 2.5M decoy accounts, 8B+ emails analyzed daily
     • 4 MSS Security Operations Centers, 11 Security Research Centers, 29 Global Support Centers (Government – Commercial – Consumer)
     Locations: Gothenburg, Sweden; Aschheim, Germany; Reading, Green Park, GBR; Wiesbaden, Germany; Calgary, Alberta, CA; Ratingen, Germany; Dublin, Ireland; Warsaw, Poland; Roseville, MN; Shannon, Ireland; Seattle, WA; Bloomfield Hills, MI; Toronto, CA; Zaltbommel, NLD; Springfield, OR; Englewood, CO; Brussels, Belgium; Milan, Italy; Newton/Waltham, MA; San Francisco, CA; Herndon, VA; Seoul, South Korea; Oak Brook, IL; Madrid, Spain; Beijing, China; Mountain View, CA; Alexandria, VA; Tokyo, Japan; Orem, UT; Cupertino, CA; Durham, NC; Dallas, TX; Atlanta, Georgia; Chengdu, China; Shanghai, China; Santa Monica, CA; Houston, TX; Heathrow, FL; Riyadh, Saudi Arabia; Dubai, UAE; San Luis Obispo, CA; Culver City, CA; Austin, Texas; Miami, FL; Taipei, Taiwan; Mumbai, India; Hong Kong, China; Mexico City, Mexico; Pune, India; Chennai, India; Singapore; Brisbane, Aus; São Paulo, Brazil; Sandton, South Africa; Sydney, Aus; Buenos Aires, Argentina; Melbourne, Aus

  4. How Likely Is It?
     • To be struck by lightning? 1 in 2.6M
     • To be bitten by a snake? 1 in 42M
     • To be in a car accident? 1 in 300
     • To be attacked online? 1 in 5

  5. The current threat landscape: Threats to Government and CIIP

  6. Malicious code is installed…
     • Over 60% of all malicious code detected by Symantec was discovered in 2008.
     • Over 90% of threats are threats to confidential information.

  7. Information is at risk
     • Majority of data breaches in Education (27%), followed by Government (20%) and Healthcare (15%).
     • More than half of breaches (57%) due to theft or loss, followed by insecure policy (21%).

  8. Threat Activity Trends – Malicious Activity
     • In 2008 the United States was the top country for malicious activity (raw numbers) with 23% of the overall proportion. China was ranked second with 9%.
     • As Internet and broadband use grows in certain countries, their share of malicious activity also grows.

  9. Governments Are Prime Targets
     • Data breach at federal government jobsite USAJobs.gov: "Certain contact and account data were taken, including user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data."
     • Government travel site GovTrip.gov users suffer malware attacks: "Hackers breached the site, then modified it to redirect users to a rogue URL that in turn directed attack code against their systems."
     • Defra website defaced using Wiki editing techniques: "Administrators … were forced to withdraw the page after it was defaced by more than 170 people over a frenzied few hours."
     • DoS attacks on Swedish police and official government website: "Shortly after police confiscated the group's servers, DoS attacks took the official government website and the Swedish national police site offline. The attacks were assumed to be a reprisal from disgruntled Pirate Bay users."

  10. Different threat scenarios
     • Collect intelligence on the infrastructure
       – To attack the infrastructure
       – To determine the location of valuable information
     • Collect intelligence
       – Capture and extract information
       – Intercept communications and ciphers
     • Disable the infrastructure
       – That you have already infiltrated
       – Directly attack it from outside
     • Collect OSINT
     • Conduct Psyops
     • Achieve information dominance by communicating your own message
  11. Causing problems to the navy

  12. Stopping the airforce

  13. Information leaking

  14. Using COTS to collect intelligence

  15. DDoS on Estonia – some stats
     • 128 unique DDoS attacks:
       – 115 ICMP floods
       – 4 TCP SYN floods
       – 9 generic traffic floods
     • Attack duration:
       – 17 attacks – less than 1 minute
       – 78 attacks – 1 minute to 1 hour
       – 16 attacks – 1 hour to 5 hours
       – 8 attacks – 5 hours to 9 hours
       – 7 attacks – 10 hours or more
     • Daily attack rate:
       – 03/05/2007 = 21
       – 04/05/2007 = 17
       – 08/05/2007 = 31
       – 09/05/2007 = 58
       – 11/05/2007 = 1
     • Peak saw traffic equivalent of 5000 clicks per second
     • Attacks stopped at midnight
     • Tactics shifted as weaknesses emerged
     • Swamped web sites associated with government ministries, banks, newspapers and broadcasters
     • Emergency services number disabled for at least 1 hour
     • Access was cut to sites outside of Estonia in order to keep local access available
     [Chart: Attack Intensity, 03/05/2007 to 11/05/2007]
     Source: ArborSert

  16. Cyber defense and shooting warfare
     • Why blow something up?
       – If you can use it to collect intelligence
       – If you can disable it when you want
       – If you can use it afterwards again
     • Russian attack in Georgia
       – Information/intelligence is power
       – Preceded by cyber attack
       – Psychological effect/operations
       – Information dominance
       – Propaganda

  17. Taking down the traffic grid

  18. Energy supply and distribution
     1999 SCADA failure in Bellingham, Washington: ¼ million gallons of gasoline

  19. Attacking the energy grid

  20. Collecting OSINT

  21. A Real And Present Danger
     Suddenly the blue screen of death has a different meaning…
     Food, water, energy – sea, air, road & rail traffic – IT & telecoms – finance – military

  22. Current and future trends
     • Hacking is for fortune, not for fame
     • Attackers become more sophisticated and well invested
     • Target is confidential information
     • Attack techniques increase in sophistication and stealth
       – Single-use malware
       – Evasion techniques (web and coding)
     • Increased sophistication of botnets
     • Virtual worlds and social engineering
     • Critical infrastructure protection dependent on Internet security
  23. Threats to consumers…

  24. Stolen information is sold
     • Credit card information (32%) and bank account credentials (19%) continue to be the most frequently advertised items.
     • The price range of credit cards remained consistent in 2008, ranging from $0.06 to $30 per card number.
     • Compromised email accounts can provide access to other confidential information and additional resources.

  25. Website compromise
     • Attackers locate and compromise a high-traffic site through a vulnerability specific to the site or in a Web application it hosts.
     • Once the site is compromised, attackers modify pages so malicious content is served to visitors.
     (Site-specific vulnerabilities; Web application vulnerabilities)

  26. Vulnerability Trends – Browser plug-in vulnerabilities
     • Vulnerabilities in Web browser plug-ins are frequently exploited to install malicious software.
     • Memory corruption vulnerabilities again made up the majority of vulnerability types in browser plug-in technologies for 2008, with 272 vulnerabilities classified as such.

  27. Vulnerability Trends – Unpatched vulnerabilities by vendor
     • In 2008, there were 112 unpatched vulnerabilities affecting enterprise-class vendors, compared to 144 in 2007.
     • Microsoft had the most, with a total of 46 unpatched vulnerabilities.
     • Of the 112 unpatched enterprise vulnerabilities, 37 were low severity, 71 were medium severity, and 4 were high severity.

  28. Malicious Code Trends – Types
     • Trojans made up 68 percent of the volume of the top 50 malicious code samples reported in 2008, a minor decrease from 69 percent in 2007.
     • Worms increased slightly from 26% in 2007 to 29% in 2008.
     • The percentage of back doors decreased from 21% to 15% in the current period.

  29. Malicious Code Trends – Propagation mechanisms
     • 66% of potential malicious code infections propagated as shared executable files, up significantly from 44% in 2007.
     • Malicious code using P2P file-sharing protocols declined from 17% in 2007 to 10% in 2008.

  30. Spam – Country of Origin
     • Over the past year, Symantec observed a 192 percent increase in spam detected across the Internet as a whole, from 119.6 billion messages in 2007 to 349.6 billion in 2008.
     • In 2008, bot networks were responsible for the distribution of approximately 90 percent of all spam email.
     • Russia, Turkey, and Brazil experienced significant increases in spam volume this year.

  31. Spam – Categories
     • Internet-related spam was the top category with 24%, followed by commercial product spam with 19%.
     • Financial spam remained relatively constant at 16%.

  32. An example of how users are exploited
     Diagram of the actors in a phishing operation: Phisher, Cashier, Spammer, Fraud Website, Egg Drop Server (+ Trojan horse), Bot-Herder, Phishing Messages, Victims
  33. Anatomy of a security breach

  34. Anatomy of a breach
     • Disruption of operations: large-scale DDoS attacks; defacing websites
     • Actors: Organized Criminal, Well-Meaning Insider, Malicious Insider
     • Malware outbreaks within the protected perimeter
     • Stealthy exfiltration or unintended loss of confidential data

  35. Well-Meaning Insider
     "Well-Meaning Insider" breach sources:
     1. Data on servers & desktops
     2. Lost/stolen laptops, mobile devices
     3. Email, Web mail, removable devices
     4. Third-party data loss incidents
     5. Business processes
     (Diagram: Hacker – Firewall – Desktop – Server – Employee)

  36. Targeted Attacks
     1. Incursion: attacker breaks in via targeted malware, improper credentials or SQL injection.
     2. Discovery: map the organization's systems; automatically find confidential data.
     3. Capture: access data on unprotected systems; install rootkits to capture network data.
     4. Exfiltration: confidential data sent to the hacker team in the clear, wrapped in encrypted packets or in zipped files with passwords.

  37. Malicious Insiders
     Malicious Insider: four types
     1. White collar criminals
     2. Terminated employees
     3. Career builders
     4. Industrial spies
     (Diagram: unhappy employee exfiltrating via home computer, IM, webmail, email, mobile device, CD/DVD, USB, across the firewall)

  38. Operationalising security…

  39. Establishing In-depth Defense
     • Future government capabilities are built on interconnected systems and effective information sharing.
     • Interconnected networks require in-depth, proactive and agile defense at the periphery and the endpoint of the infrastructure.
     • Traditional "bastion" security models do not effectively support such agile, interconnected networks and information.

  40. Collecting intelligence – Real-time situation awareness
     "What enables the wise sovereign and the good general to strike and conquer, and achieve things beyond the reach of ordinary men, is foreknowledge."
     Sun Tzu, The Art of War

  41. Conficker/Downadup – Cumulative
     Source: Conficker Working Group and Shadowserver

  42. How to Stop Security Breaches
     • Protect information proactively
     • Automate review of entitlements
     • Identify threats in real time
     • Integrate security operations
     • Prevent data exfiltration
     • Stop targeted attacks

  43. Thank you!
     Ilias_chantzos@symantec.com
     Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.