David Burg, Infosecurity.nl, 3 november, Jaarbeurs Utrecht

Current Cyber Threat Challenges


  1. Infosecurity.nl 2010: Current Cyber Threat Challenges, 3 November 2010, www.pwc.com
  2. Contents
     • Real threats in the real world
     • Targeting Sensitive Data with Commercial Value
     • Targeting Sensitive Data with Economic Value
     • Public-Private Partnership
     • Considerations as we go forward
  3. Real threats in the real world
  4. Risks we face
     • Significant threat profile, like never before in history;
     • Adversaries that are patient, meticulous, smart;
     • Sophisticated attackers hold access to environments, undetected for months, even years; and
     • Require new thinking related to how we protect and manage sensitive data.
  5. Threat Continuum (source and motivation)
     • Amateur attackers: thrill; bragging rights
     • Criminal groups (bot-network operators, phishers/spammers, malware authors, industrial spies/competitors): financial profit through fraud, blackmail, bot recruitment, use as a trusted launch pad for further infrastructure attacks, identity and intellectual property theft, and industrial espionage
     • "Insiders" (employees, business partners): retaliation; financial profit
     • Foreign state-sponsored agents: economic espionage; disruption of supply, communications, and economic infrastructures
  6. Common failures that enable the attackers
     1. Don't know where sensitive data is located;
     2. Don't properly utilize monitoring and investigative tools;
     3. Failure to address/shut down known security vulnerabilities; and
     4. Have suboptimal organizational design.
  7. Targeting Sensitive Data with Commercial Value
  8. Attack Diagram (image slide; no text)
  9. Hypothetical Attack Overview: Preparation and Reconnaissance
     (phases: Preparation and Reconnaissance, Initial Compromise, Expand Footprint, Execute Attack)
     Major activities:
     • Identify potential targets: use search engines and browse web sites to identify potential targets
     • Prepare tools: write custom applications and assemble publicly available tools to bypass antivirus
     • Identify initial entry point: test identified websites for SQL injection vulnerabilities to gain access to the target network
     Timeline: 13 days
     Impact:
     • Read/write access to database records
     • Administrative privileges to the database OS
     • Ability to initiate connections to other internal systems
     Countermeasures:
     • Recode web applications to accept a whitelist of characters and filter all unnecessary characters
     • Use unprivileged accounts for databases
     • Perform web application security assessments
  10. Hypothetical Attack Overview: Initial Compromise
     Major activities:
     • Information gathering: craft SQL queries to obtain database structure and contained data
     • Exploit database links: identify linked databases and search the databases for sensitive data or credit/debit card data
     • Upload tools through SQL injection: upload malicious tools to database servers to obtain the Domain Administrator password and target other systems
     Timeline: 12 days (preceded by the 13-day preparation phase)
     Impact:
     • Identified dozens of databases with sensitive personal or business data or credit/debit card data
     • Obtained Domain Administrator privileges
  11. Hypothetical Attack Overview: Expand Footprint
     Major activities:
     • Establish presence in environment: push a custom-developed network sniffer or other custom hacker tools onto dozens of systems to understand network topology and system traffic
     • Upload web-based tools: upload custom web pages to external web servers to perform command and control functions on tools on internal systems
     • Exfiltrate data: obtain target data
     • Locate business-critical hardware: identify the system (HSM) that creates encrypted PIN numbers
     Timeline: 3 days (preceded by phases of 13 and 12 days)
     Impact:
     • Attackers able to authenticate with privileged access to Windows systems
  12. Hypothetical Attack Overview: Execute Attack
     Major activities:
     • Initiate attack on HSM: obtain clear-text PIN numbers by attacking the HSM device; reverse engineer/decode sensitive encrypted data and/or gain control of the wire transfer authorization process
     • Manipulate financial account values: use custom web pages on external web servers to modify internal database values such as the balance and transaction limits to assist in financial fraud
     • Distribute compromised payment cards
     • Set up recipient accounts to obtain fraudulent proceeds
     Timeline: 4 days (preceded by phases of 13, 12 and 3 days)
     Impact:
     • Initiate unauthorized ATM withdrawals or transactions
     • Unauthorized ACH wires issued
  13. Targeting Data with Economic Value
  14. (image slide; no text)
  15. Public-Private Partnership
  16. Public-Private Partnership: examples across this continuum
     • Collaboration with law enforcement;
     • Collaboration with select corporate peers (Google example);
     • Collaboration among Financial Services in the US (FS-ISAC: hundreds of companies sharing information about critical threats to systems within the financial services sector);
     • Collaboration among industry (US Department of Defense); and
     • Collaboration to protect National Critical Infrastructure (US Department of Homeland Security).
  17. Considerations as we go forward
  18. Considerations as we go forward 1: Sensitive Data
     Key takeaways:
     • Inventory and prioritize sensitive data;
     • Include electronic communication as a key component of the definition of sensitive data; and
     • Enhance vigilance around the protection of these assets.
  19. Considerations as we go forward 2: Technical
     Key takeaways:
     • Increase visibility into live memory on user systems;
     • Increase vigilance on Domain Controller logs;
     • Increase focus on analysis of outbound traffic (look for large outbound RAR files);
     • Perform ongoing audits of key personnel (e.g., the M&A team): look for web-based mail logins from machines not normally used by the employee; and
     • Automate the above to minimize the human time commitment.
  20. Considerations as we go forward 3: Organizational
     Key takeaways:
     • Cyber security, and the CISO or equivalent, should be independent of IT and the CIO;
     • Cyber security should have deep insight into business operations to be effective: if the CEO is traveling outside the US, or if a 10-person team is working on a deal in Country X, cyber security should be aware; and
     • Applying cyber security based on business operations will likely require a broader perspective than most technically oriented people are capable of, making cyber security ripe for alignment under the CSO.
  21. PwC: who we are
     • PwC has more than 160,000 people in more than 150 countries. We focus on audit and assurance, tax and advisory services. We help our clients resolve complex issues and identify opportunities.
     • PwC is a leading provider of security advisory and assessment services. Our Global Security practice has more than 2,100 professionals helping our clients solve complex security challenges.
     • PwC was recognized by the Forrester Wave Vendor Summary as a leader in information security and IT risk consulting.
     • PwC has assisted Fortune 500 companies in responding to security breaches, including network and system forensics, containment, and remediation activities.
  22. Sincere thanks for your time.
     © 2010 PricewaterhouseCoopers LLP. All rights reserved. "PricewaterhouseCoopers" refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate legal entity. This proposal is protected under the copyright laws of the United States and other countries. This proposal contains information that is proprietary and confidential to PricewaterhouseCoopers LLP, and shall not be disclosed outside the recipient's company or duplicated, used or disclosed in whole or in part by the recipient for any purpose other than to evaluate this proposal. Any other use or disclosure in whole or in part of this information without the express written permission of PricewaterhouseCoopers LLP is prohibited.
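Two of the detection ideas from slide 19 (large outbound RAR files; webmail logins from machines a user does not normally use), worked through as an added example that is not part of the PwC deck. The log field layout, hostnames, per-user host baseline and the 50 MiB size threshold are all assumptions made for this illustration.

```python
# Added example, not from the PwC deck: the slide-19 outbound-RAR and
# unusual-host webmail checks run over constructed proxy-log lines.
# Field layout, hostnames, baseline and threshold are assumptions.

# Constructed sample log: timestamp user source_host destination bytes_out filename
PROXY_LOG = """\
2010-10-28T09:12:04 alice WS-ALICE mail.corp.example 1820 -
2010-10-28T11:40:31 alice WS-ALICE webmail.example.net 2210 -
2010-10-29T02:17:55 svc_backup DB-SRV-07 203.0.113.44 734003200 q3_dump.rar
2010-10-29T02:19:03 bob WS-BOB intranet.corp.example 5120 report.rar
2010-10-29T03:02:10 alice DB-SRV-07 webmail.example.net 1980 -
"""

# Assumed: external webmail domains, and the hosts each user normally works
# from (in practice built from a known-clean period; here constructed by hand).
WEBMAIL_HOSTS = {"webmail.example.net"}
BASELINE = {"alice": {"WS-ALICE"}, "bob": {"WS-BOB"}}
RAR_THRESHOLD = 50 * 1024 * 1024  # assumed cut-off for a "large" archive: 50 MiB


def parse(log):
    """Split each whitespace-delimited line into a dict of named fields."""
    events = []
    for line in log.splitlines():
        ts, user, host, dest, nbytes, fname = line.split()
        events.append({"ts": ts, "user": user, "host": host, "dest": dest,
                       "bytes": int(nbytes), "file": fname})
    return events


def large_rar_uploads(events, threshold=RAR_THRESHOLD):
    """Slide 19: a large outbound RAR archive suggests staged data leaving the network."""
    return [e for e in events
            if e["file"].lower().endswith(".rar") and e["bytes"] >= threshold]


def webmail_from_unusual_host(events, baseline=BASELINE):
    """Slide 19: webmail use from a machine the user does not normally work from."""
    return [e for e in events
            if e["dest"] in WEBMAIL_HOSTS
            and e["host"] not in baseline.get(e["user"], set())]


def findings(log=PROXY_LOG):
    """Run both checks and return (rar_hits, webmail_hits) for analyst review."""
    events = parse(log)
    return large_rar_uploads(events), webmail_from_unusual_host(events)
```

On the constructed sample, `findings()` flags the 700 MB `q3_dump.rar` leaving `DB-SRV-07` and alice's webmail session from that same server, while bob's small internal `report.rar` and alice's normal workstation webmail use pass. In practice the baseline should be rebuilt from a clean period and the threshold tuned to the environment.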