The document discusses the evolution of network security over time as networks have become more complex and connected. It describes how early networks were simpler but grew larger and became virtualized and located in multiple cloud environments. This trend of increased connectivity between all kinds of devices and systems from any location creates new security challenges. The document advocates for increased security automation through standards and highlights some recent cyber attacks to demonstrate ongoing threats. It suggests collaboratively sharing ideas and brainstorming as ways to improve network security defenses.

1. The Evolution of Network Security:
How Networks Are Still Getting Hacked
Omar Santos, PSIRT - Security Research and Operations
os@cisco.com
1

2. DO YOU REMEMBER?
2

3. … it was so easy “back in the day”…
3

4. SIMPLE NETWORKS
4

5. BECAME BIGGER 5

6. AND BIGGER 6

7. AND BIGGER 7

8. …and then we got “virtualized”
8

9. 9

10. 10

11. …and then we got “many clouds”
11

12. 12

13. 13

14. 14

15. …WHAT ELSE IS CHANGING?
15

16. social media
marketer big data
scientists
3 rd Degree Black Belt Security Ninja
Cyber Warrior
16

17. …we all know about BYOD
17

18. Modern workers—
particularly young
“Millennials”—want the
freedom to browse the web
not only when and how
they want to, but also with
the devices they choose.
18

19. …What ELSE?
19

20. EVERYTHING WILL BE CONNECTED
20

23. …the ANY to ANY dilemma:
• People to Machine
• Machine to Machine
• People to People
• From Any Device
• From Any Location
• At Any Time
• Data from Any Data Center
and from Any Cloud
23

24. …but in this new “trend” I am not only talking
about these
24

25. …but in this new “trend” I am not only talking
about these
25

26. 26

27. Meters pre-configured Objective Function DAO advertises IPv6
with Utility Network (SSID) Rank = Minimum ETX address of meter and
X.509 Cert, EUI-64 ID (pre-configured) parents
802.15.4 Rx Signal Meters only maintain
Strength Indicator used to default route to DODAG
qualify ETX root
DHCPv6 Client used for
address autoconfiguration
RPL in non-storing mode
DHCPv6 Relay function Root generates source
passes all requests to routes when needed
FAR (DODAG root)
DHCPv6 requests passed
to DHCP server
RPL run-time parameters
configured at DODAG root
using DIO message

28. 28

29. 29

30. 30

31. …AND THERE IS SDN
31

32. Basic Definitions
What Is Software Defined Network (SDN)? What Is OpenFlow?
“…In the SDN architecture, the control and data planes are “…open standard that enables researchers
decoupled, network intelligence and state are logically to run experimental protocols in campus networks. Provides
centralized, and the underlying network infrastructure is standard hook for researchers to run experiments, without
abstracted from the applications…” exposing internal working of vendor devices…”
Source: www.opennetworking.org Source: www.opennetworking.org
What is OpenStack? What is Overlay Network?
Opensource software for building public Overlay network is created on existing network infrastructure
and private Clouds; includes Compute (Nova), Networking (physical and/or virtual) using a network protocol. Examples of
(Quantum) and Storage (Swift) services. overlay network protocol are: MPLS, LISP, OTV and VXLAN
Source: www.openstack.org

33. In an SDN network, the controller could
potentially be seen as a single point of
failure risk for the network.
If the controller is attacked, the entire
network it controls is potentially at risk.
33

34. 34

35. 35

36. Cloud
Internet of Everything
Identity
Privacy
Social Media APT
Mobility BYOD
Advanced Malware
Big Data
Next Gen Data Centers Social Engineering
36

37. Video
Cloud Data Center
Consolidation
Service
Campus
Mobility/ Provider Virtualization
BYOD & Cloud
Branch Business Continuity
Security
Disaster Recovery
Data Center
CAPACITY COMPLEXITY COST
“Do I have the right “How do I simplify “How can I be operationally
performance to scale?” deployments?” efficient?”
The IT Management Challenge: “Is My Network Ready?

38. Video
Cloud Data Center
Consolidation
Service
Campus
Mobility/ Provider Virtualization
BYOD & Cloud
Branch Business Continuity
Security
Disaster Recovery
Data Center
CAPACITY COMPLEXITY COST
“Do I have the right “How do I simplify “How can I be operationally
performance to scale?” deployments?” efficient?”
The Security Staff Challenge: “Is My Network Secure?
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 38

39. Source: Cisco’s Annual Security Report
39

40. HOW CAN I BECOME MORE EFFICIENT
AUTOMATION?
40

41. Security Automation Evolution
The perception of the security automation evolution
Robust support for relevant
Security Automation standards to ensure multi-layer
interoperability / standards interoperability
CLOSED SOLUTIONS EVOLVING MATURITY MATURE IMPLEMENTATIONS
PAST FUTURE
WE ARE ABOUT HERE

42. Vulnerability Machine Readable Content
Cisco is committed to protect customers by sharing critical security-related
information in different formats.
OVAL: Cisco IOS Vulnerability Assessment Common Vulnerability Reporting
• Cisco PSIRT is including Open Vulnerability and Framework (CVRF)
Assessment Language (OVAL) definitions in • In addition to OVAL definitions, PSIRT is
Cisco IOS security advisories. also publishing CVRF content for all Cisco
• OVAL provides a structured and standard security advisories.
machine-readable content that allows • CVRF allows vendors to publish security
customers to quickly consume security advisories in an XML (machine-readable)
vulnerability information and identify affected format.
devices. • CVRF has been designed by the Industry
• OVAL can also be used to verify that the Consortium for Advancement of Security
patches or fixes that resolve such on the Internet (ICASI), of which Cisco is a
vulnerabilities were successfully installed. member and took a major role in its
• OVAL content can be downloaded from each development.
Cisco IOS security advisories

43. Top Android Malware Types
Android malware encounters grew 2,577%
over 2012
However, mobile malware only makes up a
small percentage of total web malware
encounters.
Source: Cisco’s Annual Security Report
43

44. Monthly Major Content Types
2012
Source: Cisco’s Annual Security Report
44

45. Exploit “Content Types”
2012
Source: Cisco’s Annual Security Report
45

46. http://eromang.zataz.com/uploads/oracle-java-exploits-0days-timeline.html 46

47. New or Old Attacks?
47

48. RED OCTOBER (aka ROCRA)
Large-scale cyber espionage campaign discovered by
researchers from Kaspersky Lab.
Very clever attacks that many are now claiming have been
taking place for more than five years!
Compared with other malware that has been associated with
cyber espionage such as Duqu, Flame, and Gauss.
http://blogs.cisco.com/security/red-october-in-january-the-cyber-espionage-era 48

49. RED OCTOBER (aka ROCRA)
Some of the Vulns:
CVE-2009-3129 -- Microsoft Office Excel Featheader Record Processing Arbitrary Code Execution
CVE-2010-3333 - Microsoft Office Rich Text Format Content Processing Buffer Overflow
CVE-2012-0158 - Microsoft MSCOMCTL.OCX ActiveX Control Remote Code Execution
CVE-2011-3544 - Oracle Java Applet Rhino Script Engine arbitrary code execution vulnerability
Network Device Configuration Harvesting
Malware contained a large list of hardcoded commonly-used SNMP community strings that were
used to attack infrastructure devices.
+ credential information collected from Word and Excel Documents on affected systems
49

50. Just one example: OPERATION ABABIL
Huge DDoS attack (volumetrics) campaign which was aimed at U.S.-based
financial institutions.
50

51. “Weaponization” of
Modern Evasion
Techniques
51

52. ANY GOOD NEWS?
WHY DID I COME TO THIS
TRIANGLE BDPA MEETING
52

53. Well, SPAM traffic went down
last year… Does that count?
53

54. It’s still a good tool for many
cybercriminals to expose
users to malware and
facilitate a wide range of
scams.
54

55. EVEN OUR VULN REPORT
DATABASES GET PWNED!
55

56. 56

57. Go Back!
We failed when we tried to fix
cyber security!
Cyber Security
57

58. SO HOW CAN WE IMPROVE?
58

59. Sharing Ideas & Brainstorming
59

60. THANK YOU!
60