Seminar: International Computer Security Day, "The Internet and the Paradoxes of Security Control"
Date: 30 November 2009
Auditorium - 4th floor, FIESP Building
São Paulo, SP
Presentation by Andrew Cushman, Microsoft's director of computer security incident response, at the seminar "The Internet and the Paradoxes of Security Control"
Computer Security Seminar - Presentation by Andrew Cushman
1. Securing Critical Infrastructures
Andrew Cushman
Sr. Director Security Strategy
Trustworthy Computing – Security
Trustworthy Infrastructure Programs and Policy
2. Intro – Who Am I?
• Joined Microsoft in 1990
• Worked on MSMoney, IIS, and now Security
• Previously Patch Tuesday & BlueHat
• Now focused on End to End Trust
[Org chart: Trustworthy Computing – Security Group. Box labels recovered from the slide: Security Engineering, Policy, Security Science & Response, Critical Infrastructure, Security Research Community, Software Integrity Engineering]
3. Agenda
• Traditional Critical Infrastructure Protection Definition
• The Evolving Risk Landscape
• Microsoft's
– Critical Infrastructure Protection Program
– Trustworthy Policy
– Resilient Operations
– Investments in Innovation
• Government Engagement Programs and Resources
4. Global Critical Infrastructure
Critical infrastructures are generally thought of as the key systems, services, and functions whose disruption or destruction would have a debilitating impact on public health and safety, commerce, and/or national security.
These include:
– Communications
– Energy
– Banking
– Transportation
– Public health and safety
– Essential government services
5. Critical Infrastructure
[Diagram: Critical Infrastructure – key physical and cyber systems, services, and functions; its reliance on IT leads to Cyber Security; Critical Cyber Systems – software, hardware, and services functioning as intended]
6. Users in the World Today
As of July 2008, 1,463,632,361 people worldwide use the Internet
Source: http://www.internetworldstats.com/stats.htm
7. Users are Changing
General Growth
• More than 250 million active users
• More than 120 million users log on to Facebook at least once each day
• More than two-thirds of Facebook users are outside of college
• The fastest growing demographic is those 35 years old and older
User Engagement
• Average user has 120 friends on the site
• More than 5 billion minutes are spent on Facebook each day (worldwide)
• More than 30 million users update their statuses at least once each day
• More than 8 million users become fans of Pages each day
Applications
• More than 1 billion photos uploaded to the site each month
• More than 10 million videos uploaded each month
• More than 1 billion pieces of content (web links, news stories, blog posts, notes, photos, etc.) shared each week
• More than 2.5 million events created each month
• More than 45 million active user groups exist on the site
International Growth
• More than 50 translations available on the site, with more than 40 in development
• About 70% of Facebook users are outside the United States
Platform
• More than one million developers and entrepreneurs from more than 180 countries
• Every month, more than 70% of Facebook users engage with Platform applications
• More than 350,000 active applications currently on Facebook Platform
• More than 200 applications have more than one million monthly active users
Mobile
• There are more than 30 million active users currently accessing Facebook through their mobile devices
• People that use Facebook on their mobile devices are almost 50% more active on Facebook than non-mobile users
• There are more than 150 mobile operators in 50 countries working to deploy and promote Facebook mobile products
8. Threats Facing Global Operations
Exponential Growth of IDs – Identity and access management challenging
[Chart: Number of Digital IDs (0 to 160,000) by era: mainframe (Pre-1980s), client/server (1980s), Internet (1990s), mobility (2000s); series B2C, B2E, B2B]
Increasingly Sophisticated Malware – Anti-malware alone is not sufficient
[Chart: Number of variants from over 7,000 malware families (1H07). Source: Microsoft Security Intelligence Report (January – June 2007)]
Crime On The Rise
[Chart of attacker motivation against skill level (Script-Kiddy, Amateur, Expert, Specialist): Curiosity (Vandal, Author), Personal Fame (Trespasser), Personal Gain (Thief), National Interest (Spy). Annotations: largest segment by $ spent on defense; largest area by $ lost; fastest growing segment; largest area by volume]
Attacks Getting More Sophisticated – Traditional defenses are inadequate
[Diagram of attacked layers: User, GUI, Applications, Drivers, O/S, Hardware, Physical]
Examples:
• Spyware
• Rootkits
• Application attacks
• Phishing/Social engineering
9. Malware in the World Today
[World map of malware infection rates]
Source: Microsoft Security Intelligence Report v6
10. Malware Infection Rates – Brasil MSRT Data
• Brazil heat map index (CCM) is 23.9, up 81.8% from 2H07
– i.e. 24 systems infected for every 1,000 systems MSRT executed on
• Worldwide average is 10.0 with 22.7% increase since 2H07

Lowest Infection Rates
Location            1H08   2H07   % Chg.
Japan               1.8    1.5    22.8
Rwanda              4.2    4.2    0.3
Austria             5.2    4.1    25.7
Germany             5.3    4.4    19.7
Finland             5.7    3.8    50.9
New Zealand         6.0    3.8    58.4
India               6.2    5.5    12.3
Malaysia            6.3    4.6    35.6
Latvia              6.3    5.1    22.9
Indonesia           6.4    6.9    -7.0
China               6.6    4.7    41.1
Uruguay             6.6    5.6    17.6
Denmark             6.8    4.9    38.7
Australia           6.9    4.9    41.7
Switzerland         6.9    5.5    26.4
Hong Kong SAR       7.0    6.1    15.1
Czech Republic      7.1    5.0    41.6
Italy               7.1    5.3    34.5
Ireland             7.3    5.3    36.4
Philippines         7.4    7.3    2.0
Belarus             7.6    7.1    7.0
Singapore           7.6    5.0    52.2
Sweden              7.6    6.1    25.3
Argentina           7.7    6.6    16.6
Netherlands         7.8    5.9    32.3

Highest Infection Rates
Location                                  1H08   2H07   % Chg.
Afghanistan                               76.4   58.8   29.9
Bahrain                                   29.2   28.2   3.4
Morocco                                   27.8   31.3   -11.4
Albania                                   25.4   30.7   -17.4
Mongolia                                  24.7   29.9   -17.6
Brazil                                    23.9   13.2   81.8
Iraq                                      23.6   23.8   -1.1
Dominican Republic                        23.2   24.5   -5.2
Egypt                                     22.5   24.3   -7.5
Saudi Arabia                              22.3   22.2   0.4
Tunisia                                   21.9   15.9   37.3
Turkey                                    21.9   25.9   -15.4
Jordan                                    21.6   20.4   5.5
Former Yugoslav Republic of Macedonia     21.1   16.3   29.8
Lebanon                                   20.2   20.6   -1.8
Yemen                                     20.1   17.7   13.7
Portugal                                  19.6   14.9   31.7
Algeria                                   19.5   22.2   -12.2
Libya                                     19.5   17.3   13.1
Mexico                                    17.3   14.8   17.0
United Arab Emirates                      17.3   18.2   -4.8
Monaco                                    17.0   13.7   23.7
Serbia                                    16.6   11.8   41.4
Bosnia and Herzegovina                    16.3   12.8   27.5
Jamaica                                   16.3   15.0   8.9
11. Malware Trends Around the Globe
[Pie charts of the leading malware categories for Germany, France, Norway, UK, Hungary, Italy, Russia, China and the US. Category labels recovered from the charts: Misc. Trojans (24.7%, 28.5%, 39.0%, 28.5%, 23.0%, 29.4%), Trojan Downloaders & Droppers (24.4%, 22.2%, 25.9%, 23.6%, 14.3%, 24.4%), Misc. Potentially Unwanted Software (20.8%, 23.3%, 32.5%), Other Trojans (19.6%), Worms (32.2%), Trojans (17.9%); the pairing of each value with its country is not recoverable from the extracted text]
12. Top Threats in Brasil
Disinfected Threats by Category in 1H08 – 1H08 Disinfected Machines in Brazil, by category
Category                         Infected computers   Share
Other Trojans                    1,294,084            58.6%
Worm                             246,470              11.2%
Other PUS                        185,305              8.4%
Adware                           181,405              8.2%
Trojan Downloader and Dropper    122,010              5.5%
Backdoor                         69,289               3.1%
Virus                            43,079               1.9%
PWS and Monitoring Tools         37,775               1.7%
Spyware                          9,705                0.4%
Exploit                          2,381                0.1%
All Other                        17,853               0.8%
13. Microsoft's Vision for Critical Infrastructure Protection
14. Infrastructure Protection
[Diagram: National Strategies, Directives/Policies, Policy Responses, Emergency Response Plans]
15. Complexity and Critical Infrastructures
[Diagram of interdependent infrastructures centred on the Policy Decision Maker]
Source: modified from "Guarding Our Future: Protecting Our Nation's Infrastructure", Toffler Associates 2008
16. CIP Continuum
• Outlines three distinct functions to create a critical infrastructure protection capability
• Emphasizes the importance of engaging with the private sector to effectively plan, manage, respond, and protect
• Guides the development of programs that can evolve in a dynamic environment
17. Trustworthy Plans and Policies
Policy Elements and Sample Statements
• Critical Infrastructure Importance: Critical information infrastructure (CII) provide the essential services that enable modern information societies and economies. Some CII support critical functions and essential services so vital that the incapacitation, exploitation, or destruction, through natural disaster, technological failure, accidents or intentional attacks could have a debilitating effect on national security and economic well-being.
• Critical Infrastructure Risks: A combination of all-hazards threats (e.g., natural disaster, technological failure, accidents or intentional attacks) and vulnerabilities, and the potential resulting debilitating effects on national security and economic well-being.
• CIP Resiliency Policy Goal/Statement: Prevent or minimize disruptions to critical information infrastructures, no matter the source, and thereby help to protect the people, the economy, essential human and government services, and national security. In the event disruptions do occur, they should be infrequent, of minimal duration, and manageable.
• Public-Private Partnerships: Implementing the National CIIP framework includes government entities as well as voluntary public-private partnerships involving corporate and nongovernmental organizations.
18. Trustworthy Plans and Policies – International Telecommunications Union
"A national approach to cybersecurity includes raising awareness about existing cyber risks, creating national structures to address cybersecurity, and establishing the necessary relationships that may be utilized to address events that occur. Assessing risk, implementing mitigation measures, and managing consequences are also part of a national cybersecurity program.
A good national cybersecurity program will help protect a nation's economy from disruption by contributing to continuity planning across sectors, protecting the information that is stored in information systems, preserving public confidence, maintaining national security, and ensuring public health and safety."
International Telecommunications Union, January 2008
Five Elements of a National Cyber Security Capability
• Developing a National Strategy for Cybersecurity
• Establishing National Government–Industry Collaboration
• Deterring Cybercrime
• Creating National Incident Management Capabilities
• Promoting a National Culture of Cybersecurity
19. Trustworthy Plans and Policies – European Union
"[…] ICT systems, services, networks and infrastructures […] form a vital part of European economy and society, either providing essential goods and services or constituting the underpinning platform of other critical infrastructures. They are typically regarded as critical information infrastructures (CIIs) as their disruption or destruction would have a serious impact on vital societal functions. Recent examples include the large-scale cyber-attacks targeting Estonia in 2007 and the breaks of transcontinental cables in 2008."
European Commission Communication on CIIP, Mar 2009
Challenge/Pillar – Action Plan
Preparedness and prevention
• Baseline of [CERT] capabilities and services for pan-European cooperation
• European Public Private Partnership for Resilience (EP3R)
• European Forum for information sharing between Member States
Detection and response
• European Information Sharing and Alert System (EISAS)
Mitigation and recovery
• National contingency planning and exercises
• Pan-European exercises on large-scale network security incidents
• Reinforced cooperation between National/Governmental CERTs
International cooperation
• Internet resilience and stability
• Global exercises on recovery and mitigation of large scale Internet incidents
Criteria for the ICT sector
• ICT sector specific criteria
20. Trustworthy Plans and Policies – United States
"The globally-interconnected digital information and communications infrastructure known as "cyberspace" underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security. This technology has transformed the global economy and connected people in ways never imagined. Yet, cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century. [...] It is the fundamental responsibility of our government to address strategic vulnerabilities in cyberspace and ensure that the United States and the world realize the full potential of the information technology revolution."
White House Cyberspace Policy Review, May 2009
Table 1: Near-Term Action Plan
1. Appoint a cybersecurity policy official responsible for coordinating the Nation's cybersecurity policies and activities; establish a strong NSC directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the NEC, to coordinate interagency development of cybersecurity-related strategy and policy.
2. Prepare for the President's approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes.
3. Designate cybersecurity as one of the President's key management priorities and establish performance metrics.
4. Designate a privacy and civil liberties official to the NSC cybersecurity directorate.
…..
10. Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.
21. Resilient Operations
[Diagram: Effective Operational and Strategic Risk Management shown as a cycle of Assess Risk, Manage Risk, Monitor and Detect, Respond and Recover, with Proactive Strategic Risk Management on one side and Operational Risk Management on the other]
22. Resilient Operations – Strategic Risk Management
• Optimizes limited resources to protect the most critical infrastructure
• Focuses on infrastructure objects
– Assets
– Locations
– Systems
– Functions
• Based on defined methodology strategies
– Bottom up
– Top-down
Microsoft CII Risk Management Methodology
1. Determine Risk Management Scope
2. Identify Critical Information Infrastructure Functions
3. Analyze Critical Function Value Chain and Interdependencies
4. Assess Critical Function Risk
5. Prioritize and Treat Critical Function Risk
23. Resilient Operations – Operational Risk Management
24. Resilient Operations – Critical Infrastructure Exercises
Value
• Builds Awareness
• Promotes Partnerships
• Improves Information-Sharing
• Identifies Preparedness Gaps
• Addresses Gaps through Collaboration
Microsoft's Critical Infrastructure Resiliency Exercise Guide
• A detailed, step-by-step, "how-to" process to plan, conduct, and learn from critical infrastructure exercises
• Suggestions for how to carry out each step in an exercise
• Background materials, references, templates, and PowerPoint briefings related to each step of the exercise process
25. Investments in Innovation
Practices
• Security Development Lifecycle (SDL)
• Risk Management Frameworks
• Exercise Guide
• SAFECode & ICASI
Programs
• Microsoft Active Protection Program (MAPP)
• Government Security Program
Research
• Botnet Mitigation
• Secure Internet Protocols
• Community Information Management
Education
• Security Intelligence Report
• Security Curriculum Guidance
26. Evolving Communications
[Diagram of Microsoft security communication channels: MSRC Blog, Advance Notification, Microsoft Security Response Alliance, Security Advisory, CSO Council, Microsoft Security Bulletin, MMPC Blog, Webcast, SVRD Blog, CSO Call, Microsoft Active Protections Program, SDL Blog]
27. Investments in Innovation – Developing Secure Software
• Dedicated to increasing trust in information and communications technology products and services through the advancement of proven software assurance methods
• Consists of six members (EMC, Juniper, Microsoft, Nokia, SAP, and Symantec)
• Co-chaired by Microsoft and Nokia
Three publications
• Software Assurance: An Overview of Current Industry Best Practices
• Fundamental Practices for Secure Software Design and Development
• The Software Supply Chain Integrity Framework: Defining Risks and Responsibilities for Securing Software in the Global Supply Chain
An International Advisory Board to guide global efforts
28. Investments in Innovation – Coordinating multi-vendor response
• Enhances the global security landscape by driving excellence and innovation in security response practices; and by enabling its members to proactively collaborate to analyze, mitigate, and resolve multi-vendor, global security challenges
• Made up of five companies currently (Cisco, IBM, Intel, Juniper, Microsoft)
Developing operational coordination and thought leadership products
• The Unified Security Incident Response Plan (USIRP)
• A new paper on security response planning with the working title of "Certainties for an Uncertain Future: Building Tomorrow's Security Response Today"
29. Shaping innovative CIP approaches
31. Security conferences
[World map of security conferences; names recovered from the slide: IT Underground, DIMVA, T2, CCC, What the Hack, BlackHat Europe, EUSec, Metricon, ShmooCon, HotSec, POC, PH-Neutral, Usenix, PacSec, HOPE, DeepSec, CanSecWest, BlackHat Japan, BlackHat DC, Hacktivity, Layer 1, RSA USA, XCon, VNSec, Hack.lu, ToorCon, SANS, HITB, BlackHat USA, BCS, PakCon, Security Opus, Defcon, G-Con, Identity Summit, SC&I, Congreso de Seguridad, H2H Conference, BlackHat Asia, KiwiCon, YSTS, FIRST, SyScan, AusCERT, BA-Con, Bellua Asia, RUXCON, ekoparty]