Infosecurity.nl 2010
Current Cyber Threat Challenges
3 November 2010
www.pwc.com
PwC
Contents
Real threats in the real world
Targeting Sensitive Data with Commercial Value
Targeting Sensitive Data with Economic Value
Public-Private Partnership
Considerations as we go forward
Real threats in the real world
Risks we face
• A threat profile more significant than at any earlier point;
• Adversaries who are patient, meticulous and smart;
• Sophisticated attackers who hold access to compromised environments, undetected, for months or even years; and
• The resulting need for new thinking about how we protect and manage sensitive data.
Threat Continuum (source of the threat, with its motivation)

Amateur attackers
  Motivation: thrill; bragging rights.

Criminal groups (bot-network operators, phishers/spammers, malware authors, industrial spies/competitors)
  Motivation: financial profit, through fraud, blackmail, bot recruitment, use of the victim as a trusted launch pad for further infrastructure attacks, identity and intellectual property theft, and industrial espionage.

"Insiders" (employees, business partners)
  Motivation: retaliation; financial profit.

Foreign state-sponsored agents
  Motivation: economic espionage; disruption of supply, communications and economic infrastructures.
Common failures that enable the attackers
1. Not knowing where sensitive data is located;
2. Not properly using the monitoring and investigative tools already in place;
3. Failing to address or shut down known security vulnerabilities; and
4. Suboptimal organizational design.
Targeting Sensitive Data with Commercial Value

Attack Diagram (figure; not reproduced in this text)
Hypothetical Attack Overview, phase 1: Preparation and Reconnaissance

Major activities
• Identify potential targets: use search engines and browse web sites to identify potential targets.
• Prepare tools: write custom applications and assemble publicly available tools so that they bypass antivirus.
• Identify the initial entry point: test the identified websites for SQL injection vulnerabilities that give access to the target network.

Timeline: 13 days

Impact
• Read/write access to database records;
• Administrative privileges on the database server's operating system; and
• Ability to initiate connections to other internal systems.

Countermeasures
• Recode web applications to accept only a white list of permitted characters and reject everything else (parameterized queries are the primary fix; input filtering on its own does not stop injection);
• Run databases, and the application's database connections, under unprivileged accounts; and
• Perform web application security assessments.
Hypothetical Attack Overview, phase 2: Initial Compromise

Major activities
• Information gathering: craft SQL queries through the injection point to obtain the database structure and the data it contains.
• Exploit database links: identify linked databases and search them for sensitive data or credit/debit card data.
• Upload tools through SQL injection: upload malicious tools to the database servers, obtain the Domain Administrator password and target other systems.

Timeline: 12 days (25 days cumulative)

Impact
• Dozens of databases identified containing sensitive personal or business data or credit/debit card data; and
• Domain Administrator privileges obtained.
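The entry point used in phases 1 and 2 above, as an added example that is not code from the deck: a lookup that concatenates untrusted input into SQL, the two UNION payloads that first map the schema and then pull card data from a table the application never queries, and the hardened version applying the phase 1 countermeasures (an allow-list on the input plus parameter binding). The schema, table names, rows and the account-id format are all constructed for the demo, and SQLite stands in for the target's database server.

```python
"""Added example: SQL-injection entry point from the hypothetical attack,
vulnerable lookup beside its hardened form. Schema and data are constructed."""
import re
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the target's customer database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE accounts (id TEXT PRIMARY KEY, name TEXT, balance INTEGER);
        CREATE TABLE cards (pan TEXT, expiry TEXT, account_id TEXT);
        INSERT INTO accounts VALUES ('A1001', 'Alice', 2500);
        INSERT INTO cards VALUES ('4111111111111111', '12/12', 'A1001');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, account_id: str) -> list:
    """Untrusted input is spliced into the statement text, so the caller
    controls the query itself, not just the value being compared."""
    sql = f"SELECT name, balance FROM accounts WHERE id = '{account_id}'"
    return conn.execute(sql).fetchall()


# Allow-list for the account id (assumed format: one letter, four digits).
ACCOUNT_ID = re.compile(r"[A-Z][0-9]{4}")


def lookup_hardened(conn: sqlite3.Connection, account_id: str) -> list:
    """Phase 1 countermeasures: reject anything outside the allow-list, and
    bind the value as a parameter so it can never become SQL syntax.
    With a server RDBMS the connection would additionally run as an
    unprivileged account that cannot read other schemas, reach linked
    servers or execute operating-system commands."""
    if not ACCOUNT_ID.fullmatch(account_id):
        raise ValueError("account id rejected by allow-list")
    return conn.execute(
        "SELECT name, balance FROM accounts WHERE id = ?", (account_id,)
    ).fetchall()


# Payloads of the kind phase 2 describes: first map the schema through the
# catalog table, then read card data from a table the application never
# queries. The trailing '--' comments out the closing quote.
SCHEMA_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master WHERE type='table' --"
CARDS_PAYLOAD = "x' UNION SELECT pan, expiry FROM cards --"

if __name__ == "__main__":
    db = build_demo_db()
    print(lookup_vulnerable(db, SCHEMA_PAYLOAD))  # table names and CREATE statements
    print(lookup_vulnerable(db, CARDS_PAYLOAD))   # card number and expiry
    print(lookup_hardened(db, "A1001"))           # the only row the app should return
```

The allow-list stops the payloads here, but it is the bound parameter that makes the query safe for any input; a looser allow-list (one that admits quotes, spaces or comment markers) would still be protected by the second line of defence.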
Hypothetical Attack Overview, phase 3: Expand Footprint

Major activities
• Establish presence in the environment: push a custom-developed network sniffer or other custom tools onto dozens of systems to learn the network topology and system traffic.
• Upload web-based tools: upload custom web pages to the external web servers and use them for command and control of the tools on internal systems.
• Exfiltrate data: obtain the target data.
• Locate business-critical hardware: identify the hardware security module (HSM) used to generate and encrypt PINs.

Timeline: 3 days (28 days cumulative)

Impact
• Attackers able to authenticate with privileged access to Windows systems.
Hypothetical Attack Overview, phase 4: Execute Attack

Major activities
• Initiate the attack on the HSM: obtain cleartext PINs by attacking the HSM (in practice by issuing commands to it from the compromised, privileged hosts that are authorized to talk to it), reverse-engineer or decode sensitive encrypted data, and/or gain control of the wire transfer authorization process.
• Manipulate financial account values: use the custom web pages on the external web servers to modify internal database values such as balances and transaction limits in support of the fraud.
• Distribute compromised payment cards.
• Set up recipient accounts to receive the fraudulent proceeds.

Timeline: 4 days (32 days cumulative)

Impact
• Unauthorized ATM withdrawals or transactions initiated; and
• Unauthorized ACH transfers and wires issued.
Targeting Sensitive Data with Economic Value

Public-Private Partnership
Public-Private Partnership: examples across this continuum
• Collaboration with law enforcement;
• Collaboration with select corporate peers (the Google example);
• Collaboration within the US financial services sector (FS-ISAC, where hundreds of companies share information about critical threats to systems in the sector);
• Collaboration among industry (US Department of Defense); and
• Collaboration to protect national critical infrastructure (US Department of Homeland Security).
Considerations as we go forward

1: Sensitive data
Key takeaways:
• Inventory and prioritize sensitive data;
• Include electronic communication as a key component of the definition of sensitive data; and
• Enhance vigilance around the protection of these assets.
2: Technical
Key takeaways:
• Increase visibility into live memory on user systems;
• Increase vigilance on Domain Controller logs;
• Increase focus on analysis of outbound traffic (for example, look for large outbound RAR files, bearing in mind that attackers rename and split archives, so inspect content and volume rather than file extensions alone);
• Perform ongoing audits of key personnel (e.g., the M&A team): look for web-based mail logins from machines the employee does not normally use; and
• Automate the above to minimize the human time commitment.
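Two of the detections above, as an added example that is not from the deck: flagging large or RAR-shaped outbound uploads in proxy logs, and flagging webmail logins by watched users from hosts outside their usual set. The log formats, host names, users, the 50 MiB threshold and the per-user host baseline are all constructed for the example; real proxy and webmail logs need their own field mapping.

```python
"""Added example: detection sketches for the 'Technical' takeaways above.
All log lines, host names, users and thresholds are constructed."""
from typing import Dict, Iterable, List, Set, Tuple

# RAR archive signatures: RAR 1.5-4.x and RAR 5. Checking content at the
# proxy or DLP sensor catches archives that were renamed to .bin or .jpg.
RAR_MAGIC = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
LARGE_UPLOAD = 50 * 1024 * 1024  # assumed 50 MiB threshold

# Constructed proxy log: time user src_host method dst_host path bytes_out
PROXY_LOG = [
    "2010-11-03T09:12:01 jdoe WS-0417 GET intranet.example.com /home 512",
    "2010-11-03T22:41:17 jdoe WS-0417 POST files.example.net /up/q3.rar 157286400",
    "2010-11-03T22:44:03 jdoe WS-0417 POST files.example.net /up/q3-part2.bin 98304000",
    "2010-11-03T10:05:44 asmith WS-0102 POST cdn.example.org /upload/photo.jpg 2048000",
]

# Constructed webmail authentication events: time user src_host result
WEBMAIL_LOG = [
    "2010-11-03T08:02:10 cfo WS-0001 OK",
    "2010-11-03T23:17:49 cfo SRV-DB07 OK",
    "2010-11-03T09:30:00 analyst WS-0210 OK",
    "2010-11-03T09:31:12 analyst WS-0999 FAIL",
]

# Hosts each watched user (e.g. the M&A team) normally logs in from; in
# practice learned with learn_baseline() over a clean historical window.
WATCHLIST_BASELINE: Dict[str, Set[str]] = {
    "cfo": {"WS-0001", "MOBILE-0001"},
    "analyst": {"WS-0210"},
}


def looks_like_rar(first_bytes: bytes) -> bool:
    """True if an upload body starts with a RAR signature."""
    return first_bytes.startswith(RAR_MAGIC)


def flag_large_or_rar_uploads(lines: Iterable[str], threshold: int = LARGE_UPLOAD
                              ) -> List[Tuple[str, str, str, int]]:
    """Return (user, src_host, url, bytes) for outbound POST/PUT requests that
    either carry a .rar name or exceed the size threshold."""
    alerts = []
    for line in lines:
        _ts, user, host, method, dst, path, size = line.split()
        nbytes = int(size)
        if method not in ("POST", "PUT"):
            continue
        if path.lower().endswith(".rar") or nbytes >= threshold:
            alerts.append((user, host, dst + path, nbytes))
    return alerts


def learn_baseline(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Build a per-user set of source hosts from successful historical logins."""
    baseline: Dict[str, Set[str]] = {}
    for line in lines:
        _ts, user, host, result = line.split()
        if result == "OK":
            baseline.setdefault(user, set()).add(host)
    return baseline


def flag_unusual_webmail_logins(lines: Iterable[str], baseline: Dict[str, Set[str]]
                                ) -> List[Tuple[str, str, str]]:
    """Return (time, user, src_host) for successful logins by watched users
    from hosts outside their baseline. Failed logins and unwatched users are
    ignored here; failed-login bursts belong to a separate rule."""
    alerts = []
    for line in lines:
        ts, user, host, result = line.split()
        if result != "OK" or user not in baseline:
            continue
        if host not in baseline[user]:
            alerts.append((ts, user, host))
    return alerts


if __name__ == "__main__":
    for alert in flag_large_or_rar_uploads(PROXY_LOG):
        print("possible exfiltration:", alert)
    for alert in flag_unusual_webmail_logins(WEBMAIL_LOG, WATCHLIST_BASELINE):
        print("webmail login from unfamiliar host:", alert)
```

The second upload in the sample carries a .bin name and is only caught by size, which is why the rule checks both; where the sensor can see request bodies, looks_like_rar() on the first bytes is the more reliable signal. The baseline must be learned from a window known to be clean, otherwise the attacker's host becomes part of the user's normal set.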
3: Organizational
Key takeaways:
• Cyber security, and the CISO or equivalent, should be independent of IT and the CIO;
• Cyber security needs deep insight into business operations to be effective: if the CEO is traveling outside the US, or a 10-person team is working on a deal in Country X, cyber security should know; and
• Applying cyber security on the basis of business operations will likely require a broader perspective than most technically oriented staff have, which makes cyber security ripe for alignment under the CSO.
PwC - Who we are
• PwC has more than 160,000 people in more than 150 countries. We focus on audit and assurance, tax and advisory services, helping our clients resolve complex issues and identify opportunities.
• PwC is a leading provider of security advisory and assessment services. Our Global Security practice has more than 2,100 professionals helping our clients solve complex security challenges.
• PwC was recognized in the Forrester Wave vendor summary as a leader in information security and IT risk consulting.
• PwC has assisted Fortune 500 companies in responding to security breaches, including network and system forensics, containment and remediation.
Sincere thanks for your time.
© 2010 PricewaterhouseCoopers LLP. All rights reserved. "PricewaterhouseCoopers" refers to PricewaterhouseCoopers LLP, a Delaware limited liability
partnership, or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate legal
entity. This proposal is protected under the copyright laws of the United States and other countries. This proposal contains information that is proprietary and
confidential to PricewaterhouseCoopers LLP, and shall not be disclosed outside the recipient's company or duplicated, used or disclosed in whole or in part by
the recipient for any purpose other than to evaluate this proposal. Any other use or disclosure in whole or in part of this information without the express written
permission of PricewaterhouseCoopers LLP is prohibited.

David Burg, Infosecurity.nl, 3 November 2010, Jaarbeurs Utrecht
