This document summarizes an information security presentation about emerging threats to infrastructure. It discusses growing malware threats, how attacks are carried out through social engineering and exploiting vulnerabilities, and advanced persistent threats targeting critical systems. It emphasizes that compliance does not equal security and organizations must focus on proactive security practices like patching, user awareness training, and incident response planning to defend against sophisticated attacks.

1. Emerging Threats to InfrastructureJorge OrchillesSecurity AnalystNorth Florida ISACA

2. About Your SpeakerInformation Technology for over 7 years

3. Security Operations Center Analyst – Terremark Worldwide, Inc (NASDAQ: TMRK)

4. Consultant by night – Orchilles Consulting

5. Master of Science in Management Information Systems – Florida International University

6. Author – Microsoft Windows 7 Administrator’s Reference (Syngress)

7. Certifications – GCIH, CCDA, CSSDS, MCTS, MCP, Security+

8. Organizations:

9. VP of South Florida ISSA

10. Hack Miami

11. OWASP

12. InfraGard

13. Miami Electronic Crimes Task ForceAbout TerremarkLeading global provider of managed IT servicesColocationNetwork & ConnectivityManaged HostingCloud ComputingInformation SecurityData Services & Disaster RecoveryAccess to more than 160 global network carriersVMware Service Provider of the Year 2009

14. NAP of the Americas750,000 square foot purpose-built data centerGlobal connectivity from >160 carriers100% SLAs on power and environmentalsHome to critical Internet infrastructure

16. Security Operations Center (SOC)24/7 monitoringIDS/IPSLog AggregationNetwork Analysis/ Deep Packet InspectionManaged FirewallNetwork ForensicsDB MonitoringScanningFile integrity monitoringCompliance reporting

17. Industry ReportsSANS Top Cyber Security Threats – September 2009Verizon Business 2009 Data Breach Study – April 2009Symantec State of Security Report – 2010US CertSANS Internet Storm Center – http://isc.sans.org/

18. News and Media Resources:Data Loss Database - http://datalossdb.org/PrivacyRights.orgSome that were reported:Heartland Payment Systems (130+ million – 1/2009)Oklahoma Dept of Human Service (1 million – 4/2009)University of California (160,000 – 5/2009)Network Solutions (573,000 – 7/2009)U.S. Military Veterans Administration (76 million – 10/2009)BlueCross BlueShield of Tennessee (187,000 – 10/2009)Google (1/2010)Many others?

19. AgendaKnow your enemyWho is your enemy?What are they after?How are they attacking?Know yourselfWhat are you defending?Who are you defending?How do we defend?It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle. – Sun Tzu

20. Know your enemy

21. Who is attacking?Organized Crime

22. Well Meaning Insider

23. Malicious Insider

24. Script KiddiesAttacker Motivation (botnets)Storm(Botnet)2007Srizbi(Botnet)2007Rustock(Botnet)2007Kracken(Botnet)2008Vandalism and publicity“Hacktivism”Attack RiskFinancially motivatedNimda(Installed Trojan)2001CodeRed(Defacing IIS web servers)2001Slammer(Attacking SQL websites)2003Agobot(DoS Botnet)Republican website DoS2004Estonia’s Web SitesDoS2007Georgia Web sitesDoS2008July 2009 Cyber AttacksUS & KoreaBlaster(Attacking Microsoft web site)2003200920012005

25. From where are they attacking?

26. What are they after? What are we defending?

27. Know yourselfUsers

28. They are going to click on EVERYTHING

29. On a mission to explore the entire Internet.

30. The Internet is so massively big and EVIL!Security is not a major concernThey never get in trouble“It was just a pop-up”They “think” they know when they are being attacked

31. Anatomy of an AttackReconnaissanceSocial NetworksJob PostingsScanningTargeted against usersSpear PhishingSpamSocial NetworksExploiting – initial intrusion into networkMaintaining Access Establish backdoor – outbound connectionObtain user credentialsInstall various malwarePrivilege escalation/ Lateral Movement/ Data ExfiltrationErase tracks

32. How are they attacking?Application vulnerabilities exceed OS vulnerabilitiesAdobe Reader 0 daysAdobe Flash 0 daysApple QuickTimeMicrosoft OfficeGrowing Malware

33. Growing Malware ThreatNew threats per day: ~30,000New signatures per day:~3,500Total as of September 1, 2009: 2,739,919Signature based Anti-Virus and IDS will not catch it all!

34. How are they attacking?Professionally targeted to weakest links

35. Poorly configured Web servers

36. Vulnerable publishing platforms

37. Un-patched Internet-facing databases

38. Obfuscated JavaScript code inserted on hacked Web pages

39. Redirects to remote server hosting exploits

40. Serves custom malware based on Windows OS version, browser version, patch level, vulnerable third party apps

41. Fires exploits simultaneously at IE, WinZip, Java, QuickTime, ActiveX controls, even Firefox … until exploit hits target

42. Payload: Backdoor Trojans, password stealers, banker Trojans, spam bots

43. This is the work of highly skilled, well-organized cyber criminalsA Facebook Attack In ActionNet-Worm.Win32.KoobfaceCreated in July 2008

44. Variants still squirming in 2009Net-worm that exploits trust on Facebook and Myspace

45. Live DemoAttacker – BackTrack 4 LiveCD and SETPerform recon on company to obtain email address of ISACA presentation participantCreate malicious PDF file and configure it to call attacker when opened.Email ISACA presentation participantVictimRunning Windows XP Federal Desktop Core Configuration with all Windows Updates and Anti-Virus signaturesRunning Adobe Reader 9.0 latest version is 9.3.0User is very conscience about security and does not open files from people he/she does not know.Will open ISACA presentation because it has very valuable materialPray to demo gods!

46. How do we let this happening?Lack of user awarenessPoorly protected infrastructurePatch everything, not just OS but applicationsPoorly protected dataPoorly enforced IT/Security PolicySecurity tools deployed don’t just work

47. What is Advanced Persistent Threat? Term coined by U.S. Air Force for Chinese Related IntrusionsAttacks conducted by well funded and organized groupsProfessionals not script kiddies!MotivationEconomic, Financial, and Political against US government and commercial entitiesTargeted attacksCustom MalwareConstant AggressorNetwork OccupationPersistent Access to networkThis is not new! Over 5 years seeing this activity!

48. Why is APT Successful? Victims and targets are not aware of these attacksGood that Google disclosed?Information Security Defenses Don’t Work!APT evades:Anti-Virus signaturesIDS signaturesNetwork appliances (firewall, IPS, etc)Security Operations?APT remains undetected once inside the network!

49. Case Study: Heartland They were PCI Compliant!~ 130 million credit cards compromisedNotified by 3rd party!Attackers had persistent long-term accessPossible initial entrance through WEP or even open Wireless Access Point.Used targeted (custom) malware to propagateThey were PCI Compliant!!Why was the only “early indicator” the resulting fraud? -Anton Chuvakin

50. Compliance ≠ SecurityBlame TrustWave?No way! Not fair to TrustWave!Was compliance or PCI designed to make systems secure?Is that even possible?Although Compliance is not Security are more companies more secure now because of compliance?Is this even a compliance issue?

51. The Challenge!Are you willing to be proactive about security?Ask these 5 key questions:What data is being collected, transacted on, transmitted, or stored, and for what purpose?How are authentication and authorization being accomplished?What are the communications channels between each component of the system and do they cross any network boundaries?Does the solution involve: an Application Service Provider, data in the Cloud, an externally facing service?Are there any regulatory laws, statutes, and/or compliance that must be met?

52. You can make a difference!Think architecturally about securityFollow Project Life Cycle processAsk the 5 key questions on all projectsEnsure implementation of requirementsGrow your security knowledgeEvangelize information security in your area

53. Tips for Computer use at HomeSeparate computer for online bankingSeparate compute for the kidsSet strong administrator passwordsUse a second limited user accountTurn the computer off when not using itApply operating system AND application patchesDon’t use wireless for online bankingUse a strong password for online banking accounts and do not use this password ANYWHERE else

54. ConclusionYou will get compromised!Plan accordingly – incident response planningFocus on securing the data and the access to itSecure the user environmentPatch OS and applications User awareness trainingNot just a form to signTest the users!

55. Questions?Jorge Orchillesjorchilles@terremark.comTwitter: jorgeorchilleshttp://www.orchilles.comPodcast: SMBMinute.com