3. Defining Year of Security
● More than 4 billion records were leaked in 2016
– More than the combined total from the 2 past years
– But...
– 12% decrease in attacks in 2016 compared to 2015
– 48% decrease in security incidents in 2016
compared to 2015
4. Huge Impact on Real World
● Panama Paper
– Prime Minister of Iceland stepped down
● Hillary Clinton email controversy
– President Trump
● Ukraine's power outage
– Took place during an ongoing Russian-Ukrainian war
– BlackEnergy3 is used by Sandworm team
● First bank ATMs cashed out
– Thailand and Europe
5.
6. ● Phishing
– First step to attack
● Malware
– Ransomware
● SQL Injection (SQLi)
– Yahoo / Linkedin / Dropbox leak
● Distributed Denial of Service (DDoS)
– Not long ago, 100Gbps attacks were unprecedented
– But...
– DNS provider, Dyn was attacked by Mirai botnet
– France-based hosting provider OVH was hit by 1Tbps DDoS attack, Dec 2016
– 650Gbps DDoS attach from Leet botnet
– China Great Cannon
● Undisclosed
– Exploits that do not yet have defined signature or cannot be remediated by a software patch
7. ● Among malicious attachment to spam, ransomware accounted
for the vast majority – 85%
● Hollywood hospital pays 40 bitcons to unlock encrypted files
8. Record Numbers of Vulnerability
disclosures
● Web application vulnerability disclosures
made up 22% of the total in 2016
9. Top Attack Types
● Inject unexpected items
– SQLi, OS CMDi
● Manipulate data structures
– Buffer overflow
● Indicator
– Either an attempted or a successful attack
● Employ probabilistic techiques
– Brute-force password attack
●
Engage in deceptive interaction
– Phishing
11. High-Level Trend
● Slow and steady wins the race
● Cyber gangs sharpen the focus on business
accounts
● Commercial malware making the rounds
● Venturing into additional cybercrime realms
13. OWASP
● Open Web Application Security Project
● Free and open software security community
● OWASPBWA
– Broken Web Applications produces a virtual
machine running a variety of applications with
known vulnerabilities
– https://sourceforge.net/projects/owaspbwa/files/