Transcript 1 - ICTWeek.uz

Countermeasures for Recent Attack Trends
I. Recent Attack Trends
II. Countermeasures
2016. 9. 22
Copyright © LG CNS
It is strictly prohibited to copy, distribute, or use this document, in part or in whole, without the prior consent of LG CNS
I. Recent Attack Trends
1. Changing Trends of Cyber Attack
How have cyber attacks been evolved in recent?
① Increase of crime-type and intelligent personalized attack :
Ransomware1), APT2)
② Easier hacking due to the black market activation
③ Attacks in targeting certain individuals, companies, and the national
④ Emergence of the new type attacks : Cloud, IoT Devices
⑤ Physical damage caused by cyber attacks on life, equipment, etc.
1) Ransomware : Ransom + Software, attacks requiring money for decrypting after encrypting information in files
2) APT(Advanced Persistent Threat) : Sophisticated forms of cyber-attacks combining various techniques utilizing the collected information for a specific
long-term for certain targets
1 / 12
I. Recent Attack Trends
2. Increase of crime and intelligent attack
① Increase of APT Attack
Intelligent Continuous Targeting Attack … APT
Invasion
Search
Collection
APT Major Incidents Case
Leakage
 NH Network Attack (’11-Apr)
• Paralysis due to deleting data
in server (lasting 18 days)
Malware
infection in
vendor’s
operating pc
 3ㆍ20 Cyber Terror (’13-Mar)
Step
• Business paralysis due to
deleting data in server and
PCs of main broadcasters and
financial institutes
Description
1
Infect vulnerable systems with malware
2
Plan next step after getting IT infra
information
3
Collecting data after occupying important
server and getting control
4
External transfer of collected data or
destroy system operation
 Enterprise Companies /
Public Bodies Hacking (’16-Jun)
• Information leakage using SW
weakness
2 / 12
Spread
malicious code
through
vaccine server
Spread
malicious code
through asset
management
SW
I. Recent Attack Trends
2. Increase of crime and intelligent attack
② Increase of Ransomware
My information as ransom … Ransomware
Major Incidents Case of Ransomware
 Client Ransomware Incident (’15-Apr)
• Distribution of ransomware after hacking Ad
server of IT community site “Clien”
 PPOMPPU Ransomware Incident (’16-Jun)
• Spreading malicious code inserted in
community site for the IT equipment sales
and promotional advertisement
‘Ransomware’ Hacking Spread
• Increased attacks requiring money for decrypting
after encrypting computer files
• Expansion through internet community such as
“Clien”, “PPOMPPU”
 Immediate infection when users using
vulnerable OS & web browser to access web
site.
• Step : 1. Infection => 2. Encryption / Restriction
=> 3. Requiring Money
 Vast damage due to access to company pc by
IT staff
3 / 12
I. Recent Attack Trends
3. Black market activation
Anyone can hack easily by using various kinds of hacking tools and hacking knowledge sharing
over the Internet.
Hacking Ad on Web Board
DDoS Attack Tool Sales Site
4 / 12
I. Recent Attack Trends
4. Attacks in targeting
Attacks in targeting certain individuals, companies, and the national are increasing.
Major Case in Korea (’13 6.25 Cyber Terror)
1
Increase of Hacktivism
Hacktivism = Hacker + Activism
Falsification of The Blue House
 Using vulnerability of file
upload in home page
 Estimated to be
preparing a long period
of time
2
Major Government Site Shut Down
• Invading Indonesian government network and
shutting down servers by Portugal hackers to aim
independence of East Timor
 Using the way to attack through malicious
script installed in web site
3
• After rejecting the request for closing Ashley
Madison which encourages extra marital affairs,
hackers have posted on the internet the personal
data of some 32 million.
Data Spill (with home page falsification)
 Saenuri Party Members : about 2.5 million
 Military Personnel : about 0.3 million
5 / 12
I. Recent Attack Trends
5. New type attacks
IoT device is emerging as a target of cyber attacks, and the attack is getting diversified as IoT
devices are increasing.
Device, Fetch / Update Difficulty
Used by Infection Route for Malicious Code
• Finding Iron
Hacking Tool
– ’13-Oct.
Security Defenseless
• Kettle Hacking Tool after Iron – ’13-Nov.
Free Wi-Fi
• ‘Vulnerability' Wi-FI, Defenseless against Hacking
– ’15-March
• Malicious Code
Infection during
charging electronic
cigarette
– ’14-Nov.
• Security comprehensive countermeasures
KISA
Manufacturer
ISP
User
providing security weakness
Fetch / Update
Fetch / Update
6 / 12
I. Recent Attack Trends
6. Physical damage caused by cyber attacks
Through attacks on cars, building control equipment, factory automation equipment, medical
equipment, etc. it is possible to affect life circumstances.
Areas that hackers recently like
• Can control cars with only 15$ ‘Hacking Board’
- ’14-Feb.
• ‘Drone Hacking’, hijacking – ’15-Apr
Target
for
Attack
Attack
using
Drone
• Hacking a moving car ‘Control in my mind’ – ’15Jul - GM ‘Grand Cherokee’
• Drone ‘Hacking’ available for wireless network
- ’15-Aug
• Tesla Vehicle, Vulnerable to hacking – ’15-Aug
7 / 12
II. Countermeasures
1. Overview
To respond to intelligent cyber attack, there need activities for improving security awareness
among members in parallel with minimizing security vulnerability, enhancing cyber attack
detection system, and reinforcing account and access control.
Minimize security vulnerability
Reinforce access control


Apply development security system
- Diagnose web / app / device, etc.


Block operator PC from internet
- Apply net segmentation (logical/physical)

Apply prompt security patch (OS & S/W)

Construct backup & recovery system(DR)

Keep updated vaccine pattern and
Block harmful website

Reinforce account/password management

Reinforce access control / certification

Train and secure manpower for information
security

Familiarize activities for information security
- Regular training for improving awareness
- Simulation training for responding security
accident

Enhance diagnosis and surveillance system
Response
System



Enhance security control and monitoring
(Detect and block Zombie PC)
Introduce anomaly analysis system
(analyze user/malignant code)
Improve security awareness
Enhance cyber attack detection
8 / 12
II. Countermeasures
2. Security Process for Development
When developing new system or changing system, security vulnerability should be minimized by
applying security process for development which composes of secure coding training, checking
source code vulnerability, peer review, etc.
 Needs of Security Process for Development
 Security Process for Development
Start
1. Response to a new kind of vulnerability and
hacking techniques during development
2. Response to continuous change of program
- Program change during operation
- Developing temporary page
3. Configuration change during operation :
Version up, fault or error, etc.
Security
Organization
Deciding
Inspection
Target
P
R
O
Developing
C
E Development (Secure
Coding
S Organization
Training)
S
Potential vulnerability and
hacking risk are increasing
as time passes.
Source
Inspection
vulnerability
Organization
diagnosis
9 / 12
End
Acceptance
Test
Action on
Weakness
Third Party
Diagnosis
(Simulation
Hacking)
Inspecting
Execution
II. Countermeasures
3. Network segmentation
Network segmentation is becoming increasingly necessary as the threats of data theft and
attacks on critical systems such as APT continue to grow. Either physical or logical segmentation
with the technology of virtualization can be adoptable for network segmentation.
 Needs
To prevent data theft
 Methods
 Physical segmentation
• Prevent data theft and attacks through
internet by segmentation between trusted and
untrusted network area.
To prevent APT attacks
• Separate network physically
trusted network area.
between trusted and un
• Method : 2 computers (each connected separated
network) per an operator w/ a KVM switch.
 Logical segmentation
• Separate network logically by virtualization
• Minimize spreading malicious code by network
segmentation. Attacks such as APT through
internet cannot affect to the trusted network.
• Methods
Type
Description
Remark
• Multiple OS
PC
Implement
• Apply solution
virtualiza virtualization on each
for
tion
PC
virtualization
 To support Compliance
• Comply regulations such as “Korea Information
Communications Network Act”. PC which can
access individual data have to have a isolated
network from the internet by the Act.
Server Generate computers • Normal PC
virtualiza from a server with
• Zero Client
tion
VDI technology
10 / 12
II. Countermeasures
4. Enhanced Security Detection System for APT Attack
It is possible to rapidly detect new malware infection PC, which is the main cause for recent
cyber attack, by deploying detection and response system for unknown malware.
 APT Detection System
Malicious Code
Blocking
Malicious Code
Internal N/W
Area
Internet
Detecting
Zombie PC
N/W Forensic
1 Monitoring Malware Infection PC
2
• Monitoring and Analyzing Malicious
Code
• Tracking Infection PC
• Detecting Zero-Day Malicious Code
by analyzing behavior through
virtualization technology
Network Forensic
• Detailed analysis of invasion
accident signs and abnormal
traffic
11 / 12
Infection PCs
with Malicious Code
3
Malicious Code Blocking
• Blocking flow of malicious code and
controlling web traffic
• Blocking flow from messenger, P2P,
etc.
Better if there were a cure-all ...

Prevention : Exercise, Eating Habits,

Prevention : Train/Promotion, Continuous
Fetch/Update …
Stop smoking/drinking …

Detection : Checkup

Detection : Security Control, Monitoring …

Action : Medicine, Surgery, Injection ...

Action : Access Control, Account Management …
12 / 12
Q&A
[email protected]
- 13 / 11 -