SECURITY 2010
BREACHES AND MALWARE AND PHISH (OH, MY!)
Kathleen R. Kimball, MS, CISSP, CISM
Senior Director, Security Operations & Services
Information Technology Services
[email protected]; (814) 863-9533
March 1, 2011
AGENDA
• Security 2010 Globally
• Security 2010 at Penn State (both Negative and
Positive)
• Summary
• Questions
Penn State is subject to global trends in (in)security…
WEB-BASED SECURITY THREATS
SOBERING NUMBERS
• From Websense Security Labs 2010 Threat Report:
  • A 111.4% increase in the number of malicious Web sites from 2009 to 2010
  • 79.9% of malicious Web sites were compromised legitimate sites
  • 52% of data-stealing attacks were conducted over the Web
  • 84.3% of all e-mail was spam
  • Searching the Web for breaking/current news was more likely to cause a compromised computer than searching for “objectionable content”
SOPHOS ANALYSIS
• Sophos Security Threat Report 2011
  • Web remains the biggest vehicle for malware
  • A high number are legitimate web sites serving malware or hosted malvertisements. Examples:
    • Farm Town (game)
    • Google sponsored links
    • Celebrity Twitter feeds
SYMANTEC…
• Internet Security Threat Report, Volume XV, April 2010
  • Of the top attacked vulnerabilities observed in 2009, 4 out of 5 were client side vulnerabilities that were frequently attacked by web-based attacks
  • Most frequent vectors – Internet Explorer and applications that process PDF files
  • Crimeware kits developed for sale by the malware code writers (Zeus kit for as little as $700)
    • Inexperienced “bad guys” can buy a kit and produce a custom attack easily
    • Over 90,000 unique variants of the Zeus toolkit observed
AND THE VERIZON BUSINESS RISK TEAM…
• 2010 Data Breach Investigations Report (in cooperation with the US Secret Service), July 2010
  • Organized criminal groups were responsible for 85 percent of all stolen data in 2009
  • Hacking and malware were responsible for over 95 percent of all data compromised
  • 85 percent of attacks are not highly difficult
The local Security landscape…
SECURITY 2010 AT PENN STATE
PENN STATE – 2010 EXPERIENCE
• >12,000,000 hostile probes daily, not even counting the latest web-based threats – the older attacks are still there
• 2,525 fully compromised systems detected by the University’s Intrusion Detection architecture
  • Up 43% from 2009
  • 854 of these were on University wired networks (not Residence Hall, wireless or modem-connected)
  • Lowest Budget Unit total – 0 compromises (8 units)
  • Highest Budget Unit total – 120 compromises
• 1025 compromised Access accounts detected – a 57% increase from 2009
PENN STATE EXPERIENCE (CONTINUED)
• Copyright Infringement is a little bit different animal, but here are the figures:
  • 26 different copyright holders or their representatives reported infringement by Penn State users in 2010
  • Growth in Complaints Handled:
    • 2008 – 874
    • 2009 – 1127
    • 2010 – 1459
ON THE POSITIVE SIDE
• Intrusion Detection instance at the border tuned to look specifically for web-based attacks
  • ~135,000 packets per second analyzed on average
  • ~2.4 Gb per second on average
  • ~20,000 – 40,000 alerts daily
• More than 139,000 overtly hostile sites dynamically blocked on an average day
• More than 50 local intrusion detection sensors within units throughout the University, operated on their behalf by Security Operations and Services
• Generic header intrusion detection and correlation pinpoints additional attacks
  • 32 TB of header data is about 12 days
  • ~39,000,000 lines of logs a day
  • 34 compute queues in cluster
WHAT CAN USERS DO?
• Remove sensitive information from computers
  • PII – SSNs, Credit Card Numbers, Bank account numbers
  • Mortgage statements
  • Tax documents
  • Personal health records
OTHER: WHAT CAN USERS DO?
• Run in least privilege mode
  • 81% of Critical Microsoft vulnerabilities are mitigated by operating without administrator rights.
  • Of the total published Microsoft vulnerabilities, 64% are mitigated by removing administrator rights.
  BeyondTrust 2010 MS Vulnerability Report
THE BOTTOM LINE
It’s no longer a question of “if” your computer is compromised – it’s a matter of WHEN your computer is compromised. This will cause a re-thinking of how we protect data and systems. Meanwhile the standard guidance still applies:
• Browsing can be dangerous
• Scan and remove PII
• Practice least privilege
• Patch and update Operating System and applications as required when new patches or updates are released
• Use current anti-virus (though only about 30% effective)
• Utilize unit policies
Unfortunate Case Study
A user’s PII scan results show just under 14,000 hits of PII. The user is busy and closes the scanning console, anticipating remediation at a later date. SIX times the same thing occurs: the user is busy and closes the console.
Two months later the computer is compromised. Data mining unveils over 6,000 unique PII instances.
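To make the case study and the “Scan and remove PII” guidance concrete, here is a small PII scanner written as an added example for this page. It is not the University’s scanning tool, and every file name, SSN, card number and phone number in it is constructed. It shows the two numbers the case study contrasts: raw pattern hits (what the console reports) and unique confirmed instances (what is actually at risk once structurally invalid SSNs and Luhn-failing card numbers are filtered out and duplicates collapsed), plus the redaction step that removes the confirmed values.

```python
import re

# Constructed sample files standing in for documents on a user's computer.
# Every SSN, card number and phone number below is made up for this example.
SAMPLE_FILES = {
    "mortgage_statement.txt": (
        "Borrower SSN: 078-05-1120\n"
        "Escrow card on file: 4111 1111 1111 1111\n"
        "Phone: (555) 012-3456\n"            # a phone number must not count as PII here
    ),
    "tax_2009.txt": (
        "Taxpayer SSN 078-05-1120 (same person as the mortgage file)\n"
        "Spouse SSN 987-65-4321\n"           # area 987 is never issued: false positive
        "Invoice number 1234567812345678\n"  # 16 digits but fails Luhn: false positive
    ),
    "notes.txt": (
        "Order ref 000-12-3456 is a ticket id, not an SSN\n"  # area 000: false positive
        "Backup card 5555555555554444 expires 2012\n"
    ),
}

# Candidate patterns: NNN-NN-NNNN for SSNs; 4x4 grouped or 13-19 contiguous digits for cards.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d{4}[ -]){3}\d{4}\b|\b\d{13,19}\b")


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Structural SSN check: area 000, 666 and 900-999 are never issued,
    and neither are group 00 or serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Return (kind, normalised value, confirmed) for each raw pattern hit."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group(0), ssn_ok(*m.groups())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        hits.append(("card", digits, luhn_ok(digits)))
    return hits


def scan_files(files: dict) -> dict:
    """Per-file raw hit and confirmed counts, plus unique confirmed values overall.
    The gap between raw hits and unique confirmed instances is the gap between
    what a scanner console reports and what is actually exposed."""
    per_file, unique, raw = {}, set(), 0
    for name, text in files.items():
        hits = scan_text(text)
        confirmed = {(kind, value) for kind, value, ok in hits if ok}
        per_file[name] = {"raw_hits": len(hits), "confirmed": len(confirmed)}
        raw += len(hits)
        unique |= confirmed
    return {"files": per_file, "raw_hits": raw, "unique_confirmed": len(unique)}


def redact_text(text: str) -> str:
    """The 'remove' step: mask confirmed SSNs and card numbers, leave false positives alone."""
    def ssn_sub(m):
        return "[SSN-REDACTED]" if ssn_ok(*m.groups()) else m.group(0)

    def card_sub(m):
        return "[CARD-REDACTED]" if luhn_ok(re.sub(r"[ -]", "", m.group(0))) else m.group(0)

    return CARD_RE.sub(card_sub, SSN_RE.sub(ssn_sub, text))


if __name__ == "__main__":
    report = scan_files(SAMPLE_FILES)
    for name, counts in report["files"].items():
        print(f"{name}: {counts['raw_hits']} raw hits, {counts['confirmed']} confirmed")
    print(f"total raw hits: {report['raw_hits']}, unique confirmed PII: {report['unique_confirmed']}")
```

On the constructed files the scanner reports 7 raw hits but only 3 unique confirmed PII values, because one SSN appears in two files and three of the hits are structurally impossible. A real scan over a home directory would walk the filesystem and open each file; the validation and de-duplication logic is the part that keeps a console from showing thousands of hits the user then learns to ignore.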
Negative Media Attention
• From an alumnus: “I received a great education at Penn State, but my life could be potentially ruined because of this. I’m very disappointed in Penn State.”
• From the mother of a former student: “How could a school that’s supposed to be as great as Penn State is let this happen?”
• From a one-time student: “So now my Social Security number has been severely compromised by Penn State’s lack of attention to security, and I have to pay the consequences.”
FINANCIAL BURDEN
APPROXIMATE COSTS
• Forensic Investigation/Data Mining: $3500+
• Address Search: $500 per batch + $.35/record
• Notification Services (mailing): $1500+
• Research Funding: PRICELESS
• Reputation: PRICELESS
SUMMARY
• Penn State is not immune to the somewhat sorry state of computer and network security globally
• If you browse, you will at some point be compromised. (Expansion of the web-based threat)
• Attacks are expanding quickly in both number and sophistication. Organized crime is a major factor.
• While it may not be enough, users need to do all they can to protect assets and to be aware of the current environment
QUESTIONS??
• Go forth and compute wisely….