The Solution has Become the Problem


Information Security
Risk Briefing
May 2, 2005
William Harrod
VP Intelligence Division
Cybertrust
[email protected]
© 2004 Cybertrust Corporation. All rights reserved. Confidential and Proprietary
Agenda
• Welcome & True Confessions
• Who is Cybertrust?
• PITAC Report
• What is wrong with our thinking?
• Risk Models That Work
• Good Data
Who is Cybertrust?
WildList Organization
firewall wizards
4,000 Corporate Clients
ICSA - the De Facto Standard
Set Security Product Standards since 1989
• Track and Measure Risks
• Lead Security Industries
• Test and Certify Products
  - Anti-Virus Products ~100%
  - Firewall Products ~100%
  - Cryptography Products ~100% IPSec, 70% SSL
  - IDS, IPS, Vulnerability Assessment, wireless…
• Significant access to security vendors' expertise
  - 160+ Security Product and Internet Vendors, 400+ Products
  - Meet every vendor every 90 days; mail lists, web boards
• Continuous Product Testing
Cybertrust - Unmatched Security Intelligence
108 Dedicated People
Monthly Intelligence Activities
• 2.5 million internal IP address scans
• 1.2 million lines of security code analyzed
• 1.2 million remote IP address scans
• Hundreds of millions of security events analyzed and correlated
• Thousands of IPs penetration tested
Daily Intelligence Activities
• CyberIntelligence
• Intel – tracks thousands of sources daily
• 10,000 Web sites monitored
• Online Guardian
• 400 Usenet groups followed
• WildList
• IS/Recon: 10,000 hackers tracked
• Tracks malcode in the wild
• 200 GBs Web data collected and analyzed
• Hundreds of Internet malware sensors watched
Cybertrust Global Risk Index 2000-2004
[Chart: Index Scores by Category, 2000-2004. Categories: Electronic, Malcode, Inside, each with a linear trend line. X-axis: quarterly, Jan-00 to Oct-04; y-axis: index score, 0 to 2000.]
400,000 Attacks against Corporate Servers
According to a study just published by Zone-H, attacks against corporate servers rose by 36% in 2004 to nearly 400,000 attacks.
Successful Web Site Hacks
[Chart: Daily rate of successful web site hacks, 1999 to 2005; y-axis 0 to 2500.]
2004 Web Site defacement trends by OS:
[Chart: monthly defacements, January to November 2004; y-axis 0 to 25000. Series: Unix (Source 1), Windows (Source 1), Sum (Source 1), with Unix trend, Win32 trend and global average trend lines.]
Probes per day against average single IP address
Often a reconnaissance or fingerprinting of active devices in order to assemble a target list for hacking vulnerable devices.
[Chart: probes per day against an average single IP address, 1999 to 2004; y-axis 0 to 350.]
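The probe rate the chart above reports can be measured on a defender's own perimeter from denied-connection logs. The following is an added example, not code from the briefing or from Cybertrust: the log format, the monitored address list and the log lines themselves are constructed assumptions. It computes the average probes per day per monitored address, and separately flags the reconnaissance pattern the slide describes, a source touching many ports on one host (vertical scan) or one port across many hosts (horizontal sweep).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of denied-connection firewall log lines (not from the briefing).
# Assumed format: "<ISO timestamp> DENY src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
SAMPLE_LOG = """\
2004-10-01T02:14:07 DENY src=198.51.100.7 dst=192.0.2.10 dport=21 proto=tcp
2004-10-01T02:14:08 DENY src=198.51.100.7 dst=192.0.2.10 dport=22 proto=tcp
2004-10-01T02:14:08 DENY src=198.51.100.7 dst=192.0.2.10 dport=23 proto=tcp
2004-10-01T02:14:09 DENY src=198.51.100.7 dst=192.0.2.10 dport=80 proto=tcp
2004-10-01T02:14:09 DENY src=198.51.100.7 dst=192.0.2.10 dport=135 proto=tcp
2004-10-01T02:14:10 DENY src=198.51.100.7 dst=192.0.2.10 dport=445 proto=tcp
2004-10-01T09:30:11 DENY src=203.0.113.5 dst=192.0.2.10 dport=445 proto=tcp
2004-10-01T09:30:12 DENY src=203.0.113.5 dst=192.0.2.11 dport=445 proto=tcp
2004-10-01T09:30:13 DENY src=203.0.113.5 dst=192.0.2.12 dport=445 proto=tcp
2004-10-02T11:05:40 DENY src=203.0.113.9 dst=192.0.2.11 dport=80 proto=tcp
2004-10-02T11:05:41 DENY src=203.0.113.9 dst=192.0.2.11 dport=443 proto=tcp
"""

# The externally visible addresses we watch (constructed; in practice the perimeter inventory).
MONITORED = ("192.0.2.10", "192.0.2.11", "192.0.2.12")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; lines that do not match the format are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["day"] = datetime.fromisoformat(entry["ts"]).date().isoformat()
        entry["dport"] = int(entry["dport"])
        yield entry


def probes_per_day_per_address(text, monitored):
    """Average denied probes per day across the monitored addresses: {day: average}.
    Addresses that received nothing still count in the denominator, as in the chart's
    'average single IP address'."""
    per_day = defaultdict(int)
    watched = set(monitored)
    for e in parse_log(text):
        if e["dst"] in watched:
            per_day[e["day"]] += 1
    return {day: total / len(watched) for day, total in per_day.items()}


def flag_reconnaissance(text, min_ports=5, min_hosts=3):
    """Per (day, source): distinct destination ports and distinct destination hosts.
    Returns the sources crossing either threshold, labelled vertical and/or horizontal."""
    ports = defaultdict(set)
    hosts = defaultdict(set)
    for e in parse_log(text):
        key = (e["day"], e["src"])
        ports[key].add(e["dport"])
        hosts[key].add(e["dst"])
    findings = []
    for day, src in sorted(ports):
        key = (day, src)
        kinds = []
        if len(ports[key]) >= min_ports:
            kinds.append("vertical")
        if len(hosts[key]) >= min_hosts:
            kinds.append("horizontal")
        if kinds:
            findings.append({"day": day, "src": src, "ports": len(ports[key]),
                             "hosts": len(hosts[key]), "kind": "+".join(kinds)})
    return findings


if __name__ == "__main__":
    for day, avg in sorted(probes_per_day_per_address(SAMPLE_LOG, MONITORED).items()):
        print(f"{day}: {avg:.2f} probes per monitored address")
    for f in flag_reconnaissance(SAMPLE_LOG):
        print(f"{f['day']} {f['src']}: {f['kind']} ({f['ports']} ports, {f['hosts']} hosts)")
```

The thresholds are deliberately parameters: a vertical threshold of five ports in a day is conservative for a single external address, and a horizontal threshold should be set relative to how many addresses the perimeter actually exposes.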
Growth in Malicious Code
[Chart: WildList Growth, Sep-03 to Aug-04, Top and Bottom lists with linear trend lines; y-axis 0 to 800.]
2004 was the Year of the Bot
[Chart: 1999 to 2004, series New Attack Code Monthly and 'Owned' Computers x10,000 (reaching 6.5 Million); y-axis 0 to 700.]
2004 was also the Year of Malicious Mail
Spam, Spyware, Worms, Virus, Phishing, Extortion, Scams…
[Chart: Misuse as % of Email, Jan-04 to Jul-04; y-axis 0 to 80.]
How Vulnerable Are You?
If yours is an average U.S. corporation here’s what your
network is experiencing this week.
About a dozen computers somewhere in your organization
encountered a computer virus, worm, or spyware.
Three people scrounged through desks and drawers looking for
someone else’s password. One of them succeeded and used it.
On average six sexually explicit graphics were mailed or shared
among some of your users in the past week. There is a 50-50 chance
that some of these are stored on your network.
At least one person experimented with a “hacking” tool or technique
on the general computers, servers, and databases inside your
network in the past month.
Despite all the press and focus on hacking and viruses, there is a
65% likelihood that the next security breach your staff deals with will
come from an insider.
Statistics provided by ICSA Labs
First some good news:
Economics is on our side; cheap hardware firewalls, smarter network
interface cards (NICs), routers, strong authentication, and end-to-end
encryption (e.g., SSL, SSH, VPNs) will be used to hide operating
system vulnerabilities, privileged controls, sensitive applications,
and gratuitous functionality from the public networks.
Compliance and regulatory requirements will drive security as a
business issue.
Driven by demand from their customers and competition and example
from AOL, retail ISPs are taking more responsibility for protecting their
customers and for protecting the rest of us from rude behavior by their
users.
While users will continue to compromise perimeter controls with tunnels
and click on strange files and icons, default use and automatic update of
scanners, and controls to limit connectivity of systems that are not current
will make us collectively resistant to viruses.
Rogue hackers are losing their Robin Hood image and public sympathy,
attracting law enforcement attention, being identified, indicted,
prosecuted, convicted, and sentenced to jail.
There is an emerging consensus that rewarding hackers with jobs
encourages more hackers without reforming anyone.
But also some bad news:
• Hacking is no longer trivial but serious, no longer for
loners but for teams, no longer for fun but for profit, no
longer mischievous but malicious and criminal, no longer
amusing but frightening.
• The Internet is seriously compromised by contaminated
machines.
• Anonymity in the Internet is now a commodity for sale.
• Users will continue to compromise perimeter controls with
tunnels and by clicking on strange files and icons. (IM, P2P)
• The rate of discovery of buffer-overflow vulnerabilities is
going up and the time to exploitation is going down.
• We will continue to try to patch and fix our way to security;
we will enjoy the same lack of success.
More bad news:
Spam now accounts for a significant part of the load for
the Internet and more than half of e-mail.
Phishing is just the latest demonstration that the chain of
trust is broken – things aren’t what they appear to be.
The transport layer can no longer be relied upon for security.
Connectivity trumps security.
Viruses and worms are becoming more sophisticated,
successful, and malicious. They are used to compromise
systems, insert remote controls, key-stroke grabbers and
other spyware, covert agents ("bots"), and backdoors. They
are a standard tool in the cracker's kit.
Insider Threat Study
Study by CERT, US Secret Service and CSO Magazine
Most of the incidents in the banking and finance sector were not
technically sophisticated or complex. They typically involved the
exploitation of non-technical vulnerabilities such as business
rules or organization policies (rather than vulnerabilities in an
information system or network) by individuals who had little or
no technical expertise.
In 87% of the cases, the insiders employed simple, legitimate user
commands to carry out the incidents.
In 78% of the incidents, the insiders were authorized users with
active computer accounts.
81% were premeditated. Furthermore, in most cases, others had
knowledge of the insider’s intentions, plans, and/or activities.
Those who knew were often directly involved in the planning or
stood to benefit from the activity.
Insider Threat Study (cont.)
81% were motivated by financial gain, rather than a desire to harm the
company or information system.
Insiders in this report fit no common profile. Only 23% held a technical
position, 13% had a demonstrated interest in “hacking” and 27% had
come to the attention of a supervisor or co-worker prior to the
incident.
Insider incidents were detected by internal, as well as external,
individuals – including customers.
The impact of nearly all insider incidents in the banking and finance
sector was financial loss for the victim organization: in 30% of the
cases the financial loss exceeded $500,000. Many victim organizations
incurred harm to multiple aspects of the organization.
83% were executed physically from within the insider’s organization
and took place during normal business hours.
Predictions 1, 3, 5 years out
• Malicious code will continue to get worse, particularly for
corporations with mobile users, novice users, and extended
enterprise connections.
• Phishing will continue to get worse over the next year.
• Spyware and remote controlled “Bots” will continue to cost
organizations more money and result in increasing risks for
loss of proprietary and customer data.
• The slow adoption of Microsoft XP SP2 (< 5-10% adoption)
reduces the benefits of the security advancements available
from it, and minimizes the “immunity” factor.
• Mobile phones will be one of the growing targets for
malicious code.
• Instant Messaging is now being used to spread malicious
code and spyware.
Predictions 1, 3, 5 years out
• Database attacks. “Follow the Money” - the direct attacks
are going for the money, and databases are the vault. These
attacks include multiple vectors involving web applications,
database configurations and access controls, insider threats
and storage area network security.
• Emerging technologies entering the environment too
quickly, before they mature and stabilize. Wireless, P2P,
VoIP, IM, MP3 players, IPv6 are only a few examples.
Technologies are quickly allowed to enter the enterprise. This
allows a multitude of unknown and zero-day vulnerabilities,
mis-configuration, user and admin errors, and attack vectors
into the environment.
Recommendations
• Adopt restrictive policies.
• Avoid gratuitous functionality.
• Scan at the perimeter and the desktop, in both directions;
refuse all unexpected attachments.
• Close your networks to all but registered (and current)
devices and users.
• Measure the state of your networks, systems, and
applications; measure the performance of their managers and
users.
• Layer your defenses; do not rely on a brittle perimeter and a
soft center.
• Strengthen accountability with end-to-end encryption, strong
authentication, and an integrated audit trail.
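One way to implement the "refuse all unexpected attachments" recommendation as a default-deny mail filter, as an added example rather than anything from the briefing: the extension allow-list, the executable block-list and the sample message are assumptions constructed here, and the parsing uses Python's standard email package. Anything that is not on the allow-list is refused, and the usual disguises (a missing filename, a double extension such as invoice.pdf.exe, an executable content type behind a harmless name) are refused before the allow-list is even consulted.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed policy: only these attachment types are expected (constructed allow-list).
ALLOWED_EXTENSIONS = {".pdf", ".txt", ".csv", ".png", ".jpg"}
# Executable and script extensions that are refused whatever else the name contains.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Declared content types that identify an executable regardless of filename.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/x-msdos-program"}


def attachment_verdict(filename, content_type):
    """Return (accept, reason) for one attachment under a default-deny policy."""
    if not filename:
        return False, "attachment without a filename"
    base = filename.lower().rsplit("/", 1)[-1]      # ignore any path component
    parts = base.split(".")
    if len(parts) < 2:
        return False, "no file extension"
    exts = ["." + p for p in parts[1:]]             # every dotted suffix, e.g. [.pdf, .exe]
    if content_type.lower() in EXECUTABLE_TYPES:
        return False, f"executable content type {content_type}"
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, f"executable extension in {filename}"
    if len(exts) > 1:
        return False, f"double extension in {filename}"
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension {exts[-1]} not on the allow-list"
    return True, "allowed type"


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and return [(filename, accept, reason)] per attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        ok, why = attachment_verdict(part.get_filename(), part.get_content_type())
        results.append((part.get_filename(), ok, why))
    return results


def should_quarantine(raw_bytes):
    """Refuse the whole message if any attachment is unexpected."""
    return any(not ok for _, ok, _ in scan_message(raw_bytes))


def build_sample_message():
    """Constructed test message (not from the briefing): one benign PDF and one
    executable disguised with a double extension."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    for name, ok, why in scan_message(raw):
        print(f"{name!r}: {'accept' if ok else 'refuse'} ({why})")
    print("quarantine:", should_quarantine(raw))
```

The verdict deliberately ignores what the sender claims beyond the content type: a real gateway would additionally check the first bytes of each attachment against its declared type, and scanning "in both directions" means running the same filter on outbound mail.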
PITAC Report
“Cyber Security: A Crisis of Prioritization”
President’s Information Technology
Advisory Committee Report
http://www.nitrd.gov/pitac/reports