1. Evidence Solutions, Inc.
Security Threat Update - The Newest Threats and How to Protect Against Them
Faculty:
Scott Greene of
Evidence Solutions, Inc.

2. If builders built houses the way programmers built programs, the first woodpecker to come along would destroy civilization.
- Gerald Weinberg

3. Protect the Information
Provide Access

4. Rank
Securities Technology
ASI
M86
Daily Finance
SANS 1
Mobile Devices
Default or Weak Passwords
Targeted Attacks
Mobile Threats
Targeted Malware 2
C-Level Targets
SQL Injection
Social Media Scams
Embedded Hardware
Lack of Incident Response 3
Social Media Cyber Threats
Excessive Priveledges
Mobile Malware
Virtual Currency
IPv6 4
You are infected
Too many DBMS features on
Third Party Exploits
OS Advances Steer Hackers
ARM
(Mobile) Hacking 5
Physical Can Be Digital
Broken Configuration Management
Exploit Kits & Malware
URL Hijacking
Social Engineering 6
Cloud Computing
Buffer Overflows
Compromised Websites
Rogue Certs
Social Media 7
Breaches will be shared
Prviledge Escalation
Botnets
Cyber War
Compliance 8
Zero Day Threats will increase
Denial of Service
Malware Spam
Hactivism
Monitoring 9
Insiders
Unpatched DBMS
Sporting Event Scams
Legalized Spam
Wireless Security 10
Greater Regulation
Unencrpyted data
Cloud Service Attacks
Industrial Attacks
1. The exponential growth of mobile devices drives an exponential growth in security risks.
Threat assessment: Every new smart phone, tablet or other mobile device, opens another window for a cyber attack, as each creates another vulnerable access point to networks.
Threat response: Force all communications from employees’ and managers’ portable devices through the corporate network, Wansley says. Allow no retransmission of any content obtained from within the network, through such devices. Except through monitoring software.
2. Increased C-suite targeting.
Threat assessment: Senior executives are no longer invisible online. Firms should assume that hackers already have a complete profile of their executive suite and the junior staff members who have access to them.
Threat response: Train executives not to post any personal information to social media or other public websites. Screen all incoming mail to top executives for signs of “social engineering” through messages that appear to come from friends. Scan all messages for odd command and control instructions and extraneous lumps of code.
3. Growing use of social media will contribute to personal cyber threats. Threat assessment: A profile or comment on a social media platform – even by the CEO’s son or sister -- can help hackers build an information portfolio that could be used for a future attack.
Threat response: Establish as a policy that senior executives and their relatives must not post to public sites any information that indicates personal interests that can be used to build profiles or guess passwords and other authenticating access information. Use available site monitoring software to cull and, when possible, remove any new information about executives – or “superusers” on your network. If your “superusers” are gamed, you will lose control of the operations of basic functions.
4. Your company is already infected, and you’ll have to learn to live with it – under control.
Threat assessment: Security should remain a priority, but today’s risks and threats are so widespread that it will become impossible to have complete protection – the focus of cyber security tactics increasingly must be to analyze, detect and expunge threats inside your system.
Threat response: Spend as much time filtering communications inside your network as you do communications coming in to your firewall or trying to pass through your perimeter. Scan servers inside your network constantly for inexplicable files or fragments of code. Institute a ‘dynamic defense’: Appoint around-the-clock security cops to observe and predict what new tactics are being used to put unauthorized code inside your network and replicate it.
5. Everything physical can be digital.
Threat assessment: The written notes on a piece of paper, the report binder and even the pictures on the wall can be copied in digital format and gleaned for the tools to allow a hacktivist-type of security violation, and increasingly this will be a problem.
Threat response: Create awareness inside your organization that no photos or other images of any sort should be captured inside the walls of your offices, without management supervision. That smartphone photo might actually be capturing usernames and passwords posted on cubicle walls. Or it may provide fodder for messages that will look like they are coming from trusted insiders, but aren’t.
6. More firms will use cloud computing.
Threat assessment: The significant cost savings and efficiencies of cloud computing are compelling companies to migrate to the cloud. A well designed architecture and operational security planning will enable organizations to effectively manage the risks of cloud computing. Threat response: Create ‘vaults’ to protect your assets, particularly something as valuable as algorithms. Lock down access to servers, except through two encrypted keys being used simultaneously by two different authorized users. Require biometric authentication before those users can employ and deploy their keys.
7. Global systemic risk will include cyber risk.
Threat assessment: As banks and investment firms continue on the path to globalization, they will become increasingly inter-connected. A security breach at one firm can create negative ripple effects that greatly impact systemic risk in financial markets. Threat response: Filter incoming messages, in SWIFT or FIX protocols as stringently as any message. Or more. Look for unexplained code tucked in in hard-to-notice spots. Look for non-standard formatting of messages. Look for extraneous code attached to the messages. Look for stuff that looks like commands. In fact, screen traffic flow from trading partners, market data vendors or other known partners as stringently as any traffic from inside. Audit the security procedures of any exchange, trading partner or vendor you allow to connect with your network.
8. Zero-day malware (malicious software) and organized attacks will continue to increase.
Threat assessment: Like a vicious, insidious virus that mutates, the tools of cyber criminals adapt and change constantly, rendering the latest defenses useless. Firms need to be prepared to adapt quickly as well to zero-day malware and the tactics of organized crime and foreign adversaries that are increasingly used today. Threat response: Put in place tools to watch for known “signatures” of malicious software. But develop an internal task force that watches trends and is charged with out-thinking and out-flanking the most brilliant of outsiders. Assume that every threat coming your way has no known signature. And has been months, if not years, in development.
9. Insider threats are real.
Threat assessment: The accidental insider breach will continue to be the primary source of compromise for the Advanced Persistent Threat – a long-term, sophisticated and patient attack -- and other attempts to take advantage of existing systems. Threat response: Organizations need to focus on security awareness training and internal monitoring to detect intentional and accidental insider access. Data needs to be classified by its value to the firm, with the most important data being accessible only to the most valued manager. Biometric authentication is required. But, even then, not even the most valued manager should be allowed to make changes without secondary approval. Monitoring software should keep track 24x7 of all interactions from any source or individual of any piece of the crown jewels.
10. Increased regulatory scrutiny.
Threat assessment: In October, the Securities and Exchange Commission introduced guidelines that require companies to report incidents that result, or could possibly result in, cyber theft or a risk of compromised data considered material. Threat response: Establish security standards that exceed all industry standards. Start 10. Increased regulatory scrutiny.
Threat assessment: In October, the Securities and Exchange Commission introduced guidelines that require companies to report incidents that result, or could possibly result in, cyber theft or a risk of compromised data considered material.
Threat response: Establish security standards that exceed all industry standards. Start with ISO/IEC 27002, an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC).
information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC).
Weak Passwords… What more needs to be said?
SQL Injection. These happen on the outside but more frequently they are happening from inside the Perimeter. Most organizations are focusing on the perimeter and believing that the data is safe.
Excessive Priveledges cannot always be addressed. Sometimes those are controlled by the software vendor. Releases and updates and software vendors who are compliant with SOX, HIPPA and PCI are helping. Review database privileges often. Consult with vendors regarding same.
Users & programmers are notorious about turning on features that they don’t need…
Anonymous will continued to attack organizations. Sony, Lockheed Martin and RSA are just the beginning. RSA was originally attacked by . An attachment exploited an Adobe Flash but and installed a back door and other components.
Social media scams exist for Facebook, LinkedIn, YouTube, Twitter and even Google+. They simply dupe users into clicking on links.
Mobile malware continues to grow. Zeus and Spyeye are now on the Android platform. Some variants of the Morto worm spread on PCs via RDP.

5. Threats March 30, 2012: Utah Department of Health Cause: Records leak
780,000 personal health records exposed
Cause:
Weak password on server

7. Spam & Attack Mitigation

8. Spam & Attack Mitigation
Log unsuccessful attempts, both incoming and outgoing. Spear phishers often have to guess the mail format (i.e. etc) therefore it is likely the mail server will reject mis-formatted s.

9. Spam & Attack Mitigation
This is likely the first sign your organization may be targeted.
By reviewing logs shortly after trigger events, it is possible to learn whether attempts are being made and thus new rule sets can be created to block the sender and alert the individual they are being targeted.

10. Spam & Attack Mitigation
If it is determined there is an attack against an individual or group occurring, notify the individual or group.

11. Spam Mitigation

12. Spam Mitigation

13. Spam Mitigation

15. Mobile Devices Including, but not limited to: Cellular phones
Smartphones
Tablets
Laptops

16. Mobile Device Dangers

20. Mobile Device Dangers What Happens when a Smartphone is lost:
Symantec did a study where they “lost” 50 cell phones in 5 cities….
72% of people tried to access photos
57% tried to open a file named "Saved Passwords“
43% tried to open an app named "Online Banking.“
Only 50% of the finders attempted to reunite the phone with its owner.

21. Mobile Device Dangers
There is a dramatic increase in malware designed to attack mobile devices that run Android.
The total number of identified threats to Android devices more than quadrupled in the first quarter of 2012, reaching 8,000.
Part of that increase, however, came from improved detection.

22. Mobile Phone Dangers
Most mobile malware aimed at Android did not come from apps offered through the Google Play app marketplace.

23. Smart Phone Management
Mobile Device Management (MDM)
This product line secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises.
MDM typically includes over-the-air distribution of applications, data and configuration settings for all types of mobile devices: mobile phones, smartphones, tablets, etc.

24. Smart Phone Management
This applies to both company-owned and employee-owned (BYOD) devices across the enterprise or mobile devices owned by consumers.

25. Smart Phone Management
MDM abilities include:
Inventory
Updates
Diagnostics
Backup & Restore
Asset Tracking
Password Enforcement
Encryption
Remote Control / Management
Remote Lock
Remote Wiping
Software Installation
Locating and Bread-crumbing
Software Whitelist / Blacklist
Corp Data Tracking

26. Smart Phone Management
Issues:
User Consent / Policy
General Policy
Eligibility
Acceptable Use
Financial Responsibility
Program Management
Equipment

27. Smart Phone Management
Acceptable use:
While driving a motor vehicle
Personal Use
Use in Accordance with COMPANY Code of Conduct

28. Smart Phone Management
Issues:
Sandboxing of corporate data
Makes employees feel good
Rooting ( some systems try to detect it )
Corporate data into a vault or sandbox – Employees know that if they leave the won’t lose all the rest of their stuff

29. Solutions Microsoft Exchange Active Synch (EAS) Websense
Blackberry Enterprise Server

31. Instant Messaging (IM)
Text
Webcams
Voice
Files

32. Instant Messaging (IM)
Vulnerabilities
Sending / Receiving sensitive data
Viruses aimed at IM ( Choke Virus )
Antivirus tools at the gateway do not detect IM traffic and there for will not see viruses that are received by users.
Hackers have used IM networks to deliver:
Phishing attempts
Poison URL's
Virus-laden files
These deliveries are done by:
Sending of Files that users execute
Could be viruses, trojans or spyware
The use of "socially engineered" text & web addresses that entice the recipient to open a URL that then downloads malicious code.

33. Instant Messaging (IM)
The IM Security Center, a collaboration between security companies and corporations, has tracked attacks over IM since 2003 and shows well over 1000 distinct attacks over the public IM networks.
Since 2007 there has been a steady increase in IM attacks
While still small, IM attacks continue to growth with the increased usage of IM.
Couple that with the adoption of IM in the workplace makes IM an attractive vector for hackers
Individuals and companies must take precautions to avoid infection.

34. Peer to Peer Networks (P2P)
Local shared network resources
Location specific
Wide area peer to peer networking software
Anywhere in the world

35. Peer to Peer Networks (P2P)
Many peer-to-peer networks are under constant attack in a variety of ways:
Poisoning attacks by supplying files with enticing names.
Man-in-Middle (the attacker intercepts files by obtaining the communication between two different users. Attackers can go on to change the information or simply pass it on untouched. This is all done undetected)

36. Peer to Peer Networks (P2P)
Polluting attacks by inserting "bad" chunks/packets into a valid file on the network ( sometimes done by man in the middle )
Defection attacks (attaching to networks where security is lax)
Malware in the peer-to-peer network software itself. The software is distributed containing spyware or trojans
Denial of service attacks

37. Peer to Peer Networks (P2P)
Identity attacks ( tracking down the users of the network and harassing or legally attacking them)
Spamming (sending unsolicited information across the network--not necessarily as a denial of service attack and not necessarily )
Sybil attacks (one malicious identity that can be presented as multiple identities allowing the attacker to control a whole portion of the network)

38. Peer to Peer Networks (P2P)
Personal information is at risk because users expose certain files by putting them in shared document folders.
These documents are at risk are due to misplaced files, confusing interface design, Incentive to share a large number of files, general laziness on the part of the user, wizards designed to determine media folders, and poor organization habits.

39. Peer to Peer Networks (P2P)
Future Risks:
Second generation Peer-to-Peer file sharing software now has the ability to search indexes using file names and information that is associated with the files. This makes it easy for the searching of “Bank Account” information.
These can also search using Regular Expressions:
1=\<5\d\d\d[\-\. ](\d\d\d\d[\-\. ]){2}\d\d\d\d\>

41. RSA InsecureIDs & Lockheed
Lockheed said:
“our systems remain secure”
No customer data was compromised
No Employee personal data has been compromised.
No such assurance was given for
proprietary data
military systems data

42. RSA InsecureIDs
As reported by The Christian Science Monitor, a DOD document states: "Any computer-based attack by an adversary nation that damages US critical infrastructure or US military readiness could be an 'act of war,' according to new Defense Department cyberwarfare policies that have yet to be officially unveiled."

43. RSA InsecureIDs
Going back to just passwords, but making them strong ones and authenticating the endpoint
Making sure that the machine being signed in from by a user is the normal machine used by the user.

44. Google Hack
Google announced that hackers have gone after specifically targeted U.S. government officials and military personnel Gmail users.
Why would government leaders use Gmail in the first place? U.S. government officials, after all, have access to official government systems that have layer after layer of security.
So how does Gmail, Google's cloud-based service, come into play?

45. Google Vulnerabilities
Eight vulnerabilities in Google services were revealed during the Hack in the Box conference in Amsterdam on Thursday 5/24/2012
That same group claims to have discovered more than 100 such bugs over the past few months.

46. Bot Nets
"bots" are a type of malware that allows an attacker to take control over an affected computer.
Also known as "Web robots", bots are usually part of a network of infected machines linked by the internet.
These victim machines make up a “Bot Net” that stretch across the globe.

47. Bot Nets
Since a bot infected computer follows its master's orders and are generally referred to as "zombies".
Cybercriminals that control these bots are called bot-herders or bot-masters.
It is hard to detect bots on your network. Until they leap into action.

48. Bot Nets
Bot Nets might have a few hundred or a couple thousand computers, but others have tens and even hundreds of thousands of zombies at their disposal.
Conficker / Downadup Worm

49. Bot Nets
"Botnets are one of the greatest facilitators of cybercrime these days. Really the cybercrime arena is wrapped around botnets."
--Wendi Whitmore, special agent, Air Force Office of Special Investigations

50. In October 2006, a foreign hacker broke into a system at a water-filtration plant in Harrisburg, Pa., after an employee's laptop computer was compromised via the Internet and then used as an entry point to install malware on the plant's computer

52. BYOD Policy
Allowing employees to use their personal mobile devices for work-related tasks provides advantages:
less laptop lugging
easier connectivity
potentially better interfaces

53. BYOD Policy
It can also help an organization financially when the organization doesn’t have to pay for:
Smartphones
Tablets
Data plans

54. BYOD Policy The risks of BYOD including security vulnerabilities
support costs
liability issues

55. BYOD Policy
Organization that allow employees to bring devices to work should have a well-defined BYOD policy and mechanisms to enforce it.

56. BYOD Policy Defining a BYOD policy:
1) define the scope of control the business expects to maintain over employee-owned devices.
At one end of the spectrum, a business could treat devices as if they were corporate assets in return for allowing employees access to IT resources from their personal devices. The other extreme is to assume no control over the devices themselves and instead focus on access controls and limiting risks such as leaving corporate data on BYOD devices. The optimal BYOD policy may lie somewhere between these two poles.

57. BYOD Policy 2) Acceptable use corporate IT resources on mobile devices
Require VPN access
minimal security controls on the device
the need for company-provided components
Secure Sockets Layer (SSL) certificates for authentication
rights of the organization to alter the device (e.g., to remotely wipe a lost or stolen device).

58. BYOD Policy 2) acceptable use Encryption of data
Prohibit storage of business data
Prohibit storage of passwords
etc
Acceptable-use policies could require the use of a virtual private network when accessing corporate systems and prohibit the storage of passwords to business applications. Security controls might also require the use of encryption for stored data, device password protection and registration of devices with a mobile device management (MDM) system. Employees should be informed of all aspects of the BYOD policy and agree to them.
Written policies and employee consent are not enough to protect a company’s information assets. Even well-intentioned employees can make mistakes, such as forgetting to set a device password or downloading confidential information over an unencrypted session. Mobile device policies should have an enforcement mechanism to ensure that they are applied consistently.
Enforcing a BYOD policy
Chances are that some of your company’s existing applications can enforce a BYOD policy. But before you try to use these apps, consider two key questions: “Are these applications sufficient to meet all enforcement requirements?” and “How difficult is it to manage mobile devices with these applications?” Consider the widely used ActiveSync.
ActiveSync provides for policy enforcement, but mobile device manufacturers have not always supported all ActiveSync enforcement mechanisms. Microsoft has established an ActiveSync logo program to encourage standard criteria for a minimum level of policy enforcement. Qualified devices must support automatic discovery, remote wipe, required password, minimum password length, timeout without user input and a maximum number of failed attempts among others. If enforcement mechanisms are sufficient and your employees are using supported devices, ActiveSync could address your BYOD policy needs.
Third-party MDM applications can support a wide array of BYOD policy enforcement operations including full lifecycle management, app inventory control, data protection, certificate distribution, device configuration and lockdown.
BYOD policy enforcement begins with provisioning. MDM apps can help ensure consistent configuration of devices, install applications and create accounts on self-service management portals. If your policies limit the apps that can be deployed on a BYOD device, use an MDM system that provides for unauthorized app detection.
Most MDM applications support remote wiping, but completely wiping a device is drastic and, in many cases, may not be necessary. MDM apps can selectively wipe data, allowing device administrators to delete corporate data while leaving personal data intact.
Your BYOD policy may require that all devices accessing corporate systems must be registered with your IT department and configured with an SSL certificate for authentication. MDMs that support certificate distribution can minimize management headaches for this operation.
MDM systems can further ease the burden by reporting on expired certificates, revoked certificates and other certificate management concerns.
Finally, look for MDM apps to provide device configuration and lockdown functions. For some users, for example, you may wish to lock down cameras, Bluetooth, GPS and Wi-Fi. If you specify an encryption policy, investigate an MDM that can enforce this policy on both fixed storage and Secure Digital cards.
A good BYOD policy has two characteristics: Policies are clearly defined, and they are enforced. A BYOD policy should address acceptable use, security controls and the rights of the business to alter the device. Existing enterprise applications, such as Microsoft Exchange ActiveSync and certificate management systems, may be sufficient for enforcing policies. If you require more control over devices and the ability to generate management reports about BYOD use, an MDM system may be a better option.

60. Unauthorized Hardware
Hackers are constantly looking for targets. Unprotected systems that are attached to networks.
Do you know what’s on your network?
Users add things to networks all the time.
Inventory often
Control what is attached
Do not hook up a system until it is configured

61. Unauthorized Hardware
Solutions
Maintain accurate inventory of physical systems as they relate to your Asset Inventory
Include:
IP Address
Mac Address
Device Name
Purpose
Owner / Manager responsible

62. Unauthorized Hardware
Solutions
Use and test Network Inventory software and / or hardware
Test the operation often with a known rogue machine
Test the delay before the machines are quarantined and users confronted.

63. Unauthorized Hardware
Solutions
When alerts are received treat them as important
Safeguard the accurate database created by the software.
Compare the software database with the physical asset list.
Implement configuration management systems to ensure that all systems are safely patched.

64. Unauthorized Software
Hackers & Bots are looking for software to compromise as well.
Do you know what is on your user’s machines?
Have and manage to a White List of accepted software
Document all exceptions

65. Unauthorized Software
Solutions
Maintain accurate inventory of acceptable software
Include:
Manufacturer
Version
If an exception:
Device Name
Purpose
Owner / Manager responsible

66. Unauthorized Software
Solutions:
Install software inventory & Management tools
Requirements should be:
For Operating Systems
Version
Patches installed
For Applications
Type
Manufacturer
Patch Level

67. Unauthorized Software
Solutions
Install software inventory & management tools
The most effective tools include:
Hash of known good versions
Can prevent execution of anything not on the ‘White List’
Can validate the location of the file in the file system
Allowed users

68. Unauthorized Software
Solutions
Operating Systems
Consistency is key
Drivers should all be signed
Should only be from the manufacturers of the device installed.

69. Harden Workstations & Servers
Systems that are installed, hooked up and not properly secured pose a significant threat.

70. Harden Workstations & Servers
Solutions
Ideally have your hardware vendor setup the machines with an image that is created / updated on a regular basis.
Install from a secure server that contains updated images of what should be on a machine.

71. Harden Workstations & Servers
Solutions
Remove all extraneous users that come with the OS
Shutdown and remove all extra services
Shut down all unused ports
Install local Firewall software & configure

72. Harden Workstations & Servers
Solutions
Run assessment programs regularly
Test with systems that aren’t configured correctly
Test by injecting systems that are configured correctly

73. Harden Devices
Secure configurations of network devices such as firewalls, routers, and switches. While on the radar are rarely double checked after configuration.
Hackers have automated tools looking for holes in the perimeter as well as in internal devices.

74. Harden Devices Secure Firewall Configurations Auditing
75% of firewalls have rules that are not required
50% of those are dangerous

75. Harden Devices Solutions Create a standard configuration document
Follow the standard configuration document
Filter all un-needed services
Exceptions, when required, should have a time limit or a review period
Log log log
Monitor & review

76. Harden Devices Solutions Use penetration tools regularly
Test from the outside world & the inside world
All devices should use encrypted configuration logins
Use separate physical networks where possible
Use VLANs where physically separating the networks is not possible.

77. "A network of hackers, most based in China, have been making up to 70,000 attempts a day to break into the NYPD's computer system, the city's Commissioner, Raymond Kelly, revealed Wednesday.”

78. Log Log Log
Many incidents can be readily revealed with a bit of logging and analysis those logs.

79. Logs
Solutions
Almost everything that has a log should have the log turned on.
Logs should include:
Date/time
Source IP
Destination IP
Port
Etc

80. Logs
Solutions
Use standard SYSLOG entries or use software that converts logs to a common log format.
Store logs for a while – space & DVDs are cheap
Create systems & procedures for analyzing logs.
These systems should have ‘normal’ items and ‘abnormal’ items

81. Logs Solutions All remote access logging:
should be in detail
Should be rigorously analyzed.
All security alerts should be logged.
Workstation
Servers
Devices

82. Logs Solutions Use unified time Border devices
This allows logs to be matched up across many devices and / or networks.
Border devices
Should log verbosely
Should log all traffic
Blocked
Allowed

83. Logs Solutions Logs should be secured
Logs should be exported & saved on Write Once devices. or
Logs should be written to dedicated logging servers.
The dedicated logging servers with separate security credentials

84. Logs Solutions Test the logs and review after:
Normal / acceptable traffic
Push the system
Attempt to penetrate the network.
Inside
Outside
Compare and correlate the data on all of the logs for validity.

85. Logs Solutions Review Test Logs everyday
Use automated tools to analyze large amounts of data.
Test
Attack a system
Test the response time.
Discovery
Action taken to attack

87. Malware
6 million+ unique malware samples were identified in the first quarter of 2011, a 26% increase from Q1 of 2010 and far exceeding any first quarter in malware history.
70,000 new malware strains are detected every day.

88. Malware
McAfee says that PC malware had its "busiest quarter in recent history," in their quarterly security report released Wednesday 5/23/2012.

89. Malware
Malware targeting Apple computers also continued to rise steadily. New malware for the Mac exploded in the second quarter of 2011, but this last quarter saw the most new cases since then with about 250.

90. What exactly is a RootKit?
A rootkit is a software/hardware application that enables continued priveileged access to a computer while actively concealing its presence from authorized users and administrators.

91. What exactly is a RootKit?
The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.

92. Persistent Rootkits
Persistent rootkits activate each time the system boots.
Persistant RootKits start automatically each system start or when a user logs in, they must store code in a persistent store, such as the Registry or file system, and they execute without user intervention.

93. Memory-Based Rootkits
Memory-based rootkits have no persistent code and therefore does not survive a reboot.

94. User-mode Rootkits
These rootkits usually intercept user centered Operating System information and provide results that prevent the user from seeing the RootKit executable files and libraries.
In this case Windows native API serves as the interface between user-mode client software and kernel-mode services.
The most sophisticated user-mode rootkits intercept File System, Registry, and System Process functions of the Native Winows API preventing the detection of the RootKit.

95. Kernel-mode Rootkits
These RootKits are usually the most powerful since they can intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data.
Kernal RootKits hiding their presence by removing the process from the kernel's list of active processes. These Rootkits will be normally be absent from the Task Manager.

96. A Brief History of RootKits
The first Windows RootKit called NTRootkit appeared in 1999 in NT
HackerDefender followed in 2003.
The first Mac rootkit targeting OS X appeared in 2009
And the Stuxnet worm was the first to target programmable logic controllers (PLC).

97. And then there was:
The Sony BMG copy protection rootkit

99. Our protected environments
Classic Perimeter
Firewall
ACL (port and web filter)
IDS / NIPS / HIDS
Proxy
Patch Control
Personal Fire Walls
ACL Access Point Control ( access control list )
IDS – Intrusion Detection System
NIPS – Network Intrusion Protection System
HIDS – Host Intrusion Detection System

100. Our Protected Environments…
Rootkits still penetrate
Even proxies, Websense, IE lockdowns are not a perfect solution
Volume so high and attackers so sophisticated, that a tiny percentage gets through…

101. Our Protected Environments…
It is estimated that:
In a 24 hour period
Of 44K web sessions
Accessing 10K hosts
Approx 20 web exploits were discovered
So What? .04%? Big deal!

102. Limit Administrators
All too often users are granted “Administrator” privileges on networks, servers & workstations. When they do have this access associated with one of their accounts, they tend to use the account with Administrative privileges.

103. Limit Administrators Solutions
Monitor and log all users that need ‘administrator’ ( and Super User ) access.
Create multiple accounts for such users and encourage them to use the ‘administrator’ capable user only when required by their job.
Require such users to have STRONG passwords.

104. Limit Administrators Solutions
Remote ‘administrator’ access should be prevented.
Once connected with a non-administrator account users can login to additional systems with their ‘administrator’ account.
Audit / confirm
Audit all users with ‘Administrator’ capabilities often.
Remove such privileges when they are no longer needed by the user.

105. Limit Administrators Solutions Audit / confirm
Review logs to ensure that users are not abusing the rules:
Reading with their privileged accounts
Browsing the Internet
Educate ‘Administrator’ users about social engineering techniques
Attempt to Social Engineer ‘Administrator’ users.

106. Limit Administrators Solutions
Require two factor authentication for all Administrator accounts
Use roles / groups to segregate responsibilities
Workstation Administrators only have access to administration of workstations, laptops, etc
Domains administrators only have administrator access to servers

107. Limit Administrators Solutions Audit Processes
Look at all processes that have ‘Administrator’ privileges. Reduce to only what is required.
Review logs that have detailed entries often to determine if any Rogue ‘Administrators’ or ‘Administrator’ privilege software exist in your domain

108. Limit Administrators Solutions Audit Processes
Look at all processes that have ‘Administrator’ privileges. Reduce to only what is required.
Review logs that have detailed entries often to determine if any Rogue ‘Administrators’ or ‘Administrator’ privilege software exist in your domain

109. Limit Administrators
Make being logged in as an administrator as annoying as you can
No access
No Web Access
1 minute to lock machine in Screen Saver

111. People People People
Organizations with educated users have fewer problems.
Threats to organizations
Social engineering
Sloppy users
End users are fooled into opening attachments and loading software from untrusted sites, visiting web sites where they are infected and more.
System administrators are also fooled like normal users but are also tested when:
unauthorized accounts are set up on their systems, when unauthorized equipment is attached, when large amounts of data are exfiltrated.

112. People People People Threats to organizations Sloppy users
System administrators are also fooled like normal users but are also tested when:
unauthorized accounts are set up on their systems
unauthorized equipment is attached
when large amounts of data are exfiltrated.
Security operators and analysts are hit with new and innovative attacks with:
sophisticated privilege escalation
Redirection
other attacks along with a continuous stream of more traditional attacks. ( They get distracted )

113. People People People Threats to organizations Sloppy users
Application programmers are tested by criminals who find and exploit the vulnerabilities they leave in their code.
Stubborn Organizations
System owners are tested when they are asked to invest in cyber security but are unaware or refuse to accept the devastating impact a compromise and data exfiltration or data alteration would have on their mission

114. Social Engineering Methods
1) call help desk to find out the secret questions with a non target
2) They gather up the target’s secret question answers.
3) once they have that they get the help desk to change the password
4) then they call the target and inform them about the change

115. Social Engineering Methods QUICK CHANGE
1) help the user change their password by intimating that you are from the help desk
2) and then tell the user not to reveal their current password for security purposes

116. Social Engineering Methods
give out usb flash drive with malicious code
get a keylogger with bluetooth

117. Social Media Policy Single person or limited persons who can post
Policy about what they can post

118. On the Internet…. Nobody knows you’re a dog.
And increasingly, nobody knows you’re a hacker.

119. Events & Social Engineering
Just over one year ago:
Osama Bin Laden's Death a Party for Spammers, Fake AV Scammers

120. Events & Social Engineering
This year:
Month
Date
Event
Location
May
18-19
G8 Summit
Camp David
20-21
NATO Summit
Chicago, IL
June
18-20
G-20 Summit
Los Cabos, Mexico
July
August
27 to 12
Summer Olympics
London
27-30
Republican National Conv.
Tampa, FL
September
03-06
Democratic National Conv.
Charlotte, NC
November
Asia Pacific Economic Summit
Russky Island

121. Events & Social Engineering
Based on history, malicious persons will capitalize on these high profile events to collect intelligence, distribute spam and/or draw attention to ideological causes.
Some foreign intelligence services will likely use socially engineered spear-phishing s to masquerade as a trustworthy entity and target individuals affiliated with these events.

122. Events & Social Engineering
Normally targeting begins as early as months before the event and may continue until weeks after the event concludes.

123. Events & Social Engineering
These targeted activities are an effort to collect economic and political strategies, talking points, and related intelligence related to the event of countries and key personalities in attendance in order to negotiate and compete from a position of strength.

124. Events & Social Engineering
These events may also become prime spam content for criminals seeking financial gain.
The spam may be used to distribute malware or phish PII or financial information.
Phishing and scams imitating official 2012 Olympic correspondence or offering tickets have already begun circulating in the wild.

125. Events & Social Engineering
Lastly, hacktivists have defaced and disrupted the websites of conference related financial, corporate, and government entities to promote their ideological positions.
It is probable that hacktivists will conduct similar activities during the summits.

126. Mitigation
Train user to be wary of unsolicited attachments, even from people you know - Just because an message looks like it came from a familiar source, malicious persons often "spoof" the return address, making it look like the message came from someone else.

127. Mitigation
Check with the person who supposedly sent the message to make sure it's legitimate before opening any attachments. This also includes messages that appear to be from your Internet Service Provider (ISP) or software vendor claiming to include patches or anti-virus software. ISPs and software vendors do not send patches or software in .

128. Mitigation
Keep software up to date - Install software patches so that attackers can't take advantage of known problems or vulnerabilities (see US-CERT Security Tip ST04-006, Understanding Patches for more information). Many operating systems offer automatic updates. If this option is available, you should enable it.

129. Mitigation
Teach your employees to trust their instincts - If or attachment seem suspicious, don't open it, even if your antivirus software indicates that the message is virus free.
Attackers are constantly releasing “zero-days” and most likely your anti-virus software does not have a signature for it yet.

130. Top 25 Programming Errors
CATEGORY: Insecure Interaction Between Components
CWE-20: Improper Input Validation
It's the number one killer of healthy software, so you're just asking for trouble if you don't ensure that your input conforms to expectations.
CWE-116: Improper Encoding or Escaping of Output
Computers have a strange habit of doing what you say, not what you mean. Insufficient output encoding is the often-ignored sibling to poor input validation, but it is at the root of most injection-based attacks, which are all the rage these days.
CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
If attackers can influence the SQL that you use to communicate with your database, then they can.
CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications.
CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
When you invoke another program on the operating system, but you allow untrusted inputs to be fed into the command string that you generate for executing the program, then you are inviting attackers.

131. Top 25 Programming Errors
CATEGORY: Insecure Interaction Between Components
CWE-319: Cleartext Transmission of Sensitive Information
If your software sends sensitive information across a network, such as private data or authentication credentials, that information crosses many systems and components. If Sent in clear text is it intercept-able.
CWE-352: Cross-Site Request Forgery (CSRF)
With cross-site request forgery, the attacker gets the victim to activate a request that goes to your site. Thanks to scripting and the way the web works in general, the victim sends data from his browser to your site for someone else.
CWE-362: Race Condition
Attackers will consciously look to exploit race conditions to cause chaos or get your application to cough up something valuable.
CWE-209: Error Message Information Leak
If you use chatty error messages, then they could disclose secrets to any attacker who dares to misuse your software. The secrets could cover a wide range of valuable data that allows a hacker entry into your database.

132. Top 25 Programming Errors
CATEGORY: Risky Resource Management
CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
Buffer overflows are Mother Nature's little reminder of that law of physics that says if you try to put more stuff into a container than it can hold, you're asking for trouble.
CWE-642: External Control of Critical State Data
There are many ways to store user state data without the overhead of a database. Unfortunately, if you store that data in a place where an attacker can access temporary data and modify it, they may be able to pass parameters and information that they should not be able to.
CWE-73: External Control of File Name or Path
When you use an outsider's input while constructing a filename, you're taking a chance. If you're not careful, an attacker could send files and information that they should not normally be able to send.
CWE-426: Untrusted Search Path
If a resource search path is under attacker control, then the attacker can modify it to point to resources of the attacker's choosing. This causes the software to access the wrong resources at the wrong time.
CWE-94: Failure to Control Generation of Code (aka 'Code Injection')
For ease of development, sometimes you can't beat using a couple lines of code to employ lots of functionality. It's even cooler when you can pass additional ‘dynamic’ code to the application for it to run.

133. Top 25 Programming Errors
CATEGORY: Risky Resource Management
CWE-494: Download of Code Without Integrity Check
You don't need to be a guru to realize that if you download code and execute it, you're trusting that the source of that code isn't malicious.
CWE-404: Improper Resource Shutdown or Release
When your precious system resources have reached their end-of-life, you need to remove, release, shut down properly to allow the system to use those resources.
CWE-665: Improper Initialization
Just as you should start your day with a healthy breakfast, proper initialization helps to ensure that code will run properly.
CWE-682: Incorrect Calculation
When attackers have some control over the inputs that are used in numeric calculations, this weakness can lead to vulnerabilities. It could cause you to make incorrect security decisions. Over flows etc.

134. Top 25 Programming Errors
CATEGORY: Porous Defenses
CWE-285: Improper Access Control (Authorization)
If you don't ensure that your software's users are only doing what they're allowed to, then attackers will try to exploit your improper authorization and exercise unauthorized functionality that you only intended for restricted users.
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
You may be tempted to develop your own encryption scheme in the hopes of making it difficult for attackers to crack. This kind of grow-your-own cryptography is a welcome sight to attackers. Use Standard Encryption routines and algorithms
CWE-259: Hard-Coded Password
Hard-coding a secret account and password into your software's authentication module is an easy thing to hack. Further it prevents readily changeable passwords.
CWE-732: Insecure Permission Assignment for Critical Resource
If you have critical programs, data stores, or configuration files with permissions that make your resources accessible to the world - well, that's just what they'll become accessible to the world.

135. Top 25 Programming Errors
CATEGORY: Porous Defenses
CWE-330: Use of Insufficiently Random Values
If you use security features that require good randomness, but you don't provide it, then you'll have attackers laughing all the way to the bank. Imagine how quickly a Las Vegas casino would go out of business if gamblers could predict the next roll of the dice, spin of the wheel, or turn of the card.
CWE-250: Execution with Unnecessary Privileges
Spider Man said “With great power comes great responsibility." Your software may need special privileges to perform certain operations, but wielding those privileges longer than necessary can be extremely risky.
CWE-602: Client-Side Enforcement of Server-Side Security
Remember that underneath that fancy GUI, it's just code. Attackers can reverse engineer your client and write their own custom clients that leave out certain inconvenient features like all those pesky security controls. Servers should have the same security as the client.

136. Top 25 Programming Errors
Resources to Help Eliminate The Top 25 Errors
cwe.mitre.org/top25/

137. Multi Factor Authentication
Biometrics
Key cards
RSA Keys

138. Miscellaneous topics Internal hackers
filtering of at the border or beyond
flash drives
Open Source applications
user level threats

139. Resources
Microsoft’s Web Application Configuration Analyzer (just released 2.0)
Scans IIS servers
Hosted applications
SQL Server instances for common security issues and mis-configurations.

140. Resources Foundstone ( a McAfee organization ) Google diggity
Bing diggity
Stach & Liu used Google trends:
Stachliu.com/index.php/resources/tools/googlehackingtools

141. Resources Free Windows rootkit detection tools:
Sysinternals Rootkit Revealer
Avast! Antivirus
Sophos Anti-Rootkit
F-Secure Blacklight
MalwareBytes
HijackThis
Kaspersky removal tool

142. Resources
Infragard
NIST

143. Disclaimer
Scott Greene, Evidence Solutions are not recommending that you leave your current job to find one of the following jobs:

144. Top 20 Coolest Jobs in IT
1 Information Security Crime Investigator/Forensics Expert
2 System, Network, and/or Web Penetration Tester
3 Forensic Analyst
4 Incident Responder
5 Security Architect
6 Malware Analyst
7 Network Security Engineer
8 Security Analyst
9 Computer Crime Investigator

145. Top 20 Coolest Jobs in IT 10 CISO/ISO or Director of Security
11 Application Penetration Tester
12 Security Operations Center Analyst
13 Prosecutor Specializing in Information Security Crime
14 Technical Director and Deputy CISO
15 Intrusion Analyst
16 Vulnerability Researcher/ Exploit Developer
17 Security Auditor
18 Security-savvy Software Developer
19 Security Maven in an Application Developer Organization
20 Disaster Recovery/Business Continuity Analyst/Manager

146. Computers are like Old Testament gods; lots of rules and no mercy.
- Joseph Campbell

147. The Million Dollar Homepage is a website conceived in 2005 by 21-year-old student Alex Tew from Wiltshire, England, to raise money for his university education. The home page consists of a million pixels arranged in a 1000 × 1000 pixel grid; the image-based links on it were sold for $1 per pixel in 10 × 10 blocks.

148. Evalution
I value your comments. Please fill in your evaluation form found at the end of your packet.

149. Scott Greene: Other topics available
Computer Forensics
Computer Forensics for Defense Attorneys
Personal Privacy in the Information Age
High Technology: Just where is technology going?
Bypassing Security: How They Steal Company Data
Fundamentals of Digital Forensics
Technology Forensics: Theory & Potential... is it Science or Art?
Technology Forensics: Case Examples
Technology Forensics: Intellectual property and identity theft
Technology Forensics: Hardware and Software tools / Show and Tell
Portable Devices Issues and Answers: A discussion about cell phones and the stories they can tell.
Anti-Digital Forensics. Or is it Digital Anti-Forensics?
Data Security and Confidentiality Issues
The digital Smoking Gun

150. Evidence Solutions, Inc
Contact Information
Scott Greene, SCFE
Evidence Solutions, Inc