Evidence Solutions, Inc.

Presentation on theme: "Evidence Solutions, Inc."— Presentation transcript:

1 Evidence Solutions, Inc.
Security Threat Update - The Newest Threats and How to Protect Against Them Faculty: Scott Greene of Evidence Solutions, Inc.

2 If builders built houses the way programmers built programs, the first woodpecker to come along would destroy civilization. - Gerald Weinberg

3 Protect the Information
Provide Access

4 Top-ten threat rankings, by source

Rank | Securities Technology | ASI | M86 | Daily Finance | SANS
1 | Mobile Devices | Default or Weak Passwords | Targeted Attacks | Mobile Threats | Targeted Malware
2 | C-Level Targets | SQL Injection | Social Media Scams | Embedded Hardware | Lack of Incident Response
3 | Social Media Cyber Threats | Excessive Privileges | Mobile Malware | Virtual Currency | IPv6
4 | You Are Infected | Too Many DBMS Features On | Third-Party Exploits | OS Advances Steer Hackers | ARM (Mobile) Hacking
5 | Physical Can Be Digital | Broken Configuration Management | Exploit Kits & Malware | URL Hijacking | Social Engineering
6 | Cloud Computing | Buffer Overflows | Compromised Websites | Rogue Certs | Social Media
7 | Breaches Will Be Shared | Privilege Escalation | Botnets | Cyber War | Compliance
8 | Zero-Day Threats Will Increase | Denial of Service | Malware Spam | Hacktivism | Monitoring
9 | Insiders | Unpatched DBMS | Sporting Event Scams | Legalized Spam | Wireless Security
10 | Greater Regulation | Unencrypted Data | Cloud Service Attacks | Industrial Attacks |

Speaker notes on the Securities Technology list:

1. The exponential growth of mobile devices drives an exponential growth in security risks. Threat assessment: Every new smartphone, tablet or other mobile device opens another window for a cyber attack, as each creates another vulnerable access point to networks. Threat response: Force all communications from employees’ and managers’ portable devices through the corporate network, Wansley says. Allow no retransmission of any content obtained from within the network through such devices, except through monitoring software.

2. Increased C-suite targeting. Threat assessment: Senior executives are no longer invisible online. Firms should assume that hackers already have a complete profile of their executive suite and of the junior staff members who have access to them. Threat response: Train executives not to post any personal information to social media or other public websites. Screen all incoming mail to top executives for signs of “social engineering” through messages that appear to come from friends. Scan all messages for odd command-and-control instructions and extraneous lumps of code.

3. Growing use of social media will contribute to personal cyber threats. Threat assessment: A profile or comment on a social media platform, even by the CEO’s son or sister, can help hackers build an information portfolio that could be used for a future attack. Threat response: Establish as policy that senior executives and their relatives must not post to public sites any information that indicates personal interests that can be used to build profiles or guess passwords and other authenticating access information. Use available site monitoring software to cull and, when possible, remove any new information about executives or “superusers” on your network. If your “superusers” are gamed, you will lose control of the operation of basic functions.

4. Your company is already infected, and you’ll have to learn to live with it, under control. Threat assessment: Security should remain a priority, but today’s risks and threats are so widespread that it will become impossible to have complete protection; the focus of cyber security tactics increasingly must be to analyze, detect and expunge threats inside your system. Threat response: Spend as much time filtering communications inside your network as you do communications coming in to your firewall or trying to pass through your perimeter. Scan servers inside your network constantly for inexplicable files or fragments of code. Institute a ‘dynamic defense’: appoint around-the-clock security cops to observe and predict what new tactics are being used to put unauthorized code inside your network and replicate it.

5. Everything physical can be digital. Threat assessment: The written notes on a piece of paper, the report binder and even the pictures on the wall can be copied in digital format and gleaned for the tools to allow a hacktivist-type security violation, and increasingly this will be a problem. Threat response: Create awareness inside your organization that no photos or other images of any sort should be captured inside the walls of your offices without management supervision. That smartphone photo might actually be capturing usernames and passwords posted on cubicle walls. Or it may provide fodder for messages that will look like they are coming from trusted insiders, but aren’t.

6. More firms will use cloud computing. Threat assessment: The significant cost savings and efficiencies of cloud computing are compelling companies to migrate to the cloud. A well-designed architecture and operational security planning will enable organizations to effectively manage the risks of cloud computing. Threat response: Create ‘vaults’ to protect your assets, particularly something as valuable as algorithms. Lock down access to servers, except through two encrypted keys being used simultaneously by two different authorized users. Require biometric authentication before those users can employ and deploy their keys.

7. Global systemic risk will include cyber risk. Threat assessment: As banks and investment firms continue on the path to globalization, they will become increasingly inter-connected. A security breach at one firm can create negative ripple effects that greatly impact systemic risk in financial markets. Threat response: Filter incoming messages in SWIFT or FIX protocols as stringently as any message, or more. Look for unexplained code tucked into hard-to-notice spots. Look for non-standard formatting of messages. Look for extraneous code attached to the messages. Look for anything that looks like commands. In fact, screen traffic flow from trading partners, market data vendors or other known partners as stringently as any traffic from inside. Audit the security procedures of any exchange, trading partner or vendor you allow to connect with your network.

8. Zero-day malware (malicious software) and organized attacks will continue to increase. Threat assessment: Like a vicious, insidious virus that mutates, the tools of cyber criminals adapt and change constantly, rendering the latest defenses useless. Firms need to be prepared to adapt just as quickly to zero-day malware and to the tactics of organized crime and foreign adversaries that are increasingly used today. Threat response: Put in place tools to watch for known “signatures” of malicious software. But also develop an internal task force that watches trends and is charged with out-thinking and out-flanking the most brilliant of outsiders. Assume that every threat coming your way has no known signature, and has been months, if not years, in development.

9. Insider threats are real. Threat assessment: The accidental insider breach will continue to be the primary source of compromise for the Advanced Persistent Threat (a long-term, sophisticated and patient attack) and for other attempts to take advantage of existing systems. Threat response: Organizations need to focus on security awareness training and internal monitoring to detect intentional and accidental insider access. Data needs to be classified by its value to the firm, with the most important data being accessible only to the most valued manager. Biometric authentication is required. But, even then, not even the most valued manager should be allowed to make changes without secondary approval. Monitoring software should keep track 24x7 of all interactions from any source or individual with any piece of the crown jewels.

10. Increased regulatory scrutiny. Threat assessment: In October, the Securities and Exchange Commission introduced guidelines that require companies to report incidents that result, or could possibly result, in cyber theft or a risk of compromised data considered material. Threat response: Establish security standards that exceed all industry standards. Start with ISO/IEC 27002, an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC).

Speaker notes on the ASI (database) list:

Weak passwords… What more needs to be said? SQL injection: these attacks happen from the outside, but more frequently they are happening from inside the perimeter. Most organizations are focusing on the perimeter and believing that the data is safe. Excessive privileges cannot always be addressed; sometimes those are controlled by the software vendor. Releases and updates, and software vendors who are compliant with SOX, HIPAA and PCI, are helping. Review database privileges often, and consult with vendors regarding the same. Users and programmers are notorious for turning on features that they don’t need…

Speaker notes on the M86 list:

Anonymous will continue to attack organizations. Sony, Lockheed Martin and RSA are just the beginning. RSA was originally attacked by . An attachment exploited an Adobe Flash bug and installed a back door and other components. Social media scams exist for Facebook, LinkedIn, YouTube, Twitter and even Google+. They simply dupe users into clicking on links. Mobile malware continues to grow: Zeus and SpyEye are now on the Android platform. Some variants of the Morto worm spread on PCs via RDP.

5 Threats
March 30, 2012: Utah Department of Health
Cause: Records leak; 780,000 personal health records exposed
Cause: Weak password on server


7 Spam & Attack Mitigation

8 Spam & Attack Mitigation
Log unsuccessful attempts, both incoming and outgoing. Spear phishers often have to guess the mail address format, so it is likely the mail server will reject mis-formatted e-mails.

9 Spam & Attack Mitigation
This is likely the first sign your organization may be targeted. By reviewing logs shortly after trigger events, it is possible to learn whether attempts are being made and thus new rule sets can be created to block the sender and alert the individual they are being targeted.

10 Spam & Attack Mitigation
If it is determined there is an attack against an individual or group occurring, notify the individual or group.
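The slides above describe a procedure (log rejected mail, review the rejects after trigger events, block the sender and alert the target) without showing what the review looks like. The following is an added example, not part of the presentation: it parses constructed log lines in the Postfix smtpd "NOQUEUE: reject" format (an assumption; the slides name no mail server), groups "user unknown" rejects by client IP and envelope sender, and flags senders that tried several spellings of one person's address, which is the address-guessing pattern the slides describe. The access-map output format and all addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtpd reject format (assumed format, made-up addresses).
SAMPLE_LOG = """\
Mar 30 10:15:02 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <j.doe@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ceo-office@example.net> to=<j.doe@example.com> proto=ESMTP helo=<mail.example.net>
Mar 30 10:15:03 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <jdoe@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ceo-office@example.net> to=<jdoe@example.com> proto=ESMTP helo=<mail.example.net>
Mar 30 10:15:05 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <john_doe@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ceo-office@example.net> to=<john_doe@example.com> proto=ESMTP helo=<mail.example.net>
Mar 30 10:15:06 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <doej@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ceo-office@example.net> to=<doej@example.com> proto=ESMTP helo=<mail.example.net>
Mar 30 11:02:44 mx postfix/smtpd[2302]: NOQUEUE: reject: RCPT from relay.partner.example[198.51.100.7]: 550 5.1.1 <sales-old@example.com>: Recipient address rejected: User unknown in local recipient table; from=<billing@partner.example> to=<sales-old@example.com> proto=ESMTP helo=<relay.partner.example>
"""

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: (?P<status>\d{3} \d\.\d\.\d) "
    r"<(?P<rcpt>[^>]+)>: (?P<reason>[^;]+); from=<(?P<sender>[^>]*)>"
)


def parse_rejects(text):
    """Return one dict per rejected RCPT command; lines in any other format are skipped."""
    out = []
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def common_stem(local_parts, min_len=3):
    """Longest substring (at least min_len chars) shared by every guessed local part, or None.

    Variants such as j.doe / jdoe / john_doe / doej all contain 'doe', which is the
    name of the person being targeted rather than a random dictionary attack.
    """
    parts = [p.lower() for p in local_parts]
    shortest = min(parts, key=len)
    for n in range(len(shortest), min_len - 1, -1):
        for i in range(len(shortest) - n + 1):
            cand = shortest[i:i + n]
            if all(cand in p for p in parts):
                return cand
    return None


def find_address_probes(rejects, min_distinct=3):
    """Group 'user unknown' rejects by (client IP, envelope sender); flag groups that
    guessed several distinct recipients. A single wrong address (e.g. a stale partner
    contact) stays below the threshold and is not reported."""
    groups = defaultdict(list)
    for r in rejects:
        if "User unknown" in r["reason"]:
            groups[(r["ip"], r["sender"])].append(r["rcpt"])
    report = []
    for (ip, sender), rcpts in groups.items():
        distinct = sorted(set(rcpts))
        if len(distinct) < min_distinct:
            continue
        report.append({
            "ip": ip,
            "sender": sender,
            "attempts": len(rcpts),
            "recipients": distinct,
            # the shared stem tells the security team who to alert
            "likely_target": common_stem([a.split("@")[0] for a in distinct]),
        })
    return report


def access_map_entries(report):
    """Postfix access(5)-style client map lines rejecting each flagged source IP."""
    return [f"{e['ip']}\tREJECT address probing from {e['sender']}" for e in report]


if __name__ == "__main__":
    probes = find_address_probes(parse_rejects(SAMPLE_LOG))
    for p in probes:
        print(f"{p['ip']} ({p['sender']}): {p['attempts']} guesses, "
              f"likely target '{p['likely_target']}': {p['recipients']}")
    print("\n".join(access_map_entries(probes)))
```

Run daily against the reject log (or after a trigger event such as a press release naming an executive); the `likely_target` stem identifies who should be told they are being targeted.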

11 Spam Mitigation

12 Spam Mitigation

13 Spam Mitigation


15 Mobile Devices
Including, but not limited to: cellular phones, smartphones, tablets, laptops

16 Mobile Device Dangers




20 Mobile Device Dangers What Happens when a Smartphone is lost:
Symantec did a study in which they “lost” 50 cell phones in 5 cities: 72% of the finders tried to access photos, 57% tried to open a file named “Saved Passwords”, and 43% tried to open an app named “Online Banking.” Only 50% of the finders attempted to reunite the phone with its owner.

21 Mobile Device Dangers There is a dramatic increase in malware designed to attack mobile devices that run Android. The total number of identified threats to Android devices more than quadrupled in the first quarter of 2012, reaching 8,000. Part of that increase, however, came from improved detection.

22 Mobile Phone Dangers Most mobile malware aimed at Android did not come from apps offered through the Google Play app marketplace.

23 Smart Phone Management
Mobile Device Management (MDM) This product line secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises. MDM typically includes over-the-air distribution of applications, data and configuration settings for all types of mobile devices: mobile phones, smartphones, tablets, etc.

24 Smart Phone Management
This applies to both company-owned and employee-owned (BYOD) devices across the enterprise or mobile devices owned by consumers.

25 Smart Phone Management
MDM abilities include: inventory, updates, diagnostics, backup & restore, asset tracking, password enforcement, encryption, remote control / management, remote lock, remote wiping, software installation, locating and bread-crumbing, software whitelist / blacklist, and corporate data tracking.

26 Smart Phone Management
Issues: user consent / policy, general policy, eligibility, acceptable use, financial responsibility, program management, equipment.

27 Smart Phone Management
Acceptable use: while driving a motor vehicle; personal use; use in accordance with the COMPANY Code of Conduct.

28 Smart Phone Management
Issues: Sandboxing of corporate data makes employees feel good. Rooting (some systems try to detect it). Put corporate data into a vault or sandbox; employees then know that if they leave, they won’t lose all the rest of their stuff.

29 Solutions
Microsoft Exchange ActiveSync (EAS), Websense, BlackBerry Enterprise Server


31 Instant Messaging (IM)
Text, webcams, voice, files

32 Instant Messaging (IM)
Vulnerabilities: sending / receiving sensitive data; viruses aimed at IM (the Choke virus). Antivirus tools at the gateway do not inspect IM traffic and therefore will not see viruses received by users. Hackers have used IM networks to deliver phishing attempts, poison URLs and virus-laden files. These deliveries are done by sending files that users execute (which could be viruses, trojans or spyware) and by the use of “socially engineered” text and web addresses that entice the recipient to open a URL that then downloads malicious code.

33 Instant Messaging (IM)
The IM Security Center, a collaboration between security companies and corporations, has tracked attacks over IM since 2003 and shows well over 1000 distinct attacks over the public IM networks. Since 2007 there has been a steady increase in IM attacks. While still small, IM attacks continue to grow with the increased usage of IM; coupled with the adoption of IM in the workplace, this makes IM an attractive vector for hackers. Individuals and companies must take precautions to avoid infection.

34 Peer to Peer Networks (P2P)
Local shared network resources (location specific); wide-area peer-to-peer networking software (anywhere in the world)

35 Peer to Peer Networks (P2P)
Many peer-to-peer networks are under constant attack in a variety of ways: poisoning attacks, by supplying files with enticing names; man-in-the-middle attacks, where the attacker intercepts files by getting between the communication of two different users and can then change the information or simply pass it on untouched, all undetected.

36 Peer to Peer Networks (P2P)
Polluting attacks, by inserting “bad” chunks/packets into a valid file on the network (sometimes done by a man in the middle). Defection attacks (attaching to networks where security is lax). Malware in the peer-to-peer network software itself: the software is distributed containing spyware or trojans. Denial-of-service attacks.

37 Peer to Peer Networks (P2P)
Identity attacks (tracking down the users of the network and harassing or legally attacking them). Spamming (sending unsolicited information across the network, not necessarily as a denial-of-service attack and not necessarily ). Sybil attacks (one malicious identity presented as multiple identities, allowing the attacker to control a whole portion of the network).

38 Peer to Peer Networks (P2P)
Personal information is at risk because users expose certain files by putting them in shared document folders. These documents are at risk due to misplaced files, confusing interface design, incentives to share a large number of files, general laziness on the part of the user, wizards designed to find media folders, and poor organization habits.

39 Peer to Peer Networks (P2P)
Future risks: Second-generation peer-to-peer file sharing software now has the ability to search indexes using file names and the information associated with the files. This makes it easy to search for “Bank Account” information. These clients can also search using regular expressions, for example: 1=\<5\d\d\d[\-\. ](\d\d\d\d[\-\. ]){2}\d\d\d\d\>
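The expression on the slide matches a 16-digit number beginning with 5 in four groups separated by a dash, dot or space. As an added example (not from the presentation), the code below turns that same expression into a defender's check: it walks a shared folder the way an indexing client would, reports which files expose such numbers, and applies the Luhn check so that serial numbers and other look-alikes are not reported. The folder contents are constructed for the demo; the card number used is a well-known test value, not a real account.

```python
import os
import re
import tempfile

# Python form of the slide's \<5\d\d\d[\-\. ](\d\d\d\d[\-\. ]){2}\d\d\d\d\>
# (\< and \> are grep-style word boundaries; Python uses \b).
CARD_RE = re.compile(r"\b5\d{3}[-. ](?:\d{4}[-. ]){2}\d{4}\b")


def luhn_ok(number):
    """Luhn checksum over the digits of `number` (separators ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return (match, luhn_valid) for every candidate in `text`.

    The regex alone matches anything shaped like a card number; the Luhn flag
    separates plausible account numbers from serials and phone-style numbers.
    """
    return [(m.group(0), luhn_ok(m.group(0))) for m in CARD_RE.finditer(text)]


def scan_folder(root, max_bytes=1_000_000):
    """Walk `root` like a P2P indexer and map each file to the Luhn-valid numbers it exposes."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read(max_bytes)
            except OSError:
                continue
            hits = [num for num, valid in find_card_numbers(text) if valid]
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_demo_folder():
    """Create a throwaway 'shared' folder with constructed files (demo data, not real records)."""
    root = tempfile.mkdtemp(prefix="p2p_share_")
    os.makedirs(os.path.join(root, "My Documents"))
    samples = {
        # 5555 5555 5555 4444 is a published test number and passes Luhn
        "My Documents/Bank Account.txt": "Card on file: 5555 5555 5555 4444\nRouting 021000021\n",
        # shaped like a card number but fails Luhn, so it is not reported
        "My Documents/notes.txt": "Printer serial 5111-2222-3333-4444, nothing sensitive here.\n",
        "song.mp3.txt": "lyrics only\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel_path, numbers in scan_folder(build_demo_folder()).items():
        print(f"{rel_path}: exposes {len(numbers)} card-like number(s)")
```

Point `scan_folder` at the folders a file-sharing client actually exports to find what the network can already see; anything reported should be moved out of the share, not just renamed.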


41 RSA InsecureIDs & Lockheed
Lockheed said: “our systems remain secure.” No customer data was compromised. No employee personal data has been compromised. No such assurance was given for proprietary data or military systems data.

42 RSA InsecureIDs As reported by The Christian Science Monitor, a DOD document states: "Any computer-based attack by an adversary nation that damages US critical infrastructure or US military readiness could be an 'act of war,' according to new Defense Department cyberwarfare policies that have yet to be officially unveiled."

43 RSA InsecureIDs Going back to just passwords, but making them strong ones and authenticating the endpoint: making sure that the machine a user is signing in from is the machine that user normally uses.

44 Google Hack Google announced that hackers have gone after specifically targeted U.S. government officials and military personnel Gmail users. Why would government leaders use Gmail in the first place? U.S. government officials, after all, have access to official government systems that have layer after layer of security. So how does Gmail, Google's cloud-based service, come into play?

45 Google Vulnerabilities
Eight vulnerabilities in Google services were revealed during the Hack in the Box conference in Amsterdam on Thursday 5/24/2012 That same group claims to have discovered more than 100 such bugs over the past few months.

46 Bot Nets "bots" are a type of malware that allows an attacker to take control over an affected computer. Also known as "Web robots", bots are usually part of a network of infected machines linked by the internet. These victim machines make up a “Bot Net” that stretch across the globe.

47 Bot Nets Because a bot-infected computer follows its master's orders, such machines are generally referred to as "zombies". Cybercriminals that control these bots are called bot-herders or bot-masters. It is hard to detect bots on your network, until they leap into action.

48 Bot Nets Bot Nets might have a few hundred or a couple thousand computers, but others have tens and even hundreds of thousands of zombies at their disposal. Conficker / Downadup Worm

49 Bot Nets "Botnets are one of the greatest facilitators of cybercrime these days. Really the cybercrime arena is wrapped around botnets." --Wendi Whitmore, special agent, Air Force Office of Special Investigations

50 In October 2006, a foreign hacker broke into a system at a water-filtration plant in Harrisburg, Pa., after an employee's laptop computer was compromised via the Internet and then used as an entry point to install malware on the plant's computer


52 BYOD Policy Allowing employees to use their personal mobile devices for work-related tasks provides advantages: less laptop lugging easier connectivity potentially better interfaces

53 BYOD Policy It can also help an organization financially when the organization doesn’t have to pay for: Smartphones Tablets Data plans

54 BYOD Policy The risks of BYOD include security vulnerabilities, support costs and liability issues.

55 BYOD Policy Organizations that allow employees to bring devices to work should have a well-defined BYOD policy and mechanisms to enforce it.

56 BYOD Policy Defining a BYOD policy:
1) define the scope of control the business expects to maintain over employee-owned devices. At one end of the spectrum, a business could treat devices as if they were corporate assets in return for allowing employees access to IT resources from their personal devices. The other extreme is to assume no control over the devices themselves and instead focus on access controls and limiting risks such as leaving corporate data on BYOD devices. The optimal BYOD policy may lie somewhere between these two poles.

57 BYOD Policy 2) Acceptable use of corporate IT resources on mobile devices:
Require VPN access; minimal security controls on the device; the need for company-provided components such as Secure Sockets Layer (SSL) certificates for authentication; rights of the organization to alter the device (e.g., to remotely wipe a lost or stolen device).

58 BYOD Policy 2) Acceptable use, continued: encryption of data; prohibit storage of business data; prohibit storage of passwords, etc.

Acceptable-use policies could require the use of a virtual private network when accessing corporate systems and prohibit the storage of passwords to business applications. Security controls might also require the use of encryption for stored data, device password protection and registration of devices with a mobile device management (MDM) system. Employees should be informed of all aspects of the BYOD policy and agree to them.

Written policies and employee consent are not enough to protect a company’s information assets. Even well-intentioned employees can make mistakes, such as forgetting to set a device password or downloading confidential information over an unencrypted session. Mobile device policies should have an enforcement mechanism to ensure that they are applied consistently.

Enforcing a BYOD policy: Chances are that some of your company’s existing applications can enforce a BYOD policy. But before you try to use these apps, consider two key questions: “Are these applications sufficient to meet all enforcement requirements?” and “How difficult is it to manage mobile devices with these applications?”

Consider the widely used ActiveSync. ActiveSync provides for policy enforcement, but mobile device manufacturers have not always supported all ActiveSync enforcement mechanisms. Microsoft has established an ActiveSync logo program to encourage standard criteria for a minimum level of policy enforcement. Qualified devices must support automatic discovery, remote wipe, required password, minimum password length, timeout without user input and a maximum number of failed attempts, among others. If enforcement mechanisms are sufficient and your employees are using supported devices, ActiveSync could address your BYOD policy needs.

Third-party MDM applications can support a wide array of BYOD policy enforcement operations, including full lifecycle management, app inventory control, data protection, certificate distribution, device configuration and lockdown. BYOD policy enforcement begins with provisioning. MDM apps can help ensure consistent configuration of devices, install applications and create accounts on self-service management portals. If your policies limit the apps that can be deployed on a BYOD device, use an MDM system that provides for unauthorized app detection.

Most MDM applications support remote wiping, but completely wiping a device is drastic and, in many cases, may not be necessary. MDM apps can selectively wipe data, allowing device administrators to delete corporate data while leaving personal data intact. Your BYOD policy may require that all devices accessing corporate systems be registered with your IT department and configured with an SSL certificate for authentication. MDMs that support certificate distribution can minimize management headaches for this operation. MDM systems can further ease the burden by reporting on expired certificates, revoked certificates and other certificate management concerns.

Finally, look for MDM apps to provide device configuration and lockdown functions. For some users, for example, you may wish to lock down cameras, Bluetooth, GPS and Wi-Fi. If you specify an encryption policy, investigate an MDM that can enforce this policy on both fixed storage and Secure Digital cards.

A good BYOD policy has two characteristics: policies are clearly defined, and they are enforced. A BYOD policy should address acceptable use, security controls and the rights of the business to alter the device. Existing enterprise applications, such as Microsoft Exchange ActiveSync and certificate management systems, may be sufficient for enforcing policies. If you require more control over devices and the ability to generate management reports about BYOD use, an MDM system may be a better option.


60 Unauthorized Hardware
Hackers are constantly looking for targets: unprotected systems that are attached to networks. Do you know what’s on your network? Users add things to networks all the time. Inventory often. Control what is attached. Do not hook up a system until it is configured.

61 Unauthorized Hardware
Solutions: Maintain an accurate inventory of physical systems as they relate to your asset inventory. Include: IP address, MAC address, device name, purpose, owner / manager responsible.

62 Unauthorized Hardware
Solutions: Use and test network inventory software and / or hardware. Test the operation often with a known rogue machine. Test the delay before the machines are quarantined and users confronted.

63 Unauthorized Hardware
Solutions: When alerts are received, treat them as important. Safeguard the accurate database created by the software. Compare the software database with the physical asset list. Implement configuration management systems to ensure that all systems are safely patched.

64 Unauthorized Software
Hackers & bots are looking for software to compromise as well. Do you know what is on your users’ machines? Have, and manage to, a white list of accepted software. Document all exceptions.

65 Unauthorized Software
Solutions: Maintain an accurate inventory of acceptable software. Include: manufacturer, version; if an exception: device name, purpose, owner / manager responsible.

66 Unauthorized Software
Solutions: Install software inventory & management tools. Requirements should be: for operating systems, version and patches installed; for applications, type, manufacturer and patch level.

67 Unauthorized Software
Solutions: Install software inventory & management tools. The most effective tools include a hash of known good versions, can prevent execution of anything not on the ‘white list’, can validate the location of the file in the file system, and track allowed users.

68 Unauthorized Software
Solutions: Operating systems: consistency is key. Drivers should all be signed and should only come from the manufacturers of the device installed.

69 Harden Workstations & Servers
Systems that are installed, hooked up and not properly secured pose a significant threat.

70 Harden Workstations & Servers
Solutions: Ideally, have your hardware vendor set up the machines with an image that is created / updated on a regular basis. Install from a secure server that contains updated images of what should be on a machine.

71 Harden Workstations & Servers
Solutions: Remove all extraneous users that come with the OS. Shut down and remove all extra services. Shut down all unused ports. Install local firewall software & configure it.

72 Harden Workstations & Servers
Solutions: Run assessment programs regularly. Test with systems that aren’t configured correctly. Test by injecting systems that are configured correctly.

73 Harden Devices Secure the configurations of network devices such as firewalls, routers, and switches. While these are on the radar, they are rarely double-checked after configuration. Hackers have automated tools looking for holes in the perimeter as well as in internal devices.

74 Harden Devices Secure Firewall Configurations: Auditing
75% of firewalls have rules that are not required; 50% of those are dangerous.

75 Harden Devices Solutions: Create a standard configuration document and follow it. Filter all un-needed services. Exceptions, when required, should have a time limit or a review period. Log, log, log. Monitor & review.

76 Harden Devices Solutions: Use penetration tools regularly. Test from the outside world & the inside world. All devices should use encrypted configuration logins. Use separate physical networks where possible; use VLANs where physically separating the networks is not possible.
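Slide 74 states that most firewalls carry rules that are not required and that half of those are dangerous; slide 75 asks for a standard configuration document and periodic review. As an added example (not part of the presentation, and not tied to any vendor's rule syntax), the code below audits a small constructed rule set under first-match semantics: it reports rules that can never match because an earlier rule already covers them (redundant when the actions agree, a silently unenforced deny when they conflict) and allow rules that permit any source to any destination on any port. Rule names, networks and the simplified rule fields are assumptions for the demo.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    dport: str    # "22", "1-1024" or "any"


def _net(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def _ports(spec):
    if spec == "any":
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def covers(outer, inner):
    """True when every packet `inner` could match is already matched by `outer`,
    so under first-match evaluation `inner` never fires if `outer` precedes it."""
    lo_o, hi_o = _ports(outer.dport)
    lo_i, hi_i = _ports(inner.dport)
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.proto in ("any", inner.proto)
            and lo_o <= lo_i and hi_i <= hi_o)


def is_any_any_allow(rule):
    return (rule.action == "allow"
            and _net(rule.src).prefixlen == 0
            and _net(rule.dst).prefixlen == 0
            and _ports(rule.dport) == (0, 65535))


def audit_rules(rules):
    """Return (rule name, issue, shadowing rule name or None) for each finding.

    redundant          : an earlier rule with the same action already covers it (not required)
    shadowed-conflict  : an earlier rule with the opposite action covers it, so the
                         intended allow/deny is never enforced (dangerous)
    permissive         : allow any -> any on all ports (dangerous)
    """
    findings = []
    for i, rule in enumerate(rules):
        shadow = next((r for r in rules[:i] if covers(r, rule)), None)
        if shadow is not None:
            kind = "redundant" if shadow.action == rule.action else "shadowed-conflict"
            findings.append((rule.name, kind, shadow.name))
        elif is_any_any_allow(rule):
            findings.append((rule.name, "permissive", None))
    return findings


# Constructed rule set for the demo (addresses from documentation ranges).
SAMPLE_RULES = [
    Rule("r1", "allow", "10.0.0.0/8",     "10.1.2.3/32", "tcp", "22"),       # admin SSH
    Rule("r2", "allow", "10.0.0.0/8",     "10.1.2.0/24", "tcp", "1-65535"),  # legacy broad allow
    Rule("r3", "allow", "10.0.5.0/24",    "10.1.2.3/32", "tcp", "22"),       # already covered by r1
    Rule("r4", "deny",  "10.0.7.0/24",    "10.1.2.3/32", "tcp", "22"),       # deny that r1 defeats
    Rule("r5", "allow", "203.0.113.0/24", "10.1.2.3/32", "tcp", "443"),      # partner HTTPS, fine
    Rule("r6", "allow", "any",            "any",         "any", "any"),      # "temporary" catch-all
]

if __name__ == "__main__":
    for name, issue, by in audit_rules(SAMPLE_RULES):
        print(f"{name}: {issue}" + (f" (covered by {by})" if by else ""))
```

Run the audit against the exported rule base as part of the review period the slide calls for; a `shadowed-conflict` finding means a control someone believes is in place is not.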

77 "A network of hackers, most based in China, have been making up to 70,000 attempts a day to break into the NYPD's computer system, the city's Commissioner, Raymond Kelly, revealed Wednesday.”

78 Log Log Log Many incidents can be readily revealed with a bit of logging and analysis of those logs.

79 Logs Solutions Almost everything that has a log should have the log turned on. Logs should include: date/time, source IP, destination IP, port, etc.

80 Logs Solutions Use standard SYSLOG entries, or use software that converts logs to a common log format. Store logs for a while; space & DVDs are cheap. Create systems & procedures for analyzing logs. These systems should distinguish ‘normal’ items from ‘abnormal’ items.

81 Logs Solutions All remote access logging should be in detail and should be rigorously analyzed. All security alerts should be logged: workstations, servers, devices.

82 Logs Solutions Use unified time: this allows logs to be matched up across many devices and / or networks. Border devices should log verbosely and should log all traffic, both blocked and allowed.

83 Logs Solutions Logs should be secured: exported & saved on write-once devices, or written to dedicated logging servers that use separate security credentials.

84 Logs Solutions Test the logs and review them after: normal / acceptable traffic; pushing the system; attempts to penetrate the network from inside and from outside. Compare and correlate the data on all of the logs for validity.

85 Logs Solutions Review test logs every day. Use automated tools to analyze large amounts of data. Test: attack a system and test the response time, from discovery to the action taken against the attack.


87 Malware 6 million+ unique malware samples were identified in the first quarter of 2011, a 26% increase from Q1 of 2010 and far exceeding any first quarter in malware history. 70,000 new malware strains are detected every day.

88 Malware McAfee says that PC malware had its "busiest quarter in recent history," in their quarterly security report released Wednesday 5/23/2012.

89 Malware Malware targeting Apple computers also continued to rise steadily. New malware for the Mac exploded in the second quarter of 2011, but this last quarter saw the most new cases since then with about 250.

90 What exactly is a RootKit?
A rootkit is a software/hardware application that enables continued privileged access to a computer while actively concealing its presence from authorized users and administrators.

91 What exactly is a RootKit?
The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.

92 Persistent Rootkits Persistent rootkits activate each time the system boots. Because they start automatically at each system start or when a user logs in, they must store code in a persistent store, such as the Registry or file system, and they execute without user intervention.

93 Memory-Based Rootkits
Memory-based rootkits have no persistent code and therefore do not survive a reboot.

94 User-mode Rootkits These rootkits usually intercept user-centered operating system information and return results that prevent the user from seeing the rootkit’s executable files and libraries. On Windows, the native API serves as the interface between user-mode client software and kernel-mode services. The most sophisticated user-mode rootkits intercept the file system, Registry, and system process functions of the native Windows API, preventing detection of the rootkit.

95 Kernel-mode Rootkits These rootkits are usually the most powerful, since they can not only intercept the native API in kernel mode but also directly manipulate kernel-mode data. Kernel rootkits hide their presence by removing their process from the kernel's list of active processes, so these rootkits will normally be absent from the Task Manager.

96 A Brief History of RootKits
The first Windows rootkit, NTRootkit, appeared in 1999 on NT; HackerDefender followed in 2003. The first Mac rootkit targeting OS X appeared in 2009, and the Stuxnet worm was the first to target programmable logic controllers (PLCs).

97 And then there was: The Sony BMG copy protection rootkit


99 Our protected environments
Classic Perimeter:
Firewall
ACL (port and web filter)
IDS / NIPS / HIDS
Proxy
Patch Control
Personal Firewalls

ACL – Access Point Control (access control list)
IDS – Intrusion Detection System
NIPS – Network Intrusion Protection System
HIDS – Host Intrusion Detection System

100 Our Protected Environments…
Rootkits still penetrate.
Even proxies, Websense and IE lockdowns are not a perfect solution.
Volume is so high and attackers so sophisticated that a tiny percentage gets through…

101 Our Protected Environments…
It is estimated that in a 24 hour period, of 44K web sessions accessing 10K hosts, approximately 20 web exploits were discovered.
So what? .04%? Big deal!

102 Limit Administrators All too often users are granted “Administrator” privileges on networks, servers & workstations. When such access is attached to one of their accounts, they tend to use the account with Administrative privileges.

103 Limit Administrators Solutions
Monitor and log all users that need ‘administrator’ (and Super User) access.
Create multiple accounts for such users and encourage them to use the ‘administrator’-capable account only when required by their job.
Require such users to have STRONG passwords.

104 Limit Administrators Solutions
Remote ‘administrator’ access should be prevented. Once connected with a non-administrator account, users can log in to additional systems with their ‘administrator’ account.
Audit / confirm: Audit all users with ‘Administrator’ capabilities often. Remove such privileges when they are no longer needed by the user.

105 Limit Administrators Solutions Audit / confirm
Review logs to ensure that users are not abusing the rules:
Reading email with their privileged accounts
Browsing the Internet
Educate ‘Administrator’ users about social engineering techniques.
Attempt to social engineer ‘Administrator’ users.
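The log review described above, as an added example that is not part of the original presentation: it scans proxy and mail log lines for privileged accounts doing everyday work. The log line format, the account names and the "adm-" naming convention are assumptions made for this example, and the log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original presentation). The format
# "timestamp source user=... detail" is an assumption made for this example.
SAMPLE_LOGS = [
    "2012-05-23T09:14:02 proxy user=adm-jsmith url=http://news.example.com/",
    "2012-05-23T09:15:40 proxy user=jsmith url=http://intranet.example.com/",
    "2012-05-23T09:20:11 mail user=adm-jsmith action=read_message",
    "2012-05-23T09:22:05 mail user=bwong action=read_message",
    "2012-05-23T10:01:00 proxy user=adm-bwong url=http://updates.example.com/",
]

# Accounts that carry 'Administrator' (or Super User) privileges. In practice
# this set comes from the directory; here it is an assumed constant.
ADMIN_ACCOUNTS = {"adm-jsmith", "adm-bwong"}

# Activities the slide says a privileged account should never be used for.
FORBIDDEN = {"proxy": "browsing the Internet", "mail": "reading email"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<source>\w+)\s+user=(?P<user>\S+)\s+(?P<rest>.*)$"
)


def find_privileged_misuse(log_lines, admin_accounts=ADMIN_ACCOUNTS):
    """Return one finding per log line in which a privileged account performed
    an everyday activity (web browsing or email) instead of administration."""
    findings = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the review
        user, source = m.group("user"), m.group("source")
        if user in admin_accounts and source in FORBIDDEN:
            findings.append({
                "timestamp": m.group("ts"),
                "account": user,
                "activity": FORBIDDEN[source],
                "detail": m.group("rest"),
            })
    return findings


def summarize(findings):
    """Count violations per account so the habitual offenders stand out."""
    return Counter(f["account"] for f in findings)


if __name__ == "__main__":
    hits = find_privileged_misuse(SAMPLE_LOGS)
    for f in hits:
        print(f"{f['timestamp']} {f['account']} was {f['activity']}: {f['detail']}")
    print(summarize(hits))
```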

106 Limit Administrators Solutions
Require two-factor authentication for all Administrator accounts.
Use roles / groups to segregate responsibilities:
Workstation administrators only have access to administration of workstations, laptops, etc.
Domain administrators only have administrator access to servers.

107 Limit Administrators Solutions Audit Processes
Look at all processes that have ‘Administrator’ privileges. Reduce them to only what is required.
Review detailed logs often to determine whether any rogue ‘Administrators’ or software running with ‘Administrator’ privileges exist in your domain.

109 Limit Administrators Make being logged in as an administrator as annoying as you can:
No email access
No Web Access
1 minute to lock machine in Screen Saver


111 People People People Organizations with educated users have fewer problems.
Threats to organizations:
Social engineering
Sloppy users
End users are fooled into opening attachments and loading software from untrusted sites, visiting web sites where they are infected, and more.

112 People People People Threats to organizations Sloppy users
System administrators are also fooled like normal users, but are also tested when:
unauthorized accounts are set up on their systems
unauthorized equipment is attached
large amounts of data are exfiltrated.
Security operators and analysts are hit with new and innovative attacks:
sophisticated privilege escalation
redirection
other attacks, along with a continuous stream of more traditional attacks (they get distracted).

113 People People People Threats to organizations Sloppy users
Application programmers are tested by criminals who find and exploit the vulnerabilities they leave in their code.
Stubborn Organizations: System owners are tested when they are asked to invest in cyber security but are unaware of, or refuse to accept, the devastating impact a compromise, data exfiltration or data alteration would have on their mission.

114 Social Engineering Methods
1) Call the help desk to find out the secret questions, using a non-target.
2) Gather up the target’s secret question answers.
3) Once they have those, get the help desk to change the password.
4) Then call the target and inform them about the change.

115 Social Engineering Methods QUICK CHANGE
1) Help the user change their password by intimating that you are from the help desk.
2) Then tell the user not to reveal their current password, for security purposes.

116 Social Engineering Methods
Give out USB flash drives with malicious code.
Get a keylogger with Bluetooth.

117 Social Media Policy Single person or limited persons who can post
Policy about what they can post

118 On the Internet…. Nobody knows you’re a dog.
And increasingly, nobody knows you’re a hacker.

119 Events & Social Engineering
Just over one year ago: Osama Bin Laden's Death a Party for Spammers, Fake AV Scammers

120 Events & Social Engineering
This year (month, date, event, location):
May 18-19: G8 Summit, Camp David
May 20-21: NATO Summit, Chicago, IL
June 18-20: G-20 Summit, Los Cabos, Mexico
July 27 to August 12: Summer Olympics, London
August 27-30: Republican National Conv., Tampa, FL
September 03-06: Democratic National Conv., Charlotte, NC
November: Asia Pacific Economic Summit, Russky Island

121 Events & Social Engineering
Based on history, malicious persons will capitalize on these high profile events to collect intelligence, distribute spam and/or draw attention to ideological causes. Some foreign intelligence services will likely use socially engineered spear-phishing emails to masquerade as a trustworthy entity and target individuals affiliated with these events.

122 Events & Social Engineering
Normally targeting begins as early as months before the event and may continue until weeks after the event concludes.

123 Events & Social Engineering
These targeted activities are an effort to collect the economic and political strategies, talking points, and related intelligence of the countries and key personalities in attendance at the event, in order to negotiate and compete from a position of strength.

124 Events & Social Engineering
These events may also become prime spam content for criminals seeking financial gain. The spam may be used to distribute malware or phish PII or financial information. Phishing and scams imitating official 2012 Olympic correspondence or offering tickets have already begun circulating in the wild.

125 Events & Social Engineering
Lastly, hacktivists have defaced and disrupted the websites of conference related financial, corporate, and government entities to promote their ideological positions. It is probable that hacktivists will conduct similar activities during the summits.

126 Mitigation Train users to be wary of unsolicited attachments, even from people you know. Just because an email message looks like it came from a familiar source does not mean it did: malicious persons often "spoof" the return address, making it look like the message came from someone else.

127 Mitigation Check with the person who supposedly sent the message to make sure it's legitimate before opening any attachments. This also includes messages that appear to be from your Internet Service Provider (ISP) or software vendor claiming to include patches or anti-virus software. ISPs and software vendors do not send patches or software in email.

128 Mitigation Keep software up to date - Install software patches so that attackers can't take advantage of known problems or vulnerabilities (see US-CERT Security Tip ST04-006, Understanding Patches for more information). Many operating systems offer automatic updates. If this option is available, you should enable it.

129 Mitigation Teach your employees to trust their instincts. If an email or attachment seems suspicious, don't open it, even if your antivirus software indicates that the message is virus free. Attackers are constantly releasing “zero-days”, and most likely your anti-virus software does not have a signature for them yet.
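An added example, not part of the original presentation, of the header checks a mail gateway or help desk can apply before anyone opens an attachment: it compares the From and Return-Path domains, reads the SPF/DKIM results the receiving server recorded in Authentication-Results, and flags executable attachments. The sample message and every header value in it are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the original presentation). The sender
# domain, relay domain and authentication results are invented to illustrate a
# spoofed "help desk" message carrying a fake patch.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "IT Help Desk" <helpdesk@example.com>
To: jsmith@example.com
Subject: Urgent security patch
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please install the attached patch immediately.
--b1
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"

MZ...
--b1--
"""

# Attachment types that an ISP or software vendor would not send by email.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd")


def domain_of(header_value):
    """Extract the lower-cased domain from an address header such as From."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw):
    """Return the reasons this message deserves a phone call to the supposed
    sender before any attachment is opened. An empty list means nothing stood out."""
    msg = message_from_string(raw)
    reasons = []
    # 1. The visible From address and the envelope Return-Path disagree.
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    if from_dom and rp_dom and from_dom != rp_dom:
        reasons.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    # 2. The receiving server's own SPF/DKIM/DMARC verdicts were negative.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() in ("fail", "softfail", "permerror"):
            reasons.append(f"{mech.upper()} result is {m.group(1)}")
    # 3. An attachment whose type is code rather than a document.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"executable attachment {name}")
    return reasons


if __name__ == "__main__":
    for reason in assess_message(SAMPLE_MESSAGE):
        print("verify before opening:", reason)
```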

130 Top 25 Programming Errors
CATEGORY: Insecure Interaction Between Components
CWE-20: Improper Input Validation. It's the number one killer of healthy software, so you're just asking for trouble if you don't ensure that your input conforms to expectations.
CWE-116: Improper Encoding or Escaping of Output. Computers have a strange habit of doing what you say, not what you mean. Insufficient output encoding is the often-ignored sibling of poor input validation, but it is at the root of most injection-based attacks, which are all the rage these days.
CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection'). If attackers can influence the SQL that you use to communicate with your database, then they can.
CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting'). Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications.
CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection'). When you invoke another program on the operating system, but you allow untrusted inputs to be fed into the command string that you generate for executing the program, then you are inviting attackers.
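To make CWE-89 and CWE-116/CWE-79 concrete, here is an added example (not from the presentation) that puts the vulnerable lookup beside its parameterized form and encodes output for the HTML context it lands in. The table, rows and function names are constructed for the example.

```python
import html
import sqlite3


def build_db():
    """In-memory database with constructed sample rows (not from the presentation)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_vulnerable(conn, name):
    """CWE-89: the caller's input is spliced into the SQL text, so the input can
    change the structure of the query instead of merely supplying a value."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterized query: the driver passes the value separately from the
    statement, so the query structure is fixed whatever the input contains."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(name):
    """CWE-116 / CWE-79: encode untrusted data for the HTML context it is
    written into. A string that is harmless in SQL may be active content in a page."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    conn = build_db()
    # Classic demonstration input: a quote that closes the literal, then an
    # always-true condition. Only the string-built query is affected by it.
    tainted = "' OR '1'='1"
    print(find_user_vulnerable(conn, tainted))  # every row in the table
    print(find_user_safe(conn, tainted))        # no user has that name: []
    print(render_greeting("<script>alert(1)</script>"))
```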

131 Top 25 Programming Errors
CATEGORY: Insecure Interaction Between Components
CWE-319: Cleartext Transmission of Sensitive Information. If your software sends sensitive information across a network, such as private data or authentication credentials, that information crosses many systems and components. If sent in clear text, it is interceptable.
CWE-352: Cross-Site Request Forgery (CSRF). With cross-site request forgery, the attacker gets the victim to activate a request that goes to your site. Thanks to scripting and the way the web works in general, the victim sends data from his browser to your site on someone else's behalf.
CWE-362: Race Condition. Attackers will consciously look to exploit race conditions to cause chaos or get your application to cough up something valuable.
CWE-209: Error Message Information Leak. If you use chatty error messages, then they could disclose secrets to any attacker who dares to misuse your software. The secrets could cover a wide range of valuable data that allows a hacker entry into your database.

132 Top 25 Programming Errors
CATEGORY: Risky Resource Management
CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer. Buffer overflows are Mother Nature's little reminder of that law of physics that says if you try to put more stuff into a container than it can hold, you're asking for trouble.
CWE-642: External Control of Critical State Data. There are many ways to store user state data without the overhead of a database. Unfortunately, if you store that data in a place where an attacker can access and modify that temporary data, they may be able to pass parameters and information that they should not be able to.
CWE-73: External Control of File Name or Path. When you use an outsider's input while constructing a filename, you're taking a chance. If you're not careful, an attacker could send files and information that they should not normally be able to send.
CWE-426: Untrusted Search Path. If a resource search path is under attacker control, then the attacker can modify it to point to resources of the attacker's choosing. This causes the software to access the wrong resources at the wrong time.
CWE-94: Failure to Control Generation of Code (aka 'Code Injection'). For ease of development, sometimes you can't beat using a couple of lines of code to employ lots of functionality. It's even cooler when you can pass additional ‘dynamic’ code to the application for it to run.
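For CWE-73, an added example (not from the presentation) of the check that keeps an outsider's filename inside the directory it is meant to address: the base directory and the request strings are constructed, and the function name is invented for the example.

```python
import os


def resolve_under_base(base_dir, requested, resolve_symlinks=False):
    """Map a user-supplied relative path onto a file under base_dir and refuse
    anything that would escape that directory (CWE-73, path traversal).
    Returns the absolute path, or raises ValueError for a rejected request."""
    base = os.path.abspath(base_dir)
    # An absolute input would make os.path.join discard base_dir entirely.
    if os.path.isabs(requested):
        raise ValueError("absolute paths are not allowed")
    # abspath collapses '..' and '.' components lexically, without touching the disk.
    full = os.path.abspath(os.path.join(base, requested))
    if resolve_symlinks:
        # realpath consults the filesystem, so a symlink inside base_dir that
        # points outside it is caught too; the lexical check alone misses that.
        base, full = os.path.realpath(base), os.path.realpath(full)
    # commonpath compares whole components, so '/srv/files-private' is not
    # mistaken for a child of '/srv/files' the way a string-prefix test would.
    if os.path.commonpath([base, full]) != base or full == base:
        raise ValueError(f"path escapes base directory: {requested!r}")
    return full
```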

133 Top 25 Programming Errors
CATEGORY: Risky Resource Management
CWE-494: Download of Code Without Integrity Check. You don't need to be a guru to realize that if you download code and execute it, you're trusting that the source of that code isn't malicious.
CWE-404: Improper Resource Shutdown or Release. When your precious system resources have reached their end of life, you need to remove, release, or shut them down properly so the system can reuse those resources.
CWE-665: Improper Initialization. Just as you should start your day with a healthy breakfast, proper initialization helps to ensure that code will run properly.
CWE-682: Incorrect Calculation. When attackers have some control over the inputs that are used in numeric calculations, this weakness can lead to vulnerabilities. It could cause you to make incorrect security decisions. Overflows, etc.

134 Top 25 Programming Errors
CATEGORY: Porous Defenses
CWE-285: Improper Access Control (Authorization). If you don't ensure that your software's users are only doing what they're allowed to, then attackers will try to exploit your improper authorization and exercise unauthorized functionality that you only intended for restricted users.
CWE-327: Use of a Broken or Risky Cryptographic Algorithm. You may be tempted to develop your own encryption scheme in the hopes of making it difficult for attackers to crack. This kind of grow-your-own cryptography is a welcome sight to attackers. Use standard encryption routines and algorithms.
CWE-259: Hard-Coded Password. Hard-coding a secret account and password into your software's authentication module is an easy thing to hack. Further, it prevents the password from being readily changed.
CWE-732: Insecure Permission Assignment for Critical Resource. If you have critical programs, data stores, or configuration files with permissions that make your resources accessible to the world, well, that's just what they'll become: accessible to the world.

135 Top 25 Programming Errors
CATEGORY: Porous Defenses
CWE-330: Use of Insufficiently Random Values. If you use security features that require good randomness, but you don't provide it, then you'll have attackers laughing all the way to the bank. Imagine how quickly a Las Vegas casino would go out of business if gamblers could predict the next roll of the dice, spin of the wheel, or turn of the card.
CWE-250: Execution with Unnecessary Privileges. Spider-Man said, “With great power comes great responsibility.” Your software may need special privileges to perform certain operations, but wielding those privileges longer than necessary can be extremely risky.
CWE-602: Client-Side Enforcement of Server-Side Security. Remember that underneath that fancy GUI, it's just code. Attackers can reverse engineer your client and write their own custom clients that leave out certain inconvenient features like all those pesky security controls. The server must enforce the same security controls as the client.

136 Top 25 Programming Errors
Resources to Help Eliminate The Top 25 Errors

137 Multi Factor Authentication
Biometrics
Key cards
RSA Keys

138 Miscellaneous topics Internal hackers
Filtering of email at the border or beyond
Flash drives
Open Source applications
User-level threats

139 Resources Microsoft’s Web Application Configuration Analyzer (just released 2.0) scans IIS servers, hosted applications and SQL Server instances for common security issues and misconfigurations.

140 Resources Foundstone (a McAfee organization)
Google Diggity
Bing Diggity
Stach & Liu used Google Trends:

141 Resources Free Windows rootkit detection tools:
Sysinternals Rootkit Revealer
Avast! Antivirus
Sophos Anti-Rootkit
F-Secure Blacklight
MalwareBytes
HijackThis
Kaspersky removal tool

142 Resources Infragard NIST

143 Disclaimer Scott Greene, Evidence Solutions are not recommending that you leave your current job to find one of the following jobs:

144 Top 20 Coolest Jobs in IT
1 Information Security Crime Investigator/Forensics Expert
2 System, Network, and/or Web Penetration Tester
3 Forensic Analyst
4 Incident Responder
5 Security Architect
6 Malware Analyst
7 Network Security Engineer
8 Security Analyst
9 Computer Crime Investigator

145 Top 20 Coolest Jobs in IT 10 CISO/ISO or Director of Security
11 Application Penetration Tester
12 Security Operations Center Analyst
13 Prosecutor Specializing in Information Security Crime
14 Technical Director and Deputy CISO
15 Intrusion Analyst
16 Vulnerability Researcher/Exploit Developer
17 Security Auditor
18 Security-savvy Software Developer
19 Security Maven in an Application Developer Organization
20 Disaster Recovery/Business Continuity Analyst/Manager

146 Computers are like Old Testament gods; lots of rules and no mercy.
- Joseph Campbell

147 The Million Dollar Homepage is a website conceived in 2005 by 21-year-old student Alex Tew from Wiltshire, England, to raise money for his university education. The home page consists of a million pixels arranged in a 1000 × 1000 pixel grid; the image-based links on it were sold for $1 per pixel in 10 × 10 blocks.

148 Evaluation I value your comments. Please fill in your evaluation form found at the end of your packet.

149 Scott Greene: Other topics available
Computer Forensics
Computer Forensics for Defense Attorneys
Personal Privacy in the Information Age
High Technology: Just where is technology going?
Bypassing Security: How They Steal Company Data
Fundamentals of Digital Forensics
Technology Forensics: Theory & Potential... is it Science or Art?
Technology Forensics: Case Examples
Technology Forensics: Intellectual property and identity theft
Technology Forensics: Hardware and Software tools / Show and Tell
Portable Devices Issues and Answers: A discussion about cell phones and the stories they can tell.
Anti-Digital Forensics. Or is it Digital Anti-Forensics?
Data Security and Confidentiality Issues
The Digital Smoking Gun

150 Evidence Solutions, Inc
Contact Information Scott Greene, SCFE Evidence Solutions, Inc
