Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

Transcription

1 Cybercrime myths, challenges and how to protect our business Vladimir Kantchev Managing Partner Service Centrix

2 Agenda Cybercrime today Sources and destinations of the attacks Breach techniques How to protect?

3 Internet Usage Facts Billion people are online (around 40%)

4 Internet Usage Facts 2014

5 Global Submarine Cables

6 Cybercrime Facts 80 % of all cybercrime activities are organized online credit card fraud, identity theft, responding to a phishing attempt, and unauthorized access to an account vary to up to 17% of online population for 21 countries (under 5% for car theft and robbery) Private sector in Europe report between 2 and 16% of data breach due to intrusion or phishing More than one million unique IP addresses globally functioned as botnet command and control servers

7 Computer-related acts for financial gain or harm NY Times: A worldwide gang of criminals stole $45 million in a matter of hours by hacking their way into a database of prepaid debit cards and then draining cash machines around the globe

8 Criminal tools the botnet Botnets (a term derived from the words robot and network ) consist of a network of interconnected, remote-controlled computers generally infected with malicious software that turns the infected systems into socalled bots, robots, or zombies.

9 System Administrators Responsibilities 63% of security deficiencies are 3 rd party Remote administration Password weakness and reuse Lack of properly configured firewall Lack of support Software updates

10 Detection In the past two years, attacks have grown significantly in complexity, rendering the majority of off the shelf detection solutions, such as commercial antivirus programs, ineffective. In addition, due to advanced subterfuge techniques, malware often goes unnoticed by systems administrators.

11 Infiltration Remote Control (RC) Scan of RC ports (RDP, termserv, VNC, etc.) Use default/weak credentials Dynamic Web content SQL injections (more than 15 years) - Any application that fails to properly handle user-supplied input is at risk Bulk extraction of data (personal records, cardholder data, etc.) Data modification and deletion Weak/default Credentials

12 Propagation Open default administrative shares %SYSTEMROOT% (prior Windows XP SP3) Use of legitimate administrative remote access utilities UNC, NET USE Use of remote command utilities Psexec, winexe Discovery of the attack Security event log (ID 5145, 5140) Ntuser.dat Web browser history

13 Aggregation

14 Exfiltration (the gateway) Firewall without egress rules Lack of filtering in internal networks

15 Financial Espionage Hacktivism Attacker Motivations

16 Techniques Used Embedded Malware Fake SSL Certificates A Trojan called Mediyes was discovered on more than 5,000 computers, mainly in Western Europe. It was signed with a fake Symantec VeriSign digital certificate issued to Conpavi AG, which is known to work with Swiss government agencies.

17 Web client Attack Trends HTML/Java Script -> plug-in attacks Adobe Acrobat Reader Adobe Flash Player Oracle Java MS Office

18 Mail-based Attacks 2 billion users 140 billions s per day SPAM 75,2% of organizations inbound 10% of SPAM are malicious 7% of SPAN have link to malicious website Phishing 0,17% of SPAM

19 Targeted Attacks Often start with Social Engineering Context Research Attachments/Links Example: About 20 individuals from a defense industry firm were subject to an attack that featured a loaded PDF file that claimed to be an Employee Satisfaction Survey. The PDF file exploited a zero-day flaw.

20 How to protect against Attacks? gateways with spam filters, antivirus and content filtering Filtering or suspicious attachments, including executables, HTML files and password- protected archives Keeping client machines patched Web security gateways for checking clicked links and landing pages Antivirus software on client machines User education on the nature of attacks

21 How to Protect (1/2)? Establish security policies Apply firewall egress rules Apply deep network protection (ACLs, port security, etc.) Do not use vendor default username/password Web Application Protection (WAF, code review) Up to date client software and domain policies (NAC, Mobile Device Management) Regular execution of security awareness trainings Regular penetration testing and security audits

22 How to Protect (2/2)? Protect your computers against security threats (SWG, AV, Web filtering, etc.) Use 2 factor authentication (smart cards, PKI, HSM) Write secure software code (code review) Up to date server system and application software Physical access policies and restrictions Implement Security Information and Event Management (SIEM) Build Security Management System

23 Magic Quadrant SIEM 2014

24 IBM Qradar SIEM Log Management Turn-key log management and reporting SME to Enterprise Upgradeable to enterprise SIEM SIEM Log, flow, vulnerability & identity correlation Sophisticated asset profiling Offense management and workflow Configuration & Vulnerability Management Network security configuration monitoring Vulnerability prioritization Predictive threat modeling & simulation Network Activity & Anomaly Detection Network analytics Behavioral anomaly detection Fully integrated in SIEM Network and Application Visibility Layer 7 application monitoring Content capture for deep insight & forensics Physical and virtual environments

25 Context and Correlation Drive Deepest Insight Security Devices Servers & Mainframes Network & Virtual Activity Database Activity Application Activity Configuration Info Vulnerability & Threat Users & Identities Event Correlation Logs Flows IP Reputation Geo Location Activity Baselining & Anomaly Detection User Activity Database Activity Application Activity Network Activity True Offense Offense Identification Credibility Severity Relevance Suspected Incidents Extensive Data Sources Deep + Intelligence = Exceptionally Accurate and Actionable Insight

26 Q & A