The Changing Landscape: CyberSecurity in 2011

Transcription

1 The Changing Landscape: CyberSecurity in 2011 Jim Hietala VP, Security 44 Montgomery Street Suite 960 San Francisco, CA USA Tel Cell

2 Agenda Review of Cybersecurity current state: changing threats, vulnerabilities, attack types Changing business requirements, technological shifts Work to be done Open Group security program

3 IT Security Challenges Insider threat Symantec survey, 79% take data upon leaving External attacks Mass indiscriminate attacks Targeted attacks Hybrids

4 Recent Cybersecurity Incidents Successful compromise of Google and 30 other companies Compromises of numerous oil companies, London Stock Exchange, NASDAQ Stuxnet attack Leveraged four 0 day vulnerabilities Ongoing Trojan attacks on online banking customers Wikileaks

5 Threats & Attackers, Then and Now 1980 s: Now: Profit motivated criminals Global, leverage freely available tools Sophisticated attackers and attacks

6 Wikileaks Highlights Numerous Fundamental Security Problems Insider privilege abuse Poor access control Ready availability of DDoS toolkits, and attacks against Amazon, PayPal by sympathizers Targeted hack attack against security firm that conducted Wikileaks investigation, HBGary, by Anonymous group 6

7 Political, Hacktivism, Cyberwar

8 Advanced Persistent Threat

9 Website Attacks Retail example: Heartland, TJX, 7-eleven, Hannaford, Dave & Buster s Impact: 130M+ credit card records stolen, extensive credit card fraud, massive costs to banks to reissue cards Attack Methodology: They identify Web sites that are vulnerable to SQL injection. They appear to target MSSQL only. They use "xp_cmdshell", an extended procedure installed by default on MSSQL, to download their hacker tools to the compromised MSSQL server. They obtain valid Windows credentials by using fgdump or a similar tool. They install network "sniffers" to identify card data and systems involved They install backdoors that "beacon" periodically to their command and control servers, allowing surreptitious access to the compromised networks. They target databases, Hardware Security Modules (HSMs), and processing applications in an effort to obtain credit card data or brute-force ATM PINs. They use WinRAR to compress the information they pilfer from the compromised networks.

10 Infected Websites Doubled in 2010 Drive-by downloads on legitimate Web sites have become the most popular method for delivering malicious programs Overtaking the use of spam and attachments (Growth in Websites infected

11 Hacking for Profit Black market price per stolen credit card has dropped from $10-16/card in 2007, to less than.50/card today, due to over supply Can also buy site logins to hacked sites

12 Monetizing Cybercrime, Malware Trojan malware(delivered via spam, viruses, websites) used to capture login credentials to bank accounts Funds transferred to money mules incountry, who transfer $ to perpetrators in originating country

13 Ramnicu Valcea: Hackerville

14 Predicted ROI on Cybercrime Techniques

15 How Real is the Threat? CIA Director Leon Panetta: "The potential for the next Pearl Harbor could very well be a cyber-attack Director of National Intelligence James Clapper: "This threat is increasing in scope and scale, and its impact is difficult to overstate."

16 Discussion What is the experience of Indian IT organizations with respect to CyberSecurity Threats and Attacks?

17 Threat Takeaways Consumers, businesses doing online banking are targets Anyone with high value information (IP, sensitive, confidential, research, credit cards) is a target Need to be on top of our security management games Regular patching is mandatory Reducing attack surfaces through vulnerabilities Relying on perimeter security (alone) is unwise Checklist-based infosec management isn t enoughmany ISO27001 certified companies have shown up in headlines lately for breaches

18 Agenda Review of Cybersecurity current state: changing threats, vulnerabilities, attack types Changing business requirements, technological shifts Work to be done Open Group security program

19 New Technologies Causing Security Concerns Web 2.0 Consumerization of IT, growth in mobile devices Virtualization Cloud computing

20 Business Requirements Affecting Security Greater access for non-employees E-commerce Collaboration Downsizing Outsourcing and offshoring

21 Traditional Security Architectures Status quo is locationcentric security Protection placed at the edge or perimeter of the network New threats and threat vectors = new security point solutions Consequence is that there are now over 1,000 vendors of security point solutions (C) The Open Group

22 Perimeter Security Failures Maginot Line and the Fall of France, 1940 US High Tech Border Fence w/ Mexico Abandoned as too costly, ineffective in

23 De-perimeterization Timeline Drivers: Cost, flexibility, faster working Full de-perimeterised working Connectivity Drivers: B2B & B2C integration, flexibility, M&A Drivers: Low cost and feature rich devices Full Internet-based Collaboration Consumerisation [Cheap IP based devices] Limited Internet-based Collaboration Toda y Drivers: Outsourcing and off-shoring External Working VPN based External collaboration [Private connections] Internet Connectivity Web, , Telnet, FTP Connectivity for Internet Effective breakdown of perimeter Connected LANs interoperating protocols Local Area Networks Islands by technology Stand-alone Computing [Mainframe, Mini, PC s] Time Copyright (C) 23 The Open Group 2011

24 Cloud Security and Risks to C-I-A

25 Agenda Review of Cybersecurity current state: changing threats, vulnerabilities, attack types Changing business requirements, technological shifts Work to be done Open Group security program

26 IT Industry Issues Incentives don t favor secure software products take your best shot with a prototype, immediately get it to market, iterate quickly, Guy Kawasaki, The Art of the Start One sided software license agreements with little buyer recourse By clicking the I agree button you are agreeing to act as crash test dummies without any chance of holding the software manufacturer to account for injuries, harm, damage, or loss, David Rice, Geekonomics

27 General Security Issues Lack of independent information about controls effectiveness 100+ security technology niches, which provide the best ROSI, and provide best protection? Debate over how to best manage information security Risk-based vs. best practices approach Best practices/checklist methods (ISO27001) are important, but insufficient Need for continuous improvement framework with metrics

28 Specific Areas for Improvement Secure Architecture: Build security into architectures vs. adding later Training software developers in secure coding, SDL Better guidance on developing secure architectures, how to use TOGAF and SABSA to do so, and how to develop secure web apps Information Security Management: Prioritizing, selecting appropriate security controls Making information security management more scientific, with maturity models & metrics, tie security to business objectives Easing the burden of risk, compliance, and audit Identity issues vis a vis cloud, enterprise identity stores Better industry support for assuring that commercial products are built with integrity

29 Agenda Review of Cybersecurity current state: changing threats, vulnerabilities, attack types Changing business requirements, technological shifts Work to be done Open Group security program

30 Security Forum Vision & Mission The Open Group: Boundaryless Information Flow, achieved through global interoperability in a secure, reliable and timely manner The Open Group Security Forum: To facilitate the rapid development of secure architectures supporting boundaryless information flow through: Development of industry standards, either independently or through co-operation (adopt, adapt, publish) Developing guides, business rationales & scenarios, use cases Developing reference and common system architectures, and support services Dept. Work & Pensions, UK

31 Secure Architecture Integrating security into enterprise architectures, TOGAF Revised Enterprise Security Architecture SABSA/TOGAF integration project Collaboration Oriented Architecture Secure Mobile Architecture Cloud Security Reference Architecture work in Cloud Computing Working Group

32 Information Security Management ISM3: Information Security Management Maturity Model New technical standard using metrics and a maturity model approach to managing information security Enhances ISO27001/2, adds business value context Audit, compliance, risk Audit & Logging: Update to XDAS standard, aligning with MITRE CEE ACEML compliance standard, to automate compliance configuration and reporting Risk Management: Risk Taxonomy Standard, Risk Assessment Methodologies Technical Guide, ISO Cookbook

33 Jericho Forum Thought leadership around de-perimeterization, guidance as to what to do about it Publications: Commandments, position papers, Collaboration Oriented Architecture Framework, Cloud Cube Model New Mission/Vision: Secure Collaboration in Cloud Computing New projects: COA (Security) Reference Architecture for TOGAF, COA Framework standard, Cloud Use Cases: business scenarios Commandments Self Assessment Scheme Security requirements in Cloud Computing Identity & Access Management in de-perimeterized environments New Liaison Cloud Security Alliance 33 (C) The Open Group March 2011

34 Some Members of Jericho

35 Real Time and Embedded Systems Forum Secure Operating Systems Multiple Independent Level of Security (MILS) Significant MILS work ongoing in the Real Time Forum to remove barriers to adoption, and accelerate progress Software assurance activities (C) The Open Group

36 Open Trusted Technology Forum Overview (OTTF) v1.5 Build with Integrity Buy with Confidence Note: OTTF Materials are copyrights of The Open Group All information presented is subject to change

37 Open Trusted Technology Forum Membership As of February, 2011

38 Need to Work Together to Develop Expectations for a Trusted Commercial off the Shelf (COTS) IT Product What are the Realistic, Consumable, Affordable Industry Best Practices? Good Commercial Product Helpful information that builds understanding of the product What s in it ( source code and origin/pedigree) How was it built (development and manufacturing) How will it be sustained from an OEM perspective What management, process and quality controls were applied What are the meaningful supply chain considerations What variability, and volatility of sub-processes and supply should be expected (opportunistic component sourcing and contract fabrication) What other measures of goodness can be used or leveraged Not a substitute for CC, NIST, or ITU; Interoperability or protocol level compliance or certification

39 The Technology Supply Chain Integrity Challenge Perceived increase in sophistication and severity of cybersecurity attacks worldwide Potential for vulnerabilities introduced by use of technology provided through the global supply chain Governments and organizations buy products from companies they trust, but those companies usually do not manufacture all the components of their products The forum is being formed in response to the need to establish industry best practices that will help understand and reduce risks posed by the globalization of the technology supply chain

40 What Problems Are We Solving? Commercial technology comprises key components of our critical infrastructure It s become necessary to understand; The potential integrity risks that may be inherited from supply chains, both for software and hardware, and how the original equipment manufacturer (OEM) assesses and manages these risks; Practices that can mitigate potential risks of significant supply chain attacks; Risks to confidentiality, integrity, and availability of a customer s environment or critical infrastructure as a result of procurement by customers of counterfeit components and products; Which software or technology development or engineering practices can help reduce product security and integrity risks; How product assurance and risk is managed through the adoption of industry best practices and recognized international and open industry standards.

41 The OTTF will respond to these industry challenges by Reducing risks that may be introduced from global supply chain providers Identifying manufacturing practices and checkpoints throughout the lifecycle that mitigate risk from uncontrolled, unprotected development methods and engineering procedures Develop conformance and accreditation criteria for trusted technology providers that will instill trust and confidence in both providers and consumers Work with the global community to develop responsible and realistic procurement policies that mitigate the risks introduced from supply chain vulnerabilities for all governments and vertical industries

42 O-TTPF Best Practice Categories Best Practice Categories Product Engineering / Development Method Secure Engineering / Development Method Supply Chain Management Method Definition Trusted technology providers utilize and internalize the application of a wellformed and documented development (or manufacturing) method or process. Secure development methods include techniques such as secure code design reviews or threat modeling, risk assessment and tooling for detecting, fixing, and mitigating vulnerabilities in both software and hardware. They might also include run-time protection measures; or monitoring and corrective actions for third-party component vulnerabilities or risks. Product design may also employ ways to ensure authenticity and protection from counterfeit components and use run-time execution protection measures; for example, the use of code signing. Trusted technology providers manage their supply chains through the application of defined, monitored, and validated supply chain processes. These practices seek to ensure the integrity of the supply chain throughout product design, sourcing, fabrication delivery, support, and end-of-life. Product Evaluation Methods A Trusted Supplier submits Information Assurance (IA) and IA-enabled products to one or more mutually recognized standards-based evaluation processes to determine the fulfilment of particular security properties, to levels of assurance appropriate to the application of the product depending on the needs of the market. (Common Criteria is an example of one such process).

43 Benefits of O-TTPF to Providers and Consumers The ability to work collaboratively with peer organizations, suppliers and customers to define, review and approve the best approaches developing a more trustworthy global technology supply chain Industry members of the TTF can directly interact with government acquisition leaders through their participation in the forum and government members can interact with their suppliers in an open, neutral forum Market differentiation through the future accreditation program, and status as an organization that contributes to the Forum Members can network with their peers in similar organizations around the globe and help harmonize global technology supply chain initiatives The TTF is intended to benefit technology buyers across all industries concerned with secure development practices and supply chain management, including government and defense, transportation, healthcare and financial services

44 O-TTPF Press Coverage

45 Summary IT security undergoing a profound transformation in threats, business drivers, and in security architectures Move from perimeter towards information-centric security Customers, vendors need help in sorting out what this means The Open Group has numerous forums and working groups working on IT and Cybersecurity challenges Work products include standards, frameworks, guides that educate, inform, accelerate market for secure IT From a supply-chain standpoint, Trusted Technology Forum is a natural place for Indian companies to get involved in Open Group security activities

46 Questions? Jim Hietala, VP, Security, The Open Group Twitter: jim_hietala