Society for Information Management

Transcription

1 Society for Information Management The Projected Top 5 Security Issues of 2010 Steve Erdman CSO and Staff Security Consultant of SecureState Network +, MCP

2 Precursor 2009 has been a difficult year in Information Security 1. Network Solutions 573,000 Credit and Debit Accounts Compromised 2. California University Personal Information of 160,000 Current and Former Students and Alumni may have been Comprised 3. Virginia Department of Health Social Engineering Millions of Pharmaceutical Records Compromised 4. Heartland 130 Million Records Compromised

3 Prominent Security Breaches of 2009 Attackers are coming up with new and innovative ways of stealing EVERYONE s data Cyber attacks are at a such elevated level that the pentagon has engaged top hackers in an effort to protect the United States from additional threats SecureState has seen more breaches occur in 2009 alone than all the previous years combined The topics discussed here are not made-up or created as scare tactics. These are real-world scenarios from the trenches and occur on a regular basis

4 Top 5 List Web Application Attacks Client Side Attacks Lack of System Hardening Lack of Patch Management Firewall Exploitation In no specific order Copyright 2009 SecureState

5 Web Application Attacks Copyright 2009 SecureState

6 Web Applications It is estimated that over 80% of all attacks from the internet come through the web application layer. Web Application History In the late 90 s early 2000 s, web applications were static and contained very little information or functionality. With today s demands of Web 2.0, and more user-friendly web applications, web-sites are the new avenue of attack for hackers. Attackers are smart, they no longer go through conventional means and have created new methods to gain access Case Study: Astalavista.com and Astalavista.net have been around for several years and were a hackers playground for viruses, worms, illegal activity, and valid security professionals. It was recently hacked by an elite security group and all of its information stolen. The entire website was also deleted, including all backup data.

7 Top 10 Web Application Vulnerabilities 1) Cross Site Scripting 2) Injection Flaws 3) Malicious File Execution 4) Insecure Direct Object Reference 5) Cross Site Request Forgery 6) Information Leakage and Improper Error Handling 7) Broken Authentication and Session Management 8) Insecure Cryptographic Storage 9) Insecure Communications 10) Failure to Restrict URL Access

8 Demo on Web Application Hacking Demo

9 Protection Security Assessments (Grey, Black, and White Box Reviews) Web Application Firewalls (DotDefender, Netscaler, modsecurity, etc.) Secure Coding Practices Developer Training Web Application Scan (AppScan, WebInspect, Accunetix, etc.) Copyright 2009 SecureState

10 Client Side Attacks

11 User Awareness Client Side Attack is the art of conning someone for trust, establishing a bond, and ultimately gaining information that shouldn t be disclosed Social Engineering Typically we go after usernames and passwords, or have the individual click on a repair executable which is really malicious software We get to do social engineering on a regular basis, and we are ONE HUNDRED percent successful in obtaining sensitive information We also drop off CDs that say Latest 2009 MP3 Hits or USB thumb drives, all loaded with malicious software The human element is always the weakest when attacking an organization

12 The Fraud Triangle Yale University Study: Opportunity If all Three things are present 60% will steal 20% will not steal 20% will steal regardless Need / Pressure Rationalization Copyright 2009 SecureState

13 Demo on Social Engineering Demo

14 Protection Security Assessments (Dedicated Social Engineering Attacks) User Awareness Program Policies and Procedures in Place Hold Users Accountable

15 Lack Of System Hardening

16 What is System Hardening? Start by Performing a Business Impact Analysis (BIA) A BIA is the process of evaluating a company's security architecture and auditing the configuration of their systems in order to develop and deploy hardening procedures to secure their critical resources Since most systems are dedicated to one or two functions, reduction of possible attack vectors is done by the removal of any software, user accounts, or services that are not needed and required by the planned system functions

17 Protection Create MSBs (Minimum Security Baselines) for all networked devices Remove unnecessary services Remove unnecessary user accounts Apply all applicable patches Ensure no vulnerabilities

18 Locking Down Users Firewalls and anti-virus are no defense against acts of data theft and corruption from within your organization 20% of breaches this year occurred because of malicious insiders 22% of these breaches occurred because of privilege misuse Cannot manage device-level activity via Group Policy

19 Some Common Endpoint Threats Rogue Wireless Access Points Keystroke Loggers Contractor With Latest Worm or Virus on Laptop Instant Messaging

20 Protection Users Should be Running Under Least Privilege Security Context HIPS (Host Intrusion Prevention System) Installed Windows Firewall is Enabled When not Attached to Corporate Network Lock down Wireless Configuration Tools or Disable Wireless Totally Employ Device Level Protection (PGP Endpoint Device Control, Symantec) Hard Disk Encryption (PointSec, TruCrypt, etc.)

21 Lack of Patch Management

22 Patch Management Patch management is an area of systems management that involves acquiring, testing, and installing multiple patches (code changes) to an administered computer system Reported that 90% of the security exploits are carried out through vulnerabilities for which there are known patches MS in the wild

23 Protection WSUS (Windows Environment) Free! Patch Management Software (Shavlik, Lumension, BigFix, etc.) Policies and Procedures updated to reflect patch management initiative

24 Keep Up To Date with Latest Exploits Exploit - a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized) vulnerabilities identified in Q3 of % of these vulnerabilities allowed for remote code execution Trend moving toward browser based exploits Copyright 2009 SecureState

25 Demo on Buffer Overflows Demo

26 Protection Run Internal/External Vulnerability Scans (Nessus, Qualys, etc.) Security Focus/MilWorm HIPS

27 Firewall Exploitation

28 Egress/Ingress Filtering Egress Filtering - the practice of monitoring and potentially restricting the flow of information OUTBOUND from one network to another Ingress Filtering - the practice of monitoring and potentially restricting the flow of information INBOUND from one network to another DDoS attacks against networks as well as from networks May find yourself the subject of a law enforcement investigation despite the fact that you did nothing wrong

29 Video on Egress/Ingress Filtering Copyright 2009 SecureState

30 Protection Firewall ruleset reviews IDS/IPS Systems No outbound traffic bears a source IP address not assigned to your network (this is the basic egress filtering rule) No outbound traffic bears a private (non-routable) IP address (this should be true anyway, but it's a good idea to block and log this type of traffic to determine the source of the error) Deny all unless explicitly allowed

31 Block Problematic Country IP Ranges Blocking the more prolific spam/hacking sources by country may be a very good way to reduce the amount of malicious traffic hitting your network Inbound traffic from some countries is completely worthless and puts strain on resources and is often the primary source of abuse 27.89% of all malware detected by PC Tools' Threat Expert comes from Russia China was found to produce 26.52%

32 The World Threat Chart 1. Russia 27.89% 2. China 26.52% 3. United States 9.98% 4. Brazil 6.77% 5. Ukraine 5.45% 6. United Kingdom 5.34% 7. France 3.81% 8. Germany 2.14% 9. Sweden - 1.6% 10. Spain 1.37%

33 VIDEO ON China/Russia Hack Demo

34 Multi-Tiered DMZ s Just like the floor plans for a house, the architecture is the most important thing to having a secure network Many organizations today implement network devices based on business urgency rather than security Many times external applications are connecting to databases located within the internal network Network Security and Architecture Reviews

35 Example Multi-Tiered DMZ

36 Where to go from here

37 Information Security Information Security is reactive in nature Security professionals are always catching up to a new method an attacker creates or exposes Taking a pro-active approach in ensuring that the attack avenues are properly protected ensures any organizations loss of revenue and reputation is much less likely Information Security is dynamic and always changing As attackers change, Information Security professionals have to ensure that they change as well Regular assessments ensure that the information security program is fully functioning and changing with the times

38 Questions? That s it!