Why The Security You Bought Yesterday, Won't Save You Today


9th Annual Courts and Local Government Technology Conference
Why The Security You Bought Yesterday, Won't Save You Today
Ian Robertson, Director of Information Security
Michael Gough, Sr. Risk Analyst

About Us
- Ian Robertson - CISSP, CCNP: www.cybersecurityguy.com, ian@cybersecurityguy.com
- Michael Gough - CISSP, CISA: www.hackerhurricane.com, www.dontclickonthat.com
HackerHurricane.com 2

Agenda
- Common Attacks Today
- Typical Network Security Controls
- Why the Typical Controls Won't Work Against Today's Common Attacks (Why The Security You Bought Yesterday Won't Save You Today)
- What You Can Do To Shore Up Your Defenses: Many for Little or No Money!

Security Research and Statistics
- Verizon Data Breach Report
- PandaLabs Reports
- Hands-On Experience

Breach Threats
[Chart: Threat Agents by % Records Breached. Labels on the chart: External Agents, Hacking, Malware, Internal Agents, Misuse, Social, Error, Partner Agents, Physical*. Values shown, as extracted: 98%, 94%, 94%, 3%, 3%, 3%, 1%, 1%, 1%.]
Source: Verizon 2010 Data Breach Investigations Report

Breach Threat Vectors
Top Hacking and Malware Vectors by % Records Breached:
- SQL Injection: 89%
- Web Drive-By Downloads: 19%
- Web User-Initiated Exploit: 9%
Source: Verizon 2010 Data Breach Investigations Report

Malware and USB Flash Drives

Who's Behind It?
- Highly motivated
- Has time and resources
- Wants what you have
Source: Verizon 2010 Data Breach Investigations Report

What Do They Want?
- Anything they can use to get or make money
- Financial Accounts
- Sensitive Personal Information
- Confidential Records
- Information they can use for other purposes

Who's Discovering It?
[Chart]
Source: Verizon 2010 Data Breach Investigations Report

How Long Does It Take to Discover?
[Chart]
Source: Verizon 2010 Data Breach Investigations Report

How Long Does It Take to Discover?
- 156 Days on Average
Source: Trustwave Global Security Report 2010

But Don't We Have Logs?
- Absolutely!
- Useful for SQL Injection
- Less useful for malware
- Not really being leveraged: who wants to look at them? Who does look at them? Show of hands!
Source: Verizon 2010 Data Breach Investigations Report

Typical Attacks Today
- Organized Crime for Financial Gain
- SQL Injection
- User Web-Based Attacks
- USB Flash Drives
- We Aren't Catching Them (Until It's Too Late)

Typical Network Security Controls
- Firewall
- Intrusion Detection/Prevention System
- Web Filter
- SPAM Blocker (SMTP E-mail Gateway)
- Anti-Virus (Anti-Malware)
- Account Passwords (Old School)

Typical Network Security Controls
- Firewall: allows only certain traffic to come into and go out of your network from/to the Internet. Typically allows web, email and DNS in/out of your network from/to the Internet.
- Intrusion Detection/Prevention System: monitors your network traffic for suspicious activity. Typically is set to monitor traffic at your Internet perimeter (in front of or behind your firewall).

Typical Network Security Controls
- Web Filter: blocks websites based upon a categorical filter (gambling, sex, social websites, etc.). Typically blocks websites that would violate HR policies.
- SPAM Blocker: blocks e-mail based upon keywords (e.g. v!agra), sender info, block list, or heuristic analysis. Typically blocks incoming e-mail at the Internet perimeter (SMTP e-mail gateway).

Typical Network Security Controls
- Anti-Malware: blocks software which is identified in a signature database from running. Typically scans for signature patterns when files are accessed, with full scans on occasion.
- Account Passwords: allows authorized users to log in. Typically doesn't enforce strong passwords and may have easy-to-guess password reset questions.

Typical Network Security Controls from a Hacker's Perspective
[Diagram of the layers: Perimeter Controls (Firewall, IDS, Web Filter, SPAM Blocker); Internal Controls (Anti-Malware); Your Data (Yum!)]

SQL Injection Attacks
Involves tricking a web application into executing database commands it wasn't intended to run, by supplying crafted input through user-input form fields.

SQL Injection Example
  SELECT FIRST_NAME, LAST_NAME, ADDRESS FROM MASTER_DATABASE WHERE LAST_NAME = '[USER INPUT]' AND RECORD_TYPE = 'PUBLIC';

SQL Injection Example
  SELECT FIRST_NAME, LAST_NAME, ADDRESS FROM MASTER_DATABASE WHERE LAST_NAME = '*';-- AND RECORD_TYPE = 'PUBLIC';
The user input closes the quoted string and starts a SQL comment (--), so the RECORD_TYPE = 'PUBLIC' restriction is never evaluated.
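The two slides above show the query before and after injection. The Python script below is an added example, not part of the presentation: it builds the slide's MASTER_DATABASE as an in-memory SQLite table with constructed rows, runs the slide's query once with the input pasted into the SQL text and once with a bound parameter, and uses the constructed input Smith';-- (a real last name plus the slide's quote-and-comment suffix, since '*' would match no row) to show that only the string-built version returns the non-PUBLIC record.

```python
"""Added example (not from the slides): the slide's MASTER_DATABASE query built
two ways, run against a throwaway in-memory SQLite table.

Assumptions: the table name and column names follow the slide; the sample rows,
the last name 'Smith' and the injected string are constructed for this demo.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory copy of the slide's MASTER_DATABASE with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE MASTER_DATABASE ("
        "FIRST_NAME TEXT, LAST_NAME TEXT, ADDRESS TEXT, RECORD_TYPE TEXT)"
    )
    conn.executemany(
        "INSERT INTO MASTER_DATABASE VALUES (?, ?, ?, ?)",
        [
            ("Ann", "Smith", "1 Public Square", "PUBLIC"),
            ("Bob", "Smith", "2 Private Lane", "CONFIDENTIAL"),
            ("Cy", "Jones", "3 Sealed Court", "SEALED"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    """The slide's query with the form field pasted straight into the SQL text."""
    sql = (
        "SELECT FIRST_NAME, LAST_NAME, ADDRESS FROM MASTER_DATABASE "
        f"WHERE LAST_NAME = '{user_input}' AND RECORD_TYPE = 'PUBLIC'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_input: str) -> list:
    """Same query with a bound parameter: the input is data and cannot alter the statement."""
    sql = (
        "SELECT FIRST_NAME, LAST_NAME, ADDRESS FROM MASTER_DATABASE "
        "WHERE LAST_NAME = ? AND RECORD_TYPE = 'PUBLIC'"
    )
    return conn.execute(sql, (user_input,)).fetchall()


# Constructed input: a real last name, then the slide's quote-close-and-comment suffix.
INJECTED = "Smith';--"

if __name__ == "__main__":
    db = build_db()
    print("normal input, vulnerable:  ", lookup_vulnerable(db, "Smith"))
    print("injected input, vulnerable:", lookup_vulnerable(db, INJECTED))
    print("injected input, parameterized:", lookup_parameterized(db, INJECTED))
```

With the string-built query the injected input returns both Smith rows, including the CONFIDENTIAL one, because everything after the comment marker is discarded; the parameterized query looks for a last name literally equal to the injected string and returns nothing. Parameter binding is what item 2B of the action plan (having developers re-write the code) comes down to.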

SQL Injection vs. Common Controls
- Firewall: X. Access is allowed to your web application.
- Intrusion Detection/Prevention System: X. Most won't detect this, and those that do generate nearly constant alerts and are ignored. Most are completely blind to HTTPS websites.
- Web Filter: X. Access is allowed to your web application.
- SPAM Blocker: X. Not e-mail based.
- Anti-Malware: X. Not malware.
- Account Passwords: X. Often doesn't need any, but attacks can be combined with a compromised user account.
(X = the control does not stop the attack)

User Web-Based Attacks
- Exploits a vulnerability in software that automatically runs when you browse a website: Java, Flash, Acrobat, QuickTime, IE, FireFox
- Frequently uses 0-Day exploits (new and unknown)
- Exploits are hosted on the attacker's website or on legitimate, compromised websites
- Legitimate advertising used (big $'s involved: organized crime)
- Initial download grabs other malware after the initial infection (which is what your anti-virus is often detecting, if anything)
- 100% user initiated: the result of a user clicking/browsing

User Web-Based Attacks vs. Common Controls
- Firewall: X. Users are allowed to access websites through the firewall.
- Intrusion Detection/Prevention System: X. Looks like normal web browsing, and the IDS doesn't have signatures for new malware. Most are completely blind to HTTPS websites.
- Web Filter: X. Approved sites are compromised and hosting malware.
- SPAM Blocker: X. Not e-mail based.
- Anti-Malware: X. Doesn't detect 0-day malware.
- Account Passwords: X. Uses the user's account permissions.
(X = the control does not stop the attack)

USB Flash Drives
- USB Flash Drives are easily infected on home and third-party computers with lesser security controls
- By default, Windows XP and Vista will automatically execute files when they are plugged in (the Windows 7 default is disabled)
- Executes using the logged-in user's permissions
- Known to have been intentionally planted to gain access to systems
- Would your users pick them up and plug them in? Show of hands!

USB Flash Drives vs. Common Controls
- Firewall: X. The firewall doesn't see this as it's not network-based.
- Intrusion Detection/Prevention System: X. The network IDS doesn't see this as it's not network-based. Host-based IDS/IPS aren't likely to have signatures for it.
- Web Filter: X. The web filter doesn't see this as it's not network-based.
- SPAM Blocker: X. Not e-mail based.
- Anti-Malware: ?. Doesn't detect 0-day malware. May detect older malware.
- Account Passwords: X. Uses the user's account permissions.
(X = the control does not stop the attack; ? = partial)

SQL Injection: What To Do
- Find out where your weaknesses are
- Fix and/or monitor them (in priority order)
- Prevent future coding errors from getting introduced
- Test on a regular basis

SQL Injection Action Plan
1. Find out where your weaknesses are.
   A. Make a list of your applications that are Internet-facing and use database credentials that allow them to access Sensitive Personal Information.
   B. Use security professionals to perform penetration tests against these applications.
   C. Check the password recovery/reset functionality on these applications to see if passwords can be easily recovered/reset.

SQL Injection Action Plan
2. Fix and/or monitor them (in priority order).
   A. Remove unnecessary access to the SPI if the application doesn't need it, by changing database credentials and permissions (easiest).
   B. Have developers re-write the code.
   C. Log, alert and respond to critical messages (SQL syntax errors, administrator account login failures, etc.).
   D. Create/update your Incident Response Plan so you know what immediate action to take if you get any of these alerts.
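Item 2C asks you to log, alert and respond to SQL syntax errors and administrator login failures. The Python below is an added example, not from the presentation: it runs a simple threshold rule over a few constructed application log lines. The line layout, the field names, the 5-minute window and the count of three per source are assumptions to be replaced with your own log format and tolerances.

```python
"""Added example (not from the slides): a minimal alert rule for the two log
messages the action plan names, SQL syntax errors and administrator login
failures, evaluated over constructed log lines.

Assumptions: the "timestamp level client=IP msg" layout, the rule thresholds
and the sample addresses are all constructed for this demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2010-11-02T14:01:05 ERROR client=203.0.113.7 msg="SQL syntax error near ';--'"
2010-11-02T14:01:06 ERROR client=203.0.113.7 msg="SQL syntax error near '''"
2010-11-02T14:01:09 ERROR client=203.0.113.7 msg="SQL syntax error near 'AND'"
2010-11-02T14:03:00 INFO  client=198.51.100.4 msg="page view /records"
2010-11-02T14:05:10 WARN  client=198.51.100.9 msg="login failed user=administrator"
2010-11-02T14:05:12 WARN  client=198.51.100.9 msg="login failed user=administrator"
2010-11-02T14:06:40 WARN  client=198.51.100.9 msg="login failed user=administrator"
2010-11-02T14:30:00 WARN  client=192.0.2.5 msg="login failed user=jdoe"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<level>\w+)\s+client=(?P<ip>\S+)\s+msg="(?P<msg>.*)"$'
)

# Rule name -> (message pattern, events per source needed, sliding window).
# Thresholds are assumed; tune them to your own error rate.
RULES = {
    "sql_syntax_error": (re.compile(r"SQL syntax error", re.I), 3, timedelta(minutes=5)),
    "admin_login_failure": (re.compile(r"login failed user=administrator"), 3, timedelta(minutes=5)),
}


def parse(log_text):
    """Yield (timestamp, ip, msg) for each well-formed line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["msg"]


def evaluate(log_text):
    """Return a sorted list of (rule, ip) pairs whose threshold was crossed inside the window."""
    hits = defaultdict(list)  # (rule, ip) -> timestamps of matching events
    alerts = set()
    for ts, ip, msg in parse(log_text):
        for name, (pattern, count, window) in RULES.items():
            if not pattern.search(msg):
                continue
            times = hits[(name, ip)]
            times.append(ts)
            # Drop events that fell out of the sliding window ending at this event.
            while times and ts - times[0] > window:
                times.pop(0)
            if len(times) >= count:
                alerts.add((name, ip))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, ip in evaluate(SAMPLE_LOG):
        print(f"ALERT {rule} from {ip}")
```

Three syntax errors in four seconds from one client and three administrator login failures from another both cross the threshold; the single failed login for an ordinary user does not. Each alert should map to a named action in the Incident Response Plan of item 2D (for example, block the source and pull the full request log for that client).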

SQL Injection Action Plan
3. Prevent future coding errors from getting introduced.
   A. Train developers on secure code development (Google, local OWASP chapter and OWASP resources, SANS courses, Austin BSides and LASCON conferences).
   B. Ensure database administrators are assigning unique accounts with limited privileges for each application.
   C. Implement a code review process that includes security.
   D. Have developers perform security testing as part of code unit testing (IBM AppScan, HP WebInspect, FindBugs, manual, etc.).
   E. Have security professionals perform penetration testing prior to production implementation.

SQL Injection Action Plan
4. Test on a regular basis.
   A. Have security professionals perform penetration testing of all your Internet-facing web applications on an annual basis.

User Web-Based Attacks: What You Should Do
- Find out where your weaknesses are
- Fix your weaknesses
- Prevent future infections

User Web-Based Attacks Action Plan
1. Find out where your weaknesses are.
   A. Perform a full malware scan on all your systems and identify those that are infected.
   B. Maintain an accurate hardware and software inventory for every machine on your network.
   C. Make a list of all the web-executable software you have (Java, QuickTime, Adobe Reader, Flash, RealPlayer, etc.).
   D. Identify all users who have Administrative privileges.
   E. Identify all the categories of websites that are allowed which aren't needed for business purposes.
   F. Identify any systems which haven't been hardened.

User Web-Based Attacks Action Plan
2. Fix your weaknesses.
   A. Re-image any computer which is suspected or confirmed to have an infection. No exceptions!
   B. Patch all web-executable software immediately.
   C. Remove Administrative rights from user accounts (as much as possible).
   D. Block websites that aren't needed for business purposes (especially advertising sites).
   E. Limit users' time on the web.
   F. Harden your systems (start with the Federal Desktop Core Configuration standard, USGCB, or CIS).

User Web-Based Attacks Action Plan
3. Prevent future infections.
   A. Perform routine full malware scans on all your systems.
   B. Monitor security and vendor mailing lists for vulnerabilities, workarounds and patches, and apply them immediately (absolutely no less than once a month).
   C. Harden all systems before they are ever deployed.
   D. Don't deploy new users with Administrative privileges (unless you must).
   E. Consider using FireFox and/or Chrome browsers with add-ons such as NoScript and AdBlock (requires user training).
   F. Train users to avoid clicking on bad links (bad search results, spoofed links).
   G. Teach users "Don't Click on That".
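Steps 1B, 1C, 1D and 2B all depend on knowing what runs on every machine and whether it is patched. The Python below is an added example, not from the presentation: it reads a constructed inventory export, compares each web-executable product against a baseline version you declare as patched, flags products that have no baseline at all, and lists the users holding Administrative rights. The column names, hosts, user names, version numbers and the baseline are constructed for the demo; the product names follow the slide.

```python
"""Added example (not from the slides): patch-gap and admin-rights report from a
hardware/software inventory.

Assumptions: the CSV column names, hosts, users, version strings and the
baseline versions are constructed; the products follow the slide's list.
"""
import csv
import io

# Constructed inventory export, one row per installed product per machine.
INVENTORY_CSV = """\
host,user,is_admin,product,version
ws-101,jdoe,yes,Java,6.0.21
ws-101,jdoe,yes,Flash,10.1.85.3
ws-102,asmith,no,Adobe Reader,9.3.4
ws-102,asmith,no,Java,6.0.22
ws-103,bclerk,no,QuickTime,7.6.7
ws-103,bclerk,no,RealPlayer,11.0.0
"""

# Constructed baseline: the lowest version you consider patched for each product.
BASELINE = {
    "Java": "6.0.22",
    "Flash": "10.1.102.64",
    "Adobe Reader": "9.4.0",
    "QuickTime": "7.6.8",
}


def version_key(version: str) -> tuple:
    """Turn '6.0.21' into (6, 0, 21) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def patch_gaps(inventory_csv: str, baseline: dict) -> list:
    """Return (host, product, installed, required) for every install below baseline.

    A product with no baseline entry is reported with required=None rather than
    skipped: software nobody has a patch policy for is itself a finding.
    """
    gaps = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        required = baseline.get(row["product"])
        if required is None:
            gaps.append((row["host"], row["product"], row["version"], None))
        elif version_key(row["version"]) < version_key(required):
            gaps.append((row["host"], row["product"], row["version"], required))
    return gaps


def admin_users(inventory_csv: str) -> list:
    """Distinct (host, user) pairs where the user holds Administrative rights."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return sorted({(r["host"], r["user"]) for r in rows if r["is_admin"] == "yes"})


if __name__ == "__main__":
    for host, product, installed, required in patch_gaps(INVENTORY_CSV, BASELINE):
        status = f"below {required}" if required else "no baseline defined"
        print(f"{host}: {product} {installed} ({status})")
    for host, user in admin_users(INVENTORY_CSV):
        print(f"{host}: {user} has Administrative rights")
```

The two lists are the work queue for items 2B and 2C: every row from patch_gaps is a machine to patch (or a product to add to the baseline), and every row from admin_users is an account to review.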

USB Flash Drives: What You Should Do
Follow the User Web-Based Action Plan items, plus:
4. Disable AutoRun/AutoPlay on all of your Windows systems (part of system hardening).
5. Identify all users who require the use of USB Flash Drives.
6. Disable the USB ports for all users who don't (a Windows registry key).
7. Provide all those who do with an encrypted flash drive (e.g. IronKey).
8. Implement a policy prohibiting the use of personal flash drives in your organization's computers, and vice-versa.
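Items 4 and 6 both come down to Windows registry values. The Python below is an added example, not from the presentation, that checks an exported registry fragment for them offline: NoDriveTypeAutoRun under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (0xFF turns AutoRun off for every drive type) and Start under HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR (4 disables the USB mass-storage driver, which is the usual registry route to "disable the USB ports" for storage devices; the slide does not name the key, so that choice is an assumption). The sample export text is constructed.

```python
"""Added example (not from the slides): check an exported Windows registry
fragment for AutoRun disabled and the USB storage driver disabled.

Registry values used (standard Windows locations; the slide names neither):
  HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
      NoDriveTypeAutoRun = 0xFF  -> AutoRun off for every drive type
  HKLM\\SYSTEM\\CurrentControlSet\\Services\\USBSTOR
      Start = 4                 -> USB mass-storage driver disabled (3 = on demand)
The sample export below is constructed; the checker only reads text, so it
runs on any platform.
"""
import re

# Constructed text in the layout produced by `reg export` for the two keys.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

EXPLORER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
USBSTOR_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR"


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg export."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match["key"]
            values.setdefault(current, {})
            continue
        value_match = DWORD_RE.match(line)
        if current and value_match:
            values[current][value_match["name"]] = int(value_match["hex"], 16)
    return values


def check_usb_hardening(text: str, usb_allowed: bool = False) -> list:
    """Return a list of findings; an empty list means both settings are as intended.

    usb_allowed=True describes a user identified in item 5 who needs flash
    drives: only the AutoRun setting is checked for them.
    """
    reg = parse_reg_export(text)
    findings = []
    autorun = reg.get(EXPLORER_KEY, {}).get("NoDriveTypeAutoRun")
    if autorun is None:
        findings.append("NoDriveTypeAutoRun not set: AutoRun follows the OS default")
    elif autorun != 0xFF:
        findings.append(f"NoDriveTypeAutoRun is 0x{autorun:02X}, expected 0xFF (all drive types)")
    if not usb_allowed:
        start = reg.get(USBSTOR_KEY, {}).get("Start")
        if start != 4:
            findings.append(f"USBSTOR Start is {start}, expected 4 (driver disabled)")
    return findings


if __name__ == "__main__":
    for finding in check_usb_hardening(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

Export those two keys from a machine with `reg export` (or pull them through your configuration-management tool), feed the text to check_usb_hardening, and pass usb_allowed=True for the users identified in item 5. The constructed sample fails both checks; with NoDriveTypeAutoRun set to 0xFF and Start set to 4 it returns no findings.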

In Closing
You now know the major issues and how to fix them in priority order, some for little or no money. So it's up to you. Don't let your network be a

Q & A
This presentation, along with other valuable security tips, can be found at: www.hackerhurricane.com