Emerging Security Technological Threats
Jamie Gillespie, Training and Education Team Leader, AusCERT
About AusCERT
- Australia's national CERT
- Collect, monitor and advise on threats and vulnerabilities
- Incident response coordination and assistance
- CERT training for countries and companies
- Independent, university-based, non-government and not-for-profit
- Chair of APCERT
- Close collaboration with the AHTCC
- Other collaborations, national and international
What We're Seeing Now
- Malicious code
- Network scanning
- Device compromise
- Denial of Service
- Impersonation and identity theft
- Rapid adoption of new technologies
Malicious code
- Malicious code represents one of the most well known threats
- Including the classics: viruses, worms, trojans
- Increasingly blurred line: spyware, adware, marketing research (e.g. MarketScore)
AV Detection Rates
[chart: AV detection rates]
Source: NBSO / Nic.br Security Office, Brazilian CERT
Network Scanning
- Network scanning is an ever-increasing problem
- Usually a precursor to attacks/compromises
- Password brute force attacks against SSH services are increasingly effective and relevant
- Mass scanning by worms, botnets or similar large-scale automation can lead to denial of service
- Increases the cost of detecting incidents and providing effective security management, due to increased noise
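As an added illustration of the detection-cost point (example code, not from the talk): the sliding-window check below flags SSH password brute forcing from OpenSSH-style auth log lines, separating an automated burst from a user's single typo and from slow attempts that stay under the window. The log lines, hostname and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed OpenSSH-style auth log lines (sample data, not from the talk).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Mar  3 10:00:03 host sshd[2002]: Failed password for invalid user test from 203.0.113.7 port 41030 ssh2
Mar  3 10:00:05 host sshd[2003]: Failed password for root from 203.0.113.7 port 41041 ssh2
Mar  3 10:00:07 host sshd[2004]: Failed password for invalid user oracle from 203.0.113.7 port 41055 ssh2
Mar  3 10:00:09 host sshd[2005]: Failed password for root from 203.0.113.7 port 41060 ssh2
Mar  3 10:05:00 host sshd[2010]: Failed password for alice from 198.51.100.4 port 50001 ssh2
Mar  3 10:05:20 host sshd[2011]: Accepted password for alice from 198.51.100.4 port 50002 ssh2
Mar  3 10:40:00 host sshd[2020]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar  3 10:55:00 host sshd[2021]: Failed password for root from 192.0.2.9 port 33002 ssh2
"""
# Matches authentication failures only; accepted logins and other sshd lines are ignored.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(text, year=2006):
    """Return [(timestamp, source_ip, username)] per failed login; syslog omits the year."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events

def detect_bruteforce(events, threshold=5, window_s=60):
    """Return {ip: sorted usernames tried} for sources with at least `threshold` failures
    inside any `window_s`-second window; a lone typo or slow, spaced-out attempts stay below it."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until it spans at most window_s seconds.
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({u for _, u in attempts})
                break
    return flagged
```

Lowering the threshold or widening the window catches the slow source at the cost of more alerts on ordinary mistyped passwords, which is the noise trade-off the slide refers to.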
Device Compromise
- Device compromise is a continually ongoing occurrence, with automated compromise tools now the standard
- The technical barrier to entry into this arena is now quite low: anyone can download the tools
- The majority are end-user devices, but a vast number are corporate, academic and government devices
- Not just simple PCs and servers, but also network devices such as access points, firewalls, routers and switches
- The impact to organisations includes theft of information, corruption of information, brand damage, legislative breaches and potential third party liability issues
Denial of Service
- Denial of Service attacks have a long history, ranging from on-box attacks through to the more widely known network attacks
- Botnets have been used for significant denial of service attacks, in excess of a sustained 400 Mbit/second for months on end
- Seen as a threat that will continue to evolve and emerge, coupled with increasingly sophisticated botnets and financial motivation
Impersonation
- Impersonation and identity theft is a current and significant threat, both to individuals and organisations
- Individuals
  - Email spoofing
  - Account compromise
  - Full identity theft
- Organisations
  - Email spoofing
  - Site duplication and redirection
  - Hijacking of domains and network traffic
Rapid Adoption
- Rapid adoption of new technologies by both attackers and organisations often increases the base level of risk
- Organisations
  - Often no well established standards or best practices for new technologies
  - Often implemented as a pilot, with security to come later
  - Design oversights or lack of inherent security controls
- Attackers
  - Utilise cutting-edge techniques and share them in a non-competitive manner
  - Have time to research and develop attacks and exploits; this is essentially their business, which contrasts with the reactive process of most corporates
Future Threats
- Attacks on lower-percentage platforms
  - Linux
  - Mac OS X
- Just because software or a device has fewer vulnerabilities doesn't mean it's safe
[chart: 0.01% vulnerable, 99.99% safe]
Future Threats
- Mobile malicious code; more specifically, multi-purpose mobile devices
  - ~100 million smart phones
  - Symbian market share >70% (10% in US): Nokia, Siemens, Samsung, Sony Ericsson, Motorola, and more
  - Windows market share <10%
  - 20 mobile malware at end of 2004, >120 at end of 2005
- Vectors: Bluetooth, MMS, Web downloads
- More to come: SMS, IM, P2P, malicious web sites
Copyright 2006 AusCERT
Future Threats
- Wireless networks
  - Obviously the classical network abuse
  - Network used (externally) to commit crime
  - Security, but not secure
- VoIP
  - Most of the same old threats
  - But a lack of the same old protection
  - Trunking and mixing of traffic
  - Gateways connected to the PSTN
Future Threats
- Identity theft
  - Classic ID theft on the increase
  - Schools carry different details
  - Students aren't always students, but their details remain constant
- Removable mass storage: iPods/MP3 players, USB, mobiles, games
  - Ingress of malicious/illegal material: where does it go?
  - Egress of internal data: where does it go? And what was it anyway?
Future Threats
- Insiders
  - They already have access
  - Profiling is next to impossible, even for corporates
  - Frequency and impact are unknown
  - Detection requires a good eye, and maybe a couple of tricks up your sleeve
2006 Australian Computer Crime and Security Survey
Methodology
- ACNielsen conducted the survey and collated the results
- Mailed out to 2,024 Australian IT managers in public and private sector organisations (plus TISN and others contacted via email)
- 389 respondents (17% response rate): 238 paper + 151 online submissions
What's the good news?
- Across most categories of electronic attack, computer crime and abuse, there is a reduction in reported activity
- Fewer financial losses for most respondents
- 19% of those that reported computer crime to law enforcement saw charges laid
- There will be a high demand for skilled, experienced information security professionals in future!
What's the bad news?
- More bad news than good news
- Across most categories there was a reduction in the reported use of:
  - Security policies and procedures
  - IT security standards
  - Security technologies
  - Level of staff qualifications/training
What's the bad news?
- Higher level of vulnerabilities that resulted in electronic attacks than before:
  - Exploitation of unpatched or unprotected software vulnerabilities (63% vs 40% in 2005)
  - Inadequate staff training and education in security practices and procedures (53% in 2006 vs 47% in 2005)
  - Exploitation of misconfigured operating systems, applications or network devices (50% in 2006 vs 27% in 2005)
What's the bad news?
- 21% reported trojan or rootkit infections (no prior visibility on this figure)
  - Very high, considering this malware does not self-propagate
- 45% reported virus or worm infections
  - Still the most common form of electronic attack
What's the same (still not good)
- The computer security management challenges have been almost constant over 4 years:
  - Changing users' behaviour and attitudes re computer security: 60%
  - Configuration management: 47%
  - Keeping up to date with the latest threats and vulnerabilities: 46%
- Only 10% are managing all computer security issues reasonably well
What's the same (still not good)
- A high level of dissatisfaction with the level of qualifications and training for IT security staff
  - 65% thought their organisations needed to improve training and education
  - 53% thought that lack of adequate staff training and education in security policies and procedures contributed to the harmful electronic attacks
What's interesting
- CNI organisations reported lower levels of electronic attack and computer crime than non-CNI organisations
- But they acknowledge many of the same information security management challenges as their non-CNI counterparts
- Public sector organisations reported higher levels of electronic attack than private sector organisations
What's interesting
- Discrepancy between attack types and technology security counter-measures:
  - 90% have spam filters
  - 99% have AV software
  - 66% have procedural controls against malicious software
- But 45% reported virus or worm infections
- But 21% reported trojan or rootkit infections
What we don't know
- Why fewer attacks are being reported
- Why fewer "readiness to protect" factors are being deployed:
  - Security policies and procedures
  - IT security standards
  - Security technologies/counter-measures
  - Training and education of staff
  - Spending on IT security
What we don't know
- Whether reductions in the level of readiness to protect factors have impaired organisations' ability to detect attacks
- Whether changes in sample composition have affected the results:
  - Larger proportion of smaller sized organisations
  - Larger proportion of organisations that may not be high users of IT
- What level of dependency and usage the respondents have on their information systems
What we do know
- High level of dissatisfaction with the level of training and qualifications of IT security staff
- 90% of organisations face challenges or difficulties associated with some aspect of information security management
- Most are dissatisfied with the level of spending on information security
- More respondents perceive that harmful electronic attacks against their organisations were motivated by illicit financial gain (20% in 2006 vs 10% in 2005)
Key messages
- Given the level of dissatisfaction with the adequacy of staffing resources, training, IT security spending and general information security management challenges overall, organisations' ability to manage their information security looks increasingly difficult
Key messages
- Despite some contradictory results, AusCERT and law enforcement continue to see worsening levels of Internet-based attacks motivated by illicit financial gain, including:
  - Online ID theft attacks
  - Compromising computers for use in botnets to support other forms of cyber attack (spam, DDoS extortion, ID theft)
- Predict these types of attacks will begin to impact all e-commerce and e-government agencies and their users/customers in future
- At the organisation level, now is the time to strengthen, not reduce, readiness to protect factors
- Importantly, more must be done at the national level by government, industry and vendors to better address the problems identified
www.auscert.org.au/crimesurvey
QUESTIONS