Information Security Risk Briefing
May 2, 2005
William Harrod, VP Intelligence Division, Cybertrust
William.Harrod@cybertrust.com

Agenda
• Welcome & True Confessions
• Who is Cybertrust?
• PITAC Report
• What is wrong with our thinking?
• Risk Models That Work
• Good Data
Who is Cybertrust?
WildList Organization, firewall wizards

ICSA - the De Facto Standard
• Set Security Product Standards since 1989
• Track and Measure Risks
• Lead Security Industries
• Test and Certify Products
• Anti-Virus Products ~100%
• Firewall Products ~100%
• Cryptography Products ~100% IPSec, 70% SSL
• IDS, IPS, Vuln Assessment, wireless, ...
• Significant access to security vendors' expertise
• 160+ Security Product and Internet Vendors, 400+ Products
• Meet every vendor every 90 days, Mail lists, web boards
• Continuous Product Testing
Cybertrust - Unmatched Security Intelligence
108 Dedicated People

Monthly Intelligence Activities
• 2.5 million internal IP address scans
• 1.2 million remote IP address scans
• Thousands of IPs Penetration Tested
• 1.2 million lines of security code analyzed
• Online Guardian: Hundreds of millions of security events analyzed and correlated

Daily Intelligence Activities
• CyberIntelligence Intel - Tracks thousands of sources daily
• 400 Usenet groups followed
• Hundreds of Internet malware sensors watched
• 200 GBs Web data collected and analyzed
• IS/Recon - 10,000 hackers tracked
• WildList - Tracks malcode in the wild
• 10,000 Web sites monitored
400,000 Attacks against Corporate Servers
According to a study just published by Zone-H, attacks against corporate servers rose by 36% in 2004 to nearly 400,000 attacks.

Successful Web Site Hacks
[Chart: daily rate of successful web site hacks]

Probes per day against an average single IP address
[Chart: probes per day against an average single IP address]
Often a reconnaissance or fingerprinting of active devices in order to assemble a target list for hacking vulnerable devices.

2004 was the Year of the Bot
6.5 Million

2004 was also the Year of Malicious Mail
Spam, Spyware, Worms, Viruses, Phishing, Extortion, Scams...
How Vulnerable Are You?
• If yours is an average U.S. corporation, here's what your network is experiencing this week.
About a dozen computers somewhere in your organization encountered a computer virus, worm, or spyware. Three people scrounged through desks and drawers looking for someone else's password. One of them succeeded and used it. On average six sexually explicit graphics were mailed or shared among some of your users in the past week. There is a 50-50 chance that some of these are stored on your network. At least one person experimented with a "hacking" tool or technique on the general computers, servers, and databases inside your network in the past month. Despite all the press and focus on hacking and viruses, there is a 65% likelihood that the next security breach your staff deals with will come from an insider.
Statistics provided by ICSA Labs
First some good news:
• Economics is on our side; cheap hardware firewalls, smarter network interface cards (NICs), routers, strong authentication, and end-to-end encryption (e.g., SSL, SSH, VPNs) will be used to hide operating system vulnerabilities, privileged controls, sensitive applications, and gratuitous functionality from the public networks.
• Compliance and regulatory requirements will drive security as a business issue.
• Driven by demand from their customers and competition and example from AOL, retail ISPs are taking more responsibility for protecting their customers and for protecting the rest of us from rude behavior by their users.
• While users will continue to compromise perimeter controls with tunnels and click on strange files and icons, default use and automatic update of scanners, and controls to limit connectivity of systems that are not current, will make us collectively resistant to viruses.
• Rogue hackers are losing their Robin Hood image and public sympathy, attracting law enforcement attention, being identified, indicted, prosecuted, convicted, and sentenced to jail.
• There is an emerging consensus that rewarding hackers with jobs encourages more hackers without reforming anyone.

But also some bad news:
• Hacking is no longer trivial but serious, no longer for loners but for teams, no longer for fun but for profit, no longer mischievous but malicious and criminal, no longer amusing but frightening.
• The Internet is seriously compromised by contaminated machines.
• Anonymity in the Internet is now a commodity for sale.
• Users will continue to compromise perimeter controls with tunnels and by clicking on strange files and icons. (IM, P2P)
• The rate of discovery of buffer-overflow vulnerabilities is going up and the time to exploitation is going down.
• We will continue to try and patch and fix our way to security; we will enjoy the same lack of success.

More bad news:
• Spam now accounts for a significant part of the load for the Internet and more than half of e-mail.
• Phishing is just the latest demonstration that the chain of trust is broken - things aren't what they appear to be.
• The transport layer can no longer be relied upon for security.
• Connectivity trumps security.
• Viruses and worms are becoming more sophisticated, successful, and malicious. They are used to compromise systems, insert remote controls, key-stroke grabbers and other spyware, covert agents ("bots"), and backdoors. They are a standard tool in the cracker's kit.
Insider Threat Study
• Study by CERT, US Secret Service and CSO Magazine
• Most of the incidents in the banking and finance sector were not technically sophisticated or complex. They typically involved the exploitation of non-technical vulnerabilities such as business rules or organization policies (rather than vulnerabilities in an information system or network) by individuals who had little or no technical expertise.
• In 87% of the cases, the insiders employed simple, legitimate user commands to carry out the incidents.
• In 78% of the incidents, the insiders were authorized users with active computer accounts.
• 81% were premeditated. Furthermore, in most cases, others had knowledge of the insider's intentions, plans, and/or activities. Those who knew were often directly involved in the planning or stood to benefit from the activity.

Insider Threat Study (cont.)
• 81% were motivated by financial gain, rather than a desire to harm the company or information system.
• Insiders in this report fit no common profile. Only 23% held a technical position, 13% had a demonstrated interest in "hacking" and 27% had come to the attention of a supervisor or co-worker prior to the incident.
• Insider incidents were detected by internal, as well as external, individuals - including customers.
• The impact of nearly all insider incidents in the banking and finance sector was financial loss for the victim organization: in 30% of the cases the financial loss exceeded $500,000. Many victim organizations incurred harm to multiple aspects of the organization.
• 83% were executed physically from within the insider's organization and took place during normal business hours.
Predictions 1, 3, 5 years out
• Malicious code will continue to get worse, particularly for corporations with mobile users, novice users, and extended enterprise connections.
• Phishing will continue to get worse over the next year.
• Spyware and remote controlled "Bots" will continue to cost organizations more money and result in increasing risks for loss of proprietary and customer data.
• The slow adoption of Microsoft XP SP2 (< 5-10% adoption) reduces the benefits of the security advancements available from it, and minimizes the "immunity" factor.
• Mobile phones will be one of the growing targets for malicious code.
• Instant Messaging is now being used to spread malicious code and spyware.

Predictions 1, 3, 5 years out (cont.)
• Database attacks. "Follow the Money" - the direct attacks are going for the money, and databases are the vault. These attacks include multiple vectors involving web applications, database configurations and access controls, insider threats and storage area network security.
• Emerging technologies entering the environment too quickly, before they mature and stabilize. Wireless, P2P, VoIP, IM, MP3 players, IPv6 are only a few examples. Technologies are quickly allowed to enter the enterprise. This allows a multitude of unknown and zero-day vulnerabilities, misconfiguration, user and admin errors, and attack vectors in the environment.
Recommendations
• Adopt restrictive policies.
• Avoid gratuitous functionality.
• Scan at the perimeter and the desktop, in both directions; refuse all unexpected attachments.
• Close your networks to all but registered (and current) devices and users.
• Measure the state of your networks, systems, and applications; measure the performance of their managers and users.
• Layer your defenses; do not rely on a brittle perimeter and a soft center.
• Strengthen accountability with end-to-end encryption, strong authentication, and an integrated audit trail.
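Two of these recommendations ("refuse all unexpected attachments" and "close your networks to all but registered and current devices and users") come down to the same default-deny pattern: nothing is accepted unless it is on a list of things you expect and is still within its freshness window. The following is an added illustration written for this page, not Cybertrust's or ICSA's tooling. The device registry, the seven-day staleness window, the expected attachment types, and the reference date are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: a device whose definitions or patches are older than this
# window is "not current" and is held in quarantine until it updates.
MAX_STALENESS = timedelta(days=7)

# Constructed device registry (device id -> registered user). In practice
# this would be fed from an asset inventory or directory.
REGISTRY = {
    "laptop-0142": "alice",
    "desk-0917": "bob",
}

# Assumption: the only attachment types this organisation expects to exchange.
EXPECTED_TYPES = {"pdf", "txt", "csv"}

# Extensions that are refused wherever they appear in a name, including the
# middle of a double extension such as invoice.exe.pdf.
EXECUTABLE_TYPES = {"exe", "scr", "bat", "cmd", "vbs", "js", "pif"}

# Constructed reference date (the date of this briefing) for the examples.
REFERENCE_DAY = date(2005, 5, 2)


@dataclass
class Device:
    device_id: str
    user: str            # the user presenting the device
    last_av_update: date
    last_patch: date


def admit_device(dev, today=REFERENCE_DAY, registry=REGISTRY, max_staleness=MAX_STALENESS):
    """Default-deny network admission. Returns (decision, reason).

    Only a device registered to the presenting user and current on both
    antivirus definitions and patches is admitted. A registered but stale
    device is quarantined so it can update without reaching the rest of the
    network; anything unregistered or presented by the wrong user is denied.
    """
    owner = registry.get(dev.device_id)
    if owner is None:
        return "deny", "unregistered device"
    if owner != dev.user:
        return "deny", "device registered to a different user"
    stale = []
    if today - dev.last_av_update > max_staleness:
        stale.append("antivirus definitions")
    if today - dev.last_patch > max_staleness:
        stale.append("patches")
    if stale:
        return "quarantine", "not current: " + ", ".join(stale)
    return "admit", "registered and current"


def evaluate(device_id, user, av_age_days, patch_age_days, today=REFERENCE_DAY):
    """Convenience wrapper: build a Device from ages in days and judge it."""
    dev = Device(device_id, user,
                 today - timedelta(days=av_age_days),
                 today - timedelta(days=patch_age_days))
    return admit_device(dev, today)


def attachment_allowed(filename):
    """Default-deny attachment filter. Returns (allowed, reason).

    Every extension in the name is examined, not just the last one, so a
    disguised executable is refused even when its final extension is on the
    expected list.
    """
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"
    exts = parts[1:]
    hit = [e for e in exts if e in EXECUTABLE_TYPES]
    if hit:
        return False, "executable content (." + hit[0] + ")"
    if exts[-1] not in EXPECTED_TYPES:
        return False, "unexpected type ." + exts[-1]
    return True, "expected type ." + exts[-1]


def filter_message(attachments, direction):
    """Apply the same attachment policy to a message in either direction
    ("inbound" or "outbound") and return audit records for each decision."""
    records = []
    for name in attachments:
        ok, why = attachment_allowed(name)
        records.append((direction, name, "accept" if ok else "refuse", why))
    return records


if __name__ == "__main__":
    print(evaluate("laptop-0142", "alice", 1, 3))
    print(evaluate("laptop-0142", "alice", 30, 3))
    for rec in filter_message(["report.pdf", "invoice.pdf.exe", "photo.jpg"], "inbound"):
        print(rec)
```

The point of the three-way outcome in `admit_device` is that "registered" and "current" are separate tests: a known laptop with stale definitions is a different risk from an unknown box, and quarantining it keeps the audit trail honest about why it was held. The attachment filter is deliberately applied identically to inbound and outbound mail, since the recommendation is to scan in both directions.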
PITAC Report
• "Cyber Security: A Crisis of Prioritization"
• President's Information Technology Advisory Committee Report
• http://www.nitrd.gov/pitac/reports