
CYBERCRIME


Presentation Transcript


  1. CYBERCRIME The Actors, Their Actions, and What They're After Wade H. Baker wade.baker@verizonbusiness.com

  2. Assumptions
     GOALS:
     • You want to BE secure (enough)
     • You want to KNOW you are secure
     • You need to PROVE you are secure
     CONSTRAINTS:
     • You have limited RESOURCES
     • You have limited DATA

  3. RISK Intel: What We Do (diagram: Collection, Analysis, Distribution; External Data and Internal Data (Products & Services); Risk Intel Team; Products, Personnel, Public)

  4. RISK Intel: Internal Data (diagram: Knowledge, Practice, Products & Services, Framework, Models, Data) Goal: Every product and service creates revenue but also contributes and consumes intelligence

  5. “If you can’t measure… InfoSec Data

  6. …you can’t manage You want to BE secure (enough) You want to KNOW you are secure You need to PROVE you are secure

  7. Results are based upon practices. Practices are based upon beliefs. Beliefs are based upon data. Therefore, data drives results by changing beliefs.

  8. The Basis of Belief
     Are squares A & B the same color?
     Evidence: Claim, Logic, Experience, Measurement

  9. The Basis of Belief

  10. The Basis of Belief
     What forms the basis of your information security program?
     Evidence: Claim, Logic, Experience, Measurement

  11. Sound Familiar?
     • Not enough data
     • Poor quality data
     • Garbage in, garbage out
     • Too many unknowns
     • Risk factors change
     • Can’t predict rare events
     • Inadequate models
     • Time consuming
     • Overly difficult
     • Not aligned with business
     • Too much techno babble
     • Too much biz speak
     UNRELIABLE · IMPRACTICAL · UNKNOWABLE · IMPOSSIBLE · UNCERTAINTY

  12. Lessons from Organizational Theory = UNCERTAINTY Data

  13. “…we will create a National Digital Security Board modeled on the National Transportation Safety Board. The NDSB will have the authority to investigate information security breaches reported by victim organizations. The NDSB will publish reports on its findings for the benefit of the public and other organizations, thereby increasing transparency in two respects. First, intrusions will have real costs beyond those directly associated with the incident, by bringing potentially poor security practices and software to the attention of the public. Second, other organizations will learn how to avoid the mistakes made by those who fall victim to intruders.” -- Remarks by the president on securing our nation’s cyber infrastructure May 29, 2009 http://www.whitehouse.gov/the_press_office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure/

  14. A Wise Proverb “Without knowledge there is no understanding; without understanding there is no knowledge”

  15. Lessons from Organizational Theory = EQUIVOCALITY Framework

  16. Greatest Threat?
     • Hackers
     • Insiders
     • Network intrusion
     • Human errors
     • Targeted attacks
     • Software vulnerabilities
     • Securing web apps
     • Internet infrastructure
     • Large databases
     • Data compromise
     • Downtime
     • Brand damage
     (All of these aren’t “threats”)

  17. Define the Problem: Threat
     An “incident” can be described by the following components:
     1. Agent: Source of the threat
     2. Action: Threat type or method
     3. Asset: Target of attack
     4. Attribute: Security property affected (CIA)
     Example:
     • Agent: Internal privileged administrator
     • Action: Abuse of access privileges
     • Asset: Structured data repository
     • Attribute: Confidentiality
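The four-component incident description above, as an added Python example (it is not part of the deck and not Verizon's own tooling): it encodes the slide's example incident and a constructed sample of incidents with the Agent / Action / Asset / Attribute model, then aggregates them by component the way the later "Breach Sources" slides do, including the insider-larger-but-outsiders-more-damaging comparison. The agent categories, the record counts and the sample incidents are constructed assumptions, not DBIR case data.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Agent(Enum):
    """Source of the threat (the three categories used on the Breach Sources slide)."""
    EXTERNAL = "external"
    INTERNAL = "internal"
    PARTNER = "partner"


class Attribute(Enum):
    """Security property affected (the CIA triad)."""
    CONFIDENTIALITY = "confidentiality"
    INTEGRITY = "integrity"
    AVAILABILITY = "availability"


@dataclass(frozen=True)
class Incident:
    """One incident described by the slide's four components, plus a record count."""
    agent: Agent          # source of the threat
    action: str           # threat type or method
    asset: str            # target of the attack
    attribute: Attribute  # security property affected
    records: int = 0      # records compromised (constructed figure, 0 if unknown)


# The slide's own example incident, encoded with the model above.
SLIDE_EXAMPLE = Incident(
    agent=Agent.INTERNAL,
    action="abuse of access privileges",
    asset="structured data repository",
    attribute=Attribute.CONFIDENTIALITY,
    records=150_000,  # constructed value, not from the deck
)

# Constructed sample (not DBIR case data): one insider breach, three external, one partner.
SAMPLE = [
    SLIDE_EXAMPLE,
    Incident(Agent.EXTERNAL, "hacking", "web application", Attribute.CONFIDENTIALITY, 50_000),
    Incident(Agent.EXTERNAL, "malware", "POS server", Attribute.CONFIDENTIALITY, 120_000),
    Incident(Agent.EXTERNAL, "hacking", "remote access gateway", Attribute.CONFIDENTIALITY, 30_000),
    Incident(Agent.PARTNER, "hacking", "partner VPN connection", Attribute.CONFIDENTIALITY, 8_000),
]


def describe(incident):
    """Render an incident as its Agent / Action / Asset / Attribute tuple."""
    return " / ".join([incident.agent.value, incident.action,
                       incident.asset, incident.attribute.value])


def count_by(incidents, field):
    """Number of incidents per value of one component ('agent', 'action', 'asset', ...)."""
    return Counter(getattr(i, field) for i in incidents)


def records_by_agent(incidents):
    """Total records compromised per agent category (overall damage)."""
    totals = Counter()
    for i in incidents:
        totals[i.agent] += i.records
    return totals


def mean_records_by_agent(incidents):
    """Average records per incident for each agent category (typical breach size)."""
    counts = count_by(incidents, "agent")
    totals = records_by_agent(incidents)
    return {agent: totals[agent] / counts[agent] for agent in counts}


if __name__ == "__main__":
    for inc in SAMPLE:
        print(describe(inc))
    print("incidents by agent:", count_by(SAMPLE, "agent"))
    print("records by agent:", records_by_agent(SAMPLE))
    print("mean records per incident:", mean_records_by_agent(SAMPLE))
```

Separating total records from mean records per incident is what lets the two statements on the Breach Sources slides coexist: in the constructed sample the single insider incident is larger than any external one, while external incidents account for more records overall.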

  18. Lessons from Organizational Theory. Daft, R. and Lengel, R. (1986). Organizational Information Requirements, Media Richness and Structural Design. Management Science, 32(4), 554-569.

  19. RISK Intel: What We Do (diagram: Collection, Analysis, Distribution; External Data and Internal Data (Products & Services); Risk Intel Team; Products, Personnel, Public)

  20. Data Breach Investigations Report http://verizonbusiness.com/databreach http://securityblog.verizonbusiness.com

  21. Methodology
     Data Source
     • Verizon Business Investigative Response Team
     Collection and Analysis
     • Case metrics collected during and after investigation
     • Anonymized then aggregated for analysis
     • Risk Intelligence team provides analytics
     Data Sample
     • 5 years of paid forensic investigations
     • Not internal Verizon incidents
     • ~600 breaches in sample
     • Actual compromise rather than data-at-risk
     • Both disclosed and non-disclosed
     • Most of the largest breaches ever reported

  22. Data Sample All Breaches What can we learn?

  23. Breach Sources
     External sources
     • 90+% of stolen records linked to organized crime
     Internal sources
     • Roughly equal between end-users and IT admins
     Partner sources
     • Mostly hijacked third-party accounts/connections

  24. Breach Sources Insider breaches typically larger… …but overall, outsiders more damaging

  25. Breach Methods
     • Most breaches and records linked to Hacking & Malware
     • Misuse is fairly common
       • Mostly abuse of authorized access
     • Physical attacks
       • Theft and tampering most common
     • Deceit and social attacks
       • Varied methods, vectors, and targets
     • Error is extremely common
       • Usually contributory (62%) rather than direct cause (3%)
       • Mostly omissions followed by misconfigurations

  26. Breakdown of Hacking (60% of breaches)
     • Default credentials, SQL injection, weak ACLs most common methods
     • Minority of attacks exploit patchable vulns; most of them are old
     • Web applications & remote access connections are main vectors
     *2008 data  **Vulnerabilities exploited in 16% of breaches

  27. Breakdown of Malware (32% of breaches)
     • Most malware installed by remote attacker
     • Malware captures data or provides access/control
     • Increasingly customized

  28. Attack Difficulty and Targeting
     • Highly difficult & sophisticated attacks not the norm
       • Difficulty usually malware rather than intrusion
     • Fully targeted attacks in minority but growing
       • % doubled in 2008
     • Difficult and targeted attacks increasingly damaging
       • Shows ROI is good for skilled attackers

  29. Breach Timeline
     • Data compromised within hours/days after breaching perimeter
       • Actually good news for detection & prevention
     • Breaches go undiscovered for months
       • Ability to detect breaches woefully inadequate (or at least inefficient)
     • It typically takes days to weeks to contain a breach
       • Poor planning and response procedures

  30. Breach Discovery Methods
     • Most breaches discovered by a third party
     • Majority of internal discoveries are accidental
     • Effectiveness of event monitoring far below potential
       • Evidence found in existing log files for 80% of breaches

  31. Compromised Assets and Data
     • Most data breached from online systems
       • Conflicts with public disclosures
     • Cybercrime is financially motivated
       • Cashable data is targeted
       • Other types common as well
     • Auth credentials allow deeper access
     • Intellectual property at 5-year high

  32. Unknown Unknowns
     • A SYSTEM unknown to the organization
     • DATA unknowingly stored on an asset
     • Unknown or forgotten ICT CONNECTIONS
     • Accounts and PRIVILEGES not known to exist
     “Yes, we’re positive all sensitive data of that type is confined to these systems.”
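The second item, data unknowingly stored on an asset, is the one that can be checked mechanically rather than asserted. The Python example below is added here and is not the deck's or Verizon's code: it scans constructed file contents from several hosts for card-number-shaped data, uses a Luhn check to discard random digit runs (order ids, timestamps), and reports hits on any host outside an assumed list of systems approved to hold that data. The host names, paths and approved list are assumptions; the card numbers are public test numbers, not real accounts.

```python
import re

# Assumption (not from the deck): the only systems approved to hold payment card data.
APPROVED_CARD_HOSTS = {"pos-db01"}

# 13-16 digits, optionally separated by single spaces or dashes.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits):
    """Luhn check-digit validation; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the Luhn-valid 13-16 digit numbers found in a piece of text."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append(digits)
    return found


# Constructed file contents per host. 4111111111111111 and 5500-0000-0000-0004 are
# public test numbers; 1234567890123456 fails the Luhn check and must not be reported.
SAMPLE_FILES = {
    "pos-db01": {"/var/lib/pos/txn.dat": "txn 4111111111111111 12.99\n"},
    "fileserv": {"/shares/finance/backup/export.csv": "cust,pan\nsmith,4111111111111111\n"},
    "laptop-jdoe": {"/home/jdoe/Desktop/notes.txt": "card for test: 5500-0000-0000-0004\n"},
    "www01": {"/var/log/app.log": "order=1234567890123456 status=ok\n"},
}


def find_unapproved_card_data(files, approved_hosts):
    """List (host, path, count) for card data found on hosts not approved to hold it."""
    findings = []
    for host, paths in sorted(files.items()):
        if host in approved_hosts:
            continue              # approved system: in scope for controls, not a surprise
        for path, content in sorted(paths.items()):
            hits = find_card_numbers(content)
            if hits:
                findings.append((host, path, len(hits)))
    return findings


if __name__ == "__main__":
    for host, path, count in find_unapproved_card_data(SAMPLE_FILES, APPROVED_CARD_HOSTS):
        print(f"{host}:{path}: {count} card number(s) outside approved systems")
```

The two findings in the sample (a finance export on a file server and a note on a laptop) are exactly the kind of copies the quoted "we're positive" statement overlooks; the approved system is skipped because the point is to find data where nobody expects it, not to re-inventory where it is supposed to be.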

  33. Attack Commonalities
     The last year shows much of the same, but new twists and trends as well
     • Sources: Similar distribution; organized crime behind most large breaches
       • Organized criminal groups driving evolution of cybercrime
     • Attacks: Criminals exploit errors, hack into systems, install malware
       • 2008 saw more targeted attacks, especially against orgs processing or storing large volumes of desirable data
       • Highly difficult attacks not common but very damaging
       • Large increase in customized, intelligent malware
     • Assets and Data: Focus is online cashable data
       • Nearly all breached from servers & apps
       • New data types (PIN data) sought, which requires new techniques and targets
     • Discovery: Takes months and is accomplished by 3rd parties
     • Prevention: The basics, if done consistently, are effective in most cases
       • Increasing divergence between Targets of Opportunity and Targets of Choice
       • ToO: Remove blatant opportunities through basic controls
       • ToC: Same as above, but prepare for very determined, very skilled attacks
       • Initial hack appears the easiest point of control

  34. Victim Commonalities
     • False assumptions regarding information assets
     • Low awareness of network and system activity
     • Do not necessarily have a terrible security program
       • Fail to consistently and comprehensively follow “the basics”
       • Lack of assurance and validation procedures
     • Cost of prevention orders of magnitude less than impact
     • An inefficient approach to security
       • Focus too much on things that don’t happen
       • Focus too little on the things that do happen
     If you like mnemonics:
     • Visibility
     • Variability
     • Viability

  35. Recommendations
     • Align process with policy
     • Achieve “Essential” then worry about “Excellent”
     • Secure Business Partner Connections
     • Create a Data Retention Plan
     • Control data with transaction zones
     • Monitor event logs
     • Create an Incident Response Plan
     • Increase awareness
     • Engage in mock incident testing
     • Changing default credentials is key
     • Avoid shared credentials
     • User Account Review
     • Application Testing and Code Review
     • Smarter Patch Management Strategies
     • Human Resources Termination Procedures
     • Enable Application Logs and Monitor
     • Define “Suspicious” and “Anomalous” (then look for whatever “It” is)
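"Monitor event logs" and "Define Suspicious and Anomalous", together with slide 30's observation that evidence was already sitting in existing log files for 80% of breaches, come down to writing the definitions as rules and running them over the logs already being collected. The Python example below is added here and is not the deck's or Verizon's code: it parses constructed authentication and web access log lines and applies rules drawn from the deck's own themes (a burst of failed logins followed by a success, a default or vendor account used from outside the internal range or outside business hours, and a tautology-style SQL injection fragment in a request). The log format, the internal address range, the default account list and the business hours are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Assumptions (not from the deck): internal address range, account names treated as
# default/vendor accounts, and the hours during which such accounts are expected.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DEFAULT_ACCOUNTS = {"admin", "root", "sa", "vendor"}
BUSINESS_HOURS = range(8, 18)

# Constructed sample log: syslog-style authentication events plus one web access event.
SAMPLE_LOG = """\
2009-05-01T02:10:01 auth host=db01 user=admin src=203.0.113.7 result=FAIL
2009-05-01T02:10:03 auth host=db01 user=admin src=203.0.113.7 result=FAIL
2009-05-01T02:10:05 auth host=db01 user=admin src=203.0.113.7 result=FAIL
2009-05-01T02:10:09 auth host=db01 user=admin src=203.0.113.7 result=OK
2009-05-01T09:00:00 auth host=db01 user=jsmith src=10.0.4.12 result=OK
2009-05-01T09:15:00 web host=www01 src=198.51.100.5 path="/login.php?user=1'+or+'1'='1" status=200
2009-05-01T23:40:00 auth host=fileserv user=vendor src=192.0.2.44 result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Tautology-style SQL injection fragments in a URL-decoded query string.
SQLI_RE = re.compile(r"'\s*(?:or|and)\s*'?\w*'?\s*=|\bunion\s+select\b", re.IGNORECASE)


def parse_line(line):
    """Turn one 'timestamp kind key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": datetime.fromisoformat(m.group("ts")), "kind": m.group("kind")}
    for key, value in KV_RE.findall(m.group("rest")):
        event[key] = value.strip('"')
    return event


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(log_text, window=timedelta(seconds=60), fail_threshold=3):
    """Apply the 'suspicious'/'anomalous' definitions; returns (rule, context) findings."""
    findings = []
    recent_failures = defaultdict(list)  # (host, user, src) -> timestamps of FAIL events
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "auth":
            key = (ev["host"], ev["user"], ev["src"])
            if ev["result"] == "FAIL":
                recent_failures[key].append(ev["ts"])
                continue
            # Successful login: suspicious if preceded by a burst of failures ...
            burst = [t for t in recent_failures[key] if ev["ts"] - t <= window]
            if len(burst) >= fail_threshold:
                findings.append(("failures_then_success", key))
            recent_failures[key] = []
            # ... or if a default/vendor account is used from outside or off hours.
            if ev["user"] in DEFAULT_ACCOUNTS:
                if not is_internal(ev["src"]):
                    findings.append(("default_account_external", key))
                if ev["ts"].hour not in BUSINESS_HOURS:
                    findings.append(("default_account_off_hours", key))
        elif ev["kind"] == "web":
            if SQLI_RE.search(unquote_plus(ev["path"])):
                findings.append(("sqli_pattern", (ev["host"], ev["src"], ev["path"])))
    return findings


if __name__ == "__main__":
    for rule, context in analyze(SAMPLE_LOG):
        print(rule, context)
```

Each rule is a written-down definition of "suspicious" for one of the deck's recurring findings (default credentials, remote access, web applications as vectors), and every one of them fires on ordinary authentication and web server logs without any additional sensor; the ordinary internal login at 09:00 produces no finding.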
