Emerging Threats: BRKSEC-2001

Emerging Threats
BRKSEC-2001
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2
© 2008, Cisco Systems, Inc. All rights reserved. 1

14330_04_2008_c1.scr
Agenda
What? Where? Why?

Trends
Year in Review
Case Studies
Threats on the Horizon
Threat Containment
BRKSEC-2001
What?
Where?
Why?
BRKSEC-2001

14330_04_2008_c1.scr
What? Where? Why?
What is a Threat?
A warning sign of possible trouble
Where are Threats?

Everywhere you can, and more importantly cannot, think of
Why are there Threats?

The almighty dollar (or euro, etc.), the underground cyber crime
industry is growing with each year
BRKSEC-2001
Examples of Attacks
Targeted Hacking
Malware Outbreaks
Economic Espionage
Intellectual Property Theft or Loss
Network Access Abuse
Theft of IT Resources
BRKSEC-2001

14330_04_2008_c1.scr
Where Can I Get Attacked?
Operating System
Network Services
Applications
Users
Attack Attack
Anywhere Everywhere
BRKSEC-2001
Operational Evolution of Threats

Emerging Threat
Threat Evolution Unresolved Threat
Nuisance Threat
Policy and
Reaction
Socialized Formalized
Process Reactive Process
Process Process
Definition
Operational
Mitigation
Burden
Human Automated
Technology Manual Process
“In the Loop” Response
Evolution
End-User
Support
Burden
End-User No End-User “Help-Desk” Aware—

Increasingly
Awareness Knowledge Know Enough to Call
Self-Reliant
BRKSEC-2001

14330_04_2008_c1.scr
Emerging Threat
Nuisance Threat
Policy and
Reaction
Process Process
Definition Operational
Mitigation
Burden
Human Automated
Evolution
End-User
Support
Burden

Increasingly
Self-Reliant
“New”, Unknown, or Largest Volume of Problems
Problems We Haven’t Focus of Most of Day to Day
Solved Yet Security Operations
BRKSEC-2001
Why?
Fame
Not so much anymore (more on this with Trends)
Money
The root of all evil…(more on this with the Year in Review)
War
A battlefront just as real as the air, land, and sea
BRKSEC-2001

14330_04_2008_c1.scr
Trends
BRKSEC-2001
Trends
Evolution of Hacker Motivation

No longer the Lone Hacker
The Cybercrime Industry
Hosting Services
Designer Malcode
BotNets
Spyware
Phishing
Fast Flux
BRKSEC-2001

14330_04_2008_c1.scr
Evolution of Motivation
2002 2003 2004 2005 2006 2007 2008
Fame
SQL Slammer Netsky,
Bagle,
MyDoom Money
Zotob
Business
= Major Media Event
BRKSEC-2001
Evolution of Motivation
Fame is not all it’s cracked up to be

To make money effectively and without
detection you need to be unknown
People are prepared for what they know
BRKSEC-2001

14330_04_2008_c1.scr
Emerging Threat
Nuisance Threat
Policy and
Reaction
Process Process
Definition Operational
Mitigation
Burden
Human Automated
Evolution
End-User
Support
Burden

Increasingly
Self-Reliant
BRKSEC-2001
No Longer the Lone Hacker
Hackers are forming development teams to work on

creating malicious code
Highly intelligent individuals are collaborating to create
new viruses and other malicious code
Software development tools for handling large projects
are being used
Development is not unlike normal software
development in the IT industry
The shared information and talents of many very skilled
hackers when working together can be worse than any
one working alone
BRKSEC-2001

14330_04_2008_c1.scr
The Cybercrime Industry
Group develops custom malcode

Custom malcode is made available for purchase
ISP administrators are paid to host malicious code on
sites that they control
Malcode collects usernames and passwords as well as
credit card numbers
Credit card numbers and usernames and passwords
are for sale
BRKSEC-2001
Cybercrime Industry: In the Past
Writers Asset End Value
Tool and Toolkit Compromise Fame

Writers Individual Host
or Application
Theft
Malware Writers
Worms Espionage
Compromise (Corporate/
Viruses Environment Government)
Trojans
BRKSEC-2001

14330_04_2008_c1.scr
Cybercrime Industry: Today
First Stage Second Stage
Writers Abusers Middle Men Abusers End Value
Tool and Toolkit Hacker/Direct Fame
Writers Attack Compromised
Host and
Theft
Application
Malware Writers Espionage

Extortionist/ (Corporate/
Machine DDoS-for-Hire Government)
Harvesting Bot-Net Creation
Worms
Extorted Pay-Offs
Viruses Spammer
Bot-Net Management:
For Rent, for Lease, for Commercial Sales
Trojans Sale
Phisher
Fraudulent Sales
Information Personal
Spyware
Harvesting Information
Pharmer/DNS
Poisoning Click-Through
Revenue
Information
Brokerage
Internal Theft: Identity Theft Financial Fraud
Abuse of
Privilege Electronic IP
Leakage
$$$ Flow of Money $$$

BRKSEC-2001
Cybercrime Industry: Hosting Services
Hosting services are for sale as part of the total

package
Hosting sites can hold a database of collected
information
Hosting sites can serve as a sales portal for
individuals wishing to purchase stolen information
Standard rates for data sales are being established
BRKSEC-2001

14330_04_2008_c1.scr
Designer Malcode
Malcode that is designed to bypass virus scanners

is made for sale
Malcode is designed to collect information and upload
it to a database
Backup malcode is also available to replace the
active malcode once it begins to be detected by
virus scanners
Malcode is designed to be very difficult to reverse
engineer, or determine its functionality making it
harder to detect and harder to trace where the
data is being sent
BRKSEC-2001
“Noise” Level
Large Scale Worms
Public
Awareness
Targeted Attacks
2000 2008
Time
BRKSEC-2001

14330_04_2008_c1.scr
Cyber Crime Profit Level
Targeted Attacks
Illicit
Dollars
Gained
Large Scale Worms
2000 2008
Time
BRKSEC-2001
Botnets
Botnet: A collection of compromised machines running programs
under a common command and control infrastructure
Building the Botnet:
Viruses, worms; infected spam; drive-by downloads; etc.
Controlling the Botnet:

Covert-channel of some form; typically IRC or custom IRC-like channel
Historically have used free DNS hosting services to point bots to the IRC server
Recent attempts to sever the command infrastructure of botnets has resulted in
more sophisticated control systems
Control services increasingly placed on compromised high-speed machines
(e.g. in academic institutions)
Redundant systems and blind connects are implemented for resiliency
Further Example as a Case Study
Source: www.wikipedia.com
BRKSEC-2001

14330_04_2008_c1.scr
Using a Botnet to Spend Spam
1. A botnet operator propagates
by viruses, worms, spam,
and malicious websites
2. The PCs log into an IRC
server or other
communications medium
3. A spammer purchases
access to the botnet from
the operator
4. The spammer sends
instructions via the IRC
server to the infected PCs—
5. …causing them to send
out spam messages to
mail servers
Source: www.wikipedia.com
BRKSEC-2001
What about Spyware?

Still a major threat
Drive-by downloads still a major source of infestation
ActiveX vulnerabilities in particular enable this
However, confusing or misleading EULAs still a problem
A Trojan by any other name—

Spyware is increasingly indistinguishable from other forms of malware
Nasty race condition: sheer number of variants makes it very difficult
for technology solutions to hit 100% accuracy at a given moment
Rise of intelligent spyware

Directed advertising is more valuable than undirected
More sophisticated spyware matches user-gathered data with
directed advertising
Bot-based spyware is also more valuable, as it can be updated over time
BRKSEC-2001

14330_04_2008_c1.scr
Phishing, Pharming, and Identity Theft
Phishing Pharming
MUNDO-BANK.COM MUNDO-BANK.COM
ited
olic S
Uns mail DN ning
E is o
Po
172.168.1.1 172.168.1.1
MUNDO- MUNDO-
MUNDO-BANK.COM BANK.COM BANK.COM
Come see us at
www.mundo-bank.com
ine
<172.168.254.254>
Onl
egular ing
172.168.254.254 R Bank 172.168.254.254
Hosts File:
mundo-bank.com = 172.168.254.254
Identity theft continues to be a problem If you’re a target:

Phishing scams growing in sophistication Consider “personalization” technologies
every day (e.g. user-chosen images on a webpage)
Protecting your users: implement some Support identified mail initiatives, like DKIM
technology, but don’t forget user education!!
BRKSEC-2001
Fast Flux
Malicious IP addresses are changing quickly

Botnets are the new DNS Servers
Very low time to live (TTL) in A Record
Infected hosts acting as DNS servers
Traditional DNS-based security measure not
longer effective
BRKSEC-2001

14330_04_2008_c1.scr
What Does this Mean?
People utilizing the emerging threats of today want

them to stay unknown
What you don’t hear about is what you should be
concerned about
Intelligence is important
BRKSEC-2001

Emerging Threat
Nuisance Threat
Policy and
Reaction
Process Process
Definition
Operational
Mitigation
Burden
Human Automated
Evolution
End-User
Support
Burden

Increasingly
Self-Reliant
BRKSEC-2001

14330_04_2008_c1.scr
Year in Review
BRKSEC-2001
2007 as a Year
Security fad: Month of Bugs

Fuzzers offer tremendous way to find vulnerabilities
Application vulnerabilities up 17% from 2006

According to the Cisco IntelliShield
Botnets control channels up 57% from 2006

According to ShadowServer.Org
1,200 new websites per day hosting malware

According to MessageLabs
BRKSEC-2001

14330_04_2008_c1.scr
2007 as a Year
Global spam up 50% from 2006, considerable up tick

in types of spam attachment
According to IronPort
One unique phishing scam every 2 minutes in 2007

According to the PhishTank
Over 10 targeted malcode attacks per day, up from

1 per day in 2006
According to MessageLabs
163 million records with personal data compromised

in 2007—up from 48 million in 2006
According to Attrition.Org
BRKSEC-2001
Fuzzers in Action—Month of Bugs
Trend started in Mid 2006 with Month of Browser Bugs

Jan ’07—Month of Apple Bugs (MoAB)
Mar ’07—Month of PHP Bugs (MoPB)
April ’07—Month of MySpace Bugs (MoMYB)
May ’07—Month of ActiveX Bugs (MoAXB)
June ’07—Month of Search Engine Bugs (MoSEB)
BRKSEC-2001

14330_04_2008_c1.scr
Stock Advice from Spam
Canadian company Diamant Art’s stock price tripled

in one day from .08 cents to .25 cents
No positive news released from the company
Spam touting the stock solely responsible for raise
in stock price
Most spam stock only increases stock price ~2%,
which is quickly lost
BRKSEC-2001
Stop Trading Spam Stocks
March 2007 US Securities and Exchange Commission

announced that 25 stocks were going to be suspended
from trading for 10 days
Not viewed as an effective way to stop stock spam
It is a start, government bodies are starting to wake up
BRKSEC-2001

14330_04_2008_c1.scr
F.B.I. Nabs BotHerders
June 2007, the US F.B.I. announced the arrest of

3 different BotHerders who were responsible for over
1 million infected machines
Step in the right direction, even if it was relatively
small group
The real news: If the F.B.I. is on your trail then your
technology has matured
BRKSEC-2001
iPhone Releases, Gets Hacked
July 2007, less than one month

after the US release of Apple’s
highly anticipated iPhone a major
vulnerability was discovered
enabling a complete compromise
New vector, new attack
As other vendors scramble to
match the iPhone in functionality
similar attacks are likely
BRKSEC-2001

14330_04_2008_c1.scr
Google Ads Link to Malicious Sites
December 2007, a security researcher discovers

that several sites using Google ads were linking to
malicious websites
Google swiftly reacted by shutting down the
ad providers
No way to know for certain how many users were
infected nor who was at fault
BRKSEC-2001
Radio Frequency ID (RFID) Cloning
Last 12 months has seen

several different
demonstrations highlighting
technology to clone RFID tags
Legal methods used to
suppress demonstrations
Current demonstrations are
more theoretical and not likely RFID is an automatic
to be easily carried out identification method, relying
on storing and remotely
retrieving data using devices
called RFID tags
- Wikipedia
BRKSEC-2001

14330_04_2008_c1.scr
Pretexting Makes Headlines
Hewlett Packard admits using Pretexting is the act of

pretexting to investigate creating and using an
internal officers invented scenario (the
pretext) to persuade a
Xbox Live accounts suffer from target to release
information or perform
pretexting attacks an action and is usually
Group calling itself Clan Infamous done over the telephone
claimed to steal 10 accounts a day - Wikipedia
BRKSEC-2001
P2P Networks Used for DoS Attacks
Flaw in open source peer-to-peer hub software DC++

Allowed attacker to direct clients to any site resulting
in a DoS
Large amount of blackmail money demanded to
prevent attack
BRKSEC-2001

14330_04_2008_c1.scr
Conclusions from 2007
Botnets have come into their own

Targeted attacks are increasingly the norm
Cybercrime industry pushing “innovation” in malware
Focus on applications
BRKSEC-2001
Case Studies
BRKSEC-2001

14330_04_2008_c1.scr
Case Studies
Corporate Liability
TJX Company’s customer database compromised
Malware in Action
Storm worm analyzed
Malware Industry
Gozi worm’s cybercrime links
BRKSEC-2001
Corporate Liability—About the Company
TJX is the parent company for a family of

discount retailers
United States
Marshalls
TJ-Maxx
HomeGoods
Canada
Winners
HomeSense
UK, Ireland, Germany

TK-Maxx
BRKSEC-2001

14330_04_2008_c1.scr
Corporate Liability—How it Happened
Attack originated at a Marshalls

store in St. Paul, Minnesota
Attackers used telescope-shaped
antenna to read WiFi signals
WiFi enabled price scanners targeted to get

network access info
Once on the network, database was targeted
Data harvesting started mid 2005 and carried
through end of 2006
BRKSEC-2001
Corporate Liability—What was Affected
Initially thought to be 45.6M credit

card numbers compromised, later
updated to 90M
Included “Track 2 Data”
Biggest credit card number heist
in history
Over 80 GB of network traffic send
to outside server
90,000,000
BRKSEC-2001

14330_04_2008_c1.scr
Corporate Liability—Example of Use
Nov. ’06 Florida law enforcement claims at least 10

thieves used credit card data in a gift card scheme
Over $8M in gift cards purchased
6 people tied to gift card scheme were arrested
Gift card scheme was carried out months before
TJX discovered the compromise
BRKSEC-2001
Corporate Liability—Aftermath
Believed to be responsible for between $68M and

$83M fraud in over 13 countries
Class-action consumer lawsuit settled
$20 store voucher
3 years credit monitoring
$20,000 ID Theft Coverage
Banks and financial institutions sued

Yet to be determined
Estimated costs to TJX are over $150M
BRKSEC-2001

14330_04_2008_c1.scr
Corporate Liability—Conclusions
Every company needs to be concerned

Does not have to be credit cards
Governments creating laws requiring disclosure
One incident can cost much more than years of
a quality security infrastructure
BRKSEC-2001
Malware in Action—Storm Worm
Started as PDF spam in early 2007

Evolved to use e-card and YouTube invites
Uses spam with links to malicious sites as main vector
of propagation
Utilizes social engineering techniques to trick users
to malicious sites
BRKSEC-2001

14330_04_2008_c1.scr
Email spam example:

To: Tony Hall
From: Dale Hammond
Subject: Dear Friend
Hi. Nice to meet u and my friend operates a company .i have got
something from him and i must say that the quality is so good .SO i tell u
the truth and hope u can connect him and welocme to his website
www.ouregoods.com. If u have any questions u can add
ouregoods@hotmail.com we are pleasure to help ,good luck to u!
BRKSEC-2001
Infected 1 BotHerder
Webserver
4
1. BotHerder updates
malcode on webtrap
2. Initiate new spam 3
pointing to webtrap
3. User reads the spam
and clicks link Infected
4. User machine
infected
BRKSEC-2001

14330_04_2008_c1.scr
game0.exe—Backdoor/downloader
game1.exe—SMTP relay
game2.exe—Email address stealer
game3.exe—Email virus spreader
game4.exe—DDoS attack tool
game5.exe—Updated copy of Storm Worm dropper
Source: www.secureworks.com
BRKSEC-2001
403014 Copy(c:\game0.exe->C:\WINDOWS\disnisa.exe)
77e6bc59 WriteFile(h=7a0)
403038 RegOpenKeyExA
(HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
40305f RegSetValueExA (disnisa)
Copies itself to C:\Windows\disnisa.exe

Set registry to run on startup
BRKSEC-2001

14330_04_2008_c1.scr
402ba0 WinExec(w32tm/config/syncfromflags:manual
/manualpeerlist:time.windows.com,time.nist.gov,100)
77e7d0b7 WaitForSingleObject(788,64)
40309b
CreateProcessA(C:\WINDOWS\disnisa.exe,(null),0,(null))
4030df WinExec(netsh firewall set allowedprogram
"C:\WINDOWS\disnisa.exe" enable,100)
Sync with Microsoft Time Server
Start process
Edit firewall rules to allow network access
BRKSEC-2001
77e7ac53 CreateRemoteThread(h=ffffffff,
start=404b05)
40da1b bind(b8, port=7018)
40d9c7 listen(h=b8 )
40a262 WaitForSingleObject(d4,2710)
Connect with remote machine

Wait for a command
BRKSEC-2001

14330_04_2008_c1.scr
Hub and Spoke Topology
Controller communicates
directly with bots
Simplest but limited ability
to scale
Single points of failure
BotHerder
DNS record to BotHerder
BRKSEC-2001
Peer To Peer (P2P) Topology
All bots perform

distribution
Multiple paths from
controller to bots
Scales well, very resilient
No single point of failure
BRKSEC-2001

14330_04_2008_c1.scr
Storm Worm Conclusions
Very sophisticated
“Victim of its own success”, yet still difficult to
shut down
Just one example, there are others we don’t
know about
BRKSEC-2001
The Industry in Action: GOZI
GOZI was a custom made application designed

to harvest data
Went undetected for over 50 days
Collected at least 10,000 records belonging to
over 5,000 home users
BRKSEC-2001

14330_04_2008_c1.scr
GOZI: The Discovery
Originally discovered because a user reported that

an account he accessed at work was compromised
Work computer was searched, suspicious malware
discovered
Not one of the 30 leading anti-virus companies
detected Gozi at the time
BRKSEC-2001
GOZI: The Highlights
Targeted SSL data

Modularized code (Professional grade)
Spread through iFrame IE browser vulnerability
No detection in anti-virus produces for weeks, months
Customized to target specific sensitive data
Posted on-line for “customer” purchases of stolen data
Home PCs largely infected
Accounts at top financial, retail, health care, and
government services affected
Estimated black market value of at least $2 million
BRKSEC-2001

14330_04_2008_c1.scr
GOZI: The Investigation
Organization ready to code new undetectable malware

Willing to offer tech support
Others willing to help with infection
Gozi main server located in Russia
BRKSEC-2001
GOZI: Conclusions
Truly a new industry

Pushing the envelop, trying to stay undetected
Operating in countries where it is difficult to get
shut down
BRKSEC-2001

14330_04_2008_c1.scr
BRKSEC-2001
Automated social engineering

Web 2.0
Voice over IP threats
Video files format vulnerabilities
Mobile devices
Data leakage
Outsourcing
Distributed workforce
BRKSEC-2001

14330_04_2008_c1.scr
Automated Social Engineering
In an effort to convince users to “click here”, malware

will use collected data to enhance the veracity of
targeted spam
Malcode can scan previous emails in a person’s inbox
and send a “reply”
Simply adding:
Hey,
Forgot to tell you to check out this site:
http://bad.site.com
BRKSEC-2001
Web 2.0
Hugely popular social sites (MySpace, Facebook)

offer many potential victims for attackers
Data easy to gather to assist in targeted attacks
Very dynamic, big potential for buggy software to
be present
Attracts users who are not necessarily computer
proficient
BRKSEC-2001

14330_04_2008_c1.scr
Voice over IP Threats
“Vishing”—voice way to attempt a phishing scheme

Well understood business risk is promoting integration
of security technologies in voice deployments
Limited pool of technical experts on voice within
attacker community
Follow the money: No well-established business model
driving financial incentives to attack
BRKSEC-2001
Voice Security Opportunities
Eavesdropping:
Earliest attacks focused on this (VOMIT); however, effective
deployment of secure voice makes this very difficult (easier to
use other means to access info)
SPIT: SPAM over internet telephony

Potential to be a serious annoyance, but significant barriers to
this being an effective source of profit (Vishing)
Some are technical, but most involve our current use patterns
for telephony (used on a per-phone basis, not in a “list” format)
Denial of service
Disgruntled employees or extortionists may target the voice
infrastructure by a variety of mechanisms
BRKSEC-2001

14330_04_2008_c1.scr
Video File Format Vulnerabilities
Researchers in 2007 continued to uncovered many

important to critical video file format vulnerabilities in:
QuickTime
Real Player
Windows Media Player
Flash
Documented examples of video file attacks in 2007,

not yet mainstream
With rise of video it is only a matter of time
The next “hot” YouTube video just might be dangerous…
BRKSEC-2001
New Opportunity: Proliferation of Devices

The Challenge Opportunities for Attack
• New types of devices are • Attacks on the back-end

joining the network: All of these systems provides an
Hand-helds, smart phones, cameras, ingress point into some form of
tools, physical security systems, etc. back-end system
Both the method of communication
• Diversity of OSs: and the device itself are targets
More devices means more operating
systems and custom applications • Attacks on the device
Proliferation leaves many
• Embedded OSs opportunities for taking control
Process controllers, kiosks, ATMs, of a system
lab tools, etc.
• Attacks on data
IT department often not involved
in procurement—little attention paid Sensitive data is becoming
to security increasingly distributed
and uncontrolled
For example, one environment got
hacked from an oscilloscope
BRKSEC-2001

14330_04_2008_c1.scr
Attacks on Data: Data Leakage
Still a hot topic this year
Broad term encompassing multiple
different challenges:
Security of Data at rest
Security of Data in motion
Identity-based access control
Both malicious and inadvertent disclosures
Issue has become topical typically for “Compliance” reasons

However, broader topic involves business risk management
How do I avoid inadvertent disclosures?
How do I protect my information assets from flowing to my competitors?
How do I avoid ending up in the news?
BRKSEC-2001
Architectural View of Data Leakage:

New Challenges
Server/Application Network Transit End Users Endpoint Systems
Systems
Endpoint
Enforcement Points Internal Consumers
Application
Front End
Endpoint Enforcement
Centralized Data Transit Enforcement Points
Stores: Points
Structured and
Unstructured External Consumers Decentralized Data
Stores
What’s Changed? Enforcement points Technical Translation Problem: How to

and data consumers are roughly reliably test a given data set for membership
the same; however, a new actor in a “unit of information” (e.g. how to
introduced: “Data” verifiably determine if a given mass of bits is
Quantization Problem: How to group “source code”)
data elements into units of information Policy Construction Problem: How to
relevant to the business? scalable build policy for data flows across a
large environment?
BRKSEC-2001

14330_04_2008_c1.scr
Mobile Data Continues: PC on a Stick
New “smart drives” and other similar technology extending
the existing threats to data posed by portable storage
devices
Devices carry a virtual computing environment in a
secure storage, typically plugged in via USB to any
open computer
All workspace, preference, and data information is kept
within the device, but computing resources of the host
machine are used for manipulation and processing
Challenges:
Analogous to SSL VPN security challenges, only now you
can lose the device in a cab
Unknown endpoint environment challenges: keyboard
loggers and splicers, monitor taps, webcams
Malicious software embedded in data or documents
BRKSEC-2001
Trend: Outsourcing
Motivations: Outsourcers have all the potential to

be disgruntled employees in search of revenge, only
more so—outsourcers typically feel less loyalty to the
outsourcing organization
Opportunity: In many organizations, outsourcers are
given full intranet access
Considerations:
How do you balance the need to access required applications while
providing necessary controls to mitigate risk?
When negotiating contracts, are there any provisions for data security
and integrity? Are there any provisions to audit the security posture?
What legal recourses does the organization have in the event of
compromise? Jurisdictional issues, liability and responsibility, etc.
BRKSEC-2001

14330_04_2008_c1.scr
Trend: Distributed Workforce
De-perimeterization is real
True “federated” security systems are a long ways off yet
Layers of defense and policy enforcement are critical

Drop bad traffic as close to the source as possible, but ensure
you’ve
got at least a couple of “last lines of defense”
Costs and risks to data integrity should be a part of any

calculation to adopt new business practices
There may be hidden costs that are not well understood
People and Processes Key to Mitigate Risk

User awareness and effective business processes are as
important to technology solutions
BRKSEC-2001
Coping with Threats
Conclusion and Recommendations
BRKSEC-2001

14330_04_2008_c1.scr
What’s My Exposure?
Appropriate Risk Mitigation
Risk is at the core of all
security policy decisions
With emerging threats,
Level of Mitigation
there’s always something
out there that can affect Risk Averse
your business
Effective understanding Risk Tolerant
of business risk is critical
to determining priorities in
your response plan
Level of Risk Aversion
The Challenge: Every
application is business
critical to someone
BRKSEC-2001
Example: Network-Based
Structured Data Controls
Credit Card Credit Card

1234-5678-9012-3456 Mask XXXX-XXXX-XXXX-3456
Social Security Social Security
123-45-6789 Mask XXX-XX-XXXX
Driver’s License Driver’s License
A123456 Block A123456
Employee ID Employee ID
S-924600 Mask XXXX
Patient ID Patient ID
134-AR-627 Block 134-AR-627
Request
Response
Cisco AVS 3100
BRKSEC-2001

14330_04_2008_c1.scr
Tackling Malware:
Solutions Across the Network
Remote/Branch Office
Data Center
Management
Network
Internet
Connections
Corporate Network
Internet
Corporate
LAN Business
Remote Access Partner
Systems Access
Extranet
Connections
BRKSEC-2001
Tackling Malware:
Solutions Across the Network
Remote/Branch Office
Data Center Endpoint Protection
Infection prevention:
STOP Cisco Security Agent
Management
Infection remediation:
Network GO desktop anti-virus;
Microsoft and other anti-
spyware SW
Internet
Connections
Corporate Network
Internet
STOP
Corporate Network-Based
LAN Business
Content Control
GO Remote Access Partner
Multi-function
Systems Access security devices
GO
Firewalls
STOP
Network Admission Extranet
Control Intrusion prevention
GO Connections
systems
Ensure endpoint
policy compliance Proxies
BRKSEC-2001

14330_04_2008_c1.scr
Mitigating Risk of Data Leakage:
Basic Steps
1. Protect Non-managed Machines: Remote access (employee, partner,
and vendor) from non-managed machines pose a serious risk.
Deploy protection technology in your remote access systems such as
Cisco Secure Desktop in the Cisco ASA 5500
2. Deploy Network-based Structured Data Controls: Data elements
such as Credit Card numbers or SSNs can be monitored and
controlled in return traffic using application firewalls (such as AVS
3100)
3. Lockdown Managed Endpoints: Lock down removable media
systems, such as USB ports and CD burners, using Cisco
Security Agent
4. Application Access Control: Enforce “need to know” access control
policies in the network at transit control points (e.g. in firewalls)
5. Content Inspection Services: Build out a network-wide sensor grid for
visibility and audit. Primary focus areas: email; instant messaging
BRKSEC-2001
Incident Response Basics

Incident Response Life Cycle Most important step:
Step 1
Pre-Incident Second most important step:
Planning
Step 5
1
Most commonly skipped step:
Post-Incident Step 1
Policy and Detection
Process 5 2 and Analysis Second most commonly
Analysis skipped step:
Step 5
4 3
Containment
Recovery
and Control
Adapted from reports at www.gartner.com and www.securityfocus.com

BRKSEC-2001

14330_04_2008_c1.scr
What Should I Do?
Process, process, process:

Implement strong processes up front, document them,
and use them
User education campaigns:

Ensure there is an end-user education component of your
broader information security strategy
Make effective use of technology:

Technology exists to mitigate much of your risk of exposure
to new threats—make sure you’re using what’s available
BRKSEC-2001
Technology Recommendations
Stay informed: Subscribe to a threat

information service
A cost effective way to stay on top of things
Stay informed: Actually read the information

coming from your threat information service
Summaries are quick
Utilize your infrastructure

Use tools that you already have available
BRKSEC-2001

14330_04_2008_c1.scr
Technology Recommendations
Change the game: Deploy NAC

Raise the bar on the level of protection at the internal edge
Develop and implement a complete “incident

response system”
Include technologies like IPS that enable visibility and
protection; ensure you’ve got the tools to help (like MARS)
Get tested! Engage a reputable penetration testing firm
Deploy anomaly technologies

Anomaly detection technologies can catch some emerging
threats before they’re well known
BRKSEC-2001
Intelligence Service Example

Cisco IntelliShield Alert Manager
Threat and Vulnerability
Intelligence Alerting Service
Receive Vital Intelligence that
Is Relevant and Targeted to
Your Environment
Tactical, operational and strategic

intelligence
Vendor neutral
Life cycle reporting
Vulnerability workflow
management system
Comprehensive searchable
alert database
BRKSEC-2001

14330_04_2008_c1.scr
Intelligence Summary Example
Cisco IntelliShield Cyber Risk Reports
A Strategic Intelligence Report

that Highlights Current Security
Activity and Mid-to Long-range
Perspectives
Addresses seven major risk

management categories:
vulnerability, physical, legal, trust,
identity, human, and geopolitical.
The PSARs are a result of
collaborative efforts, information
sharing, and collective security
expertise of senior analysts from
Cisco security services that
include the IntelliShield team
BRKSEC-2001
Utilize Your Infrastructure

Cisco Applied Intelligence Responses
Actionable Intelligence that

Can Be Used on Existing
Cisco Infrastructure
Vulnerability Characteristics
Mitigation Technique Overview
Risk Management
Device-Specific Mitigation
and Identification
Cisco IOS® Routers and Switches
Cisco IOS NetFlow
Cisco ASA, PIX®, and FWSM Firewalls
Cisco Intrusion Prevention System
Cisco Security Monitoring, Analysis,
and Response System
BRKSEC-2001

14330_04_2008_c1.scr
Incident Response and Threat
Prevention Systems
Considerations for Building

CS-MARS CSM a System
Cisco Security Cisco Catalyst®
Agent (CSA) Cisco ASA 5500 Service Monitoring Console:
Adaptive Security Modules
Appliance
A strong monitoring console
Cisco ISR is essential—without that,
Routers
you’re blind
CSA Internet Intranet
Breadth of Network
Control Points:
Have IPS technology ready in
Integrated Data
Monitoring, as many locations as possible,
Branch Correlation, and even if you’re not using it—it’ll
Protection Center
Response
Protection be there when you need it
Day Zero Converged Security Fine-grained Endpoint Control:
Server
Endpoint Perimeter Management
Protection Protection
Protection Ensure your endpoint security
software provides granular use
control, in addition to protective
services
BRKSEC-2001
Some Closing Thoughts

Do not get overwhelmed
Small steps can make a
big difference
Remember, to survive a
bear attack, you don’t
have to be fastest
person…you just need
to be faster than the
next guy
Do not be the least
prepared
BRKSEC-2001

14330_04_2008_c1.scr
Q and A
BRKSEC-2001
Recommended Reading
Continue your Cisco Live

learning experience with further
reading from Cisco Press
Check the Recommended
Reading flyer for suggested
books
Available Onsite at the Cisco Company Store

BRKSEC-2001

14330_04_2008_c1.scr
Complete Your Online
Session Evaluation
Give us your feedback and you could win Don’t forget to activate
fabulous prizes. Winners announced daily. your Cisco Live virtual
account for access to
Receive 20 Passport points for each session all session material
evaluation you complete. on-demand and return
for our live virtual event
Complete your session evaluation online now in October 2008.
(open a browser through our wireless network Go to the Collaboration
to access our portal) or visit one of the Internet Zone in World of
stations throughout the Convention Center. Solutions or visit
www.cisco-live.com.
BRKSEC-2001
BRKSEC-2001

14330_04_2008_c1.scr

Emerging Threats: BRKSEC-2001

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Emerging Threats: BRKSEC-2001

Uploaded by

Copyright:

Available Formats

Emerging Threats

© 2008, Cisco Systems, Inc. All rights reserved. 1

 What? Where? Why?

© 2008, Cisco Systems, Inc. All rights reserved. 2

 Where are Threats?

 Why are there Threats?

© 2008, Cisco Systems, Inc. All rights reserved. 3

Operational Evolution of Threats

End-User No End-User “Help-Desk” Aware—

© 2008, Cisco Systems, Inc. All rights reserved. 4

End-User No End-User “Help-Desk” Aware—

© 2008, Cisco Systems, Inc. All rights reserved. 5

 Evolution of Hacker Motivation

© 2008, Cisco Systems, Inc. All rights reserved. 6

= Major Media Event

 Fame is not all it’s cracked up to be

 People are prepared for what they know

© 2008, Cisco Systems, Inc. All rights reserved. 7

End-User No End-User “Help-Desk” Aware—

No Longer the Lone Hacker

 Hackers are forming development teams to work on

© 2008, Cisco Systems, Inc. All rights reserved. 8

 Group develops custom malcode

Cybercrime Industry: In the Past

Writers Asset End Value

Tool and Toolkit Compromise Fame

© 2008, Cisco Systems, Inc. All rights reserved. 9

Malware Writers Espionage

$$$ Flow of Money $$$

Cybercrime Industry: Hosting Services

 Hosting services are for sale as part of the total

© 2008, Cisco Systems, Inc. All rights reserved. 10

 Malcode that is designed to bypass virus scanners

Large Scale Worms

© 2008, Cisco Systems, Inc. All rights reserved. 11

Large Scale Worms

 Controlling the Botnet:

 Further Example as a Case Study

© 2008, Cisco Systems, Inc. All rights reserved. 12

What about Spyware?

 A Trojan by any other name—

 Rise of intelligent spyware

© 2008, Cisco Systems, Inc. All rights reserved. 13

 Identity theft continues to be a problem If you’re a target:

 Malicious IP addresses are changing quickly

© 2008, Cisco Systems, Inc. All rights reserved. 14

 People utilizing the emerging threats of today want

Operational Evolution of Threats

End-User No End-User “Help-Desk” Aware—

© 2008, Cisco Systems, Inc. All rights reserved. 15

 Security fad: Month of Bugs

 Application vulnerabilities up 17% from 2006

 Botnets control channels up 57% from 2006

 1,200 new websites per day hosting malware

© 2008, Cisco Systems, Inc. All rights reserved. 16

 Global spam up 50% from 2006, considerable up tick

 One unique phishing scam every 2 minutes in 2007

 Over 10 targeted malcode attacks per day, up from

 163 million records with personal data compromised

Fuzzers in Action—Month of Bugs

 Trend started in Mid 2006 with Month of Browser Bugs

© 2008, Cisco Systems, Inc. All rights reserved. 17

What? Where? Why?

Where are Threats?

Why are there Threats?

Evolution of Hacker Motivation

Fame is not all it’s cracked up to be

People are prepared for what they know

Hackers are forming development teams to work on

Group develops custom malcode

Hosting services are for sale as part of the total

Malcode that is designed to bypass virus scanners

Controlling the Botnet:

Further Example as a Case Study

A Trojan by any other name—

Rise of intelligent spyware

Identity theft continues to be a problem If you’re a target:

Malicious IP addresses are changing quickly

People utilizing the emerging threats of today want

Security fad: Month of Bugs

Application vulnerabilities up 17% from 2006

Botnets control channels up 57% from 2006

1,200 new websites per day hosting malware

Global spam up 50% from 2006, considerable up tick

One unique phishing scam every 2 minutes in 2007

Over 10 targeted malcode attacks per day, up from

163 million records with personal data compromised

Trend started in Mid 2006 with Month of Browser Bugs

Canadian company Diamant Art’s stock price tripled

March 2007 US Securities and Exchange Commission

June 2007, the US F.B.I. announced the arrest of

July 2007, less than one month

December 2007, a security researcher discovers

Last 12 months has seen

Hewlett Packard admits using Pretexting is the act of

Flaw in open source peer-to-peer hub software DC++

Botnets have come into their own

TJX is the parent company for a family of

UK, Ireland, Germany

Attack originated at a Marshalls

WiFi enabled price scanners targeted to get

Initially thought to be 45.6M credit

Nov. ’06 Florida law enforcement claims at least 10

Believed to be responsible for between $68M and

Banks and financial institutions sued

Estimated costs to TJX are over $150M

Every company needs to be concerned

Started as PDF spam in early 2007

Email spam example:

All bots perform

GOZI was a custom made application designed

Originally discovered because a user reported that

Targeted SSL data

Organization ready to code new undetectable malware

Truly a new industry

Automated social engineering

In an effort to convince users to “click here”, malware

Hugely popular social sites (MySpace, Facebook)

“Vishing”—voice way to attempt a phishing scheme

SPIT: SPAM over internet telephony

Researchers in 2007 continued to uncovered many

Documented examples of video file attacks in 2007,