
www.pwc.nl

The Internet – What is out there?
Lunch lecture, Inter-Actief, 25 October 2011, Enschede

Introduction

PwC

2


Introduction
• Information security is a continuous process which allows organizations to have control over their IT security risks, i.e. risks related to the loss of availability, integrity and confidentiality of information.
• Protecting critical business assets
• Organization, technology, humans
• CIA – DAD triad


Introduction
• In 2009 there were 159 recorded incidents of unauthorized access to critical business data by hackers.
• What about the unrecorded incidents?


Developments in security threats and what you can do about it


Developments in security threats
What do we see in practice regarding online security threats?
• Cybercrime (incl. botnets, phishing)
• Malware (incl. viruses, trojans)
• Hacking


Cybercrime
What is cybercrime?

The Council of Europe's Cybercrime Treaty uses the term 'cybercrime' to refer to offenses ranging from criminal activity against data to content and copyright infringement [Krone, 2005].
However, others [Zeviar-Geese, 1997-98] suggest that the definition is broader, including activities such as fraud, unauthorized access, child pornography, and cyberstalking. The United Nations Manual on the Prevention and Control of Computer Related Crime includes fraud, forgery, and unauthorized access [United Nations, 1995] in its cybercrime definition.


Cybercrime
So cybercrime can cover a very wide range of attacks. Understanding this wide variation in types of cybercrime is important, as different types of cybercrime require different approaches to improving your computer safety. We often see:
• Phishing
• Malware
• Botnets


Example


Phishing
Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users.


Example


Example


Malware
Malware includes:
• Computer viruses
• Worms
• Trojan horses
• Scareware
• Rootkits

... and other malicious software or programs.


Malware

Source: GOVCERT.NL


Malware
Computer viruses: programs that attach themselves to files (.exe, .com), thereby infecting computers. They need human interaction to run.

Worms: self-replicating programs that copy themselves to other computers, making use of network connectivity and known exploits for software vulnerabilities. They run without human interaction.


Malware
Trojan horses: legitimate-looking files that create backdoors on a computer. Trojans often perform a desirable function for the user while opening access to the system without their knowledge.

Rootkits: a rootkit is a program which hides activity and processes on a computer. It is often used in combination with a worm or Trojan horse to conceal their activity.

Interesting read on rootkits:
http://blogs.technet.com/b/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx

Malware


Malware
Scareware: comprises several classes of software with malicious payloads, or payloads of limited or no benefit, that are sold to consumers via certain unethical marketing practices. The selling approach uses social engineering to cause shock, anxiety or the perception of a threat.


Malware world-wide concentrations 2010

Source for this image and the statistics on the following slides: Microsoft's Security Intelligence Report (www.microsoft.com/sir)


Malware – metrics Netherlands 2010


Malware – metrics Netherlands 2010


Botnets
Computers become nodes in a botnet when attackers illicitly install malware that secretly connects the computers to the botnet. They perform tasks such as sending spam, hosting or distributing malware or other illegal files, or attacking other computers. Attackers usually install bots by exploiting vulnerabilities in software or by using social engineering tactics to trick users into installing the malware. Users are often unaware that their computers are being used for malicious purposes.

Botnet software for sale on the black market


Drive-by downloads


Hacking
Detected security breaches Q3 2009 – Q4 2010


Hacking
Wikileaks became world news when it published sensitive information about the war in Afghanistan, including the US airstrike video that killed a dozen people, including reporters and children. Around December 2010 they began releasing 251,000 diplomatic cables; this became known as 'Cablegate'.

The founder of Wikileaks, Julian Assange, is arrested.
Several companies froze activities for Wikileaks.


Hacking
Recent hacks with high impact:


Hacking
Hacker groups are rising in number and activity.

Publishing passwords, internal network schemes and databases to the public.
One hacker group recently disclosed 62,000 credentials, Sony's network scheme, etc.


Hacking
Software vulnerabilities are one of the most important causes for successful hacks. Solution: install patches and updates for operating system and 3rd party software.


Hacking
Trends in security:

• Vulnerabilities are moving towards the web application level
• Loss of data due to cybercrime is a structural problem
• Obsolescence of cryptography is underestimated
• Websites are on the retinas of criminals, disgruntled employees, journalists and competitors
(source: GOVCERT)


Hacking
A penetration test is the process of identifying and actively exploiting vulnerabilities in an information technology environment. Penetration tests…
• should be performed by experienced professionals.
• are much more than an automated vulnerability scan.
• are typically performed by penetration testers with very limited knowledge of the target environment (to emulate common external threats).
• are sometimes referred to as an "attack and penetration study", "pentest", or "ethical hack".
• entail automated and manual testing procedures.
• should be performed on – at least – an annual basis.


Hacking
Internet-based penetration testing
• Security testing focused on Internet-facing corporate resources.
• Goal is to gain access to the "crown jewels" within the internal network via Internet-facing resources.
• Most companies have publicly accessible network address space.
• Validation of the IP address ranges supplied by the client and network footprint scanning.
• Examine the weaknesses found, analyze susceptibility to attacks, and attempt to exploit vulnerabilities.

Wireless penetration testing
• Security testing focused on the wireless environment.
• Goal is to gain access to the "crown jewels" in the internal network via the wireless infrastructure.
• Wireless networks have become very common and pose significant security risks.
• Wireless access point identification and mapping.
• Active penetration testing from publicly accessible areas.

Hacking
Dial-up penetration testing
• Security testing is focused on dial-up devices.
• Goal is to gain access to the "crown jewels" in the internal network via dial-up resources.
• Unauthorized or insecure dial-up devices.
• Automated software to dial the supplied telephone ranges to identify carriers.
• Active penetration testing of identified dial-up devices.

Web application penetration testing
• Security testing is focused on external and internal web-based applications.
• Goal is to gain privileged access to the application or to gain access to other users' data within the application.
• Supplied varying profiles or access levels.
• Focused on application-level vulnerabilities (OWASP).

Hacking
Physical security controls testing
• Security testing is focused on gaining physical access to corporate facilities, data centers, or other secured locations.
• Typically involves an element of social engineering.

Internal penetration testing
• Security testing is focused on internal systems, applications, databases, and network infrastructure.
• Goal is to gain access to the "crown jewels" within the internal network.
• Testing performed on the internal network perimeter, simulating threats posed by employees and third parties with physical access to the facility.
• Performed according to the same methodology and approach as the Internet-based penetration testing phase.


Vulnerability scanner


Application vulnerabilities OWASP Top 10

Source: The Open Web Application Security Project (OWASP) – https://www.owasp.org/

Application vulnerabilities OWASP Top 10


OWASP application level scanner


The anatomy of a security quick scan


Anatomy of a security quick scan
Example quick scan performed on:
• Firewall
• Website
• Windows 2003 servers


Approach
First, we've looked at the filtering of the firewall, e.g. what entry points are open and which routes are blocked?


Firewall – external at service provider
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        ProFTPD 1.3.1
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
106/tcp  open  pop3pw     poppassd
110/tcp  open  pop3       Courier pop3d
143/tcp  open  imap       Courier Imapd (released 2004)
443/tcp  open  ssl/http   Apache httpd 2.0.52 ((CentOS))
465/tcp  open  ssl/smtp   qmail smtpd
993/tcp  open  ssl/imap   Courier Imapd (released 2004)
995/tcp  open  ssl/pop3   Courier pop3d
3306/tcp open  mysql      MySQL 4.1.22
5432/tcp open  postgresql PostgreSQL DB 7.4.12 - 7.4.25
8443/tcp open  http       Apache httpd

So what? What's the problem with this?
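To make the "so what" concrete, here is an added example (not from the original slides) that parses scan output in the layout above and flags the services a firewall review would question first: database listeners reachable from the Internet and services that carry logins in cleartext. The scan text is a constructed copy of the slide's findings, and the review policy (which services count as exposed) is an assumption made for this example.

```python
import re

# Constructed copy of the scan output shown on the slide (sample input, not the original scan file).
SCAN_OUTPUT = """\
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        ProFTPD 1.3.1
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
106/tcp  open  pop3pw     poppassd
110/tcp  open  pop3       Courier pop3d
143/tcp  open  imap       Courier Imapd (released 2004)
443/tcp  open  ssl/http   Apache httpd 2.0.52 ((CentOS))
465/tcp  open  ssl/smtp   qmail smtpd
993/tcp  open  ssl/imap   Courier Imapd (released 2004)
995/tcp  open  ssl/pop3   Courier pop3d
3306/tcp open  mysql      MySQL 4.1.22
5432/tcp open  postgresql PostgreSQL DB 7.4.12 - 7.4.25
8443/tcp open  http       Apache httpd
"""

# One service line: "<port>/<proto> <state> <service> [<version ...>]"
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Review policy (assumed for this example): what an external firewall should not expose.
DATABASE_SERVICES = {"mysql", "postgresql"}          # belong behind the application tier
CLEARTEXT_AUTH = {"ftp", "pop3", "pop3pw", "imap"}   # logins cross the wire unencrypted

def parse_scan(text):
    """Return one dict per service line; the header and blank lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            findings.append({"port": int(port), "proto": proto, "state": state,
                             "service": service, "version": version.strip()})
    return findings

def review(findings):
    """Return (port, reason) for every open service the policy flags, in port order."""
    issues = []
    for f in sorted(findings, key=lambda f: f["port"]):
        if f["state"] != "open":
            continue
        if f["service"] in DATABASE_SERVICES:
            issues.append((f["port"], "database listener exposed to the Internet; restrict or close"))
        elif f["service"] in CLEARTEXT_AUTH:
            issues.append((f["port"], "cleartext credentials; keep only the ssl/ variant"))
    return issues
```

Running `review(parse_scan(SCAN_OUTPUT))` on this input flags six of the twelve listeners; the ssl/ variants and the web servers pass this first filter and are left to the vulnerability scan in the next step.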

Firewall – external at service provider
(same scan output as on the previous slide, with the services grouped)
• E-mail server
• Secure e-mail
• Databases


Approach
The open ports are found, now let's see if there are any known vulnerabilities for the listening services. We have done this by using a vulnerability scanner.


Vulnerability scanner


Vulnerability scanner


Approach
Next, we have analyzed the website for known vulnerabilities according to the OWASP list. We have done this by using an application layer vulnerability scanner.


Vulnerabilities with high risk on the website:
• Outdated software (Apache, PHP)
• Cross site scripting (XSS)
• Injection flaws

Can lead to:
• Unauthorized access
• Website defacement (reputational damage)
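As an added illustration of the "injection flaws" item (example code, not from the original slides): the same user lookup written once with string concatenation and once with a bound parameter, run against a constructed in-memory SQLite table, so the difference in returned rows can be observed directly.

```python
import sqlite3

def make_db():
    # Constructed in-memory users table with sample rows (not data from the scanned site).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def lookup_vulnerable(conn, name):
    # Injection flaw: the input is spliced into the SQL text, so a quote
    # character in `name` ends the literal and the rest is parsed as SQL.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, name):
    # Hardened form: the driver binds the value; the query text is fixed,
    # so the same input is compared as an ordinary string and matches nothing.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]

def compare(name):
    # Run both variants on the same input; returns (vulnerable_rows, parameterized_rows).
    conn = make_db()
    return lookup_vulnerable(conn, name), lookup_parameterized(conn, name)
```

With a normal name both variants agree; with input containing a quote, the concatenated query returns every row while the parameterized one returns none, which is the behaviour a code review or application scanner looks for.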


SQL manipulation


SQL manipulation


Internal servers


Internal servers
Most important recommendations for the Windows platform:
• Password settings can be strengthened
• Audit settings can be improved
• Available services on servers can be more restrictive


Questions?

Damiën Meijer Manager

PwC
088 - 792 58 77 damien.meijer@nl.pwc.com

© 2011 PwC. All rights reserved. Not for further distribution without the permission of PwC. "PwC" refers to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way. No member firm is responsible or liable for the acts or omissions of any other member firm nor can it control the exercise of another member firm's professional judgment or bind another member firm or PwCIL in any way.