Emerging and Evolving threats Philippe Roggeband Emerging Markets, Security Product Manager proggeba@cisco.com
Session Objectives • Review changes in purpose behind IT attacks • Understand how these changes affect the behavior of new attacks • Identify potential protections against this new generation of attacks
Agenda • Trends in Motivation • Existing threats and Lessons from the Past • New Threats • Non-Electronic Threats • Coping with Threats: Conclusions and Recommendations
What? Where? Why? • What is a Threat? • A warning sign of possible trouble • Where are Threats? • Everywhere you can, and more importantly cannot, think of • Why are there Threats? • The almighty dollar (or euro, etc.): the underground cyber crime industry grows with each year
Examples of Attacks • Targeted Hacking • Malware Outbreaks • Economic Espionage • Intellectual Property Theft or Loss • Network Access Abuse • Theft of IT Resources
Where Can I Get Attacked? • Operating System • Network Services • Applications • Users • Anywhere, Everywhere
Operational Evolution of Threats (diagram reconstructed from slide text) • Threat evolution: Emerging Threat → Unresolved Threat → Nuisance Threat • Policy and process definition: Reactive Process → Socialized Process → Formalized Process • Reaction/mitigation technology evolution: Manual Process → Human “In the Loop” → Automated Response • End-user awareness: No End-User Knowledge → “Help-Desk” Aware (know enough to call) → End-User Increasingly Self-Reliant • Vertical axes: Operational Burden; Support Burden • Callouts: Nuisance threats are the largest volume of problems and the focus of most day-to-day security operations; emerging and unresolved threats are the “new”, unknown, or problems we haven’t solved yet
Trends in Motivations: The Threat Economy
Threat Economy: In the Past (diagram reconstructed from slide text: Writers → Asset → End Value) • Writers: tool and toolkit writers; malware writers (viruses, worms, Trojans) • Asset: compromise of an individual host or application; compromise of an environment • End value: fame; theft; espionage (corporate/government)
Threat Economy: Today (diagram reconstructed from slide text: Writers → First Stage Abusers → Second Stage Abusers / Middle Men → End Value) • Writers: tool and toolkit writers; malware writers (worms, viruses, Trojans, spyware) • First stage abusers: hacker/direct attack (compromised host and application); machine harvesting (bot-net creation); information harvesting (personal information) • Second stage abusers and middle men: extortionist/DDoS-for-hire (extorted pay-offs); spammer; bot-net management (for rent, for lease, for sale); phisher; pharmer/DNS poisoning; information brokerage • End value: fame; theft; espionage (corporate/government); commercial sales; fraudulent sales; click-through revenue; financial fraud; identity theft • Also shown: internal theft (abuse of privilege) leading to electronic IP leakage
Old (and Unresolved) Threats • Worms and Viruses • Botnets • Spam • Spyware • Phishing, Pharming, and Identity Theft • Application Security
Threats to Your Users: Worms and Viruses • 2006 - Not a big year in worms and viruses…Why? • Opportunity shrinking • Motivation changing
WMF Vulnerability: Timeline • Dec 27, 2005: discovery date of vulnerability • Dec 28, 2005: original vulnerability published by Microsoft • “Vulnerability in graphics rendering engine could allow remote code execution”—critical rating • At announcement, exploits were already in progress • Microsoft indicates patch will be rolled into the next patch event (Jan 10, 2006) • Dec 31, 2005: emergence of a third-party patch: • A third-party patch that disables the use of custom abort code becomes available (at www.hexblog.com/2005/12/wmf_vuln.html) • Jan 5, 2006: Microsoft releases patch early: • www.microsoft.com/technet/security/advisory/912840.mspx • www.microsoft.com/technet/security/bulletin/ms06-001.mspx
Worm of the Year 2005: The Story of Zotob • Microsoft announced the PnP vulnerability in multiple Windows versions (though most pronounced in Windows 2000) on August 9, 2005 • Flaw in how the PnP service handles malformed messages containing excessive data • Zotob.A first appeared on August 14; Zotob variants still appearing • Self-propagating worm; code has been modified countless times for further propagation • Two kinds of modifications appeared: • Evolution: enhancements made to defeat counter-measures implemented on early versions • Infighting: later versions taking advantage of weaknesses in early versions to supplant them with newer versions
Evolution of Zotob 2006: What Is a Variant? • Zotob.X reported Feb 6, 2006 • Fixed some crash problems • New propagation vector: sets up its own SMTP server and emails copies of itself to addresses in WAB and other well-known system files (note: does not need Outlook or another email client to run) • IRC channel set up to a different server (Zotob.A connected to diabl0.turkcoders.net; Zotob.X connected to rax.r0flz.be) Source: http://www.trendmicro.com
Resurgence of Botnets • Botnet: a collection of compromised machines running programs under a common command and control infrastructure • Building the Botnet: • Viruses, worms; infected spam; drive-by downloads; etc. • Controlling the Botnet: • Covert channel of some form • Using a Botnet to Send Spam • A botnet operator sends out viruses or worms, infecting ordinary users’ Windows PCs • The PCs log into an IRC server or other communications medium • A spammer purchases access to the botnet from the operator • The spammer sends instructions via the IRC server to the infected PCs, causing them to send out spam messages to mail servers Source: www.wikipedia.org
Zotob Secrets Revealed: All About the Money • Zotob created by Diabl0, otherwise known as Farid Essebar • Essebar was a small-time adware/spyware installer, using Mytob to infect machines and install adware for money • Diabl0 integrated publicly available proof-of-concept exploit code for the PnP vulnerability into an existing Mytob variant • FBI has said they hold evidence that Essebar was paid by Atilla Ekici (“Coder”) with stolen credit card numbers to build Mytob variants, as well as Zotob • On Aug 25, 2005, Essebar was arrested in Morocco, and Ekici in Turkey Key Question: Why Were They Caught? • Consensus answer: Essebar was clumsy • Due to lack of experience, Zotob got out of hand and got too much attention—largely because it accidentally infected some major institutions (CNN, CIBC, others) • In other words: had they been smarter and stealthier, they’d likely never have been caught Source: http://www.securityfocus.com/news/11297
What About Spyware? • Still a major threat • Drive-by downloads still a major source of infestation • Image-based vulnerabilities in particular enable this (WMF and jpg vulnerabilities are good examples) • However, confusing or misleading EULAs still a problem • A Trojan by any other name— • Spyware is increasingly indistinguishable from certain classes of virus • Nasty race condition: sheer number of variants makes it very difficult for technology solutions to hit 100% accuracy at a given moment • Rise of intelligent spyware • Directed advertising is more valuable than undirected • More sophisticated spyware matches user-gathered data with directed advertising • Bot-based spyware is also more valuable, as it can be updated over time
Phishing, Pharming, and Identity Theft (diagram reconstructed from slide text: phishing lures the user with unsolicited email, “Come see us at www.mundo-bank.com”, pointing at the attacker’s host 172.168.254.254 instead of the real MUNDO-BANK.COM; pharming redirects the user by DNS poisoning or a hosts-file entry “mundo-bank.com = 172.168.254.254”, while regular online banking resolves to 172.168.1.1) • Identity theft continues to be a problem • Phishing scams growing in sophistication every day • Protecting your users: implement some technology, but don’t forget user education!! • If you’re a target: • Consider “personalization” technologies (e.g. user-chosen images on a webpage) • Support identified mail initiatives, like DKIM
Identifying the Command & Control (spam operation pyramid, from the top down) • One support website • One pharmacy • One merchant account • 10-15 unique site designs • 100’s of web servers • 1,000’s of URLs • 10,000’s of message variants • Billions of messages • 100,000’s of zombies
Tackling Malware: Solutions Across the Network (network diagram: remote/branch office, data center, management network, Internet connections, corporate network and corporate LAN, business partner access, remote access systems, extranet connections) • Endpoint Protection: • Infection prevention: Cisco Security Agent • Infection remediation: desktop anti-virus; Microsoft and other anti-spyware SW • Network-Based Content Control: • Multi-function security devices • Firewalls • Intrusion prevention systems • Proxies • Network Admission Control: • Ensure endpoint policy compliance
Application Security: The New Black • Application Access Control: • Control application usage by protocol semantics, not L4 port number • e.g. Kazaa tunneled over port 80 is not HTTP • Application Use Control: • Control how an application is used, not just who’s allowed to access it • Application-Layer Attacks: • Zero-day threat defense through RFC, standards, and BCP conformance • Processing of application semantics and grammar is an essential component of access control and attack protection (example decision shown on the slide: From/To; Protocol: FTP; User: Jenn in Finance; RFC Compliant: Yes; Command: GET; BCP Compliant: Yes; File: payroll.xls)
Application Security: Server-Side Attacks • Attacks on application infrastructure continue, largely on “custom applications” (75% of attacks at the application layer target custom apps) • Web front-ends continue to be vulnerable, largely due to lack of implementation of solutions Popular Attacks • Injection attacks: manipulating a backend system by injecting commands and/or code into fields in a front-end query system • SQL injection is the most famous form—injects SQL commands into fields in a web page • Cross-site scripting: malicious gathering of data from an end-user by injection of a script into a web page • Often-times links to an offsite malicious web page • Cookie tampering: manipulation of session information stored in a cookie • Allows manipulation of the session, even when input validation is used in the application
Simple SQL Injection Attack (path: ingress to the data center/DMZ → web front-end → application server → database layer)
Web App Login Code:
    SQLQuery = "SELECT Username FROM Users WHERE Username = '" & strUsername & "' AND Password = '" & strPassword & "'"
    strAuthCheck = GetQueryResult(SQLQuery)
    if strAuthCheck = "" Then
        boolAuthenticated = False
    else
        boolAuthenticated = True
    end if
Simple Attack Login: Username: ' OR ''='   Password: ' OR ''='
Actual Manipulated Query: SELECT Username FROM Users WHERE Username = '' OR ''='' AND Password = '' OR ''=''
Result: Username: Nothing = Nothing (TRUE); Password: Nothing = Nothing (TRUE) → Return First Username from List and Successfully Authenticate
Remember This Attack—It’ll Come Back Later Source: http://www.securityfocus.com/infocus/1768
Responding to Server-Side Attacks • Deploy network-based application firewall technologies (like AVS 3100) at the ingress to the data center/DMZ to mitigate these attacks in the network • However, reducing vulnerability is as much about process as it is technology • Secure coding is a must; application development teams must be mandated to use secure coding tools and processes
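To make the login attack on the previous slide and the secure-coding recommendation concrete, here is an added Python example (not code from the deck or from Cisco) that runs the deck's login query both ways against a constructed in-memory SQLite table: string-concatenated as in the ASP snippet, and with bound parameters. The user names and passwords are constructed sample data.

```python
import sqlite3

# Constructed sample user table; not data from the original deck.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# The deck's attack input: closes the string literal, then adds OR ''=' so that
# the server's own closing quote completes a tautology.
INJECTION = "' OR ''='"


def make_db():
    """In-memory database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_query(username, password):
    """String concatenation exactly like the deck's login code."""
    return ("SELECT Username FROM Users WHERE Username = '" + username +
            "' AND Password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Deck's logic: an empty result means not authenticated, any row means authenticated."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: bound parameters keep user input out of the SQL text,
    so the quotes in the attack string are compared as data, not parsed as SQL."""
    query = "SELECT Username FROM Users WHERE Username = ? AND Password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(INJECTION, INJECTION))
    print("vulnerable   :", login_vulnerable(db, INJECTION, INJECTION))
    print("parameterized:", login_parameterized(db, INJECTION, INJECTION))
```

The concatenated version returns the first user in the table for the attack input; the parameterized version returns nothing.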
New Threats • RFID Threats • Service-Oriented Architectures • Voice over IP Threats • Device Proliferation and Mobile Devices • Outsourcing • Distributed Workforce • Connected Home
Intro to RFID • What is RFID? • Transponder: tiny computers, often without a battery—they are powered inductively by their readers • Readers: scanning devices that wirelessly power and interact with RFID tags • Application back-end: middleware, app servers, networking, etc. • What’s so special about RFID? • Miniature size and cost (<10 cents/tag) enables active computer elements in applications never before possible: • Supply chain management; document control; smart shopping; health care; physical access control, etc. RFID Chip Examples: Library Application Chips for Books, CDs, and VHS Cassettes Source: http://en.wikipedia.org/wiki/RFID
XML Security: Basis of the Threat • Motivation: • Direct links into back-end systems look promising for theft • “Newness” of systems may mean less security in place to prevent secondary compromise (e.g. using the systems as a launch point for further attacks) • Opportunities: • Identity management: slow adoption of federated identity systems may lead to identity spoofing opportunities between systems • Poorly understood problem set: the industry is still learning where the major vulnerabilities and risk areas are • Web services are “cool”: unnecessary deployments of web services by app developers looking to expand their resume are likely not paying enough attention to security concerns • Risk magnification: with shared code in an SOA, a vulnerability in one piece of code may affect multiple applications
Well Known RFID Threats • Sniffing: casual reading of tags by a surreptitious, standards-compliant reading device • Tracking: using knowledge of tag-to-identity mappings to track the physical location of a user • Spoofing: cloning a tag to masquerade as the owner of the tag (e.g. payment systems, physical access) • Replay attacks: replay the results of a previous tag query (e.g. passport control) • Denial of service: blocking either the reader or the tag from functioning correctly (e.g. signal blocking or jamming) Source: http://www.rfidvirus.org/index.html
RFID Threats: Power Analysis • Power Analysis: extract information about a crypto-system by studying its physical implementation. • The power required is roughly proportional to the number of bits changing at a given time • When coupled with physical implementation details (e.g. knowledge of specs), enables the sophisticated attacker to reduce the effectiveness of crypto systems • Typically requires physical connectivity to a device • Oren and Shamir demonstrated an attack using power analysis that did not require physical connectivity to the tag • Extracted the tag’s “Kill password”, and confirmed the ability to kill a tag • Attacked a UHF Class 1 Gen 1 tag, but believe the attack is extensible to other currently shipping tags • Believe it’s possible to build an attack tool into a cell phone (freq similarities) • Paper presented at RSA 2006 Source: http://www.wisdom.weizmann.ac.il/%7Eyossio/rfid/
Power Analysis Example: Killing Tags at Checkout (diagram labels: Old and Slow; New and Fast; RFID Reader; Kill Using This Attack; Result: Free Food) • One idea for use of RFID tags is to use them to eliminate retail checkouts • Tags will be scanned as you exit the store—you simply enter your payment info, and go on your way • Killing tags would cause the system to avoid charging you • Responding to this threat: lots of theory on foiling power analysis attacks; RFID vendors need to update chip implementations to prevent the attack
New Threats in Application Security:XML and Service Oriented Architectures What is an SOA? • Interlinked system of services, communicating with a standard methodology (XML, SOAP, etc) – “Web services” • Enables “systems of systems”; tying together disparate backend application systems into a cohesive whole Major Security Considerations: • Directly exposes the application tier to external entities for the first time • Security concerns involve both access control problems (based on strong or weak identity credentials), as well as new attack types (“X-malware”, “X-DoS”, etc) • Enables new security capabilities for integrity and confidentiality: field-level encryption services; document signing; content transformation services, etc. • Not “new” this year per se, but starting to hit critical mass
Sample SOA and XML Attacks • XML DoS: • Typically attacks against the XML parser infrastructure • Recursive inputs or overly large documents can cause an availability DoS by taking the parser offline • Special characters in unvalidated inputs can confuse/disrupt parser operations • Injection / Scripting attacks: • Injection attacks are carried over from Web applications • Target new areas (XPATH, etc) • X-Malware • Still largely theoretical (likely due to limited large scale deployment of Web Services), but certain to appear
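As an added example (not from the deck), the following Python code shows the parser-side limits that defend against the XML DoS inputs listed above: it refuses oversized documents, nesting past a depth limit, and DOCTYPE declarations (where entity expansion is declared) before the parser spends resources on them. The limits and the sample messages are assumptions constructed for this example.

```python
import xml.parsers.expat

# Assumed limits for this example; tune them to the service's real message sizes.
MAX_DEPTH = 32
MAX_BYTES = 1_000_000


class RejectedXML(Exception):
    """Raised when a document violates a resource-use limit before it is processed."""


def parse_with_limits(data, max_depth=MAX_DEPTH, max_bytes=MAX_BYTES):
    """Stream-parse `data` with expat, enforcing size, nesting and DOCTYPE limits.

    Returns the element count and maximum depth for a document that passes.
    """
    if len(data) > max_bytes:
        raise RejectedXML("document larger than %d bytes" % max_bytes)

    parser = xml.parsers.expat.ParserCreate()
    stats = {"elements": 0, "max_depth": 0}
    depth = [0]

    def start_element(name, attrs):
        depth[0] += 1
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], depth[0])
        if depth[0] > max_depth:
            # Recursive input: stop before the element stack grows any further.
            raise RejectedXML("nesting deeper than %d" % max_depth)

    def end_element(name):
        depth[0] -= 1

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Entity declarations live in the DOCTYPE; refusing it blocks entity expansion.
        raise RejectedXML("DOCTYPE declarations are not accepted")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.StartDoctypeDeclHandler = start_doctype
    parser.Parse(data, True)  # exceptions raised in handlers propagate out of Parse
    return stats


def check_document(data, max_depth=MAX_DEPTH, max_bytes=MAX_BYTES):
    """Ingress-point wrapper: returns (accepted, reason) instead of raising."""
    try:
        stats = parse_with_limits(data, max_depth, max_bytes)
    except RejectedXML as exc:
        return False, "rejected: %s" % exc
    except xml.parsers.expat.ExpatError as exc:
        return False, "malformed: %s" % exc
    return True, "ok: %d elements, depth %d" % (stats["elements"], stats["max_depth"])


# Constructed sample messages.
BENIGN_DOC = b"<order><item><sku>ABC-1</sku></item></order>"
DEEP_DOC = b"<a>" * 40 + b"</a>" * 40                        # recursive input past the limit
ENTITY_DOC = b'<!DOCTYPE x [<!ENTITY e "e">]><x>&e;</x>'    # DOCTYPE carrying an entity


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("deep", DEEP_DOC), ("entity", ENTITY_DOC)):
        print(label, check_document(doc))
```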
New Threat: Voice over IP Threats Gartner Group Sums It up Best: • “The hype surrounding VoIP threats has, thus far, outpaced actual attacks” Thoughts on Why: • Opportunity: well understood business risk is promoting integration of security technologies in voice deployments • Opportunity: limited pool of technical experts on voice within attacker community • Motivation: no well-established business model driving financial incentives to attack
Voice Security Opportunities Old World Voice Incentives • Toll-fraud: stealing long distance • No real applicability to VoIP, as there are easier (and legal) methods to get “free” telephony New World Voice Incentives • Eavesdropping: • Earliest attacks focused on this (VOMIT); however, effective deployment of secure voice makes this very difficult (easier to use other means to access info) • SPIT: SPAM over internet telephony • Potential to be a serious annoyance, but significant barriers to this being an effective source of profit • Some are technical, but most involve our current use patterns for telephony (used on a per-phone basis, not in a “list” format) • Denial of service • Disgruntled employees or extortionists may target the voice infrastructure by a variety of mechanisms
New Threat: Proliferation of Devices The Challenge • New types of devices are joining the network: hand-helds, smart phones, cameras, tools, physical security systems, etc. • Diversity of OSs: more devices means more operating systems and custom applications • Embedded OSs: process controllers, kiosks, ATMs, lab tools, etc. • IT department often not involved in procurement—little attention paid to security • For example, one environment got hacked from an oscilloscope Opportunities for Attack • Attacks on the back-end: all of these systems provide an ingress point into some form of back-end system; both the method of communication and the device itself are targets • Attacks on the device: proliferation leaves many opportunities for taking control of a system • Attacks on data: sensitive data is becoming increasingly distributed and uncontrolled
Mobile Device Attacks: Symbian Trojans and BlueTooth Viruses Mobile attack for profit • March 2006: Java/RedBrowser.A Trojan infects Symbian phones • Requires user installation (in Russian) • Once installed, trojan sends an SMS to a premium rate number and automatically sends an authority that they can charge you • Charge is five dollars per SMS (ouch!) Bluetooth Virus • CommWarrior virus does nothing but spread over Bluetooth and MMS (and rack up charges as a result) • New variants appearing throughout 2005 and 2006 • If your phone was in range, you would receive a message asking “Install CommWarrior, yes or no?” If you say no, you’ll be asked again immediately if you’re still in range. • Many infestations happened simply to get rid of the messages Source: http://www.vnunet.com/vnunet/news/2154728/bluetooth-virus-leaves-mobile
Attacks on Data: Data Leakage • One of the year’s “Hot Topics” • Broad term encompassing multiple different challenges: • Security of Data at rest • Security of Data in motion • Identity-based access control • Both malicious and inadvertent disclosures • Issue has become topical typically for “Compliance” reasons • However, broader topic involves business risk management • How do I avoid inadvertent disclosures? • How do I protect my information assets from flowing to my competitors? • How do I avoid ending up in the news?
Mitigating Risk of Data Leakage: Basic Steps • Protect Non-managed Machines: Remote access (employee, partner, and vendor) from non-managed machines poses a serious risk. Deploy protection technology in your remote access systems such as Cisco Secure Desktop in the Cisco ASA 5500 • Deploy Network-based Structured Data Controls: Data elements such as credit card numbers or SSNs can be monitored and controlled in return traffic using application firewalls (such as AVS 3100) • Lock Down Managed Endpoints: Lock down removable media systems, such as USB ports and CD burners, using Cisco Security Agent • Application Access Control: Enforce “need to know” access control policies in the network at transit control points (e.g. in firewalls) • Content Inspection Services: Build out a network-wide sensor grid for visibility and audit. Primary focus areas: email; instant messaging
Example: Network-Based Structured Data Controls (Cisco AVS 3100 inspects the response to each request and masks or blocks structured data elements) • Credit Card: 1234-5678-9012-3456 → XXXX-XXXX-XXXX-3456 (MASK) • Social Security: 123-45-6789 → XXX-XX-XXXX (MASK) • Driver’s License: A123456 (BLOCK) • Employee ID: S-924600 → XXXX (MASK) • Patient ID: 134-AR-627 (BLOCK)
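An added example (not the AVS 3100's configuration or any Cisco code) of the structured-data control the table above describes, in Python: a policy of patterns with MASK or BLOCK actions applied to server response bodies on their way back to the client. The regular expressions, the choice to withhold a whole response on any BLOCK match, and the sample responses are constructed assumptions.

```python
import re

# Policy table modelled on the deck's table. Patterns and actions are this
# example's assumptions, not the AVS 3100's actual configuration.
POLICY = [
    # (data type, pattern, action, replacement used for MASK)
    ("Credit Card", re.compile(r"\b\d{4}-\d{4}-\d{4}-(\d{4})\b"), "MASK",
     lambda m: "XXXX-XXXX-XXXX-" + m.group(1)),   # keep the last four digits
    ("Social Security", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "MASK",
     lambda m: "XXX-XX-XXXX"),
    ("Driver's License", re.compile(r"\b[A-Z]\d{6}\b"), "BLOCK", None),
    ("Employee ID", re.compile(r"\bS-\d{6}\b"), "MASK", lambda m: "XXXX"),
    ("Patient ID", re.compile(r"\b\d{3}-[A-Z]{2}-\d{3}\b"), "BLOCK", None),
]


def filter_response(body):
    """Apply the policy to one server response body.

    Returns (verdict, body_to_deliver, matched_types). Any BLOCK match withholds
    the whole response; otherwise every MASK pattern is rewritten in place and
    the verdict is MASK if anything changed, ALLOW if nothing matched.
    """
    matched = [name for name, rx, _, _ in POLICY if rx.search(body)]
    blocked = [name for name, rx, action, _ in POLICY
               if action == "BLOCK" and rx.search(body)]
    if blocked:
        return "BLOCK", "", matched
    out = body
    for _, rx, action, repl in POLICY:
        if action == "MASK":
            out = rx.sub(repl, out)
    verdict = "MASK" if out != body else "ALLOW"
    return verdict, out, matched


# Constructed sample responses, one per row of the deck's table plus a clean one.
SAMPLES = [
    "Credit Card 1234-5678-9012-3456",
    "Social Security 123-45-6789",
    "Driver's License A123456",
    "Employee ID S-924600",
    "Patient ID 134-AR-627",
    "Order status: shipped",
]

if __name__ == "__main__":
    for body in SAMPLES:
        verdict, delivered, matched = filter_response(body)
        print("%-5s %-35r %s" % (verdict, delivered, matched))
```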
Mobile Data Continues: PC on a Stick • New “smart drives” and other similar technology extending the existing threats to data posed by portable storage devices • Devices carry a virtual computing environment in secure storage, typically plugged in via USB to any open computer • All workspace, preference, and data information is kept within the device, but computing resources of the host machine are used for manipulation and processing Challenges: • Analogous to SSL VPN security challenges, only now you can lose the device in a cab • Unknown endpoint environment challenges: keyboard loggers and splicers, monitor taps, webcams • Malicious software embedded in data or documents
Business Practice Trends:Outsourcing: Opening Your Door to Strangers • Motivations: Outsourcers have all the potential to be disgruntled employees in search of revenge, only more so – outsourcers typically feel less loyalty to the outsourcing organization • Opportunity: in many organizations, outsourcers are given full intranet access • Considerations: • For policy purposes, are outsourcers treated as full employees of the company, or not? • How do you balance the need to access required applications while providing necessary controls to mitigate risk? • When negotiating contracts, are there any provisions for data security and integrity? Are there any provisions to audit the security posture? • What legal recourses does the organization have in the event of compromise? Jurisdictional issues, liability and responsibility, etc.
Business Practice Trends:Home Networking and the Home Office • Rise of serious home networking: Connected home becoming ever more a reality • “Connected Fridge” – with TV fridges a reality, only a matter of time before they’re connected • Home office expectations: Users expect the same services at home that they do in the workplace – e.g. wireless • Blurry line of service: wireless setup for the home office quickly gets used for streaming audio • Challenge: • All these systems are likely connected into the same home network as the home office • Many, many new threat vectors to the business • Organizations increasingly looking at whether it is more cost effective to provide incentives (or services) for home office users to “in office” services in a secure environment
Business Practice Trends: Employees Using Home PCs for Work • Trend amongst some companies to relinquish control over employee workstations • Why: cost savings • Some organizations believe they can save significant dollars by having employees purchase their own laptops • December 2005, Gartner predicted that “by 2008, 10 percent of companies will require employee-purchased notebooks” (0.6 probability) • A number of very large (10,000+ companies) either seriously examining this, or moving to implementation • If your organization is going down this road, strongly consider adding additional layers of defense: • Network Admission Control • Vulnerability management • Content monitoring and filtering • Secure remote access