1 / 33

Top 5 Security Trends for 2010

Top 5 Security Trends for 2010. Noa Bar- Yosef , Security Research Engineer, Imperva. Imperva Background. Focuses on Application Data Security and Compliance Application Defense Center (ADC) Research organization headed by Amichai Shulman Security analysis Vulnerability discovery

monty
Télécharger la présentation

Top 5 Security Trends for 2010

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Top 5 Security Trends for 2010 Noa Bar-Yosef, Security Research Engineer, Imperva

  2. Imperva Background • Focuses on Application Data Security and Compliance • Application Defense Center (ADC) • Research organization headed by Amichai Shulman • Security analysis • Vulnerability discovery • Compliance expertise • Threat research • Education MS

  3. Agenda • Scorecard for 2009 Security Trends • 2010 Top Security Trends • Emerging threats, vendor security notification policies, and new security tactics • Strategies to mitigate today’s security threats • Q&A BC

  4. Scorecard for 2009 Security Trends

  5. #1 - The Industrialization of Hacking • Hacking is becoming a profitableindustry • The foundations of any industry can be identified within hacking • Building layered roles (supply chain) • Horizontal expertise • Resource optimization • Automation • Individual or political hacking haven’t ceased; but they have become a secondary threat

  6. The Industrialization of HackingLayered Roles • Detect vulnerabilities and develop exploits • Hardcore “hackers” with strong technical capabilities • Keep clean of actual targets • Provide the building blocks for others • Grow botnets • Groups devoted to controlling as many zombies as possible • Complex operations (will discuss later) • Provide zombies from the botnet for use by perpetrators

  7. The Industrialization of HackingLayered Roles (cont.) • Exploit targets • Groups that make use of zombies for various purposes • Send spam • Collect data • Inflict DoS • Consumers • Monetize information • Credit card fraud • Identity theft • Advertize through spam • Blackmail

  8. The Industrialization of HackingResource Optimization • “Nothing is thrown to the garbage” • Each workstation or application, once compromised, is exploited in one way or another as part of the industrial food chain • Compromised Applications • Direct value (fund transfer, credit card information, etc.) • Indirect value (credentials to other systems) • Malware distribution • Blackhat SEO • Command & Control

  9. The Industrialization of HackingResource Optimization (cont.) • Workstations • Keylogger for grabbing credentials • Specialized malware for man-in-the-browser attacks • General purpose Trojan to use as part of a botnet • Relay into internal networks

  10. The Industrialization of HackingAutomation • Core of the industrial process – growing botnets and exploiting targets – is mostly automated • Selecting target applications through search engines • Compromise applications using captured zombies • Configuration and commands distributed through forums and web pages • Sometimes the compromise is through search engine abuse

  11. The Industrialization of HackingAutomation (cont.) • Templates and kits exist for everything • Remote file include • Phishing of various applications • Botnet client (ASPROX, Zeus, Clampi, etc.) • Looking at the numbers from attack campaigns clearly shows the power of automation • Last month we have heard of 132K sites compromised in one campaign • We have tracked a similar campaign 3 weeks prior and saw the same flaw exploited in the same way over hundreds of sites • Techniques are becoming more sophisticated • Randomized DNS in order to avoid C&C hijacking

  12. The Industrialization of HackingOur Advice • We are no longer fighting the script kiddies or sporadic hacking attempts – we are fighting Hackers Inc. • Cannot hide from the problem. • Small and large applications alike • Servers or workstations • It’s not personal. • Smaller organizations • Must start paying attention to application security • Either directly or through their hosting providers • Organizations must look for tools to help them detect and mitigate automation properly

  13. #2 – From Application Security to Data Security • The 90s’ were all about network related security problems (connecting enterprise networks to the Internet) and network security solutions (Network Firewall) • Throughout this decade we’ve seen a shift of activity towards web application attacks • Network security becomes commodity and network attacks are harder to execute • At the turn of the century eCommerce and online services took a steep climb. Attacker motivation increases as applications expose more information and more functionality. • It is far easier to access data through applications designed to manipulate it

  14. From application security to data securityWeb Application Security is No Longer Enough • Internal threat still prominent • Many internal applications are not web based • Web application security can be effectively applied to major internal applications but not all of them • Many time internal users have (authorized) direct access to the database • Once data from application flows into a workstation its on the loose • Regulations require that specific types of data be tracked

  15. From applications security to data securityContinuous Data Security • Track access to sensitive and regulated data throughout its lifecycle • Basic information lifecycle • Most sensitive and regulated data can be traced back to structured storage (SQL databases) • Sensitive information may be transformed into unstructured format and placed in document storage and management system (File shares, MS Sharepoint, EMC Documentum) • Data is processed in workstations and may leave the enterprise boundaries through email, WebMail, file transfer and physical media

  16. From applications security to data securityOur Advice • Controls around individual data repositories • Database access monitoring • File activity monitoring • Controls to track data in process • Next generation of DLP products • Integrate with DRM • Collaboration between data security products • Policies expressed in terms of information type based on content, rather than table and file names • Track specific pieces of information as they leave the database, flow through web applications, transformed into files and flow through outgoing channels.

  17. #3 – Social networks expose larger societies • Past: Specific parts of the population • Young adults of the Internet generation • Today / Future: Everyone and their dog have a Facebook account • Younger, immature audience • Kids making their first steps into the virtual society • Conservative adult community • People who otherwise have very conservative web access behavior • Senior community • People whose trust models are deeply rooted in the old world (my grandmother)

  18. Social networks expose larger societiesPandemic Threats • There are three distinctive pillars to social networks that make them a perfect fit for online pandemic threats: • Huge crowds • Inherently expose personal information • Built-in mechanisms for implicit and explicit trust generation between loosely coupled individuals • Attackers can push their “merchandise” to larger unsuspecting crowds with higher than ever success rates • Use the implicit trust • Abuses the abundance of personal information to create more trust

  19. Social networks expose larger societiesThe Evolution of an Octopus • Social networks are becoming social platforms • Integrating MMORPG (e.g. Farmville), 3rd party apps • More opportunities for trust abuse • ClickJacking through Farmville gifts • Less control over the robustness of integrated applications • Integrating social networks into other domains • Google, Bing and Yahoo! integrating Twitter and Facebook results • Promoting malware just became much easier!

  20. Dear Amichai,We'd like your help to spread the word about our open jobs. If you follow the link below and install this application on your Facebook profile page, your friends will be able to see, apply and forward our jobs. The best part is that if your friend, or a friend of a friend, applies for a job and is hired, you will automatically get credit for the employee referral through Jobvite. You will be eligible for the referral bonus.To install the application, please follow this link:hereBest regards,Douglas Social networks expose larger societiesThe Evolution of an Octopus • Integrating social networks into enterprise • HR systems, CRM systems • Creating a Mobius strip of information, mixing internal and external trust Dear John,We'd like your help to spread the word about our open jobs. If you follow the link below and install this application on your Facebook profile page, your friends will be able to see, apply and forward our jobs. The best part is that if your friend, or a friend of a friend, applies for a job and is hired, you will automatically get credit for the employee referral through Jobvite. You will be eligible for the referral bonus.To install the application, please follow this link:hereBest regards,Sue

  21. Social networks expose larger societiesOur Advice - Redefining Trust • Social networks are all about novelty • We can expect them to rush new features out at the expense of security • As more 3rd party apps are created we cannot expect those to consider any security at all • We need tools to help us evaluate trust in huge, dynamic, virtual societies • These are starting to show up as research projects or initial offering from various vendors • Security tools and policies should be able to build on these trust systems

  22. #4 – Credentials are the New Credit Card Numbers • Dramatic surge in the number of data compromise incidents • Credit card numbers • Personal details • Price levels per single stolen record are constantly dropping • Attackers are looking for more profitable targets • We clearly see an increased level of activity around hacking user credentials for online applications

  23. Application credentials are the new CCNsMotivation • Credit card numbers are harder to monetize • Need to purchase goods and cash those out • Personal details are even harder to monetize • Cannot be used in masses • Require additional fraud (involving identity theft) • The premise of application credentials • Easier to monetize • Higher value per record

  24. Application credentials are the new CCNsMotivation (cont.) • Financial applications • Can be easily converted into hard cash through online transactions (fund transfers, stock trading, etc.) • Enterprise in the cloud (SalesForce.com, GoogleDocs, etc.) • Access to sensitive commercial information • Can be traded for money, used for fraudulent transactions and even blackmail • Web mail • Direct access to personal details • Further access to the above mentioned applications • SPAM

  25. Application credentials are the new CCNsTools of the Trade • Keyloggers • Cleartext passwords • Once a computer is infected quality data is flowing in • Requires massive infected botnets • Phishing attacks • Cleartext passwords • Low quality data • Low success rates • Application compromise (e.g. SQL injection) • Sometimes digested password that need further cracking • High quality data • Huge numbers

  26. Application credentials are the new CCNsOur Advice • Protect you web facing applications • Defeat attacks • Store digested passwords • Defeat exposure in case of compromise • Use safe password recovery procedures • Avoid automatic leveraging of another compromise • Include two factor authentication • When possible

  27. #5 – Proactive Security • To date the security concept has been largely reactive • Wait for a vulnerability to be disclosed • Create a signature (or some other security rule) • Cross reference requests against these attack methods, regardless of their context in time or source • As a consequence security decisions are becoming more difficult and resource consumption (machine as well as human) is growing • Distinguishing “bad” requests from “good” requests based on request content alone becomes more difficult and more time consuming • Not only machine resources but also human resources as more decisions cannot be taken automatically • This is completely inadequate in world of growing attack rates

  28. Proactive securityTired of Being a Sitting Duck? • Rather than waiting to be attacked, security research teams start to proactively look for attacker activity as it is being initialised over the network • Traditionally used for longer term research, proactive intelligence operations can be used for immediate security value: • Identify compromised computers being actively exploited to launch attacks • Quickly identify attack campaigns at their early stages • Discover 0 day vulnerabilities in the wild rather than in the lab • Identify targets of upcoming attacks in advance

  29. Proactive securityMilitary Intelligence is a Contradiction in Terms* • There are different techniques for gathering timely intelligence • Some techniques, especially related to the SPAM domain have already been in use for a couple of years • Some technique are based on a network of sensors. Three basic types of sensors • Setting up targets for attacks (fake web applications, mailboxes to receive spam, etc.) • Setting up communication channels for use by attackers (anonymous proxies, TOR relays) • Network sniffers in strategic locations • Tap into C&C servers *Groucho Marx

  30. Proactive securityMilitary Intelligence (cont.) • Other techniques are more laborious • Reverse engineering of new malware to identify C&C servers • Hijack domain names intended for use by botnets • Tap into hacker discussions in forums and • Existing projects and commercial offerings for various types of threats (sample): • Dshield (General reputation for IPs) • ShadowServer (Botnet oriented) • Cyveillance (Phishing and compromised servers) • Project Honeypot (Spam related)

  31. Proactive securityOur Advice • Engaging in proactive security requires substantial research resources – don’t expect to do it yourself • Some solutions (mainly around endpoint security) are incorporating data obtained through proactive security • Next generation of enterprise solutions will include integration of data obtained from proactive security projects and providers • Add proactive security to your wish list when looking at enterprise solutions

  32. Security Trends that just missed the Top 5

  33. Questions & Answers ADC Data Security Webinar Series

More Related