Presented by Stan Dormer Director of Education & Training Services

1. www.mindgrove.co.uk “IT Security Update” ISACA Scotland June 19th 2012 Presented by Stan Dormer Director of Education & Training Services Expert

2. Administration • Timings and Breaks • 1115 • 1245 • 1500 • 1630ish • Fire • Phones

3. Today’s programme • Are security experts getting it right – what happened to all of the predictions for a secure future? • Are security architectures and standards sufficient and appropriate for the 21st century? What can we do more of or what could be done better? • What type of attacks, hacks and compromises are giving rise to greatest concern, and can they be halted? • What tools and techniques are the hackers and scamsters deploying, and how can we avoid being impacted? • What tools and strategies are available to detect, patch and eliminate insecurity from the ground floor upwards? • Are auditors getting the right information and probing the answers from their organisation? • Are people the weakest link? • A doomsday scenario and how we might avoid it …

4. Are security experts getting it right – what happened to all of the predictions for a secure future?

5. Back to the past– the year is 1999 • In Norway, the extremely dangerous data virus Win95.CIH has for the latest months been the fastest propagating virus. • Win95.CIH has the ability to overwrite the hard disk with garbage as well as overwrite the Flash BIOS on some PCs. If the Flash BIOS is overwritten it may even be impossible to start the PC from a boot diskette??? • However, security experts say thatit is unlikely that any new type of viruswill exceed the notorious Mellissa virusthat infected as many as 100,000 hosts over a relatively short period. • Security experts concluded that: “We will be much better prepared next time.”

6. It’s 2001 and an expert claims … “Software security has so much improved that I think it will be likely, within the next ten years, that even images that are altered will be instantly detectable and automatically alert the user to a potential fraud.” “Viruses might be out there but private persons should be safe if they use their eyes, ears and a little bit of common sense.”

7. In 2003 an expert predicts hoax viruses … • But he didn’t predict scam software … like the notorious Security Shield scareware drive-by infection (2008, 2009, 2010, 2011 and 2012) How to begin removal …

8. Or by how much scarewarewould take off … The fake (looks like a Windows Dialogue Box) … that you pay for … The cure (free) …

9. In 2007 an expert stated that hoax emails were so poorly put together and formatted that they were easy to spot … Please circulate the following warning to your friends by forwarding this email: URGENT – UK Police are Conducting Surveillance Activities! Yesterday (14th June 2012) an announcement was made in Parliament concerning the Regulation of Investigatory Powers Act stating that police were about to be given access to all email, phone calls and personal computers. They will be able remotely work through your copy of Microsoft Internet Explorer, Opera, Mozilla, Chrome, Firefox, Safari or Google and examine or gather evidence on what you are doing or even erase everything on your hard drive. They are looking for pornographic activities, untaxed commercial trading activities such as buying and selling items on eBay, movements of money between related bank accounts, and for potential crime suspects in Contact Lists. They can also view you if you have a webcam on a Macintosh or Microsoft laptop. This is new, legal and not many people as yet are aware of the impact of this intrusion into their private lives. Pass this warning along to EVERYONE in your address book and please share it with all your online friends ASAP so that co-ordinated action can be taken through members of parliament to ensure that this threat to civil liberty is stopped. Please take pre-cautionary measures such as using a browser not in the list above, erasing all of your email after reading it (print out any emails that you need to keep), covering your webcam with tape when not in use, blocking the web address www.pcremoteviewer.gov.uk and inform anyone that may have shared access to your computer to turn out lights in the room whilst working to make it difficult for the police to get a clear image. Forward this warning to everyone that might access the Internet. Note: This legislation does not yet apply to Scotland or Wales.

10. Selecting this link takes you to HMRC’s bank interface (seen on the next slide) … OK, some are a bit more obvious than others …

11. Fake banks continue to multiply Get your refund (or rapiddebit) here …

12. Even in 2011 no expert predicted so many fake on-line news stories via apparently real news agencies …    

13. Or fake investor websites

14. Or that you could (attempt to) buy fake pharmaceuticals …

15. Or that history could be rewritten …

16. Are security architectures and standards sufficient and appropriate for the 21st century? What could be done better?

17. ISO 27000x • 27001: Tells you what to do – a process that you execute • Risk analysis • Priority assessment (what priority security?) • Choice of mitigating strategy (how much mitigation?) • Put controls chosen in place • Review • Review and check on periodic basis • Based on risk assessment – problematical because depends on risk envisioning across entire technology dependent dimension • Based on multipoint controls – assumes consistency • Assumes zero psychological vector – doesn’t account for mood

18. Architectural approaches – Zachman and SABSA

19. Architectural approaches are not perfect either • Expectation of normality – no aberrant behaviour • Expectation of conformity – no bypass of rules or structures • Expectation of testability – proof of correct operation

20. COBIT and ITIL 3 • Great for establishing best practice, value and control • Expectation of normality – no aberrant behaviour • Expectation of conformity – no bypass of rules or structures • Very dependent on directives as means of control and sometimes directives that are unrealistic or capable of being misinterpreted Always use antivirus measures

21. Doing better: Expect the unexpected • Penetration testing as ad-hoc assurance • Microsoft’s (and others) SSDLC as best effort • Create more compartmentalisation – watertightbulkheads • Drive for simplicity, reduce complexity • Assume all software is flawed don’t believe that one vendor’s software is better than another

22. Doing better: Build in risk psychology .. allow for the fact that • People exaggerate spectacular but rare risks and downplay common risks • People have trouble estimating risks for anything not exactly like their normal situation • Personified risks are perceived to be greater than anonymous risks • People underestimate risks they willingly take and overestimate risks in situations they can't control • Last, people overestimate risks that are being talked about and remain an object of public scrutiny.

23. Psychological vector

24. What type of attacks, hacks and compromises are giving rise to greatest concern, and can they be halted?

25. Sophistication increasing

26. Default passwords are increasingly available – defaults being targeted

27. Easy to get hack advice from the net For all the whiners saying: "Boohooooomy IP is tracked, i'm going to jail :'(" Learn how to protect yourself BEFORE you start hacking. Hide your IP, use free software like the Tor Project browser or ProXPN VPN. I once tried to hack a website but failed and they said they had tracked down my IP. But I used Tor and ProXPN, so they ended up in Australia where I don't even live! Ha Ha! -:D

28. Denial of service attacks are better co-ordinated

29. Botnets are increasingly demonstrating their presence

30. Spam botnets are a big money making deal • Botnets make attacks very easy. Botnet are responsible for sending 87.9% of all the spam, according to the data in the Symantec Message Labs Intelligence Report.

31. Pay to use

32. Statistics from the cloud • Spam accounts for 14.5 billion messages globally per day. Spam makes up at least 75% of all national emails. Spam email makes up an even greater portion of global emails, some 92% in fact. The United States is the number one generator of spam email. • Because spam has inundated both the personal and corporate world of emailing surveys have found that spam has led to decreased public confidence and trust in Internet communications. • Spam costs businesses £15 billion annually in decreased productivity not including technical costs. This approximates to an average loss per employee annually because of spam of £1800. • Microsoft FOPE services filter millions of spam messages per day.

33. The security overhead

34. The hidden administration Layer 1 – Connection filtering (Approximately 80% of inbound spamrejected) • DNS Block List (DNSBL) • IP Allow/IP Block • Sender ID (SPF) Layer 2 – SMTP filtering (3% to 5% rejected) • Sender • Recipient • Global safe list • Global block list • Sender ID • Backscatter catching Layer 3 – Content filtering (55% to 60% rejected) • Cloudmark • Automatic updates every 45 seconds

35. On top of this all MS vulnerabilities continue

36. And so does Apple’s infatuation with media

37. And it may be time to drop Flash??? 1 release per week!

38. Social networks • The primary blended attack method used in the most advanced attacks will be to go through your social media "friends," mobile devices and through the cloud. • "We have already seen attacks that used the chat functionality of a compromised social network account to get to the right user. Expect this to be the primary vector, along with mobile and cloud exploits, in the most persistent and advanced attacks of 2012," Websense researchers have said.

39. Social scams to rise – targeting to improve • The number of people falling victim to believable social engineering scams will rise significantly if the unscrupulous attackers find a way to use mobile location-based services to design hyper-specific geo-location social engineering attempts, the report said. "People have been predicting this for years, but in 2012 it actually started to happen." • Also important are globally important events including the London Olympics or U.S. presidential elections. Cybercriminals will continue to take advantage of today's 24-hour, up-to-the minute news cycle, the report said, adding that now they will infect users where they are less suspicious. Sites designed to look like legitimate news services, Twitter feeds, Facebook posts/emails, LinkedIn updates, YouTube video comments, and forum conversations may proliferate it said.

40. Social media in the limelight – last week • The latest threat report from GFI Labs in June2012 saw a further increase in attacks on social media sites. These included popular targets such as Facebook and Twitter, and were extended to include Google, LinkedIn and Skype. LinkedIn lost 6.5m passwords in May. • LinkedIn users saw a huge increase in fake invitations, which redirects users to a site infected with a Blackhole exploit and downloads the Cridextrojan. The malware is not easy to detect and according to M86 Security Labs is only picked up by 10 out of 43 anti-virus products. Skype also came under attack; crooks targeted users by sending false spam which claimed to give Skype credit to those who followed a link. However, users were instead directed to a compromised site which was infected with malicious Java exploits. • Google was the ‘hook' for a couple of scams, a SEO poisoning attack, which told searchers that Google systems had detected malware on their machine and led them to download a fake anti-virus package. In the second attack, a wave of spam claimed to make announcements for "Google Pharmacy”; users who followed the link ended up at notorious spam site Pharmacy Express, which has been linked to spam attacks since 2004. • Celebrity stories are being used to spread spam and tempt social media users into clicking on a story which has a hidden layer of code overlaying the main image. Customers of CBS's Last.fm music site and EHarmony's dating site also had passwords stolen last week, both companies suggested that users change their passwords immediately!

41. Use agreed international frameworks • Botnets can be markedly limited by authenticating every computer involved in an internet transaction, but traditionally this has been an unattainable goal as universal computer authentication would require the perfect and on-going cooperation of a massive number of computer owners and systems administrators around the world. • Universal computer authentication can be achieved at the server level by a novel implementation of digital signature technology called Mail Transfer Agent Authentication.

42. MTA Signing – M Kaplan

43. MTA Signing – M Kaplan

44. MTA Signing – M Kaplan

45. Must be spam

46. Applies to originators too

47. SPF now works across MTAs

48. MindGrove’s DNS SPF records A TXT record (retrieved from MindGrove’s DNS records) associates with .mindgrove.co.uk the value v=spf1 include:outlook.com ~all • This indicates that mail from Office 365 Outlook for a MindGrove Domain is to be treated as authentic when received from this outgoing MTA • And from an inbound email header MTA was • @AMSPRD0702MB106.eurprd07.prod.outlook.com

49. What tools and techniques are the hackers and scamsters deploying, and how can we avoid being impacted?

50. ATM physical fraud getting more sophisticated