The Latest Internet Security Threats and How to Protect Your Network PowerPoint PPT Presentation

Title: The Latest Internet Security Threats and How to Protect Your Network


1
The Latest Internet Security Threats and How to
Protect Your Network
  • June 08, 75 Minutes

2
Latest Security Threats and Examples
3
Hannaford
  • 4.2 million records compromised
  • 1,800 known fraud cases to date
  • Malware installed on servers at each store
    location that would capture credit card info and
    send to attackers
  • Only discovered because of the fraud that
    occurred, not detected by Hannaford
  • Several class-action suits have been filed
    against Hannaford.

4
NY-Presbyterian Hospital/Weill Cornell Medical
Center
  • 38-year-old Dwight McPherson, who worked in the
    administration department, stole nearly 50,000
    records as part of an identity theft scheme.
  • McPherson told agents that in 2006 he was
    approached by someone who offered money in
    exchange for the names, addresses and other
    identifying information of male patients born
    between 1950 and 1970.
  • McPherson sold one batch of 1,000 records
    sometime in December or January for $750.
  • A second batch a short time later earned him $600.

5
Stevens Hospital Emergency Room
  • A manager for the hospital's billing company, Med
    Data, stole patients' credit card numbers. She
    gave them to her brother, who bought $30,000 worth
    of clothes and gift cards over the Internet.

6
SPAM
  • SPAM continues to make up the vast majority of
    email traffic (currently between 80% and 90%)
  • Image-based SPAM is used to evade conventional
    desktop filters
  • SPAM targets groups of recipients whose personal
    details have been skimmed from social networking
    sites using a vocabulary relevant to the
    recipient's occupation.

7
Whaling
  • Emails with phony subpoenas embedded with
    malicious software sent to high-ranking
    executives to steal valuable corporate
    information.
  • "The success rate was incredibly high"
  • The emails are crafted with the seal of the US
    federal court in San Diego, California, and are
    addressed to executives using their names,
    addresses and other individual details.
  • Clicking on a link to see a "subpoena" displays a
    realistic looking document and stealthily
    installs malicious computer code in the reader's
    computer.

8
Web Site Modification
  • Customer types the online banking web site address
    (e.g. www.myfinancialinstitution.com) into the
    browser address bar
  • The home page redirects traffic to an attacker web
    site that looks identical to the legitimate site
  • Attacker has modified the legitimate web site to
    redirect traffic to the false web site
  • Attacker stores all data
9
Malware Sites
  • Threats from malicious web sites have taken the
    lead over email-borne attacks
  • Industry analyst IDC suggests that 30 percent of
    companies with 500 or more employees have been
    infected with malware through web surfing. This
    compares to 20 to 25 percent of similar companies
    infected through email.
  • October 2007 had 359 new variants of keyloggers
    and Trojan horse programs, a record

10
Malware Sites
  • MSNBC along with other major sites like
    ZDNet.com, Wired.com and History.com were
    breached with what security experts call a search
    engine input optimization attack.
  • This particular JavaScript iframe is injected by
    hackers into the source code of thousands of
    websites, and when a user's browser opens the
    compromised site through a random search, "the
    JavaScript ultimately serves up a concoction of
    exploits designed to gain access to the visitor's
    computer."
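Slides 8 and 10 both describe the same defensive problem from the site owner's side: a legitimate page has been modified to redirect visitors elsewhere, or to carry an injected iframe or script that loads content from a foreign host. The following page-integrity check is an added example written for this transcript; it is not code from the presentation or from Perimeter eSecurity. It walks one HTML document with the standard-library HTMLParser and reports meta-refresh redirects, script or iframe sources on a foreign domain, hidden or zero-size iframes, and inline scripts that assign window.location. The two sample pages and the domain names in them (myfinancialinstitution.com, a look-alike host, an exploit host) are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline script that sends the browser elsewhere, e.g. window.location.href = "..."
LOCATION_ASSIGN = re.compile(r"\b(?:window|document|top|self)\.location(?:\.href)?\s*=", re.I)
# The url=... part of a <meta http-equiv="refresh" content="0; url=..."> tag
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)


class RedirectScanner(HTMLParser):
    """Collects (kind, detail) findings while parsing one page."""

    def __init__(self, own_domain: str):
        super().__init__()
        self.own_domain = own_domain.lower()
        self.findings = []
        self._in_script = False

    def _foreign(self, url: str) -> bool:
        host = (urlparse(url).hostname or "").lower()
        # Relative URLs (no host) and the site's own domain or subdomains are fine.
        return bool(host) and host != self.own_domain and not host.endswith("." + self.own_domain)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL.search(a.get("content", ""))
            if m and self._foreign(m.group(1)):
                self.findings.append(("meta-refresh", m.group(1)))
        if tag in ("iframe", "script"):
            src = a.get("src", "")
            if src and self._foreign(src):
                self.findings.append((tag + "-src", src))
        if tag == "iframe":
            # Zero-size or hidden iframes are the usual drive-by vehicle.
            style = a.get("style", "").replace(" ", "").lower()
            if ("display:none" in style or "visibility:hidden" in style
                    or a.get("width") == "0" or a.get("height") == "0"):
                self.findings.append(("hidden-iframe", a.get("src", "")))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and LOCATION_ASSIGN.search(data):
            self.findings.append(("inline-redirect", data.strip()[:80]))


def scan_html(html: str, own_domain: str):
    """Return the list of (kind, detail) findings for one page."""
    p = RedirectScanner(own_domain)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample pages (not real sites): an untouched login page and a tampered one.
CLEAN_PAGE = """<html><head><title>Login</title>
<script src="/static/app.js"></script></head>
<body><form action="https://www.myfinancialinstitution.com/login"></form></body></html>"""

TAMPERED_PAGE = """<html><head><title>Login</title>
<meta http-equiv="refresh" content="0; url=http://www.myfinancialinstitutlon.example/login">
<script>window.location.href = "http://www.myfinancialinstitutlon.example/login";</script>
</head><body>
<iframe src="http://exploit-host.example/kit" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, scan_html(page, "myfinancialinstitution.com"))
```

Run it against a stored copy of each public page on a schedule and alert on any finding; the check is deliberately domain-based rather than signature-based, so it catches a new redirect target the day it appears rather than only known-bad hosts.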

11
Google
  • Criminals hijacked links displayed in some lists
    of search results and attempted to install
    malware on users' machines.
  • In the attack, criminals bought links that
    appeared to be genuinely associated with search
    terms but which diverted users to a malicious
    site that attempted to install malware on their
    computers.

12
Phishing Stats
13
Hosting Targets
  • www.antiphishing.org/crimeware.html
  • US 32.5%, down from 47%
  • China was on top for a few months
14
Phishing with DDOS
[Diagram: FI OB Web Site]
15
Pharming Attack
  • Emailed Trojan installs application that
    redirects users to a false web site for any of 50
    financial institutions. Users simply type the
    name (www.mybank.com) into the browser and would
    be sent to the false website.
  • 5 servers spread out across the world worked in
    tandem, so if one was shut down, the others would
    be available for connections
  • At one point there were more than 1000 infections
    a day

16
Theft/Loss
  • More data security breach incidents occur due to
    theft and loss than any other category (including
    insiders and hackers): 30% of the total
  • However, it only accounts for 2% of records
    compromised

17
Vulnerability Compromise
  • University of Maryland Study
  • Systems attacked (probed) on average every 38
    seconds
  • 1 in 3 compromise attempts were successful

18
Zero Day Attacks
  • Compromise vulnerable systems
  • Black-market prices for these remote exploits
    requiring no target-user intervention sold for
    $5,000 in 2004 but have skyrocketed to as much as
    $80,000 in 2007.
  • Zero-Day attacks will often be successful through
    a combination of malware and SPAM
  • 20 New Vulnerabilities discovered daily (average)

19
Application Level Attacks
  • Cross Site Scripting (XSS)
  • Buffer Overflow
  • SQL Injection

20
Social Engineering
21
Attack Combinations
  • Bobby Fischer style! Using a combination of
    methods to compromise systems and execute
    attacks.
  • Malware sites
  • SPAM or other lures
  • Trojans
  • Key-loggers
  • Remote Control Apps
  • Identity Theft

22
Hacker coordination
  • BotNet
  • SPAM Creator
  • Website Hoster
  • Payment Processor
  • Info Buyer/Seller
  • Re-Shipper
  • Web Site Creator
  • Zero Day Code Developer
23
The Security Landscape in 2001
[Chart: Maturity; Source: Gartner Research]
24
Security Landscape
  • 223 Million identity records have been
    compromised since 2005. That translates to 11 of
    every 15 Americans.

25
The Shift
  • August 2004: Windows XP SP2 is released, changing
    the face of security
  • Highest prized targets require new methods of
    compromise

26
Why So Serious?
  • FFIEC/NCUA Regulations
  • Data Breach Disclosure Laws
  • Red Flags Rule amended to the Fair and Accurate
    Credit Transactions Act
  • PCI
  • Best Practices

27
Red Flags Rule
  • Amendment to the Fair and Accurate Credit
    Transactions Act
  • A business that maintains a credit-based
    relationship with its customers must have a
    written information security plan that outlines
    what it is doing to protect customer records from
    theft.
  • Businesses must comply by November 1, 2008
  • Those not compliant open themselves up to the
    possibility of class-action lawsuits if their
    customer data is stolen
  • The rule specifically calls out five industries
    automotive, financial, health care, insurance and
    mortgage.

28
Data Breach Disclosure
  • Began with California SB 1386 that went into
    effect mid 2003

29
States that have Data Breach Notification Laws
Today more than 40 states have adopted similar
laws
30
What did they do?
  • A study from the Ponemon Institute found that
    nearly one-third of people who were notified of a
    data security breach affecting their personal
    information no longer conduct business with the
    company that suffered the breach. 
  • Fifty-five percent of respondents said they had
    been notified of more than one breach of their
    personal data in the last two years
  • Eight percent had received four or more breach
    notifications.
  • Sixty-three percent of respondents said their
    notification letters offered no information about
    steps to take to protect their data. 
  • More than half of the respondents said they were
    notified of breaches more than a month after the
    fact. 
  • Just two percent of respondents said they had
    been victims of identity fraud as a result of a
    data breach.
  • http://www.darkreading.com/document.asp?doc_id=151378

31
OCC Bulletin 2004-20
Banks that fail to establish a structure that
adequately identifies, measures, monitors, and
controls risks may be considered to be in an
unsafe and unsound condition.
32
What is a Risk Assessment?
  • Information security risk assessment is the
    process used to identify and understand risks to
    the confidentiality, integrity, and availability
    of information and information systems. In its
    simplest form, a risk assessment consists of the
    identification and valuation of assets and an
    analysis of those assets in relation to potential
    threats and vulnerabilities, resulting in a
    ranking of risks to mitigate. The resulting
    information should be used to develop strategies
    to mitigate those risks. (FFIEC IT Examination
    Handbook, p. 10)
  • All CUs are required to perform a risk
    assessment per NCUA Rules and Regulations Part 748
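The FFIEC definition above is a procedure: identify and value assets, analyse each against the threats and vulnerabilities that apply to it, and produce a ranked list of risks to mitigate. The following worked ranking is an added example and is not part of the presentation or of any FFIEC or NCUA material; the 1-to-5 rating scale, the multiplicative scoring and the sample assets, threats and ratings are all constructed for illustration, and an institution would substitute its own inventory and scale.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Asset:
    name: str
    value: int        # 1..5: business impact if confidentiality, integrity or availability is lost


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int   # 1..5: how likely the threat is to act against this environment


@dataclass(frozen=True)
class Exposure:
    """One asset analysed against one threat, with a rating of how weak the existing controls are."""
    asset: Asset
    threat: Threat
    vulnerability: int  # 1 (well controlled) .. 5 (no effective control)


SCALE = range(1, 6)


def risk_score(e: Exposure) -> int:
    """Risk = asset value x threat likelihood x vulnerability, giving 1..125 (constructed scale)."""
    for rating in (e.asset.value, e.threat.likelihood, e.vulnerability):
        if rating not in SCALE:
            raise ValueError(f"rating {rating} is outside the 1..5 scale")
    return e.asset.value * e.threat.likelihood * e.vulnerability


def rank_risks(exposures: List[Exposure]) -> List[Exposure]:
    """Order exposures from highest to lowest risk; ties broken by name so the list is stable."""
    return sorted(exposures, key=lambda e: (-risk_score(e), e.asset.name, e.threat.name))


def risks_to_mitigate(exposures: List[Exposure], appetite: int) -> List[Exposure]:
    """Everything scoring at or above the institution's stated risk appetite gets a mitigation strategy."""
    return [e for e in rank_risks(exposures) if risk_score(e) >= appetite]


# Constructed sample inventory for a small financial institution (illustrative ratings only).
SAMPLE_EXPOSURES = [
    Exposure(Asset("Core member database", 5), Threat("SQL injection via online banking app", 3), 4),  # 60
    Exposure(Asset("Core member database", 5), Threat("Insider record theft", 2), 3),                 # 30
    Exposure(Asset("Public web server", 2), Threat("Page modification / redirect injection", 4), 4),  # 32
    Exposure(Asset("Staff laptops", 3), Threat("Theft or loss", 4), 4),                                # 48
    Exposure(Asset("Email gateway", 3), Threat("SPAM and phishing lures", 5), 1),                      # 15
]

if __name__ == "__main__":
    for e in rank_risks(SAMPLE_EXPOSURES):
        print(f"{risk_score(e):3d}  {e.asset.name:22s} <- {e.threat.name}")
    print("to mitigate at appetite 30:", len(risks_to_mitigate(SAMPLE_EXPOSURES, 30)))
```

The point of the scoring is the ordering it produces, not the absolute numbers: the laptop theft-or-loss row ranks above the insider-theft row even though the database is the more valuable asset, which matches the slide 16 observation that theft and loss is the most frequent breach category.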

33
Security Report Card
34
Security Report Card
35
Risk Profiler
36
Layered Security
37
Threats to your systems
  • Employees
  • Remote Users
  • Non-Compliance
  • Internal Exploits
  • External Exploits
  • Disaster
  • Network Unavailability
  • Scams

46
What Can You Do
  • Use updated NIDS/NIPS Sensors
  • Use HIDS/HIPS for sensitive systems
  • IPS can block overlapping fragments
  • Harden the internal systems
  • Remove all default web material
  • Run web server with minimal privileges (not root
    or admin)
  • May need to edit registry or unbind unused
    protocols in Windows
  • Install AV, anti-SPAM, malware protection,
    personal firewall, etc.
  • Patch Management
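The "IPS can block overlapping fragments" bullet refers to a specific check: the fragments of one IP datagram should tile the reassembled payload without overlapping, and an inline sensor can drop a fragment set that does not. The following detection logic is an added example written for this transcript, not code from the presentation or from any IPS product. It treats each fragment as the (offset, payload length, more-fragments) triple carried in the IPv4 header, with the offset in 8-byte units as on the wire, and it also flags the two related malformations a reassembler has to guard against: a non-final fragment whose payload is not a multiple of 8 bytes, and a fragment set whose reassembled size would exceed 65,535 bytes. The fragment records are constructed, not captured traffic.

```python
from typing import List, NamedTuple, Tuple


class Fragment(NamedTuple):
    offset: int   # fragment offset field, in units of 8 bytes
    length: int   # payload bytes carried by this fragment
    more: bool    # "more fragments" (MF) flag


MAX_DATAGRAM = 65535  # largest IPv4 datagram, total length field is 16 bits


def byte_range(f: Fragment) -> Tuple[int, int]:
    """Half-open [start, end) byte range this fragment occupies in the reassembled datagram."""
    start = f.offset * 8
    return start, start + f.length


def find_overlaps(frags: List[Fragment]) -> List[Tuple[int, int]]:
    """Return index pairs (i, j), i < j, whose byte ranges intersect."""
    ranges = [byte_range(f) for f in frags]
    overlaps = []
    for i in range(len(frags)):
        for j in range(i + 1, len(frags)):
            a0, a1 = ranges[i]
            b0, b1 = ranges[j]
            if a0 < b1 and b0 < a1:   # half-open intervals intersect
                overlaps.append((i, j))
    return overlaps


def verdict(frags: List[Fragment]) -> Tuple[str, str]:
    """('pass', '') for a well-formed fragment set, else ('drop', reason)."""
    for f in frags:
        if f.more and f.length % 8 != 0:
            return "drop", "non-final fragment payload is not a multiple of 8 bytes"
        if byte_range(f)[1] > MAX_DATAGRAM:
            return "drop", "reassembled datagram would exceed 65535 bytes"
    overlaps = find_overlaps(frags)
    if overlaps:
        return "drop", "overlapping fragments " + ", ".join(f"{i}/{j}" for i, j in overlaps)
    return "pass", ""


# Constructed fragment sets: a 3,480-byte payload split cleanly at 1,480-byte boundaries,
# a set whose second fragment starts inside the first, and a set that reassembles past 64 KiB.
BENIGN = [Fragment(0, 1480, True), Fragment(185, 1480, True), Fragment(370, 520, False)]
OVERLAPPING = [Fragment(0, 1480, True), Fragment(100, 1480, False)]
OVERSIZED = [Fragment(0, 1480, True), Fragment(8189, 100, False)]

if __name__ == "__main__":
    for name, frags in (("benign", BENIGN), ("overlapping", OVERLAPPING), ("oversized", OVERSIZED)):
        print(name, verdict(frags))
```

A sensor that only drops on overlap still has to decide which copy of an overlapped byte the end host would have kept, which differs between operating systems; dropping the whole fragment set, as this check does, avoids having to model that at all.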

47
What can you do (cont.)
  • Policy Management
  • Enforce strong passwords that must be changed
    frequently
  • In-depth vulnerability assessments, including
    web application scanners and application-level
    scanners
  • Internal Vulnerability Assessments
  • External Vulnerability Assessments
  • Web Content Filtering
  • End User Security Awareness Training
  • Email Content Filtering

48
What can you do (cont.)
  • Gateway AV/SPAM
  • Remote Data Backup
  • Secure eMail

49
Thank You
Kevin Prince, Perimeter eSecurity
kprince_at_perimeterusa.com