
DP SECURE 2008

SCARING YOU SECURE...


INSIGHT INTO THE
IT SECURITY JUNGLE
BY

DALBIR SINGH, CISSP


+60192109229
DALBIR@DP.IO2IO.COM
© 2008 Dataprep Holdings Bhd. All Rights Reserved.
Agenda

Insight to IT Security

Threats and Technology

Anticipated Top 10 Information Security Trends of 2008

Security Highlight
• Presidential Election – US
• Zero Day Attack

Conclusion


Why Today’s Presentation?

• Creating an awareness of the technology risks is a step in helping the user community take necessary precautions

• There is a need to be more PROACTIVE when it comes to technology security

• We need to understand that in many cases, technology alone cannot solve security problems

• Providing users with information that can be used to help make their technology environment more secure is a win-win situation


Key Issues Facing Customers Today

These issues are common to the computer and network layers:

Simplification
• Scale
• Cost
• Staffing
• Integration and systems management

Application and Service Optimization
• Enablers
• Awareness
• App management
• Performance/optimization
• Resilience

Security
• Threats
• Theft
• Loss
• Response time


Security Incidents 2007 – CSI Computer Crime & Security


Dollar Amount Losses by Type of Attack



Security Technologies Used



Techniques Used to Evaluate Effectiveness of Security Technologies


Techniques Used to Evaluate Effectiveness of Security Awareness Training


Actions Taken Following an Incident



Reasons for NOT Reporting



Key Findings

The average annual loss reported in this year’s survey shot up to $350,424 from $168,000 the previous year. Not since the 2004 report have average losses been this high.

Almost one-fifth (18%) of those respondents who suffered one or more kinds of security incident further said they’d suffered a “targeted attack”, defined as a malware attack aimed exclusively at their organization.

Insider abuse of network access or e-mail (such as trafficking in pornography or pirated software) edged out virus incidents as the most prevalent security problem, with 59 and 52 percent of respondents reporting each respectively.

When asked generally whether they’d suffered a security incident, 46 percent of respondents said yes, down from 53 percent last year and 56 percent the year before.


What is Security?

Merriam-Webster’s Collegiate Dictionary

• Main Entry: se·cu·ri·ty

• Pronunciation: si-’kyur-&-tE

• 1. The quality or state of being secure: as
  a: freedom from danger : SAFETY
  b: freedom from fear and anxiety
  c: freedom from the prospect of being laid off

• 2.
  a: Something given, deposited, or pledged to make certain the fulfillment of an obligation: SURETY

• 3. An evidence of debt or ownership


What is Security?

• 4.
  a: something that secures: PROTECTION
  b:
    i: measures taken to guard against espionage or sabotage, crime, attack or escape
    ii: an organization or department whose task is security


Why should you care?

• The bottom line = $$$

• Risk assessment to loss of systems
  • What is the $/hr for an end user workstation
  • What is the $/day for a server
  • What is the $/week, month, year for a critical system

• Worst Case
  • Production banner goes down and never comes back


Why should you care?

• Liability = Responsibility
  • State and federal guidelines for IT data, systems and security
    • What would be the legal ramifications if somebody broke in and stole all the client info? Email addresses for spam?

• Worst Case
  • System insecurity leads to a leak of confidential information which results in a very big lawsuit


Why should you care?

• Damages prestige of the company
  • Bad press directly/indirectly influences:
    • Department, staff and clients
    • Potential staff and clients

• Causes the company to become a known target
  • Weak security = easy target
  • Word gets around VERY QUICKLY in hackerdom

• Worst Case
  • NST/Star front page article deriding you, your department and company


The Big Fallacy

• “There’s nothing on my computer anybody would want!” – a non-IT manager

• Would you want everyone/anyone to:
  • Look at the web sites you’ve visited?
  • Read all your email?
  • Write email with your userid?
  • Use any credit cards you’ve used online?
  • Alter/delete data on your system?
  • Hijack your system for further attacks to other systems?


Threats Continue to Evolve



So Many New Security Technologies



Evolution of Security Challenges

[Chart: target and scope of damage versus time. Vertical axis: individual computer, individual networks, multiple networks, regional networks, global infrastructure impact. Horizontal axis: 1980s, 1990s, Today, Future, spanning 1st Gen, 2nd Gen, 3rd Gen and Next Gen attacks. Annotation: the time from knowledge of a vulnerability to release of an exploit is shrinking, from weeks to days to minutes to seconds.]

Virus and Worm Attacks



Instant Macro Virus Maker



Regulatory Compliance and the “IAC Triad”

Regulatory compliance
• BNM GPIS 1, HIPAA, Gramm-Leach-Bliley (GLB), Sarbanes-Oxley (SOX), Basel II, EPA

Integrity
• Assures accuracy and reliability of data and systems, ensuring neither is modified in an unauthorized manner

Availability
• Ensures the system or data is available and executes in a predictable manner with an acceptable level of performance

Confidentiality
• Prevents unauthorized disclosure of sensitive information by ensuring that the necessary level of secrecy is in place at each junction of data processing


Rules & Policies..



Top 10 Information Security Trends of 2008

1. Increasingly Sophisticated Website Attacks That Exploit Browser Vulnerabilities

2. Increasing Sophistication and Effectiveness in Botnets

3. Cyber Espionage Efforts by Well Resourced Organizations

4. Mobile Phone Threats, Especially Against iPhones and Google’s Android-Based Phones

5. Insider Attacks


Top 10 Information Security Trends of 2008

6. Advanced Identity Theft from Persistent Bots

7. Increasingly Malicious Spyware

8. Web Application Security Exploits

9. Increasingly Sophisticated Social Engineering Including Blending Phishing with VOIP

10. Supply Chain Attacks That Infect Consumer Devices


Security Highlight: Presidential Election - US

Setting the stage:
• It’s impossible to predict the future; BUT we can
  • Speculate
  • Make educated guesses
  • Learn from past experiences

Much of what we’ll discuss:
• Has been demonstrated before; BUT
• Can be easily applied to the electoral system


The Internet and our Electoral System

Internet increasingly relied on for voter communications
• Used extensively in 2004; overshadowed in 2008
• Important to understand the associated risks

One need only examine current threats
• Adware, Spyware, Malicious Code
• Typo Squatting, SPAM, Phishing, Fraud, Identity Theft
• Dissemination of misinformation
• Invasion of privacy

Emphasis will be on US Presidential Election 2008 but can be applied everywhere


Threat: Typo Squatting

Early 1990s was the wild west
• No precedent on domain name disputes
• Speculation and infringement ran rampant

UDRP – Uniform Domain Name Dispute Resolution Policy
• Created by ICANN in 1999
• Implemented by WIPO – World Intellectual Property Organization
• Provides a framework; but does not prevent infringement

Anticybersquatting Consumer Protection Act
• Took effect on November 29th, 1999
• Provides a legal remedy and recovery of monetary damages

Low cost of domain registration continues to drive infringement


Example Disputes

Julia Roberts (juliaroberts.com)


Typo Squatting Analysis

Mistakes include:
• Missing the first ‘.’ delimiter: wwwmittromney.com
• Missing a character in the name (t): www.mitromney.com
• Hitting a surrounding character (r): www.mitrromney.com
• Adding an additional character (t): www.mitttromney.com
• Reversing two characters (im): www.imttromney.com
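As an added example (not from the original deck), the Python below generates the five classes of typo variant listed above for a domain label and checks a constructed list of observed registrations against them, the way a brand-monitoring script for your own domain would. The QWERTY adjacency table and the sample registrations are assumptions made for this example.

```python
# Keyboard neighbours for the "hitting a surrounding character" class.
# Row-adjacent QWERTY keys only: an assumption made for this example.
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

def adjacent_keys(ch):
    """Keys immediately left/right of ch on the same QWERTY row."""
    for row in QWERTY_ROWS:
        i = row.find(ch)
        if i != -1:
            return [k for k in (row[i - 1:i], row[i + 1:i + 2]) if k]
    return []

def typo_variants(label, tld="com"):
    """Map each typo hostname to the mistake class named on the slide."""
    variants = {}
    # Missing the first '.' delimiter: wwwmittromney.com
    variants[f"www{label}.{tld}"] = "missing dot"
    for i, ch in enumerate(label):
        # Missing a character in the name
        variants[f"www.{label[:i]}{label[i + 1:]}.{tld}"] = "missing character"
        # Hitting a surrounding character
        for k in adjacent_keys(ch):
            variants[f"www.{label[:i]}{k}{label[i + 1:]}.{tld}"] = "adjacent key"
        # Adding an additional (doubled) character
        variants[f"www.{label[:i]}{ch}{label[i:]}.{tld}"] = "doubled character"
        # Reversing two neighbouring characters
        if i + 1 < len(label) and ch != label[i + 1]:
            swapped = label[:i] + label[i + 1] + ch + label[i + 2:]
            variants[f"www.{swapped}.{tld}"] = "transposition"
    variants.pop(f"www.{label}.{tld}", None)  # never flag the genuine name
    return variants

def flag_registrations(label, observed, tld="com"):
    """(hostname, class) for observed names that are typo variants of label."""
    candidates = typo_variants(label, tld)
    return [(host, candidates[host]) for host in observed if host in candidates]

# Constructed sample of registered hostnames (not real WHOIS or zone data).
OBSERVED = [
    "wwwmittromney.com",
    "www.mitromney.com",
    "www.mitrromney.com",
    "www.mitttromney.com",
    "www.imttromney.com",
    "www.mittromney.com",  # the genuine name, must not be flagged
    "www.example.com",
]
```

Calling flag_registrations("mittromney", OBSERVED) returns the five squatted names with their mistake class and leaves the genuine name and unrelated domains unflagged; in practice the observed list would come from a zone file or registration feed.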


Typo Squatting – August 2007



Typo Squatting – February 2008



Example Registered Typo Sites



Example Registered Typo Sites



Example Registered Typo Sites



Example Registered Typo Sites



What you see might not be true..



Security Highlight – Zero Day Attack

A zero-day (or zero-hour) attack or threat is a computer threat that tries to exploit unknown, undisclosed or unpatched computer application vulnerabilities. The term Zero Day is also used to describe unknown or Zero day viruses.


Environment, Attacker, Target



Environment Property

World Events

Political and Cultural Environment
• Significant Events
• Resultant China/US “hacker war”

Patriotism

Cultural: “Right” to hack

Safety behind the monitor


Attack Capability Analysis

‘Natural’ Nation State Resources
• Finance
• Capabilities (exploit and mapping)
• Other pre-existing intel capabilities

Nation States
• N.Korea / China (for example)


Attack Motivation Analysis

Nation State Coercion
• Voluntary
  • Inspire attacks via nationalism
  • Turn a blind eye towards activity
  • Refuse to cooperate with international investigations
• Mandatory
  • Issue “orders” to attack


Threat Spectrum

So how urgent is the threat?

• Terrorist broadcasting of intentions
  “In a matter of time you will see attacks on the stock market. I would not be surprised if tomorrow I hear of a big economic collapse because of somebody attacking the main technical systems in big companies.” – Sheikh Omar Bakri Muhammad

• Cultural conceptions in time
  • Acknowledgement of the potential capability does not mean an attack will occur in the near term


Omar Bakri Muhammad - Profile



What might the attack look like?

Increase or augment the impact of a physical attack

Attack supporting infrastructures (telecom, medical, transportation, power, etc.)

Attack complementary infrastructures (finance, national airspace systems)


Cyberwar



Summary of Types of Attacks

• Physical
  • Lowest paid employees have greatest accessibility to our systems

• Social
  • People tend to trust people

• Network
  • What you can’t see can hurt you


Physical

• Attack
  • People paid to look the other way, theft
    • >$120 billion loss in employee fraud for 2000
  • Disgruntled ex-employee/spouse
  • Distractions for support staff (sugar in tank)

• Defend
  • Encrypt the system and laptops
  • Do secure remote backups
  • Use biometric identification


Malaysia Car Thieves Steal Finger



Social

• Attack
  • Giving false credentials to reset password
  • Forged email, trojan attachment
    • 37% of people surveyed would read email entitled “ILOVEYOU” and launch the attachment
  • Claim from help desk, get root on desktop

• Defend
  • Do not give passwords over the phone
  • Exit interview, removal of authorization
  • Challenge strangers for ID
  • Do callback to main number for verification
  • Sign email, do not allow attachments

Passwords = Socks ??



Network

• Attack
  • Eavesdropping
  • Data modification
  • Identity spoofing
  • Password based attack
  • Denial of Service (DoS)
  • Man-in-the-middle
  • Wireless cracking
  • Sniffer attack
  • Application layer attack


Network

• Defend
  • Do not allow non-job/untrusted applications
  • Harden passwords or use biometrics
  • Proactive scanning of subnets, security audits
  • Enforce security policies regardless of status
  • Do not give users administrative rights


Conclusion

Security
• Is like an onion
  • The more layers a hacker is required to peel, the more they’re liable to cry & move on

• Should not be an afterthought
  • If it is not designed in, it’s tacked on

• Should be proactive, not retroactive
  • Better to do fire prevention than smoke inhalation


Questions & Answers


Thank You
