
Cyber Security Issues and Challenges

Roger Cressey
Sharm el Sheikh, Egypt
April 12, 2012

Ready for what’s next.

This document contains Booz Allen Hamilton Inc. proprietary and confidential business information.
At Booz Allen, we focus on delivering results for clients in over 40 countries across multiple domains

Who We Are ...
• One of the oldest, largest and most experienced strategy and technology consulting firms
  – Founded in 1914
  – 25,000+ professionals
  – $5 Billion in Annual Sales
• Our business model is driven by global industry practices emphasizing industry expertise to better serve clients
• We bring a global perspective — have served clients in over 40 countries
• We are not aligned with any other integration firms or software vendors – we bring an objective and independent viewpoint to all of our clients

What We Do ...
• With deep expertise in both strategy and technology, Booz Allen transcends conventional categories of consulting
• Booz Allen teams work together with clients to help them succeed... through the continual interplay of insight and action, producing results that endure tomorrow
• Booz Allen delivers end-to-end strategy-based transformation solutions through multi-disciplinary skills… and through our industry expertise which spans virtually every major industry sector

Mission: Booz Allen combines strategy with technology, and insight with action, working with clients to deliver results today that endure tomorrow

This document includes Privileged and Confidential information that shall not be disclosed outside of Booz Allen Hamilton and shall not be
duplicated, used, or disclosed—in whole or in part—for any purpose other than to evaluate these discussions.
The significant increase in the sophistication and frequency of cyber
attacks (public and non-public) presents material risks to organizations

Cybersecurity Risk Landscape


Most organizations are only prepared to
handle a fraction of actual security concerns

Threat Sources
• Insiders
• Criminals
• State Actors
• Hacktivists
• Individuals

Vulnerabilities
• Hyper-interconnectivity of information systems
• Rapid technological infrastructure expansion
• Undefinable business perimeter
• Unprepared corporate workforce and culture
• Dissimilar security models applied across the enterprise

Unprecedented Risk
• Intellectual property theft
• Monetary losses
• Operational disruptions
• Company devaluation
• Customer suits
• Media publicity
• Brand degradation
• Environmental issues
• Regulator intervention

Representative Cyber Attacks
• Night Dragon (2011): Covert and multidimensional cyber attacks conducted against global oil, energy, and petrochemical companies; endangers critical infrastructure
• Lockheed Martin (2011): Perpetrators infiltrated major network linked to Departments of Defense and Homeland Security
• RSA (2011): Computer-security breach against SecurID tokens victimized over 760 companies worldwide
• Citibank (2009): Alleged nation-state attack targeting Citigroup that resulted in a theft of tens of millions of dollars

A variety of cyber threat actors have emerged over the recent years that target
the vulnerabilities across cyber programs worldwide

Threat Sophistication: Low → High (APT)

Individuals/Amateur Hackers
• Capabilities: Website defacement, Denial of Service (DoS), Phishing scams
• Intentions: Indiscriminately selected companies and/or organizations
• Consequence: Nuisance, disruptions of business operations
• Estimated Loss (1): —

Hacktivists (e.g. Anonymous, LulzSec)
• Capabilities: Website defacement, Distributed Denial of Service (DDoS), web-based attacks, SQL injection
• Intentions: Selected company and organizations’ operations, brand, and reputation
• Consequence: Disruption of business operations, reputational loss
• Estimated Loss (1): $171 million (single case)

Cyber Criminals
• Capabilities: Viruses, worms, trojans, malware, botnets, web-based attacks
• Intentions: Personally Identifiable Information (PII) (e.g. SSNs, credit card numbers, health records), proprietary information
• Consequence: Customer financial loss, company financial loss, reputational loss, lost productivity
• Estimated Loss (1): $5.9 million per year per organization

Insiders
• Capabilities: Physical access to transmit, download, or copy information
• Intentions: Trade secrets, proprietary, sensitive, or classified information
• Consequence: Loss of economic competitive advantage, increased foreign competition
• Estimated Loss (1): $20 million (single case)

Nation-states
• Capabilities: Remote access tools (RAT), custom exploits, spear-phishing, zero-day exploits
• Intentions: Trade secrets, proprietary, sensitive, or classified economic and/or national security information
• Consequence: Loss of national economic competitive advantage, increased foreign competition, loss of national security secrets
• Estimated Loss (1): $2-$400 billion

(1) Costs are UNITED STATES ONLY and based on disparate data, individual cases studies, and broad estimates
Sources: “Foreign Spies Stealing US Economic Secrets in Cyberspace.” Office of the National Counterintelligence Executive. October 2011 ; “Second Annual Cost of Cybercrime Study.”
Ponemon Institute. August 2011; “Sony Data Breach Cleanup to Cost $171 Million.” Information Week. May 23, 2011.

APTs constitute a mature attack and introduce
a new paradigm of cyber security threats
Basic
• Examples:
  – Generic phishing scams
  – Attacks against organizations with little-to-no security – weakest in the herd/opportunistic approach
  – Cyber techniques available on internet/open source
• Types of Attackers: Amateur hackers; Scam artists
• Maturity Level: Simple, easily accessed tools, done by amateur hackers and not particularly targeted

Advanced
• Examples:
  – Distributed Denial of Service
  – Targeted private data extraction
  – Extortion as motive
  – Customized tools
  – Developed techniques
• Types of Attackers: Extortionists; Mature cyber criminals
• Maturity Level: Technically mature, developed by advanced individuals or teams, but not coordinated or targeted

APTs
• Examples:
  – Highly sophisticated adversaries who can bypass virtually all of today’s “best practice” security controls
  – Primary goal is long-term, persistent occupation for data theft, intelligence espionage, and other malicious activities
• Types of Attackers: Nation states; Sophisticated adversaries
• Maturity Level: Sophisticated, planned over long periods, extremely complex, and targeted
Because APTs are targeted at one specific organization, they must be treated as primarily agent-oriented (people) problems
APTs Differ from Traditional Threats in Two Significant Ways

APTs are Persistent (Targeted)
• Underlying cause of APTs is desire to acquire assets from or disrupt a single organization
• Because of high cost of mounting an APT attack, only large, highly-influential organizations are typically targeted
  – Target of high strategic value to attacker
  – Attackers typically well-funded, organized
• Attackers will not use commodity attacks: will find and breach any potential vulnerability
  – Many APT entry-points are social in nature
• Must consider APTs as an actor threat requiring a comprehensive mitigation strategy

APTs are Advanced
• Because attackers are interested in breaching a specific organization regardless of cost, most technological attacks are highly-customized
  – Attacks tend to be over multiple vectors and sometimes crafted around 0-day exploits
  – Traditional signature-based detection (AV and IDS) is generally ineffective
• Given a breach, because APTs are agent-oriented threats, simply patching the technology is insufficient
  – If organization remains unhardened, attacker will simply craft new payload
  – Traditional cyber security focuses mainly on technological vulnerability, not the attacker: will not work for APTs

Because attackers are persistent during an APT, attacks are advanced (i.e. many vectors, complex)
APTs make a significant investment in their target and will vary and
escalate their techniques and not move on to another victim
Notional APT Approach
1. Adversary collects non-traditional attack information
2. The adversary creates a highly socialized, targeted e-mail message that potentially contains previously unknown malicious code – spear phishing
3. If phishing attempt successful, the adversary immediately connects to the victim’s workstation
4. The adversary will quickly install additional channels to ensure access to the internal network
5. The APT will quickly entrench themselves at the enterprise level
6. Data is collected and exfiltrated from the network

Network Compromised: There is no “typical” APT approach… attackers will keep trying until they gain network access
Your opponent is a determined individual or organization, not a technology
Organizations with sensitive data need to be especially wary of APTs: marginal improvements in traditional security are not enough

Target: 2008: Large Oil Companies
• Motivation: Attackers sought valuable data about new discoveries of oil deposits (this data can cost hundreds of millions of dollars to produce)
• Result: Companies unaware of extent of attack until alerted by FBI; APTs had been persistent since 2008 and actively exfiltrating e-mails and passwords of senior executives

Target: 2010: Sophisticated Technology Companies
• Motivation: Attackers sought persistent access to cutting-edge intellectual capital
• Result: Chinese attackers successfully exfiltrated sensitive data from Google, Adobe, Yahoo, Dow Chemical, and Symantec (a leading manufacturer of computer security products) servers

Target: 2010: Stuxnet
• Motivation: Attackers sought to disrupt critical industrial infrastructure, specifically targeting nuclear facilities
• Result: Attackers successfully infiltrated several nuclear sites and damaged uranium enrichment facilities; cited as one of the most refined pieces of malware ever discovered, experts believe only a nation state would be able to produce it
Because of the high level of sophistication, traditional cyber
remediation techniques are insufficient to address the technological
risks posed by APTs
Traditional Remediation Techniques Under APTs

Password Reset
• Traditional Remediation on Traditional Threats:
  – Attackers have procured user passwords and have active access to user accounts
  – Password reset removes access to accounts
• Traditional Remediation on Advanced Persistent Threats:
  – Password reset temporarily removes access to accounts
  – Attackers utilize shared accounts to discover changed passwords
  – Attackers have active access to user accounts again

Anti-Virus
• Traditional Remediation on Traditional Threats:
  – Attackers have planted common attack vectors on organization computers
  – Anti-viral software detects and removes such vectors
• Traditional Remediation on Advanced Persistent Threats:
  – Anti-viral software unable to detect custom-created exploits
  – APTs require custom-crafted detection and removal solutions

Network Security
• Traditional Remediation on Traditional Threats:
  – Organization enacts strict firewalls and network security to exclude external traffic
  – Internal access controls prevent wide data breaches
• Traditional Remediation on Advanced Persistent Threats:
  – APTs planted internally already open holes through firewall and network security
  – Attackers have access to user accounts, bypassing internal access controls

Organizations must immediately take mitigation steps to
specifically discover and protect against APTs
APTs require a fundamentally different approach from typical cyber threats. Organizations need to create strategic, comprehensive mitigation plans now.

Unique Attributes of APTs (compared to typical cyber threats)
• Advanced
  – New paradigm: multiple vectors, custom-crafted
  – Undetectable and unpreventable by normal remediation techniques
  – Beat best practices
• Persistent
  – APTs are highly targeted: attacker will not relent even if an attack fails
  – Attackers will find and breach any vulnerability, including social ones
• Targeted
  – Victim is chosen based on political, financial, and security interests
  – Individuals are targeted

Future APT Trends (predicted on past performance)
• Increasing Complexity
  – Complexity of attacks is high and constantly increasing
  – Even best-of-class security companies (e.g. Symantec) are currently vulnerable
• Increasing Multitude
  – Number of attacks is increasing exponentially
  – The number of groups that make good targets is expanding

Recommendation
• A new remediation approach is needed: APTs are fundamentally different from traditional cyber threats
• All organizations, especially ones with globally-sensitive data, need to create a remediation approach: APTs will not go away
• Risk analysis required to determine “am I a target?”

Threat/Risk Landscape

The Advanced Persistent Threat (APT) is a new level of threat sophistication that bypasses virtually all leading cybersecurity practices

The APT Challenge
• Advanced
  – New paradigm: multiple vectors, custom-crafted
  – Undetectable and unpreventable by normal remediation techniques
  – Defies typical best practices
• Persistent
  – APTs are highly targeted: attackers will not easily relent even if a counterstrike is launched
  – Attackers will find and breach any vulnerability, including social and organizational ones
• Targeted
  – Victim organization is selected based on political, financial, and security interests
  – Individuals are targeted
• Increasing Complexity
  – Complexity of attacks is high and constantly increasing
  – Even best-of-class security companies (e.g., Symantec) are currently vulnerable
• Increasing Multitude
  – Number of attacks is increasing exponentially
  – The targets of attacks are increasing
• Cost of Entry
  – Technology is getting cheaper and the cost for nation states or organized crime to fund these operations has gone down
  – Lower barriers to commit cyber crime with targets of attacks steadily increasing

“Companies of all sizes that have any involvement in national security or major global economic activities should expect to come under pervasive and continuous APT attacks...” – McAfee 2011 Threats Predictions

Traditional Best Practices

Current Best Practice: APT Countermeasure
• Anti-Virus: Compile malicious code immediately before use, protect with kernel driver, run code in Windows safe mode, pack with unknown packing utility
• Vulnerability Assessments: Generally don’t rely on known system vulnerabilities, focus on mis-configured systems, non-vulnerability based targeted spear-phishing attacks, or application vulnerabilities (Adobe PDF Reader, MS Office)
• Network Firewall: Target workstations, malicious code will beacon out, establishing a TCP session, attack over an open port (80, 53, 443, or email)
• Host Firewall: Malicious code adds itself to the host firewall white list
• Two-Factor Authentication (Common Access Cards): Rootkit installed when user is logged in, then authenticate to the rootkit for future access, CAC not required for lateral movement
• Email Filtering: Send link to malicious code vice the code itself, send from trusted email account, send from trusted network
• Intrusion Detection Systems: Port 443, OpenSSL, WinRAR, other encryption
• Disabling HTML email: APTs don’t attempt to “hide” the link they are sending
• Border Monitoring: Provided border protection from external attacks
• Email Filtering: APTs don’t send attachments with .exe, .dll, .vbs extensions – they send PDFs
• Proxy Servers: HTTP header spoof - proxy server bypass
• Microsoft Patching Program: Use of undocumented vulnerabilities, little or no focus on application patching
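The Network Firewall row above notes that malicious code on a workstation beacons out over a port the firewall already allows, so a defender has to look for the regularity of the call-back rather than for a signature. The Python below is an added example, not code from this deck or from Booz Allen: it scans constructed firewall-style log lines and flags (source, destination, port) flows whose connection intervals are nearly constant; the log format, hosts, ports and thresholds are assumptions for the example.

```python
"""Periodic-beacon detection over outbound connection logs (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log lines for this example: "<ISO time> <src> <dst>:<port> <bytes>".
# Host 10.1.1.20 has one implant-like flow (every 300 s to 203.0.113.7:443, tiny payloads)
# and one human-like browsing flow (irregular gaps to 198.51.100.9:80, larger payloads).
SAMPLE_LOG = """\
2012-04-12T08:00:00 10.1.1.20 203.0.113.7:443 512
2012-04-12T08:00:05 10.1.1.20 198.51.100.9:80 14000
2012-04-12T08:05:00 10.1.1.20 203.0.113.7:443 520
2012-04-12T08:07:13 10.1.1.20 198.51.100.9:80 9800
2012-04-12T08:10:00 10.1.1.20 203.0.113.7:443 515
2012-04-12T08:12:40 10.1.1.20 198.51.100.9:80 22000
2012-04-12T08:15:00 10.1.1.20 203.0.113.7:443 518
2012-04-12T08:20:00 10.1.1.20 203.0.113.7:443 510
2012-04-12T08:21:02 10.1.1.20 198.51.100.9:80 31000
2012-04-12T08:25:00 10.1.1.20 203.0.113.7:443 522
2012-04-12T08:28:30 10.1.1.20 198.51.100.9:80 18500
2012-04-12T08:30:00 10.1.1.20 203.0.113.7:443 519
2012-04-12T09:00:00 10.1.1.21 198.51.100.9:80 4000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<bytes>\d+)$"
)


def parse_log(text):
    """Yield (timestamp, src, dst, port, bytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                   int(m["port"]), int(m["bytes"]))


def find_beacons(text, min_connections=5, max_jitter=0.1, watch_ports=(80, 53, 443)):
    """Return {(src, dst, port): (mean_gap_seconds, jitter)} for periodic flows.

    A flow is flagged when it has at least min_connections connections on one of
    the commonly allowed ports and the spread of the gaps between connections
    (population std dev divided by the mean gap) is at most max_jitter. Human
    browsing has irregular gaps and falls outside the threshold; a fixed-interval
    call-back does not.
    """
    times = defaultdict(list)
    for ts, src, dst, port, _ in parse_log(text):
        if port in watch_ports:
            times[(src, dst, port)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:  # all connections in the same second: not a cadence
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            beacons[key] = (mean_gap, jitter)
    return beacons


if __name__ == "__main__":
    for (src, dst, port), (gap, jitter) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port} every {gap:.0f}s (jitter {jitter:.2f})")
```

Real implants add random jitter to their interval, so in practice the threshold is tuned per environment and a hit is a lead for the triage and forensics steps, not a verdict on its own.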

Non-Traditional Risk Factors - Host
There are a number of traditional and non-traditional host-based risk factors that contribute substantially to your organization’s risk of threat entrenchment

− End users with local administrative access
− LAN Manager password hashes
− Shared local administrator passwords
− No proactive threat identification component
− Unmanaged and undermanaged systems
− Mobile users (especially with VPN)
− Adobe Acrobat patch level
− Web browser patch level
− Non-sourced DA accounts
− MS Office version and service pack
− No HBSS, or HBSS with no threat-specific configuration

Non-Traditional Risk Factors - Network
There are a number of non-traditional network-based risk factors that contribute substantially to your organization’s risk to a sophisticated threat

− Flat network (Layer 3)
− Flat authentication (Active Directory forests)
− Excessive lateral movement allowed
− Unproxied/unrestricted outbound access
− Unmanaged systems on the network
− Infrastructure servers with Internet access
− Little or no internal network monitoring
− Internally hosted public websites
− Weak authentication VPN
− Lack of proactive threat identification program
− Poor Active Directory design and management

The preeminent organizational cyber challenges of 2012 consist
of a blend of technical and organizational issues
Hypotheses on Top Cybersecurity Program Challenges

1. Threat Management
• Abundance of sensors and data available; not enough analytics
• Monitoring capabilities need to be more inclusive of the threat environment
• Threat intelligence and analysis needs to be broader / more relevant

2. Information Risk Management
• Control selection/implementation not risk-based in divisions/regions
• Identified ‘cyber risks’ are narrowly focused on technology
• Lack of interdependency analysis in risk management processes

3. Infrastructure Security
• Attackers / malicious code can move laterally throughout enterprise
• Infrastructure security budget insufficient compared to growth
• Expanding use of insecure mobile devices

4. Application Security
• Massive global penetration of programmable logic controllers (PLCs) and other software-controlled products
• Secure software/products soon to be competitive differentiator

5. Information Protection
• Large concentrations of sensitive data exist outside of well-protected environments
• Sensitive information often flows across inadequately protected channels
• Unsophisticated mechanisms are employed to assist and enforce end-user document labeling

6. Awareness, Training, & Education
• A more dedicated and robust cybersecurity awareness, training, and education program needed
• Internal users are not prepared for the modern threat environment
• Third parties (e.g., contractors) require more engagement

7. Communications & Engagement
• Internal change management and security consulting entities are insufficient for engaging business units
• Need for prioritization and phasing of interaction with stakeholders to address cybersecurity risks
• Customers and third parties (e.g., vendors, contractors, partners) require more enhanced engagement

8. Event Management
• Inconsistent monitoring and reporting of events or a lack of dedicated continuous monitoring capabilities
• Reporting of real-time situational views is not tailored for stakeholders across the enterprise
• Guidelines on internal and external escalation processes are not clear nor promulgated

9. Governance
• Governance is not addressed as a senior executive issue
• Inconsistent and infrequent interaction with divisions to understand business risks and requirements
• Organizational silos lead to ineffective processes / solutions

Resiliency must be integrated beyond purely technological areas, to
include policies, human capital, management, and operations

Evolving Cybersecurity Capabilities: Using an Integrated Mindset

Highlights
• Manage risk from a multidimensional perspective: Policy, People, Operations, and Management, in addition to Technology
• Lower risk and become more cost efficient
• Align cybersecurity needs to business mission
• Craft effective solutions that are not stove-piped to a single area
• Protect assets to enable business competitiveness and business reputation

Organizations need to develop all aspects of a cyber
security workforce, including:

• Leadership Development: To provide leaders with new cybersecurity competencies
• Education and Training: To create a highly skilled cybersecurity workforce
• Human Capital Management: To acquire, develop and retain cybersecurity talent
• Awareness and Communications: To create a cyber-aware, and cyber-active culture

Outcome: Strong Cybersecurity Workforce

There are 11 defined cyber roles that outline the skills and training requirements needed for a successful cyber workforce

Cyber Roles
• Cyber Intel Analyst
• Cyber Business Professional
• Cyber Policy Analyst
• Cybersecurity Analyst
• Cyber Offense Analyst
• Cyber Operations Planner
• Cyber Compliance Analyst
• Secure Software Engineer
• Cybersecurity Engineer
• Cyber Strategist
• Cyber Operations Professional

Skills Needed/Training Requirements
• Cyber Policies, Plans, & Procedures
• Cyber Program Design
• Threat Assessment
• Continuity of Operations
• Incident Response
• Certification & Accreditation
• Vulnerability Assessment
• Systems Requirements Analysis
• Secure Network Design
• Secure Application Design
• Testing
• Systems Implementation
• Secure Configuration Management

Benefits
• Establishes a common lexicon and point of reference across all human capital management activities
• Allows stakeholders to immediately identify roles, skill sets and training needs, consistently across functional areas
• Allows existing staff to easily identify with each other to facilitate the formation of communities of interest and practice

A “Dynamic Defense” approach will meet today’s need for resiliency by
establishing a network of integrated processes, technologies, and people

(Diagram: the four areas below surround Risk Informed Response Decisions, linked by the cycle labels Situational Awareness, Actionable Insights, Best Practices, and Lessons Learned; Mitigation is the output)

1. Threat Vector Intelligence – Gather insights on adversary threats, intentions, and capabilities
• All-source analysis
• Indications of “early warning”
• Threat education
• Support to operations, planning and institutional cybersecurity programs

2. Rapid Response – Find and react to adversarial threats
• Recognize attack
• Conduct triage
• Perform forensics
• Respond to attack
• Recover/reconstitute

3. Evolutionary Response – Design capabilities to counter adversarial threats
• Capability maturity evolution
• Vulnerability assessment
• Trade-off analysis
• Operational planning
• Exercises/M&S
• Strategic road-mapping

4. Integrated Remediation – Build/implement better systems and constructs to keep adversaries out
• Policy
• Operations
• Technology
• Management
• People

Contact Information

Roger Cressey
Senior Vice President

Booz Allen Hamilton


McLean, Virginia

USA

+1 703 9841421
Cressey_roger@bah.com

