Top 5 Security Trends for 2010
Noa Bar-Yosef, Security Research Engineer, Imperva

Imperva Background
Focuses on Application Data Security and Compliance
Application Defense Center (ADC)
  + Research organization headed by Amichai Shulman
  + Security analysis
  + Vulnerability discovery
  + Compliance expertise
  + Threat research
  + Education

Agenda
Scorecard for 2009 Security Trends
2010 Top Security Trends
  + Emerging threats, vendor security notification policies, and new security tactics
  + Strategies to mitigate today’s security threats
Q&A

Scorecard for 2009 Security Trends

     Trend                                                 Score
  1  Disclosure becoming irresponsible                     A-
  2  Economics to affect threat level                      A
  3  Surge of cloud related threats                        C
  4  Evolution of automated attacks                        A+
  5  Increased threat to business applications (e.g. SAP)  C
  6  Proliferation of CSRF                                 D

#1 – The Industrialization of Hacking
Hacking is becoming a profitable industry
The foundations of any industry can be identified within hacking
  + Building layered roles (supply chain)
  + Horizontal expertise
  + Resource optimization
  + Automation
Individual or political hacking hasn’t ceased, but it has become a secondary threat

The Industrialization of Hacking – Layered Roles
Detect vulnerabilities and develop exploits
  + Hardcore “hackers” with strong technical capabilities
  + Keep clean of actual targets
  + Provide the building blocks for others
Grow botnets
  + Groups devoted to controlling as many zombies as possible
  + Complex operations (will discuss later)
  + Provide zombies from the botnet for use by perpetrators

The Industrialization of Hacking – Layered Roles (cont.)
Exploit targets
  + Groups that make use of zombies for various purposes
  + Send spam
  + Collect data
  + Inflict DoS
Consumers
  + Monetize information
    – Credit card fraud
    – Identity theft
  + Advertise through spam
  + Blackmail

The Industrialization of Hacking – Resource Optimization
“Nothing is thrown to the garbage”
Each workstation or application, once compromised, is exploited in one way or another as part of the industrial food chain
Compromised applications
  + Direct value (fund transfer, credit card information, etc.)
  + Indirect value (credentials to other systems)
  + Malware distribution
  + Blackhat SEO
  + Command & Control

The Industrialization of Hacking – Resource Optimization (cont.)
Workstations
  + Keylogger for grabbing credentials
  + Specialized malware for man-in-the-browser attacks
  + General purpose Trojan to use as part of a botnet
  + Relay into internal networks

The Industrialization of Hacking – Automation
The core of the industrial process – growing botnets and exploiting targets – is mostly automated
Selecting target applications through search engines
Compromising applications using captured zombies
  + Configuration and commands distributed through forums and web pages
Sometimes the compromise is through search engine abuse

The Industrialization of Hacking – Automation (cont.)
Templates and kits exist for everything
  + Remote file include
  + Phishing of various applications
  + Botnet client (ASPROX, Zeus, Clampi, etc.)
Looking at the numbers from attack campaigns clearly shows the power of automation
  + Last month we heard of 132K sites compromised in one campaign
  + We tracked a similar campaign 3 weeks prior and saw the same flaw exploited in the same way over hundreds of sites
Techniques are becoming more sophisticated
  + Randomized DNS in order to avoid C&C hijacking

The Industrialization of Hacking – Our Advice
We are no longer fighting the script kiddies or sporadic hacking attempts – we are fighting Hackers Inc.
Cannot hide from the problem.
  + Small and large applications alike
  + Servers or workstations
  + It’s not personal.
Smaller organizations
  + Must start paying attention to application security
  + Either directly or through their hosting providers
Organizations must look for tools to help them detect and mitigate automation properly

#2 – From Application Security to Data Security
The 90s were all about network related security problems (connecting enterprise networks to the Internet) and network security solutions (Network Firewall)
Throughout this decade we’ve seen a shift of activity towards web application attacks
  + Network security becomes a commodity and network attacks are harder to execute
  + At the turn of the century eCommerce and online services took a steep climb. Attacker motivation increases as applications expose more information and more functionality.
  + It is far easier to access data through applications designed to manipulate it

From application security to data security – Web Application Security is No Longer Enough
Internal threat still prominent
Many internal applications are not web based
Web application security can be effectively applied to major internal applications but not all of them
Many times internal users have (authorized) direct access to the database
Once data from an application flows into a workstation it’s on the loose
Regulations require that specific types of data be tracked

From application security to data security – Continuous Data Security
Track access to sensitive and regulated data throughout its lifecycle
Basic information lifecycle
  + Most sensitive and regulated data can be traced back to structured storage (SQL databases)
  + Sensitive information may be transformed into unstructured format and placed in document storage and management systems (file shares, MS Sharepoint, EMC Documentum)
  + Data is processed in workstations and may leave the enterprise boundaries through email, WebMail, file transfer and physical media

From application security to data security – Our Advice
Controls around individual data repositories
  + Database access monitoring
  + File activity monitoring
Controls to track data in process
  + Next generation of DLP products
  + Integrate with DRM
Collaboration between data security products
  + Policies expressed in terms of information type based on content, rather than table and file names
  + Track specific pieces of information as they leave the database, flow through web applications, are transformed into files and flow through outgoing channels.

#3 – Social networks expose larger societies
Past: Specific parts of the population
  + Young adults of the Internet generation
Today / Future: Everyone and their dog have a Facebook account
  + Younger, immature audience – Kids making their first steps into the virtual society
  + Conservative adult community – People who otherwise have very conservative web access behavior
  + Senior community – People whose trust models are deeply rooted in the old world (my grandmother)

Social networks expose larger societies – Pandemic Threats
There are three distinctive pillars to social networks that make them a perfect fit for online pandemic threats:
  + Huge crowds
  + Inherently expose personal information
  + Built-in mechanisms for implicit and explicit trust generation between loosely coupled individuals
Attackers can push their “merchandise” to larger unsuspecting crowds with higher than ever success rates
  + Use the implicit trust
  + Abuse the abundance of personal information to create more trust

Social networks expose larger societies – The Evolution of an Octopus
Social networks are becoming social platforms
  + Integrating MMORPG (e.g. Farmville), 3rd party apps
  + More opportunities for trust abuse – ClickJacking through Farmville gifts
  + Less control over the robustness of integrated applications
Integrating social networks into other domains
  + Google, Bing and Yahoo! integrating Twitter and Facebook results
  + Promoting malware just became much easier!
Social networks expose larger societies – The Evolution of an Octopus (cont.)
Integrating social networks into enterprise
  + HR systems, CRM systems
  + Creating a Mobius strip of information, mixing internal and external trust

[Sample email shown on the slide:]
Dear John,
We'd like your help to spread the word about our open jobs. If you follow the link below and install this application on your Facebook profile page, your friends will be able to see, apply and forward our jobs. The best part is that if your friend, or a friend of a friend, applies for a job and is hired, you will automatically get credit for the employee referral through Jobvite. You will be eligible for the referral bonus.
To install the application, please follow this link: here
Best regards,
Sue

[A second sample email on the slide survives only in part: “To install the application, please follow this link: here … Best regards, Douglas”]

Social networks expose larger societies – Our Advice: Redefining Trust
Social networks are all about novelty
  + We can expect them to rush new features out at the expense of security
  + As more 3rd party apps are created we cannot expect those to consider any security at all
We need tools to help us evaluate trust in huge, dynamic, virtual societies
  + These are starting to show up as research projects or initial offerings from various vendors
Security tools and policies should be able to build on these trust systems

#4 – Credentials are the New Credit Card Numbers
Dramatic surge in the number of data compromise incidents
  + Credit card numbers
  + Personal details
Price levels per single stolen record are constantly dropping
  + Attackers are looking for more profitable targets
We clearly see an increased level of activity around hacking user credentials for online applications

Application credentials are the new CCNs – Motivation
Credit card numbers are harder to monetize
  + Need to purchase goods and cash those out
Personal details are even harder to monetize
  + Cannot be used in masses
  + Require additional fraud (involving identity theft)
The premise of application credentials
  + Easier to monetize
  + Higher value per record

Application credentials are the new CCNs – Motivation (cont.)
Financial applications
  + Can be easily converted into hard cash through online transactions (fund transfers, stock trading, etc.)
Enterprise in the cloud (SalesForce.com, GoogleDocs, etc.)
  + Access to sensitive commercial information
  + Can be traded for money, used for fraudulent transactions and even blackmail
Web mail
  + Direct access to personal details
  + Further access to the above mentioned applications
  + SPAM

Application credentials are the new CCNs – Tools of the Trade
Keyloggers
  + Cleartext passwords
  + Once a computer is infected, quality data is flowing in
  + Requires massive infected botnets
Phishing attacks
  + Cleartext passwords
  + Low quality data
  + Low success rates
Application compromise (e.g. SQL injection)
  + Sometimes digested passwords that need further cracking
  + High quality data
  + Huge numbers

Application credentials are the new CCNs – Our Advice
Protect your web facing applications
  + Defeat attacks
Store digested passwords
  + Defeat exposure in case of compromise
Use safe password recovery procedures
  + Avoid automatic leveraging of another compromise
Include two factor authentication
  + When possible

#5 – Proactive Security
To date the security concept has been largely reactive
  + Wait for a vulnerability to be disclosed
  + Create a signature (or some other security rule)
  + Cross reference requests against these attack methods, regardless of their context in time or source
As a consequence security decisions are becoming more difficult and resource consumption (machine as well as human) is growing
  + Distinguishing “bad” requests from “good” requests based on request content alone becomes more difficult and more time consuming
  + Not only machine resources but also human resources, as more decisions cannot be taken automatically
  + This is completely inadequate in a world of growing attack rates

Proactive security – Tired of Being a Sitting Duck?
Rather than waiting to be attacked, security research teams start to proactively look for attacker activity as it is being initialized over the network
Traditionally used for longer term research, proactive intelligence operations can be used for immediate security value:
  + Identify compromised computers being actively exploited to launch attacks
  + Quickly identify attack campaigns at their early stages
  + Discover 0-day vulnerabilities in the wild rather than in the lab
  + Identify targets of upcoming attacks in advance

Proactive security – Military Intelligence is a Contradiction in Terms*
There are different techniques for gathering timely intelligence
  + Some techniques, especially related to the SPAM domain, have already been in use for a couple of years
Some techniques are based on a network of sensors. Three basic types of sensors:
  + Setting up targets for attacks (fake web applications, mailboxes to receive spam, etc.)
  + Setting up communication channels for use by attackers (anonymous proxies, TOR relays)
  + Network sniffers in strategic locations
  + Tap into C&C servers
*Groucho Marx

Proactive security – Military Intelligence (cont.)
Other techniques are more laborious
  + Reverse engineering of new malware to identify C&C servers
  + Hijack domain names intended for use by botnets
  + Tap into hacker discussions in forums and
Existing projects and commercial offerings for various types of threats (sample):
  + Dshield (general reputation for IPs)
  + ShadowServer (botnet oriented)
  + Cyveillance (phishing and compromised servers)
  + Project Honeypot (spam related)

Proactive security – Our Advice
Engaging in proactive security requires substantial research resources – don’t expect to do it yourself
Some solutions (mainly around endpoint security) are incorporating data obtained through proactive security
The next generation of enterprise solutions will include integration of data obtained from proactive security projects and providers
Add proactive security to your wish list when looking at enterprise solutions

Security Trends that just missed the Top 5

Questions & Answers
ADC Data Security Webinar Series
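The advice under trend #4, “store digested passwords” so that an application compromise (e.g. SQL injection) yields digests that still need cracking rather than usable logins, as an added example that is not part of the Imperva deck. It uses PBKDF2-HMAC-SHA256 with a per-user random salt; the iteration count, record layout, user names and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed parameters for this example; tune the iteration count to your hardware.
ITERATIONS = 200_000


def digest_password(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Return what the application should persist: algorithm, iteration count,
    per-user random salt and the digest. The cleartext password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iter": ITERATIONS,
            "salt": salt.hex(), "digest": dk.hex()}


def verify_password(record: Dict[str, object], candidate: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, then compare
    in constant time so the comparison itself does not leak how much matched."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(str(record["salt"])), int(record["iter"]))
    return hmac.compare_digest(dk, bytes.fromhex(str(record["digest"])))


def leak_yields_logins(table: Dict[str, Dict[str, object]]) -> bool:
    """Model the deck's 'application compromise' case: if this user table were
    dumped, would any row contain a password an attacker can log in with directly?"""
    return any("password" in row for row in table.values())


# Constructed sample user tables: the weak (cleartext) store beside the digested one.
CLEARTEXT_USERS = {"alice": {"password": "correct horse battery staple"}}
DIGESTED_USERS = {
    "alice": digest_password("correct horse battery staple"),
    "bob": digest_password("correct horse battery staple"),  # same password, distinct salt
}
```

Because each user gets a fresh salt, two users sharing a password still produce different digests, so a leaked table cannot be attacked with one precomputed lookup for everyone.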