Cyber Crime's New Era: Protecting Your Company from the Criminal Exploitation of the Internet
John Frazzini
Secure Systems Integration Corporation

Agenda
Overview of the Cyber Threat Landscape
• Geopolitical threats: China and Asia; Russia and the former Eastern Bloc; pro-Islamic groups; cyber-terrorism and pro-terrorist groups
• Technical threats: malicious code; Web application security
• Future threat trends: convergence of geopolitical activity and technical threats
• Industry trends?
• What can you do?

What do you determine to be the most significant cyber threat to your enterprise?
1. Cyber crime
2. Malicious code activity
3. Insiders
4. Support for security initiatives
[Audience-response chart]

Pro-China Hacking
• China Eagle Union: possibly the largest organized hacker group in the world; branches all over China; hundreds of core members; possibly thousands of supporters
• Most are highly nationalistic and revel in their support of government policies
• Many seek to do something "great" for China and to become part of the elite
• View real or perceived "slights" against China very seriously; Japan and the US are the likely primary targets around key dates (e.g. anniversaries, national holidays)

Former Soviet Union and E. European Criminal Elements and Hacking
• Hacker culture in the former Soviet Union (FSU) is very extensive and complex
• Reported large-scale bank frauds in the FSU using hackers and corrupt insiders
• Many Russian organized crime groups are believed to have "computer departments" with professional hackers
• Stolen credit card hacking ("kreditki") is huge in the FSU, with bazaars for hacker-carders
• Use of fake Internet shops is widespread; also spam and pornography geared to lure victims
• Alleged sophisticated hacker attacks against some ATMs in the FSU

Russia: "The Stealth Group"
• A hacker "sect", the first of its kind in the world, dedicated to authoring destructive viruses; Stealth is a small, tight group that underwent some internal strife in 2002
• Led by LovinGOD, an anarchist with pro-terrorism views
• LovinGOD shows strong sympathy for terrorism in general and approved of 9/11
• Could make his services available to al Qaeda
• Requirements for membership: one must be anti-social (no strong ties to family or an employer) and able to write an undetectable Windows virus

Pro-Terrorist Hackers
• Prior to the Iraq war, the press indicated a "ten-fold increase" in pro-terrorist hacking
• The trend is correct, BUT the figure is a misinterpretation of some defacement data (see recent report on pro-terrorist hacking)
• Pro-terrorist defacements began to rise sharply in October 2002
• A better trend indicator for pro-terrorist defacement attacks is monitoring the .il domain (primarily anti-Israel defacements)

Hacker Culture: Brazil
• Very active hacker population
• Hundreds of .br hacker-related websites
• Many of the most prolific defacers are Brazilian
• Brazil Hackers Sabotage (BHS) has defaced thousands of websites globally
• BHS is a top-tier defacement group in the world, according to the defacement-tracking website Zone-H

Emerging Technical Threats: Malicious Code
• Slammer was only a proof of concept: no payload, but it spread globally in 10 minutes
• Blended threats infect multiple platforms in various ways; Warhol worms will spread very quickly
• Unpatched/unknown vulnerabilities: usually predate the automated attack worm (Code Red, Nimda, etc.)
• Highly targeted services: DNS (BIND), HTTP and HTTPS (Apache, IIS, OpenSSL), SSH, SQL (Slammer)

Emerging Technical Threats, II: Web Application Security
• Generally, the Web application is the easiest way to penetrate a network and gain access
• Typical point security solutions (firewalls, IDS, etc.) are not effective at detecting or preventing Web application attacks
• IDS is not well developed for the latest Web application attacks
• SSL does nothing to protect against these attacks
• SQL injection, cross-site scripting, poor user session management

Emerging Technical Threats, III
• Cross-site scripting (XSS)
• SQL injection
• All relatively easy to exploit
• Can result in an online user's Web application account being hijacked and data being compromised
• Fairly high-profile press cases: Hotmail.com, Yahoo.com, Verizon, etc.
• Prevalent disclosure on security mailing lists

"Warhol Worms"
• It is well known that active worms such as Code Red and Nimda have the potential to spread very quickly, on the order of minutes to hours
• Hyper-virulent active worms are capable of infecting all vulnerable hosts in approximately 15 minutes to an hour
• "Warhol worms" use optimized scanning routines, hitlist scanning for initial propagation, and permutation scanning for complete, self-coordinated coverage, and could cause maximum damage before people could respond
• The potential mayhem is staggering

What priority does your organization give to security?
1. Very high
2. High
3. Somewhat
4. Not a priority
[Audience-response chart]

How effective is the response?
• Past: technological solutions have been applied to this "technical" problem
• Future: people, process and technology…
• Key: effective management of cyber threats and risk

Future Trends, Threats
Last year's Sobig.f represents a significant shift
• Convergence of malicious code activity in support of mass financial criminal activity: criminal intent
• Future: more sophisticated, organized mass victimization
• Historical focus of hacking activity now transformed
• Sobig.g intent?

Who do you think is responsible for stopping cyber attacks?
1. The government
2. Independent organizations (CERT / MITRE CVE)
3. Security companies
4. You
[Audience-response chart]

Industry Trends: Two Views
"Self-Defending" Networks and Infrastructure
• Cisco's acquisition of Okena
• Juniper's acquisition of NetScreen
• Microsoft's acquisition of anti-virus capability

Industry Trends (continued)
Next Generation Solution Set
• Automated vulnerability remediation
• Security and risk management systems
• Event correlation capabilities
• Intrusion prevention systems (?)

What can you do?
Time is not on your side!
• 6 months – 100 days, on average (one year ago)
• Blaster (RPC vulnerability): 2 days probing, 5 days public exploit, 10 days fully functional exploit
• Lion Worm, 1/29/01: zero day, BIND 8 buffer overflow
• MS RPC vulnerability MS03-039: 6 days from disclosure to exploit / highly functional executable by a Trojan author

What can you do?, II
Proactively prepare for attacks
• Identify and understand how future threats will impact your infrastructure and, more importantly, your type of business. Formulate a plan to mitigate these threats before they attack.
• Formulate a proactive remediation strategy based on risk tolerance.
• Shift from total reliance on technology-based solutions to Defense-in-Depth.

What can you do?, III
Proactively prepare for attacks
• Build security into your automated business processes.
• Focus on business process solutions.
• Participate in law enforcement/government initiatives.
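The "Warhol Worms" and "Time is not on your side" slides above argue that a fast-spreading worm saturates the vulnerable population before a human-driven response can land. The following added example (not part of the presentation) makes that argument concrete with the standard logistic model of a random-scanning worm: every infected host sends r probes per second to uniformly random IPv4 addresses, and a probe succeeds only when it hits one of the still-vulnerable hosts. The vulnerable population, the scan rates, the hitlist size and the four-hour human response time are constructed assumptions, not figures from the slides; the model, not a worm, is what runs here.

```python
"""Logistic model of a random-scanning worm, used to size the defender's
response window.  Added illustration (not the presenter's material); all
parameters below are constructed assumptions for the comparison."""

ADDRESS_SPACE = 2 ** 32          # addresses a uniform random scanner picks from
HUMAN_RESPONSE_SEC = 4 * 3600    # assumed: hours to diagnose, write and push a block/patch


def simulate_worm(vulnerable, scans_per_sec, initial_infected=1,
                  dt=1.0, horizon_sec=24 * 3600):
    """Integrate dI/dt = I * r * (N - I) / 2^32 with fixed Euler steps.

    I infected hosts each send r probes/sec; a probe succeeds only if it
    lands on one of the N - I still-vulnerable addresses.  Returns a list
    of (seconds, infected_hosts) samples, stopping early at saturation.
    """
    n = float(vulnerable)
    i = float(min(initial_infected, vulnerable))
    trace = [(0.0, i)]
    t = 0.0
    while t < horizon_sec:
        new = i * scans_per_sec * (n - i) / ADDRESS_SPACE * dt
        i = min(n, i + new)
        t += dt
        trace.append((t, i))
        if n - i < 0.5:          # effectively every vulnerable host is infected
            break
    return trace


def time_to_fraction(trace, vulnerable, fraction):
    """First time (s) at which >= `fraction` of the vulnerable hosts are infected, else None."""
    target = fraction * vulnerable
    for t, i in trace:
        if i >= target:
            return t
    return None


def scenario_times(fraction=0.9):
    """Seconds to reach `fraction` saturation in three constructed scenarios."""
    n = 360_000  # constructed population of vulnerable hosts
    cases = {
        "random scan, 10 probes/s, 1 seed":      (10, 1),
        "random scan, 100 probes/s, 1 seed":     (100, 1),
        "hitlist of 10,000 seeds, 100 probes/s": (100, 10_000),
    }
    return {name: time_to_fraction(simulate_worm(n, r, seeds), n, fraction)
            for name, (r, seeds) in cases.items()}


def outpaces_response(seconds_to_saturation, response_sec=HUMAN_RESPONSE_SEC):
    """True when the worm saturates before a human-driven response could take effect."""
    return seconds_to_saturation is not None and seconds_to_saturation < response_sec


if __name__ == "__main__":
    for name, secs in scenario_times().items():
        print(f"{name:40s} 90% infected after {secs / 60:7.1f} min; "
              f"beats a {HUMAN_RESPONSE_SEC // 3600}h human response: {outpaces_response(secs)}")
```

The three scenarios differ only in scan rate and in whether propagation starts from a single seed or a pre-computed hitlist. The single-seed, low-rate case takes hours (the Code Red regime, where a patch-and-block response still matters); raising the rate tenfold cuts that to about half an hour; seeding from a hitlist brings 90% saturation down to roughly ten minutes, the "Warhol" regime, which is why the slides push automated remediation and defense-in-depth rather than manual response.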
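The Web application slides above name three weaknesses (SQL injection, cross-site scripting, poor session management) and note that firewalls, IDS and SSL do not stop them, so the fix has to be built into the application itself, as the "build security into your business processes" slide recommends. The following added example (my own illustration, not the presenter's or any product's code) shows each weakness beside its hardened form using only the Python standard library: a string-built query next to a parameterised one, unescaped next to escaped HTML output, and random, constant-time-checked session tokens. The user table, account names and passwords are constructed sample data.

```python
"""Vulnerable and hardened handling of SQL input, HTML output and session
tokens.  Added example with constructed data; not the presentation's code."""
import hashlib
import hmac
import html
import secrets
import sqlite3


# --- SQL injection: string-built query vs. bound parameter -------------------

def hash_password(password, salt):
    """Salted PBKDF2-SHA256 so the table never holds cleartext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    """In-memory users table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, pw in (("alice", "correct horse"), ("bob", "battery staple")):  # constructed
        salt = secrets.token_bytes(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, hash_password(pw, salt)))
    return conn


def lookup_vulnerable(conn, username):
    """Untrusted input is spliced into the SQL text, so it can change the query's shape."""
    rows = conn.execute(f"SELECT username FROM users WHERE username = '{username}'")
    return [r[0] for r in rows]


def lookup_hardened(conn, username):
    """Bound parameter: the driver passes the value as data, never as SQL."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [r[0] for r in rows]


def login(conn, username, password):
    """Parameterised lookup plus a constant-time comparison of the password hash."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(hash_password(password, row[0]), row[1])


# --- Cross-site scripting: reflecting input vs. escaping it -------------------

def render_vulnerable(display_name):
    """User-controlled text lands in the page as markup."""
    return f"<p>Welcome back, {display_name}</p>"


def render_hardened(display_name):
    """html.escape turns <, >, &, quotes into entities so the browser shows text, not markup."""
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}</p>"


# --- Session management: unguessable tokens, constant-time lookup -------------

def new_session(sessions, username):
    """256-bit token from the OS CSPRNG (a sequential or timestamp id would be guessable)."""
    token = secrets.token_urlsafe(32)
    sessions[token] = username
    return token


def session_user(sessions, presented):
    """Return the user for a presented token, comparing in constant time; None if unknown."""
    for token, user in sessions.items():
        if hmac.compare_digest(token, presented):
            return user
    return None


if __name__ == "__main__":
    db = make_db()
    tampered = "x' OR '1'='1"          # constructed input that alters the string-built query
    print("string-built query returns:", lookup_vulnerable(db, tampered))
    print("parameterised query returns:", lookup_hardened(db, tampered))
    print(render_vulnerable("<script>x</script>"))
    print(render_hardened("<script>x</script>"))
    sessions = {}
    tok = new_session(sessions, "alice")
    print("session lookup:", session_user(sessions, tok), session_user(sessions, "guess"))
```

The point of pairing each function with its hardened twin is that the hardened versions are no longer or slower than the vulnerable ones; the difference is entirely where untrusted data is allowed to become syntax. Parameter binding keeps input out of the SQL grammar, escaping keeps it out of the HTML grammar, and a CSPRNG token checked with compare_digest removes both guessability and timing leakage from session handling.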
What is the primary business driver for your organization signing off on security solutions?
1. It's the "right thing to do"
2. Regulatory compliance
3. Bottom-line justification
4. Just takes your word for it
[Audience-response chart]

Thank you. Questions, comments?
John Frazzini
CEO, Secure Systems Integration Corporation
jfrazzini@securesystemscorp.com