Uploaded by Itescam LD

WHAT IS CYBERSECURITY

advertisement
WHAT IS CYBERSECURITY? INTRODUCTION
Every day we hear more about cybersecurity, at the same time that we see in the media
various news about hacks, information leaks, identity thefts and other attacks and threats.
Incidents with worldwide coverage such as those of Wikileaks raise awareness about our
computer risks, but they do little to answer the big question: what should we do to have
adequate security? The purpose of this document is to answer this and other questions,
such as: What is cybersecurity?, What is the difference between cybersecurity and
computer security?, Why is it relevant to my organization?, What role do executives play in
cybersecurity?, Is it an issue that affects users, families, public organizations or private
companies?, Should we do something different from what we have been doing? To
answer these questions, we will first review some recent facts about different cyberattacks:
SOME RECENT EVENTS » February 2013. A security company has released a
comprehensive study on the intrusions that a group of Chinese hackers have made in
recent years to a multitude of American companies. The report practically attributes the
authorship to the Chinese government, through a group of hackers who are employees of
the People's Liberation Army (PLA). The Chinese government denies the evidence. »
January 2014. More than 100 million customer and credit card data are stolen from Target
department stores. The incident cost the company millions of dollars and the resignation of
the chief executive officer (CEO) and chief information officer (CIO). Throughout that same
year, several chain stores (Home Depot, NeimannMarcus, Staple and the P.F. Chang
restaurant chain among others). In most of these cases, within days of the hack, the
compromised data was sold on the black market at prices between $2 and $5 per card and
included information about the zip code or the type of purchases users typically make
(thus simplifying their fraudulent use by organized crime).
» July 2014. Another security technology company releases an article documenting the
work of the "Dragonfly" (organized crime) group that has been dedicated since 2013 to
compromising equipment and networks of energy companies in Spain, the United States,
France, Italy and Germany. The infection mechanism is through a Trojan called "Havex"
that is attached to an email that appears to be normal, and that infects SCADA
(supervisory control) and Industrial Control systems. On the same dates, and based on the
aforementioned report and the investigations of another security provider, an American
government agency publishes a Security Alert towards energy companies, explaining the
form of infection of "Havex". » August 2014. J.P. Morgan Bank suffers various attacks,
including denial of service. Nationalist Russian hacker groups claim responsibility, arguing
retaliatory actions for the US government's measures taken against Russia. » June 2015.
In an attack executed by another nation, the records of 21 million people from the U.S.
Office of Personnel Management (US-OPM) are stolen, in an incident that has been
described as one of the largest government data security breaches in U.S. history. » April
2016. The "Panama Papers" case comes to light all over the world. More than 2 terabytes
of information were obtained from the archives of the Mossack Fonseca firm by an
unknown source and given to a German newspaper who shared it, for investigation, with
400 journalists around the world. The documents detail the creation of more than 200,000
shell companies in tax havens. Among the owners are many politicians and businessmen
from around the world, including several people very close to Russian President Vladimir
Putin. These facts show us a new reality: » Today attacks are more intense » Attackers
have more resources and new motivations » Attackers are no longer just hackers and
activist groups, they have been joined by organized crime, extremist groups (including
terrorists) and even nations On the other hand, organizations have more interconnected all
their systems and, therefore, its level of technological risk is growing. In the next section,
we will review each of the above statements in more detail.
THE NEW ATTACKERS The profile of attackers has changed, organized groups are
generating targeted attacks, more complex and very difficult to discover through traditional
mechanisms. Adversaries have created a complete ecosystem that allows them to have
the capabilities and resources (economic, technological and human) necessary to move
freely. Their main motivations are economic and political. Economically, they have realized
that the sale of sensitive information of organizations is a very lucrative business, so their
main targets are financial institutions and large businesses. Politically, they realize the
importance of cyberespionage, which allows them to steal information and industrial
secrets (in general intellectual property) and, eventually, have the capabilities to carry out
cyber-attack operations. These new attackers are now referred to as cyber actors, and we
can define them, in a general way, as those people or organizations that have a goal,
motivation and resources to do harm by looking for an opportunity and exploiting a
vulnerability. The following types are identified: » Delinquent groups (organized crime) »
Terrorist groups » Subversive groups ("hacktivism") » Hostile governments ("rogue states")
» Independent hackers » Commercial organizations or competing political groups
(cyberespionage) The attack strategies used are more complex and long-term, use
multiple previous steps to reach their target, combine various exploitation and evasion
techniques, They employ advanced malware as well as various mechanisms to go
unnoticed. These targeted attacks are planned, articulated and executed thinking about
the particular profile of the victim in such a way that it is much more feasible to succeed,
which together with the value of the information that attackers seek to extract causes their
impact on organizations to be very high.
NEW THREATS One of the most sophisticated cyberthreats today is Advanced Persistent
Threats (APTs), whose objective is to steal, for a long time, valuable information from a
given organization. Attackers use multiple attack methods to breach the target
organization, one of them is spearphishing (phishing campaign aimed at a specific target,
which through addressing an email with a context that makes sense for that person or
organization, makes it very credible and with a high probability that the user will read the
email in question and open the annex that has previously been contaminated). Once the
target is breached, backdoors are created that allow the attacker to have continuous
access (this is known as communication to a command and control center or C2) to the
compromised systems. The attacker then seeks to expand his reach by taking control of
more computers to strengthen his permanence (achieve his persistence), with which, if
successful, he manages to maintain access to the client's systems for long periods, in
order to collect more information about the target, carry out more attacks (lateral
movements) until he manages to have access to the target information and extract it (an
action known as exfiltration). These attacks are typically organized through "campaigns,"
which may be made up of one or more operations, with each operation typically having the
following phases: 1) Preparation 2) Infection 3) Expansion and Persistence Achievement
4) Information Search and Extraction 5) Cleanup
MAJOR VULNERABILITIES Let's remember that vulnerabilities are the security
weaknesses of our system, understanding a system from a PC or Smartphone, to an
entire organization along with its computing and communications infrastructure,
applications and business services, as well as the information involved in the above. One
of the elements that has changed dramatically is our display surface, which means that
today we have many more hardware and software elements to protect against intrusions.
Since almost all technological vulnerabilities are associated with software, we now: 1. We
have more pieces of software running on servers, PCs, laptops, tablets, smartphones,
cars, and increasingly on "things" (what has been called the Internet of Things:
refrigerators, smart systems, and sensors in various devices or objects including watches
and smart clothes). 2. Everything is interconnected and it is very difficult, sometimes
impossible, to distinguish where one network ends and the other begins, something that
has been called the "blurred perimeter" of the new networks. 3.La complexity of
technological architectures has grown: servers (virtualized and not) with different natures
(databases, applications, services such as DNS, Active Directory, etc.), routers, switches,
balancers, traffic accelerators (different types), private and public cloud architectures,
intermediary software (middleware of various flavors), mobile applications, etc. For all of
the above, it is now more difficult to protect our environments. While an organization has
to provide security to all elements and their interconnections, an attacker only has to find a
path through which they can enter.
Download