Cyber Security

You Expect It
You Need It
Terry Pobst-Martin
Chief Information Security Officer
State of Idaho, Office of the Chief Information Officer
“Washington -- Computer spies have broken into the Pentagon's $300 billion Joint Strike Fighter project” . . . “suspected to be Chinese Hackers.”
Apr 22, 2009 – Wall Street Journal
• “Report: Chinese hack into White House network”
Nov 4, 2008 - ZDNet
Posted by Andrew Nusca
Huge new effort to protect Department of Defense
Also plan to help protect citizens in the future
Can no longer rely on industry efforts to counter cyber threats
Pentagon spent < $100 M in 6 months responding to:
• cyber attacks
• related problems
Means of Attack into Federal Networks
Chart categories: Under Investigation; Improper Usage; Unauthorized Access; Malicious Code; Scans, Probes, Attempted Access (values shown: 1272, 2274, 7528, 3214, 3762)
Federal Government reported 18,050 cyber security breaches in 2008
U.S. Cyber Command Operational since October 1
“Cyberspies penetrate electrical grid”
8 April 2009, Reuters
Electrical grid network has “Backdoors” to let bad guys in whenever they choose
Cyber threats are now considered Weapons of Mass Destruction!
"Cybersecurity is the soft underbelly of this country."
INL test
Electrical generators are at risk
Former National Intelligence Director Mike McConnell
Secretary of State Hillary Clinton
Cyber Security Act of 2009
“…the president may order a Cybersecurity emergency and order the limitation or shutdown of Internet traffic"
• Give Federal Government access to detailed network data
• Create a new Cybersecurity “Czar”
• Is supposed to coordinate military, NSA, Commerce & DHS efforts
A Hacker’s View of the State of Idaho:
• Target
• Government networks are a valid target
• Corporations are valid targets
• Individuals are a target
• Identity and privacy information = big target
Overarching Security Issues:
Electrical grid Cyber attacks
• Won’t stop the wind blowing
• Can’t stop the water flowing
• Can stop the power to
• You
• Your house
• Your workplace
• Stoplights...
Growing security trends:
• Huge increase in spam (Phishing, e-cards, etc.)
• New Threats: Vishing, Pod-Slurping, Thumb-sucking, more
• Development of wireless hacking & mobile device viruses
• Increase in video sharing exploits (PC or mobile)
• Significant Increase in “Drive-by” malicious-ware websites
• Increase in “Bots” & rootkits; hard to find or stop
U of I Website
State Website Hacks
• Replacing content with other content or photos
• Placing pornography on agency sites
• Reflects problems throughout the world
Chart: Blocked Network Attacks in one week (categories: Spam, Legitimate, Virus)
The Federal Trade Commission
• Estimates nearly $50 billion is lost annually
• Result of identity theft & credit-card fraud
BBB
• 70% of Identity theft takes place from business data loss
• Identity theft is the fastest growing crime of all time
IDTHEFT.COM
• At least 48,606,000 identifying records have been stolen or lost since last year
• “…laptop stolen from unlocked truck…”
• “…former office manager indicted for theft of records…”
• “…hard drives missing…”
• “…donated computer contained information.”
• “A hacker breaks in…”
• “…a data breach occurred…”
• “…records dumped in garbage…”
• “…employee loses a CD with data…”
• “…a customer just walked in and left with a stack of papers…”
Chart: Attack Sophistication and Intruder Knowledge (Low to High), 1980 to 2009 (axis years shown: 1980, 1985, 1990, 1995, 2005, 2009)
Techniques labelled on the chart: password guessing; self-replicating code; password cracking; exploiting known vulnerabilities; disabling audits; back doors; hijacking sessions; burglaries; network mgmt. diagnostics; sweepers; sniffers; GUI; automated probes/scans; www attacks; packet spoofing; denial of service; distributed attack tools; “stealth” / advanced scanning techniques; Cross site scripting; Staged Sites; Malware Distribution; DNS Redirects; Auto Coordinated Tools; iFrame & SQL Injects; Botnets for Rent
Average people… make mistakes
• Visit a site with poor security
• Obvious (e.g., pornography)
• Not obvious (e.g., MySpace, Facebook)
• Even trusted sites – thousands every day
• Download from the Internet
Average people… make mistakes
• Install potentially dangerous software
• Freeware / Shareware
• Unchecked software
• Games
• Toolbars (e.g., Google Toolbar)
• Rights & access must be minimized
Cisco Study: Laptop users bring threats into networks
• 56% believe Internet is now “safer”
• Less “destructive” viruses
• More security products
• Limited awareness
“Script Kiddies” or Hacker in training
• Use tools developed by real Hackers
• Find excitement in breaking-in
• “Bragging Rights”
• Often purposely leave evidence
• Build a rep
• Rarely want long term exploitation
Anyone could be an insider
• Studies show insiders bring huge losses
• Victims at HUGE risk
• 12 times more likely hit by fraud
• 73% External sources
• 39% Business partners
• 18% Malicious Insiders
• 30% Multiple parties
FTC says that in the U.S., as many as 10 Million people fall victim to ID Theft every year!
Number has grown every year…
Chart: Median of Records Compromised, by source (External 73%, Partner 39%, Internal 18%); values shown: 375,000; 187,500; 30,000
If there’s a profit or edge to gain
• Foreign governments
• Active attacks
• Network “backdoors”
• Use daily or hold for hostilities
If there’s a profit or edge to gain
• Corporations
• Information is power
• Corporate intelligence activities growing
• Is it ethical in the market place?
Developing new viruses all the time
• Created mostly by criminals
• A recent popular one is:
• JSRedir-R Trojan or “Gumblar”
• Infecting a new webpage every 4.5 seconds – legitimate sites
• Loads without knowledge
Refining Social Engineering
• “Twitterpornnames”
• Facebook and many other examples
Global cybercrime is the biggest profit maker for criminals
• Surpassed drug trafficking
• Is not as dangerous as dealing drugs or robbing banks, etc.
• True hackers selling services to non-technical criminals
• Expertise is growing rapidly
• Money gets bigger every month
• Software has vulnerabilities
• We need software
• To do our jobs
• To entertain ourselves
• To make life easier
• Over 90% of attacks are on known vulnerabilities
• Patches are already out
• “Zero Day” exploits always a possibility
• Password security is critical!
• Ensures only you can access your computer
• And the network behind it
• Use strong passwords always
• You will be attacked at the point of the weakest link
• NEVER give your network password to anyone else!
• Don’t write it down!
• Use as long a password as you can and ensure it has
– Upper and Lower case Letters
– Special Characters and Numbers
– At least 8 characters
– Passphrases are very secure
Do you remember any Song Lyrics?
I’m @ little 2x10 Country than thaT
0:04 to Save the W0rld
thE Dog days are ^^^ (done)
Te11 everYBody I'm on my w@
U R the Wind b\ mY Wings
Hey! Mr. TamB0urine Man
Do you remember Quotes, Poems, Biblical Phrases?
Ask what U can do 4 Ur country!
ToErrishuman,2_4givedivine
Early2bed&Early2risE
How do I love thee? Let me 1234 the ways!
Once upon a 12:00AM dreary
4 God so loved The world!
I will fear O evil, 4 thou art with me!
• Physically secure your critical systems
• Screen-lock your system when away from your computer
• Ensure work areas are secure
• Be aware of people who don’t belong in the work area
• Despite public awareness
• Scammers are Social Engineers
• E-mails look more real
• Reeling in the victims
• Large amounts of money from small percentage of people
• Is your Bank account out there?
Vishing
You can trust me
• Using Voice over IP (VoIP)
• Gain access data
• Private, personal and financial information
• Likely to trust real person
• Caller ID spoofing builds trust
You can trust me
• Spyware infects >80% desktops
• P2P software can come with Spyware
• Now too prevalent and insidious
• Your Anti-virus will not find it all
• Precursor to Trojans and/or Botnet
• Malware, all types, increased 32K variants in 2004 to >30 Mil in 2009
Now, almost too many to track (1/8 sec)
Chart: malware variants by year, 2004 to 2009; values shown: 32,000; 54,000; 500,000; 5,500,000; 18,000,000; 30,000,000
Overloading Anti-virus manufacturers; some last only 24 hours
Note: These numbers come from different sources
Rogue anti-virus/spyware programs
• Often generate more "alerts" than reputable software
• May bombard you with pop-ups, even when not online
• Use high-pressure sales to convince you to buy RIGHT NOW!
• Other signs of infection include:
• new desktop icons
• new wallpaper
• default homepage redirected to another site
Surfing the web is becoming a more treacherous adventure
Safe website?
Infected Websites grew 300% in 2008
Chart: Percentage, by groups of websites “hosting” malicious software (series: Internet Criminal Sites; Infected Legitimate Sites; Unknown)
• Attacker communicates to all his Botnet drones / zombies
• Hackers “rent” Botnets for hours or days
Diagram: Hacker or Bot-herder; Command & Control Bot; Zombies or Bots
• Send out Spam
• Collect privacy data
• Store data
• Host Pharming websites
• Launch Denial of Service attacks
• Other attacks
“Autorun” should be disabled to stop this…
Free malicious software with the purchase of any digital frame????
Or other USB powered devices
What do these advertisements hold?
Step 1: Understand that computer user involvement is key to successful network / cyber security
Step 1a: Don’t Be Scared
Step 2 – Manage Risk
• Rapidly changing landscape for IT solutions
• Constantly changing IT security environment
• Security tools are growing – capability, complexity, cost
• IT budgets won’t increase as quickly as demand
Analyze the security environment – focus on the risk
• What information / resources are you protecting
• What are the threats to your information / assets
• What is the risk to the organization if information / asset is
• Lost
• Stolen
• Changed
• Develop a security plan to manage your risk
• Develop a security budget based on the security plan
• Assign the right people to manage and run with the plan
Step 3: Take security seriously at work
• Use strong passwords
• Lock your workstations
• Use care with e-mails
• Do not download from the Internet
• Do not install unchecked programs – rely on IT
• Be aware of your Anti-Virus – is it running?
• Laptop Firewalls should be on if away from the office
• Make backups of important files and folders
• Use a file encryption process
• Ensure Security is part of all Business and IT Plans
Step 4: Take security seriously at home
• Install / Use Anti-Virus & Spyware programs
• Install / Use a Firewall program
• Keep system patched – all your programs
• Use care when reading e-mail
• Make backups of important files and folders
• Use strong passwords (different ones for different sites)
• Use care when downloading and installing
• Consider using a file encryption program
Step 5: Assess success of security procedures:
• Are risks mitigated?.. reduced?
• Modify plan when necessary
• Overcome disappointment; security can’t stop all attacks
• Experts are no longer saying “if” but “when”
Good Security can make you happy
Terry Pobst-Martin
terry.pobst-martin@cio.idaho.gov
332-1851