How Cyber Adversaries Exploit the USA

Presentation transcript:

All Roads Lead to Rome: How Cyber Adversaries Exploit the USA
January 24, 2009
Tom Kellermann, CISM / VP of Security Awareness

History Repeats Itself
Hannibal using the Roman roads to cross the Alps
40% increase in major intrusions (US-CERT 2008)

Evolution of Threats Timeline

Key Trends The 2008 Cisco Annual Security Report found that the overall number of disclosed vulnerabilities grew by 11.5% over 2007. Vulnerabilities in virtualization technology nearly tripled - from 35 to 103 year-over-year - and attacks are becoming increasingly blended, cross-vector and targeted, according to the report. Cisco says its researchers saw 90% growth in threats originating from legitimate domains, nearly double what was seen in 2007. This year, numerous legitimate websites were infected with IFrames, malicious code injected by botnets that redirects visitors to malware-downloading sites, the company says.
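The IFrame injection trend above is something a site owner can check for directly. The following detector is an added example, not code from the presentation or from Cisco: it parses a page and flags iframes that are hidden (zero size, display:none, visibility:hidden, or pushed off-screen) or that load content from a host outside the site's own domain. The sample HTML and the `example.com` / `evil.example` hosts are constructed for illustration.

```python
"""Flag hidden or off-site iframes in HTML (added example; sample data is constructed)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I
)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _is_hidden(attrs):
    width = attrs.get("width") or ""
    height = attrs.get("height") or ""
    tiny = any(v.strip().rstrip("px") in ("0", "1") for v in (width, height))
    return tiny or bool(HIDDEN_STYLE.search(attrs.get("style") or ""))


def suspicious_iframes(html, site_host):
    """Return iframes that are hidden and/or point outside site_host (and its subdomains)."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or site_host  # relative src stays on our host
        external = host != site_host and not host.endswith("." + site_host)
        hidden = _is_hidden(attrs)
        if external or hidden:
            findings.append({"src": src, "external": external, "hidden": hidden})
    return findings


# Constructed page: one legitimate player, one injected hidden frame, one own-CDN widget.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="/video/player" width="640" height="360"></iframe>
<iframe src="http://evil.example/x.php" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="https://cdn.example.com/widget" width="300" height="250"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_HTML, "example.com"):
        print(finding)
```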

2008 Intelligence Community Statistics
55% increase in remote access cyber intrusions
52% increase in insider cyber intrusions
22% increase in credit card fraud

2008 Verizon Data Breach Report
Analysis of over 500 e-forensics audits:
73% resulted from external sources
18% by insiders
39% implicated business partners

Blackhats: Threat Actors
Nation States: 108 countries with dedicated cyber-attack organizations; Dragon Bytes: Chinese Information War Theory & Practice
Terrorists: growing sophistication; Hamas and Al Qaeda; Ibrahim Samudra and Irhabi 007
Organized Crime: cybercrime is big business, aka RBN; FBI: #1 criminal priority is cybercrime

Modern Maginot Lines
Early 1990s: Virus scanners
Mid 1990s: Firewalls
Late 1990s: Over-reliance on encryption (PKI)
Early 2000s: Over-reliance on IDS
Late 2000s: Over-reliance on intrusion prevention systems / artificial intelligence
As business transactions are pushed outside traditional enterprise boundaries, critical data is exposed. Existing perimeter-based security tools cannot handle the threats of today's pervasive computing environment. Virus scanners only pick up 35% of known viruses and worms. Tools like Golden Hacker Defender are for sale for less than $100; they mask code so it can circumvent signature-based detection on all commercial AV scanners. PKI private keys are stolen at whim from C: drives by hackers, who then use the encryption as a secret tunnel to bypass forensics tools.

Primary Attack Vectors
Digital insider attacks (previously compromised systems)
Client-side applications (applications running on desktop / end-user systems, including email readers, web browsers, media players, instant messengers, productivity tools such as MS Office, etc.)
Operating systems
Web applications
Wireless networks

2008 Trends in Attacks Against .GOV
SQL Injection and Cross-site Scripting
Island Hopping (Unisys/DHS)
Remote User Compromise: VPN attacks, client-side attacks
PKI Compromise: private key theft
Zero-Day Attacks
Automated Attack Tools
Digital Insider Attacks

Hosting Companies = Watering Holes
The significant dependence of corporate America upon the Internet infrastructure may make it susceptible to cascading risks. Convergence of services and interoperability between different network types (including cellular, public switched telephone networks or PSTN, and Internet protocol or IP networks) make up a globally shared communications line. Unlike legacy systems, in which mainframes operated within closed local area networks, the new environment is an open data transmission system consisting of a number of gateways. The result is that while this facilitates global connections and cross-border sharing of information and services, it also acts as a double-edged sword, since interoperability and global connectivity also facilitate the transmission of risks.

Why Testing is Important
Hackers attack data where it sits 99.9% of the time: clients, servers and databases
Of all the vulnerabilities disclosed in 2007, only 50 percent can be corrected through vendor patches. (ISS)
Nearly 90 percent of 2007 vulnerabilities could be remotely exploited, up one percentage point from 2006. (ISS)

Real-World Attack Behavior
Cybercriminals are still finding their way around, and through, point security defenses.
[Slide diagram: Application Layer (email, spreadsheet, browser) with point defenses A/B/C and new attack paths; Host / OS Layer with host defenses A/B/C, SEIM and point-defense weaknesses; Network Layer with network defenses A/B/C, wireless networking devices and storage networking devices; backend assets: credit card numbers, customer data, employee records.]
Multistaged threats move across systems and IT layers to threaten critical backend assets.
How do you know what's working, what's not, and what to do about it?

Evaluate the Effectiveness of Security Point Solutions
Application Defenses: DLP, WAF, Encryption, SDLC Mgmt
Monitoring, Correlation: SEIM
Endpoint: AV, Patch, SW FW, HIPS, NAC
Host Defenses: AV, Sec Config, Patch, HIPS
Network Defenses: UTM FW, IPS, IDS, AV GW, etc.
Defend & Monitor
Test defenses against: 800+ exploits; 5,000+ total attack vectors; dynamic XSS, SQL Injection, and RFI exploits
Automated Rapid Penetration Tests, plus one-step network, endpoint and vuln validation tests, plus the ability to manually run all modules and add custom exploits
Test
Actionable Data: Executive Summaries; Detailed Findings + Links to Fixes; Audit Trails for Compliance; Delta Reports Show Vuln. Mgt. Progress
Report

CORE IMPACT Pro: Network Security Testing
External (or Internal) Penetration Testing

CORE IMPACT Pro: Web App Security Testing
[Slide diagram: Web Application Server and SQL Database, with Internal Network Servers and Internal Workstations behind them.]
User leverages compromised server to "pivot" the test to internal network systems.

Comprehensive, Real-World Security Testing
By identifying and validating the most critical, exploitable risks, IMPACT enables intelligent vulnerability remediation and helps to prioritize security initiatives.
[Slide diagram: application defenses A/B/C (email, spreadsheet, browser), host defenses A/B/C with SEIM, network defenses A/B/C with wireless and storage networking devices; backend assets: credit card numbers, customer data, employee records; roles: Operational Security, CISO.]

Core Impact Awards
"Core's smart dashboard, friendly UI, attack configuration wizards, and focused reports make penetration testing easier than ever ..." - InfoWorld, January 2008
Security Software Product of the Year - TechWorld, June 2007
"We have used IMPACT in SC Labs for two years and have found nothing else that even comes close" - SC Magazine, December 2007
"After using IMPACT it seems obvious to us that manual penetration is obsolete." - Federal Computing Week, May 2006
"CORE IMPACT is an amazing tool to validate your security posture." - Information Security Magazine
Wall Street Journal Technology and Innovation Award: Runner-Up, IT Security and Privacy - September 2006
"CORE IMPACT was a blast to test and a product I am certain would benefit organizations that choose to engage it." - ISSA, May 4, 2007
eWeek Excellence Awards: Vulnerability Assessment and Remediation - May 2006