Post on 25-Feb-2016
OSAC/ISMA Conference
The Changing Nature of Cyber Space
Ryan W. Garvey
Overview
• Smartphones: threats, protection
• Cyber threats: emerging threats, defense and mitigation
• Outlook: social media/networking, hacktivism
• The architecture, technologies and capabilities of telecommunication networks and mobile phones have changed significantly
• BlackBerry, iPhone and third-generation (3G) mobile networks: millions of people around the world can make calls from almost anywhere
• True mobility in accessing the Internet and information
• "Anywhere, anytime, any device"
Popular uses of mobile phones and smartphones
• Company e-mail service (e.g. via RIM BlackBerry or MS Mobile Outlook)
• Company calendar service (e.g. via MS Mobile Outlook and Microsoft Exchange)
• Shared file systems (e.g. Microsoft SharePoint)
• Customer Relationship Management (CRM) and Enterprise Resource Planning (ERP) systems
• Applications dedicated to mobile phones
• Mobile Sales Force Automation (SFA)
• SMS alerts and notifications
• Company's internal network via Virtual Private Network (VPN) connections
E-commerce and e-banking purposes
• User authentication via software tokens running on smartphones
• Access to mobile banking applications to make money transfers
• Electronic transaction authentication via one-time passwords sent by the bank to the user by SMS
• Micropayments via SMS, USSD or interactive voice channel
• Premium content purchase (so-called Premium SMS)
• Alerts and notifications: change of account balance, debit or credit card usage, etc.
• Electronic signatures via online, native or SIM card applications
• The practical applications of mobile phones and smartphones are almost endless
Realities
• Mobile malware is not a future threat but a current threat
• The first mobile phone malware was seen over 10 years ago
• In September 2009: 100 known families, more than 500 modifications
• From 2010 to today: new mobile malware was identified every month; in March 2011, 60 malicious apps were found in the Android Market
Possible crossovers from PC to mobile:
• Redirecting the user's web traffic through an attacker's proxy server or an unauthorized access point
  – The attacker may remotely change the mobile browser and network configuration
  – Recording and sharing all web information sent from the mobile device (e.g. everything in HTTP GET and POST requests)
  – Modifying the web browser (e.g. Firefox for iPhone, or Opera Mini)
  – Replacing executable binaries on the phone, so all information sent to the Internet can be intercepted
• Unauthorized remote use of the phone's personal area network capabilities (Bluetooth, Wi-Fi)
  – Remotely attacking other users and penetrating networks within range of the smartphone, creating mobile botnets
  – Performing distributed denial of service attacks on any target via "regular" (e.g. Internet) or mobile (e.g. SMS, MMS) communication channels
Two Android examples
• Tap Snake
  – In the Android Market
  – Tracks and monitors the user's location ("GPS Spy")
  – GPS data includes the date and time of the user's location
  – Physical access is required to enable the GPS Spy feature
• Movie Player
  – Not in the Android Market
  – SMS Trojan posing as a harmless media player application
  – Sends SMS messages to premium-rate numbers
  – The scam has only affected Android smartphone users in Russia
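As an added example (not from the presentation), a small static triage check of the kind a reviewer would apply to the two apps above: parse the permissions an Android app requests in its AndroidManifest.xml and flag any that do not fit what the app claims to be. The sample manifests, package names and the permission-to-category table are constructed for this demo; the permission strings themselves are the real Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names; the risk descriptions are this example's own grouping.
HIGH_RISK = {
    "android.permission.SEND_SMS": "can send SMS (premium-rate fraud, as in the Movie Player Trojan)",
    "android.permission.RECEIVE_SMS": "can read incoming SMS (e.g. bank one-time passwords)",
    "android.permission.ACCESS_FINE_LOCATION": "can track precise location (as in Tap Snake)",
    "android.permission.ACCESS_COARSE_LOCATION": "can track approximate location",
    "android.permission.READ_CONTACTS": "can read the address book",
}

# What each claimed app type plausibly needs (an assumption made for this triage rule).
EXPECTED_BY_CATEGORY = {
    "media_player": {
        "android.permission.INTERNET",
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WAKE_LOCK",
    },
    "game": {"android.permission.INTERNET", "android.permission.VIBRATE"},
}


def requested_permissions(manifest_xml: str):
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def triage(manifest_xml: str, claimed_category: str):
    """Return findings: high-risk permissions first, then anything outside the
    claimed category's expected set."""
    perms = requested_permissions(manifest_xml)
    findings = []
    for perm in sorted(perms):
        if perm in HIGH_RISK:
            findings.append("%s: %s" % (perm, HIGH_RISK[perm]))
    unexpected = perms - EXPECTED_BY_CATEGORY.get(claimed_category, set()) - set(HIGH_RISK)
    for perm in sorted(unexpected):
        findings.append("%s: not expected for a %s" % (perm, claimed_category))
    return findings


# Constructed manifest resembling an SMS Trojan that poses as a media player.
FAKE_PLAYER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.movieplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Movie Player"/>
</manifest>
"""

# Constructed manifest for a player that asks only for what it needs.
HONEST_PLAYER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.player">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>
"""

if __name__ == "__main__":
    for finding in triage(FAKE_PLAYER_MANIFEST, "media_player"):
        print(finding)
```

This is a heuristic, not a verdict: a legitimate messaging app needs SEND_SMS. The point is that a permission set which contradicts the app's stated purpose is the cheapest signal available before any dynamic analysis.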
Impacts
• Loss of valuable data
• Loss of intellectual property
• Loss of productivity
• Negative impact on profits or stock price
• Brand damage
• Lawsuits
• Class actions
Cyber Threats
Types of Threats
Even More Threats
• Cybercrime, online fraud and the theft of confidential information
• Bots, botnets and "modular" malicious code
• Web applications are increasingly becoming the focal point of attacks
• "Man-in-the-middle" attacks that circumvent multi-factor authentication
Security Defense-in-Depth
Adversaries attack the weakest link... where is yours?
Management and operational controls: risk assessment; security planning, policies, procedures; configuration management and control; contingency planning; incident response planning; security awareness and training; security in acquisitions; physical security; personnel security; security assessments and authorization
Technical controls: access control mechanisms; identification & authentication mechanisms (biometrics, tokens, passwords); audit mechanisms; encryption mechanisms; boundary and network protection devices (firewalls, guards, routers, gateways); intrusion protection/detection systems; security configuration settings; anti-virus, anti-spyware, anti-spam software; smart cards; continuous monitoring
Links in the Security Chain: Management, Operational, and Technical Controls
Hardware and Software Inventories
• Inventories of authorized and unauthorized devices and software
  – Don't allow personal preferences
  – Don't let outsiders connect flash drives or other devices to your network
  – Use software such as DeviceLock
  – Do not download software from the Internet; do not use outside CDs or DVDs
• Wireless device control
Trust but Verify
• Maintenance, monitoring, and analysis of security audit logs
• Continuous vulnerability assessment and remediation
• System of sanctions for improper behavior
• Remote scanning from HQ
• Intrusion detection systems
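As an added example (the presentation contains no code), a minimal piece of the audit-log analysis listed above, of the kind a monitoring pipeline runs continuously: it reads OpenSSH-style authentication lines, raises a brute-force alert when one source address produces five failures within a minute, and a second, higher-priority alert when a login from that address then succeeds. The host name, user names, addresses (RFC 5737 documentation ranges), timestamps and thresholds are constructed for the demo; only the message shapes are real sshd ones.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH authentication lines as syslog writes them (the message shapes are real;
# every host, user and address in SAMPLE_LOG below is constructed).
AUTH_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse(line: str, year: int = 2016):
    """Return (timestamp, result, user, ip), or None for lines that are not auth events.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = AUTH_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return ts, m.group("result"), m.group("user"), m.group("ip")


def detect(lines, threshold: int = 5, window_seconds: int = 60):
    """Sliding-window detector keyed by source address."""
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures inside the window
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, result, user, ip = event
        q = recent_failures[ip]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # expire failures older than the window
        if result == "Failed":
            q.append(ts)
            if len(q) == threshold:  # fire once, when the threshold is crossed
                alerts.append({"kind": "brute_force", "ip": ip, "user": user, "at": ts})
        elif len(q) >= threshold:
            # A success right after a burst of failures is the signal that matters:
            # a guessed password, not a user mistyping once.
            alerts.append({"kind": "success_after_failures", "ip": ip, "user": user, "at": ts})
            q.clear()
    return alerts


# Constructed sample log: a password-guessing run that eventually succeeds,
# one ordinary typo, and one clean key-based login.
SAMPLE_LOG = """\
Feb 25 09:12:01 bastion sshd[2001]: Failed password for root from 203.0.113.7 port 50110 ssh2
Feb 25 09:12:03 bastion sshd[2002]: Failed password for root from 203.0.113.7 port 50111 ssh2
Feb 25 09:12:04 bastion sshd[2003]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2
Feb 25 09:12:06 bastion sshd[2004]: Failed password for root from 203.0.113.7 port 50113 ssh2
Feb 25 09:12:09 bastion sshd[2005]: Failed password for root from 203.0.113.7 port 50114 ssh2
Feb 25 09:12:11 bastion sshd[2006]: Failed password for root from 203.0.113.7 port 50115 ssh2
Feb 25 09:12:14 bastion sshd[2007]: Accepted password for root from 203.0.113.7 port 50116 ssh2
Feb 25 09:30:00 bastion sshd[2050]: Failed password for alice from 198.51.100.4 port 41000 ssh2
Feb 25 09:30:07 bastion sshd[2051]: Accepted password for alice from 198.51.100.4 port 41001 ssh2
Feb 25 10:01:00 bastion sshd[2100]: Accepted publickey for bob from 192.0.2.10 port 40000 ssh2
Feb 25 10:01:00 bastion sshd[2100]: pam_unix(sshd:session): session opened for user bob by (uid=0)
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert["at"].isoformat(), alert["kind"], alert["ip"], alert["user"])
```

The second alert type is the one worth paging on: a burst of failures alone is background noise on any Internet-facing host, while a success that follows it means the sanctions and account-control items elsewhere in this deck now have a specific account to act on.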
Limit Access to Need
• Controlled use of administrative privileges
  – Should only be used for administrator duties
  – Use the "RunAs" command whenever possible
  – Do not leave systems logged on
• Controlled access based on need to know
• Account monitoring and control
Application Software Security
• Be a good implementer: no need to reinvent the wheel
• Patch quickly: organizations take twice as long to patch application vulnerabilities as they take to patch operating system vulnerabilities
• Use automated updates when possible
Malware Defenses
• Firewalls: block most hacker tools and network worms
• Antispyware: blocks spyware, Trojans, and network and e-mail worms, but not viruses
• Antivirus: blocks viruses and e-mail worms
• Intrusion prevention software: blocks viruses, worms and other malware by looking for the typical behavior of these attacks
Data Loss Prevention
• Backups
  – Redundancy
  – Different schedules
  – Offsite backup
• Secure network engineering
• Penetration tests and red team exercises
• Incident response capability
• Data recovery capability
Education of Users
• Don't download programs from the Internet
• Do not use outside CDs or DVDs
• Don't attach outside devices
• Don't open unfamiliar e-mails, especially attachments
• Don't surf sites not needed for work
• Scan all files before opening
Quick and Easy Protective Strategies
Immediate Future
Password Length
Length and complexity do matter! A six-character password takes 13.7 days, 6.05 hours and 51.5 minutes to crack; an eight-character password takes 17 years, 10.7 months and 24.2 days to crack (complex passwords).
Real-Time Risk Evaluation
Implement a solution that provides a transparent layer of authentication at login. This is crucial: it allows a merchant, retailer or bank to create a real-time digital identity for online users based on multiple factors, including user behavior, machine identification and user preferences.
Regular Password Changes
Require Internet customers to change static passwords at regular intervals. This causes any compromised data to become "stale" among fraudster groups.
Provide Authentication Options
Offer customers varying authentication methods and encourage adoption based on the customer's risk profile (e.g. retail vs. trust and high-net-worth clients): tokens, strong passwords, strong security questions, encryption certificates.
Ask Transactional Questions
Ask questions that pertain to the user's account: last time used, amount charged. These techniques ensure your help desk is talking to THE customer.
Customer Account Monitoring and Alerting
Give customers the option to select transactional alerts and account notifications: change of address, transfers, withdrawals, and various other account changes.
Customer Communication / Awareness
Regular communication with customers; identification and early notification of suspected issues.
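As an added example, not from the presentation, here is the core of the kind of real-time risk evaluation described above: each login attempt is scored against the customer's established profile (known devices, usual countries, usual hours, and geographic velocity since the last login), and the score decides whether to allow the login, step up to one of the stronger authentication options, or deny. The profile, the attempts, the coordinates, the weights, the thresholds and the 1,000 km/h plausibility limit are all this example's assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass
class Profile:
    """What the service has learned about a customer (constructed for the demo)."""
    user: str
    known_devices: frozenset
    usual_countries: frozenset
    usual_hours: range            # local hours at which the user normally logs in
    last_login: tuple             # (unix time, latitude, longitude)


@dataclass
class Attempt:
    user: str
    device_id: str                # machine identification, e.g. a device fingerprint
    country: str
    lat: float
    lon: float
    unix_time: int
    local_hour: int


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


# Scoring weights and decision thresholds are assumptions tuned for the demo.
WEIGHTS = {"unknown_device": 35, "unusual_country": 25, "off_hours": 10, "impossible_travel": 50}
MAX_PLAUSIBLE_KMH = 1000.0
STEP_UP_AT, DENY_AT = 25, 60


def risk_score(profile: Profile, attempt: Attempt):
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += WEIGHTS["unknown_device"]
        reasons.append("unknown device")
    if attempt.country not in profile.usual_countries:
        score += WEIGHTS["unusual_country"]
        reasons.append("unusual country %s" % attempt.country)
    if attempt.local_hour not in profile.usual_hours:
        score += WEIGHTS["off_hours"]
        reasons.append("outside usual hours")
    last_time, last_lat, last_lon = profile.last_login
    hours = max((attempt.unix_time - last_time) / 3600.0, 1.0 / 3600.0)  # never divide by zero
    kmh = haversine_km(last_lat, last_lon, attempt.lat, attempt.lon) / hours
    if kmh > MAX_PLAUSIBLE_KMH:
        score += WEIGHTS["impossible_travel"]
        reasons.append("impossible travel (%.0f km/h)" % kmh)
    return score, reasons


def evaluate(profile: Profile, attempt: Attempt):
    """Return (decision, score, reasons); 'step_up' means demand a second factor."""
    score, reasons = risk_score(profile, attempt)
    if score >= DENY_AT:
        return "deny", score, reasons
    if score >= STEP_UP_AT:
        return "step_up", score, reasons
    return "allow", score, reasons


# Constructed profile: last login from New York on a known device.
T0 = 1456400000
ALICE = Profile("alice", frozenset({"dev-a1b2c3"}), frozenset({"US"}), range(7, 22), (T0, 40.71, -74.01))
SAME_DEVICE_NY = Attempt("alice", "dev-a1b2c3", "US", 40.71, -74.01, T0 + 3600, 9)
KNOWN_DEVICE_LONDON = Attempt("alice", "dev-a1b2c3", "GB", 51.51, -0.13, T0 + 10 * 3600, 15)
NEW_DEVICE_MOSCOW = Attempt("alice", "dev-zzz999", "RU", 55.76, 37.62, T0 + 3600, 3)

if __name__ == "__main__":
    for attempt in (SAME_DEVICE_NY, KNOWN_DEVICE_LONDON, NEW_DEVICE_MOSCOW):
        print(evaluate(ALICE, attempt))
```

The layer is "transparent" in the sense the slide means: the known-device, in-country, usual-hours login never sees a prompt, the travelling customer on a known device is asked for a token or security question, and only the combination of a new device, a new country, an odd hour and a physically impossible trip is refused outright.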
Security Program Minimums
Vulnerability Management
• Vulnerability Scanning: conduct external vulnerability assessments monthly and internal vulnerability assessments quarterly
• Penetration Testing: annual penetration testing should be conducted to identify accessible systems, probe for known vulnerabilities, provide insight into possible attack vectors and provide recommendations on how to effectively mitigate any identified threat
• Firewall Rule Review: all firewall changes should be reviewed by the security group to ensure proper security practices
• Intrusion Detection / Prevention: IDS/IPS should be deployed to serve both as a forensic function and to validate the efficacy of other control methods
• Anti-Virus Systems: anti-virus software should be deployed to all Windows-based server and desktop systems
Incident Response
• Computer Forensics: analysis and evidence collection of computer system / application data for the legal preservation of security event case information
• Event Management: respond to events identified by IDS and AV systems; verify system integrity after an event has been detected
• Incident Investigation: policy violations / inappropriate use; data collection and event analysis for internal investigations in cooperation with internal business groups (HR, Legal)
• E-Discovery: data collection and preservation for legal e-discovery requests
• Phishing: response to and management of both phishing and brand abuse attacks
Outlook
• Social networking
  – Continued growth
  – Continued threats
• Hacktivism
  – Anonymous
  – DoS
  – Reputation and other attacks
  – Increased focus on corporations?
Ryan W. Garvey
Coordinator, Information Security & Cyber Threats
571-345-7748
garveyrw@state.gov