Date post: 29-Jan-2015
Category: Technology
Upload: peter-wood
Out of the Blue: Responding to New Zero-Day Threats
Peter Wood
Chief Executive Officer
First Base Technologies LLP
An Ethical Hacker’s View
Slide 2 © First Base Technologies 2012
Who is Peter Wood?
Worked in computers & electronics since 1969
Founded First Base in 1989 (one of the first ethical hacking firms)
CEO First Base Technologies LLP
Social engineer & penetration tester
Conference speaker and security ‘expert’
Member of ISACA Security Advisory Group
Vice Chair of BCS Information Risk Management and Audit Group
Corporate Executive Programme UK Chair
FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
Registered BCS Security Consultant
Member of ACM, ISACA, ISSA, Mensa
Agenda
1. Why zero-day threats are a concern to CIOs
2. Examples of zero-day attacks
3. Minimising your vulnerabilities
4. Responding to the CIO
Beware: this presentation offers no easy solutions!
Why CIOs are concerned
• Criminals targeting intellectual property and corporate credentials
• Attacks are strategic
• Tools are ‘drag and drop’
• Malicious attacks cause 37% of data breaches (2012 Ponemon Cost of a Data Breach survey)
Why CIOs are concerned
http://www.net-security.org/secworld.php?id=11850
Examples of zero-day attacks
The Aurora attack
http://threatpost.com/
The Aurora attack
“If you have done or been around any high-level incident response, you would know that these advanced persistent threats have been going on in various sectors for years. Nor is it a new development that the attackers used an 0day client-side exploit along with targeted social engineering as their initial access vector. What is brand new is the fact that a number of large companies have voluntarily gone public with the fact that they were victims to a targeted attack. And this is the most important lesson: targeted attacks do exist and happen to a number of industries besides the usual ones like credit card processors and e-commerce shops.”
Dino Dai Zovi
http://trailofbits.com/2010/01/24/one-exploit-should-not-ruin-your-day/
The RSA attack
1. Research public information about employees
2. Select low-value targets
3. Spear phishing email “2011 Recruitment Plan” with .xls attachment
4. Spreadsheet contains zero-day exploit that installs backdoor through Flash vulnerability (Backdoor is Poison Ivy variant RAT reverse-connected)
5. Digital shoulder surf & harvest credentials
6. Performed privilege escalation
7. Target and compromise high-value accounts
8. Copy data from target servers
9. Move data to staging servers and aggregate, compress and encrypt it
10. FTP to external staging server at compromised hosting site
11. Finally pull data from hosted server and remove traces
http://blogs.rsa.com/rivner/anatomy-of-an-attack/
Organisations remain vulnerable
Some background in the news
http://www.forbes.com/sites/andygreenberg/
Minimising your vulnerabilities
Traditional thinking
• Firewalls & perimeter defences
• Anti-virus
• SSL VPNs
• Desktop lock down (GPOs)
• Intrusion Detection / Prevention
• Password complexity rules
• HID (proximity) cards
• Secure server rooms
• Visitor IDs
Think like an attacker!
Hacking is a way of thinking:
- A hacker is someone who thinks outside the box
- It's someone who discards conventional wisdom, and does something else instead
- It's someone who looks at the edge and wonders what's beyond
- It's someone who sees a set of rules and wonders what happens if you don't follow them
[Bruce Schneier]
Hacking applies to all aspects of life - not just computers
Do you know how vulnerable you are?
Talk to the CIO before an attack!
CIO, we need budget for:
• Security standards and procedures
• On-going staff training
• Secure builds and secure development
• On-going scans and penetration tests
• Fixes to the problems we find
… and we need sign-off for the risk!
Remember: I said “no easy solutions”
OR
Peter Wood
Chief Executive Officer
First Base Technologies LLP
http://firstbase.co.uk
http://white-hats.co.uk
http://peterwood.com
Twitter: peterwoodx
Need more information?