OSAC/ISMA Conference The Changing Nature of Cyber Space Ryan W. Garvey

118858 Osac Isma Dubai Infosec Ppt


Page 1: 118858 Osac Isma Dubai Infosec Ppt

OSAC/ISMA Conference

The Changing Nature of Cyber Space

Ryan W. Garvey

Page 2

Overview

• Smartphones
  – Threats
  – Protection
• Cyber threats
  – Emerging
  – Defense and mitigation
• Outlook
  – Social media/networking
  – Hacktivism

Page 3

• Architecture, technologies and capabilities of telecommunication networks and mobile phones have changed significantly
• BlackBerry, iPhone and third-generation (3G) mobile networks
• Millions of people around the world can make calls from almost any place in the world
• True mobility in accessing the Internet and information
• “Anywhere, Anytime, any Device”

Page 4

• Popular usage of mobile phones and smartphones
  – Company e-mail service (e.g. via RIM BlackBerry or MS Mobile Outlook)
  – Company calendar service (e.g. via MS Mobile Outlook and Microsoft Exchange)
  – Shared file systems (e.g. Microsoft SharePoint)
  – Customer Relationship Management (CRM) and Enterprise Resource Planning (ERP) systems
  – Applications dedicated to mobile phones
  – Mobile Sales Force Automation (SFA)
  – SMS alerts and notifications
  – Company’s internal network via Virtual Private Network (VPN) connections

Page 5

• E-commerce and e-banking purposes
  – User authentication via software tokens running on smartphones
  – Access to mobile banking applications to make money transfers
  – Electronic transaction authentication via one-time passwords sent by the bank to the user via SMS
  – Micropayments via SMS, USSD or interactive voice channel
  – Premium content purchase (so-called Premium SMS)
  – Alerts and notifications: change of account balance, debit or credit card usage, etc.
  – Electronic signatures via online, native or SIM card applications
• Practical applications of mobile phones and smartphones are almost endless

Page 6

Realities

• Mobile malware is not a future threat but a current threat
• First mobile phone malware seen over 10 years ago
• In September 2009
  – 100 known families
  – More than 500 modifications
• In 2010 - today
  – Every month a new mobile malware was identified
  – March 2011 – 60 malicious apps found in Android Marketplace

Page 7

• Possible crossovers from PC to mobile:
  – Redirect the user’s web traffic through an attacker’s proxy server or unauthorized access point
    • Attacker may remotely change mobile browser and network configuration
    • Recording and sharing all web information sent from the mobile device (e.g. all information from HTTP GET and POST)
    • Modifying the web browser (e.g. Firefox for iPhone, or Opera Mini)
    • Replacing executable binaries on the phone, so all information sent to the Internet can be intercepted
  – Unauthorized remote use of the phone’s personal area network capabilities (Bluetooth, Wi-Fi)
    • Remotely attack another user and penetrate networks that are in range of the smartphone, creating mobile botnets
    • Perform distributed denial of service attacks on any target via “regular” (e.g. Internet) or mobile (e.g. SMS, MMS, etc.) communication channels

Page 8

• Two Android examples
  – Tap Snake
    • In the Android Market Place
    • Tracks and monitors the user’s location - GPS Spy
    • GPS data includes date and time of the user’s location
    • Physical access required to enable the GPS Spy feature
  – Movie Player
    • Not in the Android Market Place
    • SMS Trojan
    • Poses as a harmless media player application
    • Sends SMS messages to premium-rate numbers
    • Scam has only affected Android smartphone users in Russia

Page 9

Impacts

• Loss of valuable data
• Loss of Intellectual Property
• Loss of productivity
• Negative impact on profits or stock price
• Brand damage
• Lawsuits
• Class actions

Page 10

Cyber Threats

Page 11

Types of Threats

Page 12

Even More Threats

• Cybercrime, online fraud and the theft of confidential information
• Bots, botnets and “modular” malicious code
• Web applications are increasingly becoming the focal point of attacks
• “Man-in-the-Middle” attacks that circumvent multi-factor authentication

Page 13

Security Defense-in-Depth

Adversaries attack the weakest link… where is yours?

Management and operational controls:
• Risk assessment
• Security planning, policies, procedures
• Configuration management and control
• Contingency planning
• Incident response planning
• Security awareness and training
• Security in acquisitions
• Physical security
• Personnel security
• Security assessments and authorization

Technical controls:
• Access control mechanisms
• Identification & authentication mechanisms (biometrics, tokens, passwords)
• Audit mechanisms
• Encryption mechanisms
• Boundary and network protection devices (firewalls, guards, routers, gateways)
• Intrusion protection/detection systems
• Security configuration settings
• Anti-viral, anti-spyware, anti-spam software
• Smart cards
• Continuous monitoring

Links in the Security Chain: Management, Operational, and Technical Controls

Page 14

Hardware and Software Inventories

• Inventories of authorized and unauthorized devices and software
  – Don’t allow personal preferences
  – Don’t let outsiders connect flash drives or other devices to your network
  – Use software such as DeviceLock
  – Do not download software from the Internet; do not use outside CDs, DVDs
• Wireless device control

Page 15

Trust but Verify

• Maintenance, monitoring, and analysis of security audit logs
• Continuous vulnerability assessment and remediation
• System of sanctions for improper behavior
• Remote scanning from HQ
• Intrusion detection systems

Page 16

Limit Access to Need

• Controlled use of administrative privileges
  – Should only be used for administrator duties
  – Use the “RunAs” command whenever possible
  – Do not leave systems logged on
• Controlled access based on need to know
• Account monitoring and control
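The “Trust but Verify” and “Limit Access to Need” slides above list audit-log analysis, controlled use of administrative privileges and account monitoring as controls without saying what a concrete check looks like. The following Python is an added example, not code from the talk or from any product named in it: it parses a handful of constructed audit-log lines and applies three checks, a burst of failed logons from one user/source pair, a privileged account logging on to a machine that is not an administered server (privilege used outside admin duties), and accounts that appear in the log but not in the authorized inventory. The key=value log format, the host names, the `admin-` naming convention and the thresholds are all assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log lines in a hypothetical syslog-like key=value
# format (not the output of any real product); hosts and accounts are invented.
SAMPLE_LOG = """\
2011-03-01T08:02:11 host=ws-17 event=logon user=jdoe src=10.0.5.21 result=success
2011-03-01T08:05:40 host=ws-17 event=logon user=jdoe src=10.0.5.21 result=failure
2011-03-01T08:05:42 host=ws-17 event=logon user=jdoe src=10.0.5.21 result=failure
2011-03-01T08:05:43 host=ws-17 event=logon user=jdoe src=10.0.5.21 result=failure
2011-03-01T08:05:45 host=ws-17 event=logon user=jdoe src=10.0.5.21 result=failure
2011-03-01T08:05:46 host=ws-17 event=logon user=jdoe src=10.0.5.21 result=failure
2011-03-01T09:15:02 host=ws-17 event=logon user=admin-jdoe src=10.0.5.21 result=success
2011-03-01T22:40:09 host=srv-db1 event=logon user=admin-ops src=10.0.9.7 result=success
2011-03-01T23:10:00 host=ws-03 event=logon user=asmith src=10.0.5.44 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Tunable policy values (assumptions for this example).
FAILURE_THRESHOLD = 5                   # failures from one (user, source) pair ...
WINDOW_SECONDS = 60                     # ... within this many seconds is a burst
ADMIN_PREFIX = "admin-"                 # naming convention for privileged accounts
SERVER_HOSTS = {"srv-db1", "srv-app1"}  # hosts where admin logons are expected


def parse_log(text):
    """Parse key=value lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def find_failed_logon_bursts(records):
    """Return (user, src, count) for every (user, src) pair with at least
    FAILURE_THRESHOLD failed logons inside a WINDOW_SECONDS sliding window."""
    failures = defaultdict(list)
    for r in records:
        if r["event"] == "logon" and r["result"] == "failure":
            failures[(r["user"], r["src"])].append(r["ts"])
    findings = []
    for (user, src), times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the window fits inside WINDOW_SECONDS.
            while (times[end] - times[start]).total_seconds() > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= FAILURE_THRESHOLD:
                findings.append((user, src, end - start + 1))
                break  # one finding per pair is enough to raise an alert
    return findings


def find_privileged_logon_misuse(records):
    """Flag successful logons with a privileged account on hosts that are not
    administered servers: the privilege is being used outside admin duties."""
    return [
        (r["user"], r["host"], r["ts"].isoformat())
        for r in records
        if r["event"] == "logon" and r["result"] == "success"
        and r["user"].startswith(ADMIN_PREFIX) and r["host"] not in SERVER_HOSTS
    ]


def find_unknown_accounts(records, authorized):
    """Accounts seen in the log that are not in the authorized inventory."""
    seen = {r["user"] for r in records}
    return sorted(seen - set(authorized))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("failed-logon bursts:", find_failed_logon_bursts(recs))
    print("admin logons on non-servers:", find_privileged_logon_misuse(recs))
    print("accounts not in inventory:",
          find_unknown_accounts(recs, {"jdoe", "admin-jdoe", "admin-ops"}))
```

Each check returns a list of findings rather than printing, so the same functions can feed a ticketing system or a nightly report; on the sample data the burst check fires on jdoe, the privilege check fires on admin-jdoe’s logon to a workstation, and asmith is reported as an account missing from the inventory.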

Page 17

Application Software Security

• Be a good implementer
• No need to reinvent the wheel
• Patch quickly - organizations take twice as long to patch application vulnerabilities as they take to patch operating system vulnerabilities
• Use automated updates when possible

Page 18

Malware Defenses

• Firewalls: block most hacker tools and network worms.
• Antispyware: blocks spyware, Trojans, network and email worms, but not viruses.
• Antivirus: blocks viruses and email worms.
• Intrusion Prevention Software: blocks viruses, worms and other malware by looking for the typical behavior of these attacks.

Page 19

Data Loss Prevention

• Backups
  – Redundancy
  – Different schedules
  – Offsite backup
• Secure Network Engineering
• Penetration Tests and Red Team Exercises
• Incident Response Capability
• Data Recovery Capability

Page 20

Education of Users

• Don’t download programs from the Internet
• Do not use outside CDs, DVDs
• Don’t attach outside devices
• Don’t open unfamiliar e-mails, especially attachments
• Don’t surf sites not needed for work
• Scan all files before opening

Page 21

Quick and Easy Protective Strategies

Immediate Future

Password Length
Length and complexity do matter! A six-character password takes 13.7 days, 6.05 hours and 51.5 minutes to crack; an eight-character password takes 17 years, 10.7 months and 24.2 days to crack (complex passwords).
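The “Password Length” figures above are quoted without the guess rate or character set behind them. As an added example (not from the talk), the Python below shows the arithmetic a defender uses to set a length policy: worst-case brute-force time from keyspace size and guess rate, and the inverse question, the shortest length that keeps the full keyspace above a target crack time. The character-set sizes, the one-billion-guesses-per-second rate and the ten-year target are assumptions of the example; real rates depend on the hashing algorithm and the attacker’s hardware.

```python
def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters drawn from
    a character set of `charset_size` symbols."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try the whole keyspace at a fixed guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def min_length_for(charset_size, guesses_per_second, target_seconds):
    """Smallest length whose full keyspace takes at least target_seconds to
    search. Integer arithmetic throughout, so exact powers are not misrounded."""
    needed = guesses_per_second * target_seconds
    length = 1
    while keyspace(charset_size, length) < needed:
        length += 1
    return length


def human_duration(seconds):
    """Express a duration in its largest sensible unit for a human reader."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


# Assumed character sets: lowercase letters, letters + digits, printable ASCII.
CHARSETS = {"lowercase": 26, "alphanumeric": 62, "printable": 95}
# Hypothetical attacker speed (assumption); real rates depend on hash and hardware.
GUESSES_PER_SECOND = 1_000_000_000
TEN_YEARS = 10 * 365 * 86400


def policy_table(guesses_per_second=GUESSES_PER_SECOND):
    """Rows of (charset name, length, worst-case time) for lengths 6, 8 and 12."""
    rows = []
    for name, size in CHARSETS.items():
        for length in (6, 8, 12):
            secs = seconds_to_exhaust(size, length, guesses_per_second)
            rows.append((name, length, human_duration(secs)))
    return rows


if __name__ == "__main__":
    for name, length, duration in policy_table():
        print(f"{name:>12} x {length:2d} chars: {duration}")
    for name, size in CHARSETS.items():
        needed = min_length_for(size, GUESSES_PER_SECOND, TEN_YEARS)
        print(f"{name}: {needed} characters needed for a ten-year worst case")
```

Going from six to eight characters multiplies the work by the square of the character-set size (3,844 times for an alphanumeric set), which is why the slide’s two figures differ by orders of magnitude; `min_length_for` turns the same relation around so a policy can be stated as a length per character set rather than as a crack time.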

Real Time Risk Evaluation
Implement a solution that provides a transparent layer of authentication at log-in. This is crucial, allowing a merchant, retailer or bank the ability to create a real-time digital identity for online users based on multiple factors including user behavior, machine identification and user preference.

Regular Password Changes
Require Internet customers to change static passwords at regular intervals. This will cause any compromised data to become “stale” among fraudster groups.

Provide Authentication Options
Offer customers varying authentication methods and encourage adoption based on a customer’s risk profile (e.g. retail vs. trust and high-net-worth clients): tokens, strong passwords, strong security questions, encryption certificates.

Ask Transactional Questions
Ask questions that pertain to the user’s account: last time used, amount charged. These techniques will ensure your help desk is talking to THE customer.

Customer Account Monitoring and Alerting
Give customers the option to select transactional alerts and account notifications: change of address, transfers, withdrawals, various other account changes.

Customer Communication / Awareness
Regular communication with customers, identification and early notification of suspected issues.

Page 22

Security Program Minimums

Vulnerability Management
• Vulnerability Scanning: conduct external vulnerability assessments monthly and internal vulnerability assessments quarterly.
• Penetration Testing: annual penetration testing should be conducted to identify accessible systems, probe for known vulnerabilities, provide insight into possible attack vectors and provide recommendations on how to effectively mitigate any identified threat.
• Firewall Rule Review: all firewall changes should be reviewed by the security group to ensure proper security practices.
• Intrusion Detection / Prevention: IDS/IPS should be deployed to serve both as a forensic function and to validate the efficacy of other control methods.
• Anti-Virus Systems: anti-virus software should be deployed to all Windows-based server and desktop systems.

Incident Response
• Computer Forensics: analysis and evidence collection of computer system / application data for the legal preservation of security event case information.
• Event Management: respond to events identified by IDS and AV systems; verify system integrity after an event has been detected.
• Incident Investigation: policy violations / inappropriate use; data collection and event analysis for internal investigations in cooperation with internal business groups (HR, Legal).
• E-Discovery: data collection and preservation for legal e-discovery requests.
• Phishing: response and management of both phishing and brand abuse attacks.

Page 23

Outlook

• Social Networking
  – Continued growth
  – Continued threats
• Hacktivism
  – Anonymous
  – DoS
  – Reputation & other attacks
• Increased focus on corporations?

Page 24

Ryan W. Garvey
Coordinator, Information Security & Cyber Threats
571-345-7748
[email protected]