Presentation: CIO challenges, by Aj. Prinya, given at the IT executives seminar on 24 February 2011 (B.E. 2554). Uploaded by software-park-thailand.
Security intelligence: RSA Conference 2011
Prinya Hom-Anek
CGEIT, CISSP, CSSLP, CISA, CISM, SSCP, SANS GIAC GCFW, ITIL Expert, CompTIA Security+, IRCA ISMS Lead Auditor, BCMS Auditor; (ISC)2 Asian Advisory Board; ISACA Thailand Committee; Thailand Information Security Association (TISA) Committee; ACIS Professional Center Co., Ltd., President and Founder
Agenda
• Introduction
• Social Networks Security Update
• Malware Security Update
• Mobile Devices and Smartphones Security Update
• Secure Software Development Security Update
© Copyright, ACIS Professional Center Company Limited, All rights reserved
RSA CONFERENCE
The previous RSA Conference Theme
RSA Conference 2011 (ISC)2 member reception
Conference Theme
• Rivest used fictitious placeholder names to explain the RSA encryption method and the many steps involved in the complex system.
• Alice & Bob were born to make the subject matter easier to grasp, replacing Person A and Person B.
• Bruce Schneier, author of Applied Cryptography and another forefather of information security, introduced a host of other characters to make technical topics more understandable.
• This cast of friends and enemies, including Eve the Eavesdropper, Mallory the Malicious Attacker and Walter the Warden, among others, populates Alice & Bob's universe and has evolved into common parlance in cryptography and computer security.
Example of an "Alice and Bob" analogy used in cryptography
Example of an "Alice and Bob" analogy used in cryptographic hashing
SOCIAL NETWORKS SECURITY
Social Networks Survey
Social Engineering Techniques on Social Networks
• One of the more common types of attack hitting users is "clickjacking", also called "UI redressing".
• These attacks use maliciously crafted pages where the true function of a button is concealed: the control the victim actually clicks is hidden by an opaque decoy layer showing something entirely different, so the click lands on the hidden control in the victim's own logged-in session.
• Often sharing or "liking" the content in question sends the attack out to contacts through newsfeeds and status updates, propagating the scam.
• Clickjacking attacks not only spread social networking link-spam; they also regularly carry out other actions such as granting access to valuable personal information and even making purchases.
Example of Clickjacking
How Clickjacking works?
How to Avoid Social Engineering Techniques on Social Networks
1. If something sounds too good to be true, it probably is.
2. Ask yourself why you would be singled out for a windfall or other special treatment out of the millions of other Internet users. If you can't find a good reason, it's probably a scam.
3. Don't believe everything you read.
4. Be patient. Too many users end up the victims of Internet crime because they do not stop to think, but instead act on impulse, clicking on a "sexy" link or an interesting-looking attachment without thinking of the possible consequences.
How to Avoid Social Engineering Techniques on Social Networks (Cont.)
5. Never provide your personal information or information about your company/organization.
6. Double-check the URLs of websites you visit. Some phishing websites look identical to the actual site, but the URL may be subtly different.
7. Be cautious about sending sensitive information over the Internet if you're not confident about the security of the website.
8. Be suspicious of unsolicited phone calls and emails that ask for information about your employees or other information. It could be a scammer calling.
Applications
• Facebook has a major problem in the form of its app system.
• Any user can create an application with a wide range of powers to interact with data stored on user pages and with cross-site messaging systems, and these applications, like survey scams, can then be installed and run on any user's page.
• To combat this serious problem, a "walled garden" approach may be more suitable. This refers to a closed or exclusive set of information services provided for users, in contrast to allowing open access to applications and content.
Privacy Setting
• Facebook comes under regular criticism for its provision, implementation and explanation of user privacy features.
• Directions for setting privacy preferences are vague and unclear, if and when they're provided. Plus, once uploaded, information and content may be difficult or impossible to remove.
Types of Personal Data
• Likes: a person, band, movie, web page, or any other entity represented in Facebook's social graph that has a "like" button. "Likes" started with status updates, but have now grown to encompass pretty much everything.
• Name, Picture, Gender, Birthday, Contact Info: self-explanatory.
• Extended Profile Data: your family members, city, place of birth, religious views, favorite authors, schools attended; anything that is an entity you can list a relationship to in your profile.
• Friends: the people you've added as friends.
• Networks: the personal networks you've set up on Facebook (e.g. colleges & universities or companies).
• Wall posts & Photos: self-explanatory.
MALWARE
Target Software
• Cybercriminals tend to target Microsoft, because its Office and Internet Explorer products are ubiquitous.
• Many users view this software as an integral part of the Windows platform, rather than as separate software that may need a separate regime of updating and patching.
• Lately, cybercrooks have targeted Adobe to enable malware distribution, as its PDF Reader and Flash Player are also widely, if not universally, installed.
• PDF exploits became ever more widespread, and new vulnerabilities in Reader emerged regularly.
• Maliciously crafted PDFs are placed on websites or mailed out in spam runs, in the hope that they will be opened in vulnerable Reader software and their payloads given free rein to infect systems.
Top 10 Vulnerable Vendors
Best and worst patchers
Exploit effort versus potential reward matrix
Advanced Persistent Threat (APT)
Increasingly sophisticated cyber attacks by hostile organizations with the goal of:
• Gaining access to defense, financial and other targeted information from governments, corporations and individuals.
• Maintaining a foothold in these environments to enable future use and control.
• Modifying data to disrupt performance in their targets.
APT in the news
APT - NASDAQ ATTACK
The attackers persisted within NASDAQ's Directors Desk servers for over 12 months.
25-Feb-11
Malware Evolution
[Chart: malware sophistication (Low, Medium, High) plotted against year, 2002 to 2010. Techniques plotted, roughly from earliest to latest: keylogging, mouselogging, screen capture, phishing and fake web sites, Trojans/viruses, spyware, vishing, smishing, SilentBanker, man in the middle, man in the browser, Zeus, SpyEye.]
ZEUS BOTNET
SpyEye BOTNET
SpyEye BOTNET – Credit Card Grabber
Zeus BOTNET Tracker
SpyEye BOTNET Tracker
Top ten countries hosting malware
Top malware spreading via email attachment
Stuxnet
• Stuxnet is a Windows computer worm, discovered in July 2010, that targets industrial software and equipment.
• The worm initially spreads indiscriminately, but includes a highly specialized malware payload that is designed to target only Supervisory Control And Data Acquisition (SCADA) systems that are configured to control and monitor specific industrial processes.
• Some of Iran's sensitive nuclear program computers were reportedly affected by it.
• A report issued by the Congressional Research Service (CRS) claims that Stuxnet could hit the U.S. as well.
• The so-called military-grade malware may have been an advanced threat, and it exposed a number of flaws in many layers of security processes.
STUXNET – SCADA ATTACK
MOBILE DEVICES AND SMARTPHONES
Mobile Devices and Smartphones
• According to Gartner analysts, one in six people will have access to a high-tech mobile device by the end of 2010.
• In the last few years, we've witnessed a radical change in the way we access and use the Internet.
• The rapid upswing in the sophistication of mobile technology resulted in a swift change in the way we provide mobile content and interact with it.
• However, this change brings with it a wealth of new problems for security.
• In our new, always-connected age, maintaining the integrity and privacy of networks, business data and personal information is increasingly important and difficult.
iPhone
• Hackers released the source code for potential iPhone spyware to the Internet (this also affected BlackBerry).
• Attackers tricked iPhone users into joining a mobile botnet by spreading a seemingly innocuous weather application.
• The majority of security issues continue to focus on jailbroken devices, where the mobile security settings are unlocked to get more functionality.
• Users continue to jailbreak their devices in droves, tempted by the possibility of installing applications not approved by the company.
• When iPhones are plugged in to home or company computers, or are set up on unapproved wireless networks to provide phone connectivity, threats are transferred from the iPhone to more vulnerable systems and networks.
• You can use a blend of policies and technologies to keep your network and machines safe. "Acceptable use" policies can attempt to control what users plug into company devices.
Android
• Google's Android tried to keep pace with the iPhone in terms of functionality, and as devices diversify, the Android user base continues to grow.
• Google found and removed banking malware from its application site, and a wallpaper application was found to have gathered information on over 1 million Android users.
• Android phones represent a considerable exposure point, but again one that relies heavily on social engineering to lure users into installing rogue or malicious applications that give the bad guys access to their phones.
BlackBerry
• BlackBerry is still the device of choice in corporate environments.
• The BlackBerry built-in security model is fairly successful so far, although potential spyware applications have been introduced.
• Most new developments, if anything, weaken that security model, with several nations pressuring RIM to slacken its policy of transporting all data through its central servers in strongly encrypted form, which prevents government snooping on traffic.
Definitely safe!!!!
Attacks Using Internet Marketing Techniques
• The search engine is our gateway to the web, and cybercrooks are skilled at manipulating search results from engines such as Google, Bing and Yahoo! to lure victims to their malicious pages.
• These pages host security risks and browser exploits just waiting to infect users who are directed to these sites.
• Legitimate Search Engine Optimization (SEO) techniques are regularly used as marketing tools, but when SEO is abused by the bad guys, and supplemented by more devious methods, it's known as Black Hat SEO.
• With Black Hat SEO attacks, known as "SEO poisoning", search engine results are poisoned to drive user traffic to the rogue site.
• Google reported that up to 1.3% of their search results are infected.
SECURE SOFTWARE DEVELOPMENT
Trusted Software
The security profile for trusted software in the context of software assurance includes the following:
• Protection against confidentiality, integrity, and availability threats
• Assurance that authentication cannot be circumvented
• Validation of authorization credentials before access to resources is granted
• Effective implementation of auditing functionality for business-critical and administrative transactions
• Management of sessions, exceptions, and configuration parameters
Software Security Profile
[Diagram: the profile's nine elements in three rows: Confidentiality, Integrity, Availability; Authentication, Authorization, Auditing; Session Management, Exceptions Management, Configuration Management.]
Threats that Impact Trust
• There are several threats to software that can impact one's level of confidence or trust in it.
• These threat agents take advantage of vulnerabilities in software and may be human or non-human.
Software Threat Agents Categorization
[Diagram: Software Threat Agents split into Non-Human (Malware) and Human (User Error, accidental; Hacker, intentional).]
Types of Malware
[Diagram: Malware split into Proliferative (Viruses & Worms) and Stealthware (Spyware & Adware, Trojans, Rootkits).]
Types of Malware (cont.)
Proliferative Malware
• Proliferative malware includes malicious software programs that, upon exploiting weaknesses in networks, hosts, and software applications, aim at propagating their malicious operations to other networks, hosts, and software applications connected to the victim.
• Viruses and worms are the most common form of proliferative malware.
Stealthware
• Stealthware includes malicious software programs such as spyware and adware, Trojans, and rootkits that remain hidden and often operate without the consent or knowledge of the victimized system or user.
Types of Embedded Code
[Diagram: Embedded Code split into Maintenance Hook/Backdoor and Logic Bomb.]
Backdoors
• Backdoors are code constructs embedded in code to allow programmers to bypass security mechanisms.
Logic bombs
• Like backdoors, logic bombs are also embedded code constructs that remain dormant in code and are executed when specific events and/or time conditions are met.
Trusted Software Characteristics
• Functions as expected (reliable)
• Ensures security policy (resilient)
• Is fault-tolerant and robust (recoverable)
• Maintains confidentiality, integrity, and availability of software and the data it handles
• Prevents circumvention of authentication and access control checks
• Handles sessions, configurations, and exceptions securely
• Is deployed on host systems that are adequately hardened
• Ensures protection against proliferative malware (viruses and worms)
• Defends against malware that causes disclosure and destruction (spyware and adware)
• Ensures protection against harmful malware that is purported as benign (Trojans)
• Does not allow privilege escalation from user land to kernel land (rootkits)
• Is deployed/released without any maintenance hooks (backdoors)
• Ensures that there are no embedded code security threats that can be conditionally triggered (logic bombs)
• Anti-tampering (obfuscation) and authenticity (signed code) controls are present
• Tested, validated, and verified for software security by the organization or by an independent third party.
RSA Conference Highlight
Application and Development Security
• Best Practices from the Front Lines: The Fight for Secure Software
• Software Security: The Big Picture
• Stop Exposing Yourself: Principles of Attack Surface Analysis and Reduction
• The Evolution of Software Security Assurance and its Relevance Today
• Innovation in Application Security
• Intelligence on the Intractable Problem of Insecure Software
• Agile Development, Security Fail
• Strategies for Security in Software QA
• Don't Teach Developers Security
• Planned vs. Agile for Security Software Development
RSA Conference Highlight (Cont.)
Cloud Computing Security
• Put a SOC in it: Operationalizing Security in a SaaS Environment
• Securing Cloud Access – Beyond Enterprise IA&M
• Cloud Investigations and Forensics
• Hacking Exposed - Exploiting the Cloud and Virtual Machines
RSA Conference Highlight (Cont.)
Social Networks Security
• Social Engineering in a Social Media World: Risk, Liability, and Control
• Blocking Social Media Is So 2010 - How to Embrace the Social Web Safely
• Is Social Networking Making Your Network Insecure?
• Proactively Tackling Social Networking and Data Security
• The Dark Side: Measuring and Analyzing Malicious Activity on Twitter
RSA Conference Highlight (Cont.)
Mobile Security
• Are Mobile Security Threats Real? A Panel of Mobile Experts Weigh In...
• Why You Can't Trust Your Mobile Network
• Trends in Mobile Authentication and Fraud Deterrence
• Mobile Security: What Perimeter? What Defense?
• The Big Picture Never Say "Mobile Cloud Leak"
• Mobile Security the Ugly Truth
• There's an App for That: What the Mobile App Explosion Means for Security
RSA Conference Highlight (Cont.)
APT (Advanced Persistent Threats)
• Cyber War: How We Learned to Stop Worrying and Love the Cyber Bomb
• Advanced Persistent Threats: War Stories from the Front Lines
• Hypebusters: The Advanced Persistent Threat and You
• Bring Your Doctor Masks: Live Zeus Trojan Dissection
RSA Conference Highlight (Cont.)
Technical Security
• Databases Under Attack - Securing Heterogeneous Database Infrastructures
• Seven Steps to Protecting Databases
• The Death of Signature-Based AV
• Cutting-Edge Hacking Techniques
Ref: http://www.rsaconference.com/
Web: http://www.acisonline.net  Email: [email protected]
Twitter: www.twitter.com/prinyaacis  Facebook: www.facebook.com/prinyah