Security intelligence: RSA Conference 2011

Prinya Hom-Anek

CGEIT, CISSP, CSSLP, CISA, CISM, SSCP, SANS GIAC GCFW, ITIL Expert, CompTIA Security+, IRCA: ISMS Lead Auditor, BCMS Auditor; (ISC)2 Asian Advisory Board; ISACA Thailand Committee; Thailand Information Security Association (TISA) Committee; ACIS Professional Center Co., Ltd., President and Founder

Presentation: CIO challenges by AJ.Prinya at the IT executive seminar on 24 February


DESCRIPTION

Presentation: CIO challenges by AJ.Prinya at the IT executive seminar on 24 February 2554 (B.E.)


Page 1: Presentation: CIO challenges by AJ.Prinya at the IT executive seminar on 24 February

Security intelligence: RSA Conference 2011

Prinya Hom-Anek

CGEIT, CISSP, CSSLP, CISA, CISM, SSCP, SANS GIAC GCFW, ITIL Expert, CompTIA Security+, IRCA: ISMS Lead Auditor, BCMS Auditor; (ISC)2 Asian Advisory Board; ISACA Thailand Committee; Thailand Information Security Association (TISA) Committee; ACIS Professional Center Co., Ltd., President and Founder

Page 2

Agenda

- Introduction
- Social Networks Security Update
- Malware Security Update
- Mobile Devices and Smartphones Security Update
- Secure Software Development Security Update

© Copyright, ACIS Professional Center Company Limited, All rights reserved

Page 3

RSA Conference

Page 4

The previous RSA Conference theme

Page 5

RSA Conference 2011 (ISC)2 member reception

Page 6

Conference Theme

- Rivest used fictitious placeholder names to explain the RSA encryption method and the many steps involved in the complex system.
- Alice & Bob were born to make the subject matter easier to grasp, replacing Person A and Person B.
- Bruce Schneier, author of Applied Cryptography and another forefather of information security, introduced a host of other characters to make technical topics more understandable.
- This cast of friends and enemies, including Eve the Eavesdropper, Mallory the Malicious Attacker and Walter the Warden, among others, populates Alice & Bob's universe and has evolved into common parlance in cryptography and computer security.

Page 7

Example of an "Alice and Bob" analogy used in cryptography

Page 8

Example of an "Alice and Bob" analogy used in cryptographic hashing

Page 9

SOCIAL NETWORKS SECURITY

Page 10

Social Networks Survey

Page 11

Social Engineering Techniques on Social Networks

- One of the more common types of attack hitting users is "clickjacking", also called "UI redressing".
- These attacks use maliciously created pages where the true function of a button is concealed beneath an opaque layer showing something entirely different.
- Often, sharing or "liking" the content in question sends the attack out to contacts through newsfeeds and status updates, propagating the scam.
- Clickjacking attacks not only spread social-networking link-spam; they also regularly carry out other actions such as granting access to valuable personal information and even making purchases.

Page 12

Example of Clickjacking

Page 13

How clickjacking works
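The usual server-side defence against the UI-redressing attack described on the previous slides is to tell the browser not to render the page inside a third-party frame. The following checker, added here as an example and not part of the original deck, classifies a response's framing protection from its headers; the rules it encodes (CSP frame-ancestors overrides X-Frame-Options, report-only CSP enforces nothing, ALLOW-FROM is deprecated) are general browser behaviour, and the sample header blocks are constructed.

```python
"""Classify an HTTP response's framing protection (clickjacking defence).

Added example: the rules below are general facts about X-Frame-Options and
CSP frame-ancestors, not material from the slide deck; the sample response
header blocks are constructed for this example.
"""
from typing import List, Optional, Tuple

# Decision rules (general browser behaviour, not from the deck):
#  - Content-Security-Policy "frame-ancestors", when present, overrides
#    X-Frame-Options.
#  - "-Report-Only" CSP headers do not enforce anything.
#  - X-Frame-Options DENY / SAMEORIGIN protect; ALLOW-FROM is deprecated and
#    ignored by current browsers, so it counts as no protection.


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw response header block into (lower-cased name, value) pairs."""
    pairs = []
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line, blank line or body text
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def frame_ancestors(csp_values: List[str]) -> Optional[List[str]]:
    """Return the frame-ancestors source list from the first CSP that has one."""
    for policy in csp_values:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return None


def framing_protection(raw: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is protected, restricted or unprotected."""
    headers = parse_headers(raw)
    csp = [v for n, v in headers if n == "content-security-policy"]
    xfo = [v.upper() for n, v in headers if n == "x-frame-options"]

    sources = frame_ancestors(csp)
    if sources is not None:
        # An empty source list is equivalent to 'none'.
        if not sources or sources == ["'none'"]:
            return "protected", "CSP frame-ancestors 'none'"
        if "*" in sources or any(s in ("http:", "https:") for s in sources):
            return "unprotected", "CSP frame-ancestors allows any origin"
        if sources == ["'self'"]:
            return "protected", "CSP frame-ancestors 'self'"
        return "restricted", "CSP frame-ancestors allow-list: " + " ".join(sources)

    if not xfo:
        return "unprotected", "no X-Frame-Options or CSP frame-ancestors"
    values = set(xfo)
    if values in ({"DENY"}, {"SAMEORIGIN"}):
        return "protected", "X-Frame-Options " + xfo[0]
    if any(v.startswith("ALLOW-FROM") for v in values):
        return "unprotected", "X-Frame-Options ALLOW-FROM is deprecated and ignored"
    return "unprotected", "X-Frame-Options value(s) not recognised: " + ", ".join(sorted(values))


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "xfo_only": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n",
    "csp_wins": "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://old.example\r\n"
                "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n",
    "report_only": "HTTP/1.1 200 OK\r\nContent-Security-Policy-Report-Only: frame-ancestors 'none'\r\n",
    "partner": "HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors 'self' https://partner.example\r\n",
    "none": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
}


def audit(responses=SAMPLE_RESPONSES):
    """Run the classifier over a dict of name -> raw header block."""
    return {name: framing_protection(raw) for name, raw in responses.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in audit().items():
        print(f"{name:12} {verdict:12} {reason}")
```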

Page 14

How to Avoid Social Engineering Techniques on Social Networks

1. If something sounds too good to be true, it probably is.

2. Ask yourself why you would be singled out for a windfall or other special treatment out of the millions of other Internet users. If you can't find a good reason, it's probably a scam.

3. Don't believe everything you read.

4. Be patient. Too many users end up the victims of Internet crime because they do not stop to think, but instead act on impulse, clicking on a "sexy" link or an interesting-looking attachment without thinking of the possible consequences.

Page 15

How to Avoid Social Engineering Techniques on Social Networks (Cont.)

5. Never provide your personal information or information about your company/organization.

6. Double-check the URLs of websites you visit. Some phishing websites look identical to the actual site, but the URL may be subtly different.

7. Be cautious about sending sensitive information over the Internet if you're not confident about the security of the website.

8. Be suspicious of unsolicited phone calls and emails that ask for information about your employees or other information. It could be a scammer calling.
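Item 6 above is easy to state and hard to do by eye, so here is a small checker, added here as an example and not part of the original deck, that applies the common "subtly different URL" tricks mechanically: look-alike characters, a brand name used as a subdomain of another domain, user-info before an "@" that hides the real host, and punycode labels. The trusted domain list, the sample URLs and the confusable table are constructed, and the registrable domain is approximated as the last two labels rather than via a public-suffix list.

```python
"""Flag URLs whose host merely resembles a trusted site (added example).

The trusted domains, the sample URLs and the confusable-character table are
constructed for this example. The registrable domain is approximated as the
last two host labels (no public-suffix list), a deliberate simplification.
"""
from typing import Tuple
from urllib.parse import urlsplit

TRUSTED = {"acmebank.com"}  # constructed allow-list of the sites you really use

# Characters and digraphs commonly swapped for look-alikes (small subset).
SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
DIGRAPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize(name: str) -> str:
    """Fold common look-alike characters so 'acrnebank' compares as 'acmebank'."""
    folded = name.lower().translate(SINGLE)
    for seq, rep in DIGRAPHS:
        folded = folded.replace(seq, rep)
    return folded


def registrable(host: str) -> str:
    """Approximate registrable domain: the last two labels of the host."""
    return ".".join(host.split(".")[-2:])


def assess_url(url: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is trusted, suspicious or unknown."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "suspicious", "URL has no host"
    if parts.username is not None:
        # "https://acmebank.com@evil.example/" really connects to evil.example
        return "suspicious", f"user-info before '@' hides the real host {host}"
    domain = registrable(host)
    if domain in TRUSTED:
        if parts.scheme != "https":
            return "suspicious", f"{domain} is trusted but the link is not HTTPS"
        return "trusted", domain
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "internationalised (punycode) label in host"
    for trusted in TRUSTED:
        brand = trusted.split(".")[0]
        if normalize(domain) == trusted:
            return "suspicious", f"{domain} is a look-alike of {trusted}"
        if brand in host.split(".")[:-2]:
            return "suspicious", f"{brand} used as a subdomain of {domain}"
        if brand in normalize(domain):
            return "suspicious", f"{brand} embedded in unrelated domain {domain}"
    return "unknown", f"{domain} is not in the trusted list"


# Constructed sample links, as they might arrive in a message or a post.
SAMPLE_URLS = [
    "https://www.acmebank.com/login",
    "http://www.acmebank.com/login",
    "https://www.acrnebank.com/login",
    "https://acmebank.com.evil.example/login",
    "https://acmebank.com@evil.example/login",
    "https://xn--acmebnk-hya.com/",  # constructed punycode-looking label
    "https://docs.python.org/3/",
]


def assess_all(urls=SAMPLE_URLS):
    """Run the checker over a list of URLs and return url -> (verdict, reason)."""
    return {u: assess_url(u) for u in urls}


if __name__ == "__main__":
    for u, (verdict, reason) in assess_all().items():
        print(f"{verdict:10} {u}  ({reason})")
```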

Page 16

Applications

- Facebook has a major problem in the form of its app system.
- Any user can create an application with a wide range of powers to interact with data stored on user pages and cross-site messaging systems, and these applications, like survey scams, can then be installed and run on any user's page.
- To combat this serious problem, a "walled garden" approach may be more suitable. This refers to a closed or exclusive set of information services provided for users, in contrast to allowing open access to applications and content.

Page 17

Privacy Settings

- Facebook comes under regular criticism for its provision, implementation and explanation of user privacy features.
- Directions for setting privacy preferences are vague and unclear, if and when they're provided. Plus, once uploaded, information and content may be difficult or impossible to remove.

Page 18

Types of Personal Data

- Likes: a person, band, movie, web page, or any other entity represented in Facebook's social graph that has a "like" button. "Likes" started with status updates, but have now grown to encompass pretty much everything.
- Name, Picture, Gender, Birthday, Contact Info: self-explanatory.
- Extended Profile Data: your family members, city, place of birth, religious views, favorite authors, schools attended; anything that is an entity you can list a relationship to in your profile.
- Friends: the people you've added as friends.
- Networks: the personal networks you've set up on Facebook (e.g. colleges & universities or companies).
- Wall posts & Photos: self-explanatory.

Page 19

MALWARE

Page 20

Target Software

- Cybercriminals tend to target Microsoft, because its Office and Internet Explorer products are ubiquitous.
- Many users view this software as an integral part of the Windows platform, rather than as separate software that may need a separate regime of updating and patching.
- Lately, cybercrooks have targeted Adobe to enable malware distribution, as its PDF Reader and Flash Player are also widely, if not universally, installed.
- PDF exploits became ever more widespread, and new vulnerabilities in Reader emerged regularly.
- Maliciously crafted PDFs are placed on websites or mailed out in spam runs, in the hope that they will be opened in vulnerable Reader software and their payloads given free rein to infect systems.

Page 21

Top 10 Vulnerable Vendors

Page 22

Best and worst patchers

Page 23

Exploit effort versus potential reward matrix

Page 24

Advanced Persistent Threat (APT)

Increasingly sophisticated cyber attacks by hostile organizations with the goal of:

- Gaining access to defense, financial and other targeted information from governments, corporations and individuals.
- Maintaining a foothold in these environments to enable future use and control.
- Modifying data to disrupt performance in their targets.

Page 25

APT in the news

Page 26

APT - NASDAQ ATTACK

The attackers persisted within NASDAQ's Directors Desk servers for over 12 months.

25-Feb-11

Page 27

Malware Evolution

[Chart: malware sophistication (Low, Medium, High) plotted by year, 2002 to 2010. Items plotted: Keylogging, Mouselogging, Screen Capture, Phishing, Fake Web Sites, Trojan/Virus, Spyware, Vishing, Smishing, Man in the Middle, Man in the Browser, SilentBanker, Zeus, SpyEye.]

Page 28

ZEUS BOTNET

Page 29

ZEUS BOTNET

Page 30

SpyEye BOTNET

Page 31

SpyEye BOTNET

Page 32

SpyEye BOTNET

Page 33

SpyEye BOTNET - Credit Card Grabber

Page 34

Zeus BOTNET Tracker

Page 35

SpyEye BOTNET Tracker

Page 36

Top ten countries hosting malware

Page 37

Top malware spreading via email attachment

Page 38

Stuxnet

- Stuxnet is a Windows computer worm discovered in July 2010 that targets industrial software and equipment.
- The worm initially spreads indiscriminately, but includes a highly specialized malware payload that is designed to target only Supervisory Control And Data Acquisition (SCADA) systems that are configured to control and monitor specific industrial processes.
- Some of Iran's sensitive nuclear program computers were reportedly affected by it.
- A report issued by the Congressional Research Service (CRS) claims that Stuxnet could hit the U.S. as well.
- The so-called military-grade malware may have been an advanced threat, showing a number of flaws in many layers of security processes.

Page 39

STUXNET - SCADA ATTACK

Page 40

Page 41

MOBILE DEVICES AND SMARTPHONES

Page 42

Mobile Devices and Smartphones

- According to Gartner analysts, one in six people will have access to a high-tech mobile device by the end of 2010.
- In the last few years, we've witnessed a radical change in the way we access and use the Internet.
- The rapid upswing in the sophistication of mobile technology resulted in a swift change in the way we provide mobile content and interact with it.
- However, this change brings with it a wealth of new problems for security.
- In our new, always-connected age, maintaining the integrity and privacy of networks, business data and personal information is increasingly important and difficult.

Page 43

iPhone

- Hackers released the source code for potential iPhone spyware to the Internet (this also affected BlackBerry).
- Attackers lured iPhone smartphone users into joining a mobile botnet by spreading a seemingly innocuous weather application.
- The majority of security issues continue to focus on jailbroken devices, where the mobile security settings are unlocked to get more functionality.
- Users continue to jailbreak their devices in droves, tempted by the possibility of installing applications not approved by the company.
- When iPhones are plugged in to home or company computers, or are set up on unapproved wireless networks to provide phone connectivity, threats are transferred from the iPhone to more vulnerable systems and networks.
- You can use a blend of policies and technologies to keep your network and machines safe. "Acceptable use" policies can attempt to control what users plug into company devices.

Page 44

Android

- Google's Android tried to keep pace with the iPhone in terms of functionality, and as devices diversify, the Android user base continues to grow.
- Google found and removed banking malware from the site when a wallpaper application gathered information on over 1 million Android users.
- Android phones represent a considerable exposure point, but again one that relies heavily on social engineering to lure users into installing rogue or malicious applications that give the bad guys access to their phones.

Page 45

BlackBerry

- BlackBerry is still the device of choice in corporate environments.
- The BlackBerry built-in security model is fairly successful so far, although potential spyware applications have been introduced.
- Most new developments, if anything, weaken that security model, with several nations pressuring RIM to slacken its policy of transporting all data through its central servers in strongly encrypted form, which prevents government snooping on traffic.

Page 46

Absolutely secure!!!!

Page 47

Attacks Using Internet Marketing Techniques

- The search engine is our gateway to the web, and cybercrooks are skilled at manipulating search results from engines such as Google, Bing and Yahoo! to lure victims to their malicious pages.
- These pages host security risks and browser exploits just waiting to infect users who are directed to these sites.
- Legitimate Search Engine Optimization (SEO) techniques are regularly used as marketing tools, but when SEO is abused by the bad guys, and supplemented by more devious methods, it's known as Black Hat SEO.
- With Black Hat SEO attacks, known as "SEO poisoning", search engine results are poisoned to drive user traffic to the rogue site.
- Google reported that up to 1.3% of their search results are infected.

Page 48

SECURE SOFTWARE DEVELOPMENT

Page 49

Trusted Software

The security profile for trusted software in the context of software assurance includes the following:

- Protection against confidentiality, integrity, and availability threats
- Assurance that authentication cannot be circumvented
- Validation of authorization credentials before access to resources is granted
- Effective implementation of auditing functionality for business-critical and administrative transactions
- Management of sessions, exceptions, and configuration parameters

Page 50

Software Security Profile

[Diagram: Confidentiality, Integrity, Availability; Authentication, Authorization, Auditing; Session Management, Exceptions Management, Configuration Management.]

Page 51

Threats that Impact Trust

- There are several threats to software that can impact one's level of confidence or trust in it.
- These threat agents take advantage of vulnerabilities in software and may be human or non-human.

Page 52

Software Threat Agents Categorization

[Diagram: Software Threat Agents. Non-Human: Malware. Human: User Error (Accidental), Hacker (Intentional).]

Page 53

Types of Malware

[Diagram: Malware. Proliferative: Viruses & Worms. Stealthware: Spyware & Adware, Rootkits, Trojans.]

Page 54

Types of Malware (cont.)

Proliferative Malware

- Proliferative malware includes malicious software programs that, upon exploiting weaknesses in networks, hosts, and software applications, aim at propagating their malicious operations to other networks, hosts, and software applications connected to the victim.
- Viruses and worms are the most common form of proliferative malware.

Stealthware

- Stealthware includes malicious software programs such as spyware and adware, Trojans, and rootkits that remain hidden and often operate without the consent or knowledge of the victimized system or user.

Page 55

Types of Embedded Code

Backdoors

- Backdoors are code constructs embedded in code to allow programmers to bypass security mechanisms.

Logic bombs

- Like backdoors, logic bombs are also embedded code constructs that remain dormant in code and are executed when specific events and/or time conditions are met.

[Diagram: Embedded Code, split into Maintenance Hook/Backdoor and Logic Bomb.]

Page 56

Trusted Software Characteristics

- Functions as expected (reliable)
- Ensures security policy (resilient)
- Is fault-tolerant and robust (recoverable)
- Maintains confidentiality, integrity, and availability of software and the data it handles
- Prevents circumvention of authentication and access control checks
- Handles sessions, configurations, and exceptions securely
- Is deployed on host systems that are adequately hardened
- Ensures protection against proliferative malware (viruses and worms)
- Defends against malware that causes disclosure and destruction (spyware and adware)
- Ensures protection against harmful malware that is purported as benign (Trojans)
- Does not allow privilege escalation from user land to kernel land (rootkits)
- Is deployed/released without any maintenance hooks (backdoors)
- Ensures that there are no embedded code security threats that can be conditionally triggered (logic bombs)
- Anti-tampering (obfuscation) and authenticity (signed code) controls are present
- Tested, validated, and verified for software security by the organization or by an independent third party

Page 57

RSA Conference Highlight

Application and Development Security

- Best Practices from the Front Lines: The Fight for Secure Software
- Software Security: The Big Picture
- Stop Exposing Yourself: Principles of Attack Surface Analysis and Reduction
- The Evolution of Software Security Assurance and its Relevance Today
- Innovation in Application Security
- Intelligence on the Intractable Problem of Insecure Software
- Agile Development, Security Fail
- Strategies for Security in Software QA
- Don't Teach Developers Security
- Planned vs. Agile for Security Software Development

Page 58

RSA Conference Highlight (Cont.)

Cloud Computing Security

- Put a SOC in it: Operationalizing Security in a SaaS Environment
- Securing Cloud Access - Beyond Enterprise IA&M
- Cloud Investigations and Forensics
- Hacking Exposed - Exploiting the Cloud and Virtual Machines

Page 59

RSA Conference Highlight (Cont.)

Social Networks Security

- Social Engineering in a Social Media World: Risk, Liability, and Control
- Blocking Social Media Is So 2010 - How to Embrace the Social Web Safely
- Is Social Networking Making Your Network Insecure?
- Proactively Tackling Social Networking and Data Security
- The Dark Side: Measuring and Analyzing Malicious Activity on Twitter

Page 60

RSA Conference Highlight (Cont.)

Mobile Security

- Are Mobile Security Threats Real? A Panel of Mobile Experts Weigh In...
- Why You Can't Trust Your Mobile Network
- Trends in Mobile Authentication and Fraud Deterrence
- Mobile Security: What Perimeter? What Defense?
- The Big Picture: Never Say "Mobile Cloud Leak"
- Mobile Security: the Ugly Truth
- There's an App for That: What the Mobile App Explosion Means for Security

Page 61

RSA Conference Highlight (Cont.)

APT (Advanced Persistent Threats)

- Cyber War: How We Learned to Stop Worrying and Love the Cyber Bomb
- Advanced Persistent Threats: War Stories from the Front Lines
- Hypebusters: The Advanced Persistent Threat and You
- Bring Your Doctor Masks: Live Zeus Trojan Dissection

Page 62

RSA Conference Highlight (Cont.)

Technical Security

- Databases Under Attack - Securing Heterogeneous Database Infrastructures
- Seven Steps to Protecting Databases
- The Death of Signature-Based AV
- Cutting-Edge Hacking Techniques

Page 63

Ref: http://www.rsaconference.com/

Page 64

Web : http://www.acisonline.net
Email : [email protected]
Twitter : www.twitter.com/prinyaacis
Facebook : www.facebook.com/prinyah