Symantec: The rise of hacktivism and insider threats

The rise of hacktivism and insiders: new
tactics, new motives
Andrew Horbury
Senior Product Marketing Manager

Data sources: ISTR, WSTR, Symantec Security Response

hacktivism and insiders: new tactics, new motives

2

Agenda
1

Why we are here today

2

Hacktivism 101

3

How do they do it?

4

Web based attacks

5

Insiders 101

6

Mediation

7

Information sources


3

What is a Hacktivist ?
• Def. haktɪvɪst/ (noun) - a person who gains unauthorised access to
computer files or networks in order to further social or political ends.
• The term was coined in 1996 by Omega, a member of the popular
group of hackers known as Cult of the Dead Cow
• Hacktivism includes cyber attacks performed to promote (or
motivated by) political or social scopes

Source: http://hackmageddon.com/2013-cyber-attacks-timeline-master-index/


4

From activist to Hacktivist


5

Anonymous hacks Vatican website

http://www.zdnet.com/blog/security/anonymous-hacks-abortion-clinic-steals-10000-records/10675


6

So what happens?
• Criminals buy ready-made malware, such as the Sakura toolkit,
which is then installed on someone else’s website. It scans
visitors’ computers for known vulnerabilities and picks the most
effective exploit to infect them.


7

Our Websites are Being Used Against Us
Vulnerabilities and malware on the rise…..

53%

61%
of web sites serving
malware are legitimate sites

of legitimate websites have
unpatched vulnerabilities

25%
have critical vulnerabilities
unpatched


8

Our Websites are Being Used Against Us

53%

61%
of web sites serving
malware are legitimate sites

of legitimate websites have
unpatched vulnerabilities

25%

vulnerabilities reported in 2012
have critical vulnerabilities
unpatched


9

Web based attacks on the rise
The number of Web-based attacks increased by
almost a third in 2012. These attacks silently infect enterprise and

consumer users when they visit a compromised website. In
other words, you can be infected simply by visiting a legitimate
website. Typically, attackers infiltrate the website to install their
attack toolkits and malware
payloads, unbeknown to the site
owner or the potential victims.


10

Why are you telling me this? My company
is not important – why would anyone
attack me?
“C’mon no one will attack my company…
will they?”


11

Targeted Attacks by Company Size: 2012

Small businesses say……
• 41% have been a victim of cybercrime in past 12 months.
• 20% have had a virus infection in their business

• 8% have suffered from a hacking incident
• 20% have not taken any steps to protect themselves at all! In a
pool of 2000+ that’s at least 400 businesses that are probably at
high risk

• Only 36% say they regularly apply security patches
• 60% kept their antivirus software up to date


13


14

Targeted Attacks by Industry: 2012
24%

Manufacturing
Manufacturing

19%

Finance, Insurance & Real Estate
Finance, Insurance & Real Estate

17%

Services – Non-Traditional
Services – Non-Traditional

12%

Government
Government

10%

Energy/Utilities
Energy/Utilities

8%

Services – Professional
Services – Professional
Wholesale
Wholesale

2%

Retail
Retail

2%

Aerospace
Aerospace

2%

Transportation, Communications,
tion, Communications, Electric, Gas
Electric, Gas

1%
0%

5%

10%

15%

20%

25%

30%

15

Targeted Attacks by Job Function: 2012
30%

R&D
27%

Sales
24%

25%

C-Level
17%

20%
15%

Senior
12%

Shared
Mailbox
13%

10%
5%

Recruitment
Media
4%
3%

PA
1%

0%

• Attacks may start with the ultimate target but often look opportunistically
for any entry into a company

16

Are your employees putting your company’s data at
risk?
• Insider theft makes up between
8-14% of confirmed data
breaches, compared to the 88 or
92 percent attributed to external
actors
• Insider account for 69 percent of
all corporate security issues
• UK Information Commissioner’s
Office fined & prosecuted more
businesses because of insider
incidents than they did outsider
attacks in 2012


17

Are your employees putting your company’s data at
risk?
• More than 30 percent of insiders
engaging in IT sabotage have a prior
arrest history
• They may brag about the damage they
could do to the organisation if they so
desired.
• Bitterness about being passed over for
promotion
• Considering starting up a competing
business and using the organisation’s
resources and IP for a new/side business
• The pattern or quantity of the information
they retrieve might change
drastically, potentially indicating data
theft.


18

Malicious Insiders could pose the greatest risk

Areas of Focus…..
• Know your people
• Focus on deterrence, not
detection
• Identify information that is
most likely to be valuable
• Monitor ingress and egress
• Baseline normal activity


19

What do they do and what are the
threats?
Everyone is a target.


20

Anonymous has claimed responsibility for a broad
range of actions: publication of bank managers’
details, DDoS attacks on government
websites, taking child pornography websites
offline, hacking of two MIT websites, publication of
the VMware source code and attacks on Israeli
websites

21

Cutting Sword of Justice


22

Profile of Hacktivist threats
• Hacktivists mainly target the information, public and
service sectors.
• They primarily operate in Western Europe and North
America.
• Their most common attack methods are SQL
injection, using stolen credentials, brute force and DoS
attacks, remote file inclusion and backdoors
• The main assets they target are web
applications, databases and mail servers
• Their desired data is personal information, credentials
and internal corporate data

23

Insider threats
• Unauthorised access to or use of corporate information.
• Viruses, worms or other malicious code.
• Theft of intellectual property (IP).
The same research found that:

• Insiders often attempt to gain colleagues passwords or gain access
through trickery or exploit a relationship
• >70 percent of intellectual property theft cases, insiders steal the
information within 30 days of announcing their resignation
• More than half of insiders committing IT sabotage were former
employees who regained access via backdoors or corporate accounts
that were never properly disabled

24

Policies Procedures and employee access
• Temporary consultant at the Korea
Credit Bureau stole the customer
details of up to 20 million South
Koreans
• Can be
accidental
as well as
deliberate


25

What can you do about it?

•Security - assume that you are a target
•Culture - majority of insider attacks are instigated by
disgruntled employees

•Education - Educate staff about data protection and
the threats posed by hacktivists, cybercriminals and insiders is
essential.


26

Stay informed
• Follow us on twitter @nortonsecured @threatintel
@andyhorbury
• www.symantec.com/threatreport
• go.symantec.com/ssl
• Blogs www.symantec.com/connect/blogs/websitesecurity-solutions


27

Thank you!
Andrew Horbury
andy_horbury@symantec.coml
@andyhorbury

Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in
the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or
implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.


28

Symantec: The rise of hacktivism and insider threats

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Symantec: The rise of hacktivism and insider threats

Similar a Symantec: The rise of hacktivism and insider threats (20)

Más de Symantec Website Security

Más de Symantec Website Security (20)

Último

Último (20)

Symantec: The rise of hacktivism and insider threats