2. Agenda
• State of the security market
– Organized Cybercrime
– Common Attack Methodology
• Compliance defined
– The Compliance Two-Step
– The Obligatory Response
• A Security First Approach
• Real World Examples
4. Recent Attacks
May 4, 2009 Virginia Prescription Monitoring Program, Richmond Virginia
Compromised Records: 531,400
Type of Attack: Outside Hacker
Outcome: Attacker is still at-large. State notified 531,400 people of the breach by letter
November 10, 2010 Holy Cross Hospital, Ft. Lauderdale Florida
Compromised Records: 44,000 (1500 Confirmed)
Type of Attack: Internal Employee gained access to server
Outcome: Employee was fired and arrested. 5 other suspects have been charged.
February 10, 2011 Texas Children’s Hospital, Houston Texas
Compromised Records: 19,264
Type of Attack: Malware
Outcome: Attacker is still at-large. All patients were notified by letter
5. 2010 Data Breaches
Who is breaching data?
• 70% External Sources (-9%)
• 48% Inside Sources (+26%)
• 11% Business Partners (-23%)
• 27% Multiple Partners (-12%)
How do breaches occur?
• 48% Involved Privilege Misuse (+26%)
• 40% Hacking (-24%)
• 38% Malicious Code (<>)
• 28% Employed Social Tactics (+16%)
• 15% Physical Threats (+6%)
What Commonalities Exist
85% Attacks were not highly difficult
85% Breaches were the result of opportunistic attacks
96% Were considered avoidable through reasonable controls
*Statistics from 2010 Verizon Business Data Breach Investigation Report
7. Cybercrime Market
The Numbers
– Global computer crime market estimated to be $7B in 2010¹
– Russia responsible for $2.5B
– Growing ~35% per year overall
Interesting Trends
– Increase of specialization of participants
– On-Demand and Pay-Per-Use services
– Developing C2C market
¹ Group-IB Report - 2010
8. Crime Pays
Stolen Assets/Criminal Activity Payout
Credit Card Details $5-10, expected $1-2 post PSN
Bank Credentials $80-$700
Bank Transfers 10% to 40% of amount transferred
Social Security Numbers $30-50
0Day Exploits $5,000 - $100,000
Exploits for published vulnerabilities $5,000 - $50,000
Exploit Packs $200 - $5,000
Malware Pay-Per-Install Up to $1.50 for US victims, $0.15-0.60 for other countries
9. How it Works – The Business Model
Actors: Cybercrime Group, Distributor, Victims, Black Market
1. Distributor purchases malware pack from the cybercrime group
2. Distributor registers with the cybercrime group
3. Distributor infects users (P2P seeding, XSS)
4. Infected users send data to the group
5. Data sold wholesale on the black market
6. Payment made
13. Traditional Attacks
Hacker Profile
– Talented individual
– Young, bored
Motivation
– To prove a point
– Curiosity
– Credibility
Attack Methods
– Worms targeting memory vulns in network services
– Attack payload not usually customized
14. Modern Attack Profile
Hacker Profile
– Organized Crime (84%)
– Dedicated teams who are paid
– Teams often work for criminal organizations as a career
Motivation
– Targeted attack for financial gain
– Desire anonymity
Attack Methods
– Vulnerable web applications
– Client side applications
– Malware used to keep control
15. Delivery/Attack Surface
Infection Method Difficulty Effectiveness
Websites Easy Good
P2P Networks Easy Medium
SPAM Easy Medium
Paid Ads Medium Medium
Phishing Easy Poor
Traditional Network Exploit Difficult Poor
Blackhat SEO Medium Medium
Cross Site Scripting
‐ Most sites are vulnerable
‐ Easy to find and users trust the websites
SQL Injection
‐ Easy to find
‐ Very common
Source: Veracode State of Software Security Report, April 2011
17. Security and Compliance Management is Becoming More Difficult Every Day
Increasing number and sophistication in security threats
• Improved organization and sophistication of attackers
• Prolonged and persistent targeting with compressed timelines to react
• Rise of contaminated spam, botnets, and social engineering for malicious breaches
Increasing complexity in maintaining compliance
• Continuous updates in requirements and reporting standards
• Adoption of new regulatory compliance standards
• Manual and laborious processes
Increasing cost to support and maintain (HW, SW, FTEs)
• Training on the latest compliance requirements and security threats
• Updating, patching, and maintaining software, scripts, and processes
• Rollout of new HW/SW to keep up with increased demand
18. Complicated and Costly Compliance Picture for Healthcare
Implement People, Process, & Technology for Compliance
• HIPAA 164.308 Administrative safeguards
• HIPAA 164.312 Technical safeguards
Penalties for EMR Non-Compliance Coming into Effect
• Penalties and Fees up to $1.5M for neglect
• Data Breach Notification to HHS and Local Media for breaches >500 patients
What about PCI compliance?
• PCI applies to every entity that stores, processes, or transmits cardholder information
• Patient billing, pharmacy, etc.
19. Compliance… a costly problem
HIPAA & HITECH
Vulnerability Assessment
– 164.308 (a)(1)(ii)(A) Risk Analysis – Conduct vulnerability assessment
– 164.308 (a)(1)(ii)(B) Risk Management – Implement security measures to reduce risk of security breaches
– 164.308 (a)(1)(ii)(D) Information System Activity Review – Procedures to review system activity
IDS/IPS/Log Management
– 164.308 (a)(5)(ii)(B) Protection from Malicious Software – Procedures to guard against malicious software (host/network IPS)
– 164.308 (a)(6)(i) Log-in Monitoring – Procedures and monitoring for log-in attempts (host IDS)
– 164.308 (a)(6)(iii) Response & Reporting – Mitigate and document security incidents
Log Management
– 164.312 (b) Audit Controls – Procedures and mechanisms for monitoring system activity
20. Compliance… a costly problem
PCI DSS
Penalties: fines, loss of credit card processing, and level 1 merchant requirements
• Vulnerability Assessment
– 6.2 Identify newly discovered security vulnerabilities
– 11.2 Perform network vulnerability scans quarterly by an ASV
• Intrusion Detection
– 5.1.1 Monitor zero day attacks not covered by Anti-Virus
– 11.4 Maintain IDS/IPS to monitor & alert personnel, keep engines up to date
• Log Management
– 10.2 Automated audit trails
– 10.3 Capture audit trails
– 10.5 Secure logs
– 10.6 Review logs at least daily
– 10.7 Maintain logs online for 3 months
– 10.7 Retain audit trail for at least 1 year
SOX (CobiT)
Penalties: fines up to $5M, up to 10 years in prison
• Vulnerability Assessment – DS 5.9 Malicious Software Prevention, Detection, and Correction
“put preventive, detection, and corrective measures in place (especially up-to-date security patches and virus control) across the organization to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam)”
• Intrusion Detection – DS 5.6 Security Incident Definition
“clearly define and communicate the characteristics of potential security incidents so that they can be properly classified and treated by the incident and problem management process”
• Intrusion Detection – DS 5.10 Network Security
“use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks.”
• Log Management – DS 5.5 Security Testing, Surveillance, and Monitoring
“…a logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.”
21. The Ugly Truth
• Compliance is the output of post-mortem
– Some organization did not secure their data, and now everyone else
must deploy solutions, software, policies, and guidelines
• Compliance will always be a step behind the latest threat
• Compliance will NEVER mean you are secure
• Compliance mandates will continually be expanded, as
hospitals, insurance companies, and other health care resources
experience breaches, privacy violations, and security issues
22. The Compliance Two-Step
• Organizations continue to check the compliance box and then
struggle to maintain compliance
• IDS, Log Management and Vulnerability Scanning are the most expensive and resource intensive – and also the most difficult for organizations to implement and maintain
• Attacks are not being detected in an acceptable time
• Organizations that achieve compliance are able to protect their
patient data
• Companies will continue to fail to achieve compliance due to
lack of time, budget, and technical resources
23. The Obligatory Response
Protective Technical Controls
• Firewalls
• Routers
• Antivirus
• System Patching
• Complex Passwords
• Data Access Controls
• Whole Disk Encryption
• VPNs
25. Analyzing the Facts
• Companies aren’t detecting attacks in an effective way
– Why? Chasing false alarms, other priorities, etc.
• Companies are not focusing on continuous security
– Too many companies check a box and move on
• Companies must review log data
– Companies need to be more vigilant in this area
• Most of the 99% of breaches could have been caught
– With effective intrusion detection systems, log management and
vulnerability assessment
26. Common Trends
• Strong push towards SaaS and MSSPs to augment their staff
• Some are looking towards cloud-based technologies to reduce
technology expenditures
• Moving away from general standards like HIPAA and SOX
towards PCI and DISA Standards
• Deploying centralization solutions to tie together their
compliance efforts
• Using GRC tools
27. Defending Users
AV Isn’t Enough
– Malware evolves ahead of AV signatures
Education
– At least half of the executables on P2P network infected
– Don’t install software from untrusted sources
– Safe browsing
– Flash drives
28. Infrastructure Defense
Close your Perimeter (egress too!)
Patch your systems
Vulnerability scanning
– Automated vuln scans & review them regularly
IDS
– Attempted botnet comm, network scans
– Propagation over RPC exploits, brute forcing Windows shares
Log Management
– Account lockouts due to brute force
– Proxy logs
WAF
30. Use Case #1: Security Issues and Identity Theft
• Scenario
• One of your system administrators returned from a two-week vacation
and was unable to login
• He believes his account has been locked out, but he’s not sure why
• Key Questions to Answer:
• Why is the account locked out?
• Where did the lock out occur?
• When did it occur?
• How did it occur?
31. Effective Log Management Can Prevent Breaches and Provide Compliance
Breached customer records cost businesses an average of $202 per record in 2009¹
“86% of victims had evidence of the breach in their logs…”
“in most attacks, the victim has several days or more before data was compromised.”²
[Diagram] Timeline: Suspicious Log Activity → Intrusion or Penetration → Breach or Malicious Activity → IT alerted
• Without Log Mgmt: IT is alerted only after the breach – Too Late
• With Log Mgmt: Log collection and monitoring detects activity and sends alert; SOC is alerted and containment steps are executed – Breach is Avoided
32. Compliance and Security Simplified:
Security Issues and Identity Theft
Key Compliance and Security Activities
Without Log Management
• Investigating: Log in to a domain controller. Examine the AD object for the user to determine the time of lock-out. Review the logs on each domain controller manually. Issue: Manual & Time-consuming
• Monitoring: Log in to a domain controller daily. Create a filter on the username every day, and review the logs. Repeat the process for every domain controller. Issue: Expensive
• Alerting: Wait for the System Admin to call if their account is locked out again. Issue: Reactive
With Log Management
• Common index with search capabilities.
• Automated alerting and notification.
• Regular reporting and forensics.
33. Use Case #2: Audit Resolution Challenges
• Scenario
• A new policy is initiated to require any new Domain Administrators to
only be added by the Security Department
• A few weeks later, a routine audit discovers some new members in the
Domain Admin Group
• Key Questions to Answer:
• When were these users added?
• Who added them?
• Who was added?
34. Compliance and Security Simplified:
Audit Resolution Challenges
Key Compliance and Security Activities
Without Log Management
• Investigating: Log in to a domain controller. Review the logs for group changes. Hope the logs are still on the system and have not rolled over. Repeat for each DC. Issue: Manual & Time-consuming
• Monitoring: Log in to a domain controller daily. Review the Domain Admins group and verify no one has been added or removed since the last review. Issue: Expensive
• Alerting: Wait for the System Admin to call if their account is locked out again. Issue: Reactive
With Log Management
• Search on the Group Member Added event and filter on Domain Admins.
• Save the view and have the report emailed on a regular basis.
• Build an automated alert to notify when users are added, removed, or changed.
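The searches the Use Case #1 and Use Case #2 tables describe, as an added example that is not from the deck or from Alert Logic: it correlates Windows Security events held in a central index to answer the lock-out questions (why, where, when, how) and the Domain Admins questions (who added whom, when). The event IDs are the standard Windows ones; the event field names, host names, accounts and the five-minute window are constructed assumptions.

```python
"""Added example (not from the original deck): answer the two use-case
questions from a central log index instead of logging in to each DC.
Event IDs are the standard Windows Security log IDs: 4625 failed logon,
4740 account locked out, 4728 member added to / 4729 removed from a
security-enabled global group (Domain Admins is such a group).
All events below are constructed sample data."""
from datetime import datetime, timedelta

EVENTS = [  # constructed; field names are this example's own, not a product schema
    {"time": "2011-05-02T02:14:05", "id": 4625, "host": "DC01", "account": "jsmith", "source": "WKS-FIN-07"},
    {"time": "2011-05-02T02:14:09", "id": 4625, "host": "DC01", "account": "jsmith", "source": "WKS-FIN-07"},
    {"time": "2011-05-02T02:14:12", "id": 4625, "host": "DC01", "account": "jsmith", "source": "WKS-FIN-07"},
    {"time": "2011-05-02T02:14:15", "id": 4740, "host": "DC01", "account": "jsmith", "source": "WKS-FIN-07"},
    {"time": "2011-04-28T09:00:00", "id": 4625, "host": "DC02", "account": "jsmith", "source": "LAPTOP-JS"},
    {"time": "2011-05-03T11:20:00", "id": 4728, "host": "DC02", "subject": "svc_backup",
     "member": "tmp_admin2", "group": "Domain Admins"},
    {"time": "2011-05-03T11:25:00", "id": 4728, "host": "DC02", "subject": "secops_alice",
     "member": "new_secadmin", "group": "Domain Admins"},
    {"time": "2011-05-03T11:30:00", "id": 4728, "host": "DC02", "subject": "secops_alice",
     "member": "bob", "group": "Help Desk"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def explain_lockout(events, account, window=timedelta(minutes=5), threshold=3):
    """Use case #1: why, where and when was the account locked out?
    Returns None if no 4740 exists for the account; otherwise the lockout
    time, the DC that recorded it, the source workstation and the number of
    failed logons (4625) on that DC in the window before the lockout.
    A burst of failures at or above the threshold is flagged as brute force."""
    lockouts = sorted((e for e in events if e["id"] == 4740 and e["account"] == account), key=_ts)
    if not lockouts:
        return None
    lock = lockouts[-1]
    t_lock = _ts(lock)
    failures = [e for e in events
                if e["id"] == 4625 and e["account"] == account and e["host"] == lock["host"]
                and t_lock - window <= _ts(e) <= t_lock]
    return {"when": lock["time"], "where": lock["host"], "source": lock["source"],
            "failed_attempts": len(failures),
            "brute_force_suspected": len(failures) >= threshold}


def privileged_group_changes(events, group="Domain Admins", allowed_subjects=()):
    """Use case #2: who added (or removed) whom to the group, and when?
    Changes made by accounts in allowed_subjects (the Security Department
    in the scenario) are policy-compliant and are filtered out, so what is
    returned is exactly what should raise an alert."""
    actions = {4728: "added", 4729: "removed"}
    return [{"when": e["time"], "dc": e["host"], "action": actions[e["id"]],
             "who": e["subject"], "member": e["member"]}
            for e in sorted(events, key=_ts)
            if e["id"] in actions and e.get("group") == group
            and e["subject"] not in allowed_subjects]


if __name__ == "__main__":
    print(explain_lockout(EVENTS, "jsmith"))
    for change in privileged_group_changes(EVENTS, allowed_subjects={"secops_alice"}):
        print("ALERT:", change)
```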
35. Use Case #3: Hacker/Attacker
• Scenario
• For several weeks your network has been running slow
• Some systems have been performing abnormally and there are new
user accounts that cannot be tied back to a particular user
• Suddenly, you receive an odd e-mail from an alleged hacker who
claims to have access to sensitive patient files
• Key Questions to Answer:
• Have you been hacked?
• If so, when did it begin?
• How would you respond?
• Should you notify the media?
36. Compliance and Security Simplified:
Business Critical Applications
Key Compliance and Security Activities
Without Intrusion Detection
• Investigating: Log in to the firewall/VPN gateway and look through the logs (if it can store the logs). Look for disconnect messages, errors, etc. Issue: Manual & Time-consuming
• Monitoring: Log in to the VPN. Search inside the VPN Disconnect messages. See what time the disconnect occurred and all errors related to the VPN session. Issue: Expensive
• Alerting: Wait for the Network Engineer to log in and discover it is down. Issue: Reactive
With Intrusion Detection
• Use logs to search for suspicious messages, account creation, and firewall messages.
• Use IDS to look for attack attempts.
• Focus efforts on actionable security incidents.
37. With Complicated Threats, There is a Need for Security Expertise
Lots of point solutions, but difficult to consume all the data
It is nearly impossible to be aware of all forms of attacks and
attack-responses, and perform all the other functions expected
relating to daily operations
[Diagram] Timeline: Suspicious Log Activity → Intrusion or Penetration → Breach or Malicious Activity → IT alerted
• Without IDS: IT is alerted only after the breach – Too Late
• With IDS: Log collection and monitoring detects activity and sends alert; security containment steps are executed – Breach is Avoided
39. Meeting the Challenges Head On
• Move from manual to automated log management
– Keys to success: effective and sustainable log management and review
• Choose a vulnerability assessment solution that aligns with your
network
– Keys to success: centralized view and remediation knowledge
• Select an intrusion protection solution that doesn’t require
costly implementation, configuration and management
– Keys to success: Implement a solution that adapts to your network
security policies and minimizes the work load of your resources
Speaker notes
CC market 7B last year, Russia 1/3 and growing 35% per year. People talk a lot about the Chinese threat, but that’s mainly bc they’re noisy & they get caught; to me that means they’re not the ones you need to worry about so much. Interesting trends to note: the business models & roles are evolving along similar lines as the legit IT industry: on-demand & pay-per-use. Ppl are taking on specialized roles either to limit personal risk or to maximize effectiveness & profit within the context of their own abilities. T: things have evolved from single autonomous attackers to...
Credit cards – influenced by supply/demand. Sony PSN +70M cards stolen; if the majority are valid & dumped on the market, it would push prices way down. Exploit packs cover multiple vulns, price based on age. PPI – works like the banner ad & browser toolbar affiliate programs developed in the 90’s with pay-per-view and pay-per-click models; malware install affiliate programs have sprung up. T: I’m a young unemployed Ukrainian guy & I want in on the action.
This is a screenshot of the old Dogma Millions website. This has since been taken down, but you can see from the graphics the msg they send: work for us & you can drive your own Porsche SUV on a blue water beach with Victoria’s Secret models. T: unfortunately the English language sites aren’t as creative...
Payperinstall.com is a clearinghouse for pay per install groups. You sign up with an affiliate, they provide a custom set of executables embedded with your affiliate ID. For every US machine you get the malware installed on, you get a dollar: 10,000 machines = $10,000.
Young student, intelligent, bored, maybe problems with authority. Think it’s cool, looking for a challenge, out defacing websites of organizations they disagree with. Unlike Matthew Broderick, none of the guys I knew who were writing DOS viruses in high school ever had a girl in their bedrooms. Credibility, fame & recognition among their peers online. Historically they wrote worms attacking vuln network services – Korgo, Sasser – mostly static payload, built & released to run its course. T: things have changed a lot since then.
Overwhelming majority of attacks today are carried out by professional teams who do it for a living. The goal is to control as many computers as they can to steal as much data as possible, which they can use directly or sell on the wholesale market. Not making noise, not defacing websites; remain undetected as long as they can to maximize profits. Attack surface changed: even avg home networks typically have firewalls now blocking inbound connections, so they target vulns in client apps that sit behind the firewall & connect out. Once they get code execution, malware is installed to keep control of target systems. T: the new approach is working really well.
Affiliates don’t care how you get their malware installed. Tons of websites vulnerable to XSS where you can inject JavaScript that will redirect users to your hosted malware site with your fake AV software or whatever your deliverable is. P2P are also easy: download any executable you want, use your malware kit to embed your affiliate’s code, share the new binary back on the network. Trad Net Exploit – difficult bc most companies have firewalls blocking vulnerable ports and non-routable internal address space; even home networks have private addr & a firewall. All other techniques target the end user systems directly. Often after stealing that user’s data, malware will propagate to other systems on a corp network once it’s brought to work and connected behind the firewall, ex: Conficker. Blackhat SEO – interesting & annoying at the same time. Link farms and other techniques to game the search engine algorithms to get high rankings for the most common searches: Justin Bieber, Britney Spears, most recently Osama bin Laden assassination videos. Flash drive example.
One of the primary reasons our customers purchase our solution is to meet compliance standards. Our solutions cover the most expensive and labor intensive areas of compliance. The following is a breakdown of the PCI and SOX requirements we satisfy with our solutions. For PCI we cover requirements 10, 11.2, and 11.4, which are the most costly and cumbersome to comply with. Examples: Vulnerability Assessment: 11.2 in PCI, because Alert Logic is an Approved Scanning Vendor (ASV) for quarterly PCI scans. Intrusion Protection: all mandates and regulations require or recommend an intrusion detection system. Log Management: we cover the majority of requirement 10 of PCI and DS 5.5 for CobiT. We make log review simple and automate the log management process.
Education – sounds extremely basic, but some people don’t know. Browsing – browsers are complex pieces of software & they all have holes. The majority of owned desktop systems I’ve seen were used by avid IE users. I use Firefox, automatic updates and a number of plugins that improve your security like NoScript and RequestPolicy; these tools can defeat CSRF and some XSS attacks even though the webapps you use are vulnerable. Filtering web proxies.
Perimeter – many healthcare organizations block specific “bad” ports like SMTP and FTP, and even then do it inconsistently. Needs to be blocked in & out, with exceptions specific to source & destination addresses & port numbers. Filtering web proxy... not worth much if you don’t do egress filtering at your border.
Scripted Q&A
– Which Hosting.com solutions support Alert Logic tools?
– What are the benefits/features of Cloud compared to Dedicated?
– If I receive a security incident, how quickly will I be contacted by the Security Operations Center?
– How long do you store log data in your data center?
– Who owns the data that is stored in your data center?
– How can I ensure my data is safe both during transport and in storage?
– How often should I be running a vulnerability scan?
– I only have to fill out Self Assessment Questionnaire (SAQ) A; do I still have to monitor my log data?
Thank you for joining our Webinar today. We hope you found the content useful and applicable to your role. If you have questions or would like further information regarding Alert Logic’s solutions, please visit the Hosting.com website and contact us via phone, email or live chat. A recording of this session will be emailed to you in the next 48 hours. Thank you and have a wonderful day!