Safer Technology Through Threat Awareness and Response Stephen Cobb, CISSP Senior Security Researcher


DESCRIPTION

I developed this set of annotated slides in 2013 for security awareness raising among small to mid-sized companies. The threats that it illustrates are still present now, so it can still be used effectively.


Page 1: Safer Technology Through Threat Awareness and Response

Safer Technology Through Threat Awareness and Response

Stephen Cobb, CISSP
Senior Security Researcher

Page 2: Safer Technology Through Threat Awareness and Response

Threat awareness = know your enemy

We all know there are threats, but do we have a clear picture of them?

What are the main threats?

What can we do to defend against them?

Page 3: Safer Technology Through Threat Awareness and Response

What is behind data security breaches?

1. Malware involved in 69% of breaches
2. Hacking* used in 81% of breaches

Verizon 2012 Data Breach Investigations Report

*80% of hacking is passwords: default, missing, guessed, stolen, cracked

Page 4: Safer Technology Through Threat Awareness and Response

3rd element: deception

Used in many types of attack, like this recent attempt to plant a Trojan

Click either link and you will be infected

(Unless you are running a good AV program)

Page 5: Safer Technology Through Threat Awareness and Response

What do cyber criminals want with our digital devices and data?

Page 6: Safer Technology Through Threat Awareness and Response

36 ways to abuse a hacked device

Botnet activity
• Spam zombie
• DDoS extortion zombie
• Click fraud zombie
• Anonymization proxy
• CAPTCHA solving zombie

Account credentials
• eBay/PayPal fake auctions
• Online gaming credentials
• Website FTP credentials
• Skype/VoIP credentials
• Encryption certificates

Hostage attacks
• Fake antivirus
• Ransomware
• Email account ransom
• Webcam image extortion

Financial credentials
• Bank account data
• Credit card data
• Stock and 401K accounts
• Wire transfer data

Webserver
• Phishing site
• Malware download site
• Warez piracy server
• Child porn server
• Spam site

Email attacks
• Harvest email contacts
• Harvest associated accounts
• Access to corporate email
• Webmail spam
• Stranded abroad scams

Reputation hijacking
• Facebook
• Twitter
• LinkedIn
• Google+

Virtual goods
• Online gaming characters
• Online gaming goods/$$$
• PC game license keys
• OS license key

Based on original work by Brian Krebs: krebsonsecurity.com

Page 7: Safer Technology Through Threat Awareness and Response

What’s their motivation?

• IMPACT
• ADVANTAGE
• MONEY
• CREDENTIALS

Page 8: Safer Technology Through Threat Awareness and Response

The Office of Naval Research and the rail gun

• Fires a projectile at 5,000 mph with a range of 100 miles
• Small businesses responsible for 86 individual subcontracts worth $20m

Page 9: Safer Technology Through Threat Awareness and Response

720 breaches by size of organization (employees)

[Bar chart. Size bands: 1 to 10; 11 to 100; 101 to 1,000; 1,001 to 10,000; 10,001 to 100,000; over 100,000. Annotation on the chart: SMBs]

Verizon 2012 Data Breach Investigations Report

Page 10: Safer Technology Through Threat Awareness and Response

The SMB sweet spot for the cyber-criminally inclined

Assets worth looting

Level of protection

Big enterprise

SMB “sweet spot”

Consumers

Page 11: Safer Technology Through Threat Awareness and Response

Tools of the trade

To get into cyber crime you need:

A. To be a programmer? No
B. To buy equipment? No
C. To have your own servers? No

Crime kits are slick, easy-to-use, and you can rent them.

Consider the Serenity exploit kit

Page 12: Safer Technology Through Threat Awareness and Response
Page 13: Safer Technology Through Threat Awareness and Response
Page 14: Safer Technology Through Threat Awareness and Response
Page 15: Safer Technology Through Threat Awareness and Response

Thriving markets for credentials

Page 16: Safer Technology Through Threat Awareness and Response
Page 17: Safer Technology Through Threat Awareness and Response
Page 18: Safer Technology Through Threat Awareness and Response
Page 19: Safer Technology Through Threat Awareness and Response
Page 20: Safer Technology Through Threat Awareness and Response

All driven by proven business strategies

• Specialization
• Modularity
• Division of labor
• Standards
• Markets

Page 21: Safer Technology Through Threat Awareness and Response

So how do you defend your devices?

Three main attacks … and defenses

• Malware: Scanning
• Hacking: Authentication
• Deception: Awareness

Page 22: Safer Technology Through Threat Awareness and Response

Scanning doesn’t work if you don’t use it

Measures in use at a sample of 82 healthcare facilities

[Bar chart, scale 0% to 40%. Measures shown: scan devices while connected; scan devices prior to connection; require AV on mobile devices]

98% experienced one or more breaches of PHI

Ponemon Institute Third Annual Benchmark Study on Patient Privacy & Data Security

Page 23: Safer Technology Through Threat Awareness and Response

Authentication beyond passwords

• Passwords exposed in 2012: 75,000,000
• Need to add a second factor to authentication
• 2FA raises the bar for attackers trying to get at your corporate network

Page 24: Safer Technology Through Threat Awareness and Response

Awareness: a powerful weapon

• Think before you click/open
• If it sounds too good…
• Just because your friend said…
• Resources:
  • Securing Our eCity
  • We Live Security
  • Podcasts and webinars
  • ESET Smart Security

Page 25: Safer Technology Through Threat Awareness and Response

Security news and how-tos

Page 26: Safer Technology Through Threat Awareness and Response

Thank you!

• Visit www.WeLiveSecurity.com