Current Cyber Threat Challenges

Infosecurity.nl 2010, 3 November 2010, www.pwc.com

David Burg, Infosecurity.nl, 3 November, Jaarbeurs Utrecht


Page 2


Contents

Real threats in the real world

Targeting Sensitive Data with Commercial Value

Targeting Sensitive Data with Economic Value

Public-Private Partnership

Considerations as we go forward

Page 3


Real threats in the real world

Page 4


Risks we face

• Significant threat profile, like never before in history;

• Adversaries that are patient, meticulous, smart;

• Sophisticated attackers hold access to environments, undetected for months, even years; and

• Require new thinking related to how we protect and manage sensitive data.


Page 5


Threat Continuum

Sources listed in ascending order along the threat continuum, with their motivations:

Source: Amateur attackers
Motivation:
• Thrill
• Bragging rights

Source: Criminal groups
• Bot-network operators
• Phishers/spammers
• Malware authors
• Industrial spies/competitors
Motivation:
• Financial profit
- Fraud
- Blackmail
- Bot recruitment
- Trusted launch pad for further infrastructure attacks
- Identity and intellectual property theft
- Industrial espionage

Source: “Insiders”
• Employees
• Business partners
Motivation:
• Retaliation
• Financial profit

Source: Foreign state-sponsored agents
Motivation:
• Economic espionage
• Disrupt supply, communications, and economic infrastructures

Page 6


Common failures that enable the attackers

1. Don’t know where sensitive data is located;

2. Don’t properly utilize monitoring and investigative tools;

3. Failure to address/shut down known security vulnerabilities; and

4. Have a suboptimal organizational design.


Page 7


Targeting Sensitive Data with Commercial Value

Page 8

Attack Diagram (figure only; not reproduced in text)

Page 9

Hypothetical Attack Overview: Preparation and Reconnaissance

Phases: Preparation and Reconnaissance → Initial Compromise → Expand Footprint → Execute Attack

Major Activities

• Identify Potential Targets: Use search engines and browse web sites to identify potential targets

• Prepare Tools: Write custom applications and assemble publicly available tools to bypass antivirus

• Identify Initial Entry Point: Test identified websites for SQL injection vulnerabilities to gain access to the target network

Timeline: 13 days

Impact

• Read/Write access to database records

• Administrative privileges to database OS

• Ability to initiate connections to other internal systems

Countermeasures

• Recode web applications to accept a white list of characters and filter all unnecessary characters

• Use unprivileged accounts for databases

• Perform web application security assessments
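As an added illustration of the first two countermeasures above (not code from the presentation), here is the kind of injectable lookup the entry-point test on this slide would find, beside a hardened version that enforces an allow-list of username characters and binds the value as a query parameter. The customer table, its rows and the in-memory sqlite3 database are constructed for the demo; running the database under an unprivileged account is not shown, since sqlite3 has no accounts.

```python
import re
import sqlite3

# Constructed sample data standing in for the web application's database
# (assumption for the demo, not taken from the slides).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "alice", "1111"), (2, "bob", "2222"), (3, "carol", "3333")])
    return conn

def lookup_vulnerable(conn, username):
    # String concatenation: user input becomes part of the SQL text, so the
    # database parses whatever the client sent as SQL.
    sql = "SELECT username, card_last4 FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

# Allow-list: only the characters a username legitimately contains.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def lookup_hardened(conn, username):
    # 1) reject (rather than silently strip) anything outside the allow-list;
    # 2) bind the value as a parameter so it can never be interpreted as SQL.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allow-list")
    sql = "SELECT username, card_last4 FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def demo():
    """Returns (rows leaked by the vulnerable lookup, payload rejected by the
    hardened lookup, rows the hardened lookup returns for a normal username)."""
    conn = build_db()
    payload = "' OR '1'='1"  # textbook tautology; turns the WHERE clause always-true
    leaked = lookup_vulnerable(conn, payload)  # every row comes back
    try:
        lookup_hardened(conn, payload)
        blocked = False
    except ValueError:
        blocked = True
    normal = lookup_hardened(conn, "bob")
    return len(leaked), blocked, normal

if __name__ == "__main__":
    print(demo())
```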

Page 10

Hypothetical Attack Overview: Initial Compromise

Major Activities

• Information Gathering: Craft SQL queries to obtain database structure and contained data

• Exploit Database Links: Identify linked databases and search the databases for sensitive data or credit/debit card data

• Upload Tools through SQL Injection: Upload malicious tools to database servers to obtain Domain Administrator password and target other systems

Timeline: 12 days (after 13 days of preparation and reconnaissance)

Impact

• Identified dozens of databases with sensitive personal or business data or credit/debit card data

• Obtained Domain Administrator privileges

Page 11

Hypothetical Attack Overview: Expand Footprint

Major Activities

• Establish presence in environment: Push custom developed network sniffer or other custom hacker tools onto dozens of systems to understand network topology and system traffic

• Upload Web Based Tools: Upload custom web pages to external web servers to perform command and control functions on tools on internal systems

• Exfiltrate data: Obtain target data

• Locate Business Critical Hardware: Identify system (HSM) that creates encrypted PIN numbers

Timeline: 3 days (after 13 days of preparation and reconnaissance and 12 days of initial compromise)

Impact

• Attackers able to authenticate with privileged access to Windows systems

Page 12

Hypothetical Attack Overview: Execute Attack

Major Activities

• Initiate Attack on HSM: Obtain clear text PIN numbers by attacking HSM device. Reverse engineer/decode sensitive encrypted data and/or gain control of wire transfer authorization process

• Manipulate Financial Account Values: Use custom web pages on external web servers to modify internal database values such as the balance and transaction limits to assist in financial fraud

• Distribute compromised payment cards

• Set up recipient accounts to obtain fraudulent proceeds

Timeline: 4 days (after 13 + 12 + 3 days for the earlier phases; 32 days in total)

Impact

• Initiate unauthorized ATM withdrawals or transactions

• Unauthorized ACH wires issued

Page 13


Targeting Data with Economic Value


Page 15


Public-Private Partnership

Page 16


Public-Private Partnership

Examples across this Continuum

• Collaboration with law enforcement;

• Collaboration with select corporate peers (Google example);

• Collaboration among Financial Services in the US (FS-ISAC: hundreds of companies sharing information about critical threats to systems within the financial services sector);

• Collaboration among industry (US Department of Defense); and

• Collaboration to protect National Critical Infrastructure (US Department of Homeland Security).

Page 17


Considerations as we go forward

Page 18


Considerations as we go forward

1: Sensitive Data

Key takeaways:

• Inventory and prioritize sensitive data;

• Include electronic communication as a key component of the definition of sensitive data; and

• Enhance vigilance around the protection of these assets.


Page 19


Considerations as we go forward

2: Technical

Key takeaways:

• Increase visibility into live memory on user systems;

• Increase vigilance on Domain Controller logs;

• Increase focus on analysis of outbound traffic (look for large outbound RAR files);

• Perform ongoing audits of key personnel (e.g., the M&A team): look for web-based mail logins from machines not normally used by the employee; and

• Automate the above to minimize human time commitment.
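An added example, not from the presentation, of automating two of these checks over proxy and webmail logs: flagging large outbound RAR uploads, flagging webmail logins from hosts outside an employee's usual set, and correlating the two by user. The log lines, host names, the watched-user list and the 100 MiB threshold are all constructed for the demo.

```python
# Constructed sample proxy log (not from the slides). Fields:
# timestamp user source_host destination method filename bytes_out
PROXY_LOG = """\
2010-11-03T09:12:01 jdoe ws-ma-07 cdn.example.net GET logo.png 2048
2010-11-03T21:47:13 jdoe ws-fin-22 203.0.113.9 POST q3_deal.rar 734003200
2010-11-03T22:02:40 asmith ws-ma-03 mail.example.org POST report.docx 1048576
2010-11-03T22:15:05 jdoe ws-fin-22 203.0.113.9 POST part2.rar 512000000
"""

# Constructed webmail login log. Fields: timestamp user source_host
WEBMAIL_LOG = """\
2010-11-03T08:30:00 jdoe ws-ma-07
2010-11-03T21:40:00 jdoe ws-fin-22
2010-11-03T09:05:00 asmith ws-ma-03
"""

# Hosts each watched employee (e.g. the M&A team) normally uses; constructed.
USUAL_HOSTS = {"jdoe": {"ws-ma-07"}, "asmith": {"ws-ma-03"}}
RAR_BYTES_THRESHOLD = 100 * 1024 * 1024  # 100 MiB; tune per environment

def large_outbound_rar(log, threshold=RAR_BYTES_THRESHOLD):
    """(user, host, dest, filename, bytes) for outbound .rar uploads at or over threshold."""
    hits = []
    for line in log.splitlines():
        _ts, user, host, dest, method, fname, size = line.split()
        if method == "POST" and fname.lower().endswith(".rar") and int(size) >= threshold:
            hits.append((user, host, dest, fname, int(size)))
    return hits

def unusual_webmail_logins(log, usual=USUAL_HOSTS):
    """(user, host) for webmail logins from a host outside that user's usual set."""
    hits = []
    for line in log.splitlines():
        _ts, user, host = line.split()
        if user in usual and host not in usual[user]:
            hits.append((user, host))
    return hits

def correlate(proxy_log=PROXY_LOG, webmail_log=WEBMAIL_LOG):
    """Users seen both logging into webmail from an odd host and pushing a large RAR out."""
    rar_users = {hit[0] for hit in large_outbound_rar(proxy_log)}
    login_users = {hit[0] for hit in unusual_webmail_logins(webmail_log)}
    return sorted(rar_users & login_users)

if __name__ == "__main__":
    for user in correlate():
        print("review:", user)
```

Either check alone produces a lead worth triage; the correlation is what keeps the analyst's queue short enough to review every day.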


Page 20


Considerations as we go forward

3: Organizational

Key takeaways:

• Cyber security, and the CISO or equivalent, should be independent of IT and the CIO;

• Cyber security should have deep insight into business operations to be effective: if the CEO is traveling outside the US or if a 10-person team is working on a deal in Country X, cyber security should be aware; and

• Applying cyber security based on business operations will likely require a broader perspective than most technically oriented staff are capable of, making cyber security ripe for alignment under the CSO.


Page 21


PwC - Who we are

• PwC has more than 160,000 people in more than 150 countries. We focus on audit and assurance, tax and advisory services. We help our clients resolve complex issues and identify opportunities.

• PwC is a leading provider of security advisory and assessment services. Our Global Security practice has more than 2,100 professionals helping our clients solve complex security challenges.

• PwC was recognized by the Forrester Wave Vendor Summary as a leader in information security and IT risk consulting.

• PwC has assisted Fortune 500 companies in responding to security breaches, including network and system forensics, containment, and remediation activities.

Page 22

Sincere thanks for your time.

© 2010 PricewaterhouseCoopers LLP. All rights reserved.