Why The Security You Bought Yesterday Won’t Save You Today
Ian Robertson – Director of Information Security
Michael Gough – Sr. Risk Analyst
9th Annual Courts and Local
About Us
Ian Robertson - CISSP, CCNP
www.cybersecurityguy.com
ian@cybersecurityguy.com
Michael Gough - CISSP, CISA
www.HackerHurricane.com
Agenda
• Common Attacks Today
• Typical Network Security Controls
• Why the Typical Controls Won’t Work Against Today’s Common Attacks
– Why The Security You Bought Yesterday Won’t Save You Today
• What You Can Do To Shore Up Your Defenses
– Many for Little or No Money!
Security Research and Statistics
HackerHurricane.com 5
• Verizon Data Breach Report
• PandaLabs Reports
Breach Threats
[Chart: Breach Threat Vectors – bars for Physical*, Partner Agents, Error, Social, Misuse, Internal Agents, Malware, Hacking, External Agents; values shown: 1%, 1%, 1%, 3%, 3%, 3%, 94%, 94%, 98%]
[Chart: Top Hacking and Malware Vectors by % Records Breached – bars for Web User-Initiated Exploit, Web Drive-By Downloads, SQL Injection; values shown: 9%, 19%, 89%]
Who’s Behind It?
• Highly motivated
• Has time and resources
• Wants what you have
What Do They Want?
• Anything they can use to get or make money
– Financial Accounts
– Sensitive Personal Information
– Confidential Records
Who’s Discovering It?
How Long Does It Take to Discover?
156 Days on Average
But Don’t We Have Logs?
• Absolutely!
• Useful for SQL Injection
• Less useful for malware
• Not really being leveraged – who wants to look at them?
Typical Attacks Today
• Organized Crime for Financial Gain
• SQL Injection
• User Web-Based Attacks
• USB Flash Drives
• We Aren’t Catching Them (Until It’s Too Late)
Agenda
• Common Attacks Today
• Typical Network Security Controls
• Why the Typical Controls Won’t Work Against Today’s Common Attacks
– Why The Security You Bought Yesterday Won’t Save You Today
• What You Can Do To Shore Up Your Defenses
Typical Network Security Controls
• Firewall
• Intrusion Detection/Prevention System
• Web Filter
• SPAM Blocker (SMTP E-mail Gateway)
• Anti-Virus (Anti-Malware)
• Account Passwords (Old School)
Typical Network Security Controls
• Firewall
– Allows only certain traffic to come into and go out of your network from/to the Internet
– Typically allows web, email and DNS in/out of your network from/to the Internet
• Intrusion Detection/Prevention System
– Monitors your network traffic for suspicious activity
Typical Network Security Controls
• Web Filter
– Blocks websites based upon categorical filter (gambling, sex, social websites, etc.)
– Typically blocks websites that would violate HR policies
• SPAM Blocker
– Blocks e-mail based upon keywords (e.g. v!agra), sender info, block list, or heuristic analysis
– Typically blocks incoming e-mail at the Internet perimeter (SMTP e-mail gateway)
Typical Network Security Controls
• Anti-Malware
– Blocks software which is identified in a signature database from running
– Typically scans for signature patterns when files are accessed, with full scans on occasion.
• Account Passwords
– Allows authorized users to log in
Typical Network Security Controls from a Hacker’s Perspective
[Diagram: Perimeter Controls (Firewall, IDS, Web Filter, SPAM Blocker) → Internal Controls (Anti-Malware) → Your Data]
Agenda
• Common Attacks Today
• Typical Network Security Controls
• Why the Typical Controls Won’t Work Against Today’s Common Attacks
– Why The Security You Bought Yesterday Won’t Save You Today
• What You Can Do To Shore Up Your Defenses
SQL Injection Attacks
• Involves tricking a web application into executing database commands it was never intended to execute, by way of user-input form fields.
SQL Injection Example
SELECT FIRST_NAME, LAST_NAME, ADDRESS FROM MASTER_DATABASE WHERE LAST_NAME = '*';--' AND RECORD_TYPE = 'PUBLIC';
The value typed into the last-name field was *';-- : the quote closes the string, the semicolon ends the statement, and -- turns the rest of the line, including the AND RECORD_TYPE = 'PUBLIC' restriction, into a comment.
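As an added example (not from the deck), the query above built by string concatenation next to the parameterized version that removes the injection, using Python’s sqlite3 against a constructed MASTER_DATABASE table; the deck’s * stands in for a last-name value, so the example uses Smith in its place.

```python
import sqlite3

# Constructed sample rows modelled on the deck's MASTER_DATABASE (not real data).
SAMPLE_ROWS = [
    ("Ann", "Smith", "1 Main St", "PUBLIC"),
    ("Bob", "Smith", "2 Oak Ave", "CONFIDENTIAL"),
    ("Cat", "Jones", "3 Elm Rd", "PUBLIC"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE MASTER_DATABASE "
               "(FIRST_NAME TEXT, LAST_NAME TEXT, ADDRESS TEXT, RECORD_TYPE TEXT)")
    db.executemany("INSERT INTO MASTER_DATABASE VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return db


def vulnerable_sql(last_name):
    # The deck's pattern: the form value is pasted straight into the statement text.
    return ("SELECT FIRST_NAME, LAST_NAME, ADDRESS FROM MASTER_DATABASE "
            "WHERE LAST_NAME = '" + last_name + "' AND RECORD_TYPE = 'PUBLIC'")


def vulnerable_lookup(db, last_name):
    # A value such as Smith';-- closes the string, ends the statement and comments
    # out the RECORD_TYPE = 'PUBLIC' restriction, so CONFIDENTIAL rows come back too.
    return db.execute(vulnerable_sql(last_name)).fetchall()


def safe_lookup(db, last_name):
    # Parameterized query: the driver binds the value as data, so quotes and --
    # in the input can never become SQL syntax.
    return db.execute(
        "SELECT FIRST_NAME, LAST_NAME, ADDRESS FROM MASTER_DATABASE "
        "WHERE LAST_NAME = ? AND RECORD_TYPE = 'PUBLIC'", (last_name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_sql("Smith';--"))
    print(vulnerable_lookup(db, "Smith';--"))  # both Smith rows, CONFIDENTIAL included
    print(safe_lookup(db, "Smith';--"))        # [] - nobody is literally named Smith';--
    print(safe_lookup(db, "Smith"))            # only the PUBLIC Smith row
```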
SQL Injection vs. Common Controls
• Firewall – X: Access is allowed to your web application.
• Intrusion Detection/Prevention System – X: Most won’t detect this, and those that do generate nearly constant alerts and are ignored. Most are completely blind to HTTPS websites.
• Web Filter – X: Access is allowed to your web application.
• SPAM Blocker – X: Not e-mail based.
• Anti-Malware – X: Not malware.
User Web-Based Attacks
• Exploits a vulnerability in software that automatically runs when you browse a website
– Java, Flash, Acrobat, QuickTime, IE, FireFox…
• Frequently uses 0-Day exploits (new and unknown)
• Exploits are hosted on the attacker’s website or on legitimate, compromised websites
• Legitimate advertising used (big $’s involved – organized crime)
• Initial download grabs other malware after the initial infection (which is what your anti-virus is often detecting, if anything)
• 100% User initiated – result of user clicking/browsing
User Web-Based Attacks vs. Common Controls
• Firewall – X: Users are allowed to access websites through the firewall.
• Intrusion Detection/Prevention System – X: Looks like normal web browsing and doesn’t have signatures for new malware. Most are completely blind to HTTPS websites.
• Web Filter – X: Approved sites are compromised and hosting malware.
• SPAM Blocker – X: Not e-mail based.
• Anti-Malware – X: Doesn’t detect 0-day malware.
USB Flash Drives
• USB Flash Drives are easily infected on home and third party computers with lesser security controls
• By default, Windows XP and Vista will automatically execute files when they are plugged in (Windows 7 default is disabled)
• Executes using the logged-in user permissions
• Known to have been intentionally planted to gain access to systems
– Would your users pick them up and plug them in? Show of hands!
USB Flash Drives vs. Common Controls
• Firewall – X: The firewall doesn’t see this as it’s not network-based.
• Intrusion Detection/Prevention System – X: The IDS doesn’t see this as it’s not network-based. Host-based IDS/IPS aren’t likely to have signatures for it.
• Web Filter – X: The web filter doesn’t see this as it’s not network-based.
• SPAM Blocker – X: Not e-mail based.
• Anti-Malware – ?: Doesn’t detect 0-day malware. May detect “older” malware.
Agenda
• Common Attacks Today
• Typical Network Security Controls
• Why the Typical Controls Won’t Work Against Today’s Common Attacks
– Why The Security You Bought Yesterday Won’t Save You Today
• What You Can Do To Shore Up Your Defenses
– Many for Little or No Money!
SQL Injection – What To Do
• Find out where your weaknesses are
• Fix and/or monitor them (in priority order)
• Prevent future coding errors from getting introduced
SQL Injection – Action Plan
1. Find out where your weaknesses are.
A. Make a list of your applications that are Internet-facing and use database credentials that allow them to access Sensitive Personal Information.
B. Use security professionals to perform penetration tests against these applications.
C. Check the password recovery/reset functionality on these applications to see if they can be easily recovered/reset.
SQL Injection – Action Plan
2. Fix and/or monitor them (in priority order)
A. Remove unnecessary access to the SPI if the application doesn’t need it by changing database credentials and permissions (easiest)
B. Have developers re-write the code
C. Log, alert and respond to critical messages (SQL syntax errors, administrator account login failures, etc.)
SQL Injection – Action Plan
3. Prevent future coding errors from getting introduced
A. Train developers on secure code development (Google, local OWASP chapter, and OWASP resources, SANS courses, Austin BSides and LASCON conferences)
B. Ensure database administrators are assigning unique accounts with limited privileges for each application
C. Implement a code review process to include security
D. Have developers perform security testing as part of code unit testing (IBM AppScan, HP WebInspect, FindBugs, manual, etc.)
E. Have security professionals perform penetration testing prior to production implementation
SQL Injection – Action Plan
4. Test on a regular basis.
A. Have security professionals perform penetration
testing of all your Internet-facing web
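Added example for action plan item 2C (log, alert and respond to SQL syntax errors and administrator login failures), not part of the deck: a small detector that runs over constructed application log lines and raises an alert when one source address produces three hits of the same kind within five minutes. The log format, the rule thresholds and the addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample web-application log lines (not from any real system).
SAMPLE_LOG = """\
2010-05-04 10:01:09 ERROR src=203.0.113.5 user=- msg=SQL syntax error in LAST_NAME lookup
2010-05-04 10:01:11 ERROR src=203.0.113.5 user=- msg=SQL syntax error in LAST_NAME lookup
2010-05-04 10:01:15 ERROR src=203.0.113.5 user=- msg=SQL syntax error in ADDRESS lookup
2010-05-04 10:02:40 WARN  src=192.0.2.9 user=administrator msg=login failed
2010-05-04 10:02:44 WARN  src=192.0.2.9 user=administrator msg=login failed
2010-05-04 10:02:49 WARN  src=192.0.2.9 user=administrator msg=login failed
2010-05-04 10:30:00 WARN  src=198.51.100.7 user=administrator msg=login failed
"""

LINE_RE = re.compile(r"^(\S+ \S+) +(\w+) +src=(\S+) user=(\S+) msg=(.*)$")
# Rule name -> (match function on (user, msg), hits needed from one source, window they must fall in)
RULES = {
    "sqli_probe": (lambda user, msg: "SQL syntax error" in msg, 3, timedelta(minutes=5)),
    "admin_login_failures": (lambda user, msg: user == "administrator" and msg == "login failed",
                             3, timedelta(minutes=5)),
}


def parse_line(line):
    # Returns (timestamp, src, user, msg), or None for lines that do not fit the format.
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(3), m.group(4), m.group(5)


def find_alerts(log_text):
    # Returns [(rule, src)] for each source whose hits reach the rule's threshold inside its window.
    hits = defaultdict(list)  # (rule, src) -> timestamps of matching lines
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, user, msg = rec
        for name, (match, _, _) in RULES.items():
            if match(user, msg):
                hits[(name, src)].append(ts)
    alerts = []
    for (name, src), times in hits.items():
        _, threshold, window = RULES[name]
        times.sort()
        # Sliding window: the threshold-th hit must fall within `window` of an earlier hit.
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            alerts.append((name, src))
    return alerts
```

The single administrator failure from 198.51.100.7 stays below the threshold and produces no alert, which is the noise reduction that makes such alerts worth responding to.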
User Web-Based Attacks – What You Should Do
• Find out where your weaknesses are
• Fix your weaknesses
• Prevent future infections
User Web-Based Attacks – Action Plan
1. Find out where your weaknesses are
A. Perform a full malware scan on all your systems and identify those that are infected
B. Maintain an accurate hardware and software inventory for every machine on your network
C. Make a list of all the web-executable software you have (Java, QuickTime, Adobe Reader, Flash, RealPlayer, etc.)
D. Identify all users who have Administrative privileges
E. Identify all the categories of websites that are
User Web-Based Attacks – Action Plan
2. Fix your weaknesses
A. Re-image any computer which is suspected or confirmed to have an infection – no exceptions!
B. Patch all web-executable software immediately
C. Remove Administrative rights from user accounts (as much as possible)
D. Block websites that aren’t needed for business purposes (especially advertising sites)
E. Limit users’ time on the web
F. Harden your systems (start with the Federal Desktop Core Configuration standard – USGCB or CIS)
User Web-Based Attacks – Action Plan
3. Prevent future infections
A. Perform routine full malware scans on all your systems
B. Monitor security and vendor mailing lists for vulnerabilities, workarounds and patches and apply them immediately (absolutely no less than once a month)
C. Harden all systems before they are ever deployed
D. Don’t deploy new users with Administrative privileges (unless you must)
E. Consider using FireFox and/or Chrome browsers w/ add-ons such as NoScript and AdBlock (requires user training)
F. Train users to avoid clicking on bad links (bad search results, spoofed links) –
USB Flash Drives – What You Should Do
Follow the User Web-Based Action Plan items, plus…
4. Disable AutoRun/AutoPlay on all of your Windows systems (part of system hardening)
5. Identify all users who require the use of USB Flash Drives.
6. Disable the USB ports for all users who don’t (a Windows registry key)
7. Provide all those who do with an encrypted flash drive (e.g. IronKey)
8. Implement a policy prohibiting the use of personal flash drives in your organization’s computers, and vice-versa