Emerging Security
Technological Threats
Jamie Gillespie
About AusCERT
• Australia’s national CERT
– Collect, monitor, advise on threats and vulnerabilities
– Incident response coordination and assistance
– CERT training for countries and companies
• Independent, university-based, non-government and not-for-profit
• Chair of APCERT
• Close collaboration with the AHTCC
What We’re Seeing Now
• Malicious code
• Network scanning
• Device compromise
• Denial of Service
• Impersonation and identity theft
• Malicious code represents one of the most well-known threats
• Including the classic:
– Viruses
– Worms
– Trojans
• Increasingly blurred line:
– Spyware
– Adware
– Marketing research (e.g. MarketScore)
• Network scanning is an ever-increasing problem
• Usually a precursor to attacks/compromises
• Password ‘brute force’ attacks against SSH services are increasingly effective and relevant
• Mass scanning by worms, botnets or similar large-scale automation can lead to denial of service
• Increases the cost of detecting incidents and providing effective security management due to increased ‘noise’
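As an added example (not part of the original presentation), the following Python script shows the kind of detection logic a practitioner would run over sshd authentication logs to separate sustained password brute-force attempts from the single-probe scanning noise mentioned above. The log lines, the host name and the thresholds (five failures from one source within 300 seconds) are constructed for illustration and are not taken from any real system.

```python
"""Flag SSH password brute-force sources from sshd log lines.

Added example, not from the original presentation. The log lines,
host name and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH "Failed password" / "Accepted password" lines in classic
# syslog format (month, day, time; no year). Other sshd messages
# ("Connection closed by ...", "Invalid user ...") are deliberately ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one fast brute force that ends in a successful
# login, one scanner probing twice, and one slow low-rate attempt.
SAMPLE_LOG = """\
Mar 10 04:12:01 host1 sshd[2201]: Failed password for root from 203.0.113.9 port 41022 ssh2
Mar 10 04:12:03 host1 sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 41023 ssh2
Mar 10 04:12:05 host1 sshd[2205]: Failed password for invalid user test from 203.0.113.9 port 41024 ssh2
Mar 10 04:12:08 host1 sshd[2207]: Failed password for invalid user oracle from 203.0.113.9 port 41025 ssh2
Mar 10 04:12:10 host1 sshd[2209]: Failed password for backup from 203.0.113.9 port 41026 ssh2
Mar 10 04:12:14 host1 sshd[2211]: Accepted password for backup from 203.0.113.9 port 41027 ssh2
Mar 10 04:13:00 host1 sshd[2213]: Connection closed by 198.51.100.7 port 55011 [preauth]
Mar 10 04:13:02 host1 sshd[2214]: Failed password for root from 198.51.100.7 port 55012 ssh2
Mar 10 04:40:30 host1 sshd[2290]: Failed password for root from 198.51.100.7 port 55300 ssh2
Mar 10 05:00:00 host1 sshd[2300]: Failed password for root from 192.0.2.44 port 60001 ssh2
Mar 10 05:30:00 host1 sshd[2310]: Failed password for root from 192.0.2.44 port 60002 ssh2
Mar 10 06:00:00 host1 sshd[2320]: Failed password for root from 192.0.2.44 port 60003 ssh2
Mar 10 06:30:00 host1 sshd[2330]: Failed password for root from 192.0.2.44 port 60004 ssh2
Mar 10 07:00:00 host1 sshd[2340]: Failed password for root from 192.0.2.44 port 60005 ssh2
"""


def parse_events(log_text):
    """Return (timestamp, result, user, ip) tuples for matching lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # No year in syslog timestamps: comparisons are only valid within
        # one file and break across a year boundary (known limitation).
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("result"), m.group("user"), m.group("ip")))
    return events


def find_bruteforce(events, threshold=5, window_seconds=300):
    """Map source IP -> summary for sources with `threshold` or more
    failed passwords inside any span of `window_seconds`."""
    failures = defaultdict(list)   # ip -> failure timestamps (chronological)
    users = defaultdict(set)       # ip -> user names attempted
    accepted_after = {}            # ip -> user accepted after earlier failures
    for ts, result, user, ip in sorted(events):
        if result == "Failed":
            failures[ip].append(ts)
            users[ip].add(user)
        elif ip in failures:
            # A success following failures from the same source is the
            # case that needs immediate attention, not just a block.
            accepted_after[ip] = user

    report = {}
    for ip, stamps in failures.items():
        # Sliding window over consecutive failures: any run of `threshold`
        # failures spanning at most `window_seconds` counts as brute force.
        for i in range(len(stamps) - threshold + 1):
            span = (stamps[i + threshold - 1] - stamps[i]).total_seconds()
            if span <= window_seconds:
                report[ip] = {
                    "failures": len(stamps),
                    "users": sorted(users[ip]),
                    "accepted_as": accepted_after.get(ip),
                }
                break
    return report


if __name__ == "__main__":
    for ip, summary in find_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, summary)
```

With the default window only 203.0.113.9 is flagged; the two-probe scanner is treated as noise, and the slow attempt from 192.0.2.44 only appears when the window is widened to two hours. That is the trade-off the ‘noise’ point above is about: a short window keeps scanner chatter out of the incident queue, while a patient attacker spreading attempts over hours, or across many source addresses, stays under a per-source threshold and needs a longer baseline to detect.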
• Device compromise is a continually ongoing occurrence, with automated compromise tools now the standard
• The technical barrier to entry into this arena is now quite low; anyone can download the tools
• The majority are ‘end user’ devices, but a vast number are corporate, academic and government devices
• Not just simple PCs and servers but also network devices such as access points, firewalls, routers and switches
• The impact to organisations includes theft of information, corruption of information, brand damage, legislative breaches and potential third
• Denial of Service attacks have a long history, ranging from ‘on box’ attacks through to the more widely known network attacks
• ‘BotNets’ have been used for significant denial of service attacks, in excess of a sustained 400Mbit/second for months on end
• Seen as a threat that will continue to evolve and emerge, coupled with increasingly sophisticated ‘botnets’ and financial motivation
Impersonation
• Impersonation and identity theft is a current and significant threat, both to individuals and organisations
• Individuals
– Email spoofing
– Account compromise
– Full identity theft
• Organisations
– Email spoofing
– Site duplication and redirection
– Hijacking of domains and network traffic
Rapid Adoption
• Rapid adoption of new technologies by both attackers and organisations often increases the base level of risk
• Organisations
– Often no well-established standards or ‘best practices’ for new technologies
– Often implemented as a ‘pilot’ with security to come later
– Design oversights or lack of inherent security controls
• Attackers
– Utilise cutting-edge techniques and share them in a non-competitive manner
– Have time to research and develop attacks and exploits; this is essentially their business. This contrasts with the reactive process of most corporates
Future Threats
• Attacks on platforms with a smaller market share
– Linux
– Mac OS X
– Just because software or a device has fewer vulnerabilities doesn’t mean it’s safe
99.99% Safe
Future Threats
• Mobile malicious code
– More specifically, multi-purpose mobile devices: ~100 million smart phones
– Symbian market share >70% (10% in US)
• Nokia, Siemens, Samsung, Sony Ericsson, Motorola, and more…
– Windows market share <10%
– 20 mobile malware samples at end of 2004, >120 at end of 2005
– Vectors
• Bluetooth, MMS, Web downloads
Future Threats
• Wireless networks
– Obviously the classical network abuse
– Network used (externally) to commit crime
– Security, but not secure
• VoIP
– Most of the same old threats
• But a lack of the same old protection
– Trunking and mixing of traffic
– Gateways connected to PSTN
Future Threats
• Identity theft
– Classic ID theft on the increase
– Schools carry different details
• Students aren’t always students, but their details remain constant
• Removable mass storage
– iPods/MP3 players, USB, mobiles, games
– Ingress of malicious/illegal material
• Where does it go?
– Egress of internal data
Future Threats
• Insiders
– They already have access
– Profiling is next to impossible
• Even for corporates
– Frequency and impact are unknown
– Detection requires a good eye
2006 Australian Computer
Crime and Security Survey
Methodology
• ACNielsen conducted the survey and collated the results
• Mail out to 2,024 Australian IT managers in public and private sector organisations (+ TISN + others contacted via email)
• 389 respondents (17% response rate)
What’s the good news?
• Across most categories of electronic attack, computer crime and abuse, there is a reduction in reported activity
• Fewer financial losses for most respondents
• 19% of those that reported computer crime to law enforcement saw charges laid
• There will be a high demand for skilled, experienced information security professionals in future!
What’s the bad news?
• More bad news than good news
• Across most categories there was a reduction in the reported use of
– security policies and procedures
– IT security standards
– security technologies and
What’s the bad news?
• Higher level of vulnerabilities that resulted in electronic attacks than before:
– Exploitation of unpatched or unprotected software vulnerabilities (63% in 2006 vs 40% in 2005)
– Inadequate staff training and education in security practices and procedures (53% in 2006 vs 47% in 2005)
– Exploitation of misconfigured operating systems, applications or network devices (50% in 2006 vs 27% in 2005)
What’s the bad news?
• 21% reported trojan or rootkit infections
(no prior visibility on this figure)
– Very high considering this malware does not self-propagate
• 45% reported virus or worm infections
What’s the same
(still not good)
• The computer security management challenges have been almost constant over 4 years
– Changing users’ behaviour and attitudes regarding computer security – 60%
– Configuration management – 47%
– Keeping up to date with the latest threats and vulnerabilities – 46%
• Only 10% report managing all computer security issues reasonably well
What’s the same
(still not good)
• A high level of dissatisfaction with the level
of qualifications and training for IT security
staff
– 65% thought their organisations needed to improve training and education
– 53% thought that lack of adequate staff
training and education in security policies and procedures contributed to the harmful
What’s interesting
• CNI organisations reported lower levels of
electronic attack and computer crime than
non-CNI organisations
– But they acknowledge many of the same
information security management challenges as their non-CNI counterparts
• Public sector organisations reported
higher levels of electronic attack than
private sector organisations
What’s interesting
• Discrepancy between attack types and technology security counter-measures
• 90% have spam filters
• 99% have AV software
• 66% have procedural controls against malicious software
– But 45% reported virus or worm infections
– But 21% reported trojan or rootkit infections
What we don’t know
• Why fewer attacks are being reported
• Why fewer “readiness to protect” factors are being deployed
– Security policies and procedures
– IT security standards
– Security technologies/counter-measures
– Training and education of staff
What we don’t know
• Whether reductions in the level of “readiness to protect” factors have impaired organisations’ ability to detect attacks
• Whether changes in sample composition have affected the results
– Larger proportion of smaller sized organisations
– Larger proportion of organisations that may not be high users of IT
• What level of dependency and usage the
What we do know
• High level of dissatisfaction with level of training and qualifications of IT security staff
• 90% of organisations face challenges or difficulties associated with some aspect of information security management
• Most are dissatisfied with the level of spending on information security
• More respondents perceive that harmful
electronic attacks against their organisations were motivated by illicit financial gain (20% in 2006 vs 10% 2005)
Key messages
• Given the level of dissatisfaction with
adequacy of staffing resources, training, IT
security spending and general information
security management challenges overall,
organisations’ ability to manage their
information security looks increasingly
difficult
Key messages
• Despite some contradictory results, AusCERT and law enforcement continue to see worsening levels of Internet-based attacks motivated by illicit financial gain, including
– online ID theft attacks
– compromising computers for use in botnets to support other forms of cyber attack (spam, DDoS extortion, ID theft)
• Predict these types of attacks will begin to impact all e-commerce and e-government agencies and their users/customers in future
• At the organisation level, now is the time to strengthen not reduce “readiness to protect factors”
• Importantly, more must be done at the national level – by government, industry and vendors to better address the problems identified