Top Security Trends for 2014

Top Security Trends for 2014
Amichai Shulman, CTO, Imperva

1

© 2013 Imperva, Inc. All rights reserved.

Agenda
§  Introduction
§  2013 forecast scorecard
§  2014 security trends
§  Summary and conclusion
§  Q&A

2


Amichai Shulman – CTO, Imperva
§  Speaker at industry events
•  RSA, Appsec, Info Security UK, Black Hat

§  Lecturer on information security
•  Technion - Israel Institute of Technology

§  Former security consultant to banks and financial
services firms
§  Leads the Imperva Application Defense Center (ADC)
•  Discovered over 20 commercial application vulnerabilities
§  Credited by Oracle, MS-SQL, IBM and others

Amichai Shulman one of InfoWorld’s “Top 25 CTOs”

3


2013 Forecast Scorecard

Trend

Score

1

C

2

Government
malware
goes
commercial

B+

3

Black
clouds
on
the
horizon

B+

4

Community
policing

A

5

4

Hack%vism
gets
process
driven

APT
targets
the
li?le
guy

A


#1 - 3rd Party is “No Party”

5


Known Vulnerabilities: The Known Knowns
§  There are known knowns; these are things we know that
we know…
•  Donald Rumsfeld, U.S. Secretary of Defense, February 2002

§  3rd Party Known vulnerabilities
Vulnerable components (e.g., framework libraries) can be identified
and exploited
(OWASP: https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities)

6


Rich Attack Surface
According to Veracode:
•  Up to 70% of internally developed code originates outside of the
development team
•  28% of assessed applications are identified as created by a 3rd
party

7


Security Falls Between the Cracks
§  Application developers
•  Introduce 3rd party code into the system
•  Not responsible for 3rd party code security (or
quality)
•  Not responsible for run-time configuration of 3rd
party components

§  IT operations
•  Not always aware of 3rd party components
§  Web server type is more visible than a library

•  Reluctant to change configuration settings that
might impact application behavior

8


2014 Forecast: Bigger! Stronger! Faster!
§  Bigger! – More Vulnerabilities!
§  Stronger! – As a result of the
of the vulnerabilities’ market
richness, attackers will create
vulnerabilities “mash-ups,”
combining several different
vulnerabilities together
§  Faster! – Shorter time from
vulnerabilities’ full disclosure
to exploits in the wild

Source: http://cdn.thinksteroids.com

9


Bigger! Disclosure Rate Increases
§  More software + more security researchers + more
bounty programs = more vulnerabilities’ disclosures
§  CVE IDs Enumeration syntax was changed to track more
than 10,000 vulnerabilities in a single year, starting on
2014

10


Stronger! Vulnerabilities “Mash-Up”
§  Take several “cheap” (low CVSS impact score) known
vulnerabilities
•  CVE-2010-3065: PHP
§  NIST assigned impact score: 2.9

•  CVE-2011-2505: PHPMyAdmin session modification vulnerability
§  NIST assigned impact score: 4.9

§  To create a shining exploit
•  PHPMyAdmin full server takeover exploit
•  Effective impact score: a perfect 10

§  Read more on Imperva’s HII report:
http://www.imperva.com/docs/HII_PHP_SuperGlobals_Supersized_Trouble.pdf

11


Stronger! 1 + 1 = 3

12


Faster! Vulnerability Weaponization
§  Since a vulnerability has a limited time span, attackers
strive for a faster vulnerability weaponization
§  We had witnessed weaponization time cut from weeks to
days
§  Infrastructure is the key to fast weaponization
•  Exploit code is often publicly available
•  Dormant botnets are ready to launch the attack
•  Command and Control (C2) servers and zombies support
§  Dynamic content
§  Dynamic targets

13


#2 - Server Based APT Alternative

14


Web Servers Infection is the New Black
§  Goals of infecting corporate work stations
•  Harness computing resources
§  Network bandwidth to be used in DDoS attacks
§  CPU power to mine Bitcoins

•  Use as a bridgehead into the corporate datacenter

§  Both goals are better achieved by targeting web servers
•  More powerful
•  Inherently connected to the corporate datacenter

15


Traditional Infiltration Attack

16


Why Start with Web Servers?
§  Easier reconnaissance
•  Detect type and components, discover vulnerabilities

§  Accept inbound communications from the Internet (by
definition)
•  Direct attack, no need for “human factor”
•  Remote control becomes easier
•  Attacker identity

§  Land (almost) directly into the data center
•  No need for “lateral movement”

§  Wide outgoing pipe
•  Exfiltration made easier
17


Means and Opportunity
§  Many code execution / full server takeover vulnerabilities
exist
§  Most are easy to weaponize and exploit
§  In 2013, the following environments were vulnerable to
such attacks
•  ColdFusion
•  Apache Struts
•  vBulletin (TA)
•  Jboss (TA)
•  PHP
http://blog.imperva.com/2013/11/threat-advisory-a-jboss-as-exploit-web-shell-code-injection.html
http://blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html
18


Warning Signs

19


Warning Signs

20


2014 Forecast: Server Based APTs
§  We expect more APT operations to happen through
server compromise
§  Such attacks have even a smaller footprint than existing
APT techniques
•  Initial infection
•  Lateral movement
•  Exfiltration

§  Public disclosure will probably arrive 2015

21


#3 - Ad Networks = Added Risk

22


Reality Check 1
§  Malware infected PCs = potential income
§  Plenty of ways to monetize (KrebsOnSecurity)

Source: http://krebsonsecurity.com

23


Reality Check 2
§  Infected mobile devices are even more valuable
§  Can do anything a PC does, therefore can be monetized
the same way
§  Additionally, can send “premium SMS” – a very effective
and direct monetization method

Source: http://thenextweb.com

24


Black Market Economy 101
§  Infected end points are valuable
§  Therefore, driving traffic for infecting site is valuable
§  Sample price list for geo-location profiled traffic (per
thousand unique visitors; Credit: Webroot blog):

Source: http://webrootblog.files.wordpress.com

25


Malware + Advertising = Malvertising
§  Paying someone to show
your content is an already
established business
practice
§  It’s called advertising!
§  And when the content is
malicious it’s Malvertising
§  Targeted advertising is very
efficient
§  And so is targeted
malvertising
26


Source: http://bluebattinghelmet.files.wordpress.com

Malvertising so 2010…

27


Not!

Source: http://upload.wikimedia.org

28


Not!

Source: http://upload.wikimedia.org

29


The Main Door is (Pretty Much) Locked
§  Vendors closely monitor their app shops for malware
§  Result: attackers cannot directly upload malicious apps

30


2014 Forecast: Year of Mobile Malvertising
§  Dynamic content to already installed apps does not go
through the app shop
§  Supply - mobile app vendors
•  Have many users
•  Do not have a way to monetize on the traffic
•  Eager for advertising revenues

§  Demand – cyber criminals
•  Have malicious content
•  Look for alternative delivery to end users, as market is blocked
•  Eager for traffic

§  Outcome: Mobile Malvertising
31


BadNews Ad Network Infected Apps

Source: https://blog.lookout.com

32


The Ad Market is Very Complex
§  Complex environment is a
hotbed for attackers
§  Many opportunities for the
attacker to attack
•  Can choose the weakest link
•  Can move to the next target
when denied

§  App makers have a vast
“deniability region”

33


Source: http://ad-exchange.fr

#4 - (Finally) Cloud Data Breaches

34


We are Not in Kansas Anymore Toto!
§  Demand
•  SaaS and DBaaS are becoming mainstream
•  Not early adapters anymore
•  Less technical oriented organizations
•  Test and pilot deployments become production
•  Dial moves from “nice to have” applications to “mission critical”
applications

§  Supply
•  Many new providers
•  Smaller, less experienced organizations
•  Carpe Diem
§  I wanted an app of my own but ended up building a cloud service
35


Everybody Is Doing It
§  According to Verizon ‘2013 State of the Enterprise Cloud
Report’ (January 2012 – June 2013)
•  The use of cloud-based storage has increased by 90 percent
•  Organizations are now running external-facing and critical
business applications in the cloud – production applications now
account for 60 percent of cloud usage

36


Hiding in the Fog
§  Outsourcing data MISTAKEN for outsourcing
responsibility
§  Low number of breaches
§  False sense of safety

37


Ball Waiting for the Player
§  Traditional RDBMS services
•  Used as C&C and dropper infrastructure by cyber criminals
•  Security attitude is not adapted to cloud reality
•  See our “Assessing the Threat Landscape of DBaaS” HII for
more details

§  Big Data services
•  Innovative
•  Smaller providers
•  Using innovative technologies with little to no security built-in
•  Widely adopted by web application startup community, often
storing personal information

38


Warning Signs and Wakeup Calls

39



40



41



42


2014 Forecast: Cloud Breaches Increase
§  We expect to see a significant increase in cloud service
data breaches
•  SaaS
•  DBaaS

§  We expect to see a growing use of DBaaS by attackers.
It’s a newcomer to our 2013 ‘Black Cloud on the Horizon’
trend

43


#5 – Commercial Malware for Data
Centers

44


Advanced Threat – State Sponsored

Stuxnet

•  Manual
intelligence
•  Advanced
malware attack

Doqu

•  Automatic
intelligence

Rocra
45


•  Both
•  See
Red October:
The Hunt For
the Data

Growing Criminal Interest

46



47



48


Commercialization of Military Technologies
§  Advanced threat malware capabilities flow into criminal
malware
•  Technology – modular code, two tier C&C, include data access
and handling code
•  Target – enterprise internals

§  Examples
•  Narilam – destroys business application databases
•  Malware targeting business application (SAP) spotted

49


Built-in Database Access
§  Our december 2013 HII shows commercial malware
using DBaaS as infrastructure
§  Data store accessing capabilities
§  Mevade – using an integrated services language based on SQL, called
WQL (SQL for Windows Management Interface) to query the target
system's database to learn the security settings.
§  Shylock – SQLlite - Any messages that Skype sends are stored in
Skype's main.db file, which is a standard SQLite database. Shylock
accesses this database and deletes its messages and file transfers so
that the user could not find them in the history.
§  Kulouz – SQLlite to access browser data repositories for sensitive
information, such as credentials
§  Database access malware was used in SK Comms data breach

50


2014 Forecast: Datacenter is the Goal
§  We are the tipping point and in 2014 we will see active
automated attacks against enterprise data centers
•  Infection methods are more effective than ever
•  Malware infrastructure is mature and ready
•  Criminal use cases are staring to show up

§  We expect business applications to become first class
target for criminals
•  Easier to manipulate
•  The internal version of “web application attacks”

51


Summary and Conclusion

52


Summary
§  Our five trends for 2014
•  3rd party vulnerability exploit – bigger, stronger, faster
•  Web server compromise – alternative to APT
•  Ad network infections – more targeted, mobile oriented
•  Cloud breaches – sharp rise in actual incidents
•  Commercial malware – criminals are after your data center

§  Attackers focus their attention on getting into the data
center – physical or virtual
§  Attackers prefer to use the front door (web servers) but at
the same time are constantly improving on the
alternatives (malware and infection methods)
53


Recommendations
§  Protect your front door protection
•  Web Application Firewalls are not “nice to have”
•  SDLC and patching fail in modern software and threat
environments

§  Improve your internal DATA controls
•  Enhance visibility to data access, both structured and
unstructured
•  Introduce capabilities to detect abusive access to data center
resources

§  Evaluate solutions for your cloud data repositories
•  Perform better due diligence of providers

54


Bottom Line
§  Balance your security budget to reflect the need for more
data protection over end-point and network perimeter
protection

55


Webinar Materials
Join Imperva LinkedIn Group,
Imperva Data Security Direct, for…
Post-Webinar
Discussions

Webinar
Recording Link

56

Answers to
Attendee
Questions

Join Group


www.imperva.com

57


Top Security Trends for 2014

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à Top Security Trends for 2014

Similaire à Top Security Trends for 2014 (20)

Plus de Imperva

Plus de Imperva (20)

Dernier

Dernier (20)

Top Security Trends for 2014