The document provides an overview of Fujitsu's risk-based approach to security management. It discusses the evolving security landscape and challenges organizations face. Fujitsu's approach involves 3 steps: 1) Conducting risk and vulnerability assessments to understand threats. 2) Visualizing security data through logs consolidation and SIEM solutions to provide situational awareness. 3) Using investigation tools to gain visibility into system behavior and provide intelligence to inform security operations. The approach is aligned with security frameworks like COBIT and ISO and aims to balance security, compliance, and business needs through a coordinated and layered enterprise security architecture.
4. 2006 - The Year Hacking Became A Business
2006 was the year hacking stopped being a hobby and became a lucrative profession practiced by an underground of computer software developers and sellers.
It was the year when cyber-criminals targeted everything from MySpace to Facebook.
Are you one of the victims in June?
5. We archived 1,419,202 website defacements
Attacks by month, year 2010:
Jan 53,915
Feb 57,867
Mar 73,712
Apr 95,078
May 83,182
Jun 81,865
Jul 87,364
Aug 63,367
Sep 185,741
Oct 194,692
Nov 258,355
Dec 184,064
Total 1,419,202
7. Zombie Hacker Will Hack No More
Associated Press 01.23.06
SAN FRANCISCO -- A 20-year-old hacker pleaded guilty Monday to surreptitiously seizing control of hundreds of thousands of internet-connected computers, using the zombie network to serve pop-up ads and renting it to people who mounted attacks on websites and sent out spam.
Jeanson James Ancheta, of Downey, California, pleaded guilty in Los Angeles federal court to four felony charges for crimes, including infecting machines at two U.S. military sites, that earned him more than $61,000, said federal prosecutor James Aquilina.
Prosecutors called the case the first to target profits derived from use of "botnets," large numbers of computers that hackers commandeer and marshal for various nefarious deeds, their owners unaware that parasitic programs have been installed and are being run by remote control.
Botnets are being used increasingly to overwhelm websites with streams of data, often by extortionists. They feed off of vulnerabilities in computers that run Microsoft's Windows operating system, typically machines whose owners haven't bothered to install security patches.
A website Ancheta maintained included a schedule of prices he charged people who wanted to rent out the machines, along with guidelines on how many bots were required to bring down a particular type of website.
Prosecutors say Ancheta and SoBe then installed the ad software from the two companies -- Gamma Entertainment of Montreal, Quebec, and Loudcash, whose parent company was acquired last year by 180 Solutions of Bellevue, Washington -- on the bots they controlled, pocketing more than $58,000 in 13 months.
8. Hacking as Business
Hacking isn't a kid's game anymore.
It has a price... $$$
The Black Market (USD)
Trojan program to steal online account information: $980-$4,900
Credit card number with PIN: $490
Billing data, including account number, address, Social Security number, home address, and birth date: $78-$294
Driver's license: $147
Birth certificate: $147
Social Security card: $98
Credit card number with security code and expiration date: $6-$24
PayPal account logon and password: $6
Data source: Trend Micro
9. Hacking as Services
DDoS attacks
The price usually depends on the attack time:
1 hour - US$10-20 (depends on the seller)
2 hours - US$20-40
1 day - US$100
More than 1 day - from US$200 (depends on the complexity of the job)
It is worth highlighting that they normally offer 10 minutes of testing: if you are interested, you tell them the server and they will perform a DoS attack for 10 minutes, so that you can evaluate the 'service'.
Spam Hosting: US$200
Dedicated spam server: US$500
10,000,000 mails per day: US$600
SMS spam (per message): US$0.2
ICQ (1,000,000): US$150
Hiding of executable files, to avoid antivirus programs and firewalls (they guarantee that the files won't be detected even by the antivirus updates of the date of purchase): from US$1 to US$5 per executable file (cheap, isn't it?)
RapidShare premium accounts (server hosting):
1 month - US$5, 2 months - US$8, 3 months - US$12, 6 months - US$18, 1 year - US$28
10. Hacking as Organized Crime
Cyber criminals have become an organized bunch. They use peer-to-peer payment systems just like they're buying and selling on eBay, and they're not afraid to work together.
Software as a Service for criminals
Attackers use sophisticated trading interfaces to classify the stolen accounts by the FTP server's country of origin and the compromised site's Google page ranking. This information enables attackers to determine the cost of the compromised FTP credentials for resale to cybercriminals, or to use the credentials themselves in an attack against the more prominent websites.
Malware that encrypts data and then demands money to provide the decryption key – FileFixPro
11. Federal websites knocked out by online botnet attack
Computerworld UK - July 08, 2009
By Robert McMillan
A botnet comprised of about 50,000 infected computers has knocked out the websites of several government agencies, and caused headaches for businesses in the US and South Korea.
The attack started Saturday, and security experts have credited it with knocking the US Federal Trade Commission's (FTC's) website offline for parts of Monday and Tuesday. Several other government websites have also been targeted, including the US Department of Transportation (DOT).
On Saturday and Sunday the attack was consuming 20 to 40 gigabytes of bandwidth per second, about 10 times the rate of a typical DDoS attack.
Security experts estimate the size of the botnet at somewhere between 30,000 and 60,000 computers.
12. SONY Cases - April-June 2011
Date        Event
2011-04-04  Anonymous Engages in Sony DDoS Attacks Over GeoHot PS3 Lawsuit
2011-04-20  Sony PSN Offline
2011-04-26  PSN Outage caused by Rebug Firmware
2011-04-26  PlayStation Network (PSN) Hacked
2011-04-27  Ars readers report credit card fraud, blame Sony
2011-04-28  Sony PSN hack triggers lawsuit; Sony says SOE Customer Data Safe
2011-05-02  Sony Online Entertainment (SOE) hacked; SOE Network Taken Offline
2011-05-03  Sony Online Entertainment (SOE) issues breach notification letter
2011-05-05  Sony Brings In Forensic Experts On Data Breaches
2011-05-06  Sony Networks Lacked Firewall, Ran Obsolete Software: Testimony
2011-05-07  Sony succumbs to another hack leaking 2,500 "old records"
2011-05-14  Sony resuming PlayStation Network, Qriocity services
2011-05-17  PSN Accounts still subject to a vulnerability
2011-05-18  Prolexic rumored to consult with Sony on security
2011-05-20  Phishing site found on a Sony server
2011-05-21  Hack on Sony-owned ISP steals $1,220 in virtual cash
2011-05-22  Sony BMG Greece the latest hacked Sony site
2011-05-23  LulzSec leak Sony's Japanese Websites
2011-05-23  PSN breach and restoration to cost $171M, Sony estimates
2011-05-24  Sony says hacker stole 2,000 records from Canadian site (Sony Ericsson)
2011-06-02  LulzSec versus Sony Pictures
2011-06-02  Sony BMG Belgium (sonybmg.be) database exposed
2011-06-02  Sony BMG Netherlands (sonybmg.nl) database exposed
2011-06-02  Sony, Epsilon Testify Before Congress
2011-06-03  Sony Europe database leaked
2011-06-05  Latest Hack Shows Sony Didn't Plug Holes
2011-06-05  Sony Pictures Russia (www.sonypictures.ru) databases leaked
2011-06-06  LulzSec Hackers Post Sony Computer Entertainment Developer Network (SCE Devnet)
2011-06-06  LulzSec hits Sony BMG, leaks internal network maps
2011-06-08  Sony Portugal latest to fall to hackers
2011-06-08  Spoofing led to fraud via shopping coupons at Sonisutoa / My Sony Club (Google Translation)
2011-06-11  Spain Arrests 3 Suspects in Sony Hacking Case
2011-06-20  SQLI on sonypictures.fr
2011-06-23  Class Action Lawsuit Filed Against Sony/SCEA
2011-06-28  Sony CEO asked to step down on heels of hacking fiasco
Other events shown on the same slide, without dates: Anonymous leaks Bank of America e-mails; Lulz Security hackers target Sun website; Hong Kong Stock Exchange Website Hacked, Impacts Trades.
14. Security – A Confusing Picture
A word cloud of overlapping terms, technologies and concerns:
Network Security is the first line of defense; Application Security is the last line of defense.
Data Loss Protection, Multi-Layer Firewall, Host IDS, Content Monitoring and Filtering, Network Infrastructure, Load Balancer, NAC, Incident Management System
Security policies, File Access Control List, fine-grain access control, System Infrastructure, Government regulations, operational process, System compliance, central log server, visibility to security threats from a single console, Security Standards
Operation/Administration, Password Management, Authorization API, AD Authentication, Access Control, Keystore Management, policy-based authorization, Web Services Manager Engine, Security Breaches Alert, ID lifecycle management, Delegated administration, Entitlements Server
Middleware & compliance, Breaches Alert, 4A's Security Services, System Services, Application Security, Business Services, approval workflows, Role-based access, 2FA Authentication, Independent 3rd Party Audit
15. The Military Model for Security Issues
Threat Avoidance:
Security is the IT department's business
- Security is the security expert's job
Security is an absolute
- Figure out what the threats are, and avoid them
- Either you're secure or you're not
Follows a computer engineering mentality
- Find and solve it
- Deploy point solutions
Security becomes a barrier to business
16. Visibility of Malware vs. Malicious Intent
-- Invisible --
Source: Douwe.Leguit@govcert.nl, April 2007
17. Fujitsu Coordinated & Layered Approach
Enterprise Security Architecture (layers as shown on the slide):
- End Point Security
- Network Security, System Security, Data Security, Application Security
- Operational Security
- Physical / Data Center Security
- Personnel Security
- Security Management
20. ISACA – Business Model for Information Security
Source: Adapted from the USC Marshall School of Business Institute for Critical Information Infrastructure Protection
http://www.isaca.org/Content/ContentGroups/Research1/Deliverables/An_Introduction_to_the_Business_Model_for_Information_Security1.htm
21. Risk-Based Approach for Security Management
Risk Management: The Business Model
Security is relative:
- Many risks and many solutions
Security is everyone's business
Security is a process:
- Things fail all the time
Variety of options:
- Accept the risk
- Mitigate the risk with People/Procedure/Technology
- Transfer the risk
23. Fujitsu Approach - 3 Steps for Better Security
Step 1: Know your risks
Drivers shown on the slide: Internal and External Threats; Regulatory and Compliance Force; Business; Cost of Doing Business; ROSI (Return on Security Investment).
Assets and their Vulnerability: System, Data, Application and Process.
- Risk Assessment / Compliance Assessment
- Vulnerability Assessment
- Web Application Assessment / PenTest
24. Fujitsu Approach - 3 Steps for Better Security
Step 2: Visualize your situation
25. Fujitsu Approach - 3 Steps for Better Security
The Enterprise Today - Mountains of data, many stakeholders
Security use cases: Malicious Code Detection, Real-Time Monitoring, Spyware detection, Troubleshooting, Access Control Enforcement, Configuration Control, Privileged User Management, Lockdown enforcement, Unauthorized Service Detection, False Positive Reduction, IP Leakage, User Monitoring, SLA Monitoring.
Log sources: Web server activity logs, Web cache & proxy logs, Content management logs, Switch logs, IDS/IDP logs, VA Scan logs, Router logs, Windows domain logins, Windows logs, VPN logs, Firewall logs, Wireless access logs, Linux/Unix/Windows OS logs, Oracle Financial logs, Mainframe logs, Client & file server logs, DHCP logs, SAN File Access logs, VLAN Access & Control logs, Database logs.
Log sources from RSA
26. Fujitsu Approach - 3 Steps for Better Security
Step 2: Visualize your situation
System Monitoring
Intelligent Logs Consolidation and Correlation
SIEM Solution: Security Information & Event Management
SOC: Security Operation Center
Incident Management: ITIL Process
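The log consolidation and correlation step from slides 25 and 26, as an added example (not Fujitsu's or RSA's code): three constructed log formats, a firewall, a Windows domain controller and a syslog-style VPN gateway, are normalized into one schema, and two cross-source rules run over the combined stream. The log formats, hostnames, account names and addresses are made up; Windows event IDs 4624/4625 are the real logon success/failure IDs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in three made-up vendor formats (not real logs).
FIREWALL_LOGS = [
    "2011-05-20 02:01:10 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389",
    "2011-05-20 02:01:12 fw01 DENY src=203.0.113.7 dst=10.0.0.6 dport=3389",
    "2011-05-20 02:01:15 fw01 DENY src=203.0.113.7 dst=10.0.0.7 dport=3389",
    "2011-05-20 02:01:30 fw01 ALLOW src=198.51.100.2 dst=10.0.0.80 dport=443",
]
WINDOWS_LOGS = [  # 4625 = failed logon, 4624 = successful logon
    "2011-05-20T02:05:00 DC01 EventID=4625 Account=jsmith Source=203.0.113.7",
    "2011-05-20T02:05:03 DC01 EventID=4625 Account=jsmith Source=203.0.113.7",
    "2011-05-20T02:05:06 DC01 EventID=4625 Account=jsmith Source=203.0.113.7",
    "2011-05-20T02:05:20 DC01 EventID=4624 Account=jsmith Source=203.0.113.7",
    "2011-05-20T02:07:00 DC01 EventID=4624 Account=alee Source=10.0.0.33",
]
VPN_LOGS = [  # syslog style: no year in the timestamp
    "May 20 02:02:00 vpn01 user=jsmith status=failed peer=203.0.113.7",
]
SYSLOG_YEAR = 2011  # assumed, since syslog lines carry no year

FW_RE = re.compile(r"^(\S+ \S+) (\S+) (DENY|ALLOW) src=(\S+) dst=\S+ dport=\d+$")
WIN_RE = re.compile(r"^(\S+) (\S+) EventID=(\d+) Account=(\S+) Source=(\S+)$")
VPN_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) user=(\S+) status=(\w+) peer=(\S+)$")

def normalize(fw_lines, win_lines, vpn_lines):
    """Consolidation: map every source onto one schema (ts, host, event, ip, user)."""
    events = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"),
                           "host": m[2], "event": "fw_" + m[3].lower(),
                           "ip": m[4], "user": None})
    for line in win_lines:
        m = WIN_RE.match(line)
        if m:
            kind = {"4624": "logon_ok", "4625": "logon_fail"}.get(m[3], "other")
            events.append({"ts": datetime.fromisoformat(m[1]), "host": m[2],
                           "event": kind, "ip": m[5], "user": m[4]})
    for line in vpn_lines:
        m = VPN_RE.match(line)
        if m:
            ts = datetime.strptime(m[1], "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)
            kind = "logon_ok" if m[4] == "success" else "logon_fail"
            events.append({"ts": ts, "host": m[2], "event": kind,
                           "ip": m[5], "user": m[3]})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, window=timedelta(minutes=10), threshold=3):
    """Correlation rules that only fire once the sources are combined:
    1. >= threshold logon failures for (ip, user) within `window`, then a success.
    2. An ip denied >= threshold times at the firewall later logs on successfully."""
    alerts = []
    failures = defaultdict(list)  # (ip, user) -> timestamps of failed logons
    denies = defaultdict(int)     # ip -> firewall deny count
    for e in events:
        if e["event"] == "fw_deny":
            denies[e["ip"]] += 1
        elif e["event"] == "logon_fail":
            failures[(e["ip"], e["user"])].append(e["ts"])
        elif e["event"] == "logon_ok":
            recent = [t for t in failures[(e["ip"], e["user"])] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "guessing_then_success", "ip": e["ip"],
                               "user": e["user"], "failures": len(recent), "ts": e["ts"]})
            if denies[e["ip"]] >= threshold:
                alerts.append({"rule": "scanner_logged_on", "ip": e["ip"],
                               "user": e["user"], "denies": denies[e["ip"]], "ts": e["ts"]})
    return alerts

def run_demo():
    return correlate(normalize(FIREWALL_LOGS, WINDOWS_LOGS, VPN_LOGS))

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Neither rule fires on any single source: the VPN failure alone is one event, and the firewall denies alone are just noise until the same address shows up in a successful domain logon.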
27. Fujitsu Approach - 3 Steps for Better Security
Step 3: Knowing your enemy's behavior
You need investigation tools:
• for pervasive visibility into content and behavior
• providing precise and actionable intelligence
28. Art of War (Sun Zi)
Section III: Attack by Stratagem
"If you know yourself and know the enemy, you need not fear the result of a hundred battles."
孫子兵法 謀攻第三: 知己知彼,百戰不殆
The slide frames the three steps as a cycle: Investigation, Visualization, Remediation.
Associated Press 01.23.06
SAN FRANCISCO -- A 20-year-old hacker pleaded guilty Monday to surreptitiously seizing control of hundreds of thousands of internet-connected computers, using the zombie network to serve pop-up ads and renting it to people who mounted attacks on websites and sent out spam.
Jeanson James Ancheta, of Downey, California, pleaded guilty in Los Angeles federal court to four felony charges for crimes, including infecting machines at two U.S. military sites, that earned him more than $61,000, said federal prosecutor James Aquilina.
Under a plea agreement, which still must be approved by a judge, Ancheta will receive from 4 years to 6 years in prison, forfeit a 1993 BMW and more than $58,000 in profit and pay $19,000 in restitution to the federal government, according to court documents. He is to be sentenced May 1.
Prosecutors called the case the first to target profits derived from use of "botnets," large numbers of computers that hackers commandeer and marshal for various nefarious deeds, their owners unaware that parasitic programs have been installed and are being run by remote control.
Botnets are being used increasingly to overwhelm websites with streams of data, often by extortionists. They feed off of vulnerabilities in computers that run Microsoft's Windows operating system, typically machines whose owners haven't bothered to install security patches.
A November indictment charged Ancheta with 17 counts of conspiracy, fraud and other crimes connected to a 14-month hacking spree that started in June 2004 and that authorities say continued even after FBI agents raided his house the following December.
"Part of what's most troubling about those who commit these kinds of offenses is they think they'll never be caught," said Aquilina, who spent more than a year investigating Ancheta and several of Ancheta's online associates who remain uncharged co-conspirators.
Ancheta's attorney, federal public defender Greg Wesley, did not immediately return phone calls seeking comment.
The guilty plea comes less than a week after the FBI released a report that estimates viruses, worms and Trojan horse programs like the ones Ancheta employed cost U.S. organizations $11.9 billion each year.
November's 52-page indictment, along with papers filed last week, offer an unusually detailed glimpse into a shadowy world where hackers, often not old enough to vote, brag in online chat groups about their prowess in taking over vast numbers of computers and herding them into large armies of junk mail robots and arsenals for so-called denial of service attacks on websites.
Ancheta one-upped his hacking peers by advertising his network of "bots," short for robots, on internet chat channels.
A website Ancheta maintained included a schedule of prices he charged people who wanted to rent out the machines, along with guidelines on how many bots were required to bring down a particular type of website.
In July 2004, he told one chat partner he had more than 40,000 machines available, "more than I can handle," according to the indictment.
A month later, Ancheta told another person he controlled at least 100,000 bots, and that his network had added another 10,000 machines in a week and a half.
In a three-month span starting in June 2004, Ancheta rented out or sold bots to at least 10 "different nefarious computers users," according to the plea agreement. He pocketed $3,000 in the process by accepting payments through the online PayPal service, prosecutors said.
Starting in August 2004, Ancheta turned to a new, more lucrative method to profit from his botnets, prosecutors said. Working with a juvenile in Boca Raton, Florida, whom prosecutors identified by his internet nickname "SoBe," Ancheta infected more than 400,000 computers.
Ancheta and SoBe signed up as affiliates in programs maintained by online advertising companies that pay people each time they get a computer user to install software that displays ads and collects information about the sites a user visits.
Prosecutors say Ancheta and SoBe then installed the ad software from the two companies -- Gamma Entertainment of Montreal, Quebec, and Loudcash, whose parent company was acquired last year by 180Solutions of Bellevue, Washington -- on the bots they controlled, pocketing more than $58,000 in 13 months.
"It's immoral, but the money makes it right," Ancheta told SoBe during one online chat, according to the indictment.
"I just hope this (Loudcash) stuff lasts a while so I don't have to get a job right away," SoBe told Ancheta during a different conversation.
Aquilina, the assistant U.S. attorney prosecuting the case, wouldn't say whether authorities plan to charge SoBe or any of the people accused of renting out Ancheta's bots, many of whom are described as "unindicted co-conspirators."
During the course of their scheme, Ancheta and SoBe infected U.S. military computers at the China Lake Naval Air Facility and the Defense Information System Agency headquartered in Falls Church, Virginia, according to a sworn declaration signed by Ancheta.
Security must be pervasive. Every aspect of a company should be security conscious:
- Security Policies, Standards and Procedures
- Personnel Security
- Physical Security
- Network Security
- Systems Security
- System Audit
- Risk Management
- Applications Security - Authentication - Access Control
- Audit Logs
- Incident Management
- Disaster Recovery and Business Continuity
- Security Assurance
- Security Training and Awareness Requirements
Security and Risk Management
Ask any network administrator what he needs security for, and he can describe the threats: web site defacements, corruption and loss of data due to network penetrations, denial-of-service attacks, viruses and trojans. The list seems endless, and an endless series of news stories proves that the threats are real.
Ask that same network administrator how security technologies help, and he'll discuss avoiding the threats. This is the traditional paradigm of computer security, born out of a computer science mentality: figure out what the threats are, and build technologies to avoid them. The conceit is that technologies can somehow "solve" computer security, and the end result is a security program that becomes an expense and a barrier to business. How many times has a security officer said: "You can't do that; it would be insecure"?
The paradigm is wrong. Security is a people problem, not a technology problem. There is no computer security product - or even suite of products - that acts as magical security dust, imbuing a network with the property of "secure". It can't be done. And it's not the way business works. Businesses manage risks. They manage all sorts of risks; network security is just another one. And there are many different ways to manage risks. The ones you choose in a particular situation depend on the details of that situation. And failures happen regularly; many businesses manage their risks improperly, pay for their mistakes, and soldier on. Businesses are remarkably resilient.
To take a concrete example, consider a physical store and the risk of shoplifting. Most grocery stores accept the risk as a cost of doing business. Clothing stores might put tags on all their garments and sensors at the doorways; they mitigate the risk with a technology. A jewelry store might mitigate the risk through procedures: all merchandise stays locked up, customers are not allowed to handle anything unattended, etc. And that same jewelry store will carry theft insurance, another risk management tool.
More security isn't always better. You could improve the security of a bank by strip-searching everyone who walks through the front door. But if you did this, you would have no business. Studies show that most shoplifting at department stores occurs in dressing rooms. You could improve security by removing the dressing rooms, but the losses in sales would more than make up for the decrease in shoplifting. What all of these businesses are looking for is adequate security at a reasonable cost. This is what we need on the internet as well: security that allows a company to offer new services, to expand into new markets, and to attract and retain new customers. And the particular computer security solutions they choose depend on who they are and what they are doing.
Security is not a single solution. Security is a pervasive, ongoing process of reviewing and revising based on changes to the environment. It is the culmination of interaction between people, process, and technology.
1. People - People are the most important security component. People define policy, process and procedures. Often, people are the weakest link in any security infrastructure. Educating users on security awareness, and rewarding them when they follow your procedures, is a great way to build a security-conscious environment.
2. Process - "Security is a process, not a product". A security product is only one step in the process. As the corporate environment changes, these products should be analyzed and reconfigured. Overall, security is not something you can "get". There are no out-of-the-box, plug-and-play solutions that provide you with an adequate security infrastructure. Building an effective security infrastructure requires analysis and planning along with the development of policies and procedures and a little help from security products. Policies form the foundation of your security infrastructure. Policies define how a company approaches security, how employees should handle security, and how certain situations will be addressed. Without strong policies implemented in the company and reviewed on a regular basis, you do not have a security infrastructure.
3. Technology - You might have a few security products installed, but you do not have an infrastructure because you do not have the foundation to build on. Surprisingly, technology is the least important component of a security infrastructure. All technology does is provide you with the means to implement your policies. I am not saying that technology is not important, but it is less important than strong policies and security-conscious employees.
Now that people are aligned, and the process developed and clarified, technology can be applied to ensure consistency in the process and to provide the thin guiding rails that keep the process on track - to make it easier to follow the process than not to do so.
Security must be pervasive. Every aspect of a company should be security conscious. Employees need to understand the importance of security and the role they play in maintaining an effective security infrastructure. Management should realize that security is critical to the success of the company and set an example for all employees to follow regarding security consciousness.