1. Security In the News
Orange County CIO Roundtable
July 10, 2014
Jeff Hecht
Chief Compliance & Security Officer
2. Agenda
• We’re going to talk about 3 major security events that
have been in the news in the last 12 months.
• We’ll try to understand a little about what happened and
add some perspective about what those things mean for
CIOs and other executives going forward.
• The three events are:
o The Heartbleed vulnerability
o The regularity of massive data breaches, most
specifically the Target breach
o The revelations about the NSA as a result of documents
stolen and released by Edward Snowden
3. Heartbleed - What is it?
• Heartbleed is a vulnerability in the OpenSSL cryptographic
software library.
• This weakness allows stealing the information usually
protected by SSL/TLS encryption, the primary tool
providing communication security and privacy over the
Internet.
• It’s called Heartbleed because the bug is in OpenSSL's
implementation of the TLS/DTLS heartbeat extension.
When it is exploited it leads to the leak of memory
contents from the server to the client and from the client
to the server.
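To make the heartbeat bug concrete, here is an added illustration in C (it is not OpenSSL's code and not part of the original deck): a simulated heartbeat handler in its vulnerable form beside the fixed one. The record layout (type, two-byte payload length, payload, padding) follows the TLS heartbeat extension; the "heap" contents, the request and the secret are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER  3    /* type (1 byte) + payload_length (2 bytes) */
#define HB_PADDING 16   /* minimum padding a heartbeat message carries */

/* Constructed "process memory" (sample data, not a real capture): a 21-byte
 * heartbeat request whose header claims a 37-byte payload, followed by data
 * that stands in for the key material or session data next to it on the heap. */
static const unsigned char heap[] =
    "\x01"                              /* type: heartbeat_request */
    "\x00\x25"                          /* declared payload_length = 37 */
    "hi"                                /* the 2 payload bytes actually sent */
    "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"  /* 16 bytes of padding */
    "SECRET-KEY-MATERIAL";              /* adjacent memory, never meant to leave */

#define RECEIVED_LEN (HB_HEADER + 2 + HB_PADDING)   /* 21 bytes arrived */

/* Vulnerable pattern: the response is sized from the declared length, which
 * is never compared with the bytes actually received. The over-read stays
 * inside heap[] in this simulation, so the demonstration is well-defined. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out) {
    (void)rec_len;                            /* received length ignored */
    size_t plen = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out, rec + HB_HEADER, plen);       /* copies past the request */
    return plen;
}

/* Fixed pattern: a record whose declared payload does not fit in what was
 * received is silently discarded, which is what the OpenSSL 1.0.1g fix does. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0;         /* too short */
    size_t plen = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + plen + HB_PADDING > rec_len) return 0;  /* the missing check */
    memcpy(out, rec + HB_HEADER, plen);
    return plen;
}

int main(void) {
    unsigned char out[64] = {0};
    size_t n = heartbeat_vulnerable(heap, RECEIVED_LEN, out);
    printf("vulnerable: echoed %zu bytes, ending in \"%.19s\"\n", n, (const char *)out + 18);
    printf("fixed: echoed %zu bytes (request dropped)\n",
           heartbeat_fixed(heap, RECEIVED_LEN, out));
    return 0;
}
```

The vulnerable handler echoes 37 bytes although only 21 arrived, so the 19 bytes of "SECRET-KEY-MATERIAL" that follow the request in memory come back to the peer; the fixed handler returns nothing for that request and still serves a well-formed one.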
4. Heartbleed – What does it do?
• The information that can be obtained through these
leaks is expansive.
• Not just an ability to intercept a particular exchange as
it’s happening (e.g. a web session that might include
confidential information), but user names and passwords
and most importantly the encryption keys themselves.
• Leaked secret keys allow the attacker to decrypt any
past and future traffic to the protected services and to
impersonate the service at will.
• Any protection given by the encryption and the
signatures in the certificates can be bypassed.
5. Heartbleed – How widespread?
• OpenSSL is the most popular open source cryptographic
library and TLS implementation used to encrypt traffic on
the Internet.
• The most notable software using OpenSSL are the open
source web servers like Apache and nginx. The
combined market share of just those two out of the
active sites on the Internet was over 66%.
• OpenSSL is also used to protect email servers, chat
servers, virtual private networks, network appliances and a
wide variety of client side software. Many versions of Linux
also use OpenSSL.
• The bug was introduced to OpenSSL in December 2011
and has been out in the wild since March 2012. OpenSSL
1.0.1g released in April 2014 fixes the bug.
6. Heartbleed – How widespread?
• The vulnerable versions have been out there for over two years
now and an estimated 600,000 servers were affected.
• The list of major sites affected includes:
o Google
o Facebook
o Twitter
o Instagram
o YouTube
o LinkedIn
o Yahoo
o Bank of America
o Chase
o Etrade
o TurboTax
o Amazon Web Services
o DropBox
o And many more…
Note that because this is primarily a
server side issue, it makes no
difference whether your client is
running Windows, an Apple OS,
Android, iOS or what browser or
browser version you have. Everyone
who might connect to any site using
OpenSSL is potentially vulnerable.
7. Heartbleed – Am I affected?
o Almost certainly you as an individual accessed an affected
server.
o It is pretty much impossible that you don’t have an account
somewhere that runs on an affected service, although it’s also
nearly impossible to know if your information was actually
compromised.
o At first there was little you could do until the services were
updated.
o Now most of the major sites have removed the bug, but you
must change your passwords as they may have already been
compromised.
o An estimated 300,000 servers have yet to be patched so your
best defense is to regularly change your login credentials for any
site that may have confidential information about you.
8. Heartbleed – Is my company affected?
o If you use Open Source tools to run web sites (like Linux, Apache, etc.)
your company very likely is affected.
o Even if you do not use those tools as primary software, you likely have
devices attached to your network, like firewalls, routers and switches that
use embedded versions of Open Source software and may contain the
OpenSSL library. Some of these may be difficult or impossible to patch.
o You may be using hosting partners that expose you to risk.
o If you rely on cloud based services like Google Apps you will want to
ensure all your users have recently changed their passwords.
o Recovery for exposure on your infrastructure takes several steps:
• Patch the vulnerability with the latest version of OpenSSL
• Revoke compromised keys (may need the help of your
Certificate Authority)
• Reissue and redistribute new keys
• Have all users change their passwords
9. Heartbleed – Is my company affected?
• You can test your web servers at: https://www.ssllabs.com/ssltest/index.html
10. • Most likely through a malware process known as “RAM scraping”, 40 million
credit and debit card numbers were stolen over a 3 week period in an attack
on Target POS systems
• Also stolen were names, mailing addresses, phone numbers and email
addresses of up to 70 million individuals
• 46% drop in profits
• Stock drops
• $200M cost to banks and credit unions to reissue compromised cards
• Target CIO out
• Target CEO out
• Target to invest at least $100M in upgraded POS security (chip and pin)
• Neiman Marcus, Michaels, eBay, Sally Beauty, P.F. Chang’s, Paytime and
others have had breaches affecting millions
• An estimated one in four Americans have had credit card and other
sensitive information stolen
11. Changes in cards
• Chip and Pin technologies (also called smart cards or EMV) can have a
positive effect on POS breaches and make duplicating physical credit
cards much harder
• Widely used in Europe for some time (ironically because their network
infrastructure could not support real time verification processing until
recently) chip technologies:
o Embed a microchip on credit/debit cards that contains the card number,
expiration, etc. in an encrypted format
o The decryption takes place with a sophisticated method that is good
only for that specific transaction and requires the PIN
o That makes the card itself unusable at POS without the PIN and very
difficult to duplicate
o UK and Canada have seen large drops in fraud through use of chip and
pin
• Visa and MasterCard have mandated its use by 10/2015. Starting 10/2017 the liability
for fraudulent transactions will move to the entity in the chain that has the
lowest level of technical security unless they are accepting chip and pin
12. Changes in cards
• The resistance to adoption has been largely cost
o POS terminals must be replaced (roughly 10M of them)
o Cards containing the chips cost 6 to 8 times as much to make as
magnetic stripe cards and programming each is expensive
o All told the cost goes from roughly 50 cents a card to $2.20 a card
o There are approximately 1 billion cards in the US each year so the extra
cost of the cards alone is about $1.7B
• Some had hoped chip and pin would be skipped in favor of a jump directly to
smartphones and NFC
• Although the technology is there and would seemingly avoid many of the costs
associated with the chip and pin cards themselves, it has not made much
penetration
13. Are they resolving the problem?
• Chip and Pin is a good step forward from magnetic stripe credit cards and
makes duplicating physical cards much harder
• Target (and Walmart) are trying to get some positive spin by announcing their
use but it’s really Visa/MasterCard who are forcing everyone’s adoption
• Whether executed at POS or not, most breaches are the result of access through
the Internet, perhaps through a third party’s administration credentials
• It’s hacking, phishing, etc. that pose the biggest threats
• One technology that is available today that could help mitigate this is end-to-
end encryption
o In RAM scraping exploits the malware takes advantage of the fact that the
encrypted information has to be in clear text at some point in RAM to do the
verifications; at this point it can be captured and stolen. With end-to-end
encryption the data is never exposed except at the ultimate destination (the card
processor) and it remains encrypted and unusable locally. Note that SQUARE is
doing this today, for obvious reasons.
• But that’s going to be another expense and they are already being forced to
spend the money on Chip and Pin so it’s not likely very soon
14. What does it mean to my company?
• Obviously if you’re in the retail space, Chip and Pin and customer
confidence are something you’re probably already dealing with
• For everyone else, it’s about general data security, the basics:
o Employee training
• IBM Security Services 2014 Cyber Security Intelligence Index estimates 95% of
security incidents are due to “human error”; the number one cause: phishing
o Active monitoring
o Updated patching and malware protection
o Encryption wherever possible
o Regular scanning and prompt remediation
o User identity management
o Adequate and enforced employee termination procedures
o Two factor authentication for remote admin access
15. NSA Leak
• Edward Snowden, a former NSA employee, released a large number of files he was able to
remove from agency computer systems through his position as a Systems Administrator
• The information revealed:
• Mass-surveillance programs undertaken by the NSA directly accessing the information
of US citizens as well as foreign nationals
• The agency’s ability to access information stored by major US technology companies,
often without individual warrants, and mass-intercepting data from the fiber-optic
backbone of global phone and internet networks
• The agency may have worked to undermine the security standards on which the internet,
commerce and banking rely
• The revelations have raised concerns about growing domestic surveillance, the scale of
global monitoring, trustworthiness of the technology sector, whether the agencies can keep
their information secure, and the quality of the laws and oversight keeping the agencies in
check
• The extent to which private companies are cooperating with intelligence agencies has
been a source of concern for internet users, as has the allegation that the NSA knew about
Heartbleed and other vulnerabilities and, rather than disclosing them, exploited them.
16. NSA Leak
• Some pundits (notably Bruce Schneier) think these revelations show the NSA
has undermined everyone’s security and that, by forcing commercial companies
to build in ways for it to get access, it has made the world inherently less secure
• Many think direct access of US citizens’ communications represents
warrantless search
• Others think spying on the general populace to potentially uncover terrorist
activity is within the charter of the NSA, that this is simply moving to a more
technologically sophisticated way to spy and that there is adequate
(although not publicly shared) oversight
• There is no evidence that non-terrorism activities have been targeted or
further investigated
17. NSA Leak – What does it mean to my company?
• The issues about the spying itself are worthy of discussion and perhaps changes in
the controls around NSA activities – but not something most companies will be
able to directly influence
• Also unless your company is a provider of communications services you may be
unlikely to have to make a decision about cooperating to provide access to the
NSA
• The question about whether the NSA or any entity can keep its data secure is of
interest to all of us and should make us all consider:
How is my company exposed to insider threats?
18. NSA Leak – Insider Threats
• Many companies discount insider threats as infrequent events
• While they may not be frequent they have the potential to be more
serious and devastating to the enterprise
• There are multiple types of motivation for the insider stealing information:
• Someone who believes they are being a good faith whistleblower
• Someone with a grudge who wishes to harm the enterprise
• Someone interested in profiting – usually quietly and perhaps for a
long time – from the information
• Detection is difficult. These are users that are supposed to be there and
at some point need to access these systems to do their job. Either willfully
or by making a mistake, insiders can expose an enterprise’s most critical
information
19. NSA Leak – Insider Threats
• The basic idea is defense in depth. Multiple rings of security to protect
not just the perimeter but the important parts of a network. Some
concepts:
• Islands of Security
• Prevent Unauthorized Copying
• Two-Factor Authentication
• Separation of Duties and Two-Person Authorization
• Creative Use of Encryption
• Prevent Removable Media from Leaving the Building
• Log Events, Monitor and Alert
• Plan for Break-in to Minimize Damage
• Periodic Security Audits