1. Top Security Trends for 2014
Amichai Shulman, CTO, Imperva
1
© 2013 Imperva, Inc. All rights reserved.
2. Agenda
§ Introduction
§ 2013 forecast scorecard
§ 2014 security trends
§ Summary and conclusion
§ Q&A
3. Amichai Shulman – CTO, Imperva
§ Speaker at industry events
• RSA, Appsec, Info Security UK, Black Hat
§ Lecturer on information security
• Technion - Israel Institute of Technology
§ Former security consultant to banks and financial services firms
§ Leads the Imperva Application Defense Center (ADC)
• Discovered over 20 commercial application vulnerabilities
§ Credited by Oracle, MS-SQL, IBM and others
Amichai Shulman is one of InfoWorld’s “Top 25 CTOs”
5. #1 - 3rd Party is “No Party”
6. Known Vulnerabilities: The Known Knowns
§ There are known knowns; these are things we know that
we know…
• Donald Rumsfeld, U.S. Secretary of Defense, February 2002
§ 3rd party known vulnerabilities
• Vulnerable components (e.g., framework libraries) can be identified and exploited
(OWASP: https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities)
7. Rich Attack Surface
According to Veracode:
• Up to 70% of internally developed code originates outside of the development team
• 28% of assessed applications are identified as created by a 3rd party
8. Security Falls Between the Cracks
§ Application developers
• Introduce 3rd party code into the system
• Not responsible for 3rd party code security (or quality)
• Not responsible for run-time configuration of 3rd party components
§ IT operations
• Not always aware of 3rd party components
§ Web server type is more visible than a library
• Reluctant to change configuration settings that might impact application behavior
9. 2014 Forecast: Bigger! Stronger! Faster!
§ Bigger! – More vulnerabilities!
§ Stronger! – As a result of the richness of the vulnerabilities’ market, attackers will create vulnerability “mash-ups,” combining several different vulnerabilities together
§ Faster! – Shorter time from a vulnerability’s full disclosure to exploits in the wild
Source: http://cdn.thinksteroids.com
10. Bigger! Disclosure Rate Increases
§ More software + more security researchers + more bounty programs = more vulnerability disclosures
§ The CVE ID enumeration syntax was changed to track more than 10,000 vulnerabilities in a single year, starting in 2014
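Slides 6 to 8 say that vulnerable third-party components can be identified but that nobody owns that inventory, and slide 10 notes the 2014 change to CVE ID syntax. The following check is an added example (not from the Imperva deck) that matches a constructed component inventory against a constructed advisory feed; component names, advisory IDs and version ranges are placeholders, and the feed is validated against the post-2014 CVE syntax so that malformed IDs are surfaced instead of silently ignored.

```python
import re
from typing import Dict, List, Tuple

# CVE identifier syntax since 2014: year plus at least four sequence digits,
# with no upper bound on the length (e.g. CVE-2014-123456).
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2) so that 1.10 sorts after 1.9 (string compare would not)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Half-open range used by most advisory feeds: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)

# Constructed inventory of third-party components found in one deployment (placeholder names).
INVENTORY: Dict[str, str] = {
    "example-web-framework": "2.3.14",
    "example-template-lib": "1.10.1",
    "example-json-parser": "0.9.8",
}

# Constructed advisory feed; IDs, ranges and scores are placeholders, not real advisories.
ADVISORIES: List[dict] = [
    {"id": "CVE-2014-123456", "component": "example-web-framework",
     "introduced": "2.0.0", "fixed": "2.3.15", "cvss": 9.3},
    {"id": "CVE-2014-0001", "component": "example-template-lib",
     "introduced": "1.2.0", "fixed": "1.9.0", "cvss": 4.3},
    {"id": "BAD-ID", "component": "example-json-parser",
     "introduced": "0.0.1", "fixed": "1.0.0", "cvss": 5.0},
]

def find_known_vulnerable(inventory: Dict[str, str], advisories: List[dict]):
    """Return (hits, rejected): hits are (component, version, id, cvss) sorted by
    descending CVSS; rejected lists advisory IDs that fail the CVE syntax check."""
    hits, rejected = [], []
    for adv in advisories:
        if not CVE_ID.match(adv["id"]):
            rejected.append(adv["id"])  # flag for follow-up rather than dropping it
            continue
        version = inventory.get(adv["component"])
        if version and is_affected(version, adv["introduced"], adv["fixed"]):
            hits.append((adv["component"], version, adv["id"], adv["cvss"]))
    return sorted(hits, key=lambda h: -h[3]), rejected

if __name__ == "__main__":
    found, bad = find_known_vulnerable(INVENTORY, ADVISORIES)
    print("vulnerable:", found)
    print("rejected advisory ids:", bad)
```

The template library at 1.10.1 is correctly reported as fixed because versions are compared numerically; a naive string comparison would have put "1.10.1" below "1.9.0" and raised a false alarm.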
11. Stronger! Vulnerabilities “Mash-Up”
§ Take several “cheap” (low CVSS impact score) known vulnerabilities
• CVE-2010-3065: PHP
§ NIST assigned impact score: 2.9
• CVE-2011-2505: phpMyAdmin session modification vulnerability
§ NIST assigned impact score: 4.9
§ To create a shining exploit
• phpMyAdmin full server takeover exploit
• Effective impact score: a perfect 10
§ Read more in Imperva’s HII report:
http://www.imperva.com/docs/HII_PHP_SuperGlobals_Supersized_Trouble.pdf
12. Stronger! 1 + 1 = 3
13. Faster! Vulnerability Weaponization
§ Since a vulnerability has a limited time span, attackers strive for faster vulnerability weaponization
§ We have witnessed weaponization time cut from weeks to days
§ Infrastructure is the key to fast weaponization
• Exploit code is often publicly available
• Dormant botnets are ready to launch the attack
• Command and Control (C2) servers and zombies support
§ Dynamic content
§ Dynamic targets
14. #2 - Server Based APT Alternative
15. Web Servers Infection is the New Black
§ Goals of infecting corporate workstations
• Harness computing resources
§ Network bandwidth to be used in DDoS attacks
§ CPU power to mine Bitcoins
• Use as a bridgehead into the corporate datacenter
§ Both goals are better achieved by targeting web servers
• More powerful
• Inherently connected to the corporate datacenter
17. Why Start with Web Servers?
§ Easier reconnaissance
• Detect type and components, discover vulnerabilities
§ Accept inbound communications from the Internet (by definition)
• Direct attack, no need for “human factor”
• Remote control becomes easier
• Attacker identity
§ Land (almost) directly into the data center
• No need for “lateral movement”
§ Wide outgoing pipe
• Exfiltration made easier
18. Means and Opportunity
§ Many code execution / full server takeover vulnerabilities exist
§ Most are easy to weaponize and exploit
§ In 2013, the following environments were vulnerable to such attacks
• ColdFusion
• Apache Struts
• vBulletin (TA)
• JBoss (TA)
• PHP
http://blog.imperva.com/2013/11/threat-advisory-a-jboss-as-exploit-web-shell-code-injection.html
http://blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html
21. 2014 Forecast: Server Based APTs
§ We expect more APT operations to happen through server compromise
§ Such attacks have an even smaller footprint than existing APT techniques at each stage
• Initial infection
• Lateral movement
• Exfiltration
§ Public disclosure will probably arrive in 2015
22. #3 - Ad Networks = Added Risk
23. Reality Check 1
§ Malware infected PCs = potential income
§ Plenty of ways to monetize (KrebsOnSecurity)
Source: http://krebsonsecurity.com
24. Reality Check 2
§ Infected mobile devices are even more valuable
§ Can do anything a PC does, therefore can be monetized the same way
§ Additionally, can send “premium SMS” – a very effective and direct monetization method
Source: http://thenextweb.com
25. Black Market Economy 101
§ Infected end points are valuable
§ Therefore, driving traffic to infecting sites is valuable
§ Sample price list for geo-location profiled traffic (per thousand unique visitors; credit: Webroot blog):
Source: http://webrootblog.files.wordpress.com
26. Malware + Advertising = Malvertising
§ Paying someone to show your content is an already established business practice
§ It’s called advertising!
§ And when the content is malicious it’s malvertising
§ Targeted advertising is very efficient
§ And so is targeted malvertising
Source: http://bluebattinghelmet.files.wordpress.com
30. The Main Door is (Pretty Much) Locked
§ Vendors closely monitor their app shops for malware
§ Result: attackers cannot directly upload malicious apps
31. 2014 Forecast: Year of Mobile Malvertising
§ Dynamic content delivered to already installed apps does not go through the app shop
§ Supply - mobile app vendors
• Have many users
• Do not have a way to monetize on the traffic
• Eager for advertising revenues
§ Demand – cyber criminals
• Have malicious content
• Look for alternative delivery to end users, as market is blocked
• Eager for traffic
§ Outcome: Mobile Malvertising
32. BadNews Ad Network Infected Apps
Source: https://blog.lookout.com
33. The Ad Market is Very Complex
§ Complex environment is a hotbed for attackers
§ Many opportunities for the attacker to attack
• Can choose the weakest link
• Can move to the next target when denied
§ App makers have a vast “deniability region”
Source: http://ad-exchange.fr
34. #4 - (Finally) Cloud Data Breaches
35. We are Not in Kansas Anymore Toto!
§ Demand
• SaaS and DBaaS are becoming mainstream
• Not early adopters anymore
• Less technically oriented organizations
• Test and pilot deployments become production
• Dial moves from “nice to have” applications to “mission critical” applications
§ Supply
• Many new providers
• Smaller, less experienced organizations
• Carpe Diem
§ I wanted an app of my own but ended up building a cloud service
36. Everybody Is Doing It
§ According to Verizon ‘2013 State of the Enterprise Cloud Report’ (January 2012 – June 2013)
• The use of cloud-based storage has increased by 90 percent
• Organizations are now running external-facing and critical business applications in the cloud – production applications now account for 60 percent of cloud usage
37. Hiding in the Fog
§ Outsourcing data MISTAKEN for outsourcing responsibility
§ Low number of breaches
§ False sense of safety
38. Ball Waiting for the Player
§ Traditional RDBMS services
• Used as C&C and dropper infrastructure by cyber criminals
• Security attitude is not adapted to cloud reality
• See our “Assessing the Threat Landscape of DBaaS” HII for more details
§ Big Data services
• Innovative
• Smaller providers
• Using innovative technologies with little to no security built-in
• Widely adopted by web application startup community, often storing personal information
43. 2014 Forecast: Cloud Breaches Increase
§ We expect to see a significant increase in cloud service data breaches
• SaaS
• DBaaS
§ We expect to see a growing use of DBaaS by attackers. It’s a newcomer to our 2013 ‘Black Cloud on the Horizon’ trend
44. #5 – Commercial Malware for Data Centers
45. Advanced Threat – State Sponsored
§ Stuxnet
• Manual intelligence
• Advanced malware attack
§ Duqu
• Automatic intelligence
§ Rocra
• Both
• See “Red October: The Hunt For the Data”
49. Commercialization of Military Technologies
§ Advanced threat malware capabilities flow into criminal malware
• Technology – modular code, two tier C&C, include data access and handling code
• Target – enterprise internals
§ Examples
• Narilam – destroys business application databases
• Malware targeting business application (SAP) spotted
50. Built-in Database Access
§ Our December 2013 HII shows commercial malware using DBaaS as infrastructure
§ Data store accessing capabilities
§ Mevade – using an integrated services language based on SQL, called WQL (SQL for Windows Management Interface), to query the target system's database to learn the security settings
§ Shylock – SQLite – Any messages that Skype sends are stored in Skype's main.db file, which is a standard SQLite database. Shylock accesses this database and deletes its messages and file transfers so that the user cannot find them in the history
§ Kuluoz – SQLite to access browser data repositories for sensitive information, such as credentials
§ Database access malware was used in the SK Comms data breach
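The Shylock behaviour above (deleting rows from Skype's SQLite main.db) is something a responder can turn around. The following is an added forensic example, not from the Imperva deck: with a constructed history database it shows that rows deleted from a SQLite file with secure_delete OFF remain carveable from the raw file bytes, while secure_delete ON zeroes them. The table layout and message contents are constructed.

```python
import os
import sqlite3
import tempfile

# Constructed chat history standing in for the Skype main.db described on the slide.
MESSAGES = [
    ("alice", "Invoice 4471 is ready, please review it before Friday"),
    ("bob", "Sending the contract draft now, see the attachment"),
    ("alice", "Wire details changed, use the new account in the PDF"),
]
DELETED_FRAGMENT = b"use the new account in the PDF"  # tail of the row we will delete

def build_history_and_delete(path: str, secure_delete: bool) -> None:
    """Create the history, then delete one message the way the slide describes."""
    conn = sqlite3.connect(path)
    # OFF is SQLite's compiled-in default; some distributions build with it ON,
    # so set it explicitly. It decides whether freed cells are zeroed or merely unlinked.
    conn.execute(f"PRAGMA secure_delete={'ON' if secure_delete else 'OFF'}")
    conn.execute("CREATE TABLE Messages (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.executemany("INSERT INTO Messages (author, body) VALUES (?, ?)", MESSAGES)
    conn.commit()
    conn.execute("DELETE FROM Messages WHERE body LIKE 'Wire details%'")
    conn.commit()
    conn.close()

def visible_rows(path: str) -> int:
    """What the user (and any SQL-based history viewer) sees after the deletion."""
    conn = sqlite3.connect(path)
    try:
        return conn.execute("SELECT COUNT(*) FROM Messages").fetchone()[0]
    finally:
        conn.close()

def deleted_text_carveable(path: str) -> bool:
    """Scan the raw file: a freed cell keeps its payload until the page is reused or VACUUMed."""
    with open(path, "rb") as f:
        return DELETED_FRAGMENT in f.read()

def compare_settings() -> dict:
    """Run the deletion under both settings and report what a responder would find."""
    workdir = tempfile.mkdtemp()
    result = {}
    for label, secure in (("secure_delete_off", False), ("secure_delete_on", True)):
        path = os.path.join(workdir, f"{label}.db")
        build_history_and_delete(path, secure)
        result[label] = {"visible": visible_rows(path),
                         "carveable": deleted_text_carveable(path)}
    return result

if __name__ == "__main__":
    print(compare_settings())
```

In both cases SQL reports two rows, so a history viewer shows the deletion as complete; only the raw-file scan reveals whether the payload survived, which is why a compromised host's SQLite stores should be imaged and carved rather than queried.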
51. 2014 Forecast: Datacenter is the Goal
§ We are at the tipping point and in 2014 we will see active automated attacks against enterprise data centers
• Infection methods are more effective than ever
• Malware infrastructure is mature and ready
• Criminal use cases are starting to show up
§ We expect business applications to become first-class targets for criminals
• Easier to manipulate
• The internal version of “web application attacks”
53. Summary
§ Our five trends for 2014
• 3rd party vulnerability exploit – bigger, stronger, faster
• Web server compromise – alternative to APT
• Ad network infections – more targeted, mobile oriented
• Cloud breaches – sharp rise in actual incidents
• Commercial malware – criminals are after your data center
§ Attackers focus their attention on getting into the data center – physical or virtual
§ Attackers prefer to use the front door (web servers) but at the same time are constantly improving on the alternatives (malware and infection methods)
54. Recommendations
§ Protect your front door
• Web Application Firewalls are not “nice to have”
• SDLC and patching fail in modern software and threat environments
§ Improve your internal DATA controls
• Enhance visibility into data access, both structured and unstructured
• Introduce capabilities to detect abusive access to data center resources
§ Evaluate solutions for your cloud data repositories
• Perform better due diligence of providers
55. Bottom Line
§ Balance your security budget to reflect the need for more data protection over end-point and network perimeter protection
56. Webinar Materials
Join Imperva LinkedIn Group, Imperva Data Security Direct, for…
• Post-webinar discussions
• Webinar recording link
• Answers to attendee questions