Layer8 and the attack of the flying pigs

download.microsoft.com/documents/uk/security/issa/...

Post on 18-Aug-2020


Layer8 and the attack of the flying pigs

Lesley Kipling: CCE, CISA, CISSP, MCSE:+Security, CNE

Senior Security Engineer

Law Enforcement Tech Lead

CSS Security

leskip@microsoft.com

Agenda

Microsoft CSS Security

Brief overview of the trends we’re seeing

Top 10 Microsoft Attack Vectors

Social engineering

Beast Demo

Tools

Microsoft CSS Security

“Hacking the hackers”

Who we are

Incident Response specialists

What we do

Compromised = free MS support

TACTICAL mitigation

Postmortem analysis

Recommendations to help the customer secure against another attack

Get Security Support: http://www.microsoft.com/uk/protect/support/default.mspx

Trends we’re seeing

Sharp increase in cyber crime

Monetary incentive

Low risk of capture

Targeted attacks

Availability of web based info

Growth of the insider threat

Focus moving away from the OS

Attacking the applications

Combined with web app attacks

Attack Vectors: Our Customers' Top 10

Social Engineering

Education (x3!), defence in depth, run as limited user, transparent security controls

Technological attacks:

Mass SQL Injection: ASP.NET coding best practices, SDL for developers

Passwords: Make 'em long and complex, change them every 90 days

Physical Attacks: BitLocker in advanced mode, disable 1394 device drivers, EFS, strong passwords

Attack Vectors: Our Customers' Top 10

Technological attacks, cont.:

Remote Code Execution Vulnerabilities: Defence in depth, patch management

NULL Session Enumeration

Set RestrictAnonymous reg key – watch out for compat issues

http://support.microsoft.com/kb/823659

UnauthN Network Access

NAP, NAC technologies

VPN Servers

Harden the base machine, tighten access as per:

http://technet.microsoft.com/en-us/library/bb794723.aspx
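For the NULL Session Enumeration item above, a read-only PowerShell audit of the RestrictAnonymous key and the related anonymous-access values. This is an added example, not part of the original slides; the "good" thresholds are an assumed baseline for illustration, and the script only reads the registry so it cannot cause the compatibility issues the slide warns about.

```powershell
# Added example: read-only audit of anonymous (NULL session) settings.
# The thresholds in each Good block are an assumed baseline, not from the slides.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

$checks = @(
    @{ Path = $lsa; Name = 'RestrictAnonymous';         Good = { param($v) $v -ge 1 } },
    @{ Path = $lsa; Name = 'RestrictAnonymousSAM';      Good = { param($v) $v -eq 1 } },
    @{ Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Good = { param($v) $v -eq 0 } },
    @{ Path = $srv; Name = 'RestrictNullSessAccess';    Good = { param($v) $v -eq 1 } }
)

$report = foreach ($c in $checks) {
    # A missing value is reported for review rather than guessed at,
    # because the effective default differs between Windows versions.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }

    $status = if ($null -eq $actual)        { 'REVIEW (not set)' }
              elseif (& $c.Good $actual)    { 'OK' }
              else                          { 'WEAK' }

    [pscustomobject]@{
        Setting = $c.Name
        Actual  = $actual
        Status  = $status
    }
}

# Pipes and shares that stay reachable over a NULL session even when
# RestrictNullSessAccess is on; every entry should have a known owner.
foreach ($name in 'NullSessionPipes', 'NullSessionShares') {
    $list = (Get-ItemProperty -Path $srv -Name $name -ErrorAction SilentlyContinue).$name
    $list = @($list | Where-Object { $_ })   # drop empty strings and $null

    $report += [pscustomobject]@{
        Setting = $name
        Actual  = if ($list.Count) { $list -join ', ' } else { '(empty)' }
        Status  = if ($list.Count) { 'REVIEW (anonymous exceptions present)' } else { 'OK' }
    }
}

$report | Format-Table -AutoSize -Wrap
```

Run it before and after changing RestrictAnonymous so the compatibility testing described in the KB article starts from a recorded baseline.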

Threat – Social Engineering

Why?

Most of your attackers already have access

It is a lot harder to configure users

Most attacks against layer 8 succeed immediately

http://zdnet.com.com/2100-1105_2-5195282.html

An example: Flying Pigs

Real example


Another type of threat...

Evolution of Security Controls

Protection must move to the endpoints and the data

Network can no longer be the primary enforcement point

Social Engineering

THE best way to get hold of classified information

Products will in most cases NOT block the attack

KNOWLEDGE is the key to ensure this attack vector doesn’t work

Threat – Social Engineering

Demo: Beast Malware

Demo: Sysinternals\autoruns\WOLF

Questions?
