BRKSEC-2001: Emerging Threats

© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public. 14330_04_2008_c1

Upload: jeffgrantinct

Post on 29-Mar-2015




Agenda

What? Where? Why?

Trends

Year in Review

Case Studies

Threats on the Horizon

Threat Containment



What? Where? Why?

What is a threat? A warning sign of possible trouble

Where are threats? Everywhere you can, and more importantly cannot, think of

Why are there threats? The almighty dollar (or euro, etc.); the underground cybercrime industry grows every year


Examples of Attacks

Targeted Hacking

Malware Outbreaks

Economic Espionage

Intellectual Property Theft or Loss

Network Access Abuse

Theft of IT Resources


Where Can I Get Attacked?

Figure: attack-surface layers (Users, Applications, Network Services, Operating System), with attacks arriving at any layer: anywhere and everywhere


Operational Evolution of Threats

Figure: a threat moves along a threat-evolution axis from Emerging Threat ("new", unknown, or problems we haven't solved yet) through Unresolved Threat to Nuisance Threat (the largest volume of problems and the focus of most day-to-day security operations). Three rows track what changes as it does:

Mitigation technology evolution: human "in the loop" manual process, then automated response

Policy and process definition: reactive process, socialized process, formalized process

End-user awareness: no end-user knowledge, then "help-desk" aware (know enough to call), then end user increasingly self-reliant

Vertical axes on the figure: support burden, operational burden, reaction




Why?

Fame: not so much anymore (more on this with Trends)

Money: the root of all evil (more on this with the Year in Review)

War: a battlefront just as real as the air, land, and sea



Trends

Evolution of Hacker Motivation

No longer the Lone Hacker

The Cybercrime Industry

Hosting Services

Designer Malcode

BotNets

Spyware

Phishing

Fast Flux


Evolution of Motivation

Figure: timeline from 2002 to 2008 showing attacker motivation shifting from Fame to Money to Business. Major media events marked on the timeline: SQL Slammer; Netsky, Bagle, MyDoom; Zotob.


Evolution of Motivation

Fame is not all it's cracked up to be: to make money effectively and without detection you need to be unknown

People are prepared for what they know




No Longer the Lone Hacker

Hackers are forming development teams to work on creating malicious code

Highly intelligent individuals are collaborating to create new viruses and other malicious code

Software development tools for handling large projects are being used

Development is not unlike normal software development in the IT industry

The shared information and talents of many very skilled hackers when working together can be worse than any one working alone


The Cybercrime Industry

Group develops custom malcode

Custom malcode is made available for purchase

ISP administrators are paid to host malicious code on sites that they control

Malcode collects usernames and passwords as well as credit card numbers

Credit card numbers and usernames and passwords are for sale


Cybercrime Industry: In the Past

Figure: a short chain. Writers (tool and toolkit writers, malware writers) produce the asset (worms, viruses, Trojans), which compromises an individual host or application, or a whole environment. End value: espionage (corporate/government), fame, theft.


Cybercrime Industry: Today

Figure: a multi-stage value chain, with money flowing back along it ($$$ Flow of Money $$$).

Writers: tool and toolkit writers, malware writers

Assets produced: worms, viruses, Trojans, spyware (compromised host and application)

First stage abusers: machine harvesting, information harvesting, hacker/direct attack, internal theft (abuse of privilege)

Middle men: bot-net creation; bot-net management (for rent, for lease, for sale); personal information; electronic IP leakage; information brokerage

Second stage abusers: spammer, phisher, extortionist/DDoS-for-hire, pharmer/DNS poisoning, identity theft

End value: financial fraud, commercial sales, fraudulent sales, click-through revenue, espionage (corporate/government), fame, extorted pay-offs, theft


Cybercrime Industry: Hosting Services

Hosting services are for sale as part of the total package

Hosting sites can hold a database of collected information

Hosting sites can serve as a sales portal for individuals wishing to purchase stolen information

Standard rates for data sales are being established


Designer Malcode

Malcode that is designed to bypass virus scanners is made for sale

Malcode is designed to collect information and upload it to a database

Backup malcode is also available to replace the active malcode once it begins to be detected by virus scanners

Malcode is designed to be very difficult to reverse engineer or to determine its functionality, making it harder to detect and harder to trace where the data is being sent

Figure: "noise" level (public awareness) over time, 2000 to 2008, for large scale worms versus targeted attacks


Figure: cyber crime profit level (illicit dollars gained) over time, 2000 to 2008, for large scale worms versus targeted attacks


Botnets

Botnet: A collection of compromised machines running programs under a common command and control infrastructure

Building the Botnet: Viruses, worms; infected spam; drive-by downloads; etc.

Controlling the Botnet: a covert channel of some form; typically IRC or a custom IRC-like channel

Historically have used free DNS hosting services to point bots to the IRC server

Recent attempts to sever the command infrastructure of botnets have resulted in more sophisticated control systems

Control services increasingly placed on compromised high-speed machines (e.g. in academic institutions)

Redundant systems and blind connects are implemented for resiliency

Further Example as a Case Study

Source: www.wikipedia.com


Using a Botnet to Send Spam

1. A botnet operator propagates bots by viruses, worms, spam, and malicious websites

2. The PCs log into an IRC server or other communications medium

3. A spammer purchases access to the botnet from the operator

4. The spammer sends instructions via the IRC server to the infected PCs...

5. ...causing them to send out spam messages to mail servers

Source: www.wikipedia.com


What about Spyware?

Still a major threat. Drive-by downloads are still a major source of infestation

ActiveX vulnerabilities in particular enable this

However, confusing or misleading EULAs are still a problem

A Trojan by any other name: spyware is increasingly indistinguishable from other forms of malware

Nasty race condition: the sheer number of variants makes it very difficult for technology solutions to hit 100% accuracy at a given moment

Rise of intelligent spyware. Directed advertising is more valuable than undirected

More sophisticated spyware matches user-gathered data with directed advertising

Bot-based spyware is also more valuable, as it can be updated over time


Phishing, Pharming, and Identity Theft

Figure: three ways to reach MUNDO-BANK.COM.

Regular online banking: the user's browser resolves www.mundo-bank.com to the real server at 172.168.1.1.

Phishing: an unsolicited email says "Come see us at www.mundo-bank.com", but the link actually points at the attacker's server, 172.168.254.254.

Pharming: the user types the real name, but a poisoned hosts file (mundo-bank.com = 172.168.254.254) or DNS poisoning resolves it to the attacker's server at 172.168.254.254.

Identity theft continues to be a problem

Phishing scams growing in sophistication every day

Protecting your users: implement some technology, but don’t forget user education!!

If you’re a target:

Consider “personalization” technologies (e.g. user-chosen images on a webpage)

Support identified mail initiatives, like DKIM
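The two detections the figure implies, written out as an added example (this is not code from the talk): a check that a protected bank name never appears in a local hosts file (pharming), and a check that an email link's visible host matches where its href really goes (phishing). The hosts file, the email snippet, and the protected-domain list are constructed for this illustration; the addresses are the ones the slide uses. Python standard library only.

```python
"""Pharming and phishing checks for the scenario on the slide (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample data mirroring the slide: the attacker wants
# mundo-bank.com to land on 172.168.254.254 instead of 172.168.1.1.
SAMPLE_HOSTS = """\
# Hosts file (constructed sample)
127.0.0.1       localhost
::1             localhost
# Added by malware: silently redirects the real bank name
172.168.254.254 mundo-bank.com www.mundo-bank.com
10.0.0.5        intranet.example.test
"""

SAMPLE_EMAIL = """\
<p>Dear customer, please verify your account.</p>
<p>Come see us at <a href="http://172.168.254.254/login">www.mundo-bank.com</a></p>
<p>Help: <a href="https://www.mundo-bank.com/help">www.mundo-bank.com/help</a></p>
"""


def parse_hosts(text):
    """Return {hostname: ip} for every non-comment hosts-file entry."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, leading/trailing space
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:                     # one line may carry several names
            mapping[name.lower()] = ip
    return mapping


def hosts_overrides(text, protected):
    """Pharming check: a protected name must not appear in the hosts file at all;
    resolution for it belongs to DNS, never to a local static entry."""
    hits = []
    for name, ip in parse_hosts(text).items():
        for domain in protected:
            if name == domain or name.endswith("." + domain):
                hits.append((name, ip))
    return sorted(hits)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Anchor text that looks like a host name or URL: capture the host part.
_HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:].*)?$", re.I)


def link_mismatches(html_text):
    """Phishing check: if the visible text names a host, the href must go there."""
    collector = _LinkCollector()
    collector.feed(html_text)
    mismatches = []
    for href, text in collector.links:
        m = _HOSTLIKE.match(text)
        if not m:
            continue                    # "click here" style links need a reputation check instead
        shown = m.group(1).lower()
        actual = (urlparse(href).hostname or "").lower()
        if shown != actual:
            mismatches.append((shown, actual))
    return mismatches
```

In a real fleet you would feed in hosts files collected from endpoints and the HTML of quarantined mail. The hosts-file rule is deliberately strict (any entry for a protected domain is a finding) because there is no legitimate reason for a bank's name to be pinned locally, and the anchor-text rule only catches lures that display a host name; "click here" links need a separate URL-reputation check.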


Fast Flux

Malicious IP addresses change quickly

Botnets are the new DNS servers

Very low time to live (TTL) on the A record

Infected hosts acting as DNS servers

Traditional DNS-based security measures are no longer effective
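What the bullets above look like as a detection, as an added example that is not part of the original talk: score names from captured A-record answers by TTL, address churn between lookups, and how many unrelated networks the addresses fall in. The observations are constructed, the thresholds are assumptions (not values from the deck), and the /16 grouping stands in for a proper ASN lookup.

```python
"""Fast-flux scoring over captured A-record answers (added example)."""
from collections import defaultdict
import ipaddress

# Constructed observations: (seconds since start, qname, answered IP, TTL).
# "flux.example.test" rotates through addresses on unrelated networks with a
# short TTL; "static.example.test" is an ordinary record; "cdn.example.test"
# is a legitimate low-TTL name whose addresses all sit in one block.
OBSERVATIONS = [
    (0,    "flux.example.test",   "198.51.100.7",  120),
    (120,  "flux.example.test",   "203.0.113.44",  120),
    (240,  "flux.example.test",   "192.0.2.19",    120),
    (360,  "flux.example.test",   "198.51.100.7",  120),
    (480,  "flux.example.test",   "203.0.113.91",  120),
    (600,  "flux.example.test",   "192.0.2.200",   120),
    (0,    "static.example.test", "192.0.2.10",    86400),
    (3600, "static.example.test", "192.0.2.10",    86400),
    (0,    "cdn.example.test",    "203.0.113.10",  60),
    (60,   "cdn.example.test",    "203.0.113.11",  60),
    (120,  "cdn.example.test",    "203.0.113.12",  60),
    (180,  "cdn.example.test",    "203.0.113.13",  60),
]


def summarize(observations):
    """Per name: distinct IPs, distinct /16 prefixes (assumed proxy for
    'unrelated networks'), minimum TTL, and the fraction of consecutive
    lookups whose answer changed."""
    by_name = defaultdict(list)
    for ts, name, ip, ttl in sorted(observations):
        by_name[name].append((ts, ip, ttl))
    summary = {}
    for name, rows in by_name.items():
        ips = [ip for _, ip, _ in rows]
        prefixes = {str(ipaddress.ip_network(ip + "/16", strict=False)) for ip in ips}
        changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
        summary[name] = {
            "distinct_ips": len(set(ips)),
            "distinct_prefixes": len(prefixes),
            "min_ttl": min(ttl for _, _, ttl in rows),
            "change_rate": changes / max(len(ips) - 1, 1),
        }
    return summary


def flux_candidates(observations, max_ttl=300, min_ips=3, min_prefixes=3, min_change=0.5):
    """Names whose answers churn quickly AND are spread across unrelated networks.
    The thresholds are illustrative assumptions, not values from the talk."""
    flagged = []
    for name, s in summarize(observations).items():
        if (s["min_ttl"] <= max_ttl
                and s["distinct_ips"] >= min_ips
                and s["distinct_prefixes"] >= min_prefixes
                and s["change_rate"] >= min_change):
            flagged.append(name)
    return sorted(flagged)
```

The prefix-diversity test is what separates flux from a legitimate low-TTL CDN name, which also rotates addresses but within blocks it controls. In production replace the /16 heuristic with an ASN lookup, and add the same analysis on NS records, since the slide notes the infected hosts themselves act as the DNS servers.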


What Does this Mean?

People utilizing the emerging threats of today want them to stay unknown

What you don’t hear about is what you should be concerned about

Intelligence is important



Year in Review


2007 as a Year

Security fad: Month of Bugs. Fuzzers offer a tremendous way to find vulnerabilities

Application vulnerabilities up 17% from 2006, according to Cisco IntelliShield

Botnet control channels up 57% from 2006, according to ShadowServer.org

1,200 new websites per day hosting malware, according to MessageLabs


2007 as a Year

Global spam up 50% from 2006, with a considerable uptick in the types of spam attachment, according to IronPort

One unique phishing scam every 2 minutes in 2007, according to PhishTank

Over 10 targeted malcode attacks per day, up from 1 per day in 2006, according to MessageLabs

163 million records with personal data compromised in 2007, up from 48 million in 2006, according to Attrition.org


Fuzzers in Action—Month of Bugs

Trend started in Mid 2006 with Month of Browser Bugs

Jan ’07—Month of Apple Bugs (MoAB)

Mar ’07—Month of PHP Bugs (MoPB)

April ’07—Month of MySpace Bugs (MoMYB)

May ’07—Month of ActiveX Bugs (MoAXB)

June ’07—Month of Search Engine Bugs (MoSEB)


Stock Advice from Spam

Canadian company Diamant Art's stock price tripled in one day, from $0.08 to $0.25

No positive news was released by the company

Spam touting the stock was solely responsible for the rise in stock price

Most spam-touted stocks only rise ~2%, and the gain is quickly lost


Stop Trading Spam Stocks

March 2007: the US Securities and Exchange Commission announced that trading in 25 stocks would be suspended for 10 days

Not viewed as an effective way to stop stock spam

It is a start; government bodies are beginning to wake up


F.B.I. Nabs BotHerders

June 2007: the US F.B.I. announced the arrest of 3 different BotHerders who were responsible for over 1 million infected machines

A step in the right direction, even if it was a relatively small group

The real news: if the F.B.I. is on your trail, then your technology has matured


iPhone Releases, Gets Hacked

July 2007: less than one month after the US release of Apple's highly anticipated iPhone, a major vulnerability was discovered enabling a complete compromise

New vector, new attack

As other vendors scramble to match the iPhone in functionality similar attacks are likely


Google Ads Link to Malicious Sites

December 2007: a security researcher discovered that several sites using Google ads were linking to malicious websites

Google swiftly reacted by shutting down the ad providers

No way to know for certain how many users were infected nor who was at fault


Radio Frequency ID (RFID) Cloning

The last 12 months have seen several different demonstrations highlighting technology to clone RFID tags

Legal methods have been used to suppress demonstrations

Current demonstrations are more theoretical and not likely to be easily carried out

"RFID is an automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags" - Wikipedia


Pretexting Makes Headlines

Hewlett Packard admits using pretexting to investigate internal officers

Xbox Live accounts suffer from pretexting attacks

A group calling itself Clan Infamous claimed to steal 10 accounts a day

"Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone" - Wikipedia


P2P Networks Used for DoS Attacks

Flaw in the open source peer-to-peer (Direct Connect) software DC++

Allowed an attacker running a malicious hub to direct connected clients to any site, resulting in a DoS

Large amounts of blackmail money demanded to prevent attacks


Conclusions from 2007

Botnets have come into their own

Targeted attacks are increasingly the norm

Cybercrime industry pushing “innovation” in malware

Focus on applications


Case Studies

Corporate Liability: TJX Companies' customer database compromised

Malware in Action: Storm Worm analyzed

Malware Industry: Gozi's cybercrime links


Corporate Liability—About the Company

TJX is the parent company for a family of discount retailers

United States: Marshalls, TJ-Maxx, HomeGoods

Canada: Winners, HomeSense

UK, Ireland, Germany: TK-Maxx


Corporate Liability—How it Happened

Attack originated at a Marshalls store in St. Paul, Minnesota

Attackers used a telescope-shaped antenna to read WiFi signals from outside the store

WiFi-enabled price scanners were targeted to obtain network access information

Once on the network, the database was targeted

Data harvesting started in mid 2005 and carried through to the end of 2006


Corporate Liability—What was Affected

Initially thought to be 45.6M credit card numbers compromised, later updated to 90M

Included "Track 2 Data" (the magnetic-stripe data, enough to clone cards)

Biggest credit card number heist in history

Over 80 GB of network traffic sent to an outside server


Corporate Liability—Example of Use

Nov. ’06 Florida law enforcement claims at least 10 thieves used credit card data in a gift card scheme

Over $8M in gift cards purchased

6 people tied to gift card scheme were arrested

Gift card scheme was carried out months before TJX discovered the compromise


Corporate Liability—Aftermath

Believed to be responsible for between $68M and $83M of fraud in over 13 countries

Class-action consumer lawsuit settled: $20 store voucher, 3 years of credit monitoring, $20,000 ID theft coverage

Banks and financial institutions sued: outcome yet to be determined

Estimated costs to TJX are over $150M


Corporate Liability—Conclusions

Every company needs to be concerned

Does not have to be credit cards

Governments creating laws requiring disclosure

One incident can cost much more than years of a quality security infrastructure


Malware in Action—Storm Worm

Started as PDF spam in early 2007

Evolved to use e-card and YouTube invites

Uses spam with links to malicious sites as main vector of propagation

Utilizes social engineering techniques to trick users into visiting malicious sites


Malware in Action—Storm Worm

Email spam example:

To: Tony Hall
From: Dale Hammond
Subject: Dear Friend

Hi. Nice to meet u and my friend operates a company .i have got something from him and i must say that the quality is so good .SO i tell u the truth and hope u can connect him and welocme to his website www.ouregoods.com. If u have any questions u can add [email protected] we are pleasure to help ,good luck to u!


Malware in Action—Storm Worm

Figure: BotHerder, infected webserver (the "webtrap"), and the victim.

1. BotHerder updates malcode on the webtrap

2. Initiates new spam pointing to the webtrap

3. User reads the spam and clicks the link

4. User machine infected


Malware in Action—Storm Worm

game0.exe: backdoor/downloader
game1.exe: SMTP relay
game2.exe: email address stealer
game3.exe: email virus spreader
game4.exe: DDoS attack tool
game5.exe: updated copy of the Storm Worm dropper

Source: www.secureworks.com


Malware in Action—Storm Worm

    403014 Copy(c:\game0.exe->C:\WINDOWS\disnisa.exe)
    77e6bc59 WriteFile(h=7a0)
    403038 RegOpenKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
    40305f RegSetValueExA (disnisa)

Copies itself to C:\WINDOWS\disnisa.exe, then registers that copy under HKCU\...\CurrentVersion\Run so it starts at every logon


Malware in Action—Storm Worm

    402ba0 WinExec(w32tm/config/syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov,100)
    77e7d0b7 WaitForSingleObject(788,64)
    40309b CreateProcessA(C:\WINDOWS\disnisa.exe,(null),0,(null))
    4030df WinExec(netsh firewall set allowedprogram "C:\WINDOWS\disnisa.exe" enable,100)

Syncs the clock with the Microsoft and NIST time servers (w32tm), starts the dropped copy, then uses netsh to add a Windows Firewall exception so that copy can accept network connections


Malware in Action—Storm Worm

    77e7ac53 CreateRemoteThread(h=ffffffff, start=404b05)
    40da1b bind(b8, port=7018)
    40d9c7 listen(h=b8 )
    40a262 WaitForSingleObject(d4,2710)

Starts a worker thread (h=ffffffff is the current-process pseudo-handle), binds and listens on a local port, then waits for an inbound connection and a command
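Turning the three trace slides above into triage rules, as an added example (not from the talk and not SecureWorks' code): parse the call lines, carry the small amount of state needed (which registry key was opened, which port was bound), and emit the behaviours an analyst would write in a report. The trace is the one on the slides, re-typed here as constructed input; the rule set is illustrative.

```python
"""Behavioural triage of an API-call trace like the one on the Storm slides (added example)."""
import re

# The slides' trace, re-typed as constructed input (call site, API, arguments).
STORM_TRACE = r"""
403014 Copy(c:\game0.exe->C:\WINDOWS\disnisa.exe)
77e6bc59 WriteFile(h=7a0)
403038 RegOpenKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
40305f RegSetValueExA (disnisa)
402ba0 WinExec(w32tm/config/syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov,100)
40309b CreateProcessA(C:\WINDOWS\disnisa.exe,(null),0,(null))
4030df WinExec(netsh firewall set allowedprogram "C:\WINDOWS\disnisa.exe" enable,100)
77e7ac53 CreateRemoteThread(h=ffffffff, start=404b05)
40da1b bind(b8, port=7018)
40d9c7 listen(h=b8 )
40a262 WaitForSingleObject(d4,2710)
"""

LINE = re.compile(r"^\s*([0-9a-f]+)\s+(\w+)\s*\((.*)\)\s*$", re.I)
RUN_KEYS = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\b", re.I)
SYSTEM_DIRS = re.compile(r"\\(WINDOWS|WINNT)\\", re.I)
FIREWALL_EXCEPTION = re.compile(r"netsh\s+firewall\s+(set|add)\s+allowedprogram", re.I)


def parse_trace(text):
    """Return (call_site, api_name, argument_string) for each well-formed line."""
    calls = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            calls.append((m.group(1), m.group(2), m.group(3)))
    return calls


def triage(text):
    """Map raw API calls to analyst-level behaviours, in trace order.
    A little state is kept across calls: the last opened registry key
    (so a RegSetValueEx can be tied to a Run key) and the last bound port."""
    findings = []
    last_reg_key = None
    bound_port = None
    for site, api, args in parse_trace(text):
        if api == "Copy" and SYSTEM_DIRS.search(args.split("->")[-1]):
            findings.append(("drops copy into Windows directory", args))
        elif api.startswith("RegOpenKeyEx"):
            last_reg_key = args
        elif api.startswith("RegSetValueEx") and last_reg_key and RUN_KEYS.search(last_reg_key):
            findings.append(("Run-key persistence", f"{last_reg_key.strip()} -> {args}"))
        elif api in ("WinExec", "CreateProcessA", "CreateProcessW") and FIREWALL_EXCEPTION.search(args):
            findings.append(("adds host-firewall exception", args))
        elif api == "CreateRemoteThread":
            findings.append(("creates remote thread", args))
        elif api == "bind":
            m = re.search(r"port=([0-9a-f]+)", args, re.I)
            bound_port = m.group(1) if m else "?"
        elif api == "listen" and bound_port is not None:
            findings.append(("opens listening socket", f"port {bound_port}"))
            bound_port = None
    return findings


def behaviours(text):
    """Just the behaviour names, de-duplicated in order of first appearance."""
    seen = []
    for name, _ in triage(text):
        if name not in seen:
            seen.append(name)
    return seen
```

Keying on behaviours rather than on strings such as disnisa.exe means the same rules fire on the next variant with a new file name; the Run-key and `netsh firewall ... allowedprogram` rules in particular describe what any persistent bot has to do on a Windows XP-era host, whatever its family.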


Hub and Spoke Topology

Controller communicates directly with bots

Simplest, but limited ability to scale

Single point of failure: the DNS record that points bots to the BotHerder's controller


Peer To Peer (P2P) Topology

All bots perform distribution

Multiple paths from controller to bots

Scales well, very resilient

No single point of failure


Storm Worm Conclusions

Very sophisticated

“Victim of its own success”, yet still difficult to shut down

Just one example, there are others we don’t know about


The Industry in Action: GOZI

GOZI was a custom made application designed to harvest data

Went undetected for over 50 days

Collected at least 10,000 records belonging to over 5,000 home users


GOZI: The Discovery

Originally discovered because a user reported that an account he accessed at work was compromised

Work computer was searched, suspicious malware discovered

Not one of the 30 leading anti-virus companies detected Gozi at the time


GOZI: The Highlights

Targeted SSL data

Modularized code (professional grade)

Spread through an iFrame exploiting an IE browser vulnerability

No detection in anti-virus products for weeks, months

Customized to target specific sensitive data

Stolen data posted on-line for "customer" purchase

Home PCs largely infected

Accounts at top financial, retail, health care, and government services affected

Estimated black market value of at least $2 million

Source: www.secureworks.com


GOZI: The Investigation

Organization ready to code new undetectable malware

Willing to offer tech support

Others willing to help with infection

Gozi main server located in Russia

Source: www.secureworks.com


GOZI: Conclusions

Truly a new industry

Pushing the envelope, trying to stay undetected

Operating in countries where it is difficult to get shut down


Threats on the Horizon

Automated social engineering

Web 2.0

Voice over IP threats

Video file format vulnerabilities

Mobile devices

Data leakage

Outsourcing

Distributed workforce


Automated Social Engineering

In an effort to convince users to "click here", malware will use collected data to make targeted spam more plausible

Malcode can scan previous emails in a person's inbox and send a "reply"

Simply adding:

Hey,
Forgot to tell you to check out this site:
http://bad.site.com


Web 2.0

Hugely popular social sites (MySpace, Facebook) offer many potential victims for attackers

Data easy to gather to assist in targeted attacks

Very dynamic, big potential for buggy software to be present

Attracts users who are not necessarily computer proficient


Voice over IP Threats

"Vishing": a phishing scheme carried out over voice calls instead of email

Well understood business risk is promoting integration of security technologies in voice deployments

Limited pool of technical experts on voice within attacker community

Follow the money: No well-established business model driving financial incentives to attack


Voice Security Opportunities

Eavesdropping: the earliest attacks focused on this (VOMIT); however, effective deployment of secure voice makes this very difficult (it is easier to use other means to access the information)

SPIT (SPAM over Internet Telephony): potential to be a serious annoyance, but there are significant barriers to this being an effective source of profit (Vishing)

Some of those barriers are technical, but most involve our current use patterns for telephony (used on a per-phone basis, not in a "list" format)

Denial of service: disgruntled employees or extortionists may target the voice infrastructure by a variety of mechanisms


Video File Format Vulnerabilities

Researchers in 2007 continued to uncover many important-to-critical video file format vulnerabilities in:

QuickTime

Real Player

Windows Media Player

Flash

Documented examples of video file attacks in 2007, not yet mainstream

With rise of video it is only a matter of time

The next “hot” YouTube video just might be dangerous…


New Opportunity: Proliferation of Devices

The challenge:

• New types of devices are joining the network: hand-helds, smart phones, cameras, tools, physical security systems, etc.

• Diversity of OSs: more devices means more operating systems and custom applications

• Embedded OSs: process controllers, kiosks, ATMs, lab tools, etc. The IT department is often not involved in procurement, so little attention is paid to security; for example, one environment got hacked from an oscilloscope

Opportunities for attack:

• Attacks on the back-end: all of these systems provide an ingress point into some form of back-end system; both the method of communication and the device itself are targets

• Attacks on the device: proliferation leaves many opportunities for taking control of a system

• Attacks on data: sensitive data is becoming increasingly distributed and uncontrolled

Page 38: BRKSEC-2001


Attacks on Data: Data Leakage

Still a hot topic this year

Broad term encompassing multiple different challenges:

Security of Data at rest

Security of Data in motion

Identity-based access control

Both malicious and inadvertent disclosures

Issue has become topical typically for “Compliance” reasons

However, broader topic involves business risk management

How do I avoid inadvertent disclosures?

How do I protect my information assets from flowing to my competitors?

How do I avoid ending up in the news?


Architectural View of Data Leakage: New Challenges

Figure: data consumers (Internal Consumers, External Consumers, End Users), data stores (Decentralized Data Stores; Centralized Data Stores: Structured and Unstructured), Application Front End, Server/Application Systems, Network Transit and Endpoint Systems, with Transit Enforcement Points and Endpoint Enforcement Points between them

What’s Changed? Enforcement points and data consumers are roughly the same; however, a new actor is introduced: “Data”

Quantization Problem: How to group data elements into units of information relevant to the business?

Technical Translation Problem: How to reliably test a given data set for membership in a “unit of information” (e.g. how to verifiably determine if a given mass of bits is “source code”)

Policy Construction Problem: How to scalably build policy for data flows across a large environment?

Page 39: BRKSEC-2001


Mobile Data Continues: PC on a Stick

New “smart drives” and other similar technology are extending the existing threats to data posed by portable storage devices

Devices carry a virtual computing environment in secure storage, typically plugged in via USB to any open computer

All workspace, preference, and data information is kept within the device, but computing resources of the host machine are used for manipulation and processing

Challenges:

Analogous to SSL VPN security challenges, only now you can lose the device in a cab

Unknown endpoint environment challenges: keyboard loggers and splicers, monitor taps, webcams

Malicious software embedded in data or documents


Trend: Outsourcing

Motivations: Outsourcers have all the potential to be disgruntled employees in search of revenge, only more so—outsourcers typically feel less loyalty to the outsourcing organization

Opportunity: In many organizations, outsourcers are given full intranet access

Considerations:

How do you balance the need to access required applications while providing necessary controls to mitigate risk?

When negotiating contracts, are there any provisions for data security and integrity? Are there any provisions to audit the security posture?

What legal recourses does the organization have in the event of compromise? Jurisdictional issues, liability and responsibility, etc.

Page 40: BRKSEC-2001


Trend: Distributed Workforce

De-perimeterization is real

True “federated” security systems are a long way off yet

Layers of defense and policy enforcement are critical

Drop bad traffic as close to the source as possible, but ensure you’ve got at least a couple of “last lines of defense”

Costs and risks to data integrity should be a part of any calculation to adopt new business practices

There may be hidden costs that are not well understood

People and Processes Key to Mitigate Risk

User awareness and effective business processes are as important as technology solutions


Coping with Threats

Conclusion and Recommendations

Page 41: BRKSEC-2001


What’s My Exposure?

Appropriate Risk Mitigation

Risk is at the core of all security policy decisions

With emerging threats, there’s always something out there that can affect your business

Effective understanding of business risk is critical to determining priorities in your response plan

The Challenge: Every application is business critical to someone

Figure: Level of Mitigation (vertical axis) plotted against Level of Risk Aversion (horizontal axis), running from Risk Tolerant to Risk Averse


Example: Network-Based Structured Data Controls

Figure: a client Request passes through the Cisco AVS 3100 to the server, and the Response carries Patient ID 134-AR-627, Credit Card 1234-5678-9012-3456, Social Security 123-45-6789, Driver’s License A123456 and Employee ID S-924600. The diagram marks each element with a Mask or Block action; in the filtered response the Credit Card reads XXXX-XXXX-XXXX-3456, Social Security XXX-XX-XXXX and Employee ID XXXX, while Patient ID 134-AR-627 and Driver’s License A123456 are shown unchanged
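As an added example (not Cisco’s or the AVS 3100’s code), the following Python sketch applies the slide’s Mask/Block decision to a server response body; the policy table, the element formats and the use of a Luhn checksum on card-shaped strings are assumptions. The checksum step goes beyond the slide: it shows why a pattern-only matcher produces false positives, and that the slide’s sample number 1234-5678-9012-3456 fails the check.

```python
import re

# Constructed policy (not the AVS 3100's own config): each element gets one of
# the slide's two actions, "mask" or "block"; formats follow the slide's samples.
POLICY = {"credit_card": "mask", "ssn": "mask", "employee_id": "mask",
          "patient_id": "block"}
PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d{4}-){3}\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "employee_id": re.compile(r"\bS-\d{6}\b"),
    "patient_id": re.compile(r"\b\d{3}-[A-Z]{2}-\d{3}\b"),
}

def luhn_ok(number: str) -> bool:
    """Luhn checksum: a card-shaped string that fails it is a false positive."""
    total = 0
    for i, c in enumerate(reversed([int(ch) for ch in number if ch.isdigit()])):
        if i % 2 == 1:           # double every second digit from the right
            c = c * 2 - 9 if c > 4 else c * 2
        total += c
    return total % 10 == 0

def mask(kind: str, value: str) -> str:
    """Partial mask keeps the last four card digits, as on the slide."""
    if kind == "credit_card":
        return "XXXX-XXXX-XXXX-" + value[-4:]
    return "XXX-XX-XXXX" if kind == "ssn" else "XXXX"

def filter_response(body: str) -> tuple:
    """Apply POLICY to a server response body; returns (verdict, body)."""
    # Block outranks mask: one blocked element drops the whole response.
    for kind, pattern in PATTERNS.items():
        if POLICY[kind] == "block" and pattern.search(body):
            return "block", ""
    masked = 0
    for kind, pattern in PATTERNS.items():
        if POLICY[kind] != "mask":
            continue
        def redact(m, kind=kind):
            nonlocal masked
            value = m.group(0)
            if kind == "credit_card" and not luhn_ok(value):
                return value     # right shape, wrong checksum: leave it alone
            masked += 1
            return mask(kind, value)
        body = pattern.sub(redact, body)
    return ("mask" if masked else "allow"), body
```

Whether checksum-failing strings should still be masked is a policy choice; redact() is the one place where that choice is made.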

Page 42: BRKSEC-2001


Tackling Malware: Solutions Across the Network

Figure: Corporate Network zones (Corporate LAN, Data Center, Management Network, Remote/Branch Office, Remote Access Systems, Internet Connections, Extranet Connections, Business Partner Access) attached to the Internet; the second build of the diagram marks each connection point STOP or GO

Network-Based Content Control

Multi-function security devices

Firewalls

Intrusion prevention systems

Proxies

Network Admission Control

Ensure endpoint policy compliance

Endpoint Protection

Infection prevention: Cisco Security Agent

Infection remediation: desktop anti-virus; Microsoft and other anti-spyware SW

Page 43: BRKSEC-2001


Mitigating Risk of Data Leakage: Basic Steps

1. Protect Non-managed Machines: Remote access (employee, partner, and vendor) from non-managed machines poses a serious risk. Deploy protection technology in your remote access systems such as Cisco Secure Desktop in the Cisco ASA 5500

2. Deploy Network-based Structured Data Controls: Data elements such as Credit Card numbers or SSNs can be monitored and controlled in return traffic using application firewalls (such as AVS 3100)

3. Lockdown Managed Endpoints: Lock down removable media systems, such as USB ports and CD burners, using Cisco Security Agent

4. Application Access Control: Enforce “need to know” access control policies in the network at transit control points (e.g. in firewalls)

5. Content Inspection Services: Build out a network-wide sensor grid for visibility and audit. Primary focus areas: email; instant messaging


Incident Response Basics

Most important step: Step 1

Second most important step: Step 5

Most commonly skipped step: Step 1

Second most commonly skipped step: Step 5

Incident Response Life Cycle

1. Pre-Incident Planning

2. Detection and Analysis

3. Containment and Control

4. Recovery

5. Post-Incident Policy and Process Analysis

Adapted from reports at www.gartner.com and www.securityfocus.com

Page 44: BRKSEC-2001


What Should I Do?

Process, process, process: Implement strong processes up front, document them, and use them

User education campaigns: Ensure there is an end-user education component of your broader information security strategy

Make effective use of technology: Technology exists to mitigate much of your risk of exposure to new threats—make sure you’re using what’s available


Technology Recommendations

Stay informed: Subscribe to a threat information service

A cost effective way to stay on top of things

Stay informed: Actually read the information coming from your threat information service

Summaries are quick

Utilize your infrastructure: Use tools that you already have available

Page 45: BRKSEC-2001


Technology Recommendations

Change the game: Deploy NAC

Raise the bar on the level of protection at the internal edge

Develop and implement a complete “incident response system”

Include technologies like IPS that enable visibility and protection; ensure you’ve got the tools to help (like MARS)

Get tested! Engage a reputable penetration testing firm

Deploy anomaly technologies

Anomaly detection technologies can catch some emerging threats before they’re well known


Intelligence Service Example

Tactical, operational and strategic intelligence

Vendor neutral

Life cycle reporting

Vulnerability workflow management system

Comprehensive searchable alert database

Threat and Vulnerability Intelligence Alerting Service

Receive Vital Intelligence that Is Relevant and Targeted to Your Environment

Cisco IntelliShield Alert Manager

Page 46: BRKSEC-2001


Intelligence Summary Example

Addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The PSARs are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team

Cisco IntelliShield Cyber Risk Reports

A Strategic Intelligence Report that Highlights Current Security Activity and Mid-to Long-range Perspectives


Utilize Your Infrastructure

Vulnerability Characteristics

Mitigation Technique Overview

Risk Management

Device-Specific Mitigation and Identification

Cisco IOS® Routers and Switches

Cisco IOS NetFlow

Cisco ASA, PIX®, and FWSM Firewalls

Cisco Intrusion Prevention System

Cisco Security Monitoring, Analysis, and Response System

Cisco Applied Intelligence Responses

Actionable Intelligence that Can Be Used on Existing Cisco Infrastructure

Page 47: BRKSEC-2001


Incident Response and Threat Prevention Systems

Monitoring Console: A strong monitoring console is essential—without that, you’re blind

Breadth of Network Control Points: Have IPS technology ready in as many locations as possible, even if you’re not using it—it’ll be there when you need it

Fine-grained Endpoint Control: Ensure your endpoint security software provides granular use control, in addition to protective services

Figure (Considerations for Building a System): Security Management; Monitoring, Correlation, and Response; Server Protection; Day Zero Endpoint Protection; Branch Protection; Converged Perimeter Protection; Integrated Data Center Protection; components Cisco Security Agent (CSA), CSM, Cisco Catalyst® Service Modules, Cisco ISR Routers, Cisco ASA 5500 Adaptive Security Appliance and CS-MARS, spanning Internet and Intranet


Some Closing Thoughts

Do not get overwhelmed

Small steps can make a big difference

Remember, to survive a bear attack, you don’t have to be the fastest person…you just need to be faster than the next guy

Do not be the least prepared

Page 48: BRKSEC-2001


Q and A


Recommended Reading

Continue your Cisco Live learning experience with further reading from Cisco Press

Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store

Page 49: BRKSEC-2001


Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.

Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
