Dealing with security threats: A more connected world than what you think…

Ilias Chantzos, Director EMEA & APJ Government Relations, Kenya, 9 March 2010

Uploaded by vngundi, posted 12 May 2015, category: Technology.

DESCRIPTION

Presentation by Symantec.

TRANSCRIPT

Page 1: Dealing With Security Threats

Dealing with security threats: A more connected world than what you think…

Ilias Chantzos, Director EMEA & APJ Government Relations

Kenya, 9 March 2010

Page 2: Dealing With Security Threats

Agenda

• A bit about Symantec and where the information comes from

• The current threat landscape

– Threats to government and national security/CIIP

– Threats to consumers

– Examples

• Anatomy of a security breach

• Operationalising security

Page 3: Dealing With Security Threats

Symantec Global Presence

• 11 Security Research Centers

• 29 Global Support Centers

• 4 MSS Security Operations Centers

• Government – Commercial – Consumer

Locations shown on the slide map: Sydney, Aus; Alexandria, VA; Reading, Green Park, GBR; Chennai, India; Dublin, Ireland; Austin, Texas; Mountain View, CA; San Francisco, CA; Pune, India; Taipei, Taiwan; Tokyo, Japan; Culver City, CA; Calgary, Alberta, CA; Chengdu, China; Brisbane, Aus; Buenos Aires, Argentina; Durham, NC; Heathrow, FL; Herndon, VA; Miami, FL; Milan, Italy; Aschheim, Germany; Atlanta, Georgia; Beijing, China; Brussels, Belgium; Cupertino, CA; Dallas, TX; Dubai, UAE; Englewood, CO; Gothenburg, Sweden; Houston, TX; Hong Kong, China; Madrid, Spain; Melbourne, Aus; Mexico City, Mexico; Mumbai, India; Newton/Waltham, MA; Oak Brook, IL; Orem, UT; Roseville, MN; San Luis Obispo, CA; Sandton, South Africa; Santa Monica, CA; São Paulo, Brazil; Seattle, WA; Seoul, South Korea; Shannon, Ireland; Shanghai, China; Singapore; Springfield, OR; Ratingen, Germany; Riyadh, Saudi Arabia; Bloomfield Hills, MI; Wiesbaden, Germany; Zaltbommel, NLD; Toronto, CA; Warsaw, Poland.

Global Intelligence Network (GIN)

• SPAM / PHISHING: 2.5M decoy accounts; 8B+ emails analyzed daily

• ATTACK ACTIVITY: 240,000 sensors; 200+ countries

• MALCODE INTELLIGENCE: 130M+ clients, servers, gateways

• VULNERABILITIES: 32,000+ vulnerabilities; 11,000 vendors; 72k techs

Page 4: Dealing With Security Threats

How Likely Is It?

• To be struck by lightning?

• To be in a car accident?

• To be bitten by a snake?

• To be attacked online?

Odds shown on the slide (the slide layout does not preserve which figure belongs to which question): 1 in 2.6M, 1 in 42M, 1 in 300, 1 in 5.

Page 5: Dealing With Security Threats

The current threat landscape: Threats to Government and CIIP

Page 6: Dealing With Security Threats

Malicious code is installed…

• Over 60% of all malicious code detected by Symantec was discovered in 2008.

• Over 90% of threats are threats to confidential information.

Page 7: Dealing With Security Threats

Information is at risk

• Majority of data breaches in Education (27%), followed by Government (20%) and Healthcare (15%).

• More than half of breaches (57%) due to theft or loss, followed by insecure policy (21%).

Page 8: Dealing With Security Threats

Threat Activity Trends – Malicious Activity

• In 2008 the United States was the top country for malicious activity (raw numbers) with 23% of the overall proportion. China was ranked second with 9%.

• As Internet and broadband use grows in certain countries, their share of malicious activity also grows.

Page 9: Dealing With Security Threats

Governments Are Prime Targets

• Data breach at federal government jobsite USAJobs.gov: Certain contact and account data were taken, including user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data.

• Government travel site GovTrip.gov users suffer malware attacks: Hackers breached the site, then modified it to redirect users to a rogue URL that in turn directed attack code against their systems.

• Defra website using Wiki editing techniques defaced: Administrators … were forced to withdraw the page after it was defaced by more than 170 people over a frenzied few hours.

• DoS attacks on Swedish police and official government website: Shortly after police confiscated the group's servers, DoS attacks took the official government website and the Swedish national police site offline. The attacks were assumed to be a reprisal from disgruntled Pirate Bay users.

Page 10: Dealing With Security Threats

Different threat scenarios

• Collect intelligence on the infrastructure

– To attack the infrastructure

– To determine the location of valuable information

• Collect intelligence

– Capture and extract information

– Intercept communications and ciphers

• Disable the infrastructure

– That you have already infiltrated

– Directly attack it from outside

• Collect OSINT

• Conduct Psyops

• Achieve information dominance by communicating your own message

Page 11: Dealing With Security Threats

Causing problems to the navy

Page 12: Dealing With Security Threats

Stopping the airforce

Page 13: Dealing With Security Threats

Information leaking

Page 14: Dealing With Security Threats

Using COTS to collect intelligence

Page 15: Dealing With Security Threats

DDoS on Estonia – some stats

• 128 Unique DDoS Attacks:

– 115 – ICMP Floods

– 4 – TCP SYN Floods

– 9 – Generic Traffic Floods

• Daily Attack Rate:

– 03/05/2007 = 21

– 04/05/2007 = 17

– 08/05/2007 = 31

– 09/05/2007 = 58

– 11/05/2007 = 1

[Chart: Attack Intensity – daily attack count from 03/05/2007 to 11/05/2007, y-axis 0 to 80]

• Attack Duration:

– 17 attacks – less than 1 minute

– 78 attacks – 1 minute ~ 1 hour

– 16 attacks – 1 hour ~ 5 hours

– 8 attacks – 5 hours ~ 9 hours

– 7 attacks – 10 hours or more

Source = ArborSert

• Peak saw traffic equivalent of 5000 clicks per second

• Attacks stopped at midnight

• Tactics shifted as weaknesses emerged

• Swamped web sites associated with Government Ministries, Banks, Newspapers & Broadcasters

• Emergency Services Number disabled for at least 1 hour

• Access was cut to sites outside of Estonia in order to keep local access available

Page 16: Dealing With Security Threats

Cyber defense and shooting warfare

• Why blow something up?

– If you can use it to collect intelligence

– If you can disable it when you want

– If you can use it afterwards again

• Russian attack in Georgia

– Information-intelligence is power

– Preceded by cyber attack

– Psychological effect/operations

– Information dominance

– Propaganda

Page 17: Dealing With Security Threats

Taking down the traffic grid

Page 18: Dealing With Security Threats

Energy supply and distribution

1999 SCADA failure in Bellingham, Washington: ¼ million gallons of gasoline

Page 19: Dealing With Security Threats

Attacking the energy grid

Page 20: Dealing With Security Threats

Collecting OSINT

Page 21: Dealing With Security Threats

A Real And Present Danger

Suddenly the blue screen of death has a different meaning…

SEA, AIR, ROAD & RAIL TRAFFIC – FOOD, WATER, ENERGY – FINANCE – MILITARY – IT & TELECOMS

Page 22: Dealing With Security Threats

Current and future trends

• Hacking is for fortune, not for fame

• Attackers become more sophisticated and well invested

• Target is confidential information

• Attack techniques increase in sophistication and stealth

– Single-use malware

– Evasion techniques (web and coding)

• Increased sophistication of botnets

• Virtual worlds and social engineering

• Critical infrastructure protection dependent on Internet security

Page 23: Dealing With Security Threats

Threats to consumers…

Page 24: Dealing With Security Threats

Stolen information is sold

• Credit card information (32%) and bank account credentials (19%) continue to be the most frequently advertised items.

• The price range of credit cards remained consistent in 2008, ranging from $0.06 to $30 per card number.

• Compromised email accounts can provide access to other confidential information and additional resources.

Page 25: Dealing With Security Threats

Website compromise

• Attackers locate and compromise a high-traffic site through a vulnerability specific to the site or in a Web application it hosts.

• Once the site is compromised, attackers modify pages so malicious content is served to visitors.

[Chart: Web application vulnerabilities vs. site-specific vulnerabilities]

Page 26: Dealing With Security Threats

Vulnerability Trends – Browser plug-in vulnerabilities

• Vulnerabilities in Web browser plug-ins are frequently exploited to install malicious software.

• Memory corruption vulnerabilities again made up the majority of vulnerability types in browser plug-in technologies for 2008, with 272 vulnerabilities classified as such.

Page 27: Dealing With Security Threats

Vulnerability Trends – Unpatched vulnerabilities by vendor

• In 2008, there were 112 unpatched vulnerabilities affecting enterprise-class vendors compared to 144 in 2007.

• Microsoft had the most, with a total of 46 unpatched vulnerabilities.

• Of the 112 unpatched enterprise vulnerabilities, 37 were low severity, 71 were medium severity, and 4 were high severity.

Page 28: Dealing With Security Threats

Malicious Code Trends – Types

• Trojans made up 68 percent of the volume of the top 50 malicious code samples reported in 2008, a minor decrease from 69 percent in 2007.

• Worms increased slightly from 26% in 2007 to 29% in 2008.

• The percentage of back doors decreased from 21% to 15% in the current period.

Page 29: Dealing With Security Threats

Malicious Code Trends – Propagation mechanisms

• 66% of potential malicious code infections propagated as shared executable files, up significantly from 44% in 2007.

• Malicious code using P2P file sharing protocols declined from 17% in 2007 to 10% in 2008.

Page 30: Dealing With Security Threats

Spam – Country of Origin

• Over the past year, Symantec observed a 192 percent increase in spam detected across the Internet as a whole, from 119.6 billion messages in 2007 to 349.6 billion in 2008.

• In 2008, bot networks were responsible for the distribution of approximately 90 percent of all spam email.

• Russia, Turkey, and Brazil experienced significant increases in spam volume this year.

Page 31: Dealing With Security Threats

Spam – Categories

• Internet-related spam was the top category with 24%, followed by commercial product spam with 19%.

• Financial spam relatively constant at 16%.

Page 32: Dealing With Security Threats

An example of how users are exploited

Roles in the diagram: Spammer, Bot-Herder, Phisher, Cashier; Victims; Phishing Messages; Fraud Website (+ Trojan horse); Egg Drop Server

Page 33: Dealing With Security Threats

Anatomy of a security breach

Page 34: Dealing With Security Threats

Anatomy of a breach

Actors: Organized Criminal, Well-Meaning Insider, Malicious Insider

Outcomes:

• Disruption of operations

• Large-scale DDoS attacks

• Defacing websites

• Malware outbreaks within protected perimeter

• Stealthy exfiltration or unintended loss of confidential data

Page 35: Dealing With Security Threats

Well-Meaning Insider

Diagram elements: Employee, Desktop, Server, Firewall, Hacker

“Well-Meaning Insider” Breach Sources

1. Data on servers & desktops

2. Lost/stolen laptops, mobile devices

3. Email, Web mail, removable devices

4. Third-party data loss incidents

5. Business processes

Page 36: Dealing With Security Threats

Targeted Attacks

1. INCURSION – Attacker breaks in via targeted malware, improper credentials or SQL injection

2. DISCOVERY – Map organization’s systems; automatically find confidential data

3. CAPTURE – Access data on unprotected systems; install root kits to capture network data

4. EXFILTRATION – Confidential data sent to hacker team in the clear, wrapped in encrypted packets or in zipped files with passwords
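The exfiltration stage above names password-protected ZIP files as one carrier. An outbound data-loss check can flag such archives without the password, because encryption is declared in the archive itself: bit 0 of the general-purpose flag in each ZIP local file header is set whenever the entry is encrypted. The following is an added example written for this transcript, not code from the slide deck or from Symantec; the scanner, its function names and the in-memory sample archive are all assumptions. It walks the raw bytes of a buffer (as a gateway or DLP hook would see them) rather than relying on a complete, well-formed archive.

```python
"""Flag password-protected ZIP archives in an outbound byte buffer.

Added illustration for the exfiltration stage; not Symantec's code. It only
inspects ZIP local file headers: a set bit 0 in the general-purpose flag field
means the entry is encrypted (PKWARE traditional or AES), which is what a
password-protected archive looks like on the wire. The sample archive is
constructed in memory by this script.
"""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
ENCRYPTED_FLAG = 0x0001


def scan_zip_entries(data: bytes) -> list:
    """Walk every local file header in `data`; report name and encrypted flag.

    Works on a raw buffer (e.g. a reassembled HTTP POST body), so it does not
    need the central directory that zipfile.ZipFile requires.
    """
    entries = []
    pos = data.find(LOCAL_HEADER_SIG)
    while pos != -1 and pos + 30 <= len(data):
        # Local file header (PKWARE APPNOTE 4.3.7), after the 4-byte signature:
        # version(2) flags(2) method(2) time(2) date(2) crc(4)
        # compressed size(4) uncompressed size(4) name len(2) extra len(2)
        flags, method, comp_size, name_len, extra_len = struct.unpack_from(
            "<2xHH4x4xI4xHH", data, pos + 4)
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        entries.append({
            "name": name,
            "encrypted": bool(flags & ENCRYPTED_FLAG),
            "method": method,
            "compressed_size": comp_size,
        })
        # Skip header, name, extra field and compressed payload, then look for
        # the next header. If bit 3 (data descriptor) is set comp_size is 0 and
        # we simply search onward, which is a heuristic but never loops.
        pos = data.find(LOCAL_HEADER_SIG, pos + 30 + name_len + extra_len + comp_size)
    return entries


def verdict(data: bytes) -> str:
    """Summarise a buffer for a DLP decision: not a ZIP, plain ZIP, or encrypted."""
    entries = scan_zip_entries(data)
    if not entries:
        return "not-a-zip"
    encrypted = [e["name"] for e in entries if e["encrypted"]]
    if encrypted:
        return "password-protected-zip: " + ", ".join(encrypted)
    return "plain-zip"


def build_sample_archive(encrypted_entry: bool) -> bytes:
    """Constructed sample: a one-entry archive with a fictitious CSV.

    The standard library cannot write encrypted archives, so when asked for an
    encrypted-looking sample the flag bit is patched in by hand (the content
    itself stays plain; only the header is what a DLP hook would inspect).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payroll_export.csv", "id,name,salary\n1,Example,1000\n" * 20)
    raw = bytearray(buf.getvalue())
    if encrypted_entry:
        lh = raw.find(LOCAL_HEADER_SIG)
        flags = struct.unpack_from("<H", raw, lh + 6)[0] | ENCRYPTED_FLAG
        struct.pack_into("<H", raw, lh + 6, flags)   # flag field is at offset 6
    return bytes(raw)


if __name__ == "__main__":
    for label, sample in (("plain", build_sample_archive(False)),
                          ("encrypted", build_sample_archive(True)),
                          ("text", b"not an archive at all")):
        print(f"{label:>9}: {verdict(sample)}")
```

An encrypted flag alone is not proof of exfiltration; the value of the check is that it fires on the specific carrier the slide names, so the event can be correlated with who sent it, to where, and how large the archive was (the `compressed_size` field is kept for that reason).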

Page 37: Dealing With Security Threats

Malicious Insiders

Malicious Insider: Four Types

1. White collar criminals

2. Terminated employees

3. Career builders

4. Industrial spies

Diagram elements: Firewall, Home Computer, IM, Webmail, Email, Unhappy Employee, USB, CD/DVD, Mobile Device

Page 38: Dealing With Security Threats

Operationalising security…

Page 39: Dealing With Security Threats

Establishing In-depth Defense

Future government capabilities are built on interconnected systems and effective information sharing.

Traditional ‘Bastion’ security models do not effectively support such agile, interconnected networks.

Interconnected networks require in-depth, proactive & agile defense at the periphery and the endpoint of infrastructure and information.

Page 40: Dealing With Security Threats

Collecting intelligence – Real time situation awareness

“What enables the wise sovereign and the good general to strike and conquer, and achieve things beyond the reach of ordinary men, is foreknowledge.”

SUN TZU – On the Art of War

Page 41: Dealing With Security Threats

Conficker/Downadup – Cumulative

Source – Conficker Working Group and Shadowserver

Page 42: Dealing With Security Threats

How to Stop Security Breaches

• Protect information proactively

• Automate review of entitlements

• Identify threats in real time

• Integrate security operations

• Prevent data exfiltration

• Stop targeted attacks

Page 43: Dealing With Security Threats

Thank you!

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
