Cyber Security
Terry Pobst-Martin, Chief Information Security Officer
State of Idaho, Office of the Chief Information Officer
You Expect It You Need It
Securing Digital Government
Our Vulnerability and the Real Threats
Cyber Security – Trends and Issues
What can we do?
The U.S. Government is Vulnerable
“Washington-- Computer spies have broken into the Pentagon's $300 billion Joint Strike Fighter project”. . . “suspected to be Chinese Hackers.” Apr 22, 2009 – Wall Street Journal
• “Report: Chinese hack into White House network” Nov 4, 2008 - ZDNet, posted by Andrew Nusca
The U.S. Government is Vulnerable
Huge new effort to protect Department of Defense
Also plan to help protect citizens in the future
Can no longer rely on industry efforts to counter cyber threats
Pentagon spent < $100 M in 6 months responding to:
cyber attacks related problems
The U.S. Government is Vulnerable
[Chart: Means of Attack into Federal Networks. Categories: Under Investigation; Improper Usage; Unauthorized Access; Malicious Code; Scans, Probes, Attempted Access]
Federal Government reported 18,050 cyber security breaches in 2008
The U.S. Government is Responding
U.S. Cyber Command Operational since October 1
The U.S. Infrastructure is Vulnerable
“Cyberspies penetrate electrical grid”
8 April 2009, Reuters
Electrical grid network has “Backdoors” to let bad guys in whenever they choose
The U.S. Government is Vulnerable
Cyber threats are now considered
Weapons of Mass Destruction!
"Cybersecurity is the soft underbelly of this country."
INL test
Electrical generators are at risk
Former National Intelligence Director Mike McConnell
Secretary of State Hillary Clinton
The U.S. Government is Vulnerable
Cyber Security Act of 2009
“…the president may order a Cybersecurity emergency and order the
limitation or shutdown of Internet traffic"
• Give Federal Government access to detailed network data
• Create a new Cybersecurity “Czar”
• Is supposed to coordinate military, NSA, Commerce & DHS efforts
A Hacker’s View of the State of Idaho:
• Target
• Government networks are a valid target
• Corporations are valid targets
• Individuals are a target
• Identity and privacy information = big target
Idaho Government is Vulnerable
The Overarching Threat in Idaho
Overarching Security Issues:
Electrical grid Cyber attacks
• Won’t stop the wind blowing
• Can’t stop the water flowing
• Can stop the power to
• You
• Your house
• Your workplace
• Stoplights...
The Daily Threat
Growing security trends:
• Huge increase in spam (Phishing, e-cards, etc.)
• New Threats: Vishing, Pod-Slurping, Thumb-sucking, more
• Development of wireless hacking & mobile device viruses
• Increase in video sharing exploits (PC or mobile)
• Significant Increase in “Drive-by” malicious-ware websites
• Increase in “Bots” & rootkits; hard to find or stop
U of I Website
State Website Hacks
• Replacing content with other content or photos
• Placing pornography on agency sites
• Reflects problems throughout the world
Cyber In-Security in Idaho
[Chart: Blocked Network Attacks in one week, 18-Dec to 24-Dec. Known Attacks on the Statewide Network]
Statewide E-mail Virus and Spam Filtering Statistics
[Chart: weekly message volume, 5 - 11 Mar 08 through 29 Apr - 5 May 09. Series: Spam, Legitimate, Virus]
Identity Theft – The Big Problem
The Federal Trade Commission
• Estimates nearly $50 billion is lost annually
• Result of identity theft & credit-card fraud
BBB
• 70% of Identity theft takes place from business data loss
• Identity theft is the fastest growing crime of all time
IDTHEFT.COM
• At least 48,606,000 identifying records have been stolen or lost since last year
Identity Theft – Sophisticated?
• “…laptop stolen from unlocked truck…”
• “…former office manager indicted for theft of records…”
• “…hard drives missing…”
• “…donated computer contained information.”
• “A hacker breaks in…”
• “…a data breach occurred…”
• “…records dumped in garbage…”
• “…employee loses a CD with data…”
• “…a customer just walked in and left with a stack of papers…”
Sophistication vs. Knowledge
[Chart: Intruder Knowledge and Attack Sophistication, Low to High, against years 1980, 1985, 1990, 1995, 2005, 2009. Labels on the chart: password guessing; self-replicating code; password cracking; exploiting known vulnerabilities; disabling audits; back doors; hijacking sessions; sweepers; sniffers; packet spoofing; GUI; automated probes/scans; denial of service; www attacks; “stealth” / advanced scanning techniques; burglaries; network mgmt. diagnostics; distributed attack tools; Cross site scripting; Staged; Auto Coordinated Tools; Malware Distribution Sites; iFrame & SQL Injects; Botnets for Rent; DNS Redirects]
Who is the threat?
Network Attackers
• Criminals
• Insiders
• Young Hackers
• Corporate / Foreign Entities
• Average Person
Average people… make mistakes
• Visit a site with poor security
• Obvious (e.g., pornography)
• Not obvious (e.g., MySpace, Facebook)
• Even trusted sites – thousands every day
• Download from the Internet
Average Person = Big Risk
Average people… make mistakes
• Install potentially dangerous software
• Freeware / Shareware
• Unchecked software
• Games
• Toolbars (e.g., Google Toolbar)
• Rights & access must be minimized
Average Person = Big Risk
Cisco Study: Laptop users bring threats into networks
Average Laptop User
• 56% believe Internet is now “safer”
• Less “destructive” viruses
• More security products
• Limited awareness
“Script Kiddies” or Hacker in-training
• Use tools developed by real Hackers
• Find excitement in breaking-in
• “Bragging Rights”
• Often purposely leave evidence
• Build a rep
• Rarely want long term exploitation
Young Hackers
Anyone could be an insider
• Studies show insiders bring huge losses
• Victims at HUGE risk
• 12 times more likely hit by fraud
Insiders – Who Are They?
Who Commits Data Breaches
• 73% External sources
• 39% Business partners
• 18% Malicious Insiders
• 30% Multiple parties
FTC says that in the U.S., as many as 10 Million people fall victim to ID Theft every year!
Number has grown every year…
Data Breach - Source Impact
[Chart: Median of Records Compromised, by breach source. External (73%): 30,000; Partner (39%): 187,500; Internal (18%): 375,000]
If there’s a profit or edge to gain
• Foreign governments
• Active attacks
• Network “backdoors”
• Use daily or hold for hostilities
Foreign / Corporate Threat Grows
If there’s a profit or edge to gain
• Corporations
• Information is power
• Corporate intelligence activities growing
• Is it ethical in the market place?
Foreign / Corporate Threat Grows
Developing new viruses all the time
• Created mostly by criminals
• A recent popular one is:
• JSRedir-R Trojan or “Gumblar”
• Infecting a new webpage every 4.5 seconds – legitimate sites
• Loads without knowledge
Refining Social Engineering
• “Twitterpornnames”
• Facebook and many other examples
Criminals Using a Mouse as Weapon
Global cybercrime is the biggest profit maker for criminals
• Surpassed drug trafficking
• Is not as dangerous as dealing drugs or robbing banks, etc.
• True hackers selling services to non-technical criminals
• Expertise is growing rapidly
• Money gets bigger every month
The Prime Motivator Grows Bigger
• Software has vulnerabilities
• We need software
• To do our jobs
• To entertain ourselves
• To make life easier
• Over 90% of attacks are on known vulnerabilities
• Patches are already out
• “Zero Day” exploits always a possibility
The Real Problem: Software
Cyber Security – Trends and Issues
No one does this anymore – do they?
Password: IG0lf@12^
• Password security is critical!
• Ensures only you can access your computer
• And the network behind it
• Use strong passwords always
• You will be attacked at the point of the weakest link
Good Password Discipline
• NEVER give your network password to anyone else!
• Don’t write it down!
• Use as long a password as you can and ensure it has
– Upper and Lower case Letters
– Special Characters and Numbers
– At least 8 characters
– Passphrases are very secure
Good Password Discipline
Good Password Length
Do you remember any Song Lyrics?
I’m @ little 2x10 Country than thaT
0:04 to Save the W0rld
thE Dog days are ^^^ (done)
Te11 everYBody I'm on my w@
U R the Wind b\ mY Wings
Hey! Mr. TamB0urine Man
Good Password Ideas
Do you remember Quotes, Poems, Biblical Phrases?
Ask what U can do 4 Ur country!
ToErrishuman,2_4givedivine
Early2bed&Early2risE
How do I love thee? Let me 1234 the ways!
Once upon a 12:00AM dreary
4 God so loved The world!
I will fear O evil, 4 thou art with me!
Good Password Ideas
• Physically secure your critical systems
• Screen-lock your system when away from your computer
• Ensure work areas are secure
• Be aware of people who don’t belong in the work area
Most Overlooked Aspect – Lock Others Out
• Despite public awareness
• Scammers are Social Engineers
• E-mails look more real
• Reeling in the victims
• Large amounts of money from small percentage of people
Phishing Threat is not Going Away
• Is your Bank account out there?
Bank Accounts for Sale
Vishing is a “New” Threat
• Using Voice over IP (VoIP)
• Gain access data
• Private, personal and financial information
• Likely to trust real person
• Caller ID spoofing builds trust
You can trust me
• Spyware infects >80% desktops
• P2P software can come with Spyware
• Now too prevalent and insidious
• Your Anti-virus will not find it all
• Precursor to Trojans and/or Botnet
• Malware, all types, increased from 32K variants in 2004 to >30 Mil in 2009
Now, almost too many to track (1/8 sec)
Spyware is Ever More Pervasive
Number of Unique Malware Variants
• 2004: 32,000
• 2005: 54,000
• 2006: 500,000
• 2007: 5,500,000
• 2008: 18,000,000
• 2009: 30,000,000
Note: These numbers come from different sources
Overloading Anti-virus manufacturers; some last only 24 hours
Watch Out for Fake AV
Rogue anti-virus/spyware programs
• Often generate more "alerts" than reputable software
• May bombard you with pop-ups, even when not online
• Use high-pressure sales to convince you to buy RIGHT NOW!
• Other signs of infection include:
• new desktop icons
• new wallpaper
• default homepage redirected to another site
Watch Out for Fake AV
Surfing the web is becoming a more treacherous adventure
Drive-by Malware
Safe website?
Infected Websites grew 300% in 2008
Drive-by Malware
Percentage, by groups of websites “hosting” malicious software (Early 2007, Late 2007, Mid 2008, Mid 2009)
• Internet Criminal Sites: 51, 48, 28, 21
• Infected Legitimate Sites: 48, 50, 70, 77
• Unknown: 1, 1, 2, 2
• Attacker communicates to all his Botnet drones / zombies
• Hackers “rent” Botnets for hours or days
Botnets - Hacker Super Computers
Command & Control Bot
Zombies or Bots
Hacker or Bot-herder
Botnets – For Rent
• Send out Spam
• Collect privacy data
• Store data
• Host Pharming websites
• Launch Denial of Service attacks
• Other attacks
Botnets - Hacker Super Computers
“Autorun” should be disabled to stop this…
Pod-Slurping and Thumb-Sucking
Free malicious software with the purchase of any digital frame????
USB Powered Devices
Or other USB powered devices
What do these advertisements hold?
What can you do?
We are the Keys to Security
Step 1: Understand that computer user involvement is key to successful network / cyber security
We are the Keys to Security
Step 1a: Don’t Be Scared
IT Must Put the Security in Place
Step 2 – Manage Risk
• Rapidly changing landscape for IT solutions
• Constantly changing IT security environment
• Security tools are growing – capability, complexity, cost
• IT budgets won’t increase as quickly as demand
Step 2a - Determine Risk
Analyze the security environment – focus on the risk
• What information / resources are you protecting
• What are the threats to your information / assets
• What is the risk to the organization if the information / asset is
• Lost
• Stolen
• Changed
Step 2b – Security Plan
• Develop a security plan to manage your risk
• Develop a security budget based on the security plan
• Assign the right people to manage and run with the plan
Individual Tools for Security – at Work
Step 3: Take security seriously at work
• Use strong passwords
• Lock your workstations
• Use care with e-mails
• Do not download from the Internet
• Do not install unchecked programs – rely on IT
• Be aware of your Anti-Virus – is it running?
• Laptop Firewalls should be on if away from the office
• Make backups of important files and folders
• Use a file encryption process
• Ensure Security is part of all Business and IT Plans
Individual Tools for Security – at Home
Step 4: Take security seriously at home
• Install / Use Anti-Virus & Spyware programs
• Install / Use a Firewall program
• Keep system patched – all your programs
• Use care when reading e-mail
• Make backups of important files and folders
• Use strong passwords (different ones for different sites)
• Use care when downloading and installing
• Consider using a file encryption program
Reassess
Step 5: Assess success of security procedures:
• Are risks mitigated?.. reduced?
• Modify plan when necessary
• Overcome disappointment; security can’t stop all attacks
• Experts are no longer saying “if” but “when”
Good Security can make you happy