
Page 1: Modern Cyber Threats (accenet.org/publications/Downloads/Presentations...)

Modern Cyber Threats – how yesterday’s mind set gets in the way of securing tomorrow’s critical infrastructure

Axel Wirth Healthcare Solutions Architect Distinguished Systems Engineer

AAMI 2013 Conference – ACCE Clinical Engineering Symposium

Page 2: A Little History

Page 3: Changing Threat Landscape

Page 4: Changing Threat Landscape – revisited

Newest motivation: political – espionage and sabotage

• The goal is to do damage, destroy, influence, reach political goals, or support a conventional attack.

• Highly sophisticated

• Effectively unlimited financial resources

• Well-planned and executed with unprecedented levels of control.

Page 5: TARGETED ATTACKS

Source for the following slides: Internet Security Threat Report 2013 :: Volume 18

Page 6: Targeted Attacks in 2012

Page 7: Targeted Attacks by Company Size

Greatest growth in 2012 is at companies with <250 employees

[Figure: share of targeted attacks by company size, 2012]

Employees            Share of attacks
2,501+               50%
1 to 2,500           50% in total, made up of:
  1,501 to 2,500       2%
  1,001 to 1,500       3%
  501 to 1,000         5%
  251 to 500           9%
  1 to 250            31% (up from 18% in 2011)

Page 8: Targeted Attacks predominantly start as spear phishing attacks

In 2012, Watering Hole Attacks emerged (popularized by the Elderwood Gang)

Spear Phishing: send an email to a person of interest

Watering Hole Attack: infect a website the targets are known to visit and lie in wait for them

Page 9: Steps of a Targeted Attack

1. Gather information from public sources (social media, etc.)

2. Target a few strategic persons (not only CEOs!)

3. Create a 0-day exploit and backdoor, or use an existing one

– Deliver it with a malicious document or by another method

4. Extract the desired information -> restart at 1.) if needed

– Attacks often run unnoticed for multiple months

Cycle shown on the slide: 1. Intelligence -> 2. Develop -> 3. Execute -> 4. Extract -> back to 1.

Page 10: Effectiveness of Watering Hole Attacks

Watering Hole attacks are targeted at specific groups, yet can capture a large number of victims in a very short time

One Watering Hole Attack in 2012 infected 500 companies, all within 24 hours

Page 11: Thwarting Targeted Attacks

Email & Web Gateway Filtering
• Scan and monitor inbound/outbound email and web traffic and block accordingly

Encryption
• Create and enforce security policies so all confidential information is encrypted

Removable Media Device Control
• Restrict removable devices and functions to prevent malware infection

Data Loss Prevention
• Discover data spills of confidential information that is targeted by attackers
• Detect and prevent exfiltration of confidential information that is targeted by attackers

Security Intelligence
• Human intelligence regarding active and anticipated attack campaigns, targeted attacks, and emerging threats

Holistic Security Monitoring
• Use the full capabilities of monitoring solutions to provide full visibility into security posture and events across the entire enterprise footprint

Incident Preparedness & Response
• Ensure formal Incident Response capabilities are in place and fully tested
• Conduct periodic penetration tests and red-team exercises to evaluate defense and response capabilities from the perspective of an attacker
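The spear-phishing step described on page 8 and the "Email & Web Gateway Filtering" item above both come down to the same mechanical question at the mail gateway: which inbound messages carry the indicators of a targeted lure? The following is an added example, written for this page and not code from the slides or from Symantec. It parses RFC 5322 messages with the Python standard library and scores four indicators: a display name that claims a trusted domain the From address does not carry, a Reply-To steering replies elsewhere, a look-alike (typosquat) of a partner domain, and executable or macro-enabled attachments. The trusted-domain list, the weights and thresholds, and the two sample messages are constructed for the example.

```python
"""Inbound mail triage for spear-phishing indicators.

Added example; not from the original slides and not Symantec code. Standard
library only. The trusted-domain list, scoring weights and the two sample
messages are constructed for this example.
"""
import difflib
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed for this example: domains the organisation legitimately exchanges mail with.
TRUSTED_DOMAINS = ["example-hospital.org", "vendor-example.com"]

# Attachment types that should not arrive unsolicited from outside the organisation.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".hta", ".docm", ".xlsm", ".pptm"}


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, cutoff=0.85):
    """Trusted domain that `domain` closely resembles without being it, else None.

    difflib's ratio catches typosquats such as the digit 1 for the letter l; it is
    not a full homoglyph check (Unicode confusables need IDNA handling first).
    """
    if not domain or domain in trusted:
        return None
    matches = difflib.get_close_matches(domain, trusted, n=1, cutoff=cutoff)
    return matches[0] if matches else None


def score_message(raw):
    """Return {'score', 'reasons', 'verdict'} for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons, score = [], 0

    # 1. Display name drops a trusted domain that the actual From address lacks,
    #    e.g. "IT Support (example-hospital.org)" <someone@free-mail.example>.
    if from_domain not in TRUSTED_DOMAINS and any(t in display.lower() for t in TRUSTED_DOMAINS):
        score += 2
        reasons.append("display name claims a trusted domain the From address lacks")

    # 2. Replies are steered to a different domain than the one the mail claims to come from.
    if reply_addr and domain_of(reply_addr) != from_domain:
        score += 2
        reasons.append("Reply-To domain differs from From domain")

    # 3. From domain is a near miss of a partner domain.
    target = lookalike_of(from_domain)
    if target:
        score += 3
        reasons.append(f"From domain {from_domain} looks like {target}")

    # 4. Executable or macro-enabled attachments.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            score += 3
            reasons.append(f"risky attachment type {ext} ({name})")

    # Assumed thresholds: block at 5 or more, hold for analyst review at 3 or 4.
    verdict = "block" if score >= 5 else "quarantine" if score >= 3 else "deliver"
    return {"score": score, "reasons": reasons, "verdict": verdict}


# Constructed sample messages (not real traffic).
SPEAR_PHISH = b"""From: "Dr. Smith (example-hospital.org)" <dr.smith@examp1e-hospital.org>
Reply-To: collector@mail-drop.example
To: biomed@example-hospital.org
Subject: Updated infusion pump service schedule
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached schedule before Monday.
--b1
Content-Type: application/octet-stream; name="schedule.docm"
Content-Disposition: attachment; filename="schedule.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

BENIGN = b"""From: Nurse Manager <nm@example-hospital.org>
To: biomed@example-hospital.org
Subject: Rounds tomorrow
MIME-Version: 1.0
Content-Type: text/plain

See you at 8.
"""

if __name__ == "__main__":
    for label, raw in (("spear-phish", SPEAR_PHISH), ("benign", BENIGN)):
        result = score_message(raw)
        print(label, result["verdict"], result["score"], result["reasons"])
```

The scoring is deliberately additive rather than a single rule, because each indicator on its own has legitimate explanations (mailing lists rewrite Reply-To, partners do send .docm files); it is the combination in one message that marks a lure. A real gateway would add sender-authentication results (SPF/DKIM/DMARC) and URL reputation to the same score.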

Page 12: SPAM TRENDS

Page 13: Spam Decline

Spam has declined for the second year in a row (as % of email)

Botnet takedowns continue to have an effect

[Figure: Global Spam Rates 2011-2012, monthly from January 2011 to October 2012, spam as a percentage of all email on a 0%-90% axis]

79% in January 2011 -> 69% in October 2012

Page 14: The Risk of Spam Continues

1 in 414 emails is a phishing attack

1 in 283 emails is a malware attack

69% of all email is spam

Page 15: Thwarting Spam-borne Attacks: Defense

Layered Endpoint Protection
• Use more than just AV – use the full functionality of endpoint protection including heuristics, reputation-based, behavior-based and other technologies
• Restrict removable devices and turn off auto-run to prevent malware infection

Security Awareness Training
• Ensure employees become the first line of defense against socially engineered attacks, such as phishing, spear phishing, and other types of attacks

Advanced Reputation Security
• Detect and block new and unknown threats based on global reputation and ranking

Holistic Network Monitoring & Layered Defenses
• Monitor globally for network intrusions, propagation attempts and other suspicious traffic patterns, including using reputation-based technologies
• Network protection is more than just blacklisting

Security Intelligence
• Human intelligence regarding active and anticipated attack campaigns, targeted attacks, and emerging threats

Email & Web Gateway Filtering
• Scan and monitor inbound/outbound email and web traffic and block accordingly

Page 16: VULNERABILITIES

Page 17: Zero-Day Vulnerabilities

One group can significantly affect yearly numbers

Elderwood Gang drove the rise in zero-day vulnerabilities

[Figure: zero-day vulnerabilities disclosed per year, total volume 2006-2012, with the share attributable to Stuxnet (2010) and to Elderwood marked]

Year    Zero-days
2006    13
2007    15
2008     9
2009    12
2010    14 (4 used by Stuxnet)
2011     8
2012    14 (4 attributed to Elderwood)

The chart also carries smaller Elderwood-attributed counts (2 and 3) in the years leading up to 2012.

Page 18: Our Websites are Being Used Against Us

61% of web sites serving malware are legitimate sites

53% of legitimate websites have unpatched vulnerabilities

25% have critical vulnerabilities unpatched

Page 19: Our Websites are Being Used Against Us

In 2012, one threat infected more than 1 million websites

Its payload was FakeAV

The next time it's likely to be ransomware


Page 21:

http://money.msn.com/health-and-life-insurance/for-ransom-your-medical-records

http://www.nytimes.com/2013/05/13/us/cyberattacks-on-rise-against-us-corporations.html?pagewanted=all&_r=0

http://www.informationweek.com/security/attacks/hackers-hold-australian-medical-records/240144164?printer_friendly=this-page

Page 22: Ransomware

[Figure: three headline figures; the values did not survive extraction]

Average number of attacks seen from one threat in an 18 day period

Number of criminal gangs involved in this cybercrime

Estimated amount extorted from victims in 2012

Page 23: Protecting Against Vulnerabilities: Defense

Advanced Reputation Security
• Detect and block new and unknown threats based on global reputation and ranking

Layered Network Protection
• Monitor globally for network intrusions, propagation attempts and other suspicious traffic patterns, including using reputation-based technologies
• Network protection is more than just blacklisting

Application Virtualization
• Leverage application virtualization technologies to reduce risk when legacy web browsers and older versions of 3rd party applications like Java or Adobe Reader must be used for compatibility reasons

Layered Endpoint Protection
• Use more than just AV – use the full functionality of endpoint protection including heuristics, reputation-based, behavior-based and other technologies
• Restrict removable devices and turn off auto-run to prevent malware infection

Vulnerability Management Program
• Routine, frequent vulnerability assessments and penetration tests to identify vulnerabilities in applications, systems, and mobile devices
• Formal process for addressing identified vulnerabilities

Configuration & Patch Management Program
• Ensure all operating system and application patches are evaluated and deployed in a timely manner
• Ensure adherence to formal, secure configuration standards
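"Formal process for addressing identified vulnerabilities" and "deployed in a timely manner" only mean something once "timely" is a number that can be checked against scanner output. The following is an added example for this page, not code from the slides or from Symantec: it takes a constructed scan export, derives a remediation deadline for every open finding from its CVSS severity, halves that deadline for systems in the clinical workflow, honours a documented risk acceptance with an expiry date (the legacy-Java and vendor-appliance cases the slide alludes to), and reports what is out of SLA. The SLA values, the tightening factor, the asset names and the findings are all assumptions.

```python
"""Patch-SLA tracking for a vulnerability management program.

Added example; not from the slides and not Symantec code. The SLA values,
the patient-facing tightening factor and the findings are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy: calendar days from first detection to remediation, by severity.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}
# Assumed policy: systems in the clinical workflow get half the time.
PATIENT_FACING_FACTOR = 0.5
# Reporting date for the sample run.
AS_OF = date(2013, 6, 1)


def severity(cvss):
    """Qualitative rating for a CVSS v3 base score (FIRST's standard bands)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


@dataclass
class Finding:
    asset: str
    title: str                      # component description as reported by the scanner
    cvss: float
    first_seen: date
    patient_facing: bool = False
    remediated: bool = False
    accepted_until: Optional[date] = None   # documented risk acceptance, with expiry

    def deadline(self):
        days = SLA_DAYS[severity(self.cvss)]
        if self.patient_facing:
            days = max(1, int(days * PATIENT_FACING_FACTOR))
        return self.first_seen + timedelta(days=days)

    def is_out_of_sla(self, today):
        if self.remediated:
            return False
        if self.accepted_until is not None and today <= self.accepted_until:
            return False    # compensating control signed off and still in force
        return today > self.deadline()


def out_of_sla(findings, today):
    """Open findings past their deadline, oldest deadline first."""
    late = [f for f in findings if f.is_out_of_sla(today)]
    return sorted(late, key=lambda f: (f.deadline(), f.asset))


def summary(findings, today):
    """Number of out-of-SLA findings per severity, for the monthly report."""
    counts = {s: 0 for s in SLA_DAYS}
    for f in out_of_sla(findings, today):
        counts[severity(f.cvss)] += 1
    return counts


# Constructed scan export: asset names and scores are illustrative, not real findings.
FINDINGS = [
    Finding("imaging-ws-07", "outdated Java runtime in browser plugin", 9.8, date(2013, 5, 1), patient_facing=True),
    Finding("office-pc-112", "outdated Java runtime in browser plugin", 9.8, date(2013, 5, 20)),
    Finding("intranet-web-01", "outdated web framework", 5.0, date(2013, 1, 15)),
    Finding("file-srv-02", "outdated PDF reader", 7.5, date(2013, 2, 1), remediated=True),
    Finding("kiosk-03", "weak TLS configuration", 3.0, date(2013, 1, 1)),
    # Vendor appliance that cannot be patched: isolated on its own VLAN, acceptance expires end of year.
    Finding("lab-analyzer-01", "unsupported OS on vendor appliance", 8.0, date(2013, 1, 10),
            patient_facing=True, accepted_until=date(2013, 12, 31)),
]

if __name__ == "__main__":
    for f in out_of_sla(FINDINGS, AS_OF):
        print(f"{f.asset:16} {severity(f.cvss):8} due {f.deadline()}  {f.title}")
    print(summary(FINDINGS, AS_OF))
```

The acceptance record is the part most programs get wrong: without an expiry date an exception becomes permanent, so the appliance finding here drops out of the report only until 31 December 2013 and reappears the day after, forcing the decision to be re-made.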

Page 24: MOBILE TRENDS

Page 25: Android Malware Growth

[Figure: Cumulative Android Families 2011-2012 (left axis, 0-200) and Cumulative Android Variants 2011-2012 (right axis, 0-5,000), monthly from January 2011 to October 2012]

Page 26: What Does Mobile Malware Do?

Mobile Threats by Type

Steal Information      32%
Traditional Threats    25%
Track User             15%
Send Content           13%
Adware/Annoyance        8%
Reconfigure device      8%

Page 27: Information Stealing Malware

Android.Sumzand

1. User receives an email with a link to download the app

2. The app steals contact information

3. Harvested email addresses are used to spam the threat to others

Page 28: Mitigating Mobile Threats

Mobile Application Management
• Use application management capabilities to protect sensitive data in BYOD scenarios or where full MDM capabilities are undesirable

Content Security
• Identify confidential data on mobile devices and use technologies to prevent future exposure
• Protect data from moving between applications
• Encrypt mobile devices to prevent lost devices from turning into lost confidential data

Identity and Access
• Provide strong authentication and authorization for access to enterprise applications and resources
• Ensure safe access to enterprise resources from the right devices with the right postures

Device Management
• Remotely wipe devices in case of theft or loss
• Update devices with applications as needed without physical access
• Get visibility and control of devices, users and applications

Device Security
• Guard mobile devices against malware and spam
• Prevent the device from becoming a vulnerability
• Enforce compliance across the organization, including security standards & passwords
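"The right devices with the right postures" is an access decision, and the rest of the list supplies its inputs: enrollment, encryption, malware state, lost/stolen status, passcode policy. The following is an added example for this page, not code from the slides or from Symantec. It encodes those items as a small policy: hard failures (rooted or jailbroken, known malware, unencrypted storage) deny access and a lost device gets a remote-wipe order; soft failures (unmanaged BYOD device, OS below the supported minimum, no screen lock) reduce access to a browser-only mode inside a managed app, which is the MAM-instead-of-MDM case in the first bullet; a clean posture gets full access. The attribute names, the minimum OS versions and the sample devices are assumptions.

```python
"""Posture-based access decision for mobile devices.

Added example; not from the slides and not Symantec code. Attribute names,
minimum OS versions and the sample device inventory are assumptions.
"""
from dataclasses import dataclass

# Assumed minimum supported OS versions as (major, minor).
MIN_OS = {"android": (4, 2), "ios": (6, 1)}


@dataclass
class DevicePosture:
    device_id: str
    platform: str
    os_version: tuple
    managed: bool               # enrolled in MDM, or at least in app-level management
    encrypted: bool
    screen_lock: bool
    rooted: bool = False        # rooted / jailbroken
    known_malware: bool = False
    reported_lost: bool = False


def evaluate(p):
    """Return (decision, reasons) where decision is 'wipe', 'deny', 'limited' or 'full'."""
    if p.reported_lost:
        return "wipe", ["device reported lost or stolen; issue remote wipe"]

    hard, soft = [], []
    # Hard failures: the device itself cannot be trusted with enterprise data.
    if p.rooted:
        hard.append("device is rooted/jailbroken")
    if p.known_malware:
        hard.append("known malware present")
    if not p.encrypted:
        hard.append("storage not encrypted")

    # Soft failures: data may be handled only inside a managed app container.
    if not p.managed:
        soft.append("not enrolled in device or application management")
    minimum = MIN_OS.get(p.platform)
    if minimum is None:
        soft.append(f"unsupported platform {p.platform}")
    elif tuple(p.os_version) < minimum:
        soft.append("OS %s below minimum %s" % (".".join(map(str, p.os_version)), ".".join(map(str, minimum))))
    if not p.screen_lock:
        soft.append("no screen lock / passcode")

    if hard:
        return "deny", hard + soft
    if soft:
        # Browser-only access through the managed app: no document download, no offline copy.
        return "limited", soft
    return "full", []


def decide_all(postures):
    """Map device id to decision, for the access gateway's policy table."""
    return {p.device_id: evaluate(p)[0] for p in postures}


# Constructed device inventory (not real devices).
DEVICES = [
    DevicePosture("tablet-ward-3", "android", (4, 4), managed=True, encrypted=True, screen_lock=True),
    DevicePosture("byod-phone-1", "ios", (7, 0), managed=False, encrypted=True, screen_lock=True),
    DevicePosture("byod-phone-2", "android", (4, 0), managed=True, encrypted=True, screen_lock=False, rooted=True),
    DevicePosture("tablet-ward-5", "android", (4, 4), managed=True, encrypted=True, screen_lock=True, reported_lost=True),
    DevicePosture("pager-gw", "other", (1, 0), managed=True, encrypted=True, screen_lock=True),
]

if __name__ == "__main__":
    for d in DEVICES:
        decision, reasons = evaluate(d)
        print(f"{d.device_id:14} {decision:8} {'; '.join(reasons)}")
```

Returning the reasons alongside the decision matters in practice: the user sees why the device was limited and can fix it (enroll, set a passcode), while the same list feeds the compliance report the last bullet asks for.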

Page 29: MAC MALWARE

Page 30: Mac Malware Trend

[Figure: new Mac malware families per year, 2007-2012; bar values as they appear on the chart]

Year    New Mac families
2007     1
2008     3
2009     4
2010     3
2011     6
2012    10

10 new Mac families of malware in 2012

Page 31: Flashback

But in 2012, one Mac threat infected 600,000 machines

Page 32: Thwarting Mac Attacks: Defense

Security Awareness Training
• Ensure employees become the first line of defense against socially engineered attacks, such as phishing, spear phishing, and other types of attacks

Layered Network Protection
• Monitor globally for network intrusions, propagation attempts and other suspicious traffic patterns, including using reputation-based technologies
• Network protection is more than just blacklisting

Configuration & Patch Management Program
• Ensure all operating system and application patches are evaluated and deployed in a timely manner
• Ensure adherence to formal, secure configuration standards

Layered Endpoint Protection
• Use robust endpoint protection on your Macs – they are not immune to malware

Page 34: Thank you!

Copyright © 2013 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 04/13 21284433

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.


Axel Wirth

[email protected]

617 999 4035

AAMI 2013 Conference – ACCE Clinical Engineering Symposium