security trends and predictions 2015 (+ 2016)wiki.netseclab.mu.edu.tr/images/7/7e/ceng3544... ·...

Security Trends and Predictions 2015 (+ 2016) Dr. Enis Karaarslan http://netseclab.mu.edu.tr

Security Trends and Predictions 2015 (+ 2016)

Dr. Enis Karaarslan

http://netseclab.mu.edu.tr

● Based on Sophos Security Threat Trends 2015 and several other reports

Content

● More attacks against end users
● Botnets, DDOS
● Global Skills Gap
● Massive regulatory changes
● Exploit Mitigations
● Device & Internet of Things Attacks
● Encryption Implementations?
● Major flaws in widely-used software
● Attacks to Mobile payment systems
● Attack services and exploit kits
● ICS/SCADA security
● New Attacks for the New Protocols

More attacks against end users ...

Ransomware ...

Botnets, DDOS ...

Botnets – DDOS

● More attacks (with political purposes) against infrastructure, in which botnets are widely used

Need for Collaboration

● Attacks on DNS servers show the need for global collaboration against attacks
  – Between service providers and the DNS administration
  – Between Tiers

Global Skills Gap

Global skills gap

● More and more data breaches and attacks
● The cyber security skills shortage is becoming more critical
● Global skills gap continues to increase
● The requirement to handle incidents when they occur (incident response)
● Education need
● Industry – Need for recruitment strategy for these professionals
● Make clear to Graduates - career prospects

Massive regulatory changes

Massive regulatory changes

● European Union – implementing tough new standards in 2015, with enforcement commencing in 2016

● New regulations and fines
● More progressive data protection regulation in other jurisdictions is on the way?
● Cybercrime laws, especially for international issues, are needed!

Exploit Mitigations

Exploits ...

● Delivery of malicious code with
  – Formerly: Spam
  – Now: web based infection and browser based exploits
● High value exploits (sold for more targeted use and deployed more selectively)
● Simple & effective social engineering
● Focusing on non-Microsoft platforms?
● Patching strategy?

OS exploit mitigations

Changes in OS like Microsoft Windows 8 and Windows 8.1:
  – DEP (data execution prevention, designed to prevent the execution of attacker code in certain parts of a computer’s memory),
  – ASLR (address space layout randomization, which makes writing attack code difficult by shuffling memory around),
  – and more improvements

Myths

● Myths like …
  – Mac OS does not have exploits
  – Linux does not have exploits

Device & Internet of Things Attacks

Device Security

● Wireless routers, CCTV cameras … etc are easy to hack

● Internet of Things (IoT) devices - failed to implement basic security standards

● Security
  – Should be a commercial requirement
  – Patch distribution problems?

From the news ...

Encryption Implementations?

Encryption

● Growing awareness of security and privacy concerns
● Full-disk encryption
  – Standard?
  – Far more common default provided by OS

● More Android applications which encrypt local data

Incorrect use of SSL

● Difference between effective encryption and “marketing” encryption
● Virtually no business use case involving SSL/TLS can be considered totally secure.
  – making the encryption more for show (ex. most do not use certificate pinning)
  – protocol vulnerabilities
  – unnecessary features
  – implementation errors

Encryption problems

● Encrypt data flowing in to cloud services
  – Flaws in implementation?
  – Is it really encrypted?

● Law enforcement forensics – encryption concern

● More traffic is encrypted and cannot be intercepted and scanned on the network

Major flaws in widely-used software

Attackers in search of less-considered systems?

● Heartbleed Bug - OpenSSL project
  – Before: No proper audits and code checks a lot of the time
  – After: slow patch times

● Shellshock / Bashdoor is a family of security bugs in the widely used Unix Bash shell. This can allow an attacker to gain unauthorized access to a computer system.

● Attackers interested in less-considered software and systems?

Attacks to Mobile payment systems

Attacks against Mobile payment?

● Mobile payment systems
  – implementation mistakes?
● Special hardware that makes it much harder to extract information
  – the use of a PIN, password or fingerprint for authentication;
  – a token to represent your authorization
● An improvement over simple, easy to clone cards
● New payment systems will be more resistant to theft

Attack services and exploit kits

Exploit kits ...

● Rise of products and services to make hacking and exploitation point-and-click easy

● Specific products for mobile and IoT on the way?
● New innovation in commercializing non-PC hacking
  – Android malware - the vast majority of it posing as legitimate applications and tricking the user into installing their nasty code
  – New security measures - ASLR (userland and Kernel) and sandboxing features (amongst other security controls).

ICS/SCADA security

ICS Security

● Industrial control systems (ICS) are behind the mainstream desktop environment in terms of security.

● Lack of authentication, encryption or integrity-checking

● The only viable security strategy is to keep them isolated on air gapped networks.

ICS Security

● Shodan Web Search & API?
● There are security initiatives from the bigger players in this space
● The gap between the mainstream world of security and ICS is only growing bigger.
● Security of the Critical Infrastructures like Energy

Turkey Electricity blackout – a cyber attack?

● It's argued that the electricity blackout is a cyber attack?
  – Probably not
  – Smart Grid and its potential future risks?

Flaws?

● Expect far more serious flaws to be exposed and used by attackers as motives continue to evolve away from being mainly financial.

● Greater regulation and industry standardization needed in these areas

● It will take a long time to change given their high cost, high complexity and often bespoke nature

● Risk is significant and security is low

New Attacks for the New Protocols

Major Changes

● Major changes and deploying new protocols:
  – new version of HTTP (2.0 the successor to 1.1) is
  – IPv6
● Lower level changes will likely bring interesting flaws
● Ex: The IPv6 stack on Windows 7 and Windows 8 is vulnerable to a resource exhaustion flaw which allows an attacker to send continuous random router advertisements and consume 100% CPU of the system (crash the system entirely)
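
The router-advertisement flood in the example above can be detected on the defender's side by counting distinct advertised prefixes inside a short sliding window. This is an added example, not part of the original slides; the event tuple layout, the thresholds and the addresses are assumptions, and the sample events are constructed.

```python
from collections import deque

# Assumed thresholds (not from the slides); tune them per network.
WINDOW_MS = 10_000          # sliding window length
MAX_PREFIXES = 8            # a normal LAN advertises only a few prefixes

def detect_ra_flood(events, window_ms=WINDOW_MS, limit=MAX_PREFIXES):
    """Flag bursts of IPv6 Router Advertisements carrying many distinct prefixes.

    events: (timestamp_ms, router_address, advertised_prefix) tuples sorted by
    time, e.g. parsed from a packet capture. Returns one
    (timestamp_ms, distinct_prefixes) alert per burst, at the moment the limit
    is first exceeded.
    """
    recent = deque()        # (timestamp_ms, prefix) still inside the window
    counts = {}             # prefix -> number of RAs in the window
    alerts, in_burst = [], False
    for ts, _router, prefix in events:
        recent.append((ts, prefix))
        counts[prefix] = counts.get(prefix, 0) + 1
        # Expire advertisements that fell out of the window.
        while recent[0][0] < ts - window_ms:
            _, old = recent.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        if len(counts) > limit:
            if not in_burst:            # alert once per burst, not per packet
                alerts.append((ts, len(counts)))
            in_burst = True
        else:
            in_burst = False
    return alerts

def sample_events():
    """Constructed sample: one legitimate router plus a one-second flood."""
    normal = [(t * 1000, "fe80::1", "2001:db8:1::/64") for t in range(0, 41, 4)]
    flood = [(20_000 + i * 10, f"fe80::dead:{i:x}", f"2001:db8:{0x100 + i:x}::/64")
             for i in range(100)]
    return sorted(normal + flood)

if __name__ == "__main__":
    for ts, n in detect_ra_flood(sample_events()):
        print(f"RA flood suspected at t={ts} ms: {n} distinct prefixes in window")
```

On the network side, RA Guard (RFC 6105) on access switches drops rogue router advertisements before they reach hosts.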

Major Changes

● IPv6 re-implements some of the old trust flaws of IPv4, such as providing mechanisms to do man in the middle but also provisions in the standard?

● UEFI provides a rich boot environment – easier to program than BIOS.

  – provides interesting rootkit and bot capabilities that may turn up new attack vectors

● Be careful with these new technologies ...

And more to come every day ...

Dr. Enis KARAARSLAN

MSKÜ Network & Security Lab

http://netseclab.mu.edu.tr

References

● Security Threat Trends 2015, SOPHOS

● Amid SSL security issues, enterprises face many problems, few answers, http://searchsecurity.techtarget.com/news/4500243725/Amid-SSL-security-issues-enterprises-face-many-problems-few-answers

● The Heartbleed Bug, http://heartbleed.com/