Source: wiki.netseclab.mu.edu.tr/images/7/7e/ceng3544...
Security Trends and Predictions 2015 (+ 2016)
Dr. Enis Karaarslan
http://netseclab.mu.edu.tr
● Based on the Sophos Security Threat Trends 2015 report and several other reports
Content
● More attacks against end users
● Botnets, DDoS
● Global skills gap
● Massive regulatory changes
● Exploit mitigations
● Device & Internet of Things attacks
● Encryption implementations?
● Major flaws in widely-used software
● Attacks on mobile payment systems
● Attack services and exploit kits
● ICS/SCADA security
● New attacks for the new protocols
More attacks against end users ...
Ransomware ...
Botnets, DDoS ...
Botnets – DDoS
● More politically motivated attacks on infrastructure, in which botnets are widely used
Need for Collaboration
● Attacks on DNS servers show the need for global collaboration against attacks
– Between service providers and DNS administration
– Between tiers
Global Skills Gap
● More and more data breaches and attacks
● The cyber security skills shortage is becoming more critical
● The global skills gap continues to increase
● Incidents must be handled when they occur (incident response)
● Need for education
● Industry – need for a recruitment strategy for these professionals
● Make career prospects clear to graduates
Massive regulatory changes
● European Union – implementing tough new standards in 2015, with enforcement commencing in 2016
● New regulations and fines
● More progressive data protection regulation in other jurisdictions is on the way?
● Cybercrime laws, especially for international issues, are needed!
Exploit Mitigations
Exploits ...
● Delivery of malicious code
– Formerly: spam
– Now: web-based infection and browser-based exploits
● High-value exploits (sold for more targeted use and deployed more selectively)
● Simple and effective social engineering
● Focus on non-Microsoft platforms?
● Patching strategy?
OS exploit mitigations
Changes in OSs like Microsoft Windows 8 and Windows 8.1 strengthened mitigations such as (DEP first shipped in Windows XP SP2 and ASLR in Windows Vista; 8 and 8.1 extended both):
– DEP (data execution prevention): marks data regions such as the stack and heap non-executable, so injected attacker code cannot run there unless the attacker first makes it executable
– ASLR (address space layout randomization): shuffles the load addresses of stacks, heaps and libraries on every run, so attack code cannot rely on fixed addresses
– and more improvements
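A quick way to observe both mitigations from user space on a Linux host (the slide talks about Windows, but the mechanisms are the same): this is an added example, not code from the slides. It launches a fresh interpreter several times and compares where libc and a newly allocated heap object land (ASLR), and reads the process's own memory map to confirm that the stack mapping carries no execute permission (NX, the hardware side of DEP). The probe script and the /proc paths are the example's own choices.

```python
import subprocess
import sys

# Probe executed in a fresh interpreter: where did libc and a fresh heap object land?
PROBE = r"""
import ctypes
try:
    libc_printf = ctypes.cast(ctypes.CDLL(None).printf, ctypes.c_void_p).value
except (OSError, AttributeError):
    libc_printf = 0
print(libc_printf, id(bytearray(1 << 20)))
"""


def probe_addresses():
    """Run the probe once; returns (libc printf address, heap object address)."""
    out = subprocess.run([sys.executable, "-c", PROBE], capture_output=True,
                         text=True, check=True).stdout.split()
    return int(out[0]), int(out[1])


def aslr_observed(runs=3):
    """With ASLR on, each run places libc and the heap somewhere else."""
    samples = [probe_addresses() for _ in range(runs)]
    return {
        "samples": samples,
        "libc_randomized": len({s[0] for s in samples}) > 1,
        "heap_randomized": len({s[1] for s in samples}) > 1,
    }


def randomize_va_space():
    """Linux ASLR policy: '0' off, '1' stacks/libs/mmap, '2' also the brk heap.
    None when the sysctl is not readable (non-Linux host)."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            return f.read().strip()
    except OSError:
        return None


def stack_mapping_perms():
    """Permission string of this process's [stack] mapping, e.g. 'rw-p'.
    No 'x' means the stack is non-executable (NX / DEP in effect)."""
    try:
        with open("/proc/self/maps") as f:
            for line in f:
                if line.rstrip().endswith("[stack]"):
                    return line.split()[1]
    except OSError:
        pass
    return None


if __name__ == "__main__":
    print("randomize_va_space:", randomize_va_space())
    print("stack permissions:", stack_mapping_perms())
    print(aslr_observed())
```

Run it twice with `setarch -R` (which disables ASLR for the child) and without, and the addresses stop changing in the first case; the stack permissions stay `rw-p` either way, because NX is enforced by the page tables, not by the randomization policy.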
Myths
● Myths like ...
– Mac OS has no exploits
– Linux has no exploits
Device & Internet of Things Attacks
Device Security
● Wireless routers, CCTV cameras, etc. are easy to hack
● Internet of Things (IoT) devices fail to implement basic security standards
● Security
– Should be a commercial requirement
– Patch distribution problems?
From the news ...
Encryption Implementations?
Encryption
● Growing awareness of security and privacy concerns
● Full-disk encryption
– Standard?
– Far more commonly provided by the OS by default
● More Android applications which encrypt local data
Incorrect use of SSL
● Difference between effective encryption and "marketing" encryption
● Virtually no business use case involving SSL/TLS can be considered totally secure
– the encryption is more for show (e.g. most do not use certificate pinning)
– protocol vulnerabilities
– unnecessary features
– implementation errors
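What separates "marketing" encryption from effective encryption in a TLS client is mostly configuration. The following is an added example, not code from the slides or from the cited article: a Python `ssl` context that accepts whatever certificate the other end presents, beside a hardened one that verifies the chain and hostname against the system trust store, refuses protocols below TLS 1.2, switches off compression and renegotiation, and additionally checks the server's leaf certificate against a pin. The pin here is the SHA-256 of the DER-encoded leaf certificate; pinning the SubjectPublicKeyInfo instead survives certificate renewal but needs a DER parser. `pinned_connect` and the sample bytes are constructed for the example.

```python
import base64
import hashlib
import socket
import ssl


def insecure_context():
    """'Marketing' TLS: the bytes are encrypted, but to whoever answers, since
    neither the certificate chain nor the hostname is ever checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Chain and hostname verified against the system trust store; old protocols
    and unnecessary features switched off."""
    ctx = ssl.create_default_context()                      # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2            # no SSLv3 / TLS 1.0 / TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION                    # TLS compression (CRIME)
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)   # flag absent on old OpenSSL builds
    return ctx


def cert_pin(der_cert):
    """Pin = base64(SHA-256(DER leaf certificate))."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


def pin_ok(der_cert, pins):
    return cert_pin(der_cert) in set(pins)


def pinned_connect(host, port, pins, ctx=None):
    """Connect, let OpenSSL verify as usual, then additionally require the leaf
    certificate to match one of `pins`. Network call, not exercised offline."""
    ctx = ctx or hardened_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not pin_ok(leaf, pins):
                raise ssl.SSLCertVerificationError("certificate pin mismatch for %s" % host)
            return tls.version()


def context_summary(ctx):
    """Plain values describing what a context actually enforces."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
        "compression_off": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


if __name__ == "__main__":
    print("insecure:", context_summary(insecure_context()))
    print("hardened:", context_summary(hardened_context()))
```

Keep at least two pins (the current leaf and a backup) in `pins`, otherwise a routine certificate renewal locks every client out.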
Encryption problems
● Encrypting data flowing into cloud services
– Flaws in implementation?
– Is it really encrypted?
● Law enforcement forensics – encryption is a concern
● More traffic is encrypted and cannot be intercepted and scanned on the network
Major flaws in widely-used software
Attackers in search of less-considered systems?
● Heartbleed bug – OpenSSL project: a missing bounds check in the TLS heartbeat extension let a remote peer read up to 64 KB of process memory per request
– Before: often no proper audits or code reviews
– After: slow patch times
● Shellshock / Bashdoor is a family of security bugs in the widely used Unix Bash shell: code appended to a function definition in an environment variable is executed when bash starts, so any service that passes attacker-controlled input into the environment (CGI scripts, for example) can give an attacker unauthorized access to the system
● Attackers interested in less-considered software and systems?
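Two checks for the flaws named on this slide, written as an added example rather than taken from the slides: a simulation of the Heartbleed bounds-check failure (the 2-byte payload length field is trusted, so memory after the record is copied into the reply) beside the fixed handler, and a probe that asks the installed bash whether it still executes code appended to an exported function definition. The "heap" contents and the heartbeat messages are constructed; nothing touches the network.

```python
import os
import shutil
import subprocess

HB_REQUEST, HB_RESPONSE = 1, 2
HB_PADDING = 16   # RFC 6520: at least 16 bytes of random padding follow the payload

# Constructed stand-in for whatever happened to sit after the record in the server heap.
NEIGHBOURING_HEAP = (b"GET /account HTTP/1.1\r\nCookie: session=8f3a9c1d2e\r\n\r\n"
                     b"-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...")


def heartbeat_request(payload, claimed_len=None):
    """Heartbeat message: type (1), payload_length (2), payload, padding.
    claimed_len lets a client lie about how long the payload is."""
    n = len(payload) if claimed_len is None else claimed_len
    return bytes([HB_REQUEST]) + n.to_bytes(2, "big") + payload + os.urandom(HB_PADDING)


def heartbeat_reply_vulnerable(record, heap_after_record):
    """OpenSSL 1.0.1 to 1.0.1f (CVE-2014-0160): trusts the length field and copies
    that many bytes from where the payload starts, running past the end of the
    record into whatever follows it in memory."""
    claimed = int.from_bytes(record[1:3], "big")
    memory = record[3:] + heap_after_record
    return bytes([HB_RESPONSE]) + record[1:3] + memory[:claimed] + os.urandom(HB_PADDING)


def heartbeat_reply_fixed(record, heap_after_record):
    """1.0.1g: the record must actually contain type + length + payload + padding;
    otherwise the message is silently discarded."""
    claimed = int.from_bytes(record[1:3], "big")
    if 1 + 2 + claimed + HB_PADDING > len(record):
        return None
    payload = record[3:3 + claimed]
    return bytes([HB_RESPONSE]) + record[1:3] + payload + os.urandom(HB_PADDING)


def heartbleed_leak(claimed_len=16384):
    """Bytes a malicious zero-payload request extracts from the vulnerable handler."""
    request = heartbeat_request(b"", claimed_len=claimed_len)
    reply = heartbeat_reply_vulnerable(request, NEIGHBOURING_HEAP)
    return reply[3:3 + claimed_len]


def bash_shellshock_vulnerable():
    """True if the installed bash runs code smuggled after an exported function
    body (CVE-2014-6271), False if patched, None if bash is not installed."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"),
           "x": "() { :;}; echo SHELLSHOCK"}      # the classic harmless probe
    out = subprocess.run([bash, "-c", "echo probe"], env=env,
                         capture_output=True, text=True).stdout
    return "SHELLSHOCK" in out


if __name__ == "__main__":
    print("leaked:", heartbleed_leak()[16:80])
    print("shellshock:", bash_shellshock_vulnerable())
```

The Heartbleed fix is one comparison; what made the bug expensive was that the leaked region is whatever the allocator placed next to the record, which in a busy TLS server is session cookies and, occasionally, the private key.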
Attacks on mobile payment systems
Attacks against mobile payment?
● Mobile payment systems – implementation mistakes?
● Special hardware that makes it much harder to extract information
– the use of a PIN, password or fingerprint for authentication
– a token that represents your authorization
● An improvement over simple, easy-to-clone cards
● New payment systems will be more resistant to theft
Attack services and exploit kits
Exploit kits ...
● Rise of products and services that make hacking and exploitation point-and-click easy
● Specific products for mobile and IoT on the way?
● New innovation in commercializing non-PC hacking
– Android malware – the vast majority of it poses as legitimate applications and tricks the user into installing the malicious code
– New security measures – ASLR (userland and kernel) and sandboxing features (amongst other security controls)
ICS/SCADA security
ICS Security
● Industrial control systems (ICS) are behind the mainstream desktop environment in terms of security.
● Lack of authentication, encryption or integrity checking
● The only viable security strategy is to keep them isolated on air-gapped networks (in practice the gap is eroded by maintenance laptops, vendor remote access and USB media, so segmentation and monitoring are still needed).
ICS Security
● Shodan web search & API? (Shodan indexes Internet-exposed ICS devices, so supposedly isolated systems are often findable)
● There are security initiatives from the bigger players in this space
● The gap between the mainstream world of security and ICS is only growing bigger.
● Security of critical infrastructures like energy
Turkey electricity blackout – a cyber attack?
● It was argued that the electricity blackout was a cyber attack
– Probably not
– Smart grid and its potential future risks?
Flaws?
● Expect far more serious flaws to be exposed and used by attackers as motives continue to evolve beyond being mainly financial
● Greater regulation and industry standardization needed in these areas
● It will take a long time to change, given their high cost, high complexity and often bespoke nature
● Significant risk, and security is low
New Attacks for the New Protocols
Major Changes
● Major changes and deployment of new protocols:
– the new version of HTTP (2.0, the successor to 1.1)
– IPv6
● Lower-level changes will likely bring interesting flaws
● Example: the IPv6 stack on Windows 7 and Windows 8 is vulnerable to a resource exhaustion flaw: an attacker who sends a continuous stream of random router advertisements can drive the system to 100% CPU (and crash it entirely)
Major Changes
● IPv6 re-implements some of the old trust flaws of IPv4, such as mechanisms that allow man-in-the-middle attacks (rogue router advertisements and neighbor discovery spoofing are the IPv6 counterparts of ARP spoofing), though the standards also contain provisions against them (RA Guard, SEND)?
● UEFI provides a rich boot environment – easier to program than BIOS
– provides interesting rootkit and bot capabilities that may turn up new attack vectors
● Be careful with these new technologies ...
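Rogue and flooded router advertisements are the IPv6 problem both of the slides above point at. The following added example (not from the slides) builds RFC 4861 Router Advertisement messages with a Prefix Information option, parses them back, and applies a simple RA Guard-style rule at the link layer: only an allow-listed router MAC may advertise, and a source that advertises more distinct prefixes than a threshold is flagged as a flood. MAC addresses, prefixes and the threshold are constructed for the example; the ICMPv6 checksum is left zero because the IPv6 pseudo-header is not modelled.

```python
import ipaddress
import struct
from collections import defaultdict

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3


def build_ra(prefix, router_lifetime=1800, prefix_len=64):
    """ICMPv6 Router Advertisement (RFC 4861 section 4.2) with one Prefix
    Information option (section 4.6.2). Checksum left 0: not modelled here."""
    header = struct.pack("!BBHBBHII",
                         ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,   # type, code, checksum
                         64, 0x00, router_lifetime,            # cur hop limit, M/O flags, lifetime
                         0, 0)                                 # reachable time, retrans timer
    option = struct.pack("!BBBBIII16s",
                         OPT_PREFIX_INFORMATION, 4,            # type, length in 8-octet units
                         prefix_len, 0xC0,                     # prefix length, L and A flags
                         2592000, 604800, 0,                   # valid, preferred, reserved
                         ipaddress.IPv6Address(prefix).packed)
    return header + option


def parse_ra(pkt):
    """Return {'router_lifetime', 'prefixes'} for an RA, or None if it is not a
    well-formed RA (wrong type, truncated, or a zero-length option)."""
    if len(pkt) < 16 or pkt[0] != ICMPV6_ROUTER_ADVERTISEMENT or pkt[1] != 0:
        return None
    router_lifetime = struct.unpack("!H", pkt[6:8])[0]
    prefixes = []
    off = 16
    while off + 2 <= len(pkt):
        opt_type, opt_len = pkt[off], pkt[off + 1]
        if opt_len == 0:                    # RFC 4861: discard the packet
            return None
        opt = pkt[off:off + opt_len * 8]
        if len(opt) < opt_len * 8:          # truncated option
            return None
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            prefixes.append("%s/%d" % (ipaddress.IPv6Address(opt[16:32]), opt[2]))
        off += opt_len * 8
    return {"router_lifetime": router_lifetime, "prefixes": prefixes}


class RaGuard:
    """Link-layer policy: allow-listed routers only, and a cap on distinct
    prefixes per source, which a random-prefix RA flood exceeds immediately."""

    def __init__(self, allowed_routers=(), max_prefixes_per_source=8):
        self.allowed = set(allowed_routers)
        self.max_prefixes = max_prefixes_per_source
        self.prefixes_seen = defaultdict(set)

    def observe(self, src_mac, pkt):
        ra = parse_ra(pkt)
        if ra is None:
            return "ignore"
        if self.allowed and src_mac not in self.allowed:
            return "rogue-router"
        self.prefixes_seen[src_mac].update(ra["prefixes"])
        if len(self.prefixes_seen[src_mac]) > self.max_prefixes:
            return "ra-flood"
        return "ok"


def simulate_flood(count=20, src_mac="02:00:00:00:00:01"):
    """Constructed flood: one allowed router advertising `count` different /64s."""
    guard = RaGuard(allowed_routers={src_mac})
    return [guard.observe(src_mac, build_ra("2001:db8:%x::" % i)) for i in range(count)]


if __name__ == "__main__":
    print(simulate_flood())
```

On a real network the equivalent is RA Guard on the access switch (RFC 6105), which drops RAs arriving on ports that are not router-facing; the counting rule here is what a host-side monitor can do when the switch offers no such feature.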
And more to come every day ...
Dr. Enis KARAARSLAN
MSKÜ Network & Security Lab, http://netseclab.mu.edu.tr
References
● Security Threat Trends 2015, Sophos
● Amid SSL security issues, enterprises face many problems, few answers, http://searchsecurity.techtarget.com/news/4500243725/Amid-SSL-security-issues-enterprises-face-many-problems-few-answers
● The Heartbleed Bug, http://heartbleed.com/