What remains? What are (really) new?

June 13, 2013
Shin Adachi, CISSP, CISM, CISA, PMP
Lead Security Analyst, NTT I³ (NTT Innovation Institute, Inc.)
Co-Chair, Education Committee, FIRST (Forum of Incident Response and Security Teams)

Disclaimer
! The presentation itself, and the views and opinions expressed by the presenter therein, do NOT reflect those of any of his affiliations at all.
! NONE of the affiliations above assumes any legal liability or responsibility for the presentation.
Who am I?
! Shin Adachi, CISSP, CISM, CISA, PMP
  ✴ Team Representative in the Americas for NTT-CERT
  ✴ Co-Chair, FIRST Education Committee
  ✴ FIRST Program Committee, for four consecutive terms of five
  ✴ U.S. NIST Cloud Computing Program Working Groups
  ✴ CloudCERT Working Group, Cloud Security Alliance
  ✤ Spoke at:
    ! FIRST, Liberty Alliance, Kantara Initiative, ITU-T SG 13, APEC TEL eSecurity, and other private meetings and conferences.
  ‣ CISA: Certified Information Systems Auditor (ISACA)
  ‣ CISSP: Certified Information Systems Security Professional (ISC)²
  ‣ CISM: Certified Information Security Manager (ISACA)
  ‣ PMP: Certified Project Management Professional (PMI)

[Slide: excerpt of NIST (Draft) Special Publication 500-293, "US Government Cloud Computing Technology Roadmap, Volume II, Release 1.0 (Draft)", page 80, listing contributors including Shin Adachi (GICTF) and Gabriel Akisanmi (KPMG LLP), with NIST authors Lee Badger, Robert Bohn, Shilong Chu, Mike Hogan, Fang Liu, Viktor Kaufmann, Jian Mao, John Messina, Kevin Mills, Annie Sokol, Jin Tong, Fred Whiteside and Dawn Leaf.]
Source: NIST Special Publication 500-293, NIST Cloud Computing Program, Information Technology Laboratory
[Slide: contributors page of the Kantara Initiative eGovernment Implementation Profile of SAML V2.0.]
Source: http://kantarainitiative.org/confluence/display/eGov/eGovernment+Implementation+Profile+of+SAML+V2.0+-+Contributors
Cuckoo's Egg
[Slide: book cover of "The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage".]
Source: http://www.amazon.com/Cuckoos-Egg-Tracking-Computer-Espionage/dp/1416507787

Cuckoo's Egg
! "....eventually realized that the unauthorized user was a hacker who had acquired root access to the LBL system by exploiting a vulnerability in the movemail function of the original GNU Emacs."
  ‣ "unauthorized user": Authentication breach here
  ‣ "acquired root access": Authorization breach and Privilege escalation here
  ‣ "exploiting a vulnerability in the movemail function": Vulnerability and Exploitation here
Source: Wikipedia: http://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg
Cuckoo's Egg
! Published in 1989
! Story on August 1986
Source: Wikipedia: http://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg

In 2012
! 48% overall
! 55% of Large Organizations
Use of Stolen Credentials

Figure 23: Variety of hacking actions
                          Overall   Small   Large
Use of stolen creds         48%      41%     55%
Use of backdoor or C2       44%      36%     62%
Brute force                 34%      19%     47%
Unknown                      8%       9%      9%
Source: Figure 23 on page 34, Verizon 2013 DATA BREACH INVESTIGATIONS REPORT
Compromised Targets
! 38% overall
! 48% of Small Organizations
Credentials right after Payment Data

Figure 36: Variety of compromised data
                          Overall   Small   Large
Payment                     61%      65%     57%
Credentials                 38%      48%     34%
Internal                    24%      21%     29%
Source: Figure 36 on page 46, Verizon 2013 DATA BREACH INVESTIGATIONS REPORT

How smart are we?
! LinkedIn: 6.5 M?
! eHarmony: 1.5 M?
! Last.fm:
! IEEE: saved passwords in plain text (!?)
Sources:
http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/
http://blogs.wsj.com/cio/2012/06/06/linkedin-password-breach-illustrates-endemic-security-issue/
http://www.eharmony.com/blog/2012/06/06/update-on-compromised-passwords/
http://articles.latimes.com/2012/jun/06/business/la-fi-tn-eharmony-hacked-linkedin-20120606
http://www.last.fm/passwordsecurity
http://ieeelog.com/
Open Data

How about "Open(ed) Data"?
Example #1
[Slide: screenshot.] Source: Wikileaks

Example #2
[Slide: screenshot.] Source: Bloomberg News, Twitter
Example #3
! Total 75 GB data (compressed to 8.2 GB) stolen
! Initial intrusion: August 13, 2012
! Discovered by victim: October 18, 2012
! Total 44 systems compromised
! One (1) system with backdoor malware installed
! Three (3) systems had database backups or files stolen
! One (1) system sent data out for the attacker
! 39 systems accessed by the attacker
! 33 UNIQUE malicious software and utilities

Example #3 (continued)
! 3.8 Million SSNs, none of them encrypted [1]
! In addition, 1.9 Million dependents' [1]
! 700,000+ Business Tax filers' information [1]
! 3.3 Million Bank Account Numbers [1]
! 5,000 "expired" Credit card numbers [1]
! US$12 Million for identity protection services [2]
Source:
[1] http://www.youtube.com/watch?v=7OV6TZHZKqg
[2] http://www.bankinfosecurity.com/stolen-password-led-to-south-carolina-tax-breach-a-5309/op-1
Relying on others

Figure 44: Discovery methods
                               Overall   Small   Large
Unrelated party (Ext)            34%      23%     52%
Fraud detection (Ext)            24%      35%      7%
Customer (Ext)                    9%      10%      7%
Law enforcement (Ext)             8%      14%      1%
Actor disclosure (Ext)            7%       6%      5%
Unknown                           5%       4%      7%
Reported by user (Int)            4%       2%      9%
Financial audit (Int)             3%       2%      1%
NIDS (Int)                        1%       1%      4%
Log review (Int)                  1%       4%      1%
Fraud detection (Int)             1%
HIDS (Int)                        1%
Incident response (Int)           1%
IT audit (Int)                    1%
Monitoring service (Ext)         <1%
(n = 341 / 186 / 102 as printed under the columns; the Small/Large cells of the last five rows could not be recovered from the slide)
Source: Figure 44 on page 54, Verizon 2013 DATA BREACH INVESTIGATIONS REPORT
Lessons we can learn
! Authentication & Authorization as attack targets
  ๏ Regardless of the attack vectors [old, new, or emerging]
  ๏ Important: Identity and Access Management (IAM)
  ๏ Need broad consideration:
    ! Enrollment, Lifecycle, Credential, Key, and Identity Management for authentication; Access control and Attribute management for authorization; Level of identity or authentication assurance; monitoring suspicious behaviors; policy enforcement; Circuit breaker; etc.
! Open(ed) Data, No thank you!
  ๏ Governments as attractive attack targets
    ! Governments have more personal information than others
    ! Poor IAM helps get government resources compromised.

Lessons we can learn
! Communicating with others
  • Expand our capability to learn from those we trust
    ! to share something with them
    ! to learn something from them
    ! to notify, and to be notified appropriately
! Do what we CAN do NOW!
  ! before excuses or something new
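The "monitoring suspicious behaviors" and "Circuit breaker" items above, read against the DBIR figures earlier in the deck (use of stolen credentials and brute force are the top hacking actions, while internal log review discovers only 1% of breaches), suggest one concrete control: review the authentication log for failure bursts and cut a source off before a stolen or guessed password succeeds. The following is an added illustration, not code from the presentation or from any of the presenter's affiliations; the log format, the thresholds and the IP addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the slides): "timestamp user source result".
# Source 203.0.113.7 tries many accounts; 192.0.2.9 hammers one account; 198.51.100.20 is benign.
SAMPLE_LOG = """\
2013-06-13T09:00:01 alice 203.0.113.7 FAIL
2013-06-13T09:00:02 bob 203.0.113.7 FAIL
2013-06-13T09:00:03 carol 203.0.113.7 FAIL
2013-06-13T09:00:04 dave 203.0.113.7 FAIL
2013-06-13T09:00:05 erin 203.0.113.7 FAIL
2013-06-13T09:00:06 frank 203.0.113.7 SUCCESS
2013-06-13T09:01:00 bob 192.0.2.9 FAIL
2013-06-13T09:01:10 bob 192.0.2.9 FAIL
2013-06-13T09:01:20 bob 192.0.2.9 FAIL
2013-06-13T09:01:30 bob 192.0.2.9 FAIL
2013-06-13T09:01:40 bob 192.0.2.9 FAIL
2013-06-13T09:05:00 alice 198.51.100.20 FAIL
2013-06-13T09:05:30 alice 198.51.100.20 SUCCESS
"""

def parse(log_text):
    """Turn each log line into (timestamp, user, source, result)."""
    events = []
    for line in log_text.splitlines():
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return events

def detect(events, window=timedelta(minutes=2), max_fail=5, min_users=3):
    """Return (alerts, tripped_sources). Thresholds are hypothetical, not from the DBIR."""
    fails = defaultdict(list)   # source -> [(ts, user)] failures inside the window
    tripped = set()             # sources the circuit breaker has cut off
    alerts = []
    for ts, user, src, result in sorted(events):
        recent = [(t, u) for t, u in fails[src] if ts - t <= window]
        fails[src] = recent
        if result == "FAIL":
            recent.append((ts, user))
            if len(recent) >= max_fail and src not in tripped:
                # Breaker trips: further attempts from this source should be refused,
                # regardless of whether the password offered is correct.
                tripped.add(src)
                kind = "credential stuffing" if len({u for _, u in recent}) >= min_users else "brute force"
                alerts.append((src, kind))
        elif result == "SUCCESS" and src in tripped:
            # A valid login right after the burst is the "use of stolen creds" pattern.
            alerts.append((src, f"success for {user} after breaker tripped"))
    return alerts, tripped
```

Running `detect(parse(SAMPLE_LOG))` flags the many-account burst as credential stuffing, the single-account burst as brute force, and the login that succeeds after the breaker tripped, while the benign one-failure-then-success sequence stays quiet.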
QUESTIONS?
! Catch me here today.
! Catch me next week at the FIRST Education Committee or the FIRST Annual Conference at the Conrad Hilton Bangkok.

ขอบคุณมาก (Thai: Thank you very much!)
Karen Chang, Chair, BAWG, and all of you here!