Escalating Cyber Security Threat

1
Escalating Cyber Security Threat
Jack Sebbag Canadian VP General Manager January
31st, 2005
2
The Escalating Threat

• Security threats in global business have become
  a board room issue
• The consequences of networkdowntime caused by
  security issues have become financially
  significant

3
Major Business Case is Avoiding Downtime
4

• Todays Malware Count 112195 (Jan 05)

Source McAfees VirusScan statistics
5
Virus Outbreak Count Medium and above
Source A.V.E.R.T
6
The Good old days

• New Virus infects a company
• Sample sent to lab
• New Driver written
• Customer gets fix
• All customer updated
• Maybe virus spreads
• over next weeks/months

7
Today

• Virus infects globally within hours
• Sample sent to lab (30min)
• New Driver written (1hr)
• Customer deploys
• update (hours/days)
• Too late

8
The Speed Of Attacks Accelerates

• SQL Slammer
• Blended threat exploits known vulnerability
• Global in 3 minutes
• Enterprises scramble to restore business
  availability
• Discovered 1/25/03

9
Propagation Explosion
Population Increase
7/17/01 9/18/01 12/04/01 1/25/03 8/11/03
Source IDC 2002
10
Market Drivers
Vulnerability Window
Time needed to deploy counter measures (in hrs)
11
Serious Business Impact

• Bank of America
• 14,000 ATMs down for over a day
• Ford Motor Company
• Many manufacturing facilities off-line, workers
  sent home
• Continental Airlines
• Reservation system taken off-line
• BMW
• Assembly plants impacted
• Air Canada
• Call center and check-in systems infected,
  required manual check-in
• Cisco
• Major internal infection, partners blocking email
  from Cisco.com

12
The Response Increased Security Spending
Source CIO Magazine
13
Shorter Time WindowFrom Patch to First Attack
Apr. 13, 2004 Patch MS00-078
April 30 2004
Sasser
17 Days
Oct. 16, 2003 Patch MS03-026
Aug. 11 2003
MSBlaster
26 Days
Jul. 24, 2002 Patch MS02-039
Jan. 25 2003
Slammer
185 Days
Oct. 17, 2000 Patch MS00-078
Sept. 18 2001
Nimda
336 Days
14
Enter The New Platform For Attack
15
Wireless Networks The Unsecured Frontier

• 930 million current users, 140 million in United
  States (IDC)estimates 1.2 billion smartphones by
  2004
• Wireless devices in business use to grow from 12
  million in 2004 to 39 million in 2006
• 70 percent of wireless networks are not secure -
  New York Times, 3/4/04

16
Get Ready For 1.2 Billion Holes in the Global
Business Network

• Handheld devices
• 15 million to ship in 2002 (ABN AMRO)
• Total by 2004 92 million (ABN AMRO)
• Just becoming powerful enough to do damage
• Smart Phones
• Combination of mobile phone and PDA
• Will hit North America, EMEA and APAC en masse
• By 2004, 1.2B Smart Phones worldwide (IDC)
• Proof of Concept
• Japanese ISP infected, shuts down emergency
  phone systems

17
Example of Mobile virus
18
SPAM threat or nuisance?

• Dramatic rise in spam growth rates
• Aberdeen group survey results
• 40 to 50 of all incoming emails today is spam

19
Why is SPAM growing

• Cost
• Efficiency
• Access to large population via Internet

20
The 5 Costs of Spam

• Users time to read the email productivity
  issues
• Gartner Spam messages cost US organizations 1
  billion a year in lost productivity.
• Bandwidth use
• Data storage space
• Standard Email continues to grow in size.
• Legal and moral related issues
• Already cases in US courts where employees suing
  their employers to keep them in clean safe
  working environment.
• New delivery mechanism for trojans and viruses
  we have already seen Backdoors distributed via
  spam

21
Threats Ahead in 2005 and beyond

• Phishing
• Spyware
• Distributed Denial of Service (DDOS)
• Router worms
• Spit storms

22
Is it Fishing or Phishing??

• Phishing attacks use 'spoofed' e-mails and
  fraudulent websites designed to fool recipients
  into divulging personal financial data such as
  credit card numbers, account usernames and
  passwords, social security numbers, etc. By
  hijacking the trusted brands of well-known banks,
  online retailers and credit card companies,
  phishers are able to convince up to 5 of
  recipients to respond to them.
• Before submitting financial information through a
  Web site, look for the "lock" icon on the
  browser's status bar. It means your information
  is secure during transmission.

23
(No Transcript)
24
(No Transcript)
25
Spyware

• Spyware Covertly gathers user information and
  activity without the user's knowledge. Spy
  software can record your keystrokes as you type
  them, passwords, credit card numbers, sensitive
  information, where you surf, chat logs, and can
  even take random screenshots of your activity.
  Basically whatever you do on the computer is
  completely viewable by the spy. You do not have
  to be connected to the Internet to be spied upon.
• McAfee provides Spyware, Adware, Dialers, Jokes,
  Keyloggers, Password Stealers and other PUP
  detection capabilities in VirusScan 8.0i
• McAfee is providing AntiSpyware Enterprise in
  March 2005 that will enhance this technology to
  provide removal and realtime on access scanning
  to prevent Spyware from targeting a system

26
DDoS attacks Money, Money Money

• Hi tech criminals now
• using Network for extortion.

• Online gambling company
• targeted by extortionists,
• threatening widescale
• DDoS attacks.

27
Future Attack Technologies

• Router worms
• Spit storms

28
Where to start with Security protection?
Data Theft
Viruses
Spyware
Worms
PeerToPeer attacks
Bad Stuff
Adware
External Hacker
Internal Hacker
Spam
Exploits
DoS
User
Phishing
Identity Theft
Mailers
DDoS
Vulnerabilities
29
The Window Of Vulnerability

• A combination of
• The SPEED of attack
• The BLENDED attack mechanism
• The EVOLVING network environment
• Reducing the window of vulnerability
• Proactively reduce the speed of attack
• Proactively reduce the chance of attack success
• Proactively reduce the exposure to attack

30
Detecting the method - The attack life cycle
Proof of concept code posted
Attack written starts
Security issue discovered
Security Fix Posted
Signature Posted
VENDOR
CUSTOMER
CUSTOMER
Attack Vulnerability
Security Vulnerability
Time
Pro-Active
Re-Active
0 Security virus issues Discovered
31
The attack life cycle
Security Behaviour
Attack Behaviour
Traditional AV update
Proof of concept code posted
Attack written starts
Security issue discovered
Security Fix Posted
Signature Posted
VENDOR
CUSTOMER
CUSTOMER
Attack Vulnerability
Security Vulnerability
Time
Pro-Active
Re-Active
0 Security virus issues Discovered
32
Comprehensive AV Strategy
But AV is no longer enough
33
Management McAfee ePO

• One Console For Your Security Needs
• A single, powerful easy to use interface for both
  the
• AV products AND security products

• Policy Enforcement Control
• Like AV, you need to be sure you are secure
• Powerful admin template feature for fast adoption
• Effective Maintenance And Visibility
• ePOs reporting capabilities allow you to see, at
  a glance, who is at risk, and who is secure.

34
Discovery - Rogue System Detection

• Deploy one sensor per subnet
• Sensors passively listen to network broadcasts
  (Layer2 ARP, RARP, DHCP)
• Sensor notifies ePO server of new system
  operating on network
• ePO server determines if this is a known or
  unknown system by comparing ePOs database of
  managed systems.
• ePO alerts or automatically deploys protection

3 New Rogue System Detected !!
ePolicy Orchestrator
35
McAfee Anti-Spyware Enterprise Edition Module

• True corporate/business-grade Anti-Spyware
  technology for Windows-based PCs, that detect and
  remove potentially unwanted program software
  (PUPS) in real-time and tightly integrated with
  the next-generation anti-virus product for
  complete and transparent management of both
  products as a single agent.

Announcement November 15th, 2004 and
General Availability Q1 - 2005
Proactive
Enhanced Coverage
Lowers TCO

• Real-time scanning
• detects Spyware as it is being installed.
• Memory Process Scanning

• Traditional On-Demand scanning and removal.
• Extensive database of Potentially Unwanted
  Programs (PUPS)
• Registry scanning
• Memory process scanning

• Enterprise and SMB Management support
• Automated update capability
• Single Agent integrated with AV
• Complete cleaning

36
Vulnerability Risk Management (Foundstone)

• Security posture no longer an emotion but can now
  be a science
• Identifies policies, assets, threats and risk
• By understanding risk and vulnerabilities, begin
  to identify resources to secure infrastructure.

37
Desktop Firewall

• Traditionally used for remote users to protect
  against hackers
• Required today on all devices as part of your
  anti-virus defence
• Stop malicious code and attacks
• How?
• Only allow your specified traffic on the network
• Firewall prevents undefined applications from
  connecting
• Bi-directional IDS stops malicious code
  spreading
• to other PCs

38
Fighting Spam - SpamKiller

• Rules Based - 750 processed rules that produce a
  weighted score based on view of header, body,
  structure, routing
• Customizable threshold
• Default 5 points
• Heuristic Analysis
• Engine is looking for email it doesnt know is
  SPAM
• Probability scoring based on view of view of
  header, body, checksum, etc.
• Black List / White List
• Personal
• Global
• Content filtering
• Runs e1000 appliance

39
Introducing Intrusion Prevention

• Proactive security
• Accurately detect and block attacks in real-time
• Block attacks before they reach intended targets
• Safety-net offering adequate time to patch end
  systems while managing exposure
• Protection against both known unknown attacks
• Stay a step ahead of the attackers
• Put management back into patch management
• Complements todays reactive security solutions
• Firewall, anti-virus, IDS

40
IntruShield Next Generation IDSIPS
IDS researchers/developers have always envisioned
the RESPONSE capability as an integral part of
intrusion countermeasures Including packet
logging firewall configuration

• Accurate detection and real-time prevention in
  one platform
• Unprecedented Intrusion Intelligence
• Comprehensive integrated protection
• Advanced signature, anomaly, DoS detection
• Scalability and deployment flexibility
• Industrys richest set of deployment modes
• In-line, Tap, SPAN, Port clustering, HA
• Delivers Security Return on Investment (ROI)

41
McAfee Entercept - Host Intrusion Prevention

• Safeguards the entire server including operating
  system, critical resources and applications
• Blocks damage from known and unknown (Day-Zero )
• malicious attacks
• Protects against both the external and internal
  intruder
• Protects against worms and buffer overflow
  exploits
• Eliminates exposure between deployment of patches
• Uses signature and behavior analysis to identify
  and block attacks.
• Minimizes false positives

42
End-Goal - Protection-in-Depth

• Best of Breed Intrusion Prevention to
• Reliably STOP Known Unknown attacks
• on your Information Technology infrastructure

43
Best Practices

• Know your critical assets
• Understand your threats
• Know your protection needs
• Address the cyber threat challenges
  systematically
• Detection coverage vulnerabilities
  environment
• Detection accuracy false positives false
  negatives
• Layered defense with multiple methods
• Complete protection with integrated responses,
  especially inline blocking
• Well-defined policy
• Real enforcement

44
Best practices

• Security cant be treated as a phase.
• Investment as of overall IT spending is
  warranted competitive advantage.
• Its everybodys problem treat issue of security
  as an issue of insurance.
• Practice safe computing.

45
Q A