<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>Securebuzz.ca</title>
	
	<link>http://securebuzz.ca</link>
	<description>Cutting thru the FUD surrounding security-privacy-continuity</description>
	<lastBuildDate>Wed, 15 May 2013 01:33:27 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/Securebuzzca" /><feedburner:info uri="securebuzzca" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item>
		<title>Are you stuck in the Castle Wall Syndrome?</title>
		<link>http://feedproxy.google.com/~r/Securebuzzca/~3/wu14KYMn2Lg/</link>
		<comments>http://securebuzz.ca/2013/05/are-you-stuck-in-the-castle-wall-syndrome-772/#comments</comments>
		<pubDate>Wed, 15 May 2013 01:30:17 +0000</pubDate>
		<dc:creator>Dave Chappelle</dc:creator>
				<category><![CDATA[Home]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[defense]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[software]]></category>

		<guid isPermaLink="false">http://securebuzz.ca/?p=772</guid>
		<description><![CDATA[Among his many tasks, Derrick Webber, Penetration Testing and Forensics Team Lead at CGI, conducts vulnerability assessments and penetration testing for medium to large businesses. His team demonstrates for the GRC types how attacks work, and how hackers really hack. “They’re not breaking thru firewalls any more,” he said. “The main method is at the desktop. That’s how RSA happened – get a foothold on the desktop, eventually find an asset, and go out thru the firewall with it.” Webber sees most IT staffers still defending themselves against attacks from 15 years ago. He calls it “The castle wall syndrome”&#8230; keep the bad guys out. “That’s how they’re getting owned. I do a simple website spoofing where I clone the authentication page of a website, get the user’s credentials, and send them to an attacker’s page.” The user thinks they made a mistake and re-enter credentials, this time at the attacker’s site. “Then I create a Trojan that will bypass the current AV on the victim’s desktop, the network IPS, and get the user to play along. Tetris is one of my favorites.” He sends a phishing email that says, “Hey, remember this game from way back when?” Meanwhile the [...]]]></description>
				<content:encoded><![CDATA[<p>Among his many tasks, <a href="http://ca.linkedin.com/in/drwebber" target="_blank">Derrick Webber,</a> Penetration Testing and Forensics Team Lead at CGI, conducts vulnerability assessments and penetration testing for medium to large businesses.</p>
<div id="attachment_771" class="wp-caption alignright" style="width: 280px"><a href="http://securebuzz.ca/2013/05/are-you-stuck-in-the-castle-wall-syndrome-772/derrick-webber-cgi/" rel="attachment wp-att-771"><img class="size-full wp-image-771" alt="Derrick Webber, CGI" src="http://securebuzz.ca/wp-content/uploads/2013/05/Derrick-Webber-CGI.jpg" width="270" height="234" /></a><p class="wp-caption-text">Derrick Webber, CGI</p></div>
<p>His team demonstrates for the <a href="http://searchfinancialsecurity.techtarget.com/definition/Governance-Risk-and-Compliance" target="_blank">GRC types </a>how attacks work, and how hackers really hack.</p>
<p>“They’re not breaking thru firewalls any more,” he said. “The main method is at the desktop. That’s how RSA happened – get a foothold on the desktop, eventually find an asset, and go out thru the firewall with it.”</p>
<p>Webber sees most IT staffers still defending themselves against attacks from 15 years ago. He calls it “The castle wall syndrome”&#8230; keep the bad guys out.</p>
<p>“That’s how they’re getting owned. I do a simple website spoofing where I clone the authentication page of a website, get the user’s credentials, and send them to an attacker’s page.”</p>
<p>The user thinks they made a mistake and re-enters their credentials, this time at the attacker’s site.</p>
<p>“Then I create a Trojan that will bypass the current AV on the victim’s desktop, the network IPS, and get the user to play along. Tetris is one of my favorites.”</p>
<p>He sends a phishing email that says, “Hey, remember this game from way back when?” Meanwhile the Trojan accesses their files, captures their tokens and anything else of interest.</p>
<p>Once the Trojan is on the workstation the attack is from the inside out. And few organizations protect against these types of attacks.</p>
<p>“Whatever preventive attacks you’re protecting against, you also need to detect attacks,” Webber said. “No matter how good your preventive controls are, the malware will get in. And you have to be watching. Like protecting your house takes a combination of locks and alarms.”</p>
<p>The biggest missing item from most IT security lists is a response plan. Once attacked, what is your response plan?</p>
<p>“Usually they raise the drawbridge and cut off Internet, or do too little,” said Webber. “That’s why we’re seeing organizations move to virtual desktops – once disconnected they think they’re safe. Not always.”</p>
<p>At <a href="http://congress.scmagazine.com/page.cfm/link=10" target="_blank">SC Congress Toronto </a>Webber will deliver a talk aimed at non-technical folks.</p>
<p>“I throw a lot of statistics at them, including the <a href="https://www.websense.com/content/websense-2013-threat-report.aspx" target="_blank">Websense report that said 85% of sites have bad stuff on them</a>.</p>
<p>The whole idea of blacklisting sites is no longer effective. When I spoke in Victoria, half of the audience were shocked and had no idea. The other half was very mad at me, because I was contradicting what they’d been telling their management.”</p>
<p>From what he sees in North America, Canadian companies are very lax compared to American companies. That goes along with what other security pros have said&#8230; “former CSIS operative” <a href="http://cnews.canoe.ca/CNEWS/Politics/2011/11/29/19036481.html" target="_blank">Ron Myles in 2011</a> and <a href="http://www.jaydeconsulting.com/corporate-espionage-silently-rampant-canada" target="_blank">Ray Boisvert,</a> former CSIS assistant director, who also <a href="http://www.huffingtonpost.ca/2012/11/16/cyber-attack-canada-threat-csis_n_2146574.html" target="_blank">warned about the impact last year:</a></p>
<p>“They’re getting pilfered – industrial espionage, competitors&#8230; I present ideas on how to prevent or reduce and then detect them,” Webber said.</p>
<p>And he makes a final plea to get an incident response plan in place. Know what to do&#8230; with a nod towards the Managed Security offering CGI has in place, with IDS, firewalls, and more.</p>
<p>“Bruce Schneier said for the details, it’s a fire department skill set, and very few can afford to maintain a fire department,” said Webber. “To maintain the level of expertise necessary to know what’s going on isn’t cost-effective.”</p>
<p>For organizations the trick is to find the right outsourcer.</p>
<p>“I tested another firm last year, starting off very light,” Webber said. “By the end of the day I was doing completely overt attacks. Their managed security service saw nothing. So either somebody wasn’t doing their job, or something was turned off that day. There are good and bad, as with everything. So when you select a managed security provider, use the old slogan&#8230; Trust, but verify.”</p>
]]></content:encoded>
			<wfw:commentRss>http://securebuzz.ca/2013/05/are-you-stuck-in-the-castle-wall-syndrome-772/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://securebuzz.ca/2013/05/are-you-stuck-in-the-castle-wall-syndrome-772/</feedburner:origLink></item>
		<item>
		<title>Software-defined networking = application security</title>
		<link>http://feedproxy.google.com/~r/Securebuzzca/~3/2Nh3QvRY5Bk/</link>
		<comments>http://securebuzz.ca/2013/05/software-defined-networking-application-security-761/#comments</comments>
		<pubDate>Tue, 07 May 2013 01:39:31 +0000</pubDate>
		<dc:creator>Dave Chappelle</dc:creator>
				<category><![CDATA[Endpoint]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[analyze]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[software]]></category>

		<guid isPermaLink="false">http://securebuzz.ca/?p=761</guid>
		<description><![CDATA[While it’s important to find flaws, there’s a lot more to securing your network than buying vendor product A and slapping it in place. You need control over security, not artificially inserted products at different layers. “You have to provide application security,” said Kurt Roemer, Chief Security Strategist at Citrix. “When we’re talking to customers, there are trends they’re trying to prepare for. One of course is mobility. While mobility is great for productivity, and it makes people happy, what can we do to get your hands around it?” The opposite side is cloud. Senior management wants to avoid expensive investments, and want to know if they can rent the stuff in the cloud and save money. Meanwhile IT is saying, “Wait a second&#8230; we’ve been doing this for years&#8230; why is everybody running away from us to save a couple of bucks?” Roemer calls it software-defined networking. “While you’re out there protecting applications in the cloud, why do you need network security? That used to be the job of discrete products. These solutions are evolving out of the data center and taking IT security into different applications.” Segmented IT departments don’t work any longer. So you have a firewall [...]]]></description>
				<content:encoded><![CDATA[<p>While it’s important to find flaws, there’s a lot more to securing your network than buying vendor product A and slapping it in place.</p>
<div id="attachment_762" class="wp-caption alignright" style="width: 280px"><a href="http://securebuzz.ca/2013/05/software-defined-networking-application-security-761/kurt-roemer-citrix/" rel="attachment wp-att-762"><img class="size-full wp-image-762" alt="Kurt Roemer, Citrix" src="http://securebuzz.ca/wp-content/uploads/2013/05/Kurt-Roemer-Citrix.jpg" width="270" height="365" /></a><p class="wp-caption-text">Kurt Roemer, Citrix</p></div>
<p>You need control over security, not artificially inserted products at different layers.</p>
<p>“You have to provide application security,” said Kurt Roemer, Chief Security Strategist at Citrix. “When we’re talking to customers, there are trends they’re trying to prepare for. One of course is mobility. While mobility is great for productivity, and it makes people happy, what can we do to get your hands around it?”</p>
<p>The opposite side is cloud. Senior management wants to avoid expensive investments, and want to know if they can rent the stuff in the cloud and save money.</p>
<p>Meanwhile IT is saying, “Wait a second&#8230; we’ve been doing this for years&#8230; why is everybody running away from us to save a couple of bucks?”</p>
<p>Roemer calls it software-defined networking.</p>
<p>“While you’re out there protecting applications in the cloud, why do you need network security? That used to be the job of discrete products. These solutions are evolving out of the data center and taking IT security into different applications.”</p>
<p>Segmented IT departments don’t work any longer. So you have a firewall person who says, “Hey, I’ve got the best firewall rules on the planet. Sorry you got a virus, but it wasn’t my issue.”</p>
<p>“Phishing, smishing, targeted attacks, blended threats&#8230; at the end of the day it comes down to whether or not you’ve been compromised,” Roemer said. “We need to ensure those attackers are not successful in their compromises. You want to make sure, as the applications are being set up, there are some natural points of control and natural policy people can use.”</p>
<p>He sees the need for IT to automate security for end users.</p>
<p>“We’ve put people in a bad position because of bad policies that expect users to make security decisions, like accepting an outdated certificate simply so they can continue working. We need to automate that so people can always do the right thing.”</p>
<p>Citrix and Palo Alto recently did <a href="http://securebuzz.ca/2013/04/security-is-both-social-and-technical-739/" target="_blank">seminars with Kevin Mitnick</a>, showing that security needs to be a blended approach.</p>
<p>“It’s pretty neat what he’s been thru, where he’s been able to take it, and how he’s helping people advance security,” Roemer said. “He helps people see where to focus, versus where they have been focusing over the years.”</p>
<p>Citrix has its <a href="http://www.citrix.com/products/netscaler-application-delivery-controller/overview.html" target="_blank">NetScaler service delivery platform</a>, which does Application Delivery Control (ADC), has a web application firewall, and brings DDoS mitigation. It also has the ability for <a href="http://www.paloaltonetworks.com/" target="_blank">Palo Alto</a> to plug in, implying the solution exceeds those of only one vendor.</p>
<p>“Look at it from an application perspective,” Roemer said. “Tune optimization, performance, and security, as well as the customers themselves. Some need all security features turned on. Others may have an application that requires some things off, perhaps sending data into logs so they can see, or send attackers into a honey pot where they can watch. Everything is too critical these days to leave open, so we need to ensure security is fine-tuned as much as possible.”</p>
<p>Palo Alto’s firewall includes <a href="http://www.paloaltonetworks.com/solutions/WildFire.html" target="_blank">WildFire AV</a>, a solution designed to look at new code, executable files, and other things that contain code. “It’s intended to say, ‘Seen this before and it’s ok’ or ‘Haven’t seen this before, let’s look at it’.” It’s supposed to ensure you don’t need an AV client on every endpoint, and you can still be protected against viruses.</p>
<p>“We use Palo Alto for the intelligence into the back end apps and intelligence into these various endpoints, keeping the Kevins of the world always confused,” said Roemer. “We work with the line of business application owner. Of course IT is important to establishing security, however it’s the business that determines what security needs to be in place, and they’re responsible for it. There have been times when we’ve gone in to meet customers, and they’ve been introducing themselves to each other, because the teams haven’t met. It’s great to see everybody work to pull together a next gen solution.”</p>
]]></content:encoded>
			<wfw:commentRss>http://securebuzz.ca/2013/05/software-defined-networking-application-security-761/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://securebuzz.ca/2013/05/software-defined-networking-application-security-761/</feedburner:origLink></item>
		<item>
		<title>Two areas in which attacks remain persistent</title>
		<link>http://feedproxy.google.com/~r/Securebuzzca/~3/kxjOlftPNRM/</link>
		<comments>http://securebuzz.ca/2013/05/two-areas-in-which-attacks-remain-persistent-757/#comments</comments>
		<pubDate>Thu, 02 May 2013 11:56:20 +0000</pubDate>
		<dc:creator>Dave Chappelle</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[analyze]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[defense]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[vector]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://securebuzz.ca/?p=757</guid>
		<description><![CDATA[Prevalent attitude is that two particular areas of security threat will remain persistent in 2013. That opinion is based on answers from the Symantec 2012 Internet Security Threat Report. Those two areas are&#8230; ·    Targeted attacks ·    Mobile “With all the malware increases we think the monetization will remain stagnant, until we change the way we’re using mobile phones,” said Symantec researcher, Vikram Thakur. “For mobile customers we saw a 58% increase in mobile malware compared to 2011. We’re only tracking malware families; we’re not talking about individual pieces. There are a small group of malware authors, who might decide to inject malicious code into one app or 1,000. We’re looking at one piece of malicious code as a family.” What are the driving forces behind mobile malware? It has nothing to do with vulnerabilities of a specific platform. ·    In 2012 Apple OS found and patched 387 vulnerabilities. ·    There was 1 threat. ·    Google found and patched 13 vulnerabilities in Android. ·    There were 103 different threats There is definitely no correlation between number of found vulnerabilities and number of threats. The number of threats depends on three things&#8230; 1. Market share the phone has. Android is the [...]]]></description>
				<content:encoded><![CDATA[<p>Prevalent attitude is that two particular areas of security threat will remain persistent in 2013. That opinion is based on answers from the Symantec 2012 Internet Security Threat Report.</p>
<div id="attachment_407" class="wp-caption alignright" style="width: 253px"><a href="http://securebuzz.ca/2012/09/three-year-examination-of-a-group-carrying-out-watering-hole-attacks-408/vikram-thakur-symantec/" rel="attachment wp-att-407"><img class="size-full wp-image-407" alt="Vikram Thakur, Symantec" src="http://securebuzz.ca/wp-content/uploads/2012/09/Vikram-Thakur-Symantec.jpg" width="243" height="322" /></a><p class="wp-caption-text">Vikram Thakur, Symantec</p></div>
<p>Those two areas are&#8230;<br />
·    Targeted attacks<br />
·    Mobile</p>
<p>“With all the malware increases we think the monetization will remain stagnant, until we change the way we’re using mobile phones,” said Symantec researcher, Vikram Thakur.</p>
<p>“For mobile customers we saw a 58% increase in mobile malware compared to 2011. We’re only tracking malware families; we’re not talking about individual pieces. There is a small group of malware authors, who might decide to inject malicious code into one app or 1,000. We’re looking at one piece of malicious code as a family.”</p>
<p>What are the driving forces behind mobile malware?<br />
It has nothing to do with vulnerabilities of a specific platform.</p>
<p>·    In 2012 Apple OS found and patched 387 vulnerabilities.<br />
·    There was 1 threat.</p>
<p>·    Google found and patched 13 vulnerabilities in Android.<br />
·    There were 103 different threats</p>
<p>There is definitely no correlation between number of found vulnerabilities and number of threats.</p>
<p>The number of threats depends on three things&#8230;<br />
1. Market share the phone has. Android is the leader in the space.<br />
2. Openness of the platform&#8230; how easy is it to write code for the Android? It’s extremely easy.<br />
3. Android supports multiple sources of applications. You can download them from anywhere.</p>
<p>These three factors make writing malware for the Android platform much more lucrative.</p>
<p>What is this malware doing?<br />
·    32% of malware is stealing information&#8230; <a href="http://www.imei.info/" target="_blank">IMEI number</a>, addresses, or other information.<br />
·    15% was tracking users&#8230; stealing GPS information and sending it to a third party site.</p>
<p>“Nobody wants their data stolen,” Thakur said. “Tracking hits harder in the consumer space than enterprise, because most people don’t want to be spied upon.”</p>
<p>Privacy and data protection are the two most important factors of concern, as well as a reason for enterprises to focus their attentions on controlling those devices.</p>
<p>·    8% are what Symantec termed Annoyance Apps, representing malware authors’ experiments on how far they can go and how much they can steal</p>
<p>“For example one app claimed to change the phone screen into a solar panel, telling users they could recharge their phones by exposing the screen to sunlight,” said Thakur. “It even had a little bar showing the amount of charging.”</p>
<p>·    Targeted Attacks are up 42% since 2011</p>
<p>“We are seeing supplemented attacking techniques&#8230; no longer merely targeted emails&#8230; we’re also seeing waterhole attacks. We think that’ll increase in 2013.”</p>
<p>One watering hole attack infected 500 different domains in less than 24 hours. That is hard for any spear phishing campaign to beat.</p>
<p>Even though the absolute number of attacks is up, who is being targeted?</p>
<p>·    50% of attacks are targeting organizations of 2500 or more employees.<br />
·    31% of targeted attacks were aimed at companies with fewer than 250 employees. That’s up from 18% in 2011</p>
<p>Small companies are not beyond the possibility of attack. Small companies have fewer IT and information security resources, which makes them lucrative targets.</p>
<p>Small companies are also serving other large enterprises in some form – consultants, manufacturers, financial, firms with large business clients.</p>
<p>“Botmasters probe small firms to find small pieces of info that lead to the larger picture,” Thakur said. “I doubt that will become the majority of attacks, however it has jumped 13% in one year.”</p>
<p>Which industry is being attacked?<br />
·    Manufacturing got 24% of all targeted attacks.<br />
·    Finance, insurance, real estate 19%<br />
·    Services – consulting 17%<br />
·    Government is down at 12%</p>
<p>Better protecting assets is the name of the game.</p>
<p>“We found 120 new Mac malware families,” said Thakur. “That doesn’t seem like much, however we found 26 in 2011. We haven’t reached the point at which malware authors find it lucrative to attack Macs. They still prefer the PC platform, because of the number of users.</p>
<p>“For example, <a href="http://support.apple.com/kb/ht5244" target="_blank">Flashback</a> infected well over half a million computers. Macs aren’t immune to malware. It’s only that malware authors don’t pay attention.”</p>
<p>·    Only 2.5 % of threats found on Macs are Mac malware.<br />
·    Most infected Macs examined had malware written for the PC platform 97.5% of the time.<br />
·    Only 2.5% of the time are Mac threats found on Macs.</p>
<p>Mac users get infected when they browse a drive-by website aimed at PCs, or open an infected email with PC malware in it.</p>
]]></content:encoded>
			<wfw:commentRss>http://securebuzz.ca/2013/05/two-areas-in-which-attacks-remain-persistent-757/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://securebuzz.ca/2013/05/two-areas-in-which-attacks-remain-persistent-757/</feedburner:origLink></item>
		<item>
		<title>Developing security minded software developers</title>
		<link>http://feedproxy.google.com/~r/Securebuzzca/~3/ODaqSHJQOzA/</link>
		<comments>http://securebuzz.ca/2013/04/developing-security-minded-software-developers-749/#comments</comments>
		<pubDate>Tue, 30 Apr 2013 00:54:52 +0000</pubDate>
		<dc:creator>Dave Chappelle</dc:creator>
				<category><![CDATA[Home]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[defense]]></category>
		<category><![CDATA[developer]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[software]]></category>

		<guid isPermaLink="false">http://securebuzz.ca/?p=749</guid>
		<description><![CDATA[While the roots of the Adobe software security program were planted officially in Macromedia in 2004, after 30 years in business Adobe knows the path towards software security starts with a hiree. That person determines what process makes sense, and what steps are to be taken. Pretty much any big company that develops software tinkers with the steps necessary to secure its products. Microsoft has its Secure Development Lifecycle and Adobe has its Secure Product Lifecycle. “We don’t have ‘a black and white, ‘thou shalt do this no exceptions’ process,” said Brad Arkin, senior director of product security and privacy at Adobe. “It’s understood it’s a process of give and take, to work with the product team to map the abilities. We don’t give them a free pass&#8230; we acknowledge that certain Adobe products are at greater risk than others. We spend time assessing the risk level, and based on that we might spend more time on certain activities.” When the team is building anything that is very popular and will be an attractive target for the bad guys, then much more thought goes into planning. The team determines the risk profile – low, medium, high, very high – and [...]]]></description>
				<content:encoded><![CDATA[<p>While the roots of the <a href="http://www.adobe.com/security/splc/" target="_blank">Adobe software security program</a> were planted officially in Macromedia in 2004, after 30 years in business Adobe knows the path towards software security starts with a hiree. That person determines what process makes sense, and what steps are to be taken.</p>
<div id="attachment_350" class="wp-caption alignright" style="width: 280px"><a href="http://securebuzz.ca/2013/04/developing-security-minded-software-developers-749/brad-akin-adobe-2/" rel="attachment wp-att-350"><img class="size-full wp-image-350" alt="Brad Arkin, Adobe" src="http://securebuzz.ca/wp-content/uploads/2012/08/Brad-Akin-Adobe.png" width="270" height="318" /></a><p class="wp-caption-text">Brad Arkin, Adobe</p></div>
<p>Pretty much any big company that develops software tinkers with the steps necessary to secure its products. Microsoft has its Secure Development Lifecycle and Adobe has its Secure Product Lifecycle.</p>
<p>“We don’t have a black and white, ‘thou shalt do this, no exceptions’ process,” said Brad Arkin, senior director of product security and privacy at Adobe.</p>
<p>“It’s understood it’s a process of give and take, to work with the product team to map the abilities. We don’t give them a free pass&#8230; we acknowledge that certain Adobe products are at greater risk than others. We spend time assessing the risk level, and based on that we might spend more time on certain activities.”</p>
<p>When the team is building anything that is very popular and will be an attractive target for the bad guys, then much more thought goes into planning.</p>
<p>The team determines the risk profile – low, medium, high, very high – and works with the management team to ensure a minimum threshold of security IQ. Usually the teams want to do the assessment, because they want to learn, and security is a sexy topic.</p>
<p>“We have a belt model of security for the code writing and testing members – at the bottom layer is white belt,” Arkin said. “And we want everyone in the company to have a white belt. Next is the green belt, which takes twice the work as a white belt. We want at least one person per area to have a green belt, and sometimes a greater percentage, depending on the project.”</p>
<p>The training is CBT (computer-based training), with 8 or 10 hours of study followed by a quiz on each module&#8230; white takes 10 hours, green requires another 8.</p>
<p>The brown belt is project based, similar to a Masters thesis. It takes at least six months, and there are few brown belts, so it means something to get one.</p>
<p>“We have a party, and sometimes award a 3ft x 5ft certificate and make them carry it around,” said Arkin. “A black belt we want to take at least two years. There aren’t very many. Achieving that goes right at the top of the resume, and it’s something to be proud of. The training tells us we’ve got a security-savvy, educated team. The more secure the product, the more security knowledge the team has.”</p>
]]></content:encoded>
			<wfw:commentRss>http://securebuzz.ca/2013/04/developing-security-minded-software-developers-749/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://securebuzz.ca/2013/04/developing-security-minded-software-developers-749/</feedburner:origLink></item>
		<item>
		<title>Four questions keep Canadian security pros from sleeping soundly</title>
		<link>http://feedproxy.google.com/~r/Securebuzzca/~3/00nqVhqslwE/</link>
		<comments>http://securebuzz.ca/2013/04/four-questions-keep-canadian-security-pros-from-sleeping-soundly-746/#comments</comments>
		<pubDate>Wed, 24 Apr 2013 02:25:15 +0000</pubDate>
		<dc:creator>Dave Chappelle</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[User]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[defense]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[vector]]></category>

		<guid isPermaLink="false">http://securebuzz.ca/?p=746</guid>
		<description><![CDATA[Dr. Walid Hejazi, professor of Business Economics, Rotman School of Management began a study commissioned by TELUS five years ago. 1. The one big question that started every round table and one-on-one sessions with Canadian security professionals is, “What keeps you up at night?” The answer is, “Has my organization been breached and I don’t know about it?” A surprising number were not confident they’d detect a breach if it occurred. As a subplot – every organization that brags it hasn’t been breached, has been breached. The classic example is Nortel, which was warned, and yet had been breached for 11 years. Hindsight is 20/20 “You wonder about this false sense of security&#8230;  doesn’t mean they haven’t been breached,” said Hejazi. “The CEO of one of Canada’s largest private sector organizations told senior management, ‘We are going to be breached in the next 18 months, so get over it now’. “Hackers make relations online, getting access to information. Your company’s ability to make profits over a competitor is information. By accessing your systems hackers get access to it. Then they deploy it against you in the market, lowering your profits and success. Yet you won’t know.” Hackers know if they [...]]]></description>
				<content:encoded><![CDATA[<p>Dr. Walid Hejazi, professor of Business Economics, <a href="http://www.rotman.utoronto.ca/" target="_blank">Rotman School of Management</a> began a study commissioned by <a href="http://www.rotman.utoronto.ca/" target="_blank">TELUS</a> five years ago.</p>
<p>1. The one big question that started every round table and one-on-one session with Canadian security professionals is, “What keeps you up at night?”</p>
<div id="attachment_703" class="wp-caption alignright" style="width: 280px"><a href="http://securebuzz.ca/2013/03/are-you-a-yes-organization-or-a-no-organization-704/walid-hejazi-rotman/" rel="attachment wp-att-703"><img class="size-full wp-image-703" alt="Walid Hejazi, Rotman School of Business" src="http://securebuzz.ca/wp-content/uploads/2013/03/Walid-Hejazi-Rotman.jpg" width="270" height="308" /></a><p class="wp-caption-text">Walid Hejazi, Rotman School of Business</p></div>
<p>The answer is, “Has my organization been breached and I don’t know about it?”</p>
<p>A surprising number were not confident they’d detect a breach if it occurred.</p>
<p>As a subplot – every organization that brags it hasn’t been breached has been breached. The classic example is Nortel, which was warned, and yet had been breached for 11 years. Hindsight is 20/20.</p>
<p>“You wonder about this false sense of security&#8230; doesn’t mean they haven’t been breached,” said Hejazi. “The CEO of one of Canada’s largest private sector organizations told senior management, ‘We are going to be breached in the next 18 months, so get over it now’.</p>
<p>“Hackers make relations online, getting access to information. Your company’s ability to make profits over a competitor is information. By accessing your systems hackers get access to it. Then they deploy it against you in the market, lowering your profits and success. Yet you won’t know.”</p>
<p>Hackers know that if they deploy that information in a particular way, you’ll know. It’s similar to World War 2, when the UK had broken the German radio codes. Those running the war had to allow thousands of civilians to be killed; otherwise the Germans would have known their codes had been broken. That’s what happened at Nortel.</p>
<p>“People, processes, technologies – you can have the best of two, and yet be one click away from a breach,” said Hejazi. “Keep employees informed. Breaches can be malicious or unintended. Training is very important.”</p>
<p>2. How does a breach impact my brand?<br />
CIOs confided their second greatest fear is, “Tomorrow morning I wake up to my CEO’s name in the papers because of a breach.” The fear is greatest in information-sensitive organizations&#8230; those that need customers and partners to turn over information to facilitate transactions.</p>
<p>“The value of loyalty programs is substantially from confidence,” Hejazi said. “Customers lose confidence in an organization’s ability to protect their information, and people stop using and opting in to these loyalty programs when that happens.”</p>
<p>3. What are employees doing with my data?<br />
Managers are concerned about where data resides. The survey team heard stories about companies that had banned the use of public cloud.</p>
<p>Senior management found out employees were ignoring the decree, and said, “When we say no to employees, they do it anyway, because they want to get their jobs done. If security is inconvenient they’ll circumvent it.”</p>
<p>People are the weakest link. So you want to make security convenient, and explain why it’s in place.</p>
<p>4. Your ability to retain security resources.<br />
“We saw in the past a real salary gap between government and private sector,” said Hejazi. “This is a fast growing industry, with growth in salaries, and people leaving for jobs in the private sector.”</p>
<p>Managers say, “We train people to where they understand our security environment and then they leave, so we have to start all over again.”</p>
]]></content:encoded>
			<wfw:commentRss>http://securebuzz.ca/2013/04/four-questions-keep-canadian-security-pros-from-sleeping-soundly-746/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://securebuzz.ca/2013/04/four-questions-keep-canadian-security-pros-from-sleeping-soundly-746/</feedburner:origLink></item>
		<item>
		<title>Security is both social and technical</title>
		<link>http://feedproxy.google.com/~r/Securebuzzca/~3/ZDUSxqnESic/</link>
		<comments>http://securebuzz.ca/2013/04/security-is-both-social-and-technical-739/#comments</comments>
		<pubDate>Thu, 18 Apr 2013 17:52:21 +0000</pubDate>
		<dc:creator>Dave Chappelle</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[User]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[defense]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[training]]></category>
		<category><![CDATA[vector]]></category>

		<guid isPermaLink="false">http://securebuzz.ca/?p=739</guid>
		<description><![CDATA[While he was speaking on a 10-city tour for Citrix and Palo Alto Security, Securebuzz had the pleasure of speaking with Kevin Mitnick on the human factor of security. “Security is both social and technical, because social engineering is what an attacker uses to get the target to comply with the request,” he said. “Then the technical side is used to exploit it. My job was to educate the delegates about the human factor, which is usually the weakest link.” He discussed attacks over the telephone, attacks using email, and other types of attacks we’re seeing today. Internet-facing applications are popular targets, because attackers are breaking in via client-side vulnerabilities, such as getting a user to open a booby-trapped file. “You can have a poorly developed application that faces the Internet,” said Mitnick. “The most successful attackers manipulate humans and network.” Adobe has been a major target, because so many people use the software on their desktops. The Java applet is another favorite. I use a Publisher name that looks like it’s speaking to the security of the applet. In his demonstrations Mitnick displayed a website to his audience, and asked them to tell what they saw wrong. “I spoke [...]]]></description>
				<content:encoded><![CDATA[<p>While he was speaking on a 10-city tour for <a href="http://www.citrix.com/" target="_blank">Citrix</a> and <a href="http://www.paloaltonetworks.com/" target="_blank">Palo Alto Security</a>, Securebuzz had the pleasure of speaking with <a href="http://www.knowbe4.com/products/who-is-kevin-mitnick/" target="_blank">Kevin Mitnick</a> on the human factor of security.</p>
<div id="attachment_738" class="wp-caption alignright" style="width: 222px"><a href="http://securebuzz.ca/2013/04/security-is-both-social-and-technical-739/kevin-mitnick/" rel="attachment wp-att-738"><img class="size-full wp-image-738" alt="Kevin Mitnick" src="http://securebuzz.ca/wp-content/uploads/2013/04/Kevin-Mitnick.jpg" width="212" height="238" /></a><p class="wp-caption-text">Kevin Mitnick</p></div>
<p>“Security is both social and technical, because social engineering is what an attacker uses to get the target to comply with the request,” he said. “Then the technical side is used to exploit it. My job was to educate the delegates about the human factor, which is usually the weakest link.”</p>
<p>He discussed attacks over the telephone, attacks using email, and other types of attacks we’re seeing today.</p>
<p>Internet-facing applications are popular targets, because attackers are breaking in via client-side vulnerabilities, such as getting a user to open a booby-trapped file.</p>
<p>“You can have a poorly developed application that faces the Internet,” said Mitnick. “The most successful attackers manipulate humans and network.”</p>
<p>Adobe has been a major target, because so many people use the software on their desktops. The Java applet is another favorite. I use a Publisher name that looks like it’s speaking to the security of the applet.</p>
<p>In his demonstrations Mitnick displayed a website to his audience, and asked them to tell what they saw wrong.</p>
<p>“I spoke to security professionals in 10 cities, and only in three were people able to tell me what was wrong,” he said. “Many guessed at the wrong thing, or picked on tiny things. And these guys are all security professionals. Imagine if regular users were shown this.”</p>
<p>For what it’s worth, when Mitnick demonstrated the page to Securebuzz – which we promised not to publish, as he still uses it in his presentations – we didn’t find the problem.</p>
<p>We can tell you it’s another useful and successful social engineering attack, which can easily contain a booby trap for unsuspecting users.</p>
<p>These days he focuses on security awareness training for users.</p>
<p>How do you resolve social engineering attacks?</p>
<p>“The best way is to use technology to ensure that even when a user follows the attacker’s directions, the attack still doesn’t work. I open up docs in Google cloud&#8230; so my machine can’t get exploited. Or if you’re running Adobe 11, an infected PDF file won’t work.”</p>
<p>The second method is further education and training.</p>
<p>“If something works, people forget or they’re not interested. When it doesn’t work, then it’s an IT problem. If a user opens a malicious file and his laptop stops working, he gives it to IT, because they don’t have any self-interest.”</p>
<p>Since humans are the weakest link in the security-technology chain, Mitnick has helped develop user technology training at <a href="http://www.knowbe4.com/" target="_blank">Knowbe4</a>.</p>
<p>“Inoculation is the newer method that I think is extremely valuable,” Mitnick said. “We’re doing mock social engineering attacks against the user base. From time to time we test, so it doesn’t lower employee morale. That way you can target users who fall for the attacks for further training. When they’re told they screwed up, they become more aware.”</p>
<p>Mock spear phishing attacks inoculate users against real attacks by training them not to act on every request. Yet some attacks can still be very convincing.</p>
<p>“If an attacker has done a lot of research and reconnaissance they can still forge an email that looks like it’s authentic, and that contains a malicious hyperlink,” said Mitnick. “Because it appears to have come from a trusted source, users click on it.”</p>
]]></content:encoded>
			<wfw:commentRss>http://securebuzz.ca/2013/04/security-is-both-social-and-technical-739/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://securebuzz.ca/2013/04/security-is-both-social-and-technical-739/</feedburner:origLink></item>
		<item>
		<title>A Third reason why you must treat wireless like a WAN</title>
		<link>http://feedproxy.google.com/~r/Securebuzzca/~3/Sq2MqZxHfm0/</link>
		<comments>http://securebuzz.ca/2013/04/a-third-reason-why-you-must-treat-wireless-like-a-wan-726/#comments</comments>
		<pubDate>Tue, 09 Apr 2013 23:34:43 +0000</pubDate>
		<dc:creator>Dave Chappelle</dc:creator>
				<category><![CDATA[Endpoint]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[User]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[defense]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[user]]></category>
		<category><![CDATA[wireless]]></category>

		<guid isPermaLink="false">http://securebuzz.ca/?p=726</guid>
		<description><![CDATA[Read Reasons 1 and 2 here The third factor changing network security is User Licenses. Many times firewall vendors sell according to number of users&#8230; if you have 10 users the cost is x and if 50 users, the cost is y. “Today if you do that, all of a sudden you can be in for a rude surprise,” said Fortinet senior product manager Kevin Flynn. “For example, right after Christmas break universities see a huge boom in the number of users on the network, which poses a problem if you’re doing a per-user license.” People use these devices differently. They’re an adjunct to the PC. And the percentage of traffic generated by these devices as it pertains to network security is dramatically changing. That’s why IT must start treating it like a WAN. “Over the course of the next couple of years this is going to dramatically change network infrastructure and security,” said Flynn. “History is repeating itself. Again. Which is why network security has to be part of your BYOD strategy. It’s not just on the client.” According to UN Telecom Agency Report, the world has almost as many cell phone subscriptions as inhabitants. China alone has 1 [...]]]></description>
				<content:encoded><![CDATA[<p><a href="http://securebuzz.ca/2013/02/three-reasons-why-you-must-treat-wireless-like-a-wan-part-1-674/" target="_blank">Read Reasons 1 and 2 here</a></p>
<p>The third factor changing network security is user licensing. Firewall vendors often sell according to the number of users&#8230; if you have 10 users the cost is x, and if you have 50 users the cost is y.</p>
<div id="attachment_673" class="wp-caption alignright" style="width: 294px"><a href="http://securebuzz.ca/2013/02/three-reasons-why-you-must-treat-wireless-like-a-wan-part-1-674/kevin-flynn-fortinet/" rel="attachment wp-att-673"><img class="size-full wp-image-673" alt="Kevin Flynn, Fortinet" src="http://securebuzz.ca/wp-content/uploads/2013/02/Kevin-Flynn-Fortinet.jpg" width="284" height="230" /></a><p class="wp-caption-text">Kevin Flynn, Fortinet</p></div>
<p>“Today if you do that, all of a sudden you can be in for a rude surprise,” said <a href="http://www.fortinet.com/" target="_blank">Fortinet</a> senior product manager Kevin Flynn. “For example, right after Christmas break universities see a huge boom in the number of users on the network, which poses a problem if you’re doing a per-user license.”</p>
<p>People use mobile devices differently; they’re an adjunct to the PC. And the share of traffic these devices generate, which network security has to inspect, is changing dramatically. That’s why IT must start treating wireless like a WAN.</p>
<p>“Over the course of the next couple of years this is going to dramatically change network infrastructure and security,” said Flynn. “History is repeating itself. Again. Which is why network security has to be part of your BYOD strategy. It’s not just on the client.”</p>
<p>According to a UN telecom agency report, <a href="http://www.fonearena.com/blog/56276/un-telecom-agency-reports-6-billion-cell-phone-subscribers-around-the-world.html" target="_blank">the world has almost as many cell phone subscriptions as inhabitants</a>. China alone has 1 billion subscriptions. From a car, a smartphone or a coffee shop, the traffic still arrives as small packets that need to be inspected. These are both wide and local area issues.</p>
<p>“How are you going to integrate wireless into your security infrastructure?” asked Flynn. “<a href="http://www.fortinet.com/products/fortigate/index.html" target="_blank">Our performance </a>doesn’t degrade when examining large or small packets, and we don’t use per user licenses.”</p>
<p>Flynn’s 86-year-old mother now uses an iPad to speak with her grandchildren. That means the assisted living center has WiFi, which it would not have had three or four years ago.</p>
<p>“And that means doctors walking in there want WiFi access for patient information,” he said. “Connectivity and security of the network is not only for the nice little old ladies. This phenomenon will require organizations to ask about their security and network infrastructure, because of the traffic – packets, connections, and licensing.”</p>
]]></content:encoded>
			<wfw:commentRss>http://securebuzz.ca/2013/04/a-third-reason-why-you-must-treat-wireless-like-a-wan-726/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://securebuzz.ca/2013/04/a-third-reason-why-you-must-treat-wireless-like-a-wan-726/</feedburner:origLink></item>
		<item>
		<title>Recovering data out of a SharePoint database</title>
		<link>http://feedproxy.google.com/~r/Securebuzzca/~3/AipxZo6zgZE/</link>
		<comments>http://securebuzz.ca/2013/04/recovering-data-out-of-a-sharepoint-database-721/#comments</comments>
		<pubDate>Tue, 09 Apr 2013 01:10:34 +0000</pubDate>
		<dc:creator>Dave Chappelle</dc:creator>
				<category><![CDATA[Continuity]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[backup]]></category>
		<category><![CDATA[SharePoint]]></category>
		<category><![CDATA[virtualization]]></category>
		<category><![CDATA[VM]]></category>

		<guid isPermaLink="false">http://securebuzz.ca/?p=721</guid>
		<description><![CDATA[Known for backing up virtual machines, Veeam has expanded features of its VM backup software to backing up and recovering data in SharePoint. “Once we have the backups we have the image,” said Doug Hazelman, VP Products, Veeam. “We’ve always had fast file recovery, and we introduced Explorer for Exchange last year.” Expanding capability into SharePoint is a logical step for the firm. The new capability will be included in the new version of Veeam Backup Free Edition and in Veeam Backup &#38; Replication v7 (B&#38;R v7) when they become generally available in Q3 2013. “When set up correctly, SharePoint is a great document repository, for sharing information, and it has become ubiquitous among companies large and small,” Hazelman said. “Our new Veeam Explorer for Microsoft SharePoint allows us to take that VM backup of the database and find the database file, browse it, let it find the SharePoint items, and recover them.” Veeam offers three versions of its software – Free, Standard, and Enterprise. SharePoint Explorer is included as a feature across all versions, including the free version. Typically there will be certain functionality available in various versions. To get full functionality requires the Enterprise edition, which isn’t targeted [...]]]></description>
				<content:encoded><![CDATA[<p>Known for backing up virtual machines, <a href="http://www.veeam.com/" target="_blank">Veeam</a> has expanded features of its VM backup software to backing up and recovering data in SharePoint.</p>
<div id="attachment_357" class="wp-caption alignright" style="width: 250px"><a href="http://securebuzz.ca/2013/04/recovering-data-out-of-a-sharepoint-database-721/doug_hazelman-veeam/" rel="attachment wp-att-357"><img class="size-full wp-image-357" alt="Doug Hazelman, Veeam" src="http://securebuzz.ca/wp-content/uploads/2012/08/Doug_Hazelman-Veeam.jpg" width="240" height="326" /></a><p class="wp-caption-text">Doug Hazelman, Veeam</p></div>
<p>“Once we have the backups we have the image,” said Doug Hazelman, VP Products, Veeam. “We’ve always had fast file recovery, and we introduced Explorer for Exchange last year.”</p>
<p>Expanding capability into SharePoint is a logical step for the firm. The new capability will be included in the new version of Veeam Backup Free Edition and in Veeam Backup &amp; Replication v7 (B&amp;R v7) when they become generally available in Q3 2013.</p>
<p>“When set up correctly, SharePoint is a great document repository, for sharing information, and it has become ubiquitous among companies large and small,” Hazelman said. “Our new Veeam Explorer for Microsoft SharePoint allows us to take that VM backup of the database and find the database file, browse it, let it find the SharePoint items, and recover them.”</p>
<p>Veeam offers three versions of its software – Free, Standard, and Enterprise. SharePoint Explorer is included as a feature across all versions, including the free version.</p>
<p>Typically, certain functionality is available only in certain versions. Full functionality requires the Enterprise edition, which isn’t targeted at any particular size of company&#8230; it’s about the features.</p>
<p>“We try to keep things simple,” said Hazelman. “It’s not a difficult decision to decide which version you want. The SMB version is quite a significant savings if you only have from one to three hosts. We only offer that pricing up to six sockets. After that it goes to unlimited.”</p>
]]></content:encoded>
			<wfw:commentRss>http://securebuzz.ca/2013/04/recovering-data-out-of-a-sharepoint-database-721/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://securebuzz.ca/2013/04/recovering-data-out-of-a-sharepoint-database-721/</feedburner:origLink></item>
		<item>
		<title>Security from civil liabilities and contractual penalties</title>
		<link>http://feedproxy.google.com/~r/Securebuzzca/~3/ELYDlD_fVSk/</link>
		<comments>http://securebuzz.ca/2013/04/security-from-civil-liabilities-and-contractual-penalties-715/#comments</comments>
		<pubDate>Wed, 03 Apr 2013 02:11:28 +0000</pubDate>
		<dc:creator>Dave Chappelle</dc:creator>
				<category><![CDATA[Continuity]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[backup]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[continuity]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://securebuzz.ca/?p=715</guid>
		<description><![CDATA[Gary Hirst, National Director of Burns &#38; Wilcox Canada, spoke with Securebuzz on the benefit of cyber security insurance for businesses. “The relevance of cyber insurance today has really been highlighted in the last month or so with a couple of companies that were hacked – Apple being one of them,” he said. “We always viewed Apple as an invincible company, and one of their selling points is their systems don’t attract bugs or other attacks.” Canadians being naturally cautious, Canadian corporations in particular are aware of the potential liabilities of a breach. “We give our name, address, and date of birth to loyalty card issuers, who gather an enormous amount of information on our purchasing habits,” said Hirst. “Data protection laws infiltrate a lot of different companies. We also have a situation I’ve been a victim of – credit card duplication.” In Europe and the USA a restaurant server takes your card to a central station. In Canada the server brings a wireless card reader to your table. Cyber insurance isn’t going to stop fraud and theft&#8230; it protects corporations that hold customer data. Cyber insurance is useful in covering civil liabilities and contractual penalties when a corporation is hacked. [...]]]></description>
				<content:encoded><![CDATA[<p>Gary Hirst, National Director of <a href="http://www.burnsandwilcox.ca/" target="_blank">Burns &amp; Wilcox Canada</a>, spoke with Securebuzz on the benefit of cyber security insurance for businesses.</p>
<div id="attachment_714" class="wp-caption alignright" style="width: 280px"><a href="http://securebuzz.ca/2013/04/security-from-civil-liabilities-and-contractual-penalties-715/gary-hirst-bandw/" rel="attachment wp-att-714"><img class="size-full wp-image-714" alt="Gary Hirst, Burns &amp; Wilcox" src="http://securebuzz.ca/wp-content/uploads/2013/04/Gary-Hirst-BandW.jpg" width="270" height="378" /></a><p class="wp-caption-text">Gary Hirst, Burns &amp; Wilcox</p></div>
<p>“The relevance of cyber insurance today has really been highlighted in the last month or so with a couple of companies that were hacked – Apple being one of them,” he said. “We always viewed Apple as an invincible company, and one of their selling points is their systems don’t attract bugs or other attacks.”</p>
<p>Canadians being naturally cautious, Canadian corporations in particular are aware of the potential liabilities of a breach.</p>
<p>“We give our name, address, and date of birth to loyalty card issuers, who gather an enormous amount of information on our purchasing habits,” said Hirst. “Data protection laws infiltrate a lot of different companies. We also have a situation I’ve been a victim of – credit card duplication.”</p>
<p>In Europe and the USA a restaurant server takes your card to a central station. In Canada the server brings a wireless card reader to your table.</p>
<p>Cyber insurance isn’t going to stop fraud and theft&#8230; it protects corporations that hold customer data.</p>
<p>Cyber insurance is useful in covering civil liabilities and contractual penalties when a corporation is hacked. If a firm is suddenly hacked and cannot produce statistical information required by law, insurance is there.</p>
<p>“It requires utmost good faith, and recognizes that companies holding this data recognize they are guardians of the data,” said Hirst. “Of course hacking is an illegal process, and you may unwittingly find yourself in a situation in which you’re financially exposed, while having to patch the holes left by criminal hackers. All of these can fundamentally undermine the financial ability of a company.”</p>
<p>There’s a PR problem as well – you’ve suffered a breach and all of a sudden members of the public think there is a problem in your company, when in fact you were hacked by the hacker king and there was nothing you could have done to prevent it. Coverage is sympathetic towards that exposure.</p>
<p>The policy doesn’t say, “We’ll cover your PR disaster.” There is the financial consequence of a customer cancelling a contract due to a virus attack or a hack. However, it recognizes the potential PR impact.</p>
<p>“It’s really cheap coverage, and something a corporation should be buying,” said Hirst. “If a director is trying to save a few dollars by not buying cyber insurance, there are liability costs, and your fiduciary duty of sitting on a board of directors is brought into question. The relatively small premiums that these policies cost are part of the risk management these directors ought to be aware of when they sit on a board.”</p>
<p>There are many variables in cyber insurance, and when one compares the cost of cyber to the cost of insuring your computer system or your factory or office building, it’s a small percentage when compared to actual physical damage insurance premiums.</p>
<p>Variables are&#8230;<br />
1. The occupation of the corporation.<br />
If you are a bank or corporation that provides backup, you’re going to have a greater exposure than the restaurant down the road with handheld card readers, or the garden center with a loyalty program.</p>
<p>2. The depth of security.<br />
Financial institutions, data backup firms, and telephone companies spend a great deal of money on data security.</p>
<p>3. Revenue.<br />
If you earn millions versus a bank that earns billions, the price is a reflection of the revenue produced.</p>
<p>4. Incident or loss rate.<br />
Even at companies that are good at data protection, losses occur. Despite the commonly held opinion, insurance companies like to pay claims.</p>
<p>“If you had an incident of sustained cyber attack and you’ve managed to repel the boarders so to speak, that’s great PR, because it tells the insurer you have a very robust defense mechanism,” said Hirst.</p>
<p>5. Size of corporation.<br />
If your company is small, insure for a maximum of a million dollars. If you’re a financial institution, you need tens of millions of dollars.</p>
<p>If you’re still unsure about buying cyber insurance, watch this <a href="http://bit.ly/XGKxkE" target="_blank">video, in which Burns and Wilcox VP David Derigiotis outlines some criteria</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://securebuzz.ca/2013/04/security-from-civil-liabilities-and-contractual-penalties-715/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://securebuzz.ca/2013/04/security-from-civil-liabilities-and-contractual-penalties-715/</feedburner:origLink></item>
		<item>
		<title>Your password is dead… long live two-factor authentication</title>
		<link>http://feedproxy.google.com/~r/Securebuzzca/~3/TKzP45OQu0c/</link>
		<comments>http://securebuzz.ca/2013/04/your-password-is-dead-long-live-two-factor-authentication-709/#comments</comments>
		<pubDate>Tue, 02 Apr 2013 01:16:40 +0000</pubDate>
		<dc:creator>Dave Chappelle</dc:creator>
				<category><![CDATA[Network]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[User]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[password]]></category>

		<guid isPermaLink="false">http://securebuzz.ca/?p=709</guid>
		<description><![CDATA[During a cross-country road show to outline technology predictions for 2013, Securebuzz spoke with Duncan Stewart, Director of Deloitte Canada Research in the areas of Technology, Media &#38; Telecommunications (TMT), Life Sciences and GreenTech. “Despite all the things we read about computers with high-end graphics cards that brute force eight-character passwords, cracking them in 5.5 hours, “password”, “monkey”, and “banana” are still popular,” he said. “For heaven’s sakes start using longer and stronger passwords.” When your password has a capital at the beginning and is built from common words, you have shrunk the 94 possible characters per position to a much smaller subset, making it easy to crack. From the Deloitte report&#8230; An eight-character password chosen from all 94 characters available on a standard keyboard is one of 6.1 quadrillion (6,095,689,385,410,816) possible combinations. It would take about a year for a relatively fast 2011 desktop computer to try every variation. Even gaining access to a credit card would not be worth the computing time. Human behavior and changes in technology have combined to weaken formerly strong passwords. Humans struggle to remember more than seven numbers. Over time the average person can remember only five. Adding letters, cases, and odd symbols makes remembering multiple characters even [...]]]></description>
				<content:encoded><![CDATA[<p>During a <a href="http://www.deloitte.com/view/en_CA/ca/industries/tmt/tmt-predictions-2013/index.htm?src=caen_home_tp" target="_blank">cross-country road show</a> to outline technology predictions for 2013, Securebuzz spoke with Duncan Stewart, Director of Deloitte Canada Research in the areas of <a href="http://www.deloitte.com/view/en_CA/ca/industries/tmt/index.htm" target="_blank">Technology, Media &amp; Telecommunications (TMT), Life Sciences and GreenTech</a>.</p>
<div id="attachment_592" class="wp-caption alignright" style="width: 253px"><a href="http://securebuzz.ca/2013/01/pc-is-not-dead-especially-if-youre-young-594/stewart_duncan_deloitte/" rel="attachment wp-att-592"><img class="size-full wp-image-592" alt="Duncan Stewart, Deloitte" src="http://securebuzz.ca/wp-content/uploads/2013/01/Stewart_Duncan_Deloitte.jpg" width="243" height="254" /></a><p class="wp-caption-text">Duncan Stewart, Deloitte</p></div>
<p>“Despite all the things we read about computers with high-end graphics cards that brute force eight-character passwords, cracking them in 5.5 hours, “password”, “monkey”, and “banana” are still popular,” he said. “For heaven’s sakes start using longer and stronger passwords.”</p>
<p>When your password has a capital at the beginning and is built from common words, you have shrunk the 94 possible characters per position to a much smaller subset, making it easy to crack.</p>
<p>From the Deloitte report&#8230;<br />
<em>An eight-character password chosen from all 94 characters available on a standard keyboard is one of 6.1 quadrillion (6,095,689,385,410,816) possible combinations. It would take about a year for a relatively fast 2011 desktop computer to try every variation. Even gaining access to a credit card would not be worth the computing time.</em></p>
<p>Human behavior and changes in technology have combined to weaken formerly strong passwords.</p>
<p>Humans struggle to remember more than seven numbers. Over time the average person can remember only five. Adding letters, cases, and odd symbols makes remembering multiple characters even more challenging.</p>
<p>So users employ memory association tricks, generating passwords that reference words and names from experience. That typically places a capital letter at the beginning of the password and numbers at the end.</p>
<p>From the Deloitte report&#8230;<br />
<em>Although a keyboard has 32 different symbols, humans generally only use half-a-dozen in passwords because they have trouble distinguishing between many of them. These tricks and tendencies combine to make passwords less random, and therefore weaker.</em><br />
<em>In a recent study of six million actual user-generated passwords, the 10,000 most common passwords would have accessed 98.1 percent of all accounts. Non-random distribution allows hackers to create a file, or “dictionary,” of common password words and phrases, and symbolic variations, making cracking an account thousands or millions of times easier.</em></p>
<p>What’s the alternative to passwords?</p>
<p>Multi-factor authentication – such as debit card and PIN – is coming. Deloitte believes the most common will be an additional password provided through your cell phone. Dropbox is already using it.</p>
<p>“The problem with cellphone is what if you’re on your cellphone?” Stewart asked. “You might easily take out your credit card and do a tap and go. That’s not perfect, because people can steal your credit card.”</p>
<p>Workable biometric authentication remains elusive.</p>
<p>“We think the second factor is important,” Stewart said. “Face recognition is subject to changing lighting levels and facial hair. Perhaps it’s measuring the distance between eyebrows and jaw line, which aren’t as easily changeable. They can be faked, of course.”</p>
<p>As always, layering security to make unauthorized access harder is still the best policy. Having a keyed deadbolt lock on your door isn’t going to stop a burglar, but it will slow one down. If you do that, you’re more secure than without it.</p>
]]></content:encoded>
			<wfw:commentRss>http://securebuzz.ca/2013/04/your-password-is-dead-long-live-two-factor-authentication-709/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://securebuzz.ca/2013/04/your-password-is-dead-long-live-two-factor-authentication-709/</feedburner:origLink></item>
	</channel>
</rss>
