Embed Size (px)
Citation preview
Information Security Management Preview and Forecast 2011
Terry Leung
Professional Advisor
11 Jan, 2011
About HKISG
The Hong Kong Information Security Group
(HKISG) is a non-profit organization dedicated to
bringing awareness to the area of information
security.
The group provides the public with an educational
forum, area specific publications and the ability to
interact with information security practitioners.
Morning Agenda
9:30am-10:20am Opening Notes
Security Trends Preview, from Endpoint to the Cloud
Presented by Terry Leung, Professional Advisor,
Hong Kong Information Security Group
10:30am-11:15am Information auditing and compliance
11:25am-12:30pm Cloud Security Concerns & Mobile Security threat Raising in
Enterprises Space
What is good Information Security?
Well-developed information security governance
processes should result in information security
management programs that are scalable with the
business, repeatable across the organization,
measurable, sustainable, defensible, continually
improving, and cost-effective on an ongoing basis.
4
Frame- please cover the following
Top CIO concerns on Information Security
Security Evolution
The Next big Virus
Instant Messaging Security
Cloud Computing Security
Mobility Security
Virtualization Security
Social Networking Security
I.T. Audit and Compliance
The Need For Information Protection
In Person
Online
From
3rd Party
Store Data
Structured
Databases
Unstructured
Data
Electronic
Databases
Backup
Using Data
In
Applications
By
Employees,
Marketers
Shared with
3rd Parties
Archival
or
Disposal
Archive
Destruction
Framework for Data Governance
People Policy Process
Technology
Data Gathering
6
77.9%
77.7%
75.3%
68.5%
67.0%
Pay only for what you use
Easy to deploy to end users
Monthly Billing
Encourages standardhardware
Requires less in-house ITstaff, costs
Security is the common barrier to cloud adoption across services ( SaaS / PaaS / IaaS) with “Cost and Ease of Deployment” as common drivers
Source: IDC Enterprise Panel, 3Q09, n = 263, September 2009 (Scale: 1 = Not at all important
5 = Very Important)
Rate the benefits commonly ascribed to the 'cloud'/on-demand model
88.0%
83.0%
83.0%
81.0%
80.0%
Security
Availability
Performance
On Demand may cost more
Lack of interoperabilitystandards
Rate the challenges/issues of the 'cloud'/on-demand model
Source: IDC Enterprise Panel, 3Q09, n = 263, September 2009
Top 5 Only
Source: IDC (Sep 2009) Cloud Computing 2010, An IDC Update; Forrester (Jan 2010) As IaaS Cloud Adoption Goes Global, Tech Vendors Must Address Local
Concerns
(Scale: 1 = Not at all important
5 = Very Important)
66%
65%
60%
60%
55%
Data protection
Access controls
Network and systemvulnerability management
Service availability
Application security
Base: 1,059 North American and European enterprise and SMB IT decision-makers
50%
43%
38%
30%
25%
Security/Privacy concerns invirtualization or cloud environments
Too immature
We believe our total costs arecheaper
The offering capabilities don't matchour needs
Our application vendor or customapps aren't compatible or won't…
Base: 1,059 North American and European enterprise and SMB IT decision-makers
How concerned is your firm about the following aspects of cloud
computing platforms such as salesforce.com, Amazon Web Services,
or Microsoft Azure?
“Why isn't your firm interested in pay-per-use hosting of virtual servers
(also known as cloud computing)?”
Top 5 Only
7
DRIVERS
BARRIERS BARRIERS
BARRIERS
PaaS IaaS
Cloud Cloud
Security Trends Preview, from Endpoint to the Cloud
Terry Leung, CISSP and CISM
Professional Associate
Hong Kong Information Security Group
11 January 2011
Agenda
1.Introduction of HKISG
2.Review of 2010 Preview
3.The 2011 Security Trends Preview
4.Our suggestions
5.Questions and Answers
Review of 2010 Preview
1.SOCIAL NETWORKS: THE #1 MALWARE SOURCE
2.THIRD‐PARTY PROGRAMS GET PWNED
3.GOVERNMENTS WILL CREATE SECRET ATTACK BOTS
4.SMART PHONES GET HAMMERED
5.DATA LOSS PREVENTION MAKES BIG GAINS
6.WINDOWS 7 SUFFERS CRITICAL ZERO DAY VULNERABILITY
7.CLOUD COMPUTING: HALF HAVEN, HALF STORM
8.SIGNATURE‐ONLY SOLUTIONS CRUMBLE AS MALWARE GOES
BALLISTIC
9.MAC THREATS DOUBLE
10.POISONING THE INFORMATION WELL
#1 – SOCIAL NETWORKS: THE #1
MALWARE SOURCE
•Nielson Online says social networks have become
more popular communication tools than email.
•Social networks by their very nature are gathering
places, which tends to imply increased levels of
trust
•Social networks leverage complex, Web 2.0
technologies that can suffer serious security
vulnerabilities.
#2 – THIRD‐PARTY PROGRAMS
GET PWNED
•OS vendors have fixed most of the obvious flaws
so the code in their popular client applications
•Patch cycle is well‐established – even automatic!
•Expect them to move on to the next layer of
software and target popular third‐party apps in
2010
•Including Adobe Flash, Sun Java, and the
ubiquitous Adobe Reader.
•Not all third‐party software vendors have gotten
the security patch cycle down yet.
#3 – GOVERNMENTS WILL CREATE SECRET ATTACK BOTS •Expect most major governments to secretly build
their own botnets for use in cyber‐warfare against
other countries and malicious entities this year.
•They will build these botnets by sneaking trojans
onto citizens‟ computers!
•Countries like the US, China, Russia, the UK,
France, Israel, and Korea have all been reported to
have instituted cyber warfare programs with the
means to launch cyber attacks.
#4 – Most Popular Smart Phones
Get Attacked
•A smart phone is simply a mobile phone
that has all kinds of extended PC‐like
services
•Many of the smart phones run light
versions of the same operating systems
that we use on our full computers.
•Something you can easily observe when
taking any form of public transit these
days.
#5 – DATA LOSS PREVENTION MAKES BIG GAINS
•2009 were full of high‐profile data breaches that
affected governments, businesses, and schools.
•This will change in 2010 as technologies that
directly protect data
•Things like local hard drive encryption and DLP
(data loss prevention) solutions
•More frequently adopted by SMBs.
#6 – WINDOWS 7 SUFFERS CRITICAL ZERO DAY VULNERABILITY
•Administrators almost uniformly hated Windows
Vista, despite its enhanced security features.
•People have raved about Windows 7 since its
early release candidate was availableven though
Microsoft reversed some of Vista‟s security
capabilities.
#7 – CLOUD COMPUTING: HALF HAVEN, HALF STORM •By now everyone has heard of the power of the
cloud.
•Can you trust cloud vendors to protect your
sensitive data?
•Can we secure virtual environments?
•How can you comply with security and
privaregulations when your sensitive data resides
somewhere in the cloud?
#8 – SIGNATURE‐ONLY SOLUTIONS
CRUMBLE AS MALWARE GOES BALLISTIC
•New malware variants have grown exponentially
over the past three years
•In 2009, PandaLabs identified over 25 million new
malware variants, while they‟d only previously
identified 15 million unique variants during their
entire 20‐year history.
•Combine them with non‐signature solutions if you
want to survive the malware deluge that‟s coming.
#9 – MAC THREATS DOUBLE
•Most Mac fanatics think their platform of choice is
bulletproof against malware.
•in 2009, Apple fixed hundreds of vulnerabilities in
its OS and supporting products
•Apple users began to see increased examples of
Mac malware (like DNSchanger variants).
#10 – POISONING THE INFORMATION WELL •Bad guys have discovered many ways to poison
the results of popular search engines.
•They leverage these SEO (search engine
optimization) techniques to place their malware
links prominently among the results of popular
searches.
The 2011 Security Trends Preview 1.THE CYBERWAR IS ON!
2.“APT” IS ACRONYM OF THE YEAR
3.VOIP ATTACKS BECOME THE NORM
4.PERIMETERS SHRINK AND HARDEN
5.CARS HACKED IN 2011
6.FACEBOOK DANGERS MAKE US NOSTALGIC FOR MALICIOUS .EXE
ATTACHMENTS
7.MANUFACTURER-DELIVERED MALWARE KEEPS GROWING
8.DLP FOR INTELLECTUAL PROPERTY PROTECTION, NOT JUST
COMPLIANCE
9.DETECTION TAKES A FRONT SEAT
10.ONLINE „EXPLOIT STORES‟ DELIVER MALWARE AS A SERVICE (MAAS)
#1 - THE CYBERWAR IS ON!
•Many believe the Stuxnet worm is a perfect
example of a politically-motivated attack
•Likely created by a state-funded team of hackers.
• The amazingly advanced, highly targeted worm
primarily infected Iranian uranium manufacturing
facilities with the sole purpose of quietly disrupting
the uranium enrichment process.
#2 – “APT” IS ACRONYM OF THE YEAR •Heard anyone mention “APT” (advanced
persistent threat) yet?
•Employ techniques the industry hasn‟t become
aware of yet.
•Stay hidden within a victim network or host for a
long period of time
•Have a specific, targeted goal in mind. For
instance, they might be designed to slowly steal
intellectual property from a specific business.
#3 – VOIP ATTACKS BECOME THE NORM •Just in the last few months, VoIP scans
and attacks have increased significantly
•Some of this has to do with the public
availability of VoIP attack tools, such as
SIPVicious.
•Moving forward, brute-force and
directory traversal class attacks against
VoIP servers will be as common as they
previously have been against email
servers.
#4 – PERIMETERS SHRINK AND HARDEN •Many security researchers have rightly
pointed out that our networks have
become more mobile
•It doesn‟t mean that the perimeter
disappears!
•Organizations concentrate their
perimeter security around the assets that
matter most – their data – which means
we will concentrate primary perimeter
defenses around our data centers.
#5 – CARS HACKED IN 2011
•Hackers are always trying to find unexpected ways
to infiltrate computing devices
•Successfully infecting network printers, routers,
and even gaming consoles with malware.
•Cars are no exception.
#6 – FACEBOOK DANGERS MAKE US NOSTALGIC FOR MALICIOUS .EXE ATTACHMENTS
•Remember when email attachments
were the biggest threat we faced?
•One site poses the largest risk of all –
Facebook.
•When you combine Facebook‟s culture
of trust, the many potential technical
security issues (Web 2.0, API, etc), and
its 500 million users, you have a huge
and attractive playground for computer
attackers and social engineers.
#7 – MANUFACTURER-DELIVERED MALWARE KEEPS GROWING
•It used to be you could buy a laptop,
a storage device, or even an
electronic picture frame and expect
the thing to be malware-free. No
more!
•Through 2010, there have been
reports of many popular products
arriving with infections out-of-the-box.
•In some cases, big companies have
even embarrassed themselves by
handing out such infected devices
#8 – DLP FOR INTELLECTUAL PROPERTY PROTECTION, NOT JUST COMPLIANCE
•Many countries are shifting toward creating more
and more digital products rather than
manufacturing physical things.
•Unfortunately, by its very nature, a digital product
is hard to protect.
•It‟s easy to make perfect copies of digital assets.
•New laws and regulations will force more
organizations to implement stronger IP protection
#9 – DETECTION TAKES A FRONT SEAT •When implementing security controls,
most organizations focus more on
protection and prevention than on
detection and analysis technologies.
•Cannot stop malware from entering the
network through a simple user mistake,
or a tiny hole in the security
infrastructure.
•Important to be able to detect and
analyze a threat that has already entered
the network
#10 – ONLINE „EXPLOIT STORES‟ DELIVER MALWARE AS A SERVICE (MAAS)
•Hacking has become more organized and
criminal.
•Hacker underground has already started
releasing pre-packaged, black-market exploit
kits.
•You can already buy web attack kits, pre-
packaged botnets, and ready-to-go malware
from underground websites and forums.
•You can even buy service contracts to get
the latest zero day threats.
Our suggestions
Our suggestions…
•Disconnected if you can..
•If no, to embrace and enjoy the convenience
brought from the technology.
•No perfect thing exist, neither do I!
•Distributed and Centralized are just time-shifting
things.
•Keep updated (both yourself and systems).
Thank You.
