Information Security Management Preview and Forecast 2011

Terry Leung

Professional Advisor

11 Jan, 2011

About HKISG

The Hong Kong Information Security Group

(HKISG) is a non-profit organization dedicated to

bringing awareness to the area of information

security.

The group provides the public with an educational

forum, area specific publications and the ability to

interact with information security practitioners.

Morning Agenda

9:30am-10:20am Opening Notes

Security Trends Preview, from Endpoint to the Cloud

Presented by Terry Leung, Professional Advisor,

Hong Kong Information Security Group

10:30am-11:15am Information auditing and compliance

11:25am-12:30pm Cloud Security Concerns & Mobile Security threat Raising in

Enterprises Space

What is good Information Security?

Well-developed information security governance

processes should result in information security

management programs that are scalable with the

business, repeatable across the organization,

measurable, sustainable, defensible, continually

improving, and cost-effective on an ongoing basis.

4

Frame- please cover the following

Top CIO concerns on Information Security

Security Evolution

The Next big Virus

Instant Messaging Security

Cloud Computing Security

Mobility Security

Virtualization Security

Social Networking Security

I.T. Audit and Compliance

The Need For Information Protection

In Person

Online

From

3rd Party

Store Data

Structured

Databases

Unstructured

Data

Electronic

Databases

Backup

Using Data

In

Applications

By

Employees,

Marketers

Shared with

3rd Parties

Archival

or

Disposal

Archive

Destruction

Framework for Data Governance

People Policy Process

Technology

Data Gathering

6

77.9%

77.7%

75.3%

68.5%

67.0%

Pay only for what you use

Easy to deploy to end users

Monthly Billing

Encourages standardhardware

Requires less in-house ITstaff, costs

Security is the common barrier to cloud adoption across services ( SaaS / PaaS / IaaS) with “Cost and Ease of Deployment” as common drivers

Source: IDC Enterprise Panel, 3Q09, n = 263, September 2009 (Scale: 1 = Not at all important

5 = Very Important)

Rate the benefits commonly ascribed to the 'cloud'/on-demand model

88.0%

83.0%

83.0%

81.0%

80.0%

Security

Availability

Performance

On Demand may cost more

Lack of interoperabilitystandards

Rate the challenges/issues of the 'cloud'/on-demand model

Source: IDC Enterprise Panel, 3Q09, n = 263, September 2009

Top 5 Only

Source: IDC (Sep 2009) Cloud Computing 2010, An IDC Update; Forrester (Jan 2010) As IaaS Cloud Adoption Goes Global, Tech Vendors Must Address Local

Concerns

(Scale: 1 = Not at all important

5 = Very Important)

66%

65%

60%

60%

55%

Data protection

Access controls

Network and systemvulnerability management

Service availability

Application security

Base: 1,059 North American and European enterprise and SMB IT decision-makers

50%

43%

38%

30%

25%

Security/Privacy concerns invirtualization or cloud environments

Too immature

We believe our total costs arecheaper

The offering capabilities don't matchour needs

Our application vendor or customapps aren't compatible or won't…

Base: 1,059 North American and European enterprise and SMB IT decision-makers

How concerned is your firm about the following aspects of cloud

computing platforms such as salesforce.com, Amazon Web Services,

or Microsoft Azure?

“Why isn't your firm interested in pay-per-use hosting of virtual servers

(also known as cloud computing)?”

Top 5 Only

7

DRIVERS

BARRIERS BARRIERS

BARRIERS

PaaS IaaS

Cloud Cloud

Security Trends Preview, from Endpoint to the Cloud

Terry Leung, CISSP and CISM

Professional Associate

Hong Kong Information Security Group

11 January 2011

Agenda

1.Introduction of HKISG

2.Review of 2010 Preview

3.The 2011 Security Trends Preview

4.Our suggestions

5.Questions and Answers

Review of 2010 Preview

1.SOCIAL NETWORKS: THE #1 MALWARE SOURCE

2.THIRD‐PARTY PROGRAMS GET PWNED

3.GOVERNMENTS WILL CREATE SECRET ATTACK BOTS

4.SMART PHONES GET HAMMERED

5.DATA LOSS PREVENTION MAKES BIG GAINS

6.WINDOWS 7 SUFFERS CRITICAL ZERO DAY VULNERABILITY

7.CLOUD COMPUTING: HALF HAVEN, HALF STORM

8.SIGNATURE‐ONLY SOLUTIONS CRUMBLE AS MALWARE GOES

BALLISTIC

9.MAC THREATS DOUBLE

10.POISONING THE INFORMATION WELL

#1 – SOCIAL NETWORKS: THE #1

MALWARE SOURCE

•Nielson Online says social networks have become

more popular communication tools than email.

•Social networks by their very nature are gathering

places, which tends to imply increased levels of

trust

•Social networks leverage complex, Web 2.0

technologies that can suffer serious security

vulnerabilities.

#2 – THIRD‐PARTY PROGRAMS

GET PWNED

•OS vendors have fixed most of the obvious flaws

so the code in their popular client applications

•Patch cycle is well‐established – even automatic!

•Expect them to move on to the next layer of

software and target popular third‐party apps in

2010

•Including Adobe Flash, Sun Java, and the

ubiquitous Adobe Reader.

•Not all third‐party software vendors have gotten

the security patch cycle down yet.

#3 – GOVERNMENTS WILL CREATE SECRET ATTACK BOTS •Expect most major governments to secretly build

their own botnets for use in cyber‐warfare against

other countries and malicious entities this year.

•They will build these botnets by sneaking trojans

onto citizens‟ computers!

•Countries like the US, China, Russia, the UK,

France, Israel, and Korea have all been reported to

have instituted cyber warfare programs with the

means to launch cyber attacks.

#4 – Most Popular Smart Phones

Get Attacked

•A smart phone is simply a mobile phone

that has all kinds of extended PC‐like

services

•Many of the smart phones run light

versions of the same operating systems

that we use on our full computers.

•Something you can easily observe when

taking any form of public transit these

days.

#5 – DATA LOSS PREVENTION MAKES BIG GAINS

•2009 were full of high‐profile data breaches that

affected governments, businesses, and schools.

•This will change in 2010 as technologies that

directly protect data

•Things like local hard drive encryption and DLP

(data loss prevention) solutions

•More frequently adopted by SMBs.

#6 – WINDOWS 7 SUFFERS CRITICAL ZERO DAY VULNERABILITY

•Administrators almost uniformly hated Windows

Vista, despite its enhanced security features.

•People have raved about Windows 7 since its

early release candidate was availableven though

Microsoft reversed some of Vista‟s security

capabilities.

#7 – CLOUD COMPUTING: HALF HAVEN, HALF STORM •By now everyone has heard of the power of the

cloud.

•Can you trust cloud vendors to protect your

sensitive data?

•Can we secure virtual environments?

•How can you comply with security and

privaregulations when your sensitive data resides

somewhere in the cloud?

#8 – SIGNATURE‐ONLY SOLUTIONS

CRUMBLE AS MALWARE GOES BALLISTIC

•New malware variants have grown exponentially

over the past three years

•In 2009, PandaLabs identified over 25 million new

malware variants, while they‟d only previously

identified 15 million unique variants during their

entire 20‐year history.

•Combine them with non‐signature solutions if you

want to survive the malware deluge that‟s coming.

#9 – MAC THREATS DOUBLE

•Most Mac fanatics think their platform of choice is

bulletproof against malware.

•in 2009, Apple fixed hundreds of vulnerabilities in

its OS and supporting products

•Apple users began to see increased examples of

Mac malware (like DNSchanger variants).

#10 – POISONING THE INFORMATION WELL •Bad guys have discovered many ways to poison

the results of popular search engines.

•They leverage these SEO (search engine

optimization) techniques to place their malware

links prominently among the results of popular

searches.

The 2011 Security Trends Preview 1.THE CYBERWAR IS ON!

2.“APT” IS ACRONYM OF THE YEAR

3.VOIP ATTACKS BECOME THE NORM

4.PERIMETERS SHRINK AND HARDEN

5.CARS HACKED IN 2011

6.FACEBOOK DANGERS MAKE US NOSTALGIC FOR MALICIOUS .EXE

ATTACHMENTS

7.MANUFACTURER-DELIVERED MALWARE KEEPS GROWING

8.DLP FOR INTELLECTUAL PROPERTY PROTECTION, NOT JUST

COMPLIANCE

9.DETECTION TAKES A FRONT SEAT

10.ONLINE „EXPLOIT STORES‟ DELIVER MALWARE AS A SERVICE (MAAS)

#1 - THE CYBERWAR IS ON!

•Many believe the Stuxnet worm is a perfect

example of a politically-motivated attack

•Likely created by a state-funded team of hackers.

• The amazingly advanced, highly targeted worm

primarily infected Iranian uranium manufacturing

facilities with the sole purpose of quietly disrupting

the uranium enrichment process.

#2 – “APT” IS ACRONYM OF THE YEAR •Heard anyone mention “APT” (advanced

persistent threat) yet?

•Employ techniques the industry hasn‟t become

aware of yet.

•Stay hidden within a victim network or host for a

long period of time

•Have a specific, targeted goal in mind. For

instance, they might be designed to slowly steal

intellectual property from a specific business.

#3 – VOIP ATTACKS BECOME THE NORM •Just in the last few months, VoIP scans

and attacks have increased significantly

•Some of this has to do with the public

availability of VoIP attack tools, such as

SIPVicious.

•Moving forward, brute-force and

directory traversal class attacks against

VoIP servers will be as common as they

previously have been against email

servers.

#4 – PERIMETERS SHRINK AND HARDEN •Many security researchers have rightly

pointed out that our networks have

become more mobile

•It doesn‟t mean that the perimeter

disappears!

•Organizations concentrate their

perimeter security around the assets that

matter most – their data – which means

we will concentrate primary perimeter

defenses around our data centers.

#5 – CARS HACKED IN 2011

•Hackers are always trying to find unexpected ways

to infiltrate computing devices

•Successfully infecting network printers, routers,

and even gaming consoles with malware.

•Cars are no exception.

#6 – FACEBOOK DANGERS MAKE US NOSTALGIC FOR MALICIOUS .EXE ATTACHMENTS

•Remember when email attachments

were the biggest threat we faced?

•One site poses the largest risk of all –

Facebook.

•When you combine Facebook‟s culture

of trust, the many potential technical

security issues (Web 2.0, API, etc), and

its 500 million users, you have a huge

and attractive playground for computer

attackers and social engineers.

#7 – MANUFACTURER-DELIVERED MALWARE KEEPS GROWING

•It used to be you could buy a laptop,

a storage device, or even an

electronic picture frame and expect

the thing to be malware-free. No

more!

•Through 2010, there have been

reports of many popular products

arriving with infections out-of-the-box.

•In some cases, big companies have

even embarrassed themselves by

handing out such infected devices

#8 – DLP FOR INTELLECTUAL PROPERTY PROTECTION, NOT JUST COMPLIANCE

•Many countries are shifting toward creating more

and more digital products rather than

manufacturing physical things.

•Unfortunately, by its very nature, a digital product

is hard to protect.

•It‟s easy to make perfect copies of digital assets.

•New laws and regulations will force more

organizations to implement stronger IP protection

#9 – DETECTION TAKES A FRONT SEAT •When implementing security controls,

most organizations focus more on

protection and prevention than on

detection and analysis technologies.

•Cannot stop malware from entering the

network through a simple user mistake,

or a tiny hole in the security

infrastructure.

•Important to be able to detect and

analyze a threat that has already entered

the network

#10 – ONLINE „EXPLOIT STORES‟ DELIVER MALWARE AS A SERVICE (MAAS)

•Hacking has become more organized and

criminal.

•Hacker underground has already started

releasing pre-packaged, black-market exploit

kits.

•You can already buy web attack kits, pre-

packaged botnets, and ready-to-go malware

from underground websites and forums.

•You can even buy service contracts to get

the latest zero day threats.

Our suggestions

Our suggestions…

•Disconnected if you can..

•If no, to embrace and enjoy the convenience

brought from the technology.

•No perfect thing exist, neither do I!

•Distributed and Centralized are just time-shifting

things.

•Keep updated (both yourself and systems).

Thank You.