Kathleen R. Kimball, MS, CISSP, CISM

Senior Director, Security Operations & Services

Information Technology Services

[email protected]; (814) 863-9533

March 1, 2011

SECURITY 2010

BREACHES AND MALWARE AND PHISH (OH, MY!)

AGENDA

• Security 2010 Globally

• Security 2010 at Penn State (both Negative and Positive)

• Summary

• Questions

WEB-BASED SECURITY THREATS

Penn State is subject to global trends in (in)security…

SOBERING NUMBERS

• From Websense Security Labs 2010 Threat Report:

• A 111.4% increase in the number of malicious Web sites from 2009 to 2010

• 79.9% of malicious Web sites were compromised legitimate sites

• 52% of data-stealing attacks were conducted over the Web

• 84.3% of all e-mail was spam

• Searching the Web for breaking/current news was more likely to cause a compromised computer than searching for “objectionable content”

SOPHOS ANALYSIS

• Sophos Security Threat Report 2011

• Web remains the biggest vehicle for malware

• A high number are legitimate web sites serving malware or hosted malvertisements. Examples:

• Farm Town (game)

• Google sponsored links

• Celebrity Twitter feeds

SYMANTEC…

• Internet Security Threat Report, Volume XV, April 2010

• Of the top attacked vulnerabilities observed in 2009, 4 out of 5 were client-side vulnerabilities that were frequently targeted by web-based attacks

• Most frequent vectors – Internet Explorer and applications that process PDF files

• Crimeware kits developed for sale by the malware code writers. (Zeus kit for as little as $700)

• Inexperienced “bad guys” can buy a kit and produce a custom attack easily

• Over 90,000 unique variants of the Zeus toolkit observed

AND THE VERIZON BUSINESS RISK TEAM…

• 2010 Data Breach Investigations Report (in Cooperation with the US Secret Service), July 2010

• Organized criminal groups were responsible for 85 percent of all stolen data in 2009

• Hacking and malware were responsible for over 95 percent of all data compromised

• 85 percent of attacks are not highly difficult

SECURITY 2010 AT PENN STATE

The local security landscape…

PENN STATE – 2010 EXPERIENCE

• >12,000,000 hostile probes daily, not even counting the latest web-based threats – the older attacks are still there

• 2,525 fully compromised systems detected by the University’s Intrusion Detection architecture

• Up 43% from 2009

• 854 of these were on University wired networks (not Residence Hall, wireless or modem-connected)

• Lowest Budget Unit total – 0 compromises (8 units)

• Highest Budget Unit total – 120 compromises

• 1025 compromised Access accounts detected – a 57% increase from 2009

PENN STATE EXPERIENCE (CONTINUED)

• Copyright infringement is a somewhat different animal, but here are the figures:

• 26 different copyright holders or their representatives reported infringement by Penn State users in 2010

• Growth in Complaints Handled:

• 2008 – 874

• 2009 – 1127

• 2010 – 1459

ON THE POSITIVE SIDE

• Intrusion Detection instance at the border tuned to look specifically for web-based attacks

• ~135,000 packets per second analyzed on average

• ~2.4 Gb per second on average

• ~20,000 – 40,000 alerts daily

• More than 139,000 overtly hostile sites dynamically blocked on an average day

• More than 50 local intrusion detection sensors within units throughout the University, operated on their behalf by Security Operations and Services

• Generic header intrusion detection and correlation pinpoints additional attacks

• 32 TB of header data is about 12 days

• ~39,000,000 lines of logs a day

• 34 compute queues in cluster

WHAT CAN USERS DO?

• Remove sensitive information from computers

• PII – SSNs, Credit Card Numbers, Bank account numbers

• Mortgage statements

• Tax documents

• Personal health records

OTHER: WHAT CAN USERS DO?

• Run in least privilege mode

• 81% of Critical Microsoft vulnerabilities are mitigated by operating without administrator rights.

• Of the total published Microsoft vulnerabilities, 64% are mitigated by removing administrator rights.

BeyondTrust 2010 MS Vulnerability Report

THE BOTTOM LINE

It’s no longer a question of “if” your computer is compromised – it’s a matter of WHEN your computer is compromised. This will cause a re-thinking of how we protect data and systems. Meanwhile the standard guidance still applies:

• Browsing can be dangerous

• Scan and remove PII

• Practice least privilege

• Patch and update Operating System and applications as required when new patches or updates are released

• Use current anti-virus (though only about 30% effective)

• Utilize unit policies

Unfortunate Case Study

A user’s PII scan results show just under 14,000 hits of PII. The user is busy and closes the scanning console anticipating remediation at a later date. SIX times, the same thing continues to occur; the user is busy and closes the console.

Two months later the computer is compromised. Data mining unveils more than 6,000 unique PII instances.
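To make the "scan and remove PII" advice and the scanning console in the case study concrete, here is an added example (not the University's scanning tool) that counts dashed SSNs and Luhn-valid card numbers in a constructed sample document. The regexes, the SSN range rules used to reduce false positives, and the sample text are my assumptions.

```python
import re
from collections import Counter

# Constructed sample standing in for files found on a user's computer
# (hypothetical values; not data from the presentation).
SAMPLE_TEXT = """
Mortgage statement for J. Doe, SSN 219-09-9999, account 4111 1111 1111 1111.
Order ref 1234-5678 (not a card). Test SSN 000-12-3456 is invalid.
Visa on file: 4012888888881881. Loyalty card 1234567812345678 fails Luhn.
"""

# Dashed SSNs only, rejecting area 000/666/9xx, group 00 and serial 0000
# (assumed range rules; a deliberately conservative pattern).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)(\d{3})-(?!00)(\d{2})-(?!0000)(\d{4})\b")
# 13-16 digits with optional spaces or dashes between them.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment cards; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_pii(text: str) -> Counter:
    """Return hit counts per PII category, as a scanning console would report."""
    hits = Counter()
    for _ in SSN_RE.finditer(text):
        hits["ssn"] += 1
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits["credit_card"] += 1
    return hits


if __name__ == "__main__":
    for category, count in scan_for_pii(SAMPLE_TEXT).items():
        print(f"{category}: {count} hit(s)")
```

On a real scan the per-category counts are the cue to remediate (delete, move to approved storage, or redact) rather than to close the console.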

Negative Media Attention

• From an alumnus: “I received a great education at Penn State, but my life could be potentially ruined because of this. I’m very disappointed in Penn State.”

• From the mother of a former student: “How could a school that’s supposed to be as great as Penn State is let this happen?”

• From a one-time student: “So now my Social Security number has been severely compromised by Penn State’s lack of attention to security, and I have to pay the consequences.”

FINANCIAL BURDEN: APPROXIMATE COSTS

Forensic Investigation/Data Mining $3500+

Address Search $500 batch + $.35/record

Notification Services (mailing) $1500+

Research Funding PRICELESS

Reputation PRICELESS

SUMMARY

• Penn State is not immune to the somewhat sorry state of computer and network security globally

• If you browse, you will at some point be compromised. (Expansion of the web-based threat)

• Attacks are expanding quickly in both number and sophistication. Organized crime is a major factor.

• While it may not be enough, users need to do all they can to protect assets and to be aware of the current environment

QUESTIONS??

• Go forth and compute wisely….