Kathleen R. Kimball, MS, CISSP, CISM
Senior Director, Security Operations & Services
Information Technology Services
[email protected]; (814) 863-9533
March 1, 2011
SECURITY 2010: BREACHES AND MALWARE AND PHISH (OH, MY!)
AGENDA
• Security 2010 Globally
• Security 2010 at Penn State (both Negative and Positive)
• Summary
• Questions
SOBERING NUMBERS
• From Websense Security Labs 2010 Threat Report:
• A 111.4% increase in the number of malicious Web sites from 2009 to 2010
• 79.9% of malicious Web sites were compromised legitimate sites
• 52% of data-stealing attacks were conducted over the Web
• 84.3% of all e-mail was spam
• Searching the Web for breaking/current news was more likely to cause a compromised computer than searching for “objectionable content”
SOPHOS ANALYSIS
• Sophos Security Threat Report 2011
• Web remains the biggest vehicle for malware
• A high number are legitimate web sites serving malware or hosted malvertisements. Examples:
• Farm Town (game)
• Google sponsored links
• Celebrity Twitter feeds
SYMANTEC…
• Internet Security Threat Report, Volume XV, April 2010
• Of the top attacked vulnerabilities observed in 2009, 4 out of 5 were client-side vulnerabilities, most often exploited through web-based attacks
• Most frequent vectors: Internet Explorer and applications that process PDF files
• Crimeware kits are developed for sale by malware authors (a Zeus kit sells for as little as $700)
• Inexperienced "bad guys" can buy a kit and easily produce a custom attack
• Over 90,000 unique variants of the Zeus toolkit observed
AND THE VERIZON BUSINESS RISK TEAM…
• 2010 Data Breach Investigations Report (in Cooperation with the US Secret Service), July 2010
• Organized criminal groups were responsible for 85 percent of all stolen data in 2009
• Hacking and malware were responsible for over 95 percent of all data compromised
• 85 percent of attacks are not highly difficult
PENN STATE – 2010 EXPERIENCE
• >12,000,000 hostile probes daily, not even counting the latest web-based threats – the older attacks are still there
• 2,525 fully compromised systems detected by the University’s Intrusion Detection architecture
• Up 43% from 2009
• 854 of these were on University wired networks (not Residence Hall, wireless or modem-connected)
• Lowest Budget Unit total – 0 compromises (8 units)
• Highest Budget Unit total – 120 compromises
• 1025 compromised Access accounts detected – a 57% increase from 2009
PENN STATE EXPERIENCE (CONTINUED)
• Copyright infringement is a somewhat different animal, but here are the figures:
• 26 different copyright holders or their representatives reported infringement by Penn State users in 2010
• Growth in Complaints Handled:
• 2008 – 874
• 2009 – 1127
• 2010 – 1459
ON THE POSITIVE SIDE
• Intrusion Detection instance at the border tuned to look specifically for web-based attacks
• ~135,000 packets per second analyzed on average
• ~2.4 Gb per second on average
• ~20,000 – 40,000 alerts daily
• More than 139,000 overtly hostile sites dynamically blocked on an average day
• More than 50 local intrusion detection sensors within units throughout the University, operated on their behalf by Security Operations and Services
• Generic header intrusion detection and correlation pinpoints additional attacks
• 32 TB of header data covers about 12 days
• ~39,000,000 lines of logs a day
• 34 compute queues in the cluster
WHAT CAN USERS DO?
• Remove sensitive information from computers
• PII – SSNs, Credit Card Numbers, Bank account numbers
• Mortgage statements
• Tax documents
• Personal health records
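The "remove sensitive information" step starts with finding it. The following is an added example (it is not Penn State's scanning tool and does not appear in the presentation) of the kind of PII scan the slides refer to: it flags dashed Social Security numbers and 13-16 digit card numbers, then applies the SSA's structural rules and the Luhn check so that most random digit strings are not reported as hits. The sample text, the suppression list containing the well-known "Woolworth" SSN, and the function names are all assumptions made for this example.

```python
"""
Minimal PII scanner: flags candidate U.S. Social Security numbers and payment
card numbers in text, then applies structural checks so that only plausible
values are reported.  Added example; not Penn State's scanning tool.
"""
import re
from pathlib import Path

# Dashed SSN form only: bare 9-digit runs match far too many non-SSN values.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

# Assumed suppression list (illustration only): the widely published
# "Woolworth" sample SSN, which the SSA never issued to anyone.
KNOWN_INVALID_SSNS = {"078-05-1120"}


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued,
    nor are group 00 or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return f"{area}-{group}-{serial}" not in KNOWN_INVALID_SSNS


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for plausible SSNs and card numbers."""
    hits = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", digits))
    return hits


def summarize(hits: list[tuple[str, str]]) -> dict[str, int]:
    """Count unique values per kind (the 'unique PII instances' a data-mining
    step would report after a compromise)."""
    uniq: dict[str, set[str]] = {}
    for kind, value in hits:
        uniq.setdefault(kind, set()).add(value)
    return {kind: len(values) for kind, values in uniq.items()}


def scan_path(root: str, suffixes=(".txt", ".csv")) -> dict[str, list[tuple[str, str]]]:
    """Scan every text-like file under root; returns {path: hits} for files
    that contain at least one plausible PII value."""
    found = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            hits = scan_text(p.read_text(errors="replace"))
            if hits:
                found[str(p)] = hits
    return found


# Constructed sample data (fictional values; the SSN and card number that
# survive the checks are the standard test values, not real identifiers).
SAMPLE = """Employee roster (constructed sample data)
Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111
Test record, SSN 000-12-3456, card 4111 1111 1111 1112
Woolworth sample 078-05-1120; phone 814-555-0100
"""

if __name__ == "__main__":
    for kind, value in scan_text(SAMPLE):
        print(f"{kind}: {value}")
    print(summarize(scan_text(SAMPLE)))
```

Only the structurally valid SSN and the Luhn-valid card number are reported; the 000-area SSN, the Woolworth number, the card number with a bad check digit and the phone number are all dropped. Real scanners add more formats (bank account and routing numbers, health record identifiers) and, as the case study below shows, the scan is only useful if someone acts on the results.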
OTHER: WHAT CAN USERS DO?
• Run in least privilege mode
• 81% of Critical Microsoft vulnerabilities are mitigated by operating without administrator rights.
• Of the total published Microsoft vulnerabilities, 64% are mitigated by removing administrator rights.
BeyondTrust 2010 MS Vulnerability Report
THE BOTTOM LINE
It's no longer a question of "if" your computer is compromised – it's a matter of WHEN your computer is compromised. This will force a re-thinking of how we protect data and systems. Meanwhile the standard guidance still applies:
• Browsing can be dangerous
• Scan for and remove PII
• Practice least privilege
• Patch and update the operating system and applications as soon as new patches or updates are released
• Use current anti-virus (though it is only about 30% effective)
• Follow unit policies
Unfortunate Case Study
A user's PII scan results show just under 14,000 hits of PII. The user is busy and closes the scanning console, intending to remediate later. The same thing happens SIX times: the user is busy and closes the console.
Two months later the computer is compromised. Data mining of the machine reveals more than 6,000 unique PII instances.
Negative Media Attention
• From an alumnus: “I received a great education at Penn State, but my life could be potentially ruined because of this. I’m very disappointed in Penn State.”
• From the mother of a former student: “How could a school that’s supposed to be as great as Penn State is let this happen?”
• From a one-time student: “So now my Social Security number has been severely compromised by Penn State’s lack of attention to security, and I have to pay the consequences.”
FINANCIAL BURDEN: APPROXIMATE COSTS
• Forensic investigation / data mining: $3,500+
• Address search: $500 per batch + $0.35 per record
• Notification services (mailing): $1,500+
• Research funding: PRICELESS
• Reputation: PRICELESS
SUMMARY
• Penn State is not immune to the somewhat sorry state of computer and network security globally
• If you browse, you will at some point be compromised (the web-based threat keeps expanding)
• Attacks are expanding quickly in both number and sophistication. Organized crime is a major factor.
• While it may not be enough, users need to do all they can to protect assets and to be aware of the current environment