
What remains? What are (really) new?
June 13, 2013

Shin Adachi, CISSP, CISM, CISA, PMP
Co-Chair, Education Committee, FIRST (Forum of Incident Response and Security Teams)

Lead Security Analyst, NTT I³ (NTT Innovation Institute, Inc.)

Disclaimer

! The presentation itself, and the views and opinions expressed by the presenter therein, do NOT reflect those of any of his affiliations at all.

! NONE of the affiliations above assumes any legal liability or responsibility for the presentation.


Who am I?

! Shin Adachi, CISSP, CISM, CISA, PMP

✴ Team Representative in the Americas for NTT-CERT
✴ Co-Chair, FIRST Education Committee
✴ FIRST Program Committee, for four consecutive terms of five
✴ U.S. NIST Cloud Computing Program Working Groups
✴ CloudCERT Working Group, Cloud Security Alliance

✤ Spoke at:

! FIRST, Liberty Alliance, Kantara Initiative, ITU-T SG 13, APEC TEL eSecurity, and other private meetings and conferences.

‣ CISSP: Certified Information Systems Security Professional (ISC)²
‣ CISM: Certified Information Security Manager (ISACA)
‣ CISA: Certified Information Systems Auditor (ISACA)
‣ PMP: Certified Project Management Professional (PMI)


Special Publication 500-293 (Draft)
US Government Cloud Computing Technology Roadmap
Volume II Release 1.0 (Draft)
Useful Information for Cloud Adopters

Lee Badger, Robert Bohn, Shilong Chu, Mike Hogan, Fang Liu, Viktor Kaufmann, Jian Mao, John Messina, Kevin Mills, Annie Sokol, Jin Tong, Fred Whiteside and Dawn Leaf

NIST Cloud Computing Program, Information Technology Laboratory

NIST US Government Cloud Computing Technology Roadmap, Release 1.0 (Draft), November 2011, page 80:

Interagency, Academic, Standards Organizations, and Industry Contributors Shin Adachi, GICTF- Global Inter-Cloud Technology Forum, NTT DATA Agilent, L.L.C. Gabriel Akisanmi, KPMG LLP Leslie Anderson, Raytheon Company Gary Ardito, NetIQ Scott Armstrong, Symantec Corporation Kapil Bakshi, Cisco Systems Inc. Jeffrey S. Bardin, Treadstone 71 Utica College Roger Bass, Traxian, OASIS Bill Becker, SafeNet, Inc. Bhavesh C. Bhagat, Cloud Security Alliance DC, ConfidentGovernance.com, EnCrisp LLC Corey Bidne, USDA Michael Binko, kloudtrack, Software and Information Industry Association Dr. Alan H. Blair, Defense Engineering Inc. Mark Bohannon , Red Hat, Inc. Robert Borochoff, Administrative Office of the US Courts David W. Boyd, Data Tactics Corporation, Lorenz Research Corp. Richard Brackney, Microsoft Nadeem Bukhari, Kinamik Data Integrity Winston Bumpus, DMTF, VMware, Inc. William (Bill) Butler, Capitol College Kevin Call, Booz Allen Hamilton Karen Luigard Caraway, The MITRE Corporation Mark Carlson, SNIA, DMTF, Oracle Corporation Peggy Canale, Avocent Products and Services, Emerson Network Power Saravana R. Chandran, Strategy and Technology Direction Te-An Chang, Compuwright Solutions Gene Cartier, SRA International Eric Charlesworth, Cisco Systems, Inc. Arunava Chatterjee, Deloitte Consulting LLP G. Hussain Chinoy, USDA NRCS Augusto Ciuffoletti, Università di Pisa, Italy John Crandall, Brocade John Crout, United States Coast Guard Auxiliary Cory Dell, Coupa Software Yuri Demchenko, University of Amsterdam Frederic de Vaulx, Prometheus Computing, LLC Michele Drgon, DataProbity Josiah Dykstra, UMBC Carlo Espiritu, Triple Point Security Christopher Ferris, IBM Omar Fink, SAIC L. Bruce Finn, Federal Deposit Insurance Corporation David A. Foley, SNHU former student Harry J. Foxwell, PhD, Oracle Corporation Barry Garman, The Mercator Group Parisa Ghodous, University of Lyon I Richard Gordon, Jr., RICHMAR & Associates Nedim S. Goren , U.S. Census Bureau

Source: NIST Special Publication 500-293


Source: http://kantarainitiative.org/confluence/display/eGov/eGovernment+Implementation+Profile+of+SAML+V2.0+-+Contributors

! < This page is intentionally blank. >


Cuckoo's Egg

Source: http://www.amazon.com/Cuckoos-Egg-Tracking-Computer-Espionage/dp/1416507787

Cuckoo's Egg

! "...eventually realized that the unauthorized user was a hacker who had acquired root access to the LBL system by exploiting a vulnerability in the movemail function of the original GNU Emacs."

Source: Wikipedia: http://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg

Callouts on the quote:
! Authentication breach here
! Authorization breach and Privilege escalation here
! Vulnerability Exploitation here


Cuckoo's Egg

! Published in 1989
! Story on August 1986

Source: Wikipedia: http://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg

Use of Stolen Credentials in 2012

[Figure 23: Variety of hacking actions; columns Overall / Small / Large; rows Unknown, Brute force, Use of backdoor or C2, Use of stolen creds]

Source: Figure 23 on page 34, Verizon 2013 DATA BREACH INVESTIGATION REPORT

! 48% overall
! 55% Large Organizations


Compromised Targets

[Figure 36: Variety of compromised data; columns Overall / Small / Large; rows Internal, Credentials, Payment]

Source: Figure 36 on page 46, Verizon 2013 DATA BREACH INVESTIGATION REPORT

Credentials right after Payment Data
! 38% overall
! 48% Small Organizations

How smart are we?

! LinkedIn: 6.5 M?
! eHarmony: 1.5 M?
! Last.fm
! IEEE: saved passwords in plain text (!?)

Sources:
http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/
http://blogs.wsj.com/cio/2012/06/06/linkedin-password-breach-illustrates-endemic-security-issue/
http://www.eharmony.com/blog/2012/06/06/update-on-compromised-passwords/
http://articles.latimes.com/2012/jun/06/business/la-fi-tn-eharmony-hacked-linkedin-20120606
http://www.last.fm/passwordsecurity
http://ieeelog.com/


Open Data

How about "Opened Data"?


Example #1

Source: Wikileaks

Example #2

Source: Bloomberg News, Twitter


Example #3

! Total 75GB data (compressed to 8.2GB) stolen
! Initial intrusion: August 13, 2012
! Discovered by victim: October 18, 2012
! Total 44 systems compromised
! One (1) system with backdoor malware installed
! Three (3) systems had database backups or files stolen
! One (1) system sent data out for the attacker
! 39 systems accessed by the attacker
! 33 UNIQUE malicious software and utilities

Example #3 (continued)

! 3.8 Million SSNs, none of them encrypted [1]
! In addition, 1.9 Million dependents' [1]
! 700,000+ Business Tax filers' information [1]
! 3.3 Million Bank Account Numbers [1]
! 5,000 "expired" Credit card numbers [1]
! US$12 Million for identity protection services [2]

Sources:
[1] http://www.youtube.com/watch?v=7OV6TZHZKqg
[2] http://www.bankinfosecurity.com/stolen-password-led-to-south-carolina-tax-breach-a-5309/op-1


Relying on others

[Figure 44: Discovery methods; columns Overall / Small / Large; panels Financial, Espionage, Other; rows Monitoring service (Ext), IT audit (Int), Incident response (Int), HIDS (Int), Fraud detection (Int), Log review (Int), NIDS (Int), Financial audit (Int), Reported by user (Int), Unknown, Actor disclosure (Ext), Law enforcement (Ext), Customer (Ext), Fraud detection (Ext), Unrelated party (Ext)]

Source: Figure 44 on page 54, Verizon 2013 DATA BREACH INVESTIGATION REPORT

! < This page is intentionally blank. >


Lessons we can learn

! Authentication & Authorization as attack targets

๏ Regardless of the attack vectors [old, new, or emerging]
๏ Important: Identity and Access Management (IAM)
๏ Need broad consideration:

! Enrollment, Lifecycle, Credential, Key, and Identity Management for authentication; Access control and Attribute management for authorization; Level of identity or authentication assurance; monitoring suspicious behaviors; policy enforcement; Circuit breaker; etc.

! Opened Data, No thank you!

๏ Governments as attractive attack targets

! Governments have more personal information than others
! Poor IAM helps get government resources compromised.
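The IAM considerations listed above (monitoring suspicious behaviors, policy enforcement, circuit breaker) and the brute-force and stolen-credential figures from the Verizon report earlier in the deck can be made concrete with a small login-event monitor. The script below is an added example, not code from the presentation or from any of the cited reports; the log format, the thresholds (5 failures in 300 s open the breaker for 900 s) and the sample events are constructed assumptions. It replays authentication events per account, opens a circuit breaker after a burst of failures so further attempts are refused, and flags a successful login from a source never seen for that account, which is the kind of behavior the "use of stolen creds" category describes.

```python
"""Login-event monitor with a per-account circuit breaker.

Added illustration; not code from the presentation or from the Verizon DBIR.
The log format, thresholds and sample events are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log format: "<epoch_seconds> <user> <source_ip> <result>"
SAMPLE_LOG = """\
1000 alice 203.0.113.7 FAIL
1001 alice 203.0.113.7 FAIL
1002 alice 203.0.113.7 FAIL
1003 alice 203.0.113.7 FAIL
1004 alice 203.0.113.7 FAIL
1005 alice 203.0.113.7 OK
1100 bob 198.51.100.2 OK
1200 bob 198.51.100.2 OK
1300 bob 192.0.2.99 OK
2000 carol 198.51.100.9 FAIL
2400 carol 198.51.100.9 OK
"""

FAIL_THRESHOLD = 5   # failures within WINDOW that open the breaker (assumed policy)
WINDOW = 300         # seconds over which failures are counted (assumed policy)
BREAKER_HOLD = 900   # seconds the breaker stays open (assumed policy)


@dataclass
class AccountState:
    fail_times: list = field(default_factory=list)   # recent failure timestamps
    known_sources: set = field(default_factory=set)  # sources that logged in before
    open_until: int = 0                              # breaker open until this time


def parse_line(line):
    """Split one constructed log line into (timestamp, user, source, result)."""
    ts, user, src, result = line.split()
    return int(ts), user, src, result


def evaluate(log_text):
    """Replay the events in order; return a list of (timestamp, user, finding)."""
    state = defaultdict(AccountState)
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, src, result = parse_line(line)
        acct = state[user]

        # Policy enforcement: while the breaker is open, every attempt is refused,
        # so a correct password guessed at the end of a burst gains nothing.
        if ts < acct.open_until:
            alerts.append((ts, user, "refused: breaker open"))
            continue

        if result == "FAIL":
            # Keep only failures inside the sliding window, then add this one.
            acct.fail_times = [t for t in acct.fail_times if ts - t <= WINDOW]
            acct.fail_times.append(ts)
            if len(acct.fail_times) >= FAIL_THRESHOLD:
                acct.open_until = ts + BREAKER_HOLD
                alerts.append((ts, user, "brute force suspected: breaker opened"))
            continue

        # Successful login: a source never seen for this account is worth a look
        # (the first login for an account only establishes the baseline).
        if acct.known_sources and src not in acct.known_sources:
            alerts.append((ts, user, f"success from new source {src}"))
        acct.known_sources.add(src)
        acct.fail_times.clear()
    return alerts


if __name__ == "__main__":
    for ts, user, finding in evaluate(SAMPLE_LOG):
        print(f"{ts} {user}: {finding}")
```

Run stand-alone, the script reports the breaker opening on alice's fifth failure, the refused attempt that follows it, and bob's login from an unfamiliar address; carol's single failure followed by a success stays silent. In a real deployment the baseline of known sources would come from the identity store rather than from the log being analysed, and the thresholds would be set per assurance level.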


Lessons we can learn

! Communicating with others

• Expand our capability to learn from those trusted

! to share something with them
! to learn something from them
! to notify, and to be notified appropriately

! Do what we CAN do NOW!
! before excuses or something new


QUESTIONS?

! Catch me here today.

! Catch me next week at FIRST Education Committee or FIRST Annual Conference at Conrad Hilton Bangkok.

ขอบคุณมาก Thank you very much!

Karen Chang, Chair, BAWG

and all of you here!