Risk Base Approach Security Management 15th August 2011 Lam Kwok Wing – CISSP, CISM [email protected]

Risk base approach for security management fujitsu-fms event 15 aug 2011

1. Risk Base Approach Security Management
15th August 2011
Lam Kwok Wing CISSP, CISM
[email protected]

2. Agenda
- Today's Security Situation
- Organization's Challenges
- Fujitsu Approach

3. Before 2006

4. 2006 - The Year Hacking Became A Business
2006 was the year hacking stopped being a hobby and became a lucrative profession practiced by an underground of computer software developers and sellers. It was the year when cyber-criminals targeted everything from MySpace to Facebook.
Are you one of the victims in June?

5. "We archived 1,419,202 web-site defacements" - Attacks by month, Year 2010

   Month   Defacements
   Jan          53,915
   Feb          57,867
   Mar          73,712
   Apr          95,078
   May          83,182
   Jun          81,865
   Jul          87,364
   Aug          63,367
   Sep         185,741
   Oct         194,692
   Nov         258,355
   Dec         184,064
   Total     1,419,202

6. After 2006

7. Zombie Hacker Will Hack No More (Associated Press, 01.23.06)
SAN FRANCISCO -- A 20-year-old hacker pleaded guilty Monday to surreptitiously seizing control of hundreds of thousands of internet-connected computers, using the zombie network to serve pop-up ads and renting it to people who mounted attacks on websites and sent out spam.
Jeanson James Ancheta, of Downey, California, pleaded guilty in Los Angeles federal court to four felony charges for crimes, including infecting machines at two U.S. military sites, that earned him more than $61,000, said federal prosecutor James Aquilina.
Prosecutors called the case the first to target profits derived from use of "botnets," large numbers of computers that hackers commandeer and marshal for various nefarious deeds, their owners unaware that parasitic programs have been installed and are being run by remote control.
Botnets are being used increasingly to overwhelm websites with streams of data, often by extortionists. They feed off of vulnerabilities in computers that run Microsoft's Windows operating system, typically machines whose owners haven't bothered to install security patches.
A website Ancheta maintained included a schedule of prices he charged people who wanted to rent out the machines, along with guidelines on how many bots were required to bring down a particular type of website.
Prosecutors say Ancheta and SoBe then installed the ad software from the two companies -- Gamma Entertainment of Montreal, Quebec, and Loudcash, whose parent company was acquired last year by 180 Solutions of Bellevue, Washington -- on the bots they controlled, pocketing more than $58,000 in 13 months.

8. Hacking as Business
Hacking isn't a kids' game anymore. It has a price $$$...
The Black Market (USD):
- Trojan program to steal online account information: $980-$4,900
- Credit card number with PIN: $490
- Billing data, including account number, address, Social Security number, home address, and birth date: $78-$294
- Driver's license: $147
- Birth certificate: $147
- Social Security card: $98
- Credit card number with security code and expiration date: $6-$24
- PayPal account logon and password: $6
Data source: Trend Micro

9. Hacking as Services
DDoS attacks. The price usually depends on the attack time:
- 1 hour - US$10-20 (depends on the seller)
- 2 hours - US$20-40
- 1 day - US$100+
- 1 day - From US$200 (depends on the complexity of the job)
It is worth highlighting that they normally offer 10 minutes of testing: if you are interested, you tell them the server and they will perform a DoS attack for 10 minutes so that you can evaluate the service.
Spam:
- Hosting: US$200
- Dedicated spam server: US$500
- 10,000,000 mails per day: US$600
- SMS spam (per message): US$0.2
- ICQ (1,000,000): US$150
Hiding of executable files, to avoid antivirus programs and firewalls (they guarantee that the files won't be detected even by the antivirus updates of the date of purchase): from US$1 to US$5 per executable file (cheap, isn't it?)
RapidShare premium accounts (server hosting): 1 month - US$5, 2 months - US$8, 3 months - US$12, 6 months - US$18, 1 year - US$28

10. Hacking as Organized Crime
Cyber criminals have become an organized bunch: they use peer-to-peer payment systems just like they're buying and selling on eBay, and they're not afraid to work together.
Software as a Service for criminals: attackers use sophisticated trading interfaces to classify the stolen accounts by the FTP server's country of origin and the compromised site's Google page ranking. This information enables attackers to determine the cost of the compromised FTP credentials for resale to cybercriminals, or to leverage them themselves in an attack against the more prominent Web sites.
Malware that encrypts data and then demands money to provide the decryption key: FileFixPro

11. Federal websites knocked out by online botnet attack (Computerworld UK - July 08, 2009, by Robert McMillan)
Callouts on the slide: 50,000 infected computers; 20 to 40 gigabytes of bandwidth per second.
A botnet comprised of about 50,000 infected computers has knocked out the websites of several government agencies, and caused headaches for businesses in the US and South Korea. The attack started Saturday, and security experts have credited it with knocking the US Federal Trade Commission's (FTC's) website offline for parts of Monday and Tuesday. Several other government websites have also been targeted, including the US Department of Transportation (DOT).
On Saturday and Sunday the attack was consuming 20 to 40 gigabytes of bandwidth per second, about 10 times the rate of a typical DDoS attack. Security experts estimate the size of the botnet at somewhere between 30,000 and 60,000 computers.

12. SONY Cases - April-June 2011 (Year 2011)

   Date             Event
   2011-04-04       Anonymous Engages in Sony DDoS Attacks Over GeoHot PS3 Lawsuit
   2011-04-20       Sony PSN Offline
   2011-04-26       PSN Outage caused by Rebug Firmware
   2011-04-26       PlayStation Network (PSN) Hacked
   2011-04-27       Ars readers report credit card fraud, blame Sony
   2011-04-28       Sony PSN hack triggers lawsuit; Sony says SOE Customer Data Safe
   2011-05-02/03    Sony Online Entertainment (SOE) hacked; SOE Network Taken Offline; SOE issues breach notification letter
   2011-05-05       Sony Brings In Forensic Experts On Data Breaches
   2011-05-06       Sony Networks Lacked Firewall, Ran Obsolete Software: Testimony
   2011-05-07       Sony succumbs to another hack leaking 2,500 "old records"
   2011-05-14       Sony resuming PlayStation Network, Qriocity services
   2011-05-17       PSN Accounts still subject to a vulnerability
   2011-05-18       Prolexic rumored to consult with Sony on security
   2011-05-20       Phishing site found on a Sony server
   2011-05-21       Hack on Sony-owned ISP steals $1,220 in virtual cash
   2011-05-22       Sony BMG Greece the latest hacked Sony site
   2011-05-23       LulzSec leak Sony's Japanese Websites
   2011-05-23       PSN breach and restoration to cost $171M, Sony estimates
   2011-05-24       Sony says hacker stole 2,000 records from Canadian site (Sony Ericsson)
   2011-06-02       LulzSec versus Sony Pictures
   2011-06-02       Sony BMG Belgium (sonybmg.be) database exposed
   2011-06-02       Sony BMG Netherlands (sonybmg.nl) database exposed
   2011-06-02       Sony, Epsilon Testify Before Congress
   2011-06-03       Sony Europe database leaked
   2011-06-05       Latest Hack Shows Sony Didn't Plug Holes
   2011-06-05       Sony Pictures Russia (www.sonypictures.ru) databases leaked
   2011-06-06       LulzSec Hackers Post Sony Computer Entertainment Developer Network (SCE Devnet)
   2011-06-06       LulzSec hits Sony BMG, leaks internal network maps
   2011-06-08       Sony Portugal latest to fall to hackers
   2011-06-08       Spoofing led to fraud via shopping coupons at Sonisutoa / My Sony Club (Google Translation)
   2011-06-11       Spain Arrests 3 Suspects in Sony Hacking Case
   2011-06-20       SQLI on sonypictures.fr
   2011-06-23       Class Action Lawsuit Filed Against Sony/SCEA
   2011-06-28       Sony CEO asked to step down on heels of hacking fiasco

Other cases noted alongside on the slide: Anonymous leaks Bank of America e-mails; Lulz Security hackers target Sun website; Hong Kong Stock Exchange Website Hacked, Impacts Trades.

13. Agenda
- Today's Security Situation
- Organization's Challenges
- Fujitsu Approach

14. Security: A Confusing Picture
Layers shown: Network Infrastructure, System Infrastructure, Middleware & System Services, Business Services. Network Security is the first line of defense; Application Security is the last line of defense; Independent 3rd Party Audit.
Terms scattered across the picture: Data Loss Protection, Multi Layer Firewall, Host IDS, Content Monitoring and Filtering, Load Balancer, NAC, Incident Management System, Security policies, File Access Control List, fine-grain access control, Government regulations, operational process, System compliance, central log server, from a single console, Security Standards, Operation/Administration, Password Management, visibility to security threats, Authorization API, AD Authentication, Access Control, Keystore Management, policy-based authorization, Web Services Manager Engine, Security Breaches Alert, ID lifecycle management, Delegated administration, Entitlements Server, compliance Breaches Alert, 4As Security Services, Application Security, approval workflows, Role-based access, 2FA Authentication.

15. The Military Model for Security Issues
Threat Avoidance:
- Figure out what the threats are, and avoid them
Security is an absolute:
- Either you're secure or you're not
Follows a computer engineering mentality:
- Find and solve it
- Deploy point solution
Security is the IT department's business:
- Security is the Security Experts' job
Security becomes a barrier to business

16. Visibility of Malware vs. Malicious Intent
[figure: visibility scale running down to "Invisible"]
Source from: [email protected], April 2007

17. Fujitsu Coordinated & Layered Approach - Enterprise Security Architecture
- End Point Security
- Network Security
- System Security
- Data Security
- Application Security
- Operational Security
- Physical / Data Center Security
- Personnel Security
- Security Management

18. Security Management Framework
CobiT, ITIL, ISO/IEC 27001, NIST SP800-53A

19. PPT for Security Triad
Security Triad: Confidentiality, Integrity, Availability

20. ISACA Business Model for Information Security
PPTX is the latest version today?
Source: Adapted from the USC Marshall School of Business Institute for Critical Information Infrastructure Protection
http://www.isaca.org/Content/ContentGroups/Research1/Deliverables/An_Introduction_to_the_Business_Model_for_Information_Security1.htm

21. Risk Base Approach for Security Management
Risk Management: The Business Model
Security is relative:
- Many risks and many solutions
Security is everyone's business
Security is a process:
- Things fail all the time
Variety of options:
- Accept the risk
- Mitigate the risk with People/Procedure/Technology
- Transfer the risk

22. Agenda
- Today's Security Situation
- Organization's Challenges
- Fujitsu Approach

23. Fujitsu Approach - 3 Steps for Better Security
Step 1: Know your risks
Inputs shown: Internal and External Threats; Regulatory and Compliance Force; Business (Cost of Doing Business); ROSI (Return on Security Investment); System / Data / Application and Process Assets; Vulnerability
- Risk Assessment / Compliance Assessment
- Vulnerability Assessment
- Web Application Assessment / PenTest

24. Fujitsu Approach - 3 Steps for Better Security
Step 2: Visualize your situation

25. Fujitsu Approach - 3 Steps for Better Security
The Enterprise Today - Mountains of data, many stakeholders
Use cases: Malicious Code Detection, Real-Time Monitoring, Spyware detection, Troubleshooting, Access Control Enforcement, Configuration Control, Privileged User Management, Lockdown enforcement, Unauthorized Service Detection, False Positive Reduction, IP Leakage, User Monitoring, SLA Monitoring
Log sources: Web server activity logs, Web cache & proxy logs, Content management logs, Switch logs, IDS/IDP logs, VA Scan logs, Router logs, Windows logs, Windows domain logins, VPN logs, Firewall logs, Wireless access logs, Linux, Unix, Windows OS logs, Oracle Financial logs, Mainframe logs, Client & file server logs, DHCP logs, SAN File Access logs, VLAN Access & Control logs, Database logs
Sources from RSA

26. Fujitsu Approach - 3 Steps for Better Security
Step 2: Visualize your situation
- System Monitoring
- Intelligent Logs Consolidation and Correlation
- SIEM Solution (Security Information & Event Management)
- SOC (Security Operation Center)
- Incident Management (ITIL Process)

27. Fujitsu Approach - 3 Steps for Better Security
Step 3: Knowing your enemy's behavior
You need investigation tools for pervasive visibility into content and behavior, providing precise and actionable intelligence.

28. Art of War (Sun Zi), Section III: Attack by Stratagem
"If you know yourself and know the enemy, you need not fear the result of a hundred battles."
Investigation : Visualization : Remediation

29. Thank you