Before You Begin: Assign Information Classification

Emerging and Evolving Threats
Philippe Roggeband, Emerging Markets, Security Product Manager
[email protected]
2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Session Objectives
- Review changes in purpose behind IT attacks
- Understand how these changes affect the behavior of new attacks
- Identify potential protections against this new generation of attacks

Agenda
- Trends in Motivation
- Existing Threats and Lessons from the Past
- New Threats
- Non-Electronic Threats
- Coping with Threats: Conclusions and Recommendations

What? Where? Why?
- What is a threat? A warning sign of possible trouble.
- Where are threats? Everywhere you can, and more importantly cannot, think of.
- Why are there threats? The almighty dollar (or euro, etc.): the underground cyber crime industry is growing with each year.

Examples of Attacks
- Targeted hacking
- Malware outbreaks
- Economic espionage
- Intellectual property theft or loss
- Network access abuse
- Theft of IT resources

Where Can I Get Attacked?
Figure (diagram): the attack surface spans the operating system, network services, applications and users; attacks can come from anywhere and land everywhere.

Operational Evolution of Threats
Figure (diagram): threats move through three stages as the organization's reaction and mitigation mature (technology evolution along one axis, threat evolution along the other, end-user awareness rising from left to right).
- Emerging threat: new, unknown, or problems we haven't solved yet. Handled by a reactive, manual process with a human in the loop; end users have no knowledge of the threat.
- Unresolved threat: the largest volume of problems and the focus of most day-to-day security operations. Handled by a socialized process that carries a support burden; end users are help-desk aware (they know enough to call).
- Nuisance threat: an operational burden handled by a formalized process with policy and process definition and automated response; end users are increasingly self-reliant.

Trends in Motivations: The Threat Economy

Some Statistics
(chart not reproduced in this extraction)

Threat Economy: In the Past
- Writers: tool and toolkit writers; malware writers (virus, worm, trojans)
- Asset: compromise of an individual host or application; compromise of an environment
- End value: fame; theft; espionage (corporate/government)

Threat Economy: Today
- Writers: tool and toolkit writers; malware writers (worms, viruses, trojans, spyware)
- First-stage abusers: hacker/direct attack; machine harvesting; information harvesting; internal theft (abuse of privilege)
- Middle men: compromised host and application; bot-net creation; bot-net management (for rent, for lease, for sale); personal information; information brokerage
- Second-stage abusers: extortionist/DDoS-for-hire; spammer; phisher; pharmer/DNS poisoning; identity theft
- End value: fame; theft; espionage (corporate/government); extorted pay-offs; commercial sales; fraudulent sales; click-through revenue; financial fraud; electronic IP leakage

Old (and Unresolved) Threats
- Worms and viruses
- Botnets
- Spam
- Spyware
- Phishing, pharming, and identity theft
- Application security

Threats to Your Users: Worms and Viruses
- 2006: not a big year in worms and viruses. Why?
- Opportunity shrinking
- Motivation changing

WMF Vulnerability: Timeline
- Dec 27, 2005: discovery date of the vulnerability
- Dec 28, 2005: original vulnerability published by Microsoft. A vulnerability in the graphics rendering engine could allow remote code execution; critical rating. At announcement, exploits were already in progress. Microsoft indicates the patch will be rolled into the next patch event (Jan 10, 2006).
- Dec 31, 2005: emergence of a third-party patch that disables the use of custom abort code (at www.hexblog.com/2005/12/wmf_vuln.html)
- Jan 5, 2006: Microsoft releases the patch early: www.microsoft.com/technet/security/advisory/912840.mspx and www.microsoft.com/technet/security/bulletin/ms06-001.mspx

Worm of the Year 2005: The Story of Zotob
- Microsoft announced the PnP vulnerability in multiple Windows versions (though most pronounced in Windows 2000) on August 9, 2005: a flaw in how the PnP service handles malformed messages containing excessive data
- Zotob.A first appeared on August 14; Zotob variants are still appearing
- Self-propagating worm; the code has been modified countless times for further propagation
- Two kinds of modifications appeared:
  - Evolution: enhancements made to defeat counter-measures implemented against early versions
  - Infighting: later versions taking advantage of weaknesses in early versions to supplant them with newer versions

Evolution of Zotob 2006: What Is a Variant?
- Zotob.X reported Feb 6, 2006
- Fixed some crash problems
- New propagation vector: sets up its own SMTP server and emails copies of itself to addresses in the WAB and other well-known system files (note: does not need Outlook or another email client to run)
- IRC channel set up to a different server (Zotob.A connected to diabl0.turkcoders.net; Zotob.X connected to rax.r0flz.be)
Source: http://www.trendmicro.com

Resurgence of Botnets
- Botnet: a collection of compromised machines running programs under a common command and control infrastructure
- Building the botnet: viruses, worms; infected spam; drive-by downloads; etc.
- Controlling the botnet: a covert channel of some form
Using a botnet to send spam (source: www.wikipedia.org):
1. A botnet operator sends out viruses or worms, infecting ordinary users' Windows PCs
2. The PCs log into an IRC server or other communications medium
3. A spammer purchases access to the botnet from the operator
4. The spammer sends instructions via the IRC server to the infected PCs
5. ...causing them to send out spam messages to mail servers

Zotob Secrets Revealed: All About the Money
- Zotob was created by Diabl0, otherwise known as Farid Essebar
- Essebar was a small-time adware/spyware installer, using Mytob to infect machines and install adware for money
- Diabl0 integrated publicly available proof-of-concept exploit code for the PnP vulnerability into an existing Mytob variant
- The FBI has said it holds evidence that Essebar was paid by Atilla Ekici ("Coder") with stolen credit card numbers to build Mytob variants, as well as Zotob
- On Aug 25, 2005, Essebar was arrested in Morocco, and Ekici in Turkey
Key question: why were they caught?
- Consensus answer: Essebar was clumsy
- Due to lack of experience, Zotob got out of hand and got too much attention, largely because it accidentally infected some major institutions (CNN, CIBC, others)
- In other words: had they been smarter and stealthier, they'd likely never have been caught
Source: http://www.securityfocus.com/news/11297

What About Spyware?
- Still a major threat
- Drive-by downloads are still a major source of infestation; image-based vulnerabilities in particular enable this (the WMF and JPG vulnerabilities are good examples)
- However, confusing or misleading EULAs are still a problem
- A trojan by any other name: spyware is increasingly indistinguishable from certain classes of virus
- Nasty race condition: the sheer number of variants makes it very difficult for technology solutions to hit 100% accuracy at a given moment
- Rise of intelligent spyware

  - Directed advertising is more valuable than undirected
  - More sophisticated spyware matches user-gathered data with directed advertising
  - Bot-based spyware is also more valuable, as it can be updated over time

Phishing, Pharming, and Identity Theft
Figure (diagram): phishing versus pharming against MUNDO-BANK.COM. Phishing: an unsolicited e-mail ("Come see us at www.mundo-bank.com <172.168.254.254>") lures the user away from the real site at 172.168.1.1 to the attacker's server at 172.168.254.254. Pharming: the user's regular online banking session is redirected to 172.168.254.254 by DNS poisoning or by a hosts-file entry (mundo-bank.com = 172.168.254.254).
- Identity theft continues to be a problem
- Phishing scams grow in sophistication every day
- Protecting your users: implement some technology, but don't forget user education!
- If you're a target: consider personalization technologies (e.g. user-chosen images on a webpage); support identified-mail initiatives like DKIM

Identifying the Command & Control
Figure (spam operation pyramid): billions of messages, sent by 100,000s of zombies, using 10,000s of message variants, 1,000s of URLs, 100s of web servers and 10-15 unique site designs, all leading to one support website, one pharmacy and one merchant account.

Tackling Malware: Solutions Across the Network
Figure (network diagram): zones are Remote/Branch Office, Data Center, Management Network, Internet Connections, Corporate Network, Corporate LAN, Remote Access Systems, Internet, Business Partner Access and Extranet Connections, with STOP/GO controls at each ingress:
- Endpoint protection: infection prevention (Cisco Security Agent); infection remediation (desktop anti-virus; Microsoft and other anti-spyware software)
- Network Admission Control: ensure endpoint policy compliance
- Network-based content control: multi-function security devices, firewalls, intrusion prevention systems, proxies

Application Security: The New Black
- Processing of application semantics and grammar is an essential component of access control and attack protection
Figure (inspection example): From -> To; Protocol: FTP; User: Jenn in Finance; RFC compliant: yes; Command: GET; BCP compliant: yes; File: payroll.xls
- Application access control: control application usage by protocol semantics, not L4 port number (e.g. Kazaa tunneled over port 80 is not HTTP)
- Application use control: control how an application is used, not just who's allowed to access it
- Application-layer attacks: zero-day threat defense through RFC, standards, and BCP conformance
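The "protocol semantics, not port number" point above, as an added example that is not part of the original presentation or of any Cisco product: a Python check that decides from the bytes whether a port-80 payload is an RFC-conformant HTTP/1.x request head, so traffic merely tunnelled over port 80 is refused on grammar rather than admitted on port. The function name, the simplified grammar and the constructed sample payloads are assumptions.

```python
import re

# Request-line and header grammar, simplified from RFC 2616 (HTTP/1.1, the RFC in force in 2006).
# Added illustration only; not a product's inspection engine.
_TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_REQUEST_LINE = re.compile(rb"^(?P<method>" + _TOKEN + rb") (?P<target>\S+) HTTP/(?P<ver>1\.[01])\r\n")
_HEADER_LINE = re.compile(rb"^(" + _TOKEN + rb"):[ \t]*(.*?)\r\n")
_RFC_METHODS = {b"OPTIONS", b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"TRACE", b"CONNECT"}


def classify_port80_payload(payload: bytes) -> tuple:
    """Classify the first bytes of a TCP stream seen on port 80.

    Returns (verdict, reason); verdict is "HTTP" when the bytes form a
    grammatically valid HTTP/1.x request head, otherwise "NOT-HTTP".
    An application-aware control would allow the first and drop the
    second, whatever port the connection used.
    """
    m = _REQUEST_LINE.match(payload)
    if not m:
        return "NOT-HTTP", "request line is not 'METHOD SP target SP HTTP/1.x CRLF'"
    if m.group("method") not in _RFC_METHODS:
        return "NOT-HTTP", "method %r is not defined by RFC 2616" % m.group("method")
    rest = payload[m.end():]
    headers = {}
    # Header lines continue until the empty line that ends the request head.
    while rest and not rest.startswith(b"\r\n"):
        h = _HEADER_LINE.match(rest)
        if not h:
            return "NOT-HTTP", "malformed header line"
        headers[h.group(1).lower()] = h.group(2)
        rest = rest[h.end():]
    if not rest.startswith(b"\r\n"):
        return "NOT-HTTP", "request head not terminated by an empty line"
    # RFC 2616 section 14.23: every HTTP/1.1 request must carry a Host header.
    if m.group("ver") == b"1.1" and b"host" not in headers:
        return "NOT-HTTP", "HTTP/1.1 request without mandatory Host header"
    return "HTTP", "%s %s" % (m.group("method").decode(), m.group("target").decode())


# Constructed sample payloads, as they might be captured at an Internet edge on TCP/80.
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "legacy": b"GET /index.html HTTP/1.0\r\n\r\n",
    "no_host": b"GET / HTTP/1.1\r\n\r\n",
    "p2p_hello": b"PEER-HELLO 2.0 node=abc123\n",           # constructed non-HTTP greeting
    "tls_hello": b"\x16\x03\x01\x00\x8b\x01\x00\x00\x87",  # TLS record header, not HTTP
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = classify_port80_payload(data)
        print("%-10s %-9s %s" % (name, verdict, reason))
```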

Application Security: Server-Side Attacks
- Attacks on application infrastructure continue, largely on custom applications (75% of attacks at the application layer target custom apps)
- Web front-ends continue to be vulnerable, largely due to lack of implementation of solutions
Popular attacks:
- Injection attacks: manipulating a backend system by injecting commands and/or code into fields in a front-end query system. SQL injection is the most famous form: it injects SQL commands into fields in a web page
- Cross-site scripting: malicious gathering of data from an end-user by injection of a script into a web page; often links to an offsite malicious web page
- Cookie tampering: manipulation of session information stored in a cookie; allows manipulation of the session even when input validation is used in the application

Simple SQL Injection Attack
Web app login code:

    SQLQuery = "SELECT Username FROM Users WHERE Username = '" & strUsername & "' AND Password = '" & strPassword & "'"
    strAuthCheck = GetQueryResult(SQLQuery)
    If strAuthCheck = "" Then
        boolAuthenticated = False
    Else
        boolAuthenticated = True
    End If

Simple attack login: Username: ' OR ''=' and Password: ' OR ''='
Actual manipulated query:

    SELECT Username FROM Users WHERE Username = '' OR ''='' AND Password = '' OR ''=''

Result: Username: nothing = nothing (TRUE); Password: nothing = nothing (TRUE). The query returns the first username from the list and the login successfully authenticates.
Figure labels: ingress to the data center/DMZ -> web front-end -> application server -> database layer.
Remember this attack; it'll come back later.
Source: http://www.securityfocus.com/infocus/1768

Responding to Server-Side Attacks
- Deploy network-based application firewall technologies (like AVS 3100) to mitigate these attacks in the network
- However, reducing vulnerability is as much about process as it is about technology
- Secure coding is a must; application development teams must be mandated to use secure coding tools and processes
Figure labels: ingress to the data center/DMZ -> web front-end -> application server -> database layer.
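The login above and the secure-coding recommendation, as an added example that is not part of the original presentation: the concatenated query rewritten in Python against an in-memory SQLite table (constructed here), beside the parameterized form a secure-coding process would require. The table contents and function names are assumptions.

```python
import sqlite3


def make_users_db():
    """Constructed stand-in for the slide's Users table (two sample accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def build_query(username, password):
    """The slide's SQLQuery line: the statement is assembled by string
    concatenation, so whatever the user typed is parsed as SQL."""
    return ("SELECT Username FROM Users WHERE Username = '" + username +
            "' AND Password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Direct port of the slide's login logic."""
    row = conn.execute(build_query(username, password)).fetchone()
    # Mirrors strAuthCheck: any username coming back means "authenticated".
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: the SQL text is fixed and the input is bound as data,
    so quotes in the input can never change the statement's structure."""
    row = conn.execute(
        "SELECT Username FROM Users WHERE Username = ? AND Password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


# The slide's input, used for both the username and the password field.
INJECTION = "' OR ''='"


if __name__ == "__main__":
    db = make_users_db()
    print(build_query(INJECTION, INJECTION))
    print("vulnerable   :", login_vulnerable(db, INJECTION, INJECTION))     # alice
    print("parameterized:", login_parameterized(db, INJECTION, INJECTION))  # None
```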

New Threats
- RFID threats
- Service-oriented architectures
- Voice over IP threats
- Device proliferation and mobile devices
- Outsourcing
- Distributed workforce
- Connected home

Intro to RFID
What is RFID?
- Transponder: tiny computers, often without a battery; they are powered inductively by their readers
- Readers: scanning devices that wirelessly power and interact with RFID tags
- Application back-end: middleware, app servers, networking, etc.
What's so special about RFID?
- Miniature size and cost (<10 cents/tag) enable active computer elements in applications never before possible: supply chain management; document control; smart shopping; health care; physical access control, etc.
RFID chip examples: library application chips for books, CDs, and VHS cassettes
Source: http://en.wikipedia.org/wiki/RFID

XML Security: Basis of the Threat
Motivation:
- A direct link into back-end systems looks promising for theft
- Newness of systems may mean less security in place to prevent secondary compromise (e.g. using the systems as a launch-off point)
Opportunities:
- Identity management: slow adoption of federated identity systems may lead to identity spoofing opportunities between systems
- Poorly understood problem set: the industry is still learning where the major vulnerabilities and risk areas are
- Web services are cool: unnecessary deployments of web services by app developers looking to expand their resume are likely not paying enough attention to security concerns
- Risk magnification: with shared code in an SOA, a vulnerability in one piece of code may affect multiple applications

Well Known RFID Threats
- Sniffing: casual reading of tags by a surreptitious, standards-compliant reading device

- Tracking: using knowledge of tag-to-identity mappings to track the physical location of a user
- Spoofing: cloning a tag to masquerade as the owner of the tag (e.g. payment systems, physical access)
- Replay attacks: replaying the results of a previous tag query (e.g. passport control)
- Denial of service: blocking either the reader or the tag from functioning correctly (e.g. signal blocking or jamming)
Source: http://www.rfidvirus.org/index.html

RFID Threats: Power Analysis
- Power analysis: extracting information about a crypto-system by studying its physical implementation. The power required is roughly proportional to the number of bits changing at a given time
- When coupled with physical implementation details (e.g. knowledge of specs), it enables the sophisticated attacker to reduce the effectiveness of crypto systems
- Typically requires physical connectivity to a device
- Oren and Shamir demonstrated an attack using power analysis that did not require physical connectivity to the tag:
  - Extracted the tag's Kill password, and confirmed the ability to kill a tag
  - Attacked a UHF Class 1 Gen 1 tag, but believe the attack is extensible to other currently shipping tags
  - Believe it's possible to build an attack tool into a cell phone (frequency similarities)
  - Paper presented at RSA 2006
Source: http://www.wisdom.weizmann.ac.il/%7Eyossio/rfid/

Using This Attack
- One idea for the use of RFID tags is to eliminate retail checkouts: tags are scanned as you exit the store; you simply enter your payment info and go on your way
- Killing tags would cause the system to avoid charging you
Figure (cartoon): "New and Fast" versus "Old and Slow" checkout; RFID reader; kill; result: free food.
Responding to this threat:
- Lots of theory on foiling power analysis attacks
- RFID vendors need to update chip implementations to prevent the attack

New Threats in Application Security: XML and Service Oriented Architectures
What is an SOA?
- An interlinked system of services, communicating with a standard methodology (XML, SOAP, etc.)
- Web services
- Not new this year per se, but starting to hit critical mass
- Enables systems of systems: tying together disparate backend application systems into a cohesive whole
Major security considerations:
- Directly exposes the application tier to external entities for the first time
- Security concerns involve both access control problems (based on strong or weak identity credentials) and new attack types (X-malware, X-DoS, etc.)
- Enables new security capabilities for integrity and confidentiality: field-level encryption services; document signing; content transformation services, etc.

Sample SOA and XML Attacks
- XML DoS: typically attacks against the XML parser infrastructure. Recursive inputs or overly large pages can cause an availability DoS by taking the parser offline; special characters in unvalidated inputs can confuse or disrupt parser operations
- Injection / scripting attacks: injection attacks are carried over from web applications and target new areas (XPath, etc.)
- X-malware: still largely theoretical (likely due to limited large-scale deployment of web services), but certain to appear

New Threat: Voice over IP Threats
Gartner Group sums it up best: the hype surrounding VoIP threats has, thus far, outpaced actual attacks.

Thoughts on why:
- Opportunity: well-understood business risk is promoting integration of security technologies in voice deployments
- Opportunity: limited pool of technical experts on voice within the attacker community
- Motivation: no well-established business model driving financial incentives to attack

Voice Security Opportunities
Old-world voice incentives:
- Toll fraud (stealing long distance): no real applicability to VoIP, as there are easier (and legal) methods to get free telephony
New-world voice incentives:
- Eavesdropping: the earliest attacks focused on this (VOMIT); however, effective deployment of secure voice makes this very difficult (it is easier to use other means to access the information)
- SPIT (spam over internet telephony): potential to be a serious annoyance, but there are significant barriers to this being an effective source of profit. Some are technical, but most involve our current use patterns for telephony (used on a per-phone basis, not in a list format)
- Denial of service: disgruntled employees or extortionists may target the voice infrastructure by a variety of mechanisms

New Threat: Proliferation of Devices
The challenge:
- New types of devices are joining the network: hand-helds, smart phones, cameras, tools, physical security systems, etc.
- Diversity of OSs: more devices means more operating systems and custom applications
- Embedded OSs: process controllers, kiosks, ATMs, lab tools, etc.
- The IT department is often not involved in procurement; little attention is paid to security

- For example, one environment got hacked from an oscilloscope
Opportunities for attack:
- Attacks on the back-end: all of these systems provide an ingress point into some form of backend system; both the method of communication and the device itself are targets
- Attacks on the device: proliferation leaves many opportunities for taking control of a system
- Attacks on data: sensitive data is becoming increasingly distributed and uncontrolled

Mobile Device Attacks: Symbian Trojans and Bluetooth Viruses
Mobile attack for profit:
- March 2006: the Java/RedBrowser.A trojan infects Symbian phones
- Requires user installation (in Russian)
- Once installed, the trojan sends an SMS to a premium-rate number and automatically sends an authority that they can charge you
- The charge is five dollars per SMS (ouch!)
Bluetooth virus:
- The CommWarrior virus does nothing but spread over Bluetooth and MMS (and rack up charges as a result)
- New variants appearing throughout 2005 and 2006
- If your phone was in range, you would receive a message asking "Install CommWarrior, yes or no?" If you say no, you'll be asked again immediately if you're still in range
- Many infestations happened simply to get rid of the messages
Source: http://www.vnunet.com/vnunet/news/2154728/bluetooth-virus-leaves-mobile

Attacks on Data: Data Leakage
- One of the year's hot topics
- A broad term encompassing multiple different challenges:
  - Security of data at rest
  - Security of data in motion
  - Identity-based access control

  - Both malicious and inadvertent disclosures
- The issue has become topical, typically for compliance reasons
- However, the broader topic involves business risk management: How do I avoid inadvertent disclosures? How do I protect my information assets from flowing to my competitors? How do I avoid ending up in the news?

Mitigating Risk of Data Leakage: Basic Steps
1. Protect non-managed machines: remote access (employee, partner, and vendor) from non-managed machines poses a serious risk. Deploy protection technology in your remote access systems, such as Cisco Secure Desktop in the Cisco ASA 5500
2. Deploy network-based structured data controls: data elements such as credit card numbers or SSNs can be monitored and controlled in return traffic using application firewalls (such as AVS 3100)
3. Lock down managed endpoints: lock down removable media systems, such as USB ports and CD burners, using Cisco Security Agent
4. Application access control: enforce need-to-know access control policies in the network at transit control points (e.g. in firewalls)
5. Content inspection services: build out a network-wide sensor grid for visibility and audit. Primary focus areas: email; instant messaging

Example: Network-Based Structured Data Controls
Figure (Cisco AVS 3100 sitting between request and response): data elements found in the response and the action applied to each.

    Data element       Value in response      Action   Value delivered
    Credit Card        1234-5678-9012-3456    MASK     XXXX-XXXX-XXXX-3456
    Social Security    123-45-6789            MASK     XXX-XX-XXXX
    Drivers License    A123456                BLOCK    (response blocked)
    Employee ID        S-924600               MASK     XXXX
    Patient ID         134-AR-627             BLOCK    (response blocked)
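The masking and blocking table above, as an added example that is not part of the original presentation and not the AVS 3100's own logic: a Python filter that applies the same five rules to an outbound response body, masking where the slide masks and withholding the whole response where the slide blocks. The regular expressions, rule names and sample responses are assumptions shaped to the slide's values.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    action: str          # "MASK" or "BLOCK"
    keep_last: int = 0   # MASK only: trailing characters left readable
    fixed: str = None    # MASK only: replace the whole token with this text


# Assumed patterns, shaped to the slide's sample values; a deployment would tune these.
RULES = (
    Rule("Credit Card", re.compile(r"\b\d{4}-\d{4}-\d{4}-\d{4}\b"), "MASK", keep_last=4),
    Rule("Social Security", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "MASK"),
    Rule("Drivers License", re.compile(r"\b[A-Z]\d{6}\b"), "BLOCK"),
    Rule("Employee ID", re.compile(r"\bS-\d{6}\b"), "MASK", fixed="XXXX"),
    Rule("Patient ID", re.compile(r"\b\d{3}-[A-Z]{2}-\d{3}\b"), "BLOCK"),
)


def mask_token(token: str, rule: Rule) -> str:
    """Replace letters and digits with X, keeping separators and the last
    keep_last characters, unless the rule prescribes a fixed replacement."""
    if rule.fixed is not None:
        return rule.fixed
    cut = len(token) - rule.keep_last
    head, tail = token[:cut], token[cut:]
    return re.sub(r"[0-9A-Za-z]", "X", head) + tail


def inspect_response(body: str):
    """Apply the rules to one response body.

    Returns (verdict, delivered_body, findings): verdict is "ALLOW", "MASK"
    or "BLOCK"; delivered_body is None when the response is withheld.
    A BLOCK rule wins over masking, so the response is withheld even if
    the other elements in it could have been masked.
    """
    findings = [rule.name for rule in RULES if rule.pattern.search(body)]
    if any(rule.action == "BLOCK" and rule.name in findings for rule in RULES):
        return "BLOCK", None, findings
    delivered = body
    for rule in RULES:
        if rule.name in findings:
            delivered = rule.pattern.sub(lambda m, r=rule: mask_token(m.group(0), r), delivered)
    return ("MASK" if findings else "ALLOW"), delivered, findings


# Constructed response bodies: one per row of the slide, plus a clean one.
SAMPLE_RESPONSES = [
    "Credit Card 1234-5678-9012-3456",
    "Social Security 123-45-6789",
    "Drivers License A123456",
    "Employee ID S-924600",
    "Patient ID 134-AR-627",
    "Your order has shipped.",
]


if __name__ == "__main__":
    for body in SAMPLE_RESPONSES:
        verdict, delivered, findings = inspect_response(body)
        print("%-5s %-20s %s" % (verdict, ",".join(findings), delivered))
```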

Mobile Data Continues: PC on a Stick
- New smart drives and other similar technology extend the existing threats to data posed by portable storage devices
- Devices carry a virtual computing environment in secure storage, typically plugged in via USB to any open computer
- All workspace, preference, and data information is kept within the device, but the computing resources of the host machine are used for manipulation and processing
Challenges:
- Analogous to SSL VPN security challenges, only now you can lose the device in a cab
- Unknown endpoint environment challenges: keyboard loggers and splicers, monitor taps, webcams
- Malicious software embedded in data or documents

Business Practice Trends: Outsourcing: Opening Your Door to Strangers
- Motivations: outsourcers have all the potential to be disgruntled employees in search of revenge, only more so; outsourcers typically feel less loyalty to the outsourcing organization
- Opportunity: in many organizations, outsourcers are given full intranet access
Considerations:
- For policy purposes, are outsourcers treated as full employees of the company, or not?
- How do you balance the need to access required applications while providing the necessary controls to mitigate risk?
- When negotiating contracts, are there any provisions for data security and integrity? Are there any provisions to audit the security posture?
- What legal recourse does the organization have in the event of compromise? Jurisdictional issues, liability and responsibility, etc.

Business Practice Trends: Home Networking and the Home Office
Rise of serious home networking:
- The connected home is becoming ever more a reality
- Connected fridge: fridges with TVs are a reality; it is only a matter of time before they're connected
Home office expectations:
- Users expect the same services at home that they have in the workplace, e.g. wireless
- Blurry line of service: a wireless setup for the home office quickly gets used for streaming audio
Challenge:
- All these systems are likely connected into the same home network as the home office
- Many, many new threat vectors to the business
- Organizations are increasingly looking at whether it is more cost effective to provide incentives (or services) for home office users to use in-office services in a secure environment

Business Practice Trends: Employees Using Home PCs for Work
- Trend amongst some companies to relinquish control over employee workstations
- Why: cost savings. Some organizations believe they can save significant dollars by having employees purchase their own laptops
- December 2005: Gartner predicted that by 2008, 10 percent of companies will require employee-purchased notebooks (0.6 probability)
- A number of very large (10,000+) companies are either seriously examining this or moving to implementation
- If your organization is going down this road, strongly consider adding additional layers of defense: Network Admission Control; vulnerability management; content monitoring and filtering; secure remote access

Non-Electronic Threats

Non-Electronic Threats: Social Engineering
- Social engineering attacks: attacks that compromise the human elements of business processing; assuming an identity to exploit trust relationships
- These forms of attack have been around forever
- Not an emerging threat in and of itself, but a constant force multiplier on new threats

Non-Electronic Threats: Being Unprepared
- Lack of implementation of an incident response plan can be a major source of risk to an organization
- Doing something without a plan can be worse than doing nothing
- Build out a plan in advance, get it approved by senior management, and implement it
- Don't forget about the people. Incident response process? How can you plan for the unknown? That's why we hire smart people.
- Not the time to be wondering if your fire extinguisher still works

Coping with Threats

Incident Response Basics
Figure (incident response life cycle):
1. Pre-incident planning
2. Detection and analysis
3. Containment and control
4. Recovery
5. Post-incident policy and process analysis
- Most important step: step 1; second most important step: step 5
- Most commonly skipped step: step 1; second most commonly skipped step: step 5
- There's a message in here somewhere
Adapted from reports at www.gartner.com and www.securityfocus.com

What Should I Do?
- Process, process, process: implement strong processes up front, document them, and use them
- User education campaigns: ensure there is an end-user education component of your broader information security strategy
- Make effective use of technology: technology exists to mitigate much of your risk of exposure to new threats; make sure you're using what's available

Technology Recommendations
- Stay informed: subscribe to a threat information service; a cost-effective way to stay on top of things
- Change the game: deploy NAC; raise the bar on the level of protection at the internal edge
- Develop and implement a complete incident response system: include technologies like IPS that enable visibility and protection; ensure you've got the tools to help (like MARS)
- Get tested! Engage a reputable penetration testing firm
- Deploy anomaly technologies: anomaly detection technologies can catch some emerging threats before they're well known

Some Closing Thoughts
- Don't get overwhelmed
- Small steps can make a big difference
- Remember, you don't have to be the best protected; you just need to be a less inviting target than the next guy
Adapted from: http://www.worldhop.com/Journals/J1/Bear1.html

Q and A
