SlideShare ist ein Scribd-Unternehmen logo

Emerging cyber threats_report2012

D
day4justice
TechnologieBildung
1 von 16
Downloaden Sie, um offline zu lesen
[ Table of Contents ] 2 Introduction 3 The Mobile Threat Vector 6 Botnets 8 Controlling Information Online 10 Advanced Persistent Threats E M E R G I N G C Y B E R T H R E AT S R E P O R T 2 0 1 2 1
INTRODUCTION Collaborative research, education and awareness are required to battle advanced and large-scale botnet attacks, mobile application exploits, and manipulation of online information. In the past year, we have witnessed cyber attacks of improving human life on a global scale. As a leader unprecedented sophistication and reach. These attacks in cyber security research, Georgia Tech continues to demonstrate that malicious actors have the ability to com- develop novel, impactful solutions to important problems. promise and control millions of computers that belong to Atlanta is a major hub for cyber security, and many secu- governments, private enterprises and ordinary citizens. If rity companies rely on innovation, expertise and talent we are going to prevent motivated adversaries from attack- from Georgia Tech. ing our systems, stealing our data and harming our critical infrastructure, the broader community of security research- Our desire for broader engagement, cooperation and ers—including academia, the private sector and govern- interaction with key stakeholders is necessary for combat- ment—must work together to understand emerging threats ing the large-scale threats we face today and keeping and to develop proactive security solutions to safeguard pace with constantly evolving malware. In addition, per- the Internet and physical infrastructure that relies on it. vasive mobile application adoption and increasing attacks on our ability to access online information require objec- Georgia Tech’s annual Cyber Security Summit on Oct. 11, tive, truth-driven research to ensure integrity and trustwor- 2011 provides an opportunity for security experts from thiness of information and interactions on the Internet. industry, academia and government to come together and explore the challenges we face in securing cyber and Research projects in all these areas are currently under- cyber-connected physical systems. By seeking to engage a way at Georgia Tech. Further leveraging in-house broader audience, Georgia Tech remains at the center of research and expertise, Georgia Tech compiled the fol- efforts to develop new technologies and strategies that are lowing Emerging Cyber Threats Report, which includes effective against sophisticated cyber attacks. insight and analysis from a variety of experts from the IT security industry, government and academia. The Report The Georgia Institute of Technology is one of the nation’s and the Summit provide an open forum for discussion leading public research universities. Groundbreaking of emerging threats, their potential impact and counter- research is underway in dozens of labs across cam- measures for containing them. After the summit, we invite pus and the Georgia Tech Research Institute (GTRI). you to learn more about our work in cyber security and These efforts are focused on producing technology and engage with our experts to understand and address the innovation that will help drive economic growth, while challenges we face in securing cyber space. — Mustaque Ahamad, director, GTISC — Bo Rotoloni, director, Cyber Technology and Information Security Laboratory at GTRI 2 GEORGIA TECH CYBER SECURITY SUMMIT 2011
The Mobile Threat Vector—managing tensions between usability, security and scale Highlights: on to confirm the safety of their online location. If a user does click n Mobile applications rely increasingly on the browser, a malicious link on a mobile device, it becomes easier to obfuscate presenting unique challenges to security in terms of usability the attack since the Web address bar is not visible. and scale. The varied existence of SSL icons on mobile browsers can also n Expect compound threats targeting mobile devices to use contribute to successful exploitation. “If you’re a security expert SMS, e-mail and the mobile Web browser to launch an and you want to see the SSL certificates for a site from your mobile attack, then silently record and steal data. phone browser, it is extremely difficult to find that information—if n While USB flash drives have long been recognized for their it’s there at all,” said Traynor. “And if a security expert can’t verify ability to spread malware, mobile phones are becoming a a connection and a certificate, how do we expect the average user new vector that could introduce attacks on otherwise-pro- to avoid compromise?” tected systems Understandably, display security on mobile browsers is not as n Encapsulation and encryption for sensitive portions of a advanced as the desktop either. The way elements are laid out mobile device can strengthen security. on a page and the actions that take place when a user touches something are all opportunities to embed an attack. According to Traynor, mobile browsers are more susceptible to attacks launched just by touching the display. For example, attackers will lure users Mobile browsers present a unique challenge. with attractive display content, hiding their malicious link under- When it comes to securing mobile phones from emerging threats, neath a perfectly legitimate image. Once a user clicks on that scale, usability and device constraints present some interesting image, it gives the attackers the ability to spy on the user and challenges. The mobile phenomenon is still gaining momentum, redirect them to a malicious payload. with four billion mobile phones in use around the world and mobile Internet expected to outpace desktop Internet usage by 2014.1 Today, even less expensive mobile phones come with some form Mobile devices do not commonly receive of Web browser, representing a major vulnerability that can be patches and updates. exploited by existing and emerging threats. Dan Kuykendall, co-CEO and Chief Technology Officer for NT “Mobile applications are increasingly reliant on the browser,” said OBJECTives also worries about threats targeting mobile applica- Patrick Traynor, GTISC researcher and assistant professor at the tions and mobile browsers. “One of the biggest problems with Georgia Tech School of Computer Science. “As a result, we expect mobile browsers is that they never get updated,” he said. “For most more Web-based attacks against mobile devices to be launched in users, their operating system (OS) and mobile browser is the same the coming year.” as it was on the phone’s manufacture date. That gives the attackers a big advantage.” Tension between usability and security, along with device con- straints make it difficult to solve mobile Web browser security flaws. While computers can be manually configured not to trust compro- “The mobile vector requires special consideration when it comes to mised certificates or can receive a software patch in a matter of days, security,” said Traynor. “We still need to explore the significant dif- it can take months to remediate the same threat on mobile devices— ferences between mobile browsers and traditional desktop brows- leaving mobile users vulnerable in the meantime. The software indus- ers to fully understand the potential of emerging threats.” try needs to modify the current patch and update model to integrate mobile devices for more complete coverage. Traynor cites small screen size as just one of many device-related challenges to mobile security. Small screens can make vulnerabili- Kuykendall thinks emerging threats to mobile devices will expand ties more serious and present attackers with an opportunity. For and develop rapidly, similar to the explosion in Web application example, users on a mobile browser will not see the Web address vulnerabilities and threats witnessed several years ago. “To keep bar for very long. To enhance usability, the address bar disap- pace with market demand, the applications are being developed pears above the screen so that more of the page content can be too quickly. Therefore, developers and QA teams are not validat- displayed. But this also removes many of the visual cues users rely ing the data as aggressively as they should,” said Kuykendall. CONTINUED ON NEXT PAGE 1 Source: http://www.digitalbuzzblog.com/2011-mobile-statistics-stats-facts-marketing-infographic/ E M E R G I N G C Y B E R T H R E AT S R E P O R T 2 0 1 2 3
The Mobile Threat Vector “They aren’t expecting attacks to come from other phones, which is “Mobile phones are already equipped with cameras that could be already happening, and they don’t fully recognize the vulnerabili- used for facial recognition or iris detection, and microphones for ties present in the back end of all the mobile applications.” voice detection,” Schutzer said. “These technologies can strengthen user and device authentication and augment security practices.” Kuykendall cites data theft as the primary goal of emerging mobile threats and lists several scenarios already happening and expected to continue, including: Implementing a strong mobile security n Exploiting a mobile browser vulnerability to get a remote shell program focused on encapsulation. that enables the attacker to remotely run commands on the As smartphones and tablet devices continue to blur the lines phone OS. between the professional and the personal, global corporations n Compound threats that use SMS, e-mail and the mobile Web such as Equifax (NYSE: EFX), one of the largest and most diverse browser to launch an attack, then silently record and steal data. sources of consumer and commercial data, are implementing stron- ger security policies around mobile devices. “When it comes to mobile security, our approach is based on Threats targeting Android and iOS are on encapsulation. It enables us to establish well-defined boundar- the rise. ies and balance user productivity with security needs,” said Tony Gunter Ollmann, vice president of research for Damballa notes Spinelli, senior vice president and Chief Security Officer of Equifax. that malware targeting mobile devices is constantly evolving. “The “After dedicating significant time and resources to select a mobile Zeus-in-the-Mobile (ZitMo) and several other examples of Android phone management platform, we launched a pilot program to malware are acting more like traditional bots by communicating ensure complete encapsulation of mobile devices for more than with a command-and-control (C2) architecture,” says Ollmann. 6,500 employees across the U.S. and 15 other countries.” “This marks an evolution beyond premium rate fraud and other tactics that do not rely on C2, and makes mobile devices as suscep- Using this approach, Equifax encapsulates and encrypts the cor- tible to criminal breach activity as desktops.” porate portion of an employee’s smartphone, and can quickly and remotely address a device that is compromised in any way. “We The ZitMo attack targeted Android users in an attempt to defeat take a layered, holistic approach to security that includes multiple banking two-factor authentication, steal credentials, and ultimately levels of defense,” said Spinelli. “Despite their rapid consumeriza- money, from users’ bank accounts. Comprised of blended tech- tion, mobile devices are no exception.” niques, this Trojan-based attack involves phishing, social engi- neering, intercepting SMS messages and sending authentication Spinelli concluded, “As mobile devices become an increasingly credentials to a remote server. attractive target in the integrated economy, it is critical for orga- nizations to adopt a multi-faceted strategy that leverages the right Dmitri Alperovitch, independent security expert and former vice combination of security best practices with business technology president of Threat Research at McAfee is also watching the mobile requirements.” space closely. “We’re already seeing an explosion of threats targeting Android and the iOS platform,” he said. “These devices will become major targets in the months ahead and are providing Academic research serves another avenue for data theft.” a marketplace need Alperovitch continued, “Mobile phones represent a physical part Founded in research efforts at Georgia Tech, Pindrop of your identity. They know and can share your location, can take Security is a telecommunication start-up that is restoring photos and record videos. Just think of the potential for data theft if security for aspects of telephony. Long viewed as a trusted an attacker could remotely control these devices. With remote con- medium, telephony is used by companies and individuals to trol of a CEO’s mobile phone, an advanced persistent adversary conduct important transactions. But Caller-ID and Automatic could activate the microphone to record private negotiations.” Number Identification can be easily manipulated leaving telephony transactions vulnerable to attack. Pindrop Security On the bright side, the same mobile device features could be used to offers a unique Caller-ID technology that authenticates callers enhance security. Dan Schutzer, CTO of BITS, the technology policy through the “fingerprint” of the phone call, making financial division of The Financial Services Roundtable, believes that mobile and other transactions over the phone more secure. devices are more naturally suited to biometric security measures. 4 GEORGIA TECH CYBER SECURITY SUMMIT 2011
Mobile devices—a new vector for attacking the network and critical systems. One source in private industry that requested anonymity worries that mobile phones will be a new on-ramp to planting malware on more secure devices. “Let’s say you’ve secured a process control system within a nuclear facility and there’s no direct connection between that system and the corporate network,” he said. “Even with such security measures in place, someone who just needs to charge his phone can introduce malware as soon as it’s plugged into a computer within that location.” While USB flash drives have long been recognized for their ability to spread malware, mobile phones are becoming a new vector that could introduce attacks on otherwise-protected systems. “A phone is also a storage device,” notes the industry insider. “I can see a sophisticated attacker writing code to exploit wireless connectivity technology that subsequently plants malware on a mobile phone. Now that phone is programmed to install a dangerous payload as soon as it connects to a targeted system.” Mobile browser security research efforts at Georgia Tech Georgia Tech researchers are working closely with nine mobile browser manufacturers to understand the differences between mobile and desktop browsers and the resulting security implications. Research efforts also include security reviews of nine mobile browsers to identify and remediate vulnerabilities that could lead to successful compromise. E M E R G I N G C Y B E R T H R E AT S R E P O R T 2 0 1 2 5
Botnets—the evolving nature of adversaries, tactics, techniques and procedures their stolen data” said Ollmann. “There’s serious money involved Highlights: and a highly competitive underground marketplace. You can find n Botnet controllers build massive information profiles on their hundreds of do-it-yourself botnet kits online, along with YouTube compromised users and sell the data to the highest bidder. instructional videos, competitive reviews of the botnet tools, ads sponsored by DIY constructors, tutorials and more. It has all the n Advanced persistent adversaries query botnet operators in trappings of a legitimate sector of the software space.” search of already compromised machines belonging to their attack targets. n Bad guys will borrow techniques from Black Hat SEO Advanced persistent adversaries leverage to deceive current botnet defenses like dynamic botnets to find entry points. reputation systems. Researchers expect large-scale botnets and targeted, persistent attacks to share more common ground in the future as well. According to Georgia Tech Professor Wenke Lee, “Targeted attacks While botnets have plagued the Internet for some time, their usage against a specific organization used to be perceived as isolated. in advanced persistent threats is evolving, as are the tactics, But now we have evidence that some of these targeted attacks have techniques and procedures for command and control. Today, roots in common botnets.” attacks are much more federated and the malware agents infecting devices are tuned for a particular operating system. That means When an operator creates a large-scale botnet, they have vari- the command and control infrastructure for the entire botnet can ous options for monetizing the investment. In the past, the highest remain the same and still communicate with bots across different bidders needed the computational power to send vast amounts of operating systems. spam or conduct a denial of service attack. But now, advanced persistent adversaries query botnet operators to identify compro- mised machines belonging to the company or organization in their crosshairs. The adversary may ask the botnet operator if he Botnet controllers build massive information can run some queries against the machines to determine the OS, profiles which may become part of legitimate applications running, type of function they perform, etc. to gather lead generation efforts. information for creating a targeted, stealthy attack with the end “Three or more years ago, botnet operators focused on stealing goal of data theft. In many cases, adversaries will pay top dollar email and password credentials, which were useful to spammers,” for the information, providing a new and extremely lucrative source said Gunter Ollmann, vice president of research for Damballa. of revenue for botnet operators. “Now botnet controllers are building massive profiles on their users, including name, address, age, sex, financial worth, relation- Infrastructure and information sharing will also occur more regularly ships, where they visit online, etc. They sell this information, where between botnet operators and other malicious actors. For example, it ultimately finds its way into legitimate lead generation channels.” a bot master can lend or sell his malware/bot program to another attacker that wants to compromise the same machine for a different Sites will buy the information stolen via botnets in bulk. The infor- purpose. Often this requires just a small variation or extension of the mation may exchange hands for money several times. And eventu- original bot program, and may use part of the same command and ally, a legitimate business may pay for the information for lead control infrastructure. The same theory works in reverse as a mali- generation purposes, not realizing that it has been stolen. In some cious actor can sell a successful targeted exploit to a bot operator. cases, a company might pay $20 -$30 for a qualified lead. Botnets can also play a role in auto-filling forms online that are used to compile lists for marketing purposes. The botnets already have all Botnet command and control architecture the personal information necessary to fill out the forms, and botnet is becoming decentralized. operators can devise an automated process resulting in a sophisti- cated fraud scam that is difficult to detect and prosecute. While botnets are still responsible for some of the largest DDoS attacks to date (generating > 100 Gbps of traffic), security experts “The botnet scams are still big business, and operators are com- will focus on evolution of botnet command and control architecture ing up with more elaborate fraud systems to increase the value of in the year ahead. 6 GEORGIA TECH CYBER SECURITY SUMMIT 2011
“I think the evolution of botnets has more to do with the Command to a pay-per-install company in the criminal ecosystem to infect as and Control (C2) architecture than the size of the attacks being many machines as possible. To increase its own profits, the pay- launched,” said Barry Hensley, director of the Counter Threat Unit/ per-install company will attempt to install more than one piece of Research Group at Dell SecureWorks. “We are starting to see a malware. As a result, Damballa found that more than 40 percent of decentralized C2 architecture, namely Peer-to-Peer. Since IRC and compromised devices have two or more external entities control- HTTP C2 infrastructure still work well for bot operators, P2P is not ling them. “This makes remediation difficult as users may receive yet widely implemented. Once the security space starts making an varying advice for cleaning up their machines based on the type of impact and decreasing the effectiveness of those two protocols, malware,” said Ollmann. we’ll start to see botnet operators shift toward P2P and DNS. Until then, they’ll just use what works.” Increased botnet take-downs and 64-bit computing can help. On the positive front, botnet take-downs appear to be more com- mon. “These efforts represent an evolution in the security commu- nity,” said Paul Royal, research scientist at Georgia Tech. “As highly motivated security professionals come together for a common cause, we expect to see more take-downs in the year ahead.” Royal also cites the identification and arrest of malware authors as a positive step in combatting the problem. “Taking away the criminal underground’s human capital can be very effective,” said Royal. “However, the security community is facing new ethical concerns related to take-downs that may threaten collaboration.” Royal referred to the trust required to share information about com- promised machines when part of concerted take-down operations. “Unfortunately, some organizations will take defensive information gathered as part of take-down efforts and turn it into offensive infor- mation about compromised machines, which can be sold or shared with interested parties. This practice may discourage some individu- als from participating in take-down efforts moving forward.” Royal does see some promising security advantages for combatting botnets inherent in the transition from 32-bit to 64-bit computing. “Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) are both good for battling exploits, and both are better utilized with 64-bit computing,” he said. “DEP stops what should be data from executing as code. And even if malicious code is downloaded, ASLR makes it harder for threats to reach the final stage.” But the security community is still up against a serious threat when it comes to botnets. “Present defenses involve blacklisting IP addresses, Web filtering techniques and dynamic reputation systems,” said Ollmann. “A new battle front is opening up, and the bad guys will borrow techniques from Black Hat SEO to deceive dynamic repu- tation systems, similar to how they are subverting page ranking techniques used by search engines.” Pay-per-install malware will also continue to plague users. In this sce- nario, bot agent malware is developed. Then the creator subscribes E M E R G I N G C Y B E R T H R E AT S R E P O R T 2 0 1 2 7
Controlling Information Online—a new frontier in information security Malicious actors try to influence search Highlights: engine algorithms for their own benefit. n Security researchers are currently debating whether person- According to Greg Conti, associate professor of computer science alization online could become a form of censorship. at West Point, in the digital age, propaganda and censorship have become automated processes. He suggests applying critical ques- n Attackers are performing search engine optimization to tions to information online, including: help their malicious sites rank highly in search results. n The trend in compromised certificate authorities exposes n Who controls the flow? numerous weaknesses in the overall trust model for n Who can alter the flow? the Internet. n Who restricts consumption? n Is there surveillance? n Is there the perception of surveillance? The control of information delivered to online users continues to “The original idea of browsing the Web from site to site without a be a complex security challenge. “In addition to trust and privacy, global search capability didn’t scale,” said Conti. “Now we have the lack of transparency concerning how governments and Internet search engines like Google with tremendous control over the flow Service Providers (ISPs) prioritize traffic is a serious threat,” said of information. Actors are trying to influence the largely neutral Nick Feamster, associate professor in the College of Computing at search engine algorithms for their own benefit using search engine Georgia Tech. Feamster studies Internet-based control of information optimization and search poisoning techniques.” along a spectrum, ranging from overt blocking of content, to mali- cious manipulation, to selective censorship and filtering, to attempts While search poisoning has been around for years, it is still an to manipulate Internet performance at the ISP level. effective technique for launching malware. In a recent 2011 cam- paign, increasing numbers of Google image search results were “When performance is degraded, a service is unavailable, or infor- poisoned, redirecting users either to an exploit kit or rogue AV mation is inaccessible, it is difficult for users to determine whether sites. Attackers compromised large numbers of legitimate sites and the root cause is an unintentional performance issue or overt censor- users had only to click on thumbnail images to launch the exploit. ship,” said Feamster. “Even examples that seem fairly innocuous can have serious impacts when it comes to opinion shaping and “The online world obfuscates where information comes from and spreading misinformation.” provides ample opportunity to manipulate information before a user receives it,” said Wenke Lee, professor in the College of Computing at Georgia Tech. “Search poisoning and index poison- ing are just two examples of attackers taking advantage of this Does personalization online present a risk? situation to launch malware.” Security researchers are currently debating whether personaliza- tion online could become a form of censorship. Websites, news In a typical search poisoning scenario, a user searches a term then media sites, social networking sites and advertisers are all sharing clicks a particular link from among the search results. They are personal data about individuals with the goal of more effectively redirected multiple times and eventually land on a page with no rel- targeting information for those individuals. For example, a news evance to the original search, which is used as a vector to deliver media website might highlight several articles under the heading malware. Attackers are doing their own search engine optimization “Recommended for You” based on age, ethnicity, location, profes- to try to get their malicious sites to rank highly in search results. sion and items searched previously. If a user only received news Malicious sites are also getting better at hiding their bad payloads under this heading, it could be limiting. The same principle holds from the search engine crawlers. If they detect a crawler, they will for search engines that filter results according to algorithms that present a clean Web page to remain undetected. factor a user’s personal information. “You may have the impression that search engines are neutral con- duits, but the results you receive could present a restricted world- view,” said Feamster. “In the case of search filtering, most users are completely unaware and have no method to widen search results beyond what the engine supplies.” 8 GEORGIA TECH CYBER SECURITY SUMMIT 2011
Combination attacks affecting DNS service In addition to new sophisticated Domain Name System (DNS) and providers and certificate authorities are certificate authority-based threats, Hensley noted several recent especially dangerous. examples of Distributed Denial of Service (DDoS) attacks and With the goal of controlling and monitoring information (as well as nation-state sponsored actions that prevented access to information stealing data), hackers will develop combination attacks that affect online, including: DNS service providers and compromise certificate authorities. n Large-scale protests coordinated via social media in Libya, Iran, These sophisticated, effective threats will be increasingly difficult Bahrain, Algeria, Jordan, Yemen and Egypt, causing nation-states to detect and will obviate the need for attackers to place a “man to disrupt Internet service or drop from the Internet entirely.1 in the middle.” Even security-conscious users will not be able to tell if they are on a malicious site if DNS provisioning systems are n DDoS attacks against various South Korean government and compromised. And if stolen certificate authorities are employed, business sites.2 attackers can create fake banking applications and more to control n DDoS attacks against various Burmese government opposition access to information, steal personal data and money. sites mark third anniversary of Saffron Revolution.3 Barry Hensley, director of the Counter Threat Unit at Dell SecureWorks, cites the 2011 DigiNotar Certificate Authority (CA) While the techniques used to mount these attacks are not new, breach as a manipulation of security controls with the intent of security researchers expect the Internet and control of informa- controlling and monitoring private citizens’ information. In the case tion online to be a pawn in future conflicts. According to Hensley, of DigiNotar, a hacker going by the handle of “COMODOHacker” “Over the past year, hacktivism has been center stage. SQL seized control of CA servers, created fraudulent certificates and used injection and DDoS attacks continue to be the tools of choice for them to execute “man-in-the-middle” attacks against hundreds of thou- these groups, many of whom are masters at disinformation and the sands of victims. The scheme enabled the hacker to access Iranian creation of alternative profiles and groups.” Gmail users’ messages and monitor much of their Internet traffic. Recent Internet-driven protests in Libya and Egypt also suggest that “The recent DigiNotar breach associated with a compromised cer- disinformation could play a bigger role in future political conflicts. tificate authority had the ultimate goal of controlling and monitoring information,” said Hensley. “The trend in compromised certificate authorities exposes numerous weaknesses in the overall trust model for the Internet, especially considering the only remediation to the DigiNotar breach was to revoke all compromised certificates.” Attempts to understand the effects of search engine filtering and personalization Researchers at Georgia Tech are currently studying the effects of personalization online search filtering. As part of this research, security experts are attempting to build an infrastructure that will provide a normalized, aggregated view of search results with all personalization for the user stripped out. 1 Source: http://www.nytimes.com/2010/02/11/world/middleeast/11tehran.html; http://www.zdnet.com/blog/igeneration/egypt-shuts-down-internet-amid-further-protests- facebook-web-traffic-drops/7915; http://www.telegraph.co.uk/news/worldnews/africaandindianocean/algeria/8320772/Algeria-tried-to-block-internet-and-Facebook-as- protest-mounted.html 2 Source: http://www.infosecurity-us.com/view/16387/south-korean-government-agencies-hit-by-ddos-attacks/ 3 Source: http://www.movements.org/blog/entry/cyber-attacks-cripple-independent-burmese-media-sites/ E M E R G I N G C Y B E R T H R E AT S R E P O R T 2 0 1 2 9
Advanced Persistent Threats and the Intersection of Cyber Threats with Physical and Critical Infrastructure “Operation Aurora, Night Dragon and Shady Rat are all examples Highlights: of critical industries being victimized by targeted, persistent cyber n Advanced persistent threats will adapt to security measures attacks,” said Dmitri Alperovitch, independent security expert. “The until malicious objectives are achieved. adversaries behind these attacks were able to exfiltrate design sche- matics and sensitive field negotiations for new oil and gas explora- n Human error, lack of user education and weak passwords tion. These represent a company’s crown jewels and their exposure are still major vulnerabilities. has strongly impacted CEO and CIO perspectives on security.” n Cloud computing and computer hardware may present new avenues of attack, with all malware moving down the stack. Alperovitch described what’s involved in creating sophisticated threats like Stuxnet, “These threats are strategic in nature,” he n Large, flat networks with perimeter defenses at the Internet said. “They require a high level of sophistication far beyond the ingress/egress point break down quickly in the face of rudimentary skills of hacktivists. Since the goal is to remain covert, advanced persistent threats. they must involve a lot of testing resources to obfuscate the source of the attack.” Last year’s Stuxnet worm is the most publicized example of an advanced persistent cyber threat adversely impacting a physical A single APT exploitation can plague an system. But security researchers agree that cyber industrial warfare organization for months or even years. is the wave of the future—driven by advanced persistent adversar- ies and well-funded nation states. But attack sophistication largely depends on the security of the selected target. If an attack on critical infrastructure or corporate data theft can be accomplished via traditional phishing and com- mon exploit kits, adversaries will not use advanced techniques. The The advanced persistent threat—not a what, term, “advanced persistent threat” is also misused or confused with but a who? Hacktivists attempting to change industry or government behavior “The Advanced Persistent Threat (APT) buzzword has become the via organized cyber activity—typically denial-of-service campaigns most overused and misunderstood acronym in the IT security com- or the posting of compromised sensitive data designed to publicly munity” said Barry Hensley, Director of the Counter Threat Unit/ embarrass an organization or cripple operations. Research Group for Dell SecureWorks. “An APT is not characterized by the sophistication of an adversary’s malware. Rather, it pertains “The tools, procedures and other controls used to defend commod- to the threat actor’s determination and the resources he is willing to ity security threats are often ineffective against targeted APTs,” said expend to achieve his objectives. It’s not a what, but a who?” Hensley. “When actors are focused on a specific target, they custom- ize and adapt their tactics, techniques and procedures to predict and “When a person or group has the required cognitive abilities and circumvent security controls and standard incident responses.” resources at their disposal, and applies them with the singular aim of obtaining intellectual property, intelligence or personally identifi- According to Hensley, an organization can be plagued by a single able information, it changes the game,” said Hensley. “It means the APT exploitation for months or years—even after it is aware of the threat can and will adapt to your security posture until its objectives effort. The incident response drags on as threat actors continually are achieved or the cost of the operation outweighs the perceived respond to defensive measures and look for new security weak- value of the target.” nesses. “Advanced persistent actors have clear objectives with cen- tralized planning and often decentralized execution,” said Hensley. While governments are important targets for espionage and intelli- “These adversaries are highly resourced, methodical, adaptive, gence gathering, computer systems, corporations and critical infra- resilient, advanced enough and clearly patient.” structure are also attractive, high-value targets. Some nation-state sponsored attacks are targeting corporations specifically for their intellectual property, sensitive business negotiations and national security designs and technology. 10 GEORGIA TECH CYBER SECURITY SUMMIT 2011
Users continue to be a common and the supply chain from beginning to end,” said Andrew Howard, hard-to-remediate weak point in security. research scientist at GTRI. “20 years ago when power stations With such high stakes, critical infrastructure must remain highly weren’t IP-enabled, that may have been less of a concern. But now alert with multiple layers of defense and constant user education. that we’re phasing out legacy hardware for newer equipment that “In the military, you’re taught that in a defensive position, you is connected to the Internet, it could open up a vulnerability to have a three-to-one advantage over an attacker,” said Greg Conti, something like Stuxnet.” associate professor of computer science at West Point. “But in security, it’s the opposite. The attacker has nearly a thousand-to-one While critical infrastructure threats most often conjure images of an advantage. We have to assume that a determined adversary can attack on the power grid, GTRI and other security experts note that overcome the defender, it is just a matter of how long it will take.” the financial infrastructure is also an attractive target, particularly for advanced persistent adversaries. As society continues to move Unfortunately, end users tend to be the most common and hard-to- away from cash, an attack on the credit card exchange system remediate weak point, and even security researchers struggle to could cause a panic and erode trust in the financial system. address the problem. “You can’t patch users,” said Conti. “And there’s always a human being somewhere behind the security technology.” Experts believe the cyber vector is a new force multiplier in nation-state conflicts. One source working in critical infrastructure agrees, “People are always the most vulnerable part of the IT infrastructure,” he said. Experts agree that a cyber conflict with physical ramifications out- “We have so many security layers and defenses, from separating side of a traditional kinetic conflict is unlikely. But they also believe physical control systems from the standard business network, to the cyber vector is a new force multiplier in nation-state conflicts. DMZs, to limiting network protocols that communicate with physical Whether APTs are targeting infrastructure, corporations or govern- systems, and securing all the primary UIs to the Internet. At the end ments, there is a strong need for public/private collaboration to of the day, there’s a person on the end of all that security that can improve security. make decisions that will have an impact.” CONTINUED ON NEXT PAGE The cloud complicates traditional GTRI leads implementation of the security defenses. Homeland Open Security Technology (HOST) program Some of the other concerns surrounding emerging threats to critical infrastructure and business in general include the move to cloud com- The U.S. Department of Homeland Security (DHS) Science puting, the transition from IPv4 to IPv6, computing monocultures and and Technology (S&T) Directorate named the Georgia Tech hardware supply chains. Cloud computing is still relatively ill-defined Research Institute (GTRI) to lead implementation efforts for the yet highly complex, presenting a giant target for adversaries. five-year, $10 million Homeland Open Security Technology (HOST) program. The HOST program investigates open “The cloud complicates today’s traditional defensive techniques,” source and open cyber security methods, models and tech- said Hensley. “A threat actor could build infrastructure in the nologies to identify viable and sustainable approaches that cloud using highly available on-line developer tools, then use it to support national cyber security objectives. command-and-control exploited computers by hiding in what we thought was benign traffic.” “The collaborative nature of open source and open technolo- gies provide unique technical and economic value, and Computer hardware may be another frontier for emerging threats. opportunities for government users,” said Joshua Davis, “We’re seeing a current trend with all malware moving down the associate division head at GTRI’s Cyber Technology and stack,” said Alperovitch. “Threats are becoming embedded in Information Security Laboratory and principal investigator for hardware. There are threats that modify the basic input/output the HOST program. system (BIOS), embed themselves in firmware and persist outside the operating system. We will need new hardware and software GTRI is leading HOST efforts in conjunction with the Open approaches to combat this problem.” Technology Research Consortium (OTRC), a collaborative network of leading academic research institutions, industry Researchers with the Georgia Tech Research Institute (GTRI) agree partners and open source community organizations that work that the hardware supply chain presents a risk. “No one controls to promote the advancement of open source software adop- tion within government agencies. E M E R G I N G C Y B E R T H R E AT S R E P O R T 2 0 1 2 11
Advanced Persistent Threats “Enhanced situational awareness based on reliable threat intelli- “A compartmentalized approach to network architecture is better gence is critical to forming effective defense strategies against these for defending and detecting APTs. Important assets and externally advanced threat actors. Without a thorough understanding of the facing user populations should be placed in separate enclaves with threat, defensive strategies and spending will be inefficient at best additional security controls,” said Hensley. and ineffective at worst,” said Hensley. “Cybercrime is growing and evolving rapidly across all spectrums, Hensley advocates a layered security process and controls, continu- including APTs, fake antivirus, phishing, identity theft, mobile ously applied and updated based on ongoing visibility of evolving threats and fraud,” said Hensley. “At the same time, we still see threats. Security processes and controls should include vulnerability successful attacks which exploit weak or default passwords, such lifecycle management, endpoint protection, intrusion detection/pre- as Morto, Stuxnet and Conflicker. We need a national awareness vention systems, firewalls, logging visibility, network visibility and campaign to highlight how critical the situation really is. Even home security training. users are today’s citizen soldiers as their complacency may contrib- ute to a greater national vulnerability.” “Network architecture does matter,” said Hensley. “While large, flat networks with perimeter defenses at the Internet ingress/egress point are common, this model breaks down quickly in the face of an APT. Once an APT gets a foothold, the interior of the network is highly vulnerable to additional attack stages.” [ Georgia Tech Emerging Cyber Threats Report 2012 Contributors ] Dr. Mustaque Ahamad Dan Kuykendall Director of the Georgia Tech Information Security Center (GTISC) Co-CEO and Chief Technology Officer for NT OBJECTives Dmitri Alperovitch Dr. Wenke Lee Independent Security Expert Professor, Georgia Tech College of Computing Dr. Gregory Conti Gunter Ollmann Associate Professor, Department of Electrical Engineering and Vice President of Research at Damballa Computer Science, United States Military Academy Bo Rotoloni Joshua Davis Director, Cyber Technology and Information Security Laboratory Associate Division Head, Cyber Technology and Information (CTISL) at GTRI Security Laboratory (CTISL) at GTRI Paul Royal Dr. Richard DeMillo Research Scientist, Georgia Tech Information Security Center Director of the Center for 21st Century Universities (C21U) (GTISC) and Professor of Computer Science, Georgia Tech College of Computing Dan Schutzer CTO of BITS, the technology policy division of The Financial Dr. Nick Feamster Services Roundtable Assistant Professor, Georgia Tech College of Computing Christopher Smoak Repor t Des igned B y Ed ward Th arp De sign er Dr. Barry Hensley Research Scientist, Cyber Technology and Information Security Director of the Counter Threat Unit/Research Group for Dell Laboratory (CTISL) SecureWorks Tony Spinelli Andrew Howard Senior Vice President and Chief Security Officer for Equifax, Inc. Research Scientist, Associate Division Head, Cyber Technology and Information Security Laboratory (CTISL) at GTRI Dr. Patrick Traynor Assistant Professor, Georgia Tech College of Computing 12 GEORGIA TECH CYBER SECURITY SUMMIT 2011
Emerging cyber threats_report2012
Emerging cyber threats_report2012

Empfohlen

Puppetnets and Botnets: Information Technology Vulnerability Exploits
Puppetnets and Botnets: Information Technology Vulnerability ExploitsPuppetnets and Botnets: Information Technology Vulnerability Exploits
Puppetnets and Botnets: Information Technology Vulnerability Exploitsecarrow
 
Mobile and SIM data - quantifying the risk - 2011
Mobile and SIM data - quantifying the risk - 2011Mobile and SIM data - quantifying the risk - 2011
Mobile and SIM data - quantifying the risk - 2011CPPGroup Plc
 
TrendLabs 2012 Annual Security Roundup: Evolved Threats in a “Post-PC” World
TrendLabs 2012 Annual Security Roundup: Evolved Threats in a “Post-PC” WorldTrendLabs 2012 Annual Security Roundup: Evolved Threats in a “Post-PC” World
TrendLabs 2012 Annual Security Roundup: Evolved Threats in a “Post-PC” WorldInfinigate Group
 
Social network privacy guide
Social network privacy guideSocial network privacy guide
Social network privacy guideYury Chemerkin
 
PhD Thesis Writing Assistance - Manuscript
PhD Thesis Writing Assistance - ManuscriptPhD Thesis Writing Assistance - Manuscript
PhD Thesis Writing Assistance - Manuscriptkarishmakittu
 
Models of Escalation and De-escalation in Cyber Conflict
Models of Escalation and De-escalation in Cyber ConflictModels of Escalation and De-escalation in Cyber Conflict
Models of Escalation and De-escalation in Cyber ConflictZsolt Nemeth
 
Hakin9 interview w Prof Sood
Hakin9 interview w Prof SoodHakin9 interview w Prof Sood
Hakin9 interview w Prof SoodZsolt Nemeth
 
Review on mobile threats and detection techniques
Review on mobile threats and detection techniquesReview on mobile threats and detection techniques
Review on mobile threats and detection techniquesijdpsjournal
 

Empfohlen

Puppetnets and Botnets: Information Technology Vulnerability Exploits
Puppetnets and Botnets: Information Technology Vulnerability ExploitsPuppetnets and Botnets: Information Technology Vulnerability Exploits
Puppetnets and Botnets: Information Technology Vulnerability Exploitsecarrow
 
Mobile and SIM data - quantifying the risk - 2011
Mobile and SIM data - quantifying the risk - 2011Mobile and SIM data - quantifying the risk - 2011
Mobile and SIM data - quantifying the risk - 2011CPPGroup Plc
 
TrendLabs 2012 Annual Security Roundup: Evolved Threats in a “Post-PC” World
TrendLabs 2012 Annual Security Roundup: Evolved Threats in a “Post-PC” WorldTrendLabs 2012 Annual Security Roundup: Evolved Threats in a “Post-PC” World
TrendLabs 2012 Annual Security Roundup: Evolved Threats in a “Post-PC” WorldInfinigate Group
 
Social network privacy guide
Social network privacy guideSocial network privacy guide
Social network privacy guideYury Chemerkin
 
PhD Thesis Writing Assistance - Manuscript
PhD Thesis Writing Assistance - ManuscriptPhD Thesis Writing Assistance - Manuscript
PhD Thesis Writing Assistance - Manuscriptkarishmakittu
 
Models of Escalation and De-escalation in Cyber Conflict
Models of Escalation and De-escalation in Cyber ConflictModels of Escalation and De-escalation in Cyber Conflict
Models of Escalation and De-escalation in Cyber ConflictZsolt Nemeth
 
Hakin9 interview w Prof Sood
Hakin9 interview w Prof SoodHakin9 interview w Prof Sood
Hakin9 interview w Prof SoodZsolt Nemeth
 
Review on mobile threats and detection techniques
Review on mobile threats and detection techniquesReview on mobile threats and detection techniques
Review on mobile threats and detection techniquesijdpsjournal
 
Comilion introduction presentation 26102012 (1)
Comilion introduction presentation 26102012 (1)Comilion introduction presentation 26102012 (1)
Comilion introduction presentation 26102012 (1)AP DealFlow
 
Blackberry playbook – new challenges
Blackberry playbook – new challengesBlackberry playbook – new challenges
Blackberry playbook – new challengesYury Chemerkin
 
IRJET- Android Device Attacks and Threats
IRJET- Android Device Attacks and ThreatsIRJET- Android Device Attacks and Threats
IRJET- Android Device Attacks and ThreatsIRJET Journal
 
The Future of Cyber Security
The Future of Cyber SecurityThe Future of Cyber Security
The Future of Cyber SecurityStephen Lahanas
 
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updatesBriskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updatesBriskinfosec Technology and Consulting
 
MOBILE DEVICES: THE CASE FOR CYBER SECURITY HARDENED SYSTEMS AND METHODS TO ...
MOBILE DEVICES: THE CASE FOR CYBER SECURITY HARDENED SYSTEMS AND METHODS TO ...MOBILE DEVICES: THE CASE FOR CYBER SECURITY HARDENED SYSTEMS AND METHODS TO ...
MOBILE DEVICES: THE CASE FOR CYBER SECURITY HARDENED SYSTEMS AND METHODS TO ...Maurice Dawson
 
Info security - mobile approach
Info security - mobile approachInfo security - mobile approach
Info security - mobile approachEY Belgium
 
Infromation Security as an Institutional Priority
Infromation Security as an Institutional PriorityInfromation Security as an Institutional Priority
Infromation Security as an Institutional Priorityzohaibqadir
 
Rp threat-predictions-2013
Rp threat-predictions-2013Rp threat-predictions-2013
Rp threat-predictions-2013Комсс Файквэе
 
Honey Pot Intrusion Detection System
Honey Pot Intrusion Detection SystemHoney Pot Intrusion Detection System
Honey Pot Intrusion Detection SystemInternational Journal of Engineering Inventions www.ijeijournal.com
 
20111214 iisf shinoda_
20111214 iisf shinoda_20111214 iisf shinoda_
20111214 iisf shinoda_Directorate of Information Security | Ditjen Aptika
 
Hacking - how accessible is it?
Hacking - how accessible is it?Hacking - how accessible is it?
Hacking - how accessible is it?CPPGroup Plc
 
Security techniques for intelligent spam sensing and anomaly detection in onl...
Security techniques for intelligent spam sensing and anomaly detection in onl...Security techniques for intelligent spam sensing and anomaly detection in onl...
Security techniques for intelligent spam sensing and anomaly detection in onl...IJECEIAES
 
Securing 3-Mode Mobile Banking
Securing 3-Mode Mobile BankingSecuring 3-Mode Mobile Banking
Securing 3-Mode Mobile BankingJay McLaughlin
 
CYBER SECURITY: A SURVEY ON ISSUES AND SOLUTIONS
CYBER SECURITY: A SURVEY ON ISSUES AND SOLUTIONSCYBER SECURITY: A SURVEY ON ISSUES AND SOLUTIONS
CYBER SECURITY: A SURVEY ON ISSUES AND SOLUTIONSIAEME Publication
 
P50 fahl
P50 fahlP50 fahl
P50 fahlКомсс Файквэе
 
A_novel_concept_for_Cybersecurity_ Institutional_Cybersecurty
A_novel_concept_for_Cybersecurity_ Institutional_CybersecurtyA_novel_concept_for_Cybersecurity_ Institutional_Cybersecurty
A_novel_concept_for_Cybersecurity_ Institutional_CybersecurtyGovernment
 
Watchguard - How Cloud‐based Security Delivers   Up‐to‐the‐Minute Network Pro...
Watchguard - How Cloud‐based Security Delivers   Up‐to‐the‐Minute Network Pro...Watchguard - How Cloud‐based Security Delivers   Up‐to‐the‐Minute Network Pro...
Watchguard - How Cloud‐based Security Delivers   Up‐to‐the‐Minute Network Pro...INSPIRIT BRASIL
 
Mobile security hakin9_Revista
Mobile security hakin9_RevistaMobile security hakin9_Revista
Mobile security hakin9_Revistathe_ro0t
 
Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012Комсс Файквэе
 
The Internet As Directed Anticipation
The Internet As Directed AnticipationThe Internet As Directed Anticipation
The Internet As Directed AnticipationZotronix
 
Day for justice webinar final_october 2011
Day for justice webinar final_october 2011Day for justice webinar final_october 2011
Day for justice webinar final_october 2011day4justice
 

Weitere ähnliche Inhalte

Was ist angesagt?

Comilion introduction presentation 26102012 (1)
Comilion introduction presentation 26102012 (1)Comilion introduction presentation 26102012 (1)
Comilion introduction presentation 26102012 (1)AP DealFlow
 
Blackberry playbook – new challenges
Blackberry playbook – new challengesBlackberry playbook – new challenges
Blackberry playbook – new challengesYury Chemerkin
 
IRJET- Android Device Attacks and Threats
IRJET- Android Device Attacks and ThreatsIRJET- Android Device Attacks and Threats
IRJET- Android Device Attacks and ThreatsIRJET Journal
 
The Future of Cyber Security
The Future of Cyber SecurityThe Future of Cyber Security
The Future of Cyber SecurityStephen Lahanas
 
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updatesBriskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updatesBriskinfosec Technology and Consulting
 
MOBILE DEVICES: THE CASE FOR CYBER SECURITY HARDENED SYSTEMS AND METHODS TO ...
MOBILE DEVICES: THE CASE FOR CYBER SECURITY HARDENED SYSTEMS AND METHODS TO ...MOBILE DEVICES: THE CASE FOR CYBER SECURITY HARDENED SYSTEMS AND METHODS TO ...
MOBILE DEVICES: THE CASE FOR CYBER SECURITY HARDENED SYSTEMS AND METHODS TO ...Maurice Dawson
 
Info security - mobile approach
Info security - mobile approachInfo security - mobile approach
Info security - mobile approachEY Belgium
 
Infromation Security as an Institutional Priority
Infromation Security as an Institutional PriorityInfromation Security as an Institutional Priority
Infromation Security as an Institutional Priorityzohaibqadir
 
Hacking - how accessible is it?
Hacking - how accessible is it?Hacking - how accessible is it?
Hacking - how accessible is it?CPPGroup Plc
 
Security techniques for intelligent spam sensing and anomaly detection in onl...
Security techniques for intelligent spam sensing and anomaly detection in onl...Security techniques for intelligent spam sensing and anomaly detection in onl...
Security techniques for intelligent spam sensing and anomaly detection in onl...IJECEIAES
 
Securing 3-Mode Mobile Banking
Securing 3-Mode Mobile BankingSecuring 3-Mode Mobile Banking
Securing 3-Mode Mobile BankingJay McLaughlin
 
CYBER SECURITY: A SURVEY ON ISSUES AND SOLUTIONS
CYBER SECURITY: A SURVEY ON ISSUES AND SOLUTIONSCYBER SECURITY: A SURVEY ON ISSUES AND SOLUTIONS
CYBER SECURITY: A SURVEY ON ISSUES AND SOLUTIONSIAEME Publication
 
A_novel_concept_for_Cybersecurity_ Institutional_Cybersecurty
A_novel_concept_for_Cybersecurity_ Institutional_CybersecurtyA_novel_concept_for_Cybersecurity_ Institutional_Cybersecurty
A_novel_concept_for_Cybersecurity_ Institutional_CybersecurtyGovernment
 
Watchguard - How Cloud‐based Security Delivers   Up‐to‐the‐Minute Network Pro...
Watchguard - How Cloud‐based Security Delivers   Up‐to‐the‐Minute Network Pro...Watchguard - How Cloud‐based Security Delivers   Up‐to‐the‐Minute Network Pro...
Watchguard - How Cloud‐based Security Delivers   Up‐to‐the‐Minute Network Pro...INSPIRIT BRASIL
 
Mobile security hakin9_Revista
Mobile security hakin9_RevistaMobile security hakin9_Revista
Mobile security hakin9_Revistathe_ro0t
 

Was ist angesagt? (19)

Comilion introduction presentation 26102012 (1)
Comilion introduction presentation 26102012 (1)Comilion introduction presentation 26102012 (1)
Comilion introduction presentation 26102012 (1)
 
Blackberry playbook – new challenges
Blackberry playbook – new challengesBlackberry playbook – new challenges
Blackberry playbook – new challenges
 
IRJET- Android Device Attacks and Threats
IRJET- Android Device Attacks and ThreatsIRJET- Android Device Attacks and Threats
IRJET- Android Device Attacks and Threats
 
The Future of Cyber Security
The Future of Cyber SecurityThe Future of Cyber Security
The Future of Cyber Security
 
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updatesBriskinfosec - Threatsploit Report Augest 2021- Cyber security updates
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updates
 
MOBILE DEVICES: THE CASE FOR CYBER SECURITY HARDENED SYSTEMS AND METHODS TO ...
MOBILE DEVICES: THE CASE FOR CYBER SECURITY HARDENED SYSTEMS AND METHODS TO ...MOBILE DEVICES: THE CASE FOR CYBER SECURITY HARDENED SYSTEMS AND METHODS TO ...
MOBILE DEVICES: THE CASE FOR CYBER SECURITY HARDENED SYSTEMS AND METHODS TO ...
 
Info security - mobile approach
Info security - mobile approachInfo security - mobile approach
Info security - mobile approach
 
Infromation Security as an Institutional Priority
Infromation Security as an Institutional PriorityInfromation Security as an Institutional Priority
Infromation Security as an Institutional Priority
 
Rp threat-predictions-2013
Rp threat-predictions-2013Rp threat-predictions-2013
Rp threat-predictions-2013
 
Honey Pot Intrusion Detection System
Honey Pot Intrusion Detection SystemHoney Pot Intrusion Detection System
Honey Pot Intrusion Detection System
 
20111214 iisf shinoda_
20111214 iisf shinoda_20111214 iisf shinoda_
20111214 iisf shinoda_
 
Hacking - how accessible is it?
Hacking - how accessible is it?Hacking - how accessible is it?
Hacking - how accessible is it?
 
Security techniques for intelligent spam sensing and anomaly detection in onl...
Security techniques for intelligent spam sensing and anomaly detection in onl...Security techniques for intelligent spam sensing and anomaly detection in onl...
Security techniques for intelligent spam sensing and anomaly detection in onl...
 
Securing 3-Mode Mobile Banking
Securing 3-Mode Mobile BankingSecuring 3-Mode Mobile Banking
Securing 3-Mode Mobile Banking
 
CYBER SECURITY: A SURVEY ON ISSUES AND SOLUTIONS
CYBER SECURITY: A SURVEY ON ISSUES AND SOLUTIONSCYBER SECURITY: A SURVEY ON ISSUES AND SOLUTIONS
CYBER SECURITY: A SURVEY ON ISSUES AND SOLUTIONS
 
P50 fahl
P50 fahlP50 fahl
P50 fahl
 
A_novel_concept_for_Cybersecurity_ Institutional_Cybersecurty
A_novel_concept_for_Cybersecurity_ Institutional_CybersecurtyA_novel_concept_for_Cybersecurity_ Institutional_Cybersecurty
A_novel_concept_for_Cybersecurity_ Institutional_Cybersecurty
 
Watchguard - How Cloud‐based Security Delivers   Up‐to‐the‐Minute Network Pro...
Watchguard - How Cloud‐based Security Delivers   Up‐to‐the‐Minute Network Pro...Watchguard - How Cloud‐based Security Delivers   Up‐to‐the‐Minute Network Pro...
Watchguard - How Cloud‐based Security Delivers   Up‐to‐the‐Minute Network Pro...
 
Mobile security hakin9_Revista
Mobile security hakin9_RevistaMobile security hakin9_Revista
Mobile security hakin9_Revista
 

Andere mochten auch

The Internet As Directed Anticipation
The Internet As Directed AnticipationThe Internet As Directed Anticipation
The Internet As Directed AnticipationZotronix
 
Day for justice webinar final_october 2011
Day for justice webinar final_october 2011Day for justice webinar final_october 2011
Day for justice webinar final_october 2011day4justice
 
Botnets And Alife
Botnets And AlifeBotnets And Alife
Botnets And AlifeZotronix
 
Day for justice webinar final_october 2011
Day for justice webinar final_october 2011Day for justice webinar final_october 2011
Day for justice webinar final_october 2011day4justice
 
Francesca Bosco, Cybercrimes - Bicocca 31.03.2011
Francesca Bosco, Cybercrimes - Bicocca 31.03.2011Francesca Bosco, Cybercrimes - Bicocca 31.03.2011
Francesca Bosco, Cybercrimes - Bicocca 31.03.2011Andrea Rossetti
 

Andere mochten auch (6)

Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012Rp quarterly-threat-q1-2012
Rp quarterly-threat-q1-2012
 
The Internet As Directed Anticipation
The Internet As Directed AnticipationThe Internet As Directed Anticipation
The Internet As Directed Anticipation
 
Day for justice webinar final_october 2011
Day for justice webinar final_october 2011Day for justice webinar final_october 2011
Day for justice webinar final_october 2011
 
Botnets And Alife
Botnets And AlifeBotnets And Alife
Botnets And Alife
 
Day for justice webinar final_october 2011
Day for justice webinar final_october 2011Day for justice webinar final_october 2011
Day for justice webinar final_october 2011
 
Francesca Bosco, Cybercrimes - Bicocca 31.03.2011
Francesca Bosco, Cybercrimes - Bicocca 31.03.2011Francesca Bosco, Cybercrimes - Bicocca 31.03.2011
Francesca Bosco, Cybercrimes - Bicocca 31.03.2011
 

Ähnlich wie Emerging cyber threats_report2012

Mobile SecurityKalyan BereKodapeComputer Security .docx
Mobile SecurityKalyan BereKodapeComputer Security .docxMobile SecurityKalyan BereKodapeComputer Security .docx
Mobile SecurityKalyan BereKodapeComputer Security .docxroushhsiu
 
Malware threat analysis techniques and approaches for IoT applications: a review
Malware threat analysis techniques and approaches for IoT applications: a reviewMalware threat analysis techniques and approaches for IoT applications: a review
Malware threat analysis techniques and approaches for IoT applications: a reviewjournalBEEI
 
Report on Mobile security
Report on Mobile securityReport on Mobile security
Report on Mobile securityKavita Rastogi
 
Journal of Computer and System Sciences 80 (2014) 973–993Con
Journal of Computer and System Sciences 80 (2014) 973–993ConJournal of Computer and System Sciences 80 (2014) 973–993Con
Journal of Computer and System Sciences 80 (2014) 973–993Conkarenahmanny4c
 
Journal of Computer and System Sciences 80 (2014) 973–993Con.docx
Journal of Computer and System Sciences 80 (2014) 973–993Con.docxJournal of Computer and System Sciences 80 (2014) 973–993Con.docx
Journal of Computer and System Sciences 80 (2014) 973–993Con.docxcroysierkathey
 
Securing mobile devices in the business environment
Securing mobile devices in the business environmentSecuring mobile devices in the business environment
Securing mobile devices in the business environmentIBM Software India
 
Todays Mobile Cybersecurity
Todays Mobile CybersecurityTodays Mobile Cybersecurity
Todays Mobile CybersecurityVivastream
 
Sholove cyren web security - technical datasheet2
Sholove cyren web security - technical datasheet2Sholove cyren web security - technical datasheet2
Sholove cyren web security - technical datasheet2SHOLOVE INTERNATIONAL LLC
 
Sophos security-threat-report-2014-na
Sophos security-threat-report-2014-naSophos security-threat-report-2014-na
Sophos security-threat-report-2014-naAndreas Hiller
 
Watch Guard Reputation Enabled Defense (White Paper)Dna
Watch Guard Reputation Enabled Defense (White Paper)DnaWatch Guard Reputation Enabled Defense (White Paper)Dna
Watch Guard Reputation Enabled Defense (White Paper)DnaSylCotter
 
Third Annual Mobile Threats Report
Third Annual Mobile Threats ReportThird Annual Mobile Threats Report
Third Annual Mobile Threats ReportJuniper Networks
 
Chapter 3_Cyber Security-ccdf.pptx
Chapter 3_Cyber Security-ccdf.pptxChapter 3_Cyber Security-ccdf.pptx
Chapter 3_Cyber Security-ccdf.pptx1SI19IS064TEJASS
 
How to reduce security risks to ensure user confidence in m-payments
How to reduce security risks to ensure user confidence in m-paymentsHow to reduce security risks to ensure user confidence in m-payments
How to reduce security risks to ensure user confidence in m-paymentsBMI Healthcare
 

Ähnlich wie Emerging cyber threats_report2012 (20)

Mobile SecurityKalyan BereKodapeComputer Security .docx
Mobile SecurityKalyan BereKodapeComputer Security .docxMobile SecurityKalyan BereKodapeComputer Security .docx
Mobile SecurityKalyan BereKodapeComputer Security .docx
 
Malware threat analysis techniques and approaches for IoT applications: a review
Malware threat analysis techniques and approaches for IoT applications: a reviewMalware threat analysis techniques and approaches for IoT applications: a review
Malware threat analysis techniques and approaches for IoT applications: a review
 
Report on Mobile security
Report on Mobile securityReport on Mobile security
Report on Mobile security
 
Security Threats Predictions in 2015 – Netmagic
Security Threats Predictions in 2015 – NetmagicSecurity Threats Predictions in 2015 – Netmagic
Security Threats Predictions in 2015 – Netmagic
 
Journal of Computer and System Sciences 80 (2014) 973–993Con
Journal of Computer and System Sciences 80 (2014) 973–993ConJournal of Computer and System Sciences 80 (2014) 973–993Con
Journal of Computer and System Sciences 80 (2014) 973–993Con
 
Journal of Computer and System Sciences 80 (2014) 973–993Con.docx
Journal of Computer and System Sciences 80 (2014) 973–993Con.docxJournal of Computer and System Sciences 80 (2014) 973–993Con.docx
Journal of Computer and System Sciences 80 (2014) 973–993Con.docx
 
Securing mobile devices in the business environment
Securing mobile devices in the business environmentSecuring mobile devices in the business environment
Securing mobile devices in the business environment
 
Todays Mobile Cybersecurity
Todays Mobile CybersecurityTodays Mobile Cybersecurity
Todays Mobile Cybersecurity
 
Sholove cyren web security - technical datasheet2
Sholove cyren web security - technical datasheet2Sholove cyren web security - technical datasheet2
Sholove cyren web security - technical datasheet2
 
The Vigilant Enterprise
The Vigilant EnterpriseThe Vigilant Enterprise
The Vigilant Enterprise
 
Internet
InternetInternet
Internet
 
expert tips
expert tipsexpert tips
expert tips
 
Ten Expert Tips on Internet of Things Security
Ten Expert Tips on Internet of Things SecurityTen Expert Tips on Internet of Things Security
Ten Expert Tips on Internet of Things Security
 
Sophos security-threat-report-2014-na
Sophos security-threat-report-2014-naSophos security-threat-report-2014-na
Sophos security-threat-report-2014-na
 
Watch Guard Reputation Enabled Defense (White Paper)Dna
Watch Guard Reputation Enabled Defense (White Paper)DnaWatch Guard Reputation Enabled Defense (White Paper)Dna
Watch Guard Reputation Enabled Defense (White Paper)Dna
 
Third Annual Mobile Threats Report
Third Annual Mobile Threats ReportThird Annual Mobile Threats Report
Third Annual Mobile Threats Report
 
Chapter 3_Cyber Security-ccdf.pptx
Chapter 3_Cyber Security-ccdf.pptxChapter 3_Cyber Security-ccdf.pptx
Chapter 3_Cyber Security-ccdf.pptx
 
IT Security Trends in 2012
IT Security Trends in 2012IT Security Trends in 2012
IT Security Trends in 2012
 
How to reduce security risks to ensure user confidence in m-payments
How to reduce security risks to ensure user confidence in m-paymentsHow to reduce security risks to ensure user confidence in m-payments
How to reduce security risks to ensure user confidence in m-payments
 
Emerging web security threats
Emerging web security threatsEmerging web security threats
Emerging web security threats
 

Kürzlich hochgeladen

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 

Kürzlich hochgeladen (20)

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 

Emerging cyber threats_report2012

  • 1.
  • 2.
  • 3. [ Table of Contents ] 2 Introduction 3 The Mobile Threat Vector 6 Botnets 8 Controlling Information Online 10 Advanced Persistent Threats E M E R G I N G C Y B E R T H R E AT S R E P O R T 2 0 1 2 1
  • 4. INTRODUCTION Collaborative research, education and awareness are required to battle advanced and large-scale botnet attacks, mobile application exploits, and manipulation of online information. In the past year, we have witnessed cyber attacks of improving human life on a global scale. As a leader unprecedented sophistication and reach. These attacks in cyber security research, Georgia Tech continues to demonstrate that malicious actors have the ability to com- develop novel, impactful solutions to important problems. promise and control millions of computers that belong to Atlanta is a major hub for cyber security, and many secu- governments, private enterprises and ordinary citizens. If rity companies rely on innovation, expertise and talent we are going to prevent motivated adversaries from attack- from Georgia Tech. ing our systems, stealing our data and harming our critical infrastructure, the broader community of security research- Our desire for broader engagement, cooperation and ers—including academia, the private sector and govern- interaction with key stakeholders is necessary for combat- ment—must work together to understand emerging threats ing the large-scale threats we face today and keeping and to develop proactive security solutions to safeguard pace with constantly evolving malware. In addition, per- the Internet and physical infrastructure that relies on it. vasive mobile application adoption and increasing attacks on our ability to access online information require objec- Georgia Tech’s annual Cyber Security Summit on Oct. 11, tive, truth-driven research to ensure integrity and trustwor- 2011 provides an opportunity for security experts from thiness of information and interactions on the Internet. industry, academia and government to come together and explore the challenges we face in securing cyber and Research projects in all these areas are currently under- cyber-connected physical systems. By seeking to engage a way at Georgia Tech. Further leveraging in-house broader audience, Georgia Tech remains at the center of research and expertise, Georgia Tech compiled the fol- efforts to develop new technologies and strategies that are lowing Emerging Cyber Threats Report, which includes effective against sophisticated cyber attacks. insight and analysis from a variety of experts from the IT security industry, government and academia. The Report The Georgia Institute of Technology is one of the nation’s and the Summit provide an open forum for discussion leading public research universities. Groundbreaking of emerging threats, their potential impact and counter- research is underway in dozens of labs across cam- measures for containing them. After the summit, we invite pus and the Georgia Tech Research Institute (GTRI). you to learn more about our work in cyber security and These efforts are focused on producing technology and engage with our experts to understand and address the innovation that will help drive economic growth, while challenges we face in securing cyber space. — Mustaque Ahamad, director, GTISC — Bo Rotoloni, director, Cyber Technology and Information Security Laboratory at GTRI 2 GEORGIA TECH CYBER SECURITY SUMMIT 2011
  • 5. The Mobile Threat Vector—managing tensions between usability, security and scale Highlights: on to confirm the safety of their online location. If a user does click n Mobile applications rely increasingly on the browser, a malicious link on a mobile device, it becomes easier to obfuscate presenting unique challenges to security in terms of usability the attack since the Web address bar is not visible. and scale. The varied existence of SSL icons on mobile browsers can also n Expect compound threats targeting mobile devices to use contribute to successful exploitation. “If you’re a security expert SMS, e-mail and the mobile Web browser to launch an and you want to see the SSL certificates for a site from your mobile attack, then silently record and steal data. phone browser, it is extremely difficult to find that information—if n While USB flash drives have long been recognized for their it’s there at all,” said Traynor. “And if a security expert can’t verify ability to spread malware, mobile phones are becoming a a connection and a certificate, how do we expect the average user new vector that could introduce attacks on otherwise-pro- to avoid compromise?” tected systems Understandably, display security on mobile browsers is not as n Encapsulation and encryption for sensitive portions of a advanced as the desktop either. The way elements are laid out mobile device can strengthen security. on a page and the actions that take place when a user touches something are all opportunities to embed an attack. According to Traynor, mobile browsers are more susceptible to attacks launched just by touching the display. For example, attackers will lure users Mobile browsers present a unique challenge. with attractive display content, hiding their malicious link under- When it comes to securing mobile phones from emerging threats, neath a perfectly legitimate image. Once a user clicks on that scale, usability and device constraints present some interesting image, it gives the attackers the ability to spy on the user and challenges. The mobile phenomenon is still gaining momentum, redirect them to a malicious payload. with four billion mobile phones in use around the world and mobile Internet expected to outpace desktop Internet usage by 2014.1 Today, even less expensive mobile phones come with some form Mobile devices do not commonly receive of Web browser, representing a major vulnerability that can be patches and updates. exploited by existing and emerging threats. Dan Kuykendall, co-CEO and Chief Technology Officer for NT “Mobile applications are increasingly reliant on the browser,” said OBJECTives also worries about threats targeting mobile applica- Patrick Traynor, GTISC researcher and assistant professor at the tions and mobile browsers. “One of the biggest problems with Georgia Tech School of Computer Science. “As a result, we expect mobile browsers is that they never get updated,” he said. “For most more Web-based attacks against mobile devices to be launched in users, their operating system (OS) and mobile browser is the same the coming year.” as it was on the phone’s manufacture date. That gives the attackers a big advantage.” Tension between usability and security, along with device con- straints make it difficult to solve mobile Web browser security flaws. While computers can be manually configured not to trust compro- “The mobile vector requires special consideration when it comes to mised certificates or can receive a software patch in a matter of days, security,” said Traynor. “We still need to explore the significant dif- it can take months to remediate the same threat on mobile devices— ferences between mobile browsers and traditional desktop brows- leaving mobile users vulnerable in the meantime. The software indus- ers to fully understand the potential of emerging threats.” try needs to modify the current patch and update model to integrate mobile devices for more complete coverage. Traynor cites small screen size as just one of many device-related challenges to mobile security. Small screens can make vulnerabili- Kuykendall thinks emerging threats to mobile devices will expand ties more serious and present attackers with an opportunity. For and develop rapidly, similar to the explosion in Web application example, users on a mobile browser will not see the Web address vulnerabilities and threats witnessed several years ago. “To keep bar for very long. To enhance usability, the address bar disap- pace with market demand, the applications are being developed pears above the screen so that more of the page content can be too quickly. Therefore, developers and QA teams are not validat- displayed. But this also removes many of the visual cues users rely ing the data as aggressively as they should,” said Kuykendall. CONTINUED ON NEXT PAGE 1 Source: http://www.digitalbuzzblog.com/2011-mobile-statistics-stats-facts-marketing-infographic/ E M E R G I N G C Y B E R T H R E AT S R E P O R T 2 0 1 2 3
  • 6. The Mobile Threat Vector “They aren’t expecting attacks to come from other phones, which is “Mobile phones are already equipped with cameras that could be already happening, and they don’t fully recognize the vulnerabili- used for facial recognition or iris detection, and microphones for ties present in the back end of all the mobile applications.” voice detection,” Schutzer said. “These technologies can strengthen user and device authentication and augment security practices.” Kuykendall cites data theft as the primary goal of emerging mobile threats and lists several scenarios already happening and expected to continue, including: Implementing a strong mobile security n Exploiting a mobile browser vulnerability to get a remote shell program focused on encapsulation. that enables the attacker to remotely run commands on the As smartphones and tablet devices continue to blur the lines phone OS. between the professional and the personal, global corporations n Compound threats that use SMS, e-mail and the mobile Web such as Equifax (NYSE: EFX), one of the largest and most diverse browser to launch an attack, then silently record and steal data. sources of consumer and commercial data, are implementing stron- ger security policies around mobile devices. “When it comes to mobile security, our approach is based on Threats targeting Android and iOS are on encapsulation. It enables us to establish well-defined boundar- the rise. ies and balance user productivity with security needs,” said Tony Gunter Ollmann, vice president of research for Damballa notes Spinelli, senior vice president and Chief Security Officer of Equifax. that malware targeting mobile devices is constantly evolving. “The “After dedicating significant time and resources to select a mobile Zeus-in-the-Mobile (ZitMo) and several other examples of Android phone management platform, we launched a pilot program to malware are acting more like traditional bots by communicating ensure complete encapsulation of mobile devices for more than with a command-and-control (C2) architecture,” says Ollmann. 6,500 employees across the U.S. and 15 other countries.” “This marks an evolution beyond premium rate fraud and other tactics that do not rely on C2, and makes mobile devices as suscep- Using this approach, Equifax encapsulates and encrypts the cor- tible to criminal breach activity as desktops.” porate portion of an employee’s smartphone, and can quickly and remotely address a device that is compromised in any way. “We The ZitMo attack targeted Android users in an attempt to defeat take a layered, holistic approach to security that includes multiple banking two-factor authentication, steal credentials, and ultimately levels of defense,” said Spinelli. “Despite their rapid consumeriza- money, from users’ bank accounts. Comprised of blended tech- tion, mobile devices are no exception.” niques, this Trojan-based attack involves phishing, social engi- neering, intercepting SMS messages and sending authentication Spinelli concluded, “As mobile devices become an increasingly credentials to a remote server. attractive target in the integrated economy, it is critical for orga- nizations to adopt a multi-faceted strategy that leverages the right Dmitri Alperovitch, independent security expert and former vice combination of security best practices with business technology president of Threat Research at McAfee is also watching the mobile requirements.” space closely. “We’re already seeing an explosion of threats targeting Android and the iOS platform,” he said. “These devices will become major targets in the months ahead and are providing Academic research serves another avenue for data theft.” a marketplace need Alperovitch continued, “Mobile phones represent a physical part Founded in research efforts at Georgia Tech, Pindrop of your identity. They know and can share your location, can take Security is a telecommunication start-up that is restoring photos and record videos. Just think of the potential for data theft if security for aspects of telephony. Long viewed as a trusted an attacker could remotely control these devices. With remote con- medium, telephony is used by companies and individuals to trol of a CEO’s mobile phone, an advanced persistent adversary conduct important transactions. But Caller-ID and Automatic could activate the microphone to record private negotiations.” Number Identification can be easily manipulated leaving telephony transactions vulnerable to attack. Pindrop Security On the bright side, the same mobile device features could be used to offers a unique Caller-ID technology that authenticates callers enhance security. Dan Schutzer, CTO of BITS, the technology policy through the “fingerprint” of the phone call, making financial division of The Financial Services Roundtable, believes that mobile and other transactions over the phone more secure. devices are more naturally suited to biometric security measures. 4 GEORGIA TECH CYBER SECURITY SUMMIT 2011
  • 7. Mobile devices—a new vector for attacking the network and critical systems. One source in private industry that requested anonymity worries that mobile phones will be a new on-ramp to planting malware on more secure devices. “Let’s say you’ve secured a process control system within a nuclear facility and there’s no direct connection between that system and the corporate network,” he said. “Even with such security measures in place, someone who just needs to charge his phone can introduce malware as soon as it’s plugged into a computer within that location.” While USB flash drives have long been recognized for their ability to spread malware, mobile phones are becoming a new vector that could introduce attacks on otherwise-protected systems. “A phone is also a storage device,” notes the industry insider. “I can see a sophisticated attacker writing code to exploit wireless connectivity technology that subsequently plants malware on a mobile phone. Now that phone is programmed to install a dangerous payload as soon as it connects to a targeted system.” Mobile browser security research efforts at Georgia Tech Georgia Tech researchers are working closely with nine mobile browser manufacturers to understand the differences between mobile and desktop browsers and the resulting security implications. Research efforts also include security reviews of nine mobile browsers to identify and remediate vulnerabilities that could lead to successful compromise. E M E R G I N G C Y B E R T H R E AT S R E P O R T 2 0 1 2 5
  • 8. Botnets—the evolving nature of adversaries, tactics, techniques and procedures their stolen data” said Ollmann. “There’s serious money involved Highlights: and a highly competitive underground marketplace. You can find n Botnet controllers build massive information profiles on their hundreds of do-it-yourself botnet kits online, along with YouTube compromised users and sell the data to the highest bidder. instructional videos, competitive reviews of the botnet tools, ads sponsored by DIY constructors, tutorials and more. It has all the n Advanced persistent adversaries query botnet operators in trappings of a legitimate sector of the software space.” search of already compromised machines belonging to their attack targets. n Bad guys will borrow techniques from Black Hat SEO Advanced persistent adversaries leverage to deceive current botnet defenses like dynamic botnets to find entry points. reputation systems. Researchers expect large-scale botnets and targeted, persistent attacks to share more common ground in the future as well. According to Georgia Tech Professor Wenke Lee, “Targeted attacks While botnets have plagued the Internet for some time, their usage against a specific organization used to be perceived as isolated. in advanced persistent threats is evolving, as are the tactics, But now we have evidence that some of these targeted attacks have techniques and procedures for command and control. Today, roots in common botnets.” attacks are much more federated and the malware agents infecting devices are tuned for a particular operating system. That means When an operator creates a large-scale botnet, they have vari- the command and control infrastructure for the entire botnet can ous options for monetizing the investment. In the past, the highest remain the same and still communicate with bots across different bidders needed the computational power to send vast amounts of operating systems. spam or conduct a denial of service attack. But now, advanced persistent adversaries query botnet operators to identify compro- mised machines belonging to the company or organization in their crosshairs. The adversary may ask the botnet operator if he Botnet controllers build massive information can run some queries against the machines to determine the OS, profiles which may become part of legitimate applications running, type of function they perform, etc. to gather lead generation efforts. information for creating a targeted, stealthy attack with the end “Three or more years ago, botnet operators focused on stealing goal of data theft. In many cases, adversaries will pay top dollar email and password credentials, which were useful to spammers,” for the information, providing a new and extremely lucrative source said Gunter Ollmann, vice president of research for Damballa. of revenue for botnet operators. “Now botnet controllers are building massive profiles on their users, including name, address, age, sex, financial worth, relation- Infrastructure and information sharing will also occur more regularly ships, where they visit online, etc. They sell this information, where between botnet operators and other malicious actors. For example, it ultimately finds its way into legitimate lead generation channels.” a bot master can lend or sell his malware/bot program to another attacker that wants to compromise the same machine for a different Sites will buy the information stolen via botnets in bulk. The infor- purpose. Often this requires just a small variation or extension of the mation may exchange hands for money several times. And eventu- original bot program, and may use part of the same command and ally, a legitimate business may pay for the information for lead control infrastructure. The same theory works in reverse as a mali- generation purposes, not realizing that it has been stolen. In some cious actor can sell a successful targeted exploit to a bot operator. cases, a company might pay $20 -$30 for a qualified lead. Botnets can also play a role in auto-filling forms online that are used to compile lists for marketing purposes. The botnets already have all Botnet command and control architecture the personal information necessary to fill out the forms, and botnet is becoming decentralized. operators can devise an automated process resulting in a sophisti- cated fraud scam that is difficult to detect and prosecute. While botnets are still responsible for some of the largest DDoS attacks to date (generating > 100 Gbps of traffic), security experts “The botnet scams are still big business, and operators are com- will focus on evolution of botnet command and control architecture ing up with more elaborate fraud systems to increase the value of in the year ahead. 6 GEORGIA TECH CYBER SECURITY SUMMIT 2011
  • 9. “I think the evolution of botnets has more to do with the Command to a pay-per-install company in the criminal ecosystem to infect as and Control (C2) architecture than the size of the attacks being many machines as possible. To increase its own profits, the pay- launched,” said Barry Hensley, director of the Counter Threat Unit/ per-install company will attempt to install more than one piece of Research Group at Dell SecureWorks. “We are starting to see a malware. As a result, Damballa found that more than 40 percent of decentralized C2 architecture, namely Peer-to-Peer. Since IRC and compromised devices have two or more external entities control- HTTP C2 infrastructure still work well for bot operators, P2P is not ling them. “This makes remediation difficult as users may receive yet widely implemented. Once the security space starts making an varying advice for cleaning up their machines based on the type of impact and decreasing the effectiveness of those two protocols, malware,” said Ollmann. we’ll start to see botnet operators shift toward P2P and DNS. Until then, they’ll just use what works.” Increased botnet take-downs and 64-bit computing can help. On the positive front, botnet take-downs appear to be more com- mon. “These efforts represent an evolution in the security commu- nity,” said Paul Royal, research scientist at Georgia Tech. “As highly motivated security professionals come together for a common cause, we expect to see more take-downs in the year ahead.” Royal also cites the identification and arrest of malware authors as a positive step in combatting the problem. “Taking away the criminal underground’s human capital can be very effective,” said Royal. “However, the security community is facing new ethical concerns related to take-downs that may threaten collaboration.” Royal referred to the trust required to share information about com- promised machines when part of concerted take-down operations. “Unfortunately, some organizations will take defensive information gathered as part of take-down efforts and turn it into offensive infor- mation about compromised machines, which can be sold or shared with interested parties. This practice may discourage some individu- als from participating in take-down efforts moving forward.” Royal does see some promising security advantages for combatting botnets inherent in the transition from 32-bit to 64-bit computing. “Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) are both good for battling exploits, and both are better utilized with 64-bit computing,” he said. “DEP stops what should be data from executing as code. And even if malicious code is downloaded, ASLR makes it harder for threats to reach the final stage.” But the security community is still up against a serious threat when it comes to botnets. “Present defenses involve blacklisting IP addresses, Web filtering techniques and dynamic reputation systems,” said Ollmann. “A new battle front is opening up, and the bad guys will borrow techniques from Black Hat SEO to deceive dynamic repu- tation systems, similar to how they are subverting page ranking techniques used by search engines.” Pay-per-install malware will also continue to plague users. In this sce- nario, bot agent malware is developed. Then the creator subscribes E M E R G I N G C Y B E R T H R E AT S R E P O R T 2 0 1 2 7
  • 10. Controlling Information Online—a new frontier in information security Malicious actors try to influence search Highlights: engine algorithms for their own benefit. n Security researchers are currently debating whether person- According to Greg Conti, associate professor of computer science alization online could become a form of censorship. at West Point, in the digital age, propaganda and censorship have become automated processes. He suggests applying critical ques- n Attackers are performing search engine optimization to tions to information online, including: help their malicious sites rank highly in search results. n The trend in compromised certificate authorities exposes n Who controls the flow? numerous weaknesses in the overall trust model for n Who can alter the flow? the Internet. n Who restricts consumption? n Is there surveillance? n Is there the perception of surveillance? The control of information delivered to online users continues to “The original idea of browsing the Web from site to site without a be a complex security challenge. “In addition to trust and privacy, global search capability didn’t scale,” said Conti. “Now we have the lack of transparency concerning how governments and Internet search engines like Google with tremendous control over the flow Service Providers (ISPs) prioritize traffic is a serious threat,” said of information. Actors are trying to influence the largely neutral Nick Feamster, associate professor in the College of Computing at search engine algorithms for their own benefit using search engine Georgia Tech. Feamster studies Internet-based control of information optimization and search poisoning techniques.” along a spectrum, ranging from overt blocking of content, to mali- cious manipulation, to selective censorship and filtering, to attempts While search poisoning has been around for years, it is still an to manipulate Internet performance at the ISP level. effective technique for launching malware. In a recent 2011 cam- paign, increasing numbers of Google image search results were “When performance is degraded, a service is unavailable, or infor- poisoned, redirecting users either to an exploit kit or rogue AV mation is inaccessible, it is difficult for users to determine whether sites. Attackers compromised large numbers of legitimate sites and the root cause is an unintentional performance issue or overt censor- users had only to click on thumbnail images to launch the exploit. ship,” said Feamster. “Even examples that seem fairly innocuous can have serious impacts when it comes to opinion shaping and “The online world obfuscates where information comes from and spreading misinformation.” provides ample opportunity to manipulate information before a user receives it,” said Wenke Lee, professor in the College of Computing at Georgia Tech. “Search poisoning and index poison- ing are just two examples of attackers taking advantage of this Does personalization online present a risk? situation to launch malware.” Security researchers are currently debating whether personaliza- tion online could become a form of censorship. Websites, news In a typical search poisoning scenario, a user searches a term then media sites, social networking sites and advertisers are all sharing clicks a particular link from among the search results. They are personal data about individuals with the goal of more effectively redirected multiple times and eventually land on a page with no rel- targeting information for those individuals. For example, a news evance to the original search, which is used as a vector to deliver media website might highlight several articles under the heading malware. Attackers are doing their own search engine optimization “Recommended for You” based on age, ethnicity, location, profes- to try to get their malicious sites to rank highly in search results. sion and items searched previously. If a user only received news Malicious sites are also getting better at hiding their bad payloads under this heading, it could be limiting. The same principle holds from the search engine crawlers. If they detect a crawler, they will for search engines that filter results according to algorithms that present a clean Web page to remain undetected. factor a user’s personal information. “You may have the impression that search engines are neutral con- duits, but the results you receive could present a restricted world- view,” said Feamster. “In the case of search filtering, most users are completely unaware and have no method to widen search results beyond what the engine supplies.” 8 GEORGIA TECH CYBER SECURITY SUMMIT 2011
  • 11. Combination attacks affecting DNS service In addition to new sophisticated Domain Name System (DNS) and providers and certificate authorities are certificate authority-based threats, Hensley noted several recent especially dangerous. examples of Distributed Denial of Service (DDoS) attacks and With the goal of controlling and monitoring information (as well as nation-state sponsored actions that prevented access to information stealing data), hackers will develop combination attacks that affect online, including: DNS service providers and compromise certificate authorities. n Large-scale protests coordinated via social media in Libya, Iran, These sophisticated, effective threats will be increasingly difficult Bahrain, Algeria, Jordan, Yemen and Egypt, causing nation-states to detect and will obviate the need for attackers to place a “man to disrupt Internet service or drop from the Internet entirely.1 in the middle.” Even security-conscious users will not be able to tell if they are on a malicious site if DNS provisioning systems are n DDoS attacks against various South Korean government and compromised. And if stolen certificate authorities are employed, business sites.2 attackers can create fake banking applications and more to control n DDoS attacks against various Burmese government opposition access to information, steal personal data and money. sites mark third anniversary of Saffron Revolution.3 Barry Hensley, director of the Counter Threat Unit at Dell SecureWorks, cites the 2011 DigiNotar Certificate Authority (CA) While the techniques used to mount these attacks are not new, breach as a manipulation of security controls with the intent of security researchers expect the Internet and control of informa- controlling and monitoring private citizens’ information. In the case tion online to be a pawn in future conflicts. According to Hensley, of DigiNotar, a hacker going by the handle of “COMODOHacker” “Over the past year, hacktivism has been center stage. SQL seized control of CA servers, created fraudulent certificates and used injection and DDoS attacks continue to be the tools of choice for them to execute “man-in-the-middle” attacks against hundreds of thou- these groups, many of whom are masters at disinformation and the sands of victims. The scheme enabled the hacker to access Iranian creation of alternative profiles and groups.” Gmail users’ messages and monitor much of their Internet traffic. Recent Internet-driven protests in Libya and Egypt also suggest that “The recent DigiNotar breach associated with a compromised cer- disinformation could play a bigger role in future political conflicts. tificate authority had the ultimate goal of controlling and monitoring information,” said Hensley. “The trend in compromised certificate authorities exposes numerous weaknesses in the overall trust model for the Internet, especially considering the only remediation to the DigiNotar breach was to revoke all compromised certificates.” Attempts to understand the effects of search engine filtering and personalization Researchers at Georgia Tech are currently studying the effects of personalization online search filtering. As part of this research, security experts are attempting to build an infrastructure that will provide a normalized, aggregated view of search results with all personalization for the user stripped out. 1 Source: http://www.nytimes.com/2010/02/11/world/middleeast/11tehran.html; http://www.zdnet.com/blog/igeneration/egypt-shuts-down-internet-amid-further-protests- facebook-web-traffic-drops/7915; http://www.telegraph.co.uk/news/worldnews/africaandindianocean/algeria/8320772/Algeria-tried-to-block-internet-and-Facebook-as- protest-mounted.html 2 Source: http://www.infosecurity-us.com/view/16387/south-korean-government-agencies-hit-by-ddos-attacks/ 3 Source: http://www.movements.org/blog/entry/cyber-attacks-cripple-independent-burmese-media-sites/ E M E R G I N G C Y B E R T H R E AT S R E P O R T 2 0 1 2 9
  • 12. Advanced Persistent Threats and the Intersection of Cyber Threats with Physical and Critical Infrastructure “Operation Aurora, Night Dragon and Shady Rat are all examples Highlights: of critical industries being victimized by targeted, persistent cyber n Advanced persistent threats will adapt to security measures attacks,” said Dmitri Alperovitch, independent security expert. “The until malicious objectives are achieved. adversaries behind these attacks were able to exfiltrate design sche- matics and sensitive field negotiations for new oil and gas explora- n Human error, lack of user education and weak passwords tion. These represent a company’s crown jewels and their exposure are still major vulnerabilities. has strongly impacted CEO and CIO perspectives on security.” n Cloud computing and computer hardware may present new avenues of attack, with all malware moving down the stack. Alperovitch described what’s involved in creating sophisticated threats like Stuxnet, “These threats are strategic in nature,” he n Large, flat networks with perimeter defenses at the Internet said. “They require a high level of sophistication far beyond the ingress/egress point break down quickly in the face of rudimentary skills of hacktivists. Since the goal is to remain covert, advanced persistent threats. they must involve a lot of testing resources to obfuscate the source of the attack.” Last year’s Stuxnet worm is the most publicized example of an advanced persistent cyber threat adversely impacting a physical A single APT exploitation can plague an system. But security researchers agree that cyber industrial warfare organization for months or even years. is the wave of the future—driven by advanced persistent adversar- ies and well-funded nation states. But attack sophistication largely depends on the security of the selected target. If an attack on critical infrastructure or corporate data theft can be accomplished via traditional phishing and com- mon exploit kits, adversaries will not use advanced techniques. The The advanced persistent threat—not a what, term, “advanced persistent threat” is also misused or confused with but a who? Hacktivists attempting to change industry or government behavior “The Advanced Persistent Threat (APT) buzzword has become the via organized cyber activity—typically denial-of-service campaigns most overused and misunderstood acronym in the IT security com- or the posting of compromised sensitive data designed to publicly munity” said Barry Hensley, Director of the Counter Threat Unit/ embarrass an organization or cripple operations. Research Group for Dell SecureWorks. “An APT is not characterized by the sophistication of an adversary’s malware. Rather, it pertains “The tools, procedures and other controls used to defend commod- to the threat actor’s determination and the resources he is willing to ity security threats are often ineffective against targeted APTs,” said expend to achieve his objectives. It’s not a what, but a who?” Hensley. “When actors are focused on a specific target, they custom- ize and adapt their tactics, techniques and procedures to predict and “When a person or group has the required cognitive abilities and circumvent security controls and standard incident responses.” resources at their disposal, and applies them with the singular aim of obtaining intellectual property, intelligence or personally identifi- According to Hensley, an organization can be plagued by a single able information, it changes the game,” said Hensley. “It means the APT exploitation for months or years—even after it is aware of the threat can and will adapt to your security posture until its objectives effort. The incident response drags on as threat actors continually are achieved or the cost of the operation outweighs the perceived respond to defensive measures and look for new security weak- value of the target.” nesses. “Advanced persistent actors have clear objectives with cen- tralized planning and often decentralized execution,” said Hensley. While governments are important targets for espionage and intelli- “These adversaries are highly resourced, methodical, adaptive, gence gathering, computer systems, corporations and critical infra- resilient, advanced enough and clearly patient.” structure are also attractive, high-value targets. Some nation-state sponsored attacks are targeting corporations specifically for their intellectual property, sensitive business negotiations and national security designs and technology. 10 GEORGIA TECH CYBER SECURITY SUMMIT 2011
  • 13. Users continue to be a common and the supply chain from beginning to end,” said Andrew Howard, hard-to-remediate weak point in security. research scientist at GTRI. “20 years ago when power stations With such high stakes, critical infrastructure must remain highly weren’t IP-enabled, that may have been less of a concern. But now alert with multiple layers of defense and constant user education. that we’re phasing out legacy hardware for newer equipment that “In the military, you’re taught that in a defensive position, you is connected to the Internet, it could open up a vulnerability to have a three-to-one advantage over an attacker,” said Greg Conti, something like Stuxnet.” associate professor of computer science at West Point. “But in security, it’s the opposite. The attacker has nearly a thousand-to-one While critical infrastructure threats most often conjure images of an advantage. We have to assume that a determined adversary can attack on the power grid, GTRI and other security experts note that overcome the defender, it is just a matter of how long it will take.” the financial infrastructure is also an attractive target, particularly for advanced persistent adversaries. As society continues to move Unfortunately, end users tend to be the most common and hard-to- away from cash, an attack on the credit card exchange system remediate weak point, and even security researchers struggle to could cause a panic and erode trust in the financial system. address the problem. “You can’t patch users,” said Conti. “And there’s always a human being somewhere behind the security technology.” Experts believe the cyber vector is a new force multiplier in nation-state conflicts. One source working in critical infrastructure agrees, “People are always the most vulnerable part of the IT infrastructure,” he said. Experts agree that a cyber conflict with physical ramifications out- “We have so many security layers and defenses, from separating side of a traditional kinetic conflict is unlikely. But they also believe physical control systems from the standard business network, to the cyber vector is a new force multiplier in nation-state conflicts. DMZs, to limiting network protocols that communicate with physical Whether APTs are targeting infrastructure, corporations or govern- systems, and securing all the primary UIs to the Internet. At the end ments, there is a strong need for public/private collaboration to of the day, there’s a person on the end of all that security that can improve security. make decisions that will have an impact.” CONTINUED ON NEXT PAGE The cloud complicates traditional GTRI leads implementation of the security defenses. Homeland Open Security Technology (HOST) program Some of the other concerns surrounding emerging threats to critical infrastructure and business in general include the move to cloud com- The U.S. Department of Homeland Security (DHS) Science puting, the transition from IPv4 to IPv6, computing monocultures and and Technology (S&T) Directorate named the Georgia Tech hardware supply chains. Cloud computing is still relatively ill-defined Research Institute (GTRI) to lead implementation efforts for the yet highly complex, presenting a giant target for adversaries. five-year, $10 million Homeland Open Security Technology (HOST) program. The HOST program investigates open “The cloud complicates today’s traditional defensive techniques,” source and open cyber security methods, models and tech- said Hensley. “A threat actor could build infrastructure in the nologies to identify viable and sustainable approaches that cloud using highly available on-line developer tools, then use it to support national cyber security objectives. command-and-control exploited computers by hiding in what we thought was benign traffic.” “The collaborative nature of open source and open technolo- gies provide unique technical and economic value, and Computer hardware may be another frontier for emerging threats. opportunities for government users,” said Joshua Davis, “We’re seeing a current trend with all malware moving down the associate division head at GTRI’s Cyber Technology and stack,” said Alperovitch. “Threats are becoming embedded in Information Security Laboratory and principal investigator for hardware. There are threats that modify the basic input/output the HOST program. system (BIOS), embed themselves in firmware and persist outside the operating system. We will need new hardware and software GTRI is leading HOST efforts in conjunction with the Open approaches to combat this problem.” Technology Research Consortium (OTRC), a collaborative network of leading academic research institutions, industry Researchers with the Georgia Tech Research Institute (GTRI) agree partners and open source community organizations that work that the hardware supply chain presents a risk. “No one controls to promote the advancement of open source software adop- tion within government agencies. E M E R G I N G C Y B E R T H R E AT S R E P O R T 2 0 1 2 11
  • 14. Advanced Persistent Threats “Enhanced situational awareness based on reliable threat intelli- “A compartmentalized approach to network architecture is better gence is critical to forming effective defense strategies against these for defending and detecting APTs. Important assets and externally advanced threat actors. Without a thorough understanding of the facing user populations should be placed in separate enclaves with threat, defensive strategies and spending will be inefficient at best additional security controls,” said Hensley. and ineffective at worst,” said Hensley. “Cybercrime is growing and evolving rapidly across all spectrums, Hensley advocates a layered security process and controls, continu- including APTs, fake antivirus, phishing, identity theft, mobile ously applied and updated based on ongoing visibility of evolving threats and fraud,” said Hensley. “At the same time, we still see threats. Security processes and controls should include vulnerability successful attacks which exploit weak or default passwords, such lifecycle management, endpoint protection, intrusion detection/pre- as Morto, Stuxnet and Conflicker. We need a national awareness vention systems, firewalls, logging visibility, network visibility and campaign to highlight how critical the situation really is. Even home security training. users are today’s citizen soldiers as their complacency may contrib- ute to a greater national vulnerability.” “Network architecture does matter,” said Hensley. “While large, flat networks with perimeter defenses at the Internet ingress/egress point are common, this model breaks down quickly in the face of an APT. Once an APT gets a foothold, the interior of the network is highly vulnerable to additional attack stages.” [ Georgia Tech Emerging Cyber Threats Report 2012 Contributors ] Dr. Mustaque Ahamad Dan Kuykendall Director of the Georgia Tech Information Security Center (GTISC) Co-CEO and Chief Technology Officer for NT OBJECTives Dmitri Alperovitch Dr. Wenke Lee Independent Security Expert Professor, Georgia Tech College of Computing Dr. Gregory Conti Gunter Ollmann Associate Professor, Department of Electrical Engineering and Vice President of Research at Damballa Computer Science, United States Military Academy Bo Rotoloni Joshua Davis Director, Cyber Technology and Information Security Laboratory Associate Division Head, Cyber Technology and Information (CTISL) at GTRI Security Laboratory (CTISL) at GTRI Paul Royal Dr. Richard DeMillo Research Scientist, Georgia Tech Information Security Center Director of the Center for 21st Century Universities (C21U) (GTISC) and Professor of Computer Science, Georgia Tech College of Computing Dan Schutzer CTO of BITS, the technology policy division of The Financial Dr. Nick Feamster Services Roundtable Assistant Professor, Georgia Tech College of Computing Christopher Smoak Repor t Des igned B y Ed ward Th arp De sign er Dr. Barry Hensley Research Scientist, Cyber Technology and Information Security Director of the Counter Threat Unit/Research Group for Dell Laboratory (CTISL) SecureWorks Tony Spinelli Andrew Howard Senior Vice President and Chief Security Officer for Equifax, Inc. Research Scientist, Associate Division Head, Cyber Technology and Information Security Laboratory (CTISL) at GTRI Dr. Patrick Traynor Assistant Professor, Georgia Tech College of Computing 12 GEORGIA TECH CYBER SECURITY SUMMIT 2011