3. Classical Penetration attacks
• Penetration attack steps:
o Reconnaissance
o Fingerprinting
o Application Analysis
o Threat Analysis
o Exploitation of vulnerability
4. Evolution
• How Solution Evolved
– Firewalls became smarter
– IPS evolved and can stop network-based attacks in real time
– Policy control can be strongly enforced for enterprise assets (DMZ, servers, etc.)
6. Current Threat Landscape
• Paradigm shift in Threat landscape
• More than 80% of attacks today are web based
• Attack vector is shifting from Network to Application
• Malware growth has been exponential
• The number of compromised active hosts on the internet is in the millions
• Data theft is at an all-time high
• Hacking is no longer about the thrill, it's all about money
8. Latest attack technique
• Attacks are highly automated
• Dynamic host generation
• User-generated forums for C&C (Twitter, Google Groups, IRC)
• Automated polymorphic malware generation
• Built-in debugger evasion
• Malicious code injection in legitimate sites (MSN Canada, BOI). There goes your URL filter!
• Advanced encrypted channels for communication
10. Favorite attack vectors
• Browser is the most preferred attack vector:
o Exploiting browser plugins:
• PDF (aka Penetration Document Format), Flash, Java and other client applications
• Or the plain old reliable user who'll do anything if you ask nicely :)
12. Exploiting System Flaws
ATM fraud in Kolkata and Bihar
http://www.currentweek.net/2010/08/atm-sbi-boi-fraud-tools-screw-drivers.html
Double refund fraud in Kolkata
http://timesofindia.indiatimes.com/city/kolkata-/Police-crack-Rs-2-crore-double-refund/articleshow/6904492.cms
13. Top Security Trends
• Nation-sponsored hacking: When APT meets industrialization
• The insider threat is much more than you had imagined
• Man in the Browser attacks will man up
• Misanthropes and anti-socials: Privacy vs. security in social networks
• File security takes centre stage
• Data security goes to the cloud
• Mobile devices compromise data security
• Hackers feeling the heat
• Cyber security becomes a business process
• Convergence of data security and privacy regulation worldwide
Source: http://blog.imperva.com/2010/11/index.html