IBM X-Force – Trending the Threat

IBM Security Systems
Data and Research from the 2012 Mid-Year Trend & Risk report
Leslie Horacek
X-Force Threat Response Manager
January 2013
© 2012 IBM Corporation
At IBM, the world is our Security lab
• Security Operations Centers
• Security Research Centers
• Security Solution Development Labs
• Institute for Advanced Security Branches
15,000 researchers, developers and subject matter experts working security initiatives worldwide
IBM Security Systems
Collaborative IBM teams monitor and analyze the latest threats
Coverage
Depth
20,000+ devices
14B analyzed
under contract
3,700+ managed
clients worldwide
13B+ events
managed per day
133 monitored
countries (MSS)
1,000+ security
related patents
4
IBM Security Systems
web pages & images
40M spam &
phishing attacks
64K documented
vulnerabilities
Billions of intrusion
attempts daily
Millions of unique
malware samples
© 2012 IBM Corporation
IBM Security Systems
What are we seeing?
The annual report gives a view of changes in the threat landscape. Key findings…
Findings from the 2012 X-Force® Mid Year Trend and Risk Report
Fewer public exploit disclosures as a % of total vulnerabilities. Is software harder to exploit?
Findings from the 2012 X-Force® Mid Year Trend and Risk Report
Success in sandboxing: significant decrease in PDF vulnerabilities.
Findings from the 2012 X-Force® Mid Year Trend and Risk Report
Surprise! Fewer mobile operating system vulnerabilities disclosed in H1 2012. But…
Findings from the 2012 X-Force® Mid Year Trend and Risk Report
Vulnerability disclosures up in 2012: 4,400 in 1H 2012 (on track for a record year).
Findings from the 2012 X-Force® Mid Year Trend and Risk Report
Web Application Vulnerabilities Rise Again: 47% of all vulnerabilities affect web applications.
What is the difference between XSS and SQLi?
• SQL injection (in base terms) is when an attacker goes after a database to take information: untrusted input is spliced into a database query and changes what the query does.
• XSS (in base terms) is when an attacker gets script into a page of a trusted site so that it runs in other users’ browsers, for example to “redirect” users from one site to another malicious site.
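The two bugs above side by side with their hardened forms, as an added example that is not from the report: the database is an in-memory SQLite table with constructed rows, and the “unsafe” functions keep the defect on purpose so that the difference is visible.

```python
import html
import sqlite3


def make_db():
    """Build an in-memory SQLite table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """SQL injection: the caller's string is spliced into the SQL text itself,
    so a quote character in the input changes what the query means."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Hardened form: a bound parameter is always treated as data, never as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def greeting_unsafe(name):
    """XSS: untrusted text is written into the HTML document as-is, so markup
    or script inside it is interpreted by every visitor's browser."""
    return "<p>Hello, " + name + "</p>"


def greeting_safe(name):
    """Hardened form: HTML-escape untrusted text before it enters the page."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"          # constructed input that rewrites the WHERE clause
    print(lookup_unsafe(db, "bob"))      # one row, as intended
    print(lookup_unsafe(db, tautology))  # every row: the query's logic was changed
    print(lookup_safe(db, tautology))    # []: the literal string matches no user
    markup = "<script>alert(1)</script>"
    print(greeting_unsafe(markup))       # script element lands in the page verbatim
    print(greeting_safe(markup))         # escaped: shown as inert text
```

The fix for SQLi is structural (parameters, never string building); the fix for XSS is contextual output encoding at the point where data enters HTML. Input validation helps with both but substitutes for neither.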
Findings from the 2012 X-Force® Mid Year Trend and Risk Report
Cross Site Scripting reaches an all time high: 51% are categorized as XSS.
Findings from the 2012 X-Force® Mid Year Trend and Risk Report
SQL Injection activity reversed in 2011 and continues to increase.
Findings from the 2012 X-Force® Mid Year Trend and Risk Report
Developments in Mac Malware: Flashback outbreak and the discovery of advanced persistent threat (APT) Mac malware.
The drive-by-download process
1. Desktop users browse the Internet.
2. They reach a web server with an embedded iframe; the web browser is targeted.
3. The malicious iframe host serves exploit material.
4. A downloader is installed.
5. Malware is installed and activated.
Motivations and sophistication are rapidly evolving
• Nation-state actors (Stuxnet) – National Security
• Competitors and Hacktivists (Aurora) – Espionage, Activism
• Organized crime (Zeus) – Monetary Gain
• Insiders and Script-kiddies (Code Red) – Revenge, Curiosity
Motivation and sophistication are evolving rapidly
• Attackers have more resources
• Off-the-shelf tools are available for sale
• They will keep trying until they get in
Nobody is immune
[Chart: 2011 Sampling of Security Incidents by Attack Type, Time and Impact, January through December 2011. Attack types plotted: SQL Injection, URL Tampering, Spear Phishing, 3rd Party Software, DDoS, SecureID, Trojan Software, Unknown. Sectors hit include Online Gaming, Entertainment, Central and State Government, National and State Police, Consumer Electronics, Banking, Consulting, Marketing Services, Internet Services, Online Services, IT Security, Defense, Apparel, Telecommunications, Financial Market, Insurance, Agriculture and Heavy Industry. Size of circle estimates relative impact of breach in terms of cost to business.]
Source: IBM X-Force® Research 2011 Trend and Risk Report
IT Security is a board room discussion
Board-level concerns: Business results, Brand image, Supply chain, Legal exposure, Impact of hacktivism, Audit risk
• Sony estimates potential $1B long term impact – $171M / 100 customers*
• HSBC data breach discloses 24K private banking customers
• Epsilon breach impacts 100 national brands
• TJX estimates $150M class action settlement in release of credit / debit card info
• Lulzsec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …
• Zurich Insurance PLc fined £2.275M ($3.8M) for the loss and exposure of 46K customer records
*Sources for all breaches shown in speaker notes
Solving a security issue is a complex, four-dimensional puzzle
People: Employees, Outsourcers, Hackers, Suppliers, Consultants, Customers, Terrorists
Data: Structured, Unstructured, At rest, In motion
Applications: Systems Applications, Web Applications, Web 2.0, Mobile Applications
Infrastructure: Datacenters, PCs, Laptops, Mobile, Cloud, Non-traditional
Attempting to protect the perimeter is not enough – siloed point products and traditional defenses cannot adequately secure the enterprise
Attackers are using sophisticated techniques to bypass defenses
IBM Security Systems
CONSUMERIZATION OF IT
With the advent of Enterprise 2.0 and social business, the line between personal and professional
hours, devices and data is disappearing.
23
IBM Security Systems
© 2012 IBM Corporation
IBM Security Systems
Mobile is is the next evolution in computing
Mobile/Wireless/Cloud
Employees
34%
employees in 2012 are mobile
Web/Desktop
(Source: IDC*)
Client/Server
Mobile Applications
Host/Mainframe
Security
85 billion
8X
mobile applications will be
downloaded in 2012
increase in security risk
driven by proliferation of
mobile data and devices
(Source: IDC)
“Consumerisation of IT”
Unified Communications (UC)
78%
of multinational corporations plan to adopt
mobile UC by 2015, including mobile video
streaming and conferencing
24
IBM Security Systems
62%
individual–liable (BYOD*) devices used for
business, compared to 38% corporate-liable
in 2012
(Source: IDC*)
© 2012 IBM Corporation
IBM Security Systems
Uniqueness of Mobile…
Mobile Devices are
Shared More Often
Mobile Devices are
Used in More
Locations
Mobile Devices
prioritize User
Experience
Mobile Devices
have multiple
personas
Mobile Devices are
Diverse
Smartphones and
tablets are multipurpose personal
devices. Therefore,
users share them with
friends, and family
more often than
traditional computing
devices – laptops and
desktops. Social
norms on privacy are
different when
accessing filesystems vs. mobile
apps
Smartphones and
tablets are frequently
used in challenging
wireless situations
that contrast with
laptop friendly remote
access centers.
Laptops are used in a
limited number of
trusted locations
Smartphones and
tablets place a
premium on user
experience and any
security protocol that
diminishes the
experiences will not be
adopted or will be
circumvented.
Workstation level
security cannot be
assumed unless they
are dedicated devices
Smartphones and
tablets may have
multiple personas –
entertainment device,
work tool, etc. Each
persona is used in a
different context.
Users may want to
employ a different
security model for
each persona without
affecting another.
Smartphones and
tablets employ a
variety of different
platforms and have
numerous applications
aimed at pushing the
boundaries of
collaboration. The
standard interaction
paradigms used on
laptops and desktops
cannot be assumed.
25
IBM Security Systems
© 2012 IBM Corporation
Mobile Security Threat Landscape
Malware
• Malware, which exists in various forms (viruses, worms, Trojans, spyware), has been constantly increasing.
• 25,000 mobile malware apps were identified as of the second quarter of 2012 – a 417 percent rise from the first quarter. (Trend)
• No platform is immune. Malicious applications are on the increase in all app stores.
• “Zeus for Mobile”
• First large scale mobile botnet in 1Q2012 – RootStrap (Symantec)
Communication
• SMS toll fraud continues as one of the primary exploited areas
• Bluetooth is an exploited vector because a device in discoverable mode can be easily discovered and lured to accept a malicious connection request.
• “Man in the middle” attacks have been demonstrated to be possible with several platforms using Wi-Fi links.
• Phishing or pharming attacks can leverage multiple channels: email, SMS, MMS, and voice
Loss and Theft
• A survey of consumer users found that one out of every three users has lost a mobile device at some point.
• 2011 study – 36 percent of consumers in the United States have either lost their mobile phone or had it stolen. (Symantec)
• The major benefits of mobile devices (size and portability) unfortunately come with the big risk of losing sensitive data, a risk that has to be accepted but can be mitigated.
• Cell phone theft in New York City jumped from eight percent of robberies 10 years ago to more than 40 percent today (CBS News)
OS vulnerability based attacks
• Mobile OS vulnerabilities continue to be discovered at significant rates
• Always on and connected, the mobile device is a prime target for hit-and-run network-based attacks and for exploiting zero-day vulnerabilities.
• Published techniques to “jailbreak” or “root” mobile devices allow hackers to get administrative access, commonly within days of release
[Chart: Total Mobile Operating System Vulnerabilities, 2006 - 2012 1H (projected); y-axis 0 to 200, x-axis 2006 through 2012]
New Mobile threats
Which QR code is evil?
• QR Code contained a URL to download malware
• The malware sent SMS messages to a premium rate number (US $6 per message)
http://siliconangle.com/blog/2011/10/21/infected-qr-malware-surfaceson-smartphones-apps/
Social networks create an easy environment to share, but without editorial oversight this can lead to any number of problems.
Global Facebook Connections Map
Graph of 500M Facebook users’ network connections, December 2010
Source: Paul Butler, Facebook: http://www.facebook.com/note.php?note_id=469716398919
Social Media in Your Organization
• Facebook is now the primary communication method for college students in the U.S. (Univ of Maryland Study)
• Social networking accounts for 22% of all time spent online in the U.S., and average workers spend 5.5 hours/month on social networking from the office (Nielsen)
• Social networks are now the #1 activity on the Web
• Many employees use social media via personal devices at work without official permission
– 1 in 3 Americans now own a smart phone, and 500M+ are expected to be sold in 2012
– IDC: 95% of workers use technology they purchased themselves for work
– Aberdeen: 72% of firms surveyed allow employees to use smartphones or tablets for work
Social Media Risks Are Increasing
• Explosion of social networks encourages a high degree of communication and sharing, which can lead to increased risk
• Younger generations have a much lower expectation of (and respect for) privacy and security
• The massive amount of now public or open-source intelligence (OSINT) that is available for gathering has opened a new realm in information security and attacks.
• Potential security and privacy risks from employee misuse of social media
– Exposure of confidential information
– Use of inappropriate language / libelous speech
– Misrepresentation of corporate positions
– Potential legal liability and negative PR
– Posting of confidential or embarrassing photos or videos
– Increased risk of malware infections
In a recent survey, 63% of more than 4,000 respondents felt that social media represents increased security risks—yet only 29% reported that they had the necessary security controls to mitigate those risks.
“Conventional marketing wisdom long held that a dissatisfied customer tells ten people. But…in the new age of social media, he or she has the tools to tell ten million.”
- Paul Gillin, The New Influencers: A Marketer’s Guide to Social Media
Open Source – a foundation for the Web, but risk-laden!
• Cost of Entry
– Positive: allows many to innovate quickly and cheaply
– Negative: allows attackers to deploy and use the same tools
• Pervasiveness
– Positive: Widely used around the world, can help to identify problems quickly
– Negative: Increases appeal as a target, ensures vast base of potential victims
• Ease of Deployment (one click install)
– Positive: does not require technical skills to deploy
– Negative: More difficult to patch and maintain
Web Application vulnerabilities on public exploit websites
• Major web-based Content Management Systems (CMS) programs have become better at notifying the public when vulnerabilities are found in plug-ins written by third parties.
• Core issues are patched by the producing company that provides these systems at a much higher rate than the plug-ins written by third parties.
Security teams must shift from a conventional “defense-in-depth” mindset and begin thinking like an attacker
Think like a defender, defense-in-depth mindset (Audit, Patch & Block – Broad) → Think like an attacker, counter intelligence mindset (Detect, Analyze & Remediate – Targeted):
• Protect all assets → Protect high value assets
• Emphasize the perimeter → Emphasize the data
• Patch systems → Harden targets and weakest links
• Use signature-based detection → Use anomaly-based detection
• Scan endpoints for malware → Baseline system behavior
• Read the latest news → Consume threat feeds
• Collect logs → Collect everything
• Conduct manual interviews → Automate correlation and analytics
• Shut down systems → Gather and preserve evidence
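Three of the right-hand items above (baseline system behavior, anomaly-based detection, automate correlation) in one small pipeline, as an added example that is not from the report. The log format, the user names, the addresses and the thresholds are all constructed: a training window of login events builds a per-user baseline of source addresses and hours, and a later window is scored against it without any signature of a known attack.

```python
import re
from collections import defaultdict

# Constructed log format: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) status=(?P<status>ok|fail)$"
)


def parse_events(lines):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["hour"] = int(e["ts"][11:13])
            events.append(e)
    return events


def build_baseline(events):
    """Baseline = per-user set of source addresses and hours seen in successful logins."""
    baseline = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for e in events:
        if e["status"] == "ok":
            baseline[e["user"]]["srcs"].add(e["src"])
            baseline[e["user"]]["hours"].add(e["hour"])
    return dict(baseline)


def detect_anomalies(events, baseline, fail_threshold=3):
    """Score a later window against the baseline; returns (ts, user, reason) tuples."""
    alerts = []
    consecutive_fails = defaultdict(int)
    for e in events:
        user = e["user"]
        if e["status"] == "fail":
            consecutive_fails[user] += 1
            if consecutive_fails[user] == fail_threshold:   # alert once per burst
                alerts.append((e["ts"], user, "%d consecutive failures" % fail_threshold))
            continue
        consecutive_fails[user] = 0
        b = baseline.get(user)
        if b is None:
            alerts.append((e["ts"], user, "successful login with no baseline for user"))
            continue
        if e["src"] not in b["srcs"]:
            alerts.append((e["ts"], user, "new source address " + e["src"]))
        if e["hour"] not in b["hours"]:
            alerts.append((e["ts"], user, "login at unusual hour %02d" % e["hour"]))
    return alerts


# Constructed training window (normal behaviour for alice and bob).
TRAINING_LOG = [
    "2012-06-01T09:02:11 login user=alice src=10.0.0.5 status=ok",
    "2012-06-01T14:30:45 login user=alice src=10.0.0.5 status=ok",
    "2012-06-02T09:15:02 login user=alice src=10.0.0.5 status=ok",
    "2012-06-01T08:05:19 login user=bob src=10.0.0.7 status=ok",
    "2012-06-02T13:41:08 login user=bob src=10.0.0.7 status=ok",
    "2012-06-02T13:45:00 login user=bob src=10.0.0.7 status=fail",
]

# Constructed window to score: one normal alice login, one from a new address
# at 03:00, a burst of failures for bob, and a user with no history at all.
NEW_LOG = [
    "2012-06-04T09:10:33 login user=alice src=10.0.0.5 status=ok",
    "2012-06-04T03:15:00 login user=alice src=203.0.113.9 status=ok",
    "2012-06-04T13:00:01 login user=bob src=10.0.0.7 status=fail",
    "2012-06-04T13:00:05 login user=bob src=10.0.0.7 status=fail",
    "2012-06-04T13:00:09 login user=bob src=10.0.0.7 status=fail",
    "2012-06-04T13:01:00 login user=bob src=10.0.0.7 status=ok",
    "2012-06-04T22:00:00 login user=carol src=10.0.0.9 status=ok",
]


def run_demo():
    """Build the baseline from the training window and score the new window."""
    base = build_baseline(parse_events(TRAINING_LOG))
    return detect_anomalies(parse_events(NEW_LOG), base)


if __name__ == "__main__":
    for ts, user, reason in run_demo():
        print(ts, user, reason)
```

None of the four alerts needs a signature: each is a deviation from what the system itself established as normal, which is the point of the right-hand column. In practice the baseline window must be long enough to cover legitimate variation (travel, shift changes) or the analyst drowns in false positives.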
Not a technical problem, but a business challenge
• Many of the recent breaches could have been prevented
• Significant effort is required to inventory, identify, and close every vulnerability
• Financial & operational resistance is always encountered, so how much of an investment is enough?
IBM Security: Delivering intelligence, integration and expertise across a comprehensive framework
• IBM Security Framework built on the foundation of COBIT and ISO standards
• End-to-end coverage of the security domains
• Managed and Professional Services to help clients secure the enterprise
Get Engaged with IBM X-Force Research and Development
• Follow us at @ibmsecurity and @ibmxforce
• Download X-Force security trend & risk reports: http://www935.ibm.com/services/us/iss/xforce/
• Attend in-person events: http://www.ibm.com/events/calendar/
• Join the Institute for Advanced Security: www.instituteforadvancedsecurity.com
• Subscribe to X-Force alerts at http://iss.net/rss.php or Frequency X at http://blogs.iss.net/rss.php
• Subscribe to the security channel for the latest security videos: www.youtube.com/ibmsecuritysolutions
Additional References
In IBM’s 2012 Chief Information Security Officer Study, security leaders described the changing landscape…
• Nearly two-thirds say senior executives are paying more attention to security issues.
• Two-thirds expect to spend more on security over the next two years.
• External threats are rated as a bigger challenge than internal threats, new technology or compliance.
• More than one-half say mobile security is their greatest near-term technology concern.
Source: IBM 2012 CISO Assessment
http://www.ibm.com/smarterplanet/us/en/business_resilience_management/article/security_essentials.html
…And the changing role of the CISO
Influencers
• Confident, prepared
• Strategic influence
Influencers
• Less confident
• Strategic priorities, but lack structural elements
Responders
• Least confident
• Focus on protection and compliance
IBM Center for Applied Insights, www.ibm.com/smarter/cai/security
IBM University Programs
IBM Cyber Security Innovation program
Objectives
• Build curriculum, skills, and expertise in Cyber Security Services and Security Engineering
• Partner with the academic community, worldwide, while amplifying work done by top Faculty members
• Dramatically improve skills in Asia Pacific, Central and Eastern Europe, Latin America, Middle East and Africa
23% of organizations have a “problematic shortage” of IT security skills
150+ Academic institutions have been identified – including UNCC
IBM University Programs
The IBM Academic Initiative Security Portal
ibm.com/academicinitiative
IBM University Programs
IBM Relaunches CIO / CISO Institute for Advanced Security
A new focus on educating and enabling CISOs and security-minded CIOs
• 907 members
• 267 pieces of content
• Weekly themes on Security topics
• Webcasts, podcasts, blogs, whitepapers, and events
• Recruiting external content from non-IBM SMEs
http://instituteforadvancedsecurity.com/
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
ibm.com/security
© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.