Are You Exposed

ACI-NA Annual Conference
San Diego, CA

The perils of a connected world

Dom Nessi, CISSP, GSLC, PMP, CM
Deputy Executive Director/Chief Information Officer
Los Angeles World Airports
October 17, 2011
Cyber security is the protection of personal or sensitive information, or any form of digital asset stored in a computer or in any digital memory device. It is also the protection of physical IT assets from random attacks targeted to destroy or disable computing power.

When U.S. Attorney Jenny Durkan appeared at a Seattle press conference to talk about the rise in ATM skimming, she was very knowledgeable about the topic. A little too well-prepared, in fact: Durkan recently lost $1,000 from her own bank account after using an ATM kiosk whose door lock was broken.
Four Key Domains:

Confidentiality – preventing unauthorized access to information
Integrity – preventing unauthorized modification or theft of information
Availability – preventing denial of service and ensuring authorized access to information
Non-Repudiation – preventing the denial of an action that took place or the claim of an action that did not take place

The Dutch company DigiNotar, a "certificate authority", was hacked and breached, and an unknown number of fraudulent certificates were issued for domain names that included the Dutch government, Google.com, Mozilla, Skype, Yahoo, Facebook, Twitter, the CIA, Mossad (the Israeli intelligence agency), the UK's MI6, and the rest of the who's who of the Internet. This breach probably occurred in July 2011 and was not discovered until August 29, 2011. This made ALL DigiNotar certificates untrustworthy.
Simple malicious code called malware and spyware, and serious viruses that can wipe out a system
Hackers that target a specific device or organization for either malicious enjoyment or financial gain
Denial of Service attacks that cripple an organization's ability to operate

DigiNotar has been unable to recover from the blow and filed for bankruptcy in a Netherlands court. An investigation sponsored by the Dutch government, conducted by the security firm Fox-IT in the Netherlands, revealed that DigiNotar lacked basic security safeguards, such as strong passwords, anti-virus protection, and up-to-date software patches.

After DigiNotar went public with the breach, all five of the major browser makers -- Apple, Google, Microsoft, Mozilla and Opera -- issued updates that barred users from reaching sites secured with DigiNotar-issued certificates.
Attacks via USB
Large-scale, targeted Botnet Attacks
DDoS Attacks
Attacks via Social Networks
Clickjacking and Cross-Site Scripting Web Attacks
Phishing from "trusted" third parties
Online Fraud
Cloud Computing Concerns
Data Exfiltration and Insider Threats
Mobile Devices and Wireless Network Attacks
Targeted Hacking Attempts

Japan's Sony Corp. was the victim of one of the largest data breaches in history. Sony's PlayStation Network, its Qriocity music streaming service and Sony Online Entertainment were among the services recently targeted by hackers in cyber attacks and data breaches which compromised more than 100 million accounts. Sony chairman and president Howard Stringer apologized to shareholders and customers for the massive online data theft, which helped drag the company's share price to a two-year low.
Aviation continues to be the target of terrorists – whether it be aircraft, airports or airlines
Aviation is highly dependent on and driven by computer systems
  Federal level
  Airline level
  Airport level
  Airport tenants
eEnabled aircraft will present an entirely new challenge

A regional retailer contracted with a third-party service provider. A burglar stole two of the service provider's laptops containing the data of over 800,000 clients of the retailer. Under applicable notification laws, the retailer – not the service provider – was required to notify affected individuals. Total expenses incurred for notification and crisis management to customers were nearly $5 million.
Homeland Security Presidential Directive 7 (HSPD-7), along with the National Infrastructure Protection Plan (NIPP), identified and categorized 18 Critical Infrastructure and Key Resources Sectors
Transportation is one of the 18

In 1993, the Clinton administration began producing the so-called Clipper Chip, an NSA-developed encryption chip intended for use in computers and telephones and designed with a "key recovery" feature that would allow the government to crack the encryption on demand, with the proper legal authority. The chip was a dismal failure in the marketplace, and the project was dead by 1996.
Potential targets

Malicious
  Network
  Wireless network
  Baggage systems (hand-held devices)
  External airport/airline website
  Passenger wireless
Theft
  Sensitive data of employees and contractors
  Credit card information
  Airline ticketing
  Concession POS
  Passengers' wireless devices

In February 2000, a 15-year-old Canadian boy experimentally programmed his botnet to hose down the highest-traffic websites he could find. CNN, Yahoo!, Amazon, eBay, Dell, and E-Trade all buckled under the deluge, leading to national headlines and an emergency meeting of security experts at the White House.
Potential targets

Terrorism
  Security systems – access control, CCTV, perimeter intrusion
  Credentialing
  eEnabled aircraft systems
  Document management systems (CAD, blueprints)
  Radar systems
  Ground radar

Destruction of airport data can cost billions of dollars to replace, if it is even possible

In 2003, the Commerce City Bank in Kansas City, MO was the first to uncover an international scam when it discovered that its customer accounts were being sacked for $10,000 to $20,000 a day from cash machines in Italy, as a result of a phishing attack aimed specifically at the customers' debit card numbers and PINs.
Smart phones aren't so smart when it comes to malware
Adoption rate is so quick, security can't keep up
Privacy and data security concerns in new hardware and software
Rapid roll-out of new technologies too quick for current security standards
Breaches occurring with greater regularity
Cyber attacks due to always-on, always-synchronized devices and the commingling of personal and business data

In 2004, the source code for the unreleased first-person shooter Half-Life 2, perhaps the most anticipated game of all time, was stolen from the computers of Valve Software in Bellevue, WA. Based on the sales of the original game, Valve valued the software at a quarter of a billion dollars.
Recently, 300 businesses reported losing 86,000 laptops, causing $2.1 billion in damages
Theft comes from hotel rooms and employees' homes
You can't fight mobile device issues with technological safeguards alone – you will need strong organizational standards and policies

In the late 1990s, thieves began buying swiped credit card data called "dumps" across the U.S. from waiters, drive-thru attendants, gas station managers and retail workers, typically for $10 a swipe. A "dump" contained the two lines of text on a credit card's three-inch-long magstripe. Much of it was sent to Eastern Europe and sold over the Internet ten, twenty, a hundred, or even thousands at a time. A dump was worth $20 for a standard card, $50 for a gold card, and $80 to $100 for a high-limit corporate card.

In July 2005, a record-breaking 45.6 million dumps were stolen from the TJX-owned retail chains T.J. Maxx, Marshalls, and HomeGoods.
Active/Registered users of Social networking services:
  500 million on Facebook
  175 million on Twitter
  100 million on MySpace
  80 million on LinkedIn
Attacks and Unintended Information Disclosure
Download of Malware
Professional and Personal Implications
Endangering yourself and others

In 2004, when stolen magnetic stripe data became a massive cybercrime underground commodity, losses to counterfeit cards followed the same stratospheric climb. In the first quarter of 2006, counterfeit cards topped $125 million in quarterly losses to Visa's member banks alone.
Pre-production compromise (built-in back doors)
Substitution of parts (Trojans in software)
Code attacks (viruses)
Network attacks (worms)
System-specific attacks (OS vulnerability)
Authentication bypass (theft of credentials, spoofing)
Shutdown of support systems (power, AC, flight controls etc.)
Disgruntled employee (malicious or paid)
Content exploitation (information made public, identity of crew/passengers, aircraft incidents or failures)
Inventory scan: Preliminary findings = 613 Control Systems (211 ranked)

In 2000, cyberattacks by a group from Russia or Ukraine breached victims' networks and stole credit card numbers; the group then sent an email to the company demanding payment to keep quiet about the intrusion and to fix the security holes the hackers exploited. The gang hit Sterling Microsystems in Anaheim, CA, E-Money in New York, and even Western Union, which lost nearly 16,000 customer credit card numbers in an attack that came with a $50,000 extortion threat. When music-seller CD Universe did not give in to a $100,000 ransom demand, thousands of customers' credit card numbers showed up on a public website.
Headline: Fourteen airports in the US, Canada and Asia are using open or poorly secured wireless networks

77 percent appeared to be airport networks
80 percent were unsecured or using legacy WEP (wired equivalent privacy) encryption
10 percent of the laptops detected were infected with a viral (ad-hoc) Wi-Fi network, making the users vulnerable to data leakage and identity theft
Only three percent of all mobile users were using virtual private networks (VPNs)
Airports reviewed: Ottawa, Canada; San Jose, San Francisco, Chicago, and other US cities; Seoul, Malaysia and Singapore

In 2009, a specialized Trojan horse emerged, designed to steal a target's online banking passwords and initiate money transfers from the victim's account right through his own computer. The thieves recruited ordinary consumers as unwitting money launderers through bogus work-at-home opportunities. "Work" consisted of accepting money transfers and payroll deposits, then sending the bulk of the cash to Eastern Europe by Western Union. In the scheme's first year of widespread operation, banks and their customers lost an estimated $120 million to the attack, with small businesses as the most common target.
The review concluded that if hackers can bring down the power grid in several cities, "how easy it would be for them to create havoc with an unsecured baggage system."

"Imagine the ripple effect at a large hub airport if someone could work their way into the baggage transition system and reroute luggage all over the world. It could bring the system to a grinding halt with both economic and security consequences."

The findings concluded that retailers, airlines and providers of critical systems at airports are still not taking a long hard look at cyber security or understanding the additional risks that wireless introduces.

In 2006, a California identity thief stole at least $200,000 by e-filing bogus tax returns through H&R Block, then collecting the refunds himself. The victims' Social Security numbers were mined from online databases, including California's Death Index of recently departed Golden State residents.
U.S. Customs and Border Protection officials chose to hold off installing Microsoft's critical security patch on US-VISIT workstations until they could test to ensure the update wouldn't interfere with the tangle of peripherals attached to the computers. The Zotob virus changed their minds.

The $400 million US-VISIT program aims at securing the border from terrorists by gathering biometric information from visiting foreign nationals and comparing it against government watch lists.

US-VISIT consists of older mainframe databases, fronted by Windows 2000 workstations at nearly 300 airports, seaports and border crossings.

On Aug. 9, Microsoft announced a vulnerability in the software's plug-and-play feature that allowed attackers to take complete control of a computer over a network. It took only four days for a virus writer to launch an Internet worm, called Zotob, that spread through the security hole.

An Aug. 18, 2005 computer failure led to long lines at international airports in Los Angeles, New York, San Francisco, and elsewhere, while U.S. Customs and Border Protection (CBP) officials processed foreign visitors by hand.

In October 2003, T-Mobile failed to patch a critical security hole in a commercial server application. Its customer database was accessed and the files of Hollywood stars were raided, circulating grainy candid photos of Paris Hilton, Demi Moore, Ashton Kutcher, and Nicole Richie, stolen from their SideKick PDAs. The SideKick of a Secret Service agent was also hacked.
Two CBP reports show that the virulent Zotob worm infiltrated CBP PCs the day of the outage, prompting a hurried effort to patch hundreds of Windows-based US-VISIT workstations installed at 300 airports, seaports and land border crossings around the country.

CBP officials postponed pushing the fix to CBP's Windows 2000 computers because of the array of peripherals hanging off of the US-VISIT workstations -- fingerprint readers, digital cameras and passport scanners -- fearing that the patch itself might cause a disruption.

White House cyber security adviser Howard Schmidt says the incident is typical of a large agency struggling with complex networks and evolving threats. "We've got catching up to do in all areas, particularly areas having to do with national security and public safety," says Schmidt. "I hope you and I, 10 years from now, look back and say, 'Wow, I'm glad we survived that.'"

Google search is used by millions of people every day. Now it is also used with increasing frequency by hackers seeking sensitive data like Social Security numbers. A recent data breach at Yale University marks the latest example of a security flaw exposed by "Google hacking." For 10 months, names and Social Security numbers belonging to 43,000 people affiliated with Yale were visible through Google search. Yale officials said the breach occurred because they were unaware that Google had changed its search engine last fall to find and index such servers.
Fake Boarding Passes Land Student in Heap of Trouble
  24-year-old Indiana University student creates a web site that enables anyone to make a fake boarding pass
  Home raided and all computers confiscated
  FBI and the TSA conducting an investigation
  Boarding pass would not have allowed unauthorized access to an aircraft
  Student claims that he created the website to expose a loophole in national security

Trams Derailed with Modified TV Remote
  14-year-old boy derails four Polish light rail trains (trams)
  Tool used: Converted television IR remote
  Vulnerability: Locks that disable track changes when vehicles are present were not installed

Criminals recruit "cashers" to use counterfeit credit cards. The low-limit classic cards were for small purchases, $500 or so. The high-limit gold or platinum cards were used for purchases from $1,000 to $10,000. "Cashers" are typically attractive college-aged women who could walk into Nordstrom and snatch up a couple of $500 Coach bags without raising eyebrows, then cross to the other side of the mall and do the same thing at Bloomingdale's. The purchased items were then sold on eBay.
Malware in the new baggage system located in a private network
A botnet in the Airport Coordination Center and in the Airport Security private network made call-backs to the attackers' Command & Control (C&C) server
Successfully prevented 6,408 separate hacking attempts into a new file transfer server two days after its deployment
Blocked 58,884 instances of Internet misuse and abuse within two days
Blocked 2.9 million hacking attempts into the Internet infrastructure within two days

In September 2005, a deadly new Internet Explorer bug emerged. The security hole was a monster. There was no patch, making every Internet Explorer user vulnerable. The hacker's target list: CitiMortgage, GMAC, Experian's Lowermybills.com, Bank of America, Western Union Money-Gram, Lending Tree, and Capital One Financial, one of the largest credit card issuers in the country. The hacker fired up spamming software that opened a back door, which allowed him to slip in and scour the victims' hard drives for sensitive data and steal passwords.
Four components are vulnerable and each requires a different approach to security
  The Network
  The Device
  The Application
  The Back-End System

"I love the Internet… It's a place where we can entertain ourselves; we can get information; we can watch videos… we can buy things. eBay is a great place, you can bid on things. If you think about it, you can buy it on eBay. But… there's a side of the Internet that we don't like to think about. There's kind of a dark underbelly to the Internet, one where not trinkets or baubles are bought, sold, and traded. There's a part of the Internet where people's lives are bought, sold, and traded…"

-Federal prosecutor's opening statement at the first federal trial of the carding underground.
Get configuration management under control
  Patches and updates need to be handled as soon as possible, especially those which address a security hole
  Once a machine's settings are finalized, a baseline of those settings needs to be recorded
  Eliminate unused programs – close unused ports
Install anti-virus software and keep it updated
Launch a "social engineering awareness" campaign
  Social media is your IT system's worst nightmare
  Password policies
  Cyber security training
  Instant messaging files
Test your own systems
  Internet-facing web sites
  Penetration testing
  External audits from DHS and others

In 2004, nearly half of America's banks, S&Ls, and credit unions were not verifying the CVV on ATM and debit transactions, which was why America's inboxes were flooded with phishing emails targeting debit card numbers and PIN codes for "cashable" banks. Citibank, the nation's largest consumer bank by holdings, was the most high-profile victim. In May 2005, a Gartner analyst organized a survey of 5,000 online consumers and, extrapolating the results, estimated that it had cost U.S. financial institutions $2.75 billion in one year.
Make better use of white lists and black lists
Control the zombies
Lock down the servers
Use egress filtering
Thin clients are your friend
Improve pattern recognition for network traffic
Create a cyber security team in your organization
Insist your IT staff acquire the CISSP or some other IT security related certification

In the 1997 Carlos Salgado Jr. case – the first large-scale online credit card heist – the government persuaded the sentencing judge to permanently seal the court transcripts for fear the targeted company would suffer "loss of business due to the perception by others that computer systems may be vulnerable." Consequently, the 80,000 victims were never notified that their names, addresses, and credit card numbers had been offered for sale on Internet Relay Chat (IRC), a website devoted to hackers, counterfeiters and others seeking to illegally exploit consumers.
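As an added example (not from the presentation or from LAWA's own tooling), this script shows what the recommendations to use egress filtering, white lists and better pattern recognition for network traffic look like in practice, applied to the kind of botnet call-backs to a C&C server reported from the airport private networks earlier in the deck. The flow records, addresses and allow-list are constructed sample data; the segment addresses and ports are assumptions.

```python
"""Egress allow-list check with call-back (beacon) detection over constructed flow records.

Assumed input: simplified outbound flow records (timestamp, source host, destination IP,
destination port) from one private-network segment such as a baggage system, plus an
allow-list of the destinations that segment legitimately needs. All data is constructed.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed allow-list: (network, port) pairs the segment may reach. Anything else
# is what an egress filter on the segment boundary would drop.
EGRESS_ALLOWLIST = [
    (ip_network("10.20.0.0/16"), 443),    # internal application servers (assumed)
    (ip_network("10.20.5.10/32"), 5432),  # baggage database (assumed)
    (ip_network("10.20.9.1/32"), 123),    # internal NTP (assumed)
]

# Constructed flow records: "ISO-timestamp src dst port". 10.30.1.22 shows the
# periodic call-back pattern of a bot reaching its C&C server.
SAMPLE_FLOWS = """\
2011-10-17T08:00:01 10.30.1.15 10.20.5.10 5432
2011-10-17T08:00:04 10.30.1.15 10.20.9.1 123
2011-10-17T08:00:10 10.30.1.22 198.51.100.77 6667
2011-10-17T08:05:10 10.30.1.22 198.51.100.77 6667
2011-10-17T08:10:10 10.30.1.22 198.51.100.77 6667
2011-10-17T08:15:10 10.30.1.22 198.51.100.77 6667
2011-10-17T08:02:30 10.30.1.15 10.20.3.4 443
2011-10-17T08:03:00 10.30.1.40 203.0.113.5 80
"""


def parse_flows(text):
    """Parse the constructed record format into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, ip_address(dst), int(port)))
    return flows


def is_allowed(dst, port):
    """True if the destination/port pair is on the segment's egress allow-list."""
    return any(dst in net and port == p for net, p in EGRESS_ALLOWLIST)


def egress_violations(flows):
    """Flows that an egress filter built from the allow-list would drop."""
    return [(src, str(dst), port) for _, src, dst, port in flows
            if not is_allowed(dst, port)]


def beacon_candidates(flows, min_count=4, tolerance_s=5):
    """Denied source/destination pairs that recur at a near-constant interval.

    Returns (key, period_seconds) for each pair with at least min_count attempts whose
    gaps differ by no more than tolerance_s: the signature of scheduled C&C call-backs.
    """
    series = defaultdict(list)
    for ts, src, dst, port in flows:
        if not is_allowed(dst, port):
            series[(src, str(dst), port)].append(ts)
    hits = []
    for key, stamps in series.items():
        stamps.sort()
        if len(stamps) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= tolerance_s:
            hits.append((key, round(sum(gaps) / len(gaps))))
    return hits


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for v in egress_violations(flows):
        print("DENY", v)
    for key, period in beacon_candidates(flows):
        print("BEACON", key, "every", period, "s")
```

On the sample data the single web request from 10.30.1.40 is denied but not flagged as a beacon, while the four evenly spaced attempts from 10.30.1.22 are reported as a 300-second call-back.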
In 2007, the majority of compromised cards were stolen from brick-and-mortar retailers and restaurants. The large retail intrusions were compromising millions of cards at a time, but breaches at smaller merchants were far more common – Visa's analysis found 83 percent of credit card breaches were at merchants processing one million Visa transactions or less annually, with the majority of thefts taking place at restaurants.
Give cyber-security an international focus through conferences, meetings, etc.
Create a permanent cyber-security sub-committee which embraces airport and airline concerns
Create an airport cyber-security advisory on zero-day vulnerabilities and other security threats
Initiate dialogue at all levels of airport management – not just IT

Sony recently revealed that intruders staged a massive attempt to access user accounts on its PlayStation Network and other online entertainment services, in the second major attack on its flagship gaming site this year. The announcement follows an embarrassing data breach in April, which compromised personal data from more than 100 million online gaming and entertainment accounts and forced PlayStation Network to be shut for a month. Sony was subsequently criticized for lax security and acting too slowly to inform customers as it grappled with one of the largest-ever security thefts.
"If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked."

-- former White House Cyber Security Advisor, Richard Clarke

Questions?

				
Posted: 11/24/2011, 25 pages