#RSAC
Getting a Jump on Hackers
Tech-T08

Wolfgang Kandek
CTO, Qualys
@wkandek

Hackers
- Attack your organization by continuously probing it for weaknesses
- Find and catalog vulnerabilities, software flaws and misconfigurations
- Use exploits to gain control over your systems

Hackers – Attack Perimeter

Hackers
- We can get a jump on them by using their weak spots.
- Weak spots:
  - Millions of malware samples
  - Thousands of vulnerabilities
  - Tens of exploitation vectors

Hackers
- Mass Malware
- APT and 0-days
- Nation State

Hackers – Mass Malware
- Majority of all attacks
- Mature technologies (on both sides)
  - Exploit Kits (Angler, Nuclear, …)
  - Analysis and Patching
- “Digital Carelessness”
- Research

Hackers – Mass Malware
- BSI – German Bundesamt für Sicherheit in der Informationstechnik
  - Digital Situation Report, December 2014
- Situation is critical
  - Digitale Sorglosigkeit => “Digital Carelessness”
- 95% of issues are easily addressed
  - Attackers use known vulnerabilities
  - In a limited set of software

Hackers – Mass Malware – Java
- Java is our top unpatched threat for the year
  - BTW, attacks are on desktop, not server-side Java
- “We can’t patch Java. Our business-critical timecard application requires it.”
- Yes, you can.
  - Oracle Java v7 and v8 have a “Java Router” embedded
  - Multiple Javas on a machine can be selectively deployed
  - Deployment Rule Sets – by URL, by checksum, by …

Hackers – Mass Malware – Java
Demo

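How a Deployment Rule Set carries out the “Yes, you can” answer, as an added Python illustration that is not from the deck or from Oracle: the legacy timecard app is pinned to the one old JRE it needs, other internal hosts get only the latest secure Java, and everything else is blocked. Hostnames, versions and the simplified first-match location model are assumptions; a real ruleset.xml is packaged into a signed DeploymentRuleSet.jar before the Java Router honours it.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed rules (placeholders, not from the deck). Order matters: the Java
# Router applies the first rule whose <id> matches the applet or Web Start app,
# so the catch-all block rule goes last.
RULES = [
    # Legacy timecard app: may run, but only on the old JRE it actually needs
    {"location": "https://timecard.internal.example", "permission": "run",
     "version": "1.7.0_51"},
    # Any other internal host: run on the latest secure release only
    {"location": "https://*.internal.example", "permission": "run",
     "version": "SECURE"},
    # Everything else (the open Internet, where exploit kits are served): block
    {"location": None, "permission": "block",
     "message": "Java is restricted to approved internal applications."},
]


def build_ruleset_xml(rules):
    """Render the rule list as a ruleset.xml document (DRS schema version 1.0+)."""
    root = ET.Element("ruleset", version="1.0+")
    for r in rules:
        rule = ET.SubElement(root, "rule")
        rid = ET.SubElement(rule, "id")          # empty <id/> matches everything
        if r["location"]:
            rid.set("location", r["location"])
        action = ET.SubElement(rule, "action", permission=r["permission"])
        if "version" in r:
            action.set("version", r["version"])
        if "message" in r:
            ET.SubElement(action, "message").text = r["message"]
    return ET.tostring(root, encoding="unicode")


def _host_matches(pattern_host, host):
    # Assumption: a leading "*." matches any subdomain, not the bare domain.
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]                 # ".internal.example"
        return host.endswith(suffix) and host != suffix[1:]
    return pattern_host == host


def location_matches(rule_location, app_url):
    """Simplified model of DRS location matching (assumption): same scheme,
    host equal or matching a leading '*.' wildcard, and rule path is a prefix."""
    if rule_location is None:
        return True
    pat, app = urlparse(rule_location), urlparse(app_url)
    if pat.scheme != app.scheme:
        return False
    if not _host_matches(pat.hostname or "", app.hostname or ""):
        return False
    return app.path.startswith(pat.path)


def evaluate(rules, app_url):
    """Return (permission, version) imposed by the first matching rule."""
    for r in rules:
        if location_matches(r["location"], app_url):
            return r["permission"], r.get("version")
    return "default", None   # no rule matched: normal Java security prompts apply


if __name__ == "__main__":
    print(build_ruleset_xml(RULES))
    for url in ("https://timecard.internal.example/TimeCard.jnlp",
                "https://wiki.internal.example/applet/",
                "http://ad-network.example/applet.jar"):
        print(url, "->", evaluate(RULES, url))
```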
Hackers – APT and 0-days
- 0-days in 2014/2015
  - 2x Windows in 2014
  - 4x Internet Explorer in 2014, 1x in 2015
  - 4x Adobe Flash in 2015
- Use Safe Neighborhood Software
  - Alternative OS: Mac OS X
  - Alternative Browser: Chrome

Hackers – APT and 0-days
- Alternative Browser: Chrome
  - 60% market share
  - 220 critical vulnerabilities in 2012-2014
  - 0 known attacks
  - Aggressive autoupdate & fast patching: 24 hours to 7 days
    - Faster than typical exploits
  - Sandboxing

Hackers – VDBIR 2015
- Few vulnerabilities are being exploited – 40 in 2014
- 99.9% of vulnerabilities exploited are > 1 year old
- 50% of 2014 CVE exploits happened within 2 weeks
- Lesson: Patch all, decide which to patch faster (pg 17)
- Exploitable attribute: most important factor (pg 17)

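Turning the DBIR lesson into a rule: everything gets patched, but the exploitable attribute sets the clock. This added Python example (not from the deck or the report) scores a constructed finding list; the SLA tiers are assumptions chosen so that exploitable findings land inside the two-week window the report describes.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Finding:
    cve: str
    host: str
    cvss: float
    exploit_public: bool   # the "exploitable" attribute the report singles out
    published: date        # disclosure date of the CVE
    internet_facing: bool


# Assumed remediation clocks in days (not from the deck or the report). The
# exploitable tiers are short because half of 2014's exploited CVEs were hit
# within two weeks of publication.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
TIER_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def tier(f: Finding) -> str:
    """Exploit availability decides the clock first; severity and exposure refine it."""
    if f.exploit_public and (f.internet_facing or f.cvss >= 7.0):
        return "critical"
    if f.exploit_public or (f.internet_facing and f.cvss >= 7.0):
        return "high"
    if f.cvss >= 7.0:
        return "medium"
    return "low"


def deadline(f: Finding, first_seen: date) -> date:
    return first_seen + timedelta(days=SLA_DAYS[tier(f)])


def prioritize(findings):
    """Order by tier, then oldest disclosure first (old bugs are what actually
    gets exploited), then CVSS. Nothing is dropped: patch all, just not all at once."""
    return sorted(findings, key=lambda f: (TIER_ORDER[tier(f)], f.published, -f.cvss))


def overdue(findings, first_seen: date, today: date):
    """Findings past their SLA as of `today`: the list to escalate."""
    return [f for f in findings if today > deadline(f, first_seen)]


# Constructed sample findings; CVE ids, hosts and dates are placeholders.
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", "web01", 9.8, True, date(2013, 3, 1), True),
    Finding("CVE-EXAMPLE-0002", "hr-app", 6.5, True, date(2014, 11, 1), False),
    Finding("CVE-EXAMPLE-0003", "web02", 7.5, False, date(2015, 1, 15), True),
    Finding("CVE-EXAMPLE-0004", "desk17", 5.3, False, date(2015, 2, 1), False),
]


def report(findings=SAMPLE, first_seen_iso="2015-03-01", today_iso="2015-03-20"):
    """Queue order, per-CVE deadlines and overdue items as plain strings."""
    first_seen = date.fromisoformat(first_seen_iso)
    today = date.fromisoformat(today_iso)
    return {
        "queue": [(f.cve, tier(f)) for f in prioritize(findings)],
        "deadlines": {f.cve: deadline(f, first_seen).isoformat() for f in findings},
        "overdue": [f.cve for f in overdue(findings, first_seen, today)],
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```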
Hackers – APT and 0-days
- Use Safe Neighborhood Software
  - Alternative Flash: HTML5?
  - Sandbox: Chrome/Flash combo not attacked

Hackers – APT and 0-days
- Sandboxing
  - Jarno Niemelä’s (F-Secure) VB 2013 paper
  - 930 APT malware samples tested against hardening
  [Chart: results by mitigation on a 0–100% scale: System Hardening, Application Hardening, Sandboxie, EMET, Exploit Mitigations]
  - Sandbox testing not conclusive
  - Application Hardening and EMET are free

Hackers – APT and 0-days
- But APT means the attacker can do anything
  - Bypass your hardening, the sandbox, EMET …
- How good are they?
  - Sophos: CVE-2014-1761 (Word RTF) analysis
  - 15+ sample families assessed
  - 7 skill categories
  - Mixed results: 50% trivial, 50% advanced
  - All (!) attacked only 1 software version – Office 2010 (SP2, 32-bit)

Hackers – APT and 0-days
- Dan Guido – Exploit Intelligence Project
  - Focus on robust configurations to prevent future exploits
  - Few vulnerabilities are relevant: 14 in 2009, 13 in 2010, 20 in 2014
- Tighter security settings defeat new attacks
  - DEP, ASLR
  - EMET (btw, all IE 0-days in 2014)
  - Disable EXE/JavaScript in PDF
  - Limit Java to internal applications

Hackers – APT and 0-days
- Harden applications and deploy EMET
- Safer neighbourhoods – alternative technology stacks
- Limit Java to internal/known applications – Deployment Rule Sets

Hackers – Attack Perimeter
- Perimeter is everywhere
  - Mobility, personal devices
  - SaaS applications enable
- Security pros
  - All machines Internet-hardened
  - No client/peer networking = no lateral malware growth
- Security cons
  - Traditional non-Internet tools challenged
  - Internet agent solutions

Hackers – Credentials
- Abuse worldwide connectivity (e-mail, mobile workstations, VPN)
  - Steal credentials through phishing attacks (e-mail)
  - Install undetectable malware
  - Access VPNs

Hackers – Credentials
- Teach users to recognize attacks – ✔
- Require better passwords – ✔
- But limited effect: > 2% will still click
- Password reuse rampant due to complicated rules
- Massive username/password databases available
- Password decoding/guessing in the realm of all attackers.

Hackers – Credentials
- Two-factor authentication

Hackers – Credentials
- Teach users to recognize attacks – ✔
- Require better passwords – ✔
- Teach your users to protect their own personal data
  - Banks, e-mail, LinkedIn
- 2FA is mature now
  - Implement 2FA for your systems

Act Now – x days
- x=30: Scan your perimeter servers continuously, alert on changes
- x=60: Software inventory for Flash, Reader, IE, Office, Java
- x=90: Update versions – Mass Malware cure
- x=90+: Address vulnerabilities quickly
- x=90+: Harden setup – APT and 0-days
  - Newest software, use EMET, safe neighborhoods
- x=90+: Authentication – deploy 2-factor
- Then: Watch logs for anomalies, run sandboxes

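Step x=30 in code, as an added Python example that is not from the deck or from Qualys: two scan snapshots of the perimeter are compared and every new host, new port or changed service becomes an alert. Addresses and services are constructed placeholders, and the “risky port” list is an assumption.

```python
# Constructed snapshots: host -> {port: service}. In practice these are two
# exports from the perimeter scanner; the values here are placeholders from
# the 203.0.113.0/24 documentation range.
BASELINE = {
    "203.0.113.10": {22: "ssh", 443: "https"},
    "203.0.113.11": {443: "https"},
    "203.0.113.12": {25: "smtp"},
}
TODAY = {
    "203.0.113.10": {22: "ssh", 443: "https", 8080: "http-proxy"},  # new port
    "203.0.113.11": {443: "https"},
    "203.0.113.13": {3389: "ms-wbt-server"},                        # new host
}

# Assumption: admin and database services that rarely belong on a perimeter,
# so a new listener on one of these is raised at high severity.
RISKY_PORTS = {21, 23, 135, 139, 445, 1433, 3306, 3389, 5900}


def diff_perimeter(before, after):
    """Compare two scan snapshots and return (severity, host, detail) alerts.
    Unchanged hosts produce nothing, so a quiet run means a quiet perimeter."""
    alerts = []
    for host in sorted(set(before) | set(after)):
        old, new = before.get(host, {}), after.get(host, {})
        if not old:
            alerts.append(("high", host, f"new host exposing {sorted(new)}"))
            continue
        if not new:
            alerts.append(("info", host, "host no longer responds"))
            continue
        for port in sorted(set(new) - set(old)):
            sev = "high" if port in RISKY_PORTS else "medium"
            alerts.append((sev, host, f"new port {port}/{new[port]}"))
        for port in sorted(set(old) - set(new)):
            alerts.append(("info", host, f"port {port}/{old[port]} closed"))
        for port in sorted(set(old) & set(new)):
            if old[port] != new[port]:
                alerts.append(("medium", host,
                               f"port {port} changed {old[port]} -> {new[port]}"))
    return alerts


if __name__ == "__main__":
    for severity, host, detail in diff_perimeter(BASELINE, TODAY):
        print(f"[{severity:6}] {host}: {detail}")
```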
Thank you
Tech-T08
http://laws.qualys.com
@wkandek
Wolfgang Kandek


RSA USA 2015 - Getting a Jump on Hackers
