Evolve Security Conference 2013 Report

Rethinking IT security strategies

The latest IT threats and trends, as well as strategies to manage them, were the focus of the Trend Micro-sponsored Evolve Security Conference 2013 held in Sydney on 14 May.

My top takeaways from the day’s presentations and discussions:

  • Now is the time for institutions to review IT security policies, planning and practices. Increasingly sophisticated and targeted malware threats are disrupting business in tandem with the rapid uptake of cloud computing, BYOD and social media.
  • When conducting security service planning you should know what is on the ground, know what is coming and how to react, have strong peer engagement (we are all in the same boat here), conduct self-assessments by scenario planning with management, and keep an eye on the market and competition.

Key threats and trends:

Malware is on the rise via social media

Malware delivery is moving on from email spam to direct messages on Twitter and on Facebook, for example, by clicking a ‘dislike’ button.

Traditional complacency persists

USB sticks, emails from old friends and cleaners finding switched-on computers continue to provide opportunities for targeted attacks.

Android mobile devices can be insecure

Network security threats are growing in mobile devices. In particular, open source Android mobile operating systems are an apparent mecca for malware threats due to fragmentation from custom use by telecom vendors and fewer rigors applied to updates and patches.

Threat sources are becoming more targeted, sophisticated and of a criminal nature

Targeted attacks started to gain prominence in 2010, attacking mobile operating systems. The average time from initial breach to detection was 210 days in 2012, 35 days longer than in the previous years.

A few examples:

  • Mobile phones are set to be a prime target as they increasingly store biometric data and other mobile wallet information.
  • Toyota’s hybrid vehicle has 70 computers onboard – imagine a hacker gaining control to switch off systems.
  • BMWs are being stolen in new ways – http://jalopnik.com/5923802/watch-hackers-steal-a-bmw-in-three-minutes
  • The car industry’s preferred operating system is MeeGo (from Nokia) – hackers have been able to control the speedometer needle (not the speed), in fail-safe mode.
  • Samsung Smart Televisions allegedly have the potential to be remotely hacked for camera and microphone control to spy on bedrooms or block content.
  • Indian-based payment providers were recently hacked, allowing fake debit cards to be created and distributed to money mules, who extracted $45m within 10 hours from cash machines in a coordinated attack. Physical bank robberies are becoming a relic of the past. See http://www.guardian.co.uk/technology/2013/may/15/it-security-india-cash-machine-heists
  • Ransomware is emerging – a message is received, apparently from the police or FBI, stating that illegal software and content has been found, with an order to pay $100-$200.
  • Stuxnet targeted Siemens industrial controller systems affecting many worldwide. This malware was designed for the Iranian Nuclear facilities, but also impacted Indian power generators causing outages.
  • SWATing is a targeted attack using a combination of Cyber and Physical attack vectors, such as spoofing a mobile phone to local authorities in order to fake a serious incident. Engineering this type of attack usually requires planning and access to social media information.

Every day around 180,000 new malware codes appear, requiring security companies to add around 90,000 (pattern recognition) signatures daily.

How to manage the new wave of threats and trends?

It’s hard not to be paranoid, but there is a way forward:

  1. Start by regarding your information as a strategic asset, be aware of the attack trends, understand the behaviours of hackers, analyse the opportunities for hackers, determine likely intentions and impacts and take steps to manage a breach should any occur.
  2. Seek independent experts to test your perimeter – Cloud-based attacks and Island Hopping occur when, for example, a CMS is unprotected, vulnerabilities are exploited and websites are masqueraded. It is advisable to bring in outside experts to independently conduct penetration tests.
  3. Understand your enemy – attackers start with reconnaissance (know the target); then weaponisation (getting the right tool to knock down the target – managed cloud-based services offer this for a small monthly fee); then delivery (deploying the effective payload and hitting the target, via malware or unpatched systems with vulnerabilities). Once inside, they use command and control systems to gain a foothold, with lateral movement and exfiltration techniques, before moving into a stealthy “maintenance mode”: creating an environment to clean their tracks and even patching security to remain hidden.
  4. Understand the economics at play and consider your vulnerabilities as an individual, at work, at home and on the move – hackers can gain access to VPN-capable malware solutions with bulletproof hosting (they will not reveal who you are) for hundreds of dollars in set-up and monthly fees, while the return on the investment is huge, in the millions, producing many multipliers. 93.6% of the world’s currency is digitized; expect more online heist incidents on banking infrastructure and personal digital wallets.
  5. Develop and execute a strategic security plan and monitor, test and maintain – for example, the following three areas for managing threats have been identified by NAB bank:
     • Securing the deteriorating threat landscape – Commoditisation increases the security threat; investment in innovation is required to compete against cyber criminals. Is the hacker’s interest of a commercial nature, purely strategic, or tactical? Consider these threats and plan mitigation accordingly. Cybercrime is increasing as new business models emerge, such as lower-cost operations in the cloud for business and for hackers. Ask what steps can be taken to lower risks.
     • Industry forces – The security industry is growing up with accreditation and operational rigor; you may choose to invest in-house or partner for enhanced capabilities. Security company competition is increasing with niche player entrants. Regulation is increasing in the finance sector.
     • Business forces – Digitisation is enabling agile online services; as more services go online, the opportunities to hack increase. Transferring technology and business processes to the cloud may lower operational costs, but how do you protect against vulnerabilities? Converging technical and operational capabilities offer new ways to deliver and new ways to attack online services.

Acknowledgements:

Thanks to Sanjay Mehta, MD and VP Trend Micro ANZ; Andrew Milroy, VP ICT Research at Frost and Sullivan; Raimund Genes, CTO Trend Micro Global; JD Sherry, VP Public Sector Trend Micro; and Andrew Dell, Head of Security – all of these notes are the result of the speakers’ experience and insight.

