SECURITY 2010
BREACHES AND MALWARE AND PHISH (OH, MY!)
Kathleen R. Kimball, MS, CISSP, CISM
Senior Director, Security Operations & Services
Information Technology Services
[email protected]; (814) 863-9533
March 1, 2011

AGENDA
• Security 2010 Globally
• Security 2010 at Penn State (both Negative and Positive)
• Summary
• Questions

Penn State is subject to global trends in (in)security…

WEB-BASED SECURITY THREATS: SOBERING NUMBERS
• From Websense Security Labs 2010 Threat Report:
  • A 111.4% increase in the number of malicious Web sites from 2009 to 2010
  • 79.9% of malicious Web sites were compromised legitimate sites
  • 52% of data-stealing attacks were conducted over the Web
  • 84.3% of all e-mail was spam
  • Searching the Web for breaking/current news was more likely to cause a compromised computer than searching for “objectionable content”

SOPHOS ANALYSIS
• Sophos Security Threat Report 2011
• Web remains the biggest vehicle for malware
• A high number are legitimate web sites serving malware or hosted malvertisements. Examples:
  • Farm Town (game)
  • Google sponsored links
  • Celebrity Twitter feeds

SYMANTEC…
• Internet Security Threat Report, Volume XV, April 2010
• Of the top attacked vulnerabilities observed in 2009, 4 out of 5 were client-side vulnerabilities that were frequently attacked by web-based attacks
• Most frequent vectors – Internet Explorer and applications that process PDF files
• Crimeware kits developed for sale by the malware code writers (Zeus kit for as little as $700)
  • Inexperienced “bad guys” can buy a kit and produce a custom attack easily
  • Over 90,000 unique variants of the Zeus toolkit observed

AND THE VERIZON BUSINESS RISK TEAM…
• 2010 Data Breach Investigations Report (in cooperation with the US Secret Service), July 2010
• Organized criminal groups were responsible for 85 percent of all stolen data in 2009
• Hacking and malware were responsible for over 95 percent of all data compromised
• 85 percent of attacks are not highly difficult

The local security landscape…

SECURITY 2010 AT PENN STATE

PENN STATE – 2010 EXPERIENCE
• >12,000,000 hostile probes daily, not even counting the latest web-based threats – the older attacks are still there
• 2,525 fully compromised systems detected by the University’s Intrusion Detection architecture
  • Up 43% from 2009
  • 854 of these were on University wired networks (not Residence Hall, wireless or modem-connected)
  • Lowest Budget Unit total – 0 compromises (8 units)
  • Highest Budget Unit total – 120 compromises
• 1,025 compromised Access accounts detected – a 57% increase from 2009

PENN STATE EXPERIENCE (CONTINUED)
• Copyright infringement is a little bit different animal, but here are the figures:
  • 26 different copyright holders or their representatives reported infringement by Penn State users in 2010
  • Growth in complaints handled:
    • 2008 – 874
    • 2009 – 1127
    • 2010 – 1459

ON THE POSITIVE SIDE
• Intrusion Detection instance at the border tuned to look specifically for web-based attacks
  • ~135,000 packets per second analyzed on average
  • ~2.4 Gb per second on average
  • ~20,000 – 40,000 alerts daily
• More than 139,000 overtly hostile sites dynamically blocked on an average day
• More than 50 local intrusion detection sensors within units throughout the University, operated on their behalf by Security Operations and Services
• Generic header intrusion detection and correlation pinpoints additional attacks
  • 32 TB of header data is about 12 days
  • ~39,000,000 lines of logs a day
  • 34 compute queues in cluster

WHAT CAN USERS DO?
• Remove sensitive information from computers
  • PII – SSNs, Credit Card Numbers, Bank account numbers
  • Mortgage statements
  • Tax documents
  • Personal health records

OTHER: WHAT CAN USERS DO?
• Run in least privilege mode
  • 81% of Critical Microsoft vulnerabilities are mitigated by operating without administrator rights.
  • Of the total published Microsoft vulnerabilities, 64% are mitigated by removing administrator rights.
  • Source: BeyondTrust 2010 MS Vulnerability Report

THE BOTTOM LINE
It’s no longer a question of “if” your computer is compromised – it’s a matter of WHEN your computer is compromised. This will cause a re-thinking of how we protect data and systems. Meanwhile the standard guidance still applies:
• Browsing can be dangerous
• Scan and remove PII
• Practice least privilege
• Patch and update operating system and applications as required when new patches or updates are released
• Use current anti-virus (though only about 30% effective)
• Utilize unit policies

Unfortunate Case Study
A user’s PII scan results show just under 14,000 hits of PII. The user is busy and closes the scanning console, anticipating remediation at a later date. SIX times the same thing occurs: the user is busy and closes the console. Two months later the computer is compromised. Data mining unveils over 6,000 unique PII instances.

Negative Media Attention
• From an alumnus: “I received a great education at Penn State, but my life could be potentially ruined because of this. I’m very disappointed in Penn State.”
• From the mother of a former student: “How could a school that’s supposed to be as great as Penn State is let this happen?”
• From a one-time student: “So now my Social Security number has been severely compromised by Penn State’s lack of attention to security, and I have to pay the consequences.”

FINANCIAL BURDEN (APPROXIMATE COSTS)
• Forensic Investigation/Data Mining – $3500+
• Address Search – $500 batch + $.35/record
• Notification Services (mailing) – $1500+
• Research Funding – PRICELESS
• Reputation – PRICELESS

SUMMARY
• Penn State is not immune to the somewhat sorry state of computer and network security globally
• If you browse, you will at some point be compromised. (Expansion of the web-based threat)
• Attacks are expanding quickly in both number and sophistication. Organized crime is a major factor.
• While it may not be enough, users need to do all they can to protect assets and to be aware of the current environment

QUESTIONS??
• Go forth and compute wisely….