Open heart security reconstructing your protection strategy

  • Published on
    19-Oct-2014

  • View
    82

  • Download
    0

Embed Size (px)

DESCRIPTION

In the wake of the disclosure of the Heartbleed OpenSSL vulnerability in April, your companys security strategy may have skipped a beat. Join us to learn more about the ramifications and recovery from Heartbleed as experts from IBM X-Force share findings from the latest IBM X-Force Threat Intelligence Quarterly 3Q report. Join the webinar to learn more about: - The Immediate Aftermath of Heartbleed: Just one day after the disclosure, IBM Managed Security Services (MSS) witnessed attacks on customer networks spiking to 300,000 attacks in a 24-hour period. Find out why, despite a patch being issued, attacks are still ongoing. - One-Day Attacks: For one-day attacks, the goal of the attacker is to take advantage of the exposure window of organizations between when the patches are announced and when the patches are actually deployed. Learn what steps you can take to prepare your network. - Declining Vulnerability Disclosures: Vulnerability disclosures in the first half of 2014 are down compared to prior years. For those that were reported, like Heartbleed, the current CVSS v2 standard doesnt necessarily reflect the actual risk the vulnerability may pose. Learn how the industry is adapting to assess these risks more accurately. View the full on-demand webcast: https://www2.gotomeeting.com/register/319495890

Transcript

2013-MidYear-XF-Trend&Riskreport

Open Heart Security: Reconstructing Your Protection Strategy

Michael HamelinLead X-Force Security Architect 2012 IBM CorporationIBM Security Systems# 2014 IBM Corporation 2014 IBM CorporationIBM Security Systems#

IBM X-Forceis the foundation for advanced security and threat research across the IBM Security Framework. 2013 IBM CorporationIBM Security SystemsAdvanced Security and Threat Research, which includes the X-Force team, is the foundation for many of the pillars in the security product portfolio.

As the team tasked with staying on top of the latest threats and vulnerabilities, the information it provides is a critical aspect of providing protection to the other parts of the framework. 2

IBM X-Force Research and DevelopmentVulnerabilityProtectionIPReputationAnti-SpamMalwareAnalysisWebApplicationControlURL / WebFilteringThe IBM X-Force MissionMonitor and evaluate the rapidly changing threat landscape Research new attack techniques and develop protection for tomorrows security challengesEducate our customers and the general publicIntegrate and distribute Threat Protection and Intelligence to make IBM solutions smarterExpert analysis and data sharing on the global threat landscapeZero-dayResearch 2013 IBM CorporationIBM Security SystemsCoverage20,000+ devices under contract15B+ events managed per day133 monitored countries (MSS)1,000+ security related patents100M+ customers protected from fraudulent transactionsDepth23B analyzed web pages & images7M spam & phishing attacks daily81K documented vulnerabilities860K malicious IP addressesMillions of unique malware samples

IBM X-Force monitors and analyzes the changing threat landscape. 2013 IBM CorporationIBM Security SystemsIBM X-Force has a long standing history as one of the best known commercial security research and development groups in the worldCan leverage security expertise across IBM to better understand what is happening in securityWork closely with IBM managed security services groupMonitor over 15B security events every day from nearly 4,000 security clients in over 133 countriesHave numerous intelligence sources: Global web crawler, probably biggest in world behind Google and BingSpam traps around the work database of more than 73k security vulnerability monitored every dayInternational spam collectorsAll of this is done to stay ahead of continuing threats for our customers

Web crawler is particularly interested in files, images, or pages that contain malicious links or content. The team in Kassel Germany who builds our web crawler also developed an anti spam productWe have spam traps around the world, receive large amounts of spam so that we can analyze and understand the different types so that we can preemptively block that spamOur work covers 4 key areas:ResearchEnginesContent DeliverIndustry/Customer deliverables such as this X-Force report, blogs, articles, presentations and speaking engagements

4

More thanhalf a billion recordsof personally identifiable information (PII) were leaked in 2013. 2014 IBM CorporationIBM Security Systems#5

In April 2014, the Heartbleed vulnerability in the OpenSSL software library was disclosed.The bug is in the OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520), which could allow for the exfiltration of passwords, PII, and SSL certificate private keys.Source: What to Do to Protect against Heartbleed OpenSSL Vulnerability, SecurityIntelligence.com 2014 IBM CorporationIBM Security Systems#

Heartbleed attacks surged after the vulnerability disclosure.After Heartbleed was disclosed, IBM MSS witnessed over 300,000 attacks in 24 hrs, with an average of 3.47 attacks per second across the customer base. 2014 IBM CorporationIBM Security Systems#The April disclosure of the Heartbleed vulnerability in the OpenSSL library has been the security event this year, with attack traffic towards the MSS customer base peaking at more than 300,000 attacks in a single 24-hour period. Thats an average of 3.47 attacks per second for more than hundreds of customers!

A vulnerability disclosure such as Heartbleed forces organizations to look deeper into their risk management and critical communication processes. The bug permitted unauthenticated memory leaks from servers and clients alike. While the initial impact of Heartbleed is waning, a second wave of new vulnerabilities found within open-source and reusable software merits further discussion.Servers worldwide continue to be affected by this critical vulnerability. Not only did the flaw focus the attention of researchers looking for new areas of vulnerabilities within open-source and reusable code, it also gave attackers another great opportunity to use one-day attack methods.

On 15 April 2014, MSS witnessed the largest spike in activity across the customer base with more than 300,000 attacks in a single 24-hour period. Thats an average of 3.47 attacks per second for more than hundreds of customers.

7MSS continues to average 7k attacks per day mostly from malicious hosts.

2014 IBM CorporationIBM Security Systems#As of August 2014, the current status of attacks is still significant. MSS sees an average of 7,000 attacks per day across a large attack surface. With most of these attacks coming from malicious hosts, MSS recommends first patching vulnerable systems and secondarily, blocking this traffic via Intrusion Prevention Systems (IPS).8Rather than a single IP address executing the attack repeatedly, many of the attacks used a distributed method.

This enabled attackers to have a large, diversified attack surface and the flexibility to overcome rudimentary blocking strategies. 2014 IBM CorporationIBM Security Systems#Rather than a single IP address executing the attack repeatedly, many of the attacks used a distributed method. A wide range of IP addresses across multiple autonomous system numbers (ASNs) attacked the networks monitored by MSS. In fact, entire ranges of IP addresses attacked several servers at once. This enabled attackers to have a large, diversified attack surface and the flexibility to overcome rudimentary blocking strategies. 9One-day attack methods demonstrate how quickly attackers rush to exploit a vulnerability like Heartbleed.

1-Day Attacks are those that rush to exploit a new vulnerability immediately after it is publically disclosed. 2014 IBM CorporationIBM Security Systems#Just one day after the disclosure, a proof-of-concept tool capable of exploiting the Heartbleed bug began circulating, exposing unpatched systems to skilled and unskilled attackers alike. But more troubling is the fact that also a day after the disclosure, attacks leveraging the vulnerability began to occur.For one-day attacks, the goal of the attacker is to take advantage of the exposure window of organizations between when the patches are announced and when the patches are actually deployed.

Keep up with threat intelligence: a timely source of information on the latest threats is critical to keep organizations informed and allow them to respond as soon as possible.Maintain a current and accurate asset inventory: when a critical vulnerabilities is publicized, you dont have time to try and figure out where your vulnerable and exposed assets are. Attackers are engaged in the same pursuit and effective defense should not be a race to discovery; as a defender this is one area where you should have the upper hand.Have a patching solution that covers your entire infrastructure: apply patches as soon as vendors release them, and implement a rapid burn-in procedure, including back-out plans, to make sure patches dont break operational systems.Implement mitigating controls: firewalls, IPSs, endpoint protection, all can help protect against new threats during the period between the vulnerability disclosure and when youre able to apply vendor patches.Instrument your environment with effective detection: Gain visibility by monitoring your network to understand when anomalous activity is detected. Create and practice a broad incident response plan: All activities related to vulnerability disclosures and active attacks must be guided by processes involving all levels of your organization, and guided by clear procedures for a variety of situations. Test the procedures often to make sure youre not working out the kinks when an actual emergency arises.

10X-Force noted this trend was similar to a 2012 disclosure of a Java vulnerability.

2014 IBM CorporationIBM Security Systems#Heartbleed isnt the first time one-day attacks have occurred that is, attacks leveraging an already-patched vulnerability. In fact, X-Force analysts noted this trend after the disclosure of the 2012 Java vulnerability (CVE-2012-1723), as discussed in our IBM X-Force 2012 Trend and Risk Report.

Attackers are opportunistic; they will grab every opportunity to attack when a target is in a weak state. An organizations best defense against one-day attacks is to be readyto have action plans prepared and mitigations in place when a critical vulnerability is reported.Mitigation techniques that can help:Apply workarounds: Check if the vendor provides guidance for a temporary workaround that can help prevent exploitation of the vulnerability.Block attacks: Security productssuch as intrusion detection or intrusion prevention systems and anti-virus softwarecan serve as a first line of defense against exploitation of vulnerabilities while patches are being tested and deployed.Shut down systems temporarily: Although business leaders may object, another solution is to temporarily shut down or disconnect the affected system while a patch is being tested. This option may be the best way to help prevent the loss of customers personal or financial information.

11

There was a decline in vulnerability disclosures in the first half of 2014; this could be the first reduction since 2011.

2014 IBM CorporationIBM Security Systems#In the first half of 2014, we reported just over 3,900 new security vulnerabilities affecting 926 unique vendors. If this trend continues through the end of the year, the total projected vulnerabilities would fall below 8,000 total vulnerabilities for the first time since 2011.

12It is difficult to point to any one factor that has contributed to the decline in the number of vulnerability disclosures in 2014.

A decreasing number of vendors consistently reporting vulnerabilities might be contributing to the recent decline in total overall vulnerabilities disclosed. 2014 IBM CorporationIBM Security Systems#The decreasing number of vendors consistently reporting vulnerabilities might be contributing to the recent decline in total overall vulnerabilities disclosed. It is difficult to point to any one factor that has contributed to the decline in the number of vulnerability disclosures in 2014. However, it is interesting to note that the total number of vendors disclosing vulnerabilities has decreased year over year (1,602 vendors in 2013, compared to 926 vendors in 2014).Top ten vendors producing software typically have a more comprehensive approach to security that includes policies and practices for properly addressing and responding to security vulnerabilities, which likely leads to a larger number of public vulnerability disclosures.(point to PSIRT blog)We observed that out of thousands of vendors, these companies consistently disclose significant number of security vulnerabilities. We categorize these vendors in a top 10 group, leaving out the content management system (CMS) vulnerabilities since the majority of those are in third-party plug-ins and add-ons and not widely used as enterprise-level software.We agreed with PSIRT to give a nod to the blog published on how IBM is improving vulnerability tracking. This should be worked into key messages at some level.13Plug-ins are responsible for 90% of total CMS vulnerabilities disclosed. This heightened risk leads to mass infection.

2014 IBM CorporationIBM Security Systems#Vulnerabilities in CMS continue to be some of the most reported in 2014, accounting for nearly 10 percent of all reported vulnerabilities. Attack activity to third-party plug-ins (such as those available to WordPress) increased in 2014.Within the CMS vulnerabilities, 90 percent of those reported were in plug-ins or modules written by third-party sourcesnot by the core CMS vendor.

A heightened risk of exploitation of these plug-ins continues in recent months with a notable high impact example in the Mayhem Virus that seeks to compromise web servers through CMS vulnerabilities and brute-force attacks of weak or default credentials.

***Additional notes from report:

While X-Force has previously cautioned against using CMS plug-ins, a new wave of attacks against these platforms was launched in recent months, showing the continued risk. Russian site Yandex reported on a malware dubbed the Mayhem Virus11 that seeks to compromise web servers through CMS vulnerabilities and brute-force attacks of weak or default credentials.

After these web servers are compromised, they can be used to serve malware or carry out large-scale, high-bandwidth distributed-denial-of-service (DDoS) attacks against other sites and targets. For example, WordPress was used in an amplification DDoS attack in March 2014 that affected more than 162,000 sites.12 In this case, attackers used the legitimate functionality of the XML-RPC pingback feature to link blog content from different authors to a third-party website. 14

Does current CVSS scoring represent actual risk to networks and systems?Heartbleed existed for two years and received a CVSS medium base score of 5.0. 2014 IBM CorporationIBM Security Systems#Inherent flaws in the current CVSS(v2) standard and a lack of clear guidelines on how to objectively assess certain types of vulnerabilities, often fails to reflect the true risk a vulnerability may pose to an organization, causing an overall loss of confidence in the CVSS score as an accurate and reliable measure of risk.In the scoring of vulnerabilities for the first half of 2014, we found that the majority of issues fall into the CVSS medium severity range (67 percent), with 24 percent of all vulnerabilities rated critical or high.

This is the third consecutive year where the majority of vulnerabilities have been rated as medium-level risks.

The most obvious example of how some CVSS scores do not always represent true risk and impact to an organization is the Heartbleed vulnerability, which had actually existed for two years and received a CVSS medium base score of 5.0.

With the number of products impacted, the time and attention IT teams spent patching systems and responding to customer inquiries, as well as the potential sensitivity of data exposed, the true impact of the Heartbleed vulnerability was greater than the CVSS base score would indic...