YOUR BABY MONITOR IS ATTACKING THE GOVERNMENT
A perspective on security risks today and a look towards the future

Nick McKerrall | Threat Prevention Team

©2016 Check Point Software Technologies Ltd.

2016 Statistics

• 5.5 million “things” are getting connected to the internet every day
• 75% of the organizations we perform security checkups on have machines infected with bots
• Every 32 minutes – sensitive data is sent outside the org
• Every 5 seconds – a host accesses a malicious website
• Every 4 minutes – a high risk application is used

September 2016 World Cyber Threat Map

Legend: Green – Low Risk; Beige – Medium; Pink – Higher; Red – Highest; White – Insufficient Data

RED: Bolivia, Angola, Zambia, Botswana, Uganda, Mongolia, Sri Lanka, Vietnam

September 2016 ‘Most Wanted’

1. Worm –
2. – Remote Access and Control
3. Locky – Ransomware (mostly via email)
4. Cutwail – Botnet (Spam/DDoS)
5. – Banking Trojan
6. Chanitor – Downloader
7. Tinba – Banking Trojan
8. Cryptowall – Ransomware (via exploit kits and phishing)
9. Blackhole – Exploit kit
10. Nivdort (Bayrob) – Multipurpose bot

September 2016 ‘Mobile Most Wanted’ Malware

1. HummingBad – Android Rootkit
2. Triada – Android Backdoor
3. Ztorg – Application Dropper

The threat landscape is changing

You need to dynamically adjust to new threat sources

Attacks change geography all the time

Malware is changing constantly, both in signature/variant and in purpose

We are seeing new levels of sophistication. Malware is becoming big business.

Our approach to protecting networks needs to change

Infected Machines are worth Money

• Ransomware keeps growing

• It’s getting easier to use them to make money


A business model as old as the internet

DDoS

• 665 Gbps DDoS against KrebsOnSecurity – large enough to have his hosting provider drop him as a client

• 1 Tbps DDoS against France-based hosting provider OVH

DDoS

• Attack against DNS provider Dyn (DynDNS)

• Took down access to popular sites that depend on Dyn for DNS, including: Amazon, Twitter, Netflix, Etsy, GitHub, Spotify, NYT, Wired, Reddit

DDoS

• Want your own botnet? Just get it off of GitHub

Too complicated? DDoS as a Service

Don’t think it’s a threat?

• Ontario Education Quality and Accountability Office (EQAO) confirmed an “intentional, malicious” cyber attack
• Students and educators were unable to access the system

Internet of Things

• Healthcare – Patient monitoring and controls

• Industrial – ICS/SCADA/Critical infrastructure, inventory management, monitoring, safety

• Wearable tech – Fitness, augmented reality, health

• Home Automation – HVAC, Access Control, Security, lighting, convenience

• Municipal – Traffic control, parking enforcement, utilities, lighting, law enforcement, data collection

• Environmental – Pollution monitoring, water, wildlife tracking, advanced warning systems

Internet of Things

• Generally insecure
• Difficult to update/patch
• Can be a target within your environment
• Can be used to target you if compromised
• Needs to be protected through inspection and segmentation

Mobile Mythbusters

• Mobile isn’t a big problem – 1 in 5 organizations have had a mobile breach in the last year.
• MDM is enough – MDM helps control devices, but it doesn’t help protect them.

• Secure Containers are safe – Data does not always exist in containers.

Mobile Mythbusters

• iOS is immune – Side-loaded apps, often pushed through MDMs, can be malicious.
• Mobile antivirus is enough – Anything signature-based will only detect known malware; unknown malware will slip through until it has been identified.

Mobile Devices

• They are the unpatched, unmanaged, unknown devices in your network
• Every year they gain more access to corporate resources and more access to personal information
• The current iPhone is 120X faster than the first iPhone. It’s a laptop in your pocket.
• The attack surface is growing because nobody is really paying attention

02 “WE ARE STUCK WITH TECHNOLOGY WHEN WHAT WE REALLY WANT IS JUST STUFF THAT WORKS” – Douglas Adams

HOW TO PROTECT BOUNDLESS ENVIRONMENTS?

SOFTWARE-DEFINED PROTECTION

MANAGEMENT LAYER Integrates security with business process

CONTROL LAYER Delivers real-time protections to the enforcement points

ENFORCEMENT LAYER Inspects traffic and enforces protection in well-defined segments

SEGMENTATION METHODOLOGY

STEP 1 – ATOMIC SEGMENTS: Elements that share the same policy and protection characteristics

STEP 2 – SEGMENT GROUPING: Grouping of atomic segments to allow modular protection

STEP 3 – CONSOLIDATION: Of physical and virtual components, as network security gateways or as host-based software

STEP 4 – TRUSTED CHANNELS: Protect interactions and data flow between segments

SEGMENTING YOUR NETWORK

[Figure: atomic segment, then a group of segments, then consolidation of enforcement points]

THREAT INTELLIGENCE

Real-time, collaborative and open intelligence translates into security protections.

Endpoint Protection

• Endpoint is the new perimeter

Endpoint Protection

• AV is not enough; consider the following attack vectors and the control that addresses each:

  Blocking known threats – Antivirus
  Blocking known exploits/attacks – HIPS, behavior analysis
  Incident response and analysis – Forensics and behavioral analysis
  Removable media and port protection – Media security
  Protect data at rest – Full disk encryption
  Detecting infected machines – Bot detection
  Digital media rights access – Document protection/DRM
  Application control – Application whitelisting
  Block/control access to web content – Web security
  Blocking unknown threats – Zero-day protection

The technology won’t address the risks unless the risks are fully understood

• Many different risk assessment models can be used. This example uses DREAD:
  – Damage – how bad would an attack be?
  – Reproducibility – how easy is it to reproduce the attack?
  – Exploitability – how much work is it to launch the attack?
  – Affected users – how many people will be impacted?
  – Discoverability – how easy is it to discover the threat?

Threat Modeling – Ransomware

• Hosts might become infected with ransomware and encrypt important documents
  – How much damage could be done to the organization by one or more infected machines?
  – How easy is it to get infected?
  – Is it difficult to launch a ransomware attack?
  – How many of our users are exposed to this kind of attack?
  – How easy is it to figure out if we’ve been infected?

Threat Scoring

Do we need to address this right away?

How to Score

  Item rating:  3 – high   2 – medium   1 – low

  Risk result (sum of the five item ratings):
    High    12–15
    Medium   8–11
    Low      5–7

Ransomware Score

  Item              Rating
  Damage potential  3 – Could knock out entire groups, could set the organization back days/weeks
  Reproducibility   3 – Very easy, just run the file
  Exploitability    3 – Very easy to launch with RaaS like Cerber
  Affected users    2 – Could be 1 user or could be an entire group
  Discoverability   1 – Easy to discover; the user will know they’re infected right away

Score: 12 – HIGH This risk needs to be addressed ASAP
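The scoring on the two slides above, written out as code so the sum and the band are computed rather than tallied by hand. This is an added example, not code from the deck; the ransomware ratings are the ones on the slide, while the two comparison threats and their ratings are constructed here only to show how the ranking comes out.

```python
"""DREAD scoring as the slides use it: each of the five factors is rated
1 (low), 2 (medium) or 3 (high); the sum is banded into Low (5-7),
Medium (8-11) or High (12-15)."""
from dataclasses import dataclass, fields

RATING_LABELS = {1: "low", 2: "medium", 3: "high"}


@dataclass(frozen=True)
class Dread:
    damage: int           # how bad would an attack be?
    reproducibility: int  # how easy is it to reproduce the attack?
    exploitability: int   # how much work is it to launch the attack?
    affected_users: int   # how many people will be impacted?
    discoverability: int  # how easy is it to discover the threat?

    def __post_init__(self):
        # Reject anything outside the 1..3 scale so totals stay within 5..15.
        for f in fields(self):
            value = getattr(self, f.name)
            if value not in RATING_LABELS:
                raise ValueError(f"{f.name} must be 1, 2 or 3, got {value!r}")

    @property
    def total(self) -> int:
        return sum(getattr(self, f.name) for f in fields(self))

    @property
    def risk(self) -> str:
        # Bands from the "How to Score" slide.
        if self.total >= 12:
            return "High"
        if self.total >= 8:
            return "Medium"
        return "Low"

    def explain(self) -> str:
        parts = [f"{f.name}={getattr(self, f.name)} ({RATING_LABELS[getattr(self, f.name)]})"
                 for f in fields(self)]
        return ", ".join(parts) + f" -> {self.total} {self.risk}"


# The ransomware worksheet from the slide.
RANSOMWARE = Dread(damage=3, reproducibility=3, exploitability=3,
                   affected_users=2, discoverability=1)

# Constructed comparison entries (assumed ratings, not from the deck).
THREATS = {
    "ransomware on endpoints": RANSOMWARE,
    "malware via removable media": Dread(2, 2, 2, 1, 2),
    "rogue wifi access point": Dread(2, 1, 1, 1, 2),
}


def prioritize(threats: dict) -> list:
    """Return (name, total, risk) tuples, highest score first, so the
    'address this right away' decision is a sorted list rather than a guess."""
    ranked = sorted(threats.items(), key=lambda kv: kv[1].total, reverse=True)
    return [(name, d.total, d.risk) for name, d in ranked]


if __name__ == "__main__":
    for name, total, risk in prioritize(THREATS):
        print(f"{total:>2} {risk:<6} {name}")
```

The validation in `__post_init__` matters more than it looks: a factor entered as 0 or 5 silently shifts a threat across a band, and the bands only mean anything if every item is on the same 1 to 3 scale.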

So what are we doing with our customers?

• Leverage the cloud for threat intelligence and compute power. There are a lot of threat resources out there; try to consolidate them so they can be easily consumed by your prevention tools

• Zero Trust – Files must prove themselves safe before they are allowed. Using technology like document scrubbing or threat extraction makes sure users are always accessing clean documents
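What "threat extraction" means in practice for an Office file: the user gets a copy with the active content removed instead of waiting on a verdict for the original. The block below is an added example, not Check Point's product code. It handles the macro-enabled Word case (.docm to .docx): the VBA project and embedded OLE/ActiveX parts are dropped from the OOXML zip, the relationships that pointed at them are removed, and the main part's content type is rewritten so Word treats the result as a plain document. The sample package is constructed in memory and its "VBA project" is a dummy byte string; the content-type and relationship-type URIs are the standard OOXML ones.

```python
"""Strip active content (VBA project, embedded OLE/ActiveX parts) from an
Office Open XML package and hand back a clean .docx."""
import io
import xml.etree.ElementTree as ET
import zipfile

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
CLEAN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
VBA_CT = "application/vnd.ms-office.vbaProject"
# Relationship Type URIs ending in one of these point at active content.
ACTIVE_REL_SUFFIXES = ("/vbaProject", "/vbaData", "/oleObject", "/control", "/package")


def is_active_part(name):
    base = name.rsplit("/", 1)[-1]
    return base in ("vbaProject.bin", "vbaData.xml") or \
        name.startswith(("word/embeddings/", "word/activeX/"))


def _serialize(root, default_ns):
    ET.register_namespace("", default_ns)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def _clean_rels(data):
    root = ET.fromstring(data)
    for rel in list(root):
        if rel.get("Type", "").endswith(ACTIVE_REL_SUFFIXES):
            root.remove(rel)  # a dangling relationship would trigger Word's repair dialog
    return _serialize(root, REL_NS)


def _clean_content_types(data, dropped):
    root = ET.fromstring(data)
    for el in list(root):
        tag = el.tag.split("}")[-1]
        if tag == "Default" and el.get("ContentType") == VBA_CT:
            root.remove(el)
        elif tag == "Override" and el.get("PartName", "").lstrip("/") in dropped:
            root.remove(el)
        elif el.get("ContentType") == MACRO_MAIN:
            el.set("ContentType", CLEAN_MAIN)  # macro-enabled -> plain document
    return _serialize(root, CT_NS)


def extract_threats(package_bytes):
    """Return (clean_package_bytes, names_of_removed_parts)."""
    src = zipfile.ZipFile(io.BytesIO(package_bytes))
    dropped = [n for n in src.namelist() if is_active_part(n)]
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in dropped:
                continue
            data = src.read(name)
            if name == "[Content_Types].xml":
                data = _clean_content_types(data, set(dropped))
            elif name.endswith(".rels"):
                data = _clean_rels(data)
            dst.writestr(name, data)
    return out.getvalue(), dropped


def inspect_package(package_bytes):
    """Reader used to check the result: part names, main-part content type,
    and the relationship types hanging off the main document part."""
    z = zipfile.ZipFile(io.BytesIO(package_bytes))
    ct = ET.fromstring(z.read("[Content_Types].xml"))
    main = next((e.get("ContentType") for e in ct
                 if e.get("PartName") == "/word/document.xml"), None)
    rels = ET.fromstring(z.read("word/_rels/document.xml.rels"))
    return {"parts": z.namelist(), "main_content_type": main,
            "rel_types": [r.get("Type") for r in rels]}


def build_sample_docm():
    """Constructed minimal macro-enabled package (not a real sample)."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    parts = {
        "[Content_Types].xml": (
            f'<Types xmlns="{CT_NS}">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            f'<Default Extension="bin" ContentType="{VBA_CT}"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/></Types>'),
        "word/document.xml": f'<w:document xmlns:w="{w_ns}"><w:body/></w:document>',
        "word/settings.xml": f'<w:settings xmlns:w="{w_ns}"/>',
        "word/_rels/document.xml.rels": (
            f'<Relationships xmlns="{REL_NS}">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/>'
            '</Relationships>'),
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 dummy VBA project",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    clean, removed = extract_threats(build_sample_docm())
    print("removed:", removed)
    print(inspect_package(clean))
```

The point of the approach is that no verdict is needed: whatever the macro would have done, the copy the user opens has no macro. What it cannot do is neutralise content that is not a separate part (for example a link the user is persuaded to click), so it complements sandboxing and web protection rather than replacing them.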

So what are we doing with our customers?

• Proactive blocking of malicious outbound traffic – If there are bots on your network they can’t just be logged; the C&C channel must be cut off so they can’t attack anyone else.
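One concrete way to get from "bots are logged" to "the C&C channel is cut": find the hosts whose outbound contacts to a single destination recur at a near-constant interval, which is what scripted beaconing looks like in proxy or firewall logs, and emit a block for that pair. This is an added example, not Check Point code. The log lines are constructed for the example (timestamp, source host, destination; addresses are from the RFC 5737 documentation ranges), and the block rule syntax is a placeholder to be adapted to the gateway in use.

```python
"""Flag periodic beaconing in outbound logs and turn each finding into a
block rule rather than a log entry."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one host beacons every ~5 minutes, another browses irregularly.
SAMPLE_LOG = """\
2016-10-21T09:00:00 10.0.5.23 198.51.100.7
2016-10-21T09:00:04 10.0.5.23 203.0.113.10
2016-10-21T09:05:01 10.0.5.23 198.51.100.7
2016-10-21T09:10:00 10.0.5.23 198.51.100.7
2016-10-21T09:15:02 10.0.5.23 198.51.100.7
2016-10-21T09:20:00 10.0.5.23 198.51.100.7
2016-10-21T09:25:01 10.0.5.23 198.51.100.7
2016-10-21T09:03:17 10.0.5.40 203.0.113.10
2016-10-21T09:11:49 10.0.5.40 203.0.113.10
2016-10-21T09:12:05 10.0.5.40 203.0.113.10
2016-10-21T09:40:30 10.0.5.40 203.0.113.10
2016-10-21T09:41:00 10.0.5.40 203.0.113.10
2016-10-21T09:55:12 10.0.5.40 203.0.113.10
"""


def parse_log(text):
    """Group timestamps by (src, dst); tolerates out-of-order lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    for stamps in flows.values():
        stamps.sort()
    return flows


def find_beacons(text, min_events=5, max_jitter=0.1):
    """Return flows whose inter-contact gaps are regular enough to look
    scripted: coefficient of variation (stdev / mean) below max_jitter."""
    beacons = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_events:
            continue  # too few contacts to judge periodicity
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        jitter = pstdev(gaps) / avg
        if jitter < max_jitter:
            beacons.append({"src": src, "dst": dst, "events": len(stamps),
                            "interval_s": round(avg), "jitter": round(jitter, 3)})
    return beacons


def block_rules(beacons):
    """Enforcement output (placeholder syntax; adapt to the gateway in use)."""
    return [f"drop from {b['src']} to {b['dst']}  # beacon every ~{b['interval_s']}s, "
            f"{b['events']} hits, jitter {b['jitter']}" for b in beacons]


if __name__ == "__main__":
    for rule in block_rules(find_beacons(SAMPLE_LOG)):
        print(rule)
```

Tune `min_events` and `max_jitter` against known-good periodic traffic (update checks, monitoring agents) before enforcing, and feed confirmed C&C destinations back into the threat intelligence the earlier slide talks about so other enforcement points block them too.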

• Micro-segmentation with protection and inspection in between segments. Don’t just rely on VLANs; you need to assume threats can come from anywhere
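The segmentation methodology slides (atomic segments, segment groups, trusted channels) and the micro-segmentation point above, reduced to a policy check you can run: an address maps to an atomic segment, same-segment traffic is allowed, cross-segment traffic is allowed only over a declared trusted channel with a named inspection profile, and everything else is denied, including two segments that share a VLAN and any device that does not map to a segment at all. This is an added example, not Check Point code; the segments, address ranges, channels and sample flows are assumptions made up for the illustration.

```python
"""Default-deny policy check over atomic segments and trusted channels."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    name: str
    group: str       # segment group (step 2 of the methodology)
    networks: tuple  # CIDR strings; one atomic segment may span several


# Step 1: atomic segments. Cameras and HVAC sit in one /24 VLAN but are
# separate segments because they have different policy characteristics.
SEGMENTS = (
    Segment("iot-cameras", "building", ("10.20.0.0/25",)),
    Segment("hvac", "building", ("10.20.0.128/25",)),
    Segment("nvr", "building-mgmt", ("10.20.9.0/24",)),
    Segment("workstations", "corp", ("10.10.0.0/16",)),
    Segment("finance-servers", "datacenter", ("10.30.5.0/24",)),
)

# Step 4: trusted channels as (src segment, dst segment, proto, dst port, inspection profile).
CHANNELS = (
    ("iot-cameras", "nvr", "tcp", 554, "rtsp-only"),
    ("workstations", "finance-servers", "tcp", 443, "tls-inspect+ips"),
    ("workstations", "nvr", "tcp", 443, "tls-inspect+ips"),
)

_NETS = [(seg, ipaddress.ip_network(n)) for seg in SEGMENTS for n in seg.networks]


def segment_of(ip):
    """Map an address to its atomic segment, or None for an unknown device."""
    addr = ipaddress.ip_address(ip)
    for seg, net in _NETS:
        if addr in net:
            return seg
    return None


def evaluate(src_ip, dst_ip, proto, port):
    """Return (verdict, reason). Only same-segment traffic or a matching
    trusted channel is allowed; the channel names the inspection to apply."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "deny", "unknown endpoint: unmanaged device, quarantine and identify"
    if src == dst:
        return "allow", f"intra-segment traffic within {src.name}"
    for s, d, p, prt, profile in CHANNELS:
        if (s, d, p, prt) == (src.name, dst.name, proto, port):
            return "allow", f"trusted channel {src.name}->{dst.name}, inspect with {profile}"
    return "deny", f"no trusted channel {src.name}({src.group})->{dst.name}({dst.group})"


def audit(flows):
    """Evaluate a batch of (src, dst, proto, port) flows; verdicts in input order."""
    return [evaluate(*f) for f in flows]


SAMPLE_FLOWS = (  # constructed
    ("10.20.0.17", "10.20.9.5", "tcp", 554),    # camera -> NVR over the declared channel
    ("10.20.0.17", "10.30.5.12", "tcp", 445),   # camera -> finance file share
    ("10.20.0.17", "10.20.0.130", "tcp", 80),   # camera -> HVAC, same VLAN, different segment
    ("10.20.0.17", "10.20.0.18", "tcp", 80),    # camera -> camera, same segment
    ("192.168.1.5", "10.30.5.12", "tcp", 443),  # device that maps to no segment
    ("10.10.4.9", "10.30.5.12", "tcp", 443),    # workstation -> finance over TLS
)

if __name__ == "__main__":
    for flow, (verdict, reason) in zip(SAMPLE_FLOWS, audit(SAMPLE_FLOWS)):
        print(f"{verdict:5} {flow[0]:>12} -> {flow[1]:<12} {flow[2]}/{flow[3]:<4} {reason}")
```

The third flow is the one a VLAN-only design gets wrong: the camera and the HVAC controller are layer-2 neighbours, so without an enforcement point between the two segments a compromised camera reaches the controller unhindered. Treating the gap between atomic segments as an inspection boundary, whether it is a gateway or host-based software (step 3), is what the slide means by not relying on VLANs.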

So what can be done?

• Visibility and consolidation – Don’t continue adding one tool to address one problem. Look for areas of consolidation to increase visibility and effectiveness and reduce costs and complexity
• If you need to spend money, spend it on prevention; detection isn’t enough anymore. Threats spread too fast, cause too much damage and are arriving at too fast a pace.

03 “The best way to predict the future is to invent it” – Alan Kay, computer scientist

What does the future hold?

• End Ransomware on the desktop

• Emergence of Ransomware on the service delivery side

• End to the browser attack vector

• See a rapid acceleration of mobile threats

• See legislation against IT vendors and organizations if they release vulnerable products or improperly secure their networks. Maybe ban unsafe products from being sold in the country.

• Focus of attacks on disrupting government and political operations. This is happening now, but it will become more public.

• Legislation of malicious software

• New standards around trust, identity, and access

THANK YOU
