
SearchSecurity.com E-Guide

How to combat the latest cybersecurity threats

It takes a great deal of time and money to fine-tune IT security in response to evolving IT security threats and attack tactics. This expert e-guide provides an in-depth overview of modern computer security threats and offers technical advice on how to deal with them.

Table of Contents

Perimeter defenses deemed ineffective against modern security threats
Evolving IT security threats: Inside Web-based, social engineering attacks
Resources from ArcSight

Perimeter defenses deemed ineffective against modern security threats

How do you combat today's cybersecurity threats if the intruders are already inside your network? A panel of security executives tackled this topic at the Cornerstones of Trust on Tuesday in Foster City, Calif. The annual conference is co-hosted by the Information Systems Security Association's Silicon Valley and San Francisco chapters and San Francisco Bay Area InfraGard.

The idea of keeping intruders out with traditional, perimeter-based security is useless against the advanced persistent threat -- targeted attack activity by organized groups of cybercriminals to infiltrate an organization and steal data over time without being detected, panelists said.

"Aurora and similar attacks mean organizations that depend on a perimeter-based strategy are victims and will remain so," said Gary Terrell, CISO at Adobe Systems Inc.

Along with Google, Adobe was among about 20 companies targeted by Operation Aurora late last year. APT became a stark reality for Adobe on Jan. 2, when Google informed it that it was victimized by Aurora, Terrell said.

John Wang, security architect at NASA, said the government is more experienced with APT than other industry sectors.

"APT for us is more old hat… From my perspective, we're at war," he said. "Perimeter defenses are no longer effective, if they ever were. It's harder to fight a war from the inside than maintaining the perimeter. It requires additional resources."

Criminals are after an organization's crown jewels, money or infrastructure, Wang said. "The fight starts with understanding what you're trying to protect," he added.

For Leslie Lambert, former CISO at Sun Microsystems who recently joined Juniper Networks Inc. as CISO, assuming that the bad actors behind cybersecurity threats are already inside the network raises the issue of how sensitive data is secured. Juniper has acknowledged that it was among the victims of Operation Aurora.

"If they're already in, how have you applied the principles of data protection?" she asked.

An inside-out security strategy can include several tactics, including DNS monitoring, which can help track down those who are already infected, Terrell said. Reputation-based file scanning, which can go beyond traditional antivirus to uncover customized malware, data loss prevention tools, and adaptive authentication based on a variety of user attributes are other useful tactics, he said.

Wang said organizations need to take a defense-in-depth approach -- a strategy that hasn't gotten as much attention with all the focus on perimeter defenses. That approach includes log aggregation, application whitelisting, "encryption everywhere," and a security operations center for incident response, he said.

However, all those security measures become cost prohibitive, he added. Vendors need to embed more security functionality into systems and the decision makers at organizations need to consider security costs up front. Organizations have to figure out what it is they're trying to protect with limited resources, Wang said: "You can't protect everything."
Understanding attackers and their methods and motivations is an important part of the strategy to combat cybersecurity threats, Terrell said in response to a question from an audience member. "Intelligence is critical," he said. "It has to be a priority."

The panel was moderated by Jacques Francoeur, senior director of identity and information at SAIC and executive director of the CSO Council Bay Area. All of the executives on Tuesday's panel serve on the council, a nonprofit that provides top security executives with a way to securely share information.

Evolving IT security threats: Inside Web-based, social engineering attacks

It takes time and money to adjust IT security in response to evolving IT security threats and attack tactics. As defenders gradually update their security measures, attackers respond accordingly. Such arms-race dynamics lead to threats of increasing sophistication and efficiency.

Today's cybercriminals often have a long-term interest in their targets, and often employ social engineering to get inside a protected environment. Their tactics commonly include a malicious payload that attempts to compromise the victim's system and may continue spreading within the organization. They also increasingly focus on weaknesses at the application level, rather than at system or network levels, to obtain data that provides the most value.

Defending IT infrastructure involves understanding attack tactics that are effective today.
As you assess and improve your information security program, consider the following characteristics of modern computer security threats and the recommendations for dealing with them.

How social engineering attacks bypass technical defenses

Attackers increasingly employ social engineering attack tactics to exploit natural human predispositions with the goal of bypassing defenses. Such approaches can persuade victims into clicking on malicious links, opening exploit-laden attachments and installing malicious software. The psychological factors attackers incorporate into social engineering attacks include the following:

• People pay attention to personally relevant messaging. For instance, a variant of the Waledac worm directed its potential victims to a website that showed a news excerpt about an explosion. The message was customized to include the visitor's geographic location as the location of the explosion to entice the person to install a (Trojan) video player for viewing the news story. In another example, attackers sent targeted email messages with malicious attachments under the guise of an agenda for an upcoming meeting. The attacker bet on the likelihood that the recipient had a meeting coming up and would want to view the agenda.

• People comply with social norms, looking at others for behavioral cues. One example of this behavior is people's tendency to click on links shared by their friends on social networking sites such as Facebook and Twitter. The Koobface worm has been highly successful at convincing people to visit malicious websites by posting links using the victims' social networking accounts. In another example, the Nugache worm used infected systems to download malicious components from a legitimate download-tracking site, boosting the popularity of its files to attract new victims.

• People trust security tools.
Much like people trust individuals who look like doctors, users sometimes blindly trust the measures taken for the sake of security. Rogue antivirus tools have been highly successful at spreading by convincing victims their computers are infected and demand immediate intervention. Attackers have also used digital certificates to sign malicious executables -- as was the case with Stuxnet -- with the expectation that seeing a signed file would lower the target's guard.

Such social engineering attack techniques blur the line between external and internal threats, because social engineering allows external attackers to quickly gain an internal vantage point. Once inside the protected perimeter, for instance, attackers tend to pursue targets that are inaccessible from the outside.

To account for this threat vector, incorporate social engineering concepts into your security awareness program to make your employees more resistant to such tactics. Assess the extent to which your employees learned key concepts, provide feedback and adjust training, if necessary.

Employ security defenses assuming some employees will be social engineered despite the security awareness training. This involves:

• Locking down the workstation to minimize the damage a process running with the user's privileges can cause;
• Limiting the rights employees have to access the network and applications to match their business needs;
• Reviewing activity logs to identify when user accounts and access are being misused;
• Evaluating the effectiveness of your browser security software in its ability to restrict access to dangerous content or code downloaded by the user.

Targeting workstations through the