information security overview

Information Security By Murtuja Bharmal

Upload: nu-the-open-security-community

Post on 06-May-2015


DESCRIPTION

null Dharmashala Chapter - March 2014 Meet

TRANSCRIPT

Page 1: Information Security Overview

Information Security

By Murtuja Bharmal

Page 2: Information Security Overview

Agenda

• Classical Penetration Attacks

• Current Threat Landscape

• New Attack Vector

Page 3: Information Security Overview

Classical Penetration attacks

• Penetration attack steps:

  o Reconnaissance

  o Fingerprinting

  o Application Analysis

  o Threat Analysis

  o Exploitation of vulnerability

Page 4: Information Security Overview

Evolution

• How Solutions Evolved

– Firewalls became smarter

– IPS evolved and can stop network-based attacks in real time

– Policy control can be strongly enforced for enterprise assets (DMZ, servers, etc.)

Page 5: Information Security Overview

Classical attack simulation

[Diagram: INTERNET, Firewall/IPS, DMZ and local LAN, with steps numbered 1 to 4]

Page 6: Information Security Overview

Current Threat Landscape

• Paradigm shift in the threat landscape

• More than 80% of attacks today are web based

• Attack vector is shifting from Network to Application

• Malware growth has been exponential

• The number of compromised active hosts on the internet is in the millions

• Data theft is at an all-time high

• Hacking is no longer about the thrill; it's all about money

Page 7: Information Security Overview

New Attack Vector

Page 8: Information Security Overview

Latest attack technique

• Attacks are highly automated

• Dynamic host generation

• User-generated forums for C & C (Twitter, Google Groups, IRC)

• Automated polymorphic malware generation

• Built-in debugger evasion

• Malicious code injection in legitimate sites (MSN Canada, BOI). There goes your URL filter!

• Advanced encrypted channels for communication

Page 9: Information Security Overview

Botnet Command and Control

[Diagram: four BOT nodes and one C & C node]

Page 10: Information Security Overview

Favorite attack vectors

• Browser is the most preferred attack vector:

  o Exploiting browser plugins:

    • PDF (aka Penetration Document Format), Flash, Java and other client applications

    • Or plain old reliable user who'll do anything if you ask nicely :)

Page 11: Information Security Overview

The Ultimate Problem

INPUT

Page 12: Information Security Overview

Exploiting System Flaws

ATM fraud in Kolkata and Bihar

http://www.currentweek.net/2010/08/atm-sbi-boi-fraud-tools-screw-drivers.html

Double refund fraud in Kolkata

http://timesofindia.indiatimes.com/city/kolkata-/Police-crack-Rs-2-crore-double-refund/articleshow/6904492.cms

Page 13: Information Security Overview

Top Security Trends

Nation-sponsored hacking: When APT meets industrialization

The insider threat is much more than you had imagined

Man in the Browser attacks will man up

Misanthropes and anti-socials: Privacy vs. security in social networks

File security takes centre stage

Data security goes to the cloud

Mobile devices compromise data security

Hackers feeling the heat

Cyber security becomes a business process

Convergence of data security and privacy regulation worldwide

Source: http://blog.imperva.com/2010/11/index.html