information security overview
null Dharmashala Chapter - March 2014 Meet
Information Security
By Murtuja Bharmal
Agenda
• Classical Penetration Attacks
• Current Threat Landscape
• New Attack Vector
Classical Penetration attacks
• Penetration attack steps:
o Reconnaissance
o Fingerprinting
o Application Analysis
o Threat Analysis
o Exploitation of vulnerability
Evolution
• How solutions evolved
– Firewalls became smarter
– IPS evolved and can stop network-based attacks in real time
– Policy control can be strongly enforced for enterprise assets (DMZ, servers, etc.)
Classical attack simulation
[Diagram: Internet, Firewall/IPS, DMZ and local LAN, with steps numbered 1 to 4]
Current Threat Landscape
• Paradigm shift in the threat landscape
• More than 80% of attacks today are web based
• The attack vector is shifting from network to application
• Malware growth has been exponential
• The number of compromised active hosts on the internet is in the millions
• Data theft is at an all-time high
• Hacking is no longer about the thrill; it's all about money
New Attack Vector
Latest attack technique
• Attacks are highly automated
• Dynamic host generation
• User-generated forums for C & C (Twitter, Google Groups, IRC)
• Automated polymorphic malware generation
• Built-in debugger evasion
• Malicious code injection in legitimate sites (MSN Canada, BOI). There goes your URL filter!
• Advanced encrypted channels for communication
Botnet Command and Control
[Diagram: bots (BOT) and a C & C server]
Favorite attack vectors
• Browser is the most preferred attack vector:
o Exploiting browser plugins:
– PDF (aka Penetration Document Format), Flash, Java and other client applications
• Or plain old reliable user who'll do anything if you ask nicely :)
The Ultimate Problem
INPUT
Exploiting System Flaws
ATM fraud in Kolkata and Bihar
http://www.currentweek.net/2010/08/atm-sbi-boi-fraud-tools-screw-drivers.html
Double refund fraud in Kolkata
http://timesofindia.indiatimes.com/city/kolkata-/Police-crack-Rs-2-crore-double-refund/articleshow/6904492.cms
Top Security Trends
Nation-sponsored hacking: When APT meets industrialization
The insider threat is much more than you had imagined
Man in the Browser attacks will man up
Misanthropes and anti-socials: Privacy vs. security in social networks
File security takes centre stage
Data security goes to the cloud
Mobile devices compromise data security
Hackers feeling the heat
Cyber security becomes a business process
Convergence of data security and privacy regulation worldwide
Source: http://blog.imperva.com/2010/11/index.html