SANS Critical Security Controls Summit London 2013
DESCRIPTION
Present a Hard Target to Attackers
TRANSCRIPT
Presenting a Hard Target to Attackers
Wolfgang Kandek, CTO, Qualys Inc.
SANS Critical Security Controls 2013
London, May 1, 2013
Defense
Threat Intelligence
Public Threat Intelligence
2012 – Data breaches in the news
2013 – started in a similar way
Industry Reports
Traditional Tools Are Failing
Attacker Competence Is Rising
78 %
• Open System Administration Channels
• Default and Weak Passwords
• End-user has Administrator Privileges
• Outdated Software Versions
• Non-hardened Configurations
=> Flaws in System Administration
VZ DBIR Background Info
“We were getting owned through our users that were running IE with
admin privileges”
90 %
39
85 % of past incidents prevented
• About 5000 seats
• Data Breach
• 6 month security project
• Fully Patched in 2 weeks
• Admin rights controlled
• Whitelisting
• No Additional Software purchased
• No Enduser Impact
DIISRTE – Department of Industry, Innovation, Science, Research and Tertiary Education
20 %
327 malware samples
262 bypassed AV
Implementation
Score: Use a letter grade system or other mechanisms
Results
Opportunistic Attackers
✔
Targeted Attackers
Disrupt, Slow Down, Raise Cost, Force Mistakes
Information
US DoS, DIISRTE, NASA, DHHS-CMS, GS, OfficeMax…
References
• Microsoft Security Intelligence Report v14
• Verizon Data Breach Investigations Report
• Kaspersky Lab – Evaluating the Threat Level of Software Vulnerabilities
• Symantec – Empirical Study of Zero-Day Attacks
• Mandiant Intelligence Center – APT1
• South Carolina Data Breach Incident Report
• FireEye Advanced Threat Report