Top Cyber Security Trends for 2016

© 2015 Imperva, Inc. All rights reserved.

Top Cyber Security Trends for 2016 Amichai Shulman, CTO, Imperva December 16, 2015


Amichai Shulman – CTO, Imperva

•  Speaker at industry events –  RSA, Appsec, Info Security UK, Black Hat

•  Lecturer on information security –  Technion - Israel Institute of Technology

•  Former security consultant to banks and financial services firms •  Leads the Imperva Application Defense Center (ADC)

–  Discovered over 20 commercial application vulnerabilities –  Credited by Oracle, MSSQL, IBM and Others

2

Amichai Shulman one of InfoWorld’s “Top 25 CTOs”


Agenda

•  Introduction •  2015 Forecast Score Card •  2016 Cyber Security Trends •  Summary and Conclusion •  Q&A

3


2015 Score Card

4

Trend Score

1 Targeted attacks change their nature A

2 Patching is going to become impossible A-

3 DDoS is growing at the Internet rate A

4 SSL is at a tipping point A-


2016 Cyber Security Trend #1:

IoT / BoT - Botnet of Things 1

5


BoT - Botnet of Things

6


Hacking the Fridge

7


Asking the Right Question

•  Can someone hack my toaster?

8


Asking the Right Question

•  Can someone hack my toaster? •  Can my network be attacked with a shoe?

9

The Internet of Things

A dramatic increase in networked devices leads to more opportunities for

ATTACK

The Internet of Things


BoT - Botnet of Things

•  Connected IoT devices will never have “adequate” security –  Device take over –  Credential theft

•  Botnets can grow larger undetected –  More opportunity – easier to form larger botnets –  More DDoS as a Service opportunity

•  Possible increase in exposure from insiders –  BYOD on steroids –  Watch, wearables and others not as secure –  More compromised devices in the vicinity of enterprise networks

11


Our Prediction

•  More people talking about the wrong problems •  More “IoT” based botnets •  More incidents to link personal credentials with IoT breaches •  Highly sensitive companies starting to feel the pressure (not until the end of

the year)

12



Rise of Insider Threat 2

13


Rise of Insider Threat

14

Globally 89% of respondents felt that their organization was now more at risk from an insider attack – Vormetric 2015

“55% of the Incidents from Internal Actors due to Privilege Abuse” -Verizon DBIR 2015

Malicious Careless Compromised


Outside In

•  Personal attack surface is growing –  Social, mobile, IoE –  We are extremely exposed and extremely vulnerable

•  Engaged employees are a two way sword –  Mix work and personal life –  Most infections happen during office hours, 20% of infected machines attributed to

enterprise networks

•  End stations are increasingly vulnerable –  Tracking the number of patched vulnerabilities in end point components suggests a

growing backlog with a constant fixing capacity

16


Inside Out

•  Shadow IT –  Unmanaged Database servers –  Partly commissioned SaaS applications

•  More employees and more collaboration –  Barriers are taken down

•  Shared data repositories with trusted partners •  Sensitive data is everywhere

–  Cloud applications provide direct access without IT control –  Big data lakes –  1000s of “traditional” databases

17


Our Predictions

•  Decrease in detection rates –  Most solutions look for the tools and not the attack –  Attackers have all the infrastructure in place to evade ANY solution that takes the

above approach

•  Increase in absolute number of attacks of internal nature •  Large increase in total number and percentage of incidents of internal nature

18



Data Security for the Big and Small 3

19


Big Breaches = Big Price Tag

•  Cost of data breach is higher than anticipated –  Target’s gross breach expenses totaled $252 million, insurance compensation brought that

down to $162 million –  Home Depot expects $100 million in insurance payments toward $232 million in expenses

from its 2014 breach –  Anthem breach expected to cost more than $100 millions

20


Big Breaches Start Small

•  Target breach started with a compromised HVAC company

•  T-Mobile customer data breached through Experian

•  JPMC customer data breached after an affiliate was breached

•  Lockheed Martin breach through RSA

21


Smaller Companies are Targets

•  While sophisticated, targeted attacks do exists they are a negligible minority •  80% of infections stem from massive eMail campaigns •  Smaller organizations are infected and compromised as much as larger ones

(or even more) •  Attackers are aware of 3rd party relationships between large targets and

smaller service providers •  Transfer of liabilities may prove to be devastating for a smaller 3rd party

22


Cyber Insurance is Not a Silver Bullet

•  Big breaches leave some of the costs uncovered •  Insurance claims result in higher policy costs in the future

–  “Health insurers who suffered hacks are facing the most extreme increases, with some premiums tripling at renewal time” - Bob Wice, a leader of Beazley Plc's cyber insurance practice

•  Policy cost is detrimental for smaller business –  Insurers are not proficient yet in assessing the risks –  May consider making coverage conditional on a full and frequent assessment of

policyholder vulnerabilities (PwC Research) –  Especially true for 3rd party liabilities

23


Our Predictions

•  Continuing on our previous prediction – smaller organizations are going to continue falling prey in larger numbers

•  Expect more breaches to be attributed to 3rd party negligence •  Big enterprises to start paying attention to security posture of 3rd parties

–  Set up standards / guidelines / requirements –  Transfer liability in the event of a breach

•  Cyber insurance companies to attempt to set guidelines for data security –  Penetrate the smaller business market –  Must come up with a good actuary model based on standardized mitigation requirements

24



SSL More of a Problem than a Solution? 4

25


Subversion of Free SSL Certificates for Malware

26


Subversion of Free SSL Certificates for Malware

•  Easier to encrypt C&C communications •  Fast flux DNS can now be used in conjunction with SSL •  More certificates for more organizations = more opportunity for theft

–  More opportunity for impersonation and code signing

•  Free SSL certificates can significantly lower the cost of signed malware –  Combined with automation will help them remain undetected

27


What (else) Could Possibly Go Wrong?

•  eDellRoot •  Logjam •  Schannel TLS Triple Handshake

Vulnerability - CVE-2015-6112 –  Add “Extended Master Secret”

•  Bar Mitzvah attack –  RC4 under SSL is REALLY broken

•  SSL Pinning –  Would invalidate NG Firewalls?

28


A Note on HTTP/2

•  Major complex revision of HTTP protocol –  Keep semantics but replace everything under the hood

•  Intended for use over TLS –  This part was not mandated by RFC but dictated by major browser vendors

•  Inconsistency between SPDY and HTTP/2 in the use of TLS extensions •  New implementations that are not even based on the SPDY prototypes •  Across all major servers and browsers

29


Our Predictions

•  Continuous growth in SSL implementation and design vulnerability flow •  Increase in SSL usage and changes to CA infrastructure will benefit attackers

–  More attacks go undetected over network (SSL certificates) –  More attacks go undetected inside end stations (code signing certificates)

•  New HTTP/2 vulnerability flow –  We already have some in our lab

•  It’s going to be much worst before it becomes better –  The foundation for secure traffic over the Internet must go through a drastic simplification

process

30



Ransomware/Blackmail – Flourishing Business

5

31


Ransomware Business on Personal Devices

32


Ransomware Business on Personal Devices

33

•  CryptoWall 4.0 – enhanced and harder to detect •  Once data is encrypted, unfortunately, not many options

–  Standard modern encryption used in the proper way (i.e. cannot be broken) –  Reformat and restore from backup

•  Authorities set the right atmosphere –  “To be honest, we often advise people just to pay the ransom.” – Assistant Special Agent

in Charge of the FBI’s CYBER and Counterintelligence Program –  The success of the ransomware ends up benefitting victims (same as above) –  Ransoms are low. And most ransomware scammers are good to their word (guess who…)

•  Criminals are netting an estimated $150 million a year through these scams (FBI)


Ransom/Blackmail on Enterprises

34


DDoS as a Service

35


DDoS as a Service

•  Ransoms with threats of DDoS Attacks •  Based on low end DDoS as a Service Providers •  Simple execution

–  Go online –  Purchase a monthly package –  Launch short attacks –  Send email –  Collect money

36


Our Predictions

•  Unless authorities step in this is going to grow •  May spill into the ICS / SCADA domain •  Some gangs may choose to go after bigger prey

37


Summary 6

38


Our 2016 Predictions

•  IoT will start taking its toll on enterprises and individuals –  Botnet of things –  Credential theft through insecure devices

•  Rise of insider threat –  Dramatic growth in successful attacks of insider nature –  Due to increased attack rate and lower detection rates

•  Attackers go down the food chain –  Increased attacks on smaller companies –  Increased liability will drive data security needs

39


Our 2016 Predictions (cont.)

•  Continuous decay in security value of SSL –  Coupled with new opportunities for attackers to abuse growing use of SSL –  HTTP/2 vulnerability flow

•  Ransom/Blackmail as a business model –  Fast growth business –  May affect larger organizations and other domains (ICS / SCADA)

40


Recommendations

•  Cyber space is not going to become more secure this year •  Enterprises must continue to invest in securing themselves, this goes down to

the smaller enterprises as well •  Attackers are after data. This is where enterprises should invest their efforts of

protection •  Once inside the organization attackers are not “attacking” but rather “abusing”.

Look for solutions that detect abuse rather than attack •  Look for security as an overlay solution

–  Databases cannot defend themselves –  Applications are not self defending –  Networks cannot be defended against DDoS from inside the network

41