Top Cyber Security Trends for 2016
Amichai Shulman, CTO, Imperva
December 16, 2015
© 2015 Imperva, Inc. All rights reserved.
Amichai Shulman – CTO, Imperva
• Speaker at industry events – RSA, Appsec, Info Security UK, Black Hat
• Lecturer on information security – Technion - Israel Institute of Technology
• Former security consultant to banks and financial services firms
• Leads the Imperva Application Defense Center (ADC)
  – Discovered over 20 commercial application vulnerabilities
  – Credited by Oracle, MSSQL, IBM and others
Amichai Shulman one of InfoWorld’s “Top 25 CTOs”
Agenda
• Introduction
• 2015 Forecast Score Card
• 2016 Cyber Security Trends
• Summary and Conclusion
• Q&A
2015 Score Card
#  Trend                                     Score
1  Targeted attacks change their nature      A
2  Patching is going to become impossible    A-
3  DDoS is growing at the Internet rate      A
4  SSL is at a tipping point                 A-
2016 Cyber Security Trend #1:
IoT / BoT - Botnet of Things
BoT - Botnet of Things
Hacking the Fridge
Asking the Right Question
• Can someone hack my toaster?
• Can my network be attacked with a shoe?
The Internet of Things
A dramatic increase in networked devices leads to more opportunities for ATTACK
BoT - Botnet of Things
• Connected IoT devices will never have “adequate” security
  – Device take over
  – Credential theft
• Botnets can grow larger undetected
  – More opportunity – easier to form larger botnets
  – More DDoS as a Service opportunity
• Possible increase in exposure from insiders
  – BYOD on steroids
  – Watch, wearables and others not as secure
  – More compromised devices in the vicinity of enterprise networks
Our Prediction
• More people talking about the wrong problems
• More “IoT” based botnets
• More incidents to link personal credentials with IoT breaches
• Highly sensitive companies starting to feel the pressure (not until the end of the year)
2016 Cyber Security Trend #2:
Rise of Insider Threat
Rise of Insider Threat
Globally 89% of respondents felt that their organization was now more at risk from an insider attack – Vormetric 2015
“55% of the Incidents from Internal Actors due to Privilege Abuse” -Verizon DBIR 2015
Malicious Careless Compromised
Outside In
• Personal attack surface is growing
  – Social, mobile, IoE
  – We are extremely exposed and extremely vulnerable
• Engaged employees are a double-edged sword
  – Mix work and personal life
  – Most infections happen during office hours, 20% of infected machines attributed to enterprise networks
• End stations are increasingly vulnerable
  – Tracking the number of patched vulnerabilities in end point components suggests a growing backlog with a constant fixing capacity
Inside Out
• Shadow IT
  – Unmanaged Database servers
  – Partly commissioned SaaS applications
• More employees and more collaboration
  – Barriers are taken down
• Shared data repositories with trusted partners
• Sensitive data is everywhere
  – Cloud applications provide direct access without IT control
  – Big data lakes
  – 1000s of “traditional” databases
Our Predictions
• Decrease in detection rates
  – Most solutions look for the tools and not the attack
  – Attackers have all the infrastructure in place to evade ANY solution that takes the above approach
• Increase in absolute number of attacks of internal nature
• Large increase in total number and percentage of incidents of internal nature
2016 Cyber Security Trend #3:
Data Security for the Big and Small
Big Breaches = Big Price Tag
• Cost of data breach is higher than anticipated
  – Target’s gross breach expenses totaled $252 million; insurance compensation brought that down to $162 million
  – Home Depot expects $100 million in insurance payments toward $232 million in expenses from its 2014 breach
  – Anthem breach expected to cost more than $100 million
Big Breaches Start Small
• Target breach started with a compromised HVAC company
• T-Mobile customer data breached through Experian
• JPMC customer data breached after an affiliate was breached
• Lockheed Martin breach through RSA
Smaller Companies are Targets
• While sophisticated, targeted attacks do exist, they are a negligible minority
• 80% of infections stem from massive email campaigns
• Smaller organizations are infected and compromised as much as larger ones (or even more)
• Attackers are aware of 3rd party relationships between large targets and smaller service providers
• Transfer of liabilities may prove to be devastating for a smaller 3rd party
Cyber Insurance is Not a Silver Bullet
• Big breaches leave some of the costs uncovered
• Insurance claims result in higher policy costs in the future
  – “Health insurers who suffered hacks are facing the most extreme increases, with some premiums tripling at renewal time” - Bob Wice, a leader of Beazley Plc's cyber insurance practice
• Policy cost is detrimental for smaller business
  – Insurers are not proficient yet in assessing the risks
  – May consider making coverage conditional on a full and frequent assessment of policyholder vulnerabilities (PwC Research)
  – Especially true for 3rd party liabilities
Our Predictions
• Continuing on our previous prediction – smaller organizations are going to continue falling prey in larger numbers
• Expect more breaches to be attributed to 3rd party negligence
• Big enterprises to start paying attention to security posture of 3rd parties
  – Set up standards / guidelines / requirements
  – Transfer liability in the event of a breach
• Cyber insurance companies to attempt to set guidelines for data security
  – Penetrate the smaller business market
  – Must come up with a good actuarial model based on standardized mitigation requirements
2016 Cyber Security Trend #4:
SSL More of a Problem than a Solution?
Subversion of Free SSL Certificates for Malware
• Easier to encrypt C&C communications
• Fast flux DNS can now be used in conjunction with SSL
• More certificates for more organizations = more opportunity for theft
  – More opportunity for impersonation and code signing
• Free SSL certificates can significantly lower the cost of signed malware
  – Combined with automation will help them remain undetected
What (else) Could Possibly Go Wrong?
• eDellRoot
• Logjam
• Schannel TLS Triple Handshake Vulnerability - CVE-2015-6112
  – Add “Extended Master Secret”
• Bar Mitzvah attack
  – RC4 under SSL is REALLY broken
• SSL Pinning
  – Would invalidate NG Firewalls?
A Note on HTTP/2
• Major complex revision of HTTP protocol
  – Keep semantics but replace everything under the hood
• Intended for use over TLS
  – This part was not mandated by RFC but dictated by major browser vendors
• Inconsistency between SPDY and HTTP/2 in the use of TLS extensions
• New implementations that are not even based on the SPDY prototypes
• Across all major servers and browsers
Our Predictions
• Continuous growth in SSL implementation and design vulnerability flow
• Increase in SSL usage and changes to CA infrastructure will benefit attackers
  – More attacks go undetected over network (SSL certificates)
  – More attacks go undetected inside end stations (code signing certificates)
• New HTTP/2 vulnerability flow
  – We already have some in our lab
• It’s going to be much worse before it becomes better
  – The foundation for secure traffic over the Internet must go through a drastic simplification process
2016 Cyber Security Trend #5:
Ransomware/Blackmail – Flourishing Business
Ransomware Business on Personal Devices
• CryptoWall 4.0 – enhanced and harder to detect
• Once data is encrypted, unfortunately, not many options
  – Standard modern encryption used in the proper way (i.e. cannot be broken)
  – Reformat and restore from backup
• Authorities set the right atmosphere
  – “To be honest, we often advise people just to pay the ransom.” – Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program
  – The success of the ransomware ends up benefitting victims (same as above)
  – Ransoms are low. And most ransomware scammers are good to their word (guess who…)
• Criminals are netting an estimated $150 million a year through these scams (FBI)
Ransom/Blackmail on Enterprises
DDoS as a Service
• Ransoms with threats of DDoS Attacks
• Based on low end DDoS as a Service Providers
• Simple execution
  – Go online
  – Purchase a monthly package
  – Launch short attacks
  – Send email
  – Collect money
Our Predictions
• Unless authorities step in this is going to grow
• May spill into the ICS / SCADA domain
• Some gangs may choose to go after bigger prey
Summary
Our 2016 Predictions
• IoT will start taking its toll on enterprises and individuals
  – Botnet of things
  – Credential theft through insecure devices
• Rise of insider threat
  – Dramatic growth in successful attacks of insider nature
  – Due to increased attack rate and lower detection rates
• Attackers go down the food chain
  – Increased attacks on smaller companies
  – Increased liability will drive data security needs
Our 2016 Predictions (cont.)
• Continuous decay in security value of SSL
  – Coupled with new opportunities for attackers to abuse growing use of SSL
  – HTTP/2 vulnerability flow
• Ransom/Blackmail as a business model
  – Fast growth business
  – May affect larger organizations and other domains (ICS / SCADA)
Recommendations
• Cyber space is not going to become more secure this year
• Enterprises must continue to invest in securing themselves, this goes down to the smaller enterprises as well
• Attackers are after data. This is where enterprises should invest their efforts of protection
• Once inside the organization attackers are not “attacking” but rather “abusing”. Look for solutions that detect abuse rather than attack
• Look for security as an overlay solution
  – Databases cannot defend themselves
  – Applications are not self defending
  – Networks cannot be defended against DDoS from inside the network