
INFORMATION SECURITY
ESSENTIAL GUIDE TO
Threat MANAGEMENT

There's a bull's eye on your organization's back. Attackers want your customer data and intellectual property, and they're going to extreme measures to target your people and network. Are you ready?

INSIDE
8 Become a Hunter
16 SCADA Insecurity
25 What APT Is (And What It Isn't)
32 Under Attack
44 Enterprise Protection for Web Add-Ons

INFOSECURITYMAG.COM

CONTENTS

FEATURES

8 TARGETED ATTACKS
Become a Hunter
Fend off modern computer attacks by turning your incident response team into counter-threat operations. BY RICHARD BEJTLICH

16 CRITICAL INFRASTRUCTURE PROTECTION
SCADA Insecurity
Stuxnet put the spotlight on critical infrastructure protection, but will efforts to improve it come too late? BY GEORGE V. HULME

25 ADVANCED PERSISTENT THREAT
What APT Is (And What It Isn't)
Think you know all you need to know about the advanced persistent threat? We'll define APT and dispel a few myths. BY RICHARD BEJTLICH

32 BANKING MALWARE
Under Attack
Cybercriminals are using increasingly stealthy and sophisticated malware to hijack online business banking accounts. BY MARCIA SAVAGE

44 WEB 2.0 WIDGETS
Enterprise Protection for Web Add-Ons
Mini Web applications are complicating security for business owners. BY NICK LEWIS

ALSO

5 EDITOR'S DESK
Cyberspace Has Gone Offensive
Stuxnet opened a whole new avenue of offensive capabilities in cyberspace. BY MICHAEL S. MIMOSO

49 SPONSOR RESOURCES

INFORMATION SECURITY ESSENTIAL GUIDE: THREAT MANAGEMENT

EDITOR'S DESK

Cyberspace Has Gone Offensive

Stuxnet opened a whole new avenue of attack capabilities in cyberspace. BY MICHAEL S. MIMOSO

TWO YEARS AGO, several prominent cybersecurity voices, including Paul Kurtz and Melissa Hathaway, chose very public forums to talk about the need for offensive weapons in cyberspace. At Black Hat DC in January 2009, Kurtz implied the United States should think about militarizing cyberspace and the importance of linking intelligence from the armed forces, law intelligence and security researchers to combat attacks against critical infrastructure and the financial industry. His notion was seconded by Hathaway later that year in a paper for the Atlantic Council, where she added that regulatory support and pressure from the SEC, FCC and FTC must flank any offensive strategies. Finally, Alan Paller, who runs the SANS Institute, said that the U.S. must turn to experts who understand offensive cybersecurity weaponry and attacks, such as the National Security Agency's red teams.

"There has to be a shift from those who write policy, to those who understand attacks. Offense must inform defense," Paller said. "From my perspective, the most critical thing to do is to make sure we stop the bleeding and get serious about international standards and change federal policies so agencies can't get away with just writing reports."

All the while, Stuxnet was happening. According to a detailed article in the New York Times in late January, President Bush approved a project to attack the computer systems at a uranium enrichment center in Iran. The ultimate goal was to delay or destroy Iran's ability to build nuclear weapons. The end result was Stuxnet, a worm that by all accounts put a five-year dent in Iran's hopes of joining the nuclear arms race. A major campaign was carried out and won, and nary a shot was fired.

Whether Stuxnet ultimately was a joint Israel-U.S. initiative, as suggested by the Times article, the question still hovers whether a covert action like this is the way to go. Kurtz and others have called for transparency and ultimately Congressional oversight of offensive weapons by the U.S. in cyberspace.

"We must begin by addressing the issue of attribution. We need to be able to fuse intelligence with private sector information to determine where attacks come from," Kurtz said. "If you link what we know in the private sector with the intelligence community, you can come out with a declaratory policy that says we will look to connect the dots and fuse information through all the capabilities we have to better understand who is attacking the networks. That's the beginning of a deterrent policy."

That, however, isn't happening. Right now the U.S. and Israel are backing off official ties to Stuxnet, and won't even say the worm's name in public. That's because the ground rules haven't been set for such activities in cyberspace. This goes beyond cyberespionage, as was carried out in the Aurora attacks that introduced the advanced persistent threat (APT) acronym into our lexicon. These were the equivalent of precision fighter jet attacks on Iranian facilities. These were the ultimate targeted attacks, with malware pointed at process control systems manufactured by Siemens that the U.S. knew the Iranians were using in their uranium enrichment centers. As early as 2008, Department of Homeland Security experts, in conjunction with Idaho National Laboratories, were taking apart the Siemens machines looking for vulnerabilities, the Times article reports. Stuxnet, according to the article, not only damaged the plant's nuclear centrifuge systems, but did so while disguising the damage; to the plant's operators, all systems were functioning normally while irreparable damage was happening behind the curtain of Stuxnet.

Michael Assante, president and CEO at the National Board of Information Security Examiners, and former vice president and chief security officer at NERC and critical infrastructure protection strategist at Idaho National Lab, told SearchSecurity.com that Stuxnet was the cyberspace equivalent of the B-2 bomber.

"The code was designed to be very modular, so that its attack payload could be changed to be able to attack different systems," Assante said. "It's clear to me that the resources available to the authors of the worm were substantial. They designed it with high confidence that the warhead would do exactly what it was designed to do. That takes skill and resources."

Stuxnet takes us into a whole new ballgame of offensive capabilities in cyberspace. Stuxnet did its job to an extent and opened a new battlefield in cyberspace. We have our offensive weapons, it would appear. And now we're just as vulnerable to a similar attack using another Stuxnet-like worm. What happens next is anyone's guess, but it will be interesting to see whether U.S. lawmakers will have the foresight to talk openly about offensive weapons in cyberspace in the proper context and not be reluctant to take this one seriously.

Michael S. Mimoso is Editorial Director of the Security Media Group at TechTarget. Send comments on this column to feedback@infosecuritymag.com.


TARGETED ATTACKS

Become a Hunter

Fend off modern computer attacks by turning your incident response team into counter-threat operations.
BY RICHARD BEJTLICH


IT'S NATURAL FOR members of a technology-centric industry to see technology as the solution to security problems. In a field dominated by engineers, one can often perceive engineering methods as the answer to threats that try to steal, manipulate, or degrade information resources. Unfortunately, threats do not behave like forces of nature. No equation can govern a threat's behavior, and threats routinely innovate in order to evade and disrupt defensive measures. Security and IT managers are slowly realizing that technology-centric defense is too easily defeated by threats of all types. Some modern defensive tools and techniques are effective against a subset of threats, but security pros in the trenches consider the "self-defending network" concept to be marketing at best and counter-productive at worst. If technology and engineering aren't the answer to security's woes, then what is?


To best counter targeted attacks, one must conduct counter-threat operations (CTOps). In other words, defenders must actively hunt intruders in their enterprise. These intruders can take the form of external threats who maintain persistence or internal threats who abuse their privileges. Rather than hoping defenses will repel invaders, or that breaches will be caught by passive alerting mechanisms, CTOps practitioners recognize that defeating intruders requires actively detecting and responding to them. CTOps experts then feed the lessons learned from finding and removing attackers into the software development lifecycle (SDL) and configuration and IT management processes to reduce the likelihood of future incidents.

CTOps certainly requires application of engineering and technology, but the focus remains on people. People who know how to detect and respond to intrusions are the key to fighting modern threats. We will define what those people should do, as well as how you can ensure your security staff is meeting the challenge posed by modern threats.

An emphasis on CTOps should not come at the expense of measures that try to remove vulnerabilities from the enterprise. Efforts to improve software security through better coding, improved configuration, and sound business logic are the preferred way to build a sound foundation for enterprise computing. CTOps practitioners are usually very supportive of efforts to rid the enterprise of weak applications, because being a hard target frustrates intruders and reduces the overall number of intrusions that defenders must detect and handle. Therefore, CTOps encourages software security efforts that build security into applications.


JUSTIFYING COUNTER-THREAT OPERATIONS

What does it mean to conduct CTOps? I recommend either building or repositioning the enterprise computer incident response team (CIRT) as the home for CTOps. If the organization lacks a CIRT, or the CIRT doesn't currently conduct CTOps, the first requirement is convincing management that CTOps is necessary. No single argument for conducting CTOps or building a CIRT will likely resonate with management. Rather than relying on a single argument, CIRT builders may find one or more of the following 13 Cs to be helpful. Incorporating these justifications into a discussion may help convince those who have budgetary and organizational authority to facilitate construction of a CTOps-capable CIRT.

1. Crisis. When the enterprise suffers a devastating security incident, managers are usually ready to take action. Although this is the worst way to justify a program because it comes after an incident, it is often very effective.

2. Compliance. Compliance requirements may contain the language necessary to construct a team. Beware applying resources in such a manner that the original CTOps mission is lost. For example, creating a team that does nothing more than monitor for configuration changes will not result in finding advanced or even moderately skilled intruders.

3. Competitiveness. My blog post "Forget ROI and Risk. Consider Competitive Advantage" explains that preserving or enhancing competitive advantage often resonates with business people. Few people responsible for a profit and loss operation in an organization want to lose the game. If these decision makers can frame perception of security in terms of competition, they may understand the importance of CTOps and CIRTs.

4. Comparison. If your security team is 10 percent the size of the average peer organization's, it's not going to look good when you have a breach and have to justify your decisions. The blame for under-resourcing the CIRT will likely rest with the manager to whom the CIRT reports, so convince him or her to fund the operation to deflect possible future criticism.

5. Cost. It's likely that breaches are more expensive than defensive measures, but this can be difficult to capture empirically. In regulated industries one may be able to estimate the fines that could be levied against a breach victim, and the costs of funding credit monitoring services and associated legal and human resource expenses. For example, the U.S. Department of Defense recovered $1.3 million of a $5.4 million Pentagon contract from Apptis Inc. Investigators claimed Apptis provided inadequate computer security due to a breach in a subcontractor's system. ("Contractor Returns Money to Pentagon," Washington Times, July 25, 2009.)

6. Customers. It seems rare to find customers abandoning a company after a breach; people still shop at TJX brands. Still, you may find traction here. Compliance is supposed to protect customers, but it often is insufficient.

7. Constituents. I use this term to apply to internal parties served by a central CIRT. Large companies often provide services to other business units, so a cross-company constituency may ask for help fighting intruders.

8. Controllership. A well-governed organization can often point to a centralized counter-threat center of excellence, such as a CTOps-practicing CIRT.

9. Conservation. This is a play on green IT. What has a lower carbon footprint: 1) flying consultants all over the world to handle incidents, or 2) handling them remotely by moving data, not people? A properly resourced and equipped CIRT can rely on instrumentation that accesses data needed to analyze intrusions, rather than sending people into the field to fight fires. See my blog post "Green IT" for more details.

10. Consolidation or Centralization. These themes are likely to enable specialization, more effective internal resource allocation, and improved defenses.

11. Confidence. Confidence applies to all parties involved. Can you trust your data?

12. Counting. Developing metrics is crucial for justifying a CIRT's role. Managers often want to know how regularly the enterprise suffers compromises, and how quickly the CIRT can detect and respond to intrusions.

13. [Securities and Exchange] Commission. A growing number of public security voices (for example, Melissa Hathaway) advocate disclosing significant security breaches in the 10-K forms required of publicly traded companies by the SEC. Many companies already report serious intrusions, as noted in my blog post "Publicly Traded Companies Read This Blog."

SIZING AND ORGANIZING THE CIRT


Once management believes a CIRT is necessary to conduct CTOps, the next questions involve the size of the CIRT and its structure. In order to help answer this question, I polled 12 organizations with employee counts in the low thousands to the mid hundreds of thousands. I asked each organization to count the number of people they employed to detect and respond to intrusions. Based on this survey, I determined that the average number of detection and response roles for these 12 organizations was five per 10,000 employees. In other words, if your company consists of 60,000 employees, you would likely have a CIRT with 30 people. This 5 per 10,000 standard may sound fanciful to many readers, but consider the sorts of roles one must fulfill to be able to truly combat threats to the modern enterprise.

The last CIRT that I built consisted of the following three teams:

The Incident Response Center (IRC), responsible for the daily incident detection and response mission.

The Security Assurance Team (SAT), responsible for Threat Intelligence and Reporting, Red Team engagements, and Technical Assistance (i.e., internal consulting).

The Support Group, responsible for designing, building, and running infrastructure used by the IRC and SAT.

Within each CIRT sub-team, I divide responsibilities by skill level. All of these roles and experience levels will likely vary depending on the nature of the organization hosting the CIRT.

The IRC consists of these team members:

Incident handlers are subject matter experts (8-12 years of technical experience) who use unstructured analysis tools and techniques to detect and respond to the most advanced or complicated threats.

Incident analysts (4-8 years of technical experience) are developing as subject matter experts; they work with incident handlers to learn how to deal with advanced threats, but they also mentor event analysts.

Event analysts (2-4 years of technical experience) are beginning their incident detection careers; they use structured analysis tools and techniques to detect and respond to well-understood threats.

Five Reasons CIRTs Should Join FIRST

FIRST is the Forum of Incident Response and Security Teams, an international organization with more than 200 members. Here's why your organization's CIRT should join:

1] Professional incident responders tend to be FIRST members. FIRST membership is similar to certification, but it's not the result of passing a test. Rather, FIRST membership is an ongoing, dynamic relationship that demonstrates a certain level of maturity for each organization.

2] The FIRST membership application process may help justify some CIRT initiatives. For example, FIRST membership may help make the case for a separate, isolated malware analysis network and environment.

3] Applying for FIRST membership compels CIRTs to document a variety of processes. For example, FIRST requires applicants to document how they handle sensitive information from third parties. Following the application process brings a certain degree of rigor and clarity to CTOps work.

4] FIRST membership is sometimes a differentiating factor when recruiting talent.

5] FIRST members share operational practices and information through mailing lists and conferences.

RICHARD BEJTLICH
The SAT consists of these team members:

Principal analysts are subject matter experts (8-12 years of experience) who understand and conduct advanced counter-intelligence work, fully simulate adversary activity, and/or lead complicated security consulting projects.

Senior analysts (4-8 years of technical experience) are developing as subject matter experts; they work with principal analysts on larger projects while mentoring analysts.

Analysts (2-4 years of technical experience) demonstrate aptitude in security assurance, but are learning how to offer these services.

The Support Team consists of these team members:

Developers write software and tools to help the IRC and SAT detect and respond to intruders.

Architects design systems and lead major projects in conjunction with Engineers who implement tools and techniques.

Administrators care for the systems used by the IRC and SAT, as well as infrastructure enabling the support team mission.

I did not provide estimates of experience for each role in the support team, because system administrators could have 20 years of maintaining infrastructure under their belt, whereas a very effective architect might only have 8 or 10 years of experience. I recommend a person lead each of these three teams, with a single CIRT leader working as director of incident response. The director of IR should name one of the three team leaders as his or her deputy.

Six Steps to Take Now

1] Create a team logo.

2] Create a team name.

3] Be a leader, not a manager. Read my post "Everything I Need to Know About Leadership I Learned as a Patrol Leader."

4] If you are not making progress on executing your vision within a year, or you encounter inordinate resistance, consider another role.

5] Create documents justifying your team and have them ready when management asks.

6] Use time-based metrics to explain workload. For example, if it takes two weeks for your analysts to review indicators, and that figure continues to increase, use that metric to justify additional hires. It's similar to a manufacturing situation, except the output is incident reporting.

RICHARD BEJTLICH


SOCs vs CIRTs

At this point, it may sound like we are describing a security operations center (SOC). To a certain extent the work of a SOC is pertinent to CTOps. SOC work tends to imply a more routine workflow whereby security devices generate alerts for generally well known or recognizable security violations. Analysts interpret the alerts, generate reports, and notify their constituencies. All of this work is necessary, but it is not sufficient to combat modern threats. SOC work tends to be somewhat passive, structured, and often not very creative. In addition to performing SOC work, CTOps requires more active, unstructured, and creative thoughts and approaches.

One way to characterize this more vigorous approach to detecting and responding to threats is the term "hunting." In the mid-2000s, the Air Force popularized the term "hunter-killer" for missions whereby teams of security experts performed friendly force projection on their networks. They combed through data from systems and in some cases occupied the systems themselves in order to find advanced threats. The concept of hunting (without the slightly more aggressive term "killing") is now gaining ground in the civilian world.

If the SOC is characterized by a group that reviews alerts for signs of intruder action, the CIRT is recognized by the likelihood that senior analysts are taking junior analysts on hunting trips. A senior investigator who has discovered a novel or clever way to possibly detect intruders guides one or more junior analysts through data and systems looking for signs of the enemy. Upon validating the technique (and responding to any enemy actions), the hunting team should work to incorporate the new detection method into the repeatable processes used by SOC-type analysts. This idea of developing novel methods, testing them in the wild, and operationalizing them is the key to fighting modern adversaries.

Richard Bejtlich is director of incident response for General Electric, and serves as principal technologist for GE's Global Infrastructure Services division. Send comments on this article to feedback@infosecuritymag.com.


CRITICAL INFRASTRUCTURE PROTECTION

SCADA Insecurity

STUXNET PUT THE SPOTLIGHT ON CRITICAL INFRASTRUCTURE PROTECTION, BUT WILL EFFORTS TO IMPROVE IT COME TOO LATE?
BY GEORGE V. HULME


MARK WEATHERFORD will likely not forget the week of July 12, 2010. He'd just started his job as vice president and chief security officer at the North American Electric Reliability Corporation (NERC) that week. And as chance would have it, security researchers had recently announced the discovery of Stuxnet, one of the most advanced worms on record and widely believed to be targeting Iranian nuclear facilities. With NERC's mission being to ensure the reliability of the North American bulk power system, it was a leap right into the fire for Weatherford. The Windows-based worm, which contained a programmable logic controller (PLC) rootkit, is the first known worm that can reprogram industrial systems, and was crafted to breach Supervisory Control And Data Acquisition (SCADA) systems. SCADA systems are often used to control and monitor industrial processes, including those that help to manage power grids.


Immediately, Weatherford put into place a Malware Tiger Team that could be leveraged to help NERC ensure that the information about Stuxnet that was shared among facilities was accurate and useful. The team was comprised of malware experts and representatives from a number of federal agencies. Once the initial commotion over Stuxnet subsided, the team's role faded, but not its ability to reconvene quickly should another threat against the power generation and distribution system materialize. While the hope is that such a need never arises, the probabilities point to someday in the future when the Tiger Team is called back to work.

The extremely sophisticated Stuxnet worm highlighted the vulnerability of the critical infrastructure the world relies on, and security experts worry it could be a harbinger of future attacks. That's especially true as nation-states increasingly invest in their offensive cyberattack capabilities. Just as concerning as the threat, experts say, is that efforts to secure the SCADA systems used to manage many of the critical systems for controlling electricity, water delivery and other essential services have been lax. The federal government and industry groups are taking steps to secure the grid and the SCADA systems that support it, but many worry time is running out before a significant attack hits.


RISING THREATS

There's no question that concern over critical infrastructure security is growing. Consider the findings in a report released last year by the Center for Strategic and International Studies (CSIS), and funded by security firm McAfee, "In the Crossfire: Critical Infrastructure in the Age of Cyberwar." Based on a survey of 600 IT security managers from critical infrastructure organizations, the report found that 37 percent believed the vulnerability of the sector they worked in increased over the year prior, and two-fifths expect a significant security incident in their sector in the next year. Only one-fifth of respondents to the survey believe their sector to be safe from serious cyberattack in the next five years.

While there was no devastating attack that hit the IT systems that support the North American critical infrastructure, 2010 will nonetheless go down as a decisive year for malware and digital attacks. Cybercriminals (who themselves edged out the hacker-hobbyist years ago) took a backseat to the state-sponsored attacker. These attackers are well trained, well-funded, and professional. They pose perhaps the greatest threat we've yet to see face the critical infrastructure. In fact, the CSIS survey found 60 percent of those surveyed believe foreign governments have been involved in past infrastructure infiltrations.

Researchers at Moscow, Russia-based Kaspersky Lab, where two of the four zero-day vulnerabilities the Stuxnet worm exploited were identified, reported that Stuxnet's mission was to infiltrate a specific industrial control system that both monitors and controls industrial, infrastructure, and many on-site processes. It certainly wasn't considered an amateur job. "The inside knowledge of SCADA technology, the sophistication of the multi-layered attack, the use of multiple zero-day vulnerabilities and legitimate certificates bring us to an understanding that Stuxnet was created by a team of extremely skilled professionals who possessed vast resources and financial support," the company said in a bulletin.

"I view Stuxnet as a weapons delivery system, like the B-2 bomber," says Michael Assante, president and CEO at the National Board of Information Security Examiners, and former vice president and chief security officer at NERC and critical infrastructure protection strategist at Idaho National Lab. "The code was designed to be very modular, so that its attack payload could be changed to be able to attack different systems. It's clear to me that the resources available to the authors of the worm were substantial. They designed it with high confidence that the warhead would do exactly what it was designed to do," Assante says. "That takes skill and resources."

That combination of well-heeled attackers and sophisticated malware means the stakes are much higher today than a few years ago when it comes to securing the critical infrastructure. This rise in the capabilities of cyber adversaries should be of concern to everyone. Civilization is dependent on the critical systems that control electricity, finances, communications, water delivery, food distribution, and manufacturing. And the management of many of those systems is largely dependent on SCADA systems. Years ago, however, when these SCADA systems were first developed, they weren't designed to be resilient to today's security threats, nor for heavy reliance on common, commercially available software applications and operating systems, or for communications over public networks such as the Internet.

IGNORING THE RISKS

As SCADA systems have become increasingly networked, many believe that the industry and the federal government have not taken strong enough steps to ensure these systems are secure. "The industries that ignored cyber security, regardless of what the government said, are still doing just that," says Alan Paller, director of research at the SANS Institute. "It's a fundamental market failure. The industry said it would take care of things, and it didn't do the job it said it would do."

Others agree. "As long as there have not been any attacks [on their critical systems], it's hard for [insiders] to argue to make something more secure," says Richard Stiennon, chief research analyst at IT Harvest and author of Surviving Cyberwar. "'There were no attacks last year, and there probably won't be attacks next year. So we're not spending on security because you say we should,' is the typical response security professionals hear from their management," Stiennon says.

"Following Stuxnet, one would think that there would have been a surge of activity to protect the grid, but there wasn't," Paller says.

That apathy extends to the developers of industrial control systems, others say. "There is this climate where everyone understands the potential for mischief, but no one is talking openly about it. And the people who are finding vulnerabilities in SCADA systems and report them to the vendors find themselves in an adversarial situation," says Shawn Moyer, principal consultant at FishNet Security, who co-presented a session on "Wardriving the Smart Grid" at Black Hat 2010. "What is going on in this industry today seems a lot like what was going on in the IT industry in the late 1990s when most software companies simply ignored security."

"When it comes to SCADA vendors, we are really early in the maturity curve," agrees Assante. For instance, he says, while security administrators at critical infrastructure organizations would like to know how best to harden those systems, the vendors don't always provide the necessary documentation that explains how to do so. The vendors understand that security matters, and they're starting to work security into their development processes. Generally, however, their security engineers probably aren't part of the development teams, he says. "Security is not built into their processes." Over the next couple of years, critical infrastructure vendors are going to have to more tightly integrate security into their design and product support initiatives, he says.

REGULATIONS IN THE WORKS



The federal government and industry groups aren't standing still when it comes to securing the grid and SCADA-dependent systems, and they're helping guide the way to more secure and sustainable power systems. Last June, the Department of Homeland Security (DHS) released its Catalog of Control Systems Security Recommendations for Standards Developers, which aims to help facilitate the creation of security standards for SCADA, process control, distributed control, and other critical infrastructure systems. The standards help detail everything from how such industries can screen personnel to establishing physical security and setting secure configuration management guidelines.

NERC, for its part, maintains security standards and guidance for roughly 2,000 public and private firms involved in electricity production and distribution in North America. NERC's Critical Infrastructure Protection (CIP) regulations were designed to help ensure the reliability of bulk power generation and delivery. NERC CIP regulations comprise eight mandatory requirements that establish the minimum acceptable level of risk, and include security log collection and analysis, access control, reporting, and intrusion detection/prevention systems, among others. "The standards have only been auditable for a couple of years, and we are light years improved from where we were a few years ago," says Weatherford. "Are we where we need to be? No. But neither was PCI DSS when it first came out. Today, PCI DSS is a fairly good standard."

Weatherford has a number of areas where he'd like to see improvement. For instance, he would like the CIP standards to move more rapidly and possibly be augmented with more agile ways for covered organizations to manage their risk. "It takes years for these standards to be agreed upon. That's way too long for cybersecurity," he says. Additionally, Weatherford says that a more dynamic risk management framework that can be used in conjunction with the CIP standards would help facilities more intelligently manage risk. Just as all systems are not equally critical, the risk postures of different plants are not the same and can't be managed the same way, he says. "We've just begun work on developing a more agile way for organizations to leverage the CIP standards."

Assante also agrees that critical infrastructure regulations should be risk based and more agile to help better prepare critical infrastructures and the security teams that protect them. "Legislation should include the need for more sharply defined federal authority to address specific and imminent cyber security threats to critical infrastructures in the form of emergency measures," Assante said in a hearing before the Senate Committee on Homeland Security and Governmental Affairs in November.

CASE STUDY: POWERING UP SECURITY

Utility company implements network encryptors to protect SCADA data and meet NERC requirements.

WITH A HUGE POWER PLANT built back in the 1940s that covers a lot of square footage, the North American Energy Alliance faced a compliance challenge. North American Electric Reliability Corporation (NERC) standards require that wiring between physical security perimeters be enclosed in conduit or the data must be encrypted. For the NAEA, that would have meant a lot of conduit, so it opted to encrypt, says Dominick Birolin, network engineer at NAEA. The company, which is based in Iselin, N.J., and owns a portfolio of 1,755 megawatts of electricity-producing power stations in the Northeast, looked at a variety of encryption options, including point-to-point IPsec tunnels. But it determined that IPsec tunnels would result in latency problems, Birolin says. NAEA ultimately chose network encryptors from CipherOptics (now Certes Networks) for securing its SCADA information. CipherEngine Enforcement Points from CipherOptics are FIPS 140-2 Level 2 validated encryption appliances. "With CipherOptics, the latency was in microseconds as opposed to milliseconds. That was a big advantage, especially for SCADA systems," Birolin says. The technology helps NAEA meet its compliance obligations, but data encryption is an overall good practice, he says.

MARCIA SAVAGE

IMPROVING SECURITY OPERATIONS


When it comes to critical infrastructure protection, information sharing and collaboration have been urged for years. Last year was the first year the industry has seen real information sharing begin to coalesce. In November, the Department of Homeland Security (DHS) launched a cyber security information sharing center designed to more efficiently share information about cyber threats to the critical infrastructure. Dubbed the Multi-State Information Sharing and Analysis Center (MS-ISAC) Cyber Security Operations Center, it's a 24-hour live watchdog that will, hopefully, provide state and local government officials the same details as those in the federal government. According to DHS, the National Cybersecurity and Communications Integration Center (NCCIC) will head information sharing to the MS-ISAC Operations Center. States are expected to use the MS-ISAC Operations Center to cooperate to enhance IT security defense and response.

The move is just one in a recent flurry of moves by DHS to help bolster information sharing and incident response. DHS also announced that the Information Technology Information Sharing and Analysis Center (IT-ISAC) will embed a full-time analyst and liaison to DHS at the NCCIC. The IT-ISAC consists of information technology representatives from the private sector and facilitates cooperation among members to identify sector-specific vulnerabilities and risk mitigation strategies.

Also, this past fall, to test the nation's ability to withstand an advanced cyberattack, DHS and a number of international security and intelligence agencies engaged in a cyberwar game involving 1,500 security events designed to see how well federal agencies and more than 60 private sector companies in critical infrastructure responded to a cyberattack. Cyber Storm III was used to test the newly developed National Cyber Incident Response Plan (NCIRP), which is the government's current cybersecurity incident response playbook. A report detailing the results of the exercise is expected soon. "Government and industry aren't standing still, but the question is are they doing enough, quickly enough," says IT Harvest's Stiennon.


HELP WANTED
In the future, it may not be budget, technological, or regulatory hurdles that prove the most challenging when securing the critical infrastructure; it could be finding enough skilled security professionals. "It's not that there's a problem finding security superstars; there's a lack of people with basic security skills and knowledge," says Vincent Liu, managing partner at the application security firm Stach and Liu. In its report, "A Human Capital Crisis in Cybersecurity," the CSIS found that there are roughly 1,000 security professionals in the U.S. who have the specialized cybersecurity skills needed to protect the critical infrastructure. The report estimates the nation could need up to 30,000 similarly skilled people to get the job done. "There's no doubt that we need to invest more in the security workforce. We need better training, and regular reassessments of their skill level," Assante says.

NERC's Weatherford agrees: "There are not many qualified, technical, cybersecurity experts that have experience in the power industry." He says it's part of a troubling macro trend affecting the IT industry. "We've been talking about the retirement bubble for a couple years now. We studied the issue when I was CISO at the state of California, and we found so many technical staff eligible for retirement within the next few years that it became obvious that if we didn't train and recruit enough people, we were really going to have a problem," he says.

Having the IT staff needed to keep operations running smoothly is one thing; having enough professionals trained in the still obscure IT security profession is another, and experts warn we are running out of time. "These aren't always highly skilled attackers or sophisticated malware that manage to get through. I've seen traditional worms like Conficker on hardened controllers," says Assante. "My greatest fear is that we are running out of time to learn our lessons." Stuxnet, although difficult for others to hijack or modify, may very well serve as a blueprint for similar but new attacks on control system technology, he adds.

George V. Hulme is a business and technology journalist who often writes about security topics from his home in Minneapolis, Minnesota. Send comments on this article to feedback@infosecuritymag.com.

ADVANCED PERSISTENT THREAT

WHAT APT IS (AND WHAT IT ISN'T)
Think you know all you need to know about the advanced persistent threat? We'll define APT and dispel a few myths. BY RICHARD BEJTLICH

THE TERM advanced persistent threat, or APT, joined the common vocabulary of the information security profession in mid-January 2010, when Google announced its intellectual property had been the victim of a targeted attack originating from China. Google wasn't alone; more than 30 other technology firms, defense contractors and large enterprises had been penetrated by hackers using an array of social engineering, targeted malware and monitoring technologies to quietly access reams of sensitive corporate data. Google's public admission put a high-profile face on targeted attacks and the lengths attackers would go to in order to gain access to proprietary corporate and military information. It also kicked off a spate of vendor marketing that promised counter-APT products and services, which has only served to cloud the issue for security managers and operations people. In this article, we'll define APT, dispel some myths and explain what you can do about this adversary.

WHAT IS THE ADVANCED PERSISTENT THREAT?


The United States Air Force coined the phrase advanced persistent threat in 2006 because teams working within the service needed a way to communicate with counterparts in the unclassified public world. Department of Defense and intelligence community members typically assign classified names to specific threat actors, and use the term "intrusion set" to describe activities by those threat actors. If the USAF wanted to talk about a certain intrusion set with uncleared personnel, they could not use the classified threat actor name. Therefore, the USAF developed the term APT as an unclassified moniker.

It is crucial to this discussion to recognize that APT is a proper noun. APT refers to specific threat actors; APT does not refer to vaguely unknown and shadowy Internet forces. The term is most frequently applied to distinct groups operating from the Asia-Pacific region. Those knowledgeable about APT activities can conduct an honest debate as to whether the term should be used to refer ONLY to certain Asia-Pacific actors, or if it can be expanded as a general classifier. In other words, if adversaries in Eastern Europe operate using the same tools, tactics, and procedures as traditional APT, should these actors also bear the APT label?

The answer to this question depends on the person asking it. An information security practitioner in a private organization will typically not care whether the threat actors attacking an enterprise originate in the Asia-Pacific or Eastern European regions, because the practitioner will likely take the same defensive actions regardless of the location or nationality of the adversary. However, someone with the legal and/or national security authority to apply diplomatic, intelligence, military or economic (DIME) pressure would certainly want to identify the origin of an attack. For the purposes of this article, aimed at information security practitioners, it is not necessary to answer the "who" question definitively. However, those who do have elements of DIME power should take attribution statements by Google and other victims seriously.

Most of those actively countering APT activity describe the adversary in the following manner:

Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target's posture.

Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit, they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.

Threat means the adversary is not a piece of mindless code. The opposition is a threat because it is organized and funded and motivated. Some people speak of multiple "groups" consisting of dedicated "crews" with various missions.

In brief, APT is an adversary who conducts offensive digital operations (called computer network operations or perhaps computer network exploitation) to support various state-related objectives. APT is characterized by devotion to maintaining some degree of control of a target's computer infrastructure, acting persistently to preserve or regain control and access. Unclassified briefings by counter-intelligence and military analysts use the term "aggressive" to emphasize the degree to which APT pursues these objectives against a variety of government, military, and private targets.

WHY IS ADVANCED PERSISTENT THREAT MISUNDERSTOOD?


Beginning in January and peaking in February and March, many elements of the digital security community focused their attention on APT. Unfortunately, some of those speaking about the problem quickly found themselves echoing statements and questionable research offered by parties who were not familiar with APT. The result was an overall sense of confusion, with some of the more trustworthy voices competing with parties who would have been better advised to stay in the background. Several factors caused this phenomenon:

Besides Google's public statement, and subsequent secondhand reporting about allegedly affected peer companies, very little original data was available. Without details to discuss, the security community turned to almost anyone willing to talk about the incident. In too many cases, the speakers turned out to be vendors who saw APT as a marketing angle to rejuvenate slumping security spending. RSA Conference 2010 featured many companies selling counter-APT products, hoping to capitalize on the new hot topic of 2010.

McAfee reported it was analyzing malware that it claimed to be associated with the Google incident, independently assigning the name "Aurora" to the affair thanks to a path found in the malware. In late March, McAfee blamed the "fog of war" for mistakenly confusing a Vietnamese-targeted botnet with Google incident malware. Unfortunately, by associating this false lead with the Google incident, McAfee prompted a variety of security researchers to direct their efforts at code that likely had nothing to do with the Google incident.

Many analysts focused too narrowly on the elements of the incident that they could best understand, regardless of the real nature of the event. For example, companies specializing in botnet research assumed botnets were involved, and talked about the Google incident in those terms. Others who focus on identifying vulnerabilities and developing exploits concentrated on a flaw in Internet Explorer (patched by MS10-002) presumably leveraged by intruders to gain access to Google resources. Unfortunately, botnets have nothing to do with APT, and vulnerabilities, exploits, and malware are only elements of APT incidents, not the core feature of them.

IS APT NEW?
When the Google attack entered the public arena, many people wondered if APT was something new. The answer to this question depends on one's perspective, plus understanding some history. As mentioned earlier, the term APT is approximately 4 years old. It entered the common lexicon in early 2010 with the publicity garnered by Google's bold proclamation. However, consulting companies, particularly Mandiant, have been conducting public webcasts and presentations discussing APT by name since 2008. Prior to the 2006 invention of the APT term, news stories of Chinese intruders attacking military and government organizations bore the label "Titan Rain." For example, a 2005 Time magazine article by Nathan Thornburgh titled "The Invasion of the Chinese Cyberspies" described battles fought by Shawn Carpenter, then defending Sandia National Laboratories. That story mentioned Carpenter's experience with similar intruders dating back to late 2003. Even in 1998, when I served as a captain in the Air Force Computer Emergency Response Team, we encountered adversaries that many would now label APT.

Some would even argue that nothing about APT is new. To the extent that espionage is as old as warfare itself, some claim APT activity is just spying in another form, and not even a new medium, given the history of computer espionage dating from Cliff Stoll's work in the 1980s.

I argue that APT is new if those asking the question move beyond two-dimensional thinking. Considering APT activity in terms of offender, defender, means, motive, and opportunity, APT is clearly new. Points for the "old" camp include the identity of the offender (nation-states) and the motive (espionage). Points for the "new" camp make a stronger argument:

Defender: I break APT targets into four phases: 1) late 1990s military victims; 2) 2000-2004 non-military government victims; 3) 2005-2009 defense industrial base; 4) 2009-present intellectual property-rich targets and software companies. (Unfortunately there are clear examples of earlier victims, but these dates roughly cover most known cases.) The assault conducted during phases 3 and 4 is unprecedented, meaning entirely new classes of defenders must protect themselves from attackers previously a concern for the military.

Means: Too many critics focus on malware, ignoring (or being unaware of) the impressive management and administration applied to repeatedly attempting to access, or preserving access to, target organizations. APT incidents are not hit-and-run, smash-and-grab affairs.

Opportunity: The explosion of Internet connectivity in the last decade and the extreme distribution of sensitive data to end points provide cheap, low-risk, remote access options for intruders, unlike anything available to human spies.

On balance, I argue APT is new, at least when considered from the perspective of non-military targets, and remembering that phase 3 APT activity began in 2003 and became a significant problem in 2005.

OBJECTIVES: APT IMPACT

Analysts currently assess APT activities as supporting four main goals.

Political objectives such as maintaining internal stability.

Economic objectives that rely on stealing intellectual property from victims. Such IP can be cloned and sold, studied and underbid in competitive dealings, or fused with local research to produce new products and services more cheaply than the victims.

Technical objectives that further their ability to accomplish their mission. These include gaining access to source code for further exploit development, or learning how defenses work in order to better evade or disrupt them. Most worrying is the thought that intruders could make changes to improve their position and weaken the victim.

Military objectives that include identifying weaknesses that allow inferior military forces to defeat superior military forces.

RICHARD BEJTLICH


WHAT SHOULD DEFENDERS DO TO COUNTER APT?


The majority of this article has focused on describing APT and its history, because battling this adversary does not require a technical solution. The most effective counter-APT weapon is a trained and knowledgeable information security analyst. Many security vendors have adopted APT in their marketing literature. Some offer to find APT on a potential victim's network. Others have even registered APT-themed domain names. Tools are always helpful, but the best advice I can provide is to educate business leaders about the threat so that they support organizational security programs conducted by competent and informed staff.

A second question one is likely to ask follows: "How do I know if I am an APT target?" Contact your local Federal Bureau of Investigation office. One of the biggest game-changers in counter-APT awareness developed during the last several years is taking the form of visits by FBI and military or counter-intelligence specialists to potential victims. It's difficult to deny a security breach when representatives from a national security agency reveal excerpts from proprietary data or intellectual property and ask, "Does this data belong to you?" If you have not already engaged your organization's leaders in a counter-APT conversation, requesting a threat briefing from the local FBI office is an excellent way to promote managerial attention.

On a technical level, building visibility into one's organization will provide the situational awareness needed to have a chance to discover and hopefully frustrate APT activities. Without information from the network, hosts, logs, and other sources, even the most skilled analyst is helpless. Thankfully, obtaining such information is not a new challenge, and most security shops should be pursuing such programs already. The goal of counter-APT operations should be to make it as difficult as possible for the adversary to steal intellectual property; "increasing the cost per megabyte," to quote the NSA's Tony Sager, is the goal.

Richard Bejtlich is director of incident response for General Electric, and serves as principal technologist for GE's Global Infrastructure Services division. Send comments on this article to feedback@infosecuritymag.com.


BANKING MALWARE

UNDER ATTACK
Cybercriminals are using increasingly stealthy and sophisticated malware to hijack online business banking accounts. BY MARCIA SAVAGE

AT FIRST, it was hard to tell what was causing the phantom money transfers from the online bank account of a small North Carolina company. Investigators didn't know if the fraudulent wire and Automated Clearing House transfers were caused by an insider or malware, recalls Don Jackson, director of threat intelligence with the Counter Threat Unit at SecureWorks, an Atlanta-based security services provider. But the cause became quite clear when Jackson and his team examined the bookkeeper's computer: an infection by the Zeus Trojan. "In the past, Zeus was just spyware and wanted user names and passwords," he says. "This was the first banking version of Zeus. It got into the browser and changed things on the fly."


The malware caused the business to lose nearly $98,000, Jackson says. That was in late 2007. Today, criminals are using the Zeus crimeware kit with astonishing success, pulling off six-figure heists from the online bank accounts of scores of small businesses, municipalities and nonprofits. The Federal Deposit Insurance Corporation estimates losses from fraudulent electronic funds transfers in the third quarter of 2009 at about $120 million. The attacks have been mounting over the past 18 months or so and haven't slowed, experts say.

Zeus is among an emerging breed of stealthy malware that steals online banking and other sensitive credentials, with ever-changing capabilities to evade detection and defeat security controls. Bought and sold on the Internet and continually upgraded with new features, Zeus and its ilk represent the evolution of malware into a vast commercial enterprise. Banker Trojans accounted for 61 percent of all new malware in the first quarter of this year, according to a recent study by Panda Security.

"It's become an arms race" with the criminals behind these malware-fueled business operations, says Joe Bernik, CISO at Fifth Third Bank. "They're constantly looking for ways to improve the functionality to overcome whatever technical controls the financial services industry or whatever industry they're targeting puts into place," he says.

Malware has surpassed phishing as the top threat, says David Shroyer, vice president of online security and enrollment at Bank of America. "The speed of evolution and the shifting of threat vectors are astounding. It's light speed, so we have to be on our toes to protect our customers and our industry," he says. "What I'm seeing in the industry is this is now the big thing we're all worried about and we're cooperating like we never have before."

Let's take a closer look at Zeus, its emerging competition in the banking malware market, their impact, and how the financial services industry is responding.


ESCALATING BATTLE
Malicious code designed for banking fraud has been around as far back as 2003, says Jamz Yaneza, threat research manager at Trend Micro. Most early banking malware came in the form of keyloggers, which captured all kinds of sensitive information, not just online banking credentials. In the U.S., banks stepped up their defenses against spyware and keyloggers with added security, particularly two-factor authentication. In 2005, federal banking regulators issued authentication guidance for online banking, and regulators say attacks dipped for a couple years. Criminals had to figure out a new method of attack.

"Banks and online providers have done a good job putting in place authentication methods that made it hard for the criminals to make money," says Laura Mather, co-founder and CEO of Silver Tail Systems, a Palo Alto, Calif.-based provider of fraud prevention systems. "The bad news is the criminals didn't give up. They had to employ even more sophisticated technology in order to subvert the protections that have been put in place."

Fraudsters shifted their focus to malware because their returns from phishing were diminishing, says Sean Brady, identity protection and verification product marketing manager at RSA, the security division of EMC. "The more sophisticated groups were willing to put the extra investment into Trojans because they demonstrated return," he says.

To circumvent strong authentication methods, criminals have to impersonate the victim, Mather says. "Instead of just having a password, they have to look just like the victim, so they're accessing the victim's account from the victim's own computer, which means they have the correct IP address. It's very difficult for the bank to tell the difference between the malware and the legitimate user," she explains.

The Silentbanker Trojan, which surfaced a couple of years ago, had this interception functionality, but Zeus and other newer banking Trojans have honed it, experts say. Today's banking malware attacks a victim's Web browser instead of the online session, Bernik explains: "It modifies and intercepts the data that is being passed to the browser and it can actively modify Web pages." Criminals have used Zeus to add fields to obtain additional data for authenticating to a bank website and to alter balances to hide fraudulent withdrawals. Researchers have detected variants of Zeus that use the Jabber instant messaging protocol to relay stolen credentials in real time and circumvent the security provided by one-time password tokens.

Victims often receive an error message while the fraudster uses his or her credentials behind the scenes. These kinds of man-in-the-browser attacks are much harder to detect than the older man-in-the-middle attacks, where the hostile party inserts itself between the authenticating server and the valid user, Bernik says. "It becomes increasingly difficult for financial institutions to detect because some of the defense mechanisms we were using such as device ID and geo ID have limited value when dealing with a man-in-the-browser attack," he says.
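To make the page-modification mechanism and one of its server-side tells concrete, here is an added example that is not part of the article and not code from any malware sample or bank. The inject rule is modeled on the publicly documented Zeus webinject syntax (set_url / data_before / data_inject / data_after / data_end); the bank login page, the rule that adds an "ATM PIN" field, the URL and the two POST bodies are all constructed for this example. The check at the end is a heuristic, not a published bank control: a POST that carries a field the served form never had is a strong hint that something rewrote the page in the browser. It is only one signal, because an inject can just as easily strip the extra field before submission and exfiltrate it separately.

```python
"""Added example: how a man-in-the-browser webinject rewrites a bank page
before the victim sees it, and a server-side check that can notice the
result. Config grammar follows the public Zeus webinject format; the page,
rule and POST bodies below are constructed, not captured."""
import re
from fnmatch import fnmatch
from urllib.parse import parse_qs

# Constructed Zeus-style inject rule: add a field right after the password
# input on any page whose URL matches the mask.
INJECT_CONFIG = """\
set_url https://bank.example/login* GP
data_before
<input type="password" name="password">
data_end
data_inject
<label>ATM PIN</label><input type="text" name="atm_pin">
data_end
data_after
data_end
"""

# Constructed legitimate login page exactly as the bank's server sends it.
ORIGINAL_PAGE = """<form method="post" action="/login">
<input type="text" name="user">
<input type="password" name="password">
<input type="submit" value="Log in">
</form>"""


def parse_inject_config(text):
    """Parse set_url blocks into (url_mask, before, inject, after) tuples."""
    rules, mask, section, buf, parts = [], None, None, [], {}
    for line in text.splitlines():
        if line.startswith("set_url "):
            if mask:
                rules.append((mask, parts.get("data_before", ""),
                              parts.get("data_inject", ""), parts.get("data_after", "")))
            mask, parts = line.split()[1], {}
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line, []
        elif line == "data_end":
            parts[section] = "\n".join(buf)
            section = None
        elif section is not None:
            buf.append(line)
    if mask:
        rules.append((mask, parts.get("data_before", ""),
                      parts.get("data_inject", ""), parts.get("data_after", "")))
    return rules


def apply_injects(url, html, rules):
    """Rewrite the page the way the browser-resident hook does: splice
    `inject` in after the `before` anchor (and up to the `after` anchor,
    replacing whatever sits between them, when one is given)."""
    for mask, before, inject, after in rules:
        if not fnmatch(url, mask):
            continue
        start = html.find(before)
        if before and start == -1:
            continue
        pos = start + len(before)
        if after:
            end = html.find(after, pos)
            if end == -1:
                continue
            html = html[:pos] + inject + html[end:]
        else:
            html = html[:pos] + inject + html[pos:]
    return html


def form_field_names(html):
    """Names of all named <input> elements in a page."""
    return set(re.findall(r'<input[^>]*\bname="([^"]+)"', html))


def unexpected_fields(post_body, served_html):
    """Server-side heuristic: fields in the POST that the served form never had."""
    submitted = set(parse_qs(post_body, keep_blank_values=True))
    return sorted(submitted - form_field_names(served_html))


if __name__ == "__main__":
    rules = parse_inject_config(INJECT_CONFIG)
    print(apply_injects("https://bank.example/login?x=1", ORIGINAL_PAGE, rules))
    print(unexpected_fields("user=alice&password=pw&atm_pin=1234", ORIGINAL_PAGE))
```

Because the injected field is added client-side, neither device ID nor source IP changes; the only things the bank can observe are the shape of what comes back and how the session behaves, which is why the session-behavior and transaction-profiling layers discussed later in the article matter.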


A FORMIDABLE FOE
Zeus, also called Zbot, has been the most pervasive and damaging banking malware to date, researchers say. According to Microsoft, infections by Zeus have skyrocketed in the last two years (see chart, below). The malware spreads via phony emails that pretend to be notices from legitimate organizations like NACHA, the association that oversees the Automated Clearing House (ACH) network; spear phishing emails targeting specific individuals and containing links to malware-rigged websites; and drive-by downloads. Researchers believe criminals in Eastern Europe, particularly Russia and Ukraine, are behind the Zeus-fueled attacks.

The Zeus crimeware kit has three components, according to an analysis by Trend Micro: the Trojan, a configuration file, and a drop zone where stolen credentials are sent. After the Zeus Trojan is executed, it downloads its configuration file from a predetermined location, then waits for the victim to log in to a particular target included in the configuration file, Trend Micro researchers say. Criminals conduct extensive research on banking websites to hone their attacks. "They will do extensive research on the sites: logging in, understanding the page flows and thresholds to perform transactions with, down to the HTML code of the actual pages, because they will frequently use that knowledge to manipulate the page in the user's browser," Brady says.

The highly configurable nature of Zeus is one of its most powerful aspects, experts say. "Zeus is a lot of different botnets," Mather says. "Criminal A can buy Zeus and have his own command-and-control and his own botnet, and criminal B buys Zeus and has his own botnet that will be different from criminal A's because it's targeting victims in South America while the other is targeting victims in Europe."

Earlier this year, security firm NetWitness reported finding a 75GB cache of stolen data, including credentials for online banking sites and social networks, from more than 74,000 Zeus-infected systems; the company named the infected PCs tied to the Zeus attacks the Kneber botnet. In March, security researchers reported ongoing efforts to shut down Kazakhstan-based Troyak.org, an ISP serving a large chunk of a Zeus botnet. Spanish authorities in December shut down the Mariposa botnet, which stole banking and other sensitive data by infecting 12.7 million computers with Zeus and other malware.

East European cybercriminal operations using the Zeus malware kit have capitalized on the recession to successfully recruit money mules in the U.S. to move money siphoned from business online banking accounts, experts say. Fraudsters lure money mules over the Internet with bogus work offers and use them to receive the stolen funds, instructing them to wire money overseas after deducting a commission. Oftentimes, the money is stolen in amounts less than $10,000, in an apparent attempt not to trigger Suspicious Activity Report (SAR) requirements.

Jackson and other researchers at SecureWorks have been tracking each new version of the Zeus Trojan, which is constantly updated with new functionality.

STATISTICS: Zeus Infections Skyrocket
Microsoft data shows the number of reported Zeus (also called Zbot) infections shot up early this year.

Win32/Zbot family, report count (number of times Zeus was detected by a Microsoft security product):

    December 08      52,104
    March 09         38,040
    June 09          33,894
    October 09       60,669
    December 09     128,064
    March 10        212,954

Source: Microsoft Malware Protection Center
In March, they wrote that the latest version featured a level of control they hadn't yet seen in malware: a hardware-based licensing system so the malware can only be run on one computer. "Once you run it, you get a code from the specific computer, and then the author gives you a key just for that computer," wrote Jackson and Kevin Stevens, security researcher at SecureWorks CTU. A beta version of a new Zeus variant they examined this spring featured polymorphic encryption, which allows it to re-encrypt itself each time it infects a computer, making each infection unique and harder for antivirus systems to catch, Stevens says. Various modules for Zeus, including a Firefox form grabber, a Jabber chat notifier, and Windows 7/Vista support, are available on the Internet for prices ranging from $500 to $6,000, according to SecureWorks.

The developers behind Zeus also are very sensitive to detection rates of their malware by antivirus systems, says Mickey Boodaei, CEO of online security provider Trusteer. "Each variant they release goes through a kind of quality assurance process to make sure it's not detected by many antivirus solutions," he says. New York-based Trusteer released a study last fall that showed the Zeus Trojan infecting PCs with updated antivirus software 77 percent of the time.


THE COMPETITION

While Zeus has proven the most popular toolkit for criminals targeting online banking, the Clampi Trojan has also done its share of damage. Jackson says it's the number two threat to online banking after Zeus, but it isn't available for sale like Zeus; rather, it's used by one criminal group in Eastern Europe. Like Zeus, Clampi has advanced man-in-the-browser capabilities and uses state-of-the-art polymorphic cryptors to conduct fraudulent ACH and wire transfers, according to Jackson. SecureWorks last summer documented the Clampi Trojan and how it targeted thousands of websites, including large banks, small banks and mortgage companies. Those behind Clampi use encryption adeptly, making it difficult for researchers to track it, Jackson says: "It flies under the radar a lot."

Last fall, Finjan researchers reported a new bank Trojan, URLzone, that criminals used to intercept online banking sessions and steal thousands of euros from German accounts last summer. URLzone minimizes the risk of being detected by banks' antifraud systems by systematically transferring random, moderate amounts of money from compromised accounts. According to RSA researchers, the Trojan uses money mules in a highly sophisticated way in order to foil researchers trying to identify the mule accounts it's using: if it detects that a computer isn't part of its botnet, it delivers a fake mule account to the researcher's computer.

The Silon Trojan, meanwhile, targets only customers of major U.K. banks and has managed to infect thousands of computers, according to Trusteer. Silon steals banking credentials, bypasses specific security controls and can update itself to counter banks' defensive measures.

Earlier this year, SecureWorks researchers discovered a new banking Trojan, Bugat, designed to facilitate fraudulent ACH and wire transfers. Bugat's capabilities include many of those common in banking malware, including Internet Explorer and Firefox form grabbing and stealing and deleting IE, Firefox and Flash cookies. Bugat mainly targets regional banks and smaller national banks, Jackson says. "It's fairly sophisticated, but not up there with Zeus and Clampi," he adds. However, the emergence of Bugat indicates the strong demand for malware to commit financial fraud, according to SecureWorks.

Indeed, the competition for Zeus appears to be heating up, especially with the emergence of SpyEye. According to Symantec, the first version of the malware kit appeared for sale on Russian underground forums in December. "Retailing for $500, it is looking to take a chunk of the Zeus crimeware toolkit market," Symantec researchers wrote. The SpyEye toolkit is similar to Zeus in many ways and is updated regularly with new features, including one called "Kill Zeus" designed to delete Zeus from an infected system and leave SpyEye running, Symantec researchers noted.

THE FALLOUT
Government agencies and financial services associations began sounding the alarm about a sharp increase of fraudulent ACH and wire transfers hitting small and midsize businesses last August. In November, the FBI estimated that the fraudulent activity had resulted in approximately $100 million in attempted losses. "We're not hearing about it as much on the consumer side. It does happen, but these bad guys are going after the big fish," says Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC). "They're sending spear phishing emails to individuals at businesses they've checked out."

Investigative reporter Brian Krebs has documented many cases in which small businesses and municipal agencies have lost thousands of dollars through fraudulent money transfers. Oftentimes, Zeus is cited as a culprit, such as in the case of a small New York marketing firm that lost $164,000 after a Zeus infection. Business banking customers hit by online banking fraud typically lose out because they don't have the same regulatory protections to limit losses from fraudulent electronic funds transfers as consumers.

The fraud surge has led to a spate of lawsuits. For example, Bullitt County in Kentucky sued its bank, First Federal Savings Bank of Elizabethtown, last summer after cybercriminals stole $415,989 through fraudulent ACH transactions, according to court documents obtained by The Courier-Journal. The bank, which claims the county's security failures led to a Zeus infection, refused to reimburse the county for $310,176 that wasn't recovered. In another case, which has been widely reported, Hillary Machinery of Plano, Texas was sued by its former bank, Dallas-based PlainsCapital, after being victimized by online banking fraud in 2009. Hillary countersued the bank over the cyberheist, in which criminals stole about $800,000; PlainsCapital recovered almost $600,000.

For the financial sector and other industries, customer education has been a major weapon in successfully beating back phishing to the point where it's not the threat it was five years ago, Bank of America's Shroyer says. But customer education is a less powerful weapon against stealthy malware that is constantly finding ways to avoid detection, he says. Malware also is trickier from a customer resolution standpoint, Shroyer says: "I can fix a customer who's been exposed to phishing in a matter of minutes. A customer exposed to malware is a very difficult conversation. I can't just tell them to change their ID and passcode. I have to tell them that their endpoint, their PC, has been compromised by something that isn't just impacting their Bank of America relationships, but their Yahoo email account and other financial accounts like PayPal." Banking malware is a newer problem in the U.S., Shroyer adds, noting that banks in Australia, Brazil and the U.K. have been combating sophisticated banking Trojans for longer.

Mather, a former director of fraud prevention at eBay, says phishing was the top concern when she worked at the company; malware wasn't much on the radar. "Now when I talk to banks and other large organizations, they're having to assume the customer's computer is compromised. That's a very different way to look at your customers than worrying about whether they're going to give away their passwords."

ADVICE: New Approaches
Vendors offer alternative technologies to secure online banking from fraud.

AS CRIMINALS USE increasingly sophisticated malware to commit online banking fraud, new technologies have appeared to combat the problem. Trusteer's Rapport product is a browser security plug-in that works to prevent malware from tampering with online banking sessions. "While traditional desktop security products try to prevent malware, we're locking down the session," says Trusteer CEO Mickey Boodaei. Desktop protection products like Rapport and a similar technology from Prevx provide another strong layer of security, but many banks are reluctant to go that route, says Avivah Litan, vice president and distinguished analyst at Gartner.

IBM offers an alternative technology to foil online banking fraud: a USB-attached hardware device called Zone Trusted Information Channel (ZTIC) that runs the TLS/SSL protocol to create a proxy for connecting with banking websites; the SSL session bypasses any malware on a PC. IronKey recently launched Trusted Access for Banking, a USB device with a virtualized operating system and secure Web browser. "We're creating a separate secured operating environment on your computer without you needing a separate computer," says David Jevans, CEO of IronKey. Both IronKey and IBM are offering locked-down computing environments, but the technologies still use the keyboard, Litan says: "You could still record the keystrokes, so there's still an issue."

Silver Tail Systems offers a different approach with technology that watches for changes in how a website is used and alerts website owners to possible fraudulent activity. "We watch the behavior of the Web session to identify whether we think the behavior is a normal way to interact with a website," says Laura Mather, co-founder and CEO. Litan says many of the alternative technologies, like ZTIC, aren't new but are getting more attention now. "There's nothing new under the sun, but the situation is getting so bad that people are looking at these solutions," she says. Litan recommends that financial institutions take a layered approach to fighting online fraud, including fraud detection that monitors transaction behavior and desktop protection.

MARCIA SAVAGE

INDUSTRY RESPONSE
Financial industry groups, keenly aware of the critical need to preserve confidence in the online banking channel, have provided a slew of recommendations for fending off malware attacks. FS-ISAC, NACHA and the FBI, in their joint advisory last August, recommended financial institutions implement strong authentication, fraud detection and mitigation best practices, including transaction risk profiling, out-of-band transaction authentication together with fraud detection, and network defense in depth. They also advised banks to educate their corporate and small business customers about security, including: reconciling accounts on a daily basis; initiating ACH and wire transfers under dual control (with one person initiating the transfer and another authorizing it); and possibly carrying out all online banking from a locked-down, standalone computer with email and Web surfing disabled.

"We're emphasizing an integrated, layered security strategy," FS-ISAC's Nelson says. "Any single defense you come up with they can circumvent. If you implement a layered defense strategy, you have a better chance of defeating these bad guys."

The American Bankers Association backs the layered approach, says Doug Johnson, vice president of risk management policy for ABA. "One of the most important lessons we've learned from Zeus is that sometimes we hang our hat too much on security technological fixes," he says, adding that internal controls like dual authorization also are critical. The association is working with other industry groups to address the problem on an ongoing basis. "It is something we take very seriously because it gets to the heart of the relationship between the bank and its commercial and municipal customers," he says. "Obviously, we need to counteract anything that could disrupt the trust that's built up between those two parties."

Fifth Third Bank's Bernik notes that new technologies are emerging to deal with the challenge of the compromised host (see the sidebar "New Approaches") but adds, "There's no silver bullet to solve all the challenges when it comes to the online channel." Fifth Third, aiming to be a trusted advisor to its customers, provides them with education and certain technologies to combat the malware problem, he says. Making sure customers are aware of security best practices is critical, he adds.

Citing security concerns, Shroyer declines to detail strategies and techniques the financial services industry is using to fight the malware problem. But he says that Bank of America is in the process of requiring customers to upgrade their online IDs and passcodes to meet its security requirements, and recently rolled out a browser upgrade for its customers to move off older, vulnerable browsers. Customers can be resistant to change, but the uptake was "surprising and heartening," he says. "We've got to drive the message that we're here to help you protect your assets." In the wake of the malware attacks, though, the industry is coming together like never before, Shroyer says. He's having weekly calls with other banks in which they discuss what they're seeing and possible solutions. "You would not have seen that before," he says. "But now we have that collaboration." Malware, he says, "is going to drive us towards an opportunity to react faster than we have in the past out of necessity."
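The advisory's recommendations (transaction risk profiling, step-up to out-of-band confirmation, dual control) are easier to reason about in code than in a list, so here is an added example that is not part of the article and not any bank's or vendor's system. Every threshold, the beneficiary list and the day's transfers are constructed; the amounts are chosen to show the pattern the article describes, several payments to new payees each kept just under $10,000, which a per-transaction limit alone would wave through but a running daily aggregate and a new-beneficiary signal catch. The login-to-transfer timing signal stands in for the session-behavior monitoring the "New Approaches" sidebar describes.

```python
"""Added example: a small transaction risk profiler layering several of the
controls the FS-ISAC/NACHA/FBI advisory lists. Policy values, account
profile and transfers are constructed for illustration."""
from collections import defaultdict

# Assumed policy values (not from the article).
SINGLE_TXN_REVIEW_LIMIT = 10_000.0  # the figure structured payments try to stay under
NEAR_LIMIT_FRACTION = 0.9           # "just under the limit" starts here
DAILY_AGGREGATE_LIMIT = 20_000.0    # per-account daily total that forces a closer look
HUMAN_MIN_SECONDS = 60              # login-to-transfer faster than this looks scripted
STEP_UP_SCORE = 40                  # ask for out-of-band confirmation at this score
HOLD_SCORE = 80                     # hold for manual review at this score

# Constructed account profile: payees this customer has paid before.
KNOWN_BENEFICIARIES = {"ACME Supplies", "City Utility"}

# Constructed events for one business day. `initiator`/`approver` are user IDs
# in a dual-control workflow; approver None means nobody has approved yet.
TRANSFERS = [
    {"id": 1, "account": "A1", "amount": 4_850.00, "beneficiary": "ACME Supplies",
     "domestic": True, "initiator": "jane", "approver": "mark", "secs_since_login": 420},
    {"id": 2, "account": "A1", "amount": 9_700.00, "beneficiary": "D. Smith",
     "domestic": True, "initiator": "jane", "approver": "mark", "secs_since_login": 12},
    {"id": 3, "account": "A1", "amount": 9_400.00, "beneficiary": "K. Jones",
     "domestic": True, "initiator": "jane", "approver": "jane", "secs_since_login": 25},
    {"id": 4, "account": "A1", "amount": 9_900.00, "beneficiary": "L. Brown",
     "domestic": False, "initiator": "jane", "approver": None, "secs_since_login": 31},
]


def score_transfer(txn, known_beneficiaries, running_total):
    """Return (score, reasons). Signals are independent, so defeating one of
    them (e.g. keeping every amount under the limit) does not zero the score."""
    score, reasons = 0, []
    if txn["beneficiary"] not in known_beneficiaries:
        score += 30
        reasons.append("new beneficiary")
    if txn["amount"] >= SINGLE_TXN_REVIEW_LIMIT:
        score += 30
        reasons.append("over single-transaction limit")
    elif txn["amount"] >= NEAR_LIMIT_FRACTION * SINGLE_TXN_REVIEW_LIMIT:
        score += 15
        reasons.append("just under single-transaction limit")
    if running_total + txn["amount"] > DAILY_AGGREGATE_LIMIT:
        score += 30
        reasons.append("daily aggregate exceeded")
    if not txn["domestic"]:
        score += 20
        reasons.append("international wire")
    if txn["secs_since_login"] < HUMAN_MIN_SECONDS:
        score += 25
        reasons.append("transfer too soon after login")
    return score, reasons


def dual_control_ok(txn):
    """Dual control: someone other than the initiator must have approved."""
    return txn["approver"] is not None and txn["approver"] != txn["initiator"]


def decide(transfers, known_beneficiaries):
    """Judge the day's transfers in order with a per-account running total, so
    several sub-limit payments are evaluated together rather than one at a time.
    Returns {id: (action, score, reasons)}."""
    totals = defaultdict(float)
    decisions = {}
    for txn in transfers:
        score, reasons = score_transfer(txn, known_beneficiaries, totals[txn["account"]])
        if not dual_control_ok(txn):
            score += 40
            reasons.append("dual control not satisfied")
        totals[txn["account"]] += txn["amount"]
        if score >= HOLD_SCORE:
            action = "hold"
        elif score >= STEP_UP_SCORE:
            action = "step_up"  # confirm out of band, on a channel the infected PC cannot reach
        else:
            action = "allow"
        decisions[txn["id"]] = (action, score, reasons)
    return decisions


if __name__ == "__main__":
    for tid, (action, score, reasons) in decide(TRANSFERS, KNOWN_BENEFICIARIES).items():
        print(f"transfer {tid}: {action} (score {score}) {', '.join(reasons)}")
```

The step-up action is the important one for man-in-the-browser malware: a confirmation code sent to a phone, read back with the amount and payee, cannot be altered by code running in the browser, whereas anything shown on the infected PC can. Dual control helps for the same reason only if the second approver uses a different machine.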


Marcia Savage is editor of Information Security. Send comments on this article to feedback@infosecuritymag.com.


WEB 2.0 WIDGETS

Enterprise Protection for Web Add-Ons



Mini Web applications are complicating security for business owners. BY NICK LEWIS

WIDGETS, or mini Web applications, are popular tools or Web add-ons for users to express themselves on different Web 2.0 applications, such as Facebook or Twitter, or for organizations to access content from other websites. But there are some serious security implications that enterprises may need to defend against as Web 2.0 applications and Web add-ons become entrenched in the way business is done. We'll explain how assessing the security of widgets before incorporating them into a Web 2.0 environment can protect a business's Web visitors, internal users and, ultimately, its corporate reputation. Though there are legitimate business uses of Web 2.0 widgets, particularly for incorporating content from third-party sites like Facebook, Twitter, Google and others, these widgets can all too easily distribute malware and malicious code, or potentially advance other attacks.


Web 2.0 widgets explained



Widgets are independent applications or snippets of code from third-party sites that can be used on their own or included in other websites and Web applications. They often display content, like news items or press releases, but they can perform other actions too, like displaying a Twitter feed or including a recent blog post from another page or site. Twitter widgets let users display individual tweets on websites that can serve as real-time updates for site visitors. Similarly, Facebook widgets allow content from Facebook to be served when visiting a third-party website.

Widgets can be developed with a variety of development languages. Ajax-based widgets use the Google Ajax APIs for displaying Google Maps or other Google content. Many widgets use embedded snippets of JavaScript to allow organizations to display new products or news on the Web. A Twitter profile widget, for example, displays recent tweets on a website. The JavaScript snippet is simply embedded in the place where the user wants the tweets displayed. The JavaScript is executed in a visitor's browser and the tweets are visible on the webpage. Basically, the website instructs Web browsers to execute code from multiple different Web servers simultaneously to create the webpage, so every one of those servers is trusted by the visitor's browser exactly as much as the site that embedded it.

Security threats from Web 2.0 widgets


Malware authors started taking advantage of widgets as an attack vector several years ago, as noted in a 2008 advisory from Fortinet Inc.'s FortiGuard Center, which highlighted the Zango malware that was distributed by a malicious Facebook widget. Such threats aren't exactly new, but similar ones are plentiful in the wild today, and like Web 2.0 applications themselves, they are constantly evolving. Web 2.0 widgets pose a security risk not only to enterprises, but also to individual website visitors. Risk scenarios to the enterprise vary depending on the specific widgets used, but typically an individual employee would fall prey by accessing malicious widget content on the Web that affects his or her computer by planting malware that seeks to infect the network or steal sensitive data stored on the user's computer. Similarly, an enterprise faces risk with the Web 2.0 widgets it may incorporate into its own Web 2.0 applications for customer or public use. This is becoming an increasing concern as more companies seek to appear trendy by integrating Web 2.0 widgets from social networking platforms into their own websites and mobile applications. If those third-party Web 2.0 widgets are malicious or compromised, a company's Web visitors may execute malicious JavaScript or mobile code from multiple different websites, even though it looks like it is coming from a legitimate source (your organization's website). Suddenly a company can find itself in a liability scenario, unknowingly spreading attackers' malware to its Web visitors and customers.


Web 2.0 widgets: Enterprise defense strategy


Despite these threats, there are ways to securely allow widgets to be used in the enterprise, both by users for their own consumption and when building mashups for external use. To protect an organization's Web visitors from malicious Web 2.0 widgets, there should first be a security awareness program in place for enterprise Web developers who include third-party widgets in the websites they develop. Developers should be made aware of the potential risks from such widgets and taught to evaluate the security of the widgets before publishing them, a step easily forgotten given how simple it is to publish a new widget to a site. From there, each individual widget's functionality should be validated in a test environment to ensure basic malicious content cannot be distributed. Developers can evaluate the security of a widget by accessing the JavaScript code and carefully reviewing its functionality. To test for malicious content coming through a widget, like a Twitter stream, set up a Twitter account on a test website to see what is displayed by the widget when a variety of potentially malicious content is posted.

An automated process can also check an organization's website for malicious content delivered via widget. One such process might include a script running on a computer where multiple antimalware products are running. The script would download all of the content referenced from the widget to determine if any of the antimalware products generate an alert from the content. You could test this by publishing a link to the EICAR test file virus sample, and see if your automated process detects the sample virus. This may not be possible for every widget, especially if the widget is a pre-compiled binary, but validating the output should still be possible.

To protect internal users from putting company networks and data at risk, use the standard antimalware protections. A combination of network and endpoint defenses will protect users from most malicious content encountered via a widget. Various network appliances, often the same devices your organization may use to block basic malware, Web proxies, etc., include protections for social networking. Some devices offer this in the base functionality, but others require additional licenses or modules to monitor for these types of threats.

Awareness of the potential threats and ensuring that adequate antimalware protections are in place are critical to protect against Web 2.0 widget threats. Malicious or hacked Web 2.0 widgets can easily distribute code from third parties that can harm your infrastructure, steal your sensitive data or abuse the trust consumers and Web visitors have in your organization. Going forward, it's critical that your enterprise not only realize that these mashups can be dangerous, but also implement the proper protections and practices to prevent them from causing harm.
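An offline version of the automated widget check described above, added here as an example and not taken from the article or from any vendor's product. It walks a widget embed snippet for every external resource the browser would load, rejects origins the developer never approved, and runs each fetched body through a scanner. The embed snippet, the origin allowlist and the canned responses are constructed (the Twitter hostnames are only illustrative), and the scanner is a stand-in that matches the EICAR test string where a real pipeline would hand the bytes to its antimalware engines. The EICAR string is assembled from two halves so this source file is not itself quarantined by a desktop scanner.

```python
"""Added example: offline widget resource check. Embed snippet, allowlist and
canned responses are constructed; scan_bytes() stands in for real AV engines."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# EICAR test string, split so the file itself is not flagged; the pipeline
# under test still sees the full string in the fetched body.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Origins the developer approved when the widget was added (assumption).
APPROVED_ORIGINS = {"https://platform.twitter.com", "https://cdn.syndication.twimg.com"}

# Constructed embed snippet in the style of a hosted JavaScript widget; the
# iframe is the kind of extra resource a compromised widget might pull in.
WIDGET_EMBED = """
<div id="tweets"></div>
<script src="https://platform.twitter.com/widgets.js"></script>
<script src="https://cdn.syndication.twimg.com/widgets/timelines/123"></script>
<iframe src="http://cdn-widgets.example.net/ad.html"></iframe>
<img src="https://cdn.syndication.twimg.com/logo.png">
"""

# Constructed responses standing in for the network fetch.
CANNED_RESPONSES = {
    "https://platform.twitter.com/widgets.js": b"(function(){/* widget loader */})();",
    "https://cdn.syndication.twimg.com/widgets/timelines/123": b'{"body":"<p>hello</p>"}',
    "http://cdn-widgets.example.net/ad.html": ("<html>" + EICAR + "</html>").encode(),
    "https://cdn.syndication.twimg.com/logo.png": b"\x89PNG\r\n\x1a\n",
}


class ResourceCollector(HTMLParser):
    """Collect the URLs a page would load: script/iframe/img/link/object/embed."""
    SRC_ATTRS = {"script": "src", "iframe": "src", "img": "src",
                 "link": "href", "object": "data", "embed": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.SRC_ATTRS.get(tag)
        if attr:
            for name, value in attrs:
                if name == attr and value:
                    self.urls.append(value)


def referenced_urls(html):
    parser = ResourceCollector()
    parser.feed(html)
    return parser.urls


def origin(url):
    parts = urlparse(url)
    return f"{parts.scheme}://{parts.netloc}"


def scan_bytes(body):
    """Stand-in scanner: flags the EICAR test file. A real pipeline hands the
    body to one or more antimalware engines here and returns any alert."""
    return EICAR.encode() in body


def check_widget(html, approved_origins, fetch):
    """Return (url, problem) findings for every resource the widget references;
    an empty list means the widget passed. `fetch` maps a URL to bytes or None."""
    findings = []
    for url in referenced_urls(html):
        if not url.startswith("https://"):
            findings.append((url, "not https"))
        if origin(url) not in approved_origins:
            findings.append((url, "origin not approved"))
        body = fetch(url)
        if body is None:
            findings.append((url, "fetch failed"))
        elif scan_bytes(body):
            findings.append((url, "malware detected"))
    return findings


if __name__ == "__main__":
    for url, problem in check_widget(WIDGET_EMBED, APPROVED_ORIGINS, CANNED_RESPONSES.get):
        print(f"{problem}: {url}")
```

Pass a real fetch function (for instance one built on urllib with a timeout and a size cap) in place of `CANNED_RESPONSES.get` to run it against a staging site, and re-run it on a schedule: a widget that passed when it was added can start serving different content later, which is exactly the compromise scenario the article warns about. Note that the origin check only covers resources named in the embed snippet; script the widget loads at run time has to be observed in the test browser, not in the static snippet.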
Nick Lewis (CISSP, GCWN) is an information security analyst for a large public Midwest university, responsible for the risk management program, and also supports its technical PCI compliance program. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and in Telecommunications from Michigan State University in 2002. Prior to joining his current organization in 2009, Nick worked at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University. He also answers your information security threat questions.


TECHTARGET SECURITY MEDIA GROUP

INFORMATION SECURITY
EDITORIAL DIRECTOR Michael S. Mimoso
SENIOR SITE EDITOR Eric Parizo
EDITOR Marcia Savage
MANAGING EDITOR Kara Gattine
NEWS DIRECTOR Robert Westervelt
SITE EDITOR Jane Wright
ASSOCIATE EDITOR Carolyn Gibney
ASSISTANT EDITOR Maggie Sullivan
ASSISTANT EDITOR Greg Smith
UK BUREAU CHIEF Ron Condon

VICE PRESIDENT/GROUP PUBLISHER Doug Olender
PUBLISHER Josh Garland
DIRECTOR OF PRODUCT MANAGEMENT Susan Shaver
DIRECTOR OF MARKETING Nick Dowd
SALES DIRECTOR Tom Click
CIRCULATION MANAGER Kate Sullivan
PROJECT MANAGER Elizabeth Lareau
PRODUCT MANAGEMENT & MARKETING Corey Strader, Andrew McHugh, Karina Rousseau
SALES REPRESENTATIVES Eric Belcher ebelcher@techtarget.com; Patrick Eichmann peichmann@techtarget.com; Sean Flynn seflynn@techtarget.com; Jennifer Gebbie jgebbie@techtarget.com; Jaime Glynn jglynn@techtarget.com; Leah Paikin lpaikin@techtarget.com; Jeff Tonello jtonello@techtarget.com; Vanessa Tonello vtonello@techtarget.com; George Whetstone gwhetstone@techtarget.com; Nikki Wise nwise@techtarget.com

ART & DESIGN
CREATIVE DIRECTOR Maureen Joyce
COLUMNISTS Marcus Ranum, Bruce Schneier, Lee Kushner, Mike Murray
CONTRIBUTING EDITORS Michael Cobb, Eric Cole, James C. Foster, Shon Harris, Richard Mackey Jr., Lisa Phifer, Ed Skoudis, Joel Snyder
TECHNICAL EDITORS Greg Balaze, Brad Causey, Mike Chapple, Peter Giannacopoulos, Brent Huston, Phoram Mehta, Sandra Kay Miller, Gary Moser, David Strom, Steve Weil, Harris Weisman
USER ADVISORY BOARD Phil Agcaoili, Cox Communications; Richard Bejtlich, GE; Seth Bromberger, Energy Sector Consortium; Chris Ipsen, State of Nevada; Diana Kelley, Security Curve; Nick Lewis, ACM; Rich Mogull, Securosis; Craig Shumard, CIGNA; Marc Sokol, Guardian Life; Gene Spafford, Purdue University; Tony Spinelli, Equifax

INFORMATION SECURITY DECISIONS
GENERAL MANAGER OF EVENTS Amy Cleary

TECHTARGET INC.
CHIEF EXECUTIVE OFFICER Greg Strakosch
PRESIDENT Don Hawk
EXECUTIVE VICE PRESIDENT Kevin Beam
CHIEF FINANCIAL OFFICER Jeff Wakely
EUROPEAN DISTRIBUTION Parkway Gordon, Phone 44-1491-875-386, www.parkway.co.uk
LIST RENTAL SERVICES Julie Brown, Phone 781-657-1336, Fax 781-657-1100

Information Security's Essential Guide to Threat Management is published by TechTarget, 275 Grove Street, Newton, MA 02466 U.S.A.; Toll-Free 888-274-4111; Phone 617-431-9200; Fax 617-431-9201.
All rights reserved. Entire contents, Copyright 2011 TechTarget. No part of this publication may be transmitted or reproduced in any form, or by any means without permission in writing from the publisher, TechTarget or INFORMATION SECURITY.

RESOURCES FROM OUR SPONSOR

Explore some of the most prolific digital asset threats and risks facing organizations today. Read the results from the Ponemon Institute's Second Annual Cost of Cyber Crime Study.

About HP Enterprise Security: HP is a leading provider of security and compliance solutions for modern enterprises that want to mitigate risk in their hybrid environments and defend against advanced threats. Based on market leading products from ArcSight, Fortify, and TippingPoint, the HP Security Intelligence and Risk Management (SIRM) Platform uniquely delivers the advanced correlation, application protection, and network defense technology to protect today's applications and IT infrastructures from sophisticated cyber threats.
