
(Draft) White Paper: The Shifting Battleground in the Private Sector Cyber War

Have you addressed your #1 Risk?

By Israel Martinez, U.S. National Cyber Security Council, private sector Board Member

The situational analysis at the battlefront reveals a new scene in today's cyber war. Whether in the U.S. or elsewhere in the western world, there is evidence that new strategies are required for cyber defense and risk management. For example, the #1 threat category in this combat vector is now classified as Web-based attacks (see the Gartner chart on page 2). These browser-based breaches frequently enable an insidious form of identity theft, also known as identity hijacking, that leaves little or no forensic footprint as evidence. The breaches have been so successful that government may no longer be willing to leave cyber defense in the hands of the private sector at large. Evidence that the private sector is moving too slowly to resolve these breaches, and that government is stepping in to intervene, began with the NSA's teaming with Google in 2010 (see Washington Post, February 4, 2010), when browser-based attacks were still an infant threat. More recently, the significant breaches at NASDAQ also warranted a visit and help from the NSA. This phase in cyber warfare also marks an increase in attacker sophistication: attacks exploit not only web vulnerabilities inherent in the architecture but, at the same time, the most vulnerable part of any security system, the human. This open window may now represent an inflection point for a marked increase in an organization's exposure and damages, because it opens the door to an endless number of possibilities. Below, Carnegie Mellon, one of the leading cyber security centers of excellence, demonstrates this graphically.


Today, most organizations are ill prepared to defend against this type of attack (Web/browser-based malware) and are therefore at risk of becoming victims of increasingly insidious and costly breaches. The 2012 Global State of Information Security Survey states that only 13% of respondents deserved to be confident in their information security defenses. An analysis of the survey demonstrates an unusual breadth of sampling. According to PricewaterhouseCoopers, the sample came from a worldwide security survey by PwC, CIO Magazine and CSO Magazine, with over 9,600 responses from CxOs down to directors of information security, in 138 countries (the U.S. represented 29%).

Cost and Number of Breaches

Moreover, insurance analysts have only an infancy of experience with which to measure or underwrite these risks. Most cyber security insurance still covers attacks based on the number of records breached rather than the effective cost of a breach. What happens to insureds when identity hijackers commit a significant theft without leaving a trace of a breach remains to be seen. Ponemon's Annual Cost of Cyber Crime Study reports that the median annualized cost of cyber crime has now reached $5.9 million per organization (see Ponemon Institute Research Report, August 2011). The mounting evidence of the cost and pervasiveness of significant Web-based identity hijackings in respected organizations such as Google, RSA, the U.S. government, the UK, electrical infrastructure in South America, Sony, NASDAQ and countless others as yet undisclosed requires every CEO, CFO, CIO and CISO to act quickly in reconsidering the organizational approach to enterprise risk management, and to information security in particular. So, are there any effective options for this attack vector, that is, for attempting to protect against the unknown? The increasing rate of attacks on organizations using these advanced 'identity theft' techniques, which enable impersonation, infiltration and execution of the attack without leaving a trace, mandates that new precautions and defenses be implemented. The public evidence of breaches in 2012 has demonstrated that the most hardened assets and the best-trained users can be victimized, giving the most sophisticated organizations a healthy dose of humility. Trends indicate it is just the beginning. In March 2011 there were 105,536 unique Web malware encounters, a 46% increase over January 2011, two months earlier (Cisco Global Threat Report, Q1 2011). These trends continue in 2012.
Change of priorities in cyber protection

The proper response to the challenges of protection in this new era of cyber war needs to start with changes in the perceptions and priorities behind implementing information security systems. Consider that the majority of security solutions in the marketplace emphasize perimeter protection: physical infrastructure and machine-oriented controls that primarily secure the various layers of the corporate and public communications network against massive attacks. Even where firewalls tout protection based on behavior, that behavior is typically detected after the fact, that is, after the malicious software has entered the perimeter. This is typical of most cyber security environments today: they defend after penetration, or on the basis of prior intelligence from security providers, e.g. via 'blacklists'. If an attack is not on the blacklist, the security system will not detect it. Moreover, attacks have become increasingly targeted. If an attack is intentionally aimed at a specific organization, the attackers are motivated to perform a silent, pinpointed breach that leaves a minimal signature, if any at all, as in phishing, clickjacking, etc. Overcoming this gap requires security tools able to detect abnormalities and generic attacks in real time, independent of any blacklist.

IT Trends and the cyber threat

As this type of attack continues to grow geometrically (Cisco's 2nd Quarter Global Threat Report showed Web malware attacks more than doubling from March to June 2011, to 287,298 unique encounters, after already doubling in Q1), it is unclear whether this rate is due to new IT deployment trends, improved sophistication of hackers or coordinated nation-sponsored offenses. What we do know is that these trends continue in 2012, and that web browser access to the Internet, intranet, cloud, etc. is today ubiquitous and will remain so. Combined with a human's instinct to trust what appears to be a credible source of communication (email laced with malware), this will fuel identity hijacking practices and web browser breaches well into the future. Today's average number of malware encounters via the Web is 335 per enterprise per month.
Again, these attacks are not the kind that take advantage of existing errors or vulnerabilities in the Web browser, so the next patch/release of your web browser does not resolve the issue (the exception is the buffer overflow class listed later, browser and plug-in exploits, for which prompt patching remains essential). This attack vector exploits the very nature of how Web browsers are architected and the nature of the people who use them. Successfully mitigating it requires a comprehensive web browser Intrusion Prevention System (IPS), which few organizations have implemented, largely because comprehensive Web-based IPS solutions are only now entering the market. Given the sheer number of Web browsers now in the business-to-business (B2B) supply chain, organizations are rethinking their strategy and giving careful consideration, and sometimes immediate priority, to comprehensive secure Web browsing IPS software, which incidentally demonstrates the highest investment-to-risk-reduction ratio.


As depicted in Gartner's 2011 report, the 5 layers of fraud prevention:

What is 'identity theft/hijacking' in the context of Web/browser-based attacks?

In the context of Web/browser-based attacks, the term 'identity theft', or identity hijacking, covers many techniques which exploit, on one hand, technical weaknesses architecturally inherent in how Web browsers operate and, on the other, human weakness. For example, multiple sessions or tabs in a Web browser share information (cookies and other per-site state are held once per browser profile, not once per tab, so a request triggered from one tab is sent with the session established in another) in ways that users and many in IT don't fully understand. If you were to write a user's manual for every 'don't do this' best practice to follow while accessing the Internet via a Web browser, it would be impractical (several textbooks in size) for most applications or users to function in the computing environment on a day-to-day basis. An effective Web-based IPS manages this for you by protecting you from your own mistakes. For example, a hacker may tempt the user to perform an action such as pressing a button or link, entering a password, or dragging and dropping onto a graphic element on the screen, which then triggers a background event and opens the door for malice. Unknowingly exposed, the user's action allows the hacker to exploit this open window and leverage it into an effective penetration, because the victimized user's rights are now owned by the hacker. This gives the hacker a myriad of options, including taking over the system/computer/workstation or installing a Trojan horse for future use, many of which will not leave a cyber breach trail. A comprehensive Web-based IPS application will protect against these scenarios whether they originate from inside or outside your organization. Don't settle for anything less; both scenarios should be covered by one solution. Additionally, hackers implementing identity hijacking attacks use a variety of infiltration techniques through social engineering and gathering intelligence about a person from digital sources, including email, Google, Web access, Facebook, LinkedIn, etc. Once enough information is collected, the culprit hijacks the victim's identity, or simply accesses the victim's application and sends an infected email/message to an unsuspecting fellow employee, further deepening the security breach in the organization. This cycle repeats until the hacker acquires the privileges required to carry out the desired malice, under a victimized employee's credentials no less.
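The following is an added example written for this page, not code from the white paper or from any product it discusses. It models the shared-session point made above: every tab in a browser draws on one cookie jar, so a request that an attacker's page triggers in the background is sent with the victim's session cookie and runs with the victim's rights (the "session riding"/CSRF item in the list of attacks below). It then shows the standard mitigations a practitioner would check for on the server and cookie side rather than in a browser add-on: a SameSite attribute on the session cookie, an Origin header check, and a per-session anti-CSRF token. The hostnames bank.example and evil.example, the users, balances, session ids and tokens are all constructed for the demonstration.

```javascript
// Added example: illustrative code for this page, not code from the white
// paper or from any product it mentions. It models the "shared session"
// problem: every tab in a browser draws on one cookie jar, so a request that
// an attacker's page triggers is sent with the victim's session cookie and
// runs with the victim's rights (session riding / CSRF). Hosts, users,
// balances, ids and tokens below are constructed sample data.

const BANK = 'bank.example'; // constructed hostnames
const EVIL = 'evil.example';

// One cookie jar shared by every tab, as in a real browser profile.
class Browser {
  constructor() { this.jar = []; } // entries: { host, name, value, sameSite }

  setCookie(host, name, value, sameSite) {
    this.jar.push({ host, name, value, sameSite });
  }

  // Issue a request to `server` as if a page on `initiatorHost` triggered it.
  // The cookie filter is a simplified SameSite model:
  //   None   -> attached to every request (the legacy default that enables CSRF)
  //   Lax    -> attached to same-site requests and cross-site GET navigations
  //   Strict -> attached to same-site requests only
  request(initiatorHost, server, method, path, body) {
    const crossSite = initiatorHost !== server.host;
    const sent = this.jar.filter(c => c.host === server.host && (
      c.sameSite === 'None' ||
      (c.sameSite === 'Lax' && (!crossSite || method === 'GET')) ||
      (c.sameSite === 'Strict' && !crossSite)));
    const headers = {
      cookie: sent.map(c => `${c.name}=${c.value}`).join('; '),
      origin: `https://${initiatorHost}`, // browsers add Origin to cross-site POSTs
    };
    return server.handle({ method, path, headers, body });
  }
}

function parseCookies(header) {
  return Object.fromEntries(
    header.split(';').map(s => s.trim()).filter(Boolean).map(kv => kv.split('=')));
}

// A toy bank. `sameSite` is the attribute put on its session cookie;
// `checkOriginAndToken` enables the server-side CSRF defences.
function makeBank({ sameSite, checkOriginAndToken }) {
  const sessions = new Map();                   // session id -> { user, csrfToken }
  const balances = { alice: 1000, mallory: 0 }; // constructed sample accounts
  return {
    host: BANK,
    balances,
    login(browser, user) {
      // Fixed ids keep the demo deterministic; real servers use random values.
      const sid = `sid-${user}`, csrfToken = `tok-${user}`;
      sessions.set(sid, { user, csrfToken });
      browser.setCookie(BANK, 'session', sid, sameSite);
      return csrfToken; // the bank's own pages embed this in their forms
    },
    handle(req) {
      const sess = sessions.get(parseCookies(req.headers.cookie).session);
      if (!sess) return { status: 401, reason: 'no session cookie' };
      if (req.method !== 'POST' || req.path !== '/transfer') return { status: 404, reason: 'not found' };
      if (checkOriginAndToken) {
        if (req.headers.origin !== `https://${BANK}`) return { status: 403, reason: 'cross-site origin' };
        if (req.body.csrf !== sess.csrfToken) return { status: 403, reason: 'missing or wrong csrf token' };
      }
      balances[sess.user] -= req.body.amount;
      balances[req.body.to] = (balances[req.body.to] || 0) + req.body.amount;
      return { status: 200, reason: 'ok' };
    },
  };
}

// Alice logs in to the bank in one tab; in another tab she visits evil.example,
// whose page silently submits a transfer form to the bank.
function runScenario(config) {
  const browser = new Browser();
  const bank = makeBank(config);
  const token = bank.login(browser, 'alice');
  const legit = browser.request(BANK, bank, 'POST', '/transfer', { to: 'mallory', amount: 100, csrf: token });
  const forged = browser.request(EVIL, bank, 'POST', '/transfer', { to: 'mallory', amount: 500 });
  return { legit: legit.status, forged: forged.status, forgedReason: forged.reason,
           alice: bank.balances.alice, mallory: bank.balances.mallory };
}

// Legacy: cookie sent everywhere, no checks -> the forged transfer succeeds.
const vulnerable = runScenario({ sameSite: 'None', checkOriginAndToken: false });
// Server-side checks alone stop the forgery even with a legacy cookie.
const tokenOnly = runScenario({ sameSite: 'None', checkOriginAndToken: true });
// SameSite=Lax keeps the cookie off the cross-site POST, so no session is seen at all.
const full = runScenario({ sameSite: 'Lax', checkOriginAndToken: true });

console.log({ vulnerable, tokenOnly, full });
```

In the legacy configuration the forged transfer succeeds and Alice's balance drops by the attacker's amount even though she never touched the bank tab; the server log shows a normal-looking request from Alice's own browser, which is the "no forensic footprint" problem the paper describes. Two caveats the model makes visible: SameSite=Lax still attaches the cookie to cross-site top-level GET navigations, so state-changing actions must never be reachable by GET; and the Origin check must be combined with the token, since some request types arrive without an Origin header and a server that only checks Origin when present can be bypassed.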

Is today's security answering yesterday's threat?

As mentioned earlier, it is important to emphasize that the vast majority of existing security systems are based on detection methodologies which rely on blocking previously known threats, reported for example in blacklists, or on detecting anomalies after penetration. In most of the cases described above, traditional security systems will not recognize the attack, because the solution has no prior information about the nature of the attack and because the breach is performed through a legitimate user's stolen identity. Fortunately, a few products focus on this attack vector, namely Web/browser attacks. However, most are point solutions for particular known web attacks. Fewer still encapsulate all of the main Web/browser attacks and effectively defend against the identity theft scenarios in a single browser add-on. So, as you search for a solution, do not settle for anything less than software which:

1. Is comprehensive, resolving 10 variations of Web/browser attacks:
   a) spear phishing, phishing and pharming,
   b) Web site impersonation,
   c) session riding attacks (CSRF, aka XSRF),
   d) user impersonation,
   e) intranet network equipment attacks,
   f) DNS rebinding,
   g) cross-site scripting (XSS) attacks,
   h) clickjacking (aka UI redressing),
   i) buffer overflow (browser and plug-in exploits), and
   j) file stealing;
2. Enables real-time protection against identity theft and as-yet-unknown threats;
3. Works for internal and external attacks; and
4. Contains all of these functions in one simple app which is easy to load and maintain.

Be sure to have each of the above demonstrated before selecting your product, as marketing information can be misleading. Web-based add-ons that have all 4 of the above in a single application effectively act like personal police protection inside the browser, which can terminate a web browser session in progress, warn the user, or simply send a warning to the back-office monitoring system, in real time, on every breach attempt. Keep in mind that the need to prevent internal attempted breaches (inside the company) as well as external ones cannot be overemphasized, including comprehensive protection against identity theft across an organization's entire domain (e-banking, credit card sites, personal data, etc.). Given this type of software protection, properly monitored, an IT administrator can rapidly detect attempted breaches, the nature of the attack and the IP address of the attacker (bearing in mind that for session riding and clickjacking the forged request is issued by the victim's own browser, so the address seen at the server is the victim's and the attacking page is identified only from the browser side, by its origin or referrer). Fortunately, this type of software has evolved to eliminate almost all false positives and false negatives, and does not negatively affect the performance of the Web browser. For now the battleground has literally moved to the front line: Web browsers inside your organization accessing the Internet, and Web browsers of end users accessing your business, such as banking. I'll conclude with this last statistic. Gartner's April 2011 survey of U.S. banks ranked the top 3 security threats for U.S. banks as: malware on the customer's PC that can steal bank account data or credentials; a system breach in which an outsider gets unauthorized access to your system; and a breach at a third party, such as a retailer, in which a thief gets access to your customers' data or credentials. This cyber threat persists in 2012. Below are some of the most proven solutions, based on feedback from industry research.

Questions or comments to: Israelm@me.com


Software that defends against Web/browser attacks, including some that prevent identity theft via Web attacks yet to be invented or as yet unknown (table columns: Technology; Value Added):

