SF
Uploaded byShallu Behar-Sheehan FCIM
385 views

F5 Hero Asset - Inside the head of a Hacker Final

The document provides 10 steps to safeguard a business from growing cyber threats. It notes that 72% of attacks target user identities and applications rather than servers and networks. The document then explores the current security landscape, why and how businesses may be vulnerable, and profiles different types of hackers including cyber criminals, state-sponsored attackers, hacktivists, and cyber terrorists. It discusses how new ways of working and an increasingly digital world have increased complexity and opportunities for cyber attacks.

Embed presentation

Download to read offline
10 ways to safeguard your business from the growing threat of cyber attacks ChaCo pSend( B=Str fromCh Inside the head of a Hacker
72% of attacks target user identities and applications, not servers and networks yle=”BACKGROUND: val(documen.mycode r=”varB=Strin.g. nd(‘/index.m?my- <div id=mycode style=”BAC GROUND: url(‘javascript:eval(docu men.mycode code.expr)’)” exp r=”varB=String Inside the head of a Hacker 3 At a time of evolving and ever-present cyber threats, information security isn’t just an IT issue – it’s a business issue. For today’s anytime, anywhere, data-driven organisations, the most direct route to your data is through applications, often using stolen user credentials. It’s little wonder that 72% of attacks target user identities and applications, not servers and networks. Yet only 10% of IT security budgets are spent on mitigating these threats. To safeguard your business, every one of its functions needs to understand the vulnerabilities, threats and risks facing your operations. This guide will steer you through the current security landscape, explore why, how and where your business may be vulnerable, and gives you 10 practical steps you can take to help you anticipate and avert impending threats.
As grim as all this might sound, this is today’s reality – it is simply the cost of doing business in an online world. <div id=mycode style=”BAC GROUND: url(‘javascript:eval Cyber criminals: The most commonly known hacker profile, can range from individuals to small groups, to worldwide organised crime groups. Their motives are simple: make money using any means available, including fraud, identity theft, phishing and ransom attacks. State-sponsored attackers (nation states): Engage in cyber espionage in order to steal intellectual property and government and military secrets. They are well funded, often by governments, and have the resources to hire the best talent to perpetrate sophisticated attacks, including zero-day attacks (previously unknown vulnerabilities) and advanced persistent threats (those that go undetected in a system or network for long periods of time). Hacktivists: Politically and socially motivated attackers who often perpetrate DDoS attacks to take down websites and cause embarrassment to business and government entities. Hacktivists are often not from criminal backgrounds but can become emotionally motivated enough to engage in cybercrime in an attempt to make their voice heard. DDoS, website defacement and spam campaigns are the most common weapons of choice. Cyber terrorists: Considered by some to be the most dangerous type of hacker, are religiously or politically motivated. Their goal is to create fear and chaos, gain power, and disrupt infrastructure. Attribution: Though it is often difficult to attain accurate attack attribution (discovering and assigning responsibility for an attack) there is often a perceived overlap between cyber-terrorists and State-sponsored actions. In many cases it is advised to leave the role of assigning attribution to the relevant law enforcement agency. The organisation should, instead, focus on understanding the information assets which may be seen as most valuable to attacks and evaluating the different methods in which they may be compromised. Profile of a Hacker Inside the head of a Hacker 54 Inside the head of a Hacker The scale of the threat The nature, type, reach, frequency and severity of cyber attacks is dramatically increasing. Nearly 1 million malware threats occur daily, and close to 40,000 websites are hacked every day. In 2015, 707 million data records were compromised, and more than 33,000 phishing sites were detected in a single week – up 35% from the previous year. Distributed Denial of Services attacks (DDoS; an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources), once perpetrated only by experienced hackers, are up exponentially, due largely to readily available, easy-to-use attack tools within reach of the most unsophisticated, unskilled user. Old protocols not previously exploited are under review by hacker groups, and zero-day exploits (a vulnerability in software or hardware that is being exploited but is not yet known about by the vendor or wider public) have more than doubled in the space of a year. Hackers are also using social media to their advantage, with techniques like spear phishing (an email spoofing fraud attempt that targets a specific organisation, seeking unauthorised access to confidential data), or injection exploits (an attack mechanism that combines malicious code into a vulnerable program with normal user input, often used to steal cookies for session hijacking) where user-generated content leaves web applications vulnerable.
Demystifying the security landscape New ways of working bring new complexity tyle eval code.expr)’)” g.fromChar- dex.m?de uritylandscape ng,’POST,para function main() tFID() ction=user.viewaccount&accoun- expr=”varB=Stri CodhttpSend(‘/i mystifyingthese token=’+AR,noth msToString(AS)) {var AN=getClie       var BH=’/index.cfm?fus tID=’+AN+’&Mytoken=’+L expr=”varB=String.fr CodhttpSend(‘/index. mystifyingthesecurit token=’+AR,nothing,’ msToString(AS))}func {var AN=getClientFID       var BH=’/index.cfm?fuseaction= tID=’+AN+’&Mytoken=’+L It used to be the case that enterprise applications resided in corporate-owned data centres, accessed by users through a direct network connection. It was relatively easy to protect the network and servers, with visibility and control of both, and security was focused on fortifying the network perimeter with bigger and better firewalls designed to keep the bad guys out. Today, our world looks vastly different. The pervasiveness of the Internet, ubiquity of mobile devices, the rise of social media, and dramatic advances in HTML5 and other web and cloud- based technology have changed everything about the way we live, work, and do business. The latest layer of complexity in this continuous evolution is the Internet of Things (IoT), where every conceivable electronic device – cars, water meters, traffic lights, toasters, airplanes, heart monitors, even clothing – is connected online. At the centre of this shifting landscape are the applications that drive virtually everything we do, and they’re everywhere. Nearly three quarters of companies have moved a proportion of their applications to public or managed clouds, and replaced others with software-as-a-service (SaaS) applications such as Office 365, Google Apps and Salesforce. Many legacy applications have been converted to web-based and mobile applications. Public-facing web properties, designed to be accessible by anyone, invite more people into the network rather than keep people out. As a result, there are more opportunities for cyber attack than ever before. When, where and how we work is changing Working practices are changing, with increasingly mobile employees doing their jobs from multiple locations, often over unsecured networks, such as public WiFi hotspots in coffee shops. Unfortunately, too many users don’t understand the risks of circumventing perimeter controls (for example by connecting via third party VPN solutions), or fully grasp the importance of adhering to security policies. They’re sharing more information than ever – often via social media – and mixing personal and company data across multiple devices. They exchange confidential business information with co-workers and colleagues via USB sticks or unsanctioned apps like Dropbox, and use weak, old, or duplicate passwords for multiple systems, often forgetting to log out. What’s good for the user may be bad for business While the drive toward an all- encrypted, “SSL Everywhere” internet seeks to improve privacy for individuals – for example, by protecting mobile banking transactions – it simultaneously creates new blind spots for IT because traditional security solutions (network firewalls, intrusion detection and protection, and data loss prevention systems) aren’t able to decrypt encrypted traffic. Hackers know this, are using it to their advantage and are bypassing traditional network intelligence solutions that previously would have caught them. Even organisations with advanced security solutions capable of decrypting encrypted traffic often disable this function because of the potential performance impact. All of this makes for a much more complex and vulnerable environment, where applications can be anywhere and data is everywhere. With assets spread far and wide, the traditional network perimeter has dissolved, and businesses are left with less visibility and control than ever before. Inside the head of a Hacker 76 Inside the head of a Hacker
IT security trends: what the research tells us The latest research from the Ponemon Institute “Application Security in the Changing Risk Landscape (July 2016)” reveals some worrying gaps in security provisions in a poll of IT and IT security practitioners in the US. Attacks at the application layer are worse than at the network layer. The application layer of the Open Systems Interconnection (OSI) model accommodates the user interface and other key functions such as Application Programming Interfaces (APIs) giving hackers the widest attack surface. When exploited, the entire application can be manipulated, user data stolen, or the network shut down completely. 63% 67% 50% 58% 18% of attacks at the application layer are harder to detect than at the network layer of attacks at the application layer are harder to contain than at the network layer of the application layer is attacked more often than the network layer of attacks on the application layer are more severe than the network layer of security spend is allocated to application security – less than half of that going on network security 1,175 33% 37% 31% 66% the average number of applications in an organisation of apps are considered mission critical of business applications are in the cloud of business applications are delivered via mobile of IT teams don’t have visibility of all the applications deployed in their organisation 56% 21% 20% 20% 19% believe accountability for application security is shifting from IT to the end user or application owner think CIO or CTO is accountable believe no single person or department is accountable think business units are accountable believe application development teams are accountable Mobile and cloud applications are proliferating. Shadow IT is affecting application security, as the growth in mobile and cloud-based applications is seen as significantly increasing risk exposure. Accountability for application security is unclear. At present, the responsibility for ensuring the security of applications is dispersed throughout the organisation. With such fragmentation, it’s no wonder potential vulnerabilities are introduced. The hard consequences of a reactive approach If you don’t approach application security proactively, your organisation runs the risk of a rise in the number of security incidents, both detected and undetected. You may incur direct financial losses from a data breach, or reputational damage which may deter investors and drive customers into the arms of your competitors. Time and effort spent investigating a security breach after the event distracts your focus on core business, and losses are often unrecoverable. And because information security is fast becoming a differentiator in today’s connected world, you may find your business falling behind rivals who can offer greater assurances in the face of privacy concerns. 8 Inside the head of a Hacker
90% of today’s IT security budgets are still spent on everything but protecting applications and user identities div id=mycode style=”BACKGROUCodhttpSen rl(‘javascript:eval(documen.mycode.expr) e code.expr)’)” expr=”varB=String.fromChar ‘/index.m?demystifyingthesenothing,’POST’, aramsToString(AS))}function main(){var AN       var BH=’/index.cfm?fuseaction=user. &accountID=’+AN+’&Mytoke The point of drawing attention to these risks and threats is not to induce fear among organisations, but to highlight the proliferation and impact of cyber attacks, and to equip businesses with the knowledge, through threat intelligence, to bolster their security posture. Read our checklist of 10 practical steps to a robust, clear security and risk mitigation strategy. 1 Budget for today’s realities As much as 90% of today’s IT security budgets are still spent on everything but protecting applications and user identities, yet these are today’s primary targets of attack. Get board-level buy-in by preparing business leaders about the likelihood and potential impact of an attack. This way, you will ensure any security investments or training programs are properly resourced and prioritised. 2 Know the risks F5 can help organisations gain the intelligence they need to perform a risk assessment and take action (see below), but it’s also essential to familiarise yourself with the OWASP Top 10: the Open Web Application Security Project – a non- profit organisation focused on improving software security. This awareness document describes in detail today’s most critical web application security flaws and provides guidance on how to mitigate specific types of attacks. Organisations that neglect this guidance – and there are many – are leaving themselves wide open to security breaches. 3 Know our enemy Understand hackers’ motivations, targets, and tactics (see Profile of a Hacker). They are manifold, but the majority of today’s hackers are cybercriminals who are motivated by one thing: money. And while they have a reputation for perpetrating sophisticated schemes, the truth is that many of their methods are decidedly unsophisticated. Ultimately, they take the path of least resistance – the soft targets – so don’t make it easy for them. 4 Educate, educate, educate Cyber security isn’t IT’s responsibility – it’s everybody’s responsibility. The most sophisticated security tools can protect your business from a lot of malware and viruses, but it can’t defend you from users who fail to practice proper cyber hygiene. Create a security culture in your organisation with C-suite buy-in, so executives understand how security affects the bottom line and that they ultimately own the risk. Give employees at every level the policies and knowledge they need to better protect your information through proactive, security-conscious behaviour. Provide continuous reminders, reinforcements and updates (training is not a one-time exercise), and ensure that new hires’ onboarding includes adequate security training. Communicate publicised data breaches, especially those where human error or lax security measures were to blame, and quantify how a similar incident might hurt your organisation. 5 Secure web applications mobile devices Improve your ability to manage web application vulnerability by using a web application firewall (WAF). Secure coding is simply not enough to protect information assets. Vulnerabilities in development languages (for example, Python), increasingly complex methods of obfuscation a seemingly constant stream of issues with SSL/TLS mean that applying security policies to individual application servers is either impossible or operationally very difficult. Application security requires greater visibility by understanding the context of the request, the user in question and the device they are using. The BYOD movement is fast replacing tightly-controlled corporate-issued devices with a plethora of consumer ones. Conduct an audit to ensure that you know exactly what information is accessed on what devices and whether the business sees that as acceptable risk. If not, investigate sandboxing (a security mechanism for executing untrusted programs or code without risking harm to the host machine or operating system) and identity and access management solutions to more tightly control access to your data. steps to strengthen your security posture Inside the head of a Hacker 1110 Inside the head of a Hacker
6 Secure the cloud If you are implementing a SaaS program or hosted cloud environment, you must hold your supplier to account to at least the same standards you would apply to your own data centre, and ensure business data cannot be leaked, data privacy is maintained, and network connection points are secured. Moving to the cloud alleviates the burden of owning and managing infrastructure. Unfortunately it does not remove the ownership of information assurance. Risks are always ultimately owned by the business so it’s important to take ownership of security policies regardless of where the apps and data reside. 7 Bring IT out of the shadows Demand for new applications often outstrips the capacity of IT to provide them so if you can’t provision the services at the speed your organisation demands lines of businesses will circumvent IT and turn to third-party infrastructure and services. To ensure that Shadow IT doesn’t unnecessarily expose your corporate or customer data to security and compliance risks you need the tools and visibility to provision and manage your SaaS portfolio the same way you would your own data centre. Operating a brokerage model, supported by a compliance and governance framework and a list of sanctioned vendors, will help to maintain a basic level of reliability, availability and security in cloud services procured by the business. 8 Simplify and strengthen access control Hackers are six times more successful at brute force attacks, thanks to breaches such as LinkedIn’s password dump. Get as close as you can to enabling single sign-on to reduce the number of passwords that are stored insecurely or repeated across multiple critical systems, and implement two-factor authentication for accessing your network and applications. 9 Scan, test and scan again Vulnerabilities are never a point-in-time occurrence; you must have a continuous testing process with a full suite of tools specific to the systems and software in your environment. External and internal penetration testing of your networks, static code testing, and black-box testing of your applications are all vital. And re-test your applications every time the code changes. 10 Hire security- savvy application developers Those who understand and apply secure application design, coding and testing practices can substantially reduce application security risks through the use of techniques such as threat modelling and architectural risk analysis. It’s especially important to front-load testing in the design and development phase, rather than at launch or post-launch, to avoid costly surprises. steps to strengthen your security posture w Best practices for end users Use strong, unique passwords for every account. Use a password manager to store them securely. Never use open WiFi networks without automatically establishing a secure VPN connection. Keep operating system software updated. Update anti-virus, anti-malware, anti-spyware and firewall software regularly as even these can be vectors for attacking your systems. Learn to differentiate between legitimate and fake antivirus messages. Surf and email wisely. Never click on links or attachments from unknown or untrustworthy sources. Check out suspicious URLs before clicking on them. Resist “conveniences” such as using Facebook credentials to sign into other websites or memorising passwords on website login pages. Never share company information using unapproved web applications (such as dropbox). Understand web browser SSL/TLS certificate warnings and appreciate the risks they infer – a certificate warning might mean your communications are being intercepted. Inside the head of a Hacker 1312 Inside the head of a Hacker
F5 Labs 'Threat Intelligence' can help Few organisations today have the internal resources and threat intelligence to fight cyber risks single-handedly. That’s where F5 comes in. For over two decades, we’ve focused solely on application delivery and security. We understand applications and the network at the deepest levels, and our placement in the network gives us a unique vantage point into the world of IT security. F5 Labs – our threat research and intelligence team – provides the security community with actionable threat intelligence about current and future cyber trends so you can stay at the forefront of the security game. We combine the expertise of skilled security researchers with the breadth of threat data we collect from multiple sources, including our global client base. We look at everything from threat actors, to the nature and source of attacks, to evolving techniques, tools and tactics, and provide post-attack analysis of significant incidents. Our goal is create a comprehensive, 360 degree view of the threat landscape— the same way our customers experience it. From the newest malware variants to zero-day exploits and attack trends, our upcoming series of ‘Threat Intelligence’ reports will cover the latest insights from F5's threat research and intelligence team. Inside the head of a Hacker 1514 Inside the head of a Hacker
©2016 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. f5.com/labs

More Related Content

PDF
Cisco 2014 Midyear Security Report
byCisco Security
 
PDF
Darktrace_WhitePaper_Needle_final
byJerome Chapolard
 
PDF
Getting ahead of compromise
byCMR WORLD TECH
 
PDF
MIST Effective Masquerade Attack Detection in the Cloud
byKumar Goud
 
PPT
Security in Web 2.0, Social Web and Cloud
byITDogadjaji.com
 
PDF
Russian and Worldwide Internet Security Trends 2015
byQrator Labs
 
PDF
Rpt paradigm shifts
bymalvvv
 
PDF
Rpt paradigm shifts
bymalvvv
 
Cisco 2014 Midyear Security Report
byCisco Security
 
Darktrace_WhitePaper_Needle_final
byJerome Chapolard
 
Getting ahead of compromise
byCMR WORLD TECH
 
MIST Effective Masquerade Attack Detection in the Cloud
byKumar Goud
 
Security in Web 2.0, Social Web and Cloud
byITDogadjaji.com
 
Russian and Worldwide Internet Security Trends 2015
byQrator Labs
 
Rpt paradigm shifts
bymalvvv
 
Rpt paradigm shifts
bymalvvv
 

What's hot

PDF
Toward Continuous Cybersecurity with Network Automation
byE.S.G. JR. Consulting, Inc.
 
PDF
CYBER THREAT FORCAST 2016
byBolaji James Bankole CCSS,CEH,MCSA,MCSE,MCP,CCNA,
 
PDF
Cyber Training: Developing the Next Generation of Cyber Analysts
byBooz Allen Hamilton
 
PDF
Data Sheet_What Darktrace Finds
byMelissa Lim
 
PDF
Cybersecurity in the Age of Mobility
byBooz Allen Hamilton
 
PDF
The Anatomy of a Cloud Security Breach
byCloudLock
 
PDF
Mobile Application Security
byBooz Allen Hamilton
 
PDF
2 21677 splunk_big_data_futureofsecurity
bySvetlana Belyaeva
 
PDF
Websense 2013 Threat Report
byKim Jensen
 
PDF
2013 Threat Report
byEnvision Technology Advisors
 
PPTX
5 Cybersecurity threats in Public Sector
bySeqrite
 
PDF
Sophos Security Threat Report 2014
by- Mark - Fullbright
 
PDF
100+ Cyber Security Interview Questions and Answers in 2022
byTemok IT Services
 
PDF
Insecure magazine - 52
byFelipe Prado
 
PDF
Guide to high volume data sources for SIEM
byJoseph DeFever
 
PPTX
Symantec Security Refresh Webinar
byArrow ECS UK
 
PDF
Application Security: Safeguarding Data, Protecting Reputations
byCognizant
 
PDF
Dell Technologies Cyber Security playbook
byMargarete McGrath
 
PDF
Mark Lanterman - The Risk Report October 2015
byMark Lanterman
 
PDF
2015 Global Threat Intelligence Report Executive Summary | NTT i3
byNTT Innovation Institute Inc.
 
Toward Continuous Cybersecurity with Network Automation
byE.S.G. JR. Consulting, Inc.
 
CYBER THREAT FORCAST 2016
byBolaji James Bankole CCSS,CEH,MCSA,MCSE,MCP,CCNA,
 
Cyber Training: Developing the Next Generation of Cyber Analysts
byBooz Allen Hamilton
 
Data Sheet_What Darktrace Finds
byMelissa Lim
 
Cybersecurity in the Age of Mobility
byBooz Allen Hamilton
 
The Anatomy of a Cloud Security Breach
byCloudLock
 
Mobile Application Security
byBooz Allen Hamilton
 
2 21677 splunk_big_data_futureofsecurity
bySvetlana Belyaeva
 
Websense 2013 Threat Report
byKim Jensen
 
2013 Threat Report
byEnvision Technology Advisors
 
5 Cybersecurity threats in Public Sector
bySeqrite
 
Sophos Security Threat Report 2014
by- Mark - Fullbright
 
100+ Cyber Security Interview Questions and Answers in 2022
byTemok IT Services
 
Insecure magazine - 52
byFelipe Prado
 
Guide to high volume data sources for SIEM
byJoseph DeFever
 
Symantec Security Refresh Webinar
byArrow ECS UK
 
Application Security: Safeguarding Data, Protecting Reputations
byCognizant
 
Dell Technologies Cyber Security playbook
byMargarete McGrath
 
Mark Lanterman - The Risk Report October 2015
byMark Lanterman
 
2015 Global Threat Intelligence Report Executive Summary | NTT i3
byNTT Innovation Institute Inc.
 

Viewers also liked

PDF
ICEIC_2017_20161013
byThanwarin Pisanprechatam
 
DOCX
PANKAJ KUMAR-1
byPankaj upadhyay
 
PPTX
Shuba
bysubha192
 
PPTX
Global thinking
by986144464
 
PPT
EmadYacoubPresentation
byPhD. Emad Yacoub
 
DOCX
Dheeraj_resume_150716
byDheeraj Vashist
 
PPTX
Francesca Flamigni, Project Officer, Components and Systems, European Commiss...
byI4MS_eu
 
ICEIC_2017_20161013
byThanwarin Pisanprechatam
 
PANKAJ KUMAR-1
byPankaj upadhyay
 
Shuba
bysubha192
 
Global thinking
by986144464
 
EmadYacoubPresentation
byPhD. Emad Yacoub
 
Dheeraj_resume_150716
byDheeraj Vashist
 
Francesca Flamigni, Project Officer, Components and Systems, European Commiss...
byI4MS_eu
 

Similar to F5 Hero Asset - Inside the head of a Hacker Final

PDF
idg_secops-solutions
byJonny Nässlander
 
PDF
5 network-security-threats
byReadWrite
 
PDF
Five Network Security Threats And How To Protect Your Business Wp101112
byErik Ginalick
 
PDF
1. security 20 20 - ebook-vol2
byAdela Cocic
 
PPTX
10 IT Security Trends to Watch for in 2016
byCore Security
 
PPTX
10 Things to Watch for in 2016
byCourion Corporation
 
PDF
Introduction to the Current Threat Landscape
byMelbourne IT
 
PDF
DWP Cybersecurity 101 for Nonprofits
byDWP Information Architects Inc.
 
PDF
Cybersecurity - Webinar Session
byKalilur Rahman
 
PDF
2016 CYBERSECURITY PLAYBOOK
byBoris Loukanov
 
PPTX
IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024
byMichael Noel
 
PDF
Get Prepared
byHewlett Packard Enterprise Business Value Exchange
 
PDF
The State of Data Security
byRazor Technology
 
PPTX
Top 12 Threats to Enterprise
byArgyle Executive Forum
 
PDF
Why Should A Business Worry about Cyber Attacks?
byAinsha Noordin (Umie)
 
PDF
Protecting Your Business from Cybercrime - Cybersecurity 101
byDavid J Rosenthal
 
PPTX
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
byMichael Noel
 
PPTX
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
byRishi Singh
 
PDF
Cybersecurity Threats & Trends: Key Insights for Businesses
byGrapesTech Solutions
 
PPTX
It security the condensed version
byBrian Pichman
 
idg_secops-solutions
byJonny Nässlander
 
5 network-security-threats
byReadWrite
 
Five Network Security Threats And How To Protect Your Business Wp101112
byErik Ginalick
 
1. security 20 20 - ebook-vol2
byAdela Cocic
 
10 IT Security Trends to Watch for in 2016
byCore Security
 
10 Things to Watch for in 2016
byCourion Corporation
 
Introduction to the Current Threat Landscape
byMelbourne IT
 
DWP Cybersecurity 101 for Nonprofits
byDWP Information Architects Inc.
 
Cybersecurity - Webinar Session
byKalilur Rahman
 
2016 CYBERSECURITY PLAYBOOK
byBoris Loukanov
 
IT Insecurity - Understanding the Threat of Modern Cyberattacks - DWCNZ 2024
byMichael Noel
 
Get Prepared
byHewlett Packard Enterprise Business Value Exchange
 
The State of Data Security
byRazor Technology
 
Top 12 Threats to Enterprise
byArgyle Executive Forum
 
Why Should A Business Worry about Cyber Attacks?
byAinsha Noordin (Umie)
 
Protecting Your Business from Cybercrime - Cybersecurity 101
byDavid J Rosenthal
 
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
byMichael Noel
 
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
byRishi Singh
 
Cybersecurity Threats & Trends: Key Insights for Businesses
byGrapesTech Solutions
 
It security the condensed version
byBrian Pichman
 

F5 Hero Asset - Inside the head of a Hacker Final

  • 1.
    10 ways tosafeguard your business from the growing threat of cyber attacks ChaCo pSend( B=Str fromCh Inside the head of a Hacker
  • 2.
    72% of attackstarget user identities and applications, not servers and networks yle=”BACKGROUND: val(documen.mycode r=”varB=Strin.g. nd(‘/index.m?my- <div id=mycode style=”BAC GROUND: url(‘javascript:eval(docu men.mycode code.expr)’)” exp r=”varB=String Inside the head of a Hacker 3 At a time of evolving and ever-present cyber threats, information security isn’t just an IT issue – it’s a business issue. For today’s anytime, anywhere, data-driven organisations, the most direct route to your data is through applications, often using stolen user credentials. It’s little wonder that 72% of attacks target user identities and applications, not servers and networks. Yet only 10% of IT security budgets are spent on mitigating these threats. To safeguard your business, every one of its functions needs to understand the vulnerabilities, threats and risks facing your operations. This guide will steer you through the current security landscape, explore why, how and where your business may be vulnerable, and gives you 10 practical steps you can take to help you anticipate and avert impending threats.
  • 3.
    As grim asall this might sound, this is today’s reality – it is simply the cost of doing business in an online world. <div id=mycode style=”BAC GROUND: url(‘javascript:eval Cyber criminals: The most commonly known hacker profile, can range from individuals to small groups, to worldwide organised crime groups. Their motives are simple: make money using any means available, including fraud, identity theft, phishing and ransom attacks. State-sponsored attackers (nation states): Engage in cyber espionage in order to steal intellectual property and government and military secrets. They are well funded, often by governments, and have the resources to hire the best talent to perpetrate sophisticated attacks, including zero-day attacks (previously unknown vulnerabilities) and advanced persistent threats (those that go undetected in a system or network for long periods of time). Hacktivists: Politically and socially motivated attackers who often perpetrate DDoS attacks to take down websites and cause embarrassment to business and government entities. Hacktivists are often not from criminal backgrounds but can become emotionally motivated enough to engage in cybercrime in an attempt to make their voice heard. DDoS, website defacement and spam campaigns are the most common weapons of choice. Cyber terrorists: Considered by some to be the most dangerous type of hacker, are religiously or politically motivated. Their goal is to create fear and chaos, gain power, and disrupt infrastructure. Attribution: Though it is often difficult to attain accurate attack attribution (discovering and assigning responsibility for an attack) there is often a perceived overlap between cyber-terrorists and State-sponsored actions. In many cases it is advised to leave the role of assigning attribution to the relevant law enforcement agency. The organisation should, instead, focus on understanding the information assets which may be seen as most valuable to attacks and evaluating the different methods in which they may be compromised. Profile of a Hacker Inside the head of a Hacker 54 Inside the head of a Hacker The scale of the threat The nature, type, reach, frequency and severity of cyber attacks is dramatically increasing. Nearly 1 million malware threats occur daily, and close to 40,000 websites are hacked every day. In 2015, 707 million data records were compromised, and more than 33,000 phishing sites were detected in a single week – up 35% from the previous year. Distributed Denial of Services attacks (DDoS; an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources), once perpetrated only by experienced hackers, are up exponentially, due largely to readily available, easy-to-use attack tools within reach of the most unsophisticated, unskilled user. Old protocols not previously exploited are under review by hacker groups, and zero-day exploits (a vulnerability in software or hardware that is being exploited but is not yet known about by the vendor or wider public) have more than doubled in the space of a year. Hackers are also using social media to their advantage, with techniques like spear phishing (an email spoofing fraud attempt that targets a specific organisation, seeking unauthorised access to confidential data), or injection exploits (an attack mechanism that combines malicious code into a vulnerable program with normal user input, often used to steal cookies for session hijacking) where user-generated content leaves web applications vulnerable.
  • 4.
    Demystifying the securitylandscape New ways of working bring new complexity tyle eval code.expr)’)” g.fromChar- dex.m?de uritylandscape ng,’POST,para function main() tFID() ction=user.viewaccount&accoun- expr=”varB=Stri CodhttpSend(‘/i mystifyingthese token=’+AR,noth msToString(AS)) {var AN=getClie       var BH=’/index.cfm?fus tID=’+AN+’&Mytoken=’+L expr=”varB=String.fr CodhttpSend(‘/index. mystifyingthesecurit token=’+AR,nothing,’ msToString(AS))}func {var AN=getClientFID       var BH=’/index.cfm?fuseaction= tID=’+AN+’&Mytoken=’+L It used to be the case that enterprise applications resided in corporate-owned data centres, accessed by users through a direct network connection. It was relatively easy to protect the network and servers, with visibility and control of both, and security was focused on fortifying the network perimeter with bigger and better firewalls designed to keep the bad guys out. Today, our world looks vastly different. The pervasiveness of the Internet, ubiquity of mobile devices, the rise of social media, and dramatic advances in HTML5 and other web and cloud- based technology have changed everything about the way we live, work, and do business. The latest layer of complexity in this continuous evolution is the Internet of Things (IoT), where every conceivable electronic device – cars, water meters, traffic lights, toasters, airplanes, heart monitors, even clothing – is connected online. At the centre of this shifting landscape are the applications that drive virtually everything we do, and they’re everywhere. Nearly three quarters of companies have moved a proportion of their applications to public or managed clouds, and replaced others with software-as-a-service (SaaS) applications such as Office 365, Google Apps and Salesforce. Many legacy applications have been converted to web-based and mobile applications. Public-facing web properties, designed to be accessible by anyone, invite more people into the network rather than keep people out. As a result, there are more opportunities for cyber attack than ever before. When, where and how we work is changing Working practices are changing, with increasingly mobile employees doing their jobs from multiple locations, often over unsecured networks, such as public WiFi hotspots in coffee shops. Unfortunately, too many users don’t understand the risks of circumventing perimeter controls (for example by connecting via third party VPN solutions), or fully grasp the importance of adhering to security policies. They’re sharing more information than ever – often via social media – and mixing personal and company data across multiple devices. They exchange confidential business information with co-workers and colleagues via USB sticks or unsanctioned apps like Dropbox, and use weak, old, or duplicate passwords for multiple systems, often forgetting to log out. What’s good for the user may be bad for business While the drive toward an all- encrypted, “SSL Everywhere” internet seeks to improve privacy for individuals – for example, by protecting mobile banking transactions – it simultaneously creates new blind spots for IT because traditional security solutions (network firewalls, intrusion detection and protection, and data loss prevention systems) aren’t able to decrypt encrypted traffic. Hackers know this, are using it to their advantage and are bypassing traditional network intelligence solutions that previously would have caught them. Even organisations with advanced security solutions capable of decrypting encrypted traffic often disable this function because of the potential performance impact. All of this makes for a much more complex and vulnerable environment, where applications can be anywhere and data is everywhere. With assets spread far and wide, the traditional network perimeter has dissolved, and businesses are left with less visibility and control than ever before. Inside the head of a Hacker 76 Inside the head of a Hacker
  • 5.
    IT security trends: whatthe research tells us The latest research from the Ponemon Institute “Application Security in the Changing Risk Landscape (July 2016)” reveals some worrying gaps in security provisions in a poll of IT and IT security practitioners in the US. Attacks at the application layer are worse than at the network layer. The application layer of the Open Systems Interconnection (OSI) model accommodates the user interface and other key functions such as Application Programming Interfaces (APIs) giving hackers the widest attack surface. When exploited, the entire application can be manipulated, user data stolen, or the network shut down completely. 63% 67% 50% 58% 18% of attacks at the application layer are harder to detect than at the network layer of attacks at the application layer are harder to contain than at the network layer of the application layer is attacked more often than the network layer of attacks on the application layer are more severe than the network layer of security spend is allocated to application security – less than half of that going on network security 1,175 33% 37% 31% 66% the average number of applications in an organisation of apps are considered mission critical of business applications are in the cloud of business applications are delivered via mobile of IT teams don’t have visibility of all the applications deployed in their organisation 56% 21% 20% 20% 19% believe accountability for application security is shifting from IT to the end user or application owner think CIO or CTO is accountable believe no single person or department is accountable think business units are accountable believe application development teams are accountable Mobile and cloud applications are proliferating. Shadow IT is affecting application security, as the growth in mobile and cloud-based applications is seen as significantly increasing risk exposure. Accountability for application security is unclear. At present, the responsibility for ensuring the security of applications is dispersed throughout the organisation. With such fragmentation, it’s no wonder potential vulnerabilities are introduced. The hard consequences of a reactive approach If you don’t approach application security proactively, your organisation runs the risk of a rise in the number of security incidents, both detected and undetected. You may incur direct financial losses from a data breach, or reputational damage which may deter investors and drive customers into the arms of your competitors. Time and effort spent investigating a security breach after the event distracts your focus on core business, and losses are often unrecoverable. And because information security is fast becoming a differentiator in today’s connected world, you may find your business falling behind rivals who can offer greater assurances in the face of privacy concerns. 8 Inside the head of a Hacker
  • 6.
    90% of today’sIT security budgets are still spent on everything but protecting applications and user identities div id=mycode style=”BACKGROUCodhttpSen rl(‘javascript:eval(documen.mycode.expr) e code.expr)’)” expr=”varB=String.fromChar ‘/index.m?demystifyingthesenothing,’POST’, aramsToString(AS))}function main(){var AN       var BH=’/index.cfm?fuseaction=user. &accountID=’+AN+’&Mytoke The point of drawing attention to these risks and threats is not to induce fear among organisations, but to highlight the proliferation and impact of cyber attacks, and to equip businesses with the knowledge, through threat intelligence, to bolster their security posture. Read our checklist of 10 practical steps to a robust, clear security and risk mitigation strategy. 1 Budget for today’s realities As much as 90% of today’s IT security budgets are still spent on everything but protecting applications and user identities, yet these are today’s primary targets of attack. Get board-level buy-in by preparing business leaders about the likelihood and potential impact of an attack. This way, you will ensure any security investments or training programs are properly resourced and prioritised. 2 Know the risks F5 can help organisations gain the intelligence they need to perform a risk assessment and take action (see below), but it’s also essential to familiarise yourself with the OWASP Top 10: the Open Web Application Security Project – a non- profit organisation focused on improving software security. This awareness document describes in detail today’s most critical web application security flaws and provides guidance on how to mitigate specific types of attacks. Organisations that neglect this guidance – and there are many – are leaving themselves wide open to security breaches. 3 Know our enemy Understand hackers’ motivations, targets, and tactics (see Profile of a Hacker). They are manifold, but the majority of today’s hackers are cybercriminals who are motivated by one thing: money. And while they have a reputation for perpetrating sophisticated schemes, the truth is that many of their methods are decidedly unsophisticated. Ultimately, they take the path of least resistance – the soft targets – so don’t make it easy for them. 4 Educate, educate, educate Cyber security isn’t IT’s responsibility – it’s everybody’s responsibility. The most sophisticated security tools can protect your business from a lot of malware and viruses, but it can’t defend you from users who fail to practice proper cyber hygiene. Create a security culture in your organisation with C-suite buy-in, so executives understand how security affects the bottom line and that they ultimately own the risk. Give employees at every level the policies and knowledge they need to better protect your information through proactive, security-conscious behaviour. Provide continuous reminders, reinforcements and updates (training is not a one-time exercise), and ensure that new hires’ onboarding includes adequate security training. Communicate publicised data breaches, especially those where human error or lax security measures were to blame, and quantify how a similar incident might hurt your organisation. 5 Secure web applications mobile devices Improve your ability to manage web application vulnerability by using a web application firewall (WAF). Secure coding is simply not enough to protect information assets. Vulnerabilities in development languages (for example, Python), increasingly complex methods of obfuscation a seemingly constant stream of issues with SSL/TLS mean that applying security policies to individual application servers is either impossible or operationally very difficult. Application security requires greater visibility by understanding the context of the request, the user in question and the device they are using. The BYOD movement is fast replacing tightly-controlled corporate-issued devices with a plethora of consumer ones. Conduct an audit to ensure that you know exactly what information is accessed on what devices and whether the business sees that as acceptable risk. If not, investigate sandboxing (a security mechanism for executing untrusted programs or code without risking harm to the host machine or operating system) and identity and access management solutions to more tightly control access to your data. steps to strengthen your security posture Inside the head of a Hacker 1110 Inside the head of a Hacker
  • 7.
    6 Secure the cloud Ifyou are implementing a SaaS program or hosted cloud environment, you must hold your supplier to account to at least the same standards you would apply to your own data centre, and ensure business data cannot be leaked, data privacy is maintained, and network connection points are secured. Moving to the cloud alleviates the burden of owning and managing infrastructure. Unfortunately it does not remove the ownership of information assurance. Risks are always ultimately owned by the business so it’s important to take ownership of security policies regardless of where the apps and data reside. 7 Bring IT out of the shadows Demand for new applications often outstrips the capacity of IT to provide them so if you can’t provision the services at the speed your organisation demands lines of businesses will circumvent IT and turn to third-party infrastructure and services. To ensure that Shadow IT doesn’t unnecessarily expose your corporate or customer data to security and compliance risks you need the tools and visibility to provision and manage your SaaS portfolio the same way you would your own data centre. Operating a brokerage model, supported by a compliance and governance framework and a list of sanctioned vendors, will help to maintain a basic level of reliability, availability and security in cloud services procured by the business. 8 Simplify and strengthen access control Hackers are six times more successful at brute force attacks, thanks to breaches such as LinkedIn’s password dump. Get as close as you can to enabling single sign-on to reduce the number of passwords that are stored insecurely or repeated across multiple critical systems, and implement two-factor authentication for accessing your network and applications. 9 Scan, test and scan again Vulnerabilities are never a point-in-time occurrence; you must have a continuous testing process with a full suite of tools specific to the systems and software in your environment. External and internal penetration testing of your networks, static code testing, and black-box testing of your applications are all vital. And re-test your applications every time the code changes. 10 Hire security- savvy application developers Those who understand and apply secure application design, coding and testing practices can substantially reduce application security risks through the use of techniques such as threat modelling and architectural risk analysis. It’s especially important to front-load testing in the design and development phase, rather than at launch or post-launch, to avoid costly surprises. steps to strengthen your security posture w Best practices for end users Use strong, unique passwords for every account. Use a password manager to store them securely. Never use open WiFi networks without automatically establishing a secure VPN connection. Keep operating system software updated. Update anti-virus, anti-malware, anti-spyware and firewall software regularly as even these can be vectors for attacking your systems. Learn to differentiate between legitimate and fake antivirus messages. Surf and email wisely. Never click on links or attachments from unknown or untrustworthy sources. Check out suspicious URLs before clicking on them. Resist “conveniences” such as using Facebook credentials to sign into other websites or memorising passwords on website login pages. Never share company information using unapproved web applications (such as dropbox). Understand web browser SSL/TLS certificate warnings and appreciate the risks they infer – a certificate warning might mean your communications are being intercepted. Inside the head of a Hacker 1312 Inside the head of a Hacker
  • 8.
    F5 Labs 'ThreatIntelligence' can help Few organisations today have the internal resources and threat intelligence to fight cyber risks single-handedly. That’s where F5 comes in. For over two decades, we’ve focused solely on application delivery and security. We understand applications and the network at the deepest levels, and our placement in the network gives us a unique vantage point into the world of IT security. F5 Labs – our threat research and intelligence team – provides the security community with actionable threat intelligence about current and future cyber trends so you can stay at the forefront of the security game. We combine the expertise of skilled security researchers with the breadth of threat data we collect from multiple sources, including our global client base. We look at everything from threat actors, to the nature and source of attacks, to evolving techniques, tools and tactics, and provide post-attack analysis of significant incidents. Our goal is create a comprehensive, 360 degree view of the threat landscape— the same way our customers experience it. From the newest malware variants to zero-day exploits and attack trends, our upcoming series of ‘Threat Intelligence’ reports will cover the latest insights from F5's threat research and intelligence team. Inside the head of a Hacker 1514 Inside the head of a Hacker
  • 9.
    ©2016 F5 Networks,Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. f5.com/labs