400 likes | 428 Views
Thin Ice in the Cyber World. Presented by Dr. Bill Hancock, CISSP, CISM Vice President, Security & Chief Security Officer bill.hancock@savvis.net 972-740-7347. Security transcends. WHY Security?. The Classic Reasons. Protect assets PR fears Management edict Corporate policies
E N D
Thin Ice in the Cyber World Presented by Dr. Bill Hancock, CISSP, CISM Vice President, Security & Chief Security Officer bill.hancock@savvis.net 972-740-7347
Security transcends WHY Security?
The Classic Reasons • Protect assets • PR fears • Management edict • Corporate policies • Fear of attacks • Customer info • Legal reasons • Was breached…
The Present Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html
Software Is Too Complex 50 45 40 35 • Sources of Complexity: • Applications and operating systems • Data mixed with programs • New Internet services • XML, SOAP, VoIP • Complex Web sites • Always-on connections • IP stacks in cell phones, PDAs, gaming consoles, refrigerators, thermostats 30 MILLIONS 18 20 16.5 15 10 4 3 0 WINDOWS NT (1992) WINDOWS 95 (1995) WINDOWS 98 (1998) WINDOWS 3.1 (1992) WINDOWS NT 4.0 (1996) WINDOWS 2000 (2000) WINDOWS XP (2001)
As Systems Get Complex, Attackers are Less Mentally Sophisticated… CERT/CC
Attacker Diversity • Script kiddies • Social misfits • Internal attackers • Hacking “gangs” • Organized crime • Nation-state sponsored entities • Terrorist entities
What do customers really want ? TOTAL COST OPTIMAL LEVEL OF SECURITY AT MINIMUM COST COST ($) COST OF SECURITY COUNTERMEASURES COST OF SECURITY BREACHES 0% SECURITY LEVEL 100% Security must make business sense to be adopted !
Security Biz Case DriversThe PAL Method • PAL – PR, assets/IP, law • Public Relations Issues • Costs for bad PR almost always exceed good security implementation • Asset Protection and Intellectual Property • Intellectual property • Customers • Employees • Data stores • The Law • Each country has compulsory compliance laws about security that most companies violate and don’t realize it
Purpose of the following section • Goal here is not to hit everything, just items that are either very timely or a bit outside the normal reporting of security events we see everyday
Classic Current IT Security Risks • DNS attacks • DDoS, DoS, etc. • Virii, worms, etc. • Spoofs and redirects • Social engineering • Router table attacks • OS holes, bugs • Application code problems • Insider attacks • Others…
Upcoming Security Threats • Geographic location • China is major concern • Legislation in other countries • New hacker methods and tools • VoIP • IP-VPN (MPLS) • ASN.1 and derivatives • Hacker “gangs” • Complexity of application solutions make it easier to disrupt them (Active Directory, VoIP, etc.) • Industrial espionage from competition • Covert sampling • Covert interception
Threats - Infrastructure • Core (critical) • Routing infrastructure • DNS • Cryptographic key mgt. • PBX and voice methods • E-mail • Siebel database
Threats – Infrastructure, II • Essential • Financial systems • Customer console management systems • Access management to Exodus critical resources • Intellectual property protection methods • Privacy control methods • Internal firewalls and related management • HR systems
Routing Infrastructure • No router-to-router authentication • Router table poisoning • Vector dissolution • Hop count disruption • Path inaccuracies • Immediate effect • Redundancy has no effect on repair/recovery • Edge routers/switches do not use strong access authentication methods
Routing Infrastructure, II • No CW-wide internal network IDS/monitoring • No internal network security monitoring for anomalies or stress methods • No effective flooding defense or monitoring
DNS Security Assessment • Grossly inadequate security methods against attacks • No distributed method for attack segmentation recovery • No IDS or active alarms on DNS to even see if they are up or down • Geographic distribution inadequate and easy to kill due to replication • Zone replication allows poisoning of DNS dbms • DNS servers around the company do not implement solid security architecture
Mobile Technology Security • Most corporate mobile technology when removed from the internal network or premises is WIDE OPEN to data theft, intrusion, AML, etc. • Laptops (no FW, IDS, VPN, virus killers, email crypto, file crypto, theft prevention/management, cyber tracking, remote data destruct, remote logging, AML cleaning, etc., etc., etc. • Palm Pilots, etc, - no security • 3G and data cells – no security • No operational security over wireless methods
Cyberterrorism • It’s real • It’s a major problem • Most sites have no clue on how to deal with it or what all is involved • Many sites have already been used for temporary storage of terrorist operational data (micro web sites, FTP buffer sites, steganography transfer, etc.) • If not on your radar, put it there now
Autonomous Malicious Logic • Worms, which increase with complexity and capabilities with each iteration • Increasing body of hostile code • Scans large blocks if IP addresses for vulnerabilities • Target agnostic • Large or small, powerful or not • No specific attack rationale means that anyone is vulnerable • Sharp increase in number seen in last year and growing
Buffer Overflows • Concept is not new, but there are a lot of new ones appearing daily • Due to underlying problems with core protocol language issues, such as ASN.1, the same buffer overflow attack packet type for a specific protocol can affect many different entities in different ways: • SNMP OID buffer overflow in February 2002 affected practically every instantiation of SNMP that used ASN.1 as the base definitional metalanguage • What it did to one vendor was radically different than what it did to a second vendor for the same type of packet attack
Password Crackers • Sharp rise in availability of password cracking programs • Bulk of them use brute force methods or known dictionary attack methods • Some are taking advantage of exploits of a known password hashing method • Commercial products starting to appear in the industry
Default Passwords • Still a popular exploit method: • Wireless access point admin • Operating systems • Broadband cable modems • Routers out-of-the-box • Databases out-of-the-box • Simple exploits • Laser printer passwords • SCADA components • Embedded systems
Vendor Distributed Malware • Due to lack of care in preparing distribution kits, many vendors are starting to distribute their products with malware in it • Recent gaming company distributed NIMDA with a CD distribution • Others have shipped virii and other malicious code infestations • Perimeter malware checking is not enough anymore
Insiders • Still a major threat • Responsible for over 90% of actual financial losses to companies • Most sites do not have enforceable internal security controls or capabilities • Legacy system • Hyperhrowth of systems/networks • Lack of care and planning in security as the growth has happened
Cryptographic Key Management • None • What is available is all manual • Changing keys on some technologies takes MONTHS (e.g. TACACS+) • Keys are weak in some areas and easily broken • No “jamming” defenses for key exchange methods • Little internal knowledge on key mgt and cryptographic methods
PBX and Voice Methods • No assessment of toll fraud and PBX misuse • Cell phones used continually for sensitive conversations • No conference call monitoring for illicit connections or listening • No videoconferencing security methods
PBX and Voice Methods, II • No voicemail protection or auditing efforts trans company • Easy to social engineer PBX access and re-direction • Redundancy of main switching systems questionable (e.g. May 2002 CWA OC-12 disruption)
E-Mail Security Issues • Employees in trusted positions reading e-mail • E-mail security methods take a long time to implement • Lack of use of encryption methods for confidential e-mail • Lack of keyserver for cryptographic methods (this is due to power) • Newly devised security methods not implemented yet • Use of active directory and LDAP in future a major concern
E-Mail Security Issues, II • Wireless e-mail a concern • No filters for SPAM • No keyword filter searching methods for potential IP “leakage” • Ex employees retain access information for their and other accounts
Hyperpatching • The need to quickly patch vulnerabilities is becoming a major security pain point • Protocol exploits such as SNMP will accelerate and require additional patching and fixes • Customers should stop with “old think” change control and start considering using hyperpatching and mass roll-out systems (push technology) to start solving hyperpatching problems
Employee Extortion • At least 5 different extortion methodologies have appeared that affect employee web surfers • Latest one involves persons who surf known child pornography web sites or hit on chat rooms on the subject • A link is e-mailed to the person and they threatened with being turned over to officials and employers unless they pay to keep the information about their surfing habits secret • This is a growing business…
Old Code Liabilities • Software vendors are trying to figure out how to decommission older versions and older code quickly due to patch/fix and general liability issues • Old code does not have security controls that are compatible with today’s problems and security systems
Wireless • Continues to be a problem • Mostly due to lack of implementation of controls • War driving is easy to do for most sites and to get on most networks • Illegal connection to a wireless network violates FCC regs • Need intrusion detection for wireless to detect who is associated to the LAN and doesn’t belong • Best short-term solution are peer-to-peer VPNs (desktop, site-to-site, etc.) • New threats with upcoming 3G products
Data Retention • BIG push for data retention in many parts of the world • With retention comes liabilities for retained information • U.S. has no specific retention laws except in specific financial and healthcare areas • EU and Asian countries recently enacted serious retention laws
M&A and Partnership Security • We often know nothing about the security of a non-corporate solution • After examination, most are very bad • We need procedures for evaluation of partners and M&A for security issues and corrective action • We also need to have as part of the diligence process proper security oversight on acquisitions • We often do not know about an M&A target until the press announcement
Blended Attacks • Biological and Cyber • Smallpox infection and DDoS against infrastructure • Multiphasic Cyber Attack • DDoS against routers, DNS poisoning attacks and defacement attacks at the same time • Sympathetic hacking group attacks • Upstream infrastructure attack • IXC disruption • Power grid disruption • Peering point disruption • Supply-chain vendor disruption
Questions? Dr. Bill Hancock, CISSP, CISM Vice President, Security & Chief Security Officer Email: bill.hancock@savvis.net Phone: 972-740-7347