Thin Ice in the Cyber World
Presented by Dr. Bill Hancock, CISSP, CISM
Vice President, Security & Chief Security Officer
bill.hancock@savvis.net
972-740-7347

Security transcends

WHY Security?

The Classic Reasons
• Protect assets
• PR fears
• Management edict
• Corporate policies
• Fear of attacks
• Customer info
• Legal reasons
• Was breached…
The Present
Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html

Software Is Too Complex
[Chart: lines of code (millions) for Windows 3.1 (1992), Windows NT (1992), Windows 95 (1995), Windows NT 4.0 (1996), Windows 98 (1998), Windows 2000 (2000) and Windows XP (2001)]
• Sources of Complexity:
  • Applications and operating systems
  • Data mixed with programs
  • New Internet services
  • XML, SOAP, VoIP
  • Complex Web sites
  • Always-on connections
  • IP stacks in cell phones, PDAs, gaming consoles, refrigerators, thermostats
As Systems Get Complex, Attackers are Less Mentally Sophisticated…
Source: CERT/CC

Attacker Diversity
• Script kiddies
• Social misfits
• Internal attackers
• Hacking “gangs”
• Organized crime
• Nation-state sponsored entities
• Terrorist entities

What do customers really want?
[Chart: total cost ($) against security level (0% to 100%); the cost of security countermeasures rises with the security level while the cost of security breaches falls, and the optimal level of security is where total cost is at its minimum]
Security must make business sense to be adopted!

Security Biz Case Drivers: The PAL Method
• PAL – PR, assets/IP, law
• Public Relations Issues
  • Costs for bad PR almost always exceed good security implementation
• Asset Protection and Intellectual Property
  • Intellectual property
  • Customers
  • Employees
  • Data stores
• The Law
  • Each country has compulsory compliance laws about security that most companies violate and don’t realize it
Purpose of the following section
• Goal here is not to hit everything, just items that are either very timely or a bit outside the normal reporting of security events we see everyday

Classic Current IT Security Risks
• DNS attacks
• DDoS, DoS, etc.
• Virii, worms, etc.
• Spoofs and redirects
• Social engineering
• Router table attacks
• OS holes, bugs
• Application code problems
• Insider attacks
• Others…

Upcoming Security Threats
• Geographic location
  • China is major concern
  • Legislation in other countries
• New hacker methods and tools
  • VoIP
  • IP-VPN (MPLS)
  • ASN.1 and derivatives
• Hacker “gangs”
• Complexity of application solutions make it easier to disrupt them (Active Directory, VoIP, etc.)
• Industrial espionage from competition
  • Covert sampling
  • Covert interception

Threats - Infrastructure
• Core (critical)
  • Routing infrastructure
  • DNS
  • Cryptographic key mgt.
  • PBX and voice methods
  • E-mail
  • Siebel database

Threats – Infrastructure, II
• Essential
  • Financial systems
  • Customer console management systems
  • Access management to Exodus critical resources
  • Intellectual property protection methods
  • Privacy control methods
  • Internal firewalls and related management
  • HR systems

Routing Infrastructure
• No router-to-router authentication
• Router table poisoning
  • Vector dissolution
  • Hop count disruption
  • Path inaccuracies
  • Immediate effect
  • Redundancy has no effect on repair/recovery
• Edge routers/switches do not use strong access authentication methods

Routing Infrastructure, II
• No CW-wide internal network IDS/monitoring
• No internal network security monitoring for anomalies or stress methods
• No effective flooding defense or monitoring

DNS Security Assessment
• Grossly inadequate security methods against attacks
• No distributed method for attack segmentation recovery
• No IDS or active alarms on DNS to even see if they are up or down
• Geographic distribution inadequate and easy to kill due to replication
• Zone replication allows poisoning of DNS dbms
• DNS servers around the company do not implement solid security architecture
Mobile Technology Security
• Most corporate mobile technology when removed from the internal network or premises is WIDE OPEN to data theft, intrusion, AML, etc.
• Laptops (no FW, IDS, VPN, virus killers, email crypto, file crypto, theft prevention/management, cyber tracking, remote data destruct, remote logging, AML cleaning, etc., etc., etc.)
• Palm Pilots, etc. – no security
• 3G and data cells – no security
• No operational security over wireless methods

Cyberterrorism
• It’s real
• It’s a major problem
• Most sites have no clue on how to deal with it or what all is involved
• Many sites have already been used for temporary storage of terrorist operational data (micro web sites, FTP buffer sites, steganography transfer, etc.)
• If not on your radar, put it there now

Autonomous Malicious Logic
• Worms, which increase in complexity and capabilities with each iteration
• Increasing body of hostile code
• Scans large blocks of IP addresses for vulnerabilities
• Target agnostic
  • Large or small, powerful or not
  • No specific attack rationale means that anyone is vulnerable
• Sharp increase in number seen in last year and growing

Buffer Overflows
• Concept is not new, but there are a lot of new ones appearing daily
• Due to underlying problems with core protocol language issues, such as ASN.1, the same buffer overflow attack packet type for a specific protocol can affect many different entities in different ways:
  • SNMP OID buffer overflow in February 2002 affected practically every instantiation of SNMP that used ASN.1 as the base definitional metalanguage
    • What it did to one vendor was radically different than what it did to a second vendor for the same type of packet attack
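The ASN.1 point above comes down to parsers trusting the length and continuation bytes inside a BER-encoded packet. The following is an added example, not code from the talk or from any SNMP vendor: a BER length and OBJECT IDENTIFIER decoder that checks every claimed length against the bytes actually present and every sub-identifier against the size of its destination (the 32-arc buffer size is an assumption), so malformed OIDs are rejected instead of overrunning a buffer.

```c
/* Added example (not from the talk): bounds-checked BER length and OID decoding.
 * MAX_OID_ARCS is an assumed fixed-size destination buffer. */
#include <stddef.h>
#include <stdint.h>

#define MAX_OID_ARCS 32

/* Parse a BER tag and length from buf[0..len). Returns the header size, or 0 if
 * the header is truncated, uses indefinite length, or claims more value bytes
 * than remain in the buffer. */
size_t ber_header(const uint8_t *buf, size_t len, uint8_t *tag, size_t *val_len)
{
    size_t i = 0, n, l = 0;
    if (len < 2) return 0;
    *tag = buf[i++];
    if (buf[i] < 0x80) {                           /* short form: one length byte */
        l = buf[i++];
    } else {
        n = buf[i++] & 0x7f;                       /* long form: n length bytes follow */
        if (n == 0 || n > sizeof(size_t) || n > len - i) return 0;
        while (n--) l = (l << 8) | buf[i++];
    }
    if (l > len - i) return 0;                     /* claimed length exceeds the packet */
    *val_len = l;
    return i;
}

/* Decode an OBJECT IDENTIFIER TLV (tag 0x06) into arcs[]. Returns the arc count,
 * or -1 if the TLV is malformed, a sub-identifier overflows 32 bits, the value
 * ends in the middle of a sub-identifier, or arcs[] would be overrun. */
int ber_oid(const uint8_t *buf, size_t len, uint32_t arcs[MAX_OID_ARCS])
{
    uint8_t tag;
    size_t vlen, hdr = ber_header(buf, len, &tag, &vlen);
    if (hdr == 0 || tag != 0x06 || vlen == 0) return -1;
    const uint8_t *v = buf + hdr;
    uint32_t sub = 0;
    int count = 0, pending = 0;
    for (size_t i = 0; i < vlen; i++) {
        if (sub > (UINT32_MAX >> 7)) return -1;    /* next 7 bits would overflow */
        sub = (sub << 7) | (v[i] & 0x7f);
        pending = v[i] & 0x80;                     /* high bit set: more bytes follow */
        if (pending) continue;
        if (count == 0) {                          /* first byte packs arcs 0 and 1 */
            arcs[count++] = sub < 80 ? sub / 40 : 2;
            arcs[count++] = sub < 80 ? sub % 40 : sub - 80;
        } else {
            if (count >= MAX_OID_ARCS) return -1;  /* destination buffer is full */
            arcs[count++] = sub;
        }
        sub = 0;
    }
    return pending ? -1 : count;
}
```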
Password Crackers
• Sharp rise in availability of password cracking programs
• Bulk of them use brute force methods or known dictionary attack methods
• Some are taking advantage of exploits of a known password hashing method
• Commercial products starting to appear in the industry

Default Passwords
• Still a popular exploit method:
  • Wireless access point admin
  • Operating systems
  • Broadband cable modems
  • Routers out-of-the-box
  • Databases out-of-the-box
  • Simple exploits
  • Laser printer passwords
  • SCADA components
  • Embedded systems

Vendor Distributed Malware
• Due to lack of care in preparing distribution kits, many vendors are starting to distribute their products with malware in it
• Recent gaming company distributed NIMDA with a CD distribution
• Others have shipped virii and other malicious code infestations
• Perimeter malware checking is not enough anymore
Insiders
• Still a major threat
• Responsible for over 90% of actual financial losses to companies
• Most sites do not have enforceable internal security controls or capabilities
  • Legacy systems
  • Hypergrowth of systems/networks
  • Lack of care and planning in security as the growth has happened

Cryptographic Key Management
• None
• What is available is all manual
• Changing keys on some technologies takes MONTHS (e.g. TACACS+)
• Keys are weak in some areas and easily broken
• No “jamming” defenses for key exchange methods
• Little internal knowledge on key mgt and cryptographic methods

PBX and Voice Methods
• No assessment of toll fraud and PBX misuse
• Cell phones used continually for sensitive conversations
• No conference call monitoring for illicit connections or listening
• No videoconferencing security methods

PBX and Voice Methods, II
• No voicemail protection or auditing efforts across the company
• Easy to social engineer PBX access and re-direction
• Redundancy of main switching systems questionable (e.g. May 2002 CWA OC-12 disruption)
E-Mail Security Issues
• Employees in trusted positions reading e-mail
• E-mail security methods take a long time to implement
• Lack of use of encryption methods for confidential e-mail
• Lack of keyserver for cryptographic methods (this is due to power)
• Newly devised security methods not implemented yet
• Use of active directory and LDAP in future a major concern

E-Mail Security Issues, II
• Wireless e-mail a concern
• No filters for SPAM
• No keyword filter searching methods for potential IP “leakage”
• Ex-employees retain access information for their and other accounts

Hyperpatching
• The need to quickly patch vulnerabilities is becoming a major security pain point
• Protocol exploits such as SNMP will accelerate and require additional patching and fixes
• Customers should stop with “old think” change control and start considering using hyperpatching and mass roll-out systems (push technology) to start solving hyperpatching problems
Employee Extortion
• At least 5 different extortion methodologies have appeared that affect employee web surfers
• Latest one involves persons who surf known child pornography web sites or hit on chat rooms on the subject
• A link is e-mailed to the person and they are threatened with being turned over to officials and employers unless they pay to keep the information about their surfing habits secret
• This is a growing business…

Old Code Liabilities
• Software vendors are trying to figure out how to decommission older versions and older code quickly due to patch/fix and general liability issues
• Old code does not have security controls that are compatible with today’s problems and security systems

Wireless
• Continues to be a problem
• Mostly due to lack of implementation of controls
• War driving is easy to do for most sites and to get on most networks
• Illegal connection to a wireless network violates FCC regs
• Need intrusion detection for wireless to detect who is associated to the LAN and doesn’t belong
• Best short-term solution is peer-to-peer VPNs (desktop, site-to-site, etc.)
• New threats with upcoming 3G products
Data Retention
• BIG push for data retention in many parts of the world
• With retention comes liabilities for retained information
• U.S. has no specific retention laws except in specific financial and healthcare areas
• EU and Asian countries recently enacted serious retention laws

M&A and Partnership Security
• We often know nothing about the security of a non-corporate solution
• After examination, most are very bad
• We need procedures for evaluation of partners and M&A for security issues and corrective action
• We also need to have as part of the diligence process proper security oversight on acquisitions
• We often do not know about an M&A target until the press announcement

Blended Attacks
• Biological and Cyber
  • Smallpox infection and DDoS against infrastructure
• Multiphasic Cyber Attack
  • DDoS against routers, DNS poisoning attacks and defacement attacks at the same time
  • Sympathetic hacking group attacks
• Upstream infrastructure attack
  • IXC disruption
  • Power grid disruption
  • Peering point disruption
  • Supply-chain vendor disruption

Questions?
Dr. Bill Hancock, CISSP, CISM
Vice President, Security & Chief Security Officer
Email: bill.hancock@savvis.net
Phone: 972-740-7347