350 likes | 531 Views
Information Security & Corporate Strategy Threats to Information Security Presentation in London, 1998 With Notes on Changes, 2002 Stephen Cobb, CISSP. This session: What are the threats?. Agenda: Terms of reference Statistical and empirical data
E N D
Information Security & Corporate StrategyThreats to Information SecurityPresentation in London, 1998With Notes on Changes, 2002Stephen Cobb, CISSP
This session: What are the threats? • Agenda: • Terms of reference • Statistical and empirical data • Examples of information security breaches and their effects on companies • Putting threats in perspective • The main threat categories in more detail Themes: Threats may seem technical, but many defenses require non-technical skills Threats are not constant, may increase when times are tight Skills required to deal with these issues are in short supply Stephen Cobb, CISSP 2 of 35
So, what are the information security needs of the Internet-enabled company: You need to protect the confidentiality, integrity and availability of data, given that: A. Private data is now travelling on a public (untrusted) network B. Your private network is now connected to a public (untrusted) network C. Your private network users now have access to a public (untrusted) network Stephen Cobb, CISSP 3 of 35
So who am I to talk about this? • First infosecurity book from client perspective, 1992 • Certified Information System Security Professional • Formerly with National Computer Security Association • Former Director, Miora Systems Consulting (MSC) • InfoSec Labs, Rainbow Technologies • MSC beat Digital and Entrust in a security services RFP competition, April 98 — short-listed with Coopers & Lybrand, Price Waterhouse and CISCO Wheelgroup • Involved in wide range of authorized penetration tests with 100% success rate Stephen Cobb, CISSP 4 of 35
Statistics from the 5th Annual Information Security Survey, 1998 • 73% of European companies report information security risks have increased this year • Highest security concern: • network security (86%) • Next highest security concerns: • end-user security awareness (80%) • winning top management commitment (80%) Ernst&Young Computerworld Survey Global Results from 29 Countries Stephen Cobb, CISSP 5 of 35
Perceived security threats: 55 % of companies lacked confidence that their systems could withstand an internal attack -- are these your business partners? • Computer terrorists 28% • Authorized users 26% • Former employees 24% • Unauthorized users 23% • Contractors 19% Ernst&Young Computerworld Survey Global Results from 29 Countries Stephen Cobb, CISSP 6 of 35
Statistics from a 1998 Survey by Computer Security Institute / FBI • 64% of companies hadincidents of unauthorized use of computer systems within the last 12 months. • More than a third of incidents were from inside. • 65% of companies experienced laptop theft. Stephen Cobb, CISSP 7 of 35
Is it really that bad? YES! Hong Kong Reuters Office Hacked: Traders at 5 banks lose price data for 36 hours PA Teenager Charged With 5 Counts of Hacking: Southwestern Bell, BellCore, Sprint, and SRI hit Costs to Southwestern Bell alone exceed $500,000 Citibank Hit in $10 Million Hack: Russian hacker had inside help. Several $100K not yet recovered. Compaq Ships Infected PCs: Virus Taints Big Japanese Debut Computer Attack Knocks Out 3,000 Web Sites 40 hour shutdown during busiest shopping season Pair of surveys show 54%-58% of companies lost money due to computer break-ins in 1996 U.S. Government Web Sites Hacked: NASA, Air Force, NASA, DoJ, CIA And these are just ones that made the news.... Stephen Cobb, CISSP 8 of 35
Experience in the field • About 50 information system security penetration assignments in the last 18 months • 80% of these were corporations, the rest were state and local government agencies • Some of these clients wanted tests because they lacked confidence in their security, but others asked because they were confident • Number of systems we failed to penetrate: 0 • Average skill level required: 2 on a scale of 5 Stephen Cobb, CISSP 9 of 35
A closer look at one category: web site hacking Stephen Cobb, CISSP 10 of 35
Hacked by Trix and Vertex Stephen Cobb, CISSP 11 of 35
But the military would be tougher, right? 1st Communications Squadron USAF, Langley, Virginia Stephen Cobb, CISSP 12 of 35
Why? This one was a protest Stephen Cobb, CISSP 13 of 35
They were not the only ones: bestboard.com puckplace.com websignal.com cybservice.com threedot.com yorktours.com dpss.com superbio.com quinx.com textscape.com thewharf.com rebel-tech.com www.thermocrete.com www.nuvocom.com www.tvweather.com www.danehip.com www.centurydie.com www.info168.com www.cbd.de www.presage.co.uk www.boimag.co.uk www.uranium.org/ www.pcgameworld.com/ www.cccookies.com/ www.shcp.gob.mx www.ddd.fr www.usuhs.mil www.spiritualenigma.com www.bojan.com www.pcconcepts.com/ www.netbank.net.tw www.kuniv.edu.kw www.langley.af.mil sistematix.com www.onelifedrugfree.com/ www.huntingtimes.com allwrestling.com www.humblebums.com www.ju.edu www.thomasmore.edu intellus.no/ iposerve.de www.saatchi-saatchi.com/innovation/ www.rang.k12.va.us/ www.maxout.net www.thermocreteusa.com www.xhn.org www.alis.com www.top50mp3.com/ www.vpac.org/ www.phpages.com www.gov.com/ www.on-the-hook.com www.conceptsvisual.com www.1792.com www.everything-pages.com www.saflec.com www.islandbound.com www.fitp.org www.language-arts.com www.seaflower.com www.kissfreaks.com www.soteria.com www.exclusivebda.com www.intelinc.com www.allpetsgotoheaven.com www.gonebush.com www.asean-countries.com www.westernleisure.com www.bestboard.com www.brash.com www.heylloyd.com www.fetishbear.com www.timbezo.com www.cybersecret.com www.w-3productions.com www.3isecurity.com midtenn.com biohaz.com www.odi.com.pl www.knesset.gov.il sunsite.ust.hk/ 80 more in first 3 weeks of Feb 98 Then the hacked site was hacked! Stephen Cobb, CISSP 14 of 35
But what’s the harm? • Web servers may be a path to internal systems • Web servers may reveal information that can be leveraged to access internal systems • Lost time, lost customers and confidence • Lost revenue (if the site is doing e-commerce) • But probably the biggest harm: Reputations • personal, professional and corporate Stephen Cobb, CISSP 15 of 35
We need perspective on these threats • Why are we having these problems now? • Same old problems, different manifestation? • Deep-rooted problems only now coming to light • Who is causing these problems? • Threat agent assessment • Threats vary according to social and economic factors, such as redundancies, downsizing Stephen Cobb, CISSP 17 of 35
Glass house Limited attack points Limited vulnerabilities Trustworthy friends and known enemies Computer knowledgeand networks limited Clear motives Distributed computing Multiple attack points Vulnerable technology The best of friends may not have the best security Widespread computer literacy and connectivity Mixed motives That was then --- This is now Stephen Cobb, CISSP 18 of 35
Data on level of threat are hard to find, but we can ask: Who is likely to be a problem? • Sample table of responses from security officers -- subject to change due to social and economic factors Stephen Cobb, CISSP 19 of 35
Map threats relative to technical skills and business knowledge Stephen Cobb, CISSP 20 of 35
This was an early version of the government’s critical infrastructure protection plan, circa 1998 Stephen Cobb, CISSP 21 of 35
LANs to WANs, to GANs, problems long postponed are finally catching up Stephen Cobb, CISSP 23 of 35
The rush to deploy technology means the wrong tools are used, and warnings go unheeded “Don't rely on hidden variables for security.” WWW Security FAQ, 1995 Bank access page, using hidden variables. 1998 <FORM ACTION="/cgi-bin/pccgi02.exe/WF000100/ND00JD130538/? NodeId=0000?JobId=130538" METHOD="POST" > <A NAME="MAIN NEW LOGON"></A> <INPUT TYPE=HIDDEN NAME="EWF.SYS.01" VALUE="130538" > <INPUT TYPE=HIDDEN NAME="EWF.SYS.03" VALUE="MAIN NEW LOGON" > <INPUT TYPE="HIDDEN" SIZE="10" MAXLENGTH="100" NAME="USERID"> <INPUT TYPE="HIDDEN" SIZE="10" MAXLENGTH="100" NAME="PASSWORD"> <INPUT TYPE="HIDDEN" SIZE="10" MAXLENGTH="100" NAME="PHONE_NUMBER"> Stephen Cobb, CISSP 24 of 35
Penetration PlanGather dataMap resourcesProbe for accessExploit holesEscalate accessExecute plans From: Information Warfare: Principles & Operations, E. Waltz, 1998 Stephen Cobb, CISSP 25 of 35
Threat: viruses • Large US bank, assets $50 billion+ • Computer virus brought down operations for 2 days • Infected 90% of the bank's 300 file servers and 10,000 client workstations across 6 cities in 4 states. • Production data was not damaged, but company’s balance sheet was, by at least $400,000. • Recent studies show average cost of recovering from a virus incident on a network = $10,000 to $15,000 • But as much as $1 million has been lost in a single virus incident! Stephen Cobb, CISSP 26 of 35
Top 8 Viruses = 54% of Incidents According to Virus Bulletin and Joe Wells’ Wild List, January 98 Stephen Cobb, CISSP 27 of 35
2002! One Virus = 77% of Incidents According to Virus Bulletin and Joe Wells’ Wild List, August 2002 Stephen Cobb, CISSP 28 of 35
Other malicious code • Logic bomb: dormant code inserted within a larger program, activation of which causes harm (e.g. recent $10 million Omega case) • Trojan Horse: a program designed to appear legitimate in order to enter a system and execute its own agenda (e.g. AIDS disk) • Worm: a program which copies itself many times over, hogging space and other resources, without permission (e.g. Internet worm, 1988) • Active content (Java, ActiveX) Stephen Cobb, CISSP 29 of 35
Virus types INFECTED INFECTED • Boot sector • File viruses • Multi-partite • Macro viruses • Virtual (hoax) viruses • Miscellaneous Home PC Office PC INFECTED Server INFECTED INFECTED INFECTED Let’s take a look at how a typical computer virus infection spreads... Company Network Stephen Cobb, CISSP 30 of 35
Threat: insider abuse, a major threat to company secrets • Exploited by competitors • American v. Northwest • GM and VW • Exploited by partners • BA v. Virgin • others • By government agencies • sting operations, piracy Former General Motors employee Lopez allegedly stole approximately 90,000 text pages of trade secrets transferring them from US to Germany via GM's intranet then downloading them onto VW's computers... It cost Lopez his job. VW paid over $100 million to GM to settle the case. Stephen Cobb, CISSP 31 of 35
Do people really do that? • Yes, they do! October 1996, Daniel Worthing obtained work at PPG Industries through a contract with Affiliated Building Services. • Began to stockpile proprietary information, including special formulas relating to new products such as an experimental fiberglass. • When he tried to sell to PPG’s competitor, Owens-Corning Fiberglass, they turned him in to FBI. • He pled guilty to the theft of proprietary information, value? $20 million! Stephen Cobb, CISSP 32 of 35
Do people really do that? Unauthorized access by employees: 44% Denial of service attacks: 25% System penetration from the outside: 24% Theft of proprietary information: 18% Incidents of financial fraud: 15% Sabotage of data or networks: 14% 1998 CSI/FBI Study The United States counterintelligence community has specifically identified the suspicious collection and acquisition activities of foreign entities from at least 23 countries. NACIC 1997 Annual Report on Foreign Economic Collection & Industrial Espionage Stephen Cobb, CISSP 33 of 35
2002, and mindless attacks continue • Hackers broke into the computer systems belonging to a clinic in the UK, altered medical records of 6 patients who had just been screened for cancer—switched test results from negative to positive—those patients spent several days thinking that they had cancer • The night before a patient was due to have a brain tumor removed, hackers broke into the computer where the tests were stored and corrupted the database. Surgery had to be postponed while the tests were redone Source: Richard Pethia, CERTSoftware Engineering Institute (SEI) Pittsburgh Why? Because We Can Slogan from DEF CON III Las Vegas, 1995 Stephen Cobb, CISSP 34 of 35
Thank You! • Questions? • Email me at sc at cobb associates dot com • Visit www.cobbassociates.com Stephen Cobb, CISSP 35 of 35