
New Surveys (1-3-2001)


mahala

Presentation Transcript


  1. New Surveys (1-3-2001)
  • Poll of 1,400 CIOs by RIH Consulting (U.S. companies with > 100 employees)
  • More than 90% are confident in their firm’s network security
  • Last August: 58% increased spending on security
  • Computer Security Institute:
    • 50% failed to report break-ins (Computer Security Institute)
    • $265 million in 1999 losses
  • PWC: Fortune 1,000 firms lost $45 billion; high-tech firms most vulnerable
  Source: http://computerworld.com/cwi/story/0%2C1199%2CNAV47_STO55809_NLTpm%2C00.html

  2. Are There Problems?
  • Famous sites are hacked continuously
  • Example: NY Times site hacked 9-13-98
    • Site was closed down for hours
    • Hackers replaced content with a hacker manifesto plus offensive materials
  • More public awareness!
  Source: WSJ, Sept. 14, 1998

  3. Recent Headline (Jan 6, 2001)
  • “FBI Teams Up with Business to Fight Cybercrime” (Reuters)
  • FBI now encouraging companies to share info (with secure e-mail and web site) about break-ins
  • One hacking estimate: $1.6 trillion annual loss globally
  • FBI is working on 1,200 cybercrime cases, up from 450 in early 1998

  4. Recent Case
  • Pacific Bell’s site cracked by 16-year-old hacker
  • Downloaded info from 200,000 user accounts
  • When confiscated, 63,000 were cracked
  • Pac Bell sent out a recommendation to change all 330,000 subscribers’ passwords
  Source: Infoworld, 2-24-2000, p. 64

  5. Recent Case
  • CD Universe
  • 300,000 credit card numbers were pulled from database
  • Faxed CD Universe offering to destroy the numbers for $100,000; was refused
  • Hacker published 25,000 on his web site
  • SSL didn’t help!
  Source: Infoworld, 2-24-2000, p. 64; Wall Street Journal, 1-11-2000, p. B10

  6. Recent Attacks: DoS
  • Highly-visible sites such as
    • Amazon
    • eBay
    • Yahoo!
    • Buy.com
  • They weren’t attacked directly; users’ computers were!
  • Those computers repeatedly “hit” the sites

  7. Respondents’ Increases in Cost, Frequency
  Source: Computer Security Institute and FBI Survey; Infoworld, 5-15-2000, p. 20

  8. Security (CERT) Incidents Source: CERT’s site

  9. Federal Government and Cybercrime
  • The Federal Government spends $10 million annually on computer crime-related law enforcement
  • There are 16,000 law enforcement agencies
  • Therefore, the Federal Government spends $625 per agency!

  10. Security Breaches Abound
  • Perfect Technologies: tested 50 sites
  • Security breaches in all 50
    • In 8: accessed any file
    • In 2: executed financial transactions
    • In 2: gained full admin control
  • Range of time needed: 10 minutes to 10 hours
  Source: PC World, June 2000, p. 104

  11. Gartner Group’s Grim Estimate
  50% to 75% of all commercial sites can be hacked.
  Source: PC World, June 2000, p. 104

  12. Ominous Prediction
  The Gartner Group predicted that there was an 80% chance that by 2001 a high-profile web site would be hacked, resulting in a huge stock price tumble for the firm.
  Source: Infoworld, 7-19-99, p. 24

  13. What does a hacked site contain? • If you dare, go to: www.onething.com/archive/index.htm for an archive of hacked sites.

  14. Some Stats (3-8-99)
  Source: Internet World, 3-8-99

  15. Security
  • Is Web-enabling an application less secure than a dial-up traditional application?
  • Many say “NO”
  • Dial-up access opens up risks, whatever the access mechanism
  • Planning can help minimize the risks
  • However, the risks are huge

  16. Hackers
  • Have philosophies and culture that probably should be understood by the security staff!
  • Some discuss curiosity
  • Some discuss leverage
  • Some reflect on their exploits

  17. What a Hacker Does
  • Case you (what server, which version)
  • Scan you (probe all ports with packets)
  • Gain access (exploit weaknesses)
  • Live there (capture info or attack others)
  • Cover up the tracks (delete or edit logs)
  Source: Ed Skoudis (Counter Hack)

  18. Some Cautions
  • A weak system can’t be protected with cryptography
  • Schneier: “If you think cryptography can solve your problem, then you don’t understand your problem and you don’t understand cryptography.”
  • User-remembered secrets “terribly weaken” a system
  Source: PC Week, 8-10-98, p. 36

  19. A Moving Target
  • As larger and larger keys are devised, computing power grows to break them.
  • Networks of PCs can become a “supercomputer.”
  • The Electronic Frontier Foundation has built hardware for $250,000 that recovers a 56-bit key in 4 hours.
  Source: Infoworld, 7-19-99, p. 24
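A worked model of the scaling argument in slides 18 and 19, added here and not part of the original deck: the 56-bit / 4-hour figure fixes a search rate, every extra key bit doubles the time at that rate, and applying the same rate to a user-remembered password shows why the deck calls such secrets weak. The assumed 18-month doubling of attacker compute is my addition, not a figure from the slides.

```python
import math

# Figures stated on slide 19: EFF hardware covers a 56-bit keyspace in 4 hours.
EFF_KEY_BITS = 56
EFF_HOURS = 4.0
EFF_YEAR = 1998          # year of the EFF DES cracker (assumption for the model)
DOUBLING_YEARS = 1.5     # assumed attacker compute doubling period (not from the deck)


def eff_keys_per_second() -> float:
    """Search rate implied by the slide, treating 4 hours as a full keyspace sweep."""
    return 2 ** EFF_KEY_BITS / (EFF_HOURS * 3600)


def brute_force_hours(key_bits: int, year: int = EFF_YEAR) -> float:
    """Hours to sweep a key_bits-bit keyspace on EFF-class hardware.

    Each extra bit doubles the work; attacker compute is assumed to double
    every DOUBLING_YEARS, so later years shrink the time accordingly.
    """
    work_factor = 2.0 ** (key_bits - EFF_KEY_BITS)
    speedup = 2.0 ** ((year - EFF_YEAR) / DOUBLING_YEARS)
    return EFF_HOURS * work_factor / speedup


def key_bits_breakable_in(hours: float, year: int = EFF_YEAR) -> int:
    """Largest key length the same hardware budget sweeps within `hours` in `year`."""
    bits = (EFF_KEY_BITS + math.log2(hours / EFF_HOURS)
            + (year - EFF_YEAR) / DOUBLING_YEARS)
    return math.floor(bits + 1e-9)


def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password; a human-chosen one has less."""
    return length * math.log2(alphabet_size)


def password_hours(alphabet_size: int, length: int, year: int = EFF_YEAR) -> float:
    """Time to sweep the whole password space at the EFF key rate (an upper bound
    for the attacker: real passwords are far from uniform, so it goes faster)."""
    return brute_force_hours(password_bits(alphabet_size, length), year)


if __name__ == "__main__":
    for bits in (56, 64, 80, 128):
        print(f"{bits}-bit key: {brute_force_hours(bits):.3g} h in {EFF_YEAR}, "
              f"{brute_force_hours(bits, 2001):.3g} h in 2001")
    print(f"8 lowercase chars: {password_bits(26, 8):.1f} bits, "
          f"{password_hours(26, 8) * 3600:.2f} s")
```

Even a perfectly random 8-character printable-ASCII password carries about 52.6 bits, below the 56 bits the slide already treats as breakable, which is the quantitative form of the "user-remembered secrets" caution on slide 18.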

  20. One Tactic
  • Hacker calls into known corporate exchange
  • Randomly dialing numbers
  • Finds employee with pcAnywhere running for remote office access
  • Gains instant access to entire corporate network
  Source: PC Week, 8-24-98, p. 62

  21. Top 20 Internet Risks (SANS Institute, www.sans.org/top20.html)
  • Default installations
  • Poor passwords
  • Few backups
  • Open ports
  • Lack of packet filtering
  • Poor logging
  • Vulnerable CGI
  • Windows Unicode
  • Windows ISAPI buffer overflows
  • Windows IIS flaws
  • Unprotected shared folders
  • Windows null-session leakage
  • Windows LAN Manager password hash
  • Unix remote procedure call buffer overflows
  • Unix Sendmail vulnerabilities
  • Unix bind weaknesses
  • Unix trust relationships/C code
  • Unix remote print daemon buffer overflows
  • Unix sadmind/mountd buffer overflow
  • Unix default SNMP authenticators
  Source: eWeek, Oct 15, 2001, p. 60

  22. Virus Attacks—Rapid Acceleration
  Source: eWeek, 6-19-2000, p. 68 + CERT site
