1
Through The Eye of The Hacker: A Look At Security And The Future
Krizi Trivisani, Chief Security Officer
Amy Hennings, Assistant Director
November 6, 2003
Copyright Krizi Trivisani, Amy Hennings 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
2
Agenda
• The Security Landscape – The Violation Situation
• Worm Damage and Trends
• Attacker Strategies
• Security Awareness
3
The Security Landscape – The Violation Situation 2001
Total Violations went from 354 to 5526 – an increase of 1,560%
Chart: Security Metrics Comparison 2001. Series: Total Minor Violations, Total Severe Violations, Total Violations by Month. X-axis: Month and Total Violations (January through December); Y-axis: Number of Violations (0 to 10,000).
4
The Security Landscape – The Violation Situation 2002
Chart: Security Metrics Comparison 2002. Series: Total Minor Violations, Total Severe Violations, Total Violations by Month. X-axis: Month and Total Violations (November and December 2001, then January '02 through November '02); Y-axis: Number of Violations (0 to 8,000).
Average number of violations per month in 2002 is 7197
5
The Violation Situation Continued: Email Viruses Filtered
Chart: Trend Virus Filter Monthly Comparison. X-axis: Month and Total Viruses (December 2001, then January '02 through November '02); Y-axis labelled Number of Violations (0 to 200,000).
22,271 in December of 2001 increased to 150,936 in November of 2002
6
The Violation Situation Continued: Email Viruses Filtered
150,936 in November of 2002 increased to 1,629,194 in August of 2003
Chart: Trend Virus Filter Monthly Comparison. X-axis: Month and Total Viruses (September '02 through August '03); Y-axis labelled Number of Violations (0 to 2,000,000).
7
The Security Landscape – The Violation Situation 2003
Violations per month in 2003 have increased so dramatically we had to change what we were tracking!
• Incidents just to [email protected] August = 2073
• Correspondence = 138
• Incident notices = 100
• Random/User errors = 19
• SPAM = 423
• Virus = 1287
• Virus Complaints = 106
• Blaster infections – 800
• Minor scans, Minor hacks, Incidents of suspicious activity, External Attempted Hacks – tens of thousands per month!
8
History of Security at GW
Timeline dates: May 2000, Sep 2000, Jan 2001, Jul 2001, Aug 2001, Sep 2001, Nov 2001, Dec 2001, Jan 2002, Jul 2002, Aug 2002, Oct 2002, Nov 2002
Milestones:
• Information Security Office Created
• NIST Levels Envisioned
• Baseline Security Assessment: Grade C
• Formal Scanning Lab Created & 1st Security Forum
• 1st Month of Recorded Violations – 354
• Trend Virus Filter Added To Email: 39,329 Filtered In 1st Month
• Total Violations For 2001: 46,378; Viruses Filtered August - December: 206,410
• Policy Center & NIST Level 1 Achieved
• Web pages & Awareness Program
• Security Architecture
• November ONLY: Security Violations = 7,200; Viruses Filtered = 155,032
Throughout 2001 and 2002, the network has not been brought down by a security incident.
Violations: 354 to 7,200; Viruses Filtered: 155,032
9
History of Security at GW
Timeline dates: Nov 2002, Jan 2003, Mar 2003, May 2003, July 2003, Aug 2003, Sep 2003
Milestones:
• Wireless with VPN
• Application Level Security Assessment
• Continued Scanning enhancements
• Recorded Violations reach over 30,000
• Workstation management tools
• Aggressive awareness of patches, anti-virus
• 6000 ResNet Students return
• 1,629,194 Viruses Filtered
• 800 Blaster Infections
• Security Committee Formed
• FTC and GLB
• Network Monitoring Upgrades
• Ashburn Data Center Created
Throughout 2003, the network has not been brought down by a security incident.
Violations: 10’s of thousands; Viruses Filtered: 1,629,194
10
Vulnerabilities on the Rise: New Vulnerabilities per Week
Chart (y-axis 0 to 70): '99: 10; '00: 25; '01: 30; '02: 50; '03 (projected): 70. Source: Symantec
11
What Attacks??
• A worm is a program or algorithm that replicates itself over a computer network and usually performs malicious actions, such as using up the computer's resources and possibly shutting the system down.
• A worm is a special type of virus that can replicate itself and use memory, but does not attach itself to other programs.
12
Worm In Action
13
Worldwide Impact of Slammer
• Telecommunications services failed throughout South Korea
• Airlines were impacted, several had to resort to manual backup procedures which slowed service
• Thousands of ATMs and related transactions halted
– Bank of America
– Canadian Imperial Bank of Commerce in Toronto
– Publix supermarket cash back functions unavailable
• US Dept of State, Agriculture, Commerce, and units of Defense were hit especially hard.
• Analysts blame dip in Asian stock market on the worm
• Many news agencies were crippled:
– Associated Press
– The Philadelphia Inquirer
– The Atlanta Journal-Constitution
14
Blaster, Welchia, And Others
A recent survey including 882 respondents determined that the MS Blaster worm:
– Remediation cost $475,000 per company (median average, including hard, soft and productivity costs), with larger node-count companies reporting losses up to $4,228,000
– Entered company networks most often through infected laptops, then through VPNs, and finally through mis-configured firewalls or routers
– From TruSecure / ICSA Labs
15
Blaster, Welchia, And Others
• Slower moving
• Who was affected?
– Blaster infected over 500,000 IPs worldwide
– Maryland MVA
– BMW, 3M
– Air Canada cancelled flights
– Federal Reserve Bank of Atlanta
– Philadelphia’s City Hall
– Airports, Amtrak
– State Department (Welchia)
– Northeastern power grid ?
16
17
18
Who’s Vulnerable?
• "75% of all web servers running MS IIS 5.0 are vulnerable to exploitation."
– Security News Portal
19
What Are They Attacking?
• 31 new vulnerabilities announced by MS as of yesterday since the end of the summer
• Exploits are developed much sooner
• Patches are quickly and narrowly developed
• Awareness is limited
• People don’t care – “I won’t do anything until my computer stops working.”
20
Decentralized Attack Trends
• Why take the chance to rob a bank when it’s much easier to rob the people as they leave the bank with money?
• Why attack the server when users’ desktops are much easier to get to?
21
The Increase of Perimeter Security
• Core system security increase
– Firewalls, IDS, IPS
– Still new exploits (Cisco, etc) arise
• How to circumvent?
– Attack areas that still lack adequate perimeter security (universities)
– Get someone to do it for you
– Attacking the systems people don’t know are computers
– Attacking the tools security professionals use
22
Exploiting Weaknesses in User Education
• Get someone to do it for you
– Trojaned user downloads
– Bundled games, music, movies
– P2P examples
– Spyware
– Social engineering
23
Exploiting Weaknesses in User Education
• Get someone to do it for you
– AIM username and password stealing
• www.haxr.org
– Fun code execution
• http://www.malware.com/badnews.html
24
Embedded Systems
• Computer system enclosed in an electronic device
– Protection is poor or nonexistent
– Increased power of new devices
– Standardization
– No real scanning/assessment ability
• Real Examples: 3 GW printer cases
25
Cell Phone Hacking
• http://www.bluestumbler.org
• Cyber-stalking with GPS
• Keep your phone firmware up to date
• Bluetooth enabled device vulnerabilities: allow anonymous access to Data, Phonebook, Calendar, Media files, Pictures, Text messages
26
Internet Appliances
• Built-in PC is a 300MHz National Semiconductor Geode processor
• 128MB of RAM and a 17GB hard disk
• Windows 98
27
Radio Frequency Devices
• Building Access Cards
• Mobil Speedpass, toll tags
• Cell phones, pagers
• Wireless cams
28
Attacking The Tools Security Professionals Use
• Trojaned sendmail and openssh programs
• Trojaned tcpdump and libpcap
• Snort attacks/DOS
• Anti-virus gateway DOS attacks
• Anti-forensics tools
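The trojaned sendmail, OpenSSH, tcpdump and libpcap distributions listed above were caught when the downloaded archives no longer matched the digests the projects had published. The script below is an added example, not from the original slides, of that defender-side check: it streams each archive through SHA-256 and compares the result with a manifest of expected digests. The file names, contents and digests in `demo()` are constructed for the demo; in practice the expected digests come from the project's signed release announcement, fetched over a separate channel from the download itself.

```python
"""Verify downloaded tool archives against a published digest manifest.

Added example, not from the original slides. File names, contents and digests
are constructed for the demo; real expected digests come from the project's
signed release announcement, fetched over a separate channel."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hex SHA-256 of a file, streamed so large archives are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_manifest(manifest: Dict[str, str], directory: Path) -> Dict[str, str]:
    """Check each (name -> expected hex digest) entry against the files on disk.
    Returns name -> "ok", "MISMATCH" (the signal a trojaned tarball produces) or "MISSING"."""
    results: Dict[str, str] = {}
    for name, expected in manifest.items():
        path = directory / name
        if not path.is_file():
            results[name] = "MISSING"
        elif sha256_file(path) == expected.lower():
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo() -> Dict[str, str]:
    """Stage one clean and one tampered archive in a scratch directory and verify both."""
    clean = b"tcpdump-demo source tree\n"            # constructed stand-in for a release tarball
    tampered = clean + b"# injected backdoor hook\n"  # same file name, altered contents
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp)
        (staging / "tcpdump-demo.tar.gz").write_bytes(clean)
        (staging / "libpcap-demo.tar.gz").write_bytes(tampered)
        manifest = {
            "tcpdump-demo.tar.gz": hashlib.sha256(clean).hexdigest(),
            "libpcap-demo.tar.gz": hashlib.sha256(clean).hexdigest(),  # publisher's digest of the clean file
            "openssh-demo.tar.gz": hashlib.sha256(b"not downloaded").hexdigest(),
        }
        return verify_manifest(manifest, staging)
```

Running `demo()` reports the untouched tcpdump archive as ok, the altered libpcap archive as MISMATCH and the absent OpenSSH archive as MISSING; a MISMATCH means the build should stop and the source of the download be investigated.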
29
What to do?
• Do what you know, knowing they know what you’ll do
• Absolutely keep up to date on new vulnerabilities and exploits
– Even if you can’t stay a step ahead, at least keep up to date on what the new attacks/exploits are
• Keep these trends in mind: attacks will no longer be primarily traditional attacks from the outside against core systems
30
Still A Critical Element: People Access
• People are our greatest asset and our weakest security link
• Security processes and technologies are developed to reduce the burden on people
• But, almost every security measure can be beaten by social engineering – “Social engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.” The Art of Deception
31
Security Implementation Relies On: People, Process, Technology
• Policies must be developed, communicated, maintained and enforced
• Processes must be developed that show how policies will be implemented
• People must understand their responsibilities regarding policy
• Systems must be built to technically adhere to policy
32
What Is Security Awareness?
Security awareness is knowledge of potential threats. It is the advantage of knowing what types of security issues and incidents members of our organization may face in the day-to-day routine of their University functions.
Technology alone cannot provide adequate information security. People, awareness and personal responsibility are critical to the success of any information security program.
33
Poor Awareness and Preparation
“It’s a frightening fact, but nine out of ten employees would unwittingly open or execute a dangerous virus-carrying email attachment”
“Two-thirds of security managers felt that the overall level of security awareness is either inadequate or dangerously inadequate”
“Nine out of ten employees revealed their password on request in exchange for a free pen”
These things don’t happen as a result of malicious intent, but rather a lack of awareness of security risks.
34
GW’s Security Awareness Program - Materials
Program materials:
• Monthly posters focusing on a specific awareness topic
• Monthly article in GW Technology Today
• Brochures available for: New students (Colonial Inauguration), New employees (Orientation), Training programs
• Free security screen saver
• Online security tutorial – S.T.A.R.T.
• Sample password tester
• Animated security awareness banners
• Next phase – “Protect IT” Security Awareness Workshop
• Next phase – Online quizzes
35
Our Challenge
To reduce risk by implementing best practice information security practices while balancing academic freedom
36
Thanks! Special thanks and resources:
• www.securityawareness.com
• http://www.phenoelit.de
• Exploitlabs.com
• Zone-h.org
• Gary Golomb
• http://www.esg.de/media/embedded_systems.jpg
• www.symantec.com
• www.teledesignsecurity.com
• www.securitystats.com