Upload: cecilia-boone, posted 17-Dec-2015

IS6303 Intro to Voice and Data Security

7:30 – 8:45 PM Robert J. Kaufman ([email protected])

Outline: Background; Student Background Information; Syllabus and Class Schedule

Student Background Information (email to me)

- Name
- Phone # (optional) and reliable email address
- IS/CS background
- Security background
- Why you are taking this course
- What do you expect out of this course

Syllabus: Assumed Background

It is assumed that students in this class have a basic understanding of Operating Systems and Networks and that they have access to the Internet and a UNIX- or Windows-based PC.

Textbook: Computer Security Handbook, 4th ed., Bosworth and Kabay

Syllabus -- Grading: Graded Assignments

The grades for this course will be based on a standard 70% = C, 80% = B, 90% = A grading scheme. The final grades will be based on the following graded assignments:

- Paper 1: 50 points
- Lab 1: 100 points
- Exam 1: 100 points
- Exam 2: 100 points
- Lab 2: 100 points
- Lab 3: 100 points
- Lab 4: 100 points
- Lab 5: 100 points
- Final Exam: 250 points
- TOTAL: 1000 points

NSA’s First Major Policy Address Focused On The Need For More Cyber-Security

"The very technology that makes our economy so dynamic and our military forces so dominating also makes us more vulnerable."

Computer reliance is the “soft underbelly” of American national security

US high technology firms need to join with the US government to fight cyber terrorism.

National Security Advisor Condoleezza Rice: “We are talking about a collaborative partnership between the public and private sectors that is unprecedented in our history”

Solar Sunrise

January 1998: tensions between the U.S., the UN, and Iraq are on the rise. Hussein has expelled the UN inspectors. The UN is discussing renewing military action.

February 3: ASIMS detects an intrusion at Andrews AFB.

February 4: AFCERT detects additional intrusions at Kirtland AFB, Lackland AFB, and Columbus AFB, MS.

Solar Sunrise (continued)

- Turned out to be 2 teenagers in California and their mentor in Israel
- Involved systems owned by the Air Force, Navy, NASA, DOE, MIT and several others
- At least 47 FBI agents were involved in this case, as well as individuals from the OSI and members of the Israeli Ministry of Justice
- Exploited a known bug in Solaris, sniffed passwords
- 500 systems involved, thousands of passwords compromised

Citibank

- Probably the largest and most famous publicly acknowledged theft
- Occurred in 1994
- Vladimir Levin, a 30-year old Russian hacker, stole more than $10M
- All but a few hundred thousand dollars recovered
- The actual dollar figure lost was minimal to an organization as large as Citibank; what was more important is how this affected people’s impression of the bank. How many accounts were lost as a result of this public incident?

Worcester Airport

- Occurred in early 1997
- A 14 year old hacker broke into a NYNEX digital loop carrier system through a dial-in port
- The individual, who called himself “jester”, disrupted telephone service for over 600 residents of Rutland, Mass. as well as communications at Worcester Airport
- Communication to the tower and emergency services was disrupted, as well as the main radio transmitter and an electronic system which enables aircraft to send a signal to activate the runway lights

Omega Engineering

- Timothy Lloyd was convicted in May 2000 of causing an estimated $12 million in damages to his former employer.
- Back in 1996, Lloyd found out he was about to be fired. He planted a logic bomb that systematically erased all of Omega’s contracts and the proprietary software used by the company’s manufacturing tools.
- Lloyd’s act of insider cyberterrorism cost Omega its competitive position in the electronics manufacturing market. At Lloyd’s trial, plant manager Jim Ferguson said, “We will never recover.”

And probably the most widely known security problem…

- In March 1999, David Smith, a New Jersey resident, released the Melissa virus. The estimated damage it caused: $80 million.
- In May 2000, 23-year old Philippine college student Onel de Guzman released the “Love Bug” virus, which proceeded to cause an estimated $8 Billion in damages worldwide.

Information Intrusion Threat

Headlines:

- buy.com
- “Cyber-attacks batter Web heavyweights” -- CNN, 8, 9, 10 Feb 00
- “FBI investigates 'ILOVEYOU' virus; millions of computers affected” -- 5 May 00
- “Love Bug caused an estimated $8 billion in damage.” -- WP, 11 May 00
- “War in Kosovo cost the United States $6.7 billion.” -- UPI, 2 Feb 00

[Chart: “Reported Incidences”, CERT/CC, Carnegie Mellon, Apr 01; incidents per year from 1988 through 2000, y-axis 0 to 30,000]

Attacks on the DoD

In 1999, a total of 22,144 "attacks" were detected on Defense Department networks, up from 5,844 in 1998, Air Force Maj. Gen. John Campbell, then vice director of the Defense Information Systems Agency (DISA), told Congress in March 2000.

In 2000 through August 4, a total of 13,998 such "events" were reported, according to Betsy Flood, a spokeswoman for Arlington, Virginia-based DISA, which provides worldwide communication, network and software support to the Defense Department.

DISA VAAP Results

PROTECTION: 38,000 attacks; 24,700 succeed, 13,300 blocked
DETECTION: of the 24,700 that succeed, 988 detected, 23,712 undetected
REACTION: of the 988 detected, 267 reported, 721 not reported

To date, Chinese hackers already have unlawfully defaced a number of U.S. web sites, replacing existing content with pro-Chinese or anti-U.S. rhetoric. In addition, an Internet worm named "Lion" is infecting computers and installing distributed denial of service (DDOS) tools on various systems.

-- ADVISORY 01-009, Issued 04/26/2001

Headlines:

- Hack Attack: New Global Way Of War -- Washington Times, April 23, 2001, Front Page
- “China Warns Of Hack Attack”
- Collateral Damage May Soon Have A New Definition

You have to have security, or else…

1999 Information Security Survey (745 Information Security readers)

- 23% reported unauthorized access from outsiders, a 91.6% increase over 1998 results
- 52% reported access abuse by employees
- 14% reported access abuse by business partners, resellers, or vendors
- Total loss for the 91 reporting a loss was $23,323,000
- Average loss $256,297

2000 Information Security Survey (1897 “infosecurity professionals”)

- 37% experienced a denial of service attack
- 25% reported breaches due to insecure passwords
- 24% experienced breaches due to buffer overflows
- 24% experienced attacks on bugs in web servers
- 58% reported employee abuse of access controls, up from 52% in 1999
- 24% reported theft or disclosure of proprietary data, up from 17% in 1999

1999 CSI/FBI Computer Crime & Security Survey (521 security “practitioners” in the U.S.)

- 30% reported system penetrations from outsiders, an increase for the third year in a row
- 55% reported unauthorized access from insiders, also an increase for the third year in a row
- Losses due to computer security breaches totaled (for the 163 respondents reporting a loss) $123,779,000
- Average loss $759,380

2000 CSI/FBI Computer Crime and Security Survey (643 security “practitioners” in the U.S.)

- 90% reported computer security breaches within the previous 12 months
- 70% reported unauthorized use
- 74% suffered financial losses
- Losses due to computer security breaches totaled (for the 273 respondents reporting a loss) $265,589,940
- Average loss $972,857

2001 CSI/FBI Computer Crime and Security Survey (538 security “practitioners” in the U.S.)

- 91% reported computer security breaches within the previous 12 months
- 70% reported their Internet connection as a frequent point of attack (up from 59% in 2000)
- 64% suffered financial losses due to breaches; 35% could quantify this loss
- Losses due to computer security breaches totaled (for the 186 respondents reporting a loss) $377,828,700
- Average loss $2,031,337

2003 CSI/FBI Computer Crime and Security Survey (530 security “practitioners” in the U.S.)

- 30% of those who said they suffered an incident in the previous 12 months reported it to law enforcement
- 78% reported their Internet connection as a frequent point of attack (up from 70% in 2001)
- 75% suffered financial losses due to breaches; 47% could quantify this loss
- Losses due to computer security breaches totaled (for the 251 respondents reporting a loss) $201,797,340

A Sampling of Malicious Activity

• March 1999 - EBay gets hacked
• March 1999 - Melissa virus hits Internet
• April 1999 - Chernobyl Virus hits
• May 1999 - Hackers shut down web sites of FBI, Senate, and DOE
• June 1999 - Worm.Explore.Zip virus hits
• July 1999 - Cult of the Dead Cow (CDC) releases Back Orifice
• Sept 1999 - Hacker pleads guilty to attacking NATO and Gore web sites
• Oct 1999 - Teenage hacker admits to breaking into AOL
• Nov 1999 - BubbleBoy virus hits
• Dec 1999 - Babylonia virus spreads
• Feb 2000 - Several sites experience DOS attacks
• Feb 2000 - Alaska Airlines site hacked
• May 2000 - Love Bug virus ravages net
• July 2001 - Code Red runs rampant
• Sept 2001 - Nimda explodes
• Jan 2003 - Sapphire/Slammer Worm
• Aug 2003 - Blaster (LoveSan) Worm
• Jan 2004 - MyDoom
• Mar 2004 - Witty Worm
• May 2004 - Sasser Worm
• Dec 2006 - TJX Credit/Debit Card Theft
• Jan 2007 - Storm Worm
• Mar 2009 - Conficker
• June 2010 - Stuxnet

http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms

Biggest Security Concerns Among Security Professionals

[Chart: percentage of responses (0% to 30%) by concern: Viruses, Privacy, Exploits, Available, Other, Physical. Source: Information Security, September 2000]

Biggest security concerns among security professionals (2002 Info Security Magazine survey)

[Chart: number of responses (0 to 35) by concern: Malicious code, Authorized users, IT & Telecom, Unauth users]

What are our goals in Security?

The “CIA” of security:

- Confidentiality
- Integrity
- Availability
- (authentication)
- (nonrepudiation)

Real Security Issues

- Skills Gap
- Budget
- Network Crunch
- Liability / Due Care

Security Skills Gap

[Chart: Skill Level versus Time; two curves, Rate of Technology Development and Rate of Technology Assimilation, with the widening gap between them labelled Skills Gap. Skill base must be leveraged!]

Information Security Budget

[Chart: budget ($) split between Corp Security and IT]

U.S. Computer Security Spending Forecast

[Chart: U.S. Security Spending for 2000 through 2004; y-axis $0 to $18,000,000, values in 1000’s of $]

Source: Forrester Research, Oct 2000, see The Industry Standard, 11 Dec 2000

Internet Security Software Market

- 2002 - $7.4 Billion est.
- 1999 - $4.2 Billion
- 1998 - $3.1 Billion
- 1997 - $2 Billion

’97 & ’98 figures based on a study released by market research firm International Data Corp. in Framingham, Mass.

’99 & ’02 figures from an IDC study based on a survey of 300 companies with more than $100 million in annual revenues

eCommerce & eDefense Dynamics

America Cannot Have Trillions Of Dollars Of Economic Exposure On The Wire Without The Enabling Technology Of Information Security

- A trillion dollars of electronic financial transactions occur each day
- US experienced a 40% increase in cyber crime over last year
- By mid decade a third of our GDP will be eCommerce

[Chart: Market Size; US Commercial $2B to $28B? (Forrester Group); USG $2B to $12B?]

Network Crunch

Crunchy on the Outside… …Chewy on the Inside.

Computer Security Operational Model

Protection = Prevention + (Detection + Response)

- Prevention: Access Controls, Encryption, Firewalls
- Detection: Intrusion Detection
- Response: Incident Handling

Textbook uses Prevention, Detection and Remediation

• Intrusion detection
• Firewalls
• Encryption
• Authentication
• Security Design Review
• Security Integration Services
• 24 Hr Monitoring Services
• Remote Firewall Monitoring
• Vulnerability Assessment Services
• Vulnerability Scanners

Security Operational Process

[Diagram: a continuous cycle of Secure, Monitor, Evaluate and Improve, with METRICS at the center]

Legal Liability

- Failure to Protect Against Loss
- Failure to Protect Against Disclosure
- Failure to Protect Against Harassment
- HIPAA

Some Definitions

Hacker (from the Hacker Jargon File):

- “A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.”
- “One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming.”
- “[deprecated] A malicious meddler who tries to discover sensitive information by poking around. Hence ‘password hacker’, ‘network hacker’. The correct term for this sense is ‘cracker’.”

Cracker: “One who breaks security on a system. Coined c. 1985 by hackers in defense against journalistic misuse of hacker.”

Phreaker: “The art and science of cracking the phone network (so as, for example, to make free long-distance calls).”

Is an ROI from Security Possible?

- Security as an ROI
- Improved Security ROI
- Security that provides savings in the budget
- Security that provides additional revenue

Summary

What is the Importance and Significance of this material?

How does this topic fit into the subject of “Voice and Data Security”?