1. Internet Security Risk Management and Security Updated September 22, 2006

2. Topics Risk –Threat –Vulnerability –Event Cost Security Myths Global Trends Addressing Essential not Best Practices

3. Risk No system is 100% secure Get a clear picture –Assess weaknesses –Prepare for the probable –Protect the most critical resources Risk management is key to Internet security

4. Risk Equation Risk = Threat x Vulnerability x Event Cost –If Threat = 0, or –Vulnerability = 0, or –Event Cost = 0, or –Then there is no Risk

5. Control of Parameters Risk = Threat x Vulnerability x Event Cost –Vulnerability Good Control –Event Cost Some Control –Threat Minimal Control

6. Determine the Risks Malicious Code Electronic (Hacking) Physical Down-Time Human Factors Email X-ware

7. Categories of Risk Malicious Code –Trojans, Viruses, & Worms Electronic –Port Scanning –Hacking/Sniffing –Defacement –Spoofing Physical –Theft Down Time –Denial of Service attacks –Power/Natural Disasters Human –Disgruntled employees –Sticky-notes Email –Spam –Phishing X-ware –Adware –Spyware

8. Malicious Code Trojans, Viruses, & Worms

9. Trojan Horse A computer program that appears desirable, but contains a hidden function that causes damage to other programs –Trojan.Vundo

10. Trojan Horse Threat Backdoor Trojans –September 1999 –September 2000 –March 2001 Threat Rate –12 per Day –28 per Day –122 per Day

11. Virus A computer program that is part of another and inserts copies of itself. –It must execute itself. It will often place its own code in the path of execution of another program. – It must replicate itself. For example, it may replace other executable files with a copy of the virus infected file. Viruses can infect desktop computers and network servers alike.

12. Types of Viruses File Infector –Jerusalem and Cascade Boot Sector –Form, Disk Killer, Michelangelo, and Stoned Master Boot Record –NYB, AntiExe, and Unashamed

13. Types of Viruses Multi-partite –One_Half, Emperor, Anthrax and Tequilla Macro –W97M.Melissa, WM.NiceDay and W97M.Groov

14. Worm A computer program that invades computers on a network, replicates itself to prevent deletion, and interferes with the host computer’s operation –This is in contrast to viruses, which requires the spreading of an infected host file. –W32.Mydoom.AX@mm

15. Real Threat Rates Malicious code is a growing problem—88% of respondents think that malicious code is "somewhat worse or much worse" than 2002, with only 12% stating the situation was "the same or better" in 2003. Malicious code is costing organizations lots of money—in 2003, disaster recovery costs increased by 23% to almost $100,000 per organization per event. Source: TruSecure, March 22, 2004

16. Electronic Threats What is out there waiting for the opportunity?

17. Port Scanning A port scan is a series of messages sent by someone attempting to break into a computer to learn which computer network services, each associated with a "well- known" port number, the computer provides. –There are 65,536 ports

18. Port Scanning Rates Port Scanning –September 1999 –January 2000 –October 2000 –March 2001 Threat Rate –1 per 6 Days –1 per Day –6 per Day –9 per Day

19. Web Defacement Web site defacement, a form of malicious hacking in which a Web site is “vandalized.” Often the malicious hacker will replace the site’s normal content with a specific political or social message or will erase the content from the site entirely, relying on known security vulnerabilities for access to the site’s content.

20. Web Defacement Unicef.org

21. Web Defacement AirTran.com

22. Real Threat Rates Web Defacements –May 1999 –October 2001 –March 2001 –May 2001 –May 2002 Threat Rate –15 per Day –61 per Day –180 per Day –580 per Day –900 per Day

23. Spoofing Attempting to masquerade or closely mimic the URL displayed in a Web browser’s address bar. Used in phishing attacks and other online scams to make an imposter Web site appear legitimate, the attacker obscures the actual URL by overlaying a legitimate looking address or by using a similarly spelled URL.

24. Physical Theft

25. Physical Stolen Laptops –May 22, 2006 - A laptop computer and external drive containing personal data on more than 26 million veterans and active duty military personnel was stolen.

26. Down Time Denial of Service and Natural Disasters

27. Down Time Denial of Service –A user or program that takes up all of the system resources by launching a multitude of requests, leaving no resources, and thereby denying service to other users. –W32.DoS.funtime, Solaris.DoS.stacheld.c, Solaris.DoS.stacheld.t, Solaris.DoS.stacheld.m

28. Down Time Natural Disasters –Weather Katrina –Earth Quake –Tsunami –Volcanic

29. Human Disgruntled Employees –Insider Activity in the Banking And Finance Sector This report examines 23 incidents carried out by 26 insiders in the banking and finance sector between 1996 and 2002.

30. Human Disgruntled Employees –In 87% of the cases studied, the insiders employed simple, legitimate user commands to carry out the incidents –In 70% of cases studied, the insiders exploited or attempted to exploit systemic vulnerabilities in applications and/or processes or procedures

31. Human Passwords –Sticky Notes –Spouses –Children –Pets –Mythology

32. Email Spam and Phishing

33. Email Spam –64% of the world's estimated 300,000 spam servers are located in Taiwan. About 23% are located in the United States. Computer World July 10, 2006.

34. Email Phishing –PayPal

35. X-Ware Adware and Spyware

36. Adware Programs that facilitate delivery for advertising content to the user and in some cases gather information from the user's computer, including information related to Internet browser usage or other computer habits.

37. Spyware Programs that have the ability to scan systems or monitor activity and relay information to another computer or locations in cyber- space.

38. Vulnerability Where are the holes in your systems?

39. Vulnerability Prevalence Over 70% of sites with firewalls are still vulnerable to known attacks Over 80% of sites do not know what is on their networks and what is visible to the Internet

40. Mac/OS, How Safe? Symantec, a provider of antivirus and other security software, released a report stating that it has identified an increasing number of vulnerabilities in the current version of Apple Computer's Macintosh operating system (Mac OS X). Symantec reported that it had identified 37 high-impact Mac OS X vulnerabilities in the preceding year. The Macintosh installed base is relatively small, with only about 3 percent of systems in use today running the Mac OS. Source: Gartner, April 1, 2005

41. Event Cost How much will recovery cost you?

42. Event Cost Hard to Determine Cost of recovery can be more than a company can bear Organizations are often time reactive, not proactive

43. Melissa Virus Data Taken from 131 corporations immediately after Melissa period 25 companies were compromised by Melissa between Monday, March 29, and Friday, April 5 1999 20 experienced major “disaster” (>25 workstations infected)

44. Melissa Virus Average of 196 infected workstations and 9 servers per company 7,824 North American companies experienced compromise of more than 200 workstations 1,205,000 computers infected ICSA estimates total cost at $93 million dollars

45. Costs Price of Security Breaches reaches nearly $14 million per incident. That's according to a study conducted by Ponemon Institute LLC for PGP Corp., a security software vendor in Palo Alto, California. Source: Computerworld, November 14, 2005 http://www.computerworld.com/securitytopics/security/story/0,10801,106180, 00.html

46. Costs It is estimated that the worldwide impact of malicious code was 13.2 billion dollars in the year 2001 alone, with the largest contributors being: –SirCam at $1.15 Billion –Code Red (all variants) at $2.62 Billion –NIMDA at $635 Million. Source Computer Economics, 2 January 2002, http://www.computereconomics.com/cei/press/pr92101.htm http://www.computereconomics.com/cei/press/pr92101.htm

47. Costs An estimated $7.8 Billion was lost to malicious code attacks in 2004 and 2005 combined. More than 35% of computer users do not have protective software installed on their computers. Source: CNN Headline News August 8, 2006

48. Security Myths Separating Fact from Fiction

49. Top Security Myths Encryption over the Internet is important (SSL) Complex user passwords are good Daily anti-virus updates are required All vulnerabilities should be patched Businesses should focus on firewall maintenance and management

50. Global Trends Where is all of this going?

51. Internet Security Increasing complexity drives exponential growth in vulnerability Rapidly changing environment drives rapidly changing risks Greater all-to-all connectivity drives greater potential for malicious connectivity

52. Internet Security Growth in Internet users drives growth in Internet abusers Anonymity of the Internet drives tendency towards abuse

53. Essential Practices What must be done?

54. Mitigating Global Trends Move to dynamic security methods Move to distributed security methods Move toward outsourcing security solutions

55. In Practice Block (deny access by default) Turn-off Services / Ports (off by default) Substitute low-risk methods for high- risk methods Update (apply service packs that affect your situation) Patch (apply hot fixes that affect your situation) Configure Monitor

56. Presentation Sources Where did all of this information come from?

57. Sources TruSecure –http://www.TruSecure.com/ ICSA –International Computer Security Association –http://www.ICSALabs.com/ Symantec –http://www.Symantec.com/

58. Sources Insider Threat Study: Illicit Cyber Activity in the Banking and Finance – June 2005 –http://www.sei.cmu.edu/pub/docume nts/04.reports/pdf/04tr021.pdf Webopedia –http://www.webopedia.com/