Slide #1: Security Threats in the Internationally Networked World
David Thompson, Harris Corporation, 321-984-5799
4-May 2004
Slide #2: Who am I?
- Started my career at NSA in 1979
- Worked in Information Assurance for multiple companies over the years
- 9 years at DARPA
- Contributing Editor at eWeek
- Currently lead the Harris Information Assurance Center of Excellence
  - Focused on providing IA solutions for many US government programs
Slide #3: Information Protection Today
- It’s Tombstone, Arizona in the 1880s
  - Very little protection provided by law enforcement
  - Everyone carries their own gun for protection
  - The criminals prey on the weak
- How do you protect yourself from a pervasive international threat that operates outside jurisdictions, but can reach into your living room?
Slide #4: The Language of Threats
threat n.
1. An expression of an intention to inflict pain, injury, evil, or punishment.
2. An indication of impending danger or harm.
3. One that is regarded as a possible danger; a menace.
Slide #5: The Language of Threats
risk n.
1. The possibility of suffering harm or loss; danger.
2. A factor, thing, element, or course involving uncertain danger; a hazard: “the usual risks of the desert: rattlesnakes, the heat, and lack of water” (Frank Clancy).
3. One considered with respect to the possibility of loss: a poor risk.
Slide #6: The Language of Threats
mitigation n.
1. The act of mitigating, or the state of being mitigated; abatement or diminution of anything painful, harsh, severe, afflictive, or calamitous; as, the mitigation of pain, grief, rigor, severity, punishment, or penalty.
Slide #7: The Language of Threats
- Threats derive from the actions (intentional or unintentional) of others that could inflict harm upon you
- Risks encompass the harm that could be inflicted upon you if you do not take action
- Mitigations are the actions you take to protect yourself from risk
- The Bottom Line: You are the one who will suffer harm, and you are responsible for protecting yourself
Slide #8: The Nature of the Threat
- Threats come from people, not technologies
- There are a few categories of threats, but the techniques used number in the thousands
  - Hackers – Amateurs who break into systems for fun, vandalism or theft
  - Virus Producers – Programmers who produce self-replicating programs intended to move between systems without authorization
  - Spies – Professionals who break into systems with the intent of removing information of value
  - Users – Authorized system users who cause disruption through intent or error
  - White Hats – Professionals who break into systems to test security
Slide #9: The Nature of the Threat
Hackers: Kevin Mitnick
- Born August 6, 1963
- Arrested by the FBI, February 15, 1995
- Held for 4 ½ years without a bail hearing due to concern of capability to execute weapons system control from a telephone
- Specialist in telephone hacking (phreaking) and social engineering
- Now CEO of a security consulting company
- Cost of hacking on US business $800M $2.8B
- Small businesses suffer the most
Slide #10: The Nature of the Threat
Virus Producers: David Smith
- David Smith released Melissa in March 1999
- It traversed the world in a “rolling wave” following the rising sun
- Smith was arrested in April 1999, received a reduced sentence due to cooperation with the FBI
- Calls Melissa a “Colossal Mistake”
- Melissa (named after a Florida stripper) caused over $80M in damage in 1 day
Slide #11: The Nature of the Threat
Spies: John Walker Jr.
- Ran a “Family Spy Ring” providing information to the Soviet Union for decades
- Brother, Son and Wife were all involved in the espionage
- Was arrested in 1985 and sentenced to life in prison, without parole
- The Walker ring provided encryption keys to the Soviets allowing the monitoring of naval communications
Slide #12: The Nature of the Threat
Users: Typical User
- Experts agree that the vast majority of threats stem from authorized users of the system
- Active attacks against internal systems
- Inadvertent actions that cause damage
  - Release virus
  - Access inappropriate information
  - Violate policy causing embarrassment
- Story – HBL Mercedes in Fairfax Virginia
Slide #13: The Nature of the Threat
White Hats
- Sandia IORTA program
- Information Operations Red Team and Assessments
- Considered the Nation’s premier experts for conducting Red Team assessments on systems
- Don’t Forget – White Hats aren’t there to be your friend, and failing their tests can harm you (unemployment)
Slide #14: Real World Example
Transformational Communications
- Next Generation for military communications
- Based on a geosynchronous constellation of satellite-hosted high-performance routers
- Provides direct IP connectivity to land, air and sea based assets globally
- Provides direct reach back to information, intelligence and command & control
- Harris providing Information Assurance expertise
[Figure: TC Operational Environment]
Slide #15: Real World Example
[Figure: TC Connectivity]
Slide #16: Real World Example
- Portions of military networks (.mil domains) connect to the Internet
Slide #17: Real World Example
- Mitigations include multiple layers of firewalls, two-factor authentication, and channel separation through cryptography
Slide #18: Real World Example
- MS Windows is the dominant OS used by the military
- Viruses can be introduced at any point through communications or software loading
Slide #19: Real World Example
- Virus detection is performed at all interfaces; centralized profile updates are performed
Slide #20: Real World Example
- Adversaries will attempt to gain information through monitoring satellite signals
  - Direct information gain
  - Force location
  - Traffic analysis
Slide #21: Real World Example
- Multiple levels of encryption are used to mask information
- Low probability of intercept (LPI) antennas used on terminals
Slide #22: Real World Example
- Multiple levels of classified information traverse the network
- User error contributing to exposure is of great concern
Slide #23: Real World Example
- Channelization and High Assurance Guards protect against information exposure
Slide #24: Real World Example
- Red Team assessments are required for all government systems
- I am betting my career on getting this right
Slide #25: Conclusions
- There is no such thing as perfect security
- The threat is pervasive and the techniques/vulnerabilities ever changing
- Protections must evolve to meet these changes
- It is the responsibility of the security professionals to provide adequate mitigation to result in acceptable risk
Questions?