Presentation on theme: "1 Through The Eye of The Hacker: A Look At Security And The Future Krizi Trivisani, Chief Security Officer Amy Hennings, Assistant Director November 6,"— Presentation transcript:
1 Through The Eye of The Hacker: A Look At Security And The Future Krizi Trivisani, Chief Security Officer Amy Hennings, Assistant Director November 6, 2003 Copyright Krizi Trivisani, Amy Hennings This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
2 Agenda The Security Landscape – The Violation Situation Worm Damage and Trends Attacker Strategies Security Awareness
3 The Security Landscape – The Violation Situation 2001 Total Violations went from 354 to 5526 – an increase of 1,560%
4 The Security Landscape – The Violation Situation 2002 Average number of violations per month in 2002 is 7197
5 The Violation Situation Continued Viruses Filtered 22,271 in December of 2001 increased to 150,936 in November of 2002
6 The Violation Situation Continued Viruses Filtered 150,936 in November of 2002 increased to 1,629,194 in August of 2003
7 The Security Landscape – The Violation Situation 2003 Violations per month in 2003 have increased so dramatically we had to change what we were tracking! Incidents just to August = 2073 Correspondence = 138 Incident notices = 100 Random/User errors = 19 SPAM = 423 Virus = 1287 Virus Complaints = 106 Blaster infections – 800 Minor scans, Minor hacks, Incidents of suspicious activity, External Attempted Hacks – tens of thousands per month!
8 History of Security at GW Information Security Office Created May 2000 Nov 2002 Sep 2000 NIST Levels Envisioned Jan 2001 Jul 2001 Baseline Security Assessment Grade C Aug 2001 Sep 2001 Nov 2001 Formal Scanning Lab Created & 1 st Security Forum Jan 2002 Dec 2001 Jul 2002 Aug 2002 Oct st Month of Recorded Violations – 354 Trend Virus Filter Added To 39,329 Filtered In 1st Month Total Violations For ,378 Viruses Filtered August - December 206,410 Policy Center & NIST Level 1 Achieved Web pages & Awareness Program Security Architecture November ONLY Security Violations = 7,200 Viruses Filtered = 155,032 Throughout 2001 and 2002, the network has not been brought down by a security incident. Violations 354 7,200 Viruses Filtered 155,032
9 History of Security at GW Nov 2002 Wireless with VPN Jan 2003 Application Level Security Assessment Mar 2003 May 2003 Continued Scanning enhancements July 2003 Aug 2003 Sep 2003 Recorded Violations reach over 30,000 Workstation management tools Aggressive awareness of patches, anti-virus 6000 ResNet Students return 1,629,194 Viruses Filtered 800 Blaster Infections Throughout 2003, the network has not been brought down by a security incident. Violations 10’s of thousands Viruses Filtered 1,629,194 Security Committee Formed FTC and GLB Network Monitoring Upgrades Ashburn Data Center Created
10 Vulnerabilities on the Rise New Vulnerabilities per Week Source: Symantec
11 What Attacks?? A worm is a program or algorithm that replicates itself over a computer network and usually performs malicious actions, such as using up the computer's resources and possibly shutting the system down. A worm is a special type of virus that can replicate itself and use memory, but does not attach itself to other programs.
12 Worm In Action
13 Worldwide Impact of Slammer Telecommunications services failed throughout South Korea Airlines were impacted, several had to resort to manual backup procedures which slowed service Thousands of ATMs and related transactions halted Bank of America Canadian Imperial Bank of Commerce in Toronto Publix supermarket cash back functions unavailable US Dept of State, Agriculture, Commerce, and units of Defense were hit especially hard. Analysts blame dip in Asian stock market on the worm Many news agencies were crippled: –Associated Press –The Philadelphia Inquirer –The Atlanta Journal-Constitution
14 Blaster, Welchia, And Others A recent survey including 882 respondents determined that the MS Blaster worm: –Remediation cost $475,000 per company (median average - including hard, soft and productivity costs) with larger node-count companies reporting losses up to $4,228,000 –Entered company networks most often through infected laptops, then through VPNs, and finally through mis- configured firewalls or routers –From TruSecure / ICSA Labs
15 Blaster, Welchia, And Others Slower moving Who was affected? –Blaster infected over 500,000 IPs worldwide –Maryland MVA –BMW, 3M – AirCanada cancelled flights –Federal Reserve Bank of Atlanta –Philadelphia’s City Hall –Airports, Amtrak –State Department (Welchia) –Northeastern power grid ?
18 Who’s Vulnerable? "75% of all web servers running MS IIS 5.0 are vulnerable to exploitation." –Security News Portal
19 What Are They Attacking? 31 new vulnerabilities announced by MS as of yesterday since the end of the summer Exploits are developed much sooner Patches are quickly and narrowly developed Awareness is limited People don’t care –I won’t do anything until my computer stops working.
20 Decentralized Attack Trends Why take the chance to rob a bank when its much easier to rob the people as they leave the bank with money? Why attack the server when users’ desktops are much easier to get to?
21 The Increase of Perimeter Security Core system security increase –Firewalls, IDS, IPS –Still new exploits (Cisco, etc) arise How to circumvent? –Attack areas that still lack adequate perimeter security (universities) –Get someone to do it for you –Attacking the systems people don’t know are computers –Attacking the tools security professionals use
22 Exploiting Weaknesses in User Education Get someone to do it for you –Trojaned user downloads –Bundled games, music, movies –P2P examples –Spyware –Social engineering
23 Exploiting Weaknesses in User Education Get someone to do it for you –AIM username and password stealing –Fun code execution
24 Embedded Systems Computer system enclosed in an electronic device –Protection is poor or nonexistent –Increased power of new devices –Standardization –No real scanning/assessment ability Real Examples: 3 GW printer cases
25 Cell Phone Hacking Cyber-stalking with GPS Keep your phone firmware up to date Bluetooth enabled device vulnerabilities: Allows anonymous access to Data, Phonebook, Calendar, Media files, Pictures, Text messages
26 Internet Appliances Built-in PC is a 300MHz National Semiconductor Geode processor 128MB of RAM and a 17GB hard disk Windows 98
27 Radio Frequency Devices Building Access Cards Mobile speedpass, toll tags Cell phones, pagers Wireless cams
28 Attacking The Tools Security Professionals Use Trojaned sendmail and openssh programs Trojaned tcpdump and libpcap Snort attacks/DOS Anti-virus gateway DOS attacks Anti-forensics tools
29 What to do? Do what you know, knowing they know what you’ll do Absolutely keep up to date on new vulnerabilities and exploits –Even if you can’t stay a step ahead, at least keep up to date on what the new attacks/exploits are Keep in mind that these trends – attacks will not continue to primarily be traditional attacks from the outside against core systems
30 Still A Critical Element: People Access People are our greatest asset and our weakest security link Security processes and technologies are developed to reduce the burden on people But, almost every security measure can be beaten by social engineering – “Social engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.” The Art of Deception
31 Process People Technology Systems must be built to technically adhere to policy People must understand their responsibilities regarding policy Policies must be developed, communicated, maintained and enforced Processes must be developed that show how policies will be implemented Security Implementation Relies On:
32 What Is Security Awareness? Security awareness is knowledge of potential threats. It is the advantage of knowing what types of security issues and incidents members of our organization may face in the day-to-day routine of their University functions. Technology alone cannot provide adequate information security. People, awareness and personal responsibility are critical to the success of any information security program.
33 Poor Awareness and Preparation “It’s a frightening fact, but nine out of ten employees would unwittingly open or execute a dangerous virus-carrying attachment” “Two-thirds of security managers felt that the overall level of security awareness is either inadequate or dangerously inadequate” “Nine out of ten employees revealed their password on request in exchange for a free pen” These things don’t happen as a result of malicious intent, but rather a lack of awareness of security risks.
34 GW’s Security Awareness Program - Materials Program materials Monthly posters focusing on a specific awareness topic Monthly article in GW Technology Today Brochures available for: New students (Colonial Inauguration) New employees (Orientation) Training programs Free security screen saver Online security tutorial – S.T.A.R.T. Sample password tester Animated security awareness banners Next phase – “Protect IT” Security Awareness Workshop Next phase – Online quizzes
35 Our Challenge To reduce risk by implementing best practice information security practices while balancing academic freedom
36 Thanks! Special thanks and resources: Exploitlabs.com Zone-h.org Gary Golomb
37 Contacts To contact the GWU security department