THE CASE FOR PROACTIVE NETWORK SECURITY: WORMS, VIRUSES & BUSINESS CONTINUITY Presented to Dr. Yan Chen MITP 458- Information Security & Assurance Business.


1 THE CASE FOR PROACTIVE NETWORK SECURITY: WORMS, VIRUSES & BUSINESS CONTINUITY
Presented to Dr. Yan Chen, MITP 458 - Information Security & Assurance, Business Case Study Presentation, 09 June 2007, by The Loop Group: Farney, Heilprin, Leonard

2 2001: THE END OF REACTIVE NETWORK SECURITY
The Year of the Worm: three major worms released July-September 2001
- Code Red
  - $2.6bn estimated damage
  - Simple buffer overflow in the IIS .ida extension; infected 350,000+ hosts in a single day
- Code Red II
  - Same attack vector (.ida), but a different signature, so string-matching defenses tuned for Code Red missed it
- Nimda
  - Mass-mailing, multi-vector attack
All three exploited previously disclosed and already patched vulnerabilities
- MS01-033, MS00-052, MS00-078, MS01-020
- Signature-based A/V software was useless: no definitions existed when the worms appeared
They spread over firewall ports that were not needed externally in the first place
- 135, 137, 138, 139, 445, 593, 1639, 2000-3000, 3127-3198
100% preventable!

3 "HEROIC IT" (1) NOT ENOUGH: PEOPLE AND PROCESS REQUIRED
The 2001 attacks were responsible for a major shift in corporate defenses
- The speed of attack dispersion and its growing geographic reach make it impossible to react to today's threats after the fact
- Design and deploy a network security operations infrastructure in which automatic patch management plays the central role
  - Vulnerabilities addressed on the day the patch is released (assuming the patch has been tested)
- Proactively tighten defenses
  - "Deny all" rather than "allow all" on interior firewall interfaces
  - Perform network analysis to determine the required business functions and their corresponding ports, then deny everything else
(1) Heroic IT Management Is No Longer Enough, Diamond Cluster Viewpoint, 2004
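The "analyze, then deny all else" step above, as an added example that is not part of the presentation: a small Python script that takes constructed flow records, compares the ports actually seen against the ports the business owners have declared they need, flags everything else (including the worm ports the previous slide lists), and renders a default-deny nftables ruleset. The flow format, the `BUSINESS_FUNCTIONS` mapping and the sample addresses are all assumptions made for the example. Note that a port the business genuinely needs (443 here) still has to be kept patched; the firewall only removes the ports nobody needed.

```python
"""Derive a default-deny firewall policy from observed traffic.

Added example; not code from the presentation. It assumes a constructed
list of flow records and emits an nftables-style ruleset as text.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Ports the slide lists as not needed on external interfaces.
WORM_PORTS: Set[int] = (
    {135, 137, 138, 139, 445, 593, 1639}
    | set(range(2000, 3001))
    | set(range(3127, 3199))
)

# Constructed flow records: (src, dst, dst_port, proto, bytes).
# The format is an assumption; real input would be NetFlow/sFlow/conn logs.
SAMPLE_FLOWS = [
    ("203.0.113.10", "192.0.2.20", 443, "tcp", 51200),
    ("203.0.113.11", "192.0.2.20", 443, "tcp", 18000),
    ("203.0.113.12", "192.0.2.21", 25, "tcp", 4200),
    ("203.0.113.13", "192.0.2.22", 445, "tcp", 900),   # SMB from outside: worm probe
    ("203.0.113.14", "192.0.2.22", 139, "tcp", 300),   # NetBIOS from outside
    ("203.0.113.15", "192.0.2.20", 80, "tcp", 2048),   # seen, but nobody asked for it
]

# Output of the "network analysis": business functions and the port each
# needs. Constructed mapping, assumed to come from owner interviews/inventory.
BUSINESS_FUNCTIONS: Dict[str, Tuple[str, int]] = {
    "public web (TLS)": ("tcp", 443),
    "inbound mail": ("tcp", 25),
}

Service = Tuple[str, int]


def observed_services(flows) -> Counter:
    """Count flows per (proto, dst_port) actually seen on the wire."""
    return Counter((proto, port) for _s, _d, port, proto, _b in flows)


def classify(flows, functions) -> Tuple[List[Service], List[Service], List[Service]]:
    """Split observed services into justified, unjustified, and known worm ports.

    Traffic being present is not a justification: only a declared business
    function puts a port on the allow list.
    """
    needed = set(functions.values())
    seen = observed_services(flows)
    allowed = sorted(needed)
    unjustified = sorted(svc for svc in seen if svc not in needed)
    worm_hits = sorted(svc for svc in unjustified if svc[1] in WORM_PORTS)
    return allowed, unjustified, worm_hits


def render_nft(allowed, default_policy: str = "drop") -> str:
    """Render an nftables input chain. default_policy="accept" is the
    "allow all" posture the slide argues against; "drop" is deny-all."""
    lines = [
        "table inet filter {",
        "  chain input {",
        f"    type filter hook input priority 0; policy {default_policy};",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    for proto, port in allowed:
        lines.append(f"    {proto} dport {port} ct state new accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    allowed, unjustified, worm_hits = classify(SAMPLE_FLOWS, BUSINESS_FUNCTIONS)
    print("allow:", allowed)
    print("seen but unjustified:", unjustified)
    print("worm ports reached from outside:", worm_hits)
    print(render_nft(allowed))
```

Run it as-is to see the ruleset; point it at real flow data and a real function inventory to get the allow list the slide asks for. Anything in the "unjustified" list is either a missing inventory entry or traffic that should already have been blocked.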

4 NEXT PARADIGM SHIFT: STRING SCANNING -> HEURISTICS
- Zero-day attacks are becoming more common
  - Virus definitions and patches are not yet available when the attack hits
- "Ex post mechanism is folly: by focusing on catching the attack of the past, you miss the attack of the future" (1)
- A new proactivity is required: behavior-based security
  - Define behaviors to look for, not specific strings
- Heuristics are the only way to protect against zero-day attacks
  - Look for anomalous activity
  - Use off-the-shelf software, security services, or a product like Internet Motion Sensor
  - Most A/V software today uses heuristics at some level
    - Most effective are agent-based products dedicated to this type of analysis
(1) The Efficacy of Network-Level SPAM Mitigation, Sean Farney, MITP 458, 2007
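The string-scanning versus heuristics contrast on this slide, as an added Python example that is not part of the presentation. It puts a signature matcher for one worm variant next to two heuristics: a content-shape rule (an implausibly long query against an .ida/.idq handler, whatever the filler) and a behavior rule (one source touching many distinct hosts). The request lines and the source/destination pairs are constructed stand-ins; the filler characters and thresholds are assumptions chosen for the example, not a reproduction of any real worm payload.

```python
"""Signature (string) scanning versus behavior-based heuristics.

Added example, not from the presentation. Requests below are constructed
stand-ins for oversized .ida probes; only their shape matters.
"""
import re
from collections import defaultdict
from typing import Iterable, List, Tuple

# --- String scanning -------------------------------------------------------
# A signature for one specific variant: an .ida request padded with 'N'.
# It matches that exact filler and nothing else (assumed filler for the example).
CODE_RED_SIGNATURE = re.compile(rb"GET /default\.ida\?N{20,}")


def signature_match(request: bytes) -> bool:
    return CODE_RED_SIGNATURE.search(request) is not None


# --- Heuristic 1: content shape ---------------------------------------------
# Any request to an .ida/.idq handler with an implausibly long query string,
# regardless of the bytes in it. Catches a variant that swaps the filler.
IDA_REQUEST = re.compile(rb"GET /[^ ?]*\.id[aq]\?([^ ]*)")
MAX_SANE_QUERY = 200  # assumed threshold; tune to what the site really serves


def shape_anomaly(request: bytes) -> bool:
    m = IDA_REQUEST.search(request)
    return m is not None and len(m.group(1)) > MAX_SANE_QUERY


# --- Heuristic 2: behavior ---------------------------------------------------
def scanning_sources(events: Iterable[Tuple[str, str]], min_targets: int = 10) -> List[str]:
    """Return sources that contacted at least min_targets distinct destinations.

    A worm scanning for the next victim fans out to many hosts; a client of
    the web site does not. The payload is never inspected here.
    """
    targets = defaultdict(set)
    for src, dst in events:
        targets[src].add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)


# --- Constructed samples -----------------------------------------------------
def make_probe(filler: bytes, count: int = 240) -> bytes:
    """Build an oversized .ida request with the given filler byte(s)."""
    return b"GET /default.ida?" + filler * count + b" HTTP/1.0\r\n"


BENIGN_REQUEST = b"GET /default.ida?q=search HTTP/1.0\r\n"

# (src, dst) pairs: one host fans out to 12 servers, a normal client hits 2.
SCAN_EVENTS = [("203.0.113.5", f"192.0.2.{i}") for i in range(1, 13)] + [
    ("203.0.113.9", "192.0.2.1"),
    ("203.0.113.9", "192.0.2.2"),
]


def classify_requests(requests: Iterable[bytes]) -> List[Tuple[bool, bool]]:
    """For each request: (caught by signature, caught by shape heuristic)."""
    return [(signature_match(r), shape_anomaly(r)) for r in requests]


if __name__ == "__main__":
    samples = [make_probe(b"N"), make_probe(b"X"), BENIGN_REQUEST]
    for req, verdict in zip(samples, classify_requests(samples)):
        print(req[:40], "signature:", verdict[0], "heuristic:", verdict[1])
    print("scanning sources:", scanning_sources(SCAN_EVENTS))
```

The known-variant probe is caught by both checks; the variant with a different filler gets past the signature but not the shape heuristic; the benign .ida request passes both. The behavior rule works with no payload at all, which is what makes it useful on the day a new worm appears. The price is false positives (a vulnerability scanner or a load balancer will also fan out), so thresholds belong in the hands of whoever owns the network, not the example.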

5 PERSONAL LESSONS LEARNED
- Globally dispersed operations offer challenges
  - Follow-the-sun staffing is great for finite day-to-day tasks, but can impede focus on large events
  - Lack of 24x7 line responsibility allows transition gaps and requires re-activation energy
  - Consider centralization and/or sourcing to a true 24x7 model/provider for consistent and efficient handling of operations
- Patching systems, whether run internally or externally, produce the same effect
  - Remove the human element from revision compliance
  - Commonplace now, but still new in 2001
- Fight battles before they start: be as proactive as possible
- The Freedom (1) of "Deny All"
(1) See Nietzsche's Twilight of the Idols

