1 Security Update Vaughn Book SVP – Chief Technology Officer Arrowhead Credit Union November 9, 2004

Slide 1: Security Update
Vaughn Book, SVP – Chief Technology Officer
Arrowhead Credit Union, November 9, 2004

Slide 2: Why security is important
- Good security practices are essential to protecting your company’s most important resources:
  - Data
  - Reputation
- Security risks are increasing due to the demands of the always-on, always-connected economy

Slide 3: Security Trends – On-line Identity Theft
- Consumers are increasingly becoming the victims of identity theft as a result of their online activities:
  - e-Commerce web site compromises
  - Spam
  - Phishing
  - Malware

Slide 4: Security Trends – Increasing regulatory involvement
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- Sarbanes-Oxley Act (SOX)
- California Security Breach Information Act (S.B. 1386)

Slide 5: Security Trends – Application vulnerabilities increasing
- Software packages are becoming larger and more complex
- New vulnerabilities are discovered on a daily basis
- Software vendors are unable to address vulnerabilities before exploits are available, leading to 0-day attacks

Slide 6: Security Trends – Wireless access is becoming pervasive
- Wireless networks are easy to deploy, but hard to secure
- High profile wireless security problems:
  - Best Buy
  - Lowe’s
- Easy access for hackers and spammers
- Rogue access points

Slide 7: Security Trends – Hacking is becoming easier
- Identifying and exploiting security vulnerabilities no longer requires in-depth technical skills
- Open source vulnerability detection tools are readily available:
  - Nessus
  - Whisker
  - NMAP
  - Google

Slide 8: Security Trends – Hacking is becoming easier (cont’d)
- Virus and backdoor tool kits: easy-to-use tools are freely available on the Internet for creating worms, viruses and backdoor programs:
  - Menu driven, point-and-click interface
  - Variety of distribution methods available
  - Use encryption and polymorphism to bypass anti-virus programs

Slide 9: Security Trends – Time to patch is decreasing
- The creators of security exploits are using ever more sophisticated tools to reverse engineer patches after they are released. This is decreasing the time between the release of a patch and the exploit of the vulnerability being fixed.
  - Slammer Worm – 6 months
  - Blaster – 26 days
  - Microsoft ASN.1 Critical Vulnerability – 3 days
- Microsoft is now releasing patches only once a month

Slide 10: Security Trends – Changing Motives
- In the past many hackers and virus writers were mainly interested in bragging rights and the respect of their peers.
- Today there is a profit motive. There is money to be made in relaying spam and stealing personal and financial data for use in identity theft.

Slide 11: Security Trends – Phishing
- Recent exploits:
  - Citibank
  - eBay
  - Wells Fargo
- Huge returns for phishers when people answer the messages

Slide 12: Security Trends – Malware is proliferating
- Viruses
- Worms
- Trojans
- Back doors
- Bots
- Key loggers
- Adware
- Spyware

Slide 13: Security Trends – Malware is becoming more sophisticated
- Multiple infection vectors:
  - Downloadable trojan
  - E-mail attachment
  - Worm infecting un-patched systems
- Scan for other vulnerable or infected systems
- Harvest e-mail addresses, credit card numbers and other personal information
- Polymorphic – evolve to evade detection
- Virtual machine aware – difficult to analyze by security researchers

Slide 14: Security Trends – The rise of the Bot
- More than 30,000 PCs per day are being recruited into secret networks that spread spam and viruses, collect personal information and launch distributed denial of service (DDoS) attacks
- Able to phone home
- Often controlled via Internet Relay Chat (IRC)

Slide 15: Security Trends – Phatbot
- Popular and full featured Bot running on Windows
- Can take over 100 different actions triggered over the network from the attacker: add Windows share, FTP files, add startup registry entry, scan for security vulnerabilities, harvest e-mail addresses, launch packet floods and more
- Includes a software developer’s kit (SDK) so that hackers can easily add new features and customize functionality

Slide 16: Security Trends – The future of Malware
- Windows root kits: modify the operating system to hide the presence of malicious code by hiding files, registry settings and running processes
- BIOS manipulation: malware makers will be able to hide malicious code in the PC’s BIOS, making it more difficult to detect and remove
- Microcode rewriting: current versions of the Intel Pentium and AMD Athlon processors include a feature to update the CPU’s microcode. Security researchers believe that future exploits could take advantage of this ability for malicious uses

Slide 17: Steps For Improved Security
- Keep up with the latest attacks: sign up to receive e-mail updates of security related issues from Microsoft, anti-virus providers and other software vendors key to your company’s operations
- Install patches regularly:
  - Test before rollout to avoid application breakage
  - Use Microsoft Software Update Services (SUS) instead of automatic updates in a corporate environment
- Install antivirus software everywhere:
  - Desktop PCs, mail servers, file servers
  - Update virus signatures daily
  - Centralize virus notification
  - Consider using virus protection from multiple vendors

Slide 18: Steps For Improved Security
- Configure firewalls for least access: many firewalls block inbound access while allowing unlimited outbound access. This can allow malicious programs to easily contact the attacker and to spread.
- Scan your network for security vulnerabilities regularly: open source tools such as NMAP and Nessus can identify internal and external vulnerabilities and find back door programs before they are exploited.
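As an added illustration of the outbound-access point on this slide and of the IRC-controlled, phone-home bots of slide 14 (example code, not from the presentation): a small Python review that replays constructed firewall connection-log lines through the permissive policy described here (inbound blocked, outbound wide open) and through an assumed least-access egress policy, flagging any internal host that reaches an IRC port. The address range, host roles, port list and log format are all assumptions.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample connection log (not from the presentation): one attempt per line.
SAMPLE_LOG = """\
2004-11-09 10:15:02 tcp 10.0.0.5:3311 -> 198.51.100.20:443
2004-11-09 10:15:09 udp 10.0.0.3:53 -> 198.51.100.53:53
2004-11-09 10:16:41 tcp 10.0.12.34:1029 -> 203.0.113.9:6667
2004-11-09 10:17:03 tcp 192.0.2.77:44211 -> 10.0.12.34:445
"""
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate address range
IRC_PORTS = {6667}  # IRC, the control channel the deck says bots are often run from
# Assumed least-access egress policy: each internal host may leave only on the
# protocol/port pairs its role needs; unlisted hosts (workstations) are denied.
LEAST_ACCESS = {
    "10.0.0.5": {("tcp", 80), ("tcp", 443)},  # web proxy
    "10.0.0.3": {("udp", 53)},                # DNS resolver
    "10.0.0.7": {("tcp", 25)},                # mail relay
}
LINE_RE = re.compile(r"^\S+ \S+ (tcp|udp) (\S+):\d+ -> (\S+):(\d+)$")
Flow = namedtuple("Flow", "proto src dst dport")

def parse_log(text):  # turn the constructed log format above into Flow records
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append(Flow(m[1], m[2], m[3], int(m[4])))
    return flows

def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL

def permissive_allows(f):
    """The misconfiguration on the slide: block inbound, allow all outbound."""
    return is_internal(f.src) and not is_internal(f.dst)

def least_access_allows(f):
    """Outbound only, and only the pairs the source host is authorised for."""
    if not is_internal(f.src) or is_internal(f.dst):
        return False
    return (f.proto, f.dport) in LEAST_ACCESS.get(f.src, set())

def review(text):
    """Per flow: each policy's verdict, plus a flag for an internal host phoning home over IRC."""
    return [{"flow": f, "permissive": permissive_allows(f),
             "least_access": least_access_allows(f),
             "irc_phone_home": permissive_allows(f) and f.proto == "tcp" and f.dport in IRC_PORTS}
            for f in parse_log(text)]
```

Running review(SAMPLE_LOG) shows the workstation’s IRC connection passing the permissive policy but failing least access, which is exactly the phone-home path the slide warns about.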

Slide 19: Steps For Improving Security
- Be aware of Intrusion Detection Systems (IDS) limitations:
  - IDS can identify potential attacks but cannot stop them
  - IDS are blind to attacks encrypted by SSL and other methods
  - IDS often go unwatched due to the large number of false positives
- Evaluate host based intrusion prevention systems with the ability to detect and prevent attacks as an alternative

Slide 20: Resources – Tools

NMAP
NMAP is a free network port scanning tool which uses a number of techniques, including connect, SYN and FIN scans, to identify running services and firewall and router rule sets. NMAP can also identify the operating system running on the remote system using a variety of TCP/IP stack fingerprinting techniques.
www.insecure.org/nmap/

Ethereal
Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. A text-based version called tethereal is included.
www.ethereal.com/

Nessus
Nessus is a remote security scanner for Linux, BSD, Solaris, and other Unixes. It is plug-in based, has a GTK interface, and performs over 1200 remote security checks. It allows for reports to be generated in HTML, XML, LaTeX, and ASCII text, and suggests solutions for security problems.
www.nessus.org

Snort
Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine. Many people also suggested that the Analysis Console for Intrusion Databases (ACID) be used with Snort.
www.snort.org

Slide 21: Resources – Web Sites
- SANS: www.sans.org
- Security Focus: www.securityfocus.org
- Microsoft Security Guidance Center: www.microsoft.com/security/guidance
- Foundstone: www.foundstone.com