Information Security Risk Management

Theft Happens: Data Security for Intellectual Property Managers. Presented by Fred Holborn on behalf of Psiframe, Inc. to the Intellectual Property Society, July 16, 2003. For more information, visit http://www.ipsociety.net and http://www.psiframe.com . Copyright 2003 Psiframe, Inc. All Rights Reserved.


Page 1: Information Security Risk Management

Theft Happens:

Data Security for Intellectual Property Managers

Presented by Fred Holborn on behalf of Psiframe, Inc. to the Intellectual Property Society, July 16, 2003. For more information, visit http://www.ipsociety.net and http://www.psiframe.com.

Copyright 2003 Psiframe, Inc. All Rights Reserved.

Page 2: Information Security Risk Management

Today’s Situation

- 92% of large organizations detected computer security attacks in 2003.

- 75% acknowledged financial losses due to computer breaches.

- Theft of proprietary information caused the greatest financial loss: $2.7 Million average.

Source: CSI / FBI Computer Crime and Security Survey, April 2003 http://www.gocsi.com

Page 3: Information Security Risk Management

$2.7 Million . . .

- Profit vs. Loss for ______, Inc.?

- $______ Annual Interest Expense?

- $______ Million in Additional Revenue to Recoup?

Page 4: Information Security Risk Management

Founding Premise

“Improve the security of a site by breaking into it.”

Dan Farmer and Wietse Venema, 1993, from their paper “Improving the Security of Your Site by Breaking Into It”; co-creators of SATAN (Security Administrator Tool for Analyzing Networks)

Source: http://www.fish.com/security/admin-guide-to-cracking.html

Page 5: Information Security Risk Management

Psiframe’s Purpose

- Psiframe enables organizations to Lock Down Data Systems and Network Security by:

  - Performing “Real World” Risk Assessments.

  - Identifying Exploitable Vulnerabilities from an Attacker’s Perspective.

  - Recommending “Best Practice” Solutions.

Page 6: Information Security Risk Management

Goals and Objectives

- Protect Information Assets through a program of regularly conducted assessments that quantify and enable mitigation of unacceptable risks.

- Develop understanding and consensus among executive and technology leaders to achieve and validate strong security.

Page 7: Information Security Risk Management

Assessing IP Assets on IP Networks

- What are the IP Assets and their values?

- What are the actual threats to IP Assets facilitated by vulnerabilities on networks?

- What consequences are possible if threats arise?

- What are the probabilities that thefts will happen?

- What safeguards can be deployed?

- What investments are required for safeguards?

Page 8: Information Security Risk Management

What’s Vulnerable?

Examples:

- Hardware Devices

- Operating Systems & Applications Software

- Systems Architecture & Configurations

- Data Transmission & Encryption Protocols

- Access Control Methods

- People

Page 9: Information Security Risk Management

Reported Hardware & Software Vulnerabilities per Year (chart; image not reproduced in the transcript)

Source: Computer Emergency Response Team Coordination Center http://www.cert.org/present/cert-overview-trends/module-1.pdf

Copyright 1998-2003 Carnegie Mellon University

Page 10: Information Security Risk Management

How Did This Happen?

- Internet connectivity is “Open” by design.

- Faith and trust in “Firewalls” is misplaced.

- Software and hardware security remains poor.

- Complexities of systems & network configurations are “Incomprehensible”.

Page 11: Information Security Risk Management

What’s Required for Strong Security?

Awareness?

Budgets?

Resources?

Training?

Skills?

Policies?

Procedures?

Compliance?

Assessments?

Page 12: Information Security Risk Management

What’s At Risk?

1. Information Assets

2. Business Relationships

3. Network Infrastructure

Page 13: Information Security Risk Management

1. Information Assets At Risk

- Trade Secrets

- Designs & Processes

- Business Plans

- Personnel Records

- Financial Transactions

- Privileged Communications

Page 14: Information Security Risk Management

2. Business Relationships At Risk

- Customer & Partner Data Confidentiality

- Production & Service Quality

- Industry Reputation

- Competitive Advantage

- Regulatory Compliance

- Investor & Stakeholder Confidence

Page 15: Information Security Risk Management

3. Network Infrastructure At Risk

- Authentication & Privacy

- Availability of Systems & Resources

- Customer & Supplier Connectivity

- Functionality of Software Applications

- Integrity of Records & Databases

- Business Continuity

Page 16: Information Security Risk Management

Network Security Roadmap

1. Establishing Executive Mandates for Assessments

2. Comparing Audit Methodologies & Deliverables

3. Identifying Exploitable Vulnerabilities

4. Exposing Firewall Circumventions

5. Detecting & Monitoring Wireless Access

6. Revealing Information Leakage & Sources

7. Recognizing Critical Infrastructure & IP Threats

8. Implementing Lock Down & Best Security Practices

9. Maintaining Federal & State Regulatory Compliance

10. Managing Ongoing Processes & Oversight

Page 17: Information Security Risk Management

Establishing Executive Mandates for Strong Security

Source: http://www.ncs.gov/n5_hp/Reports/FINALREP.pdf

Page 18: Information Security Risk Management

Comparing Audit Methodologies

1. Policy & Procedure Review

  - Determine Existence & Extent of Written Policies

  - Can it Prove Policy Adherence or Effectiveness?

2. Automated Scanning Tools & Scripts

  - Low-Cost Product Purchase or Outsourced Option

  - Can they Combine & Correlate Multiple Findings?

  - Do they Produce False Positives?

  - Are Validities of Results Affected by Version Currency?

Page 19: Information Security Risk Management

Comparing Audit Methodologies

3. “Red Team” Vulnerability, Exploit & Penetration Testing

  - Simulates Real-World Scenarios (Many Tools & Methodologies)

  - Combines & Correlates Multiple Results (Human Approach)

  - Validates Indications in “Day 0” Time

  - Determines Actual Risks to Specific Assets

  - Proves Existence/Efficacies of Policies & Practices

  - Tailors Recommendations to Specific Environments

  - Connects IT Leadership with Sr. Management

  - Limitation: Scalability Limited by Availability of Specialists

Page 20: Information Security Risk Management

Comparing Deliverables

- Paper Based or Interactive Reports?

- Level of Comprehensiveness?

- Includes Both Vulnerability & Risk Assessments?

Page 21: Information Security Risk Management

Psiframe’s RiskPoints™ eDeliverable

RiskPoints is a trademark of Psiframe, Inc.

Page 22: Information Security Risk Management

Identifying Exploitable Vulnerabilities

Examples:

- Routers

- Operating Systems

- Service Applications (Mail, FTP, DNS, etc.)

- Web Applications

- Configuration Errors

- Authentication Weaknesses

- People

Page 23: Information Security Risk Management

Exploit Example: Router

Cisco IOS Vulnerability & Exploit

This vulnerability enables eavesdroppers to sniff email and monitor other traffic while transparently forwarding it to its intended destination within milliseconds.

- Once privileged (administrative, i.e. enable-mode) access to the Client’s router was gained, Psiframe installed an encapsulated tunnel (a VPN-style tunnel) between the router and a Psiframe server on the Internet.

- Using this technique, Psiframe was able to surreptitiously capture any or all outgoing traffic from the Client's network. Because the traffic is still forwarded to its real destination, users see no outage; the compromise is visible only in the router's own configuration and in its traffic pattern, which is where a defender has to look for it.
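The footprint the router technique on this slide leaves behind, as an added example (not code from the Psiframe presentation or from any Psiframe tool): a Python review of an IOS-style running-config that flags tunnel interfaces whose far end is outside the organization's address space, and policy route-maps that steer selected traffic into such a tunnel. The config is constructed for the example, and the "trusted" address ranges (203.0.113.0/24 and 10.0.0.0/8) and the `tunnel destination` / `ip policy route-map` / `set ip next-hop` patterns are my assumptions about what to look for.

```python
"""Added example, not from the Psiframe slides: review an IOS-style
running-config for a tunnel that terminates outside the organization and for
policy routing that sends traffic into it (the pattern the slide describes).

Assumptions (mine): IOS stanza layout ('!' separates blocks, sub-lines are
indented), and that 203.0.113.0/24 and 10.0.0.0/8 are the organization's own
address space. The sample config is constructed (TEST-NET addresses only).
"""
import ipaddress
import re

# Constructed sample running-config, not a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr
!
interface Tunnel9
 ip address 192.168.250.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.77
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map EXFIL
!
route-map EXFIL permit 10
 match ip address 101
 set ip next-hop 192.168.250.2
!
access-list 101 permit tcp any any eq 25
ip route 0.0.0.0 0.0.0.0 203.0.113.1
"""

# Address space the organization legitimately uses (assumption for this example).
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("10.0.0.0/8")]


def parse_blocks(config):
    """Map each top-level config line to its indented sub-lines (IOS stanzas)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None                      # '!' ends the current stanza
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def is_trusted(addr, trusted_nets=TRUSTED_NETS):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted_nets)


def find_rogue_tunnels(config, trusted_nets=TRUSTED_NETS):
    """Tunnel interfaces whose 'tunnel destination' lies outside trusted space."""
    found = []
    for header, body in parse_blocks(config).items():
        if not header.startswith("interface Tunnel"):
            continue
        name = header.split(None, 1)[1]
        for line in body:
            m = re.match(r"tunnel destination (\S+)$", line)
            if m and not is_trusted(m.group(1), trusted_nets):
                found.append((name, m.group(1)))
    return found


def tunnel_subnets(config):
    """Subnet of every tunnel interface, keyed by interface name."""
    nets = {}
    for header, body in parse_blocks(config).items():
        if header.startswith("interface Tunnel"):
            for line in body:
                m = re.match(r"ip address (\S+) (\S+)$", line)
                if m:   # IPv4Interface accepts a dotted netmask after the slash
                    iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
                    nets[header.split(None, 1)[1]] = iface.network
    return nets


def find_pbr_into_tunnels(config):
    """Interfaces whose policy route-map sets a next-hop inside a tunnel subnet."""
    blocks, tnets, next_hops = parse_blocks(config), tunnel_subnets(config), {}
    for header, body in blocks.items():
        m = re.match(r"route-map (\S+)", header)
        if m:
            for line in body:
                h = re.match(r"set ip next-hop (\S+)$", line)
                if h:
                    next_hops.setdefault(m.group(1), []).append(h.group(1))
    findings = []
    for header, body in blocks.items():
        if not header.startswith("interface "):
            continue
        for line in body:
            p = re.match(r"ip policy route-map (\S+)$", line)
            if not p:
                continue
            for hop in next_hops.get(p.group(1), []):
                for tname, net in tnets.items():
                    if ipaddress.ip_address(hop) in net:
                        findings.append((header.split(None, 1)[1], p.group(1), hop, tname))
    return findings


def audit(config, trusted_nets=TRUSTED_NETS):
    """Human-readable findings; an empty list means nothing suspicious was seen."""
    out = []
    for name, dest in find_rogue_tunnels(config, trusted_nets):
        out.append(f"{name}: tunnel destination {dest} is outside trusted address space")
    for iface, rmap, hop, tname in find_pbr_into_tunnels(config):
        out.append(f"{iface}: route-map {rmap} sends matching traffic to {hop} via {tname}")
    return out


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

On the constructed config the audit reports the tunnel to 198.51.100.77 and the route-map that diverts SMTP (access-list 101) into it. A real review would run this against configs pulled over a trusted channel and compare them with a known-good baseline, since an attacker with enable access can also edit what the device displays.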

Page 24: Information Security Risk Management

Exploit Example: Web Server

Microsoft IIS Vulnerability & Exploit

This vulnerability enables intruders to deface Web sites, install worms that attack other sites, or leverage them as stepping-stones to penetrate back-end systems such as database servers with credit card data.

- Once administrative (SYSTEM-level) access was gained to the Client’s Web server, Psiframe had full control over all files and configuration settings.

- From the Web server, Psiframe was able to penetrate further and access other systems on the Client's internal network that “trusted” the Web server through the firewall. A Web server in a DMZ should carry no such inbound trust: the firewall should permit only the specific back-end connections the application needs, so that a compromised Web server cannot become a pivot point.

Page 25: Information Security Risk Management

Exposing Firewall Circumventions

- Vulnerable Systems, Services and Software

- Misconfigured Firewalls & Network Topologies

- Dual-Homed Devices

- Modems

- Rogue & Insecure Wireless Access Points

Page 26: Information Security Risk Management

Firewall Circumvention Example

(Diagram not reproduced in the transcript.)

Page 27: Information Security Risk Management

“WiFi” Wireless LANs

- 2003 Worldwide Users: 5 Million +

- Advertised Useable Distance: ~ 300 Feet

- Encryption: None (default) / 40-bit & 128-bit keys (WEP). WEP with either key length was already known to be breakable by 2003 (key-recovery attacks on its RC4 keystream were published in 2001), so “WEP enabled” should not be read as “protected”.

- Authentication: None (default) / Various Types

- User IP Address Assignment: Auto (default) / None

Page 28: Information Security Risk Management

“WiFi” Wireless LANs

“By year-end 2002, 30 percent of enterprises will suffer serious security exposures from deploying wireless local area networks (WLANs) without implementing the proper security… At least 20 percent of enterprises already have ‘rogue’ WLANs attached to their corporate networks, installed by users looking for the convenience of wireless and unwilling to wait for the IS organization to take the lead… Fixing the exposure after a hacking attack cannot recapture lost intellectual property and sensitive customer information.” — Gartner

Source: http://www.gartner.com/5_about/press_releases/2001/pr20010809b.html

Page 29: Information Security Risk Management

Wireless “WiFi” LANs

Potrero Hill, San Francisco WiFi Access Points, July 1, 2003 Drive Count = 376 (map not reproduced in the transcript)

- Green: No Encryption

- Red: Encryption (WEP) Enabled

Note: Unpopulated streets not scanned.

Page 30: Information Security Risk Management

Exploiting WiFi Range Extension

Intercepting Client Data 1.2 Miles From Source

Page 31: Information Security Risk Management

Information Leakage Examples

- Whois: Search Domain Account Holder Records
  http://www.xwhois.com

- Dig-It: Query DNS for Host Names & IP Addresses
  http://us.mirror.menandmice.com/cgi-bin/DoDig

- Netcraft: What’s That Site Running?
  http://www.netcraft.com

- Google: Technical Newsgroup Archives
  http://groups.google.com

Page 32: Information Security Risk Management

Info Leakage Example: Netcraft

Source: http://www.netcraft.com
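What the sources on the two leakage slides above (WHOIS, DNS queries, Netcraft-style banners) actually hand an outsider, as an added offline example that is not part of the Psiframe presentation: a Python pass over constructed WHOIS text, DNS records and an HTTP response header block that lists internal addresses published in public DNS, hostnames that advertise their role, version-revealing HTTP headers and contact details usable for social engineering. The three inputs are constructed samples (example.com, TEST-NET addresses, a 555 phone number), and the role keywords and the RFC 1918 check are my own heuristics, not anything the slides specify.

```python
"""Added example, not from the Psiframe slides: inventory what public WHOIS,
DNS and HTTP banner data reveal about a target, without touching the target.

Assumptions (mine): BIND-style zone lines, raw HTTP response headers and a
plain-text WHOIS block. All inputs below are constructed samples.
"""
import ipaddress
import re

# Constructed sample DNS data (as a zone-transfer or dig dump would show it).
DNS_DUMP = """\
example.com.        3600 IN SOA   ns1.example.com. hostmaster.example.com. 2003071601 7200 3600 1209600 3600
example.com.        3600 IN NS    ns1.example.com.
example.com.        3600 IN MX    10 mail.example.com.
mail.example.com.   3600 IN A     203.0.113.25
www.example.com.    3600 IN A     203.0.113.80
vpn.example.com.    3600 IN A     203.0.113.9
dev-db.example.com. 3600 IN A     10.1.2.3
backup.example.com. 3600 IN CNAME dev-db.example.com.
"""

# Constructed sample HTTP response headers (the kind Netcraft reports on).
HTTP_HEADERS = """\
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-Powered-By: ASP.NET
Date: Wed, 16 Jul 2003 18:00:00 GMT
Content-Type: text/html
"""

# Constructed sample WHOIS record.
WHOIS_TEXT = """\
Registrant Name: Jane Example
Registrant Email: jane.example@example.com
Admin Phone: +1.5555550100
Name Server: NS1.EXAMPLE.COM
"""

# RFC 1918 ranges checked explicitly (ipaddress.is_private would also flag TEST-NET).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Heuristic substrings that tell an attacker what a host is for (my choice of keywords).
ROLE_HINTS = ("vpn", "dev", "test", "backup", "db", "admin", "intranet")


def dns_findings(zone_text):
    """Private addresses published in public DNS, and hostnames that advertise a role."""
    private_ips, role_hints, seen = [], [], set()
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        name, rtype, rdata = parts[0].rstrip("."), parts[3], parts[4]
        if rtype == "A" and any(ipaddress.ip_address(rdata) in net for net in RFC1918):
            private_ips.append((name, rdata))
        label = name.split(".")[0]          # only the host label, not the domain
        if name not in seen and any(h in label for h in ROLE_HINTS):
            seen.add(name)
            role_hints.append(name)
    return {"private_ips": private_ips, "role_hints": role_hints}


def banner_findings(headers_text):
    """Version-revealing response headers, keyed by canonical header name."""
    wanted = {"server": "Server", "x-powered-by": "X-Powered-By"}
    found = {}
    for line in headers_text.splitlines():
        m = re.match(r"([\w-]+):\s*(.+?)\s*$", line)
        if m and m.group(1).lower() in wanted:
            found[wanted[m.group(1).lower()]] = m.group(2)
    return found


def whois_findings(whois_text):
    """Contact details usable for social engineering or account-recovery attacks."""
    emails = re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", whois_text)
    phones = re.findall(r"\+?\d[\d.\-]{6,}\d", whois_text)
    return {"emails": emails, "phones": phones}


def leakage_report(zone_text, headers_text, whois_text):
    """One line per item: the outsider's starting inventory for the target."""
    lines, d = [], dns_findings(zone_text)
    for name, ip in d["private_ips"]:
        lines.append(f"DNS leaks internal address: {name} -> {ip}")
    for name in d["role_hints"]:
        lines.append(f"DNS hostname hints at role: {name}")
    for hdr, val in banner_findings(headers_text).items():
        lines.append(f"HTTP banner reveals software: {hdr}: {val}")
    w = whois_findings(whois_text)
    for e in w["emails"]:
        lines.append(f"WHOIS exposes contact email: {e}")
    for p in w["phones"]:
        lines.append(f"WHOIS exposes contact phone: {p}")
    return lines


if __name__ == "__main__":
    for line in leakage_report(DNS_DUMP, HTTP_HEADERS, WHOIS_TEXT):
        print(line)
```

The remedies are the inverse of the findings: serve internal names and addresses from a separate internal DNS view rather than the public zone, remove or genericize the Server and X-Powered-By headers, and register domains with role mailboxes and switchboard numbers rather than a named individual's contact details.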

Page 33: Information Security Risk Management

Info Leakage Example: Newsgroups

Page 34: Information Security Risk Management

Recognizing Critical Infrastructure

- IP Asset Storage Locations & Shared Files

- Authorized Users & Privileges

- Networked Devices & Services

- Access Points

- Interconnections

- Single Points of Failure

- Failover, Backup & Recovery Systems

Page 35: Information Security Risk Management

Locking Down With Best Practices

“Best Practices” is a Consensus of Approaches

- SANS Institute
  http://www.sans.org/resources

- NSA Security Recommendation Guides
  http://nsa.gov/snac

- IETF Site Security Handbook
  http://www.ietf.org/rfc/rfc2196.txt

- NIST Computer Security Resource Center
  http://csrc.nist.gov

- AICPA Trust Services Principles and Criteria
  http://www.aicpa.org/assurance/systrust/princip.htm

Page 36: Information Security Risk Management

Maintaining Regulatory Compliance

Examples of New California & Federal Legislation

- Security Breach Information Act (California SB 1386)

- Notification of Risk to Personal Data Act (proposed federal bill, S. 1350)

- Consult Your Attorney

Page 37: Information Security Risk Management

New California Law

This bill, operative July 1, 2003, would require a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person...

Source: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

Page 38: Information Security Risk Management

Proposed Federal Law

A bill to require Federal agencies, and persons engaged in interstate commerce, in possession of electronic data containing personal information, to disclose any unauthorized acquisition of such information. This Act may be cited as the Notification of “Risk to Personal Data Act”...

Source: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_bills&docid=f:s1350is.txt.pdf

Page 39: Information Security Risk Management

Manage Process & Oversight

Strong Security Is Not An Option

- Cultivate C-Level Awareness

- Regularly Assess Risks, Threats & Vulnerabilities

- Provide Administrator Training

- Review Incident Detection, Reporting & Response Programs

Page 40: Information Security Risk Management

Why Leverage Psiframe?

- Real World Scenarios

- Comprehensive Audit Framework

- Impartial & Objective Findings

- Interactive RiskPoints eDeliverable

- Best Practice Recommendations

- Expert Knowledge & Skills Transfer

Page 41: Information Security Risk Management

Recommended Actions

1. Involve Board-Level Management

2. Review a Sample Composite Deliverable

3. Request an Engagement Agreement

4. Conduct a “Baseline” Assessment

5. Attend the Findings Presentation

6. Measure Improvement Quarterly

Page 42: Information Security Risk Management

Contact

- Fred Holborn

Desk 925.803.4131
Cell 925.876.6903
Email [email protected]
http://www.psiframe.com