
Page 1: Security Threats, #1 4-May 2004 Security Threats in the Internationally Networked World David Thompson Harris Corporation Dthomp03@harris.com 321-984-5799


Security Threats in the Internationally Networked World

David Thompson

Harris Corporation

Dthomp03@harris.com

321-984-5799


Who am I?

• Started my career at NSA in 1979

• Worked in Information Assurance for multiple companies over the years

• 9 years at DARPA

• Contributing Editor at eWeek

• Currently lead the Harris Information Assurance Center of Excellence
  – Focused on providing IA solutions for many US government programs


Information Protection Today

• It’s Tombstone, Arizona in the 1880s
  – Very little protection provided by law enforcement
  – Everyone carries their own gun for protection
  – The criminals prey on the weak

• How do you protect yourself from a pervasive international threat that operates outside jurisdictions, but can reach into your living room?


The Language of Threats

• threat n.
  1. An expression of an intention to inflict pain, injury, evil, or punishment.
  2. An indication of impending danger or harm.
  3. One that is regarded as a possible danger; a menace.


The Language of Threats

• risk n.
  1. The possibility of suffering harm or loss; danger.
  2. A factor, thing, element, or course involving uncertain danger; a hazard: “the usual risks of the desert: rattlesnakes, the heat, and lack of water” (Frank Clancy).
  3. One considered with respect to the possibility of loss: a poor risk.


The Language of Threats

• mitigation n.
  1. The act of mitigating, or the state of being mitigated; abatement or diminution of anything painful, harsh, severe, afflictive, or calamitous; as, the mitigation of pain, grief, rigor, severity, punishment, or penalty.


The Language of Threats

• Threats derive from the actions (intentional or unintentional) of others that could inflict harm upon you

• Risks encompass the harm that could be inflicted upon you if you do not take action

• Mitigations are the actions you take to protect yourself from risk

• The Bottom Line: You are the one who will suffer harm, and you are responsible for protecting yourself


The Nature of the Threat

• Threats come from people, not technologies

• There are a few categories of threats, but the techniques used number in the thousands

  • Hackers – Amateurs who break into systems for fun, vandalism or theft

  • Virus Producers – Programmers that produce self-replicating programs intended to move between systems without authorization

  • Spies – Professionals that break into systems with the intent of removing information of value

  • Users – Authorized system users that cause disruption through intent or error

  • White Hats – Professionals who break into systems to test security


The Nature of the Threat

HACKERS: Kevin Mitnick

• Born August 6, 1963

• Arrested by the FBI, February 15, 1995

• Held for 4 ½ years without a bail hearing due to concern of capability to execute weapons system control from a telephone

• Specialist in telephone hacking (phreaking) and social engineering

• Now CEO of a security consulting company

• Cost of hacking on US business
  – 1995 - $800M
  – 2003 - $2.8B
  – Small businesses suffer the most


The Nature of the Threat

Virus Producers: David Smith

• David Smith released Melissa in March 1999

• It traversed the world in a “rolling wave” following the rising sun

• Smith was arrested in April 1999, received a reduced sentence due to cooperation with the FBI

• Calls Melissa a “Colossal Mistake”

• Melissa (named after a Florida stripper) caused over $80M in damage in 1 day


The Nature of the Threat

Spies: John Walker Jr.

• Ran a “Family Spy Ring” providing information to the Soviet Union for decades

• Brother, son and wife were all involved in the espionage

• Was arrested in 1985 and sentenced to life in prison, without parole

• The Walker ring provided encryption keys to the Soviets, allowing the monitoring of naval communications


The Nature of the Threat

Users: Typical User

• Experts agree that the vast majority of threats stem from authorized users of the system

• Active attacks against internal systems

• Inadvertent actions that cause damage
  – Release virus
  – Access inappropriate information
  – Violate policy causing embarrassment

• Story – HBL Mercedes in Fairfax, Virginia


The Nature of the Threat

White Hats

• Sandia IORTA program

• Information Operations Red Team and Assessments

• Considered the Nation’s premier experts for conducting Red Team assessments on systems

• Don’t Forget – White Hats aren’t there to be your friend, and failing their tests can harm you (unemployment)


Real World Example

Transformational Communications

• Next Generation for military communications

• Based on a geosynchronous constellation of satellite-hosted high-performance routers

• Provides direct IP connectivity to land-, air- and sea-based assets globally

• Provides direct reach back to information, intelligence and command & control

• Harris providing Information Assurance expertise

TC Operational Environment


Real World Example

TC Connectivity


Real World Example

Portions of military networks (.mil domains) connect to the Internet


Real World Example

Mitigations include multiple layers of firewalls, two-factor authentication, channel separation through cryptography


Real World Example

- MS Windows is the dominant OS used by the military
- Viruses can be introduced at any point through communications or software loading


Real World Example

Virus detection is performed at all interfaces, centralized profile updates are performed


Real World Example

Adversaries will attempt to gain information through monitoring satellite signals
- Direct information gain
- Force location
- Traffic analysis


Real World Example

- Multiple levels of encryption are used to mask information
- Low probability of intercept (LPI) antennas used on terminals


Real World Example

- Multiple levels of classified information traverse the network
- User error contributing to exposure is of great concern


Real World Example

Channelization and High Assurance Guards protect against information exposure


Real World Example

- Red Team assessments are required for all government systems
- I am betting my career on getting this right


Conclusions

• There is no such thing as perfect security

• The threat is pervasive and the techniques/vulnerabilities ever changing

• Protections must evolve to meet these changes

• It is the responsibility of the security professionals to provide adequate mitigation to result in acceptable risk

Questions?