Information Security & Corporate Strategy
Threats to Information Security
Presentation in London, 1998
With Notes on Changes, 2002
Stephen Cobb, CISSP
Stephen Cobb, CISSP 2 of 35
This session: What are the threats?
• Agenda:
– Terms of reference
– Statistical and empirical data
– Examples of information security breaches and their effects on companies
– Putting threats in perspective
– The main threat categories in more detail
Themes:
Threats may seem technical, but many defenses require non-technical skills
Threats are not constant, may increase when times are tight
Skills required to deal with these issues are in short supply
So, what are the information security needs of the Internet-enabled company:
You need to protect the confidentiality, integrity and availability of data, given that:
A. Private data is now travelling on a public (untrusted) network
B. Your private network is now connected to a public (untrusted) network
C. Your private network users now have access to a public (untrusted) network
So who am I to talk about this?
• First infosecurity book from client perspective, 1992
• Certified Information System Security Professional
• Formerly with National Computer Security Association
• Former Director, Miora Systems Consulting (MSC)
• InfoSec Labs, Rainbow Technologies
• MSC beat Digital and Entrust in a security services RFP competition, April 98 — short-listed with Coopers & Lybrand, Price Waterhouse and CISCO Wheelgroup
• Involved in wide range of authorized penetration tests with 100% success rate
Statistics from the 5th Annual Information Security Survey, 1998
• 73% of European companies report information security risks have increased this year
• Highest security concern:
– network security (86%)
• Next highest security concerns:
– end-user security awareness (80%)
– winning top management commitment (80%)
Ernst&Young Computerworld Survey
Global Results from 29 Countries
Perceived security threats:
• Computer terrorists 28%
• Authorized users 26%
• Former employees 24%
• Unauthorized users 23%
• Contractors 19%
Ernst&Young Computerworld Survey
Global Results from 29 Countries
55% of companies lacked confidence that their systems could withstand an internal attack -- are these your business partners?
Statistics from a 1998 Survey by Computer Security Institute / FBI
• 64% of companies had incidents of unauthorized use of computer systems within the last 12 months.
• More than a third of incidents were from inside.
• 65% of companies experienced laptop theft.
Hong Kong Reuters Office Hacked: Traders at 5 banks lose price data for 36 hours
PA Teenager Charged With 5 Counts of Hacking: Southwestern Bell, BellCore, Sprint, and SRI hit. Costs to Southwestern Bell alone exceed $500,000
Citibank Hit in $10 Million Hack: Russian hacker had inside help. Several $100K not yet recovered.
Pair of surveys show 54%-58% of companies lost money due to computer break-ins in 1996
Compaq Ships Infected PCs: Virus Taints Big Japanese Debut
Computer Attack Knocks Out 3,000 Web Sites: 40 hour shutdown during busiest shopping season
U.S. Government Web Sites Hacked: NASA, Air Force, NASA, DoJ, CIA
Is it really that bad? YES!
And these are just ones that made the news....
Experience in the field
• About 50 information system security penetration assignments in the last 18 months
• 80% of these were corporations, the rest were state and local government agencies
• Some of these clients wanted tests because they lacked confidence in their security, but others asked because they were confident
• Number of systems we failed to penetrate: 0
– Average skill level required: 2 on a scale of 5
A closer look at one category: web site hacking
But the military would be tougher, right?
1st Communications Squadron, USAF, Langley, Virginia
They were not the only ones:
bestboard.com, puckplace.com, websignal.com, cybservice.com, threedot.com, yorktours.com, dpss.com, superbio.com, quinx.com, textscape.com, thewharf.com, rebel-tech.com, www.thermocrete.com, www.nuvocom.com, www.tvweather.com, www.danehip.com, www.centurydie.com, www.info168.com, www.cbd.de, www.presage.co.uk, www.boimag.co.uk, www.uranium.org/, www.pcgameworld.com/, www.cccookies.com/, www.shcp.gob.mx, www.ddd.fr, www.usuhs.mil, www.spiritualenigma.com, www.bojan.com
www.everything-pages.com, www.saflec.com, www.islandbound.com, www.fitp.org, www.language-arts.com, www.seaflower.com, www.kissfreaks.com, www.soteria.com, www.exclusivebda.com, www.intelinc.com, www.allpetsgotoheaven.com, www.gonebush.com, www.asean-countries.com, www.westernleisure.com, www.bestboard.com, www.brash.com, www.heylloyd.com, www.fetishbear.com, www.timbezo.com, www.cybersecret.com, www.w-3productions.com, www.3isecurity.com, midtenn.com, biohaz.com, www.odi.com.pl, www.knesset.gov.il, sunsite.ust.hk/
www.pcconcepts.com/, www.netbank.net.tw, www.kuniv.edu.kw, www.langley.af.mil, sistematix.com, www.onelifedrugfree.com/, www.huntingtimes.com, allwrestling.com, www.humblebums.com, www.ju.edu, www.thomasmore.edu, intellus.no/, iposerve.de, www.saatchi-saatchi.com/innovation/, www.rang.k12.va.us/, www.maxout.net, www.thermocreteusa.com, www.xhn.org, www.alis.com, www.top50mp3.com/, www.vpac.org/, www.phpages.com, www.gov.com/, www.on-the-hook.com, www.conceptsvisual.com, www.1792.com
80 more in first 3 weeks of Feb 98
Then the hacked site was hacked!
But what’s the harm?
• Web servers may be a path to internal systems
• Web servers may reveal information that can be leveraged to access internal systems
• Lost time, lost customers and confidence
• Lost revenue (if the site is doing e-commerce)
• But probably the biggest harm: Reputations
– personal, professional and corporate
We need perspective on these threats
• Why are we having these problems now?
– Same old problems, different manifestation?
– Deep-rooted problems only now coming to light
• Who is causing these problems?
– Threat agent assessment
– Threats vary according to social and economic factors, such as redundancies, downsizing
That was then --- This is now
• Glass house --- Distributed computing
• Limited attack points --- Multiple attack points
• Limited vulnerabilities --- Vulnerable technology
• Trustworthy friends and known enemies --- The best of friends may not have the best security
• Computer knowledge and networks limited --- Widespread computer literacy and connectivity
• Clear motives --- Mixed motives
Data on level of threat are hard to find, but we can ask: Who is likely to be a problem?
• Sample table of responses from security officers -- subject to change due to social and economic factors
This was an early version of the government’s critical infrastructure protection plan, circa 1998
The rush to deploy technology means the wrong tools are used, and warnings go unheeded
<FORM ACTION="/cgi-bin/pccgi02.exe/WF000100/ND00JD130538/?NodeId=0000?JobId=130538" METHOD="POST" >
<A NAME="MAIN NEW LOGON"></A>
<INPUT TYPE=HIDDEN NAME="EWF.SYS.01" VALUE="130538" >
<INPUT TYPE=HIDDEN NAME="EWF.SYS.03" VALUE="MAIN NEW LOGON" >
<INPUT TYPE="HIDDEN" SIZE="10" MAXLENGTH="100" NAME="USERID">
<INPUT TYPE="HIDDEN" SIZE="10" MAXLENGTH="100" NAME="PASSWORD">
<INPUT TYPE="HIDDEN" SIZE="10" MAXLENGTH="100" NAME="PHONE_NUMBER">
“Don't rely on hidden variables for security.” WWW Security FAQ, 1995
Bank access page, using hidden variables, 1998
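The slide makes its point with a bank logon form that carries the user ID, password and phone number in hidden inputs. A hidden field is only hidden from the rendered page: it is in the HTML source and in every POST body, so the browser's user controls it. The following Python is an added example, not from the slides or from the bank in question; it audits a constructed copy of that form for hidden fields with credential-like names, and shows the usual mitigation for the state a server legitimately round-trips through hidden fields (an HMAC the server checks on the way back). The field-name list and the demo key are assumptions chosen for illustration.

```python
from html.parser import HTMLParser
import hashlib
import hmac
import secrets

# Constructed sample: a copy of the hidden-variable logon form quoted on the slide.
LOGON_FORM = (
    '<FORM ACTION="/cgi-bin/pccgi02.exe/WF000100/ND00JD130538/?NodeId=0000?JobId=130538" METHOD="POST" >'
    '<A NAME="MAIN NEW LOGON"></A>'
    '<INPUT TYPE=HIDDEN NAME="EWF.SYS.01" VALUE="130538" >'
    '<INPUT TYPE=HIDDEN NAME="EWF.SYS.03" VALUE="MAIN NEW LOGON" >'
    '<INPUT TYPE="HIDDEN" SIZE="10" MAXLENGTH="100" NAME="USERID">'
    '<INPUT TYPE="HIDDEN" SIZE="10" MAXLENGTH="100" NAME="PASSWORD">'
    '<INPUT TYPE="HIDDEN" SIZE="10" MAXLENGTH="100" NAME="PHONE_NUMBER">'
    '</FORM>'
)

# Assumed name fragments that should never travel in a hidden input.
SENSITIVE_FRAGMENTS = ("user", "pass", "phone", "account", "pin", "ssn")


class HiddenFieldAuditor(HTMLParser):
    """Collect every hidden <input>; 'hidden' only means 'not rendered'."""

    def __init__(self):
        super().__init__()
        self.hidden = []  # (name, value) pairs in document order

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden":
            self.hidden.append((a.get("name", ""), a.get("value", "")))


def audit_hidden_fields(html):
    """Return the names of hidden fields that look like credentials or personal data."""
    parser = HiddenFieldAuditor()
    parser.feed(html)
    return [name for name, _ in parser.hidden
            if any(frag in name.lower() for frag in SENSITIVE_FRAGMENTS)]


def sign_state(state, key):
    """Server-side: attach a MAC to state that must round-trip through a hidden field.

    The value is still visible to the client; the MAC only stops it being altered.
    Secrets (passwords, session identity) still do not belong here at all.
    """
    mac = hmac.new(key, state.encode(), hashlib.sha256).hexdigest()
    return f"{state}.{mac}"


def verify_state(token, key):
    """Return the state if its MAC checks out, None if the client changed it."""
    state, _, mac = token.rpartition(".")
    expected = hmac.new(key, state.encode(), hashlib.sha256).hexdigest()
    return state if mac and hmac.compare_digest(mac, expected) else None


if __name__ == "__main__":
    print("Hidden fields carrying sensitive data:", audit_hidden_fields(LOGON_FORM))
    key = secrets.token_bytes(32)          # per-deployment server secret, never sent to the client
    token = sign_state("JobId=130538", key)
    print("Round-trip intact:", verify_state(token, key))
    print("Tampered copy:", verify_state(token.replace("130538", "999999"), key))
```

Run against the page's own form, the audit flags USERID, PASSWORD and PHONE_NUMBER. The signed-state helpers show the one legitimate use of a hidden field: carrying non-secret workflow state (the slide's JobId is that kind of value) that the server can prove was not edited in transit.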
Penetration Plan
Gather data
Map resources
Probe for access
Exploit holes
Escalate access
Execute plans
From: Information Warfare: Principles & Operations, E. Waltz, 1998
Threat: viruses
• Large US bank, assets $50 billion+
• Computer virus brought down operations for 2 days
• Infected 90% of the bank's 300 file servers and 10,000 client workstations across 6 cities in 4 states.
• Production data was not damaged, but company’s balance sheet was, by at least $400,000.
• Recent studies show average cost of recovering from a virus incident on a network = $10,000 to $15,000
• But as much as $1 million has been lost in a single virus incident!
Top 8 Viruses = 54% of Incidents
Name         Type   Incidents  Percent
CAP          Macro  97         20.7
Concept      Macro  29         6.2
Form         Boot   29         6.2
AntiEXE      Boot   27         5.8
Parity_Boot  Boot   22         4.7
Monkey       Boot   17         3.6
Ripper       Boot   17         3.6
Laroux       Macro  16         3.4
According to Virus Bulletin and Joe Wells’ Wild List, January 98
2002! One Virus = 77% of Incidents
Name            Type   Incidents  Percent
Win32/Klez      File   4644       77.22%
Win32/Yaha      File   289        4.81%
Win32/Magistr   File   198        3.29%
Win32/BadTrans  File   147        2.44%
Win32/Frethem   File   135        2.24%
Win32/SirCam    File   104        1.73%
Win32/Nimda     File   66         1.10%
Win32/Hybris    File   61         1.01%
Laroux          Macro  49         0.81%
According to Virus Bulletin and Joe Wells’ Wild List, August 2002
Other malicious code
• Logic bomb: dormant code inserted within a larger program, activation of which causes harm (e.g. recent $10 million Omega case)
• Trojan Horse: a program designed to appear legitimate in order to enter a system and execute its own agenda (e.g. AIDS disk)
• Worm: a program which copies itself many times over, hogging space and other resources, without permission (e.g. Internet worm, 1988)
• Active content (Java, ActiveX)
Virus types
• Boot sector
• File viruses
• Multi-partite
• Macro viruses
• Virtual (hoax) viruses
• Miscellaneous
Let’s take a look at how a typical computer virus infection spreads...
[Diagram: an infected Home PC, Office PC and Server passing the infection across the Company Network]
Former General Motors employee Lopez allegedly stole approximately 90,000 text pages of trade secrets transferring them from US to Germany via GM's intranet then downloading them onto VW's computers...
It cost Lopez his job. VW paid over $100 million to GM to settle the case.
Threat: insider abuse, a major threat to company secrets
• Exploited by competitors
– American v. Northwest
– GM and VW
• Exploited by partners
– BA v. Virgin
– others
• By government agencies
– sting operations, piracy
Do people really do that?
• Yes, they do! October 1996, Daniel Worthing obtained work at PPG Industries through a contract with Affiliated Building Services.
• Began to stockpile proprietary information, including special formulas relating to new products such as an experimental fiberglass.
• When he tried to sell to PPG’s competitor, Owens-Corning Fiberglass, they turned him in to FBI.
• He pled guilty to the theft of proprietary information, value? $20 million!
Do people really do that?
“The United States counterintelligence community has specifically identified the suspicious collection and acquisition activities of foreign entities from at least 23 countries.” NACIC 1997 Annual Report on Foreign Economic Collection & Industrial Espionage
1998 CSI/FBI Study
Unauthorized access by employees: 44%
Denial of service attacks: 25%
System penetration from the outside: 24%
Theft of proprietary information: 18%
Incidents of financial fraud: 15%
Sabotage of data or networks: 14%
2002, and mindless attacks continue
• Hackers broke into the computer systems belonging to a clinic in the UK, altered medical records of 6 patients who had just been screened for cancer—switched test results from negative to positive—those patients spent several days thinking that they had cancer
• The night before a patient was due to have a brain tumor removed, hackers broke into the computer where the tests were stored and corrupted the database. Surgery had to be postponed while the tests were redone.
Source: Richard Pethia, CERT, Software Engineering Institute (SEI), Pittsburgh
Why? Because We Can
Slogan from DEF CON III, Las Vegas, 1995