
Information Security & Corporate Strategy
Threats to Information Security
Presentation in London, 1998
With Notes on Changes, 2002

Stephen Cobb, CISSP

Stephen Cobb, CISSP 2 of 35

This session: What are the threats?

• Agenda:
– Terms of reference
– Statistical and empirical data
– Examples of information security breaches and their effects on companies
– Putting threats in perspective
– The main threat categories in more detail

• Themes:
– Threats may seem technical, but many defenses require non-technical skills
– Threats are not constant and may increase when times are tight
– Skills required to deal with these issues are in short supply


So, what are the information security needs of the Internet-enabled company?

You need to protect the confidentiality, integrity and availability of data, given that:

A. Private data is now travelling on a public (untrusted) network

B. Your private network is now connected to a public (untrusted) network

C. Your private network users now have access to a public (untrusted) network


So who am I to talk about this?

• First infosecurity book from client perspective, 1992
• Certified Information System Security Professional
• Formerly with National Computer Security Association
• Former Director, Miora Systems Consulting (MSC)
• InfoSec Labs, Rainbow Technologies
• MSC beat Digital and Entrust in a security services RFP competition, April 98 — short-listed with Coopers & Lybrand, Price Waterhouse and CISCO Wheelgroup
• Involved in wide range of authorized penetration tests with 100% success rate


Statistics from the 5th Annual Information Security Survey, 1998 (Ernst & Young / Computerworld survey, global results from 29 countries)

• 73% of European companies report information security risks have increased this year
• Highest security concern:
– network security (86%)
• Next highest security concerns:
– end-user security awareness (80%)
– winning top management commitment (80%)


Perceived security threats (Ernst & Young / Computerworld survey, global results from 29 countries):

• Computer terrorists 28%
• Authorized users 26%
• Former employees 24%
• Unauthorized users 23%
• Contractors 19%

55% of companies lacked confidence that their systems could withstand an internal attack -- are these your business partners?


Statistics from a 1998 Survey by Computer Security Institute / FBI

• 64% of companies had incidents of unauthorized use of computer systems within the last 12 months.

• More than a third of incidents were from inside.

• 65% of companies experienced laptop theft.


Hong Kong Reuters Office Hacked: Traders at 5 banks lose price data for 36 hours

PA Teenager Charged With 5 Counts of Hacking: Southwestern Bell, BellCore, Sprint, and SRI hit. Costs to Southwestern Bell alone exceed $500,000

Citibank Hit in $10 Million Hack: Russian hacker had inside help. Several $100K not yet recovered.

Pair of surveys show 54%-58% of companies lost money due to computer break-ins in 1996

Compaq Ships Infected PCs: Virus Taints Big Japanese Debut

Computer Attack Knocks Out 3,000 Web Sites: 40 hour shutdown during busiest shopping season

U.S. Government Web Sites Hacked: NASA, Air Force, NASA, DoJ, CIA

Is it really that bad? YES! And these are just the ones that made the news....


Experience in the field

• About 50 information system security penetration assignments in the last 18 months

• 80% of these were corporations, the rest were state and local government agencies

• Some of these clients wanted tests because they lacked confidence in their security, but others asked because they were confident

• Number of systems we failed to penetrate: 0
– Average skill level required: 2 on a scale of 5


A closer look at one category: web site hacking


Hacked by Trix and Vertex


But the military would be tougher, right?

1st Communications Squadron, USAF, Langley, Virginia


Why? This one was a protest


They were not the only ones:

bestboard.com, puckplace.com, websignal.com, cybservice.com, threedot.com, yorktours.com, dpss.com, superbio.com, quinx.com, textscape.com, thewharf.com, rebel-tech.com, www.thermocrete.com, www.nuvocom.com, www.tvweather.com, www.danehip.com, www.centurydie.com, www.info168.com, www.cbd.de, www.presage.co.uk, www.boimag.co.uk, www.uranium.org/, www.pcgameworld.com/, www.cccookies.com/, www.shcp.gob.mx, www.ddd.fr, www.usuhs.mil, www.spiritualenigma.com, www.bojan.com

www.everything-pages.com, www.saflec.com, www.islandbound.com, www.fitp.org, www.language-arts.com, www.seaflower.com, www.kissfreaks.com, www.soteria.com, www.exclusivebda.com, www.intelinc.com, www.allpetsgotoheaven.com, www.gonebush.com, www.asean-countries.com, www.westernleisure.com, www.bestboard.com, www.brash.com, www.heylloyd.com, www.fetishbear.com, www.timbezo.com, www.cybersecret.com, www.w-3productions.com, www.3isecurity.com, midtenn.com, biohaz.com, www.odi.com.pl, www.knesset.gov.il, sunsite.ust.hk/

www.pcconcepts.com/, www.netbank.net.tw, www.kuniv.edu.kw, www.langley.af.mil, sistematix.com, www.onelifedrugfree.com/, www.huntingtimes.com, allwrestling.com, www.humblebums.com, www.ju.edu, www.thomasmore.edu, intellus.no/, iposerve.de, www.saatchi-saatchi.com/innovation/, www.rang.k12.va.us/, www.maxout.net, www.thermocreteusa.com, www.xhn.org, www.alis.com, www.top50mp3.com/, www.vpac.org/, www.phpages.com, www.gov.com/, www.on-the-hook.com, www.conceptsvisual.com, www.1792.com

80 more in first 3 weeks of Feb 98. Then the hacked site was hacked!


But what’s the harm?

• Web servers may be a path to internal systems

• Web servers may reveal information that can be leveraged to access internal systems

• Lost time, lost customers and confidence

• Lost revenue (if the site is doing e-commerce)

• But probably the biggest harm: reputations
– personal, professional and corporate


We need perspective on these threats

• Why are we having these problems now?
– Same old problems, different manifestation?
– Deep-rooted problems only now coming to light
• Who is causing these problems?
– Threat agent assessment
– Threats vary according to social and economic factors, such as redundancies, downsizing


That was then --- This is now

That was then:
• Glass house
• Limited attack points
• Limited vulnerabilities
• Trustworthy friends and known enemies
• Computer knowledge and networks limited
• Clear motives

This is now:
• Distributed computing
• Multiple attack points
• Vulnerable technology
• The best of friends may not have the best security
• Widespread computer literacy and connectivity
• Mixed motives


Data on level of threat are hard to find, but we can ask: Who is likely to be a problem?

• Sample table of responses from security officers -- subject to change due to social and economic factors


Map threats relative to technical skills and business knowledge


This was an early version of the government’s critical infrastructure protection plan, circa 1998


LANs to WANs, to GANs, problems long postponed are finally catching up


The rush to deploy technology means the wrong tools are used, and warnings go unheeded

<FORM ACTION="/cgi-bin/pccgi02.exe/WF000100/ND00JD130538/?NodeId=0000?JobId=130538" METHOD="POST" >
<A NAME="MAIN NEW LOGON"></A>
<INPUT TYPE=HIDDEN NAME="EWF.SYS.01" VALUE="130538" >
<INPUT TYPE=HIDDEN NAME="EWF.SYS.03" VALUE="MAIN NEW LOGON" >
<INPUT TYPE="HIDDEN" SIZE="10" MAXLENGTH="100" NAME="USERID">
<INPUT TYPE="HIDDEN" SIZE="10" MAXLENGTH="100" NAME="PASSWORD">
<INPUT TYPE="HIDDEN" SIZE="10" MAXLENGTH="100" NAME="PHONE_NUMBER">

“Don't rely on hidden variables for security.” (WWW Security FAQ, 1995)

Bank access page, using hidden variables, 1998
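The bank page above carries USERID, PASSWORD and PHONE_NUMBER as hidden inputs, yet everything in a POST body is chosen by the client, so reading identity from such a field trusts the browser. The following is an added example, not code from the slides or from any bank: it contrasts that naive pattern with a handler that rebuilds identity only from a server-issued, HMAC-signed, expiring token. The names (SESSION_TOKEN, SERVER_KEY, TOKEN_TTL and the functions) and the secret are illustrative assumptions.

```python
"""Hidden form fields vs. server-verified identity (added example).

Assumed design: the server issues a token of the form user|expiry|hmac and
accepts a form only if that token verifies. The key below is a stand-in;
a real deployment loads it from a key store, never from source.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs

SERVER_KEY = b"example-only-server-secret"  # assumed; placeholder value
TOKEN_TTL = 900  # assumed lifetime of a login token, in seconds


def parse_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded POST body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def naive_current_user(form: dict) -> str:
    """The pattern the slide warns about: identity is whatever the hidden field says."""
    return form.get("USERID", "")


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Build user|expiry|HMAC-SHA256(user|expiry) using the server key."""
    expiry = int((now if now is not None else time.time()) + TOKEN_TTL)
    payload = f"{user_id}|{expiry}".encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return f"{payload.decode()}|{mac}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is authentic and unexpired, else None.

    A user id containing '|' would split into more than three parts and is
    rejected rather than parsed ambiguously.
    """
    parts = token.split("|")
    if len(parts) != 3:
        return None
    user_id, expiry_str, mac = parts
    if not expiry_str.isdigit():
        return None
    payload = f"{user_id}|{expiry_str}".encode()
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so response timing does not leak how much of the MAC matched.
    if not hmac.compare_digest(expected, mac):
        return None
    current = now if now is not None else time.time()
    if current > int(expiry_str):
        return None
    return user_id


def hardened_current_user(form: dict, now: Optional[float] = None) -> Optional[str]:
    """Identity comes only from a token the server itself signed; USERID is ignored."""
    return verify_token(form.get("SESSION_TOKEN", ""), now)


if __name__ == "__main__":
    # Constructed request bodies, not captured traffic.
    forged = parse_form_body("USERID=someone_else&PASSWORD=x&PHONE_NUMBER=0")
    print("naive handler sees:", naive_current_user(forged))      # someone_else
    print("hardened handler sees:", hardened_current_user(forged))  # None
    good = parse_form_body("SESSION_TOKEN=" + issue_token("alice", now=1000.0))
    print("hardened handler with valid token:", hardened_current_user(good, now=1100.0))  # alice
```

The naive handler accepts any USERID the client cares to send; the hardened one returns None for a form that lacks a valid token, for a token whose user field was edited (the MAC no longer matches), and for a token past its expiry. Keeping the session record entirely server-side, keyed by a random cookie, is the other standard option; signing is shown here because it keeps the example self-contained.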


Penetration Plan
• Gather data
• Map resources
• Probe for access
• Exploit holes
• Escalate access
• Execute plans

From: Information Warfare: Principles & Operations, E. Waltz, 1998


Threat: viruses

• Large US bank, assets $50 billion+
• Computer virus brought down operations for 2 days
• Infected 90% of the bank's 300 file servers and 10,000 client workstations across 6 cities in 4 states.
• Production data was not damaged, but the company’s balance sheet was, by at least $400,000.
• Recent studies show average cost of recovering from a virus incident on a network = $10,000 to $15,000
• But as much as $1 million has been lost in a single virus incident!


Top 8 Viruses = 54% of Incidents

Name         Type   Incidents  Percent
CAP          Macro     97       20.7
Concept      Macro     29        6.2
Form         Boot      29        6.2
AntiEXE      Boot      27        5.8
Parity_Boot  Boot      22        4.7
Monkey       Boot      17        3.6
Ripper       Boot      17        3.6
Laroux       Macro     16        3.4

According to Virus Bulletin and Joe Wells’ Wild List, January 98


2002! One Virus = 77% of Incidents

Name            Type   Incidents  Percent
Win32/Klez      File     4644     77.22%
Win32/Yaha      File      289      4.81%
Win32/Magistr   File      198      3.29%
Win32/BadTrans  File      147      2.44%
Win32/Frethem   File      135      2.24%
Win32/SirCam    File      104      1.73%
Win32/Nimda     File       66      1.10%
Win32/Hybris    File       61      1.01%
Laroux          Macro      49      0.81%

According to Virus Bulletin and Joe Wells’ Wild List, August 2002


Other malicious code

• Logic bomb: dormant code inserted within a larger program, activation of which causes harm (e.g. recent $10 million Omega case)
• Trojan Horse: a program designed to appear legitimate in order to enter a system and execute its own agenda (e.g. AIDS disk)
• Worm: a program which copies itself many times over, hogging space and other resources, without permission (e.g. Internet worm, 1988)
• Active content (Java, ActiveX)


Virus types

• Boot sector
• File viruses
• Multi-partite
• Macro viruses
• Virtual (hoax) viruses
• Miscellaneous

Let’s take a look at how a typical computer virus infection spreads...

[Diagram: Home PC, Office PC, Server and Company Network, each marked INFECTED]


Threat: insider abuse, a major threat to company secrets

Former General Motors employee Lopez allegedly stole approximately 90,000 text pages of trade secrets, transferring them from the US to Germany via GM's intranet and then downloading them onto VW's computers... It cost Lopez his job. VW paid over $100 million to GM to settle the case.

• Exploited by competitors
– American v. Northwest
– GM and VW
• Exploited by partners
– BA v. Virgin
– others
• By government agencies
– sting operations, piracy


Do people really do that?

• Yes, they do! October 1996, Daniel Worthing obtained work at PPG Industries through a contract with Affiliated Building Services.

• Began to stockpile proprietary information, including special formulas relating to new products such as an experimental fiberglass.

• When he tried to sell to PPG’s competitor, Owens-Corning Fiberglass, they turned him in to the FBI.

• He pled guilty to the theft of proprietary information, value? $20 million!


Do people really do that?

“The United States counterintelligence community has specifically identified the suspicious collection and acquisition activities of foreign entities from at least 23 countries.” (NACIC 1997 Annual Report on Foreign Economic Collection & Industrial Espionage)

Incident types reported in the 1998 CSI/FBI Study:
• Unauthorized access by employees: 44%
• Denial of service attacks: 25%
• System penetration from the outside: 24%
• Theft of proprietary information: 18%
• Incidents of financial fraud: 15%
• Sabotage of data or networks: 14%


2002, and mindless attacks continue

• Hackers broke into the computer systems belonging to a clinic in the UK and altered the medical records of 6 patients who had just been screened for cancer, switching test results from negative to positive; those patients spent several days thinking that they had cancer
• The night before a patient was due to have a brain tumor removed, hackers broke into the computer where the tests were stored and corrupted the database. Surgery had to be postponed while the tests were redone

Source: Richard Pethia, CERT / Software Engineering Institute (SEI), Pittsburgh

“Why? Because We Can” (Slogan from DEF CON III, Las Vegas, 1995)


Thank You!

• Questions?

• Email me at sc at cobb associates dot com

• Visit www.cobbassociates.com