Transcript

Host Based Security

John Scrimsher, CISSP

jps@hp.com

Virus Control

Prestidigitation

Why Host Security?

Defense in Depth

Threat management
• Identification
• Assessment
• Response / Containment

Incident Management
• Coordination of efforts
• Damage Control
• Public Relations

Why Host Based Security? Perimeter Security vs. Host Based

[Chart: 66% vs. 34%, with cost labels $ and $$$]

Why Host Based Security? Threat management: Identification
• Malware
• Internal Threats
• Employee Theft
• Unpatched systems

What is Malware?

Anything that you would not want deliberately installed on your computer.

• Viruses
• Worms
• Trojans
• Spyware
• More…

Where are the threats? Threat management: Assessment
• Un-patched Computers
• Email
• Network File Shares
• Internet Downloads
• Social Engineering
• Blended Threats
• Hoaxes / Chain Letters

The Common Factor

Phishing

Email messages sent to large distribution lists.

Disguised as legitimate businesses

Steal personal information

Identity Theft

Since viruses can be used to steal personal data, that data can be used to steal your identity.

• Phishing
• Keystroke loggers
• Trojans
• Spyware

Now, what do we do about it? Threat Management: Containment

C.I.A. Security Model
• Confidentiality
• Integrity
• Availability

Current Solutions
• Antivirus / AntiSpyware
• Personal Firewall / IDS / IPS
• User Education

Current Security View

Red Pill / Blue Pill

How do these products help? Host Firewall / IPS blocks many unknown and known threats.

How do these products help? Antivirus

Captures threats that use common access methods:
• Web Downloads
• Email
• Application Attacks (Buffer Overflow)

VBSim demo

Social Engineering

… 70 percent of those asked said they would reveal their computer passwords for a …

Schrage, Michael. 2005. Retrieved from http://www.technologyreview.com/articles/05/03/issue/review_password.asp?p=1

Bar of chocolate

Educated Users Help

“The biggest threat to the security of a company is not a computer virus, an unpatched hole in a key program or a badly installed firewall. In fact, the biggest threat could be you. What I found personally to be true was that it's easier to manipulate people rather than technology. Most of the time organizations overlook that human element.”

Mitnick, Kevin, “How to Hack People.” BBC NewsOnline, October 14, 2002.

How do these products help?

User Education

Don’t open suspicious email

Don’t download software from untrusted sites.

Patch

Things to look for…
• Unusually high number of network connections (netstat -a)
• CPU Utilization
• Unexpected modifications to the registry RUN section
• Higher than normal disk activity
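The first and third indicators on that list are easy to watch for automatically. The script below is an added example, not from the presentation: it snapshots the Run autostart keys and the TCP connection count, writes a baseline on first run, and warns on later runs when a new Run entry appears or the connection count is well above the baseline. It assumes Windows PowerShell 5.1 or later with Get-NetTCPConnection available (Windows 8 / Server 2012 and newer); the baseline file path and the "3x baseline" threshold are assumptions, not the speaker's.

```powershell
# Added example (not from the original talk): baseline-and-compare check for
# unexpected Run-key changes and an unusually high connection count.
# Assumptions: Windows PowerShell 5.1+, Get-NetTCPConnection present,
# baseline path and the 3x threshold are arbitrary placeholders.
$BaselinePath = "$env:ProgramData\hostcheck-baseline.json"
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-HostSnapshot {
    # Autostart entries from the Run keys as "key|name=command" strings
    $run = foreach ($key in $RunKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # Skip the PSPath/PSDrive/... metadata properties
                if ($p.Name -notmatch '^PS') { "$key|$($p.Name)=$($p.Value)" }
            }
        }
    }
    # Connection counts, the same figures a person would eyeball in netstat -a
    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RunEntries  = @($run)
        Established = @($conns | Where-Object State -eq 'Established').Count
        Listening   = @($conns | Where-Object State -eq 'Listen').Count
    }
}

$now = Get-HostSnapshot
if (-not (Test-Path $BaselinePath)) {
    $now | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
    return
}
$base = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json

# Any Run entry absent from the baseline is an unexpected autostart modification
$newRun = Compare-Object -ReferenceObject @($base.RunEntries) -DifferenceObject $now.RunEntries |
    Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject
foreach ($e in $newRun) { Write-Warning "New Run entry: $e" }

# Flag an established-connection count far above baseline (floor of 5 avoids
# noise on an idle baseline; factor 3 is an assumed threshold)
if ($now.Established -gt 3 * [math]::Max([int]$base.Established, 5)) {
    Write-Warning "Established connections: $($now.Established) (baseline $($base.Established))"
}
```

Run it once on a known-clean host to record the baseline, then on a schedule; delete the baseline file after legitimate software installs so the new Run entries are re-learned.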

Open Source
• Shared information
• Business Models
• Is it more secure?
• Development model: security reviewers tend to be the same people doing the proprietary reviews
• Value in education
• Lots of good security tools

Open Source - Browsers: Firefox vs. Internet Explorer

Vulnerabilities reported in 2005

Source              Internet Explorer   Firefox
SecurityFocus       43                  43
Secunia Research    9                   17
Symantec            13                  21

What about shared vulnerabilities? Plugins, WMF images

What is Management’s role? Management ties everything together
• Responsibility
• Ownership

[Diagram: layers labelled Technology, Infrastructure, Organization, Management]

Security is a Mindset, not a service. It must be a part of all decisions and implementations.

What is Management’s Role?
• Compliance Monitoring
• Policy Enforcement
• Damage Control / Public Relations

Management’s Role

Compliance Monitoring
• Keep aware of security posture
• Legal requirements
• Company policies
• Performance metrics

Management’s Role

Policy Enforcement
• Pro-actively address issues
• Re-active contingency plans
• Network access controls

Management’s Role

Damage Control
• Do you tell customers?
• What about the media?
• How soon to go public with results?
• What does it cost to respond?

Legal Issues
• Many countries are still developing laws
• Privacy Laws can prevent some investigation
• Regulatory Compliance
• Organized Crime

Regulatory Issues

• Sarbanes-Oxley Act (2002)
• Gramm-Leach-Bliley Act (1999)
• Health Information Portability and Accountability Act (1996)
• Electronic Communications Privacy Act (1986)

Notable Legal History

Robert Morris Jr. - “WANK” worm. First internet worm ever created, set loose by accident across the internet.

Randal Schwartz - hacked into Intel claiming he was trying to point out weaknesses in their security.

David Smith - Melissa. First known use of mass-mailing technique used in a malicious manner. Some jail time.

“OnTheFly”, The Netherlands - “Anna” virus using worm generator tool. The writer was a youth who was “remorseful” but little was done to punish him.

Philippines - “Loveletter”. No jail time because there were no laws.

Jeffrey Lee Parsons – 2005 – 18 months in prison for variant of Blaster worm.

Organized Crime

Kaspersky Quote

"It's hard to imagine a more ridiculous situation: a handful of virus writers are playing unpunished with the Internet, and not one member of the Internet community can take decisive action to stop this lawlessness. The problem is that the current architecture of the Internet is completely inconsistent with information security. The Internet community needs to accept mandatory user identification - something similar to driving licenses or passports. We must have effective methods for identifying and prosecuting cyber criminals or we may end up losing the Internet as a viable resource."

Eugene Kaspersky, Head of Antivirus Research

On the Horizon - Microsoft
• House on the hill
• Targeted because they are Big?
• Insecure because they are Big?

On the Horizon

• Network Access Controls
• Early Detection and Preventative Tools
• Virus Throttle
• Active CounterMeasures
• WAVE
• Anomaly Detection
• Viral Patching

On the Horizon

Viral Targets
• Mobile Phones, PDAs
• Embedded Operating Systems
• Automobiles
• Sewing Machines
• Bank Machines
• Kitchen Appliances

On the Horizon

• Octopus worms: multiple components working together
• Warhol Worms: MSBlaster was proof of capability
• Designer Worms: target-specific attacks
• Virus Sharing Clubs (VSCs)

Learn Learn Learn

Authors: Sarah Gordon, Peter Szor, Roger Grimes, Kris Kaspersky. Search your library or online.

Questions?

Resources
http://www.pcworld.com/news/article/0,aid,116163,00.asp
http://www.detnews.com/2003/technology/0309/03/technology-258376.htm
http://www.sans.org/rr/whitepapers/engineering/1232.php
http://www.research.ibm.com/antivirus/SciPapers/Gordon/Avenger.html