Through The Eye of The Hacker: A Look At Security And The Future
Krizi Trivisani, Chief Security Officer
Amy Hennings, Assistant Director
November 6, 2003
Copyright Krizi Trivisani, Amy Hennings 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Throughout 2003, the network has not been brought down by a security incident.
• Violations: 10’s of thousands
• Viruses Filtered: 1,629,194
• Security Committee Formed
• FTC and GLB
• Network Monitoring Upgrades
• Ashburn Data Center Created
Vulnerabilities on the Rise
[Chart: New Vulnerabilities per Week, '99 through '03 (projected); data labels 10, 25, 30, 50, 70. Source: Symantec]
What Attacks??
• A worm is a program or algorithm that replicates itself over a computer network and usually performs malicious actions, such as using up the computer's resources and possibly shutting the system down.
• A worm is a special type of virus that can replicate itself and use memory, but does not attach itself to other programs.
Worm In Action
Worldwide Impact of Slammer
• Telecommunications services failed throughout South Korea
• Airlines were impacted; several had to resort to manual backup procedures, which slowed service
• Thousands of ATMs and related transactions halted
• Bank of America
• Canadian Imperial Bank of Commerce in Toronto
• Publix supermarket cash back functions unavailable
• US Dept of State, Agriculture, Commerce, and units of Defense were hit especially hard.
• Analysts blame dip in Asian stock market on the worm
• Many news agencies were crippled:
– Associated Press
– The Philadelphia Inquirer
– The Atlanta Journal-Constitution
Blaster, Welchia, And Others
A recent survey including 882 respondents determined the following about the MS Blaster worm:
– Remediation cost $475,000 per company (median average, including hard, soft and productivity costs), with larger node-count companies reporting losses up to $4,228,000
– Entered company networks most often through infected laptops, then through VPNs, and finally through misconfigured firewalls or routers
– From TruSecure / ICSA Labs
Blaster, Welchia, And Others
• Slower moving
• Who was affected?
– Blaster infected over 500,000 IPs worldwide
– Maryland MVA
– BMW, 3M
– Air Canada cancelled flights
– Federal Reserve Bank of Atlanta
– Philadelphia’s City Hall
– Airports, Amtrak
– State Department (Welchia)
– Northeastern power grid ?
Who’s Vulnerable?
• "75% of all web servers running MS IIS 5.0 are vulnerable to exploitation."
– Security News Portal
What Are They Attacking?
• As of yesterday, MS has announced 31 new vulnerabilities since the end of the summer
• Exploits are developed much sooner
• Patches are quickly and narrowly developed
• Awareness is limited
• People don’t care
– I won’t do anything until my computer stops working.
Decentralized Attack Trends
• Why take the chance to rob a bank when it's much easier to rob the people as they leave the bank with money?
Why attack the server when users’ desktops are much easier to get to?
• Computer system enclosed in an electronic device
– Protection is poor or nonexistent
– Increased power of new devices
– Standardization
– No real scanning/assessment ability
• Do what you know, knowing they know what you’ll do
• Absolutely keep up to date on new vulnerabilities and exploits
– Even if you can’t stay a step ahead, at least keep up to date on what the new attacks/exploits are
• Keep in mind these trends: attacks will not continue to be primarily traditional attacks from the outside against core systems
Still A Critical Element: People Access
• People are our greatest asset and our weakest security link
• Security processes and technologies are developed to reduce the burden on people
• But, almost every security measure can be beaten by social engineering
– “Social engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.” The Art of Deception
Security Implementation Relies On:
• Policies must be developed, communicated, maintained and enforced
• Process: Processes must be developed that show how policies will be implemented
• People: People must understand their responsibilities regarding policy
• Technology: Systems must be built to technically adhere to policy
What Is Security Awareness?
Security awareness is knowledge of potential threats. It is the advantage of knowing what types of security issues and incidents members of our organization may face in the day-to-day routine of their University functions.
Technology alone cannot provide adequate information security. People, awareness and personal responsibility are critical to the success of any information security program.
Poor Awareness and Preparation
“It’s a frightening fact, but nine out of ten employees would unwittingly open or execute a dangerous virus-carrying email attachment”
“Two-thirds of security managers felt that the overall level of security awareness is either inadequate or dangerously inadequate”
“Nine out of ten employees revealed their password on request in exchange for a free pen”
These things don’t happen as a result of malicious intent, but rather a lack of awareness of security risks.
GW’s Security Awareness Program - Materials
• Program materials
– Monthly posters focusing on a specific awareness topic
– Monthly article in GW Technology Today
– Brochures available for: new students (Colonial Inauguration), new employees (Orientation), training programs
– Free security screen saver