Hackers Why? Who? What do they want? Where are you most vulnerable?
SKEEVE STEVENS [Former(?) Hacker]
I.T Security Consultant
Specialising in Security Theory, Trends, Policy, Disaster Prevention
- Australian Computer Crime and Security Survey (May 02)
  - ACCS Survey (the only survey of its kind in .au) reports more than 67% of respondents have been attacked/hacked during the 2001 period – 7% higher than the U.S. in the same period.
- InternetWeek
  - 50% of U.S. corporations have had 30 or more penetrations
  - 60% lost up to $200K/intrusion
- Federal Computing World
  - Over 50% of (U.S.) Federal government agencies report unauthorised access (some are massive numbers)
- FBI/Computer Security Institute
  - 48% of all attacks originated from within the organization
- WarRoom Research Survey
  - 90% of Fortune 500 companies in the U.S. surveyed admitted to inside security breaches
- Very few companies will talk. Too much fear of losing investor confidence and perhaps panicking the customer base (i.e. banks)
Networks Under Assault
Why? - Hacker Motivations
- There are many different motivations to hack
  - Experimentation and desire to learn
  - “Gang” mentality
  - Psychological needs (i.e. to be noticed?)
  - Misguided trust in other individuals
  - Altruistic reasons
  - Self-gratification
  - Revenge and malicious reasons
  - Emotional issues
  - Desire to embarrass the target (many reasons)
  - “Joyriding”
  - “Scorekeeping”
  - Espionage (corporate, governmental)
  - Criminal – Stalking, Intimidation, Hostage, Blackmail
Types of Hackers
Shades of Grey - Are all Hackers Bad?
- Black Hats (The Bad Ones)
  - Professional Crackers (Crime Gangs)
  - Corporate Espionage (Criminal in a suit – more common than companies realise – everyone has a competitor.)
  - e-Terrorists (with or without a motivation [eco-hackers])
  - ?
- White Hats (The Good Ones)
  - Corporate Security
  - Tiger Teams (with reputations – ISS)
  - Big 5 Audit/Testing Teams (PWC, etc)
  - Law Enforcement Hackers / Military eSecurity
- Grey Hats (The Not-so-Bad / Not-so-Good Ones)
  - Depends who’s paying
  - Freelancers – to the highest bidder, which can include LEAs
Who are the Hackers?
- 49% are inside employees or contractors on the internal network
- 17% come from dial-up (still inside people)
- 34% are from Internet or an external connection to another company of some sort
- The major area of financial loss in hacking is internal: more money is lost via internal hacking and exploitation (by a factor of 30 or more)
- Most of the hacking that is done is from technical personnel in technical positions within the company
Perimeter Security Is Not Enough
- Even the best perimeter firewall can be breached
- What happens to your corporate assets if the perimeter is breached?
- What protects your internal network if the perimeter security fails? Most Businesses = Nothing
- How do you know you have been breached? Most Businesses = Never Know
[Diagram labels: INTERNET, Firewall, External Router, Internal Servers, Production Network, Desktops, Workstations]
Perimeter Security Is Not Enough
- Many companies with “insider access” - dissolve the perimeter protection (firewalls):
  - customers, consultants, contractors, temps, supply
- Many widely disseminated vulnerabilities, backdoors, firewall holes, firewall pole vaults - such as dial-up modems, shareware password crackers
- Majority of breaches and financial losses - from those with “insider access”
Typical Inside Network Attacks
- Insider attack
- Social engineering
- Virus infiltration
- Denial of Service
- OS or application bug
- Infiltration via passwords
- Infiltration via “no security”
- Spoofing
- Trojan horse
- Brute force
- Stealth infiltration
- Protocol flaw or exploit
would want anyway” – never true
- No internal monitoring of any kind
- No internal intrusion detection
- No internal network isolation methods
- No separation of critical networks or subnetworks via VLAN or VPNs
- Infrastructure ignorance
Network Security IS a Serious Issue
- $202 Billion lost every year by companies to “e-Crime” in the US; Australian/rest of the world statistics are hard to estimate.
- 90% of e-Crime financial losses are INTERNAL
- U.S. Government alone will experience over 300,000 Internet attacks this year; Australian Government has not publicised any numbers
- Hundreds of thousands of websites contain some form of Hacker Tools / Information
- e-Crimes are estimated to take place every 20 seconds...
eSecurity / Hacking Insurance Policies
- Yes, you can actually buy hacking insurance policies for some situations
- One level allows for liability reduction due to protective measures taken (What sort of firewalls / policies / operating systems / training / etc…)
- Another provides a vendor security warranty level of assurance
- Others on their way…
Future Server Threats
- Digital Nervous System components
- Infrastructure Dependencies
  - Index Server/LDAP Servers
  - Terminal Server with thin clients
  - Exchange servers being used for office and workgroup flow applications
  - DNS and other naming services servers
  - Voice over IP (VoIP)
  - Telephony servers for desktop telephony
  - Netmeeting / Video collaboration servers
  - NT servers being implemented in factories and industrial networks for process control. These require real-time network security features
- Home implementations for broadband/DSL access
- Small business via broadband/DSL access
- Seasonal threats (holiday hacker gangs)
Information Store
A company’s most valuable assets are on its Information Store
An attack on your Information Store can result in:
- Loss of access
- Loss of data integrity
- Theft of data
- Loss of privacy
- Legal liability
- Loss of Confidence (Owners/Stock market/Customers)
- Financial Loss (Fraud)
[Diagram labels: Financials, HR Records, Patient Medical Records, R&D Information, Legal Records]
Summary (I)
- It is a matter of “when” not a matter of “if” you will be attacked or hacked - the statistics are against you
- Internal network security is still the most pervasive corporate threat
- Many different levels of security are necessary to deal with the threats
- Apply internal security in proper measure to meet the actual or perceived threat environment
Summary (II)
- A Hacker can be anyone – an employee with a grudge, a contractor, a family member. They just want something they are not supposed to have.
- Hacking is gaining access to anything you shouldn’t have access to, using means you shouldn’t be using (illegal?)
- eSecurity is as important as real security. If you have a security guard to protect you, you should have an eSecurity guard.
- Many different levels of security are necessary to deal