
Computerworld Conference (2002)

May 25, 2015


Skeeve Stevens

Page 1: Computerworld Conference (2002)

Hackers Why? Who? What do they want? Where are you most vulnerable?

SKEEVE STEVENS [Former(?) Hacker]

I.T Security Consultant

Specialising in Security Theory, Trends, Policy, Disaster Prevention

Email: [email protected]

www.skeeve.org

Copyright © 2002 by Skeeve Stevens All Rights Reserved

Page 2: Computerworld Conference (2002)

Networks Under Assault

- Australian Computer Crime and Security Survey (May 02)
  - ACCS Survey (the only survey of its kind in .au) reports more than 67% of respondents have been attacked/hacked during the 2001 period – 7% higher than the U.S in the same period.
- InternetWeek
  - 50% of U.S corporations have had 30 or more penetrations
  - 60% lost up to $200K/intrusion
- Federal Computing World
  - Over 50% of (U.S) Federal government agencies report unauthorised access (some are massive numbers)
- FBI/Computer Security Institute
  - 48% of all attacks originated from within the organization
- WarRoom Research Survey
  - 90% of Fortune 500 companies in the U.S surveyed admitted to inside security breaches
- Very few companies will talk. Too much fear of losing investor confidence and perhaps panicking the customer base (i.e. banks)

Page 3: Computerworld Conference (2002)

Why? - Hacker Motivations

- There are many different motivations to hack
  - Experimentation and desire to learn
  - “Gang” mentality
  - Psychological needs (i.e. to be noticed?)
  - Misguided trust in other individuals
  - Altruistic reasons
  - Self-gratification
  - Revenge and malicious reasons
  - Emotional issues
  - Desire to embarrass the target (many reasons)
  - “Joyriding”
  - “Scorekeeping”
  - Espionage (corporate, governmental)
  - Criminal – Stalking, Intimidation, Hostage, Blackmail

Page 4: Computerworld Conference (2002)

Types of Hackers

Shades of Grey - Are all Hackers Bad?

- Black Hats (The Bad Ones)
  - Professional Crackers (Crime Gangs)
  - Corporate Espionage (Criminal in a suit – more common than companies realise – everyone has a competitor.)
  - e-Terrorists (with or without a motivation [eco-hackers])
  - ?
- White Hats (The Good Ones)
  - Corporate Security
  - Tiger Teams (with reputations – ISS)
  - Big 5 Audit/Testing Teams (PWC, etc)
  - Law Enforcement Hackers / Military eSecurity
- Grey Hats (The Not-so-Bad / Not-so-Good Ones)
  - Depends who’s paying
  - Freelancers – to the highest bidder, which can include LEAs

Page 5: Computerworld Conference (2002)

Who are the Hackers?

- 49% are inside employees or contractors on the internal network
- 17% come from dial-up (still inside people)
- 34% are from Internet or an external connection to another company of some sort
- The major area of financial loss in hacking is internal: more money is lost via internal hacking and exploitation (by a factor of 30 or more)
- Most of the hacking that is done is from technical personnel in technical positions within the company

Page 6: Computerworld Conference (2002)

Perimeter Security Is Not Enough

- Even the best perimeter firewall can be breached
- What happens to your corporate assets if the perimeter is breached?
- What protects your internal network if the perimeter security fails? Most Businesses = Nothing
- How do you know you have been breached? Most Businesses = Never Know

[Diagram labels: INTERNET, Firewall, External Router, Internal Servers, Production Network, Desktops, Workstations]

Page 7: Computerworld Conference (2002)

Perimeter Security Is Not Enough

- Many companies with “insider access” - dissolve the perimeter protection (firewalls):
  - customers, consultants, contractors, temps, supply chain partners, employees – unhappy / rogue (espionage) / snoopy (the curious/ambitious) / terminated (fired)
- Many widely disseminated vulnerabilities, backdoors, firewall holes, firewall pole vaults - such as dial-up modems, shareware password crackers
- Majority of breaches and financial losses - from those with “insider access”

Page 8: Computerworld Conference (2002)

Typical Inside Network Attacks

- Insider attack
- Social engineering
- Virus infiltration
- Denial of Service
- OS or application bug
- Infiltration via passwords
- Infiltration via “no security”
- Spoofing
- Trojan horse
- Brute force
- Stealth infiltration
- Protocol flaw or exploit

Page 9: Computerworld Conference (2002)

Biggest Mistakes in Internal Security

- Everybody trusts everybody
- “Any” theory: “We don’t have anything anyone would want anyway” – never true
- No internal monitoring of any kind
- No internal intrusion detection
- No internal network isolation methods
- No separation of critical networks or subnetworks via VLAN or VPNs
- Infrastructure ignorance

Page 10: Computerworld Conference (2002)

Network Security IS a Serious Issue

- $202 Billion Lost every year by companies to “e-Crime” in the US, Australian/rest of the world statistics are hard to estimate.
- 90% of e-Crime financial losses are INTERNAL
- U.S. Government alone will experience over 300,000 Internet attacks this year, Australian Government has not publicised any numbers
- Hundreds of thousands of websites contain some form of Hacker Tools / Information
- e-Crimes are estimated to take place every 20 seconds...

Page 11: Computerworld Conference (2002)

eSecurity / Hacking Insurance Policies

- Yes, you can actually buy hacking insurance policies for some situations
- One level allows for liability reduction due to protective measures taken (What sort of firewalls / policies / operating systems / training / etc…)
- Another provides a vendor security warranty level of assurance
- Others on their way…

Page 12: Computerworld Conference (2002)

Future Server Threats

- Digital Nervous System components
- Infrastructure Dependencies
  - Index Server/LDAP Servers
  - Terminal Server with thin clients
  - Exchange servers being used for office and workgroup flow applications
  - DNS and other naming services servers
  - Voice over IP (VoIP)
  - Telephony servers for desktop telephony
  - Netmeeting / Video collaboration servers
  - NT servers being implemented in factories and industrial networks for process control. These require real-time network security features
- Home implementations for broadband/DSL access
- Small business via broadband/DSL access
- Seasonal threats (holiday hacker gangs)

Page 13: Computerworld Conference (2002)

$ Information Store

A company’s most valuable assets are on its Information Store

An attack on your Information Store can result in:

- Loss of access
- Loss of data integrity
- Theft of data
- Loss of privacy
- Legal liability
- Loss of Confidence (Owners/Stock market/Customers)
- Financial Loss (Fraud)

[Diagram labels: Financials, HR Records, Patient Medical Records, R&D Information, Legal Records]

Page 14: Computerworld Conference (2002)

Summary (I)

- It is a matter of “when” not a matter of “if” you will be attacked or hacked - the statistics are against you
- Internal network security is still the most pervasive corporate threat
- Many different levels of security are necessary to deal with the threats
- Apply internal security in proper measure to meet the actual or perceived threat environment

Page 15: Computerworld Conference (2002)

Summary (II)

- A Hacker can be anyone – an employee with a grudge, a contractor, a family member. They just want something they are not supposed to have.
- Hacking is gaining access to anything you shouldn’t have access to, using means you shouldn’t be using (illegal?)
- eSecurity is as important as real security. If you have a security guard to protect you, you should have an eSecurity guard.
- Many different levels of security are necessary to deal with the threats

Page 16: Computerworld Conference (2002)