Information Security Clinic
Keith Watson, CERIAS
Matt Jonkman, infotex
Jack Henry & Associates
MidWest Central User’s Group
November 12, 2003
  infotex
 Center for Education and
 Research in Information
  Assurance and Security



          Purdue University



              CERIAS
• Founded in May 1998
  – Lilly Endowment grant ($4.9m)
• Multidisciplinary approach to
  research
  – Six schools and 12 departments
• K-12 outreach/education programs
• Research affiliates and sponsors

                    Mission
To establish an on-going center of excellence that will
  promote and enable world-class leadership in
  multidisciplinary approaches to information
  assurance and security research and education. This
  collaboration will advance the state and practice of
  information security and assurance. The synergy
  provided by involvement of key members of
  academia, government, and industry will promote and
  support programs of research, education, and
  community service.


                  Vision
The Center for Education and Research in
  Information Assurance and Security will be
  internationally recognized as the leader in
  information security and assurance research,
  education, and community service.
  Personnel associated with CERIAS will be
  recognized as leaders in their areas of
  expertise and practice.


Disciplines Currently Represented
 – Communications
 – Computer Sciences
 – Economics
 – Education
 – Electrical and Computer Engineering
 – English
 – Industrial Engineering
 – Linguistics
 – Management
 – Nuclear Engineering
 – Philosophy
 – Political Sciences
 – Psychology
 – Sociology
 More to Come ...
Purdue and CERIAS named as a charter National Center of Excellence in Education in Information Assurance by the NSA.


              Research
• Helped start over 60 projects in last
  four years
• Seeded/supported over $45 million in
  grant proposals
  – Over $26.5 million funded
  – $22 million still pending
• Over 100 students involved in research
  over the last 4 years
• Scores of papers published
• Several patents issued

  K-12 Outreach Program
• Mission is to raise infosec awareness
  and practice within the K-12 community
• Full-time staff member to develop
  program
• Excellent web site for teachers,
  students, parents, and administrators
• Numerous workshops, classroom visits,
  and in-service programs

     Continuing Education
• Educate specific groups based on interest and
  need for infosec education
  – IT professionals, systems administrators, law
    enforcement, management executives, etc.
• Full-time staff member to develop program
• Surveys being conducted to target initial
  audiences in the IT community
• Courses and workshops developed
• Distance learning and web-based tools
• Strategic alliances being developed


Continuing Ed & Outreach
• NSA-funded faculty certificate program
  – CS department approved
• Indiana Information Security Day
• Educational materials produced
• Working on collaborative courses &
  national curriculum model
• Working towards a specialization in
  forensics

Core Competencies
• Risk Management, Policies and Laws
• Trusted Social and Human Interactions
• Security Awareness, Education and Training
• Assurable Software Architectures
• Enclave and Network Security
• Incident Detection, Response and Investigation
• Identification, Authentication and Privacy
• Cryptology and Rights Management


CERIAS Sponsors
Founding and Tier I
• Cisco
• Sun
• Hewlett-Packard
• Intel
• Lockheed Martin
• Los Alamos National Laboratory
• Microsoft
• MITRE
• NRO
• QinetiQ
• Northrop Grumman
• Symantec


CERIAS Sponsors
Tier II and III

• Tier II
  – Accenture
  – Raytheon
• Tier III (new)
  – Indiana companies
  – Infotex




                  infotex
• Originally the Technology Division of Bucheri,
  McCarty and Metz

• Spun off in late 1999

• Focus on Security Services, Consulting, and
  Education

• Proud Sponsor of CERIAS


                     infotex
               Core Competencies
• Information Security
  –   Managed IDS
  –   Security Assessment
  –   Awareness Training
  –   Regulatory Compliance and Assessment
• Information Architecture
  – Data and Information Management
  – Maximizing the Value of Information
• Networking Best-Practices
  – Coaching
  – Education
  – Network Design


infotex

Matt’s Favorite Quote:

“If you spend more on coffee than on IT
   security, you will be hacked. What's more, you
   deserve to be hacked.”

--White House cybersecurity adviser
                  Richard Clarke



               Overview
• Information as an Asset
  – Value of information to business today
  – Vulnerabilities, Incidents, and Losses
• Your Security
  – Roles and Responsibilities
  – The Security Process
• What and How
  – Attack Timeline
  – Self-Assessment Demonstration


             Question


At your institution, which of the
   following has more value?
  a) The money in the vault.
  b) The information on the computers.



  Information as an Asset
• Information is very valuable to
  business today
• Customer
• Employee
• Business
• Think about your institution…


           Customer Data
•   Account balances, withdrawals, deposits
•   Direct deposit transactions
•   Loan information and payments
•   Mortgages
•   Investments, CDs
•   ATM transactions
•   Survey Data, Marketing Info


       Employee Data
• Payroll
• Reviews
• Taxes
• 401(k)
• Insurance claims
• Phone numbers


        Business Data
• Competitive Information
• Organizational Strategy
• Records management
• Taxes
• Regulatory filings
• Examiner reports and findings


What Information is Valuable
    to your Institution?
• Think about your own institution
  – Any idea of the value of the various
    kinds of information you have?
  – What if you lost access to it?
  – What if it was altered without your
    knowledge?
  – What if it was posted to a web site in
    Brazil?

 Vulnerabilities, Incidents,
   and Losses (Oh My!)
• Vulnerabilities
  – A look at the numbers from Cassandra
  – Vendors, Products, even Security Products
• Incidents
  – CERT/CC Reports and Trends
• Losses
  – CSI/FBI Report



       Vulnerability Counts
•   Vendor
•   Product
•   Microsoft
•   Others
•   Data taken from Cassandra DB
    – CERIAS-developed tool for alerting
      administrators of new vulnerabilities
    – Pulls data from NIST’s iCAT Metabase
    https://cassandra.cerias.purdue.edu/

Vendor Vulnerabilities
as of November 7, 2003

Rank  Vendor      Count
   1  Microsoft    1193
   2  Sun           327
   3  Cisco         274
   4  Redhat        238
   5  HP            233
   6  IBM           206
   7  Oracle        175
   8  SGI           164
   9  FreeBSD       158
  10  SCO           148


Product Vulnerabilities
as of November 7, 2003

Rank  Product        Count
   1  Sun Solaris      199
   2  Redhat Linux     193
   3  Windows NT       177
   4  Microsoft IE     156
   5  FreeBSD          155
   6  SGI Irix         149
   7  Windows 2000     148
   8  HP HP-UX         146
   9  IBM AIX          127
  10  Microsoft IIS    105


Microsoft Vulnerabilities
as of November 7, 2003

Product                        Count
Windows NT                       177
Internet Explorer                156
Windows 2000                     148
Internet Information Server      105
SQL Server                        45
Windows XP                        45
Outlook Express                   24
Exchange                          21
Outlook                           20


Other Product Vulnerabilities
as of November 7, 2003

Product         Count
Debian Linux       90
OpenBSD            71
SUSE               65
Linux Kernel       62
Apache             54
Cisco IOS          44
Mac OS X           40
Kerberos 5         25
BIND               25
OpenSSH            18


            CERT/CC
• Incidents Reported
• Alerts Published
• Latest CERT Advisories
• Attack Trends




CERT Incidents Reported
(bar chart; values by year, 2003 covers 1Q-3Q only)

Year    Incidents
1988            6
1989          132
1990          252
1991          406
1992          773
1993        1,334
1994        2,340
1995        2,412
1996        2,573
1997        2,134
1998        3,734
1999        9,859
2000       21,756
2001       52,658
2002       82,094
2003*     114,855

* 1Q-3Q 2003


CERT Advisories Published
(bar chart; values by year, 2003 covers 1Q-3Q only)

Year    Advisories
1988             1
1989             7
1990            12
1991            23
1992            21
1993            19
1994            15
1995            18
1996            27
1997            28
1998            13
1999            17
2000            22
2001            37
2002            37
2003*           25

* 1Q-3Q 2003

     Latest CERT Advisories
Advisory                                 Title

CA-2003-27 Multiple Vulnerabilities in Microsoft Windows and Exchange

CA-2003-26 Multiple Vulnerabilities in SSL/TLS Implementations

CA-2003-25 Buffer Overflow in Sendmail

CA-2003-24 Buffer Management Vulnerability in OpenSSH

CA-2003-23 RPCSS Vulnerabilities in Microsoft Windows

CA-2003-22 Multiple Vulnerabilities in Microsoft Internet Explorer

CA-2003-21 GNU Project FTP Server Compromise


    CERT Attack Trends
            “Overview of Attack Trends”
            CERT® Coordination Center

• Automation; speed of attack tools
  – Scanning for potential victims
  – Compromising vulnerable systems
  – Propagating the attack
  – Coordinated management of tools




     CERT Attack Trends
            “Overview of Attack Trends”
            CERT® Coordination Center

• Increasing sophistication of tools
  – Antiforensics
  – Dynamic behaviour
  – Modularity of attack tools
• Faster discovery of vulnerabilities
• Increasing permeability of firewalls
• Increasingly asymmetric threat

      CERT Attack Trends
            “Overview of Attack Trends”
            CERT® Coordination Center

• Increasing threat from
  infrastructure attacks
  –   Distributed Denial of Service
  –   Worms
  –   Attacks on Internet DNS
  –   Attacks against or using routers



     CERT Attack Trends
            “Overview of Attack Trends”
            CERT® Coordination Center

• Potential impact of infrastructure
  attacks
  – Denial of Service
  – Compromise of sensitive information
  – Misinformation
  – Time and resources diverted



 2003 CSI/FBI Computer
Crime and Security Survey
• Yearly survey of security practitioners
• 2003 survey includes 530 responses
  – Variety of industries, government
  – 15% from financial sector
• Low response rate leads to unanswered
  questions about the real problem
• Total annual losses are down
  – It’s still over $200 million


 2003 CSI/FBI Computer
Crime and Security Survey
• Top attacks by losses
  – Theft of Proprietary Info ($70M)
  – Denial of Service ($65M)
  – Virus ($27M)
  – Insider Network Abuse ($11M)
  – Financial Fraud ($10M)

  (Based on only 251 respondents)

        Attack Paradigm
• Minimal technical knowledge needed to
  launch attacks
  – Tools simplify launching attacks
• Internet makes most systems
  accessible to attackers
  – Interconnectedness a double-edged sword
• Unprotected broadband home systems
  are launch points for massive attacks
  – Nearly untraceable DDoS zombies


         Case Study:
    Slammer/Sapphire Worm
• Started 9:30PM PST Jan 24, 2003
• Exploited known MS SQL Server hole
• 404 bytes in a single UDP packet
• Random IP address scanning generated a
  lot of traffic
• Fastest spreading worm on record
• No malicious payload; network saturation
• Bank of America’s ATM network down for a
  day
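As an added example (not from the slides or from infotex/CERIAS), a small flow-based detector for the behaviour this case study describes: one source sending many small UDP datagrams to many random destinations on one port. The flow record format, thresholds and sample traffic are constructed for this example; UDP/1434 is the SQL Server resolution port Slammer used.

```python
"""Flow-based detector for Slammer-style UDP scanning.

Added example, not from the slides. Slammer fit in a single 404-byte UDP
datagram and chose destination addresses at random, so an infected host
shows up as one source sending many small UDP datagrams to many distinct
destinations on one port within a short window. The flow record format,
thresholds and sample traffic below are constructed for this example.
"""
import random
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since capture start
    src: str
    dst: str
    proto: str
    dport: int
    size: int   # datagram bytes


def parse_flows(text):
    """Parse constructed records of the form 'ts src dst proto dport bytes'."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, size = line.split()
        flows.append(Flow(float(ts), src, dst, proto.lower(), int(dport), int(size)))
    return flows


def detect_udp_scanners(flows, window=1.0, min_targets=20, max_size=512):
    """Return {(src, dport): peak distinct destinations} for every source
    whose small UDP datagrams reached at least min_targets distinct
    destinations inside some sliding window of `window` seconds.

    Small datagrams are the relevant signal: a worm that fits in one packet
    sends the same payload to every address it tries. Legitimate UDP
    clients (DNS, NTP) talk to a handful of servers, so their distinct
    destination count stays low even at a high packet rate."""
    by_key = defaultdict(list)
    for flow in sorted(flows, key=lambda f: f.ts):
        if flow.proto == "udp" and flow.size <= max_size:
            by_key[(flow.src, flow.dport)].append(flow)

    hits = {}
    for key, recs in by_key.items():
        recent = deque()            # flows inside the current window
        live = defaultdict(int)     # destination -> flows still in window
        peak = 0
        for flow in recs:
            recent.append(flow)
            live[flow.dst] += 1
            # Expire flows that fell out of the window (current flow never does).
            while flow.ts - recent[0].ts > window:
                old = recent.popleft()
                live[old.dst] -= 1
                if live[old.dst] == 0:
                    del live[old.dst]
            peak = max(peak, len(live))
        if peak >= min_targets:
            hits[key] = peak
    return hits


def build_sample_flows(seed=1):
    """Constructed traffic: a normal DNS client plus one Slammer-like host.

    UDP/1434 is the SQL Server resolution port Slammer targeted; the
    addresses and timings are made up for this example."""
    rng = random.Random(seed)
    lines = ["# ts src dst proto dport bytes"]
    for i in range(50):                 # ~5 DNS queries/s to two resolvers
        lines.append(f"{i * 0.2:.2f} 10.1.1.5 10.1.1.{20 + i % 2} udp 53 {rng.randint(60, 120)}")
    for i in range(300):                # 200 datagrams/s, one per random address
        dst = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        lines.append(f"{2.0 + i * 0.005:.3f} 10.1.1.9 {dst} udp 1434 404")
    return "\n".join(lines)


if __name__ == "__main__":
    for (src, dport), peak in detect_udp_scanners(parse_flows(build_sample_flows())).items():
        print(f"possible UDP scanner {src} -> port {dport}: {peak} distinct targets in 1s")
```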


                Threats
• A lot of vulnerabilities to deal with
  – and more appearing all the time!
• Number of incidents increasing
  – Automated tools speed attacks
  – Worm propagation speed is fast
• Financial losses from attacks are high
  – There are few that talk about it though



           Your Security
• Security solutions are PEOPLE
  solutions!!
  – Technology is merely the tool

• People, processes, education, and awareness!!
  » Technology alone will not solve Security Challenges




Roles and Responsibilities

• CxO
• IT Manager
• Technical Staff




What the CxO should know…

• The Regulations
  – Gramm-Leach-Bliley of course
  – Assess whether HIPAA may apply!!
  – Assess Sarbanes-Oxley Act
    responsibility




    Gramm-Leach-Bliley
• Protects the safety of consumer
  information and financial
  institutions
• Industry-appropriate security
  measures required
  – Access Controls/Devices
  – Some form of Intrusion Detection
  – Security Assessments

 Gramm-Leach-Bliley

“Effective security management
  includes the prevention, detection
  and response to attacks, intrusions
  or other system failures.”

  • GLB FAQ from the FTC website:
    www.ftc.gov



                    HIPAA
  Health Insurance Portability and Accountability Act


• Protects Patient Privacy
• May apply to other industries
  – Business, financial partners
  – Service providers
• Industry-appropriate security
  controls required


              HIPAA

– “(1)(i) Standard: Security
  management process. Implement
  policies and procedures to prevent,
  detect, contain, and correct security
  violations. “

  • From HIPAA Security Standards Final
    Ruling


       Sarbanes-Oxley Act
• Publicly Traded Organizations required
  to protect information
  –   Information security
  –   Network security
  –   Information recoverability
  –   Etc…
• Penalties
  – Jail time, fines
  – Public Disclosure of Problems


        Security Policy
• Regulation Requirements
  – Define enforceable standards
  – Define processes (backups, change
    control, remote access)
• What to protect
• How to protect, to what level
• Who protects

What the CxO should know…

• How to Test
  – What companies are being used.
    • There should be more than one!!
  – How to start a test unannounced
    • And let your people know that can and
      will happen
  – How to read the tests
    • Primarily to read metrics over time


What the CxO should know…

• When was our last test?
    • What were the results?
    • What are the outstanding issues?
    • What is the risk related to these
      outstanding issues?
    • What are we doing about these issues?
    • What is the status of the remediation of
      these issues?



       What the IT Manager
         should know…
• Your People
   – The strengths and weaknesses of your IT
     Staff
     • NO ONE knows it all!
  – Security knowledge
  – Understanding of Policy
  – Knowledge of Environment

  – Establish relationships for:
        –   Forensics
        –   Investigation
        –   Incident Response
        –   Mass Patching/Upgrading


       What the IT Manager
         should Know…
• Understand relationship with partners
  – Which side is responsible for what
  – What the other side is doing for security
  – What the other side’s Security Tests look
    like
• Where to get assistance
  – Contractors, Consultants, Peers
  – Security Community, Knowledge Bases


       What the Technical Staff
           Should Know…
• Security Policy (inside and out)
   – Able to make enforcement calls
   – Higher authority for judgement calls
• Network Environment
   – What should/should not be on the network
• Application Standards
• Vulnerabilities of the Environment
   – Constant Notification
• “Normal” state of the Environment
   – Normal load, traffic, logs, processes
• How to do an Assessment
   – More on this later




      The Security Process
• Security is Risk Management
  – There are no 100% secure solutions that involve humans
  – Risk Identification
  – Risk Mitigation
  – Risk Acceptance
  – Constant Re-Evaluation


    The Security Process
• How to Start
  – Risk realization
    • Competition
    • Online Processes
    • Databases
    • Mobile Employees
    • Value of Data!!!!!!!!



    The Security Process
• How to Start
  – Assess where you are!!
    •   Patch Management
    •   Vulnerability Recognition
    •   Control Processes
    •   Staff Background
  – Recovery planning
    • Data, Processes, People
  – Enforcement Processes


    The Security Process
• Assess

• Design

• Implement

• Repeat
  – (regularly, not as desired)


    The Security Process
• Assess
  – Internal testing
    • By internal staff
    • Regular Basis
    • REPORT TO MANAGEMENT
       – Monthly or quarterly
  – Third-Party Testing
    • Rotate through 2-3 companies
    • At least once a year


      The Security Process
• Assess
  – High-level self-assessments
       • Technical and Policy
  – Regular In-Depth Third-Party assessments
       • Technical and Policy
       • Announced AND unannounced
  –   Internal Awareness training
  –   Policy Enforcement
  –   Disaster Recovery planning
  –   Backup programs/Restoration Verification

    The Security Process
• Design
  – Identify issues
     • From tests, process flaws, potential incidents
     • Regulation, and enforcement thereof
  – Identify Resolution
     •   The Security Community
     •   Consultants
     •   Competitors, Peers
     •   Regulation
  – Evaluate Testing
     • Testing/Drill Methods
     • Drill Schedule
      Security Process
• Implement
 – Put in controls
 – Implement associated Policy!!!
 – Policy
 – Policy
 – Policy
 – Then Policy


    The Security Process
• Assess

• Design

• Implement

• Repeat
  – (regularly, not as desired)


        What and How?
• Who is Attacking?
• How does that look?
  – Attack Timeline
    • Without IDS
    • With IDS
• Self Assessment
  – Tools
  – Demonstration

                    Who?
• Lone hacker
  – Stereotypical geek in the dark room
• Disgruntled Employee
  – Fired, not paid satisfactorily, doesn’t fit
    socially, etc
• Unaware Employee
  – Discloses passwords, deletes files, executes
    trojan, brings in infected disk, etc


                  Who?
• Viruses/Worms
• Associates of Unethical Employee
  – Credit card scams, embezzlement
• Hacking Organizations
  – Ransom attempts, Blackmail
  – Countries with which we have no extradition
    treaties; no recourse




                 Why?
• Your Bandwidth
• Your Information
  – Identity Theft
  – Spam Lists
• Your Computing Power
• Hide the Trail
• Harvest Access to other resources

        How does it Look?
• Automated Attacks
    •   Predictable patterns
    •   Easily detected
    •   Effective on the large scale
    •   Generally easily defended
  – Proxy Scans
  – Worm Scans
  – Vulnerable Service Scans
    • Bind, RPC, Win32, etc



      How does it Look?
• Manual Attacks
    • Very Few Predictable patterns
    • Not Easily Detected
    • Not Easily Defended
    • Effective on the local scale
  – Vulnerable Service Scans
  – Exposed Information
  – Social Engineering

       Intrusion Timeline
How an Intrusion Happens…

         Time →




Intrusion Timeline
(timeline diagram, first stages)

Recon → PortScans → System Identification → Application Identification

Intrusion Timeline
(timeline diagram, through initial compromise)

Recon → PortScans → System Identification → Application Identification → Application Probing → Vulnerability Identification → Vulnerability Exploit Attempts → User/Pass Guessing → Successful Compromise

Intrusion Timeline
(timeline diagram, full cycle)

Recon → PortScans → System Identification → Application Identification → Application Probing → Vulnerability Identification → Vulnerability Exploit Attempts → User/Pass Guessing → Successful Compromise → Data Scouring and theft/Damage → System Control → Internal Recon → Further Compromises → Back to the Beginning

Intrusion Timeline with IDS
(timeline diagram; IDS annotation over the early stages: Passive Alerts of Interest)

Recon → PortScans → System Identification → Application Identification → Application Probing → Vulnerability Identification → Vulnerability Exploit Attempts → User/Pass Guessing → Successful Compromise → Data Scouring and theft/Damage → System Control → Internal Recon → Further Compromises → Back to the Beginning

Intrusion Timeline with IDS
(timeline diagram; IDS annotations from early to later stages: Passive Alerts of Interest → Significant Alerts, Response Taken)

Recon → PortScans → System Identification → Application Identification → Application Probing → Vulnerability Identification → Vulnerability Exploit Attempts → User/Pass Guessing → Successful Compromise → Data Scouring and theft/Damage → System Control → Internal Recon → Further Compromises → Back to the Beginning

Intrusion Timeline with IDS
(timeline diagram; IDS annotations from early to late stages: Passive Alerts of Interest → Significant Alerts, Response Taken → Providing Forensic Trail)

Recon → PortScans → System Identification → Application Identification → Application Probing → Vulnerability Identification → Vulnerability Exploit Attempts → User/Pass Guessing → Successful Compromise → Data Scouring and theft/Damage → System Control → Internal Recon → Further Compromises → Back to the Beginning

Intrusion Timeline no IDS
(timeline diagram; annotation over the early stages: No warning)

Recon → PortScans → System Identification → Application Identification → Application Probing → Vulnerability Identification → Vulnerability Exploit Attempts → User/Pass Guessing → Successful Compromise → Data Scouring and theft/Damage → System Control → Internal Recon → Further Compromises → Back to the Beginning

Intrusion Timeline no IDS
(timeline diagram; annotations from early to late stages: No warning → Possible Detection by Alert Admins)

Recon → PortScans → System Identification → Application Identification → Application Probing → Vulnerability Identification → Vulnerability Exploit Attempts → User/Pass Guessing → Successful Compromise → Data Scouring and theft/Damage → System Control → Internal Recon → Further Compromises → Back to the Beginning

       Self Assessment
• Network Probes
• Vulnerability Scanners
• Password Cracking
• Traffic Analysis

• Most tools are FREE!!!


         Network Probes
• Nmap
  – Shows open ports, live hosts
  – OS fingerprinting
• Solarwinds
  – Network mapping, architecture
  – SNMP probing



   Vulnerability Scanners
• Nessus
  – UNIX and Network oriented
  – More than 1200 tests
• ISS
  – Windows and Domain oriented
  – Commercial tool
• GFI Languard
  – Windows and Patch Oriented


Vulnerability Scanners




     Password Crackers
• L0phtCrack
  – Windows passwords
  – Commercial
• John the Ripper
  – UNIX passwords
  – Freeware



   Password Crackers




       Traffic Analysis
• Ntop
• MRTG
• WhatsUp Gold
• Vital Suite
• CiscoWorks



            Conclusion



• Questions?




            Mitigation
• Self Assessment

  – Demo…





				