
Upload: bertha-horton

Post on 23-Dec-2015


Page 1: © 2004, Enspherics Division of CIBER. All Rights Reserved. IT Security Trends, Threats, and Countermeasures Ed Bassett President Enspherics Division of

© 2004, Enspherics Division of CIBER. All Rights Reserved.

IT Security Trends, Threats, and

Countermeasures

Ed Bassett

President

Enspherics Division of CIBER

Ed Bassett:

Things to weave in:

-- wireless

-- worms/virus

-- patching

-- spyware


Page 2

Presentation Overview

• Trends
  – Statistics
  – Changing Technology
  – Changing Expectations

• Threats

• Countermeasures
  – Programmatic
  – Technical

Page 3

Impact Statistics

• 56% detected computer security breaches within the last twelve months.

• 75% acknowledged financial losses due to computer breaches.

• 47% were willing and/or able to quantify their financial losses. These 251 respondents reported over $201,000,000 in financial losses.
  – Amount of loss down significantly – 56% lower than 2002

Page 4

Impact Statistics (cont.)

• Most common forms of attack/abuse:
  – Viruses (82%)
  – Insider abuse of network access (80%)

• 25% suffered unauthorized access or misuse on their Web sites… 22% said they didn’t know.

• Source – 2003 Computer Crime and Security Survey, Computer Security Institute with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad

Page 5

The Trend is Clear

[Chart: Number of Reported Incidents (CERT/CC), by year from 1989 to 2001; vertical axis 0 to 50,000]

2002 – 82,100
2003 – 137,500

Page 6

Security Drivers – Changing Technology

• Decentralized security controls
  – Proliferation of authentication and authorization schemes
  – Application-level security decisions

• Interconnectivity w/ partners/customers
  – Internet connectivity
  – Web-enablement of mission-critical applications

• Wireless networks

• Offshore development
  – May actually reduce risk!

Page 7

Security Drivers – Changing Expectations

• HIPAA – Health care
• GLBA – Financial services and insurance
• California SB1386
• Homeland Defense
• Local laws and regulations
• Customer/partner expectations
• Insurance requirements
• Internal motivations
  – Cost/disruption of security incidents
  – Reputation/image damage
  – Litigation risk

Page 8

HIPAA Requirements Breakdown

Administrative Safeguards
  – Security Management Process
  – Assigned Security Responsibility
  – Workforce Security
  – Information Access Management
  – Security Awareness and Training
  – Security Incident Procedures
  – Contingency Plan
  – Evaluation
  – Business Associate Contracts

Physical Safeguards
  – Facility Access Controls
  – Workstation Use
  – Workstation Security
  – Device and Media Controls

Technical Safeguards
  – Access Control
  – Audit Controls
  – Integrity
  – Person or Entity Authentication
  – Transmission Security

Page 9

California SB 1386 – Information Practices Act

• If you store “personal information” on one or more California residents, you must notify them if their data have (or may have) been accessed illegally

• Disclosure no longer a PR decision

• Stated goal: minimize damage from identity theft
  – “Expeditious notification…of possible misuse…is imperative”

• Encryption of data is critical – but not sufficient
  – Law only applies to “unencrypted personal information”
  – But what if data is decrypted as part of the “breach”?

• Affects all companies who do business with California residents
  – Outsourcing companies
  – Data processing and storage companies

• Similar legislation being introduced in several states and at the federal level

Page 10

Threats – Attack Sophistication vs. Intruder Technical Knowledge

[Chart: Attack Sophistication (Low to High) against Intruder Knowledge, timeline 1980 to 2000, with curves labelled Tools and Attackers. Techniques plotted on the chart:]

password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, “stealth” / advanced scanning techniques, burglaries, network mgmt. diagnostics, DDOS attacks

Source: Carnegie Mellon Software Engineering Institute

Page 11

Threats – Example 1

• Organized, targeted attacks
  – Example: “Russian Hackers”
  – Target: Credit card numbers held by financial institutions
  – Method:
    • Exploit known weaknesses in e-commerce web sites
    • Steal data
    • Extort victim posing as security consultants
  – Motivation: Money
  – Results: Have successfully broken into 600 financial institutions to date (source: FBI)

Page 12

Threats – Example 2

• Large-scale automated attacks
  – Example: Virus/Worm du jour
  – Target: Vulnerable computers
  – Method:
    • Fast, broad mechanism to search for vulnerable systems
    • Infect, spread
    • Use up resources
  – Motivation: Publicity
  – Results: Extremely large number of systems infected in a very short period; many resources consumed fighting/recovering from attacks

Page 13

Threats – Other Trends

• Automated vulnerability scans
  – Look for services
  – Look for specific vulnerabilities
  – Now routine

• Application-focused attacks
  – Targeting application logic rather than base network and server protocols
  – Attacks target data rather than machines

• Distributed Denial of Service (DDoS)
  – Targeted, coordinated

• Insider – witting and unwitting

Page 14

Are We Getting (Too) Used To This?

[News headline clippings shown on the slide:]

• Grounds Flights!!!
• Little Damage???
• Discovered 6 Months Ago
• Blocks ATMs!!!

Page 15

Done Well, Security Can Be Very Effective

• 99% of all reported intrusions “result through exploitations of known vulnerabilities or configuration errors, for which countermeasures were available.”

--Carnegie Mellon University

Page 16

Countermeasures – Programmatic Maturity

• Establish solid policy foundation

• Manage risk (rather than seeking to eliminate it)

• Plan for failure

• Elevate security to “production quality”

• Blend technical and non-technical controls

• Do not rely on perimeter controls alone

Page 17

Programmatic Building Blocks – Key Components of an Effective Security Program

[Diagram labelled “Build Up”: seven columns of components]

PROGRAM
  – Executive Commitment
  – Charter
  – Dedicated ISO
  – Strategic Planning
  – Funding
  – Cross-Functional Security Oversight

MANAGE
  – Roles and Responsibilities
  – Security Skills
  – Asset Risk Management (Life Cycle Approach)

DOCUMENT
  – Policies
  – Standards
  – Procedures
  – Asset ID and Classification

EDUCATE
  – Awareness Programs
  – General Training
  – Specialized Training
  – Procedures

PROTECT
  – Non-Technical Controls: Verbal/written, Personnel
  – Technical Controls: Net, OS, DB, App, Elec Comm
  – Physical Controls

DETECT
  – Reviews
  – Compliance Monitoring
  – Intrusion Detection
  – Auditing and Event Logging

RESPOND
  – Incident Response
  – Disaster Recovery
  – Business Continuity

Page 18

Risk Management Process

[Diagram: a cycle of three phases, Define → Achieve → Maintain]

Define
  – Information, Threats, Vulnerabilities → Risk Assessment

Achieve
  – Unacceptable Risk → Add Controls (Non-Technical Controls, Technical Controls)

Maintain
  – Acceptable Risk → Operate, Maintain, Monitor, and Train

Page 19

Technical Countermeasures (what next after the firewall)

• Application security

• Encryption

• Interior hardening

• Security management

• Assurance testing

Page 20

Countermeasure – Application Security

• Applications mediate most data access by end-users

• Security often ignored, or, worse yet, poorly designed

• Many common attacks focused on application logic
  – Attacks can be targeted at data or processes rather than machines or networks

• App attacks bypass perimeter controls
  – Even bogus application requests can appear to be “normal” from a network (firewall) perspective

• Design/build applications to be secure
  – Analyze potential attacks/risks
  – Establish security requirements for custom applications
  – Evaluate security features in selection of off-the-shelf packages

Page 21

Countermeasure – Application Security (cont.)

• Include application penetration testing in all acceptance testing

• Configure intrusion detection systems to look at application log activity
  – Unauthorized attempts often easy to detect

• Application features critical to security
  – Authentication
  – Authorization
  – Session context control
  – Audit logging
  – Intrusion detection and deterrence
  – Data cleansing
  – Data privacy and integrity
  – Back-end communications
  – Alternative interfaces
  – Policies and procedures
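A minimal form of the application-log check described above, as an added example (not code from the slides): a constructed access log, a parser, and a sliding-window rule that flags any source piling up authorization denials, the kind of “unauthorized attempt” the slide says is easy to detect once the IDS reads application logs. The log format, field names, threshold and window are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample of an application's own access log (not from the slides), in time order:
// timestamp, source address, user, action/record, outcome. One corrupt line is included on purpose.
const sampleLog = `2004-03-01T09:00:01Z 10.1.1.7 alice VIEW_ACCOUNT/4411 OK
2004-03-01T09:00:03Z 10.1.1.7 alice VIEW_ACCOUNT/4412 DENIED
2004-03-01T09:00:04Z 10.1.1.7 alice VIEW_ACCOUNT/4413 DENIED
2004-03-01T09:00:05Z 10.1.1.9 bob VIEW_ACCOUNT/9001 DENIED
corrupt line that must be skipped rather than stop the detector
2004-03-01T09:00:06Z 10.1.1.7 alice VIEW_ACCOUNT/4414 DENIED
2004-03-01T09:02:30Z 10.1.1.7 alice VIEW_ACCOUNT/4415 DENIED`

// parseLine extracts the timestamp, source and outcome of one five-field record.
func parseLine(line string) (at time.Time, src string, denied bool, err error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return at, "", false, fmt.Errorf("malformed record: %q", line)
	}
	at, err = time.Parse(time.RFC3339, f[0])
	return at, f[1], f[4] == "DENIED", err
}

// DeniedBursts flags every source with at least threshold DENIED outcomes inside a sliding
// window. It returns the peak count per flagged source and the number of malformed lines.
func DeniedBursts(log string, threshold int, window time.Duration) (map[string]int, int) {
	recent, flagged, bad := map[string][]time.Time{}, map[string]int{}, 0
	for _, line := range strings.Split(log, "\n") {
		at, src, denied, err := parseLine(line)
		if err != nil {
			bad++ // skipped, but counted so a broken log pipeline is visible
		}
		if err != nil || !denied {
			continue
		}
		q := recent[src]
		for len(q) > 0 && at.Sub(q[0]) > window {
			q = q[1:] // drop denials that fell out of the window
		}
		q = append(q, at)
		recent[src] = q
		if len(q) >= threshold && len(q) > flagged[src] {
			flagged[src] = len(q)
		}
	}
	return flagged, bad
}
```

With a threshold of 3 denials per minute, the sample flags 10.1.1.7 (walking through consecutive account numbers) while bob's single denial stays quiet.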

Page 22

Countermeasure – Encryption

• Admin logins, e-mail, intranet apps, file transfers, remote access, wireless, data signing, etc. etc. etc.

• Technology built in to Operating Systems, Web Browsers, E-mail Clients – but applications are not aware (yet)

[Diagram (Source – Microsoft): a Random Number Generator produces a Randomly Generated File Encryption Key K. K drives File Encryption (DES), turning the plaintext “A quick brown fox jumped...” into the ciphertext “*#$fjda^j u539!3tt389E *&...”. Data Decryption Field Generation (RSA) encrypts K with the User's Public Key to produce the Data Decryption Field; Data Recovery Field Generation (RSA) encrypts K with the Recovery Public Key to produce the Data Recovery Field.]
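The key-wrapping scheme in the diagram above, as an added example (not Microsoft's EFS code or the slide author's): a random file key K encrypts the data, and K is wrapped separately for the user (DDF) and the recovery agent (DRF), so either private key can open the file while the other party's key cannot open the wrong field. AES-256-GCM and RSA-OAEP are assumed in place of the diagram's DES and RSA; the Envelope type and the function names are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope mirrors the slide's diagram: ciphertext plus K wrapped for the user (DDF) and for recovery (DRF).
type Envelope struct{ Nonce, Ciphertext, DDF, DRF []byte }

// GenKey makes a 2048-bit RSA key pair for one party (user or recovery agent).
func GenKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // cannot fail for a valid key size
	return k
}

// AES-256-GCM stands in for the slide's DES (an assumption); neither call fails for a 32-byte key.
func gcmFor(k []byte) cipher.AEAD {
	block, _ := aes.NewCipher(k)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Seal: a random K encrypts the file; K is RSA-OAEP-wrapped under both public keys, the label naming each copy's role.
func Seal(plain []byte, user, recovery *rsa.PublicKey) (*Envelope, error) {
	k := make([]byte, 32)
	rand.Read(k) // crypto/rand does not return an error in current Go
	aead := gcmFor(k)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	ddf, errD := rsa.EncryptOAEP(sha256.New(), rand.Reader, user, k, []byte("DDF"))
	drf, errR := rsa.EncryptOAEP(sha256.New(), rand.Reader, recovery, k, []byte("DRF"))
	if errD != nil || errR != nil {
		return nil, errors.Join(errD, errR)
	}
	return &Envelope{nonce, aead.Seal(nil, nonce, plain, nil), ddf, drf}, nil
}

// Open unwraps K from one field with the matching private key and label, then decrypts; a non-matching key fails at OAEP.
func Open(e *Envelope, priv *rsa.PrivateKey, field, label []byte) ([]byte, error) {
	k, err := rsa.DecryptOAEP(sha256.New(), nil, priv, field, label)
	if err != nil || len(k) != 32 {
		return nil, errors.New("private key does not unwrap this field")
	}
	return gcmFor(k).Open(nil, e.Nonce, e.Ciphertext, nil)
}
```

Call `Seal` with both public keys, then `Open` with either private key and its field (`env.DDF` with the user key, `env.DRF` with the recovery key); GCM also rejects any ciphertext altered after sealing.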

Page 23

Countermeasure – Interior Hardening

• Obtain defense in depth through:
  – Layering
  – Segmentation
  – Containment

• Not just about the “insider attack”
  – Outsider attacks that “vector” past perimeter controls can attack the inside of your network – e.g., recent worm attacks

• Security-flexible architectures
  – Ensure an ability to isolate so that problems in one system are not “inherited” by large portions of the enterprise
  – Can greatly reduce the damage an attack can cause

• Look at:
  – Default deny policies – networks, desktops
  – Network architecture behind the firewall
  – Resource grouping – resources that can be accessed with a “network login”
  – Services offered on the internal networks
  – Server configuration

Page 24

Countermeasure – Security Management

• Tools for visualization and correlation

Page 25

Countermeasure – Security Management (cont.)

• Robust incident handling

Page 26

Countermeasure – Assurance Testing

[Diagram: assurance testing options arranged from Low to High, with a “Typical Choices” band marking Commercial, Gov’t Non-DoD and DoD organizations]

• Automated External Network “Scan”
• Network Penetration Testing
• ST&E (Compliance Testing) – Network, Host, and App Testing
• Customized Testing of All Components
• In-depth S/W and H/W Trust Evaluation

Page 27

…and thanks!

Q&A