Post on 22-Dec-2015

219 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: 1. Information Assurance: vulnerabilities, threats, and controls Dr. Wayne Summers Department of Computer Science Columbus State University Summers_wayne@colstate.edu

1

Page 2: Information Assurance: vulnerabilities, threats, and controls

Dr. Wayne Summers

Department of Computer Science

Columbus State University

Summers_wayne@colstate.edu

http://csc.colstate.edu/summers

Page 3: Sapphire / SQL Slammer

“Beginning Saturday, January 25 at approximately 12:30 a.m. EST, a distributed denial-of-service attack spread rapidly throughout the global Internet. Within 10 minutes, most of the vulnerable hosts on the Internet were infected. By morning, Bank of America customers could not withdraw money from 13,000 ATMs. Continental Airline’s Web site was offline… Normally heavy Internet trading on the South Korean stock market vanished….

Sapphire is a 376-byte worm that infects Microsoft SQL Server 2000 hosts via the SQL Resolution Service running on UDP port 1434. The worm does no damage to the infected machine….”

Page 4: Information Assurance

Introduction

Vulnerabilities

Threats

Controls

Conclusions

Page 5: Computer Security

the protection of the computer resources against accidental or intentional disclosure of confidential data, unlawful modification of data or programs, the destruction of data, software or hardware, and the denial of one's own computer facilities irrespective of the method together with such criminal activities including computer related fraud and blackmail. [Palmer]

Page 6: Goals

confidentiality - limiting who can access assets of a computer system.

integrity - limiting who can modify assets of a computer system.

availability - allowing authorized users access to assets.

Page 7: Definitions

vulnerability - weakness in the security system that might be exploited to cause a loss or harm.

threats - circumstances that have the potential to cause loss or harm. Threats typically exploit vulnerabilities.

control - protective measure that reduces a vulnerability or minimizes the threat.

Page 8: CERT list of Current Activity

Buffer overflow in ntdll.dll

Windows shares (null/weak passwords – worm W32.Deloder)

Buffer overflow in sendmail

SQL Server Worm (SQL Slammer) / weak passwords in SQL Server & Microsoft Data Engine

Buffer overflow in Samba

Vulnerabilities in SIP

SSH Vulnerabilities

Buffer overflow in Windows Shell

CVS (Concurrent Versions System) Server

Buffer overflow in Windows Locator Service

Page 9: Vulnerabilities reported 1995-1999 and 2000-2002

In 2002 over 80 vulnerabilities in IE were patched; over 30 remain.

April 02, Security News Portal: 75% of all web servers running MS IIS 5.0 are vulnerable to exploitation.

Year             1995   1996   1997   1998   1999*
Vulnerabilities   171    345    311    262    417

Year             2000   2001   2002
Vulnerabilities 1,090  2,437  4,129

Page 10: Common Vulnerabilities and Exposures

CVE Report (http://cve.mitre.org/) has 480 pages of certified vulnerabilities and exposures and 853 pages of candidates for consideration, ranging from buffer overflows and denial of service attacks to bugs in software:

– “Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word as the email editor, does not block scripts that are used while editing email messages in HTML or Rich Text Format (RTF), which could allow remote attackers to execute arbitrary scripts via an email that the user forwards or replies to.”

Page 11: Vulnerabilities

“Today’s complex Internet networks cannot be made watertight…. A system administrator has to get everything right all the time; a hacker only has to find one small hole. A sysadmin has to be lucky all of the time; a hacker only has to get lucky once. It is easier to destroy than to create.” – Robert Graham, lead architect of Internet Security Systems

Page 12: Types of Threats

interception - some unauthorized party has gained access to an asset.

modification - some unauthorized party tampers with an asset.

fabrication - some unauthorized party might fabricate counterfeit objects for a computer system.

interruption - an asset of the system becomes lost, unavailable, or unusable.

Page 13: 2002 Computer Crime and Security Survey – CSI/FBI Report

Ninety percent of respondents detected computer security breaches within the last twelve months.

Eighty percent acknowledged financial losses due to computer breaches.

Forty-four percent (223 respondents) were willing and/or able to quantify their financial losses. These 223 respondents reported $455,848,000 in financial losses.

For the fifth year in a row, more respondents (74%) cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (33%).

Thirty-four percent reported the intrusions to law enforcement. (In 1996, only 16% acknowledged reporting intrusions to law enforcement.)

Page 14: Recent News

20% increase in number of attacks on corporate networks in the second half of 2002. (Symantec)

$45 billion worldwide spending on IT security products and services by 2006. (IDC)

The Internet Risk Impact Summary Report cites an 84 percent increase in "suspicious activities" such as automatic probing. The number of new worms and hybrids grew seven-fold to 752, compared to 101 in the fourth quarter of 2002. (Internet Security Systems (ISS))

“Inundated with a persistent stream of new and recurring viruses and worms, nearly three-quarters of the 306 respondents say the virus problem is getting worse, especially in terms of money and resources spent to combat and recover from infections.”

Page 15: Cyberterrorism

“Cyberterrorism is largely overblown.” Bruce Schneier, founder and CTO – Counterpane Internet Security

“Critical systems don’t run on the Internet, they are based on secure networks, we have protected our systems and do not rely on the Internet” Rainer Fahs, Senior InfoSec Engineer NATO.

Page 16: Malware and other Threats

Viruses / Worms

– 1987-1995: boot & program infectors

– 1995-1999: Macro viruses (Concept)

– 1999-2003: self/mass-mailing worms (Melissa-Klez)

– 2001-???: Megaworms (Code Red, Nimda, SQL Slammer, Slapper)

Trojan Horses

– Remote Access Trojans (Back Orifice)

Most Threats use Buffer Overflow vulnerabilities

Page 17: Social Engineering

“we have met the enemy and they are us” - POGO

Social Engineering – “getting people to do things that they wouldn’t ordinarily do for a stranger” – The Art of Deception, Kevin Mitnick

Page 18: Controls

Reduce and contain the risk of security breaches

“Security is not a product, it’s a process” – Bruce Schneier [Using any security product without understanding what it does, and does not, protect against is a recipe for disaster.]

Page 19: Defense in Depth

Antivirus

Firewall

Intrusion Detection Systems

Intrusion Protection Systems

Vulnerability Analyzers

Authentication Techniques (passwords, biometric controls)

BACKUP

Page 20: Default-Deny Posture

Configure all perimeter firewalls and routers to block all protocols except those expressly permitted.

Configure all internal routers to block all unnecessary traffic between internal network segments, remote VPN connections, and business partner links.

Harden servers and workstations to run only necessary services and applications.

Organize networks into logical compartmental segments that only have necessary services and communications with the rest of the enterprise.

Patch servers and applications on a routine schedule.
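As an added illustration of the posture on this slide (example code, not from the slides), a small C evaluator that models an explicit allow list where any flow not matched by a rule is dropped; the segment names, ports and rules are constructed for the example. It also shows why such a posture matters for the Slammer case on page 3: a flow to UDP port 1434 is denied without anyone having to anticipate it, simply because no rule permits it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum proto { TCP, UDP };

/* One allow-list entry: protocol, destination port, and the network
 * segments the flow must go between. "*" matches any source segment. */
struct rule {
    enum proto proto;
    int dst_port;
    const char *src_segment;
    const char *dst_segment;
};

/* Constructed allow list for a hypothetical network. Nothing outside
 * this table is ever permitted: that is the default-deny posture. */
static const struct rule allow[] = {
    { TCP, 443,  "internet", "dmz" },  /* public HTTPS to the web tier only  */
    { TCP, 1433, "dmz",      "db"  },  /* web tier to SQL Server, TCP only   */
    { TCP, 22,   "admin",    "db"  },  /* admin jump segment may SSH to db   */
    { UDP, 53,   "*",        "dns" },  /* any segment may query the resolver */
};

/* Returns 1 only if an explicit rule matches the flow, otherwise 0 (drop). */
int policy_allows(enum proto p, int dst_port, const char *src, const char *dst)
{
    for (size_t i = 0; i < sizeof allow / sizeof allow[0]; i++) {
        const struct rule *r = &allow[i];
        if (r->proto != p || r->dst_port != dst_port)
            continue;
        if (strcmp(r->src_segment, "*") != 0 && strcmp(r->src_segment, src) != 0)
            continue;
        if (strcmp(r->dst_segment, dst) != 0)
            continue;
        return 1;
    }
    return 0; /* no rule matched: default deny */
}

int main(void)
{
    /* UDP/1434 from the Internet to the database segment: no rule, so dropped. */
    printf("udp/1434 internet->db: %s\n",
           policy_allows(UDP, 1434, "internet", "db") ? "allow" : "deny");
    printf("tcp/443  internet->dmz: %s\n",
           policy_allows(TCP, 443, "internet", "dmz") ? "allow" : "deny");
    printf("tcp/1433 internet->db: %s\n",
           policy_allows(TCP, 1433, "internet", "db") ? "allow" : "deny");
    return 0;
}
```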

Page 21: Practical Patches

Develop an up-to-date inventory of all production systems.

Standardize production systems to same version of OS and application software.

Compare reported vulnerabilities against your inventory/control list.

Classify the risk (severity of threat, level of vulnerability, cost of mitigation and recovery)

Apply the patch

Page 22: New Types of Controls

Threat Management System - early-warning system that uses a worldwide network of firewall and intrusion-detection systems to aggregate and correlate attack data.

Vulnerability Assessment Scanner - penetration testing and security audit scanner that locates and assesses the security strength of databases and applications within your network.

Page 23: Symantec "best practices"

Turn off and remove unneeded services.

If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

Always keep your patch levels up-to-date.

Enforce a password policy.

Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses.

Isolate infected computers quickly to prevent further compromise of your organization.

Do not open attachments unless they are expected. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

Page 24: Education & Misinformation

SQL Slammer infected through MSDE 2000, a lightweight version of SQL Server installed as part of many applications from Microsoft (e.g. Visio) as well as 3rd parties.

CodeRed primarily infected desktops whose owners didn't know that the "personal" version of IIS was installed.

Educate programmers and future programmers about the importance of checking for buffer overflows.
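Page 16 notes that most threats use buffer overflow vulnerabilities and this slide asks that programmers be taught to check for them. As an added example that is not from the slides, here is the kind of check meant, in C: a parser for a constructed message format (one length byte followed by that many bytes of a name), first written trusting the length field, then with the bounds checks that reject oversized or truncated input before any byte is copied.

```c
#include <stdint.h>
#include <string.h>
#define MAX_NAME 16  /* destination buffer size, including the NUL */

/* Constructed format: msg[0] is a length byte, msg[1..] that many name bytes. */

/* Vulnerable "before": trusts the length byte. A value above MAX_NAME - 1
 * writes past the end of the caller's buffer (a classic stack overflow). */
int parse_name_unchecked(const uint8_t *msg, size_t msg_len, char *out)
{
    if (msg_len < 1) return -1;
    size_t n = msg[0];
    memcpy(out, msg + 1, n);  /* no check against the size of out */
    out[n] = '\0';
    return 0;
}

/* Hardened: the length is validated against both what was actually
 * received and the destination size before any byte is copied. */
int parse_name_checked(const uint8_t *msg, size_t msg_len,
                       char *out, size_t out_size)
{
    if (msg_len < 1 || out_size == 0) return -1;
    size_t n = msg[0];
    if (n > msg_len - 1) return -2;   /* claims more bytes than received */
    if (n > out_size - 1) return -3;  /* would overflow the destination */
    memcpy(out, msg + 1, n);
    out[n] = '\0';
    return 0;
}

/* Three constructed inputs; each returns the checked parser's result. */
int demo_valid(void)          /* length 5, "alice": accepted, returns 0 */
{
    uint8_t m[] = { 5, 'a', 'l', 'i', 'c', 'e' };
    char out[MAX_NAME];
    int rc = parse_name_checked(m, sizeof m, out, sizeof out);
    return (rc == 0 && strcmp(out, "alice") == 0) ? 0 : -99;
}
int demo_oversized(void)      /* length 200 with 200 bytes behind it: -3 */
{
    uint8_t m[201] = { 200 }; /* remaining 200 bytes are zero; content is irrelevant */
    char out[MAX_NAME];
    return parse_name_checked(m, sizeof m, out, sizeof out);
}
int demo_truncated(void)      /* length 10 but only 3 bytes follow: -2 */
{
    uint8_t m[] = { 10, 'a', 'b', 'c' };
    char out[MAX_NAME];
    return parse_name_checked(m, sizeof m, out, sizeof out);
}
```

The unchecked version is shown only for contrast and is never called with the oversized input; doing so would be undefined behaviour.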

Page 25: Conclusions

Every organization MUST have a security policy

– Acceptable use statements

– Password policy

– Training / Education

Conduct a risk analysis to create a baseline for the organization’s security

Create a cross-functional security team

“You are the weakest link”

Page 26: Bibliography

Does Cyberterrorism Pose a True Threat? - http://www.pcworld.com/resource/printable/article/0,aid,109819,00.asp

Network Security: Best Practices - http://www.computerworld.com/printthis/2003/0,4814,77625,00.html

Practical Patching - http://www.infosecuritymag.com/2003/mar/justthebasics.shtml

Symantec Offers Early Warning of Net Threats - http://www.pcworld.com/news/article/0,aid,109322,00.asp

The Art of Deception – Kevin Mitnick