Designing a Secure Organization
DESCRIPTION
Designing a Secure Organization. Where are we today? What is the Problem? 2002-2004 Security Statistics; Common Threats; Identity Theft; Anatomy of Attack; Incident Response & Forensics; Fixing The Problem. Blended Threats: A Deadly Combination.
TRANSCRIPT
Designing a Secure Organization
What is the Problem?
2002-2004 Security Statistics
Common Threats
Identity Theft
Anatomy of Attack
Incident Response & Forensics
Fixing The Problem
Where are we today?
Blended Threats: A Deadly Combination
Blended threats combine hacking, DoS, and worm-like propagation
Can rapidly compromise millions of machines
Often spread without human interaction
Importance:
Create confidentiality breaches
Corrupt system integrity
Impact availability of data and systems, compromise patient care
Examples shown: Klez, sadmind, BugBear, CodeRed, Nimda, Blaster worm
What is Spyware?
Spyware is a non-viral application (surveillance tool) that is loaded without the user's knowledge and can monitor computer activity (Trojans), such as:
Keystroke tracking and capture
Email logging
Instant messaging usage and snapshots
Modifying application/OS behavior (e.g. CoolWebSearch)
Spyware and adware can increase business risks:
Theft of confidential data
Unauthorized enterprise access
Reduced PC performance
Increased bandwidth waste
How do People Get Infected?
Web browsing
Unauthorized downloads
File swapping
Email attachments
Instant messaging
Installing "legitimate software" (malicious mobile code)
The Problem is Growing
(Chart: Number of Spyware Reports, Dec 03 through Sept 04, on a scale from 100,000 to 1,500,000; May 04 and June 04 values marked with *)
*Estimates of average monthly increase
Source: CA Security Advisory Team, Center for Pest Research
Gartner Confirms the Spyware Threat
"At mid-2004, Gartner customers are seeing a surge in manifestations of 'spyware,' invasive methods to steal user privacy that disrupt users and their workstations at home and at work. Customers report that the cleanup effort may take a few hours, but that in no time at all, the same systems are infected again."
Spyware Will Cost You Time and Money
Microsoft estimates that spyware is responsible for 50% of all PC crashes
Dell reports 20% of its technical support calls involve spyware
Sources: InformationWeek, “Tiny, Evil Things,” George Hulme and Thomas Claburn, April 26, 2004 -and-
http://www1.us.dell.com/content/topics/global.aspx/corp/pressoffice/en/2004/2004_07_20_rr_000?c=us&l=en&s=dhs&cs=19
The Effect of Spyware
(Diagram: categories arranged along an axis from SYSTEM DEGRADATION to SECURITY THREAT)
Adware and Cookies: track user activity on the Internet; collect personal information
Pop-Up Ads: collect information for cookies; interrupt user transactions on the Internet; flood users with ads and freeze machines; install utilities that modify user services
Hijackers: modify content of web pages; block access to websites; redirect users to unintended websites; install hidden/backdoor processes and services that are tightly bound to the OS; disrupt websites used for mission-critical applications
Spyware (Overt): gains a remote control capability, which includes searching and reading local files; has a self-updating capability; often includes a network sniffer; can usually activate webcam or microphone; usually logs all keystrokes
Anti-Spyware Business Drivers
Mitigate risk and limit legal liability
Protect from unauthorized access and information theft
Reduce threat to employees, partners, customers, intellectual property, regulatory compliance and brand
Help ensure business continuity
Maintain employee productivity
Avoid business disruptions and system downtime
Reduce bandwidth waste
Reduce costs
Lack of resources to research new threats
Minimize help desk calls due to spyware infestation
Costly impact of spyware infested machines (time and money)
Anti-Spyware Complements Traditional Methods
(Diagram) Viruses, Worms, Trojans; Hack in Progress, Routed Attack, Port Scan; Buffer Overflows, IE Exploits, Outlook Exploits
(Diagram) Spyware, Adware, Hacker Tools, Distributed Denial-of-Service, Zombies, Keyloggers, Trojans
Security Statistics
General Internet attack trends are showing a 64% annual rate of growth (Symantec)
The average company experiences 32 cyber-attacks per week (Checkpoint)
The average measurable cost of a serious security incident in Q1/Q2 2004 was approximately $500,000 (UK Dept of Trade & Industry)
Identity theft related personal information is selling for $500-$1000 per record (CFE Resource)
Average of 79 new vulnerabilities per week in 2004!! (Eeye Digital Security)
According to the 2003 Computer Security Institute survey:
90% of companies had security breaches in the past 12 months
80% acknowledged financial losses as a result
40% detected denial of service attacks
40% detected system penetration from outside
33% detected internal attack sources
The most serious and expensive losses were of proprietary information.
Yet these companies seem to be doing all the right things when it comes to information security:
90% use anti-virus software
89% use firewalls
60% use intrusion detection systems
Statistics from the FBI & Interpol on hacking:
More Security Statistics
More vulnerabilities = higher likelihood of attack
Faster attack propagation = less time to react

Metric                            Code Red (2001)      Slammer (2003)
Initial Compromise Rate           1.8 hosts / hour     420 hosts / hour
Infected Pop. Doubling Time       37 min.              8.5 sec.
Single Host Scan Rate             11 probes / sec.     26,000 probes / sec.
Vulnerable Population Saturation  24 hours             30 minutes
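To make the "less time to react" point concrete, here is an added illustration (not from the original slides) that fits a logistic growth curve to the two doubling times in the table and computes how long a defender has between an outbreak becoming noticeable and half of the vulnerable population being lost. The logistic model and the 1% / 50% thresholds are assumptions, not figures from the presentation.

```python
from math import exp, log

# Early-phase doubling times from the slide's statistics, in seconds.
DOUBLING_TIME_S = {
    "Code Red (2001)": 37 * 60,   # 37 minutes
    "Slammer (2003)": 8.5,        # 8.5 seconds
}


def growth_rate(doubling_time_s):
    """Exponential growth constant k (per second) implied by an observed doubling time."""
    return log(2) / doubling_time_s


def infected_fraction(k, start_fraction, t_seconds):
    """Logistic epidemic model (an assumption; the slide only gives measured numbers):
    i(t) = 1 / (1 + ((1 - i0) / i0) * exp(-k t)).  It doubles every ln2/k seconds while
    the infected fraction is small and then saturates at the whole vulnerable population."""
    odds_start = (1 - start_fraction) / start_fraction
    return 1.0 / (1.0 + odds_start * exp(-k * t_seconds))


def time_to_fraction(k, start_fraction, target_fraction):
    """Seconds for the logistic curve with rate k to climb from start_fraction to
    target_fraction (the inverse of infected_fraction)."""
    odds_start = start_fraction / (1 - start_fraction)
    odds_target = target_fraction / (1 - target_fraction)
    return log(odds_target / odds_start) / k


def reaction_window_s(doubling_time_s, noticed_at=0.01, half_lost_at=0.5):
    """Seconds between the point where the outbreak is plausibly noticed (1% of the
    vulnerable population infected) and the point where half of it is already lost."""
    return time_to_fraction(growth_rate(doubling_time_s), noticed_at, half_lost_at)


def reaction_windows():
    """Reaction window in seconds for each worm on the slide, keyed by worm name."""
    return {name: reaction_window_s(td) for name, td in DOUBLING_TIME_S.items()}


if __name__ == "__main__":
    for name, window in reaction_windows().items():
        print(f"{name:16s} doubles every {DOUBLING_TIME_S[name]:>7.1f} s -> "
              f"1% to 50% infected in {window:9.1f} s ({window / 3600:.2f} h)")
```

Under these assumptions Code Red leaves roughly four hours between "noticeable" and "half gone", Slammer under a minute, which is why a signature pushed out by hand was already too slow in 2003.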
A Total Novice Can be a Hacker Today
Anatomy Of Attack
Common Threats
Threats
Hackers – "Script Kiddies"
Employees – former and disgruntled
Domestic Competitors – "Competitive Intelligence"
State Sponsored & Corporate Espionage
Extremists – Earth Liberation Front (ELF)
(Images: Federal'naya Sluzhba Bezopasnosti; ELF)
Common Threats (Continued)
Physical – equipment, machinery, mines, office buildings, soft targets
Personnel – unfettered access to network-information resources, elicitation techniques, defamation of character/slander
Network/Information Assets – Network access, database and file access, web server, mail server
Anatomy of Attack: Modus Operandi
Physical Penetrations
Company Profiling – Open Source Research
Footprinting – Scanning – Enumeration – Penetration – Escalate Privilege – Stealing/Damaging Corp. information
Trojans – remote controlling systems
Buffer Overflows
Known Exploits
Port Redirection of Packets
Zone Transfers
SNMP Sweeps
Router Exploitation
Key Loggers – Software and Hardware devices
Denial of Service
Anatomy of Attack (Continued)
Physical Penetrations
Surveillance
Dumpster Diving
Impersonation of Authorized Personnel
bigwidget.net
Registrant: Big Widget, Inc. (BIGWIDGET_DOM)
1111 Big Widget Drive
Really Big, CA 90120 US
Domain Name: BIGWIDGET.NET
Administrative Contact, Technical Contact:
Simms, Haywood (HS69) [email protected]
1111 Big Widget Drive, UMIL04-07
Really Big, CA 90210
678-443-6001
Zone Contact, Billing Contact:
Dodge, Rodger (RD32) [email protected]
1111 Big Widget Drive, UMIL04-47
Really Big, CA 90210
678-443-6014
Record last updated on 24-June-2000
Record expires on 20-Mar-2010
Record created on 14-Mar-1998
Database last updated on 7-Jun-2000 15:54
Domain servers in listed order:
EHECATL.BIGWIDGET.NET 10.1.1.53
NS1-AUTH.SPRINTLINK.NET 206.228.179.10
NS.COMMANDCORP.COM 130.205.70.10
~$ telnet mail.bigwidget.net 25
Trying 10.1.1.10 ...
Connected to mail.bigwidget.net
Escape character is '^]'.
hacker:
hacker:~$
Connection closed by foreign host.
telnet mail.bigwidget.net 143
Trying 10.1.1.10...
Connected to mail.bigwidget.net.
* OK bigwidget IMAP4rev1 Service 9.0(157) at Wed, 14 Oct 1998 11:51:50 -0400 (EDT)
(Report problems in this server to [email protected])
. logout
* BYE bigwidget IMAP4rev1 server terminating connection
. OK LOGOUT completed
Connection closed by foreign host.
hacker ~$ ./imap_exploit mail.bigwidget.com
IMAP Exploit for Linux.
Author: Akylonius ([email protected])
Modifications: p1 ([email protected])
Completed successfully.
hacker ~$ telnet mail.bigwidget.com
Trying 10.1.1.10...
Connected to mail.bigwidget.com.
Red Hat Linux release 4.2 (Biltmore)
Kernel 2.0.35 on an i686
login: root
bigwidget:~# whoami
root
bigwidget:~# cat ./hosts
127.0.0.1 localhost localhost.localdomain
10.1.1.9 thevault accounting
10.1.1.11 fasttalk sales
10.1.1.12 geekspeak engineering
10.1.1.13 people human resources
10.1.1.14 thelinks marketing
10.1.1.15 thesource information systems
bigwidget:~# cd /etc
bigwidget:~# cd /data/creditcards
bigwidget:~# cat visa.txt
Allan B. Smith 6543-2223-1209-4002 12/99
Donna D. Smith 6543-4133-0632-4572 06/98
Jim Smith 6543-2344-1523-5522 01/01
Joseph L. Smith 6543-2356-1882-7532 04/02
Kay L. Smith 6543-2398-1972-4532 06/03
Mary Ann Smith 6543-8933-1332-4222 05/01
Robert F. Smith 6543-0133-5232-3332 05/99
bigwidget:~#
bigwidget:~# crack /etc/passwd
Cracking /etc/passwd...
username: bobman password: nambob
username: jsmith password: redbirds
username: root password:
bigwidget:~# ftp thesource
Connected to thesource
220 thesource Microsoft FTP Service (Version 4.0).
Name: jsmith
331 Password required for jsmith.
Password: ********
230 User jsmith logged in.
Remote system type is Windows_NT.
ftp> cd \temp
250 CDW command successful.
ftp> send netbus.exe
local: netbus.exe remote: netbus.exe
200 PORT command successful.
150 Opening BINARY mode data connection for netbus.exe
226 Transfer complete.
ftp> quit
thevault:~$ telnet thesource
Trying 10.1.1.15...
Connected to thesource.bigwidget.com.
Escape character is '^]'.
Microsoft (R) Windows 2000
Welcome to MS Telnet Service
Telnet Server Build 5.00.98217.1
login: jsmith
password: ********
*===============================================================
Welcome to Microsoft Telnet Server.
*===============================================================
C:\> cd \temp
C:\TEMP> netbus.exe
Connected to the.source.bigwidget.com
NetBus 1.6, by cf
Screendump
Postmaster <[email protected]>
[email protected]; [email protected]
Greetings <URGENT>
Greetings Bigwidget employees:
I have officially compromised your entire system, and have obtained all of your accounting information.
Yours Truly,
Friendly Hacker
David Smith
(Network diagram: Router, Web, Clients & Workstations, Firewall; attack paths labelled NetBus, FTP, imap)
Anatomy of Attack (Continued)
Malicious Code
W32.Welchia.Worm
Attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.
Checks for active machines to infect by sending an ICMP echo request, or PING, which will result in increased ICMP traffic.
Attempts to remove W32.Blaster.Worm
Payload:
Deletes files: Deletes msblast.exe.
Causes system instability: Vulnerable Windows 2000 machines will experience system instability due to the RPC service crash.
Compromises security settings: Installs a TFTP server on all the infected machines
Anatomy of Attack (Continued)
W32.Blaster.Worm
W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability using TCP port 135.
Payload Trigger: If the date is the 16th of the month until the end of that month if it's before August, and every day from August 16 until December 31.
Payload:
Performs Denial of Service against windowsupdate.com
Causes system instability: May cause machines to crash.
Compromises security settings: Opens a hidden remote cmd.exe shell.
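As an added example (not part of the original presentation), here is the detection logic a network team could run over a firewall or flow log to spot the two behaviours just described: one host opening TCP/135 to many distinct neighbours (Blaster) and one host sending ICMP echo requests to many distinct addresses (Welchia). The key=value log layout, the sample lines and the thresholds are constructed for the demonstration and do not correspond to any vendor's format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# One connection or packet event per line.  The key=value layout below is a constructed
# stand-in for a firewall or flow log, not a real product's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+)"
    r"(?: dport=(?P<dport>\d+))?(?: type=(?P<type>\d+))?$"
)


def parse_line(line):
    """Return a dict with ts (datetime), src, dst, proto, dport, type; None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def sweep_kind(ev):
    """Map an event to the worm behaviour it could belong to, or None for ordinary traffic.
    Blaster spreads over TCP/135 (DCOM RPC); Welchia finds targets with ICMP echo requests (type 8)."""
    if ev["proto"] == "tcp" and ev["dport"] == "135":
        return "tcp135_sweep"
    if ev["proto"] == "icmp" and ev["type"] == "8":
        return "icmp_echo_sweep"
    return None


def find_sweeps(lines, window_seconds=60, min_distinct_dst=20):
    """Flag sources that reach at least min_distinct_dst *distinct* destinations with the same
    sweep-type traffic inside any window_seconds window.  Counting distinct destinations rather
    than packets separates a scanning host from a busy client talking to one RPC server."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        kind = sweep_kind(ev)
        if kind:
            events[(ev["src"], kind)].append((ev["ts"], ev["dst"]))

    alerts = defaultdict(dict)
    for (src, kind), evs in events.items():
        evs.sort()
        in_window = Counter()  # destination -> hits inside the current sliding window
        left = 0
        peak = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Advance the left edge until the window spans at most window_seconds.
            while ts - evs[left][0] > timedelta(seconds=window_seconds):
                old_dst = evs[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_distinct_dst:
            alerts[src][kind] = peak
    return dict(alerts)


def constructed_log():
    """Constructed sample log: a Blaster-style host, a Welchia-style host, and an ordinary workstation."""
    base = datetime(2003, 8, 12, 10, 0, 0)
    lines = []
    for i in range(25):  # 25 distinct neighbours on TCP/135 within 25 seconds
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} src=10.1.1.50 dst=10.1.2.{i + 1} proto=tcp dport=135")
    for i in range(30):  # 30 distinct hosts pinged within 15 seconds
        lines.append(f"{(base + timedelta(seconds=i // 2)).isoformat()} src=10.1.1.60 dst=10.1.3.{i + 1} proto=icmp type=8")
    for i in range(3):   # legitimate RPC traffic from a workstation to a single file server
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} src=10.1.1.10 dst=10.1.1.15 proto=tcp dport=135")
    lines.append(f"{base.isoformat()} src=10.1.1.10 dst=10.1.1.40 proto=tcp dport=80")
    return lines


if __name__ == "__main__":
    for src, kinds in find_sweeps(constructed_log()).items():
        for kind, n in kinds.items():
            print(f"ALERT {src}: {kind}, {n} distinct destinations within 60 s")
```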
Nmap
Nmap (Network Scanner) is an open source, freely distributed port scanner.
Designed to scan large networks rapidly.
Can be used to target specific services.
Includes features to evade Intrusion Detection.
Utilizes TCP/IP fingerprinting for remote host identification.
Anatomy of Attack (Continued)
Netcat: "The TCP/IP Swiss Army Knife"
Create outbound or receive inbound TCP or UDP connections
Feature-rich network debugging and "exploration" tool
Port Scanning
Remote "backdoor" shell
SYN Bombing – Denial of Service Attacks
Cryptcat – Can encrypt traffic using twofish encryption
Anatomy of Attack (Continued)
Wireless Tools
Wireless network discovering and auditing tool
Decodes traffic to provide information about the network
Interfaces with GPS to track locations of discovered networks
Wireless network discovery
Displays and tracks information about wireless networks
Runs on Microsoft Windows
Wireless tool that recovers wireless encryption key
Monitors wireless traffic passively
Anatomy of Attack (Continued)
Trojans
Back Orifice – A powerful "Network Administrator" tool that is small in size, extensible, and free from CDC.
Keystroke Logger
Registry Editing
Redirection of TCP/IP connections
File Transfers
Sub-Seven – An extremely dangerous Trojan that enables full control of host
Erase hard drives
Execute programs
Anatomy of Attack (Continued)
L0phtCrack
Security experts from industry, government, and academia cite weak passwords as one of the most critical internet security threats.
L0phtCrack can obtain 18% of the passwords within 10 minutes in a recent demonstration.
90% of the passwords were recovered within 48 hours on a Pentium II/300
LC3 can even sniff encrypted passwords from the challenge/response exchanged when one machine authenticates to another over the network.
Anatomy of Attack (Continued)
Tools Used during Attacks
(Screenshot: Connected to www.test.com)
NetBus; UltraScan; WinFinger; SATAN; SAINT; Winnuke; BackOrifice; NMAP
In addition to numerous handbooks & tutorials:
Anatomy of Attack (Continued)
Abraham Abdallah, 32, shown here in a police photo released March 20, allegedly masterminded the theft of identities by using computers in a Brooklyn library to obtain credit records of chief executives. (NYPD/Reuters)
Man Charged with Using Internet to Steal Millions from Oprah, Spielberg, and Others
NEW YORK, March 20 — A Brooklyn man has been charged with stealing millions from the rich and famous through the Internet, apparently using a public library computer to help him pull off the heist.
Identity Theft
Personal Information
Name
Address
Telephone number
Date of birth
Driver's license #
Identification card #
Social Security #
Bank account #
Utility account #
Medical Record #
Credit card #
Cell phone/pager #
Internet address
Just the facts…
Types of identity theft fraud
Credit card – 42%
Telephone or utility – 20%
Bank – 13%
Employment related – 9%
Loans – 7%
Government documents/benefits – 6%
Medical Records – 19%
Attempted – 10%
How Does Identity Theft Happen? Discovery…
• Applying for a loan/refinance/credit cards
• Sign-in Rosters
• Canadian/Netherlands Lottery: "You Have WON"
• Free Credit Report Emails
• Email chain letters/pyramid schemes
• "Find out everything on anyone"
• Questionnaires
• Account Verification
• Résumés – Social Security numbers/DOB
Specific Warnings…
EBAY AND PAYPAL ACCT. VERIFICATION SCAMS, July 18, 2003
Do not respond to emails from E-Bay or PayPal that ask for credit information, SSN and other personal data. ITRC is aware that many of these are scams and the country is being blanketed with them currently.
FTC WARNING—DO NOT CALL REGISTRY, confirmed May 9, 2003
Companies and websites have been making deceptive claims that they can register consumers in advance for the FTC's do-not-call list. Two are being sued by the FTC at this time. These sites include: Free-Do-Not-Call-List.org and National-Do-Not-Call-List.us. Neither of these are official governmental sites. One of them is even charging a service fee.
Unauthorized "hospital personnel" asking for info, Sept. 2003
There are some scam artists posing as hospital employees (and we can assume this goes on in nursing homes) asking patients to either verify information or to help fill in some blanks. They carry clipboards and may even wear hospital or lab coats. Hospital personnel must be on the lookout for these con artists and patients (and family members) must require identification prior to giving out any information.
Who to contact…
Credit card companies
Bank
Insurance Companies
Medical Providers (Hospitals, Dental Offices)
Social Security
Department of Motor Vehicles
Utility company
ID Theft Clearinghouse
Prevention…
Shred any document that contains personal information
Shred unused credit solicitations
Request and review your credit report on a regular basis
NEVER give out personal information unless you initiate the process
Carefully read documents and question the use of your personal information
Incident Response & Forensic Investigations
RCCEEG is an organization of law enforcement officers, prosecutors and computer professionals from regional and surrounding counties, dedicated to providing manpower, technical and legal assistance in computer crime education and investigations.
NIPC - Detect, deter, assess, warn, respond, and investigate unlawful acts involving computer and information technologies and unlawful acts, both physical and cyber, that threaten or target our critical infrastructures
FBI Cyber Crime Division
The FBI's Cyber Crime Division is responsible for criminal investigations of intellectual property, high tech and computer crimes.
Incident Response & Forensic Investigations
Aliases: "B", "Ramon Garcia", "Jim Baker", "G. Robertson", "Mr. Diamonds"
Searched investigative database
Hacked into the FBI’s top Russian Counterintelligence Chief’s computer – Caught, but said it was to show the vulnerability of the computer systems
27 year veteran with FBI
Involved in some of the most important counterintelligence cases in recent times
FBI Agent Robert P. Hanssen
Incident Response & Forensic Investigations
He did multiple U-turns - Counter surveillance
Had hand-held GPS for finding drop or signal sites
As of Feb 2001 had consumer debts of $53,000
Brian P. Regan, AF MSG (R)
20-year military career at the National Reconnaissance Office
Daily access to Intelink
Arrested at Dulles International Airport as he was about to board a flight for Switzerland via Germany
Country A, which sources said was Libya
Less than a month before his Aug. 30, 2000, retirement from the Air Force, Regan established an e-mail address under a pseudonym -- Steven Jacobs of Alexandria -- which he planned to use for surreptitious contacts with foreign governments, according to the FBI affidavit
Created a cache of classified documents, files, and diskettes.
Incident Response & Forensic Investigations
Incident Response & Forensic Investigations
Ahmed Fathy Mehalba, a former soldier who failed to graduate from Fort Huachuca and a naturalized U.S. citizen of Egyptian descent, was taken into custody Monday at Boston's Logan International Airport. The inspectors found 132 CD-ROMs, some containing classified documents.
During the interview, Mehalba admitted that his uncle was an Intelligence Officer for the Egyptian army.
U.S. Southern Command officials said Mehalba had been employed at the facility as a contractor for The Titan Corporation, a U.S. contractor in San Diego that supports homeland security and counterterrorism.
(Network diagram: DMZ with E-mail, File Transfer and HTTP; Router; Corporate Network with Human Resources, Marketing, Engineering and Manufacturing; Wireless AP; External Threat and Internal Threat marked)
Incident Response & Forensic Investigations
eTrust Network Forensics
Process of collecting, correlating, analyzing data and content moving through a network
N-gram analysis is used to determine relationships between like types of information such as SMTP, JPEG, HTTP, and GIF.
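An added sketch (not the product's own code) of the byte n-gram comparison the slide refers to: reference profiles are built from constructed HTTP, SMTP, JPEG and GIF samples, and an unknown chunk of captured content is assigned to the nearest profile by cosine similarity. The samples, the choice of trigrams and the use of cosine similarity are all assumptions made for the demonstration.

```python
from collections import Counter
from math import sqrt

# Constructed reference samples standing in for the "known" content types the slide lists.
# They are hand-written stand-ins, not captured traffic or real image files.
REFERENCE = {
    "HTTP": (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
             b"User-Agent: demo\r\nAccept: text/html\r\n\r\n"),
    "SMTP": (b"220 mail.corp.test ESMTP ready\r\nEHLO client.corp.test\r\n"
             b"250-mail.corp.test\r\nMAIL FROM:<alice@corp.test>\r\n250 OK\r\n"
             b"RCPT TO:<bob@corp.test>\r\n"),
    # JFIF header followed by a deterministic pseudo-random body.
    "JPEG": (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             b"\xff\xdb\x00C\x00" + bytes((i * 37 + 11) % 256 for i in range(200))),
    # GIF89a header and logical screen descriptor followed by a different body.
    "GIF": (b"GIF89a\x10\x00\x10\x00\x80\x00\x00"
            + bytes((i * 53 + 7) % 256 for i in range(200))),
}


def ngram_profile(data, n=3):
    """Count every overlapping n-byte substring of data (the content's n-gram profile)."""
    return Counter(data[i:i + n] for i in range(len(data) - n + 1))


def cosine(a, b):
    """Cosine similarity between two n-gram count vectors; 0.0 when either is empty."""
    dot = sum(count * b.get(gram, 0) for gram, count in a.items())
    norm_a = sqrt(sum(c * c for c in a.values()))
    norm_b = sqrt(sum(c * c for c in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def classify(data, n=3, reference=REFERENCE):
    """Return (label, similarity) for the reference type whose n-gram profile is closest to data.
    Protocol text and image headers share almost no trigrams, so the nearest profile is
    a usable guess at what kind of content crossed the wire even without port numbers."""
    profile = ngram_profile(data, n)
    scores = {label: cosine(profile, ngram_profile(sample, n))
              for label, sample in reference.items()}
    best = max(scores, key=scores.get)
    return best, scores[best]


if __name__ == "__main__":
    unknown = b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.org\r\nAccept: */*\r\n\r\n"
    label, score = classify(unknown)
    print(f"classified as {label} (cosine similarity {score:.2f})")
```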
Incident Response & Forensic Investigations
EnCase
Award winning and validated by the courts, EnCase allows law enforcement and IT professionals to conduct a powerful, yet completely non-invasive computer forensic investigation.
Reads the Dynamic Disk partition structure and resolves all of the possible configurations.
Incident Response & Forensic Investigations
(Diagram: Report of Investigation (ROI) – Date; Subject: LASTNAME, Firstname, City, State. Investigative Memorandum for Record IMFR2 – Date; Subject: LASTNAME, Firstname, City, State. Investigative Memorandum for Record IMFR1 – Date; Subject: LASTNAME, Firstname, City, State)
Incident Response & Forensic Investigations
Key Success Factors
Limited Knowledge – Need to Know
Trained Professionals – Technical & Investigations
Proper Evidence Handling
Liaison with Local and Federal Law Enforcement
Civil vs. Criminal Actions
Incident Response & Forensic Investigations
Fixing The Problem
Security Architecture Capabilities
16 Distinct Client Capabilities can be Assessed, Architected, Integrated, and Monitored:
Security Sponsorship
Security Strategy
Security Function Structure
Security Function Resources and Skillset
Security Policies, Standards, Guidelines, and Procedures
Security Operations
Security Monitoring
User Management
User Awareness
Application Security
Database and Metadata Security
Host Security
Internal Network Security
Network Perimeter Security
Physical and Environmental Security
Contingency Planning
Enterprise Security Model
Regulatory Environment
UK: Personal Information Protection and Electronic Documents Act (2001)
US: HIPAA (Health Insurance Portability and Accountability Act)
US: Gramm-Leach-Bliley (GLBA)
US: California SB 1386 – mandates public disclosure of computer-security breaches in which confidential information may have been compromised. Becomes active on July 1, 2003.
EU: European Data Directive 95/46/EC
UK: Data Protection Act of 1998
http://www.privacyinternational.org/countries/index.html
Privacy is a Patchwork Quilt... Each Law is but One of the Patches
Fair Credit Reporting Act of 1970
Privacy Act of 1974
Right to Financial Privacy Act of 1978
Electronic Communications Privacy Act of 1986
50 State laws
FTC oversight
Recent legislation (more patches):
Anti-spam bill (Unsolicited Commercial Electronic Mail Act of 2000)
The Privacy Policy Enforcement in Bankruptcy Act of 2000
Delahunt and Bachus's bill (July 2000)
Cantwell Legislation (July 2004)
European Privacy Directive
Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley)
IAM Current State
[Slide diagram: a USER, together with Info Sec, IT Admins, the Helpdesk and an Approving Manager handling Access Needs and Password & Profile Management, deals separately with Access Management, Provisioning and Audit & Reporting on each platform: Distributed Apps, Enterprise Apps, Division Apps, Web Apps, Intranet, Payroll, Email, Sun One Directory, MS Active Directory, Novell eDirectory, External LDAP Server, Mainframe (ACF2), Oracle, MS SQL and Unix (HP-UX).]
• Multiple Logins & Passwords
• Multiple administrative contacts and processes
• Multiple profiles to manage
• Applications provisioned one at a time
• Slow, costly, insecure On-boarding & Off-boarding
• Access changes handled one at a time by platform-specific admins
• No single view of user access & activities
• Limited means to assess and report security posture
Result: Higher IAM Management Cost, Complex Compliance Environment, Higher Risk, Lower Productivity, Lower Quality of Service
[Slide build-up: an Access Control layer is placed in front of the App / DB / OS stacks and grown one component at a time. Final state: Access Control fed by the HR System, with a Policy Engine, an Authentication Service, a Web GUI, an Audit/Command Center, an Enhance OS layer on each App / DB / OS stack, and a Forensics Repository.]
IAM Future State
[Slide diagram: the same platforms (Distributed Apps, Enterprise Apps, Division Apps, Web Apps, Intranet, Payroll, Email, Sun One Directory, MS Active Directory, Novell eDirectory, External LDAP Server, Mainframe (ACF2), Oracle, MS SQL, Unix (HP-UX)) now attach to a single IAM Shared Services Infrastructure; the USER, Info Sec, IT Admins, Helpdesk and Approving Manager raise Access Needs and Password & Profile Management through it rather than platform by platform.]
IAM Shared Services Infrastructure:
Access Control • Policy Store • User Store
Provisioning • Engine • Workflow • Directory
Audit & Reporting • Engine • Data Store
• Self-Service Password & Profile Management
Result: Improved Productivity & User Satisfaction, Improved Operational Efficiency, Reduced Administrative Cost, Improved Compliance, Reduced Overall Risk
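The future-state components (HR system as authoritative source, policy store, user store, provisioning engine with an approval workflow, audit data store, and a single view of access) in miniature, as an added Python example that is not part of the presentation or of any Computer Associates product. The role names, the sample policy, the employee names and the entitlement strings are constructed for the demo; the platform names echo the slide's boxes. It shows the two things the current-state slide says are missing: one HR event fans out to every platform (including a leaver losing ad hoc grants), and every provisioning and authorization step lands in one audit store.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample policy store: role -> {platform: entitlement}.
POLICY_STORE = {
    "payroll_clerk": {"Payroll": "user", "Email": "mailbox", "Intranet": "reader"},
    "dba": {"Oracle": "dba", "MS SQL": "dba", "Email": "mailbox"},
}
# Platforms the shared services fan out to; names echo the slide's boxes.
PLATFORMS = ["Payroll", "Email", "Intranet", "Oracle", "MS SQL", "Mainframe (ACF2)", "Web Apps"]


@dataclass
class AccessRequest:
    request_id: int
    user: str
    platform: str
    entitlement: str
    manager: str            # approving manager named on the request
    state: str = "pending"


class IAMSharedServices:
    """Policy store + user store + provisioning engine/workflow + audit data store."""
    def __init__(self) -> None:
        self.user_store: Dict[str, dict] = {}          # user -> role, status, approved extra grants
        self.accounts = {p: {} for p in PLATFORMS}     # platform -> user -> entitlement
        self.requests: List[AccessRequest] = []
        self.audit: List[dict] = []                    # audit data store

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"event": event, **fields})

    def hr_event(self, user: str, role: str, status: str) -> None:
        """HR system is the authoritative source: joiner, mover and leaver events land here."""
        rec = self.user_store.setdefault(user, {"extra": {}})
        rec["role"], rec["status"] = role, status
        self._log("hr_event", user=user, role=role, status=status)
        self._reconcile(user)

    def _reconcile(self, user: str) -> None:
        """Provisioning engine: one change fans out to every platform, each step audited."""
        rec = self.user_store[user]
        desired: Dict[str, str] = {}
        if rec["status"] == "active":               # a leaver keeps nothing, role-based or ad hoc
            desired = {**POLICY_STORE.get(rec["role"], {}), **rec["extra"]}
        for platform in PLATFORMS:
            have, want = self.accounts[platform].get(user), desired.get(platform)
            if want is None and have is not None:
                del self.accounts[platform][user]
                self._log("deprovision", user=user, platform=platform, was=have)
            elif want is not None and have != want:
                self.accounts[platform][user] = want
                self._log("provision", user=user, platform=platform, entitlement=want)

    def request_access(self, user: str, platform: str, entitlement: str, manager: str) -> int:
        """Workflow: access beyond the role policy needs the named manager's approval."""
        req = AccessRequest(len(self.requests) + 1, user, platform, entitlement, manager)
        self.requests.append(req)
        self._log("request", request_id=req.request_id, user=user, platform=platform)
        return req.request_id

    def approve(self, request_id: int, approver: str) -> bool:
        req = self.requests[request_id - 1]
        # Separation of duties: only the named manager, never the requester, and only once.
        if req.state != "pending" or approver != req.manager or approver == req.user:
            self._log("approve_denied", request_id=request_id, approver=approver)
            return False
        req.state = "approved"
        self.user_store[req.user]["extra"][req.platform] = req.entitlement
        self._log("approve", request_id=request_id, approver=approver)
        self._reconcile(req.user)
        return True

    def authorize(self, user: str, platform: str, entitlement: str) -> bool:
        """Policy engine decision at access time, itself written to the audit store."""
        rec = self.user_store.get(user)
        allowed = (rec is not None and rec["status"] == "active"
                   and self.accounts.get(platform, {}).get(user) == entitlement)
        self._log("authz", user=user, platform=platform, entitlement=entitlement, allowed=allowed)
        return allowed

    def access_report(self, user: str) -> Dict[str, str]:
        """Single view of one user's access across every platform."""
        return {p: a[user] for p, a in self.accounts.items() if user in a}


def demo() -> dict:
    iam = IAMSharedServices()
    iam.hr_event("alice", "payroll_clerk", "active")           # joiner
    after_join = iam.access_report("alice")
    rid = iam.request_access("alice", "Oracle", "reader", manager="bob")
    self_approve = iam.approve(rid, "alice")                   # blocked by separation of duties
    manager_approve = iam.approve(rid, "bob")
    after_grant = iam.access_report("alice")
    iam.hr_event("alice", "payroll_clerk", "terminated")       # leaver: one event removes everything
    return {"after_join": after_join, "self_approve": self_approve,
            "manager_approve": manager_approve, "after_grant": after_grant,
            "after_leave": iam.access_report("alice"),
            "denied": iam.authorize("alice", "Payroll", "user"),
            "audit_events": len(iam.audit)}
```

The design choice worth noticing is that platform accounts are never edited directly: every path (HR event, approved request) goes through `_reconcile`, which compares the desired state from the policy store and approved grants against what each platform actually holds. That is what makes off-boarding a single step and gives the audit store a complete record, in contrast to the per-platform admin changes of the current state.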
What are the immediate steps today?
Commitment to Proceed
Executive level sponsorship of Enterprise Security Program
Establish Information Security Office
Commit budget for FY 2003-2005
Enterprise Security Program should be implemented as an enterprise initiative to ensure project success
What are the short term steps?
Mitigate Risks
Implement Information Security Policies Infrastructure
Implement Security Monitoring Tools
Demonstrate Commitment
Establish Enterprise Security Program Office
Commit Budget and Resources for Enterprise Security Program
Roadmap: Initiate Enterprise Security Program → Complete Baseline Capabilities → Complete Service Capabilities → Complete Enabling Capabilities
What are the long term steps?
Maturation of Enterprise Security Capabilities
1. Baseline Capabilities – formalize core capabilities to mitigate enterprise information security risks
2. Service Capabilities – deliver security services to support business requirements and end users
3. Enabling Capabilities – deploy security capabilities to enable business strategies
5 Initiatives of an Enterprise Security Architecture
1. Assessment Of Existing Security Environment
Development of an effective enterprise security architecture must begin with an analysis of the effectiveness of existing security controls.
2. Development Of A Security Architecture That Supports Business Objectives
Understand business objectives and strategy, and develop an end-state vision of the way in which security will support and enable those objectives.
3. Development Of An Enterprise-Wide Security Architecture That Supports Business Strategy
Define the end-state architecture, including the integration and deployment across the enterprise of structural, procedural, knowledge, technology or support focused security initiatives consistent with the business vision.
5 Initiatives of an Enterprise Security Architecture (cont.)
4. Development Of A Security Program That Maintains A High Security Posture
Establish design principles and standards and transfer knowledge to enable the continued integrity of the security architecture as it evolves with new technologies and threats to information assets over time.
5. Identify An Appropriate Security Migration Strategy
Plan the transition from the current environment to the end-state architecture.
Implementation Approach Comparison
                   Piece Meal Implementation   Enterprise Implementation
Total Cost         $8,429                      $7,761
Expense Cost       $4,079                      $194
Capital Cost       $4,350                      $7,567
Discount           15%                         25%
Completion         Year 2005                   Year 2003
Management         Multiple                    Single
Accountability     Many                        One
Integrated         Low                         High
"Win" Factor       Low Visibility              High Visibility
Conclusion
Preparing for risks brings tangible benefits in a hostile environment:
• Perimeter is disappearing, threats are 360 degrees
• Exploits and hacking tools are readily available
• Skills required to exploit threats are low and dropping
• Blended threats will become more sophisticated
Defense in depth across the entire network is key:
• Vulnerability management
• Firewalls and VPNs
• Antivirus
• Intrusion detection
• Support and alerting services
• ID Management
• Forensics Tools
Implement process to manage policy and incidents
Top management support and awareness training are key
Discussion
Michael Coady
Computer Associates Intl.
Vice President, North America
Security Services