Thin Ice in the Cyber World
Presented by Dr. Bill Hancock, CISSP, CISM
Vice President, Security & Chief Security Officer
972-740-7347
WHY Security?
Security transcends:
• IT disciplines: systems, networks, storage, databases, applications, support
• Physical, logical and electronic boundaries
• Departmental silos
• Supply chain
• Countries and jurisdictions
The Classic Reasons
• Protect assets
• PR fears
• Management edict
• Corporate policies
• Fear of attacks
• Customer info
• Legal reasons
• Was breached…
The Past
The Present
Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html
Software Is Too Complex
Sources of Complexity:
• Applications and operating systems
• Data mixed with programs
• New Internet services: XML, SOAP, VoIP
• Complex Web sites
• Always-on connections
• IP stacks in cell phones, PDAs, gaming consoles, refrigerators, thermostats
Chart: lines of code in Windows releases (millions), as read from the slide:
• Windows 3.1 (1992): 3
• Windows NT (1992): 4
• Windows 95 (1995): 15
• Windows NT 4.0 (1996): 16.5
• Windows 98 (1998): 18
• Windows 2000 (2000): 35
• Windows XP (2001): 45
Reported Security Incidents to CERT 1998-2003
(Chart: incidents per year, 1998 through 2003; y-axis 0 to 140,000)
As Systems Get Complex, Attackers are Less Mentally Sophisticated…
Source: CERT/CC
Attacker Diversity
• Script kiddies
• Social misfits
• Internal attackers
• Hacking “gangs”
• Organized crime
• Nation-state sponsored entities
• Terrorist entities
What do customers really want?
(Chart: cost ($) against security level from 0% to 100%; curves for cost of security countermeasures, cost of security breaches and total cost; the optimal level of security at minimum cost is where the total cost curve bottoms out)
Security must make business sense to be adopted!
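The cost curves on this slide, worked through numerically as an added example that is not part of the presentation. The two cost functions and their coefficients are constructed assumptions chosen to reproduce the shape of the curves (controls get more expensive per percent as the level rises, expected breach losses fall as it rises); a real business case would replace them with measured spend and loss figures.

```python
"""Added example (not from the presentation): locate the minimum of the
'total cost' curve, i.e. cost of security countermeasures plus cost of
security breaches as a function of security level.

The cost functions are constructed illustrations; the coefficients are
assumptions, not figures from the slide."""

from typing import List, Tuple


def countermeasure_cost(level: float) -> float:
    """Assumed annual spend on controls at a security level from 0.0 to 1.0.

    Modelled as convex: the last few percent of security cost far more than
    the first few (constructed coefficient)."""
    return 500_000.0 * level ** 2


def breach_cost(level: float) -> float:
    """Assumed annualised loss expectancy from breaches at a given level.

    Falls as controls improve (constructed coefficient)."""
    return 800_000.0 * (1.0 - level) ** 2


def total_cost(level: float) -> float:
    """The 'total cost' curve on the slide: both costs added together."""
    return countermeasure_cost(level) + breach_cost(level)


def optimal_level_percent(step_percent: int = 1) -> int:
    """Return the security level (whole percent) with the lowest total cost.

    Scans the whole 0% to 100% axis rather than solving analytically, so the
    same routine works when the curves come from a lookup of measured data."""
    candidates = range(0, 101, step_percent)
    return min(candidates, key=lambda pct: total_cost(pct / 100.0))


def cost_table(step_percent: int = 10) -> List[Tuple[int, float, float, float]]:
    """Rows of (level %, countermeasures, breaches, total) for a report or plot."""
    rows = []
    for pct in range(0, 101, step_percent):
        lvl = pct / 100.0
        rows.append((pct, countermeasure_cost(lvl), breach_cost(lvl), total_cost(lvl)))
    return rows


if __name__ == "__main__":
    for pct, cm, br, tot in cost_table():
        print(f"{pct:3d}%  countermeasures={cm:>10,.0f}  breaches={br:>10,.0f}  total={tot:>10,.0f}")
    best = optimal_level_percent()
    print(f"Minimum total cost at about {best}% security level: {total_cost(best / 100):,.0f}")
```

The point the slide makes falls out of the numbers: with these assumed curves the minimum sits well short of 100%, because past that point every extra percent of countermeasure spend buys less breach-cost reduction than it costs.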
Security Biz Case Drivers: The PAL Method
PAL – PR, assets/IP, law
Public Relations Issues
• Costs for bad PR almost always exceed the cost of good security implementation
Asset Protection and Intellectual Property
• Intellectual property
• Customers
• Employees
• Data stores
The Law
• Each country has compulsory compliance laws about security that most companies violate without realizing it
Purpose of the following section
The goal here is not to cover everything, just items that are either very timely or a bit outside the normal reporting of security events we see every day.
Classic Current IT Security Risks
• DNS attacks
• DDoS, DoS, etc.
• Viruses, worms, etc.
• Spoofs and redirects
• Social engineering
• Router table attacks
• OS holes, bugs
• Application code problems
• Insider attacks
• Others…
Upcoming Security Threats
• Geographic location: China is a major concern
• Legislation in other countries
• New hacker methods and tools
• VoIP
• IP-VPN (MPLS)
• ASN.1 and derivatives
• Hacker “gangs”
• Complexity of application solutions makes it easier to disrupt them (Active Directory, VoIP, etc.)
• Industrial espionage from competition: covert sampling, covert interception
Threats - Infrastructure
Core (critical)
• Routing infrastructure
• DNS
• Cryptographic key mgt.
• PBX and voice methods
• E-mail
• Siebel database
Threats – Infrastructure, II
Essential
• Financial systems
• Customer console management systems
• Access management to Exodus critical resources
• Intellectual property protection methods
• Privacy control methods
• Internal firewalls and related management
• HR systems
Routing Infrastructure
No router-to-router authentication:
• Router table poisoning
• Vector dissolution
• Hop count disruption
• Path inaccuracies
• Immediate effect
• Redundancy has no effect on repair/recovery
Edge routers/switches do not use strong access authentication methods
Routing Infrastructure, II
No CW-wide internal network IDS/monitoring
No internal network security monitoring for anomalies or stress methods
No effective flooding defense or monitoring
DNS Security Assessment
Grossly inadequate security methods against attacks
No distributed method for attack segmentation recovery
No IDS or active alarms on DNS to even see if they are up or down
Geographic distribution inadequate and easy to kill due to replication
Zone replication allows poisoning of DNS dbms
DNS servers around the company do not implement solid security architecture
Mobile Technology Security
Most corporate mobile technology, when removed from the internal network or premises, is WIDE OPEN to data theft, intrusion, AML, etc.
• Laptops: no FW, IDS, VPN, virus killers, email crypto, file crypto, theft prevention/management, cyber tracking, remote data destruct, remote logging, AML cleaning, etc., etc., etc.
• Palm Pilots, etc. – no security
• 3G and data cells – no security
• No operational security over wireless methods
Cyberterrorism
It’s real
It’s a major problem
Most sites have no clue on how to deal with it or what all is involved
Many sites have already been used for temporary storage of terrorist operational data (micro web sites, FTP buffer sites, steganography transfer, etc.)
If not on your radar, put it there now
Autonomous Malicious Logic
Worms, which increase in complexity and capabilities with each iteration
Increasing body of hostile code
Scans large blocks of IP addresses for vulnerabilities
• Target agnostic
• Large or small, powerful or not
No specific attack rationale means that anyone is vulnerable
Sharp increase in number seen in the last year and growing
Buffer Overflows
Concept is not new, but there are a lot of new ones appearing daily
Due to underlying problems with core protocol language issues, such as ASN.1, the same buffer overflow attack packet type for a specific protocol can affect many different entities in different ways:
• SNMP OID buffer overflow in February 2002 affected practically every instantiation of SNMP that used ASN.1 as the base definitional metalanguage
• What it did to one vendor was radically different than what it did to a second vendor for the same type of packet attack
Password Crackers
Sharp rise in availability of password cracking programs
Bulk of them use brute force methods or known dictionary attack methods
Some are taking advantage of exploits of a known password hashing method
Commercial products starting to appear in the industry
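Why the dictionary-based crackers on this slide work so well against some password stores, and what blunts them, as an added example that is not part of the presentation. The word list, passwords and the PBKDF2 round count are constructed assumptions; the demonstration contrasts an unsalted single-round hash (one precomputed table serves every user and every system that uses it) with a per-user salt plus an iterated key-derivation function.

```python
"""Added example (not from the presentation): unsalted fast hash versus
salted, iterated key derivation. Word list, passwords and work factor are
constructed for the demonstration."""

import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed word list standing in for the dictionaries crackers ship with.
WORDLIST = ["password", "letmein", "welcome1", "summer2003", "admin"]

PBKDF2_ROUNDS = 200_000  # assumed work factor; size it to your hardware budget


def weak_hash(password: str) -> str:
    """Unsalted single-round MD5, an example of a 'known password hashing
    method' that crackers target. Identical passwords give identical hashes,
    so one precomputed table covers every user of every system that uses it."""
    return hashlib.md5(password.encode()).hexdigest()


def precomputed_table(words) -> Dict[str, str]:
    """The attacker's one-off cost: hash every dictionary word ahead of time."""
    return {weak_hash(w): w for w in words}


def lookup_weak(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Recovering an unsalted hash is a single dictionary lookup."""
    return table.get(stored_hash)


def hardened_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt + PBKDF2-HMAC-SHA256 with many rounds.

    The salt defeats shared precomputed tables (every user needs a fresh
    table); the rounds make each individual guess expensive."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, derived


def verify_hardened(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so the check itself leaks no timing signal."""
    _, derived = hardened_hash(password, salt)
    return hmac.compare_digest(derived, stored)


def demo() -> Dict[str, bool]:
    """Run both schemes on the same constructed password and report the outcome."""
    table = precomputed_table(WORDLIST)
    # Two users who independently chose the same weak password.
    alice_weak, bob_weak = weak_hash("letmein"), weak_hash("letmein")
    salt_a, alice_strong = hardened_hash("letmein")
    salt_b, bob_strong = hardened_hash("letmein")
    return {
        "weak_hashes_identical": alice_weak == bob_weak,
        "weak_recovered_by_table": lookup_weak(alice_weak, table) == "letmein",
        "hardened_hashes_identical": alice_strong == bob_strong,
        "hardened_verifies": verify_hardened("letmein", salt_a, alice_strong),
        "hardened_rejects_wrong": verify_hardened("letmeout", salt_b, bob_strong),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:28s} {outcome}")
```

The salt alone does not stop guessing a single weak password; it only removes the economy of scale. The round count is what makes each guess cost the attacker roughly what it costs the legitimate login, which is why the work factor should be revisited as hardware gets faster.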
Default Passwords
Still a popular exploit method:
• Wireless access point admin
• Operating systems
• Broadband cable modems
• Routers out-of-the-box
• Databases out-of-the-box
• Simple exploits
• Laser printer passwords
• SCADA components
• Embedded systems
Vendor Distributed Malware
Due to lack of care in preparing distribution kits, many vendors are starting to distribute their products with malware in them
• Recent gaming company distributed NIMDA with a CD distribution
• Others have shipped viruses and other malicious code infestations
Perimeter malware checking is not enough anymore
Insiders
Still a major threat
Responsible for over 90% of actual financial losses to companies
Most sites do not have enforceable internal security controls or capabilities
• Legacy systems
• Hypergrowth of systems/networks
• Lack of care and planning in security as the growth has happened
Cryptographic Key Management
None
What is available is all manual
Changing keys on some technologies takes MONTHS (e.g. TACACS+)
Keys are weak in some areas and easily broken
No “jamming” defenses for key exchange methods
Little internal knowledge on key mgt and cryptographic methods
PBX and Voice Methods
No assessment of toll fraud and PBX misuse
Cell phones used continually for sensitive conversations
No conference call monitoring for illicit connections or listening
No videoconferencing security methods
PBX and Voice Methods, II
No voicemail protection or auditing efforts across the company
Easy to social engineer PBX access and redirection
Redundancy of main switching systems questionable (e.g. May 2002 CWA OC-12 disruption)
E-Mail Security Issues
Employees in trusted positions reading e-mail
E-mail security methods take a long time to implement
Lack of use of encryption methods for confidential e-mail
Lack of keyserver for cryptographic methods (this is due to power)
Newly devised security methods not implemented yet
Use of active directory and LDAP in future a major concern
E-Mail Security Issues, II
Wireless e-mail a concern
No filters for SPAM
No keyword filter searching methods for potential IP “leakage”
Ex-employees retain access information for their own and other accounts
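A minimal version of the outbound keyword filter the slide says is missing, run over constructed sample traffic, as an added example that is not part of the presentation. The internal domain, the watch-list patterns (classification markings, project codenames, customer-data terms, archive and source-file attachments) and the messages are all assumptions; a production filter would sit at the mail gateway and feed its hits to the SOC rather than print them.

```python
"""Added example (not from the presentation): an outbound e-mail keyword
filter for potential IP leakage, applied to constructed sample messages.
Domain, patterns and messages are assumptions."""

import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed internal domain; mail to any other domain counts as outbound.
INTERNAL_DOMAIN = "example.com"

# Constructed watch list. Names are reported back so analysts see which rule fired.
TEXT_PATTERNS = {
    "classification_marking": re.compile(r"\b(company confidential|internal use only|restricted)\b", re.I),
    "project_codename": re.compile(r"\bproject[- ](bluefin|kestrel)\b", re.I),
    "customer_data_term": re.compile(r"\bcustomer[_ ](list|export|database)\b", re.I),
}
ATTACHMENT_PATTERN = re.compile(r"\.(c|cpp|java|py|tar\.gz|zip)$", re.I)


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def is_outbound(msg: Message) -> bool:
    """True if any recipient lies outside the internal domain."""
    return any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in msg.recipients)


def scan_message(msg: Message) -> List[str]:
    """Return the names of every rule the message trips (empty list means clean)."""
    hits = []
    text = msg.subject + "\n" + msg.body
    for name, pattern in TEXT_PATTERNS.items():
        if pattern.search(text):
            hits.append(name)
    if any(ATTACHMENT_PATTERN.search(a) for a in msg.attachments):
        hits.append("archive_or_source_attachment")
    return hits


def filter_outbound(messages: List[Message]) -> List[Tuple[str, List[str]]]:
    """Scan only outbound mail so internal traffic stays out of the alert stream."""
    flagged = []
    for msg in messages:
        if not is_outbound(msg):
            continue
        hits = scan_message(msg)
        if hits:
            flagged.append((msg.subject, hits))
    return flagged


# Constructed sample traffic: one internal, one clean outbound, two leaks.
SAMPLE_MESSAGES = [
    Message("alice@example.com", ["bob@example.com"], "Project Kestrel status",
            "Internal use only - attached the roadmap.", ["roadmap.pdf"]),
    Message("alice@example.com", ["partner@otherco.net"], "quick question",
            "Can you send over the pricing sheet? Thanks.", []),
    Message("carol@example.com", ["carol.home@mailbox.org"], "backup",
            "Saving a copy at home. Customer_list attached.", ["customer_export.zip"]),
    Message("dave@example.com", ["dave@example.com", "eve@gmail.com"], "fyi",
            "Company Confidential: Q3 numbers below.", []),
]


if __name__ == "__main__":
    for subject, hits in filter_outbound(SAMPLE_MESSAGES):
        print(f"FLAGGED {subject!r}: {', '.join(hits)}")
```

Keyword rules of this kind are cheap and catch the careless case the slide is concerned with; they do nothing against deliberate exfiltration in an encrypted or renamed attachment, which is why the attachment rule matches on extension only and the hits are meant to be triaged, not auto-blocked.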
Hyperpatching
The need to quickly patch vulnerabilities is becoming a major security pain point
Protocol exploits such as SNMP will accelerate and require additional patching and fixes
Customers should stop with “old think” change control and start considering using hyperpatching and mass roll-out systems (push technology) to start solving hyperpatching problems
Employee Extortion
At least 5 different extortion methodologies have appeared that affect employee web surfers
Latest one involves persons who surf known child pornography web sites or hit on chat rooms on the subject
• A link is e-mailed to the person and they are threatened with being turned over to officials and employers unless they pay to keep the information about their surfing habits secret
This is a growing business…
Old Code Liabilities
Software vendors are trying to figure out how to decommission older versions and older code quickly due to patch/fix and general liability issues
Old code does not have security controls that are compatible with today’s problems and security systems
Wireless
Continues to be a problem
Mostly due to lack of implementation of controls
War driving is easy to do for most sites and to get on most networks
Illegal connection to a wireless network violates FCC regs
Need intrusion detection for wireless to detect who is associated to the LAN and doesn’t belong
Best short-term solution is peer-to-peer VPNs (desktop, site-to-site, etc.)
New threats with upcoming 3G products
Data Retention
BIG push for data retention in many parts of the world
With retention comes liabilities for retained information
U.S. has no specific retention laws except in specific financial and healthcare areas
EU and Asian countries recently enacted serious retention laws
M&A and Partnership Security
We often know nothing about the security of a non-corporate solution
After examination, most are very bad
We need procedures for evaluation of partners and M&A for security issues and corrective action
We also need proper security oversight on acquisitions as part of the diligence process
• We often do not know about an M&A target until the press announcement
Blended Attacks
Biological and Cyber
• Smallpox infection and DDoS against infrastructure
Multiphasic Cyber Attack
• DDoS against routers, DNS poisoning attacks and defacement attacks at the same time
Sympathetic hacking group attacks
Upstream infrastructure attack
• IXC disruption
• Power grid disruption
• Peering point disruption
• Supply-chain vendor disruption
Dr. Bill Hancock, CISSP, CISM
Vice President, Security & Chief Security Officer
Email: [email protected]
972-740-7347
Questions?