Host Based Security
John Scrimsher, CISSP, jps@hp.com
Posted on 19-Dec-2015
Virus Control
Prestidigitation
Why Host Security?
Defense in Depth
Threat management: Identification, Assessment, Response / Containment
Incident Management: Coordination of efforts, Damage Control, Public Relations
Why Host Based Security?
Perimeter Security vs. Host Based (chart: 66% vs. 34%; $ vs. $$$)
Why Host Based Security?
Threat management: Identification
Malware, Internal Threats, Employee Theft, Unpatched systems
What is Malware?
Anything that you would not want deliberately installed on your computer.
Viruses, Worms, Trojans, Spyware, More…
Where are the threats?
Threat management: Assessment
Un-patched Computers, Email, Network File Shares, Internet Downloads, Social Engineering, Blended Threats, Hoaxes / Chain Letters
The Common Factor
Phishing
Email messages sent to large distribution lists.
Disguised as legitimate businesses.
Steal personal information.
Identity Theft
Since viruses can be used to steal personal data, that data can be used to steal your identity.
Phishing, Keystroke loggers, Trojans, Spyware
Now, what do we do about it?
Threat Management: Containment
C.I.A. Security Model: Confidentiality, Integrity, Availability
Current Solutions: Antivirus / AntiSpyware, Personal Firewall / IDS / IPS, User Education
Current Security View
Red Pill / Blue Pill
How do these products help?
Host Firewall / IPS: blocks many unknown and known threats.
How do these products help?
Antivirus: captures threats that use common access methods: Web Downloads, Email, Application Attacks (Buffer Overflow).
VBSim demo
Social Engineering
“… 70 percent of those asked said they would reveal their computer passwords for a …”
Schrage, Michael. 2005. Retrieved from http://www.technologyreview.com/articles/05/03/issue/review_password.asp?p=1
Bar of chocolate
Educated Users Help
“The biggest threat to the security of a company is not a computer virus, an unpatched hole in a key program or a badly installed firewall. In fact, the biggest threat could be you. What I found personally to be true was that it's easier to manipulate people rather than technology. Most of the time organizations overlook that human element.”
Mitnick, Kevin, “How to Hack People.” BBC News Online, October 14, 2002.
How do these products help?
User Education
Don’t open suspicious email.
Don’t download software from untrusted sites.
Patch.
Things to look for…
Unusually high number of network connections (netstat –a)
CPU Utilization
Unexpected modifications to registry RUN section
Higher than normal disk activity
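The two host indicators above that can be checked mechanically (the connection count from netstat and changes to the registry Run key) are worked through here as an added example; this is not code from the presentation or from HP. The netstat text and both Run-key snapshots are constructed samples embedded in the script, and the thresholds are assumptions to be tuned per host; on a real Windows machine you would feed in the output of `netstat -ano` and a Run-key export taken when the host was known-good.

```python
"""Host-indicator triage over constructed sample data (no live system calls).

Checks two of the "things to look for": an unusually high number of network
connections, and unexpected changes to the registry Run key, by comparing a
current snapshot against a known-good baseline.
"""
from collections import Counter

# Constructed sample of Windows `netstat -a` output (not captured from a real host).
# The SYN_SENT rows to many hosts on one port are the shape a scanning worm leaves.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49152       198.51.100.7:445       SYN_SENT
  TCP    192.0.2.10:49153       198.51.100.8:445       SYN_SENT
  TCP    192.0.2.10:49154       198.51.100.9:445       SYN_SENT
  TCP    192.0.2.10:49155       198.51.100.10:445      SYN_SENT
  TCP    192.0.2.10:49156       203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

# Constructed Run-key snapshots (name -> command line). A real baseline would come
# from `reg export` of HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
BASELINE_RUN = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "SoundMAX": r"C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe",
}
CURRENT_RUN = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "SoundMAX": r"C:\Documents and Settings\All Users\SMax4PNP.exe",  # same name, new path
    "windows update": r"C:\WINDOWS\Temp\svchost.exe",                 # entry not in baseline
}


def parse_netstat(text):
    """Return (proto, local, foreign, state) tuples from `netstat -a` text.
    UDP rows have no state column and are recorded with state ''."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, banner or blank line
        state = parts[3] if len(parts) > 3 else ""
        rows.append((parts[0], parts[1], parts[2], state))
    return rows


def connection_summary(rows):
    """Count connections by state, ignoring listening sockets (those are normal)."""
    return Counter(state for _, _, _, state in rows if state and state != "LISTENING")


def netstat_findings(rows, max_connections=3, max_half_open=2):
    """Flag a high total connection count and, more specifically, many half-open
    (SYN_SENT) connections to a single port. Thresholds are assumed values."""
    findings = []
    total = sum(connection_summary(rows).values())
    if total > max_connections:
        findings.append(f"{total} non-listening connections (threshold {max_connections})")
    syn_by_port = Counter(foreign.rsplit(":", 1)[-1]
                          for _, _, foreign, state in rows if state == "SYN_SENT")
    for port, n in syn_by_port.items():
        if n > max_half_open:
            findings.append(f"{n} half-open connections to port {port}")
    return findings


def diff_run_keys(baseline, current):
    """Return (added, changed, removed) Run-key entries relative to the baseline.
    A changed entry keeps its name but points at a different command: that is the
    case a plain 'new value' check misses."""
    added = {k: v for k, v in current.items() if k not in baseline}
    changed = {k: (baseline[k], v) for k, v in current.items()
               if k in baseline and baseline[k] != v}
    removed = {k: v for k, v in baseline.items() if k not in current}
    return added, changed, removed


if __name__ == "__main__":
    for f in netstat_findings(parse_netstat(SAMPLE_NETSTAT)):
        print("netstat:", f)
    added, changed, removed = diff_run_keys(BASELINE_RUN, CURRENT_RUN)
    for name, cmd in added.items():
        print(f"run key added:   {name} -> {cmd}")
    for name, (old, new) in changed.items():
        print(f"run key changed: {name}: {old} -> {new}")
    for name in removed:
        print(f"run key removed: {name}")
```

The point of keeping a baseline is that the Run key on a healthy machine is rarely empty, so "any entry present" is not a useful alarm; what matters is what differs from the known-good state, including an existing name whose command now points somewhere new.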
Open Source
Shared information
Business Models
Is it more secure? Development model; security reviewers tend to be the same people doing the proprietary reviews.
Value in education
Lots of good security tools
Open Source - Browsers
Firefox vs. Internet Explorer: vulnerabilities reported in 2005
Internet Explorer
•SecurityFocus – 43
•Secunia Research – 9
•Symantec – 13
Firefox
•SecurityFocus – 43
•Secunia Research – 17
•Symantec – 21
What about shared vulnerabilities? Plugins, WMF images
What is Management’s role?
Management ties everything together: Responsibility, Ownership
(diagram layers: Technology, Infrastructure, Organization, Management)
Security is a Mindset, not a service. It must be a part of all decisions and implementations.
What is Management’s Role?
Compliance Monitoring, Policy Enforcement, Damage Control / Public Relations
Management’s Role
Compliance Monitoring: Keep aware of security posture, Legal requirements, Company policies, Performance metrics
Management’s Role
Policy Enforcement: Pro-actively address issues, Re-active contingency plans, Network access controls
Management’s Role
Damage Control: Do you tell customers? What about the media? How soon to go public with results? What does it cost to respond?
Legal Issues
Many countries are still developing laws
Privacy laws can prevent some investigation
Regulatory Compliance
Organized Crime
Regulatory Issues
Sarbanes-Oxley Act (2002)
Gramm-Leach-Bliley Act (1999)
Health Information Portability and Accountability Act (1996)
Electronic Communications Privacy Act (1986)
Notable Legal History
Robert Morris Jr. – “WANK” worm. First internet worm ever created, set loose by accident across the internet.
Randal Schwartz – hacked into Intel claiming he was trying to point out weaknesses in their security.
David Smith – Melissa. First known use of mass-mailing technique used in a malicious manner. Some jail time.
“OnTheFly”, The Netherlands – “Anna” virus using worm generator tool. The writer was a youth who was “remorseful” but little was done to punish him.
Philippines – “Loveletter”. No jail time because there were no laws.
Jeffrey Lee Parsons – 2005 – 18 months in prison for variant of Blaster worm.
Organized Crime
Kaspersky Quote
“It's hard to imagine a more ridiculous situation: a handful of virus writers are playing unpunished with the Internet, and not one member of the Internet community can take decisive action to stop this lawlessness. The problem is that the current architecture of the Internet is completely inconsistent with information security. The Internet community needs to accept mandatory user identification - something similar to driving licenses or passports. We must have effective methods for identifying and prosecuting cyber criminals or we may end up losing the Internet as a viable resource.”
Eugene Kaspersky, Head of Antivirus Research
On the Horizon - Microsoft
House on the hill
Targeted because they are Big?
Insecure because they are Big?
On the Horizon
Network Access Controls
Early Detection and Preventative Tools: Virus Throttle, Active CounterMeasures, WAVE, Anomaly Detection, Viral Patching
On the Horizon
Viral Targets: Mobile Phones, PDAs, Embedded Operating Systems, Automobiles, Sewing Machines, Bank Machines, Kitchen Appliances
On the Horizon
Octopus worms: multiple components working together
Warhol Worms: MSBlaster was proof of capability
Designer Worms: target-specific attacks
Virus Sharing Clubs (VSCs)
Learn Learn Learn
Authors: Sarah Gordon, Peter Szor, Roger Grimes, Kris Kaspersky
Search your library or online
Questions?
Resources
http://www.pcworld.com/news/article/0,aid,116163,00.asp
http://www.detnews.com/2003/technology/0309/03/technology-258376.htm
http://www.sans.org/rr/whitepapers/engineering/1232.php
http://www.research.ibm.com/antivirus/SciPapers/Gordon/Avenger.html