Secure Internet - Introduction (pd...) · 2020. 5. 9.
TRANSCRIPT
-
1
Secure Internet
2004. 2
KIM, WooHan
Head of KISC
[email protected] (kisa.or.kr)
Korea Information Security Agency
-
2
Positive Sides of Internet (Global)
Source: Peacockmaps, IANA

[Figure: Network map]

No. of Host Computers:

  YEAR       No. of Hosts
  1981.8              213
  1982.5              235
  1984.10           1,024
  1986.10           1,961
  1987.12          28,174
  1988.10          56,000
  1991.10         617,000
  1994.10       3,864,000
  1997.7       26,053,000
  2000.7       93,047,785
  2003.1      171,638,297

[Chart: No. of Host Computers, '82 to '03, scale 0 to 180,000,000]
-
3
Negative Sides of Internet (Global)
Source: dshield.org

No. of Hacking (incidents by country and year):

  Country    1998    1999    2000    2001    2002
  USA        3734    9859   21756   52658   73359
  UK         1594    1712    4783   40274   99940
  Japan       923     788    2232    2853     996
-
4
Positive Sides of Internet (Korea)
Source: KrNiC

[Figure: Network map]

No. of IP addresses in Korea:

  Year    No. of IP Addresses
  1993              3,324,416
  1994              3,848,704
  1995              4,766,208
  1996              6,208,000
  1997              7,256,576
  1998              8,174,080
  1999             10,402,304
  2000             18,921,984
  2001             22,985,216
  2002             27,179,520
  2003             30,980,608

[Chart: No. of IP addresses in Korea, 1993 to 2003, scale 0 to 35,000,000]
-
5
Negative Sides of Internet (Korea)
Source: KISA (2003)

[Chart: Number of intrusion events reported to KISA (except Slammer Worm), Jan. to Sep. 2003, by category: Virus, Worm, Trojan Horse, Hoax, Joke, etc.; scale 0 to 25,000]
-
6
Evolution of Virus & Worm…

[Figure: axis label "Intruder's Knowledge"]
-
7
Threat from evolving worm…

  Generation   Era         Threats                                              Speed
  First Gen    1980s       Boot viruses; CIH                                    Weeks
  Second Gen   1990-2000   Macro viruses; Denial of service; CodeRed; Nimda     Days
  Third Gen    Today       Distributed denial of service; Blended threats;      Hr./Min.
                           Slammer; MSblast
  Next Gen     Future      Flash threats; Massive worm-driven DDoS; Damaging    Min./Sec.
                           payload worms; Slammer + Welchia + SoBig.X; ?????

Scope axis: PC/Server, LAN, ISP, Mul.ISPs, Global. Marker: Day Zero.
-
8
Announcement : Top 20 Vulnerabilities List
Source: Symantec

Vulnerabilities on the Rise – New Vulnerabilities per Week:

  Year        '99   '00   '01   '02   '03 proj.
  Per week     10    25    30    50    70
-
9
Announcement : Top 20 Vulnerabilities List
Source: isc.incidents.org

• Unix
  • BIND (Berkeley Internet Name Domain)/DNS
  • Remote Procedure Call (RPC)
  • Apache Web Server
  • General UNIX Authentication
  • Clear Text Services
  • Sendmail
  • Simple Network Management Protocol (SNMP)
  • Secure Shell (SSH)
  • Misconfiguration of Enterprise Services (NFS/NIS)
  • Open Secure Sockets Layer
• Windows
  • Internet Information Server (IIS)
  • Microsoft SQL Server
  • Windows Authentication
  • Internet Explorer
  • Windows Remote Access Services
  • Microsoft Data Access Components (MDAC)
  • Windows Scripting Host (WSH)
  • Microsoft Outlook / Outlook Express
  • Windows Peer to Peer File Sharing (P2P)
  • Simple Network Management Protocol (SNMP)
-
10
Network & Vulnerabilities…

[Figure 1: Korean national high-speed network topology, labels translated: ATM switching network; BoraNet; educational institutions; electronic library; base station; HDSL-CO / HDSL-RT; ONU; CATV head end; DACS; L/L (leased line), 4W; subscriber premises; national-network Internet gateway; L2-IX; domestic Internet traffic (DREAMLINE, EDUNET, Channeli, Netsgo, UNITEL, KRNET, Chollian, GigaPOP); international Internet traffic; cable modem; National Computerization Agency; BGP4; servers: DNS, Web Hosting, News, Mail, FTP, Web Mailing (dedicated to the Ministry of Education); home customers via splitter, cable modem, D/U modem, switching hub; national-network Internet servers (making use of the national-network investment); PSTN.
* The subscriber network from a national-network node to each school may use relay cable networks, B-WLL, leased lines, etc.]

[Figure 2: generic ISP network: customer site (xDSL modem, WLL, ONU, cable modem, DSLAM, Video RP, router, L/L 2W/4W); ISP network gateway; L2-IX; ISP1 to ISP5, ISP N; GigaPOPs; international Internet, foreign ISP, BGP4; server farm (DNS, DBMS, Web, Mail, FTP, Web Mail); home (splitter, cable modem, D/U modem, dial-up).]

Vulnerable components overlaid on the diagrams: BIND, RPC, SendMail, Apache/IIS, SQL, Explorer, Mis_Config, IOS/JuNOS, "MS: Patch !!".
-
11
Doomsday …. (’03.1.25)

SQL Slammer worm infected more than 90 percent of vulnerable computers within 10 minutes, opening a new era of fast-spreading viruses on the Internet.

Slammer's Geographical Distribution: infected ratio in the first 30 min. among 74,856 distinct IP addresses.

  Country       % of Victims
  USA                  42.87
  KOREA                11.82
  Unknown               6.96
  China                 3.98
  Taiwan                2.88
  Canada                2.38
  Australia             2.02
  U.K.                  2.02
  Japan                 1.72
  Netherlands           1.53
-
12
Another Worm in Aug., ’03: MSBlast (2003.8.12)
Source: McAfee

• Infected systems : more than 200,000
• Spread speed : a couple of hours
• DDoS against windowsupdate.com

Vulnerability : RPC-DCOM
-. RPC was fine : it just receives the data and passes it to DCOM.
-. DCOM was the problem : the file name buffer was limited to 544 bytes, with no check on the length of the file name. A large file name -> stack overflow -> arbitrary code can be executed.
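The defect the slide describes, as an added example that is not part of the original presentation or of McAfee's analysis: a constructed C fragment (not DCOM's code) that pairs the unchecked copy into a fixed-size buffer with a hardened version that validates the length before copying and rejects names that do not fit. The 544-byte size comes from the slide; the function names, the return conventions and the sample names are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 544 bytes: the fixed size of the DCOM file-name buffer named on the slide. */
#define DCOM_NAME_BUF 544

/* Vulnerable pattern as the slide describes it: the buffer size is fixed, but
 * the incoming name length is never checked before the copy, so a name of
 * 544 bytes or more overruns the stack frame. Only ever call this with short
 * input; it is here to show the missing check beside the fixed version. */
static size_t handle_filename_unchecked(const char *name)
{
    char buf[DCOM_NAME_BUF];
    strcpy(buf, name);            /* no bound: overflows when strlen(name) >= 544 */
    return strlen(buf);
}

/* Hardened form: the caller-supplied length is validated against the buffer
 * (leaving room for the terminating NUL) before any byte is copied, and an
 * overlong name is rejected rather than silently truncated.
 * Returns the stored length, or -1 when the name does not fit. */
static long handle_filename_checked(const char *name, size_t name_len)
{
    char buf[DCOM_NAME_BUF];
    if (name == NULL || name_len >= sizeof buf)
        return -1;
    memcpy(buf, name, name_len);
    buf[name_len] = '\0';
    return (long)name_len;
}

/* Builds a constructed test name of n bytes ('A' repeated); caller frees it. */
static char *make_name(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL) return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char *ok = make_name(100);
    char *too_long = make_name(600);
    printf("unchecked, 100-byte name: stored %zu bytes\n", handle_filename_unchecked(ok));
    printf("checked,   100-byte name: %ld\n", handle_filename_checked(ok, 100));
    printf("checked,   600-byte name: %ld (rejected)\n", handle_filename_checked(too_long, 600));
    free(ok);
    free(too_long);
    return 0;
}
```

The boundary the check enforces is `name_len >= sizeof buf`, not `>`: a 544-byte name would fill the buffer with no room for the terminator, which is the same class of off-by-one that the slide's "no checking for length" covers.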
-
13
Another Worm in Aug., ’03: Welchia (2003.8.15)
Source: McAfee

• Traffic flooding to LAN and ISP network
• Removes MSBlaster.exe
• Scheduled to stop on Jan. 1st, 2004

MSBlaster clone : same vulnerability as MSBlaster
ICMP packet increment : traffic flooding to ISP network
Propagation chain : Ping request –(answer)-> RPC 135 scan -> DNS query for MS patch (MS 02-029) to wipe out MSBlast -> recursive attack to find other victims
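A detection heuristic for the propagation chain just described, as an added example that is not KISC's or McAfee's code: it reads constructed flow-log lines, counts for each source the distinct hosts it ping-swept and the distinct hosts it then probed on TCP/135, and flags a source only when both halves of the Welchia pattern are present, so a plain ping sweep or a single RPC connection does not alert. The log format, the field names, the thresholds and the addresses are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Thresholds and log format are assumptions for this example, not KISC's values. */
#define ICMP_SWEEP_MIN 4    /* distinct hosts ping-swept by one source        */
#define RPC_SCAN_MIN   3    /* distinct hosts probed on TCP/135 by one source */
#define MAX_SRC  32
#define MAX_DST  64
#define ADDR_LEN 16

struct src_stats {
    char src[ADDR_LEN];
    char icmp_dst[MAX_DST][ADDR_LEN]; int n_icmp;  /* distinct echo-request targets */
    char rpc_dst[MAX_DST][ADDR_LEN];  int n_rpc;   /* distinct TCP/135 targets      */
};

static struct src_stats table[MAX_SRC];
static int n_src;

/* Find or create the per-source record; NULL when the table is full. */
static struct src_stats *find_source(const char *src)
{
    for (int i = 0; i < n_src; i++)
        if (strcmp(table[i].src, src) == 0) return &table[i];
    if (n_src >= MAX_SRC) return NULL;
    memset(&table[n_src], 0, sizeof table[n_src]);
    strncpy(table[n_src].src, src, ADDR_LEN - 1);
    return &table[n_src++];
}

/* Insert dst into a per-source set of distinct addresses (no-op if present or full). */
static void add_distinct(char set[][ADDR_LEN], int *n, const char *dst)
{
    for (int i = 0; i < *n; i++)
        if (strcmp(set[i], dst) == 0) return;
    if (*n >= MAX_DST) return;
    strncpy(set[*n], dst, ADDR_LEN - 1);
    (*n)++;
}

/* Parse one constructed flow line of the form
 *   src=A dst=B proto=icmp type=8     (ICMP echo request)
 *   src=A dst=B proto=tcp dport=135   (RPC endpoint-mapper probe)
 * Returns 1 when the line counted toward a source's statistics, else 0. */
static int ingest_line(const char *line)
{
    char src[ADDR_LEN], dst[ADDR_LEN], proto[8];
    int val;
    if (sscanf(line, "src=%15s dst=%15s proto=%7s %*[a-z]=%d", src, dst, proto, &val) != 4)
        return 0;
    struct src_stats *s = find_source(src);
    if (s == NULL) return 0;
    if (strcmp(proto, "icmp") == 0 && val == 8) { add_distinct(s->icmp_dst, &s->n_icmp, dst); return 1; }
    if (strcmp(proto, "tcp") == 0 && val == 135) { add_distinct(s->rpc_dst, &s->n_rpc, dst); return 1; }
    return 0;
}

/* The slide's Welchia sequence: a ping sweep, then TCP/135 probes of the hosts
 * that answered, all from one source. Either half alone is not enough. */
static int is_welchia_like(const struct src_stats *s)
{
    return s->n_icmp >= ICMP_SWEEP_MIN && s->n_rpc >= RPC_SCAN_MIN;
}

/* Run the detector over a log; fill `flagged` with offending sources and
 * return how many there are. The table is reset so runs are independent. */
static int scan_log(const char *const lines[], int n_lines,
                    char flagged[][ADDR_LEN], int max_flagged)
{
    int k = 0;
    n_src = 0;
    for (int i = 0; i < n_lines; i++) ingest_line(lines[i]);
    for (int i = 0; i < n_src && k < max_flagged; i++)
        if (is_welchia_like(&table[i]))
            strncpy(flagged[k++], table[i].src, ADDR_LEN - 1);
    return k;
}

/* Constructed sample log (not real KISC data): 10.0.0.5 behaves like an infected
 * host, 10.0.0.7 only pings, 10.0.0.9 is ordinary admin traffic. */
static const char *const sample_log[] = {
    "src=10.0.0.5 dst=10.0.1.1 proto=icmp type=8",
    "src=10.0.0.5 dst=10.0.1.2 proto=icmp type=8",
    "src=10.0.0.5 dst=10.0.1.3 proto=icmp type=8",
    "src=10.0.0.5 dst=10.0.1.4 proto=icmp type=8",
    "src=10.0.0.5 dst=10.0.1.5 proto=icmp type=8",
    "src=10.0.0.5 dst=10.0.1.2 proto=tcp dport=135",
    "src=10.0.0.5 dst=10.0.1.3 proto=tcp dport=135",
    "src=10.0.0.5 dst=10.0.1.4 proto=tcp dport=135",
    "src=10.0.0.7 dst=10.0.1.1 proto=icmp type=8",
    "src=10.0.0.7 dst=10.0.1.2 proto=icmp type=8",
    "src=10.0.0.7 dst=10.0.1.3 proto=icmp type=8",
    "src=10.0.0.7 dst=10.0.1.4 proto=icmp type=8",
    "src=10.0.0.9 dst=10.0.1.1 proto=icmp type=8",
    "src=10.0.0.9 dst=10.0.1.1 proto=icmp type=8",
    "src=10.0.0.9 dst=10.0.1.1 proto=tcp dport=135",
};
#define SAMPLE_LINES ((int)(sizeof sample_log / sizeof sample_log[0]))

int main(void)
{
    char hits[MAX_SRC][ADDR_LEN];
    int n = scan_log(sample_log, SAMPLE_LINES, hits, MAX_SRC);
    for (int i = 0; i < n; i++)
        printf("ALERT: ping sweep followed by TCP/135 scan from %s\n", hits[i]);
    return 0;
}
```

Counting distinct destinations rather than raw packets is what keeps the slide's "ICMP packet increment" from drowning the signal: repeated pings to one monitored host stay at a count of one, while a sweep across a subnet climbs quickly.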
-
14
Another Worm in Aug., ’03: SoBig.F (2003.8.19)
Source: McAfee

• 6th version of the SoBig series in 2003
-. Launched via UseNet
• Attached file (80KB) sending -> traffic flooding to ISP and mail server
• 20 master servers: 2 servers in Korea

Massive mailing worm ( release / closing date ):
-. SoBig.A ( 2003.1.9 / )
-. SoBig.B ( 2003.5.18 / 2003.5.31 )
-. SoBig.C ( 2003.5.31 / 2003.6.8 )
-. SoBig.D ( 2003.6.18 / 2003.7.2 )
-. SoBig.E ( 2003.6.25 / 2003.7.14 )
-. SoBig.F ( 2003.8.18 / 2003.9.10 )
-
15
New Movement from Microsoft
Source: Microsoft

SD3 + Communications
• Secure by Design
• Secure by Default
• Secure in Deployment
• Communications

[Pie chart: OS share] Windows 95/98 33.5%; Windows NT/XP/2000 62.6%; Linux 3.7%; Solaris 0.2%; etc 0.1%

• Windows 98 : fade out by 2006
• Longhorn : 2005 ?
• Security enhancement : competing with vaccine companies
• Fighting with Linux Consortium ?
-
16
Microsoft has changed, “Open Policy, no more Almighty…”
Source: Microsoft

TwC Partnerships: Enterprise, Academic and Government

Shared Source Initiatives
• Enterprise Source Licensing Program
• Academic Source Licensing Program
• Windows CE Licensing Programs

Government Security Program
• Allows national governments and international organizations to confirm the quality of the platform
• Helps governments build a secure infrastructure
• Includes opportunities for security training
• Over 60 governments eligible for GSP; current signatories include NATO, United Kingdom, Russia, China, Chinese-Taipei, Australia, New Zealand, etc.
-
17
Movement from Cisco
Source: Cisco

[Chart: vertical axis "Operational capability"; horizontal axis "Applications to services and complexity of network security"]
• 1985 : Block and hide - manual, crypto solves all
• 1995 : Detection of threats - reactive point products, some automation
• Today : Protection from threats - comprehensive, integrated solutions
• Future : Adaptive networks - self-managing, self-healing, security-aware networks
-
18
So, Cisco wants to do….
Source: Cisco

1st : Team_Up   2nd : Network Admission Control

[Figure: policy servers decide per endpoint: compliant endpoint -> Admit! (to the internet); noncompliant endpoint -> Deny!]

What does that mean?
• To protect innocent & clean network users and systems. (?)
• To protect the IP network (LAN, WAN, Global) (?)
• To protect Cisco’s IP products from competitors (?)
• To protect selected US friends in the IT industry (?)

Conclusion : “Security is the last business model to be survived.”
-
19
All-Round Countermeasures…
Source: www.caida.org ( World Wide BGP Connection )

Harmonization required !
• Gov. : Policy, Education
• Corp : Investment, Mind
• ISV : Secure S/W coding
• User : Patch, Vaccine, PC-F/W
• ISP : Secure Network, Collaboration
http://www.caida.org/
-
20
Reaction from MIC after 1/25/’03
MIC : Ministry of Information and Communication

Regulations for a more secure internet ( 12/29/’03 )
-. E-Secure Korea from internet intrusion attack ( hacking and virus/worm )
-. E-Clean Korea from SPAM mail and pornography
-. E-Privacy Korea protecting personal private information ( SSN etc. )

Stimulation for the Internet security investment by ISP & Corp.
-. 30 B KW planned before 1/25/’03
-. 100 B KW invested within year 2003 after 1/25/’03

Monitoring and Protection Center opening ( 12/17/’03 )
-. KISA/KISC ( Korea Internet Security Center )

Promotion for the cyber security awareness
-. Netizen : training and education
-. ISP : security guideline for the ISP and IDC

Secure core router development
-. Long-term R&D project for a more secure router
-
21
KISC’s Task & Job Flow…

[Figure: job flow]
Inputs to KISC: Major ISPs, security companies (Sec. Co), RTSD agent, notice mail, IDS/Firewall, users, S/W and H/W vendors, AV/Vaccine, ISP/ESM, vulnerability and worm detection, foreign information.
KISC flow: Detect -> Analysis -> Propagation -> Recovery.
Notification channels: Mail, Web, SMS, Messenger, FAX, TRS.
Audiences: Private sectors, Home users, Press & TV/Radio, ISP & hot liners.
-
22
KISC’s Today & To_Be_Model…

[Figure: KISC at the center, with labels translated] Int’l Relations; Netizen / Company / Security Co.; Other institutes; Network vul.; S/W vul.; vaccine (antivirus); security patches; virus samples / attack types; ISPs / IDCs / SOs; overseas trends, joint response to intrusion incidents; Vul. R&D Center; Internet; B/U-Site; ISP; Cyber Vac.; Other ISACs; Telecom ISAC; KISC’s Expert Sys.; Other ISVs; Other AVs; Global R&D cooperation; CERT cooperation (US-CERT, CN-CERT, JP); international cooperation framework.
-
23
We are the partners…
Thanks !
For the Secure Internet !!!