Protecting The Digital Economy
David Gerulski
Director of Marketing
Internet Security Systems
Agenda
• Introduction
• E-Commerce Security Drivers
• Developing a Security Policy
• Anatomy of an Attack
• Policy Enforcement
• Enterprise Risk Management
• Security Resources
• Conclusion
ISS Overview
• Headquartered in Atlanta, GA, USA
• Pioneered vulnerability assessment and intrusion detection technology
• Leader in Enterprise Security Management
• Publicly traded on NASDAQ: ISSX
• Industry-leading technology: 35+ product awards
• 1,000+ employee owners worldwide
• Over 300 certified security partners
• Over 7,500 customers worldwide
ISS Market Share
[Chart: ISS market share in three segments: Network Intrusion Detection & Assessment Market; Network Vulnerability Assessment Market; Network Intrusion Detection Market.]
Source: International Data Corporation (IDC), August 1999
E-Commerce Security Drivers
Business Is Changing
Yesterday: Internal Focus. Access is granted to employees only.
Today: External Focus. Suppliers, customers, and prospects all need some form of access.
Yesterday: Centralized Assets. Applications and data are centralized in fortified IT bunkers.
Today: Distributed Assets. Applications and data are distributed across servers, locations, and business units.
Yesterday: Prevent Losses. The goal of security is to protect against confidentiality breaches.
Today: Generate Revenue. The goal of security is to enable eCommerce.
Yesterday: IT Control. Security manager decides who gets access.
Today: Business Control. Business units want the authority to grant access.
Source: Forrester Research, Inc.
The Threat Grows
[Chart: percentage of respondents reporting attacks, 1996, 1997 and 1998; plotted values 47%, 54% and 38% on a 20% to 60% scale.]
Source: 1998 Computer Security Institute/FBI Computer Crime and Security Survey
The Internal Threat Is Real
E-Commerce Issues
Principal Business Drivers
• Increase Revenue
• Increase Profitability
Principal Security Drivers
• Greater Susceptibility to Attack
• Greater Probability of Catastrophic Consequences
• Much Greater “Loss to Incident” Ratio
Our Strength Is Our Weakness
• In Touch With Anyone With a Modem
• Have an International Presence
• Partners Can Now Collaborate
• Leverage Web-based Supply Chain Technologies
• Employees Can Work From Home, at Night, Over the Weekends, and on Holiday
• Application Servers Can Support Entire Divisions
Consequences
• Exposure to Legal Liability
[Diagram: DDoS (Distributed Denial-of-Service). Elements shown: Company A, Company B, Company C, Company D and University A as traffic sources; a router and firewall; a web server; UNIX and NT hosts.]
Consequences
• Exposure to Legal Liability
• Decreased Stockholder Equity
• 30 Seconds on CNN
• Damaged Image
• Decreased Employee Productivity
• Loss of Intellectual Property & Assets
• Inefficient Use of Resources
Summary
• E-Business is here to stay
• Networks are exposed and under attack
• There’s no more turning a “blind eye”
• It’s a business issue and it should be treated in a
business-like manner
• Implement a security program not a security
technology
Developing a Security Policy
A Blueprint for Success
Security Policy
• Blueprint for a Good Security Program
• Standards Based - British Standard 7799
• Management Buy-In
• High Level to Technical
• Business Driven Not Vendor Driven
• Non-Static
Enforced Security Policy
• Minimize Exposure to Vulnerabilities
• Prepare for Attacks on Our Systems
• Manage Internal Staff Behavior
• Manage External Access and Activity
• Maintain Appropriate Security Configurations & Response Strategies
• Exploit Built-in Security Features
• Measure and Record Patterns and Trends for Future Security Planning
The Anatomy of an Attack
bigwidget.com
Registrant :
Big Widget, Inc. (BIGWIDGET_DOM)
1111 Big Widget Drive
Really Big, CA 90120
US
Domain Name: BIGWIDGET.COM
Administrative Contact, Technical Contact:
Simms, Haywood (HS69)
[email protected]
1111 Big Widget Drive, UMIL04-07
Really Big, CA 90210
678-443-6001
Record last updated on 24-June-2000
Record expires on 20-Mar-2010
Record created on 14-Mar-1998
Database last updated on 7-Jun-2000 15:54
Domain servers in listed order:
EHECATL.BIGWIDGET.COM
NS1-AUTH.SPRINTLINK.NET
NS.COMMANDCORP.COM
208.21.0.7
206.228.179.10
130.205.70.10
Zone Contact, Billing Contact:
Dodge, Rodger (RD32)
[email protected]
1111 Big Widget Drive, UMIL04-47
Really Big, CA 90210
678-443-6014
hacker: ~$ telnet bigwidget.com 25
Trying 10.0.0.28...
Connected to bigwidget.com
Escape character is '^]'.
Connection closed by foreign host.
hacker:~$ telnet bigwidget.com 143
Trying 10.0.0.28...
Connected to bigwidget.com.
* OK bigwidget IMAP4rev1 Service 9.0(157) at Wed, 14 Oct 1998 11:51:50 -0400 (EDT)
(Report problems in this server to [email protected])
. logout
* BYE bigwidget IMAP4rev1 server terminating connection
. OK LOGOUT completed
Connection closed by foreign host.
hacker ~$ ./imap_exploit bigwidget.com
IMAP Exploit for Linux.
Author: Akylonius ([email protected])
Modifications: p1 ([email protected])
Completed successfully.
hacker ~$ telnet bigwidget.com
Trying 10.0.0.28...
Connected to bigwidget.com.
Red Hat Linux release 4.2 (Biltmore)
Kernel 2.0.35 on an i686
login: root
bigwidget:~# whoami
root
bigwidget:~# cd /etc
bigwidget:~# cat ./hosts
127.0.0.1      localhost
208.21.2.10    thevault
208.21.2.11    fasttalk
208.21.2.12    geekspeak
208.21.2.13    people
208.21.2.14    thelinks
208.21.2.15    thesource
bigwidget:~# rlogin thevault
localhost.localdomain
accounting
sales
engineering
human resources
marketing
information systems
thevault:~# cd /data/creditcards
thevault:~# cat visa.txt
Allan B. Smith      6543-2223-1209-4002   12/99
Donna D. Smith      6543-4133-0632-4572   06/98
Jim Smith           6543-2344-1523-5522   01/01
Joseph L. Smith     6543-2356-1882-7532   04/02
Kay L. Smith        6543-2398-1972-4532   06/03
Mary Ann Smith      6543-8933-1332-4222   05/01
Robert F. Smith     6543-0133-5232-3332   05/99
thevault:~# crack /etc/passwd
Cracking /etc/passwd...
username: bobman   password: nambob
username: mary     password: mary
username: root     password: ncc1701
thevault:~# ftp thesource
Connected to thesource
220 thesource Microsoft FTP Service (Version 4.0).
Name: administrator
331 Password required for administrator.
Password: *******
230 User administrator logged in.
Remote system type is Windows_NT.
ftp> cd \temp
250 CDW command successful.
ftp> send netbus.exe
ftp> local: netbus.exe remote: netbus.exe
200 PORT command successful.
150 Opening BINARY mode data connection for netbus.exe
226 Transfer complete.
ftp> quit
thevault:~$ telnet thesource
Trying 208.21.2.160...
Connected to thesource.bigwidget.com.
Escape character is '^]'.
Microsoft (R) Windows NT (TM) Version 4.00 (Build 1381)
Welcome to MS Telnet Service
Telnet Server Build 5.00.98217.1
login: administrator
password: *******
*===============================================================
Welcome to Microsoft Telnet Server.
*===============================================================
C:\> cd \temp
C:\TEMP> netbus.exe
[Screenshot: NetBus 1.6, by cf, connected to the.source.bigwidget.com; the screen dump shows a mail message from David Smith < [email protected] > with the subject "My Raise < URGENT >".]
Dear Mr. Smith
I would like to thank you for the huge raise that you have seen fit to give me. With my new salary of $350,000.00 a year I am sure I am the highest paid mail clerk in the company. This really makes me feel good because I deserve it.
Your Son,
Dave
Anatomy of the Attack
[Diagram: BigWidget's Network. Elements shown: router, firewall, network, web server, e-mail server, UNIX and NT hosts, clients & workstations. Attack steps labelled on the diagram: imap (e-mail server), Crack, NetBus.]
Real World
Web Page Defacements
New York Times
Policy Enforcement
Through Detection and Response
What Is Vulnerable?
• IT Infrastructure: Web Server, Servers, Firewall, Router, Network, E-Mail Server, Clients & Workstations
• Applications: E-Commerce Web Server, SAP, Peoplesoft, Firewall, Router, E-Mail Server, Web Browsers
• Databases: Microsoft SQL Server, Oracle, Sybase, Router, Firewall
• Operating Systems: Solaris, Windows NT, HP-UX, AIX, Windows 95 & NT, Firewall, Router, Network
• Networks: Web Server, Servers, Firewall, Router, TCP/IP, Netware, E-Mail Server
Enterprise Risk Management
Enterprise Security Management
Vulnerability Assessment Service
corrective action report
Vulnerability: GetAdmin
Severity: High Risk
IP Address: 215.011.200.255
OS: Windows NT 4.0
Fix:
From the Start menu, choose Programs/Administrative Tools/User Manager. Under Policies/User Rights, check the users who have admin privileges on that host. Stronger action may be needed, such as reinstalling the operating system from CD. Consider this host compromised, as well as any passwords from any other users on this host. In addition, apply the post-SP3 getadmin patch, or SP4 when available. Also refer to Microsoft Knowledge Base Article Q146965.txt.
Managed Intrusion Detection Service
[Diagram: response flow. Attack detected: e-mail alert / log; session logged; session terminated; reconfigure firewall/router. Attack detected internal: record session.]
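The sequence shown in the attack demo (an IMAP connection from outside, a root login from the same source minutes later, then rlogin as root into an internal host) is exactly the kind of event chain a managed intrusion detection service correlates, and the response flow above says what should happen once it fires. The script below is an added example, not ISS or BellSouth code and not part of the original deck: it parses constructed syslog-style lines that mirror the demo, applies three correlation rules, and maps each alert to the response steps named in the flow. The log format, the rule names R1 to R3, and the assumption that 208.21.x.x and 127.x.x.x are the only internal address ranges are all constructed for this example.

```python
"""Toy detection and response pipeline modelled on a managed-IDS flow.
Added example; not ISS/BellSouth code. Log format, host names and
address ranges are constructed to mirror the deck's attack demo."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed syslog-like lines (not real output from any system)
SAMPLE_LOG = """\
1998-10-14T11:50:02 bigwidget inetd: connect from 10.0.0.99 to port 25
1998-10-14T11:51:50 bigwidget imapd: connect from 10.0.0.99
1998-10-14T11:52:31 bigwidget imapd: connect from 10.0.0.99
1998-10-14T11:52:33 bigwidget login: ROOT LOGIN on ttyp0 from 10.0.0.99
1998-10-14T11:53:10 thevault rlogind: login from bigwidget as root
1998-10-14T11:55:41 bigwidget login: LOGIN on ttyp1 by bobman from 208.21.2.12
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
FROM_RE = re.compile(r"from (\S+)")

# Assumption for this example: only these prefixes are internal to BigWidget
INTERNAL_PREFIXES = ("208.21.", "127.")


@dataclass
class Event:
    ts: datetime
    host: str
    prog: str
    msg: str


def parse_log(text):
    """Parse syslog-style lines into Events; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]),
                            m["host"], m["prog"], m["msg"]))
    return events


def is_external(ip):
    return not ip.startswith(INTERNAL_PREFIXES)


def detect(events, window=timedelta(minutes=5)):
    """Return alerts as (rule, source, timestamp) tuples.
    R1: root login over a network service from an external address.
    R2: R1 preceded within `window` by an IMAP connection from the same
        source (the chain shown in the demo).
    R3: root rlogin into another host from a host that already fired R1."""
    alerts = []
    imap_seen = {}       # source address -> time of last IMAP connection
    compromised = set()  # hosts with a flagged external root login
    for ev in events:
        m = FROM_RE.search(ev.msg)
        src = m.group(1) if m else ""
        if ev.prog == "imapd" and src:
            imap_seen[src] = ev.ts
        elif ev.prog == "login" and "ROOT LOGIN" in ev.msg and is_external(src):
            alerts.append(("R1", src, ev.ts))
            compromised.add(ev.host)
            if src in imap_seen and ev.ts - imap_seen[src] <= window:
                alerts.append(("R2", src, ev.ts))
        elif ev.prog == "rlogind" and "as root" in ev.msg and src in compromised:
            alerts.append(("R3", src, ev.ts))
    return alerts


# Response steps per rule, taken from the managed-IDS flow in the deck
RESPONSE = {
    "R1": ["email alert/log", "session logged"],
    "R2": ["email alert/log", "session logged", "session terminated",
           "reconfigure firewall/router"],
    "R3": ["attack detected internal", "record session"],
}


def respond(alerts):
    """Attach the response steps to each alert: (rule, source, steps)."""
    return [(rule, src, RESPONSE[rule]) for rule, src, _ in alerts]


if __name__ == "__main__":
    for rule, src, steps in respond(detect(parse_log(SAMPLE_LOG))):
        print(rule, src, "->", ", ".join(steps))
```

The ordinary user login from 208.21.2.12 in the sample produces no alert, which is the point of keeping an explicit internal-range assumption: the rules key on external origin plus privilege, not on logins as such. In a real deployment the address ranges, the window and the response actions would come from the firewall security policy rather than constants in the script.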
Why a managed solution?
Reasons for firewall breach (Computer Security Institute Study 1998):
• Bad Technology: 7%
• Mismanagement: 49%
• Both: 44%
Why Outsource?
• Network Security Is Complex
• Requires Specialized Skills and Dedicated Resources
• Difficulty in Hiring, Maintaining and Retaining IT Security Staff
• High Costs of Doing It on Your Own
Managed Firewall Home Page
Firewall Security Policy
Firewall - Daily Logs
Web Usage Report
Intrusion Detection Daily Events
Intrusion Detection
Custom - Query Entry Screen
Benefits of Using BellSouth’s Managed Security Services
• Enables organizations to establish and maintain security across the Internet, Intranet and Extranet
– Less expensive
• Leverage an existing security infrastructure
• Offers reliability and cost-effectiveness without having to maintain 24x7 dedicated security staff
• Scalable and modular services enable increased flexibility to upgrade services as needed
– More Secure
• Based on a robust and proven security architecture
• Utilizes best-of-breed technologies
• Supported by a dedicated staff of security engineers
• Proven operational procedures ensure proper response and escalation of security events
• Round-the-clock real-time monitoring for full-time protection
• All critical Internet-based security needs are addressed
– Frees up your resources to focus on other key company initiatives
BellSouth & ISS
Value Proposition
• BellSouth
– Trusted Business Partner
– Operational Excellence
– Highest levels of Customer Satisfaction
• Internet Security Systems (ISS)
– Security Expertise
– Market leader in security
• Together
– Best-in-class IP access and network security solutions to support your E-Business strategy
Thank You!
For more information please join us at:
www.iss.net