Security Update - Claremont Graduate University
Security Update
Vaughn Book
SVP – Chief Technology Officer
Arrowhead Credit Union
November 9, 2004
Why security is important
Good security practices are essential to protecting your company’s most important resources:
Data
Reputation
Security risks are increasing due to the demands of the always-on, always-connected economy
Security Trends
On-line Identity Theft
Consumers are increasingly becoming the victims of identity theft as a result of their online activities
e-Commerce web site compromises
Spam
Phishing
Malware
Security Trends
Increasing regulatory involvement
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLBA)
Sarbanes-Oxley Act (SOX)
California Security Breach Information Act (S.B. 1386)
Security Trends
Application vulnerabilities increasing
Software packages are becoming larger and more complex
New vulnerabilities are discovered on a daily basis
Software vendors are unable to address vulnerabilities before exploits are available, leading to 0-day attacks
Security Trends
Wireless access is becoming pervasive
Wireless networks are easy to deploy, but hard to secure
High profile wireless security problems
Best Buy
Lowe’s
Easy access for hackers and spammers
Rogue access points
Security Trends
Hacking is becoming easier
Identifying and exploiting security vulnerabilities no longer requires in-depth technical skills
Open source vulnerability detection tools are readily available:
Nessus
Whisker
NMAP
Google
Security Trends
Hacking is becoming easier – Cont’d
Virus and backdoor tool kits
Easy to use tools are freely available on the Internet for creating worms, viruses and backdoor programs:
Menu driven, point and click interface
Variety of distribution methods available
Use encryption and polymorphism to bypass anti-virus programs
Security Trends
Time to patch is decreasing
The creators of security exploits are using ever more sophisticated tools to reverse engineer patches after they are released. This is decreasing the time between the release of a patch and the exploitation of the vulnerability it fixes.
Slammer Worm – 6 months
Blaster – 26 days
Microsoft ASN1 Critical Vulnerability – 3 days
Microsoft is now releasing patches only once a month
Security Trends
Changing Motives
In the past many hackers and virus writers were mainly interested in bragging rights and the respect of their peers.
Today there is a profit motive. There is money to be made in relaying spam and stealing personal and financial data for use in identity theft.
Security Trends
Phishing
Recent exploits:
Citibank
eBay
Wells Fargo
Huge returns for phishers when people answer the messages
Security Trends
Malware is proliferating:
Viruses
Worms
Trojans
Back doors
Bots
Keyloggers
Adware
Spyware
Security Trends
Malware is becoming more sophisticated
Multiple infection vectors:
Downloadable trojan
E-mail attachment
Worm infecting un-patched systems
Scan for other vulnerable or infected systems
Harvest e-mail addresses, credit card numbers and other personal information
Polymorphic – evolve to evade detection
Virtual Machine Aware – difficult to analyze by security researchers
Security Trends
The rise of the Bot
More than 30,000 PCs per day are being recruited into secret networks that spread spam and viruses, collect personal information and launch distributed denial of service (DDoS) attacks
Able to phone home
Often controlled via Internet Relay Chat (IRC)
Security Trends
Phatbot
Popular and full featured Bot running on Windows
Can take over 100 different actions triggered over the network from the attacker
Add Windows share, FTP files, add startup registry entry, scan for security vulnerabilities, harvest e-mail addresses, launch packet floods and more
Includes a software developer’s kit (SDK) so that hackers can easily add new features and customize functionality
Security Trends
The future of Malware
Windows Root Kits
Modify the operating system to hide the presence of malicious code by hiding files, registry settings and running processes
BIOS Manipulation
Malware makers will be able to hide malicious code in the PC’s BIOS, making it more difficult to detect and remove
Microcode Rewriting
Current versions of the Intel Pentium and AMD Athlon processors include a feature to update the CPU’s microcode. Security researchers believe that future exploits could take advantage of this ability for malicious uses
Steps For Improved Security
Keep up with the latest attacks
Install Patches Regularly
Sign up to receive e-mail updates of security related issues from Microsoft, anti-virus providers and other software vendors key to your company’s operations
Test before rollout to avoid application breakage
Use Microsoft Software Update Services (SUS) instead of automatic updates in a corporate environment
Install Antivirus software everywhere
Desktop PCs, mail servers, file servers
Update virus signatures daily
Centralize virus notification
Consider using virus protection from multiple vendors
Steps For Improved Security
Configure firewalls for least access
Many firewalls block inbound access while allowing unlimited outbound access. This can allow malicious programs to easily contact the attacker and to spread.
Scan your network for security vulnerabilities regularly.
Open source tools such as NMAP and Nessus can identify internal and external vulnerabilities and find back door programs before they are exploited.
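The least-access egress policy recommended on this slide, together with the IRC-controlled bots that "phone home" from the earlier bot slide, as an added example that is not part of the original deck: a small first-match rule evaluator compares an allow-all-outbound firewall with a least-access one over constructed connection records. The internal address layout, the proxy port and the sample connections are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# A rule is (src network, dst network, proto or None, dport or None, action).
# First match wins, as in most firewalls; the last rule is the default.
# Addresses below are constructed for the example (assumed internal layout:
# 10.1.0.0/16 workstations, 10.2.0.53 DNS resolver, 10.2.0.80 web proxy,
# 10.2.0.25 mail server).
PERMISSIVE_EGRESS = [
    ("0.0.0.0/0", "0.0.0.0/0", None, None, "ALLOW"),      # block inbound, allow all outbound
]

LEAST_ACCESS_EGRESS = [
    ("10.0.0.0/8", "10.2.0.53/32", "udp", 53, "ALLOW"),    # DNS only to the internal resolver
    ("10.1.0.0/16", "10.2.0.80/32", "tcp", 3128, "ALLOW"), # workstations browse via the proxy
    ("10.2.0.80/32", "0.0.0.0/0", "tcp", 80, "ALLOW"),     # only the proxy reaches the web
    ("10.2.0.80/32", "0.0.0.0/0", "tcp", 443, "ALLOW"),
    ("10.2.0.25/32", "0.0.0.0/0", "tcp", 25, "ALLOW"),     # only the mail server sends SMTP
    ("0.0.0.0/0", "0.0.0.0/0", None, None, "DENY"),        # default deny (and log)
]

def evaluate(policy, src, dst, proto, dport):
    """Return the action of the first rule matching an outbound connection."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, r_proto, r_port, action in policy:
        if (s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net)
                and r_proto in (None, proto) and r_port in (None, dport)):
            return action
    return "DENY"  # no rule matched: treat as denied

# Constructed connection attempts as a firewall might log them: (src, dst, proto, dport).
SAMPLE_CONNECTIONS = [
    ("10.1.4.17", "10.2.0.80", "tcp", 3128),    # normal browsing through the proxy
    ("10.1.4.17", "10.2.0.53", "udp", 53),      # normal DNS lookup
    ("10.1.4.17", "198.51.100.9", "tcp", 6667), # bot phoning home to an IRC server
    ("10.1.4.17", "203.0.113.40", "tcp", 445),  # worm probing an external host
    ("10.1.4.17", "203.0.113.22", "tcp", 25),   # workstation relaying spam directly
    ("10.2.0.25", "203.0.113.22", "tcp", 25),   # legitimate mail server delivery
]

def blocked_by(policy, connections=SAMPLE_CONNECTIONS):
    """Connections the policy would have stopped."""
    return [c for c in connections if evaluate(policy, *c) == "DENY"]

def suspicious_hosts(policy, connections=SAMPLE_CONNECTIONS):
    """Internal hosts with denied egress attempts, a cheap infection indicator."""
    return Counter(src for src, _, _, _ in blocked_by(policy, connections))
```

Under the permissive policy every record passes, including the IRC connection and the direct SMTP relay; under the least-access policy those are denied, and the denied-log counter points straight at the workstation to investigate.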
Steps For Improving Security
Be Aware of Intrusion Detection Systems (IDS) limitations
IDS can identify potential attacks but cannot stop them
IDS are blind to attacks encrypted by SSL and other methods
IDS often go unwatched due to the large number of false positives
Evaluate host based intrusion prevention systems with the ability to detect and prevent attacks as an alternative
Resources - Tools
NMAP
NMAP is a free network port scanning tool which uses a number of techniques, including connect, SYN and FIN scans, to identify running services and firewall and router rule sets. NMAP can also identify the operating system running on the remote system using a variety of TCP/IP stack fingerprinting techniques.
www.insecure.org/nmap/
Ethereal
Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. A text-based version called tethereal is included.
www.ethereal.com/
Nessus
Nessus is a remote security scanner for Linux, BSD, Solaris, and other Unixes. It is plug-in-based, has a GTK interface, and performs over 1200 remote security checks. It allows for reports to be generated in HTML, XML, LaTeX, and ASCII text, and suggests solutions for security problems.
www.nessus.org
Snort
Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rule based language to describe traffic that it should collect or pass, and a modular detection engine. Many people also suggested that the Analysis Console for Intrusion Databases (ACID) be used with Snort.
www.snort.org
Resources – Web Sites
SANS
www.sans.org
Security Focus
www.securityfocus.org
Microsoft Security Guidance Center
www.microsoft.com/security/guidance
Foundstone
www.foundstone.com