Storage Decisions 2003

Transcript Storage Decisions 2003

Thin Ice in the Cyber World
Presented by
Dr. Bill Hancock, CISSP, CISM
Vice President, Security & Chief Security Officer
[email protected]
972-740-7347
WHY Security?
Security transcends:
 IT disciplines: systems, networks, storage, databases, applications, support
 Physical, Logical and Electronic boundaries
 Departmental silos
 Supply Chain
 Countries and jurisdictions
The Classic Reasons
 Protect assets
 PR fears
 Management edict
 Corporate policies
 Fear of attacks
 Customer info
 Legal reasons
 Was breached…
The Past
The Present
Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html
Software Is Too Complex
 Sources of Complexity:
• IP stacks in cell phones, PDAs, gaming consoles, refrigerators, thermostats
• Always-on connections
• Complex Web sites
• New Internet services – XML, SOAP, VoIP
• Data mixed with programs
• Applications and operating systems
(Chart: size in MILLIONS by Windows release – Windows 3.1 (1992), Windows NT (1992), Windows 95 (1995), Windows NT 4.0 (1996), Windows 98 (1998), Windows 2000 (2000), Windows XP (2001); bar values are not recoverable from the transcript)
Reported Security Incidents to CERT 1998-2003
(Chart: incidents reported per year, 1998 through 2003, y-axis 0 to 140,000)
As Systems Get Complex, Attackers are Less Mentally Sophisticated…
Source: CERT/CC
Attacker Diversity
 Script kiddies
 Social misfits
 Internal attackers
 Hacking “gangs”
 Organized crime
 Nation-state sponsored entities
 Terrorist entities
What do customers really want?
(Chart: COST ($) versus SECURITY LEVEL, 0% to 100%, with curves for COST OF SECURITY COUNTERMEASURES, COST OF SECURITY BREACHES and TOTAL COST; the minimum of TOTAL COST marks the OPTIMAL LEVEL OF SECURITY AT MINIMUM COST)
Security must make business sense to be adopted!
Security Biz Case Drivers
The PAL Method
 PAL – PR, assets/IP, law
 Public Relations Issues
• Costs of bad PR almost always exceed the cost of good security implementation
 Asset Protection and Intellectual Property
• Intellectual property
• Customers
• Employees
• Data stores
 The Law
• Each country has compulsory compliance laws about security that most companies violate and don’t realize it
Purpose of the following section
 Goal here is not to hit everything, just items that are either very timely or a bit outside the normal reporting of security events we see every day
Classic Current IT Security Risks
 DNS attacks
 DDoS, DoS, etc.
 Virii, worms, etc.
 Spoofs and redirects
 Social engineering
 Router table attacks
 OS holes, bugs
 Application code problems
 Insider attacks
 Others…
Upcoming Security Threats
 Geographic location
 China is major concern
• Legislation in other countries
 New hacker methods and tools
 VoIP
 IP-VPN (MPLS)
 ASN.1 and derivatives
 Hacker “gangs”
 Complexity of application solutions make it easier to disrupt them (Active Directory, VoIP, etc.)
 Industrial espionage from competition
 Covert sampling
 Covert interception
Threats - Infrastructure
 Core (critical)
• Routing infrastructure
• DNS
• Cryptographic key mgt.
• PBX and voice methods
• E-mail
• Siebel database
Threats – Infrastructure, II
 Essential
• Financial systems
• Customer console management systems
• Access management to Exodus critical resources
• Intellectual property protection methods
• Privacy control methods
• Internal firewalls and related management
• HR systems
Routing Infrastructure
 No router-to-router authentication
• Router table poisoning
• Vector dissolution
• Hop count disruption
• Path inaccuracies
• Immediate effect
• Redundancy has no effect on repair/recovery
 Edge routers/switches do not use strong access authentication methods
Routing Infrastructure, II
 No CW-wide internal network IDS/monitoring
 No internal network security monitoring for anomalies or stress methods
 No effective flooding defense or monitoring
DNS Security Assessment
 Grossly inadequate security methods against attacks
 No distributed method for attack segmentation recovery
 No IDS or active alarms on DNS to even see if they are up or down
 Geographic distribution inadequate and easy to kill due to replication
 Zone replication allows poisoning of DNS dbms
 DNS servers around the company do not implement solid security architecture
Mobile Technology Security
 Most corporate mobile technology when removed from the internal network or premises is WIDE OPEN to data theft, intrusion, AML, etc.
• Laptops (no FW, IDS, VPN, virus killers, email crypto, file crypto, theft prevention/management, cyber tracking, remote data destruct, remote logging, AML cleaning, etc., etc., etc.)
• Palm Pilots, etc. – no security
• 3G and data cells – no security
• No operational security over wireless methods
Cyberterrorism
 It’s real
 It’s a major problem
 Most sites have no clue on how to deal with it or what all is involved
 Many sites have already been used for temporary storage of terrorist operational data (micro web sites, FTP buffer sites, steganography transfer, etc.)
 If not on your radar, put it there now
Autonomous Malicious Logic
 Worms, which increase with complexity and capabilities with each iteration
 Increasing body of hostile code
 Scans large blocks of IP addresses for vulnerabilities
• Target agnostic
• Large or small, powerful or not
 No specific attack rationale means that anyone is vulnerable
 Sharp increase in number seen in last year and growing
Buffer Overflows
 Concept is not new, but there are a lot of new ones appearing daily
 Due to underlying problems with core protocol language issues, such as ASN.1, the same buffer overflow attack packet type for a specific protocol can affect many different entities in different ways:
• SNMP OID buffer overflow in February 2002 affected practically every instantiation of SNMP that used ASN.1 as the base definitional metalanguage
• What it did to one vendor was radically different than what it did to a second vendor for the same type of packet attack
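The class of length check whose absence the slide describes, as an added example that is not part of the talk: a BER decoder for one ASN.1 OBJECT IDENTIFIER (the SNMP OID element) that compares every declared length with the bytes actually received and bounds its output, so a packet that lies about its length is rejected instead of acted on. Tag value, encoding rules and sample packets are standard BER; the function names and the arc limit are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
/* Added example, not from the talk: bounds-checked BER decoding of one
 * OBJECT IDENTIFIER TLV. Every declared length is compared with the bytes
 * actually present before a read, and the output array is never overrun. */
#define OID_MAX_ARCS 16
/* Parse a BER length (short or long form) at buf[*pos]; 0 on success, -1 if malformed. */
static int ber_read_length(const uint8_t *buf, size_t len, size_t *pos, size_t *out)
{
    if (*pos >= len) return -1;
    uint8_t first = buf[(*pos)++];
    if (first < 0x80) { *out = first; return 0; }            /* short form */
    size_t nbytes = first & 0x7F;                             /* long form */
    if (nbytes == 0 || nbytes > sizeof(size_t) || nbytes > len - *pos) return -1;
    size_t v = 0;
    for (size_t i = 0; i < nbytes; i++) v = (v << 8) | buf[(*pos)++];
    *out = v;
    return 0;
}
/* Decode the OID TLV in buf[0..len) into arcs. Returns the arc count, or -1
 * if the tag is wrong, a length exceeds the data, an arc is unterminated or
 * overflows 32 bits, or more than OID_MAX_ARCS arcs are present. */
int ber_decode_oid(const uint8_t *buf, size_t len, uint32_t arcs[OID_MAX_ARCS])
{
    size_t pos = 0, vlen;
    if (len < 2 || buf[pos++] != 0x06) return -1;             /* OBJECT IDENTIFIER tag */
    if (ber_read_length(buf, len, &pos, &vlen) != 0) return -1;
    if (vlen == 0 || vlen > len - pos) return -1;             /* declared > received */
    size_t end = pos + vlen;
    if (buf[end - 1] & 0x80) return -1;                       /* last arc unterminated */
    int n = 0;
    uint32_t sub = 0;
    for (size_t i = pos; i < end; i++) {
        if (sub > (UINT32_MAX >> 7)) return -1;               /* arc would overflow */
        sub = (sub << 7) | (buf[i] & 0x7F);
        if (buf[i] & 0x80) continue;                          /* continuation byte */
        if (n == 0) {                                         /* first byte holds two arcs */
            uint32_t a0 = sub / 40 < 2 ? sub / 40 : 2;
            arcs[n++] = a0;
            arcs[n++] = sub - 40 * a0;
        } else {
            if (n >= OID_MAX_ARCS) return -1;                 /* output array bounded */
            arcs[n++] = sub;
        }
        sub = 0;
    }
    return n;
}
```

A decoder that trusted the declared length and copied that many bytes, or wrote arcs into a fixed array without the count check, is the shape of defect the slide refers to; the rejected sample packets in the test illustrate each check.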
Password Crackers
 Sharp rise in availability of password cracking programs
 Bulk of them use brute force methods or known dictionary attack methods
 Some are taking advantage of exploits of a known password hashing method
 Commercial products starting to appear in the industry
Default Passwords
Still a popular exploit method:
• Wireless access point admin
• Operating systems
• Broadband cable modems
• Routers out-of-the-box
• Databases out-of-the-box
• Simple exploits
 Laser printer passwords
 SCADA components
 Embedded systems
Vendor Distributed Malware
 Due to lack of care in preparing distribution kits, many vendors are starting to distribute their products with malware in it
• Recent gaming company distributed NIMDA with a CD distribution
• Others have shipped virii and other malicious code infestations
 Perimeter malware checking is not enough anymore
Insiders
 Still a major threat
 Responsible for over 90% of actual financial losses to companies
 Most sites do not have enforceable internal security controls or capabilities
• Legacy systems
• Hypergrowth of systems/networks
• Lack of care and planning in security as the growth has happened
Cryptographic Key Management
 None
 What is available is all manual
 Changing keys on some technologies takes MONTHS (e.g. TACACS+)
 Keys are weak in some areas and easily broken
 No “jamming” defenses for key exchange methods
 Little internal knowledge on key mgt and cryptographic methods
PBX and Voice Methods
 No assessment of toll fraud and PBX misuse
 Cell phones used continually for sensitive conversations
 No conference call monitoring for illicit connections or listening
 No videoconferencing security methods
PBX and Voice Methods, II
 No voicemail protection or auditing efforts across the company
 Easy to social engineer PBX access and redirection
 Redundancy of main switching systems questionable (e.g. May 2002 CWA OC-12 disruption)
E-Mail Security Issues
 Employees in trusted positions reading e-mail
 E-mail security methods take a long time to implement
 Lack of use of encryption methods for confidential e-mail
 Lack of keyserver for cryptographic methods (this is due to power)
 Newly devised security methods not implemented yet
 Use of active directory and LDAP in future a major concern
E-Mail Security Issues, II
 Wireless e-mail a concern
 No filters for SPAM
 No keyword filter searching methods for potential IP “leakage”
 Ex employees retain access information for their and other accounts
Hyperpatching
 The need to quickly patch vulnerabilities is becoming a major security pain point
 Protocol exploits such as SNMP will accelerate and require additional patching and fixes
 Customers should stop with “old think” change control and start considering using hyperpatching and mass roll-out systems (push technology) to start solving hyperpatching problems
Employee Extortion
 At least 5 different extortion methodologies have appeared that affect employee web surfers
 Latest one involves persons who surf known child pornography web sites or hit on chat rooms on the subject
• A link is e-mailed to the person and they are threatened with being turned over to officials and employers unless they pay to keep the information about their surfing habits secret
 This is a growing business…
Old Code Liabilities
 Software vendors are trying to figure out how to decommission older versions and older code quickly due to patch/fix and general liability issues
 Old code does not have security controls that are compatible with today’s problems and security systems
Wireless
 Continues to be a problem
 Mostly due to lack of implementation of controls
 War driving is easy to do for most sites and to get on most networks
 Illegal connection to a wireless network violates FCC regs
 Need intrusion detection for wireless to detect who is associated to the LAN and doesn’t belong
 Best short-term solution is peer-to-peer VPNs (desktop, site-to-site, etc.)
 New threats with upcoming 3G products
Data Retention
 BIG push for data retention in many parts of the world
 With retention comes liabilities for retained information
 U.S. has no specific retention laws except in specific financial and healthcare areas
 EU and Asian countries recently enacted serious retention laws
M&A and Partnership Security
 We often know nothing about the security of a non-corporate solution
 After examination, most are very bad
 We need procedures for evaluation of partners and M&A for security issues and corrective action
 We also need to have as part of the diligence process proper security oversight on acquisitions
• We often do not know about an M&A target until the press announcement
Blended Attacks
 Biological and Cyber
• Smallpox infection and DDoS against infrastructure
 Multiphasic Cyber Attack
• DDoS against routers, DNS poisoning attacks and defacement attacks at the same time
 Sympathetic hacking group attacks
 Upstream infrastructure attack
• IXC disruption
• Power grid disruption
• Peering point disruption
• Supply-chain vendor disruption
Questions?
Dr. Bill Hancock, CISSP, CISM
Vice President, Security & Chief Security Officer
Email: [email protected]
Phone: 972-740-7347