Digex Executive Breakfast - PowerPoint PPT Presentation

Slides: 31
Provided by: dtst6

Transcript and Presenter's Notes

1
Digex Executive Breakfast: Internet Security
Mark Shull, President & CEO
Pam Fusco
2
Security incidents are on the rise
Know Your Enemy
Meet Your Ally...
3
The High Cost of Security Breaches
Know Your Enemy...
CSI/FBI Security Survey 2000
  • 90% of companies surveyed detected cyber attacks
    within the last 12 months
  • 74% reported losses due to computer breaches
  • 35% of the surveyed companies reported a total of
    over $265 million in losses due to attacks
  • More than 40,000 known viruses, with 200 new
    viruses every month
  • Code Red I and II compromised 300,000 Windows
    (IIS) servers
  • Melissa cost businesses almost $400 million in
    losses
  • Love Bug morphed into 29 variants and infected
    500,000 machines
  • Datamonitor estimates that the amount businesses
    lose each year to eSecurity breaches will be as
    much as $15 billion

4
What You Dont Know Can Hurt You
  • By 2003, 50% of Small and Midsize Enterprises
    (SMEs) that manage their own Internet security
    will have experienced a successful Internet-based
    attack. More than 60% of those enterprises will
    be unaware that they have been attacked.
  • -- Gartner Group, October 2000

5
Global network security products
  • Datamonitor estimates that in 2000 the market for
    network security products will reach $5.9bn
  • It will grow at a CAGR of 30% to reach $21.2bn by
    year end 2005
  • The largest markets in 2000 will be the mature
    anti-virus, authorization administration and
    firewall markets
  • The three fastest growing markets will be for
    content security, VPNs and PKI, growing at 66%,
    59% and 46% respectively

6
Increased security risks are driving increased
security spending
[Chart: global network security product market, $m,
2000 to 2005, broken out by segment: authorization/admin,
VPN, PKI, ID/VA, firewalls, encryption, content security,
authentication, anti-virus; y-axis from 5,000 to 25,000]
7
Do you have the right security resources?
Percent of Global 1000 Companies That Have
Security Measures to Detect Hackers

  Security Measure                                  Have it   Don't have it
  Comprehensive, enforceable security policies        65%         35%
  Personnel and systems in place to recognize
    attacks                                           40%         60%
  Effective computer incident response teams
    ready to respond to hacking                       40%         60%

Source: Giga Information Group, 2001
8
Are you able to handle it?
  • Reduce your risk
  • Can you really protect your business well?
  • Are you willing to take the risk?
  • Would you bet your job?

[Diagram: a Code Red worm/virus infection spreading from
the Internet toward the Digex SmartCenter firewall]
9
Disaster can strike your business
Virus Comes in Through a Data Stream
  • The Code Red virus infection costs upwards of
    x million, with downtime of as long as x days
  • Melissa
  • Code Red

A CODE RED INFECTION COULD MEAN DISASTER.
10
Securing the Fort
  • The Basics
  • Network Intrusion Detection
  • Systematic Update Process
  • Security Advisories
  • Scheduled and Unscheduled Network Security Scans
  • 3rd Party Security Audit Support
  • Real-time Host-based Intrusion Detection (IDS)
  • Security Scan and Vulnerability Assessment
    Reporting and Analysis
  • Security Investigations / After Action Resolution
    Reporting

11
Network Intrusion Detection
  • Provides proactive, near-real-time detection of
    network attacks
  • Implemented at the access layer
  • Captures, analyzes and evaluates raw TCP/IP
    traffic
  • Packet sniffer (source and destination IP
    address)
  • Sniffers run in stealth mode, capturing and
    resolving network traffic in near real time
  • Tools
  • -- Shadow: uses a database/IDS security policy
    based on exploits, attacks, vulnerabilities and
    server traffic patterns, refreshed hourly
  • -- Snort: IDS performing real-time traffic
    analysis and packet logging on IP networks
  • -- Detects a variety of attacks and probes (e.g.
    buffer overflows, stealth port scans, CGI
    attacks, SMB probes, OS fingerprinting attempts)

12
Network Intrusion Detection
  • How do the experts handle intrusion?
  • Digex employs certified security engineers to
    respond to, report on and evaluate intrusion
    detection logs
  • We send abuse notifications to the owner of the
    attacking source address
  • 80% of abuses are committed by victims: the
    attacking system was itself hacked
  • Abuse notifications have resulted in:
  • -- Students being expelled
  • -- Service to the offending ISP customer being
    terminated

13
Smart Update Process
  • Timely maintenance protects against new attacks
  • Digex SSO monitors commercial, underground,
    government and vendor channels for exploits
    relating to software/applications, OSs and other
    platform vulnerabilities
  • SSO evaluates vulnerabilities to determine
    operational impact (risk level)
  • SSO advisories detail concerns, exploitability,
    the level of risk associated with the events and
    recommended actions
  • If no vendor patch is released, SSO devises
    and/or develops a workaround
  • The patch/workaround is presented to Engineering
    for testing against the Digex standard build
  • The advisory is updated and sent to customers
  • The security patch/workaround is implemented on
    affected systems via EMOP/MOP

14
Security Advisories
  • Keeps stakeholders informed
  • SSO advisories are forwarded to customers
    detailing security actions related to OS and
    application exploits, as well as global events
    (political, religious, environmental, etc.) that
    may affect customer servers
  • Digex takes proactive measures, e.g. an advisory
    detailing increased traffic originating from
    Chinese IP address blocks
  • Customized rule-sets were suggested to curtail
    hostile threats and prevent possible exploits;
    the IP address blocks were derived from SSO
    Network IDS logs
  • SSO composes advisories notifying customers of
    newly developed exploits/vulnerabilities (Smart
    Update Process)

15
3rd Party Security Audits
  • Provides access to best practices in the industry
  • Digex experts support customers' 3rd party
    security audit requests
  • Reviews auditors' tools and techniques to ensure
    auditors do not adversely impact customer/Digex
    network infrastructure
  • SSO verifies customer IP addresses for accuracy
  • Digex IDS analysts monitor traffic throughout
    the audit
  • Digex provides consultation and after-action
    review

16
Host-based Intrusion Detection
  • Proactively detects attacks and protects
    business data
  • Entercept (includes a Security Scan and
    Vulnerability Assessment)
  • Prevents attacks prior to execution
  • Individual attack signatures: protection against
    hacking exploits by matching process behavior
    against a dictionary of attack behaviors (e.g.
    launch of NetBus or Back Orifice)
  • Generic attack signatures: protection against
    categories of attack, both known and unknown
    (e.g. buffer overflows)
  • HTTP protection: safeguards against attacks
    directed at Web applications via the HTTP
    protocol
  • Application shielding: offers security
    specifically for Web servers, designed to protect
    applications, application files and application
    data

17
Security Scan and Vulnerability Assessment
  • Identifies vulnerabilities to minimize risk
  • Symantec's Enterprise Security Manager (ESM)
  • Host-based
  • Provides a thorough internal evaluation of:
  • -- Password strength
  • -- Modified system files
  • -- Services enabled
  • -- User rights, etc.
  • An agent is installed on the server

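One of the ESM checks listed above, "modified system files", comes down to comparing each file's current content hash, size and permission bits with a baseline recorded when the build was known-good. As an added example (not Digex's or Symantec's code), the Python below builds such a baseline for a constructed throwaway directory tree in a temp directory (the bin/ and etc/ files in it are made up for the demo), tampers with it the way an intruder would, and reports what changed:

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path):
    """What we record per file: content hash, size and permission bits."""
    st = path.lstat()
    return {
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
    }


def build_baseline(root):
    """Map every regular file under root (POSIX-style relative path) to its fingerprint."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare(baseline, current):
    """Files that appeared, disappeared, or whose content/size/mode changed since baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in set(baseline) & set(current) if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario in a temp directory: baseline a fake system tree, then tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "motd").write_text("welcome\n")
        baseline = build_baseline(root)

        # Simulated compromise: trojaned binary, backdoor account plus loosened
        # permissions on passwd, an attacker tool dropped into bin, and a file removed.
        (root / "bin" / "login").write_bytes(b"trojaned login binary")
        with open(root / "etc" / "passwd", "a") as fh:
            fh.write("toor:x:0:0::/:/bin/sh\n")
        os.chmod(root / "etc" / "passwd", 0o666)
        (root / "bin" / "nc").write_bytes(b"attacker tool")
        (root / "etc" / "motd").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Running the block prints the added, removed and modified lists for the constructed scenario. On a real host the baseline has to live off-box (an attacker who can replace login can also rewrite a baseline stored next to it), and the agent covers the paths the policy names rather than a whole tree; the slide says nothing about either choice, so neither is modelled here.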
18
Security Scan and Vulnerability Assessment
  • Proactive assessment of site vulnerability and
    recommended action plan
  • Symantec's NetRecon
  • Network-based scanner
  • Progressive scanner: information obtained from
    one server is applied to another; it learns
    through experience
  • Database of hacker techniques identifying:
  • -- Outdated security patches
  • -- Server misconfigurations
  • -- Vulnerable services enabled
  • -- Open ports
  • -- Buffer overflow vulnerabilities
  • -- Denial of Service (DoS) vulnerabilities
  • Does NOT perform DoS attacks

19
Security Scan and Vulnerability Assessment (SSO
Scripts)
  • Proactive assessment of site vulnerability and
    recommended action plan
  • Proprietary scripts covering techniques that do
    not exist within commercial tools (e.g.
    application-level and URL vulnerabilities)
  • Customized report including an overall risk
    analysis
  • Security report forwarded directly to the client
    (via FedEx)
  • The Digex SSO analyst who performed the test is
    the same POC who provides the after-action
    conference with the client
  • Available one-time or monthly, per the customer's
    schedule

20
Security Investigations / Auditing
  • Ensures the most secure site environment
  • Digex SSO continuously deploys systems auditing
    across all data centers
  • Audit criteria: attack signatures based on data
    obtained from Network IDS logs
  • SSO performs security investigations, reports and
    after-action evaluation based on the systems life
    cycle
  • Security audits are dynamic, evolving with newly
    discovered threats, software weaknesses, etc.

21
Digex Certifications
  • Statement on Auditing Standards No. 70
    (SAS 70) Type I and Type II (July 1, 2000 to
    December 31, 2000)
  • Beltsville, Cupertino (CA) and UK data centers
  • TruSecure Managed Service Provider Certification
  • Digex standard build servers
  • Audited quarterly
  • TruSecure Managed Firewall Certification

22
Code Red - A Security Success Story
  • June 19, 2001
  • -- Digex deploys SMARTUPDATE security advisory to
    clients
  • June 20, 2001
  • -- Digex deploys tested vendor security patch
    MS01-033 to protect client and internal systems
  • -- SSO launches security audits to ensure systems
    are security hardened
  • June 22, 2001
  • -- SSO deploys ADDITIONAL proprietary security
    scripts/techniques to Network IDSes located
    worldwide
  • -- IDSes armed with current alerting/profiling
    mechanisms to recognize threats and exploits
    related to IIS security vulnerabilities

23
Code Red - A Security Success Story
  • July 12, 2001
  • -- Internet and security communities advised of
    the first incarnation of a possible worm
  • -- Worm labeled CODE RED WORM (CRv1)
  • -- Corporations cautioned: the worm infects hosts
    running unpatched versions of Microsoft's IIS
    web server
  • -- SSO continuously profiles IDSes
  • -- NO activity noted at Digex (IDSes continue
    filtering)
  • -- NO customers or internal systems impacted

24
Code Red - A Security Success Story
  • July 16, 2001
  • -- Digex SSO alerted via IDSes
  • -- Numerous external IPs attempting to exploit a
    targeted HOST via the .ida Code Red vulnerability
  • -- SSO responds to alerts and investigates the
    targeted system
  • -- Exploit did NOT penetrate or deface the host;
    the targeted system had been patched June 20,
    2001, which defeated the exploit attempts

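The July 16 alert is what the Snort-style detection described on the Network Intrusion Detection slides looks like in practice: an .ida request whose query string carries the overflow. The following added example (my own code, not a Digex tool) applies that check to a few constructed web-server log lines (addresses from documentation ranges, not real traffic) and tallies attempts per worm family and per source, the kind of count that fed the IP-block rule-sets mentioned on the Security Advisories slide. The padding letters used to tell the families apart (N for CRv1/CRv2, X for Code Red II) come from the public analyses of the worms, not from these slides.

```python
import re
from collections import Counter

# Constructed sample web-server log (not Digex data):
#   date time client-ip "request-line" status
SAMPLE_LOG = """\
2001-07-16 10:02:11 198.51.100.23 "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404
2001-07-16 10:02:14 192.0.2.50 "GET /index.html HTTP/1.0" 200
2001-07-16 10:03:40 203.0.113.9 "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404
2001-07-16 10:05:02 198.51.100.23 "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404
2001-07-16 10:06:30 192.0.2.51 "GET /default.ida HTTP/1.0" 404
"""

LOG_LINE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) "(?P<request>[^"]*)" (?P<status>\d{3})$'
)

# Worm request shape: a GET for an .ida URL whose query string is a long run of
# a single padding letter followed by %uXXXX-encoded bytes (the overflow and
# shellcode). Public analyses distinguished the families by the padding letter:
# N for Code Red v1/v2, X for Code Red II. A plain .ida request without the
# %u-encoded payload carries no exploit and is left alone.
IDA_OVERFLOW = re.compile(
    r"^GET\s+\S*\.ida\?(?P<pad>([A-Za-z])\2{15,})(?P<code>(?:%u[0-9A-Fa-f]{4})+)"
)
VARIANT_BY_PAD = {"N": "Code Red v1/v2", "X": "Code Red II"}


def parse_line(line):
    """Split one log line into its fields, or return None if it does not fit."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def classify(request):
    """Name the worm family behind a Code Red style .ida overflow request, else None."""
    m = IDA_OVERFLOW.match(request)
    if not m:
        return None
    return VARIANT_BY_PAD.get(m.group("pad")[0].upper(), "unknown .ida overflow variant")


def analyze(log_text):
    """Count exploit attempts per worm family and per source address."""
    per_variant, per_source = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        variant = classify(rec["request"])
        if variant is None:
            continue
        per_variant[variant] += 1
        per_source[rec["ip"]] += 1
    return {
        "attempts": sum(per_variant.values()),
        "per_variant": dict(per_variant),
        "per_source": dict(per_source),
    }


def block_candidates(per_source, threshold):
    """Sources at or above `threshold` attempts: input for a firewall block rule-set."""
    return sorted(ip for ip, n in per_source.items() if n >= threshold)


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(report)
    print("block:", block_candidates(report["per_source"], threshold=2))
```

A Snort content rule for the same thing keys on the same two pieces, the `.ida?` URI and the `%u`-encoded bytes that follow the padding; the regex here mirrors that and, unlike a rule on `.ida` alone, does not count a bare `.ida` request as an attempt. The per-source tally is the raw material for a block list, but a threshold should be chosen with the slide's own observation in mind that most attacking addresses belong to victims, so blocks are best kept temporary.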
25
Code Red - A Security Success Story
  • July 17, 2001
  • -- Security reports begin to evolve
  • -- A new worm variant may be circulating, taking
    advantage of the vulnerability detailed in
    MS01-033 (buffer overflow in the IIS .ida Index
    Server ISAPI extension)
  • -- WORM exploits unpatched systems
  • -- Causes web servers/services to stop/restart
  • -- Possible defacement
  • -- May launch attacks from infected IIS systems in
    search of other vulnerable (UNPATCHED) systems

26
Code Red - A Security Success Story
  • July 19, 2001
  • -- CERT releases advisory: at approx. 10:00 GMT a
    random-seed variant of Code Red (CRv2) began to
    infect hosts
  • -- Seemingly minor SEED modification, from CRv1's
    static SEED to CRv2's RANDOM seed
  • -- The SEED modification has a MAJOR impact
  • -- 359,000 systems infected by CRv2 in less than
    14 hours

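Why a one-word change in seeding mattered so much deserves a worked illustration. With a fixed seed, every infected host's pseudo-random generator emits the same sequence, so a thousand infected hosts keep probing the same addresses; with a per-host seed, each host walks its own list and coverage grows with the number of infected hosts. The Python below is an added simulation of that difference (not from the slides, and not a model of the worm's actual generator): the address space, probe counts and static seed value are illustrative assumptions, and CRv2 is modelled simply as each host drawing its own seed.

```python
import random

ADDRESS_SPACE = 1_000_000   # toy address space standing in for IPv4's 2^32
PROBES_PER_HOST = 1_000     # probes each infected host sends before we measure
STATIC_SEED = 0x1234        # illustrative stand-in for CRv1's fixed seed (assumed value)


def probe_set(seed, n_probes=PROBES_PER_HOST, space=ADDRESS_SPACE):
    """Addresses one infected host probes when its PRNG starts from `seed`."""
    rng = random.Random(seed)
    return {rng.randrange(space) for _ in range(n_probes)}


def distinct_targets(n_hosts, static_seed=None, rng_seed=0,
                     n_probes=PROBES_PER_HOST, space=ADDRESS_SPACE):
    """Number of distinct addresses probed by n_hosts infected hosts in total.

    static_seed given -> CRv1 behaviour: every host starts from the same seed,
                         so every host walks the same target list.
    static_seed None  -> CRv2 behaviour: each host draws its own seed (from a
                         seeded generator here, so the run is repeatable).
    """
    seed_source = random.Random(rng_seed)
    covered = set()
    for _ in range(n_hosts):
        seed = static_seed if static_seed is not None else seed_source.getrandbits(32)
        covered |= probe_set(seed, n_probes, space)
    return len(covered)


def expected_distinct(total_probes, space=ADDRESS_SPACE):
    """Expected distinct addresses hit by total_probes independent uniform probes."""
    return space * (1 - (1 - 1 / space) ** total_probes)


def compare(n_hosts):
    """Side-by-side coverage for the static-seed and random-seed scanners."""
    return {
        "hosts": n_hosts,
        "static_seed_distinct": distinct_targets(n_hosts, static_seed=STATIC_SEED),
        "random_seed_distinct": distinct_targets(n_hosts),
        "random_seed_expected": round(expected_distinct(n_hosts * PROBES_PER_HOST)),
    }


if __name__ == "__main__":
    for hosts in (1, 10, 100):
        print(compare(hosts))
```

expected_distinct gives the closed-form expectation for independent uniform probes, so the random-seed run can be checked against it; the static-seed run stays pinned at one host's worth of targets no matter how many hosts are infected, which is why the fixed seed held CRv1 back and the random seed let CRv2 saturate the Internet in hours.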
27
Code Red - A Security Success Story
  • The probe rate of CRv2 on July 19th was so high
    that systems were being infected as the patch for
    the .ida vulnerability was being applied
  • SSO tested the theory with a decoy server
  • The decoy was infected within 3 hours of going
    into production
  • Any device with a web interface could fall prey:
    printers, routers, switches and DSL modems
  • These peripherals were not infected with the
    WORM; they crashed or rebooted when an infected
    server attempted to forward a copy of the worm to
    them

28
Code Red - A Security Success Story
  • August 4, 2001
  • -- An entirely new worm released: CODE RED II
  • -- CODE RED II was completely unrelated to CRv1
    and CRv2, but does contain the string "CodeRedII"
    in its code
  • -- CODE RED II brought with it greater dangers
  • -- Installs a mechanism for remote, root-level
    access
  • -- Does not deface web pages, nor launch DoS
  • -- BUT installs a BACKDOOR allowing ANY code to be
    executed, allowing servers to be used in the
    future for possible DoS launches

29
Code Red - A Security Success Story
  • Customer acceptance of the Digex patch upgrades,
    conducted over a month prior, resulted in zero
    impact to customer site configurations.
  • While Digex remained confident in its server
    patch deployments, security analysts continued
    around the clock to analyze hostile Code Red
    network traffic. Digex security devices captured
    over 209,000 malicious exploit attempts related
    solely to the worm. All of these attempts were
    unsuccessful.

30
Thank You
Open Discussion