Threats to Information Systems 98-02 - PowerPoint PPT Presentation

1
Information Security Corporate Strategy
Threats to Information Security
Presentation in London, 1998
With Notes on Changes, 2002
Stephen Cobb, CISSP
2
This session: What are the threats?
  • Agenda
  • Terms of reference
  • Statistical and empirical data
  • Examples of information security breaches and
    their effects on companies
  • Putting threats in perspective
  • The main threat categories in more detail

Themes
  • Threats may seem technical, but many defenses
    require non-technical skills
  • Threats are not constant, and may increase when
    times are tight
  • Skills required to deal with these issues are in
    short supply
3
So, what are the information security needs of
the Internet-enabled company?
  • You need to protect the confidentiality,
    integrity and availability of data, given that
  • A. Private data is now travelling on a public
    (untrusted) network
  • B. Your private network is now connected to a
    public (untrusted) network
  • C. Your private network users now have access to
    a public (untrusted) network

4
So who am I to talk about this?
  • First infosecurity book from client perspective,
    1992
  • Certified Information System Security
    Professional
  • Formerly with National Computer Security
    Association
  • Former Director, Miora Systems Consulting (MSC)
  • InfoSec Labs, Rainbow Technologies
  • MSC beat Digital and Entrust in a security
    services RFP competition, April 98; short-listed
    with Coopers & Lybrand, Price Waterhouse and
    Cisco Wheelgroup
  • Involved in a wide range of authorized penetration
    tests with a 100% success rate

5
Statistics from the 5th Annual Information
Security Survey, 1998
  • 73% of European companies report information
    security risks have increased this year
  • Highest security concern:
  • network security (86%)
  • Next highest security concerns:
  • end-user security awareness (80%)
  • winning top management commitment (80%)

Ernst & Young / Computerworld Survey, Global Results
from 29 Countries
6
Perceived security threats
55% of companies lacked confidence that their
systems could withstand an internal attack
-- are these your business partners?
  • Computer terrorists 28%
  • Authorized users 26%
  • Former employees 24%
  • Unauthorized users 23%
  • Contractors 19%

Ernst & Young / Computerworld Survey, Global Results
from 29 Countries
7
Statistics from a 1998 Survey by Computer
Security Institute / FBI
  • 64% of companies had incidents of unauthorized
    use of computer systems within the last 12
    months.
  • More than a third of incidents were from inside.
  • 65% of companies experienced laptop theft.

8
Is it really that bad? YES!
  • Hong Kong Reuters Office Hacked: Traders at 5
    banks lose price data for 36 hours
  • PA Teenager Charged With 5 Counts of Hacking:
    Southwestern Bell, BellCore, Sprint, and SRI hit;
    costs to Southwestern Bell alone exceed $500,000
  • Citibank Hit in $10 Million Hack: Russian hacker
    had inside help. Several $100K not yet recovered.
  • Compaq Ships Infected PCs: Virus Taints Big
    Japanese Debut
  • Computer Attack Knocks Out 3,000 Web Sites: 40
    hour shutdown during busiest shopping season
  • Pair of surveys show 54-58% of companies lost
    money due to computer break-ins in 1996
  • U.S. Government Web Sites Hacked: NASA, Air
    Force, NASA, DoJ, CIA
And these are just the ones that made the news....
9
Experience in the field
  • About 50 information system security penetration
    assignments in the last 18 months
  • 80% of these were corporations, the rest were
    state and local government agencies
  • Some of these clients wanted tests because they
    lacked confidence in their security, but others
    asked because they were confident
  • Number of systems we failed to penetrate: 0
  • Average skill level required: 2 on a scale of 5

10
A closer look at one category: web site hacking
11
Hacked by Trix and Vertex
12
But the military would be tougher, right?
1st Communications Squadron USAF, Langley,
Virginia
13
Why? This one was a protest
14
They were not the only ones
80 more in the first 3 weeks of Feb 98. Then the
hacked site was hacked!
15
But what's the harm?
  • Web servers may be a path to internal systems
  • Web servers may reveal information that can be
    leveraged to access internal systems
  • Lost time, lost customers and confidence
  • Lost revenue (if the site is doing e-commerce)
  • But probably the biggest harm: reputations,
    personal, professional and corporate

16
(No Transcript)
17
We need perspective on these threats
  • Why are we having these problems now?
  • Same old problems, different manifestation?
  • Deep-rooted problems only now coming to light
  • Who is causing these problems?
  • Threat agent assessment
  • Threats vary according to social and economic
    factors, such as redundancies, downsizing

18
That was then --- This is now
Then:
  • Glass house
  • Limited attack points
  • Limited vulnerabilities
  • Trustworthy friends and known enemies
  • Computer knowledge and networks limited
  • Clear motives
Now:
  • Distributed computing
  • Multiple attack points
  • Vulnerable technology
  • The best of friends may not have the best
    security
  • Widespread computer literacy and connectivity
  • Mixed motives

19
Data on the level of threat are hard to find, but we
can ask: Who is likely to be a problem?
  • Sample table of responses from security officers
    -- subject to change due to social and economic
    factors

20
Map threats relative to technical skills and
business knowledge
21
This was an early version of the government's
critical infrastructure protection plan, circa
1998
22
(No Transcript)
23
LANs to WANs, to GANs: problems long postponed
are finally catching up
24
The rush to deploy technology means the wrong
tools are used, and warnings go unheeded
"Don't rely on hidden variables for security."
WWW Security FAQ, 1995
Bank access page, using hidden variables, 1998:
  <FORM ACTION="/cgi-bin/pccgi02.exe/WF000100/ND00JD130538/?NodeId=0000?JobId=130538" METHOD="POST">
  <A NAME="MAIN NEW LOGON"></A>
  <INPUT TYPE=HIDDEN NAME="EWF.SYS.01" VALUE="130538">
  <INPUT TYPE=HIDDEN NAME="EWF.SYS.03" VALUE="MAIN NEW LOGON">
  <INPUT TYPE="HIDDEN" SIZE="10" MAXLENGTH="100" NAME="USERID">
  <INPUT TYPE="HIDDEN" SIZE="10" MAXLENGTH="100" NAME="PASSWORD">
  <INPUT TYPE="HIDDEN" SIZE="10" MAXLENGTH="100" NAME="PHONE_NUMBER">
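An added example, not part of the original slides: a small audit that flags hidden inputs carrying credentials or trust state in a form like the one above (the HTML is a constructed copy modelled on that slide), beside the server-side alternative of HMAC-signing any value that has to be round-tripped through the client so that a client edit is detected. The sensitive-name list and the server key are assumptions.

```python
import hashlib, hmac
from html.parser import HTMLParser

# Constructed fragment modelled on the 1998 bank login form shown on the slide.
CONSTRUCTED_FORM = """
<FORM ACTION="/cgi-bin/pccgi02.exe/WF000100/ND00JD130538/?NodeId=0000?JobId=130538" METHOD="POST">
<INPUT TYPE=HIDDEN NAME="EWF.SYS.01" VALUE="130538">
<INPUT TYPE=HIDDEN NAME="EWF.SYS.03" VALUE="MAIN NEW LOGON">
<INPUT TYPE="HIDDEN" SIZE="10" MAXLENGTH="100" NAME="USERID">
<INPUT TYPE="HIDDEN" SIZE="10" MAXLENGTH="100" NAME="PASSWORD">
<INPUT TYPE="HIDDEN" SIZE="10" MAXLENGTH="100" NAME="PHONE_NUMBER">
</FORM>
"""

# Assumed name fragments that should never sit in a client-editable field.
SENSITIVE_FRAGMENTS = ("USERID", "PASSWORD", "PHONE", "SESSION", "ROLE", "AMOUNT")


class HiddenInputAuditor(HTMLParser):
    """Collects the NAME of every <INPUT TYPE=HIDDEN> in a page."""

    def __init__(self):
        super().__init__()
        self.hidden_names = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag.lower() == "input" and a.get("type", "").lower() == "hidden":
            self.hidden_names.append(a.get("name", ""))


def audit_hidden_fields(html):
    """Return hidden field names that look like credentials or trust state."""
    parser = HiddenInputAuditor()
    parser.feed(html)
    return [n for n in parser.hidden_names
            if any(frag in n.upper() for frag in SENSITIVE_FRAGMENTS)]


def sign_state(value, key):
    """Server-side alternative: bind a round-tripped value (e.g. the JobId) to an
    HMAC tag so a client edit is detected. `key` is an assumed server secret."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_state(token, key):
    """Return the original value only if the tag still matches, else None."""
    value, _, tag = token.rpartition(".")
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None
```

Credentials should never be carried in hidden fields at all; the signing helper is only for non-secret state (such as a job or node id) that genuinely has to round-trip through the browser.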
25
Penetration Plan
  • Gather data
  • Map resources
  • Probe for access
  • Exploit holes
  • Escalate access
  • Execute plans
From Information Warfare: Principles and
Operations, E. Waltz, 1998
26
Threat: viruses
  • Large US bank, assets $50 billion
  • Computer virus brought down operations for 2
    days
  • Infected 90% of the bank's 300 file servers and
    10,000 client workstations across 6 cities in 4
    states.
  • Production data was not damaged, but the company's
    balance sheet was, by at least $400,000.
  • Recent studies show the average cost of recovering
    from a virus incident on a network is $10,000 to
    $15,000
  • But as much as $1 million has been lost in a
    single virus incident!

27
Top 8 Viruses = 54% of Incidents
According to Virus Bulletin and Joe Wells' Wild
List, January 98
28
2002! One Virus = 77% of Incidents
According to Virus Bulletin and Joe Wells' Wild
List, August 2002
29
Other malicious code
  • Logic bomb: dormant code inserted within a larger
    program, the activation of which causes harm (e.g.
    the recent $10 million Omega case)
  • Trojan Horse: a program designed to appear
    legitimate in order to enter a system and execute
    its own agenda (e.g. the AIDS disk)
  • Worm: a program which copies itself many times
    over, hogging space and other resources, without
    permission (e.g. the Internet worm, 1988)
  • Active content (Java, ActiveX)

30
Virus types
  • Boot sector
  • File viruses
  • Multi-partite
  • Macro viruses
  • Virtual (hoax) viruses
  • Miscellaneous

Let's take a look at how a typical computer
virus infection spreads...
[Diagram: Home PC, Office PC and Server on the
Company Network, each marked INFECTED in turn]
31
Threat: insider abuse, a major threat to company
secrets
  • Exploited by competitors
  • American v. Northwest
  • GM and VW
  • Exploited by partners
  • BA v. Virgin
  • others
  • By government agencies
  • sting operations, piracy

Former General Motors employee Lopez allegedly
stole approximately 90,000 text pages of trade
secrets, transferring them from the US to Germany via
GM's intranet, then downloading them onto VW's
computers... It cost Lopez his job. VW paid over
$100 million to GM to settle the case.
32
Do people really do that?
  • Yes, they do! In October 1996, Daniel Worthing
    obtained work at PPG Industries through a
    contract with Affiliated Building Services.
  • He began to stockpile proprietary information,
    including special formulas relating to new
    products such as an experimental fiberglass.
  • When he tried to sell to PPG's competitor,
    Owens-Corning Fiberglass, they turned him in to
    the FBI.
  • He pled guilty to the theft of proprietary
    information. Value? $20 million!

33
Do people really do that?
  • Unauthorized access by employees: 44%
  • Denial of service attacks: 25%
  • System penetration from the outside: 24%
  • Theft of proprietary information: 18%
  • Incidents of financial fraud: 15%
  • Sabotage of data or networks: 14%
1998 CSI/FBI Study
The United States counterintelligence community
has specifically identified the suspicious
collection and acquisition activities of foreign
entities from at least 23 countries.
NACIC 1997 Annual Report on Foreign
Economic Collection and Industrial Espionage
34
2002, and mindless attacks continue
  • Hackers broke into the computer systems belonging
    to a clinic in the UK, altered the medical records
    of 6 patients who had just been screened for
    cancer, and switched test results from negative to
    positive; those patients spent several days
    thinking that they had cancer
  • The night before a patient was due to have a
    brain tumor removed, hackers broke into the
    computer where the tests were stored and
    corrupted the database. Surgery had to be
    postponed while the tests were redone

Source: Richard Pethia, CERT/Software Engineering
Institute (SEI), Pittsburgh
Why? Because We Can
Slogan from DEF CON III Las Vegas, 1995
35
Thank You!
  • Questions?
  • Email me at sc at cobb associates dot com
  • Visit www.cobbassociates.com