Current Threats to Corporate Information Security Management PowerPoint PPT Presentation

1
Current Threats to Corporate Information
Security Management
  • YOUNG Wo Sang
  • Program Committee, PISA
  • ws.young_at_pisa.org.hk

2
Two Recent Attacks
  • SirCAM (July 2001)
  • Code Red II (Aug 2001)

3
Top 10 Internet Security Threats
  • Consensus Report 2000
  • SANS, the NIPC, and the Federal CIO Council
  • These aren't the only threats, just the most
    common at the moment. Hopefully we will eliminate
    these threats and create a new list next year.

4
Top 10 Internet Security Threats
  • 1. BIND
  • 2. Vulnerable CGI Programs
  • 3. Remote Procedure Calls (RPC)
  • 4. Microsoft IIS weakness
  • 5. Sendmail Buffer Overflow
  • 6. sadmind (Solaris) and mountd
  • 7. Global file sharing
  • 8. User IDs / Passwords
  • 9. IMAP and POP
  • 10. Default SNMP

5
SirCAM
  • Damage
  • Release or destroy sensitive information
  • Distribution
  • Mass mailing to email addresses found in address
    book
  • Infected computer writes to unprotected Windows
    shares in the network
  • Exploit
  • Global file sharing protected only by weak
    passwords

6
Code Red II
  • Damage
  • Install backdoors on the infected web servers
    that allow any remote attacker to further
    compromise the system
  • Distribution
  • Scan for vulnerable hosts to infect
  • Exploit
  • Buffer overflow in the Index service that comes
    with IIS (installed by default)

7
The Implications 1
  • 1. Self-sufficient and self-learning
  • They do not rely on the email system to spread,
    but scan for the next victim on the network
  • 2. Optimized for high efficiency
  • Code Red II spreads much faster than the previous
    Code Red by using a more intelligent algorithm to
    select victim IP addresses
  • More and more adaptive -- just the start of a
    greater attack
  • 3. Un-patched systems hinder total suppression.

8
The Implications 2
  • 4. Remote Exploit
  • A hacker can run commands on the system without
    having to access it directly.
  • 5. Allow further attack
  • They broadcast to the Internet the servers that
    are vulnerable to these flaws, allowing others to
    further attack the victims by other means
  • 6. Next Victims
  • Hackers will find ways to attack more critical
    components like routers and network equipment

9
Potential Threats 1
  • When the old tricks can win the new game
  • Variants exploiting the same old vulnerability
  • When we break our firewall perimeter
  • Remote VPN, Wireless LAN
  • When the Trust fails
  • Mobile workers, Contractors and Guests

10
Potential Threats 2
  • When one thinks he has done enough
  • I can just reboot the server when the server is
    defaced by the Code Red
  • When Nobody cares about the Others
  • why patch? The infection does not hurt me
  • When it is too late by the time I know

11
Technical Controls
  • Protection
  • Protect network outside firewall as well as
    Inside firewall
  • Control Outgoing connections besides Incoming
    connections
  • Avoid Trojans
  • Avoid spread of worm from infected internal
    machine
  • Wireless LAN: employ a secure channel
  • LAN: control cable taps (hard job!)

12
Technical Controls
  • Protection (cont.)
  • Tighten all access control and password control
    IMMEDIATELY
  • Detection
  • Check server integrity
  • Scan internal network for vulnerabilities
  • Install an Intrusion Detection System
  • Correction
  • Backup and recovery
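Added example, not part of this deck: a small log check for the Code Red II behaviour described on slide 6 (overlong requests to the IIS Index Server .ida filter, then use of the root.exe backdoor it leaves behind), run over constructed IIS W3C log lines. The W3C field order, the query-length threshold and the sample addresses are assumptions; the .ida filter and root.exe paths come from public analyses of the worm.

```python
"""Flag Code Red style probes and backdoor use in IIS W3C extended log lines."""
import re
from collections import Counter

# Assumed field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)
# Assumption: legitimate Index Server queries are short; the worm's
# request carries hundreds of filler bytes in the query string.
MAX_IDA_QUERY = 100
# Copies of cmd.exe that Code Red II drops into web-reachable directories.
BACKDOOR_STEMS = {"/scripts/root.exe", "/msadc/root.exe"}

def classify(line):
    """Return a finding kind for one log line, or None if it looks benign."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    stem, query = m.group("stem").lower(), m.group("query")
    if stem.endswith((".ida", ".idq")) and query != "-" and len(query) > MAX_IDA_QUERY:
        return "ida-overflow-probe"   # exploit attempt against the Index Server filter
    if stem in BACKDOOR_STEMS:
        return "backdoor-access"      # someone driving the shell the worm left behind
    return None

def scan(lines):
    """Return (findings as (line_no, ip, kind), hit count per source ip)."""
    findings, by_ip = [], Counter()
    for n, line in enumerate(lines, 1):
        kind = classify(line)
        if kind:
            ip = LOG_RE.match(line.strip()).group("ip")
            findings.append((n, ip, kind))
            by_ip[ip] += 1
    return findings, by_ip

FILLER = "X" * 224   # constructed padding standing in for the worm's overlong query
SAMPLE_LOG = [        # constructed log lines; addresses are documentation ranges
    "2001-08-05 10:12:01 192.0.2.10 GET /index.htm - 200",
    f"2001-08-05 10:12:07 198.51.100.7 GET /default.ida {FILLER} 200",
    "2001-08-05 10:12:09 198.51.100.7 GET /scripts/root.exe /c+dir 200",
    "2001-08-05 10:13:40 203.0.113.5 GET /default.ida " + "N" * 200 + " 200",
    "2001-08-05 10:14:00 192.0.2.11 GET /search.ida q=quarterly+report 200",
]

if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG)
    for n, ip, kind in found:
        print(f"line {n}: {kind} from {ip}")
    print("hits per source:", dict(counts))
```

A source that first shows an ida-overflow-probe and then backdoor-access against the same server is the sequence the deck warns about: the buffer overflow succeeded and the host is now being used.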

13
Management Controls
  • Server patch management (not easy)
  • Effective Information Asset Management
  • Ongoing Patch Change Management
  • Scan all incoming notebooks (not easy)
  • Manage and Scan Remote PCs (hard!)

14
Detection and Reporting
  • Development of Detection, Analysis, Warning and
    Response Capabilities in corporate and
    governmental environment
  • Crisis Management
  • Legislation framework

15
Lack of Resources and Expertise
  • Outsource Information Security Management

16
Lessons learned
  • Our individual security depends on our mutual
    security
  • The consequences of failure could drive your
    company out of business

17
References
  • Top 10 Internet Security Threats 2000
  • http://www.sans.org/topten.htm
  • Code Red, Code Red II, and SirCAM Attacks
    Highlight Need for Proactive Measures
  • http://www.gao.gov/new.items/d011073t.pdf
  • Code Red II Worm Analysis Update
  • http://www.incidents.org/react/code_redII.php

18
Q &amp; A
  • Thank You