INFORMATION SECURITY LAW

1
INFORMATION SECURITY LAW
2
Risk Analysis

• Assets
• Threats
• Vulnerabilities

3
Risk Analysis - Identification of Assets

• Physical assets
• Hardware
• Software purchased or developed programs
• Documentation manuals, administrative
  procedures, etc
• Supplies paper forms, magnetic media, printer
  liquid, etc
• Money, financial assets

4
Identification of Assets Intellectual Capital

• Data and databases
• Client lists and customer information
• Contract and pricing information
• Internal processes and methods of doing business
• Business strategies and plans
• New product development, promotional campaigns
• R D activities
• Other intangibles, such as goodwill,
  organizational structure, employee
  knowledge/expertise

5
Threats and Vulnerabilities

• Threat
• Any circumstance or event with the potential to
  intentionally or unintentionally exploit a
  specific vulnerability in an information system
  or otherwise adversely affect an organizations
  operations or assets

6
Threats and Vulnerabilities

• Vulnerability
• A flaw or weakness in the design or
  implementation of an information system that
  could be intentionally or unintentionally
  exploited to adversely affect an organizations
  operations or assets

7

• Threats and Vulnerabilities The Big Picture

8
The State of Information Security

• Security problems are growing
• Total financial losses doubled in 2003
• Most organizations are not yet equipped to deal
  with security threats
• Growth of the external threat
• New and evolving threats
• 95 of security issues could have been avoided if
  systems were properly configured and patched

CERT 2003 Computer Crime Survey
9
Attacks and Attackers

• Attackers
• Internal or external
• Purpose or motivation of attacker

10
Attackers

• Hackers
• Hacking intentional access without authorization
  or in excess of authorization
• Some are highly skilled, others have less
  technical expertise

11
Attackers

• Script Kiddies
• Use pre-written attack scripts (kiddie scripts)
• Viewed as lamers
• Large numbers make dangerous
• Noise of kiddie script attacks masks more
  sophisticated attacks

12
Attackers

• Criminals, organized crime
• Theft and embezzlement
• Credit card and identity theft
• Stealing trade secrets (intellectual property)
• Extortion

13
Attackers

• Employees (Present Former), Consultants,
  Partners, Vendors and Contractors
• Financial theft
• Theft of trade secrets
• Sabotage

14
Attackers

• Cyberterrorists
• New level of danger
• Infrastructure destruction
• IT Infrastructure
• Use IT to damage physical infrastructure

15
Attackers - Motivation

• Fame or publicity
• Revenge or personal motivation e.g., harm to
  former employers business
• Economic gain (theft, extortion, identity theft,
  industrial espionage)
• Political or ideological - cyberterrorists, spys
  etc.

16
Spy
Thief
Trespasser
Author
Vandal
Script-Kiddie
HobbyistHacker
Expert
Specialist
17
Largest segment by spent on defense
Spy
Largest area by lost
Fastest growing segment
Thief
Trespasser
Largest area by volume
Author
Vandal
HobbyistHacker
Script-Kiddie
Expert
Specialist
18
Attacks and Attackers

• Attacks
• Directed or Random
• Nature of attack - methods/means

19
Types of Attacks
Attacks
Social Engineering -- Opening Attachments Password
Theft Information Theft
Physical Access Attacks -- Wiretapping Server
Hacking Vandalism
Dialog Attacks -- Eavesdropping Impersonation Mess
age Alteration
Penetration Attacks
Malware -- Viruses Worms
Denial of Service
Scanning (Probing)
Break-in
20
Common Types of Attacks

• Denial of service attacks
• Malware
• Hacking/unauthorized access

21
Denial-of-Service (DOS) Attacks

• Attack on availability, prevents legitimate
  users access to a system by flooding the system
  with illegitimate traffic
• Usually act of vandalism
• Threat of DOS can be means of extortion

22
Types of DOS Attacks

• Single-Message DOS Attacks
• Crash a host with a single attack packet
• Flooding DOS Attacks
• Flood host with a series of packets

23
Figure 4-11 Denial-of-Service (DoS) Attacks

• Flooding Denial-of-Service Attacks
• SYN flooding (Figure 4-12)
• Try to open many connections with SYN segments
• Victim must prepare to work with many connections
• Victim crashes if runs out of resources at least
  slows down
• More expensive for the victim than the attacker

24
Figure 4-12 SYN Flooding DoS Attack
SYN
SYN
SYN
SYN
SYN
Attacker Sends Flood of SYN Segments Victim Sets
Aside Resources for Each Victim Crashes or Victim
Becomes Too Overloaded to Respond to the SYNs
from Legitimate Uses
Attacker 1.34.150.37
Victim 60.168.47.47
25
Figure 4-13 Smurf Flooding DoS Attack
Innocent Firm
Echo
4. Echo Replies
Attacker 1.34.150.37
2. Router with Broadcasting Enabled
1. Single
ICMP Echo Message Source IP 60.168.47.47
(Victim) Destination IP Broadcast
3. Broadcast Echo Message
Victim 60.168.47.47
26
Denial-of-Service (DOS) Attacks

• Distributed Denial-of-Service Attack
• Sophisticated DOS attack where attacker takes
  control of hundreds or thousands of computers
  (Zombies) and uses them to launch a coordinated
  attack against a target or multiple targets

27
Figure 4-14 Distributed Denial-of-Service (DDoS)
Attack
Zombie
Handler
Attack Command
Attack Command
Attack Packet
Victim 60.168.47.47
Attacker 1.34.150.37
Attack Packet
Attack Command
Attack Command
Zombie
Attack Packet
Attack Command
Handler
Zombie
28
Malicious Software (Malware)

• Malware Malicious software
• Automated attack robot capable of doing damage
• Contain harmful or benign payloads

29
Types of Malware

• Viruses piece of programming code usually
  disguised that causes unexpected and damaging
  results
• Infect files or system sectors on disk
• Attach themselves to executable programs or to
  disk system sectors (mostly the former)
• Infected file must be executed for virus to be
  able to work

30
Types of Malware

• Worms self-replicating virus that does not alter
  files but resides in active memory and duplicates
  itself
• Generally use parts of operating system that are
  automatic and invisible to the user
• Propagate by themselves between hosts

31
Types of Malware

• Trojan horse program in which the malicious code
  is contained inside apparently harmless
  programming or data
• Malicious scripts programs embedded in a Web
  site that can cause some degree of damage
  (pop-ups, crashing of system)

32
Virus Propogation

• Exchange floppy disks
• IRC, P2P and instant messaging (IM)
• Downloads
• E-mail attachments
• 90 of viruses spread via e-mail attachments today

33
Unauthorized Access/Hacking

• Probing and surveillance techniques
• Scanning, sniffing, fingerprinting, social
  engineering
• Penetration and access
• Password guessing cracking software,
  exploiting known vulnerabilities
• Compromising the information system
• Spyware, keystroke programs, robots

34
Trends in Attacks

• Automation of attack tools
• Sophistication
• Faster discovery of vulnerabilities
• Increasing permeability of firewalls
• Asymmetric threats
• Infrastructure attacks

35
Symantic Internet Security Threat Report (2004)

• Increased threats to e-commerce
• Short time between vulnerability and exploit
• Rise in remotely controlled bots
• Increase in easy-to-exploit vulnerabilities

36
Top Vulnerabilities to Windows Systems

• W1 Internet Information Services (IIS)
• W2 Microsoft SQL Server (MSSQL)
• W3 Windows Authentication
• W4 Internet Explorer (IE)
• W5 Windows Remote Access Services
• W6 Microsoft Data Access Components (MDAC)
• W7 Windows Scripting Host (WSH)
• W8 Microsoft Outlook and Outlook Express
• W9 Windows Peer to Peer File Sharing (P2P)
• W10 Simple Network Management Protocol (SNMP)

37
Top Vulnerabilities to UNIX Systems

• U1 BIND Domain Name System
• U2 Remote Procedure Calls (RPC)
• U3 Apache Web Server
• U4 General UNIX Authentication Accounts with
  No Passwords or Weak Passwords
• U5 Clear Text Services
• U6 Sendmail
• U7 Simple Network Management Protocol (SNMP)
• U8 Secure Shell (SSH)
• U9 Misconfiguration of Enterprise Services
  NIS/NFS
• U10 Open Secure Sockets Layer (SSL)