Lesson 1 Course Introduction - PowerPoint PPT Presentation

Provided by: Kauf

Transcript and Presenter's Notes

1
Lesson 1: Course Introduction
2
Overview
  • Course Administrivia
  • Info Assurance Review
  • Incident Response

3
IS6973 Special Studies in IS: Incident Response
  • 6:00-7:50 PM
  • Robert Kaufman (rkaufman@utsa.edu)
  • Background
  • Contact information
  • Syllabus and Class Schedule
  • Student Background Information
  • Email

4
Student Background Information
  • Name
  • Phone (opt) and reliable email address
  • IS/CS background
  • Security background
  • Why you are taking this course
  • What do you expect out of this course

5
Administrivia
  • Course Text
    • Incident Response, by Kevin Mandia and Chris Prosise, 2nd Edition
  • Additional References
    • Hacking Exposed, by McClure, Scambray, and Kurtz
    • Cyber Crime Investigator's Field Guide, by Bruce Middleton

6
Administrivia
  • Grades
    • 2 Tests
    • Final
    • 3 Projects
    • Minor Exercises along the way

7
A sampling of activity from a security perspective
  • March 1999 - eBay gets hacked
  • March 1999 - Melissa virus hits the Internet
  • April 1999 - Chernobyl (CIH) virus hits
  • May 1999 - Hackers shut down web sites of the FBI, Senate, and DOE
  • June 1999 - Worm.Explore.Zip virus hits
  • July 1999 - Cult of the Dead Cow (cDc) releases Back Orifice 2000
  • Sept 1999 - Hacker pleads guilty to attacking NATO and Gore web sites
  • Oct 1999 - Teenage hacker admits to breaking into AOL
  • Nov 1999 - BubbleBoy virus hits
  • Dec 1999 - Babylonia virus spreads
  • Feb 2000 - Several major sites experience distributed DoS attacks
  • Feb 2000 - Alaska Airlines site hacked
  • May 2000 - Love Bug virus ravages the net

8
Internet Security Software Market
  • 1997 - $2 Billion
  • 1998 - $3.1 Billion
  • 1999 - $4.2 Billion
  • 2002 - $7.4 Billion (est.)
'97 and '98 figures based on a study released by market research firm
International Data Corp. in Framingham, Mass.; '99 and '02 figures from an
IDC study based on a survey of 300 companies with more than $100 million
in annual revenues.
9
DISA VAAP Results
(chart only: results grouped under Protection, Detection, Reaction)
10
You have to have security, or else
  • 1999 CSI/FBI Computer Crime and Security Survey
  • 521 security practitioners in the U.S.
  • 30% reported system penetrations from outsiders, an increase for the
    third year in a row
  • 55% reported unauthorized access from insiders, also an increase for
    the third year in a row
  • Losses due to computer security breaches totaled $123,779,000 (for the
    163 respondents reporting a loss)
  • Average loss: $759,380

11
Getting Worse
  • 2000 CSI/FBI Computer Crime and Security Survey
  • 643 security practitioners in the U.S.
  • 90% reported computer security breaches within the previous 12 months
  • 70% reported unauthorized use
  • 74% suffered financial losses due to breaches
  • Losses due to computer security breaches totaled $265,589,940 (for the
    273 respondents reporting a loss)
  • Average loss: $972,857

12
...and Worse
  • 2001 CSI/FBI Computer Crime and Security Survey
  • 538 security practitioners in the U.S.
  • 91% reported computer security breaches within the previous 12 months
  • 70% reported their Internet connection as a frequent point of attack
    (up from 59% in 2000)
  • 64% suffered financial losses due to breaches; 35% could quantify
    this loss
  • Losses due to computer security breaches totaled $377,828,700 (for the
    186 respondents reporting a loss)
  • Average loss: $2,031,337

13
Leveling Off?
  • 2002 CSI/FBI Computer Crime and Security Survey
  • 503 security practitioners in the U.S.
  • 90% detected computer security breaches
  • 40% detected penetrations from the outside
  • 80% acknowledged financial losses due to breaches
  • $455,848,000 in losses due to computer security breaches (for the 223
    respondents reporting a loss)
  • 26% reported theft of proprietary info ($170,827,000)
  • 25% reported financial fraud ($115,753,000)
  • 34% reported intrusions to law enforcement
  • 78% detected employee abuse of Internet access privileges, i.e.
    pornography and inappropriate email use
  • Average loss: $2,044,161

14
Computer Security
The prevention and/or detection of unauthorized actions by users of a
computer system.
In the beginning, this meant ensuring privacy on shared systems. Today, the
interesting aspect of security is enabling different access levels.
15
What are our goals in Security?
  • The CIA of security
  • Confidentiality
  • Integrity
    • Data integrity
    • Software integrity
  • Availability
    • Accessible and usable on demand
  • (Authentication)
  • (Nonrepudiation)

16
The root of the problem
  • Most security problems can be grouped into one of the following
    categories:
    • Network and host misconfigurations
    • Operating system and application flaws
    • Deficiencies in vendor quality assurance efforts
    • Lack of qualified people in the field
    • Lack of understanding of/concern for security

17
Computer Security Operational Model
Protection = Prevention + (Detection + Response)
18
Proactive vs. Reactive Models
  • Most organizations only react to security threats, and often those
    reactions come after the damage has already been done.
  • The key to a successful information security program is taking a
    proactive stance toward security threats and attempting to eliminate
    vulnerability points before they can be used against you.

19
So What Happens When Computer Security Fails?
  • Incident Response: A Six-Step Process
  • Preparation (proactive computer security)
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Hot Wash (lessons learned)

20
Resources in the Fight
  • SANS
  • CERT CC
  • FIRST
  • DOE CIAC
  • CERIAS
  • NIST

21
SANS
  • System Administration, Networking, and Security (SANS) Institute
  • Global Incident Analysis Center
  • Security Alerts, Updates, Education
  • NewsBites, Security Digest, Windows Digest
  • Certification
  • http://www.sans.org/

22
Carnegie Mellon CERT CC
  • Computer Emergency Response Team Coordination Center
  • Started by DARPA
  • Alerts and Response Services
  • Training and CERT Standup
  • Clearinghouse
  • http://www.cert.org

23
FIRST
  • Forum of Incident Response and Security Teams
  • Established 1988
  • Government and Private Sector Membership
  • Over 70 Members
  • Coordinate Global Response
  • http://www.first.org

24
DOE CIAC
  • Computer Incident Advisory Capability
  • Established 1989
  • Part of Lawrence Livermore National Laboratory
  • Awareness training and education
  • Trend, threat, and vulnerability data collection and analysis
  • http://ciac.llnl.gov/

25
CERIAS
  • Center for Education and Research in Information Assurance and Security
  • Home of Gene Spafford
  • A "University Center"
  • InfoSec Research and Education
  • Members: Academia, Government, Industry
  • http://www.cerias.purdue.edu/coast/

26
NIST
  • National Institute of Standards and Technology (NIST)
  • Operates the Computer Security Resource Clearinghouse (CSRC)
  • Raising Awareness
  • Multiple Disciplines
  • Main Source of Federal Government Standards
  • http://csrc.ncsl.nist.gov/

29
http://www.caida.org/analysis/security/code-red/newframes-small-log.gif
30
E-Commerce Security Example: Breaking an E-Business
31
Consider this Network
How Can A Hacker Attack?
32-34
Step 1: Attacker exploits a weakness in a CGI script to break through the
firewall and gain shell privileges on the host.
Step 2: Attacker finds the database password in the CGI script and
downloads all account numbers and passwords.
Step 3: Attacker installs NetBus and controls the manager's terminal.
35
Going for the Kill!
  • Customer updates portfolio tracking preferences
  • Customer checks portfolio performance
  • Customer enters account ID and password
  • Customer is authenticated and access is granted
  • Customer buys/sells shares
  • Step 4: Attacker credits an account under their control
  • Investment bank debits/credits the customer's cash account and updates
    portfolios
  • Investment bank notifies the customer with confirmation of the
    transaction
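Steps 1 and 2 of the attack above, as an added example that is not code from the slides or the course: a CGI-style stock lookup handler in Python that pastes a request parameter into a shell command line and keeps the database password in the script itself, beside a hardened version of the same handler. The quotes file, the ticker symbols, the password string and the environment variable name are all constructed for this example.

```python
"""Vulnerable vs. hardened CGI-style lookup (constructed example)."""
import os
import re
import subprocess
import tempfile

# Step 2 on the slide: the database credential lives in the script itself, so
# anyone who can read the script (e.g. via the Step 1 shell) owns the database.
DB_PASSWORD_HARDCODED = "s3cr3t-dbase-pw"      # constructed, deliberately bad

# Hardened: only 1-5 upper-case letters may ever reach the command line.
SYMBOL_RE = re.compile(r"[A-Z]{1,5}")


def make_quote_file():
    """Write a small constructed quotes file for the handler to search."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write("AAPL 101.25\nMSFT 88.10\nIBM 120.00\n")
    return path


def lookup_vulnerable(symbol, quote_file):
    """Step 1 on the slide: the request parameter is interpolated into a shell
    command with no validation. 'AAPL; echo PWNED #' runs a second command as
    the web server user, i.e. shell access on the host behind the firewall."""
    cmd = "grep -w %s %s" % (symbol, quote_file)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                          stdin=subprocess.DEVNULL)   # CGI stdin is the request body
    return proc.stdout


def lookup_hardened(symbol, quote_file):
    """Same lookup with the weakness removed: strict allow-list validation and
    an argument vector handed straight to grep, never through a shell."""
    if not SYMBOL_RE.fullmatch(symbol):
        raise ValueError("invalid symbol: %r" % symbol)
    proc = subprocess.run(["grep", "-w", symbol, quote_file],
                          capture_output=True, text=True, stdin=subprocess.DEVNULL)
    return proc.stdout


def db_password_hardened():
    """Credential supplied by the environment (set by the web server from a
    secrets file outside the web root), not embedded in readable script text.
    QUOTE_DB_PASSWORD is a variable name assumed for this example."""
    pw = os.environ.get("QUOTE_DB_PASSWORD")
    if not pw:
        raise RuntimeError("QUOTE_DB_PASSWORD is not set")
    return pw


def demo(payload="AAPL; echo PWNED #"):
    """Run both handlers on a normal symbol and on an injection payload."""
    path = make_quote_file()
    try:
        normal = lookup_hardened("AAPL", path).strip()
        vulnerable = lookup_vulnerable(payload, path).strip()
        try:
            lookup_hardened(payload, path)
            hardened = "executed"
        except ValueError:
            hardened = "rejected"
    finally:
        os.unlink(path)
    return {"normal": normal, "vulnerable": vulnerable, "hardened": hardened}


if __name__ == "__main__":
    print(demo())
```

Note that moving the password out of the script only helps once Step 1 is closed as well: an attacker who already has a shell as the web server user can read that process's environment too. The two fixes belong together, along with a database account that can do no more than the lookup needs.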
36
So How Many Vulnerabilities Are Out There? Let's See What the CERT CC Says.
37
History LessonThe Art of War, Sun Tzu
  • Lesson for you
  • Know the enemy
  • Know yourself, and in a hundred battles you will never be defeated
  • If ignorant both of your enemy and of yourself, you are certain in
    every battle to be in peril

38
History LessonThe Art of War, Sun Tzu
  • Lesson for the hacker
  • Probe him and learn where his strength is abundant and where deficient
  • To subdue the enemy without fighting is the acme of skill
  • One able to gain victory by modifying his tactics in accordance with
    the enemy situation may be said to be divine

39
Hacker Attacks
  • Intent is for you to know your enemy
  • Not intended to make you a hacker
  • Need to know defensive techniques
  • Need to know where to start recovery process
  • Need to assess extent of investigative environment

40
Anatomy of a Hack
FOOTPRINTING
SCANNING
ENUMERATION
GAINING ACCESS
ESCALATING PRIVILEGE
PILFERING
COVERING TRACKS
CREATING BACKDOORS
DENIAL OF SERVICE
Source: Hacking Exposed, McClure, Scambray, and Kurtz
41
Footprinting
  • Objective
    • Target address range
    • Acquire namespace
    • Information gathering
    • Surgical attack
    • Don't miss details
  • Technique
    • Open source search
    • whois
    • Web interface to whois
    • ARIN whois
    • DNS zone transfer

Source: Hacking Exposed, McClure, Scambray, and Kurtz
42
Scanning
  • Objective
    • Bulk target assessment
    • Determine listening services
    • Focus attack vector
  • Technique
    • Ping sweep
    • TCP/UDP scan
    • OS detection

Source: Hacking Exposed, McClure, Scambray, and Kurtz
43
Enumeration
  • Objective
    • Intrusive probing commences
    • Identify valid accounts
    • Identify poorly protected shares
  • Technique
    • List user accounts
    • List file shares
    • Identify applications

Source: Hacking Exposed, McClure, Scambray, and Kurtz
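The scanning and enumeration steps above as an added Python example (not code from the slides or from Hacking Exposed): a TCP connect scan that records which ports complete a three-way handshake, then grabs whatever banner each open service volunteers and makes a first guess at the application behind it. The target is a constructed fake SMTP listener bound to 127.0.0.1; the ping-sweep step is left out because ICMP needs raw sockets, and the banner prefixes used for the guess are assumptions.

```python
"""TCP connect scan with banner grab against a constructed local service."""
import socket
import threading

FAKE_BANNER = b"220 mail.example.test ESMTP ready\r\n"   # constructed


def _serve_banner(srv, banner):
    """Accept clients until the listener closes; hand each one the banner."""
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:          # listener closed
            return
        with conn:
            try:
                conn.sendall(banner)
            except OSError:
                pass


def start_fake_service(banner=FAKE_BANNER):
    """Bind a listener on an ephemeral loopback port; return the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    threading.Thread(target=_serve_banner, args=(srv, banner), daemon=True).start()
    return srv.getsockname()[1]


def free_closed_port(start=20000, stop=30000):
    """Find a port nothing listens on, below the usual ephemeral range so the
    scanner cannot accidentally self-connect to its own source port."""
    for port in range(start, stop):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind(("127.0.0.1", port))
        except OSError:
            continue
        finally:
            s.close()
        return port
    raise RuntimeError("no free port in range")


def scan_ports(host, ports, timeout=0.5):
    """Connect scan: one full handshake per port, so it needs no privileges but
    shows up in the target's logs. Open ports map to the banner received within
    the timeout (b"" if the service waits for the client to speak first);
    closed or filtered ports (RST, or silence past the timeout) are omitted."""
    found = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            s.close()
            continue
        try:
            banner = s.recv(256)
        except OSError:       # open but silent, e.g. HTTP
            banner = b""
        finally:
            s.close()
        found[port] = banner.strip()
    return found


def guess_service(banner):
    """Crude enumeration from the greeting alone (assumed prefixes)."""
    if banner.startswith(b"SSH-"):
        return "ssh"
    if banner.startswith(b"220") and b"SMTP" in banner.upper():
        return "smtp"
    if banner.startswith(b"220"):
        return "ftp"
    return "unknown"


def demo():
    """Scan one closed and one open loopback port; return what was seen."""
    open_port = start_fake_service()
    closed_port = free_closed_port()
    result = scan_ports("127.0.0.1", [closed_port, open_port])
    return open_port, closed_port, result


if __name__ == "__main__":
    op, cp, res = demo()
    for port, banner in res.items():
        print("%d/tcp open  %s  %r" % (port, guess_service(banner), banner))
```

A SYN (half-open) scan would stop after the SYN/ACK and never complete the handshake, which is quieter but requires raw sockets; the connect scan shown here is what an unprivileged attacker, or a defender checking their own exposure, can run from any host.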
44
Gaining Access
  • Objective
    • Informed attempt to access target
    • Typically user-level access
  • Technique
    • Password sniffing
    • File share brute forcing
    • Password file grab
    • Buffer overflows

Source: Hacking Exposed, McClure, Scambray, and Kurtz
45
Escalating Privilege
  • Objective
    • Gain root-level access
  • Technique
    • Password cracking
    • Known exploits

Source: Hacking Exposed, McClure, Scambray, and Kurtz
46
Pilfering
  • Objective
    • Info gathering to access trusted systems
  • Technique
    • Evaluate trusts
    • Search for cleartext passwords

Source: Hacking Exposed, McClure, Scambray, and Kurtz
47
Covering Tracks
  • Objective
    • Ensure highest access
    • Hide access from system administrator or owner
  • Technique
    • Clear logs
    • Hide tools

Source: Hacking Exposed, McClure, Scambray, and Kurtz
48
Creating Back Doors
  • Objective
    • Deploy trap doors
    • Ensure easy return access
  • Technique
    • Create rogue user accounts
    • Schedule batch jobs
    • Infect startup files
    • Plant remote control services
    • Install monitors
    • Trojanize

Source: Hacking Exposed, McClure, Scambray, and Kurtz
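The back-door techniques above seen from the responder's side, as an added Python example that is not course material: an audit of a constructed /etc/passwd and crontab that flags the traces those techniques leave behind (a second UID 0 account, an account with an empty password field, a home directory in a staging area, a scheduled job that runs from /tmp or spawns a network listener, and an @reboot job standing in for an infected startup file). The file contents and the suspicious-pattern lists are constructed and assumed for the example.

```python
"""Audit constructed passwd/crontab text for back-door indicators."""
import re

# Constructed sample: a normal system plus a few planted entries.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
toor:x:0:0:backup admin:/tmp/.x:/bin/sh
guest::1001:1001:guest:/home/guest:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /tmp/.x/update.sh >/dev/null 2>&1
@reboot nc -l -p 31337 -e /bin/sh
30 2 * * 0 /usr/sbin/logrotate /etc/logrotate.conf
"""

# Assumed indicators: jobs living in staging directories, or invoking
# listener/download tools (matched as whole words to avoid e.g. "sync").
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
SUSPICIOUS_TOOLS = re.compile(r"\b(nc|ncat|netcat|wget|curl)\b|/dev/tcp/")


def audit_passwd(text):
    """Return (indicator, account) pairs for rogue or weakened accounts."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("malformed-entry", line))
            continue
        name, pw, uid, _gid, _gecos, home, _shell = fields
        if uid == "0" and name != "root":
            findings.append(("uid0-alias", name))        # a second root
        if pw == "":
            findings.append(("empty-password", name))    # no shadow entry consulted
        if home.startswith(SUSPICIOUS_DIRS):
            findings.append(("home-in-tmp", name))
    return findings


def audit_crontab(text):
    """Return (indicator, line) pairs for scheduled jobs worth a second look."""
    findings = []
    for line in text.splitlines():
        job = line.strip()
        if not job or job.startswith("#"):
            continue
        if job.startswith("@reboot"):                  # survives restarts
            findings.append(("reboot-job", job))
        if any(d in job for d in SUSPICIOUS_DIRS) or SUSPICIOUS_TOOLS.search(job):
            findings.append(("suspicious-command", job))
    return findings


def demo():
    """Audit the constructed samples; returns findings per file."""
    return {"passwd": audit_passwd(SAMPLE_PASSWD),
            "crontab": audit_crontab(SAMPLE_CRONTAB)}


if __name__ == "__main__":
    for area, items in demo().items():
        for kind, what in items:
            print("%-8s %-18s %s" % (area, kind, what))
```

On a real host the same checks belong on every user's crontab, on /etc/cron.d, rc scripts and shell startup files, and the results should be compared against a known-good baseline taken during the Preparation step rather than judged on their own.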
49
Denial of Service
  • Objective
    • If unable to escalate privilege, then kill
    • Build DDoS network
  • Technique
    • SYN flood
    • ICMP attacks
    • Identical src/dst SYN requests (Land attack)
    • Out-of-bounds TCP options
    • DDoS

Source: Hacking Exposed, McClure, Scambray, and Kurtz
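The SYN flood and the identical src/dst SYN technique above from the detection side, as an added Python example that is not from the slides or from Hacking Exposed: a parser for constructed, tcpdump-like TCP header summaries, a check for segments whose source and destination socket are identical, and a per-destination SYN-flood detector that flags a burst of half-open connections from many sources when almost none of them complete the handshake. The log format, the addresses and the thresholds are constructed and assumed.

```python
"""Detect Land packets and SYN floods in constructed TCP header summaries."""
import re
from collections import defaultdict

# Constructed format: "<seconds> <src>:<sport> > <dst>:<dport> [<flags>]"
LINE_RE = re.compile(
    r"^(?P<t>\d+\.\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+\[(?P<flags>[A-Z]+)\]$")


def parse(lines):
    """Parse summaries into dicts; lines that do not match are skipped."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["t"] = float(d["t"])
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        pkts.append(d)
    return pkts


def detect_land(pkts):
    """Land attack: a SYN whose source and destination socket are identical,
    which vulnerable stacks answered by talking to themselves until they hung."""
    return [p for p in pkts if p["flags"] == "S"
            and p["src"] == p["dst"] and p["sport"] == p["dport"]]


def detect_syn_flood(pkts, window=1.0, min_syns=20, max_complete=0.2):
    """Per destination socket and time window: count client sockets that sent
    a bare SYN and how many of them later sent an ACK (handshake completed).
    Many SYNs with a low completion rate is the flood signature, because
    spoofed sources never answer the SYN/ACK."""
    syns = defaultdict(set)       # (dst, dport, bucket) -> {(src, sport)}
    acks = defaultdict(set)
    for p in pkts:
        key = (p["dst"], p["dport"], int(p["t"] // window))
        client = (p["src"], p["sport"])
        if p["flags"] == "S":
            syns[key].add(client)
        elif p["flags"] == "A" and client in syns.get(key, ()):
            acks[key].add(client)
    alerts = []
    for key, clients in syns.items():
        done = len(acks.get(key, ()))
        if len(clients) >= min_syns and done / len(clients) <= max_complete:
            alerts.append({"dst": key[0], "dport": key[1], "window": key[2],
                           "syns": len(clients), "completed": done})
    return alerts


def constructed_sample():
    """Constructed traffic: three clean handshakes each to ports 443 and 80,
    a 50-packet spoofed SYN burst at port 80, and one Land packet at 139."""
    lines, t = [], 0.0
    for dport, first_host in ((443, 10), (80, 20)):
        for i in range(3):
            c, cp = "10.0.0.%d" % (first_host + i), 40000 + i
            lines.append("%.3f %s:%d > 192.0.2.10:%d [S]" % (t, c, cp, dport))
            lines.append("%.3f 192.0.2.10:%d > %s:%d [SA]" % (t + 0.001, dport, c, cp))
            lines.append("%.3f %s:%d > 192.0.2.10:%d [A]" % (t + 0.002, c, cp, dport))
            t += 0.01
    for i in range(50):
        s, sp, ts = "198.51.100.%d" % (i + 1), 1024 + i, 0.2 + i * 0.01
        lines.append("%.3f %s:%d > 192.0.2.10:80 [S]" % (ts, s, sp))
        lines.append("%.3f 192.0.2.10:80 > %s:%d [SA]" % (ts + 0.001, s, sp))
    lines.append("0.900 192.0.2.10:139 > 192.0.2.10:139 [S]")
    return lines


if __name__ == "__main__":
    pkts = parse(constructed_sample())
    print("land:", detect_land(pkts))
    print("syn flood:", detect_syn_flood(pkts))
```

Port 443 sees three SYNs that all complete and is never reported; port 80 sees 53 SYNs of which only three complete and is flagged. The thresholds are deliberately low for the sample; on a busy server they would be tuned to the normal SYN rate observed during Preparation, and a real detector would also watch the server-side backlog rather than packet counts alone.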
50
Hacker Exploits per SANS
RECONNAISSANCE
SCANNING
EXPLOIT SYSTEMS
KEEPING ACCESS
COVER TRACKS
Source: SANS Institute
51
Hacking Summary
  • Hacking on the rise
  • Hacktivism
  • New crime vector
  • Loose international laws
  • Tools automated and readily available
  • Blended Threats
  • Multi-axis attacks
  • Automated Zombies