Cyber Security - PowerPoint PPT Presentation

Title: Cyber Security
Slides: 57
Provided by: johnc204

Transcript and Presenter's Notes

1
Cyber Security: Infrastructure Protection

FBI Philadelphia Division, Special Agent John B. Chesson
2
Cyber Terrorism
3
Potential Cyber Attacks
  • Unauthorized Intrusions
  • Website Defacements
  • Domain Name Server Attacks
  • Distributed Denial of Service (DDoS) Attacks
  • Computer Worms
  • Routing Operations
  • Critical Infrastructures
  • Compound Attacks

4
Infrastructure Protection: A New Threat Paradigm
  • Cyberspace: the Infrastructure behind Critical
    Infrastructure
  • Critical infrastructure sectors (slide list;
    sectors 1-8 are not in the transcript):
    9. Manufacturing  10. Food & Agriculture
    11. Chemicals and Hazardous Materials
    12. Defense Industry  13. Public Health
  • The New Threat: Anyone with a Computer
5
Potential Sources of Attacks
  • Thrill Seekers
  • Disgruntled Employees
  • Organized Crime
  • Terrorist Sympathizers and Anti-U.S. Hackers
  • Terrorist Groups
  • Nation-States

6
Thrill Seekers
  • No political motives
  • Seeking notoriety / bragging rights
  • Nuisance attacks using pre-fabricated tools and
    exploits
  • Potential for serious disruptions and monetary
    damage

7
Terrorist Sympathizers and Anti-U.S. Hackers
  • Extremist Muslim groups and known hacker groups
    (G-Force Pakistan, Pakistan Hackerz Club)
  • Anti-Israeli groups
  • Anti-capitalism and anti-globalization movement
  • Chinese hackers

8
Terrorist Groups
  • Terrorist groups are using information technology
  • Terrorists possess the will and can easily obtain
    the means to attack IT targets
  • Potential for major cyber attacks is very high

9
Cyber Capabilities
  • Cyber Attacks
  • Osama bin Laden allegedly gave a statement:
    "hundreds of young men had pledged to him that
    they were ready to die and that hundreds of
    Muslim scientists were with him and who would use
    their knowledge in chemistry, biology and (sic)
    ranging from computers to electronics against the
    infidels."
  • Mapping US vulnerabilities
  • Compound Attacks: most dangerous

10
Nation States: China
  • "Our country needs to go all-out to develop
    high-quality internet warriors. That should
    include development in exclusive universities as
    well as attracting private computer users to take
    part in internet combat."
    (Liberation Army Daily)
  • China views information operations/information
    warfare (IO/IW) as a strategic weapon for use
    outside of traditional operational boundaries.
  • China is particularly sensitive to the potential
    asymmetric applications IO/IW can have in any
    future conflict with a technologically superior
    adversary.
  • Kosovo and the Chinese Embassy strike in Belgrade
  • US / China reconnaissance incident
  • Impact of technology in the war on terrorism
    (Afghanistan)

11
Many Potential Cyber Threats
  • Unstructured Threats
      • Insiders
      • Recreational Hackers
      • Institutional Hackers
  • Structured Threats
      • Organized Crime
      • Industrial Espionage
      • Hacktivists
  • National Security Threats
      • Terrorists
      • Intelligence Agencies
      • Information Warriors

12
Network Security Challenges
  • Remote system access achieved in seconds
  • Attackers seek access to computing resources
  • Series of remote systems compromised (attacks
    chained through intermediate hosts)
  • Firewalls are not enough
  • Intrusions from foreign countries
  • Network security skills and resources in short
    supply

13
Attack Sophistication vs. Intruder Technical
Knowledge
(Chart, reconstructed from the slide labels: the
vertical axis runs Low to High for both attack
sophistication and the technical knowledge an
intruder needs; the horizontal axis runs 1980, 1985,
1990, 1995, 2000. Over time the sophistication of the
tools rises while the knowledge required of the
attacker falls. Techniques plotted, approximately in
timeline order: password guessing, self-replicating
code, password cracking, exploiting known
vulnerabilities, disabling audits, back doors,
hijacking sessions, sweepers, sniffers, packet
spoofing, GUI tools, automated probes/scans, www
attacks, DoS, stealth / advanced scanning techniques,
network mgmt. diagnostics, burglaries.)
14
Current Cyber Attack Trends: CERT warns of
automated attacks
  • Freely available tools exploit vulnerabilities
    as part of the scanning process
  • Capable of self-initiation
  • Well-managed, coordinated, global-scale attacks
  • Tools like Sobig self-propagate to global
    saturation in 28 minutes.
  • IRC and IM are popular attack coordination tools.
  • Signature-based protection systems (anti-virus
    and IDS) are ineffective against the new
    polymorphic attacks
  • IRC and HTTP are being used to disguise malicious
    code as legitimate network traffic

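The "polymorphic attacks" bullet above is worth seeing in code. The following Python is an added example, not material from the presentation: a constructed marker string stands in for malicious content, a one-byte-key XOR encoder stands in for a polymorphic engine (the encoder format, the marker and the function names are all assumptions for this illustration), and two scanners are compared. A plain byte-signature scanner misses every re-encoded copy because no fixed byte sequence survives the encoding; a scanner that undoes the encoding before matching still finds it.

```python
import os

# Constructed marker standing in for malicious content; a real signature would
# be a byte sequence extracted from a known sample.
SIGNATURES = {"demo-marker": b"DEMO_MALICIOUS_MARKER_v1"}


def signature_scan(blob: bytes, signatures=SIGNATURES) -> list:
    """Classic signature matching: report every signature found verbatim in blob."""
    return sorted(name for name, sig in signatures.items() if sig in blob)


def make_variant(payload: bytes, key: int) -> bytes:
    """Produce one variant of payload: a one-byte key header followed by the
    body XOR-encoded with that key (assumed encoder format for this example).
    Each key yields a different byte sequence, so no fixed signature survives."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 would leave the body unchanged)")
    return bytes([key]) + bytes(b ^ key for b in payload)


def random_variant(payload: bytes) -> bytes:
    """What a polymorphic engine does on every copy: pick a fresh key."""
    return make_variant(payload, 1 + os.urandom(1)[0] % 255)


def unpack_and_scan(blob: bytes, signatures=SIGNATURES) -> list:
    """Decoder-aware scan: besides matching the raw bytes, try every possible
    one-byte key on the body and match the decoded result, so the signature is
    checked against what the payload looks like after it unpacks itself."""
    hits = set(signature_scan(blob, signatures))
    body = blob[1:]
    for key in range(256):
        decoded = bytes(b ^ key for b in body)
        hits.update(signature_scan(decoded, signatures))
    return sorted(hits)


def demo(rounds: int = 10) -> dict:
    """Generate several random variants and count what each scanner catches."""
    payload = b"benign-looking header " + SIGNATURES["demo-marker"] + b" trailer"
    variants = [random_variant(payload) for _ in range(rounds)]
    return {
        "plain_scan_on_original": signature_scan(payload),
        "plain_scan_hits_on_variants": sum(1 for v in variants if signature_scan(v)),
        "unpacking_scan_hits_on_variants": sum(1 for v in variants if unpack_and_scan(v)),
    }


if __name__ == "__main__":
    print(demo())
```

A real polymorphic engine also rewrites its decoder stub on every copy, which is why production scanners rely on emulation or generic unpacking before matching, and increasingly on behaviour rather than bytes; the brute-force decode here is the smallest version of that idea.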
15
Types of Attacks
  • Viruses
  • Worms
  • Trojans
  • Denial of Service
  • Computer Intrusions

16
Viruses/Worms/Trojans
  • The Love Bug
      • Estimated to have impacted 45 million users
        in 20 different countries
      • $10 billion in damage in two days
      • Initiated in the Philippines: no cyber crime
        legislation, no extradition
  • Anna Kournikova
      • Virus in an e-mail attachment: Visual Basic
        Script disguised as a .jpg image
      • Built with the VBS Worm Generator kit, freely
        available from the Internet
  • Code Red v1, v2, Code Red II
  • W32/MyParty Worm
  • Bugbear Worm
17
Denial of Service Attacks
  • A well-documented vulnerability
  • Victim computer(s) have not been compromised
  • Victim computer is simply overwhelmed with
    traffic: ICMP floods, SYN floods, etc.
  • Code Red's attack on WhiteHouse.Gov
  • Distributed Denial of Service: more traffic,
    harder to trace
  • You have no control

18
Computer Intrusion: Typical Methodology
(Flow diagram, reconstructed from the slide labels)
  1. Locate system to attack
  2. Scanning
  3. Gain user access
  4. Gain privileged access (root), e.g. via buffer
     overflow
  5. Install backdoors: sniffers, create root users
  6. Cover tracks: corrupt log files, erase log files
  7. Take or alter information, attack other hosts,
     engage in other unauthorized activity
19
OPERATION CYBERLOSS
www.ic3.gov
20
Case flow (slides 20-22): through a hack/intrusion,
a subject in Eastern Europe obtains customer account
and credit information.
21
Using IRC chat rooms, the subject recruits college
students to assist in the scam.
22
Orders for merchandise are placed using the stolen
account information; the merchandise is shipped to
the co-conspirators.
23
OPERATION CYBERLOSS: MAY 2001
  • 26 FBI field offices and numerous other federal
    agencies
  • 32 state and local law enforcement agencies
  • Involved 57,662 victims and over $118,000,000 in
    losses
  • 61 cases
  • Individual cases ranged from a $2,025 loss to a
    $50,000,000 aggregate loss
  • Auction fraud, hacking, ID theft, software piracy

www.ic3.gov
24
Where are they learning to do that?
25-30
(Image-only slides; no transcript)
31
Philadelphia's Wireless Web
  • This image is from the WiFiMaps.com web site.
  • http://www.wifimaps.com

32
(Image-only slide; no transcript)
33
Virus Creation Kits
34
Virus Exchange Web Site
35
On-Line Resources
  • Federal Bureau of Investigation
  • http://www.ic3.gov/
  • (formerly www.ifccfbi.gov/)
  • U.S. Department of Justice
  • Computer Crime and Intellectual
  • Property Section
  • http://www.usdoj.gov/criminal/cybercrime

36
On-Line Resources (continued)
  • CERT/CC
  • http://www.cert.org
  • located at the Software Engineering Institute
  • Federally funded research and development center
    operated by Carnegie Mellon University.
  • 2/18/2002 SNMP Vulnerability report
  • CIAC
  • http://ciac.llnl.gov/ciac/
  • Located at Lawrence Livermore National Labs
  • Federally funded by U.S. D.O.E.
  • SANS
  • http://www.sans.org
  • Non-profit educational network security
    consortium
  • Offers training and certification courses

37-38
(Image-only slides; no transcript)
39
Network Security Basics
  • Develop a written Network Security Policy
  • Coordinate with Legal, Security, and IT
    Departments
  • Conduct Routine Network Security Audits
  • Maintain and review Network Server and Router
    logs
  • Use Intrusion Detection Software (IDS)
  • Regularly backup and archive all critical files
  • Investigate network irregularities completely
  • Use Access Control Lists and Encryption
  • If Attacked, notify Law Enforcement quickly

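"Maintain and review server and router logs" is only useful if the review actually looks for the attack patterns the earlier slides describe (scanning, password guessing, SYN floods). The Python below is an added example, not from the presentation: it runs three simple detection rules over constructed log lines. The line formats (iptables-style kernel DROP lines with SRC/DST/DPT fields, and OpenSSH "Failed/Accepted password" lines), the thresholds and the sample addresses are assumptions for this illustration; adjust the regular expressions to your own log sources.

```python
import re
from collections import defaultdict

# Field layouts assumed for this example: iptables-style kernel log lines and
# OpenSSH "Failed/Accepted password" lines. Adjust the patterns for other formats.
FW_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dport>\d+)(?P<flags>.*)$"
)
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+)"
)

SCAN_PORTS = 10        # distinct destination ports from one source -> scan
BRUTE_FAILURES = 5     # failed logins from one source -> password guessing
FLOOD_SOURCES = 25     # distinct sources sending bare SYNs to one service -> flood


def fw_line(src, dst, dport, flags="SYN"):
    return f"Jan 10 03:14:01 fw kernel: DROP IN=eth0 SRC={src} DST={dst} PROTO=TCP DPT={dport} {flags}"


def ssh_line(result, user, src, port):
    return f"Jan 10 03:15:02 srv sshd[4242]: {result} password for {user} from {src} port {port} ssh2"


# Constructed sample log: one port scan, one password-guessing run that ends in a
# successful login, one SYN flood from spoofed sources, plus benign noise.
SAMPLE_LOG = (
    [fw_line("203.0.113.5", "192.0.2.10", p) for p in range(21, 41)]
    + [ssh_line("Failed", "root", "203.0.113.7", 4400 + i) for i in range(6)]
    + [ssh_line("Accepted", "admin", "203.0.113.7", 4406)]
    + [fw_line(f"198.51.100.{i}", "192.0.2.10", 80) for i in range(1, 41)]
    + [fw_line("203.0.113.9", "192.0.2.10", 443, "SYN ACK"),
       ssh_line("Failed", "bob", "203.0.113.8", 5000)]
)


def detect_port_scans(lines, threshold=SCAN_PORTS):
    """Sources that touched at least `threshold` distinct ports on one host."""
    ports = defaultdict(set)
    for line in lines:
        m = FW_RE.search(line)
        if m:
            ports[(m["src"], m["dst"])].add(int(m["dport"]))
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= threshold}


def detect_password_guessing(lines, threshold=BRUTE_FAILURES):
    """Sources with repeated failed logins; records a later success from the
    same source, which needs incident handling rather than just a block rule."""
    failures = defaultdict(int)
    success_after = {}
    for line in lines:
        m = SSH_RE.search(line)
        if not m:
            continue
        if m["result"] == "Failed":
            failures[m["src"]] += 1
        elif failures[m["src"]] >= threshold:
            success_after[m["src"]] = m["user"]
    return {src: {"failures": n, "login_after_failures": success_after.get(src)}
            for src, n in failures.items() if n >= threshold}


def detect_syn_floods(lines, threshold=FLOOD_SOURCES):
    """Services receiving bare SYNs (no ACK) from at least `threshold` distinct
    sources: many half-open connections and no completed handshakes."""
    sources = defaultdict(set)
    for line in lines:
        m = FW_RE.search(line)
        if m and "SYN" in m["flags"] and "ACK" not in m["flags"]:
            sources[(m["dst"], int(m["dport"]))].add(m["src"])
    return {svc: len(s) for svc, s in sources.items() if len(s) >= threshold}


def review(lines):
    """Run all three rules and return their findings in one dictionary."""
    return {"port_scans": detect_port_scans(lines),
            "password_guessing": detect_password_guessing(lines),
            "syn_floods": detect_syn_floods(lines)}


if __name__ == "__main__":
    for rule, findings in review(SAMPLE_LOG).items():
        print(rule, findings)
```

The counts are deliberately stateless; in production each rule would run over a sliding time window and the thresholds would be tuned against the site's normal traffic, but the shape of the logic (group by source or by service, count distinct ports or sources, watch for a success after many failures) is the same.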
40
When to contact Law Enforcement?
  • Computer facilitated (non-intrusion)
      • E-mail extortions
      • Child pornography
      • Fraud / Theft (IFCC) www.ifccfbi.gov
  • Computer Intrusion (18 U.S.C. § 1030)
      • Unauthorized access, or exceeding authorized
        access, to a protected computer
      • National security
      • Denial of Service attacks
      • Data alteration or destruction
      • Theft of intellectual property
      • Worm and virus attacks
      • Web defacement or Website redirects

41
You've just been hacked.
  • What should you do?
  • What should you NOT do?

42
What You Should Do If Attacked
  • Notify corporate security and legal counsel
  • Think about:
      • Protecting yourself (Mission Critical vs.
        Proprietary Data)
      • Catching the perpetrator
  • Activate your incident management team
      • Created PRIOR to any incident
      • One person in charge
      • One person responsible for evidence
  • Keep a chronological log of events

43
What To Do (continued)
  • Activate all available audit trails and logging.
      • What logs were active at the time of the
        attack?
  • Begin keystroke monitoring.
      • Banner in place? (consent to monitoring; see
        the sample banner on slide 48)
  • Identify and recover available evidence.
      • System log files, system images,
        altered/damaged files, intruder's files,
        network logs (IDS, routers, SNMP, etc.),
        traditional evidence.
  • Secure evidence and maintain simple
    chain-of-custody records.

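Slide 18 lists "corrupt log files / erase log files" as a standard intruder step, and slides 42 and 43 ask for a chronological incident log and chain-of-custody records. The Python below is an added example, not from the presentation, of one way to make that record tamper-evident: every entry is hashed together with the previous entry's hash, and evidence items are recorded by SHA-256. Deleting, reordering or editing an entry breaks the chain; truncating the end is caught only if the current head hash was written somewhere the intruder cannot reach (the paper custody form, counsel's copy). The handler names, timestamps and evidence bytes are constructed for the illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # link value for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(prev_hash: str, fields: dict) -> str:
    """Hash of an entry bound to its predecessor: canonical JSON of the fields
    (which include 'prev') prefixed by the previous entry's hash."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(prev_hash.encode() + canonical)


class CustodyLog:
    """Append-only incident / chain-of-custody log protected by a hash chain."""

    def __init__(self):
        self.entries = []

    def record(self, when, handler, action, item, evidence=None, note=""):
        """Append one event. If the evidence bytes are supplied, their SHA-256 is
        stored so a later handler can prove the item is unchanged."""
        fields = {
            "seq": len(self.entries),
            "when": when,
            "handler": handler,
            "action": action,
            "item": item,
            "sha256": sha256_hex(evidence) if evidence is not None else None,
            "note": note,
            "prev": self.head(),
        }
        fields["hash"] = entry_hash(fields["prev"], fields)
        self.entries.append(fields)
        return fields["hash"]

    def head(self) -> str:
        """Current chain head. Copy it onto the paper custody form or give it to
        counsel: that external copy is what makes truncation detectable."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Recompute every link and hash. Returns (ok, [(index, problem), ...])."""
        problems = []
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i:
                problems.append((i, "sequence gap"))
            if e["prev"] != prev:
                problems.append((i, "broken link to previous entry"))
            if entry_hash(e["prev"], body) != e["hash"]:
                problems.append((i, "entry modified"))
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            problems.append((len(self.entries), "head differs from externally recorded head"))
        return (not problems, problems)


def build_sample_log() -> CustodyLog:
    """Constructed evidence-handling sequence for a seized server image."""
    disk_image = b"constructed stand-in for a forensic disk image"
    log = CustodyLog()
    log.record("2001-05-10T09:00Z", "J. Doe (IT)", "acquired", "srv01 disk image",
               evidence=disk_image, note="imaged with write blocker")
    log.record("2001-05-10T09:30Z", "J. Doe (IT)", "sealed", "srv01 disk image",
               note="evidence bag #1")
    log.record("2001-05-10T14:00Z", "A. Agent (FBI)", "received", "srv01 disk image",
               evidence=disk_image)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    head = log.head()
    print("intact:", log.verify(head))
    del log.entries[1]          # an intruder "cleans" the middle of the log
    print("after erasure:", log.verify(head))
```

Keep the log itself on a host the intruder does not control (a separate logging box or write-once media) and record the head hash on paper at each hand-off; the chain then proves the order and content of events even if the compromised system is later found to be untrustworthy.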
44
What To Do (continued)
  • Identify source(s) of the attack.
  • Record specific damages and losses (important for
    prosecution).
  • Prepare for repeat attacks.
      • Protecting Mission Critical vs. Proprietary
        Data
  • Theorize: nobody knows your system like you.
      • Determine how the intrusion happened.
      • Identify possible subjects and motives.
  • Call law enforcement, but be patient.

45
What NOT To Do
  • Do NOT use the compromised systems before
    preserving any evidence.
  • Do not make assumptions as to Federal
    jurisdiction or prosecutorial merit.
  • Do not assume that by ignoring the incident, or
    damage to your files, that it will go away.
  • Do not correspond via E-mail on a compromised
    network regarding the incident or the
    investigation.

46
What to Expect if you call the FBI
  • Agents will interview staff and obtain evidence
  • Obtain prosecutive opinion
  • Trace the attack (subpoenas, 2703(d) orders,
    sources)
  • Identify the subject(s)
  • Obtain/execute search warrants, interview
    subjects
  • Examine evidence, identify more victims, develop
    more leads
  • Obtain Federal Grand Jury indictment
  • Arrest and possible trial
  • Disclosure issues: what remains confidential vs.
    what becomes public
47
What to Expect if you call the FBI (continued)
  • Possible plea bargaining
  • Possible trial
  • Sentencing (upon conviction)
  • Restitution

These steps do NOT occur quickly!
48
Self Defense in the Current Environment: What Can
You Do Today?
Sample Banner
  • This is a ___________ computer system. Before
    processing classified and/or sensitive but
    unclassified information, check the security
    accreditation level of this system. Do not
    process, store, or transmit information
    classified above the accreditation level of this
    system. This computer system, including all
    related equipment, networks, and network devices
    (including Internet access) are provided only for
    authorized ___________ use. _________ computer
    systems may be monitored for all lawful purposes,
    including to ensure their use is authorized, for
    management of the system, to facilitate
    protection against unauthorized access, and to
    verify security procedures, survivability, and
    operational security. Monitoring includes, but
    is not limited to, active attacks by authorized
    __________ entities to test or verify the
    security of the system. During monitoring,
    information may be examined, recorded, copied,
    and used for authorized purposes. All
    information, including personal information,
    placed on or sent over this system may be
    monitored. Use of this __________ computer
    system, authorized or unauthorized, constitutes
    consent to monitoring. Unauthorized use of this
    __________ computer system may subject you to
    civil litigation and/or criminal prosecution.
    Evidence of unauthorized use collected during
    monitoring may be used for administrative,
    criminal or other adverse action. Use of this
    system constitutes consent to monitoring for all
    lawful purposes.

49
Self Defense in the Current Environment: What Can
You Do Today?
  • Increase logging and filtering
  • Protect your data according to its value / use
    (Proprietary vs. Mission Critical)
  • Understand your defenses (flexible vs. rigid)
  • Make use of warning banners
  • Develop a patch management protocol
  • Establish an Incident Management Plan / Team;
    include critical incident scenarios
  • Know your I.T. staff personally; it will matter
  • Join your local chapter of InfraGard

50
What is InfraGard?
  • Government/law enforcement alliance with private
    industry
  • To promote protection of critical information
    systems
  • Provides formal and informal channels for the
    exchange of information about infrastructure
    threats and vulnerabilities

51
InfraGard Membership
  • Representatives from private industry, government
    agencies, academic institutions, state and local
    law enforcement
  • Membership requirements (no cost)
      • Sign membership agreement
      • Ethics/confidentiality pledge
      • FBI criminal records check

52
http://www.infragard.net/
53
www.infragardphl.org
54
Cyber Incident Detection and Data Analysis Center
(CIDDAC)
  • Sharing serious cyber threat data to defend
    against cyber attacks threatening our national
    critical infrastructure

55
Cyber Threat Picture: Current Obstacles to Timely,
Accurate Reporting
(Diagram, reconstructed from the slide labels.
Title: "Current Cyber Incident Reporting". Parties
shown: the Victim Corporation (Executives, IT Staff,
Security), Law Enforcement, and Government / National
Infrastructure Protection (NIP), with "FBI ?",
"DHS ?" and "DOD ?" as uncertain reporting targets.
Concerns shown on the corporate side: Asset
Protection, Legal Liability, Market Perception,
Technical Expertise, Training, Analysis Tools, IDS.
Event sequence shown: Intrusion, Something Breaks,
Anomaly Noticed, Trouble Shoot, Repair, Investigate,
Detection, Analysis, Response, Warning, Notification,
Intelligence Base, Attacker Skill Level. Question
posed by the slide: Who has the big picture?)
56
External Services on a Network Vulnerable to
Attack
(Diagram, reconstructed from the slide labels: the
participant's perimeter network hosts the company's
Mail, Web and FTP services alongside a CIDDAC
Real-time Cyber Attack Detection Sensor (RCADS),
separated from the company's mission-critical
network. The sensor offers normal-looking company
services (Mail, Web, FTP) but carries no legitimate
network traffic, so any connection to it is suspect;
it reports to CIDDAC 24/7 operations and is intended
to give early detection of a cyber attack.)
57
Take Home Points
  • Cyber terrorism is a real possibility based upon
    trends indicating terrorists targeting critical
    infrastructures
  • Sophistication and number of attacks are on the
    increase, while executing attacks is easier via
    automation and the availability of tools
  • Government, law enforcement, intelligence
    agencies and private industry must work together
    to protect critical infrastructures and
    information systems

58
www.infragard.net
The End
John B. Chesson, Special Agent
FBI Philadelphia, PA  215-418-4406  jchesson@fbi.gov
www.ciddac.org