Module F

1
(No Transcript)
2
Information Assurance vulnerabilities, threats,
and controls

• Dr. Wayne Summers
• TSYS Department of Computer Science
• Columbus State University
• Summers_wayne_at_colstate.edu
• http//csc.colstate.edu/summers

3
(No Transcript)
4
SQL Slammer

• It only took 10 minutes for the SQL Slammer worm
  to race across the globe and wreak havoc on the
  Internet two weeks ago, making it the
  fastest-spreading computer infection ever seen.
• The worm, which nearly cut off Web access in
  South Korea and shut down some U.S. bank teller
  machines, doubled the number of computers it
  infected every 8.5 seconds in the first minute of
  its appearance.

5
BLASTER

• On Aug. 11, the Blaster virus and related bugs
  struck, hammering dozens of corporations.
• At least 500,000 computers worldwide infected
• Maryland Motor Vehicle Administration shut its
  offices for a day.
• Check-in system at Air Canada brought down.
• Infiltrated unclassified computers on the
  Navy-Marine intranet.

6
SOBIG.F

• Ten days later, the SoBig virus took over,
  causing delays in freight traffic at rail giant
  CSX Corp. forcing cancellation of some
  Washington-area trains and causing delays
  averaging six to 10 hours.
• Shutting down more than 3,000 computers belonging
  to the city of Forth Worth.
• One of every 17 e-mails scanned was infected (AOL
  detected 23.2 million attachments infected with
  SoBig.F)
• Worldwide, 15 of large companies and 30 of
  small companies were affected by SoBig -
  estimated damage of 2 billion.

7
Information Assurance

• Introduction
• Vulnerabilities
• Threats
• Controls
• Conclusions

8
Computer Security

• the protection of the computer resources against
  accidental or intentional disclosure of
  confidential data, unlawful modification of data
  or programs, the destruction of data, software or
  hardware, and the denial of one's own computer
  facilities irrespective of the method together
  with such criminal activities including computer
  related fraud and blackmail. Palmer

9
Goals

• confidentiality - limiting who can access assets
  of a computer system.
• integrity - limiting who can modify assets of a
  computer system.
• availability - allowing authorized users access
  to assets.

10
Definitions

• vulnerability - weakness in the security system
  that might be exploited to cause a loss or harm.
• threats - circumstances that have the potential
  to cause loss or harm. Threats typically exploit
  vulnerabilities.
• control - protective measure that reduces a
  vulnerability or minimize the threat.

11
CERT list of Current Activity

• Increase in traffic to 554/tcp
• RealNetworks media server RTSP protocol parser
  buffer overflow
• W32/Sobig.F Worm
• email-borne malicious program with a specially
  crafted attachment that has a .pif extension
• W32/Welchia worm
• designed to kill and remove the msblast.exe
  artifact left behind by W32/Blaster  
• W32/Blaster worm
• exploit known vulnerabilities in the Microsoft
  Remote Procedure Call (RPC) Interface. Causes a
  DoS attack on windowsupdate.com  
• Exploitation of Microsoft RPC Vulnerabilities
• buffer overflow vulnerability exists in
  Microsoft's Remote Procedure Call (RPC)
  implementation. A remote attacker could exploit
  this vulnerability to execute arbitrary code or
  cause a denial of service
• Attempts To Exploit Cisco IOS Interface Blocked
  Vulnerabilities
• could allow an intruder to execute a
  denial-of-service attack against a vulnerable
  device

12
Vulnerabilities reported

• 1995-1999
• 2000-2002
• In 2002 over 80 vulnerabilities in IE patched
  over 30 remain unpatched as of Sept. 11, 2003.

13
Common Vulnerabilities and Exposures

• CVE Report (http//cve.mitre.org/) has 480 pages
  of certified vulnerabilities and exposures and
  853 pages of candidates for consideration ranging
  from buffer overflows and denial of service
  attacks to bugs in software
• Microsoft Outlook 2000 and 2002, when configured
  to use Microsoft Word as the email editor, does
  not block scripts that are used while editing
  email messages in HTML or Rich Text Format (RTF),
  which could allow remote attackers to execute
  arbitrary scripts via an email that the user
  forwards or replies to.

14
Vulnerabilities

• Todays complex Internet networks cannot be made
  watertight. A system administrator has to get
  everything right all the time a hacker only has
  to find one small hole. A sysadmin has to be
  lucky all of the time a hacker only has to get
  lucky once. It is easier to destroy than to
  create.
• Robert Graham, lead architect of Internet
  Security Systems

15
Types of Threats

• interception - some unauthorized party has gained
  access to an asset.
• modification - some unauthorized party tampers
  with an asset.
• fabrication - some unauthorized party might
  fabricate counterfeit objects for a computer
  system.
• interruption - asset of system becomes lost or
  unavailable or unusable.

16
2003 Computer Crime and Security Survey CSI/FBI
Report

• 251 organizations report almost 202 million in
  financial losses, but that's 56 percent improved
  over last year.
• theft of proprietary information caused the
  greatest financial loss (70,195,900 was lost,
  with the average reported loss being
  approximately 2.7 million).
• Second was denial of service attacks, responsible
  for more than 65 million in total losses among
  those surveyed.
• Insider attacks and system abuse followed virus
  infections as the top category of adverse events
  based on the number of incidents.
• 50 percent of all attacks go unreported, and 22
  percent of companies dont know if their Web site
  suffered unauthorized access .
• companies that experienced serious computer
  system intrusions failed in nearly 10 percent of
  cases to patch the vulnerable systems.

17
Recent News

• 45 billion worldwide spending on IT security
  products and services by 2006. (IDC)
• The speed at which viruses and worms are
  spreading is increasing.
• A serious security flaw shows that Microsoft
  Passport identities could be easily compromised.
• Microsoft Corp. warned today that users of its
  Office software are at risk of having their
  computers taken over by an attacker unless they
  apply a patch to correct the problem. (9/3/2003)

18
Recent News

• September 17, CNET News.com Flaws set to spawn
  another Blaster. Tools exploiting a new Windows
  flaw have started to appear, prompting warnings
  of imminent virus attacks. Ken Dunham, an analyst
  at a private security firm, said on Tuesday,
  September 16, that it is "highly likely" that new
  worms or Trojan horses will emerge in the next
  few days. These bugs are expected to prey on
  computers that have not been updated with the
  latest security patch for Microsoft's operating
  system. "A new Blaster-like worm family could be
  created in a matter of hours or days, now that
  exploit source code has been posted in the
  underground," Dunham wrote in an email. "The new
  attack tool makes it trivial for any malicious
  actor to gain unauthorized root access to an
  unpatched computer."

19
Malware and other Threats

• Viruses / Worms
• 1987-1995 boot program infectors
• 1995-1999 Macro viruses (Concept)
• 1999-2003 self/mass-mailing worms (Melissa-Klez)
• 2001-??? Megaworms (Code Red, Nimda, SQL
  Slammer, Slapper)
• Trojan Horses
• Remote Access Trojans (Back Orifice)
• Most Threats use Buffer Overflow vulnerabilities

20
Social Engineering

• we have met the enemy and they are us - POGO
• Social Engineering getting people to do things
  that they wouldnt ordinarily do for a stranger
  The Art of Deception, Kevin Mitnick

21
Controls

• Reduce and contain the risk of security breaches
• Security is not a product, its a process
  Bruce Schneier Using any security product
  without understanding what it does, and does not,
  protect against is a recipe for disaster.

22
Solutions

• Apply defense in-depth
• Run and maintain an antivirus product
• Do not run programs of unknown origin
• Disable or secure file shares
• Deploy a firewall
• Keep your patches up-to-date

23
Defense in Depth

• Antivirus
• Firewall
• Intrusion Detection Systems
• Intrusion Protection Systems
• Vulnerability Analyzers
• Authentication Techniques (passwords, biometric
  controls)
• BACKUP

24
Critical Microsoft Security Bulletin MS03-039

• Verify firewall configuration.
• Stay up to date. Use update services from
  Microsoft to keep your systems up to date.
• Use and keep antivirus software up-to-date. You
  should not let remote users or laptops connect to
  your network unless they have up-to-date
  antivirus software installed. In addition,
  consider using antivirus software in multiple
  points of your computer infrastructure, such as
  on edge Web proxy systems, as well as on email
  servers and gateways.
• You should also protect your network by requiring
  employees to take the same three steps with home
  and laptop PCs they use to remotely connect to
  your enterprise, and by encouraging them to talk
  with friends and family to do the same with their
  PCs. (http//www.microsoft.com/protect)

25
Default-Deny Posture

• Configure all perimeter firewalls and routers to
  block all protocols except those expressly
  permitted.
• Configure all internal routers to block all
  unnecessary traffic between internal network
  segments, remote VPN connections, and business
  partner links.
• Harden servers and workstations to run only
  necessary services and applications.
• Organize networks into logical compartmental
  segments that only have necessary services and
  communications with the rest of the enterprise.
• Patch servers and applications on a routine
  schedule.

26
Practical Patches

• Develop an up-to-date inventory of all production
  systems.
• Standardize production systems to same version of
  OS and application software.
• Compare reported vulnerabilities against your
  inventory/control list.
• Classify the risk (severity of threat, level of
  vulnerability, cost of mitigation and recovery)
• Apply the patch

27
New Types of Controls

• Threat Management System - early-warning system
  that uses a worldwide network of firewall and
  intrusion-detection systems to aggregate and
  correlate attack data.
• Vulnerability Assessment Scanner - penetration
  testing and security audit scanner that locates
  and assesses the security strength of databases
  and applications within your network.

28
Symantec "best practices"

• Turn off and remove unneeded services.
• If a blended threat exploits one or more network
  services, disable, or block access to, those
  services until a patch is applied.
• Always keep your patch levels up-to-date.
• Enforce a password policy.
• Configure your email server to block or remove
  email that contains file attachments that are
  commonly used to spread viruses.
• Isolate infected computers quickly to prevent
  further compromising your organization.
• Do not open attachments unless they are expected.
  Also, do not execute software that is downloaded
  from the Internet unless it has been scanned for
  viruses. Simply visiting a compromised Web site
  can cause infection if certain browser
  vulnerabilities are not patched.

29
Education Misinformation

• SQL Slammer infected through MSDE 2000, a
  lightweight version of SQL Server installed as
  part of many applications from Microsoft (e.g.
  Visio) as well as 3rd parties.
• CodeRed infected primarily desktops from people
  who didn't know that the "personal" version of
  IIS was installed.
• Educate programmers and future programmers of the
  importance of checking for buffer overflows.

30
Conclusions

• Every organization MUST have a security policy
• Acceptable use statements
• Password policy
• Training / Education
• Conduct a risk analysis to create a baseline for
  the organizations security
• Create a cross-functional security team
• You are the weakest link

31
Bibliography

• Does Cyberterrorism Pose a True Threat? -
  http//www.pcworld.com/resource/printable/article/
  0,aid,109819,00.asp
• Network Security Best Practices -
  http//www.computerworld.com/printthis/2003/0,4814
  ,77625,00.html
• Practical Patching - http//www.infosecuritymag.co
  m/2003/mar/justthebasics.shtml
• Symantec Offers Early Warning of Net Threats -
  http//www.pcworld.com/news/article/0,aid,109322,0
  0.asp
• The Art of Deception Kevin Mitnick