Module F - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
(No Transcript)
2
Information Assurance: vulnerabilities, threats, and controls
  • Dr. Wayne Summers
  • TSYS Department of Computer Science
  • Columbus State University
  • Summers_wayne_at_colstate.edu
  • http://csc.colstate.edu/summers

3
(No Transcript)
4
SQL Slammer
  • It only took 10 minutes for the SQL Slammer worm
    to race across the globe and wreak havoc on the
    Internet two weeks ago, making it the
    fastest-spreading computer infection ever seen.
  • The worm, which nearly cut off Web access in
    South Korea and shut down some U.S. bank teller
    machines, doubled the number of computers it
    infected every 8.5 seconds in the first minute of
    its appearance.

5
BLASTER
  • On Aug. 11, the Blaster virus and related bugs
    struck, hammering dozens of corporations.
  • At least 500,000 computers worldwide infected
  • Maryland Motor Vehicle Administration shut its
    offices for a day.
  • Check-in system at Air Canada brought down.
  • Infiltrated unclassified computers on the
    Navy-Marine intranet.

6
SOBIG.F
  • Ten days later, the SoBig virus took over,
    causing delays in freight traffic at rail giant
    CSX Corp., forcing cancellation of some
    Washington-area trains and causing delays
    averaging six to 10 hours.
  • Shut down more than 3,000 computers belonging
    to the city of Fort Worth.
  • One of every 17 e-mails scanned was infected (AOL
    detected 23.2 million attachments infected with
    SoBig.F).
  • Worldwide, 15% of large companies and 30% of
    small companies were affected by SoBig, with
    estimated damage of $2 billion.

7
Information Assurance
  • Introduction
  • Vulnerabilities
  • Threats
  • Controls
  • Conclusions

8
Computer Security
  • "the protection of the computer resources against
    accidental or intentional disclosure of
    confidential data, unlawful modification of data
    or programs, the destruction of data, software or
    hardware, and the denial of one's own computer
    facilities irrespective of the method, together
    with such criminal activities including computer
    related fraud and blackmail." (Palmer)

9
Goals
  • confidentiality - limiting who can access assets
    of a computer system.
  • integrity - limiting who can modify assets of a
    computer system.
  • availability - allowing authorized users access
    to assets.

10
Definitions
  • vulnerability - weakness in the security system
    that might be exploited to cause a loss or harm.
  • threats - circumstances that have the potential
    to cause loss or harm. Threats typically exploit
    vulnerabilities.
  • control - protective measure that reduces a
    vulnerability or minimizes the threat.

11
CERT list of Current Activity
  • Increase in traffic to 554/tcp
  • RealNetworks media server RTSP protocol parser
    buffer overflow
  • W32/Sobig.F Worm: email-borne malicious program
    with a specially crafted attachment that has a
    .pif extension
  • W32/Welchia worm: designed to kill and remove the
    msblast.exe artifact left behind by W32/Blaster
  • W32/Blaster worm: exploits known vulnerabilities
    in the Microsoft Remote Procedure Call (RPC)
    Interface; causes a DoS attack on
    windowsupdate.com
  • Exploitation of Microsoft RPC Vulnerabilities: a
    buffer overflow vulnerability exists in
    Microsoft's Remote Procedure Call (RPC)
    implementation; a remote attacker could exploit
    this vulnerability to execute arbitrary code or
    cause a denial of service
  • Attempts To Exploit Cisco IOS Interface Blocked
    Vulnerabilities: could allow an intruder to
    execute a denial-of-service attack against a
    vulnerable device

12
Vulnerabilities reported
  • 1995-1999
  • 2000-2002
  • In 2002 over 80 vulnerabilities in IE were patched;
    over 30 remain unpatched as of Sept. 11, 2003.

13
Common Vulnerabilities and Exposures
  • The CVE Report (http://cve.mitre.org/) has 480 pages
    of certified vulnerabilities and exposures and
    853 pages of candidates for consideration, ranging
    from buffer overflows and denial of service
    attacks to bugs in software.
  • Microsoft Outlook 2000 and 2002, when configured
    to use Microsoft Word as the email editor, does
    not block scripts that are used while editing
    email messages in HTML or Rich Text Format (RTF),
    which could allow remote attackers to execute
    arbitrary scripts via an email that the user
    forwards or replies to.

14
Vulnerabilities
  • "Today's complex Internet networks cannot be made
    watertight. A system administrator has to get
    everything right all the time; a hacker only has
    to find one small hole. A sysadmin has to be
    lucky all of the time; a hacker only has to get
    lucky once. It is easier to destroy than to
    create."
  • Robert Graham, lead architect of Internet
    Security Systems

15
Types of Threats
  • interception - some unauthorized party has gained
    access to an asset.
  • modification - some unauthorized party tampers
    with an asset.
  • fabrication - some unauthorized party might
    fabricate counterfeit objects for a computer
    system.
  • interruption - an asset of the system becomes
    lost, unavailable, or unusable.

16
2003 Computer Crime and Security Survey (CSI/FBI Report)
  • 251 organizations report almost $202 million in
    financial losses, but that's 56 percent improved
    over last year.
  • Theft of proprietary information caused the
    greatest financial loss ($70,195,900 was lost,
    with the average reported loss being
    approximately $2.7 million).
  • Second was denial of service attacks, responsible
    for more than $65 million in total losses among
    those surveyed.
  • Insider attacks and system abuse followed virus
    infections as the top category of adverse events
    based on the number of incidents.
  • 50 percent of all attacks go unreported, and 22
    percent of companies don't know if their Web site
    suffered unauthorized access.
  • companies that experienced serious computer
    system intrusions failed in nearly 10 percent of
    cases to patch the vulnerable systems.

17
Recent News
  • $45 billion worldwide spending on IT security
    products and services by 2006. (IDC)
  • The speed at which viruses and worms are
    spreading is increasing.
  • A serious security flaw shows that Microsoft
    Passport identities could be easily compromised.
  • Microsoft Corp. warned today that users of its
    Office software are at risk of having their
    computers taken over by an attacker unless they
    apply a patch to correct the problem. (9/3/2003)

18
Recent News
  • September 17, CNET News.com, "Flaws set to spawn
    another Blaster": Tools exploiting a new Windows
    flaw have started to appear, prompting warnings
    of imminent virus attacks. Ken Dunham, an analyst
    at a private security firm, said on Tuesday,
    September 16, that it is "highly likely" that new
    worms or Trojan horses will emerge in the next
    few days. These bugs are expected to prey on
    computers that have not been updated with the
    latest security patch for Microsoft's operating
    system. "A new Blaster-like worm family could be
    created in a matter of hours or days, now that
    exploit source code has been posted in the
    underground," Dunham wrote in an email. "The new
    attack tool makes it trivial for any malicious
    actor to gain unauthorized root access to an
    unpatched computer."

19
Malware and other Threats
  • Viruses / Worms
  • 1987-1995 boot program infectors
  • 1995-1999 Macro viruses (Concept)
  • 1999-2003 self/mass-mailing worms (Melissa-Klez)
  • 2001-??? Megaworms (Code Red, Nimda, SQL
    Slammer, Slapper)
  • Trojan Horses
  • Remote Access Trojans (Back Orifice)
  • Most Threats use Buffer Overflow vulnerabilities

20
Social Engineering
  • "We have met the enemy and they are us." - Pogo
  • Social Engineering: getting people to do things
    that they wouldn't ordinarily do for a stranger
    (The Art of Deception, Kevin Mitnick)

21
Controls
  • Reduce and contain the risk of security breaches
  • "Security is not a product, it's a process."
    (Bruce Schneier) Using any security product
    without understanding what it does, and does not,
    protect against is a recipe for disaster.

22
Solutions
  • Apply defense in depth
  • Run and maintain an antivirus product
  • Do not run programs of unknown origin
  • Disable or secure file shares
  • Deploy a firewall
  • Keep your patches up-to-date

23
Defense in Depth
  • Antivirus
  • Firewall
  • Intrusion Detection Systems
  • Intrusion Protection Systems
  • Vulnerability Analyzers
  • Authentication Techniques (passwords, biometric
    controls)
  • BACKUP

24
Critical Microsoft Security Bulletin MS03-039
  • Verify firewall configuration.
  • Stay up to date. Use update services from
    Microsoft to keep your systems up to date.
  • Use and keep antivirus software up-to-date. You
    should not let remote users or laptops connect to
    your network unless they have up-to-date
    antivirus software installed. In addition,
    consider using antivirus software in multiple
    points of your computer infrastructure, such as
    on edge Web proxy systems, as well as on email
    servers and gateways.
  • You should also protect your network by requiring
    employees to take the same three steps with home
    and laptop PCs they use to remotely connect to
    your enterprise, and by encouraging them to talk
    with friends and family to do the same with their
    PCs. (http://www.microsoft.com/protect)

25
Default-Deny Posture
  • Configure all perimeter firewalls and routers to
    block all protocols except those expressly
    permitted.
  • Configure all internal routers to block all
    unnecessary traffic between internal network
    segments, remote VPN connections, and business
    partner links.
  • Harden servers and workstations to run only
    necessary services and applications.
  • Organize networks into logical compartmental
    segments that only have necessary services and
    communications with the rest of the enterprise.
  • Patch servers and applications on a routine
    schedule.

26
Practical Patches
  • Develop an up-to-date inventory of all production
    systems.
  • Standardize production systems to same version of
    OS and application software.
  • Compare reported vulnerabilities against your
    inventory/control list.
  • Classify the risk (severity of threat, level of
    vulnerability, cost of mitigation and recovery)
  • Apply the patch
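The five patching steps above, worked through in code. This is an added example written for this transcript, not code from the presentation; the inventory entries and the ADV-PLACEHOLDER advisory ids are constructed sample data, and "severity times number of affected systems" is one simple risk classification, not the one the slide prescribes.

```c
#include <stdio.h>
#include <string.h>

/* One production system from the inventory (step 1). Standardising on the
 * same OS and application versions (step 2) is what makes exact matching
 * of product and version strings workable. */
typedef struct { const char *host, *product, *version; } Asset;
/* One reported vulnerability with the severity the team assigned it (1-3). */
typedef struct { const char *id, *product, *version; int severity; } Advisory;
/* Constructed sample data; the advisory ids are placeholders, not real bulletins. */
static const Asset INVENTORY[] = {
    { "web-01", "IIS",  "5.0"  },
    { "web-02", "IIS",  "5.0"  },
    { "db-01",  "MSDE", "2000" },
};
static const Advisory ADVISORIES[] = {
    { "ADV-PLACEHOLDER-1", "IIS",      "5.0",  3 },
    { "ADV-PLACEHOLDER-2", "MSDE",     "2000", 3 },
    { "ADV-PLACEHOLDER-3", "Exchange", "2000", 2 },   /* product we do not run */
};
#define N_ASSETS (sizeof INVENTORY / sizeof INVENTORY[0])
#define N_ADV    (sizeof ADVISORIES / sizeof ADVISORIES[0])

/* Step 3: compare a reported vulnerability against the inventory. */
int affected_count(const Advisory *adv) {
    int n = 0;
    for (size_t i = 0; i < N_ASSETS; i++)
        if (strcmp(INVENTORY[i].product, adv->product) == 0 &&
            strcmp(INVENTORY[i].version, adv->version) == 0)
            n++;
    return n;
}

/* Step 4: classify risk as severity weighted by exposure. 0 means the
 * advisory applies to nothing we run, so no patch window is needed. */
int risk_score(const Advisory *adv) { return adv->severity * affected_count(adv); }

/* Step 5: index of the advisory to patch first, or -1 if none applies. */
int next_patch(void) {
    int best = -1, best_score = 0;
    for (size_t i = 0; i < N_ADV; i++) {
        int s = risk_score(&ADVISORIES[i]);
        if (s > best_score) { best_score = s; best = (int)i; }
    }
    return best;
}

int main(void) {
    int i = next_patch();
    if (i >= 0) printf("patch first: %s (risk %d)\n", ADVISORIES[i].id, risk_score(&ADVISORIES[i]));
    return 0;
}
```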

27
New Types of Controls
  • Threat Management System - early-warning system
    that uses a worldwide network of firewall and
    intrusion-detection systems to aggregate and
    correlate attack data.
  • Vulnerability Assessment Scanner - penetration
    testing and security audit scanner that locates
    and assesses the security strength of databases
    and applications within your network.

28
Symantec "best practices"
  • Turn off and remove unneeded services.
  • If a blended threat exploits one or more network
    services, disable, or block access to, those
    services until a patch is applied.
  • Always keep your patch levels up-to-date.
  • Enforce a password policy.
  • Configure your email server to block or remove
    email that contains file attachments that are
    commonly used to spread viruses.
  • Isolate infected computers quickly to prevent
    further compromising your organization.
  • Do not open attachments unless they are expected.
    Also, do not execute software that is downloaded
    from the Internet unless it has been scanned for
    viruses. Simply visiting a compromised Web site
    can cause infection if certain browser
    vulnerabilities are not patched.
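One way a mail gateway can apply the attachment rule above. This is an added example, not Symantec's or the presenter's code; the blocked-extension list is constructed for the example (the CERT entry earlier in the deck names .pif for Sobig.F), and the function name attachment_is_blocked is mine.

```c
#include <ctype.h>
#include <string.h>
#include <stdio.h>

/* Extensions the gateway refuses. Constructed list for this example;
 * .pif is the extension the CERT entry on Sobig.F names. */
static const char *const BLOCKED_EXT[] = { "pif", "exe", "scr", "bat", "com", "vbs", "cmd" };
#define N_BLOCKED (sizeof BLOCKED_EXT / sizeof BLOCKED_EXT[0])

/* Case-insensitive match of the first n bytes of a against the whole of b. */
static int eq_nocase_n(const char *a, size_t n, const char *b) {
    for (size_t i = 0; i < n; i++)
        if (b[i] == '\0' || tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return b[n] == '\0';            /* b must not be longer than n either */
}

/* Returns 1 if the attachment should be blocked, 0 if it may pass.
 * Only the final extension is inspected, so "invoice.txt.pif" is still
 * blocked, and whitespace after the extension is trimmed so that
 * "invoice.pif " cannot slip past the comparison. */
int attachment_is_blocked(const char *filename) {
    const char *dot = strrchr(filename, '.');
    if (dot == NULL) return 0;          /* no extension at all */
    const char *ext = dot + 1;
    size_t n = strlen(ext);
    while (n > 0 && isspace((unsigned char)ext[n - 1])) n--;
    if (n == 0) return 0;               /* "archive." has an empty extension */
    for (size_t i = 0; i < N_BLOCKED; i++)
        if (eq_nocase_n(ext, n, BLOCKED_EXT[i])) return 1;
    return 0;
}

int main(void) {
    /* Constructed sample filenames */
    const char *samples[] = { "invoice.pif", "report.doc", "PHOTO.TXT.PIF", "notes.pif ", "readme" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s %s\n", samples[i], attachment_is_blocked(samples[i]) ? "BLOCK" : "allow");
    return 0;
}
```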

29
Education Misinformation
  • SQL Slammer infected through MSDE 2000, a
    lightweight version of SQL Server installed as
    part of many applications from Microsoft (e.g.
    Visio) as well as 3rd parties.
  • CodeRed infected primarily desktops from people
    who didn't know that the "personal" version of
    IIS was installed.
  • Educate programmers and future programmers of the
    importance of checking for buffer overflows.
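The check the last bullet asks programmers to make, and the "most threats use buffer overflow vulnerabilities" point from the malware slide, side by side. This is an added example, not code from the presentation: the 16-byte NAME_MAX buffer and the function names are mine, and the unchecked version is there only for contrast.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* size of the fixed destination buffer */

/* Unchecked copy: the pattern behind the buffer overflows the slides refer
 * to. strcpy() assumes src fits in NAME_MAX bytes; a longer src overwrites
 * whatever sits after dst in memory. Kept here for contrast only and
 * never called with untrusted input. */
void copy_name_unchecked(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Checked copy: measure src without scanning past NAME_MAX bytes, refuse it
 * if there is no room for the terminating NUL, and only then copy.
 * Returns 1 on success, 0 when src was rejected (dst is left empty). */
int copy_name_checked(char *dst, const char *src) {
    size_t len = 0;
    while (len < NAME_MAX && src[len] != '\0')
        len++;
    if (len >= NAME_MAX) {            /* NAME_MAX-1 characters is the limit */
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, len + 1);        /* len + 1 includes the NUL */
    return 1;
}

/* Helper for callers and tests: does the input fit the buffer? */
int accepts_name(const char *src) {
    char buf[NAME_MAX];
    return copy_name_checked(buf, src);
}

int main(void) {
    char buf[NAME_MAX];
    const char *ok  = "summers";                           /* constructed */
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";    /* 32 bytes, constructed */
    printf("%-34s -> %s\n", ok,  copy_name_checked(buf, ok)  ? "copied" : "rejected");
    printf("%-34s -> %s\n", bad, copy_name_checked(buf, bad) ? "copied" : "rejected");
    return 0;
}
```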

30
Conclusions
  • Every organization MUST have a security policy
  • Acceptable use statements
  • Password policy
  • Training / Education
  • Conduct a risk analysis to create a baseline for
    the organization's security
  • Create a cross-functional security team
  • You are the weakest link

31
Bibliography
  • Does Cyberterrorism Pose a True Threat? -
    http://www.pcworld.com/resource/printable/article/0,aid,109819,00.asp
  • Network Security Best Practices -
    http://www.computerworld.com/printthis/2003/0,4814,77625,00.html
  • Practical Patching -
    http://www.infosecuritymag.com/2003/mar/justthebasics.shtml
  • Symantec Offers Early Warning of Net Threats -
    http://www.pcworld.com/news/article/0,aid,109322,00.asp
  • The Art of Deception - Kevin Mitnick