Not Your Father's Internet - PowerPoint PPT Presentation

About This Presentation
Title: Not Your Father's Internet
Description: Infected 10% of hosts on the internet (6,000 of roughly 60,000) ... Spybot. http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html ... – PowerPoint PPT presentation

Slides: 35
Provided by: sherp

Transcript and Presenter's Notes

1
Not Your Father's Internet
  • Multi-Vector Security Threats and Solutions

John T. Chapman, Sr. Systems Engineer
Sherpa Technologies, Inc.
jchapman_at_sherpatech.com
2
Agenda
  • A Brief History
  • Network Security 2006
  • Common Questions/Myths
  • What Can I Do
  • Wrap-Up

3
A Brief History
4
The Internet (circa 1986)
5
Yesterday's Attackers
  • Few worms (few networks)
  • Viruses commonly spread via floppies
  • Motives
      • Test skills
      • Increase knowledge
      • Bragging rights
      • Make a statement
  • Typical attacker: a skilled individual

6
Morris Worm (Nov 2, 1988)
  • Robert T. Morris, at the time a 23-year-old
    first-year graduate student at Cornell University
  • Infected about 10% of hosts on the Internet
    (roughly 6,000 of 60,000)
      • Affected substantially more, due to its
        denial-of-service behavior
  • Similarities to modern threats
      • Attacked multiple vulnerabilities
          • Sendmail (the DEBUG command)
          • Finger (buffer overflow in fingerd)
          • rsh/rexec (trusted-host relationships)
          • Weak passwords (carried its own password cracker)
  • Wasn't intended to be destructive
    (designed to measure the size of the Internet)
  • A programming mistake in the check for an already
    running copy let hosts be reinfected again and
    again, which made it an effective denial-of-service
    attack.

7
The Internet (2006)
  • The Opte Project
    (http://www.opte.org/maps/)
  • Map legend (top-level domains, as grouped on the
    slide): net, ca, us com, org mil, gov, edu, jp,
    cn, tw, au de, uk, it, pl, fr br, kr, nl, unknown

8
Today's Attackers
  • Cybercrime: profit rather than prestige
      • Phishing
      • Extortion
  • Multi-vector, multi-purpose threats
  • Building an attack infrastructure

9
Top Targets
  • Financial Sector
  • Education
  • Small Business

10
Key Vectors
  • E-Mail
  • Web
  • Vulnerable Services/Applications
  • Client-Side Exploits

11
New Techniques
  • Bot or Zombie Networks
  • Modular Code
  • Anti-Security
  • Anti-Removal
  • Stealth (RootKit)

12
Spyware/Adware
  • Users not informed of installation
  • Users not informed of all functions of software
  • Fine Print
  • Bundling of programs without related
    functionality (embedded Ad/Spyware within other
    toolkits)
  • Ambiguous classification: a gray market

13
Viruses/Worms
  • Sober.X
  • Netsky.P
  • Mytob.ED
  • Mytob.DF
  • Spybot
  • Mytob.EE
  • Tooso.L
  • Mytob.KU
  • Netsky.Z
  • Mytob

14
Spybot
  • http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html
  • Bot
  • Publicly available source code and toolkits
  • Multi-vector
  • Multi-function

15
On the Horizon
  • Phishing
  • Instant Messaging (IM) and Peer-to-Peer (P2P)
  • Integrated Voice-Data Devices
  • Consumer Electronics
  • Macintosh OS X

16
Common Questions/Myths
17
Why Should I Care
  • Performance
  • Reputation
  • Secrets
  • Cost
  • Regulations
  • Liability
  • Damage

18
But I Already
  • Have A Firewall
  • Use AntiVirus
  • Patch systems regularly

19
Examples
  • University of California (Oct 2004)
  • ChoicePoint (Feb 2005)
  • Sumitomo Mitsui Bank (March 2005)
  • MasterCard/CardSystems (May 2005)

20
Updates
  • Georgetown University (Feb 12)
  • Citibank/Sam's Club (Dec 2005; March 7, 9)
  • CrossOver Trojan (Feb 23): Windows/Windows Mobile
  • Mannicum (March 8): destructive IM worm
  • CommWarrior.D (March 8): Symbian worm
  • CardTrp.ab (March 9): Symbian Trojan
  • Redbrowser.A (Feb 28): Java J2ME mobile-device
    Trojan

21
What can I do?
22
Best Practices
  • Security is a trade-off: work from a risk model
  • Defense-in-depth (the onion model)
  • Focus on low-hanging fruit
      • For you (easy to implement)
      • For the attackers (your weak points)
  • An ongoing process, not a one-time project

23
Solutions
  • Tier 1 - Must Haves
      • Perimeter Security (Firewall, Basic Network IPS)
      • Server Security (E-Mail, Web, File, Directory)
      • Host Security (AV, Firewall, Policy/rights,
        Patching)
      • Basic Identity Management (Password policy)
      • Security Policy (Risk analysis, Planning,
        Enforcement, Budget)
      • Staffing (System Administrator and Web Developer
        training, End-user awareness)

24
Solutions
  • Tier 2 - Should Haves
      • Segmentation (Internal Security, Host IPS, etc.)
      • Central Management (Patch, AV, Logging consoles)
      • Advanced Identity Management (Single Sign-On,
        Two-Factor Authentication, Policy-based Identity
        Management)
  • Tier 3 - Could Haves
      • Contracted Services (Monitoring, Response,
        Advisories)
      • Auditing (Internal or Third-Party Review)
      • Vulnerability Assessments
      • Advanced Web Security (Portals, Web Application
        Vulnerability scans)

25
Next Generation Solutions
  • Unified Threat Management
  • Integrated Security Architecture

26
Unified Threat Management
  • Multiple tools, single appliance
  • Pros
      • Lower cost, one-stop shopping
      • Typically high integration
      • Typically easier to manage
      • Single-vendor support
  • Cons
      • Generally ignores host/local security
      • Some features may not be full-function (esp.
        compared to best-of-breed)

27
Integrated Security Architecture
  • Communication/management between separate
    solutions
  • Pros
      • More comprehensive solution: addresses all
        levels/layers
      • Improves response time to an attack (sometimes
        automated)
      • Improves ability to do post-attack forensic
        analysis
  • Cons
      • Can be costly to purchase and implement
      • Integration can be difficult
      • Open architecture may provide best-of-breed at
        the expense of completeness/smoothness of
        integration
      • Closed architecture may sacrifice best-of-breed
        or exclude some areas of functionality; some
        closed suites are still not well-integrated

28
Wrap-Up
29
Summary
  • Motive
  • Evolving, complex threats require
    defense-in-depth
  • Attackers are shifting focus towards the weak
    points of the infrastructure
  • Defenses must evolve to match attackers
  • Effective protection includes prompt, complete
    and effective response to new threats and
    compromised systems.

30
References
  • Hobbes' Internet Timeline v8.1
    http://www.zakon.org/robert/internet/timeline/
  • Wikipedia: Timeline of notable computer viruses
    and worms
    http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms
  • The Internet Worm of 1988
    http://world.std.com/franl/worm.html
  • The Opte Project
    http://www.opte.org/maps/
  • Symantec Internet Security Threat Report Volume
    IX (March 8, 2006)
    http://www.symantec.com/enterprise/threatreport/index.jsp
  • Sopranos in Cyberspace
    http://www.checkpoint.com/securitycafe/readingroom/endpoint/docs/sopranos_in_cyberspace.pdf
  • SANS Top 20
    http://www.sans.org/top20/
  • SANS What Works: Tools for Defense In-Depth
    http://www.sans.org/whatworks/
  • WebRoot State of Spyware
    http://www.webroot.com/sosreporthome

31
Updates links
  • Georgetown University
    http://www.computerworld.com/hardwaretopics/hardware/server/story/0,10801,109245,00.html?fromstory_kc
  • Citibank
    http://www.computerworld.com/securitytopics/security/story/0,10801,109308,00.html
    http://www.computerworld.com/securitytopics/security/story/0,10801,109427,00.htm

32
Updates links
  • CrossOver Trojan (Feb 23): Windows/Windows Mobile
    http://news.com.com/StandoffoverPC-to-mobilejumpingcode/2100-7349_3-6046361.html
  • Mannicum (March 8): destructive IM worm
    http://vil.nai.com/vil/content/v_138850.htm
  • CommWarrior.D (March 8): Symbian worm
    http://www.sarc.com/avcenter/venc/data/symbos.commwarrior.d.html

33
Updates links
  • CardTrp.ab (March 9): Symbian Trojan
    http://www.sarc.com/avcenter/venc/data/symbos.cardtrp.ab.html
  • Redbrowser.A (Feb 28): Java J2ME mobile-device
    Trojan
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VNameJ2ME_REDBROW.A

34
Questions?
  • http://www.sherpatech.com/events/edtech-2006-sherpa.ppt
  • jchapman_at_sherpatech.com
  • barco_at_sherpatech.com