Module F

1
(No Transcript)
2
Computer Security

• Dr. Wayne Summers
• TSYS Department of Computer Science
• Columbus State University
• Summers_wayne_at_colstate.edu
• http//csc.colstate.edu/summers

3
(No Transcript)
4
SQL Slammer

• It only took 10 minutes for the SQL Slammer worm
  to race across the globe and wreak havoc on the
  Internet two weeks ago, making it the
  fastest-spreading computer infection ever seen.
• The worm, which nearly cut off Web access in
  South Korea and shut down some U.S. bank teller
  machines, doubled the number of computers it
  infected every 8.5 seconds in the first minute of
  its appearance.

5
BLASTER

• On Aug. 11, the Blaster virus and related bugs
  struck, hammering dozens of corporations.
• At least 500,000 computers worldwide infected
• Maryland Motor Vehicle Administration shut its
  offices for a day.
• Check-in system at Air Canada brought down.
• Infiltrated unclassified computers on the
  Navy-Marine intranet.

6
SOBIG.F

• Ten days later, the SoBig virus took over,
  causing delays in freight traffic at rail giant
  CSX Corp. forcing cancellation of some
  Washington-area trains and causing delays
  averaging six to 10 hours.
• Shutting down more than 3,000 computers belonging
  to the city of Forth Worth.
• One of every 17 e-mails scanned was infected (AOL
  detected 23.2 million attachments infected with
  SoBig.F)
• Worldwide, 15 of large companies and 30 of
  small companies were affected by SoBig -
  estimated damage of 2 billion.

7
Information Assurance

• Introduction
• Vulnerabilities
• Threats
• Controls
• Conclusions

8
Computer Security

• the protection of the computer resources against
  accidental or intentional disclosure of
  confidential data, unlawful modification of data
  or programs, the destruction of data, software or
  hardware, and the denial of one's own computer
  facilities irrespective of the method together
  with such criminal activities including computer
  related fraud and blackmail. Palmer

9
Goals

• confidentiality - limiting who can access assets
  of a computer system.
• integrity - limiting who can modify assets of a
  computer system.
• availability - allowing authorized users access
  to assets.

10
Definitions

• vulnerability - weakness in the security system
  that might be exploited to cause a loss or harm.
• threats - circumstances that have the potential
  to cause loss or harm. Threats typically exploit
  vulnerabilities.
• control - protective measure that reduces a
  vulnerability or minimize the threat.

11
CERT list of Advisories (August-October 2003)

• CA-2003-27 Multiple Vulnerabilities in Microsoft
  Windows and Exchange
• There are multiple vulnerabilities in Microsoft
  Windows and Microsoft Exchange, the most serious
  of which could allow remote attackers to execute
  arbitrary code.
• Multiple Vulnerabilities in SSL/TLS
  Implementations
• may allow a remote attacker to execute arbitrary
  code. The common impact is denial of service.
• Buffer Overflow in Sendmail
• could allow a remote attacker to execute
  arbitrary code with the privileges of the
  sendmail daemon, typically root
• Buffer Management Vulnerability in OpenSSH
• may allow a remote attacker to corrupt heap
  memory which could cause a denial-of-service
  condition
• RPCSS Vulnerabilities in Microsoft Windows
• remotely exploitable buffer overflows that may
  allow an attacker to execute arbitrary code with
  system privileges
• Multiple Vulnerabilities in Microsoft Internet
  Explorer
• could allow a remote attacker to execute
  arbitrary code with the privileges of the user
  running IE
• GNU Project FTP Server Compromise
• W32/Blaster worm
• exploit known vulnerabilities in the Microsoft
  Remote Procedure Call (RPC) Interface

12
Vulnerabilities reported

• 1995-1999
• 2000-2002
• In 2002 over 80 vulnerabilities in IE patched
  over 30 remain unpatched as of Sept. 11, 2003.

Year 1995 1996 1997 1998 1999
Vulnerabilities 171 345 311 262 417
Year 2000 2001 2002
Vulnerabilities 1,090 2,437 4,129
13
Common Vulnerabilities and Exposures

• CVE Report (http//cve.mitre.org/) has 480 pages
  of certified vulnerabilities and exposures and
  853 pages of candidates for consideration ranging
  from buffer overflows and denial of service
  attacks to bugs in software
• 347 CVE entries or candidates that match Linux
• Buffer overflow in RogerWilco graphical server
  1.4.1.6 and earlier, allows remote attackers to
  cause a denial of service and execute arbitrary
  code via a client request with a large length
  value.
• Docview before 1.1-18 in Caldera OpenLinux 3.1.1,
  SCO Linux 4.0, OpenServer 5.0.7, configures the
  Apache web server in a way that allows remote
  attackers to read arbitrary publicly readable
  files via a certain URL, possibly related to
  rewrite rules.

14
Top Vulnerabilities to Unix Systems

• Remote Procedure Calls (RPC)
• Apache Web Server
• Secure Shell (SSH)
• Simple Network Management Protocol (SNMP)
• File Transfer Protocol (FTP)
• R-Services -- Trust Relationships
• Line Printer Daemon (LPD)
• Sendmail
• BIND/DNS
• General Unix Authentication -- Accounts with No
  Passwords or Weak Passwords
• http//www.sans.org/top20/

15
Vulnerabilities

• Todays complex Internet networks cannot be made
  watertight. A system administrator has to get
  everything right all the time a hacker only has
  to find one small hole. A sysadmin has to be
  lucky all of the time a hacker only has to get
  lucky once. It is easier to destroy than to
  create.
• Robert Graham, lead architect of Internet
  Security Systems

16
Types of Threats

• interception - some unauthorized party has gained
  access to an asset.
• modification - some unauthorized party tampers
  with an asset.
• fabrication - some unauthorized party might
  fabricate counterfeit objects for a computer
  system.
• interruption - asset of system becomes lost or
  unavailable or unusable.

17
2003 Computer Crime and Security Survey CSI/FBI
Report

• 251 organizations report almost 202 million in
  financial losses, but that's 56 percent improved
  over last year.
• theft of proprietary information caused the
  greatest financial loss (70,195,900 was lost,
  with the average reported loss being
  approximately 2.7 million).
• Second was denial of service attacks, responsible
  for more than 65 million in total losses among
  those surveyed.
• Insider attacks and system abuse followed virus
  infections as the top category of adverse events
  based on the number of incidents.
• 50 percent of all attacks go unreported, and 22
  percent of companies dont know if their Web site
  suffered unauthorized access .
• companies that experienced serious computer
  system intrusions failed in nearly 10 percent of
  cases to patch the vulnerable systems.

18
Recent News

• CRITICAL WINDOWS, EXCHANGE ALERTS ISSUED
  Microsoft recommends immediately patching five
  critical vulnerabilities, four in Windows and one
  in Exchange 2000 Server. All five, if exploited,
  could enable an outsider to remotely execute code
  on a vulnerable system. (10/16/2003)
• PATCHED XP/2000 VULNERABLE TO RPC EXPLOIT
  (10/16/2003)
• 45 billion worldwide spending on IT security
  products and services by 2006. (IDC)
• The increased sophistication of worms really
  concerns us and while we didnt see a major
  outbreak in the first half of this year for
  Linux-based blended threats, we really do believe
  its on the horizon. Tony Vincent, senior
  analyst at Symantec.
• Microsoft Corp. warned today that users of its
  Office software are at risk of having their
  computers taken over by an attacker unless they
  apply a patch to correct the problem. (9/3/2003)
• Microsoft faces possible class-action suit over
  security breaches (10/2/2003)

19
Recent News

• ComputerWorld (Oct. 02, 2003) Trojan program uses
  Internet Explorer hole to hijack browsers
• Computer hackers have found another way to
  exploit an unpatched hole in Microsoft Corp.'s
  Internet Explorer Web browser, using a specially
  designed attack Web site to install a Trojan
  horse program on vulnerable Windows machines. The
  Trojan program changes the Domain Name System
  (DNS) configuration on the Windows machine so
  that requests for popular Web search engines like
  Google and AltaVista bring the Web surfer to a
  Web site maintained by the hackers instead,
  according to warnings from leading security
  companies.
• The attacks are the latest in a string of
  online scams that rely on an easy-to-exploit flaw
  in Internet Explorer known as the "ObjectData"
  vulnerability. Earlier attacks that relied on the
  vulnerability include a worm that spreads using
  American Online Inc.'s Instant Messenger network.
  
• Microsoft released a patch for the ObjectData
  vulnerability, MS03-032, in August, but even
  machines that were patched remain vulnerable to
  the latest attack because of holes in the patch,
  according to a bulletin posted by Network
  Associates Inc.

20
Virus? Use this patch immediately !

• Dear friend , use this Internet Explorer patch
  now!
• There are dangerous virus in the Internet now!
• More than 500.000 already infected!
• E-mail from "Microsoft ltsecurity_at_microsoft.comgt

21
Malware and other Threats

• Viruses / Worms
• 1987-1995 boot program infectors
• 1995-1999 Macro viruses (Concept)
• 1999-2003 self/mass-mailing worms (Melissa-Klez)
• 2001-??? Megaworms (Code Red, Nimda, SQL
  Slammer, Slapper)
• Trojan Horses
• Remote Access Trojans (Back Orifice)
• Most Threats use Buffer Overflow vulnerabilities

22
Social Engineering

• we have met the enemy and they are us - POGO
• Social Engineering getting people to do things
  that they wouldnt ordinarily do for a stranger
  The Art of Deception, Kevin Mitnick

23
Controls

• Reduce and contain the risk of security breaches
• Security is not a product, its a process
  Bruce Schneier Using any security product
  without understanding what it does, and does not,
  protect against is a recipe for disaster.
• Security is NOT installing a firewall.
• A Security Audit is NOT "running a port scan and
  turning things off"

24
Security is

• "Can you still continue to work
  productively/safely, without compounding the
  problem"
• only as good as your "weakest link"
• "risk management of your corporate resources
  (computers) and people"
• "Can somebody physically walk out with your
  computers, disks, tapes, .. "
• a Process, Methodology, Policies and People
• 24x7x365 ... constantly ongoing .. never ending
• "learn all you can as fast as you can, without
  negatively affecting the network, productivity
  and budget"
• http//www.linux-sec.net/

25
Food for Thought

• 80-90 of any/all security issues are INTERNAL (
  not the outside world )
• If you want to simulate a disk crash right now
  (unplug it NOW)...
• what data did you just lose ..
• how fast can you recover your entire system from
  the offline backups ..
• If the hacker/cracker penetrated your firewall
  ...
• what else can they do to your network/data ...
• what will they see on your network and other
  computers ...
• If your T1/T3 died ( dead router, dead csu/dsu,
  dead hubs ) ...
• how much loss of productivity (lost revenue)
  would you suffer for being offline ...
• do you have a secondary backup internet
  connection ...
• There always is someone out there that can get in
  ... if they wanted to ...
• http//www.linux-sec.net/

26
Solutions

• Apply defense in-depth
• Run and maintain an antivirus product
• Do not run programs of unknown origin
• Disable or secure file shares
• Deploy a firewall
• Keep your patches up-to-date

27
Critical Microsoft Security Bulletin MS03-039

• Verify firewall configuration.
• Stay up to date. Use update services from
  Microsoft to keep your systems up to date.
• Use and keep antivirus software up-to-date. You
  should not let remote users or laptops connect to
  your network unless they have up-to-date
  antivirus software installed. In addition,
  consider using antivirus software in multiple
  points of your computer infrastructure, such as
  on edge Web proxy systems, as well as on email
  servers and gateways.
• You should also protect your network by requiring
  employees to take the same three steps with home
  and laptop PCs they use to remotely connect to
  your enterprise, and by encouraging them to talk
  with friends and family to do the same with their
  PCs. (http//www.microsoft.com/protect)

28
Defense in Depth

• Antivirus
• Firewall
• Intrusion Detection Systems
• Intrusion Protection Systems
• Vulnerability Analyzers
• Authentication Techniques (passwords, biometric
  controls)
• BACKUP

29
Default-Deny Posture

• Configure all perimeter firewalls and routers to
  block all protocols except those expressly
  permitted.
• Configure all internal routers to block all
  unnecessary traffic between internal network
  segments, remote VPN connections, and business
  partner links.
• Harden servers and workstations to run only
  necessary services and applications.
• Organize networks into logical compartmental
  segments that only have necessary services and
  communications with the rest of the enterprise.
• Patch servers and applications on a routine
  schedule.

30
New Types of Controls

• Threat Management System - early-warning system
  that uses a worldwide network of firewall and
  intrusion-detection systems to aggregate and
  correlate attack data.
• Vulnerability Assessment Scanner - penetration
  testing and security audit scanner that locates
  and assesses the security strength of databases
  and applications within your network.

31
Education Misinformation

• SQL Slammer infected through MSDE 2000, a
  lightweight version of SQL Server installed as
  part of many applications from Microsoft (e.g.
  Visio) as well as 3rd parties.
• CodeRed infected primarily desktops from people
  who didn't know that the "personal" version of
  IIS was installed.
• Educate programmers and future programmers of the
  importance of checking for buffer overflows.

32
The 7 Top Management Errors that Lead to Computer
Security Vulnerabilities

• Number Seven Pretend the problem will go away if
  they ignore it.
• Number Six Authorize reactive, short-term fixes
  so problems re-emerge rapidly
• Number Five Fail to realize how much money their
  information and organizational reputations are
  worth.
• Number Four Rely primarily on a firewall.
• Number Three Fail to deal with the operational
  aspects of security make a few fixes and then
  not allow the follow through necessary to ensure
  the problems stay fixed
• Number Two Fail to understand the relationship
  of information security to the business problem
  -- they understand physical security but do not
  see the consequences of poor information
  security.
• Number One Assign untrained people to maintain
  security and provide neither the training nor the
  time to make it possible to do the job.
• http//www.sans.org/resources/errors.php

33
Conclusions

• Every organization MUST have a security policy
• Acceptable use statements
• Password policy
• Training / Education
• Conduct a risk analysis to create a baseline for
  the organizations security
• Create a cross-functional security team
• You are the weakest link

34

• The most potent tool in any security arsenal
  isnt a powerful firewall or a sophisticated
  intrusion detection system. When it comes to
  security, knowledge is the most effective tool
• Douglas Schweizer The State of Network
  Security, Processor.com, August 22, 2003.

35
Resources

• http//www.sans.org
• http//www.cert.org
• http//www.cerias.purdue.edu/
• http//www.linuxsecurity.com/
• http//www.linux-sec.net/
• Cuckoos Egg Clifford Stoll
• Takedown Tsutomu Shimomura
• The Art of Deception Kevin Mitnick
• Black Ice Dan Verton
• Beyond Fear Bruce Schneier

36
COMPUTER SECURITY DAYNovember 30, 2003
ACCENTUATE THE POSITIVE