Module F - PowerPoint PPT Presentation

About This Presentation
Title:

Module F

Description:

Module F - Columbus State University – PowerPoint PPT presentation

Transcript and Presenter's Notes

2
Information Assurance vulnerabilities, threats,
and controls
  • Dr. Wayne Summers
  • Department of Computer Science
  • Columbus State University
  • Summers_wayne_at_colstate.edu
  • http://csc.colstate.edu/summers

3
Sapphire / SQL Slammer
  • Beginning Saturday, January 25 at approximately
    12:30 a.m. EST, a distributed denial-of-service
    attack spread rapidly throughout the global
    Internet. Within 10 minutes, most of the
    vulnerable hosts on the Internet were infected.
    By morning, Bank of America customers could not
    withdraw money from 13,000 ATMs. Continental
    Airlines' Web site was offline. Normally heavy
    Internet trading on the South Korean stock market
    vanished.
  • Sapphire is a 376-byte worm that infects
    Microsoft SQL Server 2000 hosts via the SQL
    Resolution Service running on UDP port 1434. The
    worm does no damage to the infected machine.
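
A defender-side detection heuristic for the slide above, added here as an example and not part of the original presentation: it matches the two properties the slide gives (UDP destination port 1434 and a 376-byte payload) and then requires fan-out to several distinct hosts in a short window before alerting, since port and size alone also describe a legitimate client. The flow records are constructed, not a real capture.

```python
from collections import defaultdict

# Constructed sample of UDP flow records, not a real capture:
# (timestamp_s, src_ip, dst_ip, dst_port, payload_bytes)
SAMPLE_FLOWS = [
    (0.0, "10.0.0.5", "10.0.1.7", 1434, 376),
    (0.1, "10.0.0.5", "10.0.2.9", 1434, 376),
    (0.2, "10.0.0.5", "10.0.3.3", 1434, 376),
    (0.3, "10.0.0.5", "10.0.4.4", 1434, 376),
    (1.0, "10.0.0.8", "10.0.1.7", 1434, 40),   # ordinary SSRS lookup
    (2.0, "10.0.0.9", "10.0.1.7", 53, 376),    # same size, wrong port
]

SSRS_PORT = 1434            # SQL Server Resolution Service (from the slide)
SLAMMER_PAYLOAD_LEN = 376   # size of the worm (from the slide)


def is_slammer_like(flow):
    """A single datagram to UDP/1434 carrying exactly 376 bytes."""
    _, _, _, dport, plen = flow
    return dport == SSRS_PORT and plen == SLAMMER_PAYLOAD_LEN


def find_spreading_sources(flows, window_s=1.0, min_targets=3):
    """Return {src_ip: distinct targets} for sources that sent
    Slammer-like datagrams to at least min_targets different hosts
    within any window_s-second window. Port and size alone can
    match a legitimate client; the fan-out to many hosts in a
    short time is what a propagating worm looks like."""
    hits = defaultdict(list)
    for ts, src, dst, _, _ in (f for f in flows if is_slammer_like(f)):
        hits[src].append((ts, dst))
    alerts = {}
    for src, events in hits.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            in_window = {d for t, d in events[i:] if t - t0 <= window_s}
            best = max(best, len(in_window))
        if best >= min_targets:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    print(find_spreading_sources(SAMPLE_FLOWS))  # {'10.0.0.5': 4}
```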

4
Information Assurance
  • Introduction
  • Vulnerabilities
  • Threats
  • Controls
  • Conclusions

5
Computer Security
  • the protection of the computer resources against
    accidental or intentional disclosure of
    confidential data, unlawful modification of data
    or programs, the destruction of data, software or
    hardware, and the denial of one's own computer
    facilities irrespective of the method together
    with such criminal activities including computer
    related fraud and blackmail. (Palmer)

6
Goals
  • confidentiality - limiting who can access assets
    of a computer system.
  • integrity - limiting who can modify assets of a
    computer system.
  • availability - allowing authorized users access
    to assets.

7
Definitions
  • vulnerability - weakness in the security system
    that might be exploited to cause a loss or harm.
  • threats - circumstances that have the potential
    to cause loss or harm. Threats typically exploit
    vulnerabilities.
  • control - protective measure that reduces a
    vulnerability or minimizes the threat.

8
CERT list of Current Activity
  • Buffer overflow in ntdll.dll
  • Windows shares (null/weak passwords; worm
    W32.Deloder)
  • Buffer overflow in sendmail
  • SQL Server Worm (SQL Slammer) / weak passwords in
    SQL Server and Microsoft Data Engine
  • Buffer overflow in Samba
  • Vulnerabilities in SIP
  • SSH Vulnerabilities
  • Buffer overflow in Windows Shell
  • CVS (Concurrent Versions System) Server
  • Buffer overflow in Windows Locator Service

9
Vulnerabilities reported
  • 1995-1999
  • 2000-2002
  • In 2002 over 80 vulnerabilities in IE were
    patched; over 30 remain.
  • April 02, Security News Portal: 75% of all web
    servers running MS IIS 5.0 are vulnerable to
    exploitation.

  Year             1995   1996   1997   1998   1999
  Vulnerabilities   171    345    311    262    417

  Year             2000   2001   2002
  Vulnerabilities 1,090  2,437  4,129

10
Common Vulnerabilities and Exposures
  • CVE Report (http://cve.mitre.org/) has 480 pages
    of certified vulnerabilities and exposures and
    853 pages of candidates for consideration ranging
    from buffer overflows and denial of service
    attacks to bugs in software.
  • Microsoft Outlook 2000 and 2002, when configured
    to use Microsoft Word as the email editor, does
    not block scripts that are used while editing
    email messages in HTML or Rich Text Format (RTF),
    which could allow remote attackers to execute
    arbitrary scripts via an email that the user
    forwards or replies to.

11
Vulnerabilities
  • "Today's complex Internet networks cannot be made
    watertight. A system administrator has to get
    everything right all the time; a hacker only has
    to find one small hole. A sysadmin has to be
    lucky all of the time; a hacker only has to get
    lucky once. It is easier to destroy than to
    create."
  • - Robert Graham, lead architect of Internet
    Security Systems

12
Types of Threats
  • interception - some unauthorized party has gained
    access to an asset.
  • modification - some unauthorized party tampers
    with an asset.
  • fabrication - some unauthorized party might
    fabricate counterfeit objects for a computer
    system.
  • interruption - asset of system becomes lost or
    unavailable or unusable.

13
2002 Computer Crime and Security Survey CSI/FBI
Report
  • Ninety percent of respondents detected computer
    security breaches within the last twelve months.
  • Eighty percent acknowledged financial losses due
    to computer breaches.
  • Forty-four percent (223 respondents) were willing
    and/or able to quantify their financial losses.
    These 223 respondents reported $455,848,000 in
    financial losses.
  • For the fifth year in a row, more respondents
    (74%) cited their Internet connection as a
    frequent point of attack than cited their
    internal systems as a frequent point of attack
    (33%).
  • Thirty-four percent reported the intrusions to
    law enforcement. (In 1996, only 16% acknowledged
    reporting intrusions to law enforcement.)

14
Recent News
  • 20% increase in number of attacks on corporate
    networks in the second half of 2002. (Symantec)
  • $45 billion worldwide spending on IT security
    products and services by 2006. (IDC)
  • The Internet Risk Impact Summary Report cites an
    84 percent increase in "suspicious activities"
    such as automatic probing. The number of new
    worms and hybrids grew seven-fold to 752,
    compared to 101 in the fourth quarter of 2002.
    (Internet Security Systems (ISS))
  • Inundated with a persistent stream of new and
    recurring viruses and worms, nearly
    three-quarters of the 306 respondents say the
    virus problem is getting worse, especially in
    terms of money and resources spent to combat and
    recover from infections.

15
Cyberterrorism
  • "Cyberterrorism is largely overblown." - Bruce
    Schneier, founder and CTO, Counterpane Internet
    Security
  • "Critical systems don't run on the Internet; they
    are based on secure networks. We have protected
    our systems and do not rely on the Internet." -
    Rainer Fahs, Senior InfoSec Engineer, NATO.

16
Malware and other Threats
  • Viruses / Worms
  • 1987-1995 boot program infectors
  • 1995-1999 Macro viruses (Concept)
  • 1999-2003 self/mass-mailing worms (Melissa-Klez)
  • 2001-??? Megaworms (Code Red, Nimda, SQL
    Slammer, Slapper)
  • Trojan Horses
  • Remote Access Trojans (Back Orifice)
  • Most Threats use Buffer Overflow vulnerabilities

17
Social Engineering
  • "We have met the enemy and they are us." - Pogo
  • Social Engineering: getting people to do things
    that they wouldn't ordinarily do for a stranger.
    - The Art of Deception, Kevin Mitnick

18
Controls
  • Reduce and contain the risk of security breaches
  • "Security is not a product, it's a process." -
    Bruce Schneier. Using any security product
    without understanding what it does, and does not,
    protect against is a recipe for disaster.

19
Defense in Depth
  • Antivirus
  • Firewall
  • Intrusion Detection Systems
  • Intrusion Protection Systems
  • Vulnerability Analyzers
  • Authentication Techniques (passwords, biometric
    controls)
  • BACKUP

20
Default-Deny Posture
  • Configure all perimeter firewalls and routers to
    block all protocols except those expressly
    permitted.
  • Configure all internal routers to block all
    unnecessary traffic between internal network
    segments, remote VPN connections, and business
    partner links.
  • Harden servers and workstations to run only
    necessary services and applications.
  • Organize networks into logical compartmental
    segments that only have necessary services and
    communications with the rest of the enterprise.
  • Patch servers and applications on a routine
    schedule.

21
Practical Patches
  • Develop an up-to-date inventory of all production
    systems.
  • Standardize production systems to same version of
    OS and application software.
  • Compare reported vulnerabilities against your
    inventory/control list.
  • Classify the risk (severity of threat, level of
    vulnerability, cost of mitigation and recovery)
  • Apply the patch
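
The inventory-to-advisory cross-reference and risk classification steps of the slide above, as an added example that is not part of the original presentation. The inventory, advisory identifiers, version numbers and the severity-times-exposure scoring scale are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: tuple   # (major, minor, build), compared lexicographically
    exposed: bool    # reachable from outside the perimeter

@dataclass(frozen=True)
class Advisory:
    ident: str       # placeholder ids below, not real bulletin numbers
    product: str
    fixed_in: tuple  # first version that carries the fix
    severity: int    # 1 (low) .. 3 (high), as rated by the reporting body

# Constructed inventory and advisories; version numbers are made up.
INVENTORY = [
    Asset("db01", "SQL Server", (8, 0, 100), exposed=True),
    Asset("db02", "SQL Server", (8, 0, 200), exposed=False),
    Asset("mail1", "sendmail", (8, 12, 1), exposed=True),
    Asset("fs02", "Samba", (2, 2, 1), exposed=False),
]
ADVISORIES = [
    Advisory("ADV-0001", "SQL Server", (8, 0, 200), severity=3),
    Advisory("ADV-0002", "sendmail", (8, 12, 2), severity=3),
    Advisory("ADV-0003", "Samba", (2, 2, 2), severity=2),
]
RISK_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def affected(asset, adv):
    """Compare a reported vulnerability against the inventory entry."""
    return asset.product == adv.product and asset.version < adv.fixed_in

def classify(asset, adv):
    """Severity x exposure (assumed scale): Internet-facing doubles the weight."""
    score = adv.severity * (2 if asset.exposed else 1)
    if score >= 6:
        return "critical"
    if score >= 3:
        return "high"
    return "medium" if score >= 2 else "low"

def patch_queue(inventory, advisories):
    """Cross-reference inventory against advisories, most urgent first."""
    queue = [(a.host, adv.ident, classify(a, adv))
             for a in inventory for adv in advisories if affected(a, adv)]
    queue.sort(key=lambda item: (RISK_ORDER[item[2]], item[0]))
    return queue
```

A host already at the fixed version (db02 above) drops out of the queue, which is the payoff of the standardization step: fewer distinct versions means fewer entries to check.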

22
New Types of Controls
  • Threat Management System - early-warning system
    that uses a worldwide network of firewall and
    intrusion-detection systems to aggregate and
    correlate attack data.
  • Vulnerability Assessment Scanner - penetration
    testing and security audit scanner that locates
    and assesses the security strength of databases
    and applications within your network.

23
Symantec "best practices"
  • Turn off and remove unneeded services.
  • If a blended threat exploits one or more network
    services, disable, or block access to, those
    services until a patch is applied.
  • Always keep your patch levels up-to-date.
  • Enforce a password policy.
  • Configure your email server to block or remove
    email that contains file attachments that are
    commonly used to spread viruses.
  • Isolate infected computers quickly to prevent
    further compromising your organization.
  • Do not open attachments unless they are expected.
    Also, do not execute software that is downloaded
    from the Internet unless it has been scanned for
    viruses. Simply visiting a compromised Web site
    can cause infection if certain browser
    vulnerabilities are not patched.

24
Education Misinformation
  • SQL Slammer infected through MSDE 2000, a
    lightweight version of SQL Server installed as
    part of many applications from Microsoft (e.g.
    Visio) as well as 3rd parties.
  • CodeRed infected primarily desktops from people
    who didn't know that the "personal" version of
    IIS was installed.
  • Educate programmers and future programmers of the
    importance of checking for buffer overflows.

25
Conclusions
  • Every organization MUST have a security policy
  • Acceptable use statements
  • Password policy
  • Training / Education
  • Conduct a risk analysis to create a baseline for
    the organization's security
  • Create a cross-functional security team
  • You are the weakest link

26
Bibliography
  • Does Cyberterrorism Pose a True Threat? -
    http://www.pcworld.com/resource/printable/article/0,aid,109819,00.asp
  • Network Security Best Practices -
    http://www.computerworld.com/printthis/2003/0,4814,77625,00.html
  • Practical Patching -
    http://www.infosecuritymag.com/2003/mar/justthebasics.shtml
  • Symantec Offers Early Warning of Net Threats -
    http://www.pcworld.com/news/article/0,aid,109322,00.asp
  • The Art of Deception - Kevin Mitnick