Title: Host Based Security
1. Host Based Security
- John Scrimsher, CISSP
- jps_at_hp.com
2. Virus Control
3. Why Host Security?
- Defense in Depth
- Threat management
  - Identification
  - Assessment
  - Response / Containment
- Incident Management
  - Coordination of efforts
  - Damage Control
  - Public Relations
4. Why Host Based Security?
- Perimeter Security vs. Host Based
[Chart: Perimeter Security vs. Host Based; values shown on the slide are 66 and 34]
5. Why Host Based Security?
- Threat management: Identification
  - Malware
  - Internal Threats
  - Employee Theft
  - Unpatched systems
6. What is Malware?
- Anything that you would not want deliberately installed on your computer.
  - Viruses
  - Worms
  - Trojans
  - Spyware
  - More
7. Where are the threats? (Threat management: Assessment)
- Un-patched Computers
- Email
- Network File Shares
- Internet Downloads
- Social Engineering
- Blended Threats
- Hoaxes / Chain Letters
8. Phishing
- Email messages sent to large distribution lists.
- Disguised as legitimate businesses
- Steal personal information
9. Identity Theft
- Since viruses can be used to steal personal data, that data can be used to steal your identity.
  - Phishing
  - Keystroke loggers
  - Trojans
  - Spyware
10. Now, what do we do about it? (Threat Management: Containment)
- C.I.A. Security Model
  - Confidentiality
  - Integrity
  - Availability
- Current Solutions
  - Antivirus / AntiSpyware
  - Personal Firewall / IDS / IPS
  - User Education
11. Current Security View
12. Red Pill / Blue Pill
13. How do these products help?
- Host Firewall / IPS blocks many unknown and known threats
14. How do these products help?
- Antivirus captures threats that use common access methods
  - Web Downloads
  - Email
  - Application Attacks (Buffer Overflow)
VBSim demo
15. Social Engineering
- 70 percent of those asked said they would reveal their computer passwords for a bar of chocolate.
Schrage, Michael. 2005. Retrieved from http://www.technologyreview.com/articles/05/03/issue/review_password.asp?p1
16. Educated Users Help
- "The biggest threat to the security of a company is not a computer virus, an unpatched hole in a key program or a badly installed firewall. In fact, the biggest threat could be you. What I found personally to be true was that it's easier to manipulate people rather than technology. Most of the time organizations overlook that human element."
Mitnick, Kevin. How to Hack People. BBC News Online, October 14, 2002.
17. How do these products help?
- User Education
  - Don't open suspicious email.
  - Don't download software from untrusted sites.
  - Patch
18. Things to look for
- Unusually high number of network connections (netstat -a)
- CPU Utilization
- Unexpected modifications to the registry Run section
- Higher than normal disk activity
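Two of the indicators on this slide, a burst of outbound connections and unexpected Run-key changes, can be checked against a baseline; the script below is an added example, not part of the presentation, and the netstat text, Run-key entries, and the half-open threshold are constructed or assumed values.

```python
"""Host checks for the indicators on the slide above: a burst of outbound connections
and changes to the registry Run key. Added example, not from the presentation; the
netstat text, Run-key entries and thresholds are constructed/assumed sample values."""
import re
from collections import Counter

# Constructed `netstat -an` output in Windows format (not captured from a real host).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49152       198.51.100.5:443       ESTABLISHED
  TCP    192.0.2.10:49153       203.0.113.7:445        SYN_SENT
  TCP    192.0.2.10:49154       203.0.113.8:445        SYN_SENT
  TCP    192.0.2.10:49155       203.0.113.9:445        SYN_SENT
  TCP    192.0.2.10:49156       203.0.113.10:445       SYN_SENT
  UDP    0.0.0.0:137            *:*
"""

# Constructed baseline and current export of HKLM\...\CurrentVersion\Run values.
RUN_BASELINE = {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"}
RUN_CURRENT = {
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "svchosts": r"C:\Users\Public\svchosts.exe",  # constructed suspicious entry
}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return (proto, local, remote, state) tuples; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3), m.group(4) or ""))
    return rows

def connection_findings(rows, max_half_open=3):
    """Flag many half-open (SYN_SENT) connections, typical of a worm probing one port."""
    half_open = [r for r in rows if r[3] == "SYN_SENT"]
    if len(half_open) <= max_half_open:
        return []
    port = Counter(r[2].rsplit(":", 1)[1] for r in half_open).most_common(1)[0][0]
    return [f"{len(half_open)} half-open connections, mostly to port {port}"]

def run_key_findings(baseline, current):
    """Flag Run values that were added or changed since the baseline was taken."""
    return [f"Run value {name!r} -> {path}" for name, path in current.items()
            if baseline.get(name) != path]
```

On a real host the baseline would be an export taken when the machine was known-good, and the threshold tuned to what the machine normally does.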
19. Open Source
- Shared information
- Business Models
- Is it more secure?
  - Development model
  - Security reviewers tend to be the same people doing the proprietary reviews
- Value in education
- Lots of good security tools
20. Open Source - Browsers
- Firefox vs. Internet Explorer
- Vulnerabilities reported in 2005
  - Internet Explorer
    - SecurityFocus: 43
    - Secunia Research: 9
    - Symantec: 13
  - Firefox
    - SecurityFocus: 43
    - Secunia Research: 17
    - Symantec: 21
- What about shared vulnerabilities? Plugins, WMF images
21. What is Management's role?
- Management ties everything together
  - Responsibility
  - Ownership
- Security is a Mindset, not a service. It must be a part of all decisions and implementations.
22. What is Management's Role?
- Compliance Monitoring
- Policy Enforcement
- Damage Control / Public Relations
23. Management's Role
- Compliance Monitoring
  - Keep aware of security posture
  - Legal requirements
  - Company policies
  - Performance metrics
24. Management's Role
- Policy Enforcement
  - Pro-actively address issues
  - Re-active contingency plans
  - Network access controls
25. Management's Role
- Damage Control
  - Do you tell customers?
  - What about the media?
  - How soon to go public with results?
  - What does it cost to respond?
26. Legal Issues
- Many countries are still developing laws
- Privacy Laws can prevent some investigation
- Regulatory Compliance
- Organized Crime
27. Regulatory Issues
- Sarbanes-Oxley Act (2002)
- Gramm-Leach-Bliley Act (1999)
- Health Insurance Portability and Accountability Act (1996)
- Electronic Communications Privacy Act (1986)
28. Notable Legal History
- Robert Morris Jr. - WANK worm. First internet worm ever created, set loose by accident across the internet.
- Randal Schwartz - hacked into Intel claiming he was trying to point out weaknesses in their security.
- David Smith - Melissa. First known use of the mass-mailing technique used in a malicious manner. Some jail time.
- OnTheFly, The Netherlands - Anna virus using a worm generator tool. The writer was a youth who was remorseful but little was done to punish him.
- Philippines - Loveletter. No jail time because there were no laws.
- Jeffrey Lee Parson (2005) - 18 months in prison for a variant of the Blaster worm.
29. Organized Crime
30. Kaspersky Quote
- "It's hard to imagine a more ridiculous situation: a handful of virus writers are playing unpunished with the Internet, and not one member of the Internet community can take decisive action to stop this lawlessness.
- The problem is that the current architecture of the Internet is completely inconsistent with information security. The Internet community needs to accept mandatory user identification - something similar to driving licenses or passports.
- We must have effective methods for identifying and prosecuting cyber criminals or we may end up losing the Internet as a viable resource."
- Eugene Kaspersky, Head of Antivirus Research
31. On the Horizon - Microsoft
- House on the hill
- Targeted because they are Big?
- Insecure because they are Big?
32. On the Horizon
- Network Access Controls
- Early Detection and Preventative Tools
- Virus Throttle
- Active CounterMeasures
- WAVE
- Anomaly Detection
- Viral Patching
33. On the Horizon
- Viral Targets
  - Mobile Phones, PDAs
  - Embedded Operating Systems
  - Automobiles
  - Sewing Machines
  - Bank Machines
  - Kitchen Appliances
34. On the Horizon
- Octopus worms
  - Multiple components working together
- Warhol Worms
  - MSBlaster was proof of capability
- Designer Worms
  - Target specific attacks
- Virus Sharing Clubs (VSCs)
35. Learn Learn Learn
- Authors
  - Sarah Gordon
  - Peter Szor
  - Roger Grimes
  - Kris Kaspersky
- Search your library or online
36. Questions?
37. Resources
- http://www.pcworld.com/news/article/0,aid,116163,00.asp
- http://www.detnews.com/2003/technology/0309/03/technology-258376.htm
- http://www.sans.org/rr/whitepapers/engineering/1232.php
- http://www.research.ibm.com/antivirus/SciPapers/Gordon/Avenger.html