Module F

1
(No Transcript)
2
Information Assurance vulnerabilities, threats,
and controls

• Dr. Wayne Summers
• Department of Computer Science
• Columbus State University
• Summers_wayne_at_colstate.edu
• http//csc.colstate.edu/summers

3
Sapphire / SQL Slammer

• Beginning Saturday, January 25 at approximately
  1230 a.m. EST, a distributed denial-of-service
  attack spread rapidly throughout the global
  Internet. Within 10 minutes, most of the
  vulnerable hosts on the Internet were infected.
  By morning, Bank of America customers could not
  withdraw money from 13,000 ATMs. Continental
  Airlines Web site was offline Normally heavy
  Internet trading on the South Korean stock market
  vanished.
• Sapphire is a 376-byte worm that infects
  Microsoft SQL Server 2000 hosts via the SQL
  Resolution Service running on UDP port 1434. The
  worm does no damage to the infected machine.

4
Information Assurance

• Introduction
• Vulnerabilities
• Threats
• Controls
• Conclusions

5
Computer Security

• the protection of the computer resources against
  accidental or intentional disclosure of
  confidential data, unlawful modification of data
  or programs, the destruction of data, software or
  hardware, and the denial of one's own computer
  facilities irrespective of the method together
  with such criminal activities including computer
  related fraud and blackmail. Palmer

6
Goals

• confidentiality - limiting who can access assets
  of a computer system.
• integrity - limiting who can modify assets of a
  computer system.
• availability - allowing authorized users access
  to assets.

7
Definitions

• vulnerability - weakness in the security system
  that might be exploited to cause a loss or harm.
• threats - circumstances that have the potential
  to cause loss or harm. Threats typically exploit
  vulnerabilities.
• control - protective measure that reduces a
  vulnerability or minimize the threat.

8
CERT list of Current Activity

• Buffer overflow in ntdll.dll
• Windows shares (null/weak passwords worm
  W32.Deloder)
• Buffer overflow in sendmail
• SQL Server Worm (SQL Slammer) / weak passwords in
  SQL Server Microsoft Data Engine
• Buffer overflow in Samba
• Vulnerabilities in SIP
• SSH Vulnerabilities
• Buffer overflow in Windows Shell
• CVS (Concurrent Versions System) Server
• Buffer overflow in Windows Locator Service

9
Vulnerabilities reported

• 1995-1999
• 2000-2002
• In 2002 over 80 vulnerabilities in IE patched
  over 30 remain
• April 02, Security News Portal 75 of all web
  servers running MS IIS 5.0 are vulnerable to
  exploitation.

10
Common Vulnerabilities and Exposures

• CVE Report (http//cve.mitre.org/) has 480 pages
  of certified vulnerabilities and exposures and
  853 pages of candidates for consideration ranging
  from buffer overflows and denial of service
  attacks to bugs in software
• Microsoft Outlook 2000 and 2002, when configured
  to use Microsoft Word as the email editor, does
  not block scripts that are used while editing
  email messages in HTML or Rich Text Format (RTF),
  which could allow remote attackers to execute
  arbitrary scripts via an email that the user
  forwards or replies to.

11
Vulnerabilities

• Todays complex Internet networks cannot be made
  watertight. A system administrator has to get
  everything right all the time a hacker only has
  to find one small hole. A sysadmin has to be
  lucky all of the time a hacker only has to get
  lucky once. It is easier to destroy than to
  create.
• Robert Graham, lead architect of Internet
  Security Systems

12
Types of Threats

• interception - some unauthorized party has gained
  access to an asset.
• modification - some unauthorized party tampers
  with an asset.
• fabrication - some unauthorized party might
  fabricate counterfeit objects for a computer
  system.
• interruption - asset of system becomes lost or
  unavailable or unusable.

13
2002 Computer Crime and Security Survey CSI/FBI
Report

• Ninety percent of respondents detected computer
  security breaches within the last twelve months.
• Eighty percent acknowledged financial losses due
  to computer breaches.
• Forty-four percent (223 respondents) were willing
  and/or able to quantify their financial losses.
  These 223 respondents reported 455,848,000 in
  financial losses.
• For the fifth year in a row, more respondents
  (74) cited their Internet connection as a
  frequent point of attack than cited their
  internal systems as a frequent point of attack
  (33).
• Thirty-four percent reported the intrusions to
  law enforcement. (In 1996, only 16 acknowledged
  reporting intrusions to law enforcement.)

14
Recent News

• 20 increase in number of attacks on corporate
  networks in the second half of 2002. (Symantec)
• 45 billion worldwide spending on IT security
  products and services by 2006. (IDC)
• The Internet Risk Impact Summary Report cites an
  84 percent increase in "suspicious activities"
  such as automatic probing. The number of new
  worms and hybrids grew seven-fold to 752,
  compared to 101 in the fourth quarter of 2002.
  (Internet Security Systems (ISS))
• Inundated with a persistent stream of new and
  recurring viruses and worms, nearly
  three-quarters of the 306 respondents say the
  virus problem is getting worse, especially in
  terms of money and resources spent to combat and
  recover from infections.

15
Cyberterrorism

• Cyberterrrorism is largely overblown. Bruce
  Schneier, founder and CTo Counterpane Internet
  Security
• Critical systems dont run on the Internet, they
  are based on secure networks, we have protected
  our systems and do not rely on the Internet
  Rainer Fahs, Senior InfoSec Engineer NATO.

16
Malware and other Threats

• Viruses / Worms
• 1987-1995 boot program infectors
• 1995-1999 Macro viruses (Concept)
• 1999-2003 self/mass-mailing worms (Melissa-Klez)
• 2001-??? Megaworms (Code Red, Nimda, SQL
  Slammer, Slapper)
• Trojan Horses
• Remote Access Trojans (Back Orifice)
• Most Threats use Buffer Overflow vulnerabilities

17
Social Engineering

• we have met the enemy and they are us - POGO
• Social Engineering getting people to do things
  that they wouldnt ordinarily do for a stranger
  The Art of Deception, Kevin Mitnick

18
Controls

• Reduce and contain the risk of security breaches
• Security is not a product, its a process
  Bruce Schneier Using any security product
  without understanding what it does, and does not,
  protect against is a recipe for disaster.

19
Defense in Depth

• Antivirus
• Firewall
• Intrusion Detection Systems
• Intrusion Protection Systems
• Vulnerability Analyzers
• Authentication Techniques (passwords, biometric
  controls)
• BACKUP

20
Default-Deny Posture

• Configure all perimeter firewalls and routers to
  block all protocols except those expressly
  permitted.
• Configure all internal routers to block all
  unnecessary traffic between internal network
  segments, remote VPN connections, and business
  partner links.
• Harden servers and workstations to run only
  necessary services and applications.
• Organize networks into logical compartmental
  segments that only have necessary services and
  communications with the rest of the enterprise.
• Patch servers and applications on a routine
  schedule.

21
Practical Patches

• Develop an up-to-date inventory of all production
  systems.
• Standardize production systems to same version of
  OS and application software.
• Compare reported vulnerabilities against your
  inventory/control list.
• Classify the risk (severity of threat, level of
  vulnerability, cost of mitigation and recovery)
• Apply the patch

22
New Types of Controls

• Threat Management System - early-warning system
  that uses a worldwide network of firewall and
  intrusion-detection systems to aggregate and
  correlate attack data.
• Vulnerability Assessment Scanner - penetration
  testing and security audit scanner that locates
  and assesses the security strength of databases
  and applications within your network.

23
Symantec "best practices"

• Turn off and remove unneeded services.
• If a blended threat exploits one or more network
  services, disable, or block access to, those
  services until a patch is applied.
• Always keep your patch levels up-to-date.
• Enforce a password policy.
• Configure your email server to block or remove
  email that contains file attachments that are
  commonly used to spread viruses.
• Isolate infected computers quickly to prevent
  further compromising your organization.
• Do not open attachments unless they are expected.
  Also, do not execute software that is downloaded
  from the Internet unless it has been scanned for
  viruses. Simply visiting a compromised Web site
  can cause infection if certain browser
  vulnerabilities are not patched.

24
Education Misinformation

• SQL Slammer infected through MSDE 2000, a
  lightweight version of SQL Server installed as
  part of many applications from Microsoft (e.g.
  Visio) as well as 3rd parties.
• CodeRed infected primarily desktops from people
  who didn't know that the "personal" version of
  IIS was installed.
• Educate programmers and future programmers of the
  importance of checking for buffer overflows.

25
Conclusions

• Every organization MUST have a security policy
• Acceptable use statements
• Password policy
• Training / Education
• Conduct a risk analysis to create a baseline for
  the organizations security
• Create a cross-functional security team
• You are the weakest link

26
Bibliography

• Does Cyberterrorism Pose a True Threat? -
  http//www.pcworld.com/resource/printable/article/
  0,aid,109819,00.asp
• Network Security Best Practices -
  http//www.computerworld.com/printthis/2003/0,4814
  ,77625,00.html
• Practical Patching - http//www.infosecuritymag.co
  m/2003/mar/justthebasics.shtml
• Symantec Offers Early Warning of Net Threats -
  http//www.pcworld.com/news/article/0,aid,109322,0
  0.asp
• The Art of Deception Kevin Mitnick