The Changing Threat PLENA
Curtis L. Blais CCNA, CCNP, GCIA, GCFW, WCSP, CISSP
National Practice Manager, Enterprise Security Consulting
TELUS, Solutions Consulting
[email protected]
June 2005
Overview
Contents
1. What's going on in security?
   Statistics
   Who's Attacking and Why
2. What has changed?
   Threat
   Perimeter
3. Legislation
4. Planning Security
   Management
   Technology
   Sustainment
5. Musings & Examples
Statistics
Recent Statistics
According to a 2004 E-Crime Watch Survey:*
- 70% of enterprises surveyed reported at least 1 e-crime or intrusion in 2003
- 43% reported an increase over the previous year
- 56% reported operational losses
- 25% reported financial losses
- 32% do not track losses due to e-crimes or intrusions
- 41% do not have a formal plan for reporting and responding to e-crimes
- Many companies still seem unwilling to report e-crime for fear of damaging their reputation
* Sponsored by CSO magazine, the US Secret Service and the CERT Coordination Centre
Attacks on the Rise
The number of security incidents is increasing exponentially
85% of the incidents reported to CERT* since 1988 have occurred in the last 3 years and the trend is expected to continue.
* CERT = Computer Emergency Response Team
[Chart: Incidents reported to CERT per year, 1988-2003]
1988: 6
1989: 132
1990: 252
1991: 406
1992: 773
1993: 1334
1994: 2340
1995: 2412
1996: 2573
1997: 2134
1998: 3734
1999: 9859
2000: 21756
2001: 52658
2002: 82094
2003: 137529
Attacks on the Rise
Platform                   # of Updates & Vulnerabilities
Windows                    1
Third Party Windows Apps   13
Linux                      3
HP-UX                      1
Unix                       5
Novell                     1
Cross Platform             12
Web Application            74
Over 100 vulnerabilities for the week
Windows Vulnerability = MySQL MaxDB Administrative Server Buffer Overflows. An exploit was circulating within ONE DAY of discovery.
* SANS Vulnerability Alert - April 28, 2005 - Vol. 4. Week 17
Attacks on the Rise
Apple Patches Twenty Vulnerabilities in OS X 10.3.9*
Severity: Medium
3 May, 2005
Summary:
Today, Apple released security updates for OS X 10.3.9, fixing twenty security issues in software packages that ship as part of OS X, including Apache Web server, AppleScript and sudo. A remote attacker exploiting the worst of these security issues could execute arbitrary code, possibly gaining full control of your OS X machine. If you manage OS X machines, you should download, test and install Apple's security update as soon as possible.
* WatchGuard Live Security Update - May 3, 2005
Attacks on the Rise
A scan of more than 35,300 systems across more than 18,000 companies to date shows that in the first three months of 2005:
- At least one form of unwanted program [Trojan, system monitor, cookie or adware] was present in 87% of PCs.
- Excluding cookies, the other forms of spyware were present in more than 55% of corporate PCs.
- Adware was present on 53% of machines scanned within the enterprise.
- The presence of Trojan horses within enterprises was "surprisingly high" at 7%, accounting for an average of 1.3 infections per PC.
Report from Webroot Software released May 4, 2005
Who is Attacking and Why?
Who's Attacking and Why?
Attacks can come from a variety of sources, ranging from:
- hackers
- script kiddies
- disgruntled employees
- industrial spies
- terrorists
- organized crime
Who's Attacking and Why?
The motives are just as varied:
- money, profit
- access to additional resources
- competitive advantage
- economic
- political
- grievance
- vengeance
- curiosity
- mischief
- attention
Myth: "We don't do anything that makes us a target for attack."
Why do you need to be a specific target? This assumes that the attacker needs a reason that makes sense to you. In fact most don't: they attack because they can and because you are vulnerable.
There is no single motivation for attacking a network.
Who's Attacking and Why?
"There are groups of people out there that are targeting businesses. We're seeing an increase in that more now because a lot of the Eastern European hacker groups have determined that you can make money from gaining access to computers. And it's all about money now. It used to be about access, but now the entire scope of the way we do things has changed."*
*Interview with Mr. Dave Thomas, chief of the FBI's Computer Intrusion Section
Who's Attacking and Why?
Imam Samudra
Aliases: Fatih, Fat, Kudama, Abdul Aziz, Abu Umar and Heri
Age: 35
Employment: Computer expert
Role: Named by police as coordinator of the October 12, 2002 Bali nightclub bombing attack that killed over 200 people. He decided where to place the bombs and he also chaired meetings to plan the bombings.
Verdict: Guilty - awaiting death by firing squad in an Indonesian prison
Who's Attacking and Why?
Published a jailhouse autobiography that contains virulent justifications for the Bali attacks. Tucked into the back of the 280-page book is a chapter of an entirely different cast, titled "Hacking, Why Not?" Samudra urges fellow Muslim radicals to take the holy war into cyberspace by attacking computers, with the particular aim of committing credit card fraud, called "carding."
What has changed?
Increasing Opportunities for Attacks
- Rapid adoption of computer and network technology
- Explosion of e-commerce capabilities over the Internet
- Thousands of exploitable vulnerabilities in technology
- Lack of awareness regarding information security
- Shortage of qualified system and network administrators and information security staff
- Lack of coordinated effort within large organizations to protect, detect, analyze, and respond to computer security events
The Changing Nature of the Threat
The Intruder perspective:
- Intruders are increasingly better prepared and more organized
- Intruder tools are:
  - increasingly more sophisticated
  - easy to use, especially by novice intruders
  - designed to support large-scale attacks
- Internet attacks are perceived as easy, low risk, and hard to trace:
  - intruders often compromise a series of remote systems, making it difficult to trace their activities
The Changing Nature of the Threat
- Source code is not required to find vulnerabilities
- Intruders are leveraging the availability of broadband connections
  - collections of compromised home computers prove to be serious weapons
The Changing Nature of the Threat, contd
Organizational Perspective:
- IT is critical infrastructure
- Increasingly reliant upon the Internet and connectivity for operations
- Insufficient security resources & training
- System and network administrators not prepared
- Employees are heavily burdened with their everyday initiatives (lack of dedicated security individuals)
The Changing Nature of the Threat, contd
"Mobile viruses, phishing, and exploited vulnerabilities are quickly becoming the predominant threats affecting consumers and enterprises alike."*
"A steady increase in Trojans and BOTs while mass mailer viruses taper off."*
A bot is a malicious program that joins a specific IRC channel on an IRC server and waits there for further commands. This allows an attacker to remotely control it for fun and also for profit. Attackers even go a step further and bring different bots together. Such a structure, consisting of many compromised machines which can be managed from an IRC channel, is called a botnet.
* McAfee AVERT Report on Top Threats for first quarter 2005 released April 25, 2005
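The IRC rendezvous described above is also what gives a defender a detection handle: a handful of people may chat on IRC, but many internal hosts joining the same channel on the same outside server within minutes is the fan-in signature of a botnet waiting for commands. The following is an added example, not part of the original presentation. It assumes a constructed connection-log format ("time src_ip dst_ip:dst_port first-payload-line") that a network sensor might emit, and reports channels whose fan-in exceeds a threshold.

```python
"""Flag internal hosts that look like members of an IRC-controlled botnet.

Added example, not from the original presentation. Log format (constructed):
    <time> <src_ip> <dst_ip>:<dst_port> <first line of payload>
Many internal hosts issuing JOIN for the same channel on the same external
server is the fan-in pattern a botnet produces.
"""
import re
from collections import defaultdict

# Constructed sample traffic records (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2005-05-03T10:01:02 10.1.1.5 198.51.100.7:6667 JOIN #x-sales-team
2005-05-03T10:01:07 10.1.1.9 198.51.100.7:6667 JOIN #x-sales-team
2005-05-03T10:01:11 10.1.2.14 198.51.100.7:6667 JOIN #x-sales-team
2005-05-03T10:01:19 10.1.3.2 198.51.100.7:6667 JOIN #x-sales-team
2005-05-03T10:02:00 10.1.1.7 203.0.113.9:6667 JOIN #linux-help
2005-05-03T10:03:44 10.1.1.5 192.0.2.80:80 GET /index.html
2005-05-03T10:04:01 10.1.4.3 198.51.100.7:6667 NICK worker-4421
"""

# Ports conventionally used by IRC servers; extend for your environment.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<payload>.*)$"
)
JOIN_RE = re.compile(r"^JOIN\s+(?P<chan>#\S+)", re.IGNORECASE)


def parse_records(text):
    """Parse log text into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            records.append(rec)
    return records


def irc_channel_fanin(records):
    """Map (server_ip, channel) -> set of internal hosts that joined that channel."""
    fanin = defaultdict(set)
    for rec in records:
        if rec["port"] not in IRC_PORTS:
            continue
        j = JOIN_RE.match(rec["payload"])
        if j:
            fanin[(rec["dst"], j.group("chan").lower())].add(rec["src"])
    return fanin


def suspected_botnets(records, min_hosts=3):
    """Return [(server_ip, channel, sorted hosts)] for channels with fan-in >= min_hosts."""
    out = []
    for (server, chan), hosts in irc_channel_fanin(records).items():
        if len(hosts) >= min_hosts:
            out.append((server, chan, sorted(hosts)))
    return sorted(out)


if __name__ == "__main__":
    for server, chan, hosts in suspected_botnets(parse_records(SAMPLE_LOG)):
        print(f"{len(hosts)} internal hosts joined {chan} on {server}: {', '.join(hosts)}")
```

The threshold is the tuning knob: a legitimate channel with two or three staff members should not page anyone, whereas four desktops in different subnets joining the same channel within twenty seconds deserves a look, and the host list tells the responder exactly where to start.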
The Changing Nature of the Threat, contd
Electronic Social Engineering
Pharming -- a new technique for Internet fraud
Hackers appear to have an increasing interest in reaping financial reward from their actions and creations. If, until now, phishing -- using e-mails to lure users into entering data into spoofed online banking Web sites -- was one of the most widespread fraud techniques, pharming now poses an even greater threat. Pharming consists of modifying the name resolution system, so that when users think they are accessing their bank's Web page, they are actually accessing the IP address of a spoofed site.
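Because pharming tampers with name resolution rather than with the user, the check belongs on the resolution path: compare what a machine would actually resolve (the hosts file is consulted before DNS, so a poisoned entry there wins) against the address ranges the institution is known to use. The following is an added example and not part of the original presentation; the hosts file content, resolver answers and pinned ranges are all constructed samples using RFC 5737 documentation addresses and the reserved .test domain.

```python
"""Detect pharming-style tampering with name resolution.

Added example, not from the original presentation. A pinned set of known-good
address ranges is compared with the effective resolution of each name, where
a hosts-file entry overrides the recursive resolver. All data is constructed.
"""
import ipaddress

# Constructed: address ranges the institution is known to use for these names.
PINNED = {
    "www.examplebank.test": [ipaddress.ip_network("192.0.2.0/24")],
    "online.examplebank.test": [ipaddress.ip_network("192.0.2.0/24")],
}

# Constructed hosts file as malware might leave it: the bank names are redirected.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
198.51.100.23   online.examplebank.test
198.51.100.23   www.examplebank.test   # added by an "update"
"""

# Constructed answers from the configured recursive resolver; one is hijacked.
SAMPLE_RESOLVER = {
    "www.examplebank.test": "192.0.2.10",
    "online.examplebank.test": "203.0.113.77",
}


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text; comments ignored, later lines win."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def effective_resolution(hosts_map, resolver_answers, name):
    """Return (ip, source): the hosts file is consulted before DNS on most systems."""
    if name in hosts_map:
        return hosts_map[name], "hosts"
    if name in resolver_answers:
        return resolver_answers[name], "dns"
    return None, None


def find_pharming(hosts_map, resolver_answers, pinned=PINNED):
    """Return [(name, ip, source)] for pinned names that resolve outside their known ranges."""
    findings = []
    for name, networks in pinned.items():
        ip, source = effective_resolution(hosts_map, resolver_answers, name)
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in networks):
            findings.append((name, ip, source))
    return sorted(findings)


if __name__ == "__main__":
    for name, ip, source in find_pharming(parse_hosts(SAMPLE_HOSTS), SAMPLE_RESOLVER):
        print(f"{name} -> {ip} (via {source}) is outside the pinned ranges")
```

Running it with the poisoned hosts file flags both bank names via "hosts"; running it with a clean hosts file still flags the online banking name, this time via "dns", which is the signature of a hijacked resolver rather than a compromised endpoint. Either way the user typed the right URL, which is why pharming is harder to spot than phishing.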
The Perimeter has changed
What was the traditional perimeter no longer exists. Firewalls alone are no longer adequate - threats can come in many forms and attack from multiple areas in the network.
The Perimeter has changed
[Diagram: Modem Bank]
The Perimeter has changed
Today's networks require layered solutions to receive complete protection. The cost of recovery is far greater than the cost of being prepared. Security must be considered in terms of daily operations, not just as a distant threat that may happen once or twice a year.
In 1882, fire sprinklers were considered to be as dubious an investment as information security is today.
Effects of an Attack
- Loss of service through denial-of-service
- Unauthorized use or misuse of computing systems
  - access private data
  - to launch attacks against others
- Loss / alteration / compromise of data or software
- Monetary / financial loss
- Operational downtime
In addition, intangible assets are at risk:
- Brand reputation
- Client and partner trust
- Stock value
- Constituent trust
Is Your Organization Prepared?
Consider these questions:
- What is the impact to the organization if the network is unavailable for an hour? a day? a week?
- What is the cost due to loss of productivity?
- How much revenue will be lost?
- What is the impact to the users/constituents?
- Do you have the plans, resources and skills in place to recover from an attack?
Legislation
Legislation
You are now liable by Federal/Provincial legislation for personal information captured during day-to-day operations
http://www.oipc.ab.ca/pipa/ (Alberta)
http://www.mser.gov.bc.ca/privacyaccess/Privacy/OIPC_links.htm (BC)
http://www.privcom.gc.ca/legislation/02_06_01_e.asp (Federal)
Need to safeguard personal information, comply with legislation, mitigate liability
Legislation
Consider:
- Am I familiar with the legislation?
- Do I know if my organization is compliant?
- What are the risks to the information?
- Do I really need all this information?
- What specifically is in place to protect personal information?
Legislation
4.1.1 An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance.
4.1.4 Organizations shall implement policies and practices to give effect to the principles, including
4.7.1 The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.
Legislation
10 principles of the act:
1. Comply with all 10 Principles
2. Identifying the purposes for collecting personal information
3. Informing individuals, in a way they will understand, of the purposes for the collection, use or disclosure of personal information
4. Limiting collection to only the information necessary under the purposes defined
5. Safely disposing of information that no longer fulfills the intended purpose
Legislation
6. Keeping information accurate
7. Safeguarding the information from unauthorized access, disclosure or copying
8. Informing customers, clients and employees of the corporate policies and practices for the management of personal information
9. Providing access to an individual's personal information when legally requested
10. Developing simple and easily accessible complaint procedures and follow-on enforcement
Note: The Officers of the organization are the ones who will be held culpable in the event of a privacy breach
Other Legislation
HIPAA: US legislation for national standards to protect health care information
Sarbanes-Oxley (SOX): US legislation around financials and accounting disclosure
Gramm-Leach-Bliley (GLB) Act: US legislation on disclosure of nonpublic personal information
Critical support for the Markey Amendment came from Congressman Joe Barton (R-TX). Congressman Barton noted that he started receiving Victoria's Secret catalogs at his Washington home. This was troubling: he didn't want his wife thinking that he bought lingerie for women in Washington, or that he spent his time browsing through such material. It seems that the Congressman's credit union had sold his address to Victoria's Secret.
Planning Security
Management: Assess & Plan
- Policy development
- Identify gaps / vulnerabilities
- Identify acceptable risk
- What solutions are in place
- Determine review period
- Establish testing cycle
- Decide on Managed vs Unmanaged
- Develop Security Architecture
- Identify/Secure Budget (ROI)
Performed with the Business Objectives of the organization in mind
Technology: Implementation
Are all the key risk areas protected:
- Email / virus / SPAM
- Web / java scripts / Active X
- Authentication
- Remote access
- Wireless
Enforcement of Decisions made in Management Step
- Perimeter (firewall/IDS/Content)
- Internal (Policy Monitoring)
- Deployed Security Architecture
Sustainment
- Verify solution maintenance
- Validate solution is meeting the identified need
- Ensure partnerships managed properly
- Identify process gaps
- Monitoring / logging / reporting
- Feedback loop to planning process
- Assure continued training
- Technology review (upgrade required?)
- In case of incident: actual steps to recover
Sustainment
Ecosecurity System
Musings & Examples
Other Items
Security Consulting is like a 12 step program
Step 1 Admit you need help
Receiving security assistance does not demonstrate weakness
- Allows for the identification and remediation of potentially harmful vulnerabilities
- Provides for a third-party view of the security position
An analogous example from the accounting world: would you believe an organization's financial report if it never allowed an external auditor to review its financial statements?
Examples
Big Bad Holes
- Large international organization
- Performed a Perimeter Assessment
- Found some interesting lines in the firewall configuration
Wireless Gone Bad
- Government organization
- Dealing with financial matters
- Interesting device found in a partner's office...
DDoS Testing
Intruder Alert
Examples
Raw Data from Capture File
1
0050: 20 56 49 53 41 20 20 53 34 35 31 30 31 35 38 31 | VISA S45101581
0060: 30 30 35 34 36 38 31 32 20 20 48 4f 46 46 4d 41 | 0054XXXX HOFFMA
0070: 4e 2f 41 4d 42 45 52 20 20 30 39 30 35 20 20 20 | N/AMBER 0905
2
0050: 20 4d 43 20 20 20 20 53 35 35 32 35 32 32 30 30 | MC S55252200
0060: 30 30 31 31 32 33 32 35 20 20 55 4e 49 43 48 2f | 0011XXXX UNICH/
0070: 42 52 55 43 45 20 20 20 20 31 30 30 33 20 20 20 | BRUCE 1003
3
0050: 20 41 4d 58 20 20 20 53 33 37 33 35 38 39 34 32 | AMX S37358942
0060: 35 34 39 31 30 30 39 20 20 20 52 4f 53 53 49 47 | 549XXXX ROSSIG
0070: 4e 4f 4c 2f 4a 46 20 20 20 30 34 30 35 20 20 20 | NOL/JF 0405
4
0050: 20 45 4e 52 4f 55 54 53 33 36 33 33 30 34 39 35 | ENROUTS36330495
0060: 33 37 30 30 31 36 20 20 20 20 42 45 53 54 2f 44 | 37XXXX BEST/D
0070: 45 52 45 4b 20 20 20 20 20 30 35 30 35 20 20 20 | EREK 0505
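The capture above makes the "Intruder Alert" point: card type, account number, cardholder name and expiry crossing the wire in cleartext, readable by anyone positioned on the path. The same evidence can be produced on purpose by the defender, by running captured payloads through a scanner that looks for digit runs that pass the Luhn check that all payment card numbers satisfy. The following is an added example, not part of the original presentation; it renders and parses the same "offset: hex | ascii" dump layout seen above, and its payload is constructed from publicly documented test card numbers rather than any real account.

```python
"""Scan captured payload bytes for cleartext primary account numbers (PANs).

Added example, not from the original presentation. The dump layout
("offset: hex bytes | ascii") mirrors the capture on the slide; the payload
is constructed and uses documented test card numbers, not real accounts.
"""
import re


def luhn_valid(digits):
    """Luhn checksum over a string of decimal digits (every PAN passes this)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def format_hexdump(data, base=0x50, width=16):
    """Render bytes as 'offset: hex bytes | ascii' lines like the capture above."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base + off:04x}: {hexpart:<{width * 3 - 1}} | {asc}")
    return "\n".join(lines)


# Offset, a run of hex byte pairs, then the '|' that starts the ascii column.
HEX_LINE_RE = re.compile(r"^\s*[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{2}\s+)*[0-9a-fA-F]{2})\s*\|")


def parse_hexdump(text):
    """Recover raw bytes from dump lines; the ascii column is ignored, other lines skipped."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE_RE.match(line)
        if m:
            out.extend(bytes.fromhex(m.group(1).replace(" ", "")))
    return bytes(out)


# 13 to 19 consecutive digits not embedded in a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def find_pans(data):
    """Return masked PANs (first 6 and last 4 kept) for Luhn-valid digit runs in data."""
    found = []
    for m in PAN_RE.finditer(data):
        digits = m.group(1).decode("ascii")
        if luhn_valid(digits):
            found.append(digits[:6] + "X" * (len(digits) - 10) + digits[-4:])
    return found


# Constructed payload: two documented test PANs plus a 16-digit reference
# number that fails the Luhn check and must not be reported.
SAMPLE_PAYLOAD = (
    b" VISA  S4111111111111111  TEST/CARDHOLDER  0905   "
    b" MC    S5555555555554444  TEST/SECOND      1003   "
    b" REF   1234567890123456   BATCH            0505   "
)
SAMPLE_DUMP = format_hexdump(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(SAMPLE_DUMP)
    for pan in find_pans(parse_hexdump(SAMPLE_DUMP)):
        print("cleartext PAN found:", pan)
```

The scanner reports only masked values, which is how a finding like the one above should be written up: enough to prove the exposure and identify the flow, never a second copy of the account numbers. The Luhn filter matters in practice because order numbers, timestamps and phone numbers also produce long digit runs; without it a payload scan is mostly noise.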
Examples
ID | Status | Description
CSCdu78272 | Yes | SIP debugs does not show correct message ID
CSCdu85817 | Yes | hostobjdb being corrupted.
CSCdv00738 | Yes | Add enhanced platform support for the PIX 506.
CSCdv17303 | Yes | stateful failover show high err count under stress.
CSCdv24986 | Yes | Assertion if conf net and command write mem in config file.
CSCdv26953 | Yes | Skinny: Need to update to version 3.1 code.
CSCdv31029 | Yes | SIP: maddr= & received= parameters not NATd.
CSCdv32237 | Yes | Active-X filter does not work correctly.
CSCdv33495 | Yes | static PAT and fixup ftp breaks ACTIVE ftp
CSCdv39306 | Yes | PIX loses ARP entry for HSRP address.
CSCdv40404 | Yes | IKE mode config bug - causes PIX crash with dump.
CSCdv42836 | Yes | IKE continuous channel mode does not work with IOS unity.
CSCdv52820 | Yes | Memory leak on PIX when verifying peers certs during IKE phase 1.
CSCdv53837 | Yes | after 1st IPSEC peer down, 60 second delay before switch to 2nd peer.
CSCdv55044 | Yes | ESP packets routed basing on encapsulated destination address.
CSCdv56552 | Yes | Session counts are inconsistent UDP vs. TCP.
CSCdv57122 | Yes | AAA proxy limit exceeded and out of Tcb_user errors.
CSCdv57570 | Yes | PIX crashes when vpn client 3.1 connects.
CSCdv60361 | Yes | H.225: Call fails when newly encoded message is smaller.
CSCdv63087 | Yes | ENH: need debugs for hardware accelerator (VAC)
CSCdv64039 | Yes | TCP connection to PIX from token ring client hangs.
CSCdv64435 | Yes | PIX code space not write protected.
CSCdv65961 | Yes | 1550 byte blocks go to zero, PIX stops passing traffic.
CSCdv69641 | Yes | PIX can only recognize 2 interfaces in PIX-515E in monitor.
CSCdv70291 | Yes | Traceback triggered by TACACS+ authentication of FTP.
CSCdv71017 | Yes | PIX reboots with stack trace in isakmp_receiver thread.
CSCdv72013 | Yes | H323: Inbound call w/ indirect voice due to early removal of data.
CSCdv74412 | Yes | pptp - non-zero reserved field in header.
CSCdv75812 | Yes | VoIP fixups drop 1-byte TCP keep-alive.
CSCdv76727 | Yes | Traceback fover_rep after no fail with failover on serial cable.
CSCdv83025 | Yes | DNS Flakiness. Some outbound UDP DNS replies being denied by PIX.
CSCdv84391 | Yes | Add OID support for 506E & 515E hardware platforms.
CSCdv86755 | Yes | icmp type is not correctly interpreted with aaa.
CSCdv87789 | Yes | PIX 506E hangs when booting with 64 sector flash.
265 Caveats
Summary
- Security incidents continue to become more frequent and sophisticated
- The traditional LAN perimeter no longer exists
- Today's environments need to layer security to provide complete protection
- Legislation is forcing those who have not already taken appropriate action to do so
- To stay current, organizational security requires a continuously evolving security system: Management, Technology & Sustainment
- Have your security position verified by a third party
Thank-you
Curtis L. Blais CCNA, CCNP, GCIA, GCFW, WCSP, CISSP
National Practice Manager, Enterprise Security Consulting
TELUS, Solutions Consulting
[email protected]
Appendix
Security Solutions
Security Solutions (Consulting)