christine nelson 112001


Presentation Transcript

Fighting Back Against Cybercrime: A Plan of Action: 

Fighting Back Against Cybercrime: A Plan of Action
Alan Paller
Director of Research
The SANS Institute
paller@sans.org
www.sans.org

Questions For Today: 

Questions For Today
How has the threat grown since the Feb. 2000 DDoS attacks?
Why hasn’t the problem been fixed?
Why is there more reason for hope now than in the past?
What is the Cyber Defense Initiative and what role can you play?

Slide3: 

How Has The Threat Grown?

Increased Opportunity Since DDoS Attack In February 2000: 

Increased Opportunity Since DDoS Attack In February 2000
52 million more machines were connected to the Internet (72 million in 2/00)
Security-skilled system administrators increased by only a few thousand.
Windows 2000 arrived with at least 200 security flaws
BIND had several more vulnerabilities

More Sophisticated Attacks: 

More Sophisticated Attacks
Automation in attacks
More stealthy attack tools
Increasing incidence of national pride (China) and social/environmental activist attackers
Multi-layer attacks for economic extortion – yet still automated
Extortion on a grand scale
Rapidly propagating worms
Multi-pronged attack tools

Hacked .gov & .mil Sites August 1 – November 11, 2000: 

Hacked .gov & .mil Sites August 1 – November 11, 2000
Administrative Office of the U.S. Courts (www.mab.uscourts.gov)
Army Signal Command (cpocner.apg.army)
Army Signal Command (www.mears.redstone.army.mil)
Aviation Systems Division, NASA Ames (www.aviationsystemsdivision.arc.nasa.gov)
ci.washington.dc.us (www.ci.washington.dc.us)
Defense Automated Printing Service (dodssp.daps.mil)
DISA Information Systems Center (maestro.den.disa.mil)
DOI US Bureau of Reclamation (www.mp.usbr.gov)
DOI US DOI, Bureau of Land Management (adoptahorse.blm.gov)
DoT National Transportation Safety Board (www.ntsb.gov)
DoT United States Department of Transportation (stratplan.dot.gov)
Energy Sandia National Laboratories (samt4831.sandia.gov)
Federal Maritime Commission (www.fmc.gov)
Government Printing Office (www.gpo.gov)
Multistate Tax Commission (www.mtc.gov)
NASA #2 Technical Info, Jet Propulsion Labs (NASA) (techinfo.jpl.nasa.gov)
NASA LARC NASA (se-pc7.larc.nasa.gov)
NASA National Aeronautics and Space Administration (toyota.gsfc.nasa.gov)
NASA Technology Server, NASA (technology.nasa.gov)
National Highway Traffic Safety Administration (www.nhtsa.dot.gov)
National Institutes of Health (intra.ninds.nih.gov)
National Library of Medicine SIS5 Server, NIH (sis5.nlm.nih.gov)
MORE….

More .gov and .mil sites hacked: 

More .gov and .mil sites hacked
NOAA Central Administrative Support Center, NOAA (www.casc.noaa.gov)
NOAA National Oceanic and Atmospheric Admin (storms-dev.nos.noaa.gov)
NOAA National Oceanic and Atmospheric Administration (vortex.cmdl.noaa.gov)
NSF National Science Foundation (roga.nsf.gov)
U.S. Fish and Wildlife Service (www.fws.gov)
Uniformed Services University of the Health Science (bb.lrc.usuhs.mil)
Uniformed Services University of the Health Science (rcslinux.lrc.usuhs.mil)
US Navy Naval Computer and Telecommunications Station (med01.nctsw.navy.mil)
US Navy Jaxm Navy (www.jaxm.navy.mil)
US Navy Naval Ocean Systems Center (iph-nt5.nosc.mil)
US Navy Naval Pacific Meteorology and Oceanography Center, Yokosuka, Japan (www.yoko.npmoc.navy.mil)
US Navy NLMOC Navy (jf.nlmoc.navy.mil)
US Navy www.nasjax.navy.mil (www.nasjax.navy.mil)
US Office of Surface Mining (feecomp.osmre.gov)
USGS United States Geological Survey (mrdata.usgs.gov)
Total Reported and Mirrored at attrition.org August 1 to November 10: 37
Between April 1 and April 21, 2001, more than 20 .mil and .gov web sites have been defaced and posted to attrition.org. How could that many be hacked and defaced in such a short time?

First Union: 

First Union
If you buy a Solaris system from Sun and install it using the standard settings, what score would you get on a Center for Internet Security audit where 100 was good? Has it improved?

Slide9: 


Understanding the attacks: 

Understanding the attacks
Find a vulnerability
Exploit it
Install hacker tools
An example
Put together a script to automate it all

A visit inside a hacker’s lab...: 

A visit inside a hacker’s lab...
How do they get in?
Don’t firewalls stop them?
What can they do when they get in?

Slide12: 


Slide13: 

IIS4 / IIS5 ISAPI Vulnerability

Slide14: 


Slide15: 

~$ telnet bigwidget.com 80
Trying 10.0.0.28...
Connected to bigwidget.com
Escape character is '^]'.
hacker: GET /scripts/root.exe
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 02 Oct 2001 18:50:26 GMT
Content-Type: application/octet-stream
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.
c:\inetpub\scripts>
^]
telnet> quit
Connection closed.
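The session above succeeds because the web server answers a request for /scripts/root.exe with 200 OK: the backdoor is already there. The defender's counterpart is to look for exactly that request in the server's own logs. The scanner below is an added example, not code from the talk; the IIS W3C log lines are constructed, the client address 192.0.2.77 is made up, and the inclusion of cmd.exe alongside root.exe is an assumption.

```python
"""Scan IIS W3C extended log text for requests to the /scripts backdoor.

Added example; not from the presentation. Sample log lines are constructed.
"""
import re
from dataclasses import dataclass

# root.exe is the path requested on the slide; cmd.exe is added here on the
# assumption that a command interpreter under /scripts is equally unwanted.
SUSPICIOUS_PATHS = re.compile(r"/scripts/(root|cmd)\.exe", re.IGNORECASE)


@dataclass
class Hit:
    client_ip: str
    path: str
    status: int
    compromised: bool  # True when the server answered 200: the file exists


def parse_fields_line(line):
    """Return the column names declared by a '#Fields:' directive."""
    return line.split(":", 1)[1].split()


def scan_iis_log(text):
    """Return a Hit for every request whose URI stem matches SUSPICIOUS_PATHS.

    Column positions are taken from the '#Fields:' directive rather than
    hard-coded; lines before the directive or with a different column count
    are skipped, so a malformed line cannot shift the status column.
    """
    fields = None
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = parse_fields_line(line)
            continue
        if line.startswith("#") or fields is None:
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue
        rec = dict(zip(fields, cols))
        path = rec.get("cs-uri-stem", "")
        if not SUSPICIOUS_PATHS.search(path):
            continue
        status = int(rec.get("sc-status", "0"))
        hits.append(Hit(rec.get("c-ip", "?"), path, status, status == 200))
    return hits


# Constructed sample: a normal request, a probe that failed (404), and a
# request the server answered with 200, i.e. root.exe really is present.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-10-02 18:49:10 10.0.0.5 GET /index.htm - 200
2001-10-02 18:49:55 192.0.2.77 GET /scripts/root.exe - 404
2001-10-02 18:50:26 192.0.2.77 GET /scripts/root.exe - 200
"""

if __name__ == "__main__":
    for h in scan_iis_log(SAMPLE_LOG):
        label = "COMPROMISED" if h.compromised else "probe"
        print(f"{label}: {h.client_ip} -> {h.path} ({h.status})")
```

A 404 tells you someone is looking; a 200 tells you the server has already been taken.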

Slide16: 

imapd Viewing bigwidget.com's C: drive

Slide17: 

thevault:~# cd /data/creditcards
thevault:~# cat visa.txt
Allan B. Smith 6543-2223-1209-4002 12/99
Donna D. Smith 6543-4133-0632-4572 06/98
Jim Smith 6543-2344-1523-5522 01/01
Joseph L.Smith 6543-2356-1882-7532 04/02
Kay L. Smith 6543-2398-1972-4532 06/03
Mary Ann Smith 6543-8933-1332-4222 05/01
thevault:~# crack /etc/passwd
Cracking /etc/passwd...
username: bob password: ding
username: mary password: mary
username: root password: ncc1701
thevault:~# ftp thesource
Connected to thesource
220 thesource Microsoft FTP Service (Version 4.0).
Name: administrator
331 Password required for administrator.
Password: *******
230 User administrator logged in.
Remote system type is Windows_NT.

Slide18: 


Slide19: 

John Smith, (Director of Research, BigWig) Tobe Hadd, (President, CEO, BigWig)

Anatomy of the Attack: 

Anatomy of the Attack (network diagram): BigWidget’s network, showing the router, firewall, e-mail server, NT web server, and clients & workstations on the internal network (UNIX and NT hosts).

The Lion Worm: 

The Lion Worm
March 22nd – 25 Linux systems managers report major compromises to GIAC
All night analysis finds: The Lion worm uses a known vulnerability (20-30% of name servers), steals password files, installs back doors and a vicious DDoS tool, launches a program on the infected machine to find and infect more machines
There appears to be no effective recovery – if your backups don’t work you are out of business.
Probably 10-20,000 systems have been infected.

If we understand the problem, why don’t agencies and contractors fix them?: 

If we understand the problem, why don’t agencies and contractors fix them?

INTERNET VANDALS STRIKE USIA WEB SITE: 

INTERNET VANDALS STRIKE USIA WEB SITE The Web site of the United States Information Agency, which is used by American diplomats abroad for statements on American policy or texts of official speeches, was broken into recently by Internet vandals who left on the USIA system a 'Trojan Horse' piece of computer code that caused basic hardware damage and the destruction of the site. A USIA spokesman said security for the site will be beefed up. 'We simply can't have this happening every six months. People rely on us.' (New York Times 21 Jan 99)

What Organizations Do: 

What Organizations Do They hire a consulting organization to perform a vulnerability analysis and penetration test. The consultant’s analysis shows 5 to 30 vulnerabilities per system. Management or the security officer sends the vulnerability report to the system administrators with a strong suggestion that the problems should be fixed right away.

What Actually Happens Then?: 

What Actually Happens Then? The sysadmins are overwhelmed by the volume of tasks the list entails and the number of hours they will take. They do a few things that are obvious to them. The demands of their regular work reassert themselves. Their bosses tell them to 'just get this one project done and then get right back on the security fixes.' And then....

INTERNET VANDALS STRIKE USIA WEB SITE: 

INTERNET VANDALS STRIKE USIA WEB SITE The Web site of the United States Information Agency, which is used by American diplomats abroad for statements on American policy or texts of official speeches, was broken into recently by Internet vandals who left on the USIA system a 'Trojan Horse' piece of computer code that caused basic hardware damage and the destruction of the site. A USIA spokesman said security for the site will be beefed up. 'We simply can't have this happening every six months. People rely on us.' (New York Times 21 Jan 99)

Primary Points of Vulnerability: 

Primary Points of Vulnerability
Systems and networks configured insecurely by vendors and default passwords
Initial configuration management lapses
System administrators who fail to maintain security because it is hard, and because it is not a priority and/or they have not learned security
Users who unknowingly open the door

Reasons for Cautious Optimism: The Cyber Defense Initiative: 

Reasons for Cautious Optimism: The Cyber Defense Initiative

What will it take?: 

What will it take?
Make it easier to configure systems safely: Consensus standards for what has to be done, and rapid updates when new types of attacks are mounted.
Deploy automated tools for frequent testing
Require compliance before connection
Automate patch maintenance
Train and certify everyone who has hands-on responsibility for managing and securing systems and networks
Universal user awareness with good guidance
Safer systems delivered by vendors
Better early warning systems

Cyber Defense Initiative: 

Cyber Defense Initiative
Improving early warning systems
Upgrading skills of people with security responsibility
Raising the level of awareness of what needs to be done for protection
Defining the principal internet security threats and testing for the vulnerabilities
Establishing minimum benchmarks for safer systems and networks – and measuring them

Internet Storm Center: 

Internet Storm Center April 30, 2001

Knowing an attack has been launched?: 

Knowing an attack has been launched? 4:58 PM Thursday Combined data from 120 sites show that unwanted traffic to port 53 spiked on 3/21.
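The point of the slide is that no single site's firewall log shows much, but the sum across contributing sites does. The script below is an added example of that aggregation, not ISC or DShield code; the per-site daily summaries are constructed, their comma-separated format (site, date, destination port, packet count) is an assumption, and so are the two-day minimum history and the 5x spike threshold.

```python
"""Combine per-site deny-log summaries and flag ports whose daily total
spikes above the preceding days' mean. Added example, not ISC code."""
from collections import defaultdict
from statistics import mean

# Constructed daily summaries. Assumed format: site_id,date,dst_port,packets
# Each site alone sees only a few dozen port-53 packets on normal days.
SAMPLE_LINES = """\
siteA,2001-03-19,53,40
siteB,2001-03-19,53,35
siteC,2001-03-19,53,38
siteA,2001-03-20,53,42
siteB,2001-03-20,53,37
siteC,2001-03-20,53,41
siteA,2001-03-21,53,410
siteB,2001-03-21,53,395
siteC,2001-03-21,53,388
siteA,2001-03-21,80,120
siteB,2001-03-21,80,118
"""


def aggregate(lines):
    """Sum packet counts across all sites -> {port: {date: total}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for raw in lines.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        _site, date, port, count = raw.split(",")
        totals[int(port)][date] += int(count)
    return totals


def find_spikes(totals, min_days=2, factor=5.0):
    """Return [(port, date, total, baseline_mean)] for each day on which the
    combined count is at least `factor` times the mean of the earlier days.

    A port needs `min_days` of prior history before it can be flagged, so a
    port seen for the first time (port 80 in the sample) is never reported
    on the strength of one day's data.
    """
    spikes = []
    for port, by_date in totals.items():
        history = []
        for date in sorted(by_date):
            total = by_date[date]
            if len(history) >= min_days:
                base = mean(history)
                if base > 0 and total >= factor * base:
                    spikes.append((port, date, total, base))
            history.append(total)
    return spikes


if __name__ == "__main__":
    for port, date, total, base in find_spikes(aggregate(SAMPLE_LINES)):
        print(f"port {port} on {date}: {total} packets vs. baseline {base:.1f}")
```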

How do you find the worm code?: 

How do you find the worm code? It’s hard to find one of a few thousand infected systems out of 100 million systems on the Internet. So you need a large community made up of folks who are skilled, have the right systems, and are willing to help look for it. 91,000 subscribers of the weekly Security Alert Consensus fit that profile. They found the code less than 3 hours after a note went out to them. 8:58 PM – 11:50 PM Thursday, 3/22

The Lion Worm: 

The Lion Worm
Uses a well-known BIND vulnerability
Steals password files and sends them to china.com
Installs multiple back doors and a DDoS attack tool.
Forces the infected system to search the Internet for more vulnerable systems and infect them.

How do you analyze the code and develop a tool to find machines that have been infected – overnight!: 

How do you analyze the code and develop a tool to find machines that have been infected – overnight!
Recruit volunteers from a small circle of trusted people who have proven their ability to analyze code and develop diagnostics.
Jointly analyze the code and test the tool
Deliver beta to small group of sites
Fix and post the tool. (20,000 downloads the first day)
12:10 AM – 7:15 AM Friday, 3/23

How do you tell the people who need to know?: 

How do you tell the people who need to know?
Use an alerts-only announcement to 200,000 security professionals.
Involve other distribution points.
Complement the announcements with technology news coverage.
8:30 AM – 11:00 AM Friday, 3/23

Follow-Up: 

Follow-Up
UUNET black-holes traffic to China.com where the worm sent password files – providing more immediate damage reduction than all our announcements.
Analysts infiltrate the worm author’s IRC chat room – identify new strains before they are launched.
Developers try to create systems to clean the worm out of infected computers.
Saturday 3/24 – Wednesday 3/28

How It Works: 

How It Works (diagram): IDS sensors and ISPs report to SACCs (Analysis and Coordination Centers), which feed the Global Internet Storm Center.
*SACCs may be PDD63 ISACs, national government CERTs, ISPs and other managed service providers, large user organizations, and independent SACCs.

Ten most probed ports: 

Ten most probed ports (chart: Top Ten Target Ports)

Probe traffic by continent: 

Probe traffic by continent (chart)

The Global Internet Storm Center: 

The Global Internet Storm Center

Action 1: Participate In Internet Storm Center: 

Action 1: Participate In Internet Storm Center
Operational public SACC: www.dshield.org
Operational site for global analysis and coordination: www.incidents.org/cid

Cyber Defense Initiative: 

Cyber Defense Initiative
Improving early warning systems
Upgrading skills of people with security responsibility

Security skills gap (extra): 

Security skills gap (extra)
Which of the following have been taught the principal security threats and how to protect against them?
MCSE, CCNA, Solaris certified people
Vulnerability testing consultants
Security officers
Firewall operators

Training the Technical People: 

Training the Technical People
Sysadmin and security training is being radically upgraded through the SANS GIAC programs:
SANS Security Essentials
Firewalls and Perimeter Protection
Intrusion Detection
UNIX and Linux
Windows
Advanced Incident Handling and Hacker Exploits
Auditing Security
Information Security Officers

Certification: 

Certification
Certifications are available but not required
Must prove mastery, not just pass a test, for certification
A practical for each track
For Security Essentials: more than 1000 of their research papers are posted at http://www.sans.org/infosecFAQ/index.htm
Those who earn Level Two certifications appear to gain substantial authority in their organizations
Substantial increases in salary reported by Foote survey

InfoSec Reading Room: 

InfoSec Reading Room (screenshot of the site index)
Platforms: Win, Win2000, Unix, Sun, Mac, Linux, Other
Topics A-I: Application & Database Sec, Attacking Attackers, Auditing & Assessment, Authentication, Case Studies, Commercial Software, DNS Issues, eCommerce, Email Issues, Encryption & VPNs, Firewalls/Perimeter Def., Hackers, History of InfoSec, Home & Small Office, Incident Handling/Forensics

Action 2: Follow through on skills development: 

Action 2: Follow through on skills development Ensure all sysadmins, auditors, intrusion detection and firewall professionals, and ISSM/ISSOs have GIAC certifications

Cyber Defense Initiative: 

Cyber Defense Initiative
Improving early warning systems
Upgrading skills of security officers as well as administrators
Raising the level of awareness of what needs to be done for protection

Does Awareness Matter?: 

Does Awareness Matter? Rob Kolstad called his contractor friend who works help desks (recently at: HP, Agilent, IBM, Compaq, and Digital Equipment Corp.) Asked him if he set/reset passwords: 'yep' Over the phone? 'yep' With identification/verification? 'nope' Ever had any security training for this at any of these five companies? 'nope'

Does Awareness Matter?: 

Does Awareness Matter?
Every computer with an unpatched Internet Explorer can be expected to become infected with Nimda and to rapidly infect others around it.

Action 3: Improve Awareness Programs: 

Action 3: Improve Awareness Programs
Ensure your awareness program:
Covers all exploited weaknesses in the control of the employees
Covers what to look for and what to do when you see it.
Includes anecdotes as memory aids
Is delivered online for tracking and coverage
Requires demonstration of mastery

Cyber Defense Initiative: 

Cyber Defense Initiative
Improving early warning systems
Upgrading skills of people with security responsibility
Raising the level of awareness of what needs to be done for protection
Defining the principal internet security threats and testing for the vulnerabilities

Top Twenty Internet Security Threats: 

Top Twenty Internet Security Threats
A few vulnerabilities are responsible for more than 80% of all successful attacks
20-40% of all systems are vulnerable to some of them
Why should an attacker look for a difficult path when such easy ones are available?

How valuable is an agreement on the most critical vulnerabilities?: 

How valuable is an agreement on the most critical vulnerabilities?
Reduction from 1.3 to less than .1 vulnerability per system
Reduction in successful attacks as a percent of all attacks
Cooperation and automation among sysadmins to fix the vulnerabilities
Sense of accomplishment and kudos from management.
The Agency: NASA

SANS/FBI Top Twenty: 

SANS/FBI Top Twenty
Announced October 1, 2001
Consensus involving more than 30 organizations
Separated by platform
Instructions on how to fix them
Free scanning tool to test systems (email info@cisecurity.org subject 'Top20 scanner')

Action 4: Fix the top twenty: 

Action 4: Fix the top twenty
Set up a competition
Reward success
Initial configurations
Report regularly
Set procurement specs.

Cyber Defense Initiative: 

Cyber Defense Initiative
Improving early warning systems
Upgrading skills of people with security responsibility
Raising the level of awareness of what needs to be done for protection
Defining the principal internet security threats and testing for the vulnerabilities
Establishing minimum benchmarks for safer systems and networks – and measuring them

A group of organizations joined to say:: 

A group of organizations joined to say:
Our combined knowledge is better than the knowledge any one of us has.
If we reach consensus we can all rely on that as 'generally accepted benchmarks of due care'
If we can get the auditors to use the same benchmarks, then there will be more cooperation
Perhaps we can even get the vendors to deliver safer systems

Some of the Participants: 

Some of the Participants
Government: National Institute of Standards and Technology; Infocomm Development Authority of Singapore; Naval Surface Warfare Center; US Treasury Financial Management Service; Washington State Dept. of Health; US Army Corps of Engineers; NASA/GSFC/SEWP; Australian National Audit Office; US Dept of Justice, Office of Justice Programs; Library of Congress; Royal Canadian Mounted Police; Communications Security Establishment (Canada); Canadian CERT

Participants (cont’d):: 

Participants (cont’d):
Industry: Pacific Gas & Electric; SASKTel; Lucent Technologies; LG&E Energy; Hallmark; Chevron; Intel; Vulcan Materials; Mrs. Smith’s Bakeries; PJM; Allegheny Energy; Pitney Bowes; Component Graphics; eScout.com; Emprise Technologies; REDW Technologies; Educational Testing Svc.; Financial Models Co.; Agilent Technologies; Shell Services Int’l Inc.

More (cont’d):: 

More (cont’d):
Finance and Insurance: VISA; Allstate; First Union Corporation; Nat’l Life Assurance Co of Canada; U.S. Central Credit Union; Union Bank of California; City National Bank (LA)
Consulting/Service: WorldPort (Ireland); Guardent; Procinct Security; Foundstone; Server Vault; Grant Thornton; Integralis Ltd (England)

More (cont’d):: 

More (cont’d):
Universities: Institute for Security Technology Studies at Dartmouth; UC Davis; Virginia Tech; Monash University (Australia); University of Alabama at Birmingham; University of Missouri; Blenkinge Inst. of Technology (Sweden); Utah State University
Consulting/Service: PricewaterhouseCoopers; ISS; Symantec/Axent; BindView; Harris; NetIQ; Telenesius; VIGILANTe; Cervalis; NEC e-Border

www.cisecurity.org Center for Internet Security: 

www.cisecurity.org Center for Internet Security
Founding Organizations:
Information Systems Audit and Control Association (ISACA)
American Institute of Certified Public Auditors (AICPA)
Institute of Internal Auditors (IIA)

Three simple steps: 

Three simple steps
Develop a consensus on exactly what needs to be done to each type of system, at a minimum. Add a consensus on extra steps that can improve security. (The 'benchmarks')
Create testing tools that allow organizations to test and monitor security
Keep them both promptly up to date with new threats.

Benchmarks: (www.cisecurity.org): 

Benchmarks: (www.cisecurity.org)
Phase I (now through August): Solaris, Windows 2000
Phase II: Other UNIX, Windows NT, Major databases
Phase III: Applications, Appliances

Action 5: Use the CIS Benchmarks: 

Action 5: Use the CIS Benchmarks And help build SCORE

SCORE: Security Consensus for Operational Readiness Evaluation: 

SCORE: Security Consensus for Operational Readiness Evaluation
Bringing security into the mainstream of network and system management
A web of consensus tools that monitor networks and systems to verify security readiness
Examples: Cisco routers, Solaris, Win2K, named, discovery, many more.

Action 6: Help Build SCORE: 

Action 6: Help Build SCORE
Suggest segments
Propose tools
Test tools
Build bridges between operation and security groups

Questions about the CDI?: 

Questions about the CDI?
Improving early warning systems
Upgrading skills of people with security responsibility
Raising the level of awareness of what needs to be done for protection
Defining the principal internet security threats and testing for the vulnerabilities
Establishing minimum benchmarks for safer systems and networks – and measuring them
Creating SCORE