Module F - Columbus State University

Information Assurance: vulnerabilities, threats, and controls
Dr. Wayne Summers, TSYS Department of Computer Science, Columbus State University
[email protected]
http://csc.colstate.edu/summers

SQL Slammer

It only took 10 minutes for the SQL Slammer worm to race across the globe and wreak havoc on the Internet two weeks ago, making it the fastest-spreading computer infection ever seen. The worm, which nearly cut off Web access in South Korea and shut down some U.S. bank teller machines, doubled the number of computers it infected every 8.5 seconds in the first minute of its appearance. It is estimated that 90% of all systems that fell victim to the SQL Slammer worm were infected within the first 10 minutes.

BLASTER

On Aug. 11, the Blaster virus and related bugs struck, hammering dozens of corporations.
- At least 500,000 computers worldwide infected.
- Maryland Motor Vehicle Administration shut its offices for a day.
- Check-in system at Air Canada brought down.
- Infiltrated unclassified computers on the Navy-Marine intranet.
- In eight days, the estimated cost of damages neared $2 billion.

SOBIG.F

Ten days later, the SoBig virus took over:
- Causing delays in freight traffic at rail giant CSX Corp., forcing cancellation of some Washington-area trains and causing delays averaging six to 10 hours.
- Shutting down more than 3,000 computers belonging to the city of Fort Worth.
- One of every 17 e-mails scanned was infected (AOL detected 23.2 million attachments infected with SoBig.F).
- Worldwide, 15% of large companies and 30% of small companies were affected by SoBig; estimated damage of $2 billion.

MyDoom quickly surpassed SoBig as the fastest-spreading e-mail worm ever. In addition to seeding Windows machines to create botnets, MyDoom was programmed to launch DDoS (distributed denial-of-service) attacks on Microsoft's Web site.

Information Assurance

- Definitions
- Vulnerabilities
- Threats
- Controls
- Conclusions

Computer Security

The protection of the computer resources against accidental or intentional disclosure of confidential data, unlawful modification of data or programs, the destruction of data, software or hardware, and the denial of one's own computer facilities irrespective of the method, together with such criminal activities including computer-related fraud and blackmail. [Palmer]

Goals
- confidentiality - limiting who can access assets of a computer system.
- integrity - limiting who can modify assets of a computer system.
- availability - allowing authorized users access to assets.

Definitions
- vulnerability - a weakness in the security system that might be exploited to cause loss or harm.
- threat - circumstances that have the potential to cause loss or harm. Threats typically exploit vulnerabilities.
- control - a protective measure that reduces a vulnerability or minimizes the threat.

Technical Cyber Security Alerts (http://www.us-cert.gov/cas/techalerts/)
- TA11-130A Microsoft Updates for Multiple Vulnerabilities (May 10, 2011)
- TA11-067A Microsoft Updates for Multiple Vulnerabilities (March 8, 2011)
- TA11-039A Microsoft Updates for Multiple Vulnerabilities (February 8, 2011)
- TA11-011A Microsoft Updates for Multiple Vulnerabilities (January 11, 2011)
- TA10-348A Microsoft Updates for Multiple Vulnerabilities (December 14, 2010)
- TA10-313A Microsoft Updates for Multiple Vulnerabilities (November 9, 2010)
- TA10-287A Oracle Updates for Multiple Vulnerabilities (October 14, 2010)
- TA10-285A Microsoft Updates for Multiple Vulnerabilities (October 12, 2010)
- TA10-279A Adobe Reader and Acrobat Affected by Multiple Vulnerabilities (October 6, 2010)
- TA10-263A Adobe Flash Vulnerabilities (September 20, 2010)
- TA10-257A Microsoft Updates for Multiple Vulnerabilities (September 14, 2010)
- TA10-238A Microsoft Windows Insecurely Loads Dynamic Libraries (August 26, 2010)
- TA10-231A Adobe Reader and Acrobat Vulnerabilities (August 19, 2010)
- TA10-223A Adobe Flash and AIR Vulnerabilities (August 11, 2010)

Recent news: Hackers exploit Flash bug in new attacks against Gmail users. Adobe patches vulnerability that attackers use to steal Web email usernames, passwords. (June 6, 2011, 12:33 PM ET)

Vulnerabilities reported

Year   Vulnerabilities
1995   171
1996   345
1997   311
1998   262
1999*  417
2000   1,090
2001   2,437
2002   4,129
2003   3,784

The number of attacks is now so large and their sophistication so great, that many organizations are having trouble determining which new threats and vulnerabilities pose the greatest risk and how resources should be allocated to ensure that the most probable and damaging attacks are dealt with first. Exacerbating the problem is that most organizations do not have an Internet-wide view of the attacks. [http://www.sans.org/top-cyber-security-risks/]

Top Vulnerabilities to Windows Systems
- Windows Services
- Internet Explorer
- Windows Libraries
- Microsoft Office and Outlook Express
- Windows Configuration Weaknesses

Top Vulnerabilities in UNIX Systems
- UNIX Configuration Weaknesses
- Mac OS X

Top Vulnerabilities in Networking Products
- Cisco IOS and non-IOS Products
- Juniper, CheckPoint and Symantec Products
- Cisco Devices Configuration Weaknesses
(http://www.sans.org/top20/)

Top Vulnerabilities in Cross-Platform Applications
- Backup Software
- Anti-virus Software
- PHP-based Applications
- Database Software
- File Sharing Applications
- DNS Software
- Media Players
- Instant Messaging Applications
- Mozilla and Firefox Browsers
- Other Cross-platform Applications
(http://www.sans.org/top20/)

Buffer Overflow

A Gartner study found buffer overflows to be the most common security flaw in programs. Unfortunately, matters haven't improved since that study was done in 1999. Not a week goes by without the announcement of yet another serious overflow-triggered vulnerability. Overflows occur when a program tries to store more data than the allocated memory can hold. The extra data slops over into the adjacent memory area, overwriting what was already there, including data or instructions. Malicious hackers have become proficient at leveraging such overflows to introduce their own code into programs, effectively hijacking the computer.

At the same time, overflows occur when programmers do not include code to check the size of data before storing it. Some programming languages make overflows difficult or impossible, because they automatically expand the memory area as needed to accommodate incoming data. Other languages, including C, make overflows practically inevitable since they typically lack any automatic size checking and will happily cram "10 pounds of data" into a five-pound memory area. Unless a programmer makes a special effort to test for overflow conditions, these flaws become part of the application. The deadline pressure to get code out the door exacerbates the problem: instead of developers or testers addressing the issue, flaws turn up on the computers of millions of users.
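The unchecked copy the slide describes and the size check it calls for, as an added example that is not part of the original slides: a record with a fixed 16-byte name field, the strcpy() pattern that overflows it, and a checked replacement that bounds the read and refuses anything that does not fit. NAME_LEN, record_unchecked, set_name_unchecked, set_name_checked and the sample inputs are names assumed for this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* the "five-pound memory area": 15 characters plus the NUL */

/* The flaw the slide describes: strcpy() copies until it finds a NUL byte and
 * never asks how large the destination is. Input of NAME_LEN or more characters
 * runs past 'name' into whatever is stored next to it (here, is_admin). */
struct record_unchecked {
    char name[NAME_LEN];
    int  is_admin;        /* adjacent memory that an overflow would clobber */
};

void set_name_unchecked(struct record_unchecked *r, const char *src)
{
    strcpy(r->name, src); /* no size check: overflows when strlen(src) >= NAME_LEN */
}

/* The check the slide asks for: bound the read, refuse what does not fit, and
 * always NUL-terminate. Returns 0 on success, -1 when the input is rejected. */
int set_name_checked(char *dst, size_t dstsize, const char *src)
{
    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    size_t n = strnlen(src, dstsize); /* never reads more than dstsize bytes of src */
    if (n >= dstsize)                 /* n == dstsize leaves no room for the NUL */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Stand-alone demonstration. Only the checked routine is given oversized input;
 * overflowing set_name_unchecked() is undefined behaviour, so it is shown, not run. */
int main(void)
{
    char name[NAME_LEN];
    const char *fits     = "wsummers";                                    /* constructed sample */
    const char *too_long = "this-name-is-far-too-long-for-sixteen-bytes"; /* constructed sample */

    printf("short input accepted: %s\n",
           set_name_checked(name, sizeof name, fits) == 0 ? "yes" : "no");
    printf("long input rejected:  %s\n",
           set_name_checked(name, sizeof name, too_long) == -1 ? "yes" : "no");
    return 0;
}
```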

Vulnerabilities

Today's complex Internet networks cannot be made watertight. A system administrator has to get everything right all the time; a hacker only has to find one small hole. A sysadmin has to be lucky all of the time; a hacker only has to get lucky once. It is easier to destroy than to create.
- Robert Graham, lead architect of Internet Security Systems

Types of Threats
- interception - some unauthorized party has gained access to an asset.
- modification - some unauthorized party tampers with an asset.
- fabrication - some unauthorized party might fabricate counterfeit objects for a computer system.
- interruption - an asset of the system becomes lost, unavailable or unusable.

Recent News

Browser Windows Without Indications of Their Origins may be Used in Phishing Attempts. Microsoft has investigated a public report of a phishing method that affects Web browsers in general, including Internet Explorer. The report describes the scenario of multiple, overlapping browser windows, some of which contain no indications of their origin. An attacker could arrange windows in such a way as to trick users into thinking that an unidentified dialog or popup window is trustworthy when it is in fact fraudulent. Source: Microsoft Security Advisory (902333)

IM Worms could spread in seconds. Symantec has done some simulations and has found that half a million systems could be infected in as little as 30 to 40 seconds. [InternetWeek, Jun 21, 2004]

Cabir is the first-ever computer virus that is capable of spreading over mobile phone networks. It is a network worm that infects phones running the Symbian mobile phone operating system by Symbian. [http://www.technewsworld.com/story/34542.html, June 14, 2004]

Fraudulent e-mails designed to dupe Internet users out of their credit card details or bank information topped the three billion mark last month, according to one of the largest spam email filtering companies. The authentic-looking e-mails, masquerading as messages from banks or online retailers, have become a popular new tool for tech-savvy fraudsters in a new scam known as "phishing." [Gartner report, June 2004]

Sample e-mail from "Microsoft" [email protected] {Virus?}
Subject: Use this patch immediately !
"Dear friend , use this Internet Explorer patch now! There are dangerous virus in the Internet now! More than 500.000 already infected!"

Vigilantes Go on the Offensive to Bait Net Crooks (http://www.npr.org/templates/story/story.php?storyId=4716843)
Scambaiter - http://www.419eater.com/

Malware and other Threats

Viruses / Worms (over 180,000 viruses as of 5/2006; doubling every 12 months)
- 1987-1995: boot & program infectors
- 1995-1999: Macro viruses (Concept)
- 1999-2003: self/mass-mailing worms (Melissa-Klez)
- 2001-???: Megaworms [blended attacks] (Code Red, Nimda, SQL Slammer, Slapper)
Trojan Horses
- Remote Access Trojans (Back Orifice)
Computer parasites / pests (splog, spyware, BHOs, keyloggers, dialers, SPIM)

Most threats use buffer overflow vulnerabilities.

Social Engineering

"We have met the enemy and they are us." - Pogo
Social Engineering: getting people to do things that they wouldn't ordinarily do for a stranger. (The Art of Deception, Kevin Mitnick)

Controls

Reduce and contain the risk of security breaches.
"Security is not a product, it's a process." - Bruce Schneier
[Using any security product without understanding what it does, and does not, protect against is a recipe for disaster.]

- Security is NOT installing a firewall.
- A Security Audit is NOT "running a port scan and turning things off".
- Security is "Can you still continue to work productively/safely, without compounding the problem".
- Security is only as good as your "weakest link".
- Security is "risk management of your corporate resources (computers) and people".
- "Can somebody physically walk out with your computers, disks, tapes, .."
- Security is a Process, Methodology, Policies and People.
- 24x7x365 ... constantly ongoing .. never ending.
- "learn all you can as fast as you can, without negatively affecting the network, productivity and budget"
(http://www.linux-sec.net/)

Food for Thought
- 80%-90% of any/all security issues are INTERNAL (not the outside world).
- If you want to simulate a disk crash right now (unplug it NOW)... what data did you just lose .. how fast can you recover your entire system from the offline backups ..
- If the hacker/cracker penetrated your firewall ... what else can they do to your network/data ... what will they see on your network and other computers ...
- There always is someone out there that can get in ... if they wanted to ...
(http://www.linux-sec.net/)

"Ninety-five percent of software bugs are caused by the same 19 programming flaws," Amit Yoran said. For this reason, it's "inexcusable" to develop software that suffers from an avoidable flaw such as buffer overflow. (http://www.informationweek.com/story/showArticle.jhtml?articleID=18902167)

Solutions
- Apply defense in depth
- Run and maintain an antivirus product
- Do not run programs of unknown origin
- Disable or secure file shares
- Deploy a firewall
- Keep your patches up-to-date

Critical Microsoft Security Bulletin MS03-039
- Verify firewall configuration.
- Stay up to date. Use update services from Microsoft to keep your systems up to date.
- Use and keep antivirus software up-to-date. You should not let remote users or laptops connect to your network unless they have up-to-date antivirus software installed. In addition, consider using antivirus software at multiple points of your computer infrastructure, such as on edge Web proxy systems, as well as on email servers and gateways.
- You should also protect your network by requiring employees to take the same three steps with home and laptop PCs they use to remotely connect to your enterprise, and by encouraging them to talk with friends and family to do the same with their PCs.
(http://www.microsoft.com/protect)

Defense in Depth
- Antivirus
- Firewall
- Intrusion Detection Systems
- Intrusion Protection Systems
- Vulnerability Analyzers
- Authentication Techniques (passwords, biometric controls)
- Encryption
- BACKUP

Default-Deny Posture
- Configure all perimeter firewalls and routers to block all protocols except those expressly permitted.
- Configure all internal routers to block all unnecessary traffic between internal network segments, remote VPN connections, and business partner links.
- Harden servers and workstations to run only necessary services and applications.
- Organize networks into logical compartmental segments that only have necessary services and communications with the rest of the enterprise.
- Patch servers and applications on a routine schedule.

Education & Misinformation
- SQL Slammer infected through MSDE 2000, a lightweight version of SQL Server installed as part of many applications from Microsoft (e.g. Visio) as well as 3rd parties.
- CodeRed infected primarily desktops of people who didn't know that the "personal" version of IIS was installed.
- Educate programmers and future programmers of the importance of checking for buffer overflows.

The 7 Top Management Errors that Lead to Computer Security Vulnerabilities
- Number Seven: Pretend the problem will go away if they ignore it.
- Number Six: Authorize reactive, short-term fixes so problems re-emerge rapidly.
- Number Five: Fail to realize how much money their information and organizational reputations are worth.
- Number Four: Rely primarily on a firewall.
- Number Three: Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow-through necessary to ensure the problems stay fixed.
- Number Two: Fail to understand the relationship of information security to the business problem -- they understand physical security but do not see the consequences of poor information security.
- Number One: Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.
(http://www.sans.org/resources/errors.php)

Conclusions
- Every organization MUST have a security policy (http://uits.colstate.edu/infosec/securitypolicies/security_policies.asp)
  - Acceptable use statements
  - Password policy
- Training / Education
- Conduct a risk analysis to create a baseline for the organization's security
- You are the weakest link

"The most potent tool in any security arsenal isn't a powerful firewall or a sophisticated intrusion detection system. When it comes to security, knowledge is the most effective tool." - Douglas Schweizer, The State of Network Security, Processor.com, August 22, 2003.

Resources
- http://www.sans.org
- http://www.cert.org
- http://www.cerias.purdue.edu/
- http://www.linuxsecurity.com/
- http://www.linux-sec.net/
- http://www.microsoft.com/security/
- Cuckoo's Egg, Clifford Stoll
- Takedown, Tsutomu Shimomura
- The Art of Deception, Kevin Mitnick
- 19 Deadly Sins of Software Security, Howard, LeBlanc, Viega
- http://www.us-cert.gov/reading_room/

COMPUTER SECURITY AWARENESS WEEK (http://cins.colstate.edu/awareness/), October 31 - November 4, 2005

ACCENTUATE THE POSITIVE

Questions?
Dr. Wayne Summers, TSYS School of Computer Science, Columbus State University, Columbus, GA
[email protected]
02/11/2020 Columbus State University
