Current Threats to Corporate Information Security Management.ppt
Speaker notes
SANS, the NIPC and the Federal CIO Council published a consensus report on the Top Ten Internet Security Threats in summer 2000 (http://www.sans.org/topten.htm). The idea was to publicise one list that everyone could work on, and a new list was expected the following year. Yet many of the outstanding problems still map onto the original ten, SirCAM and the Code Red worms included.

1. Code Red and Code Red II exploit an IIS weakness, though not the one cited in 2000: a buffer overflow in the Index Server ISAPI extension (.ida), for which Microsoft had already issued a patch (MS01-033) in June 2001, a month before the first Code Red appeared.
2. SirCAM spreads over Windows file sharing (NetBIOS over TCP/IP on ports 137-139 in NT, plus the RPC endpoint mapper on 135; direct SMB on port 445 in Windows 2000). It writes itself into shares that are open to everyone or protected only by weak passwords.

Code Red II is much more harmful than Code Red: it leaves the victim open to further attack. It copies cmd.exe into the web server's script directories as root.exe and maps the system drives into the web root, so anyone who can reach the server over HTTP can run commands on it.

If we use a biological analogy for the advances in SirCAM and Code Red, they have been regenerated as tougher, more intelligent and more autonomous organisms (evolution of organisms). More self-motivated viruses and worms, using newer algorithms from AI, will increase the speed of spread, the depth of penetration and the difficulty of detection. High-speed networks remove the bottleneck for Internet traffic, and for worm traffic just as much.
3. An unpatched system is a carrier: it infects others even when the worm does little harm to it. Many systems infected by the first Code Red were never patched because the owner saw no need to fix a service they did not use (IIS is installed by default), yet those machines were used as zombies to attack others.

5. The way Code Red II grants possibilities for other attacks is like a "complication" (bing fa, a secondary disease that follows the first) in medicine: the initial infection is not the real damage, the secondary infections it invites are.
6. More carefully crafted attacks are possible. Code Red and SirCAM seem to be testing the water. IIS was the focus of the year, but there are many other devices with weak protection.
Unpatched systems with old vulnerabilities stay open to attack. Traditional perimeter protection can be bypassed through VPNs; few consider a VPN insecure, and yes, the channel is encrypted, but that says nothing about how well the remote system at the other end is protected. Wireless LANs make control of cable tapping even harder. Mobile workers bring infected notebooks into the office. Contractors and guests are even more likely to bring infections in. The Hong Kong Government intranet and several big companies were infected; they had deployed perimeter defences but …

People's awareness is very doubtful. People do not care about others, just as they do not care about the environment. Some do care, but they do not possess the tools to detect and defend.
Firewall configuration: some old configurations only block incoming traffic. Outgoing traffic should be restricted as well. This stops a Trojan inside the network from initiating a connection out to its controller, and stops an infected system from attacking outwards. Network tapping control: a wireless LAN should accept only encrypted connections, and link-layer encryption alone is not enough. WEP, the only option in most equipment of the time, was shown to be breakable in August 2001 (Fluhrer, Mantin and Shamir), so the wireless segment is better placed outside the firewall with a VPN on top. A wired LAN is harder to control. Servers should tighten password and permission controls so that they withstand attacks from the network.
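The point about blocking outgoing as well as incoming traffic can be made concrete with a small policy evaluator. This is an added example, not part of the original slides: the two rulesets, the 10.0.0.0/8 corporate range, the relay host addresses and the sample flows are all assumptions chosen for the demonstration, and the model looks only at the packet that opens a connection (it does not track state for return traffic).

```python
"""Inbound-only versus inbound-plus-outbound filtering at the border.

Added example, not from the original slides. Addresses, rule format and
sample flows are assumptions; only the connection-opening packet is modelled,
so return traffic of an allowed connection (a stateful firewall's job) is ignored.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.0.0.0/8")        # assumed corporate address space
WEB_DMZ, PROXY, MAIL_RELAY, RESOLVER = "10.0.2.10", "10.0.1.80", "10.0.1.25", "10.0.1.53"


@dataclass(frozen=True)
class Flow:
    src: str      # initiating host
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src: object    # ip_network
    dst: object    # ip_network
    proto: str     # "tcp", "udp" or "any"
    dport: object  # int, or None for any port
    action: str    # "allow" or "deny"


def host(addr):
    """Single-host network for use in rules."""
    return ip_network(addr + "/32")


def matches(rule, flow):
    return (ip_address(flow.src) in rule.src
            and ip_address(flow.dst) in rule.dst
            and rule.proto in ("any", flow.proto)
            and rule.dport in (None, flow.dport))


def evaluate(rules, flow, default="deny"):
    """First matching rule wins; anything unmatched falls to the default policy."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return default


# Policy A, the "old configuration": only inbound is filtered, everything
# originating inside may leave.
LEGACY = [
    Rule(ANY, host(WEB_DMZ), "tcp", 80, "allow"),    # public web server
    Rule(ANY, INTERNAL, "any", None, "deny"),        # block all other inbound
    Rule(ANY, ANY, "any", None, "allow"),            # ... and let all outbound through
]

# Policy B: outbound is filtered too. Only designated relays may initiate
# connections to the Internet; desktops must go through them.
EGRESS = [
    Rule(ANY, host(WEB_DMZ), "tcp", 80, "allow"),
    Rule(host(PROXY), ANY, "tcp", 80, "allow"),
    Rule(host(PROXY), ANY, "tcp", 443, "allow"),
    Rule(host(MAIL_RELAY), ANY, "tcp", 25, "allow"),
    Rule(host(RESOLVER), ANY, "udp", 53, "allow"),
]  # no catch-all: the default deny applies in both directions

# Constructed sample flows (RFC 5737 documentation addresses for the outside).
FLOWS = {
    "customer to DMZ web":        Flow("198.51.100.7", WEB_DMZ, "tcp", 80),
    "desktop trojan to IRC C2":   Flow("10.0.5.20", "203.0.113.10", "tcp", 6667),
    "infected desktop scans web": Flow("10.0.5.20", "192.0.2.33", "tcp", 80),
    "mail relay delivers mail":   Flow(MAIL_RELAY, "192.0.2.25", "tcp", 25),
    "external SMB probe":         Flow("203.0.113.10", "10.0.5.20", "tcp", 445),
}


def compare(flows=FLOWS):
    """Map each flow name to (verdict under LEGACY, verdict under EGRESS)."""
    return {name: (evaluate(LEGACY, f), evaluate(EGRESS, f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (legacy, egress) in compare().items():
        print(f"{name:28s} legacy={legacy:5s} egress={egress}")
```

Both policies stop the external SMB probe and admit the customer, but only the second one stops the Trojan's outbound control connection and the infected desktop's scanning of other people's web servers. The price is that ordinary desktops can no longer browse directly; they have to go through the proxy, which also becomes the natural place to log and inspect what leaves the network.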
Detection: we need to change our way of thinking and treat the internal network more like an untrusted network. Run penetration tests against systems to find flaws before attackers do. Install an IDS to alert on attacks. Correction: make sure systems are backed up, and that the backups can actually be restored.
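As an added example of what "install an IDS to alert on attacks" looks like at its simplest, the script below scans web server log lines for the two worms' publicly documented request patterns. It is not code from the original presentation; the log format (client IP, method, URI, status) and the log lines themselves are constructed for the demonstration, and the signatures are deliberately narrow.

```python
"""Flag Code Red / Code Red II probes and Code Red II backdoor use in web logs.

Added example, not from the original slides. Signatures are the publicly
documented ones: both worms sent an oversized GET for /default.ida, padded
with 'N' (Code Red) or 'X' (Code Red II); Code Red II then exposed cmd.exe
as /scripts/root.exe and mapped the system drives under /c and /d.
"""
import re
from collections import Counter

# Constructed sample log: "client-ip method uri status", one request per line.
SAMPLE_LOG = """\
10.1.2.3 GET /default.htm 200
192.0.2.44 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 200
198.51.100.7 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 200
198.51.100.7 GET /scripts/root.exe?/c+dir 200
203.0.113.9 GET /c/winnt/system32/cmd.exe?/c+dir 404
10.1.2.3 GET /images/logo.gif 200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3})$")

# (tag, pattern): first match wins. Kept narrow to limit false positives.
SIGNATURES = [
    ("backdoor-use",     re.compile(r"/root\.exe|/cmd\.exe\?", re.IGNORECASE)),
    ("code-red-probe",   re.compile(r"/default\.ida\?N{10,}", re.IGNORECASE)),
    ("code-red-2-probe", re.compile(r"/default\.ida\?X{10,}", re.IGNORECASE)),
]


def classify(uri):
    """Return the signature tag matching this URI, or None for ordinary traffic."""
    for tag, pattern in SIGNATURES:
        if pattern.search(uri):
            return tag
    return None


def scan_log(text):
    """Parse log lines and return one hit dict per request that matches a signature."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # malformed line: skip rather than abort the scan
        tag = classify(m["uri"])
        if tag:
            hits.append({"ip": m["ip"], "tag": tag, "status": int(m["status"])})
    return hits


def assess(hits):
    """Summarise hits per source address and decide whether *this* server is compromised.

    A probe only shows that someone tried. A 2xx answer to a root.exe/cmd.exe
    request means the server actually ran the command: the backdoor is present.
    """
    by_source = {}
    for h in hits:
        by_source.setdefault(h["ip"], Counter())[h["tag"]] += 1
    compromised = any(h["tag"] == "backdoor-use" and 200 <= h["status"] < 300 for h in hits)
    return by_source, compromised


if __name__ == "__main__":
    sources, compromised = assess(scan_log(SAMPLE_LOG))
    for ip, tags in sources.items():
        print(ip, dict(tags))
    print("server compromised:", compromised)
```

The status code is what separates a scan from an incident: the 404 on the cmd.exe request is an outsider checking whether the server is already a victim, while the 200 on root.exe shows that it is. This is exactly the "check server integrity" step from the slides, done from the logs rather than by trusting a reboot.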
Management problems: too many patches. What to patch, what has been patched and what has not? There needs to be a list of all information assets, ordered by risk. Patch and change control is required. Out-of-office systems (notebooks, remote PCs) are a high-risk area, and control over them must be tightened.

We see immature infrastructure, both globally and at the corporate level, for detecting, analysing and warning of incidents and for responding to them. Crisis management: there is no strong central command of the crisis. Every country and every corporation did its own protection, and communication is weak. CERTs need to work a lot harder; they need central coordination and yet must develop distributed points of contact inside corporations. Teenage hacking with script-kiddie tools is a hindrance to prosecution.

Outside help must be sought to manage the situation if resources are limited. Demand for the information security industry and profession outgrows the supply.

    1. Current Threats to Corporate Information Security Management
       YOUNG Wo Sang, Program Committee, PISA, [email_address]
    2. Two Recent Attacks
       • SirCAM (July 2001)
       • Code Red II (Aug 2001)
    3. Top 10 Internet Security Threats
       • Consensus Report 2000: SANS, the NIPC, and the Federal CIO Council
       • "These aren't the only threats … just the most common at the moment. Hopefully we will eliminate these threats and create a new list next year."
    4. Top 10 Internet Security Threats
       1. BIND
       2. Vulnerable CGI programs
       3. Remote Procedure Calls (RPC)
       4. Microsoft IIS weakness (Code Red II)
       5. Sendmail buffer overflow
       6. sadmind (Solaris) and mountd
       7. Global file sharing (SirCAM)
       8. User IDs / passwords (SirCAM)
       9. IMAP and POP
       10. Default SNMP
    5. SirCAM
       • Damage: releases or destroys sensitive information
       • Distribution: mass mailing to email addresses found in the address book; an infected computer writes to unprotected Windows shares on the network
       • Exploit: global file sharing and weak passwords
    6. Code Red II
       • Damage: installs "backdoors" on the infected web servers that allow any remote attacker to further compromise the system
       • Distribution: scans for vulnerable hosts to infect
       • Exploit: buffer overflow in the Index service that comes with IIS (installed by default)
    7. The Implications 1
       1. Self-sufficiency and self-learning: they do not rely on the email system to spread, but scan for the next victim on the network
       2. Optimised for high efficiency: Code Red II spreads much faster than the previous Code Red by using a more intelligent algorithm to select victim IP addresses; more and more adaptive, and just the start of a greater attack
       3. Unpatched systems hinder total suppression
    8. The Implications 2
       4. Remote exploit: a hacker can run commands on the system without having to access it directly
       5. Allow further attack: they broadcast to the Internet which servers are vulnerable to these flaws, letting others attack the victims by other means
       6. Next victims: hackers will find ways to attack more critical components such as routers and network equipment
    9. Potential Threats 1
       • When the old tricks can win the new game: variants exploiting the same old vulnerability
       • When we break our firewall perimeter: remote VPN, wireless LAN
       • When the trust fails: mobile workers, contractors and guests
    10. Potential Threats 2
       • When one thinks he has done enough: "I can just reboot the server when it is defaced by Code Red"
       • When nobody cares about the others: "Why patch? The infection does not hurt me …"
       • When it is too late by the time I know
    11. Technical Controls
       • Protection
         - Protect the network outside the firewall as well as inside it
         - Control outgoing connections as well as incoming ones: avoid Trojans; avoid the spread of worms from infected internal machines
         - Wireless LAN: employ a secure channel
         - LAN: control cable taps (hard job!)
    12. Technical Controls
       • Protection (cont.): tighten all access control and password control IMMEDIATELY
       • Detection: check server integrity; scan the internal network for vulnerabilities; install an intrusion detection system
       • Correction: backup and recovery
    13. Management Controls
       • Server patch management (not easy): effective information asset management; ongoing patch and change management
       • Scan all incoming notebooks (not easy)
       • Manage and scan remote PCs (hard!)
    14. Detection and Reporting
       • Development of detection, analysis, warning and response capabilities in corporate and governmental environments
       • Crisis management
       • Legislation framework
    15. Lack of Resources and Expertise
       • Outsource information security management
    16. Lessons Learned
       • Our individual security depends on our mutual security
       • The consequences of failure could drive your company out of business
    17. References
       • Top 10 Internet Security Threats 2000, http://www.sans.org/topten.htm
       • Code Red, Code Red II, and SirCAM Attacks Highlight Need for Proactive Measures, http://www.gao.gov/new.items/d011073t.pdf
       • Code Red II Worm Analysis Update, http://www.incidents.org/react/code_redII.php
    18. Q & A
       • Thank You