By Fredrick P. Holborn

1. Theft Happens:
Data Security for
Intellectual Property Managers
Presented by Fred Holborn on behalf of Psiframe, Inc. to the Intellectual Property Society, July 16, 2003.
For more information, visit http://www.ipsociety.net and http://www.psiframe.com.
Copyright  2003 Psiframe, Inc. All Rights Reserved.

2. Today’s Situation
! 92% of large organizations detected computer
security attacks in 2003.
! 75% acknowledged financial losses due to
computer breaches.
! Theft of proprietary information caused the
greatest financial loss - $2.7 Million average.
Source: CSI / FBI Computer Crime and Security Survey, April 2003 http://www.gocsi.com

3. $2.7 Million . . .
! Profit vs. Loss for , Inc?
! $ Annual Interest Expense?
! $ Million in Additional Revenue to Recoup?

4. Founding Premise
“Improve the security of a site
by breaking into it.”
Dan Farmer, 1993
Creator of SATAN
(Security Analysis Tool for Auditing Networks)
Source: http://www.fish.com/security/admin-guide-to-cracking.html

5. Psiframe’s Purpose
! Psiframe enables organizations to Lock Down
Data Systems and Network Security by:
" Performing “Real World” Risk Assessments.
" Identifying Exploitable Vulnerabilities
from an Attacker’s Perspective.
" Recommending “Best Practice” Solutions.

6. Goals and Objectives
! Protect Information Assets through a program of
regularly conducted assessments that quantify
and enable mitigation of unacceptable risks.
! Develop understanding and consensus among
executive and technology leaders to achieve and
validate strong security.

7. Assessing IP Assets on IP Networks
! What are the IP Assets and their values
values?
! What are the actual threats to IP Assets facilitated
by vulnerabilities on Networks?
! What consequences are possible if threats arise?
! What are the probabilities that thefts will happen?
! What safeguards can be deployed?
! What investments are required for safeguards?

8. What’s Vulnerable?
Examples:
! Hardware Devices
! Operating Systems & Applications Software
! Systems Architecture & Configurations
! Data Transmission & Encryption Protocols
! Access Control Methods
! People

9. Reported Hardware & Software Vulnerabilities per Year
Source: Computer Emergency Response Team Coordination Center
http://www.cert.org/present/cert-overview-trends/module-1.pdf
Copyright  1998-2003 Carnegie Mellon University

10. How Did This Happen?
! Internet connectivity is “Open” by design.
! Faith and trust in “Firewalls” is misplaced.
! Software and hardware security remains poor.
! Complexities of systems & network
configurations are “Incomprehensible”.

11. What’s Required for Strong Security?
Awareness?
Assessments?
Budgets?
Compliance?
Resources?
Procedures?
Training?
Policies? Skills?

12. What’s At Risk?
1. Information Assets
2. Business Relationships
3. Network Infrastructure

13. 1. Information Assets At Risk
! Trade Secrets
! Designs & Processes
! Business Plans
! Personnel Records
! Financial Transactions
! Privileged Communications

14. 2. Business Relationships At Risk
! Customer & Partner Data Confidentiality
! Production & Service Quality
! Industry Reputation
! Competitive Advantage
! Regulatory Compliance
! Investor & Stakeholder Confidence

15. 3. Network Infrastructure At Risk
! Authentication & Privacy
! Availability of Systems & Resources
! Customer & Supplier Connectivity
! Functionality of Software Applications
! Integrity of Records & Databases
! Business Continuity

16. Network Security Roadmap
1. Establishing Executive Mandates for Assessments
2. Comparing Audit Methodologies & Deliverables
3. Identifying Exploitable Vulnerabilities
4. Exposing Firewall Circumventions
5. Detecting & Monitoring Wireless Access
6. Revealing Information Leakage & Sources
7. Recognizing Critical Infrastructure & IP Threats
8. Implementing Lock Down & Best Security Practices
9. Maintaining Federal & State Regulatory Compliance
10. Managing Ongoing Processes & Oversight

17. !Establishing Executive Mandates for Strong Security
Source: http://www.ncs.gov/n5_hp/Reports/FINALREP.pdf

18. Comparing Audit Methodologies
1. Policy & Procedure Review
" Determine Existence & Extent of Written Policies
? Can it Prove Policy Adherence or Effectiveness?
2. Automated Scanning Tools & Scripts
" Low-Cost Product Purchase or Outsourced Option
? Can they Combine & Correlate Multiple Findings?
? Do they Produce False Positives?
? Are Validities of Results Affected by Version Currency?

19. Comparing Audit Methodologies
3. “Red Team” Vulnerability, Exploit & Pen. Testing
" Simulates Real-World Scenarios (Many Tools & Methodologies)
" Combines & Correlates Multiple Results (Human Approach)
" Validates Indications in “Day 0” Time
" Determines Actual Risks to Specific Assets
" Proves Existence/Efficacies of Policies & Practices
" Tailors Recommendations to Specific Environments
" Connects IT Leadership with Sr. Management
- Scalability Limited by Availability of Specialists

20. Comparing Deliverables
! Paper Based or Interactive Reports?
! Level of Comprehensiveness?
! Includes Both Vulnerability & Risk Assessments?

21. Psiframe’s RiskPoints™ eDeliverable
RiskPoints is a trademark of Psiframe, Inc.

22. Identifying Exploitable Vulnerabilities
Examples:
! Routers
! Operating Systems
! Service Applications (Mail, FTP, DNS, etc.)
! Web Applications
! Configuration Errors
! Authentication Weaknesses
! People

23. Exploit Example: Router
Cisco IOS Vulnerability & Exploit
# This vulnerability enables eavesdroppers to sniff email and monitor
other traffic while transparently forwarding it to its intended
destination within milliseconds.
! Once privileged (administrative) access to the Client’s router was
gained, Psiframe installed an encapsulated tunnel (Virtual Private
Network) between the router and a Psiframe server on the Internet.
! Using this technique, Psiframe was able to surreptitiously capture
any or all outgoing traffic from the Client's network.

24. Exploit Example: Web Server
Microsoft IIS Vulnerability & Exploit
# This vulnerability enables intruders to deface Web sites, install worms
that attack other sites, or leverage them as stepping-stones to penetrate
back-end systems such as database servers with credit card data.
! Once root access was gained to the Client’s Web server, Psiframe had
full administrative control over all files and configuration settings.
! From the Web server, Psiframe was able to penetrate further and access
other systems on the Client's internal network that “trusted” the Web
server through the firewall.

25. Exposing Firewall Circumventions
! Vulnerable Systems, Services and Software
! Misconfigured Firewalls & Network Topologies
! Dual-Homed Devices
! Modems
! Rogue & Insecure Wireless Access Points

26. Firewall Circumvention Example
?

27. “WiFi” Wireless LANs
! 2003 Worldwide Users: 5 Million +
! Advertised Useable Distance: ~ 300 Feet
! Encryption: None (default) / 40 bit & 128 bit (WEP)
! Authentication: None (default) / Various Types
! User IP Address Assignment: Auto (default) / None

28. “WiFi” Wireless LANs
! “By year-end 2002, 30 percent of enterprises will suffer serious security
exposures from deploying wireless local area networks (WLANs) without
implementing the proper security… At least 20 percent of enterprises
already have ‘rogue’ WLANs attached to their corporate networks,
installed by users looking for the convenience of wireless and unwilling
to wait for the IS organization to take the lead… Fixing the exposure
after a hacking attack cannot recapture lost intellectual property and
sensitive customer information.” — Gartner
Source: http://www.gartner.com/5_about/press_releases/2001/pr20010809b.html

29. Wireless “WiFi” LANs
Potrero Hill, San Francisco
WiFi Access Points
July 1, 2003 Drive Count = 376
! Green: No Encryption
! Red: Encryption (WEP) Enabled
Note: Unpopulated streets not scanned.

30. Exploiting WiFi Range Extension
Intercepting Client Data
1.2 Miles From Source

31. Information Leakage Examples
# Whois: Search Domain Account Holder Records
http://www.xwhois.com
# Dig-It: Query DNS for Host Names & IP Addresses
http://us.mirror.menandmice.com/cgi-bin/DoDig
# Netcraft: What’s That Site Running?
http://www.netcraft.com
# Google: Technical Newsgroup Archives
http://groups.google.com

32. Info Leakage Example: Netcraft
!Source: http://www.netcraft.com

33. Info Leakage Example: Newsgroups

34. Recognizing Critical Infrastructure
! IP Asset Storage Locations & Shared Files
! Authorized Users & Privileges
! Networked Devices & Services
! Access Points
! Interconnections
! Single Points of Failure
! Failover, Backup & Recovery Systems

35. Locking Down With Best Practices
“Best Practices” is a Consensus of Approaches
# SANS Institute
http://www.sans.org/resources
# NSA Security Recommendation Guides
http://nsa.gov/snac
# IETF Site Security Handbook
http://www.ietf.org/rfc/rfc2196.txt
# NIST Computer Security Resource Center
http://csrc.nist.gov
# AICPA Trust Services Principles and Criteria
http://www.aicpa.org/assurance/systrust/princip.htm

36. Maintaining Regulatory Compliance
Examples of New California & Federal Legislation
! Security Breach Information Act
! Notification of Risk to Personal Data Act
# Consult Your Attorney

37. New California Law
This bill, operative July 1, 2003, would require a state
agency, or a person or business that conducts business in
California, that owns or licenses computerized data that
includes personal information, as defined, to disclose in
specified ways, any breach of the security of the data, as
defined, to any resident of California whose unencrypted
personal information was, or is reasonably believed to have
been, acquired by an unauthorized person...
Source: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

38. Proposed Federal Law
A bill to require Federal agencies, and persons engaged in
interstate commerce, in possession of electronic data
containing personal information, to disclose any
unauthorized acquisition of such information. This Act may
be cited as the Notification of “Risk to Personal Data Act”...
Source: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_bills&docid=f:s1350is.txt.pdf

39. Manage Process & Oversight
Strong Security Is Not An Option
! Cultivate C-Level Awareness
! Regularly Assess Risks, Threats & Vulnerabilities
! Provide Administrator Training
! Review Incident Detection, Reporting
& Response Programs

40. Why Leverage Psiframe?
" Real World Scenarios
" Comprehensive Audit Framework
" Impartial & Objective Findings
" Interactive RiskPoints eDeliverable
" Best Practice Recommendations
" Expert Knowledge & Skills Transfer

41. Recommended Actions
1. Involve Board-Level Management
2. Review a Sample Composite Deliverable
3. Request an Engagement Agreement
4. Conduct a “Baseline” Assessment
5. Attend the Findings Presentation
6. Measure Improvement Quarterly

42. Contact
! Fred Holborn
Desk 925.803.4131
Cell 925.876.6903
Email fholborn@psiframe.com
Web http://www.psiframe.com