Cybercrime

Presentation by Charl van der Walt, Jaco van Graan and Roelof Temmingh at ICM in 2000.

The presentation begins by giving an overview of what hackers are, what they do and what drives them. Security fundamentals such as encryption and the four pillars of information security are discussed. The presentation ends with discussions on the security process and security certification.

Presentation Transcript

  • CYBERCRIME - charl van der walt, jaco van graan, roelof temmingh
    • 1. INFORMATION SECURITY AWARENESS Jaco van Graan
    • 2. PROFILING THE ENEMY Roelof Temmingh
    • 3. SECURITY TRENDS AND STATISTICS Charl van der Walt
    • 4. INFORMATION SECURITY FUNDAMENTALS Charl van der Walt
    • 5. SECURITY DEMONSTRATED SensePost Information Security
    • 6. THE INFORMATION SECURITY PROCESS Jaco van Graan
    • 7. INFORMATION SECURITY CERTIFICATION Charl van der Walt
    • 8. THE BOTTOM LINE Jaco van Graan
    AGENDA CYBERCRIME charl van der walt jaco van graan roelof temmingh
  • INTRODUCTION
    • About the speakers
      • jaco van graan
      • charl van der walt
      • roelof temmingh
    • Objective
    • Approach
    • References:
      • http://wips.sensepost.com/misc/cybercrime.zip
      • http://www.sensepost.com
      • [email_address]
      • [email_address]
      • roelof@sensepost.com
    CYBERCRIME jaco van graan
    • 1. The Age of the Net
    • 2. Threats and Risks in IT
    • 3. Examples
    • 4. What’s this hacking stuff?
    • 5. What do hackers do?
    • 6. But why hack?
    • 7. Why they do it
    • 8. Security Breaches in the past 12 months
    AGENDA INFORMATION SECURITY AWARENESS jaco van graan
  • Age of the Net...
    • Global village
    • Information overload
    • Evernet
    • E - Commerce
    • Removing the middleman
    • Information replaces inventory
  • Threats and Risks in IT
    • Lack of security in IT
    • Networks transfer data without security
    • System administrators are trusted (completely)
    • Theft
    • People
      • Untrusted, Outsourcing
    • Internet designed with open architecture
    • Hacking
  • What’s this hacking stuff?
    • “Hacker”
      • clever programmer
      • Enjoys learning details of a programming language or system
      • Enjoys actually doing the programming rather than just theorizing about it
      • Capable of appreciating someone else's hacking
      • Picks up programming quickly
      • Expert at a particular programming language or system, as in “UNIX hacker”
  • What hackers do:
    • Steal
      • information - to use and to sell
      • money from accounts
      • goods through e-buying
      • resource - time and equipment
    • Talk
    • Leave backdoors open
    • Launch new attacks
  • But why hack?
    • Fun
      • technical challenges
      • curiosity
      • harmless pranks
      • thrills
    • Emotional
      • pride
      • hate
      • revenge
      • psychological
  • How do they do it?
    • Social engineering
    • Networking
    • Resources from the web...
  • Security breaches past 12 months
  • TRENDS & STATISTICS
    • 1. Statistics on Commercial Crime
    • 2. Statistics on Computer Crime
    • 3. Computers and Commercial Crime
    • 4. The value of Trends and Statistics
    • 5. Trends in Computer Security
    • 6. Determining your own Risk Profile…
    SECURITY TRENDS & STATISTICS charl van der walt
  • Statistics on Commercial Crime
    • Commercial crime up 3.5% from last year
      • R 3.4 billion in the first half of '99 alone
    • 84.3% of cases involved fraud
      • 25,000 incidents
      • R 2.9 billion
    • Gauteng ranks first in South Africa for commercial crime
    • www.saps.org.za
  • Statistics on Computer Crime
    • 61% of the organizations surveyed have experienced losses due to unauthorized computer use.
    • The average loss from theft of proprietary information is over $1.2M .
    • The average loss from data or network sabotage is over $1.1M .
    • 50% of all organizations surveyed reported insider abuse of net access.
    • FBI / CSI Survey, 1999
  • Statistics on Computer Crime
    • “Just ask Edgars, the clothing retail group, which lost more than R1m after a computer programmer brought down more than 600 stores for an entire day.” Financial Mail - April 2000
  • Threat Distribution - International
      • Theft of proprietary info 20%
      • Sabotage of data or networks 15%
      • Telecom eavesdropping 10%
      • System penetration by outsider 24%
      • Insider abuse of net access 76%
      • Financial fraud 11%
      • Denial of service 25%
      • Virus contamination 70%
      • Unauthorized access to info by insider 43%
      • Telecom fraud 13%
      • Active wiretapping 2%
      • Laptop theft 54%
  • Threat Distribution - RSA (South Africa)
      • Some form of breach 89%
      • Virus incident 87%
      • Theft of equipment 80%
      • E-mail intrusion 27%
      • Loss of company documents 12%
      • Breach of confidentiality 8%
      • External systems attack 8%
      • Internal systems attack 6%
  • Computers & Commercial Crime
    • KPMG:
    • ‘63% of top-level managers in South Africa rate their company's dependence on IT for the successful running of business as "Extremely High"’
    • Business today simply doesn't run without IT
    • Neither does fraud or other commercial crime
  • The value of statistics
    • Local and International statistics differ
      • “Internal”: 76% vs 6%
      • “External”: 24% vs 8%
    • Statistical methodologies differ
    • Many incidents are never discovered
    • Most are never reported
    • Statistics probably won’t tell you much,
    • Except:
      • Create an awareness
      • Stimulate technology
      • Indicate trends
  • Trends in IT security
    • The industry is typically technology driven:
    • Host Security
    • Firewalls
    • Virus scanners
    • Proxies
    • VPN
    • Content Scanners
    • Intrusion Detection
    • Hacker-in-a-Box
    • Host Security
    • File Security
  • Determining your own risk
    • The magnitude of the risk is a product of the value of the information and the degree to which the vulnerability can be exploited.
  • PROFILING THE ENEMY
    • 1. Media and "hackers" - utter confusion
    • 2. The intellectual and emotional makeup of a good "hacker"
    • 3. Types of "hackers"
    • 4. What motivates "hackers"?
    • 5. The real threat - should we be worried about "hackers"?
    PROFILING THE ENEMY roelof temmingh
  • SECURITY FUNDAMENTALS
    • 1. Understanding the Internet
    • 2. The four Pillars
    • 3. Control Methods
    • 4. More about Encryption
    • 5. Security Technologies
    • 6. Security Products
    • 7. Case Study
    INFORMATION SECURITY FUNDAMENTALS charl van der walt
  • Understanding the Internet
    • Host
    • Network
    • LAN
    • WAN
    • Internet
    • Protocol
    • IP
    • Packet
    • Server / Service
    • Port
  • Four Pillars of Information Security
    • Access Control
      • Control who may and who may not access data
    • Confidentiality
      • Ensure data is viewed only by intended audience
    • Integrity
      • Ensure data is not changed by unauthorized parties
    • Authenticity
      • Ensure that data originated where you think
    • #5 - Availability
      • Ensure data is there when you need it
  • Security Control Methods
    • Information Security Policy
    • Sound system design
    • Access Control
      • Physical
      • Network
      • Operating System
      • Application
    • Encryption
    • Audit and Review
  • More about Encryption
    • Encrypt
      • Convert information into unreadable format
        • Crypto-Text
    • Decrypt
      • Change data back to normal format
        • Clear-Text
    • Algorithm
      • Steps followed to encrypt or decrypt the information
    • Key
      • Secret shared between parties
    • Key Length
      • An indication of how hard the key is to guess
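Key length as "an indication of how hard the key is to guess" is easiest to feel with an exhaustive search. The Python below is an added example and not part of the presentation: it keys HMAC-SHA256 (standing in for any algorithm whose only secret is the key) with an n-bit key, recovers the key by trying every value, and extrapolates the measured rate to a 128-bit key. The message and the way the demo picks its secret are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed sample plaintext. The MAC stands in for any keyed algorithm
# whose only secret is the key: the algorithm itself is public.
MESSAGE = b"transfer R1000 from account 4401 to account 9172"


def make_tag(key: bytes, message: bytes) -> bytes:
    """Keyed check value over the message: HMAC-SHA256.
    Everything except `key` is known to the attacker."""
    return hmac.new(key, message, hashlib.sha256).digest()


def key_bytes(value: int, bits: int) -> bytes:
    """Encode an integer key of `bits` bits as a fixed-width byte string."""
    return value.to_bytes((bits + 7) // 8, "big")


def brute_force_key(bits: int, message: bytes, tag: bytes):
    """Exhaustive search: try every `bits`-bit key until the tag matches.
    Returns (key, trials). The worst case is 2**bits trials, which is
    exactly what 'key length' measures."""
    for candidate in range(1 << bits):
        key = key_bytes(candidate, bits)
        if hmac.compare_digest(make_tag(key, message), tag):
            return key, candidate + 1
    return None, 1 << bits


def seconds_to_exhaust(bits: int, seconds_per_trial: float) -> float:
    """Time to try every key of `bits` bits at the measured trial rate."""
    return (1 << bits) * seconds_per_trial


def demo(bits: int):
    """Pick a `bits`-bit key, recover it by brute force and time the search.
    Returns (recovered_correctly, trials, elapsed_seconds)."""
    # Deterministic 'secret' for the demo, placed in the upper third of the
    # key space so the search does real work before it hits.
    secret = key_bytes((1 << bits) - (1 << bits) // 3, bits)
    tag = make_tag(secret, MESSAGE)
    start = time.perf_counter()
    found, trials = brute_force_key(bits, MESSAGE, tag)
    elapsed = time.perf_counter() - start
    return found == secret, trials, elapsed


if __name__ == "__main__":
    for bits in (8, 12, 16):
        ok, trials, elapsed = demo(bits)
        print(f"{bits:2d}-bit key: recovered={ok} after {trials} trials in {elapsed:.3f}s")
    # Extrapolate the measured single-machine rate to a 128-bit key.
    _, trials, elapsed = demo(16)
    years = seconds_to_exhaust(128, elapsed / trials) / (365 * 24 * 3600)
    print(f"128-bit key at this rate: about {years:.2e} years")
```

Each extra bit doubles the worst-case work, so the jump from 16 to 128 bits is a factor of 2**112, not 8. The search is the same no matter how good the algorithm is; that is why the key, not the algorithm, has to be the secret, and why key length rather than algorithm secrecy is the number to ask a vendor for.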
  • Still more about Encryption
    • Public Key Cryptography
      • A special type of encryption using a key pair
    • Private Key
      • Kept strictly secret
    • Public Key
      • Published with a Certificate
    • Certificate
      • A way of linking your Key to your Identity
    • Certificate Authority (CA)
      • Responsible for verifying the Certificate
    • Public Key Infrastructure (PKI)
      • Structures needed to make the process work
  • Security Technologies
    • Firewalls
      • Network Level
      • Application Level
      • Content Level
    • Authentication Systems
      • Something you know
      • Something you have
      • Something you are
    • Encryption Protocols
      • SSH
      • SSL
      • IPSec
    • Intrusion Detection Systems
  • Security Products
    • Firewalls
      • Check Point FW-1 (www.checkpoint.com)
      • NAI Gauntlet (www.nai.com)
      • Linux IPchains (www.linux.org)
    • Authentication Systems
      • RSA SecurID (www.rsa.com)
      • Aladdin eToken (www.aks.com)
    • Encryption
      • Windows EFS
      • Trispen IPGranite (www.trispen.com)
    • Intrusion Detection Systems
      • AXENT NetProwler (www.axent.com)
      • SNORT (www.snort.org)
  • Case Study - www.bluebean.com
    • Use a firewall
      • Restrict access to port 80 and 443 only
    • Use a secure web server
      • Netscape Enterprise 3/6
    • Use SSL to encrypt the connection
    • Use SSL for authentication
    • Data Confidentiality
      • No credit card numbers to foreign sites
    • Use two-factor authentication
      • The BlueBean credit card
    • Account Lockout
    • Potential Weaknesses
      • Credit card number can be guessed
      • User PC could be attacked
      • User could be tricked
      • Cycle through the card numbers, not the PINs?
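The last weakness on the slide, cycling through card numbers rather than PINs, is worth seeing in code. The Python below is an added example and not BlueBean's system: it models a card-number-plus-PIN login with the slide's per-account lockout, runs a vertical guess (many PINs against one card) and a horizontal guess (one PIN against many cards), and then adds an assumed per-source failure cap to show what the lockout alone misses. The accounts, PINs and guess list are constructed.

```python
from collections import defaultdict

# Constructed sample data: card number -> PIN. The card numbers are
# sequential on purpose, the slide's 'credit card number can be guessed'.
ACCOUNTS = {
    "5400000000000001": "7781",
    "5400000000000002": "1234",
    "5400000000000003": "0419",
    "5400000000000004": "1234",
    "5400000000000005": "9052",
    "5400000000000006": "2580",
    "5400000000000007": "1234",
    "5400000000000008": "6673",
}

# Constructed guess list for the attacker: a few PINs people pick often.
COMMON_PINS = ["1234", "0000", "1111", "2580", "1212"]


class LoginService:
    """Card-number + PIN login with the slide's per-account lockout.

    `per_source_limit` is an added control (an assumption, not something the
    slide describes): a cap on failed attempts from one client source,
    counted across all accounts."""

    def __init__(self, accounts, lockout_threshold=3, per_source_limit=None):
        self.accounts = dict(accounts)
        self.lockout_threshold = lockout_threshold
        self.per_source_limit = per_source_limit
        self.failures_by_account = defaultdict(int)
        self.failures_by_source = defaultdict(int)

    def login(self, card, pin, source):
        if (self.per_source_limit is not None
                and self.failures_by_source[source] >= self.per_source_limit):
            return "throttled"
        if self.failures_by_account[card] >= self.lockout_threshold:
            return "locked"
        # An unknown card and a wrong PIN get the same answer, so the
        # response itself does not confirm which card numbers exist.
        if self.accounts.get(card) == pin:
            self.failures_by_account[card] = 0
            return "ok"
        self.failures_by_account[card] += 1
        self.failures_by_source[source] += 1
        return "bad_pin"


def vertical_attack(service, card, source="attacker"):
    """Many PINs against one card: the per-account lockout stops this.
    Returns the PIN if found, else None."""
    for pin in COMMON_PINS:
        if service.login(card, pin, source) == "ok":
            return pin
    return None


def horizontal_attack(service, cards, pin, source="attacker"):
    """One PIN against many cards ('cycle through the card numbers, not the
    PINs'): each account sees a single failure, so lockout never fires.
    Returns the cards that accepted the PIN."""
    return [card for card in cards if service.login(card, pin, source) == "ok"]


def demo():
    # 1. Lockout defeats the vertical guess against one account...
    plain = LoginService(ACCOUNTS)
    vertical = vertical_attack(plain, "5400000000000001")
    # ...but the legitimate owner is now locked out too: lockout is a
    # denial-of-service lever for anyone who knows the card number.
    owner = plain.login("5400000000000001", "7781", "customer")
    # 2. The same lockout does nothing against the horizontal guess.
    horizontal = horizontal_attack(LoginService(ACCOUNTS), list(ACCOUNTS), "1234")
    # 3. A per-source failure cap cuts the horizontal guess short when it
    # comes from one source; spread over many sources it needs a global
    # view of the failure rate instead.
    hardened = LoginService(ACCOUNTS, per_source_limit=3)
    capped = horizontal_attack(hardened, list(ACCOUNTS), "1234")
    return vertical, owner, horizontal, capped


if __name__ == "__main__":
    vertical, owner, horizontal, capped = demo()
    print("vertical attack found PIN:", vertical)
    print("owner login after attack:", owner)
    print("horizontal attack hits:", horizontal)
    print("with per-source cap:", capped)
```

The per-account lockout only counts failures per card, so an attacker who can enumerate card numbers pays one failure per account and never trips it, while the owner of any targeted card is locked out after three wrong guesses by a stranger. A per-source cap helps against a single client but not a distributed one, which is why the slide's first weakness, guessable card numbers, is the one to fix in the design.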
  • SECURITY DEMONSTRATED
    • 1. Connecting to the firewall
    • 2. Using passwords to restrict access to data
    • 3. Using a firewall to protect our servers
    • 4. Using IDS to warn us of attacks
    THE INFORMATION SECURITY PROCESS jaco van graan
  • SECURITY DEMONSTRATED
    • 1. A server is connected to the Internet.
    • 2. Passwords are used to restrict access to the MS file service.
    • 3. A firewall is used to restrict server access to the web service port - 80.
    • 4. An IDS is used to detect and report on attempted attacks on the web server.
    SECURITY DEMO roelof temmingh
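Step 4 of the demo, an IDS reporting attempted attacks on the web server, shown as detection logic run over sample log lines. This is an added example and not the demo's own setup or a Snort rule set: it assumes the web server logs in Apache/NCSA common log format, uses a handful of illustrative signatures, and adds a rate rule so that a scanner probing for scripts is flagged even when no single request matches a signature. The log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import unquote

# Constructed sample web-server log in Apache/NCSA common log format (an
# assumption about the server in the demo). 196.25.1.10 is an ordinary
# visitor; 10.0.0.9 probes for scripts, then tries a traversal to cmd.exe
# and a read of /etc/passwd.
SAMPLE_LOG = """\
196.25.1.10 - - [12/Jun/2000:10:15:01 +0200] "GET /index.html HTTP/1.0" 200 1043
196.25.1.10 - - [12/Jun/2000:10:15:03 +0200] "GET /images/logo.gif HTTP/1.0" 200 2210
10.0.0.9 - - [12/Jun/2000:10:16:00 +0200] "GET /cgi-bin/phf HTTP/1.0" 404 210
10.0.0.9 - - [12/Jun/2000:10:16:01 +0200] "GET /cgi-bin/test-cgi HTTP/1.0" 404 210
10.0.0.9 - - [12/Jun/2000:10:16:02 +0200] "GET /cgi-bin/handler HTTP/1.0" 404 210
10.0.0.9 - - [12/Jun/2000:10:16:03 +0200] "GET /scripts/..%2F..%2Fwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
10.0.0.9 - - [12/Jun/2000:10:16:04 +0200] "GET /../../etc/passwd HTTP/1.0" 403 180
10.0.0.9 - - [12/Jun/2000:10:16:05 +0200] "GET /admin/ HTTP/1.0" 404 210
"""

CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

# Illustrative content signatures, not Snort's rule language. They run over
# the URL-decoded path so that encoded variants such as ..%2F are caught.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "cmd-exec": re.compile(r"cmd\.exe|/bin/sh", re.IGNORECASE),
    "sensitive-file": re.compile(r"/etc/passwd|\.htpasswd", re.IGNORECASE),
}


def parse(line):
    """Parse one CLF line into a dict, or return None for an unparsable line."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["decoded"] = unquote(rec["path"])
    return rec


def analyze(lines, scan_threshold=5, window_seconds=60):
    """Two kinds of detection over a log stream:
    - signature: a known attack pattern in the requested path;
    - rate: `scan_threshold` or more 404s from one source inside
      `window_seconds`, which is what a script-probing scanner looks like.
    Returns a list of alert dicts in the order they fire."""
    alerts = []
    recent_404 = defaultdict(deque)   # source ip -> timestamps of recent 404s
    scan_reported = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["decoded"]):
                alerts.append({"kind": name, "ip": rec["ip"], "detail": rec["path"]})
        if rec["status"] == 404:
            window = recent_404[rec["ip"]]
            window.append(rec["ts"])
            while (rec["ts"] - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= scan_threshold and rec["ip"] not in scan_reported:
                scan_reported.add(rec["ip"])
                alerts.append({"kind": "scan", "ip": rec["ip"],
                               "detail": f"{len(window)} x 404 within {window_seconds}s"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(f"ALERT {alert['kind']:15s} from {alert['ip']:12s} {alert['detail']}")
```

Two points the demo's bullet does not spell out: decode before matching, otherwise the `..%2F` request slips past a literal `../` signature, and keep a rate rule beside the signatures, because the three probes that hit nothing on disk would not trigger any content rule on their own.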
  • THE SECURITY PROCESS
    • 1. Proactive or Reactive?
    • 2. The Process
    • 3. Threat / Risk Analysis
    • 4. Security Policy
    • 5. Planning
    • 6. Implementation
    • 7. Manage & Monitor
    • 8. Internal & External Audit
    • 9. Intrusion Detection
    • 10. Adjust Security Policy
    THE INFORMATION SECURITY PROCESS jaco van graan
  • Proactive or Reactive?
    • Proactive
      • Locate weaknesses
      • Controls in place
      • Long-term cost effective
    • Reactive
      • No or weak controls
      • Try to plug security holes
      • Least effective
      • Costly
  • The Process…
    • 1. Threat/Risk Analysis
    • 2. Security Policy Creation
    • 3. Planning
    • 4. Policy Enforcement/Implementation
    • 5. Monitor & Manage
    • 6. Intrusion detection
    • 7. Security Audit
  • Threat/Risk Analysis
    • Value your assets (information/reputation).
    • Determine the acceptable level of loss.
    • Some losses will inevitably occur.
      • Eliminating ALL losses would be either too costly or impossible.
    • The level of acceptable losses needs to be set
      • dictates how much you are willing to spend on security.
    • Set a time period for the acceptable losses.
  • Security Policy
    • Practical, understandable.
    • Control document.
    • Communicated.
    • Endorsed by management.
    • Applies to all users of infrastructure.
    • Gives security administrator a mandate
    • A security policy helps to define what you consider to be valuable, and it specifies what steps should be taken to safeguard those assets.
  • Planning
    • Enforcement of controls - security policy
    • Select products to ensure compliance
    • Determine required implementation and maintenance skills
    • Evaluate impact on business
  • Planning
    • Resources
      • People
      • Time
      • $$$
    • Evaluate possible security partner
      • Experience: references
      • Financial backing
      • Trust relationship
      • Support: training/skills transfer/SLAs
      • Product range
  • Implementation
    • Remember your exposure!
    • Security partner?
    • Schedule change control - security policy
    • Inform all users / business partners
    • Ensure skill level of implementers
    • Roll back plan
  • Manage & Monitor
    • Physical audit of infrastructure
    • Responsibility handover
      • Security alerts, advisories, bug fixes
      • Equipment load
      • Configuration changes
    • Catch ‘em! (If you can…)
  • Internal & External Audit
    • Collect and evaluate evidence to determine whether a computer system:
      • safeguards assets.
      • maintains data integrity.
      • allows the goals of an organisation to be achieved efficiently and effectively.
    • Security policy as control document.
    • International standards: SAS 70; BS 7799.
  • Internal Audit
    • Compare to internal audit division.
    • Independence, thus not involved in implementation or operations.
    • Report to IT manager.
  • External Audit - Evaluation
    • Organisation
      • Independence
      • References
      • Experience
      • Certification
      • Cost
      • Ethics
      • Services offered
      • Backing: subsidiary/insurance
  • External Audit - Evaluation
    • Methodology
      • Certification/benchmark
      • Audit plan
      • Execution according to plan
      • Report
      • Recommendations & resolution
  • External Audit - Evaluation
    • Resources
      • Business skills
      • Experience: qualification; Certifications; Bodies
      • Individual background
    • The brief… How; What; Where?
      • Type: logical; Physical or social
      • Restrictions / conditions
      • Internal /external
  • External Audit - Evaluation
    • Toolbox.
      • Tool combinations: wider vulnerability exposure.
      • Proprietary or off the shelf.
    • Confidentiality.
  • Intrusion Detection
    • If all else failed…
    • Regular updates.
    • Follow up of intrusion attempts.
    • Play it again, Sam.
  • Adjust Security Policy
    • Recommendations from internal & external audits.
    • New business requirements.
  • SECURITY CERTIFICATION
    • 1. Definition
    • 2. The purpose of Certification
    • 3. Leading standards today
    • 4. Is Certification for you?
    • 5. Choosing the right standard
    INFORMATION SECURITY CERTIFICATION charl van der walt
  • Definition
    • The evaluation of the security of a computer system by a recognised third party. If the system being tested meets all the criteria it receives certification (also called accreditation), which is an indication of the level of security of the system being tested.
  • Objective
    • To enforce structure on your security program
    • A means of assessing your own security
    • A means of measuring against best-of-breed
    • A means of convincing others of your security
  • Leading Standards
    • BS 7799
      • British Standards Institute
      • Outlines 10 controls that must be addressed
      • Uses the c:cure program for accreditation
      • www.bsi.org.uk / www.bsi.org.za
      • www.c:cure.org
    • TCSEC
      • Trusted Computer System Evaluation Criteria
      • “Orange Book”
      • Published by the US National Security Agency
      • Defines different ‘Levels’ of trust
        • Minimal -> Formally Proven
      • www.radium.ncsc.mil/tpep
  • Leading Standards
    • ITSEC
      • Information Technology Security Evaluation Criteria
      • Recognised by most European countries
      • Concentrates on product evaluations
      • Defines different levels (E0 - E6)
      • www.itsec.gov.uk
    • CCITSE
      • Common Criteria for IT Security Evaluation
      • Joint American / European Evaluation Standard
      • Successor to TCSEC and ITSEC
      • Defines ‘levels’ similar to TCSEC, but more flexible
        • Protection Profiles
      • http://csrc.nist.gov/cc/
  • Leading Standards
    • ISO / GMITS
      • Guidelines to the Management of IT Security
      • Published by the JTC
        • Joint Technical Committee of ISO and IEC
      • www.iso.ch
      • www.diffuse.org/secure.html
    • COBIT
      • Control Objectives for Information and Related Technologies
      • Information Systems Audit and Control Association
        • ISACA
      • ‘Business Oriented & Practical’
      • www.isaca.org
  • Leading Standards
    • ICSA
      • International Computer Security Association
      • Commercial Venture represented world-wide
      • Product certification and security assurance services
        • TrueSecure
      • Internet focused
      • www.icsa.net
    • Ernst & Young SAS70
      • Statement of Auditing Standards # 70
      • American version of a similar international standard
      • Specifically for the outsourced environment
      • Business focused
      • www.ey.com
  • Is Certification for you?
    • Yes, if:
      • You’re a large corporation
      • You’re publicly owned
      • You offer IT-based services to clients
      • You have legal obligations
      • You’re comfortable with formal processes
    • No, if:
      • You have a small, manageable infrastructure
      • Your only responsibility is to yourself
      • You have an informal culture and strong skills
      • You believe certification will make you secure
  • Choosing the right standard
    • Recognition
      • Respect in your target market
    • Focus
      • Support for your own security objectives
    • Local Presence
      • A program that can be certified in SA
    • Total cost
      • Good return on investment
    • Overhead
      • Reasonable implementation time and life-span
    • Impact
      • A tangible effect on your systems
  • THE BOTTOM LINE
    • 1. Take security seriously
    • 2. Don’t panic!
    • 3. Value your information
    • 4. Evaluate your risk
    • 5. Be requirement driven, not technology driven
    • 6. Enable your business
    THE BOTTOM LINE jaco van graan