Computerworld Conference (2002)


Published on

Computerworld Conference (2002)

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Computerworld Conference (2002)

  1. 1. Hackers Why? Who? What do they want? Where are you most vulnerable? SKEEVE STEVENS [Former(?) Hacker] I.T Security Consultant Specialising in Security Theory, Trends, Policy, Disaster Prevention Email: Copyright © 2002 by Skeeve Stevens All Rights Reserved
  2. 2. ! Australian Computer Crime and Security Survey (May 02) n  ACCS Survey (only every survey of its kind in .au) reports more than 67% of respondents have been attacked/hacked during the 2001 period – 7% higher than the U.S in the same period. ! InternetWeek n  50% of U.S Corporations have had 30 or more penetrations n  60% lost up to $200K/intrusion ! Federal Computing World n  Over 50% of (U.S) Federal government agencies report unauthorised access (some are massive numbers) ! FBI/Computer Security Institute n  48% of all attacks originated from within the organization ! WarRoom Research Survey n  90% of Fortune 500 companies in the U.S surveyed admitted to inside security breaches ! Very few companies will talk. Too much fear of losing investor confidence and perhaps panicking the customer base (i.e. banks) Networks Under Assault
  3. 3. Why? - Hacker Motivations ! There are many different motivations to hack n  Experimentation and desire to learn n  “Gang” mentality n  Psychological needs (i.e.. to be noticed?) n  Misguided trust in other individuals n  Altruistic reasons n  Self-gratification n  Revenge and malicious reasons n  Emotional issues n  Desire to embarrass the target (many reasons) n  “Joyriding” n  “Scorekeeping” n  Espionage (corporate, governmental) n  Criminal – Stalking, Intimidation, Hostage, Blackmail
  4. 4. Types of Hackers Shades of Grey - Are all Hackers Bad? ! Black Hats (The Bad Ones) n  Professional Crackers (Crime Gangs) n  Corporate Espionage (Criminal in a suit – more common than companies realise – everyone has a competitor.) n  e-Terrorists (with or without a motivation [eco-hackers]) n  ? ! White Hats (The Good Ones) n  Corporate Security n  Tiger Teams (with reputations – ISS) n  Big 5 Audit/Testing Teams (PWC, etc) n  Law Enforcement Hackers / Military eSecurity ! Grey Hats (The Not-so-Bad / Not-so-Good Ones) n  Depends who’s paying n  Freelancers – to the highest bidder, which can include LEAs
  5. 5. Who are the Hackers? ! 49% are inside employees or contractors on the internal network ! 17% come from dial-up (still inside people) ! 34% are from Internet or an external connection to another company of some sort ! The major area of financial loss in hacking is internal: more money is lost via internal hacking and exploitation (by a factor of 30 or more) ! Most of the hacking that is done is from technical personnel in technical positions within the company
  6. 6. Perimeter Security Is Not Enough ! Even the best perimeter firewall can be breached ! What happens to your corporate assets if the perimeter is breached? ! What protects your internal network if the perimeter security fails? Most Businesses = Nothing ! How do you know you have been breached? Most Businesses = Never Know INTERNET Firewall External Router Internal Servers Production Network Desktops Workstations
  7. 7. Perimeter Security Is Not Enough ! Many companies with “insider access” - dissolve the perimeter protection (firewalls): n  customers, consultants, contractors, temps, supply chain partners, employees – unhappy / rogue (espionage) / snoopy (the curious/ambitious) / terminated (fired) ! Many widely disseminated vulnerabilities, backdoors, firewall holes, firewall pole vaults - such as dial-up modems, shareware password crackers ! Majority of breaches and financial losses - from those with “insider access”
  8. 8. Typical Inside Network Attacks ! Insider attack ! Social engineering ! Virus infiltration ! Denial of Service ! OS or application bug ! Infiltration via passwords ! Infiltration via “no security” ! Spoofing ! Trojan horse ! Brute force ! Stealth infiltration ! Protocol flaw or exploit
  9. 9. Biggest Mistakes in Internal Security ! Everybody trusts everybody ! “Any” theory: “We don’t have anything anyone would want anyway” – never true ! No internal monitoring of any kind ! No internal intrusion detection ! No internal network isolation methods ! No separation of critical networks or subnetworks via VLAN or VPNs ! Infrastructure ignorance
  10. 10. Network Security IS a Serious Issue ! $202 Billion Lost every year by companies to “e-Crime” in the US, Australian/rest of the world statistics are hard to estimate. ! 90% of e-Crime financial losses are INTERNAL ! U.S. Government alone will experience over 300,000 Internet attacks this year, Australian Government has not publicised any numbers ! Hundreds of thousands of websites contain some form of Hacker Tools / Information ! e-Crimes are estimated to take place every 20 seconds...
  11. 11. eSecurity / Hacking Insurance Policies ! Yes, you can actually buy hacking insurance policies for some situations ! One level allows for liability reduction due to protective measures taken (What sort of firewalls / policies / operating systems / training / etc…) ! Another provides a vendor security warranty level of assurance ! Others on their way…
  12. 12. ????????????Future Server Threats ! Digital Nervous System components ! Infrastructure Dependencies n  Index Server/LDAP Servers n  Terminal Server with thin clients n  Exchange servers being used for office and workgroup flow applications n  DNS and other naming services servers n  Voice over IP (VoIP) n  Telephony servers for desktop telephony n  Netmeeting / Video collaboration servers n  NT servers being implemented in factories and industrial networks for process control. These require real-time network security features ! Home implementations for broadband/DSL access ! Small business via broadband/DSL access ! Seasonal threats (holiday hacker gangs)
  13. 13. $ Information Store A company’s most valuable assets are on its Information Store An attack on your Information Store can result in: Loss of access Loss of data integrity Theft of data Loss of privacy Legal liability Loss of Confidence (Owners/Stock market/Customers) Financial Loss (Fraud) Financials HR Records Patient Medical Records R&D Information Legal Records
  14. 14. Summary (I) ! It is a matter of “when” not a matter of “if” you will be attacked or hacked - the statistics are against you ! Internal network security is still the most pervasive corporate threat ! Many different levels of security are necessary to deal with the threats ! Apply internal security in proper measure to meet the actual or perceived threat environment
  15. 15. Summary (II) ! A Hacker can be anyone – an employee with a grudge, a contractor, a family member. They just want something they are not supposed to have. ! Hacking is gaining access to anything you shouldn’t have access to, using means you shouldn’t be using (illegal?) ! eSecurity is as important as real security. If you have a security guard to protect you, you should have an eSecurity guard. ! Many different levels of security are necessary to deal with the threats