1. The Trials of Information
& Communication
Systems Security
Presented by
Ian A. Murphy, Pres. & CEO
IAM / Secure Data Systems,Inc.
5. YOU ARE ON TRIAL EACH AND EVERY DAY!
HACKERS, CRIMINALS, CURRENT & EX-EMPLOYEES
ARE OUT TO GET YOU & YOUR SYSTEMS!
6. YOU ARE BEING BURIED UNDER A SEA OF TECHNOLOGY!
YOU HAVE NO IDEA AS TO WHAT TO DO OR HOW TO DO IT!
VENDORS ARE TELLING YOU THAT THEY ARE THE
END ALL OF YOUR SECURITY PROBLEMS!
HOW ARE YOU GOING TO DEFEND YOURSELF?
AND THE ENEMY IS BETTER EQUIPPED THAN YOU!
7. “WE HAVE PASS CARDS,
WE HAVE DISKS,
WE HAVE NO IDEAS
AS TO
WHAT TO FIX!”
THIS IS THE CRY OF THE
INFORMATION SECURITY
MANAGER IN YOUR
COMPANY!
9. THEY ARE HAVING A PARTY! AND YOU ARE NOT INVITED!
AND THE WORST PART IS THAT YOU ARE PAYING FOR IT!
10. TECHNOLOGY IS CHANGING EACH
AND EVERY DAY!
WHAT DO YOU KNOW OF THE NEW
TECHNOLOGIES THAT ARE HERE
TO PROTECT YOUR SYSTEMS AND
YOU?
11. YOUR OWN USERS WON’T
LISTEN TO REASON, FOR ANY
REASON AT ALL!
12. Your users are basically very lazy!
They will not listen to your request to maintain any form of security!
You must learn security yourself!
DO YOU KNOW WHAT YOU ARE DOING?
13. TO GET YOUR USERS TO LEARN SECURITY
AND TO USE THE SECURITY MEASURES
IS SHEER TORTURE!
14. Searching through the worlds
of technology, you forever seek
Knowledge
15. Seeking knowledge at:
Conferences
Industry Magazines
Vendor Contacts
Big 6 Houses
Other Mainstream
Intelligence Sources
WHY? THEY DO NOT PROVIDE THE LATEST
INTELLIGENCE KNOWLEDGE!
16. OR YOU SEE SOMETHING AS
SILLY AS THIS CRAP AND
YOU BUY IT BECAUSE IT SAID...
17. AND YOU LISTEN TO ALL THESE
VENDORS LIKE A SCHOOL CHILD
READY TO ACCEPT ANYTHING!
18. YOU FEEL
LIKE A
CLOWN!
AND SENIOR
MANAGEMENT
WANTS THE
ANSWERS.
NOW!
19. SO WHAT DO YOU
DO?
YOU RUN TO THE
FINISH LINE AND
YOUR COACH AT
THE END OF THE
RACE!
BIG SIX???????????
ARE YOU NUTS???
21. BIG 6 ACCOUNTING HOUSES
ARE JUST THAT!
THEY ARE ACCOUNTANTS!
22. BIG SIX
INFORMATION SECURITY &
RISK MANAGEMENT
CONSULTANTS!
FIRMS
23. AND YOU GO THROUGH LOTS
OF MEETINGS TO DISCUSS WHAT?
24. YOU ARE PAYING
FOR ALL OF THIS!
BUT YOU
ARE
GETTING
THIS!
25. SO THE STATEMENT THAT FITS
PERFECTLY WHEN THEY
CALL YOU FOR A “CLIENT”
CONTACT MEETING!
BEAM ME UP SCOTTY!
THERE’S
NO INTELLIGENT
LIFE HERE!
26. CREATION OF YOUR
OWN DATA SECURITY
PROGRAM IS NOW,
“BROUGHT TO YOU BY”
HACKERS, CRACKERS
&
THIEVES
A FULL SERVICE TECHNOLOGY GROUP, INC.
27. WITHOUT YOUR
OWN WORKING,
REALISTIC,
INFOSEC
POLICIES, YOU,
YOUR SYSTEMS,
AND YOUR
INFORMATION
ARE ON A SHIP
OF FOOLS,
SINKING FAST!
32. Lack of the overall view of security
No Total Control of Security Capability
High Administration & Monitoring Costs
Lack of User Productivity due to Security Procedures
Security Policies are not enforceable enterprise wide.
In simple terms, your security program can’t work!
Good Luck! You have a ticket
to ride the I.S.S. Titanic!
33. MOST DIR’S OF CORP. SEC.
ONLY HAVE ONE THING ON
THEIR MIND! N.I.M.B.Y.!
34. WHAT TO WATCH!
TELEPHONE SYSTEMS COMPUTER SYSTEMS
TAPE SYSTEMS BACK-UPS
POWER / HVAC LABOR
NETWORK CONNECTIONS / INTERNET ACCESS
PHYSICAL ACCESS INFORMATION
35. DO YOU HAVE A D.S.O.?
DATA SECURITY OFFICER
NOT A
CORP.
COP!
36. YOUR NEW DATA SECURITY OPS
38. USERS NEVER KNOW, WHEN
UNDER ATTACK! TEACH THEM!
41. WHEN YOU GET ATTACKED
WHAT DO YOU DO?
SHIELDS UP! RED ALERT!
42. YOU HAVE BEEN ATTACKED BY
SOMEONE WHO YOU DON’T
KNOW! WHO DOES NOT CARE
ABOUT YOU! AND YOU ARE
NOW LOOKING FOR A JOB!
43. The minute after you’re attacked!
Your systems are destroyed!
44. After a Security
Breach, your
Hams are ready to
be carved by
Senior
Management!
You have been
exposed to
whatever the
attacker feels like
doing to you!
47. DO NOT CALL THE POLICE!
THEY CAN NOT HELP YOU, YET!
THEY HAVE NO IDEA!
48. THIS IS NO TIME TO FLAME
OUT AND DISCOVER THAT YOU
DO NOT HAVE A PLAN TO DEAL
WITH A LACK OF SECURITY &
COUNTERMEASURES
WAKE UP!
50. IT DOES NOT GET ANY EASIER
TO PLAN FOR AN ATTACK,
THAN NOW! IF YOU DON’T, YOU
CAN EXPECT SOMEONE LIKE
THIS TO COME THROUGH YOUR
NETWORK, OR WORSE!
51. AND YOU MAKE IT
SO EASY TO LEARN
ABOUT YOU ALL
THE TIME!
JUST CALL THE HELP DESK!
54. SO WHAT? YOU WILL LOSE
SOME FRIENDS! BUT YOU
WILL WIN NEW ONES IN
SENIOR MANAGEMENT!
55. SAVED SOME BUCKS !!
BUT IN THE LONG RUN YOU
DISCOVER THAT YOU HAVE...
56. [Diagram labels: V. Circuits, Fax Circuits, Data Circuits, Network Interconnects, Connected Desk Top Units, Connected Servers, Dial-Ups, EDI, Other Networks]
57. NOW FOR SECURITY, YOU COULD USE WHAT WE USE TO
STOP UNAUTHORIZED ACCESS TO OUR INFORMATION!
OR YOU COULD STAY IN YOUR BUDGET!
BUDGET, BUDGET, WHAT BUDGET???????
IAM / SECURE DATA SYSTEMS
58. You are already
bleeding from an
Information
Systems
operations
budget
that is being
slashed each
and every
year.
59. Computer Hacking &
The Future
WE ARE YOUR WORLD!
WE OWN YOUR NETWORKS!
60. AND WHO ARE THESE GUYS?
RETIRED? CIA, FBI, NSA, NIA,
AND OTHER RETIRED SPOOKS!
62. THE HACKER COMMUNITY
STATE OF THE ART SYSTEMS
WELL ORGANIZED.
FREE COMMUNICATIONS.
EMERGENCY BROADCASTS.
FASTER DISCOVERY OF FLAWS.
TRANSMITS ALL INFORMATION
WORLD WIDE IN SECONDS.
63. REWARDS OF HACKING SYSTEMS
YOU COULD
HAVE WON
A LIMITED
EDITION
TEE SHIRT
OR
SWEATSHIRT
64. HACKERS ARE BRIDGING THE
GAPS IN SECURITY FOR YOU
FOR FREE! THEY ARE THE
TESTBEDS FOR YOUR SYSTEMS!
68. INTERNET RESOURCES EXAMPLES
PHRACK MAGAZINE, COMPUTER UNDERGROUND DIGEST,
THE INTERNET UNDERGROUND, HACKERS HAVEN, L0pht
HEAVY INDUSTRIES, TIM’S CLUBHOUSE, LODCOM,
SURFPUNK DIRECTORY, BLACK CRAWLING SYSTEMS,
CLM HACK / PHREAK / SECURITY MAIN, UNDERGROUND,
THE WORLD OF HACKING, LAND OF STUFF, CERT, COAST,
CYBERPUNK RESEARCH LABS, WAR ON THE INTERNET,
THE CRYPT NEWSLETTER, LUNARGUY’S PHUN STUPH,
DIGITAL FREEDOM NETWORK, TAKE OVER THE WORLD,
BONE’S H / P / C PAGE O’RAMA, LOCKPICKING GUIDE,
GARAGE DOOR HACKING, AND MULTIPLE FTP SITES!
69. WE ARE ALL INTERCONNECTED
OR BETTER KNOWN AS:
REACH OUT, REACH OUT
AND HACK / CRASH SOMEONE!
70. Keeping your nose in your own
dish! No More!
• Telecom circuits are growing in vast numbers!
• Telecom providers don’t know how many
circuits they have at any given time. The
Internet Underground knows roughly the
numbers and the capabilities of the circuits.
• You need to perform an audit of all of your
systems, equipment, trash, data & circuits!
71. Our Situation
• What Do We Have To Worry About?
• You Have No Idea!
• What Are You Up Against?
• There is NO Complete Security!
• Only Obstacles!
72. How Did This Happen?
• History of Hacking!
• 8BBS was one of the
first!
• Legion of Doom
• 414’s
• Phrack
• And Now, the Netizens!
73. We are not alone, anymore!
• There is no more real “Big Iron” that
rules! It is all now “Little Iron” rules!
• You have more power on your desk
than 5 years ago! So do they!
• The entire civilized world is
interconnected! Gulp!
• Who “rules” the roost now!
74. NETWORK HELL
• Everyone has a modem! Everyone
can connect with you!
• Who do you and do not let in?
• 45 Million and Counting!
• “This is Mission Control, Internet!”
• The whole world has you in their hands!
75. INTRANETS ARE WAN’S AND LAN’S EXPOSED!
1. INTRANETS ARE NOTHING NEW!
THEY ARE JUST SMALLER NETWORKS!
2. NETWORKS ARE ROADWAYS / HIGHWAYS
TO YOUR INFORMATION!
3. THERE ARE NO REAL TRAFFIC COPS IN ANY NETWORK!
76. WHO TO CALL TO PERFORM A REVIEW!
DO NOT CALL THE BIG 6 ACCOUNTING HOUSES!
THEY HAVE NO REAL TALENT FOR SUCH ACTIONS!
FLUFFY REPORTS, GLAD HANDING AND FALSE ETHICS
ARE NOT WHAT YOU ARE LOOKING FOR, OR WANT TO PAY
FOR! YOU ARE LOOKING FOR REAL RESULTS!
THERE CAN BE NO RULES FOR THE AUDIT! IT MUST BE
“OPEN SEASON” ON YOUR COMPLETE ENVIRONMENT!
THE HACKERS DON’T HAVE RULES WHEN THEY
ATTACK, WHY SHOULD THE AUDITORS HAVE RULES?
REAL PROFESSIONALS ONLY!
77. YOUR CHOICES!
• YOU HAVE TO KNOW YOUR
ENEMY! START YOUR RESEARCH!
• KNOW WHAT YOUR
VULNERABILITIES ARE!
• START TO THINK LIKE THE
HACKERS!
• BECOME YOUR OWN IN-HOUSE
CROOK!
78. CREATE AN IN-HOUSE HACKER
SQUAD!
ISSUE HACKER ALERTS FOR
YOUR COMPANY!
LEARN HOW TO HACK YOUR OWN SYSTEMS
AND TRY TO FIX THE HOLES AND HACK IT
AGAIN!