View
50
Download
2
Category
Tags:
Preview:
DESCRIPTION
Beyond Security Awareness!. ALAN PALLER APALLER@SANS.ORG THE SANS INSTITUTE. The Public Is Awakening. editorial on Jan 26 Why the 'China virus' hack at US energy companies is worrisome by John Yemma, Editor - PowerPoint PPT Presentation
Citation preview
ALAN PALLERAPALLER@SANS.ORG
THE SANS INSTITUTE
Beyond Security Awareness!
The Public Is AwakeningThe Public Is Awakening editorial on Jan 26Why the 'China virus' hack at US
energy companies is worrisome by John Yemma, Editor
“The stakes in the global cyber-war are at least as high as those in the global war on terror.”
2
Four years building to public Four years building to public outrageoutrageAugust 29, 2005: Titan Rain
August 17, 2006: Gen. Lord Confirms
3
Major General William Major General William LordLord“China has downloaded 10 to 20 terabytes of data from the NIPRNet”
“They’re looking for your identity so they can get into the network as you,”
“There is a nation-state threat by the Chinese.”
Maj. Gen. William Lord, director of information, services and integration in the Air Force’s Office of
Warfighting Integration and Chief Information Officer
August 21, 2006 Government Computer News “Red Storm Rising”
October 6, 2006: Commerce BIS DivisionThe federal government's Commerce Department admitted Friday that heavy attacks on its computers by hackers working through Chinese servers have forced the bureau responsible for granting export licenses to lock down Internet access for more than a month. 4
Four years building to public Four years building to public outrageoutrageDec 1, 2007: 300 British Companies
Apr 8, 2009: The Grid
5
Four years building to public Four years building to public outrageoutrageJanuary 15, 2010Google & more
January 25, 2010: Oil Companies
6
The Big One We’ve Been The Big One We’ve Been ExpectingExpecting
7
YOUR BANK ACCOUNTYOUR BROKERAGE ACCOUNT
YOUR PEACE OF MINDYOUR JOB SECURITY
How Do These Attacks Threaten You?
8
Your Bank Account
Attacker: Opens accounts in most banksYou: Get your machine infected (we’ll come back
to how you did that)Attacker: Installs keystroke loggerYou: Visit your bank site and sign onAttacker: Captures your keystrokes; sends the
data to his server; signs on to your account; moves money to his account in the same bank; takes your money away
Big difference: personal account; business account
9
99
Your brokerage account
Attacker: Buys a lot of shares in a penny stockYou: Get your machine infected (we’ll come back to
how you did that)Attacker: Installs keystroke loggerYou: Visit your brokerage site and sign onAttacker: Captures your keystrokes; sends the data
to his server; signs on to your account; sells your shares; uses your money to buy the penny stock causing the price to rise sharply; moves money to his account in the same bank; takes your money away.
Called pump & dump
10
10
Your Peace of Mind
You: Get your machine infected (we’ll come back to how you did that)
Attacker: Installs attack software or denial of service tool or spam generation tool
Attacker attempts to penetrate DoD using your computer, or denies service to a commercial site using your computer, or sends out 300,000 spam messages.
At 3 AM one night, the FBI knocks on your door asking why you are attacking DoD, or attacking a commercial web site, or sending spam.
An event you don’t forget.
11
1111
Your Job Security
You: Get your machine infected (we’ll come back to how you did that) – especially by the Chinese
The attacker waits until you use your credentials to sign on to DoE’s systems.
The attacker uses your access to gather data, infect other systems, and leave back doors.
The attack is discovered and traced to your machine.
You are asked to explain why you signed into DoE with an infected system – your answer affects your career
12
12
How Did Your System Get Infected?
13
… and the big one: Application AttacksPlaces you visitJanuary: 87,000 web sites infected and infecting visitors who trusted them.
14
14
Email with attachments
Osama was captured this morning – see attached pictures of him in custody
The Department has just agreed to a 14% cutback in staff, the attached spreadsheet shows which groups are going to have to give up the most positions
Britney Spears caught in an embarrassing position
Give money to victims of the Pakistan floodMany, many more.
15
15
Email you respond to
Spear Phishing - Victims being attacked while doing what they should
be doing
What’s wrong with this hypertext url?
http://www.microsoft.com/security
16
16
How Spear Phishing works
An e-mail arrives from your security officer saying:
“ Microsoft has given us a heads-up about a major new vulnerability. They won’t be making the patch public until tomorrow but have offered us early access to the patches. Before you leave work today go to the following Microsoft site and download the new patch
http://www.microsoft.com/security/alert-windows.mspx
17
17
Why it went to the wrong place: html code was actually:
<a href="http://www.hackersite.com"> http://www.microsoft.com/security/alert-windows.mspx </a>
Would it have fooled anyone in your organization?
18
18
Subcommittee on Emerging Threats, Cybersecurity, and Science and TechnologyApril 17, 2007 Chairman: Jim Langevin "We don't know who's inside our networks. We don't know what information has been stolen. We need to get serious about this threat to our national security."
State Dept witness: Don Reid, Senior Coordinator for Security Infrastructure
Commerce Dept witness: Dave Jarrell, Manager, Critical Infrastructure Protection Program
Setting the stage
19
Two responsesCommerce
1. No idea when it got it in, how it got in, or where it spread
2. Took 8 days to filter (ineffective)
3. Unable to clean the systems; forced to replace them
4. Do not know whether they have found or gotten rid of the infections
State
1. Detected it immediately
2. Put effective filter in place within 24 hours; shared filter with other agencies
3. Found two zero-days
4. Helped Microsoft and AV companies create patches and signatures
5. Cleaned infected systems, confident all had been found
20
What was the difference?
Was it tools? No Almost same commercial tools – Commerce had
more commercial IPS/IDS
Was it skills? Yes Commerce – only experience was firewall
operations not even firewall engineering. No training other than prep for Security + and later for CISSP
State – experience and training in forensics, vulnerabilities and exploits, deep packet inspection, log analysis, script development, secure coding, reverse engineering. Plus counter intelligence. And managers with strong technical security skills.
21
Which skills matter most?
Security skills: System forensics; network forensics and deep packet
inspection; Windows, UNIX, and PDA defensive configuration; log analysis; script development; exploits and penetration testing; secure coding; reverse engineering. Plus counter intelligence.
Foundations: Networking and network administration; computer
operations and system administration; Java and C/C+ programming including the 25 most dangerous programming errors
22
Is Any Country Investing In Developing These Skills?
Wicked Rose
Key weapons in future wars will be people with advanced, technical cyber security skills
23
Where do we find the people with skills?
1. Pathways to Professionalism – A Federal Initiative
Security officers may continue in their positions after one year only if they master one of four key technical areas in security.
2. The US Cyber Challenge
24
Can the Cyber Challenge Find Highly Talented Young People?
25
Q. You're in your senior year in high school -- had you already taken computer courses at school?A. I enrolled to take Introduction to Programming this year, but they cancelled it; they couldn't find a suitable teacher.
Q. How do people demonstrate and test their skills if they do not have the opportunity to play in the NetWars rounds?A. There aren't many options for kids with lots of cyber skill to be able to exercise and further develop those skills. Most would just simply target random servers and hack illegally, so it was great that I found NetWars.
26
Who is supporting the US Cyber Challenge?
FBI NSA DHS
27
Seven Levels
Cyber Foundations
Cyber Patriot Cyber Defense Competition
The Security Treasure Hunts
NetWars
The Cyber Camps
Collegiate Cyber Defense Leagues
Internships and Scholarships
28
Questions?
29
Recommended