Page 18 Oct 2004

IT Security AwarenessDangers in the Networked World

Lai Zit SengNUS School of Computing

Page 28 Oct 2004

Topics

• History: Recent Worms• What is Security• Why Worry• What’s Happening in SOC

Page 38 Oct 2004

History – Code Red

• Struck on 12th Jul 2001– Public announcement on 17th Jul 2001– CERT announcement on 19th Jul 2001, and again

on 26th Jul 2001• Exploited buffer overflow in IIS

– CERT published advisory on 19th Jun 2001– Patch available from MS since 18th Jun 2001

• Estimated $2B in damages (Aug 2001)– Source: Computer Economics (quoted by

NewsFactor.com)

Page 48 Oct 2004

History – Slammer Worm

• Struck on 25th Jan 2003• Infected 75K hosts• Our own NUSNET “melted down” for hours

– Elsewhere: Disrupted ATMs, 911 systems• Exploited MS-SQL and MSDE vulnerabilities

– Patch available from MS since 10th Jul 2002– CERT advisory 29th Jul 2002

• Estimated US$1B in damages– Source: Mi2g

Page 58 Oct 2004

History – W32/Blaster

• Struck on 11th Aug 2003• Exploits RPC vulnerabilities

– CERT advisory on 17th Jul 2003– Patch available from MS since 16th Jul 2003

• Unprecedented damages– Mi2g estimates $32.8B in economic damages

(together with other malware of Aug 2003)

Page 68 Oct 2004

History – Other Incidents

• Apache/mod_ssl worm– CERT advisory 14th Sep 2002– Vulnerability published by CERT since 30th

Jul 2002• Nimda worm

– CERT announced 18th Sep 2001– Exploits vulnerability for which patch

available from MS since 29th Mar 2001

Page 78 Oct 2004

Security Triad

• Confidentiality: Ensuring that data contained in an information system is accessible only to those authorized.

• Integrity: Ensuring that data contained in or functions carried out by an information system is correct.

• Availability: Ensuring that an information system is accessible to those authorized to use it.

Page 88 Oct 2004

Why Worry

• Advances in technology: Convenience, cost, availability

• Pervasiveness of networked computing• Network convergence: Single network

for Voice, Video and Data• Human Issues:

– Social Engineering

Page 98 Oct 2004

Why Worry – cont’d

• Infrastructure/Operations– ATMs, Power Grid etc exposed to Internet

• Various risk exposures: Confidentiality, Integrity, Availability

• Zero-Day exposures• Phishing attacks• Risks are outstripping safeguards

Page 108 Oct 2004

Changes in Intrusion Profile

1988• Exploiting passwords• Exploiting known

vulnerabilities

Today• Exploiting protocol flaws• Examining source code

for security flaws• Abusing public servers• Installing sniffers• Source address

spoofing• DoS, DDoS• Widespread automated

scanning

Page 118 Oct 2004

Page 128 Oct 2004

Incidents Reported to CERT/CC

985921756

52658

82094

137529

0

20000

40000

60000

80000

100000

120000

140000

1999 2000 2001 2002 2003

Incidents Reported

From: CERT/CC Website

Page 138 Oct 2004

How many incidents?

0%10%20%30%40%50%60%70%80%

1999 2000 2001 2002 2003 2004

> 10 Incidents6 - 10 Incidents1 - 5 Incidents

From: 2004 CSI/FBI Computer Crime and Security Survey

Page 148 Oct 2004

How many incidents from Outside?

0%

10%

20%

30%

40%

50%

60%

1999 2000 2001 2002 2003 2004

1 - 5 Incidents6 - 10 Incidents> 10 Incidents

From: 2004 CSI/FBI Computer Crime and Security Survey

Page 158 Oct 2004

How many incidents from Inside?

0%

10%

20%

30%

40%

50%

60%

1999 2000 2001 2002 2003 2004

1 - 5 Incidents6 - 10 Incidents> 10 Incidents

From: 2004 CSI/FBI Computer Crime and Security Survey

Page 168 Oct 2004

SOC IDS Activity

Statistics for 1st Oct 2004:• 238155 IDS log entries• 42578 runs of portscanning activities• 12908 incidences of Windows/SMB

traffic anomaly• 209 accesses to our honeypot

Page 178 Oct 2004

SOC Network VA Statistics

As on 8th Oct 2004:• 37 machines denied network access

(due to enforcement)• 185 critical vulnerabilities unfixed

Page 188 Oct 2004

Security Lab

• Objective:– Enable learning and experimentation relating to IT

Security– Setting up experiments and playground for anyone

interested in IT Security– Activities relating to SIG^2 NUS Chapter

• Servers, desktop computers and network equipment

• Look out for upcoming news

Page 198 Oct 2004

Questions and Answers

Lai Zit SengEmail: laizs@comp.nus.edu.sg