
Protecting The Digital Economy

David Gerulski
Director of Marketing

Internet Security Systems

Agenda

• Introduction
• E-Commerce Security Drivers
• Developing a Security Policy
• Anatomy of an Attack
• Policy Enforcement
• Enterprise Risk Management
• Security Resources
• Conclusion

ISS Overview

• Headquartered in Atlanta, GA, USA

• Pioneered vulnerability assessment and intrusion detection technology

• Leader in Enterprise Security Management

• Publicly traded on NASDAQ: ISSX

• Industry-leading technology: 35+ product awards

• 1,000+ employee owners worldwide

• Over 300 certified security partners

• Over 7,500 customers worldwide

ISS Market Share

Source: International Data Corporation (IDC), August 1999

Charts: Network Vulnerability Assessment Market; Network Intrusion Detection Market; Network Intrusion Detection & Assessment Market

E-Commerce Security Drivers


Business Is Changing

Source: Forrester Research, Inc.

Yesterday

• Internal Focus: access is granted to employees only
• Centralized Assets: applications and data are centralized in fortified IT bunkers
• Prevent Losses: the goal of security is to protect against confidentiality breaches
• IT Control: the security manager decides who gets access

Today

• External Focus: suppliers, customers, and prospects all need some form of access
• Distributed Assets: applications and data are distributed across servers, locations, and business units
• Generate Revenue: the goal of security is to enable eCommerce
• Business Control: business units want the authority to grant access

The Threat Grows

Source: 1998 Computer Security Institute/FBI Computer Crime and Security Survey

Chart (1996: 38%, 1997: 47%, 1998: 54%)

The Internal Threat Is Real

E-Commerce Issues

Principal Business Drivers

• Increase Revenue

• Increase Profitability

Principal Security Drivers

• Greater Susceptibility to Attack

• Greater Probability of Catastrophic Consequences

• Much Greater “Loss to Incident” Ratio

Our Strength Is Our Weakness

• In Touch With Anyone With a Modem

• Have an International Presence

• Partners Can Now Collaborate

• Leverage Web-based Supply Chain Technologies

• Employees Can Work From Home, at Night, Over the Weekends, and on Holiday

• Application Servers Can Support Entire Divisions

Consequences

• Exposure to Legal Liability

Diagram: DDoS (Distributed Denial-of-Service). Attack traffic from Company A, Company B, University A, Company C and Company D (NT and UNIX hosts) converges through the router onto the UNIX firewall and web server.


Consequences

• Decreased Employee Productivity

• Loss of Intellectual Property & Assets

• Inefficient Use of Resources

• Exposure to Legal Liability

• Decreased Stockholder Equity

• 30 Seconds on CNN

• Damaged Image

Summary

• E-Business is here to stay

• Networks are exposed and under attack

• There’s no more turning a “blind eye”

• It’s a business issue and it should be treated in a business-like manner

• Implement a security program, not a security technology

Developing a Security Policy: A Blueprint for Success

Security Policy

• Blueprint for a Good Security Program

• Standards Based - British Standard 7799

• Management Buy In

• High Level to Technical

• Business Driven Not Vendor Driven

• Non-Static

Enforced Security Policy

• Minimize Exposure to Vulnerabilities

• Prepare for Attacks on Our Systems

• Manage Internal Staff Behavior

• Manage External Access and Activity

• Maintain Appropriate Security Configurations & Response Strategies

• Exploit Built-in Security Features

• Measure and Record Patterns and Trends for Future Security Planning

The Anatomy of an Attack

bigwidget.com

Registrant: Big Widget, Inc. (BIGWIDGET_DOM)
1111 Big Widget Drive
Really Big, CA 90120
US

Domain Name: BIGWIDGET.COM

Administrative Contact, Technical Contact:
Simms, Haywood (HS69) [email protected]
1111 Big Widget Drive, UMIL04-07
Really Big, CA 90210
678-443-6001

Zone Contact, Billing Contact:
Dodge, Rodger (RD32) [email protected]
1111 Big Widget Drive, UMIL04-47
Really Big, CA 90210
678-443-6014

Record last updated on 24-June-2000
Record expires on 20-Mar-2010
Record created on 14-Mar-1998
Database last updated on 7-Jun-2000 15:54

Domain servers in listed order:

EHECATL.BIGWIDGET.COM 208.21.0.7
NS1-AUTH.SPRINTLINK.NET 206.228.179.10
NS.COMMANDCORP.COM 130.205.70.10

~$ telnet bigwidget.com 25

Trying 10.0.0.28...

Connected to bigwidget.com

Escape character is '^]'.

hacker:

hacker:~$

Connection closed by foreign host.

telnet bigwidget.com 143

Trying 10.0.0.28...

Connected to bigwidget.com.
* OK bigwidget IMAP4rev1 Service 9.0(157) at Wed, 14 Oct 1998 11:51:50 -0400 (EDT) (Report problems in this server to [email protected])

. logout

* BYE bigwidget IMAP4rev1 server terminating connection
. OK LOGOUT completed

Connection closed by foreign host.


hacker ~$ ./imap_exploit bigwidget.com

IMAP Exploit for Linux.
Author: Akylonius ([email protected])
Modifications: p1 ([email protected])

Completed successfully.

hacker ~$ telnet bigwidget.com

Trying 10.0.0.28...

Connected to bigwidget.com.

Red Hat Linux release 4.2 (Biltmore)
Kernel 2.0.35 on an i686

root

bigwidget:~# whoami

root

bigwidget:~# cd /etc

bigwidget:~# cat ./hosts

127.0.0.1 localhost localhost.localdomain
208.21.2.10 thevault accounting
208.21.2.11 fasttalk sales
208.21.2.12 geekspeak engineering
208.21.2.13 people human resources
208.21.2.14 thelinks marketing
208.21.2.15 thesource information systems

bigwidget:~# rlogin thevault

login:

thevault:~# cd /data/creditcards

thevault:~# cat visa.txt

Allan B. Smith 6543-2223-1209-4002 12/99
Donna D. Smith 6543-4133-0632-4572 06/98
Jim Smith 6543-2344-1523-5522 01/01
Joseph L. Smith 6543-2356-1882-7532 04/02
Kay L. Smith 6543-2398-1972-4532 06/03
Mary Ann Smith 6543-8933-1332-4222 05/01
Robert F. Smith 6543-0133-5232-3332 05/99

thevault:~# crack /etc/passwd

Cracking /etc/passwd...

username: bobman password: nambob
username: mary password: mary
username: root password: ncc1701
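The three accounts above fall for predictable reasons: the password is the login name, the login name reversed, or a well-known phrase, which is exactly what a cracker tries first. As an added example that is not part of the original deck, the Python below (hypothetical `weak_password_reason` and `audit_crack_output` helpers, with a constructed mini wordlist and a constructed copy of the crack output) applies those checks so a password policy can reject such passwords before they reach /etc/passwd.

```python
import re
from typing import Dict, Optional

# Constructed mini wordlist; a real check would load a full dictionary file.
COMMON_WORDS = {"password", "ncc1701", "letmein", "qwerty", "welcome"}

# Constructed copy of the crack output shown on the slide, used by the audit below.
CRACK_OUTPUT = """\
username: bobman password: nambob
username: mary password: mary
username: root password: ncc1701
"""


def _letters(s: str) -> str:
    """Lower-case and keep only letters so 'Mary99!' still compares as 'mary'."""
    return re.sub(r"[^a-z]", "", s.lower())


def weak_password_reason(username: str, password: str) -> Optional[str]:
    """Return why a password is weak, or None if it passes these checks.

    Order mirrors a cracker's first guesses: the login name itself, the login
    name reversed, the login name embedded in the password, then a dictionary
    of common words and phrases, and finally plain length.
    """
    u, p = _letters(username), _letters(password)
    if p == u:
        return "equals username"
    if p == u[::-1]:
        return "username reversed"
    if u and u in p:
        return "contains username"
    if p in COMMON_WORDS or password.lower() in COMMON_WORDS:
        return "common word or phrase"
    if len(password) < 8:
        return "shorter than 8 characters"
    return None


def audit_crack_output(text: str) -> Dict[str, str]:
    """Map each cracked account to the policy rule its password broke."""
    pattern = re.compile(r"username:\s*(\S+)\s+password:\s*(\S+)")
    findings = {}
    for user, pw in pattern.findall(text):
        findings[user] = weak_password_reason(user, pw) or "no rule matched (cracked anyway)"
    return findings


if __name__ == "__main__":
    for user, reason in audit_crack_output(CRACK_OUTPUT).items():
        print(f"{user}: {reason}")
```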

thevault:~# ftp thesource

Connected to thesource
220 thesource Microsoft FTP Service (Version 4.0).

Name: administrator

331 Password required for administrator.

Password: *******

230 User administrator logged in.

Remote system type is Windows_NT.

ftp> cd \temp

250 CDW command successful.

ftp> send netbus.exe

local: netbus.exe remote: netbus.exe

200 PORT command successful.
150 Opening BINARY mode data connection for netbus.exe
226 Transfer complete.

ftp> quit

thevault:~$ telnet thesource

Trying 208.21.2.160...
Connected to thesource.bigwidget.com.
Escape character is '^]'.

Microsoft (R) Windows NT (TM) Version 4.00 (Build 1381)

Welcome to MS Telnet Service
Telnet Server Build 5.00.98217.1
login: administrator

password: *******

*===============================================================
Welcome to Microsoft Telnet Server.
*===============================================================
C:\> cd \temp

C:\TEMP> netbus.exe

Connected to the.source.bigwidget.com

NetBus 1.6, by cf

Screendump

David Smith < [email protected] >

[email protected]

My Raise < URGENT >

Dear Mr. Smith

I would like to thank you for the huge raise that you have seen fit to give me. With my new salary of $350,000.00 a year I am sure I am the highest paid mail clerk in the company. This really makes me feel good because I deserve it.

Your Son,

Dave

David Smith

Anatomy of the Attack

Diagram: BigWidget’s network (router, UNIX firewall, e-mail server, web server, UNIX and NT servers, clients & workstations), annotated with the three stages of the attack: imap, Crack, NetBus.

Real World Web Page Defacements

• New York Times

Policy Enforcement Through Detection and Response

IT Infrastructure

Diagram: firewall, e-mail server, web server, router, servers, clients & workstations, network.

What Is Vulnerable?

Each slide shows the same network diagram (firewall, router, e-mail server, web server, servers, clients & workstations) and highlights one layer:

• Applications: E-Commerce Web Server, E-Mail Server, SAP, Peoplesoft, Web Browsers
• Databases: Oracle, Microsoft SQL Server, Sybase
• Operating Systems: AIX, Solaris, HP-UX, Windows 95 & NT
• Networks: TCP/IP, Netware

Enterprise Risk Management

Enterprise Security Management

Vulnerability Assessment Service

Corrective Action Report

Vulnerability: GetAdmin

Severity: High Risk

IP Address: 215.011.200.255

OS: Windows NT 4.0

Fix: From the Start menu, choose Programs/Administrative Tools/User Manager. Under Policies/User Rights, check the users who have admin privileges on that host. Stronger action may be needed, such as reinstalling the operating system from CD. Consider this host compromised, as well as any passwords from any other users on this host. In addition, apply the post-SP3 getadmin patch, or SP4 when available. Also refer to Microsoft Knowledge Base Article Q146965.txt.

Managed Intrusion Detection Service

Diagram: on an external attack detected, the service sends an e-mail alert / log, records the session, terminates the session and reconfigures the firewall / router; on an internal attack detected, the session is logged.

Computer Security Institute Study 1998

Reasons for firewall breach: Mismanagement 49%, Both 44%, Bad Technology 7%

Why a managed solution?

Why Outsource?

• Network Security Is Complex

• Requires Specialized Skills and Dedicated Resources

• Difficulty in Hiring, Maintaining and Retaining IT Security Staff

• High Costs of Doing It on Your Own

Sample screens:

• Managed Firewall Home Page
• Firewall Security Policy
• Firewall - Daily Logs
• Web Usage Report
• Intrusion Detection Daily Events
• Intrusion Detection Custom - Query Entry Screen

Benefits of Using BellSouth’s Managed Security Services

• Enables organizations to establish and maintain security across the Internet, Intranet and Extranet

– Less expensive
• Leverage an existing security infrastructure
• Offers reliability and cost-effectiveness without having to maintain 24x7 dedicated security staff
• Scalable and modular services enable increased flexibility to upgrade services as needed

– More Secure
• Based on a robust and proven security architecture
• Utilizes best of breed technologies
• Supported by a dedicated staff of security engineers
• Proven operational procedures ensure proper response and escalation of security events
• Round-the-clock real-time monitoring for full-time protection
• All critical Internet-based security needs are addressed

– Frees up your resources to focus on other key company initiatives

BellSouth & ISS Value Proposition

• BellSouth
– Trusted Business Partner
– Operational Excellence
– Highest levels of Customer Satisfaction

• Internet Security Systems (ISS)
– Security Expertise
– Market leader in security

• Together
– Best in class IP access and network security solutions to support your E-Business strategy

Thank You!

For more information please join us at:

www.iss.net