Page 1: Thin Ice in the Cyber World Presented by Dr. Bill Hancock, CISSP, CISM Vice President, Security & Chief Security Officer bill.hancock@savvis.net 972-740-7347

Thin Ice in the Cyber World

Presented by Dr. Bill Hancock, CISSP, CISM
Vice President, Security & Chief Security Officer
bill.hancock@savvis.net
972-740-7347

WHY Security?

Security transcends:
IT disciplines: systems, networks, storage, databases, applications, support
Physical, logical and electronic boundaries
Departmental silos
Supply chain
Countries and jurisdictions

The Classic Reasons

Protect assets
PR fears
Management edict
Corporate policies
Fear of attacks
Customer info
Legal reasons
Was breached…

The Past

The Present

Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html

Software Is Too Complex

Windows releases by size (chart y-axis: MILLIONS, 0 to 50):
Windows 3.1 (1992): 3
Windows NT (1992): 4
Windows 95 (1995): 15
Windows NT 4.0 (1996): 16.5
Windows 98 (1998): 18
Windows 2000 (2000): 35
Windows XP (2001): 45

Sources of Complexity:
• Applications and operating systems
• Data mixed with programs
• New Internet services: XML, SOAP, VoIP
• Complex Web sites
• Always-on connections
• IP stacks in cell phones, PDAs, gaming consoles, refrigerators, thermostats

Reported Security Incidents to CERT 1998-2003

(Chart: incidents reported per year, 1998 through 2003; y-axis 0 to 140,000)

As Systems Get Complex, Attackers are Less Mentally Sophisticated…

Source: CERT/CC

Attacker Diversity

Script kiddies

Social misfits

Internal attackers

Hacking “gangs”

Organized crime

Nation-state sponsored entities

Terrorist entities

What do customers really want?

(Chart: cost ($) against security level, 0% to 100%. The cost of security countermeasures rises with the security level while the cost of security breaches falls; their sum, the total cost, has a minimum that marks the optimal level of security at minimum cost.)

Security must make business sense to be adopted!

Security Biz Case Drivers: The PAL Method

PAL – PR, assets/IP, law

Public Relations Issues
• The cost of bad PR almost always exceeds the cost of a good security implementation

Asset Protection and Intellectual Property
• Intellectual property
• Customers
• Employees
• Data stores

The Law
• Each country has compulsory compliance laws about security that most companies violate without realizing it

Purpose of the following section

The goal here is not to hit everything, just items that are either very timely or a bit outside the normal reporting of security events we see every day.

Classic Current IT Security Risks

DNS attacks
DDoS, DoS, etc.
Viruses, worms, etc.
Spoofs and redirects
Social engineering
Router table attacks
OS holes, bugs
Application code problems
Insider attacks
Others…

Upcoming Security Threats

Geographic location
• China is a major concern
• Legislation in other countries

New hacker methods and tools
• VoIP
• IP-VPN (MPLS)
• ASN.1 and derivatives
• Hacker “gangs”
• Complexity of application solutions makes it easier to disrupt them (Active Directory, VoIP, etc.)

Industrial espionage from competition
• Covert sampling
• Covert interception

Threats - Infrastructure

Core (critical)
• Routing infrastructure
• DNS
• Cryptographic key mgt.
• PBX and voice methods
• E-mail
• Siebel database

Threats – Infrastructure, II

Essential
• Financial systems
• Customer console management systems
• Access management to Exodus critical resources
• Intellectual property protection methods
• Privacy control methods
• Internal firewalls and related management
• HR systems

Routing Infrastructure

No router-to-router authentication
• Router table poisoning
• Vector dissolution
• Hop count disruption
• Path inaccuracies
• Immediate effect
• Redundancy has no effect on repair/recovery

Edge routers/switches do not use strong access authentication methods
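An added example, not from the presentation, of what router-to-router authentication changes for the table-poisoning finding above: a neighbor that verifies a keyed message authentication code and a monotonically increasing sequence number on every route advertisement rejects a forged or replayed update, while a neighbor that verifies nothing installs the poisoned route. The wire layout, the use of HMAC-SHA256 (routing protocols of this era used keyed MD5 for OSPF and the TCP MD5 option for BGP), the shared key and all addresses are constructed for the example.

```python
"""Route-update authentication demo (added example, not from the presentation).

A neighbor that checks a keyed MAC and a sequence number on every advertisement
cannot be fed poisoned routes by a party without the key; one that checks
nothing can.  Layout, key and addresses are all constructed for the example.
"""
from __future__ import annotations

import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

# Constructed wire layout of one advertisement:
#   prefix (4 bytes) | prefix length (1) | next hop (4) | metric (2) | sequence (4)
UPDATE_FMT = "!4sB4sHI"
UPDATE_LEN = struct.calcsize(UPDATE_FMT)
TAG_LEN = hashlib.sha256().digest_size

# Hypothetical per-neighbor shared key; a real router takes this from its configuration.
NEIGHBOR_KEY = b"example-neighbor-key-change-me"


def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def encode_update(prefix: str, plen: int, next_hop: str, metric: int, seq: int) -> bytes:
    """Serialise one advertisement into the fixed wire layout above."""
    return struct.pack(UPDATE_FMT, _ip_bytes(prefix), plen, _ip_bytes(next_hop), metric, seq)


def sign_update(body: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag computed over the whole body."""
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Neighbor:
    """Receiving side of the adjacency.  key=None models the slide's finding:
    no router-to-router authentication at all."""

    def __init__(self, key: Optional[bytes]):
        self.key = key
        self.last_seq = -1
        self.routes: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def accept(self, message: bytes) -> Tuple[bool, str]:
        """Validate and install one update.  Returns (installed, reason)."""
        if len(message) != UPDATE_LEN + TAG_LEN:
            return False, "malformed"
        body, tag = message[:UPDATE_LEN], message[UPDATE_LEN:]
        if self.key is not None:
            expected = hmac.new(self.key, body, hashlib.sha256).digest()
            # Constant-time compare: do not leak which byte of a forged tag failed.
            if not hmac.compare_digest(tag, expected):
                return False, "bad authentication"
        prefix, plen, next_hop, metric, seq = struct.unpack(UPDATE_FMT, body)
        if seq <= self.last_seq:
            return False, "replay"
        self.last_seq = seq
        self.routes[(_ip_str(prefix), plen)] = (_ip_str(next_hop), metric)
        return True, "installed"


def demo() -> Dict[str, object]:
    """Legitimate update, forged update and replay against an authenticating
    neighbor and a naive one.  Returns the verdicts and the installed next hops."""
    legit = sign_update(encode_update("10.0.0.0", 8, "192.0.2.1", 10, 1), NEIGHBOR_KEY)
    # Attacker lacks the key: tries to pull 10.0.0.0/8 through its own box with a better metric.
    forged = sign_update(encode_update("10.0.0.0", 8, "198.51.100.9", 1, 2), b"attacker-guess")

    strict, naive = Neighbor(NEIGHBOR_KEY), Neighbor(None)
    results: Dict[str, object] = {
        "strict_legit": strict.accept(legit),
        "strict_forged": strict.accept(forged),
        "strict_replay": strict.accept(legit),
        "naive_legit": naive.accept(legit),
        "naive_forged": naive.accept(forged),
    }
    results["strict_next_hop"] = strict.routes[("10.0.0.0", 8)][0]
    results["naive_next_hop"] = naive.routes[("10.0.0.0", 8)][0]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} {value}")
```

The sequence check alone buys nothing without the MAC: an attacker who can forge the body can choose the sequence number too, which is why the naive neighbor accepts the forged update and ends up routing 10.0.0.0/8 to 198.51.100.9.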

Routing Infrastructure, II

No CW-wide internal network IDS/monitoring
No internal network security monitoring for anomalies or stress methods
No effective flooding defense or monitoring

DNS Security Assessment

Grossly inadequate security methods against attacks

No distributed method for attack segmentation recovery

No IDS or active alarms on DNS to even see if they are up or down

Geographic distribution inadequate and easy to kill due to replication

Zone replication allows poisoning of DNS dbms

DNS servers around the company do not implement solid security architecture

Mobile Technology Security

Most corporate mobile technology, when removed from the internal network or premises, is WIDE OPEN to data theft, intrusion, AML (autonomous malicious logic), etc.
• Laptops: no FW, IDS, VPN, virus killers, email crypto, file crypto, theft prevention/management, cyber tracking, remote data destruct, remote logging, AML cleaning, etc., etc., etc.
• Palm Pilots, etc.: no security
• 3G and data cells: no security
• No operational security over wireless methods

Cyberterrorism

It’s real

It’s a major problem

Most sites have no clue on how to deal with it or what all is involved

Many sites have already been used for temporary storage of terrorist operational data (micro web sites, FTP buffer sites, steganography transfer, etc.)

If not on your radar, put it there now

Autonomous Malicious Logic

Worms, which increase in complexity and capabilities with each iteration
Increasing body of hostile code
Scans large blocks of IP addresses for vulnerabilities
• Target agnostic
• Large or small, powerful or not
No specific attack rationale means that anyone is vulnerable
Sharp increase in number seen in the last year and growing
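The target-agnostic scanning described above is also what makes a worm detectable. As an added example, not from the presentation, here is detection logic that runs over firewall deny logs and flags a source that reaches many distinct destinations on one port inside a short window, while ignoring a chatty client that keeps hitting a single server and a slow scanner spread over an hour. The log format and every address in the sample lines are constructed for the example.

```python
"""Sweep detection over firewall deny logs (added example, not from the presentation).

A worm scanning a block for one vulnerable service leaves one distinctive trace:
a single source touching many distinct destinations on the same port in a short
window.  Log format, addresses and timestamps below are constructed.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format; real firewalls differ, so adjust LOG_RE to match.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>\d+\.\d+\.\d+\.\d+) "
    r"dst=(?P<dst>\d+\.\d+\.\d+\.\d+) dport=(?P<dport>\d+)$"
)

SAMPLE_LOG = "\n".join(
    # Worm host: 12 distinct targets on tcp/445 within 11 seconds.
    [f"2003-08-12T03:15:{s:02d} DENY src=203.0.113.5 dst=10.0.0.{s + 1} dport=445" for s in range(12)]
    # Legitimate client retrying one web server: many hits, one destination.
    + [f"2003-08-12T03:16:{s:02d} DENY src=10.0.0.50 dst=10.0.0.2 dport=80" for s in range(12)]
    # Slow scanner: 12 targets, one every five minutes, spread over an hour.
    + [f"2003-08-12T04:{5 * s:02d}:00 DENY src=198.51.100.7 dst=10.0.1.{s + 1} dport=1433" for s in range(12)]
)


def parse(lines):
    """Yield (timestamp, src, dst, dport) for lines that match; skip everything else."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def detect_sweeps(lines, window=timedelta(seconds=60), min_hosts=8):
    """Return one alert per (src, dport) pair whose count of distinct destinations
    inside any `window` reaches `min_hosts`.  Uses a sliding window per pair."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        by_key[(src, dport)].append((ts, dst))

    alerts = []
    for (src, dport), hits in by_key.items():
        hits.sort()
        recent = deque()        # (ts, dst) events inside the current window
        in_window = Counter()   # dst -> number of events inside the window
        for ts, dst in hits:
            recent.append((ts, dst))
            in_window[dst] += 1
            # Expire events that fell out of the window.
            while recent and ts - recent[0][0] > window:
                old_ts, old_dst = recent.popleft()
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
            if len(in_window) >= min_hosts:
                alerts.append({"src": src, "dport": dport, "hosts": len(in_window), "at": ts.isoformat()})
                break  # one alert per source/port pair is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE_LOG.splitlines()):
        print(alert)
```

The window is the tuning knob: with the 60-second default only the fast worm trips the threshold, and the slow scanner only shows up when the window is widened to cover its spacing, at the cost of more false positives from ordinary hosts.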

Buffer Overflows

Concept is not new, but there are a lot of new ones appearing daily

Due to underlying problems with core protocol language issues, such as ASN.1, the same buffer overflow attack packet type for a specific protocol can affect many different entities in different ways:
• The SNMP OID buffer overflow of February 2002 affected practically every implementation of SNMP that used ASN.1 as the base definitional metalanguage
• What it did to one vendor was radically different from what it did to a second vendor for the same type of packet attack

Password Crackers

Sharp rise in availability of password cracking programs

Bulk of them use brute force methods or known dictionary attack methods

Some exploit weaknesses in a known password hashing method

Commercial products starting to appear in the industry

Default Passwords

Still a popular exploit method:
• Wireless access point admin
• Operating systems
• Broadband cable modems
• Routers out-of-the-box
• Databases out-of-the-box
• Simple exploits: laser printer passwords, SCADA components, embedded systems
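The password-cracker and default-password slides above describe the same economics from two sides, so one added example, not from the presentation, serves both: a dictionary attack run against a constructed credential store. A fast unsalted hash lets one precomputed table crack every account at once, vendor default strings such as public, admin and cisco are the first words any cracker tries, and a per-account salt with an iterated key derivation forces the attacker to pay the full derivation cost for every guess against every account. The wordlist, device names, salts, plaintexts and the deliberately low iteration count are all constructed.

```python
"""Dictionary attack against a constructed credential store
(added example, not from the presentation)."""
import hashlib
import hmac

# Constructed wordlist: common passwords plus well-known vendor defaults.
WORDLIST = [
    "password", "123456", "admin", "public", "private", "cisco",
    "letmein", "qwerty", "manager", "system", "welcome1",
]

# Constructed credential store.  Plaintexts exist here only to build the hashes;
# on a real system only the hashes would be present.
_PLAINTEXTS = {
    "ap-01": "admin",                # wireless access point left at its default
    "snmp-ro": "public",             # default SNMP read community string
    "core-rtr": "Vq7#dr2!Lp9&xTz",   # strong, not in any wordlist
}
_SALTS = {"ap-01": b"\x01" * 16, "snmp-ro": b"\x02" * 16, "core-rtr": b"\x03" * 16}  # fixed for reproducibility
KDF_ITERATIONS = 2000  # kept low so the example runs quickly; production deployments use far more

VENDOR_DEFAULTS = {"admin", "public", "private", "cisco", "manager", "system"}


def unsalted_md5(password: str) -> str:
    """Legacy scheme: fast, unsalted, identical hash for identical passwords everywhere."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_kdf(password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256: the same password hashes differently per account."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_stores():
    """Return (unsalted_store, salted_store) built from the constructed plaintexts."""
    unsalted = {dev: unsalted_md5(pw) for dev, pw in _PLAINTEXTS.items()}
    salted = {dev: (_SALTS[dev], salted_kdf(pw, _SALTS[dev])) for dev, pw in _PLAINTEXTS.items()}
    return unsalted, salted


def crack_unsalted(store, wordlist):
    """One hash per word, then a dictionary lookup: work is len(wordlist) no matter
    how many accounts are in the store.  Returns (cracked, hash_operations)."""
    table = {unsalted_md5(w): w for w in wordlist}
    found = {dev: table[h] for dev, h in store.items() if h in table}
    return found, len(wordlist)


def crack_salted(store, wordlist, iterations=KDF_ITERATIONS):
    """Every (account, word) pair costs a full derivation because the salt differs
    per account.  Returns (cracked, kdf_operations)."""
    found, work = {}, 0
    for dev, (salt, digest) in store.items():
        for word in wordlist:
            work += 1
            if hmac.compare_digest(salted_kdf(word, salt, iterations), digest):
                found[dev] = word
                break
    return found, work


def default_credential_hits(found):
    """Cracked accounts whose password is a known vendor default: the audit finding
    that matters most, since these need no cracking at all in practice."""
    return {dev: pw for dev, pw in found.items() if pw in VENDOR_DEFAULTS}


if __name__ == "__main__":
    unsalted, salted = build_stores()
    print("unsalted:", crack_unsalted(unsalted, WORDLIST))
    print("salted:  ", crack_salted(salted, WORDLIST))
    print("defaults:", default_credential_hits(crack_salted(salted, WORDLIST)[0]))
```

Both schemes give up the two default-password accounts, because no hashing scheme protects a password that is in the attacker's list; the difference is the cost. Here the salted store takes 18 derivations against 11 hashes, and with a real iteration count and thousands of accounts that gap is what makes a leaked store survivable.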

Vendor Distributed Malware

Due to lack of care in preparing distribution kits, many vendors are starting to distribute their products with malware in them
• A gaming company recently distributed Nimda on a CD distribution
• Others have shipped viruses and other malicious code infestations

Perimeter malware checking is not enough anymore

Insiders

Still a major threat
Responsible for over 90% of actual financial losses to companies
Most sites do not have enforceable internal security controls or capabilities
• Legacy systems
• Hypergrowth of systems/networks
• Lack of care and planning in security as the growth has happened

Cryptographic Key Management

None
What is available is all manual
Changing keys on some technologies takes MONTHS (e.g. TACACS+)
Keys are weak in some areas and easily broken
No “jamming” defenses for key exchange methods
Little internal knowledge on key mgt and cryptographic methods

PBX and Voice Methods

No assessment of toll fraud and PBX misuse

Cell phones used continually for sensitive conversations

No conference call monitoring for illicit connections or listening

No videoconferencing security methods

PBX and Voice Methods, II

No voicemail protection or auditing efforts across the company
Easy to social engineer PBX access and redirection
Redundancy of main switching systems questionable (e.g. May 2002 CWA OC-12 disruption)

E-Mail Security Issues

Employees in trusted positions reading e-mail
E-mail security methods take a long time to implement
Lack of use of encryption methods for confidential e-mail
Lack of keyserver for cryptographic methods (this is due to power)
Newly devised security methods not implemented yet
Use of Active Directory and LDAP in future a major concern

E-Mail Security Issues, II

Wireless e-mail a concern
No filters for SPAM
No keyword filter searching methods for potential IP “leakage”
Ex-employees retain access information for their and other accounts

Hyperpatching

The need to quickly patch vulnerabilities is becoming a major security pain point

Protocol exploits such as SNMP will accelerate and require additional patching and fixes

Customers should stop with “old think” change control and start considering using hyperpatching and mass roll-out systems (push technology) to start solving hyperpatching problems

Employee Extortion

At least 5 different extortion methodologies have appeared that affect employee web surfers
Latest one involves persons who surf known child pornography web sites or hit on chat rooms on the subject
• A link is e-mailed to the person and they are threatened with being turned over to officials and employers unless they pay to keep the information about their surfing habits secret
This is a growing business…

Old Code Liabilities

Software vendors are trying to figure out how to decommission older versions and older code quickly due to patch/fix and general liability issues

Old code does not have security controls that are compatible with today’s problems and security systems

Wireless

Continues to be a problem
Mostly due to lack of implementation of controls
War driving is easy to do for most sites and to get on most networks
Illegal connection to a wireless network violates FCC regs
Need intrusion detection for wireless to detect who is associated to the LAN and doesn’t belong
Best short-term solution is peer-to-peer VPNs (desktop, site-to-site, etc.)
New threats with upcoming 3G products

Data Retention

BIG push for data retention in many parts of the world
With retention comes liabilities for retained information
U.S. has no specific retention laws except in specific financial and healthcare areas
EU and Asian countries recently enacted serious retention laws

M&A and Partnership Security

We often know nothing about the security of a non-corporate solution
After examination, most are very bad
We need procedures for evaluation of partners and M&A for security issues and corrective action
We also need to have, as part of the diligence process, proper security oversight on acquisitions
• We often do not know about an M&A target until the press announcement

Blended Attacks

Biological and Cyber
• Smallpox infection and DDoS against infrastructure

Multiphasic Cyber Attack
• DDoS against routers, DNS poisoning attacks and defacement attacks at the same time

Sympathetic hacking group attacks

Upstream infrastructure attack
• IXC disruption
• Power grid disruption
• Peering point disruption
• Supply-chain vendor disruption

Dr. Bill Hancock, CISSP, CISM
Vice President, Security & Chief Security Officer

Email: bill.hancock@savvis.net
972-740-7347

Questions?