Threats and Vulnerabilities
Ed Crowley
Threat and Vulnerability Objectives
At the end of this course, you should be able to analyze and differentiate among types of:
- Malware
- Attacks
- Social engineering attacks
- Wireless attacks
- Application attacks
- Mitigation and deterrent techniques
You should also be able to:
- Implement assessment tools and techniques to identify security threats and vulnerabilities
- Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning
http://www.wired.com/threatlevel/2010/03/tjx-
Threat Agents
- Adrian Lamo
- Kevin Mitnick
- Kevin Poulsen
- Alexey Ivanov
- Vasiliy Gorshkov
- Mafia Boy
- Manning
- Assange
- John Walker
Risk Primitives
- Vulnerability: A weakness in system security procedures, system design, implementation, internal controls, etc., that could be exploited to violate system security...
- Threat: Any circumstance or event with the potential to cause harm to a system in the form of destruction, disclosure, modification of data, and/or denial of service.
- Risk: The probability that a particular threat will exploit a particular vulnerability...
From NCSC-TG-004 (Aqua Book). See also RFC 2828.
Threats and Vulnerabilities?
Can be found in:
- People
  - Lack of situational awareness
  - Social engineering
  - Insiders (bribes and incompetence)
- Processes
  - Online financial transactions
  - Conventional financial transactions
  - Credit, debit, and ATM cards
- Technology
  - Computer and communications systems
  - Point of sale terminals
  - VA databases, etc.
Threats and vulnerabilities are dynamic.
Technology and Solutions
If you think technology can solve your security problems, then:
- You don't understand the problems and
- You don't understand the technology.
B. Schneier
Common Threats
- Malware: worms, viruses, Trojans
- Conventional attacks: MiM, DDoS, Smurf, phishing
- Social engineering
- Wireless: rogue access points, wardriving
- Web application: XSS, SQL injection
- Insiders
Internet Threat Attributes, one
- Automation
  - Automated infections (worms and Trojan horses)
  - Morris Worm, 1988
  - Honey Pot Project record (17 seconds)
  - Stuxnet
- Speed of exploit propagation
  - Negates the traditional log-based response process
- Distance doesn't matter
  - No international borders on the Internet
  - Legal jurisdiction scope
- You may not have a perimeter (blended threats)
25 Jan 2003
[Figure: map in which the blue color represents Slammer, 30 minutes after release]
In the first minute, the infected population doubled in size every 8.5 (±1) seconds. After approximately three minutes, the worm achieved its maximum scanning rate (over 55 million scans per second).
Worms and Viruses
- Robert Morris Internet Worm, 1988
  - First conviction under the 1986 Federal Computer Security Act
  - Father was the chief scientist at the NSA's National Computer Security Center (NCSC)
  - Currently an MIT associate professor
Malware: Trojans and Spyware
- Trojans
  - Email: a virus posing as a photo of Russian tennis player Anna Kournikova. Spread twice as fast as I Love You.
  - Polymorphic
  - Encrypted
- DDOS (Distributed Denial of Service Attack)
  - Mafia Boy and Tribal Flood knocked down Yahoo and Ebay.
- Stuxnet
- Spyware
INFOWar
- A military adversary who tries to undermine his target's ability to wage war by attacking the information or network infrastructure.
- Short-term focus of affecting his target's ability to wage war.
- Objects: military advantage, chaos, asymmetrical warfare
Proactive Solutions
- The notion of fixing a security flaw after it becomes a problem won't work on the Internet.
- Education and training are critical components of any security plan.
- Periodic assessments are critical security components
  - NIST 800-30
  - NSA IAM/IEM
- Assessment requires appropriate tools and processes
- Assessment reports become inputs to the mitigation process.
Assessment Tools
- Insecure.org, from its online security tools survey
- Tools we will work with include:
  - BackTrack
  - Wireshark
  - Nmap
  - NetCat
Tools Assess Vulnerabilities
In most environments, vulnerabilities result from system management process failures. Specifically, poor:
- System management
- System software configuration
- Applications software configuration
- Patch management
- Software management
- Access control, etc.
- User management and administration
- Weak password policy
Enterprise Vulnerabilities
- Likely symptoms of underlying systems management process failures
- Solution: identify and correct management practices, i.e. implement appropriate security policies and procedures
Mis-Management Categories, One
- OS configuration
  - Flawed or inappropriate
- Software maintenance
  - Failure to apply patches
  - Lack of configuration control
- Password/access control
  - Failure to comply with password policy
  - Improper access control settings
Mis-Management Categories, Two
- Malicious software
  - Presence
  - Evidence of use
- Dangerous services
  - Vulnerable services or processes
- Application configuration
  - Improperly configured applications
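Nmap, from the tool list earlier in the deck, can write its results as XML (-oX). As an added example that is not part of the original slides, the following Python script parses a constructed scan (not a real network) and maps each open service to the mis-management categories above: cleartext management services (telnet, tftp, snmp) are reported as "dangerous service", and product versions below a constructed baseline are reported as "failure to apply patches". The MIN_VERSIONS table is an assumed patch policy for the example, not a real advisory.

```python
"""Classify an Nmap XML scan into the slides' mis-management categories
(dangerous services, failure to apply patches).  Added example, not from the
original deck; the scan data and the version baseline are constructed."""
import xml.etree.ElementTree as ET

# Constructed Nmap -oX output for two hosts in a documentation range (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sU -oX scan.xml 192.0.2.0/29">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp" product="net-snmp" version="5.7"/></port>
    </ports>
  </host>
  <host>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.6"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Cleartext management protocols; their presence is a "dangerous service" finding.
DANGEROUS_SERVICES = {"telnet", "tftp", "snmp"}

# Constructed patch baseline (assumed policy): minimum acceptable version per product.
MIN_VERSIONS = {"OpenSSH": (8, 0), "Apache httpd": (2, 4, 50), "net-snmp": (5, 9)}


def parse_version(text):
    """Turn '2.4.6' into (2, 4, 6); a non-numeric piece such as '6p1' stops the parse."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def open_services(xml_text):
    """Yield (addr, proto, port, name, product, version) for every open port."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no service to assess
            svc = port.find("service")
            yield (addr, port.get("protocol"), int(port.get("portid")),
                   svc.get("name", ""), svc.get("product", ""), svc.get("version", ""))


def classify(xml_text):
    """Return a list of (addr, 'port/proto', category, detail) findings."""
    findings = []
    for addr, proto, port, name, product, version in open_services(xml_text):
        if name in DANGEROUS_SERVICES:
            findings.append((addr, f"{port}/{proto}", "dangerous service", name))
        minimum = MIN_VERSIONS.get(product)
        if minimum and version and parse_version(version) < minimum:
            wanted = ".".join(map(str, minimum))
            findings.append((addr, f"{port}/{proto}", "failure to apply patches",
                             f"{product} {version} < {wanted}"))
    return findings


if __name__ == "__main__":
    for addr, port, category, detail in classify(SAMPLE_NMAP_XML):
        print(f"{addr:12} {port:9} {category:26} {detail}")
```

The same host can produce two findings for one port (the SNMP service here is both a cleartext management protocol and below the baseline), which is the point of keeping the categories separate: each maps back to a different management process to fix.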
Assessment
- Assessment is the first step for any enterprise that wants to start managing information risks correctly.
- By assessing networks in the same way as a determined attacker, you can approach risk management proactively.
- It is never impossible to break into a computer system, only improbable. Risk must be managed.
- Appropriate to focus on: structured and logical IP-based network security assessment.
Recognized Assessment Standards
- NSA IAM, www.iatrp.com
  - The INFOSEC Assessment Methodology (IAM) framework helps consultants and security professionals outside the NSA provide assessment services to clients in line with a recognized standard.
  - Three assessment levels:
    - Assessment (IAM)
    - Evaluation (IEM)
    - Red Team (pen testing)
  - In the process of being up-leveled; see: http://www.isatrp.org/index.php
- UK CESG CHECK
CESG CHECK
- UK Government Communications Headquarters (GCHQ) information assurance arm, known as the Communications and Electronics Security Group (CESG).
- CHECK focuses on network security assessment
  - Evaluates and accredits UK security testing teams
  - Runs an assault course to test the attack and penetration techniques and methods demonstrated by attendees.
- CLAS (CESG Listed Adviser Scheme)
  - Covers information security in a broad sense and tackles areas such as BS7799
  - BS7799 was eventually adopted by ISO as ISO/IEC 17799, "Information Technology - Code of practice for information security management," in 2000. ISO/IEC 17799 was then revised in June 2005 and finally incorporated into the ISO 27000 series of standards as ISO/IEC 27002 in July 2007.
CHECK Competence Areas
- Network assessment tools, including:
  - DNS information retrieval tools
  - Network mapping and probing tools (ICMP, TCP, and UDP)
  - TCP service banner grabbing
  - SNMP information retrieval
- Understanding of common router and switch access and configuration weaknesses: Telnet, HTTP, SNMP, TFTP
- Other Unix- and Windows-specific competencies
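TCP service banner grabbing, one of the competence areas listed above, is how an assessor learns what a host discloses before any deeper check; the same probe tells an administrator what their own services reveal. The following Python script is an added example, not from the original deck or from CHECK: it grabs a banner with a timeout, classifies it into the mis-management categories from the earlier slides, and runs against constructed loopback listeners (the banners are invented) so it works offline.

```python
"""TCP service banner grabbing against constructed local services.
Added example, not from the original deck; the listeners and banners are made up."""
import socket
import threading


def grab_banner(host, port, timeout=3.0, max_bytes=256):
    """Connect and return whatever the service volunteers first (decoded and
    stripped).  Returns None if the port is closed, the connection times out,
    or the service says nothing."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            data = sock.recv(max_bytes)
    except OSError:  # refused, unreachable, or timed out (socket.timeout is an OSError)
        return None
    text = data.decode("ascii", errors="replace").strip()
    return text or None


def classify_banner(banner):
    """Map a banner to the mis-management finding it points at: (category, detail)."""
    if banner is None:
        return ("no banner", "service silent or unreachable")
    lowered = banner.lower()
    if lowered.startswith("ssh-1."):
        # SSH-1.x (including 1.99, which advertises both protocols) offers protocol 1
        return ("vulnerable service", "SSH protocol 1 offered")
    if "login:" in lowered:
        return ("dangerous service", "cleartext login prompt (telnet-style)")
    # Anything else is a version disclosure: the input to patch-level comparison.
    return ("version disclosure", banner)


def start_fake_service(banner):
    """Constructed stand-in for a real host: a one-shot loopback listener on an
    ephemeral port that sends `banner` to the first client and exits.
    Returns (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


def audit_constructed_services():
    """Grab and classify banners from constructed local services; returns the
    list of (category, detail) findings in the order probed."""
    banners = [
        b"SSH-2.0-OpenSSH_7.4\r\n",               # version string disclosed
        b"SSH-1.5-legacy_appliance\r\n",          # protocol 1 only
        b"\r\nUbuntu 18.04 LTS\r\nhost login: ",  # telnet-style login prompt
    ]
    findings = []
    for banner in banners:
        port, thread = start_fake_service(banner)
        findings.append(classify_banner(grab_banner("127.0.0.1", port)))
        thread.join(timeout=5)
    # A port with no listener: the connection is refused and reported as no banner.
    placeholder = socket.socket()
    placeholder.bind(("127.0.0.1", 0))
    closed_port = placeholder.getsockname()[1]
    placeholder.close()
    findings.append(classify_banner(grab_banner("127.0.0.1", closed_port, timeout=1.0)))
    return findings


if __name__ == "__main__":
    for category, detail in audit_constructed_services():
        print(f"{category:20} {detail}")
```

The timeout matters as much as the classification: a filtered port or a service that waits for the client to speak first (HTTP, for instance) would otherwise hang the sweep, and on a real assessment the "no banner" result is itself recorded rather than retried indefinitely.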
Online References
- NSA IAM/IEM Web Site
- http://www.cesg.gov.uk/site/check/index.cfm
- http://examples.oreilly.com/networksa/tools/
Questions?