[email protected] 973-403-6955 1
Internet and Network Vulnerability Scanning with ISS
Part 1 - Evolution of Computer Security
FAE/NYSSCPA
June 11, 2002
Bruce H. Nearon, CPA, Director of Information Technology Security Auditing
The First Computer
1822 - Charles Babbage
The difference engine
Navigational tables
WW II Battle of the North Atlantic
1943 – The Enigma Machine
Alan Turing
The code breakers
The Space Race
1960's Apollo Program
IBM 360
Let the games begin
1970's - A generation of programmers raised on video games
The End of Computer Security
The Internet
Modems
IBM PC
LANs
WANs
WWW
Netscape
Windows 95
Mainframe era vs. Windows era

Mainframe Era
Military
Government
Banks
Insurance
Security
Integrity
Confidentiality
Rocket scientists
Few users

Windows Era
Games
Hobbyists
Small business
Ease of use
Click kiddies
500 million users
Hackers
NT Hack FAQ v2 - The Unofficial NT Hack FAQ, Beta Version 2. Compiled by Simple Nomad. www.nmrc.org/faqs/nt/
News: Insurer: Windows NT a high risk - "56 percent of all the successful, documented hack attacks occurred on systems using Microsoft." www.zdnet.com/zdnn/stories/news/0,4586,2766045,00.html
News: How Do I Hack Thee? By Bill Machrone, PC Magazine - "... helpful crackers is L0phtCrack, which cracks Windows NT passwords from a workstation." www.zdnet.com/zdnn/stories/comment/0,5859,2385238,00.html
101 Ways to Hack into Windows NT - A study by Shake Communications Pty Ltd. www.info-sec.com/OSsec/OSsec_042898e_j.html-ssi
Britney's NT hack guide - "It was much easier to hack a Windows NT box than I ever imagined, and after years being a sys admin, this was a scary thought indeed." www.interphaze.org/bits/britneysnthackguide.html
OK, I'm sold, what should I do?
Start with the Board of Directors
Does the Board take an interest in IT security?
Does the Board ask senior management the tough questions about IT security?
Does the Board know what to ask?
Same questions for the CEO and CFO.
The Tough Questions
Has the company done an IT security risk assessment?
How does senior management know that the network is secure?
Has the Board communicated their expectations regarding security?
What level of security is expected?
Has there been an assessment of IT security done independent of the IT department?
Organizational Red Flags
Does the CIO report to the CFO?
Is there an IT steering committee made up of senior management?
What is senior management's philosophy regarding IT security?
Is IT security left up to the IT department?
More Red Flags
Are there written IT security policies and procedures?
Has the company adopted a System Development Life Cycle (SDLC) standard?
Does the CFO know which users can change financial data?
Are audit logs enabled, reviewed, and retained?
Does someone independent of IT review the logs?
More Red Flags
How many people in the IT department have ADMIN, ROOT, ALL OBJECT, or SUPERUSER rights?
Is there an up-to-date IT asset inventory list?
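The head-count question has a concrete check behind it, and an auditor should not take the IT department's answer on trust. As an added example (not part of the original presentation and not ISS tooling), the Python below reads /etc/passwd and /etc/group text from a Unix host and lists every account that is root-equivalent: uid 0 under any name (not just "root"), primary or supplementary membership of an administrative group, and admin-group members that have no passwd entry at all, which are stale rights waiting to be picked up by whoever recreates that account name. The sample file contents and the set of admin group names are constructed assumptions for the example; on a real host read the two files and match the group list to the sudoers configuration. A Windows NT equivalent would enumerate the local Administrators and Domain Admins groups, which this example does not do.

```python
"""Enumerate root-equivalent accounts from passwd/group data (Unix example)."""
from typing import Dict, List, Set, Tuple

# Constructed sample data for this example; not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:emergency root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
svc-backup:x:1004:1004:Backup job:/var/backups:/usr/sbin/nologin
"""

SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice,bob,dave
sudo:x:27:bob,carol
users:x:100:alice,bob,carol
"""

# Group names assumed to convey root-equivalent rights on typical Linux/BSD
# hosts (an assumption for this example; align with the host's sudoers file).
ADMIN_GROUPS: Set[str] = {"root", "wheel", "sudo", "admin"}


def parse_passwd(text: str) -> Dict[str, Tuple[int, int]]:
    """Map account name -> (uid, primary gid), skipping blank or malformed lines."""
    users: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[0] or line.startswith("#"):
            continue
        try:
            users[fields[0]] = (int(fields[2]), int(fields[3]))
        except ValueError:
            continue  # non-numeric uid/gid is not a valid entry
    return users


def parse_group(text: str) -> Dict[str, Tuple[int, List[str]]]:
    """Map group name -> (gid, supplementary member names)."""
    groups: Dict[str, Tuple[int, List[str]]] = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[0] or line.startswith("#"):
            continue
        try:
            gid = int(fields[2])
        except ValueError:
            continue
        members = [m for m in fields[3].split(",") if m]
        groups[fields[0]] = (gid, members)
    return groups


def privileged_accounts(passwd_text: str, group_text: str,
                        admin_groups: Set[str] = ADMIN_GROUPS) -> Dict[str, List[str]]:
    """Return {account: [reasons]} for every account with root-equivalent rights.

    Three sources are checked: uid 0 under any name, primary membership of an
    admin group through the passwd gid, and supplementary membership listed in
    /etc/group. Admin-group members with no passwd entry are reported as well,
    because the stale entry becomes live rights as soon as the name is reused.
    """
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    admin_gids = {gid: name for name, (gid, _) in groups.items() if name in admin_groups}
    found: Dict[str, List[str]] = {}

    for name, (uid, gid) in users.items():
        if uid == 0:
            found.setdefault(name, []).append("uid 0")
        if gid in admin_gids:
            found.setdefault(name, []).append(f"primary group {admin_gids[gid]}")

    for gname, (_, members) in groups.items():
        if gname not in admin_groups:
            continue
        for member in members:
            reason = f"member of {gname}"
            if member not in users:
                reason += " (no passwd entry)"
            found.setdefault(member, []).append(reason)
    return found


def over_limit(found: Dict[str, List[str]], limit: int) -> bool:
    """True when the privileged head-count exceeds what management approved."""
    return len(found) > limit


if __name__ == "__main__":
    result = privileged_accounts(SAMPLE_PASSWD, SAMPLE_GROUP)
    for account, reasons in sorted(result.items()):
        print(f"{account:12s} {', '.join(reasons)}")
    print("over limit of 2:", over_limit(result, 2))
```

On the constructed data the check reports six privileged identities where the obvious answer would have been one: a second uid-0 account named "toor", three staff in wheel or sudo, and a wheel member "dave" who no longer exists in passwd. That last class is the one an inventory kept by hand always misses.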
Wrap-up
Security - Today's systems were never designed to be secure. You have to secure them yourself.
The key to security is the Board and senior management understanding security, taking responsibility for it, and communicating their expectations.