Internet and Network Vulnerability Scanning with ISS, Part 1 - Evolution of Computer Security (FAE/NYSSCPA, June 11, 2002, Bruce H. Nearon, CPA)


Page 1: Internet and Network Vulnerability Scanning with ISS
Part 1 - Evolution of Computer Security
FAE/NYSSCPA
June 11, 2002
Bruce H. Nearon, CPA
Director of Information Technology Security Auditing
Bnearon@jhcohn.com 973-403-6955

Page 2: The First Computer
1822 - Charles Babbage
The difference engine
Navigational tables

Page 3: WW II Battle of the North Atlantic
1943 - The Enigma Machine
Alan Turing
The code breakers

Page 4: The Cold War
1958 - SAGE

Page 5: The Space Race
1960s Apollo Program
IBM 360

Page 6: Let the games begin
1970s - A generation of programmers raised on video games

Page 7: The End of Computer Security
The Internet
Modems
IBM PC
LANs
WANs
WWW
Netscape
Windows 95

Page 8: Mainframe era vs. Windows era

Mainframe Era
Military
Government
Banks
Insurance
Security
Integrity
Confidentiality
Rocket scientists
Few users

Windows Era
Games
Hobbyists
Small business
Ease of use
Click kiddies
500 million users

Page 9: Hackers

Page 10:

NT Hack FAQ v2
The Unofficial NT Hack FAQ, Beta Version 2. Compiled by Simple Nomad. www.nmrc.org/faqs/nt/

News: Insurer: Windows NT a high risk
56 percent of all the successful, documented hack attacks occurred on systems using Microsoft. www.zdnet.com/zdnn/stories/news/0,4586,2766045,00.html

News: How Do I Hack Thee?
How Do I Hack Thee? By Bill Machrone, PC Magazine. ... helpful crackers is L0phtCrack, which cracks Windows NT passwords from a workstation. www.zdnet.com/zdnn/stories/comment/0,5859,2385238,00.html

101 Ways to Hack into Windows NT
A study by Shake Communications Pty Ltd. www.info-sec.com/OSsec/OSsec_042898e_j.html-ssi

Britney's NT hack guide
It was much easier to hack a Windows NT box than I ever imagined, and after years being a sys admin, this was a scary thought indeed. www.interphaze.org/bits/britneysnthackguide.html

Page 11: OK, I'm sold, what should I do?
Start with the Board of Directors.
Does the Board take an interest in IT security?
Does the Board ask senior management the tough questions about IT security?
Does the Board know what to ask?
Same questions for the CEO and CFO.

Page 12: The Tough Questions
Has the company done an IT security risk assessment?
How does senior management know that the network is secure?
Has the Board communicated their expectations regarding security?
What level of security is expected?
Has there been an assessment of IT security done independent of the IT department?

Page 13: Organizational Red Flags
Does the CIO report to the CFO?
Is there an IT steering committee made up of senior management?
What is senior management's philosophy regarding IT security?
Is IT security left up to the IT department?

Page 14: More Red Flags
Are there written IT security policies and procedures?
Has the company adopted a System Development Life Cycle (SDLC) standard?
Does the CFO know which users can change financial data?
Are audit logs enabled, reviewed, and retained?
Does someone independent of IT review the logs?

Page 15: More Red Flags
How many people in the IT department have ADMIN, ROOT, ALL OBJECT, or SUPERUSER rights?
Is there an up-to-date IT asset inventory list?
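The ROOT/SUPERUSER question on this slide is usually answered by hand-reading account files. As an added example (not from the slides, and not an ISS feature), the following Python script does that reading for a Unix host: it reports every account that is root-equivalent because its uid is 0, because it is named in sudoers with the command list ALL, or because it belongs to a group that sudoers grants ALL. The /etc/passwd, /etc/group and /etc/sudoers contents below are constructed samples embedded inline so the script runs offline; the account names, groups and paths in them are assumptions. Restricted sudo rules (a specific command rather than ALL) are deliberately not counted, and files pulled in by sudoers #include or /etc/sudoers.d are not followed.

```python
"""Count root-equivalent accounts from passwd, group and sudoers text.

Added example for the "how many people have ROOT rights" question.
All sample data below is constructed; names and paths are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample files (not from a real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
dave:x:1003:1003:Dave:/home/dave:/bin/bash
svc-backup:x:1004:1004:Backup service:/var/backups:/usr/sbin/nologin
"""

GROUP = """\
root:x:0:
wheel:x:10:alice,bob
sudo:x:27:alice
finance:x:2000:carol,dave
"""

SUDOERS = """\
# constructed sample sudoers
Defaults env_reset
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
carol ALL=(root) NOPASSWD: /usr/bin/systemctl restart finance-app
dave ALL=(ALL) ALL
%finance ALL=(ALL) /usr/bin/less /var/log/finance/*
"""

# user_or_%group  host = (runas) commands
SUDO_RE = re.compile(
    r"^(?P<who>%?[\w.\-]+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)
# Tags that may prefix a command spec, e.g. NOPASSWD: or SETENV:
TAG_RE = re.compile(r"\b(?:NO)?(?:PASSWD|EXEC|SETENV|MAIL|FOLLOW|INTERCEPT|LOG_INPUT|LOG_OUTPUT):\s*")


def parse_passwd(text):
    """Map user name -> {uid, gid, shell} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 7:
            continue
        users[fields[0]] = {"uid": int(fields[2]), "gid": int(fields[3]), "shell": fields[6]}
    return users


def parse_group(text, users):
    """Map group name -> set of members, including primary-gid membership from passwd."""
    members = defaultdict(set)
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 4:
            continue
        name, gid = fields[0], int(fields[2])
        members[name].update(m for m in fields[3].split(",") if m)
        members[name].update(u for u, info in users.items() if info["gid"] == gid)
    return members


def full_root_sudo_principals(text):
    """Return sudoers principals ('user' or '%group') whose command list contains ALL."""
    principals = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        match = SUDO_RE.match(line)
        if not match:
            continue
        cmds = [c.strip() for c in TAG_RE.sub("", match.group("cmds")).split(",")]
        if "ALL" in cmds:  # unrestricted command list == root-equivalent
            principals.add(match.group("who"))
    return principals


def root_equivalent_accounts(passwd_text, group_text, sudoers_text):
    """Map account name -> sorted list of reasons it is root-equivalent."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text, users)
    reasons = defaultdict(list)
    for name, info in users.items():
        if info["uid"] == 0:
            reasons[name].append("uid 0")
    for principal in full_root_sudo_principals(sudoers_text):
        if principal.startswith("%"):
            for member in groups.get(principal[1:], ()):
                if member in users:
                    reasons[member].append(f"sudo ALL via {principal}")
        elif principal in users:
            reasons[principal].append("sudo ALL")
    return {name: sorted(why) for name, why in reasons.items()}


if __name__ == "__main__":
    found = root_equivalent_accounts(PASSWD, GROUP, SUDOERS)
    print(f"{len(found)} root-equivalent accounts")
    for name in sorted(found):
        print(f"  {name:12s} {', '.join(found[name])}")
```

On the sample data the script reports five root-equivalent accounts (root, toor, alice, bob, dave); carol is excluded because her sudo rule is limited to one command, and toor stands out as a second uid-0 account, which is a finding in its own right. Run it against a real host by reading the three files into the constants (sudoers needs root to read) and add any sudoers.d fragments to the text before calling it.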

Page 16: Wrap-up
Security: Today's systems were never designed to be secure. You have to secure them yourself.
The key to security is the Board and senior management understanding security, taking responsibility for it, and communicating their expectations.

Page 17: Questions?
Thank you!