Some Security Hot Issues

Allan Wall, BCS North London Branch Meeting, 13th November 2002. 2001 Symantec Corporation, All Rights Reserved.

Page 1: Some Security Hot Issues

Some Security Hot Issues

Allan Wall

BCS North London Branch Meeting

13th November 2002

Page 2: Some Security Hot Issues

Who is the enemy?

| Classification | Attacker Description | Target | Results |
|---|---|---|---|
| Computer Crime | Vandal, Script Kiddie, Packet Monkey | Email, Web Sites | Downtime, Defacement, Denial of Service |
| Computer Crime | ‘Criminal’ Cracker, ‘Black Hat’ | Assets | Monetary Gain |
| Information Warfare | Government Organization | Political Infrastructure | Political Power, Balance Change |
| Cyber Terrorist | Terrorists, Non-State Actors | Physical Infrastructure | Destruction |

Page 3: Some Security Hot Issues

Where do the threats come from?

Attacks per 10,000 Internet Users, Jan. – Jun. 2002 (Symantec 2002)

Countries > 1M Internet Users

| Country | Attacks |
|---|---|
| Israel | 33.1 |
| Hong Kong | 22.1 |
| France | 19.9 |
| Belgium | 17.6 |
| Thailand | 15.9 |

Countries < 1M Internet Users

| Country | Attacks |
|---|---|
| Kuwait | 50.8 |
| Iran | 30.8 |
| Peru | 24.5 |
| Chile | 24.4 |
| Nigeria | 22.3 |

Page 4: Some Security Hot Issues


The Redundant Message..Cost of Damage

CodeRed Estimated: 2.5 Billion Dollars

Nimda Cost Estimated: 500+ Million Dollars

186 Respondents in 2001 CSI/FBI Survey

• $151,230,100 – Theft of proprietary information

• $45,288,150 – Virus

• $35,001,650 – Insider Net Abuse

• $19,066,601 – System Penetration

• $4,283,600 – Denial of Service

Page 5: Some Security Hot Issues


The Blended Threat

• Isn’t going away
• Combines hacking, DoS, and worm-like propagation
• Most recent example – W32.Bugbear.mm
  • Mass mailing worm
  • Its own SMTP engine
  • Discovers and utilises network shares to spread
  • Does keystroke logging
  • Creates a backdoor for access
  • Attempts to disable AV and personal firewall products
  • Due to a bug in shared drive exploit, it can overwhelm shared printers, causing them to print reams of gibberish

Page 6: Some Security Hot Issues


Blended Threat Defence

Proactive vulnerability management

Security in layers

Security in depth

Superior security response

Page 7: Some Security Hot Issues


The Sleeper Virus

Not a fast mailer or a mass mailer - It's slower and more subtle

Hybris - a computer worm that uses encrypted plug-ins to update itself over the internet

Sits quietly monitoring email traffic

Compiles list of addresses and slowly leaks email infections

Morphs depending on updates

Page 8: Some Security Hot Issues


The Sleeper Virus Defence

Update virus definitions frequently

Treat email attachments with suspicion

Use a personal firewall

Page 9: Some Security Hot Issues


Shatter Attacks

The mechanism used is the Win32 API, which has been relatively static since Windows NT 3.5 was released in July 1993

Microsoft cannot change it – without full scale redesign

An example – Windows messaging / queuing

An attacker can use these techniques to escalate their privileges

Page 10: Some Security Hot Issues


Shatter Attacks - Defence

Full-scale Windows redesign (scrapping Win32)

Better design by every Windows application vendor

Protect your Windows systems to make it hard for undesirables to get access they can exploit

Needs continual monitoring

Page 11: Some Security Hot Issues


Cross site scripting attacks - XSS

“Expert hacks Hotmail in 1 line of code!”

Attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash to fool a user

Exploits dynamic web-site content resulting in:
• account hijacking
• changing of user settings
• cookie theft/poisoning
• false advertising

Will become more common, even automated

Page 12: Some Security Hot Issues


XSS attacks - Defence

Design web pages that validate user input

HTML escaping

Using PERL scripting tools designed to help
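
The input validation and HTML escaping defences listed above, shown together as an added example that is not part of the original slides. The function names, the display-name rule and the sample comment are assumptions made for illustration; JavaScript is used here rather than the Perl tools the slide mentions.

```javascript
// Added example: allowlist validation on input, HTML escaping on output.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change how the browser parses HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Input validation: accept only what a display name is expected to contain
// (hypothetical rule: 1-32 letters, digits, space, underscore, dot, hyphen).
function validateDisplayName(name) {
  return typeof name === "string" && /^[A-Za-z0-9 _.-]{1,32}$/.test(name);
}

// Escaping alone does not make a URL safe inside href: only http(s) is kept,
// so script-bearing schemes such as javascript: are dropped.
function safeHref(url) {
  try {
    const u = new URL(url);
    return u.protocol === "http:" || u.protocol === "https:" ? u.href : null;
  } catch {
    return null; // not a parseable absolute URL
  }
}

// Build the HTML for one user comment; every dynamic value is validated
// or escaped before it reaches the page.
function renderComment({ name, homepage, text }) {
  if (!validateDisplayName(name)) throw new Error("invalid display name");
  const href = safeHref(homepage);
  const author = href
    ? `<a href="${escapeHtml(href)}">${escapeHtml(name)}</a>`
    : escapeHtml(name);
  return `<p class="comment"><b>${author}</b>: ${escapeHtml(text)}</p>`;
}

// Constructed sample input (not from the slides): markup in the comment text
// and a non-http scheme in the homepage field.
const sample = { name: "Alice", homepage: "javascript:alert(1)", text: "<script>alert(1)</script>" };
console.log(renderComment(sample));
```

Validation rejects input that does not fit the expected shape, while escaping is applied at output time so that anything that does get stored is rendered as text rather than markup.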

Page 13: Some Security Hot Issues


Biometrics

• More secure and stronger identification.
  • Moving away from (multiple) IDs/Passwords, reducing risk from “lost” or loaned credentials (including tokens).
• Most common
  • Fingerprint, hand, iris / retina / facial / voice recognition.
• Provides the inextricable link – the guarantee that the registered user is actually present.

Or does it…….?

Page 14: Some Security Hot Issues


Biometrics

• Relatively high cost solutions, immature technology – bigger cost/risk if they fail (but cheaper to support)
• Privacy and intrusiveness issues
• Accuracy – false positive / false negative rates
  • Facial recognition: only 60-80% accurate, 1 in 100 false +ve
• Unproven/untested technologies – just how hard/easy are they to spoof?
• Example: Finger print recognition
  • Can be spoofed for <$20 in about 30 minutes using “jelly” fingers


Page 16: Some Security Hot Issues


Background security checks

Less than 60% of organisations carry out checks on new staff

IT Security Professionals

Banking

Critical infrastructure: Energy, Telecoms, Utilities

Employees are still the weakest link

Page 17: Some Security Hot Issues


Targeted Attacks

Focussed attack on specific targets within the organisation:
• Spoof email or CD.

Social engineering to create “familiarity”:
• Message on business opportunity, hobby, interest.

Low activity malware implanted:
• Disable AV.
• Collecting keystrokes or audio.
• Email data out.

Response – “Combined interoperable defence.”

Page 18: Some Security Hot Issues


The Good News…The Bad News…Airborne Viruses

Personal, Local and Wide Area Connectivity is enabling the Enterprise and exposing to new security risk

802.11 can be visible from over a mile away.

Bluetooth: 30 feet

2.5 and 3G can be visible for many miles

Source: Symantec 2002

Page 19: Some Security Hot Issues


Airborne Viruses - Defence

Unless you don’t have assets worth protecting . . .

. . . Don’t use wireless technology without putting in the countermeasures that are available!

Page 20: Some Security Hot Issues


The law of requisite variety (Prof.Ross Ashby)

Formal Descriptions

The abundance or variety of alternative control actions which a control mechanism is capable of executing must be at least equal to the abundance or variety of the spontaneous fluctuations which have to be corrected by the control mechanism, if the control mechanism is to perform its function effectively.

Only a greater amount of variety in a regulator can control the variety present in a given system.

The larger the variety of actions available to a control system, the larger the variety of perturbations it is able to compensate.

Only variety can destroy variety.

There must be as much variety in the control mechanism as there is variety in the threat

Page 21: Some Security Hot Issues


Ways to win..

Proactive security – mitigate your risk (do not just rely on technology..)

Threats are defeated by Information + Technology

Superior response capability

“In-source” / outsource

Size and flexibility in defence

Page 22: Some Security Hot Issues


References

Symantec Figures: Internet Security Threat Report Volume II

http://enterprisesecurity.symantec.com/content.cfm?EID=0&ArticleID=1539

Blended Threats: http://www.informationweek.com/story/IWK20020516S0020

http://www.symantec.com/symadvantage/012/blended.html

Sleeper Virus: http://news.zdnet.co.uk/story/0,,t269-s2083648,00.html

Shatter Attacks: http://security.tombom.co.uk/shatter.html

Cross Site Scripting: http://www.securiteam.com/securityreviews/5FP000A81E.html

Biometrics – BBC: http://news.bbc.co.uk/1/hi/sci/tech/1991517.stm

Airborne Virus: http://www.networkmagazine.com/article/NMG20001130S0001/2

Ross Ashby: http://pespmc1.vub.ac.be/ASHBBOOK.html