TRANSCRIPT
© 2004, Enspherics Division of CIBER. All Rights Reserved.
IT Security Trends, Threats, and
Countermeasures
Ed Bassett
President
Enspherics Division of CIBER
Ed Bassett:
Things to weave in:
-- wireless
-- worms/virus
-- patching
-- spyware
Presentation Overview
• Trends
– Statistics
– Changing Technology
– Changing Expectations
• Threats
• Countermeasures
– Programmatic
– Technical
Impact Statistics
• 56% detected computer security breaches within the last twelve months.
• 75% acknowledged financial losses due to computer breaches.
• 47% were willing and/or able to quantify their financial losses. These 251 respondents reported over $201,000,000 in financial losses.
– Amount of loss down significantly: 56% lower than 2002
Impact Statistics (cont.)
• Most common forms of attack/abuse:
– Viruses (82%)
– Insider abuse of network access (80%)
• 25% suffered unauthorized access or misuse on their Web sites; 22% said they didn’t know.
• Source: 2003 Computer Crime and Security Survey, Computer Security Institute, with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad
The Trend is Clear
[Chart: Number of Reported Incidents (CERT/CC), 1989 to 2001, y-axis 0 to 50,000]
2002 – 82,100
2003 – 137,500
Security Drivers – Changing Technology
• Decentralized security controls
– Proliferation of authentication and authorization schemes
– Application-level security decisions
• Interconnectivity with partners/customers
– Internet connectivity
– Web-enablement of mission-critical applications
• Wireless networks
• Offshore development
– May actually reduce risk!
Security Drivers – Changing Expectations
• HIPAA – Health care
• GLBA – Financial services and insurance
• California SB1386
• Homeland Defense
• Local laws and regulations
• Customer/partner expectations
• Insurance requirements
• Internal motivations
– Cost/disruption of security incidents
– Reputation/image damage
– Litigation risk
HIPAA Requirements Breakdown
Administrative Safeguards
– Security Management Process
– Assigned Security Responsibility
– Workforce Security
– Information Access Management
– Security Awareness and Training
– Security Incident Procedures
– Contingency Plan
– Evaluation
– Business Associate Contracts
Physical Safeguards
– Facility Access Controls
– Workstation Use
– Workstation Security
– Device and Media Controls
Technical Safeguards
– Access Control
– Audit Controls
– Integrity
– Person or Entity Authentication
– Transmission Security
California SB 1386 – Information Practices Act
• If you store “personal information” on one or more California residents, you must notify them if their data have (or may have) been accessed illegally
• Disclosure is no longer a PR decision
• Stated goal: minimize damage from identity theft
– “Expeditious notification…of possible misuse…is imperative”
• Encryption of data is critical – but not sufficient
– Law only applies to “unencrypted personal information”
– But what if data is decrypted as part of the “breach”?
• Affects all companies who do business with California residents
– Outsourcing companies
– Data processing and storage companies
• Similar legislation being introduced in several states and at the federal level
Threats – Attack Sophistication vs. Intruder Technical Knowledge
[Chart, 1980 to 2000: Attack Sophistication rises from low to high while the Intruder Knowledge required falls from high to low. Tools and Attackers are plotted over time.]
Labels on the chart: password guessing; self-replicating code; password cracking; exploiting known vulnerabilities; disabling audits; back doors; hijacking sessions; sweepers; sniffers; packet spoofing; GUI; automated probes/scans; denial of service; www attacks; “stealth” / advanced scanning techniques; burglaries; network mgmt. diagnostics; DDoS attacks
Source: Carnegie Mellon Software Engineering Institute
Threats – Example 1
• Organized, targeted attacks
– Example: “Russian Hackers”
– Target: Credit card numbers held by financial institutions
– Method:
• Exploit known weaknesses in e-commerce web sites
• Steal data
• Extort the victim, posing as security consultants
– Motivation: Money
– Results: Have successfully broken into 600 financial institutions to date (source: FBI)
Threats – Example 2
• Large-scale automated attacks
– Example: Virus/Worm du jour
– Target: Vulnerable computers
– Method:
• Fast, broad mechanism to search for vulnerable systems
• Infect, spread
• Use up resources
– Motivation: Publicity
– Results: Extremely large number of systems infected in a very short period; many resources consumed fighting/recovering from attacks
Threats – Other Trends
• Automated vulnerability scans
– Look for services
– Look for specific vulnerabilities
– Now routine
• Application-focused attacks
– Targeting application logic rather than base network and server protocols
– Attacks target data rather than machines
• Distributed Denial of Service (DDoS)
– Targeted, coordinated
• Insider – witting and unwitting
Are We Getting (Too) Used To This?
[Slide of news headlines about recent worm outbreaks:]
“Grounds Flights!!!”
“Little Damage???”
“Discovered 6 Months Ago”
“Blocks ATMs!!!”
Done Well, Security Can Be Very Effective
• 99% of all reported intrusions “result through exploitations of known vulnerabilities or configuration errors, for which countermeasures were available.”
– Carnegie Mellon University
Countermeasures – Programmatic Maturity
• Establish solid policy foundation
• Manage risk (rather than seeking to eliminate it)
• Plan for failure
• Elevate security to “production quality”
• Blend technical and non-technical controls
• Do not rely on perimeter controls alone
Programmatic Building Blocks – Key Components of an Effective Security Program
[Diagram: program areas built up from the PROGRAM foundation through MANAGE, DOCUMENT, EDUCATE, PROTECT, DETECT and RESPOND]
PROGRAM
– Executive Commitment
– Charter
– Dedicated ISO
– Strategic Planning
– Funding
– Cross-Functional Security Oversight
– Roles and Responsibilities
– Security Skills
MANAGE
– Asset Risk Management (Life Cycle Approach)
DOCUMENT
– Policies, Standards, Procedures
– Asset ID and Classification
EDUCATE
– Awareness Programs
– General Training, Specialized Training
– Procedures
PROTECT
– Non-Technical Controls: Physical Controls, Verbal/written, Personnel
– Technical Controls: Net, OS, DB, App, Elec Comm
DETECT
– Reviews
– Compliance Monitoring
– Intrusion Detection
– Auditing and Event Logging
RESPOND
– Incident Response
– Disaster Recovery
– Business Continuity
Risk Management Process
[Diagram: a cycle of Define, Achieve and Maintain]
• Inputs: Threats, Vulnerabilities, Information
• Risk Assessment, yielding Acceptable Risk or Unacceptable Risk
• Unacceptable Risk: Add Controls (Technical Controls, Non-Technical Controls)
• Operate, Maintain, Monitor, and Train
Technical Countermeasures (what next after the firewall)
• Application security
• Encryption
• Interior hardening
• Security management
• Assurance testing
Countermeasure – Application Security
• Applications mediate most data access by end-users
• Security often ignored, or, worse yet, poorly designed
• Many common attacks focused on application logic
– Attacks can be targeted at data or processes rather than machines or networks
• App attacks bypass perimeter controls
– Even bogus application requests can appear to be “normal” from a network (firewall) perspective
• Design/build applications to be secure
– Analyze potential attacks/risks
– Establish security requirements for custom applications
– Evaluate security features in selection of off-the-shelf packages
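The application-logic attack the slide describes, as an added example (not code from the original presentation): the same three requests go through a vulnerable lookup and a hardened one. Every request is a well-formed parameter value that a firewall would pass; only the application can tell that bob is asking for carol's account, or that the "account id" is really a SQL fragment. The SQLite table, the account data and the request shape are constructed for illustration.

```python
"""Added example, not from the original slides: the same application request
handled by a vulnerable and a hardened data-access routine.

Assumptions (constructed for illustration): an in-memory SQLite table of
customer accounts, and a request reduced to (user, account_id), standing in
for the query string of a web request that the firewall has already allowed.
"""
import sqlite3

# Constructed sample data: three customers, each owning one account.
ACCOUNTS = [
    ("A-100", "alice", 1500.00),
    ("A-200", "bob", 42.50),
    ("A-300", "carol", 99000.00),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user: str, account_id: str) -> list:
    """Deliberately weak: SQL built by string concatenation, and no check that
    the caller owns the account. Nothing here looks abnormal on the wire."""
    sql = "SELECT id, owner, balance FROM accounts WHERE id = '" + account_id + "'"
    return conn.execute(sql).fetchall()


AUDIT_LOG: list = []  # hypothetical application audit log, one line per denial


def lookup_hardened(conn: sqlite3.Connection, user: str, account_id: str) -> list:
    """Parameterised query (input never becomes SQL) plus an application-level
    authorization rule: a user may read only the accounts they own. Denials are
    written to the audit log, which is what makes them detectable later."""
    row = conn.execute(
        "SELECT id, owner, balance FROM accounts WHERE id = ?", (account_id,)
    ).fetchone()
    if row is None or row[1] != user:
        AUDIT_LOG.append(f"DENY user={user} account={account_id!r}")
        return []
    return [row]


def run_demo() -> dict:
    """Three requests, each sent through both routines. Returns the row counts
    so the difference is visible without reading stdout."""
    conn = build_db()
    requests = {
        "honest": ("bob", "A-200"),            # bob reads his own account
        "other_id": ("bob", "A-300"),          # bob asks for carol's account
        "injection": ("bob", "' OR '1'='1"),   # bob tampers with the parameter
    }
    results = {}
    for name, (user, account_id) in requests.items():
        results[name] = {
            "vulnerable": len(lookup_vulnerable(conn, user, account_id)),
            "hardened": len(lookup_hardened(conn, user, account_id)),
        }
    return results


if __name__ == "__main__":
    for name, counts in run_demo().items():
        print(f"{name:10s} vulnerable={counts['vulnerable']} hardened={counts['hardened']}")
    print("\n".join(AUDIT_LOG))
```

The vulnerable routine hands back one row for the honest request, one row (carol's) for the other-id request and all three rows for the injected value; the hardened routine returns one row for the honest request and nothing for the other two, leaving two DENY lines in the audit log.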
Countermeasure – Application Security (cont.)
• Include application penetration testing in all acceptance testing
• Configure intrusion detection systems to look at application log activity
– Unauthorized attempts often easy to detect
• Application features critical to security
– Authentication
– Authorization
– Session context control
– Audit logging
– Intrusion detection and deterrence
– Data cleansing
– Data privacy and integrity
– Back-end communications
– Alternative interfaces
– Policies and procedures
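What "look at application log activity" can mean in practice, as an added example that is not part of the original presentation: two detection rules run over constructed application audit lines, one for a burst of failed logins from a single source and one for a user collecting authorization denials while probing account ids that are not theirs. The key=value log format, the 60-second window and the thresholds are assumptions chosen for the illustration.

```python
"""Added example, not from the original slides: simple detection logic run
over application log lines, of the kind an IDS could be pointed at.

Assumptions: a constructed key=value log format with an ISO-8601 timestamp;
the thresholds and the 60-second window are illustrative choices.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one normal session (bob), the same user probing
# account ids that are not his, a password-guessing burst (eve), a normal
# session (alice) and one line that does not parse at all.
LOG_LINES = """\
2004-03-02T10:15:01 user=bob src=10.1.2.3 action=login result=OK
2004-03-02T10:15:07 user=bob src=10.1.2.3 action=view account=A-200 result=OK
2004-03-02T10:15:09 user=bob src=10.1.2.3 action=view account=A-300 result=DENY
2004-03-02T10:15:10 user=bob src=10.1.2.3 action=view account=A-301 result=DENY
2004-03-02T10:15:11 user=bob src=10.1.2.3 action=view account=A-302 result=DENY
2004-03-02T10:16:00 user=eve src=198.51.100.7 action=login result=FAIL
2004-03-02T10:16:02 user=eve src=198.51.100.7 action=login result=FAIL
2004-03-02T10:16:03 user=eve src=198.51.100.7 action=login result=FAIL
2004-03-02T10:16:05 user=eve src=198.51.100.7 action=login result=FAIL
2004-03-02T10:16:06 user=eve src=198.51.100.7 action=login result=FAIL
2004-03-02T10:20:00 user=alice src=10.1.2.9 action=login result=OK
2004-03-02T10:20:03 user=alice src=10.1.2.9 action=view account=A-100 result=OK
garbage line that does not parse
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<kv>(?:\w+=\S+\s*)+)$"
)


def parse(line: str):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m.group("ts"))}
    for pair in m.group("kv").split():
        k, v = pair.split("=", 1)
        ev[k] = v
    return ev


def _count_in_window(q: deque, ts: datetime, window: timedelta) -> int:
    """Slide the window: record ts, drop entries older than `window`, return the count."""
    q.append(ts)
    while q and ts - q[0] > window:
        q.popleft()
    return len(q)


def detect(lines, fail_threshold: int = 5, deny_threshold: int = 3,
           window: timedelta = timedelta(seconds=60)) -> list:
    """Two rules: repeated failed logins from one source (password guessing) and
    repeated authorization denials for one user (probing for other people's
    data). Each rule fires once per key, on the event that crosses the threshold."""
    alerts, fired = [], set()
    fails = defaultdict(deque)   # src  -> recent failed-login timestamps
    denies = defaultdict(deque)  # user -> recent DENY timestamps
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # a real IDS would count unparseable lines separately
        if ev.get("action") == "login" and ev.get("result") == "FAIL":
            key = ("brute_force", ev.get("src", "?"))
            n = _count_in_window(fails[key[1]], ev["ts"], window)
            threshold = fail_threshold
        elif ev.get("result") == "DENY":
            key = ("enumeration", ev.get("user", "?"))
            n = _count_in_window(denies[key[1]], ev["ts"], window)
            threshold = deny_threshold
        else:
            continue
        if n >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"rule": key[0], "key": key[1], "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

On the sample, bob's third DENY at 10:15:11 raises an enumeration alert and eve's fifth failed login at 10:16:06 raises a brute-force alert for 198.51.100.7; alice's session produces nothing, and the unparseable line is skipped rather than crashing the detector.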
Countermeasure – Encryption
• Admin logins, e-mail, intranet apps, file transfers, remote access, wireless, data signing, etc.
• Technology built in to Operating Systems, Web Browsers, E-mail Clients – but applications are not aware (yet)
[Diagram (Source: Microsoft): file encryption with key recovery. A Random Number Generator produces a Randomly Generated File Encryption Key K. The plaintext “A quick brown fox jumped...” is encrypted with K (File Encryption, DES) into “*#$fjda^j u539!3tt389E *&...”. K is then encrypted under the User's Public Key (RSA) to produce the Data Decryption Field, and under the Recovery Public Key (RSA) to produce the Data Recovery Field.]
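The structure in the Microsoft diagram, written out as an added example (not Microsoft's code and not from the original presentation): a random per-file key K encrypts the data, and K itself is stored twice, once wrapped for the user (the Data Decryption Field) and once for a recovery agent (the Data Recovery Field), so either party can open the file without the other's key. To run on the Python standard library alone, the DES file cipher and the RSA key wrapping of the diagram are replaced here by an HMAC-SHA256 counter-mode stream cipher with an HMAC tag, and the two public keys by two symmetric key-encryption keys; the function names and the 32-byte keys are assumptions.

```python
"""Added example, not from the original slides and not Microsoft's code: the
key-recovery layout of the EFS diagram, with a per-file key K wrapped once for
the user and once for a recovery agent.

Assumptions: to stay runnable on the standard library alone, the DES file
cipher and the RSA key wrapping in the diagram are replaced by an HMAC-SHA256
counter-mode stream cipher with an HMAC tag, and the two public keys by two
symmetric key-encryption keys. The field names (DDF, DRF) follow the diagram."""
import hashlib
import hmac
import os
from itertools import count

NONCE_LEN, TAG_LEN = 16, 32


def _derive(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    for i in count():
        if len(out) >= n:
            break
        out += hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:n])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampered data raises."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def encrypt_file(plaintext: bytes, user_kek: bytes, recovery_kek: bytes) -> dict:
    """A random file key K encrypts the data; K is stored twice, wrapped under
    the user's key (DDF) and under the recovery agent's key (DRF)."""
    k = os.urandom(32)  # "Randomly Generated File Encryption Key K" in the diagram
    return {
        "ciphertext": seal(k, plaintext),
        "ddf": seal(user_kek, k),      # Data Decryption Field
        "drf": seal(recovery_kek, k),  # Data Recovery Field
    }


def decrypt_file(blob: dict, kek: bytes, field: str) -> bytes:
    """Either party recovers K from its own field, then decrypts the data.
    The recovery agent never needs the user's key, and vice versa."""
    k = unseal(kek, blob[field])
    return unseal(k, blob["ciphertext"])


def opens(blob: dict, kek: bytes, field: str) -> bool:
    """True if `kek` can open the file through `field`, False on tag failure."""
    try:
        decrypt_file(blob, kek, field)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    user_kek, recovery_kek = os.urandom(32), os.urandom(32)
    blob = encrypt_file(b"A quick brown fox jumped...", user_kek, recovery_kek)
    print(decrypt_file(blob, user_kek, "ddf"))        # the user's path
    print(decrypt_file(blob, recovery_kek, "drf"))    # the recovery agent's path
    print(opens(blob, recovery_kek, "ddf"))           # False: wrong key for that field
```

The recovery path is the point of the slide's "but not sufficient" caveat as well: whoever holds the recovery key can read every file, so that key needs the same protection as the data it unlocks.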
Countermeasure – Interior Hardening
• Obtain defense in depth through:
– Layering
– Segmentation
– Containment
• Not just about the “insider attack”
– Outsider attacks that “vector” past perimeter controls can attack the inside of your network – e.g., recent worm attacks
• Security-flexible architectures
– Ensure an ability to isolate so that problems in one system are not “inherited” by large portions of the enterprise
– Can greatly reduce the damage an attack can cause
• Look at:
– Default deny policies – networks, desktops
– Network architecture behind the firewall
– Resource grouping – resources that can be accessed with a “network login”
– Services offered on the internal networks
– Server configuration
Countermeasure – Security Management
• Tools for visualization and correlation
Countermeasure – Security Management (cont.)
• Robust incident handling
Countermeasure – Assurance Testing
[Diagram: assurance testing options ordered from Low to High assurance]
– Automated External Network “Scan”
– Network Penetration Testing
– ST&E (Compliance Testing)
– Network, Host, and App Testing
– Customized Testing of All Components
– In-depth S/W and H/W Trust Evaluation
Typical Choices: Commercial (low end), Gov’t Non-DoD (middle), DoD (high end)
…and thanks!
Q&A