
Information Assurance: vulnerabilities, threats, and controls

Date post: 17-Jan-2016
Description:
Information Assurance: vulnerabilities, threats, and controls. Dr. Wayne Summers, TSYS Department of Computer Science, Columbus State University. [email protected] http://csc.colstate.edu/summers (PowerPoint presentation)

Information Assurance: vulnerabilities, threats, and controls

Dr. Wayne Summers

TSYS Department of Computer Science

Columbus State University

[email protected]

http://csc.colstate.edu/summers

SQL Slammer

“It only took 10 minutes for the SQL Slammer worm to race across the globe and wreak havoc on the Internet two weeks ago, making it the fastest-spreading computer infection ever seen.”

“The worm, which nearly cut off Web access in South Korea and shut down some U.S. bank teller machines, doubled the number of computers it infected every 8.5 seconds in the first minute of its appearance.”

It is estimated that 90% of all systems that fell victim to the SQL Slammer worm were infected within the first 10 minutes.

BLASTER

On Aug. 11, the Blaster virus and related bugs struck, hammering dozens of corporations.

At least 500,000 computers worldwide infected

Maryland Motor Vehicle Administration shut its offices for a day.

Check-in system at Air Canada brought down.

Infiltrated unclassified computers on the Navy-Marine intranet.

In eight days, the estimated cost of damages neared $2 billion.

SOBIG.F

Ten days later, the SoBig virus took over, causing delays in freight traffic at rail giant CSX Corp., forcing cancellation of some Washington-area trains and causing delays averaging six to 10 hours.

Shutting down more than 3,000 computers belonging to the city of Fort Worth.

One of every 17 e-mails scanned was infected (AOL detected 23.2 million attachments infected with SoBig.F)

Worldwide, 15% of large companies and 30% of small companies were affected by SoBig - estimated damage of $2 billion.


Information Assurance: Definitions

Vulnerabilities

Threats

Controls

Conclusions

Computer Security

the protection of the computer resources against accidental or intentional disclosure of confidential data, unlawful modification of data or programs, the destruction of data, software or hardware, and the denial of one's own computer facilities irrespective of the method together with such criminal activities including computer related fraud and blackmail. [Palmer]

Definitions

vulnerability - weakness in the security system that might be exploited to cause a loss or harm.

threats - circumstances that have the potential to cause loss or harm. Threats typically exploit vulnerabilities.

control - protective measure that reduces a vulnerability or minimizes the threat.

Vulnerabilities reported

1995-1999

Year             1995   1996   1997   1998   1999*
Vulnerabilities  171    345    311    262    417

2000-2003

Year             2000   2001   2002   2003
Vulnerabilities  1,090  2,437  4,129  3,784

In 2002 over 80 vulnerabilities in IE patched. There are currently 24 items, updated on 2004/01/27. [http://www.safecenter.net/UMBRELLAWEBV4/ie_unpatched/index.html]

Incidents reported increased from 82,094 in 2002 to 137,529 in 2003

Security Incidents

Total incidents reported (1988-2003): 319,992. An incident may involve one or thousands of sites and incidents may last for long periods.

Source: CERT/CC

Vulnerabilities

“Today’s complex Internet networks cannot be made watertight…. A system administrator has to get everything right all the time; a hacker only has to find one small hole. A sysadmin has to be lucky all of the time; a hacker only has to get lucky once. It is easier to destroy than to create.” – Robert Graham, lead architect of Internet Security Systems

Recent News

November 29, Washington Post - Hackers find cell phones next weak link to exploit - Virus converts each icon into a death's head

November 05, Asbury Park Press (NJ) - Computer virus hits state offices. Drivers and applicants endured sometimes long waits at the newly overhauled New Jersey Motor Vehicle Commission's (MVC) offices on three days last week after a hard charging computer virus struck its statewide system.

A survey conducted by Internet service provider America Online Inc. found that 20% of home computers were infected by a virus or worm, and that various forms of snooping programs such as spyware and adware are on a whopping 80% of systems. Even so, more than two-thirds of home users think they are safe from online threats. [ComputerWorld, OCTOBER 25, 2004]

“A zero-day exploit targeting one of the latest Microsoft flaws was publicly announced Tuesday, …just one week after Microsoft announced a record number of 10 security bulletins, seven of them critical.” [20 Oct 2004 | SearchSecurity.com]

The Gartner Group estimates that in the last year, 57 million U.S. adults received phishing e-mails, of which 11 million clicked on the provided links, and 1.78 million provided passwords and other sensitive personal information. In total, the scams resulted in fraud losses of $2.4 billion. [Gartner report, June 2004]

IM Worms could spread in seconds – “Symantec has done some simulations…and has found that half a million systems could be infected in as little as 30 to 40 seconds.” [InternetWeek – Jun 21]

{Virus?} Use this patch immediately !

Dear friend , use this Internet Explorer patch now!

There are dangerous virus in the Internet now!

More than 500.000 already infected!

E-mail from "Microsoft" <[email protected]>

Malware and other Threats

Viruses / Worms (over 100,000 viruses – 11/2004)
– 1987-1995: boot & program infectors
– 1995-1999: Macro viruses (Concept)
– 1999-2003: self/mass-mailing worms (Melissa-Klez)
– 2001-???: Megaworms [blended attacks] (Code Red, Nimda, SQL Slammer, Slapper)

Trojan Horses
– Remote Access Trojans (Back Orifice)
– Computer parasites (pests – spyware, BHOs, keylogger, dialers, SPIM)

Computer security company Trend Micro detected 1,485 viruses in September [2004], a 600% increase over the 250 spotted a year ago. Of those, 45% were Trojan horses attempting to steal personal data, the company said. The company also reported a “surge in zombie networks,” saying it had found 400 programs in the past month compared with 17 a year ago.

Social Engineering

“we have met the enemy and they are us” – POGO

The greatest security risk facing large companies and individual internet users over the next 10 years will be the increasingly sophisticated use of social engineering to bypass IT security defences, according to analyst firm Gartner. [ZDNet Australia, November 01, 2004]

Social Engineering – “getting people to do things that they wouldn’t ordinarily do for a stranger” – The Art of Deception, Kevin Mitnick

Controls

Reduce and contain the risk of security breaches

“Security is not a product, it’s a process” – Bruce Schneier [Using any security product without understanding what it does, and does not, protect against is a recipe for disaster.]

Security is NOT installing a firewall.

Defense in Depth

Antivirus
– Keep it up to date

Deploy a Firewall
– Review settings and logs frequently

Authentication Techniques (passwords, biometric controls)

Disable or secure file shares

Keep your patches up-to-date

BACKUP


“The most potent tool in any security arsenal isn’t a powerful firewall or a sophisticated intrusion detection system. When it comes to security, knowledge is the most effective tool…”

Douglas Schweizer – The State of Network Security, Processor.com, August 22, 2003.

Resources

http://www.sans.org

http://www.cert.org

http://www.cerias.purdue.edu/

http://www.linuxsecurity.com/

http://www.linux-sec.net/

http://www.microsoft.com/security/

Cuckoo’s Egg – Clifford Stoll

Takedown – Tsutomu Shimomura

The Art of Deception – Kevin Mitnick

COMPUTER SECURITY DAY

November 30, 2004

ACCENTUATE THE POSITIVE

