Information Security & Corporate Strategy

Threats to Information Security
Presentation in London, 1998
With Notes on Changes, 2002
Stephen Cobb, CISSP
This session: What are the threats?
• Agenda:
– Terms of reference
– Statistical and empirical data
– Examples of information security breaches and their effects on companies
– Putting threats in perspective
– The main threat categories in more detail
Themes:
• Threats may seem technical, but many defenses require nontechnical skills
• Threats are not constant, and may increase when times are tight
• Skills required to deal with these issues are in short supply
So, what are the information security
needs of the Internet-enabled company:
You need to protect the confidentiality, integrity
and availability of data, given that:
A. Private data is now travelling on a public
(untrusted) network
B. Your private network is now connected to a
public (untrusted) network
C. Your private network users now have access
to a public (untrusted) network
So who am I to talk about this?
• First infosecurity book from client perspective, 1992
• Certified Information Systems Security Professional
• Formerly with National Computer Security Association
• Former Director, Miora Systems Consulting (MSC)
• InfoSec Labs, Rainbow Technologies
• MSC beat Digital and Entrust in a security services RFP competition, April 98 — short-listed with Coopers & Lybrand, Price Waterhouse and CISCO Wheelgroup
• Involved in wide range of authorized penetration tests with 100% success rate
Statistics from the 5th Annual
Information Security Survey, 1998
• 73% of European companies report information
security risks have increased this year
• Highest security concern:
– network security (86%)
• Next highest security concerns:
– end-user security awareness (80%)
– winning top management commitment (80%)
Ernst & Young / Computerworld Survey, Global Results from 29 Countries
Perceived security threats:
• Computer terrorists 28%
• Authorized users 26%
• Former employees 24%
• Unauthorized users 23%
• Contractors 19%
55% of companies lacked confidence that their systems could withstand an internal attack. Are these your business partners?
Ernst & Young / Computerworld Survey, Global Results from 29 Countries
Statistics from a 1998 Survey by
Computer Security Institute / FBI
• 64% of companies had incidents of unauthorized use of computer systems within the last 12 months.
• More than a third of incidents were from inside.
• 65% of companies experienced laptop theft.
Is it really that bad? YES!
• Hong Kong Reuters Office Hacked: Traders at 5 banks lose price data for 36 hours
• PA Teenager Charged With 5 Counts of Hacking: Southwestern Bell, BellCore, Sprint, and SRI hit; costs to Southwestern Bell alone exceed $500,000
• Citibank Hit in $10 Million Hack: Russian hacker had inside help; several $100K not yet recovered
• Compaq Ships Infected PCs
• Virus Taints Big Japanese Debut
• Computer Attack Knocks Out 3,000 Web Sites: 40 hour shutdown during busiest shopping season
• Pair of surveys show 54%-58% of companies lost money due to computer break-ins in 1996
• U.S. Government Web Sites Hacked: NASA, Air Force, NASA, DoJ, CIA
And these are just the ones that made the news....
Experience in the field
• About 50 information system security penetration assignments in the last 18 months
• 80% of these were corporations, the rest were state and local government agencies
• Some of these clients wanted tests because they lacked confidence in their security, but others asked because they were confident
• Number of systems we failed to penetrate: 0
– Average skill level required: 2 on a scale of 5
A closer look at one category: web site hacking
[Screenshot of a defaced web site] Hacked by Trix and Vertex
But the military would be tougher, right?
[Screenshot of a defaced web site] 1st Communications Squadron, USAF, Langley, Virginia
Why? This one was a protest
They were not the only ones:
www.everything-pages.com
www.saflec.com
www.islandbound.com
www.fitp.org
www.language-arts.com
www.seaflower.com
www.kissfreaks.com
www.soteria.com
www.exclusivebda.com
www.intelinc.com
www.allpetsgotoheaven.com
www.gonebush.com
www.asean-countries.com
www.westernleisure.com
www.bestboard.com
www.brash.com
www.heylloyd.com
www.fetishbear.com
www.timbezo.com
www.cybersecret.com
www.w-3productions.com
www.3isecurity.com
midtenn.com
biohaz.com
www.odi.com.pl
www.knesset.gov.il
sunsite.ust.hk/
bestboard.com
puckplace.com
websignal.com
cybservice.com
threedot.com
yorktours.com
dpss.com
superbio.com
quinx.com
textscape.com
thewharf.com
rebel-tech.com
www.thermocrete.com
www.nuvocom.com
www.tvweather.com
www.danehip.com
www.centurydie.com
www.info168.com
www.cbd.de
www.presage.co.uk
www.boimag.co.uk
www.uranium.org/
www.pcgameworld.com/
www.cccookies.com/
www.shcp.gob.mx
www.ddd.fr
www.usuhs.mil
www.spiritualenigma.com
www.bojan.com
www.pcconcepts.com/
www.netbank.net.tw
www.kuniv.edu.kw
www.langley.af.mil
sistematix.com
www.onelifedrugfree.com/
www.huntingtimes.com
allwrestling.com
www.humblebums.com
www.ju.edu
www.thomasmore.edu
intellus.no/
iposerve.de
www.saatchisaatchi.com/innovation/
www.rang.k12.va.us/
www.maxout.net
www.thermocreteusa.com
www.xhn.org
www.alis.com
www.top50mp3.com/
www.vpac.org/
www.phpages.com
www.gov.com/
www.on-the-hook.com
www.conceptsvisual.com
www.1792.com
80 more in first 3 weeks of Feb 98
Then the hacked site was hacked!
But what’s the harm?
• Web servers may be a path to internal systems
• Web servers may reveal information that can be leveraged to access internal systems
• Lost time, lost customers and confidence
• Lost revenue (if the site is doing e-commerce)
• But probably the biggest harm: Reputations
– personal, professional and corporate
We need perspective on these threats
• Why are we having these problems now?
– Same old problems, different manifestation?
– Deep-rooted problems only now coming to light
• Who is causing these problems?
– Threat agent assessment
– Threats vary according to social and economic factors, such as redundancies, downsizing
That was then --- This is now
Then:
• Glass house
• Limited attack points
• Limited vulnerabilities
• Trustworthy friends and known enemies
• Computer knowledge and networks limited
• Clear motives
Now:
• Distributed computing
• Multiple attack points
• Vulnerable technology
• The best of friends may not have the best security
• Widespread computer literacy and connectivity
• Mixed motives
Data on level of threat are hard to find, but we can ask: Who is likely to be a problem?
• Sample table of responses from security officers, subject to change due to social and economic factors
Map threats relative to technical skills and business knowledge
This was an early version of the government’s critical infrastructure protection plan, circa 1998
LANs to WANs, to GANs: problems long postponed are finally catching up
The rush to deploy technology means the wrong tools are used, and warnings go unheeded
“Don't rely on hidden variables for security.”
WWW Security FAQ, 1995
Bank access page, using hidden variables (1998):
<FORM ACTION="/cgi-bin/pccgi02.exe/WF000100/ND00JD130538/?NodeId=0000?JobId=130538" METHOD="POST" >
<A NAME="MAIN NEW LOGON"></A>
<INPUT TYPE=HIDDEN NAME="EWF.SYS.01" VALUE="130538" >
<INPUT TYPE=HIDDEN NAME="EWF.SYS.03" VALUE="MAIN NEW LOGON" >
<INPUT TYPE="HIDDEN" SIZE="10" MAXLENGTH="100" NAME="USERID">
<INPUT TYPE="HIDDEN" SIZE="10" MAXLENGTH="100" NAME="PASSWORD">
<INPUT TYPE="HIDDEN" SIZE="10" MAXLENGTH="100" NAME="PHONE_NUMBER">
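As an added illustration of why the FAQ's advice matters (this is example code written for this transcript, not anything from the presentation or the bank in question): a hidden field is just part of the request body, so the client can set it to anything. The first handler below trusts a hidden ACCOUNT field, standing in for values like the EWF.SYS.* fields above, to decide whose data to show; the second takes identity only from server-side session state selected by a session cookie and checks a per-session HMAC form token. All names, session data and the secret are constructed for the demo.

```python
import hmac
import hashlib
from urllib.parse import parse_qs

# Constructed demo data (hypothetical): what the server knows about each
# logged-in session. Session ids are the server's own, never taken from a form.
SERVER_SECRET = b"constructed-demo-secret-rotate-me"  # placeholder, not a real key
SESSIONS = {
    "s-alice": {"user": "alice", "account": "ACC-001"},
    "s-bob":   {"user": "bob",   "account": "ACC-002"},
}


def parse_form(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body to single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_handler(body: str) -> dict:
    """Trusts the hidden ACCOUNT field: whatever the client posts selects the data.
    Editing the field in the browser or with a proxy changes the outcome."""
    form = parse_form(body)
    account = form.get("ACCOUNT", "")
    for sess in SESSIONS.values():
        if sess["account"] == account:
            return {"ok": True, "account": account, "user": sess["user"]}
    return {"ok": False, "reason": "unknown account"}


def sign_token(session_id: str) -> str:
    """Per-session form token: HMAC over the server-side session id, so a token
    issued to one session is useless with another session's cookie."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def hardened_handler(body: str, session_cookie: str) -> dict:
    """Derives identity from the server-side session named by the cookie.
    The form may carry a token, but every authorization-relevant value comes
    from SESSIONS; the client-supplied ACCOUNT field is ignored entirely."""
    sess = SESSIONS.get(session_cookie)
    if sess is None:
        return {"ok": False, "reason": "no session"}
    form = parse_form(body)
    token = form.get("FORM_TOKEN", "")
    # constant-time comparison so token checking does not leak timing
    if not hmac.compare_digest(token, sign_token(session_cookie)):
        return {"ok": False, "reason": "bad form token"}
    return {"ok": True, "account": sess["account"], "user": sess["user"]}


# Constructed requests: Alice's legitimate form, and a copy where the hidden
# ACCOUNT value has been edited to point at another customer's account.
legit = "ACCOUNT=ACC-001&FORM_TOKEN=" + sign_token("s-alice")
tampered = "ACCOUNT=ACC-002&FORM_TOKEN=" + sign_token("s-alice")


def demo() -> dict:
    """Run both handlers against the tampered form for side-by-side comparison."""
    return {
        "vulnerable_tampered": vulnerable_handler(tampered),   # returns ACC-002
        "hardened_tampered": hardened_handler(tampered, "s-alice"),  # stays ACC-001
        "hardened_legit": hardened_handler(legit, "s-alice"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point is that the hardened handler never reads an identity or account from the form at all; the token only proves the form was issued to the same session that is now submitting it, which is what hidden fields are usually mistaken for providing.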
Penetration Plan
Gather data
Map resources
Probe for access
Exploit holes
Escalate access
Execute plans
From: Information Warfare: Principles & Operations, E. Waltz, 1998
Threat: viruses
• Large US bank, assets $50 billion+
• Computer virus brought down operations for 2 days
• Infected 90% of the bank's 300 file servers and 10,000 client workstations across 6 cities in 4 states.
• Production data was not damaged, but company’s
balance sheet was, by at least $400,000.
• Recent studies show average cost of recovering from
a virus incident on a network = $10,000 to $15,000
• But as much as $1 million has been lost in a single
virus incident!
Top 8 Viruses = 54% of Incidents
Name         Type   Incidents  Percent
CAP          Macro  97         20.7
Concept      Macro  29         6.2
Form         Boot   29         6.2
AntiEXE      Boot   27         5.8
Parity_Boot  Boot   22         4.7
Monkey       Boot   17         3.6
Ripper       Boot   17         3.6
Laroux       Macro  16         3.4
According to Virus Bulletin and Joe Wells’ Wild List, January 98
2002! One Virus = 77% of Incidents
Name            Type   Incidents  Percent
Win32/Klez      File   4644       77.22%
Win32/Yaha      File   289        4.81%
Win32/Magistr   File   198        3.29%
Win32/BadTrans  File   147        2.44%
Win32/Frethem   File   135        2.24%
Win32/SirCam    File   104        1.73%
Win32/Nimda     File   66         1.10%
Win32/Hybris    File   61         1.01%
Laroux          Macro  49         0.81%
According to Virus Bulletin and Joe Wells’ Wild List, August 2002
Other malicious code
• Logic bomb: dormant code inserted within a larger program, activation of which causes harm (e.g. recent $10 million Omega case)
• Trojan Horse: a program designed to appear legitimate in order to enter a system and execute its own agenda (e.g. AIDS disk)
• Worm: a program which copies itself many times over, hogging space and other resources, without permission (e.g. Internet worm, 1988)
• Active content (Java, ActiveX)
Virus types
• Boot sector
• File viruses
• Multi-partite
• Macro viruses
• Virtual (hoax) viruses
• Miscellaneous
Let’s take a look at how a typical computer virus infection spreads...
[Diagram: Home PC, Office PC, Server, Company Network]
Threat: insider abuse, a major threat to
company secrets
• Exploited by competitors
– American v. Northwest
– GM and VW
• Exploited by partners
– BA v. Virgin
– others
• By government agencies
– sting operations, piracy
Former General Motors employee Lopez allegedly stole approximately 90,000 text pages of trade secrets, transferring them from US to Germany via GM's intranet, then downloading them onto VW's computers... It cost Lopez his job. VW paid over $100 million to GM to settle the case.
Do people really do that?
• Yes, they do! October 1996, Daniel Worthing obtained work at PPG Industries through a contract with Affiliated Building Services.
• Began to stockpile proprietary information, including special formulas relating to new products such as an experimental fiberglass.
• When he tried to sell to PPG’s competitor, Owens-Corning Fiberglass, they turned him in to FBI.
• He pled guilty to the theft of proprietary information, value? $20 million!
Do people really do that?
Unauthorized access by employees: 44%
Denial of service attacks: 25%
System penetration from the outside: 24%
Theft of proprietary information: 18%
Incidents of financial fraud: 15%
Sabotage of data or networks: 14%
1998 CSI/FBI Study
The United States counterintelligence community has specifically identified the suspicious collection and acquisition activities of foreign entities from at least 23 countries.
NACIC 1997 Annual Report on Foreign Economic Collection & Industrial Espionage
2002, and mindless attacks continue
• Hackers broke into the computer systems belonging to a clinic in the UK, altered medical records of 6 patients who had just been screened for cancer—switched test results from negative to positive—those patients spent several days thinking that they had cancer
• The night before a patient was due to have a brain tumor removed, hackers broke into the computer where the tests were stored and corrupted the database. Surgery had to be postponed while the tests were redone
Source: Richard Pethia, CERT, Software Engineering Institute (SEI), Pittsburgh
Slogan from DEF CON III, Las Vegas, 1995: “Why? Because We Can”
Thank You!
• Questions?
• Email me at sc at cobb associates dot com
• Visit www.cobbassociates.com