IT Security Awareness Dangers in the Networked World
description
Transcript of IT Security Awareness Dangers in the Networked World
Page 18 Oct 2004
IT Security AwarenessDangers in the Networked World
Lai Zit SengNUS School of Computing
Page 28 Oct 2004
Topics
• History: Recent Worms• What is Security• Why Worry• What’s Happening in SOC
Page 38 Oct 2004
History – Code Red
• Struck on 12th Jul 2001– Public announcement on 17th Jul 2001– CERT announcement on 19th Jul 2001, and again
on 26th Jul 2001• Exploited buffer overflow in IIS
– CERT published advisory on 19th Jun 2001– Patch available from MS since 18th Jun 2001
• Estimated $2B in damages (Aug 2001)– Source: Computer Economics (quoted by
NewsFactor.com)
Page 48 Oct 2004
History – Slammer Worm
• Struck on 25th Jan 2003• Infected 75K hosts• Our own NUSNET “melted down” for hours
– Elsewhere: Disrupted ATMs, 911 systems• Exploited MS-SQL and MSDE vulnerabilities
– Patch available from MS since 10th Jul 2002– CERT advisory 29th Jul 2002
• Estimated US$1B in damages– Source: Mi2g
Page 58 Oct 2004
History – W32/Blaster
• Struck on 11th Aug 2003• Exploits RPC vulnerabilities
– CERT advisory on 17th Jul 2003– Patch available from MS since 16th Jul 2003
• Unprecedented damages– Mi2g estimates $32.8B in economic damages
(together with other malware of Aug 2003)
Page 68 Oct 2004
History – Other Incidents
• Apache/mod_ssl worm– CERT advisory 14th Sep 2002– Vulnerability published by CERT since 30th
Jul 2002• Nimda worm
– CERT announced 18th Sep 2001– Exploits vulnerability for which patch
available from MS since 29th Mar 2001
Page 78 Oct 2004
Security Triad
• Confidentiality: Ensuring that data contained in an information system is accessible only to those authorized.
• Integrity: Ensuring that data contained in or functions carried out by an information system is correct.
• Availability: Ensuring that an information system is accessible to those authorized to use it.
Page 88 Oct 2004
Why Worry
• Advances in technology: Convenience, cost, availability
• Pervasiveness of networked computing• Network convergence: Single network
for Voice, Video and Data• Human Issues:
– Social Engineering
Page 98 Oct 2004
Why Worry – cont’d
• Infrastructure/Operations– ATMs, Power Grid etc exposed to Internet
• Various risk exposures: Confidentiality, Integrity, Availability
• Zero-Day exposures• Phishing attacks• Risks are outstripping safeguards
Page 108 Oct 2004
Changes in Intrusion Profile
1988• Exploiting passwords• Exploiting known
vulnerabilities
Today• Exploiting protocol flaws• Examining source code
for security flaws• Abusing public servers• Installing sniffers• Source address
spoofing• DoS, DDoS• Widespread automated
scanning
Page 118 Oct 2004
Page 128 Oct 2004
Incidents Reported to CERT/CC
985921756
52658
82094
137529
0
20000
40000
60000
80000
100000
120000
140000
1999 2000 2001 2002 2003
Incidents Reported
From: CERT/CC Website
Page 138 Oct 2004
How many incidents?
0%10%20%30%40%50%60%70%80%
1999 2000 2001 2002 2003 2004
> 10 Incidents6 - 10 Incidents1 - 5 Incidents
From: 2004 CSI/FBI Computer Crime and Security Survey
Page 148 Oct 2004
How many incidents from Outside?
0%
10%
20%
30%
40%
50%
60%
1999 2000 2001 2002 2003 2004
1 - 5 Incidents6 - 10 Incidents> 10 Incidents
From: 2004 CSI/FBI Computer Crime and Security Survey
Page 158 Oct 2004
How many incidents from Inside?
0%
10%
20%
30%
40%
50%
60%
1999 2000 2001 2002 2003 2004
1 - 5 Incidents6 - 10 Incidents> 10 Incidents
From: 2004 CSI/FBI Computer Crime and Security Survey
Page 168 Oct 2004
SOC IDS Activity
Statistics for 1st Oct 2004:• 238155 IDS log entries• 42578 runs of portscanning activities• 12908 incidences of Windows/SMB
traffic anomaly• 209 accesses to our honeypot
Page 178 Oct 2004
SOC Network VA Statistics
As on 8th Oct 2004:• 37 machines denied network access
(due to enforcement)• 185 critical vulnerabilities unfixed
Page 188 Oct 2004
Security Lab
• Objective:– Enable learning and experimentation relating to IT
Security– Setting up experiments and playground for anyone
interested in IT Security– Activities relating to SIG^2 NUS Chapter
• Servers, desktop computers and network equipment
• Look out for upcoming news