Security Threats, #1 4-May 2004
Security Threats in the Internationally Networked World
David Thompson
Harris Corporation
321-984-5799
Who am I?
• Started my career at NSA in 1979
• Worked in Information Assurance for multiple companies over the years
• 9 years at DARPA
• Contributing Editor at eWeek
• Currently lead the Harris Information Assurance Center of Excellence
  – Focused on providing IA solutions for many US government programs
Information Protection Today
• It’s Tombstone, Arizona in the 1880s
  – Very little protection provided by law enforcement
  – Everyone carries their own gun for protection
  – The criminals prey on the weak
• How do you protect yourself from a pervasive international threat that operates outside jurisdictions, but can reach into your living room?
The Language of Threats
• threat n.
  1. An expression of an intention to inflict pain, injury, evil, or punishment.
  2. An indication of impending danger or harm.
  3. One that is regarded as a possible danger; a menace.
The Language of Threats
• risk n.
  1. The possibility of suffering harm or loss; danger.
  2. A factor, thing, element, or course involving uncertain danger; a hazard: “the usual risks of the desert: rattlesnakes, the heat, and lack of water” (Frank Clancy).
  3. One considered with respect to the possibility of loss: a poor risk.
The Language of Threats
• mitigation n.
  1. The act of mitigating, or the state of being mitigated; abatement or diminution of anything painful, harsh, severe, afflictive, or calamitous; as, the mitigation of pain, grief, rigor, severity, punishment, or penalty.
The Language of Threats
• Threats derive from the actions (intentional or unintentional) of others that could inflict harm upon you
• Risks encompass the harm that could be inflicted upon you if you do not take action
• Mitigations are the actions you take to protect yourself from risk
• The Bottom Line: You are the one who will suffer harm, and you are responsible for protecting yourself
The Nature of the Threat
• Threats come from people, not technologies
• There are a few categories of threats, but the techniques used number in the thousands
• Hackers – Amateurs who break into systems for fun, vandalism or theft
• Virus Producers – Programmers that produce self replicating programs intended to move between systems without authorization
• Spies – Professionals that break into systems with the intent of removing information of value
• Users – Authorized system users that cause disruption through intent or error
• White Hats – Professionals who break into systems to test security
The Nature of the Threat
HACKERS
Kevin Mitnick
• Born August 6, 1963
• Arrested by the FBI, February 15, 1995
• Held for 4 ½ years without a bail hearing due to concern of capability to execute weapons system control from a telephone
• Specialist in telephone hacking (phreaking) and social engineering
• Now CEO of a security consulting company
• Cost of hacking on US business
  • 1995 - $800M
  • 2003 - $2.8B
  • Small businesses suffer the most
The Nature of the Threat
Virus Producers
David Smith
• David Smith released Melissa in March 1999
• It traversed the world in a “rolling wave” following the rising sun
• Smith was arrested in April 1999, received a reduced sentence due to cooperation with the FBI
• Calls Melissa a “Colossal Mistake”
• Melissa (named after a Florida stripper) caused over $80M in damage in 1 day
The Nature of the Threat
Spies
John Walker Jr.
• Ran a “Family Spy Ring” providing information to the Soviet Union for decades
• Brother, Son and Wife were all involved in the espionage
• Was arrested in 1985 and sentenced to life in prison, without parole
• The Walker ring provided encryption keys to the Soviets allowing the monitoring of naval communications
The Nature of the Threat
Users
Typical User
• Experts agree that the vast majority of threats stem from authorized users of the system
• Active attacks against internal systems
• Inadvertent actions that cause damage
  – Release virus
  – Access inappropriate information
  – Violate policy causing embarrassment
• Story – HBL Mercedes in Fairfax Virginia
The Nature of the Threat
White Hats
• Sandia IORTA program
• Information Operations Red Team and Assessments
• Considered the Nation’s premier experts for conducting Red Team assessments on systems
• Don’t Forget – White Hats aren’t there to be your friend, and failing their tests can harm you (unemployment)
Real World Example
Transformational Communications
• Next Generation for military communications
• Based on a geosynchronous constellation of satellite hosted high performance routers
• Provides direct IP connectivity to land, air and sea based assets globally
• Provides direct reach back to information, intelligence and command & control
• Harris providing Information Assurance expertise
TC Operational Environment
Real World Example
TC Connectivity
Real World Example
Portions of military networks (.mil domains) connect to the Internet
Real World Example
Mitigations include multiple layers of firewalls, two factor authentication, channel separation through cryptography
Real World Example
- MS Windows is the dominant OS used by the military
- Viruses can be introduced at any point through communications or software loading
Real World Example
Virus detection is performed at all interfaces, centralized profile updates are performed
Real World Example
Adversaries will attempt to gain information through monitoring satellite signals
- Direct information gain
- Force location
- Traffic analysis
Real World Example
- Multiple levels of encryption are used to mask information
- Low probability of intercept (LPI) antennas used on terminals
Real World Example
- Multiple levels of classified information traverse the network
- User error contributing to exposure is of great concern
Real World Example
Channelization and High Assurance Guards protect against information exposure
Real World Example
- Red Team assessments are required for all government systems
- I am betting my career on getting this right
Conclusions
• There is no such thing as perfect security
• The threat is pervasive and the techniques/vulnerabilities ever changing
• Protections must evolve to meet these changes
• It is the responsibility of the security professionals to provide adequate mitigation to result in acceptable risk
Questions?