Beyond Security Awareness!
ALAN PALLER
APALLER@SANS.ORG
THE SANS INSTITUTE
The Public Is Awakening
editorial on Jan 26
Why the 'China virus' hack at US energy
companies is worrisome
by John Yemma, Editor

“The stakes in the global cyberwar are at least as high as
those in the global war on
terror.”
2
Four years building to public outrage

August 29, 2005: Titan Rain

August 17, 2006: Gen. Lord Confirms
3
Major General William Lord
“China has downloaded 10 to 20 terabytes
of data from the NIPRNet”
“They’re looking for your identity so they
can get into the network as you,”
“There is a nation-state threat by the
Chinese.”
Maj. Gen. William Lord, director of information, services
and integration in the Air Force’s Office of Warfighting
Integration and Chief Information Officer
August 21, 2006 Government Computer News “Red Storm Rising”
October 6, 2006: Commerce BIS Division
The federal government's Commerce Department admitted Friday
that heavy attacks on its computers by hackers working through
Chinese servers have forced the bureau responsible for granting
export licenses to lock down Internet access for more than a month.
4
Four years building to public outrage
Dec 1, 2007: 300 British Companies
Apr 8, 2009: The Grid
5
Four years building to public outrage
January 15, 2010
Google & more
January 25, 2010: Oil Companies
6
The Big One We’ve Been Expecting
7
How Do These Attacks
Threaten You?
YOUR BANK ACCOUNT
YOUR BROKERAGE ACCOUNT
YOUR PEACE OF MIND
YOUR JOB SECURITY
8
Your Bank Account
9
 Attacker: Opens accounts in most banks
 You: Get your machine infected (we’ll come back to




how you did that)
Attacker: Installs keystroke logger
You: Visit your bank site and sign on
Attacker: Captures your keystrokes; sends the data
to his server; signs on to your account; moves money
to his account in the same bank; takes your money
away
Big difference: personal account; business account
9
Your brokerage account
10
 Attacker: Buys a lot of shares in a penny stock
 You: Get your machine infected (we’ll come back to




how you did that)
Attacker: Installs keystroke logger
You: Visit your brokerage site and sign on
Attacker: Captures your keystrokes; sends the data
to his server; signs on to your account; sells your
shares; uses your money to buy the penny stock
causing the price to rise sharply; moves money to his
account in the same bank; takes your money away.
Called pump & dump
10
Your Peace of Mind
11
 You: Get your machine infected (we’ll come back to how




you did that)
Attacker: Installs attack software or denial of service tool or
spam generation tool
Attacker attempts to penetrate DoD using your computer,
or denies service to a commercial site using your computer,
or sends out 300,000 spam messages.
At 3 AM one night, the FBI knocks on your door asking why
you are attacking DoD, or attacking a commercial web site,
or sending spam.
An event you don’t forget.
11
Your Job Security
12
 You: Get your machine infected (we’ll come back to




how you did that) – especially by the Chinese
The attacker waits until you use your credentials to
sign on to DoE’s systems.
The attacker uses your access to gather data, infect
other systems, and leave back doors.
The attack is discovered and traced to your machine.
You are asked to explain why you signed into DoE
with an infected system – your answer affects your
career
12
How Did Your System Get
Infected?
13
Places
youthe
visit
… and
big one: Application Attacks
January: 87,000 web14 sites infected and
infecting visitors who trusted them.
14
Email with attachments
15
 Osama was captured this morning – see attached




pictures of him in custody
The Department has just agreed to a 14% cutback in
staff, the attached spreadsheet shows which groups
are going to have to give up the most positions
Britney Spears caught in an embarrassing position
Give money to victims of the Pakistan flood
Many, many more.
15
Email you respond to
16
Spear Phishing - Victims being attacked
while doing what they should be doing
What’s wrong with this hypertext url?
http://www.microsoft.com/security
16
How Spear Phishing works
17
 An e-mail arrives from your
security officer saying:
“ Microsoft has given us a heads-up about a major new
vulnerability. They won’t be making the patch public until
tomorrow but have offered us early access to the patches.
Before you leave work today go to the following Microsoft
site and download the new patch
http://www.microsoft.com/security/alertwindows.mspx
17
18
Why it went to the wrong place: html
code was actually:
<a href="http://www.hackersite.com">
http://www.microsoft.com/security/alertwindows.mspx </a>
Would it have fooled anyone in your
organization?
18
Setting the stage
Subcommittee on
Emerging Threats, Cybersecurity, and
Science and Technology
April 17, 2007 Chairman: Jim Langevin
"We don't know who's inside our networks. We don't
know what information has been stolen. We need to
get serious about this threat to our national security."
 State Dept witness: Don Reid, Senior
Coordinator for Security Infrastructure
 Commerce Dept witness: Dave Jarrell,
Manager, Critical Infrastructure Protection
Program
19
Two responses
Commerce
State
1. No idea when it got it in,
how it got in, or where it
spread
1. Detected it immediately
2. Took 8 days to filter
(ineffective)
3. Unable to clean the
systems; forced to replace
them
4. Do not know whether they
have found or gotten rid
of the infections
2. Put effective filter in place
within 24 hours; shared
filter with other agencies
3. Found two zero-days
4. Helped Microsoft and AV
companies create
patches and signatures
5. Cleaned infected systems,
confident all had been
found
20
What was the difference?
 Was it tools? No
 Almost same commercial tools – Commerce had
more commercial IPS/IDS
 Was it skills? Yes
 Commerce – only experience was firewall operations
not even firewall engineering. No training other than
prep for Security + and later for CISSP
 State – experience and training in forensics,
vulnerabilities and exploits, deep packet inspection,
log analysis, script development, secure coding,
reverse engineering. Plus counter intelligence. And
managers with strong technical security skills.
21
Which skills matter most?
 Security skills:
 System forensics; network forensics and deep packet
inspection; Windows, UNIX, and PDA defensive configuration;
log analysis; script development; exploits and penetration
testing; secure coding; reverse engineering. Plus counter
intelligence.
 Foundations:
 Networking and network administration; computer
operations and system administration; Java and C/C+
programming including the 25 most dangerous
programming errors
22
Is Any Country Investing In
Developing These Skills?
Wicked Rose
Key weapons in future wars will be
people with advanced, technical
cyber security skills
23
Where do we find the people
with skills?
1. Pathways to Professionalism – A Federal
Initiative
Security officers may continue in their positions
after one year only if they master one of four
key technical areas in security.
2. The US Cyber Challenge
24
Can the Cyber Challenge Find Highly
Talented Young People?
25
Q. You're in your senior year in high school -- had you
already taken computer courses at school?
A. I enrolled to take Introduction to Programming this
year, but they cancelled it; they couldn't find a
suitable teacher.
Q. How do people demonstrate and test their skills if
they do not have the opportunity to play in the
NetWars rounds?
A. There aren't many options for kids with lots of cyber
skill to be able to exercise and further develop those
skills. Most would just simply target random servers
and hack illegally, so it was great that I found
NetWars.
26
Who is supporting the US Cyber
Challenge?
FBI
NSA
DHS
27
Seven Levels
Cyber Foundations
Cyber Patriot Cyber Defense
Competition
The Security Treasure Hunts
NetWars
The Cyber Camps
Collegiate Cyber Defense Leagues
Internships and Scholarships
28
Questions?
29