Chapter 1: A Framework
Name: Tim Simmons
E-Mail: tim.simmons@us.army.mil; timothy.simmons@freenet.de

Test Your Understanding

2. a) In the Riptech data, how many times is the average firm attacked each year?
   A: At an annual rate of 1,000 times per year.

   b) What percent of all firms experienced a highly aggressive attack in the first half of 2002?
   A: “Twenty-three percent of all firms examined experienced at least one sophisticated aggressive attack in the first 6 months of 2002.”

   c) Are most attacks targeted at specific firms?
   A: No. Only 39% of all the attacks were directed at specific firms; the rest appeared to be random attacks based on the firm’s IP address range.

   d) Why are sophisticated aggressive attacks especially dangerous?
   A: Because of their sophistication, sophisticated aggressive attacks are 26% more likely to cause severe damage to networks and computer systems than other, less sophisticated aggressive attacks.

   e) In the SecurityFocus data, how many times is the average firm probed each year?
   A: There was an average of 13,000 network scanning probe packets per firm each year.

   f) How many times is the average firm’s website attacked each year?
   A: There was an average of 3,000 website attack packets per firm each year.

   g) How many times is the average firm subjected to denial-of-service attack packets each year?
   A: The average firm was subject to 600 denial-of-service attack packets each year.

   h) Which operating systems are attacked frequently?
   A: According to this study, all popular operating systems are attacked frequently, although the study speaks only of data that was collected on Microsoft Windows, UNIX/LINUX, and Cisco’s OS.

   i) In the Honeynet Project data, how quickly were Windows 98 PCs with open shares and without passwords taken over?
   A: According to this project, this configuration, which happens to be the common configuration of most home networks, must not have taken the attackers much time at all to compromise. These systems were compromised five times in 4 days.

   j) Were LINUX PC servers safe from attack?
   A: No. Although it took the attackers longer, the Red Hat 6.2 LINUX PC server with default configurations took only three days to compromise.

3. a) Describe the four ways in which tomorrow’s security threats will be worse than today’s.
   A:
   a. The frequency of attacks is growing – in 2 years we can expect four times as many incidents.
   b. The randomness in victim selection will grow – where earlier attacks were aimed at specific firms, today’s attacks are equivalent to someone shooting a gun into a crowd of people.
   c. Growing malevolence – the malicious payloads that viruses and worms carry with them today show a rapidly growing readiness and eagerness to do damage during attacks.
   d. Growing attack automation – viruses and related attacks are not merely a category of attack. They represent a trend toward attack automation through the creation of attack robots that spread rapidly using exploits and approaches formerly used by individual attackers.

   b) Should we plan based upon current experiences? Explain.
   A: No. Although the situation today is bad, today’s threat environment should not be the basis for planning.

9. a) What are the goals of both cyberwar and cyberterror?
   A: The goals of both cyberwar and cyberterror are to attack governments or nongovernmental groups, respectively, focusing on a country’s IT infrastructure and its physical infrastructure; in the latter case the attackers may use computers to assist in the physical attack.

   b) Distinguish between cyberwar, cyberterrorism, and amateur information warfare.
   A: The difference between cyberwar, cyberterrorism, and amateur information warfare lies in the groups that carry them out. Cyberwar and cyberterrorism will more than likely have better funding and organization, either through governmental or terrorist organizations. Amateur information warfare is carried out by individual amateur attackers or small groups of amateurs.

   c) What implications do cyberterror and cyberwar have for corporate IT security planning?
   A: Given that the cost of damage caused by information warfare conducted by individual amateurs alone was in the billions of dollars, this should be considered a very large threat and should be given a much higher priority when it comes to security policy development and planning (part of PPR).

15. a) What do firewalls do?
    A: Firewalls are designed to keep attacker messages out of the company’s internal private network while still allowing messages from authorized users to get through. The firewall examines every packet that enters or leaves the network; if it detects the signature of an attack message, it drops the packet. Otherwise the packet is allowed to pass through to the internal network.

    b) What do IDSs do?
    A: Like a firewall, an IDS reads each arriving or outgoing packet looking for attack signatures. However, it takes no action on the packets it examines beyond storing copies of packets for later forensic analysis and warning the network administrator.

    c) Why must servers be hardened?
    A: Because of the known vulnerabilities of default configurations, hackers are given a playing field in which they could very well damage the entire network if those known vulnerabilities are not closed and the security patches that fix those problems are not installed.

    d) What are known vulnerabilities?
    A: Known vulnerabilities are those vulnerabilities that exist in lots of PC configurations which are installed with default settings and that are known to exist by the attackers.

    e) How are they addressed?
    A: By properly setting up servers by “hardening” them and ensuring that the latest security patches are installed rapidly when they come out.

    f) What probably is the single most important thing that companies can do to improve their security?
    A: Patching host software with the latest patches.

21. a) Why is misconfiguration easy to do?
    A: Misconfiguration is easy to do because the configurations of firewalls and other security tools are tricky and somewhat difficult. It is important and critical that this be done very meticulously.

    b) Why is it necessary to update firewalls and other protections?
    A: Because the threats never stay the same and change constantly. So it is important to make sure that the security tools you are using are not only configured correctly but also updated regularly.

    c) What do security audits do?
    A: The configuration of security tools is so complicated that security audits are needed; these are intentional attacks that test the security features to make sure that they are working.

    d) Why are security audits necessary?
    A: Because of the number of misconfigurations and other failures that are encountered by these intentional attacks. This gives the IT specialists and system administrators a chance to fix or patch any leaks in the security system.

Thought Questions

1. Why do you think most people focus on security technology rather than on corporate security management?
   A: Too many people rely on technology to do the tough jobs for them these days. After all, isn’t that what it says on the product’s packaging: “Once installed you are safe from …. attacks.”

2. The Riptech and SecurityFocus data indicate that the average firm is attacked thousands of times per year. Yet only a moderate percentage of people who responded to the CSI/FBI survey reported incidents. Explain this apparent inconsistency.
   A: I think it is because of the way the data was collected. In the CSI/FBI survey, many attacks are not detected in the average firm. On the other hand, Riptech and SecurityFocus collected their data from the log files produced by the firewalls when they drop suspect attack packets. It is only right that Riptech and SecurityFocus have a more accurate account of the attacks that happen at any given time.

3. Create three corporate security policies. These policies should be specific. Otherwise, there would be ambiguity in their application.
   A: That is true; it is very easy to misinterpret what is written in some policies when they are not very specific. They should be dummy-proof.

4. After the September 11 disaster, National Guard troops were stationed at U.S. airport checkpoints. In Pennsylvania, at least, the troops were not allowed to load their weapons, and loading them would take several seconds. What were the risks involved in loading weapons versus leaving weapons unloaded?
   A: Load the weapons: The worst thing that could have happened would have been an accidental discharge – which is known to happen. Leave the weapons unloaded: Those precious seconds could make a difference when having to react quickly to any situation.

5. During the height of the September 11, 2001 crisis, a hacker group called Yihat (Youth Intelligent Hackers Against Terrorism) broke into a Saudi Arabian bank and hacked a server to seek evidence that terrorists were using the bank. They copied at least a spreadsheet file. The group’s goal was not to harm the bank but to look for terrorists. The bank used no firewall and configured the server for easy outside access. Comment on this.
   A: At first it sounds like a bank that I will never use. But looking closely, it looks like more than just a bank with a terrible system administrator/analyst. It looks as if this type of outside access is condoned. Maybe this bank was allowing this type of access either because it had no real online banking system that allows some type of read-only access, or it was allowing terrorists a way to use as much money as they needed for the funding of Jihad.

Troubleshooting Question

1. You put a firewall between your company and the Internet.
   a) Argue for putting the IDS on the Internet side of the firewall.
   b) Argue for putting the IDS on the side of your firewall going to the internal network.
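To make answers 15a and 15b and the troubleshooting question concrete, here is a toy model added by the editor (not from the textbook or this answer sheet): the firewall drops and logs signature matches, an IDS only copies and alerts, and running the same constructed traffic past an IDS on each side of the firewall shows what each placement would record. The signatures, addresses and payloads are constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed signatures (not from the textbook), substring -> label.
ATTACK_SIGNATURES = {"cmd.exe": "command-shell request", "../../": "directory traversal"}
Packet = namedtuple("Packet", "src dst payload")


@dataclass
class IDS:
    """Answer 15b: reads every packet, keeps a copy of suspect ones and warns the
    administrator, but never drops anything; the packet continues unchanged."""
    name: str
    alerts: list = field(default_factory=list)

    def inspect(self, pkt):
        for sig, label in ATTACK_SIGNATURES.items():
            if sig in pkt.payload:
                self.alerts.append((self.name, label, pkt.src, pkt.payload))
        return pkt


def firewall(pkt, drop_log):
    """Answer 15a: a packet carrying an attack signature is dropped and logged
    (such drop logs are where the Riptech/SecurityFocus counts in Thought
    Question 2 come from); every other packet passes to the internal network."""
    if any(sig in pkt.payload for sig in ATTACK_SIGNATURES):
        drop_log.append(pkt)
        return None
    return pkt


def simulate(packets):
    """Send traffic past an IDS on the Internet side, then the firewall, then an
    IDS on the internal side, and report what each component recorded."""
    outside, inside, dropped, delivered = IDS("outside"), IDS("inside"), [], []
    for pkt in packets:
        outside.inspect(pkt)        # Internet side: sees all traffic, dropped or not
        passed = firewall(pkt, dropped)
        if passed is not None:
            inside.inspect(passed)  # internal side: sees only what the firewall let in
            delivered.append(passed)
    return {"outside_alerts": outside.alerts, "inside_alerts": inside.alerts,
            "dropped": dropped, "delivered": delivered}


# Constructed sample traffic: one ordinary request and two signature hits.
SAMPLE = [
    Packet("203.0.113.5", "10.0.0.8", "GET /index.html"),
    Packet("203.0.113.9", "10.0.0.8", "GET /scripts/cmd.exe"),
    Packet("198.51.100.2", "10.0.0.8", "GET /../../etc/passwd"),
]
```

Running `simulate(SAMPLE)` shows the outside IDS alerting on both suspect packets while the inside IDS sees none of them, which is the trade-off the troubleshooting question asks you to argue: visibility of everything aimed at you versus alerts only on what actually got past the firewall.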