Information and
Security
Topics
The Need for Security
January 2001 - Microsoft
Lab 2 : Passwords
Launched a $200 million advertising
campaign Monday touting reliability of its
software.
Domain 1: General Security Concepts
“Trust No One.”
- The X-Files
What Happened
Within 3 days...
Your Employees...
Hackers conduct denial of service
attacks, blocking people out of
Microsoft.com, MSNBC.com and
Hotmail.com.
Case Study
Online Gambling
In addition, during the recovery phase,
there was a 22 hour lock out...
By an employee error
Online Gambling
Gambling is tightly controlled by various
government agencies.
It is illegal in many locations
The Internet is changing all that
Security Horror Story...
Software Demo
Password Recovery
Office allows for passwords on
documents
How good is it?
Video: 60min Online Gambling
Office Password Recovery
performs brute force recovery
tests every combination
What did you think?
Let's test it...
Office Passwords
Business Needs First
Chapter 2
The Need for Security
Our bad neighbor makes us early stirrers,
Which is both healthful and good husbandry.
-- William Shakespeare (1564–1616)
King Henry, in Henry V, act 4, sc. 1
Enabling the Safe Operation of Applications
ƒ Organization need environments that safeguard
applications using IT systems
ƒ Management must continue to oversee infrastructure
once in place—not defer to IT department
ƒ
Information security performs four important functions
for an organization
ƒ
Protects ability to function
ƒ
Enables safe operation of applications implemented on
its IT systems
ƒ
Protects data the organization collects and uses
ƒ
Safeguards technology assets in use
Protecting Data that Organizations Collect and Use
ƒ Organization, without data, loses its record of transactions
and/or ability to deliver value to customers
ƒ Protecting data in motion and data at rest both critical
aspects of information security
Protecting the Functionality of an Organization
ƒ Management (general and IT) responsible for
implementation
ƒ Information security is both management issue and
people issue
ƒ Organization should address information security in
terms of business impact and cost
Safeguarding Technology Assets in Organizations
ƒ Organizations must have secure infrastructure services
based on size and scope of enterprise
ƒ Additional security services may be needed as
organization expands
ƒ More robust solutions may be needed to replace security
programs the organization has outgrown
Threats
Threats (continued)
ƒ Threat: an object, person, or other entity that represents a
constant danger to an asset
ƒ The 2004 CSI/FBI survey found:
ƒ Management must be informed of the different threats
facing the organization
ƒ By examining each threat category, management
effectively protects information through policy, education,
training, and technology controls
ƒ 79 percent of organizations reported cyber security
breaches within the last 12 months
ƒ 54 percent of those organizations reported financial losses
totaling over $141 million
Threats to Information Security
Acts of Human Error or Failure
Acts of Human Error or Failure (continued)
ƒ Includes acts performed without malicious intent
ƒ Employee mistakes can easily lead to:
ƒ Causes include:
ƒ Inexperience
ƒ Improper training
ƒ Incorrect assumptions
ƒ Employees are among the greatest threats to an
organization’s data
Figure 2-1 – Acts of Human Error or
Failure
ƒ Revelation of classified data
ƒ Entry of erroneous data
ƒ Accidental data deletion or modification
ƒ Data storage in unprotected areas
ƒ Failure to protect information
ƒ Many of these threats can be prevented with controls
Compromises to Intellectual Property
Deliberate Acts of Espionage or Trespass
ƒ Intellectual property (IP): “ownership of ideas and control
over the tangible or virtual representation of those ideas”
ƒ Access of protected information by unauthorized individuals
ƒ The most common IP breaches involve software piracy
ƒ Two watchdog organizations investigate software abuse:
ƒ Software & Information Industry Association (SIIA)
ƒ Business Software Alliance (BSA)
ƒ Enforcement of copyright law has been attempted with
technical security mechanisms
ƒ Competitive intelligence (legal) vs. industrial
espionage (illegal)
ƒ Shoulder surfing occurs anywhere a person accesses
confidential information
ƒ Controls let trespassers know they are encroaching on
organization’s cyberspace
ƒ Hackers uses skill, guile, or fraud to bypass controls
protecting others’ information
Deliberate Acts of Espionage or Trespass
Deliberate Acts of Espionage or Trespass
(continued)
(continued)
ƒ Expert hacker
ƒ Unskilled hacker
ƒ Develops software scripts and program exploits
ƒ Many more unskilled hackers than expert hackers
ƒ Usually a master of many skills
ƒ Use expertly written software to exploit a system
ƒ Will often create attack software and share with others
ƒ Do not usually fully understand the systems they hack
Deliberate Acts of Espionage or Trespass
(continued)
ƒ Other terms for system rule breakers:
ƒ Cracker: “cracks” or removes software protection
designed to prevent unauthorized duplication
Deliberate Acts of Information Extortion
Deliberate Acts of Sabotage or Vandalism
ƒ Attacker steals information from computer system and
demands compensation for its return or nondisclosure
ƒ Attacks on the face of an organization—its Web site
ƒ Commonly done in credit card number theft
ƒ Threats can range from petty vandalism to organized
sabotage
ƒ Web site defacing can erode consumer confidence,
dropping sales and organization’s net worth
ƒ Phreaker: hacks the public telephone network
ƒ Threat of hacktivist or cyber-activist operations rising
ƒ Cyber-terrorism: much more sinister form of hacking
Figure 2-5 - Cyber Activists Wanted
Deliberate Acts of Theft
Deliberate Software Attacks
ƒ Illegal taking of another’s physical, electronic, or
intellectual property
ƒ Malicious software (malware) designed to damage,
destroy, or deny service to target systems
ƒ Physical theft is controlled relatively easily
ƒ Includes viruses, worms, Trojan horses, logic bombs,
back doors, and denial-of-services attacks
ƒ Electronic theft is more complex problem; evidence of
crime not readily apparent
Forces of Nature
Deviations in Quality of Service
ƒ Forces of nature are among the most dangerous threats
ƒ Includes situations where products or services not
delivered as expected
ƒ Disrupt not only individual lives, but also storage,
transmission, and use of information
ƒ Organizations must implement controls to limit damage
and prepare contingency plans for continued operations
ƒ Information system depends on many interdependent
support systems
ƒ Internet service, communications, and power irregularities
dramatically affect availability of information and systems
Internet Service Issues
ƒ Internet service provider (ISP) failures can considerably
undermine availability of information
ƒ Outsourced Web hosting provider assumes responsibility
for all Internet services as well as hardware and Web site
operating system software
Communications and Other Service
Provider Issues
Power Irregularities
ƒ Commonplace
ƒ Other utility services affect organizations: telephone,
water, wastewater, trash pickup, etc.
ƒ Loss of these services can affect organization’s ability to
function
ƒ Lead to fluctuations such as power excesses, power
shortages, and power losses
ƒ Organizations with inadequately conditioned power are
susceptible
ƒ Controls can be applied to manage power quality
Technical Hardware Failures or Errors
Technical Software Failures or Errors
ƒ Occur when manufacturer distributes equipment
containing flaws to users
ƒ Purchased software that contains unrevealed faults
ƒ Can cause system to perform outside of expected
parameters, resulting in unreliable or poor service
ƒ Some errors are terminal; some are intermittent
Attacks
ƒ Combinations of certain software and hardware can
reveal new software bugs
ƒ Entire Web sites dedicated to documenting bugs
Table 2-2 - Attack Replication
Vectors
ƒ Antiquated/outdated infrastructure can lead to unreliable,
untrustworthy systems
ƒ Proper managerial planning should prevent technology
obsolescence; IT plays large role
Attacks (continued)
ƒ Malicious code: includes execution of viruses, worms,
Trojan horses, and active Web scripts with intent to
destroy or steal information
ƒ Act or action that exploits vulnerability (i.e., an identified
weakness) in controlled system
ƒ Accomplished by threat agent which damages or steals
organization’s information
Technological Obsolescence
New Table
ƒ Hoaxes: transmission of a virus hoax with a real virus
attached; more devious form of attack
ƒ Back door: gaining access to system or network using
known or previously unknown/newly discovered access
mechanism
Attacks (continued)
Attacks (continued)
ƒ Password crack: attempting to reverse calculate a
password
ƒ Denial-of-service (DoS): attacker sends large number of
connection or information requests to a target
ƒ Brute force: trying every possible combination of options
of a password
ƒ Dictionary: selects specific accounts to attack and uses
commonly used passwords (i.e., the dictionary) to guide
guesses
Attacks (continued)
Figure 2-9 - Denial-of-Service
Attacks
ƒ Target system cannot handle successfully along with
other, legitimate service requests
ƒ May result in system crash or inability to perform
ordinary functions
ƒ Distributed denial-of-service (DDoS): coordinated stream
of requests is launched against target from many
locations simultaneously
Figure 2-11 - Man-in-the-Middle
ƒ Spoofing: technique used to gain unauthorized access;
intruder assumes a trusted IP address
ƒ Man-in-the-middle: attacker monitors network packets,
modifies them, and inserts them back into network
ƒ Spam: unsolicited commercial e-mail; more a nuisance
than an attack, though is emerging as a vector for some
attacks
Attacks (continued)
ƒ Mail bombing: also a DoS; attacker routes large quantities
of e-mail to target
ƒ Sniffers: program or device that monitors data traveling
over network; can be used both for legitimate purposes
and for stealing information from a network
ƒ Social engineering: using social skills to convince people
to reveal access credentials or other valuable information
to attacker
Attacks (continued)
ƒ “People are the weakest link. You can have the best
technology; firewalls, intrusion-detection systems,
biometric devices ... and somebody can call an
unsuspecting employee. That's all she wrote, baby. They
got everything.” —Kevin Mitnick
ƒ “Brick attack”: best configured firewall in the world can’t
stand up to a well-placed brick
Attacks (continued)
ƒ Buffer overflow: application error occurring when more
data is sent to a buffer than can be handled
ƒ Timing attack: relatively new; works by exploring contents
of a Web browser’s cache to create malicious cookie
Setting Password Complexity
Log in as administrator
Administrative Tools
Local Security Policy
Account Policies
Password Policy
Passwords must meet complexity reqs
Enable
Log Off Administrator
Logon on as User1
Change Password
What happens?
Run As Command
It is best if the administrator uses a
normal account, and then use the Run
As command to do administration work.
Log in as User 2
Try to open Local Security Policy
Shift/Right Click on Local Security Policy
Select Run As
Log in as Administrator
Hands On Security+
Lab 2: Passwords
Preventing Display of Last Login
Log in as administrator
Administrative Tools
Local Security Policy
Security Options
Do not display last name in login ...
Enable
Log Off Administrator
Ctrl-Alt-Del to login
What happens?
Setting Password Length
Log in as administrator
Administrative Tools
Local Security Policy
Account Policies
Password Policy
Minimum Password Length
Set Length to 9
Log Off Administrator
Logon on as User1
Change Password
What happens?
Account Lockout Policy
Log in as administrator
Administrative Tools
Local Security Policy
Account Policies
Account Lockout Policy
Account Lockout threshold
Set to 3
Lockout Duration and Reset
Log Off Administrator
Use the wrong password for User2
What happens?
1.4 Attacks
Security+
Domain 1: General
Security Concepts
Active
Passive
Password
Malicious Code
Cryptographic
DoS/DDos
DDoS
Denial of Service Attack
Single / Distributed
Buffer Overflows
Very Common
Prevent access to services
Resource Consumption
Demo: buffer.cpp
Malformed Packets
SYN Attacks
Spoofing
Faking Return Address
Used to prevent trace back
Also used in Denial of Service
What can be spoofed
IP, MAC, User, Date...
Anything...
URL Spoofing
Capture another page
Man in the Middle Attacks
URL Spoofs
Misspellings
aool.com
Similar names
Mdonalds.com
Assumed Names
Dole96.org
Other Domains
nasa.com
Others
Replay
Point user to Attacker Site
DNS poisoning
Pump Search Engine
TCP/IP Hijacking
Wardialing
http://microsoft.com
http://microsoft.com@attack.com
Wardriving
Dumpster Diving
1.6 Social Engineering
1.7 Vulnerability Scanning
Password Attacks
Just Ask Them
Find open ports and services
Brute Force
Kevin Mitnick
Can use used by
System Administrators
Secure Systems
Attackers
Find Weaknesses
Dictionary Based
Pizza - 1997
Schwan's targets Kraft
Need Production Information
Posed as reporter, student...
300,000 pizzas a day
1.5 Malicious Code
Malware
Virus
Trojan Horse
Logic Bombs
Worms
Back Door
Examples
Office Password Recovery
Sniffing
Viruses
Parasitic
Bootstrap sector
Multi-partite
Companion
Link
Data file (Macro)
Some Statistics
NCSA: 1 Billion a year
$800 per infected computer
$10 per computer
Every Fortune 500 has reported
1 in 300 emails contains virus
More Statistics
Viruses
One Report
200+ new viruses a month
Costs: $16,000 in lost data and
productivity
Code fragment that attaches to a larger
program
Norton
3 new Viruses a day
Replicates
Is not independent
Destructive Payload
Symantec virus spread program
Memory Resident
File Infection
Worms
Independent program
Duplicates itself
Spreads to other systems
Trojan Horses
FLAG.EXE
Says it does one thing, but really does
something else
Program to display the US flag and
Play the National Anthem
Steal passwords, files, etc
On RBBS systems, would look for the
Master Password file
Stand alone
Copy Password file to FLAG.BAS in the
Downloading Area
Trap Doors
Spoofs
Back door, bypass security
Tricks users into giving away info
Removed before shipment
Tricks them into thinking their system is
under attack
Leaves very big hole in system
Typically lead to a supervisor state and
bypass normal audit trails
Bombs
Code planted deep in system
Logic Bomb, Time bomb
Typical
Dec 31
"Employee # not in Payroll File"
Used in commercial programs
for copy protection and lease
Protecting
Boot from known floppy
Install only licensed software
Don't install if package was opened
Don't install software from home
Install only needed software
Be careful with downloads
Run against virus scanner before
installing
Backups
Remedies
Anti-virus programs
Melissa - MS Word Macro Virus
In Depth
Spyware monitors
Firewalls
Keep them up to date!
Melissa - Secondary Effect
Melissa Timeline
Saturday, March 27 , AM
Researchers discover that the virus
includes traceable identification
numbers (GUIDs).
Phar Lap Software's Richard M. Smith
reverse-engineers an IP address from
Melissa's GUID.
The Melissa Macro
Virus
Melissa Timeline
Friday, March 26, AM
Melissa Timeline
Friday, March 26, PM
Posted to alt.sex message board,
allegedly by skyrocket@aol.com.
Infects U.S. companies, swamping
e-mail systems.
Named 'Melissa,' after comments by
'Kwyjibo' found inside the virus.
National Infrastructure Protection Center
notified of Melissa.
Anti-virus firms believe Melissa
originated in Western Europe.
Anti-virus companies call it the most
prolific virus -- ever.
Melissa Timeline
Saturday, March 27 , PM
FBI warns U.S. organizations to watch
out for Melissa on Monday.
More U.S. companies hit. Some
companies revert to paper, rather than
e-mail, warnings
Melissa Timeline
Monday, March 29 , AM
Many IT departments stop the virus.
An Excel strain of Melissa, nicknamed
Papa, surfaces.
The FBI launches a manhunt for
Melissa's creator.
Melissa Timeline
Monday, March 29 , PM
Traced to SkyRocket on AOL and
Source of Kaos, a Web site run by
VicodinES, a 'retired' virus writer.
Melissa Timeline
Tuesday, March 30, AM
Source of Kaos site is unplugged.
Many IT workers report that they have
contained the virus
Owner of the SkyRocket account says
he is not Melissa's creator.
Kaos' site hasn't been active
Melissa Timeline
Thursday, April 1, AM
AOL is presented with a court order from
a state judge in New Jersey requesting
information concerning the Melissa
virus.
Final Results
How much is your time worth? If you're
David Smith, creator of the Melissa
virus, it's apparently worth a whopping
$4 million a month. Smith was
sentenced in a New Jersey courtroom
on May 1, 2002, receiving only twenty
months in Federal prison and a $5,000
fine for creating and distributing the virus
which is estimated to have caused $80
million in damage.
Melissa Timeline
Thursday, April 1, PM
New Jersey police arrest
David L. Smith, 30, of
Aberdeen on charges of
originating the Melissa virus
outbreak. New Jersey's attorney general
says Smith was snared with the help of
AOL technicians.
Melissa Timeline
Tuesday, March 30, PM
New variants of Melissa are reported in
the wild.
The FBI seizes Source of Kaos' Web
server in Orlando, Fla. Also talks to
Source of Kaos's Roger Sibert -- asking
questions about the whereabouts of
VicondinES
Melissa Timeline
Friday, April 2, AM
David Smith, described as a 'computer
guy,' is released on $100,000 bail.
Faces 40 years, $480,000 fines
Got: $5,000 and 20 months
Video: Melissa
Windows vs. Linux
October 2004
Steve Balmer talks about Windows and
Linux Security.
What do you think?
Do you think anything has changed over
the past 2 years?
End of Presentation