Internet Security - Risk Management and Security

Internet Security
Risk Management
and Security
Updated September 22, 2006
Topics
• Risk
– Threat
– Vulnerability
– Event Cost
• Security Myths
• Global Trends
• Addressing Essential not Best
Practices
Risk
• No system is 100% secure
• Get a clear picture
– Assess weaknesses
– Prepare for the probable
– Protect the most critical resources
• Risk management is key to
Internet security
Risk Equation
• Risk = Threat x Vulnerability x
Event Cost
– If Threat = 0, or
– Vulnerability = 0, or
– Event Cost = 0,
– then there is no Risk
Control of Parameters
• Risk = Threat x Vulnerability x
Event Cost
– Vulnerability
• Good Control
– Event Cost
• Some Control
– Threat
• Minimal Control
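A worked risk register built on the deck's equation, added here as an example rather than taken from the presentation. The category scores and mitigation costs are constructed placeholders; the point is to show that a mitigation is compared by how much risk it removes per dollar, and that vulnerability (the factor under the best control) is usually where that money goes.

```python
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class Exposure:
    category: str
    threat: float         # 0-10, how active the attacker is (minimal control)
    vulnerability: float  # 0-10, how exposed the system is (good control)
    event_cost: float     # dollars per successful event (some control)
    def risk(self) -> float:
        # The deck's equation: a zero in any factor makes the risk zero.
        return self.threat * self.vulnerability * self.event_cost

@dataclass(frozen=True)
class Mitigation:
    name: str
    category: str
    parameter: str  # "threat", "vulnerability" or "event_cost"
    factor: float   # multiplier left on that parameter afterwards, 0..1
    cost: float     # dollars to implement

def apply(exposure: Exposure, m: Mitigation) -> Exposure:
    """Scale one factor of the matching exposure; other categories are untouched."""
    if m.parameter not in ("threat", "vulnerability", "event_cost") or not 0 <= m.factor <= 1:
        raise ValueError(f"bad mitigation {m.name!r}")
    if m.category != exposure.category:
        return exposure
    values = asdict(exposure)
    values[m.parameter] *= m.factor
    return Exposure(**values)

def total_risk(register) -> float:
    return sum(e.risk() for e in register)

def reduction_per_dollar(register, m: Mitigation) -> float:
    """Risk removed from the whole register for each dollar spent on m."""
    return (total_risk(register) - total_risk([apply(e, m) for e in register])) / m.cost

def prioritize(register, mitigations):
    """Essential practices first: highest risk reduction per dollar on top."""
    return sorted(mitigations, key=lambda m: reduction_per_dollar(register, m), reverse=True)

# Constructed placeholder scores for four of the deck's categories (not real data).
REGISTER = [
    Exposure("Malicious Code", 9, 6, 100_000),
    Exposure("Electronic (Hacking)", 7, 7, 250_000),
    Exposure("Physical (Theft)", 3, 5, 500_000),
    Exposure("Human Factors", 4, 8, 150_000),
]
MITIGATIONS = [
    Mitigation("Patch and close unused ports", "Electronic (Hacking)", "vulnerability", 0.25, 60_000),
    Mitigation("Encrypt laptop disks", "Physical (Theft)", "event_cost", 0.125, 20_000),
    Mitigation("Daily anti-virus updates", "Malicious Code", "vulnerability", 0.5, 15_000),
    Mitigation("Password policy and awareness", "Human Factors", "vulnerability", 0.5, 10_000),
]
```

Calling `prioritize(REGISTER, MITIGATIONS)` ranks the cheaper, broadly effective controls above the expensive patching effort even though hacking carries the largest raw risk.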
Determine the Risks
• Malicious Code
• Electronic (Hacking)
• Physical
• Down-Time
• Human Factors
• Email
• X-ware
Categories of Risk
• Malicious Code
– Trojans, Viruses, &
Worms
• Electronic
– Port Scanning
– Hacking/Sniffing
– Defacement
– Spoofing
• Physical
– Theft
• Down Time
– Denial of Service attacks
– Power/Natural Disasters
• Human
– Disgruntled employees
– Sticky-notes
• Email
– Spam
– Phishing
• X-ware
– Adware
– Spyware
Malicious Code
Trojans, Viruses, & Worms
Trojan Horse
• A computer program that appears
desirable, but contains a hidden
function that causes damage to
other programs
– Trojan.Vundo
Trojan Horse Threat
• Backdoor Trojans, Threat Rate
– September 1999: 12 per Day
– September 2000: 28 per Day
– March 2001: 122 per Day
Virus
• A computer program that is part of
another and inserts copies of itself.
– It must execute itself. It will often place its
own code in the path of execution of
another program.
– It must replicate itself. For example, it may
replace other executable files with a copy of
the virus infected file. Viruses can infect
desktop computers and network servers
alike.
Types of Viruses
• File Infector
– Jerusalem and Cascade
• Boot Sector
– Form, Disk Killer, Michelangelo, and
Stoned
• Master Boot Record
– NYB, AntiExe, and Unashamed
Types of Viruses
• Multi-partite
– One_Half, Emperor, Anthrax and
Tequila
• Macro
– W97M.Melissa, WM.NiceDay and
W97M.Groov
Worm
• A computer program that invades
computers on a network, replicates
itself to prevent deletion, and interferes
with the host computer’s operation
– This is in contrast to viruses, which require
the spreading of an infected host file.
– W32.Mydoom.AX@mm
Real Threat Rates
• Malicious code is a growing problem—88% of
respondents think that malicious code is
"somewhat worse or much worse" than 2002,
with only 12% stating the situation was "the
same or better" in 2003.
• Malicious code is costing organizations lots of
money—in 2003, disaster recovery costs
increased by 23% to almost $100,000 per
organization per event.
Source: TruSecure, March 22, 2004
Electronic Threats
What is out there waiting for
the opportunity?
Port Scanning
• A port scan is a series of messages
sent by someone attempting to
break into a computer to learn
which computer network services,
each associated with a "well-known" port number, the computer
provides.
– There are 65,536 ports
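The defender's side of the port-scan definition above: a small detector, added as an example (not from the presentation), that reads firewall drop records and flags any source touching many distinct ports on one host inside a short window. The log format, hostnames and sample lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed firewall log format (not from the presentation): one dropped packet per line.
LINE = re.compile(r"^(\S+) DROP src=(\S+) dst=(\S+) dport=(\d+)$")

def parse(line):
    """Return (timestamp, src, dst, port), or None for malformed or out-of-range lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port = m.groups()
    if not 0 <= int(port) <= 65535:  # only 65,536 port numbers exist
        return None
    return datetime.fromisoformat(ts), src, dst, int(port)

def detect_scans(lines, window_seconds=60, min_ports=10):
    """Flag each (src, dst) pair that touches >= min_ports distinct ports within the window."""
    # Lines are assumed to be in time order per source; one alert per pair, raised
    # the moment the threshold is crossed.
    recent = defaultdict(deque)  # (src, dst) -> deque of (timestamp, port), oldest first
    flagged, alerts = set(), []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, port = rec
        q = recent[(src, dst)]
        q.append((ts, port))
        while (ts - q[0][0]).total_seconds() > window_seconds:  # expire entries outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= min_ports and (src, dst) not in flagged:
            flagged.add((src, dst))
            alerts.append({"src": src, "dst": dst, "ports": len(distinct),
                           "first": q[0][0].isoformat(), "last": ts.isoformat()})
    return alerts

# Constructed sample: one source walks ports 20-39 over 20 seconds; another makes
# two ordinary connections plus one malformed line that parse() ignores.
SAMPLE = [f"2006-09-22T10:00:{i:02d} DROP src=203.0.113.5 dst=192.0.2.10 dport={20 + i}"
          for i in range(20)]
SAMPLE += ["2006-09-22T10:00:05 DROP src=198.51.100.7 dst=192.0.2.10 dport=443",
           "2006-09-22T10:00:06 DROP src=198.51.100.7 dst=192.0.2.10 dport=80",
           "2006-09-22T10:00:07 DROP src=198.51.100.7 dst=192.0.2.10 dport=70000"]
```

Tuning `window_seconds` and `min_ports` trades sensitivity to slow scans against false alerts from busy legitimate clients.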
Port Scanning Rates
• Port Scanning Threat Rate
– September 1999: 1 per 6 Days
– January 2000: 1 per Day
– October 2000: 6 per Day
– March 2001: 9 per Day
Web Defacement
• Web site defacement, a form of
malicious hacking in which a Web site is
“vandalized.” Often the malicious hacker
will replace the site’s normal content
with a specific political or social
message or will erase the content from
the site entirely, relying on known
security vulnerabilities for access to the
site’s content.
Web Defacement
• Unicef.org
Web Defacement
• AirTran.com
Real Threat Rates
• Web Defacements Threat Rate
– May 1999: 15 per Day
– October 2001: 61 per Day
– March 2001: 180 per Day
– May 2001: 580 per Day
– May 2002: 900 per Day
Spoofing
• Attempting to masquerade or closely
mimic the URL displayed in a Web
browser’s address bar. Used in phishing
attacks and other online scams to make
an imposter Web site appear legitimate,
the attacker obscures the actual URL by
overlaying a legitimate looking address
or by using a similarly spelled URL.
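A check for the "similarly spelled URL" case above, added as an example and not part of the presentation: it classifies the hostname a browser would display against a small allowlist of legitimate domains, folding commonly substituted characters before measuring edit distance. The allowlist, the confusable map and the naive "last two labels" rule are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist using names the deck mentions; a real deployment would load its own.
LEGITIMATE = {"paypal.com", "unicef.org", "airtran.com"}

# Characters and digraphs commonly substituted to produce a similarly spelled name.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s", "|": "l"})

def fold(host: str) -> str:
    """Normalise confusable characters so 'paypa1' and 'paypal' compare equal."""
    return host.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def levenshtein(a: str, b: str) -> int:
    """Edit distance by the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (adequate for .com/.org here)."""
    return ".".join(host.split(".")[-2:])

def classify(url: str, legitimate=LEGITIMATE, max_distance: int = 1) -> str:
    """Classify the host a user would see in the address bar for this URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    if registrable(host) in legitimate:
        return "legitimate"
    # A real brand name used as a subdomain of some other registrable domain.
    if any(host.startswith(good + ".") or f".{good}." in host for good in legitimate):
        return "brand-as-subdomain"
    # Similarly spelled: small edit distance once confusable characters are folded.
    if any(levenshtein(fold(registrable(host)), good) <= max_distance for good in legitimate):
        return "lookalike"
    return "unrelated"
```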
Physical
Theft
Physical
• Stolen Laptops
– May 22, 2006 - A laptop computer
and external drive containing
personal data on more than 26
million veterans and active duty
military personnel was stolen.
Down Time
Denial of Service and Natural
Disasters
Down Time
• Denial of Service
– A user or program that takes up all of the
system resources by launching a multitude
of requests, leaving no resources, and
thereby denying service to other users.
– W32.DoS.funtime, Solaris.DoS.stacheld.c,
Solaris.DoS.stacheld.t,
Solaris.DoS.stacheld.m
Down Time
• Natural Disasters
– Weather
• Katrina
– Earthquake
– Tsunami
– Volcanic
Human
• Disgruntled Employees
– Insider Activity in the Banking and
Finance Sector: this report examines
23 incidents carried out by 26
insiders in the banking and finance
sector between 1996 and 2002.
Human
• Disgruntled Employees
– In 87% of the cases studied, the insiders
employed simple, legitimate user
commands to carry out the incidents
– In 70% of cases studied, the insiders
exploited or attempted to exploit systemic
vulnerabilities in applications and/or
processes or procedures
Human
• Passwords
– Sticky Notes
– Spouses
– Children
– Pets
– Mythology
Email
Spam and Phishing
Email
• Spam
– 64% of the world's estimated
300,000 spam servers are located in
Taiwan. About 23% are located in the
United States.
Computer World July 10, 2006.
Email
• Phishing
– PayPal
X-Ware
Adware and Spyware
Adware
• Programs that facilitate delivery for
advertising content to the user and
in some cases gather information
from the user's computer,
including information related to
Internet browser usage or other
computer habits.
Spyware
• Programs that have the ability to
scan systems or monitor activity
and relay information to another
computer or locations in cyberspace.
Vulnerability
Where are the holes in your
systems?
Vulnerability
Prevalence
• Over 70% of sites with firewalls
are still vulnerable to known
attacks
• Over 80% of sites do not know
what is on their networks and what
is visible to the Internet
Mac/OS, How Safe?
• Symantec, a provider of antivirus and other
security software, released a report stating
that it has identified an increasing number of
vulnerabilities in the current version of Apple
Computer's Macintosh operating system (Mac
OS X).
• Symantec reported that it had identified 37
high-impact Mac OS X vulnerabilities in the
preceding year.
• The Macintosh installed base is relatively
small, with only about 3 percent of systems in
use today running the Mac OS.
Source: Gartner, April 1, 2005
Event Cost
How much will recovery cost
you?
Event Cost
• Hard to Determine
• Cost of recovery can be more than
a company can bear
• Organizations are often reactive,
not proactive
Melissa Virus
• Data Taken from 131 corporations
immediately after Melissa period
• 25 companies were compromised
by Melissa between Monday, March
29, and Friday, April 5 1999
• 20 experienced major “disaster”
(>25 workstations infected)
Melissa Virus
• Average of 196 infected
workstations and 9 servers per
company
• 7,824 North American companies
experienced compromise of more
than 200 workstations
• 1,205,000 computers infected
• ICSA estimates total cost at $93
million
Costs
• Price of Security Breaches reaches
nearly $14 million per incident.
That's according to a study
conducted by Ponemon Institute
LLC for PGP Corp., a security
software vendor in Palo Alto,
California.
Source: Computerworld, November 14, 2005
http://www.computerworld.com/securitytopics/security/story/0,10801,106180,00.html
Costs
• It is estimated that the worldwide
impact of malicious code was 13.2
billion dollars in the year 2001 alone,
with the largest contributors being:
– SirCam at $1.15 Billion
– Code Red (all variants) at $2.62 Billion
– NIMDA at $635 Million.
Source: Computer Economics, 2 January 2002,
http://www.computereconomics.com/cei/press/pr92101.htm
Costs
• An estimated $7.8 Billion was lost
to malicious code attacks in 2004
and 2005 combined.
• More than 35% of computer users
do not have protective software
installed on their computers.
Source: CNN Headline News August 8, 2006
Security Myths
Separating Fact from Fiction
Top Security Myths
• Encryption over the Internet is
important (SSL)
• Complex user passwords are good
• Daily anti-virus updates are required
• All vulnerabilities should be patched
• Businesses should focus on firewall
maintenance and management
Global Trends
Where is all of this going?
Internet Security
• Increasing complexity drives
exponential growth in vulnerability
• Rapidly changing environment
drives rapidly changing risks
• Greater all-to-all connectivity
drives greater potential for
malicious connectivity
Internet Security
• Growth in Internet users drives
growth in Internet abusers
• Anonymity of the Internet drives
tendency towards abuse
Essential Practices
What must be done?
Mitigating Global
Trends
• Move to dynamic security methods
• Move to distributed security
methods
• Move toward outsourcing security
solutions
In Practice
• Block (deny access by default)
• Turn-off Services / Ports (off by default)
• Substitute low-risk methods for high-risk methods
• Update (apply service packs that affect
your situation)
• Patch (apply hot fixes that affect your
situation)
• Configure
• Monitor
Presentation Sources
Where did all of this
information come from?
Sources
• TruSecure
– http://www.TruSecure.com/
• ICSA
– International Computer Security
Association
– http://www.ICSALabs.com/
• Symantec
– http://www.Symantec.com/
Sources
• Insider Threat Study: Illicit Cyber
Activity in the Banking and Finance
– June 2005
– http://www.sei.cmu.edu/pub/documents/04.reports/pdf/04tr021.pdf
• Webopedia
– http://www.webopedia.com/