Information Assurance: vulnerabilities, threats, and controls

Information Assurance: vulnerabilities, threats, and controls. Dr. Wayne Summers TSYS Department of Computer Science Columbus State University Summers_wayne@colstate.edu http://csc.colstate.edu/summers. SQL Slammer.


Presentation Transcript


  1. Information Assurance: vulnerabilities, threats, and controls Dr. Wayne Summers TSYS Department of Computer Science Columbus State University Summers_wayne@colstate.edu http://csc.colstate.edu/summers

  2. SQL Slammer • “It only took 10 minutes for the SQL Slammer worm to race across the globe and wreak havoc on the Internet two weeks ago, making it the fastest-spreading computer infection ever seen.” • “The worm, which nearly cut off Web access in South Korea and shut down some U.S. bank teller machines, doubled the number of computers it infected every 8.5 seconds in the first minute of its appearance.” • It is estimated that 90% of all systems that fell victim to the SQL Slammer worm were infected within the first 10 minutes.

  3. BLASTER • On Aug. 11, the Blaster virus and related bugs struck, hammering dozens of corporations. • At least 500,000 computers worldwide infected • Maryland Motor Vehicle Administration shut its offices for a day. • Check-in system at Air Canada brought down. • Infiltrated unclassified computers on the Navy-Marine intranet. • In eight days, the estimated cost of damages neared $2 billion.

  4. SOBIG.F • Ten days later, the SoBig virus took over, causing delays in freight traffic at rail giant CSX Corp., forcing cancellation of some Washington-area trains and causing delays averaging six to 10 hours. • Shutting down more than 3,000 computers belonging to the city of Fort Worth. • One of every 17 e-mails scanned was infected (AOL detected 23.2 million attachments infected with SoBig.F) • Worldwide, 15% of large companies and 30% of small companies were affected by SoBig - estimated damage of $2 billion.

  5. Information Assurance: • Definitions • Vulnerabilities • Threats • Controls • Conclusions

  6. Computer Security • the protection of the computer resources against accidental or intentional disclosure of confidential data, unlawful modification of data or programs, the destruction of data, software or hardware, and the denial of one's own computer facilities irrespective of the method together with such criminal activities including computer related fraud and blackmail. [Palmer]

  7. Definitions • vulnerability - weakness in the security system that might be exploited to cause a loss or harm. • threats - circumstances that have the potential to cause loss or harm. Threats typically exploit vulnerabilities. • control - protective measure that reduces a vulnerability or minimizes the threat.

  8. Vulnerabilities reported • 1995-1999 • 2000-2003 • In 2002 over 80 vulnerabilities in IE patched; There are currently 24 items, updated on 2004/01/27. [http://www.safecenter.net/UMBRELLAWEBV4/ie_unpatched/index.html] • Incidents reported increased from 82,094 in 2002 to 137,529 in 2003

  9. Security Incidents Total incidents reported (1988-2003): 319,992. An incident may involve one or thousands of sites and incidents may last for long periods. Source: CERT/CC

  10. Vulnerabilities • “Today’s complex Internet networks cannot be made watertight…. A system administrator has to get everything right all the time; a hacker only has to find one small hole. A sysadmin has to be lucky all of the time; a hacker only has to get lucky once. It is easier to destroy than to create.” • Robert Graham, lead architect of Internet Security Systems

  11. Recent News • November 29, Washington Post - Hackers find cell phones next weak link to exploit - Virus converts each icon into a death's head • November 05, Asbury Park Press (NJ) - Computer virus hits state offices. Drivers and applicants endured sometimes long waits at the newly overhauled New Jersey Motor Vehicle Commission's (MVC) offices on three days last week after a hard-charging computer virus struck its statewide system. • A survey conducted by Internet service provider America Online Inc. found that 20% of home computers were infected by a virus or worm, and that various forms of snooping programs such as spyware and adware are on a whopping 80% of systems. Even so, more than two-thirds of home users think they are safe from online threats. [ComputerWorld, OCTOBER 25, 2004] • “A zero-day exploit targeting one of the latest Microsoft flaws was publicly announced Tuesday, …just one week after Microsoft announced a record number of 10 security bulletins, seven of them critical.” [20 Oct 2004 | SearchSecurity.com] • The Gartner Group estimates that in the last year, 57 million U.S. adults received phishing e-mails, of which 11 million clicked on the provided links, and 1.78 million provided passwords and other sensitive personal information. In total, the scams resulted in fraud losses of $2.4 billion. [Gartner report, June 2004] • IM Worms could spread in seconds – “Symantec has done some simulations…and has found that half a million systems could be infected in as little as 30 to 40 seconds.” [InternetWeek – Jun 21]

  12. {Virus?} Use this patch immediately ! • Dear friend , use this Internet Explorer patch now! • There are dangerous virus in the Internet now! • More than 500.000 already infected! E-mail from "Microsoft" <security@microsoft.com>

  13. Malware and other Threats • Viruses / Worms (over 100,000 viruses – 11/2004) • 1987-1995: boot & program infectors • 1995-1999: Macro viruses (Concept) • 1999-2003: self/mass-mailing worms (Melissa-Klez) • 2001-???: Megaworms [blended attacks] (Code Red, Nimda, SQL Slammer, Slapper) • Trojan Horses • Remote Access Trojans (Back Orifice) • Computer parasites (pests – spyware, BHOs, keylogger, dialers, SPIM) • Computer security company Trend Micro detected 1,485 viruses in September [2004], a 600% increase over the 250 spotted a year ago. Of those, 45% were Trojan horses attempting to steal personal data, the company said. The company also reported a “surge in zombie networks,” saying it had found 400 programs in the past month compared with 17 a year ago.

  14. Social Engineering • “we have met the enemy and they are us” – POGO • The greatest security risk facing large companies and individual internet users over the next 10 years will be the increasingly sophisticated use of social engineering to bypass IT security defences, according to analyst firm Gartner. [ZDNet Australia, November 01, 2004 ] • Social Engineering – “getting people to do things that they wouldn’t ordinarily do for a stranger” – The Art of Deception, Kevin Mitnick

  15. Controls • Reduce and contain the risk of security breaches • “Security is not a product, it’s a process” – Bruce Schneier [Using any security product without understanding what it does, and does not, protect against is a recipe for disaster.] • Security is NOT installing a firewall.

  16. Defense in Depth • Antivirus • Keep it up to date • Deploy a Firewall • Review settings and logs frequently • Authentication Techniques (passwords, biometric controls) • Disable or secure file shares • Keep your patches up-to-date • BACKUP

  17. “The most potent tool in any security arsenal isn’t a powerful firewall or a sophisticated intrusion detection system. When it comes to security, knowledge is the most effective tool…” Douglas Schweizer – The State of Network Security, Processor.com, August 22, 2003.

  18. Resources • http://www.sans.org • http://www.cert.org • http://www.cerias.purdue.edu/ • http://www.linuxsecurity.com/ • http://www.linux-sec.net/ • http://www.microsoft.com/security/ • Cuckoo’s Egg – Clifford Stoll • Takedown – Tsutomu Shimomura • The Art of Deception – Kevin Mitnick

  19. COMPUTER SECURITY DAY November 30, 2004 ACCENTUATE THE POSITIVE
