Average Security Controls vs. Hacker Tools: 1999 to 2010

Average Security Controls vs. Hacker Tools: 1999 to 2010 Presented By: Jason Witty 2/16/2006


Transcript of Average Security Controls vs. Hacker Tools: 1999 to 2010

Page 1: Average Security Controls vs. Hacker Tools: 1999 to 2010

Average Security Controls vs. Hacker Tools: 1999 to 2010

Presented By: Jason Witty

2/16/2006

Page 2

Presentation Overview

• Quick Disclaimer
• Amusing (or not) Statistics
• 1999 – 2006 Us vs. Them
• Existing Tool Screenshots
• Predictions to 2010
• Wrap-up / Questions

Page 3

Disclaimer

The views and opinions expressed in this presentation are strictly those of the author and should not be taken as an endorsement of any company or technology. Permission is granted to redistribute this material in its entirety provided that this disclaimer notice is not removed or altered. Do not spray directly into eyes. Knives are sharp – they cut things. Caution: filling is hot. 

Page 4

Computer Incident Statistics

[Chart: Number of Incidents Handled by CERT/CC, by year, 1988 to 2003; vertical axis 0 to 160,000]

• In 1988 there were only 6 computer incidents reported to CERT/CC.

• There were 137,529 reported to CERT in 2003.

• CERT stopped tracking incident stats in 2004, due to the “widespread use of automated attack tools” (everybody’s getting attacked)

Page 5

Vulnerabilities

2005 - 55 MS advisories

2004 - 45 MS advisories

2003 - 51 MS advisories

[Chart: years 1999 to 2006; vertical axis 0 to 5000; series: Others, Apple, Sun, Microsoft]

[Chart: years 1999 to 2006; vertical axis 0 to 250; series: Microsoft, Sun, Apple]

2005: Apple released nearly as many vulns as Microsoft

Source: http://nvd.nist.gov/

Page 6

Black Hat vs. White Hat “Maturity”

Year: 1999 (New Vulns.: 914)

“Average” Security Controls:
• Password Security & Some 2-factor
• Internet Firewalls and NIDS common
• SSL for Internet Sites
• IPSec VPNs
• Security Awareness Training

“Average” Attack Tools:
• “I love You” virus
• BO2K, SubSeven
• “Point, click, and attack” GUIs
• Published default password lists
• NMAP

Year: 2000 (New Vulns.: 1014)

“Average” Security Controls:
• More adoption of the above.
• Progressive companies doing HIDS
• Strong-auth for VPNs common

“Average” Attack Tools:
• NIDS Evasion CLI IP Spoofing
• Steganography

Year: 2001 (New Vulns.: 1672)

“Average” Security Controls:
• More adoption of the above.
• Network Layer Anti-virus common
• Still using passwords for most access

“Average” Attack Tools:
• “Code Red” / NIMDA
• Social Engineering Contests
• Firewall Tunneling

Page 7

Black Hat vs. White Hat “Maturity”

Year: 2002 (New Vulns.: 1946)

“Average” Security Controls:
• Still using passwords for most apps
• US starting to see privacy / security legislation take effect and new legislation being created.
• Progressive companies looking at GIDS / IPS

“Average” Attack Tools:
• “DC Phone Home”
• Filesystem Crypto
• Web-app brute-forcing
• Steganographic trojans
• Passive IP fingerprinting
• Bootable Linux distros

Year: 2003 (New Vulns.: 1252)

“Average” Security Controls:
• More adoption of the above.
• Progressive companies looking at application firewalls / app IDS

“Average” Attack Tools:
• Alternate data storage methods (DNS, etc.)
• Airsnort, NetStumbler

Year: 2004 (New Vulns.: 2343)

“Average” Security Controls:
• More adoption of the above.
• IPS becoming mainstream, technologies for layer-7 firewalling blending.

“Average” Attack Tools:
• Bootable OS’es on CD with pre-compiled tools
• Google Hacking
• Bot-nets

Page 8

Black Hat vs. White Hat “Maturity”

Year: 2005 (New Vulns.: 4714)

“Average” Security Controls:
• Still using passwords for most access.
• FFIEC guidelines published.
• Some companies seriously looking at DRM.
• IAM Systems widely deployed.
• Enterprise Risk Management teams common in Medium-Large businesses

“Average” Attack Tools:
• BiDiBLAH
  – Nessus
  – MetaSploit
  – GoogleAPI
  – Port/banner scanner
  – DNS dumping
  – Sub-domain finder (country scan)
  – HTML and Office reporting
• BackTrack = WHAX (formerly Whoppix) + Auditor
• Rent-a-BotNet

Page 9

2002 Hacker Tools: Web Hacking

WebCracker Web Session Brute Forcer

Page 10

1990-1999 Hacker Tools

Ultimate Zip Cracker, L0phtcrack

Nessus, Netcat, SAINT, NMAP, Juggernaut, Ethereal

Page 11

2000-2005 Hacker Tools

DSniff, Airsnarf, Hping2, Ettercap, Nikto, Kismet, Netstumbler

Whoppix

Page 12

2006 Hacker Tools: Back Track

BackTrack = WHAX (Formerly Whoppix) + Auditor Security Collection

Page 13

2006: Here and Now

The new iPod Video (60GB) can store:
– 25,000 photos OR
– 15,000 songs OR
– 2,000 videos OR
– 1,536,000,000 CC#’s (Name, Exp. Date, CVV Codes = 40 B/rec) OR
– 60 pick-up trucks worth of paper documents

Page 14

2006: Here and Now - II

McAfee Internal User Security Survey (Europe)

http://www.theregister.co.uk/2005/12/15/mcafee_internal_security_survey

1 in 5 workers let family and friends use company laptops.

More than 50% connect their own devices to their work PC. 25% of the above do so every day.

1 in 10 confessed to downloading content they shouldn't

2 in 3 have a limited knowledge of computer security

5% admitted to accessing areas in their IT system that they shouldn't have

Page 15

2006: Here and Now - III

• Teenage kids are renting Bot-nets in 10,000 PC lots, for $/hr. on IRC
• Highly complex worms contain multiple exploits, payloads, and encrypted commands
• Point and Click Hacking is Here. All CVEs, published exploits, GUI tools, and an OS to use them on fit on a single CD (which BTW fits in the standard amount of RAM on a PC these days.)
• The RIAA continues to sue grandmothers, children, students, etc. for illegally downloading songs off the Internet.
• Auditrocities ;-)

Page 16

Predictions for 2010 (Next 5 Years)

• Security as a “Feature” vs. “Product” (and better security “Process”)
• Infosec and Physical security more closely integrated – NOTE: Cameras *Everywhere*
• RIAA, MPAA finally “get it” – common standards/tools for DRM integrated into most products
• Strong Authentication standard for eCommerce, biometrics prevalent
• ERM drives ESM/SIM/SEM integration – Enterprise Risk Dashboards common
• DDoS prevention technology integrated into all firewalls, routers, switches (driven by easy access to Bot-Nets)

Page 17

Questions?

Page 18

Tool Links

• BiDiBLAH - http://www.sensepost.com/research/bidiblah/
• BackTrack (Formerly WHAX[Whoppix] + Auditor) - http://www.whoppix.net/index.php/Main_Page
• Top 75 Tools - http://www.insecure.org/tools.html
• Packet Storm has tens of thousands of free hacker tools available - http://www.packetstormsecurity.org

Page 19

Random Stuff

• Linus Torvalds born Sunday Dec 28th, 1969
• Unix OS “born” Thursday Jan 1st, 1970