E. Gelbstein A. Kamal Information Insecurity Part I: The Problem Next slide: PgDn or Click Previous...

1 of 49E. GelbsteinA. Kamal

Information InsecurityPart I: The Problem

Next slide: PgDn or ClickPrevious slide: PgUpTo quit the presentation: Esc

Information Insecurity

Part I: The Problem




Cyber-attacks are different

No need for physical contact with the victims

Easy to learn techniques and acquire tools

Small investment can cause massive economic damage

Many network operators and countries may

be involved

When done subtly it leaves few or no traces

Easy for the players to hide

Inadequate cyberspacelegislation




Today’s Seven major threats

1. State sanctioned information warfare

2. Information counter-intelligence

3. Cyber-terrorism

4. Cyber-organized crime

5. Information sabotage

6. Cyber-crime

7. Cyber-hooliganism




Cyberterror and Cyberwar

Question 1 What constitutes an act of war in Cyberspace?Question 2 What is cyber-terrorism?

Lack of definitions

Electromagnetic pulse Attack on military networks/ computers Attack on critical civilian infrastructure (electricity, water,transport, hospitals)

Disruption of civil systems (tax, social security, banking)Disinformation

not IF but WHEN




Cybercriminals

Financial fraudTheft of intellectual property

Money launderingUnlicensed gambling

PornographyIdentity theft

Industrial (& other) espionageExtortion

and many other…




Cyberhooligans

SpamSynchronised DOS attackHijacking a computerDisseminating virus/worm (without destructive payload)Redirecting website trafficWebsite SpoofingWebsite defacementActivating intrusion detection



Next slide: PgDn or ClickPrevious slide: PgUpTo quit the presentation: EscIt all started with the

invention of writing

Bronze Age cuneiformwriting on clay tablet

Accounting document in whichthe pictures represent goods and

the notches quantities

Mesopotamia ± 6,000 years agoMusée du Louvre, Paris

and the need to keep secrets




Followed by more inventions

PaperPrinting

BooksLibraries

PhotographyPhonograph

PhotocopierScanner

Digital everythingGrowing ease of copying

(copyright issues)

making increasing use of

binary digits (bits)




Cyberspace: the world of bitsWorld Wide Web

Deep WebIntranetsExtranets

Networks not usingInternet technologies

OECD’s “OLIS”Business to Business procurement (B2B)

Computer aided design done jointly by several companies

Satellite communicationsMilitary communicationsRailroad communicationsAir traffic controlNuclear utilities

400 million “users” and growing




What do we do in cyberspace? Transaction

Process support

Publication

Analysis

E-commerceTreasury, funds transferStock ExchangesAirline reservationsProcurementMessaging

Usually Mission Critical

StatisticsData miningCredit ratingActuarial analysisBusiness IntelligenceSituation Analysis

Some may beMission Critical

Some may not beMission Critical

Factory automationAir traffic control

UtilitiesLogistics and tracking

Accounting and payrollKnowledge management

Office automationWire servicese-publishingInteractive databasesPublishing

Increasingly Mission Critical

ever expanding listsof possibilities




The world of bits and atoms (1)

Scheduling: timetableScheduling: aircraft/ trains, etcScheduling: maintenanceScheduling: staff and crewsCalculating fuel requirementsTraffic ControlTicketing, fares and yield managementPassenger information systemsModeling and traffic reroutingetc.





Robotic systemsComputer assisted manufacturingMass customizationJust in time logisticsAssembly line monitoringQuality assurance and controlsetc.





Electricity generation Water treatment

7 days a week, 24 hours a day operationsSafety monitoring and controlsEnvironmental controls (for discharges)Quality assurance and controlsDistribution managementetc.




And more: vital services

Skills and knowledge intensiveI.T. is becoming a component in all of them

Emergency services

Hospitals

Education




Crime and punishment

Codes of conduct and law recorded since the invention of writing

Humans are tool makers. Tools have always been used creatively in crime and war

Legislation develops less fast than technology and new forms of crime

Law enforcement is not a 100% answer

Code of Hammurabicontains 282 proclamations (laws)Mesopotamia ~ 3300 years ago Musée du Louvre, Paris

particularly in cyberspace




Types of cyber-attackComputers and communications as tools

Breaking passwords DecryptionInterception

Computers and communications as weapons

Malicious codedis-information sabotage smart weapons

Computers and communications as a target

Fraud Extorsion DisruptionEspionage




101101010…

Many forms of attack

Many players

Everyone a targetEvery system a challengeNo need for physical contactFew, if any, traces leftInadequate or non-existent legislation




Attack trends: malicious code

Source: CERT, Computer Emergency Response Team April 2002 at Carnegie Mellon University www.cert.org

Year 1995 1996 1997 1998 1999 2000 2001

Vulnerabilities 171 345 311 262 417 1090 2437

Year 1988 1989 1990 1991 1992 1993 1994

Incidents reported 6 132 252 406 773 1334 2340

Year 1995 1996 1997 1998 1999 2000 2001

Incidents reported 2402 2573 2134 3734 98592175

652658

Vulnerabilities reported to CERT

Number of incidents reported to CERT




Economic Impact (1)

Average bank holdup: $ 14,000 dollars

Average computer theft: $ 2,000,000 dollars

Source: Association of Certified Fraud Examiners (U.S.A.), 2000




Economic Impact (2)

CODE RED (a worm) infected360,000 web servers in the first 14 hours

Source: Computer Economics Inc, 2000

The bad news: CODE RED and NIMDA had no destructive

payload and are seen as “proof of concept” for future designs

It then spread around the world in 48 hours




Economic Impact (3)

Estimated cost of virus and worm infections in 2001 – 17 billion US dollars to

• clean malicious software from all equipment

• restore lost and damaged data

• help end users and clients

• test and return systems to normal operations

• loss of productivity as a result of downtime

Assumes 1 person-minute = 1 $




The Players – by organization

Individual usersSmall businesses

Large enterprisesand organizations

National governmentand legislation

Vendors andservice providers

Highereducation

CriticalInfrastructures

InternationalOrganizations




Critical infrastructures

Oil refineries anddistribution depots

Airlines and airtraffic control

Banking andfinancial services

Power generationand distribution

pipelines

Water purificationand distribution

IXPs

Public transport

Emergencyservices

Fixed and mobiletelecommunications




Public domain informationSome of these Exchanges are

not secure facilities




so far, just fun

www.turnofftheinternet.com




Special responsibilities

Ensure computing is highly secure

Monitor and deal with vulnerabilities continually

Maintain effective boundaries with the Internet

Employ qualified and trained I.T. security personnel

Manage interdependencies with other critical infrastructures

Share information with other critical infrastructures

Have ready disaster recovery and crisis management plans

Seek, obtain and maintain security certification

CRITICAL INFRASTRUCTURES




Special responsibilitiesNATIONAL GOVERNMENT AND LEGISLATION

Implement national security programs

Promote standards and best practices

Ensure clear definition of accountability and oversight

Conduct security audits of government agencies

Provide adequate funding for information security

Recruit, train and retain qualified I.T. security personnel

Conduct awareness programs for government employees

Make arrangements for reporting security incidents

Have warning, analysis, incident response and recovery procedures




Special responsibilitiesINTERNATIONAL ORGANIZATIONS

Encourage international standards for information security

Develop mechanisms for international cooperation

Develop appropriate governance of cyberspace

Create effective mechanisms for sharing information




Special responsibilitiesVENDORS AND SERVICE PROVIDERS

Balance “time to market” against product vulnerabilities

Protect the interests of customers by providing alerts, patches, fixes and upgrades, perform more functions for them

Liaise with User Groups and others to reduce vulnerabilities

Develop fair terms and conditions of software licences that do not absolve vendors from responsibility and liability

Collaborate in the pursuit of cyber-attackers by providing access to records, logs and data




Special responsibilitiesLARGE ENTERPRISES AND ORGANIZATIONS

Establish clear responsibility for information security and appropriate reporting lines

The CEO, the Board and the Auditors should know about standards, best practices and self-evaluation

Establish enterprise-wide security policies including what should be disclosed to the Board, stakeholders, auditors, etc

Implement employee awareness programs

Manage insider threats (and balance risk vs. employee privacy)

Have appropriate risk management and insurance cover

Have working arrangements to report security incidents




Special responsibilitiesHIGHER EDUCATION

Take steps to prevent attacks originating within Institutions

Protect critical information from external and internal attack

Organize for security as a shared concern with other Institutions worldwide




Special responsibilitiesSMALL BUSINESSES AND INDIVIDUALS

Be aware of cyber-security issues and of how to deal with vulnerabilities and incidents

Awareness of the security issues of new technologies such as ADSL, wireless connectivity, etc

Require vendors to disclose risks

Need for Internet Service Providers to perform more cyber-security functions for home users ?




The Players – by nature

Responsible end-usersSecurity administrators

Security managersInternal auditors

Security coordinatorsProviders of security alerts

Ethical hackers

Malicious insidersScript kiddiesHackers, crackers, phreakersHacktivistsSpies (industrial and other)Organised crimeCyber-terrorists

VendorsSecurity auditors Security consultantsLegislators

BAD GUYS

VERY SPECIAL GUYS

GOOD GUYS

and many more




The Bad Guys

Knowledge

Access

Motivation

Malicious insidersScript kiddies

Hackers, crackers, phreakersHacktivists

Spies (industrial and other)Organised crimeCyber-terrorists




ACCESS mechanisms

OFFICIAL

UNOFFICIAL

Authorized insidersRights of former personnel (should have been removed)

Disclosure by insidersAbuse of insider knowledgeAbuse of presence as visitorTheft of ID and passwordNewly discovered vulnerabilities Hacker club disclosuresForced entry (password breaker)




Knowledge sources

Shared through hacker groups and conferences

Obtained by followingpublic discussions onproduct vulnerabilities

Privileged insider knowledge

Buying commercially available hacking tools

Virus, worm and othermalicious code design




What motivates the Bad Guys (1)

nuisances

Script Kiddies

Ethical HackersIndividual copyright violators

HacktivistsCyber-hooligansEmulate the “big boys”

ego-trip Deny service (sit-in)Make themselves heardCause embarrassmentMaliceGain publicity

Defy authoritySafely break the lawMinor financial gain

Show how smart they areIdentify vulnerabilities = fun

Many become security consultants





Industrial+ spies

Business copyright violators

Non-ethical Hackers (crackers)

Virus and worm designers

almost alwaysMONEY

“Just because it’s there”

Test new ways to spread malicious codeCause loss or corruption of dataSteal IDs and passwords Impersonation and spoofingSteal credit card and similar dataSabotage, etcLow risk of detection and punishment





Organized crime

Malicious insider

Strong personal animosity towards a personGrudge against employer

Criminal intent: fraud, extortion, theft,corruption of data, sabotage, etc

Low risk of detection and punishment

New areas of opportunity - globallyEase of hiding in cyberspaceEase of establishing global networksLack of legislation and jurisdiction

Interpol, Europol, FBI, Chambers of Commerce and many others organizing to fight it





Cyber-terrorists

Ease of establishing global networksAbility to hide in cyberspaceLack of legislation and jurisdiction

Richness of opportunityAvailability and low cost of resources neededImpact of successful attacksVisibility

Driven by ideology




Hiding in cyber-space (1)

Encryption

Voice, fax and data communicationsE-mailStored dataIn public postings

Dorothy Denning and William BaughInformation, Communication and Society, 1999

Digital compression

Steganography

XWR2T P5%WZ $E#GT

LLVWLSHVBNRMVDFRMTHTXT

Message bits are mixed with the bits defining the image




Hiding in cyber-space (2)

Use of passwords

Hiding information in remote servers

Disabling audit logs in servers

Anonymous remailersAnonymous digital cashComputer penetration and loopingCellphone cloningCellphone pre-paid cards

Anonymity

Nobody knows who you areNobody knows where you are




Offences – forms of attack

Aiding and abetting cyber-criminalsFraud, embezzlementForgery

CATEGORIES

Data-relatedInterception Modification Theft

Network-relatedInterference

SabotageAnonymity

Access-relatedHacking

Malicious code distribution

Computer-related




Network-related offences

Interference

SabotageDenial of service

Control of a server or network devicesUsing a trusted network to access

another network“Sniffing” traffic

Hoaxes

Physical disconnection or damageCorruption of Domain Name Servers

Attack on an Internet Exchange Point (IXP)Attack of a critical infrastructure

AnonymityStolen and cloned cellphonesHijacking the ID and password of a legitimate network user




Data-related offencesInterception

Modification

Theft

Defacement of a websitee-mail spoofing and impersonationDatabase and document contentsCommercial transactions

Intellectual propertyPersonal dataUser IDs and passwordsNon-public domain information

Voice and fax e-mail Data transfers

(fixed and mobile)

10010101001




Access-related offencesHacking

Distribution ofmalicious code

Unauthorized access to networks and computer systemsUse of electronic services without paymentDeleting and/or destroying dataDisclosure of security weaknesses found and how to overcome themInvasion of privacy

To launch a distributed denial of service attackTo slow down/close down a network (worm)To corrupt servers and data (virus and/or worm)To gain control of a server or device (trojan horse, back door)To extort payment (logical bomb)




Computer-related offences

Aiding and abettingcyber-crime

Fraud

Forgery

Providing (knowingly or not) technical, financial and legal facilities for conducting and/or hiding cyber-crime

Messaging and documentsDigital I.D.Copyrighted data (software, music, e-book)

Falsification of financial transactionsMisuse of credit card and personal dataUnlicensed financial services, gambling




Impact of various offences

Most pervasive Most expensive

Most publicised Most frequent

Virus, worm, trojan horseInsider fraud, sabotage

Theft of proprietary information

Attacks on e-business- theft of credit card data- Denial of Service

Developers’ mistakesNetwork misconfigurationPoor system administration

E. Gelbstein A. Kamal Information Insecurity Part I: The Problem Next slide: PgDn or Click Previous...

Documents

Transcript of E. Gelbstein A. Kamal Information Insecurity Part I: The Problem Next slide: PgDn or Click Previous...