Theft Happens: Data Security for Intellectual Property Managers
Presented by Fred Holborn on behalf of Psiframe, Inc. to the Intellectual Property Society, July 16, 2003. For more information, visit http://www.ipsociety.net and http://www.psiframe.com.
Copyright 2003 Psiframe, Inc. All Rights Reserved.
Today’s Situation
- 92% of large organizations detected computer security attacks in 2003.
- 75% acknowledged financial losses due to computer breaches.
- Theft of proprietary information caused the greatest financial loss: $2.7 Million average.
Source: CSI / FBI Computer Crime and Security Survey, April 2003, http://www.gocsi.com
$2.7 Million . . .
- Profit vs. Loss for ______, Inc.?
- $______ Annual Interest Expense?
- $______ Million in Additional Revenue to Recoup?
Founding Premise
“Improve the security of a site by breaking into it.”
Dan Farmer, 1993, creator of SATAN (Security Analysis Tool for Auditing Networks)
Source: http://www.fish.com/security/admin-guide-to-cracking.html
Psiframe’s Purpose
- Psiframe enables organizations to Lock Down Data Systems and Network Security by:
  - Performing "Real World" Risk Assessments.
  - Identifying Exploitable Vulnerabilities from an Attacker's Perspective.
  - Recommending "Best Practice" Solutions.
Goals and Objectives
- Protect Information Assets through a program of regularly conducted assessments that quantify and enable mitigation of unacceptable risks.
- Develop understanding and consensus among executive and technology leaders to achieve and validate strong security.
Assessing IP Assets on IP Networks
- What are the IP Assets and their values?
- What are the actual threats to IP Assets facilitated by vulnerabilities on Networks?
- What consequences are possible if threats arise?
- What are the probabilities that thefts will happen?
- What safeguards can be deployed?
- What investments are required for safeguards?
What’s Vulnerable?
Examples:
- Hardware Devices
- Operating Systems & Applications Software
- Systems Architecture & Configurations
- Data Transmission & Encryption Protocols
- Access Control Methods
- People
Source: Computer Emergency Response Team Coordination Center, http://www.cert.org/present/cert-overview-trends/module-1.pdf
Copyright 1998-2003 Carnegie Mellon University
[Chart: Reported Hardware & Software Vulnerabilities per Year (CERT/CC)]
How Did This Happen?
- Internet connectivity is "Open" by design.
- Faith and trust in "Firewalls" is misplaced.
- Software and hardware security remains poor.
- Complexities of systems & network configurations are "Incomprehensible".
What’s Required for Strong Security?
Awareness? Budgets? Resources? Training? Skills? Policies? Procedures? Compliance? Assessments?
What’s At Risk?
1. Information Assets
2. Business Relationships
3. Network Infrastructure
1. Information Assets At Risk
- Trade Secrets
- Designs & Processes
- Business Plans
- Personnel Records
- Financial Transactions
- Privileged Communications
2. Business Relationships At Risk
- Customer & Partner Data Confidentiality
- Production & Service Quality
- Industry Reputation
- Competitive Advantage
- Regulatory Compliance
- Investor & Stakeholder Confidence
3. Network Infrastructure At Risk
- Authentication & Privacy
- Availability of Systems & Resources
- Customer & Supplier Connectivity
- Functionality of Software Applications
- Integrity of Records & Databases
- Business Continuity
Network Security Roadmap
1. Establishing Executive Mandates for Assessments
2. Comparing Audit Methodologies & Deliverables
3. Identifying Exploitable Vulnerabilities
4. Exposing Firewall Circumventions
5. Detecting & Monitoring Wireless Access
6. Revealing Information Leakage & Sources
7. Recognizing Critical Infrastructure & IP Threats
8. Implementing Lock Down & Best Security Practices
9. Maintaining Federal & State Regulatory Compliance
10. Managing Ongoing Processes & Oversight
Source: http://www.ncs.gov/n5_hp/Reports/FINALREP.pdf
Establishing Executive Mandates for Strong Security
Comparing Audit Methodologies
1. Policy & Procedure Review
   - Determine Existence & Extent of Written Policies
   - Can it Prove Policy Adherence or Effectiveness?
2. Automated Scanning Tools & Scripts
   - Low-Cost Product Purchase or Outsourced Option
   - Can they Combine & Correlate Multiple Findings?
   - Do they Produce False Positives?
   - Are Validities of Results Affected by Version Currency?
Comparing Audit Methodologies
3. "Red Team" Vulnerability, Exploit & Pen. Testing
   - Simulates Real-World Scenarios (Many Tools & Methodologies)
   - Combines & Correlates Multiple Results (Human Approach)
   - Validates Indications in "Day 0" Time
   - Determines Actual Risks to Specific Assets
   - Proves Existence/Efficacies of Policies & Practices
   - Tailors Recommendations to Specific Environments
   - Connects IT Leadership with Sr. Management
   - Limitation: Scalability Limited by Availability of Specialists
Comparing Deliverables
- Paper Based or Interactive Reports?
- Level of Comprehensiveness?
- Includes Both Vulnerability & Risk Assessments?
Psiframe’s RiskPoints™ eDeliverable
RiskPoints is a trademark of Psiframe, Inc.
Identifying Exploitable Vulnerabilities
Examples:
- Routers
- Operating Systems
- Service Applications (Mail, FTP, DNS, etc.)
- Web Applications
- Configuration Errors
- Authentication Weaknesses
- People
Exploit Example: Router
Cisco IOS Vulnerability & Exploit
- This vulnerability enables eavesdroppers to sniff email and monitor other traffic while transparently forwarding it to its intended destination within milliseconds.
- Once privileged (administrative) access to the Client's router was gained, Psiframe installed an encapsulated tunnel (Virtual Private Network) between the router and a Psiframe server on the Internet.
- Using this technique, Psiframe was able to surreptitiously capture any or all outgoing traffic from the Client's network.
Exploit Example: Web Server
Microsoft IIS Vulnerability & Exploit
- This vulnerability enables intruders to deface Web sites, install worms that attack other sites, or leverage them as stepping-stones to penetrate back-end systems such as database servers with credit card data.
- Once root-equivalent (administrative) access was gained to the Client's Web server, Psiframe had full administrative control over all files and configuration settings.
- From the Web server, Psiframe was able to penetrate further and access other systems on the Client's internal network that "trusted" the Web server through the firewall.
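Both exploit examples above leave something an auditor can look for in a device configuration: a tunnel interface terminating on a peer nobody authorized, with a route that steers traffic into it, and firewall access-list entries that let a DMZ web server open connections to internal hosts. The following is an added example written for this page; it is not Psiframe's tooling and does not reconstruct the unnamed IOS or IIS vulnerabilities. The running-config, the addresses (documentation prefixes) and the inventory sets AUTHORIZED_TUNNEL_PEERS, DMZ_HOSTS and INTERNAL_NETS are all constructed for illustration.

```python
"""Audit a Cisco IOS-style running-config for two conditions: a tunnel
interface terminating on an unauthorized peer (plus the static routes that
feed it) and access-list entries that permit a DMZ host to reach internal
networks.  Added example code; the config and inventories are constructed."""

import ipaddress
import re

# Constructed sample running-config (hypothetical device, documentation prefixes).
SAMPLE_CONFIG = """\
!
interface Tunnel0
 description Branch office link (authorized peer)
 ip address 10.255.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 198.51.100.7
!
interface Tunnel1
 ip address 172.31.250.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 203.0.113.99
!
ip route 0.0.0.0 0.0.0.0 Tunnel1
ip route 10.0.0.0 255.0.0.0 10.255.0.2
!
access-list 101 permit tcp host 192.0.2.10 10.0.0.0 0.255.255.255 eq 1433
access-list 101 permit tcp host 192.0.2.10 host 10.20.30.40 eq 445
access-list 101 permit tcp any host 192.0.2.10 eq www
access-list 101 deny ip any any
!
"""

# Hypothetical inventory the auditor brings to the engagement.
AUTHORIZED_TUNNEL_PEERS = {"198.51.100.7"}   # tunnel endpoints the organization owns
DMZ_HOSTS = {"192.0.2.10"}                   # the public web server
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_interfaces(config):
    """Return {interface_name: [stanza lines]} for every 'interface' stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the stanza
    return interfaces


def find_rogue_tunnels(config, authorized_peers):
    """Tunnel interfaces whose destination is not an authorized peer, together
    with the static routes that send traffic into them (the exfiltration path)."""
    routes = re.findall(r"^ip route (\S+) (\S+) (Tunnel\d+)", config, re.M)
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not name.startswith("Tunnel"):
            continue
        dest = next((l.split()[-1] for l in lines if l.startswith("tunnel destination ")), None)
        if dest and dest not in authorized_peers:
            via = [f"{net} {mask}" for net, mask, tun in routes if tun == name]
            findings.append({"interface": name, "destination": dest, "routes_via": via})
    return findings


def wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair (wildcard bits are don't-cares) to a network."""
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl_target(tokens):
    """Parse one ACL address spec ('host X', 'any', or 'addr wildcard').
    Returns (network, number_of_tokens_consumed)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), 2
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    return wildcard_to_network(tokens[0], tokens[1]), 2


def find_dmz_to_internal_permits(config, dmz_hosts, internal_nets):
    """Numbered extended-ACL entries that permit a DMZ host to reach an internal
    network: the 'trust' a compromised web server rides through the firewall."""
    dmz_nets = {ipaddress.ip_network(f"{h}/32") for h in dmz_hosts}
    findings = []
    for m in re.finditer(r"^access-list (\d+) permit (\S+) (.*)$", config, re.M):
        acl, proto, rest = m.groups()
        tokens = rest.split()
        src, n = parse_acl_target(tokens)
        dst, k = parse_acl_target(tokens[n:])
        port = " ".join(tokens[n + k:])        # e.g. 'eq 1433'; empty means any port
        if src in dmz_nets and any(dst.subnet_of(net) or net.subnet_of(dst) for net in internal_nets):
            findings.append({"acl": acl, "proto": proto, "src": str(src), "dst": str(dst), "port": port})
    return findings


if __name__ == "__main__":
    for f in find_rogue_tunnels(SAMPLE_CONFIG, AUTHORIZED_TUNNEL_PEERS):
        print("ROGUE TUNNEL:", f)
    for f in find_dmz_to_internal_permits(SAMPLE_CONFIG, DMZ_HOSTS, INTERNAL_NETS):
        print("DMZ->INTERNAL PERMIT:", f)
```

Run against the constructed config, the script flags Tunnel1 (peer 203.0.113.99, with the default route pointed into it) and the two ACL entries that let the web server reach SQL Server (1433) and SMB (445) on the internal network; the inbound "any to web server port 80" rule is correctly left alone. The inventory sets are the part that has to come from the client, which is why the roadmap puts "Recognizing Critical Infrastructure" before "Locking Down".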
Exposing Firewall Circumventions
- Vulnerable Systems, Services and Software
- Misconfigured Firewalls & Network Topologies
- Dual-Homed Devices
- Modems
- Rogue & Insecure Wireless Access Points
Firewall Circumvention Example
“WiFi” Wireless LANs
- 2003 Worldwide Users: 5 Million +
- Advertised Useable Distance: ~ 300 Feet
- Encryption: None (default) / 40 bit & 128 bit (WEP)
- Authentication: None (default) / Various Types
- User IP Address Assignment: Auto (default) / None
“WiFi” Wireless LANs
"By year-end 2002, 30 percent of enterprises will suffer serious security exposures from deploying wireless local area networks (WLANs) without implementing the proper security... At least 20 percent of enterprises already have 'rogue' WLANs attached to their corporate networks, installed by users looking for the convenience of wireless and unwilling to wait for the IS organization to take the lead... Fixing the exposure after a hacking attack cannot recapture lost intellectual property and sensitive customer information." (Gartner)
Source: http://www.gartner.com/5_about/press_releases/2001/pr20010809b.html
Wireless “WiFi” LANs
[Map: Potrero Hill, San Francisco WiFi Access Points, July 1, 2003 Drive Count = 376]
- Green: No Encryption
- Red: Encryption (WEP) Enabled
Note: Unpopulated streets not scanned.
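A drive count like the one above becomes actionable only when it is compared against what the IS organization believes it has deployed. The following added example (not Psiframe's tooling) triages a constructed survey, with made-up BSSIDs in a hypothetical bssid,ssid,channel,encryption format, against an inventory of authorized radios, separating authorized APs from unknown radios that advertise the corporate SSID and from everything else in range. One caveat the map legend does not state: a red (WEP) dot is better than a green one, but WEP keys were already recoverable by passive attacks in 2001 (Fluhrer, Mantin and Shamir), so WEP on its own is not a safeguard.

```python
"""Triage a wireless site survey against an inventory of authorized access
points.  Added example code; the survey records and inventory are constructed
(BSSIDs are made up) and the record format is hypothetical."""

from collections import Counter

# Constructed survey: bssid,ssid,channel,encryption  (one access point per line)
SCAN_CSV = """\
# bssid,ssid,channel,encryption
00:0b:86:10:00:01,CORP-WLAN,1,WEP
00:0b:86:10:00:02,CORP-WLAN,6,WEP
00:0b:86:10:00:03,CORP-WLAN,11,WEP
00:02:2d:5a:11:22,CORP-WLAN,6,NONE
00:40:96:7c:33:44,linksys,6,NONE
00:04:5a:9e:55:66,tsunami,11,NONE
"""

# Hypothetical inventory maintained by the IS organization.
AUTHORIZED_BSSIDS = {"00:0b:86:10:00:01", "00:0b:86:10:00:02", "00:0b:86:10:00:03"}
CORPORATE_SSIDS = {"CORP-WLAN"}


def parse_scan(text):
    """Parse the survey into dicts; skips blank and '#' comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        bssid, ssid, channel, enc = (f.strip() for f in line.split(","))
        records.append({"bssid": bssid.lower(), "ssid": ssid,
                        "channel": int(channel), "encryption": enc.upper()})
    return records


def classify(rec, authorized_bssids, corporate_ssids):
    """'authorized' = known radio; 'evil-twin' = unknown radio advertising a
    corporate SSID (a user's own AP or an attacker's); 'unknown' = any other
    radio in range, to be checked for a connection to the corporate wire."""
    if rec["bssid"] in authorized_bssids:
        return "authorized"
    if rec["ssid"] in corporate_ssids:
        return "evil-twin"
    return "unknown"


def triage(text, authorized_bssids, corporate_ssids):
    """Annotate every record with a verdict and an 'open' flag (no encryption)."""
    results = []
    for rec in parse_scan(text):
        rec["verdict"] = classify(rec, authorized_bssids, corporate_ssids)
        rec["open"] = rec["encryption"] in ("", "NONE", "OPEN")
        results.append(rec)
    return results


def summarize(results):
    """Counts in the shape of the map legend (open vs. WEP) plus verdict totals."""
    return {
        "total": len(results),
        "open": sum(1 for r in results if r["open"]),
        "wep": sum(1 for r in results if r["encryption"] == "WEP"),
        "verdicts": dict(Counter(r["verdict"] for r in results)),
    }


if __name__ == "__main__":
    results = triage(SCAN_CSV, AUTHORIZED_BSSIDS, CORPORATE_SSIDS)
    for r in results:
        if r["verdict"] != "authorized" or r["open"]:
            print(f'{r["bssid"]}  ch{r["channel"]:>2}  {r["ssid"]:<10} {r["encryption"]:<5} {r["verdict"]}')
    print(summarize(results))
```

On the constructed survey the evil-twin finding (an unknown radio on channel 6 advertising CORP-WLAN with no encryption) is the one that deserves a walk with a directional antenna the same day; the two "unknown" radios may be neighbours, but the slide's "Rogue & Insecure Wireless Access Points" item is only closed once each has been traced to, or excluded from, a corporate switch port.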
Exploiting WiFi Range Extension
Intercepting Client Data 1.2 Miles From Source
Information Leakage Examples
- Whois: Search Domain Account Holder Records, http://www.xwhois.com
- Dig-It: Query DNS for Host Names & IP Addresses, http://us.mirror.menandmice.com/cgi-bin/DoDig
- Netcraft: What's That Site Running?, http://www.netcraft.com
- Google: Technical Newsgroup Archives, http://groups.google.com
Info Leakage Example: Netcraft
Source: http://www.netcraft.com
Info Leakage Example: Newsgroups
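Most of what Netcraft reports is what any client can read from the response headers of a single HTTP request. The following added example (not Netcraft's or Psiframe's code) parses a constructed raw response, handling the CRLF header block, case-insensitive names, repeated headers and RFC 2616 folded continuation lines, and pulls out the headers that exist only to tell an outsider what software and topology sit behind the site. The product strings and the proxy host name in the sample are illustrative.

```python
"""Extract 'what's that site running?' information from a raw HTTP response,
the way a banner grab sees it.  Added example code; the response is constructed
and the product strings and host name are illustrative."""

# Constructed response from a hypothetical server (CRLF line endings as on the wire).
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Wed, 16 Jul 2003 17:00:00 GMT\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"x-aspnet-version: 1.1.4322\r\n"
    b"Via: 1.1 proxy-fw.example.net\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

# Headers whose only value to an outsider is fingerprinting software or topology.
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via", "x-backend-server")


def parse_response_head(raw):
    """Split a raw response into (status_line, headers, body).  Header names are
    case-folded, repeated headers are kept as a list, and RFC 2616 folded
    continuation lines (leading SP/HTAB) are joined onto the previous value."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status, headers, last = lines[0], {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last is not None:
            headers[last][-1] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers.setdefault(last, []).append(value.strip())
    return status, headers, body


def fingerprint(raw):
    """Return the status line, the leaky headers present, and (product, version)
    parsed from the first token of Server (e.g. 'Microsoft-IIS/5.0')."""
    status, headers, _ = parse_response_head(raw)
    leaks = {h: headers[h] for h in LEAKY_HEADERS if h in headers}
    product = version = None
    server_tokens = headers.get("server", [""])[0].split()
    if server_tokens:
        product, _, version = server_tokens[0].partition("/")
    return {"status": status, "leaks": leaks, "product": product, "version": version or None}


if __name__ == "__main__":
    fp = fingerprint(RAW_RESPONSE)
    print(fp["status"], "->", fp["product"], fp["version"])
    for name, values in fp["leaks"].items():
        print(f"  {name}: {', '.join(values)}")
```

The Via header is the interesting one for an IP-asset audit: it names an internal proxy or firewall host, which is topology the organization never intended to publish. The same parser applied to a mail or FTP banner tells the same story, and the fix on the server side is to strip or genericize these headers rather than to argue that they are harmless.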
Recognizing Critical Infrastructure
- IP Asset Storage Locations & Shared Files
- Authorized Users & Privileges
- Networked Devices & Services
- Access Points
- Interconnections
- Single Points of Failure
- Failover, Backup & Recovery Systems
Locking Down With Best Practices
"Best Practices" is a Consensus of Approaches
- SANS Institute, http://www.sans.org/resources
- NSA Security Recommendation Guides, http://nsa.gov/snac
- IETF Site Security Handbook (RFC 2196), http://www.ietf.org/rfc/rfc2196.txt
- NIST Computer Security Resource Center, http://csrc.nist.gov
- AICPA Trust Services Principles and Criteria, http://www.aicpa.org/assurance/systrust/princip.htm
Maintaining Regulatory Compliance
Examples of New California & Federal Legislation
- Security Breach Information Act (California SB 1386)
- Notification of Risk to Personal Data Act (proposed Federal bill)
- Consult Your Attorney
New California Law
This bill, operative July 1, 2003, would require a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person...
Source: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
Proposed Federal Law
A bill to require Federal agencies, and persons engaged in interstate commerce, in possession of electronic data containing personal information, to disclose any unauthorized acquisition of such information. This Act may be cited as the Notification of “Risk to Personal Data Act”...
Source: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_bills&docid=f:s1350is.txt.pdf
Manage Process & Oversight
Strong Security Is Not An Option
- Cultivate C-Level Awareness
- Regularly Assess Risks, Threats & Vulnerabilities
- Provide Administrator Training
- Review Incident Detection, Reporting & Response Programs
Why Leverage Psiframe?
- Real World Scenarios
- Comprehensive Audit Framework
- Impartial & Objective Findings
- Interactive RiskPoints eDeliverable
- Best Practice Recommendations
- Expert Knowledge & Skills Transfer
Recommended Actions
1. Involve Board-Level Management
2. Review a Sample Composite Deliverable
3. Request an Engagement Agreement
4. Conduct a "Baseline" Assessment
5. Attend the Findings Presentation
6. Measure Improvement Quarterly
Contact
Fred Holborn
Desk 925.803.4131
Cell 925.876.6903
Email [email protected]
http://www.psiframe.com