Computerworld Conference (2002)
Hackers
Why? Who? What do they want? Where are you most vulnerable?
SKEEVE STEVENS [Former(?) Hacker]
I.T. Security Consultant
Specialising in Security Theory, Trends, Policy, Disaster Prevention
Email: [email protected]
www.skeeve.org
Copyright © 2002 by Skeeve Stevens. All Rights Reserved.
Networks Under Assault
- Australian Computer Crime and Security Survey (May 02)
  - ACCS Survey (the only survey of its kind in .au) reports more than 67% of respondents have been attacked/hacked during the 2001 period, 7% higher than the U.S. in the same period.
- InternetWeek
  - 50% of U.S. corporations have had 30 or more penetrations
  - 60% lost up to $200K/intrusion
- Federal Computing World
  - Over 50% of (U.S.) Federal government agencies report unauthorised access (some are massive numbers)
- FBI/Computer Security Institute
  - 48% of all attacks originated from within the organization
- WarRoom Research Survey
  - 90% of Fortune 500 companies in the U.S. surveyed admitted to inside security breaches
- Very few companies will talk. Too much fear of losing investor confidence and perhaps panicking the customer base (i.e. banks)
Why? - Hacker Motivations
- There are many different motivations to hack:
  - Experimentation and desire to learn
  - “Gang” mentality
  - Psychological needs (i.e. to be noticed?)
  - Misguided trust in other individuals
  - Altruistic reasons
  - Self-gratification
  - Revenge and malicious reasons
  - Emotional issues
  - Desire to embarrass the target (many reasons)
  - “Joyriding”
  - “Scorekeeping”
  - Espionage (corporate, governmental)
  - Criminal: stalking, intimidation, hostage, blackmail
Types of Hackers: Shades of Grey - Are all Hackers Bad?
- Black Hats (The Bad Ones)
  - Professional Crackers (Crime Gangs)
  - Corporate Espionage (Criminal in a suit; more common than companies realise: everyone has a competitor.)
  - e-Terrorists (with or without a motivation [eco-hackers])
  - ?
- White Hats (The Good Ones)
  - Corporate Security
  - Tiger Teams (with reputations – ISS)
  - Big 5 Audit/Testing Teams (PWC, etc.)
  - Law Enforcement Hackers / Military eSecurity
- Grey Hats (The Not-so-Bad / Not-so-Good Ones)
  - Depends who’s paying
  - Freelancers: to the highest bidder, which can include LEAs
Who are the Hackers?
- 49% are inside employees or contractors on the internal network
- 17% come from dial-up (still inside people)
- 34% are from the Internet or an external connection to another company of some sort
- The major area of financial loss in hacking is internal: more money is lost via internal hacking and exploitation (by a factor of 30 or more)
- Most of the hacking that is done is by technical personnel in technical positions within the company
Perimeter Security Is Not Enough
- Even the best perimeter firewall can be breached
- What happens to your corporate assets if the perimeter is breached?
- What protects your internal network if the perimeter security fails? Most Businesses = Nothing
- How do you know you have been breached? Most Businesses = Never Know
[Diagram: INTERNET, Firewall, External Router, Internal Servers, Production Network, Desktops, Workstations]
Perimeter Security Is Not Enough
- Many companies with “insider access” dissolve the perimeter protection (firewalls):
  - customers, consultants, contractors, temps, supply chain partners, employees – unhappy / rogue (espionage) / snoopy (the curious/ambitious) / terminated (fired)
- Many widely disseminated vulnerabilities, backdoors, firewall holes, firewall pole vaults, such as dial-up modems, shareware password crackers
- Majority of breaches and financial losses come from those with “insider access”
Typical Inside Network Attacks
- Insider attack
- Social engineering
- Virus infiltration
- Denial of Service
- OS or application bug
- Infiltration via passwords
- Infiltration via “no security”
- Spoofing
- Trojan horse
- Brute force
- Stealth infiltration
- Protocol flaw or exploit
Biggest Mistakes in Internal Security
- Everybody trusts everybody
- “Any” theory: “We don’t have anything anyone would want anyway” – never true
- No internal monitoring of any kind
- No internal intrusion detection
- No internal network isolation methods
- No separation of critical networks or subnetworks via VLANs or VPNs
- Infrastructure ignorance
Network Security IS a Serious Issue
- $202 Billion lost every year by companies to “e-Crime” in the US; Australian/rest of the world statistics are hard to estimate.
- 90% of e-Crime financial losses are INTERNAL
- U.S. Government alone will experience over 300,000 Internet attacks this year; the Australian Government has not publicised any numbers
- Hundreds of thousands of websites contain some form of Hacker Tools / Information
- e-Crimes are estimated to take place every 20 seconds...
eSecurity / Hacking Insurance Policies
- Yes, you can actually buy hacking insurance policies for some situations
- One level allows for liability reduction due to protective measures taken (what sort of firewalls / policies / operating systems / training / etc.)
- Another provides a vendor security warranty level of assurance
- Others on their way...
Future Server Threats
- Digital Nervous System components
- Infrastructure Dependencies
  - Index Server/LDAP Servers
  - Terminal Server with thin clients
  - Exchange servers being used for office and workgroup flow applications
  - DNS and other naming services servers
  - Voice over IP (VoIP)
  - Telephony servers for desktop telephony
  - Netmeeting / Video collaboration servers
  - NT servers being implemented in factories and industrial networks for process control. These require real-time network security features
- Home implementations for broadband/DSL access
- Small business via broadband/DSL access
- Seasonal threats (holiday hacker gangs)
Information Store
- A company’s most valuable assets are on its Information Store
- An attack on your Information Store can result in:
  - Loss of access
  - Loss of data integrity
  - Theft of data
  - Loss of privacy
  - Legal liability
  - Loss of Confidence (Owners/Stock market/Customers)
  - Financial Loss (Fraud)
[Diagram: Information Store holding Financials, HR Records, Patient Medical Records, R&D Information, Legal Records]
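The “Biggest Mistakes in Internal Security” slide (no internal monitoring, no separation of critical subnetworks) and the Information Store slide together describe a check a defender can actually run. The Python below is an added example, not material from the talk: it assumes a hypothetical segmentation policy (POLICY) that places each critical store on its own subnet and lists the subnets allowed to reach it, and a constructed internal flow log (SAMPLE_LOG) in a simple timestamp/src/dst/port form.

```python
# Added example (not from the talk): a minimal internal segmentation monitor that
# flags flows reaching a critical store from a subnet not allowed to reach it.
from ipaddress import ip_address, ip_network
# Hypothetical policy: store -> (subnet hosting it, subnets allowed to reach it).
# Store names come from the Information Store slide; addresses are constructed.
POLICY = {
    "Financials":      ("10.10.0.0/24", ["10.10.0.0/24"]),
    "HR Records":      ("10.20.0.0/24", ["10.20.0.0/24"]),
    "R&D Information": ("10.30.0.0/24", ["10.30.0.0/24"]),
}

def store_for(dst):
    """Name of the critical store the destination address belongs to, or None."""
    d = ip_address(dst)
    for name, (host_net, _allowed) in POLICY.items():
        if d in ip_network(host_net):
            return name
    return None

def is_allowed(src, dst):
    """Allowed unless the flow reaches a critical store from a non-listed subnet."""
    store = store_for(dst)
    if store is None:
        return True  # not a critical store: out of scope for this check
    return any(ip_address(src) in ip_network(n) for n in POLICY[store][1])

def parse_log(text):
    """Parse constructed flow records: <timestamp> <src> <dst> <port>."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return [(ts, src, dst, int(port)) for ts, src, dst, port in rows]

def audit(flows):
    """Return (timestamp, src, dst, port, store) for each flow violating POLICY."""
    return [(ts, src, dst, port, store_for(dst))
            for ts, src, dst, port in flows if not is_allowed(src, dst)]

# Constructed sample from a flat "everybody trusts everybody" network: a desktop
# VLAN (10.40) and a contractor VLAN (10.50) can reach the finance DB and HR share.
SAMPLE_LOG = """\
2002-05-14T09:01:12 10.10.0.15 10.10.0.5 1433
2002-05-14T09:02:40 10.40.0.77 10.10.0.5 1433
2002-05-14T09:03:05 10.20.0.9  10.20.0.3 445
2002-05-14T09:04:51 10.50.0.23 10.20.0.3 445
2002-05-14T09:05:30 10.30.0.4  10.30.0.2 22
2002-05-14T09:06:02 10.40.0.77 10.60.0.8 80
"""
if __name__ == "__main__":
    for ts, src, dst, port, store in audit(parse_log(SAMPLE_LOG)):
        print(f"{ts} ALERT {src} -> {dst}:{port} reached {store} from a non-allowed subnet")
```

Run against the sample, the two alerts are exactly the flat-network flows the slide warns about: a desktop reaching the finance database and a contractor reaching the HR share.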
Summary (I)
- It is a matter of “when” not a matter of “if” you will be attacked or hacked; the statistics are against you
- Internal network security is still the most pervasive corporate threat
- Many different levels of security are necessary to deal with the threats
- Apply internal security in proper measure to meet the actual or perceived threat environment
Summary (II)
- A Hacker can be anyone – an employee with a grudge, a contractor, a family member. They just want something they are not supposed to have.
- Hacking is gaining access to anything you shouldn’t have access to, using means you shouldn’t be using (illegal?)
- eSecurity is as important as real security. If you have a security guard to protect you, you should have an eSecurity guard.
- Many different levels of security are necessary to deal with the threats