Current Threats to Corporate Information Security Management


Current Threats to Corporate Information Security Management
YOUNG Wo Sang, Program Committee, PISA
ws.young@pisa.org.hk

Two Recent Attacks
- SirCAM (July 2001)
- Code Red II (Aug 2001)

Top 10 Internet Security Threats
Consensus Report 2000 - SANS, the NIPC, and the Federal CIO Council
"These aren't the only threats... just the most common at the moment. Hopefully we will eliminate these threats and create a new list next year."
Notes: SANS, the NIPC and the Federal CIO Council published a consensus report on the Top Ten Internet Security Threats in summer 2000 (http://www.sans.org/topten.htm). The idea was to publicise one list for everyone to work on, and a new list was expected the following year. However, a lot of outstanding incidents still come down to the original ten threats; SirCAM and the Code Red worms are examples.

Top 10 Internet Security Threats
1. BIND (DNS)
2. Vulnerable CGI programs
3. Remote Procedure Calls (RPC)
4. Microsoft IIS weakness
5. Sendmail buffer overflow
6. sadmind (Solaris) and mountd
7. Global file sharing
8. User IDs / passwords
9. IMAP and POP
10. Default SNMP community strings
Notes:
- Code Red and Code Red II exploit an IIS weakness (item 4), though a different one from the RDS hole quoted in the 2000 list.
- SirCAM exploits NetBIOS/SMB file sharing (item 7: NetBIOS over TCP/IP on ports 137-139 on NT; direct-hosted SMB on port 445 on Windows 2000). It also takes advantage of weak Windows passwords (item 8).

SirCAM
- Damage: releases or destroys sensitive information
- Distribution: mass mailing to email addresses found in the address book; an infected computer also writes copies of itself to unprotected Windows shares on the network
- Exploit: global file sharing and weak passwords

Code Red II
- Damage: installs "backdoors" on infected web servers that allow any remote attacker to further compromise the system
- Distribution: scans for vulnerable hosts to infect
- Exploit: buffer overflow in the Index Service ISAPI extension that comes with IIS (installed by default)
Notes: Code Red II is much more harmful than Code Red. It leaves the victim machine open to far greater risk.

The Implications 1
1. Self-sufficient and self-learning: they do not rely on the email system to spread, but scan the network for the next victim.
2. Optimised for high efficiency: Code Red II spreads much faster than the original Code Red by using a smarter algorithm to select victim IP addresses. More and more adaptive; just the start of a greater attack.
3. Unpatched systems hinder total suppression.
Notes:
If we use a biological analogy for the breakthroughs of SirCAM and Code Red, they have regenerated into tougher, smarter and more automatic organisms. More self-directed viruses and worms using newer algorithms, including ideas from AI, will increase the speed of spreading and penetration and the difficulty of detection (evolution of organisms).
High-speed networks remove the bottleneck for Internet traffic, and equally for worm-spreading traffic.
An unpatched system is a carrier: it infects others even though the infection has no visible impact on it. Many systems infected by the first Code Red were never patched because their owners saw no need to fix a service they did not use (IIS installed by default). Their machines were nevertheless used as zombies to attack others.
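The "smarter algorithm" in point 2 is localized scanning: instead of probing uniformly random addresses as the original Code Red did, Code Red II prefers addresses near its own. The following is an added example, not code from the presentation; the probability mix (1/8 fully random, 1/2 within the infected host's own /8, 3/8 within its own /16, skipping 127.0.0.0/8 and 224.0.0.0/8) follows the published analyses of the worm, and the sample address and the simulation are constructed here to show the effect.

```python
"""Localized target selection as used by Code Red II, reconstructed for illustration.

Added example (not code from the presentation). The 1/8 - 1/2 - 3/8 mix and the
exclusion of 127.x and 224.x follow the published analyses of the worm; the
sample address and the comparison with uniform scanning are constructed here.
"""
import random
from ipaddress import IPv4Address


def _same_prefix(candidate: int, own: int, prefix_bits: int) -> int:
    """Keep the top prefix_bits of `own`, take the remaining bits from `candidate`."""
    mask = (0xFFFFFFFF << (32 - prefix_bits)) & 0xFFFFFFFF
    return (own & mask) | (candidate & ~mask & 0xFFFFFFFF)


def next_target_uniform(own: int, rng: random.Random) -> int:
    """Original Code Red style: any 32-bit address, no preference for nearby networks."""
    return rng.getrandbits(32)


def next_target_localized(own: int, rng: random.Random) -> int:
    """Code Red II style: mostly addresses in the infected host's own /8 or /16."""
    while True:
        candidate = rng.getrandbits(32)
        bucket = rng.randrange(8)          # 0: random, 1-4: same /8, 5-7: same /16
        if bucket == 0:
            target = candidate
        elif bucket <= 4:
            target = _same_prefix(candidate, own, 8)
        else:
            target = _same_prefix(candidate, own, 16)
        first_octet = target >> 24
        if first_octet in (127, 224) or target == own:
            continue                        # loopback, multicast and self are skipped
        return target


def locality(own_ip: str, chooser, n: int, seed: int = 1) -> dict:
    """Fraction of n probes that land in the scanner's own /8 and own /16."""
    own = int(IPv4Address(own_ip))
    rng = random.Random(seed)
    same8 = same16 = 0
    for _ in range(n):
        t = chooser(own, rng)
        if t >> 24 == own >> 24:
            same8 += 1
            if t >> 16 == own >> 16:
                same16 += 1
    return {"same_slash8": same8 / n, "same_slash16": same16 / n}


def probes_are_sane(own_ip: str, n: int, seed: int = 7) -> bool:
    """True if n localized probes never hit loopback, multicast or the scanner itself."""
    own = int(IPv4Address(own_ip))
    rng = random.Random(seed)
    for _ in range(n):
        t = next_target_localized(own, rng)
        if (t >> 24) in (127, 224) or t == own:
            return False
    return True


if __name__ == "__main__":
    own = "192.0.2.10"    # constructed sample address (documentation range)
    for name, chooser in (("uniform", next_target_uniform),
                          ("localized", next_target_localized)):
        print(name, locality(own, chooser, 20000))
```

Run stand-alone, the uniform scanner puts well under 1 % of its probes in the scanner's own /8, while the localized one puts roughly 7/8 of them there and about 3/8 in its own /16. That is why one infected server inside a corporate network, where vulnerable IIS installs are dense, finds new victims so much faster than a random scanner, and also why the internal network behind the perimeter takes the brunt of the scanning traffic.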

The Implications 2
4. Remote exploit: an attacker can run commands on the system without having to access it directly.
5. Allows further attack: the worms broadcast to the Internet which servers are vulnerable to these flaws, allowing others to attack the victims further by other means.
6. Next victims: attackers will find ways to attack more critical components such as routers and network equipment.
Notes:
5. Code Red II opening the door to other attacks is analogous to a complication in medicine: a second illness that sets in on top of the first.
6. More crafted attacks are possible. Code Red and SirCAM seem to be testing the water. IIS was the focus of the year, but many other devices have weak security protection.

Potential Threats 1
- When the old tricks can win the new game: variants exploiting the same old vulnerability
- When we break our firewall perimeter: remote VPN, wireless LAN
- When the trust fails: mobile workers, contractors and guests
Notes:
Unpatched systems with old vulnerabilities are still open to attack.
Traditional perimeter protection can be bypassed through VPN. Few consider VPN insecure: yes, the channel is encrypted, but that does not mean the remote system at the other end is well protected.
Wireless LAN makes cable-tapping control even more difficult.
Mobile workers bring infected notebooks into the office. Contractors and guests are even more likely to cause infections.
The Hong Kong Government intranet and several big companies were infected. They had deployed perimeter defences, but...

Potential Threats 2
- When one thinks he has done enough: "I can just reboot the server when the server is defaced by Code Red"
- When nobody cares about the others: "Why patch? The infection does not hurt me..."
- When it is too late by the time I know
Notes:
People's awareness is very doubtful. People do not care about others, just as they do not care about the environment. Some do care, but they do not possess the tools to detect and defend.
A reboot is not a fix: the original Code Red lived only in memory, so a reboot cleared it but left the hole open and the server was reinfected by the next scan, while Code Red II writes its backdoor files to disk and survives a reboot.

Technical Controls: Protection
- Protect the network outside the firewall as well as inside the firewall
- Control outgoing connections as well as incoming connections: avoid Trojans; avoid the spread of worms from infected internal machines
- Wireless LAN: employ a secure channel
- LAN: control cable taps (hard job!)
Notes:
Firewall configuration: some old configurations just block incoming traffic. People should think about blocking outgoing traffic as well. This prevents a Trojan from initiating a connection from the inside out, and it prevents an infected system from attacking outwards.
Network tapping control: a wireless LAN should allow only encrypted connections. A common wired LAN is more difficult to control; servers should tighten password and permission control to resist attacks from the network.

Technical Controls: Protection (cont.), Detection, Correction
- Protection (cont.): tighten all access control and password control IMMEDIATELY
- Detection: check server integrity; scan the internal network for vulnerabilities; install an Intrusion Detection System
- Correction: backup and recovery
Notes:
Detection: we need to change our way of thinking and treat the internal network more like an untrusted network. Do penetration tests on systems to find flaws. Install IDS to alert on attacks.
Correction: make sure we back up systems.
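The detection points above (check server integrity, watch for attacks) and the "allows further attack" point in The Implications 2 can both be exercised against the web server's own logs. The following is an added example, not code from the presentation: it classifies IIS W3C-format log lines using the publicly documented request signatures (both worms send GET /default.ida with a long run of N, for Code Red, or X, for Code Red II, followed by %u-encoded shellcode; the Code Red II backdoor is reached through root.exe in the scripts or MSADC directory, or through the C and D virtual directories it maps to the drive roots). The log lines are constructed samples.

```python
"""Spotting Code Red / Code Red II probes and backdoor use in IIS logs.

Added example, not code from the presentation. Signatures are the publicly
documented ones; the log lines are constructed samples in IIS W3C extended
format (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-05 10:21:03 198.51.100.7 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
2001-08-05 10:21:41 198.51.100.7 GET /scripts/root.exe /c+dir 200
2001-08-05 10:22:02 203.0.113.9 GET /c/winnt/system32/cmd.exe /c+dir 200
2001-08-05 10:23:15 203.0.113.9 GET /MSADC/root.exe /c+dir 404
2001-08-05 10:23:40 203.0.113.9 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090 404
2001-08-05 10:24:00 192.0.2.33 GET /index.htm - 200
"""

# Worm probe: filler of N (Code Red) or X (Code Red II) then the first %u-encoded word.
IDA_PROBE = re.compile(r"^(N+|X+)%u9090")
# Code Red II backdoor paths: root.exe copies of cmd.exe, or cmd.exe via the C/D virtual dirs.
BACKDOOR = re.compile(r"^/(scripts|msadc)/root\.exe$|^/[cd]/winnt/system32/cmd\.exe$", re.I)


def parse_line(line: str):
    """Split one W3C log line into a record; directives and malformed lines give None."""
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 7:
        return None
    _date, _time, ip, method, stem, query, status = fields
    return {"ip": ip, "method": method, "stem": stem, "query": query, "status": int(status)}


def classify(rec):
    """Label a record, or return None when it is ordinary traffic."""
    stem = rec["stem"].lower()
    if stem.endswith((".ida", ".idq")):            # anything reaching the Index Server ISAPI
        m = IDA_PROBE.match(rec["query"])
        if m:
            return "codered2_probe" if m.group(1)[0] == "X" else "codered1_probe"
        return "ida_request"
    if BACKDOOR.match(stem):
        # 200 means the backdoor answered: the server is already compromised.
        # 404 means someone is looking for a backdoor that is not there (yet).
        return "backdoor_used" if rec["status"] == 200 else "backdoor_attempt"
    return None


def analyze(log_text: str) -> dict:
    """Count events per label, group them per source IP and flag a compromised server."""
    counts = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            counts[label] += 1
            sources[rec["ip"]].add(label)
    return {
        "counts": dict(counts),
        "sources": {ip: sorted(labels) for ip, labels in sources.items()},
        "compromised": counts["backdoor_used"] > 0,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for key, value in result.items():
        print(key, value)
```

A 404 on root.exe is an early warning that the server is being shopped around for the backdoor; a 200 is proof the backdoor exists and the server needs rebuilding, not patching, because the worm also drops a trojaned explorer.exe at the drive root that survives reboots and reopens the virtual directories. The same root.exe and cmd.exe paths are what a server-integrity check should look for on disk.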

Management Controls
- Server patch management (not easy)
- Effective information asset management
- Ongoing patch and change management
- Scan all incoming notebooks (not easy)
- Manage and scan remote PCs (hard!)
Notes: Management problems: too many patches. What to patch, what has been patched and what has not? There needs to be a list of all information assets, ordered by risk. Control of patches and changes is required. Out-of-office systems (notebooks, remote PCs) are a high-risk area; control must be tightened.
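One way to turn "a list of all information assets, ordered by risk" and "what has been patched and what has not" into something a team can act on is to reconcile, per asset, the services that are installed, the services the business actually needs, and the controls verified to be in place. The following is an added example, not from the presentation: the inventory, the exposure weights and the control names other than MS01-033 (Microsoft's bulletin for the IIS Index Server ISAPI overflow that Code Red exploits) are constructed for illustration.

```python
"""Ordering an asset inventory by risk and listing the patch/hardening gaps per asset.

Added example, not from the presentation. Inventory, weights and control names
are constructed; MS01-033 is the real bulletin for the Index Server ISAPI
overflow used by Code Red, everything else is illustrative.
"""
from dataclasses import dataclass, field

EXPOSURE_WEIGHT = {"internet": 4, "mobile": 3, "internal": 1}   # constructed weights

# Constructed mapping: service -> controls (patches or hardening) that must be in place.
REQUIRED_CONTROLS = {
    "iis": {"MS01-033"},
    "smb": {"no-open-shares", "strong-admin-password"},
}


@dataclass
class Asset:
    name: str
    exposure: str                 # internet / mobile / internal
    criticality: int              # 1 low .. 3 high
    installed: set = field(default_factory=set)   # services actually running
    needed: set = field(default_factory=set)      # services the business needs
    applied: set = field(default_factory=set)     # controls verified as applied


def assess(asset: Asset):
    """Return (risk score, findings); a finding is (service, action, missing controls)."""
    findings = []
    for svc in sorted(asset.installed):
        missing = REQUIRED_CONTROLS.get(svc, set()) - asset.applied
        if svc not in asset.needed:
            # A default-installed service nobody uses: removing it beats patching it.
            findings.append((svc, "remove unused service", missing))
        elif missing:
            findings.append((svc, "apply " + ", ".join(sorted(missing)), missing))
    gaps = sum(len(f[2]) for f in findings)
    score = EXPOSURE_WEIGHT[asset.exposure] * asset.criticality * (1 + gaps)
    return score, findings


def prioritize(assets):
    """Assets as (name, score, findings), highest risk first."""
    rows = [(a.name, *assess(a)) for a in assets]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample inventory.
SAMPLE_ASSETS = [
    Asset("www1", "internet", 3, installed={"iis"}, needed={"iis"}),
    Asset("files1", "internal", 3, installed={"iis", "smb"}, needed={"smb"},
          applied={"strong-admin-password"}),
    Asset("nb-sales", "mobile", 2, installed={"smb"}),
    Asset("www2", "internet", 2, installed={"iis"}, needed={"iis"}, applied={"MS01-033"}),
]

if __name__ == "__main__":
    for name, score, findings in prioritize(SAMPLE_ASSETS):
        print(f"{score:3d} {name}")
        for svc, action, missing in findings:
            print(f"      {svc}: {action}")
```

The ordering puts the exposed, unpatched web server first, but the travelling notebook with an open file share comes before the internal file server even though the latter is more critical, because exposure is weighted heavily; the file server's IIS, installed by default and never used, gets "remove" rather than "patch", which is the cheapest way to close the Code Red hole on a machine that does not need a web server.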

Detection and Reporting
- Development of detection, analysis, warning and response capabilities in corporate and governmental environments
- Crisis management
- Legislative framework
Notes: We see immature infrastructure, both globally and at corporate level, for detecting, analysing and warning of incidents and for responding to them. Crisis management: there is no strong central command of the crisis; every country and every corporation did its own protection, and communication is weak. CERTs need to work a lot harder: they need central coordination, yet also distributed points of contact inside corporations. Teenage hacking with script-kiddie tools is a hindrance to prosecution.

Lack of Resources and Expertise
- Outsource information security management
Notes: Outside help must be sought to manage the situation if resources are limited. Demand for the information security industry and profession outgrows the supply.

Lessons Learned
- Our individual security depends on our mutual security
- The consequences of failure could drive your company out of business

References
- Top 10 Internet Security Threats 2000: http://www.sans.org/topten.htm
- Code Red, Code Red II, and SirCAM Attacks Highlight Need for Proactive Measures (GAO): http://www.gao.gov/new.items/d011073t.pdf
- Code Red II Worm Analysis Update (incidents.org): http://www.incidents.org/react/code_redII.php

Q & A
Thank You