computer security 101
Eric Pancer, Computer Security Response Team



april, welcome!
- Why Are You Here?
- Why Am I Here?

sponsors
- Information Services
- Computer Security Response Team

incidents and trends

what defines an incident?
- A computer security incident covers a large range of violations, including:
  - Harassment,
  - Denial/Interruption of Service,
  - Malware Infection (worm, virus),
  - Unauthorized Access,
  - Misuse of Data or Services,
  - Copyright Infringement,
  - Spam?

general statistics
CERT/CC: Incidents Reported 1991 – – 1, – 2, – 2, – 9, – 52, – 137,529

in our backyard
- W32.Blaster Worm
  - Exploited a vulnerability patched in July,
  - Unleashed August,
  - 900+ Infections from August 11, 2003 to October 11,
  - Persists at approximately 8-10 infections weekly.
- ‘Bots
  - Exploits common vulnerabilities.
  - Variants released weekly.
  - Centrally controlled.
  - Growing more and more malicious.
  - 700+ unique hosts since January, 2004.

even more alarming
- W32.Slammer Worm
  - January,
  - Attacked…
    - …unpatched MS-SQL 2000 servers…
    - …unpatched desktops with Microsoft Desktop Engine…
  - Interrupted Bank of America ATM Services.
  - Caused a “meltdown” of University network services due to other “bugs” on the network.
  - Vulnerability was announced June, 2002!

how do we find violations?
- Intelligence gathering is performed in many ways – though human interaction and communication is still the best method.
  - Reports to
  - Internal reports.
  - Monitoring network flows.
  - Searching for attack patterns.
  - Hearsay, rumors, gossip.

sample report
Date: Fri, 9 Apr :57:
From:
To:
Cc:
Subject: Abuse! Suspicious Activity!!!
Hello,
You are being contacted regarding suspicious activity logged from a host on your network. We found that the address was attempting to connect to the VPN port 500 (TCP) on Apr 8 at 18:15:41 (EST).
Log Entries (All times are EDT):
*Apr 8 18:15: x
*Apr 8 18:15: x
Please review the log information included below. The data reflected in the log could be interpreted as a user from your domain attempting to probe a federal government network. Please investigate this immediately and take action to prevent further probing of the network.

network flows

known signatures
alert tcp $HOME_NET any -> $EXTERNAL_NET 135 \
(msg:"SCAN - Microsoft Directory and File Services"; \
stateless; flags:S,12; threshold: type threshold, track by_src, \
count 520, seconds 600; classtype:network-scan; priority:7; sid: ; rev:1;)
[**] [1: :1] SCAN - Microsoft Directory and File Services [**]
[Classification: Detection of a Network Scan] [Priority: 7]
04/19/04-01:54: :2460 -> :135
TCP TTL:126 TOS:0x0 ID:49784 IpLen:20 DgmLen:48 DF
******S* Seq: 0xC6D0AB86 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
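How the threshold in the signature above behaves over traffic, as an added example that is not part of the original slides: a simplified Python model of `track by_src, count 520, seconds 600` applied to SYN packets to port 135. The function names, the fixed-window model, and the sample events (documentation addresses) are assumptions constructed for illustration.

```python
from collections import defaultdict

# Values taken from the rule on the slide: threshold tracked by source,
# 520 matching packets within 600 seconds, destination port 135.
COUNT, SECONDS, DPORT = 520, 600, 135


def scan_alerts(events, count=COUNT, seconds=SECONDS, dport=DPORT):
    """Return (timestamp, src) for each alert the threshold would raise.

    events: (timestamp_seconds, src_ip, dst_port, tcp_flags) tuples, all
    outbound from the home network and sorted by time. Simplified model:
    one alert for every `count`-th matching packet inside a fixed window
    that opens with a source's first match and closes `seconds` later.
    """
    window_start = {}
    hits = defaultdict(int)
    alerts = []
    for ts, src, port, flags in events:
        # Rule header and flags:S -> only bare SYNs to the watched port count.
        if port != dport or flags != "S":
            continue
        if src not in window_start or ts - window_start[src] >= seconds:
            window_start[src] = ts      # window expired: start a new one
            hits[src] = 0
        hits[src] += 1
        if hits[src] % count == 0:
            alerts.append((ts, src))
    return alerts


def constructed_events():
    """Constructed sample traffic (documentation addresses, not real hosts)."""
    events = []
    # Worm-like host: one SYN to port 135 per second for 1200 seconds.
    events += [(t, "192.0.2.10", 135, "S") for t in range(1200)]
    # Busy host that stays just under the threshold: 519 SYNs in one window.
    events += [(t, "192.0.2.20", 135, "S") for t in range(519)]
    # Low-rate source: one SYN every 2 seconds, only 300 per window.
    events += [(2 * t, "192.0.2.30", 135, "S") for t in range(700)]
    # Packets with ACK set never match flags:S, whatever their volume.
    events += [(t, "192.0.2.40", 135, "SA") for t in range(2000)]
    return sorted(events)


if __name__ == "__main__":
    for ts, src in scan_alerts(constructed_events()):
        print(f"t={ts:>5}s  SCAN - port 135 sweep from {src}")
```

Only the first host alerts, once per 600-second window; the low-rate source never reaches 520 hits in a window, which is the gap that flow monitoring and internal reports have to cover.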

is it 1984?
- Are you Big Brother?
- Why do you care?
- Do you read my ?
- Isn’t the network secure?
- I don’t do anything malicious, so don’t look at what I do please.

general concepts

common myths
- “Why should I care, I have nothing to hide.”
- “Why does anyone care about my computer?”
- “It’s too difficult to get access to my computer or personal information…”
- “If someone tries to [insert malicious activity here], I will notice!”
- “Ignorance is bliss!”

are you at risk?
Using the following puts you at risk:
- Computers
- Credit Cards
- Banks
- Airlines
- Automobiles
- …many more…

CIA – the building blocks
- Confidentiality
- Authenticity
- Integrity

confidentiality
- Ensures privacy.
- Applies to both data on disks and network communication.
- Accomplished through encryption:
  - s/mime
  - pgp
  - ssh and ipsec

integrity
- Develops trust of the network and computer systems.
- Applies to both data on disks and network communication.
- Integrity is increased by proper data and system management.

authenticity
- Another catalyst for trust.
- Required for data on disk and network communication.
- Prevents ID theft, “man in the middle” attacks, etc.

vulnerability life cycle
[Diagram: vulnerability, discussion, concept code, exploit, automation, research]

assumptions
- Researchers will continue to find new bugs and vulnerabilities.
- Active exploitation of these vulnerabilities will continue through worms, viruses, etc.
- Technology will continue to progress and the quality of code will continue to fall.
- Santa Claus is real!

terminology

denial of service
- The overload of a system preventing the normal use of that system.
- A denial of service (DoS) attack is a common method to prevent users from accessing websites.

scanning
- Enumerating the security of a computer system and/or the service(s) it provides.
- A “portscan” commonly occurs to check the type of computer operating system being used.
- Thousands of portscans against the University have taken place in the time you have read this slide!

exploit
- A piece of malicious code or action against a computer system to elevate privileges or gain further access.
- Exploits mostly act on bugs found in software or hardware. These bugs are usually due to human error in coding or system misconfiguration.

virus
- A virus is a piece of code that modifies existing applications or data to change the behavior of that application or of data.
- Viruses rely on human interaction to ensure their survival and propagation.

worm
- A worm is a program that propagates itself over a network, reproducing itself and changing as needed, to survive and adapt.
- The term worm is derived from tapeworm as coined in John Brunner’s book “Shockwave Rider.”

(ro)bot
- A software program or computer that performs repetitive functions; usually commanded as part of a botnet (see next slide).
- Although robots were first introduced to spider the world wide web, the term bot has come to represent an increasing threat against computer users.

botnet
- A collection of computers acting in conjunction with one another to perform automated tasks.
- Botnets can be built using viruses, worms or other attacks. These botnets (sometimes thousands of computers) can then carry out “scan and ‘sploit” actions automatically.

feeling overwhelmed yet?

defending with technology

start with the basics
- Basic computer security through technology is easy; use…
  - A firewall,
  - Anti-Virus Software,
  - Patch your computer quickly, when required,
  - Strong passwords!

firewalls
- The most useful tool in your bag of defenses.
- Prevents intruders from accessing services on your computer.
- Validates/normalizes network traffic.
- May provide reports and trend analysis.
- Available for all major operating systems – usually for free!

anti-virus software
- Stops viruses and worms sent by , attachments, downloads, etc.
- Detects malicious software through intelligent heuristics.
- Available for all major desktop and server operating systems.
- A requirement; not an option.

patches
- (Usually) free updates to your computer; can be downloaded from the Internet.
- Available before most exploits surface.
- Automated, usually.
- Critical to overall security.
- Chant: “We Must Patch, We Must Patch…”

strong passwords
- Keeps you on-target with best practices.
- Is composed of 8 or more characters and includes letters, numbers and 2 special characters, including
- Not based on any dictionary word from any language.
- Changes regularly; not shared.

coordinated efforts result in success!
[Diagram: Goal]

behavioral changes

what technology doesn’t solve
- Security technologies adapt as threats appear. They are not able to (easily) combat:
  - Threats,
  - Hoaxes,
  - Scams,
  - The behavior of others.

the clue factor

education and awareness
- Education and awareness are key to increasing the security posture of the University, and global Internet.
  - Dispels the FUD (fear, uncertainty, doubt).
  - Addresses problems before they exist.
  - Extends the radius of clue.
  - Creates inclusion in the entire infosecurity effort.

self-education
- You can increase your own awareness of security related issues.
  - Subscribe to mailing lists for security notifications.
  - Visit security related websites.
  - Contact us, we’re always willing to help.
  - Voice your concern on security related issues, helping raise awareness in others.

test your efforts
- Contact us and we can schedule a vulnerability scan for your department or network.
- Register your network with us; we can send you reports of suspicious behavior.
- Help us tailor an awareness program for your department.
- Remember: security is about sharing knowledge and contacts, not technology.

thank you!
- Questions?
- Contact CSRT: Computer Security Response Team or… Eric Pancer
- pgp: C E5 51E7 683C F765 62F7 7F8E 7ACB CFF3