1 computer security 101
Eric Pancer, Computer Security Response Team
http://security.depaul.edu/

2 welcome! (april, 2004)
- Why Are You Here?
- Why Am I Here?

3 sponsors
- Information Services
- Computer Security Response Team

4 incidents and trends

5 what defines an incident?
A computer security incident covers a large range of violations, including:
- Harassment
- Denial/Interruption of Service
- Malware Infection (worm, virus)
- Unauthorized Access
- Misuse of Data or Services
- Copyright Infringement
- Spam?

6 general statistics
CERT/CC: incidents reported per year
  1991 –     406
  1993 –   1,334
  1995 –   2,412
  1997 –   2,134
  1999 –   9,859
  2001 –  52,658
  2003 – 137,529

7 in our backyard
- W32.Blaster Worm
  - Exploited a vulnerability patched in July, 2003.
  - Unleashed August, 2003.
  - 900+ infections from August 11, 2003 to October 11, 2003.
  - Persists at approximately 8-10 infections weekly.
- 'Bots
  - Exploit common vulnerabilities.
  - Variants released weekly.
  - Centrally controlled.
  - Growing more and more malicious.
  - 700+ unique hosts since January, 2004.

8 even more alarming
- W32.Slammer Worm
  - January, 2003.
  - Attacked unpatched MS-SQL 2000 servers and unpatched desktops running the Microsoft Desktop Engine (MSDE).
  - Interrupted Bank of America ATM services.
  - Caused a "meltdown" of University network services due to other "bugs" on the network.
  - The vulnerability was announced June, 2002!

9 how do we find violations?
Intelligence gathering is performed in many ways, although human interaction and communication is still the best method.
- Reports to abuse@depaul.edu.
- Internal reports.
- Monitoring network flows.
- Searching for attack patterns.
- Hearsay, rumors, gossip.

10 sample e-mail report

Date: Fri, 9 Apr 2004 12:57:16 -0400
From: Abuse@example.gov
To: abuse@depaul.edu
Cc: cert@cert.org, Abuse@example.gov
Subject: Abuse! Suspicious Activity!!! 140.192.21.254

Hello,

You are being contacted regarding suspicious activity logged from a host on your network. We found that the address 140.192.21.254 was attempting to connect to the VPN port 500 (TCP) on Apr 8 at 18:15:41 (EST).

Log Entries (All times are EDT):
*Apr 8 18:15:41 140.192.21.254 500 x.123.208.2 500 1
*Apr 8 18:15:43 140.192.21.254 500 x.123.208.2 500 1

Please review the log information included below. The data reflected in the log could be interpreted as a user from your domain attempting to probe a federal government network. Please investigate this immediately and take action to prevent further probing of the network.

11 network flows

19 Apr 04 10:49:33.61177 tcp 140.192.27.47.3076 -> 66.18.100.2.80 RS
19 Apr 04 10:49:33.62319 tcp 140.192.83.97.1302 -> 63.123.232.243.80 FIN
19 Apr 04 10:49:33.63790 tcp 192.77.161.22.44274 ?> 140.192.220.21.80 EST
19 Apr 04 10:49:33.62713 tcp 140.192.55.29.4462 -> 12.130.91.26.80 EST
19 Apr 04 10:49:33.63408 tcp 140.192.131.188.4726 -> 216.73.87.20.80 FIN
19 Apr 04 10:49:33.64504 tcp 140.192.110.86.3986 -> 64.40.102.42.80 FIN
19 Apr 04 10:49:33.64507 tcp 140.192.132.134.4947 -> 216.120.60.144.80 FIN
19 Apr 04 10:49:33.65468 tcp 140.192.132.67.3357 -> 207.68.173.254.80 FIN
19 Apr 04 10:49:33.66201 tcp 140.192.15.106.4881 -> 207.68.162.24.80 FIN
19 Apr 04 10:49:33.66328 tcp 140.192.15.106.4882 -> 207.68.162.24.80 FIN
19 Apr 04 10:49:33.66709 tcp 140.192.227.36.1106 -> 205.158.62.54.80 FIN
19 Apr 04 10:49:33.66836 tcp 140.192.132.134.4948 -> 216.120.60.175.80 FIN
19 Apr 04 10:49:39.36782 tcp 140.192.151.158.4632 -> 216.239.41.104.80 RST
19 Apr 04 10:50:06.11342 tcp 140.192.196.6.3649 -> 1.0.0.1.80 TIM
19 Apr 04 10:51:27.93013 udp 24.186.52.241.1620 140.192.170.146.3845 ACC
19 Apr 04 10:50:55.77691 tcp 140.192.196.6.4670 207.44.246.72.80 CON
19 Apr 04 10:51:28.05120 udp 128.175.131.52.3964 140.192.177.213.1480 ACC
19 Apr 04 10:50:54.13063 tcp 140.192.196.6.4671 -> 207.44.246.72.80 RST
19 Apr 04 10:51:28.07679 udp 209.6.25.71.2021 140.192.176.87.3068 ACC
19 Apr 04 10:51:27.81926 udp 140.192.175.192.1343 62.143.31.15.1870 ACC
19 Apr 04 10:51:27.93307 udp 140.192.231.133.1612 142.179.17.60.1053 ACC
19 Apr 04 10:50:51.29740 tcp 200.87.50.62.10547 -> 140.192.175.183.139 EST
19 Apr 04 10:51:28.08786 udp 209.6.25.71.2021 140.192.176.87.3068 ACC
19 Apr 04 10:51:28.08839 udp 149.159.97.73.1576 140.192.172.92.1495 ACC
19 Apr 04 10:50:54.13644 tcp 140.192.196.6.4686 -> 207.44.246.72.80 RST
19 Apr 04 10:51:28.09423 udp 62.163.81.124.11480 140.192.171.165.11895 ACC
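Slides 10 and 11 show the two raw inputs an incident handler works from: an abuse report naming one internal host, and a flow dump. The following is an added Python example, not from the deck or from DePaul's CSRT, that parses records in the layout slide 11 uses (the direction token is optional, because some of the slide's own lines lack it), answers the abuse-report question "which flows involved this host?", and flags an internal source that touched many distinct hosts on one port. The 140.192.0.0/16 home network, the five-target cutoff and the TCP/135 sweep towards 192.0.2.x are assumptions made for the demonstration; five of the sample records are copied from the slide and the sweep is constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Flow records in the layout slide 11 shows, e.g.
#   19 Apr 04 10:49:33.61177 tcp 140.192.27.47.3076 -> 66.18.100.2.80 RS
# The direction token (->, ?>, ...) is absent on some of the page's own lines,
# so it is optional here.
FLOW_RE = re.compile(
    r"^(?P<date>\d{1,2} [A-Za-z]{3} \d{2}) (?P<time>\d{2}:\d{2}:\d{2})\.(?P<frac>\d+) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)"
    r"(?: (?P<dir>[<>?-]+))? (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+) "
    r"(?P<state>\w+)$"
)

# Assumption: the University's address space is the 140.192.0.0/16 seen throughout the deck.
HOME_NET = ipaddress.ip_network("140.192.0.0/16")


def parse_flow(line):
    """Return one flow record as a dict, or None if the line is not a flow record."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # strptime's %f accepts at most six fractional digits.
    ts = datetime.strptime(f"{d['date']} {d['time']}.{d['frac'][:6]}", "%d %b %y %H:%M:%S.%f")
    return {
        "ts": ts,
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]),
        "dir": d["dir"] or "",
        "dst": d["dst"], "dport": int(d["dport"]),
        "state": d["state"],
    }


def parse_flows(text):
    """Parse every well-formed record in a text dump, skipping anything that does not match."""
    return [r for r in map(parse_flow, text.splitlines()) if r]


def flows_involving(records, ip):
    """All records in which `ip` is either endpoint: the first question an abuse report raises."""
    return [r for r in records if ip in (r["src"], r["dst"])]


def fan_out(records, home_net=HOME_NET):
    """Number of distinct destination hosts per (internal source host, destination port)."""
    targets = defaultdict(set)
    for r in records:
        if ipaddress.ip_address(r["src"]) in home_net:
            targets[(r["src"], r["dport"])].add(r["dst"])
    return {key: len(hosts) for key, hosts in targets.items()}


def suspected_scanners(records, min_targets=5, home_net=HOME_NET):
    """Internal hosts that touched at least `min_targets` distinct hosts on a single port."""
    return sorted(
        (src, port, n)
        for (src, port), n in fan_out(records, home_net).items()
        if n >= min_targets
    )


# Five records copied from slide 11, followed by a constructed burst: one internal
# host sweeping TCP/135 (the port Blaster used) across the TEST-NET-1 range.
SAMPLE_FLOWS = """\
19 Apr 04 10:49:33.61177 tcp 140.192.27.47.3076 -> 66.18.100.2.80 RS
19 Apr 04 10:49:33.63790 tcp 192.77.161.22.44274 ?> 140.192.220.21.80 EST
19 Apr 04 10:50:06.11342 tcp 140.192.196.6.3649 -> 1.0.0.1.80 TIM
19 Apr 04 10:51:27.93013 udp 24.186.52.241.1620 140.192.170.146.3845 ACC
19 Apr 04 10:50:55.77691 tcp 140.192.196.6.4670 207.44.246.72.80 CON
""" + "".join(
    f"19 Apr 04 10:52:{i:02d}.00000 tcp 140.192.21.254.{2460 + i} -> 192.0.2.{i}.135 RST\n"
    for i in range(1, 9)
)

if __name__ == "__main__":
    recs = parse_flows(SAMPLE_FLOWS)
    print(f"{len(recs)} records parsed")
    for src, port, n in suspected_scanners(recs):
        print(f"{src} reached {n} distinct hosts on port {port}")
    for r in flows_involving(recs, "140.192.196.6"):
        print(r["ts"], r["proto"], r["src"], r["dir"] or "  ", r["dst"], r["dport"], r["state"])
```

The fan-out count is deliberately per destination port: a workstation legitimately reaches dozens of web servers on port 80 in a minute (the slide's own dump shows that), while eight different hosts on port 135 from one source in a few seconds is what a Blaster-style sweep looks like. Tune `min_targets` to the traffic you actually see.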

12 known signatures

alert tcp $HOME_NET any -> $EXTERNAL_NET 135 \
    (msg:"SCAN - Microsoft Directory and File Services"; \
    stateless; flags:S,12; threshold: type threshold, track by_src, \
    count 520, seconds 600; classtype:network-scan; priority:7; sid:6010001; rev:1;)

The rule fires once a single internal source has sent 520 bare SYNs to TCP/135 within 600 seconds (just under one per second), which produces alerts like this one:

[**] [1:6010001:1] SCAN - Microsoft Directory and File Services [**]
[Classification: Detection of a Network Scan] [Priority: 7]
04/19/04-01:54:42.622054 140.192.21.254:2460 -> 10.203.54.114:135
TCP TTL:126 TOS:0x0 ID:49784 IpLen:20 DgmLen:48 DF
******S* Seq: 0xC6D0AB86 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
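To make the two rule options on this slide concrete, here is an added Python example (a reimplementation for illustration, not Snort's code and not from the deck). It implements the `flags:S,12` test, which matches a SYN with no other flags while ignoring the two reserved bits that ECN-capable stacks legitimately set, and a per-key counter with the semantics Snort documents for `threshold:`; it goes beyond the slide by also covering the `limit` and `both` types. It then runs the rule over a constructed SYN sweep. The 140.192.0.0/16 home network, the 10.203.x.y targets and the (time, src, dst, dst_port, tcp_flags) packet tuple are assumptions.

```python
import ipaddress

# TCP flag bits in header order (RFC 793 plus the ECN bits of RFC 3168).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG, TCP_ECE, TCP_CWR = (1 << i for i in range(8))

# Assumption: same $HOME_NET as the rest of the deck.
HOME_NET = ipaddress.ip_network("140.192.0.0/16")


def flags_match_syn_only(tcp_flags):
    """Snort `flags:S,12`: SYN set and nothing else, ignoring reserved bits 1 and 2
    (the ECN bits, which ECN-capable stacks set on a legitimate initial SYN)."""
    return (tcp_flags & ~(TCP_ECE | TCP_CWR)) == TCP_SYN


class Threshold:
    """Per-key event counter with the semantics documented for Snort's `threshold:`
    option (a reimplementation for illustration, not Snort's own code):
      threshold: fire on every `count`-th event inside a `seconds` window
      limit:     fire on the first `count` events per window, then go quiet
      both:      fire once per window, when the `count`-th event arrives
    Keys are whatever `track` selects, e.g. the source address for `track by_src`."""

    def __init__(self, kind="threshold", count=520, seconds=600):
        if kind not in ("threshold", "limit", "both"):
            raise ValueError(kind)
        self.kind, self.count, self.seconds = kind, count, seconds
        self._state = {}  # key -> (window_start, events_seen_in_window)

    def event(self, t, key):
        start, n = self._state.get(key, (None, 0))
        if start is None or t - start > self.seconds:
            start, n = t, 0  # open a new window
        n += 1
        if self.kind == "threshold":
            fire = n >= self.count
            if fire:
                n = 0  # keep the window, restart the count
        elif self.kind == "limit":
            fire = n <= self.count
        else:  # both
            fire = n == self.count
        self._state[key] = (start, n)
        return fire


def run_rule(packets, thr, dport=135, home_net=HOME_NET):
    """Apply the slide's rule to (time, src, dst, dst_port, tcp_flags) tuples:
    $HOME_NET any -> $EXTERNAL_NET 135, SYN-only, thresholded per source."""
    alerts = []
    for t, src, dst, dst_port, flags in packets:
        if dst_port != dport or not flags_match_syn_only(flags):
            continue
        if ipaddress.ip_address(src) not in home_net or ipaddress.ip_address(dst) in home_net:
            continue
        if thr.event(t, src):
            alerts.append((t, src, dst))
    return alerts


def syn_sweep(src, n, start=0.0, gap=0.05):
    """Constructed traffic: `n` SYNs from `src` to successive 10.203.x.y hosts, `gap` seconds apart."""
    return [(start + i * gap, src, f"10.203.{(i >> 8) & 255}.{i & 255}", 135, TCP_SYN)
            for i in range(n)]


if __name__ == "__main__":
    rule = Threshold("threshold", count=520, seconds=600)
    sweep = syn_sweep("140.192.21.254", 1040)  # 1040 SYNs in 52 seconds
    for t, src, dst in run_rule(sweep, rule):
        print(f"t={t:7.2f}s  SCAN - Microsoft Directory and File Services  {src} -> {dst}:135")
```

Two things worth noticing when you run it: a host that sends 519 SYNs and stops never alerts, which is the cost of a count-based rule, and a 1040-packet sweep produces exactly two alerts rather than a thousand, which is what the threshold is for.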

13 is it 1984?
- Are you Big Brother?
- Why do you care?
- Do you read my email?
- Isn't the network secure?
- I don't do anything malicious, so please don't look at what I do.

14 general concepts

15 common myths
- "Why should I care? I have nothing to hide."
- "Why does anyone care about my computer?"
- "It's too difficult to get access to my computer or personal information..."
- "If someone tries to [insert malicious activity here], I will notice!"
- "Ignorance is bliss!"

16 are you at risk?
Using any of the following puts you at risk:
- Computers
- Credit Cards
- Banks
- Airlines
- Automobiles
- ...many more...

17 CIA – the building blocks
(diagram: Confidentiality, Integrity, Authenticity)

18 confidentiality
- Ensures privacy.
- Applies to both data on disk and network communication.
- Achieved through encryption, for example:
  - https://
  - S/MIME
  - PGP
  - SSH and IPsec

19 integrity
- Builds trust in the network and computer systems.
- Applies to both data on disk and network communication: the data has not been altered without authorization.
- Integrity is increased by proper data and system management.

20 authenticity
- Another catalyst for trust.
- Required for data on disk and network communication.
- Assures that data, or the party you are talking to, really is what it claims to be; helps prevent ID theft, "man in the middle" attacks, etc.
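Slides 18 to 20 treat confidentiality, integrity and authenticity as separate building blocks. The added Python example below, which is not from the deck, shows why they have to be: a toy stream cipher (constructed here purely to illustrate what a stream cipher does to data; not something to deploy) gives confidentiality yet lets an attacker rewrite a payment amount without knowing the key; a bare SHA-256 sent alongside the message catches only accidental corruption, because an attacker who can change the message can recompute the hash; an HMAC under a shared key ties integrity to authenticity, since only a key holder can mint a valid tag. The key, nonce and payment message are constructed.

```python
import hashlib
import hmac
import os


def keystream(key, nonce, length):
    """Toy counter-mode keystream derived with SHA-256. Illustration only: it shows
    what a stream cipher does to the data, not how to build one for production."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_only(key, nonce, plaintext):
    """Confidentiality without integrity: ciphertext = plaintext XOR keystream."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


decrypt_only = encrypt_only  # XOR is its own inverse


def flip_in_ciphertext(ciphertext, offset, old, new):
    """Attacker's bit-flipping edit: XOR (old ^ new) into the ciphertext so the
    decrypted text reads `new` where the sender wrote `old`. Needs no key."""
    delta = xor(old, new)
    return (ciphertext[:offset]
            + xor(ciphertext[offset:offset + len(delta)], delta)
            + ciphertext[offset + len(delta):])


def hash_tag(message):
    """Unkeyed integrity check: detects accidental corruption only."""
    return hashlib.sha256(message).digest()


def mac_tag(key, message):
    """Keyed integrity + authenticity: only a key holder can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(expected, actual):
    # Constant-time comparison so the check itself does not leak the tag.
    return hmac.compare_digest(expected, actual)


def demo(key=None, nonce=None):
    """Walk a forged payment through each property; returns the outcomes by name."""
    key = key or os.urandom(32)      # constructed, shared by sender and receiver
    nonce = nonce or os.urandom(12)  # constructed, sent in the clear
    genuine = b"PAY $0100 TO ALICE"
    forged = b"PAY $9999 TO ALICE"

    # 1. Encryption only. The attacker sees ct and knows the message layout, not the key.
    ct = encrypt_only(key, nonce, genuine)
    forged_ct = flip_in_ciphertext(ct, offset=5, old=b"0100", new=b"9999")

    # 2. Message plus unkeyed hash. The attacker rewrites both halves in transit.
    msg, tag = forged, hash_tag(forged)

    # 3. Message plus HMAC. The attacker can change the message but not mint a tag.
    genuine_mac = mac_tag(key, genuine)

    return {
        "ciphertext_hides_content": b"ALICE" not in ct and b"0100" not in ct,
        "encryption_alone_is_malleable": decrypt_only(key, nonce, forged_ct) == forged,
        "plain_hash_accepts_forgery": verify(hash_tag(msg), tag),
        "mac_rejects_forgery": not verify(mac_tag(key, forged), genuine_mac),
        "mac_accepts_genuine": verify(mac_tag(key, genuine), genuine_mac),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} {ok}")
```

Every outcome in the dictionary is True, which is the point: the first two show confidentiality with no integrity, the third shows integrity with no authenticity, and only the keyed tag delivers both. The protocols listed on slide 18 (TLS, S/MIME, PGP, SSH, IPsec) all combine encryption with a keyed integrity check for exactly this reason.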

21 vulnerability life cycle
(cycle diagram; stages as labelled: vulnerability, discussion, concept code, exploit, automation, research)

22 assumptions
- Researchers will continue to find new bugs and vulnerabilities.
- Active exploitation of these vulnerabilities will continue through worms, viruses, etc.
- Technology will continue to progress, and the quality of code will continue to fall.
- Santa Claus is real!

23 terminology

24 denial of service
- Overloading a system so that it cannot be used normally.
- A denial of service (DoS) attack is a common method of preventing users from accessing websites.

25 scanning
- Probing a computer system and/or the service(s) it provides to learn what is exposed.
- A "portscan" finds which ports are listening and is commonly used to guess the operating system in use.
- Thousands of portscans against the University have taken place in the time you have read this slide!

26 exploit
- A piece of malicious code, or an action, used against a computer system to elevate privileges or gain further access.
- Exploits mostly act on bugs found in software or hardware. These bugs are usually due to coding errors or system misconfiguration.

27 virus
- A virus is a piece of code that modifies existing applications or data to change the behavior of that application or data.
- Viruses rely on human interaction to ensure their survival and propagation.

28 worm
- A worm is a program that propagates itself over a network, reproducing itself and changing as needed to survive and adapt.
- The term "worm" is derived from the tapeworm in John Brunner's novel "The Shockwave Rider."

29 (ro)bot
- A software program or computer that performs repetitive functions; usually commanded as part of a botnet (see next slide).
- Although bots were first introduced to spider the World Wide Web, the term has come to represent an increasing threat against computer users.

30 botnet
- A collection of computers acting in conjunction with one another to perform automated tasks.
- Botnets can be built using viruses, worms or other attacks. These botnets (sometimes thousands of computers) can then carry out "scan and 'sploit" actions automatically.

31 feeling overwhelmed yet?

32 defending with technology

33 start with the basics
Basic computer security through technology is easy; use:
- A firewall,
- Anti-virus software,
- Patches, applied quickly when required,
- Strong passwords!

34 firewalls
- The most useful tool in your bag of defenses.
- Prevents intruders from reaching services on your computer.
- Validates/normalizes network traffic.
- May provide reports and trend analysis.
- Available for all major operating systems, usually for free!

35 anti-virus software
- Stops viruses and worms arriving by email, attachments, downloads, etc.
- Detects malicious software through signatures and heuristics.
- Available for all major desktop and server operating systems.
- A requirement, not an option.

36 patches
- (Usually) free updates to your computer; can be downloaded from the Internet.
- Available before most exploits surface.
- Usually automated.
- Critical to overall security.
- Chant: "We Must Patch, We Must Patch..."

37 strong passwords
- Keep you in line with best practices.
- Composed of 8 or more characters, including letters, numbers and at least 2 special characters such as !@#$%^&.-+=|]{}:"
- Not based on any dictionary word from any language.
- Changed regularly; never shared.
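A checker for the rules on this slide, as an added Python example that is not from the deck. The wordlist and the substitution table are constructed stand-ins (a real check would use a large multi-language list); the dictionary step undoes common substitutions such as 0 for o and strips trailing digits and symbols before comparing, so "P@ssw0rd!" is rejected as dictionary-based even though it satisfies every other rule on the slide.

```python
import re

# The deck's allowed special characters (slide 37).
SPECIALS = set('!@#$%^&.-+=|]{}:"')

# Constructed stand-in for a real wordlist; use a large multi-language list in practice.
WORDLIST = {"password", "letmein", "welcome", "monkey", "dragon", "depaul", "security", "qwerty"}

# Substitutions people use to dodge dictionary checks (constructed table); undo them before lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})


def normalised_forms(pw):
    """Lower-cased variants of the password that a dictionary check should look at."""
    base = pw.lower()
    for form in (base, base.translate(LEET)):
        yield form
        yield re.sub(r"^[^a-z]+|[^a-z]+$", "", form)  # strip leading/trailing digits and symbols


def dictionary_based(pw, wordlist=WORDLIST):
    """True if any normalised form equals a word, or contains a word of five or more letters."""
    long_words = [w for w in wordlist if len(w) >= 5]
    for form in normalised_forms(pw):
        if form in wordlist or any(w in form for w in long_words):
            return True
    return False


def check_password(pw, wordlist=WORDLIST):
    """Return the list of slide-37 rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in pw):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("contains no digits")
    if sum(c in SPECIALS for c in pw) < 2:
        problems.append("fewer than 2 special characters")
    if dictionary_based(pw, wordlist):
        problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("abc", "Monkey12", "P@ssw0rd!", "xK9#f2!qLm7"):
        verdict = check_password(candidate)
        print(f"{candidate:14s} {'OK' if not verdict else '; '.join(verdict)}")
```

The composition rules and the "change regularly" advice reflect 2004 practice; NIST SP 800-63B has since recommended against mandatory composition rules and scheduled rotation in favour of length and screening against lists of breached passwords. The dictionary step above is the part of this slide that survives that shift, and a breached-password list drops straight into `wordlist`.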

38 coordinated efforts result in success!
(diagram labelled "Goal")

39 behavioral changes

40 what technology doesn't solve
Security technologies adapt as threats appear. They are not able to (easily) combat:
- Threats,
- Hoaxes,
- Scams,
- The behavior of others.

41 the clue factor

42 education and awareness
- Education and awareness are key to increasing the security posture of the University and the global Internet.
- Dispels the FUD (fear, uncertainty, doubt).
- Addresses problems before they exist.
- Extends the radius of clue.
- Creates inclusion in the entire infosecurity effort.

43 self-education
- You can increase your own awareness of security related issues.
- Subscribe to mailing lists for security notifications.
- Visit security related websites.
- Contact us; we're always willing to help.
- Voice your concern on security related issues, helping raise awareness in others.

44 test your efforts
- Contact us and we can schedule a vulnerability scan for your department or network.
- Register your network with us; we can send you reports of suspicious behavior.
- Help us tailor an awareness program for your department.
- Remember: security is about sharing knowledge and contacts, not technology.

45 thank you!
- Questions?
- Contact CSRT: Computer Security Response Team
  abuse@depaul.edu
  security@depaul.edu
  http://security.depaul.edu/
  or... Eric Pancer, epancer@security.depaul.edu
  pgp: C022 4991 41E5 51E7 683C F765 62F7 7F8E 7ACB CFF3

