Average Security Controls vs. Hacker Tools: 1999 to 2010
Presented By: Jason Witty, 2/16/2006
Presentation Overview
•Quick Disclaimer
•Amusing (or not) Statistics 1999 – 2006
•Us vs. Them
•Existing Tool Screenshots
•Predictions to 2010
•Wrap-up / Questions
Disclaimer
The views and opinions expressed in this presentation are strictly those of the author and should not be taken as an endorsement of any company or technology. Permission is granted to redistribute this material in its entirety provided that this disclaimer notice is not removed or altered. Do not spray directly into eyes. Knives are sharp – they cut things. Caution: filling is hot.
Computer Incident Statistics
Number of Incidents Handled by CERT/CC
[Chart: incidents handled by CERT/CC per year, 1988 to 2003; y-axis 0 to 160,000]
•In 1988 there were only 6 computer incidents reported to CERT/CC.
•There were 137,529 reported to CERT/CC in 2003.
•CERT/CC stopped tracking incident stats in 2004, due to the “widespread use of automated attack tools” (everybody’s getting attacked).
Vulnerabilities
2005: 55 MS advisories
2004: 45 MS advisories
2003: 51 MS advisories
[Chart: vulnerabilities per year, 1999 to 2006; y-axis 0 to 5,000; series: Others, Apple, Sun, Microsoft]
[Chart: vulnerabilities per year, 1999 to 2006; y-axis 0 to 250; series: Microsoft, Sun, Apple]
2005: Apple released nearly as many vulns as Microsoft
Source: http://nvd.nist.gov/
Black Hat vs. White Hat “Maturity”
(Columns: Year | New Vulns. | “Average” Security Controls | “Average” Attack Tools)

1999 (914 new vulns.)
Security Controls: Password Security & Some 2-factor; Internet Firewalls and NIDS common; SSL for Internet Sites; IPSec VPNs; Security Awareness Training
Attack Tools: “I love You” virus; BO2K, SubSeven; “Point, click, and attack” GUIs; Published default password lists; NMAP

2000 (1014 new vulns.)
Security Controls: More adoption of the above; Progressive companies doing HIDS; Strong-auth for VPNs common
Attack Tools: NIDS Evasion CLI; IP Spoofing; Steganography

2001 (1672 new vulns.)
Security Controls: More adoption of the above; Network Layer Anti-virus common; Still using passwords for most access
Attack Tools: “Code Red” / NIMDA; Social Engineering Contests; Firewall Tunneling

2002 (1946 new vulns.)
Security Controls: Still using passwords for most apps; US starting to see privacy / security legislation take effect and new legislation being created; Progressive companies looking at GIDS / IPS
Attack Tools: “DC Phone Home”; Filesystem Crypto; Web-app brute-forcing; Steganographic trojans; Passive IP fingerprinting; Bootable Linux distros

2003 (1252 new vulns.)
Security Controls: More adoption of the above; Progressive companies looking at application firewalls / app IDS
Attack Tools: Alternate data storage methods (DNS, etc.); Airsnort, NetStumbler

2004 (2343 new vulns.)
Security Controls: More adoption of the above; IPS becoming mainstream, technologies for layer-7 firewalling blending
Attack Tools: Bootable OS’es on CD with pre-compiled tools; Google Hacking; Bot-nets

2005 (4714 new vulns.)
Security Controls: Still using passwords for most access; FFIEC guidelines published; Some companies seriously looking at DRM; IAM Systems widely deployed; Enterprise Risk Management teams common in Medium-Large businesses
Attack Tools:
BiDiBLAH
–Nessus
–MetaSploit
–GoogleAPI
–Port/banner scanner
–DNS dumping
–Sub-domain finder (country scan)
–HTML and Office reporting
BackTrack = WHAX (formerly Whoppix) + Auditor
Rent-a-BotNet
2002 Hacker Tools: Web Hacking
WebCracker, Web Session Brute Forcer
1990-1999 Hacker Tools
Ultimate Zip Cracker, L0phtcrack, Nessus, Netcat, SAINT, NMAP, Juggernaut, Ethereal
2000-2005 Hacker Tools
DSniff, Airsnarf, Hping2, Ettercap, Nikto, Kismet, Netstumbler, Whoppix
2006 Hacker Tools: BackTrack
BackTrack = WHAX (Formerly Whoppix) + Auditor Security Collection
2006: Here and Now
The new iPod Video (60GB) can store:
– 25,000 photos OR
– 15,000 songs OR
– 2,000 videos OR
– 1,536,000,000 CC#’s (Name, Exp. Date, CVV Code = 40 B/rec) OR
– 60 pick-up trucks worth of paper documents
2006: Here and Now - II
McAfee Internal User Security Survey (Europe): http://www.theregister.co.uk/2005/12/15/mcafee_internal_security_survey
1 in 5 workers let family and friends use company laptops.
More than 50% connect their own devices to their work PC; 25% of those do so every day.
1 in 10 confessed to downloading content they shouldn't.
2 in 3 have a limited knowledge of computer security.
5% admitted to accessing areas in their IT system that they shouldn't have.
2006: Here and Now - III
Teenage kids are renting Bot-nets in 10,000 PC lots, for $/hr. on IRC.
Highly complex worms contain multiple exploits, payloads, and encrypted commands.
Point and Click Hacking is Here. All CVEs, published exploits, GUI tools, and an OS to use them on fit on a single CD (which BTW fits in the standard amount of RAM on a PC these days).
The RIAA continues to sue grandmothers, children, students, etc. for illegally downloading songs off the Internet.
Auditrocities ;-)
Predictions for 2010 (Next 5 Years)
Security as a “Feature” vs. “Product” (and better security “Process”)
Infosec and Physical security more closely integrated – NOTE: Cameras *Everywhere*
RIAA, MPAA finally “get it” – common standards/tools for DRM integrated into most products
Strong Authentication standard for eCommerce, biometrics prevalent
ERM drives ESM/SIM/SEM integration – Enterprise Risk Dashboards common
DDoS prevention technology integrated into all firewalls, routers, switches (driven by easy access to Bot-Nets)
Questions?
Tool Links
BiDiBLAH - http://www.sensepost.com/research/bidiblah/
BackTrack (Formerly WHAX[Whoppix] + Auditor) - http://www.whoppix.net/index.php/Main_Page
Top 75 Tools - http://www.insecure.org/tools.html
Packet Storm has tens of thousands of free hacker tools available - http://www.packetstormsecurity.org
Random Stuff
Linus Torvalds born Sunday Dec 28th, 1969
Unix OS “born” Thursday Jan 1st, 1970