computer security 101

Eric Pancer

Computer Security Response Team

http://security.depaul.edu/

april, 2004

welcome!

Why Are You Here? Why Am I Here?

sponsors

Information Services

Computer Security Response Team

incidents and trends

what defines an incident?

A computer security incident covers a large range of violations, including:
Harassment
Denial/Interruption of Service
Malware Infection (worm, virus)
Unauthorized Access
Misuse of Data or Services
Copyright Infringement
Spam?

general statistics

CERT/CC: Incidents Reported
1991 – 406
1993 – 1,334
1995 – 2,412
1997 – 2,134
1999 – 9,859
2001 – 52,658
2003 – 137,529

in our backyard

W32.Blaster Worm
Exploited a vulnerability patched in July, 2003.
Unleashed August, 2003.
900+ infections from August 11, 2003 to October 11, 2003.
Persists at approximately 8-10 infections weekly.

‘Bots
Exploits common vulnerabilities.
Variants released weekly.
Centrally controlled.
Growing more and more malicious.
700+ unique hosts since January, 2004.

even more alarming

W32.Slammer Worm
January, 2003. Attacked…
…unpatched MS-SQL 2000 servers…
…unpatched desktops with Microsoft Desktop Engine…
Interrupted Bank of America ATM Services.
Caused a “meltdown” of University network services due to other “bugs” on the network.
Vulnerability was announced June, 2002!

how do we find violations?

Intelligence gathering is performed in many ways – though human interaction and communication is still the best method.
Reports to [email protected].
Internal reports.
Monitoring network flows.
Searching for attack patterns.
Hearsay, rumors, gossip.

sample e-mail report

Date: Fri, 9 Apr 2004 12:57:16 -0400
From: [email protected]
To: [email protected]
Cc: [email protected], [email protected]
Subject: Abuse! Suspicious Activity!!! 140.192.21.254

Hello,

You are being contacted regarding suspicious activity logged from a host on your network. We found that the address 140.192.21.254 was attempting to connect to the VPN port 500 (TCP) on Apr 8 at 18:15:41 (EST).

Log Entries (All times are EDT):

*Apr 8 18:15:41 140.192.21.254 500 x.123.208.2 500 1
*Apr 8 18:15:43 140.192.21.254 500 x.123.208.2 500 1

Please review the log information included below. The data reflected in the log could be interpreted as a user from your domain attempting to probe a federal government network. Please investigate this immediately and take action to prevent further probing of the network.

network flows

19 Apr 04 10:49:33.61177 tcp 140.192.27.47.3076 -> 66.18.100.2.80 RS
19 Apr 04 10:49:33.62319 tcp 140.192.83.97.1302 -> 63.123.232.243.80 FIN
19 Apr 04 10:49:33.63790 tcp 192.77.161.22.44274 -> 140.192.220.21.80 EST
19 Apr 04 10:49:33.62713 tcp 140.192.55.29.4462 -> 12.130.91.26.80 EST
19 Apr 04 10:49:33.63408 tcp 140.192.131.188.4726 -> 216.73.87.20.80 FIN
19 Apr 04 10:49:33.64504 tcp 140.192.110.86.3986 -> 64.40.102.42.80 FIN
19 Apr 04 10:49:33.64507 tcp 140.192.132.134.4947 -> 216.120.60.144.80 FIN
19 Apr 04 10:49:33.65468 tcp 140.192.132.67.3357 -> 207.68.173.254.80 FIN
19 Apr 04 10:49:33.66201 tcp 140.192.15.106.4881 -> 207.68.162.24.80 FIN
19 Apr 04 10:49:33.66328 tcp 140.192.15.106.4882 -> 207.68.162.24.80 FIN
19 Apr 04 10:49:33.66709 tcp 140.192.227.36.1106 -> 205.158.62.54.80 FIN
19 Apr 04 10:49:33.66836 tcp 140.192.132.134.4948 -> 216.120.60.175.80 FIN
19 Apr 04 10:49:39.36782 tcp 140.192.151.158.4632 -> 216.239.41.104.80 RST
19 Apr 04 10:50:06.11342 tcp 140.192.196.6.3649 -> 1.0.0.1.80 TIM
19 Apr 04 10:51:27.93013 udp 24.186.52.241.1620 <-> 140.192.170.146.3845 ACC
19 Apr 04 10:50:55.77691 tcp 140.192.196.6.4670 <-> 207.44.246.72.80 CON
19 Apr 04 10:51:28.05120 udp 128.175.131.52.3964 <-> 140.192.177.213.1480 ACC
19 Apr 04 10:50:54.13063 tcp 140.192.196.6.4671 -> 207.44.246.72.80 RST
19 Apr 04 10:51:28.07679 udp 209.6.25.71.2021 <-> 140.192.176.87.3068 ACC
19 Apr 04 10:51:27.81926 udp 140.192.175.192.1343 <-> 62.143.31.15.1870 ACC
19 Apr 04 10:51:27.93307 udp 140.192.231.133.1612 <-> 142.179.17.60.1053 ACC
19 Apr 04 10:50:51.29740 tcp 200.87.50.62.10547 -> 140.192.175.183.139 EST
19 Apr 04 10:51:28.08786 udp 209.6.25.71.2021 <-> 140.192.176.87.3068 ACC
19 Apr 04 10:51:28.08839 udp 149.159.97.73.1576 <-> 140.192.172.92.1495 ACC
19 Apr 04 10:50:54.13644 tcp 140.192.196.6.4686 -> 207.44.246.72.80 RST
19 Apr 04 10:51:28.09423 udp 62.163.81.124.11480 <-> 140.192.171.165.11895 ACC

known signatures

alert tcp $HOME_NET any -> $EXTERNAL_NET 135 \
    (msg:"SCAN - Microsoft Directory and File Services"; \
    stateless; flags:S,12; threshold: type threshold, track by_src, \
    count 520, seconds 600; classtype:network-scan; \
    priority:7; sid:6010001; rev:1;)

[**] [1:6010001:1] <em0> SCAN - Microsoft Directory and File Services [**]
[Classification: Detection of a Network Scan] [Priority: 7]
04/19/04-01:54:42.622054 140.192.21.254:2460 -> 10.203.54.114:135
TCP TTL:126 TOS:0x0 ID:49784 IpLen:20 DgmLen:48 DF
******S* Seq: 0xC6D0AB86  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
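The flow records on the "network flows" slide and the threshold rule above lend themselves to one worked detector. The block below is an added example, not code from the slides or from the DePaul CSRT: it parses flow lines in the slide's format (assumed to be `day mon yy hh:mm:ss.fffff proto src.port arrow dst.port state`) and applies a track-by_src threshold of `count` connection attempts to port 135 within `seconds`, the same parameters the Snort rule uses. The `$HOME_NET` prefix `140.192.`, the benign records and the single host sweeping an external /24 are all constructed for the demonstration; each flow record is counted as one attempt, because flow exports carry no SYN flag.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Flow record layout as it appears on the "network flows" slide (assumed format).
FLOW_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<proto>tcp|udp)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+"
    r"(?P<arrow><->|->)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)\s+"
    r"(?P<state>[A-Z]+)$"
)


def parse_flow(line):
    """Return a dict for one flow record, or None if the line does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%d %b %y %H:%M:%S.%f"),
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "state": d["state"],
    }


def scan_alerts(lines, home_net="140.192.", dport=135, count=520, seconds=600):
    """Snort-style 'threshold: type threshold, track by_src' over flow records.

    Mirrors '$HOME_NET any -> $EXTERNAL_NET 135': only TCP flows from a home
    address to a non-home address on `dport` are counted. An alert is raised
    once every `count` matching flows from the same source within `seconds`.
    Returns a list of (source address, timestamp of the triggering flow).
    """
    window = timedelta(seconds=seconds)
    recent = defaultdict(deque)   # src -> timestamps of matching flows in the window
    alerts = []
    for rec in (parse_flow(line) for line in lines):
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != dport:
            continue
        if not rec["src"].startswith(home_net) or rec["dst"].startswith(home_net):
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop flows older than the window
            q.popleft()
        if len(q) >= count:
            alerts.append((rec["src"], rec["ts"]))
            q.clear()                            # start the next count from zero
    return alerts


def build_sample():
    """Constructed flow log: ordinary web/udp traffic plus one host sweeping port 135."""
    base = datetime(2004, 4, 19, 1, 45, 0)
    lines = [
        "19 Apr 04 01:45:00.10000 tcp 140.192.27.47.3076 -> 66.18.100.2.80 RST",
        "19 Apr 04 01:45:00.20000 udp 24.186.52.241.1620 <-> 140.192.170.146.3845 ACC",
        "19 Apr 04 01:45:00.30000 tcp 140.192.196.6.4671 -> 207.44.246.72.80 FIN",
    ]
    # 600 attempts in about a minute from one home host, one per external address.
    for i in range(600):
        t = base + timedelta(milliseconds=100 * i)
        stamp = t.strftime("%d %b %y %H:%M:%S.%f")[:-1]   # five fractional digits as on the slide
        lines.append(f"{stamp} tcp 140.192.21.254.{2460 + i} -> 10.203.54.{i % 254 + 1}.135 RST")
    return lines


if __name__ == "__main__":
    for src, ts in scan_alerts(build_sample()):
        print(f"SCAN threshold reached: {src} at {ts}")
```

With the rule's own parameters (520 in 600 seconds) the constructed sweep produces exactly one alert, for 140.192.21.254; the remaining 80 attempts after the alert stay below the count, which is the "every 520th" behaviour of a threshold-type rule rather than a limit-type one.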

is it 1984?

Are you Big Brother?
Why do you care?
Do you read my email?
Isn’t the network secure?
I don’t do anything malicious, so don’t look at what I do please.

general concepts

common myths

“Why should I care, I have nothing to hide.”
“Why does anyone care about my computer?”
“It’s too difficult to get access to my computer or personal information…”
“If someone tries to [insert malicious activity here], I will notice!”
“Ignorance is bliss!”

are you at risk?

Using the following puts you at risk: Computers, Credit Cards, Banks, Airlines, Automobiles, …many more…

CIA – the building blocks

Confidentiality, Authenticity, Integrity

confidentiality

Ensures privacy.

Applies to both data on disks and network communication.

Accomplished through encryption: https://, s/mime, pgp, ssh and ipsec.

integrity

Develops trust of the network and computer systems.

Applies to both data on disks and network communication.

Integrity is increased by proper data and system management.

authenticity

Another catalyst for trust.

Required for data on disk and network communication.

Prevents ID theft, “man in the middle” attacks, etc.

vulnerability life cycle

(diagram; stages shown: vulnerability, discussion, research, automation, exploit, concept code)

assumptions

Researchers will continue to find new bugs and vulnerabilities.

Active exploitation of these vulnerabilities will continue through worms, viruses, etc.

Technology will continue to progress and the quality of code will continue to fall.

Santa Claus is real!

terminology

denial of service

The overload of a system preventing the normal use of that system.

A denial of service (DoS) attack is a common method to prevent users from accessing websites.

scanning

Enumerating the security of a computer system and/or the service(s) they provide.

A “portscan” commonly occurs to check the type of computer operating system being used.

Thousands of portscans against the University have taken place in the time you have read this slide!

exploit

A piece of malicious code or action against a computer system to elevate privileges or gain further access.

Exploits mostly act on bugs found in software or hardware. These bugs are usually due to human error coding or system misconfiguration.

virus

A virus is a piece of code that modifies existing applications or data to change the behavior of that application or of data.

Viruses rely on human interaction to ensure their survival and propagation.

worm

A worm is a program that propagates itself over a network, reproducing itself and changing as needed, to survive and adapt.

The term worm is derived from tapeworm as coined in John Brunner’s book “Shockwave Rider.”

(ro)bot

A software program or computer that performs repetitive functions; usually commanded as part of a botnet (see next slide).

Although robots were first introduced to spider the world wide web, the term bot has come to represent an increasing threat against computer users.

botnet

A collection of computers acting in conjunction with one another to perform automated tasks.

Botnets can be built using viruses, worms or other attacks. These botnets (sometimes thousands of computers) can then carry out “scan and ‘sploit” actions automatically.

feeling overwhelmed yet?

defending with technology

start with the basics

Basic computer security through technology is easy; use…
A firewall,
Anti-Virus Software,
Patch your computer quickly, when required,
Strong passwords!

firewalls

The most useful tool in your bag of defenses.

Prevents intruders from accessing services on your computer.

Validates/normalizes network traffic.

May provide reports and trend analysis.

Available for all major operating systems – usually for free!

anti-virus software

Stops viruses and worms sent by email, attachments, downloads, etc.

Detects malicious software through intelligent heuristics.

Available for all major desktop and server operating systems.

A requirement; not an option.

patches

(Usually) free updates to your computer; can be downloaded from the Internet.

Available before most exploits surface.

Automated, usually.

Critical to overall security.

Chant: “We Must Patch, We Must Patch…”

strong passwords

Keeps you on-target with best practices.

Is composed of 8 or more characters and includes letters, numbers and 2 special characters, including !@#$%^&.-+-=|]{}:”.

Not based on any dictionary word from any language.

Changes regularly; not shared.
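The four rules on this slide that a machine can check (length, character classes, two special characters from the listed set, not based on a dictionary word) can be turned into a small policy checker. The block below is an added example, not code from the slides or from the DePaul CSRT; the word list is a constructed stand-in for a real multi-language dictionary, and the letter-for-symbol substitution table is an assumption added so that "P@ssw0rd" is still recognised as the dictionary word it is built from. "Changes regularly; not shared" is a behaviour rule and is deliberately not part of the check.

```python
# Special characters exactly as listed on the "strong passwords" slide.
SPECIALS = set('!@#$%^&.-+-=|]{}:"')

# Constructed stand-in for a real dictionary; a deployment would load full word lists.
DICTIONARY = {"password", "depaul", "welcome", "secret", "dragon", "letmein", "qwerty"}

# Assumed substitution table: common symbol/digit stand-ins for letters.
_LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "!": "i"})


def _based_on_dictionary_word(pw, dictionary):
    """True if the password, after undoing simple substitutions and dropping
    non-letters, still contains a dictionary word of four or more letters."""
    core = "".join(c for c in pw.lower().translate(_LEET) if c.isalpha())
    return any(word in core for word in dictionary if len(word) >= 4)


def password_findings(pw, dictionary=DICTIONARY):
    """Return the list of slide rules the candidate fails; an empty list means it passes."""
    findings = []
    if len(pw) < 8:
        findings.append("fewer than 8 characters")
    if not any(c.isalpha() for c in pw):
        findings.append("no letters")
    if not any(c.isdigit() for c in pw):
        findings.append("no numbers")
    if sum(1 for c in pw if c in SPECIALS) < 2:
        findings.append("fewer than 2 special characters")
    if _based_on_dictionary_word(pw, dictionary):
        findings.append("based on a dictionary word")
    return findings


def is_strong(pw, dictionary=DICTIONARY):
    return not password_findings(pw, dictionary)


if __name__ == "__main__":
    # Constructed candidates: each fails a different rule except the last.
    for candidate in ["abc", "P@ssw0rd!!", "Tr0ub4dor&3", "k7#Mq{9vL"]:
        problems = password_findings(candidate)
        print(f"{candidate!r}: {'OK' if not problems else ', '.join(problems)}")
```

The substitution step is what makes the dictionary rule meaningful: a plain substring check would accept "P@ssw0rd!!" even though it satisfies every other rule on the slide, and that is precisely the kind of candidate a password-cracking word list with mangling rules tries first.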

coordinated efforts result in success!

(chart: y-axis 0 to 20; x-axis F, F+A, F+A+P, F+A+(P)2; series: Worm, Virus, Goal)

behavioral changes

what technology doesn’t solve

Security technologies adapt as threats appear. They are not able to (easily) combat: Threats, Hoaxes, Scams, The behavior of others.

the clue factor

education and awareness

Education and awareness are key to increasing the security posture of the University, and global Internet.
Dispels the FUD (fear, uncertainty, doubt).
Addresses problems before they exist.
Extends the radius of clue.
Creates inclusion in the entire infosecurity effort.

self-education

You can increase your own awareness of security related issues.
Subscribe to mailing lists for security notifications.
Visit security related websites.
Contact us, we’re always willing to help.
Voice your concern on security related issues, helping raise awareness in others.

test your efforts

Contact us and we can schedule a vulnerability scan for your department or network.

Register your network with us; we can send you reports of suspicious behavior.

Help us tailor an awareness program for your department.

Remember: security is about sharing knowledge and contacts, not technology.

thank you!

Questions? Contact CSRT:

Computer Security Response Team
[email protected]@depaul.edu
http://security.depaul.edu/

or… Eric Pancer
[email protected]
C022 4991 41E5 51E7 683C F765 62F7 7F8E 7ACB CFF3