2. Networks Under Assault
- Australian Computer Crime and Security Survey (May 02)
  - ACCS Survey (the only survey of its kind in .au) reports more than 67% of respondents have been attacked/hacked during the 2001 period – 7% higher than the U.S. in the same period.
- InternetWeek
  - 50% of U.S. corporations have had 30 or more penetrations
  - 60% lost up to $200K/intrusion
- Federal Computing World
  - Over 50% of (U.S.) Federal government agencies report unauthorised access (some are massive numbers)
- FBI/Computer Security Institute
  - 48% of all attacks originated from within the organization
- WarRoom Research Survey
  - 90% of Fortune 500 companies in the U.S. surveyed admitted to inside security breaches
- Very few companies will talk. Too much fear of losing investor confidence and perhaps panicking the customer base (i.e. banks)
3. Why? - Hacker Motivations
- There are many different motivations to hack
  - Experimentation and desire to learn
  - “Gang” mentality
  - Psychological needs (i.e. to be noticed?)
  - Misguided trust in other individuals
  - Altruistic reasons
  - Self-gratification
  - Revenge and malicious reasons
  - Emotional issues
  - Desire to embarrass the target (many reasons)
  - “Joyriding”
  - “Scorekeeping”
  - Espionage (corporate, governmental)
  - Criminal – Stalking, Intimidation, Hostage, Blackmail
4. Types of Hackers
Shades of Grey - Are all Hackers Bad?
- Black Hats (The Bad Ones)
  - Professional Crackers (Crime Gangs)
  - Corporate Espionage (Criminal in a suit – more common than companies realise – everyone has a competitor.)
  - e-Terrorists (with or without a motivation [eco-hackers])
  - ?
- White Hats (The Good Ones)
  - Corporate Security
  - Tiger Teams (with reputations – ISS)
  - Big 5 Audit/Testing Teams (PWC, etc)
  - Law Enforcement Hackers / Military eSecurity
- Grey Hats (The Not-so-Bad / Not-so-Good Ones)
  - Depends who’s paying
  - Freelancers – to the highest bidder, which can include LEAs
5. Who are the Hackers?
- 49% are inside employees or contractors on the internal network
- 17% come from dial-up (still inside people)
- 34% are from Internet or an external connection to another company of some sort
- The major area of financial loss in hacking is internal: more money is lost via internal hacking and exploitation (by a factor of 30 or more)
- Most of the hacking that is done is from technical personnel in technical positions within the company
6. Perimeter Security Is Not Enough
- Even the best perimeter firewall can be breached
- What happens to your corporate assets if the perimeter is breached?
- What protects your internal network if the perimeter security fails? Most Businesses = Nothing
- How do you know you have been breached? Most Businesses = Never Know
[Diagram labels: Internet, Firewall, External Router, Internal Servers, Production Network, Desktops, Workstations]
7. Perimeter Security Is Not Enough
- Many companies with “insider access” - dissolve the perimeter protection (firewalls):
  - customers, consultants, contractors, temps, supply chain partners, employees – unhappy / rogue (espionage) / snoopy (the curious/ambitious) / terminated (fired)
- Many widely disseminated vulnerabilities, backdoors, firewall holes, firewall pole vaults - such as dial-up modems, shareware password crackers
- Majority of breaches and financial losses - from those with “insider access”
8. Typical Inside Network Attacks
- Insider attack
- Social engineering
- Virus infiltration
- Denial of Service
- OS or application bug
- Infiltration via passwords
- Infiltration via “no security”
- Spoofing
- Trojan horse
- Brute force
- Stealth infiltration
- Protocol flaw or exploit
9. Biggest Mistakes in Internal Security
- Everybody trusts everybody
- “Any” theory: “We don’t have anything anyone would want anyway” – never true
- No internal monitoring of any kind
- No internal intrusion detection
- No internal network isolation methods
- No separation of critical networks or subnetworks via VLAN or VPNs
- Infrastructure ignorance
10. Network Security IS a Serious Issue
- $202 Billion lost every year by companies to “e-Crime” in the US; Australian/rest of the world statistics are hard to estimate.
- 90% of e-Crime financial losses are INTERNAL
- U.S. Government alone will experience over 300,000 Internet attacks this year; the Australian Government has not publicised any numbers
- Hundreds of thousands of websites contain some form of Hacker Tools / Information
- e-Crimes are estimated to take place every 20 seconds...
11. eSecurity / Hacking Insurance Policies
- Yes, you can actually buy hacking insurance policies for some situations
- One level allows for liability reduction due to protective measures taken (What sort of firewalls / policies / operating systems / training / etc…)
- Another provides a vendor security warranty level of assurance
- Others on their way…
12. Future Server Threats
- Digital Nervous System components
- Infrastructure Dependencies
  - Index Server/LDAP Servers
  - Terminal Server with thin clients
  - Exchange servers being used for office and workgroup flow applications
  - DNS and other naming services servers
  - Voice over IP (VoIP)
  - Telephony servers for desktop telephony
  - Netmeeting / Video collaboration servers
  - NT servers being implemented in factories and industrial networks for process control. These require real-time network security features
- Home implementations for broadband/DSL access
- Small business via broadband/DSL access
- Seasonal threats (holiday hacker gangs)
13. Information Store
A company’s most valuable assets are on its Information Store
An attack on your Information Store can result in:
- Loss of access
- Loss of data integrity
- Theft of data
- Loss of privacy
- Legal liability
- Loss of Confidence (Owners/Stock market/Customers)
- Financial Loss (Fraud)
[Diagram labels: Financials, HR Records, Patient Medical Records, R&D Information, Legal Records]
14. Summary (I)
- It is a matter of “when” not a matter of “if” you will be attacked or hacked - the statistics are against you
- Internal network security is still the most pervasive corporate threat
- Many different levels of security are necessary to deal with the threats
- Apply internal security in proper measure to meet the actual or perceived threat environment
15. Summary (II)
- A Hacker can be anyone – an employee with a grudge, a contractor, a family member. They just want something they are not supposed to have.
- Hacking is gaining access to anything you shouldn’t have access to, using means you shouldn’t be using (illegal?)
- eSecurity is as important as real security. If you have a security guard to protect you, you should have an eSecurity guard.
- Many different levels of security are necessary to deal with the threats