The first in a series entitled Network Security Investment—The Executive ROI Briefcase, this white paper describes the dynamics in today's business climate that are driving network security requirements, and provides an understanding of the threats facing business leaders today. It includes an appendix that describes malicious code attacks that have occurred in the recent past.
Other white papers in the series include:
This white paper reviews some of the laws that mandate consumer privacy protection and how network security helps ensure data privacy.
This white paper discusses best practices for disaster recovery that involve information security and IT professionals, as well as law enforcement.
This white paper quantifies the value of network security with regard to the economic consequences of a security breach.
This white paper describes the steps you should take to ensure a secure network infrastructure.
As an organization's dependency on computers and network communications increases, so does its vulnerability to information security compromises. Almost every week the media reports on new computer crimes, system break-ins, malicious code attacks, and the ever-growing threat of cyber terrorism. Current research on network security shows three realities that organizations must consider:
Many types of information must be protected by law. In the United States, the Gramm-Leach-Bliley Act requires companies to notify consumers of their privacy policies and to provide opt-out provisions for consumers who do not want their personal information distributed beyond the company. In addition, the Gramm-Leach-Bliley Act protects nonpublic financial data. Data stored on computers that has even a remote possibility of containing information such as social security numbers, credit card and financial account numbers, account balances, and investment portfolio information must be protected.
The use and disclosure of patient medical information originally was protected by a patchwork of U.S. state laws, leaving gaps in the protection of patients' privacy and confidentiality. The United States Congress also recognized the need for national patient record privacy standards in 1996 when it enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA), protecting all medical records and other individually identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally.
In addition to the legal ramifications of a security breach, the independent research firm Computer Economics has substantiated that malicious attacks result in actual financial costs, decreases in revenue, and a severe impact on productivity. The SAFE Blueprint from Cisco Systems is an architecture that can help organizations reduce incidents of security breach and meet the requirements of new laws and regulations around the world.
Security is becoming far more complex every day, and SAFE serves as a guide to network designers considering the security requirements of their network. SAFE takes a defense-in-depth approach to network security design, resulting in a layered approach to security where the failure of one security system is not likely to lead to the compromise of network resources.
This series of white papers provides data that CEOs, CFOs, and others can use to evaluate and justify security expenditures along with a step-by-step guide to determine return on investment for security in your organization. This series delivers executive level managers an understanding of what happens when network security is breached, the process for recovering from a breach in security, and provides comprehensive information on how to evaluate the potential return on investment for network security protection. Finally, action steps that management should take to improve network security are also provided.
The analyst team for this project was led by Michael Erbschloe, vice president of research for Computer Economics of Carlsbad, California. Mr. Erbschloe is also the author of Information Warfare: How to Survive Cyber Attacks and The Executive's Guide to Privacy Management. He also co-authored Net Privacy: A Guide to Developing & Implementing an Ironclad ebusiness Privacy Plan.
Three major dynamics have converged, heightening the need for network and system security. These dynamics have raised the risks multifold for organizations that are required to protect the privacy of information or have a high political or brand profile.
Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk. For many years, the United States General Accounting Office (GAO) found weaknesses in the information systems of United States government agencies. To gain a broader understanding of successful security programs, the GAO studied the management practices of eight nonfederal organizations. This study was designed to provide organizations around the world with a framework to reorient their security programs to make them visible, integral components of their business operations.
The organizations studied had adopted five principles of risk management:
1. Assess risk and determine needs
2. Establish a central management focus on risks and security
3. Implement appropriate policies and related controls
5. Monitor and evaluate policy and control effectiveness
All organizations studied said that risk considerations and related cost-benefit trade-offs were a primary focus of their security programs. Security was not an end in itself, but a set of policies and controls designed to support business operations. The GAO found that there were general practices associated with each risk management principle and that these practices were common to the organizations studied.
The principal goal of the SAFE Blueprint is to provide best-practice information on designing and implementing secure networks. SAFE provides an actionable process that can be used to achieve many of the recommendations of the milestone GAO study.
SAFE serves as a guide to network designers considering the security requirements of their network, and takes a defense-in-depth approach to network security design. This type of design focuses on the expected threats and methods of mitigation, resulting in a layered approach to security where the failure of one security system is not likely to lead to the compromise of network resources. To ensure the most comprehensive level of protection possible, every network should include security components that address the following five aspects of network security.
Identity is the accurate and positive identification of network users, hosts, applications, services, and resources. Identity mechanisms are important—ensuring that authorized users gain access to the enterprise computing resources they need, while unauthorized users are denied access. Cisco networks use the authentication, authorization, and accounting (AAA) capabilities of the Cisco Secure Access Control Server to provide a foundation that authenticates users, determines access levels, and archives all necessary audit and accounting data.
Perimeter security solutions control access to critical network applications, data, and services so that only legitimate users and information can pass through the network. This access control is handled by routers and switches with access control lists (ACLs) and by dedicated firewall appliances. A firewall provides a barrier to traffic crossing a network's perimeter and permits only authorized traffic to pass, according to a predefined security policy. Complementary tools, including virus scanners and content filters, also help control network perimeters. Firewalls are generally the first security products that organizations deploy to improve their security postures. Cisco provides organizations considerable flexibility in firewall choices. The Cisco PIX® Firewall is the world's leading firewall, providing network customers of all sizes with unmatched reliability, scalability, and functionality. The Cisco IOS® Firewall provides embedded firewall capabilities in the routing and switched infrastructures.
Companies must protect confidential information from eavesdropping or tampering during transmission. By implementing virtual private networks (VPNs), enterprises can establish private, secure communications across a public network—usually the Internet—and extend their corporate networks to remote offices, mobile users, telecommuters, and extranet partners. Encryption technology ensures that messages traveling across a VPN cannot be intercepted or read by anyone other than the authorized recipient by using advanced mathematical algorithms to "scramble" messages and their attachments.
The Cisco VPN 3000 Series Concentrator is a best-of-breed, remote-access VPN solution. Incorporating the most advanced, high-availability capabilities with a unique purpose-built architecture, Cisco VPN 3000 concentrators allow corporations to build high-performance, scalable, and robust VPN infrastructures to support their mission-critical, remote-access applications. An ideal way to build site-to-site VPNs is with Cisco VPN-optimized routers.
To ensure that their networks remain secure, companies should continuously monitor for attacks and regularly test the state of their security infrastructures. Network vulnerability scanners can proactively identify areas of weakness, and intrusion detection systems (IDSs) can monitor and reactively respond to security events as they occur.
IDS and vulnerability scanners provide an additional layer of network security. While firewalls permit or deny traffic based on source, destination, port, or other criteria, they do not actually analyze traffic for attacks or search the network for existing vulnerabilities. In addition, firewalls typically do not address the internal threat presented by "insiders." The Cisco Intrusion Detection System (IDS) is the industry's first real-time, network intrusion detection system that can protect the network perimeter, extranets, and increasingly vulnerable internal networks. The system uses sensors, which are high-speed network appliances, to analyze individual packets to detect suspicious activity. Cisco also offers IDS host sensors to provide pervasive protection on servers throughout the network. If the data stream in a network exhibits unauthorized activity or a network attack, the sensors can detect the misuse in real time, forward alarms to an administrator, and remove the offender from the network.
As networks grow in size and complexity, the requirement for centralized security policy management tools that can administer security elements is paramount. Sophisticated tools that can specify, manage, and audit the state of security policy through browser-based user interfaces enhance the usability and effectiveness of network security solutions. Cisco provides a centralized, policy-based, security management approach for the enterprise.
CiscoWorks VPN/Security Management Solution (VMS), an integral part of the SAFE Blueprint, combines Web-based tools for configuring, monitoring and troubleshooting enterprise Virtual Private Networks (VPNs), firewalls, and network and host-based intrusion detection systems (IDS).
CiscoWorks VMS includes the following modules:
VMS delivers the industry's first robust, scalable architecture and feature set that addresses the needs of small and large-scale VPN and security deployments.
All IT managers agree that protecting network resources against security breaches is a necessity, but many are not willing to commit to the continual effort required. Without adequate network security, the organization is open to a variety of risks—all of which are detrimental to profitability.
Research firm Computer Economics projects the likelihood that organizations will be hit with a security attack is growing. Computer crime will grow by an estimated 230 percent during 2002. Similar trends are expected with Internet fraud (expected to increase over 100 percent), and viruses (expected to increase by 22 percent) during the same period. These statistics are even more disturbing than they first appear because the data used as the basis for these projections are probably underreported. According to government and industry sources, only about 20 percent of computer security violations are actually reported.
The sixth annual Computer Crime and Security Survey—conducted by the Computer Security Institute (CSI) with the participation of the San Francisco Federal Bureau of Investigation (FBI) Computer Intrusion Squad—provides an updated look at the impact of computer crime in the United States. Responses from 538 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions, and universities confirm that the threat from computer crime and other information security breaches continues unabated and that the financial toll is mounting.
Eighty-five percent of respondents (primarily large corporations and government agencies) detected computer security breaches within the last twelve months. Thirty-five percent (186 respondents) were willing or able to quantify their financial losses, and reported $377,828,700 in financial losses. In contrast, the losses from 249 respondents in 2000 totaled $265,589,940. The average annual total during the three years prior to 2000 was $120,240,180.
A CIO KnowPulse Poll of 170 CIOs conducted in 2001 revealed that the majority (67 percent) of CIOs are not very confident or not at all confident that law enforcement will provide their companies with sufficient advance warning of a threat to computer systems. Twenty-seven percent are somewhat confident, with only two percent very confident and two percent extremely confident. While nearly half (49 percent) of the CIOs polled have had additional responsibility or accountability for security infrastructure placed on them in the last year, more than one-third (39 percent) still do not have cyber-security experts on staff or contracted.
As for national security, CIOs are split in their confidence level regarding the technologies, plans, and procedures currently in place to protect the nation's critical infrastructure. Following speculation that the next assault on the United States could be a cyber attack, just over half (54 percent) of CIOs are extremely, very, or somewhat confident in the ability of the United States to protect critical infrastructures. The remainder are not very confident (32 percent) or not at all confident (13 percent).
According to research conducted by security specialist Evidian, European companies are divided over the potential threat to business from viruses, hack attacks, and other forms of sabotage. Evidian surveyed 250 companies in the finance, retail, and public sectors in the United Kingdom, France, Germany, Italy, Benelux, Scandinavia, and Spain, asking IT managers and directors to identify what they believed to be the main threat, which solutions are needed to deal with it, and the area of their internal systems most at risk.
In France, Benelux, Spain, and Germany, viruses were seen as the major threat, with 40 percent of companies identifying this form of attack as the most prevalent. In the United Kingdom, deliberate sabotage by employees or former employees was identified as the greatest area of concern, while in Scandinavia most companies claimed accidental damage caused by an employee was the primary concern. In Italy, financial fraud was identified as the greatest reason for worry.
Evidian's research also identified considerable differences in the areas of the business infrastructure perceived to be most at risk. In Germany and Spain, intranets were identified by the majority of respondents as being most in need of protection, while in France, Scandinavia, and Benelux, Web sites were seen as most at risk. In the United Kingdom, corporate databases were considered to be the most vulnerable.
Viruses and other malicious code attacks are growing in number and so is the cost incurred by companies, government organizations, and private individuals to clean up systems and get them back into working order. Malicious code attacks include worms and viruses of all types.
The following tables show Computer Economics' analysis of the worldwide economic impact of malicious code attacks. Data is provided for specific high-profile incidents (Table 1) and by year (Table 2). Economic impact includes the costs to eliminate the virus, clean and restore systems, lost revenue, and the impact on worker productivity.
Table 1
Code Attack Analysis by Incident
(Table body not recoverable from this copy of the document.)
Table 2
Code Attack Analysis by Year
(Table body not recoverable from this copy of the document.)
Incidents that occurred after the Love Bug attack in May 2000 had less economic impact, primarily because the process of cleaning up virus damage has been highly automated since that attack.
The Computer Economics Cyber Attack Index shows the relative economic impact of specific incidents in relationship to the Love Bug outbreak that occurred in 2000 and to date remains the incident with the greatest economic impact. The Love Bug attack has a rating of 10 and all other attacks are rated according to their relative economic impact.
On February 6, 2002, Dale L. Watson, Executive Assistant Director of Counterterrorism and Counterintelligence for the FBI, testified before the United States Senate Select Committee on Intelligence. He pointed out that during the past several years, the FBI had identified a wide array of cyber threats, ranging from defacement of Web sites by juveniles to sophisticated intrusions sponsored by foreign powers.
Some of these incidents pose more significant threats than others. The theft of national security information from a government agency or the interruption of electrical power to a major metropolitan area would have greater consequences for national security, public safety, and the economy than the defacement of a website. But even the less serious categories have real consequences and, ultimately, can undermine public confidence in web-based commerce and violate privacy or property rights.
An attack on a Web site that closes down an e-commerce site can have disastrous consequences for a Web-based business. An intrusion that results in the theft of millions of credit card numbers from an online vendor can result in significant financial loss and, more broadly, reduce consumers' willingness to engage in e-commerce.
These events have indeed occurred. In February 2000, a distributed denial-of-service (DDoS) attack by unknown hackers caused considerable packet loss and downtime at a large commercial Web site. In March 2001, a large commercial Web site reported that thousands of credit card numbers had been exposed. In December 2000, security was breached at another large commercial Web site, and more than 55,000 credit card numbers were taken from its servers and posted on the Web.
Watson contends that beyond criminal threats, cyberspace also faces a variety of significant national security threats, including threats from terrorists. Terrorist groups are increasingly using new information technology and the Internet to formulate plans, raise funds, spread propaganda, and engage in secure communications. Cyber terrorism—the use of cyber tools to shut down critical national infrastructures (such as energy, transportation, or government operations) for the purpose of coercing or intimidating a government or civilian population—is clearly an emerging threat.
On January 16, 2002, the FBI disseminated an advisory via the National Law Enforcement Telecommunications System regarding possible attempts by terrorists to use U.S. municipal and state Web sites to obtain information on local energy infrastructures, water reservoirs, dams, highly enriched uranium storage sites, and nuclear and gas facilities. Although the FBI possesses no specific threat information regarding these apparent intrusions, these types of activities on the part of terrorists pose serious challenges to our national security.
In Information Warfare: How to Survive Cyber Attacks, the author, Michael Erbschloe, concludes that a wide range of information warfare strategies exist and that nations need to be prepared to defend against them. The ten types of cyber attacks and their potential impact on private companies are illustrated in Table 3. Each of the ten categories of cyber attacks has a price tag, a required organizational structure, and a timeline for preparation and implementation.
Table 3
The Potential Impact of Cyber Attacks on Private Companies
To be able to finance, organize, and mount offensive ruinous and offensive containment cyber attacks is so expensive that the publicly political enemies of the large industrial nations cannot afford to use such strategies. But that does not mean that the lesser tactics would not be extremely damaging to infrastructures and economies. This strategy requires a wide range of mental and physical skill sets and an in-depth understanding of information architectures, programming, telecommunications, hardware, software, security, and encryption. It also requires access to a wide variety of telecommunications systems and many types of computers. It may also require a physically capable and equipped task force to physically penetrate a computer or communications facility, retrieve or modify information, and possibly even destroy the equipment. This information warfare strategy is extremely expensive and could only be implemented by a nation that is willing to spend billions of dollars to develop specific methods and train the hundreds, if not thousands, of people necessary to implement the strategy.
Smaller, less-developed nations in no way can afford to mount and sustain defensive ruinous cyber attacks or defensive responsive containment cyber attacks strategies. At best, they could mount random terrorist cyber attacks or random rogue cyber attacks strategies. Most likely they would depend on amateur rogue cyber attacks carried out by a few patriots or geographically dispersed allies.
The private sector in industrial, computer-dependent nations needs to be concerned about large-scale offensive ruinous cyberattacks in widespread conflicts that get out of hand. However, given the cost structures, the types of information warfare that will be most likely waged against large, industrial, computer-dependent countries are sustained terrorist information warfare, random terrorist information warfare, sustained rogue information warfare, random rogue information warfare, and amateur rogue information warfare.
The corporations most vulnerable to cyber attacks are those that are heavily involved in and derive the majority of their revenues from electronic commerce, or dot-coms. It will cost corporations much more to defend themselves against these cyber attack strategies than it will cost cyber terrorists to mount such attacks—since an organization can never tell what type of attack will be launched, it must protect against a wide range of possible scenarios.
There are many sources of threats to computer security, including organized criminals, cyber terrorists, industrial spies, foreign countries in conflict with targeted nations, disgruntled employees, and amateur hackers. Each of these groups has different motivations and poses a different type of threat. The reasons why hacking and intrusions occur vary just as much as the type of intruder:
A fundamental dynamic of computer security is that defenders must always succeed in protecting systems. If attackers do not succeed, they can try again later or move on to another target that may be easier to steal information from, damage, or disable. However, the defenders must continually succeed in order to keep systems up and running, to protect vital information, to maintain their jobs, or to comply with the terms of a security contract. Attackers have the easy side of cyber warfare and have the advantage of being able to come back many times and attempt an attack.
A second dynamic that favors the attacker is the growth of computer networks and the increase in Internet connectivity. There are many systems connected to so many other systems in numerous ways, it has become almost impossible to tally the number of systems that are connected. A conversation with a director of computer security at a large telecommunications firm revealed the magnitude of this problem. When asked, "Are all of the computers in your company secure?" the answer was straightforward: "They will be when I find out where they all are." This problem has become more widespread as corporations and military units continue to build out their networks and attach more and more devices to their networks every day. Network engineers and communications technicians in organizations around the world are building networks as fast as they can, many of which lack adequate security.
A third dynamic that favors attackers is that they can easily have access to all of the same technology the defender has, as well as technical system information, including weaknesses in hardware and software. Although the companies that produce IT products put forth considerable effort to conceal the weaknesses of their systems and software, it is virtually impossible to hide this information from people who really want to gain access. There are many Web sites, user manuals, bug reports, and books that provide a continuous flow of information about how IT products work and what kinds of weakness are present in the products.
Attackers also have an advantage in that they can use the Internet and become members of the same clubs, chat rooms, bulletin boards, and e-mail lists that defenders use to help them obtain information about products or confer with their peers. Individuals can easily assume identities and remain anonymous as they wander the Web seeking out information that helps them develop information warfare attack tactics. The openness of the Internet and the freedom to publish almost any type of information in numerous countries has resulted in the Web becoming a huge repository of information for those who know how to find it and have the patience to do so.
Attackers can work their craft from almost anywhere in the world. The Internet and global telecommunications networks transform many of the tactics used by information warriors into casual telecommuting experiences. The global nature of communications also lets attackers from many different countries collaborate by exchanging information or working together as virtual teams in their attack efforts. This allows attackers to have the same sort of support network that defenders have established over the years. Devices that are targets of attacks include the following:
Although most networks evolve with the growing IT requirements of the enterprise, the SAFE Blueprint for Secure e-Business from Cisco takes a modular approach, which has two main advantages. First, it allows the architecture to address the security relationship between the various functional blocks of the network. Second, it permits designers to evaluate and implement security on a module-by-module basis, instead of attempting the complete architecture in a single phase. Thus it encompasses all of the types of devices that can be attacked.
To counter such a broad range of threats, it may be necessary for an organization to hire new staff and retrain existing staff. When there is a shortage of staff in an organization or in a particular region it may be necessary to contract for managed security services.
In 1998, the National Institute of Standards and Technology (NIST) categorized and analyzed 237 computer attacks that were published on the Internet out of an estimated 400 published attacks. This sample yielded the following statistics:
Some attacks are elaborately complex, while others are performed unknowingly by a well-intentioned device operator. The original architects of the Internet never anticipated the kind of widespread adoption the Internet has achieved today. As a result, in the early days of IP, security was not designed into the specification. For this reason, most IP implementations are inherently insecure. Cisco security and VPN products can help mitigate many types of attacks. There are several approaches to attacking networks, including the following:
Application-layer attacks are implemented using several different methods. One of the most common methods is exploiting well-known weaknesses in software that are commonly found on servers, such as sendmail, HTTP, and FTP. By exploiting these weaknesses, hackers can gain access to a computer with the permissions of the account running the application, which is usually a privileged system-level account. These application layer attacks are often widely publicized in an effort to allow administrators to rectify the problem with a patch. Unfortunately, many hackers also subscribe to these same mailing lists, which results in their learning about the attack at the same time (if they haven't discovered it already).
The primary problem with application-layer attacks is that they often use ports that are allowed through a firewall. For example, a hacker executing a known vulnerability against a Web server often uses TCP port 80 in the attack. Because the Web server serves pages to users, a firewall needs to allow access on that port. From a firewall's perspective, it is merely standard port 80 traffic.
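The point above is that a port-based rule sees only "port 80 traffic" while a content-aware sensor sees the request itself. The following Python is an added example, not code from the white paper or from Cisco, that puts the two checks side by side over three constructed HTTP requests; the signature names and patterns are hypothetical stand-ins for what an IDS sensor would carry.

```python
# Added example (not from the Cisco white paper): contrast a stateless port-based
# firewall rule with a simple application-layer inspection of the same HTTP traffic.
import re

# Constructed sample requests, as a perimeter device would see them arriving on TCP/80.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("203.0.113.8", "GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("203.0.113.9", "GET /" + "A" * 4096 + " HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]

# Policy of the port-based filter: the Web server must be reachable, so 80 and 443 are open.
ALLOWED_PORTS = {80, 443}


def port_filter_allows(dst_port: int) -> bool:
    """Stateless rule: permit if the destination port is in the policy. Content is never examined."""
    return dst_port in ALLOWED_PORTS


# Hypothetical IDS signatures: patterns a content-aware sensor would flag in a request.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),                       # directory traversal in the URI
    "oversized-uri": re.compile(r"^[A-Z]+ \S{2048,} HTTP/", re.M),  # abnormally long request target
}


def inspect_http(request: str) -> list:
    """Return the names of the signatures matched by the request (empty list if clean)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(request)]


def evaluate(requests, dst_port: int = 80):
    """Run both checks; returns (src, port_filter_verdict, ids_hits) per request."""
    return [(src, port_filter_allows(dst_port), inspect_http(req)) for src, req in requests]


if __name__ == "__main__":
    for src, allowed, hits in evaluate(SAMPLE_REQUESTS):
        print(f"{src}: port filter {'permits' if allowed else 'denies'}, IDS hits {hits or 'none'}")
```

Every request passes the port filter, because that is all a port filter can decide; only the inspection step separates the ordinary page fetch from the two anomalous requests.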
Autorooters are programs that automate the entire hacking process. Computers are sequentially scanned, probed, and captured. The capture process includes installing a rootkit on the computer and using the newly captured system to automate the intrusion process. Automation allows an intruder to scan hundreds of thousands of systems in a short period of time.
Backdoors are paths into systems that can be created during an intrusion or with specifically designed Trojan horse code. The backdoor, unless detected and vulnerabilities patched, can be used again and again by an intruder to enter a computer or network. Often an intruder will use the computer to gain access to other systems or to launch denial-of-service (DoS) attacks when they have no further use for the computer.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are among the most difficult attacks to completely eliminate. Even among the hacker community, these attacks are regarded as trivial and considered bad form because they require so little effort to execute. Still, because of their ease of implementation and potentially significant damage, DoS and DDoS attacks deserve special attention from security administrators. DoS and DDoS attacks are different from most other attacks because they are generally not targeted at gaining access to your network or the information on your network. These attacks focus on making a service unavailable for normal use, which is typically accomplished by exhausting some resource limitation on the network or within an operating system or application. These attacks include the following:
TCP SYN Flood can happen when a client attempts to establish a TCP connection to a server that requires an exchange of a sequence of messages. The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending a SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message and then data can be exchanged. At the point where the server system has sent an acknowledgment (SYN-ACK) back to client but has not yet received the ACK message, there is a half-open connection. A data structure describing all pending connections is in memory of the server that can be made to overflow by intentionally creating too many partially open connections.
"Ping of Death" attacks cause systems to react in an unpredictable fashion when receiving oversized IP packets. TCP/IP allows for a maximum packet size of up to 65536 octets (1 octet = 8 bits of data), containing a minimum of 20 octets of IP header information and zero or more octets of optional information, with the rest of the packet being data. Ping of Death attacks can cause crashing, freezing, and rebooting.
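The defensive counterpart to the oversized-packet problem is a bounds check at reassembly time. The following code, added here as an illustration and not taken from the white paper, accepts a fragment only if its offset plus its payload still fits inside the largest datagram the 16-bit IP total-length field can describe, and drops it otherwise instead of writing past the buffer. The fragment values are constructed test data.

```python
"""IP fragment bounds check for a reassembly buffer.

Added example for this section, not from the white paper. A fragment's
payload is accepted only if its end offset fits inside the largest datagram
the 16-bit IP total-length field can describe; an oversized fragment is
dropped instead of being written past the buffer. Fragment values used
below are constructed test data.
"""

MAX_DATAGRAM = 65535            # upper bound of the 16-bit IP total length field
MIN_IP_HEADER = 20              # octets of header in a datagram without options
FRAG_UNIT = 8                   # the fragment offset field counts 8-octet units
MAX_FRAG_OFFSET = 2 ** 13 - 1   # the offset field is 13 bits wide


def fragment_end(frag_offset, payload_len):
    """Octet offset, within the reassembled payload, just past this fragment."""
    return frag_offset * FRAG_UNIT + payload_len


def fragment_fits(frag_offset, payload_len, header_len=MIN_IP_HEADER):
    """True when header plus reassembled payload stays within MAX_DATAGRAM."""
    if not 0 <= frag_offset <= MAX_FRAG_OFFSET or payload_len < 0:
        return False
    return header_len + fragment_end(frag_offset, payload_len) <= MAX_DATAGRAM


class Reassembler:
    """Minimal reassembly buffer that refuses fragments outside its bounds."""

    def __init__(self, header_len=MIN_IP_HEADER):
        self.header_len = header_len
        self.data = bytearray(MAX_DATAGRAM - header_len)   # payload area only
        self.received = []      # (start, end) of accepted fragments
        self.dropped = 0

    def add_fragment(self, frag_offset, payload):
        """Copy the fragment into place; return False (and count it) if it would
        overrun the buffer, which is the oversized-ICMP case described above."""
        if not fragment_fits(frag_offset, len(payload), self.header_len):
            self.dropped += 1
            return False
        start = frag_offset * FRAG_UNIT
        end = fragment_end(frag_offset, len(payload))
        self.data[start:end] = payload        # end <= len(self.data) is guaranteed by the check
        self.received.append((start, end))
        return True

    def reassembled_length(self):
        """Total datagram length implied by the fragments accepted so far."""
        return self.header_len + max((end for _, end in self.received), default=0)


if __name__ == "__main__":
    r = Reassembler()
    print("first fragment accepted:", r.add_fragment(0, b"A" * 1480))
    # Final fragment at the highest offset with 32 octets of payload: 20 + 65512 + 32 > 65535
    print("oversized final fragment accepted:", r.add_fragment(8189, b"B" * 32))
    print("dropped:", r.dropped, "reassembled length:", r.reassembled_length())
```

The check is deliberately made before any memory is touched; stacks that performed the copy first and compared sizes afterwards were the ones that crashed or rebooted on such packets.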
Tribe Flood Network (TFN) and Tribe Flood Network 2000 (TFN2K) are distributed tools used to launch coordinated DoS attacks from many sources against one or more targets. TFN has the capability to generate packets with spoofed source IP addresses. To carry out a DoS attack using a TFN network, an intruder instructs a master to send attack instructions to a list of TFN servers, or daemons. The daemons then generate the specified type of DoS attack against one or more target IP addresses. Source IP addresses and source ports can be randomized, and packet sizes can be altered. Use of the TFN master requires an intruder-supplied list of IP addresses for the daemons.
Stacheldraht (German for "barbed wire") combines features of several DoS attacks, including TFN, and adds encryption of communication between the attacker and stacheldraht masters and automated update of the agents. There is an initial mass-intrusion phase, in which automated tools are used to remotely root-compromise large numbers of systems to be used in the attack. This is followed by a DoS attack phase, in which these compromised systems are used to attack one or more sites.
IP spoofing attacks occur when a hacker inside or outside of a network pretends to be a trusted computer. A hacker can do this by either using an IP address that is within the range of trusted IP addresses for a network, or an authorized external IP address that is trusted and to which access is provided to specified resources on a network. IP spoofing attacks are often a launch point for other attacks. The classic example is to launch a DoS attack using spoofed source addresses to hide the hacker's identity.
Normally, an IP spoofing attack is limited to the injection of malicious data or commands into an existing stream of data that is passed between a client and server application or a peer-to-peer network connection. To enable bidirectional communication, the hacker must change all routing tables to point to the spoofed IP address. Another approach hackers sometimes take is to simply not worry about receiving any response from the applications. If a hacker tries to obtain a sensitive file from a system, application responses are unimportant. However, if a hacker manages to change the routing tables to point to the spoofed IP address, the hacker can receive all the network packets that are addressed to the spoofed address and reply just as any trusted user can.
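The "trusted internal address" case in the two paragraphs above is the one a border device can actually catch, because it knows which addresses belong behind each interface. The filter below, added here as an illustration and not part of the white paper, drops packets that arrive from the outside claiming an internal source, and packets leaving from the inside that carry a foreign source (so that compromised internal hosts cannot serve as the launch point for the spoofed DoS attack the text mentions). The address ranges and packets are constructed.

```python
"""Interface-based anti-spoofing filter.

Added example, not from the white paper. It models the ingress and egress
checks a border router or firewall applies to packet source addresses:
a packet arriving from the outside must not claim an internal source, and
a packet leaving from the inside must carry an internal source. The
address ranges and packets are constructed.
"""
import ipaddress

# Assumed topology: these prefixes live behind the "inside" interface.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip):
    """True if the address belongs to one of the internal prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def source_verdict(iface, src_ip):
    """Return (verdict, reason) for a packet's source address given the
    interface it arrived on. Only 'outside' and 'inside' are modelled."""
    if iface == "outside" and is_internal(src_ip):
        return ("DROP", "internal source address arriving from outside")
    if iface == "inside" and not is_internal(src_ip):
        return ("DROP", "non-internal source address leaving from inside")
    return ("ACCEPT", "source address consistent with arrival interface")


def filter_packets(packets):
    """Apply source_verdict to (iface, src, dst) tuples; return the dropped ones."""
    dropped = []
    for iface, src, dst in packets:
        verdict, reason = source_verdict(iface, src)
        if verdict == "DROP":
            dropped.append((iface, src, dst, reason))
    return dropped


# Constructed packets: (arrival interface, source, destination)
SAMPLE_PACKETS = [
    ("outside", "198.51.100.7", "192.0.2.10"),   # ordinary inbound traffic
    ("outside", "192.0.2.55", "192.0.2.10"),     # claims a trusted internal source: spoofed
    ("inside", "192.0.2.20", "198.51.100.7"),    # ordinary outbound traffic
    ("inside", "203.0.113.9", "198.51.100.7"),   # foreign source leaving: would be a spoofed DoS launch
]

if __name__ == "__main__":
    for iface, src, dst, reason in filter_packets(SAMPLE_PACKETS):
        print(f"DROP {src} -> {dst} on {iface}: {reason}")
```

A filter of this kind cannot tell whether an external source address is genuine, so the remaining spoofing risk is addressed by not granting trust on the basis of a source address alone.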
"Man-in-the-middle" attacks can occur when a hacker has access to network packets that come across a network (for example, a person who is working for an Internet service provider (ISP) and has access to all network packets transferred between the employer's network and any other network). Such attacks are often implemented using network packet sniffers and routing and transport protocols. The possible uses of such attacks are theft of information, hijacking of an ongoing communications session to gain access to private network resources, traffic analysis to derive information about a network and its users, DoS, corruption of transmitted data, and introduction of new information into network sessions.
Network reconnaissance refers to the overall act of learning information about a target network by using publicly available information and applications. When hackers attempt to penetrate a particular network, they often need to learn as much information as possible about the network before launching attacks. This can take the form of DNS queries, ping sweeps, and port scans. DNS queries can reveal such information as who owns a particular domain and what addresses have been assigned to that domain. Ping sweeps of the addresses revealed by the DNS queries can present a picture of the live hosts in a particular environment. After such a list is generated, port-scanning tools can cycle through all well-known ports to provide a complete list of all services running on the hosts discovered by the ping sweep. Finally, the hackers can examine the characteristics of the applications running on the hosts. This can lead to specific information that is useful when the hacker attempts to compromise that service.
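Because the ping sweep and the port scan described above each produce a recognisable pattern in firewall logs, they are a natural first detection to build. The code below, added here as an illustration and not from the white paper, groups connection events per source into one-minute windows and reports a source that sends ICMP echo requests to many distinct hosts, or probes many distinct ports on one host. The key=value log layout is constructed (it is not a Cisco log format) and the thresholds are assumptions.

```python
"""Ping sweep and port scan detection over firewall connection logs.

Added example for this section; the log format is a constructed key=value
layout, not a Cisco format, and thresholds are assumptions. Events are
grouped per source into tumbling time windows; a source that probes many
distinct hosts with ICMP echo, or many distinct ports on one host, is reported.
"""
from collections import defaultdict
from datetime import datetime

WINDOW_S = 60         # tumbling window length in seconds (assumption)
SWEEP_HOSTS = 4       # distinct hosts echoed within a window (assumption)
SCAN_PORTS = 4        # distinct ports on one host within a window (assumption)

# Constructed log: timestamp, then key=value fields.
SAMPLE_LOG = """\
2003-11-21T18:47:00 action=deny proto=icmp src=203.0.113.9 dst=192.0.2.1 type=8
2003-11-21T18:47:00 action=deny proto=icmp src=203.0.113.9 dst=192.0.2.2 type=8
2003-11-21T18:47:01 action=deny proto=icmp src=203.0.113.9 dst=192.0.2.3 type=8
2003-11-21T18:47:01 action=allow proto=icmp src=203.0.113.9 dst=192.0.2.4 type=8
2003-11-21T18:47:02 action=allow proto=icmp src=203.0.113.9 dst=192.0.2.5 type=8
2003-11-21T18:47:10 action=deny proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=21
2003-11-21T18:47:10 action=allow proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=22
2003-11-21T18:47:11 action=deny proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=23
2003-11-21T18:47:11 action=allow proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=25
2003-11-21T18:47:12 action=allow proto=tcp src=203.0.113.9 dst=192.0.2.10 dport=80
2003-11-21T18:47:30 action=allow proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=80
2003-11-21T18:47:31 action=allow proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=443
2003-11-21T18:47:32 action=allow proto=icmp src=198.51.100.7 dst=192.0.2.10 type=8
"""


def parse_line(line):
    """Turn one log line into a dict; the timestamp becomes a float 't'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["t"] = datetime.fromisoformat(ts).timestamp()
    return rec


def detect_recon(log_text, window=WINDOW_S):
    """Return {'ping_sweep': [(src, hosts)], 'port_scan': [(src, dst, ports)]}."""
    echo_targets = defaultdict(set)     # (src, window) -> {dst}
    port_targets = defaultdict(set)     # (src, dst, window) -> {dport}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        bucket = int(rec["t"] // window)
        if rec["proto"] == "icmp" and rec.get("type") == "8":   # echo request
            echo_targets[(rec["src"], bucket)].add(rec["dst"])
        elif rec["proto"] == "tcp":
            port_targets[(rec["src"], rec["dst"], bucket)].add(int(rec["dport"]))
    sweeps = sorted({(src, len(hosts)) for (src, _), hosts in echo_targets.items()
                     if len(hosts) >= SWEEP_HOSTS})
    scans = sorted({(src, dst, len(ports)) for (src, dst, _), ports in port_targets.items()
                    if len(ports) >= SCAN_PORTS})
    return {"ping_sweep": sweeps, "port_scan": scans}


if __name__ == "__main__":
    for kind, hits in detect_recon(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

Denied and permitted events are counted alike, because the sweep is visible even when the firewall blocks most of it; only the probes the policy allowed tell the scanner anything, which is why the "allow" lines deserve the closer look.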
A packet sniffer is a software application that uses a network adapter card in "promiscuous mode" (where the network adapter card sends all packets received on the physical network wire to an application for processing) to capture all network packets that are sent across a particular collision domain. Packet sniffers are used legitimately in networks to aid in troubleshooting and traffic analysis. However, because several network applications send data in clear text (telnet, FTP, SMTP, POP3, etc.), a packet sniffer can provide meaningful and often sensitive information, such as user names and passwords.
One serious problem with acquiring user names and passwords is that users often reuse their login names and passwords across multiple applications and systems. In fact, many users employ a single password for access to all accounts and applications. If an application is run in client-server mode and authentication information is sent across the network in clear text, then it is likely that this same authentication information can be used to gain access to other corporate or external resources. Because hackers know and use human characteristics (attack methods known collectively as social engineering attacks), such as using a single password for multiple accounts, they are often successful in gaining access to sensitive information. In a worst-case scenario, a hacker can gain access to a system-level user account, which the hacker can then use to create a new account that can be used at any time as a back door to break into a network and its resources.
Password attacks can use several different methods, including brute-force attacks, Trojan horse programs, IP spoofing, and packet sniffers. Although packet sniffers and IP spoofing can yield user accounts and passwords, password attacks usually refer to repeated attempts to identify a user account and/or password. Often, a brute-force attack is performed using a program that runs across the network and attempts to log in to a shared resource, such as a server. When hackers successfully gain access to resources, they have the same rights as the users whose accounts have been compromised to gain access to those resources. If the compromised accounts have sufficient privileges, the hackers can create back doors for future access without concern for any status and password changes to the compromised user accounts.
Another problem exists whereby users have the same password on every system they connect to. Often, this includes personal systems, corporate systems, and systems on the Internet. Because that password is only as secure as the most weakly administered host that contains it, if that host is compromised, hackers have a whole range of hosts on which they can try the same password.
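The repeated login attempts that the three paragraphs above describe leave a trail in authentication logs, and the patterns worth alerting on follow directly from the text: many failures against one account from one source, one source trying a few guesses against many accounts, and a success that follows a run of failures (the point at which the attacker holds the user's rights and can create a back door). The code below, added here as an illustration and not from the white paper, reports all three over a constructed log; the line layout and thresholds are assumptions.

```python
"""Detection of repeated login failures in authentication logs.

Added example for this section; log lines are a constructed layout, not a
real product's format, and thresholds are assumptions. Three patterns are
reported: many failures from one source against one account (brute force),
one source touching many accounts (password spraying), and a success that
follows a run of failures from the same source (a guess that worked).
"""
import re
from collections import defaultdict

BRUTE_FAILS = 5          # failures against one account from one source (assumption)
SPRAY_USERS = 4          # distinct accounts failed from one source (assumption)
PRE_SUCCESS_FAILS = 3    # consecutive failures that make a following success suspicious (assumption)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: (?P<result>FAILED|ACCEPTED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed log lines.
SAMPLE_AUTH_LOG = """\
2003-11-21T18:47:00 fileserver login: FAILED user=alice src=203.0.113.9
2003-11-21T18:47:01 fileserver login: FAILED user=alice src=203.0.113.9
2003-11-21T18:47:02 fileserver login: FAILED user=alice src=203.0.113.9
2003-11-21T18:47:03 fileserver login: FAILED user=alice src=203.0.113.9
2003-11-21T18:47:04 fileserver login: FAILED user=alice src=203.0.113.9
2003-11-21T18:47:05 fileserver login: FAILED user=alice src=203.0.113.9
2003-11-21T18:47:06 fileserver login: ACCEPTED user=alice src=203.0.113.9
2003-11-21T18:48:00 fileserver login: FAILED user=alice src=203.0.113.20
2003-11-21T18:48:01 fileserver login: FAILED user=bob src=203.0.113.20
2003-11-21T18:48:02 fileserver login: FAILED user=carol src=203.0.113.20
2003-11-21T18:48:03 fileserver login: FAILED user=dave src=203.0.113.20
2003-11-21T18:48:04 fileserver login: FAILED user=erin src=203.0.113.20
2003-11-21T18:49:00 fileserver login: FAILED user=bob src=198.51.100.7
2003-11-21T18:49:05 fileserver login: ACCEPTED user=bob src=198.51.100.7
"""


def parse_events(log_text):
    """Return the matching lines as dicts, in log order; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_password_attacks(log_text):
    """Return a sorted list of (kind, src, user, count) alert tuples."""
    fails = defaultdict(int)          # (src, user) -> total failures
    users_failed = defaultdict(set)   # src -> accounts that failed from it
    streak = defaultdict(int)         # (src, user) -> consecutive failures so far
    alerts = set()
    for ev in parse_events(log_text):
        key = (ev["src"], ev["user"])
        if ev["result"] == "FAILED":
            fails[key] += 1
            streak[key] += 1
            users_failed[ev["src"]].add(ev["user"])
        else:
            if streak[key] >= PRE_SUCCESS_FAILS:
                alerts.add(("guess_succeeded", ev["src"], ev["user"], streak[key]))
            streak[key] = 0
    for (src, user), n in fails.items():
        if n >= BRUTE_FAILS:
            alerts.add(("brute_force", src, user, n))
    for src, users in users_failed.items():
        if len(users) >= SPRAY_USERS:
            alerts.add(("password_spray", src, "*", len(users)))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_password_attacks(SAMPLE_AUTH_LOG):
        print(alert)
```

A "guess_succeeded" alert is the one that needs immediate follow-up: the account's rights are now in the attacker's hands, any accounts created afterwards should be reviewed as possible back doors, and, for the reason given in the last paragraph, the same password should be treated as compromised on every other system where that user has it.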
Port redirection attacks are a type of trust exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise be dropped. Consider a firewall with three interfaces and a host on each interface. The host on the outside can reach the host on the public services segment (commonly referred to as a DMZ) but not the host on the inside. The host on the public services segment can reach the host on both the outside and the inside. If hackers were able to compromise the public services segment host, they could install software to redirect traffic from the outside host directly to the inside host. Though neither communication violates the rules implemented in the firewall, the outside host has now achieved connectivity to the inside host through the port redirection process on the public services host.
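The three-interface scenario above can be checked mechanically before a firewall policy is deployed: if the public services segment is allowed to reach everything inside, then compromise of any public host gives the outside the same reach. The model below, added here as an illustration and not from the white paper, computes which inside ports become reachable from outside through a relaying host on the public segment, first with the permissive policy the paragraph describes and then with a policy that limits the public segment to the one inside listener its services need. Zones, rule sets and port numbers are constructed.

```python
"""Reachability through a compromised public-services host.

Added example for this section, not from the white paper. Firewall policy
is modelled as allowed (source zone, destination zone) -> ports; the
function computes which ports on the inside become reachable from outside
once a host on the public services segment is assumed compromised and
relays traffic. Zones, rule sets and port numbers are constructed.
"""

ANY = "any"   # marker for "all ports permitted"

# Weak policy from the paragraph: outside reaches the public segment, and the
# public segment may reach anything inside.
RULES_WEAK = {
    ("outside", "dmz"): {25, 80, 443},
    ("dmz", "outside"): ANY,
    ("dmz", "inside"): ANY,
}

# Hardened policy: the public segment may only open the one inside port its
# services genuinely need (a database listener; port chosen for illustration).
RULES_HARDENED = {
    ("outside", "dmz"): {25, 80, 443},
    ("dmz", "outside"): ANY,
    ("dmz", "inside"): {5432},
}

INSIDE_PORTS = {22, 445, 3389, 5432}   # listeners on the inside host under review (constructed)


def allowed(rules, src_zone, dst_zone, port):
    """True if the policy permits src_zone -> dst_zone on this port."""
    if (src_zone, dst_zone) not in rules:
        return False
    ports = rules[(src_zone, dst_zone)]
    return ports == ANY or port in ports


def zone_reachable(rules, src_zone, dst_zone):
    """True if the policy permits any traffic at all from src_zone to dst_zone."""
    if (src_zone, dst_zone) not in rules:
        return False
    ports = rules[(src_zone, dst_zone)]
    return ports == ANY or len(ports) > 0


def direct_exposure(rules, src_zone, dst_zone, ports):
    """Ports on dst_zone that src_zone may reach directly under the policy."""
    return {p for p in ports if allowed(rules, src_zone, dst_zone, p)}


def pivot_exposure(rules, src_zone, pivot_zone, dst_zone, ports):
    """Ports on dst_zone reachable from src_zone only by relaying through a
    compromised host in pivot_zone: the attacker needs some allowed path into
    the pivot, and the pivot needs an allowed path to the port."""
    if not zone_reachable(rules, src_zone, pivot_zone):
        return set()
    via_pivot = direct_exposure(rules, pivot_zone, dst_zone, ports)
    return via_pivot - direct_exposure(rules, src_zone, dst_zone, ports)


if __name__ == "__main__":
    for name, rules in (("weak", RULES_WEAK), ("hardened", RULES_HARDENED)):
        exposed = pivot_exposure(rules, "outside", "dmz", "inside", INSIDE_PORTS)
        print(f"{name}: inside ports reachable from outside via a compromised DMZ host: {sorted(exposed)}")
```

The hardened policy does not remove the residual path entirely; the one listener the public segment legitimately needs remains reachable through a compromised host, so that listener must authenticate its clients and be monitored rather than rely on the firewall alone.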
Trojan horse attacks and viruses refer to malicious software that is attached to another program to execute a particular unwanted function on a user's workstation. An example of a virus is a program that is attached to command.com (the primary interpreter for Windows systems) that deletes certain files and infects any other versions of command.com that it can find. A Trojan horse is different only in that the entire application was written to look like something else. An example of a Trojan horse is a software application that runs a simple game on a user's workstation. While the user is occupied with the game, the Trojan horse mails a copy of itself to every user in the user's address book. Then other users get the game and play it, thus spreading the Trojan horse.
Trust exploitation attacks occur when an individual takes advantage of a trust relationship within a network. The classic example is a perimeter network connection from a corporation. These network segments often house DNS, SMTP, and HTTP servers. Because the servers all reside on the same segment, a compromise of one system can lead to the compromise of other systems, because one system might trust the other systems attached to the same network. Another example is a system on the outside of a firewall that has a trust relationship with a system on the inside of a firewall. When the outside system is compromised, it can use that trust relationship to attack the inside network.
For descriptions of malicious code attacks that have occurred in the recent past, see the Appendix following the summary below.
Improving information security is critical to the operations, reputation, and economic stability of any organization. New laws require greater privacy protection and new threats to computer and network security are emerging daily. The SAFE Blueprint for Secure e-Business from Cisco Systems provides best practice information to interested parties on designing and implementing secure networks. SAFE serves as a guide to network designers considering the security requirements of their network, taking a defense-in-depth approach to network security design. This type of design focuses on the expected threats and methods of mitigation. Key steps that managers should take in improving security include the following:
It is critical that upper-level managers provide support for security improvement initiatives. The principles, processes, and procedures documented in this series of white papers will guide a new security team through the difficulties of getting organized and gaining momentum. Existing security teams can benefit from the return on investment (ROI) analysis procedures and the concepts inherent in the SAFE Blueprint.
Learn about privacy protection and the laws and regulations affecting today's businesses through the second white paper in this series, "Privacy Protection Depends on Network Security."
Other white papers in the series include:
This white paper discusses best practices for disaster recovery that involve information security and IT professionals, as well as law enforcement.
This white paper quantifies the value of network security with regard to the economic consequences of a security breach.
This white paper describes the steps you should take to ensure a secure network infrastructure.
You can find this series of white papers, design and implementation guides, and case studies that demonstrate how other companies implemented security and VPN solutions over a secure network to expand connectivity and reduce costs at http://www.cisco.com/go/security.
The Nimda attack (W32/Nimda worm) affected systems running Microsoft Windows 95, 98, ME, NT, and 2000. The Nimda worm was spread by multiple mechanisms:
The e-mail message delivering the Nimda worm had a variable subject line and slight variations in the attached binary file, so the MD5 checksum differed from one attachment to another. However, the file length of the attachment appeared to be consistently 57344 bytes. The worm also contained code that attempted to resend the infected e-mail messages every ten days.
Nimda modified all Web content files it found, including files with .htm, .html, and .asp extensions. As a result, any user browsing Web content on the system, whether via the file system or via a Web server, could download a copy of the worm. Some browsers automatically executed the downloaded copy, thus infecting the browsing system.
The Code Red worm was a self-replicating malicious code that exploited a known vulnerability in Microsoft IIS servers. Code Red attempted to connect to TCP port 80 on a randomly chosen host. When a successful connection to port 80 was achieved, the attacking host sent an HTTP GET request to the victim, attempting to exploit a buffer overflow in the indexing service. Depending on the configuration of the host that received this request, there were varied consequences.
If the exploit was successful, Code Red began executing on the new victim host. In an early variant of the worm, victim hosts were defaced on all pages requested from the server:
HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
In addition to Web site defacement, infected systems experienced performance degradation as a result of the scanning activity of Code Red. This degradation was very severe in many cases, in part because Code Red could infect a machine multiple times simultaneously. Many non-compromised systems and networks that were being scanned by hosts infected by Code Red experienced serious denial of service.
While Code Red appeared to merely deface Web pages on affected systems and attack other systems, the IIS indexing vulnerability it exploited could also be used to execute arbitrary code in the Local System security context. This effectively gave attackers complete control of the victim's system.
When Code Red II succeeded in compromising a system, it checked to see if it had already infected this system by verifying the existence of the Code Red II atom. If the worm did not find the atom it created the atom and continued the infection process. It then checked the default system language, and spawned threads for propagation. If the default system language was Chinese (Taiwanese) or Chinese (PRC), 600 threads were spawned to scan for 48 hours. Otherwise, 300 threads were created which scanned for 24 hours.
Code Red II copied %SYSTEM%\CMD.EXE to root.exe in the IIS scripts and MSADC folders. Placing CMD.EXE in a publicly accessible directory would allow an intruder to execute arbitrary commands on the compromised machine with the privileges of the IIS server process.
Code Red II also created a Trojan horse copy of explorer.exe and copied it to C:\ and D:\. The Trojan horse explorer.exe called the real explorer.exe to mask its existence, and created a virtual mapping which exposed the C: and D: drives.
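Both the initial exploit and the follow-on modification described above are visible in the Web server's own log: the overflow arrives as a GET request far longer than any real page and padded with a repeated byte, and a command interpreter copied into the scripts or MSADC folder shows up as requests for root.exe or cmd.exe under those paths. The triage below, added here as an illustration and not Cisco or CERT code, applies those two checks to constructed log lines in a simplified IIS-style layout; the length threshold, the repeat length and the layout are assumptions.

```python
"""Web server log triage for Code Red style requests.

Added example for this section, not Cisco or CERT code. It scans constructed
IIS-style log lines for the two indicators the text describes: requests for a
command interpreter copied into a Web-reachable folder (root.exe or cmd.exe
under /scripts or /msadc), and GET request lines far longer than any real
page, padded with one repeated byte, which is the shape of a buffer overflow
attempt. Thresholds and log layout are assumptions.
"""
import re

LONG_URI = 512        # URI length beyond which a request is suspicious (assumption)
REPEAT_RUN = 64       # one byte repeated this many times in a row (assumption)

SHELL_PATH_RE = re.compile(r"^/(scripts|msadc)/(root|cmd)\.exe", re.IGNORECASE)
REPEAT_RE = re.compile(r"(.)\1{%d,}" % (REPEAT_RUN - 1))

# Constructed lines: date time client-ip method uri status
SAMPLE_WEB_LOG = [
    "2003-11-21 18:47:00 198.51.100.7 GET /index.html 200",
    "2003-11-21 18:47:01 198.51.100.7 GET /images/logo.gif 200",
    "2003-11-21 18:47:05 203.0.113.9 GET /constructed-overflow-target?" + "X" * 300 + " 404",
    "2003-11-21 18:47:06 203.0.113.9 GET /scripts/root.exe?constructed 200",
    "2003-11-21 18:47:07 203.0.113.9 GET /MSADC/root.exe?constructed 404",
    "2003-11-21 18:47:08 203.0.113.9 GET /scripts/cmd.exe?constructed 404",
]


def parse_line(line):
    """Split 'date time client method uri status' into a dict, or None if malformed."""
    parts = line.split(" ", 5)
    if len(parts) != 6:
        return None
    _date, _time, client, method, uri, status = parts
    return {"client": client, "method": method, "uri": uri, "status": status.strip()}


def triage(req):
    """Return the reasons this request looks like worm activity ([] if clean)."""
    reasons = []
    if SHELL_PATH_RE.match(req["uri"]):
        reasons.append("request for command interpreter in Web-reachable folder")
    if len(req["uri"]) > LONG_URI or REPEAT_RE.search(req["uri"]):
        reasons.append("oversized or padded request line (overflow attempt)")
    if reasons and req["status"].startswith("2"):
        # A 2xx answer to root.exe means the copied interpreter exists: already compromised.
        reasons.append("server answered 2xx: host likely already compromised")
    return reasons


def triage_line(line):
    req = parse_line(line)
    return [] if req is None else triage(req)


def scan_web_log(lines):
    """Return [(client_ip, uri_prefix, reasons)] for every flagged request."""
    findings = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        reasons = triage(req)
        if reasons:
            findings.append((req["client"], req["uri"][:48], reasons))
    return findings


if __name__ == "__main__":
    for client, uri, reasons in scan_web_log(SAMPLE_WEB_LOG):
        print(client, uri, "->", "; ".join(reasons))
```

The status code is the decisive field: a 404 for root.exe is a scan, whereas a 2xx means the interpreter is present in the scripts folder and the host should be treated as compromised rather than merely probed.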
SirCam (W32/Sircam) affected all versions of Microsoft Windows. It spread through e-mail and through unprotected network shares. Once SirCam infected a system, it may have revealed or deleted sensitive information. SirCam could infect a machine when executed by opening an e-mail attachment containing the code or by copying itself into unprotected network shares.
SirCam could appear in an e-mail message written in either English or Spanish with a seemingly random subject line. All known versions of SirCam used the following format in the body of the message:
I send you this file in order to have your advice
I hope you like the file that I sendo you
I hope you can help me with this file that I send
This is the file with the information you ask for
Te mando este archivo para que me des tu punto de vista
Espero te guste este archivo que te mando
Espero me puedas ayudar con el archivo que te mando
Este es el archivo con la informacion que me pediste
The e-mail message contained an attachment whose name matched the subject line and had a double file extension (e.g. subject.ZIP.BAT or subject.DOC.EXE). The CERT/CC has confirmed reports that the first extension may be .DOC, .XLS, or .ZIP. Antivirus vendors have referred to additional extensions, including .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, and .PS. The second extension was .EXE, .COM, .BAT, .PIF, or .LNK. The attached file contained both the malicious code and the contents of a file copied from an infected system.
When the attachment was opened, the copied file was extracted to both the %TEMP% folder (usually C:\WINDOWS\TEMP) and the Recycled folder on the affected system. The original file was then opened using the appropriate default viewer while the infection process continued in the background.
SirCam had its own SMTP client capabilities, which it used to propagate via e-mail. It determined a recipient list by searching for e-mail addresses contained in all *.wab (Windows Address Book) files in the %SYSTEM% folder. Additionally, it searched the folders referred to by HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache for files containing e-mail addresses. All addresses found were stored in SC??.DLL or S??.DLL files hidden in the %SYSTEM% folder.
SirCam first attempted to send messages using the default e-mail settings for the current user. If the default settings were not present, it used one of the following SMTP relays:
mail.<defaultdomain> (for example, mail.example.org)
The Love Bug worm affected systems running Microsoft Windows with Windows Scripting Host enabled. The Love Bug was a malicious VBScript program which spread through various means, including e-mail, Windows file sharing, IRC, USENET news, and possibly via Web pages. When the worm executed, it attempted to send copies of itself, using Microsoft Outlook, to all the entries in all the address books. Thus people who received copies of the worm via e-mail would have most likely recognized the sender. The mail it sent had the following characteristics:
An attachment named "LOVE-LETTER-FOR-YOU.TXT.VBS"
The body of the message read "kindly check the attached LOVELETTER coming from me."
In Internet Relay Chat the worm attempted to create a file named script.ini in any directory that contained certain files associated with the popular IRC client mIRC. The script file would attempt to send a copy of the worm via DCC to other people in any IRC channel joined by the victim. There were also reports of the worm appearing in USENET newsgroups.
When the worm executed, it searched for certain types of files and made changes to those files depending on the type of file. For files on fixed or network drives, it took the following steps:
Since the worm overwrote the modified files, file recovery was difficult and in many cases impossible. It also modified the Internet Explorer Start Page. If the file <DIRSYSTEM>\WinFAT32.exe did not exist, the worm set the Internet Explorer Start page to one of four randomly selected URLs. These URLs all referred to a file named WIN-BUGSFIX.exe, which presumably contained malicious code. The worm checked for this file in the Internet Explorer downloads directory, and if found, the file was added to the list of programs to run at reboot. The Internet Explorer Start page was then reset to "about:blank".
In addition to other changes, the worm updated the following registry keys:
Melissa (W97M_Melissa) affected systems with Microsoft Word 97 or Word 2000. Any mail-handling system could have experienced performance problems or a denial of service as a result of the propagation of this macro virus. Melissa propagated in the form of an e-mail message containing an infected Word document as an attachment. The transport message was most frequently reported to contain the following Subject header:
Subject: Important Message From <name>
where <name> is the full name of the user sending the message.
The body of the message was a multipart MIME message containing two sections. The first section of the message (Content-Type: text/plain) contained the text:
Here is that document you asked for... don't show anyone else ;-)
The next section (Content-Type: application/msword) was initially reported to be a document called "list.doc". This document contained references to pornographic Web sites.
When a user opened an infected .doc file with Microsoft Word97 or Word2000, the macro virus was immediately executed if macros were enabled. Upon execution, the virus first lowered the macro security settings to permit all macros to run when documents were opened in the future. Therefore, the user would not be notified when the virus was executed in the future.
The macro then checked to see if the registry key "HKEY_Current_User\Software\Microsoft\Office\Melissa?" had a value of "... by Kwyjibo". If that registry key did not exist or did not have a value of "... by Kwyjibo", the virus proceeded to propagate itself by sending an e-mail message to the first 50 entries in every Microsoft Outlook MAPI address book. Melissa could not send mail on systems running MacOS; however, it could be stored on MacOS.
Melissa set the value of the registry key to "... by Kwyjibo". Setting this registry key caused the virus to only propagate once per session. Melissa then infected the Normal.dot template file. By default, all Word documents use the Normal.dot template; thus, any newly created Word document would be infected. Because unpatched versions of Word97 may have trusted macros in templates, the virus could execute without warning.
Indirectly, this virus could have caused a denial of service on mail servers. Many large sites reported performance problems with their mail servers as a result of the propagation of this virus.
ExploreZip affected systems running Windows 95, Windows 98, or Windows NT. In addition, any mail handling system could have experienced performance problems or a denial of service as a result of the propagation of this Trojan horse program.
The ExploreZip Trojan horse was propagated between users in e-mail messages containing an attached file named zipped_files.exe. Once installed, the program may also have acted as a worm, and propagated itself without any human interaction. The body of the e-mail message usually appeared to have come from a known e-mail correspondent, and usually contained the following text:
I received your e-mail and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
Opening the zipped_files.exe file caused the program to execute. It is possible that some mailer configurations might have automatically opened the file received in the form of an e-mail attachment. When the program was run, an error message was displayed:
Cannot open file: it does not appear to be a valid archive. If this file is part of a ZIP format backup set, insert the last disk of the backup set and try again. Please press F1 for help.
The program searched local and networked drives (drive letters C through Z) for specific file types and attempted to erase the contents of the files, leaving a zero byte file. The targets included Microsoft Office files, such as .doc, .xls, and .ppt, and various source code files, such as .c, .cpp, .h, and .asm. It did not appear to delete files with the "hidden" or "system" attribute, regardless of their extension.
The zipped_files.exe program created a copy of itself in a file called explore.exe in the following location(s):
This explore.exe file was an identical copy of the zipped_files.exe Trojan horse, with a file size of 210432 bytes. MD5 (Explore.exe) = 0e10993050e5ed199e90f7372259e44b
On Windows 98 systems, the zipped_files.exe program created an entry in the WIN.INI file: run=C:\WINDOWS\SYSTEM\Explore.exe
On Windows NT systems, an entry was made in the system registry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
run = "C:\WINNT\System32\Explore.exe"
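The worm descriptions in this appendix share a set of mail-borne indicators that a gateway can screen for: the disguised double extension used by SirCam and the Love Bug, an executable attachment type, the fixed attachment sizes reported for Nimda and ExploreZip, the ExploreZip file name and MD5, the Melissa subject line, and the body text each worm used. The code below, added here as an illustration and not Cisco or CERT code, applies those indicators from the appendix to a message; the sample messages and attachment contents are constructed.

```python
"""Mail attachment and message screening using the appendix indicators.

Added example, not Cisco or CERT code. It checks an inbound message against
indicators the appendix gives: a disguised double extension (SirCam,
Love Bug), an executable attachment type, a filename or MD5 the appendix
names (ExploreZip), an attachment size the appendix reports (Nimda 57344
bytes, ExploreZip 210432 bytes) and body text the worms used. Sample
messages below are constructed.
"""
import hashlib

# Indicators taken from the appendix text.
KNOWN_BAD_MD5 = {"0e10993050e5ed199e90f7372259e44b": "ExploreZip explore.exe"}
KNOWN_BAD_NAMES = {"zipped_files.exe": "ExploreZip",
                   "love-letter-for-you.txt.vbs": "Love Bug"}
KNOWN_SIZES = {57344: "Nimda attachment", 210432: "ExploreZip attachment"}
BODY_SIGNATURES = {
    "i send you this file in order to have your advice": "SirCam",
    "take a look at the attached zipped docs": "ExploreZip",
    "kindly check the attached loveletter coming from me": "Love Bug",
    "here is that document you asked for... don't show anyone else": "Melissa",
}
# Extensions the appendix lists as the executable half of a double extension,
# and the document-like extensions used as the decoy first half.
EXEC_EXTS = {"exe", "com", "bat", "pif", "lnk", "vbs"}
DECOY_EXTS = {"doc", "xls", "zip", "gif", "jpg", "jpeg", "mpeg", "mov",
              "mpg", "pdf", "png", "ps", "txt"}


def screen_attachment(name, data):
    """Return the list of reasons to quarantine this attachment ([] if none)."""
    reasons = []
    lower = name.lower()
    parts = lower.rsplit(".", 2)
    if lower in KNOWN_BAD_NAMES:
        reasons.append(f"filename matches {KNOWN_BAD_NAMES[lower]}")
    if len(parts) == 3 and parts[1] in DECOY_EXTS and parts[2] in EXEC_EXTS:
        reasons.append(f"double extension .{parts[1]}.{parts[2]} disguises an executable")
    elif len(parts) >= 2 and parts[-1] in EXEC_EXTS:
        reasons.append(f"executable attachment type .{parts[-1]}")
    digest = hashlib.md5(data).hexdigest()
    if digest in KNOWN_BAD_MD5:
        reasons.append(f"MD5 matches {KNOWN_BAD_MD5[digest]}")
    if len(data) in KNOWN_SIZES:
        # Size alone is weak evidence; it corroborates the other checks.
        reasons.append(f"size {len(data)} matches {KNOWN_SIZES[len(data)]}")
    return reasons


def screen_message(subject, body, attachments):
    """attachments: list of (filename, bytes). Return {'quarantine', 'reasons'}."""
    reasons = []
    text = body.lower()
    for phrase, worm in BODY_SIGNATURES.items():
        if phrase in text:
            reasons.append(f"body text matches {worm}")
    if subject.lower().startswith("important message from"):
        reasons.append("subject matches Melissa transport message")
    for name, data in attachments:
        reasons += [f"{name}: {r}" for r in screen_attachment(name, data)]
    return {"quarantine": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed message in the shape the appendix gives for ExploreZip.
    verdict = screen_message(
        "Re: your mail",
        "I received your e-mail and I shall send you a reply ASAP. "
        "Till then, take a look at the attached zipped docs.",
        [("zipped_files.exe", b"MZ constructed placeholder")])
    print(verdict)
```

The double-extension rule is the durable one: file names, sizes and hashes change with every variant (the appendix notes that Nimda's MD5 varied between attachments), whereas a document extension followed by an executable extension has no legitimate use in mail.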
Independent research firm Computer Economics has collected and analyzed data on the impact of malicious code attacks, hacking and intrusion incidents, and the cost of system downtime for several years. Much of this work dates back as far as the early 1990s. The analysis of malicious code attacks intensified in the late 1990s as major virus incidents such as Melissa, I Love You, Code Red, and Nimda became commonplace.
The research has largely been client-driven. When Computer Economics' clients needed to determine the ROI for security and virus protection, an in-depth research process was initiated. Data collection is ongoing and involves the following:
The economic impact analysis and models that Computer Economics creates are based on numerous research efforts over a period of several years. Data has been obtained from more than 2000 organizations from virtually every industry sector and every major industrial country around the world.
The analyst teams for these projects have been led by Michael Erbschloe, vice president of research for Computer Economics of Carlsbad, California. Mr. Erbschloe is the author of Information Warfare: How to Survive Cyber Attacks and The Executive's Guide to Privacy Management. He also coauthored Net Privacy: A Guide to Developing & Implementing an Ironclad ebusiness Privacy Plan. In addition, he has presented at professional conferences around the world.
Posted: Fri Nov 21 18:47:00 PST 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.