Cyber Security & Infrastructure Protection

FBI Philadelphia Division

Special Agent John B. Chesson

Potential Cyber Attacks
  • Unauthorized Intrusions
  • Website Defacements
  • Domain Name System (DNS) Attacks
  • Distributed Denial of Service (DDoS) Attacks
  • Computer Worms
  • Routing Operations
  • Critical Infrastructures
  • Compound Attacks
Infrastructure Protection: A New Threat Paradigm

Cyberspace: the Infrastructure behind Critical Infrastructure…

[Slide graphic: numbered list of critical infrastructure sectors; only items 9 to 13 survived extraction] 9. Manufacturing 10. Food & Agriculture 11. Chemicals and Hazardous Materials 12. Defense Industry 13. Public Health

The New Threat: Anyone with a Computer

Potential Sources of Attacks
  • Thrill Seekers
  • Disgruntled Employees
  • Organized Crime
  • Terrorist Sympathizers and Anti-U.S. Hackers
  • Terrorist Groups
  • Nation-States
Thrill Seekers
  • No political motives
  • Seeking notoriety – bragging rights
  • ‘Nuisance attacks’ using pre-fabricated tools and exploits
  • Potential for serious disruptions and monetary damage
Terrorist Sympathizers and Anti-U.S. Hackers
  • Extremist Muslim groups – known hacker groups (G-Force Pakistan, Pakistan Hackerz Club)
  • Anti-Israeli groups
  • Anti-capitalism and anti-globalization movement
  • Chinese hackers
Terrorist Groups
  • Terrorist groups are using information technology
  • Terrorists possess the will and can easily obtain the means to attack IT targets
  • Potential for major cyber attacks is very high
Cyber Capabilities
  • Cyber attacks…
  • Osama bin Laden allegedly gave a statement:
    • "hundreds of young men had pledged to him that they were ready to die and that hundreds of Muslim scientists were with him and who would use their knowledge in chemistry, biology and (sic) ranging from computers to electronics against the infidels."
  • Mapping US vulnerabilities
  • Compound attacks are the most dangerous
Nation States: China
  • "Our country needs to go all-out to develop high-quality internet warriors. That should include development in exclusive universities as well as attracting private computer users to take part in internet combat."
    • Liberation Army Daily
  • China views information operations/information warfare (IO/IW) as a strategic weapon for use outside of traditional operational boundaries.
  • China is particularly sensitive to the potential asymmetric applications IO/IW can have in any future conflict with a technologically superior adversary.
    • Kosovo and the Chinese Embassy strike in Belgrade
    • US / China reconnaissance incident
    • Impact of technology in the war on terrorism (Afghanistan)
Many Potential Cyber Threats

Unstructured Threats
  • Insiders
  • Recreational Hackers
  • Institutional Hackers

Structured Threats
  • Organized Crime
  • Industrial Espionage
  • Hacktivists

National Security Threats
  • Terrorists
  • Intelligence Agencies
  • Information Warriors
Attack Sophistication vs. Intruder Technical Knowledge

[Slide chart: x-axis 1980, 1985, 1990, 1995, 2000; y-axis Low to High. Two curves, labelled Tools and Attackers: the sophistication of the attack tools rises from Low to High over the period while the technical knowledge required of the intruder falls. Techniques plotted along the chart, from the bottom (earliest, least sophisticated) to the top: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, burglaries, hijacking sessions, disabling audits, network mgmt. diagnostics, back doors, GUI, automated probes/scans, sweepers, www attacks, sniffers, DoS, packet spoofing, "stealth"/advanced scanning techniques.]
Current Cyber Attack Trends: CERT warns of automated attacks
  • Freely available tools exploit vulnerabilities
    • Exploitation is part of the scanning process
    • Capable of self-initiation (no operator action needed)
    • Well-managed & coordinated global-scale attacks
  • Tools like "Sobig" self-propagate to global saturation in 28 minutes.
  • IRC and instant messaging (IM) are popular channels for coordinating attacks.
  • Signature-based protection systems (anti-virus and IDS) are ineffective against the new polymorphic attacks
  • IRC and HTTP are being used to disguise malicious code in legitimate network traffic
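The point about signature-based engines and polymorphic code, as an added example that is not part of the presentation: a toy variant generator XOR-encodes the same body under a different key each time, a naive substring scanner misses every variant but the unencoded one, and two checks still catch them. PAYLOAD, SIGNATURE and the two-byte STUB marker are constructed stand-ins, not bytes from any real worm.

```python
"""Why a byte signature misses polymorphic variants, and how a scanner can
still catch them. Added example; PAYLOAD, SIGNATURE and STUB are constructed
stand-ins, not real malware bytes."""
from typing import Dict, Optional

# Constructed stand-in for a worm body: the text a scanner would want to find.
PAYLOAD = b"WORM-BODY: connect irc.example.invalid 6667; NICK w0rm; JOIN #cmd"
# The byte signature a naive scanner keys on (a substring of the clear body).
SIGNATURE = b"JOIN #cmd"
# Hypothetical fixed decoder-stub marker that every variant carries (assumption).
STUB = b"\xeb\x0e"


def encode_variant(payload: bytes, key: int) -> bytes:
    """Emit one 'polymorphic' variant: stub marker, key byte, XOR-encoded body.

    Every key gives a different byte sequence, so a signature taken from one
    variant's body does not occur in another's."""
    if not 0 <= key < 256:
        raise ValueError("key must be a single byte")
    body = bytes(b ^ key for b in payload)
    return STUB + bytes([key]) + body


def signature_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """The naive engine: a raw substring match and nothing else."""
    return signature in sample


def decode_then_scan(sample: bytes, signature: bytes = SIGNATURE) -> Optional[int]:
    """Try every single-byte XOR key and scan the decoded bytes.

    256 tries is cheap; emulation-based engines generalise this idea to real
    decoder stubs. Returns the key that exposes the signature, or None."""
    for key in range(256):
        if signature in bytes(b ^ key for b in sample):
            return key
    return None


def structural_scan(sample: bytes) -> bool:
    """Match the part that does not change between variants: the stub marker.

    Cheaper than brute force, but it stops working once the stub mutates too."""
    return sample.startswith(STUB) and len(sample) > len(STUB) + 1


def compare(keys) -> Dict[int, Dict[str, object]]:
    """Run all three detectors over one variant per key."""
    results: Dict[int, Dict[str, object]] = {}
    for key in keys:
        variant = encode_variant(PAYLOAD, key)
        results[key] = {
            "signature": signature_scan(variant),
            "decode_key": decode_then_scan(variant),
            "structural": structural_scan(variant),
        }
    return results


if __name__ == "__main__":
    for key, r in compare([0x00, 0x5A, 0xFF]).items():
        print(f"key=0x{key:02x} signature={r['signature']} "
              f"decode_key={r['decode_key']} structural={r['structural']}")
```

Single-byte XOR is a bijection on byte values, so it leaves the byte-frequency entropy of the body unchanged; an entropy threshold would not separate these variants from clear text, which is why the example decodes before it matches.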
Types of Attacks

  • Viruses
  • Worms
  • Trojans
  • Denial of Service
  • Computer Intrusions
Viruses/Worms/Trojans
  • The Love Bug
    • Estimated to have impacted 45 million users
      • 20 different countries; $10 billion; two days!
      • Initiated in the Philippines
        • No cyber crime legislation
        • No extradition
  • Anna Kournikova
    • Virus in an e-mail attachment: a Visual Basic Script disguised as a .jpg image (the file carried a double extension, .jpg.vbs, so a system configured to hide known file extensions displayed it as a picture)
  • Code Red v1, v2, Code Red II
  • W32/MyParty worm
  • Bugbear worm

[Slide image: VBS Worm Generator, downloaded from the Internet]
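A filename check for the disguised-attachment trick described above, as an added example (not from the presentation; the sample names are constructed). It goes beyond the slide's single case: besides the .jpg.vbs double extension it strips the trailing dots and spaces Windows discards when it creates a file, and the Unicode bidi-override characters that reverse how the tail of a name is displayed.

```python
"""Attachment-name check for executables hiding behind a harmless-looking
extension. Added example; the EXECUTABLE_EXTS and DECOY_EXTS sets are a
starting point, not an exhaustive list, and the sample names are constructed."""
import unicodedata
from typing import List, Optional

# Extensions Windows executes when the file is opened (lower-case, no dot).
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js",
                   "jse", "wsf", "wsh", "hta", "lnk", "reg", "ps1"}
# Extensions a reader takes for plain content; used as the visible "first" extension.
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "mp3", "htm", "html"}


def normalise(name: str) -> str:
    """Undo the tricks that make the displayed name differ from the real one."""
    # Format characters such as U+202E (right-to-left override) reverse the way
    # the rest of a name is rendered, so "photo\u202egpj.vbs" shows as
    # "photosbv.jpg"; drop every character in the Cf category.
    name = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    # Windows strips trailing dots and spaces when creating a file, so
    # "photo.jpg.vbs   " is the same file as "photo.jpg.vbs".
    return name.rstrip(". ").lower()


def extension_chain(name: str) -> List[str]:
    """All extensions after normalisation, e.g. 'a.tar.gz' -> ['tar', 'gz']."""
    parts = normalise(name).split(".")
    return parts[1:] if len(parts) > 1 else []


def verdict(name: str) -> Optional[str]:
    """None if the name looks fine, else a short reason it should be blocked."""
    exts = extension_chain(name)
    if not exts:
        return None
    last = exts[-1]
    if last not in EXECUTABLE_EXTS:
        return None
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return f"executable .{last} hidden behind .{exts[-2]} (double extension)"
    return f"executable attachment .{last}"


if __name__ == "__main__":
    for sample in ["AnnaKournikova.jpg.vbs", "report.pdf", "setup.EXE",
                   "photo.jpg.vbs   ", "invoice\u202egpj.vbs"]:
        print(repr(sample), "->", verdict(sample))
```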

Denial of Service Attacks
  • A well-documented vulnerability
  • The victim computer(s) have not been compromised
  • The victim computer is simply overwhelmed with traffic…ICMP floods, SYN floods, etc.
    • Code Red's attack on WhiteHouse.gov
  • Distributed Denial of Service: more traffic, harder to trace
  • You have no control over the traffic sent at you
Computer Intrusion: Typical Methodology

[Slide diagram, read as a sequence]
  1. Locate a system to attack
  2. Scanning
  3. Gain user access
  4. Gain privileged (root) access, e.g. via a buffer overflow
  5. Install backdoors; create root users; install sniffers
  6. Take or alter information
  7. Attack other hosts; engage in other unauthorized activity
  8. Cover tracks: corrupt or erase log files

Case study (slide diagrams; elements: ISP, victim company, parent company, subject located in East Europe)

  • Through a hack/intrusion, the subject obtains customer account/credit information from the victim company.
  • Using IRC chat rooms, the subject recruits college students to assist in the scam.
  • Orders for merchandise are placed using the stolen account information; the merchandise is shipped to the co-conspirators.

Operation Cyberloss, May 2001
  • 26 FBI field offices and numerous other federal agencies
  • 32 state and local law enforcement agencies
  • Involved 57,662 victims and over $118,000,000 in losses
  • 61 cases
  • Losses ranged from $2,025 to a $50,000,000 aggregate loss
  • Auction fraud, hacking, ID theft, software piracy

www.ic3.gov

Philadelphia's Wireless Web
  • [Slide image from the WiFiMaps.com web site: http://www.wifimaps.com]

On-Line Resources
  • Federal Bureau of Investigation
    • http://www.ic3.gov/ (formerly: www.ifccfbi.gov/)
  • U.S. Department of Justice
    • Computer Crime and Intellectual Property Section
    • http://www.usdoj.gov/criminal/cybercrime
On-Line Resources (continued)
  • CERT/CC
    • http://www.cert.org
      • Located at the Software Engineering Institute
      • Federally funded research and development center operated by Carnegie Mellon University
      • 2/18/2002 SNMP vulnerability report
  • CIAC
    • http://ciac.llnl.gov/ciac/
      • Located at Lawrence Livermore National Laboratory
      • Federally funded by the U.S. D.O.E.
  • SANS
    • http://www.sans.org
    • Non-profit educational network security consortium
    • Offers training and certification courses
Network Security Basics
  • Develop a written Network Security Policy
  • Coordinate with the Legal, Security, and IT Departments
  • Conduct Routine Network Security Audits
  • Maintain and review Network Server and Router logs
  • Use Intrusion Detection Software (IDS)
  • Regularly back up and archive all critical files
  • Investigate network irregularities completely
  • Use Access Control Lists (ACLs) and Encryption
  • If Attacked, notify Law Enforcement quickly
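A tamper-evident log chain, as an added example that serves both the "corrupt or erase log files" step of the intrusion methodology above and the "maintain and review logs" item here (not code from the presentation). The log lines are constructed; the key is assumed to be held by a separate log host, so an intruder who gets root on the logged machine cannot forge tags.

```python
"""Tamper-evident log chain: each record's tag is an HMAC over the previous
tag and the record, so editing, erasing or reordering any line is detectable.
Added example; SAMPLE_LOG is constructed and the key lives on the log host."""
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed sample records, in the order they were written. The second and
# fourth are what the methodology predicts: a UID-0 user is created, then a
# log is removed.
SAMPLE_LOG = [
    "Mar 12 02:14:07 web1 sshd[4412]: Accepted password for admin from 10.9.8.7 port 51022",
    "Mar 12 02:14:30 web1 sudo: admin : TTY=pts/0 ; COMMAND=/usr/sbin/useradd -o -u 0 backup2",
    "Mar 12 02:15:01 web1 sshd[4431]: Accepted password for backup2 from 10.9.8.7 port 51040",
    "Mar 12 02:15:44 web1 sudo: backup2 : TTY=pts/1 ; COMMAND=/bin/rm -f /var/log/wtmp",
]
GENESIS = b"\x00" * 32  # fixed starting value for the first record's tag


def _tag(key: bytes, prev: bytes, line: str) -> bytes:
    # Binding the line to the previous tag is what makes every later tag
    # depend on every earlier record.
    return hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()


def chain(key: bytes, lines) -> List[Tuple[str, str]]:
    """Return (line, hex tag) pairs with tag[i] = HMAC(key, tag[i-1] || line[i])."""
    prev, out = GENESIS, []
    for line in lines:
        prev = _tag(key, prev, line)
        out.append((line, prev.hex()))
    return out


def verify(key: bytes, records, expected_len: Optional[int] = None) -> Optional[int]:
    """None if the chain is intact, else the index of the first bad record.

    expected_len is the record count the remote log host saw. Without it an
    intruder who simply truncates the tail leaves a chain that still verifies."""
    prev = GENESIS
    for i, (line, tag) in enumerate(records):
        prev = _tag(key, prev, line)
        if not hmac.compare_digest(prev.hex(), tag):
            return i
    if expected_len is not None and len(records) != expected_len:
        return len(records)
    return None


def simulate_tamper(records, index: int, new_line: Optional[str]):
    """What an intruder does on the box: edit one record (new_line) or erase it (None)."""
    edited = list(records)
    if new_line is None:
        del edited[index]
    else:
        edited[index] = (new_line, edited[index][1])
    return edited


if __name__ == "__main__":
    key = b"constructed-key-kept-on-the-log-host"
    records = chain(key, SAMPLE_LOG)
    print("intact:", verify(key, records, expected_len=len(SAMPLE_LOG)))
    cleaned = SAMPLE_LOG[1].replace("/usr/sbin/useradd -o -u 0 backup2", "/bin/ls")
    print("edited #1:", verify(key, simulate_tamper(records, 1, cleaned), 4))
    print("erased #1:", verify(key, simulate_tamper(records, 1, None), 4))
    print("truncated:", verify(key, records[:3], 4))
```

Shipping the records to a separate host (remote syslog) is what gives the verifier an independent copy and record count; the chain only tells you where the local copy was altered.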
When to contact Law Enforcement?
  • Computer facilitated (non-intrusion)
    • E-mail extortion
    • Child pornography
    • Fraud & Theft (IFCC) www.ifccfbi.gov
  • Computer Intrusion (Title 18 U.S.C. § 1030, the Computer Fraud and Abuse Act)
    • Unauthorized or exceeding authorized access to a protected computer
      • National security
      • Denial of Service attacks
      • Data alteration or destruction
      • Theft of intellectual property
      • Worms & virus attacks
      • Web defacement or website redirects
You’ve just been hacked.
  • What should you do?
  • What should you NOT do?
What You Should Do If Attacked…
  • Notify corporate security & legal counsel
    • Think About:
      • Protecting Yourself
        • (Mission Critical vs. Proprietary Data)
      • Catching the Perpetrator
  • Activate your incident management team
      • Created PRIOR to any incident
      • One person in charge
      • One person responsible for evidence.
  • Keep a chronological log of events
What To Do (continued)
  • Activate all available audit trails & logging.
      • What logs were active at the time of the attack?
  • Begin keystroke monitoring.
      • Banner in place? (A logon banner stating that use is monitored is what makes the monitoring, and what it captures, defensible later.)
  • Identify and recover available evidence.
      • System log files, system images, altered/damaged files, intruder's files, network logs (IDS, routers, SNMP, etc.), traditional evidence.
      • Secure evidence and maintain simple "chain-of-custody" records.
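An evidence manifest with chain-of-custody entries for the "identify and recover available evidence" and "secure evidence" steps above, as an added example (not code from the presentation). Item names, contents, custodians and timestamps are constructed.

```python
"""Evidence manifest: what was collected, its size and SHA-256 at collection
time, and every hand-off since. Added example; all data here is constructed."""
import hashlib
import json
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceManifest:
    """Re-hashing an item later and comparing it against the manifest shows
    whether it is still what was seized; the custody list shows who had it."""

    def __init__(self, case_id: str, collector: str):
        self.case_id = case_id
        self.collector = collector
        self.items: Dict[str, dict] = {}

    def add_item(self, name: str, data: bytes, source: str, when: str) -> str:
        """Register an item (disk image, log file, ...) and return its hash."""
        if name in self.items:
            raise ValueError(f"{name} already in manifest")
        digest = sha256_hex(data)
        self.items[name] = {
            "source": source,
            "size": len(data),
            "sha256": digest,
            "custody": [{"time": when, "holder": self.collector, "action": "collected"}],
        }
        return digest

    def transfer(self, name: str, from_holder: str, to_holder: str,
                 when: str, note: str = "") -> None:
        """Record a hand-off. Refuses if from_holder is not the current holder:
        that gap is exactly what a chain-of-custody record exists to prevent."""
        custody = self.items[name]["custody"]
        holder = custody[-1]["holder"]
        if holder != from_holder:
            raise ValueError(f"{name} is held by {holder}, not {from_holder}")
        custody.append({"time": when, "holder": to_holder, "action": "received",
                        "from": from_holder, "note": note})

    def current_holder(self, name: str) -> str:
        return self.items[name]["custody"][-1]["holder"]

    def verify(self, name: str, data: bytes) -> bool:
        """True if the bytes presented now match what was recorded at collection."""
        item = self.items[name]
        return len(data) == item["size"] and sha256_hex(data) == item["sha256"]

    def to_json(self) -> str:
        """Serialise for the case file; sorted keys so two printouts diff cleanly."""
        return json.dumps({"case_id": self.case_id, "items": self.items},
                          indent=2, sort_keys=True)


if __name__ == "__main__":
    m = EvidenceManifest("constructed-case-001", "analyst-a")
    image = b"constructed stand-in for a dd image of web1:/dev/sda"
    m.add_item("web1-sda.img", image, "web1 /dev/sda", "2003-03-12T03:00:00Z")
    m.transfer("web1-sda.img", "analyst-a", "evidence-locker",
               "2003-03-12T09:30:00Z", "sealed bag #12")
    print(m.to_json())
    print("intact:", m.verify("web1-sda.img", image))
```

Hash the image at acquisition, before anything else touches it, and keep the manifest off the compromised host; a manifest stored beside the evidence proves nothing if the intruder still has access.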
What To Do (continued)
  • Identify source(s) of the attack.
  • Record specific damages and losses.
      • Important for prosecution
  • Prepare for repeat attacks.
      • Protecting Mission Critical vs. Proprietary Data
  • Theorize - nobody knows your system like you.
      • Determine how the intrusion happened.
      • Identify possible subjects and motives.
  • Call law enforcement – but be patient
What NOT To Do
  • Do NOT use the compromised systems before preserving any evidence.
  • Do not make assumptions as to Federal jurisdiction or prosecutorial merit.
  • Do not assume that by ignoring the incident, or damage to your files, that it will go away.
  • Do not correspond via E-mail on a compromised network regarding the incident or the investigation.
What to Expect if you call the FBI
  • Agents will interview staff and obtain evidence
  • Obtain a prosecutive opinion
  • Trace the attack (subpoenas, 18 U.S.C. § 2703(d) orders, sources)
    • Identify the subject(s)
  • Obtain/execute search warrants, interview subjects
  • Examine evidence, identify more victims, develop more leads
  • Obtain a Federal Grand Jury indictment
  • Arrest and possible trial
    • Disclosure issues: what can stay confidential vs. what becomes public

What to Expect if you call the FBI (continued)
  • Possible plea bargaining
  • Possible trial
  • Sentencing (upon conviction)
    • Restitution

These steps do NOT occur quickly!

Self Defense in the Current Environment: What Can You Do Today?
  • Increase logging and filtering
  • Protect your data according to its value / use:
      • Proprietary vs. Mission Critical
  • Understand your Defenses
      • (Flexible vs. Rigid)
  • Make use of warning banners
  • Develop a patch management protocol
  • Establish an Incident Management Plan / Team
      • Include “Critical Incident” scenarios
      • Know your I.T. staff personally – it will matter
  • Join your local chapter of InfraGard
What is InfraGard?

Government/law enforcement alliance with private industry

To promote protection of critical information systems

Provides formal and informal channels for the exchange of information about infrastructure threats and vulnerabilities

InfraGard Membership
  • Representatives from private industry, government agencies, academic institutions, state & local law enforcement
  • Membership requirements (no cost):
    • Sign membership agreement
    • Ethics/confidentiality pledge
    • FBI criminal records check

Cyber Incident Detection & Data Analysis Center (CIDDAC)

Sharing serious cyber threat data to defend against cyber attacks threatening our national critical infrastructure

Current Cyber Incident Reporting: Current Obstacles to Timely & Accurate Reporting

[Slide diagram. Parties: the victim corporation (executives, security, IT staff), government and law enforcement (FBI? DHS? DOD?), and National Infrastructure Protection (NIP). What the victim sees and does: something breaks, an anomaly is noticed, trouble shoot, repair, investigate. What reporting is meant to feed: intrusion detection, response, notification, analysis, warning, a cyber threat picture and an intelligence base. Factors that decide whether an incident is reported at all: technical expertise, analysis tools, IDS, training, attacker skill level, asset protection, legal liability, market perception. The question the diagram asks: who has the big picture? The answer proposed: automated incident reporting.]

External Services on a Network Vulnerable to Attack

[Slide diagram: an attacker reaches the participant's perimeter network. The Real-time Cyber Attack Detection Sensor (RCADS) sits on that perimeter alongside the company's real Mail, Web and FTP services and in front of the company's mission-critical network. The sensor offers normal-looking company services (Mail, Web, FTP) but carries no legitimate network traffic, so any use of it assists in early detection of a cyber attack; it reports to CIDDAC 24/7 operations.]
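A connection classifier for a decoy sensor of the kind the RCADS slide describes (a host that advertises Mail, Web and FTP but has no legitimate users, so every connection is a signal), as an added example that is not CIDDAC's code. The captured events, addresses and heuristics are constructed; the long run of one byte in the last event mirrors the shape of the Code Red request mentioned earlier on the page.

```python
"""Classify and roll up connections to a decoy sensor that has no legitimate
traffic. Added example; SAMPLE_EVENTS and the exploit heuristics are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Decoy services the sensor advertises; any other port is unexpected.
DECOY_PORTS = {21: "ftp", 25: "smtp", 80: "http"}

# Recognisers for the first thing a client sends to each decoy service, so an
# alert can say what was attempted rather than only that someone connected.
PROBES = [
    ("http-request", re.compile(rb"^(GET|POST|HEAD|OPTIONS) \S+ HTTP/1\.[01]")),
    ("smtp-helo", re.compile(rb"^(HELO|EHLO) \S+", re.I)),
    ("ftp-login", re.compile(rb"^USER \S+", re.I)),
]

# Constructed captures: (source address, destination port, first bytes received).
SAMPLE_EVENTS: List[Tuple[str, int, bytes]] = [
    ("203.0.113.9", 80, b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"),
    ("203.0.113.9", 21, b"USER anonymous\r\n"),
    ("198.51.100.4", 25, b"EHLO relay-test.example\r\n"),
    ("198.51.100.4", 3389, b""),
    ("192.0.2.77", 80, b"GET /default.ida?" + b"N" * 224 + b"%u9090%u6858 HTTP/1.0\r\n"),
]


@dataclass
class Alert:
    src: str
    dport: int
    service: str
    probe: str
    detail: str
    escalate: bool


def _looks_like_exploit(data: bytes) -> bool:
    """Cheap heuristics: a long run of one byte (sled-style padding), a
    directory-traversal sequence, or an encoded NUL."""
    return (re.search(rb"(.)\1{63,}", data, re.S) is not None
            or b"../" in data or b"%00" in data)


def classify(src: str, dport: int, first_bytes: bytes) -> Alert:
    service = DECOY_PORTS.get(dport, "unexpected-port")
    probe, detail = ("connect-only" if not first_bytes else "unrecognised-data"), ""
    for name, rx in PROBES:
        m = rx.match(first_bytes)
        if m:
            probe, detail = name, m.group(0)[:64].decode("latin-1")
            break
    # Every hit on a decoy deserves a look; escalate those that reach a port the
    # decoy does not even advertise or that carry exploit-shaped input.
    escalate = service == "unexpected-port" or _looks_like_exploit(first_bytes)
    return Alert(src, dport, service, probe, detail, escalate)


def summarize(events) -> Dict[str, dict]:
    """Per-source roll-up: connection count, services touched, probes, escalation."""
    per_src: Dict[str, dict] = {}
    for src, dport, data in events:
        a = classify(src, dport, data)
        s = per_src.setdefault(src, {"connections": 0, "services": set(),
                                     "probes": [], "escalate": False})
        s["connections"] += 1
        s["services"].add(a.service)
        s["probes"].append(a.probe)
        s["escalate"] = s["escalate"] or a.escalate
    return per_src


if __name__ == "__main__":
    for src, s in summarize(SAMPLE_EVENTS).items():
        print(src, s["connections"], sorted(s["services"]), s["probes"],
              "ESCALATE" if s["escalate"] else "")
```

The value of the sensor is the absence of legitimate traffic: no baseline has to be learned, so the roll-up above is a complete list of who touched it, and the escalation flag only orders the queue.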

Take Home Points

  • Cyber terrorism is a real possibility, based on trends indicating terrorists are targeting critical infrastructures
  • The sophistication and number of attacks are on the increase, while executing attacks is easier through automation and the availability of tools
  • Government, law enforcement, intelligence agencies and private industry must work together to protect critical infrastructures and information systems
www.infragard.net

The End

John B. Chesson

Special Agent FBI

Philadelphia, PA

215-418-4406

jchesson@fbi.gov

www.ciddac.org