This document discusses information security threats facing organizations. It begins by defining security as freedom from risk or danger and the application of safeguards to prevent loss. It then discusses the types of threats including hackers, vandals, insiders, and espionage. It emphasizes the importance of knowing potential enemies and one's own weaknesses. Emerging threats discussed include social engineering, wireless networks, and lack of security on many wireless access points. The document stresses taking a defense-in-depth approach using administrative, physical, and technical controls to mitigate risks.
2. Overview
• What is security?
• Who are the threats?
• Know thy enemy
• Know thyself
• Emerging threats
• Plan of defense
• Security Management
• Defense in depth
3. What Is "Security"?
• "Freedom from risk or danger"*
• The application of safeguards to prevent loss
• A subjective measurement of preparedness for risk
• A feeling of safety
* The American Heritage Dictionary of the English Language.
4. What is Risk?
• A potential for loss or harm
• An exposure to a threat
• Risk is subjective
• Dependent on situation and circumstances
5. What's the big deal?
• Loss of company assets
• Loss of revenue/market share
• Loss of intellectual property
• Loss of privacy
• Damage to reputation
6. Who is a threat?
• Hackers
• Vandals
• Espionage
• Insiders
• Everyone*
* This depends on how paranoid you are.
8. Knowing your Enemy
Not knowing who the enemy is can be a bad thing
• Vietnam
• "War on Drugs"
• Vizzini, from The Princess Bride
9. Know Thyself
• "Well, cyberterrorists may be difficult to capture in the act,
but from what I know about people who are highly skilled
with computers, they should be easy to beat up."
– Ernest Cey, Speechwriter
• "You mean some hacker could disrupt the computerized
billing and record-keeping of my local phone company,
costing them millions of dollars? That's awesome."
– Frank Moreland, Piano Teacher
• "This is not a tool we should take seriously, or our customers
should take seriously..."
– Edmund Muth, Microsoft, as reported by the New York Times,
referring to Back Orifice.
10. History of the Hack
1960: The Dawn of Hacking
1970: Phone Phreaks and Cap'n Crunch
1980: Hacker Message Boards and Groups
1983: Kids' Games
1984: Hacker 'Zines – Birth of the 2600 group
1986: Use a Computer, Go to Jail
1988: The Morris Worm
1989: The Germans and the KGB
1990: Operation Sundevil
1993: Why Buy a Car When You Can Hack One?
1994: Hacking Tools R Us
1995: The Mitnick Takedown
1997: Hacking AOL
1998: The Cult of Hacking and the Israeli Connection
1999: Software Security Goes Mainstream
2000: Service Denied (DDOS)
2001: DNS Attacks
11. Hacking is not that hard to do!
• Openly displayed information
• Easily available tools
• Dumpster Diving
• Shoulder Surfing
13. Resources
• Go to http://neworder.box.sk/ and search for your favorite
operating system or program. Chances are it's already been
hacked.
• Find tools to secure your network and test your system for
vulnerabilities. http://packetstorm.dnsi.info
• Tools and info on security research. http://blacksun.box.sk/
• News and Info on wireless hacking and security. Tools to
audit wireless networks. Home of the DFW Wireless Users
Group. http://www.dfwwireless.org
• Daily news, vulnerability listings, and advisories.
http://www.net-security.org/
14. Social Engineering
• Using social interaction to get information
• Plays upon people's good intentions
• Extremely effective in many situations
• Common ploys
– The Dumb User
– The VIP
– The Lost Puppy
– The Prize
15. Social Engineering
• Attempt to manipulate or trick a person into
providing information or access
• Bypass network security by exploiting human
vulnerabilities
• Human-based
– Impersonation
– Third-person authorization
• Computer-based
– Popup windows
– Mail attachments
16. Wireless Networks
• Different technology, same threat
• Out of sight, out of mind
• "Gee Whiz" technology
• Increases attack accessibility
• Unauthorized clients
• Misconfigurations
17. Consumer Wireless Products
Local Area Network Technology

Technology                    Data rate       Modulation
802.11 (FHSS) 2.4 GHz         1 Mbps          Frequency Hopped Spread Spectrum
802.11 (DSSS) 2.4 GHz         1 or 2 Mbps     Direct Sequence Spread Spectrum
Hiperlan                      23.5 Mbps       High Performance Radio LAN
P802.11b (DSSS) 2.4 GHz       11 Mbps         Direct Sequence Spread Spectrum
P802.11a 5 GHz                54 Mbps         Direct Sequence Spread Spectrum

[Timeline chart, 1999–2003 by quarter, marking milestones: Initial Shipments, Final Specification, Specifications Approved, Initial Mobile Shipments]
23. My crime is that of curiosity. My crime is
that of judging people by what they say and
think, not what they look like. My crime is
that of outsmarting you, something that you
will never forgive me for.
– The Mentor, Hacker's Manifesto