Information Technology (IT) Security - PowerPoint PPT Presentation

1
Information Technology (IT) Security Training
and Awareness Workshop
AIM 42nd ABMTS August 2011
2
WORKSHOP PRESENTERS
Tony H. McMahon MITS Director, Transition
2 Program Manager Cust.Acct. Data Eng. Program
Office Washington, DC
Giselle C. Joseph IT Security Specialist MITS
CyberSecurity Operations Houston, Texas
3
IRS as TARGET
  • Largest IT environment of any U.S. civilian
    agency
  • More PII than any other government agency
  • Process $2.5T of revenues
  • Complex, diverse IT infrastructure
  • Complex, diverse business processes utilizing
    many channels (e-file, paper, internet, phone,
    walk-in)
  • 80% of American taxpayers will file
    electronically by the year 2012
  • 700 PODs

4
Probes to IRS
Top 10 Attacking Countries (denied), by Hit Count
Hit count is based on every 3 months

Country                          Hit Count
United States (US)              14,911,704
China (CN)                       1,101,127
Canada (CA)                        668,888
Great Britain (GB)                 145,444
Japan                              106,340
Germany (DE)                        98,002
No Country Code Europe (EU)         55,002
Korea (KR)                          47,437
Netherlands (NL)                    46,623
Russia (RU)                         37,005
5
What is at Risk?
  • DATA: All information used and transmitted by
    the organization
  • Sensitive But Unclassified (SBU): SBU data
    refers to sensitive but unclassified information
    originating within IRS offices. Ex: Personal,
    Tax Return Information.
  • Personally Identifiable Information (PII): PII
    includes the personal data of taxpayers, and also
    the personal information of employees,
    contractors, applicants, and visitors to the IRS.
    Ex: Home addresses, Names, Social Security
    Numbers.
  • National Security Information - Cyber Espionage
  • HARDWARE: Desktop computers, servers, wireless
    access points (APs), networking equipment, and
    telecommunications connections, etc.
  • SOFTWARE: Application programs, operating
    systems, and security software, etc.

6
CYBER SECURITY MISCONCEPTIONS
  • No one knows who I am on the Internet
  • The Internet is a virtual world, so nothing bad
    can happen to me
  • Security software (anti-virus, firewall, etc.)
    will protect me
  • The IRS will protect me
  • Law enforcement will protect me

Who Believes All This?
7
Internet Attack Activity
[Figure: Web-based attack activity, 2009-2010. Source: Symantec Corporation]
8
Who are they?
Who are the Attackers and Why?
No longer just techno-geeks.

GANGS/GROUPS
  • Criminal gangs: Employ individuals or groups of
    hackers to steal PII, credit card and banking
    information.
  • Hacker gangs: Create and sell botnets and hacker
    tools. Sometimes engage in activity to wage
    cyber war on each other or to boost their
    reputation.
  • Political or religious groups: Hacking for
    military and commercial secrets to inflict
    damage.
  • Well resourced: Funded by criminal enterprises,
    nations, political or religious entities.

Hackers, Attackers or Intruders
Script Kiddies, Computer Spy, Employees,
Cybercriminals, Cyberterrorists

WHY?
  • Glory Motivated
  • Financial Profit
  • Politically Motivated
  • Religious Groups
  • They have shifted from glory-motivated vandals
    to financially and politically motivated cyber
    crime.
9
Old and New Enemies
  • Joseph McElroy: Hacked US Dept of Energy
  • Jeffrey Lee Parson: Blaster-B copycat
  • Chen Ih Hua: CIH Virus
  • Andrew Schwarmkoff: Russian Mob Phisher
  • Jeremy Jaynes: 24M SPAM KING
  • Jay Echouafni: Competitive DDoS
Photos from colleagues at F-Secure

10
Political or Religious Groups
  • Highly motivated, professionally trained and
    equipped adversaries
  • Espionage and sabotage aimed at US Government,
    Military and Commercial sites
  • Strategic and Tactical Attacks
  • Threat to the military and economic security of
    the United States

11
How is all this Happening?
  • Social Engineering: Phishing, Pharming, etc.
  • Malware (Malicious Code): Viruses, Trojans,
    Spyware, Spam, Botnets, etc.
  • Network Vulnerabilities and Attacks: Weak
    Passwords, Backdoors, DoS, Spoofing, etc.
  • Hardware Based Attacks: USB drives, Cell phones,
    etc.
  • Web Browser Attacks: Cookies, ActiveX, etc.
  • Communication Based Attacks: Instant Messaging
    (IM), peer-to-peer (P2P), etc.
  • Wireless Attacks and Protocol-Based Attacks: War
    Driving, Bluesnarfing, etc.
  • Difficulties in Defending Against Attackers:
    Speed, Sophistication and Simplicity of Attacks,
    etc.
  • Lack of Education and Training (Security
    Awareness)
  • Smart People doing NOT So Smart Things: Donating
    a computer with an uncleaned disk, without
    sanitization.

12
Social Engineering
Combat Social Engineering
  • Never reveal or share your password.
  • Never provide information about IRS systems and
    networks.
  • Never change your password to something that
    another person has requested.
  • Never disclose Sensitive and Official Use Only
    (OUO) information.
  • Never reply to e-mail messages that request your
    personal information.
  • Never click links in suspicious e-mail.
  • Never unsubscribe from e-mail unless it's a
    reputable business.
  • Never download from the Internet on IRS
    computers.
  • Always be careful whom and where you download
    from on home computers.
  • Always verify the identity of callers.
  • Always discard sensitive information
    appropriately (shred, locked burn bins, etc.).
  • When dealing with companies, make sure you do
    your homework to ensure that they are legitimate
    (Better Business Bureau, BBB).

Social Engineering Tactics
Social engineering is the act of manipulating
people into performing actions or divulging
confidential information. While similar to a
confidence trick or simple fraud, the term
typically applies to trickery or deception for
the purpose of information gathering, fraud or
computer system access; in most cases the
attacker never comes face-to-face with the
victim.
  • E-Mail: Phishing, Pharming, Computer hoaxes, etc.
  • Telephone
  • In Person: Shoulder Surfing, Stealing, Browsing
  • Dumpster Diving
  • Internet: Unsafe Web Sites
  • In Writing

13
SYSTEM THREATS
Three main objectives of Malware
  • Infecting Malware: Viruses, Worms
  • Concealing Malware: Trojan Horses, Rootkits,
    Logic Bombs, Backdoors, and Privilege Escalation
  • Malware for Profit: Spam, Spyware, and Botnets

MALWARE
Malware is software that enters a computer system
without the owner's knowledge or consent. Malware
is also referred to as Malicious Code or
Malicious Content. Malware's most common pathway
from criminals to users is through the Internet,
primarily by e-mail and the World Wide Web.
Malware is a variety of damaging and/or annoying
software.

14
SYSTEM THREATS
  • Trojans are approximately 90% of the malicious
    code events detected by IRS every quarter.
  • 80% or more of these Trojans come from malicious
    websites.
  • According to Symantec, Trojans are the most
    important source of potential infections.
  • In 2010, 56 percent of the volume of the top 50
    malicious code samples reported were classified
    as Trojans, the same percentage as in 2009.

Trojan Horses (Malware)
A Trojan horse, or Trojan, is a type of malware
that disguises itself as legitimate; it is a
destructive program that masquerades as an
application. When an end-user attempts to
install or run the seemingly benign executable
file, their system becomes infected with
malicious code, which gives an attacker access to
the user's privileges and sensitive information.

Spyware (Malware)
Spyware is a general term used to describe
software that violates a user's personal
security. Spyware creators are motivated by
profit: they generate income through
advertisements or by acquiring personal
information, and may change configurations.
Although attackers use several different spyware
tools, the two most common are adware and
keyloggers.
Adware (spyware tool) typically displays
advertising banners or pop-up ads, or opens a Web
browser while the user is on the Internet. A
keylogger (spyware tool) is a small hardware
device or a program that monitors each keystroke
a user types on the computer's keyboard. Spyware
usually performs one of the following functions
on a user's computer: advertising (pop-ups),
collecting personal information, or changing
computer configurations.
NOTE: Your personal information can be obtained
through zabasearch.com, Spokeo.
15
SYSTEM THREATS
  • Phishing is a way of attempting to acquire
    sensitive information such as usernames,
    passwords and credit card details by masquerading
    as a trustworthy entity in an electronic
    communication.
  • Phishing is typically carried out by e-mail or
    instant messaging, and it often directs users to
    enter details at a fake website whose look and
    feel are almost identical to the legitimate one.
  • Phishers like to use variations of a legitimate
    address, e.g., www.ebay_secure.com
  • In many cases, clicking to open pop-ups will
    attach malware to your computer.
  • Most SPAM comes in the form of chain letters,
    jokes, hoaxes, and advertisements.
  • Botnets, networks of virus-infected computers,
    are used to send about 80% of spam.
  • Spammers collect e-mail addresses from chatrooms,
    websites, customer lists, newsgroups, and viruses
    which harvest users' address books; the addresses
    are sold to other spammers.
  • Spam averages 80% of all e-mail sent, with many
    messages containing malware attachments.
  • In the year 2011, the estimated figure for spam
    messages is around seven trillion.

PHISHING (Social Engineering)
Phishing is an attack that sends an e-mail or
displays a Web announcement that falsely claims
to be from a legitimate enterprise in an attempt
to trick the user into surrendering private
information.

SPAM (Social Engineering / Malware)
SPAM is unsolicited, junk e-mail. It continues
to escalate through the Internet. On average it
costs U.S. organizations $1,000 (or more) per
person annually in lost productivity.
16
SYSTEM THREATS
  • UNSAFE WEB SITES: Many legitimate web sites
    have unknowingly been infected and have malware
    attached to downloads. Users should never log on
    to a web site from a link in an e-mail; instead,
    they should open a new browser window and type
    the legitimate address.
  • IRM 10.8.27.3 (1) states: Employees should not
    download unauthorized programs. DOWNLOADING NOT
    PERMITTED.
  • Any Web site in which the user is asked to enter
    personal information should start with https
    instead of http and should include a padlock in
    the browser status bar.
  • One way to check the links in an e-mail you
    receive is to place your mouse cursor over the
    link BUT DO NOT CLICK. This will display the true
    link as shown in the image below.
  • REMOVABLE MEDIA: Some types of removable media
    are Blu-ray discs, DVDs, CDs, memory cards,
    floppy disks, magnetic tapes, paper data
    storage, USB drives, etc. iPods, MP3 players,
    digital cameras, and smart phones connected to
    your computer system are also considered to be
    removable media.
  • In 2010 IRS saw an increasing trend of
    malware-related infections resulting from users
    connecting either IRS-issued or personally owned
    removable media to IRS systems.

Web Browsing (Phishing)
Surfing the web can often lead to unsafe
websites. In addition, there are many e-mail
messages that direct users to unsafe websites.

Removable Media (Hardware Based Attack)
Removable media is designed to be removed from
the computer without powering the computer off.
Despite their advantages, removable media are
widely used to spread malware.
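
The hover check described on this slide, together with the look-alike address from the phishing slide (www.ebay_secure.com), as an added Python example that is not part of the original presentation: it parses an HTML e-mail body and reports links whose scheme, host or visible text do not line up. The sample e-mail, the TRUSTED set and the example.net host are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for each <a> tag in an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):  # also accepts a bare "www.example.com/x"
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()

def check_link(text, href, trusted):
    """Return the reasons a link deserves a second look (empty list = none)."""
    host, findings = host_of(href), []
    if urlsplit(href).scheme != "https":
        findings.append("not https")
    if "_" in host:  # underscores are not valid in host names (RFC 1123)
        findings.append("underscore in host name")
    if not any(host == d or host.endswith("." + d) for d in trusted):
        findings.append("host not on trusted list")
    shown = host_of(text) if "." in text and " " not in text else ""
    if shown and shown != host:  # what hovering over the link would reveal
        findings.append(f"text shows {shown}, link goes to {host}")
    return findings

def audit_email(html, trusted):
    parser = LinkCollector()
    parser.feed(html)
    return [(h, f) for t, h in parser.links if (f := check_link(t, h, trusted))]

# Constructed sample: the page's www.ebay_secure.com plus placeholder hosts.
TRUSTED = {"irs.gov", "ebay.com"}
SAMPLE_EMAIL = """<p>Important W-2 form update</p>
<a href="http://www.ebay_secure.com/login">Sign in</a>
<a href="http://updates.example.net/w2.exe">https://www.irs.gov/w2</a>
<a href="https://www.irs.gov/forms">IRS forms</a>"""

if __name__ == "__main__":
    for href, findings in audit_email(SAMPLE_EMAIL, TRUSTED):
        print(href, "->", "; ".join(findings))
```

An https scheme alone does not show that a site is legitimate, which is why the host is also compared against the trusted list and against the text the message displays.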
17
SYSTEM THREATS
Botnet (Malware)
One of the popular payloads of malware today,
carried by Trojan horses, worms and viruses, is a
program that will allow the infected computer to
be placed under the remote control of an
attacker. This infected robot computer is known
as a zombie. When hundreds, thousands, or even
tens of thousands of zombie computers are under
the control of an attacker, this creates a
botnet. Botnets enable attackers to send massive
amounts of spam, harvest e-mail addresses, spread
malware, manipulate online polls, deny services,
and flood servers with requests until the servers
cannot respond or function properly.

Denial of Service Attacks
A denial-of-service (DoS) attack attempts to
consume network resources so that the network or
its devices cannot respond to legitimate
requests. NOTE: Although DoS attacks are not
widespread on wireless networks, inadvertent
interference from other RF devices (cordless
telephones, microwave ovens, baby monitors) can
sometimes actually cause DoS. When slow
transmission happens, either turn them off or
cut them off.

Zero Day Attacks
A zero-day attack occurs when an attacker
discovers and exploits a previously unknown flaw,
providing zero days of warning.
18
SYSTEM THREATS
Network Attacks
Networks have been the favorite targets of
attackers for several reasons. An attacker who
can successfully penetrate a computer network
might have access to hundreds or even thousands
of desktop systems, servers, and storage devices.
Also, networks have had notoriously weak
security, such as default passwords left set on
network devices. And because networks offer many
services to users, it is sometimes difficult to
ensure that each service is properly protected
against attackers.
Network vulnerabilities: weak passwords, default
accounts, backdoors, and privilege escalation.
Network categories and methods of attack:
denial-of-service, spoofing, man-in-the-middle,
and replay attacks, protocol-based or wireless,
etc.

Communication Based Attacks
Some of the most common communications-based
attacks are SMTP open relays, instant messaging,
and peer-to-peer (P2P) networks.

Wireless Attacks
As wireless networks have become commonplace, new
attacks have been created to target networks.
These attacks include rogue access points, war
driving, Bluesnarfing, and bluejacking.
19
www.phishing_at_irs.gov www.spam_at_irs.gov
Malicious E-Mail
Many e-mails may lead to unsafe websites, either
containing malicious code or trying to obtain
personal information. (Look at the address link.)
  • <A> Billing Pxxx xxx
  • <A> xxx xxx Road
  • <A> Suite 400
  • <A> xxx, CA xxx
  • <A> US
  • <A> Phone xxxxxx7605
  • <A> e-mail pxxx.xxx_at_atf.gov
  • <A> Payment Method Credit Card
  • <A> Name On Card Pxxx x. xxx
  • <A> Credit Card 5568xxxxxxxxxxxx
  • <A> Credit Type MasterCard
  • <A> Expires 05/2009
  • <A> CVV2 421

IRS CSIRC Bulletin - 03022011-001-Bulletin:
Malicious Email Entitled "W-2 form update" in
Circulation

What is the problem?
The CSIRC team is aware of malicious code
circulating via phishing email messages entitled
"Important W-2 form update". These email messages
appear to come from the Internal Revenue Service
and offer a link that suggests it will take you
to the "updated version of the W-2 form". The
link contained within the email messages seems to
be legitimate but is in fact a way of luring
unsuspecting users into downloading malicious
software in the form of a Trojan.
Pictured below is an example of the recent
phishing message currently in circulation; the
incorrect punctuation and misspellings are an
immediate red flag. However, this threat could
take virtually any form, as the subject and
content could vary according to the objective of
the true sender.

FALSE: This notice is yet another redirection
scam (also known as phishing) intended to
deceive recipients into disclosing their card
information, account information, social
security numbers, passwords and other sensitive
information.

20
www.phishing_at_irs.gov www.spam_at_irs.gov
Malicious E-Mail
Attackers take advantage of major events to get
monies or to expose your computer to malicious
code.

21
Fake Security Software
One of the most common ways for cybercriminals to
steal money from people is through the use of
fake security software, according to the most
recent Microsoft Security Intelligence Report.
This kind of software is also known as
"scareware" or "rogue security software".
Cybercriminals use it to scare people into
downloading more malicious software onto their
computer or paying for a fake product. For more
information, see "Watch out for fake virus
alerts". Here are examples of the graphics used
by cybercriminals to trick you into downloading
their security software.
Source: Microsoft Security Tips