(Notes) 02 02 Modern Network Security Threats - Evolution of Network Security
1985 – by 1985 the sophistication of attacker tools was low; intrusions depended mostly on the technical
knowledge of the intruders
2010 up to now – The level of knowledge required by intruders has been getting steadily lower, yet
their ability to perpetrate sophisticated attacks against the survivability of the system has
increased
The sophistication of attacker tools is now much higher compared to the technical knowledge an
intruder must possess
Intruders or hackers nowadays rely more on the sophistication of attacker tools than on technical
knowledge, but if you have the technical knowledge to get into the system then you are a great
hacker
Contributing factors that drive this sophistication of attacker tools higher compared to technical
knowledge
According to Morris, the worm was not written to cause damage, but to gauge the size of
the Internet.
o But the worm was released from MIT, not Cornell where Morris was a student.
The Morris worm worked by exploiting known vulnerabilities in Unix sendmail, finger,
rsh/rexec and weak passwords.
It is usually reported that around 6,000 major Unix machines were infected by the Morris
worm.
o The cost of the damage was estimated at $10M-100M.
Good Thing
The Morris worm prompted DARPA to fund the establishment of the CERT/CC at
Carnegie Mellon University to give experts a central point for coordinating responses to
network emergencies.
Robert Morris was tried and convicted of violating the 1986 Computer Fraud and Abuse
Act.
o After appeals he was sentenced to three-year probation, 400 hours of community
service, and a fine of $10,000.
What is "Code Red"?
The Code Red worm was a DoS attack released on July 19, 2001; it attacked web servers globally,
infecting over 350,000 hosts and in turn affecting millions of users.
Day 1 - 19: The infected host will attempt to connect to TCP port 80 of randomly chosen
IP addresses in order to further propagate the worm.
Day 20 - 27: A packet-flooding denial of service attack will be launched against a
particular fixed IP address.
Day 28 - end of the month: The worm "sleeps"; no active connections or denial of
service.
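The two active phases described above (many port-80 connections to random addresses during days 1–19, then a packet flood toward one fixed address during days 20–27) are behaviours a network defender can look for in flow or firewall logs. The following is an added example, not part of the original notes or of any CERT material: it classifies each source host from constructed flow records using two assumed thresholds (20 distinct port-80 destinations for scanning, 10,000 packets to a single destination for flooding). The record layout, the sample addresses and the thresholds are all assumptions for illustration.

```python
from collections import defaultdict

# Constructed flow records of the form (src_ip, dst_ip, dst_port, packets).
# They are invented for this example and are not captured traffic.
def build_sample_flows():
    flows = []
    # Host A resembles the day 1-19 phase: connections to many distinct
    # addresses on TCP port 80, a handful of packets each.
    for i in range(1, 31):
        flows.append(("10.0.0.5", f"198.51.100.{i}", 80, 3))
    # Host B resembles the day 20-27 phase: a large packet volume aimed at
    # one fixed address.
    flows.append(("10.0.0.9", "192.0.2.10", 80, 25000))
    # Host C is ordinary browsing: few destinations, modest packet counts.
    flows.append(("10.0.0.20", "198.51.100.1", 80, 40))
    flows.append(("10.0.0.20", "198.51.100.2", 443, 120))
    return flows

# Assumed detection thresholds; tune them to the size of the monitored network.
SCAN_DISTINCT_DST = 20
FLOOD_PACKETS = 10000

def classify_sources(flows, scan_threshold=SCAN_DISTINCT_DST,
                     flood_threshold=FLOOD_PACKETS):
    """Return {src_ip: [labels]} for every source whose traffic matches a
    propagation-style scan or a single-target flood."""
    dst80 = defaultdict(set)                       # src -> distinct port-80 targets
    pkts = defaultdict(lambda: defaultdict(int))   # src -> dst -> packet total
    for src, dst, port, packets in flows:
        if port == 80:
            dst80[src].add(dst)
        pkts[src][dst] += packets

    findings = {}
    for src in set(dst80) | set(pkts):
        labels = []
        if len(dst80.get(src, ())) >= scan_threshold:
            labels.append("port80-scan")
        heaviest = max(pkts[src].values(), default=0)
        if heaviest >= flood_threshold:
            labels.append("flood")
        if labels:
            findings[src] = labels
    return findings

if __name__ == "__main__":
    for src, labels in sorted(classify_sources(build_sample_flows()).items()):
        print(f"{src}: {', '.join(labels)}")
```

Counting distinct destinations rather than raw connection attempts is what separates a propagating worm from a busy but legitimate client; the flood check looks at the heaviest single destination, since a DoS phase concentrates traffic on one address rather than spreading it.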
Has it stopped?
Although the worm resides entirely in memory, a reboot of the machine will purge it from the
system.
However, patching the system for the underlying vulnerability remains imperative since
the likelihood of re-infection is quite high due to the rapid propagation of the worm.
Network security professionals must develop and implement a security policy which includes a
process to continually keep tabs on security advisories and patches.
That is why we are encouraged to update the software that we have.
Code Red - A good thing?
It was a wakeup call for network administrators.
It made it very apparent that network security administrators must patch their systems
regularly.
If security patches had been applied in a timely manner, the Code Red worm would only merit a
footnote in network security history.
CERT (Computer Emergency Response Team) advisory on Code Red
Alternative names: Computer Emergency Readiness Team, or Computer Security Incident Response
http://www.cert.org/advisories/CA-2001-19.html
This is an expert group that handles computer security incidents
It has been designated to serve as the national agency to perform the following functions in the
area of cyber security
Every day many intruders develop applications that hamper the operation of an
organization
They develop something that would totally stop the operation of the victim. It could be
delivered via email or via any other available platform through which new threats can be sent
and cause damage to the organization.