Page 1
© 1999, 2000 Carnegie Mellon University
Overview of Security Trends for System and Network Administrators
Networked Systems Survivability Program
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Sponsored by the United States Department of Defense
Page 2
This Course Provides ...
• Introduction to information security issues and concepts
• Key areas to be addressed for information security
• Foundation for applying best security practices
• Resources for further technical help and training
• Current trends in information security
What are your expectations?
Page 3
Objectives
• Understand the challenges of securing information in a global, dynamic, networked systems environment
• Understand the range of vulnerabilities and threats
• Develop information security strategies and identify resources
• Learn proactive measures you can use to defend and improve your organization’s information security
• Learn ways to improve readiness to respond to and recover from information security incidents
• Understand your vital role as a communicator regarding information security
Page 4
What Is The Internet?
• Collection of networks that communicate
- with a common set of protocols (TCP/IP)
- by multilateral agreement
• Collection of networks with
- no central control
- no central authority
- no common legal oversight or regulations
- no standard acceptable use policy
• “wild west” atmosphere
Page 5
What Is The Internet?
• Physical network connections not important
- leased lines
- dial-up
- wireless
• Logical connectivity
- everything is connected to everything else
Page 6
Internet Security in the Beginnings of the Internet
• Internet started as a research project (ARPANET)
- small community of researchers
- trusted community
• Security was not a primary consideration in the design of Internet protocols
“Security issues are not discussed in this memo.” - many RFC documents
Where Wizards Stay Up Late by Katie Hafner and Matthew Lyon (ISBN 0-684 81201-0)
Page 7
Why Is Internet Security a Problem?
• Security not a design consideration
• Implementing change is difficult
• Openness makes machines easy targets
• Increasing complexity
Page 8
The Beginning of the CERT/CC
[Timeline, November 1988: Morris Worm -> worm attack -> postmortem -> CERT/CC created]
Page 9
Who We Are
Networked Systems Survivability Program (FFRDC*)
Sponsor: U.S. DoD - Office of the Under Secretary (Research and Engineering)
Areas: Survivable Network Management; Survivable Network Technology
*FFRDC - Federally Funded Research and Development Center
Page 10
NSS Program Strategies
[Diagram: the three NSS arms - Survivable Network Technology, Survivable Network Management, CERT Coordination Center - and their outputs: Research Results, Technology Evaluation, Improved Systems, Protected Systems, Repaired Systems]
Page 11
What is the CERT/CC?
• Initially charged by DARPA* to serve as a focal point for Internet security by
- Fostering collaboration on security issues across the Internet community
- Providing technical assistance to Internet sites
- Analysing vulnerabilities and providing alerts to the Internet community
- Assisting other organisations in the formation of CSIRTs**
- Conducting tutorials, site evaluations, research
*DARPA - U.S. Department of Defense, Defense Advanced Research Projects Agency
**CSIRTs - Computer Security Incident Response Teams
Page 12
What is the CERT/CC?
• Responsibilities now include providing
- Internet security information for
– system and network administrators
– technology managers
– policy makers
- Guidance and co-ordination for major Internet security events
– Melissa virus
– Y2K
- Leadership in the response team community
– CSIRT formation and development assistance
Page 13
What is the CERT/CC?
• The CERT/CC focuses specifically on technical issues relating to Internet security
• The CERT/CC does not focus on
- who the intruders are
- where intruders are located (physically)
- motivations of intruders
- monitoring/surveillance of intruders
– other than understanding the technical implications of what the intruder community is doing
Page 14
The CERT®/CC Constituency - Internet
• Global distribution
- more than 72 million host computers as of January 2000*
• Diverse user demographics
- government agencies
- academic and research institutions
- corporate users
- home users
*Source: Internet Software Consortium (http://www.isc.org/)
Page 15
CERT®/CC Principles
• Provide valued services
- proactive as well as reactive
• Ensure confidentiality and impartiality
- we do not identify victims but can pass information anonymously and describe activity without attribution
- unbiased source of trusted information
• Co-ordinate with other organizations and experts
- academic, government, corporate
- distributed model for incident response teams (co-ordination and co-operation, not control)
Page 16
Current Activities
• 24 hour confidential incident response and vulnerability analysis
• Providing Internet security information to system and network administrators
• Developing a knowledgebase of vulnerability and incident data
• Documenting best practices for information security
• Facilitating the formation and training of new incident response teams
Page 17
Direction of Internet Security
What the Internet community is facing in terms of Internet security in the next few years can be summed up in the following statements:
• The expertise of intruders is increasing
• The sophistication of attacks and intruder tools/toolkits is increasing
• The effectiveness of intruders is increasing (knowledge is being passed to less knowledgeable intruders, making them effective)
Page 18
Direction of Internet Security
• The number of intrusions is increasing
• The number of companies and users of the Internet is increasing
• The complexity of protocols and applications run on clients and servers attached to the Internet is increasing
• The complexity of the Internet as a network is increasing
Page 19
Direction of Internet Security
• The information infrastructure has many fundamental security design problems that cannot be quickly addressed
• The number of people with security knowledge and expertise is increasing, but at a significantly smaller rate than the increase in the number of Internet users
• The number of security tools available is increasing, but not necessarily as fast as the complexity of software, systems and networks
Page 20
Direction of Internet Security
• The number of incident response teams is increasing, but the ratio of incident response personnel to Internet users is decreasing
• The vendor product development and testing cycle is decreasing
• Vendors continue to produce software with vulnerabilities, including types of vulnerabilities where prevention is well-understood (such as buffer overflows)
Page 21
Course Overview
• Information Security Concepts
• Key Areas
- Communication
- Vulnerabilities and Threats
- Strategies and Tactics
- Planning for Information Security
- Information Security Policy
- Incident Handling
- Making the Case
• Putting it all Together
Page 22
Information Security Concepts
Overview
• An example of an information security incident
• Information Security Model
• Complexity of Security
• Protecting Information Assets and Resources
• Administrative Responsibilities
• Risk and Trust
Page 23
Information Security Breached
New York Times - 9/3/1988
Page 24
Information Security Breached
Lessons Learned:
• Intruders actively seek ways to compromise systems
• Vulnerabilities and threats are constantly evolving
• Even sophisticated, security-conscientious organizations need to be vigilant
Notes:
• The signs of an information security compromise are not always readily visible
• Sustaining and improving information security requires continuous, proactive effort and readiness to respond
Page 25
Information Security Model
[Diagram: Information Security Properties x Information States x Security Measures]
NSTISSI 4011: National Training Standard for Information Systems Security Professionals, 1994
Page 26
Information Security Properties
• Confidentiality
• Integrity
• Availability
Page 27
Information States
• Processing
• Storage
• Transmission
Page 28
Security Measures
• Policy & Procedures
• Technology
• Education, Training & Awareness
Page 29
Information Security Model
[Diagram: the three-dimensional model - Information Security Properties (Confidentiality, Integrity, Availability) x Information States (Processing, Storage, Transmission) x Security Measures (Policy & Procedures, Technology, Education, Training & Awareness)]
Page 30
Complexity of Administration
In a networked systems environment, sustaining the security of information assets is a complicated task
• Interpret information security policies to implement appropriate access controls, data protection and capacity
• Establish and implement means to verify user credentials
• Implement and enforce information security policies at a variety of levels - data, host, network, Internet
• Sustain and monitor information security consistently throughout the system and network infrastructure
The complexity increases rapidly with scale
Page 31
Example: Data on a Workstation
Page 32
Employees
Page 33
Removable Media
Page 34
Other Systems on the Network
Page 35
Other Resources on the Network
Page 36
Access to the Internet
Page 37
Access to Other Local Networks
Page 38
Other Routes to the Internet
Page 39
Telephones and Modems
Page 40
Open Network Ports
Page 41
Remote Users
Page 42
Vendor and Contractor Access
Page 43
Access to External Resources
Page 44
Public Information Services
Page 45
Operating Environment
Page 46
Complexity of Administration
• These are only a sample of the issues
• Making a mistake in just one part of one area can lead to a compromise
Page 47
Protecting Information Assets and Resources
• Avoidance
• Prevention
• Detection
• Containment and Response
• Recovery
• Improvement
Page 48
Administrative Responsibilities
• Authorization
• Authentication
• Accountability
• Monitoring
• Response to information security incidents
• Damage assessment and recovery
• Analysis and implementation of security improvements
• System and software deployment, upkeep and retirement
• Backups and “hot spares”
Page 49
Risk and Trust
Managing Risk
• Identify the information assets to be protected
• Prioritize the importance of securing each information asset
• Identify vulnerabilities of each asset, and the threats to it
• Prioritize the impact of each threat against those vulnerabilities
• Select and implement appropriate safeguards
• Assume incidents will occur - “There are no silver bullets”
Trust Dilemma
• You cannot eliminate, nor even mitigate, all possible risks
• At some point, you have to trust someone or something
Page 50
Exercise: Trust
Complete the exercise on page 1.
Page 51
Information Security Concepts
Key Points
• The goal of information security is to sustain and defend the confidentiality, integrity and availability of information
• Despite your best efforts, you must assume that information security incidents will occur
• Even sophisticated, security-conscientious organizations need to be vigilant
• The complexity of administrating information security increases rapidly with scale
• Sustaining and improving information security is a continuous risk management activity
• At some point, you have to trust someone or something
Page 52
Key Areas
• Communication
• Vulnerabilities & Threats
• Strategies & Tactics
• Planning
• Information Security Policy
• Incident Handling
• Making the Case
Page 53
Communication
Key Areas
Page 54
Communication
Overview
• Meaningful and Effective Communication
• Communicating about Security
• Communication Channels
Page 55
Communication
Meaningful communication
• language
• context
Effective communication
• accuracy and clarity
• relevance to the listener
Page 56
Communicating about Security
YOU, in communication with:
• Other System and Network Administrators
• Information Security Officers and Incident Handling Groups
• Management
• Information Technology Staff and Systems Developers
• Users of Information Systems
• Information Service Providers, Vendors and Contractors
Page 57
Communication Channels
Whom do you call?
• Peer system and network administrators
• Management
• Information Security Officers
• Physical Security Staff
• Network Service Providers, IT vendors
• Incident Handling Organizations
Who calls you?
• Whom should they call?
• Who should call you?
Page 58
Exercise: Contact List
Complete the exercise on pages 2 and 3.
Page 59
Communication
Key Points
• Excellent communication skills are a must for computer professionals
• As a computer professional, you have an important role in communicating to others about information security
• Establishing and sustaining communication channels are critically important for information security readiness
Page 60
Communication
Vulnerabilities & Threats
Key Areas
Page 61
Vulnerabilities & Threats
Overview
• Why Care About Vulnerabilities
• Common Terms
• Vulnerabilities
• Threats
• Intruders
• Software Flaws
• Configuration Errors
• Network Intrusions
• Forms of Attack
Page 62
Will Vulnerabilities Be Found?
• San Diego Supercomputer Center conducted an experiment
• Red Hat Linux 5.2 with no security patches installed on machine
• Monitoring established to record traffic to and from host
• Host not otherwise used by staff
See: http://worm.sdsc.edu
Page 63
Will Vulnerabilities Be Found?
• 8 hours from install
- probed for a Solaris RPC vulnerability, not compromised
• 21 days from install
- 20 exploits tried for vulnerabilities including POP, IMAP, telnet, RPC, and mountd
- exploit attempts failed because they were exploits for Red Hat 6.x
• About 40 days from install
- compromised through a POP server vulnerability
- intruder wipes some system logs
- intruder installs rootkit and sniffer
Page 64
Common Terms
Vulnerability - A feature or a combination of features of a system that allows an adversary to place the system in a state that is contrary to the desires of the people responsible for the system and increases the probability or magnitude of undesirable behavior in or of the system.
Threat - any circumstance or event with the potential for causing harm to an information system in the form of destruction, disclosure, adverse modification of data, and/or denial of service
Safeguard - an action, device, procedure, technique, or other measure that reduces the vulnerability of an information system
Page 65
Common Terms
Incident - An event (or set of related events) in which the information security policies of an organization are violated.
A collection of data representing one or more related attacks. Attacks may be related by attacker, type of attack, objectives, sites, or timing.
Attack - An attempt to breach the security of an information asset or resource
Page 66
Common Terms
Intrusion - A breach in the security of an information asset or resource resulting from a successful attack.
An action conducted by one adversary, the intruder, against another adversary, the victim. The intruder carries out an attack with a specific objective in mind. From the perspective of an administrator responsible for maintaining a system, an attack is a set of one or more events that may have one or more security consequences. From the perspective of an intruder, an attack is a mechanism to fulfill an objective.
Page 67
Common Terms
Intruder - A person who deliberately attempts to breach the security of an information asset or resource.
The person who carries out an attack. Attacker is a common synonym for intruder. The words attacker and intruder apply only after an attack has occurred. A potential intruder may be referred to as an adversary. Since the label of intruder is assigned by the victim of the intrusion and is therefore contingent on the victim’s definition of encroachment, there can be no ubiquitous categorization of actions as being intrusive or not.
Page 68
Common Terms
Trojan Horse - Malicious software or content planted by an intruder on a target system, typically masquerading as a normal or expected program or file. Intruders often install trojan horse versions of system software on systems they have compromised to hide their activities on the system and to illicitly gather information such as users’ account passwords.
Trojan horse software may also be embedded in e-mail attachments in a manner that causes unsuspecting recipients to execute the malicious software when the attachment is opened. Examples include the Melissa macro virus and Happy99.exe trojan horse.
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
Page 69
Common Terms
Compromise - Disclosure of information to unauthorized persons
A breach in the security of an information asset or resource
“root” Compromise - Compromise of an information system resulting in access by an intruder at a level equivalent to that of an administrator (a.k.a. root, superuser) of the system
Page 70
Vulnerabilities
• Software and Hardware
• Personnel
• Environment
• Change
Page 71
Threats Overview
• ... to Confidentiality
• ... to Integrity
• ... to Availability
Page 72
Threats to Confidentiality
• Unauthorized access
- observation, eavesdropping, copying, theft
• Inappropriate disclosure
Page 73
Threats to Integrity
• Unauthorized modification or destruction
• Loss of means to authenticate or verify integrity
Page 74
Threats to Availability
• Denial of service
• Theft
• Threats to integrity
- availability of reliable data
• Loss of the means to access data
- passwords, encryption keys, technology
Page 75
Other Threats
Human Error
• Data entry errors
• Improper data handling
- transmission
- processing
- storage
- disposal
• Negligence
Page 76
Other Threats
Environment
• Electromagnetic Interference
• Physical damage due to weather
• Natural disasters
• Armed conflicts
• Loss of power, water, network or phone connectivity
Page 77
Intruders Overview
• Internal
• External
• Means
• Motive
• Opportunity
Page 78
Internal Intruders
• Employees
• Contractors
• Service personnel
• Visitors
• Covert agents
Page 79
External Intruders
• Former employees
• Contractors
• Clients and Customers
• “Crackers”
• Vandals
• Thieves and Organized Crime
• Business competitors
• Political opponents and Insurgent groups
• Foreign agents
Page 80
Intruder Means
Means is the sum of:
• What they know and can learn
- Abundant sources of technical information
• Information from others who can help them
- Mailing lists, conferences, chat rooms
• Tools they have at their disposal to execute an intrusion
- Availability of sophisticated, easy-to-use intruder tools
Page 81
Evolving Intruder Threat
[Chart: Sophistication of Intruder Attacks, Low to High, plotted 1975 to 2000]
Page 82
Evolving Intruder Threat
[Chart: Technical Knowledge and Skill Required by Intruders, Expert to Novice, plotted 1975 to 2000]
Page 83
Intruder Motives
• Money, profit
• Access to additional resources
• Competitive advantage
- Economic
- Political
• Personal grievance, vengeance
• Curiosity
• Mischief
• Attention
Page 84
Opportunities for Intrusion
• Rapid adoption of computer and network technology in government, industry, and educational organizations
• Internet explosion and e-commerce
• Thousands of exploitable vulnerabilities in technology
• Lack of awareness regarding information security
• Shortage of qualified system and network administrators and information security staff
• Lack of applicable laws and means of enforcement
• International scope
Page 85
Internet Growth
[Chart: Network Wizards, Inc. Internet Domain Survey Host Count History, 1975 to 2000, 0 to 50,000,000 hosts]
Page 86
Vulnerability Exploit Cycle
1. Advanced intruders discover a new vulnerability
2. Crude exploit tools are distributed
3. Novice intruders use the crude exploit tools
4. Automated scanning/exploit tools are developed
5. Widespread use of automated scanning/exploit tools
6. Intruders begin using new types of exploits
Page 87
Software Vulnerabilities
Examples
• Buffer overflows
• Timing windows
Avoiding Software Vulnerabilities
• Defensive Programming
Page 88
Buffer Overflow Example
[Diagram: stack layout of a subroutine - the buffer in the subroutine, followed by the subroutine return address]
Page 89
Buffer Overflow Example
• In a subroutine, the intruder forces more data into a buffer than the size of the buffer allocated for it
[Diagram: intruder data filling the buffer, up against the return address]
Page 90
Buffer Overflow Example
• In a subroutine, the intruder forces more data into a buffer than the size of the buffer allocated for it
• The intruder data spills over onto the subroutine return address memory cell
• Embedded in the intruder data are malicious program commands and a new subroutine return address
• When the subroutine returns, the next instructions executed are those given by the intruder, with the privileges of the program
[Diagram: intruder data overrunning the buffer and overwriting the return address]
Page 91
Timing Window Example
A real-world timing window problem:
• Call the video store
• “Do you have ‘Saving Private Ryan’?”
• “Yes”
• Drive to the video store
• Alas, someone retrieved the copy first
You asked an incomplete question. You should have asked:
• “Do you have ‘Saving Private Ryan’, and if you do, please hold it for me.”
• Better level of atomicity
Page 92
Timing Window Example
TIME  PROGRAM
t1    if (file_does_not_exist(some_file)) then
t2        create(some_file);
t3    endif
Stretch the t1 to t2 interval
Change the world during that interval
Page 93
Timing Window Example
How to change the t1 to t2 interval?
• Load the system: run many programs, flood it with network traffic, anything to make the system run slower
• Run the race over and over; eventually you’ll win
What to do in the t1 to t2 interval?
• Replace the file about to be created with a symbolic link
• The file is then created elsewhere
• If it is a set-UID root program, the file can be created anywhere, or an existing file’s contents wiped
Page 94
Timing Window Example
TIME  PROGRAM                      ATTACKER
t1    if (…("/tmp/t") then
t1+i                               symlink("/tmp/t", "/etc/passwd")
t2        create("/tmp/t");
This results in /etc/passwd being “created,” or zeroed, hence a denial of service
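The t1/t2 race on these slides, as an added example (not code from the original CERT/CC course): the racy check-then-create beside the atomic O_CREAT|O_EXCL create that gives the “better level of atomicity” the slides ask for. The throwaway directory, the victim file standing in for /etc/passwd, and the hook that widens the window are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* RACY: the t1/t2 pattern from the slide. The existence check and the create
 * are two separate system calls, so the file system can change between them.
 * `between` stands in for "change the world during that interval"; it exists
 * only so the demo can widen the window deterministically instead of racing. */
static int create_racy(const char *path, void (*between)(void *), void *arg) {
    struct stat st;
    if (stat(path, &st) == 0)                 /* t1: does the file exist? */
        return -EEXIST;
    if (between) between(arg);                /* t1+i: the window */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600); /* t2: follows a symlink */
    if (fd < 0) return -errno;
    close(fd);
    return 0;
}

/* ATOMIC: O_CREAT|O_EXCL turns "create only if nothing is there" into one
 * kernel operation. If any directory entry already exists at `path`, a
 * symlink included, open() fails with EEXIST and nothing is followed or
 * truncated. This is the fix for the race, not a narrower window. */
static int create_atomic(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -errno;
    close(fd);
    return 0;
}

/* ---- constructed demo scaffolding, not part of the technique ---- */
struct plant { const char *link; const char *victim; };

/* The attacker step from the slide, run inside the window: make the path the
 * program is about to create point at a file it never intended to touch. */
static void plant_symlink(void *arg) {
    struct plant *p = arg;
    (void)symlink(p->victim, p->link);
}

static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

static void write_victim(const char *path) {
    FILE *f = fopen(path, "w");
    if (f) { fputs("important data\n", f); fclose(f); }   /* 15 bytes */
}

struct result { long racy_victim_size; int atomic_rc; long atomic_victim_size; };

/* Runs both versions in a throwaway directory and reports what happened to
 * the victim file (the stand-in for /etc/passwd on the slide). */
struct result run_demo(void) {
    struct result r = { -1, 0, -1 };
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    if (!mkdtemp(dir)) return r;
    char link[64], victim[64];
    snprintf(link, sizeof link, "%s/t", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    struct plant p = { link, victim };

    write_victim(victim);
    create_racy(link, plant_symlink, &p);       /* check says "absent", then the link appears */
    r.racy_victim_size = file_size(victim);     /* 0: victim truncated through the link */

    unlink(link);
    write_victim(victim);
    plant_symlink(&p);                          /* link already planted this time */
    r.atomic_rc = create_atomic(link);          /* -EEXIST: refused, nothing followed */
    r.atomic_victim_size = file_size(victim);   /* 15: untouched */

    unlink(link); unlink(victim); rmdir(dir);
    return r;
}

int main(void) {
    struct result r = run_demo();
    printf("racy:   victim size after create = %ld\n", r.racy_victim_size);
    printf("atomic: rc = %d (EEXIST = %d), victim size = %ld\n",
           r.atomic_rc, EEXIST, r.atomic_victim_size);
    return 0;
}
```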
Page 95
Defensive Programming
• Don’t trust untrustworthy data
- always check input length
- always use bounded functions
- always check input for unexpected data
- limit acceptable input; reject all violations; provide documented default
• Avoid vulnerable functions such as system() and popen()
• Test all programs thoroughly before deployment
- make testing conditions as realistic as possible
- always check boundary conditions
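The subroutine from the Buffer Overflow Example slides with the Defensive Programming rules applied, added here as an example (not code from the original CERT/CC course): the unsafe version copies into a fixed stack buffer with no length check; the hardened version checks the length, uses a bounded copy and rejects over-long input instead of truncating it. BUF_SIZE and the function names are assumptions for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: size of the fixed buffer the subroutine owns. */
#define BUF_SIZE 16

/* VULNERABLE, for contrast only. This is the subroutine from the slide:
 * strcpy() keeps writing until it finds the terminating NUL in `input`, so
 * anything longer than BUF_SIZE-1 bytes spills past buf into whatever the
 * compiler placed next on the stack, where the saved return address lives.
 * Nothing checks the length. Never hand it data from outside the program. */
void handle_request_unsafe(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);                       /* unbounded copy */
    printf("processing %s\n", buf);
}

/* The "Defensive Programming" rules applied: check the length first, copy with
 * a bounded operation, and reject over-long input with a documented error code
 * instead of silently truncating it. strnlen() never reads more than dstsz
 * bytes, so it is safe even if `src` is not terminated within that range. */
int bounded_copy(char *dst, size_t dstsz, const char *src) {
    size_t len = strnlen(src, dstsz);
    if (len >= dstsz) {
        return -1;                            /* would not fit with its NUL */
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

int handle_request_safe(const char *input) {
    char buf[BUF_SIZE];
    if (bounded_copy(buf, sizeof buf, input) != 0) {
        fprintf(stderr, "rejected: input exceeds %d bytes\n", BUF_SIZE - 1);
        return -1;                            /* documented default: reject */
    }
    printf("processing %s\n", buf);
    return 0;
}

/* Boundary check a caller can run before touching any BUF_SIZE buffer:
 * 0 if `src` fits with its terminator, -1 if it does not. */
int fits_in_buffer(const char *src) {
    char tmp[BUF_SIZE];
    return bounded_copy(tmp, sizeof tmp, src);
}

int main(void) {
    const char *ok = "alice";                                   /* fits */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 32 bytes: does not */
    handle_request_unsafe(ok);            /* works only because the input is short */
    printf("safe(ok) = %d\n", handle_request_safe(ok));             /* 0 */
    printf("safe(too_long) = %d\n", handle_request_safe(too_long)); /* -1 */
    return 0;
}
```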
Page 96
Common Configuration Errors Overview
• Vulnerable default configurations
• Incorrect access controls and execution privileges
• Problems maintaining system and network software
Page 97
Vulnerable Default Configurations
• Empty passwords and well-known vendor passwords
• Guest and other default accounts
• Unnecessary features and services enabled
• Remote access enabled
• Logging and auditing features disabled
• Incorrect default access controls
• Need for updated device drivers and software patches
Page 98
Incorrect System Access Controls
• Access to administrative systems, programs, and configuration data
• Access privileges for storage volumes, directories and files
• Remote access to local system resources
• Ownership of files and access privileges retained by terminated accounts
• Access to backup data
Page 99
Incorrect Network Access Controls
• Access to administrative capabilities of networked systems and components
• Router and switch configurations
• Firewall configurations
• Network monitor configurations
• Trust relationships between networked systems
Page 100
Problems Maintaining System and Network Software
• Failing to keep software up-to-date regarding security fixes
• Assuming old configuration files will be OK for updated versions of software
• Assuming that new versions of software will have all the security fixes included
• Accepting unwritten default settings (not setting all configuration settings explicitly)
• Inconsistency of software versions and configurations across all systems and network infrastructure components
Page 101
Exercise: Vulnerabilities
Complete the exercise on page 4.
Page 102
Network Intrusions
• Intrusions from remote systems can be achieved in a matter of seconds using automated intruder tools
• Intruders are interested in gaining access to computing resources as well as to private data
• Intruders often compromise a series of remote systems, making it difficult to trace their activities
• Network intrusions originating outside of your jurisdiction and from foreign countries may be impossible to prosecute
Page 103
A Network Intrusion Scenario
Page 104
Intruder Probes a Remote System
Page 105
Exploits a Vulnerability Found
Page 106
Gains Privileged Access
Page 107
Installs Trojan Horse Programs
Page 108
Compromises Other Local Hosts
Page 109
Attacks Other Remote Systems
Page 110
Exploits Connectivity Found
Page 111
Attacks Target System
Page 112
Inflicts Damage
Page 113
Forms of Attack
• Abuse of Access Privileges
• Physical Theft
• Information Gathering
• Password Cracking
• Exploitation of System and Network Vulnerabilities
• Spoofing
• Denial of Service
• Exploitation of Trust
• Network Infrastructure Attacks
• Malicious Code
Page 114
Information Gathering
• Dumpster Diving
• Social Engineering
• Probes
• Network Scans
• Network Mapping
• Keystroke Monitoring
• Packet Sniffing
Probes and network scans are the most commonly reported intruder activity
Page 115
Scans
• Intruders commonly use automated tools to scan networks for vulnerable systems
• Scans may be recognizable in network traffic logs as a series of consecutive probes to a range of system addresses or port numbers
• Stealth scans spread probes out over time to appear inconspicuous within normal traffic patterns
• Intruders employ automated tools to call telephone number ranges in search of modems used for dial-up connections
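Scan recognition as the slide describes it, “a series of consecutive probes to a range of system addresses or port numbers”, as an added example (not code from the original CERT/CC course). The log lines, their format and the threshold of 5 are constructed assumptions; the code aggregates distinct destination hosts and ports per source and labels a source as a port scan or an address sweep.

```c
#include <stdio.h>
#include <string.h>

/* Constructed firewall-style log lines (not from the original course):
 * "<time> <proto> <src>:<sport> -> <dst>:<dport>" */
static const char *SAMPLE_LOG[] = {
    "02:14:07 TCP 10.9.8.7:4521 -> 192.168.1.10:21",
    "02:14:07 TCP 10.9.8.7:4522 -> 192.168.1.10:22",
    "02:14:08 TCP 10.9.8.7:4523 -> 192.168.1.10:23",
    "02:14:08 TCP 10.9.8.7:4524 -> 192.168.1.10:25",
    "02:14:09 TCP 10.9.8.7:4525 -> 192.168.1.10:80",
    "02:14:09 TCP 10.9.8.7:4526 -> 192.168.1.10:110",
    "02:15:01 TCP 10.5.5.5:3301 -> 192.168.1.1:111",
    "02:15:01 TCP 10.5.5.5:3302 -> 192.168.1.2:111",
    "02:15:02 TCP 10.5.5.5:3303 -> 192.168.1.3:111",
    "02:15:02 TCP 10.5.5.5:3304 -> 192.168.1.4:111",
    "02:15:03 TCP 10.5.5.5:3305 -> 192.168.1.5:111",
    "02:16:40 TCP 10.2.2.2:51000 -> 192.168.1.10:80",
    "02:16:41 TCP 10.2.2.2:51001 -> 192.168.1.10:80",
    "garbage line that the parser must skip",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

#define MAX_SOURCES 32      /* demo-sized tables; a real tool would hash */
#define MAX_DISTINCT 64
#define IPLEN 16

struct source {
    char ip[IPLEN];
    char hosts[MAX_DISTINCT][IPLEN]; int nhosts;   /* distinct destination hosts */
    int  ports[MAX_DISTINCT];        int nports;   /* distinct destination ports */
};
struct scan_report { struct source src[MAX_SOURCES]; int n; };

static struct source *find_or_add(struct scan_report *r, const char *ip) {
    for (int i = 0; i < r->n; i++)
        if (strcmp(r->src[i].ip, ip) == 0) return &r->src[i];
    if (r->n == MAX_SOURCES) return NULL;
    struct source *s = &r->src[r->n++];
    memset(s, 0, sizeof *s);
    snprintf(s->ip, IPLEN, "%s", ip);
    return s;
}

static void note_host(struct source *s, const char *host) {
    for (int i = 0; i < s->nhosts; i++)
        if (strcmp(s->hosts[i], host) == 0) return;
    if (s->nhosts < MAX_DISTINCT) snprintf(s->hosts[s->nhosts++], IPLEN, "%s", host);
}

static void note_port(struct source *s, int port) {
    for (int i = 0; i < s->nports; i++)
        if (s->ports[i] == port) return;
    if (s->nports < MAX_DISTINCT) s->ports[s->nports++] = port;
}

/* Parse one line into src, dst and dport; -1 if it is not in the expected shape.
 * %15[^:] reads an address up to the ':' that separates it from the port. */
static int parse_line(const char *line, char *src, char *dst, int *dport) {
    char ts[16], proto[8]; int sport;
    int n = sscanf(line, "%15s %7s %15[^:]:%d -> %15[^:]:%d",
                   ts, proto, src, &sport, dst, dport);
    return n == 6 ? 0 : -1;
}

/* Aggregate distinct destination hosts and ports per source address. */
void build_report(const char **lines, size_t nlines, struct scan_report *r) {
    r->n = 0;
    for (size_t i = 0; i < nlines; i++) {
        char src[IPLEN], dst[IPLEN]; int dport;
        if (parse_line(lines[i], src, dst, &dport) != 0) continue;  /* skip malformed */
        struct source *s = find_or_add(r, src);
        if (!s) continue;
        note_host(s, dst);
        note_port(s, dport);
    }
}

/* A port scan touches many ports on few hosts; an address sweep touches one
 * port on many hosts. The threshold is tunable; 5 is a constructed value. */
const char *classify(const struct source *s, int threshold) {
    if (s->nports >= threshold) return "port scan";
    if (s->nhosts >= threshold) return "address sweep";
    return "normal";
}

/* Classify one source address from the constructed sample log. */
const char *classify_ip_in_sample(const char *ip, int threshold) {
    static struct scan_report r;
    build_report(SAMPLE_LOG, SAMPLE_LOG_LEN, &r);
    for (int i = 0; i < r.n; i++)
        if (strcmp(r.src[i].ip, ip) == 0) return classify(&r.src[i], threshold);
    return "unknown";
}

int main(void) {
    struct scan_report r;
    build_report(SAMPLE_LOG, SAMPLE_LOG_LEN, &r);
    for (int i = 0; i < r.n; i++)
        printf("%-12s hosts=%d ports=%d -> %s\n", r.src[i].ip,
               r.src[i].nhosts, r.src[i].nports, classify(&r.src[i], 5));
    return 0;
}
```

A stealth scan spread out over time only shows up if the aggregation covers a long enough window, so run this over hours or days of logs rather than a single minute.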
Page 116
Packet Sniffing
Under normal conditions, the data in a packet transmitted over the network is read only by the destination system to which it is addressed.
[Diagram: packets crossing a router to the addressed destination]
Page 117
Packet Sniffing
When a packet sniffer is present, a copy of every packet that passes by it on the network is covertly captured.
[Diagram: packet sniffer executing on a host beside the router, copying the passing packets]
Page 118
Sniffed Telnet Example
Page 119
Denial of Service
• Loss of availability
• Loss of the ability to respond
• Consumption of a limited resource
• Forcing failure or shutdown of a system that
- contains a needed information asset or resource, or
- is required for delivery of an information asset or resource
Page 120
Examples of Denial of Service
Common denials of service launched across networks:
• Mail Bombs
• Ping Floods (e.g. “Smurf” attacks)
• SYN Attacks
• UDP Bounce Attacks
• Distributed Denials of Service
Page 121
Mail Bombs
Floods of e-mail messages intended to consume and exceed your mail system’s capacity to process and store them
• Automated tools can generate a continuous e-mail stream
• Falsified subscriptions of your e-mail address to a large number of automated mailing lists and newsgroups result in a flood of unwanted e-mail
What can you do?
• Require a confirmation message to initiate all subscriptions
• Enable anti-spam measures on mail proxies and servers
Page 122
Ping Floods
Floods of ping requests tie up a system’s ability to respond to legitimate connection requests
Example: “Smurf” attacks
Page 123
“Smurf” Attack
[diagram: the attacker behind one router, the 10.0.0.x network with many hosts, and the target 192.168.123.45 behind another router; the forged packet is labelled “Ping from 192.168.123.45 to 10.0.0.255”]
1. The attacker forges a ping packet with the source address set to that of the target system, 192.168.123.45
2. The forged ping packet is sent to the broadcast address of remote networks (here 10.0.0.255)
3. Pinging the broadcast address causes all hosts on that network to respond to the forged ping request
4. The hosts on the remote network each return a ping reply to the target host, flooding it with pings
Page 127
SYN Attacks
TCP session handshake sequence
[diagram: Client and Server exchanging 1 SYN, 2 SYN:ACK, 3 ACK]
• The server keeps track of a limited number of open TCP connections
• For each open TCP connection, the server waits a preset interval for the ACK packet in step 3
“Half-open” TCP connections
[diagram: the client sends SYN after SYN; the server answers each with a SYN:ACK and never receives the final ACK]
• The server receives a number of SYN packets but no subsequent ACK packets within the timeout period
• The server’s pool of open TCP connection slots fills up
• New connection attempts, even legitimate ones, get denied
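The slot-exhaustion mechanism above, as an added example in Python (not part of the original course). The first part models a listener with a fixed pool of half-open slots and a timeout, floods it with SYNs from forged, unreachable sources that never answer the SYN:ACK, and shows a legitimate client being refused until the flood entries time out; the backlog of 128 slots and the 75 second timeout are assumed values. The second part goes beyond the slide and shows the standard stateless defence, SYN cookies, in simplified form: the server keeps no state for a half-open connection and instead derives its initial sequence number from a keyed hash of the connection, then checks the client's final ACK against it (real implementations also encode the client's MSS in the cookie).

```python
"""SYN flood against a half-open connection table, and a simplified SYN-cookie
defence (added example; backlog and timeout values are assumptions)."""
import hashlib
import hmac
import os


class Listener:
    """A listening socket with a fixed pool of half-open connection slots."""

    def __init__(self, backlog=128, timeout=75.0):
        self.backlog = backlog
        self.timeout = timeout          # seconds to wait for the final ACK
        self.pending = {}               # client (ip, port) -> time the SYN arrived
        self.established = set()
        self.refused = 0

    def _expire(self, now):
        for client, t0 in list(self.pending.items()):
            if now - t0 > self.timeout:
                del self.pending[client]

    def on_syn(self, client, now):
        """Return True if a SYN:ACK is sent, False if the SYN is dropped."""
        self._expire(now)
        if len(self.pending) >= self.backlog:
            self.refused += 1
            return False
        self.pending[client] = now
        return True

    def on_ack(self, client, now):
        """Complete the handshake if the client still holds a slot."""
        self._expire(now)
        if client not in self.pending:
            return False
        del self.pending[client]
        self.established.add(client)
        return True


def simulate_flood(backlog=128, timeout=75.0, flood=1000):
    """Forged, unreachable sources send SYNs and never answer the SYN:ACK."""
    srv = Listener(backlog, timeout)
    for i in range(flood):
        srv.on_syn((f"203.0.113.{i % 250 + 1}", 40000 + i), now=i / flood)
    legit = ("192.0.2.10", 51000)
    during = srv.on_syn(legit, now=1.0)                  # pool is full: refused
    after = srv.on_syn(legit, now=timeout + 2) and srv.on_ack(legit, now=timeout + 3)
    return during, after, srv.refused


SECRET = os.urandom(16)   # per-server secret; rotate it periodically in practice


def _cookie(client, server, counter, secret):
    """ISN = 8-bit time counter || 24 bits of HMAC(secret, client, server, counter)."""
    msg = repr((client, server, counter)).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return (counter << 24) | int.from_bytes(mac[:3], "big")


def syn_cookie(client, server, now, secret=SECRET):
    """Initial sequence number to send in the SYN:ACK; nothing is stored."""
    return _cookie(client, server, int(now // 64) & 0xFF, secret)


def check_cookie(client, server, ack, now, secret=SECRET):
    """Accept the final ACK only if it carries a cookie we issued recently."""
    isn = (ack - 1) & 0xFFFFFFFF
    counter = isn >> 24
    if (int(now // 64) - counter) % 256 > 1:      # issued more than about two minutes ago
        return False
    expected = _cookie(client, server, counter, secret)
    return hmac.compare_digest(expected.to_bytes(4, "big"), isn.to_bytes(4, "big"))


if __name__ == "__main__":
    print("refused during flood, accepted after timeout, SYNs dropped:", simulate_flood())
    c, s = ("192.0.2.10", 51000), ("198.51.100.1", 80)
    isn = syn_cookie(c, s, now=1000.0)
    print("valid ACK accepted:", check_cookie(c, s, isn + 1, now=1010.0))
    print("forged ACK accepted:", check_cookie(c, s, isn + 77, now=1010.0))
```

The cookie's 24-bit tag is deliberately short so that it fits in a sequence number; the protection comes from the secret and the short validity window, not from the tag length, which is why cookies are normally switched on only while the half-open table is under pressure.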
Page 134
UDP Bounce Attacks
User Datagram Protocol (UDP) is connectionless
UDP versions of diagnostic services simply respond when they receive a packet addressed to them
• echo
• discard
• daytime
• character generator (chargen)
Page 135
UDP Bounce Attacks
[diagram: two targets, one (green) offering the chargen service and the other (yellow) offering echo, bouncing traffic between each other]
• The attacker forges a packet addressed to the chargen port of one target, claiming to originate from the echo port of the other target (“To green:chargen From yellow:echo”)
• The target receiving the forged packet responds by sending a number of packets to the echo port of the other target
• Every packet received on the echo port is returned to the chargen port of the first target
• Each packet sent to the chargen port gets several back...
• The targets rapidly send an increasing flood of traffic to one another, rendering both systems unable to respond
• The extreme volume of traffic generated between the targets also affects network connectivity of other systems that share the network
Services like echo and chargen should generally be disabled on all systems and filtered at network gateways
Page 142
Typical Distributed DoS Attack
[diagram: the intruder, a handler and many agents spread across the Internet, and the victim]
Step One - Intruder to Handler: the intruder sends commands to the handler
Step Two - Handler to Agents: the handler (also called the master) sends commands to the agents
Step Three - Agents to Victim: each agent independently sends traffic to the victim
Page 146
DDoS Attack Tools Summary
trin00 and Tribe Flood Network
http://www.cert.org/incident_notes/IN-99-07
Tribe Flood Network 2K
http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html
Stacheldraht
http://www.cert.org/advisories/CA-2000-01.html
WinTrin00
http://www.cert.org/incident_notes/IN-2000-01.html
mstream
http://www.cert.org/incident_notes/IN-2000-05.html
Page 147
DDoS Communication Methods
Trinoo:
• intruder->handler 27665/tcp
• handler<->agent 27444/udp, 31335/udp
TFN:
• intruder->handler ssh, telnet, ICMP (loki)...
• handler->agent echo_reply/icmp
Stacheldraht:
• intruder->handler 16660/tcp
• handler->agent 65000/tcp, echo_reply/icmp
Shaft:
• intruder->handler 24032/tcp (not 20483/tcp)
• handler<->agent 18753/udp, 20433/udp
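An added example (not part of the original course) that turns the control-channel list above into detection logic: it scans flow records for the TCP and UDP ports named on the slide, and flags ICMP echo replies that answer no echo request, which is how TFN and Stacheldraht drive their agents. The port table contains only what the slide states; the flow records are constructed for the example.

```python
"""Flag flows that match the DDoS control channels listed on the slide, plus
unsolicited ICMP echo replies (added example; the flow records are constructed)."""

# Port signatures copied from the slide above; the direction labels are the slide's own.
CONTROL_PORTS = {
    ("tcp", 27665): "trinoo intruder->handler",
    ("udp", 27444): "trinoo handler<->agent",
    ("udp", 31335): "trinoo handler<->agent",
    ("tcp", 16660): "Stacheldraht intruder->handler",
    ("tcp", 65000): "Stacheldraht handler->agent",
    ("tcp", 24032): "Shaft intruder->handler",
    ("udp", 18753): "Shaft handler<->agent",
    ("udp", 20433): "Shaft handler<->agent",
}
ECHO_REQUEST, ECHO_REPLY = 8, 0


def parse_flow(line):
    """'proto,src,sport,dst,dport[,icmp_type]' -> dict."""
    f = line.strip().split(",")
    rec = {"proto": f[0], "src": f[1], "sport": int(f[2]), "dst": f[3], "dport": int(f[4])}
    rec["icmp_type"] = int(f[5]) if len(f) > 5 and f[5] else None
    return rec


def find_control_traffic(lines):
    """Return [(line_number, reason)] for flows worth investigating."""
    hits = []
    requests = set()         # (requester, target) pairs seen in echo requests
    for n, line in enumerate(lines, 1):
        r = parse_flow(line)
        if r["proto"] in ("tcp", "udp"):
            for port in (r["sport"], r["dport"]):
                reason = CONTROL_PORTS.get((r["proto"], port))
                if reason:
                    hits.append((n, reason))
                    break
        elif r["proto"] == "icmp":
            if r["icmp_type"] == ECHO_REQUEST:
                requests.add((r["src"], r["dst"]))
            elif r["icmp_type"] == ECHO_REPLY and (r["dst"], r["src"]) not in requests:
                # TFN and Stacheldraht drive agents with echo replies that answer no request
                hits.append((n, "unsolicited ICMP echo reply (possible handler->agent channel)"))
    return hits


SAMPLE_FLOWS = [                       # constructed for the example
    "tcp,203.0.113.5,41234,10.0.0.7,27665",
    "udp,10.0.0.7,27444,10.0.0.21,27444",
    "tcp,10.0.0.3,33445,198.51.100.8,80",
    "icmp,10.0.0.9,0,198.51.100.20,0,8",
    "icmp,198.51.100.20,0,10.0.0.9,0,0",
    "icmp,203.0.113.77,0,10.0.0.21,0,0",
    "tcp,10.0.0.7,65000,10.0.0.22,5000",
]

if __name__ == "__main__":
    for n, reason in find_control_traffic(SAMPLE_FLOWS):
        print(f"line {n}: {reason}")
```

Port matches are leads, not proof: high ports such as 65000 are also handed out as ordinary ephemeral client ports, and the tools can be recompiled with other numbers, so treat a hit as a reason to look at the host, not as a conviction.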
Page 148
Exploitation of Trust
It is common to set up trust relationships between networked systems to facilitate convenient access
• single sign-on authentication
• shared network file systems
Trust relationships that rely on network information (for example, the source IP address of a packet) to identify systems are vulnerable to exploitation by spoofed (i.e. forged) network packets
Example: IP Source Address Spoofing
Page 149
IP Source Address Spoofing
[diagram: Trusting Host 10.1.2.3 (yellow), Trusted Host 10.1.2.4 (green), and the Intruder’s Host pretending to be 10.1.2.4]
• 10.1.2.3 (yellow) trusts 10.1.2.4 (green) implicitly
• The intruder spoofs a connection request from 10.1.2.4 (“SYN from 10.1.2.4”)
• 10.1.2.3 attempts to acknowledge the connection request (“SYN:ACK to 10.1.2.4”)
• Normally, 10.1.2.4 would reject the unexpected SYN:ACK packet (“RST from 10.1.2.4”) and the attempt would fail
• The intruder, however, has first taken 10.1.2.4 out of action with a denial of service (for example, a SYN flood), so the SYN:ACK to 10.1.2.4 goes unanswered
• The intruder spoofs an acknowledgment from 10.1.2.4 (“ACK from 10.1.2.4”); the SYN:ACK never reached the intruder, so the acknowledgment has to carry a guessed sequence number, which is feasible only when 10.1.2.3 generates predictable initial sequence numbers
• 10.1.2.3 establishes the connection, believing that the intruder’s host is the trusted host, 10.1.2.4
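The attack above, as an added example in Python (not part of the original course) that makes the sequence-number guess explicit: the intruder first opens two honest connections from its own address to learn how the trusting host picks initial sequence numbers, then replays the slide's spoofed SYN and ACK. The addresses are the slide's; the fixed per-connection increment stands in for the behaviour of early BSD stacks and is an assumption, and the trusted host is assumed to have been silenced already. Against a host that draws its initial sequence number at random, the same steps fail.

```python
"""Why the spoofed ACK succeeds only against predictable initial sequence
numbers (added example; the ISN increment is an assumption)."""
import secrets

MASK = 0xFFFFFFFF


class TrustingHost:
    """10.1.2.3: accepts any connection that completes the handshake."""

    def __init__(self, isn_generator):
        self.next_isn = isn_generator
        self.half_open = {}          # peer address -> ISN we sent in the SYN:ACK
        self.established = set()

    def on_syn(self, peer):
        isn = self.next_isn()
        self.half_open[peer] = isn
        return isn                   # carried to `peer` in the SYN:ACK, not to the real sender

    def on_ack(self, peer, ack):
        if peer in self.half_open and ack == (self.half_open[peer] + 1) & MASK:
            del self.half_open[peer]
            self.established.add(peer)
            return True
        return False


def sequential_isn(step=64000, start=0x12345678):
    """ISN grows by a fixed step per connection (assumed, early-BSD style)."""
    state = [start]

    def gen():
        state[0] = (state[0] + step) & MASK
        return state[0]
    return gen


def random_isn():
    """ISN drawn from a cryptographic RNG, as modern stacks do."""
    return lambda: secrets.randbits(32)


def spoof_attempt(host, trusted="10.1.2.4", intruder="10.1.2.99"):
    """Replay the slide's steps; the trusted host is assumed already silenced."""
    # 1. Two honest connections from the intruder's own address reveal the pattern
    s1 = host.on_syn(intruder)
    host.on_ack(intruder, (s1 + 1) & MASK)
    s2 = host.on_syn(intruder)
    host.on_ack(intruder, (s2 + 1) & MASK)
    step = (s2 - s1) & MASK
    # 2. Spoofed SYN "from" 10.1.2.4; the SYN:ACK goes to 10.1.2.4, which cannot reply
    host.on_syn(trusted)
    # 3. Spoofed ACK carrying the guessed sequence number
    guess = (s2 + step) & MASK
    return host.on_ack(trusted, (guess + 1) & MASK)


if __name__ == "__main__":
    print("predictable ISN, spoof succeeds:", spoof_attempt(TrustingHost(sequential_isn())))
    print("random ISN, spoof succeeds:     ", spoof_attempt(TrustingHost(random_isn())))
```

Randomized initial sequence numbers only raise the cost of the guess; they do not make address-based trust safe. The host security guideline later in this course, avoiding implicit trust relationships between hosts, is the actual fix.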
Page 156
Malicious Code
• Viruses
• Trojan Horse Attacks
- Executable content in downloaded files
- Executable web page content: Javascript, Java, ActiveX
- Executable content in e-mail and attached documents
• Worms
Always verify the integrity and authenticity of downloaded content
Always scan content for malicious code before opening
Page 157
Love Letter Worm
• Malicious code that potentially
- generates large amounts of email and entries in the registry
- destroys or hides certain types of files
• Propagates via several methods
- email
- infected files (on local disk and network drives)
- IRC
• Uses social component to facilitate spread
Page 158
Love Letter Worm
• New variants continue to be discovered
• While the worst activity is over, re-infections will continue to occur in the future
See:
http://www.cert.org/advisories/CA-2000-04.html
Page 159
Exercise: Attacks
Complete the exercise on page 5.
Page 160
Vulnerabilities & Threats
Key Points
• The intruder threat is increasing
• Always use defensive programming techniques
• Intruders use sophisticated, automated, easy-to-use tools to launch attacks
• Intruders actively scan networks and probe systems to find vulnerabilities that they can exploit
• Denial of service attacks are common and difficult to avoid
• Intruders often exploit trust relationships among systems
• Always guard against malicious code in content received
Page 161
Communication
Vulnerabilities & Threats
Strategies & Tactics
Key Areas
Page 162
Strategies & Tactics
Overview
• Complexity of Administration
• IT System Life Cycle
• Preparation
• Implementation Challenges
• Strategies for Manageable Security
• Sustaining Security over Time
• Common Security Tactics
Page 163
Exercise: Infrastructure
Complete the exercise on page 6.
Page 164
Complexity of Administration
Page 165
IT System Life Cycle
Initiation and Planning
Development and Acquisition
Preparation and Testing
Implementation
• Education and Training
Operation
• Maintenance and Updates
• Security Monitoring
• Disposal of Information
Termination
Page 166
Preparation
For all systems and networks administered:
• maintain a complete record of all systems and networks
• know what information assets and resources they contain
• know what information security policies apply to them
• know what system and network services are enabled
- e.g., Web, e-mail, and file service, remote login, DNS, etc.
• identify weakest links
• identify means to avoid, prevent, detect and respond to security problems
• document assumptions and tradeoffs
Page 167
Implementation Challenges
• Vendors generally focus their efforts on product features and flexibility, not ease of secure administration
• Existing system and network infrastructure may not support the desired means to secure information
• There may be no way to satisfy all requirements as stated in your organization’s information security policy
• The cost to implement and sustain security measures as required by policy may be prohibitive
Page 168
Strategies for Manageable Security
• Take a conservative approach to configuration
• Separate and isolate networks, systems and services
• Create layers of access and diversify safeguards
• Practice vigilance
Page 169
Conservative Approach
• Assume that vulnerabilities exist that you are not aware of
• Start by disabling all capabilities
• Enable only those capabilities that are required, and configure them to maximize security
• Remove all unnecessary software and data
• Carefully consider security implications of all added functionalities
• Apply the Principle of Least Privilege
Page 170
Separate, Isolate and Simplify
• Separate and isolate networks, systems, services and data by role, purpose and security sensitivity
• Establish zones of infrastructure and administration separated by differences in information security policy, e.g.
- Servers vs. client workstations
- Network services per server host
- Internal vs. external (public) accessibility
- Classified vs. non-classified data
• Enforce differences in information security policy between zones
Page 171
Consistency, Depth, Diversity
You’re only ever as secure as your weakest link
• Efforts to secure information are useless if there exist ways to get around them
Layer defenses to limit and contain breaches in security
• Do not assume your access controls and firewalls are impervious
• Perimeter defenses cannot thwart insider threats
Diversify safeguards between layers of access
• Do not let the same vulnerability affect multiple levels
Page 172
Practice Vigilance
• Prepare, test and replicate systems in an isolated, physically secure environment
• Deploy secure system, network and application logging and monitoring capabilities
• Regularly review logs for signs of intrusion
• Look for unexpected changes to directories and files
• Regularly scan for viruses
• Maintain and practice readiness to respond to security incidents
• Keep systems, software and configurations up-to-date
• Actively raise user and management awareness regarding information security
Page 173
Sustaining Security Over Time
The appropriate information security strategies and tactics to apply will change over time as
• your organization’s needs change
• your system or network requirements change
• new automated tools become available
• new systems are deployed
• new network connectivity is established
• existing systems and software become outdated
• new vulnerabilities are discovered
• intruder attack patterns change
Page 174
Common Security Tactics
• Cryptography
• Firewalls
• Network traffic filtering
• Network traffic monitoring
• Host security
• Security patches and workarounds
• Passwords
• Vulnerability testing
• Virus scanning
• Secure backups
Page 175
Uses of Cryptography
Confidentiality
• Encryption of files and data transmitted over networks
• Encryption of data stored off-line
Integrity Assurance
• Cryptographic checksums to strongly inhibit fraud
Authentication and Non-repudiation
• Public key authentication and digital signatures
Examples:
• Secure e-mail (PGP, S/MIME)
• Secure remote network connections (Secure Shell, VPNs)
Page 176
Network Firewalls
One or more components placed at gateways between networks to enforce information security policy
• Filtering routers
• Bastion hosts and application/service proxies
• Network switches
• Network monitors
Ensure secure administration of firewall components
Reinforce perimeter defenses with host security
Page 177
Minimal Firewall
[diagram: the External Network connected through a single Firewall Router to the Internal Network]
Firewall + Application Gateway
[diagram: the External Network connected to an Exterior Border Router; behind it a Perimeter Network holding a Bastion Host; behind that an Interior Firewall Router leading to the Internal Network]
Multiple Internal Networks
[diagram: as above, with a Network Monitor on the perimeter network beside the Bastion Host, and the Interior Firewall Router serving two separate Internal Networks]
A More Complex Firewall Setup
[diagram: the External Network connected to an Exterior Border Router; a perimeter network holding a Bastion Host and a Network Monitor; a Specialized Interior Firewall System feeding a Switch that serves two Internal Networks, with a second Network Monitor on the inside]
Page 181
TCP/IP Network Filtering
Prevent IP Source Address Spoofing across network boundaries
Block Inbound:
• packets with source IP addresses that match an IP address of your internal network
Block Outbound:
• packets with source IP addresses that do not match an IP address of your internal network
Block both inbound and outbound:
• packets with source IP addresses in one of the private address ranges reserved by RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
Page 182
TCP/IP Network Filtering
Inhibit common forms of Denial of Service attacks
• Disable IP directed broadcasts at all routers
Inhibit opportunities for packet sniffing and session hijacking
• Block IP source-routed packets at all routers
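The filtering rules on these two slides, plus the earlier advice to filter echo and chargen at network gateways, as an added example in Python (not part of the original course). It is a reference model of the policy that can be run against sample packets to check that each rule fires when it should, not a router configuration; the site's address space (192.0.2.0/24, split into two subnets), the external addresses and the packets are all constructed for the example.

```python
"""A border filter implementing the anti-spoofing, RFC 1918, directed-broadcast,
source-route and small-service rules (added example; addresses are constructed)."""
import ipaddress
from dataclasses import dataclass

INTERNAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/25"),
                    ipaddress.ip_network("192.0.2.128/25")]       # assumed site addresses
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMALL_SERVICES = {7, 9, 13, 19}        # echo, discard, daytime, chargen


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = arriving from the external network, "out" = leaving
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    source_routed: bool = False


def is_internal(addr):
    return any(addr in n for n in INTERNAL_SUBNETS)


def verdict(pkt):
    """Return 'permit' or 'drop: <reason>' for one packet crossing the border router."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.source_routed:
        return "drop: source-routed packet"
    if any(src in n for n in RFC1918):
        return "drop: RFC 1918 source address across the border"
    if pkt.direction == "in" and is_internal(src):
        return "drop: inbound packet claims an internal source (spoofed)"
    if pkt.direction == "out" and not is_internal(src):
        return "drop: outbound packet with a foreign source (spoofing from inside)"
    if pkt.direction == "in" and any(dst == n.broadcast_address for n in INTERNAL_SUBNETS):
        return "drop: directed broadcast (smurf amplification)"
    if pkt.proto in ("tcp", "udp") and SMALL_SERVICES & {pkt.sport, pkt.dport}:
        return "drop: echo/discard/daytime/chargen"
    return "permit"


SAMPLE_PACKETS = [  # constructed
    Packet("in", "198.51.100.7", "192.0.2.255", "icmp"),                   # smurf: to our broadcast
    Packet("in", "192.0.2.10", "192.0.2.20", "tcp", 1023, 513),            # inbound with our own address
    Packet("out", "203.0.113.4", "198.51.100.7", "icmp"),                  # inside host forging a source
    Packet("in", "203.0.113.9", "192.0.2.10", "tcp", 40000, 23, True),     # source-routed
    Packet("in", "10.1.1.1", "192.0.2.10", "udp", 53, 53),                 # private source from outside
    Packet("in", "203.0.113.9", "192.0.2.10", "udp", 7, 19),               # echo -> chargen bounce
    Packet("in", "203.0.113.9", "192.0.2.10", "tcp", 40000, 25),           # ordinary mail delivery
    Packet("out", "192.0.2.10", "203.0.113.9", "tcp", 40001, 80),          # ordinary web request
]


def apply_policy(packets=SAMPLE_PACKETS):
    return [verdict(p) for p in packets]


if __name__ == "__main__":
    for p, v in zip(SAMPLE_PACKETS, apply_policy()):
        print(f"{p.direction:3} {p.src:>15} -> {p.dst:<15} {v}")
```

The outbound rule is the one most often left out; it does nothing for your own hosts but stops your network from being used as the source of forged packets against someone else. If the internal network itself uses RFC 1918 addresses behind a NAT, the RFC 1918 rule belongs on the outside of the NAT only.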
Page 183
Host Security Guidelines
• Disable and remove all unnecessary accounts
• Disable and remove all unnecessary network and system services and application software
• Protect all sensitive system and service configuration software and data against unauthorized access
• Configure and enable logging and monitoring mechanisms
• Configure and require strong authentication for access to all information assets and resources
• Use groups to simplify management of access controls
• Regularly check system software and configuration data for unexpected changes
• Avoid implicit trust relationships between hosts
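The guideline above to check system software and configuration data for unexpected changes, and the earlier "look for unexpected changes to directories and files" under Practice Vigilance, as an added example in Python (not part of the original course, and not any particular tool's code): a baseline of cryptographic hashes and permissions is recorded for a file tree, and a later run reports what was added, removed or modified. The directory tree, the file contents and the intruder's changes are constructed in a temporary directory so the example runs offline.

```python
"""Baseline-and-compare check for unexpected changes to system files (added
example; the directory tree and the intruder's changes are constructed)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path):
    """Content hash plus the metadata an intruder most often alters."""
    st = path.lstat()
    return {
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "size": st.st_size,
    }


def baseline(root):
    """Fingerprint every regular file below root, keyed by relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(saved, current):
    """Report what appeared, vanished or changed since the saved baseline."""
    return {
        "added": sorted(set(current) - set(saved)),
        "removed": sorted(set(saved) - set(current)),
        "modified": sorted(k for k in set(saved) & set(current) if saved[k] != current[k]),
    }


def demo():
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        inetd = root / "etc" / "inetd.conf"
        login = root / "bin" / "login"
        inetd.write_text("telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd\n")
        login.write_bytes(b"\x7fELF original login\n")
        os.chmod(login, 0o755)
        saved = json.dumps(baseline(root))       # keep this copy off the host, on read-only media

        # Constructed intruder activity: trojaned binary, extra service, hidden file
        login.write_bytes(b"\x7fELF trojaned login\n")
        with inetd.open("a") as f:
            f.write("backdoor stream tcp nowait root /bin/sh sh -i\n")
        (root / "tmp").mkdir()
        (root / "tmp" / ".hidden").write_text("rootkit files")
        return compare(json.loads(saved), baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the baseline and the tool that computes it: both must be stored where an intruder with root on the monitored host cannot rewrite them, and the comparison should be run from known-good media, otherwise a trojaned checker will happily report "no changes".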
Page 184
Why Care About Patches
of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available.
Page 185
Security Patches and Workarounds
• Stay up-to-date regarding vendor patches and workarounds to address security vulnerabilities
• Verify the integrity and authenticity of all downloaded software before applying it to your systems
• Test patches and workarounds in an isolated, physically secure test environment before deployment
• Deploy security patches and workarounds as soon as possible to reduce exposure to attacks
• Maintain a thorough, up-to-date record of security patches and workarounds that you have applied
Page 186
CERT® Advisories
CERT® Advisories alert you to vulnerabilities for which you should take immediate action
• Description of the vulnerability and its scope
• Potential impact should the vulnerability be exploited
• Solutions or workarounds
• Appendices contain details and vendor information
• Revision history
• PGP signature
Page 187
Other CERT® Publications
The CERT® Coordination Center website (www.cert.org)
• CERT® Summaries
• Vendor-Initiated Bulletins
• CERT® Incident Notes
• CERT® Vulnerability Notes
• CERT® Security Improvement Modules
• Tech Tips
Page 188
Password Guidelines
Passwords are susceptible to cracking and sniffing
• Use one-time passwords wherever possible
If you must use reusable passwords
• Avoid trivial and easily-crackable passwords
• Protect password data against unauthorized access
• Educate all users regarding the critical importance of protecting password confidentiality
For all systems and network components
• Ensure that all accounts have passwords
• Replace all vendor-supplied passwords
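The one-time password recommendation above, as an added example in Python (not part of the original course): a hash-chain scheme in the style of S/KEY, where the user's passwords are successive preimages of a value the server holds, so a password captured by a sniffer is useless once it has been used. S/KEY itself uses MD4 and a passphrase-derived seed; this example uses SHA-256 and a random seed, and the chain length of five is chosen for the demonstration.

```python
"""One-time passwords from a hash chain, in the style of S/KEY (added example;
S/KEY uses MD4 and a passphrase-derived seed, this uses SHA-256 and a random seed)."""
import hashlib
import hmac
import secrets


def hash_chain(seed, n):
    """Apply SHA-256 n times to the seed."""
    x = seed
    for _ in range(n):
        x = hashlib.sha256(x).digest()
    return x


class OtpServer:
    """Stores only the last password it accepted (initially h^n(seed))."""

    def __init__(self, seed, n):
        self.stored = hash_chain(seed, n)      # computed at enrolment; the seed is not kept
        self.remaining = n

    def verify(self, candidate):
        if self.remaining == 0:
            return False                                   # chain exhausted; re-enrol
        if hmac.compare_digest(hashlib.sha256(candidate).digest(), self.stored):
            self.stored = candidate                        # move one step down the chain
            self.remaining -= 1
            return True
        return False


class OtpClient:
    """Holds the seed and hands out h^(n-1), h^(n-2), ... h^0 in turn."""

    def __init__(self, seed, n):
        self.seed = seed
        self.next_index = n - 1

    def next_password(self):
        if self.next_index < 0:
            raise RuntimeError("chain exhausted; enrol a new seed")
        pw = hash_chain(self.seed, self.next_index)
        self.next_index -= 1
        return pw


def enrol(n=5):
    """Enrolment: the seed stays with the user, the server gets only h^n(seed)."""
    seed = secrets.token_bytes(16)
    return OtpClient(seed, n), OtpServer(seed, n)


def demo():
    client, server = enrol(n=5)
    first = client.next_password()
    results = {
        "first login": server.verify(first),
        "sniffed password replayed": server.verify(first),
        "second login": server.verify(client.next_password()),
    }
    # Forging the next password would need a preimage of what the server now stores
    forged = hashlib.sha256(b"guess").digest()
    results["forged password"] = server.verify(forged)
    return results


if __name__ == "__main__":
    for event, ok in demo().items():
        print(f"{event:27}: {'accepted' if ok else 'rejected'}")
```

A sniffer that captures a password sees h^k(seed) and would need to invert the hash to produce h^(k-1)(seed), the next one the server will accept. The scheme defeats replay but not an active attacker who intercepts the password in flight and uses it before the user does, which is why it belongs inside an encrypted channel where one is available.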
Page 189
Vulnerability Testing
“Know what the intruders can know about you”
In an isolated, physically secure test environment:
• Password cracking tools
• Network scanning tools
• System scanning tools
Warning: Make sure you have authority to do so in writing before you engage in any vulnerability testing activities!
Page 190
Virus Scanning
Even the most conscientious users can receive a virus
• Files and media exchanged between employees and with customers or other external contacts
• Data downloaded from remote systems
• E-mail attachments
Measures
• Install and regularly use current virus scanning software
• Keep virus scanner signature data up-to-date on all systems
• Raise awareness of current and emerging virus threats
• Train users to scan all data received for viruses before use
Page 191
Secure Backups
• Data backups are essential to enable recovery in the event of failures and security incidents
• The confidentiality and integrity of data must be sustained during backup, storage, and restoration
• Data backup media must be protected against theft, modification, and destruction
• The means used to record and read backup media must be maintained as long as that media is used
• Encryption keys and passwords used to protect backup data must be securely escrowed
Page 192
Strategies & Tactics
Key Points
• Good security administration is all about good systems administration
• Take a conservative approach in configuration management
• Separate, isolate and simplify system and network services
• You’re only ever as secure as your weakest link
• Practice vigilance and be prepared for change
• Apply appropriate tactics to sustain and improve security
• Keep systems and network components up-to-date regarding patches and workarounds for security
• Maintain secure backups
Page 193
Communication
Vulnerabilities & Threats
Strategies & Tactics
Planning
Key Areas
Page 194
Planning
Overview
• Importance of planning
• Planning considerations
Page 195
Importance of Planning
You cannot afford to be left wondering what to do when struck by an information security incident
• Your first information security incident could put your organization entirely out of business
“A penny of planning is worth a pound of recovery”
• Time and resources must be allocated for planning
“Do not paint yourself into a corner”
• Information security measures must accommodate change
Page 196
Planning Considerations
Sustaining and improving information security is a complex, continuous, long term process
• Information assets and resources to be protected
• System and network architecture
• Communication channels and reporting procedures
• Proactive security measures and procedures
• Reactive security measures and procedures
• Testing and evaluating your plans
• Keeping plans up-to-date
• Documentation and record keeping
Page 197
Planning
Key Points
• You cannot afford to be left wondering what to do when you are struck by an information security incident
• Time and resources must be allocated for planning
• Proactive and reactive security measures and procedures must be carefully planned and tested
• Maintain documented plans for information security measures, including assumptions and reasoning
Page 198
Communication
Vulnerabilities & Threats
Strategies & Tactics
Planning
Information Security Policy
Key Areas
Page 199
Information Security Policy
Overview
• Participants and Stakeholders
• Risk Management and Analysis
• Characteristics of an Effective Information Security Policy
• Information Security Policy Issues
• Examples of Information Security Policy Statements
Page 200
Exercise: Information Security Policy
Complete the exercise on pages 7 and 8.
Page 201
Information Security Policy
What shapes the policy?
Who writes and shapes the policy and procedures?
Page 202
Information Security Policy Stakeholders
[diagram: the policy at the centre, surrounded by the parties who shape it]
• Management: top management (CTO, CIO)
• Users
• Others (clients, partners)
• Network Admin
• System Admin
• Database Admin
• Human Resources
• Legal
Page 203
Risk Analysis
Steps
1. Identify and assign value to assets
2. Prioritize assets
3. Determine vulnerability to threats and damage potential
4. Prioritize impact of threats
5. Select cost-effective safeguards
Page 204
Characteristics of an Effective Information Security Policy
• Long term focus
• Clear and concise
• Role-based
• Realistic
• Specifies areas of responsibility and authority
• Well-defined
• Up-to-date
Page 205
Information Security Policy Topics
[diagram: topics arranged around the policy]
• Communications
• Privacy
• Accountability
• Authorization
• Violations
• Network Traffic
• Availability
• Auditing
• Identification
• Authentication
• Access
• Redundancy
• Resources
• Supporting Info
• Risk Reduction
• Purchasing Guidelines
Page 206
Acceptable Use Policy Issues for Users
• Prohibiting sharing of accounts
• Requiring good passwords
• Guidelines for accessing unprotected programs or files
• Breaking into accounts
• Breaking into systems
• Cracking passwords
• Disrupting service
Page 207
Policy Issues for Privileged (Administrative) Users
• Authority and conditions for reading e-mail of other users
• Accessing protected programs or files
• Disrupting service under specific conditions
• Prohibiting sharing of accounts
• Prohibiting unauthorized creation of user accounts
• Authority and conditions for using vulnerability testing tools
Page 208
Policy Issues Examples
• What are users allowed to do with hardware on their computers?
• How do users gain remote access?
• What guidelines must a laptop user observe?
• How is software evaluated for deployment?
- What process must software pass through before it is installed?
- What files does the software access when running?
Page 209
Security Policy Example 1
Users must not copy software provided by
Organization X to any storage media (floppy disk,
magnetic tape, etc.), transfer such software to another
computer, or disclose such software to outside parties
without written permission from the Director of
Information Technology.
• Information Security Policies Made Easy, Charles Cresson Wood, 1997, p. 125
Page 210
Security Policy Example 2
Internet access using computers in Organization X is
permissible only when users go through an
Organization X firewall. Other ways to access the
Internet, such as dial-up connections with an Internet
Service Provider (ISP), are prohibited if Organization X
computers are employed.
• Information Security Policies Made Easy, Charles Cresson Wood, 1997, p. 318
Page 211
Information Security Policy
Key Points
• Make information security policy work for you and your organization
• Use risk management and risk analysis methods to shape information security policies
• Know what your organization’s information security policy authorizes you to do as a computer professional, and the conditions under which you can act with authority
Page 212
Communication
Vulnerabilities & Threats
Strategies & Tactics
Planning
Information Security Policy
Incident Handling
Key Areas
Page 213
Incident Handling
Overview
• CERT® Coordination Center Experience
• Intruders: Active and Organized
• Effective Incident Handling
• Incident Handling Steps
Page 214
CERT®/CC Experience
Since 1988 the CERT® Coordination Center has
• Responded to more than 18,000 security incidents that have affected more than 660,000 hosts on the Internet
• Helped to foster the creation of more than 80 incident response teams
Page 215
Recent CERT/CC Experiences

                                            1997     1998     1999    2000*
Incidents handled                          3,285    4,942    9,859    8,836
Vulnerabilities reported                     196      262      417      442
Email msgs processed                      38,406   31,933   34,612   26,413
CERT Advisories, Vendor Bulletins,
  and Vul Notes                               44       34       20        9
CERT Summaries and Incident Notes              6       15       13       10

*January through June of 2000
Page 216
Recent CERT®/CC Experiences
The increase in incidents in 1998 and 1999 can be attributed to the following factors:
• Significant increase in automated scanning and automated attacks by intruders
• Greater awareness of CERT®/CC by sites
• Increase in sites regularly reporting incidents
• Automated reporting
Page 217
Intruders: Active & Organized
• Telephone/voice message systems
• E-mail
• Bulletin board systems
• Anonymous FTP service
• Internet Relay Chat (IRC) - #hack channel
• Web sites
• Conferences
• Publications
Page 218
Handling Security Incidents
Assume that security incidents will occur
Plan and maintain readiness to handle security incidents
• Without adequate planning, you will incur much greater losses and much greater costs in the recovery effort
Computer Security Incident Response Teams (CSIRTs)
Do not wait until after an intrusion has occurred to start thinking about how to handle a security incident
Page 219
Effective Incident Handling
The primary goals of incident handling are to:
• Control and minimize damage
• Preserve evidence
• Recover as soon as possible
• Learn enough to help prevent exposure to similar problems in the future
Page 220
Incident Handling Steps
1 Prepare
2 Respond
3 Recover
4 Follow-up
Page 222
Prepare
Ensure that security policies support incident handling
Plan responses
• Locate backups
• Identify available resources and tools
• Coordinate team members; define roles and responsibilities
• Establish secure communication channels
• Coordinate with your public relations spokesperson
• Designate a technical lead to work with the public relations spokesperson
• Conduct regular training and readiness drills
Page 223
Respond
• Follow your information security policy and procedures
• Verify the incident
• Analyze the intrusion
• Communicate with appropriate parties
• Handle media inquiries through your designated public relations spokesperson
• Collect and protect information
• Contain the intrusion
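As an added example (not part of the CERT course material), the following Python script shows one way to carry out the "collect and protect information" step above together with the "preserve evidence" goal from the Effective Incident Handling slide: it records a SHA-256 manifest of each collected artifact at collection time, noting who collected it and when, and later re-verifies the artifacts so that any alteration or loss is detected rather than going unnoticed. The file names, the log line, the IP address (from the RFC 5737 documentation range) and the analyst name are all constructed for illustration.

```python
"""Evidence manifest: record and later verify the integrity of collected
incident artifacts.  Added example for this course section; it is not
CERT/CC tooling.  Paths and file contents are constructed for illustration."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large disk images or logs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths, collector):
    """Record who collected what, when, and each artifact's hash at collection time."""
    entries = []
    for path in paths:
        entries.append({
            "path": os.path.abspath(path),
            "size": os.path.getsize(path),
            "sha256": sha256_file(path),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    return {"entries": entries}


def verify_manifest(manifest):
    """Re-hash every artifact listed in the manifest.
    Returns a dict mapping path -> 'ok' | 'modified' | 'missing'."""
    results = {}
    for entry in manifest["entries"]:
        path = entry["path"]
        if not os.path.exists(path):
            results[path] = "missing"
        elif sha256_file(path) != entry["sha256"]:
            results[path] = "modified"
        else:
            results[path] = "ok"
    return results


def demo():
    """Collect two constructed artifacts, then alter one and delete the other
    to show that verification against the manifest catches both changes."""
    workdir = tempfile.mkdtemp(prefix="evidence_")
    auth_log = os.path.join(workdir, "auth.log")
    passwd_copy = os.path.join(workdir, "etc_passwd.copy")
    # Constructed sample content standing in for files copied off an affected host.
    with open(auth_log, "w") as fh:
        fh.write("Jun 14 02:11:07 host sshd[4123]: Accepted password for root from 203.0.113.9\n")
    with open(passwd_copy, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")

    manifest = build_manifest([auth_log, passwd_copy], collector="on-call analyst")
    with open(os.path.join(workdir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)

    before = verify_manifest(manifest)   # every artifact reports "ok" right after collection

    # Simulate a later accidental edit of the log copy and loss of the second artifact.
    with open(auth_log, "a") as fh:
        fh.write("Jun 14 02:12:00 host sshd[4123]: session closed\n")
    os.remove(passwd_copy)

    after = verify_manifest(manifest)    # auth.log -> "modified", etc_passwd.copy -> "missing"
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("at collection:", before)
    print("later check:  ", after)
```

The check is only as trustworthy as the manifest copy it is run against, so the manifest itself belongs on write-once media or under a signature kept apart from the artifacts. Keeping the manifest alongside a note of the exact commands run to collect each artifact also covers the follow-up step's "document commands, code, and procedures used in responding".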
Page 224
Recover
Eliminate all means of intruder access
• If systems have been compromised
- Restore programs from trusted vendor-supplied media
- Restore data from trusted backups
• Install appropriate patches or fixes
• Modify accounts and passwords as needed
Return systems to normal operation
• Reestablish connectivity
• Monitor systems for further attacks
Page 225
Follow-up
Identify lessons learned and implement improvements
• Assess time and resources used and damage incurred
• Document commands, code, and procedures used in responding
• Support legal activities such as investigation and prosecution if appropriate
• Conduct a postmortem
• Document all findings and lessons learned
• Implement improvements to information security policies, procedures, and measures
Page 226
Exercise: Intrusion Scenarios
Complete the exercise on pages 9 and 10.
Page 227
Incident Handling
Key Points
• Assume that security incidents will occur
• Plan and maintain readiness to handle security incidents
• Follow incident handling steps when security incidents occur
• Implement improvements based on lessons learned
Page 228
Communication
Vulnerabilities & Threats
Strategies & Tactics
Planning
Information Security Policy
Incident Handling
Making the Case
Key Areas
Page 229
Making the Case for Information Security
Overview
• Making the Case to Stakeholders
• Tools and Resources
Page 230
Making the Case
Policy stakeholders:
• Management, including top management (CTO, CIO)
• Users
• Others (clients, partners)
• Network Admin
• System Admin
• Database Admin
• Human Resources
• Legal
Page 231
Making the Case
Effective information security requires universal participation and awareness among stakeholders
Implementing information security measures requires buy-in, support and resources from management
Resources to help raise awareness
• Computer Security Institute/FBI Computer Crime Survey
• National Infrastructure Protection Center CyberNotes
• Press reports of information security incidents
Page 232
Tools and Resources
Tools for making your case
• Risk management / analysis findings
• Information Security Policy
• Legal obligations
• Data gathering / record keeping - statistics and metrics
• Simple economics argument
Existing resources
• Y2K analyses
• Insurance company evaluations
• Accounting audits
Page 233
Exercise: Getting Support
Complete the exercise on page 11.
Page 234
Making the Case for Information Security
Key Points
• Make the case for information security in language that your stakeholders understand
• Gain and maintain support and resources for information security from stakeholders
• Document the information security effort
Page 235
Putting it all Together
Review
Next Steps
Page 236
Information Security Model
Confidentiality, Integrity, Availability
Processing, Storage, Transmission
Policy & Procedures; Technology; Education, Training & Awareness
Page 237
Communication
Vulnerabilities & Threats
Strategies & Tactics
Planning
Information Security Policy
Incident Handling
Making the Case
Key Areas
Page 238
Exercise: Action Plan
Complete the exercise on pages 12 and 13.
Page 239
How To Contact Us
24-hour hotline: +1 412 268 7090
CERT personnel answer 8:30 AM - 5:00 PM EST (GMT-5) / EDT (GMT-4) Mon.-Fri. On call for emergencies during other hours.
FAX: +1 412 268 6989
Anonymous FTP archive: ftp://ftp.cert.org/pub/
Web site: http://www.cert.org
Email: [email protected]
US mail: CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890 USA
Page 240
How To Contact Us
Key ID: 0x6A9591D0
Key Type: Diffie-Hellman/DSS
Expires: 9/30/00
Key Size: 2048/1024
Fingerprint: 9E04 84E2 E27A 6A73 9C69 72DE 5AFD 91BE 6A95 91D0
UserID: CERT Coordination Center <[email protected]>
http://www.cert.org/contact_cert/encryptmail.html
Page 241
How To Contact Us
Key ID: 0x84DF0FD5
Key Type: RSA
Expires: 9/30/00
Key Size: 1024
Fingerprint: F8 FD 6B F7 36 B6 E0 86 C5 72 20 6E 5D 66 68 98
UserID: CERT Coordination Center <[email protected]>
http://www.cert.org/contact_cert/encryptmail.html