© 1999, 2000 Carnegie Mellon University

Overview of Security Trends for System and Network Administrators

Networked Systems Survivability Program

Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213-3890

Sponsored by the United States Department of Defense

Page 2

This Course Provides ...

• Introduction to information security issues and concepts

• Key areas to be addressed for information security

• Foundation for applying best security practices

• Resources for further technical help and training

• Current trends in information security

What are your expectations?

Page 3

Objectives

• Understand the challenges of securing information in a global, dynamic, networked systems environment

• Understand the range of vulnerabilities and threats

• Develop information security strategies and identify resources

• Learn proactive measures you can use to defend and improve your organization’s information security

• Learn ways to improve readiness to respond to and recover from information security incidents

• Understand your vital role as a communicator regarding information security

Page 4

What Is The Internet?

• Collection of networks that communicate

- with a common set of protocols (TCP/IP)

- by multilateral agreement

• Collection of networks with

- no central control

- no central authority

- no common legal oversight or regulations

- no standard acceptable use policy

• “wild west” atmosphere

Page 5

What Is The Internet?

• Physical network connections not important

- leased lines

- dial-up

- wireless

• Logical connectivity

- everything is connected to everything else

Page 6

Internet Security in the Beginnings of the Internet

• Internet started as a research project (ARPANET)

- small community of researchers

- trusted community

• Security was not a primary consideration in the design of Internet protocols

“Security issues are not discussed in this memo.” - many RFC documents

Where Wizards Stay Up Late by Katie Hafner and Matthew Lyon (ISBN 0-684-81201-0)

Page 7

Why Is Internet Security a Problem?

• Security not a design consideration

• Implementing change is difficult

• Openness makes machines easy targets

• Increasing complexity

Page 8

The Beginning of the CERT/CC

Timeline (figure): Morris Worm, November 1988; worm attack; postmortem; CERT/CC created

Page 9

Who We Are

Figure: Networked Systems Survivability Program (FFRDC*), sponsored by the U.S. DoD - Office of the Under Secretary (Research and Engineering); its two components are Survivable Network Management and Survivable Network Technology

*FFRDC - Federally Funded Research and Development Center

Page 10

NSS Program Strategies

Figure elements: Survivable Network Technology (Research Results, Technology Evaluation), Survivable Network Management, CERT Coordination Center, Repaired Systems, Protected Systems, Improved Systems

Page 11

What is the CERT/CC?

• Initially charged by DARPA* to serve as a focal point for Internet security by

- Fostering collaboration on security issues across the Internet community

- Providing technical assistance to Internet sites

- Analysing vulnerabilities and providing alerts to the Internet community

- Assisting other organisations in the formation of CSIRTs**

- Conducting tutorials, site evaluations, research

*DARPA - U.S. Department of Defense, Defense Advanced Research Projects Agency

**CSIRTs - Computer Security Incident Response Teams

Page 12

What is the CERT/CC?

• Responsibilities now include providing

- Internet security information for

– system and network administrators

– technology managers

– policy makers

- Guidance and co-ordination for major Internet security events

– Melissa virus

– Y2K

- Leadership in the response team community

– CSIRT formation and development assistance

Page 13

What is the CERT/CC?

• The CERT/CC focuses specifically on technical issues relating to Internet security

• The CERT/CC does not focus on

- who the intruders are

- where intruders are located (physically)

- motivations of intruders

- monitoring/surveillance of intruders

– other than understanding the technical implications of what the intruder community is doing

Page 14

The CERT®/CC Constituency - Internet

• Global distribution

- more than 72 million host computers as of January 2000*

• Diverse user demographics

- government agencies

- academic and research institutions

- corporate users

- home users

*Source: Internet Software Consortium (http://www.isc.org/)

Page 15

CERT®/CC Principles

• Provide valued services

- proactive as well as reactive

• Ensure confidentiality and impartiality

- we do not identify victims but can pass information anonymously and describe activity without attribution

- unbiased source of trusted information

• Co-ordinate with other organizations and experts

- academic, government, corporate

- distributed model for incident response teams (co-ordination and co-operation, not control)


Page 16

Current Activities

• 24 hour confidential incident response and vulnerability analysis

• Providing Internet security information to system and network administrators

• Developing a knowledgebase of vulnerability and incident data

• Documenting best practices for information security

• Facilitating the formation and training of new incident response teams

Page 17

Direction of Internet Security

What the Internet community is facing in terms of Internet security in the next few years can be summed up in the following statements:

• The expertise of intruders is increasing

• The sophistication of attacks and intruder tools/toolkits is increasing

• The effectiveness of intruders is increasing (knowledge is being passed to less knowledgeable intruders thus making them effective)

Page 18

Direction of Internet Security

• The number of intrusions is increasing

• The number of companies and users of the Internet is increasing

• The complexity of protocols and applications run on clients and servers attached to the Internet is increasing

• The complexity of the Internet as a network is increasing

Page 19

Direction of Internet Security

• The information infrastructure has many fundamental security design problems that cannot be quickly addressed

• The number of people with security knowledge and expertise is increasing, but at a significantly smaller rate than the increase in the number of Internet users

• The number of security tools available is increasing, but not necessarily as fast as the complexity of software, systems and networks

Page 20

Direction of Internet Security

• The number of incident response teams is increasing, but the ratio of incident response personnel to Internet users is decreasing

• The vendor product development and testing cycle is decreasing

• Vendors continue to produce software with vulnerabilities, including types of vulnerabilities where prevention is well-understood (such as buffer overflows)

Page 21

Course Overview

• Information Security Concepts

• Key Areas

- Communication

- Vulnerabilities and Threats

- Strategies and Tactics

- Planning for Information Security

- Information Security Policy

- Incident Handling

- Making the Case

• Putting it all Together

Page 22

Information Security Concepts

Overview

• An example of an information security incident

• Information Security Model

• Complexity of Security

• Protecting Information Assets and Resources

• Administrative Responsibilities

• Risk and Trust

Page 23

Information Security Breached

New York Times - 9/3/1988

Page 24

Information Security Breached

Lessons Learned:

• Intruders actively seek ways to compromise systems

• Vulnerabilities and threats are constantly evolving

• Even sophisticated, security-conscientious organizations need to be vigilant

Notes:

• The signs of an information security compromise are not always readily visible

• Sustaining and improving information security requires continuous, proactive effort and readiness to respond

Page 25

Information Security Model

Figure: a model with three dimensions - Information Security Properties, Information States and Security Measures

NSTISSI 4011: National Training Standard for Information Systems Security Professionals, 1994

Page 26

Information Security Properties

• Confidentiality

• Integrity

• Availability

Page 27

Information States

• Processing

• Storage

• Transmission

Page 28

Security Measures

• Policy & Procedures

• Technology

• Education, Training & Awareness

Page 29

Information Security Model

Figure: the complete model

• Information Security Properties: Confidentiality, Integrity, Availability

• Information States: Processing, Storage, Transmission

• Security Measures: Policy & Procedures; Technology; Education, Training & Awareness

Page 30

Complexity of Administration

In a networked systems environment, sustaining the security of information assets is a complicated task

• Interpret information security policies to implement appropriate access controls, data protection and capacity

• Establish and implement means to verify user credentials

• Implement and enforce information security policies at a variety of levels - data, host, network, Internet

• Sustain and monitor information security consistently throughout the system and network infrastructure

The complexity increases rapidly with scale

Page 31

Example: Data on a Workstation

Figure sequence (slides 31 to 45); each slide adds one more element around the data on the workstation:

• Employees

• Removable Media

• Other Systems on the Network

• Other Resources on the Network

• Access to the Internet

• Access to Other Local Networks

• Other Routes to the Internet

• Telephones and Modems

• Open Network Ports

• Remote Users

• Vendor and Contractor Access

• Access to External Resources

• Public Information Services

• Operating Environment

Page 46

Complexity of Administration

• These are only a sampling of the issues

• A mistake in just one part of one area can lead to a compromise

Page 47

Protecting Information Assets and Resources

• Avoidance

• Prevention

• Detection

• Containment and Response

• Recovery

• Improvement

Page 48

Administrative Responsibilities

• Authorization

• Authentication

• Accountability

• Monitoring

• Response to information security incidents

• Damage assessment and recovery

• Analysis and implementation of security improvements

• System and software deployment, upkeep and retirement

• Backups and “hot spares”

Page 49

Risk and Trust

Managing Risk

• Identify the information assets to be protected

• Prioritize the importance of securing each information asset

• Identify vulnerabilities of each asset, and the threats to it

• Prioritize impact of threats to vulnerabilities

• Select and implement appropriate safeguards

• Assume incidents will occur - “There are no silver bullets”

Trust Dilemma

• You cannot eliminate, or even mitigate, all possible risks

• At some point, you have to trust someone or something

Page 50

Exercise: Trust

Complete the exercise on page 1.

Page 51

Information Security Concepts

Key Points

• The goal of information security is to sustain and defend the confidentiality, integrity and availability of information

• Despite your best efforts, you must assume that information security incidents will occur

• Even sophisticated, security-conscientious organizations need to be vigilant

• The complexity of administering information security increases rapidly with scale

• Sustaining and improving information security is a continuous risk management activity

• At some point, you have to trust someone or something

Page 52

Key Areas

• Communication

• Vulnerabilities & Threats

• Strategies & Tactics

• Planning

• Information Security Policy

• Incident Handling

• Making the Case

Page 53

Key Areas: Communication

Page 54

Communication

Overview

• Meaningful and Effective Communication

• Communicating about Security

• Communication Channels

Page 55

Communication

Meaningful communication

• language

• context

Effective communication

• accuracy and clarity

• relevance to the listener

Page 56

Communicating about Security

Figure: YOU, at the center, communicating with

• Other System and Network Administrators

• Information Security Officers and Incident Handling Groups

• Management

• Information Technology Staff and Systems Developers

• Users of Information Systems

• Information Service Providers, Vendors and Contractors

Page 57

Communication Channels

Whom do you call?

• Peer system and network administrators

• Management

• Information Security Officers

• Physical Security Staff

• Network Service Providers, IT vendors

• Incident Handling Organizations

Who calls you?

• Whom should they call?

• Who should call you?

Page 58

Exercise: Contact List

Complete the exercise on pages 2 and 3.

Page 59

Communication

Key Points

• Excellent communication skills are a must for computer professionals

• As a computer professional, you have an important role in communicating to others about information security

• Establishing and sustaining communication channels are critically important for information security readiness

Page 60

Key Areas: Vulnerabilities & Threats

Page 61

Vulnerabilities & Threats

Overview

• Why Care About Vulnerabilities

• Common Terms

• Vulnerabilities

• Threats

• Intruders

• Software Flaws

• Configuration Errors

• Network Intrusions

• Forms of Attack

Page 62

Will Vulnerabilities Be Found?

• San Diego Supercomputer Center conducted an experiment

• Red Hat Linux 5.2 with no security patches installed on machine

• Monitoring established to record traffic to and from host

• Host not otherwise used by staff

See: http://worm.sdsc.edu

Page 63

Will Vulnerabilities Be Found?

• 8 hours from install

- probed for Solaris RPC vulnerability, not compromised

• 21 days from install

- 20 exploits tried for vulnerabilities including POP, IMAP, telnet, RPC, and mountd

- exploit attempts failed because they were exploits for Red Hat 6.x

• About 40 days from install

- POP server vulnerability compromised

- intruder wipes some system logs

- installs rootkit and sniffer

Page 64

Common Terms

Vulnerability - A feature or a combination of features of a system that allows an adversary to place the system in a state that is contrary to the desires of the people responsible for the system and increases the probability or magnitude of undesirable behavior in or of the system.

Threat - any circumstance or event with the potential for causing harm to an information system in the form of destruction, disclosure, adverse modification of data, and/or denial of service

Safeguard - an action, device, procedure, technique, or other measure that reduces the vulnerability of an information system

Page 65

Common Terms

Incident - An event (or set of related events) in which the information security policies of an organization are violated.

A collection of data representing one or more related attacks. Attacks may be related by attacker, type of attack, objectives, sites, or timing.

Attack - An attempt to breach the security of an information asset or resource

Page 66

Common Terms

Intrusion - A breach in the security of an information asset or resource resulting from a successful attack.

An action conducted by one adversary, the intruder, against another adversary, the victim. The intruder carries out an attack with a specific objective in mind. From the perspective of an administrator responsible for maintaining a system, an attack is a set of one or more events that may have one or more security consequences. From the perspective of an intruder, an attack is a mechanism to fulfill an objective.

Page 67

Common Terms

Intruder - A person who deliberately attempts to breach the security of an information asset or resource.

The person who carries out an attack. Attacker is a common synonym for intruder. The words attacker and intruder apply only after an attack has occurred. A potential intruder may be referred to as an adversary. Since the label of intruder is assigned by the victim of the intrusion and is therefore contingent on the victim’s definition of encroachment, there can be no ubiquitous categorization of actions as being intrusive or not.

Page 68

Common Terms

Trojan Horse - Malicious software or content planted by an intruder on a target system, typically masquerading as a normal or expected program or file. Intruders often install trojan horse versions of system software on systems they have compromised to hide their activities on the system and to illicitly gather information such as users’ account passwords.

Trojan horse software may also be embedded in e-mail attachments in a manner that causes unsuspecting recipients to execute the malicious software when the attachment is opened. Examples include the Melissa macro virus and Happy99.exe trojan horse.

http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html

Page 69

Common Terms

Compromise - Disclosure of information to unauthorized persons

A breach in the security of an information asset or resource

“root” Compromise - Compromise of an information system resulting in access by an intruder at a level equivalent to that of an administrator (a.k.a. root, superuser) of the system

Page 70

Vulnerabilities

• Software and Hardware

• Personnel

• Environment

• Change

© 1999, 2000 Carnegie Mellon University page 71

Threats Overview

• Threats to Confidentiality

• Threats to Integrity

• Threats to Availability

© 1999, 2000 Carnegie Mellon University page 72

Threats to Confidentiality

• Unauthorized access

- observation, eavesdropping, copying, theft

• Inappropriate disclosure

© 1999, 2000 Carnegie Mellon University page 73

Threats to Integrity

• Unauthorized modification or destruction

• Loss of means to authenticate or verify integrity

© 1999, 2000 Carnegie Mellon University page 74

Threats to Availability

• Denial of service

• Theft

• Threats to integrity

- availability of reliable data

• Loss of the means to access data

- passwords, encryption keys, technology

© 1999, 2000 Carnegie Mellon University page 75

Other Threats

Human Error

• Data entry errors

• Improper data handling

- transmission

- processing

- storage

- disposal

• Negligence

© 1999, 2000 Carnegie Mellon University page 76

Other Threats

Environment

• Electromagnetic Interference

• Physical damage due to weather

• Natural disasters

• Armed conflicts

• Loss of power, water, network or phone connectivity

© 1999, 2000 Carnegie Mellon University page 77

Intruders Overview

• Internal

• External

• Means

• Motive

• Opportunity

© 1999, 2000 Carnegie Mellon University page 78

Internal Intruders

• Employees

• Contractors

• Service personnel

• Visitors

• Covert agents

© 1999, 2000 Carnegie Mellon University page 79

External Intruders

• Former employees

• Contractors

• Clients and Customers

• “Crackers”

• Vandals

• Thieves and Organized Crime

• Business competitors

• Political opponents and Insurgent groups

• Foreign agents

© 1999, 2000 Carnegie Mellon University page 80

Intruder Means

Means is the sum of:

• What they know and can learn

- Abundant sources of technical information

• Information from others who can help them

- Mailing lists, conferences, chat rooms

• Tools they have at their disposal to execute an intrusion

- Availability of sophisticated, easy-to-use intruder tools

© 1999, 2000 Carnegie Mellon University page 81

Evolving Intruder Threat

Chart: Sophistication of Intruder Attacks, on a scale from Low to High, plotted over the years 1975 to 2000

© 1999, 2000 Carnegie Mellon University page 82

Evolving Intruder Threat

Chart: Technical Knowledge and Skill Required by Intruders, on a scale from Novice to Expert, plotted over the years 1975 to 2000

© 1999, 2000 Carnegie Mellon University page 83

Intruder Motives

• Money, profit

• Access to additional resources

• Competitive advantage

- Economic

- Political

• Personal grievance, vengeance

• Curiosity

• Mischief

• Attention

© 1999, 2000 Carnegie Mellon University page 84

Opportunities for Intrusion

• Rapid adoption of computer and network technology in government, industry, and educational organizations

• Internet explosion and e-commerce

• Thousands of exploitable vulnerabilities in technology

• Lack of awareness regarding information security

• Shortage of qualified system and network administrators and information security staff

• Lack of applicable laws and means of enforcement

• International scope

© 1999, 2000 Carnegie Mellon University page 85

Internet Growth

Chart: Network Wizards, Inc. Internet Domain Survey Host Count History, 1975 to 2000, with the host count axis running from 0 to 50,000,000

© 1999, 2000 Carnegie Mellon University page 86

Vulnerability Exploit Cycle

• Advanced intruders discover new vulnerability

• Crude exploit tools distributed

• Novice intruders use crude exploit tools

• Automated scanning/exploit tools developed

• Widespread use of automated scanning/exploit tools

• Intruders begin using new types of exploits

© 1999, 2000 Carnegie Mellon University page 87

Software Vulnerabilities

Examples

• Buffer overflows

• Timing windows

Avoiding Software Vulnerabilities

• Defensive Programming

© 1999, 2000 Carnegie Mellon University page 88

Buffer Overflow Example

Diagram: the subroutine's stack frame, showing the buffer in the subroutine followed by the subroutine return address

© 1999, 2000 Carnegie Mellon University page 90

Buffer Overflow Example

• In a subroutine, the intruder forces more data into a buffer than the size of the buffer allocated for it

• The intruder data spills over onto the subroutine return address memory cell

• Embedded in the intruder data are malicious program commands and a new subroutine return address

• When the subroutine returns, the next instructions executed are those given by the intruder, with the privileges of the program

Diagram: intruder data overflowing the buffer and overwriting the return address

© 1999, 2000 Carnegie Mellon University page 91

A real-world timing window problem:

• Call video store

• “Do you have ‘Saving Private Ryan’?”

• “Yes”

• Drive to video store

• Alas, someone retrieved the copy first

You asked an incomplete question.

Should have asked:

• “Do you have ‘Saving Private Ryan’ and if you do, please hold it for me.”

• Better level of atomicity

Timing Window Example

© 1999, 2000 Carnegie Mellon University page 92

TIME PROGRAM

t1 if (file_does_not_exist(some_file)) then

t2 create(some_file);

t3 endif

Stretch the t1 to t2 interval

Change the world during that interval

Timing Window Example

© 1999, 2000 Carnegie Mellon University page 93

How to change the t1 to t2 interval?

• Load the system: run many programs, flood with network traffic, anything to make the system run slower

• Run the race over and over; eventually you’ll win

What to do in the t1 to t2 interval?

• Replace created file with symbolic link

• File then created elsewhere

• If set UID root program, then file created anywhere, or contents abandoned

Timing Window Example

© 1999, 2000 Carnegie Mellon University page 94

TIME PROGRAM ATTACKER

t1 if (…("/tmp/t") then

t1+i symlink("/tmp/t", "/etc/passwd")

t2 create("/tmp/t");

This results in /etc/passwd being “created,” or zeroed, hence a denial of service

Timing Window Example
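The following C program is an added example, not part of the course material: it stages the race shown in the table inside a throwaway temporary directory (the file names "victim" and "t" are constructed stand-ins for /etc/passwd and /tmp/t) and contrasts the check-then-create sequence with a single O_CREAT|O_EXCL open, which closes the t1 to t2 window because the kernel performs the test and the creation as one operation.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define VICTIM_LEN 11   /* bytes written to the stand-in for /etc/passwd */

/* The two halves of the racy sequence from the slide. The existence test (t1)
 * and the creation (t2) are separate system calls, so the world can change in
 * between, and O_TRUNC on a path that now holds a symbolic link follows it. */
int file_does_not_exist(const char *path)
{
    return access(path, F_OK) != 0;
}

int create_trunc(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Atomic replacement: with O_CREAT|O_EXCL the kernel performs "create only if
 * nothing is there" as a single operation and fails with EEXIST otherwise.
 * A symbolic link already at the path counts as "something there" and is
 * never followed, so the question and the action can no longer be separated. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Stage the slide's race in a fresh temporary directory (constructed for this
 * example): "victim" stands in for /etc/passwd and "t" for /tmp/t. With
 * atomic == 0 the program calls file_does_not_exist() and then create_trunc(),
 * and the "attacker" plants the link between the two calls; with atomic == 1
 * the link is already in place when create_exclusive() runs. Returns the
 * victim's size afterwards: VICTIM_LEN if untouched, 0 if it was emptied,
 * -1 on a setup failure. */
long run_race(int atomic)
{
    char dir[] = "/tmp/toctou-XXXXXX";
    char victim[64], link[64];
    struct stat st;
    long result = -1;
    int fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/t", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto cleanup;
    if (write(fd, "root:x:0:0\n", VICTIM_LEN) != VICTIM_LEN) {
        close(fd);
        goto cleanup;
    }
    close(fd);

    fd = -1;
    if (atomic) {
        if (symlink(victim, link) != 0)       /* attacker's move, any time before t2 */
            goto cleanup;
        fd = create_exclusive(link);          /* t2: fails with EEXIST, link not followed */
    } else if (file_does_not_exist(link)) {   /* t1: nothing there yet, so proceed */
        if (symlink(victim, link) != 0)       /* t1+i: attacker's move in the window */
            goto cleanup;
        fd = create_trunc(link);              /* t2: follows the link and empties victim */
    }
    if (fd >= 0)
        close(fd);

    if (stat(victim, &st) == 0)
        result = (long)st.st_size;
cleanup:
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("check-then-create: victim size afterwards = %ld\n", run_race(0));
    printf("O_CREAT|O_EXCL:    victim size afterwards = %ld\n", run_race(1));
    return 0;
}
```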

© 1999, 2000 Carnegie Mellon University page 95

Defensive Programming

• Trusting untrustworthy data

- always check input length

- always use bounded functions

- always check input for unexpected data

- limit acceptable input; reject all violations; provide documented default

• Avoid vulnerable functions such as system() and popen()

• Test all programs thoroughly before deployment

- make testing conditions as realistic as possible

- always check boundary conditions
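As an added illustration, not from the original slides, covering both the buffer overflow example and the first Defensive Programming bullet, here is a C subroutine in its unbounded and bounded forms; the 16-byte username limit and the accepted character set are assumed policy for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 16   /* assumed policy: longest username this program accepts */

enum input_status { INPUT_OK = 0, INPUT_TOO_LONG = 1, INPUT_BAD_CHARS = 2 };

/* Vulnerable form, kept only for contrast: strcpy() copies until it finds a
 * NUL byte, so a name longer than buf overwrites whatever sits above it on the
 * stack, including the subroutine's saved return address from the slides. */
void greet_unsafe(const char *name)
{
    char buf[USERNAME_MAX];
    strcpy(buf, name);                 /* unbounded copy, no length check */
    printf("hello %s\n", buf);
}

/* Hardened copy: measure within the destination's bounds, refuse anything
 * that does not fit, restrict the accepted alphabet, then copy exactly what
 * was checked. */
enum input_status copy_username(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')   /* never read past dstsz bytes */
        n++;
    if (n == dstsz)                        /* no room left for the terminator */
        return INPUT_TOO_LONG;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return INPUT_BAD_CHARS;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return INPUT_OK;
}

/* The same subroutine with the checks applied. The documented default for
 * any violation is to reject the input and report why. */
enum input_status greet_safe(const char *name)
{
    char buf[USERNAME_MAX];
    enum input_status st = copy_username(buf, sizeof buf, name);
    if (st == INPUT_OK)
        printf("hello %s\n", buf);
    else
        printf("rejected input (status %d)\n", (int)st);
    return st;
}

int main(void)
{
    greet_safe("alice");
    greet_safe("this-name-is-far-too-long-for-the-buffer");
    greet_safe("bob;id");
    return 0;
}
```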

© 1999, 2000 Carnegie Mellon University page 96

Common Configuration Errors Overview

• Vulnerable default configurations

• Incorrect access controls and execution privileges

• Problems maintaining system and network software

© 1999, 2000 Carnegie Mellon University page 97

Vulnerable Default Configurations

• Empty passwords and well-known vendor passwords

• Guest and other default accounts

• Unnecessary features and services enabled

• Remote access enabled

• Logging and auditing features disabled

• Incorrect default access controls

• Need for updated device drivers and software patches

© 1999, 2000 Carnegie Mellon University page 98

Incorrect System Access Controls

• Access to administrative systems, programs, and configuration data

• Access privileges for storage volumes, directories and files

• Remote access to local system resources

• Ownership of files and access privileges retained by terminated accounts

• Access to backup data

© 1999, 2000 Carnegie Mellon University page 99

Incorrect Network Access Controls

• Access to administrative capabilities of networked systems and components

• Router and switch configurations

• Firewall configurations

• Network monitor configurations

• Trust relationships between networked systems

© 1999, 2000 Carnegie Mellon University page 100

Problems Maintaining System and Network Software

• Failing to keep software up-to-date regarding security fixes

• Assuming old configuration files will be OK for updated versions of software

• Assuming that new versions of software will have all the security fixes included

• Accepting unwritten default settings (not setting all configuration settings explicitly)

• Inconsistency of software versions and configurations across all systems and network infrastructure components

© 1999, 2000 Carnegie Mellon University page 101

Exercise: Vulnerabilities

Complete the exercise on page 4.

© 1999, 2000 Carnegie Mellon University page 102

Network Intrusions

• Intrusions from remote systems can be achieved in a matter of seconds using automated intruder tools

• Intruders are interested in gaining access to computing resources as well as to private data

• Intruders often compromise a series of remote systems, making it difficult to trace their activities

• Network intrusions originating outside of your jurisdiction and from foreign countries may be impossible to prosecute

© 1999, 2000 Carnegie Mellon University page 103

A Network Intrusion Scenario

1. Intruder Probes a Remote System

2. Exploits a Vulnerability Found

3. Gains Privileged Access

4. Installs Trojan Horse Programs

5. Compromises Other Local Hosts

6. Attacks Other Remote Systems

7. Exploits Connectivity Found

8. Attacks Target System

9. Inflicts Damage

© 1999, 2000 Carnegie Mellon University page 113

Forms of Attack

• Abuse of Access Privileges

• Physical Theft

• Information Gathering

• Password Cracking

• Exploitation of System and Network Vulnerabilities

• Spoofing

• Denial of Service

• Exploitation of Trust

• Network Infrastructure Attacks

• Malicious Code

© 1999, 2000 Carnegie Mellon University page 114

Information Gathering

• Dumpster Diving

• Social Engineering

• Probes

• Network Scans

• Network Mapping

• Keystroke Monitoring

• Packet Sniffing

Probes and network scans are the most commonly reported intruder activity

© 1999, 2000 Carnegie Mellon University page 115

Scans

• Intruders commonly use automated tools to scan networks for vulnerable systems

• Scans may be recognizable in network traffic logs as a series of consecutive probes to a range of system addresses or port numbers

• Stealth scans spread probes out over time to appear inconspicuous within normal traffic patterns

• Intruders employ automated tools to call telephone number ranges in search of modems used for dial-up connections
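Added example, not from the original course: a small C routine that applies the second bullet to a constructed firewall log, counting distinct address:port targets per source so that both a port sweep of one host and an address sweep across hosts on one port stand out. The log lines, addresses and the threshold of 5 are constructed for this example; a stealth scan spread over time would need the same counts kept over a longer window.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES 16
#define MAX_TARGETS 64
#define ADDR_LEN    40
#define TARGET_LEN  48

/* Constructed firewall log excerpt for this example (not a real capture),
 * one connection attempt per line: "time src dst dport".
 * 203.0.113.9 walks a port range on one host, 198.51.100.7 walks an address
 * range on one port, and 192.0.2.5 is ordinary repeat traffic. */
static const char *const sample_log[] = {
    "10:00:01 203.0.113.9 10.1.2.3 21",
    "10:00:01 192.0.2.5 10.1.2.3 80",
    "10:00:02 203.0.113.9 10.1.2.3 22",
    "10:00:02 198.51.100.7 10.1.2.1 80",
    "10:00:03 203.0.113.9 10.1.2.3 23",
    "10:00:03 198.51.100.7 10.1.2.2 80",
    "10:00:04 203.0.113.9 10.1.2.3 25",
    "10:00:04 192.0.2.5 10.1.2.3 80",
    "10:00:05 198.51.100.7 10.1.2.3 80",
    "10:00:05 203.0.113.9 10.1.2.3 80",
    "10:00:06 198.51.100.7 10.1.2.4 80",
    "10:00:06 203.0.113.9 10.1.2.3 110",
    "10:00:07 198.51.100.7 10.1.2.5 80",
    "10:00:07 192.0.2.5 10.1.2.4 25",
    "10:00:08 203.0.113.9 10.1.2.3 143",
    "10:00:08 198.51.100.7 10.1.2.6 80",
    "10:00:09 192.0.2.5 10.1.2.3 80",
};
static const size_t sample_log_len = sizeof sample_log / sizeof sample_log[0];

struct source_stats {
    char   addr[ADDR_LEN];
    size_t ntargets;                       /* distinct dst:port pairs probed */
    char   targets[MAX_TARGETS][TARGET_LEN];
};

struct scan_report {
    char   src[ADDR_LEN];
    size_t ntargets;
};

/* Output array for callers that do not want to allocate their own. */
struct scan_report sample_reports[MAX_SOURCES];

static struct source_stats *lookup_source(struct source_stats *stats, size_t *n, const char *addr)
{
    for (size_t i = 0; i < *n; i++)
        if (strcmp(stats[i].addr, addr) == 0)
            return &stats[i];
    if (*n == MAX_SOURCES)
        return NULL;                        /* table full: ignore further sources */
    struct source_stats *s = &stats[(*n)++];
    memset(s, 0, sizeof *s);
    snprintf(s->addr, ADDR_LEN, "%s", addr);
    return s;
}

static void note_target(struct source_stats *s, const char *dst, unsigned port)
{
    char key[TARGET_LEN];
    snprintf(key, sizeof key, "%s:%u", dst, port);
    for (size_t i = 0; i < s->ntargets; i++)
        if (strcmp(s->targets[i], key) == 0)
            return;                         /* repeat of a target already seen */
    if (s->ntargets < MAX_TARGETS)
        snprintf(s->targets[s->ntargets++], TARGET_LEN, "%s", key);
}

/* Report every source that probed at least `threshold` distinct dst:port
 * targets. Returns the number of reports written to `out`, in order of the
 * source's first appearance in the log. */
size_t find_scanners(const char *const *lines, size_t nlines, size_t threshold,
                     struct scan_report *out, size_t outsz)
{
    static struct source_stats stats[MAX_SOURCES];   /* static: too large for the stack */
    size_t nstats = 0, nout = 0;
    memset(stats, 0, sizeof stats);

    for (size_t i = 0; i < nlines; i++) {
        char ts[16], src[ADDR_LEN], dst[ADDR_LEN];
        unsigned port;
        if (sscanf(lines[i], "%15s %39s %39s %u", ts, src, dst, &port) != 4)
            continue;                       /* malformed line: skip it */
        struct source_stats *s = lookup_source(stats, &nstats, src);
        if (s != NULL)
            note_target(s, dst, port);
    }
    for (size_t i = 0; i < nstats && nout < outsz; i++) {
        if (stats[i].ntargets >= threshold) {
            snprintf(out[nout].src, ADDR_LEN, "%s", stats[i].addr);
            out[nout].ntargets = stats[i].ntargets;
            nout++;
        }
    }
    return nout;
}
```

Calling find_scanners(sample_log, sample_log_len, 5, sample_reports, MAX_SOURCES) flags the two sweeping sources and leaves the repeat visitor alone.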

© 1999, 2000 Carnegie Mellon University page 116

Packet Sniffing

Under normal conditions, the data in a packet transmitted over the network is read only by the destination system to which it is addressed.

Diagram: hosts exchanging packets through a router

© 1999, 2000 Carnegie Mellon University page 117

Packet Sniffing

When a packet sniffer is present, a copy of every packet that passes by it on the network is covertly captured.

Diagram: the same network, with a packet sniffer executing on one of the hosts behind the router

© 1999, 2000 Carnegie Mellon University page 118

Sniffed Telnet Example

© 1999, 2000 Carnegie Mellon University page 119

Denial of Service

• Loss of availability

• Loss of the ability to respond

• Consumption of a limited resource

• Forcing failure or shutdown of a system that

- contains a needed information asset or resource, or

- is required for delivery of an information asset or resource

© 1999, 2000 Carnegie Mellon University page 120

Examples of Denial of Service

Common denials of service launched across networks:

• Mail Bombs

• Ping Floods (e.g. “Smurf” attacks)

• SYN Attacks

• UDP Bounce Attacks

• Distributed Denials of Service

© 1999, 2000 Carnegie Mellon University page 121

Mail Bombs

Floods of e-mail messages intended to consume and exceed your mail system’s capacity to process and store them

• Automated tools can generate a continuous e-mail stream

• Falsified subscriptions of your e-mail address to a large number of automated mailing lists and newsgroups result in a flood of unwanted e-mail

What can you do?

• Require a confirmation message to initiate all subscriptions

• Enable anti-spam measures on mail proxies and servers

© 1999, 2000 Carnegie Mellon University page 122

Ping Floods

Floods of ping requests tie up a system’s ability to respond to legitimate connection requests

Example: “Smurf” attacks

© 1999, 2000 Carnegie Mellon University page 123

“Smurf” Attack

Diagram: the attacker, a router, the 10.0.0.x network, a second router, and the target 192.168.123.45

1. The attacker forges a ping packet with the source address set to that of the target system

“Ping from 192.168.123.45 to 10.0.0.255”

© 1999, 2000 Carnegie Mellon University page 124

“Smurf” Attack

Diagram: the attacker, a router, the 10.0.0.x network with broadcast address 10.0.0.255, a second router, and the target 192.168.123.45

2. The forged ping packet is sent to the broadcast address of remote networks

© 1999, 2000 Carnegie Mellon University page 125

“Smurf” Attack

Diagram: every host on the 10.0.0.x network answering the forged ping; the target is 192.168.123.45

3. Pinging the broadcast address causes all hosts on that network to respond to the forged ping request

© 1999, 2000 Carnegie Mellon University page 126

“Smurf” Attack

Diagram: the replies from the 10.0.0.x network converging through the routers on the target 192.168.123.45

4. The hosts on the remote network each return pings to the target host, flooding it with pings

© 1999, 2000 Carnegie Mellon University page 129

SYN Attacks

TCP session handshake sequence

Diagram: the Client sends 1 SYN, the Server answers 2 ACK:SYN, the Client completes the handshake with 3 ACK

• The server keeps track of a limited number of open TCP connections

• For each open TCP connection, the server waits a preset interval for the ACK packet in step 3

© 1999, 2000 Carnegie Mellon University page 133

SYN Attacks

“Half-open” TCP connections

Diagram: the Client sends 1 SYN after 1 SYN, the Server answers each with 2 ACK:SYN, and no 3 ACK ever arrives

• The server receives a number of SYN packets but no subsequent ACK packets within the timeout period

• The server’s pool of open TCP connection slots fills up

• New connection attempts, even legitimate ones, get denied
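Added C model of the mechanism described on these slides (example code written for this page, not from the original course material): a fixed pool of half-open entries, each waiting a preset interval for the step-3 ACK, fills up under forged SYNs and then denies a legitimate client until entries time out. The pool size of 4, the timeout values and the client addresses are assumed.

```c
#include <stdio.h>
#include <string.h>

#define BACKLOG_SLOTS 4      /* assumed size of the server's pool of half-open entries */
#define ADDR_LEN      40

struct half_open {
    int  in_use;
    long started;            /* time the SYN arrived and the ACK:SYN went out */
    char client[ADDR_LEN];
};

struct listener {
    struct half_open slots[BACKLOG_SLOTS];
    long syn_timeout;        /* preset interval to wait for the step-3 ACK */
};

void listener_init(struct listener *l, long syn_timeout)
{
    memset(l, 0, sizeof *l);
    l->syn_timeout = syn_timeout;
}

/* Release every half-open entry whose ACK wait has run out. */
static void expire_half_open(struct listener *l, long now)
{
    for (int i = 0; i < BACKLOG_SLOTS; i++)
        if (l->slots[i].in_use && now - l->slots[i].started >= l->syn_timeout)
            l->slots[i].in_use = 0;
}

int listener_half_open_count(struct listener *l, long now)
{
    int n = 0;
    expire_half_open(l, now);
    for (int i = 0; i < BACKLOG_SLOTS; i++)
        n += l->slots[i].in_use;
    return n;
}

/* Step 1 arrives. Returns 1 if an entry was allocated and the ACK:SYN of
 * step 2 "sent", 0 if the pool is full and the SYN is dropped (the denial). */
int listener_on_syn(struct listener *l, long now, const char *client)
{
    expire_half_open(l, now);
    for (int i = 0; i < BACKLOG_SLOTS; i++) {
        if (!l->slots[i].in_use) {
            l->slots[i].in_use = 1;
            l->slots[i].started = now;
            snprintf(l->slots[i].client, ADDR_LEN, "%s", client);
            return 1;
        }
    }
    return 0;
}

/* Step 3 arrives: the connection is established and its entry is released.
 * Returns 1 if a matching half-open entry was found, 0 otherwise. */
int listener_on_ack(struct listener *l, long now, const char *client)
{
    expire_half_open(l, now);
    for (int i = 0; i < BACKLOG_SLOTS; i++) {
        if (l->slots[i].in_use && strcmp(l->slots[i].client, client) == 0) {
            l->slots[i].in_use = 0;
            return 1;
        }
    }
    return 0;
}

/* Replay the slides' sequence: four SYNs from constructed forged sources that
 * never complete the handshake, then a legitimate client at time t_legit.
 * Returns 1 if the legitimate SYN was accepted, 0 if it was denied. */
int legit_client_accepted(long syn_timeout, long t_legit)
{
    static const char *const forged[BACKLOG_SLOTS] = {
        "198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4" };
    struct listener l;
    listener_init(&l, syn_timeout);
    for (long t = 0; t < BACKLOG_SLOTS; t++)
        listener_on_syn(&l, t, forged[t]);    /* step 3 never follows */
    return listener_on_syn(&l, t_legit, "192.0.2.10");
}

int main(void)
{
    printf("timeout 75, legit SYN at t=4:  %s\n", legit_client_accepted(75, 4) ? "accepted" : "denied");
    printf("timeout 75, legit SYN at t=80: %s\n", legit_client_accepted(75, 80) ? "accepted" : "denied");
    printf("timeout 5,  legit SYN at t=10: %s\n", legit_client_accepted(5, 10) ? "accepted" : "denied");
    return 0;
}
```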

© 1999, 2000 Carnegie Mellon University page 134

UDP Bounce Attacks

User Datagram Protocol (UDP) is connectionless

UDP versions of diagnostic services simply respond when they receive a packet addressed to them

• echo

• discard

• daytime

• character generator (chargen)

© 1999, 2000 Carnegie Mellon University page 138

UDP Bounce Attacks

• The attacker forges a packet addressed to the chargen port of one target, claiming to originate from the echo port of the other target

• The target receiving the forged packet responds by sending a number of packets to the echo port of the other target

• Every packet received on the echo port is returned back to the chargen port of the first target

• Each packet sent to the chargen port gets several back...

Diagram: the chargen port of the first target and the echo port of the second, with packets bouncing between them

© 1999, 2000 Carnegie Mellon University page 141

UDP Bounce Attacks

• The targets rapidly send an increasing flood of traffic to one another, rendering both systems unable to respond

• The extreme volume of traffic generated between the targets also affects network connectivity of other systems that share the network

Services like echo and chargen should generally be disabled on all systems and filtered at network gateways

Diagram: the chargen port of the first target and the echo port of the second, with packets bouncing between them

© 1999, 2000 Carnegie Mellon University page 142

Typical Distributed DoS Attack

Diagram: the intruder and the systems involved, connected across the Internet

© 1999, 2000 Carnegie Mellon University page 143

Step One - Intruder to Handler

Diagram: across the Internet, the intruder sends commands to a handler

© 1999, 2000 Carnegie Mellon University page 144

Step Two - Handler to Agents

Diagram: the handler (master) sends commands to the agents

© 1999, 2000 Carnegie Mellon University page 145

Step Three - Agents to Victim

Diagram: each agent independently sends traffic to the victim

© 1999, 2000 Carnegie Mellon University page 146

DDoS Attack Tools Summary

trin00 and Tribe Flood Network

http://www.cert.org/incident_notes/IN-99-07

Tribe Flood Network 2K

http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html

Stacheldraht

http://www.cert.org/advisories/CA-2000-01.html

WinTrin00

http://www.cert.org/incident_notes/IN-2000-01.html

mstream

http://www.cert.org/incident_notes/IN-2000-05.html

© 1999, 2000 Carnegie Mellon University page 147

DDOS Communication Methods

Trinoo:

• intruder->handler 27665/tcp

• handler<->agent 27444/udp, 31335/udp

TFN:

• intruder->handler ssh, telnet, ICMP (loki)...

• handler->agent echo_reply/icmp

Stacheldraht:

• intruder->handler 16660/tcp

• handler->agent 65000/tcp, echo_reply/icmp

Shaft:

• intruder->handler 24032/tcp (not 20483/tcp)

• handler<->agent 18753/udp, 20433/udp
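The port numbers above are what a log review (slide 172, "Regularly review logs for signs of intrusion") can key on. The following is an added example, not part of the CERT course material: it scans connection-log lines for the handler and agent ports listed on this slide and groups the hosts involved by tool. The log format and the sample lines are constructed; the port numbers are the slide's. The ICMP echo-reply channels used by TFN and Stacheldraht have no port and are out of scope for a port-based check.

```python
import re
from collections import Counter

# Control-channel ports per tool, as listed on the slide.
DDOS_CONTROL_PORTS = {
    "trinoo": {("tcp", 27665), ("udp", 27444), ("udp", 31335)},
    "stacheldraht": {("tcp", 16660), ("tcp", 65000)},
    "shaft": {("tcp", 24032), ("udp", 18753), ("udp", 20433)},
}

# Flattened lookup: (protocol, port) -> tool name.
PORT_INDEX = {pp: tool for tool, pairs in DDOS_CONTROL_PORTS.items() for pp in pairs}

# Constructed connection-log format (an assumption, not any real product's format):
# "<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: 203.0.113.8 plays the intruder, 192.0.2.0/24 is the local network.
SAMPLE_LOG = [
    "2000-02-09T10:00:01 tcp 203.0.113.8:40123 -> 192.0.2.15:27665",  # trinoo intruder->handler
    "2000-02-09T10:00:02 udp 192.0.2.15:27444 -> 192.0.2.77:27444",   # trinoo handler<->agent
    "2000-02-09T10:00:03 tcp 192.0.2.20:51000 -> 198.51.100.3:80",    # ordinary web traffic
    "2000-02-09T10:00:04 udp 192.0.2.77:31335 -> 192.0.2.15:31335",   # trinoo handler<->agent
    "2000-02-09T10:00:05 tcp 203.0.113.8:40200 -> 192.0.2.40:16660",  # stacheldraht intruder->handler
    "2000-02-09T10:00:06 udp 192.0.2.9:20433 -> 192.0.2.10:20433",    # shaft handler<->agent
    "garbage line that does not parse",
]


def scan_log(lines):
    """Return one hit per flow whose source or destination port is a known control port.

    Matching either end of the flow catches both the intruder->handler direction and
    handler<->agent traffic. A hit is a triage signal, not proof: a legitimate service
    could sit on one of these ports, so the hosts involved must be examined.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the expected format; a real scanner would count these
        proto = m["proto"]
        for port_field in ("sport", "dport"):
            port = int(m[port_field])
            tool = PORT_INDEX.get((proto, port))
            if tool:
                hits.append({"ts": m["ts"], "tool": tool, "src": m["src"],
                             "dst": m["dst"], "proto": proto, "port": port})
                break
    return hits


def suspect_hosts(hits):
    """Group the hosts on either end of each hit by tool: the machines to examine first."""
    by_tool = {}
    for h in hits:
        by_tool.setdefault(h["tool"], set()).update((h["src"], h["dst"]))
    return {tool: sorted(hosts) for tool, hosts in by_tool.items()}


def hits_per_tool(hits):
    """Number of matching flows per tool."""
    return dict(Counter(h["tool"] for h in hits))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for tool, hosts in suspect_hosts(found).items():
        print(f"{tool}: {', '.join(hosts)}")
```

Since the slide lists UDP ports for the handler-to-agent channel, the check needs logs that record UDP flows (router flow records or a network monitor), not just TCP connection logs from hosts.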

© 1999, 2000 Carnegie Mellon University page 148

Exploitation of Trust

It is common to set up trust relationships between networked systems to facilitate convenient access

• single sign-on authentication

• shared network file systems

Trust relationships between systems that rely on network information to identify systems are vulnerable to exploitation by spoofed (i.e. forged) network packets

Example: IP Source Address Spoofing

© 1999, 2000 Carnegie Mellon University page 149

IP Source Address Spoofing

• 10.1.2.3 (yellow) trusts 10.1.2.4 (green) implicitly

[Diagram: trusting host 10.1.2.3, trusted host 10.1.2.4, and the intruder's host]

© 1999, 2000 Carnegie Mellon University page 150

IP Source Address Spoofing

• The intruder spoofs a connection request from 10.1.2.4

[Diagram: the intruder's host, pretending to be 10.1.2.4, sends "SYN from 10.1.2.4" to trusting host 10.1.2.3]

© 1999, 2000 Carnegie Mellon University page 151

IP Source Address Spoofing

• 10.1.2.3 attempts to acknowledge the connection request

[Diagram: trusting host 10.1.2.3 sends "SYN:ACK to 10.1.2.4"; the intruder's host is still pretending to be 10.1.2.4]

© 1999, 2000 Carnegie Mellon University page 152

IP Source Address Spoofing

• Normally, 10.1.2.4 would reject the SYN:ACK packet

[Diagram: trusted host 10.1.2.4 answers trusting host 10.1.2.3 with "RST from 10.1.2.4"; the intruder's host is pretending to be 10.1.2.4]

© 1999, 2000 Carnegie Mellon University page 153

IP Source Address Spoofing

• The intruder, however, has already denied service to 10.1.2.4, so the RST is never sent

[Diagram: trusting host 10.1.2.3 sends "SYN:ACK to 10.1.2.4" and gets no RST back; the intruder's host is pretending to be 10.1.2.4]

© 1999, 2000 Carnegie Mellon University page 154

IP Source Address Spoofing

• The intruder spoofs an acknowledgment from 10.1.2.4

[Diagram: the intruder's host, pretending to be 10.1.2.4, sends "ACK from 10.1.2.4" to trusting host 10.1.2.3]

© 1999, 2000 Carnegie Mellon University page 155

IP Source Address Spoofing

• 10.1.2.3 establishes the connection, believing that the intruder's host is the trusted host, 10.1.2.4

[Diagram: connection established between trusting host 10.1.2.3 and the intruder's host pretending to be 10.1.2.4]

© 1999, 2000 Carnegie Mellon University page 156

Malicious Code

• Viruses

• Trojan Horse Attacks

- Executable content in downloaded files

- Executable web page content: Javascript, Java, ActiveX

- Executable content in e-mail and attached documents

• Worms

Always verify the integrity and authenticity of downloaded content

Always scan content for malicious code before opening

© 1999, 2000 Carnegie Mellon University page 157

Love Letter Worm

• Malicious code that potentially

- generates large amounts of email and entries in the registry

- destroys or hides certain types of files

• Propagates via several methods

- email

- infected files (on local disk and network drives)

- IRC

• Uses social component to facilitate spread

© 1999, 2000 Carnegie Mellon University page 158

Love Letter Worm

• New variants continue to be discovered

• While the worst activity is over, re-infections will continue to occur in the future

See:

http://www.cert.org/advisories/CA-2000-04.html

© 1999, 2000 Carnegie Mellon University page 159

Exercise: Attacks

Complete the exercise on page 5.

© 1999, 2000 Carnegie Mellon University page 160

Vulnerabilities & Threats

Key Points

• The intruder threat is increasing

• Always use defensive programming techniques

• Intruders use sophisticated, automated, easy-to-use tools to launch attacks

• Intruders actively scan networks and probe systems to find vulnerabilities that they can exploit

• Denial of service attacks are common and difficult to avoid

• Intruders often exploit trust relationships among systems

• Always guard against malicious code in content received

© 1999, 2000 Carnegie Mellon University page 161

Communication

Vulnerabilities & Threats

Strategies & Tactics

Key Areas

© 1999, 2000 Carnegie Mellon University page 162

Strategies & Tactics

Overview

• Complexity of Administration

• IT System Life Cycle

• Preparation

• Implementation Challenges

• Strategies for Manageable Security

• Sustaining Security over Time

• Common Security Tactics

© 1999, 2000 Carnegie Mellon University page 163

Exercise: Infrastructure

Complete the exercise on page 6.

© 1999, 2000 Carnegie Mellon University page 164

Complexity of Administration

© 1999, 2000 Carnegie Mellon University page 165

IT System Life Cycle

Initiation and Planning

Development and Acquisition

Preparation and Testing

Implementation

• Education and Training

Operation

• Maintenance and Updates

• Security Monitoring

• Disposal of Information

Termination

© 1999, 2000 Carnegie Mellon University page 166

Preparation

For all systems and networks administered:

• maintain a complete record of all systems and networks

• know what information assets and resources they contain

• know what information security policies apply to them

• know what system and network services are enabled

- e.g., Web, e-mail, and file service, remote login, DNS, etc.

• identify weakest links

• identify means to avoid, prevent, detect and respond to security problems

• document assumptions and tradeoffs

© 1999, 2000 Carnegie Mellon University page 167

Implementation Challenges

• Vendors generally focus their efforts on product features and flexibility, not ease of secure administration

• Existing system and network infrastructure may not support the desired means to secure information

• There may be no way to satisfy all requirements as stated in your organization’s information security policy

• The cost to implement and sustain security measures as required by policy may be prohibitive

© 1999, 2000 Carnegie Mellon University page 168

Strategies for Manageable Security

• Take a conservative approach to configuration

• Separate and isolate networks, systems and services

• Create layers of access and diversify safeguards

• Practice vigilance

© 1999, 2000 Carnegie Mellon University page 169

Conservative Approach

• Assume that vulnerabilities exist that you are not aware of

• Start by disabling all capabilities

• Enable only those capabilities that are required, and configure them to maximize security

• Remove all unnecessary software and data

• Carefully consider security implications of all added functionalities

• Apply the Principle of Least Privilege

© 1999, 2000 Carnegie Mellon University page 170

Separate, Isolate and Simplify

• Separate and isolate networks, systems, services and data by role, purpose and security sensitivity

• Establish zones of infrastructure and administration separated by differences in information security policy, e.g.

- Servers vs. client workstations

- Network services per server host

- Internal vs. external (public) accessibility

- Classified vs. non-classified data

• Enforce differences in information security policy between zones

© 1999, 2000 Carnegie Mellon University page 171

Consistency, Depth, Diversity

You’re only ever as secure as your weakest link

• Efforts to secure information are useless if there exist ways to get around them

Layer defenses to limit and contain breaches in security

• Do not assume your access controls and firewalls are impervious

• Perimeter defenses cannot thwart insider threats

Diversify safeguards between layers of access

• Do not let the same vulnerability affect multiple levels

© 1999, 2000 Carnegie Mellon University page 172

Practice Vigilance

• Prepare, test and replicate systems in an isolated, physically secure environment

• Deploy secure system, network and application logging and monitoring capabilities

• Regularly review logs for signs of intrusion

• Look for unexpected changes to directories and files

• Regularly scan for viruses

• Maintain and practice readiness to respond to security incidents

• Keep systems, software and configurations up-to-date

• Actively raise user and management awareness regarding information security

© 1999, 2000 Carnegie Mellon University page 173

Sustaining Security Over Time

The appropriate information security strategies and tactics to apply will change over time as

• your organization’s needs change

• your system or network requirements change

• new automated tools become available

• new systems are deployed

• new network connectivity is established

• existing systems and software become outdated

• new vulnerabilities are discovered

• intruder attack patterns change

© 1999, 2000 Carnegie Mellon University page 174

Common Security Tactics

• Cryptography

• Firewalls

• Network traffic filtering

• Network traffic monitoring

• Host security

• Security patches and workarounds

• Passwords

• Vulnerability testing

• Virus scanning

• Secure backups

© 1999, 2000 Carnegie Mellon University page 175

Uses of Cryptography

Confidentiality

• Encryption of files and data transmitted over networks

• Encryption of data stored off-line

Integrity Assurance

• Cryptographic checksums to strongly inhibit fraud

Authentication and Non-repudiation

• Public key authentication and digital signatures

Examples:

• Secure e-mail (PGP, S/MIME)

• Secure remote network connections (Secure Shell, VPNs)
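The "cryptographic checksums to strongly inhibit fraud" bullet hides a distinction worth seeing in code: an unkeyed checksum detects accidental corruption but not deliberate tampering, because whoever changes the data can recompute the checksum; a keyed checksum (a MAC) cannot be recomputed without the key. The following is an added example, not part of the CERT course material, using only the Python standard library; the messages and the shared key are constructed.

```python
import hashlib
import hmac
import os


def plain_digest(data: bytes) -> str:
    """Unkeyed checksum: anyone, including an attacker, can compute it."""
    return hashlib.sha256(data).hexdigest()


def keyed_digest(key: bytes, data: bytes) -> str:
    """Keyed checksum (HMAC-SHA-256): only holders of the key can compute it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def seal_unkeyed(data: bytes):
    return (data, plain_digest(data))


def check_unkeyed(bundle) -> bool:
    data, tag = bundle
    return hmac.compare_digest(plain_digest(data), tag)  # constant-time comparison


def seal_keyed(key: bytes, data: bytes):
    return (data, keyed_digest(key, data))


def check_keyed(key: bytes, bundle) -> bool:
    data, tag = bundle
    return hmac.compare_digest(keyed_digest(key, data), tag)


def tamper(bundle, new_data: bytes):
    """What someone without the key can do: swap the data and attach a fresh unkeyed checksum."""
    return (new_data, plain_digest(new_data))


def corrupt(bundle):
    """Accidental damage: flip one bit of the data and leave the tag untouched."""
    data, tag = bundle
    return (bytes([data[0] ^ 0x01]) + data[1:], tag)


def demo() -> dict:
    """Constructed scenario comparing the two kinds of checksum against both failure modes."""
    key = os.urandom(32)  # secret shared by sender and verifier; constructed here
    original = b"transfer 100 to alice"
    altered = b"transfer 900 to mallory"
    return {
        "unkeyed_detects_corruption": not check_unkeyed(corrupt(seal_unkeyed(original))),
        "unkeyed_detects_tampering": not check_unkeyed(tamper(seal_unkeyed(original), altered)),
        "keyed_detects_tampering": not check_keyed(key, tamper(seal_keyed(key, original), altered)),
        "keyed_accepts_genuine": check_keyed(key, seal_keyed(key, original)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The same reasoning is why a checksum published next to a download on the same server says little if that server has been compromised: the attacker replaces both. A signature, such as the PGP signature on CERT advisories (slide 186), plays the keyed role with a key pair, so the verifier needs only the public key.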

© 1999, 2000 Carnegie Mellon University page 176

Network Firewalls

One or more components placed at gateways between networks to enforce information security policy

• Filtering routers

• Bastion hosts and application/service proxies

• Network switches

• Network monitors

Ensure secure administration of firewall components

Reinforce perimeter defenses with host security

© 1999, 2000 Carnegie Mellon University page 177

Minimal Firewall

[Diagram: a single firewall router between the external network and the internal network]

© 1999, 2000 Carnegie Mellon University page 178

Firewall + Application Gateway

[Diagram: external network, exterior border router, perimeter network with a bastion host, interior firewall router, internal network]

© 1999, 2000 Carnegie Mellon University page 179

Multiple Internal Networks

[Diagram: external network, exterior border router, perimeter network with a bastion host and a network monitor, interior firewall router, two internal networks]

© 1999, 2000 Carnegie Mellon University page 180

A More Complex Firewall Setup

[Diagram: external network, exterior border router, bastion host and network monitors on the perimeter, specialized interior firewall system, switch connecting two internal networks, each with a network monitor]

© 1999, 2000 Carnegie Mellon University page 181

TCP/IP Network Filtering

Prevent IP Source Address Spoofing across network boundaries

Block Inbound:

• packets with source IP addresses that match an IP address of your internal network

Block Outbound:

• packets with source IP addresses that do not match an IP address of your internal network

Block both inbound and outbound:

• packets with source IP addresses in one of the reserved IP address ranges (RFC 1918)
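The three rules above, written out as a boundary filter, as an added example that is not part of the CERT course material. It also shows how this filter relates to the IP source address spoofing slides (149 to 155): a SYN arriving from outside that claims an internal source address is exactly what the first rule drops. The internal prefix 192.0.2.0/24, the sample packets, and the rule names are constructed; the RFC 1918 ranges are the standard ones.

```python
import ipaddress

# Private address ranges from RFC 1918, blocked in both directions by the slide's third rule.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class BoundaryFilter:
    """Source-address filter for a router between the internal network and the outside."""

    def __init__(self, internal_prefixes):
        self.internal_nets = [ipaddress.ip_network(p) for p in internal_prefixes]

    def is_internal(self, addr) -> bool:
        return any(addr in net for net in self.internal_nets)

    def decide(self, direction: str, src_ip: str):
        """Classify one packet by its direction and claimed source address.

        Returns (action, rule): action is "allow" or "drop"; rule names which of the
        slide's three rules fired, or None when the packet is allowed.
        """
        if direction not in ("inbound", "outbound"):
            raise ValueError(f"direction must be 'inbound' or 'outbound', got {direction!r}")
        src = ipaddress.ip_address(src_ip)
        if any(src in net for net in RFC1918_NETS):
            return "drop", "rfc1918-source"                 # rule 3: both directions
        if direction == "inbound" and self.is_internal(src):
            return "drop", "inbound-claims-internal-source"  # rule 1
        if direction == "outbound" and not self.is_internal(src):
            return "drop", "outbound-claims-external-source" # rule 2
        return "allow", None


# Constructed packets: (direction, source address). 10.1.2.4 is the trusted host
# from the spoofing slides; the others use documentation (RFC 5737) addresses.
SAMPLE_PACKETS = [
    ("inbound", "192.0.2.4"),      # SYN claiming to be from an internal host: rule 1
    ("inbound", "203.0.113.5"),    # ordinary inbound traffic: allowed
    ("outbound", "192.0.2.7"),     # ordinary outbound traffic: allowed
    ("outbound", "198.51.100.9"),  # our site would be the origin of spoofed packets: rule 2
    ("inbound", "10.1.2.4"),       # private source address on the public side: rule 3
]


def apply_filter(flt: BoundaryFilter, packets):
    """Run every packet through the filter; returns (direction, src, action, rule) per packet."""
    return [(d, s, *flt.decide(d, s)) for d, s in packets]


if __name__ == "__main__":
    for direction, src, action, rule in apply_filter(BoundaryFilter(["192.0.2.0/24"]), SAMPLE_PACKETS):
        print(f"{direction:8} {src:15} {action:5} {rule or ''}")
```

If the internal network itself uses RFC 1918 addresses behind NAT (an assumption about the site, not something the slide states), the third rule belongs on the external interface, after translation, so that legitimately translated traffic is not dropped.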

© 1999, 2000 Carnegie Mellon University page 182

TCP/IP Network Filtering

Inhibit common forms of Denial of Service attacks

• Disable IP directed broadcasts at all routers

Inhibit opportunities for packet sniffing and session hijacking

• Block IP source-routed packets at all routers

© 1999, 2000 Carnegie Mellon University page 183

Host Security Guidelines

• Disable and remove all unnecessary accounts

• Disable and remove all unnecessary network and system services and application software

• Protect all sensitive system and service configuration software and data against unauthorized access

• Configure and enable logging and monitoring mechanisms

• Configure and require strong authentication for access to all information assets and resources

• Use groups to simplify management of access controls

• Regularly check system software and configuration data for unexpected changes

• Avoid implicit trust relationships between hosts

© 1999, 2000 Carnegie Mellon University page 184

Why Care About Patches

of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available.

© 1999, 2000 Carnegie Mellon University page 185

Security Patches and Workarounds

• Stay up-to-date regarding vendor patches and workarounds to address security vulnerabilities

• Verify the integrity and authenticity of all downloaded software before applying it to your systems

• Test patches and workarounds in an isolated, physically secure test environment before deployment

• Deploy security patches and workarounds as soon as possible to reduce exposure to attacks

• Maintain a thorough, up-to-date record of security patches and workarounds that you have applied

© 1999, 2000 Carnegie Mellon University page 186

CERT® Advisories

CERT® Advisories alert you to vulnerabilities for which you should take immediate action

• Description of the vulnerability and its scope

• Potential impact should the vulnerability be exploited

• Solutions or workarounds

• Appendices contain details and vendor information

• Revision history

• PGP signature

© 1999, 2000 Carnegie Mellon University page 187

Other CERT® Publications

The CERT® Coordination Center website (www.cert.org)

• CERT® Summaries

• Vendor-Initiated Bulletins

• CERT® Incident Notes

• CERT® Vulnerability Notes

• CERT® Security Improvement Modules

• Tech Tips

© 1999, 2000 Carnegie Mellon University page 188

Password Guidelines

Passwords are susceptible to cracking and sniffing

• Use one-time passwords wherever possible

If you must use reusable passwords

• Avoid trivial and easily-crackable passwords

• Protect password data against unauthorized access

• Educate all users regarding the critical importance of protecting password confidentiality

For all systems and network components

• Ensure that all accounts have passwords

• Replace all vendor-supplied passwords
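Two of the guidelines above, "ensure that all accounts have passwords" and "protect password data against unauthorized access", can be checked mechanically. The following audit is an added example, not part of the CERT course material: it parses shadow-format password entries, flags accounts with an empty password field, and verifies that the password file is not readable by group or others. The shadow lines are constructed (the hashes are placeholders, not real digests); the file layout assumed is the classic colon-separated one with the password field second.

```python
import os
import stat
import tempfile

EMPTY_PASSWORD = "empty password field: the account can be used without any password"
MALFORMED = "malformed entry"

# Constructed shadow-format entries (placeholder hashes, not from any real system).
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:11000:0:99999:7:::
daemon:*:11000:0:99999:7:::
guest::11000:0:99999:7:::
backup:!:11000:0:99999:7:::
admin:$1$constructedsalt$constructedhash:11000:0:99999:7:::
this line has no fields
"""


def parse_shadow(text):
    """Split shadow-format lines into (name, password_field); None marks a malformed line."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) < 2:
            entries.append((raw.strip(), None))
        else:
            entries.append((fields[0], fields[1]))
    return entries


def classify(password_field):
    """'empty' means login without a password; '!' or '*' prefixes mean the account is locked."""
    if password_field is None:
        return "malformed"
    if password_field == "":
        return "empty"
    if password_field.startswith(("!", "*")):
        return "locked"
    return "set"


def audit_shadow(text):
    """Return (account, problem) for every entry violating 'all accounts have passwords'."""
    findings = []
    for name, pw in parse_shadow(text):
        kind = classify(pw)
        if kind == "empty":
            findings.append((name, EMPTY_PASSWORD))
        elif kind == "malformed":
            findings.append((name, MALFORMED))
    return findings


def summary(text):
    """Count entries per classification, for a quick overview of the file."""
    counts = {}
    for _name, pw in parse_shadow(text):
        kind = classify(pw)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def shadow_mode_ok(path) -> bool:
    """Password data must not be readable by group or others."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def demo():
    """Write the constructed entries to a temporary file and check both rules."""
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write(SAMPLE_SHADOW)
        path = f.name
    try:
        os.chmod(path, 0o644)
        mode_before = shadow_mode_ok(path)
        os.chmod(path, 0o600)
        mode_after = shadow_mode_ok(path)
    finally:
        os.unlink(path)
    return audit_shadow(SAMPLE_SHADOW), mode_before, mode_after


if __name__ == "__main__":
    findings, before, after = demo()
    print(findings, "mode ok before:", before, "after:", after)
```

Whether a password is a vendor-supplied default cannot be read off the hash, so the "replace all vendor-supplied passwords" guideline still needs a checklist of the accounts each product creates and a record that each was changed.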

© 1999, 2000 Carnegie Mellon University page 189

In an isolated, physically secure test environment:

• Password cracking tools

• Network scanning tools

• System scanning tools

Vulnerability Testing

“Know what the intruders can know about you”

Warning: Make sure you have authority to do so in writing before you engage in any vulnerability testing activities!

© 1999, 2000 Carnegie Mellon University page 190

Virus Scanning

Even the most conscientious users can receive a virus

• Files and media exchanged between employees and with customers or other external contacts

• Data downloaded from remote systems

• E-mail attachments

Measures

• Install and regularly use current virus scanning software

• Keep virus scanner data up-to-date on all systems

• Raise awareness of current and emerging virus threats

• Train users to scan all data received for viruses before use

© 1999, 2000 Carnegie Mellon University page 191

Secure Backups

• Data backups are essential to enable recovery in the event of failures and security incidents

• The confidentiality and integrity of data must be sustained during backup, storage, and restoration

• Data backup media must be protected against theft, modification, and destruction

• The means used to record and read backup media must be maintained as long as that media is used

• Encryption keys and passwords used to protect backup data must be securely escrowed

© 1999, 2000 Carnegie Mellon University page 192

Strategies & Tactics

Key Points

• Good security administration is all about good systems administration

• Take a conservative approach in configuration management

• Separate, isolate and simplify system and network services

• You’re only ever as secure as your weakest link

• Practice vigilance and be prepared for change

• Apply appropriate tactics to sustain and improve security

• Keep systems and network components up-to-date regarding patches and workarounds for security

• Maintain secure backups

© 1999, 2000 Carnegie Mellon University page 193

Communication

Vulnerabilities & Threats

Strategies & Tactics

Planning

Key Areas

© 1999, 2000 Carnegie Mellon University page 194

Planning

Overview

• Importance of planning

• Planning considerations

© 1999, 2000 Carnegie Mellon University page 195

Importance of Planning

You cannot afford to be left wondering what to do when struck by an information security incident

• Your first information security incident could put your organization entirely out of business

“A penny of planning is worth a pound of recovery”

• Time and resources must be allocated for planning

“Do not paint yourself into a corner”

• Information security measures must accommodate change

© 1999, 2000 Carnegie Mellon University page 196

Planning Considerations

Sustaining and improving information security is a complex, continuous, long term process

• Information assets and resources to be protected

• System and network architecture

• Communication channels and reporting procedures

• Proactive security measures and procedures

• Reactive security measures and procedures

• Testing and evaluating your plans

• Keeping plans up-to-date

• Documentation and record keeping

© 1999, 2000 Carnegie Mellon University page 197

Planning

Key Points

• You cannot afford to be left wondering what to do when you are struck by an information security incident

• Time and resources must be allocated for planning

• Proactive and reactive security measures and procedures must be carefully planned and tested

• Maintain documented plans for information security measures, including assumptions and reasoning

© 1999, 2000 Carnegie Mellon University page 198

Communication

Vulnerabilities & Threats

Strategies & Tactics

Planning

Information Security Policy

Key Areas

© 1999, 2000 Carnegie Mellon University page 199

Information Security Policy

Overview

• Participants and Stakeholders

• Risk Management and Analysis

• Characteristics of an Effective Information Security Policy

• Information Security Policy Issues

• Examples of Information Security Policy Statements

© 1999, 2000 Carnegie Mellon University page 200

Exercise: Information Security Policy

Complete the exercise on pages 7 and 8.

© 1999, 2000 Carnegie Mellon University page 201

Information Security Policy

What shapes the policy?

Who writes and shapes the policy and procedures?

© 1999, 2000 Carnegie Mellon University page 202

Policy Stakeholders

[Diagram: the information security policy at the center, surrounded by its stakeholders]

• Management: top management (CTO, CIO)

• Users

• Others (clients, partners)

• Network Admin

• System Admin

• Database Admin

• Human Resources

• Legal

© 1999, 2000 Carnegie Mellon University page 203

Risk Analysis

Steps

1. Identify and assign value to assets

2. Prioritize assets

3. Determine vulnerability to threats and damage potential

4. Prioritize impact of threats

5. Select cost-effective safeguards

© 1999, 2000 Carnegie Mellon University page 204

Characteristics of an Effective Information Security Policy

• Long term focus

• Clear and concise

• Role-based

• Realistic

• Specifies areas of responsibility and authority

• Well-defined

• Up-to-date

© 1999, 2000 Carnegie Mellon University page 205

Information Security Policy Topics

[Diagram: the policy topics arranged around the title]

• Communications

• Privacy

• Accountability

• Authorization

• Violations

• Network Traffic

• Availability

• Auditing

• Identification

• Authentication

• Access

• Redundancy

• Resources

• Supporting Info

• Risk Reduction

• Purchasing Guidelines

© 1999, 2000 Carnegie Mellon University page 206

Acceptable Use Policy Issues for Users

• Prohibiting sharing of accounts

• Requiring good passwords

• Guidelines for accessing unprotected programs or files

• Breaking into accounts

• Breaking into systems

• Cracking passwords

• Disrupting service

© 1999, 2000 Carnegie Mellon University page 207

Policy Issues for Privileged (Administrative) Users

• Authority and conditions for reading e-mail of other users

• Accessing protected programs or files

• Disrupting service under specific conditions

• Prohibiting sharing of accounts

• Prohibiting unauthorized creation of user accounts

• Authority and conditions for using vulnerability testing tools

© 1999, 2000 Carnegie Mellon University page 208

Policy Issues Examples

• What are users allowed to do with hardware on their computers?

• How do users gain remote access?

• What guidelines must a laptop user observe?

• How is software evaluated for deployment?

- What process must software pass through before it is installed?

- What files does the software access when running?

© 1999, 2000 Carnegie Mellon University page 209

Security Policy Example 1

Users must not copy software provided by Organization X to any storage media (floppy disk, magnetic tape, etc.), transfer such software to another computer, or disclose such software to outside parties without written permission from the Director of Information Technology.

• Information Security Policies Made Easy, Charles Cresson Wood, 1997, p. 125

© 1999, 2000 Carnegie Mellon University page 210

Security Policy Example 2

Internet access using computers in Organization X is permissible only when users go through an Organization X firewall. Other ways to access the Internet, such as dial-up connections with an Internet Service Provider (ISP), are prohibited if Organization X computers are employed.

• Information Security Policies Made Easy, Charles Cresson Wood, 1997, p. 318

Page 211

Information Security Policy

Key Points

• Make information security policy work for you and your organization

• Use risk management and risk analysis methods to shape information security policies

• Know what your organization’s information security policy authorizes you to do as a computer professional, and the conditions under which you can act with authority

Page 212

Key Areas

• Communication

• Vulnerabilities & Threats

• Strategies & Tactics

• Planning

• Information Security Policy

• Incident Handling

Page 213

Incident Handling

Overview

• CERT® Coordination Center Experience

• Intruders: Active and Organized

• Effective Incident Handling

• Incident Handling Steps

Page 214

CERT®/CC Experience

Since 1988 the CERT® Coordination Center has

• Responded to more than 18,000 security incidents that have affected more than 660,000 hosts on the Internet

• Helped to foster the creation of more than 80 incident response teams

Page 215

Recent CERT/CC Experiences                         1997     1998     1999    2000*
Incidents handled                                 3,285    4,942    9,859    8,836
Vulnerabilities reported                            196      262      417      442
Email msgs processed                             38,406   31,933   34,612   26,413
CERT Advisories, Vendor Bulletins, and Vul Notes     44       34       20        9
CERT Summaries and Incident Notes                     6       15       13       10

*January through June of 2000

Page 216

Recent CERT®/CC Experiences

The increase in incidents in 1998 and 1999 can be attributed to the following factors:

• Significant increase in automated scanning and automated attacks by intruders

• Greater awareness of CERT®/CC by sites

• Increase in sites regularly reporting incidents

• Automated reporting

Page 217

Intruders: Active & Organized

• Telephone/voice message systems

• E-mail

• Bulletin board systems

• Anonymous FTP service

• Internet Relay Chat (IRC) - #hack channel

• Web sites

• Conferences

• Publications

Page 218

Handling Security Incidents

Assume that security incidents will occur

Plan and maintain readiness to handle security incidents

• Without adequate planning, you will incur much greater losses and much greater costs in the recovery effort

Computer Security Incident Response Teams (CSIRTs)

Do not wait until after an intrusion has occurred to start thinking about how to handle a security incident

Page 219

Effective Incident Handling

The primary goals of incident handling are to:

• Control and minimize damage

• Preserve evidence

• Recover as soon as possible

• Learn enough to help prevent exposure to similar problems in the future

Page 220

Incident Handling Steps

1 Prepare

2 Respond

3 Recover

4 Follow-up

Page 221

Incident Handling Steps

1 Prepare

2 Respond

3 Recover

4 Follow-up

Page 222

Prepare

Ensure that security policies support incident handling

Plan responses

• Locate backups

• Identify available resources and tools

• Coordinate team members; define roles and responsibilities.

• Establish secure communication channels

• Coordinate with your public relations spokesperson

• Designate a technical lead to work with the public relations spokesperson

• Conduct regular training and readiness drills

Page 223

Respond

• Follow your information security policy and procedures

• Verify the incident

• Analyze the intrusion

• Communicate with appropriate parties

• Handle media inquiries through your designated public relations spokesperson

• Collect and protect information

• Contain the intrusion
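The "Collect and protect information" step above, together with the goal of preserving evidence, is where responders most often lose the ability to prove later what they found. An added example (not part of the course material) of one way to protect collected evidence: hash every file in an evidence directory into a manifest that records who collected it and when, and re-verify the directory against that manifest before it is handed to investigators. The sample log and netstat lines are constructed, as is the collector name.

```python
import hashlib
import json
import os
import tempfile
import time


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large evidence files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, collector):
    """Record path, size, SHA-256 and collection time for every file under evidence_dir."""
    entries = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            entries.append({
                "path": os.path.relpath(path, evidence_dir),
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    return {
        "collector": collector,
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "files": entries,
    }


def verify_manifest(evidence_dir, manifest):
    """Return (kind, path) discrepancies: files modified, missing, or added since collection."""
    problems = []
    expected = {e["path"]: e for e in manifest["files"]}
    for rel, entry in expected.items():
        path = os.path.join(evidence_dir, rel)
        if not os.path.exists(path):
            problems.append(("missing", rel))
        elif sha256_file(path) != entry["sha256"]:
            problems.append(("modified", rel))
    present = {os.path.relpath(os.path.join(r, f), evidence_dir)
               for r, _d, fs in os.walk(evidence_dir) for f in fs}
    for rel in sorted(present - expected.keys()):
        problems.append(("added", rel))
    return problems


def demo():
    """Constructed evidence set: build a manifest, verify it, then tamper with one file."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "auth.log"), "w") as f:
            f.write("Jun 12 03:14:07 host sshd[4242]: Accepted password for root from 10.0.0.99\n")
        with open(os.path.join(d, "netstat.txt"), "w") as f:
            f.write("tcp 0 0 0.0.0.0:31337 0.0.0.0:* LISTEN\n")
        manifest = build_manifest(d, "jdoe (on-call responder)")  # constructed collector name
        clean = verify_manifest(d, manifest)
        with open(os.path.join(d, "auth.log"), "a") as f:
            f.write("tampered\n")  # simulate an edit after collection
        tampered = verify_manifest(d, manifest)
        return len(manifest["files"]), clean, tampered


if __name__ == "__main__":
    count, clean, tampered = demo()
    print(json.dumps({"files": count, "clean": clean, "after_tamper": tampered}, indent=2))
```

Keep the manifest outside the evidence directory (and ideally on write-once media or signed), so that the record of what was collected cannot itself be altered along with the evidence.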

Page 224

Recover

Eliminate all means of intruder access

• If systems have been compromised

- Restore programs from trusted vendor-supplied media

- Restore data from trusted backups

• Install appropriate patches or fixes

• Modify accounts and passwords as needed

Return systems to normal operation

• Reestablish connectivity

• Monitor systems for further attacks
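"Modify accounts and passwords as needed" and "Monitor systems for further attacks" both depend on knowing what the account database looked like before the compromise. An added example (not from the course) of a baseline comparison for Unix-style password files: a snapshot taken while the host was trusted is compared with the current file, and any account that appeared, disappeared or changed is reported, along with any login other than root that carries UID 0. All records, names and UIDs below are constructed.

```python
# Constructed /etc/passwd-style records: a baseline captured while the host was
# trusted, and the state found after recovery. Names and UIDs are invented.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysbak:x:0:0:backup:/root:/bin/sh
svc_tmp:x:1001:1001::/tmp:/bin/bash
"""


def parse_passwd(text):
    """Map each login name to its uid, gid, home and shell; reject malformed records."""
    accounts = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields")
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return accounts


def compare_accounts(baseline, current):
    """Report accounts that appeared, disappeared or changed, plus extra UID 0 logins."""
    findings = []
    for name in sorted(current.keys() - baseline.keys()):
        findings.append(("new_account", name))
    for name in sorted(baseline.keys() - current.keys()):
        findings.append(("removed_account", name))
    for name in sorted(current.keys() & baseline.keys()):
        if current[name] != baseline[name]:
            findings.append(("changed_account", name))
    # A second UID 0 login, or a system account whose shell became interactive,
    # is a common sign that a means of intruder access was left behind.
    for name, acct in sorted(current.items()):
        if acct["uid"] == 0 and name != "root":
            findings.append(("extra_uid0", name))
    return findings


def audit(baseline_text, current_text):
    """Parse both snapshots and return the list of (kind, login) findings."""
    return compare_accounts(parse_passwd(baseline_text), parse_passwd(current_text))


if __name__ == "__main__":
    for kind, name in audit(BASELINE_PASSWD, CURRENT_PASSWD):
        print(f"{kind:16} {name}")
```

The same comparison applies to group files, sudoers and authorized-key files; the point is that the baseline has to be captured and stored off-host before an incident, as part of the Prepare step, or there is nothing trustworthy to compare against.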

Page 225

Follow-up

Identify lessons learned and implement improvements

• Assess time and resources used and damage incurred

• Document commands, code, and procedures used in responding

• Support legal activities such as investigation and prosecution if appropriate

• Conduct a postmortem

• Document all findings and lessons learned

• Implement improvements to information security policies, procedures, and measures

Page 226

Exercise: Intrusion Scenarios

Complete the exercise on pages 9 and 10.

Page 227

Incident Handling

Key Points

• Assume that security incidents will occur

• Plan and maintain readiness to handle security incidents

• Follow incident handling steps when security incidents occur

• Implement improvements based on lessons learned

Page 228

Key Areas

• Communication

• Vulnerabilities & Threats

• Strategies & Tactics

• Planning

• Information Security Policy

• Incident Handling

• Making the Case

Page 229

Making the Case for Information Security

Overview

• Making the Case to Stakeholders

• Tools and Resources

Page 230

Making the Case

Policy stakeholders:

• Management (top management: CTO, CIO)

• Users

• Others (clients, partners)

• Network Admin

• System Admin

• Database Admin

• Human Resources

• Legal

Page 231

Making the Case

Effective information security requires universal participation and awareness among stakeholders

Implementing information security measures requires buy-in, support and resources from management

Resources to help raise awareness

• Computer Security Institute/FBI Computer Crime Survey

• National Infrastructure Protection Center CyberNotes

• Press reports of information security incidents

Page 232

Tools and Resources

Tools for making your case

• Risk management / analysis findings

• Information Security Policy

• Legal obligations

• Data gathering / record keeping - statistics and metrics

• Simple economics argument

Existing resources

• Y2K analyses

• Insurance company evaluations

• Accounting audits

Page 233

Exercise: Getting Support

Complete the exercise on page 11.

Page 234

Making the Case for Information Security

Key Points

• Make the case for information security in language that your stakeholders understand

• Gain and maintain support and resources for information security from stakeholders

• Document the information security effort

Page 235

Putting it all Together

Review

Next Steps

Page 236

Information Security Model

• Confidentiality, Integrity, Availability

• Processing, Storage, Transmission

• Policy & Procedures, Technology, Education, Training & Awareness

Page 237

Key Areas

• Communication

• Vulnerabilities & Threats

• Strategies & Tactics

• Planning

• Information Security Policy

• Incident Handling

• Making the Case

Page 238

Exercise: Action Plan

Complete the exercise on pages 12 and 13.

Page 239

How To Contact Us

24-hour hotline: +1 412 268 7090

CERT personnel answer 8:30 AM - 5:00 PM EST (GMT-5) / EDT (GMT-4) Mon.-Fri. On call for emergencies during other hours.

FAX: +1 412 268 6989

Anonymous FTP archive: ftp://ftp.cert.org/pub/

Web site: http://www.cert.org

Email: [email protected]

US mail: CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University, 4500 Fifth Avenue, Pittsburgh, PA 15213-3890 USA

Page 240

How To Contact Us

Key ID: 0x6A9591D0
Key Type: Diffie-Hellman/DSS
Expires: 9/30/00
Key Size: 2048/1024
Fingerprint: 9E04 84E2 E27A 6A73 9C69 72DE 5AFD 91BE 6A95 91D0
UserID: CERT Coordination Center <[email protected]>

http://www.cert.org/contact_cert/encryptmail.html

Page 241

How To Contact Us

Key ID: 0x84DF0FD5
Key Type: RSA
Expires: 9/30/00
Key Size: 1024
Fingerprint: F8 FD 6B F7 36 B6 E0 86 C5 72 20 6E 5D 66 68 98
UserID: CERT Coordination Center <[email protected]>

http://www.cert.org/contact_cert/encryptmail.html