Cover Slide Example - NEbraskaCERT Conference 2009


Overview of Security Trends for System and Network Administrators
Networked Systems Survivability Program
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Sponsored by the United States Department of Defense
© 1999, 2000 Carnegie Mellon University
This Course Provides ...
• Introduction to information security issues and concepts
• Key areas to be addressed for information security
• Foundation for applying best security practices
• Resources for further technical help and training
• Current trends in information security
What are your expectations?
Objectives
• Understand the challenges of securing information in a
global, dynamic, networked systems environment
• Understand the range of vulnerabilities and threats
• Develop information security strategies and identify
resources
• Learn proactive measures you can use to defend and
improve your organization’s information security
• Learn ways to improve readiness to respond to and recover
from information security incidents
• Understand your vital role as a communicator regarding
information security
What Is The Internet?
• Collection of networks that communicate
- with a common set of protocols (TCP/IP)
- by multilateral agreement
• Collection of networks with
- no central control
- no central authority
- no common legal oversight or
regulations
- no standard acceptable use policy
• “wild west” atmosphere
What Is The Internet?
• Physical network connections not important
- leased lines
- dial-up
- wireless
• Logical connectivity
- everything is
connected to
everything else
Internet Security in the
Beginnings of the Internet
• Internet started as a research project
(ARPANET)
- small community of researchers
- trusted community
• Security was not a primary consideration in
the design of Internet protocols
“Security issues are not discussed in this
memo.” - many RFC documents
Where Wizards Stay Up Late by Katie Hafner and Matthew Lyon (ISBN 0-684-81201-0)
Why Is Internet Security a
Problem?
• Security not a design consideration
• Implementing change is difficult
• Openness makes machines easy targets
• Increasing complexity
The Beginning of the CERT/CC
[Timeline figure with the labels: Morris Worm, worm attack, post mortem, CERT/CC created; date shown: November 1988]
Who We Are
[Organization chart with the labels: sponsor, U.S. DoD Office of the Under Secretary (Research and Engineering); (FFRDC*); Networked Systems Survivability Program; Survivable Network Management; Survivable Network Technology]
*FFRDC - Federally Funded Research and Development Center
NSS Program Strategies
[Diagram with the labels: CERT Coordination Center, Repaired Systems, Technology Evaluation, Survivable Network Management, Protected Systems, Research Results, Survivable Network Technology, Improved Systems]
What is the CERT/CC?
• Initially charged by DARPA* to serve as a focal point
for Internet security by
- Fostering collaboration on security issues across
the Internet community
- Providing technical assistance to Internet sites
- Analysing vulnerabilities and providing alerts to the
Internet community
- Assisting other organisations in the formation of
CSIRTs**
- Conducting tutorials, site evaluations, research
*DARPA - U.S. Department of Defense, Defense Advanced Research Projects Agency
**CSIRTs - Computer Security Incident Response Teams
What is the CERT/CC?
• Responsibilities now include providing
- Internet security information for
– system and network administrators
– technology managers
– policy makers
- Guidance and co-ordination for major Internet security
events
– Melissa virus
– Y2K
- Leadership in the response team community
– CSIRT formation and development assistance
What is the CERT/CC?
• The CERT/CC focuses specifically on technical issues
relating to Internet security
• The CERT/CC does not focus on
- who the intruders are
- where intruders are located (physically)
- motivations of intruders
- monitoring/surveillance of intruders
– other than understanding the technical implications
of what the intruder community is doing
The CERT®/CC Constituency Internet
• Global distribution
- more than 72 million host computers as of January
2000*
• Diverse user demographics
- government agencies
- academic and research institutions
- corporate users
- home users
*Source: Internet Software Consortium (http://www.isc.org/)
CERT®/CC Principles
• Provide valued services
- proactive as well as reactive
• Ensure confidentiality and impartiality
- we do not identify victims but can pass information
anonymously and describe activity without attribution
- unbiased source of trusted information
• Co-ordinate with other organizations and experts
- academic, government, corporate
- distributed model for incident response teams (co-ordination
and co-operation, not control)
Current Activities
• 24 hour confidential incident response and vulnerability
analysis
• Providing Internet security information to system and
network administrators
• Developing a knowledgebase of vulnerability and
incident data
• Documenting best practices for information security
• Facilitating the formation and training of new incident
response teams
Direction of Internet Security
What the Internet community is facing in terms of
Internet security in the next few years can be summed
up in the following statements:
• The expertise of intruders is increasing
• The sophistication of attacks and intruder tools/toolkits is
increasing
• The effectiveness of intruders is increasing (knowledge is
being passed to less knowledgeable intruders thus
making them effective)
Direction of Internet Security
• The number of intrusions is increasing
• The number of companies and users of the Internet is
increasing
• The complexity of protocols and applications run on
clients and servers attached to the Internet is increasing
• The complexity of the Internet as a network is increasing
Direction of Internet Security
• The information infrastructure has many fundamental
security design problems that cannot be quickly
addressed
• The number of people with security knowledge and
expertise is increasing, but at a significantly smaller rate
than the increase in the number of Internet users
• The number of security tools available is increasing, but
not necessarily as fast as the complexity of software,
systems and networks
Direction of Internet Security
• The number of incident response teams is increasing, but
the ratio of incident response personnel to Internet users
is decreasing
• The vendor product development and testing cycle is
decreasing
• Vendors continue to produce software with vulnerabilities,
including types of vulnerabilities where prevention is well-understood (such as buffer overflows)
Course Overview
• Information Security Concepts
• Key Areas
- Communication
- Vulnerabilities and Threats
- Strategies and Tactics
- Planning for Information Security
- Information Security Policy
- Incident Handling
- Making the Case
• Putting it all Together
Information Security Concepts
Overview
• An example of an information security incident
• Information Security Model
• Complexity of Security
• Protecting Information Assets and Resources
• Administrative Responsibilities
• Risk and Trust
Information Security Breached
New York Times - 9/3/1988
Information Security Breached
Lessons Learned:
• Intruders actively seek ways to compromise systems
• Vulnerabilities and threats are constantly evolving
• Even sophisticated, security-conscientious organizations
need to be vigilant
Notes:
• The signs of an information security compromise are not
always readily visible
• Sustaining and improving information security requires
continuous, proactive effort and readiness to respond
Information Security Model
Information States
Information Security Properties
Security Measures
NSTISSI 4011: National Training Standard for Information Systems Security Professionals, 1994
Information Security Properties
Confidentiality
Integrity
Availability
Information States
Processing
Storage
Transmission
Security Measures
Policy & Procedures
Technology
Education, Training & Awareness
Information Security Model
Processing
Storage
Transmission
Confidentiality
Integrity
Availability
Policy & Procedures
Technology
Education, Training & Awareness
Complexity of Administration
In a networked systems environment, sustaining the
security of information assets is a complicated task
• Interpret information security policies to implement
appropriate access controls, data protection and capacity
• Establish and implement means to verify user credentials
• Implement and enforce information security policies at a
variety of levels - data, host, network, Internet
• Sustain and monitor information security consistently
throughout the system and network infrastructure
The complexity increases rapidly with scale
Example: Data on a Workstation
Employees
Removable Media
Other Systems on the Network
Other Resources on the Network
Access to the Internet
Access to Other Local Networks
Other Routes to the Internet
Telephones and Modems
Open Network Ports
Remote Users
Vendor and Contractor Access
Access to External Resources
Public Information Services
Operating Environment
Complexity of Administration
• These are a sampling of the issues
• Making a mistake in just one part of one area can lead to a
compromise
Protecting Information Assets
and Resources
• Avoidance
• Prevention
• Detection
• Containment and Response
• Recovery
• Improvement
Administrative Responsibilities
• Authorization
• Authentication
• Accountability
• Monitoring
• Response to information security incidents
• Damage assessment and recovery
• Analysis and implementation of security improvements
• System and software deployment, upkeep and retirement
• Backups and “hot spares”
Risk and Trust
Managing Risk
• Identify the information assets to be protected
• Prioritize the importance of securing each information asset
• Identify vulnerabilities of each asset, and the threats to it
• Prioritize impact of threats to vulnerabilities
• Select and implement appropriate safeguards
• Assume incidents will occur - “There are no silver bullets”
Trust Dilemma
• You cannot eliminate or mitigate all possible risks
• At some point, you have to trust someone or something
Exercise: Trust
Complete the exercise on page 1.
Information Security Concepts
Key Points
• The goal of information security is to sustain and defend
the confidentiality, integrity and availability of information
• Despite your best efforts, you must assume that information
security incidents will occur
• Even sophisticated, security-conscientious organizations
need to be vigilant
• The complexity of administrating information security
increases rapidly with scale
• Sustaining and improving information security is a
continuous risk management activity
• At some point, you have to trust someone or something
Key Areas
Communication
Vulnerabilities & Threats
Strategies & Tactics
Planning
Information Security Policy
Incident Handling
Making the Case
Key Areas
Communication
Communication
Overview
• Meaningful and Effective Communication
• Communicating about Security
• Communication Channels
Communication
Meaningful communication
• language
• context
Effective communication
• accuracy and clarity
• relevance to the listener
Communicating about Security
[Diagram with the labels: YOU; Users of Information Systems; Management; Information Service Providers, Vendors and Contractors; Information Technology Staff and Systems Developers; Other System and Network Administrators; Information Security Officers and Incident Handling Groups]
Communication Channels
Whom do you call?
• Peer system and network administrators
• Management
• Information Security Officers
• Physical Security Staff
• Network Service Providers, IT vendors
• Incident Handling Organizations
Who calls you?
• Whom should they call?
• Who should call you?
Exercise: Contact List
Complete the exercise on pages 2 and 3.
Communication
Key Points
• Excellent communication skills are a must for computer
professionals
• As a computer professional, you have an important role in
communicating to others about information security
• Establishing and sustaining communication channels are
critically important for information security readiness
Key Areas
Communication
Vulnerabilities & Threats
Vulnerabilities & Threats
Overview
• Why Care About Vulnerabilities
• Common Terms
• Vulnerabilities
• Threats
• Intruders
• Software Flaws
• Configuration Errors
• Network Intrusions
• Forms of Attack
Will Vulnerabilities Be Found?
• San Diego Supercomputer Center conducted an
experiment
• Red Hat Linux 5.2 with no security patches installed on
machine
• Monitoring established to record traffic to and from host
• Host not otherwise used by staff
See: http://worm.sdsc.edu
Will Vulnerabilities Be Found?
• 8 hours from install
- probed for Solaris RPC vul, not compromised
• 21 days from install
- 20 exploits tried for vuls including POP, IMAP, telnet,
RPC, and mountd
- exploit attempts failed because they were exploits for
Red Hat 6.x
• About 40 days from install
- POP server vul compromised
- wipes some system logs
- installs rootkit and sniffer
Common Terms
Vulnerability - A feature or a combination of features of a
system that allows an adversary to place the system in a
state that is contrary to the desires of the people responsible
for the system and increases the probability or magnitude of
undesirable behavior in or of the system.
Threat - any circumstance or event with the potential for
causing harm to an information system in the form of
destruction, disclosure, adverse modification of data, and/or
denial of service
Safeguard - an action, device, procedure, technique, or
other measure that reduces the vulnerability of an
information system
Common Terms
Incident - An event (or set of related events) in which the
information security policies of an organization are violated.
A collection of data representing one or more related attacks.
Attacks may be related by attacker, type of attack,
objectives, sites, or timing.
Attack - An attempt to breach the security of an information
asset or resource
Common Terms
Intrusion - A breach in the security of an information asset
or resource resulting from a successful attack.
An action conducted by one adversary, the intruder, against
another adversary, the victim. The intruder carries out an
attack with a specific objective in mind. From the perspective
of an administrator responsible for maintaining a system, an
attack is a set of one or more events that may have one or
more security consequences. From the perspective of an
intruder, an attack is a mechanism to fulfill an objective.
Common Terms
Intruder - A person who deliberately attempts to breach the
security of an information asset or resource.
The person who carries out an attack. Attacker is a common
synonym for intruder. The words attacker and intruder apply
only after an attack has occurred. A potential intruder may be
referred to as an adversary. Since the label of intruder is
assigned by the victim of the intrusion and is therefore
contingent on the victim’s definition of encroachment, there
can be no ubiquitous categorization of actions as being
intrusive or not.
Common Terms
Trojan Horse - Malicious software or content planted by an
intruder on a target system, typically masquerading as a
normal or expected program or file. Intruders often install
trojan horse versions of system software on systems they
have compromised to hide their activities on the system and
to illicitly gather information such as users’ account
passwords.
Trojan horse software may also be embedded in e-mail
attachments in a manner that causes unsuspecting
recipients to execute the malicious software when the
attachment is opened. Examples include the Melissa macro
virus and Happy99.exe trojan horse.
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
Common Terms
Compromise - Disclosure of information to unauthorized
persons
A breach in the security of an information asset or resource
“root” Compromise - Compromise of an information
system resulting in access by an intruder at a level
equivalent to that of an administrator (a.k.a. root, superuser)
of the system
Vulnerabilities
Software and Hardware
Environment
Personnel
Change
Threats Overview
... to Confidentiality
… to Integrity
… to Availability
Threats to Confidentiality
• Unauthorized access
- observation, eavesdropping, copying, theft
• Inappropriate disclosure
Threats to Integrity
• Unauthorized modification or destruction
• Loss of means to authenticate or verify integrity
Threats to Availability
• Denial of service
• Theft
• Threats to integrity
- availability of reliable data
• Loss of the means to access data
- passwords, encryption keys,
technology
Other Threats
Human Error
• Data entry errors
• Improper data handling
- transmission
- processing
- storage
- disposal
• Negligence
Other Threats
Environment
• Electromagnetic Interference
• Physical damage due to weather
• Natural disasters
• Armed conflicts
• Loss of power, water, network
or phone connectivity
Intruders Overview
• Internal
• External
• Means
• Motive
• Opportunity
Internal Intruders
• Employees
• Contractors
• Service personnel
• Visitors
• Covert agents
External Intruders
• Former employees
• Contractors
• Clients and Customers
• “Crackers”
• Vandals
• Thieves and Organized Crime
• Business competitors
• Political opponents and Insurgent groups
• Foreign agents
Intruder Means
Means is the sum of:
• What they know and can learn
- Abundant sources of technical information
• Information from others who can help them
- Mailing lists, conferences, chat rooms
• Tools they have at their disposal to execute an intrusion
- Availability of sophisticated, easy-to-use intruder tools
Evolving Intruder Threat
[Chart: Sophistication of Intruder Attacks (Low to High) by year, 1975 to 2000]
Evolving Intruder Threat
[Chart: Technical Knowledge and Skill Required by Intruders (Novice to Expert) by year, 1975 to 2000]
Intruder Motives
• Money, profit
• Access to additional resources
• Competitive advantage
- Economic
- Political
• Personal grievance, vengeance
• Curiosity
• Mischief
• Attention
Opportunities for Intrusion
• Rapid adoption of computer and network technology in
government, industry, and educational organizations
• Internet explosion and e-commerce
• Thousands of exploitable vulnerabilities in technology
• Lack of awareness regarding information security
• Shortage of qualified system and network administrators
and information security staff
• Lack of applicable laws and means of enforcement
• International scope
Internet Growth
[Chart: host count (0 to 50,000,000) by year, 1975 to 2000. Source: Network Wizards, Inc., Internet Domain Survey, Host Count History]
Vulnerability Exploit Cycle
[Cycle diagram with the stages: Advanced Intruders Discover New Vulnerability; Crude Exploit Tools Distributed; Novice Intruders Use Crude Exploit Tools; Automated Scanning/Exploit Tools Developed; Widespread Use of Automated Scanning/Exploit Tools; Intruders Begin Using New Types of Exploits]
Software Vulnerabilities
Examples
• Buffer overflows
• Timing windows
Avoiding Software Vulnerabilities
• Defensive Programming
Buffer Overflow Example
[Stack diagram with the labels: Return Address (subroutine return address), Buffer (buffer in the subroutine)]
Buffer Overflow Example
• In a subroutine, the intruder forces
more data into a buffer than the size
of the buffer allocated for it
[Stack diagram with the labels: Intruder Data, Return Address, Buffer]
Buffer Overflow Example
• In a subroutine, the intruder forces
more data into a buffer than the size of
the buffer allocated for it
• The intruder data spills over onto the
subroutine return address memory cell
• Embedded in the intruder data
are malicious program commands
and a new subroutine return address
• When the subroutine returns, the next
instructions executed are those given
by the intruder, with the privileges of
the program
[Stack diagram with the labels: Return Address, Buffer]
Timing Window Example
A real-world timing window problem:
• Call video store
• “Do you have ‘Saving Private Ryan’?”
• “Yes”
• Drive to video store
• Alas, someone retrieved the copy first
You asked an incomplete question.
Should have asked:
• “Do you have ‘Saving Private Ryan’ and if you do, please
hold it for me.”
• Better level of atomicity
Timing Window Example
TIME    PROGRAM
t1      if (file_does_not_exist(some_file)) then
t2          create(some_file);
t3      endif
Stretch the t1 to t2 interval
Change the world during that interval
Timing Window Example
How to change the t1 to t2 interval?
• Load the system: run many programs, flood with network
traffic, anything to make the system run slower
• Run the race over and over; eventually you’ll win
What to do in the t1 to t2 interval?
• Replace created file with symbolic link
• File then created elsewhere
• If set UID root program, then file created anywhere, or
contents abandoned
Timing Window Example
TIME    PROGRAM                   ATTACKER
t1      if (…("/tmp/t") then
t1+i                              symlink("/tmp/t", "/etc/passwd")
t2      create("/tmp/t");
This results in /etc/passwd being “created,” or zeroed,
hence a denial of service
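The timing window above in C, next to an atomic create that closes it. This is an added example, not code from the original slides; the scratch directory, the stand-in "protected" file and the hook that models the t1 to t2 interval are assumptions made so the sequence is deterministic and touches no real system file.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed content for a stand-in "protected" file in a scratch directory. */
#define SAMPLE "constructed sample line\n"

/* Called between t1 and t2 to model "the world changes during the interval". */
typedef int (*window_hook)(const char *name, const char *other);

/* The slide's pattern: existence check (t1) and create (t2) are two calls. */
int racy_create(const char *name, window_hook hook, const char *other)
{
    struct stat st;
    if (lstat(name, &st) == 0)            /* t1: name already exists */
        return -1;
    if (hook && hook(name, other) != 0)   /* t1+i: the window is open */
        return -1;
    /* t2: without O_EXCL, open() follows a symbolic link and O_TRUNC zeroes
     * whatever file the link points to. */
    return open(name, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Atomic form: with O_CREAT|O_EXCL the kernel does the check and the create
 * as one step. If the name exists in any form, symbolic link included,
 * open() fails with EEXIST and nothing is followed or truncated. */
int atomic_create(const char *name)
{
    return open(name, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Test fixture: makes `name` a symbolic link to `other`. */
static int plant_link(const char *name, const char *other)
{
    return symlink(other, name);
}

static long size_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1L;
}

/* Private scratch directory holding the protected file; fills in both paths. */
static int scratch(char *victim, char *name, size_t n)
{
    char dir[] = "/tmp/twdemoXXXXXX";
    size_t len = strlen(SAMPLE);
    ssize_t wrote;
    int fd;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, n, "%s/protected", dir);
    snprintf(name, n, "%s/t", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    wrote = write(fd, SAMPLE, len);
    close(fd);
    return wrote == (ssize_t)len ? 0 : -1;
}

/* Size of the protected file after the racy sequence; 0 means it was zeroed. */
long demo_racy(void)
{
    char victim[64], name[64];
    int fd;
    if (scratch(victim, name, sizeof victim) != 0)
        return -1;
    fd = racy_create(name, plant_link, victim);
    if (fd >= 0)
        close(fd);
    return size_of(victim);
}

/* Size of the protected file after atomic_create() meets a link that is
 * already in place; -2 if the call did not fail with EEXIST. */
long demo_atomic(void)
{
    char victim[64], name[64];
    int fd;
    if (scratch(victim, name, sizeof victim) != 0 || plant_link(name, victim) != 0)
        return -1;
    fd = atomic_create(name);
    if (fd >= 0)
        close(fd);
    return (fd < 0 && errno == EEXIST) ? size_of(victim) : -2;
}

int main(void)
{
    printf("racy: %ld bytes left; atomic: %ld bytes left\n", demo_racy(), demo_atomic());
    return 0;
}
```

This is the "hold it for me" question from the video store slide: the check and the claim happen in a single request, so there is no interval left to stretch.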
Defensive Programming
• Trusting untrustworthy data
- always check input length
- always use bounded functions
- always check input for unexpected data
- limit acceptable input; reject all violations; provide
documented default
• Avoid vulnerable functions such as system() and popen()
• Test all programs thoroughly before deployment
- make testing conditions as realistic as possible
- always check boundary conditions
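The input-handling rules above, applied to the overflow described in the Buffer Overflow Example slides. This is an added example, not code from the original slides; the field name, the 16-byte limit, the allowed character set and the "unknown" default are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 16               /* longest accepted value, NUL not counted */
#define FIELD_DEFAULT "unknown"    /* documented default stored on rejection */

enum field_status { FIELD_OK, FIELD_EMPTY, FIELD_TOO_LONG, FIELD_BAD_CHAR };

/* Limit acceptable input: lowercase letters, digits, '_' and '-' only. */
static int allowed(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '_' || c == '-';
}

/* Validates `len` bytes at `in` (as read from a client, so not assumed to be
 * NUL-terminated) and stores the result in out, which must hold
 * FIELD_MAX + 1 bytes. Any violation is rejected and the default is stored. */
enum field_status accept_field(const char *in, size_t len, char *out)
{
    enum field_status st = FIELD_OK;
    size_t i;

    if (in == NULL || len == 0)
        st = FIELD_EMPTY;
    else if (len > FIELD_MAX)             /* length is checked before any copy */
        st = FIELD_TOO_LONG;
    else
        for (i = 0; i < len; i++)
            if (!allowed((unsigned char)in[i])) {
                st = FIELD_BAD_CHAR;      /* includes embedded NUL bytes */
                break;
            }

    if (st == FIELD_OK) {
        memcpy(out, in, len);             /* bounded: len <= FIELD_MAX */
        out[len] = '\0';
    } else {
        memcpy(out, FIELD_DEFAULT, sizeof FIELD_DEFAULT);
    }
    return st;
}

/* Wrappers so that status and stored value can be inspected separately. */
enum field_status status_of(const char *in, size_t len)
{
    char out[FIELD_MAX + 1];
    return accept_field(in, len, out);
}

const char *stored_for(const char *in, size_t len)
{
    static char out[FIELD_MAX + 1];
    accept_field(in, len, out);
    return out;
}

int main(void)
{
    /* Constructed inputs: one valid, one at the boundary plus one byte,
     * one with shell metacharacters, one with an embedded NUL. */
    static const struct { const char *in; size_t len; } cases[] = {
        { "alice", 5 }, { "abcdefghijklmnopq", 17 }, { "bob;id", 6 }, { "ab\0cd", 5 },
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("status=%d stored=%s\n", (int)status_of(cases[i].in, cases[i].len),
               stored_for(cases[i].in, cases[i].len));
    return 0;
}
```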
Common Configuration Errors
Overview
• Vulnerable default configurations
• Incorrect access controls and execution privileges
• Problems maintaining system and network software
Vulnerable Default
Configurations
• Empty passwords and well-known vendor passwords
• Guest and other default accounts
• Unnecessary features and services enabled
• Remote access enabled
• Logging and auditing features disabled
• Incorrect default access controls
• Need for updated device drivers and software patches
Incorrect System Access
Controls
• Access to administrative systems, programs, and
configuration data
• Access privileges for storage volumes, directories and files
• Remote access to local system resources
• Ownership of files and access privileges retained by
terminated accounts
• Access to backup data
Incorrect Network Access
Controls
• Access to administrative capabilities of networked systems
and components
• Router and switch configurations
• Firewall configurations
• Network monitor configurations
• Trust relationships between networked systems
Problems Maintaining System
and Network Software
• Failing to keep software up-to-date regarding security fixes
• Assuming old configuration files will be OK for updated
versions of software
• Assuming that new versions of software will have all the
security fixes included
• Accepting unwritten default settings (not setting all
configuration settings explicitly)
• Inconsistency of software versions and configurations
across all systems and network infrastructure components
Exercise: Vulnerabilities
Complete the exercise on page 4.
Network Intrusions
• Intrusions from remote systems can be achieved in a
matter of seconds using automated intruder tools
• Intruders are interested in gaining access to computing
resources as well as to private data
• Intruders often compromise a series of remote systems,
making it difficult to trace their activities
• Network intrusions originating outside of your jurisdiction
and from foreign countries may be impossible to prosecute
A Network Intrusion Scenario
Intruder Probes a Remote System
Exploits a Vulnerability Found
Gains Privileged Access
Installs Trojan Horse Programs
Compromises Other Local Hosts
Attacks Other Remote Systems
Exploits Connectivity Found
Attacks Target System
Inflicts Damage
Forms of Attack
• Abuse of Access Privileges
• Physical Theft
• Information Gathering
• Password Cracking
• Exploitation of System and Network Vulnerabilities
• Spoofing
• Denial of Service
• Exploitation of Trust
• Network Infrastructure Attacks
• Malicious Code
Information Gathering
• Dumpster Diving
• Social Engineering
• Probes
• Network Scans
• Network Mapping
• Keystroke Monitoring
• Packet Sniffing
Probes and network scans are the most commonly
reported intruder activity
Scans
• Intruders commonly use automated tools to scan networks
for vulnerable systems
• Scans may be recognizable in network traffic logs as a
series of consecutive probes to a range of system
addresses or port numbers
• Stealth scans spread probes out over time to appear
inconspicuous within normal traffic patterns
• Intruders employ automated tools to call telephone number
ranges in search of modems used for dial-up connections
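One way to look for the log pattern described above, as an added example that is not part of the original slides. The log format (epoch seconds, source, destination, destination port), the sample lines and the 60-second window are assumptions. It counts distinct (address, port) targets per source, once inside a short window and once over the whole log, which is what separates a fast scan from one spread out over time.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define MAX_PROBES 64

/* Constructed sample log: "epoch-seconds source destination dest-port".
 * 203.0.113.9 probes six ports in 3 s; 198.51.100.7 probes port 23 on five
 * hosts, one per hour; 192.0.2.50 is ordinary web and mail traffic. */
static const char SAMPLE_LOG[] =
    "1000 203.0.113.9 192.0.2.10 21\n"   "1001 203.0.113.9 192.0.2.10 22\n"
    "1001 203.0.113.9 192.0.2.10 23\n"   "1002 203.0.113.9 192.0.2.10 25\n"
    "1003 203.0.113.9 192.0.2.10 80\n"   "1003 203.0.113.9 192.0.2.10 110\n"
    "1200 192.0.2.50 192.0.2.10 80\n"    "1260 192.0.2.50 192.0.2.10 80\n"
    "2000 198.51.100.7 192.0.2.11 23\n"  "5600 198.51.100.7 192.0.2.12 23\n"
    "9200 198.51.100.7 192.0.2.13 23\n"  "12800 198.51.100.7 192.0.2.14 23\n"
    "16400 198.51.100.7 192.0.2.15 23\n" "20000 192.0.2.50 192.0.2.10 25\n";

struct probe { long ts; char src[16]; char dst[16]; int dport; };

/* Parses up to max well-formed lines; stops at the first malformed one. */
static int parse_log(const char *log, struct probe *out, int max)
{
    int n = 0, used = 0;
    while (n < max && sscanf(log, "%ld %15s %15s %d%n", &out[n].ts,
                             out[n].src, out[n].dst, &out[n].dport, &used) == 4) {
        log += used;
        n++;
    }
    return n;
}

/* Distinct (destination, port) pairs probed by src with t0 <= ts <= t1.
 * Counting pairs covers both port scans of one host and sweeps of one port
 * across a range of addresses. */
static int distinct_targets(const struct probe *p, int n, const char *src,
                            long t0, long t1)
{
    int seen[MAX_PROBES], k = 0, i, j;
    for (i = 0; i < n; i++) {
        if (strcmp(p[i].src, src) != 0 || p[i].ts < t0 || p[i].ts > t1)
            continue;
        for (j = 0; j < k; j++)
            if (p[seen[j]].dport == p[i].dport &&
                strcmp(p[seen[j]].dst, p[i].dst) == 0)
                break;
        if (j == k)
            seen[k++] = i;
    }
    return k;
}

/* Whole-log count: slow, spread-out probing still accumulates here. */
int targets_overall(const char *log, const char *src)
{
    struct probe p[MAX_PROBES];
    int n = parse_log(log, p, MAX_PROBES);
    return distinct_targets(p, n, src, LONG_MIN, LONG_MAX);
}

/* Largest count inside any window of `window` seconds starting at one of
 * the source's own probes: catches bursts, misses spread-out probing. */
int targets_in_window(const char *log, const char *src, long window)
{
    struct probe p[MAX_PROBES];
    int n = parse_log(log, p, MAX_PROBES), best = 0, i, c;
    for (i = 0; i < n; i++) {
        if (strcmp(p[i].src, src) != 0)
            continue;
        c = distinct_targets(p, n, src, p[i].ts, p[i].ts + window);
        if (c > best)
            best = c;
    }
    return best;
}

int main(void)
{
    static const char *sources[] = { "203.0.113.9", "198.51.100.7", "192.0.2.50" };
    int i;
    for (i = 0; i < 3; i++)
        printf("%-13s in 60 s: %d  overall: %d\n", sources[i],
               targets_in_window(SAMPLE_LOG, sources[i], 60),
               targets_overall(SAMPLE_LOG, sources[i]));
    return 0;
}
```

The whole-log count also grows for a legitimate client that talks to many services, so a threshold on it needs tuning against normal traffic.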
Packet Sniffing
Under normal conditions, the data in a packet transmitted over the network is read only by the destination system to which it is addressed.
[Network diagram with the label: Router]
Packet Sniffing
When a packet sniffer is present, a copy of every packet that passes by it on the network is covertly captured.
[Network diagram with the labels: Router, Packet Sniffer Executing]
Sniffed Telnet Example
© 1999, 2000 Carnegie Mellon University
page 118
Denial of Service
• Loss of availability
• Loss of the ability to respond
• Consumption of a limited resource
• Forcing failure or shutdown of a system that
- contains a needed information asset or resource, or
- is required for delivery of an information asset or
resource
Examples of Denial of Service
Common denials of service launched across networks:
• Mail Bombs
• Ping Floods (e.g. “Smurf” attacks)
• SYN Attacks
• UDP Bounce Attacks
• Distributed Denials of Service
Mail Bombs
Floods of e-mail messages intended to consume and
exceed your mail system’s capacity to process and
store them
• Automated tools can generate a continuous e-mail stream
• Falsified subscriptions of your e-mail address to a large
number of automated mailing lists and newsgroups results
in a flood of unwanted e-mail
What can you do?
• Require a confirmation message to initiate all subscriptions
• Enable anti-spam measures on mail proxies and servers
Ping Floods
Floods of ping requests tie up a system’s ability to
respond to legitimate connection requests
Example: “Smurf” attacks
“Smurf” Attack
1. The attacker forges a ping packet with the source address set to that of the target system
2. The forged ping packet is sent to the broadcast address of remote networks
3. Pinging the broadcast address causes all hosts on that network to respond to the forged ping request
4. The hosts on the remote network each return pings to the target host, flooding it with pings
[Network diagram, repeated for each step, with the labels: Attacker; “Ping from 192.168.123.45 to 10.0.0.255”; 10.0.0.x network; Broadcast address 10.0.0.255; Router; Router; Target 192.168.123.45]
SYN Attacks
TCP session handshake sequence
[Diagram: 1. the Client sends SYN to the Server; 2. the Server
replies with ACK:SYN; 3. the Client sends ACK]
• The server keeps track of a limited number of open TCP
connections
• For each open TCP connection, the server waits a preset
interval for the ACK packet in step 3
SYN Attacks
“Half-open” TCP connections
[Diagram: Client and Server exchanging SYN 1, ACK:SYN 1, SYN 2,
ACK:SYN 2, SYN ...]
• The server receives a number of SYN packets but no
subsequent ACK packets within the timeout period
• The server’s pool of open TCP connection slots fills up
• New connection attempts, even legitimate ones, get denied
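The slot-and-timeout behaviour described on the SYN Attacks slides can be modelled from the server's side. The following is an added example, not part of the original course material; the class, the capacity and timeout values, and the event list (documentation-range addresses) are all constructed for illustration.

```python
"""Model of a server's half-open connection table (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class SynBacklog:
    capacity: int        # limited number of half-open connection slots
    ack_timeout: float   # seconds the server waits for the step-3 ACK
    half_open: dict = field(default_factory=dict)   # (src, sport) -> SYN arrival time
    established: set = field(default_factory=set)
    denied: list = field(default_factory=list)      # SYNs refused because the pool was full

    def expire(self, now):
        """Free every slot whose ACK did not arrive within the timeout."""
        stale = [k for k, t in self.half_open.items() if now - t >= self.ack_timeout]
        for key in stale:
            del self.half_open[key]
        return len(stale)

    def on_syn(self, now, src, sport):
        """Step 1 arrives: reserve a slot (the ACK:SYN reply is implied) or refuse."""
        self.expire(now)
        key = (src, sport)
        if key in self.half_open or key in self.established:
            return "duplicate"
        if len(self.half_open) >= self.capacity:
            self.denied.append((now, src, sport))
            return "denied"
        self.half_open[key] = now
        return "half-open"

    def on_ack(self, now, src, sport):
        """Step 3 arrives: the handshake completes and the slot is released."""
        self.expire(now)
        key = (src, sport)
        if key not in self.half_open:
            return "ignored"
        del self.half_open[key]
        self.established.add(key)
        return "established"


# Constructed event list: (time in seconds, packet kind, source address, source port).
# 198.51.100.7 completes its handshakes; the 203.0.113.x sources never send the ACK.
EVENTS = [
    (0.0, "SYN", "198.51.100.7", 40000),
    (0.1, "ACK", "198.51.100.7", 40000),
    (1.0, "SYN", "203.0.113.1", 1024),
    (1.1, "SYN", "203.0.113.2", 1025),
    (1.2, "SYN", "203.0.113.3", 1026),
    (1.3, "SYN", "203.0.113.4", 1027),
    (2.0, "SYN", "198.51.100.7", 40001),   # arrives while the pool is full
    (31.5, "SYN", "198.51.100.7", 40002),  # arrives after the stale slots time out
    (31.6, "ACK", "198.51.100.7", 40002),
]


def replay(events, capacity, ack_timeout):
    """Feed the events to a fresh server model; return it and each outcome."""
    server = SynBacklog(capacity, ack_timeout)
    outcomes = []
    for now, kind, src, sport in events:
        handler = server.on_syn if kind == "SYN" else server.on_ack
        outcomes.append(handler(now, src, sport))
    return server, outcomes


if __name__ == "__main__":
    for capacity, timeout in ((4, 30.0), (8, 30.0), (4, 0.5)):
        server, outcomes = replay(EVENTS, capacity, timeout)
        print(f"capacity={capacity} timeout={timeout}: "
              f"denied={len(server.denied)} outcomes={outcomes}")
```

Replaying the same events with a larger pool or a shorter ACK wait shows why both settings are used to reduce exposure: the legitimate request at 2.0 seconds is no longer refused.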
UDP Bounce Attacks
User Datagram Protocol (UDP) is connectionless
UDP versions of diagnostic services simply respond
when they receive a packet addressed to them
• echo
• discard
• daytime
• character generator (chargen)
UDP Bounce Attacks
• The attacker forges a packet addressed to the chargen port
of one target, claiming to originate from the echo port of the
other target
[Diagram labels: forged packet “To green:chargen From
yellow:echo”; echo; chargen]
• The target receiving the forged packet responds by sending
a number of packets to the echo port of the other target
• Every packet received on the echo port is returned back to
the chargen port of the first target
• Each packet sent to the chargen port gets several back...
UDP Bounce Attacks
• The targets rapidly send an increasing flood of traffic to one
another, rendering both systems unable to respond
• The extreme volume of traffic generated between the targets
also affects network connectivity of other systems that
share the network
Services like echo and chargen should generally be
disabled on all systems and filtered at network gateways
Typical Distributed DoS Attack
[Diagram labels: intruder; Internet]
Step One - Intruder to Handler
• intruder sends commands to handler
Step Two - Handler to Agents
• master sends commands to agents
Step Three - Agents to Victim
• each agent independently sends traffic to the victim
DDoS Attack Tools Summary
trin00 and Tribe Flood Network
http://www.cert.org/incident_notes/IN-99-07
Tribe Flood Network 2K
http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html
Stacheldraht
http://www.cert.org/advisories/CA-2000-01.html
WinTrin00
http://www.cert.org/incident_notes/IN-2000-01.html
mstream
http://www.cert.org/incident_notes/IN-2000-05.html
DDoS Communication Methods
Trinoo:
• intruder->handler: 27665/tcp
• handler<->agent: 27444/udp, 31335/udp
TFN:
• intruder->handler: ssh, telnet, ICMP (loki)...
• handler->agent: echo_reply/icmp
Stacheldraht:
• intruder->handler: 16660/tcp
• handler->agent: 65000/tcp, echo_reply/icmp
Shaft:
• intruder->handler: 24032/tcp (not 20483/tcp)
• handler<->agent: 18753/udp, 20433/udp
Exploitation of Trust
It is common to set up trust relationships between
networked systems to facilitate convenient access
• single sign-on authentication
• shared network file systems
Trust relationships between systems that rely on
network information to identify systems are vulnerable
to exploitation by spoofed (i.e. forged) network packets
Example: IP Source Address Spoofing
IP Source Address Spoofing
[Diagram labels: Trusting Host 10.1.2.3; Trusted Host 10.1.2.4;
Intruder’s Host pretending to be 10.1.2.4]
• 10.1.2.3 (yellow) trusts 10.1.2.4 (green) implicitly
• The intruder spoofs a connection request from 10.1.2.4
(SYN from 10.1.2.4)
• 10.1.2.3 attempts to acknowledge the connection request
(SYN:ACK to 10.1.2.4)
• Normally, 10.1.2.4 would reject the SYN:ACK packet
(RST from 10.1.2.4)
• The intruder, however, has denied service by 10.1.2.4
(SYN:ACK to 10.1.2.4)
• The intruder spoofs an acknowledgment from 10.1.2.4
(ACK from 10.1.2.4)
• 10.1.2.3 establishes the connection, believing that the
intruder’s host is the trusted host, 10.1.2.4
Malicious Code
• Viruses
• Trojan Horse Attacks
- Executable content in downloaded files
- Executable web page content: Javascript, Java, ActiveX
- Executable content in e-mail and attached documents
• Worms
Always verify the integrity and authenticity of
downloaded content
Always scan content for malicious code before opening
Love Letter Worm
• Malicious code that potentially
- generates large amounts of email and entries in the
registry
- destroys or hides certain types of files
• Propagates via several methods
- email
- infected files (on local disk and network drives)
- IRC
• Uses social component to facilitate spread
Love Letter Worm
• New variants continue to be discovered
• While the worst activity is over, re-infections will continue
to occur in the future
See:
http://www.cert.org/advisories/CA-2000-04.html
Exercise: Attacks
Complete the exercise on page 5.
Vulnerabilities & Threats
Key Points
• The intruder threat is increasing
• Always use defensive programming techniques
• Intruders use sophisticated, automated, easy-to-use tools to
launch attacks
• Intruders actively scan networks and probe systems to find
vulnerabilities that they can exploit
• Denial of service attacks are common and difficult to avoid
• Intruders often exploit trust relationships among systems
• Always guard against malicious code in content received
Key Areas
Communication
Vulnerabilities & Threats
Strategies & Tactics
Strategies & Tactics
Overview
• Complexity of Administration
• IT System Life Cycle
• Preparation
• Implementation Challenges
• Strategies for Manageable Security
• Sustaining Security over Time
• Common Security Tactics
Exercise: Infrastructure
Complete the exercise on page 6.
Complexity of Administration
IT System Life Cycle
Initiation and Planning
Development and Acquisition
Preparation and Testing
Implementation
• Education and Training
Operation
• Maintenance and Updates
• Security Monitoring
• Disposal of Information
Termination
Preparation
For all systems and networks administered:
• maintain a complete record of all systems and networks
• know what information assets and resources they contain
• know what information security policies apply to them
• know what system and network services are enabled
- e.g., Web, e-mail, and file service, remote login, DNS, etc.
• identify weakest links
• identify means to avoid, prevent, detect and respond to
security problems
• document assumptions and tradeoffs
Implementation Challenges
• Vendors generally focus their efforts on product features
and flexibility, not ease of secure administration
• Existing system and network infrastructure may not support
the desired means to secure information
• There may be no way to satisfy all requirements as stated in
your organization’s information security policy
• The cost to implement and sustain security measures as
required by policy may be prohibitive
Strategies for Manageable
Security
• Take a conservative approach to configuration
• Separate and isolate networks, systems and services
• Create layers of access and diversify safeguards
• Practice vigilance
Conservative Approach
• Assume that vulnerabilities exist that you are not aware of
• Start by disabling all capabilities
• Enable only those capabilities that are required, and
configure them to maximize security
• Remove all unnecessary software and data
• Carefully consider security implications of all added
functionalities
• Apply the Principle of Least Privilege
Separate, Isolate and Simplify
• Separate and isolate networks, systems, services and data
by role, purpose and security sensitivity
• Establish zones of infrastructure and administration
separated by differences in information security policy, e.g.
- Servers vs. client workstations
- Network services per server host
- Internal vs. external (public) accessibility
- Classified vs. non-classified data
• Enforce differences in information security policy between
zones
Consistency, Depth, Diversity
You’re only ever as secure as your weakest link
• Efforts to secure information are useless if there exist ways
to get around them
Layer defenses to limit and contain breaches in security
• Do not assume your access controls and firewalls are
impervious
• Perimeter defenses cannot thwart insider threats
Diversify safeguards between layers of access
• Do not let the same vulnerability affect multiple levels
Practice Vigilance
• Prepare, test and replicate systems in an isolated,
physically secure environment
• Deploy secure system, network and application logging and
monitoring capabilities
• Regularly review logs for signs of intrusion
• Look for unexpected changes to directories and files
• Regularly scan for viruses
• Maintain and practice readiness to respond to security
incidents
• Keep systems, software and configurations up-to-date
• Actively raise user and management awareness regarding
information security
Sustaining Security Over Time
The appropriate information security strategies and
tactics to apply will change over time as
• your organization’s needs change
• your system or network requirements change
• new automated tools become available
• new systems are deployed
• new network connectivity is established
• existing systems and software become outdated
• new vulnerabilities are discovered
• intruder attack patterns change
Common Security Tactics
• Cryptography
• Firewalls
• Network traffic filtering
• Network traffic monitoring
• Host security
• Security patches and workarounds
• Passwords
• Vulnerability testing
• Virus scanning
• Secure backups
Uses of Cryptography
Confidentiality
• Encryption of files and data transmitted over networks
• Encryption of data stored off-line
Integrity Assurance
• Cryptographic checksums to strongly inhibit fraud
Authentication and Non-repudiation
• Public key authentication and digital signatures
Examples:
• Secure e-mail (PGP, S/MIME)
• Secure remote network connections (Secure Shell, VPNs)
Network Firewalls
One or more components placed at gateways between
networks to enforce information security policy
• Filtering routers
• Bastion hosts and application/service proxies
• Network switches
• Network monitors
Ensure secure administration of firewall components
Reinforce perimeter defenses with host security
Minimal Firewall
[Diagram labels: External Network; Firewall Router; Internal
Network]
Firewall + Application Gateway
[Diagram labels: External Network; Exterior Border Router;
Perimeter Network; Bastion Host; Interior Firewall Router;
Internal Network]
Multiple Internal Networks
[Diagram labels: External Network; Exterior Border Router;
Bastion Host; Network Monitor; Interior Firewall Router;
Internal Network; Internal Network]
A More Complex Firewall Setup
[Diagram labels: External Network; Exterior Border Router;
Bastion Host; Network Monitor; Specialized Interior Firewall
System; Switch; Network Monitor; Internal Network; Internal
Network]
TCP/IP Network Filtering
Prevent IP Source Address Spoofing across network
boundaries
Block Inbound:
• packets with source IP addresses that match an IP address
of your internal network
Block Outbound:
• packets with source IP addresses that do not match an IP
address of your internal network
Block both inbound and outbound:
• packets with source IP addresses in one of the reserved IP
address ranges (RFC 1918)
TCP/IP Network Filtering
Inhibit common forms of Denial of Service attacks
• Disable IP directed broadcasts at all routers
Inhibit opportunities for packet sniffing and session
hijacking
• Block IP source-routed packets at all routers
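The filtering rules on the two TCP/IP Network Filtering slides, together with the earlier advice to filter echo and chargen at network gateways, can be expressed as one border-filter decision function. This is an added example, not part of the original course material; the site prefix, subnets, packet records and reason strings are constructed, and the model assumes a publicly addressed site filtering at its Internet border.

```python
"""Border-filter decision for the slide's filtering rules (constructed example)."""
import ipaddress
from dataclasses import dataclass

# Assumed site addressing, taken from documentation ranges.
INTERNAL_NET = ipaddress.ip_network("198.51.100.0/24")
INTERNAL_SUBNETS = [ipaddress.ip_network("198.51.100.0/25"),
                    ipaddress.ip_network("198.51.100.128/25")]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SOURCE_ROUTE_OPTIONS = {131, 137}   # IPv4 option types: loose / strict source route
UDP_DIAGNOSTIC_PORTS = {7: "echo", 9: "discard", 13: "daytime", 19: "chargen"}


@dataclass(frozen=True)
class Packet:
    direction: str          # "inbound" (arriving from outside) or "outbound"
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    ip_options: tuple = ()  # IPv4 option type numbers present in the header


def decide(pkt):
    """Return (action, reason); action is "drop" or "forward"."""
    if pkt.direction not in ("inbound", "outbound"):
        raise ValueError(f"unknown direction: {pkt.direction!r}")
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # Block IP source-routed packets at all routers.
    if SOURCE_ROUTE_OPTIONS & set(pkt.ip_options):
        return "drop", "source-routed"
    # Block both inbound and outbound: reserved (RFC 1918) source addresses.
    if any(src in net for net in RFC1918):
        return "drop", "rfc1918-source"
    # Block inbound: source address claims to be one of our own hosts.
    if pkt.direction == "inbound" and src in INTERNAL_NET:
        return "drop", "spoofed-internal-source"
    # Block outbound: source address is not one of our own hosts.
    if pkt.direction == "outbound" and src not in INTERNAL_NET:
        return "drop", "spoofed-external-source"
    # Directed broadcasts: inbound traffic to a subnet's broadcast address.
    if pkt.direction == "inbound" and any(dst == n.broadcast_address
                                          for n in INTERNAL_SUBNETS):
        return "drop", "directed-broadcast"
    # UDP diagnostic services are filtered at the gateway.
    if pkt.proto == "udp" and pkt.dport in UDP_DIAGNOSTIC_PORTS:
        return "drop", "udp-" + UDP_DIAGNOSTIC_PORTS[pkt.dport]
    return "forward", "ok"


# Constructed sample traffic seen at the border.
SAMPLES = [
    Packet("inbound", "203.0.113.9", "198.51.100.10", "tcp", 25),
    Packet("inbound", "198.51.100.20", "198.51.100.10", "tcp", 513),
    Packet("outbound", "198.51.100.20", "203.0.113.9", "tcp", 80),
    Packet("outbound", "203.0.113.50", "192.0.2.1", "icmp"),
    Packet("inbound", "10.1.2.4", "198.51.100.10", "tcp", 513),
    Packet("outbound", "192.168.123.45", "192.0.2.1", "icmp"),
    Packet("inbound", "203.0.113.9", "198.51.100.127", "icmp"),
    Packet("inbound", "203.0.113.9", "198.51.100.10", "tcp", 23, (131,)),
    Packet("inbound", "203.0.113.9", "198.51.100.10", "udp", 19),
]


def audit(packets):
    """Return the drop/forward reason for each packet, in order."""
    return [decide(p)[1] for p in packets]


if __name__ == "__main__":
    for pkt, reason in zip(SAMPLES, audit(SAMPLES)):
        print(f"{pkt.direction:8} {pkt.src:15} -> {pkt.dst:15} {reason}")
```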
Host Security Guidelines
• Disable and remove all unnecessary accounts
• Disable and remove all unnecessary network and system
services and application software
• Protect all sensitive system and service configuration
software and data against unauthorized access
• Configure and enable logging and monitoring mechanisms
• Configure and require strong authentication for access to
all information assets and resources
• Use groups to simplify management of access controls
• Regularly check system software and configuration data for
unexpected changes
• Avoid implicit trust relationships between hosts
Why Care About Patches
of intrusions result from exploitation of known
vulnerabilities or configuration errors where
countermeasures were available.
Security Patches and
Workarounds
• Stay up-to-date regarding vendor patches and workarounds
to address security vulnerabilities
• Verify the integrity and authenticity of all downloaded
software before applying it to your systems
• Test patches and workarounds in an isolated, physically
secure test environment before deployment
• Deploy security patches and workarounds as soon as
possible to reduce exposure to attacks
• Maintain a thorough, up-to-date record of security patches
and workarounds that you have applied
CERT® Advisories
CERT® Advisories alert you to vulnerabilities for which
you should take immediate action
• Description of the vulnerability and its scope
• Potential impact should the vulnerability be exploited
• Solutions or workarounds
• Appendices contain details and vendor information
• Revision history
• PGP signature
Other CERT® Publications
The CERT® Coordination Center website (www.cert.org)
• CERT® Summaries
• Vendor-Initiated Bulletins
• CERT® Incident Notes
• CERT® Vulnerability Notes
• CERT® Security Improvement Modules
• Tech Tips
Password Guidelines
Passwords are susceptible to cracking and sniffing
• Use one-time passwords wherever possible
If you must use reusable passwords
• Avoid trivial and easily-crackable passwords
• Protect password data against unauthorized access
• Educate all users regarding the critical importance of
protecting password confidentiality
For all systems and network components
• Ensure that all accounts have passwords
• Replace all vendor-supplied passwords
Vulnerability Testing
“Know what the intruders can know about you”
Warning:
Make sure you have authority to do
so in writing before you engage in
any vulnerability testing activities!
In an isolated, physically secure test environment:
• Password cracking tools
• Network scanning tools
• System scanning tools
Virus Scanning
Even the most conscientious users can receive a virus
• Files and media exchanged between employees and with
customers or other external contacts
• Data downloaded from remote systems
• E-mail attachments
Measures
• Install and regularly use current virus scanning software
• Keep virus scanner data up-to-date on all systems
• Raise awareness of current and emerging virus threats
• Train users to scan all data received for viruses before use
Secure Backups
• Data backups are essential to enable recovery in the event
of failures and security incidents
• The confidentiality and integrity of data must be sustained
during backup, storage, and restoration
• Data backup media must be protected against theft,
modification, and destruction
• The means used to record and read backup media must be
maintained as long as that media is used
• Encryption keys and passwords used to protect backup
data must be securely escrowed
Strategies & Tactics
Key Points
• Good security administration is all about good systems
administration
• Take a conservative approach in configuration management
• Separate, isolate and simplify system and network services
• You’re only ever as secure as your weakest link
• Practice vigilance and be prepared for change
• Apply appropriate tactics to sustain and improve security
• Keep systems and network components up-to-date
regarding patches and workarounds for security
• Maintain secure backups
Key Areas
Communication
Vulnerabilities & Threats
Strategies & Tactics
Planning
Planning
Overview
• Importance of planning
• Planning considerations
Importance of Planning
You cannot afford to be left wondering what to do when
struck by an information security incident
• Your first information security incident could put your
organization entirely out of business
“A penny of planning is worth a pound of recovery”
• Time and resources must be allocated for planning
“Do not paint yourself into a corner”
• Information security measures must accommodate change
Planning Considerations
Sustaining and improving information security is a
complex, continuous, long term process
• Information assets and resources to be protected
• System and network architecture
• Communication channels and reporting procedures
• Proactive security measures and procedures
• Reactive security measures and procedures
• Testing and evaluating your plans
• Keeping plans up-to-date
• Documentation and record keeping
Planning
Key Points
• You cannot afford to be left wondering what to do when you
are struck by an information security incident
• Time and resources must be allocated for planning
• Proactive and reactive security measures and procedures
must be carefully planned and tested
• Maintain documented plans for information security
measures, including assumptions and reasoning
Key Areas
Communication
Vulnerabilities & Threats
Strategies & Tactics
Planning
Information Security Policy
Information Security Policy
Overview
• Participants and Stakeholders
• Risk Management and Analysis
• Characteristics of an Effective Information Security Policy
• Information Security Policy Issues
• Examples of Information Security Policy Statements
Exercise: Information Security
Policy
Complete the exercise on pages 7 and 8.
Information Security Policy
What shapes the policy?
Who writes and shapes the policy and procedures?
Information Security Policy
[Diagram: Policy Stakeholders: Management; Top management
(CTO, CIO); Legal; Users; Human Resources; Others (clients,
partners); Database Admin; System Admin; Network Admin]
Risk Analysis
Steps
1. Identify and assign value to assets
2. Prioritize assets
3. Determine vulnerability to threats and damage potential
4. Prioritize impact of threats
5. Select cost-effective safeguards
Characteristics of an Effective
Information Security Policy
• Long term focus
• Clear and concise
• Role-based
• Realistic
• Specifies areas of responsibility and authority
• Well-defined
• Up-to-date
Information Security Policy
Topics
Purchasing Guidelines
Acceptable Use Policy Issues for
Users
• Prohibiting sharing of accounts
• Requiring good passwords
• Guidelines for accessing unprotected programs or files
• Breaking into accounts
• Breaking into systems
• Cracking passwords
• Disrupting service
Policy Issues for Privileged
(Administrative) Users
• Authority and conditions for reading e-mail of other users
• Accessing protected programs or files
• Disrupting service under specific conditions
• Prohibiting sharing of accounts
• Prohibiting unauthorized creation of user accounts
• Authority and conditions for using vulnerability testing
tools
Policy Issues Examples
• What are users allowed to do with hardware on their
computers?
• How do users gain remote access?
• What guidelines must a laptop user observe?
• How is software evaluated for deployment?
- What process must software pass through before it is
installed?
- What files does the software access when running?
Security Policy Example 1
Users must not copy software provided by
Organization X to any storage media (floppy disk,
magnetic tape, etc.), transfer such software to another
computer, or disclose such software to outside parties
without written permission from the Director of
Information Technology.
• Information Security Policies Made Easy, Charles Cresson
Wood, 1997, p. 125
Security Policy Example 2
Internet access using computers in Organization X is
permissible only when users go through an
Organization X firewall. Other ways to access the
Internet, such as dial-up connections with an Internet
Service Provider (ISP), are prohibited if Organization X
computers are employed.
• Information Security Policies Made Easy, Charles Cresson
Wood, 1997, p. 318
Information Security Policy
Key Points
• Make information security policy work for you and your
organization
• Use risk management and risk analysis methods to shape
information security policies
• Know what your organization’s information security policy
authorizes you to do as a computer professional, and the
conditions under which you can act with authority
Key Areas
Communication
Vulnerabilities & Threats
Strategies & Tactics
Planning
Information Security Policy
Incident Handling
Incident Handling
Overview
• CERT® Coordination Center Experience
• Intruders: Active and Organized
• Effective Incident Handling
• Incident Handling Steps
CERT®/CC Experience
Since 1988 the CERT® Coordination Center has
• Responded to more than 18,000 security incidents that have
affected more than 660,000 hosts on the Internet
• Helped to foster the creation of more than 80 incident
response teams
Recent CERT/CC Experiences
                                                    1997     1998     1999    2000*
Incidents handled                                  3,285    4,942    9,859    8,836
Vulnerabilities reported                             196      262      417      442
Email msgs processed                              38,406   31,933   34,612   26,413
CERT Advisories, Vendor Bulletins, and Vul Notes      44       34       20        9
CERT Summaries and Incident Notes                      6       15       13       10
*January through June of 2000
Recent CERT®/CC Experiences
The increase in incidents in 1998 and 1999 can be
attributed to the following factors:
• Significant increase in automated scanning and
automated attacks by intruders
• Greater awareness of CERT®/CC by sites
• Increase in sites regularly reporting incidents
• Automated reporting
Intruders: Active & Organized
• Telephone/voice message systems
• E-mail
• Bulletin board systems
• Anonymous FTP service
• Internet Relay Chat (IRC) - #hack channel
• Web sites
• Conferences
• Publications
Handling Security Incidents
Assume that security incidents will occur
Plan and maintain readiness to handle security incidents
• Without adequate planning, you will incur much greater
losses and much greater costs in the recovery effort
Computer Security Incident Response Teams (CSIRTs)
Do not wait until after an intrusion has occurred to start
thinking about how to handle a security incident
Effective Incident Handling
The primary goals of incident handling are to:
• Control and minimize damage
• Preserve evidence
• Recover as soon as possible
• Learn enough to help prevent exposure to similar problems
in the future
Incident Handling Steps
1 Prepare
2 Respond
3 Recover
4 Follow-up
Prepare
Ensure that security policies support incident handling
Plan responses
• Locate backups
• Identify available resources and tools
• Coordinate team members; define roles and
responsibilities.
• Establish secure communication channels
• Coordinate with your public relations spokesperson
• Designate a technical lead to work with the public relations
spokesperson
• Conduct regular training and readiness drills
Respond
• Follow your information security policy and procedures
• Verify the incident
• Analyze the intrusion
• Communicate with appropriate parties
• Handle media inquiries through your designated public
relations spokesperson
• Collect and protect information
• Contain the intrusion
Recover
Eliminate all means of intruder access
• If systems have been compromised
- Restore programs from trusted vendor-supplied media
- Restore data from trusted backups
• Install appropriate patches or fixes
• Modify accounts and passwords as needed
Return systems to normal operation
• Reestablish connectivity
• Monitor systems for further attacks
Follow-up
Identify lessons learned and implement improvements
• Assess time and resources used and damage incurred
• Document commands, code, and procedures used in
responding
• Support legal activities such as investigation and
prosecution if appropriate
• Conduct a postmortem
• Document all findings and lessons learned
• Implement improvements to information security policies,
procedures, and measures
Exercise: Intrusion Scenarios
Complete the exercise on pages 9 and 10.
Incident Handling
Key Points
• Assume that security incidents will occur
• Plan and maintain readiness to handle security incidents
• Follow incident handling steps when security incidents occur
• Implement improvements based on lessons learned
Key Areas
Communication
Vulnerabilities & Threats
Strategies & Tactics
Planning
Information Security Policy
Incident Handling
Making the Case
Making the Case for Information Security
Overview
• Making the Case to Stakeholders
• Tools and Resources
Making the Case
Policy Stakeholders
• Management
• Top management (CTO, CIO)
• Legal
• Users
• Human Resources
• Database Admin
• System Admin
• Network Admin
• Others (clients, partners)
Making the Case
Effective information security requires universal participation and awareness among stakeholders
Implementing information security measures requires buy-in, support and resources from management
Resources to help raise awareness
• Computer Security Institute/FBI Computer Crime Survey
• National Infrastructure Protection Center CyberNotes
• Press reports of information security incidents
Tools and Resources
Tools for making your case
• Risk management / analysis findings
• Information Security Policy
• Legal obligations
• Data gathering / record keeping - statistics and metrics
• Simple economics argument
Existing resources
• Y2K analyses
• Insurance company evaluations
• Accounting audits
Exercise: Getting Support
Complete the exercise on page 11.
Making the Case for Information Security
Key Points
• Make the case for information security in language that your stakeholders understand
• Gain and maintain support and resources for information security from stakeholders
• Document the information security effort
Putting it all Together
Review
Next Steps
Information Security Model
Processing
Storage
Transmission
Confidentiality
Integrity
Availability
Policy & Procedures
Technology
Education, Training & Awareness
Key Areas
Communication
Vulnerabilities & Threats
Strategies & Tactics
Planning
Information Security Policy
Incident Handling
Making the Case
Exercise: Action Plan
Complete the exercise on pages 12 and 13.
How To Contact Us
24-hour hotline: +1 412 268 7090
CERT personnel answer 8:30 AM - 5:00 PM EST (GMT-5)/EDT (GMT-4) Mon.-Fri. On call for emergencies during other hours.
FAX: +1 412 268 6989
Anonymous FTP archive: ftp://ftp.cert.org/pub/
Web site: http://www.cert.org
Email: [email protected]
US mail:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890 USA
How To Contact Us
Key ID: 0x6A9591D0
Key Type: Diffie-Hellman/DSS
Expires: 9/30/00
Key Size: 2048/1024
Fingerprint: 9E04 84E2 E27A 6A73 9C69 72DE 5AFD 91BE 6A95 91D0
UserID: CERT Coordination Center <[email protected]>
http://www.cert.org/contact_cert/encryptmail.html
How To Contact Us
Key ID: 0x84DF0FD5
Key Type: RSA
Expires: 9/30/00
Key Size: 1024
Fingerprint: F8 FD 6B F7 36 B6 E0 86 C5 72 20 6E 5D 66 68 98
UserID: CERT Coordination Center <[email protected]>
http://www.cert.org/contact_cert/encryptmail.html