Intrusion Detection - University of Sunderland

Securing E-Commerce
CSEM02
University of Sunderland
Harry R. Erwin, PhD
Resources
• Garfinkel and Spafford, 1996, Practical UNIX and
Internet Security, O’Reilly, ISBN: 1-56592-148-8
• Anderson, 2001, Security Engineering, Wiley,
ISBN: 0-471-38922-6.
• Norberg, 2001, Securing Windows NT/2000
Servers, O'Reilly, ISBN: 1-56592-768-0. Most of
this lecture is based on Norberg.
• Zwicky, Cooper, and Chapman, 2000, Building
Internet Firewalls, second edition, O'Reilly,
ISBN: 1-56592-871-7.
The Most Common Threats
Involving E-Commerce
• Intrusion—typically in the form of site
defacement, with damage to the company’s
reputation.
• Denial of service—preventing authorized users
from using the system, resulting in loss of
business.
• Information theft—unauthorized persons
obtaining private information, resulting in legal
liability.
A Typical Attack
How <http://www.apache.org> was hacked:
(from Norberg, based on a BugTraq report on May 4, 2000)
1. The attackers uploaded a PHP script to a world-writeable ftp directory (dubious).
2. The web server root directory was the same as the ftp
server root directory (bad).
3. The PHP script executed UNIX commands (bad) that
created a shell server bound to a high port that was
open (bad—no firewall).
4. Finally, they used a database process that was running
as root (more bad) to create a setuid root shell.
What is a Body to Do?
• You must have and maintain a high level of
security for your site.
• This is feasible, but it requires awareness
and knowledge.
Security Strategies (Zwicky)
• Least privilege—processes and users should have
only the privileges they need for their job
• Defense in depth—multiple security layers
• Choke point—limit access to your system
• Weakest link—attacks will seek vulnerabilities
• Fail-safe stance—deny access if the system fails
• Universal participation—everybody buys in
• Diversity of defense—multiple mechanisms
• Simplicity—only the simple can be made secure
• Security through obscurity—is valid (but weak)
Building a Secure Site
• Plan for it. Cover all the bases and formally
analyze your requirements.
• Define your policies. (UK and Microsoft
definition, not US government definition.)
See RFC 2196, Site Security Handbook.
• Provide physical security.
• Implement access control.
• Use a firewall.
Operating a Secure Site
• Audit access policy violations.
• Make frequent backups.
• Collect logs on a separate and secure
system.
• Ask others to review your plans and work.
• Use encryption.
The Bastion Host
• The critical strongpoint in the network’s security.
• Are hardened.
• Are audited regularly.
• May use modified software.
• The software in use will be trusted—hence should be designed, tested, and configured for safe operation.
• Be prepared for their being compromised.
The Perimeter Network
• A DMZ (‘demilitarized zone’)
• A firewall system, serving as a single point of
entry.
• An untrusted network on the outskirts of the
private trusted network.
• Serves as an intermediate stage between the
internet and the internal network.
• Multiple compartments.
• Default-deny access.
What is the Problem with this
Network?
[Network diagram: internet → firewall (http only) → Web Server → firewall (odbc only) → internal network, DBMS Server]
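The diagram above shows two choke points: an outer firewall that admits only http to the web server and an inner firewall that admits only odbc traffic from the web server to the DBMS. The following is an added example, not part of the lecture or of Norberg's text, that models that topology as a default-deny packet filter (the "fail-safe stance" from the Security Strategies slide): a packet is delivered only if an explicit rule on every firewall it crosses matches it. All addresses, port numbers (80 for http, 1433 assumed for the odbc path) and rules are constructed assumptions; traffic originating on the internal network is not modelled.

```python
"""Default-deny model of the two-firewall DMZ sketched in the slide.

Added example. Addresses, ports and the rule tables are constructed for
illustration and are not from the lecture.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """An explicit allow rule; anything not matched by some rule is denied."""
    src_net: str
    dst_net: str
    dport: int
    proto: str = "tcp"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and pkt.dport == self.dport
                and pkt.proto == self.proto)


# Constructed topology (assumption): documentation/test address ranges only.
INTERNET = "0.0.0.0/0"
WEB_SERVER = "192.0.2.10/32"    # bastion host in the perimeter network
INTERNAL = "10.0.0.0/8"         # private trusted network
DBMS_SERVER = "10.0.0.20/32"    # database server on the internal network

# Outer firewall: http only, and only to the web server.
OUTER_FIREWALL = [Rule(INTERNET, WEB_SERVER, 80)]
# Inner firewall: odbc only, and only from the web server to the DBMS
# (1433 is an assumed database listener port, not stated on the slide).
INNER_FIREWALL = [Rule(WEB_SERVER, DBMS_SERVER, 1433)]


def filter_packet(rules, pkt: Packet) -> bool:
    """Fail-safe stance: allow only if some explicit rule matches."""
    return any(rule.matches(pkt) for rule in rules)


def trace(pkt: Packet) -> str:
    """Walk a packet through the firewalls it must cross.

    Returns 'delivered' or 'dropped at <outer|inner> firewall'.
    """
    hops = []
    from_dmz = ip_address(pkt.src) in ip_network(WEB_SERVER)
    to_internal = ip_address(pkt.dst) in ip_network(INTERNAL)
    if not from_dmz:            # anything from outside crosses the outer firewall
        hops.append(("outer", OUTER_FIREWALL))
    if to_internal:             # anything bound inward crosses the inner firewall
        hops.append(("inner", INNER_FIREWALL))
    for name, rules in hops:
        if not filter_packet(rules, pkt):
            return f"dropped at {name} firewall"
    return "delivered"


if __name__ == "__main__":
    # Constructed sample traffic, including a connection to a high port on the
    # web server of the kind the apache.org account says an open network allowed.
    for pkt in [Packet("203.0.113.5", "192.0.2.10", 80),
                Packet("203.0.113.5", "192.0.2.10", 31337),
                Packet("192.0.2.10", "10.0.0.20", 1433),
                Packet("192.0.2.10", "10.0.0.5", 22),
                Packet("203.0.113.5", "10.0.0.20", 1433)]:
        print(pkt, "->", trace(pkt))
```

The design choice worth noticing is that there is no "deny" rule anywhere: the high-port connection and the direct internet-to-DBMS attempt are dropped simply because nothing permits them, which is what makes the stance fail-safe when a rule is forgotten.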
Perimeter Components
• Routers (provide access control)
• Firewall gateways
– Application-level gateways (layer 7)
– Packet filters (layer 4)
• Bastion hosts
– email servers
– www servers
– ftp servers
– victim machines (or sacrificial goats)
– etc.
• Switches and hubs
Rules of Thumb
• Default-deny
• Defense in depth
• Keep it simple
• Take a phased approach
• Plan, plan, plan
Hardening a Bastion Host
• Enforce least privilege—applications and
users should run with only the privilege
level needed to run correctly
• Separate ports—one or a few fixed TCP/IP
ports per application. Block the rest.
• Use cryptography
• Don’t trust your applications
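Two of the hardening rules above (least privilege, and one or a few fixed ports per application with the rest blocked) can be checked mechanically, which also serves the "audit access policy violations" item from the Operating a Secure Site slide. The following is an added example, not from the lecture, that compares a snapshot of listening sockets against a per-application allowlist of expected port and account. The allowlist and the snapshot are constructed; the snapshot imitates the kind of information `ss -ltnp` or `netstat -tlnp` report but is not real captured output.

```python
"""Audit listening sockets on a bastion host against a port/privilege allowlist.

Added example. The allowlist and the socket snapshot are constructed for
illustration and are not from the lecture.
"""
from collections import namedtuple

Listener = namedtuple("Listener", "proto port process user")

# Constructed policy (assumption): application -> (expected port, expected account).
ALLOWED = {
    "httpd": (80, "www"),
    "sshd": (22, "root"),      # sshd legitimately binds 22 as root
    "mysqld": (3306, "mysql"),  # the database must not run as root
}

# Constructed snapshot of listening sockets: proto port process user.
SAMPLE_SNAPSHOT = """
# proto port process user
tcp 80    httpd  www
tcp 22    sshd   root
tcp 8080  httpd  www      # second http port: not in policy
tcp 31337 sh     root     # shell bound to a high port, as in the apache.org account
tcp 3306  mysqld root     # database process running as root
"""


def parse_snapshot(text: str):
    """Parse 'proto port process user' lines; '#' starts a comment."""
    listeners = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        proto, port, process, user = line.split()
        listeners.append(Listener(proto, int(port), process, user))
    return listeners


def audit(listeners, allowed=ALLOWED):
    """Return policy violations found in the snapshot.

    A listener violates policy when its process has no allowed port, when it
    listens on a port other than its allowed one, or when it runs under an
    account other than the expected one (least privilege).
    """
    violations = []
    for l in listeners:
        expected = allowed.get(l.process)
        if expected is None or expected[0] != l.port:
            violations.append(
                f"unexpected listener: {l.process} on {l.proto}/{l.port} (block or remove)")
            continue
        expected_user = expected[1]
        if l.user != expected_user:
            violations.append(
                f"privilege mismatch: {l.process} on {l.proto}/{l.port} "
                f"runs as {l.user}, expected {expected_user}")
    return violations


if __name__ == "__main__":
    for v in audit(parse_snapshot(SAMPLE_SNAPSHOT)):
        print(v)
```

Run against the constructed snapshot it reports three findings: the extra http port, the shell on a high port, and the database listener running as root. On a real host the snapshot would be fed from the system's socket listing, and the check belongs in the regular audit of the bastion host, with the output sent to the separate logging system.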
Host Design Steps
1. Minimal OS with the latest service pack.
2. Install only the applications you need.
3. Reapply the service pack and add
necessary patches
4. Remove/disable unneeded OS components
5. Harden the OS
6. Restrict access to files and other objects.
UNIX, Windows, or MacOS X?
• MacOS X—is BSD UNIX, and Apple takes
security very seriously. Now considered the most
secure commercially available solution.
• UNIX is preferred over Windows—has better
tools for building a bastion host and better remote
management.
• Windows NT/2000—in some ways stronger than
UNIX, but network security is much weaker—too
many ports open and too many services. Much
harder to administer if UNIX-style hardening is
done. Much weaker security if not. YMMV.
Windows NT Rules
• NetBIOS—avoid. TCP/IP only. Do not connect to
the public network until fully hardened.
• Never, ever, install MS Office or development
tools. Remove all unnecessary applications,
network services, and system processes.
• No LINUX dual boot. Use CYGWIN instead.
• US version of Windows (updated most quickly)
• NTFS
• “Standalone” member server. No domains. No
user accounts.
Secure Remote Administration of
Windows Servers
• Symantec pcAnywhere
• Windows 2000 Terminal Services with IPSec. Use
File Copy utility from the Server Resource Kit.
• Open Source
– SSH
– Cygwin (UNIX emulation)
– TCP Wrappers
– VNC
Backup Policy
Think about:
• Who does backups?
• How often are backups taken?
• Local or network?
• Where are the media stored?
• Who may restore data to the system?
• How often are the backups tested?
Remember Bruce Schneier’s
Three Rules of Security
• Schneier Risk Demystification: Numbers do matter
and are not that hard to understand.
• Schneier Secrecy Demystification: Secrecy is
anathema to security:
– It’s brittle
– It conceals abuse
– It prevents sensible trade-offs
• Schneier Agenda Demystification: Know the
agendas of the people involved in a security
decision. That will usually predict their decisions.
Conclusions
• You can secure e-commerce, but…
– Plan carefully
– Define your policies
– Provide physical security
– Implement access control
– Firewalls
– And manage it carefully
After All That, You Still Want to
Be Certified
• SSCP
– One year of experience in at least one area
– Three-hour exam in seven areas
– Agree to the code of ethics
– Continuing education
• CISSP
– Three to four years of experience
– Six-hour exam in ten areas
– Agree to the code of ethics
– Background approval
– Continuing education
SSCP Knowledge Areas
• Access Controls
• Administration
• Audit and Monitoring
• Risk, Response and Recovery
• Cryptography
• Data Communications
• Malicious Code/Malware
CISSP Knowledge Areas
• Access Control Systems & Methodology
• Applications & Systems Development
• Business Continuity Planning
• Cryptography
• Law, Investigation & Ethics
• Operations Security
• Physical Security
• Security Architecture & Models
• Security Management Practices
• Telecommunications, Network & Internet Security