Integrity - Andrew.cmu.edu


Integrity
(slides courtesy of Leticia Nisbet,
Lauren Walters, and Andrew Yao)
1
Why Integrity?
• Integrity underpins trust, reliability and truth: data that can be
altered without detection cannot be relied on for anything
• Failure to protect integrity opens the organization to the largest
classes of malware (file infectors, trojaned binaries, tampered configuration)
• Integrity is often the first target of intruders (installing a back door
means modifying system files)
2
Definitions
• Integrity requires that computer system assets
and transmitted information be capable of
modification only by authorized parties.
– not modified by unauthorized persons
– not created by unauthorized persons
• In telecommunication, the term data integrity
has the following meanings:
– The condition in which data are identically
maintained during any operation, such as transfer,
storage, and retrieval.
– The preservation of data for their intended use.
3
Integrity Compromise
• Integrity can be compromised in two main ways:
– Malicious altering
• Attacker alters account number in a bank transaction
• Forging an identity document
– Accidental altering
• Transmission errors: “my name Leticia and u have a car”
• Hard disk crash
4
Network Integrity
• When considering what to protect within your
network, you are concerned with maintaining
the integrity of:
– the physical network
– your network software and resources
– your reputation
• This integrity involves
– identity of computers and users
– proper operation of the services
– network performance
5
Common Methods of Attack on Integrity
• The four methods of attack that are commonly
used to compromise the integrity of a
network:
– Network packet sniffers
– IP spoofing
– Password attacks
– Application layer attacks
6
Network Packet Sniffers
• Network packet sniffers can yield critical system information, such as
user account information and passwords.
– When an attacker obtains the correct account information, he or she
has the run of your network.
• Worst-case scenario
– an attacker gains access to a system-level user account
– creates a new account that can be used at any time as a back door
– can modify system-critical files such as:
• the password for the system administrator account
• the list of services and permissions on file servers
• the login details for other computers that contain confidential
information.
7
Network Packet Sniffers 2
• Packet sniffers provide information about the topology of your network
that many attackers find useful, such as
– what computers run which services
– how many computers are on your network
– which computers have access to others
• A sniffer by itself is passive; an attacker who is also positioned to inject
packets onto the segment can extend it
– to inject new information
– to change existing information in a packet.
• Such an attack can cause network connections to shut down prematurely
(an injected TCP reset, for example), as well as change critical information
within the packet.
– Imagine modification to the accounting system
8
IP Spoofing
• IP spoofing can yield access to user accounts and
passwords, and it can also be used in other ways.
– The attacker emulates one of your internal users in ways that prove
embarrassing for your organization
• Such attacks are easier when the attacker already has a user
account and password
• They are also possible by combining simple spoofing attacks with
knowledge of messaging protocols.
– Telnetting directly to the SMTP port on a system allows the
attacker to insert bogus sender information (strictly, this forges the
message's sender fields rather than the IP source address, but the
effect of impersonating an internal user is the same)
9
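The SMTP forgery described on this slide, as an added example that is not part of the original slides: a minimal simulated SMTP server (no real network; the dialogue is fed in as a list of client lines) that queues a forged MAIL FROM when authentication is not required, and rejects it when AUTH is required and the envelope sender must match the authenticated user. The users, domain, passwords and dialogues are constructed for the example, and the DATA step is collapsed to a single command for brevity.

```python
"""Simulated SMTP envelope handling (added example, not from the slides)."""

import base64

USERS = {"alice": "s3cret"}      # constructed, hypothetical account database
LOCAL_DOMAIN = "example.com"


def auth_plain(user: str, pw: str) -> str:
    """Build the AUTH PLAIN command line a client would send."""
    return "AUTH PLAIN " + base64.b64encode(f"\0{user}\0{pw}".encode()).decode()


class SmtpSession:
    """One SMTP session; only the commands needed for the demo are modelled."""

    def __init__(self, require_auth: bool):
        self.require_auth = require_auth   # the hardening switch
        self.authenticated_as = None
        self.mail_from = None
        self.rcpts = []
        self.accepted = []                 # envelopes the server queued

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.com Hello"
        if verb == "AUTH":
            try:
                _, user, pw = base64.b64decode(arg.split()[1]).decode().split("\0")
            except (IndexError, ValueError):
                return "501 syntax error"
            if USERS.get(user) == pw:
                self.authenticated_as = user
                return "235 authentication successful"
            return "535 authentication failed"
        if verb == "MAIL":
            sender = arg.partition(":")[2].strip().strip("<>")
            if self.require_auth:
                if self.authenticated_as is None:
                    return "530 authentication required"
                if sender != f"{self.authenticated_as}@{LOCAL_DOMAIN}":
                    return "553 sender address not owned by authenticated user"
            self.mail_from = sender        # open relay: any sender accepted
            return "250 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 need MAIL first"
            self.rcpts.append(arg.partition(":")[2].strip().strip("<>"))
            return "250 OK"
        if verb == "DATA":                 # message body step collapsed for brevity
            if not self.rcpts:
                return "503 need RCPT first"
            self.accepted.append((self.mail_from, list(self.rcpts)))
            self.mail_from, self.rcpts = None, []
            return "250 queued"
        if verb == "QUIT":
            return "221 bye"
        return "500 unrecognized command"


def run_dialogue(require_auth: bool, client_lines) -> tuple:
    """Feed client lines to a fresh session; return (transcript, accepted envelopes)."""
    session = SmtpSession(require_auth)
    transcript = []
    for line in client_lines:
        transcript.append("C: " + line)
        transcript.append("S: " + session.handle(line))
    return transcript, session.accepted


# Constructed attacker dialogue: no AUTH, envelope sender claims to be the CEO.
FORGED = ["HELO attacker.invalid", "MAIL FROM:<ceo@example.com>",
          "RCPT TO:<finance@example.com>", "DATA", "QUIT"]

# Constructed legitimate dialogue: alice authenticates and sends as herself.
LEGIT = ["EHLO laptop", auth_plain("alice", "s3cret"), "MAIL FROM:<alice@example.com>",
         "RCPT TO:<finance@example.com>", "DATA", "QUIT"]

if __name__ == "__main__":
    for name, flag in (("open relay", False), ("auth required", True)):
        lines, accepted = run_dialogue(flag, FORGED)
        print(f"\n[{name}] forged sender")
        print("\n".join(lines))
        print("queued:", accepted)
```

Requiring authentication on the submission path only stops outsiders from relaying through your own server; a receiving host still needs SPF, DKIM and DMARC checks to detect forged sender domains on mail arriving from elsewhere.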
Password Attacks
• A brute-force password attack can provide access to
accounts that can be used to modify critical network files
and services.
• It can compromise the network's integrity:
– once the attacker gets the password and gains access to the
system,
– he or she can modify the routing tables for the network,
– ensuring that all network packets are routed through the attacker
before they are transmitted to their final destination.
10
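As an added example (not from the slides) of what makes the brute-force attack on this slide cheap or expensive: a dictionary attack run against constructed, hypothetical user records stored two ways, unsalted MD5 and salted PBKDF2-HMAC-SHA256. The wordlist, users and passwords are invented for the demo, and the iteration count is set low so it runs in about a second.

```python
"""Dictionary attack against captured password hashes (added example, not from the slides)."""

import hashlib
import os

WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2024", "Tr0ub4dor"]
ITERATIONS = 100_000   # kept low so the demo runs quickly; production uses far more

# Constructed, hypothetical accounts. Carol's passphrase is not in the wordlist.
PASSWORDS = {"alice": "letmein", "bob": "Tr0ub4dor", "carol": "correct horse battery staple"}


def weak_hash(pw: str) -> str:
    """What a legacy system stores: unsalted, fast MD5. Do not use."""
    return hashlib.md5(pw.encode()).hexdigest()


def strong_hash(pw: str, salt: bytes) -> bytes:
    """What a hardened system stores: per-user random salt plus an iterated KDF."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)


WEAK_DB = {user: weak_hash(pw) for user, pw in PASSWORDS.items()}
STRONG_DB = {}
for user, pw in PASSWORDS.items():
    salt = os.urandom(16)
    STRONG_DB[user] = (salt, strong_hash(pw, salt))


def crack_weak(db: dict) -> tuple:
    """No salt: one hash per candidate word is compared against every user at once.
    Returns (cracked accounts, number of hash computations)."""
    cracked, ops = {}, 0
    for word in WORDLIST:
        h = weak_hash(word)
        ops += 1
        for user, stored in db.items():
            if stored == h:
                cracked[user] = word
    return cracked, ops


def crack_strong(db: dict) -> tuple:
    """Per-user salt: a separate KDF run for every (user, word) pair, each ITERATIONS long."""
    cracked, ops = {}, 0
    for user, (salt, stored) in db.items():
        for word in WORDLIST:
            ops += 1
            if strong_hash(word, salt) == stored:
                cracked[user] = word
                break
    return cracked, ops


if __name__ == "__main__":
    cracked, ops = crack_weak(WEAK_DB)
    print(f"unsalted MD5 : cracked {cracked} with {ops} hash computations")
    cracked, ops = crack_strong(STRONG_DB)
    print(f"salted PBKDF2: cracked {cracked} with {ops} KDF runs "
          f"({ops * ITERATIONS:,} HMAC iterations)")
```

Both stores give up the two weak passwords, but the salted, iterated store makes the attacker pay for every user and every guess separately, and the strong passphrase survives either way. Online guessing against a live service is bounded differently, by lockout and rate limiting.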
Application Layer Attacks
• Application Layer attacks can be implemented using
several different methods.
– A common method is exploiting well-known weaknesses in
software commonly found on servers, such as sendmail,
PostScript, and FTP.
– By exploiting these weaknesses, attackers can gain access to a
computer with the permissions of the account running the
application
– usually a privileged system-level account, which is why such
services should run under the least-privileged account that works
11
Application Layer Attacks
• Trojan horse attacks
– implemented using bogus programs that the attacker substitutes for
common programs
– the programs provide all the functionality of the normal application or
service
– but also include other features known only to the attacker
– the programs can capture sensitive information and send it
back to the attacker
12
Network considerations when defining security
policies
• Three main types of networks must be
considered when defining a security policy
– Trusted
– Un-trusted
– Unknown.
13
Trusted Networks
• Networks inside your network security perimeter.
• Networks that you are trying to protect.
– Someone in the organization administers the computers that comprise
these networks (most times)
– Organization controls their security measures.
– Usually, trusted networks are within the security perimeter.
• To set up the firewall server
– explicitly identify the type of networks that are attached to the firewall
server through network adapter cards
– After the initial configuration, the trusted networks include the
firewall server and all networks behind it.
– One exception to this general rule is the inclusion of virtual private
networks (VPNs)
14
Un-trusted Networks
• Networks known to be outside your security perimeter.
– Un-trusted because they are outside your control
– No control over the administration or security policies for these
sites
– Private or shared networks from which you are trying to protect
your network
– You still need and want to communicate with these networks
although they are un-trusted.
• To set up the firewall server
– explicitly identify the un-trusted networks from which that
firewall can accept requests
15
Know Your Enemy
• Know attackers or intruders.
• Consider who might want to circumvent your security measures
• Identify their motivations.
• Determine what they might want to do and the damage that they
could cause to your network.
• Security measures can never make it impossible for a user to perform
unauthorized tasks with a computer system; they can only make it
harder.
• The goal is to make sure that the network security controls are beyond
the attacker's ability or motivation.
16
Count the Cost
• Security measures usually reduce convenience, especially for
sophisticated users.
• Security can delay work and can create expensive administrative and
educational overhead.
• Security can use significant computing resources and require dedicated
hardware.
• When you design your security measures, understand their costs and
weigh those costs against the potential benefits.
• To do that, you must understand the costs of the measures themselves
and the costs and likelihood of security breaches. If you incur security
costs out of proportion to the actual dangers, you have done yourself a
disservice.
17
Identify Any Assumptions
• Every security system has underlying
assumptions.
– For example, you might assume that your network
is not tapped, that attackers know less than you
do, that they are using standard software, or that
a locked room is safe. Be sure to examine and
justify your assumptions. Any hidden assumption
is a potential security hole.
18
Control Your Secrets
• Most security is based on secrets.
– e.g. passwords and encryption keys
• Too often, the secrets are not all that secret. The most important part
of keeping secrets is in knowing the areas that you need to protect.
• What knowledge would enable someone to circumvent your system?
• You should jealously guard that knowledge and assume that everything
else is known to your adversaries.
• The more secrets you have, the harder it will be to keep them all.
Security systems should be designed so that only a limited number of
secrets need to be kept.
19
Limit the Scope of Access
• You should create appropriate barriers in your
system so that if intruders access one part of
the system, they do not automatically have
access to the rest of the system.
• The security of a system is only as good as the
weakest security level of any single host in the
system.
20
Limit Your Trust
• You should know exactly which software you
rely on, and your security system should not
have to rely on the assumption that all
software is bug-free.
21
Tools
• Integrity Management Software
• Anti-Virus Software
22
Integrity Management Software
• Cryptography is most commonly used for secrecy, but it also
provides integrity; encryption on its own does not detect
modification, so a hash, MAC or signature is needed for that.
• Check for integrity by specifically utilizing…
– Hash functions (detect accidental or unauthorized change, provided
the reference hash itself is protected)
– Digital signatures (or MACs: bind the hash to a key the attacker lacks)
– File size (weak on its own: a same-size edit goes unnoticed)
• Example
– Tripwire Enterprise
23
Hash Functions
• A public function that maps a message of any
length to a fixed-length hash value
• Used as the building block of authenticators (a bare hash
authenticates nothing by itself; a MAC or digital signature adds the key)
• Pros
– Offers integrity (any change to the input changes the hash)
• Cons
– No confidentiality
• Examples
– CRC (an error-detecting code, not a cryptographic hash: fine for
accidental corruption, trivially forged by an attacker)
– MD5, SHA-1 (historical; both have practical collision attacks,
so prefer SHA-256 or later for new systems)
24
Examples of
Integrity Management Software
• Advanced CheckSum Verifier (ACSV)
• Advanced Intrusion Detection Environment (AIDE)
• Cambia CM
• Crckit
• FileCheckMD5
• FTimes
• Hashdig
• Integrit
• Intrusec CM
• Jacksum
• LANGuard Security Integrity Monitor
• MD5 Hashing Utilities
• Md5deep
• Nabou
• NIST_Crc
• Radmind
• Samhain
• Secure Hash Signature Generator
• Sentinel
• Sha_verify
• Spidernet
• SysCheck
• Sysdiff
• Tripwire - Commercial
• Tripwire – OpenSource
• Veracity System Integrity Assurance
• ViperDB
• Yafic
• Winalysis
• WinInterrogate
• Xintegrity
25
Anti-virus Software
• The techniques for detecting a virus include
– Checking for unexpected increases in file size
– Noting changes in timestamps
– Sudden decreases in free space
– Calculating checksums
– Saving images of the internal control tables and
noting unexplained changes
26
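Added example, not code from the slides or from any of the tools listed above, serving the Integrity Management Software and Hash Functions slides as well as the virus-detection techniques on this slide: a small baseline-and-compare integrity checker that records size, timestamp and SHA-256 per file, reports the same kinds of changes those techniques look for (content modified, file grew, timestamp touched), and seals the baseline with an HMAC so that an attacker who edits a file cannot also edit the stored hash to match. The file tree and the changes made to it are constructed in a temporary directory; the key is generated in memory as a stand-in for one kept off the monitored host.

```python
"""Baseline-and-compare file integrity checker (added example, not from the slides)."""

import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """relative path -> {size, mtime, sha256} for every regular file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"size": st.st_size, "mtime": int(st.st_mtime),
                         "sha256": sha256_file(full)}
    return snap


def diff(baseline: dict, current: dict) -> dict:
    """Classify changes the way host-based integrity checkers and AV heuristics report them."""
    report = {"added": [], "removed": [], "modified": [], "size_grew": [], "touched": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            report["added"].append(path)
        elif new is None:
            report["removed"].append(path)
        else:
            if new["sha256"] != old["sha256"]:
                report["modified"].append(path)     # content check: same-size edits caught
            if new["size"] > old["size"]:
                report["size_grew"].append(path)    # classic file-infector symptom
            if new["mtime"] != old["mtime"] and new["sha256"] == old["sha256"]:
                report["touched"].append(path)      # timestamp changed, content did not
    return report


def seal(snap: dict, key: bytes) -> bytes:
    """Serialize the baseline and append an HMAC-SHA256 tag over it."""
    body = json.dumps(snap, sort_keys=True).encode()
    return body + b"\n" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def unseal(blob: bytes, key: bytes) -> dict:
    """Verify the tag before trusting the baseline; a forged baseline raises."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline has been tampered with")
    return json.loads(body)


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, then tamper with files and the baseline."""
    key = os.urandom(32)  # stand-in for a key kept off the monitored host
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
            return p
        write("etc/passwd", b"evil:x:1000:1000::/home/evil:/bin/sh\n")
        hosts = write("etc/hosts", b"127.0.0.1 localhost\n")
        ls = write("bin/ls", b"\x7fELF" + b"\x00" * 64)
        os.utime(hosts, (1_700_000_000, 1_700_000_000))
        sealed = seal(snapshot(root), key)

        # same-size edit: uid/gid 1000 -> 0000 grants root; a size check sees nothing
        write("etc/passwd", b"evil:x:0000:0000::/home/evil:/bin/sh\n")
        with open(ls, "ab") as f:          # appended payload: the file grew
            f.write(b"\x90" * 32)
        os.utime(hosts, (1_700_000_100, 1_700_000_100))  # touched, content unchanged

        baseline = unseal(sealed, key)
        current = snapshot(root)
        report = diff(baseline, current)
        # attacker rewrites the stored passwd hash to match the modified file
        forged = sealed.replace(baseline["etc/passwd"]["sha256"].encode(),
                                current["etc/passwd"]["sha256"].encode())
        try:
            unseal(forged, key)
            tampered = False
        except ValueError:
            tampered = True
    return {"report": report, "baseline_tamper_detected": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The size heuristic alone misses the passwd edit and the timestamp heuristic only flags a touched file; the hash catches both real modifications, and the HMAC is what stops an attacker with write access from rewriting the baseline to hide them. A real deployment stores the key and the sealed baseline somewhere the monitored host cannot write.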