Transcript SECURITY

SECURITY: THE BIG PICTURE
Ayal Rosenberg
PDEV
“If you know the enemy and know yourself, you need not fear the result of a
hundred battles. If you know yourself but not the enemy, for every victory
gained you will also suffer a defeat. If you know neither the enemy nor
yourself, you will succumb in every battle.”
Sun Tzu – The Art of War
“A new military revolution has emerged. The revolution is essentially a
Transformation from the mechanized warfare of the industrial age to the
information warfare of the information age. Information warfare is a war of
decisions and control, a war of knowledge, and a war of intellect. The aim of
information warfare will be gradually changed from ‘preserving oneself and
wiping out the enemy’ to ‘preserving oneself and controlling the opponent’.
Information warfare includes electronic warfare, tactical deception, strategic
deterrence, propaganda warfare, psychological warfare, network warfare and
structural sabotage. Under today’s technological conditions, the ‘all conquering
stratagems’ of Sun Tzu more than two millennia ago – ‘vanquishing the enemy
without fighting’ and subduing the enemy by ‘soft strike’ or ‘soft destruction’ –
could finally be truly realized.”
Chinese Army newspaper Jiefangjun Bao – May 1996
• ATTACKS
• ADVERSARIES
• SECURITY NEEDS
• TECHNOLOGIES
• NETWORKED COMPUTER SECURITY
• PROCESSES
“Security is a process not a product”
- Bruce Schneier
ATTACKS
• CRIMINAL ATTACKS
• PRIVACY VIOLATIONS
• PUBLICITY ATTACKS

CRIMINAL ATTACKS
How can I acquire the maximum financial return by attacking the system?
• Fraud
• Scams
• Destructive Attacks
• Intellectual Property Theft (Piracy)
• Brand Theft

PRIVACY VIOLATIONS
• Targeted Attacks
• Data Harvesting
• Surveillance
• Databases
• Traffic Analysis
• Massive Electronic Surveillance

PUBLICITY ATTACKS
How can I get famous by attacking the system?
• Bad Press costs more than theft
• Inform criminals who can exploit the news
• Denial of Service
ADVERSARIES
Crooks haven’t changed.
It’s just that cyberspace is the new place for them to ply their trade.
• Objectives
• Access
• Resources
• Expertise
• Risk

• HACKERS
• LONE CRIMINALS
• MALICIOUS INSIDERS
• INDUSTRIAL ESPIONAGE
• PRESS
• ORGANIZED CRIME
• POLICE
• TERRORISTS
• NATIONAL INTELLIGENCE
• INFO-WARRIORS
SECURITY NEEDS
• Privacy
• Multi-Level Security
• Anonymity
• Authentication
• Integrity
• Audit
• Electronic Currency
• Proactive Solutions
TECHNOLOGIES
• CRYPTOGRAPHY
• COMPUTER SECURITY
• IDENTIFICATION & AUTHORIZATION
A group of people use private knowledge to keep
messages secret from third parties.
Cryptography is not a panacea.
You need more than it for security – but it is essential.
You don’t have to understand the math.
You do have to understand the ramifications.
• Distribution of keys
• Storing of keys
• Destruction of keys
• Proliferation of pair-wise keys in symmetric mode
• Performance degradation in asymmetric mode
Symmetric (shared message key):
Fund Manager: Compose Message -> Encrypt Message with message key -> Send Message
Broker: Receive Encrypted Message -> Decrypt with Key

Asymmetric (public key):
Broker: Generate Public key and distribute
Fund Manager: Compose Message -> Encrypt Message with Public key -> Send Message
Broker: Decrypt Message with Private key
• Cipher Text Only Attack
• Known Plain Text Attacks
• Chosen Plain Text Attacks
• Brute Force Attacks
• Message Authentication Codes
  • Symmetric Algorithms: HMAC or NMAC
• One-Way Hash Functions
  • Secure Hash Algorithm (SHA1)
  • Secure Hash Standard (SHS)
  • RIPEMD-160 (EU)
  • MD5 (?) MD4 - obsolete
• Digital Signatures
  • Public and private keys.
  • Sender encrypts with private and receiver decrypts with public.
  • Allows for non-repudiation.
  • Digital Signature Algorithm (DSA)
  • Digital Signature Standard (DSS)
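The difference between a one-way hash and a message authentication code is the point of this slide, and it is easiest to see in code. The following is an added example, not from the original slides: it uses only the Python standard library (hashlib, hmac, secrets), the key and the message are constructed here, and the point demonstrated is that an attacker can recompute a bare digest over a modified message, while an HMAC tag cannot be forged or checked without the shared key.

```python
import hashlib
import hmac
import secrets


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Unkeyed one-way hash: anyone can compute it, so it only proves
    integrity if the digest itself arrives over a trusted channel."""
    return hashlib.new(algorithm, data).hexdigest()


def flip_bit(data: bytes, index: int = 0) -> bytes:
    """Return a copy of data with one bit flipped (simulated tampering)."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


def mac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag: only holders of key can produce or verify it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison, so timing does not leak how many tag
    bytes matched."""
    return hmac.compare_digest(mac_tag(key, message), tag)


def unkeyed_check(message: bytes, claimed_digest: str) -> bool:
    """All a receiver can do with a bare hash: recompute and compare.
    Whoever changed the message can recompute the digest as well, so
    this catches accidental corruption but not deliberate forgery."""
    return digest(message) == claimed_digest


def demo() -> dict:
    """Run the comparison on a constructed message and return what held."""
    key = secrets.token_bytes(32)          # shared secret, constructed here
    order = b"BUY 100 ACME @ 42.00"        # constructed sample message
    tampered = flip_bit(order, 0)          # "BUY" becomes "CUY"
    return {
        "digest_changes": digest(order) != digest(tampered),
        # the forger recomputes the digest, and the unkeyed check passes
        "forged_digest_passes": unkeyed_check(tampered, digest(tampered)),
        "mac_accepts_original": verify_tag(key, order, mac_tag(key, order)),
        "mac_rejects_tampered": not verify_tag(key, tampered, mac_tag(key, order)),
        "mac_rejects_wrong_key": not verify_tag(
            secrets.token_bytes(32), order, mac_tag(key, order)),
    }
```

The hash algorithm is a parameter so the slide's list can be tried directly: `hashlib.new("md5", ...)` still runs on most Pythons, but as the slide says it is obsolete and should not be used for anything security relevant.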
Confidentiality!!!
Stop unauthorized users from reading sensitive information.
Integrity!!!
Every piece of data should be as the last authorized modifier left it.
Availability!!
The property of being accessible and useable upon demand by an authorized entity.
Access Control = Confidentiality + Integrity + Availability
• Security Kernels
  • Reference Monitor
  • Trusted Computing Base
  • Secure Kernel
• OS Evaluation Criteria
  • C2
  • ISO 15408
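A reference monitor is the one component every access request passes through; it must be small, tamper-proof and always invoked. The following added example (not from the slides) sketches one in Python: it enforces the multi-level security rules the SECURITY NEEDS section lists (no read up, no write down), writes an audit record for every decision, and denies anything it cannot classify. The level names, subjects and objects are constructed for the example.

```python
from typing import Dict, List, Tuple

# Ordered sensitivity levels; constructed for this example.
LEVELS: Dict[str, int] = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


class ReferenceMonitor:
    """Every access to an object goes through check(); nothing else in the
    system touches objects directly. The monitor is small enough to inspect,
    records every decision (audit) and denies whatever it cannot classify
    (fail securely)."""

    def __init__(self) -> None:
        self.clearances: Dict[str, str] = {}       # subject -> clearance
        self.classifications: Dict[str, str] = {}  # object  -> classification
        self.audit: List[Tuple[str, str, str, str]] = []

    def add_subject(self, name: str, clearance: str) -> None:
        self.clearances[name] = clearance

    def add_object(self, name: str, classification: str) -> None:
        self.classifications[name] = classification

    def check(self, subject: str, op: str, obj: str) -> bool:
        """Mediate one access and record the outcome before returning it."""
        decision = self._decide(subject, op, obj)
        self.audit.append((subject, op, obj, "ALLOW" if decision else "DENY"))
        return decision

    def _decide(self, subject: str, op: str, obj: str) -> bool:
        if subject not in self.clearances or obj not in self.classifications:
            return False                    # unknown subject or object: deny
        s = LEVELS[self.clearances[subject]]
        o = LEVELS[self.classifications[obj]]
        if op == "read":
            return s >= o                   # no read up (confidentiality)
        if op == "write":
            return s <= o                   # no write down (no leaking)
        return False                        # unknown operation: deny


def build_demo_monitor() -> ReferenceMonitor:
    """Constructed population: one SECRET analyst and two documents."""
    rm = ReferenceMonitor()
    rm.add_subject("analyst", "SECRET")
    rm.add_object("daily_brief", "CONFIDENTIAL")
    rm.add_object("war_plan", "TOP SECRET")
    return rm
```

The write rule surprises people: a SECRET subject may write into a TOP SECRET object (appending to it leaks nothing) but not into a CONFIDENTIAL one, because that is how classified content would flow downwards. The audit list is what the Audit need in the earlier section refers to; a real system would write it somewhere the monitored subjects cannot modify.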
Who are you and can you prove it!!
Allow authorized users in!
Keep unauthorized users out!
• Username and Password
  • Username - identification
  • Password - proof of identification
• Biometrics
  • Biometric came from the person at verification time
  • Biometric matches master on file
• Access Tokens
  • Password for tokens -> PIN
• Authentication Protocols
  • Cryptographic authentication over a network
  • Salt
  • Kerberos
• Single Sign On
  • Incompatible legacy
  • Single point of failure
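Username and password with a salt, as the slide lists them, look like this in practice. The following is an added example (not from the slides) using only the Python standard library: each user gets a random salt, the password is run through PBKDF2-HMAC-SHA256 so the stored value is slow to brute-force, and verification compares in constant time. The user names, passwords and iteration count are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# PBKDF2 work factor; constructed for this example, raise it in production.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh random salt per user means two
    users with the same password store different values, and a precomputed
    table of common-password hashes is useless against the store."""
    if salt is None:
        salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)


# Constructed user store: username -> (salt, derived_key).
# The password itself is never stored.
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("correct horse battery staple"),  # same password as alice
}

# Dummy record so an unknown username costs the same time as a known one.
_DUMMY = (b"\x00" * 16, b"\x00" * 32)


def login(username: str, password: str) -> bool:
    """Identification (username) plus proof of identification (password)."""
    salt, key = USERS.get(username, _DUMMY)
    ok = verify_password(password, salt, key)
    return ok and username in USERS
```

Inspect `USERS["alice"]` and `USERS["bob"]` after running: the same password yields two different salts and two different derived keys, which is the whole purpose of the salt.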
Kerberos (the Client and Server X each share a long-term key with the Kerberos Server; a session key is issued per logon):
1. Client -> Kerberos Server: Request to log on to Machine X.
2. Kerberos Server: check to see if Client has permission to log on to X.
3. Kerberos Server -> Client: sends a ticket for Server X (issued under Server X's long-term key) together with a session key, for authentication to Server X.
4. Client: use the session key to create an authenticator.
5. Client -> Server X: send authenticator and session key (in the ticket) to Server X.
6. Server X validates ticket and session key with its long-term key.
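The exchange above, simulated end to end as an added example that is not part of the original slides. Real Kerberos uses standard ciphers and ASN.1 messages; here, so that the block runs offline with only the Python standard library, the ticket and authenticator are protected with a small constructed encrypt-then-MAC construction built from HMAC-SHA256 (a stand-in, not a production cipher). The principal names, keys, permission table and lifetimes are all constructed for the example.

```python
import hashlib
import hmac
import json
import os
import time

# --- Toy authenticated encryption standing in for Kerberos' real ciphers:
# --- HMAC-SHA256 keystream in counter mode plus an HMAC tag (encrypt-then-MAC).
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)


# --- Kerberos roles. Long-term keys are shared only with the Kerberos server.
LONG_TERM_KEYS = {"alice": os.urandom(32), "serverX": os.urandom(32)}  # constructed
PERMISSIONS = {"alice": {"serverX"}}            # who may log on where (constructed)
TICKET_LIFETIME = 300                           # seconds


def kerberos_logon_request(client: str, server: str) -> bytes:
    """Steps 1-3. Kerberos server: check permission, mint a session key, return
    a ticket (sealed under the server's long-term key, so the client cannot
    alter it) plus the session key, both sealed under the client's key."""
    if server not in PERMISSIONS.get(client, set()):
        raise PermissionError(f"{client} may not log on to {server}")
    session_key = os.urandom(32)
    ticket = seal(LONG_TERM_KEYS[server], json.dumps({
        "client": client, "session_key": session_key.hex(),
        "expires": time.time() + TICKET_LIFETIME}).encode())
    reply = {"session_key": session_key.hex(), "ticket": ticket.hex()}
    return seal(LONG_TERM_KEYS[client], json.dumps(reply).encode())


def client_build_authenticator(client: str, reply_blob: bytes):
    """Steps 4-5. Client: recover the session key, then prove possession of it
    by sealing a fresh timestamped authenticator. Returns (ticket, authenticator)."""
    reply = json.loads(unseal(LONG_TERM_KEYS[client], reply_blob))
    session_key = bytes.fromhex(reply["session_key"])
    authenticator = seal(session_key, json.dumps({"client": client, "time": time.time()}).encode())
    return bytes.fromhex(reply["ticket"]), authenticator


def server_validate(server: str, ticket: bytes, authenticator: bytes, max_skew: int = 60) -> str:
    """Step 6. Server X: open the ticket with its own long-term key, then open
    the authenticator with the session key found inside. Returns the client."""
    t = json.loads(unseal(LONG_TERM_KEYS[server], ticket))
    if t["expires"] < time.time():
        raise ValueError("ticket expired")
    a = json.loads(unseal(bytes.fromhex(t["session_key"]), authenticator))
    if a["client"] != t["client"] or abs(a["time"] - time.time()) > max_skew:
        raise ValueError("authenticator does not match ticket")
    return t["client"]


def logon(client: str, server: str) -> str:
    """Full exchange: Client -> Kerberos Server -> Client -> Server X."""
    ticket, authenticator = client_build_authenticator(client, kerberos_logon_request(client, server))
    return server_validate(server, ticket, authenticator)
```

Two things the code makes visible that the diagram does not: Server X never talks to the Kerberos Server during logon (it trusts the ticket because only the Kerberos Server holds its long-term key), and the timestamp in the authenticator is what stops a captured ticket and authenticator from being replayed later, which is why Kerberos deployments depend on synchronised clocks.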
NETWORKED COMPUTER SECURITY
• MALICIOUS SOFTWARE
• NETWORK SECURITY
• NETWORK DEFENCES

MALICIOUS SOFTWARE
• Payload and Propagation
• Classifications
  • Viruses
  • Worms
  • Trojan Horses
• Modular Code Problem
  • Isolation and Memory Safety
  • Access Control at the interfaces
  • Code Signing
• Mobile Code
• Web Security
  • SSL
  • Cross Site Scripting
  • Cookie Abuse
  • Web Service Scripts
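Cross Site Scripting and cookie abuse from the list above, shown as the vulnerable pattern next to the hardened one. This is an added example, not from the slides: a server-side Python template that pastes untrusted input into HTML, the same template with the input escaped, and a Set-Cookie value carrying the flags that limit what a script can do with a session cookie. The comment text and payload are constructed.

```python
import html


def render_comment_unsafe(author: str, text: str) -> str:
    """Vulnerable: untrusted input is pasted straight into the page, so a
    <script> tag supplied by one visitor runs in every other visitor's browser."""
    return f'<div class="comment"><b>{author}</b>: {text}</div>'


def render_comment_safe(author: str, text: str) -> str:
    """Hardened: every untrusted value is HTML-escaped at the point of insertion,
    so the same input is displayed as text rather than parsed as markup."""
    return (f'<div class="comment"><b>{html.escape(author, quote=True)}</b>: '
            f'{html.escape(text, quote=True)}</div>')


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value with the flags that limit cookie abuse: HttpOnly keeps
    page script from reading it, Secure keeps it off plaintext HTTP, and
    SameSite=Strict stops the browser sending it on cross-site requests."""
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Strict"


# Constructed test input of the kind used to check for reflected XSS.
PAYLOAD = "<script>alert('xss')</script>"
```

Escaping belongs in the output layer, not the input layer: the same string may be safe in a database and dangerous in HTML, a URL or a JavaScript literal, and each of those contexts needs its own encoder.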
NETWORK SECURITY
Mainly TCP/IP protocol
Post office not Telephone company!
• Router Vulnerability
• Password Sniffing
• IP Spoofing
• DNS Security
• Denial of Service Attacks
• Distributed Denial of Service Attacks
NETWORK DEFENCES
• FIRE-WALLS
  • Attacks: Go around, Sneak key in, Take over
  • Types: Packet Filters & Proxy Gateways
• DEMILITARIZED ZONES (DMZ)
• VIRTUAL PRIVATE NETWORKS (VPN)
  • Connect disjointed pieces of network
  • Connect mobile, roaming users
• INTRUSION DETECTION SYSTEMS (IDSs)
  • Misuse detection
  • Anomaly detection
• HONEY POTS & ALARMS
• VULNERABILITY SCANNERS
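The two IDS approaches in the list, misuse detection and anomaly detection, run over the same sample log in this added example (not from the slides). Misuse detection matches fixed signatures of known-bad events; anomaly detection knows no signatures and flags a source whose failure rate in a time window is beyond what a person mistyping a password produces. The sshd-style log lines are constructed, with documentation-range addresses, and the threshold and window are example values.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sshd log excerpt (documentation-range addresses), not real data.
SAMPLE_LOG = """\
Mar 10 09:00:01 gw sshd[410]: Accepted password for alice from 10.0.0.5 port 50122 ssh2
Mar 10 09:00:03 gw sshd[411]: Failed password for root from 203.0.113.9 port 40001 ssh2
Mar 10 09:00:04 gw sshd[412]: Failed password for root from 203.0.113.9 port 40002 ssh2
Mar 10 09:00:05 gw sshd[413]: Failed password for root from 203.0.113.9 port 40003 ssh2
Mar 10 09:00:06 gw sshd[414]: Failed password for root from 203.0.113.9 port 40004 ssh2
Mar 10 09:00:07 gw sshd[415]: Failed password for root from 203.0.113.9 port 40005 ssh2
Mar 10 09:00:08 gw sshd[416]: Failed password for root from 203.0.113.9 port 40006 ssh2
Mar 10 09:00:30 gw sshd[417]: Invalid user admin from 203.0.113.9 port 40007
Mar 10 09:01:10 gw sshd[418]: Failed password for bob from 10.0.0.7 port 50123 ssh2
Mar 10 09:01:15 gw sshd[419]: Accepted password for bob from 10.0.0.7 port 50124 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Accepted password|Failed password|Invalid user) (?:for )?"
    r"(?P<user>\S+) from (?P<src>\S+)"
)

# Misuse detection: signatures of things already known to be bad.
SIGNATURES = {
    "root-login-attempt": re.compile(r"Failed password for root\b"),
    "user-enumeration": re.compile(r"Invalid user\b"),
}


def parse(line: str) -> Optional[dict]:
    """Turn one log line into fields, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "event": m["event"], "user": m["user"], "src": m["src"]}


def misuse_detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Alert on every line that matches a known-bad signature."""
    alerts = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append((name, line))
    return alerts


def anomaly_detect(lines: List[str], threshold: int = 5, window_seconds: int = 60) -> Dict[str, int]:
    """Flag sources with at least `threshold` failed logons inside any
    `window_seconds` span. Returns {source: peak count in a window}."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["event"] != "Accepted password":
            failures[ev["src"]].append(ev["ts"])
    flagged: Dict[str, int] = {}
    for src, times in failures.items():
        times.sort()
        start = 0                      # sliding window over sorted timestamps
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged
```

On the sample, misuse detection raises seven alerts but would have raised none had the attacker tried an ordinary user name instead of root and admin; anomaly detection flags 203.0.113.9 on rate alone and says nothing about bob's single typo. That trade-off (known patterns with few false positives versus unknown behaviour with a tuning problem) is why the two are usually deployed together.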
PROCESSES
“The problem is that security measures such as cryptography, secure kernels, firewalls and everything else work much better in theory than they do in practice. In other words: security flaws in the implementation are much more common and much more serious than security flaws in design. Design is about software reliability”
- Bruce Schneier
“Products have problems - and they are getting worse. The
only reasonable thing to do is to create processes that accept
this reality. We must implement these processes to get as
much safety as possible.”
- Bruce Schneier
• PRINCIPLES
• DETECTION & RESPONSE
• COUNTER-ATTACK
• RISK MANAGEMENT
• Compartmentalize
• Secure the weakest link
• Use Choke Points
• In-depth Defense
• Fail Securely
• Leverage Unpredictability
• Embrace Simplicity
• “Complexity is the worst enemy of security!”
• “Be as simple as possible but no simpler” - Einstein
• Enlist Users
• Assure
• Question
• Trust no one – especially yourself!!!!
“Detection is more important than prevention!”
• Detect Attacks
• Analyze Attacks
• Detection
• Localization
• Identification
• Assessment
• Respond to Attacks
• Make the problem go away
• Catch the Attacker
• Be Vigilant
• Continuous
• Immediateness
• Preparedness
• Watch the Watchers
• Recover from Attacks
• Recover from compromise
“The best defense is attack!!!”
“Attacker is a tortoise; Defender must be a fox!”
“There is no 100% security!”
“Identify the risk then either accept it, or reduce it or insure
against it.”
“Security does not have to be perfect but risks have to be
manageable.”
“Outsource to experts!”
“How big is the potential loss?”
“We don’t know!!”
“How likely is the loss to occur?”
“We don’t know.”
“How much is your company worth?”
“One billion rands!”
“The premium will be one billion rands!”
“I’ve realized that the fundamental problems in security are no
longer about technology; they’re about how to use
technology.”
“There is no way to turn security into a product.”
“It’s more and more about process.”
- Bruce Schneier