Transcript ppt - Computer Secrity Classes

INF526:
Secure Systems Administration
Quiz Review and
Adversarial Security Planning
(continued)
Prof. Clifford Neuman
Lecture 5
8 February 2017
OHE100C
Class Presentation Schedule
2/8 Miles Wright-Walker - Developing adversarial security plan
2/15 Matthew Jackoski - Red Teaming / Pen Testing Tools
2/22 Abdulla Binkulaib - Developing a response plan
3/1 Jikun Li - Linux security administration
3/8 Daniel Dmytrisin - Network security components & Tech
3/22 Haibo Zhang - Network Security administration
3/29 Mariam Fahad Bubeshait - Configuration Management
4/5 Mohammed Alsubaie – SIEM and Intrusion Detection
4/12 Vishnu Vadlamani - Network Monitoring/Attack Forensics
4/19 Andrew Gronski - Accreditation and acceptance testing
1
But First – Review of Quiz 1
Policy Administration - A system is secure if it
correctly applies policies for access to system
resources. The application of policy has several
distinct components that may occur in different
places, or different modules within a system.
–
–
–
–
Policy Enforcement Point
Policy Decision Point
Policy Administration Point
Policy Information Point
2
Web Server
For each of the systems described below, use your best
explanation to describe what constitutes each function and
where that function occurs in the system or supporting
infrastructure.
• Access control for files exported through a web server
such as apache when page permissions are managed
using the .htaccess file.
•
•
•
•
PEP:
PDP:
PAP:
PIP:
3
Appliance Firewall
For each of the systems described below, use your best
explanation to describe what constitutes each function and
where that function occurs in the system or supporting
infrastructure.
• Filtering of packets passing through an appliance firewall.
•
•
•
•
PEP:
PDP:
PAP:
PIP:
4
Unix/Linux Filesystem
For each of the systems described below, use your best
explanation to describe what constitutes each function and
where that function occurs in the system or supporting
infrastructure.
• Access to local files with standard unix permissions on a
system running Linux or Unix.
•
•
•
•
PEP:
PDP:
PAP:
PIP:
5
Banking Application
For each of the systems described below, use your best
explanation to describe what constitutes each function and
where that function occurs in the system or supporting
infrastructure.
• Access to your customers account balance through a web
server in the banking example that we have been
discussing in class.
•
•
•
•
PEP:
PDP:
PAP:
PIP:
6
Minimization
Minimization, Provide examples of minimization,
and steps that you can take to achieve such
minimization, in each of the situations discussed
below.
• Reduction of the attack surface for servers
running within your corporate network.
7
Minimization
Minimization, Provide examples of minimization,
and steps that you can take to achieve such
minimization, in each of the situations discussed
below.
• Reduction of impact for insider threats, or for
compromise resulting from subversion of server
processes.
8
Minimization
Minimization, Provide examples of minimization,
and steps that you can take to achieve such
minimization, in each of the situations discussed
below.
• Reduction of the impact to other systems on your
network when one system is compromised or
subverted.
9
Security Requirements Documents
List the kinds of requirements that should be
specified in a security requirements document.
– Include a 1 or 2 sentence description of what is
described by the requirement.
(A security requirements document might sometimes be referred to as a security policy, or an organizational security policy, but I am
avoiding the term “security policy” because that term is sometimes used to refer to other policies within a system. Here I am
concerned with the broader use of the term. )
TrialPaySB
• Physical Security Requirements
– Includes placement of devices, requirements for
physical protection such as locks, doors, cages, cables,
building defenses, and protection of portable media.
Could include tempest requirements, visibility
requirements, and screening on entrance or exit from a
facility.
10
Security Requirements Documents
• Personnel Security Requirements
– Includes information on required reference checks,
criminal background checks, training, code of conduct,
and procedures for revoking access and vetting for
special access.
• Authentication and Identity Management Policies
– Requirements for multi-factor authentication, password
strength, no sharing of accounts, federated identity
management, password resets, etc.
11
Data Protection Policies
• Information Flow Policies (MAC)
– Marking, removal of media, who may access, nondisclosure requirements.
– Encryption requirements for data in place or in transit.
• Email and communication policies
• Software installation and access policies
• Monitoring policies
• Others?
12
INF526:
Security Systems Administration
Student Presentation
Adversarial Security Planning
M.S. Candidate Myles Wright-Walker
February 8, 2017
What is an Adversarial Security Plan?
• An adversarial security plan enables an entity to develop
an awareness of their networks and systems in order to
protect data, safeguard their operations, and guard their
infrastructure.
14
Purpose of an Adversarial Security
Plan
• Predicting intentions and future actions of malicious
entities
• Limit attack surface
• Assist in developing a containment architecture in case
of breach
15
What is Situational Awareness?
• The United States Marine Corps defines
situational awareness as the:
“Knowledge and understanding of the current
situation which promotes timely, relevant, and
accurate assessment of friendly, enemy, and other
operations within the battlespace in order to
facilitate decision making” (MCRP 5-12A).
16
Situational Awareness in Regards to
Cyber Security
• Within the cyber domain, this doctrine of
situational awareness provides:
1. A precise understanding of the resources within your
systems and network.
2. An accurate awareness of the operations and
personnel that contribute to the overall function of
the system and network.
17
Situational Awareness in Regards to
Cyber Security
3. An accurate and in-depth assessment of current
resources and operations as well as weaknesses
4. An understanding of an adversaries potential targets
and what can be used to exploit them to cripple
systems.
5. Provides flexibility.
18
Elements of Developing Cyber
Situational Awareness
NIST Cybersecurity and Cyber Infrastructure and Key Resources (CIKR) Framework.
19
Goals of Attackers: Methodology
• Attackers generally implement the following
methodology:
1. Reconnaissance

Information gathering, What/ Who is the target?
2. Scanning/ Enumerating

What is the attack surface? Ex: Access points/ open ports, live
hosts, accounts, policies, etc.
3. Gaining Access

Breaching systems, executing malicious software
4. Maintaining Access

Establishing backdoors, unpatched systems
5. Clearing Evidence

Decoy traffic, log manipulation, obfuscation of identity
20
Goals of Attackers: Targets
• As stated in the previous lecture, adversaries will target:
– The weakest link within a target system or network
• Example: Unpatched systems
– Weaknesses within the system environment
• Example: Open ports, weak security mechanism policies
– Subversion of defenses
• Example: IDS evasion, disabling firewalls
21
Goals of Attackers: Tools
• Reconnaissance
1. DNS Look Up

root# whois abc.com
2. Getting IP Addresses

Use a “whois” client
3. Trace the IP

root# traceroute abc.com
4. Identify servers

Use the host command
• Scanning and Enumerating Targets
– Port/ TCP scanning, Nmap, and Nessus
22
Goals of Attackers: Tools
• Gaining Access
– Metasploit, oclHashcat
• Maintaining Access
– Establishing backdoor through creating user accounts or taking
over unused accounts.
– Metasploit Meterperter
• Clearing Evidence
–
–
–
–
VPN service/ Other Encrypted Communication
Proxies
Botnet
Log Manipulation (Not Always Plausible)
23
Consequences of Breach
• In order to understand the consequences of an attack, it
is necessary to develop a risk model, with the purpose
of:
– Reducing, avoiding, accepting, and transferring risk
Remember from INF519:
Risk of an Attack = Vulnerability x Threat
or
Risk = Cost x Probability of an Attack
Outlined in: NIST 800-39 Managing Information Security Risk & NIST 800-30 Guidance
for Conducting Risk Assessments
24
Prioritizing Resources for Defense
• In order to defend your network and system against
attacks, it is necessary to develop a threat model with
the purpose of:
– Identifying threats
• Vulnerabilities
• Deficiencies in security requirements and design
– Identifying countermeasures
•
•
•
•
Technical mechanisms
Administrative and physical controls
Personnel Security and Training
Physical Security
– Identifying weakest link through being repeatable
25
Case Study
• Consider you work at a data center in charge of
centralizing an organization’s IT operations and
equipment. You are instructed to ensure that the data
stored within the server room is secure.
• Environmental Factors:
– The room is secured through two factor authentication.
– Personnel who access the server room require an escort of
equal or higher clearance.
– The HVAC systems are controlled through a 3rd party
– All the appropriate MAC and DAC policies are implemented.
26
Case Study
1. Set Goals and Objectives of Organization (Top-Level
Awareness).
a) Identify who you are protecting, what you are protecting, where
you are protecting said assets, and why.
2. Identify assets, systems, and networks.
3. Assess Risk.
a) Enumerate threats, vulnerabilities, impact, likelihood (of attack
and success), predisposing conditions, and countermeasures.
27
Case Study
4. Prioritize Resources
a) Set metrics to identify what assets require the most security and
implement security mechanisms appropriately
5. Implement Situational Awareness Security Plan
6. Measure and monitor effectiveness.
a) Verify implemented mechanisms are configured and working
properly.
b) Determine ongoing effectiveness.
c) Identify and take into consideration risk impacting changes to
systems and network, and act accordingly.
28
INF526:
Secure Systems Administration
Virtualization
Prof. Clifford Neuman
Lecture 5
8 February 2017
OHE100C
Virtualization
• Management
– You can running many more “machines” and create
new ones in an automated manner.
– This is useful for server farms.
• Separation
– “Separate” machines provide a fairly strong, though
coarse grained level of protection.
– Because the isolation can be configured to be almost
total, there are fewer special cases or management
interfaces to get wrong.
Virtualization and Containment
• The separation provided by virtualization
may be just what is needed to keep data
managed by trusted applications out of
the hands of other processes.
• But a VM would have to make sure the
data is protected on disk as well.
Virtualization
• Operating Systems are all about
virtualization
–One of the most important function of a
modern operating system is managing
virtual address spaces.
–But most operating systems do this for
applications, not for other OSs.
Virtualization and Administration
• Issues affecting administration of virtual
machines
–
–
–
–
–
–
–
Containment
Side Channels
Throwaway mentality
Stateless machines
Privileged remote access
Less physical or siloed specialization
Relationship to cloud computing
33
Virtualization of the OS
• Some have said that all problems in computer science
can be handled by adding a later of indirection.
– Others have described solutions as reducing the
problem to a previously unsolved problem.
• Virtualization of OS’s does both.
– It provides a useful abstraction for running guest
OS’s.
– But the guest OS’s have the same problems as if
they were running natively.
Is Virtualization Different?
• Same problems
– Most of the problems handled by hypervisors are the
same problems handled by traditional OS’s
• But the Abstractions are different
– Hypervisors present a hardware abstraction.
• E.g. disk blocks
– OS’s present and application abstraction.
• E.g. files
Virtualization
• Running multiple operating systems
simultaneously.
– OS protects its own objects from within
– Hypervisor provides partitioning of
resources between guest OS’s.
Managing Virtual Resource
• Page faults typically trap to the Hypervisor
(host OS).
– Issues arise from the need to replace page tables
when switching between guest OS’s.
– Xen places itself in the Guest OS’s first region of
memory so that the page table does not need to be
rewitten for traps to the Hypervisor.
• Disks managed as block devices allocated to guest
OS’s, so that the Xen code to protect disk extents can
be as simple as possible.
Virtualization
• Operating Systems are all about
virtualization
–One of the most important functions of
a modern operating system is
managing virtual address spaces.
–But most operating systems do this for
applications, not for other OSs.
Virtualization of the OS
• Some have said that all problems in computer science
can be handled by adding a layer of indirection.
– Others have described solutions as reducing the
problem to a previously unsolved problem.
• Virtualization of OS’s does both.
– It provides a useful abstraction for running guest
OS’s.
– But the guest OS’s have the same problems as if
they were running natively.
What is the benefit of virtualization
• Management
– You can run many more “machines” and create new
ones in an automated manner.
– This is useful for server farms.
• Separation
– “Separate” machines provide a fairly strong, though
coarse grained level of protection.
– Because the isolation can be configured to be almost
total, there are fewer special cases or management
interfaces to get wrong.
What makes virtualization hard
• Operating systems are usually written to
assume that they run in privileged mode.
• The Hypervisor (the OS of OS’s) manages the
guest OS’s as if they are applications.
• Some architecture provide more than two
“Rings” which allows the guest OS to reside
between the two states.
– But there are still often assumptions in
coding that need to be corrected in the
guest OS.
Managing Virtual Resource
• Page faults typically trap to the Hypervisor
(host OS).
– Issues arise from the need to replace page tables
when switching between guest OS’s.
– Xen places itself in the Guest OS’s first region of
memory so that the page table does not need to be
rewritten for traps to the Hypervisor.
• Disks managed as block devices allocated to guest
OS’s, so that the Xen code protects disk extents and is
as simple as possible.
Partitioning of Resources
• Fixed partitioning of resources makes the job
of managing the Guest OS’s easier, but it is
not always the most efficient way to partition.
– Resources unused by one OS (CPU,
Memory, Disk) are not available to others.
• But fixed provisioning prevents use of
resources in one guest OS from effecting
performance or even denying service to
applications running in other guest OSs.
The Security of Virtualization
• +++ Isolation and protection between OS’s
can be simple (and at a very coarse level of
granularity).
• +++ This coarse level of isolation may be an
easier security abstraction to conceptualize
than the finer grained policies typically
encountered in OSs.
• --- Some malware (Blue pill) can move the real
OS into a virtual machine from within which
the host OS (the Malware) can not be
detected.
Virtualization and Trusted Computing
• The separation provided by virtualization
may be just what is needed to keep data
managed by trusted applications out of
the hands of other processes.
• But a trusted Guest OS would have to
make sure the data is protected on disk
as well.
Arun Viswanathan
(Slides primarily from XEN website
http://www.cl.cam.ac.uk/research/srg/netos/xen/architecture.html)
XEN Hypervisor Intro
• An x86 virtual machine monitor
• Allows multiple commodity operating systems
to share conventional hardware in a safe and
resource managed fashion,
• Provides an idealized virtual machine
abstraction to which operating systems such
as Linux, BSD and Windows XP, can be
ported
with minimal effort.
• Design supports 100 virtual machine
instances simultaneously on a modern server.
Arun Viswanathan
(Slides primarily from XEN website
http://www.cl.cam.ac.uk/research/srg/netos/xen/architecture.html)
Para-Virtualization in Xen
• Xen extensions to x86 arch
– Like x86, but Xen invoked for privileged ops
– Avoids binary rewriting
– Minimize number of privilege transitions into Xen
– Modifications relatively simple and self-contained
• Modify kernel to understand virtualised env.
– Wall-clock time vs. virtual processor time
• Desire both types of alarm timer
– Expose real resource availability
• Enables OS to optimise its own behaviour
Arun Viswanathan
(Slides primarily from XEN website
http://www.cl.cam.ac.uk/research/srg/netos/xen/architecture.html)
Xen 3.0 Architecture
AGP
ACPI
PCI
x86_32
x86_64
IA64
VM0
Device
Manager &
Control s/w
VM1
Unmodified
User
Software
VM2
Unmodified
User
Software
GuestOS
GuestOS
GuestOS
(XenLinux)
(XenLinux)
(XenLinux)
Back-End
Native
Device
Drivers
Control IF
VM3
Unmodified
User
Software
Unmodified
GuestOS
(WinXP))
SMP
Front-End
Device Drivers
Safe HW IF
Front-End
Device Drivers
Event Channel
Virtual CPU
Front-End
Device Drivers
Virtual MMU
Xen Virtual Machine Monitor
Hardware (SMP, MMU, physical memory, Ethernet, SCSI/IDE)
Copyright © 1995-2012 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
VT-x
Arun Viswanathan
(Slides primarily from XEN website
http://www.cl.cam.ac.uk/research/srg/netos/xen/architecture.html)
x86 CPU virtualization
 Xen runs in ring 0 (most privileged)
 Ring 1/2 for guest OS, 3 for user-space
 GPF if guest attempts to use privileged instr
 Xen lives in top 64MB of linear addr space
 Segmentation used to protect Xen as switching
page tables too slow on standard x86
 Hypercalls jump to Xen in ring 0
 Guest OS may install ‘fast trap’ handler
 Direct user-space to guest OS system calls
 MMU virtualisation: shadow vs. direct-mode
Copyright © 1995-2012 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Figure by Carl Waldspurger - VMWARE
VMWare
 Goals - provide ability to run multiple operating
systems, and to run untrusted code safely.
 Isolation primarily from guest OS to the outside.
 This can provide
isolation between
guest OS’s
 Often configured to
run inside a larger
host OS, but also
support a VMM
layer as an option.
Copyright © 1995-2012 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Figure by Carl Waldspurger - VMWARE
VMWare Memory Virtualization
 Intercepts MMU manipulating functions such as
functions that change page table or TLB
 Manages shadow
page tables with
VM to Machine
Mappings
 Kept in sync
using physical
to page mappings
of VMM.
Copyright © 1995-2012 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Virtualization and Containment
• Stronger containment than within O/S
• Weaker than provided in segregated hardware
• Can provide visibility into VM by security tools
• Concern with subversion of Host/Hypervisor
52
Virtualization and Side Channels
– Multi-Tenant architecture (cloud)
– Ability to monitor performance and power to monitor
and spy on activities in other virtual machines.
53
Virtualization and Throwaway
–
–
–
–
VM’s can be recreated easily and automatically.
This allows administrators to be careless
It allows fast recovery
But new instance of machine has same vulnerabilities
of compromised machine.
54
Stateless Virtualizaton
• Tendency to store persistent data on separate
services such as NAS.
• Those external services must be considered part
of attack surface.
• Local state such as logs might be lost, use
network based monitoring.
55
Privileges and Virtualizaton
• Inherent privleges used to be based on access
to console and the physical machine.
• Console access is “remote” when using virtual
machines, and thus such access may be
available without true physical access.
56
No Silos in Virtualizaton
• System Administrator functions used to be
specialized: Backup, hardware, OS,
applications.
• With virtualization, almost all is an application.
• Therefore administrators now need full range of
knowledge.
57
Virtualizaton and the Cloud
• What happens when you “outsource”
administration of your VMs.
– Policy on assignment to providers
– Accreditation of providers
– Need visibility through “information points” in policy
evaluation.
– Side channels an issue for multi-tenancy.
58
Group Exercise One
• Decide on the software components to be deployed to
implement software requirements on next slide.
– Custom development should be simple scripts.
– Use packages for database and other components.
• Decide on the VM’s to be created to run those software
components.
– You can run more than one software component within a VM if you
choose.
– Decide on the methods you will use to contain access to those software
components, and to the information managed by those components.
•
•
•
•
Configure communication between VM’s and to the outside
Install packages
Write scripts and demonstrate basic flow through system.
Report on progress as group now by email on Tuesday 7 Feb.
59
Group 1
• Abdullah Binkulaib and Dan Dmytrisin have provided initial
information, but are having difficulty engaging the rest of group
one.
60
Group 2
• Submitted a requirements and design document
–
–
–
–
Include project scope and assumptions
Data classes, User Classes, and Protection Domains
System Components
System Design
• Including Data Flow Diagrams
• Including Network Diagrams
– Development timeline through end of February
61
Banking
• Your organization must:
–
–
–
Maintain a database of account holders
A database of account balances
Enable web access by customers who:
•
•
•
•
•
Can update their personal information
Check their account balance
Transfer funds to another account (by number)
View transactions on their account
Submit an image of a check for deposit
–
•
(check should be viewable, but you do not need to scan it or process it)
Access is needed
–
–
–
Via web from the open internet
Outbound email confirming transactions
All other interactions may be limited by information flow policies
to internal machines.
62
Preparation for Lab Activities
• Install free version of vmplayer or
virtualbox on your own machine
• Configure some version / dist of Linux as a
guest OS.
• Run two instances simultaneously
• Configure to allow network communication
between the two VMs.
• Install a web server on one of the VMs.
• Configure Dynamic DNS (e.g. no-ip.com)
to enable connection to the server from the
internet.
16
Connecting to VMs
• VNC – Virtual Network Computing
– Install TightVNC or other Client on machine from which
access is attempted.
– Install and configure VNC server on Virtual Machine
– A VNC Server can be run inside your VM, or in the hypervisor
• Inside the VM is likely easier
• Portmapping a must
– Find the IP using dynamic DNS
– But multiple VM’s on a shared NAT need to be mapped manually to
different ports.
• We are trying to gain access to a server under which you can
run VM’s which you would connect to the same way you would
here, via VNC
– Address mapping would be easier.
64