CSE 4482: Computer Security Management:
Assessment and Forensics
Instructor: Suprakash Datta (datta[at]cse.yorku.ca) ext 77875
Lectures: Tues (CB 122), 7–10 PM
Office hours: Wed 3-5 pm (CSEB 3043), or by
appointment.
Textbooks:
1. "Management of Information Security", M. E. Whitman, H. J.
Mattord, Nelson Education / CENGAGE Learning, 2011, 3rd Edition
2. "Guide to Computer Forensics and Investigations", B. Nelson, A.
Phillips, F. Enfinger, C. Steuart, Nelson Education / CENGAGE
Learning, 2010, 4th Edition.
4/13/2015
Managing Firewalls
• Any firewall device must have its own
configuration
– Regulates its actions
– Regardless of firewall implementation
• Policy regarding firewall use
– Should be articulated before made operable
• Configuring firewall rule sets can be difficult
– Each firewall rule must be carefully crafted,
placed into the list in the proper sequence,
debugged, and tested
Management of Information Security, 3rd ed.
Managing Firewalls (cont’d.)
• Configuring firewall rule sets (cont’d.)
– Proper sequence: perform the most resource-intensive actions after the most restrictive ones
• Reduces the number of packets that undergo
intense scrutiny
• Firewalls deal strictly with defined patterns
of measured observation
– Are prone to programming errors, flaws in rule
sets, and other inherent vulnerabilities
Managing Firewalls (cont’d.)
• Firewalls are designed to function within
limits of hardware capacity
– Can only respond to patterns of events that
happen in an expected and reasonably
simultaneous sequence
Managing Firewalls (cont’d.)
• Firewall best practices
– All traffic from the trusted network allowed out
– The firewall is never accessible directly from
the public network
– Simple Mail Transport Protocol (SMTP) data is
allowed to pass through the firewall
• Should be routed to a SMTP gateway
– All Internet Control Message Protocol (ICMP)
data should be denied
Managing Firewalls (cont’d.)
• Firewall best practices (cont’d.)
– Telnet (terminal emulation) access to all
internal servers from the public networks
should be blocked
– When Web services are offered outside the
firewall
• HTTP traffic should be handled by some form of
proxy access or DMZ architecture
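As an added illustration of the two points above (restrictive rules placed before resource-intensive ones, and the best practices just listed), here is a small first-match rule engine in Python. It is example code written for these notes, not from either textbook; the addresses, the rule names and the "inspect" action that stands in for an expensive inspection step are all assumptions:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple

# Assumed addressing, constructed for this example.
TRUSTED = ip_network("10.0.0.0/8")        # trusted internal network
DMZ = ip_network("192.0.2.0/24")          # DMZ segment
FIREWALL_IP = ip_address("203.0.113.1")   # the firewall's own public address
SMTP_GATEWAY = ip_address("192.0.2.25")   # SMTP gateway in the DMZ
WEB_PROXY = ip_address("192.0.2.80")      # HTTP proxy in the DMZ


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Packet], bool]
    action: str      # "allow", "deny" or "inspect"


def from_trusted(p: Packet) -> bool:
    return ip_address(p.src) in TRUSTED


def to_dmz(p: Packet) -> bool:
    return ip_address(p.dst) in DMZ


# Cheap, restrictive rules encoding the best practices on the slides above.
RESTRICTIVE: List[Rule] = [
    Rule("firewall-unreachable",            # firewall never reachable from the public side
         lambda p: ip_address(p.dst) == FIREWALL_IP and not from_trusted(p), "deny"),
    Rule("deny-icmp", lambda p: p.proto == "icmp", "deny"),
    Rule("deny-telnet-inbound",             # no Telnet to internal servers from outside
         lambda p: p.proto == "tcp" and p.dport == 23 and not from_trusted(p), "deny"),
    Rule("trusted-out", from_trusted, "allow"),   # all traffic from the trusted side may leave
    Rule("smtp-to-gateway",                 # SMTP passes, but only to the SMTP gateway
         lambda p: p.proto == "tcp" and p.dport == 25 and ip_address(p.dst) == SMTP_GATEWAY, "allow"),
    Rule("http-to-proxy",                   # HTTP handled by a proxy in the DMZ
         lambda p: p.proto == "tcp" and p.dport == 80 and ip_address(p.dst) == WEB_PROXY, "allow"),
]

# Stand-in for the most resource-intensive action (e.g. application-layer
# inspection), applied to whatever TCP traffic still reaches the DMZ.
DEEP_INSPECT = Rule("deep-inspect", lambda p: p.proto == "tcp" and to_dmz(p), "inspect")

GOOD_ORDER = RESTRICTIVE + [DEEP_INSPECT]   # restrictive rules first, expensive rule last
BAD_ORDER = [DEEP_INSPECT] + RESTRICTIVE    # expensive rule first


def evaluate(rules: List[Rule], packet: Packet) -> Tuple[str, str]:
    """First-match evaluation; anything no rule matches is denied by default."""
    for rule in rules:
        if rule.match(packet):
            return rule.action, rule.name
    return "deny", "default"


def count_inspected(rules: List[Rule], packets: List[Packet]) -> int:
    """How many packets reach the expensive rule under this ordering."""
    return sum(1 for p in packets if evaluate(rules, p)[0] == "inspect")


# Constructed packet stream for the demonstration.
SAMPLE_PACKETS = [
    Packet("10.1.2.3", "198.51.100.7", "tcp", 443),     # internal host browsing out
    Packet("198.51.100.9", "203.0.113.1", "tcp", 22),   # outsider aiming at the firewall itself
    Packet("198.51.100.9", "192.0.2.25", "icmp"),       # ping into the DMZ
    Packet("198.51.100.9", "192.0.2.10", "tcp", 23),    # Telnet from outside
    Packet("198.51.100.9", "192.0.2.25", "tcp", 25),    # mail to the gateway
    Packet("198.51.100.9", "192.0.2.80", "tcp", 80),    # web request to the proxy
    Packet("198.51.100.9", "192.0.2.10", "tcp", 8443),  # unlisted service: needs a closer look
    Packet("198.51.100.9", "192.0.2.10", "udp", 53),    # nothing allows it: default deny
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "->", evaluate(GOOD_ORDER, p))
    print("reaching deep inspection, good order:", count_inspected(GOOD_ORDER, SAMPLE_PACKETS))
    print("reaching deep inspection, bad order: ", count_inspected(BAD_ORDER, SAMPLE_PACKETS))
```

With the restrictive rules first, only one of the eight sample packets reaches the expensive rule; with the expensive rule placed first, four of them do, because every TCP packet bound for the DMZ is inspected before the cheap denies and allows get a chance to decide.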
Next: dealing with intrusions
• Intrusion detection and prevention
• Intrusion: attacker attempts to gain entry
or disrupt normal operation
• Examples: password cracking,
unauthorized data access, unauthorized
software installation, unauthorized
configuration changes, denial of service
attacks
Typical intrusion steps
• Initial reconnaissance (IP addrs, names,
platforms…)
• Network probes: port scanning, ping
• Breaking in: gaining access to systems
• Take over the network: install rootkits, …
• Launch main attack: steal data, modify
content, denial of service attacks,…
Intrusion detection
A possible scenario
(http://flylib.com/books/4/213/1/html/2/images/fig04_13.jpg)
Intrusion Detection and
Prevention Systems
• The term intrusion detection/prevention
system (IDPS) can be used to describe
current anti-intrusion technologies
• Can detect an intrusion
• Can also prevent that intrusion from
successfully attacking the organization by
means of an active response
Intrusion Detection and
Prevention Systems (cont’d.)
• IDPSs work like burglar alarms
– Administrators can choose the alarm level
– Can be configured to notify administrators via
e-mail and numerical or text paging
• Like firewall systems, IDPSs require
complex configurations to provide the level
of detection and response desired
• Active solutions!
Intrusion Detection and
Prevention Systems (cont’d.)
• The newer IDPS technologies
– Different from older IDS technologies
• IDPS technologies can respond to a detected threat
by attempting to prevent it from succeeding
– Types of response techniques:
• The IDPS stops the attack itself
• The IDPS changes the security environment
• The IDPS changes the attack’s content
Intrusion Detection and
Prevention Systems (cont’d.)
IDPSs are either
• host based, to protect server or host
information assets, or
• network based, to protect network
information assets
IDPS detection methods
• Signature based
• Statistical anomaly based
Intrusion Detection and
Prevention Systems (cont’d.)
Figure 10-9 Intrusion detection and prevention systems
Source: Course Technology/Cengage Learning
Host-based IDPS
• Resides on a particular computer or server
and monitors activity only on that system
• Benchmark and monitor the status of key
system files and detect when intruder creates,
modifies, or deletes files
• Most HIDPSs work on the principle of
configuration or change management
• Advantage over NIDPS: can usually be
installed so that it can access information
encrypted when traveling over network
From Principles of Information Security, Fourth Edition
Host-Based IDPS (contd.)
• Configures and classifies various
categories of systems and data files
• HIDPSs provide only a few general levels
of alert notification
• Unless the HIDPS is very precisely
configured, benign actions can generate a
large volume of false alarms
• HIDPSs can monitor multiple computers
simultaneously
Advantages of HIDPSs
• Can detect local events on host systems and
detect attacks that may elude a network-based
IDPS
• Functions on host system, where encrypted
traffic will have been decrypted and is
available for processing
• Not affected by use of switched network
protocols
• Can detect inconsistencies in how applications
and systems programs were used by
examining records stored in audit logs
Disadvantages of HIDPSs
• Pose more management issues
• Vulnerable both to direct attacks and attacks
against host operating system
• Does not detect multi-host scanning, nor
scanning of non-host network devices
• Susceptible to some denial-of-service attacks
• Can use large amounts of disk space
• Can inflict a performance overhead on its
host systems
Network-Based IDPS
• Resides on computer or appliance
connected to segment of an organization’s
network; looks for signs of attacks
• Installed at specific place in the network
where it can watch traffic going into and out
of particular network segment
• Monitor network traffic
– When a predefined condition occurs, notifies
the appropriate administrator
Network-Based IDPS - contd
• Looks for patterns of network traffic
• Match known and unknown attack
strategies against their knowledge base to
determine whether an attack has occurred
• Yield many more false-positive readings
than host-based IDPSs
Advantages of NIDPSs
• Good network design and placement of
NIDPS can enable organization to use a
few devices to monitor large network
• NIDPSs are usually passive and can be
deployed into existing networks with
little disruption to normal network
operations
• NIDPSs not usually susceptible to direct
attack and may not be detectable by
attackers
Disadvantages of NIDPSs
• Can become overwhelmed by network
volume and fail to recognize attacks
• Require access to all traffic to be
monitored
• Cannot analyze encrypted packets
• Cannot reliably ascertain if attack was
successful or not
• Some forms of attack are not easily
discerned by NIDPSs, specifically those
involving fragmented packets
Signature-Based IDPS
• Examines data traffic for something that
matches the preconfigured, predetermined
attack pattern signatures
– Also called knowledge-based IDPS
– The signatures must be continually updated as
new attack strategies emerge
– A weakness of this method:
• If attacks are slow and methodical, they may slip
undetected through the IDPS, as their actions may
not match a signature that includes factors based
on duration of the events
Statistical Anomaly-Based IDPS
• Also called behavior-based IDPS
• First collects data from normal traffic and
establishes a baseline
– Then periodically samples network activity, based on
statistical methods, and compares the samples to the
baseline
– When activity falls outside the baseline parameters
(clipping level), the IDPS notifies the administrator
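The following Python example, added here and not taken from the textbook, runs both detection methods over a constructed connection log: two fixed signatures (a FIN-only probe and a null scan, both single-event patterns) and a statistical detector whose feature is the number of distinct destination ports a source touches per minute, with the clipping level set at the baseline mean plus three standard deviations. The log lines, addresses and the factor of three are assumptions:

```python
import re
import statistics
from collections import defaultdict

# Constructed records (not real traffic): "<timestamp> <src> <dst> <dport> <tcp flags>".
# Flags: S = SYN only, F = FIN only, "-" = no flags set.
NORMAL_TRAFFIC = """\
2015-04-13T18:00:05 10.0.1.10 10.0.0.5 80 S
2015-04-13T18:00:09 10.0.1.10 10.0.0.5 443 S
2015-04-13T18:00:40 10.0.1.11 10.0.0.5 80 S
2015-04-13T18:01:02 10.0.1.10 10.0.0.6 22 S
2015-04-13T18:01:15 10.0.1.12 10.0.0.5 80 S
2015-04-13T18:01:50 10.0.1.12 10.0.0.5 443 S
2015-04-13T18:02:07 10.0.1.11 10.0.0.6 22 S
2015-04-13T18:02:33 10.0.1.11 10.0.0.5 80 S
2015-04-13T18:02:41 10.0.1.11 10.0.0.5 443 S
"""

OBSERVED_TRAFFIC = """\
2015-04-13T19:00:01 198.51.100.9 10.0.0.5 21 S
2015-04-13T19:00:02 198.51.100.9 10.0.0.5 22 S
2015-04-13T19:00:02 198.51.100.9 10.0.0.5 23 S
2015-04-13T19:00:03 198.51.100.9 10.0.0.5 25 S
2015-04-13T19:00:03 198.51.100.9 10.0.0.5 80 S
2015-04-13T19:00:04 198.51.100.9 10.0.0.5 443 S
2015-04-13T19:00:04 198.51.100.9 10.0.0.5 3389 S
2015-04-13T19:05:10 203.0.113.77 10.0.0.6 22 F
2015-04-13T19:10:00 192.0.2.200 10.0.0.5 21 S
2015-04-13T19:12:30 10.0.1.10 10.0.0.5 80 S
2015-04-13T19:25:00 192.0.2.200 10.0.0.5 22 S
2015-04-13T19:40:00 192.0.2.200 10.0.0.5 23 S
2015-04-13T19:55:00 192.0.2.200 10.0.0.5 25 S
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def parse(log):
    """Turn the text log into event dicts; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, src, dst, dport, flags = m.groups()
            events.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "flags": flags})
    return events


# Signature-based: each signature is a fixed pattern that one event either matches or not.
SIGNATURES = [
    ("fin-probe", lambda e: e["flags"] == "F"),   # FIN with no preceding handshake
    ("null-scan", lambda e: e["flags"] == "-"),   # no TCP flags at all
]


def signature_alerts(events):
    return [{"sig": name, "src": e["src"], "ts": e["ts"]}
            for e in events for name, match in SIGNATURES if match(e)]


# Anomaly-based: feature = distinct destination ports a source touches per minute.
def ports_per_minute(events):
    seen = defaultdict(set)
    for e in events:
        seen[(e["src"], e["ts"][:16])].add(e["dport"])   # key on "YYYY-MM-DDTHH:MM"
    return {k: len(v) for k, v in seen.items()}


def clipping_level(normal_events, k=3.0):
    """Baseline mean plus k standard deviations; k is an assumed tuning parameter."""
    counts = list(ports_per_minute(normal_events).values())
    return statistics.mean(counts) + k * statistics.pstdev(counts)


def anomaly_alerts(events, clip):
    return [{"src": src, "minute": minute, "ports": n}
            for (src, minute), n in ports_per_minute(events).items() if n > clip]


def analyze(normal_log=NORMAL_TRAFFIC, observed_log=OBSERVED_TRAFFIC):
    """Establish the baseline from normal traffic, then run both detectors on observed traffic."""
    clip = clipping_level(parse(normal_log))
    observed = parse(observed_log)
    return signature_alerts(observed), anomaly_alerts(observed, clip), clip


if __name__ == "__main__":
    sigs, anoms, clip = analyze()
    print(f"clipping level: {clip:.2f} distinct ports per minute")
    for a in sigs:
        print("signature alert:", a)
    for a in anoms:
        print("anomaly alert:", a)
```

Run as is, the fast scanner at 19:00 trips the anomaly detector (seven ports in one minute against a clipping level of about four), the FIN probe trips a signature, and the source that touches one port every fifteen minutes triggers nothing: that is the slow, methodical case from the signature-based slide, and it slips past both methods as written because neither keeps state across minutes.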
Statistical Anomaly-Based IDPS-2
Advantages:
• Able to detect new types of attacks,
because it looks for abnormal activity of
any type
• IDPS can detect new types of attacks
Disadvantages
• Requires much more overhead and
processing capacity than signature-based
• May generate many false positives
Selecting IDPS Approaches and
Products
• Technical and policy considerations
– What is your systems environment?
– What are your security goals and
objectives?
– What is your existing security policy?
• Organizational requirements and
constraints
– What are requirements that are levied from
outside the organization?
– What are your organization’s resource
constraints?
Selecting IDPS Approaches and
Products - contd
• IDPSs product features and quality
– Is the product sufficiently scalable for your
environment?
– How has the product been tested?
– What is the user level of expertise targeted
by the product?
– Is the product designed to evolve as the
organization grows?
– What are the support provisions for the
product?
IDPS: Strengths
• IDPSs perform the following functions well:
– Monitoring and analysis of system events and
user behaviors
– Testing security states of system configurations
– Baselining security state of system and tracking
changes
– Recognizing system event patterns matching
known attacks
– Recognizing activity patterns that vary from
normal activity
IDPS: Strengths - contd
• IDPSs perform the following functions well:
(cont’d.)
– Managing OS audit and logging mechanisms and
data they generate
– Alerting appropriate staff when attacks are
detected
– Measuring enforcement of security policies
encoded in analysis engine
– Providing default information security policies
– Allowing non-security experts to perform important
security monitoring functions
IDPSs: Limitations
IDPSs cannot perform the following functions:
• Compensating for weak/missing security
mechanisms in protection infrastructure
• Instantaneously detecting, reporting,
responding to attack when there is heavy
network or processing load
• Detecting new attacks or variants of existing
attacks
• Effectively responding to attacks by
sophisticated attackers
• Investigating attacks without human
intervention
IDPSs: Limitations (contd.)
IDPSs cannot perform the following functions
(cont’d.):
• Resisting attacks intended to defeat or
circumvent them
• Compensating for problems with fidelity of
data sources
• Dealing effectively with switched networks
Deployment and Implementation
of an IDPS
An IDPS can be implemented as
• Centralized: all IDPS control functions are
implemented and managed in a central
location
• Fully distributed: all control functions are
applied at the physical location of each IDPS
component
• Partially distributed: combines the two; while
individual agents can still analyze and
respond to local threats, they report to a
hierarchical central facility to enable
organization to detect widespread attacks
Figure 7-4 Centralized IDPS Control
Figure 7-5 Fully Distributed IDPS Control
Figure 7-6 Partially Distributed IDPS Control
Deployment and Implementation
of an IDPS (cont’d.)
• IDPS deployment
– Like decision regarding control strategies, decision
about where to locate elements of intrusion
detection systems can be art in itself
– Planners must select deployment strategy that is
based on careful analysis of organization’s
information security requirements but, at the same
time, causes minimal impact
– NIDPS and HIDPS can be used in tandem to
cover both individual systems that connect to an
organization’s networks and networks themselves
Deploying network-based IDPSs
NIST recommends four locations for NIDPS sensors
• Location 1: Behind
each external firewall,
in the network DMZ
• Location 2: Outside
an external firewall
• Location 3: On major
network backbones
• Location 4: On critical
subnets
Deploying host-based IDPSs
• Proper implementation of HIDPSs can
be a painstaking and time-consuming
task
• Deployment begins with implementing
most critical systems first
• Installation continues until either all
systems are installed or the
organization reaches planned degree of
coverage it is willing to live with
Measuring IDPS Effectiveness
• IDPSs are evaluated using four dominant
metrics: thresholds, blacklists and whitelists,
alert settings, and code viewing and editing
• Evaluation of IDPS might read: at 100 Mb/s,
IDS was able to detect 97% of directed
attacks
• Since developing such a collection of test
attacks can be tedious, most IDPS vendors
provide testing mechanisms that verify systems
are performing as expected
Measuring IDPS Effectiveness - 2
• Some of these testing processes will
enable the administrator to:
– Record and retransmit packets from real
virus or worm scan
– Record and retransmit packets from a real
virus or worm scan with incomplete TCP/IP
session connections (missing SYN
packets)
– Conduct a real virus or worm scan against
an invulnerable system
Managing IDPS
• If there is no response to an alert, then an
alarm does no good
• IDPSs must be configured to differentiate
between routine circumstances and low,
moderate, or severe threats
• A properly configured IDPS can translate a
security alert into different types of
notifications
– A poorly configured IDPS may yield only noise
Managing IDPS – contd.
• Most IDPSs monitor systems using agents
– Software that resides on a system and reports
back to a management server
• Consolidated enterprise manager
– Software that allows the security professional
to collect data from multiple host- and network-based
IDPSs and look for patterns across
systems and subnetworks
• Collecting responses from all IDPSs
• Used to identify cross-system probes and intrusions
Wireless Networking Protection
• Most organizations that make use of
wireless networks use an implementation
based on the IEEE 802.11 protocol
• The size of a wireless network’s footprint
– Depends on the amount of power the
transmitter/receiver wireless access points
(WAP) emit
– Sufficient power must exist to ensure quality
connections within the intended area
• But not allow those outside the footprint to connect
Wireless Networking Protection - 2
• War driving
– Moving through a geographic area or building,
actively scanning for open or unsecured WAPs
• Common encryption protocols used to
secure wireless networks
– Wired Equivalent Privacy (WEP)
– Wi-Fi Protected Access (WPA)
Wired Equivalent Privacy (WEP)
• Provides a basic level of security to prevent
unauthorized access or eavesdropping
• Does not protect users from observing
each others’ data
• Has several fundamental cryptological
flaws
– Resulting in vulnerabilities that can be
exploited, which led to replacement by WPA
Wi-Fi Protected Access (WPA)
• WPA is an industry standard
– Created by the Wi-Fi Alliance
• Some compatibility issues with older WAPs
• IEEE 802.11i
– Has been implemented in products such as
WPA2
• WPA2 has newer, more robust security protocols
based on the Advanced Encryption Standard
– WPA /WPA 2 provide increased capabilities for
authentication, encryption, and throughput
Wi-Max
• Wi-Max (WirelessMAN)
– An improvement on the technology developed
for cellular telephones and modems
– Developed as part of the IEEE 802.16
standard
– A certification mark that stands for Worldwide
Interoperability for Microwave Access
Bluetooth
• A de facto industry standard for short range
(approx 30 ft) wireless communications
between devices
• The Bluetooth wireless communications link
can be exploited by anyone within range
– Unless suitable security controls are implemented
• In discoverable mode devices can easily be
accessed
– Even in nondiscoverable mode, the device is
susceptible to access by other devices that have
connected with it in the past
Bluetooth (cont’d.)
• Does not authenticate connections
– It does implement some degree of security
when devices access certain services like dial-up
accounts and local-area file transfers
• To secure Bluetooth enabled devices:
– Turn off Bluetooth when you do not intend to
use it
– Do not accept an incoming communications
pairing request unless you know who the
requestor is
Managing Wireless Connections
• One of the first management requirements
is to regulate the size of the wireless
network footprint
– By adjusting the placement and strength of the
WAPs
• Select WPA or WPA2 over WEP
• Protect preshared keys
Honeypots, Honeynets, and
Padded Cell Systems
• Honeypots: decoy systems designed to lure
potential attackers away from critical systems
• Honeypots are designed to:
– Divert attacker from accessing critical systems
– Collect information about attacker’s activity
– Encourage attacker to stay on system long
enough for administrators to document event and,
perhaps, respond
• Honeynets: collection of honeypots
connecting several honey pot systems on a
subnet
Honeypots, Honeynets, and
Padded Cell Systems (contd.)
• Padded cell: honeypot that has been
protected so it cannot be easily compromised
• In addition to attracting attackers with
tempting data, a padded cell operates in
tandem with a traditional IDPS
• When the IDPS detects attackers, it
seamlessly transfers them to a special
simulated environment where they can cause
no harm—the nature of this host environment
is what gives the approach the name padded cell
Honeypots, Honeynets, and
Padded Cell Systems (contd.)
Advantages
• Attackers can be diverted to targets they
cannot damage
• Administrators have time to decide how to
respond to attacker
• Attackers’ actions can be easily and more
extensively monitored, and records can be
used to refine threat models and improve
system protections
• Honeypots may be effective at catching
insiders who are snooping around a network
Honeypots, Honeynets, and
Padded Cell Systems (cont’d.)
Disadvantages
• Legal implications of using such devices are
not well defined
• Honeypots and padded cells have not yet
been shown to be generally useful security
technologies
• Expert attacker, once diverted into a decoy
system, may become angry and launch a
more hostile attack against an organization’s
systems
• Administrators and security managers need a
high level of expertise to use these systems
Trap and Trace Systems
• Use combination of techniques to detect an
intrusion and trace it back to its source
• Trap usually consists of honeypot or padded
cell and alarm
• Legal drawbacks to trap and trace
– Enticement: process of attracting attention to
system by placing tantalizing bits of information in
key locations
– Entrapment: action of luring an individual into
committing a crime to get a conviction
– Enticement is legal and ethical, entrapment is not
Active Intrusion Prevention
• Some organizations implement active
countermeasures to stop attacks
• One tool (LaBrea) takes up unused IP
address space to pretend to be a
computer and allow attackers to
complete a connection request, but then
holds connection open
Scanning and Analysis Tools
• Used to find vulnerabilities in systems
– Holes in security components, and other
unsecured aspects of the network
• Conscientious administrators frequently
browse for new vulnerabilities, recent
conquests, and favorite assault techniques
• Security administrators may use attacker’s
tools to examine their own defenses and
search out areas of vulnerability
Scanning and Analysis Tools
(contd.)
Scanning tools: Collect the information that
an attacker needs
• Footprinting
– The organized research of the Internet
addresses owned by a target organization
• Fingerprinting
– The systematic examination of all of the
organization’s network addresses
– Yields useful information about attack targets
Figure 7-9 Sam Spade
Scanning and Analysis Tools
• Port mappers
• Network mappers
• Firewall analysis
• OS detection tools
• Vulnerability scanners
• Packet sniffers
• Wireless sniffers
• Password crackers
Port Scanners
• A port is a network channel or connection
point in a data communications system
• Port scanning utilities (port scanners)
– Identify computers that are active on a
network, as well as their active ports and
services, the functions and roles fulfilled by the
machines, and other useful information
Port Scanners (cont’d.)
Table 10-5 Commonly used port numbers
Source: Course Technology/Cengage Learning
Port Scanners (contd.)
• Well-known ports
– Those from 0 through 1023
– Registered ports are those from 1024 through
49151
– Dynamic and private ports are those from
49152 through 65535
• Open ports must be secured
– Can be used to send commands to a
computer, gain access to a server, and exert
control over a networking device
Network mappers
• Mostly use ICMP ping
• Most port scanners can be used as
network mappers, e.g. Nmap, LanState
Firewall Analysis
• Several tools automate remote discovery of
firewall rules and assist the administrator in
analyzing them
• Administrators who feel wary of using the
same tools that attackers use should
remember:
– It is intent of user that will dictate how information
gathered will be used
– In order to defend a computer or network well, it is
necessary to understand ways it can be attacked
• A tool that can help close up an open or
poorly configured firewall will help network
defender minimize risk from attack
Firewall Analysis – contd.
“Firewalking” steps
• Network discovery – apply traceroute to a
host inside the network (finds the TTL count to
the firewall)
• Scanning – TCP/UDP packets are sent with a TTL
of one hop past the firewall; if the firewall allows
the packets in, an ICMP TTL Expired message will
be sent by the binding host
• E.g. Firewalk
OS Detection Tools
• Detecting a target computer’s operating
system (OS) is very valuable to an
attacker
• There are many tools that use
networking protocols to determine a
remote computer’s OS, e.g. Nmap,
Xprobe
• Strategies: passive fingerprinting, active
fingerprinting
Active fingerprinting
• Find out more about host from TCP/IP
characteristics
• TCP FIN probing: TCP RFC specifies that a FIN packet
to an open port should be ignored. MS Windows
responds with a RST packet
• TCP Initial Sequence Number: Some OS choose
random values. Windows generates it from the system
clock
• TCP Initial window size: Linux 2.4 5840 bytes, 2.2
32120 bytes
• IP ID sampling: MSWin uses a predictable sequence,
Linux chooses random numbers.
• ICMP Error message quoting: Linux quotes more than
required
Passive fingerprinting
Information gathered through sniffing
• TTL in IP packets: normally Linux TTL= 64, MS
Windows TTL = 128
• Don’t fragment bit in IP header: most OS 1,
OpenBSD 0
• Type of service field in IP header: normally 0,
some OS non-zero
Generally less useful. Dependent on traffic
pattern
OS detection countermeasures
• Modify responses to various network
events/packets
• Morph, IP Scrubber: “scrub” clean any
outgoing packets of OS-related information
• IP personality (http://ippersonality.sourceforge.net)
(patch for Linux kernel)
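An added Python example, not from the course or from any of the tools named above, that applies the passive rules of thumb from the previous slide to constructed header fields and then applies a simplified scrubber of the kind this slide describes. The host records, the asset inventory, and the choice to normalise every outgoing packet to TTL 128 with DF set are assumptions (real scrubbers and IP personality let the administrator pick the profile):

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IpFields:
    """The IP header fields a passive sniffer sees (constructed records, not captured traffic)."""
    src: str
    ttl: int
    dont_fragment: bool
    tos: int


INITIAL_TTLS = (64, 128, 255)   # common initial TTL values


def initial_ttl(observed: int) -> Optional[int]:
    """The observed TTL is the initial TTL minus hops; map it back to the nearest initial value."""
    for base in INITIAL_TTLS:
        if observed <= base:
            return base
    return None


def hop_distance(observed: int) -> Optional[int]:
    base = initial_ttl(observed)
    return None if base is None else base - observed


def guess_os(f: IpFields) -> Tuple[str, List[str]]:
    """Heuristic classification using the slide's rules of thumb; returns (label, evidence)."""
    base = initial_ttl(f.ttl)
    evidence = [f"ttl={f.ttl} (initial {base})", f"DF={int(f.dont_fragment)}", f"tos={f.tos}"]
    if base == 128:
        return "MS Windows", evidence
    if base == 64 and f.dont_fragment:
        return "Linux", evidence
    if base == 64 and not f.dont_fragment:
        return "OpenBSD", evidence
    return "unknown", evidence


def scrub(f: IpFields, ttl: int = 128, tos: int = 0) -> IpFields:
    """Countermeasure: normalise the OS-revealing fields of an outgoing packet (simplified scrubber)."""
    return IpFields(f.src, ttl, True, tos)


def inventory_mismatches(observed: List[IpFields], asset_db: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Defender's use: compare the passive guess with what the asset inventory claims for each host."""
    out = []
    for f in observed:
        label, _ = guess_os(f)
        expected = asset_db.get(f.src, "not in inventory")
        if label != expected:
            out.append((f.src, expected, label))
    return out


def scrubbed_labels(observed: List[IpFields]) -> List[str]:
    """What the same classifier concludes once every packet has passed through the scrubber."""
    return sorted({guess_os(scrub(f))[0] for f in observed})


# Constructed observations: four hosts seen on the wire.
OBSERVED = [
    IpFields("10.0.1.10", ttl=62, dont_fragment=True, tos=0),
    IpFields("10.0.1.20", ttl=121, dont_fragment=True, tos=0),
    IpFields("10.0.1.30", ttl=60, dont_fragment=False, tos=0),
    IpFields("10.0.1.40", ttl=250, dont_fragment=True, tos=16),
]
# Constructed asset inventory; 10.0.1.40 is not recorded at all.
ASSET_DB = {"10.0.1.10": "Linux", "10.0.1.20": "MS Windows", "10.0.1.30": "Linux"}

if __name__ == "__main__":
    for f in OBSERVED:
        label, evidence = guess_os(f)
        print(f.src, label, hop_distance(f.ttl), "hops away;", ", ".join(evidence))
    print("inventory mismatches:", inventory_mismatches(OBSERVED, ASSET_DB))
    print("labels after scrubbing:", scrubbed_labels(OBSERVED))
```

The inventory check is where the defender gains something: a host the inventory records as Linux but which looks like OpenBSD on the wire, or a host with no inventory entry at all, deserves a visit. After scrubbing, every host classifies the same way, so the fingerprint no longer carries information about what is actually behind the address.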
Vulnerability Scanners
• Capable of scanning networks for very
detailed information
• Variants of port scanners
• Identify exposed user names and groups,
show open network shares, and expose
configuration problems and other server
vulnerabilities
Vulnerability Scanners - 2
• Nessus – freeware
• Used by over 75000 companies
• Different versions for Unix, Mac, Windows
• Detects open ports, mis-configurations (e.g.
missing patches), default passwords,
presence of viruses, back-door programs
Packet Sniffers
• A network tool that collects and analyzes
packets on a network
– It can be used to eavesdrop on network traffic
• Connects directly to a local network from
an internal location
• To use a packet sniffer legally, you must:
– Be on a network that the organization owns
– Be directly authorized by the network’s owners
– Have the knowledge and consent of the users
– Have a justifiable business reason for doing so
Packet Sniffers - 2
• Any network card can be switched to
“promiscuous” mode to sniff all LAN
packets
• Simply tapping into the Internet is a
violation of wiretapping laws
• Example: Wireshark
Wireless Sniffers
• Wireless sniffing is much easier than wired
sniffing
• Very difficult to detect – leaves no traceable
evidence
• Example: NetStumbler
Password Crackers
Most systems store encrypted passwords.
• MS Windows typically uses
C:\Windows\System32\config folder
• Cannot be accessed directly by users, BUT
can be accessed by installing LCP, pwdump
or FGDUMP (require Admin privilege to
install).
• Encryption algorithm known (NT LAN
Manager in Win 7)
• Case sensitive (unlike older versions of
MSWin), applies MD4
Password Crackers – contd.
Attack types
• Brute force – very slow
• Dictionary attack – only common dictionary
words used
• Precomputed dictionary attack – saves time
required for encryption
• E.g. Cain and Abel or “Cain” (some virus
scanners detect it as malware! Microsoft
Security Essentials: “Tool: This program has
potentially unwanted behavior”)
Managing Scanning and Analysis
Tools
• The security manager must be able to see
the organization’s systems and networks
from the viewpoint of potential attackers
– The security manager should develop a
program to periodically scan his or her own
systems and networks for vulnerabilities with
the same tools that a typical hacker might use
• Using in-house resources, contractors, or an
outsourced service provider
Managing Scanning and Analysis
Tools (cont’d.)
• Drawbacks:
– Tools do not have human-level capabilities
– Most tools function by pattern recognition, so
they only handle known issues
– Most tools are computer-based, so they are
prone to errors, flaws, and vulnerabilities of
their own
– Tools are designed, configured, and operated
by humans and are subject to human errors
Managing Scanning and Analysis
Tools (cont’d.)
• Drawbacks: (cont’d.)
– Some governments, agencies, institutions, and
universities have established policies or laws
that protect the individual user’s right to access
content
– Tool usage and configuration must comply with
an explicitly articulated policy, and the policy
must provide for valid exceptions
Other measures
• Content filters
• Cryptographic tools
Content Filters
• Protect systems from misuse
– And unintentional denial-of-service conditions
• A software program or a hardware/software
appliance that allows administrators to
restrict content that comes into a network
• Common application of a content filter
– Restriction of access to Web sites with
non-business-related material, such as
pornography, or restriction of spam e-mail
– Content filters ensure that employees are
using network resources appropriately
Using Cryptographic Controls
• Modern cryptosystems can generate
unbreakable ciphertext
– Possible only when the proper key
management infrastructure has been
constructed and when the cryptosystems are
operated and managed correctly
Using Cryptographic Controls
(cont’d.)
• Cryptographic controls can be used to
support several aspects of the business:
– Confidentiality and integrity of e-mail and its
attachments
– Authentication, confidentiality, integrity, and
nonrepudiation of e-commerce transactions
– Authentication and confidentiality of remote
access through VPN connections
– A higher standard of authentication when used
to supplement access control systems
Using Cryptographic Controls
• Secure Multipurpose Internet Mail Extensions
(S/MIME)
– Builds on Multipurpose Internet Mail Extensions
(MIME) encoding format
• Adds encryption and authentication via digital signatures
based on public key cryptosystems
• Privacy Enhanced Mail (PEM)
– Proposed by the Internet Engineering Task Force
(IETF) as a standard that will function with public key
cryptosystems
– Uses 3DES symmetric key encryption and RSA for key
exchanges and digital signatures
Using Cryptographic Controls
(cont’d.)
• Pretty Good Privacy (PGP)
– Developed by Phil Zimmermann
– Uses the IDEA Cipher
• A 128-bit symmetric key block encryption algorithm
with 64-bit blocks for message encoding
– Like PEM, it uses RSA for symmetric key
exchange and to support digital signatures
Using Cryptographic Controls
• IP Security (IPSec)
– The primary and dominant cryptographic
authentication and encryption product of the IETF’s IP
Protocol Security Working Group
– Combines several different cryptosystems:
• Diffie-Hellman key exchange for deriving key material between
peers on a public network
• Public key cryptography for signing the Diffie-Hellman
exchanges to guarantee the identity of the two parties
• Bulk encryption algorithms, such as DES, for encrypting the
data
• Digital certificates signed by a certificate authority to act as
digital ID cards
Using Cryptographic Controls
(cont’d.)
• IPSec has two components:
– The IP Security protocol
• Specifies the information to be added to an IP
packet and indicates how to encrypt packet data
– The Internet Key Exchange, which uses
asymmetric key exchange and negotiates the
security associations
Using Cryptographic Controls
(cont’d.)
• IPSec works in two modes of operation:
– Transport
• Only the IP data is encrypted, not the IP headers
themselves
• Allows intermediate nodes to read the source and
destination addresses
– Tunnel
• The entire IP packet is encrypted and inserted as
the payload in another IP packet
– Often used to support a virtual private network
Using Cryptographic Controls
(cont’d.)
• Secure Electronic Transactions (SET)
– Developed by MasterCard and VISA to provide
protection from electronic payment fraud
– Encrypts credit card transfers with DES for
encryption and RSA for key exchange
• Secure Sockets Layer (SSL)
– Developed by Netscape in 1994 to provide
security for e-commerce transactions
– Uses RSA for key transfer
• And IDEA, DES, or 3DES for encrypted symmetric
key-based data transfer
Using Cryptographic Controls
• Secure Hypertext Transfer Protocol
– Provides secure e-commerce transactions and
encrypted Web pages for secure data transfer over the
Web, using different algorithms
• Secure Shell (SSH)
– Provides security for remote access connections over
public networks by using tunneling and authentication
services between a client and a server
– Used to secure replacement tools for terminal
emulation, remote management, and file transfer
applications
Using Cryptographic Controls
(cont’d.)
• Cryptosystems provide enhanced and
secure authentication
– One approach is provided by Kerberos, which
uses symmetric key encryption to validate an
individual user’s access to various network
resources
• Keeps a database containing the private keys of
clients and servers that are in the authentication
domain that it supervises
Using Cryptographic Controls
(cont’d.)
• Cryptosystems provide enhanced and
secure authentication (cont’d.)
– Kerberos system knows these private keys and
can authenticate one network node (client or
server) to another
– Kerberos also generates temporary session
keys—that is, private keys given to the two
parties in a conversation
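A simplified model of the exchange just described, added here as an example and not the real Kerberos message formats: the KDC holds each principal's long-term key, mints a temporary session key, and delivers it to the client twice, once under the client's own key and once inside a ticket sealed under the server's key, so that the server can authenticate the client without ever learning the client's key. The cipher (an HMAC-SHA256 keystream with an HMAC tag) is a stand-in for Kerberos' real encryption types, and the principal names, lifetimes and clock values are assumptions:

```python
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in cipher, not Kerberos' actual encryption type."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, obj) -> bytes:
    """Encrypt-then-MAC a JSON-serialisable object under a symmetric key."""
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Verify the tag first; a wrong key or a tampered blob never reaches the decryption step."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Holds every principal's long-term key: the slide's database of private keys."""

    def __init__(self, keys):
        self.keys = keys

    def issue_ticket(self, client: str, server: str, now: int, lifetime: int = 300) -> bytes:
        session_key = os.urandom(32)          # temporary key for this one conversation
        ticket = seal(self.keys[server],      # only the server can open this part
                      {"client": client, "key": session_key.hex(), "expires": now + lifetime})
        return seal(self.keys[client],        # only the client can open the reply as a whole
                    {"server": server, "key": session_key.hex(), "ticket": ticket.hex()})


def client_prepare(client: str, client_key: bytes, reply: bytes, now: int):
    """Client: recover the session key, then present ticket plus a fresh authenticator."""
    r = unseal(client_key, reply)
    session_key = bytes.fromhex(r["key"])
    authenticator = seal(session_key, {"client": client, "time": now})
    return bytes.fromhex(r["ticket"]), authenticator


def server_accept(server_key: bytes, ticket: bytes, authenticator: bytes, now: int, max_skew: int = 300):
    """Server: open the ticket with its own key, then the authenticator with the session key inside."""
    t = unseal(server_key, ticket)
    if now > t["expires"]:
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(t["key"])
    a = unseal(session_key, authenticator)
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - a["time"]) > max_skew:
        raise ValueError("stale authenticator")
    return t["client"], session_key


def demo(now: int = 1_000_000):
    """One full round trip; returns who the server authenticated and whether a stranger could read the reply."""
    keys = {"alice": os.urandom(32), "fileserver": os.urandom(32)}   # constructed principals
    reply = KDC(keys).issue_ticket("alice", "fileserver", now)
    ticket, auth = client_prepare("alice", keys["alice"], reply, now)
    who, _session_key = server_accept(keys["fileserver"], ticket, auth, now + 1)
    try:                                   # without alice's key the reply is opaque
        unseal(os.urandom(32), reply)
        readable = True
    except ValueError:
        readable = False
    return who, readable


if __name__ == "__main__":
    print(demo())
```

Three properties of the slide's description are visible in the code: the KDC is the only party that knows both long-term keys, the session key is what the two parties end up sharing, and the ticket's expiry plus the authenticator's timestamp bound how long a captured message stays useful, which is why Kerberos deployments depend on synchronised clocks.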
Managing Cryptographic Controls
• Don’t lose your keys
• Know who you are communicating with
• It may be illegal to use a specific encryption
technique when communicating to some
nations
• Every cryptosystem has weaknesses
• Give access only to those with a business
need
• When placing trust into a certificate
authority, ask “Who watches the
watchers?”
Managing Cryptographic
Controls (cont’d.)
• There is no security in obscurity
• Security protocols and the cryptosystems
they use are installed and configured by
humans
– They are only as good as their installers
• Make sure that your organization’s use of
cryptography is based on well-constructed
policy and supported with sound
management procedures
Summary
• Introduction
• Access controls
• Firewalls
• Intrusion detection and prevention systems
• Wireless network protection
• Scanning and analysis tools
• Cryptography