IA Summer School – Practice

Willis Marti
June 2006
Agenda
• Tuesday
– Lecture
• Wednesday
– Guest plus Hands-on
• Thursday
– Hands-on
• Bibliography
Tuesday Agenda
• Ethics & Overview of ‘Practice’
• Forensics & Legal Issues
• Vulnerabilities
• Threats, Protection & Mitigation
• Incident Response
Wednesday Agenda
• Dr. Dave McIntyre, ICHS
• Lions, Tigers, Bears and Rootkits
• Encryption Tools
• Log Analysis
Thursday Agenda
• Port Scanning
• Packet Analysis
• Attack Scripts
• Intrusion Detection & Prevention
Ethics & Overview
• Ethics is a general term for what is often
described as the “science (study) of
morality”. In philosophy, ethical behavior is
that which is “good” or “right.”
• a set of moral principles or values
• Keys:
– More than one way!
– A way to judge behavior
More than One System
• Understand your environment
– Laws
– Regulation
– Custom
• Understand your users
– Globalization is real
– Backgrounds can’t be assumed
What are Ethics?
• According to the Webster Dictionary, ethics is
the system or code of morals of a particular
person, religion, group or profession.
• Ethics are subject to personal interpretation.
Two people may not view the same ethical
issue the same way.
What are Ethics? (continued)
• Ethical issues are not legal issues.
• Legal issues have documented definitions (laws)
and specific consequences if the laws are broken.
• Ethical issues are guidelines set by a specific group
of people with no real documented definitions of
what is right and what is wrong.
• Individuals can choose if they wish to follow the ethical
guideline or not.
Three Ethical Decision Theories
1. Utilitarianism Theory
– Considers the ethical issue and its relationship to individuals
– Makes a decision based on what benefits the most people
– "The greater good of the most people".
Utilitarianism Example:
An 8:00 am class has 10 students in it. Nine of those students and the Teaching Assistant (TA) all live in Friley Hall, which is on one side of campus, while one student lives in Hawthorn Court, on the other side of campus. The TA decides to move the lecture to Pearson Hall instead of Lagomarcino Hall, as Pearson is much closer to the ten individuals' dorm than to the one individual's dorm. This benefits 10 people and inconveniences one person, thus more people are benefited than not.
Three Ethical Decision Theories (cont.)
2. Pluralism Theory
– Believes there are two options in an ethical issue, right and wrong decisions
– Pluralism stresses each person has a decision-making duty, must make ethical decisions based on that duty, and never break away from the decision-making duty.
– All decisions are clear-cut, black and white
Pluralism Example:
No one should ever lie. Your best friend recently was picked up for OWI. Ten minutes before the arrest you were in the vehicle and knew your friend was intoxicated. The police have asked about your whereabouts during this time and if you could attest to your friend's intoxicated state. You have to make a decision to lie or tell the truth. You decide to tell the truth because you have a duty to always tell the truth.
Three Ethical Decision Theories (cont.)
3. Rights-based Theory
– All people have rights, and those rights must be respected
– Decisions are based on respecting individual rights
– All decisions are clear-cut, black and white
Rights-based Example:
You are a network administrator with access to many email
accounts. The temptation to read personal email is strong.
However, you know you should never read a person’s email
because it violates a person’s rights to privacy, and resist the
temptation.
Ethical Issues Related to Computers
• Fraud
• Privacy
• Program Ownership
Academic Controversy Questions
• What is the ethical question in this scenario?
• What is the individual’s questionable behavior?
• What different views could there be concerning
this ethical question?
• Justify why the person's actions are right or wrong
• What do you think the right thing is to do? What
would you do in this situation?
• What can be done to eliminate the ethical question?
Novice Academic Controversy #1
Josh is an employee at HOW Programs, a programming company
that specializes in writing customized software for large corporations.
Josh's boss, Jo Ann, asked him to write a program enabling ABC
Wood Company to analyze their sales and predict what supplies the
company should stock up on to maintain a proper inventory.
After sitting down with the ABC Wood Company representatives to
get an idea of what they wanted for the program, Josh realized there
were commercial software packages that would do bits and pieces of
what he wanted to write in his program.
Josh felt he could take a few shortcuts, thus getting the program to
ABC sooner if he took the program already written and incorporated it
into his program code.
By completing such a large project a few days earlier, Josh
received a bonus and promotions.
Were Josh's actions ethical?
Novice Academic Controversy #2
Three years later, Caroline began working at HOW Programs.
She was given a project that required her to write a program
that would evaluate inventory and determine the rate of production
needed so that inventory would not get too high or too low.
After doing some research on the project, Caroline found a
program Josh wrote for the ABC Wood Company.
Caroline realized Josh's project was similar. She decided that
a combination of the same basic ideas behind Josh's program and
some new program code would work well in her program.
Caroline used pieces of Josh's program as she wrote the
remainder of the program. Caroline received a bonus and a
promotion because of the program.
Were Caroline's actions ethical?
Bottom Line
• There are standards.
• There are punishments (sanctions).
• It’s not how the user views the
ethics/legality of a situation, it’s how your
environment views it.
Forensics & Legal Issues
(Computer) Forensics is the use of specialized
techniques for recovery, authentication, and
analysis of electronic data when a case
involves issues relating to reconstruction of
computer usage, examination of residual
data, authentication of data by technical
analysis or explanation of technical features
of data and computer usage.
Forensic Subjects
• Computer Crime
• Basic Forensic
• A Few Technology Issues
• Legal Challenges
• Search and Seizure of Computers
• Collection of Evidence from a “Live” System
• Forensic Imaging and Verification
• Data Recovery and Analysis
• Encryption
• Real World
Computer Crime
• What is a computer crime?
• Types of evidence
• Why collect evidence
• The rules of evidence (next slide!)
• Locard’s Exchange Principle
• Why is computer forensics necessary?
• Computer Forensics as part of an Incident Response Plan
Differing Standards
• Criminal: 95%+
• Civil: 51%
• Administrative: 25% ?
• Sysadmin: ???
Basic Forensics
• The forensics objective
• The principles of evidential integrity and
continuity
• Chain of Custody
• Computer Forensics Methodology
• General Evidence Processing Guidelines
and Procedures
A Few Technology Issues
• Types of storage
• Hard disks
• Review of disk geometry
• Tables and file structure
• Sectors and clusters
• File storage
• Unallocated File Space
• Spool, Temporary, and Swap Files
• Floppy disks
• Allocated vs. Unallocated space
• Deleted files, File Slack
• Computer memory and RAM Slack
• BIOS control
• Device drivers
• Initialization files
• The Boot sequence
• General overview of Networks
Search and Seizure of Computers
• Preparing a Forensic Checklist
• To seize or not to seize
• How to handle a “live” computer
• Understanding the boot sequence for forensic control
• What to seize and where to look
• Photographing and recording equipment layout
• Bagging, tagging and removing equipment
• Storage of seized equipment
Collection of Evidence from a “Live” System
• Build Forensic Response Toolkit
• Trusted Source Files
• Built-in Operating System Utilities
• Specialized Windows tools
• Analysis of Data
• Log Analysis and Correlation
• File Access Times
• Abnormal Processes
• Reviewing Relevant Files
• Unusual or Hidden Files
Data Recovery and Analysis
• Overview of analysis software
• Demonstration of analysis techniques
• Keyword searching
• Graphic searching
• Producing, viewing, and sorting file listings
• Extracting files
• Undeleting files
• Investigating floppy disks
• Use the Forensics Toolkit
Vulnerabilities
• People are our biggest vulnerability.
• People are unavoidable.
Unwarranted Trust
– Address spoofing
– Viruses & worms
– Denial of service attacks
– Packet sniffing
– Password cracking
Everything’s Vulnerable
– Design Vulnerabilities
– Implementation Vulnerabilities
– Configuration Vulnerabilities
– Resource Vulnerabilities
– User Vulnerabilities
– Business Process Vulnerabilities
Why Vulnerabilities
• Engineers assume things should work.
• Rarely does anyone consider deliberate
deception.
• Programs and people that lie can gain
advantage.
Vulnerability Management
• Process to identify and remediate vulnerabilities in
the enterprise to reduce risk posture
• Processes
– Asset Classification
– Incident, Vulnerability & Threat Handling
• Incident Categorization, Assessment, Response
• Vulnerability & Threat Identification and Response
– Enterprise Remediation
• Threat/Vulnerability Prioritization, Accountability, etc.
• Remediation Tracking
– Metrics
Security Program Value
How to Manage Security (layers, top to bottom):
• Metrics
• Security Processes: Threat, Vuln, IAM, NAC
• Security Staff: Expertise, Experience
• Security Infrastructure: Assess, Plan, Implement
Active Management
• “Discovery Scans”
– Frequent Scans to Baseline and Discover Assets
– Identify & Classify Assets and Enforce Policies
• Conduct Vulnerability Scans on Critical Assets
– Automated Recurring Scans
– Shift from Quarterly or Yearly Consultative Scans
• Aggregate, Prioritize and Assign Accountability
• Workflow System to Track Remediation Effort
• Result = Awareness of Critical Assets Exposure
CVE
• http://www.cve.mitre.org/
Threats, Protection & Mitigation
Defining Network Security
Security is prevention of unwanted information transfer
• What are the components?
– Physical Security
– Operational Security
– Human Factors
– Protocols
Areas for Protection
• Privacy
• Data Integrity
• Authentication/Access Control
• Denial of Service
Security: Threat, Value and Cost Tradeoffs
• Identify the Threats
• Set a Value on Information
• Add up the Costs (to secure)
Cost < Value × Threat × Likelihood
Threats
• Hackers/Crackers (“Joyriders”)
• Criminals (Thieves)
• Rogue Programs (Viruses, Worms)
• Internal Personnel
• System Failures
Network Threats
• IP Address spoofing attacks
• TCP SYN Flood attacks
• Random port scanning of internal systems
• Snooping of network traffic
• Buffer overrun attacks
Network Threats (cont.)
• Backdoor command attacks
• Information leakage attacks via finger, echo,
ping, and traceroute commands
• Attacks via download of Java and ActiveX
scripts
• TCP Protocol Attacks
Threat, Value and Cost Tradeoffs
• Operations Security
• Host Security
• Firewalls
• Cryptography: Encryption/Authentication
• Monitoring/Audit Trails
Host Security
• Security versus Performance &
Functionality
• Unix/Linux, Microsoft Windows, MVS, etc
• Desktops vs Servers
• “Security Through Obscurity” :-(
Host Security (cont)
• Programs
• Configuration
• Regression Testing
Network Security
• Traffic Control
• Not a replacement for Host-based
mechanisms
• Firewalls and Monitoring, Encryption
• Choke Points & Performance
• IDS/IPS
– NetSQUID
Access Control
• Host-based:
– Passwords, etc.
– Directory Rights
– Access Control Lists
– Superusers :-(
• Network-based:
– Address Based
– Filters
– Encryption
– Path Selection
Network Security and Privacy
• Protecting data from being read by unauthorized persons.
• Preventing unauthorized persons from inserting and
deleting messages.
• Verifying the sender of each message.
• Allowing electronic signatures on documents.
Firewalls
• Prevent against (many) attacks
• Access Control
• Authentication
• Logging
• Notifications
Types of Firewalls
• Packet Filters
– Network Layer
• Stateful Packet Filters
– Network Level
• Circuit-Level Gateways
– Session Level
• Application Gateways
– Application Level
(Diagram: OSI stack, Application, Presentation, Session, Transport, Network, Data Link, Physical)
Packet Level
• Sometimes part of router
• TAMU “Drawbridge”
(Diagram: Campus, Drawbridge, Router, ROTW)
Circuit Level
• Dedicated Host
• Socket Interfaces
(Diagram: Local, FW, ROTW)
Application Level
• Needs a dedicated host
• Special Software most everywhere
(Diagram: telnet, Firewall, ROTW)
Firewall Installation Issues
(Diagram: Router between the INTERNET and the FTP, DNS, Web and Mail servers)
Firewall Installation Issues
• DNS Problems
• Web Server
• FTP Server
• Mail Server
• Mobile Users
• Performance
• Need to make some addresses visible to
external hosts.
• Firewall lets external hosts connect as if
firewall was not there.
• Firewall still performs authentication
Gateway
Internet
10.0.0.0
128.194.103.0
Network Address Translation
Firewall
Network Address Translation
(Diagram: Host A (internal host) running ftp, a Gateway Host running gw control and proxy ftp, and Host B (external host) running ftpd; each host has a TCP / IP / Data Link / Hardware stack. The datagram on the internal side is labelled "A GW Datagram", the one on the external side "A B Datagram".)
Virtual Private Networks
(Diagram: a message "Hello" is encapsulated, authenticated and encrypted into ciphertext ("!@@%*"), crosses the INTERNET, and is then decapsulated, authenticated and decrypted back to "Hello". This creates a “Virtual Private Network”.)
VPN Secure Tunnels
• Different types of Tunnels supported
• Encryption
• Secret key used for authentication and encryption
• Trusted hosts are allowed to use the tunnel on both ends
Summary
• Security must be comprehensive to be
effective.
• Remember threat, value, cost when
implementing a system.
• Security is achievable, but never 100%.
• Make your system fault tolerant.
NIST Security Mandates
• Develop standards and guidelines for the Federal
government
• Improve the overall security of IT products and
services
• Make the national infrastructures more secure
NIST Security Guidelines
• 800-27, Engineering Principles for IT Security
• 800-28, Mobile Code and Active Content
• 800-29, A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2
• 800-30, Risk Management Guide for Information Technology Systems
• 800-31, Intrusion Detection Systems
• 800-32, Intro to Public Key Technology and Federal PKI Infrastructure
• 800-33, Underlying Technical Models for Information Technology Security
• 800-34, Contingency Planning Guide for Information Technology Systems
• 800-38A, Recommendation for Block Cipher Modes of Operation - Methods and Techniques
• 800-41, Guidelines on Firewalls and Firewall Policy
• 800-44, Guidelines on Securing Public Web Servers
• 800-45, Guidelines on Electronic Mail Security
• 800-46, Security for Telecommuting and Broadband Communications
• 800-47, Security Guide for Interconnecting Information Technology Systems
• 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
Available at http://csrc.nist.gov/publications/nistpubs/index.html
NIST Security Guidelines in Draft (Available now)
• 800-37, Guidelines for the Security Certification and Accreditation (C&A) of
Federal Information Technology Systems
• 800-55, Security Metrics Guide for Information Technology Systems
• 800-38B, Recommendation for Block Cipher Modes of Operation: the RMAC
Authentication Mode
• 800-36, Guide to Selecting IT Security Products
• 800-35, Guide to IT Security Services
• 800-4A, Security Considerations in Federal Information Technology
Procurements
• 800-48, Wireless Network Security: 802.11, Bluetooth, and Handheld Devices
• 800-50, Building an Information Technology Security Awareness and Training
Program
• 800-43, System Administration Guidance for Windows 2000 Professional
• Draft 800-42, Guideline on Network Security Testing
Available at http://csrc.nist.gov/publications/drafts.html
Incident Response
• Provide an effective and efficient means of dealing
with the situation in a manner that reduces the
potential impact to the organization.
• Provide management with sufficient information
in order to decide on an appropriate course of
action.
• Maintain or restore business continuity.
• Defend against future attacks.
• Deter attacks through investigation and
prosecution.
Incident Response – Why is it Critical?
• Resolve the problem
– Find out what happened
– How it happened
– Who did it
• Create a record of the incident for later use
• Create a record to observe trends
• Create a record to improve processes
• Avoid confusion
Elements of Incident Response
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Follow-up
Preparation
Without adequate preparation, it is extremely
likely that response efforts to an incident will
be disorganized and that there will be
considerable confusion among personnel.
Preparation limits the potential for damage by
ensuring response actions are known and
coordinated.
Identification
The process of determining whether or not an
incident has occurred and the nature of an
incident. Identification may occur through
the use of automated network intrusion
equipment or by a user or SA.
Identification is a difficult process. Noticing
the symptoms of an incident is often
difficult. There are many false positives.
However, noticing an anomaly should drive
the observer to investigate further.
Who can identify an Incident
• Users – My system is slow, my mail is
missing, my files have changed
• System support personnel – servers locked up, files missing, accounts added/deleted, weird stuff happening, anomalies in the logs
• Intrusion Detection Systems and Firewalls –
Automatically ID violations to policies
Possible Incident Classifications
• Unauthorized Privileged (root) Access – Access
gained to a system and the use of root privileges
without authorization.
• Unauthorized Limited (user) Access – Access gained
to a system and the use of user privileges without
authorization.
• Unauthorized Unsuccessful Attempted Access –
Repeated attempt to gain access as root or user on the
same host, service, or system with a certain number of
connections from the same source.
Possible Incident Classifications
(cont.)
• Unauthorized Probe – Any attempt to gather information
about a system or user on-line by scanning a site and
accessing ports through operating system vulnerabilities.
• Poor Security Practices – Bad passwords, direct
privileged logins, etc, which are collected from network
monitor systems.
• Denial of Service (DOS) Attacks – Any action that
preempts or degrades performance of a system or
network affecting the mission, business, or function of
an organization.
Possible Incident Classifications (cont.)
• Malicious Logic – Self-replicating software that
is viral in nature; is disseminated by attaching to
or mimicking authorized computer system files;
or acts as a trojan horse, worm, malicious
scripting, or a logic bomb. Usually hidden and
some may replicate. Effects can range from
simple monitoring of traffic to complicated
automated backdoor with full system rights.
Possible Incident Classifications (cont.)
• Hardware/Software Failure – Non-malicious
failure of HW or SW assets.
• Infrastructure Failure – Non-malicious failure of
supporting infrastructure to include power failure,
natural disasters, forced evacuation, and service
providers failure to deliver services.
• Unauthorized Utilization of Services – This can
include game play, relaying mail without approval,
creating dial-up access, use organizational
equipment for personal gain, and personal servers
on the network.
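Two of the classifications above describe patterns that can be checked directly against logs: repeated failed access from one source to one host or service, and one source touching many ports on a host. The following is an added example (not from the course materials) that applies those two rules to constructed, syslog-style lines; the log format, host names, addresses and thresholds are all assumptions made for the illustration.

```python
# Added example: classify constructed log events into two of the incident
# categories listed above ("Unauthorized Unsuccessful Attempted Access" and
# "Unauthorized Probe"). Log format, hosts, addresses and thresholds are
# assumptions for this illustration, not the course's own tooling.
from collections import defaultdict
import re

# Constructed sample log (assumed format): <time> <host> <service>: <event> from <src>
SAMPLE_LOG = """\
10:00:01 db1 sshd: failed password for root from 203.0.113.9
10:00:03 db1 sshd: failed password for root from 203.0.113.9
10:00:05 db1 sshd: failed password for root from 203.0.113.9
10:00:07 db1 sshd: failed password for root from 203.0.113.9
10:00:09 db1 sshd: failed password for root from 203.0.113.9
10:00:10 web1 sshd: failed password for alice from 198.51.100.4
10:00:12 web1 sshd: accepted password for alice from 198.51.100.4
10:01:00 web1 kernel: connection attempt to port 21 from 192.0.2.77
10:01:00 web1 kernel: connection attempt to port 22 from 192.0.2.77
10:01:01 web1 kernel: connection attempt to port 23 from 192.0.2.77
10:01:01 web1 kernel: connection attempt to port 25 from 192.0.2.77
10:01:02 web1 kernel: connection attempt to port 53 from 192.0.2.77
10:01:02 web1 kernel: connection attempt to port 80 from 192.0.2.77
"""

FAILED_RE = re.compile(r"^(\S+) (\S+) (\S+): failed password for (\S+) from (\S+)$")
PROBE_RE = re.compile(r"^(\S+) (\S+) \S+: connection attempt to port (\d+) from (\S+)$")

FAILED_LOGIN_THRESHOLD = 5   # assumed "certain number of connections" from one source
PROBE_PORT_THRESHOLD = 5     # assumed number of distinct ports that counts as a scan


def classify(log_text, fail_limit=FAILED_LOGIN_THRESHOLD, port_limit=PROBE_PORT_THRESHOLD):
    """Return a list of (category, source, host, detail) findings for the log text."""
    failures = defaultdict(int)   # (src, host, service) -> failed-login count
    ports = defaultdict(set)      # (src, host) -> distinct ports touched
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            _time, host, service, _user, src = m.groups()
            failures[(src, host, service)] += 1
            continue
        m = PROBE_RE.match(line)
        if m:
            _time, host, port, src = m.groups()
            ports[(src, host)].add(int(port))
    findings = []
    # Same source, same host and service, repeated failures: attempted access.
    for (src, host, service), n in failures.items():
        if n >= fail_limit:
            findings.append(("Unauthorized Unsuccessful Attempted Access", src, host,
                             f"{n} failures against {service}"))
    # Same source sweeping many ports on one host: a probe.
    for (src, host), touched in ports.items():
        if len(touched) >= port_limit:
            findings.append(("Unauthorized Probe", src, host,
                             f"{len(touched)} distinct ports"))
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG):
        print(finding)
```

The single failure followed by an accepted login for alice stays below the threshold and produces no finding, which is the false-positive case the Identification slides warn about.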
Containment
The process of limiting the scope and magnitude of
an incident.
As soon as it is recognized that an incident has
occurred or is occurring, steps should
immediately be taken to contain the incident.
Containment - Example
• Incidents involving malicious code are common, and since malicious code incidents can spread rapidly, massive destruction and compromise of information is possible.
• It is not uncommon to find every workstation connected to a LAN infected when there is a virus outbreak.
– Internet Worm of 1988 attacked 6,000 computers in the U.S. in one day.
– LoveBug Virus affected over 10 million computers with damage estimated between $2.5B-$10B US
– Kournikova worm: effects still being analyzed
Eradication
• The process of removing the cause of the incident.
– For a virus, anti-virus software is best
– For a network attack, may involve blocking/filtering the IP address at the router/firewall
– Ideally, but difficult: best eradicated by bringing the perpetrators into legal custody and convicting them in a court of law.
Recovery
• The process of restoring a system to its normal operating status
– Unsuccessful incidents: assure system operation and data were not affected
– Complex and/or successful incidents: may require complete restoration from known clean system backups. Essential to assure the backups' integrity and to verify the restore operation was successful
Follow-Up
• Critical
• Helps to improve incident handling procedures
• Address efforts to prosecute perpetrators
• Activities Include:
– Analyze the Incident and the Response
– Analyze the Cost of the Incident
– Prepare a Report
– Revise Policies and Procedures
Bibliography
• Materials provided electronically
– NPS CISR class notes for CS3600
– Security White Paper {old}