Chapter 9
Hardware and software controls

Overview
- Password management
- Access control lists (ACLs)
- Firewalls and their capabilities
- Intrusion detection/prevention systems
- Patching operating systems and applications
- End point protection
- Information security control best practices
Background
- Best known controls
  - Used in almost every computer
- Not a comprehensive list of controls
  - In your career you will meet many other controls
    - E.g. application-specific controls
- Introduces the basics underlying information security controls
  - Helps evaluate the merits of other controls
Passwords
- Definitions
  - Identification
    - Presentation of a user identity to the system
    - Typically by a username
  - Authentication
    - Establishing confidence in the validity of a claimed identity
    - Typically using a password
      - Secret series of characters known only to the owner
- Design goals of passwords
  - Simple enough for average users
  - Secure enough for most applications
Password types
- Personal identification number (PIN)
  - Short (4-6 digits), numerical password
  - Useful when
    - Small keypads are necessary, e.g. ATM machines, or
    - Regular passwords could potentially create human safety problems
      - E.g. airport fire suppression systems
  - Relatively insecure
    - Short and can be easily guessed
    - Only provide limited security
      - Generally assumes the existence of other security mechanisms
        - E.g. daily withdrawal limits and security cameras at ATMs
        - Physical security at airports
Password types – contd.
- Passphrase
  - Sequence of words that serves as a password
    - E.g. Wow!!!thisis#1clasatschooL
  - Motivation
    - Human brain can only retain up to about 7 chunks of information in short-term memory
    - But each chunk can be fairly large
    - So, passphrases can be longer than passwords
      - But easier to remember than an arbitrary sequence of characters
  - However, a long passphrase is not necessarily safer
    - Simple passphrases such as “thisisthe#1classatschool” can be predictable and easily guessed by attackers
    - Compared to passwords such as “TiT#`CaS.”
Password management
- So far, you have been a user of passwords
  - In the profession, you are on the other side
    - Making it all work
- In particular
  - Information security of passwords in your custody
  - Accomplished through password management
    - Process of defining, implementing, and maintaining password policies throughout an enterprise
    - Reduces the likelihood that systems using passwords will be compromised
- NIST Special Publication 800-118
  - Guide to enterprise password management
Password management – contd.
- Information security concerns
  - CIA triad re-introduced
    - Organizations need to protect the confidentiality, integrity, and availability of passwords
- Asset management terminology
  - Passwords are restricted and essential information assets
    - Loss of confidentiality or integrity can give intruders improper access to information
      - Hence, passwords are restricted assets
    - Non-availability of a password can make the underlying protected resource unavailable
      - Hence, passwords are essential
Password management – contd.
- National Institute of Standards and Technology (NIST)
  - Guidelines for minimum recommendations regarding password management
    - Basis for the discussion here
  - Specific organizations may have more stringent password management requirements
    - E.g. banks, hospitals
      - May impose additional requirements
        - Including requiring mechanisms other than passwords for authentication
Password management – contd.
- For optimal (minimal) investment
  - Begin with recognition of the threats which can compromise passwords
  - Take actions to minimize the likelihood of these compromises
- NIST recognizes 4 threats to passwords
  - Password capturing
  - Password guessing and cracking
  - Password replacing
  - Using compromised passwords
Password threats
1. Password capturing
   - Ability of an attacker to acquire a password from storage, transmission, or user knowledge and behavior
     - Improper storage
     - Unencrypted transmission
2. Password guessing
   - An intruder makes repeated attempts to authenticate using possible passwords such as default passwords and dictionary words
   - Password cracking
     - Process of generating a character string that matches any existing password string on the targeted system
     - Requires unrestricted access to encrypted versions of saved passwords
Password threats – contd.
3. Password replacing
   - Substitution of the user’s existing password with a password known to the attacker
   - Generally happens using various social engineering techniques
     - Exploiting weaknesses in the system’s password reset policies
4. Using compromised passwords
   - Passwords on the system known to unauthorized users
     - May be exploited to launch other social engineering attacks, change file permissions on sensitive files
   - If the compromised password is that of a privileged user
     - E.g. an IT administrator
     - Attacker may even be able to modify applications and systems for later exploitation
       - E.g. create a privileged account for himself (most attackers are indeed men!)
Password management recommendations
- Implemented as a password policy
  - Set of rules for using passwords
    - For users
      - What kinds of passwords are allowed
        - E.g. length and complexity rules for passwords
    - For administrators
      - How passwords may be stored, transmitted, issued to new users and reset as necessary
        - E.g. account for any industry-specific regulations
Password management – contd.
- Dealing with password guessing and cracking
  - Passwords must be made sufficiently complex
    - Minimizes opportunities for hackers to guess a password
  - Accounts must be locked after many successive failed login attempts
  - Pay attention to password storage
    - Access to files and databases used to store passwords should be tightly restricted
    - Save password hashes, not passwords
  - Encrypt all password exchange
  - Strictly verify the identity of all users who attempt to recover forgotten passwords or reset passwords
  - Educate all users about password stealing attempts through phishing attacks, shoulder surfing, and other methods
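The two storage and lockout recommendations above, as an added example that is not part of the slides: passwords are kept only as a per-user salt plus a PBKDF2 hash, and an account is locked once successive failures reach a threshold. The threshold, iteration count and in-memory store are assumptions made for the example, not values from NIST SP 800-118.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed policy values for this example; NIST SP 800-118 does not fix them.
MAX_FAILED_ATTEMPTS = 5
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A random per-user salt defeats precomputed hash tables."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PasswordStore:
    """Keeps only salt + hash + lockout state per user, never the password itself."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}

    def add_user(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self._records[username] = {"salt": salt, "hash": digest, "failures": 0, "locked": False}

    def authenticate(self, username: str, password: str) -> str:
        """Return 'ok', 'bad' or 'locked'. Successive failures are counted and the
        account is locked once they reach MAX_FAILED_ATTEMPTS."""
        rec = self._records.get(username)
        if rec is None:
            hash_password(password, b"\x00" * 16)  # same cost for unknown names
            return "bad"
        if rec["locked"]:
            return "locked"
        _, candidate = hash_password(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0  # a success resets the counter
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["locked"] = True
            return "locked"
        return "bad"

    def is_locked(self, username: str) -> bool:
        return self._records[username]["locked"]

    def stores_plaintext(self, username: str, password: str) -> bool:
        """Sanity check that the stored record does not contain the password bytes."""
        rec = self._records[username]
        return password.encode("utf-8") in rec["salt"] + rec["hash"]


def demo() -> list:
    """Five wrong guesses lock the account; afterwards even the right password is refused."""
    store = PasswordStore()
    store.add_user("alice", "Wow!!!thisis#1clasatschooL")  # passphrase from the slides
    results = [store.authenticate("alice", "guess") for _ in range(MAX_FAILED_ATTEMPTS)]
    results.append(store.authenticate("alice", "Wow!!!thisis#1clasatschooL"))
    return results
```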
Password management – contd.
- Password expiration
  - Duration for which a password may be used without change
  - Reduces the likelihood that a compromised password can be used productively
    - Often, password collection and password usage are separate operations
      - Creates a delay before the compromised password is used
    - Password compromise may not be very damaging
      - If the password is changed before the attacker attempts to use it
- Problems
  - Particularly in the absence of password synchronization or SSO
    - Users forget passwords
      - Costly IT support to recover forgotten passwords
- Hence
  - Use judiciously
    - Longest possible durations
Password limitations and alternatives
- Users often forget passwords
  - Help desks to respond to user requests
    - Expensive
  - Password reset mechanisms
    - Challenge questions may not be strong enough
    - Relatively simple social engineering attacks such as phishing can exploit reset mechanisms
- Hence, considerable interest in developing alternatives
  - Not trivial
    - Users know how to use passwords
    - Limited data available on actual losses suffered by organizations due to password theft
      - Why fix what is not broken
- Proposals for alternatives
  - Passfaces
    - User pre-selects a set of human faces and, during a login attempt, selects a face from this set among those presented
  - Draw-a-secret
    - Users draw a continuous line across a grid of squares
Access control
- Limiting access to information system resources only to authorized users, programs, processes, or other systems
  - E.g. locks
- Access control models
  - Descriptions of the availability of resources in a system
  - Properties of access control models
    - Representation of access control in computer security
    - Represent protection needs of any resource at varying levels of granularity
    - Without unreasonable computational burden on the operating system
- Popular access control models
  - Access control lists (ACLs)
  - Role-based access control (RBAC)
Access control lists (ACLs)
- List of permissions attached to specified objects
  - Use simple syntax to specify
    - Subjects
    - Objects
    - Allowed operations
- E.g.
  - Network connection
    - ACL: (131.247.93.68, ANY, block)
      - Subject: host 131.247.93.68
      - Object: ANY resource on the network
      - Operation: block from passing through the network connection
- Operating system checks all incoming resource requests
  - Any ACL entry may prohibit access to the resource
Access control lists (ACLs) – contd.
- Common use
  1. Files
     - Specify rights for users or groups to files and executables
       - E.g. chmod command
  2. Network connections
     - Specify port numbers and network addresses that may be accessed
     - Common way to implement firewalls
- Default ACLs
  - Present in most modern operating systems
    - See the System Administration chapter
  - Provide reasonable levels of security for the average user
- Properties
  - Some of the simplest controls to implement
  - Basis for many other security controls
    - E.g. prevent over-writing of passwords
Access matrix
- Simple representation of ACLs
  - Subjects attempt operations on objects
  - Operations permitted if allowed by ACL
  - Cells show permissions for subject on object
    - ACL for user on corresponding object
- E.g. File 1
  - Subject John is owner
    - Has read and write permissions on file
    - Can assign any permission to any user on file
  - Subject Bob
    - Given read permission
  - Subject Alice
    - Given execute permission

  Subjects | File 1           | File 2                    | Host 1
  John     | Own, Read, Write | Read                      | Block
  Bob      | Read             | Read                      | Block
  Alice    | Execute          | Own, Read, Write, Execute | Allow
ACL limitations
- Limited scalability
  - To modify permissions for a specific user
    - Permissions for that user must be modified individually on all objects to which the user has access
- Not possible to assign permissions based on user responsibilities
  - When a user changes roles
    - Role-appropriate permissions for the user must be modified individually on all applicable objects
Role-based access control (RBAC)
- Assign permissions to user roles rather than to individual users
  - Roles are created for job functions
  - Users are assigned roles based on responsibilities
  - Access permissions defined for roles
- Separation between users and access controls
  - As users evolve within the organization
    - Roles can be assigned
    - Access permissions are automatically updated
- RBAC reduces cost and administrative effort, compared to ACLs
  - But tool support evolving
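The access matrix, the ACL scalability limitation and the RBAC alternative from the last three slides, as one added example that is not part of the slides. The File 1 and Host 1 entries and the subject names follow the slides; the role names are made up for the example, and only the owner of an object may grant permissions on it, as the File 1 slide states.

```python
from collections import defaultdict

# ACL view: each object carries a map subject -> permitted operations (from the slide).
acl = {
    "File 1": {"John": {"own", "read", "write"}, "Bob": {"read"}, "Alice": {"execute"}},
    "Host 1": {"John": {"block"}, "Bob": {"block"}, "Alice": {"allow"}},
}


def acl_permits(acl, subject, obj, operation):
    """An operation is permitted only if an ACL entry on the object grants it."""
    return operation in acl.get(obj, {}).get(subject, set())


def acl_grant(acl, granter, obj, subject, operation):
    """Only the owner of an object may hand out permissions on it. Returns True on success."""
    if "own" not in acl.get(obj, {}).get(granter, set()):
        return False
    acl.setdefault(obj, {}).setdefault(subject, set()).add(operation)
    return True


def acl_objects_to_edit(acl, subject):
    """ACL limitation: changing one user's rights means touching every object they appear on."""
    return [obj for obj, entries in acl.items() if subject in entries]


# RBAC view: permissions attach to roles; users map to roles (role names are constructed).
role_permissions = {
    "file1-owner": {("File 1", "own"), ("File 1", "read"), ("File 1", "write")},
    "file1-reader": {("File 1", "read")},
    "file1-runner": {("File 1", "execute")},
    "host1-user": {("Host 1", "allow")},
}
user_roles = defaultdict(set, {
    "John": {"file1-owner"},
    "Bob": {"file1-reader"},
    "Alice": {"file1-runner", "host1-user"},
})


def rbac_permits(subject, obj, operation):
    """Permitted if any of the subject's roles carries (object, operation)."""
    return any((obj, operation) in role_permissions[r] for r in user_roles[subject])


def change_role(subject, old_role, new_role):
    """One edit to the user-role mapping; every object the role covers follows automatically."""
    user_roles[subject].discard(old_role)
    user_roles[subject].add(new_role)
```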
Firewalls
- Hardware or software that prevent the dangers originating on one network from spreading to another network
- Allow one network to connect to another network while maintaining some amount of protection
  - E.g. door to a home or office
    - Allows residents to get out of the house
    - Blocks rain and sleet from entering the home
    - Maintains some degree of confidentiality
- Serve multiple purposes
  - Restricting entry and exit from the network to carefully specified locations
  - Limiting incoming Internet traffic to specific applications running on specific devices
  - Blocking outgoing traffic from hosts suspected to have been compromised
Firewalls – contd.
- Constraints
  - Not generally intended to defend against specialized attacks
    - E.g. doors of a retail store are not designed to detect shoppers with explosives, or shoplifters
    - Where necessary (e.g. at airports)
      - Left to more specialized controls, e.g.
        - Human inspectors
        - Anti-theft technologies
- Benefits
  - Very effective and relatively inexpensive first line of defense
  - Defend against a large number of common nuisances
Firewall arrangement
- Figure shows the typical arrangement (figure: Internet, firewall, local network)
  - Intercept all traffic between the Internet and the organization’s network
  - Implement the organization’s traffic rules
Firewall rules
- Specified using ACL syntax, e.g.

    pass in quick from 192.168.1.0/24 to 192.168.10.50
    pass out quick from 192.168.10.50 to 192.168.1.0/24
    pass in log quick from any to any port = 22
    pass out log quick from any port = 22 to any
    block in all
    block out all
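An added example (not from the slides) that parses the rule set above and decides the fate of constructed packets. The semantics assumed are those of the pf syntax the rules resemble: rules are read in order, the last matching rule wins, except that a matching quick rule ends the search immediately; with no match at all the packet is blocked.

```python
import ipaddress
import re

# The rule set from the slide, verbatim.
RULES = """
pass in quick from 192.168.1.0/24 to 192.168.10.50
pass out quick from 192.168.10.50 to 192.168.1.0/24
pass in log quick from any to any port = 22
pass out log quick from any port = 22 to any
block in all
block out all
""".strip().splitlines()

RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?P<log>\s+log)?(?P<quick>\s+quick)?\s+"
    r"(?:all|from\s+(?P<src>\S+)(?:\s+port\s*=\s*(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\d+))?)$"
)


def parse_rule(text):
    """Turn one rule line into a dict; 'all' becomes any-to-any."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable rule: {text!r}")
    g = m.groupdict()
    return {"action": g["action"], "dir": g["dir"], "log": bool(g["log"]),
            "quick": bool(g["quick"]), "src": g["src"] or "any", "dst": g["dst"] or "any",
            "sport": int(g["sport"]) if g["sport"] else None,
            "dport": int(g["dport"]) if g["dport"] else None}


def addr_matches(spec, addr):
    """'any', a single host, or a CIDR prefix."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    return (rule["dir"] == pkt["dir"]
            and addr_matches(rule["src"], pkt["src"])
            and addr_matches(rule["dst"], pkt["dst"])
            and (rule["sport"] is None or rule["sport"] == pkt["sport"])
            and (rule["dport"] is None or rule["dport"] == pkt["dport"]))


def evaluate(rules, pkt):
    """Return (action, logged): last match wins unless a matching rule is 'quick'."""
    decision = ("block", False)  # default when nothing matches
    for rule in rules:
        if rule_matches(rule, pkt):
            decision = (rule["action"], rule["log"])
            if rule["quick"]:
                break
    return decision


def packet(direction, src, dst, sport, dport):
    """Constructed packet header with just the fields the rules look at."""
    return {"dir": direction, "src": src, "dst": dst, "sport": sport, "dport": dport}


RULESET = [parse_rule(line) for line in RULES]
```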
Firewall limitations
- Defenseless against insiders and unregulated traffic
  - Protect against attacks originating outside the network
  - Traffic inside the organization does not cross the firewall
    - Compromised computer can steal data from other computers
- Defenseless against user practices
  - Flash storage devices
- Defenseless against encrypted traffic
  - Cannot be inspected
    - E.g. SSL traffic
- Configuration
  - Poorly configured firewall
    - Only provides an illusion of security
Firewall types
1. Packet filtering firewalls
   - Examine protocol header fields to determine entry, e.g.
     - Source and destination IP addresses
     - Destination port address
     - TCP flags
   - Example usage
     - Block incoming packets from an ISP with a history of sending spam
       - Host or ISP identified by the source IP address field
2. Deep packet inspection firewalls
   - Examine packet data, in addition to protocol headers
     - Compare against a database of known malicious payloads
       - Identify payloads that attempt to launch buffer overflow or other attacks
Typical firewall organization
- Typical deployment involves
  - Perimeter firewall
    - Lies between the external network and the organization
    - Allows hosts outside the organization to access public-facing services
      - E.g. web, email and DNS
  - De-militarized zone (DMZ)
    - Network between the external network and the organization’s internal network
    - Hosts external services such as http, smtp and DNS
  - Interior firewall
    - Limits access to the organization’s internal network
      - Specific applications for requests originating from specific hosts
        - E.g. student learning system and records database
  - Militarized zone
    - Location of all the organization’s information assets

Typical firewall organization – contd.
- Figure: Internet, perimeter firewall, DMZ (email, DNS, www), interior firewall, internal network
Basic firewall recommendations
- Allow users access to the following services on the Internet
  - Web (ports 80, 443) to specified hosts running web servers
  - Email (ports 25, 465, 585, 993, 995) to specified hosts running email
  - DNS (port 53) to specified hosts running the DNS service
  - Remote desktop connections (port 3389)
  - SSH (port 22) to specific UNIX hosts
- General rules of thumb
  - Allow “secure” services
    - Encrypt transactions
    - SSH (for UNIX connections) and Remote Desktop (for Windows clients)
  - Allow access to “safe” services on designated hosts
    - E.g. email and the web
    - In popular use, hence regularly updated
  - Block legacy, unmaintained services
    - Telnet and FTP
Intrusion detection/prevention systems
- Intrusion detection systems (IDS)
  - Monitor IT systems for malicious activity or violations of usage policies
  - Two types
    - Network-based
      - Monitor network traffic and application protocol activity to identify suspicious connections
      - Usually included in routers and firewalls
    - Host-based
      - Software applications on individual hosts
      - Monitor local activity such as file access and system calls for suspicious behavior
  - Most enterprises employ multiple IDSs, each with its own set of rules
    - Maximize the probability of detecting intrusion attempts
  - Can raise alarms about impending attacks
    - Watching for reconnaissance activity (host and port scans)
      - Often precede large-scale attacks
- Intrusion prevention systems
  - Build on IDS and attempt to stop potential intrusions
Detection methods
- How do IDS/IPS detect intrusions?
  - Three methods
    - Signatures
      - Sequence of bytes that is known to be a part of malicious software
    - Anomalies
      - Deviations between observed events and defined activity patterns
    - Protocol states
      - Compare observed events against defined activities for each protocol state
  - Most commercial implementations use a combination of all three
    - Maximize effectiveness
Detection methods comparison
- Signature-based
  - Very effective against simple well-known threats
  - Also computationally very efficient
    - Uses simple string comparison operations
  - Not effective against previously unknown threats, disguised threats and complex threats
    - E.g. I LOVE YOU virus with the email subject line reading “job offer for you”
  - Cannot detect attacks composed of multiple events
    - If individual events are potentially legitimate
      - E.g. cannot detect port scans
        - Every individual probe packet is a well-formed and legitimate packet
Detection methods comparison – contd.
- Anomaly-based
  - Very effective at detecting previously unknown threats, e.g.
    - Malware that sends out large volumes of spam email
    - Malware that uses the computer to break passwords
      - Computer's behavior significantly different from established profile
  - Concerns
    - Building profiles can be very challenging, e.g.
      - Computer may perform full backups on the last day of the month
        - Large volumes of network data transfer
        - If not included as part of the baseline profile, will be flagged
Detection methods comparison – contd.
- Protocol-state-based
  - Aware of allowed operations for a given protocol state, e.g.
    - Knows that a user in an unauthenticated state should only attempt a limited number of login attempts, or
    - User in an unauthenticated state should only attempt a small set of commands
  - Able to identify unexpected sequences of commands
    - E.g. issuing the same command repeatedly can indicate a brute-force attack
  - Can keep track of the user id used for each session
    - Helpful when investigating an incident
  - Can include checks for individual commands
    - E.g. monitoring lengths of arguments
      - Username with a length of 1000 characters can be considered suspicious
      - Username with non-text data is even more unusual and merits flagging
  - Limitation
    - Tracking many simultaneous sessions can be extremely resource-intensive
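The protocol-state checks just listed, as an added example that is not part of the slides: a per-session monitor over a constructed FTP-style command log that flags too many login failures while unauthenticated, commands outside the small pre-login set, the same command repeated, and oversized or non-text usernames. The log format, the thresholds and the command set are assumptions made for the example.

```python
import re

MAX_LOGIN_FAILURES = 3   # constructed threshold
MAX_USERNAME_LEN = 64    # constructed threshold
MAX_REPEAT = 5           # constructed threshold
UNAUTH_COMMANDS = {"USER", "PASS", "QUIT"}   # the only commands allowed before login
PRINTABLE = re.compile(r"^[\x20-\x7e]*$")

# Constructed session log, one "<session> <COMMAND> <argument> <ok|fail>" per line.
SAMPLE_LOG = [
    "s1 USER alice ok", "s1 PASS hunter2 ok", "s1 RETR report.pdf ok",
    "s2 USER admin ok", "s2 PASS p1 fail", "s2 PASS p2 fail",
    "s2 PASS p3 fail", "s2 PASS p4 fail",
    "s3 USER " + "A" * 1000 + " ok", "s3 RETR secret ok",
    "s4 USER \x01\x02\x03 ok",
    "s5 USER bob ok", "s5 PASS x ok",
] + ["s5 LIST / ok"] * MAX_REPEAT


class SessionState:
    """What the monitor remembers per session: who, whether logged in, failures, repeats."""

    def __init__(self):
        self.authenticated = False
        self.user = None
        self.failures = 0
        self.last_cmd = None
        self.repeat = 0


def inspect(state, command, argument, outcome):
    """Apply the protocol-state checks to one command; return a list of alert strings."""
    alerts = []
    state.repeat = state.repeat + 1 if command == state.last_cmd else 1
    state.last_cmd = command
    if command == "USER":
        state.user = argument
        if len(argument) > MAX_USERNAME_LEN:
            alerts.append(f"username of {len(argument)} chars")
        if not PRINTABLE.match(argument):
            alerts.append("non-text username")
    if not state.authenticated and command not in UNAUTH_COMMANDS:
        alerts.append(f"{command} issued before authentication")
    if command == "PASS":
        if outcome == "ok":
            state.authenticated, state.failures = True, 0
        else:
            state.failures += 1
            if state.failures >= MAX_LOGIN_FAILURES:
                alerts.append(f"{state.failures} failed logins for {state.user!r}")
    elif state.repeat >= MAX_REPEAT:
        alerts.append(f"{command} repeated {state.repeat} times")
    return alerts


def process_log(lines):
    """Return (session, alert) tuples for the whole log, keeping one state per session."""
    sessions = {}
    alerts = []
    for line in lines:
        sess, cmd, arg, outcome = line.split()
        state = sessions.setdefault(sess, SessionState())
        alerts.extend((sess, a) for a in inspect(state, cmd, arg, outcome))
    return alerts
```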
IDS/IPS limitations
- Two well-known limitations
1. Detection errors
   - Many alarms do not represent real threats
     - Called false positives
   - Many real threats are missed
     - Called false negatives
   - Reducing one generally increases the other, e.g.
     - Very sensitive IDS will detect more real attacks, but also flag many benign transactions as malicious
     - Less sensitive IDS will not raise too many false alarms, but will also miss many real attacks
   - Real attacks are very expensive
     - So organizations generally prefer false positives over false negatives
       - Increases the cost of sifting through all alarms raised
2. Evasion
   - Act of conducting malicious activity so that it looks safe, e.g.
     - Conduct port scans extremely slowly (over many days) and from many different sources
     - Malware can be sent as parts of file attachments, and appear legitimate
- IDS/IPS therefore cannot be trusted to detect all malicious activity
  - However, like firewalls, very effective as part of an overall security deployment
Patch management
- Patch
  - Software that corrects security and functionality problems in software and firmware
    - Also called updates
  - Usually the most effective way to mitigate software vulnerabilities
- Patch management
  - Process of identifying, acquiring, installing, and verifying patches
  - Many information security frameworks impose patch management requirements
    - E.g. Payment Card Industry (PCI) Data Security Standard (DSS) requires that critical patches must be installed within one month of the release of the patch (PCI DSS 2.0 requirement 6.1.b)
- Concerns
  - Patches can break existing software
    - Particularly in-house software developed using older technologies
Patch management challenges
- NIST
1. Timing, prioritization and testing
   - Usually necessary to prioritize which patches should be installed first
     - E.g. web servers need to be prioritized over desktops in the militarized zone
   - Operational system might fail from patching, causing business disruptions
   - Timing, prioritization and testing are often in conflict
   - Patch bundle solution to the conflict
     - Release aggregates of many patches as patch bundles on quarterly or other periodic schedules
       - Reduces patch testing effort at organizations and facilitates deployment
     - Issue patches immediately for vulnerabilities known to be actively exploited
Patch management challenges – contd.
2. Configuration
   - Often multiple mechanisms for applying patches
     - Automatic updates, manual updates, vulnerability scanners
   - Competing patch installation procedures can cause conflicts
     - Therefore identify all ways in which patches could be applied
     - Resolve any conflicts among competing patch application methods
   - Users, particularly power users, may override or circumvent patch management processes, e.g.
     - May try to overwrite patches
     - May try to remove previously installed patches
     - May try to install patches that fail the organization’s internal tests
     - Disabling patch management software
     - Installing old and unsupported versions of software
     - Uninstalling patches
Patch management challenges – contd.
3. Alternative hosts
   - Diversity in the computing environment
     - May include unsupported hardware
   - Appliances are a particularly interesting case
     - Often manufacturers are not very familiar with the importance of patch management
     - May not support automated procedures for testing and deploying patches
       - Patch management can easily become time consuming and labor intensive
4. Software inventory
   - Organization should maintain a current and complete inventory of all patchable software installed on each host in the organization
     - Inventory should also include correct version and patch status
Patch management challenges – contd.
5. Resource overload
   - Patch deployment needs to be managed to prevent overload
   - Download speeds can become significantly slow
     - If many hosts start downloading the same large patch at the same time
       - Hard drives hunt for different blocks for each individual host
   - Network bandwidth can also become a constraint
     - Large organizations
       - Particularly if patches are transmitted across continents on WAN networks
   - Common strategies
     - Sizing patch infrastructure to handle expected request volumes
     - Staggering delivery of patches
       - Only deliver patches to a limited number of hosts at any given time
Patch management challenges – contd.
6. Implementation verification
   - Forcing required changes on the target host so that the patch takes effect
     - May require restarting a patched application or service
     - Or rebooting the entire operating system
     - Or making other changes to the state of the host
   - Can be very difficult to determine if a particular patch has taken effect at a particular host
   - One mechanism
     - Use other methods of confirming installation
       - E.g. using a vulnerability scanner that is independent from the patch management system
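Four of the challenges above (prioritization, software inventory, staggered delivery and independent verification) and the PCI DSS one-month window from the earlier slide, as one added example that is not part of the slides. The inventory, patch list, dates, batch size and the "one month is 30 days" reading are assumptions made for the example.

```python
from datetime import date, timedelta

CRITICAL_DEADLINE = timedelta(days=30)  # PCI DSS "one month", approximated as 30 days
BATCH_SIZE = 2                          # constructed rollout limit per batch

# Constructed inventory: (host, product, installed version)
INVENTORY = [
    ("web-1", "httpd", "2.4.50"), ("web-2", "httpd", "2.4.52"),
    ("db-1", "postgres", "13.3"), ("pc-7", "browser", "99.0"),
    ("pc-8", "browser", "100.0"), ("pc-9", "browser", "99.0"),
]
# Constructed patch list: (product, fixed version, severity, release date)
PATCHES = [
    ("httpd", "2.4.52", "critical", date(2022, 1, 1)),
    ("postgres", "13.4", "important", date(2022, 1, 20)),
    ("browser", "100.0", "critical", date(2022, 2, 15)),
]


def version_tuple(v):
    """'2.4.50' -> (2, 4, 50) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def missing_patches(inventory, patches):
    """Inventory rows whose installed version is below a patch's fixed version."""
    return [(host, prod, fixed, sev, released)
            for host, prod, installed in inventory
            for p, fixed, sev, released in patches
            if p == prod and version_tuple(installed) < version_tuple(fixed)]


def overdue(missing, today):
    """Critical patches released more than CRITICAL_DEADLINE ago and still not installed."""
    return [(host, prod, fixed) for host, prod, fixed, sev, released in missing
            if sev == "critical" and today - released > CRITICAL_DEADLINE]


def rollout_batches(missing, priority_prefixes=("web", "db")):
    """Stagger delivery: server hosts first, then at most BATCH_SIZE hosts per batch."""
    hosts = sorted({h for h, *_ in missing},
                   key=lambda h: (not h.startswith(priority_prefixes), h))
    return [hosts[i:i + BATCH_SIZE] for i in range(0, len(hosts), BATCH_SIZE)]


def verify(inventory, scanner_findings):
    """Independent verification: hosts the inventory calls current but a separate
    vulnerability scanner still flags have not really taken the patch."""
    current = {(h, p) for h, p, v in inventory
               if not any(p == q and version_tuple(v) < version_tuple(f)
                          for q, f, *_ in PATCHES)}
    return sorted((h, p) for h, p in scanner_findings if (h, p) in current)
```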
End-point protection
- Security implemented at the end user device
  - Desktops, laptops, and mobile devices used directly by consumers of the IT system
- Typically implemented using specialized software applications
  - Provide services such as
    - Anti-virus protection
    - Anti-malware protection
    - Intrusion detection
- Defense of last resort
  - Attempts to pick up security problems missed by network controls such as firewalls and intrusion detection systems
- Can offer security that organization-wide systems cannot provide
  - E.g. confirm that versions of the operating system, browser etc. on the device are up-to-date
    - Alert the user if necessary to initiate an update
- Also provides protection against other compromised devices internal to the network
  - Compromised desktop within the network may scan ports as a zombie
  - End-point security software on targeted hosts can detect scans and block requests
Detection mechanisms
1. Signatures
   - Traditional method of detecting malicious software
     - Similar to signature-based IDS
2. Reputation
   - Safety of a file based on a reputation score calculated using the file’s observable attributes
   - Over time, reputation scores calculated and updated for every known executable file
     - Identified by file hash
     - About 10 billion in number
   - Eliminates the need to scan every byte of every file for known malware signatures
     - Greatly speeds virus and malware scanning, freeing up computer resources for productive tasks
   - Computationally efficient at detecting previously unknown threats
     - Previously unknown files naturally receive a low reputation score
       - Like how new borrowers like teenagers begin with a low credit score
     - File used by more users for longer periods of time with no observed malicious effects
       - Reputation score of the file keeps improving
         - Like how borrowers improve credit ratings through responsible borrowing