Post on 16-Apr-2017
PacINET 2007
Information Security Workshop
August 21, 2007
Presenter
Chris Hammond-Thrasher
10 years of ICT consulting in Canada
Was a Senior Management Consultant in Security, Privacy, and Technical Risk for Fujitsu Consulting Canada
MLIS (I am a librarian)
CISSP (I am a security manager)
Currently USP Library Systems Manager
Author of the Digital Fiji blog
Agenda
Part 0: Why are we here?
Part 1: Information security?
Part 2: What an information security team needs to know
Part 3: Security incidents
Part 4: Top ten infosec tools
Goals
To show participants the scope of the field of information security management
To demonstrate that there is an ethical responsibility that goes along with information security skills (aka h4X0r 5k1775)
To entice participants to lobby their employers, educational institutions, and professional organizations to provide them with more infosec training and certification opportunities
To establish a need for regional infosec cooperation: we need a PacCERT!
Part 0 Why are we here?
A war zone
Leading up to the 1991 invasion of Iraq
The story goes that the American NSA disabled Iraqi air defense computers with virus-laden printers sold to Iraq through Jordanian intermediaries. (Treat this one with care: it originated as an InfoWorld April Fools article in 1991 and was later repeated as fact; it has never been substantiated.)
A war zone
The cost of cybercrime
A 2005 FBI study found that 90% of US companies suffered security incidents
Cybercrime cost US companies an average of US$24,000 last year
The total cost of cybercrime in the US, in 2005 alone, was over US$400 billion
A war zone
Human rights, China, and Yahoo
The House Foreign Affairs Committee has ordered an investigation into Yahoo's role in the prosecution of Shi Tao, a journalist and Yahoo Mail user, who was arrested in 2004 by Chinese officials after Yahoo cooperated with their request for information. The committee's interest in the matter was sparked by new documents that suggest Yahoo gave information to Chinese authorities knowing that it could lead to the reporter's arrest.
A war zone
2007 Estonian cyber attack
The May events followed the Estonian [pop. 1.3 million] decision to dismantle and move a symbolically significant Russian war memorial... Many of the early attacks that subsequently overwhelmed Estonia's Web servers, banks, and government email systems were rudimentary, with instructions widely posted on these blogs telling people how to send manual pings to the country's servers. But more sophisticated tools soon were used, with botnets flooding Estonian addresses with traffic anywhere from 100 to 1000 times ordinary levels.
A war zone
Phishing, Internet fraud, and identity theft
A 2004 study reported that 685,000 Americans had experienced identity theft and collectively lost US$680 million
In 2005, Israelis lost US$10 million to similar crimes
A Pacific war zone?
The coming battle
Oceania (not including Aus and NZ) has 510,890 Internet users out of a population of 9,209,260, or roughly 5.5%
While the global Internet user growth rate from 2000 to 2007 is 225%, it is as high as 1,100% in Samoa, 833% in Fiji, and 320% in the Solomon Islands
A Pacific war zone?
The South Pacific is catching up...
All of the bad things about the Internet come along with the good
We are in a good position because we only have to glance over the ocean to see exactly what problems have already started coming our way, including which solutions are effective, and which solutions are not worth doing
Building information security capacity takes time: we need to start now!
A Pacific war zone
The time is ripe to create regional infosec organizations, the first of which ought to be a Pacific Computer Emergency Response Team (PacCERT)
Coordinate ISPs' and other high-tech organizations' responses to major security incidents
Support under-skilled law enforcement agencies
Respond to security incidents and proactively prevent them
Regional corporate and governmental cooperation is required to make this happen
Part 1 - Infosec?
What is information security?
Outline
Definitions
Professional organizations
Certifications
Heroes and villains
My definition
Information security is the art, science, and practice of protecting information systems against willful or accidental harm.
ISO definition
ISO 17799 [now ISO 27002] defines information as an asset that may exist in many forms and has value to an organization. The goal of information security is to suitably protect this asset in order to ensure business continuity, minimize business damage, and maximize return on investments. As defined by ISO 17799, information security is characterized as the preservation of:
Confidentiality: ensuring that information is accessible only to those authorized to have access.
Integrity: safeguarding the accuracy and completeness of information and processing methods.
Availability: ensuring that authorized users have access to information and associated assets when required.
Tom Carlson, Information Security Management, 2001
CIA
Confidentiality
Information should only be available to its intended reader (possibly a person or software)
Integrity
Information should only be alterable by those who are permitted to do so
Availability
Information should be available to those who need it when they need it
Risks, threats, and vulns
Risk
The magnitude of a risk equals the cost of a one-time occurrence of a threat multiplied by its estimated frequency of occurrence (in CISSP terms: annualized loss expectancy = single loss expectancy x annualized rate of occurrence)
R = (one time cost) x (frequency)
Threats which pose a small cost, such as "I forgot my password", but occur frequently may pose a significant risk
Threats that occur infrequently, such as water damage in the new server room, but have high one time costs may not be significant risks
Risks, threats, and vulns
Threats
Threats, or threat events, are events which may compromise the confidentiality, integrity, or availability of your information assets
e.g. Theft of equipment or virus infections
Vulnerabilities
Exploitable weaknesses that a threat can take advantage of
e.g. Buffer overflows or poorly trained staff
Controls
Administrative
Implemented in policy and procedure
e.g. Criminal record screening or user awareness programs
Logical
Implemented in hardware and software
e.g. Network firewalls, ACLs, or the principle of least privilege
Physical
Implemented in real space
e.g. Locked doors, security guards, or fire control
Controls
Preventive
Reduce the likelihood of threat events occurring
e.g. Firewalls, intrusion prevention, or strong passwords
Detective
Detecting attempted or successful incidents
e.g. Network and host-based IDSes or vigilant users
Mitigating
Reduces the impact of security incidents
e.g. Backups or an incident response team
Professional organizations
Anti-Virus Information Exchange Network (AVIEN)
Center for Secure Information Systems (CSIS)
Computer Security Institute
Computing Technology Industry Association (CompTIA)
Information Systems Audit and Control Association (ISACA)
Information Systems Security Association, Inc. (ISSA)
International Association for Computer Systems Security, Inc. (IACSS)
International Federation for Information Processing (IFIP)
Technical Committee 11 (TC-11) on Security and Protection in Information Systems
International Information Systems Security Certification Consortium (ISC2)
National White Collar Crime Center
SANS Institute
Certifications
The big ones:
CISSP from (ISC)2
CISA from ISACA
CISM from ISACA
GIAC certifications from SANS
Notable vendor certifications:
Cisco
Check Point
Heroes
Gaius Julius Caesar (100 BC -44 BC)
Protected military communications with the Caesar Cipher. This cipher works by shifting all of the letters in the alphabet by a given number (the key) to create a garbled message.
Example: Caesar cipher with a shift of 2 (each letter is replaced by the letter two places later, so a becomes c)
Plain alphabet:  abcdefghijklmnopqrstuvwxyz
Cipher alphabet: cdefghijklmnopqrstuvwxyzab
Plaintext:  inthe begin ningt herew asdar kness andvo id
Ciphertext: kpvjg dgikp pkpiv jgtgy cufct mpguu cpfxq kf
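What follows is an added example, not code from the original slides: the cipher above as a program, together with the attack that makes it useless today. With only 25 possible keys an attacker simply tries them all and keeps the candidate that reads like English. The plaintext is the slide's own; the scoring heuristic (count a few common English trigrams, then fall back on letter frequencies) is the example's own choice.

```python
# Added example (not from the original slides): the Caesar cipher as code, plus the
# exhaustive-key attack. The scoring heuristic is this example's own, not the slide's.
import string
from collections import Counter

ALPHABET = string.ascii_lowercase
# English letters from most to least frequent, used to score candidate plaintexts.
ENGLISH_BY_FREQUENCY = "etaoinshrdlcumwfgypbvkjxqz"
COMMON_TRIGRAMS = ("the", "and", "ing", "was")


def caesar_shift(text: str, shift: int) -> str:
    """Replace each lowercase letter by the one `shift` places later (wrapping round)."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)          # spaces and punctuation pass through unchanged
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    return caesar_shift(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    return caesar_shift(ciphertext, -key)


def group_in_fives(text: str) -> str:
    """Strip non-letters and write the rest in blocks of five, as on the slide."""
    letters = "".join(c for c in text.lower() if c in ALPHABET)
    return " ".join(letters[i:i + 5] for i in range(0, len(letters), 5))


def english_score(text: str) -> int:
    """Higher means more English-like: common trigrams count a lot, letter frequency a little."""
    letters = "".join(c for c in text.lower() if c in ALPHABET)
    cribs = sum(letters.count(w) for w in COMMON_TRIGRAMS)
    counts = Counter(letters)
    freq = sum(n * (26 - ENGLISH_BY_FREQUENCY.index(c)) for c, n in counts.items())
    return 100 * cribs + freq


def brute_force(ciphertext: str) -> list:
    """Try every key; return (key, candidate plaintext) pairs, most English-like first."""
    candidates = [(k, decrypt(ciphertext, k)) for k in range(1, 26)]
    return sorted(candidates, key=lambda kp: english_score(kp[1]), reverse=True)


if __name__ == "__main__":
    ct = encrypt(group_in_fives("in the beginning there was darkness and void"), 2)
    print("ciphertext:", ct)
    key, pt = brute_force(ct)[0]
    print(f"best guess: key={key} plaintext={pt}")
```

The same attack is why any cipher whose security rests on a small key space fails: the key is recovered by enumeration, with no cleverness required.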
Alan Turing (1912 - 1954)
An English mathematician and code breaker. Turing was instrumental in breaking German World War II naval codes.
He also envisaged a kind of computer known now as a Turing machine in:
On computable numbers, with an application to the Entscheidungsproblem. 1936.
And created the definitive test for artificial intelligence known as the Turing test in:
Computing machinery and intelligence. 1950. Mind, 59, pp. 433-460.
Bruce Schneier (1963 - )
Cryptographer turned author, Schneier is one of the leading voices in information security in the USA. He is also one of the most significant critics of American homeland security policy.
Examples:
Applied Cryptography, 1996, John Wiley & Sons
http://www.schneier.com/blog/
Whitfield Diffie (1944 - ) and Martin Hellman (1945 - )
Cryptologists and inventors of the Diffie-Hellman key exchange algorithm (1976). Diffie-Hellman gave two parties a radically new way to agree on a shared secret over an open channel. The DH algorithm and its derivatives are cornerstones of many public key protocols in use today.
Villains?
Robert Morris: wrote the Morris worm, the first worm to spread across the Internet, in 1988
Kevin Mitnick: arrested in 1995 and now a consultant
Kevin Poulsen (aka Dark Dante): arrested in 1991 and now Senior Editor at Wired
Jon Johansen (aka DVD Jon): wrote DeCSS at the age of 15
David Smith: wrote the Melissa virus in 1999, which caused US$500 million in damages
R2-D2: repeated violations of Imperial systems
John Draper (aka Cap'n Crunch): phone phreak, 1972
Part 2 - knowledge
What an information security, or infosec, team needs to know
Outline
Infosec domains
Infosec team critical success factors
Domain 1 access control
Access control may be applied at the network level, host level, application level, or even for individual functions or data elements
Access control has two components
Identification and authentication (often bundled under the label identity management)
Ensuring that users are who they say they are
Authentication systems use up to three factors to identify users
Something you know: passwords or phrases
Something you have: a card, RFID tag, or other device
Something you are (biometrics): fingerprints, retina patterns, etc.
Domain 1 access control
Authorization
Authorization is the mechanism that determines what a user is allowed to do or see in a system
Often this takes the form of an access control list (ACL) which lists what actions a user or group of users is permitted to take against which system objects
Domain 2 application sec.
Security considerations should play a prominent role in all phases of the application development life cycle
All user input should be cleaned and validated before processing
Security testing is not the same as functional testing
Web applications require testing against known web application vulnerabilities
Applications that handle sensitive information should require security certification before going live and recertification after major upgrades
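An added example, not code from the original slides, of the "clean and validate all user input" point above applied to the most common web application bug on the incidents slide later in the deck, SQL injection. It shows the same login check written unsafely (input pasted into the SQL text) and safely (parameterised query), run against a constructed in-memory SQLite table. The table, the accounts, and the allow-list pattern for usernames are all the example's own; passwords are stored in clear only to keep it short.

```python
# Added example (not from the original slides): vulnerable vs. parameterised SQL,
# with an input-validation layer in front. Constructed data; a real system stores
# salted password hashes, never clear-text passwords.
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")   # allow-list: what a username may look like


def make_db() -> sqlite3.Connection:
    """Constructed sample data, not a real user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.commit()
    return conn


def valid_username(username: str) -> bool:
    """Input validation: reject anything outside the expected shape before it goes further."""
    return USERNAME_RE.match(username) is not None


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Untrusted input becomes part of the SQL text, so a quote or a comment
    # marker inside it changes what the query means.
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders: the values travel separately from the SQL and can only ever
    # be compared as data, never parsed as SQL.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Validate first, then query with parameters: both layers, as the slide asks."""
    if not valid_username(username):
        return False
    return login_safe(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, username \"alice' --\":", login_vulnerable(db, "alice' --", "wrong"))
    print("safe,       username \"alice' --\":", login_safe(db, "alice' --", "wrong"))
    print("validated,  username \"alice' --\":", login(db, "alice' --", "wrong"))
```

Validation alone is not the fix: a field that legitimately contains quotes (a surname such as O'Brien) cannot be validated away, and the parameterised query is what actually stops the injection. Do both.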
Domain 3 bc and drp
Business continuity planning
Planning to ensure that critical business processes are resilient to change and attack
Understand your organization's risk tolerance
Define what a critical business process is for your organization
Identify which business processes are critical
Identify potential threats
Develop strategies that minimize interruptions to critical processes due to known (or likely) threats
Domain 3 bc and drp
Disaster Recovery Planning
Developing and testing procedures that will allow critical systems to recover from severe change or attack
Ideally, complete the BCP first
Identify information systems that are required to support critical business processes
Develop plans to minimize down-time if an environmental change or attack destroys the system hardware and/or software
Strategies include co-location, hot and cold standby sites, etc.
Domain 4 - cryptography
Two methods of sending secret messages
Hiding the message: steganography
Jumbling the message so that it is mathematically difficult to un-jumble: cryptography
Cryptography can provide other functions
Verifiable message integrity
Key exchange
Non-repudiation
Source/destination validation
Secure time-stamping
Domain 4 - cryptography
Ciphers
Symmetric
Symmetric ciphers use one key to encrypt and decrypt
This creates a problem of key management: how to securely get the key to everyone who needs it without compromising it
e.g. DES, 3DES, Twofish, Blowfish, and AES
Asymmetric
Asymmetric ciphers use a pair of keys: one is kept private and the other is shared publicly
Asymmetric ciphers require large keys and are computationally intensive, so in practice they are used to agree on or wrap a symmetric session key rather than to encrypt bulk data
e.g. RSA and ElGamal
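The following is an added example and is not part of the original slides. It ties the Diffie-Hellman exchange credited to Diffie and Hellman under Heroes to the key management problem just described: two parties derive the same symmetric key over an open channel without ever sending it. It also shows why parameter size matters, by letting an eavesdropper brute-force the exchange when the prime is tiny. The parameter sizes, the party names, the small-subgroup check, and the use of SHA-256 to turn the shared secret into a key are the example's own choices.

```python
# Added example (not from the original slides): textbook Diffie-Hellman with a
# Miller-Rabin test so the group is generated here rather than hard-coded. Sizes
# below are TOY sizes so the brute-force eavesdropper finishes; real deployments
# use fixed, standardised 2048-bit or larger groups.
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test (error probability below 4**-rounds)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # witness found: definitely composite
    return True


def safe_prime(bits: int) -> int:
    """Random safe prime p = 2q + 1 with q prime, so g = 2 generates a large subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p


class DHParty:
    """One side of the exchange: keeps x secret, publishes g**x mod p."""

    def __init__(self, p: int, g: int = 2):
        self.p, self.g = p, g
        self.private = secrets.randbelow(p - 2) + 1    # x in [1, p-2]; never leaves this object
        self.public = pow(g, self.private, p)          # this value is sent over the open network

    def shared_key(self, peer_public: int) -> bytes:
        # Reject 0, 1 and p-1: an active attacker could send these to force a
        # predictable secret (small-subgroup confinement).
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid peer public value")
        secret = pow(peer_public, self.private, self.p)
        length = (self.p.bit_length() + 7) // 8
        # Hash the shared secret down to a fixed-size symmetric key (e.g. for AES).
        return hashlib.sha256(secret.to_bytes(length, "big")).digest()


def eve_brute_force(p: int, g: int, public: int) -> int:
    """Recover x from g**x mod p by trial: feasible only because p is tiny."""
    x, acc = 0, 1
    while acc != public:
        acc = acc * g % p
        x += 1
    return x


if __name__ == "__main__":
    p = safe_prime(64)
    alice, bob = DHParty(p), DHParty(p)
    assert alice.shared_key(bob.public) == bob.shared_key(alice.public)
    print("64-bit toy group: both sides derived", alice.shared_key(bob.public).hex()[:16], "...")
    tiny = 1019                                        # = 2 * 509 + 1, a safe prime
    a, b = DHParty(tiny), DHParty(tiny)
    print("p = 1019: Eve recovers Alice's private exponent:",
          eve_brute_force(tiny, 2, a.public) == a.private)
```

Two caveats a practitioner would want: the exchange as written is unauthenticated, so a man-in-the-middle can run one exchange with each side and relay; that is exactly the gap the signed certificates mentioned on the SSL/TLS slide close. And the brute-force routine only looks harmless because the prime is small; it is the same discrete-logarithm problem that makes the real thing secure at 2048 bits.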
Domain 4 - cryptography
Digests
Also known as cryptographic hashes (a plain checksum such as CRC-32 is not one: it catches accidental corruption but is trivial to forge)
A kind of one-way function
They do not have a key (keyed variants such as HMAC exist for message authentication)
They generate a fixed length output from variable length input
The input cannot feasibly be reconstructed from the output, and it should be infeasible to find two inputs with the same output
Useful in establishing message integrity
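An added example (not code from the original slides) of the integrity use just described, with the caveat that matters in practice: a bare digest only proves integrity if the digest itself reaches the receiver through a channel the attacker cannot write to. If the attacker can rewrite the message, they can rewrite the digest too. A keyed digest (HMAC) closes that gap. The messages and the key are constructed for the example.

```python
# Added example (not from the original slides): digests for integrity, and why a
# bare digest is not enough when the attacker can also replace the digest.
import hashlib
import hmac

# Constructed messages for the example.
CONSTRUCTED_MESSAGE = b"transfer 100 to account 42"
TAMPERED_MESSAGE = b"transfer 900 to account 42"


def digest(data: bytes) -> str:
    """Fixed-length (256-bit) SHA-256 digest, hex-encoded; no key involved."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    # compare_digest runs in constant time, so the comparison itself leaks nothing.
    return hmac.compare_digest(digest(data), expected_hex)


def mac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: a keyed digest that only holders of `key` can produce or check."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(mac(key, data), tag_hex)


def forgery_accepted(keyed: bool, key: bytes = b"") -> bool:
    """Simulate an attacker who replaces the message AND the tag attached to it.

    With a bare digest the attacker simply recomputes it and the receiver is fooled.
    With an HMAC the attacker has no key, so whatever tag they attach fails to verify.
    """
    if keyed:
        forged_tag = mac(b"attacker-guess", TAMPERED_MESSAGE)   # attacker does not know `key`
        return verify_mac(key, TAMPERED_MESSAGE, forged_tag)
    forged_tag = digest(TAMPERED_MESSAGE)
    return verify_digest(TAMPERED_MESSAGE, forged_tag)


if __name__ == "__main__":
    key = b"shared-secret-between-sender-and-receiver"    # constructed
    tag = mac(key, CONSTRUCTED_MESSAGE)
    print("digest of original :", digest(CONSTRUCTED_MESSAGE))
    print("digest of tampered :", digest(TAMPERED_MESSAGE))
    print("tampered msg, old HMAC tag verifies?", verify_mac(key, TAMPERED_MESSAGE, tag))
    print("bare digest forgery accepted?      ", forgery_accepted(keyed=False))
    print("HMAC forgery accepted?             ", forgery_accepted(keyed=True, key=key))
```

This is the difference between publishing a file's SHA-256 on a download page (useful only if the page is harder to tamper with than the file) and a message authentication code inside a protocol such as TLS, where the key is what the attacker lacks.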
Domain 4 - cryptography
Protocols
Cryptographic protocols define a processing sequence using one or more ciphers to perform a secure transaction
e.g. SSL/TLS, SSH, and SKIP
SSL v2, SSL v3, and TLS 1.0 (SSL v2 has known weaknesses and should be disabled)
Secures US$ billions of Internet transactions
Can encrypt TCP communications (e.g. HTTP -> HTTPS)
Provides confidentiality without a previously shared key: the session key is negotiated during the handshake
Provides end-point validation with signed certificates
Domain 5 risk management
We defined risks and threats in Part 1
Risk management is central to infosec management as it provides a rationale for allocating limited resources
e.g. If a risk assessment reveals that a company stands to lose US$10,000 annually due to malware, there is a strong business case to invest in a US$20,000 antivirus infrastructure that will serve for several years (it pays for itself within two).
Domain 5 risk management
Q: How do I do a risk assessment?
A: Unfortunately, that topic requires an entire workshop to itself.
Identify information assets and their value or sensitivity
Identify potential threats
For each asset, estimate the damage caused by a one-time occurrence of each threat
For each asset-threat pair, estimate the frequency of occurrence to arrive at an estimate of risk
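An added example, not from the original slides, that carries the R = (one time cost) x (frequency) formula from Part 1 through the four steps above: a small register of asset-threat pairs, ranked by annual risk, and a cost/benefit test for a proposed control such as the antivirus investment on the previous slide. All figures are constructed for illustration; only the method is the slide's.

```python
# Added example (not from the original slides): a risk register that applies
# R = (one-time cost) x (frequency) to several asset/threat pairs, ranks them, and
# tests whether a proposed control is worth its price. All numbers are constructed.
from dataclasses import dataclass


@dataclass
class Exposure:
    asset: str
    threat: str
    single_loss: float    # cost of one occurrence (SLE), in dollars
    annual_rate: float    # expected occurrences per year (ARO); 0.02 = once in 50 years

    @property
    def annual_risk(self) -> float:
        """Annualised loss expectancy: R = single_loss x annual_rate."""
        return self.single_loss * self.annual_rate


def rank_risks(exposures: list) -> list:
    """Largest annual risk first: this is the order in which to spend a limited budget."""
    return sorted(exposures, key=lambda e: e.annual_risk, reverse=True)


def control_is_justified(exposure: Exposure, control_cost_per_year: float,
                         rate_after: float) -> tuple:
    """A control pays for itself when the risk it removes exceeds its yearly cost.

    `rate_after` is the expected frequency once the control is in place. Spread a
    one-time purchase over its useful life before passing it as a yearly cost.
    """
    reduction = exposure.single_loss * (exposure.annual_rate - rate_after)
    return reduction > control_cost_per_year, reduction


# Constructed register for a small university library (illustrative numbers only).
CONSTRUCTED_REGISTER = [
    Exposure("staff workstations", "password reset call", 25.0, 600),      # small, frequent
    Exposure("library catalogue server", "water damage", 40_000.0, 0.02),  # large, rare
    Exposure("staff workstations", "malware infection", 500.0, 20),
    Exposure("patron records", "theft of backup tapes", 150_000.0, 0.05),
]


if __name__ == "__main__":
    for e in rank_risks(CONSTRUCTED_REGISTER):
        print(f"{e.annual_risk:>10,.0f}  {e.asset}: {e.threat}")
    # A US$20,000 antivirus rollout amortised over five years, expected to cut
    # infections from 20 a year to 2:
    ok, saved = control_is_justified(CONSTRUCTED_REGISTER[2], 20_000 / 5, rate_after=2)
    print("antivirus justified:", ok, "| risk removed per year:", saved)
    # A US$5,000-a-year flood barrier for a threat that is already rare:
    ok, saved = control_is_justified(CONSTRUCTED_REGISTER[1], 5_000, rate_after=0.005)
    print("flood barrier justified:", ok, "| risk removed per year:", round(saved))
```

Note how the ranking comes out: the cheap, frequent password-reset calls outrank the catastrophic but rare flood, which is the point made under Risk in Part 1.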
Domain 6 law, ethics, etc
Infosec professionals need to be familiar with intellectual property law, privacy law, and computer crime law in their jurisdiction
In the South Pacific, several countries lack all three!
Many infosec certifications require that certification holders submit to a code of ethics
Typically, these codes forbid scanning, attacking, sniffing, testing, etc. without first obtaining informed consent from the target.
Domain 7 operations sec
Security operations include
Information classification
Security testing on an ongoing basis and with major system changes
Incident response and prevention
Monitoring logs
Network IDS, host IDS, firewall, VPN, and others
Liaising with ICT managers and practitioners
Reviewing infosec information from outside sources
e.g. the Full-Disclosure list, the Bugtraq list, the Internet Storm Center, national and regional CERTs (we need a PacCERT!)
Domain 7 operations sec
One of the most important and commonly overlooked activities is an infosec awareness program
Staff that understand the reasons behind security policies are less likely to circumvent them
Trained staff are more likely to notice suspicious activity
Infosec is complicated and constantly changing; people need regular reminders
Domain 8 physical sec
Rule #1: if an attacker can gain physical access to your hardware, it is only a matter of time before they gain complete control
The design and equipping of server rooms and data centers is well understood. Consult an expert if you are putting one together.
Network equipment (including wiring closets), personal computers, and mobile devices are too often ignored
Domain 8 physical sec
Principles
Off site backups!
Allow only trusted individuals access
Allow access only on a need-to-access basis
Protect against environmental changes
Loss of power
High temperature
Moisture
Fire
Domain 9 sec architecture
Security architecture is the ongoing process of planning security infrastructure and activities across an entire organization
Responsible for enterprise wide security policies
e.g. Information classification, acceptable use, and roles
Setting security technology standards
e.g. Standards for hardening critical servers, brand of firewall to be used at all branch offices, password policies, and high-level network design
Planning enterprise-wide security technologies
e.g. Single sign-on (SSO), IDS sensor deployment across a large network, and VPN infrastructure for teleworkers
Domain 10 t/c and network
Telecommunications and network security
Requires advanced knowledge of communications protocols and technologies
OSI network model
TCP/IP networking including ARP, UDP, and ICMP
Perimeter security
Encrypted communications channels
Network intrusion detection and prevention
Telephone security
Traffic control: firewall rules and routing tables
Infosec team success
In addition to knowledge of the 10 domains, a successful infosec team requires:
a clear mandate,
the right number of staff,
the right policies and procedures,
the right tools, and
support from management
Part 3 - incidents
Security incidents
Outline
Anatomy of a hacker attack
Other common incidents
Incident response fundamentals
Anatomy of an attack
Step 1: gather information (mostly passive)
Step 2: find vulnerabilities (mostly active)
Step 3: exploit vulnerabilities
Step 4: conceal activity (cover your tracks)
Anatomy of an attack
Step 1: gather information (mostly passive)
Attacker's activities
whois on target address
Surf target website
Google target
Detection
Very difficult as this is all normal activity
Anatomy of an attack
Step 2: find vulnerabilities (mostly active)
Attacker's activities
Port scans with tools such as nmap
Sniffing with tools such as Wireshark or Ettercap
Vulnerability scanning with tools such as Nessus
Detection
Intrusion detection systems (IDS) such as Snort can detect many port scans and vulnerability scans
Passive sniffing is hard to detect. There are tools such as Ettercap that can identify NICs in promiscuous mode.
ARP cache poisoning and other attacks that facilitate sniffing on switched networks can also be detected by some IDSes, firewalls, switches, and other tools
Anatomy of an attack
Step 3: exploit vulnerabilities
Attacker's activities
Attack software weaknesses with exploit code. The Metasploit Framework is a toolkit for developing and running exploits.
Attack passwords
Detection
IDSes can detect many application attacks as well as large volumes of login attempts
Some applications will log failed login attempts
Host-based intrusion detection tools such as Tripwire and Logwatch can detect some suspicious activities
Anatomy of an attack
Step 4: conceal activity
Attacker activities
Edit suspicious activities out of system logs
Install backdoors or rootkits to facilitate future concealed access to the target
Detection
Host-based intrusion detection tools can detect some of these activities
Virus scanners and rootkit checkers can sometimes find rootkits but not always!
Other common incidents
Most security incidents do not involve a classic hack
Some common incidents
Malware infection: virus, trojan, worm, spyware, etc.
Insider attack
DoS
Lost or stolen passwords
Web application attacks: XSS (cross-site scripting), SQL injection, etc.
Social engineering
Incident response basics
Have an Incident Response Team with well defined roles before an incident happens
Have written procedures for incident handling
Have clear lines of communication
Who decides whether it is bad enough to phone the police?
Which managers need to be informed?
Decide when and how you will quarantine potentially compromised equipment
Who decides when it is better to be offline than insecure?
Part 4 - tools
Top 10 free infosec tools
Wireshark (windows, linux/unix)
nmap (windows, linux/unix)
Nessus (windows, linux/unix)
Snort (windows, linux/unix)
ClamAV (windows, linux/unix)
Tor (windows, linux/unix)
ssh (windows, linux/unix)
John the ripper (windows, linux/unix)
Ettercap (windows, but best on linux/unix)
Cain and Abel (windows)
Thank you for your time.
Make good choices.
Chris Hammond-Thrasher MLIS, CISSP
USP Library Systems Manager / Blogger
thrashor@gmail.com
hammondthrasher_c@usp.ac.fj
thrashor on Skype
http://dfiji.blogspot.com/
Photo credits
All photos used in this presentation are available under a Creative Commons license
Credits
Camera http://www.flickr.com/photos/bhikku/
Keys http://www.flickr.com/photos/kk/
Superheros http://www.flickr.com/photos/jcroft/
Schneier http://www.flickr.com/photos/quinnums
Diffie/Hellman http://www.flickr.com/photos/dfarber
R2-D2 http://www.flickr.com/photos/revlimit/
Foil hat http://www.flickr.com/photos/nicmcphee
Incident http://www.flickr.com/photos/mjb
Palm pilot http://www.flickr.com/photos/splorp
Gateway http://www.flickr.com/photos/cromaducale