Transcript of the slide deck "To Boldly Go! To Go Boldly? (Whatever…) Security in University Environments" by Kathleen Kimball, Penn State. Posted: 18-Dec-2015.

Kathleen Kimball

Director, Computer and Network Security

Penn State

(814) 863-9533 FAX: (814) 865-2585 24 hr: 863-HELP

Email: [email protected]

Incident Email: [email protected]

To Boldly Go! To Go Boldly? (Whatever…)

Security in University Environments

Network Security Office

• Responsible for University-wide network security functions

• Functional Responsibilities include:

Policy Development

Training

Vulnerability Assessment

Risk Analysis

Incident Response

[Figure: organization chart. Director, Computer and Network Security, with Policy, Training, Vulnerability Assessment, Risk Analysis and Incident Response functions]

Session Overview

• Problem Review

• Security Elements

• Incident Experience

• Is there Hope? What needs to be solved? Current/Future “Solutions”

The University Problem

• Insecure systems, networks and apps (Oh, my!)

• Insufficient numbers of trained personnel

• Extremely wide-ranging user requirements

• The Barbarians are sometimes inside the gates

- Complicates some traditional corporate approaches

• Exploit tools simple enough for a 10-year-old; security tools incomprehensible to a 50-year-old

• High-speed connectivity (flooding and warez trading can be done at extremely fast speeds)

In Short...

We are a very attractive target….

Security Elements

• Authentication

• Authorization

• Confidentiality and Integrity

• Accountability

An Important Principle

• Least Privilege

- Perhaps we should call it Appropriate Privilege

- You should have access to everything that you need; those without a similar need should not

Least Privilege (Continued)

• Easy to visualize in terms of applications or database fields. (In most cases, I should not have access to your medical or credit records).

• Needs to be extended to systems and networks

- System - Turn off unused services; set file and directory permissions to limit access to those who truly require access; limit root and “everyone” access

- Network - does every machine globally really need to be able to check your electronic doors and windows???
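The system-level half of that slide (limit “everyone” access, limit root) can be checked mechanically. The following is an added example, not code from the slides or from Penn State: it walks a directory tree and reports files and directories that give the world write access, programs that run with elevated privilege (setuid root or setgid), and secret-looking files that anyone can read. The tree it audits is a constructed temporary sample with deliberately wrong permissions; the name heuristic in `looks_secret` and the finding labels are assumptions made for this example.

```python
import os
import stat
import tempfile
from pathlib import Path


def looks_secret(name):
    # Constructed heuristic for this example: names that usually hold secret material.
    lowered = name.lower()
    return any(token in lowered for token in ("shadow", "key", "secret", ".pem"))


def audit_tree(root):
    """Walk `root` and return least-privilege findings as a sorted list of
    (relative_path, issue) tuples:
      world-writable         "everyone" may modify the file or directory
                             (a sticky, world-writable directory such as /tmp is accepted)
      setuid-root            the program runs as root for whoever executes it
      setgid                 the program runs with its group's privilege
      world-readable-secret  a file that looks like secret material is readable by all
    """
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.is_symlink():
            continue  # the link target is audited on its own
        st = path.stat()
        mode = st.st_mode
        rel = path.relative_to(root).as_posix()
        is_file = stat.S_ISREG(mode)
        is_dir = stat.S_ISDIR(mode)
        if mode & stat.S_IWOTH and not (is_dir and mode & stat.S_ISVTX):
            findings.append((rel, "world-writable"))
        if is_file and mode & stat.S_ISUID and st.st_uid == 0:
            findings.append((rel, "setuid-root"))
        if is_file and mode & stat.S_ISGID:
            findings.append((rel, "setgid"))
        if is_file and mode & stat.S_IROTH and looks_secret(path.name):
            findings.append((rel, "world-readable-secret"))
    return sorted(findings)


def build_sample_tree():
    """Create a throwaway tree with deliberately bad permissions so the audit
    has something to report (constructed sample data, not a real system)."""
    root = Path(tempfile.mkdtemp(prefix="lp-audit-"))
    for d in ("etc", "bin", "home"):
        (root / d).mkdir()
        os.chmod(root / d, 0o755)
    (root / "etc" / "shadow").write_text("root:*:0:0\n")
    os.chmod(root / "etc" / "shadow", 0o644)      # secret, but readable by everyone
    (root / "etc" / "app.conf").write_text("debug=false\n")
    os.chmod(root / "etc" / "app.conf", 0o666)    # anyone on the box can edit the config
    (root / "bin" / "helper").write_text("#!/bin/sh\n")
    os.chmod(root / "bin" / "helper", 0o755)      # correctly limited program
    (root / "home" / "notes.txt").write_text("hello\n")
    os.chmod(root / "home" / "notes.txt", 0o640)  # owner and group only: fine
    (root / "tmp").mkdir()
    os.chmod(root / "tmp", 0o1777)                # sticky world-writable dir: accepted
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, issue in audit_tree(sample):
        print(f"{issue:24} {rel}")
```

Run against a real root (for example `/etc` or an application's install directory) the same function gives a first-pass list of where “everyone” access has crept in; the sticky-bit exception is the one world-writable case that least privilege tolerates.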

Authentication

• Who are you anyway?

• Methods

User ID/Password

Certs (Not the breath mint)

Tokens or smart cards

Biometrics

Combinations of the above

Does Anyone Really Care About Your Password?

Cryptographically Secure Certificates

• Selectively promising but also mildly overhyped

• Problems:

- Whoever issues it has to accept something to prove who you are - what if they’re wrong?

- Where do you keep your Certs -- your hard drive is the wrong answer

- How do you unlock them - adequacy of passphrase or other technique

- On the critical infrastructure side -- how do you check revocation status in almost real-time

Other

• Tokens and smart cards

- Good augmentation. Frustrating for the forgetful

• Biometrics

- Will be more extensively used as the price becomes more attractive

Rule of Thumb

• Make both Authentication and Authorization mechanisms proportionate not just to the value of the data but also to the value of your system or network to the attacker

Authorization

• Now that you know who I am, what can I do?

- Usually controlled by database or extended directory mechanism

- May be individual or role-based

At a system level: What can I access on the system (relevant permissions)

At a network level: What parts of the network can I see (or reach out and touch)

Confidentiality and Integrity

• Encryption

- Secret key

- Public/private key

- Digital signatures

- Cryptographically secure checksums

Limitations

• Keylength (Brute Force Attack)

• Non-Random Random Numbers to Generate Seed

• Compromise of Secret Key

• Poor Passphrase Selection (or keystroke monitoring)

• Does not substitute for other security measures (e.g., host security)

Accountability

• Logs are good

- Access to logs can be adequately controlled; but if the data is not there, the trail ends

* All the King’s horses, FBI agents or Galactic Defense Forces cannot trace something technically in the absence of logs

Selected Defenses/“Solutions”

• Encryption

• Firewalls

• Intrusion Detection

• Other

Solutions: Firewalls

• Firewalls are collections of filters and gateways that shield trusted networks from untrusted networks.

[Figure: Untrusted Network (Outside) | Firewall | Trusted Network (Inside); the firewall forms the Security Perimeter]

Packet Filtering

[Figure: Untrusted network connected to a Screening Router (allows or blocks packets per policy)]

Dual-Homed Host

[Figure: Untrusted network connected to a dual-homed host acting as the firewall]

Screened Subnet

[Figure: Untrusted network - Exterior Router - Perimeter Network containing the Bastion host - Interior Router - Interior Network]

Personal Firewalls

• Can obtain a small hardware-based firewall, but normally this term refers to software-based

• Low cost

• Shows a lot of promise in areas that have zero investment dollars (e.g., student residence hall machines)

Limitations

• If the attacker is already on the interior or trusted network, there’s no protection

• Reasonably easy to bypass (dial-up modem at the desk)

• Can only address known threats. New threats may get through

• Does not inhibit viruses (for the most part)
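To make the screening-router model and its first limitation concrete, here is an added example (not code from the slides): a first-match, default-deny packet filter applied to a hypothetical campus subnet, with the policy, the addresses (RFC 5737 documentation ranges) and the sample packets all constructed for the example. The `screen` function also models the point that traffic between two inside hosts never crosses the perimeter router, so the policy is simply never consulted for it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str     # source IP
    dst: str     # destination IP
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any port

    def matches(self, pkt):
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules, pkt, default="deny"):
    """First-match-wins filtering; anything no rule covers gets the default (deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed policy for a hypothetical campus subnet (documentation addresses).
INSIDE = "192.0.2.0/24"
WEB_SERVER = "192.0.2.10/32"
POLICY = [
    Rule("allow", "0.0.0.0/0", WEB_SERVER, "tcp", 443),  # the one service offered to the world
    Rule("allow", INSIDE, "0.0.0.0/0", "any", None),     # inside hosts may reach outward
    Rule("deny", "0.0.0.0/0", INSIDE, "any", None),      # everything else arriving is dropped
]


def screen(rules, pkt, inside=INSIDE):
    """Apply the perimeter policy to one packet. Traffic between two inside
    hosts never reaches the screening router, so the policy is never consulted:
    that is the 'barbarians already inside the gates' limitation in concrete form."""
    net = ip_network(inside)
    if ip_address(pkt.src) in net and ip_address(pkt.dst) in net:
        return "not-screened"
    return evaluate(rules, pkt)


# Constructed sample traffic.
SAMPLE_TRAFFIC = {
    "outside probe of ssh on a lab box": Packet("203.0.113.7", "192.0.2.55", "tcp", 22),
    "outside client to the public web server": Packet("203.0.113.7", "192.0.2.10", "tcp", 443),
    "inside workstation browsing outward": Packet("192.0.2.21", "198.51.100.9", "tcp", 443),
    "inside host probing another inside host": Packet("192.0.2.21", "192.0.2.55", "tcp", 22),
}


def decisions(rules=POLICY, traffic=SAMPLE_TRAFFIC):
    """Return {label: decision} for every sample packet."""
    return {label: screen(rules, pkt) for label, pkt in traffic.items()}


if __name__ == "__main__":
    for label, verdict in decisions().items():
        print(f"{verdict:13} {label}")
```

Two design points worth noticing: the outside probe of port 22 is denied not by a rule written against it but by the default, which is why default-deny matters for the slide's "new threats may get through" bullet; and the second rule trusts the source address alone, so a filter like this also needs interface-based anti-spoofing (drop packets arriving on the outside interface that claim an inside source) before the slide's IP-spoofing technique is covered.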

Bottom Line

• Firewalls are useful as part of a “defense in depth” strategy

• They do not solve all problems, everywhere

• They are less useful in environments where the barbarians are already inside the gates

INTRUSION DETECTION NEEDED

Intrusion Detection

• Most practical now check for changes in critical files (e.g., tripwire)

• Much work (particularly government) in network models

• Some commercial products available

Ultimately this is where we must evolve. We need not only locks but also burglar alarms....

Other Issues: Web Security

• Web Security approaches are somewhat one-dimensional

• Approaches address secure session conduct and document transmission

• Do not address host security issues, privacy, denial of service

• ****A “SECURE” SERVER ISN’T (at least not comprehensively)****

Incidents: A Growth Industry

• A Department of Defense (DoD) tiger team test:

8932 systems tested

7860 systems successfully penetrated

390 sys admins detected the attack

19 reported the attack

Total Incident Percentages - 1999

[Figure: pie chart of 1999 incidents by category]

Denial of Service - 44%

Spam, Relays, Chain Letters - 21%

Unauthorized Access Attempts - 17%

Other - 6%

Electronic Harassment - 4%

System-Acct-Data Compromise - 4%

Commercial Use - 2%

Copyright Violation - 1%

Forgeries - 1%

Total Reported: 3976

Average (Month): 331.3

Highest - October (500)

Lowest - July (157)

Comparison of Incidents by Year, 1997 through 1999

[Figure: bar chart, y-axis 0 to 4000 incidents, showing Average Month, Lowest Month, Highest Month and Total Incidents for each year]

Total incidents: 1997 - 979; 1998 - 2310; 1999 - 3976

Selected Intrusion Techniques

• Probes

- Also email-borne virii-worms

• IP Spoofing

• Floods (non-distributed)

• Log modification (rootkit)

• “Combo Plate” - Multiple attacks combined - may involve multiple OS (the latest “worm”)

• Distributed Denial of Service Attacks

Trinoo, TFN, TFN2K, Stacheldraht (carko)

Probes

• Typically automated scans to determine which services are running on a given port

• Determine vulnerable services and, optionally, attempt to exploit them

• Double-edged sword -- can be extremely valuable to system administrators

• Examples: Strobe, ISS, nmap

Email-Borne Virii-worms

• Hybris

- Snowhite, “Dirty words”

• Romeo and Juliet

• “From” addresses not trustworthy. Some variants not only replicate to the “to” email addressees but may also pull the “from” address at random from the same source

• Digression: Windows Trojans

Log & Utility Changes (Rootkit)

• Used AFTER a system has been compromised

• Trojans the most common tools/utilities that would otherwise enable the intrusion to be detected (e.g., login, ls, ps, ifconfig, netstat). The trojaned programs’ checksums will match the true distribution’s.

• Alters log files to eliminate evidence of activity
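The Intrusion Detection slide (check for changes in critical files, as tripwire does) and the rootkit slide (trojaned utilities whose checksums still match) are two sides of one technique, so one added example covers both. It is not tripwire's code or code from the slides: it takes a SHA-256 baseline of a constructed set of "utilities", then simulates a rootkit-style replacement of `ps` and a deleted `netstat` and reports what changed. The additive 16-bit checksum is included only to show why a sum-style check is the wrong tool: the replacement here is the same bytes in a different order, which a byte sum cannot distinguish but a cryptographically secure checksum does. File contents, paths and the `DISTRIBUTION` table are all constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed "distribution" contents of three utilities a rootkit typically
# replaces. Real binaries are larger; the comparison is the point, not the bytes.
DISTRIBUTION = {
    "bin/ls": b"ls: list directory contents v1.0\n",
    "bin/ps": b"ps: report process status v1.0\n",
    "bin/netstat": b"netstat: print network connections v1.0\n",
}


def sha256_file(path):
    """Cryptographically secure checksum of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def additive_checksum(data):
    """16-bit byte sum, the kind of non-cryptographic checksum old Unix `sum`
    reported. It ignores byte order, so different contents collide trivially."""
    return sum(data) & 0xFFFF


def take_baseline(root, names):
    """Record SHA-256 for each monitored file while the system is known good."""
    return {name: sha256_file(Path(root) / name) for name in names}


def verify(root, baseline):
    """Compare the current tree against the baseline and report what changed."""
    report = {"modified": [], "missing": []}
    for name, digest in sorted(baseline.items()):
        p = Path(root) / name
        if not p.exists():
            report["missing"].append(name)
        elif sha256_file(p) != digest:
            report["modified"].append(name)
    return report


def install(root, files):
    """Write the constructed distribution into a scratch tree."""
    for name, data in files.items():
        p = Path(root) / name
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def run_demo():
    """Build a clean tree, baseline it, then simulate a trojaned ps whose
    additive checksum still matches and a deleted netstat.
    Returns (weak_sum_before, weak_sum_after, verify_report)."""
    root = Path(tempfile.mkdtemp(prefix="fim-"))
    install(root, DISTRIBUTION)
    baseline = take_baseline(root, DISTRIBUTION)

    original = DISTRIBUTION["bin/ps"]
    # Constructed tampered content: the same bytes reversed. The byte sum is
    # unchanged, so a sum-style check passes; SHA-256 does not.
    tampered = original[::-1]
    (root / "bin" / "ps").write_bytes(tampered)
    (root / "bin" / "netstat").unlink()

    return additive_checksum(original), additive_checksum(tampered), verify(root, baseline)


if __name__ == "__main__":
    before, after, report = run_demo()
    print(f"additive checksum before={before} after={after} (identical, tamper missed)")
    print("SHA-256 verify:", report)
```

Because the slide's rootkit also rewrites logs and utilities on the compromised host, the baseline and the checker itself have to live somewhere the intruder cannot reach (read-only or off-host media); a baseline stored beside the binaries it protects is just one more file for the rootkit to update.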

Denial of Service

• IP address frequently (but not always) “spoofed”

• Simple (ping floods, mail bombs)

• Slightly more complicated (Smurf)

• The real mother (Distributed Denial of Service Attacks)

Ugly is as Ugly DoS

[Figure: Distributed DoS structure. Attacker controls Master 1 through Master N; each master controls Slave 1 through Slave N]

What Needs to be Solved?

• Host Security

- Systems and Network Administration

Will we ever have enough people with sufficient training to “get well”?

- Education (Catch 22: Interest is proportional to direct, personal experience. The most effective security proponents are those who have just been exploited)

- VENDOR IMPROVEMENTS

What Needs to be Solved (Continued)

• Network Security

Protocol Vulnerabilities

Authentication and Authorization

Confidentiality and Integrity Protection en route

Intelligent implementation of distributed firewall/filtering approaches consistent with the unique nature of university environments

Intrusion Detection - implies better logging

Integrated Planning Needed

• THERE IS NO MAGIC BULLET. No one solution will make your installation secure. Defense in depth required... Also, defenses will change over time.

WHAT HAVE WE LEARNED, GRASSHOPPER?

Incident 1

• Your upstream provider notifies you that all the machines in a given subnet are actively flooding an external company

- What’s going on? What do you do? What went wrong that allowed this to happen?
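Answering "what's going on?" in Incident 1 depends on the Accountability slide's point that the logs have to exist. As an added example (not from the slides, and not any particular flow-collector's format), here is the detection step run over constructed flow records from the affected subnet: it groups outbound flows by external destination and flags a destination when many distinct campus hosts are each sending heavy traffic to it, the pattern of compromised hosts acting as the DDoS "slaves" from the earlier diagram. The record format, the thresholds and the `CAMPUS` range are assumptions for this example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

CAMPUS = ip_network("192.0.2.0/24")  # hypothetical subnet the provider complained about

# Constructed flow records: "timestamp src dst proto packets", one line per flow.
SAMPLE_FLOWS = """\
2001-03-05T02:14:01 192.0.2.31 203.0.113.200 udp 48000
2001-03-05T02:14:01 192.0.2.32 203.0.113.200 udp 51200
2001-03-05T02:14:02 192.0.2.33 203.0.113.200 udp 47900
2001-03-05T02:14:02 192.0.2.34 203.0.113.200 udp 50300
2001-03-05T02:14:03 192.0.2.35 203.0.113.200 udp 49100
2001-03-05T02:14:03 192.0.2.36 203.0.113.200 udp 52000
2001-03-05T02:14:04 192.0.2.21 198.51.100.9 tcp 120
2001-03-05T02:14:05 192.0.2.22 198.51.100.9 tcp 95
2001-03-05T02:14:05 192.0.2.23 198.51.100.44 tcp 40
2001-03-05T02:14:06 198.51.100.9 192.0.2.21 tcp 110
"""


def parse_flows(text):
    """Parse flow lines into dicts; skip blank or malformed lines rather than crash."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, pkts = parts
        try:
            flows.append({"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
                          "proto": proto, "pkts": int(pkts)})
        except ValueError:
            continue
    return flows


def find_outbound_floods(flows, inside=CAMPUS, min_sources=5, min_pkts_per_source=10000):
    """Group outbound flows by external destination. Flag a destination when at
    least `min_sources` distinct inside hosts each sent `min_pkts_per_source`
    packets or more to it. Returns {destination: [flooding campus hosts]}."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f["src"] in inside and f["dst"] not in inside:
            per_dst[f["dst"]][f["src"]] += f["pkts"]
    floods = {}
    for dst, sources in per_dst.items():
        heavy = sorted(str(s) for s, n in sources.items() if n >= min_pkts_per_source)
        if len(heavy) >= min_sources:
            floods[str(dst)] = heavy
    return floods


if __name__ == "__main__":
    for target, hosts in find_outbound_floods(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{target}: {len(hosts)} campus hosts flooding it: {', '.join(hosts)}")
```

The list of flagged hosts is the input to the rest of the incident: those machines get isolated and examined (with the file-integrity caveats from the rootkit slide in mind), and the fact that a whole subnet was compromised at once points back at the "what went wrong" question rather than at the flood itself.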

Incident 2

• The State Police call and report multiple instances of credit card fraud via a store’s web-based order form. The IPs are in your address space but not ones you instantly recognize.

Incidents 3 & 4

• A broadcast medium experiences some disruption. It appears that there are some unexpected files on the drive. (This is the second time this has happened this week).

• An administrative desktop machine is sending unexpectedly large volumes to the commercial Internet. Suddenly reports of probes/defaced web pages are received related to this machine.

Summary

• Security isn’t “going away”. In fact, it’s becoming the squeaky wheel that must be oiled - now

• Incidents are becoming technically “neat” but increasingly difficult to resolve. They involve more systems and are harder to detect initially

• If there truly was a “hacker ethic”, it seems to be eroding

• Examining systems (and preserving evidence) requires skilled forensic examination

Questions?