Kathleen Kimball, Director, Computer and Network Security, Penn State (slide transcript; posted 18-Dec-2015)
Kathleen Kimball, Director, Computer and Network Security
Penn State
(814) 863-9533 FAX: (814) 865-2585 24 hr: 863-HELP
Email: [email protected]
Incident Email: [email protected]
To Boldly Go! To Go Boldly? (Whatever…)
Security in University Environments
Network Security Office
• Responsible for University-wide network security functions
• Functional Responsibilities include:
Policy Development
Training
Vulnerability Assessment
Risk Analysis
Incident Response
[Figure: organization chart. Director, Computer and Network Security, with functions Policy, Training, Vulnerability Assessment, Risk Analysis, Incident Response]
Session Overview
• Problem Review
• Security Elements
• Incident Experience
• Is there Hope? What needs to be solved? Current /Future “Solutions”
The University Problem
• Insecure systems, networks and apps (Oh, my!)
• Insufficient numbers of trained personnel
• Extremely wide-ranging user requirements
• The Barbarians are sometimes inside the gates
- Complicates some traditional corporate approaches
• Exploit tools simple enough for a 10 year old; security tools incomprehensible to a 50 year old
• High speed connectivity. (Flooding and warez trading can be done at extremely fast speeds)
Security Elements
• Authentication
• Authorization
• Confidentiality and Integrity
• Accountability
An Important Principle
• Least Privilege
- Perhaps we should call it Appropriate Privilege
- You should have access to everything that you need; those without a similar need should not
Least Privilege (Continued)
• Easy to visualize in terms of applications or database fields. (In most cases, I should not have access to your medical or credit records).
• Needs to be extended to systems and networks
- System - Turn off unused services; set file and directory permissions to limit access to those who truly require access; limit root and “everyone” access
- Network - does every machine globally really need to be able to check your electronic doors and windows???
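The system-level half of the slide (limit "everyone" access; set file and directory permissions to those who truly require access), as an added example that is not part of the deck: a small Python audit that walks a tree, reports world-writable entries and setuid/setgid executables, and strips the "other" write bit from the former. The function names (audit_permissions, tighten, build_demo_tree) and the sample tree are constructed for this example.

```python
import os
import stat
import tempfile

def audit_permissions(root):
    """Walk root and return sorted (relative_path, finding) pairs for entries
    that give 'everyone' more than they need: world-writable files and
    directories (a sticky-bit directory such as /tmp is accepted) and
    setuid/setgid executables. Symlinks are skipped."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            rel = os.path.relpath(path, root)
            is_dir = stat.S_ISDIR(mode)
            if mode & stat.S_IWOTH and not (is_dir and mode & stat.S_ISVTX):
                findings.append((rel, "world-writable"))
            if not is_dir and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid"))
    return sorted(findings)

def tighten(root, findings):
    """Remediate the world-writable findings by clearing the 'other' write
    bit. setuid/setgid findings are reported only: whether a binary truly
    needs the bit is a per-program decision, not a blanket rule."""
    for rel, kind in findings:
        if kind == "world-writable":
            path = os.path.join(root, rel)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            os.chmod(path, mode & ~stat.S_IWOTH)

def build_demo_tree():
    """Constructed sample tree (not a real system): one world-writable
    directory, one sticky-bit drop box, a mode 666 config file, a setuid
    helper and an ordinary mode 644 file."""
    root = tempfile.mkdtemp(prefix="lp-demo-")
    for name, mode in (("shared", 0o777), ("dropbox", 0o1777)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    for name, mode in (("config.ini", 0o666), ("helper", 0o4755), ("notes.txt", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, kind in audit_permissions(demo_root):
        print(f"{kind:15} {rel}")
```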
Authentication
• Who are you anyway?
• Methods
User/ID Password
Certs (Not the breath mint)
Tokens or smart cards
Biometrics
Combinations of the above
Cryptographically Secure Certificates
• Selectively promising but also mildly overhyped
• Problems:
- Whoever issues it has to accept something to prove who you are - what if they’re wrong
- Where do you keep your Certs -- your hard drive is the wrong answer
- How do you unlock them - adequacy of passphrase or other technique
- On the critical infrastructure side -- how do you check revocation status in almost real-time
Other
• Tokens and smart cards
- Good augmentation. Frustrating for the forgetful
• Biometrics
- Will be more extensively used as the price becomes more attractive
Rule of Thumb
• Make both Authentication and Authorization mechanisms proportionate not just to the value of the data but also to the value of your system or network to the attacker
Authorization
• Now that you know who I am; what can I do?
- Usually controlled by database or extended directory mechanism
- May be individual or role-based
At a system level: What can I access on the system (relevant permissions)
At a network level: What parts of the network can I see (or reach out and touch)
Confidentiality and Integrity
• Encryption
- Secret key
- Public/private key
- Digital signatures
- Cryptographically secure checksums
Limitations
• Keylength (Brute Force Attack)
• Non-Random Random Numbers to Generate Seed
• Compromise of Secret Key
• Poor Passphrase Selection (or keystroke monitoring)
• Does not substitute for other security measures (e.g., host security)
Accountability
• Logs are good
- Access to logs can be adequately controlled; but if the data is not there, the trail ends
* All the King’s horses, FBI agents or Galactic Defense Forces cannot trace something technically in the absence of logs
Selected Defenses/“Solutions”
• Encryption
• Firewalls
• Intrusion Detection
• Other
Solutions: Firewalls
• Firewalls are collections of filters and gateways that shield trusted networks from untrusted networks.
[Figure: a firewall at the security perimeter, between the untrusted network (outside) and the trusted network (inside)]
Screened Subnet
[Figure: untrusted network - exterior router - perimeter network with bastion host - interior router - interior network]
Personal Firewalls
• Can obtain a small hardware based firewall, but normally this term refers to software based
• Low cost
• Shows a lot of promise in areas that have zero investment dollars (e.g., student residence hall machines)
Limitations
• If the attacker is already on the interior or trusted network, there’s no protection
• Reasonably easy to bypass (dial-up modem at the desk)
• Can only address known threats. New threats may get through
• Does not inhibit viruses (for the most part)
Bottom Line
• Firewalls are useful as part of a “defense in depth strategy”
• They do not solve all problems, everywhere
• They are less useful in environments where the barbarians are already inside the gates
INTRUSION DETECTION NEEDED
Intrusion Detection
• Most practical now check for changes in critical files (e.g., tripwire)
• Much work (particularly government) in network models
• Some commercial products available
Ultimately this is where we must evolve. We need not only locks but also burglar alarms....
Other Issues: Web Security
• Web Security approaches are somewhat one-dimensional
• Approaches address secure session conduct and document transmission
• Do not address host security issues, privacy, denial of service
• ****A “SECURE” SERVER ISN’T (at least not comprehensively)****
Incidents: A Growth Industry
• A Department of Defense (DoD) tiger team test:
8932 systems tested
7860 systems successfully penetrated
390 sys admins detected the attack
19 reported the attack
Total Incident Percentages - 1999
[Figure: pie chart of incident categories]
Denial of Service - 44%
Spam, Relays, Chain Letters - 21%
Unauthorized Access Attempts - 17%
Other - 6%
Electronic Harassment - 4%
System-Acct-Data Compromise - 4%
Commercial Use - 2%
Copyright Violation - 1%
Forgeries - 1%
Total Reported: 3976
Average (Month): 331.3
Highest - October (500)
Lowest - July (157)
Comparison of Incidents by Year, 1997 through 1999
[Figure: bar chart per year of Average Month, Lowest Month, Highest Month and Total Incidents; vertical axis 0 to 4000]
Total Incidents: 1997 - 979; 1998 - 2310; 1999 - 3976
Selected Intrusion Techniques
• Probes
- Also email borne virii-worms
• IP Spoofing
• Floods (non-distributed)
• Log modification (rootkit)
• “Combo Plate” - Multiple attacks combined - may involve multiple OS (the latest “worm”)
• Distributed Denial of Service Attacks
Trinoo, TFN, TFN2K, Stacheldraht (carko)
Probes
• Typically automated scans to determine which services are running on a given port
• Determine vulnerable services and, optionally attempt to exploit
• Double-edged sword -- Can be extremely valuable to system administrators
• Examples: Strobe, ISS, nmap
Email Borne Virii-worms
• Hybris
- Snowhite, “Dirty words”
• Romeo and Juliet
• “From” addresses not trustworthy. Some variants not only replicate “to” email addressees but may also pull the “from” address at random from that source
• Digression: Windows Trojans
Log & Utility Changes (Rootkit)
• Used AFTER a system has been compromised
• Trojans the most common tools/utilities that would enable the intrusion to be detected (e.g., login, ls, ps, ifconfig, netstat). Trojan program checksums will match the true distribution.
• Alters log files to eliminate evidence of activity
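The rootkit slide's warning that trojaned utilities carry matching checksums, the "cryptographically secure checksums" item under Confidentiality and Integrity, and the tripwire-style check under Intrusion Detection, tied together in one added example that is not part of the deck: a simple additive checksum can be kept equal by padding the replaced file, while a SHA-256 baseline of the tree reports exactly which file changed. The function names (weak_sum, pad_to_match, baseline, verify, demo) and the sample "bin" directory are constructed for this example; the additive checksum stands in for the old non-cryptographic sums, not for any particular tool.

```python
import hashlib
import os
import tempfile

def weak_sum(data):
    """Additive 8-bit checksum: stands in for the old non-cryptographic
    'sum'-style checks that a replaced binary can be padded to match."""
    return sum(data) % 256

def pad_to_match(data, target):
    """Append one byte so that weak_sum(result) == target. This is why a
    matching weak checksum proves nothing about the file's integrity."""
    return data + bytes([(target - weak_sum(data)) % 256])

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def baseline(root):
    """Tripwire-style baseline: SHA-256 of every regular file under root,
    keyed by relative path. Keep the result off-host or read-only; a
    rootkit running as root can rewrite any baseline it can reach."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                manifest[os.path.relpath(path, root)] = sha256_hex(fh.read())
    return manifest

def verify(root, manifest):
    """Compare the tree against the baseline and report differences."""
    now = baseline(root)
    return {
        "changed": sorted(p for p in manifest if p in now and now[p] != manifest[p]),
        "added": sorted(p for p in now if p not in manifest),
        "removed": sorted(p for p in manifest if p not in now),
    }

def demo():
    """Constructed sample: baseline a fake 'bin' directory, then replace
    'ls' with a different script padded so the weak checksum stays equal."""
    root = tempfile.mkdtemp(prefix="tw-demo-")
    os.makedirs(os.path.join(root, "bin"))
    genuine = b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n"
    for name in ("ls", "ps"):
        with open(os.path.join(root, "bin", name), "wb") as fh:
            fh.write(genuine)
    manifest = baseline(root)
    replaced = pad_to_match(b"#!/bin/sh\n# altered\nexec /usr/bin/ls \"$@\"\n", weak_sum(genuine))
    with open(os.path.join(root, "bin", "ls"), "wb") as fh:
        fh.write(replaced)
    return {"weak_sum_matches": weak_sum(replaced) == weak_sum(genuine),
            "report": verify(root, manifest)}
```

Untouched files such as "ps" do not appear in the report, so the baseline only ever points at what actually changed, which is the property the slides ask of "burglar alarms".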
Denial of Service
• IP address frequently (but not always) “spoofed”
• Simple (ping floods, mail bombs)
• Slightly more complicated (Smurf)
• The real mother (Distributed Denial of Service Attacks)
Ugly is as Ugly DoS
[Figure: Distributed DoS topology. Attacker controls Master 1 through Master N; each Master controls Slave 1 through Slave N]
What Needs to be Solved?
• Host Security
- Systems and Network Administration
Will we ever have enough people with sufficient training to “get well”?
- Education (Catch 22: Interest is proportional to direct, personal experience. The most effective security proponents are those who have just been exploited)
- VENDOR IMPROVEMENTS
What Needs to be Solved (Continued)
• Network Security
Protocol Vulnerabilities
Authentication and Authorization
Confidentiality and Integrity Protection en route
Intelligent implementation of distributed firewall/filtering approaches consistent with the unique nature of university environments
Intrusion Detection - implies better logging
Integrated Planning Needed
• THERE IS NO MAGIC BULLET. No one solution will make your installation secure. Defense in depth required...Also, defenses will change over time.
Incident 1
• Your upstream provider notifies you that all the machines in a given subnet are actively flooding an external company
- What’s going on? What do you do? What went wrong that allowed this to happen?
Incident 2
• The State Police call and report multiple instances of credit card fraud via a store’s web-based order form. The IPs are in your address space but not ones you instantly recognize.
Incidents 3 & 4
• A broadcast medium experiences some disruption. It appears that there are some unexpected files on the drive. (This is the second time this has happened this week).
• An administrative desktop machine is sending unexpectedly large volumes to the commercial Internet. Suddenly reports of probes/defaced web pages are received related to this machine.
Summary
• Security isn’t “going away”. In fact, it’s becoming the squeaky wheel that must be oiled - now
• Incidents are becoming technically “neat” but increasingly difficult to resolve. They involve more systems and are harder to detect initially
• If there truly was a “hacker ethic”, it seems to be eroding
• Examining systems (and preserving evidence) requires skilled forensic examination