
Transcript of Sem 001 sem-001

Page 1: Sem 001 sem-001

Security Basics Seminar Agenda

Start Time   Title                                                 Presenter
8:30 AM      Introduction                                          Hugh Thompson
8:45 AM      Security Industry and Trends                          Hugh Thompson
9:30 AM      Viruses, Malware and Threats                          Uri Rivner
10:15 AM     Break
10:30 AM     Governance, Risk and Compliance                       Justin Peavey
11:15 AM     Application Security                                  Jason Rouse
12:00 PM     Break
1:15 PM      Crypto 101/Encryption Basics, SSL & Certificates      Ben Jun
2:00 PM      Mobile and Network Security                           Paul Youn, Marc Blanchou
2:45 PM      Break
3:00 PM      Authentication Technologies                           Bill Duane
3:45 PM      Firewalls and Perimeter Protection                    Bill Cheswick
4:30 PM      Seminar Adjourns

Page 2: Sem 001 sem-001

Session ID: SEM-001
Session Classification: Introductory

Introduction and a look at Security Trends

Hugh Thompson, Ph.D., Program Committee Chairman, RSA Conference. Twitter: @DrHughThompson

Page 3: Sem 001 sem-001

Agenda

Intro to Information Security
Security Trends
Business of Information Security

Page 4: Sem 001 sem-001

www.plateaueffect.com

Background

Page 5: Sem 001 sem-001

Intro to Information Security

Page 6: Sem 001 sem-001

Hacking a soda machine…

                 Bahamas 10¢     US 25¢
Value            US $0.10        US $0.25
Size             23.5 mm         24.26 mm
Weight           5.7 g           5.67 g
Composition      Nickel          Cupro-Nickel

Page 7: Sem 001 sem-001

The Shifting IT Environment (…or why security has become so important)

Page 8: Sem 001 sem-001

Shift: Compliance and Consequences

► The business has to adhere to regulations, guidelines, standards, …
► SAS 112 and SOX (U.S.) have upped the ante on financial audits (and supporting IT systems)
► PCI DSS: requirements on companies that process payment cards
► HIPAA, GLBA, Basel II, …, many more
► Audits are changing the economics of risk and create an “impending event”: hackers may attack you, but auditors will show up
► Disclosure laws mean that the consequences of failure have increased
► Waves of disclosure legislation

Page 9: Sem 001 sem-001

Shift: Technology

• System communication is fundamentally changing: many transactions occur over the web
• Network defenses are covering a shrinking portion of the attack surface
• Cloud is changing our notion of a perimeter
• Worker mobility is redefining the IT landscape
• The security model has changed from good people vs. bad people to enabling partial trust. There are more “levels” of access: extranets, partner access, customer access, identity management, …

Page 10: Sem 001 sem-001

Shift: Attackers

► Cyber criminals are becoming organized and profit-driven
► An entire underground economy exists to support cybercrime
► Attackers are shifting their methods to exploit both technical and human weaknesses
► Attackers are after much more than traditional monetizable data (PII, etc.): hacktivism, state-sponsored attacks, IP attacks/breaches

Page 11: Sem 001 sem-001

► Customers, especially businesses, are starting to use security as a discriminator

► In many ways security has become a non-negotiable expectation of businesses

► Banks, photocopiers, pens, etc. are being sold based on security…

► Security being woven into service level agreements (SLAs)

Shift: Customer expectations

Page 12: Sem 001 sem-001

Big Questions

► How do you communicate the value of security to the enterprise (and management)?
► How do you measure security?
► How do you rank risks?
► How do you reconcile security and compliance?
► How can you be proactive and not reactive?
► What does “security” mean? Where does our job begin and end?
► What about big issues in the news like APTs, hacktivism, leaks, DDoS attacks, …? How should/can we adapt what we do based on them?

Page 13: Sem 001 sem-001

The Economics of Security

Page 14: Sem 001 sem-001

Hackernomics (noun)

A social science concerned chiefly with the description and analysis of attacker motivations, economics, and business risk. Characterized by 5 fundamental immutable laws and 4 corollaries.

Page 15: Sem 001 sem-001

Law 1

Most attackers aren’t evil or insane; they just want something

Corollary 1.a.:

We don’t have the budget to protect against evil people but we can protect against people that will look for weaker targets

Page 16: Sem 001 sem-001

Law 2

Security isn’t about security. It’s about mitigating risk at some cost.

Corollary 2.a.:

In the absence of metrics, we tend to over-focus on risks that are either familiar or recent.

Page 17: Sem 001 sem-001

Law 3

Most costly breaches come from simple failures, not from attacker ingenuity

Corollary 3.a.:

Bad guys can, however, be VERY creative if properly incentivized.

Page 20: Sem 001 sem-001

Law 4

In the absence of security education or experience, people (employees, users, customers, …) naturally make poor security decisions with technology

Corollary 4.a.: Systems need to be easy to use securely and difficult to use insecurely

Page 21: Sem 001 sem-001

Law 5

Attackers usually don’t get in by cracking some impenetrable security control; they look for weak points like trusting employees

Page 22: Sem 001 sem-001

A Visual Journey of Security Trends

Page 23: Sem 001 sem-001

2008

Page 24: Sem 001 sem-001

2009

Page 25: Sem 001 sem-001

2010

Page 26: Sem 001 sem-001

2011

Page 27: Sem 001 sem-001

2012

Page 28: Sem 001 sem-001

2013

Page 29: Sem 001 sem-001

Enjoy the rest of the conference!!

Page 30: Sem 001 sem-001

Session ID: SEM-001
Session Classification: General Interest

Advanced Cyber Threats

Uri Rivner, Head of Cyber Strategy, BioCatch

Page 31: Sem 001 sem-001

Join the Dark Economy

Page 32: Sem 001 sem-001

Fraud Eco System (diagram labels)

Harvesting Fraudster
Technical Infrastructure (Tools, Hosting, Delivery)
User Account
Cash-Out Fraudster
Operational Infrastructure (Mules, Drops, Monetizing)
Communication: fraud forum / chat room

Page 33: Sem 001 sem-001

Gaining Credibility

Page 34: Sem 001 sem-001

Crimeware you can Afford

Page 35: Sem 001 sem-001


Sinowal (proprietary), launched 2006

Page 36: Sem 001 sem-001

Sinowal (proprietary), launched 2006: your online banking password… and then some more.

Page 37: Sem 001 sem-001

Drive By Download still strong

Page 38: Sem 001 sem-001

Social Network Infection

Page 39: Sem 001 sem-001

Infection Services Are Your Friends

2.3 cents per hijacked PC

Page 40: Sem 001 sem-001

Seeing is Believing

Page 41: Sem 001 sem-001

ZeusiLeaks

Page 43: Sem 001 sem-001

Zeus 2.0: most popular Trojan kit ($3,000)

Features of Zeus 2.0:
Polymorphism
HTML injections
MITB (man-in-the-browser) capability
Documentation
Customer support

Page 44: Sem 001 sem-001

Trojan Infrastructure (diagram): Infection / Update, Drop Zone, Command & Control

Page 45: Sem 001 sem-001

Personal/Work Mix

Page 46: Sem 001 sem-001

The Executive Assistant

Page 47: Sem 001 sem-001

Foreign space agency

Page 48: Sem 001 sem-001

Particle Accelerator

Page 49: Sem 001 sem-001

The Treasurer

Page 50: Sem 001 sem-001

Laser Focused Trojans

Page 51: Sem 001 sem-001

Lost your Carbon? NimKey Trojan

Page 52: Sem 001 sem-001

NimKey Command & Control: €23,000,000

Page 53: Sem 001 sem-001

€18,700,000 and €7,000,000

Page 56: Sem 001 sem-001

Humans can’t be Patched

Page 57: Sem 001 sem-001

Advanced Persistent Threats: See anything in common?

Attack        Targets                                                                             Entry Vector     Going After
Ghostnet      Ministries, embassies, Office of the Dalai Lama                                     Spear phishing   Sensitive documents
Aurora        34 companies: Google, Adobe, defense, internet, financial, critical infrastructure  Spear phishing   Intellectual property
Night Dragon  Critical infrastructure                                                             Spear phishing   Intellectual property

94% of attacks undetected by target

Page 58: Sem 001 sem-001

Advanced Persistent Threats: What’s new here? (figure contrasting 1980-2010 with 2010-2020)

Page 59: Sem 001 sem-001

New Defense Doctrine

Page 60: Sem 001 sem-001

Fighting Advanced Threats : Key Requirements 

Resistance Detection Investigation Intelligence

Page 61: Sem 001 sem-001

Q&A

Got any questions? Send me a LinkedIn invitation (Uri Rivner)

Page 62: Sem 001 sem-001

Governance, Risk, and Compliance

Justin S. Peavey, Omgeo

Page 63: Sem 001 sem-001

Introductions

Justin Peavey SVP, Information Systems & Security, CISO Omgeo, LLC [email protected]

Page 64: Sem 001 sem-001

Agenda


What is GRC?

How to Get Started

Recommendations

Page 65: Sem 001 sem-001

What is GRC?


Page 66: Sem 001 sem-001

GRC Defined

Governance is the culture, policies, processes, laws, and institutions that define the structure by which companies are directed and managed.

Compliance is the act of adhering to, and demonstrating adherence to, external laws and regulations as well as corporate policies and procedures.

Risk is the effect of uncertainty on business objectives; risk management is the coordinated activities to direct and control an organization to realize opportunities while managing negative events.

Page 67: Sem 001 sem-001

What is driving GRC (diagram)

Security standards; regulatory requirements; risk management practices; ethical and financial standards; new technologies; transparency and accountability demands; demonstration of controls

Page 68: Sem 001 sem-001

Views of GRC

• GRC has traditionally been viewed as the structure and actions in place to avoid negative consequences:
  – Regulatory fines
  – Costs/reputation loss due to security breach
  – Costs associated with inefficiencies in operations
  – Ethical or financial scandals

• Increasingly, GRC is being viewed as fundamental to complex business operations:
  – Complex, multi-national legal and regulatory landscape
  – Major highly-impactful events increasing the consequences

Page 69: Sem 001 sem-001

Tangent: Why Regulation?

• Regulation is “controlling human or societal behavior by rules or restrictions” [1]
  – Regulation attempts to produce outcomes or prevent outcomes which otherwise might not occur in the desired manner.

• Schneier on regulation [2]: “[it] is all about economics”
  – In a capitalist system, companies make decisions in their own self-interest. Normally this is a good thing, but some effects of the decisions, externalities, are not borne by the companies.
  – Regulation and liability force the externalities to be part of the self-interest of the company and become included factors in the decision making.

• Principle-based vs. rules-based regulation
  – Principle-based is less prescriptive and generally weathers time better. It also generally leaves more room for interpretation by both you and the regulators.
  – Rules-based is more prescriptive and therefore generally more straightforward to ‘pass’, but the rules can quickly be dated as new approaches emerge and the goal of the regulation can easily be lost sight of.

• Key: Regulation is all about achieving a specific set of goals. Understand what that goal is, and demonstrate to the regulator how your program achieves that goal.

1. Bert-Jaap Koops et al., Starting Points for ICT Regulations: Deconstructing Prevalent Policy One-liners, Cambridge University Press, Cambridge: 2006, p. 81
2. Bruce Schneier, Do Federal Security Regulations Help?

Page 70: Sem 001 sem-001

How to Get Started?


Page 71: Sem 001 sem-001

Getting Started (from within your security program)

• Acknowledge that Information Security is a Risk Management Discipline

• Acknowledge that fundamentally, you and auditors are trying to achieve similar goals

• If you don’t already, begin integrating Risk Management processes into security operations

Page 72: Sem 001 sem-001

Information Security Risk Management

Image available at: www.ossie-group.org

Page 73: Sem 001 sem-001

Developing a GRC Corporate Strategy: The Strategy Roadmap


ANALYZE: Identify process dependencies, complexity and priority
DISCOVER: Conduct interviews and document GRC processes
PLAN: Determine the project vision, goals, scope and stakeholders
ARCHITECT: Define a GRC solution architecture based on process analysis
PUBLISH: Deliver the strategy roadmap document and application
SCHEDULE: Define the project approach, timeline and resources

Page 74: Sem 001 sem-001

GRC Roadmap (yikes!) (figure: Phase 1 through Phase 5)

Page 75: Sem 001 sem-001

Recommendations


Page 76: Sem 001 sem-001

Recommendations

• Identify high-sensitivity areas and assets to start with (examples):
  – Information Security: applications, sites, key functions
  – Vendor Management: high dependency, high risk, high cost
  – Regulatory & Legal Compliance
  – Finance/Ethics

• Establish a baseline of expected activities/controls to measure from and assess risk

• Refine your assessment models from real data; focus on qualitative, not quantitative analysis. The goal should be to prioritize the most significant risks and most valuable actions.

• Identify actionable or indicative information. Establish metrics/dashboards and a vehicle for getting them reviewed

• As your process stabilizes, look at eGRC options that may map well to your company’s needs.

Page 77: Sem 001 sem-001

Session ID: SEM-001
Session Classification: Beginner

Introduction to Software Security

Jason Rouse, Bloomberg LP

Page 78: Sem 001 sem-001

Agenda

► Introduction
► Who Cares
► Ways Ahead
► Applying Your Knowledge

Page 79: Sem 001 sem-001

INTRODUCTION

Page 80: Sem 001 sem-001

► What do wireless devices, cell phones, PDAs, browsers, routers, operating systems, servers, personal computers, public key infrastructure systems, smart meters, watches, televisions, stereos, and firewalls have in common?

QUICK QUESTION

Software

Page 81: Sem 001 sem-001

QUICK QUESTION #2

Page 82: Sem 001 sem-001

MAGIC CRYPTO FAIRY DUST

“Seven years ago I wrote another book: Applied Cryptography. In it I described a mathematical utopia: algorithms that would keep your deepest secrets safe for millennia, protocols that could perform the most fantastical electronic interactions (unregulated gambling, undetectable authentication, anonymous cash) safely and securely. In my vision cryptography was the great technological equalizer; anyone with a cheap (and getting cheaper every year) computer could have the same security as the largest government. In the second edition of the same book, written two years later, I went so far as to write: ‘It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics.’

It’s just not true. Cryptography can’t do any of that.”

-- Bruce Schneier

Page 83: Sem 001 sem-001

SECURITY = NON-FUNCTIONAL GOALS

► Prevention
► Traceability and auditing
► Monitoring
► Privacy and confidentiality
► Multi-level security
► Anonymity
► Authentication
► Integrity

► A very good basic book is Schneier’s “Secrets and Lies”

Page 84: Sem 001 sem-001

SOFTWARE SECURITY IS HARD

► Complexity never, ever goes down: libraries, languages, compilers, interpreters, scripts, hacks

Page 85: Sem 001 sem-001

SOFTWARE SECURITY IS HARD

► Users must not be involved in hard choices

Page 86: Sem 001 sem-001

SOFTWARE SECURITY IS HARD

►Who truly envisioned this?

►Organic Growth, Interdependence

Page 87: Sem 001 sem-001

WHO HAS ONE OF THESE?

Page 88: Sem 001 sem-001

MODERN SECURITY IS RISK

(Figure: cost ($) against security level from 0% to 100%, plotting cost of mitigation, cost of breaches and total cost; the minimum of the total-cost curve is marked “optimal security at minimum cost”.)

► There is no such thing as 100% secure
► Must make tradeoffs
► Should be BUSINESS DECISIONS
► Proactive security is about building things right
► Security is not a “function”
► It’s all about SOFTWARE
► Most security problems are caused by software bugs and flaws
► We MUST build secure software

Page 89: Sem 001 sem-001

Who Cares?

Page 90: Sem 001 sem-001

WE CARE BECAUSE…

Software is business-critical and causes significant impact when it fails …

$59.5 billion: security flaws, bugs and software (National Institute of Standards and Technology, 2004)
$100M - $200M: cost of product recall (wireless device providers)
Hundreds of thousands of mobile users infected with malware (Fortune 100, 2012)
$500M in lost market value (Fortune 500 entertainment company)
75% of all attacks occur at the application layer (Gartner)
World-wide denial of service to cellular telephones (mobile network operator)

Page 91: Sem 001 sem-001

Defects at Each Stage of Software Development

(Bar chart: percentage of defects, 0 to 60, by stage: Requirements, Design, Testing, Coding, Maintenance. Source: TRW)

Page 92: Sem 001 sem-001

Cost of Fixing Defects at Each Stage of Software Development

(Bar chart: cost per defect, $0 to $15,000, by stage: Requirements, Design, Testing, Coding, Maintenance. Source: TRW)

Page 93: Sem 001 sem-001

WHERE DOES SECURITY GO?

Page 94: Sem 001 sem-001

Er… Castles…


Page 97: Sem 001 sem-001

NEVER FORGET THE INSIDE

► Perimeter security protects the LAN: network firewalls, intrusion detection. Reactive.
► Host security protects the machine: patching (operating systems and applications). Operational.
► Software security protects ALL software: (S)SDLC. Think about what this means for your organization! Constructive.
► Data security protects digital assets. Data security requires an understanding of data AT REST, IN MOTION, and IN USE.

Page 98: Sem 001 sem-001

Ways Ahead

Page 99: Sem 001 sem-001

EVERYBODY, EVERYWHERE

Page 100: Sem 001 sem-001

A Wee Demonstration…

Page 101: Sem 001 sem-001

Examining The Problem

(The “Uh-Oh” Part)

Page 102: Sem 001 sem-001

EXAMINING the PROBLEM: PROGRAM INPUT

Page 103: Sem 001 sem-001

EXAMINING the PROBLEM: ERRORS and LOGGING

Page 104: Sem 001 sem-001

EXAMINING the PROBLEM: Auth & Auth

Page 105: Sem 001 sem-001

Applying Your Knowledge

Page 106: Sem 001 sem-001

Keep these things in mind at all times!

Page 107: Sem 001 sem-001

INPUT VALIDATION IN THEORY

Page 108: Sem 001 sem-001

OUTPUT ENCODING

► Determine your output context
► Identify control characters
► Ensure output conforms to proper format
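The three bullets above, worked in code. This is an added example and not part of the seminar slides: one constructed attacker string is rendered into four output contexts (HTML body, quoted attribute, JavaScript string literal, URL query value), first by naive concatenation and then with an encoder chosen per context. The page template, the `PAYLOAD` string and the `script_tag_count` check are all constructed for the example; the encoders are the Python standard library's.

```python
import html
import json
from urllib.parse import quote

# One encoder per output context. The context decides which characters are
# "control characters"; encoding for the wrong context is as bad as none.

def for_html(value: str) -> str:
    """HTML body text, or the inside of a DOUBLE-QUOTED attribute.
    '<', '>', '&' and both quote characters become entities."""
    return html.escape(value, quote=True)

def for_js_string(value: str) -> str:
    """The inside of a JavaScript string literal in a <script> block.
    JSON escaping neutralizes quotes, backslashes and newlines; '<', '>' and
    '&' are then written as \\uXXXX escapes so the literal can never close
    the enclosing <script> element (e.g. with "</script>")."""
    encoded = json.dumps(value, ensure_ascii=True)[1:-1]
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))

def for_url_query(value: str) -> str:
    """A single query-string value: percent-encode everything but unreserved characters."""
    return quote(value, safe="")

# Constructed attacker input that tries to break out of every context at once.
PAYLOAD = '"><script>alert(1)</script><!--'

def unsafe_page(name: str) -> str:
    """The 'before': the untrusted value is concatenated into four contexts unchanged."""
    return (f"<p>Hello {name}</p>\n"
            f'<input value="{name}">\n'
            f'<script>var user = "{name}";</script>\n'
            f'<a href="/profile?u={name}">me</a>\n')

def safe_page(name: str) -> str:
    """The 'after': identical layout, each insertion encoded for its own context."""
    return (f"<p>Hello {for_html(name)}</p>\n"
            f'<input value="{for_html(name)}">\n'
            f'<script>var user = "{for_js_string(name)}";</script>\n'
            f'<a href="/profile?u={for_url_query(name)}">me</a>\n')

def script_tag_count(page: str) -> int:
    """Crude detector: number of raw '<script' openers in the rendered page.
    The template legitimately contains exactly one."""
    return page.lower().count("<script")

if __name__ == "__main__":
    print(script_tag_count(unsafe_page(PAYLOAD)))  # 5: the attacker's tag lands in all four spots
    print(script_tag_count(safe_page(PAYLOAD)))    # 1: only the template's own <script>
```

Note that `for_html` is only sufficient for attributes that the template actually wraps in double quotes; an unquoted attribute has a different set of control characters (whitespace, `/`, `=`), which is the "determine your output context" step again.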

Page 109: Sem 001 sem-001

ACTIONS: BOTTOM-UP

► A few relatively simple things can make a tangible difference and can help you get started with software security
► Within the next 3 months, you should:
  ► Begin to develop a resource set (e.g., portal)
  ► Start small with simple architecture risk analyses
  ► Target high-risk or high-profile applications
  ► Develop and socialize business-case justifications
  ► Make friends in low places!
  ► Leverage, if applicable, code scanning tools (where available)
  ► Never underestimate the power of simple tools

Page 110: Sem 001 sem-001

ACTIONS: TOP-DOWN

Aim for a 6-12 month journey:
► Chart out a strategic course of action to get where you want to be
► Get help: have a gap analysis performed
► Make achievable, realistic milestones
► Think about measurements & metrics for success
► Use outside help as you need it
► Document, share, and learn from your experience!

Page 111: Sem 001 sem-001

Thank You!

Page 112: Sem 001 sem-001

Session ID: SEM-001

Crypto 101/Encryption, SSL & Certificates

Benjamin Jun, VP and CTO, Cryptography Research Inc.

Slides adapted from: Ivan Ristic, Qualys (RSAC 2011)

Page 113: Sem 001 sem-001

Agenda

CRYPTOGRAPHY

VULNERABILITIES

SSL / TLS

CERTIFICATES

Page 114: Sem 001 sem-001

CRYPTOGRAPHY

Page 115: Sem 001 sem-001

What is Cryptography?

Cryptography is the art and science of keeping messages secure.

(Diagram) Cryptology divides into:
Cryptography: symmetric encryption (stream ciphers, block ciphers), asymmetric encryption, hash functions, digital signatures, protocols
Cryptanalysis

Page 116: Sem 001 sem-001

What Does Secure Mean?

Always required:
► Confidentiality
► Integrity
► Authentication
► Non-repudiation

Other criteria:
► Interoperability
► Performance

Page 117: Sem 001 sem-001

Meet Alice and Bob

Good guys:
► Alice, Bob

Bad guys:
► Eve (passive, eavesdropper)
► Mallory, Oscar, Trudy (active, man in the middle)

Page 118: Sem 001 sem-001

How Does Encryption Work?

► Obfuscation that is fast when you know the secrets, but impossible or slow when you don’t.
► Computational security means that something cannot be broken with available resources, either now or in the future.
► Aspects of complexity: amount of data, processing power, memory capacity

Page 119: Sem 001 sem-001

Symmetric Encryption

Convenient and fast:
► Common algorithms: RC4, 3DES, AES
► Secret key must be agreed on in advance
► Group communication requires secure key distribution
► No authentication
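The “no authentication” bullet is the one that gets skipped, so here is what it costs, as an added example that is not part of the seminar slides. The cipher is a constructed toy (SHA-256 run in counter mode as a keystream, standing in for RC4 or AES-CTR, which are malleable in exactly the same way) so the block runs on the Python standard library alone; the message layout, keys and nonce are constructed for the example. The attacker flips ciphertext bits to change the amount without knowing the key; encrypt-then-MAC with HMAC-SHA256 is the fix.

```python
import hashlib
import hmac
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """TOY keystream: SHA-256(key || nonce || counter), block after block.
    A stand-in for a real stream/CTR-mode cipher; the malleability shown below
    is a property of every unauthenticated XOR cipher, not of this construction."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))

decrypt = encrypt   # XOR with the same keystream undoes itself

def flip_field(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker step, no key needed: C ^ old ^ new == K ^ new, so whoever knows
    (or guesses) the plaintext bytes at 'offset' gets to choose the new ones."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)

# --- The fix: encrypt-then-MAC, with the tag covering nonce and ciphertext. ---

def seal(key_enc: bytes, key_mac: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    assert len(nonce) == NONCE_LEN
    ct = encrypt(key_enc, nonce, plaintext)
    tag = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key_enc: bytes, key_mac: bytes, sealed: bytes) -> Optional[bytes]:
    nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare; verify BEFORE decrypting
        return None
    return decrypt(key_enc, nonce, ct)

# Constructed sample message with a fixed layout the attacker can predict.
MESSAGE = b"transfer amount=0100 to=alice"
AMOUNT_OFFSET = MESSAGE.index(b"0100")

def demo_unauthenticated(key: bytes, nonce: bytes) -> bytes:
    """Encrypt, let the attacker tamper, decrypt: the receiver sees amount=9100."""
    forged = flip_field(encrypt(key, nonce, MESSAGE), AMOUNT_OFFSET, b"0100", b"9100")
    return decrypt(key, nonce, forged)

def demo_authenticated(key_enc: bytes, key_mac: bytes, nonce: bytes) -> Optional[bytes]:
    """The same tampering against the sealed message: the tag fails, nothing is returned."""
    sealed = seal(key_enc, key_mac, nonce, MESSAGE)
    forged = flip_field(sealed, NONCE_LEN + AMOUNT_OFFSET, b"0100", b"9100")
    return open_sealed(key_enc, key_mac, forged)

if __name__ == "__main__":
    k_enc, k_mac, nonce = b"E" * 32, b"M" * 32, b"N" * NONCE_LEN   # constructed keys and nonce
    print(demo_unauthenticated(k_enc, nonce))        # b'transfer amount=9100 to=alice'
    print(demo_authenticated(k_enc, k_mac, nonce))   # None
```

Two design points carry over to real systems: the MAC key is separate from the encryption key, and the tag is checked before any decryption or parsing, so tampered input never reaches the code that interprets it. An AEAD mode (AES-GCM, ChaCha20-Poly1305) packages this same guarantee into one primitive.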

Page 120: Sem 001 sem-001

Asymmetric encryption uses two keys; one private and one public. The keys are related.

► RSA, Elliptic Curve, Diffie-Hellman key exchange, Elgamal encryption, and DSA. Also ECDH and ECDSA.

► Enables authentication and secure key exchange.

► Significantly slower than symmetric encryption.

Asymmetric Encryption

Page 121: Sem 001 sem-001

Digital Signatures

Well-known algorithms:
► RSA
  ► Textbook approach: signing involves “encrypting” with the private key
  ► In practice, use a standard digest and padding method
► DSA, ECDSA
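Why the slide insists on “a standard digest and padding method”: an added example, not from the seminar slides, that implements the textbook scheme and breaks it. The key is a constructed toy (the Mersenne primes 2^31-1 and 2^61-1, about 92 bits of modulus, fixed rather than generated so the run is deterministic), and the “digest” is SHA-256 truncated to 64 bits so it fits under that tiny modulus. Real signatures use a full-size key with PKCS#1 v1.5 or PSS padding, which this block does not implement.

```python
import hashlib

# Constructed toy RSA key. Far too small for any real use; fixed so the
# example is deterministic and needs no prime search or library.
P = 2**31 - 1            # Mersenne prime M31
Q = 2**61 - 1            # Mersenne prime M61
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, d = e^-1 mod phi(n)

# --- Textbook RSA: the slide's '"encrypting" with the private key'. ---

def textbook_sign(m: int) -> int:
    """s = m^d mod n on the raw message integer: no hash, no padding."""
    return pow(m, D, N)

def textbook_verify(m: int, s: int) -> bool:
    return pow(s, E, N) == m % N

def forge_product(m1: int, s1: int, m2: int, s2: int):
    """Existential forgery with no key: (m1*m2)^d == m1^d * m2^d (mod n), so two
    signatures the victim really issued yield a third one, on m1*m2, for free."""
    return (m1 * m2) % N, (s1 * s2) % N

# --- Hash-then-sign: what "standard digest and padding" buys you. ---

def digest(message: bytes) -> int:
    """Toy digest: SHA-256 truncated to 64 bits so it is below our 92-bit n.
    (Real schemes keep the full hash and add PKCS#1 v1.5 or PSS padding.)"""
    return int.from_bytes(hashlib.sha256(message).digest()[:8], "big")

def hashed_sign(message: bytes) -> int:
    return pow(digest(message), D, N)

def hashed_verify(message: bytes, s: int) -> bool:
    return pow(s, E, N) == digest(message)

if __name__ == "__main__":
    m1, m2 = 1000, 42
    s1, s2 = textbook_sign(m1), textbook_sign(m2)
    m3, s3 = forge_product(m1, s1, m2, s2)
    print(m3, textbook_verify(m3, s3))      # 42000 True: a forged signature is accepted
    sig = hashed_sign(b"pay 100")
    print(hashed_verify(b"pay 100", sig))   # True
    # The product trick now needs a message whose digest equals digest(a)*digest(b) mod n,
    # which the hash's preimage resistance stops the forger from finding.
    s_prod = (hashed_sign(b"pay 100") * hashed_sign(b"pay 200")) % N
    print(hashed_verify(b"pay 100pay 200", s_prod))   # False
```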

Page 122: Sem 001 sem-001

Random Number Generation

► Random numbers are at the heart of cryptography.
► Used for key generation
► Weak keys equal weak encryption
► Types of random number generators:
  ► True random number generators (TRNG): truly random
  ► Pseudorandom number generators (PRNG): look random
  ► Cryptographically secure pseudorandom number generators (CSPRNG): look random and are unpredictable

Page 123: Sem 001 sem-001

Hash Functions

► Hash functions are lossy one-way transformations that output fixed-length data fingerprints. Usually used for:
  ► Digital signatures
  ► Integrity validation
  ► Tokenization (e.g., storing passwords; for passwords use a salt and a deliberately slow construction such as PBKDF2, bcrypt or scrypt, not a bare hash)
► Desirable qualities of hash functions:
  ► Preimage resistance (one-wayness)
  ► Weak collision resistance (2nd preimage resistance)
  ► Strong collision resistance, bounded by the birthday attack at roughly 2^(n/2) work for an n-bit output
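The gap between second-preimage resistance and collision resistance is the gap between 2^n and 2^(n/2) work, which is easier to believe after watching it. This added example is not from the seminar slides: it truncates SHA-256 to 32 bits (a constructed stand-in for a hash with a small output, so the searches finish in well under a second) and runs a birthday search and a second-preimage search with comparable budgets. The message sequences `msg-i` and `alt-i` are constructed.

```python
import hashlib
import math
from typing import Optional, Tuple

def short_hash(message: bytes, bits: int) -> int:
    """SHA-256 truncated to its top 'bits' bits: a constructed stand-in for a
    hash with a small output, so the attacks below run quickly."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)

def expected_birthday_attempts(bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^bits) random inputs until two collide."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

def find_collision(bits: int, budget: int) -> Optional[Tuple[bytes, bytes, int]]:
    """Birthday attack: hash distinct messages and stop when ANY two outputs
    coincide. Returns (message_a, message_b, attempts) or None."""
    seen = {}
    for i in range(budget):
        msg = b"msg-%d" % i
        h = short_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None

def find_second_preimage(target: bytes, bits: int, budget: int) -> Optional[Tuple[bytes, int]]:
    """Second-preimage attack: match ONE fixed output. Expected cost is about
    2^bits, so a budget that reliably finds a collision almost never succeeds here."""
    goal = short_hash(target, bits)
    for i in range(budget):
        msg = b"alt-%d" % i          # different prefix, so it is never the target itself
        if short_hash(msg, bits) == goal:
            return msg, i + 1
    return None

if __name__ == "__main__":
    BITS = 32
    print(int(expected_birthday_attempts(BITS)))              # about 82,000 for 32 bits
    a, b, tries = find_collision(BITS, 1 << 19)
    print(a, b, tries, short_hash(a, BITS) == short_hash(b, BITS))
    print(find_second_preimage(b"msg-0", BITS, 1 << 19))      # almost certainly None
```

This is why a signature over a hash needs the hash's full collision resistance: an attacker who can find two documents with the same digest can get one signed and present the other, while an attacker who can only target a fixed existing digest faces the much larger second-preimage cost.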

Page 124: Sem 001 sem-001

Protocols

► Communicating securely requires more effort than just putting the primitives together

(Diagram: hybrid message flow)
1. Message → Digest → sign with Alice’s private key → Signature
2. Message, Alice’s certificate and Signature → encrypt with session key → Encrypted message, certificate, and signature
3. Session key → encrypt with Bob’s public key → Encrypted session key

Page 125: Sem 001 sem-001

VULNERABILITIES

Page 126: Sem 001 sem-001

Attacks on Cryptography (diagram)

Cryptanalysis: classical cryptanalysis, mathematical analysis, brute-force attacks
Implementation attacks
Social engineering

Page 127: Sem 001 sem-001

Example: Brute Force (Cryptanalysis)

DES Keysearch Machine, 1998 (Cryptography Research, AWT, EFF) Tests over 90 billion keys per second, taking an average of less than 5 days to discover a DES key.

US Navy Bombe, 1943 Contains 16 four-rotor Enigma equivalents to perform exhaustive key search.

Page 128: Sem 001 sem-001

Example: Side channel (Implementation)

Simple EM attack with a radio; usable signals even at 10 feet away.

(Diagram: devices → antennas (near field / far field) → receiver ($350) → digitizer, GNU Radio ($1000) → signal processing (demodulation, filtering) → DPAWS™ side-channel analysis software)

Page 129: Sem 001 sem-001

Example: Side channel (Implementation)

► Focus on the M^dp mod p calculation (M^dq mod q is similar; these are the two CRT halves of an RSA private-key operation, with dp = d mod (p-1))

For each bit i of the secret dp:
    perform “Square”
    if (bit i == 1) perform “Multiply”
endfor

Observed operation sequence: SM S S S S S S S SM S SM SM S S S SM SM S S S S S S S S S
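The pseudocode and operation sequence above as runnable code: an added example, not from the seminar slides. It implements the square-and-multiply loop with a recorded operation trace standing in for the power or EM measurement, reads the secret exponent straight back out of that trace (including the slide's own S/SM sequence), and shows the square-and-multiply-always countermeasure, whose trace is constant. Base and modulus are constructed; the Python conditional inside the countermeasure is not itself constant-time and is there only to show the trace shape.

```python
# The operation sequence printed on the slide, as an attacker would read it off a trace.
SLIDE_TRACE = "SM S S S S S S S SM S SM SM S S S SM SM S S S S S S S S S"

def modexp_traced(base: int, exponent: int, modulus: int):
    """Left-to-right square-and-multiply, recording what a power/EM trace
    exposes: one 'S' per exponent bit, followed by 'M' only when the bit is 1."""
    result = 1
    trace = []
    for bit in bin(exponent)[2:]:
        result = result * result % modulus          # Square: happens for every bit
        if bit == "1":
            result = result * base % modulus        # Multiply: happens only for 1-bits
            trace.append("SM")
        else:
            trace.append("S")
    return result, " ".join(trace)

def recover_exponent(trace: str) -> int:
    """The attack: each token is one bit of the secret, MSB first."""
    bits = "".join("1" if op == "SM" else "0" for op in trace.split())
    return int(bits, 2)

def modexp_always_multiply(base: int, exponent: int, modulus: int):
    """Countermeasure: square-and-multiply-always. The multiply is performed for
    every bit and its result discarded for 0-bits, so the S/SM pattern is constant.
    (Real implementations also need the selection itself to be constant-time and
    branch-free; the conditional expression below is a demonstration, not that.)"""
    result = 1
    trace = []
    for bit in bin(exponent)[2:]:
        result = result * result % modulus
        candidate = result * base % modulus         # always computed
        result = candidate if bit == "1" else result
        trace.append("SM")
    return result, " ".join(trace)

if __name__ == "__main__":
    secret, base, modulus = 0b10110010, 7, 1000003       # constructed values
    value, trace = modexp_traced(base, secret, modulus)
    print(trace)                                         # SM S SM SM S S SM S
    print(bin(recover_exponent(trace)))                  # 0b10110010: the secret, recovered
    print(bin(recover_exponent(SLIDE_TRACE)))            # the 26-bit value the slide's trace leaks
    value2, trace2 = modexp_always_multiply(base, secret, modulus)
    print(value == value2, trace2)                       # True, SM SM SM SM SM SM SM SM
```

Reading the slide's sequence this way gives a 26-bit value beginning 100000001011..., which is the point of the slide: the key material is in the trace in the clear, with no cryptanalysis needed. The always-multiply variant removes the operation-count leak but doubles the work, and it is only one of several leaks (data-dependent timing, cache and power amplitude being others) that a hardened implementation has to close.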

Page 130: Sem 001 sem-001

SSL/TLS

Page 131: Sem 001 sem-001

Introduction to SSL

► SSL is a hybrid protocol designed to turn an insecure communication channel (regardless of protocol) into a secure one
► Designed by Netscape in 1994, standardized in 1999 as TLS, which is now at version 1.2 (2008, 2011)
► Protocol versions so far:
  ► SSL v2: insecure
  ► SSL v3: still secure (at the time of this talk; SSL 3.0 has since been deprecated by RFC 7568)
  ► TLS v1: widely used, but not best
  ► TLS v1.1, v1.2: not widely used

(Pie chart of server support for SSL v2: SSL v2 49.85%; SSL v2 with no suites 11.93%; no support 38.22%)

Page 132: Sem 001 sem-001

SSL Goals

► The SSL standard packages our knowledge of security protocols for reuse
► Key services:
  ► Discovery and authentication
  ► Session key(s) generation
  ► Communication integrity
► Interoperability
► Extensibility
► Performance

Page 133: Sem 001 sem-001

SSL Cipher Suites

► SSL cipher suites are a higher-level cryptographic construct, consisting of:
  ► Key exchange and authentication
  ► Symmetric session cipher
  ► Message integrity algorithm
► Examples:
  ► TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  ► TLS_RSA_WITH_AES_128_CBC_SHA
  ► TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  ► TLS_RSA_WITH_RC4_128_SHA
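A cipher suite name is a small grammar, and reading it is the first step of any TLS configuration review. This added example, not from the seminar slides, parses IANA-style names into the three parts the slide lists and attaches a warning for each choice that is now known to be weak (RC4, 3DES, NULL, anonymous key exchange, and static RSA key transport, which has no forward secrecy). It is run on the slide's four names plus one constructed modern AEAD suite; the `CipherSuite` type and the warning texts are the example's own.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class CipherSuite:
    name: str
    key_exchange: str      # RSA (key transport), DHE, ECDHE, DH, ECDH, ...
    authentication: str    # RSA, ECDSA, DSS, anon, ...
    cipher: str            # e.g. AES_256_CBC, RC4_128, 3DES_EDE_CBC
    integrity: str         # HMAC hash, or the PRF hash for AEAD suites
    forward_secrecy: bool
    aead: bool
    warnings: List[str] = field(default_factory=list)

def parse_cipher_suite(name: str) -> CipherSuite:
    """Split TLS_<kx>[_<auth>]_WITH_<cipher>_<hash> into the slide's three
    building blocks and attach a warning for each weak choice."""
    prefix, _, rest = name.partition("_")
    if prefix not in ("TLS", "SSL") or "_WITH_" not in rest:
        raise ValueError(f"not a cipher suite name: {name!r}")
    left, right = rest.split("_WITH_", 1)
    kx_tokens = left.split("_")
    key_exchange = kx_tokens[0]
    # TLS_RSA_WITH_... names a single algorithm: RSA does both key transport and authentication.
    authentication = kx_tokens[1] if len(kx_tokens) > 1 else key_exchange
    cipher, integrity = right.rsplit("_", 1)
    aead = any(mode in cipher for mode in ("GCM", "CCM", "CHACHA20"))
    forward_secrecy = key_exchange in ("DHE", "ECDHE")

    warnings = []
    if not forward_secrecy:
        warnings.append("no forward secrecy: a leaked server key decrypts recorded traffic")
    if cipher.startswith("RC4"):
        warnings.append("RC4: keystream biases, prohibited for TLS by RFC 7465")
    if cipher.startswith("3DES"):
        warnings.append("3DES: 64-bit block, birthday-bound attacks (Sweet32) on long sessions")
    if cipher.startswith("NULL"):
        warnings.append("NULL cipher: no confidentiality at all")
    if integrity == "MD5" and not aead:
        warnings.append("HMAC-MD5 integrity")
    if authentication == "anon":
        warnings.append("anonymous key exchange: no server authentication, trivially MITM-able")
    return CipherSuite(name, key_exchange, authentication, cipher, integrity,
                       forward_secrecy, aead, warnings)

if __name__ == "__main__":
    for suite_name in ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
                       "TLS_RSA_WITH_AES_128_CBC_SHA",
                       "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
                       "TLS_RSA_WITH_RC4_128_SHA",
                       "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"):   # constructed modern suite
        cs = parse_cipher_suite(suite_name)
        print(f"{cs.name}: kx={cs.key_exchange} auth={cs.authentication} "
              f"cipher={cs.cipher} mac={cs.integrity} pfs={cs.forward_secrecy} aead={cs.aead}")
        for w in cs.warnings:
            print("   warning:", w)
```

Of the slide's four examples only the first survives this check cleanly, and even it uses CBC with a SHA-1 HMAC; the constructed ECDHE/AES-GCM suite is the shape a current configuration should prefer. Note that the parser covers TLS 1.2-style names; TLS 1.3 suite names (for example TLS_AES_128_GCM_SHA256) omit the key-exchange part entirely because 1.3 negotiates it separately.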

Page 134: Sem 001 sem-001

State of SSL

► The situation is good, overall
► But there are several issues:
  ► Problems with certificate authorities
  ► Browsers talk to the sites with broken certificates
  ► We’re not good at keeping up with protocol evolution: SSLv2 still widely supported; TLS v1.1 and TLS v1.2 virtually not supported.
  ► Too many plain-text (HTTP) web sites
  ► Issues related to mixed content (HTTP/HTTPS)

Page 135: Sem 001 sem-001

CERTIFICATES

Page 136: Sem 001 sem-001

Digital Certificates

► A digital identity often includes a public/private keypair, usually exchanged at the start of a session
► It is necessary to authenticate the keypair when faced with an active man-in-the-middle attack
► We need third parties to help establish identity, generally a certificate authority (CA)
► Digital certificates contain a public key, some identifying information (e.g., name, address, etc.) and a signature

Page 137: Sem 001 sem-001

Certificate Contents

Page 138: Sem 001 sem-001

Certificate Chaining

Page 139: Sem 001 sem-001

Certificate Authorities

► Estimated ~650 certificate authorities (EFF)
► Most browsers trust a small(ish) number of root certs, but the overall number grows through chaining
► Any CA can issue a certificate for any site
► Strong desire to keep certificates in DNS (now that we are starting to implement DNSSEC)

The EFF SSL Observatory: https://www.eff.org/observatory

Page 140: Sem 001 sem-001

CONCLUSIONS

Page 141: Sem 001 sem-001

Resources

Understanding Cryptography Christof Paar and Jan Pelzl (Springer, 2009)

Applied Cryptography, 2ed Bruce Schneier (Wiley, 1996)

SSL and TLS Eric Rescorla (Addison Wesley, 2001)

SSL Labs www.ssllabs.com Qualys

Page 142: Sem 001 sem-001

Applying What You Have Learned

► In the first three months, you should:
  ► Identify where cryptography is used in your organization
  ► Identify infrastructure required for cryptographic implementations (key management, certificates)
► Within six months, you should:
  ► Know what crypto can do. Explain the different security properties.
  ► Know what crypto can’t do. Gain basic knowledge of implementation security issues

Page 143: Sem 001 sem-001

QUESTIONS?

Page 144: Sem 001 sem-001

Session ID: SEM-001

Mobile Security Introduction

Paul Youn, iSEC Partners
Marc Blanchou, iSEC Partners

Page 145: Sem 001 sem-001

Agenda

► Totally unnecessary introduction
► Threats
► Users have it hard
► Vendors have it hard
► Solution (attempts)
► Conclusion

Page 146: Sem 001 sem-001


You’re on your phone right now

Page 147: Sem 001 sem-001

Mobile Platforms

(Bar chart: millions of smartphones, 0 to 1000, Q3 2011 vs Q3 2012, annotated 32%. Data from IDC press release.)

Page 149: Sem 001 sem-001

Attack Surface

Page 150: Sem 001 sem-001

► Mobile applications here to stay ► More Line of Business apps will go mobile ► Modern phones are complex ► Complexity & attack surface often related ► Can’t stop Employee Liable Devices

Mobile Trend Takeaways

Page 151: Sem 001 sem-001


What could possibly go wrong?

Page 152: Sem 001 sem-001

Malicious Applications

► Application attack vectors: app-to-app, app-to-OS
► App installation vectors: poorly policed markets, 3rd-party markets (Amazon, etc.), SMS/email, exploits, sideloading

Page 153: Sem 001 sem-001

Malicious Applications

Page 154: Sem 001 sem-001

Plankton

► Plankton malware appeared:
► What did “Angry Birds Rio Unlock” do?
  ► Steal your browser history
  ► Have the ability to install and add shortcuts

Page 155: Sem 001 sem-001

Mobile is a target

► OS vulns are valuable: iOS 100-200k; Android 30-60k
► Jailbreak research (jailbreakme)
► Zero days are out there

Page 156: Sem 001 sem-001

Cellular interception for all!

► Software-defined radio
► Text messages, voice and data are always readable by an active attacker
► Text and voice are most likely readable by a passive attacker; this requires a more complicated RF stage

Page 157: Sem 001 sem-001

Certificate Trust

► SSL Observatory Project: Jesse Burns (iSEC), Peter Eckersley (EFF); data set available on BitTorrent
► Number of trusted CAs:
  ► Mozilla: 124 trust roots (~60 organizations)
  ► Microsoft: lists only 19 trust roots in Windows 7, but silent on-demand updating can make this 300+ certs
  ► iOS and Android are close to the Mozilla list
► They signed… 1,482 CAs!

Page 158: Sem 001 sem-001

Oops

► Early 2011 (Comodo)
► DigiNotar
► Late 2012/early 2013 (TurkTrust)

Page 159: Sem 001 sem-001


Users Hate You (don’t feel bad)

Page 160: Sem 001 sem-001

►Phone ►Corporate email ►2nd factor auth ►Payment data ►Angry birds

One password to rule them all

Page 161: Sem 001 sem-001

f # 2 M * p 4 a Z & k 1 %

Poor Keyboards

Page 162: Sem 001 sem-001

Limited Screen Size

*From RHanson

Page 163: Sem 001 sem-001

Details?

Page 164: Sem 001 sem-001

► Disabled SSL Certificate Validation

Case Study: Incorrect cert validation

Page 165: Sem 001 sem-001

Users will always surprise you

Page 166: Sem 001 sem-001

What permissions?

► 500k – 1M installs
► Permissions: run at startup, read/write bookmarks and history, modify contents of your SD card, full network access

Page 167: Sem 001 sem-001

Invasive adware (legal Plankton)

► Still available
► Wall-of-text terms of service
► Served ads and modified browser behavior
► Could steal your history

Page 168: Sem 001 sem-001

► Physical security is a real problem ► Devices will be lost or stolen

The Airline Pocket

Page 169: Sem 001 sem-001

Sync Data Leakage

• Images • Application Data • E-Mail • Contacts • ETC…

Page 170: Sem 001 sem-001

► Multiple Apps Affected

► 6 of 7 Stored Data Locally

► Significant Reputation Risk

Case Study – Local Data Storage

Page 171: Sem 001 sem-001


Hard to get it right

Page 172: Sem 001 sem-001

Mobile Web Attack Surface

► Mobile applications are still on the Internet: accept both PC and phone connections
► Common real-world result: primary website secured, mobile site unprotected, same credentials
► Issues can have worse results than on the desktop

Page 173: Sem 001 sem-001

App. Distribution Challenges

► It’s packaged software!
► Indirect customer relationship
► Long update lag: users choose not to install patches; carrier testing requirements

Page 174: Sem 001 sem-001

OS and Software Versions

► Inconsistent versions
  ► On older iOS devices
  ► More than half of Android devices contain vulnerabilities
► Vendor specific OS and Software

Page 175: Sem 001 sem-001

OS and Software Versions

Page 176: Sem 001 sem-001

What to do?

Page 177: Sem 001 sem-001

MDM / Secure Container Products?

► Claim to:
  ► Improve manageability
  ► Attempt to provide data segregation
  ► Encrypt sensitive data (emails, contacts, attachments)
  ► Usually protected by a PIN (separate from main PIN)
  ► Enforce strong policies on all compatible devices
  ► Isolate and improve application security
  ► Remote Lock and remote Wipe
  ► Jailbreak detection

Page 178: Sem 001 sem-001

Can the data be secured?

► Full Disk Encryption?
  ► Not enough
► Tamper resistant chip?
  ► iOS
    ► Data Protection API
  ► Android
    ► Difficult to do right

Page 179: Sem 001 sem-001

Pin certificates

► Certificate pinning means you only accept a hardcoded certificate for SSL/TLS
► Can be configured in iOS and Android
► Implement testing
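A pin check in Python that walks through the three bullets: a hardcoded certificate fingerprint, the check layered on top of normal TLS validation (never in place of it, which was the earlier case study's mistake), and a test that keeps the check honest. This is an added example, not the presenters' code; the hostname and pin value are constructed placeholders, and pinning the SHA-256 of the DER-encoded leaf certificate is an assumption (a deployment chooses which certificate in the chain to pin).

```python
"""Certificate pinning check layered on normal TLS validation. Added example,
not the presenters' code: it pins the SHA-256 fingerprint of the server's
DER-encoded leaf certificate, the "hardcoded certificate" of the slide.
The hostname and pin below are constructed placeholders."""
import hashlib
import socket
import ssl

# Constructed placeholder pin set: {hostname: {hex sha256 of DER cert, ...}}.
# A pinned leaf certificate must be re-pinned whenever the server renews it,
# so shipping a backup pin for the next certificate avoids locking users out.
PINNED_FINGERPRINTS = {
    "api.example.invalid": {
        "0000000000000000000000000000000000000000000000000000000000000000",
    },
}


def fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 over the certificate's DER bytes."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(hostname: str, der_cert: bytes, pins=PINNED_FINGERPRINTS) -> bool:
    """True only if the presented leaf certificate is pinned for this host.
    A host with no pin entry fails closed rather than silently unpinned."""
    expected = pins.get(hostname)
    if not expected:
        return False
    return fingerprint(der_cert) in expected


def open_pinned_connection(hostname: str, port: int = 443, pins=PINNED_FINGERPRINTS):
    """Chain and hostname validation first (the default context does both),
    then the pin check on top of it. Returns the open TLS socket."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((hostname, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=hostname)
    der = tls.getpeercert(binary_form=True)
    if not pin_matches(hostname, der, pins):
        tls.close()
        raise ssl.SSLError(f"certificate pin mismatch for {hostname}")
    return tls


def pin_test_cases() -> dict:
    """The "implement testing" bullet: the negative cases that must keep
    passing. Uses constructed stand-in certificate bytes; no network needed."""
    good = b"constructed DER bytes standing in for the pinned certificate"
    bad = b"constructed DER bytes standing in for a valid but unpinned certificate"
    test_pins = {"api.example.invalid": {fingerprint(good)}}
    return {
        "pinned_cert_accepted": pin_matches("api.example.invalid", good, test_pins),
        "unpinned_cert_rejected": not pin_matches("api.example.invalid", bad, test_pins),
        "unknown_host_rejected": not pin_matches("other.example.invalid", good, test_pins),
    }
```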

Page 180: Sem 001 sem-001

Remote lock and remote wipe?

Page 181: Sem 001 sem-001

The limits of safety

► Jailbreak/root detection
  ► Easily circumvented
► Malware protection
  ► Application whitelisting on iOS
► Is isolating applications in a ‘Container’ a good idea?

Page 182: Sem 001 sem-001

Don’t throw away your phone

Page 183: Sem 001 sem-001

Be careful with your sensitive data!

► There are limits to security on a mobile device
► The more attack vectors the harder something is to secure
► Your phone has a very large threat surface compared to most other devices

Page 184: Sem 001 sem-001

Protect yourself

► Turn off unnecessary attack surfaces (such as Bluetooth)
► Update and patch your applications
► Use MDM products, just don’t over-rely on them
► Make it easy for users:
  ► Don’t store sensitive data on device (or limit what you cache, such as only recent email)
  ► Consider using different mobile credentials for your apps
  ► Use strong credentials

Page 185: Sem 001 sem-001

Thank You

► Paul Youn
  ► Technical Director at iSEC Partners
  ► [email protected]
► Marc Blanchou
  ► Senior Security Engineer at iSEC Partners
  ► [email protected]
► Thanks to:
  ► Alex Stamos
  ► Mike Warner

Page 186: Sem 001 sem-001

UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London Thame

North American Offices San Francisco Atlanta New York Seattle

Australian Offices Sydney

European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland

Page 187: Sem 001 sem-001

Security Basics Seminar: Authentication Technologies

Session ID: SEM-001

Bill Duane, RSA Security, Office of the CTO

Page 188: Sem 001 sem-001

Why Authentication?

Page 189: Sem 001 sem-001

Who Are You?

► That is the eternal question…
► It has been in existence as long as people have existed.
► It is often followed by:
  ► “Have we met before?”
  ► “What is a beautiful person like you doing in a place like this?”
  ► And “Would you like to come up to my place to see my collection of strong authentication devices???”
► It also happens to be a foundation question for security.

Page 190: Sem 001 sem-001

How do you know??

Page 191: Sem 001 sem-001

Phishing and Fraud

► There has been a veritable explosion in consumer facing Internet crime
► Phishing and Malware continue to grow at an alarming rate
► Fraud Attacks are also growing rapidly
► Pranksters and script kiddies have been replaced by professional criminals, organized crime, and even governments
► In many cases the legal, ethical, and societal implications have not kept pace with the crimes
► Well established concepts like jurisdiction, liability, and privacy begin to crack when the crimes occur across the globe and traverse many countries, political relationships, legal relationships and so on.

Page 192: Sem 001 sem-001

Growth of Phishing Attacks

The number of unique phishing attacks rose to a peak of 40K in August 2009, and has now been hovering around 24-25K per month.

We clearly are at an inflection point where Phishing is starting to decline, and trojans are increasing.

Ref: http://www.antiphishing.org/

There was a roughly 20% increase in trojans as % of malware between H2 2010 and H1 2011; the latest split is shown.
• Crimeware steals financial info
• Data Stealing/Trojans for system control
• Other is the rest including auto-replicating worms, telephone dialer scams, …

Page 193: Sem 001 sem-001

Growth of Attacks and Attack Methods

► There is increasing concern about APTs in the industry, especially in the defense contractors, the intelligence community, and governments
  ► Low and slow; targeting specific people/organizations
  ► Often government sponsored
  ► APT = Advanced Persistent Threat
► These situations show the organization, and sophistication of the modern attacker
  ► Military in style
  ► Well funded
  ► Specific objectives/targeted

Page 194: Sem 001 sem-001

The Economics of Phishing

► During a visit, the Secret Service mentioned that in order to attack 10 million email addresses costs the Phisher only $160, and yields the attacker $124,840 profit
  ► This assumes 50% of the emails bounce, and that only .001% of the remaining people are duped
► If www.antiphishing.org is correct, and there are about 25,000 new phishing attacks per month…
► Multiplied together you get a whopping possible phishing profit of $3,121,000,000 per month worldwide !!!
  ► Even if the numbers are off by an entire order of magnitude (unlikely) it is still a whopping $312 million per month worldwide!

Page 195: Sem 001 sem-001

How does authentication factor in??

Strong authentication could help with many of these problems, except…:
► The continued widespread use of passwords as authenticators
► The fact that advanced authentication technologies have not reached the price points needed to become ubiquitous on the Internet
► The fact that advanced authentication technologies have not reached an ease of use level where a child or my 90 year old grandmother can use them
► The fact that credit cards are static one-factor devices
► The fact that databases containing credit cards and personal information are not encrypted

Page 196: Sem 001 sem-001

The Need for Authentication

► Without knowing with a high level of certainty who you are dealing with:
  ► it is not possible to properly assign access control and other rights
  ► it is not possible to trust a digital signature
  ► in many cases it makes no sense to encrypt data if you don’t know who you are dealing with
► The basis for all security is authentication

Page 197: Sem 001 sem-001

Authentication

► Strong Authentication typically binds an individual to a secret
► The system you are attempting to access has some mechanism to validate that you have the secret
  ► Sometimes the system knows the actual secret
  ► Sometimes the system knows something derived from the secret
► The secret can take many forms
  ► Passwords
  ► Symmetric cryptographic secrets
  ► Asymmetric cryptographic secrets
► The trick is, some secrets are more secret than others…

Page 198: Sem 001 sem-001

Passwords

Page 199: Sem 001 sem-001

Authentication with password

(Diagram) The Accessing System sends the Clear-Text Password to the Accessed System, which runs it through a Cryptographic Hash to produce a Digest and matches that Digest against the stored Digest.

Page 200: Sem 001 sem-001

Passwords using parallel cryptography

(Diagram) The Accessed System generates a random number and sends it to the Accessing System as the Challenge. The Accessing System hashes the Clear-Text Password into a Digest, then combines the Challenge and the Digest (Hash) to produce the Response. The Accessed System runs the same computation using its Copy of the Digest to produce Response’, and matches Response’ against the received Response.

Page 201: Sem 001 sem-001

The Problem with Passwords …People!!!

► Test 1 (London)
  ► >70% revealed their computer password for a bar of chocolate
  ► 34% volunteered their password when asked without even needing to be bribed
  ► 79% unwittingly gave away information that could be used to steal their identity when questioned
  ► 33% share passwords
  ► On average, people have to remember 4 passwords
► Test 3 (London)
  ► 81% revealed personal information for chance to win Easter chocolate
  ► 90% were willing to give personal info in 2005 for the chance to get theater tix
  ► People offered up identity info like birth date, mother’s maiden name, first school
  ► 86% gave up pet’s name
  ► 90% gave up home phone number
  ► After 2 minutes, enough info was typically gathered to allow an identity attack
► Test 1 (San Francisco)
  ► 67% turned over their passwords for $3 coffee coupons
  ► 70% of those who said “no way” gave up significant hints (wife’s name, anniversary date, pet’s name)
  ► 79% said they use the same password for multiple Web sites
  ► Nearly 60% have >=4 passwords
  ► One executive, too busy to stop, sent his secretary back with his password so he could get the free coffee (she gave up hers, too)

Page 202: Sem 001 sem-001

The Problem with Passwords …

Source: www.unitedmedia.com/comics/dilbert

A more resistant password:
1. Pick a passphrase
2. Select the first letters of every word
3. Add non-alphanumerics
4. Surround with special characters:

“At 1, Bill presented an Awesome talk on authentication”

A1BpaAtoa
^#A1BpaAtoa#^
µ^#A1BpaAtoa#^µ

I’m sure my grandma will comply…

Where are my yellow stickies?

Page 203: Sem 001 sem-001

The Fundamental Problem:

(Chart) Computer Power versus Brain Power over time, from the Dawn of Computing through Reality TV and Now, into the Future.

Page 204: Sem 001 sem-001

The Benefits of Passwords

► Passwords have their good points:
  ► They are easy to use
  ► They are easy to remember
  ► They do not require external devices to operate
  ► They are Platform-independent
  ► They have no acquisition cost
  ► Minimal end-user training

Page 205: Sem 001 sem-001

The Problems with Passwords

► They are ‘1 static factor’ devices - it’s only something you ‘know’
  ► yellow stickies on your monitor, notes under your keyboard
  ► replay attacks are common
► Can be compromised, without knowing
  ► Social attacks
► Inconsistent formats between applications (Provisioning, synchronization necessary)
► Passwords are actually quite expensive (Operating costs)
  ► Password reset and admin is frequently over 40% of what help desks do!

Page 206: Sem 001 sem-001

The Problems with Passwords

► Most passwords are poorly chosen
  ► Your dog’s name, your significant other’s pet name, the word ‘password’
  ► Most passwords are vulnerable to the widely available password cracking programs
► Poorly chosen passwords significantly reduce the search space for an attacker
► We are entering an age where passwords must be very carefully used, and should not be used for controlling access to critical accounts

Page 207: Sem 001 sem-001

One Time Passcodes

Page 208: Sem 001 sem-001

One Time Passcode (OTP) Tokens

► Authentication tokens are small devices which generate a new “password” (tokencode) for every authentication.
► They contain a secret key (seed) which is shared by an authentication server
  ► Tokens usually have an LCD display, a small microprocessor, and a battery. Tokens may have a keypad, and a real-time clock
► Tokens do require that the user carry them around, but provide authentication without desktop software

Page 209: Sem 001 sem-001

OTP Tokens

► Tokens are currently the most cost effective, and easiest to use strong authentication solution
  ► They are common in the enterprise marketplace
  ► They are a proven technology
  ► They are easy to use
  ► There are a number of different types of token:
    ► Time-based
    ► Challenge-Response
    ► Counter-based
► Two of the biggest issues for the use of tokens in the consumer Internet space include cost, and multi-site token re-use

Page 210: Sem 001 sem-001

Challenge-Response OTP Tokens

(Diagram) The Challenge-Response Token holds an Internal Seed; the Authentication Server holds a Copy of the Seed.
1. The server generates a random number and sends it to the user as the Challenge
2. The user inputs the Challenge on the Token Keypad
3. The token combines the seed and challenge, then hashes it, and truncates the result as needed to produce the correct length Response
4. The user reads the Response on the LCD, and enters it at the logon prompt
5. The server runs the same hash computation using the copy of the seed, truncates the result to Response’, and compares Response’ and the received Response (Match)

Page 211: Sem 001 sem-001

Counter-Based OTP Tokens

(Diagram) The Counter-Based Token holds an Internal Seed and an internal counter incremented by button presses; the Authentication Server holds a Copy of the Seed and its own counter, which increments for each authentication.
1. The token combines the current counter value and the seed, then ‘hashes’ it, and truncates the result as needed to produce the correct length Passcode, which the user submits
2. The server runs the same ‘hash’ using its counter and the copy of the seed, truncates the result to Passcode’, and compares Passcode’ and the received Passcode (Match)

Page 212: Sem 001 sem-001

Time-Based OTP Tokens

(Diagram) The Time-Based Token holds an Internal Seed and has its own internal clock; the Authentication Server holds a Copy of the Seed, and its clock runs independently from the token’s internal clock.
1. The token combines the current time and seed, then ‘hashes’ it, and truncates the result as needed to produce the correct length Passcode, which the user submits
2. The server runs the same ‘hash’ using the time and the copy of the seed, truncates the result to Passcode’, and compares Passcode’ and the received Passcode (Match)
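The three token diagrams above (challenge-response, counter-based, time-based) and the “parallel cryptography” password login on Page 200 all rest on one step: combine a shared secret with a moving factor, hash, truncate, and have the server repeat the computation on its copy of the secret. Here is that step worked through for all four in Python, as an added example rather than the presenters’ or any token vendor’s algorithm; HMAC-SHA1 with dynamic truncation in the style of RFC 4226 / RFC 6238 is assumed for the hash-and-truncate step, and the seeds, challenges, look-ahead window and clock-drift tolerance are constructed values.

```python
"""One-time passcodes for the three token types on the slides above, plus the
Page 200 password-digest variant. Added example, not the presenters' or any
vendor's algorithm: the "combine, hash, truncate" step is HMAC-SHA1 with
dynamic truncation in the style of RFC 4226 / RFC 6238. Seeds, challenges
and window sizes are constructed values."""
import hashlib
import hmac
import struct


def truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation: the low nibble of the last byte picks an offset,
    the 4 bytes there become a 31-bit integer, reduced mod 10^digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def passcode(seed: bytes, moving_factor: bytes, digits: int = 6) -> str:
    """Combine seed and moving factor (challenge, counter or time step) with a
    keyed hash, then truncate. Token and server run exactly this."""
    return truncate(hmac.new(seed, moving_factor, hashlib.sha1).digest(), digits)


# --- Challenge-response token: the user keys the server's challenge into it ---
def challenge_response(seed: bytes, challenge: str, digits: int = 6) -> str:
    return passcode(seed, challenge.encode(), digits)


def verify_challenge_response(seed_copy: bytes, challenge: str, response: str) -> bool:
    """Server recomputes Response' from its copy of the seed; constant-time compare."""
    return hmac.compare_digest(challenge_response(seed_copy, challenge), response)


# --- Counter-based token: a button press increments the token's counter ---
def counter_passcode(seed: bytes, counter: int, digits: int = 6) -> str:
    return passcode(seed, struct.pack(">Q", counter), digits)


class CounterServer:
    """The server's counter only advances on a successful authentication, so a
    user who pressed the button without logging in leaves the token ahead;
    a small look-ahead window resynchronises without accepting replays."""

    def __init__(self, seed_copy: bytes, window: int = 5):
        self.seed = seed_copy
        self.counter = 0
        self.window = window

    def verify(self, submitted: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(counter_passcode(self.seed, c), submitted):
                self.counter = c + 1  # resync; a replayed code now falls below the window
                return True
        return False


# --- Time-based token: token and server clocks run independently ---
def time_passcode(seed: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    return passcode(seed, struct.pack(">Q", int(now // step)), digits)


def verify_time_passcode(seed_copy: bytes, submitted: str, now: float,
                         step: int = 30, drift_steps: int = 1) -> bool:
    """Accept the current step and +/- drift_steps neighbours, which absorbs
    the drift between the token's clock and the server's."""
    for k in range(-drift_steps, drift_steps + 1):
        candidate = time_passcode(seed_copy, now + k * step, step)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


# --- Page 200 variant: the shared secret is the password digest, not the password ---
def password_digest_response(password: str, challenge: str, digits: int = 6) -> str:
    """The server stores only the digest and runs the same computation on its
    copy; the clear-text password never crosses the wire."""
    digest = hashlib.sha256(password.encode()).digest()
    return passcode(digest, challenge.encode(), digits)


if __name__ == "__main__":
    seed = b"12345678901234567890"  # the RFC 4226 test seed, a constructed value
    print("counter 0 ->", counter_passcode(seed, 0))   # 755224
    print("t = 59 s  ->", time_passcode(seed, 59))      # 287082
    print("challenge ->", challenge_response(seed, "482913"))
```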

Page 213: Sem 001 sem-001

OTP Tokens

► As we have seen, there are a variety of OTP tokens available
  ► In addition to the hardware tokens discussed, software versions are available which run on PCs, notebooks, and other mobile computers such as tablets and smart phones
► OTP tokens continue to be one of the most common strong authentication methods, especially in the enterprise

Page 214: Sem 001 sem-001

Public-Private Key Authentication

Page 215: Sem 001 sem-001

Public-Private Key Authentication

(Diagram) The Server generates a random number (Random #), encrypts it with the Client’s Public Key and sends it to the Client. The Client recovers it with the Client’s Private Key and returns Random #’; the Server matches Random #’ against the original Random #.

Page 216: Sem 001 sem-001

PPK Authentication

► If you have a certain Public Key, as shown it can be used to verify that the other system has the matching Private Key
► To complete the process of PPK Authentication:
  ► You need to trust that the Public Key is the right one for an individual
  ► You need to secure the storage of the Private Key

Page 217: Sem 001 sem-001

Trusting the Public Key

X.509 Digital Certificate: “I officially notarize the association between this particular User, and this particular Public Key”

Serial Number: xxxxx
Validity: Nov.08,2003 - 08,2005
User: Organization CA - Ref.,LIAB.LTD(c)96, Organizational Unit = Digital ID Class 2 - Chelmsford
Public Key: ie86502hhd009dkias736ed55ewfgk98dszbcvcqm85k309nviidywtoofkkr2834kl
Signed By: RSA Security
Status:

Page 218: Sem 001 sem-001

It’s all about Trust:

(Diagram) The Certificate Authority signs the certificate with its Private Key; anyone holding the Certificate Authority’s Public Key can check that signature.

Serial Number: xxxxx
Validity: Nov.08,1997 - Nov.08,1998
User: Organization CA - Ref.,LIAB.LTD(c)96, Organizational Unit = Digital ID Class 2 - Chelmsford
Status:
Public Key: ie86502hhd009dkias736ed55ewfgk98dszbcvcqm85k309nviidywtoofkkr2834kl
Signed By: VeriSign, Inc.

Page 219: Sem 001 sem-001

Trusting the Private Key

► The private key must be securely stored
  ► Smart Cards are ideal
  ► Token protected storage is also very good
  ► Password protected storage is less ideal
► The whole trust of PPK systems comes down to the trust of Certificates and Private Key Storage
  ► And how you verify that the correct person is the owner of the private key!

Page 220: Sem 001 sem-001

Biometrics

Page 221: Sem 001 sem-001

Biometrics

► Alternative to passwords and smartcards
  ► Determine your identity by measuring your personal characteristics
► User friendly
  ► Nothing to remember, nothing to enter
► Hard to mess up
  ► No token to drop or give away
  ► No password to forget, write down or tell a friend
► They can be 2 or 3 factor authenticators
  ► Something you are plus something you have or know
► They are cool

Page 222: Sem 001 sem-001

Different biometrics

► A large number have been proposed
  ► Fingerprints
  ► Retina scan, iris scan
  ► Facial Recognition
  ► Hand shape
  ► Blood vessels
  ► Voice
  ► Body Odor
  ► DNA (no commercial systems)
► Different characteristics
  ► Cost, convenience, stability, security, spoofing

Page 223: Sem 001 sem-001

Example: Fingerprints

► Advantages
  ► Some types support cheap sensors
  ► Non-intrusive
  ► Small form factor
  ► Simple to use
► Disadvantages
  ► Identification is not unique
    ► Best have an error of 1:100 000 (that’s only 17 bits)
  ► Does not work in all environments
    ► Gloves, worn down fingertips
  ► Can be stolen without direct contact with user

Page 224: Sem 001 sem-001

Biometrics Update

► Over the last couple of years there have been some interesting biometric developments
  ► Biometrics have entered the consumer market in a reasonably large way
  ► Large numbers of notebooks now contain a biometric fingerprint sensor
  ► Match on device functionality is becoming technically reasonable

Page 225: Sem 001 sem-001

The issues with Biometrics

► Where do you store the Biometric patterns, and how is that protected?
  ► You use the same fingerprint everywhere
  ► You leave your fingerprint everywhere
► How much ‘training’ is required to get a good template?
► There is some part of the population where the Biometric does not work, for example:
  ► Masonry and other construction workers who have worn down their fingerprints
  ► The fingerprint of senior citizens cannot be read in many cases
  ► Master criminals or spies who etched their fingerprints off with acids

Page 226: Sem 001 sem-001

The issues with Biometrics

► For me, perhaps the biggest problem with biometrics is theft of identity, and the related problem of revocation:
  ► Unlike other security credentials, a biometric is you!
  ► If some evil-doer gets your biometric template, they can impersonate you personally
► How do you deal with the theft of your template?
  ► Lopping off digits hardly seems appropriate
  ► You only have one voice, two eyes, one body odor, … so invalidating the compromised biometric is of limited use

Page 227: Sem 001 sem-001

Revocable Biometric Templates

► The original image is not used as a template
► It is first morphed with a master ‘key’
► The resulting horrific morphed image becomes the master template
► In all subsequent authentications, the raw image is morphed using the same master key before the biometric authentication is performed
► If the morphed template is ever compromised, the original image is not revealed. The master key can then be destroyed and a new one used.

Page 228: Sem 001 sem-001

RFID

Page 229: Sem 001 sem-001

Is RFID Authentication??

► In many cases RFID is Identification, not Authentication
  ► The RFID tag asserts its identity by broadcasting a unique identifier, but does not perform a cryptographic operation to prove that it is the authentic tag
► However, sophisticated tags exist, and more are being developed, and as a result, I can see a time where tags will assert identity, then be able to perform something like a challenge-response validation of a symmetric or asymmetric key.
► As a result, they are worth talking about in the context of authentication…

Page 230: Sem 001 sem-001

RFID and Privacy

► Since RFID tags transmit their identity, they can leak privacy information; even when their intended use is over.
► Steamboat Mountain & hospitals are well thought out RFID apps
  ► Benefits thoroughly explained in advance / opt-in
► Some RFID privacy advancements are happening
  ► Kill tags/blocker tags
► The RFID devices must be built on strong cryptography
  ► Data must be encrypted, and should not be static
  ► Algorithms should be peer reviewed
  ► TI/Speedpass – Cracked/cloned by RSA Labs and Johns Hopkins
  ► ISO14443/EMV (encrypted/dynamic)
► New RFID technologies to watch:
  ► Near-Field Comms
  ► RuBee (Long Wave ID - LWID)

Page 231: Sem 001 sem-001

Some Noteworthy Recent RFID Events

► 2006 World Cup Football (Soccer) in Germany
  ► RFID based admission tickets
  ► China Olympics RFID based tickets
► NIST publishes a report warning about the dangers of RFID
  ► Report recommends careful application
► Growth in food tracking area: meat and poultry in Norway; Thai rice; Malaysia livestock; Spanish meat;
  ► Amish farmers resist RFID tagging of livestock on religious grounds
  ► Some religious groups resist biometrics as the ‘mark of the beast’
► Viagra bottles will now have RFID tags to prevent counterfeiting!
► Publicized attacks on MiFare based transit cards

Page 232: Sem 001 sem-001

A few of my favorite RFID news items

► Saguaro National Park in Tucson, AZ to tag cacti with RFID tags to thwart thieves (a Cactus is about $2k each, the tags are $4); following similar program in Las Vegas.

Jonathan Oxer, Melbourne, Australia, “Australia’s geekiest geek!”
► RFID tag was implanted in his left arm
► Used to unlock his car and home

Cool but possibly dangerous…

Page 233: Sem 001 sem-001

Composite Authentication

Page 234: Sem 001 sem-001

How do humans authenticate?

(Diagram)
► Looks like John
► He’s at John’s House
► John has a dog which hates to be washed
► John likes short hair
► John has a son
► That’s John’s wife
► It is John!

Page 235: Sem 001 sem-001

Human Authentication

► We authenticate by combining a set of lower confidence authentications into an aggregate authentication
► The process is not mathematically exact
  ► There is error and low confidence in many of the individual pieces of data
► However, taken in total, our confidence in the authentication is increased to a level above which we have confidence in the authentication

Page 236: Sem 001 sem-001

Composite Authentications

► This technique is emerging as the new model for electronic authentication
► Composite authentications first started to emerge in the area of on-line banking
► Composite authentications combine a number of weak authentications into a stronger authentication
► While it may be possible to intercept or replay some of the composite parts, it is very difficult to simulate all the parts of a well designed composite

Page 237: Sem 001 sem-001

Composite Authentications

(Diagram) Is it really Sally?
► She knew Sally’s password
► She is connecting via Sally’s ISP
► She is using the same browser Sally uses
► This is the same computer which Sally used before
► She is connected at the same time Sally typically connects
► She is doing the same operations which Sally typically does
► She interacts with the computer like Sally
► It’s Sally!!

Page 238: Sem 001 sem-001

Composite Authentications

► Typically these authentications perform a risk scoring based upon all the data
  ► If the score is too low, the authentication fails
  ► If the score is above a threshold, then the authentication succeeds
  ► If the score is between the two:
    ► The end user may be prompted for more information
      ► Mother’s maiden name, color of first car, …
    ► Or the user may be contacted through some other out of band method
      ► Calling the end user cell phone
► By their nature, composite authentications are difficult to mathematically compute an effective bit strength for
  ► And this would miss some of their inherent strengths
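A minimal risk-scoring engine for the rule just described (fail below one threshold, succeed above another, step up in between), fed with the Sally signals from the previous slide. This is an added example, not any product’s scoring model: the weights, the two thresholds, Sally’s profile and the sample logins are all constructed, and the third login shows why replaying some of the parts (password, browser string, usual hour) still lands in the step-up band.

```python
"""Risk scoring for a composite authentication. Added example, not any
product's scoring model: weights, thresholds, the profile and the sample
logins are constructed."""
from dataclasses import dataclass


@dataclass
class UserProfile:
    """What the site has learned about Sally from earlier sessions."""
    usual_isps: set
    usual_browsers: set
    known_devices: set
    usual_hours: range          # local hours at which she typically connects
    usual_operations: set


@dataclass
class LoginAttempt:
    """The weak signals observed on this login."""
    password_ok: bool
    isp: str
    browser: str
    device_id: str
    hour: int
    operation: str
    behaviour_match: float      # 0.0..1.0, how much she "interacts like Sally"


# Constructed weights: a signal that is hard to replay (the device, the way
# she interacts) is worth more than one that is easy to copy (browser string).
WEIGHTS = {"isp": 10, "browser": 5, "device": 25, "time": 10,
           "operation": 15, "behaviour": 20}
FAIL_BELOW = 30   # constructed thresholds on the 0..85 scale
SUCCEED_AT = 60


def risk_score(attempt: LoginAttempt, profile: UserProfile) -> int:
    """Add up the weights of the signals that agree with the profile. The
    password is a gate, not a signal: a wrong password scores nothing."""
    if not attempt.password_ok:
        return 0
    agree = {
        "isp": attempt.isp in profile.usual_isps,
        "browser": attempt.browser in profile.usual_browsers,
        "device": attempt.device_id in profile.known_devices,
        "time": attempt.hour in profile.usual_hours,
        "operation": attempt.operation in profile.usual_operations,
    }
    score = sum(WEIGHTS[name] for name, ok in agree.items() if ok)
    score += round(WEIGHTS["behaviour"] * attempt.behaviour_match)
    return score


def decide(attempt: LoginAttempt, profile: UserProfile) -> str:
    """'fail', 'step_up' (life questions or an out-of-band call), or 'succeed'."""
    score = risk_score(attempt, profile)
    if score < FAIL_BELOW:
        return "fail"
    if score >= SUCCEED_AT:
        return "succeed"
    return "step_up"


# Constructed profile and sample logins.
SALLY = UserProfile(
    usual_isps={"isp-a"}, usual_browsers={"browser-x"},
    known_devices={"dev-1"}, usual_hours=range(18, 23),
    usual_operations={"view_balance", "pay_bill"},
)
SALLY_AS_USUAL = LoginAttempt(True, "isp-a", "browser-x", "dev-1", 20, "pay_bill", 0.9)
WRONG_PASSWORD = LoginAttempt(False, "isp-a", "browser-x", "dev-1", 20, "pay_bill", 0.9)
# Right password, copied browser string, usual hour and a usual-looking
# operation, but a new device, a different network and behaviour that only
# half resembles Sally: some parts replayed, not all.
REPLAYED_PARTS = LoginAttempt(True, "isp-z", "browser-x", "dev-9", 20, "pay_bill", 0.5)
```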

Page 239: Sem 001 sem-001

Composite Authentications

► I think this is one of the most interesting evolutions in authentication technology to have occurred over the last few years
► The composite mix must be kept fresh, or the attackers will compromise enough of the composite to make it weak
  ► A good composite is diverse, and changes over time
► Watch to see composite authentication branch into the enterprise and other non-banking consumer settings.
► Various frameworks for comparing authentication methods (such as NIST 800-63) have not caught up with this trend yet, so be careful.

Page 240: Sem 001 sem-001

A couple of Authentication related topics…

Page 241: Sem 001 sem-001

Electronic Passports

► Publicly, I expressed dismay with the RFID passport proposals
  ► Lack of privacy, lack of encryption, …
► Some progress has been made
  ► Shielded passport cases
  ► Data is encrypted
  ► Auth via open passport data
► There still are problems:
  ► The RFID chips have been cloned
  ► The encryption appears to have been cracked
► Some sites have discussed putting your new passport in a microwave to disable the RFID chip
  ► I don’t recommend that!

Page 242: Sem 001 sem-001

Real ID

► A US form of government ID is emerging with Real ID
  ► Federal standard for drivers licenses
  ► Digimarc is the leader in this effort
  ► Mandates validation of person before issuance
  ► Cryptographic security features
  ► Biometric quality image
    ► Scan of database done for facial match during issuance
    ► Can be used for Real-Time
  ► Other features such as ghost image and micro-fine art; holograms; …
► Enhanced versions (RFID) of this card act as the Western Hemisphere Travel Initiative PASS card
► Some groups are against Real ID on privacy grounds
  ► Tracking individuals, keeping copies of produced documents, centralized database
► It is moving forward, currently 25+ states have passed legislation to adopt Real ID
► Current plans are that by 2014 most people will be required to have a Real ID document – most likely a drivers license

Page 243: Sem 001 sem-001

Credit Card Fraud

► Many of the same ideas we have talked about apply to credit cards
  ► Like passwords, credit cards are static authenticators
  ► In many ways, credit card numbers are *worse* than passwords:
    ► Their lifetime is extremely long
    ► Credit Card information is often stored in the clear on merchant systems
      ► Unlike all modern password systems which do not store clear passwords
► The frustrating part is that many security and authentication technologies could be applied to credit cards today
  ► OTCC – One Time Credit Card
  ► Encryption of merchant databases
  ► Dynamic second factors (like CCV codes)
► Unfortunately these changes will come about slowly
  ► EMV and some of the new Mastercard and Visa initiatives are very good starts
  ► Canada and Mexico are going to EMV
    ► Will this push fraud into the US??
  ► In the US, real-time authorization with RBA

Page 244: Sem 001 sem-001

Wrapping it up….

Page 245: Sem 001 sem-001

How do they compare?

(Chart) Relative Security plotted against Cost of Authenticator.

Page 246: Sem 001 sem-001

How do they compare?

Type | Is Key Secret? | Strength | Portability | Ease of use | Cost
Password | Maybe | Weak | High | Easy | Very High
OTP | Yes | Strong | High | Medium | Medium
Smart Card & Certificate | Yes | Strong | Low | Medium | High
Biometric | No | Weak – static | Low | Very Easy | Medium
RFID | No | Weak – static | Low | Very Easy | Low
Composite | Typically not | Hard to quantify | Low | Easy | Low
Credit Card | No | Weak – static | High | Easy | Low

Page 247: Sem 001 sem-001

Authentication Tiers

Authentication Factors: Something You _____

Know: Text PIN; Visual PIN; Text Password; Life Questions
Have: IP Address; Browser Type; Cookie; Certificate; Toolbar / Agent; Scratch-off / Bingo Card; Phone / PDA w/OTP; OTP Token; USB Device; Proximity / Smart Card
Are: Fingerprint; Hand Geometry; Face Recognition; Iris Scan; Retina Scan
Do: Keystroke Dynamics; Voice Print; Access Pattern

Authentication Tiers: likely combinations of factors, low end to high

#1: Composite + Password
#2: Soft Token + Password
#3: Soft Token + Biometric
#4: Hard Token + PIN
#5: Hard Token + Biometric

Page 248: Sem 001 sem-001

Flexibility and Diversity

There are a few recommendations I can give:
► Static Passwords must not be used to protect anything with value
► OTP will continue to be strong in the enterprise, but new technologies like RFID and Biometrics are making inroads
  ► That said, there have been recent significant attacks on the core algorithms which underlie some OTP tokens – choose wisely.
  ► The first active MITM attacks have appeared
► The emergence of composite authentications, especially when combined with other forms of authentication represent an important new branch on the tree of authentication methods.
► Most importantly, do not standardize on one technique or algorithm!
  ► This is a dynamic environment, and you will need diversity and flexibility to choose the best authentication solution to meet your needs.

Page 249: Sem 001 sem-001

Thank You…

Questions?

Page 250: Sem 001 sem-001

Session ID: SEM-0001

FIREWALLS AND PERIMETER DEFENSES

William Cheswick, cheswick.com, http://www.cheswick.com/ches

Sunday, February 24, 13

Page 251: Sem 001 sem-001

Perimeter Defenses allow one to focus defensive expertise and efforts on a small area

Page 252: Sem 001 sem-001

Perimeter defenses

Where do you put them?
How many do you need?
How do you get through them?
How do you test them?

Page 253: Sem 001 sem-001


Page 254: Sem 001 sem-001


Page 255: Sem 001 sem-001


Page 256: Sem 001 sem-001

Heidelberg Castle: failure modes

• 1622: Tilly captured the castle after a two-month siege
• 1689: Captured by 30,000 French in a few hours
  – insufficient number of defenders

Page 257: Sem 001 sem-001

Scotland Yard

Page 258: Sem 001 sem-001

Edinburgh castle

Page 259: Sem 001 sem-001


Page 260: Sem 001 sem-001

Flower Pots!

Page 261: Sem 001 sem-001


Page 262: Sem 001 sem-001


Page 263: Sem 001 sem-001


Page 264: Sem 001 sem-001

Security Doesn’t Have To Be Ugly.

Does it have to be inconvenient?

No.

Page 265: Sem 001 sem-001


Page 266: Sem 001 sem-001

Delta barriers

Page 267: Sem 001 sem-001


Page 268: Sem 001 sem-001


Page 269: Sem 001 sem-001

A firewall against demons

Page 270: Sem 001 sem-001

We Use Layers to Achieve Higher Security

Page 271: Sem 001 sem-001


Page 272: Sem 001 sem-001


Page 273: Sem 001 sem-001

Warsaw old city, layer 2

Page 274: Sem 001 sem-001

Intimidation is a layer

Page 275: Sem 001 sem-001

Perimeter Defenses don’t scale

Page 276: Sem 001 sem-001

The Pretty Good Wall of China

Page 277: Sem 001 sem-001

The Great Wall

• Built to keep out the barbarians of the north

– and their economy

• Formed from shorter segments

• Genghis Khan walked past the wall, unopposed, and into Beijing

• A wall is a single layer

Page 278: Sem 001 sem-001


Page 279: Sem 001 sem-001


Page 280: Sem 001 sem-001


Page 281: Sem 001 sem-001

Parliament: entrance

Page 282: Sem 001 sem-001

Parliament: exit

Page 283: Sem 001 sem-001

Intranets

Page 284: Sem 001 sem-001


Page 285: Sem 001 sem-001

Diagram: the Lucent intranet. Sites: Allentown, Murray Hill, Columbus, Holmdel. Link types: SLIP, PPP, ISDN, X.25, cable, ... Lucent - 130,000, 266K IP addresses, 3000 nets ann. Connected to the Internet, ~200 business partners, thousands of telecommuters.

Page 286: Sem 001 sem-001


Page 287: Sem 001 sem-001


Page 288: Sem 001 sem-001


Page 289: Sem 001 sem-001

Anything large enough to be called an intranet is probably out of control

Page 290: Sem 001 sem-001

A simile for the ages?

“All of [the gateway’s] protection has, by design, left the internal AT&T machines untested---a sort of crunchy shell around a soft, chewy center.”

The Design of a Secure Internet Gateway, W. Cheswick, Proc. of Winter Usenix, Anaheim, 1990

Page 291: Sem 001 sem-001

Fun intranet facts

• The largest is probably NIPRNET, ~2 million hosts

• A high tech company has about two active IP addresses per employee

• Low tech is around one per employee

• Small ones are enclaves.

Page 292: Sem 001 sem-001

Perimeter Defenses

• For wusses with hosts that can’t hack it on the real Internet

• A gateway fascist decides which traffic is good and bad

• Cheaper than deploying firewalls in every host

– But we do that, too

Page 293: Sem 001 sem-001

Problems with PDs

• They are hard to do

• They look easy to do

• They provide a false sense of security

• They don’t scale

• Everybody scales them

Page 294: Sem 001 sem-001

How Does Trouble Arrive?

• Dangerous services are attacked from the outside

• We import trouble, like Buffy’s vampires

– email

– USB sticks

– alien devices

Page 295: Sem 001 sem-001

Attack from the outside

• Network services may have exploitable security holes

• Best answer: remove services

• PD answer: get out of the game

Page 296: Sem 001 sem-001


Page 297: Sem 001 sem-001

“Best block is not be there” -- Mr. Miyagi, Karate Kid

Page 298: Sem 001 sem-001

Getting out of the game

• Firewalls block the bad stuff, and let in the good stuff

• Routing and addressing tricks also get you out of the game

– RFC 1918 addresses

– IPv6 FD address range

Page 299: Sem 001 sem-001

Diagram: outside hosts, a router with a link to the Internet, and “inside” hosts (192.168.0.0/16) behind the router.

Page 300: Sem 001 sem-001

Key Points to hiding networks

• Indirectly-connected hosts can be scanned by intermediaries

– if they are compromised, or

– if spoofed packets are possible

• Important: block spoofed packets

Page 301: Sem 001 sem-001

Internet Firewalls

Page 302: Sem 001 sem-001

Original firewall

Page 303: Sem 001 sem-001

Firewalls tend to be directional

• “inside” and “outside”

• the weakest part: thinking of “the inside” as being secure. It mostly isn’t.

Page 304: Sem 001 sem-001

Behind firewalls

• Standard servers are too dangerous to expose to outside access

• TCP/IP packets are too dangerous

– No IP connectivity to outside

Page 305: Sem 001 sem-001

My (Safer!) Firewall

Page 306: Sem 001 sem-001

Referee’s suggestion

Page 307: Sem 001 sem-001

Two benefits

• Avoids denial-of-service (DoS) attacks on important hosts

– This is a network-level, not host-level, problem

• Walled garden makes intruders easy to spot, by definition

• They keep a lot of the chaff out

Page 308: Sem 001 sem-001

Firewalls

• Generally centralized defense against attacks

• Cheaper to focus your smarts in one location

• Host-based firewalls blend into host-based security

Page 309: Sem 001 sem-001

Levels of firewalls

• Packet: usually “packet filter”

• Circuit: cf. SOCKS

• Application level

• “Deep packet inspection” (DPI): packet-level analysis of deeper data

Page 310: Sem 001 sem-001

Packet filters

• Generally fast and cheap

• Generally stupid: use tricks to enhance

– stateful: keep track of sessions

Page 311: Sem 001 sem-001

Circuit level

• “Computer acting as a wire”

• SOCKS

• Specific TCP connections copied by a relay program

• Not used much any more, but can be a convenient tool

Page 312: Sem 001 sem-001

Application level

• Understands the service it is filtering

• E.g. mailer receives and scans email before forwarding

Page 313: Sem 001 sem-001

Benefits of DPI

• Relatively cheap and easy to do

• Can be done at network speeds

• Note: not new technology

Page 314: Sem 001 sem-001

Problems with DPI

• It is impossible to do correctly, so

– good enough has to be good enough

• Why? Doing it right requires packet normalization.

Page 315: Sem 001 sem-001

Packet Normalization Problems

• Fragmented packets

• TCP overlap interpretation

• Packet distance hacks

• See Vern Paxson’s work for gory details
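An added illustration of the “TCP overlap interpretation” problem above (example code written for this page, not the seminar’s): the same constructed overlapping segments reassemble to different byte streams under two common policies, so an inspection box and the end host can disagree about what was sent, and a normalizer that forwards only the first copy of each byte and drops inconsistent overlaps removes the ambiguity. The same reasoning applies to overlapping IP fragments.

```python
# Added example for this page (not from the seminar): the "TCP overlap
# interpretation" problem and a normalizer that removes it.
# Segments are (sequence number, data); the same bytes may be covered twice.


def reassemble(segments, policy):
    """Rebuild a byte stream from (seq, data) segments.

    policy "first": keep the byte that arrived first (what some stacks do).
    policy "last":  let a later segment overwrite it (what others do).
    A DPI engine and an end host using different policies see different data.
    """
    stream = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            if policy == "last" or seq + i not in stream:
                stream[seq + i] = byte
    return bytes(stream[k] for k in sorted(stream))


def normalize(segments):
    """Normalizer placed in front of the inspection engine: forward only
    segments whose overlapping bytes agree with data already seen, and drop
    any retransmission that would change bytes already passed along.  After
    this, every reassembly policy produces the same stream."""
    seen, forwarded = {}, []
    for seq, data in segments:
        if any(seen.get(seq + i, byte) != byte for i, byte in enumerate(data)):
            continue  # inconsistent overlap: drop the whole segment
        for i, byte in enumerate(data):
            seen.setdefault(seq + i, byte)
        forwarded.append((seq, data))
    return forwarded


# Constructed input: the second segment re-covers bytes 4..7 with new data.
SEGMENTS = [(0, b"abcdefgh"), (4, b"WXYZ"), (8, b"ij")]

if __name__ == "__main__":
    print(reassemble(SEGMENTS, "first"))            # b'abcdefghij'
    print(reassemble(SEGMENTS, "last"))             # b'abcdWXYZij'
    print(reassemble(normalize(SEGMENTS), "last"))  # b'abcdefghij'
```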

Page 316: Sem 001 sem-001

General Filtering Rules

• Block everything by default

• Allow safe stuff through

• Outgoing is generally okay

• UDP is generally not okay

– but what about DNS, voice?

Page 317: Sem 001 sem-001

NAT is a close match for these

• RFC1918 addressing inside

• Outgoing stuff only

• Cheap from Costco, etc.

• You can patch your Windows system in relative safety
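The anti-spoofing point from “Key Points to hiding networks”, the “stateful” packet filter, the General Filtering Rules and the RFC 1918 inside of the NAT slide, combined in one added example (written for this page, not the seminar’s code). It models only the filter decision on a router between an RFC 1918 inside (192.168.0.0/16, from the diagram slide) and the outside; the addresses and ports in the comments are constructed, and NAT address rewriting itself is not modeled.

```python
# Added example for this page (not from the seminar): a toy stateful packet
# filter on a router between an RFC 1918 "inside" and the Internet, applying
# the slides' rules: block spoofed packets, block everything by default,
# outgoing is generally okay, UDP is generally not okay (except DNS).
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.168.0.0/16")          # from the diagram slide
PRIVATE = [ip_network(n) for n in              # RFC 1918 ranges
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SAFE_UDP_DPORTS = {53}                         # "but what about DNS?"


class PacketFilter:
    def __init__(self):
        # Stateful part: sessions opened from inside, keyed by 5-tuple.
        self.sessions = set()

    def decide(self, iface, proto, src, sport, dst, dport):
        """Return "accept: ..." or "drop: ..." for one packet seen on
        iface "inside" (leaving) or "outside" (arriving from the Internet)."""
        src, dst = ip_address(src), ip_address(dst)
        # Rule 1: block spoofed packets.  Nothing from the Internet may claim
        # a private source, and nothing leaving may claim a non-inside source.
        if iface == "outside" and any(src in net for net in PRIVATE):
            return "drop: spoofed private source arriving from outside"
        if iface == "inside" and src not in INSIDE:
            return "drop: spoofed source leaving the inside"
        # Rule 2: replies to a session opened from inside are allowed.
        if (dst, dport, src, sport, proto) in self.sessions:
            return "accept: reply to established session"
        # Rule 3: outgoing is generally okay, but UDP only to safe services.
        if iface == "inside":
            if proto == "udp" and dport not in SAFE_UDP_DPORTS:
                return "drop: UDP is generally not okay"
            self.sessions.add((src, sport, dst, dport, proto))
            return "accept: outgoing, session recorded"
        # Rule 4: block everything else by default.
        return "drop: default deny"


if __name__ == "__main__":
    # Constructed traffic: 203.0.113.0/24 is a documentation range.
    pf = PacketFilter()
    print(pf.decide("inside", "tcp", "192.168.1.10", 40000, "203.0.113.5", 443))
    print(pf.decide("outside", "tcp", "203.0.113.5", 443, "192.168.1.10", 40000))
    print(pf.decide("outside", "tcp", "203.0.113.5", 443, "192.168.1.10", 22))
    print(pf.decide("outside", "tcp", "10.1.1.1", 1234, "192.168.1.10", 22))
```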

Page 318: Sem 001 sem-001

Invited Attacks

• Much harder to filter with firewalls

• Sandboxing seems to be the most promising technology

• It is getting harder to cruise the web safely, even at “safe” sites. (Thank advertising)

Page 319: Sem 001 sem-001

Internet Skinny Dipping

• Alternative to Firewalls and Perimeter Defenses

Page 320: Sem 001 sem-001

Strong Host Security

• It can be done

• Many services are too dangerous to run

• Requires some user forbearance

• Can defend nicely against insider attacks

Page 321: Sem 001 sem-001

Inviting trouble in

• browsers, etc. are full-featured

– full-featured is a technical term for “full of security bugs”

• This is an open security problem: better OSes, sandboxing, VMs, etc.

• iPhone might be leading this!

Page 322: Sem 001 sem-001

Summary - perimeters

• Does not scale

• Medium-level defense at best

• No protection from insider attacks

Page 323: Sem 001 sem-001

Summary - firewalls

• Useful medium-level defense

• Little protection from invited trouble

• One of many tools

Page 324: Sem 001 sem-001

Many Bad Things are Out There

• We are losing the virus detection war

• Supply chain attacks are coming

• The bad guys only have to find one weakness

• Patch analysis reveals weaknesses

Page 325: Sem 001 sem-001

FIREWALLS AND PERIMETER DEFENSES

William Cheswick
cheswick.com
http://www.cheswick.com/ches

Page 326: Sem 001 sem-001
