© 1999, 2000 Carnegie Mellon University
Overview of Security Trends for System and Network Administrators
Networked Systems Survivability Program
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Sponsored by the United States Department of Defense
This Course Provides ...
• Introduction to information security issues and concepts
• Key areas to be addressed for information security
• Foundation for applying best security practices
• Resources for further technical help and training
• Current trends in information security
What are your expectations?
Objectives
• Understand the challenges of securing information in a global, dynamic, networked systems environment
• Understand the range of vulnerabilities and threats
• Develop information security strategies and identify resources
• Learn proactive measures you can use to defend and improve your organization’s information security
• Learn ways to improve readiness to respond to and recover from information security incidents
• Understand your vital role as a communicator regarding information security
What Is The Internet?
• Collection of networks that communicate
- with a common set of protocols (TCP/IP)
- by multilateral agreement
• Collection of networks with
- no central control
- no central authority
- no common legal oversight or regulations
- no standard acceptable use policy
• “wild west” atmosphere
What Is The Internet?
• Physical network connections not important
- leased lines
- dial-up
- wireless
• Logical connectivity
- everything is connected to everything else
Internet Security in the Beginnings of the Internet
• Internet started as a research project (ARPANET)
- small community of researchers
- trusted community
• Security was not a primary consideration in the design of Internet protocols
“Security issues are not discussed in this memo.” - many RFC documents
Where Wizards Stay Up Late by Katie Hafner and Matthew Lyon (ISBN 0-684 81201-0)
Why Is Internet Security a Problem?
• Security not a design consideration
• Implementing change is difficult
• Openness makes machines easy targets
• Increasing complexity
The Beginning of the CERT/CC
[Timeline figure, November 1988: Morris Worm, worm attack, postmortem, CERT/CC created]
Who We Are
[Organization chart: the U.S. DoD - Office of the Under Secretary (Research and Engineering) is the sponsor of the Networked Systems Survivability Program (FFRDC*), whose two parts are Survivable Network Management and Survivable Network Technology]
*FFRDC - Federally Funded Research and Development Center
NSS Program Strategies
[Figure: Survivable Network Technology (research results, technology evaluation), Survivable Network Management and the CERT Coordination Center lead to repaired systems, protected systems and improved systems]
What is the CERT/CC?
• Initially charged by DARPA* to serve as a focal point for Internet security by
- Fostering collaboration on security issues across the Internet community
- Providing technical assistance to Internet sites
- Analysing vulnerabilities and providing alerts to the Internet community
- Assisting other organisations in the formation of CSIRTs**
- Conducting tutorials, site evaluations, research
*DARPA - U.S. Department of Defense, Defense Advanced Research Projects Agency
**CSIRTs - Computer Security Incident Response Teams
What is the CERT/CC?
• Responsibilities now include providing
- Internet security information for
– system and network administrators
– technology managers
– policy makers
- Guidance and co-ordination for major Internet security events
– Melissa virus
– Y2K
- Leadership in the response team community
– CSIRT formation and development assistance
What is the CERT/CC?
• The CERT/CC focuses specifically on technical issues relating to Internet security
• The CERT/CC does not focus on
- who the intruders are
- where intruders are located (physically)
- motivations of intruders
- monitoring/surveillance of intruders
– other than understanding the technical implications of what the intruder community is doing
The CERT®/CC Constituency - Internet
• Global distribution
- more than 72 million host computers as of January 2000*
• Diverse user demographics
- government agencies
- academic and research institutions
- corporate users
- home users
*Source: Internet Software Consortium (http://www.isc.org/)
CERT®/CC Principles
• Provide valued services
- proactive as well as reactive
• Ensure confidentiality and impartiality
- we do not identify victims but can pass information anonymously and describe activity without attribution
- unbiased source of trusted information
• Co-ordinate with other organizations and experts
- academic, government, corporate
- distributed model for incident response teams (co-ordination and co-operation, not control)
Current Activities
• 24 hour confidential incident response and vulnerability analysis
• Providing Internet security information to system and network administrators
• Developing a knowledgebase of vulnerability and incident data
• Documenting best practices for information security
• Facilitating the formation and training of new incident response teams
Direction of Internet Security
What the Internet community is facing in terms of Internet security in the next few years can be summed up in the following statements:
• The expertise of intruders is increasing
• The sophistication of attacks and intruder tools/toolkits is increasing
• The effectiveness of intruders is increasing (knowledge is being passed to less knowledgeable intruders thus making them effective)
Direction of Internet Security
• The number of intrusions is increasing
• The number of companies and users of the Internet is increasing
• The complexity of protocols and applications run on clients and servers attached to the Internet is increasing
• The complexity of the Internet as a network is increasing
Direction of Internet Security
• The information infrastructure has many fundamental security design problems that cannot be quickly addressed
• The number of people with security knowledge and expertise is increasing, but at a significantly smaller rate than the increase in the number of Internet users
• The number of security tools available is increasing, but not necessarily as fast as the complexity of software, systems and networks
Direction of Internet Security
• The number of incident response teams is increasing, but the ratio of incident response personnel to Internet users is decreasing
• The vendor product development and testing cycle is decreasing
• Vendors continue to produce software with vulnerabilities, including types of vulnerabilities where prevention is well-understood (such as buffer overflows)
Course Overview
• Information Security Concepts
• Key Areas
- Communication
- Vulnerabilities and Threats
- Strategies and Tactics
- Planning for Information Security
- Information Security Policy
- Incident Handling
- Making the Case
• Putting it all Together
Information Security Concepts
Overview
• An example of an information security incident
• Information Security Model
• Complexity of Security
• Protecting Information Assets and Resources
• Administrative Responsibilities
• Risk and Trust
Information Security Breached
New York Times - 9/3/1988
Information Security Breached
Lessons Learned:
• Intruders actively seek ways to compromise systems
• Vulnerabilities and threats are constantly evolving
• Even sophisticated, security-conscientious organizations need to be vigilant
Notes:
• The signs of an information security compromise are not always readily visible
• Sustaining and improving information security requires continuous, proactive effort and readiness to respond
Information Security Model
[Figure: the three dimensions of the model - Information Security Properties, Information States, Security Measures]
NSTISSI 4011: National Training Standard for Information Systems Security Professionals, 1994
Information Security Properties
• Availability
• Integrity
• Confidentiality
Information States
• Processing
• Storage
• Transmission
Security Measures
• Policy & Procedures
• Technology
• Education, Training & Awareness
Information Security Model
• Information Security Properties: Confidentiality, Integrity, Availability
• Information States: Processing, Storage, Transmission
• Security Measures: Policy & Procedures, Technology, Education, Training & Awareness
Complexity of Administration
In a networked systems environment, sustaining the security of information assets is a complicated task
• Interpret information security policies to implement appropriate access controls, data protection and capacity
• Establish and implement means to verify user credentials
• Implement and enforce information security policies at a variety of levels - data, host, network, Internet
• Sustain and monitor information security consistently throughout the system and network infrastructure
The complexity increases rapidly with scale
Example: Data on a Workstation
[Figure sequence: each panel adds one more route by which the data on the workstation can be reached]
• Employees
• Removable Media
• Other Systems on the Network
• Other Resources on the Network
• Access to the Internet
• Access to Other Local Networks
• Other Routes to the Internet
• Telephones and Modems
• Open Network Ports
• Remote Users
• Vendor and Contractor Access
• Access to External Resources
• Public Information Services
• Operating Environment
Complexity of Administration
• These are a sampling of the issues
• Making a mistake in just one part of one area can lead to a compromise
Protecting Information Assets and Resources
• Avoidance
• Prevention
• Detection
• Containment and Response
• Recovery
• Improvement
Administrative Responsibilities
• Authorization
• Authentication
• Accountability
• Monitoring
• Response to information security incidents
• Damage assessment and recovery
• Analysis and implementation of security improvements
• System and software deployment, upkeep and retirement
• Backups and “hot spares”
Risk and Trust
Managing Risk
• Identify the information assets to be protected
• Prioritize the importance of securing each information asset
• Identify vulnerabilities of each asset, and the threats to it
• Prioritize impact of threats to vulnerabilities
• Select and implement appropriate safeguards
• Assume incidents will occur - “There are no silver bullets”
Trust Dilemma
• You cannot eliminate, or even mitigate, all possible risks
• At some point, you have to trust someone or something
Exercise: Trust
Complete the exercise on page 1.
Information Security Concepts
Key Points
• The goal of information security is to sustain and defend the confidentiality, integrity and availability of information
• Despite your best efforts, you must assume that information security incidents will occur
• Even sophisticated, security-conscientious organizations need to be vigilant
• The complexity of administering information security increases rapidly with scale
• Sustaining and improving information security is a continuous risk management activity
• At some point, you have to trust someone or something
Key Areas
• Communication
• Vulnerabilities & Threats
• Strategies & Tactics
• Planning
• Information Security Policy
• Incident Handling
• Making the Case
Key Areas
Communication
Communication
Overview
• Meaningful and Effective Communication
• Communicating about Security
• Communication Channels
Communication
Meaningful communication
• language
• context
Effective communication
• accuracy and clarity
• relevance to the listener
Communicating about Security
[Figure: YOU at the centre, communicating with each of the following]
• Other System and Network Administrators
• Information Security Officers and Incident Handling Groups
• Management
• Information Technology Staff and Systems Developers
• Users of Information Systems
• Information Service Providers, Vendors and Contractors
Communication Channels
Whom do you call?
• Peer system and network administrators
• Management
• Information Security Officers
• Physical Security Staff
• Network Service Providers, IT vendors
• Incident Handling Organizations
Who calls you?
• Whom should they call?
• Who should call you?
Exercise: Contact List
Complete the exercise on pages 2 and 3.
Communication
Key Points
• Excellent communication skills are a must for computer professionals
• As a computer professional, you have an important role in communicating to others about information security
• Establishing and sustaining communication channels is critically important for information security readiness
Key Areas
Vulnerabilities & Threats
Vulnerabilities & Threats
Overview
• Why Care About Vulnerabilities
• Common Terms
• Vulnerabilities
• Threats
• Intruders
• Software Flaws
• Configuration Errors
• Network Intrusions
• Forms of Attack
Will Vulnerabilities Be Found?
• San Diego Supercomputer Center conducted an experiment
• Red Hat Linux 5.2 with no security patches installed on machine
• Monitoring established to record traffic to and from host
• Host not otherwise used by staff
See: http://worm.sdsc.edu
Will Vulnerabilities Be Found?
• 8 hours from install
- probed for Solaris RPC vulnerability, not compromised
• 21 days from install
- 20 exploits tried for vulnerabilities including POP, IMAP, telnet, RPC, and mountd
- exploit attempts failed because they were exploits for Red Hat 6.x
• About 40 days from install
- compromised through a POP server vulnerability
- intruder wipes some system logs
- intruder installs rootkit and sniffer
Common Terms
Vulnerability - A feature or a combination of features of a system that allows an adversary to place the system in a state that is contrary to the desires of the people responsible for the system and increases the probability or magnitude of undesirable behavior in or of the system.
Threat - any circumstance or event with the potential for causing harm to an information system in the form of destruction, disclosure, adverse modification of data, and/or denial of service
Safeguard - an action, device, procedure, technique, or other measure that reduces the vulnerability of an information system
Common Terms
Incident - An event (or set of related events) in which the information security policies of an organization are violated.
A collection of data representing one or more related attacks. Attacks may be related by attacker, type of attack, objectives, sites, or timing.
Attack - An attempt to breach the security of an information asset or resource
Common Terms
Intrusion - A breach in the security of an information asset or resource resulting from a successful attack.
An action conducted by one adversary, the intruder, against another adversary, the victim. The intruder carries out an attack with a specific objective in mind. From the perspective of an administrator responsible for maintaining a system, an attack is a set of one or more events that may have one or more security consequences. From the perspective of an intruder, an attack is a mechanism to fulfill an objective.
Common Terms
Intruder - A person who deliberately attempts to breach the security of an information asset or resource.
The person who carries out an attack. Attacker is a common synonym for intruder. The words attacker and intruder apply only after an attack has occurred. A potential intruder may be referred to as an adversary. Since the label of intruder is assigned by the victim of the intrusion and is therefore contingent on the victim’s definition of encroachment, there can be no ubiquitous categorization of actions as being intrusive or not.
Common Terms
Trojan Horse - Malicious software or content planted by an intruder on a target system, typically masquerading as a normal or expected program or file. Intruders often install trojan horse versions of system software on systems they have compromised to hide their activities on the system and to illicitly gather information such as users’ account passwords.
Trojan horse software may also be embedded in e-mail attachments in a manner that causes unsuspecting recipients to execute the malicious software when the attachment is opened. Examples include the Melissa macro virus and Happy99.exe trojan horse.
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html
Common Terms
Compromise - Disclosure of information to unauthorized persons
A breach in the security of an information asset or resource
“root” Compromise - Compromise of an information system resulting in access by an intruder at a level equivalent to that of an administrator (a.k.a. root, superuser) of the system
Vulnerabilities
[Figure: the sources of vulnerabilities]
• Software and Hardware
• Personnel
• Environment
• Change
Threats Overview
• ... to Confidentiality
• ... to Integrity
• ... to Availability
Threats to Confidentiality
• Unauthorized access
- observation, eavesdropping, copying, theft
• Inappropriate disclosure
Threats to Integrity
• Unauthorized modification or destruction
• Loss of means to authenticate or verify integrity
Threats to Availability
• Denial of service
• Theft
• Threats to integrity
- availability of reliable data
• Loss of the means to access data
- passwords, encryption keys, technology
Other Threats
Human Error
• Data entry errors
• Improper data handling
- transmission
- processing
- storage
- disposal
• Negligence
Other Threats
Environment
• Electromagnetic Interference
• Physical damage due to weather
• Natural disasters
• Armed conflicts
• Loss of power, water, network or phone connectivity
Intruders Overview
• Internal
• External
• Means
• Motive
• Opportunity
Internal Intruders
• Employees
• Contractors
• Service personnel
• Visitors
• Covert agents
External Intruders
• Former employees
• Contractors
• Clients and Customers
• “Crackers”
• Vandals
• Thieves and Organized Crime
• Business competitors
• Political opponents and Insurgent groups
• Foreign agents
Intruder Means
Means is the sum of:
• What they know and can learn
- Abundant sources of technical information
• Information from others who can help them
- Mailing lists, conferences, chat rooms
• Tools they have at their disposal to execute an intrusion
- Availability of sophisticated, easy-to-use intruder tools
Evolving Intruder Threat
[Chart: Sophistication of Intruder Attacks, on a scale from Low to High, plotted over 1975-2000]
Evolving Intruder Threat
[Chart: Technical Knowledge and Skill Required by Intruders, on a scale from Novice to Expert, plotted over 1975-2000]
Intruder Motives
• Money, profit
• Access to additional resources
• Competitive advantage
- Economic
- Political
• Personal grievance, vengeance
• Curiosity
• Mischief
• Attention
Opportunities for Intrusion
• Rapid adoption of computer and network technology in government, industry, and educational organizations
• Internet explosion and e-commerce
• Thousands of exploitable vulnerabilities in technology
• Lack of awareness regarding information security
• Shortage of qualified system and network administrators and information security staff
• Lack of applicable laws and means of enforcement
• International scope
Internet Growth
[Chart: Network Wizards, Inc. Internet Domain Survey Host Count History; host count from 0 to 50,000,000, plotted over 1975-2000]
Vulnerability Exploit Cycle
[Figure: a cycle through the following stages]
1. Advanced intruders discover new vulnerability
2. Crude exploit tools distributed
3. Novice intruders use crude exploit tools
4. Automated scanning/exploit tools developed
5. Widespread use of automated scanning/exploit tools
6. Intruders begin using new types of exploits (and the cycle repeats)
Software Vulnerabilities
Examples
• Buffer overflows
• Timing windows
Avoiding Software Vulnerabilities
• Defensive Programming
Buffer Overflow Example
[Figure: a subroutine's stack frame, with the buffer allocated in the subroutine lying next to the subroutine return address; the intruder data overruns the buffer into the return address]
• In a subroutine, the intruder forces more data into a buffer than the size of the buffer allocated for it
• The intruder data spills over onto the subroutine return address memory cell
• Embedded in the intruder data are malicious program commands and a new subroutine return address
• When the subroutine returns, the next instructions executed are those given by the intruder, with the privileges of the program
Timing Window Example
A real-world timing window problem:
• Call video store
• “Do you have ‘Saving Private Ryan’?”
• “Yes”
• Drive to video store
• Alas, someone retrieved the copy first
You asked an incomplete question.
Should have asked:
• “Do you have ‘Saving Private Ryan’ and if you do, please hold it for me.”
• Better level of atomicity
Timing Window Example
TIME   PROGRAM
t1     if (file_does_not_exist(some_file)) then
t2         create(some_file);
t3     endif
Stretch the t1 to t2 interval
Change the world during that interval
Timing Window Example
How to change the t1 to t2 interval?
• Load the system: run many programs, flood with network traffic, anything to make the system run slower
• Run the race over and over; eventually you’ll win
What to do in the t1 to t2 interval?
• Replace created file with symbolic link
• File then created elsewhere
• If set UID root program, then file created anywhere, or contents abandoned
Timing Window Example
TIME   PROGRAM                        ATTACKER
t1     if (…("/tmp/t") then
t1+i                                  symlink("/tmp/t", "/etc/passwd")
t2     create("/tmp/t");
This results in /etc/passwd being “created,” or zeroed, hence a denial of service
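The check-then-create race on the two slides above, and the atomic create that closes it, as an added example in C. This code is added for this transcript and is not from the CERT/CC course. It assumes a POSIX system with a writable /tmp; the file names are constructed for the demonstration, and the symbolic link points at another scratch file under /tmp rather than at /etc/passwd, so the only thing "zeroed" is a throwaway file.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* The racy check-then-create from the slide.  access() is the t1 test and
 * open() is the t2 create; the interval between them is the timing window. */
int racy_create(const char *path) {
    if (access(path, F_OK) == 0)
        return -1;                                        /* t1: "file already exists" */
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600); /* t2: create (follows symlinks) */
}

/* The fix: O_CREAT | O_EXCL asks the kernel to test and create in one atomic
 * step.  If anything is already at the path, including a symbolic link, open()
 * fails with EEXIST and the link is never followed, so there is no interval in
 * which the world can be changed. */
int safe_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Demonstration with constructed names under /tmp: a dangling symlink is put
 * where the program expects to create its file ("change the world").  Returns
 * a bit mask: bit 0 set if racy_create() created the file at the link target
 * (i.e. elsewhere), bit 1 set if safe_create() refused with EEXIST.  The
 * expected result is 3. */
int demo_symlink_race(void) {
    char link_path[64], target_path[64];
    int result = 0, fd;
    snprintf(link_path, sizeof link_path, "/tmp/cert_toctou_link_%ld", (long) getpid());
    snprintf(target_path, sizeof target_path, "/tmp/cert_toctou_target_%ld", (long) getpid());
    unlink(link_path);
    unlink(target_path);
    if (symlink(target_path, link_path) != 0)
        return 0;                                         /* cannot set up the demonstration */

    /* Racy version: the t1 check sees no file (the link is dangling), and the
     * t2 create follows the link, so the file appears at target_path instead. */
    fd = racy_create(link_path);
    if (fd >= 0) {
        close(fd);
        if (access(target_path, F_OK) == 0)
            result |= 1;
        unlink(target_path);                              /* make the link dangling again */
    }

    /* Atomic version: the symlink counts as "something is already there". */
    fd = safe_create(link_path);
    if (fd < 0 && errno == EEXIST)
        result |= 2;
    else if (fd >= 0)
        close(fd);

    unlink(target_path);
    unlink(link_path);
    return result;
}

int main(void) {
    printf("demo result = %d (3: racy create landed elsewhere, atomic create refused)\n",
           demo_symlink_race());
    return 0;
}
```

The same O_EXCL rule is what mkstemp() relies on for temporary files; when a program must create a file in a directory that others can write to, the atomic create (or mkstemp) is the check, and any separate "does it exist?" test beforehand is the bug.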
Defensive Programming
• Trusting untrustworthy data
- always check input length
- always use bounded functions
- always check input for unexpected data
- limit acceptable input; reject all violations; provide documented default
• Avoid vulnerable functions such as system() and popen()
• Test all programs thoroughly before deployment
- make testing conditions as realistic as possible
- always check boundary conditions
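An added C example for the Buffer Overflow Example slides and the Defensive Programming checklist above; it is added here and is not code from the CERT/CC course. It places the unbounded strcpy() pattern beside a hardened input routine that checks the length first, rejects unexpected bytes, copies only with a bounded function, and substitutes a documented default. The buffer size, the accepted character set and the default value are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16               /* size of the fixed stack buffer (constructed) */
#define DEFAULT_NAME "anonymous"  /* documented default used when input is rejected */

/* The pattern from the Buffer Overflow Example slides: strcpy() copies until
 * it meets a NUL byte and trusts the caller for the length.  Input longer
 * than NAME_BUF - 1 runs past the end of `name` into whatever follows it on
 * the stack, which is how the saved return address gets overwritten.  Kept
 * here only as the "before" picture; this program never calls it with
 * oversized input. */
void unsafe_copy(char name[NAME_BUF], const char *src) {
    strcpy(name, src);
}

/* Hardened form following the Defensive Programming slide: check the input
 * length first, reject unexpected (non-printable) bytes, copy only with a
 * bounded function, and fall back to the documented default on any violation.
 * Returns 0 if `src` was accepted, -1 if it was rejected; on rejection dst
 * holds DEFAULT_NAME. */
int accept_name(char *dst, size_t dstsize, const char *src) {
    /* Bounded length check: memchr() looks at no more than dstsize bytes, so
     * even an unterminated source cannot make us read past the buffer size. */
    const char *nul = memchr(src, '\0', dstsize);
    size_t len = nul ? (size_t) (nul - src) : dstsize;
    int ok = len < dstsize;                 /* must leave room for the NUL */
    for (size_t i = 0; ok && i < len; i++) {
        unsigned char c = (unsigned char) src[i];
        if (c < 0x20 || c > 0x7e)           /* control or non-ASCII byte */
            ok = 0;
    }
    /* snprintf() writes at most dstsize - 1 characters plus the terminator. */
    snprintf(dst, dstsize, "%s", ok ? src : DEFAULT_NAME);
    return ok ? 0 : -1;
}

/* Runs accept_name() against a fixed-size stack buffer for one input and
 * returns its verdict.  Whatever `src` contains, `name` cannot overflow. */
int check_name(const char *src) {
    char name[NAME_BUF];
    return accept_name(name, sizeof name, src);
}

int main(void) {
    const char *inputs[] = {
        "alice",                                      /* accepted */
        "this-name-is-far-too-long-for-the-buffer",   /* rejected: too long */
        "bad\001name",                                /* rejected: control byte */
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-45s -> %s\n", inputs[i],
               check_name(inputs[i]) == 0 ? "accepted" : "rejected, default used");
    return 0;
}
```

The boundary condition the checklist asks you to test is the input of exactly NAME_BUF - 1 characters (accepted) against NAME_BUF characters (rejected): an off-by-one there is the usual way a "bounded" copy still overruns.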
Common Configuration Errors Overview
• Vulnerable default configurations
• Incorrect access controls and execution privileges
• Problems maintaining system and network software
Vulnerable Default Configurations
• Empty passwords and well-known vendor passwords
• Guest and other default accounts
• Unnecessary features and services enabled
• Remote access enabled
• Logging and auditing features disabled
• Incorrect default access controls
• Need for updated device drivers and software patches
Incorrect System Access Controls
• Access to administrative systems, programs, and configuration data
• Access privileges for storage volumes, directories and files
• Remote access to local system resources
• Ownership of files and access privileges retained by terminated accounts
• Access to backup data
Incorrect Network Access Controls
• Access to administrative capabilities of networked systems and components
• Router and switch configurations
• Firewall configurations
• Network monitor configurations
• Trust relationships between networked systems
Problems Maintaining System and Network Software
• Failing to keep software up-to-date regarding security fixes
• Assuming old configuration files will be OK for updated versions of software
• Assuming that new versions of software will have all the security fixes included
• Accepting unwritten default settings (not setting all configuration settings explicitly)
• Inconsistency of software versions and configurations across all systems and network infrastructure components
Exercise: Vulnerabilities
Complete the exercise on page 4.
Network Intrusions
• Intrusions from remote systems can be achieved in a matter of seconds using automated intruder tools
• Intruders are interested in gaining access to computing resources as well as to private data
• Intruders often compromise a series of remote systems, making it difficult to trace their activities
• Network intrusions originating outside of your jurisdiction and from foreign countries may be impossible to prosecute
A Network Intrusion Scenario
[Figure sequence, one panel per step]
1. Intruder Probes a Remote System
2. Exploits a Vulnerability Found
3. Gains Privileged Access
4. Installs Trojan Horse Programs
5. Compromises Other Local Hosts
6. Attacks Other Remote Systems
7. Exploits Connectivity Found
8. Attacks Target System
9. Inflicts Damage
Forms of Attack
• Abuse of Access Privileges
• Physical Theft
• Information Gathering
• Password Cracking
• Exploitation of System and Network Vulnerabilities
• Spoofing
• Denial of Service
• Exploitation of Trust
• Network Infrastructure Attacks
• Malicious Code
Information Gathering
• Dumpster Diving
• Social Engineering
• Probes
• Network Scans
• Network Mapping
• Keystroke Monitoring
• Packet Sniffing
Probes and network scans are the most commonly reported intruder activity
Scans
• Intruders commonly use automated tools to scan networks for vulnerable systems
• Scans may be recognizable in network traffic logs as a series of consecutive probes to a range of system addresses or port numbers
• Stealth scans spread probes out over time to appear inconspicuous within normal traffic patterns
• Intruders employ automated tools to call telephone number ranges in search of modems used for dial-up connections
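An added example, not part of the original course material, of the recognition rule stated on the Scans slide: a C program that tallies, per source address, how many distinct destination ports and distinct destination hosts it touched in a connection log, and flags any source that exceeds a threshold. The log format (time, src, dst, dport), the addresses and the threshold are constructed for the demonstration; a real detector would read the site's own traffic logs, and a stealth scan spread over a long period would need the tally kept across a correspondingly long window.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES 32   /* distinct source addresses we track (constructed limit) */
#define MAX_SEEN 64      /* distinct hosts/ports remembered per source (constructed limit) */
#define ADDR_LEN 16      /* room for a dotted-quad IPv4 address plus NUL */

/* Constructed sample log lines (not from the original page): "<time> src=<addr>
 * dst=<addr> dport=<port>".  10.1.1.5 walks a range of ports on one host,
 * 10.1.1.9 walks one port across a range of hosts, 10.1.1.7 is an ordinary
 * client reaching two services, and one line is deliberately malformed. */
static const char *const SAMPLE_LOG[] = {
    "1000 src=10.1.1.7 dst=192.168.1.10 dport=80",
    "1001 src=10.1.1.5 dst=192.168.1.10 dport=21",
    "1001 src=10.1.1.5 dst=192.168.1.10 dport=22",
    "1001 src=10.1.1.5 dst=192.168.1.10 dport=23",
    "1002 src=10.1.1.5 dst=192.168.1.10 dport=25",
    "1002 src=10.1.1.5 dst=192.168.1.10 dport=110",
    "this line is not a connection record",
    "1003 src=10.1.1.7 dst=192.168.1.10 dport=443",
    "1004 src=10.1.1.9 dst=192.168.1.1 dport=22",
    "1004 src=10.1.1.9 dst=192.168.1.2 dport=22",
    "1005 src=10.1.1.9 dst=192.168.1.3 dport=22",
    "1005 src=10.1.1.9 dst=192.168.1.4 dport=22",
    "1006 src=10.1.1.9 dst=192.168.1.5 dport=22",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Per-source tally of the distinct destination hosts and ports it touched. */
typedef struct {
    char src[ADDR_LEN];
    char hosts[MAX_SEEN][ADDR_LEN];
    int nhosts;
    int ports[MAX_SEEN];
    int nports;
} SourceStats;

/* Parse one log line; returns 1 on success, 0 if the line is malformed. */
int parse_line(const char *line, char *src, char *dst, int *dport) {
    long t;
    return sscanf(line, "%ld src=%15s dst=%15s dport=%d", &t, src, dst, dport) == 4;
}

static SourceStats *find_or_add(SourceStats *tab, int *n, const char *src) {
    for (int i = 0; i < *n; i++)
        if (strcmp(tab[i].src, src) == 0)
            return &tab[i];
    if (*n >= MAX_SOURCES)
        return NULL;
    SourceStats *s = &tab[(*n)++];
    memset(s, 0, sizeof *s);
    snprintf(s->src, ADDR_LEN, "%s", src);
    return s;
}

static void note_host(SourceStats *s, const char *host) {
    for (int i = 0; i < s->nhosts; i++)
        if (strcmp(s->hosts[i], host) == 0)
            return;                                  /* already counted */
    if (s->nhosts < MAX_SEEN)
        snprintf(s->hosts[s->nhosts++], ADDR_LEN, "%s", host);
}

static void note_port(SourceStats *s, int port) {
    for (int i = 0; i < s->nports; i++)
        if (s->ports[i] == port)
            return;                                  /* already counted */
    if (s->nports < MAX_SEEN)
        s->ports[s->nports++] = port;
}

/* The slide's rule: a source that probes at least `threshold` distinct ports
 * (port scan) or at least `threshold` distinct hosts (address sweep) is
 * flagged.  Flagged addresses are written to `out`; returns how many. */
int detect_scans(const char *const lines[], size_t n, int threshold,
                 char out[][ADDR_LEN], int max_out) {
    static SourceStats table[MAX_SOURCES];
    int nsrc = 0, flagged = 0, dport;
    char src[ADDR_LEN], dst[ADDR_LEN];
    for (size_t i = 0; i < n; i++) {
        if (!parse_line(lines[i], src, dst, &dport))
            continue;                                /* skip malformed lines */
        SourceStats *s = find_or_add(table, &nsrc, src);
        if (s == NULL)
            break;                                   /* table full */
        note_host(s, dst);
        note_port(s, dport);
    }
    for (int i = 0; i < nsrc && flagged < max_out; i++)
        if (table[i].nports >= threshold || table[i].nhosts >= threshold)
            snprintf(out[flagged++], ADDR_LEN, "%s", table[i].src);
    return flagged;
}

static char flagged_sources[MAX_SOURCES][ADDR_LEN];

/* Runs the detector over the constructed log with a threshold of 4. */
int demo_scan_count(void) {
    return detect_scans(SAMPLE_LOG, SAMPLE_LOG_LEN, 4, flagged_sources, MAX_SOURCES);
}
const char *demo_flagged(int i) { return flagged_sources[i]; }

int main(void) {
    int n = demo_scan_count();
    for (int i = 0; i < n; i++)
        printf("possible scan from %s\n", demo_flagged(i));
    return 0;
}
```

On the sample log the client 10.1.1.7 stays under the threshold while 10.1.1.5 (five ports on one host) and 10.1.1.9 (one port on five hosts) are flagged; the threshold is the tuning knob between catching slow scans and raising alerts on busy legitimate clients.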
Packet Sniffing
Under normal conditions, the data in a packet transmitted over the network is read only by the destination system to which it is addressed.
[Figure: packets crossing a router on the way to the destination system]
Packet Sniffing
When a packet sniffer is present, a copy of every packet that passes by it on the network is covertly captured.
[Figure: a host executing a packet sniffer beside the router]
Sniffed Telnet Example
Denial of Service
• Loss of availability
• Loss of the ability to respond
• Consumption of a limited resource
• Forcing failure or shutdown of a system that
- contains a needed information asset or resource, or
- is required for delivery of an information asset or resource
Examples of Denial of Service
Common denials of service launched across networks:
• Mail Bombs
• Ping Floods (e.g. “Smurf” attacks)
• SYN Attacks
• UDP Bounce Attacks
• Distributed Denials of Service
Mail Bombs
Floods of e-mail messages intended to consume and exceed your mail system’s capacity to process and store them
• Automated tools can generate a continuous e-mail stream
• Falsified subscriptions of your e-mail address to a large number of automated mailing lists and newsgroups result in a flood of unwanted e-mail
What can you do?
• Require a confirmation message to initiate all subscriptions
• Enable anti-spam measures on mail proxies and servers
Ping Floods
Floods of ping requests tie up a system’s ability to respond to legitimate connection requests
Example: “Smurf” attacks
“Smurf” Attack
[Figure: attacker, routers, the 10.0.0.x network and the target host 192.168.123.45]
1. The attacker forges a ping packet with the source address set to that of the target system: “Ping from 192.168.123.45 to 10.0.0.255”
© 1999, 2000 Carnegie Mellon University page 124
“Smurf” Attack
[Figure: attacker, routers, the 10.0.0.x network (broadcast address 10.0.0.255) and the target host 192.168.123.45]
2. The forged ping packet is sent to the broadcast address of remote networks
© 1999, 2000 Carnegie Mellon University page 125
“Smurf” Attack
[Figure: every host on the 10.0.0.x network answering the forged ping]
3. Pinging the broadcast address causes all hosts on that network to respond to the forged ping request
© 1999, 2000 Carnegie Mellon University page 126
“Smurf” Attack
[Figure: the replies from the 10.0.0.x network converging on the target host 192.168.123.45]
4. The hosts on the remote network each return pings to the target host, flooding it with pings
© 1999, 2000 Carnegie Mellon University page 127
SYN Attacks
TCP session handshake sequence
[Figure: client and server exchange 1 SYN, 2 ACK:SYN, 3 ACK]
© 1999, 2000 Carnegie Mellon University page 128
SYN Attacks
TCP session handshake sequence
[Figure: client and server exchange 1 SYN, 2 ACK:SYN, 3 ACK]
• The server keeps track of a limited number of open TCP connections
© 1999, 2000 Carnegie Mellon University page 129
SYN Attacks
TCP session handshake sequence
[Figure: client and server exchange 1 SYN, 2 ACK:SYN, 3 ACK]
• The server keeps track of a limited number of open TCP connections
• For each open TCP connection, the server waits a preset interval for the ACK packet in step 3
© 1999, 2000 Carnegie Mellon University page 130
SYN Attacks
“Half-open” TCP connections
[Figure: the client sends 1 SYN, the server answers 2 ACK:SYN, the client sends another 1 SYN, and so on, with no 3 ACK ever returned]
© 1999, 2000 Carnegie Mellon University page 131
SYN Attacks
“Half-open” TCP connections
[Figure: the client sends 1 SYN, the server answers 2 ACK:SYN, the client sends another 1 SYN, and so on, with no 3 ACK ever returned]
• The server receives a number of SYN packets but no subsequent ACK packets within the timeout period
© 1999, 2000 Carnegie Mellon University page 132
SYN Attacks
“Half-open” TCP connections
[Figure: the client sends 1 SYN, the server answers 2 ACK:SYN, the client sends another 1 SYN, and so on, with no 3 ACK ever returned]
• The server receives a number of SYN packets but no subsequent ACK packets within the timeout period
• The server’s pool of open TCP connection slots fills up
© 1999, 2000 Carnegie Mellon University page 133
SYN Attacks
“Half-open” TCP connections
[Figure: the client sends 1 SYN, the server answers 2 ACK:SYN, the client sends another 1 SYN, and so on, with no 3 ACK ever returned]
• The server receives a number of SYN packets but no subsequent ACK packets within the timeout period
• The server’s pool of open TCP connection slots fills up
• New connection attempts, even legitimate ones, get denied
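The three slides above describe the mechanism in words: a limited pool of slots, a preset wait for the step-3 ACK, and denial once the pool is full. The model below is an added example, not part of the course material, that makes the accounting explicit so an administrator can see how the pool size and the timeout interact. The capacity of 8, the 75-second wait and every address in the trace are constructed assumptions; real TCP implementations keep different limits and add their own countermeasures.

```python
class HalfOpenTable:
    """Model of the server-side pool of half-open connections: each SYN takes a
    slot while the server waits a preset interval for the step-3 ACK. The
    capacity and timeout values are assumptions; real TCP stacks differ."""

    def __init__(self, capacity: int, timeout: float):
        self.capacity = capacity
        self.timeout = timeout
        self.pending = {}        # (client_ip, client_port) -> time the SYN arrived
        self.denied = 0
        self.established = 0

    def _expire(self, now: float) -> None:
        """Free slots whose ACK did not arrive within the timeout."""
        for client in [c for c, t0 in self.pending.items() if now - t0 >= self.timeout]:
            del self.pending[client]

    def on_syn(self, now: float, client) -> bool:
        """Step 1: a SYN arrives. Returns False when no slot is free (connection denied)."""
        self._expire(now)
        if client in self.pending:
            return True                      # retransmitted SYN, slot already held
        if len(self.pending) >= self.capacity:
            self.denied += 1
            return False
        self.pending[client] = now           # step 2: ACK:SYN sent, now waiting
        return True

    def on_ack(self, now: float, client) -> bool:
        """Step 3: the ACK arrives and the connection is fully open."""
        self._expire(now)
        if client not in self.pending:
            return False                     # timed out or never seen
        del self.pending[client]
        self.established += 1
        return True

    def half_open(self) -> int:
        return len(self.pending)


def simulate(capacity: int = 8, timeout: float = 75.0) -> dict:
    """Constructed trace: a burst of SYNs that never complete, then a legitimate client."""
    table = HalfOpenTable(capacity, timeout)
    # One SYN per second from constructed addresses that never send the ACK
    for i in range(capacity):
        table.on_syn(float(i), (f"198.51.100.{i}", 40000 + i))
    legit = ("203.0.113.5", 51000)
    first_try = table.on_syn(10.0, legit)            # pool full: denied
    # Once the preset interval has passed, the stale slots are reclaimed
    second_try = table.on_syn(10.0 + timeout, legit)
    completed = table.on_ack(10.1 + timeout, legit)
    return {
        "first_try": first_try,
        "second_try": second_try,
        "completed": completed,
        "denied": table.denied,
        "established": table.established,
        "half_open_after": table.half_open(),
    }
```

In this model the only defensive levers are the ones the slides name: the number of slots and the length of the wait. Raising the capacity or shortening the timeout raises the rate an attacker must sustain, but does not remove the exposure, which is why perimeter anti-spoofing filters and, on modern systems, stack-level defenses such as SYN cookies are used alongside it.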
© 1999, 2000 Carnegie Mellon University page 134
UDP Bounce Attacks
User Datagram Protocol (UDP) is connectionless
UDP versions of diagnostic services simply respond when they receive a packet addressed to them
• echo
• discard
• daytime
• character generator (chargen)
© 1999, 2000 Carnegie Mellon University page 135
UDP Bounce Attacks
[Figure: forged packet “To green:chargen, From yellow:echo”]
• The attacker forges a packet addressed to the chargen port of one target, claiming to originate from the echo port of the other target
© 1999, 2000 Carnegie Mellon University page 136
UDP Bounce Attacks
[Figure: the green host’s chargen port and the yellow host’s echo port exchanging packets]
• The attacker forges a packet addressed to the chargen port of one target, claiming to originate from the echo port of the other target
• The target receiving the forged packet responds by sending a number of packets to the echo port of the other target
© 1999, 2000 Carnegie Mellon University page 137
UDP Bounce Attacks
[Figure: the green host’s chargen port and the yellow host’s echo port exchanging packets]
• The attacker forges a packet addressed to the chargen port of one target, claiming to originate from the echo port of the other target
• The target receiving the forged packet responds by sending a number of packets to the echo port of the other target
• Every packet received on the echo port is returned back to the chargen port of the first target
© 1999, 2000 Carnegie Mellon University page 138
UDP Bounce Attacks
[Figure: the green host’s chargen port and the yellow host’s echo port exchanging packets]
• The attacker forges a packet addressed to the chargen port of one target, claiming to originate from the echo port of the other target
• The target receiving the forged packet responds by sending a number of packets to the echo port of the other target
• Every packet received on the echo port is returned back to the chargen port of the first target
• Each packet sent to the chargen port gets several back...
© 1999, 2000 Carnegie Mellon University page 139
UDP Bounce Attacks
[Figure: the green host’s chargen port and the yellow host’s echo port flooding each other]
• The targets rapidly send an increasing flood of traffic to one another, rendering both systems unable to respond
© 1999, 2000 Carnegie Mellon University page 140
UDP Bounce Attacks
[Figure: the green host’s chargen port and the yellow host’s echo port flooding each other]
• The targets rapidly send an increasing flood of traffic to one another, rendering both systems unable to respond
• The extreme volume of traffic generated between the targets also affects network connectivity of other systems that share the network
© 1999, 2000 Carnegie Mellon University page 141
UDP Bounce Attacks
[Figure: the green host’s chargen port and the yellow host’s echo port flooding each other]
• The targets rapidly send an increasing flood of traffic to one another, rendering both systems unable to respond
• The extreme volume of traffic generated between the targets also affects network connectivity of other systems that share the network
Services like echo and chargen should generally be disabled on all systems and filtered at network gateways
© 1999, 2000 Carnegie Mellon University page 142
Typical Distributed DoS Attack
[Figure: intruder connected to the Internet]
© 1999, 2000 Carnegie Mellon University page 143
Step One - Intruder to Handler
[Figure: the intruder sends commands to the handler across the Internet]
© 1999, 2000 Carnegie Mellon University page 144
Step Two - Handler to Agents
[Figure: the master sends commands to the agents across the Internet]
© 1999, 2000 Carnegie Mellon University page 145
Step Three - Agents to Victim
[Figure: each agent independently sends traffic to the victim across the Internet]
© 1999, 2000 Carnegie Mellon University page 146
DDoS Attack Tools Summary
trin00 and Tribe Flood Network
http://www.cert.org/incident_notes/IN-99-07
Tribe Flood Network 2K
http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html
Stacheldraht
http://www.cert.org/advisories/CA-2000-01.html
WinTrin00
http://www.cert.org/incident_notes/IN-2000-01.html
mstream
http://www.cert.org/incident_notes/IN-2000-05.html
© 1999, 2000 Carnegie Mellon University page 147
DDoS Communication Methods
Trinoo:
• intruder->handler 27665/tcp
• handler<->agent 27444/udp, 31335/udp
TFN:
• intruder->handler ssh, telnet, ICMP (loki)...
• handler->agent echo_reply/icmp
Stacheldraht:
• intruder->handler 16660/tcp
• handler->agent 65000/tcp, echo_reply/icmp
Shaft:
• intruder->handler 24032/tcp (not 20483/tcp)
• handler<->agent 18753/udp, 20433/udp
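The port list above is what a site can actually look for in its own traffic records. The following is an added example, not code from the course or from CERT/CC, that applies those ports as a signature over flow records and adds a crude check for the ICMP echo_reply channels that have no port to match on. The Flow record layout, the unsolicited-echo-reply heuristic and every address in the sample (RFC 5737 documentation ranges) are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1     # for icmp only: 8 = echo request, 0 = echo reply


# Control-channel ports from the course slide, keyed by (protocol, port).
# ICMP-based channels (TFN, Stacheldraht handler->agent) have no port and are
# covered by the unsolicited echo-reply check below instead.
DDOS_CONTROL_PORTS = {
    ("tcp", 27665): "Trinoo intruder->handler",
    ("udp", 27444): "Trinoo handler<->agent",
    ("udp", 31335): "Trinoo handler<->agent",
    ("tcp", 16660): "Stacheldraht intruder->handler",
    ("tcp", 65000): "Stacheldraht handler->agent",
    ("tcp", 24032): "Shaft intruder->handler",
    ("udp", 18753): "Shaft handler<->agent",
    ("udp", 20433): "Shaft handler<->agent",
}


def find_control_port_traffic(flows):
    """Flag flows whose destination or source port matches a known control port.
    A port match is a lead, not proof: any service can be bound to these ports."""
    hits = []
    for f in flows:
        for port in (f.dport, f.sport):
            label = DDOS_CONTROL_PORTS.get((f.proto, port))
            if label:
                hits.append((f, label))
                break
    return hits


def find_unsolicited_echo_replies(flows):
    """Flag ICMP echo replies for which no echo request was seen in the other
    direction: a crude indicator of echo_reply control channels (assumed heuristic)."""
    requested = set()
    hits = []
    for f in flows:
        if f.proto != "icmp":
            continue
        if f.icmp_type == 8:
            requested.add((f.src, f.dst))
        elif f.icmp_type == 0 and (f.dst, f.src) not in requested:
            hits.append(f)
    return hits


# Constructed flow records; nothing here was captured from a real network.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.20", "tcp", 51234, 27665),      # intruder -> handler (Trinoo)
    Flow("203.0.113.20", "203.0.113.30", "udp", 27444, 31335),    # handler -> agent (Trinoo)
    Flow("192.0.2.10", "203.0.113.20", "tcp", 51235, 22),         # ordinary ssh session
    Flow("198.51.100.9", "203.0.113.30", "icmp", icmp_type=8),    # normal ping ...
    Flow("203.0.113.30", "198.51.100.9", "icmp", icmp_type=0),    # ... and its reply
    Flow("203.0.113.20", "203.0.113.31", "icmp", icmp_type=0),    # reply with no request
    Flow("203.0.113.30", "203.0.113.31", "udp", 20433, 18753),    # handler <-> agent (Shaft)
]


def summarize(flows=SAMPLE_FLOWS):
    """Return the labels of control-port hits and the endpoints of unsolicited replies."""
    return {
        "control_port_hits": [label for _, label in find_control_port_traffic(flows)],
        "unsolicited_echo_replies": [(f.src, f.dst) for f in find_unsolicited_echo_replies(flows)],
    }
```

Both checks produce leads to investigate on the flagged hosts rather than verdicts: the port signatures are trivially changed by a new tool version, and a reply-without-request can also come from a capture that started mid-exchange. The CERT documents listed on the previous slide describe the host-level artifacts that confirm an infection.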
© 1999, 2000 Carnegie Mellon University page 148
Exploitation of Trust
It is common to set up trust relationships between networked systems to facilitate convenient access
• single sign-on authentication
• shared network file systems
Trust relationships between systems that rely on network information to identify systems are vulnerable to exploitation by spoofed (i.e. forged) network packets
Example: IP Source Address Spoofing
© 1999, 2000 Carnegie Mellon University page 149
IP Source Address Spoofing
[Figure: trusting host 10.1.2.3, trusted host 10.1.2.4 and the intruder’s host]
• 10.1.2.3 (yellow) trusts 10.1.2.4 (green) implicitly
© 1999, 2000 Carnegie Mellon University page 150
IP Source Address Spoofing
[Figure: the intruder’s host, pretending to be 10.1.2.4, sends “SYN from 10.1.2.4” to the trusting host 10.1.2.3]
• The intruder spoofs a connection request from 10.1.2.4
© 1999, 2000 Carnegie Mellon University page 151
IP Source Address Spoofing
[Figure: the trusting host 10.1.2.3 sends “SYN:ACK to 10.1.2.4”; the intruder’s host is still pretending to be 10.1.2.4]
• 10.1.2.3 attempts to acknowledge the connection request
© 1999, 2000 Carnegie Mellon University page 152
IP Source Address Spoofing
[Figure: the trusted host 10.1.2.4 answers with “RST from 10.1.2.4”; the intruder’s host is pretending to be 10.1.2.4]
• Normally, 10.1.2.4 would reject the SYN:ACK packet
© 1999, 2000 Carnegie Mellon University page 153
IP Source Address Spoofing
[Figure: the trusting host 10.1.2.3 sends “SYN:ACK to 10.1.2.4”; the trusted host 10.1.2.4 does not answer; the intruder’s host is pretending to be 10.1.2.4]
• The intruder, however, has denied service by 10.1.2.4
© 1999, 2000 Carnegie Mellon University page 154
IP Source Address Spoofing
[Figure: the intruder’s host, pretending to be 10.1.2.4, sends “ACK from 10.1.2.4” to the trusting host 10.1.2.3]
• The intruder spoofs an acknowledgment from 10.1.2.4
© 1999, 2000 Carnegie Mellon University page 155
IP Source Address Spoofing
[Figure: connection established between the trusting host 10.1.2.3 and the intruder’s host pretending to be 10.1.2.4]
• 10.1.2.3 establishes the connection, believing that the intruder’s host is the trusted host, 10.1.2.4
© 1999, 2000 Carnegie Mellon University page 156
Malicious Code
• Viruses
• Trojan Horse Attacks
- Executable content in downloaded files
- Executable web page content: Javascript, Java, ActiveX
- Executable content in e-mail and attached documents
• Worms
Always verify the integrity and authenticity of downloaded content
Always scan content for malicious code before opening
© 1999, 2000 Carnegie Mellon University page 157
Love Letter Worm
• Malicious code that potentially
- generates large amounts of email and entries in the registry
- destroys or hides certain types of files
• Propagates via several methods
- infected files (on local disk and network drives)
- IRC
• Uses social component to facilitate spread
© 1999, 2000 Carnegie Mellon University page 158
Love Letter Worm
• New variants continue to be discovered
• While the worst activity is over, re-infections will continue to occur in the future
See:
http://www.cert.org/advisories/CA-2000-04.html
© 1999, 2000 Carnegie Mellon University page 159
Exercise: Attacks
Complete the exercise on page 5.
© 1999, 2000 Carnegie Mellon University page 160
Vulnerabilities & Threats
Key Points
• The intruder threat is increasing
• Always use defensive programming techniques
• Intruders use sophisticated, automated, easy-to-use tools to launch attacks
• Intruders actively scan networks and probe systems to find vulnerabilities that they can exploit
• Denial of service attacks are common and difficult to avoid
• Intruders often exploit trust relationships among systems
• Always guard against malicious code in content received
© 1999, 2000 Carnegie Mellon University page 161
Communication
Vulnerabilities & Threats
Strategies & Tactics
Key Areas
© 1999, 2000 Carnegie Mellon University page 162
Strategies & Tactics
Overview
• Complexity of Administration
• IT System Life Cycle
• Preparation
• Implementation Challenges
• Strategies for Manageable Security
• Sustaining Security over Time
• Common Security Tactics
© 1999, 2000 Carnegie Mellon University page 163
Exercise: Infrastructure
Complete the exercise on page 6.
© 1999, 2000 Carnegie Mellon University page 164
Complexity of Administration
© 1999, 2000 Carnegie Mellon University page 165
IT System Life Cycle
Initiation and Planning
Development and Acquisition
Preparation and Testing
Implementation
• Education and Training
Operation
• Maintenance and Updates
• Security Monitoring
• Disposal of Information
Termination
© 1999, 2000 Carnegie Mellon University page 166
Preparation
For all systems and networks administered:
• maintain a complete record of all systems and networks
• know what information assets and resources they contain
• know what information security policies apply to them
• know what system and network services are enabled
- e.g., Web, e-mail, and file service, remote login, DNS, etc.
• identify weakest links
• identify means to avoid, prevent, detect and respond to security problems
• document assumptions and tradeoffs
© 1999, 2000 Carnegie Mellon University page 167
Implementation Challenges
• Vendors generally focus their efforts on product features and flexibility, not ease of secure administration
• Existing system and network infrastructure may not support the desired means to secure information
• There may be no way to satisfy all requirements as stated in your organization’s information security policy
• The cost to implement and sustain security measures as required by policy may be prohibitive
© 1999, 2000 Carnegie Mellon University page 168
Strategies for Manageable Security
• Take a conservative approach to configuration
• Separate and isolate networks, systems and services
• Create layers of access and diversify safeguards
• Practice vigilance
© 1999, 2000 Carnegie Mellon University page 169
Conservative Approach
• Assume that vulnerabilities exist that you are not aware of
• Start by disabling all capabilities
• Enable only those capabilities that are required, and configure them to maximize security
• Remove all unnecessary software and data
• Carefully consider security implications of all added functionalities
• Apply the Principle of Least Privilege
© 1999, 2000 Carnegie Mellon University page 170
Separate, Isolate and Simplify
• Separate and isolate networks, systems, services and data by role, purpose and security sensitivity
• Establish zones of infrastructure and administration separated by differences in information security policy, e.g.
- Servers vs. client workstations
- Network services per server host
- Internal vs. external (public) accessibility
- Classified vs. non-classified data
• Enforce differences in information security policy between zones
© 1999, 2000 Carnegie Mellon University page 171
Consistency, Depth, Diversity
You’re only ever as secure as your weakest link
• Efforts to secure information are useless if there exist ways to get around them
Layer defenses to limit and contain breaches in security
• Do not assume your access controls and firewalls are impervious
• Perimeter defenses cannot thwart insider threats
Diversify safeguards between layers of access
• Do not let the same vulnerability affect multiple levels
© 1999, 2000 Carnegie Mellon University page 172
Practice Vigilance
• Prepare, test and replicate systems in an isolated, physically secure environment
• Deploy secure system, network and application logging and monitoring capabilities
• Regularly review logs for signs of intrusion
• Look for unexpected changes to directories and files
• Regularly scan for viruses
• Maintain and practice readiness to respond to security incidents
• Keep systems, software and configurations up-to-date
• Actively raise user and management awareness regarding information security
© 1999, 2000 Carnegie Mellon University page 173
Sustaining Security Over Time
The appropriate information security strategies and tactics to apply will change over time as
• your organization’s needs change
• your system or network requirements change
• new automated tools become available
• new systems are deployed
• new network connectivity is established
• existing systems and software become outdated
• new vulnerabilities are discovered
• intruder attack patterns change
© 1999, 2000 Carnegie Mellon University page 174
Common Security Tactics
• Cryptography
• Firewalls
• Network traffic filtering
• Network traffic monitoring
• Host security
• Security patches and workarounds
• Passwords
• Vulnerability testing
• Virus scanning
• Secure backups
© 1999, 2000 Carnegie Mellon University page 175
Uses of Cryptography
Confidentiality
• Encryption of files and data transmitted over networks
• Encryption of data stored off-line
Integrity Assurance
• Cryptographic checksums to strongly inhibit fraud
Authentication and Non-repudiation
• Public key authentication and digital signatures
Examples:
• Secure e-mail (PGP, S/MIME)
• Secure remote network connections (Secure Shell, VPNs)
© 1999, 2000 Carnegie Mellon University page 176
Network Firewalls
One or more components placed at gateways between networks to enforce information security policy
• Filtering routers
• Bastion hosts and application/service proxies
• Network switches
• Network monitors
Ensure secure administration of firewall components
Reinforce perimeter defenses with host security
© 1999, 2000 Carnegie Mellon University page 177
Minimal Firewall
[Figure: the External Network connects through a Firewall Router to the Internal Network]
© 1999, 2000 Carnegie Mellon University page 178
Firewall + Application Gateway
[Figure: External Network, Exterior Border Router, Perimeter Network with a Bastion Host, Interior Firewall Router, Internal Network]
© 1999, 2000 Carnegie Mellon University page 179
Multiple Internal Networks
[Figure: External Network, Exterior Border Router, perimeter with a Bastion Host and a Network Monitor, Interior Firewall Router, two Internal Networks]
© 1999, 2000 Carnegie Mellon University page 180
A More Complex Firewall Setup
[Figure: External Network, Exterior Border Router, perimeter with a Bastion Host and a Network Monitor, Specialized Interior Firewall System, Switch, two Internal Networks each with its own Network Monitor]
© 1999, 2000 Carnegie Mellon University page 181
TCP/IP Network Filtering
Prevent IP Source Address Spoofing across network boundaries
Block Inbound:
• packets with source IP addresses that match an IP address of your internal network
Block Outbound:
• packets with source IP addresses that do not match an IP address of your internal network
Block both inbound and outbound:
• packets with source IP addresses in one of the reserved IP address ranges (RFC 1918)
© 1999, 2000 Carnegie Mellon University page 182
TCP/IP Network Filtering
Inhibit common forms of Denial of Service attacks
• Disable IP directed broadcasts at all routers
Inhibit opportunities for packet sniffing and session hijacking
• Block IP source-routed packets at all routers
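The two filtering slides above, together with the earlier advice to filter echo and chargen at the gateway, amount to a small border policy. The following is an added example, not code from the course material, that expresses that policy as a packet check and runs it over a constructed sample so each rule can be seen firing. The internal prefix 203.0.113.0/24, the Packet layout, the rule order and every sample address are assumptions; a real router expresses the same rules as access-list lines.

```python
import ipaddress
from dataclasses import dataclass

# Constructed border-router policy. The internal prefix and the sample addresses
# are assumptions taken from the documentation ranges (RFC 5737).
INTERNAL_NET = ipaddress.ip_network("203.0.113.0/24")

# RFC 1918 private ranges: never valid as a source address crossing the border.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# UDP diagnostic services abused by bounce attacks: echo, discard, daytime, chargen.
SMALL_SERVICE_PORTS = {7, 9, 13, 19}


@dataclass
class Packet:
    direction: str               # "in" = arriving from outside, "out" = leaving the internal network
    src: str
    dst: str
    proto: str = "tcp"           # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    source_routed: bool = False  # IP source-route option present in the header


def filter_packet(pkt: Packet, internal=INTERNAL_NET):
    """Return (allowed, reason) for one packet crossing the network boundary."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # Source-routed packets let an outsider dictate the path: drop at all routers.
    if pkt.source_routed:
        return False, "source-routed packet"

    # RFC 1918 sources are blocked in both directions.
    if any(src in net for net in RFC1918):
        return False, "RFC 1918 source address"

    # Anti-spoofing, inbound: nobody outside may claim one of our addresses.
    if pkt.direction == "in" and src in internal:
        return False, "inbound packet with internal source address"

    # Anti-spoofing, outbound: our hosts may not claim someone else's address
    # (keeps the site from being used as a Smurf or spoofing launch point).
    if pkt.direction == "out" and src not in internal:
        return False, "outbound packet with non-internal source address"

    # Directed broadcast: a packet for the broadcast address of a connected
    # network is what a Smurf amplifier needs; do not forward it.
    if dst == internal.broadcast_address:
        return False, "IP directed broadcast"

    # Echo/chargen/daytime/discard over UDP feed bounce attacks; filter at the gateway.
    if pkt.proto == "udp" and (pkt.sport in SMALL_SERVICE_PORTS or pkt.dport in SMALL_SERVICE_PORTS):
        return False, "UDP diagnostic service port"

    return True, "permitted"


# Constructed traffic sample: one packet per rule plus one legitimate packet.
SAMPLE = [
    Packet("in", "203.0.113.7", "203.0.113.10", "tcp", 40001, 513),         # spoofed internal source
    Packet("out", "192.168.1.5", "198.51.100.5", "tcp", 40002, 80),         # private source leaving
    Packet("in", "198.51.100.5", "203.0.113.255", "icmp"),                  # directed broadcast (Smurf)
    Packet("in", "198.51.100.5", "203.0.113.10", "udp", 7, 19),             # echo -> chargen bounce
    Packet("in", "198.51.100.5", "203.0.113.10", "tcp", 40003, 25, True),  # source-routed
    Packet("out", "203.0.113.10", "198.51.100.5", "tcp", 40004, 443),       # normal outbound
]


def apply_policy(packets=SAMPLE):
    """Evaluate every packet and return the list of (allowed, reason) verdicts."""
    return [filter_packet(p) for p in packets]
```

The rule order matters only for which reason is reported, since every rule here is a deny; what the order does show is that the egress rule protects other sites as much as your own, which is the part administrators most often skip.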
© 1999, 2000 Carnegie Mellon University page 183
Host Security Guidelines
• Disable and remove all unnecessary accounts
• Disable and remove all unnecessary network and system services and application software
• Protect all sensitive system and service configuration software and data against unauthorized access
• Configure and enable logging and monitoring mechanisms
• Configure and require strong authentication for access to all information assets and resources
• Use groups to simplify management of access controls
• Regularly check system software and configuration data for unexpected changes
• Avoid implicit trust relationships between hosts
© 1999, 2000 Carnegie Mellon University page 184
Why Care About Patches
of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available.
© 1999, 2000 Carnegie Mellon University page 185
Security Patches and Workarounds
• Stay up-to-date regarding vendor patches and workarounds to address security vulnerabilities
• Verify the integrity and authenticity of all downloaded software before applying it to your systems
• Test patches and workarounds in an isolated, physically secure test environment before deployment
• Deploy security patches and workarounds as soon as possible to reduce exposure to attacks
• Maintain a thorough, up-to-date record of security patches and workarounds that you have applied
© 1999, 2000 Carnegie Mellon University page 186
CERT® Advisories
CERT® Advisories alert you to vulnerabilities for which you should take immediate action
• Description of the vulnerability and its scope
• Potential impact should the vulnerability be exploited
• Solutions or workarounds
• Appendices contain details and vendor information
• Revision history
• PGP signature
© 1999, 2000 Carnegie Mellon University page 187
Other CERT® Publications
The CERT® Coordination Center website (www.cert.org)
• CERT® Summaries
• Vendor-Initiated Bulletins
• CERT® Incident Notes
• CERT® Vulnerability Notes
• CERT® Security Improvement Modules
• Tech Tips
© 1999, 2000 Carnegie Mellon University page 188
Password Guidelines
Passwords are susceptible to cracking and sniffing
• Use one-time passwords wherever possible
If you must use reusable passwords
• Avoid trivial and easily-crackable passwords
• Protect password data against unauthorized access
• Educate all users regarding the critical importance of protecting password confidentiality
For all systems and network components
• Ensure that all accounts have passwords
• Replace all vendor-supplied passwords
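Several of the guidelines above can be checked mechanically: accounts with no password at all, vendor-supplied defaults still in place, and trivial or name-based choices. The following is an added example, not code from the course material, with two pieces: an audit of shadow-style account records for empty password fields, and a policy check applied at the moment a reusable password is chosen, while the plaintext is still available. The record format, the vendor-default and trivial-word lists, and the 8-character minimum are all assumptions; the course sets no specific length.

```python
import re

# Constructed shadow-style records: user:hash:lastchg:min:max:warn:inactive:expire:flag
# The hash fields are placeholders, not real digests.
SHADOW_LINES = [
    "root:$6$PLACEHOLDERHASH:18000:0:99999:7:::",
    "daemon:*:18000:0:99999:7:::",        # locked system account: acceptable
    "guest::18000:0:99999:7:::",          # empty field: login requires no password at all
    "alice:$6$PLACEHOLDERHASH2:18000:0:99999:7:::",
    "backup:!:18000:0:99999:7:::",        # locked: acceptable
]

# Constructed list of vendor-supplied defaults; a real list comes from the
# vendor documentation for each product in the inventory.
VENDOR_DEFAULTS = {("admin", "admin"), ("root", "root"), ("guest", "guest"), ("sa", "")}
TRIVIAL_WORDS = {"password", "passwd", "letmein", "welcome", "qwerty", "123456", "changeme"}
MIN_LENGTH = 8  # assumed local policy


def find_accounts_without_password(lines):
    """Return user names whose shadow password field is empty (no password required).
    Locked accounts ('*' or '!' prefix) are not reported."""
    missing = []
    for line in lines:
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw_field = fields[0], fields[1]
        if pw_field == "":
            missing.append(user)
    return missing


def check_new_password(user, candidate):
    """Policy checks run when a user or an installer sets a reusable password.
    Returns the list of violations; an empty list means the password is acceptable."""
    findings = []
    if candidate == "":
        return ["empty password"]
    if (user.lower(), candidate) in VENDOR_DEFAULTS:
        findings.append("vendor-supplied default password")
    if len(candidate) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if user.lower() in candidate.lower():
        findings.append("contains the user name")
    if candidate.lower() in TRIVIAL_WORDS:
        findings.append("trivial dictionary word")
    classes = sum(bool(re.search(p, candidate)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        findings.append("fewer than three character classes")
    return findings


def audit(lines=SHADOW_LINES, candidates=(("guest", "guest"), ("alice", "alice123"))):
    """Combine both checks into one report for the constructed sample."""
    return {
        "no_password": find_accounts_without_password(lines),
        "rejected_choices": {u: check_new_password(u, p) for u, p in candidates if check_new_password(u, p)},
    }
```

The plaintext check belongs in the password-change path (for example a PAM module or an installation script), never in a batch job over stored hashes; the account audit, by contrast, runs safely on a copy of the shadow file and is the quick way to confirm the slide's last two points after any new system is built.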
© 1999, 2000 Carnegie Mellon University page 189
Vulnerability Testing
“Know what the intruders can know about you”
In an isolated, physically secure test environment:
• Password cracking tools
• Network scanning tools
• System scanning tools
Warning: Make sure you have authority to do so in writing before you engage in any vulnerability testing activities!
© 1999, 2000 Carnegie Mellon University page 190
Virus Scanning
Even the most conscientious users can receive a virus
• Files and media exchanged between employees and with customers or other external contacts
• Data downloaded from remote systems
• E-mail attachments
Measures
• Install and regularly use current virus scanning software
• Keep virus scanner data up-to-date on all systems
• Raise awareness of current and emerging virus threats
• Train users to scan all data received for viruses before use
© 1999, 2000 Carnegie Mellon University page 191
Secure Backups
• Data backups are essential to enable recovery in the event of failures and security incidents
• The confidentiality and integrity of data must be sustained during backup, storage, and restoration
• Data backup media must be protected against theft, modification, and destruction
• The means used to record and read backup media must be maintained as long as that media is used
• Encryption keys and passwords used to protect backup data must be securely escrowed
© 1999, 2000 Carnegie Mellon University page 192
Strategies & Tactics
Key Points
• Good security administration is all about good systems administration
• Take a conservative approach in configuration management
• Separate, isolate and simplify system and network services
• You’re only ever as secure as your weakest link
• Practice vigilance and be prepared for change
• Apply appropriate tactics to sustain and improve security
• Keep systems and network components up-to-date regarding patches and workarounds for security
• Maintain secure backups
© 1999, 2000 Carnegie Mellon University page 193
Communication
Vulnerabilities & Threats
Strategies & Tactics
Planning
Key Areas
© 1999, 2000 Carnegie Mellon University page 194
Planning
Overview
• Importance of planning
• Planning considerations
© 1999, 2000 Carnegie Mellon University page 195
Importance of Planning
You cannot afford to be left wondering what to do when struck by an information security incident
• Your first information security incident could put your organization entirely out of business
“A penny of planning is worth a pound of recovery”
• Time and resources must be allocated for planning
“Do not paint yourself into a corner”
• Information security measures must accommodate change
© 1999, 2000 Carnegie Mellon University page 196
Planning Considerations
Sustaining and improving information security is a complex, continuous, long term process
• Information assets and resources to be protected
• System and network architecture
• Communication channels and reporting procedures
• Proactive security measures and procedures
• Reactive security measures and procedures
• Testing and evaluating your plans
• Keeping plans up-to-date
• Documentation and record keeping
© 1999, 2000 Carnegie Mellon University page 197
Planning
Key Points
• You cannot afford to be left wondering what to do when you are struck by an information security incident
• Time and resources must be allocated for planning
• Proactive and reactive security measures and procedures must be carefully planned and tested
• Maintain documented plans for information security measures, including assumptions and reasoning
© 1999, 2000 Carnegie Mellon University page 198
Communication
Vulnerabilities & Threats
Strategies & Tactics
Planning
Information Security Policy
Key Areas
© 1999, 2000 Carnegie Mellon University page 199
Information Security Policy
Overview
• Participants and Stakeholders
• Risk Management and Analysis
• Characteristics of an Effective Information Security Policy
• Information Security Policy Issues
• Examples of Information Security Policy Statements
© 1999, 2000 Carnegie Mellon University page 200
Exercise: Information Security Policy
Complete the exercise on pages 7 and 8.
© 1999, 2000 Carnegie Mellon University page 201
Information Security Policy
What shapes the policy?
Who writes and shapes the policy and procedures?
© 1999, 2000 Carnegie Mellon University page 202
Policy Stakeholders
[Figure: stakeholders arranged around the Information Security Policy]
• Management: top management (CTO, CIO)
• Users
• Others (clients, partners)
• Network Admin
• System Admin
• Database Admin
• Human Resources
• Legal
© 1999, 2000 Carnegie Mellon University page 203
Risk Analysis
Steps
1. Identify and assign value to assets
2. Prioritize assets
3. Determine vulnerability to threats and damage potential
4. Prioritize impact of threats
5. Select cost-effective safeguards
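The five steps above are a procedure, and the part that is hard to do consistently by hand is keeping the arithmetic of steps 3 to 5 honest across many assets. The code below is an added worked example, not a method from the course or from CERT/CC: it carries one constructed inventory through the steps using an assumed annualized model (asset value times yearly likelihood times damage fraction) and keeps only the safeguards whose yearly loss reduction exceeds their yearly cost. Every asset, threat, figure and safeguard is illustrative.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float          # step 1: value assigned to the asset (monetary units)


@dataclass
class Threat:
    name: str
    asset: str            # asset the threat acts on
    likelihood: float     # assumed model: expected occurrences per year
    damage: float         # fraction of the asset's value lost per occurrence (0..1)


@dataclass
class Safeguard:
    name: str
    threat: str           # threat it counters
    annual_cost: float
    reduction: float      # fraction of the threat's expected loss it removes (0..1)


def expected_loss(asset: Asset, threat: Threat) -> float:
    """Step 3 under the assumed annualized model: value x likelihood x damage fraction."""
    return asset.value * threat.likelihood * threat.damage


def prioritize_assets(assets):
    """Step 2: highest value first."""
    return [a.name for a in sorted(assets, key=lambda a: a.value, reverse=True)]


def prioritize_threats(assets, threats):
    """Step 4: threats ordered by the expected loss they impose."""
    by_asset = {a.name: a for a in assets}
    scored = [(t.name, expected_loss(by_asset[t.asset], t)) for t in threats]
    return sorted(scored, key=lambda x: x[1], reverse=True)


def select_safeguards(assets, threats, safeguards):
    """Step 5: keep safeguards whose yearly loss reduction exceeds their yearly cost,
    best net benefit first."""
    by_asset = {a.name: a for a in assets}
    by_threat = {t.name: t for t in threats}
    chosen = []
    for s in safeguards:
        t = by_threat[s.threat]
        benefit = expected_loss(by_asset[t.asset], t) * s.reduction
        if benefit > s.annual_cost:
            chosen.append((s.name, round(benefit - s.annual_cost, 2)))
    return sorted(chosen, key=lambda x: x[1], reverse=True)


# Constructed inventory; every figure here is illustrative.
ASSETS = [Asset("customer database", 500_000), Asset("public web server", 50_000)]
THREATS = [
    Threat("database compromise via unpatched service", "customer database", 0.2, 0.5),
    Threat("web site defacement", "public web server", 1.0, 0.1),
    Threat("database loss from failed backups", "customer database", 0.1, 1.0),
]
SAFEGUARDS = [
    Safeguard("patch management process", "database compromise via unpatched service", 20_000, 0.8),
    Safeguard("web intrusion detection", "web site defacement", 15_000, 0.9),
    Safeguard("verified off-site backups", "database loss from failed backups", 8_000, 0.9),
]
```

The point of writing the model down is that the likelihood and damage figures become explicit assumptions that stakeholders can argue about, which is exactly the "document assumptions and tradeoffs" step from the Preparation slide; a safeguard that only looks cost-effective under an optimistic likelihood should be visible as such.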
© 1999, 2000 Carnegie Mellon University page 204
Characteristics of an Effective Information Security Policy
• Long term focus
• Clear and concise
• Role-based
• Realistic
• Specifies areas of responsibility and authority
• Well-defined
• Up-to-date
© 1999, 2000 Carnegie Mellon University page 205
Information Security Policy Topics
• Communications
• Privacy
• Accountability
• Authorization
• Violations
• Network Traffic
• Availability
• Auditing
• Identification
• Authentication
• Access
• Redundancy
• Resources
• Supporting Info
• Risk Reduction
• Purchasing Guidelines
© 1999, 2000 Carnegie Mellon University page 206
Acceptable Use Policy Issues for Users
• Prohibiting sharing of accounts
• Requiring good passwords
• Guidelines for accessing unprotected programs or files
• Breaking into accounts
• Breaking into systems
• Cracking passwords
• Disrupting service
© 1999, 2000 Carnegie Mellon University page 207
Policy Issues for Privileged (Administrative) Users
• Authority and conditions for reading e-mail of other users
• Accessing protected programs or files
• Disrupting service under specific conditions
• Prohibiting sharing of accounts
• Prohibiting unauthorized creation of user accounts
• Authority and conditions for using vulnerability testing tools
© 1999, 2000 Carnegie Mellon University page 208
Policy Issues Examples
• What are users allowed to do with hardware on their computers?
• How do users gain remote access?
• What guidelines must a laptop user observe?
• How is software evaluated for deployment?
- What process must software pass through before it is installed?
- What files does the software access when running?
© 1999, 2000 Carnegie Mellon University page 209
Security Policy Example 1
Users must not copy software provided by
Organization X to any storage media (floppy disk,
magnetic tape, etc.), transfer such software to another
computer, or disclose such software to outside parties
without written permission from the Director of
Information Technology.
• Information Security Policies Made Easy, Charles Cresson Wood, 1997, p. 125
© 1999, 2000 Carnegie Mellon University page 210
Security Policy Example 2
Internet access using computers in Organization X is
permissible only when users go through an
Organization X firewall. Other ways to access the
Internet, such as dial-up connections with an Internet
Service Provider (ISP), are prohibited if Organization X
computers are employed.
• Information Security Policies Made Easy, Charles Cresson Wood, 1997, p. 318
© 1999, 2000 Carnegie Mellon University page 211
Information Security Policy
Key Points
• Make information security policy work for you and your organization
• Use risk management and risk analysis methods to shape information security policies
• Know what your organization’s information security policy authorizes you to do as a computer professional, and the conditions under which you can act with authority
© 1999, 2000 Carnegie Mellon University page 212
Communication
Vulnerabilities & Threats
Strategies & Tactics
Planning
Information Security Policy
Incident Handling
Key Areas
© 1999, 2000 Carnegie Mellon University page 213
Incident Handling
Overview
• CERT® Coordination Center Experience
• Intruders: Active and Organized
• Effective Incident Handling
• Incident Handling Steps
© 1999, 2000 Carnegie Mellon University page 214
CERT®/CC Experience
Since 1988 the CERT® Coordination Center has
• Responded to more than 18,000 security incidents that have affected more than 660,000 hosts on the Internet
• Helped to foster the creation of more than 80 incident response teams
© 1999, 2000 Carnegie Mellon University page 215
Recent CERT/CC Experiences
                                                    1997     1998     1999    2000*
Incidents handled                                  3,285    4,942    9,859    8,836
Vulnerabilities reported                             196      262      417      442
Email msgs processed                              38,406   31,933   34,612   26,413
CERT Advisories, Vendor Bulletins, and Vul Notes      44       34       20        9
CERT Summaries and Incident Notes                      6       15       13       10
*January through June of 2000
© 1999, 2000 Carnegie Mellon University page 216
Recent CERT®/CC Experiences
The increase in incidents in 1998 and 1999 can be attributed to the following factors:
• Significant increase in automated scanning and automated attacks by intruders
• Greater awareness of CERT®/CC by sites
• Increase in sites regularly reporting incidents
• Automated reporting
© 1999, 2000 Carnegie Mellon University page 217
Intruders: Active & Organized
• Telephone/voice message systems
• Bulletin board systems
• Anonymous FTP service
• Internet Relay Chat (IRC) - #hack channel
• Web sites
• Conferences
• Publications
© 1999, 2000 Carnegie Mellon University page 218
Handling Security Incidents
Assume that security incidents will occur
Plan and maintain readiness to handle security incidents
• Without adequate planning, you will incur much greater losses and much greater costs in the recovery effort
Computer Security Incident Response Teams (CSIRTs)
Do not wait until after an intrusion has occurred to start thinking about how to handle a security incident
© 1999, 2000 Carnegie Mellon University page 219
Effective Incident Handling
The primary goals of incident handling are to:
• Control and minimize damage
• Preserve evidence
• Recover as soon as possible
• Learn enough to help prevent exposure to similar problems in the future
© 1999, 2000 Carnegie Mellon University page 220
Incident Handling Steps
1 Prepare
2 Respond
3 Recover
4 Follow-up
© 1999, 2000 Carnegie Mellon University page 221
Incident Handling Steps
[Figure: the four steps shown as a cycle, Follow-up feeding back into Prepare]
1 Prepare
2 Respond
3 Recover
4 Follow-up
© 1999, 2000 Carnegie Mellon University page 222
Prepare
Ensure that security policies support incident handling
Plan responses
• Locate backups
• Identify available resources and tools
• Coordinate team members; define roles and responsibilities
• Establish secure communication channels
• Coordinate with your public relations spokesperson
• Designate a technical lead to work with the public relations spokesperson
• Conduct regular training and readiness drills
© 1999, 2000 Carnegie Mellon University page 223
Respond
• Follow your information security policy and procedures
• Verify the incident
• Analyze the intrusion
• Communicate with appropriate parties
• Handle media inquiries through your designated public relations spokesperson
• Collect and protect information
• Contain the intrusion
© 1999, 2000 Carnegie Mellon University page 224
Recover
Eliminate all means of intruder access
• If systems have been compromised
- Restore programs from trusted vendor-supplied media
- Restore data from trusted backups
• Install appropriate patches or fixes
• Modify accounts and passwords as needed
Return systems to normal operation
• Reestablish connectivity
• Monitor systems for further attacks
© 1999, 2000 Carnegie Mellon University page 225
Follow-up
Identify lessons learned and implement improvements
• Assess time and resources used and damage incurred
• Document commands, code, and procedures used in responding
• Support legal activities such as investigation and prosecution if appropriate
• Conduct a postmortem
• Document all findings and lessons learned
• Implement improvements to information security policies, procedures, and measures
© 1999, 2000 Carnegie Mellon University page 226
Exercise: Intrusion Scenarios
Complete the exercise on pages 9 and 10.
© 1999, 2000 Carnegie Mellon University page 227
Incident Handling
Key Points
• Assume that security incidents will occur
• Plan and maintain readiness to handle security incidents
• Follow incident handling steps when security incidents occur
• Implement improvements based on lessons learned
© 1999, 2000 Carnegie Mellon University page 228
Key Areas
• Communication
• Vulnerabilities & Threats
• Strategies & Tactics
• Planning
• Information Security Policy
• Incident Handling
• Making the Case
© 1999, 2000 Carnegie Mellon University page 229
Making the Case for Information Security
Overview
• Making the Case to Stakeholders
• Tools and Resources
© 1999, 2000 Carnegie Mellon University page 230
Making the Case
Policy stakeholders
• Management: top management (CTO, CIO)
• Users
• Others (clients, partners)
• Network Admin
• System Admin
• Database Admin
• Human Resources
• Legal
© 1999, 2000 Carnegie Mellon University page 231
Making the Case
Effective information security requires universal participation and awareness among stakeholders
Implementing information security measures requires buy-in, support and resources from management
Resources to help raise awareness
• Computer Security Institute/FBI Computer Crime Survey
• National Infrastructure Protection Center CyberNotes
• Press reports of information security incidents
© 1999, 2000 Carnegie Mellon University page 232
Tools and Resources
Tools for making your case
• Risk management / analysis findings
• Information Security Policy
• Legal obligations
• Data gathering / record keeping - statistics and metrics
• Simple economics argument
Existing resources
• Y2K analyses
• Insurance company evaluations
• Accounting audits
© 1999, 2000 Carnegie Mellon University page 233
Exercise: Getting Support
Complete the exercise on page 11.
© 1999, 2000 Carnegie Mellon University page 234
Making the Case for Information Security
Key Points
• Make the case for information security in language that your stakeholders understand
• Gain and maintain support and resources for information security from stakeholders
• Document the information security effort
© 1999, 2000 Carnegie Mellon University page 235
Putting it all Together
Review
Next Steps
© 1999, 2000 Carnegie Mellon University page 236
Information Security Model
Confidentiality, Integrity, Availability
Processing, Storage, Transmission
Policy & Procedures, Technology, Education, Training & Awareness
© 1999, 2000 Carnegie Mellon University page 237
Key Areas
• Communication
• Vulnerabilities & Threats
• Strategies & Tactics
• Planning
• Information Security Policy
• Incident Handling
• Making the Case
© 1999, 2000 Carnegie Mellon University page 238
Exercise: Action Plan
Complete the exercise on pages 12 and 13.
© 1999, 2000 Carnegie Mellon University page 239
How To Contact Us
24-hour hotline: +1 412 268 7090
CERT personnel answer 8:30 AM - 5:00 PM EST (GMT-5) / EDT (GMT-4) Mon.-Fri. On call for emergencies during other hours.
FAX: +1 412 268 6989
Anonymous FTP archive: ftp://ftp.cert.org/pub/
Web site: http://www.cert.org
Email: [email protected]
US mail: CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University, 4500 Fifth Avenue, Pittsburgh, PA 15213-3890 USA
© 1999, 2000 Carnegie Mellon University page 240
How To Contact Us
Key ID: 0x6A9591D0
Key Type: Diffie-Hellman/DSS
Expires: 9/30/00
Key Size: 2048/1024
Fingerprint: 9E04 84E2 E27A 6A73 9C69 72DE 5AFD 91BE 6A95 91D0
UserID: CERT Coordination Center
http://www.cert.org/contact_cert/encryptmail.html
© 1999, 2000 Carnegie Mellon University page 241
How To Contact Us
Key ID: 0x84DF0FD5
Key Type: RSA
Expires: 9/30/00
Key Size: 1024
Fingerprint: F8 FD 6B F7 36 B6 E0 86 C5 72 20 6E 5D 66 68 98
UserID: CERT Coordination Center
http://www.cert.org/contact_cert/encryptmail.html