Information Security
Karl F. Lutzen, CISSP, Information Security Officer
S&T IT Information Systems Security
Who Am I?
• Information Security Officer for S&T
• Started with UMR (when it was called that) in October 1985
• Providing network security (in varying degrees) for over 10 years
• Formally providing campus security function since July 2003
• The gray beard came on mostly after accepting the position
• (still strives for a sense of humor as it keeps me sane.)
Information Security Is:
• The application of technology and processes to protect data from accidental or intentional misuse by persons, known or unknown, inside or outside of an organization.
• By no means strictly a technical matter: its technical aspects (firewalls, encryption, access controls, etc.) are important, but so are the processes applied to ever-varying situations.
• An increasingly high-profile problem as hackers (or crackers) take advantage of vulnerabilities in parts of an organization’s network, whether Internet accessible or internal.
What are we trying to protect?
Holistic View
• Pulling all the principles together and applying them in a structured, ever-evolving method results in a more accurate term:
Information Assurance
CIA Triad
• Confidentiality – only authorized people, resources, processes have access
• Integrity – protect data from intentional or accidental changes
• Availability – Data or system is available by authorized users when needed
These three concepts and how they relate to your organization’s mission should be the basis of Information Security decisions.
Physical Security: Data Center
• Facility must be designed to include physical safeguards
• Physical access trumps ALL other forms of security (exception being cryptography if properly implemented)
• No one solution: each facility’s needs are unique
Physical Security Process and Plan
• Physical security process
  – Effectiveness is ensured by making certain that:
    • Threats have been identified
    • Associated vulnerabilities have been accurately characterized, prioritized, and addressed
  – Implemented through planning
  – Supervised and enforced by consistent and ongoing management
Example
• Below the fortress-like structure lies the vault,
  – Lined with granite walls
  – Single blast-proof door that weighs over 22 tons.
  – No single person is entrusted with the combination to the vault.
    • Various staff must dial separate combinations known only by them.
    • Beyond the main vault door, smaller internal "cells" provide further protection.
Example
• The facility is protected by numerous layers of
  – physical security
  – alarms
  – video cameras
  – armed guards
• Has a separate emergency power plant, water system, and other necessary facilities.
• The facility is ringed with several electrified fences and is under armed guard
Example
• The facility is within an Army post to provide additional protection. Units include
  – Apache helicopter gunships
  – training battalions of the United States Army Armor School, and
  – the 3rd Brigade Combat Team of the 1st Infantry Division, totaling over 30,000 soldiers, with associated tanks, armored personnel carriers, attack helicopters, and artillery.
Example
• Army post is close to the middle of the US
  – Not easy to get to (when originally built)
  – Provides ample warning time to respond to foreign attacks
• Previous photo credits:
• http://forum.skyscraperpage.com/showthread.php?t=142754
Physical Security: Data Center
• Multiple layers required:
  – Locks
  – Cameras
  – Badges
  – Security guards/Dogs
  – Fences
  – Alarms
  – Lights
  – Environment – heating/cooling
  – Fire suppression
  – Etc.
Physical Security
• Also important for desktops, laptops, USB memory devices, etc.
• Remember, even a low-tech attack can defeat physical security!
Application Security
• Average sized organization has hundreds of in-house and externally developed applications.
• Business processes are continually moving towards web services
• However, data and critical business services are being exposed:
  – Lack of testing
  – Insecure applications
  – Human error (leaving things where they shouldn’t be)
Application Security
• Security must be an integral part of the application lifecycle:
  – from initial concept to final disposal
• A golden rule of application security:
  – You cannot test in security! It must be designed into the application and verified at each step of the lifecycle.
Peer Reviews – Number One Tool
• Requirements phase
  – Peer Review – conflicts/missing requirements
• Design
  – Peer Review – conflicts/errors in design
• Coding
  – Peer Review – errors abound!
• Testing
  – Peer Review – Testing based on requirements
• Deliverable/Maintenance
  – Peer review of patches is critical!
Network Security
• Network protocols are not secure.
  – Port scan/direct attack
  – Malicious Web Sites
  – Social Engineering
  – Phishing/Pharming
  – Denial of Service attacks
  – Insider attacks
  – Viruses/Worms
  – Information Leakage
  – Others
Network Security
• Network designs/implementations require:
  – IDS/IPS
  – Firewalls
  – Routers
  – Switches (NO HUBS!)
  – Secured wireless (or not at all).
  – Traffic shaping
  – Proxy Servers/DMZ
Network Hubs
• Insecure!
• No traffic isolation or traffic control
• All data is replicated to all ports
• Any station on the hub can examine ALL traffic
• Collision problems on a busy network
Network Security
• Switches are vulnerable
  – MAC address Flooding
• Other issues on the local network
  – ARP Poisoning
  – Rogue DHCP Servers
  – Physical access to wiring closets
Access Control
• A key principle to preserve Confidentiality
• Properly implemented Access Controls ensure only authorized access and deny all else.
• Several methods are used
  – Mandatory Access Control
  – Discretionary Access Control
  – Role-Based Access Control
BCP/DRP
• Business Continuity Planning/Disaster Recovery Planning
• An extremely important and rapidly growing part of Information Assurance!
• A proper security program is deficient if there isn’t business continuity and disaster recovery planning
BCP/DRP
• Components of a DRP
  – Backups
  – Vendor contracts
  – Alternate sites
    • Hot
    • Warm
    • Cold
    • Reciprocal
• Failure to have a BCP/DRP could cost you the business!
Security Architecture
• Framework unifies reusable services and processes to implement policy standards and risk management decisions.
• Strategic framework that allows the development and operations staff to align efforts
Security Architecture
• Policies
• Standards
• Guidelines
• Baselines
• Procedures
Protection Controls
• Directive Controls
• Preventative Controls
• Detective Controls
• Corrective Controls
• Recovery Controls
• Deterrent Controls
• Compensating Controls
Risk Management
• Identifying and mitigating risks
• What is risk?
  – Risk = Threat * Vulnerability
• Mitigation can take three forms:
  – Accept the risk
  – Mitigate the risk
  – Transfer the risk
• Residual Risk
Operations Security
• Processes and controls placed around your operations.
• Assures Confidentiality/Integrity
• Can help assure availability
• Provides mitigation for incidents
• Includes HR processes (background checks)!
Audits
• Only good way to find out if controls are working as designed
• Internal vs. External
• Legal requirements
Legal, Regulations, Compliance and Investigations
• We are in the “Regulation Age”
• There are certain legal requirements and regulations which apply to many businesses
  – HIPAA, SOX, GLBA, FERPA, HEA, PCI DSS, PATRIOT Act, more!
• Compliance with these requirements and regulations is not optional
• Passing audits is necessary. Understanding the requirements and compliance is now imperative
Investigations
• Log analysis
• Network analysis
• Digital Forensics
• Evidence handling
• eDiscovery
Cryptography
• Understanding how and when cryptography is used is not optional
• Encrypting data is required for eCommerce
• Sending certain types of data must be done securely, and only cryptography is the solution.
• Implementing it correctly is essential
• Many poor implementations have resulted in breaches
Cryptography
• PKI – provides for nonrepudiation
  – Sending party later cannot deny they sent it*
  • *can you think of an exception?
• Symmetric key management
• Asymmetric (PKI) management
Wow!
• Does this mean a Security Analyst has to master all these areas?
• Very few security professionals are experts in more than 2 or 3 bodies of knowledge
• However, they need to understand all 10 bodies of knowledge and be as proficient as possible in as many as their organization needs
  – (some exceptions apply, like man hours available!)
Summary
• Information Assurance is a very broad field
• No one person is an expert in all areas
  – Specialists – Work together!
• It is rapidly growing and there is a growing demand for professionals
• It is also never boring (maybe tedious at times, but never boring)
Questions?
• If time permits, we’ll look at an Attack
RSA Attack
• March 2011, RSA had a data breach
  – Attacker stole information which affected some 40 million two-factor authentication tokens
  – Devices are used in private industry and government agencies
  – Produces a 6 digit number every 60 seconds.
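To show what "a 6 digit number every 60 seconds" means and why stolen token data is so damaging, here is an added example (not from the presentation, and not RSA's own proprietary SecurID algorithm) using the open RFC 6238 TOTP construction with a 60-second step: the code depends only on a per-token secret seed and the clock, so whoever holds the seed can compute the same codes the token shows. The seed and timestamp below are constructed.

```python
"""RFC 6238 time-based one-time code with a 60-second step and 6 digits."""
import hashlib
import hmac
import struct

# Constructed demo seed: a real token's seed is provisioned by the vendor and never displayed.
DEMO_SEED = b"0123456789abcdef0123"
STEP_SECONDS = 60
DIGITS = 6

def totp(seed, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """Derive the code for the time window containing unix_time (HMAC-SHA1, RFC 6238)."""
    counter = unix_time // step                       # same window -> same counter -> same code
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation from RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def verify(seed, submitted, unix_time, skew=1):
    """Server-side check that tolerates +/- `skew` windows of clock drift."""
    return any(hmac.compare_digest(totp(seed, unix_time + k * STEP_SECONDS), submitted)
               for k in range(-skew, skew + 1))

if __name__ == "__main__":
    now = 1299052800                                  # constructed timestamp (March 2011)
    print("token shows:", totp(DEMO_SEED, now))
    print("server accepts:", verify(DEMO_SEED, totp(DEMO_SEED, now), now + 45))
```

The first check in the test uses the published RFC 6238 test vector (seed "12345678901234567890", 30-second step, 8 digits) so the implementation can be trusted before the 60-second variant is read.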
RSA Attack Analysis
• An Advanced Persistent Threat (APT)
  – A structured (advanced), targeted attack (persistent), intent on gaining information (threat)
RSA Background
• RSA is a security company that employs a great number of security devices to prevent such a data breach
• Methods used bypassed many of the controls that would otherwise have prevented a direct attack
Attacker Initial Steps
• Attackers acquired valid email addresses of a small group of employees.
• If the attackers did a full spam to all possible addresses, it gives them away and prevention/detection by RSA is much easier.
Phishing Emails
• Two different phishing emails sent over a two-day period.
• Sent to two small groups of employees, not particularly high profile or high value targets.
• Subject line read: 2011 Recruitment Plan
• SPAM filtering DID catch it but put it in the Junk folder
Employee Mistake
• One employee retrieved the email from the Junk mail folder
• Email contained an Excel spreadsheet entitled: 2001 Recruitment Plan.xls
• Spreadsheet contained a zero-day exploit through Adobe Flash (since patched).
  – Installed a backdoor program to allow access.
Remote Administration Tool (RAT)
• Attackers chose to use the Poison Ivy RAT.
  – Very tiny footprint
  – Gives attacker complete control over the system
  – Set in reverse-connect mode. System reaches out to get commands. Fairly standard method of getting through firewalls/IPS
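A reverse-connect RAT that "reaches out to get commands" leaves a detectable trace: the same workstation contacting the same outside host on a near-fixed timer. The following added example (not from the presentation) runs a simple beacon check over constructed proxy log lines: it groups connections by source/destination pair and flags pairs whose inter-connection gaps are nearly constant. The log format, host names and thresholds are assumptions for the example.

```python
"""Flag beacon-like outbound connections in proxy logs (constructed sample data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: timestamp, source host, destination host.
# ws-17 polls one external host about every 60 s (RAT-like); ws-22 browses normally.
SAMPLE_LOG = """\
2011-03-02T09:00:00 ws-17 203.0.113.10
2011-03-02T09:00:05 ws-22 example.org
2011-03-02T09:01:01 ws-17 203.0.113.10
2011-03-02T09:01:40 ws-22 example.net
2011-03-02T09:02:00 ws-17 203.0.113.10
2011-03-02T09:02:59 ws-17 203.0.113.10
2011-03-02T09:03:12 ws-22 example.org
2011-03-02T09:04:00 ws-17 203.0.113.10
2011-03-02T09:05:01 ws-17 203.0.113.10
2011-03-02T09:07:45 ws-22 example.org
2011-03-02T09:09:30 ws-22 example.net
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    conns = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns

def find_beacons(text, min_hits=5, max_jitter=0.10):
    """Return {(src, dst): average period in seconds} for pairs that look like beacons.

    jitter = stddev / mean of the gaps between successive connections; a tool polling
    on a fixed timer gives a small value, a person browsing does not.
    """
    beacons = {}
    for pair, times in parse_log(text).items():
        if len(times) < min_hits:            # too few connections to judge periodicity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            beacons[pair] = round(avg, 1)
    return beacons

if __name__ == "__main__":
    for (src, dst), period in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every ~{period}s")
```

Real tooling would add jitter tolerance for RATs that randomize their sleep interval and whitelist known polling services (update checks, mail clients) before raising an alert.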
Digital Shoulder-Surfing
• Next the attackers just sat back and digitally listened to what was going on with the system
• The initial system/user didn’t have adequate access for their needs so they needed to take a step to another system to go further.
Harvesting
• Initial platform wasn’t adequate, so attackers harvested credentials (user, domain admin, service accounts)
• Next, performed privilege escalation on non-admin users on other targeted systems. Goal: gain access to high value systems/targets.
The Race
• During the stepping from system to system, security controls detected an attack in progress. The race was now on.
• Attacker had to move very quickly during this phase of finding a valuable target.
Data Gathering
• Attacker established access at staging servers at key aggregation points to retrieve data.
• As they visited servers of interest, data was copied to staging servers.
• Staging servers aggregated, compressed, encrypted and then FTP’d the data out.
Receiving Host
• Target receiving data was a compromised host at an external hosting provider.
• Attacker then removed the files from the external compromised host to remove traces of the attack.
• This also hid the attacker’s true identity/location.
Lessons Learned
• Weakest link: A human
• Layered Security: Not adequate to prevent
• Upside: Able to implement new security controls that to this point were considered too restrictive.
Karl’s Changes
• What follows would be the changes I’d make at RSA.
• Note, they are a commercial company and do not have the open requirements higher education has. Two different beasts.
• If I were to implement these, very likely I’d be doing a different job…
Changes
• Traffic shaping both ways. (Firewall port blocking isn’t enough)
• Block all but specific protocols
• IDS/IPS on all those protocols
• Aggressive use of DMZ: Isolate systems
• Isolate workstations from one another
• Clean Access Solutions on all systems
Biggest Change
• Mandatory Monthly Security Awareness training for everyone.
• (breaking it into monthly modules makes it tolerable)
• Needs to be interesting/fun, Door prizes, etc.
RSA Attack: Credits
• http://www.satorys.com/rsa-attack-analysis-lessons-learned/