
IA Summer School –Practice

Willis Marti

June 2006

Agenda

• Tuesday – Lecture

• Wednesday – Guest plus Hands-on

• Thursday – Hands-on

• Bibliography

Tuesday Agenda

• Ethics & Overview of ‘Practice’

• Forensics & Legal Issues

• Vulnerabilities

• Threats, Protection & Mitigation

• Incident Response

Wednesday Agenda

• Dr. Dave McIntyre, ICHS

• Lions, Tigers, Bears and Rootkits

• Encryption Tools

• Log Analysis

Thursday Agenda

• Port Scanning

• Packet Analysis

• Attack Scripts

• Intrusion Detection & Prevention

Ethics & Overview

• Ethics is a general term for what is often described as the “science (study) of morality”. In philosophy, ethical behavior is that which is “good” or “right.”

• A set of moral principles or values

• Keys:

– More than one way!

– A way to judge behavior

More than One System

• Understand your environment

– Laws

– Regulation

– Custom

• Understand your users

– Globalization is real

– Backgrounds can’t be assumed

What are Ethics?

• According to the Webster Dictionary, ethics is the system or code of morals of a particular person, religion, group or profession.

• Ethics are subject to personal interpretation. Two people may not view the same ethical issue the same way.

What are Ethics? (continued)

• Individuals can choose if they wish to follow the ethical guideline or not.

• Ethical issues are not legal issues.

• Legal issues have documented definitions (laws) and specific consequences if the laws are broken.

• Ethical issues are guidelines set by a specific group of people with no real documented definitions of what is right and what is wrong.

Three Ethical Decision Theories

1. Utilitarianism Theory

Considers the ethical issue and its relationship to individuals

Makes a decision based on what benefits the most people

"The greater good of the most people".

Utilitarianism Example: An 8:00 am class has 10 students in it. Nine of those students and the Teaching Assistant (TA) all live in Friley Hall, which is on one side of campus, while one student lives in Hawthorn Court, on the other side of campus. The TA decides to move the lecture to Pearson Hall instead of Lagomarcino Hall, as Pearson is much closer to the ten individuals' dorm than the one individual's dorm. This benefits 10 people and inconveniences one person, thus more people are benefited than not.

Three Ethical Decision Theories (cont.)

2. Pluralism Theory

Believes there are two options in an ethical issue, right and wrong decisions

Pluralism stresses each person has a decision-making duty, must make ethical decisions based on that duty, and never break away from the decision-making duty.

All decisions are clear-cut, black and white

Pluralism Example: No one should ever lie. Your best friend recently was picked up for OWI. Ten minutes before the arrest you were in the vehicle and knew your friend was intoxicated. The police have asked about your whereabouts during this time and if you could attest to your friend's intoxicated state. You have to make a decision to lie or tell the truth. You decide to tell the truth because you have a duty to always tell the truth.

Three Ethical Decision Theories (cont.)

3. Rights-based Theory

All people have rights, and those rights must be respected

Decisions are based on respecting individual rights

All decisions are clear-cut, black and white

Rights-based Example:

You are a network administrator with access to many email accounts. The temptation to read personal email is strong. However, you know you should never read a person’s email because it violates a person’s rights to privacy, and resist the temptation.

Ethical Issues Related to Computers

• Fraud

• Program Ownership

• Privacy

Academic Controversy Questions

• What can be done to eliminate the ethical question?

• What is the ethical question in this scenario?

• Justify why the person's actions are right or wrong

• What do you think the right thing is to do? What would you do in this situation?

• What is the individual’s questionable behavior?

• What different views could there be concerning this ethical question?

Novice Academic Controversy #1

Josh is an employee at HOW Programs, a programming company that specializes in writing customized software for large corporations.

Josh's boss, Jo Ann, asked him to write a program enabling ABC Wood Company to analyze their sales and predict what supplies the company should stock up on to maintain a proper inventory.

After sitting down with the ABC Wood Company representatives to get an idea of what they wanted for the program, Josh realized there were commercial software packages that would do bits and pieces of what he wanted to write in his program.

Josh felt he could take a few shortcuts, thus getting the program to ABC sooner if he took the program already written and incorporated it into his program code.

By completing such a large project a few days earlier, Josh received a bonus and promotions.

Were Josh's actions ethical?

Novice Academic Controversy #2

Three years later, Caroline began working at HOW Programs.

She was given a project that required her to write a program that would evaluate inventory and determine the rate of production needed so that inventory would not get too high or too low.

After doing some research on the project, Caroline found a program Josh wrote for the ABC Wood Company.

Caroline realized Josh's project was similar. She decided that a combination of the same basic ideas behind Josh's program and some new program code would work well in her program.

Caroline used pieces of Josh's program as she wrote the remainder of the program. Caroline received a bonus and a promotion because of the program.

Were Caroline's actions ethical?

Bottom Line

• There are standards.

• There are punishments (sanctions).

• It’s not how the user views the ethics/legality of a situation, it’s how your environment views it.

Forensics & Legal Issues

(Computer) Forensics is the use of specialized techniques for recovery, authentication, and analysis of electronic data when a case involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data and computer usage.

Forensic Subjects

• Computer Crime

• Basic Forensics

• A Few Technology Issues

• Legal Challenges

• Search and Seizure of Computers

• Collection of Evidence from a “Live” System

• Forensic Imaging and Verification

• Data Recovery and Analysis

• Encryption

• Real World

Computer Crime

• What is a computer crime?

• Types of evidence

• Why collect evidence

• The rules of evidence (next slide!)

• Locard’s Exchange Principle

• Why is computer forensics necessary?

• Computer Forensics as part of an Incident Response Plan

Differing Standards

• Criminal – 95%+

• Civil – 51%

• Administrative – 25% ?

• Sysadmin – ???

Basic Forensics

• The forensics objective

• The principles of evidential integrity and continuity

• Chain of Custody

• Computer Forensics Methodology

• General Evidence Processing Guidelines and Procedures
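The two principles named on this slide, evidential integrity and continuity, are what a chain-of-custody record has to demonstrate. The following is an added example (not from the slides): a hash taken at acquisition serves as the integrity reference, and an append-only log records every hand-off with the hash the handler observed, so a later alteration is attributed to the hand-off at which it first appeared. The image bytes, handler names and timestamps are constructed for the example.

```python
# Added example (not from the slides): evidential integrity and continuity for
# an acquired image, using a hash recorded at acquisition and an append-only
# chain-of-custody log. Image bytes, handlers and timestamps are constructed.
import hashlib
from datetime import datetime, timezone

def image_hash(data):
    """Verification hash of an image; recorded once, at acquisition."""
    return hashlib.sha256(data).hexdigest()

class CustodyLog:
    """Append-only record of each hand-off: who, when, and the hash they observed.

    Integrity: every observed hash must equal the acquisition hash.
    Continuity: entries must be in time order, so the record accounts for the
    evidence at every moment after seizure.
    """

    def __init__(self, evidence_id, data, handler, when):
        self.evidence_id = evidence_id
        self.baseline = image_hash(data)   # reference hash taken at acquisition
        self.entries = []
        self.record("acquisition", handler, data, when)

    def record(self, action, handler, data, when):
        observed = image_hash(data)
        entry = {
            "action": action,
            "handler": handler,
            "when": when,
            "hash": observed,
            "intact": observed == self.baseline,   # integrity check at every hand-off
        }
        self.entries.append(entry)
        return entry

    def integrity_ok(self):
        """True only if every observed hash matches the acquisition hash."""
        return all(e["intact"] for e in self.entries)

    def continuity_ok(self):
        """True only if the log is in chronological order."""
        times = [e["when"] for e in self.entries]
        return all(a <= b for a, b in zip(times, times[1:]))

    def first_break(self):
        """(handler, action) of the first hand-off where the hash stopped matching."""
        for e in self.entries:
            if not e["intact"]:
                return e["handler"], e["action"]
        return None

# Constructed evidence standing in for an acquired image, and a copy altered later.
IMAGE = b"MBR\x55\xaa" + b"\x00" * 512 + b"user data: meeting notes 2006-06-13"
TAMPERED = IMAGE[:-4] + b"2005"

def demo():
    """Acquire, transfer intact, then receive an altered copy at analysis."""
    t0 = datetime(2006, 6, 13, 9, 0, tzinfo=timezone.utc)
    log = CustodyLog("EV-2006-001", IMAGE, "examiner-1", t0)
    log.record("transfer to lab", "examiner-2", IMAGE, t0.replace(hour=11))
    clean_after_transfer = log.integrity_ok()
    log.record("analysis", "analyst-3", TAMPERED, t0.replace(hour=14))
    return clean_after_transfer, log.integrity_ok(), log.continuity_ok(), log.first_break()

if __name__ == "__main__":
    print(demo())   # (True, False, True, ('analyst-3', 'analysis'))
```

The log never overwrites an entry; a mismatch is recorded, not corrected, which is what lets an examiner say exactly where continuity of the evidence was lost.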

A Few Technology Issues

• Types of storage

• Hard disks

• Review of disk geometry

• Tables and file structure

• Sectors and clusters

• File storage

• Unallocated File Space

• Spool, Temporary, and Swap Files

• Floppy disks

• Allocated vs. Unallocated space

• Deleted files, File Slack

• Computer memory and RAM Slack

• BIOS control

• Device drivers

• Initialization files

• The Boot sequence

• General overview of Networks

Search and Seizure of Computers

• Preparing a Forensic Checklist

• To seize or not to seize

• How to handle a “live” computer

• Understanding the boot sequence for forensic control

• What to seize and where to look

• Photographing and recording equipment layout

• Bagging, tagging and removing equipment

• Storage of seized equipment

Collection of Evidence from a “Live” System

• Build Forensic Response Toolkit

• Trusted Source Files

• Built-in Operating System Utilities

• Specialized Windows tools

• Analysis of Data

• Log Analysis and Correlation

• File Access Times

• Abnormal Processes

• Reviewing Relevant Files

• Unusual or Hidden Files

Data Recovery and Analysis

• Overview of analysis software

• Demonstration of analysis techniques

• Keyword searching

• Graphic searching

• Producing, viewing, and sorting file listings

• Extracting files

• Undeleting files

• Investigating floppy disks

• Use the Forensics Toolkit

Vulnerabilities

• People are our biggest vulnerability.

• People are unavoidable.

Unwarranted Trust

– Address spoofing

– Viruses & worms

– Denial of service attacks

– Packet sniffing

– Password cracking

Everything’s Vulnerable

– Design Vulnerabilities

– Implementation Vulnerabilities

– Configuration Vulnerabilities

– Resource Vulnerabilities

– User Vulnerabilities

– Business Process Vulnerabilities

Why Vulnerabilities

• Engineers assume things should work.

• Rarely does anyone consider deliberate deception.

• Programs and people that lie can gain advantage.

Vulnerability Management

• Process to identify and remediate vulnerabilities in the enterprise to reduce risk posture

• Processes

– Asset Classification

– Incident, Vulnerability & Threat Handling

• Incident Categorization, Assessment, Response

• Vulnerability & Threat Identification and Response

– Enterprise Remediation

• Threat/Vulnerability Prioritization, Accountability, etc.

• Remediation Tracking

– Metrics

How to Manage

(Diagram: Security Program Value, built up from the following layers)

• Security Infrastructure: Assess, Plan, Implement

• Security Staff: Expertise, Experience

• Security Processes: Threat, Vuln, IAM, NAC

• Security Metrics

Active Management

• “Discovery Scans”

– Frequent Scans to Baseline and Discover Assets

– Identify & Classify Assets and Enforce Policies

• Conduct Vulnerability Scans on Critical Assets

– Automated Recurring Scans

– Shift from Quarterly or Yearly Consultative Scans

• Aggregate, Prioritize and Assign Accountability

• Workflow System to Track Remediation Effort

• Result = Awareness of Critical Assets Exposure

CVE

• http://www.cve.mitre.org/

Threats, Protection & Mitigation

Defining Network Security

Security is prevention of unwanted information transfer

• What are the components?

– Physical Security

– Operational Security

– Human Factors

– Protocols

Areas for Protection

• Privacy

• Data Integrity

• Authentication/Access Control

• Denial of Service

Security

Threat, Value and Cost Tradeoffs

• Identify the Threats

• Set a Value on Information

• Add up the Costs (to secure)

Cost < Value * Threat * Likelihood

Threats

• Hackers/Crackers (“Joyriders”)

• Criminals (Thieves)

• Rogue Programs (Viruses, Worms)

• Internal Personnel

• System Failures

Network Threats

• IP Address spoofing attacks

• TCP SYN Flood attacks

• Random port scanning of internal systems

• Snooping of network traffic

• Buffer overrun attacks

Network Threats (cont.)

• Backdoor command attacks

• Information leakage attacks via finger, echo, ping, and traceroute commands

• Attacks via download of Java and ActiveX scripts

• TCP Protocol Attacks

Threat, Value and Cost Tradeoffs

• Operations Security

• Host Security

• Firewalls

• Cryptography: Encryption/Authentication

• Monitoring/Audit Trails

Host Security

• Security versus Performance & Functionality

• Unix/Linux, Microsoft Windows, MVS, etc

• Desktops vs Servers

• “Security Through Obscurity”

Host Security (cont)

• Programs

• Configuration

• Regression Testing

Network Security

• Traffic Control

• Not a replacement for Host-based mechanisms

• Firewalls and Monitoring, Encryption

• Choke Points & Performance

• IDS/IPS

– NetSQUID

Access Control

• Host-based:

– Passwords, etc.

– Directory Rights

– Access Control Lists

– Superusers

• Network-based:

– Address Based

– Filters

– Encryption

– Path Selection

Network Security and Privacy

• Protecting data from being read by unauthorized persons.

• Preventing unauthorized persons from inserting and deleting messages.

• Verifying the sender of each message.

• Allowing electronic signatures on documents.

FIREWALLS

• Prevent against (many) attacks

• Access Control

• Authentication

• Logging

• Notifications

Types of Firewalls

• Packet Filters – Network Layer

• Stateful Packet Filters – Network Level

• Circuit-Level Gateways – Session Level

• Application Gateways – Application Level

(Diagram: OSI layer stack – Application, Presentation, Session, Transport, Network, Data Link, Physical)
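The first two firewall types on this slide differ in one thing: whether the filter remembers earlier packets. The following is an added example (not from the slides) that models both against the same policy, inside hosts may open web connections outward and only the replies may come back, and runs a constructed packet sequence through each. The addresses, ports and the 10.0.0.0/8 internal network are assumptions of the example.

```python
# Added example (not from the slides): a stateless packet filter beside a
# stateful one, under the same policy. Packets, addresses and the internal
# network are constructed.
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # assumed internal network

def inside(addr):
    return ipaddress.ip_address(addr) in INSIDE

def packet(src, sport, dst, dport, *flags):
    """Minimal TCP packet model: addresses, ports and a set of flag names."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}

def stateless_filter(pkt):
    """Network-layer packet filter: judges each packet on its own headers.

    It cannot know whether an inbound packet answers a real connection, so the
    usual rule accepts anything from source port 80 with ACK set. A packet
    crafted to look like a reply passes even when no connection exists.
    """
    if inside(pkt["src"]) and not inside(pkt["dst"]) and pkt["dport"] == 80:
        return "ALLOW"
    if (not inside(pkt["src"]) and inside(pkt["dst"])
            and pkt["sport"] == 80 and "ACK" in pkt["flags"]):
        return "ALLOW"
    return "DROP"

class StatefulFilter:
    """Stateful packet filter: remembers connections opened from inside."""

    def __init__(self):
        self.table = set()   # (int_ip, int_port, ext_ip, ext_port) of open connections

    def filter(self, pkt):
        outbound = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        inbound = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if inside(pkt["src"]) and not inside(pkt["dst"]) and pkt["dport"] == 80:
            if "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]:
                self.table.add(outbound)       # a new connection opened from inside
            return "ALLOW" if outbound in self.table else "DROP"
        if inbound in self.table:
            return "ALLOW"                     # reply to a connection we saw open
        return "DROP"                          # unsolicited, whatever its flags claim

def verdicts(packets):
    """Run one packet sequence through both filters; returns (stateless, stateful) pairs."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.filter(p)) for p in packets]

# Constructed traffic: a legitimate web handshake, then an unsolicited "reply".
TRAFFIC = [
    packet("10.0.0.5", 40001, "198.51.100.10", 80, "SYN"),
    packet("198.51.100.10", 80, "10.0.0.5", 40001, "SYN", "ACK"),
    packet("10.0.0.5", 40001, "198.51.100.10", 80, "ACK"),
    packet("203.0.113.9", 80, "10.0.0.5", 4444, "ACK"),   # no connection behind it
]

if __name__ == "__main__":
    for p, (sl, sf) in zip(TRAFFIC, verdicts(TRAFFIC)):
        print(f'{p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]}  stateless={sl}  stateful={sf}')
```

Only the fourth packet separates the two: the stateless filter has to trust the ACK flag and source port, while the stateful filter drops it because no inside host opened that connection.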

Packet Level

• Sometimes part of router

• TAMU “Drawbridge”

(Diagram: Campus – Router/Drawbridge – ROTW)

Circuit Level

• Dedicated Host

• Socket Interfaces

(Diagram: ROTW – Local FW)

Application Level

• Needs a dedicated host

• Special Software most everywhere

(Diagram: telnet – Firewall – ROTW)

Firewall Installation Issues

(Diagram: INTERNET – Router – DNS, FTP, Web and Mail servers)

Firewall Installation Issues

• DNS Problems

• Web Server

• FTP Server

• Mail Server

• Mobile Users

• Performance

Address Transparency

• Need to make some addresses visible to external hosts.

• Firewall lets external hosts connect as if firewall was not there.

• Firewall still performs authentication

Network Address Translation

(Diagram: internal network 10.0.0.0 – Firewall/Gateway – Internet, external network 128.194.103.0)

Network Address Translation

(Diagram: Host A, the internal host, runs ftp over TCP / IP / Data Link / Hardware; the Gateway Host runs proxy ftp and gw control over the same stack; Host B, the external host, runs ftpd. Datagram A–GW on the internal side, Datagram A–B across the INTERNET.)
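The two NAT diagrams and the Address Transparency slide describe one mechanism: the gateway rewrites the datagram Host A sends so that Host B only ever sees the gateway's address, keeps a mapping so B's reply can be sent back to A, and can also publish one internal service so external hosts reach it as if the gateway were not there. The following is an added example (not from the slides) of that gateway. The gateway address 128.194.103.1 is assumed to be its address on the 128.194.103.0 network shown in the diagram; the hosts, ports and payloads are constructed.

```python
# Added example (not from the slides): a minimal NAT gateway with dynamic
# outbound mappings and one published (transparent) inbound service. The
# gateway's external address, hosts, ports and payloads are constructed.
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal network

class NatGateway:
    def __init__(self, external_ip="128.194.103.1", first_port=40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.out_map = {}   # (int_ip, int_port, ext_ip, ext_port) -> translated port
        self.in_map = {}    # translated port -> (int_ip, int_port, peer_ip, peer_port)

    def outbound(self, pkt):
        """Datagram from A leaves with the gateway as its source; A's address is hidden."""
        if ipaddress.ip_address(pkt["src"]) not in INTERNAL:
            return None                      # only internal hosts are translated
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.out_map:
            port = self.next_port            # allocate a fresh external port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return {**pkt, "src": self.external_ip, "sport": self.out_map[key]}

    def publish(self, ext_port, int_ip, int_port):
        """Address transparency: one internal service reachable from outside,
        as if the gateway were not there; the peer is not restricted."""
        self.in_map[ext_port] = (int_ip, int_port, None, None)

    def inbound(self, pkt):
        """Map a datagram for the gateway's address back to the internal host, or drop it."""
        key = self.in_map.get(pkt["dport"])
        if key is None:
            return None                      # nothing inside asked for this: drop
        int_ip, int_port, peer_ip, peer_port = key
        if peer_ip is not None and (pkt["src"], pkt["sport"]) != (peer_ip, peer_port):
            return None                      # dynamic mapping, but a different peer: drop
        return {**pkt, "dst": int_ip, "dport": int_port}

def demo():
    gw = NatGateway()
    gw.publish(80, "10.0.0.80", 8080)        # the one service made visible outside

    a_to_b = {"src": "10.0.0.7", "sport": 5000, "dst": "192.0.2.21", "dport": 21, "payload": b"USER anon"}
    on_wire = gw.outbound(a_to_b)            # what Host B actually sees
    reply = {"src": "192.0.2.21", "sport": 21, "dst": on_wire["src"], "dport": on_wire["sport"], "payload": b"331"}
    delivered = gw.inbound(reply)            # back to Host A
    stray = gw.inbound({"src": "203.0.113.9", "sport": 21, "dst": gw.external_ip,
                        "dport": on_wire["sport"], "payload": b"x"})
    web = gw.inbound({"src": "203.0.113.9", "sport": 50000, "dst": gw.external_ip,
                      "dport": 80, "payload": b"GET /"})
    return on_wire, delivered, stray, web

if __name__ == "__main__":
    for name, pkt in zip(("on_wire", "delivered", "stray", "web"), demo()):
        print(name, pkt)
```

The internal address 10.0.0.7 never appears on the Internet side; the reply is accepted only from the peer A talked to, and the published port is the single deliberate exception to that rule, which is why the slide says the firewall still performs authentication there.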

Virtual Private Networks

(Diagram: a “Hello” message leaves the sending host, is Encapsulated, Authenticated and Encrypted, crosses the network as unreadable data (“!@@%*”), and is then Decapsulated, Authenticated and Decrypted, arriving as “Hello” at the receiver)

Creates a “Virtual Private Network”

VPN Secure Tunnels

• Different types of Tunnels supported

• Encryption

• Secret key used for authentication and encryption

• Trusted hosts are allowed to use the tunnel on both ends
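The following is an added example (not from the slides) of one direction of the tunnel in the diagram: the sender encapsulates the original datagram, private addresses included, then encrypts it and authenticates the result; the receiver decapsulates, authenticates before it decrypts, and drops anything whose tag fails, which matches the receiving-side order shown. The single tunnel secret on the previous slide is split here into separate encryption and authentication keys. As an assumption of this example, the encryption is a keystream derived with HMAC-SHA256 in counter mode, standing in for a real cipher such as AES; the secret, addresses and payload are constructed.

```python
# Added example (not from the slides): one direction of a VPN tunnel with
# encapsulate / encrypt / authenticate on send and decapsulate / authenticate /
# decrypt on receive. The HMAC-SHA256 counter-mode keystream is an assumption
# standing in for a real cipher; secret, addresses and payload are constructed.
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 16
TAG_LEN = 32

def derive_keys(shared_secret):
    """One tunnel secret, split into separate encryption and authentication keys."""
    enc_key = hmac.new(shared_secret, b"tunnel-encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"tunnel-authenticate", hashlib.sha256).digest()
    return enc_key, mac_key

def keystream(enc_key, nonce, length):
    """Counter-mode keystream: block i = HMAC(enc_key, nonce || i)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def encapsulate(inner_src, inner_dst, payload):
    """Wrap the original datagram, private addresses included, as opaque data."""
    return f"{inner_src}>{inner_dst}|".encode() + payload

def decapsulate(inner):
    header, payload = inner.split(b"|", 1)
    src, dst = header.decode().split(">")
    return src, dst, payload

def tunnel_send(shared_secret, inner_src, inner_dst, payload):
    """Sender: encapsulate, encrypt, then authenticate nonce and ciphertext."""
    enc_key, mac_key = derive_keys(shared_secret)
    inner = encapsulate(inner_src, inner_dst, payload)
    nonce = secrets.token_bytes(NONCE_LEN)            # fresh for every datagram
    ciphertext = xor(inner, keystream(enc_key, nonce, len(inner)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def tunnel_receive(shared_secret, outer):
    """Receiver: authenticate before decrypting; any forgery raises and is dropped."""
    enc_key, mac_key = derive_keys(shared_secret)
    if len(outer) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated tunnel datagram")
    nonce, ciphertext, tag = outer[:NONCE_LEN], outer[NONCE_LEN:-TAG_LEN], outer[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):       # constant-time comparison
        raise ValueError("authentication failed: datagram dropped")
    inner = xor(ciphertext, keystream(enc_key, nonce, len(ciphertext)))
    return decapsulate(inner)

SECRET = b"constructed shared secret for this example"

def accepted(send_secret, recv_secret, payload=b"Hello"):
    """True if a datagram sealed under send_secret is accepted under recv_secret."""
    try:
        tunnel_receive(recv_secret, tunnel_send(send_secret, "10.0.0.5", "10.1.0.9", payload))
        return True
    except ValueError:
        return False

def demo():
    """Round trip, a one-bit modification in transit, and whether 'Hello' is visible on the wire."""
    outer = tunnel_send(SECRET, "10.0.0.5", "10.1.0.9", b"Hello")
    delivered = tunnel_receive(SECRET, outer)
    flipped = outer[:NONCE_LEN] + bytes([outer[NONCE_LEN] ^ 0x01]) + outer[NONCE_LEN + 1:]
    try:
        tunnel_receive(SECRET, flipped)
        rejected = False
    except ValueError:
        rejected = True
    return delivered, rejected, b"Hello" not in outer

if __name__ == "__main__":
    print(demo())   # (('10.0.0.5', '10.1.0.9', b'Hello'), True, True)
```

Checking the tag before decrypting means a datagram from a host that does not hold the tunnel secret is discarded without any of its contents being interpreted, which is how "trusted hosts are allowed to use the tunnel on both ends" is enforced.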

Summary

• Security must be comprehensive to be effective.

• Remember threat, value, cost when implementing a system.

• Security is achievable, but never 100%.

• Make your system fault tolerant.

NIST Security Mandates

• Develop standards and guidelines for the Federal government

• Improve the overall security of IT products and services

• Make the national infrastructures more secure

NIST Security Guidelines

• 800-27, Engineering Principles for IT Security

• 800-28, Mobile Code and Active Content

• 800-29, A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2

• 800-30, Risk Management Guide for Information Technology Systems

• 800-31, Intrusion Detection Systems

• 800-32, Intro to Public Key Technology and Federal PKI Infrastructure

• 800-33, Underlying Technical Models for Information Technology Security

• 800-34, Contingency Planning Guide for Information Technology System

• 800-38A, Recommendation for Block Cipher Modes of Operation - Methods and Techniques

• 800-41, Guidelines on Firewalls and Firewall Policy

• 800-44, Guidelines on Securing Public Web Servers

• 800-45, Guidelines on Electronic Mail Security

• 800-46, Security for Telecommuting and Broadband Communications

• 800-47, Security Guide for Interconnecting Information Technology Systems

• 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme

Available at http://csrc.nist.gov/publications/nistpubs/index.html

NIST Security Guidelines in Draft (Available now)

• 800-37, Guidelines for the Security Certification and Accreditation (C&A) of Federal Information Technology Systems

• 800-55, Security Metrics Guide for Information Technology Systems

• 800-38B, Recommendation for Block Cipher Modes of Operation: the RMAC Authentication Mode

• 800-36, Guide to Selecting IT Security Products

• 800-35, Guide to IT Security Services

• 800-4A, Security Considerations in Federal Information Technology Procurements

• 800-48, Wireless Network Security: 802.11, Bluetooth, and Handheld Devices

• 800-50, Building an Information Technology Security Awareness and Training Program

• 800-43, System Administration Guidance for Windows 2000 Professional

• Draft 800-42, Guideline on Network Security Testing

Available at http://csrc.nist.gov/publications/drafts.html

Incident Response

• Provide an effective and efficient means of dealing with the situation in a manner that reduces the potential impact to the organization.

• Provide management with sufficient information in order to decide on an appropriate course of action.

• Maintain or restore business continuity.

• Defend against future attacks.

• Deter attacks through investigation and prosecution.

Incident Response – Why is it Critical?

• Resolve the problem

– Find out what happened

– How it happened

– Who did it

• Create a record of the incident for later use

• Create a record to observe trends

• Create a record to improve processes

• Avoid confusion

Elements of Incident Response

• Preparation

• Identification

• Containment

• Eradication

• Recovery

• Follow-up

Preparation

Without adequate preparation, it is extremely likely that response efforts to an incident will be disorganized and that there will be considerable confusion among personnel. Preparation limits the potential for damage by ensuring response actions are known and coordinated.

Identification

The process of determining whether or not an incident has occurred and the nature of an incident. Identification may occur through the use of automated network intrusion equipment or by a user or SA.

Identification is a difficult process. Noticing the symptoms of an incident is often difficult. There are many false positives. However, noticing an anomaly should drive the observer to investigate further.

Who can identify an Incident

• Users – My system is slow, my mail is missing, my files have changed

• System support personnel – servers locked up, files missing, accounts added/deleted, weird stuff happening, anomalies in the logs

• Intrusion Detection Systems and Firewalls – Automatically ID violations to policies

Possible Incident Classifications

• Unauthorized Privileged (root) Access – Access gained to a system and the use of root privileges without authorization.

• Unauthorized Limited (user) Access – Access gained to a system and the use of user privileges without authorization.

• Unauthorized Unsuccessful Attempted Access – Repeated attempt to gain access as root or user on the same host, service, or system with a certain number of connections from the same source.
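The third classification is defined by a count: repeated attempts against the same host or service from one source. The following is an added example (not from the slides) of the identification step for that class, run over constructed authentication log lines in the style of an sshd log. It counts failures per source inside a sliding time window, reports sources that reach the threshold, and, as a further step beyond the slide's definition, raises a source that then succeeds to the corresponding "access gained" class as a candidate for the investigator to confirm. The threshold and window are assumed policy values, not figures from the slides.

```python
# Added example (not from the slides): identifying "Unauthorized Unsuccessful
# Attempted Access" from auth log lines by counting failures per source in a
# sliding window, and escalating a later success from the same source. Log
# lines are constructed; threshold and window are assumed policy values.
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

CLASSES = {
    "fail": "Unauthorized Unsuccessful Attempted Access",
    "root": "Unauthorized Privileged (root) Access",
    "user": "Unauthorized Limited (user) Access",
}

def parse(lines, year=2006):
    """Return (timestamp, result, user, source) for each matching line; others are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events

def repeated_failures(events, threshold=5, window_seconds=60):
    """Sources whose failures reach the threshold inside some window; value is the peak count."""
    by_src = defaultdict(list)
    for ts, result, _user, src in events:
        if result == "Failed":
            by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):           # sliding window over sorted times
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged

def classify(lines, threshold=5, window_seconds=60):
    """Map each flagged source to a candidate incident class from the slides."""
    events = parse(lines)
    flagged = repeated_failures(events, threshold, window_seconds)
    report = {src: CLASSES["fail"] for src in flagged}
    for _ts, result, user, src in events:
        if result == "Accepted" and src in flagged:
            # success from a source that failed repeatedly: treat as the higher
            # class until an investigator confirms it was authorized
            report[src] = CLASSES["root"] if user == "root" else CLASSES["user"]
    return report

# Constructed log lines in sshd style: one burst from outside, one ordinary typo inside.
LOG = """\
Jun 13 10:01:02 host1 sshd[2201]: Failed password for root from 203.0.113.9 port 50511 ssh2
Jun 13 10:01:05 host1 sshd[2203]: Failed password for root from 203.0.113.9 port 50512 ssh2
Jun 13 10:01:09 host1 sshd[2205]: Failed password for invalid user admin from 203.0.113.9 port 50513 ssh2
Jun 13 10:01:14 host1 sshd[2207]: Failed password for root from 203.0.113.9 port 50514 ssh2
Jun 13 10:01:20 host1 sshd[2209]: Failed password for root from 203.0.113.9 port 50515 ssh2
Jun 13 10:01:31 host1 sshd[2211]: Accepted password for root from 203.0.113.9 port 50516 ssh2
Jun 13 10:02:40 host1 sshd[2230]: Failed password for alice from 10.0.0.5 port 41000 ssh2
Jun 13 10:02:55 host1 sshd[2232]: Accepted password for alice from 10.0.0.5 port 41001 ssh2
Jun 13 10:03:00 host1 sshd[2240]: Connection closed by 10.0.0.5
""".splitlines()

if __name__ == "__main__":
    print(repeated_failures(parse(LOG)))   # {'203.0.113.9': 5}
    print(classify(LOG))                   # {'203.0.113.9': 'Unauthorized Privileged (root) Access'}
```

A single failed login from 10.0.0.5 never reaches the threshold, which is the false-positive control the Identification slide asks for; the burst from 203.0.113.9 does, and the root login that follows it is what turns a probe into something that has to be handled as a compromise until shown otherwise.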

Possible Incident Classifications (cont.)

• Unauthorized Probe – Any attempt to gather information about a system or user on-line by scanning a site and accessing ports through operating system vulnerabilities.

• Poor Security Practices – Bad passwords, direct privileged logins, etc, which are collected from network monitor systems.

• Denial of Service (DOS) Attacks – Any action that preempts or degrades performance of a system or network affecting the mission, business, or function of an organization.

• Malicious Logic – Self-replicating software that is viral in nature; is disseminated by attaching to or mimicking authorized computer system files; or acts as a trojan horse, worm, malicious scripting, or a logic bomb. Usually hidden and some may replicate. Effects can range from simple monitoring of traffic to complicated automated backdoor with full system rights.

Possible Incident Classifications (cont.)

• Hardware/Software Failure – Non-malicious failure of HW or SW assets.

• Infrastructure Failure – Non-malicious failure of supporting infrastructure to include power failure, natural disasters, forced evacuation, and service providers failure to deliver services.

• Unauthorized Utilization of Services – This can include game play, relaying mail without approval, creating dial-up access, using organizational equipment for personal gain, and personal servers on the network.

Containment

The process of limiting the scope and magnitude of an incident.

As soon as it is recognized that an incident has occurred or is occurring, steps should immediately be taken to contain the incident.

Containment - Example

• Incidents involving malicious code are common, and since malicious code incidents can spread rapidly, massive destruction and compromise of information is possible.

• It is not uncommon to find every workstation connected to a LAN infected when there is a virus outbreak.

– Internet Worm of 1988 attacked 6,000 computers in the U.S. in one day.

– LoveBug Virus affected over 10 million computers with damage estimated between $2.5B-$10B US

– Kournikova worm: effects still being analyzed

Eradication

• The process of removing the cause of the incident.

– For a virus – anti-virus software is best

– For a network, may involve blocking/filtering the IP address at the router/firewall

– Ideally, but difficult, best eradicated by bringing the perpetrators into legal custody and convicting them in a court of law.

Recovery

• The process of restoring a system to its normal operating status

– Unsuccessful incidents – assure system operation and data not affected

– Complex and/or successful incidents – May require complete restoration from known clean system backups. Essential to assure the backups' integrity and to verify the restore operation was successful

Follow-Up

• Critical

• Helps to improve incident handling procedures

• Address efforts to prosecute perpetrators

• Activities Include:

– Analyze the Incident and the Response

– Analyze the Cost of the Incident

– Prepare a Report

– Revise Policies and Procedures

Bibliography

• Materials provided electronically

– NPS CISR class notes for CS3600

– Security White Paper {old}