IA Summer School – Practice. Willis Marti, June 2006
Post on 19-Dec-2015
Tuesday Agenda
• Ethics & Overview of ‘Practice’
• Forensics & Legal Issues
• Vulnerabilities
• Threats, Protection & Mitigation
• Incident Response
Wednesday Agenda
• Dr. Dave McIntyre, ICHS
• Lions, Tigers, Bears and Rootkits
• Encryption Tools
• Log Analysis
Thursday Agenda
• Port Scanning
• Packet Analysis
• Attack Scripts
• Intrusion Detection & Prevention
Ethics & Overview
• Ethics is a general term for what is often described as the “science (study) of morality”. In philosophy, ethical behavior is that which is “good” or “right.”
• A set of moral principles or values
• Keys:
– More than one way!
– A way to judge behavior
More than One System
• Understand your environment
– Laws
– Regulation
– Custom
• Understand your users
– Globalization is real
– Backgrounds can’t be assumed
What are Ethics?
• According to the Webster Dictionary, ethics is the system or code of morals of a particular person, religion, group or profession.
• Ethics are subject to personal interpretation. Two people may not view the same ethical issue the same way.
What are Ethics? (continued)
• Individuals can choose if they wish to follow the ethical guideline or not.
• Ethical issues are not legal issues.
• Legal issues have documented definitions (laws) and specific consequences if the laws are broken.
• Ethical issues are guidelines set by a specific group of people with no real documented definitions of what is right and what is wrong.
Three Ethical Decision Theories
1. Utilitarianism Theory
– Considers the ethical issue and its relationship to individuals
– Makes a decision based on what benefits the most people
– "The greater good of the most people".
Utilitarianism Example: An 8:00 am class has 10 students in it. Nine of those students and the Teaching Assistant (TA) all live in Friley Hall, which is on one side of campus, while one student lives in Hawthorn Court, on the other side of campus. The TA decides to move the lecture to Pearson Hall instead of Lagomarcino Hall, as Pearson is much closer to the ten individuals' dorm than to the one individual's dorm. This benefits 10 people and inconveniences one person, thus more people are benefited than not.
Three Ethical Decision Theories (cont.)
2. Pluralism Theory
– Believes there are two options in an ethical issue, right and wrong decisions
– Pluralism stresses each person has a decision-making duty, must make ethical decisions based on that duty, and never break away from the decision-making duty.
– All decisions are clear-cut, black and white
Pluralism Example: No one should ever lie. Your best friend recently was picked up for OWI. Ten minutes before the arrest you were in the vehicle and knew your friend was intoxicated. The police have asked about your whereabouts during this time and if you could attest to your friend's intoxicated state. You have to make a decision to lie or tell the truth. You decide to tell the truth because you have a duty to always tell the truth.
Three Ethical Decision Theories (cont.)
3. Rights-based Theory
– All people have rights, and those rights must be respected
– Decisions are based on respecting individual rights
– All decisions are clear-cut, black and white
Rights-based Example:
You are a network administrator with access to many email accounts. The temptation to read personal email is strong. However, you know you should never read a person’s email because it violates a person’s rights to privacy, and resist the temptation.
Academic Controversy Questions
• What can be done to eliminate the ethical question?
• What is the ethical question in this scenario?
• Justify why the person's actions are right or wrong
• What do you think the right thing is to do? What would you do in this situation?
• What is the individual’s questionable behavior?
• What different views could there be concerning this ethical question?
Novice Academic Controversy #1
Josh is an employee at HOW Programs, a programming company that specializes in writing customized software for large corporations.
Josh's boss, Jo Ann, asked him to write a program enabling ABC Wood Company to analyze their sales and predict what supplies the company should stock up on to maintain a proper inventory.
After sitting down with the ABC Wood Company representatives to get an idea of what they wanted for the program, Josh realized there were commercial software packages that would do bits and pieces of what he wanted to write in his program.
Josh felt he could take a few shortcuts, thus getting the program to ABC sooner if he took the program already written and incorporated it into his program code.
By completing such a large project a few days earlier, Josh received a bonus and promotions.
Were Josh's actions ethical?
Novice Academic Controversy #2
Three years later, Caroline began working at HOW Programs.
She was given a project that required her to write a program that would evaluate inventory and determine the rate of production needed so that inventory would not get too high or too low.
After doing some research on the project, Caroline found a program Josh wrote for the ABC Wood Company.
Caroline realized Josh's project was similar. She decided that a combination of the same basic ideas behind Josh's program and some new program code would work well in her program.
Caroline used pieces of Josh's program as she wrote the remainder of the program. Caroline received a bonus and a promotion because of the program.
Were Caroline's actions ethical?
Bottom Line
• There are standards.
• There are punishments (sanctions).
• It’s not how the user views the ethics/legality of a situation, it’s how your environment views it.
Forensics & Legal Issues
(Computer) Forensics is the use of specialized techniques for recovery, authentication, and analysis of electronic data when a case involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data and computer usage.
Forensic Subjects
• Computer Crime
• Basic Forensics
• A Few Technology Issues
• Legal Challenges
• Search and Seizure of Computers
• Collection of Evidence from a “Live” System
• Forensic Imaging and Verification
• Data Recovery and Analysis
• Encryption
• Real World
Computer Crime
• What is a computer crime?
• Types of evidence
• Why collect evidence
• The rules of evidence (next slide!)
• Locard’s Exchange Principle
• Why is computer forensics necessary?
• Computer Forensics as part of an Incident Response Plan
Basic Forensics
• The forensics objective
• The principles of evidential integrity and continuity
• Chain of Custody
• Computer Forensics Methodology
• General Evidence Processing Guidelines and Procedures
A Few Technology Issues
• Types of storage
• Hard disks
• Review of disk geometry
• Tables and file structure
• Sectors and clusters
• File storage
• Unallocated File Space
• Spool, Temporary, and Swap Files
• Floppy disks
• Allocated vs. Unallocated space
• Deleted files, File Slack
• Computer memory and RAM Slack
• Bios control
• Device drivers
• Initialization files
• The Boot sequence
• General overview of Networks
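An added example, not from the original slides, that makes the sectors-and-clusters, RAM slack and file slack terms concrete and shows the imaging verification step. It constructs a one-cluster disk image with assumed 512-byte sectors and 4-sector clusters; the "deleted" content is made up.

```python
import hashlib

SECTOR = 512
CLUSTER = 4 * SECTOR   # 2 KiB clusters; sizes are assumptions for the example

def build_image(old_content: bytes, new_file: bytes) -> bytes:
    """Construct a one-cluster disk image. The cluster first held old_content
    (a file that was later deleted); new_file is then written over its start.
    Only the bytes new_file covers are replaced, which is how a file system
    leaves residue behind the logical end of file."""
    cluster = bytearray(old_content.ljust(CLUSTER, b"\x00")[:CLUSTER])
    cluster[: len(new_file)] = new_file
    return bytes(cluster)

def slack_layout(file_size: int) -> dict[str, tuple[int, int]]:
    """Byte ranges [start, end) behind a file that starts at cluster offset 0.
    RAM slack: end of file up to the end of its last sector.
    File slack: the remaining sectors of the last allocated cluster."""
    sectors = -(-file_size // SECTOR)      # ceiling division
    clusters = -(-file_size // CLUSTER)
    return {"ram_slack": (file_size, sectors * SECTOR),
            "file_slack": (sectors * SECTOR, clusters * CLUSTER)}

def carve_slack(image: bytes, file_size: int) -> bytes:
    """Return everything behind the logical file up to the cluster end."""
    layout = slack_layout(file_size)
    return image[layout["ram_slack"][0]: layout["file_slack"][1]]

def verify_image(original: bytes, copy: bytes) -> tuple[bool, str]:
    """Imaging verification: work only on a copy whose SHA-256 matches the
    digest recorded for the original. Returns (match, original digest)."""
    digest = hashlib.sha256(original).hexdigest()
    return hashlib.sha256(copy).hexdigest() == digest, digest

if __name__ == "__main__":
    deleted = b"CONFIDENTIAL: Q2 merger notes, do not distribute. " * 30  # constructed
    current = b"Hello world"                                                # 11-byte file
    image = build_image(deleted, current)
    print(slack_layout(len(current)))
    print(carve_slack(image, len(current))[:40])
    print(verify_image(image, image))
    print(verify_image(image, image[:-1] + b"\xff"))   # tampered working copy
```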
Search and Seizure of Computers
• Preparing a Forensic Checklist
• To seize or not to seize
• How to handle a “live” computer
• Understanding the boot sequence for forensic control
• What to seize and where to look
• Photographing and recording equipment layout
• Bagging, tagging and removing equipment
• Storage of seized equipment
Collection of Evidence from a “Live” System
• Build Forensic Response Toolkit
• Trusted Source Files
• Built-in Operating System Utilities
• Specialized Windows tools
• Analysis of Data
• Log Analysis and Correlation
• File Access Times
• Abnormal Processes
• Reviewing Relevant Files
• Unusual or Hidden Files
Data Recovery and Analysis
• Overview of analysis software
• Demonstration of analysis techniques
• Keyword searching
• Graphic searching
• Producing, viewing, and sorting file listings
• Extracting files
• Undeleting files
• Investigating floppy disks
• Use the Forensics Toolkit
Unwarranted Trust
– Address spoofing
– Viruses & worms
– Denial of service attacks
– Packet sniffing
– Password cracking
Everything’s Vulnerable
– Design Vulnerabilities
– Implementation Vulnerabilities
– Configuration Vulnerabilities
– Resource Vulnerabilities
– User Vulnerabilities
– Business Process Vulnerabilities
Why Vulnerabilities
• Engineers assume things should work.
• Rarely does anyone consider deliberate deception.
• Programs and people that lie can gain advantage.
Vulnerability Management
• Process to identify and remediate vulnerabilities in the enterprise to reduce risk posture
• Processes
– Asset Classification
– Incident, Vulnerability & Threat Handling
• Incident Categorization, Assessment, Response
• Vulnerability & Threat Identification and Response
– Enterprise Remediation
• Threat/Vulnerability Prioritization, Accountability, etc.
• Remediation Tracking
– Metrics
How to Manage
[Figure: Security Program Value built from Security Infrastructure (Assess, Plan, Implement), Security Staff (Expertise, Experience), Security Processes (Threat, Vuln, IAM, NAC) and Security Metrics]
Active Management
• “Discovery Scans”
– Frequent Scans to Baseline and Discover Assets
– Identify & Classify Assets and Enforce Policies
• Conduct Vulnerability Scans on Critical Assets
– Automated Recurring Scans
– Shift from Quarterly or Yearly Consultative Scans
• Aggregate, Prioritize and Assign Accountability
• Workflow System to Track Remediation Effort
• Result = Awareness of Critical Assets Exposure
Defining Network Security
Security is prevention of unwanted information transfer
• What are the components?
– Physical Security
– Operational Security
– Human Factors
– Protocols
Security
Threat, Value and Cost Tradeoffs
• Identify the Threats
• Set a Value on Information
• Add up the Costs (to secure)
Cost < Value * Threat * Likelihood
Threats
• Hackers/Crackers (“Joyriders”)
• Criminals (Thieves)
• Rogue Programs (Viruses, Worms)
• Internal Personnel
• System Failures
Network Threats
• IP Address spoofing attacks
• TCP SYN Flood attacks
• Random port scanning of internal systems
• Snooping of network traffic
• Buffer overrun attacks
Network Threats (cont.)
• Backdoor command attacks
• Information leakage attacks via finger, echo, ping, and traceroute commands
• Attacks via download of Java and ActiveX scripts
• TCP Protocol Attacks
Threat, Value and Cost Tradeoffs
• Operations Security
• Host Security
• Firewalls
• Cryptography: Encryption/Authentication
• Monitoring/Audit Trails
Host Security
• Security versus Performance & Functionality
• Unix/Linux, Microsoft Windows, MVS, etc
• Desktops vs Servers
• “Security Through Obscurity”
Network Security
• Traffic Control
• Not a replacement for Host-based mechanisms
• Firewalls and Monitoring, Encryption
• Choke Points & Performance
• IDS/IPS – NetSQUID
Access Control
• Host-based:
– Passwords, etc.
– Directory Rights
– Access Control Lists
– Superusers
• Network-based:
– Address Based
– Filters
– Encryption
– Path Selection
Network Security and Privacy
• Protecting data from being read by unauthorized persons.
• Preventing unauthorized persons from inserting and deleting messages.
• Verifying the sender of each message.
• Allowing electronic signatures on documents.
FIREWALLS
• Prevent against (many) attacks
• Access Control
• Authentication
• Logging
• Notifications
Types of Firewalls
• Packet Filters – Network Layer
• Stateful Packet Filters – Network Level
• Circuit-Level Gateways – Session Level
• Application Gateways – Application Level
[Figure: OSI layer stack (Physical, Data Link, Network, Transport, Session, Presentation, Application) shown beside the firewall types]
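An added example, not part of the original slides, that shows why the slide lists packet filters and stateful packet filters separately: a toy stateless filter that can only judge flags is placed beside a stateful one that keeps a connection table. The internal prefix 10.0.0. and the packet trace are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Minimal TCP/IP header view, constructed for this example."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

INTERNAL_PREFIX = "10.0.0."   # assumed internal network (hypothetical)

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)

def packet_filter(pkt: Packet) -> bool:
    """Plain packet filter: judges each packet on its own header fields.
    'Reply to a connection the inside opened' can only be approximated by
    flags, so it admits any inbound packet that carries ACK and blocks
    inbound packets that are SYN-only (connection openings from outside)."""
    if is_internal(pkt.src):
        return True                   # outbound traffic is allowed
    return pkt.ack

class StatefulPacketFilter:
    """Stateful packet filter: records connections opened from inside and
    admits an inbound packet only if it belongs to one of them."""
    def __init__(self) -> None:
        self.connections: set[tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            if pkt.syn and not pkt.ack:   # inside host opens a connection
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # inbound: the reversed 4-tuple must be in the connection table
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections

def run(packets: list[Packet]) -> list[tuple[bool, bool]]:
    """(stateless verdict, stateful verdict) for each packet, in order."""
    spf = StatefulPacketFilter()
    return [(packet_filter(p), spf.filter(p)) for p in packets]

# Constructed trace: an inside host fetches a web page, then an outside host
# sends packets to it that belong to no connection. Addresses are made up.
TRACE = [
    Packet("10.0.0.5", 40000, "198.51.100.10", 80, syn=True),            # outbound SYN
    Packet("198.51.100.10", 80, "10.0.0.5", 40000, syn=True, ack=True),  # reply SYN/ACK
    Packet("198.51.100.10", 80, "10.0.0.5", 40000, ack=True),            # reply data
    Packet("203.0.113.9", 4444, "10.0.0.5", 445, ack=True),              # unsolicited, ACK set
    Packet("203.0.113.9", 4444, "10.0.0.5", 445, syn=True),              # unsolicited SYN
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(TRACE, run(TRACE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
              f"packet filter={stateless}  stateful={stateful}")
```

Only the fourth packet separates the two: the flag-based rule lets it through because ACK is set, while the connection table has no entry for it.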
Firewall Installation Issues
• DNS Problems
• Web Server
• FTP Server
• Mail Server
• Mobile Users
• Performance
Address Transparency
• Need to make some addresses visible to external hosts.
• Firewall lets external hosts connect as if firewall was not there.
• Firewall still performs authentication
Network Address Translation
[Figure: Host A (internal host, running ftp) – Gateway Host (proxy ftp with gw control) – Host B (external host, running ftpd), each drawn as a stack of application / TCP / IP / Data Link / Hardware; the datagram is addressed A–GW on the inside and A–B on the outside, across the INTERNET]
Virtual Private Networks
[Figure: "Hello" is sent in the clear at either end; across the network it appears as scrambled "!@@%*". Sending side: Encapsulate, Authenticate, Encrypt. Receiving side: Decapsulate, Authenticate, Decrypt.]
Creates a “Virtual Private Network”
VPN Secure Tunnels
• Different types of Tunnels supported
• Encryption
• Secret key used for authentication and encryption
• Trusted hosts are allowed to use the tunnel on both ends
Summary
• Security must be comprehensive to be effective.
• Remember threat, value, cost when implementing a system.
• Security is achievable, but never 100%.
• Make your system fault tolerant.
NIST Security Mandates
• Develop standards and guidelines for the Federal government
• Improve the overall security of IT products and services
• Make the national infrastructures more secure
NIST Security Guidelines
• 800-27, Engineering Principles for IT Security
• 800-28, Mobile Code and Active Content
• 800-29, A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2
• 800-30, Risk Management Guide for Information Technology Systems
• 800-31, Intrusion Detection Systems
• 800-32, Intro to Public Key Technology and Federal PKI Infrastructure
• 800-33, Underlying Technical Models for Information Technology Security
• 800-34, Contingency Planning Guide for Information Technology System
• 800-38A, Recommendation for Block Cipher Modes of Operation - Methods and Techniques
• 800-41, Guidelines on Firewalls and Firewall Policy
• 800-44, Guidelines on Securing Public Web Servers
• 800-45, Guidelines on Electronic Mail Security
• 800-46, Security for Telecommuting and Broadband Communications
• 800-47, Security Guide for Interconnecting Information Technology Systems
• 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
Available at http://csrc.nist.gov/publications/nistpubs/index.html
NIST Security Guidelines in Draft (Available now)
• 800-37, Guidelines for the Security Certification and Accreditation (C&A) of Federal Information Technology Systems
• 800-55, Security Metrics Guide for Information Technology Systems
• 800-38B, Recommendation for Block Cipher Modes of Operation: the RMAC Authentication Mode
• 800-36, Guide to Selecting IT Security Products
• 800-35, Guide to IT Security Services
• 800-4A, Security Considerations in Federal Information Technology Procurements
• 800-48, Wireless Network Security: 802.11, Bluetooth, and Handheld Devices
• 800-50, Building an Information Technology Security Awareness and Training Program
• 800-43, System Administration Guidance for Windows 2000 Professional
• Draft 800-42, Guideline on Network Security Testing
Available at http://csrc.nist.gov/publications/drafts.html
Incident Response
• Provide an effective and efficient means of dealing with the situation in a manner that reduces the potential impact to the organization.
• Provide management with sufficient information in order to decide on an appropriate course of action.
• Maintain or restore business continuity.
• Defend against future attacks.
• Deter attacks through investigation and prosecution.
Incident Response – Why is it Critical?
• Resolve the problem
– Find out what happened
– How it happened
– Who did it
• Create a record of the incident for later use
• Create a record to observe trends
• Create a record to improve processes
• Avoid confusion
Elements of Incident Response
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Follow-up
Preparation
Without adequate preparation, it is extremely likely that response efforts to an incident will be disorganized and that there will be considerable confusion among personnel. Preparation limits the potential for damage by ensuring response actions are known and coordinated.
Identification
The process of determining whether or not an incident has occurred and the nature of an incident. Identification may occur through the use of automated network intrusion equipment or by a user or SA.
Identification is a difficult process. Noticing the symptoms of an incident is often difficult. There are many false positives. However, noticing an anomaly should drive the observer to investigate further.
Who can identify an Incident
• Users – My system is slow, my mail is missing, my files have changed
• System support personnel – servers locked up, files missing, accounts added/deleted, weird stuff happening, anomalies in the logs
• Intrusion Detection Systems and Firewalls – Automatically ID violations to policies
Possible Incident Classifications
• Unauthorized Privileged (root) Access – Access gained to a system and the use of root privileges without authorization.
• Unauthorized Limited (user) Access – Access gained to a system and the use of user privileges without authorization.
• Unauthorized Unsuccessful Attempted Access – Repeated attempt to gain access as root or user on the same host, service, or system with a certain number of connections from the same source.
Possible Incident Classifications (cont.)
• Unauthorized Probe – Any attempt to gather information about a system or user on-line by scanning a site and accessing ports through operating system vulnerabilities.
• Poor Security Practices – Bad passwords, direct privileged logins, etc, which are collected from network monitor systems.
• Denial of Service (DOS) Attacks – Any action that preempts or degrades performance of a system or network affecting the mission, business, or function of an organization.
• Malicious Logic – Self-replicating software that is viral in nature; is disseminated by attaching to or mimicking authorized computer system files; or acts as a trojan horse, worm, malicious scripting, or a logic bomb. Usually hidden and some may replicate. Effects can range from simple monitoring of traffic to complicated automated backdoor with full system rights.
Possible Incident Classifications (cont.)
• Hardware/Software Failure – Non-malicious failure of HW or SW assets.
• Infrastructure Failure – Non-malicious failure of supporting infrastructure to include power failure, natural disasters, forced evacuation, and service providers failure to deliver services.
• Unauthorized Utilization of Services – This can include game play, relaying mail without approval, creating dial-up access, use organizational equipment for personal gain, and personal servers on the network.
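An added example, not from the original slides, that ties the Identification slide (automated detection, false positives) to the classification names above: it parses constructed sshd-style log lines and maps each source's behaviour onto the slide's categories. The five-failures-in-ten-minutes threshold is an assumption and is exactly where the false-positive tradeoff lives; hosts and addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd/syslog-style lines; host names and addresses are made up.
SAMPLE_LOG = """\
Jun 13 02:14:01 host1 sshd[812]: Failed password for root from 203.0.113.7 port 4021 ssh2
Jun 13 02:14:03 host1 sshd[812]: Failed password for root from 203.0.113.7 port 4022 ssh2
Jun 13 02:14:05 host1 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 4023 ssh2
Jun 13 02:14:08 host1 sshd[812]: Failed password for root from 203.0.113.7 port 4024 ssh2
Jun 13 02:14:10 host1 sshd[812]: Failed password for root from 203.0.113.7 port 4025 ssh2
Jun 13 02:15:40 host1 sshd[813]: Accepted password for root from 203.0.113.7 port 4026 ssh2
Jun 13 08:30:11 host1 sshd[990]: Failed password for alice from 198.51.100.4 port 51012 ssh2
Jun 13 08:30:20 host1 sshd[990]: Accepted password for alice from 198.51.100.4 port 51012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")

def parse(log: str, year: int = 2006) -> list[tuple[datetime, str, str, str]]:
    """(timestamp, result, user, source) per parsable line; syslog omits the year."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def classify(events, threshold: int = 5, window: timedelta = timedelta(minutes=10)):
    """Map each source to slide classifications. A source is 'Unauthorized
    Unsuccessful Attempted Access' once it shows >= threshold failures inside
    the window; a success from that source after the burst began is flagged as
    unauthorized root or user access for an analyst to confirm (heuristic)."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        by_src[src].append((ts, result, user))
    findings = {}
    for src, evs in by_src.items():
        fails = [ts for ts, r, _ in evs if r == "Failed"]
        burst = any(fails[i + threshold - 1] - fails[i] <= window
                    for i in range(len(fails) - threshold + 1))
        if not burst:          # a mistyped password or two stays below threshold
            continue
        cats = ["Unauthorized Unsuccessful Attempted Access"]
        for ts, r, user in evs:
            if r == "Accepted" and ts > fails[0]:
                cat = ("Unauthorized Privileged (root) Access" if user == "root"
                       else "Unauthorized Limited (user) Access")
                if cat not in cats:
                    cats.append(cat)
        findings[src] = cats
    return findings

if __name__ == "__main__":
    for src, cats in classify(parse(SAMPLE_LOG)).items():
        print(src, "->", "; ".join(cats))
```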
Containment
The process of limiting the scope and magnitude of an incident.
As soon as it is recognized that an incident has occurred or is occurring, steps should immediately be taken to contain the incident.
Containment - Example
• Incidents involving malicious code are common, and since malicious code incidents can spread rapidly, massive destruction and compromise of information is possible.
• It is not uncommon to find every workstation connected to a LAN infected when there is a virus outbreak.
– Internet Worm of 1988 attacked 6,000 computers in the U.S. in one day.
– LoveBug Virus affected over 10 million computers with damage estimated between $2.5B-$10B US
– Kournikova worm effects still being analyzed
Eradication
• The process of removing the cause of the incident.
– For a virus – anti-virus software is best
– For a network, may involve blocking/filtering the IP address at the router/firewall
– Ideally, but difficult, best eradicated by bringing the perpetrators into legal custody and convicting them in a court of law.
Recovery
• The process of restoring a system to its normal operating status
– Unsuccessful incidents – assure system operation and data not affected
– Complex and/or successful incidents – May require complete restoration from known clean system backups. Essential to assure the backups' integrity and to verify the restore operation was successful
Follow-Up
• Critical
• Helps to improve incident handling procedures
• Address efforts to prosecute perpetrators
• Activities Include:
– Analyze the Incident and the Response
– Analyze the Cost of the Incident
– Prepare a Report
– Revise Policies and Procedures