INTEGRITY & POLICY
Leticia Nisbett, Lauren Walters, Andrew Yao

Overview
- Leticia: basic integrity, and writing policies to ensure integrity
- Lauren: access controls, security models, and integrity tools
- Andrew: application to a case study and examples

What is Integrity?
Integrity is a VERY important security requirement. Protecting your information is the highest priority, and protecting the integrity of your network is critical to your ability to protect the information it contains. Integrity can be defined in a number of ways.

How would you define Integrity?

Definitions of Integrity
Integrity requires that computer system assets and transmitted information be capable of modification only by authorized parties:
- not modified by unauthorized persons
- not created by unauthorized persons

Integrity
In cryptography and information security, integrity refers to the validity of data.
Integrity can be compromised in two main ways:
- Malicious altering
  - an attacker alters the account number in a bank transaction
  - forging an identity document
- Accidental altering
  - transmission errors: “my name Leticia and u have a car”
  - hard disk crash
** According to Wikipedia

Integrity 2
In telecommunication, the term data integrity has the following meanings:
- the condition in which data are identically maintained during any operation, such as transfer, storage, and retrieval
- the preservation of data for their intended use
Specifically, data integrity in a relational database is concerned with three aspects of the data in a database: accuracy, correctness, and validity.
*** According to Wikipedia

What happens if integrity is compromised?
Modification is an attack on integrity. Modification: the data is changed, delayed or reordered to produce an unauthorized, undesired effect.
A breach in the integrity of your network can be extremely costly in time and effort, and it can open multiple avenues for continued attacks.

Network Considerations
When considering what to protect within your network, you are concerned with maintaining the integrity of:
- the physical network
- your network software
- any other network resources
- your reputation
This integrity involves the verifiable identity of computers and users, the proper operation of the services that your network provides, and optimal network performance. All of these concerns are important in maintaining a productive network environment.

Common Methods of Attack on Integrity
The four methods of attack that are commonly used to compromise the integrity of a network:
- network packet sniffers
- IP spoofing
- password attacks
- application layer attacks

Network Packet Sniffers
Network packet sniffers can yield critical system information, such as user account information and passwords. When an attacker obtains the correct account information, he or she has the run of your network.
Worst-case scenario: an attacker gains access to a system-level user account, creates a new account that can be used at any time as a back door, and can modify system-critical files such as:
- the password for the system administrator account
- the list of services and permissions on file servers
- the login details for other computers that contain confidential information

Network Packet Sniffers 2
Packet sniffers provide information about the topology of your network that many attackers find useful, such as:
- what computers run which services
- how many computers are on your network
- which computers have access to others
A network packet sniffer can be modified to interject new information or change existing information in a packet. Such an attack can cause network connections to shut down prematurely, as well as change critical information within the packet. Imagine a modification to the accounting system.

IP Spoofing
IP spoofing can yield access to user accounts and passwords, and it can also be used in other ways.
- An attacker emulates one of your internal users in ways that prove embarrassing for your organization.
- Such attacks are easier when an attacker has a user account and password.
- They are possible by combining simple spoofing attacks with knowledge of messaging protocols: telnetting directly to the SMTP port on a system allows the attacker to insert bogus sender information.

Password Attacks
A brute-force password attack can provide access to accounts that can be used to modify critical network files and services, compromising the network's integrity.
Once an attacker gets the password and gains access to the system, he can modify the routing tables for the network. The attacker ensures that all network packets are routed to him or her before they are transmitted to their final destination.

Application Layer Attacks
Application layer attacks can be implemented using several different methods. A common method is exploiting well-known weaknesses in software commonly found on servers, such as sendmail, PostScript, and FTP.
By exploiting these weaknesses, attackers can gain access to a computer with the permissions of the account running the application, usually a privileged system-level account.

Application Layer Attacks
Trojan horse attacks are implemented using bogus programs that the attacker substitutes for common programs:
- the programs provide all the functionality of a normal application or service
- they also include other features that are known to the attacker
- the programs can capture sensitive information and distribute it back to the attacker

Network considerations when defining security policies
Three main types of networks must be considered when defining a security policy: trusted, un-trusted, and unknown.

Trusted Networks
Networks inside your network security perimeter: the networks that you are trying to protect.
- Someone in the organization administers the computers that comprise these networks (most of the time).
- The organization controls their security measures. Usually, trusted networks are within the security perimeter.
- To set up the firewall server, explicitly identify the type of networks that are attached to the firewall server through network adapter cards. After the initial configuration, the trusted networks include the firewall server and all networks behind it. One exception to this general rule is the inclusion of virtual private networks (VPNs).

Un-trusted Networks
Networks known to be outside your security perimeter.
- Un-trusted because they are outside your control: you have no control over the administration or security policies for these sites.
- Private, shared networks from which you are trying to protect your network.
- You still need and want to communicate with these networks, although they are un-trusted.
- To set up the firewall server, explicitly identify the un-trusted networks from which the firewall can accept requests.

Unknown Networks
Networks that are neither trusted nor un-trusted.
- Unknown quantities to the firewall, because you cannot explicitly tell the firewall server that the network is trusted or un-trusted.
- Unknown networks exist outside your security perimeter.
- By default, all non-trusted networks are considered unknown networks, and the firewall applies the security policy that is applied to the Internet node in the user interface, which represents all unknown networks.

Establishing a Security Perimeter
When you define a network security policy, you must define procedures to safeguard your network and its contents and users against loss and damage.
A network security policy plays a role in enforcing the overall security policy defined by an organization.

Establishing a Security Perimeter
A critical part of an overall security solution is a network firewall: it monitors traffic crossing network perimeters and imposes restrictions according to the security policy.
Perimeter routers are found at any network boundary between private networks, intranets, extranets, or the Internet. Firewalls most commonly separate internal (private) and external (public) networks.
A network security policy focuses on controlling network traffic and usage. It:
- identifies a network's resources and threats
- defines network use and responsibilities
- details action plans for when the security policy is violated
When a network security policy is deployed, it should be strategically enforced at defensible boundaries within your network. These strategic boundaries are called perimeter networks.

Three Types of Perimeter Networks Exist: Outermost, Internal, and Innermost

Example Two-Perimeter Network Security Design

Developing Your Security Design
The design of the perimeter network and security policies requires certain subjects to be addressed.

Important considerations for defining a security policy
1. Know your enemy
2. Count the cost
3. Identify any assumptions
4. Control your secrets
5. Human factors
6. Know your weakness
7. Limit the scope of access
8. Understand your environment
9. Limit your trust
10. Remember physical security
11. Make security pervasive

Know Your Enemy
Know your attackers or intruders. Consider who might want to circumvent your security measures, identify their motivations, and determine what they might want to do and the damage that they could cause to your network.
Security measures can never make it impossible for a user to perform unauthorized tasks with a computer system; they can only make it harder. The goal is to make sure that the network security controls are beyond the attacker's ability or motivation.

Count the Cost
Security measures usually reduce convenience, especially for sophisticated users.
Security can delay work and can create expensive administrative and educational overhead.
Security can use significant computing resources and require dedicated hardware.
When you design your security measures, understand their costs and weigh those costs against the potential benefits.
To do that, you must understand the costs of the measures themselves and the costs and likelihood of security breaches. If you incur security costs out of proportion to the actual dangers, you have done yourself a disservice.

Identify Any Assumptions
Every security system has underlying assumptions. For example, you might assume that your network is not tapped, that attackers know less than you do, that they are using standard software, or that a locked room is safe. Be sure to examine and justify your assumptions. Any hidden assumption is a potential security hole.

Control Your Secrets
Most security is based on secrets, e.g. passwords and encryption keys.
Too often, the secrets are not all that secret. The most important part of keeping secrets is knowing the areas that you need to protect.
What knowledge would enable someone to circumvent your system? You should jealously guard that knowledge and assume that everything else is known to your adversaries.
The more secrets you have, the harder it will be to keep them all. Security systems should be designed so that only a limited number of secrets need to be kept.

Human Factors
Many security procedures fail because their designers do not consider how users will react to them.
- Automatically generated nonsense passwords are often written on the undersides of keyboards: they are difficult to remember.
- A secure door that leads to the system's only tape drive is sometimes propped open: for convenience.
- Unauthorized modems are often connected to a network to avoid onerous dial-in security measures: for expediency.
If security measures interfere with essential use of the system, they will be resisted and perhaps circumvented. To get compliance, make sure users can get their work done, and emphasize (sell) security measures to users. Users must understand and accept the need for security.

Human Factors 2
Users can compromise system security, at least to some degree. Passwords can be found out simply by calling legitimate users on the telephone, claiming to be a system administrator, and asking for them.
If your users understand security issues, and if they understand the reasons for your security measures, they are far less likely to make an intruder's life easier.
At minimum:
- Users should be taught never to release passwords or other secrets over unsecured telephone lines or e-mail.
- Users should be wary of people who call them on the telephone and ask questions.
- Some companies have implemented formalized network security training, so that employees are not allowed access to the Internet until they have completed a formal training program.

Know Your Weaknesses
Every security system has vulnerabilities. You should understand your system's weak points and know how they could be exploited. You should also know the areas that present the greatest danger and should prevent access to them immediately. Understanding the weak points is the first step toward turning them into secure areas.

Limit the Scope of Access
You should create appropriate barriers in your system so that if intruders access one part of the system, they do not automatically have access to the rest of the system.
The security of a system is only as good as the weakest security level of any single host in the system.

Understand Your Environment
Understanding how your system normally functions, knowing what is expected and what is unexpected, and being familiar with how devices are usually used will help you detect security problems.
Noticing unusual events can help you catch intruders before they can damage the system. Auditing tools can help you detect those unusual events.

Limit Your Trust
You should know exactly which software you rely on, and your security system should not have to rely on the assumption that all software is bug-free.

Remember Physical Security
Physical access to a computer (or a router) usually gives a sufficiently sophisticated user total control over that computer.
Physical access to a network link usually allows a person to tap that link, jam it, or inject traffic into it. It makes no sense to install complicated software security measures when access to the hardware is not controlled.

Make Security Pervasive
Administrators, programmers, and users should consider the security implications of every change they make.
Understanding the security implications of a change takes practice; it requires lateral thinking and a willingness to explore every way that a service could potentially be manipulated.

Ten suggested ways to improve the security of your computer!!!
**** http://web.mit.edu/ist/topics/security/pamphlets/tensteps.pdf

1. patch, Patch, PATCH!
Set up your machine for automatic updates.
- For Windows: Start Menu > Control Panel > Services > Windows Update: set to automatic
- For Macs: System Preferences > Software Update: set to daily or weekly
- For Red Hat Linux, refer to: http://mit.edu/ist/topics/Linux/rhn.html

2. Install anti-virus software.
Install the appropriate version of the antivirus software for your computer. Set it to scan your files on a regular basis.
*** Software is available on IS&T’s Getting Started CD or at http://web.mit.edu/software

3. Choose strong passwords.
Some suggestions for choosing strong passwords!!??

3. Choose strong passwords.
Choose strong passwords by picking letters, numbers, and special characters to create a mental image or an acronym that is easy for you to remember.
Change passwords regularly. Do not reuse your password among different accounts. It’s bad if your email account is hacked; it’s even worse if it’s your email account AND your bank account.
*** http://web.mit.edu/network/passwords.html

DEMO
MAC Password Helper

4. backup, Backup, BACKUP!
Backing up your data on a regular basis helps protect you from the unexpected.
Ask yourself how many days of work you are willing to lose if your computer is compromised and the hackers decide to overwrite your disk space with their favorite movies and music.
*** http://web.mit.edu/net-security/www/faq.html#backup

5. Control access to your machine.
- Don’t leave your machine unattended and logged on.
- Don’t leave your PDA unattended in public places.
- Disable guest accounts, and delete unused accounts in a timely manner.
*** More information on securing your Windows machine can be found at http://web.mit.edu/ist/topics/windows

6. Use email safely.
- Filter your spam e-mail.
- Check with the sender when receiving unexpected attachments from people you know.
- Never open attachments from people you don’t know.
- Always use your virus scanner on any attachment before opening it.
*** MIT Spam Screening is described at http://web.mit.edu/ist/services/email/nospam

7. Use secure connections.
Using a secure connection is essential. On the Internet your data is vulnerable unless you do something to protect it.
- For Linux, SSH and SCP are best for secure logins and secure file transfers.
- For Windows, use FileZilla and SecureFX for file transfers, and Host Explorer and SecureCRT for secure remote logins.
*** http://web.mit.edu/net-security/www/faq.html#secure-connections

8. Encrypt sensitive files.
Sensitive data is frequently stored on your hard drives. Protecting the data can protect you from identity theft.
Encrypt sensitive files. Have password-protected documents.

9. Use desktop firewalls.
Apple Mac OS X and Microsoft Windows XP have basic desktop firewalls as part of their operating systems. It is recommended that users activate these firewalls unless there are known software conflicts.

10. Stay informed.
To stay current with the latest developments for Windows, Macs, and *nix systems, subscribe to the security-fyi mailing list by visiting http://mailman.mit.edu/mailman/listinfo/security-fyi

Access Controls
- Mandatory Access Control
- Discretionary Access Control
- Role-Based Access Control

Mandatory Access Control
The MAC technique protects and contains computer processes, data, and system devices from being misused.

Mandatory Access Control
Four modes of security operation:
- Dedicated Security Mode: all users can access ALL data.
- System-High Security Mode: all users can access SOME data, based on their need to know.
- Compartmented Security Mode: all users can access SOME data, based on their need to know and formal access approval.
- Multilevel Security Mode: all users can access SOME data, based on their need to know, clearance and formal access approval.

Discretionary Access Control
DAC defines basic access control policies to objects at the discretion of the object’s owner.
MAC and DAC can be applied to the same file.

Role-Based Access Control
RBAC is a new alternative approach to MAC and DAC.
Access control is determined by the job function, not the individual staff member.

Access Control
In your opinion, which is the better method for access control? MAC, DAC, and/or RBAC

Security Models
Security models are an important concept in the design and analysis of secure computer systems.
Examples of security models:
- Information Flow Model*
- Biba Security Model*
- Clark-Wilson Model*
- Chinese Wall Model
- The Bell-LaPadula Model

Information Flow Model
The information flow model is a variation of the access control model.
This model attempts to control the transfer of information from one object to another, which is constrained by the two objects’ security attributes.
Information can flow to the same or a higher level of security.

The Biba Model
The Biba Integrity Model describes read and write restrictions based on the integrity classes of subjects and objects.
Two main principles:
- A subject can write to an object only if the integrity access class of the subject is higher than the integrity class of the object.
- A subject can read an object only if the integrity access class of the subject is lower than the integrity class of the object.

The Biba Model*
[Diagram: Read and Write arrows between a Layer of Higher Secrecy and a Layer of Lower Secrecy, marked “Get Contaminated” / “Contaminated”; labelled Simple Integrity Property and Integrity Star Property.]
* Official (ISC)2 Guide to the CISSP Exam

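The two Biba rules as executable checks, added here as an example (not from the slides or the (ISC)2 guide): the integrity classes and the requests are constructed, and the checks use the model's dominance relation, so equal classes are permitted.

```python
"""Biba integrity model reference checks.

Added example, not from the slides or the (ISC)2 guide. Integrity classes are
ordered integers (constructed levels); the checks use the model's dominance
relation (>=), so equal classes are allowed.
"""
from enum import IntEnum
from typing import List, Tuple


class Integrity(IntEnum):
    """Constructed integrity classes, lowest to highest."""
    UNTRUSTED = 0   # e.g. data that arrived from the Internet
    USER = 1
    OPERATOR = 2
    SYSTEM = 3


def can_read(subject: Integrity, obj: Integrity) -> bool:
    """Simple Integrity Property ("no read down"): the object's integrity
    must dominate the subject's, or the subject gets contaminated."""
    return obj >= subject


def can_write(subject: Integrity, obj: Integrity) -> bool:
    """Integrity *-Property ("no write up"): the subject's integrity must
    dominate the object's, or the object gets contaminated."""
    return subject >= obj


def check_access(subject: Integrity, obj: Integrity, op: str) -> Tuple[bool, str]:
    """Decide one request and return (allowed, reason) for the audit log."""
    if op == "read":
        if can_read(subject, obj):
            return True, "ok"
        return False, "denied: no read down (subject would be contaminated)"
    if op == "write":
        if can_write(subject, obj):
            return True, "ok"
        return False, "denied: no write up (object would be contaminated)"
    raise ValueError(f"unknown operation {op!r}")


def audit(requests: List[Tuple[Integrity, Integrity, str]]) -> List[Tuple[str, str, str, bool, str]]:
    """Evaluate a batch of (subject, object, operation) requests."""
    return [(s.name, o.name, op) + check_access(s, o, op) for s, o, op in requests]


if __name__ == "__main__":
    # Constructed requests covering both properties and the equal-class case.
    REQUESTS = [
        (Integrity.SYSTEM, Integrity.UNTRUSTED, "read"),    # denied: read down
        (Integrity.USER, Integrity.SYSTEM, "read"),         # allowed: read up
        (Integrity.SYSTEM, Integrity.USER, "write"),        # allowed: write down
        (Integrity.USER, Integrity.SYSTEM, "write"),        # denied: write up
        (Integrity.OPERATOR, Integrity.OPERATOR, "write"),  # allowed: equal class
    ]
    for row in audit(REQUESTS):
        print(row)
```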
The Clark-Wilson Model
The model addresses integrity requirements which are based on process and data integrity.
The model identifies three rules of integrity:
- Unauthorized users should not make changes.
- Authorized users should not make unauthorized changes.
- The system should maintain internal and external consistency.
Enforce policies by:
- well-formed transactions
- separation of duties

The Clark-Wilson Model
Data:
- Constrained data items (CDI)
- Unconstrained data items (UDI)
Procedures:
- Integrity verification procedure (IVP)
- Transformation procedure (TP)

Example of CW Model
1. The purchasing clerk creates an order for a supply, sending copies to the supplier and the receiving department.
2. Upon receiving the items, a receiving clerk checks the delivery and, if all is well, signs a delivery form. Then the delivery form and the original order form go to the accounting department.
3. The supplier sends an invoice to the accounting department. The accounting clerk compares the invoice with the original order and delivery form and issues a check to the supplier.

Example of CW Model
Users? Purchasing clerk, receiving clerk, supplier, accounting clerk
Constrained data? Order, delivery form, invoice, check
Transformation procedures? Create order, send order; create delivery form, send delivery form, sign delivery form; create invoice, send invoice; compare invoice to order; and so on…

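The purchasing workflow above as Clark-Wilson enforcement, added as an example (not from the slides): one CDI carries the order, delivery form, invoice and check; TPs are bound to roles for separation of duties; and an IVP must pass before the check is issued. Users, items and prices are constructed.

```python
"""Clark-Wilson enforcement for the purchasing workflow on the slides.
Added example, not from the slides. CDIs change only through certified TPs,
each TP is bound to the roles that may run it (separation of duties), and an
IVP must pass before a check is issued. Users, items and prices are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Set


class IntegrityViolation(Exception):
    """Raised when a request would break a Clark-Wilson rule."""


@dataclass
class PurchaseCDI:
    """Constrained data item: everything recorded about one purchase order."""
    order_id: str
    ordered: Dict[str, int]          # item -> quantity ordered
    unit_price: Dict[str, float]     # item -> agreed price
    delivered: Dict[str, int] = field(default_factory=dict)
    delivery_signed_by: str = ""
    invoice_total: float = 0.0
    check_issued: float = 0.0


STORE: Dict[str, PurchaseCDI] = {}

# Separation of duties: no role may both order and receive, or receive and pay.
ALLOWED_ROLES: Dict[str, Set[str]] = {
    "create_order": {"purchasing_clerk"},
    "sign_delivery": {"receiving_clerk"},
    "create_invoice": {"supplier"},
    "issue_check": {"accounting_clerk"},
}


def tp_create_order(user, order_id, ordered, unit_price):
    if order_id in STORE:
        raise IntegrityViolation(f"order {order_id} already exists")
    STORE[order_id] = PurchaseCDI(order_id, dict(ordered), dict(unit_price))
    return STORE[order_id]


def tp_sign_delivery(user, order_id, delivered):
    cdi = STORE[order_id]
    cdi.delivered = dict(delivered)
    cdi.delivery_signed_by = user      # the delivery form records who signed it
    return cdi


def tp_create_invoice(user, order_id, total):
    cdi = STORE[order_id]
    cdi.invoice_total = float(total)
    return cdi


def ivp(cdi: PurchaseCDI) -> bool:
    """Integrity verification: the invoice must match what was ordered AND what
    the receiving clerk signed for, at the agreed unit prices."""
    if not cdi.delivery_signed_by or cdi.delivered != cdi.ordered:
        return False
    expected = sum(q * cdi.unit_price[item] for item, q in cdi.ordered.items())
    return abs(expected - cdi.invoice_total) < 0.005


def tp_issue_check(user, order_id):
    cdi = STORE[order_id]
    if not ivp(cdi):   # well-formed transaction: never pay an inconsistent record
        raise IntegrityViolation(f"order {order_id} fails IVP; check withheld")
    cdi.check_issued = cdi.invoice_total
    return cdi


TPS = {
    "create_order": tp_create_order,
    "sign_delivery": tp_sign_delivery,
    "create_invoice": tp_create_invoice,
    "issue_check": tp_issue_check,
}


def run_tp(tp: str, user: str, role: str, **args) -> PurchaseCDI:
    """The only entry point that touches CDIs: certified TPs run by certified roles."""
    if tp not in TPS:
        raise IntegrityViolation(f"{tp!r} is not a certified TP")
    if role not in ALLOWED_ROLES[tp]:
        raise IntegrityViolation(f"{user} ({role}) is not certified to run {tp}")
    return TPS[tp](user, **args)
```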
Tools
- Integrity Management Software
- Anti-Virus Software

Integrity Management Software
Encryption is most commonly used for secrecy, but it can also be used for integrity.
Check for integrity by specifically utilizing:
- hash functions
- digital signatures
- file size
Example: Tripwire Enterprise

Hash Functions
A public function that maps a plaintext message of any length to a fixed-length hash value. Hash functions are used as an authenticator.
Pros: offers integrity
Cons: no confidentiality
Examples: CRC, MD5, SHA-1

Cyclic Redundancy Check
CRC is a type of hash function that is utilized to create a checksum.
Useful for error detection, but CRC cannot be relied upon to verify data integrity.
Example of a tool that solely uses CRC: Crckit

Message-Digest Algorithm 5
MD5 is a popular cryptographic hash function with a 128-bit hash value.
- Utilized in a variety of security applications
- Also commonly used for checking the integrity of files
- It is computationally unrealistic to find two messages that have the same message digest

Secure Hash Algorithm
SHA is a set of related cryptographic hash functions.
SHA-1 is the most commonly used for a large variety of security applications and protocols.
SHA-1 is considered the successor to MD5.

Digital Signatures
Digital signatures, also known as public-key digital signatures, are an encryption scheme utilizing public key cryptography.
This method has two complementary algorithms, one for signing and the other for verification, and the output of this process is a digital signature.

Tripwire Enterprise
http://www.tripwire.com/
Captures a baseline of server file systems, desktop file systems, directory servers and network device configurations in a known good state, and then automatically performs integrity checks that compare current states against baselines to detect changes.
Tripwire Demo

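A Tripwire-style baseline-and-compare check using a hash function and file size as the slides describe, added here as an example (this is not Tripwire's code). SHA-256 is used for the digest, and the sample tree is constructed in a temporary directory.

```python
"""Tripwire-style file integrity check: baseline, then compare.
Added example, not Tripwire's code. Records a SHA-256 digest, size and
permission mode for every regular file under a root, then compares a later
snapshot against that baseline and reports added, removed and modified files.
The sample tree is constructed in a temporary directory.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Record = Tuple[str, int, int]   # (sha256 hex digest, size in bytes, permission bits)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, Record]:
    """Record (digest, size, mode) for each regular file, keyed by relative path."""
    records: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue    # symlinks and devices are out of scope for this example
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            records[rel] = (sha256_file(full), st.st_size, stat.S_IMODE(st.st_mode))
    return records


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> Dict[str, list]:
    """Classify every difference between the baseline and the current snapshot."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified: List[Tuple[str, List[str]]] = []
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        what = [label for label, i in (("content", 0), ("size", 1), ("mode", 2)) if old[i] != new[i]]
        if what:
            modified.append((rel, what))
    return {"added": added, "removed": removed, "modified": modified}


def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)
    os.chmod(full, 0o644)


def demo() -> Dict[str, list]:
    """Constructed scenario: take a baseline, then change the tree the way the
    case study describes and see what the comparison reports."""
    root = tempfile.mkdtemp(prefix="fim-")
    _write(root, "talks/keynote.txt", "Welcome to the event, all systems nominal.\n")
    _write(root, "etc/sshd_config", "PermitRootLogin no\n")
    _write(root, "etc/motd", "Authorized use only.\n")
    baseline = snapshot(root)

    # Same-length edit: a size-only check misses it, the digest does not.
    _write(root, "talks/keynote.txt", "Welcome to the event, all systems nominal!\n")
    _write(root, "tools/update.sh", "#!/bin/sh\n")            # unexpected new file
    os.remove(os.path.join(root, "etc/motd"))                  # file removed
    os.chmod(os.path.join(root, "etc/sshd_config"), 0o600)     # permissions changed
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Keep the baseline on read-only or removable media: an attacker with root on the host can otherwise rewrite it along with the files it describes.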
Examples of Integrity Management Software
Advanced CheckSum Verifier (ACSV), Advanced Intrusion Detection Environment (AIDE), Cambia CM, Crckit, FileCheckMD5, FTimes, Hashdig, Integrit, Intrusec CM, Jacksum, LANGuard Security Integrity Monitor, MD5 Hashing Utilities, Md5deep, Nabou, NIST_Crc, Radmind, Samhain, Secure Hash Signature Generator, Sentinel, Sha_verify, Spidernet, SysCheck, Sysdiff, Tripwire (Commercial), Tripwire (Open Source), Veracity System Integrity Assurance, ViperDB, Yafic, Winalysis, WinInterrogate, Xintegrity

Anti-virus Software
The techniques for detecting a virus include:
- checking for unexpected increases in file size
- noting changes in timestamps
- sudden decreases in free space
- calculating checksums
- saving images of the internal control tables and noting unexplained changes

Examples of Anti-virus Software
- AntiVir PersonalEdition Classic
- AVAST 4 Home Edition
- AVG Free Edition
- Bullguard Antivirus Software, Firewall and Backup
- Command Antivirus
- F-Prot Antivirus for Windows
- F-Secure
- Kaspersky Anti-Virus
- McAfee VirusScan 2006
- NOD32 Antivirus System v2.0
- Norton AntiVirus 2002
- Panda Titanium Antivirus 2004
- PC-cillin Internet Security 2004
- Platinum Internet Security 2005
- Rising AntiVirus
- Virex
- Windows Live OneCare

Case Study - Integrity
Hamlet: Being thus be-netted round with villanies,-- I sat me down, Devised a new commission, wrote it fair: He should the bearers put to sudden death. I had my father's signet in my purse, Which was the model of that Danish seal; Subscribed it, gave't the impression, placed it safely, The changeling never known.

Case study - Attacks
Attacks on integrity:
- alter teleprompter speeches / presentation slides
- alter scheduling
- alter voting results
- alter outgoing media reports
The attacker could be other media or an outsider.

Attackers
“The cold passed reluctantly from the earth, and the retiring fogs revealed an army stretched out on the hills, resting.”
- The Red Badge of Courage

Case study - Outside attacker
Henry is a member of a small revolutionary anarchist group, assigned to disrupt the event using information warfare tactics.
He attacks from an open wireless network at a public library.

“How you gonna call yourself a revolutionary… and you ain’t got no poems?”
- Dewey

Case study - Attacker 1 recon
Scan ports 0-65535 with an aggressive stealth scan with OS and application fingerprinting.
# nmap -sS -F -P0 -O -T4 -v -A -p0-65535 [event network address]
Starting nmap 3.50 ( http://www.insecure.org/nmap/ )
[...]
Interesting ports on contractor2.event.net (XX.227.165.100):
(The 65535 ports scanned but not shown below are in state: filtered)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 3.7.1p1 (protocol 1.99)
Running: Linux 2.4.X
OS details: Linux 2.4.18 (x86)
Uptime 316.585 days
[...]

Preventing recon
Only open service on the network: the contractor left an SSH server running.
How can we prevent the attacker from finding it?

Preventing recon cont’d
- At the firewall, prevent all incoming connections.
- Use NAT so internal boxes are not Internet addressable.
- Put a firewall between Ops and Organization in case a contractor is compromised or malicious.
- Policy that no one may run listening servers without IT authorization.

Finding vulnerabilities
Henry looks up OpenSSH 3.7.1p1 on various security websites such as SecurityFocus BID and OSVDB.org.
http://www.kb.cert.org/vuls/id/602204
When PAM and SSHv1 are enabled, OpenSSH 3.7.1p1 has a vulnerability that allows an attacker to login to any account by using a null password.

Exploiting OpenSSH
psyche> ssh -1 root@contractor2.event.net
The authenticity of host 'contractor2.event.net (XX.227.165.212)' can't be established.
RSA1 key fingerprint is 2d:fb:27:e0:ab:ad:de:ad:ca:fe:ba:be:53:02:28:38.
Are you sure you want to continue connecting (yes/no)? yes
root@contractor2.event.net's password:
# whoami
root
How could we prevent this?

Preventing OpenSSH Exploit
How could we prevent this?
- Keep on top of patch management: automated scan of machines when they connect to the network.
- Use “PermitRootLogin no” in sshd_config to prevent root login.

Dictionary attack on SSH
Henry uses hydra to attempt a dictionary attack and guess a user’s password.
$ hydra -L names.txt -P passwords.txt contractor2.event.net ssh2
Hydra v5.2 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
[DATA] 400000 tasks, 1 servers, 400000 login tries (l:1/p:2), ~1 tries per task
[DATA] attacking service ssh2 on port 22
[STATUS] attack finished for contractor2.event.net (waiting for childs to finish)
[22][ssh2] host: XX.227.165.212 login: test password: trustno1

Preventing Dictionary Attack
Unable to guess a password for root, but did get user ‘test’ with password ‘trustno1’ (Fox Mulder’s password on The X-Files).
How to prevent this attack?

Preventing Dictionary Attack cont’d
- Choose strong passwords on all accounts, not just root.
- Enforceable by having IT people run hydra?
- Ban an IP address for some length of time after a certain number of failed attempts.

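The last bullet (ban an IP after a number of failed attempts) as detection logic over sshd log lines, added as an example (not from the slides): a fail2ban-style sliding window. The log lines, addresses, hostname and thresholds are constructed; the message format follows OpenSSH's auth log.

```python
"""Failed-login lockout (fail2ban style) over sshd log lines.
Added example, not from the slides. Counts "Failed password" lines per source
IP in a sliding window and bans the IP for a fixed time once the threshold is
reached; an "Accepted" line during a ban is flagged, since it means the ban was
not enforced. Log lines, addresses and thresholds are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2?"
)
MAX_FAILURES = 5                    # failures allowed ...
WINDOW = timedelta(seconds=60)      # ... within this window before a ban
BAN_TIME = timedelta(minutes=10)    # how long the source IP stays banned
YEAR = 2006                         # syslog lines carry no year (constructed)


def parse(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, ip) or None for lines we do not handle."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


class Lockout:
    def __init__(self) -> None:
        self.failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.banned_until: Dict[str, datetime] = {}
        self.events: List[Tuple[str, str, str]] = []    # (time, ip, what happened)

    def is_banned(self, ip: str, now: datetime) -> bool:
        until = self.banned_until.get(ip)
        return until is not None and now < until

    def feed(self, line: str) -> None:
        rec = parse(line)
        if rec is None:
            return
        ts, result, user, ip = rec
        if self.is_banned(ip, ts):
            # Nothing from a banned IP should reach sshd; if it does, the block
            # (firewall rule, tcp wrapper) is not working and someone should look.
            self.events.append((ts.isoformat(), ip, f"{result.lower()} while banned ({user})"))
            return
        if result == "Accepted":
            self.failures[ip].clear()   # a genuine login resets the counter
            return
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()            # forget failures older than the window
        if len(window) >= MAX_FAILURES:
            self.banned_until[ip] = ts + BAN_TIME
            window.clear()
            self.events.append((ts.isoformat(), ip, f"banned for {BAN_TIME} after {MAX_FAILURES} failures"))


def analyze(log: str) -> Lockout:
    state = Lockout()
    for line in log.splitlines():
        state.feed(line)
    return state


# Constructed log: a dictionary run against one host, then a normal user's typo.
SAMPLE_LOG = """\
Mar  3 10:00:01 contractor2 sshd[2101]: Failed password for root from 192.0.2.77 port 40001 ssh2
Mar  3 10:00:02 contractor2 sshd[2102]: Failed password for root from 192.0.2.77 port 40002 ssh2
Mar  3 10:00:02 contractor2 sshd[2103]: Failed password for invalid user admin from 192.0.2.77 port 40003 ssh2
Mar  3 10:00:03 contractor2 sshd[2104]: Failed password for test from 192.0.2.77 port 40004 ssh2
Mar  3 10:00:03 contractor2 sshd[2105]: Failed password for test from 192.0.2.77 port 40005 ssh2
Mar  3 10:00:04 contractor2 sshd[2106]: Accepted password for test from 192.0.2.77 port 40006 ssh2
Mar  3 10:05:00 contractor2 sshd[2150]: Failed password for alice from 198.51.100.9 port 5001 ssh2
Mar  3 10:05:30 contractor2 sshd[2151]: Accepted password for alice from 198.51.100.9 port 5002 ssh2
Mar  3 10:30:00 contractor2 sshd[2200]: Failed password for root from 192.0.2.77 port 40100 ssh2
"""

if __name__ == "__main__":
    for event in analyze(SAMPLE_LOG).events:
        print(*event)
```

The ban itself is applied by a firewall rule or tcp wrapper outside this script, which only decides when to ban; an Accepted line from a banned address therefore means that block failed.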
Privilege Escalation
Henry has a user-level shell on the contractor’s box.
Inside the firewall, he uses the same dictionary attack technique to get a user account on the podium server.
He wants to alter the presentations, but can’t with current privileges.

Privilege Escalation
$ uname -a
Linux podium.event.net 2.4.18 #3-i686+-UP (034) i686 i386 GNU/Linux
This is a relatively old kernel version, and there is a privilege escalation vulnerability in versions below 2.4.22.
http://www.kb.cert.org/vuls/id/301156
An integer overflow vulnerability in the brk system call.

Privilege Escalation
He downloads and uses a publicly available exploit to get root privileges.
As root, he subtly modifies the saved presentations for several presenters in an embarrassing way.
How to prevent this?

Preventing Privilege Escalation
- Again, patch management, even on computers which are supposedly safe because they’re inside the firewall.
- Use Tripwire or other integrity checking programs to detect modifications to sensitive files. But?
- Minimize the set of programs which are setuid or run as root.
- Backups on removable media.

Attacking the Media: LAN attacks
Media share a wired network. Many network attacks are available when on the same network:
- ARP poisoning to sniff or do MITM
- alter or forge media reports
http://en.wikipedia.org/wiki/ARP_spoofing

LAN attacks
SSL is not foolproof if MITM is possible. Animation at http://crimemachine.com/Tuts/Flash/SSLMITM.html

Preventing LAN attacks
- Static ARP / port security. But?
- Detect ARP poisoning with arpwatch. But?
- Train them not to click through SSL warnings.
- Media connect to home base with VPN.

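An arpwatch-style monitor for the “But?” after arpwatch, added as an example (not arpwatch's code): it flags new stations, changed and flip-flopping addresses, and one MAC answering for several IPs, and the comments note where its false positives come from. The ARP observations are constructed.

```python
"""arpwatch-style ARP monitor for the shared media LAN.
Added example, not arpwatch's code. Consumes observations of ARP replies
(sender IP, sender MAC) and raises the alerts arpwatch is known for: a new
station, a changed Ethernet address for a known IP, a flip-flop back to an
address seen before, and one MAC answering for several IPs, which is what an
ARP-poisoning MITM looks like from the wire. Observations are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Alert:
    ts: str
    kind: str
    ip: str
    mac: str
    detail: str = ""


@dataclass
class ArpMonitor:
    table: Dict[str, str] = field(default_factory=dict)         # ip -> current mac
    history: Dict[str, Set[str]] = field(default_factory=dict)  # ip -> every mac seen
    claims: Dict[str, Set[str]] = field(default_factory=dict)   # mac -> ips it answers for
    alerts: List[Alert] = field(default_factory=list)

    def observe(self, ts: str, ip: str, mac: str) -> None:
        """Process one ARP reply (sender IP / sender MAC) and record alerts."""
        mac = mac.lower()
        prev = self.table.get(ip)
        if prev is None:
            self.alerts.append(Alert(ts, "new station", ip, mac))
        elif prev != mac:
            # A flip flop (back to an address seen earlier) is what arpwatch reports
            # when a poisoned entry and the real host keep overwriting each other.
            kind = "flip flop" if mac in self.history[ip] else "changed ethernet address"
            self.alerts.append(Alert(ts, kind, ip, mac, f"was {prev}"))
            self.claims[prev].discard(ip)
        self.table[ip] = mac
        self.history.setdefault(ip, set()).add(mac)
        self.claims.setdefault(mac, set()).add(ip)
        if len(self.claims[mac]) > 1:
            # Legitimate on a router with aliases (a false positive there); on a flat
            # media LAN it is the signature of one host inserting itself between others.
            others = ",".join(sorted(self.claims[mac] - {ip}))
            self.alerts.append(Alert(ts, "mac claims multiple ips", ip, mac, f"also {others}"))


def run(observations: List[Tuple[str, str, str]]) -> ArpMonitor:
    mon = ArpMonitor()
    for ts, ip, mac in observations:
        mon.observe(ts, ip, mac)
    return mon


# Constructed ARP replies: gateway, two reporters' laptops, then the second
# laptop's MAC starts answering for both the gateway and the first laptop.
SAMPLE = [
    ("10:00:00", "192.168.1.1",  "00:11:22:33:44:01"),
    ("10:00:01", "192.168.1.20", "00:11:22:33:44:20"),
    ("10:00:02", "192.168.1.21", "00:11:22:33:44:21"),
    ("10:05:00", "192.168.1.1",  "00:11:22:33:44:21"),   # gateway IP, laptop .21's MAC
    ("10:05:00", "192.168.1.20", "00:11:22:33:44:21"),   # .20's IP, laptop .21's MAC
    ("10:20:00", "192.168.1.1",  "00:11:22:33:44:01"),   # real gateway answers again
]

if __name__ == "__main__":
    for a in run(SAMPLE).alerts:
        print(a.ts, a.kind, a.ip, a.mac, a.detail)
```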
Social Engineering
“There was much food for thought in the manner in which he replied. He came near to convincing them by disdaining to produce proofs.”
- The Red Badge of Courage

Social Engineering
http://en.wikipedia.org/wiki/The_Yes_Men
- Set up a fake WTO website. Invited to speak on behalf of the WTO at events, including a CNBC news program.
- Successfully impersonated a Dow Chemical spokesman on BBC television, at a London banking conference, and at Dow’s annual shareholder meeting.
In this case study, the attacker could speak at the event, or could fool the media into printing lies.
How to prevent this?

Preventing social engineering
- Educate staff to authenticate people and data.
- Run live tests with fake conmen.

Case study conclusion
It’s about quality, y’all. And mad loot for yours truly.