Peter Leight and Richard Hammer August 2006

What is Defense-in-Depth?
• There is no “silver bullet” when it comes to network security
• Any layer of protection might fail
• Multiple levels of protection must be deployed
• Measures must span a wide range of controls (preventive and detective measures)

Security Leadership Essentials – Defense-in-Depth – © 2006 SANS

What is Defense-in-Depth?
Network security is a comprehensive, integrated approach in which multiple solutions are tiered together to accomplish a goal. No single security solution will make an organization secure, because any single measure could be bypassed or compromised; a single solution could also simply miss an attack altogether. When protecting any entity, such as the President, many people, measures and systems are put in place to keep him secure. The same robust approach needs to be applied to your network or to any critical asset in your organization. Coors Light is the only silver bullet; when it comes to network security there is no single bullet. Multiple measures that complement each other must be put in place, and these measures must span a variety of control types. For example, you would deploy a preventive measure such as a firewall, a detective measure such as an IDS, and a deterrent measure such as a guard at your front gate, just to name a few. Even if one measure failed, another would be able to detect the attack before there was a problem, or catch the attack in action and minimize the amount of damage caused.
Focus of Security is Risk
• Security deals with managing risk to your critical assets
• Security is basically an exercise in loss reduction
• It is impossible to totally eliminate risk; we settle for residual risk
• Risk is the probability of a threat crossing or touching a vulnerability
• Risk is managed by utilizing defense-in-depth (DiD)
• Risk = threat x vulnerabilities

Focus of Security is Risk
Risks, threats, and vulnerabilities are highly interrelated. Their relationship can be expressed by this simple formula:

Risk (due to a threat) = Threat x Vulnerability (to that threat)

This formula shows that risk is directly related to the level of threat and vulnerability you, your systems, or your networks face. Here’s how the formula works. If you have a very high threat but a very low vulnerability to that threat, your resulting risk will be only moderate. For example, if you live in a high-crime neighborhood (thus, high threat) but you keep your doors and windows locked (so you have a low vulnerability to that threat), your overall risk is moderate. If you have a high vulnerability to a threat (by keeping your doors and windows unlocked) but the threat itself is minor (because you live in a safe neighborhood), once again you have only a moderate risk factor. If, however, you have a high level of threat potential (a high-crime area) and your vulnerability to that threat is very high (no locks), you have a very high risk factor.

Key Focus of Risk
• Confidentiality / Disclosure
• Integrity / Alteration
• Availability / Destruction
[Diagram: the CIA triad – Confidentiality, Integrity, Availability]

Key Focus of Risk
We’ll start by explaining some fundamental principles that you need to understand and apply every day in securing your systems.
We’ll progress from what exactly it is about our systems that we’re trying to protect – confidentiality, integrity and availability – to the risks our systems face. After looking at threats and vulnerabilities, we’ll talk about an overarching approach to protecting our systems. We’ll show you the importance of layering our protections, with defense-in-depth. This will give you a good foundation for evaluating and securing your systems.

Confidentiality, Integrity and Availability
What exactly about the system or information do we wish to protect? Traditionally, information security professionals focus on ensuring confidentiality, integrity, and availability. Simply “CIA” in “infosec” jargon, these are the three bedrock principles with which we will be concerned. A good habit when first exploring any new business application or system is to think about confidentiality, integrity, and availability – and the countermeasures, or lack thereof, for protecting these. Attacks may come against any or all of these. We will discuss a variety of threats that jeopardize our computer systems. To focus that discussion, we will consider some of the more famous attacks that have occurred. Now, information assurance can get really complex, but these kinds of problems decompose nicely. As we work our way through the material, we are going to be pointing out aspects of confidentiality, integrity, and availability, in both the attacks and also the defenses we discuss.

Let’s use an example: You’ve been assigned to oversee the security of your employer’s new e-commerce site, its first attempt at conducting business directly on the Internet. How do you approach this? What should you consider? What could go wrong? Think C-I-A – confidentiality, integrity, and availability. Customers will expect that the privacy of their credit card numbers, their addresses and phone numbers, and other information shared during the transaction be ensured.
These are examples of confidentiality. They will expect quoted prices and product availability to be accurate, the quantities they order at the prices to which they agreed not to be changed, and anything downloaded to be authentic and complete. These are examples of integrity. Customers will expect to be able to place orders when convenient for them, and the employer will want the revenue stream to continue without disruption. These are examples of availability.

Keep in mind that the dimensions we have been discussing can be interrelated. An attacker may exploit an unintended function on a web server and use the cgi-bin program “phf” to list the password file. Now, this would breach the confidentiality of this sensitive information (the password file). Then, in the privacy of his own computer system, the attacker can use brute force or dictionary-driven password attacks to decrypt the passwords. Then, with a stolen password, the attacker can execute an integrity attack when he gains entrance to the system. And he can even use an availability attack as part of the overall effort to neutralize alarms and defensive systems, so they can’t report his existence. When this is completed, the attacker can fully access the target system, and all three dimensions (confidentiality, integrity and availability) would be in jeopardy. Always think C-I-A.

Now, we chose a very simple, well-known attack for a reason. A large number (in fact, an embarrassingly large number) of corporate, government, and educational systems that are compromised and exploited are defeated by these well-known, well-publicized attacks. An attack doesn’t have to be the latest and greatest in order to be successful most of the time. Countless numbers of attacks, covering years of experience, are detailed on the Internet and in books and courses. Often these are still viable, especially when defense-in-depth is not being practiced.
Prioritizing CIA
• While all three areas of CIA are important to an organization, there is always one area that is more critical than the others
• Confidentiality – Health care organizations – Hospitals
• Integrity – Financial institutions – Banks
• Availability – E-commerce based organizations – Online banking

Prioritizing CIA
Which pillar of the CIA triad is most important to your organization? At SANS, we rely on our online resources for class registration and online training, without which we are unable to provide services to our students. Since we can’t operate without students, our priority is availability. After availability, the next most important dimension of CIA is integrity. SANS is the most trusted source for computer security training, so our information must be correct. Since the bulk of our information is protected by copyright, even though we have some trade secrets, confidentiality is the least important CIA pillar to SANS. Different organizations will have different priorities in the CIA triad. Confidentiality is usually very important to health care oriented organizations, and integrity is important to financial institutions. Understanding what the priorities are for your organization is a tremendous help in prioritizing security plans for your organization, from design to incident response.

What is a Threat?
• Possible danger
• Protect against the ones that are most likely or most worrisome based on:
  – Business goals
  – Validated data
  – Past history
  – Main point of exposure
  – Intellectual property
[Diagram: 5 Primary Threats – Terrorism, Malware, Insider, Natural Disasters, Health Epidemic]

What is a Threat?
We’ve been talking about what we need to protect, e.g. the confidentiality, integrity, and availability of our systems.
Next, we’ll discuss from what we need to protect them – the threats to them and their vulnerabilities to those threats. We’ll see how risk is a function of threat and vulnerability. Now, not all the bad things that happen to computer systems are attacks per se. There are fires, water damage, mechanical breakdowns, accidental errors by systems administrators, and plain old user error. But all of these are called threats.

We use threat models to describe a given threat and the harm it could do if the system has a vulnerability. There are a large number of approaches to threat models, but one that you should consider is the one used by Microsoft: http://www.microsoft.com/downloads/details.aspx?FamilyID=62830F95-0E61-4F8788A6-E7C663444AC1&displaylang=en (or type threat model into Google)

As you can see in the diagram, this is a vector oriented approach to Defense-in-Depth. The software tracks the entry points against the protected resources. The software then helps consider the impact threats would have in a structured way.

In security discussions you will hear a lot about threats. Threats, in an information security sense, are any activities that represent possible danger to your information or operation. Danger can be thought of as anything that would negatively affect the confidentiality, integrity, or availability of your systems or services. Thus, if risk is the potential for loss or harm, threats can be thought of as the agents of risk. Threats can come in many different forms and from many different sources. There are physical threats, like fires, floods, terrorist activities, and random acts of violence. And there are electronic threats, like hackers, vandals, and viruses.
Your particular set of threats will depend heavily on your situation – what business you are in; who your partners and adversaries are; how valuable your information is; how it is stored, maintained, and secured; who has access to it; and a host of other factors.

The point is that there are too many variables to ever protect against all the possible threats to your information. To do so would cost too much money and take too much time and effort. So, you will need to pick and choose against which threats you will protect your systems. Security is as much risk management as anything. You will start by identifying those threats that are most likely to occur or most worrisome to your organization. In this course we focus on the five primary threats shown on your slide. Insider threat is there to remind us that nation states target companies and systematically acquire their intellectual property.

Vulnerabilities
• Weaknesses in a system
• Vulnerabilities are inherent in complex systems; they will always be present
• The majority of vulnerabilities are the result of poor coding practices
  – Lack of error checking
• Vulnerabilities are the gateway by which threats are manifested
• Vulnerabilities fall into two categories:
  – Known, those you can protect against
  – Unknown or “zero day”

Vulnerabilities
In security terms, a vulnerability is a weakness in your systems or processes that allows a threat to occur. However, simply having a vulnerability by itself is not necessarily a bad thing. It is only when the vulnerability is coupled with a threat that the danger starts to set in. Let’s look at an example. Suppose you like to leave the doors and windows to your house unlocked at night. If you live in the middle of the woods, far away from anyone else, this may not be a bad thing.
There really aren’t many people who wander around, and, if you’re high enough on the hill, you’ll be able to see them coming long before they present a danger. So, in this case, the vulnerability of having no locks is there, but there really isn’t any threat to take advantage of that vulnerability. Now suppose you move to a big city full of crime. In fact, this city has the highest burglary rate of any city in the country. If you continue your practice of leaving the doors and windows unlocked, you have exactly the same vulnerability as you had before. However, in the city the threat is that much higher. Thus, your overall danger and risk is much greater.

Vulnerabilities are the gateways by which threats are manifested. Therefore, we can think of threats as the agents of risk, the mathematical probability of loss. Without vulnerabilities, threats do not pose a risk to the organization. Of course, vulnerabilities don’t have to exist solely in software flaws – vulnerabilities can be flawed configurations, poor physical security, poor hiring practices, etc. When we couple vulnerabilities with threats, we introduce risks to an organization.

*** Begin Sidebar ***
When we talk about identifying vulnerabilities, it is easy to focus on software vulnerabilities, and the difficulty of implementing all-encompassing patch-management systems. However, we are introduced to vulnerabilities on a much broader scale, including electronic vulnerabilities from misconfigured software and problems introduced by the rapid deployment of software patches. We are also asked to manage vulnerabilities of the human type – accidental and intentional attacks against information and its storage, for example. When assessing safety, we are also concerned about vulnerabilities in our physical structures, including fire, water, temperature extremes, toxins and electrical vulnerabilities (loss of power).
Assessing vulnerabilities can be a difficult task to complete – it is easy to assess obvious vulnerabilities, but a thorough assessment can take considerably more time. Only with a comprehensive vulnerability assessment can we accurately calculate our overall risk.
*** End Sidebar ***

Vulnerabilities can be reduced or even prevented, provided of course that you know about them. The problem is that many vulnerabilities lie hidden, undiscovered until somebody finds out about them. Unfortunately, the “somebody” is usually a bad guy. The bad guys always seem to find out about vulnerabilities long before the good guys.

Approaches to DiD
• Deploy measures to reduce, eliminate or transfer risk
• Five basic approaches
  – uniform protection
  – protected enclaves
  – information centric
  – threat vector analysis
  – role-based access control

Approaches to DiD
The concept behind Defense-in-Depth is simple. The picture we have painted so far is that a good security architecture, one that can withstand an attack, has many aspects and dimensions. We need to be certain that if one countermeasure fails, there are more behind it. If they all fail, we need to be ready to detect that something has occurred, clean up the mess expeditiously and completely, and then tune our defenses to keep it from happening to us again. We will examine five approaches to Defense-in-Depth.

Uniform Protection – DiD
• Most common approach to Defense-in-Depth
• Firewall, VPN, Intrusion Detection, Antivirus, etc.
• All parts of the organization receive equal protection
• Particularly vulnerable to malicious insider attacks

Uniform Protection – Defense-in-Depth
Uniform protection treats all systems as equally important.
No special consideration, or protection, is made for the 'crown jewels' of an organization. As a result, this approach can be more vulnerable to malicious insiders, since the systems are not separated or categorized within the network. The majority of attacks succeed because they take advantage of well-publicized vulnerabilities for which exploits have been created. The best answer is to patch the systems, but this takes time. Of all the approaches to Defense-in-Depth, this one can be the weakest unless you have a good uniform protection design. This is also by far the most common approach.

Protected Enclaves – DiD
• Work groups that require additional protection are segmented from the rest of the internal organization
• Restricting access to critical segments
• DOE “unclean” network
• System of VPNs
• Internal firewalls
• VLANs and ACLs

Protected Enclaves – Defense-in-Depth
Protected enclaves involve segmenting your network. This can be done by implementing many VPNs across a single network, VLAN segmentation of switches, or firewalls to separate out the network.

Information Centric Defense-in-Depth
[Diagram: concentric rings, from the outside in – Network, Host, Application, Info]
• Identify critical assets and provide layered protection
• Data is accessed by applications
• Applications reside on hosts
• Hosts operate on networks

Information Centric Defense-in-Depth
This slide shows another way to think of the defense-in-depth concept. At the center of the diagram is your information. However, the center can be anything you value, or the answer to the question, “What are you trying to protect?” Around that center you build successive layers of protection. In the diagram, the protection layers are shown as blue rings. In this example, your information is protected by your application.
The application is protected by the security of the host it resides on, and so on. In order to successfully get your information, an attacker would have to penetrate through your network, your host, your application, and finally your information protection layers. Information centric defense starts with an awareness of the value of each section of information within an organization. Identify the most valuable information and implement controls to prevent non-authorized employees from accessing it. A good starting point is to identify your organization's intellectual property, restrict it to a single section of the network, assign a single group of system administrators to it, mark the data, and thoroughly check for this level of data leaving your network.

Vector Oriented DiD
• The threat requires a vector to cross the vulnerability
• Stop the ability of the threat to use the vector
  – USB thumb drives – Disable USB
  – Floppy drives – Disable
  – Auto-answer modems – Digital phone PBX

Vector Oriented Defense-in-Depth
Vector Oriented Defense-in-Depth involves identifying the various vectors by which threats can become manifest and providing security mechanisms to shut down the vector, for example by disabling USB thumb drives and floppy drives.

Role-Based Access Control
[Diagram: users Mary, Jim, Joe, Sam and Jill are members of the roles Engineer, Engineer Team Leader and Finance Department; the roles, not the users, hold Read/Write or Read Only access to Project Data and Financial Data]
• People identified by their roles
• Data is accessed by roles, not people
• People can have more than one role
• More than one role can access the same data

The last approach to defense-in-depth that we will cover is role-based access control (RBAC).
This approach is relatively new and revolves around the use of roles. A role typically reflects a position or function within a company. Network engineer, finance manager, legal secretary, manager, and guest worker are all roles. Access to data is not granted to user accounts. Instead, access is granted to one or more roles. Users are then assigned to the appropriate roles in the organization. For example, the network manager might be assigned the manager role and the network engineer role. A user can access any data that their roles have access to. For example, this network manager, based on her assigned roles, would have access to generic management data and network engineering data. If a user changes positions in the company, her role changes, and what data she can access changes depending on the new roles she is assigned.

Users can be assigned more than one role, and more than one role can access the same data. For example, the finance manager role and the human resources role might both have access to the salary data for finance employees. By determining access via roles, concepts like separation of duties can be enforced institutionally. It also becomes simpler to change and track access to data when employees are hired, dismissed, or change positions within the company. RBAC is the preferred approach for defense in depth by many government organizations.
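The role model described above, as an added example that is not part of the course notes: permissions hang off roles, a user may hold several roles, several roles may reach the same data, and a change of position replaces the roles rather than editing per-user grants. The users, roles, data names and permissions are constructed for the example.

```python
# Added example (not from the SANS course notes): a minimal RBAC model in which
# access is granted to roles, never to user accounts. All names are constructed.
from dataclasses import dataclass, field

READ, WRITE = "read", "write"


@dataclass
class Rbac:
    role_perms: dict = field(default_factory=dict)  # role -> {resource: {perms}}
    user_roles: dict = field(default_factory=dict)  # user -> {roles}

    def grant(self, role, resource, *perms):
        """Attach permissions on a resource to a role (not to a person)."""
        self.role_perms.setdefault(role, {}).setdefault(resource, set()).update(perms)

    def assign(self, user, *roles):
        """Put a user into one or more existing roles; unknown roles are rejected."""
        unknown = [r for r in roles if r not in self.role_perms]
        if unknown:
            raise ValueError(f"undefined roles: {unknown}")
        self.user_roles.setdefault(user, set()).update(roles)

    def change_position(self, user, *new_roles):
        """A position change drops the old roles; access follows the new roles only."""
        self.user_roles[user] = set()
        self.assign(user, *new_roles)

    def permissions(self, user, resource):
        """Union of what every role held by the user may do with the resource."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_perms.get(role, {}).get(resource, set())
        return perms

    def can(self, user, perm, resource):
        return perm in self.permissions(user, resource)

    def who_can(self, perm, resource):
        """Audit helper: every user whose roles allow `perm` on `resource`."""
        return sorted(u for u in self.user_roles if self.can(u, perm, resource))


def build_demo():
    """Constructed organisation modelled on the slide's roles and data sets."""
    rbac = Rbac()
    rbac.grant("engineer", "project_data", READ)
    rbac.grant("engineer_team_leader", "project_data", READ, WRITE)
    rbac.grant("finance", "financial_data", READ, WRITE)
    rbac.grant("finance", "project_data", READ)      # two roles reach the same data
    rbac.grant("manager", "management_data", READ, WRITE)
    rbac.grant("manager", "project_data", READ)
    rbac.assign("mary", "engineer")
    rbac.assign("jim", "engineer_team_leader")
    rbac.assign("joe", "finance")
    rbac.assign("sam", "manager", "engineer")        # one person, two roles
    return rbac


if __name__ == "__main__":
    org = build_demo()
    print("sam on project_data:", org.permissions("sam", "project_data"))
    print("readers of project_data:", org.who_can(READ, "project_data"))
    org.change_position("sam", "finance")
    print("sam on management_data after move:", org.permissions("sam", "management_data"))
```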
Identity, Authentication, Authorization & Accountability
• Identity is who you claim to be
• Authentication is a process by which you prove you are who you say you are:
  – Something you know
  – Something you have
  – Something you are
  – Some place you are
• Authorization is determining what someone has access to or is allowed to do, after they have been properly authenticated
• Accountability deals with knowing who did what and when

Identity, Authentication, Authorization & Accountability
To emphasize the importance of defense-in-depth, let’s briefly look at access control. In order to protect critical assets you have to be able to identify, verify, approve and track who has access to a given piece of intellectual property (IP). Identification is the process of claiming to be a certain person. Typing in a userID is a form of identification. The problem is that anyone could claim to be a given entity, so how do you know that they are who they say they are? This is accomplished through authentication. Authentication is proving that you are who you say you are, and it is done in one of four ways:

Something you know – by remembering a piece of information and presenting it, you can prove that you are who you say you are. The best example of something you know is a password. Passwords are discussed in greater detail in the Password Assessment Module. However, there are a number of schemes to encode the password while it resides on the system and when it is being transferred across the network. One of two common techniques is Base64 encoding (defined by RFC 2045), often used by web servers. Because this is a standard encoding method, it only protects against the most casual eavesdropping. Anyone who collects the password in transit can use the algorithm to decode it. In addition, most systems use some kind of cryptographic hash such as RSA or NTLMv2.
Something you have – by possessing something, you can prove that you are a given entity. Token-based schemes, in which you carry a token that generates a new password, are an example of something you have. If you have the token and can type in the number on the token screen you can authenticate; otherwise you cannot.

Something you are – an alternative way to authenticate is by presenting a unique attribute tied to your physical make-up. This is often called biometrics. Hand scans, thumb prints and retina scans are all examples of biometrics.

Someplace you are – GPS, or global positioning systems, can also be used to authenticate that you are in a given geographic area. With sensitive information you might want to only allow someone to open a document if they are within the walls of a certain five-sided building in Washington, DC.

Once you have been properly authenticated, you then have to determine what you are allowed, or authorized, to do on the system. Authorization should be based on the principle of least privilege, where an entity is only given the minimal access it needs to do its job. After you are allowed to do certain things on a system, you want to make sure individuals are held accountable for their actions and that you can trace back what occurred on a system through detailed auditing. As you can see, all of these measures work together in synergy to properly protect critical assets.
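The “something you know” point above, as an added example that is not part of the course notes: Base64 is a public, keyless encoding, so a Basic-auth header reverses to the plaintext password, whereas the copy a system keeps for comparison should be a salted, slow hash checked in constant time. The credentials are constructed samples; PBKDF2-SHA256 and the iteration count are this example's choices, not something the notes prescribe.

```python
# Added example (not from the SANS course notes). Shows (1) that Base64 encoding
# of a password, as in HTTP Basic authentication, is reversible by anyone who
# holds the header, and (2) one sound way for a system to store the password it
# verifies against. All credentials below are constructed.
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption for the example; tune to your hardware


def basic_auth_header(user, password):
    """Build the header a browser sends for HTTP Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def credentials_from_header(header):
    """Base64 is an encoding, not encryption: no key is needed to reverse it."""
    token = header.split("Basic ", 1)[1]
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def store_password(password, salt=None):
    """Keep a salted, iterated hash instead of the password itself."""
    salt = salt or os.urandom(16)  # per-user salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify_password(record, attempt):
    """Recompute the hash for the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def demo():
    header = basic_auth_header("alice", "correct horse")
    recovered = credentials_from_header(header)  # the plaintext comes straight back
    record = store_password("correct horse")
    return recovered, verify_password(record, "correct horse"), verify_password(record, "wrong")


if __name__ == "__main__":
    recovered, good, bad = demo()
    print("decoded from header:", recovered)
    print("correct password verifies:", good, "| wrong password verifies:", bad)
```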
Controlling Access
• Least Privilege – Give someone the least amount of access they need to do their job
• Need to Know – Only give them the access when they need it, and take it away when it is no longer required
• Separation of Duties – Break critical tasks across multiple people to limit your points of exposure
• Rotation of Duties – Change jobs on a regular basis to prevent anyone from getting comfortable in a position and being able to cover their tracks

Controlling Access
Now that we have looked at the role that identification, authentication, authorization and accountability play, we will look at some principles associated with access control that you would utilize to make sure your security is as robust as it can possibly be. In assigning access you would give someone the least amount of access they need to do their job. However, this access should not be given all of the time; the access should only be granted when it is needed to perform a job function. For example, if I am the director of HR, least privilege would say that I need access to every employee’s personnel file. On the other hand, need to know would say only give me that access when I have to review a performance assessment, and not all of the time.

With least privilege we are allowing people to do their job, but we are only giving them the minimal access needed and no more. In some situations this works, but what happens in the case where even the minimal access granted is still too great a risk and cannot be taken? In those cases, separation of duties needs to be performed, where a given task is split between two individuals so that no single individual by themselves can make a decision. Separation of duties works, but the more people work together the greater the chance they will collude in order to accomplish a crime.
The longer people work together, the more the power of separation of duties erodes, because people build trust. To minimize the chance of this occurring, rotation of duties needs to be performed. This is where people are rotated out of certain jobs at set intervals so that the chances of two people colluding are minimized.
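The four principles above, as an added example that is not part of the course notes: need-to-know grants that are scoped to one resource and expire, a requester who cannot approve their own task (separation of duties), and a check for who has held a duty too long (rotation of duties). The HR director scenario, the grant length and the 90-day rotation period are constructed assumptions.

```python
# Added example (not from the SANS course notes): a small policy object that
# enforces least privilege, need to know, separation of duties and rotation of
# duties. Users, resources and time limits are constructed for the example.
from datetime import datetime, timedelta


class AccessPolicy:
    def __init__(self, now):
        self.now = now
        self.grants = {}   # (user, resource) -> expiry   (need to know)
        self.holders = {}  # duty -> (user, held since)   (rotation of duties)

    def grant(self, user, resource, reason, hours=4):
        """Least privilege + need to know: one resource, a reason, an expiry."""
        if not reason:
            raise ValueError("need-to-know grants require a documented reason")
        self.grants[(user, resource)] = self.now + timedelta(hours=hours)

    def can_access(self, user, resource):
        """Access exists only while the time-bounded grant is still valid."""
        expiry = self.grants.get((user, resource))
        return expiry is not None and self.now < expiry

    def revoke_expired(self):
        """Housekeeping: drop grants whose window has closed; returns how many."""
        expired = [k for k, exp in self.grants.items() if self.now >= exp]
        for k in expired:
            del self.grants[k]
        return len(expired)

    def advance(self, hours):
        """Move the policy clock forward (stands in for real time in the example)."""
        self.now += timedelta(hours=hours)

    @staticmethod
    def approve(task):
        """Separation of duties: the requester may never be the approver."""
        if task["requester"] == task["approver"]:
            raise PermissionError("separation of duties: requester cannot approve own task")
        return {**task, "approved": True}

    def assign_duty(self, duty, user):
        """Record who holds a sensitive duty and since when."""
        self.holders[duty] = (user, self.now)

    def duties_due_for_rotation(self, max_days=90):
        """Rotation of duties: duties held by one person longer than the limit."""
        limit = timedelta(days=max_days)
        return sorted(d for d, (_, since) in self.holders.items() if self.now - since > limit)


if __name__ == "__main__":
    policy = AccessPolicy(datetime(2006, 8, 1, 9, 0))
    policy.grant("hr_director", "personnel_file:smith", "performance review", hours=2)
    print("during review:", policy.can_access("hr_director", "personnel_file:smith"))
    policy.advance(3)
    print("after window:", policy.can_access("hr_director", "personnel_file:smith"))
    policy.assign_duty("payroll_admin", "sam")
    policy.advance(24 * 91)
    print("due for rotation:", policy.duties_due_for_rotation())
```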