Security(Fundamentals)

advertisement
Security Fundamentals
Robin Anderson
UMBC, Office of Information Technology
25-SEPT-2001
1
A Little About Me…
 Unix SysAdmin, Specialist with the Office
of Information Technology at UMBC
 Taught Unix Administration and SANS
Level One Security courses at UMBC
 Certified by the SANS Institute GIAC
program in UNIX Security and Incident
Handling
25-SEPT-2001
2
Topics Outline
 Post-Mortems in the News…
 Identifying Threats
 Countering Threats
 The (Vulnerable) Network
 Questions You Need to Ask
 Recommendations You Want to Make
 Resources Online
25-SEPT-2001
3
What Happened to Amazon®?
 Website defacing:
Hackers broke in & put up phony web pages
(And now, newer worms/viruses are doing the same!)
–
–
–
–
–
–
September 2000:
OPEC 1
February 2000: Amazon® , eBay® 2
November 1999:
NASA/Goddard 3
October 31,1999:
Associated Press® 4
August 1999:
ABC® 5
June 1999:
U.S. Army
25-SEPT-2001
4
What Happened to Yahoo®?
 Denial of Service (DoS)
– February 2000:
Yahoo and CNN 1
 Multiple Hits
– September 2000:
– May 2000:
Slashdot defaced
Slashdot suffered DoS
 The irony is that slashdot.org is a popular
"news for nerds" website
25-SEPT-2001
5
If They’re Vulnerable…
…then you are, too.
25-SEPT-2001
6
The Fundamental Theorem
 You have computers because they perform some
function that furthers your organization’s goals
 If you lose the use of those computers, their
function is compromised
 So - anything that interferes with your
organization’s effort to achieve its goals is a
security concern
25-SEPT-2001
7
What Are You Protecting?
 Information
 Availability of the Systems
 Reputation & Goodwill
25-SEPT-2001
8
Your Information
 Crown Jewels
– Trade secrets, patent ideas, research
 Financial information
 Personnel records
 Organizational structure
25-SEPT-2001
9
Your Availability
 Internal use
– When employees can’t use the network,
servers, or other necessary systems, they can’t
work
 Website / online transactions
– Often when systems are unavailable, the
organization is losing money
25-SEPT-2001
10
Your Reputation
 Public trust
– If your organization is hacked, how reliable will
people think you are you in other areas?
– Who wants to do business with companies that
leak credit card information?
 Being a good neighbor
– Your organization may be hacked so it can be
used as a springboard to attack others
25-SEPT-2001
11
A Simple Network…
Firewall
Router
Router
Internet
25-SEPT-2001
12
… Attacked!
Firewall
Router
1
Router
3
4
2
Internet
5
6
9
7
8
10
25-SEPT-2001
13
What Are These Threats?
1. DoS coming from the Internet
2. Severed Physical link
3. Masquerader / Spoofer
– They look like they’re already inside
4. Password sniffer
25-SEPT-2001
14
What Are These Threats? (2)
5. Alan brought a floppy from home that has
a virus on it
6. Beatrice is about to be fired – and she’s
going to be angry about it
7. Carter is careless with his passwords – he
writes them down and loses the paper
25-SEPT-2001
15
What Are These Threats? (3)
8. David has unprotected shares on his NT
box
9. Evan installed a modem on his PC
(PCAnywhere)
10. Severed Power / HVAC
25-SEPT-2001
16
What Are Threat Vectors?
Vectors are the pathways by which threats
enter your network
25-SEPT-2001
17
Threat Vectors - Internal
 Careless employees
– “Floyd the clumsy janitor”
– “Contraband” hardware / software
– “Oops, did I just type that?”
 Random twits (somewhere between careless & malicious)
 Malicious employees
– Current or former employees with axes to grind
 Anyone who can get physical access
25-SEPT-2001
18
Threat Vectors - External
 Competitors / spies / saboteurs
 Casual & incidental hackers
– Some hackers don’t want your systems except
to use them to get at their real target
 Malicious hackers
 Accidental tourists
 Natural disasters
– Be ready to face down the hurricane
25-SEPT-2001
19
What Are Threat Categories?
Categories are the different kinds of threat
you may encounter
25-SEPT-2001
20
Threat Categories
 Opportunistic
– Basic “ankle biters” and “script kiddies”
– More advanced hackers, hacker groups out
trolling
 Targeted
– These attackers know what they want; anything
from data to disruption to springboards
 “Omnipotent”
– Government-sponsored professional hackers
25-SEPT-2001
21
Threat Consequences
 Bad press
– Breach of confidentiality
• Medical data
• Credit card information
– Attack platform (you’ve been subverted!)
 Loss of income
– How much does it cost you in sales to have your
databases, website, etc, down for any given length of
time?
– Loss of trade secrets (crown jewels)
25-SEPT-2001
22
The 3 Goals of Security
 Ensure Availability
 Ensure Integrity
 Ensure Authorization & Authentication
25-SEPT-2001
23
Threats to Availability
 Denial of Service (DoS)
– Connection flooding
 Destroying data
– Hardware failure
– Manual deletion
– Software agents: virus, trojans
25-SEPT-2001
24
Threats to Integrity
 Hardware failure
 Software corruption
– Buggy software
– Improperly terminated programs
 Attacker altering data
25-SEPT-2001
25
Threats to Authorization
 Attacker stealing data
 Lost / Stolen passwords
 Information Reconnaissance
• Organization information
25-SEPT-2001
26
Countering These Threats…
…is what security is all about.
25-SEPT-2001
27
Defining Security
 Security is a process
– Training is ongoing
• Threats change, admins need to keep up
• Security is inconvenient, all staff needs training
 Security is also about policies
 There is no silver bullet to fix it all
– For example, a firewall won’t save you
• Remember the Maginot Line
25-SEPT-2001
28
Notes:
 The underlying assumption in the next
section is that you, as the auditor, admin, or
manager, are in a position to make security
recommendations
 The following list of questions should not
be considered in any way to be exhaustive,
but a starting point to build your own list
25-SEPT-2001
29
Questions You Need to Ask
 What is the physical access policy to
systems, routers, and backup media?
– Are the servers and main routers in a
controlled-access environment?
– Who monitors access?
 Are desktop systems / workstations
physically secured?
25-SEPT-2001
30
Questions You Need to Ask
 Is there a documented security policy?
– Where is it located?
– Who is responsible for maintaining it?
– Is the policy being consistently enforced?
– Who is the enforcer for the organization?
 Is there a firewall?
– Who maintains it and its rule-sets?
– Do its rules match the policy?
25-SEPT-2001
31
Questions You Need to Ask
 What is the backup policy & schedule?
– What kind of backup media & software is used?
– Where is the backup media stored? Is there an off-site
safe/storage rotation?
– If the systems were utterly destroyed today, how up to
date could you bring their replacements?
– Have the backups ever been tested (via a restore) for
completeness and integrity?
25-SEPT-2001
32
Questions You Need to Ask
 Does the organization know what is on its
network?
– If so, how does it know?
– Where are the records kept?
– Who has access to them?
25-SEPT-2001
33
Questions You Need to Ask
 Are routine network vulnerability scans run?
– If so, what tools are used?
– Where are the reports stored?
– Who has access to the tool and the reports?
 Is any routine network monitoring done?
– If so, what tools are used?
– Where are the reports stored?
– Who has access to the tool and the reports?
25-SEPT-2001
34
Questions You Need to Ask
 What kind of power management
contingencies are available?
–
–
–
–
Uninterruptible Power Supplies (UPS)?
Power regulation?
Backup generators?
Mean time to recovery from outage?
25-SEPT-2001
35
Questions You Need to Ask
 What kind of authentication does your
organization use?
– Passwords
• Multi-use, one-time?
• Expiration?
– Biometric authentication?
– Smart-cards
25-SEPT-2001
36
Questions You Need to Ask
 If you use passwords, how does your
organization replace lost ones?
– Any policy on verifying user’s identity, etc?
25-SEPT-2001
37
Questions You Need to Ask
 What kind of network connections does
your organization allow?
– Are they clear-text protocols (like telnet, rlogin,
rsh, ftp)?
– Can your organization migrate to using
encrypted protocols (like ssh, stunnel, etc)?
25-SEPT-2001
38
Recommendations You Really
Want to Make
 No matter what, recommend a dedicated
security officer
– One individual responsible for security
• NOT the sys admin, network admin
– Qualifications:
• Training
• Certification (CISSP, SANS)
• Demonstrated proficiency
25-SEPT-2001
39
Recommendations You Really
Want to Make
 Routine Vulnerability Scanning
– Tools like Saint, Nessus, Legion, Nmap, SARA
 Principle of Least Privilege
 Documented Procedures for Incident
Handling
25-SEPT-2001
40
So, What Is a Security Officer?
 Protector
– Internal, external
 Assessor
 Monitor
 Contact point
– Law enforcement
– Internal
– External
25-SEPT-2001
41
What Does It All Mean?
 It’s a dangerous world, but we’re not
necessarily doomed!
 Security is an ongoing process (it’s worth repeating!)
– Ask the questions you’ve seen here
– Ask any others you think of
– Ask them all again tomorrow – new challenges
are arising every day!
25-SEPT-2001
42
Acknowledgements
 Andy Johnston, manager and co-conspirator
 Jon Lasser, author of Think UNIX
 Stephen Northcutt, SANS instructor and
author of Network Intrusion Detection
25-SEPT-2001
43
Resources Online
 Training and Certifications
– SANS Institute
http://www.sans.org/
– CISSP “Certification for Information System Security Professional”
http://www.cissps.com
25-SEPT-2001
44
Resources Online (2)
 News & Alerts
– Security Focus
http://www.securityfocus.com/
– CERT was “Computer Emergency Response Team”
http://www.cert.org/
– CIAC “Computer Incident Advisory Capability”
http://ciac.llnl.gov/
25-SEPT-2001
45
Resources Online (3)
 Federal Information Sharing Organizations
– NIPC “National Infrastructure Protection Center”
http://www.nipc.gov
– Infragard “Guarding the Nation’s Infrastructure”
http://www.infragard.net
– Infragard Maryland Chapter
http://www.mdinfragard.org
25-SEPT-2001
46
Resources Online (4)
 SSH
http://www.ssh.fi
http://www.openssh.org
 SSH tunnel
http://linuxdoc.org/HOWTO/mini/VPN.html
http://www.ccs.neu.edu/groups/systems/howto/howto-sshtunnel.html
 Stunnel
http://mike.daewoo.com.pl/computer/stunnel/
http://www.stanton.dtcc.edu/stanton/cs/admin/notes/ssl/
25-SEPT-2001
47
Resources Online (5)
 Network Monitoring Software
– Snort
http://www.snort.org
 Network Vulnerability Scanners
– Saint
http://wdsilx.wwdsi.com/saint
– Nessus
http://www.nessus.org
25-SEPT-2001
48
Resources Online (6)
 Kerberos
http://web.mit.edu/kerberos/www
 This Presentation
http://www.gl.umbc.edu/~robin/security.html
25-SEPT-2001
49
Download