Chapter 9 Hardware and software controls Overview Password Management Access control lists (ACLs) Firewalls and their capabilities Intrusion Detection/Prevention Systems Patching operating systems and Applications End Point Protection Information security control best practices 2 Background Best known controls Used in almost every computer Not comprehensive list of controls In career Many other controls E.g. Application-specific controls Introduce basics underlying information security controls 3 Help evaluate merits of other controls Passwords Definitions Identification Presentation of a user identity for the system Typically by a username Authentication Establishing confidence in the validity of a claimed identity Typically using a password Secret series of characters known only to owner Design goals of passwords 4 Simple enough for average users Secure enough for most applications Password types Personal identification number (PIN) Short (4-6 digits), numerical password Useful when Small keypads are necessary, e.g. ATM machines, or Regular passwords could potentially create human safety problems E.g. airport fire suppression systems Relatively insecure Short and can be easily guessed Only provide limited security Generally assumes existence of other security mechanisms 5 E.g. daily withdrawal limits and security cameras in ATMs Physical security at airports Password types – contd. Passphrase Sequence of words that serves as a password E.g. - Wow!!!thisis#1clasatschooL Motivation Human brain can only retain up to about 7 chunks of information in short term memory But each chunk can be fairly large So, passphrases can be longer than passwords But easier to remember than an arbitrary sequence of characters However, long passphrase not necessarily safer 6 Simple passphrases such as “thisisthe#1classatschool” can be predictable and easily guessed by attackers Compared to passwords such as “TiT#`CaS.” Password management So far, you have been a user of passwords In profession, you are on the other side Making it all work In particular Information security of passwords in your custody Accomplished through password management Process of defining, implementing, and maintaining password policies throughout an enterprise Reduce likelihood that systems using passwords will be compromised NIST Special publication 800-118 7 Guide to enterprise password management Password management – contd. Information security concerns CIA triad re-introduced Organizations need to protect the confidentiality, integrity, and availability of passwords Asset management terminology Passwords are restricted and essential information assets Loss of confidentiality or integrity can give intruders improper access to information Non-availability of a password can make underlying protected resource unavailable 8 Hence, passwords are restricted assets Hence, passwords are essential Password management – contd. National Institute for Standards and Technology (NIST) Guidelines for minimum recommendations regarding password management Basis for discussion here Specific organizations may have more stringent password management requirements E.g. Banks, hospitals May impose additional requirements Including 9 Requiring mechanisms other than passwords for authentication Password management – contd. For optimal (minimal) investment Begin with recognition of threats which can compromise passwords Take actions to minimize likelihood of these compromises NIST recognizes 4 threats to passwords 10 Password capturing Password guessing and cracking Password replacing Using compromised passwords Password threats Password capturing 1. Ability of an attacker to acquire a password from storage, transmission, or user knowledge and behavior Improper storage Unencrypted transmission Password guessing 2. An intruder makes repeated attempts to authenticate using possible passwords such as default passwords and dictionary words Password cracking Process of generating a character string that matches any existing password string on the targeted system 11 Requires unrestricted access to encrypted versions of saved passwords Password threats – contd. Password replacing 3. Substitution of the user’s existing password with a password known to the attacker Generally happens using various social engineering techniques Exploiting weaknesses in the system’s password reset policies Using compromised passwords 4. Passwords on the system known to unauthorized users May be exploited to launch other social engineering attacks, change file permissions on sensitive files If the compromised password is of a privileged user E.g. an IT administrator Attacker may even be able to modify applications and systems for later exploitation 12 E.g. create a privileged account for himself (most attackers are indeed men!) Password management recommendations Implemented as a password policy Set of rules for using passwords For users What kinds of passwords are allowed For administrators How passwords may be stored, transmitted issued to new users and reset as necessary 13 E.g. length and complexity rules for passwords E.g. account for any industry-specific regulations Password management – contd. Dealing with password guessing and cracking Pay attention to password storage Passwords must be made sufficiently complex Accounts must be locked after many successive failed login attempts 14 Access to files and databases used to store passwords should be tightly restricted Save password hashes, not passwords Encrypt all password exchange Strictly verify identity of all users who attempt to recover forgotten passwords or reset passwords Educate all users of password stealing attempts through phishing attacks, shoulder surfing, and other methods Minimizes opportunities for hackers to guess a password Password management – contd. Password expiration Duration for which password may be used without change Reduces likelihood that compromised password can be used productively Often, passwords collection and password usage are separate operations Creates delay before compromised password is used Password compromise may not be very damaging Problems Particularly in absence of password synchronization or SSO Users forget passwords Costly IT support to recover forgotten passwords Hence Use judiciously 15 If password is changed before the attacker attempts to use it Longest possible durations Password limitations and alternatives Users often forget passwords Help desks to respond to user requests Password reset mechanisms Expensive Challenge questions may not be strong enough Relatively simple social engineering attacks such as phishing can exploit reset mechanisms Hence, considerable interest in developing alternatives Not trivial Users know how to use passwords Limited data available on actual losses suffered by organizations due to password theft Why fix what is not broken Proposals for alternatives Passfaces Draw-a-secret 16 User pre-selects a set of human faces and the user selects a face from this set among those presented during a login attempt Users draw a continuous line across a grid of squares Access control Limiting access to information system resources only to authorized users, programs, processes, or other systems E.g. Locks Access control models Descriptions of the availability of resources in a system Properties of access control models Representation of access control in computer security Represent protection needs of any resource at varying levels of granularity Without unreasonable computational burden on operating system Popular access control models 17 Access control lists (ACLs) Role-based access control (RBAC) Access control lists (ACLs) List of permissions attached to specified objects Use simple syntax to specify Subjects Objects Allowed operations E.g. Network connection ACL: (131.247.93.68, ANY, block) Operating system checks all incoming resource requests 18 Subject: Host 131.247.93.68 Object: ANY resource on the network Operation: Block from passing through the network connection Any ACL entry may prohibit access to the resource Access control lists (ACLs) – contd. Common use Files 1. Specify rights for users or groups to files and executables E.g. chmod command Network connections 2. Specify port numbers and network addresses that may be accessed Common way to implement firewalls Default ACLs Present in most modern operating systems System Administration chapter Provide reasonable levels of security for the average user Properties Some of the simplest controls to implement Basis for many other security controls 19 E.g. prevent over-writing of passwords Access matrix Simple representation of ACLs Subjects attempt operations on objects Operations permitted if allowed by ACL Cells show permissions for subject on object ACL for user on corresponding object E.g. File 1 Subject John is owner Has read and write permissions on file Can assign any permission to any user on file 20 Subject Bob Given read permission Subject Alice Given execute permission John Host 1 Block Objects File 1 File 2 Own Read Read Subjects Bob Alice Block Allow Write Read Execute Read Own Read Write Execute ACL limitations Limited scalability To modify permissions for a specific user Permissions for that user must be modified individually on all objects to which the user has access Not possible to assign permissions based on user responsibilities When user changes roles 21 Role-appropriate permissions for the user must be modified individually on all applicable objects Role based access control (RBAC) Assign permissions to user roles rather than to individual users Roles are created for job functions Users are assigned roles based on responsibilities Access permissions defined for roles Separation between users and access controls As users evolve within the organization Roles can be assigned Access permissions are automatically updated RBAC reduces cost and administrative effort, compared to ACLs 22 But tool support evolving Firewalls Hardware or software that prevent the dangers originating on one network from spreading to another network Allow one network to connect to another network while maintaining some amount of protection E.g. door to a home or office Allow residents to get out of the house Block rain and sleet from entering the home Maintain some degree of confidentiality Serve multiple purposes 23 Restricting entry and exit from the network to carefully specified locations Limiting incoming Internet traffic to specific application running on specific devices Blocking outgoing traffic from hosts suspected to have been compromised Firewalls – contd. Constraints Not generally intended to defend against specialized attacks E.g. Doors of a retail store are not designed to detect shoppers with explosives, or shoplifters Where necessary (e.g. at airports) Left to more specialized controls, e.g. Human inspectors Anti-theft technologies Benefits 24 Very effective and relatively inexpensive first line of defense Defend against large number of common nuisances Firewall arrangement Figure shows typical arrangement 25 Intercept all traffic between the Internet and the organization’s network Implement organization’s traffic rules Internet Local network Firewall Firewall rules Specified using ACL syntax e.g. pass pass pass pass block block 26 in out in out in out quick from 192.168.1.0/24 to 192.168.10.50 quick from 192.168.10.50 to 192.168.1.0/24 log quick from any to any port = 22 log quick from any port = 22 to any all all Firewall limitations Defenseless against insiders and unregulated traffic Defenseless against user practices Protect against attacks originating outside the network Traffic inside the organization does not cross firewall Compromised computer can steal data from other computers Flash storage devices Defenseless against encrypted traffic Cannot be inspected E.g. SSL traffic Configuration 27 Poorly configured firewall Only provides illusion of security Firewall types Packet filtering firewalls 1. Examine protocol header fields to determine entry, e.g. Source and destination IP addresses Destination port address TCP flags Example usage Block incoming packets from ISP with history of sending spam Host or ISP identified by the source IP address field Deep packet inspection firewalls 2. Examine packet data, in addition to protocol headers Compare against database of known malicious payloads 28 Identify payloads that attempt to launch buffer overflow or other attacks Typical firewall organization Typical deployment involves Perimeter firewall Lies between the external network and the organization Allows hosts outside the organization to access public-facing services De-militarized zone Network between external network and organization’s internal network E.g. web, email and DNS. Hosts external services such as http, smtp and DNS Interior firewall Limits access to organization’s internal network Specific applications for requests originating from specific hosts Militarized zone 29 E.g. Student learning system and records database Location of all the organization’s information assets Internet Typical firewall organization – contd. DMZ email DNS www 30 Internal network Basic firewall recommendations Allow users to access to the following services on the Internet Web (port 80, 443) to specified hosts running web servers Email (ports 25, 465, 585, 993, 995) to specified hosts running email DNS (port 53) to specified hosts running the DNS service Remote desktop connections (port 3389) SSH (port 22) to specific UNIX hosts General rules of thumb Allow “secure” services Allow access to “safe” services on designated hosts E.g. email and the web Block legacy, unmaintained services 31 Encrypt transactions In popular use, hence regularly updated SSH (for UNIX connections) and Remote Desktop (for Windows clients) Telnet and FTP Intrusion detection/ prevention systems Intrusion detection systems (IDS) Monitor IT systems for malicious activity or violations of usage policies Two types Network-based Host-based Maximize probability of detecting intrusion attempts Can raise alarms about impending attacks Watching for reconnaissance activity (host and port scans) Software applications on individual hosts Monitor local activity such as file access and system calls for suspicious behavior Most enterprises employ multiple IDSs, each with its own set of rules Monitor network traffic and application protocol activity to identify suspicious connections Usually included in routers and firewalls Often precede large-scale attacks Intrusion prevention systems 32 Build on IDS and attempt to stop potential intrusions Detection methods How do IDS/ IPS detect intrusions? Three methods Signatures Anomalies Compare observed events against defined activities for each protocol state Most commercial implementations use combination of all three 33 Deviations between observed events and defined activity patterns Protocol states Sequence of bytes that is known to be a part of malicious software Maximize effectiveness Detection methods comparison Signature-based Very effective against simple well-known threats Also computationally very efficient Not effective against previously unknown threats, disguised threats and complex threats Uses simple string comparison operations I LOVE YOU virus with email subject line read “job offer for you” Cannot detect attacks composed of multiple events If individual events are potentially legitimate E.g. Cannot detect port scans 34 Every individual probe packet is a well-formed and legitimate packet Detection methods comparison – contd. Anomaly-based Very effective at detecting previously unknown threats, e.g. Malware that sends out large volumes of spam email Malware that uses computer to break passwords Computer's behavior significantly different from established profile Concerns Building profiles can be very challenging, e.g. Computer may perform full backups on last day of the month Large volumes of network data transfer 35 If not included as part of baseline profile, will be flagged Detection methods comparison – contd. Protocol-state-based Aware of allowed operations for a given protocol state, e.g. Able to identify unexpected sequences of commands E.g. issuing same command repeatedly can indicate a brute-force attack Can keep track of the user id used for each session Knows that a user in an unauthenticated state should only attempt a limited number of login attempts, or User in unauthenticated state should only attempt a small set of commands Helpful when investigating an incident. Can include checks for individual commands E.g. monitoring lengths of arguments Limitation 36 Username with a length of 1000 characters can be considered suspicious Username with non-text data is even more unusual and merits flagging Tracking many simultaneous sessions can be extremely resource-intensive IDS/ IPS limitations Two well-known limitations Detection errors 1. Many alarms do not represent real threats Many real threats are missed Very sensitive IDS will detect more real attacks, but also flag many benign transactions as malicious Less sensitive IDS will not raise too many false alarms, but will also miss many real attacks Real attacks are very expensive So organizations generally prefer false positives over false negatives Increases cost of sifting through all alarms raised Evasion 2. Act of conducting malicious activity so that it looks safe, e.g. Called false negatives Reducing one generally increases the other, e.g. Called false positives Conduct port scans extremely slowly (over many days) and from many different sources Malware can be sent as parts of file attachments, and appear legitimate IDS/ IPS therefore cannot be trusted to detect all malicious activity 37 However, like firewalls, very effective as part of overall security deployment Patch management Patch Software that corrects security and functionality problems in software and firmware Also called updates Usually the most effective way to mitigate software vulnerabilities Patch management Process of identifying, acquiring, installing, and verifying patches Many information security frameworks impose patch management requirements E.g. Payment Card Industry (PCI) Data Security Standard (DSS) requires that critical patches must be installed within one month of the release of the patch (PCI DSS 2.0 requirement 6.1.b) Concerns Patches can break existing software 38 Particularly in-house software developed using older technologies Patch management challenges NIST 1. Timing, prioritization and testing Usually necessary to prioritize which patches should be installed first E.g. web servers need to be prioritized over desktops in militarized zone Operational system might fail from patching, causing business disruptions Timing, prioritization and testing are often in conflict Patch bundle solution to conflict Release aggregates of many patches as patch bundles at quarterly or other periodic schedules 39 Issue patches instantly for exploits known to be getting exploited Reduces patch testing effort at organizations and facilitates deployment Patch management challenges – contd. 2. Configuration Often multiple mechanisms for applying patches Competing patch installation procedures can cause conflicts Resolve any conflicts among competing patch application methods Users, particularly power users may override or circumvent patch management processes, e.g. 40 May try to overwrite patches May try to remove previously installed patches May try to install patches that fails organization’s internal tests Therefore identify all ways in which patches could be applied Automatic updates, manual updates, vulnerability scanners Disabling patch management software Installing old and unsupported versions of software Uninstalling patches Patch management challenges – contd. 3. Alternative hosts Diversity in the computing environment May include unsupported hardware Appliances are a particularly interesting case Often manufacturers are not very familiar with the importance of patch management May not support automated procedures for testing and deploying patches Patch management can easily become time consuming and labor intensive Software inventory 4. Organization should maintain current and complete inventory of all patchable software installed on each host in the organization 41 Inventory should also include correct version and patch status Patch management challenges – contd. Resource overload 5. Patch deployment needs to be managed to prevent overload Download speeds can become significantly slow If many hosts start downloading the same large patch at the same time Network bandwidth can also become a constraint Large organizations Particularly if patches are transmitted across continents on WAN networks Common strategies Sizing patch infrastructure to handle expected request volumes Staggering delivery of patches 42 Hard drives hunt for different blocks for each individual host Only deliver patches to a limited number of hosts at any given time Patch management challenges – contd. 6. Implementation verification Forcing required changes on target host so that patch takes effect May require restarting a patched application or service Or, rebooting the entire operating system Or making other changes to the state of the host Can be very difficult to determine if a particular patch has taken effect at a particular host One mechanism Use other methods of confirming installation 43 E.g., using a vulnerability scanner that is independent from the patch management system End-point protection Security implemented at the end user device Desktops, laptops, and mobile devices used directly by consumers of the IT system Typically implemented using specialized software applications Provide services such as Defense of last resort Attempts to pick up security problems missed by network controls such as firewalls and intrusion detection systems Can offer security that organization-wide systems cannot provide E.g. confirm that versions of the operating system, browser etc. on the device are upto-date Alert user if necessary to initiate an update Also provides protection against other compromised devices internal to the network 44 Anti-virus protection Anti-malware protection Intrusion detection Compromised desktop within the network may scan ports as a zombie End-point security software on targeted hosts can detect scans and block requests Detection mechanisms Signatures 1. Traditional method of detecting malicious software Similar to signature-based IDS Reputation 2. Safety of file based on reputation score calculated using file’s observable attributes Over time, reputation scores calculated and updated for every known executable file About 10 billion in number Eliminates need to scan every byte of every file for known malware signatures Greatly speeds virus and malware scanning, freeing up computer resources for productive tasks Computationally efficient at detecting previously unknown threats Previously unknown files naturally receive a low reputation score Like how new borrowers like teenagers begin with a low credit score File used by more users for longer periods of time with no observed malicious effects Reputation score of the file keeps improving 45 Identified by file hash Like how borrowers improve credit ratings through responsible borrowing Overview Password Management Access control lists (ACLs) Firewalls and their capabilities Intrusion Detection/Prevention Systems Patching operating systems and Applications End Point Protection Information security control best practices 46