Information Security: Security Blankets are not Enough
Karl F. Lutzen, CISSP
S&T Information Security Officer

About Me
• Karl F. Lutzen
  – Certified Information Systems Security Professional (CISSP)
  – S&T Information Security Officer
  – Instructor for CS 362
• Office
  – Location: CH 203D
  – Email: kfl@mst.edu (start here!)

Information
• “Information” is likely the only asset that can be stolen from you while you still have full possession.
• This includes: data, personal information, trade secrets, intellectual property, etc.

Information
• Clearly we need to protect:
  – The information itself
  – The systems where it lives
  – The access to it
  – And many other aspects

Fundamental Principles
• Confidentiality
• Availability
• Integrity

Question
• How much of the overall security will be technical solutions?

Our information lives here: What all do we need to do to protect it?

Physical (Environmental) Security
• Physical security consists of physically securing the devices:
  – Locks/cables, alarms, secure rooms, cameras*, fences, lighting, heating, cooling, fire protection, etc.
• If you defeat the physical security controls, all other control domains (except one) are defeated.
*Cameras will likely not prevent a theft; they only deter it or are used for evidence later.

Access Control and Methodology
• Who has access, how is it controlled, etc.
  – Authentication
    • Passphrases, two-factor, multi-factor, biometrics
  – Access Controls (Authorization)
    • Role-Based Access, Mandatory Access Controls, Discretionary Access Controls
    • Least Privilege and Need to Know

Application Development Security
• Software-based controls
• Software Development Lifecycle and Principles
  – Development models: waterfall, spiral, etc.
  – Code review

Telecommunications and Network Security
• Implementing correct protocols
• Network services
  – Firewalls
  – IDS/IPS
  – Traffic shaping
• Network topology

Business Continuity Planning (BCP) / Disaster Recovery Planning (DRP)
• BCP – What controls and processes do we need to implement to keep our systems running?
  – Backups, off-site data storage, cross-training, etc.
• DRP – What do we need to do in a crisis?
  – Response plans, recovery plans, etc.

Security Architecture and Models
• Operation modes/protection mechanisms
• Evaluation criteria
• Security models
• Common flaws/issues:
  – Covert channels, timing issues, maintenance hooks, etc.

Information Security Governance and Risk Management
• Policies, Standards, Guidelines and Procedures
• Risk management tools and practices
• Risk assessment:
  – Qualitative vs. Quantitative
• Planning and organization

Operations Security
• Administrative management
• Operation controls
• Auditing
• Monitoring
• Intrusion detection (operational side)
• Threats/countermeasures

Legal, Regulations, Investigations and Compliance
• Types of computer crimes/attacks
• Categories of law
• Computer laws
• Incidents and incident handling
• Investigation and evidence

Cryptography
• Concepts and methodologies
• Encryption algorithms
  – Asymmetric vs. symmetric
• PKI
• Cryptanalysis/methods of attack
• Steganography

PICK GOOD ALGORITHMS!
[Figure: three images captioned “Original”, “Using ECB Mode” and “Non-ECB”]
ECB = Electronic Codebook. Divide the message into blocks; the same key encrypts each block separately.
(http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation)

Threats to Security
• Viruses and worms
• Other malware and Trojans
• Social engineering/phishing
• Intruders
• Insiders
• Criminal organizations
• Terrorists and information warfare
• Insecure applications

Viruses, Worms, Malware, Trojans
• Lack of policies/training/procedures
  – Employees can bring in problems!
• Mitigation techniques:
  – Anti-virus
  – Firewalls
  – TRAINING

Social Engineering
• Multiple methods:
  – Phone calls
  – Dumpster diving
  – Phishing
• Mitigation techniques
  – Policies/procedures
  – Training

Intruders
• Def: Deliberately accessing systems or networks to which one is not authorized
• Types:
  – Unstructured threat – not after a specific target
    • Opportunity
    • Script kiddies
  – Structured threat – a specific target is in mind
    • Elite hackers

Insiders
• Most dangerous! Accounts for 70-75% of all security events
• Insiders have access to the keys to the kingdom
• Human errors account for many security events
• Mitigation – Policies, procedures, training, monitoring, etc.

Criminal Organizations
• With so many business functions now relying on the Internet, crime was sure to follow it.
• Attacks:
  – Fraud, extortion, theft, embezzlement and forgery
• Well funded, hire elite hackers, willing to spend years if necessary
• Type: Structured attack

Two Types of Electronic Crime
• Crimes in which the computer was the target of the attack
• Incidents in which the computer was a means of perpetrating a criminal act

Threats to Security
• The biggest change that has occurred in security over the last 30 years has been the change in the computing environment
  – Central mainframes to
  – Decentralized smaller, yet interconnected, systems
  – Although we seem to be shifting back towards central data centers for core operations.

Avenues of Attack
• Types:
  – Specific target of an attacker
  – Target of opportunity

Steps in an Attack
• Reconnaissance – Gather easily available data
  • Publicly available information from the web
  • Newspapers
  • Financial reports (if publicly traded they are available)
  • Google as an attack tool?

Reconnaissance (cont.)
  – Probing
    • Ping sweeps – find hosts
    • Port sweeps – find open ports to then test for holes
    • Determine OS (can be done quite accurately!)
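Returning to the cryptography slide’s ECB picture: the example below is added here (it is not from the slides) and builds a small stand-in block cipher on the Python standard library, then counts distinct ciphertext blocks under ECB and CBC to show why the “Using ECB Mode” image still shows the outline of the original. The Feistel construction, the sample “bitmap” and the key are assumptions for the demo.

```python
import hashlib
import os

BLOCK, HALF = 16, 8  # 128-bit block handled as two 64-bit Feistel halves

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function: SHA-256(key || round || half), truncated to a half.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]

def toy_block_encrypt(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    # 8-round balanced Feistel network standing in for AES so this runs on the
    # standard library alone. A teaching cipher (assumed here), not for real use.
    l, r = block[:HALF], block[HALF:]
    for rnd in range(rounds):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def toy_block_decrypt(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(rounds)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: every block is encrypted independently under the same key, so equal
    # plaintext blocks always produce equal ciphertext blocks.
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CBC: XOR each block with the previous ciphertext block before encrypting,
    # so repeated plaintext no longer repeats in the ciphertext.
    prev, out = iv, []
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, _xor(prev, data[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)

def distinct_blocks(ct: bytes) -> int:
    return len({ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)})

# Constructed sample: three flat "colour" regions, like a crude bitmap.
SAMPLE = b"\x00" * 64 + b"\xff" * 64 + b"\x00" * 64
KEY = b"constructed-demo-key"  # fixed so the figures are reproducible

def compare_modes(key: bytes = KEY, data: bytes = SAMPLE) -> dict:
    # Unique ciphertext blocks per mode: ECB leaks the structure (2 of 12
    # distinct blocks), CBC with a fresh random IV does not (12 of 12).
    return {"blocks": len(data) // BLOCK,
            "ecb": distinct_blocks(ecb_encrypt(key, data)),
            "cbc": distinct_blocks(cbc_encrypt(key, os.urandom(BLOCK), data))}
```

Swapping the toy cipher for a real AES implementation changes nothing about the block counts; the leak comes from the mode, not the cipher.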
Steps in an Attack
• Attempt to exploit vulnerabilities
• Attempt to gain access through userid/passwords
  – Brute force
  – Social engineering
• And of course there is simply the physical theft of the system, backup tapes, etc.!

Minimizing Attack Avenues
• Patch against vulnerabilities
• Use of DMZ (system isolation)
• Firewalls
• Intrusion detection/prevention systems
• Minimize open ports/systems directly accessible to the Internet
• Good physical security
• Good training to negate social engineering attacks

RSA Attack
• March 2011, RSA had a data breach
  – Attackers stole information which affected some 40 million two-factor authentication tokens
  – Devices are used in private industry and government agencies
  – Each produces a 6-digit number every 60 seconds.

RSA Attack Analysis
• An Advanced Persistent Threat (APT): a structured (advanced), targeted attack (persistent), intent on gaining information (threat)

RSA Background
• RSA is a security company that employs a great number of security devices to prevent such a data breach
• The methods used bypassed many of the controls that would otherwise have prevented a direct attack

Attacker Initial Steps
• Attackers acquired valid email addresses of a small group of employees.
• If the attackers had done a full spam to all possible addresses, it would have given them away and made prevention/detection by RSA much easier.

Phishing Emails
• Two different phishing emails sent over a two-day period.
• Sent to two small groups of employees, not particularly high-profile or high-value targets.
• Subject line read: 2011 Recruitment Plan
• SPAM filtering DID catch it but put it in the Junk folder

Employee Mistake
• One employee retrieved the email from the Junk mail folder
• Email contained an Excel spreadsheet entitled: 2001 Recruitment Plan.xls
• Spreadsheet contained a zero-day exploit through Adobe Flash (since patched).
  – Installed a backdoor program to allow access.

Remote Administration Tool (RAT)
• Attackers chose to use the Poison Ivy RAT.
  – Very tiny footprint
  – Gives the attacker complete control over the system
  – Set in reverse-connect mode: the system reaches out to get commands. A fairly standard method of getting through firewalls/IPS.

Digital Shoulder-Surfing
• Next the attackers just sat back and digitally listened to what was going on with the system
• The initial system/user didn’t have adequate access for their needs, so they needed to take a step to another system to go further.

Harvesting
• The initial platform wasn’t adequate, so the attackers harvested credentials (user, domain admin, service accounts)
• Next, performed privilege escalation on non-admin users on other targeted systems. Goal: gain access to high-value systems/targets.

The Race
• During the stepping from system to system, security controls detected an attack in progress. The race was now on.
• The attacker had to move very quickly during this phase of finding a valuable target.

Data Gathering
• The attacker established access at staging servers at key aggregation points to retrieve data.
• As they visited servers of interest, data was copied to the staging servers.
• Staging servers aggregated, compressed, encrypted and then FTP’d the data out.

Receiving Host
• The target receiving the data was a compromised host at an external hosting provider.
• The attacker then removed the files from the external compromised host to remove traces of the attack.
• This also hid the attacker’s true identity/location.

Lessons Learned
• Weakest link: a human
• Layered security: not adequate to prevent
• Upside: able to implement new security controls that to this point were considered too restrictive.

Karl’s Changes
• What follows would be the changes I’d make at RSA.
• Note, they are a commercial company and do not have the open requirements higher education has. Two different beasts.
• If I were to implement these, very likely I’d be doing a different job…

Changes
• Traffic shaping both ways.
  (Firewall port blocking isn’t enough)
• Block all but specific protocols
• IDS/IPS on all those protocols
• Aggressive use of DMZ: isolate systems
• Isolate workstations from one another
• Clean Access solutions on all systems

Biggest Change
• Mandatory monthly security awareness training for everyone.
  (Breaking it into monthly modules makes it tolerable)
• Needs to be interesting/fun, door prizes, etc.

RSA Attack: Credits
• http://www.satorys.com/rsa-attackanalysis-lessons-learned/
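As an added example (not from the slides or the cited write-up), the script below applies two of the “Changes” above, an egress protocol allowlist and inspection of the protocols that are allowed, to a constructed flow log modelled on the breach stages: a reverse-connect RAT polling its controller and a staging server pushing data out over FTP. The log format, addresses, allowlist and thresholds are all assumptions for the demo.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed flow-log sample: time, source, destination, port, protocol, bytes out.
FLOWS = """\
2011-03-01T09:00:05 10.1.5.23 203.0.113.9 443 https 512
2011-03-01T09:05:05 10.1.5.23 203.0.113.9 443 https 512
2011-03-01T09:10:05 10.1.5.23 203.0.113.9 443 https 512
2011-03-01T09:15:05 10.1.5.23 203.0.113.9 443 https 512
2011-03-01T09:20:05 10.1.5.23 203.0.113.9 443 https 512
2011-03-01T09:03:00 10.1.5.40 10.1.0.10 445 smb 4096
2011-03-01T09:07:30 10.1.5.40 198.51.100.7 443 https 70000
2011-03-01T09:30:00 10.1.9.8 198.51.100.77 21 ftp 48000000
"""
ALLOWED_OUTBOUND = {"https", "dns"}  # "block all but specific protocols"
INTERNAL_PREFIX = "10."              # the sample's internal address space

def parse_flows(text: str) -> list:
    rows = []
    for line in text.splitlines():
        ts, src, dst, port, proto, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port), proto, int(nbytes)))
    return sorted(rows)  # chronological, so per-pair timestamps come out ordered

def is_egress(src: str, dst: str) -> bool:
    return src.startswith(INTERNAL_PREFIX) and not dst.startswith(INTERNAL_PREFIX)

def policy_violations(rows: list) -> list:
    # Outbound traffic in a protocol the allowlist does not cover (the FTP push).
    return sorted({(src, dst, proto) for _, src, dst, _, proto, _ in rows
                   if is_egress(src, dst) and proto not in ALLOWED_OUTBOUND})

def beacons(rows: list, min_hits: int = 5, max_jitter: float = 0.1) -> list:
    # A reverse-connect RAT polls on a schedule even over an allowed protocol: flag
    # src->dst:port pairs seen min_hits+ times whose gaps vary < max_jitter of the mean.
    seen = defaultdict(list)
    for ts, src, dst, port, _, _ in rows:
        if is_egress(src, dst):
            seen[(src, dst, port)].append(ts)
    found = []
    for (src, dst, port), times in seen.items():
        if len(times) >= min_hits:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean < max_jitter:
                found.append((src, dst, port, round(mean)))
    return found
```

The internal SMB flow and the single large HTTPS upload pass both checks; tuning the jitter and hit thresholds against real traffic is where the operational work lies.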