Security: Some Highlights of the Highlights
Don McGregor
Research Associate
MOVES Institute
mcgredo@nps.edu

Cyber Security
• Security is a big and complex topic. You can’t just say “do these things and you’ll be fine,” though locking down hosts is important
• The surface area of the problem is so large that you need to get meta and think about security and what you want to accomplish before you get into checklists

What Do You Want to Secure?
– Secure data in transit?
– Secure data at rest, on a drive?
– Identities of people involved in an exercise?
– Parameters of an exercise, such as the location?
– Tactics used in a simulation?
– Prevent your software from being subverted?
– Prevent your network from being used as a launch pad for attacks on others?
– Policies and procedures for training personnel?
– Preventing insider attacks?
– Physical security?
– Policies and procedures for what to do in the event of classified data spillage?
– Probably all of them!
• The security domain is full spectrum, all the way from bits and bytes to policy and personnel questions

Frameworks For Thinking
• The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) is an outdated process, no longer used for new accreditation after May 2015, though some sites already certified with DIACAP may still exist
• The National Institute of Standards and Technology (NIST) Risk Management Framework is the replacement. It is very similar and is used in the rest of the Federal government

NIST
• http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
• How to think about risk mitigation, implement a security plan, and monitor its execution

NIST Process

Some Security Highlights

Who’s Attacking? Ego
• Ego: undersocialized 13 year olds, the curious, griefers, those looking to prove how smart they are compared to you corporate drones
• Often done for bragging rights, or to simply cause problems
• Hack the Gibson!

Attackers: Money
• Attack systems to get PII/financial data such as credit card info, sell it on the black market, hold systems ransom, etc.
• http://www.businessinsider.com/we-found-out-how-much-money-hackers-actually-make-2015-7
• Sell compromised systems to botnets

Attackers: Ideology
• Opposed to the military, opposed to a state or state policies, looking to do damage to it
• Snowden (Maybe! Could have been a hostile state asset), Assange, Wikileaks, jihadists, etc.

Attackers: State Actors
• States using cyberattacks to gain information, attack infrastructure, conduct information operations
• Russia, China, North Korea, others
• OPM hack, cyber attacks on Estonia and Georgia, Russian forum trolls, etc.
• Not necessarily a strong demarcation between states and criminal hackers

Networks
• Scoping it down to some of the things we talk about in a network class, what are some of the highlights?
  – Firewalls
  – Certificate of Networthiness
  – Secure communications
  – STIGs

Firewalls
• A firewall prevents a socket connection from being established. In the elder days of computing you could establish a network connection to any host on the internet. Modern thinking is that this is a really bad idea
• Firewalls can exist at multiple levels
  – Host
  – Network/Enterprise

Host Firewalls
Turn on ports only for the absolutely necessary programs

Enterprise Firewall Architectures

Enterprise Firewall Architectures
• Very limited set of hosts that are absolutely required to be deployed in the DMZ
  – Mail servers, web servers—things the public must be able to contact
  – Watch them closely, keep them patched
  – Anything exposed to the internet will be attacked
• The internal network—laptops, user desktops, internal servers—is not directly exposed to the internet

Firewalls
• Are you safe if you use a firewall? What are typical malware vectors?
  – Downloaded to client from web site while browsing
  – User clicks on hostile email link
  – User brings infected computer from home
  – WiFi connection from host physically off campus
• Firewalls help prevent one class of attacks, but are not a cure-all. Expect your network to be attacked from inside as well

Networthiness
• Often to deploy an application on a DoD network you need a “certificate of networthiness”. The requirements vary by service and network
  – http://www.atsc.army.mil/tadlp/implementation/config/networthiness.asp
  – http://www.disa.mil/network-services/ucco
  – NMCI application certification for a new program seems to run in the high six figures, probably done with contractor assistance

Secure Comms
• The Big Four of crypto
  – Authentication
  – Confidentiality
  – Integrity
  – Non-repudiation
• State actors have been doing this for centuries. In the last few decades civilians have been paying more attention to it

Authentication
• Establish the identity of a user, i.e. that they are who they say they are
• Variety of techniques:
  – Something you know: password
  – Something you have: a token, such as a CAC card
  – Something you are: biometric, such as fingerprint, iris scan, signature
• Two-factor authentication requires two items, e.g. a CAC card and a PIN

Integrity
• The message has not been changed since it was created
• This is typically done via hashes

Integrity: Hashes

Integrity: Hashes
• A hash converts a message of arbitrary length into a fixed-length “fingerprint”
• The slightest change to the message will result in a different hash result
• You also have to be alert for replay attacks
  – User sends authentic message to a bank transferring $100 to someone else; the message is recorded by an attacker and sent 50 times

Confidentiality
• The data is encrypted in such a way that those without a key can’t read it. What people normally think of as encryption
  – Symmetric encryption uses the same key for both encoding and decoding
  – Asymmetric or public key crypto uses one key for encrypting and another, mathematically linked key for decryption

Confidentiality: Symmetric

Confidentiality: Asymmetric

Non-Repudiation
• The user can’t deny that a message came from them. Often done via signatures, digital or otherwise
  – User creates message
  – A hash creates a short, fixed-length “fingerprint” of the message
  – The user encrypts it with a private key, and the encrypted hash is attached to the original message
  – The recipient receives the message, performs the hash on the message himself, decrypts the sender’s hash with the public key, and compares the two
  – If they match, the message was created by the sender, since only they have the private key
  – May have to add a nonce (a random number) to the message to prevent replay attacks
• This is really a combination of Integrity + Authentication

Communications Security
• Much more on secure comms later
• This has been discussing civilian crypto; DOD crypto is controlled by the NSA, and they have their own ideas and implementations

STIGs
• Security Technical Implementation Guide
• http://iase.disa.mil/stigs/Pages/index.aspx
• Instructions for how to lock down a host, switch, router, by brand and OS release

STIG
• CentOS 6/RHEL 6 STIG includes:

STIGs
• Similar instructions for Windows, different flavors of Unix, your favorite routers, etc.
• It’s a labor-intensive process.
  – Do it once and get a golden master image, which you replicate to all hosts
  – There are automated configuration tools, such as Puppet, Chef, Ansible, and Salt, that both automate the process of applying a configuration and ensure it remains in compliance

Overall
• It’s a big process and it will probably involve contractors
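As an added worked example (not part of the slides) of the Integrity: Hashes and Non-Repudiation slides above, this Python script shows the fixed-length hash “fingerprint”, the hash, sign-with-private-key, attach, verify-with-public-key sequence, and a nonce check that rejects the “sent 50 times” replay. The RSA key is a constructed textbook one (two Mersenne primes giving a 92-bit modulus) chosen so the arithmetic is visible without a crypto library; it is not secure, and the Bank class, message text and nonce are made up for the demonstration.

```python
import hashlib
import os

# Constructed textbook RSA key for illustration only: two well-known Mersenne
# primes (2^31-1 and 2^61-1) give a 92-bit modulus, far too small for real use
# but large enough that the sign/verify arithmetic behaves like the real thing.
P = 2**31 - 1
Q = 2**61 - 1
E = 65537                          # public exponent
N = P * Q                          # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, E*D == 1 mod phi(N) (Python 3.8+)

def fingerprint(message: bytes) -> str:
    """Fixed-length SHA-256 'fingerprint' of a message of arbitrary length."""
    return hashlib.sha256(message).hexdigest()

def sign(message: bytes, nonce: bytes) -> int:
    """Hash nonce+message, then 'encrypt' the hash with the private key D."""
    h = int(fingerprint(nonce + message), 16) % N  # reduce to fit the toy modulus
    return pow(h, D, N)

def verify(message: bytes, nonce: bytes, signature: int) -> bool:
    """Recompute the hash; compare with the hash recovered using the public key E."""
    h = int(fingerprint(nonce + message), 16) % N
    return pow(signature, E, N) == h

class Bank:
    """Recipient side: act on a message only if the signature checks out AND its
    nonce has never been seen before (the replay defence from the slides)."""

    def __init__(self):
        self.seen_nonces = set()

    def accept(self, message: bytes, nonce: bytes, signature: int) -> str:
        if not verify(message, nonce, signature):
            return "rejected: bad signature"
        if nonce in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(nonce)
        return "accepted"

if __name__ == "__main__":
    msg = b"Transfer $100 from Alice to Bob"    # constructed sample message
    nonce = os.urandom(16)                      # fresh random number per message
    sig = sign(msg, nonce)
    bank = Bank()
    print(bank.accept(msg, nonce, sig))         # accepted
    print(bank.accept(msg, nonce, sig))         # rejected: replay (attacker resends)
    print(bank.accept(msg + b"0", nonce, sig))  # rejected: bad signature (tampered)
```

Note that the tamper check fires before the nonce check, so a resent message that was also altered is reported as a bad signature rather than a replay.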