Security: Some of the Highlights
Don McGregor
Research Associate
MOVES Institute
mcgredo@nps.edu

Cyber Security
• Security is a big and complex topic. You
can’t just say “do these things and you’ll be
fine,” though locking down hosts is important
• The surface area of the problem is so large
that you need to get meta and think about
security and what you want to accomplish
before you get into checklists
What Do You Want to Secure?
– Secure data in transit?
– Secure data at rest, on a drive?
– Identities of people involved in an exercise?
– Parameters of an exercise, such as the location?
– Tactics used in a simulation?
– Prevent your software from being subverted?
– Prevent your network from being used as a launch pad for attacks on others?
– Policies and procedures for training personnel?
– Preventing insider attacks?
– Physical security?
– Policies and procedures for what to do in the event of classified data spillage?
– Probably all of them!
• The security domain is full spectrum, all the way from bits and bytes to
policy and personnel questions
Frameworks For Thinking
• The Department of Defense Information
Assurance Certification and Accreditation
Process (DIACAP) is an outdated process, no
longer used for new accreditation after May
2015, though some sites already certified
under DIACAP may still exist
• The National Institute of Standards and
Technology (NIST) Risk Management
Framework is the replacement. It is very
similar, and is used in the rest of the
Federal government
NIST
• http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
• How to think about risk mitigation,
implement a security plan, and monitor its
execution
NIST Process
Some Security Highlights
Who’s attacking? Ego
• Ego: undersocialized 13 year olds, the
curious, griefers, those looking to prove how
smart they are compared to you corporate
drones
• Often done for bragging rights, or to simply
cause problems
• Hack the Gibson!
Attackers: Money
• Attack systems to get PII/financial data such
as credit card info, sell it on the black
market, hold systems ransom, etc
• http://www.businessinsider.com/we-foundout-how-much-money-hackers-actuallymake-2015-7
• Sell compromised systems to botnets
Attackers: Ideology
• Opposed to military, opposed to a state or
state policies, looking to do damage to it
• Snowden (Maybe! Could have been a
hostile state asset), Assange, Wikileaks,
jihadists, etc
Attackers: State Actors
• States using cyberattacks to
gain information, attack
infrastructure, conduct
information operations
• Russia, China, North Korea,
others
• OPM hack, Cyber attacks on
Estonia and Georgia, Russian
forum trolls, etc.
• Not necessarily a strong
demarcation between states
and criminal hackers
Networks
• Scoping it down to some of the things we
talk about in a network class, what are some
of the highlights?
– Firewalls
– Certificate of Networthiness
– Secure communications
– STIGs
Firewalls
• A firewall prevents a socket connection from
being established. In the elder days of
computing you could establish a network
connection to any host on the internet.
Modern thinking is that this is a really bad
idea
• Firewalls can exist at multiple levels
– Host
– Network/Enterprise
Host Firewalls
Turn on ports only for the absolutely necessary programs
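One way to check the "only the necessary ports" rule on a Linux host, as an added example that is not part of the slides: parse the output of `ss -ltn`, ignore loopback-only listeners, and report anything reachable from the network whose port is not on an allowlist. The sample `ss` output and the allowlist (ssh and https) are constructed assumptions.

```python
"""Audit a host's listening TCP sockets against an allowlist.

Assumed helper, not from the slides: the input is the text of
`ss -ltn` (Linux). Anything listening on a non-loopback address
whose port is not on the allowlist is reported.
"""
from typing import List, Tuple

# Constructed sample output of `ss -ltn`, for demonstration only.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       511     *:443               *:*
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*
LISTEN  0       50      0.0.0.0:8080        0.0.0.0:*
"""

# Ports this host is actually required to expose (assumption: ssh + https).
ALLOWED_PORTS = {22, 443}
# Listeners bound only to loopback are not reachable from the network.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_listeners(ss_text: str) -> List[Tuple[str, int]]:
    """Return (address, port) for each LISTEN line of `ss -ltn` output."""
    listeners = []
    for line in ss_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)  # split off the port
        listeners.append((addr, int(port)))
    return listeners


def unexpected_listeners(ss_text: str, allowed=ALLOWED_PORTS) -> List[Tuple[str, int]]:
    """Network-reachable listeners whose port is not on the allowlist."""
    return [
        (addr, port)
        for addr, port in parse_listeners(ss_text)
        if addr not in LOOPBACK and port not in allowed
    ]


if __name__ == "__main__":
    for addr, port in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener: {addr}:{port}")
```

On a real host, feed it `subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout` instead of the sample.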
Enterprise Firewall Architectures
Enterprise Firewall Architectures
• Very limited set of hosts that are absolutely
required to be deployed in the DMZ
– Mail servers, web servers—things the public
must be able to contact
– Watch them closely, keep them patched
– Anything exposed to the internet will be
attacked
• The internal network—laptops, user
desktops, internal servers—are not directly
exposed to the internet
Firewalls
• Are you safe if you use a firewall? What are
typical malware vectors?
– Downloaded to client from web site while
browsing
– User clicks on hostile email link
– User brings infected computer from home
– WiFi connection from host physically off campus
• Firewalls help prevent one class of attacks,
but are not a cure-all. Expect your network
to be attacked from inside as well
Networthiness
• Often to deploy an application on a DoD
network you need a “certificate of
networthiness”. The requirements vary by
service and network
– http://www.atsc.army.mil/tadlp/implementation/config/networthiness.asp
– http://www.disa.mil/network-services/ucco
– NMCI application certification for a new program
seems to run in the high six figures, probably
done with contractor assistance
Secure Comms
• The Big Four of crypto
– Authentication
– Confidentiality
– Integrity
– Non-repudiation
• State actors have been doing this for
centuries. In the last few decades civilians
have been paying more attention to it
Authentication
• Establish the identity of a user, i.e., that they
are who they say they are
• Variety of techniques:
– Something you know: password
– Something you have: a token, such as a CAC
card
– Something you are: biometric, such as
fingerprint, iris scan, signature
• Two-factor authentication requires two
items, e.g., a CAC card and a PIN
Integrity
• The message has not been changed since it
was created
• This is typically done via hashes
Integrity: Hashes
Integrity: Hashes
• A hash converts a message of arbitrary
length into a fixed-length “fingerprint”
• The slightest change to the message will
result in a different hash result
• You also have to be alert for replay attacks
– User sends authentic message to a bank
transferring $100 to someone else; the
message is recorded by an attacker and sent 50
times
Confidentiality
• The data is encrypted in such a way that
those without a key can’t read it. What
people normally think of as encryption
– Symmetric encryption uses the same key for
both encoding and decoding
– Asymmetric or public key crypto uses one key
for encrypting and another, mathematically
linked key for decryption
Confidentiality: Symmetric
Confidentiality: Asymmetric
Non-Repudiation
• The user can’t deny that a message came from them.
Often done via signatures, digital or otherwise
– User creates message
– A hash creates a short, fixed-length “fingerprint” of the message
– The user encrypts it with a private key, and the encrypted hash is
attached to the original message
– The recipient receives the message, performs the hash on the
message himself, decrypts the sender’s hash with the public key,
and compares the two
– If they match, the message was created by the sender, since only
they have the private key
– You may also have to add a nonce (a random number) to the message
to prevent replay attacks
• This is really a combination of Integrity + Authentication
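The signature procedure on this slide, and the replay attack from the hashes slide, worked through as an added example that is not part of the slides: the sender hashes the message plus a nonce and "encrypts" the hash with the private key, the recipient re-hashes and compares after decrypting with the public key, and a receiver that remembers nonces rejects the 50 replayed copies. It uses a toy RSA keypair built from two fixed Mersenne primes so it runs offline with only the standard library; the bank, message and key sizes are constructed assumptions, not anything a real system should use.

```python
"""Hash, sign with the private key, verify with the public key, nonce vs replay.
Toy RSA (modulus ~150 bits, fixed primes) for illustration only."""
import hashlib
import secrets

P = 2**61 - 1                       # Mersenne prime M61
Q = 2**89 - 1                       # Mersenne prime M89
N = P * Q                           # public modulus (toy size)
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def fingerprint(message: bytes) -> int:
    """Fixed-length hash of the message, truncated to 128 bits so it is < N."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def sign(message: bytes, nonce: bytes) -> int:
    """Sender: hash message||nonce, then 'encrypt' the hash with the private key."""
    return pow(fingerprint(message + nonce), D, N)


def verify(message: bytes, nonce: bytes, signature: int) -> bool:
    """Recipient: recover the sender's hash with the public key, compare to own."""
    return pow(signature, E, N) == fingerprint(message + nonce)


class Bank:
    """Receiver that also rejects any nonce it has already accepted (replay)."""
    def __init__(self):
        self.seen_nonces = set()
        self.transfers = 0

    def accept(self, message: bytes, nonce: bytes, signature: int) -> bool:
        if not verify(message, nonce, signature) or nonce in self.seen_nonces:
            return False
        self.seen_nonces.add(nonce)
        self.transfers += 1
        return True


def demo() -> int:
    """Deliver one signed transfer, then replay it 50 times; return accepted count."""
    bank = Bank()
    msg = b"transfer $100 to account 4242"   # constructed sample message
    nonce = secrets.token_bytes(16)
    sig = sign(msg, nonce)
    return sum(bank.accept(msg, nonce, sig) for _ in range(51))  # 1, not 51
```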
Communications Security
• Much more on secure comms later
• This has been discussing civilian crypto;
DOD crypto is controlled by the NSA, and
they have their own ideas and
implementations
STIGs
• Security Technical Implementation Guide
• http://iase.disa.mil/stigs/Pages/index.aspx
• Instructions for how to lock down a host,
switch, router, by brand and OS release
STIG
• CentOS 6/RHEL 6 STIG includes:
STIGs
• Similar instructions for Windows, different
flavors of Unix, your favorite routers, etc
• It’s a labor-intensive process.
– Do it once and get a golden master image,
which you replicate to all hosts
– There are automated configuration tools, such
as Puppet, Chef, Ansible, and Salt, that both
automate applying a configuration and
ensure it remains in compliance
Overall
• It’s a big process and it will probably involve
contractors