Security Fundamentals
Robin Anderson
UMBC, Office of Information Technology

25-SEPT-2001

A Little About Me…
♦ Unix SysAdmin, Specialist with the Office of Information Technology at UMBC
♦ Taught Unix Administration and SANS Level One Security courses at UMBC
♦ Certified by the SANS Institute GIAC program in UNIX Security and Incident Handling

Topics Outline
♦ Post-Mortems in the News…
♦ Identifying Threats
♦ Countering Threats
♦ The (Vulnerable) Network
♦ Questions You Need to Ask
♦ Recommendations You Want to Make
♦ Resources Online

What Happened to Amazon®?
♦ Website defacing: Hackers broke in & put up phony web pages (And now, newer worms/viruses are doing the same!)
– September 2000: OPEC [1]
– February 2000: Amazon®, eBay® [2]
– November 1999: NASA/Goddard [3]
– October 31, 1999: Associated Press® [4]
– August 1999: ABC® [5]
– June 1999: U.S. Army

What Happened to Yahoo®?
♦ Denial of Service (DoS)
– February 2000: Yahoo and CNN [1]
♦ Multiple Hits
– September 2000: Slashdot defaced
– May 2000: Slashdot suffered DoS
The irony is that slashdot.org is a popular "news for nerds" website

If They’re Vulnerable…
…then you are, too.

The Fundamental Theorem
♦ You have computers because they perform some function that furthers your organization’s goals
♦ If you lose the use of those computers, their function is compromised
♦ So - anything that interferes with your organization’s effort to achieve its goals is a security concern

What Are You Protecting?
♦ Information
♦ Availability of the Systems
♦ Reputation & Goodwill

Your Information
♦ Crown Jewels
– Trade secrets, patent ideas, research
♦ Financial information
♦ Personnel records
♦ Organizational structure

Your Availability
♦ Internal use
– When employees can’t use the network, servers, or other necessary systems, they can’t work
♦ Website / online transactions
– Often when systems are unavailable, the organization is losing money

Your Reputation
♦ Public trust
– If your organization is hacked, how reliable will people think you are in other areas?
– Who wants to do business with companies that leak credit card information?
♦ Being a good neighbor
– Your organization may be hacked so it can be used as a springboard to attack others

A Simple Network…
[Diagram; labels: Internet, Router, Firewall, Router]

… Attacked!
[Diagram: the same network with threat points numbered 1 through 10]

What Are These Threats?
♦ DoS coming from the Internet
♦ Severed Physical link
♦ Masquerader / Spoofer
– They look like they’re already inside
♦ Password sniffer

What Are These Threats? (2)
♦ Alan brought a floppy from home that has a virus on it
♦ Beatrice is about to be fired – and she’s going to be angry about it
♦ Carter is careless with his passwords – he writes them down and loses the paper

What Are These Threats? (3)
♦ David has unprotected shares on his NT box
♦ Evan installed a modem on his PC (PCAnywhere)
♦ Severed Power / HVAC

What Are Threat Vectors?
Vectors are the pathways by which threats enter your network

Threat Vectors - Internal
♦ Careless employees
– “Floyd the clumsy janitor”
– “Contraband” hardware / software
– “Oops, did I just type that?”
♦ Random twits (somewhere between careless & malicious)
♦ Malicious employees
– Current or former employees with axes to grind
♦ Anyone who can get physical access

Threat Vectors - External
♦ Competitors / spies / saboteurs
♦ Casual & incidental hackers
– Some hackers don’t want your systems except to use them to get at their real target
♦ Malicious hackers
♦ Accidental tourists
♦ Natural disasters
– Be ready to face down the hurricane

What Are Threat Categories?
Categories are the different kinds of threat you may encounter

Threat Categories
♦ Opportunistic
– Basic “ankle biters” and “script kiddies”
– More advanced hackers, hacker groups out trolling
♦ Targeted
– These attackers know what they want; anything from data to disruption to springboards
♦ “Omnipotent”
– Government-sponsored professional hackers

Threat Consequences
♦ Bad press
– Breach of confidentiality
• Medical data
• Credit card information
– Attack platform (you’ve been subverted!)
♦ Loss of income
– How much does it cost you in sales to have your databases, website, etc., down for any given length of time?
– Loss of trade secrets (crown jewels)

The 3 Goals of Security
♦ Ensure Availability
♦ Ensure Integrity
♦ Ensure Authorization & Authentication

Threats to Availability
♦ Denial of Service (DoS)
– Connection flooding
♦ Destroying data
– Hardware failure
– Manual deletion
– Software agents: virus, trojans

Threats to Integrity
♦ Hardware failure
♦ Software corruption
– Buggy software
– Improperly terminated programs
♦ Attacker altering data

Threats to Authorization
♦ Attacker stealing data
♦ Lost / Stolen passwords
♦ Information Reconnaissance
– Organization information

Countering These Threats…
…is what security is all about.

Defining Security
♦ Security is a process
– Training is ongoing
• Threats change, admins need to keep up
• Security is inconvenient, all staff needs training
♦ Security is also about policies
♦ There is no silver bullet to fix it all
– For example, a firewall won’t save you
• Remember the Maginot Line

Notes:
♦ The underlying assumption in the next section is that you, as the auditor, admin, or manager, are in a position to make security recommendations
♦ The following list of questions should not be considered in any way to be exhaustive, but a starting point to build your own list

Questions You Need to Ask
♦ What is the physical access policy to systems, routers, and backup media?
– Are the servers and main routers in a controlled-access environment?
– Who monitors access?
♦ Are desktop systems / workstations physically secured?

Questions You Need to Ask
♦ Is there a documented security policy?
– Where is it located?
– Who is responsible for maintaining it?
– Is the policy being consistently enforced?
– Who is the enforcer for the organization?
♦ Is there a firewall?
– Who maintains it and its rule-sets?
– Do its rules match the policy?

Questions You Need to Ask
♦ What is the backup policy & schedule?
– What kind of backup media & software is used?
– Where is the backup media stored? Is there an off-site safe/storage rotation?
– If the systems were utterly destroyed today, how up to date could you bring their replacements?
– Have the backups ever been tested (via a restore) for completeness and integrity?

Questions You Need to Ask
♦ Does the organization know what is on its network?
– If so, how does it know?
– Where are the records kept?
– Who has access to them?

Questions You Need to Ask
♦ Are routine network vulnerability scans run?
– If so, what tools are used?
– Where are the reports stored?
– Who has access to the tool and the reports?
♦ Is any routine network monitoring done?
– If so, what tools are used?
– Where are the reports stored?
– Who has access to the tool and the reports?

Questions You Need to Ask
♦ What kind of power management contingencies are available?
– Uninterruptible Power Supplies (UPS)?
– Power regulation?
– Backup generators?
– Mean time to recovery from outage?

Questions You Need to Ask
♦ What kind of authentication does your organization use?
– Passwords
• Multi-use, one-time?
• Expiration?
– Biometric authentication?
– Smart-cards

Questions You Need to Ask
♦ If you use passwords, how does your organization replace lost ones?
– Any policy on verifying the user’s identity, etc.?

Questions You Need to Ask
♦ What kind of network connections does your organization allow?
– Are they clear-text protocols (like telnet, rlogin, rsh, ftp)?
– Can your organization migrate to using encrypted protocols (like ssh, stunnel, etc)?
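Answering the clear-text question above usually starts with evidence from the network itself. The following added example (not from the presentation) audits connection records for sessions to the telnet, rlogin, rsh and ftp server ports the slide names and pairs each finding with the encrypted replacement the slide suggests; the `key=value` record format and the sample records are constructed assumptions, so `parse_record()` would be adapted to a real firewall or flow-export format.

```python
# Added example, not from the presentation: flag clear-text protocol sessions
# (telnet, rlogin, rsh, ftp) in connection records so they can be migrated to
# ssh or stunnel. The 'key=value' record format below is a constructed assumption.
import re
from collections import Counter

# Server ports of the clear-text protocols the slide names, with the
# encrypted replacement the slide suggests for each.
CLEARTEXT_PORTS = {
    21: ("ftp", "sftp/scp over ssh, or wrap the service with stunnel"),
    23: ("telnet", "ssh"),
    513: ("rlogin", "ssh"),
    514: ("rsh", "ssh"),
}
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_record(line):
    """Turn 'k=v k=v ...' into a dict; lines with no fields give {}."""
    return dict(FIELD_RE.findall(line))

def audit(lines):
    """Count TCP sessions per (protocol, server) on the clear-text ports."""
    findings = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec.get("proto", "").lower() != "tcp":  # UDP/514 is syslog, not rsh
            continue
        try:
            port = int(rec["dport"])
        except (KeyError, ValueError):  # malformed or missing port: skip
            continue
        if port in CLEARTEXT_PORTS:
            findings[(CLEARTEXT_PORTS[port][0], rec.get("dst", "?"))] += 1
    return findings

def report(findings):
    """One line per (protocol, server) pair with the migration suggestion."""
    fixes = {name: fix for name, fix in CLEARTEXT_PORTS.values()}
    return [f"{proto:7s} {dst:15s} {n:3d} sessions  migrate to: {fixes[proto]}"
            for (proto, dst), n in sorted(findings.items())]

# Constructed sample records, not real traffic.
SAMPLE_LOG = """\
2001-09-25 08:01:12 src=10.0.1.15 dst=10.0.2.7 proto=tcp dport=23 bytes=4120
2001-09-25 08:03:40 src=10.0.1.22 dst=10.0.2.7 proto=tcp dport=22 bytes=9931
2001-09-25 08:05:02 src=10.0.1.15 dst=10.0.2.9 proto=tcp dport=21 bytes=77021
2001-09-25 08:07:55 src=10.0.1.31 dst=10.0.2.7 proto=tcp dport=23 bytes=512
2001-09-25 08:09:10 src=10.0.1.31 dst=10.0.2.7 proto=udp dport=514 bytes=240
2001-09-25 08:11:48 src=10.0.1.40 dst=10.0.2.9 proto=tcp dport=514 bytes=1033
""".splitlines()
```

Calling `report(audit(SAMPLE_LOG))` on the constructed records yields three findings (two telnet sessions and one rsh session to the two servers, plus the ftp session), while the ssh session on port 22 and the UDP syslog record on port 514 are correctly left out.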

Recommendations You Really Want to Make
♦ No matter what, recommend a dedicated security officer
– One individual responsible for security
• NOT the sys admin, network admin
– Qualifications:
• Training
• Certification (CISSP, SANS)
• Demonstrated proficiency

Recommendations You Really Want to Make
♦ Routine Vulnerability Scanning
– Tools like Saint, Nessus, Legion, Nmap, SARA
♦ Principle of Least Privilege
♦ Documented Procedures for Incident Handling

So, What Is a Security Officer?
♦ Protector
– Internal, external
♦ Assessor
♦ Monitor
♦ Contact point
– Law enforcement
– Internal
– External

What Does It All Mean?
♦ It’s a dangerous world, but we’re not necessarily doomed!
♦ Security is an ongoing process (it’s worth repeating!)
– Ask the questions you’ve seen here
– Ask any others you think of
– Ask them all again tomorrow – new challenges are arising every day!

Acknowledgements
♦ Andy Johnston, manager and co-conspirator
♦ Jon Lasser, author of Think UNIX
♦ Stephen Northcutt, SANS instructor and author of Network Intrusion Detection

Resources Online
♦ Training and Certifications
– SANS Institute http://www.sans.org/
– CISSP “Certification for Information System Security Professional” http://www.cissps.com

Resources Online (2)
♦ News & Alerts
– Security Focus http://www.securityfocus.com/
– CERT was “Computer Emergency Response Team” http://www.cert.org/
– CIAC “Computer Incident Advisory Capability” http://ciac.llnl.gov/

Resources Online (3)
♦ Federal Information Sharing Organizations
– NIPC “National Infrastructure Protection Center” http://www.nipc.gov
– Infragard “Guarding the Nation’s Infrastructure” http://www.infragard.net
– Infragard Maryland Chapter http://www.mdinfragard.org

Resources Online (4)
♦ SSH
http://www.ssh.fi
http://www.openssh.org
♦ SSH tunnel
http://linuxdoc.org/HOWTO/mini/VPN.html
http://www.ccs.neu.edu/groups/systems/howto/howto-sshtunnel.html
♦ Stunnel
http://mike.daewoo.com.pl/computer/stunnel/
http://www.stanton.dtcc.edu/stanton/cs/admin/notes/ssl/

Resources Online (5)
♦ Network Monitoring Software
– Snort http://www.snort.org
♦ Network Vulnerability Scanners
– Saint http://wdsilx.wwdsi.com/saint
– Nessus http://www.nessus.org

Resources Online (6)
♦ Kerberos http://web.mit.edu/kerberos/www
♦ This Presentation http://www.gl.umbc.edu/~robin/security.html
