Information Security: Security Blankets are not Enough
Karl F. Lutzen, CISSP
S&T Information Security Officer
About Me
• Karl F. Lutzen
– Certified Information Systems Security Professional (CISSP)
– S&T Information Security Officer
– Instructor for CS 362
• Office
– Location: CH 203D
– Email: [email protected] (start here!)
• “Information” is likely the only asset that can be stolen from you while you still have full possession.
• This includes: data, personal information, trade secrets, intellectual property, etc.
• Clearly we need to protect:
– The information itself
– The systems where it lives
– The access to it
– And many other aspects
Fundamental Principles
• Confidentiality
• Availability
• Integrity
• How much of the overall security will be technical solutions?
Our information lives here:
What all do we need to do to protect it?
Physical (Environmental)
• Physical security consists of physically securing the devices:
– Locks/Cables, Alarms, Secure rooms, Cameras*, Fences, Lighting, Heating, Cooling, Fire protection, etc.
• If you defeat the physical security controls, all other control domains (except one) are
*Cameras will likely not prevent a theft, only deter it or be used for evidence later.
Access Control and Methodology
• Who has access, how is it controlled,
– Authentication
• Passphrases, two factor, multi-factor,
– Access Controls (Authorization)
• Role Based Access, Mandatory Access Controls, Discretionary Access Controls
• Least Privilege and Need to Know
Application Development Security
• Software Based Controls
• Software Development Lifecycle and
– Development models: waterfall, spiral, etc.
– Code Review
Telecommunications and Network Security
• Implementing correct protocols
• Network services
– Firewalls
– Traffic Shaping
• Network Topology
Business Continuity Planning (BCP)
Disaster Recovery Planning (DRP)
• BCP – What controls and processes do we need to implement to keep our systems
– Backups, off-site data storage, cross-training,
• DRP – What do we need to do in a crisis?
– Response plans, Recovery plans, etc.
Security Architecture and Models
• Operation modes/protection
• Evaluation Criteria
• Security Models
• Common Flows/Issues:
– Covert Channels, timing issues, maintenance hooks, etc.
Information Security Governance
Risk Management
• Policies, Standards, Guidelines and
• Risk Management Tools and Practices
• Risk assessment:
– Qualitative vs. Quantitative
• Planning and Organization
Operations Security
Administrative Management
Operation Controls
Intrusion Detection (operational side)
Legal, Regulations,
Investigations and Compliance
Types of computer crimes/attacks
Categories of Law
Computer Laws
Incidents and incident handlings
Investigation and Evidence
• Concepts and Methodologies
• Encryption algorithms
– Asymmetric vs. symmetric
• Cryptanalysis/Methods of Attacks
• Steganography
Using ECB Mode
ECB = Electronic Codebook. Divide the message into fixed-size blocks; the same key encrypts each block separately and independently, so identical plaintext blocks always produce identical ciphertext blocks.
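An added example, not from the slides, that shows the property described above in working code. A small Feistel block cipher built from HMAC stands in for a real cipher (constructed only so the example runs offline, not something to deploy); ECB and CBC are built over it, and a repeated-block count shows how ECB ciphertext leaks the structure of repeated plaintext, which is a quick check a reviewer can run over captured ciphertext. The key, IV and sample message are constructed.

```python
import hmac
import hashlib

BLOCK = 16  # block size in bytes

def _round_function(key: bytes, half: bytes, rnd: int) -> bytes:
    """Feistel round function: keyed HMAC-SHA256 truncated to half a block."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[: BLOCK // 2]

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed 4-round Feistel cipher over one 16-byte block (stand-in for AES).
    A Feistel network is a permutation: distinct input blocks give distinct outputs."""
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round_function(key, right, rnd)))
    return left + right

def pkcs7_pad(data: bytes) -> bytes:
    """PKCS#7 padding so the message is a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently with the same key."""
    pt = pkcs7_pad(plaintext)
    return b"".join(toy_block_encrypt(key, pt[i : i + BLOCK]) for i in range(0, len(pt), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block before encryption."""
    pt = pkcs7_pad(plaintext)
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_block_encrypt(key, bytes(a ^ b for a, b in zip(pt[i : i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block.
    A count above zero on a long message is a strong sign of ECB."""
    blocks = [ciphertext[i : i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))

# Constructed sample: the same 16-byte record repeated four times.
KEY = b"constructed-demo-key"
IV = bytes(range(16))
SAMPLE = b"ATTACK AT DAWN!!" * 4

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, SAMPLE)))      # 3
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(KEY, IV, SAMPLE)))  # 0
```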
Threats to Security
Viruses and Worms
Other Malware and Trojans
Social Engineering/Phishing
Criminal Organizations
Terrorists and Information Warfare
Insecure Applications
Viruses, Worms, Malware,
• Lack of policies/training/procedures
– Employees can bring in problems!
• Mitigation techniques:
– Antivirus
– Firewalls
Social Engineering
• Multiple methods:
– Phone calls
– Dumpster Diving
– Phishing
• Mitigation techniques
– Policies/Procedures
– Training
• Def: Deliberately accessing systems or networks to which access is unauthorized
• Types:
– Unstructured threat – not after a specific
• Opportunity
• Script Kiddies
– Structured Threat – Specific target is in
• Elite hackers
• Most Dangerous! Accounts for 70-75% of all security events
• Insiders have access to the keys to the
• Human errors account for many security
• Mitigation
– Policies, Procedures, Training, Monitoring,
Criminal Organizations
• With so many business functions now relying on the Internet, crime was sure to follow it.
• Attacks:
– Fraud, extortion, theft, embezzlement and
• Well funded, hire elite hackers, willing to spend years if necessary
• Type: Structured attack
Two Types of Electronic
• Crimes in which the computer was the target of the attack
• Incidents in which the computer was a means of perpetrating a criminal act.
Threats to Security
• The biggest change that has occurred in security over the last 30 years has been the change in the computing
– Central Mainframes to
– Decentralized smaller, yet interconnected,
– Although we seem to be shifting back towards central data centers for core operations.
Avenues of Attack
• Types:
– Specific target of an attacker
– Target of opportunity
Steps in an Attack
• Reconnaissance
– Gather easily available data
• Publicly available information from the web
• Newspapers
• Financial reports (if publicly traded they are
• Google as an attack tool?
Reconnaissance (cont.)
– Probing
• Ping sweeps – find hosts
• Port sweeps – find open ports to then test for
• Determine OS (can be done quite accurately!)
Steps in an attack
• Attempt to exploit vulnerabilities
• Attempt to gain access through
– Brute force
– Social engineering
• And of course there is simply the physical theft of the system, backup tapes, etc.!
Minimizing Attack Avenues
• Patch against vulnerabilities
• Use of DMZ (system isolation)
• Intrusion detection/prevention systems
• Minimize open ports/systems directly accessible to the Internet
• Good physical security
• Good training to negate social engineering attacks
RSA Attack
• March 2011, RSA had a data breach
– Attacker stole information which affected some 40 million two-factor authentication
– Devices are used in private industry and government agencies
– Produces a 6 digit number every 60
RSA Attack Analysis
• An Advanced Persistent Threat (APT)
A structured (advanced), targeted attack (persistent), intent on gaining information (threat)
RSA Background
• RSA is a security company that employs a great number of security devices to prevent such a data breach
• Methods used bypassed many of the controls that would otherwise have prevented a direct attack
Attacker Initial Steps
• Attackers acquired valid email addresses of a small group of
• If the attackers did a full spam to all possible addresses, it gives them away and prevention/detection by RSA is much easier.
Phishing Emails
• Two different phishing emails sent over a two-day period.
• Sent to two small groups of employees, not particularly high profile or high value
• Subject line read: 2011 Recruitment
• SPAM filtering DID catch it but put it in the Junk folder
Employee Mistake
• One employee retrieved the email from the Junk mail folder
• Email contained an Excel spreadsheet entitled: 2001 Recruitment Plan.xls
• Spreadsheet contained a zero-day exploit through Adobe Flash (since
– Installed a backdoor program to allow
Remote Administration Tool (RAT)
• Attackers chose to use the Poison Ivy
– Very tiny footprint
– Gives attacker complete control over the
– Set in reverse-connect mode. System reaches out to get commands. Fairly standard method of getting through
Digital Shoulder-Surfing
• Next the attackers just sat back and digitally listened to what was going on with the system
• The initial system/user didn’t have adequate access for their needs, so they needed to take a step to another system to go further.
• Initial platform wasn’t adequate, so attackers harvested credentials (user, domain admin, service accounts)
• Next, performed privilege escalation on non-admin users on other targeted systems. Goal: gain access to high value systems/targets.
The Race
• During the stepping from system to system, security controls detected an attack in progress. The race was now
• Attacker had to move very quickly during this phase of finding a valuable
Data Gathering
• Attacker established access at staging servers at key aggregation points to retrieve data.
• As they visited servers of interest, data was copied to staging servers.
• Staging servers aggregated, compressed, encrypted and then FTP’d the data out.
Receiving Host
• Target receiving data was a compromised host at an external hosting provider.
• Attacker then removed the files from the external compromised host to remove traces of the attack.
• This also hid the attacker’s true
Lessons Learned
• Weakest link: A human
• Layered Security: Not adequate to
• Upside: Able to implement new security controls that to this point were considered too restrictive.
Karl’s Changes
• What follows would be the changes I’d make at RSA.
• Note, they are a commercial company and do not have the open requirements higher education has. Two different
• If I were to implement these, very likely I’d be doing a different job…
• Traffic shaping both ways. (Firewall port blocking isn’t enough)
• Block all but specific protocols
• IDS/IPS on all those protocols
• Aggressive use of DMZ: Isolate systems
• Isolate workstations from one another
• Clean Access Solutions on all systems
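An added example, not from the slides, of what two of these changes look like when checked against flow data: an egress allowlist stands in for “block all but specific protocols”, and a simple interval-regularity heuristic stands in for the kind of IDS rule that would notice a reverse-connect tool calling home on an allowed port, or a staging server pushing data out over FTP. The policy, host names, addresses and flow records are all constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical egress policy: only these (protocol, destination port) pairs may leave the network.
ALLOWED_EGRESS = {("tcp", 80), ("tcp", 443), ("udp", 53)}

# Constructed flow records: (time_s, source_host, destination_ip, protocol, dest_port, bytes_out)
FLOWS = [
    (0,    "ws-17",    "203.0.113.9",  "tcp", 443, 880),       # small, regular: call-home pattern
    (299,  "ws-17",    "203.0.113.9",  "tcp", 443, 884),
    (601,  "ws-17",    "203.0.113.9",  "tcp", 443, 879),
    (900,  "ws-17",    "203.0.113.9",  "tcp", 443, 882),
    (1201, "ws-17",    "203.0.113.9",  "tcp", 443, 881),
    (120,  "ws-17",    "198.51.100.5", "tcp", 443, 14500),     # ordinary browsing
    (450,  "stage-02", "192.0.2.77",   "tcp", 21,  52000000),  # FTP transfer leaving the network
    (700,  "ws-03",    "198.51.100.8", "tcp", 80,  2100),
    (710,  "ws-03",    "198.51.100.8", "tcp", 80,  1900),
]

def egress_violations(flows):
    """Flows leaving the network on a protocol/port the policy does not allow."""
    return [f for f in flows if (f[3], f[4]) not in ALLOWED_EGRESS]

def beacon_candidates(flows, min_connections=4, max_jitter=0.1):
    """(source, destination, port) pairs contacted at nearly regular intervals.
    Allowed ports alone do not hide regular call-home traffic, which is why
    inspection on the allowed protocols is still needed."""
    times_by_pair = defaultdict(list)
    for t, src, dst, _proto, port, _size in flows:
        times_by_pair[(src, dst, port)].append(t)
    hits = []
    for pair, times in times_by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Low spread relative to the average interval means the timing is machine-regular.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((pair, round(avg)))
    return hits

if __name__ == "__main__":
    for f in egress_violations(FLOWS):
        print("egress policy violation:", f)
    for pair, interval in beacon_candidates(FLOWS):
        print("beacon candidate:", pair, "every ~%d s" % interval)
```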
Biggest Change
• Mandatory Monthly Security Awareness training for everyone.
• (breaking it into monthly modules makes it tolerable)
• Needs to be interesting/fun, Door prizes, etc.
RSA Attack: Credits