Download 20121101

Information Security:
Security Blankets are not Enough
Karl F. Lutzen, CISSP
S&T Information Security Officer
About Me
• Karl F. Lutzen
– Certified Information Systems Security
Professional (CISSP)
– S&T Information Security Officer
– Instructor for CS 362
• Office
– Location: CH 203D
– Email: [email protected] (start here!)
Information
• “Information” is likely the only asset that
can be stolen from you while you still have
full possession.
• This includes: Data, Personal information,
trade secrets, intellectual property, etc.
Information
• Clearly we need to protect:
– The information itself
– The systems where it lives
– The access to it
– And many other aspects
Fundamental Principles
• Confidentiality
• Availability
• Integrity
Question
• How much of the overall security will be
technical solutions?
Our information lives here:
What all do we need to do to protect it?
Physical (Environmental)
Security
• Physical security consist of physically
securing the devices:
– Locks/Cables, Alarms, Secure rooms,
Cameras*, Fences, Lighting, Heating,
Cooling, Fire protection, etc.
• If you defeat the physical security controls, all
other control domains (except one) are
defeated.
*cameras will likely not prevent a theft. Only deter it or be used for
evidence later.
Access Control and Methodology
• Who has access, how is it controlled,
etc.
– Authentication
• Passphrases, two factor, multi-factor,
biometrics
– Access Controls (Authorization)
• Role Based Access, Mandatory Access
Controls, Discretionary Access Controls
• Least Privilege and Need to Know
Application Development Security
• Software Based Controls
• Software Development Lifecycle and
Principles
– Development models: waterfall, spiral, etc.
– Code Review
Telecommunications and Network Security
• Implementing correct protocols
• Network services
– Firewalls
– IDS/IPS
– Traffic Shaping
• Network Topology
Business Continuity Planning(BCP)
Disaster Recovery Planning (DRP)
• BCP – What controls and process do we
need to implement to keep our systems
running?
– Backups, off-site data storage, cross-training,
etc.
• DRP – What do we need to do in a crisis?
– Response plans, Recovery plans, etc.
Security Architecture and Models
• Operation modes/protection
mechanisms.
• Evaluation Criteria
• Security Models
• Common Flows/Issues:
– Covert Channels, timing issues,
maintenance hooks, etc.
Information Security Governance
Risk Management
• Policies, Standards, Guidelines and
Procedures
• Risk Management Tools and Practices
• Risk assessment:
– Qualitative vs. Quantitative
• Planning and Organization
Operations Security
•
•
•
•
•
•
Administrative Management
Operation Controls
Auditing
Monitoring
Intrusion Detection (operational side)
Threats/Countermeasures
Legal, Regulations,
Investigations and Compliance
•
•
•
•
•
Types of computer crimes/attacks
Categories of Law
Computer Laws
Incidents and incident handlings
Investigation and Evidence
Cryptography
• Concepts and Methodologies
• Encryption algorithms
– Asymmetric vs. symmetric
• PKI
• Cryptanalysis/Methods of Attacks
• Steganography
PICK GOOD ALGORITHMS!
Original
Using ECB Mode
Non-ECB
ECB = Electronic Codebook. Divide message into blocks, same
key encrypts blocks separately.
(http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation)
Threats to Security
•
•
•
•
•
•
•
•
Viruses and Worms
Other Malware and Trojans
Social Engineering/Phishing
Intruders
Insiders
Criminal Organizations
Terrorists and Information Warfare
Insecure Applications
Viruses, Worms, Malware,
Trojans
• Lack of policies/training/procedures
– Employees can bring in problems!
• Mitigation techniques:
– Anti Virus
– Firewalls
– TRAINING
Social Engineering
• Multiple methods:
– Phone calls
– Dumpster Diving
– Phishing
• Mitigation techniques
– Policies/Procedures
– Training
Intruders
• Def: Deliberately accessing systems
or networks to which is un-authorized
• Types:
– Unstructured threat – not after a specific
target
• Opportunity
• Script Kiddies
– Structured Threat – Specific target is in
mind
• Elite hackers
Insiders
• Most Dangerous! Accounts for 70-75%
of all security events
• Insiders have access to the keys to the
kingdom
• Human errors account for many security
events
• Mitigation
– Policies, Procedures, Training, Monitoring,
etc
Criminal Organizations
• With so many business functions now
relying on the Internet, crime was sure
to follow it.
• Attacks:
– Fraud, extortion, theft, embezzlement and
forgery
• Well funded, hire elite hackers, willing to
spend years if necessary
• Type: Structured attack
Two Types of Electronic
Crime
• Crimes in which the computer was the
target of the attack
• Incidents in which the computer was a
means of perpetrating a criminal act.
Threats to Security
• The biggest change that has occurred in
security over the last 30 years has been
the change in the computing
environment
– Central Mainframes to
– Decentralized smaller, yet interconnected,
systems
– Although we seem to be shifting back towards
central data centers for core operations.
Avenues of Attack
• Types:
– Specific target of an attacker
– Target of opportunity
Steps in an Attack
• Reconnaissance
– Gather easily available data
• Publicly available information from the web
• Newspapers
• Financial reports (if publicly traded they are
available)
• Google as an attack tool?
Reconnaissance (cont.)
– Probing
• Ping sweeps – find hosts
• Port sweeps – find open ports to then test for
holes
• Determine OS (can be done quite accurately!)
Steps in an attack
• Attempt to exploit vulnerabilities
• Attempt to gain access through
userid/passwords
– Brute force
– Social engineering
• And of course there is simply the
physical theft of the system, backup
tapes, etc.!
Minimizing Attack Avenues
•
•
•
•
•
Patch against vulnerabilities
Use of DMZ (system isolation)
Firewalls
Intrusion detection/prevention systems
Minimize open ports/systems directly
accessible to the Internet
• Good physical security
• Good training to negate social
engineering attacks
RSA Attack
• March 2011, RSA had a data breach
– Attacker stole information which affected
some 40 million two-factor authentication
tokens
– Devices are used in private industry and
government agencies
– Produces a 6 digit number every 60
seconds.
RSA Attack Analysis
• An Advanced Persistent Threat (APT)
A structured (advanced),
targeted attack (persistent),
intent on gaining information (threat)
RSA Background
• RSA is a security company that
employs a great number of security
devices to prevent such a data breach
• Methods used bypassed many of the
controls that would otherwise prevented
direct attack
Attacker Initial Steps
• Attackers acquired valid email
addresses of a small group of
employees.
• If the attackers did a full spam to all
possible addresses, it gives them away
and prevention/detection by RSA is
much easier.
Phishing Emails
• Two different phishing emails sent over
a two-day period.
• Sent to two small groups of employees,
not particularly high profile or high value
targets.
• Subject line read: 2011 Recruitment
Plan
• SPAM filtering DID catch it but put in the
Junk folder
Employee Mistake
• One employee retrieved the email from
the Junk mail folder
• Email contained an Excel spreadsheet
entitled: 2001 Recruitment Plan.xls
• Spreadsheet contained a zero-day
exploit through Adobe Flash (since
patched).
– Installed a backdoor program to allow
access.
Remote Administration Tool (RAT)
• Attackers chose to use the Poison Ivy
RAT.
– Very tiny footprint
– Gives attacker complete control over the
system
– Set in reverse-connect mode. System
reaches out to get commands. Fairly
standard method of getting through
firewalls/IPS
Digital Shoulder-Surfing
• Next the attackers just sat back and
digitally listened to what was going on
with the system
• The initial system/user didn’t have
adequate access for their needs so they
needed to take a step to another system
to go further.
Harvesting
• Initial platform wasn’t adequate,
attackers harvested credentials: user,
domain admin, service accounts)
• Next, performed privilege escalation on
non-admin users on other targeted
systems. Goal: gain access to high
value systems/targets.
The Race
• During the stepping from system to
system, security controls detected an
attack in progress. The race was now
on.
• Attacker had to move very quickly
during this phase of finding a valuable
target.
Data Gathering
• Attacker established access at staging
servers at key aggregation points to
retrieve data.
• As they visited servers of interest, data
was copied to staging servers.
• Staging servers aggregated,
compressed, encrypted and then FTP’d
the data out.
Receiving Host
• Target receiving data was a
compromised host at an external
hosting provider.
• Attacker then removed the files from the
external compromised host to remove
traces of the attack.
• This also hid the attacker’s true
identity/location.
Lessons Learned
• Weakest link: A human
• Layered Security: Not adequate to
prevent
• Upside: Able to implement new security
controls to this point were considered
too restrictive.
Karl’s Changes
• What follows would be the changes I’d
make at RSA.
• Note, they are a commercial company
and do not have the open requirements
higher education has. Two different
beasts.
• If I were to implement these, very likely
I’d be doing a different job…
Changes
• Traffic shaping both ways. (Firewall port
blocking isn’t enough)
• Block all but specific protocols
• IDS/IPS on all those protocols
• Aggressive use of DMZ: Isolate systems
• Isolate workstations from one another
• Clean Access Solutions on all systems
Biggest Change
• Mandatory Monthly Security Awareness
training for everyone.
• (breaking it into monthly modules
makes it tolerable)
• Needs to be interesting/fun, Door
prizes, etc.
RSA Attack: Credits
• http://www.satorys.com/rsa-attackanalysis-lessons-learned/