Date post: 20-Jan-2016
Information Security: Security Blankets are not Enough Karl F. Lutzen, CISSP S&T Information Security Officer
Transcript
Page 1: Information Security: Security Blankets are not Enough

Karl F. Lutzen, CISSP

S&T Information Security Officer

Page 2: About Me

• Karl F. Lutzen
  – Certified Information Systems Security Professional (CISSP)
  – S&T Information Security Officer
  – Instructor for CS 362

• Office
  – Location: 203D Centennial Hall
  – Email: [email protected] (start here!)

Page 3: Information

• “Information” is likely the only asset that can be stolen from you while you still have full possession.

• This includes: Data, Personal information, trade secrets, intellectual property, etc.

Page 4: Information

• Clearly we need to protect:
  – The information itself
  – The systems where it lives
  – The access to it
  – And many other aspects

Page 5: Fundamental Principles

• Confidentiality

• Availability

• Integrity

Page 6: Question

• How much of the overall security will be technical solutions?

Page 7: Our information lives here:

What all do we need to do to protect it?

Page 9: Physical (Environmental) Security

• Physical security consists of physically securing the devices:
  – Locks/Cables, Alarms, Secure rooms, Cameras*, Fences, Lighting, Heating, Cooling, Fire protection, etc.

• If you defeat the physical security controls, all other control domains (except one) are defeated.

* Cameras will likely not prevent a theft; they only deter it or provide evidence later.

Page 10: Access Control and Methodology

• Who has access, how is it controlled, etc.
  – Authentication
    • Passphrases, two-factor, multi-factor, biometrics
  – Access Controls
    • Role-Based Access Controls, Mandatory Access Controls, Discretionary Access Controls

• Least Privilege and Need to Know

Page 11: Application Development Security

• Software-Based Controls

• Software Development Lifecycle and Principles
  – Development models: waterfall, spiral, etc.
  – Code Review

Page 12: Telecommunications and Network Security

• Implementing correct protocols

• Network services
  – Firewalls
  – IDS/IPS
  – Traffic Shaping

• Network Topology

Page 13: Business Continuity Planning (BCP) / Disaster Recovery Planning (DRP)

• BCP – What controls and processes do we need to implement to keep our systems running?
  – Backups, off-site data storage, cross-training, etc.

• DRP – What do we need to do in a crisis?
  – Response plans, Recovery plans, etc.

Page 14: Security Architecture and Models

• Operation modes/protection mechanisms

• Evaluation Criteria

• Security Models

• Common Flaws/Issues:
  – Covert channels, timing issues, maintenance hooks, etc.

Page 15: Information Security Governance and Risk Management

• Policies, Standards, Guidelines and Procedures

• Risk Management Tools and Practices

• Risk assessment:
  – Qualitative vs. Quantitative

• Planning and Organization

Page 16: Operations Security

• Administrative Management

• Operation Controls

• Auditing

• Monitoring

• Intrusion Detection (operational side)

• Threats/Countermeasures

Page 17: Legal, Regulations, Investigations and Compliance

• Types of computer crimes/attacks

• Categories of Law

• Computer Laws

• Incidents and incident handling

• Investigation and Evidence

Page 18: Cryptography

• Concepts and Methodologies

• Encryption algorithms
  – Asymmetric vs. symmetric

• PKI

• Cryptanalysis/Methods of Attacks

• Steganography

Page 19: PICK GOOD ALGORITHMS!

[Image: the same picture shown three ways, captioned “Original”, “Using ECB Mode” and “Non-ECB”]

ECB = Electronic Codebook. Divide the message into blocks; the same key encrypts each block separately.

(http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation)
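As an added example (not from the slides), the Go program below shows in code what the picture on this slide shows: AES in ECB mode turns a repeated 16-byte plaintext block into a repeated ciphertext block, while CBC hides the repetition. The key, plaintext and all-zero IV are constructed for the demonstration, and the repeated-block count doubles as a simple audit check for ECB use.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// Constructed demo key and plaintext (not real secrets): one 16-byte block
// repeated four times, like the flat-coloured regions of the slide's picture.
var demoKey = []byte("0123456789abcdef")
var demoPlain = bytes.Repeat([]byte("SAME BLOCK AGAIN"), 4)

// ecbEncrypt is what "ECB mode" means: each block is encrypted on its own with
// the same key, so equal plaintext blocks always give equal ciphertext blocks.
func ecbEncrypt(block cipher.Block, plain []byte) []byte {
	bs, out := block.BlockSize(), make([]byte, len(plain))
	for i := 0; i < len(plain); i += bs {
		block.Encrypt(out[i:i+bs], plain[i:i+bs])
	}
	return out
}

// cbcEncrypt XORs each block with the previous ciphertext block (the IV for the
// first one) before encrypting, so repeats in the plaintext no longer show.
func cbcEncrypt(block cipher.Block, iv, plain []byte) []byte {
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plain)
	return out
}

// repeatedBlocks counts ciphertext blocks that duplicate an earlier block; a
// non-zero count on real data is a quick audit tell that ECB is in use.
func repeatedBlocks(ct []byte, bs int) int {
	seen := map[string]bool{}
	for i := 0; i+bs <= len(ct); i += bs {
		seen[string(ct[i:i+bs])] = true
	}
	return len(ct)/bs - len(seen)
}

// compareModes encrypts the demo plaintext both ways and returns how many
// repeated blocks each mode leaks (expected: ECB=3, CBC=0).
func compareModes() (ecbDups, cbcDups int) {
	block, _ := aes.NewCipher(demoKey) // key is exactly 16 bytes, so this cannot fail
	iv := make([]byte, aes.BlockSize)   // all-zero IV: fine for a demo, never reuse one in practice
	ecbDups = repeatedBlocks(ecbEncrypt(block, demoPlain), aes.BlockSize)
	cbcDups = repeatedBlocks(cbcEncrypt(block, iv, demoPlain), aes.BlockSize)
	return ecbDups, cbcDups
}
```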

Page 20: Threats to Security

• Viruses and Worms
• Other Malware and Trojans
• Social Engineering/Phishing
• Intruders
• Insiders
• Criminal Organizations
• Terrorists and Information Warfare
• Insecure Applications

Page 21: Viruses, Worms, Malware, Trojans

• Lack of policies/training/procedures
  – Employees can bring in problems!

• Mitigation techniques:
  – Anti-Virus
  – Firewalls
  – TRAINING

Page 22: Social Engineering

• Multiple methods:
  – Phone calls
  – Dumpster Diving
  – Phishing

• Mitigation techniques:
  – Policies/Procedures
  – Training

Page 23: Intruders

• Def: Deliberately accessing systems or networks to which one is not authorized

• Types:
  – Unstructured threat – not after a specific target
    • Opportunity
    • Script Kiddies
  – Structured threat – a specific target is in mind
    • Elite hackers

Page 24: Insiders

• Most Dangerous! Accounts for 70-75% of all security events

• Insiders have access to the keys to the kingdom

• Human errors account for many security events

• Mitigation
  – Policies, Procedures, Training, Monitoring, etc.

Page 25: Criminal Organizations

• With so many business functions now relying on the Internet, crime was sure to follow it.

• Attacks:
  – Fraud, extortion, theft, embezzlement and forgery

• Well funded, hire elite hackers, willing to spend years if necessary

• Type: Structured attack

Page 26: Two Types of Electronic Crime

• Crimes in which the computer was the target of the attack

• Incidents in which the computer was a means of perpetrating a criminal act.

Page 27: Threats to Security

• The biggest change that has occurred in security over the last 30 years has been the change in the computing environment
  – Central mainframes to
  – Decentralized smaller, yet interconnected, systems
  – Although we seem to be shifting back towards central data centers for core operations.

Page 28: Avenues of Attack

• Types:
  – Specific target of an attacker
  – Target of opportunity

Page 29: Steps in an Attack

• Reconnaissance
  – Gather easily available data
    • Publicly available information from the web
    • Newspapers
    • Financial reports (if publicly traded, they are available)
    • Google as an attack tool?

Page 30: Reconnaissance (cont.)

  – Probing
    • Ping sweeps – find hosts
    • Port sweeps – find open ports to then test for holes
    • Determine OS (can be done quite accurately!)

Page 31: Steps in an Attack

• Attempt to exploit vulnerabilities

• Attempt to gain access through userid/passwords
  – Brute force
  – Social engineering

• And of course there is simply the physical theft of the system, backup tapes, etc.!

Page 32: Minimizing Attack Avenues

• Patch against vulnerabilities
• Use of DMZ (system isolation)
• Firewalls
• Intrusion detection/prevention systems
• Minimize open ports/systems directly accessible to the Internet
• Good physical security
• Good training to negate social engineering attacks

Page 33: RSA Attack

• March 2011, RSA had a data breach
  – Attacker stole information which affected some 40 million two-factor authentication tokens
  – Devices are used in private industry and government agencies
  – Each device produces a 6-digit number every 60 seconds.

Page 34: RSA Attack Analysis

• An Advanced Persistent Threat (APT)
  – A structured (advanced), targeted attack (persistent), intent on gaining information (threat)

Page 35: RSA Background

• RSA is a security company that employs a great number of security devices to prevent such a data breach

• The methods used bypassed many of the controls that would otherwise have prevented a direct attack

Page 36: Attacker Initial Steps

• Attackers acquired valid email addresses of a small group of employees.

• Had the attackers spammed every possible address, it would have given them away and made prevention/detection by RSA much easier.

Page 37: Phishing Emails

• Two different phishing emails sent over a two-day period.

• Sent to two small groups of employees, not particularly high-profile or high-value targets.

• Subject line read: 2011 Recruitment Plan

• SPAM filtering DID catch it but put it in the Junk folder

Page 38: Employee Mistake

• One employee retrieved the email from the Junk mail folder

• Email contained an Excel spreadsheet entitled: 2001 Recruitment Plan.xls

• Spreadsheet contained a zero-day exploit through Adobe Flash (since patched).
  – Installed a backdoor program to allow access.

Page 39: Remote Administration Tool (RAT)

• Attackers chose to use the Poison Ivy RAT.
  – Very tiny footprint
  – Gives attacker complete control over the system
  – Set in reverse-connect mode: the compromised system reaches out to get commands. Fairly standard method of getting through firewalls/IPS.

Page 40: Digital Shoulder-Surfing

• Next the attackers just sat back and digitally listened to what was going on with the system

• The initial system/user didn’t have adequate access for the attackers’ needs, so they needed to step to another system to go further.

Page 41: Harvesting

• The initial platform wasn’t adequate, so the attackers harvested credentials (user, domain admin, service accounts)

• Next, performed privilege escalation on non-admin users on other targeted systems. Goal: gain access to high value systems/targets.

Page 42: The Race

• During the stepping from system to system, security controls detected an attack in progress. The race was now on.

• Attacker had to move very quickly during this phase of finding a valuable target.

Page 43: Data Gathering

• Attacker established access at staging servers at key aggregation points to retrieve data.

• As they visited servers of interest, data was copied to staging servers.

• Staging servers aggregated, compressed, encrypted and then FTP’d the data out.

Page 44: Receiving Host

• Target receiving data was a compromised host at an external hosting provider.

• Attacker then removed the files from the external compromised host to remove traces of the attack.

• This also hid the attacker’s true identity/location.

Page 46: Lessons Learned

• Weakest link: A human

• Layered Security: Not adequate to prevent the attack

• Upside: Able to implement new security controls that up to this point were considered too restrictive.

Page 47: Karl’s Changes

• What follows would be the changes I’d make at RSA.

• Note, they are a commercial company and do not have the open requirements higher education has. Two different beasts.

• If I were to implement these, very likely I’d be doing a different job…

Page 48: Changes

• Traffic shaping both ways. (Firewall port blocking isn’t enough)

• Block all but specific protocols
• IDS/IPS on all those protocols
• Aggressive use of DMZ: Isolate systems
• Isolate workstations from one another
• Clean Access Solutions on all systems
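As an added example (not from the deck), this Go program shows the detection side of the point made on the Poison Ivy slide and repeated here: a reverse-connect RAT calls out on a timer from inside the network, so port blocking alone does not stop it, but the regularity of its outbound connections is visible in egress firewall logs. The log lines, addresses and thresholds are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed egress firewall log, one outbound connection per line:
// "epochSec src dst". Made up for this example; not data from the RSA case.
const demoLog = `1000 10.1.1.5 203.0.113.9
1300 10.1.1.5 203.0.113.9
1600 10.1.1.5 203.0.113.9
1900 10.1.1.5 203.0.113.9
1100 10.1.1.8 203.0.113.50
2200 10.1.1.8 203.0.113.50
2300 10.1.1.8 203.0.113.50`

// beacons returns "src->dst" pairs seen at least minHits times whose gaps
// between connections differ by at most jitter seconds: the fixed-timer
// call-home of a reverse-connect RAT, which port blocking lets through
// because the connection starts inside on an allowed port.
func beacons(logText string, minHits, jitter int) []string {
	byPair := map[string][]int{}
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		var ts int
		var src, dst string
		if _, err := fmt.Sscanf(line, "%d %s %s", &ts, &src, &dst); err != nil {
			continue // skip malformed lines rather than abort the sweep
		}
		byPair[src+"->"+dst] = append(byPair[src+"->"+dst], ts)
	}
	var hits []string
	for pair, ts := range byPair {
		if len(ts) < minHits || len(ts) < 2 {
			continue
		}
		sort.Ints(ts)
		var gaps []int
		for i := 1; i < len(ts); i++ {
			gaps = append(gaps, ts[i]-ts[i-1])
		}
		sort.Ints(gaps)
		if gaps[len(gaps)-1]-gaps[0] <= jitter {
			hits = append(hits, pair)
		}
	}
	sort.Strings(hits)
	return hits
}
```

Real implants add random jitter and vary their destinations, so in practice this check is tuned per environment and combined with the protocol allow-list and IDS/IPS changes listed above.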

Page 49: Biggest Change

• Mandatory Monthly Security Awareness training for everyone.

• (breaking it into monthly modules makes it tolerable)

• Needs to be interesting/fun, Door prizes, etc.

Page 50: RSA Attack: Credits

• http://www.satorys.com/rsa-attack-analysis-lessons-learned/

