Date posted: 20-Jan-2016
Information Security: Security Blankets are not Enough
Karl F. Lutzen, CISSP
S&T Information Security Officer
About Me
• Karl F. Lutzen
– Certified Information Systems Security Professional (CISSP)
– S&T Information Security Officer
– Instructor for CS 362
• Office
– Location: 203D Centennial Hall
– Email: [email protected] (start here!)
Information
• “Information” is likely the only asset that can be stolen from you while you still have full possession.
• This includes: Data, Personal information, trade secrets, intellectual property, etc.
Information
• Clearly we need to protect:
– The information itself
– The systems where it lives
– The access to it
– And many other aspects
Fundamental Principles
• Confidentiality
• Availability
• Integrity
Question
• How much of the overall security will be technical solutions?
Our information lives here:
What all do we need to do to protect it?
Physical (Environmental) Security
• Physical security consists of physically securing the devices:
– Locks/Cables, Alarms, Secure rooms, Cameras*, Fences, Lighting, Heating, Cooling, Fire protection, etc.
• If you defeat the physical security controls, all other control domains (except one) are defeated.
*cameras will likely not prevent a theft. Only deter it or be used for evidence later.
Access Control and Methodology
• Who has access, how is it controlled, etc.
– Authentication
• Passphrases, two factor, multi-factor, biometrics
– Access Controls
• Role Based Access Controls, Mandatory Access Controls, Discretionary Access Controls
• Least Privilege and Need to Know
Application Development Security
• Software Based Controls
• Software Development Lifecycle and Principles
– Development models: waterfall, spiral, etc.
– Code Review
Telecommunications and Network Security
• Implementing correct protocols
• Network services
– Firewalls
– IDS/IPS
– Traffic Shaping
• Network Topology
Business Continuity Planning (BCP) / Disaster Recovery Planning (DRP)
• BCP – What controls and processes do we need to implement to keep our systems running?
– Backups, off-site data storage, cross-training, etc.
• DRP – What do we need to do in a crisis?
– Response plans, Recovery plans, etc.
Security Architecture and Models
• Operation modes/protection mechanisms.
• Evaluation Criteria
• Security Models
• Common Flaws/Issues:
– Covert Channels, timing issues, maintenance hooks, etc.
Information Security Governance and Risk Management
• Policies, Standards, Guidelines and Procedures
• Risk Management Tools and Practices
• Risk assessment:
– Qualitative vs. Quantitative
• Planning and Organization
Operations Security
• Administrative Management
• Operation Controls
• Auditing
• Monitoring
• Intrusion Detection (operational side)
• Threats/Countermeasures
Legal, Regulations, Investigations and Compliance
• Types of computer crimes/attacks
• Categories of Law
• Computer Laws
• Incidents and incident handling
• Investigation and Evidence
Cryptography
• Concepts and Methodologies
• Encryption algorithms
– Asymmetric vs. symmetric
• PKI
• Cryptanalysis/Methods of Attacks
• Steganography
PICK GOOD ALGORITHMS!
[Figure: the same image shown three ways – Original, Using ECB Mode, Non-ECB]
ECB = Electronic Codebook. Divide message into blocks, same key encrypts blocks separately.
(http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation)
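The ECB weakness the figure illustrates, as an added example that is not part of the slides: under ECB, identical plaintext blocks always become identical ciphertext blocks, which is why the flat colour regions of the picture, and therefore its outline, survive encryption. CBC XORs each block with the previous ciphertext block (starting from a random IV), so the repetition disappears. The block cipher used here is a constructed toy, a 4-round Feistel network over 16-byte blocks with SHA-256 as the round function; it is invertible so both modes round-trip, but it is not a real cipher, and only the difference between the modes is the point.

```python
"""ECB vs. CBC on a plaintext with many repeated blocks.

CONSTRUCTED toy block cipher: a 4-round Feistel network over 16-byte blocks
with SHA-256 as the round function. It is invertible (so both modes
round-trip) but it is NOT a real cipher; only the mode behaviour matters.
"""
import hashlib
import os

BLOCK = 16  # bytes per block, the same size as AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed round function F(k, i, half): 8 bytes of SHA-256(k || i || half)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in range(4):                       # (L, R) -> (R, L xor F(R))
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):             # undo the rounds in reverse order
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right


def _pad(data: bytes) -> bytes:
    """PKCS#7 padding: always add 1..16 bytes so the last block is unambiguous."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently with the same key."""
    return b"".join(toy_block_encrypt(key, b) for b in _blocks(_pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return _unpad(b"".join(toy_block_decrypt(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key: bytes, plaintext: bytes, iv=None) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block before
    encryption. A fresh random IV per message makes equal messages differ."""
    prev = iv if iv is not None else os.urandom(BLOCK)
    out = [prev]                                # the IV travels with the ciphertext
    for b in _blocks(_pad(plaintext)):
        prev = toy_block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    prev, out = iv, []
    for c in _blocks(body):
        out.append(_xor(toy_block_decrypt(key, c), prev))
        prev = c
    return _unpad(b"".join(out))


def distinct_block_ratio(ciphertext: bytes) -> float:
    """Fraction of ciphertext blocks that are unique; 1.0 means nothing repeats."""
    blocks = _blocks(ciphertext)
    return len(set(blocks)) / len(blocks)


# Constructed "image": 32 identical blocks, like a flat region of the picture.
KEY = b"constructed-demo-key-not-secret!"
FLAT_REGION = b"\xff" * BLOCK * 32

if __name__ == "__main__":
    ecb = distinct_block_ratio(ecb_encrypt(KEY, FLAT_REGION))   # 2 distinct of 33
    cbc = distinct_block_ratio(cbc_encrypt(KEY, FLAT_REGION))   # all 34 distinct
    print(f"ECB distinct-block ratio: {ecb:.3f}")
    print(f"CBC distinct-block ratio: {cbc:.3f}")
```

Under ECB the 32 identical blocks collapse to a single repeated ciphertext block (plus one padding block), so an observer sees the structure of the plaintext without knowing the key; under CBC every block differs. The same effect with a real cipher is what the three images on the slide show, and it is a property of the mode, so swapping in AES would not change it.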
Threats to Security
• Viruses and Worms
• Other Malware and Trojans
• Social Engineering/Phishing
• Intruders
• Insiders
• Criminal Organizations
• Terrorists and Information Warfare
• Insecure Applications
Viruses, Worms, Malware, Trojans
• Lack of policies/training/procedures
– Employees can bring in problems!
• Mitigation techniques:
– Anti-Virus
– Firewalls
– TRAINING
Social Engineering
• Multiple methods:
– Phone calls
– Dumpster Diving
– Phishing
• Mitigation techniques
– Policies/Procedures
– Training
Intruders
• Def: Deliberately accessing systems or networks to which one is not authorized
• Types:
– Unstructured threat – not after a specific target
• Opportunity
• Script Kiddies
– Structured Threat – Specific target is in mind
• Elite hackers
Insiders
• Most Dangerous! Accounts for 70-75% of all security events
• Insiders have access to the keys to the kingdom
• Human errors account for many security events
• Mitigation
– Policies, Procedures, Training, Monitoring, etc.
Criminal Organizations
• With so many business functions now relying on the Internet, crime was sure to follow it.
• Attacks:
– Fraud, extortion, theft, embezzlement and forgery
• Well funded, hire elite hackers, willing to spend years if necessary
• Type: Structured attack
Two Types of Electronic Crime
• Crimes in which the computer was the target of the attack
• Incidents in which the computer was a means of perpetrating a criminal act.
Threats to Security
• The biggest change that has occurred in security over the last 30 years has been the change in the computing environment
– Central Mainframes to
– Decentralized smaller, yet interconnected, systems
– Although we seem to be shifting back towards central data centers for core operations.
Avenues of Attack
• Types:
– Specific target of an attacker
– Target of opportunity
Steps in an Attack
• Reconnaissance
– Gather easily available data
• Publicly available information from the web
• Newspapers
• Financial reports (if publicly traded they are available)
• Google as an attack tool?
Reconnaissance (cont.)
– Probing
• Ping sweeps – find hosts
• Port sweeps – find open ports to then test for holes
• Determine OS (can be done quite accurately!)
Steps in an Attack
• Attempt to exploit vulnerabilities
• Attempt to gain access through userid/passwords
– Brute force
– Social engineering
• And of course there is simply the physical theft of the system, backup tapes, etc.!
Minimizing Attack Avenues
• Patch against vulnerabilities
• Use of DMZ (system isolation)
• Firewalls
• Intrusion detection/prevention systems
• Minimize open ports/systems directly accessible to the Internet
• Good physical security
• Good training to negate social engineering attacks
RSA Attack
• March 2011, RSA had a data breach
– Attacker stole information which affected some 40 million two-factor authentication tokens
– Devices are used in private industry and government agencies
– Produces a 6-digit number every 60 seconds.
RSA Attack Analysis
• An Advanced Persistent Threat (APT): a structured (advanced), targeted attack (persistent), intent on gaining information (threat)
RSA Background
• RSA is a security company that employs a great number of security devices to prevent such a data breach
• The methods used bypassed many of the controls that would otherwise have prevented a direct attack
Attacker Initial Steps
• Attackers acquired valid email addresses of a small group of employees.
• Had the attackers spammed all possible addresses, it would have given them away and made prevention/detection by RSA much easier.
Phishing Emails
• Two different phishing emails sent over a two-day period.
• Sent to two small groups of employees, not particularly high profile or high value targets.
• Subject line read: 2011 Recruitment Plan
• SPAM filtering DID catch it but put it in the Junk folder
Employee Mistake
• One employee retrieved the email from the Junk mail folder
• Email contained an Excel spreadsheet entitled: 2001 Recruitment Plan.xls
• Spreadsheet contained a zero-day exploit through Adobe Flash (since patched).
– Installed a backdoor program to allow access.
Remote Administration Tool (RAT)
• Attackers chose to use the Poison Ivy RAT.
– Very tiny footprint
– Gives attacker complete control over the system
– Set in reverse-connect mode. System reaches out to get commands. Fairly standard method of getting through firewalls/IPS
Digital Shoulder-Surfing
• Next the attackers just sat back and digitally listened to what was going on with the system
• The initial system/user didn’t have adequate access for their needs so they needed to take a step to another system to go further.
Harvesting
• Initial platform wasn't adequate, so attackers harvested credentials (user, domain admin, service accounts)
• Next, performed privilege escalation on non-admin users on other targeted systems. Goal: gain access to high value systems/targets.
The Race
• During the stepping from system to system, security controls detected an attack in progress. The race was now on.
• Attacker had to move very quickly during this phase of finding a valuable target.
Data Gathering
• Attacker established access at staging servers at key aggregation points to retrieve data.
• As they visited servers of interest, data was copied to staging servers.
• Staging servers aggregated, compressed, encrypted and then FTP’d the data out.
Receiving Host
• Target receiving data was a compromised host at an external hosting provider.
• Attacker then removed the files from the external compromised host to remove traces of the attack.
• This also hid the attacker’s true identity/location.
Lessons Learned
• Weakest link: A human
• Layered Security: Not adequate to prevent
• Upside: able to implement new security controls that, to this point, were considered too restrictive.
Karl’s Changes
• What follows would be the changes I’d make at RSA.
• Note, they are a commercial company and do not have the open requirements higher education has. Two different beasts.
• If I were to implement these, very likely I’d be doing a different job…
Changes
• Traffic shaping both ways. (Firewall port blocking isn't enough)
• Block all but specific protocols
• IDS/IPS on all those protocols
• Aggressive use of DMZ: Isolate systems
• Isolate workstations from one another
• Clean Access Solutions on all systems
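Two of the changes above, block all but specific protocols and control traffic in both directions, fit the attack as described: the RAT reached out from inside for its commands, and the staging servers FTP'd the aggregated data out, both relying on inside hosts being free to start arbitrary outbound connections. The added example below is not from the slides; it evaluates constructed firewall connection records (format `src dst dport bytes_out`, addresses from the documentation ranges) against a default-deny egress policy in which each permitted protocol is tied to the hosts that need it, with a size ceiling that catches a bulk upload over an otherwise allowed protocol. The policy, hosts, ports and threshold are all assumptions for the demonstration.

```python
"""Default-deny egress policy evaluated against constructed connection records.

Added example, not from the slides. Assumes a firewall that logs each
outbound connection as 'src dst dport bytes_out'. All addresses, ports and
policy entries below are constructed for the demonstration.
"""
from dataclasses import dataclass
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # constructed internal range
MAX_BYTES_OUT = 100 * 1024 * 1024                   # per-connection ceiling (100 MiB)

# Constructed egress policy: protocol -> (destination port, source networks
# allowed to use it). Anything not listed here is denied: "block all but
# specific protocols", and each one only from the hosts that need it.
EGRESS_POLICY = {
    "https": (443, ["10.0.0.0/8"]),    # everyone may browse
    "dns":   (53,  ["10.0.0.53/32"]),  # only the internal resolver talks out
    "smtp":  (25,  ["10.0.0.25/32"]),  # only the mail relay sends mail
}


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_log(text: str) -> list:
    """Parse 'src dst dport bytes_out' records; '#' starts a comment."""
    conns = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, dport, nbytes = line.split()
        conns.append(Connection(src, dst, int(dport), int(nbytes)))
    return conns


def evaluate(conn: Connection):
    """Return None when the connection complies with policy, else the reason."""
    if ipaddress.ip_address(conn.dst) in INTERNAL:
        return None                 # not egress; host isolation is a separate control
    for name, (port, nets) in EGRESS_POLICY.items():
        if conn.dport != port:
            continue
        src = ipaddress.ip_address(conn.src)
        if not any(src in ipaddress.ip_network(n) for n in nets):
            return f"{name} egress not permitted from {conn.src}"
        if conn.bytes_out > MAX_BYTES_OUT:
            return f"{name} egress of {conn.bytes_out} bytes exceeds ceiling"
        return None
    return f"destination port {conn.dport} is not an allowed egress protocol"


def audit(text: str) -> list:
    """Return (connection, reason) for every record that violates policy."""
    findings = []
    for conn in parse_log(text):
        reason = evaluate(conn)
        if reason is not None:
            findings.append((conn, reason))
    return findings


# Constructed records: a workstation browsing, the resolver doing DNS, a
# workstation resolving on its own, a server pushing a large archive out over
# FTP, an unknown high port, a bulk HTTPS upload, and internal file sharing.
SAMPLE_LOG = """
10.0.1.15 203.0.113.10  443  5120
10.0.0.53 198.51.100.2   53   300
10.0.1.15 198.51.100.2   53   300
10.0.5.40 203.0.113.77   21  734003200
10.0.1.22 203.0.113.99 3460  1200
10.0.5.41 203.0.113.10  443  314572800
10.0.1.15 10.0.5.40     445  2048
"""

if __name__ == "__main__":
    for conn, reason in audit(SAMPLE_LOG):
        print(f"DENY {conn.src} -> {conn.dst}:{conn.dport}  {reason}")
```

Of the seven constructed records, four are reported: the workstation doing its own DNS, the FTP transfer (port 21 is not an allowed protocol at all), the unknown high port, and the 300 MB HTTPS upload. In a real deployment the same policy is enforced on the egress firewall rather than checked after the fact, and the IDS/IPS the slide mentions inspects only the few protocols that remain open; the point of the example is that the policy is written as an allow list with a default deny, so a reverse-connecting tool or a bulk transfer is blocked or flagged without anyone having anticipated its port.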
Biggest Change
• Mandatory Monthly Security Awareness training for everyone.
• (breaking it into monthly modules makes it tolerable)
• Needs to be interesting/fun, Door prizes, etc.
RSA Attack: Credits
• http://www.satorys.com/rsa-attack-analysis-lessons-learned/