# Security Essentials Day 2 Threat and the Need for Defense in Depth

Shared by: Huy Hoang | Date: | File type: PDF | Pages: 31


Document description

Welcome. As we begin day 2, or the second major set of courses in Security Essentials, the focus will be on defense in depth. This is a term that was coined by the Department of Defense and is a crucially important concept in information assurance. The topics that we are going to cover are shown below.


## Text content: Security Essentials Day 2 Threat and the Need for Defense in Depth

1. Security Essentials Day 2 Threat and the Need for Defense in Depth

Information Assurance Foundations - SANS ©2001 1

Welcome. As we begin day 2, or the second major set of courses in Security Essentials, the focus will be on defense in depth. This is a term that was coined by the Department of Defense and is a crucially important concept in information assurance. The topics that we are going to cover are shown below.

- Security Fundamentals
  - Confidentiality, Integrity, Availability
  - Threat and risk
- Security Policy
  - What it is and what it is not
  - How to implement an effective policy
- Passwords
  - Overview of passwords
  - LC3
  - Crack
- Incident Handling
  - 6 step guide
- Information Warfare
  - Defensive strategies
  - Offensive strategies
- Web security
  - Web security vulnerabilities
  - Web security defenses

These are all components of a defense in depth risk management framework, as we will explain in our next slide titled, “Defense in Depth.”
2. Defense in Depth

We have covered: perimeter defense, vulnerability scanning, host and network intrusion detection, honeypots/honeynets and risk assessment; is there more? Now, we add security policy, password strength and assessment, incident handling, information warfare and web security.

Are we there yet? Sorry, not yet. The slide shows that while we have covered a lot of important topics, we still have a ways to go! The idea behind defense in depth is simple. The picture we have painted so far is that a good security architecture, one that can withstand the threat, has many aspects and dimensions. We need to be certain that if one countermeasure fails, there are more behind it. If they all fail, we need to be ready to detect that something has occurred, clean up the mess expeditiously and completely, and then tune our defenses to keep it from happening to us again.

One of the most effective attacks that penetrates standard perimeters is malicious code: things like viruses and Trojan software. They come in as attachments to email messages, on those floppies we bring in from home (even though we aren’t supposed to), and on the CD-ROMs we bring home from DEFCON. These can do a lot of damage. Most people have heard of BackOrifice and NetBus, but there are a score of other Trojans. The best defense is keeping your anti-virus software up-to-date, and scanning at the firewall, server, and desktop level. It isn’t particularly expensive or hard, but it takes discipline.

I find systems all the time that don’t even record when successful and unsuccessful logons and logoffs occur. That's just basic, sensible auditing, and they don't turn it on. If there is ever a problem, how will we run it to ground? You may or may not be in a position where you can affect whether these things are done at your organizational level, but you can often take the responsibility for your office, shop, division, or desktop.

There are even personal firewall software products – like TCP Wrappers, BlackICE Defender, Zone Alarm, Norton Internet Security, McAfee Personal Firewall – these range from free to commercial software, and they provide perimeter protection at the host level. I use a personal firewall on my home systems when I connect to my ISP so that I can stop the simple attacks that many of my friends have experienced. The threat is targeting each of us. What role and responsibility are you willing to accept for defense in depth?
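The logon auditing point above is worth making concrete. The following is an added example, not part of the SANS course material: it parses a handful of constructed syslog-style logon lines (the line format, hostnames and addresses are assumed for illustration) and flags a successful logon that was preceded by a burst of failures from the same source, a pattern that can only be seen when both successful and unsuccessful logons are recorded.

```python
"""Review logon audit records for a burst of failures followed by a success.

Added example (not SANS course code). The syslog-like line format below is an
assumption made for illustration; real systems log logons in their own formats.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: four failed logons, then a success, from the same source.
SAMPLE_LOG = """\
2001-07-19T02:14:01 host1 login: Failed password for admin from 10.0.0.5
2001-07-19T02:14:03 host1 login: Failed password for admin from 10.0.0.5
2001-07-19T02:14:05 host1 login: Failed password for admin from 10.0.0.5
2001-07-19T02:14:06 host1 login: Failed password for admin from 10.0.0.5
2001-07-19T02:14:09 host1 login: Accepted password for admin from 10.0.0.5
2001-07-19T02:20:00 host1 login: Accepted password for alice from 10.0.0.7
2001-07-19T02:21:00 host1 login: Failed password for bob from 10.0.0.9
2001-07-19T02:25:00 host1 login: Logoff user admin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>[\d.]+)$")

def parse(log_text):
    """Yield (timestamp, result, user, source) for each logon line; skip other events."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])

def suspicious_logons(log_text, threshold=3, window_s=300):
    """Return (user, source, failure_count) where at least `threshold` failures
    occurred within `window_s` seconds before a success for the same user/source.
    If failed logons are not audited, the success looks like any other logon."""
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failures
    hits = []
    for ts, result, user, src in parse(log_text):
        key = (user, src)
        if result == "Failed":
            failures[key].append(ts)
            continue
        recent = [t for t in failures[key] if (ts - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            hits.append((user, src, len(recent)))
        failures[key].clear()   # the success ends this sequence either way
    return hits

if __name__ == "__main__":
    for user, src, n in suspicious_logons(SAMPLE_LOG):
        print(f"review: {n} failures then success for {user} from {src}")
```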
4. Agenda

- Principles of attack and defense
- Risk and threats
- Three famous attacks
- Introduction to vulnerabilities
- Basic countermeasures
- Summary

This slide shows the main topics we are going to cover. We will discuss the threats that are arrayed against our computer systems. To focus that discussion, we will be concerned with some of the more famous attacks that have occurred. Now, information assurance can get really complex, but these kinds of problems decompose nicely. As we work our way through the material, we are going to be pointing out aspects of confidentiality, integrity, and availability, in both the attacks and also the defenses we discuss.

So if you are new to security, or if you just want a quick review, the way I think about these things is – a credit card. Have you ever had a credit card not be accepted? Three different times in a row, when I was buying tires at a local store in my town, my credit card did not clear. All three times, the bank said their computers were down. Well, that is an availability attack. Well, it certainly felt like an attack to me! I live in a small town and a lot of people know me – and so to have my card rejected was very embarrassing.

Confidentiality makes sure that no one but you knows your credit card number. An example of a confidentiality defense is the way that “padlock” on the bottom of your Internet browser closes (for Netscape) or appears (with Internet Explorer) when you are executing a secure transaction – the bit stream is encrypted to foil casual eavesdroppers. An example of an integrity attack would be telling someone they lie so much, their own mother doesn’t believe them! (Ha ha - well, maybe that’s not exactly right.) It might be spoofing by using someone else’s credit card, or modifying the balance of someone else’s account. We will continue to explore these fundamental principles on our next slide titled, “Three Bedrock Principles.”
5. Three Bedrock Principles

- Confidentiality
- Integrity
- Availability

Keep in mind that the key principles we have been discussing are interrelated. So, an attacker may exploit an unintended function on a web server and use the cgi-bin program “phf” to list the password file. Now, this would breach the confidentiality of this sensitive information (the password file). Then, in the privacy of his own computer system, the attacker can use brute force or dictionary-driven password attacks to decrypt the passwords. Then, with a stolen password, the attacker can execute an integrity attack when they gain entrance to the system. And they can even use an availability attack as part of their overall effort to neutralize alarms and defensive systems, so those systems can’t report the attacker’s presence. When this is completed, the attacker can fully access the target system, and all three dimensions (confidentiality, integrity and availability) are in jeopardy.

Now, I chose a very simple, well-known attack for a reason. A large number (in fact, an embarrassingly large number) of corporate, government, and educational systems that are compromised and exploited are defeated by these well-known, well-published attacks.

Now, not all the bad things that happen to computer systems are attacks per se. There are fires, water damage, mechanical breakdowns, and plain old user error. But all of these are called threats. We use threat models to describe a given threat and the harm it could do if the system has a vulnerability, as we will see on our next slide titled, “Threats.”
9. The Threat Model

- Threat
- Vulnerability
- Compromise

Vulnerabilities are the gateways by which threats are manifested.

On the bottom of your slide, it says that “vulnerabilities are the gateways by which threats are manifested”. So, for a threat model to have any meaning at all, there has to be a threat. Are there people with the capability and inclination to attack - and quite possibly harm - your computer systems and networks? What is the probability of that happening? The probability is high that any non-private address will be targeted several times a year. The most common countermeasure for most organizations is to deploy firewalls or other perimeter devices. These work quite well to reduce the volume of attacks that originate from the Internet, but they don’t protect systems from insiders, or attacks like macro viruses which are able to pass through firewalls about 99% of the time. So there is a threat, and there are certainly vulnerabilities, and when a threat is able to connect to its specific vulnerability, the result can easily be system compromise.

Again, the most common tactic is to protect systems with perimeter devices such as firewalls. It’s cost-effective, it’s practical, and it’s highly recommended. Even the most open universities or other research environments that require themselves to be very open should be able to do some perimeter defense, even if they can only do it at the department or building level, or even if they can only do it at the host level.

In the past few slides, we have been discussing theory that provides a framework to understand and use tools like the ones we discussed in risk management – the big picture. Now we want to move away from theory a bit into some historical applications of confidentiality, integrity, and availability. Our next slide is titled, “Four Lessons From History.”
10. Four Lessons From History

- Morris worm – Availability - 1988
- Melissa – Availability - 1999
- W32.SirCam worm – Confidentiality - 2001
- Code Red II – Integrity - 2001

Hopefully, we can learn enough from history to help prevent us from having to repeat it. The attacks we are going to discuss, perhaps the three most famous information security defense failures, are: the Morris worm, SirCam, and Code Red variant II. These span from 1988 to 2001. We don’t have time in this course to explore each of these in great detail, but you should be familiar with each of these as a security professional. As homework, please try an internet search for these attacks and read a bit more.

There are information security lessons that we ought to be able to learn from these well-known attacks. In each case, there was a computer system vulnerability, and it was exploited. In each of the cases, there was an absence of defense in depth. In fact, in the case of most systems affected by the Morris worm and the Code Red attack, the exploit did not have to penetrate any defensive perimeters. So, that’s “defense in shallow!” As we go through each of the attacks, try to look out for the three primary security dimensions: confidentiality, integrity, and availability. Consider how the defenses for each failed, or did not exist in the first place. The vulnerability is listed in every case; so please note how the threat was able to exploit the vulnerability to compromise or affect the target system(s).
11. The Morris Worm

- Availability attack (Denial of Service)
- Common vulnerabilities in fingerd and sendmail allowed rapid replication
- Internet communications effectively lost

If you haven’t read Zen and the Art of the Internet, you probably should. It is available at http://sunland.gsfc.nasa.gov/info/guide/The_Internet_Worm.html. We’ll do a small reading from that section:

“On November 2, 1988, Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating, self-propagating program called a worm and injected it into the Internet. He chose to release it from MIT, to disguise the fact that the worm came from Cornell. Morris soon discovered that the program was replicating and reinfecting machines at a much faster rate than he had anticipated -- there was a bug. Ultimately, many machines at locations around the country either crashed or became "catatonic." When Morris realized what was happening, he contacted a friend at Harvard to discuss a solution. Eventually, they sent an anonymous message from Harvard over the network, instructing programmers how to kill the worm and prevent reinfection. However, because the network route was clogged, this message did not get through until it was too late. Computers were affected at many sites, including universities, military sites, and medical research facilities. The estimated cost of dealing with the worm at each installation ranged from $200 to more than $53,000. The program took advantage of a hole in the debug mode of the Unix sendmail program, which runs on a system and waits for other systems to connect to it and give it email, and a hole in the finger daemon fingerd, which serves finger requests. People at the University of California at Berkeley and MIT had copies of the program and were actively disassembling it (returning the program back into its source form) to try to figure out how it worked. Teams of programmers worked non-stop to come up with at least a temporary fix, to prevent the continued spread of the worm. After about twelve hours, the team at Berkeley came up with steps that would help retard the speed of the worm. Another method was also discovered at Purdue and widely published. The information didn't get out as quickly as it could have, however, since so many sites had completely disconnected themselves from the Internet.”

Additional information on the Morris worm can be found at http://www.software.com.pl/newarchive/misc/Worm/darbyt/pages/worm.html.
12. Morris Worm – Defense in Depth

- Threat
  - No perimeter defense (directly accessible from the Internet)
  - Multiple services on same system
  - Unpatched systems
- DiD
  - Separation of services
  - Apply patches

Robert Morris released the worm to illustrate the problem with unpatched systems. If finger had been running on a separate system from the mail system, the Internet would have been more resilient against the attack.