Security Essentials Day 2 Threat and the Need for Defense in Depth

Chia sẻ: Huy Hoang | Ngày: | Loại File: PDF | Số trang:31

lượt xem

Security Essentials Day 2 Threat and the Need for Defense in Depth

Mô tả tài liệu
  Download Vui lòng tải xuống để xem tài liệu đầy đủ

Welcome. As we begin day 2, or the second major set of courses in Security Essentials, the focus will be on defense in depth. This is a term that was coined by the Department of Defense and is a crucially important concept in information assurance. The topics that we are going to cover areshown below.

Chủ đề:

Nội dung Text: Security Essentials Day 2 Threat and the Need for Defense in Depth

  1. Security Essentials Day 2 Threat and the Need for Defense in Depth Information Assurance Foundations - SANS ©2001 1 Welcome. As we begin day 2, or the second major set of courses in Security Essentials, the focus will be on defense in depth. This is a term that was coined by the Department of Defense and is a crucially important concept in information assurance. The topics that we are going to cover are shown below. Security Fundamentals Confidentiality, Integrity, Availability Threat and risk Security Policy What it is and what it is not How to implement an effective policy Passwords Overview of passwords LC3 Crack Incident Handling 6 step guide Information Warfare Defensive strategies Offensive strategies Web security Web security vulnerabilities Web security defenses These are all components of a defense in depth risk management framework as we will explain in our next slide titled, “Defense in Depth.” 1-1
  2. Defense in Depth We have covered: perimeter defense, vulnerability scanning, host and network intrusion detection, honeypots/honeynets and risk assessment; is there more? Now, we add security policy, password strength and assessment, incident handling, information warfare and web security. Defense in Depth - SANS ©2001 2 Are we there yet? Sorry, not yet. The slide shows that while we have covered a lot of important topics, we still have a ways to go! The concept behind defense in depth is conceptually simple. The picture we have painted so far is that a good security architecture, one that can withstand the threat, has many aspects and dimensions. We need to be certain that if one countermeasure fails, there are more behind it. If they all fail, we need to be ready to detect that something has occurred and clean up the mess expeditiously and completely, and then tune our defenses to keep it from happening to us again. One of the most effective attacks that penetrates standard perimeters is malicious code. These are things like viruses and Trojan software. They come in as attachments to email messages and on those floppies we bring in from home (even though we aren’t supposed to), and the CD-ROMs we bring home from DEFCON. These can do a lot of damage. Most people have heard of BackOrifice and NetBus but there are a score of other Trojans. The best defense is keeping your anti-virus software up-to-date, and scanning at the firewall, server, and desktop level. It isn’t particularly expensive or hard, but it takes discipline. I find systems all the time that don’t even record when successful and unsuccessful logons and logoffs occur. That's just basic, sensible auditing and they don't turn it on. If there is ever a problem, how will we run it to ground? You may or may not be in a position where you can affect whether these things are done at your organizational level, but you can often take the responsibility for your office, shop, division, or desktop. There are even personal firewall software products – like TCP Wrappers, BlackICE Defender, Zone Alarm, Norton Internet Security, McAfee Personal Firewall – these range from free to commercial software, and they provide perimeter protection at the host level. I use a personal firewall on my home systems when I connect to my ISP so that I can stop the simple attacks that many of my friends have experienced. The threat is targeting each of us. What role and responsibility are you willing to accept for defense in depth? 1-2
  3. Defense In Depth (2) Network Host Application Info Defense in Depth - SANS ©2001 3 This diagram shows another way to think of the Defense In Depth concept. At the center of the diagram is your information. However, the center can be anything you value, or the answer to the question, “What are you trying to protect?” Around that center you build successive layers of protection. In the diagram, the protection layers are shown as blue rings. In this example, your information is protected by your application. The application is protected by the security of the host it resides on, and so on. In order to successfully get your information, an attacker would have to penetrate through your network, your host, your application, and finally your information protection layers. Using a Defense in Depth strategy does not make it impossible to get to your core resources – the resource at the center of the diagram. For example, your defense layers might be trivial or easy to compromise. However, a well-thought-out Defense in Depth strategy, utilizing the strongest protections feasibly possible at each layer, present a formidable defense against would-be attackers. Next, we are going to take you on a tour of three famous attacks to see what lessons we can learn from them. Along the way, we are going to discuss the three key dimensions of protection and attack. Most of you are already familiar with them. They are: confidentiality, integrity, and availability. Throughout the Security Essentials program, you will be deploying countermeasures to protect confidentiality, integrity, and availability; and you may experience attacks against these dimensions. We can think of these as the “primary colors” of information assurance. By mixing and matching these -- and we do mix and match, because they are interrelated -- we are able to develop either a very strong attack, or develop a strong defense. On our next slide, titled, “Agenda,: let’s take a look at the material we are about to explore. 1-3
  4. Agenda • Principles of attack and defense • Risk and threats • Three famous attacks • Introduction to vulnerabilities • Basic countermeasures • Summary Defense in Depth - SANS ©2001 4 This slide shows the main topics we are going to cover. We will discuss the threats that are arrayed against our computer systems. To focus that discussion, we will be concerned with some of the more famous attacks that have occurred. Now, information assurance can get really complex, but these kinds of problems decompose nicely. As we work our way through the material, we are going to be pointing out aspects of confidentiality, integrity, and availability, in both the attacks and also the defenses we discuss. So if you are new to security, or if you just want a quick review, the way I think about these things is – a credit card. Have you ever had a credit card not be accepted? Three different times in a row, when I was buying tires at a local store in my town, my credit card did not clear. All three times, the bank said their computers were down. Well, that is an availability attack. Well, it certainly felt like an attack to me! I live in a small town and a lot of people know me – and so to have my card rejected was very embarrassing. Confidentiality makes sure that no one but you knows your credit card number. An example of a confidentiality defense is the way that “padlock” on the bottom of your Internet browser closes (for Netscape) or appears (with Internet Explorer) when you are executing a secure transaction -- the bit stream is encrypted to foil casual eavesdroppers. An example of an integrity attack would be telling someone they lie so much, their own mother doesn’t believe them! (Ha ha - well, maybe that’s not exactly right.) It might be spoofing by using someone else’s credit card, or modifying the balance of someone else’s account. We will continue to explore these fundamental principles on our next slide titled, “Three Bedrock Principles.” 1-4
  5. Three Bedrock Principles • Confidentiality • Integrity Confidentiality • Availability Integrity Availability Defense in Depth - SANS ©2001 5 Keep in mind that the keys we have been discussing are interrelated. So, an attacker may exploit an unintended function on a web server and use the cgi-bin program “phf” to list the password file. Now, this would breach the confidentiality of this sensitive information (the password file). Then, on the privacy of his own computer system, the attacker can use brute force or dictionary-driven password attacks to decrypt the passwords. Then, with a stolen password, the attacker can execute an integrity attack when they gain entrance to the system. And they can even use an availability attack as part of their overall effort to neutralize alarms and defensive systems, so they can’t report his existence. When this is completed, the attacker can fully access the target system, and all three dimensions (confidentiality, integrity and availability) are in jeopardy. Now, I chose a very simple, well-known attack for a reason. A large number (in fact, an embarrassingly large number) of corporate, government, and educational systems that are compromised and exploited are defeated by these well-known, well-published attacks. Now, not all the bad things that happen to computer systems are attacks per se. There are fires, water damage, mechanical breakdowns, and plain old user error. But all of these are called threats. We use threat models to describe a given threat and the harm it could do if the system has a vulnerability as we will see on our next slide titled, “Threats.” 1-5
  6. Threats • Activity that represents possible danger • Can come in different forms & from different sources • You can’t protect against all threats • Protect against the ones that are most likely or most worrisome based on: – Business goals – Validated data – Industry best practice Defense in Depth - SANS ©2001 6 In security discussions you will hear a lot about threats. Threats, in an information security sense, are any activity that represent possible danger to your information. Danger can be thought of as anything that would negatively affect the confidentiality, integrity, or availability of your systems or services. Thus, if risk is the potential for loss or harm, threats can be thought of as the agents of risk. Threats can come in many different forms and from many different sources. There are physical threats, like fires, floods, terrorist activities, and random acts of violence. And there are electronic threats like hackers, vandals, and viruses. Your particular set of threats will depend heavily on your situation – what business you are in, who your partners and enemies are, how valuable your information is, how it is stored, maintained and secured, who has access to it, and a host of other factors. The point is there are too many variables to ever possibly protect against all the possible threats to your information. To do so would cost too much money, take too much time, and too much effort. So, you will need to pick and choose what threats you will protect against. You will start by identifying those threats that are most likely to occur or most worrisome to your organization. The way to do this is by identifying three primary areas of threat. The first is based on your business goals. If your business is heavily dependent on a patented formula you would consider theft of that formula to be a likely threat. If your business is the movement of fund transfers over a network, you would consider attacks on that network link to be a likely threat. These are two examples of business- based threats. The second type of threats are those based on validated data. If your web site is repeatedly hacked through your firewall, you would consider Internet hackers to be a major threat. If your main competitor always manages to find out key confidential information about your business plans, you would start considering corporate espionage a threat. These are examples of threats identified because of validated instances of damage based on those threats. In some ways these may be the most serious, because they have already happened and are likely to happen again in the future. The final type of threats are those that are widely known in the security industry. To protect against them is just good common sense. That is why we put badge readers and guards in buildings, why we use passwords on our computer systems, and why we keep secret information locked in a safe. We may not have had attacks against any of these, but it is commonly understood to be foolish not to do so. 1-6
  7. Vulnerabilities • Weaknesses that allow threats to happen • Must be coupled with a threat to have an impact • Can be prevented (if you know about them) Defense in Depth - SANS ©2001 7 The third element of the risk spectrum is the notion of Vulnerabilities. (Remember that the first two elements are risk and threats.) In security terms, a vulnerability is a weakness in your systems or processes that allows a threat to occur. However, simply having a vulnerability by itself is not a bad thing. It is only when the vulnerability is coupled with a threat that the danger starts to set in. Let’s look at an example. Suppose you like to leave the doors and windows to your house unlocked at night. If you live in the middle of the woods, far away from anyone else, this may not be a bad thing. There really aren’t many people that wander around and, if you’re high enough on the hill, you’ll be able to see them coming long before they present a danger. So, in this case, the vulnerability of having no locks is there, but there really isn’t any threat to take advantage of that vulnerability. Now suppose you move to a big city full of crime. In fact, this city has the highest burglary rate of any city in the country. If you continue your practice of leaving the doors and windows unlocked, you have exactly the same vulnerability as you had before. However, in the city the threat is that much higher. Thus, your overall danger and risk is much greater. Vulnerabilities can be reduced or even prevented, provided, of course, that you know about them. The problem is that many vulnerabilities lay hidden, undiscovered until somebody finds out about them. Unfortunately, the “somebody” is usually a bad guy. The bad guys always seem to find out about vulnerabilities long before the good guys. 1-7
  8. Relating Risk, Threat and Vulnerability Risk = Threat x Vulnerability Defense in Depth - SANS ©2001 8 OK, we’ve spent the last few slides talking about risks, threats, and vulnerabilities. The three concepts are extremely interrelated. Their relationship can be found in this simple formula: Risk = Threat x Vulnerability This formula shows that risk is directly related to the level of threat and vulnerability you, your systems, or your networks face. Here’s how the formula works: If you have a very high threat, but a very low vulnerability to that threat, your resulting risk will be very low. In the example we used before, if you live in a high crime neighborhood (thus, high threat) but you keep your doors and windows locked (so you have a low vulnerability), your overall risk is very low. If you have a high vulnerability to a threat (by keeping your doors and windows unlocked), but the threat itself is minor (by living in the woods), once again you have a very low risk factor. If, however, you have a high level of threat potential (a high crime area) and your vulnerability to that threat is very high (no locks), you have a high risk factor. Of course, this formula is nice, but keep in mind that, as we stated way up front, there are no absolutes in security. Thus it is usually impossible to assign numeric values to areas like threats and vulnerabilities, so this formula should be used as an aid to guide your thinking rather than an absolute mathematical calculation. When you begin to get into discussions and arguments about risks, threats, and vulnerabilities (and yes, you will get into arguments about this stuff) you can refer back to this basic formula to help guide you in your decision making process. 1-8
  9. The Threat Model • Threat • Vulnerability • Compromise Vulnerabilities are the gateways by which threats are manifested. Defense in Depth - SANS ©2001 9 On the bottom of your slide, it says that “vulnerabilities are the gateways by which threats are manifested”. So, for a threat model to have any meaning at all, there has to be a threat. Are there people with the capability and inclination to attack - and quite possibly harm - your computer systems and networks? What is the probability of that happening? The probability is high that any non-private address will be targeted several times a year. The most common countermeasure for most organizations is to deploy firewalls or other perimeter devices. These work quite well to reduce the volume of attacks that originate from the Internet, but they don’t protect systems from insiders, or attacks like macro viruses which are able to pass through firewalls about 99% of the time. So there is a threat, and there are certainly vulnerabilities, and when a threat is able to connect to its specific vulnerability, the result can easily be system compromise. Again, the most common tactic is to protect systems with perimeter devices such as firewalls. It’s cost-effective, it’s practical, and it’s highly recommended. Even the most open universities or other research environments that require themselves to be very open should be able to do some perimeter defense, even if they can only do it at the department or building level, or even if they can only do it at the host level. In the past few slides, we have been discussing theory that provides a framework to understand and use tools like the ones we discussed in risk management – the big picture. Now we want to move away from theory a bit into some historical applications of confidentiality, integrity, and availability. Our next slide is titled, “Four Lessons From History.” 1-9
  10. Four Lessons From History • Morris worm – Availability - 1988 • Melissa – Availability - 1999 • W32.SirCam worm – Confidentiality - 2001 • Code Red II – Integrity - 2001 Defense in Depth - SANS ©2001 10 Hopefully, we can learn enough from history to help prevent us from having to repeat it. The attacks we are going to discuss, perhaps the three most famous information security defense failures are: the Morris worm, SirCam, and Code Red variant II. These span from 1998 to 2001. We don’t have time in this course to explore each of these in great detail, but you should be familiar with each of these as a security professional. As homework, please try an internet search for these attacks and read a bit more. There are information security lessons that we ought to be able to learn from these well- known attacks. In each case, there was a computer system vulnerability, and it was exploited. In each of the cases, there was an absence of defense in depth. In fact, in the case of most systems affected by the Morris worm, and the Code Red attack, the exploit did not have to penetrate any defensive perimeters. So, that’s “defense in shallow!” As we go through each of the attacks, try to look out for the three primary security dimensions: confidentiality, integrity, and availability. Consider how the defenses for each failed, or did not exist in the first place. The vulnerability is listed in every case; so please note how the threat was able to exploit the vulnerability to compromise or affect the target system(s). 1 - 10
  11. The Morris Worm • Availability attack (Denial of Service) • Common vulnerabilities in fingerd and sendmail allowed rapid replication • Internet communications effectively lost Defense in Depth - SANS ©2001 11 If you haven’t read Zen and the Art of the Internet, you probably should. It is available at We’ll do a small reading from that section: “On November 2, 1988, Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating, self-propagating program called a worm and injected it into the Internet. He chose to release it from MIT, to disguise the fact that the worm came from Cornell. Morris soon discovered that the program was replicating and reinfecting machines at a much faster rate than he had anticipated -- there was a bug. Ultimately, many machines at locations around the country either crashed or became "catatonic." When Morris realized what was happening, he contacted a friend at Harvard to discuss a solution. Eventually, they sent an anonymous message from Harvard over the network, instructing programmers how to kill the worm and prevent reinfection. However, because the network route was clogged, this message did not get through until it was too late. Computers were affected at many sites, including universities, military sites, and medical research facilities. The estimated cost of dealing with the worm at each installation ranged from $200 to more than $53,000. The program took advantage of a hole in the debug mode of the Unix sendmail program, which runs on a system and waits for other systems to connect to it and give it email, and a hole in the finger daemon fingerd, which serves finger requests. People at the University of California at Berkeley and MIT had copies of the program and were actively disassembling it (returning the program back into its source form) to try to figure out how it worked. Teams of programmers worked non-stop to come up with at least a temporary fix, to prevent the continued spread of the worm. After about twelve hours, the team at Berkeley came up with steps that would help retard the speed of the worm. Another method was also discovered at Purdue and widely published. The information didn't get out as quickly as it could have, however, since so many sites had completely disconnected themselves from the Internet.” Additional information on the Morris worm can be found at 1 - 11
  12. Morris Worm – Defense in Depth • Threat – No perimeter defense (directly accessible from the Internet) – Multiple services on same system – Unpatched systems • DiD – Separation of services – Apply patches Defense in Depth - SANS ©2001 12 Robert Morris released the worm to illustrate the problem with unpatched systems. If finger had been running on a separate system from the mail system, the Internet would have been more resilient against the attack. 1 - 12
  13. Melissa Virus • Availability attack • New “strain” slipped through most perimeters • Users activated macro despite warnings Defense in Depth - SANS ©2001 13 The Melissa macro virus was first observed Friday, March 26, 1999, and quickly became one of the most well- known and widely-spread macro virus infections to date. Many sites were aware of Melissa on Friday, others over the weekend, and of course still others found out Monday morning, so that March 29 was indeed a challenging day. By late Friday, an excellent description of the virus, including how to identify and contain it at the host level, had been developed and published by the Computer Emergency Response Team (CERT) at Carnegie Mellon. According to Network Associates’ web site (, the virus was first discovered on an "" newsgroup and spread rapidly. This extraordinarily rapid spread of Melissa serves as a warning of how fast a virus with an unknown signature can spread. If you examine the virus source code, you can see the virus replicated so rapidly by going through Microsoft Outlook address books and sending itself to the first 50 entries in each book. Now, the Melissa virus did no damage in the sense of deleting or stealing files; and only sites with desktop systems running Microsoft’s Outlook email client were directly affected. However, even systems that did not spread the virus directly by email still had their Microsoft Word documents infected, and continued to pass on the virus. Moreover, the cost of dealing with Melissa is in the millions of dollars. How did a virus that does no explicit damage (such as deleting files) do so much harm? Wreak this much havoc? Well, most of the financial losses are in the area of lost productivity. This is a big availability attack. - Some sites have reported that they shut down email entirely for multiple days. - Others lost email connectivity for several hours while cleaning the virus from their servers. - System administrators and help desk resources were tied up fighting the virus for periods ranging from three to five days at most affected organizations. The Microsoft macro capability is a significant vulnerability, and the opportunity exists for far more serious attacks than Melissa. And I find this quite interesting because almost all actual users of Microsoft Office products rarely take advantage of the macro language. 1 - 13
  14. Melissa Virus – Defense in Depth • Threat – Danger of monoculture – Inadequate security awareness – Failure to filter principle of least privilege • DiD – Simpler email – Unable to detect state • Amount of email flowing into a system at a given point in time Defense in Depth - SANS ©2001 14 Melissa was able to spread very quickly because everyone was running the same system. This allowed an attacker to find a single problem and use it to impact companies large and small. 1 - 14
  15. W32.SirCam • Confidentiality attack, mailed out random files from hard drive • Discovered July 2001 • Spread by mail attachments or unprotected shares Double file extensions: subject.doc.exe Defense in Depth - SANS ©2001 15 SirCam was able to spread either by unprotected shares or as an email message. You will recall from Day 1, Legion is a tool to scan for these Windows unprotected shares. The email message attack contains an attachment with the classic double file extension e.g. As a reminder, we were introduced to this trick with sexxxymovie.mpeg.exe on newsgroups to encourage users to download a variant of SubSeven. The most common first extensions were .doc and .xls, but many others are possible. The second extension will be something executable, such as .exe, .com, or .bat. The attached file contains both the malicious code decoy file copied from the sending infected system. This attack actually has elements of confidentiality, integrity, and availability. The availability attack was partly because it deleted files, also, if a number of systems were infected, it put a heavy load on the mail relay system (the computer that funnels an organization’s email to and from the Internet). The integrity attack includes the fact that copies of malicious code were copied to multiple locations on the hard drive. We will look at this problem more with Code Red. The confidentiality attack was very serious. SirCam chose random files from the hard drive to send out as the decoy mail message. Over thousands and thousands of mail messages, many of these turned out to be private for proprietary information. Additional information about SirCam can be found here: On the next slide titled, “Why So Many Users Executed SirCam,” we learn why so many people actually double-clicked on the attachment. 1 - 15
  16. Why so many users executed SirCam Windows Explorer, tools, folder options Defense in Depth - SANS ©2001 16 Though many users will doubleclick on anything, years of security awareness training has taught a lot of people not to doubleclick on executable files from strangers. Many of the recipients had no clue they were opening an attachment with malicious code for two reasons. First, if the machine is configured like the slide above, the file will of course appear without the .exe, .com, or .bat extensions. Second, since the file contains a valid file, chosen at random from the sending infected system, there really is a .doc or .xls file to look at. The unsuspecting victim never sees the malicious code. Your next slide is titled, Search For Unprotected Shares Before SirCam Finds Them.” Since this is such a big issue, we are going to introduce a new tool to help us find these and other problems. Its called DumpSec. 1 - 16
  17. Search For Unprotected Shares Before SirCam Finds Them DumpSec actually does a lot more than just find shares Defense in Depth - SANS ©2001 17 Unprotected shares are much-sought-after treasures for attackers. Depending on which share is unprotected, it could lead to a full compromise of the system. However, this tool can do a lot more. Let’s take a quick tour. 1 - 17
  18. DumpSec Features • Dumps user, group, and replication information • Dumps file system, registry, printers and shares permission and audit settings • Dumps password policies • Lists installed and running services Defense in Depth - SANS ©2001 18 Like SCAT, DumpSec provides a host of information grouped in an easy to find manner. DumpSec is a great aid to auditors. But, what makes it attractive to attackers is that it can be used in conjunction with the null session vulnerability that violates the confidentiality of the system. 1 - 18
  19. Null Session net use \\\IPC$ “” /USER:”” Defense in Depth - SANS ©2001 19 The null session exploit is an attack against confidentiality. In essence, it’s just “finger” on steroids. The attacker “logs in” to the Windows NT or Windows 2000 system using the “net use” command listed on your slide. After logging in, it is possible to gather a great deal of information from the Windows registry. Though this could be done by hand, it would be very tedious, so there are tools to make this a reasonable task. The tool shown in the screen shot is DumpSec by SomarSoft. It was available for free from, but they seem to have disappeared, which is a tragedy. They were wonderful folks and were among the first folks to develop security information and tools for NT. However, the software is still out on the Internet if you search with an internet search. DumpSec is available from either or [Editors Note: the web site is again functioning. CMW] The screenshot shown on the slide was from before I entered the “null session”. Afterwards, I would be able to enumerate boatloads of information about users, if that system was vulnerable to a null session attack. Enumerate is a popular term in the industry to describe what we used to call “depth first, breadth second” searches. So what? Why do you care? Well, if you find a PDC or BDC (Primary Domain Controller or Backup Domain Controller) you can use null sessioning to get a long list of user names, including all the members of the Administrator group. Then you could try consecutive ‘net uses’, trying different passwords. I am not really big on passwords, since they can be sniffed, or attacked by brute force, but they do have their place. There are a lot of weak passwords out there and every little bit helps. So, the longer we delay an attacker while they try dictionary attacks on our passwords, the more likely we are to catch them in the act. 1 - 19
  20. Gather User Information Defense in Depth - SANS ©2001 20 After executing the null session command we just showed you, DumpSec provides broad access to information about the valid users of a system. This information can be put to a myriad of uses. The last logon time can indicate if an account is active. This can help the attacker to determine its suitability for brute force attacks. If you were so silly as to not require users to have passwords, this would be painfully obvious to an attacker. RAS information can also indicate other systems that may not be as well-secured that could be used as a backdoor entry point to the main server. Keep in mind that on Day 1, we showed how to eliminate or control anonymous access to a Windows 2000 system using administrative tools and configuring the security policy to control this. 1 - 20
Đồng bộ tài khoản