
Defense-in-Depth

Securing Your System Using a Layered Security Approach. By Richard Hammer, LANL (LA-UR-08-2558).


Presentation Transcript


  1. Defense-in-Depth Securing Your System Using a Layered Security Approach By Richard Hammer, LANL (LA-UR-08-2558)

  2. Overview • Relative Risks • Threat Vectors • What attackers need us to do • Things Everyone Can do • Client protections • Summary

  3. Goal! • Secure your system so you: • Do not lose your identity if system is stolen • Feel comfortable storing and processing personal, financial, business, and sensitive information • Feel comfortable making online transactions

  4. Old and New Threats

  5. What attackers need from us! • Need us to execute a program • Need us to NOT securely configure our programs • Need us to NOT pay attention • Need us to NOT patch • Need us to be careless, gullible or curious • Need us to NOT understand the technology • “It’s that easy because we allow it to be that easy” Frank Abagnale

  6. Things we all can learn to DO! • Compute as an Unprivileged User if possible • Understand E-mail • Understand Web Browsing • Encrypt our Data • Know what is connecting in/out • Actually do it!

  7. Hackers do not like unprivileged users • They cannot change system settings • They cannot install programs that change system settings • They cannot undo security settings • Reboot will normally put system back into secure state again.

  8. Which is more secure? • Storing your credit card in your wallet Or • Storing your credit card number on your computer

  9. Protecting data at rest (Powered Off) • Physical Security • Encryption • Nothing else will work, because anyone holding the hardware can: • Remove the disk • Reset the password • Boot off cracker media • Boot a Macintosh holding T (Target Disk Mode)

  10. Hard drive / File Encryption • Software: TrueCrypt, Guardian Edge, WinMagic, PGP, Pointsec, Cypherix, Calibex, many more! • Hardware: Fortezza, self-encrypting hard drives • Windows EFS/BitLocker • Apple FileVault • Bcrypt • Entrust ICE • Entrust & PGP

  11. Apple FileVault

  12. Built-in Windows encryption

  13. System Up and You Are Logged In (Includes Sleep Mode) • No longer protecting data: • Full disk encryption • Hardware encryption • Windows EFS/BitLocker or FileVault • Still protecting data until the password is entered: • Encrypted Disk Image (Mac OS X) • Entrust, PGP, TrueCrypt, Bcrypt • Other 3rd-party encryption products

  14. Entrust/PGP File Encrypt Options

  15. Goals of Cryptosystems! Ensure: • Confidentiality • Integrity • Authentication • Non-Repudiation
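The four goals on this slide are separate properties, and the one people most often forget is that encryption by itself gives only the first. The added example below (it is not code from the talk) uses a toy stream cipher built from SHA-256 in counter mode, purely so that it runs with the standard library; the cipher, the key names and the message are constructed for the demo and must not be used as a real cipher. It shows that an attacker who cannot read the ciphertext can still flip chosen bits in the plaintext, and that an HMAC over the ciphertext (encrypt-then-MAC) is what delivers the Integrity and Authentication goals.

```python
"""Confidentiality alone does not give integrity (added example, not from the talk).

The keystream below is a toy: SHA-256 over (key, nonce, counter). It hides the
message, but XOR-ing a byte of ciphertext XORs the same byte of plaintext, so an
attacker who knows the message layout can rewrite it without the key. The HMAC
in seal()/open_sealed() is what detects that.
"""
import hashlib
import hmac
import os


def keystream(key, nonce, length):
    """Toy counter-mode keystream (demo only, not a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, nonce, plaintext):
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt  # XOR with the same keystream undoes itself


def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key, mac_key, blob):
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return decrypt(enc_key, nonce, ct)


def tamper(blob, offset, xor_byte):
    """Attacker flips bits at a known position in the ciphertext. No key needed."""
    b = bytearray(blob)
    b[offset] ^= xor_byte
    return bytes(b)


def demo():
    """Returns (forged plaintext from encryption-only, whether encrypt-then-MAC caught it)."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    msg = b"PAY $100 TO ALICE"  # constructed message
    pos = msg.index(b"1")       # '1' is 0x31; XOR 0x08 turns it into '9' (0x39)

    # Encryption only: the forged amount decrypts cleanly, nobody notices.
    nonce = os.urandom(16)
    ct = encrypt(enc_key, nonce, msg)
    forged = decrypt(enc_key, nonce, tamper(ct, pos, 0x08))

    # Encrypt-then-MAC: the same flip (ciphertext starts after the 16-byte nonce) is rejected.
    blob = seal(enc_key, mac_key, os.urandom(16), msg)
    try:
        open_sealed(enc_key, mac_key, tamper(blob, 16 + pos, 0x08))
        detected = False
    except ValueError:
        detected = True
    return forged, detected


if __name__ == "__main__":
    forged, detected = demo()
    print("encryption only, attacker produced:", forged)
    print("encrypt-then-MAC caught the change:", detected)
```

Non-repudiation is not covered by this block: an HMAC key is shared by both parties, so either could have produced the tag. That goal needs a public-key signature (the PGP/S/MIME/Entrust products on the later slides).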

  16. Cryptosystems Problems? • You might lock yourself out forever! • Key Management • Key Distribution • Password/Passphrase Protection • Can’t encrypt/decrypt offline? • Speed? • Export? (GOV export authorized)

  17. What will Defeat Encryption • Not protecting the password • Sleep mode and fast user switching (keys stay in RAM) • Freeze spray (cold-boot recovery of keys from RAM), shutdown/leave • Malware • Keyboard loggers • E-mail infections • Not paying attention to warning messages • Backups (unencrypted copies of your encrypted data)

  18. Understanding e-mail • Clear text e-mail is completely unreliable. • How do you recognize bogus e-mail? • What is URL redirection? • How do you protect yourself? • Outlook?

  19. Why you should not Trust Clear Text e-mail • Do not know who sent it • Do not know who sees it • Do not know where it went • Do not know who read it • Do not know if content changed • Still on server, backups? • Sys Admins have full access

  20. Encrypting e-mail? • Only intended recipients can read messages or open files • Data has not been modified • Data is from the expected source • Not readable on the wire, end to end (not just SSL/TLS to the server) • PGP/S/MIME/Entrust

  21. Entrust Encryption Example?

  22. PGP/SMIME Encryption Example?

  23. SMIME/PGP/Entrust e-mail

  24. Phishing right here in LA! • Guy Lisella “Anytime they ask for personal information, it’s a scam.” • Legitimate businesses will NEVER ASK for personal information to be transmitted over clear text e-mail! • If unsure, call them.

  25. How do you recognize bogus e-mail? • Do you know the sender? • Is the offer “too good to be true?” • Embedded links that point to an address that doesn’t appear right. • Your email address is not listed on the “TO” or “CC”. • The “FROM” & “Return-Path” don’t match. • Unexpected attachments.

  26. What is wrong?

  27. Understanding URLs/Redirection • Anatomy: http://computername.domainname/directoryname/indexfile.html • Where you thought you were going: http://www.dncu.com/login.aspx?update (or, by IP, http://63.214.247.170/login.aspx?update) • Where you are redirected: http://www.dncu.org.hi-position.com/register/login.html • Computer name – www • Domain name – dncu.org.hi-position.com (the registered domain is hi-position.com; "dncu.org" is just a subdomain label) • IP Address – No longer registered, but was 202.168.210.1XX • Directory – register • Index file – login.html

  28. Look at the e-mail header • Eudora – the “Blah, Blah, Blah” toolbar button shows full headers • Outlook – View Options or Right Click, Options • Webmail – Click on Full Headers • Thunderbird – Menu Bar, VIEW/HEADERS/ALL
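Slides 25, 27 and 28 together describe a manual triage: compare From with Return-Path, check whether you are actually on To/Cc, and compare where a link says it goes with where it really goes. The added example below (not from the talk) automates those checks over a raw message with the standard library's `email` parser. The message, the addresses and the `me@example.gov` recipient are constructed for the example; the redirect host copies the pattern from slide 27. The `registrable_domain` helper deliberately takes the last two labels only, which is enough for this case but not a substitute for the Public Suffix List in production code. It also counts remote images, since an HTML mail that fetches a 1x1 image on display confirms to the sender that a live person opened it (the reason slide 31 says not to auto-download graphics).

```python
"""Triage checks for a suspicious e-mail (added example, not from the talk)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message, not a real mail. The link text shows one host,
# the href goes to another, and the bounce address is on a third domain.
RAW = b"""Return-Path: <bounce@hi-position.com>
From: "DNCU Member Services" <service@dncu.org>
To: undisclosed-recipients:;
Subject: Please update your account
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Click <a href="http://www.dncu.org.hi-position.com/register/login.html">
http://www.dncu.org/login.aspx?update</a> to update your record.</p>
<img src="http://www.dncu.org.hi-position.com/t.gif?id=4711" width=1 height=1>
</body></html>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IMG_RE = re.compile(r'<img\s[^>]*src="(https?://[^"]+)"', re.I)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def registrable_domain(host):
    """Last two labels of a hostname: 'www.dncu.org.hi-position.com' belongs to
    hi-position.com no matter what the leading labels say. (Simplification for
    the example; real code should consult the Public Suffix List.)"""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(raw, my_address):
    """Return a list of human-readable findings for one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Slide 25: FROM and Return-Path should belong to the same domain.
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    from_dom = registrable_domain(from_addr.rsplit("@", 1)[-1])
    rp_dom = registrable_domain(return_path.rsplit("@", 1)[-1])
    if return_path and from_dom != rp_dom:
        findings.append(f"From/Return-Path mismatch: {from_addr} vs {return_path}")

    # Slide 25: my address should appear on To or CC.
    recipients = " ".join(str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", []))
    if my_address.lower() not in recipients.lower():
        findings.append("my address is not on To/Cc")

    # Slide 27: link text vs. real link target, and bare-IP links.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in LINK_RE.findall(html):
        actual_host = urlparse(href).hostname or ""
        shown = re.search(r"https?://[^\s<]+", text)
        if shown:
            shown_host = urlparse(shown.group(0)).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(actual_host):
                findings.append(f"link text says {shown_host} but goes to {actual_host}")
        if IPV4_RE.fullmatch(actual_host):
            findings.append(f"link points at a bare IP address: {actual_host}")

    # Slide 31: remote images fetched on display tell the sender you opened it.
    remote_images = IMG_RE.findall(html)
    if remote_images:
        findings.append(f"{len(remote_images)} remote image(s) would be fetched on display")
    return findings


if __name__ == "__main__":
    for finding in triage(RAW, "me@example.gov"):
        print("-", finding)
```

Run it on a real message by saving the message with full headers (slide 28 shows where each client exposes them) and passing the bytes to `triage`. None of these checks is proof on its own; a legitimate newsletter also fails the To/Cc test. Together they are the same questions the slides ask, answered before the link is clicked.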

  29. Give me the money

  30. Stop Right There!

  31. E-mail client configuration • Do NOT auto-execute anything • Do NOT automatically download HTML graphics • Do NOT display graphics in the message • Do NOT allow executable HTML content (scripts, ActiveX) • Do NOT display emoticons as graphics • Do NOT use the Microsoft viewer.

  32. Entourage Settings

  33. Before and After (Mac Mail) <Display Remote Images in HTML Message>

  34. What’s Wrong? Unknown sender, not addressed to me, has an attachment I did not expect.

  35. Virus protection caught it three weeks later, don’t be the first to open it!

  36. Which is more secure? • Paying for a dinner with a credit card Or • Online purchase

  37. Compare the two!

  38. Web Browser Security • Understand how it works • SSL/TLS • Privacy Settings • Security Settings • “Warn me” is always a good option when not sure • Scripts • Understand Threats • Internet Explorer?

  39. Web Access (SSL/TLS) • SSL developed by Netscape (1994) • Certificate exchange • System to system • Certificate Authority • Should only use SSL 3.0 or TLS 1.0 (2008 advice; both have since been deprecated, and current practice is TLS 1.2 or later) • Is it secure? • Redirection • Man-in-the-Middle attack
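What actually stops the man-in-the-middle on this slide is the client refusing a certificate that does not chain to a trusted CA and does not name the host it connected to, plus refusing old protocol versions. The added example below (not from the talk) contrasts the common "make the warning go away" client configuration with a hardened one using Python's standard `ssl` module, and audits a context for the three settings that matter; it opens no network connection. The function names and findings text are this example's own.

```python
"""Client TLS context: weak vs. hardened, with an audit (added example, not from the talk)."""
import ssl


def weak_context():
    """What developers do to silence certificate errors. A MITM's certificate is
    accepted, the hostname is never compared, and any protocol version the server
    offers is allowed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context():
    """Verify the chain against the OS CA store, match the certificate to the
    host, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + system CAs by default
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit(ctx):
    """Return the list of weaknesses found in an SSLContext (empty means OK)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified against a CA (MITM can present any cert)")
    if not ctx.check_hostname:
        findings.append("certificate name not checked against the host (a valid cert for another site passes)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"protocol floor is {ctx.minimum_version.name}; require TLS 1.2 or later")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit(ctx) or "no findings")
```

To use the hardened context for a real request, pass it as `context=` to `urllib.request.urlopen` or `http.client.HTTPSConnection`; a certificate that fails any check then raises `ssl.SSLCertVerificationError` instead of silently connecting, which is the "Warning, should I proceed?" decision of slide 43 made for you.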

  40. Keeping Track of State • SessionID in the URL, e.g. https://ucfy.ucop.edu/ucfy/BaseServlet;jsessionid=0000q9ZvjIPe7xWTjxeftFjTqBy:-1 • Cookie: • Persistent • Non-persistent • Hidden form element

  41. Firefox Security Settings

  42. Man-in-the-Middle

  43. Warning, should I proceed?

  44. Secure ???

  45. Clearing Privacy Settings (Firefox) <Tools><Options>

  46. Security Settings (Firefox) <Tools><Options>

  47. Firefox - noscript <Tools><Options>

  48. Firefox – noscript (2)

  49. Secure Web Transactions • Open a new browser • Ensure SSLv3/TLS is in use (today: TLS 1.2 or later) • You initiate the connection (type the address; never follow a link from e-mail) • Only go to sites associated with the transaction • Use NoScript and only allow needed scripts • Pay attention to error messages • Log out when done • Close the browser and clear private data

  50. Personal Application layer firewalls • ZoneAlarm • Little Snitch/Apple Firewall combo • In/Out protection • Can distinguish between different programs connecting out on same port • Will teach you which applications really connect out from your system
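The last two bullets are the point of an application-layer firewall: a port-based filter sees three connections to port 443 and passes all of them, while a per-program filter can tell the browser from a background updater you never heard of. The added example below (not from the talk) parses the output of `lsof -i -n -P`, the command a Mac or Linux user can run to see the same picture before installing Little Snitch or ZoneAlarm, groups established outbound connections by remote port and program, and lists the programs not on an allow list. The sample output, process names and the allow list are constructed for the example (addresses come from the RFC 5737 documentation ranges); `-n -P` is assumed so that addresses and ports appear numerically.

```python
"""Which programs really connect out, from `lsof -i -n -P` (added example, not from the talk)."""
import re
from collections import defaultdict

# Constructed sample of `lsof -i -n -P` output, not captured from a real host.
SAMPLE = """\
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
firefox    2231 rich   42u  IPv4 0x1a2b      0t0  TCP 10.1.1.5:52103->198.51.100.20:443 (ESTABLISHED)
Dropbox    1907 rich   17u  IPv4 0x1a2c      0t0  TCP 10.1.1.5:52110->203.0.113.8:443 (ESTABLISHED)
updatehlp  3310 rich    5u  IPv4 0x1a2d      0t0  TCP 10.1.1.5:52122->192.0.2.77:443 (ESTABLISHED)
Mail       2044 rich   31u  IPv4 0x1a2f      0t0  TCP 10.1.1.5:52130->198.51.100.40:993 (ESTABLISHED)
sshd        612 root    3u  IPv4 0x1a2e      0t0  TCP *:22 (LISTEN)
"""

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, where NAME is
# local[->remote] [(STATE)]. Local never contains '-', so it stops before '->'.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<local>[^\s-]+)(?:->(?P<remote>\S+))?"
    r"(?:\s+\((?P<state>\w+)\))?$"
)


def parse_lsof(text):
    """Return one dict per socket line (header and unparseable lines skipped)."""
    conns = []
    for line in text.splitlines()[1:]:
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            conns.append(d)
    return conns


def outbound_by_port(conns):
    """remote port -> set of program names with an ESTABLISHED connection to it.
    This is the distinction a per-application firewall draws and a port filter cannot."""
    table = defaultdict(set)
    for c in conns:
        if c["remote"] and c["state"] == "ESTABLISHED":
            port = int(c["remote"].rsplit(":", 1)[1])
            table[port].add(c["cmd"])
    return dict(table)


def unexpected_programs(conns, allowed):
    """Programs with any outbound connection that are not on the allow list."""
    return sorted({c["cmd"] for c in conns if c["remote"] and c["cmd"] not in allowed})


if __name__ == "__main__":
    conns = parse_lsof(SAMPLE)
    for port, programs in sorted(outbound_by_port(conns).items()):
        print(f"port {port}: {', '.join(sorted(programs))}")
    print("not on allow list:", unexpected_programs(conns, {"firefox", "Mail"}))
```

On a live machine, `parse_lsof(subprocess.run(["lsof", "-i", "-n", "-P"], capture_output=True, text=True).stdout)` gives the same tables; run it a few times over a day and the allow list writes itself, which is exactly what the "will teach you" bullet promises.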
