Computer and Network Security

Iain Moffat B.Sc(Hons) CEng MIET

Chairman, IET Anglian Coastal


You are Not Alone ….


Contents

  • What is Computer Security?

  • Data Protection Principles and the DPA

  • The Security Implementation Process

  • The threats to your computer and network

  • Security Policies

  • Risk/Impact Assessment

  • Countermeasures

  • Checking Security

  • Investigation and Evidence


What is computer security?

Protection of computer hardware and software from loss, damage or theft


Data Protection


Data Protection Principles

  • Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-

    (a) at least one of the conditions in Schedule 2 is met, and

    (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

  • Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

  • Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

  • Personal data shall be accurate and, where necessary, kept up to date.

  • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

  • Personal data shall be processed in accordance with the rights of data subjects under this Act.

  • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

  • Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

    From the Data Protection Act 1998, Schedule 1 Part 1: http://www.opsi.gov.uk/acts/acts1998/19980029.htm#aofs


Security Process

(Diagram: the five numbered stages of the security process)

  1. Threats

  2. Policies

  3. Countermeasures

  4. Incidents

  5. Audits


THE THREATS


The Threats

  • Fire

    • Purely a physical threat

    • Results in data loss, loss of money invested in equipment, and downtime

  • Flood

    • Purely a physical threat

    • Results in data loss, loss of money invested in equipment, and downtime

  • Theft

    • Has physical and electronic forms

    • May involve hardware, data or both

    • Stolen data may be hard to replace

    • Stolen data may facilitate other crimes (eg. Impersonation)

    • Causes financial loss and loss of reputation

  • Vandalism

    • Has physical and electronic forms

    • May cause downtime and/or data loss

    • Causes financial loss and loss of reputation

  • Impersonation

    • Primarily an electronic threat

    • Leads to financial loss and loss of reputation

  • Junk Mail

    • Used to be mostly a waste of time and bandwidth

    • Now a carrier for malicious software


Where Threats Come From

  • People with access to your computer

  • Removable media (tapes, disks etc)

  • Malicious Software

    • Trojans

    • Viruses

    • Worms

    • Exploits and Rootkits

    • Spyware

  • Network Connections

  • Confidence Tricks


Malicious Software


Malicious Software

  • Trojans

    • Programs that claim to do one thing but actually do something unwanted

    • Need to be loaded and run by an authorised user of the system

    • Limited to the access rights of that user

    • Often used as a loader for rootkits or spyware

    • Nowadays usually downloaded from a misleading/bogus website or via a link in SPAM email messages

  • Viruses

    • Self-replicating programs

    • May just install a replicator on an infected machine or deliver a “payload” program to do its maker’s work on your PC

    • Payload may be destructive or spyware

    • Historically spread using infected DOS floppy disks

    • Nowadays found as macros in documents or downloadable programs

  • Worms

    • Self-replicating programs that spread from machine to machine over a network

    • May carry destructive or spyware payloads

    • Rely on vulnerable network services to infect new victims

    • Common on UNIX systems in the 1980s, nowadays more common in Windows environments

  • Exploits and Rootkits

    • Exploits are bugs in an operating system that allow a local or remote user to get admin-level access

    • Hackers ‘exploit’ these bugs to write programs that install a permanent remote access kit which gives them access to a compromised system

    • The remote access kit gives them root (UNIX) or administrator (Windows) access and hides itself from normal operating system file and process lists

  • Spyware

    • Usually installed by a trojan or worm

    • May log key strokes or URLs visited

    • Originally an unethical form of market research

    • Now used by organised crime to steal passwords

  • Password Capture or “Phishing”

    • Originally done by faking a login screen on a mainframe terminal or by faking dial-back

    • Now usually a link to a web site

    • Purports to be an urgent message from e-bay, paypal or a bank containing a link to click

    • Link text says http://some.bank.com/login.html but the underlying code says http://some.hackers.hijacked.server/fakelogin.html
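
The mismatch between displayed link text and real destination on the last bullet can be checked mechanically. The following is an added example, not part of the original presentation: it parses the anchors in a message and reports any whose visible text names one host while the href goes to another. The sample message and its host names are constructed placeholders.

```python
"""Flag anchors whose visible text shows one URL while the href points to
another host, the phishing trick described on the slide.

Added example, not from the presentation; the sample message and its host
names are constructed placeholders."""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlsplit


def _host(url: str) -> str:
    """Lower-cased host part of a URL, or '' if there is none."""
    try:
        return (urlsplit(url.strip()).hostname or "").lower()
    except ValueError:
        return ""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data: str) -> None:
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag: str) -> None:
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html: str) -> list[dict[str, str]]:
    """Return one finding per anchor whose displayed text looks like an address
    (a URL or bare host name) on a different host from the real destination.
    Anchors with plain text such as 'click here' carry no host to compare
    and are left alone."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        shown = text if "://" in text else "http://" + text
        shown_host, real_host = _host(shown), _host(href)
        if "." not in shown_host or not real_host:
            continue
        if shown_host != real_host:
            findings.append({"shown": shown_host, "actual": real_host, "href": href})
    return findings


# Constructed sample: the first link is the slide's example, the others are benign.
SAMPLE_MESSAGE = """
<p>Urgent: your account will be suspended. Log in at
<a href="http://some.hackers.hijacked.server/fakelogin.html">http://some.bank.com/login.html</a>
or <a href="http://some.bank.com/help">click here</a> for help.
Members can also visit <a href="https://www.theiet.org/">www.theiet.org</a>.</p>
"""

if __name__ == "__main__":
    for f in mismatched_links(SAMPLE_MESSAGE):
        print(f"link shows {f['shown']} but goes to {f['actual']} ({f['href']})")
```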


Network Threats

  • Wire Taps / Eavesdropping

    • Primarily a risk in shared media (eg. wireless 802.11)

    • Leads to data loss and may facilitate Man-in-the-Middle or Impersonation attacks in the future

    • Password sniffing is a specific form of this threat

  • Man in the Middle

    • Primarily a risk in multi-hop links

    • Requires access to a link carrying all traffic between end systems

  • Impersonation

    • Use of false credentials to log in to network services

    • DNS Poisoning

  • Denial of Service

    • Primarily a risk to sites with limited internet access bandwidth

    • High volumes of unwanted inbound traffic may bring down servers or squeeze out legitimate traffic

  • Bandwidth Theft

    • Unauthorised connections to your WLAN may steal your internet access bandwidth


Security Policies


Security Policies

  • Physical Security

    • Siting to avoid flood and fire risks

    • Locks and chains

    • Computer room access controls

    • Laptop security in transit and in use

    • Backups

    • Off site storage of backup and rebuild media

    • Availability of replacement hardware

  • User Access

    • Who has administrative access (can add users or programs)

    • Password policies (length, complexity and change period)

    • Identity and background checks prior to granting access

    • Password reset process must prove that the real user is asking

    • 7x24 or restricted access hours

    • Separation of roles (user vs administrator)

    • Audit and removal of expired or unused access

    • Shared user accounts are dangerous (undermine audit trail)

    • Users must be warned that unauthorised access is illegal

    • Users must be informed of the scope and purpose of permitted access

    • Users must be informed and/or trained in data protection

  • Removable Media

    • How to store backups away from harm

    • Potentially different content/retention profiles for archives and backups

    • Need to have software to read old archives and install old backups

    • Need to ensure that media are still readable after time

    • Consider retention period (legal and practical constraints may apply)

    • Consider risk from imported media (virus etc)

    • How to ensure timely identification and destruction of redundant media

    • Need to control introduction of new media from outside

  • Network Software

    • Minimise visible network presence

    • Turn off unwanted network services (need mail on web server?)

    • Avoid use of unsafe protocols (eg. TELNET or FTP send unencrypted passwords)

    • Use safe/encrypted protocols (SSH, HTTPS)

    • Avoid programs or configurations that auto-open received files

  • Network Connectivity

    • Firewalls are essential

    • Identify security domains in your network and outside

    • Identify necessary connections by source, destination and protocol between machines or domains

    • Configure firewall rules to permit only these connections

    • Log permitted but potentially dangerous traffic

    • Maintain a low profile to the internet – minimise visible network services exposed to the outside by your firewall

  • 3rd. Party Access

    • 3rd party maintainers or outsource staff may need remote or on site access

    • Ensure that work is controlled and staff are trustworthy

    • Ensure that confidentiality agreements are in place before granting access

    • Shut off remote access when not in use

    • Log or supervise support access

    • Review and if possible disable ‘phone home’ features for vendor support unless you are trying to fix a problem

    • Test automatic updates on a sacrificial machine before allowing network-wide deployment in your business

  • Audit and Logging

    • Logs help diagnose problems and are evidence of misuse

    • Excessive logs may be a security risk (eg unencrypted data or disk full)

    • Should be sufficient to determine who did what when

    • Should not be an easier alternative to keystroke logging or wire tapping

    • Useless as an audit trail if login accounts are shared

    • Must be protected from modification – ideally sent to a dedicated server in real time over the network using SYSLOG (Unix and Network) or MOM (Windows)

    • Content and retention of logs must satisfy data protection and privacy laws

  • Patching and Updates

    • Hackers are always finding new bugs

    • Software vendors are always fixing them

    • You must monitor vendor websites or mailing lists

    • Also check CERT, UNIRAS and ISC alerts frequently

    • If you have the resources, test and deploy patches in a controlled way

    • If not, subscribe to Windows Update or its Linux counterparts

    • Upgrade the OS before it becomes unsupported


Risk Assessment


Risk Assessment Factors

  • Business or domestic

    • Business needs to consider employees as a risk

    • Domestic users have only external threats

  • Single or Multi-User

    • Multi-User systems need to consider who can see what

    • Single user systems only need to prevent accidental damage (by running trojans as an administrator)

  • Networked or Standalone

    • Networked systems are at risk from outside

    • Physical access is needed to harm standalone systems

    • Internet-connected networks are at greater risk than isolated ones


Risk Assessment Process

  • Make a list of risks

  • Determine the probability of each one happening

  • Determine the cost of each one if it happens

  • Calculate cost * probability for each one

  • Deal with the worst first

  • It is worth paying £(cost * probability) to fix each risk that has been identified.


Countermeasures


    Countermeasures

    • Physical Security

    • User Access Control

    • Removable Media Control

    • Network Software

    • Network Access

    • File Permissions and Security

    • 3rd. Party Access

    • Audit and Logging


    Physical Security

    • Separate components of large systems across multiple sites

      • Clustering for high availability

      • Live/Standby operation for less critical systems

      • Consider using the test/development system as a cold standby

      • Standby systems are only useful if data and software are up to date

      • Need to rehearse failover and failback

    • Keep taking the backups!

      • Test backup and restore process regularly

      • Keep all media needed to reinstall your software

      • Test that media are still readable from time to time

      • Ensure backups are stored as securely as the live data (or more so)

      • Review availability of hardware and upgrade or buy spares when it is near end of life

      • Don’t keep backups and live systems in the same room (and if possible not in the same building)

    • Keep critical computers in a separate locked room (which also helps with noise and dust and air conditioning)

    • Don’t put computers under water pipes or tanks

    • Don’t use floor-standing computers or storage furniture in rooms liable to flooding

    • Ensure that temperature and humidity are monitored and alarmed in computer rooms

    • Ensure that media stores are dry and free from dust and insects


    User Account Security

    • Separation of Privilege

    • Password Policies

    • Clean Up Afterwards

    • No Shared Accounts


    Separation of Privilege

    • Create separate administrative and normal users even on a single-user system to limit the damage that can be done by mistakes or infection in normal use

      • Use administrative accounts only to install software or change system configuration

      • Never use an administrative account for normal e-mailing or web browsing

      • Use normal accounts for all dangerous activities so that a trojan or virus will not run as administrator

    • Wherever possible configure network services (mail, file and web servers) to run under dedicated user accounts rather than as administrator so a remote attack not only has to get control of them but then also gain administrative rights

    • Separate administrative and audit functions under separate user accounts if the operating system allows it, so that someone cannot do an unauthorised change and then cover up by changing the logs


    Password Policies

    • There are several good password guessing programs in the field and as computers get faster they become a bigger risk

    • Always change default passwords in operating systems and applications as soon as you take delivery or install them

    • Minimum recommendations are

      • 6 character normal passwords

      • 8 to 10 character administrative passwords

      • Change passwords at least every 90 days

      • Change passwords ASAP if keylogging or dishonesty is suspected

      • Change passwords ASAP if an employee leaves

      • Must not be a dictionary word

      • Substitution of letters for numbers is not enough (eg “pa33w0rd”)

      • Combinations of words or words and non-guessable numbers are stronger (eg. “pass3249w0rd” or “random.nothing”)

      • Random, machine generated passwords are non-memorable and need to be written down (which is a greater risk)

    • Passwords must be non-reversibly encrypted when stored on disk

    • Passwords must never ever under any circumstances be shared


    Clean Up Afterwards

    • Remove user accounts when employees leave

    • Search disk for passwords or password bypass

      • eg. unix .rhosts and .netrc files

    • Audit the user list frequently and ensure that

      • All users are still employed at your site

      • All users have the lowest privilege level that will let them do their work

      • Any application program ‘users’ are still needed

      • User information (real name, phone) is correct


    No Shared Accounts

    • Shared Accounts prevent effective auditing since more than one person knows the same username and password

    • Each human user must have their own login account for auditing to be effective

    • If there is more than one system administrator then it is better to have multiple administrative accounts than to share one account and password

      • Directly possible by assigning users to the “Administrators” group in Windows

      • Requires use of “SUDO” or custom-written software in Unix or Linux systems

    • Where accounts have to be shared then it is best to configure it so that users have to log in as themselves and then switch to the shared account


    Removable Media

    • Removable Media are

      • Floppy disks, CD-Roms, DVDs and tapes

      • The traditional infection vector for trojans and viruses

      • The main risk of data loss from your site

    • Consider laptops as removable media

    • New Removable Media must

      • Be clearly labelled with date, privacy marking and contents

      • Be stored as securely as the computers they came from (or more so)

      • Be securely destroyed when no longer required

        • Physical destruction by fire or cutting up is recommended

        • Deleting files just marks space as reusable

        • Must delete contents and overwrite with random data prior to sale or reuse

      • Be adequately protected in a risky environment

        • Encrypt sensitive files on media that will be posted

        • Ensure laptops taken off site have passwords and encrypted hard disks

    • Incoming Removable Media must

      • Be virus checked (preferably on a non-networked ‘sheep dip’ computer)

      • Be expected and from a trustworthy source (beware magazine cover CDs)


    File Permissions

    • File Permissions and Privilege Separation work together

      • Only administrators can write or update system files

      • Only administrators can change other users’ files

      • Normal users can read system files

      • It’s a policy decision whether users can read each other’s files

    • UNIX defaults to a strict implementation

    • Win2K and XP can be strict but default to an open model for backward compatibility with Windows 3.1 and 95/98


    File Security

    • Anti Virus Tools

      • Periodically or on-demand scan files for virus signatures

      • Scan word documents for macro viruses prior to opening

      • Intercept file-open requests to the OS and compare files to a signature library before passing data to applications

      • Intercept mail send and receive requests to the OS and scan incoming and outgoing mail

    • Anti-Spyware Tools

      • Inspect registry for traces left by spyware

      • May block or query registry changes

      • Pre-emptively block creation of registry keys used

      • Periodically or on-demand scan files on disk for spyware signatures

    • Regular Updates to Signature Library are Critical


    Safe Operating Practices

    • Avoid auto-opening attachments and embedded links in mail messages

      • Turn off message preview functions in E-Mail programs

      • Never click on links in mail messages – copy link text into a browser window

      • Never click ‘unsubscribe’ links in junk mail messages

    • Suppress Junk Mail

      • Use an ISP which provides SPAM filtering

      • If your company has its own mail server use something like SpamAssassin

    • Beware new websites and links from search engines

      • Disable client-side code (java, javascript and activeX) or use a dumb browser (eg. Early Netscape) to preview new sites

      • Only enable client-side code on trusted sites

      • Consider copying “untrusted zone” settings to “internet zone” in IE6 and putting known good sites (www.theiet.org, etc) in the trusted zone explicitly


    (Screenshot: browser security zone settings, Internet Zone and Restricted Zone)


    Network Software

    • Modern computers come with many network services

      • Mail servers

      • Print Servers

      • File Sharing

      • Remote Procedure Calls (RPC)

      • SQL Databases

      • Web Servers

      • Remote Desktop Access / X-Windows / VNC

    • Most are enabled by default in Windows 2000/XP

    • Most are disabled by default in Windows 2003 Server

    • UNIX and Linux distributions are somewhere between

    • Only active network services are vulnerable to attack

    • To minimise the “attack surface” of your systems you need to turn off the ones you don’t plan to use

      • Review control panel > administrative tools > services on Windows

      • Review /etc/inetd.conf or /etc/xinetd on Linux and Unix systems

    • Be aware of “loopback” connections when client (user interface) and server (backend) portions of an application run on the same machine


    Software Firewalls

    • Linux and Windows have software “firewalls”

      • Microsoft Windows Firewall or (Win2003) IPSEC Filters

      • Linux IPTables and IPChains

    • Not true firewalls – really only modifications to the network I/O driver

    • These block or restrict incoming traffic based on source and destination IP Address to hide network services that are needed locally but should not be shared

    • 3rd-party Windows firewalls (eg ZoneAlarm, Sygate and Norton) can prevent applications accessing the network outbound until you have permitted them to do so

    • Microsoft Windows Firewall has a simple fixed configuration that permits anything outbound and replies inbound

    • 3rd. Party Windows firewalls start with a “Block Everything” policy and are generally configured by learning – they ask what to do each time they see anything new

    • Linux IPTables is configured by user-written files

    (Diagram: Application / Server above a “Firewall” layer inserted in front of the Original Driver)


    Network Connections

    • A networked computer is no longer alone

    • There are around 100 million Internet users world wide

    • Based on the UK prison population at least 160,000 of them are crooks

    • It is therefore necessary to protect your computers from attack via the internet


    Interconnect Policies

    • You should consider what connections to permit between your network and the outside

    • The template for describing a connection is as follows

      • Source IP or subnet

      • Destination IP or subnet

      • Protocol (Port)

      • Is authentication required


    Simple (Home) Policy Set
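
The table for this slide is not in the transcript. As an added example (not the presenter's own policy set), the code below writes a small home policy with the Interconnect Policies template (source, destination, protocol/port, authentication required), evaluates connection requests against it with deny-by-default, flags permitted-but-dangerous traffic for logging as the Network Connectivity policy asks, and lints the rules for the cleartext-password protocols the Network Software policy warns about. All addresses and rule names are constructed.

```python
"""Evaluate connection requests against a permit-only policy written with the
Interconnect Policies template (source, destination, protocol/port, whether
authentication is required), and lint the policy for the weak spots the
Security Policies slides warn about.

Added example, not from the presentation. The home policy set below is
constructed for illustration using private and documentation address ranges."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANYWHERE = ip_network("0.0.0.0/0")
UNSAFE_PORTS = {21: "FTP", 23: "TELNET"}        # send passwords unencrypted (slide)


@dataclass(frozen=True)
class Rule:
    name: str
    source: IPv4Network
    destination: IPv4Network
    protocol: str                 # "tcp" or "udp"
    port: int | None              # None matches any port
    auth_required: bool = False
    log: bool = False             # permitted but potentially dangerous: record it


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    protocol: str
    port: int
    authenticated: bool = False


def rule(name: str, src: str, dst: str, proto: str, port: int | None = None, **kw) -> Rule:
    return Rule(name, ip_network(src), ip_network(dst), proto, port, **kw)


# Constructed "simple home policy set": anything not listed here is denied.
HOME_POLICY = [
    rule("web (https)", "192.168.1.0/24", "0.0.0.0/0", "tcp", 443),
    rule("web (http)", "192.168.1.0/24", "0.0.0.0/0", "tcp", 80),
    rule("dns to isp resolver", "192.168.1.0/24", "198.51.100.53/32", "udp", 53),
    rule("ssh to home server", "0.0.0.0/0", "192.168.1.10/32", "tcp", 22,
         auth_required=True, log=True),
]


def evaluate(conn: Connection, policy: list[Rule]) -> tuple[str, str, bool]:
    """Return (decision, matched rule name, should_log). First match wins and
    anything not explicitly permitted is denied by default."""
    src, dst = ip_address(conn.src), ip_address(conn.dst)
    for r in policy:
        if (src in r.source and dst in r.destination
                and conn.protocol == r.protocol
                and (r.port is None or r.port == conn.port)):
            if r.auth_required and not conn.authenticated:
                return ("deny", r.name, True)   # matched but unauthenticated: log it
            return ("permit", r.name, r.log)
    return ("deny", "default", False)


def lint_policy(policy: list[Rule]) -> list[str]:
    """Warnings for rules that conflict with the policy slides: cleartext
    password protocols, and services open to the whole internet without
    authentication."""
    warnings = []
    for r in policy:
        if r.port in UNSAFE_PORTS:
            warnings.append(f"{r.name}: permits {UNSAFE_PORTS[r.port]}, which sends passwords unencrypted")
        if r.source == ANYWHERE and not r.auth_required:
            warnings.append(f"{r.name}: reachable from anywhere without authentication")
    return warnings


if __name__ == "__main__":
    samples = [
        Connection("192.168.1.20", "203.0.113.5", "tcp", 443),
        Connection("203.0.113.5", "192.168.1.20", "tcp", 445),
        Connection("203.0.113.5", "192.168.1.10", "tcp", 22, authenticated=True),
        Connection("192.168.1.20", "203.0.113.5", "tcp", 23),
    ]
    for c in samples:
        print(c.src, "->", c.dst, c.protocol, c.port, evaluate(c, HOME_POLICY))
    print(lint_policy(HOME_POLICY + [rule("old telnet", "192.168.1.0/24", "0.0.0.0/0", "tcp", 23)]))
```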


    3rd. Party Access

    • Maintainers have access to your data

    • Manage remote access

      • Turn off ‘phone home’ functions if you can

      • Firewall them or unplug the modem if you can’t

      • Windows and AntiVirus/AntiSpyware updates are a necessary risk

    • Manage on-site maintenance technicians

      • Ensure on site maintainers sign a non-disclosure agreement and are escorted at all times

      • Insist that all media used by on-site maintainers are virus-scanned

      • Check that on-site engineers have correct windows updates and current AV signatures before connecting to your network

    • Minimise risk of sending data off site

      • Use physically separate data and OS disks and remove data disks prior to sending machines for repair

      • Clear empty space on disks of machines sent for repair

      • Minimise data that will be left on a failed disk drive

        • Use cleanup tools (eg. Window Washer from www.webroot.com ) to regularly clean up recycle bins and caches

        • Use sdelete (from www.sysinternals.com) to overwrite and erase free space


    Audit Trails

    • To understand and clean up an incident you need to know what happened

    • To prosecute you need evidence

      • WHO did it (implies no shared accounts and traceability of accounts to people)

      • WHAT they did (implies need for transaction logging when sensitive data is changed)

      • WHEN they did it (implies need for timestamps and accurate synchronised system clocks)

      • WHERE they did it (Implies need for logging of source IP or terminal line)

      • Evidence trail must withstand suggestions of tampering (Implies frequent backup to write-once media which should be checked in to a 3rd party store)

    • Keep baseline full backups after system builds (and after each major update) on non-alterable media so you can detect all changes (including unauthorised ones) later



    LOGGING

    • Logging

      • Keep a separate dedicated SYSLOG server with restricted user access for UNIX and Network equipment so audit trails are protected if a server is compromised

      • Use a central MOM server with restricted user access to log events for Microsoft platforms

      • Use centralised password services (LDAP, Windows Active Directory, TACACS+) rather than local passwords on each machine to log access “off the box”

      • Use a firewall to separate log (SYSLOG or MOM) and password (LDAP, NIS, TACACS+ or Active Directory) servers from the rest of the network

      • Isolate and analyse infected/compromised systems prior to rebuild (or at least clone the disks)

    • Beware of logging too much data (since the logfiles themselves will become sensitive data)

      • Do log that “Iain from IP 1.2.3.4 paid £10.34 for an XYZ at 18:43 with VISA”

      • Don’t log the card number in full!! If you must, log just a few digits

      • Log the primary key only, not the full customer address record!!

      • Where possible customer and user primary keys should be public domain info or anonymous numeric IDs

      • Do not combine debug and audit data in the same logs

      • Turn off debug-level logging unless you are debugging

      • Delete logs after a reasonable interval (seek legal advice for your circumstances)
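The audit-trail and logging slides above, turned into an added Python example (not from the presentation): one audit record carries the WHO, WHAT, WHEN and WHERE, the card number is reduced to its last four digits, and the writer refuses any record that still holds a full card number. The user name, customer ID, date and card number in the sample are constructed.

```python
import re
from datetime import datetime, timezone

# Any run of 13 to 19 digits is treated as a possible full card number. (A long
# all-numeric customer ID would trip this too, which argues for shorter keys.)
PAN_RE = re.compile(r"\b\d{13,19}\b")


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number, per the slide's 'just a few digits'."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def contains_full_pan(text: str) -> bool:
    """True if the text still carries something that looks like a complete card number."""
    return PAN_RE.search(text) is not None


def audit_event(user: str, source_ip: str, action: str, when: datetime = None, **fields) -> str:
    """One audit record carrying WHO (user), WHERE (source_ip), WHAT (action and
    extra fields) and WHEN (UTC timestamp). Refuses to emit a record that still
    contains a full card number, so the logs themselves never become card data."""
    when = when or datetime.now(timezone.utc)
    parts = [f"ts={when.isoformat(timespec='seconds')}", f"user={user}",
             f"src={source_ip}", f"action={action}"]
    parts += [f"{key}={value}" for key, value in fields.items()]
    record = " ".join(parts)
    if contains_full_pan(record):
        raise ValueError("refusing to write an audit record containing a full card number")
    return record


def sample_event() -> str:
    """The slide's example transaction as a constructed record (date and card invented)."""
    return audit_event("Iain", "1.2.3.4", "payment",
                       when=datetime(2006, 5, 3, 18, 43, tzinfo=timezone.utc),
                       customer_id=1042, amount="10.34 GBP", item="XYZ",
                       card=mask_pan("4111 1111 1111 1111"))
```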



    Network Implementation

    (A Refresher Course)



    Network Types

    • Point to Point

      • Modem connection

      • Leased line

    • Broadcast

      • Ethernet

      • Wireless

    • Switched

      • X.25

    Routed Networks

    • A hierarchy of broadcast or switched networks

    • Connected by point to point links

    • Between “Gateways” or “Routers”

    • Traffic is routed hop by hop between sites



    The Internet

    • Based on DoD ARPANET (1970)

    • Current form (IP Version 4) since 1980

    • IP V6 used in some mobile networks

    • Packet Switched (40 to 1500 byte packets)

    • Primitive Layering (not quite OSI !!!)

      • Uses any available physical/data link layer

      • Internet Protocol stateless transport layer

      • Step by step routing between nodes

      • Multiple session-layer protocols

        • TCP (session oriented)

        • UDP (message oriented)

        • ICMP (diagnostic and control)

        • GRE and IPSEC (Virtual Private Networks)

        • RIP, OSPF and BGP (routing information exchange)



    IP Addresses

    • Each IP V4 address is globally unique

    • Each IP V4 address has 4 octets/bytes, e.g. 85.189.17.65

    • Each Octet has a value between 1 and 255

    • The address is split into network and host parts

    • The network part is used to route traffic to your network

      • Comparable to the street address or post code of a building

    • The host part identifies the host inside your network

      • Comparable to a room number in a building

    • E.g. a /24 subnet has 24 bits (3 octets) of network and the remaining octet identifies a host: 85.189.17.65 (network part 85.189.17, host part 65)



    Private IP Addresses

    • Normal IP addresses are globally unique

      • allocated by regional internet registries

      • routable over public networks

    • 3 IP address blocks are allocated for private use under RFC1918

      • 10.0.0.0 to 10.255.255.255

      • 172.0.0.0 to 172.32.255.255

      • 192.168.0.0 to 192.168.255.255

      • Anyone can use RFC1918 IPs

      • Public networks must not route traffic addressed to them

    • RFC1918 addresses should be used in private networks

    • Network Address Translation (NAT) is required to interconnect RFC1918 and public networks



    IP Routing

    • Routers hold routing tables for network addresses

    • Traffic is routed hop by hop towards the destination according to the best known route in the subset of the routing table held in each router

    • Each host and router has a “default route” or “default gateway” for destinations not in its table

    • Addresses with the same network address and different host addresses are on the local LAN and can be reached without going through the gateway

    • The “Netmask” specifies which bits of the address form the network address. A bit set to ‘1’ in the netmask forms part of the network address, e.g. netmask 255.255.255.0 specifies 3 bytes of network address (sometimes called a /24 or class C network)



    IP Routing (2)

    [Diagram: a router or firewall with outside IP 11.12.13.14 and inside IP 192.168.1.254 connects the Internet (a server at 1.2.3.4) to the local LAN 192.168.1.0/24, whose local computers are 192.168.1.2, 192.168.1.3 and 192.168.1.4]

    • Netmask is /24; network part is 192.168.1

    • From 192.168.1.2 to 192.168.1.4: network parts are the same – send over LAN

    • From 192.168.1.1 to 1.2.3.4: network parts are different – send to default gateway 192.168.1.254; the default gateway sends to the Internet
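The routing decision on the last two slides, as an added Python example (not from the presentation): the netmask selects the network part, and a host compares its own network part with the destination's to decide between the LAN and the default gateway. The addresses are the ones used on the slides.

```python
import ipaddress


def prefix_to_netmask(prefix_len: int) -> str:
    """Netmask for a /N prefix: the first N bits set to 1, e.g. 24 -> 255.255.255.0."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask)


def split_address(addr: str, netmask: str) -> tuple:
    """Split an address into (network part, host part) using the netmask.
    Bits set to 1 in the netmask select the network part; the rest is the host."""
    a = int(ipaddress.ip_address(addr))
    m = int(ipaddress.ip_address(netmask))
    network = str(ipaddress.ip_address(a & m))
    host = a & (~m & 0xFFFFFFFF)
    return network, host


def next_hop(src: str, dst: str, netmask: str, gateway: str) -> str:
    """Where a host sends a packet: 'lan' if the network parts match, else the gateway.
    Hop-by-hop routing then continues from the gateway, which is outside this model."""
    if split_address(src, netmask)[0] == split_address(dst, netmask)[0]:
        return "lan"
    return gateway


if __name__ == "__main__":
    # Walk through the slide's two cases on LAN 192.168.1.0/24 (constructed run).
    mask = prefix_to_netmask(24)
    print(split_address("85.189.17.65", mask))                            # ('85.189.17.0', 65)
    print(next_hop("192.168.1.2", "192.168.1.4", mask, "192.168.1.254"))  # lan
    print(next_hop("192.168.1.1", "1.2.3.4", mask, "192.168.1.254"))      # 192.168.1.254
```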



    Network Address Translation


    • Router translates inside addresses to outside as packets pass through

    • Allows reuse of scarce IP addresses

    • Allows multiple inside users to share one outside IP address

    • Prevents outside attackers reaching inside computers directly

    [Diagram: local computers 192.168.1.1 to 192.168.1.4 on LAN 192.168.1.0/24; 192.168.1.1 sends to www.xyz.com, the router or firewall rewrites the source to its outside IP 11.12.13.14, and the reply from www.xyz.com to 11.12.13.14 is translated back to 192.168.1.1]



    Dynamic NAT


    • One outside IP

    • Multiple inside IPs

    • Router uses different outbound port numbers for each connection

    • Router knows inside IP for reply packets based on port used

    • Does not work for unsolicited inbound traffic

    [Diagram: 192.168.1.1:32000 connects to www.xyz.com:80; the router or firewall (outside IP 11.12.13.14) sends it on as 11.12.13.14:32000 to www.xyz.com:80, and the reply from www.xyz.com:80 to 11.12.13.14:32000 is mapped back to 192.168.1.1:32000; local computers 192.168.1.1 to 192.168.1.4 on LAN 192.168.1.0/24]



    Static NAT


    • Each inside IP maps to one outside IP

    • Outside IPs are independent of router IP

    • Port numbers preserved through NAT

    • Allows incoming traffic to outside IP

    • Needs inbound access lists to stop unwanted traffic getting to inside network

    [Diagram: 192.168.1.1 sends to www.xyz.com; it leaves the router (router IP 11.12.13.14) as 11.12.13.15, and the reply to 11.12.13.15 is mapped back to 192.168.1.1; local computers 192.168.1.1 to 192.168.1.4 on local LAN 192.168.1.0/24]

    NAT TABLE:

      • 192.168.1.1 > 11.12.13.15

      • 192.168.1.2 > 11.12.13.16

      • 192.168.1.3 > 11.12.13.17

      • 192.168.1.4 > 11.12.13.18
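The dynamic and static NAT behaviour of the last two slides, as an added Python model (not from the presentation or any router vendor): static entries are 1:1 mappings with the port preserved, every other inside host shares the router's outside IP and is told apart by the outside port the router assigns, and an inbound packet with no table entry is dropped. Addresses follow the slides; www.xyz.com is replaced by a constructed IP.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Toy model of the slides' router/firewall. Static entries map one inside IP
    to its own outside IP with the port preserved; all other inside hosts share the
    router's outside IP and are told apart by the outside port the router assigns."""

    def __init__(self, outside_ip, static=None, first_port=32000):
        self.outside_ip = outside_ip
        self.static = dict(static or {})          # inside IP -> dedicated outside IP
        self.static_rev = {v: k for k, v in self.static.items()}
        self.next_port = first_port               # next free outside port for dynamic NAT
        self.dynamic = {}                         # (inside IP, inside port) -> outside port
        self.dynamic_rev = {}                     # outside port -> (inside IP, inside port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the LAN."""
        if pkt.src_ip in self.static:
            return Packet(self.static[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.dynamic:               # first packet of a new flow: allocate a port
            self.dynamic[key] = self.next_port
            self.dynamic_rev[self.next_port] = key
            self.next_port += 1
        return Packet(self.outside_ip, self.dynamic[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Rewrite the destination of a packet arriving from the Internet, or return
        None to drop it. A static outside IP always passes (hence the slide's note
        that static NAT needs inbound access lists); a dynamic port passes only if an
        inside host opened that flow, so unsolicited traffic has nowhere to go."""
        if pkt.dst_ip in self.static_rev:
            return Packet(pkt.src_ip, pkt.src_port, self.static_rev[pkt.dst_ip], pkt.dst_port)
        if pkt.dst_ip == self.outside_ip and pkt.dst_port in self.dynamic_rev:
            inside_ip, inside_port = self.dynamic_rev[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        return None
```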



    Domain Name Service (DNS)

    • IP addresses are non memorable and change frequently

    • DNS provides long lasting plain language names mapped to addresses

      • E.g. 85.189.17.65 = router.moffatig.com

    • DNS is a distributed hierarchical database

    • Root Servers are managed by US Government

    • Country and subject domains are managed by various agencies and contractors, e.g.

      • .co.uk by Nominet, a non-profit organisation

      • .com and .net by VeriSign, Inc.

    • Most Internet Service Providers, Universities and Companies operate local DNS cache servers

    • Local users always query the cache server

    • Cache servers query up the chain until they find a name-to-address mapping or fail

    • Successful lookups are stored for a configurable time in the cache



    TCP and UDP Ports

    • TCP and UDP append a ‘port’ to the network address to identify a program or service running on each endpoint computer

    • The port is a 16 bit field in the TCP or UDP header so 65536 are available

    • The combination of address, protocol and port is called a “socket”

    • In general ports above 32,000 are used to source outbound connections

    • Ports below 1024 are used for well-known services

      • TCP:80 – World Wide Web

      • TCP:25 – SMTP mail delivery

      • UDP:53 – Domain Name Service (DNS)



    Secure Network Design

    • NAT or DMZ

      • Network Address Translation (NAT) ‘hides’ a local network behind a single external internet connection

      • A DMZ provides 2 layers of defence and is better at blocking unwanted outbound traffic

    • NAT is appropriate to home and branch office environments

    • A DMZ is better suited to larger sites that have their own web and mail servers

    • DMZ proxies also allow mail and web traffic monitoring and control



    Simple NAT Network


    • Typical Home LAN

    • One Outside IP

    • Multiple inside IPs

    • Any inside PC can connect outbound

    • No unsolicited traffic is allowed inbound

    • Not well suited to local web or mail servers

    • Can’t stop key loggers etc ‘phoning home’ without risk of blocking wanted outbound traffic.

    [Diagram: a router or firewall between the Internet and the local LAN of local computers, with the rules “Permit only replies IN” and “Permit any OUT”]



    DMZ Network


    • No direct external connections

    • All traffic is filtered by secure servers in the DMZ

    • Safer and more controlled solution for large sites

    • Outbound connections via web proxies in DMZ only

    • Inbound connections to mail/web/file servers in DMZ only

    • Inside firewall permits DMZ Local traffic only

    • Outside firewall permits Local DMZ traffic only.

    [Diagram: the Internet – outside or “screen” router or firewall (permit only DMZ traffic IN) – DMZ LAN holding the mail server and web proxy – inside or “choke” router or firewall (permit only to DMZ) – local LAN of local computers]



    Firewalls and Routers


    • Firewalls and routers connect two networks

    • Firewalls inspect traffic passing through and understand the application protocol

    • Routers inspect individual packets and don’t understand connection state

    [Diagram: a router or firewall between the Internet and the local LAN of local computers, with the rules “Permit only replies IN” and “Permit any OUT”]



    Firewalls vs Routers

    • Firewalls

      • based on general purpose microprocessors

      • aware of application sessions

      • can implement complex rules

      • Usually have graphical management interface

      • 10–1000 Mbit/s throughput

      • include basic IP routing functions

    • Routers

      • based on custom silicon in large part

      • process packets individually

      • Usually have text configuration file

      • better at implementing simple rules on fast links

      • better at complex IP routing protocols

      • 10 Mbit/s to 10 Gbit/s throughput



    Firewall Inspection

    From: http://www.checkpoint.com/support/technical/documents/FWOpenLook.pdf



    Checkpoint Firewall-1 GUI

    From: http://www.checkpoint.com/support/technical/documents/FWOpenLook.pdf



    Router ACL process

    [Flowchart: Packet In → Rule 1 → Rule 2 → … → Rule N → Default. A rule that matches with Permit sends the packet out; a rule that matches with Deny discards it (optionally with a LOG); a packet that matches no rule reaches the Default, which discards it]

    • Note:

    • This process is completely stateless (per-packet)

    • Normally packets that reach the default-deny are not logged

    • Performance is improved by putting frequently hit rules first



    Example Router ACL

    access-list 101 remark *** Internet Inbound ACL

    access-list 101 remark *** ICMP and established at top for efficiency

    access-list 101 permit tcp any 85.189.17.64 0.0.0.7 established

    access-list 101 permit icmp any 85.189.17.64 0.0.0.7 echo-reply

    access-list 101 permit icmp any 85.189.17.64 0.0.0.7 unreachable

    access-list 101 permit icmp any 85.189.17.64 0.0.0.7 ttl-exceeded

    access-list 101 permit icmp any 85.189.17.68 0.0.0.3 echo

    access-list 101 permit icmp any host 85.189.17.65 echo

    access-list 101 remark *** Top 4 NAT IPs are statics for server

    access-list 101 permit tcp any 85.189.17.68 0.0.0.3 eq www

    access-list 101 permit tcp any 85.189.17.68 0.0.0.3 eq 443

    access-list 101 permit tcp any 85.189.17.68 0.0.0.3 eq smtp

    etc etc etc
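An added Python evaluator (not from the slides or any router's software) for the stateless first-match process described above, run over a constructed subset of the example ACL: it expands the Cisco wildcard masks (0.0.0.7 covers 85.189.17.64–71), checks `eq` ports, ICMP types and the `established` keyword, and falls through to the implicit, unlogged default deny when nothing matches.

```python
import ipaddress

PORT_NAMES = {"www": 80, "smtp": 25}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "ttl-exceeded": 11}

# Constructed input: a subset of the slide's ACL above (remark lines are skipped).
EXAMPLE_ACL = """
access-list 101 permit tcp any 85.189.17.64 0.0.0.7 established
access-list 101 permit icmp any 85.189.17.64 0.0.0.7 echo-reply
access-list 101 permit icmp any host 85.189.17.65 echo
access-list 101 permit tcp any 85.189.17.68 0.0.0.3 eq www
access-list 101 permit tcp any 85.189.17.68 0.0.0.3 eq smtp
"""

def _addr_spec(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'. A Cisco wildcard is the inverse of a
    netmask (0 bits must match), so 85.189.17.64 0.0.0.7 is the /29 85.189.17.64-71."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(tokens[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_acl(text):
    """Turn access-list lines into an ordered list of rule dicts."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, rest = _addr_spec(t[4:])
        dst, rest = _addr_spec(rest)
        rule = {"action": t[2], "proto": t[3], "src": src, "dst": dst,
                "port": None, "icmp": None, "established": False}
        while rest:
            tok = rest.pop(0)
            if tok == "eq":                 # destination port by name or number
                name = rest.pop(0)
                rule["port"] = PORT_NAMES[name] if name in PORT_NAMES else int(name)
            elif tok == "established":      # TCP replies only (ACK set)
                rule["established"] = True
            elif tok in ICMP_TYPES:
                rule["icmp"] = ICMP_TYPES[tok]
        rules.append(rule)
    return rules

def evaluate(rules, pkt):
    """Stateless first-match lookup: (action, index of the matching rule or None).
    A packet that matches no rule reaches the implicit default deny, which is not logged."""
    for i, r in enumerate(rules):
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        if (ipaddress.ip_address(pkt["src"]) not in r["src"]
                or ipaddress.ip_address(pkt["dst"]) not in r["dst"]):
            continue
        if r["port"] is not None and pkt.get("dport") != r["port"]:
            continue
        if r["established"] and not pkt.get("ack", False):
            continue
        if r["icmp"] is not None and pkt.get("icmp_type") != r["icmp"]:
            continue
        return r["action"], i
    return "deny", None
```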



    Proxies

    • Intercept outbound communications

    • Apply filtering rules

    • Block dangerous content inbound

    • Can be

      • “opt in” – requiring browser configuration

      • “transparent” – using network to redirect web traffic through the proxy

    • All users appear to a web server as coming from the proxy



    Proxy Operation

    [Diagram: a local computer connects to the proxy server at 192.168.0.253 and sends “GET: http://www.xyz.com/index.html”; the proxy applies its access rules, writes log files, and itself connects to the web server www.xyz.com on the Internet with “GET: /index.html”]



    Available Proxy Solutions

    • Windows – Microsoft ISA Server: http://www.microsoft.com/isaserver/default.mspx

    • UNIX/Linux – squid proxy: http://www.squid-cache.org/

    • Self-contained appliance – NetApp NetCache: http://www.netapp.com/products/netcache/bluecoat.html



    Investigating Problems



    Local Investigation Tools

    • Evidence Preservation

      • Norton Ghost

      • UNIX or Windows disk mirroring

    • Audit Logs

      • Windows Event Log or MOM

      • Log files in C:\Windows or C:\WinNT

      • UNIX Syslog and /var/log files

      • Firewall or Router logs



    Remote Investigation Tools

    • Nslookup

    • Traceroute (unix) or tracert (Windows)

    • Whois

    • Port Scanners



    NSLOOKUP

    • Name to Address Mapping

    • Address to Name Mapping



    Traceroute

    • Finds path to remote host or IP

    • Will usually identify the attacker’s ISP



    WHOIS

    • Provides lookup of registered domain name and IP address owners

    • 3 regional registries for IP addresses

      • RIPE (Europe):

      • ARIN (Americas):

      • APNIC (Asia/Pacific):

    • Registries for each domain ending

      • .com: www.netsol.com

      • .co.uk: www.nominet.co.uk



    Port Scanners

    • Not nice to use on other people

    • A good thing for scanning one’s own network for security holes

    • I recommend NMAP which is included in many Linux distributions



    Packet Sniffers

    • Easiest independent check on traffic

    • May also spot private data and passwords in transit

    • Built in to most UNIX versions

      • snoop in Sun Solaris

      • tcpdump in Linux and BSD

    • Freeware for Windows

      • ethereal

      • wireshark



    WEB02:~# tcpdump -i eth0 -s 0 -x port 80

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

    17:28:37.651756 IP web02.moffatig.com.47731 > 213.120.156.179.www: S 2409488259:

    2409488259(0) win 5840 <mss 1460,sackOK,timestamp 2867567837 0,nop,wscale 0>

    0x0000: 4500 003c 435e 4000 4006 c186 c0a8 0303 E..<C^@.@.......

    0x0010: d578 9cb3 ba73 0050 8f9d df83 0000 0000 .x...s.P........

    0x0020: a002 16d0 89b1 0000 0204 05b4 0402 080a ................

    0x0030: aaeb 9cdd 0000 0000 0103 0300 ............

    17:28:40.651910 IP web02.moffatig.com.47731 > 213.120.156.179.www: S 2409488259:

    2409488259(0) win 5840 <mss 1460,sackOK,timestamp 2867570838 0,nop,wscale 0>

    0x0000: 4500 003c 435f 4000 4006 c185 c0a8 0303 E..<C_@.@.......

    0x0010: d578 9cb3 ba73 0050 8f9d df83 0000 0000 .x...s.P........

    0x0020: a002 16d0 7df8 0000 0204 05b4 0402 080a ....}...........

    0x0030: aaeb a896 0000 0000 0103 0300 ............

    17:28:45.603093 IP 193.113.37.9.20654 > web02.moffatig.com.www: S 2349994328:234

    9994328(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 8486240 0>

    0x0000: 4500 003c 12ff 0000 3406 c997 c171 2509 E..<....4....q%.

    0x0010: c0a8 0303 50ae 0050 8c12 1158 0000 0000 ....P..P...X....

    0x0020: a002 ffff 3498 0000 0204 05b4 0103 0300 ....4...........

    0x0030: 0101 080a 0081 7d60 0000 0000 ......}`....
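To show what the hex lines in the capture above actually contain, here is an added Python decoder (not from the presentation) that turns the first packet's hex columns back into bytes and reads the IPv4 and TCP headers; it recovers the same source port, SYN flag, sequence number and window that tcpdump printed on the text line. The ASCII gutter on the right of each line has been dropped from the constructed input.

```python
import ipaddress
import struct

# Hex columns of the first packet in the capture above (constructed input; the
# ASCII gutter that tcpdump prints at the right of each line has been removed).
SAMPLE_DUMP = """
0x0000: 4500 003c 435e 4000 4006 c186 c0a8 0303
0x0010: d578 9cb3 ba73 0050 8f9d df83 0000 0000
0x0020: a002 16d0 89b1 0000 0204 05b4 0402 080a
0x0030: aaeb 9cdd 0000 0000 0103 0300
"""

TCP_FLAGS = (("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08), ("A", 0x10), ("U", 0x20))


def hexdump_to_bytes(dump: str) -> bytes:
    """Join the hex groups of each 'OFFSET: hhhh hhhh ...' line into raw packet bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        groups = line.split()[1:]                  # drop the 0xNNNN offset
        hexdigits = "".join(g for g in groups if all(c in "0123456789abcdef" for c in g))
        out.extend(bytes.fromhex(hexdigits))
    return bytes(out)


def decode_ipv4_tcp(packet: bytes) -> dict:
    """Decode the IPv4 header and, for protocol 6, the TCP header that follows it."""
    ver_ihl, _tos, total_len, ident, frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4                     # IP header length in bytes (normally 20)
    info = {"version": ver_ihl >> 4, "total_length": total_len, "id": ident,
            "dont_fragment": bool(frag & 0x4000), "ttl": ttl, "protocol": proto,
            "src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst))}
    if proto == 6:
        sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", packet[ihl:ihl + 16])
        info.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
                     "tcp_header_len": (off_flags >> 12) * 4,   # data offset in 32-bit words
                     "flags": "".join(n for n, bit in TCP_FLAGS if off_flags & bit)})
    return info


def summarize(info: dict) -> str:
    """One-line summary in the style of tcpdump's own text line."""
    return (f"IP {info['src']}.{info['sport']} > {info['dst']}.{info['dport']}: "
            f"{info['flags']} {info['seq']} win {info['window']}")
```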



    Current Security issues

    • BOTNETS

      • Networks of hijacked PCs controlled remotely to send SPAM or do denial-of-service attacks on a remote system

      • Defeats most attempts to trace source of an attack

      • Will require strict control of outbound traffic to stop infected PCs registering with a botnet

    • Highly randomised SPAM mail

      • Difficult to get rid of by subject or keyword filters

      • Distasteful or destructive content hidden in image files or embedded URLs

      • Requires pattern recognition to reliably block

      • The world really needs mailscanners that can interpret images



    Further Reading

    • Data Protection Act 1998: http://www.opsi.gov.uk/acts/acts1998/19980029.htm#aofs

    • Regulation of Investigatory Powers Act 2000: http://www.opsi.gov.uk/Acts/acts2000/20000023.htm

    • Computer Misuse Act 1990: http://www.opsi.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm

    • Regional Address Registries: http://www.ripe.net/ , http://www.arin.net/index.shtml , http://www.apnic.net

    • Computer Security Alerts: UNIRAS (UK): http://www.uniras.gov.uk/niscc/index-en.html ; USCERT: http://www.cert.org/ ; ISC: http://isc.sans.org/

    • Microsoft Baseline Security Analyser: http://www.microsoft.com/technet/security/tools/mbsahome.mspx

