Information Security: Security Blankets are not Enough Karl F. Lutzen, CISSP S&T Information Security Officer
About Me • Karl F. Lutzen • Certified Information Systems Security Professional (CISSP) • S&T Information Security Officer • Instructor for CS 362 • Office Location: CH 203D • Email: kfl@mst.edu (start here!)
Information • “Information” is likely the only asset that can be stolen from you while you still have full possession. • This includes: Data, Personal information, trade secrets, intellectual property, etc.
Information • Clearly we need to protect: • The information itself • The systems where it lives • The access to it • And many other aspects
Fundamental Principles • Confidentiality • Availability • Integrity
Question • How much of the overall security will be technical solutions?
Our information lives here: What all do we need to do to protect it?
Physical (Environmental) Security • Physical security consists of physically securing the devices: • Locks/Cables, Alarms, Secure rooms, Cameras*, Fences, Lighting, Heating, Cooling, Fire protection, etc. • If you defeat the physical security controls, all other control domains (except one) are defeated. *Cameras will likely not prevent a theft. They only deter it or provide evidence later.
Access Control and Methodology • Who has access, how is it controlled, etc. • Authentication • Passphrases, two factor, multi-factor, biometrics • Access Controls (Authorization) • Role Based Access, Mandatory Access Controls, Discretionary Access Controls • Least Privilege and Need to Know
Application Development Security • Software Based Controls • Software Development Lifecycle and Principles • Development models: waterfall, spiral, etc. • Code Review
Telecommunications and Network Security • Implementing correct protocols • Network services • Firewalls • IDS/IPS • Traffic Shaping • Network Topology
Business Continuity Planning (BCP) / Disaster Recovery Planning (DRP) • BCP – What controls and processes do we need to implement to keep our systems running? • Backups, off-site data storage, cross-training, etc. • DRP – What do we need to do in a crisis? • Response plans, Recovery plans, etc.
Security Architecture and Models • Operation modes/protection mechanisms. • Evaluation Criteria • Security Models • Common Flaws/Issues: • Covert Channels, timing issues, maintenance hooks, etc.
Information Security Governance and Risk Management • Policies, Standards, Guidelines and Procedures • Risk Management Tools and Practices • Risk assessment: • Qualitative vs. Quantitative • Planning and Organization
Operations Security • Administrative Management • Operation Controls • Auditing • Monitoring • Intrusion Detection (operational side) • Threats/Countermeasures
Legal, Regulations, Investigations and Compliance • Types of computer crimes/attacks • Categories of Law • Computer Laws • Incidents and incident handling • Investigation and Evidence
Cryptography • Concepts and Methodologies • Encryption algorithms • Asymmetric vs. symmetric • PKI • Cryptanalysis/Methods of Attacks • Steganography
PICK GOOD ALGORITHMS! • [Figure: the same image shown three ways: Original, Using ECB Mode, Non-ECB. Under ECB the outline of the image is still visible in the ciphertext.] • ECB = Electronic Codebook. Divide the message into blocks; the same key encrypts each block separately, so identical plaintext blocks produce identical ciphertext blocks and patterns in the data survive encryption. (http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation)
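The slide's point is that ECB leaks structure because equal plaintext blocks give equal ciphertext blocks. The following added example (not part of the original slides) makes that visible on bytes instead of a picture. It assumes a toy 16-byte block cipher built from a four-round Feistel network with HMAC-SHA256 as the round function, standing in for AES so the script runs with only the Python standard library; the cipher is for illustration of the modes only, not for real use. It encrypts a repetitive plaintext in ECB and in CBC and then applies the standard "count repeated ciphertext blocks" check that reveals ECB.

```python
import hmac
import hashlib

BLOCK = 16  # bytes per block, same block size as AES


def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed PRF for one Feistel round, truncated to half a block (8 bytes).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block with a 4-round Feistel network.

    Assumption: a toy stand-in for a real block cipher such as AES; it is
    deterministic and keyed, which is all the ECB-vs-CBC comparison needs.
    """
    if len(block) != BLOCK:
        raise ValueError("block must be exactly %d bytes" % BLOCK)
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        f = _round_function(key, rnd, right)
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    # Always adds 1..16 bytes so the last block is unambiguous.
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Electronic Codebook: every block encrypted independently with the same key."""
    return b"".join(toy_block_encrypt(key, b) for b in _blocks(pkcs7_pad(plaintext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Cipher Block Chaining: each block is XORed with the previous ciphertext
    block (or the IV) before encryption, so equal plaintext blocks diverge."""
    out, prev = [], iv
    for b in _blocks(pkcs7_pad(plaintext)):
        c = toy_block_encrypt(key, _xor(b, prev))
        out.append(c)
        prev = c
    return b"".join(out)


def count_repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block.
    Any value above zero is a strong hint that ECB (or a reused key+IV) is in use."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


def looks_like_ecb(ciphertext: bytes) -> bool:
    return count_repeated_blocks(ciphertext) > 0


if __name__ == "__main__":
    # Constructed demo inputs: fixed key/IV and a plaintext of four identical blocks.
    key = b"\x01" * 16
    iv = b"\x00" * 16
    plaintext = b"A" * 64
    ecb = ecb_encrypt(key, plaintext)
    cbc = cbc_encrypt(key, iv, plaintext)
    print("ECB repeated blocks:", count_repeated_blocks(ecb), "-> ECB?", looks_like_ecb(ecb))
    print("CBC repeated blocks:", count_repeated_blocks(cbc), "-> ECB?", looks_like_ecb(cbc))
```

With four identical 16-byte plaintext blocks plus one padding block, ECB yields five ciphertext blocks of which only two are distinct, so three repeats show up; CBC yields five distinct blocks. The same counting check works on real AES output and is a quick triage step when reviewing a system whose cipher mode is unknown. The penguin on the slide is just this effect at image scale.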
Threats to Security • Viruses and Worms • Other Malware and Trojans • Social Engineering/Phishing • Intruders • Insiders • Criminal Organizations • Terrorists and Information Warfare • Insecure Applications
Viruses, Worms, Malware, Trojans • Lack of policies/training/procedures • Employees can bring in problems! • Mitigation techniques: • Anti Virus • Firewalls • TRAINING
Social Engineering • Multiple methods: • Phone calls • Dumpster Diving • Phishing • Mitigation techniques • Policies/Procedures • Training
Intruders • Def: Deliberately accessing systems or networks to which one is not authorized • Types: • Unstructured threat – not after a specific target • Opportunity • Script Kiddies • Structured Threat – a specific target is in mind • Elite hackers
Insiders • Most Dangerous! Accounts for 70-75% of all security events • Insiders have access to the keys to the kingdom • Human errors account for many security events • Mitigation • Policies, Procedures, Training, Monitoring, etc
Criminal Organizations • With so many business functions now relying on the Internet, crime was sure to follow it. • Attacks: • Fraud, extortion, theft, embezzlement and forgery • Well funded, hire elite hackers, willing to spend years if necessary • Type: Structured attack
Two Types of Electronic Crime • Crimes in which the computer was the target of the attack • Incidents in which the computer was a means of perpetrating a criminal act.
Threats to Security • The biggest change that has occurred in security over the last 30 years has been the change in the computing environment • Central Mainframes to • Decentralized smaller, yet interconnected, systems • Although we seem to be shifting back towards central data centers for core operations.
Avenues of Attack • Types: • Specific target of an attacker • Target of opportunity
Steps in an Attack • Reconnaissance • Gather easily available data • Publicly available information from the web • Newspapers • Financial reports (if publicly traded they are available) • Google as an attack tool?
Reconnaissance (cont.) • Probing • Ping sweeps – find hosts • Port sweeps – find open ports to then test for holes • Determine OS (can be done quite accurately!)
Steps in an attack • Attempt to exploit vulnerabilities • Attempt to gain access through userid/passwords • Brute force • Social engineering • And of course there is simply the physical theft of the system, backup tapes, etc.!
Minimizing Attack Avenues • Patch against vulnerabilities • Use of DMZ (system isolation) • Firewalls • Intrusion detection/prevention systems • Minimize open ports/systems directly accessible to the Internet • Good physical security • Good training to negate social engineering attacks
RSA Attack • March 2011, RSA had a data breach • Attacker stole information which affected some 40 million two-factor authentication tokens • Devices are used in private industry and government agencies • Produces a 6 digit number every 60 seconds.
RSA Attack Analysis • An Advanced Persistent Threat (APT): a structured (advanced), targeted attack (persistent), intent on gaining information (threat)
RSA Background • RSA is a security company that employs a great number of security devices to prevent such a data breach • The methods used bypassed many of the controls that would otherwise have prevented a direct attack
Attacker Initial Steps • Attackers acquired valid email addresses of a small group of employees. • Had the attackers mass-mailed every possible address, it would have given them away and made prevention/detection by RSA much easier.
Phishing Emails • Two different phishing emails sent over a two-day period. • Sent to two small groups of employees, not particularly high profile or high value targets. • Subject line read: 2011 Recruitment Plan • SPAM filtering DID catch it, but put it in the Junk folder
Employee Mistake • One employee retrieved the email from the Junk mail folder • Email contained an Excel spreadsheet entitled: 2011 Recruitment Plan.xls • Spreadsheet contained a zero-day exploit through Adobe Flash (since patched). • Installed a backdoor program to allow access.
Remote Administration Tool (RAT) • Attackers chose to use the Poison Ivy RAT. • Very tiny footprint • Gives attacker complete control over the system • Set in reverse-connect mode. System reaches out to get commands. Fairly standard method of getting through firewalls/IPS
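A reverse-connect RAT gets past port-based firewalling because the victim initiates an allowed outbound connection (typically to 443) and then polls the attacker's server on a schedule. What a defender can still see is that schedule. The added example below is not from the slides or from the RSA investigation; it runs a simple beaconing check over constructed firewall log lines (format assumed: ISO timestamp, source IP, destination IP:port, action), groups connections by flow, and flags flows whose inter-connection intervals are nearly constant. The thresholds (at least five connections, coefficient of variation of the gaps under 0.1) are assumptions to tune per network.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not from any real incident). One internal host
# browses irregularly to 198.51.100.x and checks in to 203.0.113.10:443
# roughly every 300 seconds, the way a reverse-connect RAT polls for commands.
SAMPLE_LOG = """\
2011-03-01T09:00:00 10.1.2.34 203.0.113.10:443 ALLOW
2011-03-01T09:00:07 10.1.2.34 198.51.100.20:80 ALLOW
2011-03-01T09:05:01 10.1.2.34 203.0.113.10:443 ALLOW
2011-03-01T09:06:42 10.1.2.34 198.51.100.21:80 ALLOW
2011-03-01T09:09:59 10.1.2.34 203.0.113.10:443 ALLOW
2011-03-01T09:15:02 10.1.2.34 203.0.113.10:443 ALLOW
2011-03-01T09:17:30 10.1.2.34 198.51.100.20:80 ALLOW
2011-03-01T09:20:00 10.1.2.34 203.0.113.10:443 ALLOW
2011-03-01T09:24:58 10.1.2.34 203.0.113.10:443 ALLOW
2011-03-01T09:30:01 10.1.2.34 203.0.113.10:443 ALLOW
2011-03-01T09:31:15 10.1.2.34 198.51.100.22:443 ALLOW
2011-03-01T09:44:03 10.1.2.34 198.51.100.20:80 ALLOW
"""


def parse_log(text: str):
    """Parse '<ISO time> <src> <dst>:<port> <action>' lines (assumed format)
    into (timestamp, src, dst, port) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _action = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        events.append((datetime.fromisoformat(ts), src, dst_ip, int(dst_port)))
    return events


def find_beacons(events, min_count: int = 5, max_cv: float = 0.1):
    """Return flows whose connection intervals are suspiciously regular.

    For each (src, dst, port) with at least min_count connections, compute
    the gaps between consecutive connections and their coefficient of
    variation (stdev / mean). Human-driven traffic is bursty (high CV);
    a sleep-loop beacon is nearly periodic (low CV). Thresholds are assumptions.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port in events:
        by_flow[(src, dst, port)].append(ts)

    findings = []
    for flow, times in by_flow.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all connections in the same second; not a beacon pattern
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "flow": flow,
                "count": len(times),
                "period_s": round(avg),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        src, dst, port = hit["flow"]
        print("possible beacon: %s -> %s:%d every ~%ds (%d hits, cv=%.3f)"
              % (src, dst, port, hit["period_s"], hit["count"], hit["cv"]))
```

The check only works if outbound connections are logged in the first place, which is why "block all but specific protocols" has to be paired with inspecting what is left. Real RATs often randomize their sleep interval, so in practice `max_cv` is loosened and the check is combined with other signals (new destination for the whole organization, long-lived connection to a bare IP, odd user agent) rather than used alone.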
Digital Shoulder-Surfing • Next the attackers just sat back and digitally listened to what was going on with the system • The initial system/user didn’t have adequate access for their needs so they needed to take a step to another system to go further.
Harvesting • Initial platform wasn't adequate, so the attackers harvested credentials (user, domain admin, and service accounts) • Next, performed privilege escalation on non-admin users on other targeted systems. Goal: gain access to high value systems/targets.
The Race • During the stepping from system to system, security controls detected an attack in progress. The race was now on. • Attacker had to move very quickly during this phase of finding a valuable target.
Data Gathering • Attacker established access at staging servers at key aggregation points to retrieve data. • As they visited servers of interest, data was copied to staging servers. • Staging servers aggregated, compressed, encrypted and then FTP’d the data out.
Receiving Host • Target receiving data was a compromised host at an external hosting provider. • Attacker then removed the files from the external compromised host to remove traces of the attack. • This also hid the attacker’s true identity/location.
Lessons Learned • Weakest link: A human • Layered Security: Not adequate to prevent the breach • Upside: Able to implement new security controls that until this point were considered too restrictive.
Karl’s Changes • What follows would be the changes I’d make at RSA. • Note, they are a commercial company and do not have the open requirements higher education has. Two different beasts. • If I were to implement these, very likely I’d be doing a different job…
Changes • Traffic shaping both ways. (Firewall port blocking isn’t enough) • Block all but specific protocols • IDS/IPS on all those protocols • Aggressive use of DMZ: Isolate systems • Isolate workstations from one another • Clean Access Solutions on all systems
Biggest Change • Mandatory Monthly Security Awareness training for everyone. • (breaking it into monthly modules makes it tolerable) • Needs to be interesting/fun, Door prizes, etc.