Infosec Workshop - PacINET 2007

  • 2,403 views
Uploaded on

Full day workshop on Information Security delivered at PacINET 2007 in Honiara, Solomon Islands.

Full day workshop on Information Security delivered at PacINET 2007 in Honiara, Solomon Islands.

More in: Technology , Business
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
2,403
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
193
Comments
0
Likes
1

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. PacINET 2007
      • Information Security Workshop
      • August 21, 2007
  • 2. Presenter
    • Chris Hammond-Thrasher
      • 10 years of ICT consulting in Canada
      • Was a Senior Management Consultant in Security, Privacy, and Technical Risk for Fujitsu Consulting Canada
      • MLIS (I am a librarian)
      • CISSP (I am a security manager)
      • Currently USP Library Systems Manager
      • Author of the Digital Fiji blog <http://dfiji.blogspot.com/>
  • 3. Agenda
      • Part 0: Why are we here?
      • Part 1: Information security?
      • Part 2: What an information security team needs to know
      • Part 3: Security incidents
      • Part 4: Top ten infosec tools
  • 4. Goals
      • To show participants the scope of the field of information security management
      • To demonstrate that there is an ethical responsibility that goes along with information security skills (aka h4X0r 5k1775)
      • To entice participants to lobby their employers, educational institutions, and professional organizations to provide them with more infosec training and certification opportunities
      • To establish a need for regional infosec cooperation – we need a PacCERT!
  • 5. Part 0 – Why are we here?
  • 6. A war zone
    • Leading up to the 1991 invasion of Iraq
      • The American NSA disabled Iraqi air defense computers with virus laden printers sold to Iraq through Jordanians
    • <Dorithy Denning, Information Warfare and Security. Addison-Wesley: Boston. 1999.>
  • 7. A war zone
    • The cost of cybercrime
      • A 2005 FBI study found that 90% of US companies suffered security incidents
      • Cybercrime cost US companies an average of US$24,000 last year
      • The total cost of cybercrime in the US, in 2005 alone, was over US$400 billion
    • <http://www.uneca.org/e-trade/Presentations/ Network%20Security%20and%20Applications%20-%20Global%20Perspective%20-%20Michael%20Bitz.ppt>
  • 8. A war zone
    • Human rights, China, and Yahoo
      • “The House Foreign Affairs Committee has ordered an investigation into Yahoo’s role in the prosecution of Shi Tao, a journalist and Yahoo Mail user, who was arrested in 2004 by Chinese officials after Yahoo cooperated with their request for information. The committee’s interest in the matter was sparked by new documents that suggest Yahoo gave information to Chinese authorities knowing that it could lead to the reporter’s arrest.”
      • <http://digitaldaily.allthingsd.com/20070808/yahoo-china/>
  • 9. A war zone
    • 2007 Estonian cyber attack
      • “ The May events followed the Estonian [pop. 1.3 million] decision to dismantle and move a symbolically significant Russian war memorial... Many of the early attacks that subsequently overwhelmed Estonia's Web servers, banks, and government email systems were rudimentary, with instructions widely posted on these blogs telling people how to send manual pings to the country's servers. But more sophisticated tools soon were used, with botnets flooding Estonian addresses with traffic anywhere from 100 to 1000 times ordinary levels.”
      • <http://blog.wired.com/27bstroke6/2007/08/stonias-lesson-.html>
  • 10. A war zone
    • Phishing, Internet fraud, and identity theft
      • A 2004 study reported that 685,000 Americans had experienced identity theft and collectively lost US$680 million
      • In 2005, Israelis lost US$10 million to similar crimes
    • <http://www.crime-research.org/news/31.10.2006/2325/>
  • 11. A Pacific war zone?
    • The coming battle
      • Oceania (not including Aus and NZ) has 510,890 Internet users out of a population of 9,209,260 or roughly 0.5%
      • While the global Internet user growth rate from 2000 to 2007 is 225%, it is as high as 1,100% in Samoa, 833% in Fiji, and 320% in the Solomon Islands
    • <http://www.internetworldstats.com/stats6.htm>
  • 12. A Pacific war zone?
    • The South Pacific is catching up...
      • All of the bad things about the Internet come along with the good
      • We are in a good position because we only have to glance over the ocean to see exactly what problems have already started coming our way, including which solutions are effective, and which solutions are not worth doing
      • Building information security capacity takes time – we need to start now!
  • 13. A Pacific war zone
    • The time is ripe to create regional infosec organizations, the first of which ought to be a Pacific Computer Emergency Response Team (PacCERT)
      • Coordinate ISP's and other high-tech organization's responses to major security incidents
      • Support under-skilled law enforcement agencies
      • Respond to security incidents and proactively prevent them
    • Regional corporate and governmental cooperation is required to make this happen
  • 14. Part 1 - Infosec?
  • 15. Part 1 - Infosec?
    • What is information security?
      • Outline
        • Definitions
        • Professional organizations
        • Certifications
        • Heros and villains
  • 16. My definition
    • Information security is the art, science, and practice of protecting information systems against willful or accidental harm.
  • 17. ISO definition
    • ISO 17799 [now ISO 27002] defines information as an asset that may exist in many forms and has value to an organization. The goal of information security is to suitably protect this asset in order to ensure business continuity, minimize business damage, and maximize return on investments. As defined by ISO 17799, information security is characterized as the preservation of:
    • Confidentiality – ensuring that information is accessible only to those authorized to have access.
    • Integrity – safeguarding the accuracy and completeness of information and processing methods.
    • Availability – ensuring that authorized users have access to information and associated assets when required.
    • Tom Carlson, Information Security Management, <http://www.netbotz.com/library/ISO_17799.pdf> 2001
  • 18. CIA
    • Confidentiality
      • Information should only be available to its intended reader (possibly a person or software)
    • Integrity
      • Information should only be alterable by those who are permitted to do so
    • Availability
      • Information should be available to those who need it when they need it
  • 19. Risks, threats, and vulns
    • Risk
      • The magnitude of a risk equals the cost of the one time occurrence of a threat multiplied by its estimated frequency of occurrence
      • R = (one time cost) x (frequency)
      • Threats which pose a small cost, such as “I forgot my password”, but occur frequently may pose a significant risk
      • Threats that occur infrequently, such as water damage in the new server room, but have high one time costs may not be significant risks
  • 20. Risks, threats, and vulns
    • Threats
      • Or threat events, are events which may compromise the CIA of your information assets
      • i.e. Theft of equipment or virus infections
    • Vulnerabilities
      • Exploitable weaknesses
      • i.e. Buffer overflows or poorly trained staff
  • 21. Controls
    • Administrative
      • Implemented in policy and procedure
      • i.e. Criminal screening or user awareness programs
    • Logical
      • Implemented in hardware and software
      • i.e. Network firewalls, ACLs, or the principal of least privilege
    • Physical
      • Implemented in real space
      • i.e. Locked doors, security guards, or fire control
  • 22. Controls
    • Preventative
      • Reduce the likelihood of threat events occurring
      • i.e. Firewalls, intrusion prevention, or strong passwords
    • Detection
      • Detecting attempted or successful incidents
      • i.e. Network and host-based IDSes or vigilant users
    • Mitigating
      • Reduces the impact of security incidents
      • i.e. Backups or an incident response team
  • 23. Professional organizations
    • Anti-Virus Information Exchange Network (AVIEN) <http://www.avien.org/>
    • Center for Secure Information Systems (CSIS) <http://www.isse.gmu.edu/~csis/>
    • Computer Security Institute <http://www.gocsi.com/>
    • Computing Technology Industry Association (CompTIA) <http://www.comptia.org/>
    • Information Systems Audit and Control Association (ISACA) <http://www.isaca.org/>
    • Information Systems Security Association, Inc. (ISSA) <http://www.issa.org/>
    • International Association for Computer Systems Security, Inc. (IACSS) <http://www.iacss.com/>
    • International Federation for Information Processing (IFIP) Technical Committee 11 (TC-11) on Security and Protection in Information Systems <http://www.ifip.tu-graz.ac.at/TC11/>
    • International Information Systems Security Certification Consortium (ISC2) <http://www.isc2.org/>
    • National White Collar Crime Center <http://www.nw3c.org/>
    • SANS Institute <http://www.sans.org/>
  • 24. Certifications
    • The big ones:
      • CISSP from (ISC)2 <http://www.isc2.org/>
      • CISA from ISACA <http://www.isaca.org/>
      • CISM from ISACA <http://www.isaca.org/>
      • GIAC certifications from SANS <http://www.giac.org/>
    • Notable vendor certifications:
      • CISCO <http://www.cisco.com/>
      • CheckPoint <http://www.checkpoint.com/services/education>
  • 25. Heros
  • 26. Gaius Julius Caesar (100 BC - 44 BC) Protected military communications with the Caesar Cipher. This cipher works by shifting all of the letters in the alphabet by a given number (the key) to create a garbled message. Example: Caesar cipher with a key of 3 abcdefghijklmnopqrstuvwxyz ^^^^^^^^^^^^^^^^^^^^^^^^^^ cdefghijklmnopqrstuvwxyzab Plaintext: inthe begin ningt herew asdar kness andvo id Ciphertext: kpvjg dgikp pkpiv jgtgy cufct mpguu cpfxq kf
  • 27. Alan Turing (1912 - 1954) An English mathematician and code breaker. Turing was instrumental in breaking German World War II naval codes. He also envisaged a kind of computer known now as a Turing machine in: “On computable numbers, with an application to the Entscheidunsproblem.” 1936. And created the definitive test for artificial intelligence known as the Turing test in: “Computing machinery and intelligence.” 1950. Mind, 59, pp. 433-460.
  • 28. Bruce Schneier (1963 - ) Cryptographer turned author, Schneier is one of the leading voices in both information security in the USA. He is also one of the most significant critics of American homeland security policy. Examples: Applied Cryptography, 1996, John Whiley & Sons http://www.schneier.com/blog/
  • 29. Whitfield Diffie (1944 - ) and Martin Hellman (1945 - ) Cryptologists and inventors of the Diffie-Hellman key exchange algorythm in 1976. The DH algorithm provided a radical new way for two parties to exchange secrets. The DH algorithm and its derivatives are the cornerstones of many public key encryption protocols in use today.
  • 30. Villains? <http://www.neatorama.com/2006/08/28/a-short-history-of-hacking> Robert Morris Wrote the first worm in 1988 Kevin Mitnick Arrested in 1995 and now a consultant Kevin Paulson (aka Dark Dante) Arrested in 1991 and now Senior Editor at Wired Jon Johansen (aka DVD Jon) wrote DeCSS at the age of 15 David Smith Wrote the Melissa virus in 1999 which caused US$500 million in damages R2-D2 Repeated violations of Imperial systems John Draper (aka Cap'n Crunch) Phone phreak 1972
  • 31. Part 2 - knowledge
  • 32. Part 2 - knowledge
    • What an information security, or infosec , team needs to know
      • Outline
        • Infosec domains
        • Infosec team critical success factors
  • 33. Domain 1 – access control
    • Access control may be applied at the network level, host level, application level, or even for individual functions or data elements
    • Access control has two components
      • Identity management
        • Ensuring that users are who they say they are
        • Identity management systems use up to three factors to identify users
          • Something you know: passwords or phrases
          • Something you have: a card, RFID tag, or other device
          • Something you are (biometrics): finger prints, retina patterns, etc.
  • 34. Domain 1 – access control
      • Authorization
        • Authorization is the mechanism that determines what a user is allowed to do or see in a system
        • Often this takes the form of an access control list (ACL) which lists what actions a user or group of users is permitted to take against which system objects
  • 35. Domain 2 – application sec.
      • Security considerations should play a prominent role in all phases of the application development life cycle
      • All user input should be cleaned and validated before processing
      • Security testing is not the same as functional testing
      • Web application require testing against known web app. vulnerabilities
      • Applications that handle sensitive information should require security certification before going live and recertification after major upgrades
  • 36. Domain 3 – bc and drp
    • Business continuity planning
      • Planning to ensure that critical business processes are resilient to change and attack
        • Understand your organization's risk tolerance
        • Define what a critical business process is for your organization
        • Identify which business processes are critical
        • Identify potential threats
        • Develop strategies that minimize interruptions critical process due to known (or likely) threats
  • 37. Domain 3 – bc and drp
    • Disaster Recovery Planning
      • Developing and testing procedures that will allow critical systems to recover from severe change or attack
        • Ideally, complete the BCP first
        • Identify information systems that are required to support critical business processes
        • Develop plans to minimize down-time if an environmental change or attack destroys the system hardware and/or software
        • Strategies include co-location, hot and cold stand-byes, etc.
  • 38. Domain 4 - cryptography
    • Two methods of sending secret messages
      • Hiding the message: stenography
      • Jumbling the message so that it is mathematically difficult to un-jumble: cryptography
    • Cryptography can provide other functions
      • Verifiable message integrity
      • Key exchange
      • Non-repudiation
      • Source/destination validation
      • Secure time-stamping
  • 39. Domain 4 - cryptography
    • Ciphers
      • Symmetric
        • Summetric ciphers use one key to encrypt and decrypt
        • This creates a problem of key management – how to securely get the key to everyone who needs it without compromising it
        • i.e. DES, 3DES, twofish, blowfish, and AES
      • Asymmetric
        • Assymetric ciphers use a pair of keys for calculation – one is kept private and the other is shared publically
        • Assymetric ciphers require large keys and are computationally intensive
        • i.e. RSA and El Gamal
  • 40. Domain 4 - cryptography
    • Digests
      • Also known as checksums or cryptographic hashes
      • A kind of one-way function
      • They do not have a key
      • They generate a fixed length output from variable length input
      • The input cannot be reconstructed from the output
      • Useful in establishing message integrity
  • 41. Domain 4 - cryptography
    • Protocols
      • Cryptographic protocols define a processing sequence using one or more ciphers to perform a secure transaction
      • i.e. SSL/TLS, ssh, and SKIP
      • SSL v2, SSL v3, and TLS 1
        • Secures US$ billions of Internet transactions
        • Can encrypt TCP communications (i.e. HTTP -> HTTPS)
        • Provides confidentiality without previous key exchange
        • Provides end-point validation with signed certificates
  • 42. Domain 5 – risk management
    • We defined risks and threats in Part 1
    • Risk management is central to infosec management as it provides a rationale for allocating limited resources
    • i.e. If a risk assessment reveals that a company stands to lose US$10,000 annually due to malware, there is a strong business case to invest in a US$20,000 antivirus infrastructure.
  • 43. Domain 5 – risk management
    • Q: How do I do a risk assessment?
    • A: Unfortunately, that topic requires an entire workshop to itself.
      • Identify information assets and their value or sensitivity
      • Identify potential threats
      • For each asset, estimate the damage caused by a one-time occurrence of each threat
      • For each asset-threat pair, estimate the frequency of occurrence to arrive at an estimate of risk
  • 44. Domain 6 – law, ethics, etc
    • Infosec professionals need to be familiar with intellectual property law, privacy law, and computer crime law in their jurisdiction
    • In the South Pacific, several countries lack all three!
    • Many infosec certifications require that certification holders submit to a code of ethics
    • Typically, these codes forbid scanning, attacking, sniffing, testing, etc. without first obtaining informed consent from the target.
  • 45. Domain 7 – operations sec
    • Security operations include
      • Information classification
      • Security testing on an ongoing basis and with major system changes
      • Incident response and prevention
      • Monitoring logs
        • Network IDS, host IDS, firewall, VPN, and others
      • Liaising with ICT managers and practitioners
      • Reviewing infosec information from outside sources
        • i.e. Full disclosure list, bugtrac list, Internet Storm Center, national and regional CERTs (we need a PacCERT!)
  • 46. Domain 7 – operations sec
    • One of the most important and commonly overlooked activities is an infosec awareness program
      • Staff that understand the reasons behind security policies are less likely to circumvent them
      • Trained staff are more likely to notice suspicious activity
      • Infosec is complicated and constantly changing – people need regular reminders
  • 47. Domain 8 – physical sec
    • Rule #1: if an attacker can gain physical access to your hardware, it is only a matter of time before they gain complete control
    • The design and equipping of server rooms and data centers is well understood. Consult an expert if you are putting one together.
    • Network equipment, including “wiring closets”, personal computers, and mobile devices are too often ignored
  • 48. Domain 8 – physical sec
    • Principles
      • Off site backups!
      • Allow only trusted individuals access
      • Allow access only on a need-to-access basis
      • Protect against environmental changes
        • Loss of power
        • High temperature
        • Moisture
        • Fire
  • 49. Domain 9 – sec architecture
    • Security architecture is the ongoing process of planning security infrastructure and activities across an entire organization
      • Responsible for enterprise wide security policies
        • i.e. Information classification, acceptable use, and roles
      • Setting security technology standards
        • i.e. Standards for hardening critical servers, brand of firewall to be used at all branch offices, password policies, and high-level network design
      • Planning enterprise-wide security technologies
        • i.e. Single sign-on (SSO), IDS sensor deployment across a large network, and VPN infrastructure for teleworkers
  • 50. Domain 10 – t/c and network
    • Telecommunications and network security
      • Requires advanced knowledge of communications protocols and technologies
        • OSI network model
        • TCP/IP networking including ARP, UDP, and ICMP
      • Perimeter security
      • Encrypted communications channels
      • Network intrusion detection and prevention
      • Telephone security
      • Traffic control – firewall rules and routing tables
  • 51. Infosec team success
    • In addtion to knowledge of the 10 domains, a successful infosec team requires,
    • a clear mandate,
    • the right number of staff,
    • the right policies and procedures,
    • the right tools, and
    • support from management
  • 52. Part 3 - incidents
  • 53. Part 3 - incidents
    • Security incidents
      • Outline
        • Anatomy of a hacker attack
        • Other common incidents
        • Incident response fundamentals
  • 54. Anatomy of an attack
    • Step 1 – gather information (mostly passive)
    • Step 2 – find vulnerabilities (mostly active)
    • Step 3 – exploit vulnerabilities
    • Step 4 – conceal activity (cover your tracks)
  • 55. Anatomy of an attack
    • Step 1 – gather information (mostly passive)
      • Attacker's activities
        • whois on target address
        • Surf target website
        • Google target <http://johnny.ihackstuff.com/ >
      • Detection
        • Very difficult as this is all normal activity
  • 56. Anatomy of an attack
    • Step 2 – find vulnerabilities (mostly active)
      • Attacker's activities
        • Port scans with tools such as nmap
        • Sniffing with tools such as Wireshark or Ettercap
        • Vulnerability scanning with tools such as Nessus
      • Detection
        • Intrusion detection systems (IDS) such as snort can detect many port scans and vulnerability scans
        • Passive sniffing is hard to detect. There are tools such as Ettercap that can identify NICs in promiscuous mode.
        • ARP cache poisoning and other attacks that facilitate sniffing on switched networks can also be detected by some IDSes, firewalls, switches, and other tools
  • 57. Anatomy of an attack
    • Step 3 – exploit vulnerabilities
      • Attacker's activities
        • Attack software weaknesses with exploit code. The metasploit framework is a toolkit for developing exploits.
        • Attack passwords
      • Detection
        • IDSes can detect many application attacks as well as large volumes of login attempts
        • Some applications will log failed login attempts
        • Host-based intrusion detection tools such as tripwire and logwatch can detect some suspicious activities
  • 58. Anatomy of an attack
    • Step 4 – conceal activity
      • Attacker activities
        • Edit suspicious activities out of system logs
        • Install backdoors or rootkits to facilitate future concealed access to the target
      • Detection
        • Host-based intrusion detection tools can detect some of these activities
        • Virus scanners and rootkit checkers can sometimes find rootkits – but not always!
  • 59. Other common incidents
    • Most security incidents do not involve a classic “hack”
    • Some common incidents
      • Malware infection: virus, trojan, worm, spyware, etc.
      • Insider attack
      • DoS
      • Lost or stolen passwords
      • Web application attacks: css, sql injection, etc.
      • Social engineering
  • 60. Incident response basics
      • Have an Incident Response Team with well defined roles before an incident happens
      • Have written procedures for incident handling
      • Have clear lines of communication
        • Who decides whether it is bad enough to phone the police?
        • Which managers need to be informed?
      • Decide when and how you will quarantine potentially compromised equipment
        • Who decides when it is better to be offline than insecure?
  • 61. Part 4 - tools
  • 62. Part 4 - tools
    • Top 10 free infosec tools
      • Wireshark (windows, linux/unix)
      • nmap (windows, linux/unix)
      • Nessus (windows, linux/unix)
      • Snort (windows, linux/unix)
      • Clam AV (windows, linux/unix)
      • Tor (windows, linux/unix)
      • ssh (windows, linux/unix)
      • John the ripper (windows, linux/unix)
      • Ettercap (windows, but best on linux/unix)
      • Cain and Abel (windows)
  • 63. Thank you for your time. Make good choices. Chris Hammond-Thrasher MLIS, CISSP USP Library Systems Manager / Blogger [email_address] [email_address] [email_address] http://dfiji.blogspot.com/
  • 64. Photo credits
    • All photos used in this presentation are available under a Creative Commons license
    • Credits
      • Camera http://www.flickr.com/photos/bhikku/
      • Keys http://www.flickr.com/photos/kk/
      • Superheros http://www.flickr.com/photos/jcroft/
      • Schneier http://www.flickr.com/photos/quinnums
      • Diffie/Hellman http://www.flickr.com/photos/dfarber
      • R2-D2 http://www.flickr.com/photos/revlimit/
      • Foil hat http://www.flickr.com/photos/nicmcphee
      • Incident http://www.flickr.com/photos/mjb
      • Palm pilot http://www.flickr.com/photos/splorp
      • Gateway http://www.flickr.com/photos/cromaducale