PacINET 2007 Information Security Workshop August 21, 2007

Information Security Workshop

August 21, 2007

Presenter Chris Hammond-Thrasher 10 years of ICT consulting in Canada Was a Senior Management Consultant in Security, Privacy, and Technical Risk for Fujitsu Consulting Canada MLIS (I am a librarian) CISSP (I am a security manager) Currently USP Library Systems Manager Author of the Digital Fiji blog <http://dfiji.blogspot.com/>

Chris Hammond-Thrasher

10 years of ICT consulting in Canada

Was a Senior Management Consultant in Security, Privacy, and Technical Risk for Fujitsu Consulting Canada

MLIS (I am a librarian)

CISSP (I am a security manager)

Currently USP Library Systems Manager

Author of the Digital Fiji blog <http://dfiji.blogspot.com/>

Agenda Part 0: Why are we here? Part 1: Information security? Part 2: What an information security team needs to know Part 3: Security incidents Part 4: Top ten infosec tools

Part 0: Why are we here?

Part 1: Information security?

Part 2: What an information security team needs to know

Part 3: Security incidents

Part 4: Top ten infosec tools

Goals To show participants the scope of the field of information security management To demonstrate that there is an ethical responsibility that goes along with information security skills (aka h4X0r 5k1775) To entice participants to lobby their employers, educational institutions, and professional organizations to provide them with more infosec training and certification opportunities To establish a need for regional infosec cooperation – we need a PacCERT!

To show participants the scope of the field of information security management

To demonstrate that there is an ethical responsibility that goes along with information security skills (aka h4X0r 5k1775)

To entice participants to lobby their employers, educational institutions, and professional organizations to provide them with more infosec training and certification opportunities

To establish a need for regional infosec cooperation – we need a PacCERT!

Part 0 – Why are we here?

A war zone Leading up to the 1991 invasion of Iraq The American NSA disabled Iraqi air defense computers with virus laden printers sold to Iraq through Jordanians <Dorithy Denning, Information Warfare and Security. Addison-Wesley: Boston. 1999.>

Leading up to the 1991 invasion of Iraq

The American NSA disabled Iraqi air defense computers with virus laden printers sold to Iraq through Jordanians

<Dorithy Denning, Information Warfare and Security. Addison-Wesley: Boston. 1999.>

A war zone The cost of cybercrime A 2005 FBI study found that 90% of US companies suffered security incidents Cybercrime cost US companies an average of US$24,000 last year The total cost of cybercrime in the US, in 2005 alone, was over US$400 billion <http://www.uneca.org/e-trade/Presentations/ Network%20Security%20and%20Applications%20-%20Global%20Perspective%20-%20Michael%20Bitz.ppt>

The cost of cybercrime

A 2005 FBI study found that 90% of US companies suffered security incidents

Cybercrime cost US companies an average of US$24,000 last year

The total cost of cybercrime in the US, in 2005 alone, was over US$400 billion

<http://www.uneca.org/e-trade/Presentations/ Network%20Security%20and%20Applications%20-%20Global%20Perspective%20-%20Michael%20Bitz.ppt>

A war zone Human rights, China, and Yahoo “The House Foreign Affairs Committee has ordered an investigation into Yahoo’s role in the prosecution of Shi Tao, a journalist and Yahoo Mail user, who was arrested in 2004 by Chinese officials after Yahoo cooperated with their request for information. The committee’s interest in the matter was sparked by new documents that suggest Yahoo gave information to Chinese authorities knowing that it could lead to the reporter’s arrest.” <http://digitaldaily.allthingsd.com/20070808/yahoo-china/>

Human rights, China, and Yahoo

“The House Foreign Affairs Committee has ordered an investigation into Yahoo’s role in the prosecution of Shi Tao, a journalist and Yahoo Mail user, who was arrested in 2004 by Chinese officials after Yahoo cooperated with their request for information. The committee’s interest in the matter was sparked by new documents that suggest Yahoo gave information to Chinese authorities knowing that it could lead to the reporter’s arrest.”

<http://digitaldaily.allthingsd.com/20070808/yahoo-china/>

A war zone 2007 Estonian cyber attack “ The May events followed the Estonian [pop. 1.3 million] decision to dismantle and move a symbolically significant Russian war memorial... Many of the early attacks that subsequently overwhelmed Estonia's Web servers, banks, and government email systems were rudimentary, with instructions widely posted on these blogs telling people how to send manual pings to the country's servers. But more sophisticated tools soon were used, with botnets flooding Estonian addresses with traffic anywhere from 100 to 1000 times ordinary levels.” <http://blog.wired.com/27bstroke6/2007/08/stonias-lesson-.html>

2007 Estonian cyber attack

“ The May events followed the Estonian [pop. 1.3 million] decision to dismantle and move a symbolically significant Russian war memorial... Many of the early attacks that subsequently overwhelmed Estonia's Web servers, banks, and government email systems were rudimentary, with instructions widely posted on these blogs telling people how to send manual pings to the country's servers. But more sophisticated tools soon were used, with botnets flooding Estonian addresses with traffic anywhere from 100 to 1000 times ordinary levels.”

<http://blog.wired.com/27bstroke6/2007/08/stonias-lesson-.html>

A war zone Phishing, Internet fraud, and identity theft A 2004 study reported that 685,000 Americans had experienced identity theft and collectively lost US$680 million In 2005, Israelis lost US$10 million to similar crimes <http://www.crime-research.org/news/31.10.2006/2325/>

Phishing, Internet fraud, and identity theft

A 2004 study reported that 685,000 Americans had experienced identity theft and collectively lost US$680 million

In 2005, Israelis lost US$10 million to similar crimes

<http://www.crime-research.org/news/31.10.2006/2325/>

A Pacific war zone? The coming battle Oceania (not including Aus and NZ) has 510,890 Internet users out of a population of 9,209,260 or roughly 0.5% While the global Internet user growth rate from 2000 to 2007 is 225%, it is as high as 1,100% in Samoa, 833% in Fiji, and 320% in the Solomon Islands <http://www.internetworldstats.com/stats6.htm>

The coming battle

Oceania (not including Aus and NZ) has 510,890 Internet users out of a population of 9,209,260 or roughly 0.5%

While the global Internet user growth rate from 2000 to 2007 is 225%, it is as high as 1,100% in Samoa, 833% in Fiji, and 320% in the Solomon Islands

<http://www.internetworldstats.com/stats6.htm>

A Pacific war zone? The South Pacific is catching up... All of the bad things about the Internet come along with the good We are in a good position because we only have to glance over the ocean to see exactly what problems have already started coming our way, including which solutions are effective, and which solutions are not worth doing Building information security capacity takes time – we need to start now!

The South Pacific is catching up...

All of the bad things about the Internet come along with the good

We are in a good position because we only have to glance over the ocean to see exactly what problems have already started coming our way, including which solutions are effective, and which solutions are not worth doing

Building information security capacity takes time – we need to start now!

A Pacific war zone The time is ripe to create regional infosec organizations, the first of which ought to be a Pacific Computer Emergency Response Team (PacCERT) Coordinate ISP's and other high-tech organization's responses to major security incidents Support under-skilled law enforcement agencies Respond to security incidents and proactively prevent them Regional corporate and governmental cooperation is required to make this happen

The time is ripe to create regional infosec organizations, the first of which ought to be a Pacific Computer Emergency Response Team (PacCERT)

Coordinate ISP's and other high-tech organization's responses to major security incidents

Support under-skilled law enforcement agencies

Respond to security incidents and proactively prevent them

Regional corporate and governmental cooperation is required to make this happen

Part 1 - Infosec?

Part 1 - Infosec? What is information security? Outline Definitions Professional organizations Certifications Heros and villains

What is information security?

Outline

Definitions

Professional organizations

Certifications

Heros and villains

My definition Information security is the art, science, and practice of protecting information systems against willful or accidental harm.

Information security is the art, science, and practice of protecting information systems against willful or accidental harm.

ISO definition ISO 17799 [now ISO 27002] defines information as an asset that may exist in many forms and has value to an organization. The goal of information security is to suitably protect this asset in order to ensure business continuity, minimize business damage, and maximize return on investments. As defined by ISO 17799, information security is characterized as the preservation of: Confidentiality – ensuring that information is accessible only to those authorized to have access. Integrity – safeguarding the accuracy and completeness of information and processing methods. Availability – ensuring that authorized users have access to information and associated assets when required. Tom Carlson, Information Security Management, <http://www.netbotz.com/library/ISO_17799.pdf> 2001

ISO 17799 [now ISO 27002] defines information as an asset that may exist in many forms and has value to an organization. The goal of information security is to suitably protect this asset in order to ensure business continuity, minimize business damage, and maximize return on investments. As defined by ISO 17799, information security is characterized as the preservation of:

Confidentiality – ensuring that information is accessible only to those authorized to have access.

Integrity – safeguarding the accuracy and completeness of information and processing methods.

Availability – ensuring that authorized users have access to information and associated assets when required.

Tom Carlson, Information Security Management, <http://www.netbotz.com/library/ISO_17799.pdf> 2001

CIA Confidentiality Information should only be available to its intended reader (possibly a person or software) Integrity Information should only be alterable by those who are permitted to do so Availability Information should be available to those who need it when they need it

Confidentiality

Information should only be available to its intended reader (possibly a person or software)

Integrity

Information should only be alterable by those who are permitted to do so

Availability

Information should be available to those who need it when they need it

Risks, threats, and vulns Risk The magnitude of a risk equals the cost of the one time occurrence of a threat multiplied by its estimated frequency of occurrence R = (one time cost) x (frequency) Threats which pose a small cost, such as “I forgot my password”, but occur frequently may pose a significant risk Threats that occur infrequently, such as water damage in the new server room, but have high one time costs may not be significant risks

Risk

The magnitude of a risk equals the cost of the one time occurrence of a threat multiplied by its estimated frequency of occurrence

R = (one time cost) x (frequency)

Threats which pose a small cost, such as “I forgot my password”, but occur frequently may pose a significant risk

Threats that occur infrequently, such as water damage in the new server room, but have high one time costs may not be significant risks

Risks, threats, and vulns Threats Or threat events, are events which may compromise the CIA of your information assets i.e. Theft of equipment or virus infections Vulnerabilities Exploitable weaknesses i.e. Buffer overflows or poorly trained staff

Threats

Or threat events, are events which may compromise the CIA of your information assets

i.e. Theft of equipment or virus infections

Vulnerabilities

Exploitable weaknesses

i.e. Buffer overflows or poorly trained staff

Controls Administrative Implemented in policy and procedure i.e. Criminal screening or user awareness programs Logical Implemented in hardware and software i.e. Network firewalls, ACLs, or the principal of least privilege Physical Implemented in real space i.e. Locked doors, security guards, or fire control

Administrative

Implemented in policy and procedure

i.e. Criminal screening or user awareness programs

Logical

Implemented in hardware and software

i.e. Network firewalls, ACLs, or the principal of least privilege

Physical

Implemented in real space

i.e. Locked doors, security guards, or fire control

Controls Preventative Reduce the likelihood of threat events occurring i.e. Firewalls, intrusion prevention, or strong passwords Detection Detecting attempted or successful incidents i.e. Network and host-based IDSes or vigilant users Mitigating Reduces the impact of security incidents i.e. Backups or an incident response team

Preventative

Reduce the likelihood of threat events occurring

i.e. Firewalls, intrusion prevention, or strong passwords

Detection

Detecting attempted or successful incidents

i.e. Network and host-based IDSes or vigilant users

Mitigating

Reduces the impact of security incidents

i.e. Backups or an incident response team

Professional organizations Anti-Virus Information Exchange Network (AVIEN) <http://www.avien.org/> Center for Secure Information Systems (CSIS) <http://www.isse.gmu.edu/~csis/> Computer Security Institute <http://www.gocsi.com/> Computing Technology Industry Association (CompTIA) <http://www.comptia.org/> Information Systems Audit and Control Association (ISACA) <http://www.isaca.org/> Information Systems Security Association, Inc. (ISSA) <http://www.issa.org/> International Association for Computer Systems Security, Inc. (IACSS) <http://www.iacss.com/> International Federation for Information Processing (IFIP) Technical Committee 11 (TC-11) on Security and Protection in Information Systems <http://www.ifip.tu-graz.ac.at/TC11/> International Information Systems Security Certification Consortium (ISC2) <http://www.isc2.org/> National White Collar Crime Center <http://www.nw3c.org/> SANS Institute <http://www.sans.org/>

Anti-Virus Information Exchange Network (AVIEN) <http://www.avien.org/>

Center for Secure Information Systems (CSIS) <http://www.isse.gmu.edu/~csis/>

Computer Security Institute <http://www.gocsi.com/>

Computing Technology Industry Association (CompTIA) <http://www.comptia.org/>

Information Systems Audit and Control Association (ISACA) <http://www.isaca.org/>

Information Systems Security Association, Inc. (ISSA) <http://www.issa.org/>

International Association for Computer Systems Security, Inc. (IACSS) <http://www.iacss.com/>

International Federation for Information Processing (IFIP) Technical Committee 11 (TC-11) on Security and Protection in Information Systems <http://www.ifip.tu-graz.ac.at/TC11/>

International Information Systems Security Certification Consortium (ISC2) <http://www.isc2.org/>

National White Collar Crime Center <http://www.nw3c.org/>

SANS Institute <http://www.sans.org/>

Certifications The big ones: CISSP from (ISC)2 <http://www.isc2.org/> CISA from ISACA <http://www.isaca.org/> CISM from ISACA <http://www.isaca.org/> GIAC certifications from SANS <http://www.giac.org/> Notable vendor certifications: CISCO <http://www.cisco.com/> CheckPoint <http://www.checkpoint.com/services/education>

The big ones:

CISSP from (ISC)2 <http://www.isc2.org/>

CISA from ISACA <http://www.isaca.org/>

CISM from ISACA <http://www.isaca.org/>

GIAC certifications from SANS <http://www.giac.org/>

Notable vendor certifications:

CISCO <http://www.cisco.com/>

CheckPoint <http://www.checkpoint.com/services/education>

Heros

Gaius Julius Caesar (100 BC - 44 BC) Protected military communications with the Caesar Cipher. This cipher works by shifting all of the letters in the alphabet by a given number (the key) to create a garbled message. Example: Caesar cipher with a key of 3 abcdefghijklmnopqrstuvwxyz ^^^^^^^^^^^^^^^^^^^^^^^^^^ cdefghijklmnopqrstuvwxyzab Plaintext: inthe begin ningt herew asdar kness andvo id Ciphertext: kpvjg dgikp pkpiv jgtgy cufct mpguu cpfxq kf

Alan Turing (1912 - 1954) An English mathematician and code breaker. Turing was instrumental in breaking German World War II naval codes. He also envisaged a kind of computer known now as a Turing machine in: “On computable numbers, with an application to the Entscheidunsproblem.” 1936. And created the definitive test for artificial intelligence known as the Turing test in: “Computing machinery and intelligence.” 1950. Mind, 59, pp. 433-460.

Bruce Schneier (1963 - ) Cryptographer turned author, Schneier is one of the leading voices in both information security in the USA. He is also one of the most significant critics of American homeland security policy. Examples: Applied Cryptography, 1996, John Whiley & Sons http://www.schneier.com/blog/

Whitfield Diffie (1944 - ) and Martin Hellman (1945 - ) Cryptologists and inventors of the Diffie-Hellman key exchange algorythm in 1976. The DH algorithm provided a radical new way for two parties to exchange secrets. The DH algorithm and its derivatives are the cornerstones of many public key encryption protocols in use today.

Villains? <http://www.neatorama.com/2006/08/28/a-short-history-of-hacking> Robert Morris Wrote the first worm in 1988 Kevin Mitnick Arrested in 1995 and now a consultant Kevin Paulson (aka Dark Dante) Arrested in 1991 and now Senior Editor at Wired Jon Johansen (aka DVD Jon) wrote DeCSS at the age of 15 David Smith Wrote the Melissa virus in 1999 which caused US$500 million in damages R2-D2 Repeated violations of Imperial systems John Draper (aka Cap'n Crunch) Phone phreak 1972

Part 2 - knowledge

Part 2 - knowledge What an information security, or infosec , team needs to know Outline Infosec domains Infosec team critical success factors

What an information security, or infosec , team needs to know

Outline

Infosec domains

Infosec team critical success factors

Domain 1 – access control Access control may be applied at the network level, host level, application level, or even for individual functions or data elements Access control has two components Identity management Ensuring that users are who they say they are Identity management systems use up to three factors to identify users Something you know: passwords or phrases Something you have: a card, RFID tag, or other device Something you are (biometrics): finger prints, retina patterns, etc.

Access control may be applied at the network level, host level, application level, or even for individual functions or data elements

Access control has two components

Identity management

Ensuring that users are who they say they are

Identity management systems use up to three factors to identify users

Something you know: passwords or phrases

Something you have: a card, RFID tag, or other device

Something you are (biometrics): finger prints, retina patterns, etc.

Domain 1 – access control Authorization Authorization is the mechanism that determines what a user is allowed to do or see in a system Often this takes the form of an access control list (ACL) which lists what actions a user or group of users is permitted to take against which system objects

Authorization

Authorization is the mechanism that determines what a user is allowed to do or see in a system

Often this takes the form of an access control list (ACL) which lists what actions a user or group of users is permitted to take against which system objects

Domain 2 – application sec. Security considerations should play a prominent role in all phases of the application development life cycle All user input should be cleaned and validated before processing Security testing is not the same as functional testing Web application require testing against known web app. vulnerabilities Applications that handle sensitive information should require security certification before going live and recertification after major upgrades

Security considerations should play a prominent role in all phases of the application development life cycle

All user input should be cleaned and validated before processing

Security testing is not the same as functional testing

Web application require testing against known web app. vulnerabilities

Applications that handle sensitive information should require security certification before going live and recertification after major upgrades

Domain 3 – bc and drp Business continuity planning Planning to ensure that critical business processes are resilient to change and attack Understand your organization's risk tolerance Define what a critical business process is for your organization Identify which business processes are critical Identify potential threats Develop strategies that minimize interruptions critical process due to known (or likely) threats

Business continuity planning

Planning to ensure that critical business processes are resilient to change and attack

Understand your organization's risk tolerance

Define what a critical business process is for your organization

Identify which business processes are critical

Identify potential threats

Develop strategies that minimize interruptions critical process due to known (or likely) threats

Domain 3 – bc and drp Disaster Recovery Planning Developing and testing procedures that will allow critical systems to recover from severe change or attack Ideally, complete the BCP first Identify information systems that are required to support critical business processes Develop plans to minimize down-time if an environmental change or attack destroys the system hardware and/or software Strategies include co-location, hot and cold stand-byes, etc.

Disaster Recovery Planning

Developing and testing procedures that will allow critical systems to recover from severe change or attack

Ideally, complete the BCP first

Identify information systems that are required to support critical business processes

Develop plans to minimize down-time if an environmental change or attack destroys the system hardware and/or software

Strategies include co-location, hot and cold stand-byes, etc.

Domain 4 - cryptography Two methods of sending secret messages Hiding the message: stenography Jumbling the message so that it is mathematically difficult to un-jumble: cryptography Cryptography can provide other functions Verifiable message integrity Key exchange Non-repudiation Source/destination validation Secure time-stamping

Two methods of sending secret messages

Hiding the message: stenography

Jumbling the message so that it is mathematically difficult to un-jumble: cryptography

Cryptography can provide other functions

Verifiable message integrity

Key exchange

Non-repudiation

Source/destination validation

Secure time-stamping

Domain 4 - cryptography Ciphers Symmetric Summetric ciphers use one key to encrypt and decrypt This creates a problem of key management – how to securely get the key to everyone who needs it without compromising it i.e. DES, 3DES, twofish, blowfish, and AES Asymmetric Assymetric ciphers use a pair of keys for calculation – one is kept private and the other is shared publically Assymetric ciphers require large keys and are computationally intensive i.e. RSA and El Gamal

Ciphers

Symmetric

Summetric ciphers use one key to encrypt and decrypt

This creates a problem of key management – how to securely get the key to everyone who needs it without compromising it

i.e. DES, 3DES, twofish, blowfish, and AES

Asymmetric

Assymetric ciphers use a pair of keys for calculation – one is kept private and the other is shared publically

Assymetric ciphers require large keys and are computationally intensive

i.e. RSA and El Gamal

Domain 4 - cryptography Digests Also known as checksums or cryptographic hashes A kind of one-way function They do not have a key They generate a fixed length output from variable length input The input cannot be reconstructed from the output Useful in establishing message integrity

Digests

Also known as checksums or cryptographic hashes

A kind of one-way function

They do not have a key

They generate a fixed length output from variable length input

The input cannot be reconstructed from the output

Useful in establishing message integrity

Domain 4 - cryptography Protocols Cryptographic protocols define a processing sequence using one or more ciphers to perform a secure transaction i.e. SSL/TLS, ssh, and SKIP SSL v2, SSL v3, and TLS 1 Secures US$ billions of Internet transactions Can encrypt TCP communications (i.e. HTTP -> HTTPS) Provides confidentiality without previous key exchange Provides end-point validation with signed certificates

Protocols

Cryptographic protocols define a processing sequence using one or more ciphers to perform a secure transaction

i.e. SSL/TLS, ssh, and SKIP

SSL v2, SSL v3, and TLS 1

Secures US$ billions of Internet transactions

Can encrypt TCP communications (i.e. HTTP -> HTTPS)

Provides confidentiality without previous key exchange

Provides end-point validation with signed certificates

Domain 5 – risk management We defined risks and threats in Part 1 Risk management is central to infosec management as it provides a rationale for allocating limited resources i.e. If a risk assessment reveals that a company stands to lose US$10,000 annually due to malware, there is a strong business case to invest in a US$20,000 antivirus infrastructure.

We defined risks and threats in Part 1

Risk management is central to infosec management as it provides a rationale for allocating limited resources

i.e. If a risk assessment reveals that a company stands to lose US$10,000 annually due to malware, there is a strong business case to invest in a US$20,000 antivirus infrastructure.

Domain 5 – risk management Q: How do I do a risk assessment? A: Unfortunately, that topic requires an entire workshop to itself. Identify information assets and their value or sensitivity Identify potential threats For each asset, estimate the damage caused by a one-time occurrence of each threat For each asset-threat pair, estimate the frequency of occurrence to arrive at an estimate of risk

Q: How do I do a risk assessment?

A: Unfortunately, that topic requires an entire workshop to itself.

Identify information assets and their value or sensitivity

Identify potential threats

For each asset, estimate the damage caused by a one-time occurrence of each threat

For each asset-threat pair, estimate the frequency of occurrence to arrive at an estimate of risk

Domain 6 – law, ethics, etc Infosec professionals need to be familiar with intellectual property law, privacy law, and computer crime law in their jurisdiction In the South Pacific, several countries lack all three! Many infosec certifications require that certification holders submit to a code of ethics Typically, these codes forbid scanning, attacking, sniffing, testing, etc. without first obtaining informed consent from the target.

Infosec professionals need to be familiar with intellectual property law, privacy law, and computer crime law in their jurisdiction

In the South Pacific, several countries lack all three!

Many infosec certifications require that certification holders submit to a code of ethics

Typically, these codes forbid scanning, attacking, sniffing, testing, etc. without first obtaining informed consent from the target.

Domain 7 – operations sec Security operations include Information classification Security testing on an ongoing basis and with major system changes Incident response and prevention Monitoring logs Network IDS, host IDS, firewall, VPN, and others Liaising with ICT managers and practitioners Reviewing infosec information from outside sources i.e. Full disclosure list, bugtrac list, Internet Storm Center, national and regional CERTs (we need a PacCERT!)

Security operations include

Information classification

Security testing on an ongoing basis and with major system changes

Incident response and prevention

Monitoring logs

Network IDS, host IDS, firewall, VPN, and others

Liaising with ICT managers and practitioners

Reviewing infosec information from outside sources

i.e. Full disclosure list, bugtrac list, Internet Storm Center, national and regional CERTs (we need a PacCERT!)

Domain 7 – operations sec One of the most important and commonly overlooked activities is an infosec awareness program Staff that understand the reasons behind security policies are less likely to circumvent them Trained staff are more likely to notice suspicious activity Infosec is complicated and constantly changing – people need regular reminders

One of the most important and commonly overlooked activities is an infosec awareness program

Staff that understand the reasons behind security policies are less likely to circumvent them

Trained staff are more likely to notice suspicious activity

Infosec is complicated and constantly changing – people need regular reminders

Domain 8 – physical sec Rule #1: if an attacker can gain physical access to your hardware, it is only a matter of time before they gain complete control The design and equipping of server rooms and data centers is well understood. Consult an expert if you are putting one together. Network equipment, including “wiring closets”, personal computers, and mobile devices are too often ignored

Rule #1: if an attacker can gain physical access to your hardware, it is only a matter of time before they gain complete control

The design and equipping of server rooms and data centers is well understood. Consult an expert if you are putting one together.

Network equipment, including “wiring closets”, personal computers, and mobile devices are too often ignored

Domain 8 – physical sec Principles Off site backups! Allow only trusted individuals access Allow access only on a need-to-access basis Protect against environmental changes Loss of power High temperature Moisture Fire

Principles

Off site backups!

Allow only trusted individuals access

Allow access only on a need-to-access basis

Protect against environmental changes

Loss of power

High temperature

Moisture

Fire

Domain 9 – sec architecture Security architecture is the ongoing process of planning security infrastructure and activities across an entire organization Responsible for enterprise wide security policies i.e. Information classification, acceptable use, and roles Setting security technology standards i.e. Standards for hardening critical servers, brand of firewall to be used at all branch offices, password policies, and high-level network design Planning enterprise-wide security technologies i.e. Single sign-on (SSO), IDS sensor deployment across a large network, and VPN infrastructure for teleworkers

Security architecture is the ongoing process of planning security infrastructure and activities across an entire organization

Responsible for enterprise wide security policies

i.e. Information classification, acceptable use, and roles

Setting security technology standards

i.e. Standards for hardening critical servers, brand of firewall to be used at all branch offices, password policies, and high-level network design

Planning enterprise-wide security technologies

i.e. Single sign-on (SSO), IDS sensor deployment across a large network, and VPN infrastructure for teleworkers

Domain 10 – t/c and network Telecommunications and network security Requires advanced knowledge of communications protocols and technologies OSI network model TCP/IP networking including ARP, UDP, and ICMP Perimeter security Encrypted communications channels Network intrusion detection and prevention Telephone security Traffic control – firewall rules and routing tables

Telecommunications and network security

Requires advanced knowledge of communications protocols and technologies

OSI network model

TCP/IP networking including ARP, UDP, and ICMP

Perimeter security

Encrypted communications channels

Network intrusion detection and prevention

Telephone security

Traffic control – firewall rules and routing tables

Infosec team success In addtion to knowledge of the 10 domains, a successful infosec team requires, a clear mandate, the right number of staff, the right policies and procedures, the right tools, and support from management

In addtion to knowledge of the 10 domains, a successful infosec team requires,

a clear mandate,

the right number of staff,

the right policies and procedures,

the right tools, and

support from management

Part 3 - incidents

Part 3 - incidents Security incidents Outline Anatomy of a hacker attack Other common incidents Incident response fundamentals

Security incidents

Outline

Anatomy of a hacker attack

Other common incidents

Incident response fundamentals

Anatomy of an attack Step 1 – gather information (mostly passive) Step 2 – find vulnerabilities (mostly active) Step 3 – exploit vulnerabilities Step 4 – conceal activity (cover your tracks)

Step 1 – gather information (mostly passive)

Step 2 – find vulnerabilities (mostly active)

Step 3 – exploit vulnerabilities

Step 4 – conceal activity (cover your tracks)

Anatomy of an attack Step 1 – gather information (mostly passive) Attacker's activities whois on target address Surf target website Google target <http://johnny.ihackstuff.com/ > Detection Very difficult as this is all normal activity

Step 1 – gather information (mostly passive)

Attacker's activities

whois on target address

Surf target website

Google target <http://johnny.ihackstuff.com/ >

Detection

Very difficult as this is all normal activity

Anatomy of an attack Step 2 – find vulnerabilities (mostly active) Attacker's activities Port scans with tools such as nmap Sniffing with tools such as Wireshark or Ettercap Vulnerability scanning with tools such as Nessus Detection Intrusion detection systems (IDS) such as snort can detect many port scans and vulnerability scans Passive sniffing is hard to detect. There are tools such as Ettercap that can identify NICs in promiscuous mode. ARP cache poisoning and other attacks that facilitate sniffing on switched networks can also be detected by some IDSes, firewalls, switches, and other tools

Step 2 – find vulnerabilities (mostly active)

Attacker's activities

Port scans with tools such as nmap

Sniffing with tools such as Wireshark or Ettercap

Vulnerability scanning with tools such as Nessus

Detection

Intrusion detection systems (IDS) such as snort can detect many port scans and vulnerability scans

Passive sniffing is hard to detect. There are tools such as Ettercap that can identify NICs in promiscuous mode.

ARP cache poisoning and other attacks that facilitate sniffing on switched networks can also be detected by some IDSes, firewalls, switches, and other tools

Anatomy of an attack Step 3 – exploit vulnerabilities Attacker's activities Attack software weaknesses with exploit code. The metasploit framework is a toolkit for developing exploits. Attack passwords Detection IDSes can detect many application attacks as well as large volumes of login attempts Some applications will log failed login attempts Host-based intrusion detection tools such as tripwire and logwatch can detect some suspicious activities

Step 3 – exploit vulnerabilities

Attacker's activities

Attack software weaknesses with exploit code. The metasploit framework is a toolkit for developing exploits.

Attack passwords

Detection

IDSes can detect many application attacks as well as large volumes of login attempts

Some applications will log failed login attempts

Host-based intrusion detection tools such as tripwire and logwatch can detect some suspicious activities

Anatomy of an attack Step 4 – conceal activity Attacker activities Edit suspicious activities out of system logs Install backdoors or rootkits to facilitate future concealed access to the target Detection Host-based intrusion detection tools can detect some of these activities Virus scanners and rootkit checkers can sometimes find rootkits – but not always!

Step 4 – conceal activity

Attacker activities

Edit suspicious activities out of system logs

Install backdoors or rootkits to facilitate future concealed access to the target

Detection

Host-based intrusion detection tools can detect some of these activities

Virus scanners and rootkit checkers can sometimes find rootkits – but not always!

Other common incidents Most security incidents do not involve a classic “hack” Some common incidents Malware infection: virus, trojan, worm, spyware, etc. Insider attack DoS Lost or stolen passwords Web application attacks: css, sql injection, etc. Social engineering

Most security incidents do not involve a classic “hack”

Some common incidents

Malware infection: virus, trojan, worm, spyware, etc.

Insider attack

DoS

Lost or stolen passwords

Web application attacks: css, sql injection, etc.

Social engineering

Incident response basics Have an Incident Response Team with well defined roles before an incident happens Have written procedures for incident handling Have clear lines of communication Who decides whether it is bad enough to phone the police? Which managers need to be informed? Decide when and how you will quarantine potentially compromised equipment Who decides when it is better to be offline than insecure?

Have an Incident Response Team with well defined roles before an incident happens

Have written procedures for incident handling

Have clear lines of communication

Who decides whether it is bad enough to phone the police?

Which managers need to be informed?

Decide when and how you will quarantine potentially compromised equipment

Who decides when it is better to be offline than insecure?

Part 4 - tools

Part 4 - tools Top 10 free infosec tools Wireshark (windows, linux/unix) nmap (windows, linux/unix) Nessus (windows, linux/unix) Snort (windows, linux/unix) Clam AV (windows, linux/unix) Tor (windows, linux/unix) ssh (windows, linux/unix) John the ripper (windows, linux/unix) Ettercap (windows, but best on linux/unix) Cain and Abel (windows)

Top 10 free infosec tools

Wireshark (windows, linux/unix)

nmap (windows, linux/unix)

Nessus (windows, linux/unix)

Snort (windows, linux/unix)

Clam AV (windows, linux/unix)

Tor (windows, linux/unix)

ssh (windows, linux/unix)

John the ripper (windows, linux/unix)

Ettercap (windows, but best on linux/unix)

Cain and Abel (windows)

Thank you for your time. Make good choices. Chris Hammond-Thrasher MLIS, CISSP USP Library Systems Manager / Blogger [email_address] [email_address] [email_address] http://dfiji.blogspot.com/

Photo credits All photos used in this presentation are available under a Creative Commons license Credits Camera http://www.flickr.com/photos/bhikku/ Keys http://www.flickr.com/photos/kk/ Superheros http://www.flickr.com/photos/jcroft/ Schneier http://www.flickr.com/photos/quinnums Diffie/Hellman http://www.flickr.com/photos/dfarber R2-D2 http://www.flickr.com/photos/revlimit/ Foil hat http://www.flickr.com/photos/nicmcphee Incident http://www.flickr.com/photos/mjb Palm pilot http://www.flickr.com/photos/splorp Gateway http://www.flickr.com/photos/cromaducale

All photos used in this presentation are available under a Creative Commons license

Credits

Camera http://www.flickr.com/photos/bhikku/

Keys http://www.flickr.com/photos/kk/

Superheros http://www.flickr.com/photos/jcroft/

Schneier http://www.flickr.com/photos/quinnums

Diffie/Hellman http://www.flickr.com/photos/dfarber

R2-D2 http://www.flickr.com/photos/revlimit/

Foil hat http://www.flickr.com/photos/nicmcphee

Incident http://www.flickr.com/photos/mjb

Palm pilot http://www.flickr.com/photos/splorp

Gateway http://www.flickr.com/photos/cromaducale