The 300 Leonidas Solution


Published on

The final presentation slides for Penn State SRA 221: Overview of Information Security project

Anastassia I
Albert C
Brian R
Matt M
Renee S

Published in: Education, Technology

  2. Project Team III
     Members:
     - Anastassia I
     - Albert C
     - Brian R
     - Matt M
     - Renee S
  3. Leonidas InfoSec, LLC: Executive Level Leadership
  4. Malicious Attackers, Tonight You Dine in Hell!
  5. Virtualize the Network with Leonidas Clones
  6. Leonidas Fights for the Future of the Free Enterprise
     - Virtualization will move processing power back to the mainframe
     - Virtualization redefines rapid development and disaster recovery
     - Virtualization makes baseline management easy
     - Open-source software is reaching a level of maturity
  8. Purpose
     - To guarantee our stakeholders the privacy that is required by law and that they should be granted.
     - Stakeholders:
       - Clients
       - Business partners
       - Shareholders
       - Customers
       - Employees
  9. Overview
     - NETWORK SECURITY MANAGEMENT
       - Firewall Rule Configuration
       - Logging and Auditing
       - Network Topology
     - NETWORK SECURITY OPERATIONS
       - Intrusion Detection System
       - Remote Access
       - Firewalls
  10. Network Security Operations: Firewall
     - Filter out unnecessary packets
     - Install firewall software on the server
     - Regulate the flow of traffic into and out of the First Apple Bank
     - Prevent network intrusion into the First Apple Bank private network
     - Allow whitelisted traffic
     - Detect automated malicious intrusion attempts (pings)
     - Facilitate, and do not disrupt, connectivity and legitimate data transfer
  11. Network Security Operations: Intrusion Detection System
     - Monitor network activity
     - Scan for malicious intent
     - Provide notification of unauthorized entry attempts
     - Integrate the system with log management and firewalls to create a firm reporting structure
  12. Network Security Management: Firewall Rule Configuration
     - Permit necessary business services: email, HTTP, VPN, SSH, ICMP, etc.
     - Drop any other packets not explicitly allowed
     - Examine packet and header information
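The default-deny policy of slides 10 and 12 (permit the listed business services, drop everything else), worked through as an added example that is not code from the deck or from the Leonidas project: a POSIX shell function that compiles a service allow-list into an iptables ruleset. It prints the commands instead of applying them, so it runs without root; the port numbers chosen per service and the `[DROP]` log prefix are assumptions of this example.

```shell
#!/bin/sh
# Added example: compile a service allow-list into a default-deny iptables
# ruleset. Prints the commands rather than applying them (no root needed);
# on a real host, review the output and then pipe it to `sh`.

# Map one allowed service name to its iptables match. The port numbers are
# the conventional ones and an assumption of this example; adjust them to
# the services actually deployed.
service_rule() {
  case "$1" in
    ssh)   echo "-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT" ;;
    http)  echo "-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT" ;;
    email) echo "-A INPUT -p tcp -m multiport --dports 25,587,993 -m conntrack --ctstate NEW -j ACCEPT" ;;
    vpn)   echo "-A INPUT -p udp --dport 1194 -j ACCEPT" ;;   # OpenVPN default port
    icmp)  echo "-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT" ;;
    *)     echo "service_rule: unknown service '$1'" >&2; return 1 ;;
  esac
}

# Emit the full ruleset: default DROP, loopback and stateful allows, the
# explicit allow-list, then log-and-drop for everything not listed.
gen_firewall_rules() {
  echo "iptables -F"
  echo "iptables -P INPUT DROP"
  echo "iptables -P FORWARD DROP"
  echo "iptables -P OUTPUT ACCEPT"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
  for svc in "$@"; do
    rule=$(service_rule "$svc") || return 1   # refuse to emit a ruleset with a typo in it
    echo "iptables $rule"
  done
  # Rate-limited LOG so the central log server sees what was refused,
  # followed by the explicit final DROP.
  echo "iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix \"[DROP] \""
  echo "iptables -A INPUT -j DROP"
}

# Stand-alone usage: the service list from slide 12.
gen_firewall_rules email http vpn ssh icmp
```

An unknown service name makes the function fail rather than silently emit a ruleset that is missing a rule, which is the behaviour you want from anything that generates a default-deny policy.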
  13. Network Security Management: Logging & Auditing
     - Create centralized logging and auditing
     - Collect logs from the firewall, authentication center, and IDS
     - Parse logs and extract information of interest
     - Dump firewall and IDS logs into a storage file
     - Provide real-time event viewing
     - Flag suspicious activities in logs
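The parsing and flagging steps on this slide, as an added example that is not part of the deck: a POSIX shell/awk filter over a centralized syslog-style stream that counts authentication failures and firewall drops per source address and reports every source at or above a threshold. The line formats (OpenSSH "Failed password ... from <ip>" messages and kernel lines carrying a `[DROP]` iptables log prefix), the hostname and the addresses are all constructed for this example.

```shell
#!/bin/sh
# Added example: flag sources with repeated auth failures or firewall drops
# in a centralized syslog stream. Assumed formats: OpenSSH "Failed password
# ... from <ip>" lines and kernel lines with a "[DROP]" iptables log prefix.

# Constructed sample log (not real data): 10.0.0.5 fails sshd four times,
# 192.0.2.9 is dropped five times, 198.51.100.4 is dropped twice (below the
# threshold used below) and 10.0.0.7 logs in successfully once.
sample_logs() {
cat <<'EOF'
Mar 10 09:01:02 leonidas sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 40122 ssh2
Mar 10 09:01:05 leonidas sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 40122 ssh2
Mar 10 09:01:07 leonidas kernel: [DROP] IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.1 PROTO=TCP SPT=44210 DPT=23
Mar 10 09:01:09 leonidas sshd[2104]: Failed password for root from 10.0.0.5 port 40130 ssh2
Mar 10 09:01:10 leonidas kernel: [DROP] IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.1 PROTO=TCP SPT=44211 DPT=135
Mar 10 09:01:11 leonidas kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.4 DST=10.0.0.1 PROTO=UDP SPT=5353 DPT=5353
Mar 10 09:01:12 leonidas kernel: [DROP] IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.1 PROTO=TCP SPT=44212 DPT=445
Mar 10 09:01:14 leonidas sshd[2106]: Accepted publickey for renee from 10.0.0.7 port 50212 ssh2
Mar 10 09:01:15 leonidas kernel: [DROP] IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.1 PROTO=TCP SPT=44213 DPT=1433
Mar 10 09:01:16 leonidas sshd[2108]: Failed password for root from 10.0.0.5 port 40131 ssh2
Mar 10 09:01:17 leonidas kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.4 DST=10.0.0.1 PROTO=UDP SPT=5353 DPT=5353
Mar 10 09:01:18 leonidas kernel: [DROP] IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.1 PROTO=TCP SPT=44214 DPT=3389
EOF
}

# flag_suspicious THRESHOLD   (reads log lines on stdin; default threshold 3)
# Prints "AUTH_FAIL <ip> <count>" or "FW_DROP <ip> <count>" for every source
# whose event count reaches THRESHOLD; output is sorted so it is stable.
flag_suspicious() {
  awk -v thr="${1:-3}" '
    # sshd failures: the source address is the field after "from"
    /sshd\[[0-9]+\]: Failed password/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { fail[$(i+1)]++; break }
    }
    # firewall drops: the source address is the SRC= field of the kernel line
    /kernel: \[DROP\]/ {
      for (i = 1; i <= NF; i++) if (index($i, "SRC=") == 1) { drop[substr($i, 5)]++; break }
    }
    END {
      for (ip in fail) if (fail[ip] >= thr) print "AUTH_FAIL", ip, fail[ip]
      for (ip in drop) if (drop[ip] >= thr) print "FW_DROP", ip, drop[ip]
    }' | sort
}

# Stand-alone usage: three or more events from one source is worth a look.
sample_logs | flag_suspicious 3
```

Successful logins and sources below the threshold are left out on purpose; in a real deployment the same filter would read the merged firewall, authentication and IDS feed that the slide describes, and the threshold would be tuned against the bank's normal traffic rather than fixed at 3.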
  14. Network Security Management: Network Topology
     - Map the hierarchy and architecture of the First Apple Bank network infrastructure
     - Separate sensitive and confidential data storage from the day-to-day network
     - Provide a framework for the most effective network organization structure according to the principle of least privilege
  15. Remote Access Solution Goals
     - Use multi-level authentication
     - Ensure non-repudiation and authenticity of First Apple Bank employees who are working remotely
     - Deploy protocols for privilege revocation
     - Properly implement and secure a certificate authority
     - Provide near-transparent security and authentication via SSH tunnels
  16. Remote Access Solution
     - OpenSSH
       - Uses the Advanced Encryption Standard with 128-bit keys for encryption
       - Uses 2048-bit RSA authentication
       - May use ECC in the future
     - VNC4
       - Allows the client to control his or her workstation remotely as if he or she were physically at the computer
       - Presents a login screen to the remote client
  17. Why SSH and VNC?
     - SSH two-factor system:
       - Needs both a password and the private key to authenticate
       - The private key is stored for the session, making reauthentication quick and transparent to the end user should the session be interrupted.
     - Diffie-Hellman secure key exchange
  18. Detailed Security Plan: Technical, Physical & Personnel Policies
  19. Security Plan
     - Personnel Security
       - Recruiting employees
       - Security awareness
       - Employee practices
     - Physical Security
       - Location of server room
       - Authentication systems
       - Physical material
       - Building infrastructure
  20. Personnel Security Plan
     - Recruiting trustworthy employees
       - Background checks for felony or misdemeanor convictions
       - Drug tests and credit score report
       - Proper signatures/recommendations from previous employer(s)
     - Security Awareness
       - Facility security organization and operation
       - Types of physical and cyber security barriers
       - Social engineering
     - Employee Practices
       - Only business activities may be performed in the server room
       - Personnel should keep visitors to a bare minimum, and visitors must sign the guest log
       - Cleaning/maintenance staff should be escorted by IT personnel when working in the secured area
  21. Physical Security Plan
     - Server room location
       - Cannot be near a public area
       - Should be in the interior, away from windows
     - Authentication systems
       - RFID and magnetic-strip photo card
       - Key-code entry
       - Biometrics (if practical)
     - Physical material
       - The server room door must not be made of or contain glass
       - Wall construction of the server room will be slab-to-slab with Sound Transmission Class 40 or better
     - Building infrastructure
       - Surveillance system
       - Security guards (1 or 2, not equipped with firearms)
       - Standard smoke detectors and fire alarms
       - Intruder alarm
  22. Network Topology
  23. Technical Implementation: Prototype/Demonstration
  24. VirtualBox
     - VirtualBox is free, open-source virtualization software developed by Sun, Inc. It creates virtual machines on which nearly any operating system can be run. Users can customize the amount of RAM, hard drive size, network adapters, etc. as needed.
  25. Ubuntu 7.10
     - Ubuntu is a distribution of Linux that focuses on ease of use, compatibility, and security. Ubuntu 7.10, released in October 2007, was the operating system detailed in the project outline provided and has since been superseded by Ubuntu 8.10, the Intrepid Ibex.
  26. Synaptic Package Manager
     - The APT framework
     - Makes installing popular packages as simple as sudo apt-get install openssh-server
     - Manages updates and dependencies as well
  27. Other Helpful Documentation
     - Manpages
       - Documentation included with most installed software
     - The command line (xterm)
     - NIST publications
       - SP 800-39: Managing Risk
       - SP 800-41: Guidelines to Firewall Policy
       - SP 800-94: Guide to Intrusion Detection and Prevention Systems
       - FIPS 196: Public-Key Authentication
  28. Creating a Master Image (AKA Leonidas)
  29. 1. The master image
     - Install all the necessary software onto a master Leonidas.
     - Use VBoxManage to clone the hard drive image, essentially making duplicate machines.
     - Easy to simulate backups.
     - Spend less time installing and configuring software.
  30. 2. Choose your services
     - Install and configure Kerberos, OpenLDAP, et al.
     - Write the necessary hosts files.
     - Copy public keys where needed.
     - Define strict user and group policies: don't let anyone but superusers change things!
  31. Demonstration
     - VirtualBox capabilities
     - The command line: VBoxManage
     - Virtual testbed demo
     - Remote access demo
       - Snort, Firestarter
       - SSH and VNC
       - Kerberos ticketing
  32. Problems Encountered
  33. Problems Encountered
     - Sample problems
       - Ubuntu networking problems.
       - Resource issues (no mainframe!).
       - Lack of free resources on security policies for the financial industry.
     - Suggested solutions
       - More time and money: 5 months and $1.2m
       - Talk to a virtualization expert (VirtualBox developers at Sun)
       - Talk to industry people.
  34. Summary of Findings
  35. Risk Assessment and Mitigation
  36. Technical Vulnerabilities
     - Technical vulnerabilities are dynamic and can be addressed by keeping systems patched up to date.
  37. Procedural and Physical Vulnerabilities
     - Any violation of security standards set by ISO, NIST, regulatory policy, and company-defined policy.
       - e.g. an employee revealing sensitive or confidential pieces of information such as cardholder data, company infrastructure, or government data
     - Lack of a surveillance system, door locks, card entry systems, RFID sensors, motion sensors, security personnel and biometrics puts a server room and IT infrastructure at risk.
  38. Data Risks
     - Consumer
       - Personal information
       - Account information
       - Financial information
     - Employee
       - Personal information
     - Company
       - Email data
       - IP addresses
       - Specific security configurations
  39. Least Risk Option Combination Assessment
  40. Mitigation
     - Industry standards
       - ASC X9 Financial Industry Standards
         - Data and information security
       - NIST SP 800-39
         - Practices for managing risk in information systems
       - Federal FIPS 196
         - Advanced encryption standard
     - Technical fixes
       - Preventative controls
         - Baseline patching
         - Encryption
       - Detective controls
         - IDS
  41. Mitigation
     - Operational policy
       - Least privilege
       - Defense in depth
       - "Need to know" information
     - Training and education of employees
       - Social engineering deterrents
       - Employee responsibilities
  43. FIN: Questions