Things To Come
• Need for policies and procedures
• Proper staffing and funding
• Clear, consistent, and followed plans
Stanford Infrastructure
• 55,000 registered nodes
• 58,000 active principals
• 800 MB/day web data alone
• 3.5 million/day email messages
• 200 to 700 Mb/s bandwidth
Why Security?
• Do your users have any expectation of privacy?
• Do you have assets that need protecting?
• Have you considered the cost of system compromises vs. protection?
Incident Type Comparison
[Pie charts: incident types for FY97 and FY00. Categories: Abuse/Harassment, Denial of Service, Misuse of University Resources, Account Compromise (attempts), System Compromise (attempts), Network Scans. FY97 slices: 31%, 12%, 23%, 19%, 11%, 4%; FY00 slices: 5%, 0%, 16%, 5%, 19%, 55%. The slice-to-category mapping is not recoverable from the extracted text.]
Worried about Privacy?
• School Records
– Directories (FERPA)
– Homework
• Hospital/Medical Records
– HIPAA
Computer Security Is...
Primarily risk management by ensuring:
• Confidentiality
• Integrity
• Availability
System Confidentiality
[root@topsecret cctest]# pwd
/var/lib/mysql/cctest
[root@topsecret cctest]# strings customer.MYD
david brumley
351 Monroe Palo Alto
Anton Ushakov
590 Escondido Mall
Russ Alberry
101 Great America Parkway
[root@topsecret cctest]# strings orders.MYD
9 piece knife set
34233394134272MasterCard
9910
Sickle and Hammer
543543545345452Visa
0120
3 towels
656565655555Visa
9920
Many believe there is nothing valuable on their system, but:
• System can serve to launch attacks
• There may be unexpected information on the host
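The slide above makes its point with `strings` run over raw MyISAM table files: cardholder data sitting unencrypted on disk is readable by anyone with access to the files, whatever the database's own access controls say. The following is an added example, not code from the original talk, showing how a defender can turn that observation into an audit: it extracts printable runs from a binary file the way `strings(1)` does, then applies the Luhn check to digit runs of card-number length so that a database directory can be scanned for unencrypted card numbers at rest. The `SAMPLE_MYD` bytes are constructed for the example and use the well-known 4111... test number; nothing here comes from the slide's tables.

```python
"""Added example: scan a raw data file for cardholder data at rest.

Not code from the original slides. Mimics `strings` (printable runs out of
a binary file) and flags digit runs of plausible card length that pass the
Luhn check, so a database directory can be audited for unencrypted PANs.
"""
import re
from typing import List

MIN_RUN = 4  # same default minimum run length as strings(1)


def printable_runs(blob: bytes, min_len: int = MIN_RUN) -> List[str]:
    """Return runs of printable ASCII at least min_len long, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(blob: bytes) -> List[str]:
    """Digit runs of 13-19 characters inside printable text that pass Luhn.

    A card type glued to the number (as in the slide's output) does not
    hide it: the lookarounds only require that no further digit adjoins.
    """
    hits = []
    for run in printable_runs(blob):
        for m in re.finditer(r"(?<!\d)\d{13,19}(?!\d)", run):
            if luhn_valid(m.group()):
                hits.append(m.group())
    return hits


def mask(pan: str) -> str:
    """Keep only the last four digits when reporting a hit."""
    return "*" * (len(pan) - 4) + pan[-4:]


# Constructed stand-in for a MyISAM .MYD file: record headers mixed with text.
# 4111111111111111 is the standard Visa test number; 1234567890123 fails Luhn.
SAMPLE_MYD = (
    b"\xfd\x00\x12\x00" + b"9 piece knife set" + b"\x00\x00"
    + b"4111111111111111MasterCard" + b"\x00\x09\x91\x00"
    + b"\xfd\x00\x08\x00" + b"3 towels" + b"\x00\x00"
    + b"1234567890123Visa" + b"\x00"
)

if __name__ == "__main__":
    for pan in find_card_numbers(SAMPLE_MYD):
        print("cleartext card number found:", mask(pan))
```

The scanner finds the Visa test number even though the card type is glued to it, and ignores the second run because it fails the checksum; on a real host the same scan over the database directory is the quickest way to confirm whether the "nothing valuable here" assumption holds.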
Network Sniffers
psych-Wylie-NT.Stanford.EDU => pobox3.Stanford.EDU [110]
USER sleeples
PASS password
STAT
UIDL
QUIT
----- [FIN]
psych-3354-dreamscape.Stanford.EDU => daydream.Stanford.EDU [23] !'''#P38400,38400#dreamscape.stanford.edu:0'DISPLAYdreamscape.stanford.edu:0XTERMoscarpassword2elmjjjjjjjjjjjjjjjjjjjjjj----- [Timed Out]
voodoo.Stanford.EDU => lucas.Stanford.EDU [21](#
USER menon
PASS password3
SYST
PORT 171,65,60,163,5,104
LIST
CWD /home/pub/gary
CWD /home/pub/
CWD /home/
----- [Timed Out]
psych-3367-macG3.Stanford.EDU => elaine18.Stanford.EDU [23]%%jboyett%IR.STANFORD.EDU@(P^$:-)':ca<`%.+vc6s}DF~T[f8FLc|vI;#wG\CN6MYlP%6M-&&&&& #'$&&Y`&&VT100&wl\cfCCSDK) >aWHW^H>rGhsN{q0jxU`&$$ vQa;j:T8%H>VzL d>7s_----- [Timed Out]
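The sniffer dump above shows why the talk later insists on "no clear text logins": POP3, FTP and telnet carry the username and password as plain text. The following is an added example, not code from the original talk, that reads session records in the shape of that dump (a `client => server [port]` header, payload lines, a `----- [...]` terminator) and reports every session to an FTP, telnet or POP3 server in which a credential crossed the wire unencrypted. It records only the username and the fact that a password was sent, never the password itself; the purpose is to inventory the services that still accept plaintext authentication so they can be moved to Kerberos or SSH. It assumes the payload has already been reassembled into lines, and the host names and credentials in `SAMPLE_SESSIONS` are constructed.

```python
"""Added example: audit sniffer-style session records for cleartext logins.

Not code from the original slides. Reports sessions on FTP (21), telnet (23)
and POP3 (110) in which a credential was sent, without storing the secret.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

CLEARTEXT_PORTS = {21: "FTP", 23: "telnet", 110: "POP3"}

HEADER_RE = re.compile(r"^(\S+) => (\S+) \[(\d+)\]\s*$")
USER_RE = re.compile(r"^(?:USER\s+|login:\s*)(\S+)", re.IGNORECASE)
PASS_RE = re.compile(r"^(?:PASS\s+\S|Password:)", re.IGNORECASE)


@dataclass
class Finding:
    client: str
    server: str
    protocol: str
    user: Optional[str]
    credential_seen: bool   # a password was sent; the value is never kept


def parse_sessions(text: str) -> List[Dict]:
    """Group a dump into sessions: endpoints, port and payload lines."""
    sessions: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"client": m.group(1), "server": m.group(2),
                       "port": int(m.group(3)), "lines": []}
            sessions.append(current)
        elif line.startswith("-----"):
            current = None          # "[FIN]" or "[Timed Out]": session over
        elif current is not None:
            current["lines"].append(line)
    return sessions


def audit(text: str) -> List[Finding]:
    """One Finding per session on a cleartext-protocol port."""
    findings = []
    for s in parse_sessions(text):
        proto = CLEARTEXT_PORTS.get(s["port"])
        if proto is None:
            continue                # e.g. SSH on 22: encrypted, not reported
        user, cred = None, False
        for line in s["lines"]:
            m = USER_RE.match(line)
            if m and user is None:
                user = m.group(1)
            if PASS_RE.match(line):
                cred = True
        findings.append(Finding(s["client"], s["server"], proto, user, cred))
    return findings


def report(findings: List[Finding]) -> List[str]:
    """Human-readable lines for the service owners; no secrets included."""
    return [f"{f.protocol} to {f.server}: user {f.user or '?'} from {f.client}"
            + (" sent a password in the clear" if f.credential_seen
               else " (no credential observed)")
            for f in findings]


# Constructed sample in the format of the slide's sniffer output.
SAMPLE_SESSIONS = """\
psych-ws1.example.edu => pobox3.example.edu [110]
USER sleepless
PASS hunter2
STAT
QUIT
----- [FIN]
voodoo.example.edu => lucas.example.edu [21]
USER menon
PASS s3cret
SYST
LIST
----- [Timed Out]
psych-ws2.example.edu => daydream.example.edu [23]
login: oscar
Password:
----- [Timed Out]
ws-17.example.edu => shell.example.edu [22]
SSH-2.0-OpenSSH_5.3
----- [FIN]
"""

if __name__ == "__main__":
    for line in report(audit(SAMPLE_SESSIONS)):
        print(line)
```

The SSH session is parsed but never reported, which is the point of the exercise: once the three cleartext services are replaced, the report goes empty.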
University Of Washington Sniffer
Summer 2000:
• NT IIS Web Server compromise
• Password sniffer installed
• Exposed 5000 medical records
Ensuring Confidentiality
• Strong Authentication
– No clear text logins
• Kerberos
• SSH
• Strong Authorization
– AFS
– Directory ACLs
Compromises of Integrity
• ls (dir) - doesn’t show intruder’s files
• ps (task manager) - doesn’t show intruder’s processes
• ifconfig - doesn’t show interface in promisc mode
• zap - cleans log files
• fix - fixes timestamp and checksum info
• chfn - gives root shell with proper arg
• login - gives root shell w/ proper password
• inetd (runs network services like “telnet”) - gives full access on a particular port
Integrity Compromise Example
Normal System:
sunset:security> telnet elaine
Trying 171.64.15.86...
Connected to elaine21.stanford.edu.
Escape character is '^]'.
UNIX(r) System V Release 4.0 (elaine21.Stanford.EDU)
elaine21.Stanford.EDU login:
Hacked System:
sunset:security> telnet jimi-hendrix 1524
Trying 171.65.38.180...
Connected to jimi-hendrix.Stanford.EDU (171.65.38.180).
Escape character is '^]'.
# ls -altr /;
total 1618
-r-xr-xr-x 1 root root 1541 Oct 14 1998 .cshrc
drwx------ 2 root root 8192 Apr 14 1999 lost+found
drwxr-xr-x 1 root root 9 Apr 14 1999 bin
drwxrwxr-x 2 root sys 512 Apr 14 1999 mnt
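The trojaned `ls`, `ps`, `ifconfig`, `login` and `inetd` binaries listed two slides back share one property: their contents no longer match what the vendor shipped. A baseline of cryptographic hashes taken while the host was known good, kept off-host or on read-only media, detects the swap even when the replaced `ls` hides the intruder's files, because the check never asks the suspect binaries anything. The following is an added example, not code from the original talk, of that baseline-and-verify step in the style of Tripwire; it runs against a temporary directory standing in for `/bin`, with constructed stand-in file contents, so it is self-contained.

```python
"""Added example: hash baseline and verification for system binaries.

Not code from the original slides. build_baseline() records SHA-256, mode
and size per file; verify() compares a later state against that record and
reports modified, missing and added files. demo() exercises it on a
temporary directory with constructed stand-in binaries.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, Dict[str, object]]:
    """Hash, permission bits and size of every regular file under root.

    Walks the directory with Python's own calls rather than the host's ls,
    so a trojaned ls cannot edit the listing.
    """
    baseline: Dict[str, Dict[str, object]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": sha256_file(p),
                "mode": st.st_mode & 0o7777,
                "size": st.st_size,
            }
    return baseline


def verify(root: Path, baseline: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Compare the current tree with a stored baseline."""
    current = build_baseline(root)
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "added": []}
    for name, rec in baseline.items():
        cur = current.get(name)
        if cur is None:
            report["missing"].append(name)
        elif cur != rec:
            report["modified"].append(name)
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo() -> Dict[str, List[str]]:
    """Known-good baseline, then a trojaned ls and an extra file appear."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("ls", "ps", "ifconfig"):          # constructed stand-ins
            (root / name).write_bytes(b"ELF-stand-in: vendor " + name.encode())
            os.chmod(root / name, 0o755)
        # In practice this JSON goes to read-only media or another host.
        baseline_json = json.dumps(build_baseline(root))

        (root / "ls").write_bytes(b"ELF-stand-in: replaced ls that hides files")
        (root / "newfile").write_bytes(b"unexpected")
        return verify(root, json.loads(baseline_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison includes permission bits, so a setuid bit added to an otherwise unchanged binary also shows up as modified; what it cannot catch is a kernel module that lies to every process, which is why the talk's next slides argue for running as few services as possible in the first place.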
Ensuring Integrity - Axioms
• All programs are buggy
– The larger the program, the more bugs it will have
• If a program isn’t run, it doesn’t matter if it’s buggy
– Hosts should run as few services as possible
Building Integrity
• Create easy to use resources for system security:
– Templates
– Distributions
– Best use documents
• Defense in Depth is the goal
[Chart: Total Time against Number of Hosts (1 to 23), y-axis 0 to 250, with two series: Before Cloning and After Cloning.]
Threats to Availability
• System intrusion
• Denial of Service Attack
• Domain Name Hijack/Modifications
The Master Plan
• Assess situation
• Create policies, procedures, and implementation plan
• Create infrastructure
• Maintain infrastructure
• Lather, rinse, repeat.
Getting Started
• Assessing where you are at:
– What policies exist?
– What staff is already in place?
– What services are offered?
– What services will be offered?
Policy Key Points
• What are you protecting?
• Who has authority?
• What are the resources for?
• What organizational units are there?
The Key
The policy must be approved at the highest levels in order to deal with irate:
• Nobel prize laureates
• Crafty Students
• Other political entities
Security Office Plan
• Plan base authentication, authorization, and integrity mechanisms
• Work with infrastructure groups to utilize security resources
• Educate the community
Creating Infrastructure
Major points in an assessment:
• Create scalable architectures
• Create robust architectures
• Create low-risk architectures
Allocating Resources
• Staff and budget are needed, but security gets easier and cheaper as time goes on.
• Fundamental knowledge for computer security staff is knowledge of operating systems and programming
• Leverage off existing infrastructure to minimize long-term cost
The Benefits
• Guaranteed and quick response
• Guaranteed responsibility
• Protection
• Be a good net-citizen
Quick Response
From: [email protected]
Sent: Saturday, May 29, 1999 5:46 AM
Subject:
As we'll know how fxxxxx Stanford housing situation is, still our
hypocrit spic-and-nigger loving administration has done nothing but
keep accepting more and more of these motherxxxxx black jelly
beans.
These dirty cheating son of xxxxx
....[edited]....
================================================================
Firstname Lastname
Engineering-Economic Systems & Operations Research
Address
Stanford University
Stanford CA 94305
http://www.geocities.com/CollegePark/Grounds/2511
Quick Response
• August 8, 1999
– 46 Solaris machines compromised
– trin00 installed
– 24 hours for cleanup
• Quite possibly avoided large scale internet attack
Public Service
• Feb 1999 - ShadowKnight compromises Stanford hosts
• Feb 1999 - Aug 1999 Stanford monitors hacker
• Nov 2000 - Jason Diekman, aka ShadowKnight, convicted
Protect
• Assess critical infrastructure security
• Legal point of contact for problems
• Advise and help deploy security infrastructure
• Help keep network available for academic use