NuGenSoft/CERTConf 2000/Intro Introduction to Information Security Presented to CERTConf 2000 September 26, 2000 Stephen M. Nugen, CISSP [email protected]


NuGenSoft/CERTConf 2000/Intro

Introduction to Information Security

Presented to CERTConf 2000

September 26, 2000

Stephen M. Nugen, [email protected]


Overview

- Purpose
  - Provide a broad, brief overview of information security
  - Context for understanding more detailed sessions
- Common vocabulary
  - Problem domain... Threats
  - Solution domain... Responses
- Pointers to helpful resources
- Speaker prejudices
  - 20+ years IT and IT-related R&D
  - Founder and CTO of NuGenSoft
  - Certified Information Systems Security Professional (CISSP)
- Informal style... questions [email protected]


Overview cont’d

- Information systems security
  - Discipline that protects the confidentiality, integrity, and availability of information and information services
  - aka
    - Network security, Computer security
    - Information assurance, Information operations
    - CyberSecurity, CyberWarfare, Cyberattack
- Remember C-I-A
  - Confidentiality: protecting from unauthorized disclosure
  - Integrity: protecting from unauthorized modification
  - Availability: making data accessible when needed, reliably
- InfoSec discipline includes
  - Technologies
  - Policies; processes
  - Operations


Threat

- Threat topics
  - Different types of malicious software
  - Common program threats
  - Port scans and sniffers
  - Denial of service
  - Misrepresentation
  - Vandalism
  - Theft
  - Other vulnerabilities
  - Size and trends


Threat | Malware

- Viruses
  - Self-replicating programs
  - Oftentimes attached to a host file
    - Boot sector
    - System file
    - Document (macro)
- Worms
  - Propagate through networks
  - Ex: Lovebug... email attachment propagated through email to other recipients


Threat | Malware cont’d

- Trojan Horse
  - Malicious program disguised as something benign
  - Two parts
    - Visible useful part
    - Invisible malicious part... may be destructive or create vulnerability for future exploitation
  - Replicate through users sharing files
  - Ex: Fun executable
    - Visible effect: Entertaining cartoon
    - Concealed effect: Installs remote-control program
    - Replicates: Users share with each other via email, floppy disk, etc.
- Note: These different types not mutually exclusive


Threat | Program Threats

- Logic bomb
  - Hidden program activated under certain conditions
  - Ex:

      if lookup of “Bill Ellison” in payroll file fails then
          for every entry in payroll file
              if entry.salary > 100K then
                  set entry.salary = 10K
              endif
          endfor
      endif

- Back door
  - Hole in system security deliberately installed by designers or maintainers
  - Intent not always sinister


Threat | Program Threats cont’d

- Remote control programs
  - Allow remote control of local workstation
  - Effect may be known (presumably benign) or unknown (presumably malicious)
  - Ex: PCAnywhere
  - Ex: Back Orifice
  - Ex: Zombie (compromised PC does what its master commands)
- Buffer overflows
  - Exploits unintentional vulnerabilities in programs, oftentimes less-tested error-recovery routines
  - Sophisticated hackers able to cause their data (really hand-crafted instructions) to overflow internal data structures into control registers


Threat | Program Threats cont’d

- Browser components
  - ActiveX or JAVA applets downloaded automatically from web page
  - JAVA applets constrained to sandbox, but implementation errors can be exploited
  - ActiveX components unrestricted, security depends on evaluating their source
    - Trusted components oftentimes marked safe for scripting
  - Provides useful functionality
  - Provides potential vulnerabilities


Threat | Port Scans

- Send a packet to a specific machine, particular port... analyze the response (if any)
- Part of a classic attack strategy
  - Reconnaissance:
    - Determine which ports are open
    - What services are responding
    - Use responses to determine version of operating system, web server, etc.
  - Planning:
    - Use results of port scans to select tools and methods for specific operating system, services, etc.
    - RootShell.com and other hacker sites have helpful search engines...
  - Attack:
    - Focused attack, customized to target system
  - Note: Newer attack forms just attack blindly without prior port scans... lower probability of success, but much faster and no prior warnings


Threat | Port Scans cont’d

- Port scanning very prevalent
  - Lots of good tools
  - Security assessments and self-defense strategies usually include scanning yourself
- Folks disagree about the criminality of port scans
  - Like someone looking in a storefront window?
  - Like someone trying the doors, after normal business hours?
  - Like someone testing your doors and windows while you sleep?


Threat | Sniffers

- Capture all the packets on a LAN (or WAN) segment
  - Normally, NIC ignores all packets except the ones addressed to specific machine
  - NIC in promiscuous mode processes every packet
  - Difficult to detect when purely passive
    - Have to cut TX-line or configure very carefully so sniffer system doesn’t respond to anything
- Used maliciously to
  - Capture passwords
  - Obtain credit card numbers, etc.
- Used legitimately
  - To diagnose difficult network problems
  - By intrusion detection systems


Threat | Denial of Service

- Definition
  - Aimed at making services unavailable
  - Called by some the “ultimate Internet security nemesis”
  - aka DoS
- Simple types
  - Communications-level
    - Ex: Flood the server with SYN packets from one or more sources, overwhelming the TCP/IP protocol stack resources
  - Service-based
    - Ex: Send malformed header to listening RPC service, forcing server into spinning error recovery
  - Network-based
    - Ex: Compromise a router or assume its identity... Then, send ICMP messages to clients telling them their access is not allowed or the network is unreachable


Threat | DoS cont’d

- Simple types cont’d
  - Distributed
    - Utilize an army of Zombie PCs, previously compromised via a virus, trojan, etc.
    - Multiple sources harder to counter
    - Traffic from each individual source may appear legit
    - Systems unable to cope with aggregation of multiple simultaneous sources... especially when consuming extra resources recovering from protocol errors, etc.


Threat | DoS cont’d

- Example
  - Threat
    - When systems boot, they broadcast a message indicating their identity (IP address)
    - A malicious system can be configured to respond to every such broadcast with “Hey, I’m already using that IP address!”
    - Thus, to avoid an IP conflict, booting system fails to initialize its networking services
  - Recovery
    - Find the box... good luck, they can be very small
    - Disable Proxy ARP service on the system (or remove the system from the LAN)
    - Reboot every affected system


Threat | Misrepresentation

- Router spoofing
  - Machine X claims to be the trusted router
    - Enables redirection
    - Enables denial of service and man-in-the-middle attacks
- Man-in-the-middle
  - Can read (snoop) and/or change contents in-transit
    - Email
    - Purchase orders
    - Quotes
- Packet filtering with detailed time-stamped logs helps to detect these attacks


Threat | Misrepresentation cont’d

- Web spoofing
  - Entice users to link through hacker-controlled portal
  - Hacker portal does pass-through and
    - Can monitor everything
    - Can modify the response returned by the legitimate server to something more interesting...

[Figure: User, Hacker-Controlled Server/Portal-A, Legitimate Web Server-B. 1: Request; 2: Request; 3: Legit response; 4: Monitor and/or modify response; 5: Spoofed response]


Threat | Vandalism

- Rewriting someone else’s web page to display the vandal’s message
- Classic examples
  - Department of Justice; August 1996
    - Hackers vandalized www.usdoj.gov with swastikas, obscene pictures, and criticisms of the CDA
  - CIA; September 1996
    - Vandalized www.odci.gov/cia with “Welcome to the Central Stupidity Agency”, etc.
  - Air Force; December 1996
    - Vandalized www.af.mil with X-rated picture captioned “This is what the government is doing to you.”
  - Example: NASA; March 1997
    - Vandalized www.nasa.gov with references to the Internet Liberation Front (ILF)
- More recent examples include
  - World Trade Organization
  - Activist organizations urging DoS attacks on others


Threat | Theft

- Types of theft
  - Theft of money
  - Theft of services
  - Theft of intellectual property
    - Direct gain
    - Extortion
    - Making valuable IP public domain, adversely impacting its copyright status
  - Theft of reputation... similar to vandalism and denial of service


Threat | Theft cont’d

- Ex: Trojan horse dialer
  - Visitors to www.1adult.com offered the opportunity to view free pictures using special download software
  - Special download software
    - Lowers modem volume
    - Disconnects from ISP
    - Reconnects to an overseas ISP
      - Thought to be Moldova, later found to be Canada
      - Very high connect fees, charged to their modem telephone line
  - Some customers preferred to pay very high phone bills rather than explain them... (social engineering)
- Ex: Two hackers stole communication company’s 5-year plan for cellular systems
  - Demanded $2M to destroy the system
  - Made their demands through an ISP owned by the same company...


Threat | Theft cont’d

- Ex: Cereal companies
  - Company-A secretly develops new cereal
  - Company-B releases a nearly identical product just before Company-A
  - Company-A loses $1B
  - Coincidence or industrial espionage?
- Ex: Adult entertainment company hires hacker to download all content from a competing site
  - Filters usually prevent massive downloads
  - Hacker succeeded, posted content to newsgroups
  - Potentially weakens copyright protection of stolen content


Threat | Other Vulnerabilities

- Browser flaws
  - Hostile servers can exploit weaknesses in MS IE and Netscape Communicator to access local files, etc.
  - A continuous journey of discovery, response, etc.
  - Untrusted hackers aren’t breaking in... trusted employees are unwittingly opening the door by accessing hostile web pages
- Server flaws
  - Hackers can exploit server-side vulnerabilities, installing hostile code on a trusted server that exploits clients
  - Cross-site scripting complicates the issue... only countermeasure is good server-side defensive programming


Threat | Vulnerabilities cont’d

- Network print servers
  - Printer vendors slower to add strong security features
  - Ex: SpaWar
    - Intruder hacked into the printer and reconfigured the routing tables on other SpaWar equipment.
    - Files were hijacked from printing queue, sent to server in Russia, and then sent back to SpaWar printer... hijacker can keep a copy or even modify
    - Noticed only when impatient user investigated why he had to wait so long for his job to start printing


Threat | Vulnerabilities cont’d

- Wiretapping
  - Omaha’s telephone infrastructure fairly old, relatively easy to crack
  - Access to public telephone lines uncontrolled
    - Toadstools and manholes not locked
    - Determining which wiring pair belongs to the target is easy... just call the number from a cell phone and feel for the ring current
  - PBXs complicate the problem, but only a little...
    - PBXs can be hacked
    - Access to company wiring closets gained through social engineering
    - Most PBXs have a feature that allows a single extension to be hard-assigned to a specific loop
      - Typically used for the operator or executives
      - Hackers like this feature
  - Most speaker phones can be remotely commanded for listening, even when the phone is on-hook


Threat | Vulnerabilities cont’d

- Pager messages can be intercepted
  - Ex: White House Communications Agency, 1997
    - Hackers intercepted and published transcripts from pager messages sent while the President was visiting Philadelphia
    - No national security compromise, but unearthed vulnerability and romantic affairs among White House staff


Threat | Size

- Difficult to measure
  - Organizations don’t detect or report every incident
  - Hackers sometimes credited for IT problems not related to InfoSec
  - InfoSec firms influencing demand for their products and services
- 1998 poll of 163 organizations
  - 31% reported $123M in damages
  - 69% couldn’t even quantify their damage
- 1998 FBI study of 428 intrusions in US
  - 21% initiated by disgruntled employees
  - 17% initiated by independent hackers
  - 11% initiated by U.S. competitors
  - 6% initiated by foreign competitors
- 1999 survey of 185 Fortune 500 firms
  - Clean-up costs and lost productivity due to worms and viruses $7.5B for first half of 1999


Threat | Size cont’d

- 1999 survey of Fortune 1000 companies
  - $45B in losses from theft of proprietary information
  - Unknown how much of that was sponsored by competitors
    - Earlier survey found more than half of 600 companies surveyed felt their competitors were likely source of cyberattack
- 2000 survey of large corporations and government agencies
  - Computer Security Institute, March 2000 with FBI participation
  - 90% detected computer security breaches in previous 12 months
    - 70% reported “serious” breaches
    - 74% reported financial losses
      - 42%, or 273 organizations, able and willing to quantify their loss: $265M
      - Most serious financial losses from theft of proprietary information


Threat | Size cont’d

- 2000 survey of 4,900 IT professionals across 30 nations
  - InformationWeek and PricewaterhouseCoopers, July 2000
  - Only 50,000 US firms large enough to be impacted by and able to accurately tally the cost of software viruses
  - US impact: $266B
    - Represents 2.5% of Gross Domestic Product
    - Much more than $15B estimated for 1999, different methods
    - Lost productivity: ~7,000 person-years
  - Worldwide impact: $1.6T


Threat | Trends

- Subjective views (multiple sources)
  - Decentralized multi-vendor systems make it harder to rely on vendors to detect and close vulnerabilities
    - Some vulnerabilities can’t be closed by software vendors... closure has to come from overworked application and web programmers
  - Increasing complexity of software increases the probability and number of vulnerabilities
    - Some experts more pessimistic today than two years ago
  - Number of good hacker tools is increasing, making it easier to hack
    - Even for the technically-challenged “script-kiddies”
    - Internet provides powerful opportunities for knowledge-sharing, collaboration
    - Copying costs are negligible


Threat | Trends cont’d

- AI techniques
  - Conflict of interest disclosure: NuGenSoft’s focus area
  - AI techniques can be used to discover vulnerabilities and exploits
  - Provided with public-domain case histories of past exploits, Case Based Reasoning technologies can be used to generate plausible hypotheses of what other vulnerabilities are present/exploitable
  - Goal-directed scripts can test the hypotheses on private client-server LANs... 24X7... undetected
    - Simple as iterating over field lengths, header contents, ports, etc.
    - Analyze responses
      - Delayed response may indicate server-intensive error processing... Denial of Service vulnerability
      - No response may indicate crashed service... Denial Of Service... maybe even a buffer overflow opportunity
  - Hypothesis: Attackers that develop new tools offline over 6-mo, 24X7, enjoy computational advantage over defenders responding real-time


Threat | Trends cont’d

- Demand for solutions exceeds supply
  - Demand increasing rapidly
  - Supply effectively flat or increasing slowly
- Best countermeasure: specialized human expertise...
  - Security specialists
  - System administrators
- ...Who are well-trained, experienced, informed
  - Training: Certifications and education initiatives increase supply but at a lower rate than demand
  - Staying informed very hard and time-consuming
    - Nearly impossible when working full-time
    - CISSP and SANS certifications expire without continuing education and/or periodic retest
    - Effectively decreases supply
- Government speaker: “Wanting a security consultant real bad may mean getting a security consultant real bad.”


Responses

- Overview
  - Policy... processes
    - Policy comes first
    - Technical countermeasures need to consider the risk... the likelihood of compromise, associated damage
  - Technologies
    - Implementing the policies
  - Assessment
    - Measure operations to assess how well the implemented technologies and processes are satisfying management policies


Response | Policy

- Define security policy as part of risk management
  - Organization managers responsible for policy
  - Includes disaster recovery
  - Plan, in advance, how to respond to successful InfoSec attacks
    - Define the team who will respond to security incidents
    - Desired: Decide, in advance, to commit necessary resources and endurance to prosecute intruders
- Separation of duties
  - Don’t put ultimate trust in anyone... not even system administrators
  - Separate duties so that no single person can maliciously compromise the system undetected
  - Probability of detection increases with the number of people involved
  - Mandatory vacations


Response | Policy cont’d

- Enable audits
  - Turn on system accounting (event logging)... configure for maximum granularity
    - Log files will be large, but disk space is cheap
    - Detailed log files hard to review, but tools help
  - Good hack tools exist for deleting or modifying log files, so
    - Protect their access
    - If possible, log to a different system, not connected via LAN/WAN... use a serial connection to standalone system with minimal O/S for example
  - Manage audit trails (system logs) to preserve an unbroken chain of evidence that can be used to prosecute criminal behavior
- Employers’ written policies
  - Signed ‘fair use’ agreements recommended
  - Valid even if employees don’t sign so long as the employees know they exist
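
The audit-trail advice on this slide (protect log access, log to a separate system, keep an unbroken chain of evidence) can be made checkable with a hash chain. The following is an added example, not part of the original slides; the record fields, function names and sample events are constructed for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # fixed "previous hash" value for the first record


def _digest(prev_hash, entry):
    """SHA-256 over the previous record's hash plus this entry's canonical JSON."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log, timestamp, host, event):
    """Append one event; return the new head hash (copy it to the separate log host)."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"ts": timestamp, "host": host, "event": event}
    record = {"entry": entry, "prev": prev, "hash": _digest(prev, entry)}
    log.append(record)
    return record["hash"]


def verify(log, trusted_head=None):
    """Return (ok, index), where index is the first record that breaks the chain.

    trusted_head is the last head hash stored on the separate system; without
    it, records deleted from the end of the log cannot be detected.
    """
    prev = GENESIS
    for i, record in enumerate(log):
        if record["prev"] != prev or record["hash"] != _digest(prev, record["entry"]):
            return False, i
        prev = record["hash"]
    if trusted_head is not None and prev != trusted_head:
        return False, len(log)
    return True, None


def build_sample_log():
    """Constructed sample events (not real log data)."""
    log, head = [], None
    for ts, host, event in [
        ("2000-09-26T02:58:10", "srv1", "login failed user=bob tty=modem0"),
        ("2000-09-26T02:58:41", "srv1", "login ok user=bob tty=modem0"),
        ("2000-09-26T03:01:07", "srv1", "su root by bob"),
        ("2000-09-26T03:04:55", "srv1", "logout user=bob"),
    ]:
        head = append(log, ts, host, event)
    return log, head


def tamper_cases():
    """Verify the sample log intact and after three kinds of tampering."""
    log, head = build_sample_log()
    edited = copy.deepcopy(log)
    edited[2]["entry"]["event"] = "cron job ok"   # rewrite one record in place
    removed = copy.deepcopy(log)
    del removed[1]                                # delete a record from the middle
    truncated = copy.deepcopy(log)[:3]            # drop the newest record
    return {
        "intact": verify(log, head),
        "edited": verify(edited, head),
        "removed": verify(removed, head),
        "truncated_no_head": verify(truncated),
        "truncated_with_head": verify(truncated, head),
    }


if __name__ == "__main__":
    for name, result in tamper_cases().items():
        print(f"{name:20s} {result}")
```

Someone with write access to the whole file could recompute every hash, which is why the head hash belongs on the separate system the slide recommends.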


Response | Technology

- Topics
  - Authentication
  - Firewalls
  - Intrusion Detection
  - Cryptography
- Authentication... based on
  - Something you know
    - Password
  - Something you own
    - ATM card
    - Coded ID badge
  - Something you are
    - Biometrics
    - Fingerprint scanner
  - ...best practice: require two elements... ATM card + PIN


Response | Technology cont’d

- Firewalls
  - Partition, manage multiple operating zones
  - Firewalls used to be 2-port (concept and implementation)
    - Internal (trusted)
    - External (untrusted)
  - Today, most firewalls are 3-port...
    - Internal (sort of trusted)
    - External (untrusted, lawless)
    - DMZ (war zone)

[Figure: firewall zone diagram. Labels: Untrusted Internet Connection, Router, External Firewall, Semi-protected DMZ, Internal Firewall, Protected private network, Web Srvr, DNS, E-Mail, Monitor..., Eng Wkstns, Payroll DB Srvr. Annotations: Have to expose DMZ for customer access; Hide private network... NAT, etc.]


Response | Technology cont’d

- Firewalls cont’d
  - Evolving
    - From filters based on source address, destination address, and type of service... to policy-based rules
  - Internal firewalls used to protect trusted internal networks from each other
    - Dilbert example: Isolate/protect Engineering LAN from Executive Management
  - Firewalls not enough...
    - New viruses and Trojans like BO2K-variations can vary their signature (size, port, location, checksum, etc.) to slip past even good firewalls
    - Some claim 70% of firewalls can be penetrated
    - Organizations relying on perimeter firewalls for network security are like Tootsie Rolls... hard on the outside, but soft and chewy inside
    - Overloading of http (via port 80) may render traditional firewalls less effective


Response | Technology cont’d

- Intrusion detection systems (IDS)
  - IDS systems like a video camera at a convenience store
    - Passive, don’t prevent crimes/hacking
    - But, provide evidence... help to eliminate repeat offenders
  - Three types
    - Packet-based
    - Network-based
    - Host-based


Response | Technology cont’d

- Intrusion detection cont’d
  - Packet-based intrusion detection
    - Packet filtering: Examine every packet for known attack signatures
    - Problem-1:
      - Detection uses known signatures (from hacks that were already successful somewhere)
      - But, once the vendor includes that attack signature, hackers switch to another strategy with a new signature, unknown to intrusion detection software
    - Problem-2:
      - There are 2,500-5,000 known attack signatures to compare with every packet
      - But, comparative engines can only compare packets to an active set of <200 signatures
      - Sometimes, old methods work once again...


Response | Technology cont’d

- Intrusion detection cont’d
  - Network-based intrusion detection
    - Look for social-engineering influences by determining who’s talking to who and when
      - Inside-to-inside probably OK...
      - Inside-to-outside and outside-to-inside maybe OK
      - Outside-to-outside a definite problem
    - Pattern-based: search for changes, deviations from “normal”
      - Search for off-nominal network behavior... Day-worker Bob logging in at 3:00AM
      - Search for changes in user behavior... Changes in what network resources they use... Changes in what files they access
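
The two network-based checks on this slide, direction of conversation and deviation from a user's normal login hours, are sketched below as an added example that is not part of the original slides. The internal address range, the one-hour tolerance, the function names and all sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Assumption: the organization's own address space; replace with real ranges.
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# The slide's verdict for each direction of conversation.
VERDICT = {
    ("inside", "inside"): "probably OK",
    ("inside", "outside"): "maybe OK",
    ("outside", "inside"): "maybe OK",
    ("outside", "outside"): "definite problem",
}


def side(addr):
    """Classify one address as inside or outside the organization."""
    ip = ipaddress.ip_address(addr)
    return "inside" if any(ip in net for net in INSIDE_NETS) else "outside"


def classify_flow(src, dst):
    return VERDICT[(side(src), side(dst))]


def build_baseline(history):
    """history: (user, ISO timestamp) pairs -> {user: Counter of login hours}."""
    baseline = defaultdict(Counter)
    for user, ts in history:
        baseline[user][datetime.fromisoformat(ts).hour] += 1
    return baseline


def off_nominal(baseline, user, ts, tolerance=1):
    """True when the login hour is not within `tolerance` hours of any hour in
    the user's history. Users with no history at all are always flagged."""
    hours = baseline.get(user)
    if not hours:
        return True
    hour = datetime.fromisoformat(ts).hour
    nearby = ((hour + d) % 24 for d in range(-tolerance, tolerance + 1))
    return not any(hours[h] > 0 for h in nearby)


def review(flows, history, logins):
    """Return alert strings for outside-to-outside flows and off-hours logins."""
    baseline = build_baseline(history)
    alerts = []
    for src, dst in flows:
        if classify_flow(src, dst) == "definite problem":
            alerts.append(f"flow {src} -> {dst}: outside-to-outside")
    for user, ts in logins:
        if off_nominal(baseline, user, ts):
            alerts.append(f"login {user} at {ts}: outside usual hours")
    return alerts


# Constructed sample data (documentation address ranges, invented users).
SAMPLE_FLOWS = [
    ("10.1.2.3", "10.1.9.9"),
    ("10.1.2.3", "192.0.2.80"),
    ("198.51.100.7", "10.1.0.25"),
    ("203.0.113.5", "192.0.2.80"),
]
SAMPLE_HISTORY = [
    ("bob", "2000-09-18T08:02:00"), ("bob", "2000-09-19T07:55:00"),
    ("bob", "2000-09-20T08:10:00"), ("bob", "2000-09-21T09:01:00"),
    ("bob", "2000-09-22T08:20:00"),
]
SAMPLE_LOGINS = [
    ("bob", "2000-09-25T08:05:00"),   # normal start of day
    ("bob", "2000-09-25T10:15:00"),   # within one hour of a known login hour
    ("bob", "2000-09-26T03:00:00"),   # the slide's 3:00AM case
]


def demo():
    return review(SAMPLE_FLOWS, SAMPLE_HISTORY, SAMPLE_LOGINS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```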


Response | Technology cont’d

- Intrusion detection cont’d
  - Host-based intrusion detection (host misuse detection)
    - Lots of vendor tools
    - Some use expert system technology to enforce security policies; constantly re-learn user’s usage patterns


Response | Technology cont’d

- Cryptography
  - Motivation
    - Protecting information by ensuring its integrity and confidentiality... even as it travels over untrusted networks
    - Includes authentication and non-repudiation services... digital signatures for example
  - Private-key encryption
    - Requires sender and receiver to share the same key... exchanging it before exchanging information
    - Relatively fast
    - Ex: DES, IDEA, RC2, RC4, RC5, Blowfish
  - Public-key encryption
    - Uses key pairs (mathematically-related)
      - Public portion published
      - Private portion kept secret
    - Doesn’t require senders and receivers to exchange private keys first
    - Much slower than private-key


Response | Technology cont’d

- Cryptography cont’d
  - Public-key encryption
    - Uses key pairs (math-related)
      - Public portion published
      - Private portion kept secret
    - Doesn’t require senders and receivers to exchange keys first
    - Much slower than private-key
  - Example
    - Authenticates the sender
      - Only the sender knows secret key corresponding to sender’s public key
    - Ensures confidentiality
      - Only intended receiver knows secret key corresponding to receiver’s public key
    - Note: Message digests more efficient

[Figure: Sender: plaintext, encrypt with sender’s private key, ciphertext-1, encrypt with receiver’s public key, ciphertext-2. Untrusted Transport. Receiver: decrypt with receiver’s private key, ciphertext-1, decrypt with sender’s public key, plaintext]


Response | Technology cont’d

- Cryptography cont’d
  - Hybrid
    - Use public-key to establish and share a private key
    - Use private-key for bulk data encryption
  - Public Key Infrastructure (PKI)
    - A method of binding a user to their public key via a certificate from a trusted authority


Response | Technology cont’d

- Cryptography cont’d
  - Authentication via challenge handshake
    - Prove possession of a secret as proof of identity without disclosing the secret
    - [1] User’s non-secret credentials (username) and corresponding secret (password) stored on server
    - [2] User provides their username to server
    - [3] Server generates the challenge... a random string and sends to user
    - [4] User combines the challenge with their password, hashes it, and responds with the result
    - [5] Server reverses the process using its copy of the user’s secret password... if the message matches the random string, the user is authenticated
    - Note: The secret password itself is never disclosed

[Figure: User and Server, with message arrows numbered 1 to 5]
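
The five steps above as an added Python example (not part of the original slides). It assumes HMAC-SHA-256 as the "combine and hash" operation, and in step 5 the server recomputes the expected response from its stored copy of the secret and compares; the class, function names and credentials are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def respond(password: bytes, challenge: bytes) -> bytes:
    """Step 4: combine the challenge with the password and hash the result."""
    return hmac.new(password, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, credentials):
        self._passwords = dict(credentials)  # step 1: username -> stored secret
        self._pending = {}                   # username -> outstanding challenge

    def challenge(self, username: str) -> bytes:
        """Steps 2-3: issue a fresh random challenge, even for unknown names,
        so the reply does not reveal which usernames exist."""
        nonce = secrets.token_bytes(16)
        self._pending[username] = nonce
        return nonce

    def verify(self, username: str, response: bytes) -> bool:
        """Step 5: recompute the expected response and compare in constant time."""
        nonce = self._pending.pop(username, None)  # each challenge is single-use
        password = self._passwords.get(username)
        if nonce is None or password is None:
            return False
        return hmac.compare_digest(respond(password, nonce), response)


def run_exchange():
    """Run a legitimate login and four failing attempts; return the outcomes."""
    secret = b"correct horse"                  # constructed sample password
    server = Server({"bob": secret})
    wire = [b"bob"]                            # everything a sniffer would see

    c1 = server.challenge("bob")
    r1 = respond(secret, c1)
    wire += [c1, r1]
    legit = server.verify("bob", r1)

    server.challenge("bob")                    # new login attempt, new challenge
    replay = server.verify("bob", r1)          # captured response is now stale

    no_challenge = server.verify("bob", r1)    # nothing outstanding for bob

    c3 = server.challenge("bob")
    wrong = server.verify("bob", respond(b"guess", c3))

    c4 = server.challenge("mallory")           # username not on the server
    unknown = server.verify("mallory", respond(b"anything", c4))

    return {
        "legit": legit,
        "replay": replay,
        "no_challenge": no_challenge,
        "wrong_password": wrong,
        "unknown_user": unknown,
        "password_on_wire": any(secret in message for message in wire),
    }


if __name__ == "__main__":
    for name, outcome in run_exchange().items():
        print(f"{name:18s} {outcome}")
```

A sniffer that records one challenge and its response can still test password guesses offline, so the scheme is only as strong as the secret is hard to guess.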


Response | Assessments

- Three parts
  - External: access from internet
  - Dial-in: find modems inside the firewall
  - Internal: done on-site, connected to the LAN
- External (aka perimeter check, external IP assessment, network assessment)
  - Reconnaissance (discovery)
    - What the external hacker sees
    - What devices are visible
    - What ports are open
    - What services are accessible
  - Techniques
    - Public information, e.g. WHOIS DB... ISP info for hosted web sites
    - ICMP sweeps, e.g. Ping
    - Port scans


Response | Assessments cont’d

- External cont’d
  - Target vulnerabilities
    - Banner analysis... server response to port scans
    - Use DB of techniques
    - Use search engines at hacker sites like RootShell
  - Exploit
    - Automatic attack tools
    - Man-in-the-middle attacks
    - Secondary exploitation... penetrate one machine, launch new attacks from it


Response | Assessments cont’d

- Dial-in
  - Includes a war-dialer to detect modems connected to trusted LAN, servers, or workstations
  - Execute during the day and at off-hours (unannounced) to detect modems turned on by employees when they want to work from home
  - Three steps: find, identify, penetrate
  - Be certain to check digital lines such as ISDN, DSL
- Internal
  - FBI study showed 75-80% of all [detected] attacks came from the inside...
  - An uncertain risk: are companies responsible when their employees [or others] use company resources to attack other computer systems?
  - May include developing profiles of normal employee use
    - Is it really trusted employee Bob logging in at 10:30PM, or a member of the cleaning crew using Bob’s username and password?
    - Why is Dilbert accessing the HR DB through remote access?


Resources

- Big caveat: Necessarily incomplete... a sampling
- CERTConf speakers
  - CERTConf 1999
  - CERTConf 2000
  - CERTConf 2001
- NebraskaCERT
  - www.nebraskacert.org
  - Cyber Security Forum (CSF)
    - Outreach program meeting monthly, everyone welcome
  - CISSP training
    - Two classes so far
    - Number of Omaha-area CISSP increased from two to ten with still more getting ready to test


Resources cont’d

- Government
  - CERT
    - Operated by CMU under DoD contract, along with SEI
    - CERT teams exist at company, regional, agency, and national level
    - CERT issues advisories only for the most critical incidents... less-critical vulnerabilities posted on web page
    - www.cert.org
  - Federal Best Security Practices (BSPs)
    - Drill-down for useful checklists
    - bsp.cio.gov
  - NIST
    - Computer Security Resource Clearinghouse
    - csrc.nist.gov


Resources cont’d

- NIPC
  - National Infrastructure Protection Center
    - Interagency effort, led by FBI
    - Omaha FBI office is NIPC-aware
  - CyberNotes useful source of detailed information
  - www.nipc.gov
- InfraGard
  - A public outreach program under NIPC
    - FBI facilitates the program, but does not run it
    - InfraGard members run their local chapters... varies by location
  - Non-disclosure
    - Members required to sign non-disclosure agreements for InfraGard-provided information
      - Information provided by other InfraGard members
      - Information provided by NIPC just to InfraGard members
  - Local chapter in Omaha...


Resources cont’d

- Online sampler... portals, conferences, etc.
  - www.sans.org
  - www.isc2.org
  - www.icsa.net
  - www.ntsecurity.net
  - www.antionline.com
  - www.securityportal.com
  - www.securityfocus.com
  - www.counterpane.com
  - www.gocsi.com
- Local education
  - PKI IS&T (UNO)
  - Creighton University
  - College of Saint Mary
  - Iowa State University
  - NBDC


Resources cont’d

- Newsletters, email
  - Security Wire Digest from www.infosecuritymag.com
  - Security Update from www.win2000mag.com
  - Microsoft Product Security from www.microsoft.com/technet/security
- Print magazines
  - Magazines specific to your operating system(s)
  - Information Security... www.infosecuritymag.com
  - SC Magazine... www.infosecnews.com
- Books
  - Too many to list... new ones always being published
  - Send focused request to [email protected]


Questions... Discussion