Embed Size (px)
Citation preview
SecurityinLayersandAttackmitigation
1
Vulnerabilities
• Aflaworweaknessinasystem'sdesign,implementation,oroperationandmanagementthatcouldbeexploitedtoviolatethesystem'ssecuritypolicy.
2
Botnet
Command&Control
botnet
3
UnevenPlayingField
• Thedefenderhastothinkabouttheentireperimeter,alltheweakness
• Theattackerhastofindonlyoneweakness
• Thisisnotgoodnewsfordefenders
4
AttackSurface
• EntirePerimeteryouhavetoDefend
Web ServerDNS
SMTP
Power Fiber
Application
Firewall
5
SoftGooeyInside
• Butitisnotjusttheperimeter!
Web ServerDNS
SMTP
Power Fiber
Application
Firewall
USB SticksFishing
SpearfishingPasswords
Ex-EmployeesSysadmins
6
LayersofProtection
• Firewalls(thoughtherearelaptopsontheinside)• IntrusionDetectionSystems• LoggingSystemsandAnalysis• ProtectingtheFirewalls,IDSs,andLoggingSystems
• Andwhatdoyouhave?
7
AMuchBiggerAttackSurface
• USDoDdatashowsonaverage1/3ofvulnerabilitiesingovernmentsystemsareinthesecuritysoftware
8
It’stheSoftware!
• “Insteadoffocusingontheimpactofthehacks,weshoulddigforthereasonsthesesystemsweresovulnerableinthefirstplace.Almostwithoutfail,therootcauseisbadsoftware.”-- GaryMcGraw
• ButWeHavetoDefendtheEntireAttackSurface
9
NetworkInfrastructure
• Routers(androutingprotocols)
• Switchesandothernetworkelements
• InfrastructureServices:DNS,DHCP,LDAP,Microsoftstuff
10
Links
• Primaryriskiswiretapping• Easilydefeatedbyencryption—butarepeople
usingit?• Mostencryptiondoesn’tprotectagainsttraffic
analysis—butthatisn’tineveryone’sthreatmodel
• Link-layerencryptionprotectsagainstmosttrafficanalysis,butithastobedoneoneveryvulnerablelink
11
CryptoisnottheWeakness
• Commonly,theencryptiontechnologyisfineandisnotbroken
• Aslongasyouhavenotinventedyourown• TheweaknessisOpSec,OperationalSecurity
Practices• KeyManagement• WeakKeysandAntiqueCryptoAlgorithms• SendingCleartext
12
TrafficAnalysis
• Looksatexternalcharacteristicsoftraffic:whotalkstowhom,sizeofmessages,etc.
• Veryvaluabletointelligenceagencies,police,etc.• Whoworkswithwhom?Whogivesordersto
whom?• Notgenerallyusefulforordinarythieves,though
sophisticatedattackerscoulduseittofindtargets
13
Solutions
• UseVPNsorapplication-levelencryption• Uselinkencryptionforhigh-risklinks(e.g.,WiFi)• Alsouselinkencryptionforaccesscontrol
(especiallyWiFi)• Don’tworryabouttrafficanalysis—unlessyour
enemyisanintelligenceagency.Ofcourseitis!
14
(IsWiFi Safe?)
• Insideanorganization,WiFi+WPA2Enterpriseisgenerallysafeenoughwithoutfurthercrypto• However,it’shardertotraceaninfectedhostthat’s
doingaddress-spoofing
• ForexternalWiFi,alwaysusecryptoabovethelink,preferablyVPNs• Makesureyoudomutualauthentication
• ThereissomeresidualriskifyourVPNdoesn’tdropunencryptedinboundtraffic
15
SwitchesandtheLike
• Compromisedswitchescanbeusedforeavesdropping
• Specialriskinsomesituations:reconfiguredVLANs• VLANsprovidegoodtrafficseparationbetweenuser
groups• EspeciallyusefulagainstARP- andMAC-spoofing
attackers
• Otherdangerpoint:themonitoringport
16
ARPandMACSpoofing
• ARPmapstheIPaddressdesiredtoaMACaddress
• SwitcheslearnwhatMACaddressesareonwhatports,androutetrafficaccordingly
• IfamalicioushostsendsouttrafficwiththewrongMACaddress,theswitchwillsendtraffictoit
• IfamalicioushostrepliestoanARPqueryforsomeothermachine,themalicioushostwillreceivethetraffic,butthismightbenoticed
17
Address-SpoofingHappens
• Afewyearsago,someonespoofedtheIPandMACaddressesofauniversity’sFTPserver
• TheattackingmachinewasinanotherbuildingbutonthesameVLAN
• NoonehadnoticedtheintermittentfailuresoftheFTPservice
• Themachinehadbeenpenetrated6monthsearlier....
• SwitchesshouldlogMACandIPaddresseschanges,andkeepthoselogsforalongtime
18
Defenses
• Hardenswitchaccess• ACLs• ssh-onlyaccess,andonlyusingpublic/privatekeypairs;
nopasswords
• Separatesegments
19
Routers
• Routerscanbeusedforthesamesortsofattacksasswitches
• Becauseroutersinherentlyseparatedifferentnetworks,theyalwaysdefendagainstcertainkindsofaddressspoofing• Thismakesthemtargets
• Worseyet,routerscanlaunchroutingprotocolattacks
20
RoutingProtocolAttacks:Effects
• Trafficisdiverted• Attackercanseethetrafficanddotrafficanalysis• Attackercanmodifypackets• Attackercandroppackets• Attackercanhijackprefixes
• End-to-endcryptocanprotectthepackets’contents,butcan’tstoptrafficanalysisordenialofservice
21
WhyisRoutingSecurityDifferent?
• Mostsecurityfailuresareduetobuggycode,buggyprotocols,orbuggysysadmins
• Routingsecurityproblemshappenwheneverythingisworkingright,butsomepartydecidestolie.Theproblemisadishonestparticipant
• Mostrouterscanlieviaanyroutingprotocolsthey’reusing
22
DefendingAgainstRoutingAttacks
• Mustknowauthoritativeownerofprefixes• Generallydonewithacertificatesignedbythe
addressspaceowner• BeingrolledouttodayasRPKI• Allroutingannouncementsmustbedigitally
signed• Eachrouterneedsaroute-signingcertificate• Allsignaturesmustbeoverthefullpath;
signaturesarethusnested• IntheIETFprocessasBGPSEC
23
NetworkServices
• Certaincoreservicesareubiquitous—andfrequentlyattacked• DNS• DHCP• SMTP• Assortedlocalservices:fileservers,printers,LDAP,and
more
• Thesearethemeans,notthegoalsoftheattackers
24
DNS
• DNSresponsesareeasilyspoofedbyattackers• Cachecontamination• QueryIDguessing• DeliberatetinkeringbyISPs,nation-states,hotels,etc.
• Becauseresponsesarecached,client/serverauthenticationcan’tsolveit.
• Musthavedigitallysignedrecords(DNSSEC)
25
SMTP
• Historically,amajorattacktarget;principleimplementationswereverybuggy
• Today,thebigproblemisspam;mustkeepattackersfromspamming/fishingyourusers,andfromusingyoutospreadspam
• Spearfishingisthemajorpenetration• Secondaryissue:separateinsideandoutside
emailsystems—insideemailoftenhassensitiveinformation
26
EncryptedEmail
• Emailmessagesthemselvescanbeencrypted:usefulforend-to-endsecurity• ButS/MIMEandPGParehardtouse,andtheir
absencewillnotbenoticed
• SMTPcanbeencrypted,too• Notthatcrucialforsite-to-siterelaying(but
eavesdroppersdoexist);veryimportantforauthenticatedemailsubmission
• Yourusersmustauthenticatesomehow—viaIPaddressifinside;viacredentialsifroaming—beforesendingmailthroughyouroutboundSMTPserver
27
LocalServices
• RarelydirectlyaccessiblefromtheInternet;(ab)usedafterinitialpenetration• Virusspreading• Filecontents,intargetedattacks• Privilegeescalation
• Quiteoftenbuggy,butthere’slittlechoiceaboutrunningthem;they’renecessaryforscalabilityandproductivity
28
ApplicationServices
• Datacenter-resident:deliverservicestotheoutsideworld
• Obviousexample:HTTP
• But—HTTPisgenerallyafrontendforavitaldatabase
• Aprimetarget
29
TargetingApplicationServices
• Generallyexposedtotheoutside—andyoucan’tfirewallthem,becausetheymustbeexposedtotheoutside
• Theservercanbeusedforthebadguys’content:phishingservers,“warez” sites,more
• Thedatabaseoftenholdsveryvaluableinformation,likecreditcards
• Thereareusuallyconnectionsfromtheseserversbackintothecorporation
30
UserMachines
• Ordinarydesktopsaretargets,too• Plantkeystrokeloggerstostealpasswords,especiallyforfinancialsites• Turnintobots—bandwidthiswhatmatters• Turnintospam/spearfishingengines;usemachine’sprivileges(generallybasedonnetworklocation)tosendoutspamthroughtheauthorizedSMTPserver
31
Users
• Usersmakemistakes• Theyclickonthingstheyshouldn’t• Theyvisitdangeroussites• Theymistakephishingemailsfortherealthing• Theydon’tkeeptheirsystemsuptodate• “PEBCAK”:ProblemExistsBetweenChairandKeyboard
• (It’snoteventheirfault;oursystemsarehorriblydesigned)
32
SocialEngineering
• Phishingandother‘clickbait’arethemostcommonandmostdangerousformsofSocialEngineering
• ClickononebadURLandyourcomputerisinfected
• ‘Spearphishing’iswhenphishingemailseemstocomefromsomeoneyouknow
• WhenmywifesendsaURLorattachesafile,IaskinSignalorSkypeifitisreal
33
SocialEngineering
• Trytotrickpeopleintodoingthingstheyshouldn’t
• Peoplewanttohelp• Walkinthedoordressedasadeliveryorrepairperson• Callandsoundlikeaninsider:“Chris,couldyoureset
mypasswordonserver#3inrack7?ItsconnectiontotheRADIUSserverishung.”
• Averydifferentskillthanpurelytechnicalstuff—butveryusefultoo
34
