
SECURITY: THE BIG PICTURE


Page 1: SECURITY: THE BIG PICTURE

SECURITY: THE BIG PICTURE

Ayal Rosenberg
PDEV

Page 2: SECURITY: THE BIG PICTURE

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

Sun Tzu – The Art of War

Page 3: SECURITY: THE BIG PICTURE

“A new military revolution has emerged. The revolution is essentially a Transformation from the mechanized warfare of the industrial age to the information warfare of the information age. Information warfare is a war of decisions and control, a war of knowledge, and a war of intellect. The aim of information warfare will be gradually changed from ‘preserving oneself and wiping out the enemy’ to ‘preserving oneself and controlling the opponent’. Information warfare includes electronic warfare, tactical deception, strategic deterrence, propaganda warfare, psychological warfare, network warfare and structural sabotage. Under today’s technological conditions, the ‘all conquering stratagems’ of Sun Tzu more than two millennia ago – ‘vanquishing the enemy without fighting’ and subduing the enemy by ‘soft strike’ or ‘soft destruction’ – could finally be truly realized.”

Chinese Army newspaper Jiefangjun Bao – May 1996

Page 4: SECURITY: THE BIG PICTURE

• ATTACKS
• ADVERSARIES
• SECURITY NEEDS
• TECHNOLOGIES
• NETWORKED COMPUTER SECURITY
• PROCESSES

Page 5: SECURITY: THE BIG PICTURE

“Security is a process not a product” - Bruce Schneier

Page 6: SECURITY: THE BIG PICTURE

• ATTACKS
• ADVERSARIES
• SECURITY NEEDS
• TECHNOLOGIES
• NETWORKED COMPUTER SECURITY
• PROCESSES

Page 7: SECURITY: THE BIG PICTURE

• CRIMINAL ATTACKS
• PRIVACY VIOLATIONS
• PUBLICITY ATTACKS

Page 8: SECURITY: THE BIG PICTURE

• Fraud
• Scams
• Destructive Attacks
• Intellectual Property Theft (Piracy)
• Brand Theft

How can I acquire the maximum financial return by attacking the system?

Page 9: SECURITY: THE BIG PICTURE

• Targeted Attacks
• Data Harvesting
• Surveillance
• Databases
• Traffic Analysis
• Massive Electronic Surveillance

Page 10: SECURITY: THE BIG PICTURE

• Bad Press costs more than theft
• Inform criminals who can exploit the news
• Denial of Service

How can I get famous by attacking the system?

Page 11: SECURITY: THE BIG PICTURE

• ATTACKS
• ADVERSARIES
• SECURITY NEEDS
• TECHNOLOGIES
• NETWORKED COMPUTER SECURITY
• PROCESSES

Page 12: SECURITY: THE BIG PICTURE

• Objectives
• Access
• Resources
• Expertise
• Risk

Crooks haven’t changed. It’s just that cyberspace is the new place for them to ply their trade.

Page 13: SECURITY: THE BIG PICTURE

• HACKERS
• LONE CRIMINALS
• MALICIOUS INSIDERS
• INDUSTRIAL ESPIONAGE
• PRESS
• ORGANIZED CRIME
• POLICE
• TERRORISTS
• NATIONAL INTELLIGENCE
• INFO-WARRIORS

Page 14: SECURITY: THE BIG PICTURE

• ATTACKS
• ADVERSARIES
• SECURITY NEEDS
• TECHNOLOGIES
• NETWORKED COMPUTER SECURITY
• PROCESSES

Page 15: SECURITY: THE BIG PICTURE

• Privacy
• Multi-Level Security
• Anonymity
• Authentication
• Integrity
• Audit
• Electronic Currency
• Proactive Solutions

Page 16: SECURITY: THE BIG PICTURE

• ATTACKS
• ADVERSARIES
• SECURITY NEEDS
• TECHNOLOGIES
• NETWORKED COMPUTER SECURITY
• PROCESSES

Page 17: SECURITY: THE BIG PICTURE

• CRYPTOGRAPHY
• COMPUTER SECURITY
• IDENTIFICATION & AUTHORIZATION

Page 18: SECURITY: THE BIG PICTURE

Cryptography is not a panacea. You need more than it for security – but it is essential.

You don’t have to understand the math. You do have to understand the ramifications.

A group of people use private knowledge to keep messages secret from third parties.

Page 19: SECURITY: THE BIG PICTURE

• Distribution of keys
• Storing of keys
• Destruction of keys
• Proliferation of pair-wise keys in symmetric mode
• Performance degradation in asymmetric mode

Page 20: SECURITY: THE BIG PICTURE

Fund Manager

Broker

Compose Message

Encrypt Message with key

Receive Encrypted Message

Decrypt Message with Key

Page 21: SECURITY: THE BIG PICTURE

Broker

Generate Public key and distribute

Compose Message

Encrypt Message with Public key

Send Message

Decrypt Message with Private key

Page 22: SECURITY: THE BIG PICTURE

• Cipher Text Only Attack
• Known Plain Text Attacks
• Chosen Plain Text Attacks
• Brute Force Attacks

Page 23: SECURITY: THE BIG PICTURE

• Distribution of keys
• Storing of keys
• Destruction of keys
• Proliferation of pair-wise keys in symmetric mode
• Performance degradation in asymmetric mode

Page 24: SECURITY: THE BIG PICTURE

• Message Authentication Codes
• Symmetric Algorithms: HMAC or NMAC

• One-Way Hash Functions
• Secure Hash Algorithm (SHA1)
• Secure Hash Standard (SHS)
• RIPEMD-160 (EU)
• MD5 (?) MD4 - obsolete

• Digital Signatures
• Public and private keys.
• Sender encrypts with private and receiver decrypts with public.
• Allows for non-repudiation.
• Digital Signature Algorithm (DSA)
• Digital Signature Standard (DSS)

Page 25: SECURITY: THE BIG PICTURE

Confidentiality!!! Stop unauthorized users from reading sensitive information.

Integrity!!! Every piece of data should be as the last authorized modifier left it.

Availability!! The property of being accessible and usable upon demand by an authorized entity.

Access Control = Confidentiality + Integrity + Availability

Page 26: SECURITY: THE BIG PICTURE

• Security Kernels
• Reference Monitor
• Trusted Computing Base
• Secure Kernel

• OS Evaluation Criteria
• C2
• ISO 15408

Page 27: SECURITY: THE BIG PICTURE

Who are you and can you prove it!!

Allow authorized users in!

Keep unauthorized users out!

Page 28: SECURITY: THE BIG PICTURE

• Username and Password
• Username – identification
• Password - proof of identification

• Biometrics
• Biometric came from the person at verification time
• Biometric matches master on file

• Access Tokens
• Password for tokens -> PIN

• Authentication Protocols
• Cryptographic authentication over a network
• Salt
• Kerberos

• Single Sign On
• Incompatible legacy
• Single point of failure

Page 29: SECURITY: THE BIG PICTURE

Participants: Client, Kerberos Server, Server X

• Request to log on to Machine X
• Check to see if Client has permission to log on to Server X
• Kerberos sends ticket and session key for authentication to Client
• Use the session key to create an authenticator
• Send authenticator and session key to Server X
• Server X validates ticket and session key with long-term key
• Server X is issued a long-term key by Kerberos

Keys shown in the diagram: long-term key, session key
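The exchange on this slide, as an added Python example that is not part of the original presentation. The principal names, permission table, 5-minute ticket lifetime, 2-minute clock skew and the `seal`/`unseal` helpers (a SHA-256 keystream plus HMAC standing in for a real authenticated cipher) are assumptions; here the session key reaches Server X inside the ticket sealed under its long-term key.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # Toy SHA-256 counter keystream: a stand-in for a real cipher, not for production.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    # Encrypt-then-MAC so only a holder of `key` can read or alter the message.
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Constructed long-term keys shared between each principal and the Kerberos server.
LONG_TERM = {"client": os.urandom(32), "server-x": os.urandom(32)}
ALLOWED = {("client", "server-x")}  # assumed permission table

def kdc_issue(client, server, now):
    # Kerberos server: check permission, then return session key + ticket.
    if (client, server) not in ALLOWED:
        raise PermissionError("client may not log on to this server")
    sk = os.urandom(32).hex()
    reply = seal(LONG_TERM[client], {"sk": sk, "server": server})
    ticket = seal(LONG_TERM[server], {"client": client, "sk": sk, "exp": now + 300})
    return reply, ticket

def client_authenticator(client, reply, now):
    # Client: recover the session key and seal a fresh timestamp with it.
    sk = bytes.fromhex(unseal(LONG_TERM[client], reply)["sk"])
    return seal(sk, {"client": client, "ts": now})

def server_accept(server, ticket, authenticator, now, skew=120):
    # Server X: open the ticket with its long-term key, then the authenticator.
    t = unseal(LONG_TERM[server], ticket)
    a = unseal(bytes.fromhex(t["sk"]), authenticator)
    return a["client"] == t["client"] and now <= t["exp"] and abs(now - a["ts"]) <= skew
```

The client never sees Server X's long-term key and cannot read or modify the ticket; the timestamp in the authenticator is what limits replay of a captured exchange.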

Page 30: SECURITY: THE BIG PICTURE

• ATTACKS
• ADVERSARIES
• SECURITY NEEDS
• TECHNOLOGIES
• NETWORKED COMPUTER SECURITY
• PROCESSES

Page 31: SECURITY: THE BIG PICTURE

• MALICIOUS SOFTWARE
• NETWORK SECURITY
• NETWORK DEFENCES

Page 32: SECURITY: THE BIG PICTURE

• Payload and Propagation
• Classifications

• Viruses
• Worms
• Trojan Horses

• Modular Code Problem
• Isolation and Memory Safety
• Access Control at the interfaces
• Code Signing

• Mobile Code
• Web Security

• SSL
• Cross Site Scripting
• Cookie Abuse
• Web Service Scripts

Page 33: SECURITY: THE BIG PICTURE

• Router Vulnerability
• Password Sniffing
• IP Spoofing
• DNS Security
• Denial of Service Attacks
• Distributed Denial of Service Attacks

Mainly TCP/IP protocol

Post office not Telephone company!

Page 34: SECURITY: THE BIG PICTURE

• FIRE-WALLS
• Attacks

• Go around
• Sneak key in
• Take over

• Types: Packet Filters & Proxy Gateways

• DEMILITARIZED ZONES (DMZ)
• Connect disjointed pieces of network
• Connect mobile, roaming users

• VIRTUAL PRIVATE NETWORKS (VPN)
• Misuse detection
• Anomaly detection

• INTRUSION DETECTION SYSTEMS (IDSs)
• HONEY POTS & ALARMS
• VULNERABILITY SCANNERS

Page 35: SECURITY: THE BIG PICTURE

• ATTACKS
• ADVERSARIES
• SECURITY NEEDS
• TECHNOLOGIES
• NETWORKED COMPUTER SECURITY
• PROCESSES

Page 36: SECURITY: THE BIG PICTURE

“The problem is that security measures such as cryptography, secure kernels, Firewalls and everything else work much better in theory than they do in practice. In other words: Security flaws in the implementation are much more common and much more serious than security flaws in design. Design is about software reliability”

- Bruce Schneier

Page 37: SECURITY: THE BIG PICTURE

“Products have problems - and they are getting worse. The only reasonable thing to do is to create processes that accept this reality. We must implement these processes to get as much safety as possible.” - Bruce Schneier

• PRINCIPLES
• DETECTION & RESPONSE
• COUNTER-ATTACK
• RISK MANAGEMENT

Page 38: SECURITY: THE BIG PICTURE

• Compartmentalize
• Secure the weakest link
• Use Choke Points
• In-depth Defense
• Fail Securely
• Leverage Unpredictability
• Embrace Simplicity

• “Complexity is the worst enemy of security!”
• “Be as simple as possible but no simpler” - Einstein

• Enlist Users
• Assure
• Question
• Trust no one – especially yourself!!!!

Page 39: SECURITY: THE BIG PICTURE

• Detect Attacks
• Analyze Attacks

• Detection
• Localization
• Identification
• Assessment

• Respond to Attacks
• Make the problem go away
• Catch the Attacker

• Be Vigilant
• Continuous
• Immediateness
• Preparedness

• Watch the Watchers
• Recover from Attacks

• Recover from compromise

“Detection is more important than prevention!”

Page 40: SECURITY: THE BIG PICTURE

“The best defense is attack!!!”

“Attacker is a tortoise; Defender must be a fox!”

Page 41: SECURITY: THE BIG PICTURE

“There is no 100% security!”

“Identify the risk then either accept it, or reduce it or insure against it.”

“Security does not have to be perfect but risks have to be manageable.”

“Outsource to experts!”

Page 42: SECURITY: THE BIG PICTURE

“How big is the potential loss?”

“We don’t know!!”

“How likely is the loss to occur?”

“We don’t know.”

“How much is your company worth?”

“One billion rands!”

“The premium will be one billion rands!”

Page 43: SECURITY: THE BIG PICTURE

“I’ve realized that the fundamental problems in security are no longer about technology; they’re about how to use technology.”

“There is no way to turn security into a product.”

“It’s more and more about process.”

- Bruce Schneier

Page 44: SECURITY: THE BIG PICTURE
Page 45: SECURITY: THE BIG PICTURE

• ATTACKS
• ADVERSARIES
• SECURITY NEEDS
• TECHNOLOGIES
• NETWORKED COMPUTER SECURITY
• PROCESSES

Page 46: SECURITY: THE BIG PICTURE