
Computer Security I

CS 456
Security I
Configure a secure client
Anonymous Browsing
Encrypted e-mail
Cryptography
Information Security Systems Engineering
Trust Models, Threat Models
Secure Systems Test & Evaluation
Systems Security Testing
CS 456
Security I
Requirements:
No Whining
1 Paper
1 Secure e-mail
1 AD Lab
1 Crypto Project
1 Midterm
1 Final
CSIA Track

WARNING
The material that you will learn in the CSIA track is dual use.
The ethical and legal implications of your use of
information and techniques presented should always be
part of your decisions.
Information Systems Security
Information assurance

Electronic information
Ubiquity
Importance
Corruptibility
Information systems
Characteristics
Types
Pervasive
Information Assurance
Security

Keep information in a known and trusted state that can be used appropriately.
Trust

Generally an entity can be said to 'trust' a second entity when the first entity makes an assumption that the second entity will behave exactly as the first entity expects.
ITU-T X.509, 3.3.54
Threats

Threat profiles identify specific threats that are most likely to put your environment at risk.
Unauthorized probing of system or data
Unauthorized access
Introduction of malicious code
Unauthorized modification or disclosure of data
Denial of service attacks
Vulnerabilities

Vulnerabilities are characteristics of an information system's architecture, implementation, use or maintenance that have compromised, or could compromise, the information.
Electronic Information

Data
Communications
Executables
System states
Analog information
Information Security Model

(Figure: a three-axis cube; only the axis labels are recoverable from the slide.)
Information States: Transmission, Storage, Processing
Critical Information Characteristics: Confidentiality, Integrity, Availability
Security Measures: Technology, Policies, Training
Information States

Transmission
Storage
Processing
Information Transmission

Space
Radio waves
Copper
Analog
Digital
Glass
Snell's Law
Information Storage

All of the obvious
However:
Caches
HW Buffers
Store and forward technologies
Copy machines (20 GB storage)
Cell phones (Rupert Murdoch)
Information Processing

Altered executables
Introduced executables
Scripts
Critical Information Characteristics

Confidentiality
Integrity
Availability
CIA
Confidentiality
Only those who are authorized have access to information
Integrity
Information is in a known and trusted state
Availability
Information is available when needed
Confidentiality

Keeping information secret:
Encryption
Authentication
Authorization
Non-repudiation
Integrity

Making sure the information is as it should be:
Message authentication code
Message digests
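The difference between the two integrity mechanisms named above is easy to state but worth seeing run: an unkeyed digest catches accidental corruption, while a keyed MAC also catches deliberate modification by someone who does not hold the key. The following is an added example written for this section, not code from the slides or the course; the key, the message and the "attacker" functions are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample key and message (not from the slides). A real key comes
# from a key management system or os.urandom(32), never from source code.
KEY = bytes.fromhex("9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08")
MESSAGE = b"transfer 100.00 from acct 1234 to acct 9876"


def digest(message: bytes) -> str:
    """Unkeyed message digest (SHA-256): detects accidental corruption only."""
    return hashlib.sha256(message).hexdigest()


def mac(key: bytes, message: bytes) -> str:
    """Keyed message authentication code (HMAC-SHA256): only a holder of the
    key can produce a tag that verifies."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_digest(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(digest(message), tag)


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, so the check does not leak how
    # many leading characters of a guessed tag were correct.
    return hmac.compare_digest(mac(key, message), tag)


def tamper(message: bytes) -> bytes:
    """Simulated modification of the message in transit or at rest."""
    return message.replace(b"100.00", b"900.00")


def attacker_rewrites_digest(message: bytes):
    """Whoever can change the message can also recompute an unkeyed digest,
    so the pair (tampered message, new digest) still verifies."""
    forged = tamper(message)
    return forged, digest(forged)


def attacker_rewrites_mac(message: bytes):
    """Without KEY the attacker can only guess; a wrong key yields a tag that
    the real key rejects."""
    forged = tamper(message)
    return forged, mac(b"wrong-key", forged)


def demo() -> dict:
    """Return the outcome of each integrity check as a named boolean."""
    tag_d = digest(MESSAGE)
    tag_m = mac(KEY, MESSAGE)
    f_msg_d, f_tag_d = attacker_rewrites_digest(MESSAGE)
    f_msg_m, f_tag_m = attacker_rewrites_mac(MESSAGE)
    return {
        "honest_digest_ok": verify_digest(MESSAGE, tag_d),
        "honest_mac_ok": verify_mac(KEY, MESSAGE, tag_m),
        "corruption_caught_by_digest": not verify_digest(tamper(MESSAGE), tag_d),
        "forgery_caught_by_digest": not verify_digest(f_msg_d, f_tag_d),
        "forgery_caught_by_mac": not verify_mac(KEY, f_msg_m, f_tag_m),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The one line that matters is forgery_caught_by_digest, which comes out False: a digest stored or sent alongside the data gives no protection against an adversary who can write both. Storing the digest somewhere the adversary cannot reach, or switching to a MAC whose key they do not have, is what turns a checksum into an integrity control.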
Availability

Making sure the information is available when it is requested:
System design
Appropriate confidentiality and integrity techniques
No DDoS (bad, bad, bad)
Security Measures

Technology
Policies & Procedures
Training & Awareness
Technology Measures

Programs
Software
Architecture
Design
Etc.
Policy and Procedures

What to do
How to do it
What is permissible
What is not
Policies

Sample Policies
www.sans.org/resources/policies
Many of these policies are part of the Employee
Handbook
These are the laws of the Corp
Procedures

Step-by-step description of how to do something:
Update anti-virus program
Configure a firewall
Etc.
Training

Training is dumb
Training is everything
Training, Education & Awareness
The most important security measure
Understanding:
Reasons for security
Reasons for info protection
Results of not doing it
Information Security Architecture

Management Stuff
Organization (org chart, flattened top to bottom):
CEO, with Legal Counsel
CIO, CFO
Compliance Officer, Security Officer, Security Team
Plans
Business Plan
IT Plan
Site Security Plan
Disaster Recovery Plan
Business Continuity Plan
Incident Response Plan
IT Security Plan
Introduction
Mission
Scope
Relation to Business Plan
Strategic IT Goals
Accessibility
Role of technology in corporation
Role of technology in business
Security
Security Controls
Administrative Controls
Policies & Procedures for operations
HR concerns: employee termination procedure
Technical Controls
Security appliances/controls HW and SW
Firewalls, HIDS, etc.
Physical Controls
Protection of facilities and equipment
Locks, AC, fire abatement
Physical access trumps all
http://www.sans.org/critical-security-controls/guidelines.php
Data Classification
Risk Based
Time Value
Indefinite, long term, intermediate, critical
System Development
Unix philosophy:
Write programs that do one thing and do it well. Write programs to
work together. Write programs to handle text streams, because that is
a universal interface.
Mike Gancarz* sums up the Unix philosophy:
1. Small is beautiful.
2. Make each program do one thing well.
3. Build a prototype as soon as possible.
4. Choose portability over efficiency.
5. Store data in flat text files.
6. Use software leverage to your advantage.
7. Use shell scripts to increase leverage and portability.
8. Avoid captive user interfaces.
9. Make every program a filter.
SANS
Critical Security Controls
http://www.sans.org/critical-security-controls/guidelines.php
A Prioritized Baseline Of Information Security Measures And
Controls
Important for Large Distributed Organizations
Guiding Principles
Address the most common and damaging attacks
Consistent controls across the organization
Automated where possible
Continuously measured (automate, learn scripting)
Measure effectiveness
Critical Security Controls
Version 3.1
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Device Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Configurations for Network Devices such as Firewalls, Routers, and Switches
Critical Security Controls
Version 3.1
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Security Audit Logs
15. Controlled Access Based on Need to Know
16. Account Monitoring and Control
17. Data Loss Prevention
18. Incident Response Capability
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
Inventory of Authorized and Unauthorized
Devices

Attackers continuously monitor networks for unprotected, misconfigured or unpatched components
Deploy an automated asset inventory discovery tool
Protect the asset inventory
Build inventory of information assets
Detect unauthorized asset within 24 hours and isolate
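Control 1 turns on a simple comparison: everything the discovery tool sees, minus everything the protected inventory says should be there, with a clock on how long each unknown device has been on the network. The script below is an added example, not the course's or SANS's code; the inventory, the sweep results and the 24-hour window (taken from the bullet above) are constructed for illustration, and the "isolate" action is just a label a real deployment would wire to a NAC or switch-port control.

```python
from datetime import datetime, timedelta

SLA = timedelta(hours=24)   # detect-and-isolate window named in the control

# Constructed authorized inventory (the protected list): MAC -> (hostname, owner).
AUTHORIZED = {
    "00:11:22:33:44:01": ("ws-alice", "alice"),
    "00:11:22:33:44:02": ("ws-bob", "bob"),
    "00:11:22:33:44:03": ("srv-db01", "dba-team"),
}

# Constructed output of an automated discovery sweep (DHCP leases / ARP):
# (MAC, IP, first time this MAC was seen on the network).
DISCOVERED = [
    ("00:11:22:33:44:01", "10.0.1.10", "2024-03-11T08:00:00"),
    ("00:11:22:33:44:03", "10.0.2.5", "2024-03-10T09:30:00"),
    ("aa:bb:cc:dd:ee:01", "10.0.1.77", "2024-03-11T07:45:00"),  # unknown, new
    ("aa:bb:cc:dd:ee:02", "10.0.1.78", "2024-03-09T12:00:00"),  # unknown, stale
]


def reconcile(authorized: dict, discovered: list, now: datetime) -> dict:
    """Compare a discovery sweep against the authorized inventory.

    Returns the unknown devices (with how long they have been present and
    whether the SLA is already breached) and the authorized devices that the
    sweep did not find, which may be offline, moved, or stolen."""
    seen = set()
    unauthorized = []
    for mac, ip, first_seen in discovered:
        seen.add(mac)
        if mac in authorized:
            continue
        age = now - datetime.fromisoformat(first_seen)
        unauthorized.append({
            "mac": mac,
            "ip": ip,
            "hours_on_network": round(age.total_seconds() / 3600, 2),
            "sla_breached": age > SLA,
            "action": "isolate",
        })
    not_seen = sorted(mac for mac in authorized if mac not in seen)
    return {"unauthorized": unauthorized, "authorized_not_seen": not_seen}


if __name__ == "__main__":
    report = reconcile(AUTHORIZED, DISCOVERED, datetime.fromisoformat("2024-03-11T12:00:00"))
    for dev in report["unauthorized"]:
        print("UNAUTHORIZED", dev)
    for mac in report["authorized_not_seen"]:
        print("MISSING", mac, AUTHORIZED[mac])
```

Running the sweep once a day is not enough to meet a 24-hour SLA, because a device that appears just after a sweep is found a day later and must still be isolated; the hours_on_network field is what tells an operator which entries are already overdue.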
Inventory of Authorized and Unauthorized
Software

List of approved/necessary SW for each system
Deploy/build SW inventory tool
Include patch level
Deploy application white listing tool
Identify applications that require air-gapped systems
Attempts to install unapproved SW identified and
isolated within 24 hours
Secure Configurations for Hardware and
Software

Attackers again use network monitoring
Develop standard HW configurations for laptops, workstations and servers
Develop secure standard images for each category of HW
Any deviations are documented and put under CM
Vulnerability Assessment and Remediation

Continuous
Automated vulnerability scanners
Correlate with event logs
Immediate remediation
Patches must be evaluated on a test bench
Malware Defenses

Continuously monitor workstations, servers, etc.
Up-to-date anti-virus protection with daily updates
No auto-run from USBs, CDs, etc.
Automated scan of all removable media
E-mail scans especially attachments
Outbound traffic monitored
Large encrypted outbound traffic flagged
Application Software Security

Web application firewall
Inspects all traffic to the application
Encrypted traffic should be decrypted and inspected
Explicit error checking of all input
Test all in-house and third party applications
Harden all data bases
Remove all unnecessary code from the system
Wireless Device Control

Each device connected has an authorized configuration and a documented owner
All access points are managed
Network scanning tools used
No rogue access points
Use WIDS
Access points are tuned to minimize leakage
Use WPA2 for all traffic
Data Recovery Capability

Automatic backups
Incremental regularly
Extensive testing of the backup system
All backups should be encrypted
Backup media should be protected with physical security
Security Skills Assessment

Security awareness training
Validated with policies and training
Awareness assessment via quizzes
Conduct exercises
Remediation for the slackers
Configurations for Network Devices

Firewalls, Routers, and Switches
Use standard secure configurations
Configurations should be documented and reviewed
All interconnects between different security levels should
enforce ingress and egress filtering
All network devices should use 2 factor authentication
Limitation and Control of Network Ports,
Protocols, and Services

Drop all traffic unless explicitly allowed
Regular port scans
Only servers/services visible to the Internet should be specifically required by the business
All services needed for business should be reviewed quarterly
Application firewalls in front of critical servers
Controlled Use of Administrative Privileges

Inventory all administrative accounts
Validate each account with each person
Password acceptance and protection
Administrator accounts used only for administrative activities
Admin passwords are different from user passwords
Log all account creation and destruction activities
Boundary Defense
Maintain black lists of IP addresses
Deploy IDSs and IPSs at all security levels
Record packets that pass through the DMZ
Clear separation of DMZ from internal networks
All WWW, FTP and SSH pass through a proxy on the
DMZ
Remote login (VPN) use 2 factor authentication
Maintenance, Monitoring, and Analysis of
Security Audit Logs

Validate audit logging for all HW and SW installed on the system
Enough log storage space
All remote access is logged verbosely
Weekly reports on log anomalies
Ensure time on all devices is sync'd to a valid time
source
All traffic through a boundary device is logged
Use dedicated logging devices
Controlled Access Based on Need to Know
Establish a data classification scheme
Based on sensitivity and impact of exposure
File shares have defined controls that specify
authenticated users
Detailed logging of access to nonpublic data
Segment network into trust levels
Encrypt higher level data when in a lower level
Use of USB devices severely limited and controlled
Account Monitoring and Control

Disable all unused and unconnected accounts
Daily reports of account anomalies
Locked out, disabled, password violations
Unused
Disable on termination
Encrypt and move when account is locked out
Excessive login attempts
Daily log of unusual account activity
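The daily anomaly report in control 16 is mostly bookkeeping over two inputs: the day's authentication events and a directory export of who is enabled, who has left, and when each account last logged in. The following is an added example, not code from the course; the log format, the directory export, the 90-day "unused" cutoff and the five-failure threshold are constructed assumptions, chosen to exercise each bullet on the slide.

```python
from collections import Counter
from datetime import date, timedelta

FAIL_THRESHOLD = 5   # failed logins per day before an account is reported (assumed)
UNUSED_DAYS = 90     # idle period after which an enabled account is reported (assumed)

# Constructed directory export: user -> enabled flag, last successful login, HR status.
ACCOUNTS = {
    "alice":   {"enabled": True,  "last_login": "2024-03-11", "terminated": False},
    "bob":     {"enabled": True,  "last_login": "2023-11-01", "terminated": False},
    "carol":   {"enabled": True,  "last_login": "2024-03-01", "terminated": True},
    "dave":    {"enabled": False, "last_login": "2024-02-20", "terminated": False},
    "svc-bak": {"enabled": True,  "last_login": "2024-03-10", "terminated": False},
}

# Constructed authentication events for one day: timestamp,event,user,source_ip
EVENTS = """\
2024-03-11T02:10:01,LOGIN_FAIL,svc-bak,203.0.113.9
2024-03-11T02:10:05,LOGIN_FAIL,svc-bak,203.0.113.9
2024-03-11T02:10:09,LOGIN_FAIL,svc-bak,203.0.113.9
2024-03-11T02:10:13,LOGIN_FAIL,svc-bak,203.0.113.9
2024-03-11T02:10:17,LOGIN_FAIL,svc-bak,203.0.113.9
2024-03-11T02:10:21,LOGIN_FAIL,svc-bak,203.0.113.9
2024-03-11T02:10:22,LOCKOUT,svc-bak,203.0.113.9
2024-03-11T08:01:12,LOGIN_FAIL,alice,10.0.0.5
2024-03-11T08:01:20,LOGIN_OK,alice,10.0.0.5
2024-03-11T09:15:00,LOGIN_FAIL,dave,10.0.0.9
2024-03-11T09:15:01,PASSWORD_POLICY_VIOLATION,bob,10.0.0.7
"""


def parse_events(text: str):
    """Yield (timestamp, event, user, source_ip) tuples, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            ts, event, user, ip = line.split(",")
            yield ts, event, user, ip


def daily_report(accounts: dict, events, today: date) -> dict:
    """Build the anomaly lists called for on the slide from one day's events
    plus the directory export."""
    failures = Counter()
    locked_out, violations, attempts_on_disabled = set(), set(), set()
    for _ts, event, user, _ip in events:
        if event == "LOGIN_FAIL":
            failures[user] += 1
            if not accounts.get(user, {}).get("enabled", True):
                attempts_on_disabled.add(user)   # someone is probing a dead account
        elif event == "LOCKOUT":
            locked_out.add(user)
        elif event == "PASSWORD_POLICY_VIOLATION":
            violations.add(user)
    idle_cutoff = timedelta(days=UNUSED_DAYS)
    return {
        "excessive_failures": sorted(u for u, n in failures.items() if n >= FAIL_THRESHOLD),
        "locked_out": sorted(locked_out),
        "password_violations": sorted(violations),
        "attempts_on_disabled": sorted(attempts_on_disabled),
        "unused_accounts": sorted(
            u for u, a in accounts.items()
            if a["enabled"] and today - date.fromisoformat(a["last_login"]) > idle_cutoff),
        "terminated_but_enabled": sorted(
            u for u, a in accounts.items() if a["terminated"] and a["enabled"]),
        "failure_counts": dict(failures),
    }


if __name__ == "__main__":
    report = daily_report(ACCOUNTS, parse_events(EVENTS), date(2024, 3, 11))
    for section, entries in report.items():
        print(f"{section}: {entries}")
```

The terminated_but_enabled list is the one that most often goes unreported, because it needs an HR feed the authentication system never sees; "disable on termination" is only checkable if that feed is part of the daily job.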
Data Loss Prevention
20 TB of sensitive data have been exfiltrated
Deploy storage encryption SW
Monitor outbound traffic
Periodic scans of servers for unencrypted sensitive data
types
Use outbound proxies to monitor outbound
documents/info
Systems will write to only approved USB devices (serial
no.)
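Several slides converge on the same outbound-traffic check: Malware Defenses wants large encrypted outbound traffic flagged, Boundary Defense wants WWW, FTP and SSH to leave only through the DMZ proxy, and Data Loss Prevention wants outbound traffic and documents monitored. One aggregation over flow records serves all three. The code below is an added example, not the course's or SANS's; the flow records, the proxy address, the sanctioned destination, the 200 MB threshold and the set of proxied ports are constructed assumptions.

```python
from collections import Counter, defaultdict

MB = 1024 * 1024
ENCRYPTED_EGRESS_THRESHOLD = 200 * MB        # per (source, destination, port) per day; assumed
APPROVED_PROXY = "10.0.0.2"                  # outbound WWW/FTP/SSH must leave via this host; assumed
SANCTIONED_DESTINATIONS = {"203.0.113.10"}   # e.g. the organisation's backup endpoint; assumed
PROXIED_PORTS = {21, 22, 80, 443}            # FTP, SSH, HTTP, HTTPS

# Constructed flow records for one day: (src_ip, dst_ip, dst_port, bytes_out, encrypted)
FLOWS = [
    ("10.0.1.10", "10.0.0.2", 3128, 40 * MB, False),      # browsing via the proxy: fine
    ("10.0.1.10", "203.0.113.10", 443, 900 * MB, True),   # large, but a sanctioned endpoint
    ("10.0.1.77", "198.51.100.23", 443, 150 * MB, True),
    ("10.0.1.77", "198.51.100.23", 443, 120 * MB, True),  # same pair: 270 MB in total
    ("10.0.1.78", "198.51.100.50", 22, 30 * MB, True),    # SSH straight out, not via proxy
    ("10.0.1.79", "198.51.100.60", 80, 5 * MB, False),    # HTTP straight out, not via proxy
]


def aggregate(flows):
    """Sum bytes per (src, dst, port); a pair counts as encrypted if any flow was."""
    totals = defaultdict(lambda: [0, False])
    for src, dst, port, nbytes, encrypted in flows:
        entry = totals[(src, dst, port)]
        entry[0] += nbytes
        entry[1] = entry[1] or encrypted
    return totals


def find_anomalies(flows) -> list:
    """Return one alert per (src, dst, port) per rule that it violates."""
    alerts = []
    for (src, dst, port), (total, encrypted) in sorted(aggregate(flows).items()):
        if dst in SANCTIONED_DESTINATIONS:
            continue   # allow-listed endpoints are exempt from both rules
        if encrypted and total > ENCRYPTED_EGRESS_THRESHOLD:
            alerts.append({"type": "large_encrypted_egress", "src": src,
                           "dst": dst, "port": port, "mb_out": total // MB})
        if port in PROXIED_PORTS and dst != APPROVED_PROXY:
            alerts.append({"type": "proxy_bypass", "src": src,
                           "dst": dst, "port": port, "mb_out": total // MB})
    return alerts


def summarize(alerts) -> Counter:
    """Count alerts by type, the figure a daily report would lead with."""
    return Counter(a["type"] for a in alerts)


if __name__ == "__main__":
    found = find_anomalies(FLOWS)
    print(dict(summarize(found)))
    for alert in found:
        print(alert)
```

The aggregation step is what makes the size rule useful: the two 150 MB and 120 MB flows from 10.0.1.77 are each under the threshold on their own and only show up once they are summed per destination for the day. Note also that the host sending 900 MB to the sanctioned endpoint is deliberately not reported; the allow-list has to be kept tight, because anything on it is invisible to this check.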
Incident Response Capability

Written incident response plan and procedures
Assign IR responsibilities to specific people
Response time and reports specified
Computer anomaly reporting guidelines
Secure Network Engineering

At least a 3-tiered network design: DMZ, middleware, and private network
Compartmentalize data accordingly
Designed for rapid deployment of ACLs, rules,
signatures, etc.
Segment the enterprise into multiple separate trust
zones with boundary defenses
Penetration Tests and Red Team Exercises

Regular external and internal penetration tests
Regular red team exercises
Response to attacks and breaches
Fix everything found to be bad
Reduce the readable network/security files
Social engineering should be part of the penetration
testing
Use test beds for some of the testing