Title: Defense in Depth
1. Defense-in-Depth
Securing Your System Using a Layered Security Approach
- By
- Richard Hammer
- LANL
- LA-UR-08-2558
2. Overview
- Relative Risks
- Threat Vectors
- What attackers need us to do
- Things Everyone Can do
- Client Protection Summary
3. Goal!
- Secure your system so you
- Do not lose your identity if the system is stolen
- Feel comfortable storing and processing personal, financial, business, and sensitive information
- Feel comfortable making online transactions
4. Old and New Threats
5. What attackers need from us!
- Need us to execute a program
- Need us to NOT securely configure our programs
- Need us to NOT pay attention
- Need us to NOT patch
- Need us to be careless, gullible or curious
- Need us to NOT understand the technology
- "It's that easy because we allow it to be that easy." - Frank Abagnale
6. Things we all can learn to DO!
- Compute as an Unprivileged User if possible
- Understand E-mail
- Understand Web Browsing
- Encrypt our Data
- Know what is connecting in/out
- Actually do it!
7. Hackers do not like unprivileged users
- They cannot change system settings
- They cannot install programs that change system settings
- They cannot undo security settings
- A reboot will normally put the system back into a secure state again.
8. Which is more secure?
- Storing your credit card in your wallet
- Or
- Storing your credit card number on your computer
9. Protecting data at rest (Powered Off)
- Physical Security
- Encryption
- Nothing else will work
- Remove the disk
- Reset password
- Boot off cracker media
- Boot a Macintosh into Target Disk Mode (hold T at startup)
10. Hard Drive/File Encryption
- TrueCrypt, Guardian Edge, WinMagic, PGP, Pointsec, Cypherix, Calibex, many more!
- Hardware
- Fortezza
- Hard drives
- Windows EFS/BitLocker
- Apple FileVault
- Bcrypt
- Entrust ICE
- Entrust PGP
11. Apple FileVault
12. Built-in Windows encryption
13. System Up and You Are Logged In (Includes Sleep Mode)
- No longer protecting Data
- Full disk encryption
- Hardware encryption
- Windows EFS/BitLocker or FileVault
- Protecting data until password entered
- Encrypted Disk Image (Mac OS X)
- Entrust, PGP, TrueCrypt, Bcrypt
- Other 3rd party encryption products
14. Entrust/PGP File Encrypt Options
15. Goals of Cryptosystems!
- Ensure
- Confidentiality
- Integrity
- Authentication
- Non-Repudiation
16. Cryptosystem Problems?
- You might lock yourself out forever!
- Key Management
- Key Distribution
- Password/Passphrase Protection
- Can't encrypt/decrypt offline?
- Speed?
- Export? (GOV export authorized)
17. What will Defeat Encryption
- Not protecting the password
- Sleep mode and fast user switching
- Freeze spray, shutdown/leave
- Malware
- Keyboard Loggers
- E-mail Infections
- Not paying attention to warning messages
- Backups
18. Understanding e-mail
- Clear text e-mail is completely unreliable.
- How do you recognize bogus e-mail?
- What is URL redirection?
- How do you protect yourself?
- Outlook?
19. Why you should not Trust Clear Text e-mail
- Do not know who sent it
- Do not know who sees it
- Do not know where it went
- Do not know who read it
- Do not know if content changed
- Still on server, backups?
- Sys Admins have full access
20. Encrypting e-mail?
- Only Intended Recipients can read messages or open files
- Data has not been modified
- Data is from the expected source
- Not seen on the wire
- Not just SSL/TLS to server
- PGP/S/MIME/Entrust
21. Entrust Encryption Example?
22. PGP/S/MIME Encryption Example?
23. S/MIME/PGP/Entrust e-mail
24. Phishing right here in LA!
- Guy Lisella
- Anytime they ask for personal information, it's a scam.
- Legitimate businesses will NEVER ASK for personal information to be transmitted over clear text e-mail!
- If unsure, call them.
25. How do you recognize bogus e-mail?
- Do you know the sender?
- Is the offer too good to be true?
- Embedded links that point to an address that doesn't appear right.
- Your email address is not listed on the TO or CC.
- The FROM and Return-Path don't match.
- Unexpected attachments.
26. What is wrong?
27. Understanding URLs/Redirection
- http://computername.domainname/directoryname/indexfile.html
- Where you thought you were going
- http://www.dncu.com/login.aspx?update
- http://63.214.247.170/login.aspx?update
- Where you are redirected
- http://www.dncu.org.hi-position.com/register/login.html
- Computer name: www
- Domain name: dncu.org.hi-position.com
- IP Address: No longer registered, but was 202.168.210.1XX
- Directory: register
- Index file: login.html
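As an added example (not part of the deck), the checks from slides 25 and 27 written out in Python: it breaks a URL down the way the slide does (computer name, domain name, directory, index file) and runs the sender, recipient, link and attachment checks over a constructed message. The link hosts are the deck's own example; the addresses and the recipient are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): link hosts from the deck, addresses made up.
SAMPLE = """From: DNCU Member Services <support@dncu.com>
Return-Path: <bounce@hi-position.com>
To: undisclosed-recipients:;
Subject: Please update your account
Content-Type: text/html

<html><body>Update at http://www.dncu.com/login.aspx?update or
<a href="http://www.dncu.org.hi-position.com/register/login.html">here</a>.
</body></html>
"""

def break_down_url(url):
    """Split a URL as the slide does: computer, domain, registered name, directory, file."""
    p = urlparse(url)
    labels = (p.hostname or "").split(".")
    directory, _, index_file = p.path.rpartition("/")
    return {
        "computer": labels[0] if len(labels) > 1 else "",
        "domain": ".".join(labels[1:]),
        "registered": ".".join(labels[-2:]),  # the rightmost two labels own the name
        "directory": directory.strip("/"),
        "file": index_file,
    }

def bogus_email_findings(raw, my_address):
    """Run the slide's checks over one raw message; returns a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    if rp_dom and rp_dom != from_dom:
        findings.append(f"From ({from_dom}) and Return-Path ({rp_dom}) do not match")
    recipients = (str(msg.get("To", "")) + " " + str(msg.get("Cc", ""))).lower()
    if my_address.lower() not in recipients:
        findings.append("my address is not listed in To or Cc")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for url in re.findall(r'https?://[^\s"<>]+', body):
        parts = break_down_url(url)
        if parts["registered"] != from_dom:  # link really lands somewhere else
            findings.append(f"link {url} is really on {parts['registered']}")
    if list(msg.iter_attachments()):
        findings.append("unexpected attachment present")
    return findings
```

Calling bogus_email_findings(SAMPLE, "me@example.gov") returns three findings: the From/Return-Path mismatch, the missing recipient, and the link that is really on hi-position.com; the genuine www.dncu.com link produces none.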
28. Look at the e-mail header
- Eudora: Blah, Blah, Blah
- Outlook: View, Options or Right Click, Options
- Webmail: Click on Full Headers
- Thunderbird: Menu Bar, VIEW/HEADER, ALL
29. Give me the money?
30. Stop Right There!
31. E-mail client configuration
- Do NOT auto execute anything
- Do NOT automatically download HTML graphics
- Do NOT display graphics in message
- Do NOT allow executable HTML content
- Do NOT display emoticons as a graphic
- Do NOT use Microsoft viewer.
32. Entourage Settings
33. Before and After (Mac Mail)
<Display Remote Images in HTML Message>
34. What's Wrong? Unknown sender, not addressed to me, has an attachment I did not expect.
35. Virus protection caught it three weeks later, don't be the first to open it!
36. Which is more secure?
- Paying for a dinner with a credit card
- Or
- Online purchase
37. Compare the two!
38. Web Browser Security
- Understand how it works
- SSL/TLS
- Privacy Settings
- Security Settings
- "Warn me" is always a good option when not sure
- Scripts
- Understand Threats
- Internet Explorer?
39. Web Access (SSL/TLS)
- SSL Developed by Netscape (1994)
- Certificate Exchange
- System to System
- Certificate Authority
- Should only use SSL 3.0 or TLS 1.0
- Is it secure?
- Redirection
- Man-in-the-Middle Attack
40. Keeping Track of State
- Session ID
- https://ucfy.ucop.edu/ucfy/BaseServlet;jsessionid=0000q9ZvjIPe7xWTjxeftFjTqBy-1
- Cookie
- Persistent
- Non-persistent
- Hidden Form Element
41. Firefox Security Settings
42. Man-in-the-Middle
43. Warning, should I proceed?
44. Secure ???
45. Clearing Privacy Settings (Firefox)
<Tools><Options>
46. Security Settings (Firefox)
<Tools><Options>
47. Firefox - NoScript
<Tools><Options>
48. Firefox NoScript (2)
49. Secure Web Transactions
- Open New Browser
- Ensure SSLv3/TLS
- You initiate connection
- Only go to sites associated with transaction
- Use NoScript and only allow needed scripts
- Pay attention to error messages
- Logout when done
- Close browser and clear settings
50. Personal Application Layer Firewalls
- ZoneAlarm
- Little Snitch/Apple Firewall combo
- In/Out protection
- Can distinguish between different programs connecting out on the same port
- Will teach you which applications really connect out from your system
51. Connecting out, Really?
52. Same Port, different program
53. Client Protection Summary
- User vs Admin Privilege
- Virus Protection
- Spyware/Adware Protection
- Keep systems and applications patched
- Backup your data
- Secure Program Settings, don't auto execute and turn off autoplay.
54. Client Protection Summary
- DO NOT open attachments unless you expect them.
- Don't click on embedded links
- Pay attention to warning messages
- Pop-up blockers
- Clear privacy settings
- NoScript
55. Client Protection Summary
- If it's too good to be TRUE, it is!
- When configuring programs keep personal information to a minimum.
- Remove programs you don't need
- Stay away from shady web sites
- One-time Credit Card Numbers
- Shutdown when not using
- Disconnect from network if you don't need to be on it.
56. Client Protection Summary
- Encrypt sensitive information
- Application Layer Personal Firewall
- Outlook and Internet Explorer
- Consider replacing these programs.
- Keep them patched.
57. Educate Yourself!