Privacy and Security: Practical Considerations - PowerPoint PPT Presentation
1
Privacy and Security: Practical Considerations
  • Science Applications International Corporation
  • Common Criteria Testing Laboratory
  • Robert Williamson,
  • AVP, SAIC CCTL
  • June 9, 2005

2
Concern for Practical IT Security
  • Things that need to be protected
  • Root causes of IT threats
  • External threats
  • Internal threats
  • Exploits

3
Specific IT Security Context
  • Organizations with research grants
  • Things that need to be protected
    • Data
    • Analysis
    • Reporting
    • Critical program resources (e.g. funding,
      personnel)

4
Data
  • Resident source data for research input
    • Portable media
    • Servers (university, government, medical
      facilities)
  • Local data to facilitate analysis
    • Copies of resident data
    • Extracts from resident data
    • Locally created

5
Local Data Copy for Analysis
  • Local storage perhaps on a server
  • Remote access type and purpose
  • Authenticated for use
  • Access to data
  • Input
  • Change data, alter format
  • Report

6
Tools for Analysis
  • Programs
    • Program assurance
    • Program integrity
  • Program source
    • Locally written
      • Development paradigm
      • Documentation
      • Testing
    • Shareware
    • Purchased (SPSS)

7
Reporting
  • Report generation
    • Extracts, drafts
  • Report distribution
    • Extracts for focused review
    • Drafts for technical review
    • Drafts for peer review
    • Final for sponsor review
    • Final for public distribution
    • Press releases

8
Critical Program Resources
  • Grant management
    • Purpose: maintain focus
    • Progress: milestone reviews
    • Directives from sponsor
    • Contacts: knowledgeable sources
  • Funding
    • Accounts
    • Charges

9
Root Causes of Security Problems
  • In this order of importance:
    • Policies
    • Behavior
    • Technology

10
Root Causes of Security Problems
  • Policy
    • Reactionary security architectures and firewalls
    • Not supported by administrators, users, or
      vendors
    • Not reflected in contracts, procurements, or
      practices
    • Not integrated with technology evolution

11
Root Causes of Security Problems
  • Behavior
    • Lack of awareness, training, and certification on
      security
    • Code of conduct is not enforced or well defined
    • Lessons learned are not shared or internalized
    • Passwords are easy to guess or easy to compromise
    • Inadequate personnel screening and exit procedures

12
Root Causes of Security Problems
  • Technology
    • Insufficient access control for increasingly
      powerful diagnostic tools
    • Holes in firewalls and perimeter buffer zones
      (DMZ)
    • Inadequate software change controls
    • Immature software
    • Inability to determine which attacks were launched
    • Inability to determine which attacks succeeded

13
Technology Threat Sources
  • Unintentional
    • Software bugs
    • System overloads
    • Hardware failures
    • Poorly trained administrators and custodians
    • Errors and accidents
  • Intentional (outsider)
    • Hacker/phreaker
    • Competitor
    • Fraudster
    • Terrorist
  • Intentional (insider)
    • Dishonest or disgruntled employee, partner,
      outsource employee, contract employee

14
Insider Threat
  • Most of the incidents (83) were executed
    physically from within the insider's organization
    and took place during normal business hours.
    (Intelligence Alert from the World Wide ISAC,
    August 26, 2004)

15
Insider Threats
  • Read the Insider Threat Study: Computer System
    Sabotage in Critical Infrastructure Sectors
    (http://www.cert.org/)
  • Insider threats are avoided using appropriate
    policies and IT products that provide assurance

16
Insider vs Outsider Threats
  • Read the Insider Threat Study: Computer System
    Sabotage in Critical Infrastructure Sectors
    (http://www.cert.org/)
  • Polled 500 security and law enforcement
    executives on issues related to electronic crimes
  • 70 percent of respondents identified whether
    outsiders or insiders were responsible for an
    e-crime or intrusion committed in 2003
  • 71 reported that one or more attacks were known
    or suspected to have come from outsiders, compared
    to 29 from insiders. Respondents identified current
    or former employees and contractors.

17
IT Products with Security Features
  • Use IT security products that have:
    • Documented design
    • All external interfaces documented
    • All external interfaces that enforce security
      thoroughly tested
    • Guidance documents examined against the
      design, and the guidance tested

18
IT Products with Security Features
  • Select products that have completed a third-party
    review of their security functions
    • ISO 9000: repeatability
    • ICSA (http://www.icsalabs.com/): feature tests,
      standard tests
    • Common Criteria (http://niap.nist.gov/cc-scheme/)
      • Evaluate design
      • Evaluate guidance and map to design
      • Evaluate vendor tests and map to design and
        guidance
      • Test product, search for vulnerabilities

19
External Threats - Attack Tools are Now Easier to Deploy
  • Sources
    • CERT Coordination Center
    • Network Reliability and Interoperability Council

[Chart: attack sophistication ("Threat", Low to High) plotted against the skills and knowledge required of the attacker, on a 1980 to 2000 timeline with a "Y2K enabled hacking" marker. Tools and techniques labelled on the chart: stealth / advanced scanning techniques; distributed denial of service / advanced virus / worm techniques; packet spoofing; denial of service; sniffers; SONET backbone attacks; scanners/sweepers; automated probes; GUI; network element Trojans; back doors; network mgmt. diagnostics; disabling audits; PAD to PAD; burglaries; hijacking sessions; exploiting known vulnerabilities; password cracking; self-replicating code; password guessing.]

20
Exploits: Social Engineering
  • Social Engineering
    • "The act of tricking another person into telling
      confidential information by posing as an
      authorized individual to that information."
      (All-in-One CISSP Certification)
  • Advancements in technology are making it easier
    • Internet search engines and databases provide
      abundant information. "Hi nurse, I am Doctor
      [fill in name]"
  • Art of Subversive Psychology
    • Increased security measures make psychological
      attacks easier because users think data is safe.
      (Susan Thunder, psychological attacker)
  • Dumpster Diving
    • One person's trash is another person's treasure

21
Exploits: Phishing
  • A type of spoofing or social engineering that baits
    humans into revealing information that should be
    protected
  • Solicited through email and links to fraudulent
    websites
  • Spyware, adware

22
Exploits: Phishing example (Regions Bank)

[Screenshots: the fake (phisher's) website beside the actual bank website]

23
Exploiting Wireless

[Diagram: client on an IEEE 802.11 wireless link to an access point, which bridges onto the IEEE 802.3 wired local area network]

  • Radio and light-based wireless
    • Eavesdropping
    • Jamming
    • Weak encryption
    • Inadequate network configuration

24
Exploiting Web Traffic

[Diagram: browser sends "Please Send Me Content!" across the Internet to a server, which answers "OK!" with HTML, audio, video, ActiveX, JavaScript, Java, web bugs and malicious code]

  • Cross-site Scripting
  • Parameter Tampering
  • Hidden Field Manipulation
  • Backdoors and Debug Options
  • Stealth Commanding
  • Spyware
  • Forceful Browsing
  • Application Buffer Overflows
  • Third Party Misconfigurations
  • Malicious Requests
  • Malicious Response Script Viruses
  • Malicious Applications Mobile Code
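Hidden field manipulation and parameter tampering from the list above, as an added example that is not from the presentation: a checkout handler that trusts a hidden price field beside one that recomputes the total from server-side data and validates what the client sent. The catalogue, the quantity limit and the two form submissions are constructed for the illustration.

```python
from decimal import Decimal, InvalidOperation

# Server-side catalogue: the only trustworthy source of prices (constructed).
CATALOGUE = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("9.50")}

class TamperedRequest(ValueError):
    """Client-supplied parameters failed server-side validation."""

def vulnerable_total(form):
    """Trusts the hidden 'price' field echoed back by the browser. Anyone who
    edits the form or replays the POST can set any price and quantity."""
    return Decimal(form["price"]) * int(form["qty"])

def hardened_total(form):
    """Recomputes the total from server-side data only: the hidden 'price'
    field is never read, and 'sku' and 'qty' are validated before use."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise TamperedRequest(f"unknown sku {sku!r}")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise TamperedRequest("qty is not an integer") from None
    if not 1 <= qty <= 100:  # constructed per-order limit
        raise TamperedRequest(f"qty {qty} outside 1..100")
    return CATALOGUE[sku] * qty

def price_was_tampered(form):
    """Detection hook: True when the 'price' the client sent is missing,
    malformed, or differs from the catalogue. Worth logging even though
    hardened_total ignores the field entirely."""
    try:
        claimed = Decimal(form.get("price", ""))
    except InvalidOperation:
        return True
    return form.get("sku") not in CATALOGUE or claimed != CATALOGUE[form["sku"]]

def rejects(form):
    """True when hardened_total refuses the submission."""
    try:
        hardened_total(form)
    except TamperedRequest:
        return True
    return False

# Constructed sample submissions: an honest checkout and an edited hidden field.
HONEST = {"sku": "SKU-100", "qty": "2", "price": "49.99"}
TAMPERED = {"sku": "SKU-100", "qty": "2", "price": "0.01"}
```

The vulnerable path charges 0.02 for the tampered order; the hardened path charges 99.98 and the detection hook flags the mismatch for logging.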

25
Threat - Malicious Code
  • The old days: Trojans, worms, backdoors and
    viruses
    • The hard part is getting somebody to run your
      program in the first place
    • Code spread primarily by infected floppies
      or downloaded (FTP) files
  • Mobile code
    • Java, ActiveX (JavaScript is limited in its
      impact)
    • Integrated HTML and automatic opening of
      attachments have made e-mail an easy vector for
      malicious code
  • Cell phone virus
    • Targets Symbian Operating System (June 2000)
    • For incident response, use a basic phone
    • Disable exotic features
  • Spyware: attacks on privacy and security
    • Tracker cookies
    • Key loggers

26
SANS Top 20 Tech Threats, October 2004
  • Top vulnerabilities to Windows systems
    • W1 Web Servers & Services
    • W2 Workstation Service
    • W3 Windows Remote Access Services
    • W4 Microsoft SQL Server (MSSQL)
    • W5 Windows Authentication
    • W6 Web Browsers
    • W7 File-Sharing Applications
    • W8 LSASS Exposures
    • W9 Mail Client
    • W10 Instant Messaging
  • Top vulnerabilities to UNIX systems
    • U1 BIND Domain Name System
    • U2 Web Server
    • U3 Authentication
    • U4 Version Control Systems
    • U5 Mail Transport Service
    • U6 Simple Network Management Protocol (SNMP)
    • U7 Open Secure Sockets Layer (SSL)
    • U8 Misconfiguration of Enterprise Services
      NIS/NFS
    • U9 Databases
    • U10 Kernel

The SysAdmin, Network, Audit, Security (SANS) Institute
publishes a Top 20. A good start: www.sans.org/top20/
27
Contact Information
  • Robert Williamson
    • AVP, SAIC Common Criteria Testing Laboratory
    • (410) 953-6819, (703) 450-4198
    • robert.l.williamson.jr@saic.com
  • Julie Taylor
    • SAIC CCTL Director
    • (410) 953-6877
    • julie.y.taylor@saic.com