The Security State of Mind

1
The Security State of Mind

• Chet Uber
• CTO/World Media Company
• 1999 CERT Conference Tutorial

2
Chets Disclaimer

• The opinions expressed are mine and mine alone,
  they are not those of my employer World Media
  Company, or our parent The Omaha-World Herald.
• If you are easily upset by non-traditional in
  your face discussions of security methodology you
  had better leave now.

3
Presentation Premise

• The danger posed by intruders and those that wish
  you harm, are FAR underestimated. We have not
  seen the tip of the iceberg, and the only folks
  that really understand the implications are the
  NSA, DOD and DOE. The statement concerning the
  NSA, DOD and DOE is conjecture on my part.

4
What is theSecurity State of Mind (SSM)?

• The Security State of Mind has to do with using
  every means at your disposal to design and
  implement unwavering Security-in-Depth. A sign
  that you have the SSM is when upper management
  and your coworkers constantly say, You are
  really being paranoid about this.

5
What is theSecurity State of Mind (SSM)?

• The proof that you have the SSM is that you know
  your paranoia is really just you very clear
  picture of the reality of the situation at hand.
• One of the tenants of the SSM is the
  understanding that business is war, and that
  everyone is a potential enemy.

6
What the SSM tells us!

• There is no such thing as a 100 secure system
  or network.
• That human beings are the weakest link in the
  implementation of security policies.
• That there is a trade-off between the amount of
  security and usability.

7
State of the Union address for the networked
open system environment
8
The security field is neither stable nor
globally understood, and with the inclusion of
the Internet has led to a condition where
greater than 75 of these networks are highly
vulnerable-- July 1999, ISS Inc.
9
A recent report was prepared by WarRoom Research,
LLC in support of the Senates Permanent
Subcommitte on Investigations which involved
among others the FBI, Ernst Young
LLP/InformationWeek, Computer Security Institute,
GAO, and the U.S. Military Services
10
The following conclusions were put forward in the
WarRoom report ...
11
The human threats are growing in numbers and
sophistication.
12
61 of those organizations responding to the
WarRoom Survey had experienced an internal attack
within the past 12 months.
13
58 of those organizations responding to the
survey had experienced an external attack within
the past 12 months.
14
The vulnerability conditions associated with our
networks are well known and understood.
15
Vulnerability is worsened by the availability of
free hacker tools on the Internet.
16
Over 45 of the reported attacks were associated
with advanced technical hacking techniques for
example sniffers, theft of password files,
vulnerability probing/scanning, Trojan logon,
etc.
17
Incident rates are increasingly alarming
18
The impact associated with attacks continues to
move up and off the chart.
19
Over 45 of the internal attacks resulted in
losses over 200,000.
20
Over 15 of the internal attacks resulted in
losses over 1,000,000.
21
Over 50 of the external attacks result in
losses over 200,000.
22
Over 17 of the external attacks resulted in
losses over 1,000,000.
23
In broad terms what should be done by those with
the SSM and why traditional security measures
are not enough!
24
Making A Good Start!

• Definition of sound processes.
• Creation of meaningful and enforceable security
  policies.
• Proper implementation of organizational
  safeguards.
• Establishment of ways in which security can be
  measured.

25
Direct Risk Mitigation

• Identification and Authentication
• Encryption
• Access Control
• Note - This Interim step can give a false sense
  of security

26
Risk Analysis Policy Direct Technical
Countermeasures Traditional Security
SafeguardsThis is 40-60 of the overall
solution when implemented properly
27
Items not addresses by Traditional Approach

• An active, highly knowledgeable, evolving threat
• The greatly reduced network security decision and
  response cycle
• Low User Awareness levels
• Highly dynamic vulnerability conditions

28
A Solid Security Program

• Adhere to sound standardization processes
• Implement valid procedures and technical
  solutions
• Provide for system audits intended to support
  potential attack or system misuse analysis

29
Adaptive Security ModelTraditional Security
SafeguardsThreat/Vulnerability Monitoring
Threat/Vulnerability Detection
Threat/Vulnerability Response Adaptive Security
30
Ensure all applicable vulnerabilities are secured
across the entire network
31
Ensure all systems are configured in a secure
manner consistent with organizational policy
32
Ensure all potentially hostile threats are
detected, monitored, and responded to in a timely
appropriate manner.
33
Provide real-time, on-the-fly, technical
reconfiguration of threat access routes.
34
Provide timely security alerts and tasking to
those responsible for addressing network threats
and vulnerabilities.
35
Provide accurate network security audit and
trends analysis data in support of security
program planning and assessment efforts.
36
Two examples of a dramatic change in knowledge
based in real world experience.
37
The EFFs Project Deep Crack

• The EFF lead a concerted effort to develop a
  machine specifically designed to break DES
  encryption. This effort was funded with a
  250,000 grant and produced a machine that
  rendered keys in days and finally hours. A book
  Cracking DES includes all the schematics and
  code. The design is such that the application of
  MONEY would accelerate the time to minutes.
  There are literally millions of DES protected
  files.

38
PRESS RELEASE CWI, Amsterdam - August 26, 1999
Security of E-commerce threatened by 512-bit
number factorization
39
On August 22 1999, a team of scientists from six
different countries, led by Herman te Riele of
CWI (Amsterdam), found the prime factors of
512-bit number, whose size models 5 of the keys
used for protection of electronic commerce on the
Internet. This result shows, much earlier than
expected at the start of E-commerce, that the
popular key-size of 512 bits is no longer safe
against even a moderately powerful attacker. The
amount of money protected by 512-bit keys is
immense. Many billions of dollars per day are
flowing through financial institutions such as
banks and stock exchanges.
40
The factored key is a model of a so-called
"public key" in the well-known RSA cryptographic
system which was designed in the mid-seventies by
Rivest, Shamir and Adleman at the Massachusets
Institute of Technology in Cambridge, USA. At
present, this system is used extensively in
hardware and software to protect electronic data
traffic such as in the international version of
the SSL (Security Sockets Layer) Handshake
Protocol
41
Apart from its practical implications, the
factorization is a scientific breakthrough 25
years ago, 512-bit numbers (about 155 decimals)
were thought virtually impossible to factor.
Estimates based on the then-fastest known
algorithms and computers predicted a CPU time of
more than 50 billion (50 000 000 000) years.The
factored number, indicated by RSA-155, was taken
from the "RSA Challenge List", which is used as a
yardstick for the security of the RSA
cryptosystem.
42
In order to find the prime factors of RSA-155,
about 300 fast SGI and SUN workstations and
Pentium PCs have spent about 35 years of
computing time. The computers were running in
parallel -- mostly overnight and at weekends --
and the whole task was finished in about seven
calendar-months.
43
The following organizations have made their
workstation and PC computing power available to
this project Centre Charles Hermite (Nancy,
France), Citibank (Parsippany, NJ, USA), CWI
(Amsterdam), Ecole Polytechnique/CNRS (Palaiseau,
France), Entrust Technologies (Ottawa, Canada),
Lehigh University (Bethlehem, Pa, USA), the
Medicis Center at Ecole Polytechnique (Palaiseau,
France), Microsoft Research (Cambridge, UK), Sun
Microsystems Professional Services (Camberley,
UK), The Australian National University Canberra,
Australia), University of Sydney Australia).
44
In addition, an essential step of the project
which requires 2 Gbytes of internal memory has
been carried out on the Cray C916 supercomputer
at SARA (Academic Computing Centre
Amsterdam).Given the current big distributed
computing projects on Internet with hundreds of
thousands of participants, e.g., to break RSA's
DES Challenge or trace extra-terrestrial
messages, it is possible to reduce the time to
factor a 512-bit number from seven months to one
week. For comparison, the amount of computing
time needed to factor RSA-155 was less than 2 of
the time needed to break RSA's DES challenge.
45
The number and the found factors are RSA-155
10941738641570527421809707322040357612003732945
44920599091384213147634998428893478471799725789126
73324976257528997818337970765372440271467435315933
54333897102639592829741105772054196573991675900
71656780803806680334193352179071130777910660348
83801684548209272203600128786792079585759892915222
70608237193062808643
46
A broad stroke view of things that are typically
of interest to Network Security Administrators.
Note the vast scope of topics is not at all
inclusive taken from a typical IT security
schedule
47
Overview of Network Security

• Defining the problem
• Security Policy
• Attacker Methods
• Incident Response
• Legal Considerations

48
Network Services

• Client/Server Computing
• UNIX versus Windows NT

49
Attack Methods

• Types of attacks
• Misadministration
• Software Bugs
• Denial of Service

50
Logging, Auditing, and Detection

• UNIX versus Windows NT
• Auditing
• Vulnerability Detection
• Vulnerability Detection Tools
• Intrusion Detection

51
WWW Security

• General Server Security
• WWW Server Security
• WWW Client Security

52
An Overview of Firewalls

• Firewall versus Host Security
• Categories of Firewalls
• The Weaknesses of Firewalls

53
Packet Filters

• TCP/IP Packets
• Packet Filters and the Client/Server model

54
Proxy Servers

• Definition Proxy Servers
• Gauntlet Firewall
• Firewall-1

55
Firewall Architecture

• Bastion Hosts
• The dual-homed screening router
• The dual-homed bastion host
• The dual-homed Proxy server
• The screened Bastion Host
• Screened subnet
• The screened subnet architecture

56
Firewall Architecture (2)

• The multiple bastion host approach
• Belt-and-Suspenders

57
Secure Communications and Authentication

• Features of cryptography
• Classes of cryptographic systems
• Digital Signatures
• Applications of encryption

58
SSM Standard Operating ProceduresThe
EssenceThe AttitudeSome Basic Tasks
59
For the love of Pete -- Turn on accounting, and
make it as granular as possible.
60
Just because you are paranoid does not mean they
arent out to get you.

• When your boss tells you that you are
  over-reacting and just plain paranoid, tell him
  that someone has to be and that paranoia is just
  a case of seeing things clearly.

61
ROI is not always a good indicator of success in
the security arena and neither is TCO. Sometimes
is costs what it costs.
62
To Darn Bad (TBD)

• There is always a trade off of ease of use and
  security. If a policy meets resistance because of
  its effect on the end-user, tell them TDB.
• TDB should be what you say to yourself. What you
  say to the user is that it is policy from the
  highest level.
• TBD is the mildest form of this attitude.

63
Log, Log, Log, Log, Log, Log and Log some more

• Employ logging at the system level, as well as
  using additional tools.
• Log all systems via serial connection to a
  central system, which is not connected to the
  network in any way.
• Print a paper log of from the central system.
  Consider using special paper.

64
You have to make a decision in the beginning
about whether or not you have intestinal
fortitude, the endurance and the money to do what
needs to be done to prosecute the intruders.
65
An unbroken chain of evidence is essential in
order to prosecute. This means time stamped logs
and other auditing and accounting measures.
66
Public Key CryptographyIKE - Internet Key
ExchangePKI - Public Key Infrastructure
67
End-user Hardware

• Remove or disable floppy drives.
• Disable CD-ROM drives.
• Enable BIOS passwords.
• Physically cover all unused serial, USB,
  parallel, SCSI and other ports not used.
• Employ something you own, something you know, and
  something you are.

68
End-User Software

• Lock down all desktops and install software via a
  standardized and secure methodology. Many
  products are available for this function.
• When the end-users complain about the fascism and
  low productivity remember that it is just TDB.

69
Switching to the Desktop

• There is the very real internal threat in
  hub-based access level schemas. The end-users
  have the ability to sniff traffic that is not
  theres
• Switching allows electrical segmentation, and
  makes sniffing much more difficult -- and general
  not possible

70
Realize that there is no such thing as a secure
system -- get over it and move on!

• Take all steps a reasonable and prudent person
  would, but forget about your bosses demands for a
  100 guaranteed secured network. This is a
  reality check.

71
Top-Level Buy-in

• A couple of years ago, I was sitting in on a
  company that had brought in a Demming
  statistical improvement specialist. Half way
  through, the President and General Manager got up
  and said very vocally. This is not something I
  need to be concerned about. Imagine the effect
  on the rest of the attendees

72
Employ Intrusion Detection Technologies

• There is a great benefit to employing an
  intrusion detection system even with the still
  high-degree of false positives.

73
Encourage the open source peer-review model of
development and implementation

• In a recent call for papers by DARPA regarding
  using Windows NT for security research every
  scientist made a similar statement -- without
  source code to the security layer, it is
  impossible to determine the real security risks

74
Everyday there will be new threats

• Get used to it, live it, breathe it, immerse
  yourself in it. This fact will never change, and
  hampers entities from implementing anything

75
Check out your People

• The individuals who are ultimately responsible
  for the design and implementation of your
  security should be beyond reproach with regards
  to there risk factor
• Check Backgrounds
• Monitor
• Be Vigilant

76
Employee a Password Escrow System

• Do not let passwords to the core facility rattle
  around in peoples heads and on pieces of paper.
• Employee and electronic password management
  system (PMS) which utilizes diskettes or other
  media to give you access.
• The PMS should not be on the network.

77
Something you know.Something you have.Something
you are. Something you know.Something you
have.Something you are.
78
Something you know.Something you have.Something
you are. Something you know.Something you
have.Something you are.
79
Something you know.Something you have.Something
you are. Something you know.Something you
have.Something you are.
80
Something you know.Something you have.Something
you are. Something you know.Something you
have.Something you are.
81
Always look at the worst case scenario

• Designing your security policies and enforcement
  of the same should account for the worst case
  scenario.
• If I here about how much trust someone has in so
  and so one more time, I think I will puke.
• Trust no one.

82
Disaster Recovery

• Disaster recovery is as important, if not more,
  than security is.
• If you cant recover from the worst case
  scenario, then you have a problem.
• Run drills on a regular basis, as you would fire
  drills.
• Always use the VERIFY option when creating backups

83
MANTRAP MANTRAPMANTRAP MANTRAPMANTRAP
MANTRAPMANTRAP MANTRAPMANTRAP MANTRAPMANTRAP
MANTRAPMANTRAP MANTRAPMANTRAP MANTRAP
84
Standards Organizations to be concerned with in
this area include ISO, ANSI, IEEE, IETF, and
W3C. Of special note is the Security Group of
IETF and its various committees.
85
Always use conduit!

• It is very easy to place passive taps on copper
  wiring trunks and cables through the use of a
  vampire tap and other methodologies.
• Conduit makes rewiring easier. Make sure your
  pipe is fat enough to handle upgrades.
• Conduit protects cable from physical damage

86
If you can afford it use fiber

• Fiber optics cabling gives you high-bandwidth
  today with room to grow for tomorrow but most
  importantly it is almost impossible to tap
  passively.
• Fiber optics do not give of EMF, and are
  therefore not subject to the Van Eck effect and
  reduce remote passive monitoring capabilities.

87
The watcher of the watcher of the watcher of the
watcher

• It is generally given as a problem in first year
  accounting, about when the cost of additional
  checks and balances are feasible. Normally the
  Parking Lot Attendant is used as the example.
  This is a valid exercise to go through when
  creating layers of security.

88
Always practice security in Depth!
89
Host-based security is not enough
90
Network based security is not enough
91
Firewalls are not enough
92
Physical security measures are not enough!
93
Fundamental Problem

• Most of you will walk out of this tutorial, and
  say -- I knew those things.
• A large percentage of people will get back to
  work and still not do anything about it.
• There is Knowledge in knowing, but there is
  Wisdom in execution. And there is the need of
  strong character and persuasion to accomplish the
  task.

94
Avoid Services which pass login and password
information in plain text

• Use SSH instead of Telnet whenever possible.
• Make sure the version of email you have does not
  pass login information.

95
Official Motto of the Practitioners of SSM

• I will practice and teach Eternal Vigilance
• I have a resounding will to accomplish the
  implementation necessary.
• I will avoiding making special cases for
  end-users who complain about Fascism.
• I will compel management to accept the need for
  SSM even at the risk of losing my job (This is
  the acid test).