infosec workshop - pacinet 2007

Upload: chris-hammond-thrasher

Post on 16-Apr-2017


PacINET 2007

Information Security Workshop

August 21, 2007

Presenter

Chris Hammond-Thrasher

10 years of ICT consulting in Canada

Was a Senior Management Consultant in Security, Privacy, and Technical Risk for Fujitsu Consulting Canada

MLIS (I am a librarian)

CISSP (I am a security manager)

Currently USP Library Systems Manager

Author of the Digital Fiji blog

Agenda

Part 0: Why are we here?

Part 1: Information security?

Part 2: What an information security team needs to know

Part 3: Security incidents

Part 4: Top ten infosec tools

Goals

To show participants the scope of the field of information security management

To demonstrate that there is an ethical responsibility that goes along with information security skills (aka h4X0r 5k1775)

To entice participants to lobby their employers, educational institutions, and professional organizations to provide them with more infosec training and certification opportunities

To establish the need for regional infosec cooperation: we need a PacCERT!

Part 0 - Why are we here?

A war zone

Leading up to the 1991 invasion of Iraq

The American NSA disabled Iraqi air defense computers with virus-laden printers sold to Iraq through Jordanians (a story that began as an InfoWorld April Fools' column in 1991 and is widely regarded as a hoax)

A war zone

The cost of cybercrime

A 2005 FBI study found that 90% of US companies suffered security incidents

Cybercrime cost US companies an average of US$24,000 last year

The total cost of cybercrime in the US, in 2005 alone, was over US$400 billion

A war zone

Human rights, China, and Yahoo

The House Foreign Affairs Committee has ordered an investigation into Yahoo's role in the prosecution of Shi Tao, a journalist and Yahoo Mail user, who was arrested in 2004 by Chinese officials after Yahoo cooperated with their request for information. The committee's interest in the matter was sparked by new documents that suggest Yahoo gave information to Chinese authorities knowing that it could lead to the reporter's arrest.

A war zone

2007 Estonian cyber attack

The May events followed the Estonian [pop. 1.3 million] decision to dismantle and move a symbolically significant Russian war memorial... Many of the early attacks that subsequently overwhelmed Estonia's Web servers, banks, and government email systems were rudimentary, with instructions widely posted on these blogs telling people how to send manual pings to the country's servers. But more sophisticated tools soon were used, with botnets flooding Estonian addresses with traffic anywhere from 100 to 1000 times ordinary levels.

A war zone

Phishing, Internet fraud, and identity theft

A 2004 study reported that 685,000 Americans had experienced identity theft and collectively lost US$680 million

In 2005, Israelis lost US$10 million to similar crimes

A Pacific war zone?

The coming battle

Oceania (not including Aus and NZ) has 510,890 Internet users out of a population of 9,209,260, or roughly 5.5%

While the global Internet user growth rate from 2000 to 2007 is 225%, it is as high as 1,100% in Samoa, 833% in Fiji, and 320% in the Solomon Islands

A Pacific war zone?

The South Pacific is catching up...

All of the bad things about the Internet come along with the good

We are in a good position: we only have to glance across the ocean to see exactly which problems have already started coming our way, which solutions are effective, and which are not worth doing

Building information security capacity takes time: we need to start now!

A Pacific war zone

The time is ripe to create regional infosec organizations, the first of which ought to be a Pacific Computer Emergency Response Team (PacCERT)

Coordinate ISPs' and other high-tech organizations' responses to major security incidents

Support under-skilled law enforcement agencies

Respond to security incidents and proactively prevent them

Regional corporate and governmental cooperation is required to make this happen

Part 1 - Infosec?

What is information security?

Outline

Definitions

Professional organizations

Certifications

Heroes and villains

My definition

Information security is the art, science, and practice of protecting information systems against willful or accidental harm.

ISO definition

ISO 17799 [now ISO 27002] defines information as an asset that may exist in many forms and has value to an organization. The goal of information security is to suitably protect this asset in order to ensure business continuity, minimize business damage, and maximize return on investments. As defined by ISO 17799, information security is characterized as the preservation of:

Confidentiality: ensuring that information is accessible only to those authorized to have access.

Integrity: safeguarding the accuracy and completeness of information and processing methods.

Availability: ensuring that authorized users have access to information and associated assets when required.

Tom Carlson, Information Security Management, 2001

CIA

Confidentiality

Information should only be available to its intended reader (a person or a piece of software)

Integrity

Information should only be alterable by those who are permitted to do so

Availability

Information should be available to those who need it when they need it

Risks, threats, and vulns

Risk

The magnitude of a risk equals the cost of a single occurrence of a threat multiplied by its estimated frequency of occurrence (in risk-management terms, the single loss expectancy times the annual rate of occurrence gives the annualized loss expectancy)

R = (one-time cost) x (frequency)

Threats which carry a small cost, such as "I forgot my password", but occur frequently may pose a significant risk

Threats that occur infrequently, such as water damage in the new server room, but carry a high one-time cost may not be significant risks

Risks, threats, and vulns

Threats

Or threat events: events which may compromise the CIA of your information assets

e.g. theft of equipment or virus infections

Vulnerabilities

Exploitable weaknesses

e.g. buffer overflows or poorly trained staff

Controls

Administrative

Implemented in policy and procedure

e.g. criminal record screening or user awareness programs

Logical

Implemented in hardware and software

e.g. network firewalls, ACLs, or the principle of least privilege

Physical

Implemented in real space

e.g. locked doors, security guards, or fire suppression

Controls

Preventative

Reduce the likelihood of threat events occurring

e.g. firewalls, intrusion prevention, or strong passwords

Detective

Detect attempted or successful incidents

e.g. network and host-based IDSes, or vigilant users

Mitigating

Reduces the impact of security incidents

e.g. backups or an incident response team

Professional organizations

Anti-Virus Information Exchange Network (AVIEN)

Center for Secure Information Systems (CSIS)

Computer Security Institute

Computing Technology Industry Association (CompTIA)

Information Systems Audit and Control Association (ISACA)

Information Systems Security Association, Inc. (ISSA)

International Association for Computer Systems Security, Inc. (IACSS)

International Federation for Information Processing (IFIP) Technical Committee 11 (TC-11) on Security and Protection in Information Systems

International Information Systems Security Certification Consortium (ISC2)

National White Collar Crime Center

SANS Institute

Certifications

The big ones:

CISSP from (ISC)2

CISA from ISACA

CISM from ISACA

GIAC certifications from SANS

Notable vendor certifications:

Cisco

CheckPoint

Heroes

Gaius Julius Caesar (100 BC -44 BC)

Protected military communications with the Caesar cipher. This cipher works by shifting every letter of the alphabet by a fixed number of places (the key) to produce a garbled message; the recipient shifts back by the same amount.

Example: Caesar cipher with a key of 2 (each plaintext letter is replaced by the letter two places later in the alphabet; Caesar's own shift was 3, but the example below uses 2)

Plain:  abcdefghijklmnopqrstuvwxyz
Cipher: cdefghijklmnopqrstuvwxyzab

Plaintext (grouped in fives, "in the beginning there was darkness and void"): inthe begin ningt herew asdar kness andvo id

Ciphertext: kpvjg dgikp pkpiv jgtgy cufct mpguu cpfxq kf
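The shift above as a worked example in Python. This is an added example, not code from the workshop: it encrypts and decrypts with any key, and then recovers the key by trying all 26 shifts and looking for a known word (a "crib"), which is exactly why a Caesar cipher offers no real protection today. The slide's own plaintext and ciphertext are embedded as test data.

```python
import string
from typing import Dict, Optional

# Added example: Caesar cipher as described on the slide, plus key recovery.
# Non-letters (spaces, digits, punctuation) pass through unchanged; case is kept.


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Shift every ASCII letter forward by `key` places, wrapping around the alphabet."""
    out = []
    for ch in plaintext:
        if ch.isascii() and ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is encryption with the negated key."""
    return caesar_encrypt(ciphertext, -key)


def crack_with_crib(ciphertext: str, crib: str) -> Optional[int]:
    """Return the smallest key whose decryption contains `crib`, or None.

    There are only 26 keys, so an attacker never needs to be given the key:
    trying them all and looking for a plausible word is enough.
    """
    for key in range(26):
        if crib in caesar_decrypt(ciphertext, key):
            return key
    return None


def all_shifts(ciphertext: str) -> Dict[int, str]:
    """Every candidate plaintext, one per key, for eyeballing when no crib is known."""
    return {key: caesar_decrypt(ciphertext, key) for key in range(26)}


# The slide's own example: letters grouped in fives, key 2.
SLIDE_PLAINTEXT = "inthe begin ningt herew asdar kness andvo id"
SLIDE_CIPHERTEXT = "kpvjg dgikp pkpiv jgtgy cufct mpguu cpfxq kf"

if __name__ == "__main__":
    print(caesar_encrypt(SLIDE_PLAINTEXT, 2))
    print("recovered key:", crack_with_crib(SLIDE_CIPHERTEXT, "the"))
    for key, candidate in all_shifts(SLIDE_CIPHERTEXT).items():
        print(f"{key:2d}: {candidate}")
```

Letter grouping in fives, as on the slide, hides word lengths but not letter frequencies, so even without a crib the right shift is usually the one whose output has the most e, t and a.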

Alan Turing (1912 - 1954)

An English mathematician and code breaker. Turing was instrumental in breaking German World War II naval codes.

He also envisaged a kind of computer, now known as a Turing machine, in:

On computable numbers, with an application to the Entscheidungsproblem. 1936.

And proposed the best-known test for machine intelligence, the Turing test, in:

Computing machinery and intelligence. 1950. Mind, 59, pp. 433-460.

Bruce Schneier (1963 - )

Cryptographer turned author, Schneier is one of the leading voices in information security in the USA. He is also one of the most significant critics of American homeland security policy.

Examples:

Applied Cryptography, 2nd ed., 1996, John Wiley & Sons

http://www.schneier.com/blog/

Whitfield Diffie (1944 - ) and Martin Hellman (1945 - )

Cryptologists and inventors of the Diffie-Hellman key exchange algorithm in 1976. The DH algorithm provided a radical new way for two parties to agree on a shared secret over a public channel without having met beforehand. The DH algorithm and its derivatives are the cornerstones of many public key protocols in use today.

Villains?

Robert Morris: wrote the first Internet worm in 1988

Kevin Mitnick: arrested in 1995 and now a consultant

Kevin Poulsen (aka Dark Dante): arrested in 1991 and now Senior Editor at Wired

Jon Johansen (aka DVD Jon): wrote DeCSS at the age of 15

David Smith: wrote the Melissa virus in 1999, which caused US$500 million in damages

R2-D2: repeated violations of Imperial systems

John Draper (aka Cap'n Crunch): phone phreak, 1972

Part 2 - knowledge

What an information security, or infosec, team needs to know

Outline

Infosec domains

Infosec team critical success factors

Domain 1 - access control

Access control may be applied at the network level, host level, application level, or even for individual functions or data elements

Access control has two components

Identity management (authentication)

Ensuring that users are who they say they are

Authentication systems use up to three factors to identify users; requiring two or more (multi-factor authentication) means a stolen password alone is not enough

Something you know: passwords or passphrases

Something you have: a card, RFID tag, hardware token, or other device

Something you are (biometrics): fingerprints, retina patterns, etc.

Domain 1 - access control

Authorization

Authorization is the mechanism that determines what an authenticated user is allowed to do or see in a system

Often this takes the form of an access control list (ACL), which lists which actions a user or group of users is permitted to take on which system objects; anything not explicitly permitted should be denied by default
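The ACL idea as a small evaluator, added here as an example (not from the workshop). Users, groups and object names are made up. It shows the two rules that matter in practice and that a flat "list of permissions" slide glosses over: the answer is deny unless some entry allows, and an explicit deny beats any allow, including one inherited from a group.

```python
from typing import Dict, List, Set, Tuple

# Added example: a minimal access-control list with group expansion.
# All names below are invented for illustration.

# Group membership, as identity management would supply it.
GROUPS: Dict[str, Set[str]] = {
    "staff": {"alice", "bob"},
    "admins": {"alice"},
}

# ACL: object -> entries of (principal, action, effect).
# A principal is a user name or "group:<name>".
ACL: Dict[str, List[Tuple[str, str, str]]] = {
    "/library/catalog": [
        ("group:staff", "read", "allow"),
        ("group:admins", "write", "allow"),
    ],
    "/library/payroll": [
        ("group:staff", "read", "allow"),
        ("bob", "read", "deny"),          # explicit deny for one member of staff
        ("group:admins", "write", "allow"),
    ],
}


def principals_for(user: str) -> Set[str]:
    """The user plus every group principal the user belongs to."""
    return {user} | {f"group:{g}" for g, members in GROUPS.items() if user in members}


def is_allowed(user: str, action: str, obj: str) -> bool:
    """Deny by default; any matching explicit deny overrides every allow."""
    mine = principals_for(user)
    allowed = False
    for principal, act, effect in ACL.get(obj, []):
        if principal in mine and act == action:
            if effect == "deny":
                return False              # explicit deny wins, whatever else matches
            allowed = True
    return allowed                        # no entry at all -> not permitted


if __name__ == "__main__":
    checks = [("alice", "write", "/library/catalog"),
              ("bob", "read", "/library/payroll"),
              ("carol", "read", "/library/catalog")]
    for user, action, obj in checks:
        print(f"{user} {action} {obj}: {is_allowed(user, action, obj)}")
```

Note that `carol` is denied everywhere without appearing in any list: an ACL evaluator that returns "allow" when it finds no entry is a common and serious mistake.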

Domain 2 - application security

Security considerations should play a prominent role in all phases of the application development life cycle

All user input should be validated against what the application expects, and passed to databases and commands as data rather than spliced into the command text, before processing

Security testing is not the same as functional testing

Web applications require testing against known web application vulnerabilities

Applications that handle sensitive information should require security certification before going live and recertification after major upgrades
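An added example (not from the workshop) of what "validate before processing" buys you, using SQL injection, one of the web application attacks listed in Part 3. The in-memory SQLite database, its two rows and the user names are constructed for the demo; it stores plaintext passwords only to keep the comparison short, which real systems must never do. The vulnerable login pastes input into the SQL text; the safe one sends it as a bound parameter, and an allow-list check in front rejects the payload before any query runs.

```python
import re
import sqlite3
from typing import Optional

# Added example: string-built SQL beside its parameterised form.
# Table contents are constructed; passwords are plaintext for brevity only.

USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Input becomes part of the SQL text, so it can rewrite the query."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver passes input as data, never as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def validate_username(username: str) -> Optional[str]:
    """Allow-list validation applied before any query, as defence in depth.

    Returns the username if it is well formed, otherwise None.
    """
    return username if USERNAME_RE.fullmatch(username) else None


# A classic payload: closes the quoted string, then "--" comments out the
# rest of the WHERE clause, including the password check.
PAYLOAD = "alice' --"

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable login with payload:", login_vulnerable(db, PAYLOAD, "wrong"))
    print("safe login with payload:      ", login_safe(db, PAYLOAD, "wrong"))
    print("validated username:           ", validate_username(PAYLOAD))
```

The parameterised query is the real fix; the allow-list is a second layer for when some code path forgets to use it. Note that validation by itself is fragile (a legitimate surname can contain an apostrophe), which is why the query construction has to be safe regardless.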

Domain 3 - business continuity and disaster recovery planning

Business continuity planning

Planning to ensure that critical business processes are resilient to change and attack

Understand your organization's risk tolerance

Define what a critical business process is for your organization

Identify which business processes are critical

Identify potential threats

Develop strategies that minimize interruptions to critical processes due to known (or likely) threats

Domain 3 - business continuity and disaster recovery planning

Disaster Recovery Planning

Developing and testing procedures that will allow critical systems to recover from severe change or attack

Ideally, complete the BCP first

Identify information systems that are required to support critical business processes

Develop plans to minimize down-time if an environmental change or attack destroys the system hardware and/or software

Strategies include co-location, hot and cold standby sites, etc.

Domain 4 - cryptography

Two methods of sending secret messages

Hiding the message: steganography

Jumbling the message so that it is mathematically difficult to un-jumble without the key: cryptography

Cryptography can provide other functions

Verifiable message integrity

Key exchange

Non-repudiation

Source/destination validation

Secure time-stamping

Domain 4 - cryptography

Ciphers

Symmetric

Symmetric ciphers use one key to encrypt and decrypt

This creates a problem of key management: how to securely get the key to everyone who needs it without compromising it

e.g. DES, 3DES, Twofish, Blowfish, and AES

Asymmetric

Asymmetric ciphers use a pair of keys for calculation: one is kept private and the other is shared publicly

Asymmetric ciphers require large keys and are computationally intensive, so in practice they are used to exchange or wrap a symmetric key rather than to encrypt bulk data

e.g. RSA and ElGamal
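The key-management problem above is what Diffie and Hellman's 1976 exchange (named under Heroes) solves, and "key exchange" appears in the list of functions cryptography provides. The following is an added example, not workshop code: both sides of the exchange, what crosses the wire, and how the result becomes a symmetric key. The group is a toy chosen for brevity (p = 2^255 - 19 is prime, but this is not a standardised DH group and must not be used for real traffic); real deployments use the MODP groups from RFC 3526 or elliptic-curve DH.

```python
import hashlib
import secrets
from typing import Tuple

# Added example: Diffie-Hellman key agreement over a toy group.
# P and G are illustrative parameters, NOT a standardised group.
P = 2**255 - 19
G = 2


def make_keypair() -> Tuple[int, int]:
    """Private exponent x in [2, P-2] and the public value g^x mod p."""
    private = 2 + secrets.randbelow(P - 3)
    return private, pow(G, private, P)


def shared_secret(my_private: int, their_public: int) -> int:
    """(g^y)^x mod p; both sides reach g^(xy) mod p.

    Degenerate public values (0, 1, p-1) would force a predictable secret,
    so a real implementation must reject them, as this one does.
    """
    if not 1 < their_public < P - 1:
        raise ValueError("degenerate public value")
    return pow(their_public, my_private, P)


def derive_key(secret: int) -> bytes:
    """Never use the raw group element as a key; hash it to a fixed-size key."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def run_exchange() -> Tuple[bytes, bytes]:
    """One complete exchange. Only a_pub and b_pub are sent over the network;
    an eavesdropper who sees P, G, a_pub and b_pub must solve a discrete
    logarithm to recover the secret."""
    a_priv, a_pub = make_keypair()          # Alice's side
    b_priv, b_pub = make_keypair()          # Bob's side
    # wire: Alice -> Bob: a_pub ; Bob -> Alice: b_pub
    key_a = derive_key(shared_secret(a_priv, b_pub))
    key_b = derive_key(shared_secret(b_priv, a_pub))
    return key_a, key_b


if __name__ == "__main__":
    ka, kb = run_exchange()
    print("keys match:", ka == kb, "key:", ka.hex())
```

What the exchange does not give you is authentication: an attacker sitting between Alice and Bob can run one exchange with each of them and relay. That gap is why SSL/TLS (in the protocols slide below) combines the key agreement with signed certificates.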

Domain 4 - cryptography

Digests

Also known as message digests or cryptographic hashes; unlike a simple checksum (a byte sum or a CRC), they are designed so that an attacker cannot craft a different input with the same output

A kind of one-way function

They do not have a key

They generate a fixed length output from variable length input

The input cannot feasibly be reconstructed from the output (pre-image resistance), and it should be infeasible to find two different inputs with the same output (collision resistance)

Useful in establishing message integrity
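An added example (not workshop code) of the digest properties listed above, with constructed messages. It puts a naive checksum beside SHA-256: a tampered transfer that reorders digits keeps the byte sum identical, so the checksum passes while the digest changes, and a one-bit change flips roughly half of the digest bits. The verification function compares in constant time.

```python
import hashlib
import hmac

# Added example: checksum versus cryptographic digest for integrity.
# The messages are constructed for the demo.


def additive_checksum(data: bytes) -> int:
    """A naive checksum: the sum of all bytes. Order-blind, so easily fooled."""
    return sum(data) % 65536


def sha256_hex(data: bytes) -> str:
    """Fixed-length (256-bit) digest for input of any length."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_digest_hex: str) -> bool:
    """Recompute and compare in constant time, so the check itself leaks nothing."""
    return hmac.compare_digest(sha256_hex(data), expected_digest_hex)


def digest_bit_distance(a: bytes, b: bytes) -> int:
    """How many of the 256 digest bits differ between the digests of a and b."""
    da = int.from_bytes(hashlib.sha256(a).digest(), "big")
    db = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(da ^ db).count("1")


ORIGINAL = b"transfer 100 to alice"
# Reordering the digits keeps every byte, hence the byte sum, unchanged.
TAMPERED = b"transfer 001 to alice"

if __name__ == "__main__":
    reference = sha256_hex(ORIGINAL)
    print("checksum equal: ", additive_checksum(ORIGINAL) == additive_checksum(TAMPERED))
    print("digest equal:   ", sha256_hex(TAMPERED) == reference)
    print("tampered passes:", integrity_ok(TAMPERED, reference))
    flipped = bytes([ORIGINAL[0] ^ 1]) + ORIGINAL[1:]
    print("bits changed by a 1-bit flip:", digest_bit_distance(ORIGINAL, flipped))
```

A bare digest only detects tampering if the attacker cannot replace the digest along with the message; when both travel the same path, the digest must be keyed (an HMAC) or signed, which is how the "verifiable message integrity" function above is delivered in protocols such as TLS.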

Domain 4 - cryptography

Protocols

Cryptographic protocols define a processing sequence, using one or more ciphers, digests, and key exchange methods, to perform a secure transaction

e.g. SSL/TLS, SSH, and SKIP

SSL v2, SSL v3, and TLS 1.0 (SSL v2 has known design flaws and should be disabled)

Secure US$ billions of Internet transactions

Can encrypt any TCP-based application protocol (e.g. HTTP -> HTTPS)

Provide confidentiality without a previously shared secret: session keys are negotiated during the handshake

Provide end-point authentication with signed certificates

Domain 5 - risk management

We defined risks and threats in Part 1

Risk management is central to infosec management as it provides a rationale for allocating limited resources

e.g. If a risk assessment reveals that a company stands to lose US$10,000 annually due to malware, there is a strong business case to invest in a US$20,000 antivirus infrastructure: spread over its service life, the control costs less per year than the risk it removes.

Domain 5 - risk management

Q: How do I do a risk assessment?

A: Unfortunately, that topic requires an entire workshop to itself.

Identify information assets and their value or sensitivity

Identify potential threats

For each asset, estimate the damage caused by a one-time occurrence of each threat

For each asset-threat pair, estimate the frequency of occurrence and multiply it by the one-time damage to arrive at an estimate of annual risk; rank the pairs by that figure
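The four steps above, and the R = (one-time cost) x (frequency) formula from Part 1, as a small model. This is an added example, not material from the workshop; the asset names, loss figures and frequencies are constructed to illustrate the two claims the slides make: a cheap but frequent event can outrank a catastrophic but rare one, and a control is justified when the yearly risk it removes exceeds its yearly cost.

```python
from typing import List, Tuple

# Added example: risk ranking from asset-threat pairs.
# Every figure below is invented for illustration.

# (asset, threat, one-time loss in USD, expected occurrences per year)
ASSET_THREATS: List[Tuple[str, str, float, float]] = [
    ("catalogue server", "water damage in the new server room", 50_000, 0.02),
    ("catalogue server", "malware infection",                    2_500, 4.0),
    ("staff laptops",    "laptop theft",                         2_000, 1.5),
    ("staff accounts",   "forgotten password (helpdesk reset)",     40, 600.0),
]


def annualised_risk(one_time_cost: float, frequency: float) -> float:
    """R = (one-time cost) x (frequency per year), the slide's formula."""
    return one_time_cost * frequency


def rank_risks(pairs: List[Tuple[str, str, float, float]]) -> List[Tuple[float, str, str]]:
    """Highest annualised risk first: this ordering is the case for where to spend."""
    ranked = [(annualised_risk(cost, freq), asset, threat)
              for asset, threat, cost, freq in pairs]
    return sorted(ranked, key=lambda r: r[0], reverse=True)


def control_is_justified(risk_before: float, risk_after: float,
                         capital_cost: float, service_years: float,
                         annual_running_cost: float = 0.0) -> bool:
    """A control pays for itself when the yearly risk it removes exceeds its yearly cost."""
    yearly_cost = capital_cost / service_years + annual_running_cost
    return (risk_before - risk_after) > yearly_cost


if __name__ == "__main__":
    for risk, asset, threat in rank_risks(ASSET_THREATS):
        print(f"US${risk:>9,.0f}/yr  {asset:<17} {threat}")
    # The slide's antivirus case: US$10,000/yr of malware loss, a US$20,000
    # control with a four-year life that cuts the loss to US$1,000/yr.
    print("antivirus justified:", control_is_justified(10_000, 1_000, 20_000, 4))
```

The ranking puts the US$40 helpdesk reset at the top (US$24,000 a year) and the US$50,000 flood at the bottom (US$1,000 a year). The model is only as good as the frequency estimates, which is where most of the effort in a real assessment goes.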

Domain 6 - law, ethics, etc.

Infosec professionals need to be familiar with intellectual property law, privacy law, and computer crime law in their jurisdiction

In the South Pacific, several countries lack all three!

Many infosec certifications require that certification holders submit to a code of ethics

Typically, these codes forbid scanning, attacking, sniffing, testing, etc. without first obtaining informed consent from the owner of the target system.

Domain 7 - operations security

Security operations include

Information classification

Security testing on an ongoing basis and with major system changes

Incident response and prevention

Monitoring logs

Network IDS, host IDS, firewall, VPN, and other logs

Liaising with ICT managers and practitioners

Reviewing infosec information from outside sources

e.g. the Full Disclosure mailing list, the Bugtraq mailing list, the SANS Internet Storm Center, and national and regional CERTs (we need a PacCERT!)

Domain 7 - operations security

One of the most important and commonly overlooked activities is an infosec awareness program

Staff that understand the reasons behind security policies are less likely to circumvent them

Trained staff are more likely to notice suspicious activity

Infosec is complicated and constantly changing: people need regular reminders

Domain 8 - physical security

Rule #1: if an attacker can gain physical access to your hardware, it is only a matter of time before they gain complete control

The design and equipping of server rooms and data centers is well understood. Consult an expert if you are putting one together.

Network equipment (including wiring closets), personal computers, and mobile devices are too often ignored

Domain 8 - physical security

Principles

Off site backups!

Allow only trusted individuals access

Allow access only on a need-to-access basis

Protect against environmental changes

Loss of power

High temperature

Moisture

Fire

Domain 9 - security architecture

Security architecture is the ongoing process of planning security infrastructure and activities across an entire organization

Responsible for enterprise wide security policies

e.g. information classification, acceptable use, and roles

Setting security technology standards

e.g. standards for hardening critical servers, the brand of firewall to be used at all branch offices, password policies, and high-level network design

Planning enterprise-wide security technologies

e.g. single sign-on (SSO), IDS sensor deployment across a large network, and VPN infrastructure for teleworkers

Domain 10 - telecommunications and network security

Telecommunications and network security

Requires advanced knowledge of communications protocols and technologies

OSI network model

TCP/IP networking including ARP, UDP, and ICMP

Perimeter security

Encrypted communications channels

Network intrusion detection and prevention

Telephone security

Traffic control: firewall rules and routing tables

Infosec team success

In addition to knowledge of the 10 domains, a successful infosec team requires:

a clear mandate,

the right number of staff,

the right policies and procedures,

the right tools, and

support from management

Part 3 - incidents

Security incidents

Outline

Anatomy of a hacker attack

Other common incidents

Incident response fundamentals

Anatomy of an attack

Step 1: gather information (mostly passive)

Step 2: find vulnerabilities (mostly active)

Step 3: exploit vulnerabilities

Step 4: conceal activity (cover your tracks)

Anatomy of an attack

Step 1: gather information (mostly passive)

Attacker's activities

whois lookups on the target's domains and address ranges

Surf the target's website

Google the target

Detection

Very difficult as this is all normal activity

Anatomy of an attack

Step 2: find vulnerabilities (mostly active)

Attacker's activities

Port scans with tools such as nmap

Sniffing with tools such as Wireshark or Ettercap

Vulnerability scanning with tools such as Nessus

Detection

Intrusion detection systems (IDS) such as Snort can detect many port scans and vulnerability scans

Passive sniffing is hard to detect, although tools such as Ettercap can identify NICs in promiscuous mode on the local network.

ARP cache poisoning and other attacks that facilitate sniffing on switched networks can also be detected by some IDSes, firewalls, switches, and other tools

Anatomy of an attack

Step 3: exploit vulnerabilities

Attacker's activities

Attack software weaknesses with exploit code. The Metasploit Framework is a toolkit for developing and running exploits.

Attack passwords

Detection

IDSes can detect many application attacks as well as large volumes of login attempts

Some applications will log failed login attempts

Host-based tools such as Tripwire (file integrity checking) and Logwatch (log analysis) can detect some suspicious activity
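The two detections the Step 2 and Step 3 slides describe, a port scan seen in firewall drops and a burst of failed logins, run over constructed log lines. This is an added example, not from the workshop: the line formats are invented (not Snort's or sshd's real output) and the addresses come from the RFC 5737 documentation ranges. The logic is the core of what an IDS portscan preprocessor or a log watcher does: count distinct ports per source and destination, and failed logins per source, against a threshold.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Added example: port-scan and password-attack detection over constructed logs.
# Line formats and addresses are invented for the demo.

FW_RE = re.compile(r"^(\S+) DROP src=(\S+) dst=(\S+) dport=(\d+)$")
AUTH_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")


def build_firewall_log() -> List[str]:
    """Constructed firewall log: one scanner, one ordinary client."""
    lines = []
    for i, port in enumerate(range(20, 45)):          # 25 ports probed on one host
        lines.append(f"2007-08-21T10:00:{i:02d} DROP src=203.0.113.5 dst=192.0.2.10 dport={port}")
    lines.append("2007-08-21T10:01:00 DROP src=198.51.100.7 dst=192.0.2.10 dport=23")
    lines.append("2007-08-21T10:01:05 DROP src=198.51.100.7 dst=192.0.2.10 dport=445")
    return lines


def build_auth_log() -> List[str]:
    """Constructed auth log: eight failures from one source, one from another."""
    lines = [f"2007-08-21T10:05:{i:02d} sshd: Failed password for root from 203.0.113.5"
             for i in range(8)]
    lines.append("2007-08-21T10:06:00 sshd: Failed password for alice from 198.51.100.7")
    return lines


def detect_port_scans(lines: List[str], threshold: int = 10) -> Dict[Tuple[str, str], int]:
    """Flag any (source, destination) pair that touched at least `threshold`
    distinct ports. A production detector (e.g. Snort's portscan preprocessor)
    also bounds this by a time window; that is omitted here for clarity."""
    ports = defaultdict(set)
    for line in lines:
        m = FW_RE.match(line)
        if m:
            _, src, dst, port = m.groups()
            ports[(src, dst)].add(int(port))
    return {key: len(p) for key, p in ports.items() if len(p) >= threshold}


def detect_password_attacks(lines: List[str], threshold: int = 5) -> Dict[str, int]:
    """Flag any source with at least `threshold` failed logins."""
    failures: Counter = Counter()
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            failures[m.group(3)] += 1
    return {src: n for src, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    print("port scans:      ", detect_port_scans(build_firewall_log()))
    print("password attacks:", detect_password_attacks(build_auth_log()))
```

Thresholds are the whole game: set them too low and the client that hit two blocked ports becomes an alert, too high and a slow scan spread over days never trips the count. That trade-off, not the parsing, is what tuning an IDS is about.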

Anatomy of an attack

Step 4: conceal activity

Attacker activities

Edit suspicious activities out of system logs

Install backdoors or rootkits to facilitate future concealed access to the target

Detection

Host-based intrusion detection tools can detect some of these activities

Virus scanners and rootkit checkers can sometimes find rootkits, but not always! A rootkit that subverts the kernel can hide from tools running on the same host, so compare against known-good copies or inspect the disk offline.

Other common incidents

Most security incidents do not involve a classic hack

Some common incidents

Malware infection: virus, trojan, worm, spyware, etc.

Insider attack

DoS

Lost or stolen passwords

Web application attacks: cross-site scripting (XSS), SQL injection, etc.

Social engineering

Incident response basics

Have an Incident Response Team with well defined roles before an incident happens

Have written procedures for incident handling

Have clear lines of communication

Who decides whether it is bad enough to phone the police?

Which managers need to be informed?

Decide when and how you will quarantine potentially compromised equipment

Who decides when it is better to be offline than insecure?

Part 4 - tools

Top 10 free infosec tools

Wireshark (windows, linux/unix)

nmap (windows, linux/unix)

Nessus (windows, linux/unix)

Snort (windows, linux/unix)

ClamAV (windows, linux/unix)

Tor (windows, linux/unix)

ssh (windows, linux/unix)

John the Ripper (windows, linux/unix)

Ettercap (windows, but best on linux/unix)

Cain and Abel (windows)

Thank you for your time.

Make good choices.

Chris Hammond-Thrasher, MLIS, CISSP
USP Library Systems Manager
[email protected] / [email protected]
[email protected]@skype
http://dfiji.blogspot.com/

Photo credits

All photos used in this presentation are available under a Creative Commons license

Credits

Camera http://www.flickr.com/photos/bhikku/

Keys http://www.flickr.com/photos/kk/

Superheroes http://www.flickr.com/photos/jcroft/

Schneier http://www.flickr.com/photos/quinnums

Diffie/Hellman http://www.flickr.com/photos/dfarber

R2-D2 http://www.flickr.com/photos/revlimit/

Foil hat http://www.flickr.com/photos/nicmcphee

Incident http://www.flickr.com/photos/mjb

Palm pilot http://www.flickr.com/photos/splorp

Gateway http://www.flickr.com/photos/cromaducale
