Security in the Trenches

05/12/22 Security in the Trenches


Post on 21-Feb-2016


TRANSCRIPT

Page 1: Security in the Trenches

04/22/23

Security in the Trenches

Page 2: Security in the Trenches


Who are the defenders in the trenches?

Security staff

• Monitor threats and behavior without invading privacy

• Tactical calculation of acceptable risk and response

• Design trenches that allow free flow of information and services

• Respond to breaches and threats without causing harm

Page 3: Security in the Trenches


Who are the defenders in the trenches?

Everyone at a keyboard

Everyone with a network connection

Everyone that uses or manages Information Technology

Page 4: Security in the Trenches


Who are the defenders in the trenches?

Students

• Exposed to constant scans, malicious messages, and fraud attempts.

• Can’t trust messages from their friends or even the administration or support organization (…@jmu.edu, …@jmu.edu)

• Computer malfunctions and compromise of personal information and accounts

• Potential identity theft victims when central stores of information are compromised

Page 5: Security in the Trenches


Who are the defenders in the trenches?

Faculty

• Exposed to constant scans, malicious messages, and fraud attempts.

• Threat environment makes it difficult to experiment safely.

• Confidential commercial research may be compromised

• Fulfilling grant security requirements complicates research efforts

• Lose valuable messages in storm of SPAM

• Unable to get or share information because criminal element has made it too risky

Page 6: Security in the Trenches


Who are the defenders in the trenches?

Staff

• Exposed to constant scans, malicious messages, and fraud attempts.

• Safeguard information of constituents

• Spyware calls burying support resources, making them unavailable to others

• Responding to constant stream of threats.

• Fear of being the person who makes the next headlines by clicking the wrong thing.

• Loss of trust

Page 7: Security in the Trenches


Who are the defenders in the trenches?

Management

• Exposed to constant scans, malicious messages, and fraud attempts.

• Strategic calculation of acceptable risk and response

• Hesitant to offer forward thinking services because of risk.

• Headlines don’t explain “acceptable” and “residual” risk.

• Risk is always unacceptable if an incident occurs.

• Growing security expenditures take from line of business needs

Page 8: Security in the Trenches


Who are the defenders in the trenches?

General Public

• Exposed to constant scans, malicious messages, and fraud attempts.

• Lose battles daily for control of their computers, documents, and accounts

• Deluged with simplistic, ineffective, overly complex, sensationalist, and/or accusing advice.

Page 9: Security in the Trenches


WE ARE ALL IN THE TRENCHES!

Defending:

• Our own computer and information

• Our constituents’ information and services

• Our organization’s information and services

Page 10: Security in the Trenches


Trench Warfare

Trench – a long, narrow ditch dug by soldiers for cover and concealment

Trench Warfare – form of fighting whereby two sides fight each other from opposing trenches

Conscription – a system of compulsory recruitment for the armed forces

Home Front – the name given to the part of war that was not actively involved in the fighting but which was vital to it

No-man’s land – the barren territory that lay between the opposing Allied and German trenches on the Western Front

Attrition – strategy of wearing down the enemy through continual attack and pressure

Deterrent – something designed to stop a person or people from doing something

Entrenched – to be fixed or deeply rooted in an area

Retaliation – to fight back, revenge

Shell shock – medical condition caused by prolonged exposure to the distressing experiences of trench warfare

Stand-down – name given to the daily evening routine in the trenches

Page 11: Security in the Trenches


Who is the Enemy?

• Vandals
• Joy Riders
• Graffiti artists
• Kids and professionals
• Thieves
• Extortionists
• Manipulators
• Voyeurs
• Egotists
• Competitors (business, romance, research, etc.)
• Free loaders
• Anarchists
• Exploiters
• Terrorists

Multiple simultaneous enemies

Multiple motivations

Varying capabilities

Page 12: Security in the Trenches


Where are the enemies’ trenches?

They have none!

Worldwide, instant mobility

Worldwide, anonymous mobility

Worldwide, unrestricted mobility

At every network connection

At every keyboard

At every exposed web site

Page 13: Security in the Trenches


Guerrilla Warfare

Guerrilla warfare operates with small, mobile and flexible combat groups without a front line

Guerrilla tactics are based on ambush, sabotage, espionage, and avoiding the response of the defenders through greater mobility

The mobility provided by the Internet and the ability to commandeer computers results in the attackers being able to wage open warfare on the defenders with relative anonymity.

Freely available weaponry on the Internet

Mercenaries – BOTS

Smart bombs – viruses, worms

Page 14: Security in the Trenches


Where are our weaknesses?

Our networks provide attacker mobility

• Global

• Limitless

• Unauthenticated

Page 15: Security in the Trenches


What are our Weaknesses?

Networks and Societies Must Have Cooperation to Work

• Throwing bricks through windows

• Driving down the wrong side of the street

• Stealing mail from mailboxes

• Can you secure your house or car?

The Internet extends the reach of uncooperative members

Page 16: Security in the Trenches


Where are our weaknesses?

Our Systems provide soft targets

• Complex – error prone in design, implementation, configuration, and usage

• Defective security controls

• Lack of access controls in most default configurations

• Not designed for hostile environment

• Not maintained for hostile environment

Page 17: Security in the Trenches


Where are our weaknesses?

We, ourselves, provide opportunity

• Complexity breeds mistakes
  Decisions
  Design
  Implementation
  Configuration
  Operation

• Priorities
  We cannot spend all our time on defense nor make all our decisions based on security. The attackers have no such limitations.
  Acceptable risk

• Conflicting Business Goals
  Desire for universal, easy accessibility
    • Minimize access controls for location, method, source, or destination
  Desire for autonomy and personalization
    • Minimize policies, procedures, standards, and controls
  Desire for privacy
    • Minimize identification and monitoring
  Transparent security

Page 18: Security in the Trenches


Where are Our Weaknesses?

An intruder only has to find one entry point.

A defender has to close or watch all entry points.

One mistake, one oversight, one wrong mouse click creates opportunity for the attacker

Page 19: Security in the Trenches


Battle Statistics

Thousands of infected e-mail messages received daily

60%+ of incoming e-mail messages are SPAM – dozens, sometimes hundreds, containing fraud attempts such as phishing and Nigeria scams

Page 20: Security in the Trenches


Battle Statistics

[Chart: Malicious Instant Message Events]

Page 21: Security in the Trenches


Battle Statistics

[Chart: Malicious Web Sites]

Page 22: Security in the Trenches


Battle Statistics

[Chart: Incoming Network Scans]

Page 23: Security in the Trenches


Symantec Internet Security Threat Report January-June 2005

10,866 new Windows viruses

• Of the 50 most common reported, 74% expose confidential information

10,352 BOTS detected per day

1,862 new software defects

• Average time to exploit – 6 days

• Average time to patch – 54 days

5.7 million fraudulent “phishing” email messages per day

Page 24: Security in the Trenches


Issues and Incidents

Lifetime of unpatched computer

Malware sophistication

• Security software neutralization

• Back channel communications, instant notification

• BOTS

• Distributed Denial of Service

• Rootkits

• Keyloggers

Unrecognized malware

Exploits of unfixed defects

Below the radar communications

Social engineering

DDOS, E-gold, E-bay hijack, E-bay phish, IM keylogger data stream, Organized crime, Targeted spam – LexisNexis, Higher Education incidents, Credit Card battle, One mistake

Page 25: Security in the Trenches


What are we trying to protect?

• Confidentiality

• Integrity

• Availability

…if we don’t protect them we may have…

Page 26: Security in the Trenches


If we don’t protect C-I-A we may have…

• Liability

• Operational disruption

• Theft

• Vandalism

• Loss of reputation, confidence, and/or trust

...which may lead to the loss of…

Page 27: Security in the Trenches


Which may lead to the loss of…

• Time

• Money

• Freedom

• Jobs

• Mission

• Quality of Life (in the worst case, life itself – health, military, terrorism)

Page 28: Security in the Trenches


Security Goal

Reduce the risk of loss to an acceptable level

• We cannot eliminate risk. There will always be residual risk.

• Reducing risk will always have costs:
  Time (always)
  Money
  Access
  Convenience
  Privacy
  Freedom
  Complaints
  Quality of life
  Service delivery

Compare to costs of security incidents on previous slide – balance

Page 29: Security in the Trenches


Security Keystones

[Diagram: keystones labelled Awareness, Risk Assessment, Policies and Procedures, Access Control, and Monitoring and Response, together holding up Security]

Page 30: Security in the Trenches


Security Keystones

Awareness of the risks and a desire to do something to reduce those risks

Assessment of the risks and a willingness to accept the costs of addressing unacceptable risks, leading to

Policies and procedures to reduce the risks to an acceptable level

Controls enforcing the policies and procedures

Monitoring operation of the controls and compliance with policies and procedures

Responding to non-compliance incidents and altered risk assessment parameters through changing awareness

Repeat as necessary

Best practices and common sense can shorten the process, though without detailed analysis and comparisons, one may be led into a false sense of security and/or unproductive efforts.

Page 31: Security in the Trenches


Security Keystones

No one keystone can stand alone

No keystone is infallible.

Multiple layers of each keystone provide the best protection to minimize effects of failures and mistakes

Page 32: Security in the Trenches


Keystone – Risk Assessment

The factors that go into a risk assessment are constantly changing.

• Value
• Threats
• Vulnerabilities
• Probabilities
• Exposure
• Attack Activity
• Motivation

Page 33: Security in the Trenches


Keystone – Risk Assessments

Risk = Consequence x (threat x vulnerability)

• Consequences are rising rapidly as more services and data are made accessible online and systems are interconnected

• Threats are rising rapidly as attacks grow in number and sophistication

• Vulnerabilities are still rising as software gets more complex, services are pushed out faster, more services are exposed, automated exploit kits proliferate, and businesses struggle with global competition

Risk will increase for the foreseeable future
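The formula on this slide is easiest to see at work on a small risk register. The Python below is an added example and not material from the presentation: the assets, the 0-5 scoring scales, the controls, their costs, the acceptable threshold and the budget are all constructed, and choosing controls greedily by risk reduction per unit cost is this example's own assumption, not a method the deck describes. It applies the deck's formula per asset, ranks the assets, then buys the most cost-effective controls until every asset is at or below the acceptable level or the budget runs out; whatever risk is left is the residual risk the Security Goal slide says can never be eliminated.

```python
"""Risk register built on the deck's formula: Risk = Consequence x (threat x vulnerability).

Added example, not from the original presentation.  Assets, 0-5 scales, controls,
costs, the acceptable threshold and the budget are all constructed for illustration;
the greedy control selection is this example's assumption, not the deck's method.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    consequence: float    # impact if lost, 0-5 (constructed scale)
    threat: float         # likelihood of being attacked, 0-5
    vulnerability: float  # ease of a successful attack, 0-5

    def risk(self) -> float:
        # The deck's formula, applied per asset.
        return self.consequence * (self.threat * self.vulnerability)


@dataclass(frozen=True)
class Control:
    name: str
    asset: str                   # which asset it protects
    cost: float                  # constructed cost units (time, money, convenience, ...)
    threat_factor: float = 1.0   # multiplies threat (reduced exposure)
    vuln_factor: float = 1.0     # multiplies vulnerability (hardening, patching)


def apply(asset: Asset, control: Control) -> Asset:
    """Return the asset as it would score with the control in place."""
    return replace(asset,
                   threat=asset.threat * control.threat_factor,
                   vulnerability=asset.vulnerability * control.vuln_factor)


def rank(assets):
    """Assets ordered from highest to lowest risk (ties keep input order)."""
    return sorted(assets, key=lambda a: a.risk(), reverse=True)


def plan(assets, controls, acceptable: float, budget: float):
    """Greedily buy the control with the largest risk reduction per unit cost until
    every asset is at or below `acceptable` or nothing affordable helps.
    Returns (chosen control names, residual risk per asset, amount spent)."""
    current = {a.name: a for a in assets}
    available = list(controls)
    chosen, spent = [], 0.0
    while any(a.risk() > acceptable for a in current.values()):
        best, best_value = None, 0.0
        for c in available:
            if spent + c.cost > budget:
                continue          # over budget: this control is off the table
            before = current[c.asset]
            value = (before.risk() - apply(before, c).risk()) / c.cost
            if value > best_value:
                best, best_value = c, value
        if best is None:
            break                 # budget exhausted: what remains is residual risk
        current[best.asset] = apply(current[best.asset], best)
        available.remove(best)
        chosen.append(best.name)
        spent += best.cost
    residual = {name: round(a.risk(), 2) for name, a in current.items()}
    return chosen, residual, spent


# Constructed sample register (names and scores are illustrative only).
ASSETS = [
    Asset("student records database", consequence=5, threat=4, vulnerability=2),
    Asset("departmental web server", consequence=3, threat=5, vulnerability=4),
    Asset("staff desktop with SSN spreadsheets", consequence=4, threat=3, vulnerability=5),
    Asset("lab workstation", consequence=1, threat=3, vulnerability=3),
]
CONTROLS = [
    Control("patch web server promptly", "departmental web server", cost=2, vuln_factor=0.5),
    Control("default-deny firewall in front of web server", "departmental web server", cost=3, threat_factor=0.4),
    Control("move SSN spreadsheets to central store", "staff desktop with SSN spreadsheets", cost=4, vuln_factor=0.2),
    Control("non-Administrator account on desktop", "staff desktop with SSN spreadsheets", cost=1, vuln_factor=0.6),
    Control("encrypt database backups", "student records database", cost=5, vuln_factor=0.5),
]

if __name__ == "__main__":
    for a in rank(ASSETS):
        print(f"{a.risk():5.1f}  {a.name}")
    chosen, residual, spent = plan(ASSETS, CONTROLS, acceptable=20, budget=10)
    print("buy:", chosen, "spent:", spent)
    print("residual risk:", residual)
```

With the constructed numbers, a budget of 10 buys four controls and leaves the database at a risk of 40, above the acceptable level of 20, because the only control that would lower it is unaffordable. That is exactly the trade-off the Security Goal slide describes: risk reduction always costs something, and what the budget cannot buy down stays as residual risk that must be accepted and monitored.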

Page 34: Security in the Trenches


Generalizing Risk Assessment – Best Practices

Provide access only to that which is needed (default deny and least privilege)

Defense in depth (i.e. redundant layers)

These fundamental security principles haven’t changed in centuries. We ignore them at our peril.

Page 35: Security in the Trenches


Keystone – Policies and Procedures

Surrounds the whole process

Like a risk assessment, usually lags the environment and is difficult to implement for varying, complex systems needing good reaction times.

Page 36: Security in the Trenches


Keystone – Access Control: Layered Defense Theory

[Diagram: nested layers, outermost to innermost: Big Bad Internet, General Access, Sensitive Systems, Core Systems]

Page 37: Security in the Trenches


Keystone – Access Control: Layered Defense Practice

[Diagram: the same layers (Big Bad Internet, General Access, Sensitive Systems, Core Systems) annotated with where real systems sit: Self Service Student Information and Human Resources Systems; Backup Systems; Faculty/Staff (indirect path); Desktops and other unidentified sensitive systems]

Page 38: Security in the Trenches


What Data is on Your Desktops?

• Grades
• SSN
• Credit Cards
• Performance Evaluations
• Medical
• Resumes
• Research
• Vendor
• Purchasing
• Financial Reports
• Organizational Planning
• Environmental control systems
• Credit card processing systems
• Building entry and security systems
• ID/debit card systems

Office desktops? Home desktops? Laptops? CD? USB Drive? Floppy? Cell phone? PDA? Shared folder?

One mistake

Page 39: Security in the Trenches


Keystone – Access Control

Granting access indicates explicit trust

Not controlling access indicates implicit trust

• To read

• To alter

• To destroy

The more we depend upon trust, the less control we have.

• SPAM

• Network access – Scanning, bandwidth depletion, denial of service attacks, exploit attempts, unauthorized account access, patch urgency

• Computer access – running malicious programs, unsafe configurations, incompatible configurations

• Inappropriate use

Page 40: Security in the Trenches


Trust => Risk

Ignorance (failure of awareness)
Faulty Risk Assessment assumptions
Failed Access Controls
Failed Monitoring Processes
Inadequate Response
Inappropriate Use
========================================
Misplaced TRUST

Unaccepted Access ====> Unaccepted Risk

The more we trust, the more we better monitor.

Page 41: Security in the Trenches


Keystone – Monitoring

We have to monitor unless:

• Our trust in everything is 100% justified

• The factors that went into the risk assessment don’t change

• We’re not interested in detecting when we’re the victim of the residual assumed risk.

As malware and attacks move toward encrypted open ports (web), monitoring is going to be a lot harder.

The more we trust, the more we better monitor.

Page 42: Security in the Trenches


Risk Evolution

Decreasing

• Fundamental operating system and server defects

Increasing

• Human error due to complexity

• Desktops

• Distributed data exposure

• Client applications

• Web applications

Page 43: Security in the Trenches


Key Defense Improvements for Today’s Threat Environment

Reduce exposure

• Default deny networks

• Default deny computers (least privilege accounts e.g. non-Administrator)

Increase monitoring

Reduce reaction time to the inevitable security failure and new threat

Awareness != Education
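The "default deny networks" point above and the layered-defense diagrams earlier in the deck (Big Bad Internet, General Access, Sensitive Systems, Core Systems) can be shown together in one small policy evaluator. The Python below is an added example, not code from the presentation: the zone names are the deck's, but the allow rules, ports and sample flows are constructed, and the check that a flow may not skip a layer is this example's own assumption. It evaluates each flow under a default-deny policy, produces one log line per denial (the raw material for the "increase monitoring" point), and compares the result with a default-allow posture to show how much more exposure the latter leaves.

```python
"""Default-deny flow evaluation across the deck's four defense layers.

Added example, not from the original presentation.  The zone names follow the
deck's layered-defense diagram; the allow rules, ports and sample flows are
constructed.  The "no skipping layers" check is this example's assumption.
"""
from dataclasses import dataclass

# Layers from least to most trusted, as drawn in the deck.
ZONES = ["Big Bad Internet", "General Access", "Sensitive Systems", "Core Systems"]
DEPTH = {zone: i for i, zone in enumerate(ZONES)}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    comment: str


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int


# The complete allow list: every flow not matched here is denied (default deny).
ALLOW = [
    Rule("Big Bad Internet", "General Access", 443, "public web front end"),
    Rule("General Access", "Sensitive Systems", 8443, "web tier to application tier"),
    Rule("Sensitive Systems", "Core Systems", 5432, "application tier to database"),
]


def crosses_layers(flow: Flow) -> int:
    """Number of layer boundaries the flow crosses inward (negative = outward)."""
    return DEPTH[flow.dst_zone] - DEPTH[flow.src_zone]


def decide(flow: Flow, rules=ALLOW):
    """Default-deny decision: (allowed, reason).
    A flow is allowed only if it does not skip a layer and an explicit rule matches."""
    if flow.src_zone not in DEPTH or flow.dst_zone not in DEPTH:
        return False, "unknown zone"
    hops = crosses_layers(flow)
    if hops > 1:
        return False, f"skips {hops - 1} layer(s)"
    for r in rules:
        if (r.src_zone, r.dst_zone, r.dst_port) == (flow.src_zone, flow.dst_zone, flow.dst_port):
            return True, r.comment
    return False, "no matching rule (default deny)"


def decide_default_allow(flow: Flow, rules=ALLOW):
    """The posture the deck argues against: everything passes unless it skips a layer.
    Included only to measure how much more gets through than with default deny."""
    if flow.src_zone not in DEPTH or flow.dst_zone not in DEPTH:
        return False, "unknown zone"
    hops = crosses_layers(flow)
    if hops > 1:
        return False, f"skips {hops - 1} layer(s)"
    return True, "default allow"


def audit(flows, policy=decide):
    """Run a policy over flows; return counts plus one log line per denial."""
    allowed = denied = 0
    log = []
    for f in flows:
        ok, reason = policy(f)
        if ok:
            allowed += 1
        else:
            denied += 1
            log.append(f"DENY {f.src_zone} -> {f.dst_zone}:{f.dst_port} ({reason})")
    return {"allowed": allowed, "denied": denied, "log": log}


# Constructed sample traffic.
SAMPLE_FLOWS = [
    Flow("Big Bad Internet", "General Access", 443),     # allowed: public web
    Flow("Big Bad Internet", "General Access", 22),      # denied: no rule for this port
    Flow("Big Bad Internet", "Core Systems", 5432),      # denied: skips two layers
    Flow("General Access", "Sensitive Systems", 8443),   # allowed
    Flow("Sensitive Systems", "Core Systems", 5432),     # allowed
    Flow("General Access", "Core Systems", 5432),        # denied: skips a layer
    Flow("Core Systems", "General Access", 443),         # denied: no outbound rule
]

if __name__ == "__main__":
    for name, policy in (("default deny", decide), ("default allow", decide_default_allow)):
        result = audit(SAMPLE_FLOWS, policy)
        print(f"{name}: {result['allowed']} allowed, {result['denied']} denied")
    for line in audit(SAMPLE_FLOWS)["log"]:
        print(line)
```

On the sample traffic, default deny passes 3 of the 7 flows and logs the other 4, while default allow passes 5; the two extra flows it lets through are the ones with no documented business purpose, which is the exposure the slide asks you to reduce. The denial log is also the cheapest monitoring signal available: a burst of denied inbound flows to a sensitive zone is worth an alert even though every one of them was blocked.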

Page 44: Security in the Trenches


WE ARE ALL IN THE TRENCHES!

Defending:

• Our own computer and information

• Our constituents’ information and services

• Our organization’s information and services