Title: Technical Risk, Technical Remediation, Technical Myth (Mike Scher, Director of Labs, Neohapsis, Inc.)
1. Technical Risk, Technical Remediation, Technical Myth
Mike Scher, Director of Labs, Neohapsis, Inc.
2. Neohapsis 101 - Who we are and what we do
- Information Security Consultancy with an emphasis on R&D and QA/QC
- Network Computing Magazine's Chicago Lab
- Producers of the SANS Security Alert Consensus Newsletter (SAC)
- Security Design, Testing, Forensics
3. Managing Technical Risks
- Legal Risk Management
- Infrastructure Security
- Financial Risk Management (Insurance)
- Risk Transfer and Due Diligence
4. Technical Risks
- Risks to Systems
  - Process disruption
  - Access to data
- Risks to Data
  - Data can be disclosed or stolen
  - Data can be altered
  - Data can be destroyed
  - Data can become unavailable
5. How Technical Risks to Data Ripen
- Gaps
  - Lack of policy regarding access to and placement of sensitive data
  - Lack of technical access controls that implement system and data access policies
  - Lack of policy verification and enforcement that audits technical access controls
6. How Technical Risks to Data Ripen
- Ambiguities or lapses
  - Ambiguity or oversight in policy, from no authoritative source of policy interpretation
  - Ambiguity or oversight in application of technical access controls, from no authoritative source of technical policy planning and review
7. How Technical Risks to Data Ripen
- Technical failures in access controls
  - Complexity of technical security systems
  - System interactions
  - Unpredictable failure modes
  - Inability to validate security aspects of vendor-provided systems, including security systems
  - Technical limitations of corporate test groups
  - Time and materials limitations of testing
  - Legal limits from statute and license
8. Protections for Data
- WHO - Authentication systems
  - IDs
  - Passwords
  - Certificates
  - Tokens
- WHAT and HOW - Access control / authorization systems
  - Firewalls (and intrusion prevention)
  - Routers, switches
  - Operating system controls
- WWHW Review - Audit systems
  - Intrusion detection
  - Logging
  - Event aggregation and analysis (SIM)
9. AAA
- Authentication systems validate who it is
- Access control systems limit what they can do
- Audit systems review who did what, when
10. Policy is Critical
- Without coordination of Who, What, and How, and the ability to test and audit, security is a matter of reaction
- Reactive security is costly
- Reactive security is ultimately ineffectual
- Policy, well-implemented and reviewed, means proactive security, anticipating needs
11. Examples of Technical Risks
- External Access Controls
  - Too many internal applications open to outside
  - VPN and dial-up access based on weak access controls
  - Access to internal applications dependent on 3rd party's security
- Online Applications
  - User account guessing (weak access controls)
  - Session ID spoofing/guessing
  - Insufficient input data scrubbing
    - SQL tampering
    - Arbitrary command execution
    - Cross-site scripting
- Audit Issues
  - No or unverifiable history of who accessed what
  - No ability to monitor copies of data
12. Authentication
- User identification
  - Who do you claim to be?
  - Note the use of the term "claim"
- Examples
  - a userid: jsmither
  - a name: Joshua Smither
  - an SSN: 111-11-1111
  - an e-mail address: jsmither@example.com
- Not always unique, even on the system
13. Authentication (cont.)
- User identification + Something else
  - Reasonable association of the person with the ID presented
- Why reasonable?
  - All access controls can be defeated
  - Many can be spoofed
  - Reasonability depends (ideally) on a risk analysis
  - What does the ID guard?
14. Authentication (cont.)
- PLUS Something else (How can I reasonably assume you are who you claim to be?)
  - Password
  - Digital certificate
  - One-time password (e.g., tokens)
  - Biometric
  - ANI (caller-ID)
  - Physical locality (including IP address)
  - Combinations of techniques
15. Passwords
- Passwords
  - Generally reusable
  - Mandatory change periods
  - Minimums on password length, strength
16. Digital Certificates
- Based on difficulty of factoring the huge product of two very large prime numbers
- Secure websites (SSL)
- Public/Private Key encryption (PGP)
  - A uses B's PUBLIC key to send to B
  - B uses B's PRIVATE key to read it
  - B uses A's PUBLIC key to respond
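The A-to-B-to-A flow above, as an added example that is not part of the original deck: a toy RSA round trip built from tiny constructed primes (61, 53, 89, 97) so the arithmetic is visible, plus a trial-division step showing why the "huge product" has to be huge. This is textbook RSA with no padding, for illustration only.

```python
"""Toy RSA round trip for the A -> B -> A flow on slide 16.

Added example, not from the deck. Primes are tiny and constructed so the
arithmetic is visible; this is textbook RSA with no padding, which is
NOT safe to deploy. Real keys are 2048+ bits and use OAEP or similar."""
from math import gcd


def make_keypair(p, q, e=17):
    """Build (public, private) from two primes p, q with public exponent e."""
    n = p * q                        # the product an attacker would have to factor
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)              # private exponent: e * d == 1 (mod phi)
    return (e, n), (d, n)


def encrypt(message, public_key):
    """Encrypt each byte separately with the recipient's PUBLIC key."""
    e, n = public_key
    return [pow(b, e, n) for b in message.encode()]


def decrypt(blocks, private_key):
    """Recover the bytes with the holder's PRIVATE key."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in blocks).decode()


def exchange(msg_to_b, reply_to_a):
    """A -> B using B's public key, then B -> A using A's public key."""
    a_pub, a_priv = make_keypair(61, 53)    # A's pair (constructed primes)
    b_pub, b_priv = make_keypair(89, 97)    # B's pair (constructed primes)
    received_by_b = decrypt(encrypt(msg_to_b, b_pub), b_priv)    # only B's private key opens it
    received_by_a = decrypt(encrypt(reply_to_a, a_pub), a_priv)  # only A's private key opens it
    return received_by_b, received_by_a


def recover_private_key(public_key):
    """Factor n by trial division and rebuild d. Feasible only because n is
    tiny; with two very large primes this step is what makes RSA hold up."""
    e, n = public_key
    p = next(i for i in range(2, int(n ** 0.5) + 1) if n % i == 0)
    return pow(e, -1, (p - 1) * (n // p - 1)), n


if __name__ == "__main__":
    print(exchange("hello B", "hi A"))
    print(recover_private_key(make_keypair(61, 53)[0]))
```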
17. Digital Certificates (cont.)
- (sample PEM-encoded certificate, not reproduced)
18. Tokens and Smart Cards
- Tokens (One-Time Passwords)
  - Brands
    - SecurID
    - Axent (Symantec) Defender
    - SecureComputing Safeword
    - Cryptocard
- Smartcards
  - Memory smart cards store information (such as a digital certificate)
  - True smart cards do the math internally
19. Biometrics
- Familiar territory in forensics work
- The goal is, ultimately, to do what we do in real life to recognize the person
- Convergence (accuracy of readers) remains a critical issue, with fairly high false negatives and some disturbing false positive numbers in recent testing
20. Locality
- Door-mounted card readers, hand-print readers, keypads, etc.
- Car door PIN locks
- Keys in locks
- ANI (Automatic Number Identification)
- Secure terminals in secure locations
- IP addresses (in some cases)
21. Problems in Authentication
- Username/Password
  - Easily stolen when sent in clear
  - Or via trojan horse programs, worms, viruses
  - Can be weak or strong (vs. guessing or cracking)
    - Weak: mouser1 (guessable)
    - r!verb3d (crackable)
    - Strong: 9i63vDvK
  - When they are memorable, they are weak
  - When they are strong, they are unmanageable
  - People almost always either pick weak passwords or they record their passwords someplace handy (perhaps protected by a single password)
  - Anyone can use anyone else's password
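The three password buckets on this slide (guessable, crackable, strong), as an added example that is not from the original deck: a small classifier that applies the checks a cracking tool's rule set would, against a constructed mini-wordlist. The wordlist, the substitution table and the 40-bit entropy threshold are assumptions chosen for illustration.

```python
"""Classify passwords into slide 21's buckets: weak (guessable),
crackable (a dictionary word behind simple substitutions), or strong.

Added example, not from the deck. The wordlist is a tiny constructed
stand-in for the dictionaries real cracking tools carry."""
import math
import re
import string

# Constructed mini-dictionary; real attackers use millions of entries.
WORDLIST = {"mouse", "mouser", "river", "riverbed", "password", "letmein"}

# Common 'leet' substitutions that a cracker's rule set undoes.
LEET = str.maketrans({"!": "i", "1": "i", "3": "e", "0": "o",
                      "4": "a", "@": "a", "$": "s", "5": "s"})


def charset_bits(password):
    """Rough entropy estimate: length * log2(alphabet size), by classes used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


def classify(password):
    """Return 'weak', 'crackable' or 'strong' for one password."""
    base = re.sub(r"\d+$", "", password.lower())    # mouser1 -> mouser
    if base in WORDLIST:
        return "weak"          # dictionary word plus a digit: guessable
    if password.lower().translate(LEET) in WORDLIST:
        return "crackable"     # r!verb3d -> riverbed: falls to a rule-based cracker
    # Assumed threshold: below ~40 bits a brute-force search is cheap.
    return "strong" if charset_bits(password) >= 40 else "crackable"


if __name__ == "__main__":
    for pw in ("mouser1", "r!verb3d", "9i63vDvK"):
        print(pw, classify(pw))
```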
22. Problems in Authentication (cont.)
- Digital Certificates
  - Large password protected by a small password
  - File can be taken just like any other
  - User's password to activate the certificate may be
    - Guessed
    - Cracked
    - Snooped
  - More like a rubber-stamp signature in a locked drawer
  - But owner may have no indication of its theft
  - Rebuttable presumption of identity unlikely to ever be rebutted
23. Problems in Authentication (cont.)
- Biometrics
  - Biometrics are static, and easily copied once known
  - Never-ending escalation of spoofing tricks against the reader, never-ending need to upgrade readers
  - Remote biometric authentication raises issues
    - Credentials injected into the stream
    - Biometric readers use a variety of cryptographic methods to ensure data integrity and reader legitimacy
    - At that point, biometrics are a fixed password in a public-key authentication system
24. Problems in Authentication (cont.)
- IP addresses (network locality)
  - Spoofable for some kinds of connections
  - Don't establish that the user initiated the action
25. Authentication as Evidence
- Combining unintended authenticators with intentional authenticators increases evidentiary value
- Example: DNR + time of day + IP + username and password files found on user's system
26. Problems in Authentication (cont.)
- DNR + IP + time of day + username and password files found on user's system
  - Was it the user?
  - Or was it a worm?
  - Or was it an electronic intruder using the person's computer?
- Other, circumstantial evidence may defeat such assertions
27. Authorization Systems
- Essentially Access Control Lists (ACLs)
  - On firewalls / IPS
  - On gateways and routers
  - On servers
  - On workstations
28. Firewalls
- Help provide an initial layer of defense at boundaries
- Provide network accounting mechanisms
- Can be used as a broad access control device
- Some firewalls can do ACL and pattern-based content control, including virus filtering
29. Firewalls (cont.)
30. Firewalls (cont.)
- All firewalls are not created equal
  - Proxy vs. stateful
  - Proxy vs. proxy
  - Proxy vs. IPS
- There is no best firewall
- Don't solve host/server-level problems
- Have a history of their own security problems
- Often provide a false sense of security
31. (No transcript)
32. Gateways
- Whose traffic goes where and how?
- Gateways don't just include firewalls
  - Alternate routers
  - Wireless
  - Dial-up
  - Legacy (X.25)
  - Virtual Private Network (VPN) gateways
- Any information security program must take all gateways to the corporate network into account.
33. VPNs
- VPN
  - Simulate a point-to-point, dedicated telco line as closely as reasonably possible
  - Identify user or remote network (authentication)
  - Limit access (authorization)
  - Log accesses and violations (accounting)
34. (No transcript)
35. (No transcript)
36. VPNs (cont.)
- Inherently serve one real purpose
  - Make doing a very risky thing as safe as reasonably possible
- Then why do we use them?
  - Costs
  - Also, costs
  - Oh, and costs, too.
37. VPNs (cont.)
- (Not to mention, costs.)
- The Big Myths about VPNs
  - inherently add security
  - authenticate end-users
  - ensure authorized use
  - always less expensive than dedicated telco connectivity
38. VPNs (cont.)
- Risks (especially in connecting a home user to the enterprise network) are significant
  - Privacy of the connection and authentication traffic
  - Theft/compromise of authentication credentials
  - End user's system used as live gateway to private network after the user authenticates
  - End user fooled into authenticating to trojan gateway
  - Store-and-forward (time-delayed) attacks from compromised end-user system
39. Logs (audit trails) and Authentication
- System logs of who was on what system when depend on authentication credentials of the user
- Authentication credentials are often combined for greater assurance
  - password + biometric + locality
  - token (one-time password) + password + locality
40. Intrusion Detection Systems
- Misuse detection vs. anomaly detection
- Host based (HIDS) vs. network based (NIDS)
  - HIDS: active audit trail monitoring
  - NIDS: snooping network traffic for signs of malfeasance
- Almost all report to a central collection, correlation and alert-generating server
- Useful as an early-warning system and for trending trouble areas
- Useful for some types of after-the-fact damage analysis
41. The Upshot
- Defense in depth is becoming the new best practice in most industries
  - Use firewalls at least at corporate borders
  - Use IDS internally and at borders
  - Secure servers and put IT policies in place to maintain their security
  - Use strong authentication devices for all remote access
  - Use VPNs with strong authentication and limit remote users' capabilities
- Defense in depth requires coordinated, intelligent policies, risk analysis, and regular technical review
- Never assume a product is so secure that it is all you need for security, even a firewall
- IT staff need to get and stay up to date, reviewing new issues almost on a daily basis
- Manage IT risks as a part of conducting business
42. Questions
43. URLs
- Us: http://www.neohapsis.com
- Many security mailing list archives: http://archives.neohapsis.com
- Security Alert Consensus (SAC): http://www.sans.org/sansnews/
- Mike: mscher@neohapsis.com