Information Security Fundamentals - PowerPoint PPT Presentation

About This Presentation
Title:

Information Security Fundamentals

Description:

www.thespystore.com PC surveillance equipment (hardware & software), & more. ... Yesterday, He Installed PC Pandora Today, She was Busted Online! www.PCPandora.com ... – PowerPoint PPT presentation

Slides: 59
Provided by: charissec

Transcript and Presenter's Notes


1
Information Security Fundamentals
2
What is Computer Security?
  • The practice of enabling access to computers,
    networks, systems and services to perform
    authorized functions without the risk of
    compromise

3
What is Information Security?
  • The practice of enabling access to information
    without risk of
  • Misappropriation
  • Inadvertent disclosure
  • Denial of Access

4
Why is it hard?
  • Core elements of our infrastructure were not
    designed with security in mind
  • Internetworking, Unix, Windows
  • Lack of security professionals
  • Only recently has computer security become a
    practice that is taught, measured, and researched
  • Failure of business methods
  • Ultimately business trade-offs are made by
    executives and individuals: security purchases
    and policy vs. the risk of an incident

5
Why should you care?
  • Increasing liability by statute
  • GLB, HIPAA, SOX, State of California SB 1386
  • Now 37 other states have adopted similar
    statutes
  • Increasing awareness at the federal level
  • Homeland Security
  • Gilmore Commission
  • Recommending corporate liability for failure to
    implement adequate security measures

6
Business Risks
  • Loss of / damage to valuable company assets
    (information, IP)
  • Repair / replacement costs
  • Interruption of operations
  • Loss of competitive advantage
  • Loss of revenue
  • Fraud
  • Bad publicity

7
Recent Example
  • TJX
  • Had all the requisite security solutions
  • Passed their security audits
  • Was PCI compliant
  • But
  • Breach occurred 17 months before detected
  • An "unauthorized intruder" gained access and
    obtained
  • 40,000,000 credit/debit card account numbers with
    expiration dates
  • Encrypted personal identification numbers
  • Result
  • Led to fraud in several states and overseas
  • 40 of 60 reporting member banks suffered card
    compromise
  • Millions of dollars in forensics - ongoing
  • Led to material loss disclosed on SEC filing
  • Lawsuits are likely

http://www.smh.com.au/news/Technology/TJX-Thieves-Had-Time-to-Steal-Trip-Up/2007/04/14/1175971386089.html
8
Security Rule 1
  • Security is an adjective, not a noun

9
Subjects & Objects
  • Subjects
  • Entities that ACT
  • Objects
  • Entities that are ACTED upon
  • Many entities can be both depending upon the
    context

10
Some examples of Subjects
  • Users
  • System programs
  • Viruses

11
Some examples of Objects
  • Files
  • Networks
  • Systems

12
The 4 As
  • Authentication: Who or what am I?
  • Authorization: What am I permitted to do?
  • Access Control: Rules that grant or deny access
    to a resource
  • Audit & Monitoring: Log and monitor what actually
    happens

13
What do we apply the 4As to?
  • Humans
  • Systems
  • Networks
  • Applications
  • Data

14
Relationship of Subjects & Objects
  • Security rules govern the behavior of subjects
    and objects.
  • Different operating systems and networks provide
    different de facto security rules

15
Basic Rules
  • Operating Systems grant rights to Subjects
  • E.g. users
  • access to files
  • access to the network
  • Access to hardware resources (keyboard, screen,
    disk)

16
File Access Rights
  • Operands
  • Read
  • Write
  • Execute
  • Append
  • Create
  • Delete
  • Share (Windows)
  • Subjects
  • Process (an instance of a program)
  • Users

17
Examples
  • Administrators in Windows can update or change
    any file.

18
OS Rights
  • Windows grants sharing rights on the directory
  • Different rights for local users vs network

19
A little bit about files
  • Most objects in operating systems are files
  • Directories
  • Executables
  • Data
  • Even devices have a representation in the file
    system

20
Files
  • Most file systems are hierarchical
  • Directories
  • User Files
  • Device drivers

21
Windows File System
22
Devices are represented as files
23
Why are device files important
  • Many malware programs attach to these device
    files, especially in Windows
  • Keystroke loggers
  • Vulnerabilities (i.e. software programming
    errors) leave the door open for hackers.

24
One use for a keystroke logger
  • Find a wife

25
Netman vulnerability
  • Microsoft Windows Network Connections Service
    netman.dll Remote DoS. Posted on 14 July 2005
  • Vulnerability Description: Windows contains a
    flaw that may allow a remote denial of service.
    The issue is due to an error in a function within
    netman.dll that when given a large integer will
    result in loss of availability for the network
    connections service.
  • Solution Description: Currently, there are no
    known upgrades, patches, or workarounds available
    to correct this issue.
  • Products

26
Keystroke Loggers
  • Top Keystroke Logger - AwarenessTech.com/Keystroke_Logger
    Monitor keystrokes, emails & more.
    Free demo. Money back guarantee!
  • Spector Keystroke Logger - www.spectorsoft.com
    PC Magazine Editors' Choice. Record everything
    they type online.
  • The Spy Store - www.thespystore.com
    PC surveillance equipment (hardware & software),
    & more.

27
More keystroke loggers
  • Catch a Cheating Spouse - Yesterday, He Installed
    PC Pandora. Today, She was Busted
    Online! www.PCPandora.com
  • Download free keylogger - "Perfect Keylogger" -
    invisible Vista ...
  • Keylogger with remote installation function,
    records keystrokes, ICQ/AIM chats, websites
    visited, makes screenshots and monitors the
    clipboard. www.blazingtools.com/bpk.html
  • http://en.wikipedia.org/wiki/Keystroke_logging

28
Keystroke Loggers
  • Why are there so many? How risky are they?

29
The New Money
  • Today's computers are the new banks
  • Today's money
  • Social Security Numbers
  • Protected Health Information
  • Personal Information
  • Bank Accounts
  • Credit Card Information
  • Financial Records
  • Proprietary Data
  • National Security

"Go where the money is ... and go there often."
Willie Sutton, Bank Robber
30
How to prevent keystroke logging
  • Kernel-based loggers can't install without admin
    permission
  • But other loggers can
  • Be careful about pop-ups and attachments

31
How to detect keystroke loggers
  • Anti-spyware, but it doesn't catch everything
  • Some decent ones
  • Windows Defender (free to Microsoft XP customers;
    no Win 2K support)
  • PC Tools
  • Webroot
  • Observe programs that are running
  • http://cybercoyote.org/security/serv-comp.htm
  • Has a list of standard services, but this is
    HARD

32
Example Windows Defender Scan
33
Windows Defender Options
34
Try to limit services running
  • http://cybercoyote.org/security/serv-comp.htm

35
How to mitigate a keystroke logger
  • Carefully configure your desktop firewall
  • But this is very hard
  • Use a whitelisting kernel-level technology
  • But no shareware available
  • Behavioral analysis / Intrusion Prevention

36
Sidebar into firewalls
  • And why they are hard to use against keystroke
    loggers
  • IP addresses
  • XXX.XXX.XXX.XXX:PORT
  • Firewalls grant or deny access based on IP
    address/port pairs

37
IP Addresses
  • The Internet uses IPv4 addresses
  • Addresses are 32 bits long
  • Range from 1.0.0.0 to 223.255.255.255
  • 0.0.0.0 to 0.255.255.255 and 224.0.0.0 to
    255.255.255.255 have special uses
  • An IPv4 address has a network portion

38
Firewalls
39
Traditional Edge Firewall Rules
40
Desktop Firewalls are different
  • No into/out of physical ports
  • Most assume the user is trusted

41
Windows Firewall
42
Windows Firewall
43
Windows Firewalls
  • 192.168.0.180 connecting to the web server is, on
    my network firewall at home, a host connecting out
  • But should Skype be allowed to connect in to my
    browser?
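The IP-address and IP/port-pair rule model from the firewall slides above, as an added example (not code from the presentation): a dotted quad is parsed to the 32-bit integer, the special-use ranges the slide lists are checked, the network portion is split off with an assumed prefix length, and a constructed home-firewall rule set decides "in" vs "out" connections by address and port only. The rule set, the rule format and the hosts are assumptions for illustration.

```python
from typing import Optional
from dataclasses import dataclass

def parse_ipv4(dotted: str) -> int:
    """Dotted quad -> the 32-bit integer the slide describes."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    value = 0
    for p in parts:
        value = (value << 8) | int(p)
    return value

def is_special_use(dotted: str) -> bool:
    """The slide's special-use ranges: 0.0.0.0-0.255.255.255 and 224.0.0.0-255.255.255.255."""
    ip = parse_ipv4(dotted)
    return ip <= parse_ipv4("0.255.255.255") or ip >= parse_ipv4("224.0.0.0")

def network_portion(dotted: str, prefix_len: int) -> str:
    """Keep only the network portion, given a prefix length such as 24 (assumed, not on the slide)."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    net = parse_ipv4(dotted) & mask
    return ".".join(str((net >> shift) & 0xFF) for shift in (24, 16, 8, 0))

@dataclass(frozen=True)
class Rule:
    direction: str       # "in" (connecting in) or "out" (connecting out)
    remote_net: str      # dotted network address of the remote side
    prefix_len: int      # 0 means any address
    port: Optional[int]  # None means any port
    action: str          # "allow" or "deny"

def decide(rules, direction: str, remote_ip: str, port: int) -> str:
    """First matching IP/port rule wins; anything unmatched is denied."""
    for r in rules:
        if r.direction != direction or (r.port is not None and r.port != port):
            continue
        if network_portion(remote_ip, r.prefix_len) == network_portion(r.remote_net, r.prefix_len):
            return r.action
    return "deny"

# Constructed home rule set: hosts may connect out to web servers, only LAN neighbours
# may connect in. Note the firewall sees only addresses and ports, which is why it
# cannot tell the browser from a keystroke logger that sends data through the browser.
RULES = [
    Rule("out", "0.0.0.0", 0, 80, "allow"),
    Rule("out", "0.0.0.0", 0, 443, "allow"),
    Rule("in", "192.168.0.0", 24, None, "allow"),
]
```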

44
Keystroke loggers
  • And in fact all backdoor type programs
  • Connect to a remote site to send stolen
    information
  • The dumb ones use proprietary connections
  • The smart ones use legitimate programs - browsers
    (IE), email (SMTP)
  • What's a poor firewall to do?

45
Conclusion
  • Desktop firewalls don't help with mitigating
    keystroke loggers

46
Other keystroke logger mitigations
  • White listing or grey listing; behavioral
    analysis
  • White listing
  • allow only the programs on the list to run

47
Some white listing companies
  • www.stillsecure.com
  • www.solidcore.com
  • www.coretrace.com
  • http://www.bit9.com/flash/demo-parity.php

48
Conclusion
  • White listing is great if you have
  • Static desktops
  • Full time staff
  • An application use policy
  • Lots of cash

49
Keystroke logger mitigation
  • Behavioral Analysis
  • Uses a variety of techniques to determine
    unusual behavior
  • Thresholding
  • Anomaly detection
  • Statistical analysis
  • Operate on OS calls

50
Block device low level routines
  • The BDD DLL must contain the following exported
    routines
  • xxx_Deinit
  • xxx_Init
  • xxx_Open
  • xxx_Close
  • xxx_Read
  • xxx_Write
  • xxx_Seek
  • xxx_IOControl
  • xxx_PowerDown
  • xxx_PowerUp

51
Behavioral Analysis
  • Operates on OS calls
  • Doesn't keep track of application data (e.g. which
    web site was visited)
  • Has one big problem
  • False positives
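The behavioral-analysis approach of the two slides above (thresholding, anomaly detection and statistical analysis over OS calls, with no view of application data), as an added example that is not part of the presentation: a constructed call trace is scanned for processes that read the keyboard device file and then write to the network. The trace format, process names and the "net:socket" target are assumptions; the pure behaviour-pairing rule shows the false positive the slide warns about, because a legitimate chat program behaves the same way.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed trace, one call per line: "<seconds>,<process>,<call>,<target>".
# spyware.exe is the logger, chat.exe a legitimate program that also sends typed text.
TRACE = """\
0,notepad.exe,ReadFile,\\Device\\KeyboardClass0
1,notepad.exe,WriteFile,C:\\notes.txt
2,spyware.exe,ReadFile,\\Device\\KeyboardClass0
3,spyware.exe,ReadFile,\\Device\\KeyboardClass0
4,spyware.exe,WriteFile,net:socket
5,chat.exe,ReadFile,\\Device\\KeyboardClass0
6,chat.exe,WriteFile,net:socket
7,spyware.exe,ReadFile,\\Device\\KeyboardClass0
8,spyware.exe,WriteFile,net:socket
"""

def parse_trace(text):
    rows = []
    for line in text.splitlines():
        ts, proc, call, target = line.split(",", 3)
        rows.append((int(ts), proc, call, target))
    return rows

def behaviors(rows):
    """Per process: number of keyboard-device reads, and whether it ever wrote to the network.
    Only call names and targets are used, never what was typed (no application data)."""
    kb_reads, wrote_net = defaultdict(int), defaultdict(bool)
    for _, proc, call, target in rows:
        if call == "ReadFile" and "KeyboardClass" in target:
            kb_reads[proc] += 1
        if call == "WriteFile" and target.startswith("net:"):
            wrote_net[proc] = True
    return kb_reads, wrote_net

def rule_threshold(kb_reads, wrote_net, max_reads=2):
    """Thresholding: more keyboard reads than the fixed limit, plus a network write."""
    return sorted(p for p in kb_reads if kb_reads[p] > max_reads and wrote_net[p])

def rule_anomaly(kb_reads, wrote_net, k=1.0):
    """Statistical: keyboard reads more than k standard deviations above the mean, plus a network write."""
    counts = list(kb_reads.values())
    cutoff = mean(counts) + k * pstdev(counts)
    return sorted(p for p in kb_reads if kb_reads[p] > cutoff and wrote_net[p])

def rule_pairing(kb_reads, wrote_net):
    """Behaviour pairing alone: reads keyboard and talks to the network. Flags chat.exe too."""
    return sorted(p for p in kb_reads if wrote_net[p])

def analyze(text):
    kb_reads, wrote_net = behaviors(parse_trace(text))
    return {"threshold": rule_threshold(kb_reads, wrote_net),
            "anomaly": rule_anomaly(kb_reads, wrote_net),
            "pairing": rule_pairing(kb_reads, wrote_net)}
```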

52
Summary
  • We've talked about file systems and access to
    them
  • Users and programs are granted access based on
    what the operating system offers
  • But on Windows we often operate as a system user
    (admin) with access rights to everything
  • Time for Rule 2

53
Security Rule 2
  • If security gets in the way of performance,
    reliability or job function it is thrown out
  • Unless you are in a regulated industry

54
Rights
  • Subjects and Objects can have different rights
  • Rights can be inherited
  • Rights can be temporarily granted

55
Database Program (read/write database files)
  • [Diagram] User --Read--> Database Program
    --Read and Write (RW)--> Database Files
56
Install Program (setup.exe)
  • [Diagram] User --> Install Program (setup.exe)
    --> System Files
57
Why is inheritance important?
  • Most viruses & worms install on PCs as a result
    of user action.
  • If the user's email program didn't inherit
    administrative rights (and pass them on to the
    virus), most malware would be ineffective
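A small model of the Rights slides above (subjects and objects with different rights, rights inherited by child processes, and rights granted temporarily), as an added example that is not part of the presentation and not any operating system's API. The subject names, the "system_files" object and the email-attachment scenario are assumptions; the model shows why running the mail client as a user rather than as Administrator keeps a spawned attachment from writing system files.

```python
from dataclasses import dataclass, field

@dataclass
class Subject:
    name: str
    rights: dict = field(default_factory=dict)   # object name -> set of rights
    parent: "Subject | None" = None              # the subject that spawned this one

    def effective(self, obj: str) -> set:
        """Own rights on obj plus everything inherited up the parent chain."""
        own = set(self.rights.get(obj, set()))
        return own | (self.parent.effective(obj) if self.parent else set())

    def spawn(self, name: str) -> "Subject":
        """A child process inherits its parent's rights (the default most OSes give)."""
        return Subject(name, parent=self)

    def can(self, obj: str, right: str) -> bool:
        return right in self.effective(obj)

def with_temporary_grant(subject: Subject, obj: str, right: str, action):
    """Grant a right only for the duration of action(), then take it back."""
    subject.rights.setdefault(obj, set()).add(right)
    try:
        return action()
    finally:
        subject.rights[obj].discard(right)

def attachment_can_write_system_files(run_mail_as_admin: bool) -> bool:
    """Slide 57's scenario: does a 'virus' spawned by the mail program end up with
    write access to system files? Only when the mail program inherited admin rights."""
    admin = Subject("Administrator", {"system_files": {"read", "write", "delete"}})
    user = Subject("alice", {"system_files": {"read"}, "mail": {"read", "write"}})
    mail = (admin if run_mail_as_admin else user).spawn("outlook.exe")
    virus = mail.spawn("attachment.exe")
    return virus.can("system_files", "write")

def install_with_temporary_rights():
    """Slide 56's setup.exe: write on system files only while the grant lasts.
    Returns (could write during install, can write afterwards)."""
    user = Subject("alice", {"system_files": {"read"}})
    setup = user.spawn("setup.exe")   # inherits whatever alice holds at check time
    during = with_temporary_grant(user, "system_files", "write",
                                  lambda: setup.can("system_files", "write"))
    return during, setup.can("system_files", "write")
```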

58
Access
  • Most sophisticated access can be expressed as
    read/write primitives
  • Can you think how to express delete as
    read/write?
  • How is delete different from Erase?