The Security State of Mind - PowerPoint PPT Presentation

Slides: 96
Provided by: chet6

Transcript and Presenter's Notes

The Security State of Mind
  • Chet Uber
  • CTO/World Media Company
  • 1999 CERT Conference Tutorial

Chet's Disclaimer
  • The opinions expressed are mine and mine alone;
    they are not those of my employer, World Media
    Company, or our parent, the Omaha World-Herald.
  • If you are easily upset by non-traditional,
    in-your-face discussions of security methodology,
    you had better leave now.

Presentation Premise
  • The danger posed by intruders and those that wish
    you harm is FAR underestimated. We have not
    seen the tip of the iceberg, and the only folks
    that really understand the implications are the
    NSA, DOD and DOE. The statement concerning the
    NSA, DOD and DOE is conjecture on my part.

What is the Security State of Mind (SSM)?
  • The Security State of Mind has to do with using
    every means at your disposal to design and
    implement unwavering Security-in-Depth. A sign
    that you have the SSM is when upper management
    and your coworkers constantly say, "You are
    really being paranoid about this."

What is the Security State of Mind (SSM)?
  • The proof that you have the SSM is that you know
    your paranoia is really just your very clear
    picture of the reality of the situation at hand.
  • One of the tenets of the SSM is the
    understanding that business is war, and that
    everyone is a potential enemy.

What the SSM tells us!
  • There is no such thing as a 100% secure system
    or network.
  • That human beings are the weakest link in the
    implementation of security policies.
  • That there is a trade-off between the amount of
    security and usability.

State of the Union address for the networked
open system environment
"The security field is neither stable nor
globally understood, and with the inclusion of
the Internet has led to a condition where
greater than 75% of these networks are highly
vulnerable" -- July 1999, ISS Inc.
A recent report was prepared by WarRoom Research,
LLC in support of the Senate's Permanent
Subcommittee on Investigations, which involved,
among others, the FBI, Ernst & Young
LLP/InformationWeek, the Computer Security Institute,
the GAO, and the U.S. Military Services.
The following conclusions were put forward in the
WarRoom report ...
The human threats are growing in numbers
  • 61% of those organizations responding to the
    WarRoom Survey had experienced an internal attack
    within the past 12 months.
  • 58% of those organizations responding to the
    survey had experienced an external attack within
    the past 12 months.

The vulnerability conditions associated with our
networks are well known and understood.
  • Vulnerability is worsened by the availability of
    free hacker tools on the Internet.
  • Over 45% of the reported attacks were associated
    with advanced technical hacking techniques, for
    example sniffers, theft of password files,
    vulnerability probing/scanning, Trojan logon,

Incident rates are increasingly alarming
  • The impact associated with attacks continues to
    move up and off the chart.
  • Over 45% of the internal attacks resulted in
    losses over $200,000.
  • Over 15% of the internal attacks resulted in
    losses over $1,000,000.
  • Over 50% of the external attacks resulted in
    losses over $200,000.
  • Over 17% of the external attacks resulted in
    losses over $1,000,000.
In broad terms what should be done by those with
the SSM and why traditional security measures
are not enough!
Making A Good Start!
  • Definition of sound processes.
  • Creation of meaningful and enforceable security
  • Proper implementation of organizational
  • Establishment of ways in which security can be

Direct Risk Mitigation
  • Identification and Authentication
  • Encryption
  • Access Control
  • Note - This Interim step can give a false sense
    of security

Traditional Security Safeguards
  • Risk Analysis
  • Policy
  • Direct Technical Countermeasures
  • This is 40-60% of the overall solution when
    implemented properly

Items not addressed by the Traditional Approach
  • An active, highly knowledgeable, evolving threat
  • The greatly reduced network security decision and
    response cycle
  • Low User Awareness levels
  • Highly dynamic vulnerability conditions

A Solid Security Program
  • Adhere to sound standardization processes
  • Implement valid procedures and technical
  • Provide for system audits intended to support
    potential attack or system misuse analysis

Adaptive Security Model
  • Traditional Security Safeguards
  • Threat/Vulnerability Monitoring
  • Threat/Vulnerability Detection
  • Threat/Vulnerability Response

Adaptive Security
  • Ensure all applicable vulnerabilities are secured
    across the entire network.
  • Ensure all systems are configured in a secure
    manner consistent with organizational policy.
  • Ensure all potentially hostile threats are
    detected, monitored, and responded to in a timely,
    appropriate manner.
  • Provide real-time, on-the-fly, technical
    reconfiguration of threat access routes.
  • Provide timely security alerts and tasking to
    those responsible for addressing network threats
    and vulnerabilities.
  • Provide accurate network security audit and
    trend analysis data in support of security
    program planning and assessment efforts.
Two examples of a dramatic change in knowledge
based on real-world experience.
The EFF's Project Deep Crack
  • The EFF led a concerted effort to develop a
    machine specifically designed to break DES
    encryption. This effort was funded with a
    $250,000 grant and produced a machine that
    rendered keys in days and finally hours. A book,
    Cracking DES, includes all the schematics and
    code. The design is such that the application of
    MONEY would accelerate the time to minutes.
    There are literally millions of DES protected

PRESS RELEASE CWI, Amsterdam - August 26, 1999
Security of E-commerce threatened by 512-bit
number factorization
On August 22, 1999, a team of scientists from six
different countries, led by Herman te Riele of
CWI (Amsterdam), found the prime factors of a
512-bit number, whose size models 5% of the keys
used for protection of electronic commerce on the
Internet. This result shows, much earlier than
expected at the start of E-commerce, that the
popular key-size of 512 bits is no longer safe
against even a moderately powerful attacker. The
amount of money protected by 512-bit keys is
immense. Many billions of dollars per day are
flowing through financial institutions such as
banks and stock exchanges.
The factored key is a model of a so-called
"public key" in the well-known RSA cryptographic
system, which was designed in the mid-seventies by
Rivest, Shamir and Adleman at the Massachusetts
Institute of Technology in Cambridge, USA. At
present, this system is used extensively in
hardware and software to protect electronic data
traffic such as in the international version of
the SSL (Secure Sockets Layer) Handshake
Apart from its practical implications, the
factorization is a scientific breakthrough: 25
years ago, 512-bit numbers (about 155 decimals)
were thought virtually impossible to factor.
Estimates based on the then-fastest known
algorithms and computers predicted a CPU time of
more than 50 billion (50 000 000 000) years. The
factored number, indicated by RSA-155, was taken
from the "RSA Challenge List", which is used as a
yardstick for the security of the RSA
In order to find the prime factors of RSA-155,
about 300 fast SGI and SUN workstations and
Pentium PCs have spent about 35 years of
computing time. The computers were running in
parallel -- mostly overnight and at weekends --
and the whole task was finished in about seven
months.
The following organizations have made their
workstation and PC computing power available to
this project: Centre Charles Hermite (Nancy,
France), Citibank (Parsippany, NJ, USA), CWI
(Amsterdam), Ecole Polytechnique/CNRS (Palaiseau,
France), Entrust Technologies (Ottawa, Canada),
Lehigh University (Bethlehem, Pa, USA), the
Medicis Center at Ecole Polytechnique (Palaiseau,
France), Microsoft Research (Cambridge, UK), Sun
Microsystems Professional Services (Camberley,
UK), The Australian National University (Canberra,
Australia), University of Sydney (Australia).
In addition, an essential step of the project,
which requires 2 Gbytes of internal memory, has
been carried out on the Cray C916 supercomputer
at SARA (Academic Computing Centre
Amsterdam). Given the current big distributed
computing projects on the Internet with hundreds of
thousands of participants, e.g., to break RSA's
DES Challenge or trace extra-terrestrial
messages, it is possible to reduce the time to
factor a 512-bit number from seven months to one
week. For comparison, the amount of computing
time needed to factor RSA-155 was less than 2% of
the time needed to break RSA's DES challenge.
The number and the found factors are RSA-155
54333897 102639592829741105772054196573991675900
716567808038066803341933521790711307779 10660348
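Why a factored modulus is a broken key, as an added example that is not part of the tutorial or the CWI release: a toy RSA modulus built from two constructed small primes is factored with Pollard's rho (standing in for the Number Field Sieve the RSA-155 team used), and the private exponent is recovered from the factors exactly as it would be for a real key. The primes, exponent and message are assumptions chosen to keep the run short.

```python
# Added example (not the tutorial's or CWI's code): a public key whose modulus
# can be factored gives up its private exponent. The arithmetic is the same
# for RSA-155; only the sizes here are tiny so the factoring takes a moment.
from math import gcd
import random


def pollard_rho(n):
    """Return a non-trivial factor of composite n (Floyd cycle detection)."""
    if n % 2 == 0:
        return 2
    while True:
        c = random.randrange(1, n)
        x = y = random.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n          # tortoise: one step
            y = (y * y + c) % n          # hare: two steps
            y = (y * y + c) % n
            d = gcd(abs(x - y), n)
        if d != n:                       # d == n means the walk cycled; retry
            return d


def recover_private_exponent(n, e):
    """Given a public key (n, e) whose modulus factors, derive d."""
    p = pollard_rho(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)               # modular inverse (Python 3.8+)


# Constructed toy key: two small primes stand in for the two 78-digit
# factors of RSA-155. Never use keys this small outside a classroom.
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # the legitimate private exponent


def demo():
    """Encrypt with the public key, then decrypt with the recovered d."""
    msg = 123456789
    ciphertext = pow(msg, E, N)
    d_recovered = recover_private_exponent(N, E)
    return d_recovered == D and pow(ciphertext, d_recovered, N) == msg


if __name__ == "__main__":
    print("recovered private exponent decrypts:", demo())
```

The defender's takeaway is the one the release makes: the cost of this computation is set only by the modulus size, so the key length has to stay ahead of what a "moderately powerful attacker" can afford.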
A broad-stroke view of things that are typically
of interest to Network Security Administrators.
Note that the vast scope of topics is not at all
inclusive; it is taken from a typical IT security
Overview of Network Security
  • Defining the problem
  • Security Policy
  • Attacker Methods
  • Incident Response
  • Legal Considerations

Network Services
  • Client/Server Computing
  • UNIX versus Windows NT

Attack Methods
  • Types of attacks
  • Misadministration
  • Software Bugs
  • Denial of Service

Logging, Auditing, and Detection
  • UNIX versus Windows NT
  • Auditing
  • Vulnerability Detection
  • Vulnerability Detection Tools
  • Intrusion Detection

WWW Security
  • General Server Security
  • WWW Server Security
  • WWW Client Security

An Overview of Firewalls
  • Firewall versus Host Security
  • Categories of Firewalls
  • The Weaknesses of Firewalls

Packet Filters
  • TCP/IP Packets
  • Packet Filters and the Client/Server model

Proxy Servers
  • Definition of Proxy Servers
  • Gauntlet Firewall
  • Firewall-1

Firewall Architecture
  • Bastion Hosts
  • The dual-homed screening router
  • The dual-homed bastion host
  • The dual-homed Proxy server
  • The screened Bastion Host
  • Screened subnet
  • The screened subnet architecture

Firewall Architecture (2)
  • The multiple bastion host approach
  • Belt-and-Suspenders

Secure Communications and Authentication
  • Features of cryptography
  • Classes of cryptographic systems
  • Digital Signatures
  • Applications of encryption

SSM Standard Operating Procedures
  • The Essence
  • The Attitude
  • Some Basic Tasks
For the love of Pete -- Turn on accounting, and
make it as granular as possible.
Just because you are paranoid does not mean they
aren't out to get you.
  • When your boss tells you that you are
    over-reacting and just plain paranoid, tell him
    that someone has to be and that paranoia is just
    a case of seeing things clearly.

ROI is not always a good indicator of success in
the security arena and neither is TCO. Sometimes
it costs what it costs.
Too Darn Bad (TDB)
  • There is always a trade-off of ease of use and
    security. If a policy meets resistance because of
    its effect on the end-user, tell them TDB.
  • TDB should be what you say to yourself. What you
    say to the user is that it is policy from the
    highest level.
  • TDB is the mildest form of this attitude.

Log, Log, Log, Log, Log, Log and Log some more
  • Employ logging at the system level, as well as
    using additional tools.
  • Log all systems via serial connection to a
    central system, which is not connected to the
    network in any way.
  • Print a paper log from the central system.
    Consider using special paper.

You have to make a decision in the beginning
about whether or not you have intestinal
fortitude, the endurance and the money to do what
needs to be done to prosecute the intruders.
An unbroken chain of evidence is essential in
order to prosecute. This means time stamped logs
and other auditing and accounting measures.
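One way to turn the time-stamped logs into an unbroken chain, as an added example (not from the tutorial): each record on the central log host carries the SHA-256 of the record before it, so editing, deleting or reordering an entry after the fact breaks every later link, and the head hash is what you would print to the paper log. The sample events, hostnames and addresses are constructed for the demonstration.

```python
# Added example (not the tutorial's code): a tamper-evident, time-stamped
# log in the spirit of "an unbroken chain of evidence". Records are linked
# by hash; verification reports the first record that no longer fits.
import hashlib
import json

GENESIS = "0" * 64   # link value for the very first record


def _digest(record):
    # Canonical JSON so the same record always hashes the same way.
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def append_entry(chain, timestamp, host, message):
    """Append a record linked to the previous one; returns the new record."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "ts": timestamp, "host": host,
              "msg": message, "prev": prev}
    record["hash"] = _digest(record)
    chain.append(record)
    return record


def verify_chain(chain):
    """Return (True, None) if intact, else (False, seq of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev"] != prev or _digest(body) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, None


# Constructed sample events, as a central host would receive them over serial.
SAMPLE_EVENTS = [
    ("1999-07-12T02:14:05Z", "gw1", "sshd: accepted publickey for ops from 10.0.0.7"),
    ("1999-07-12T02:14:09Z", "gw1", "sudo: ops : COMMAND=/sbin/ifconfig"),
    ("1999-07-12T02:15:30Z", "db2", "login: FAILED for root on ttyS0"),
]


def build_sample_chain():
    chain = []
    for ts, host, msg in SAMPLE_EVENTS:
        append_entry(chain, ts, host, msg)
    return chain


def tamper_demo():
    """Rewrite one historical record and report what verification says."""
    chain = build_sample_chain()
    chain[1]["msg"] = "sudo: ops : COMMAND=/bin/ls"   # someone hides a command
    return verify_chain(chain)


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_chain()))
    print("after edit:", tamper_demo())
```

A hash chain proves integrity only from the point where the head hash was committed to something the intruder cannot rewrite, which is why the slides pair it with a central host off the network and a printed copy.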
Public Key Cryptography
  • IKE - Internet Key Exchange
  • PKI - Public Key Infrastructure
End-user Hardware
  • Remove or disable floppy drives.
  • Disable CD-ROM drives.
  • Enable BIOS passwords.
  • Physically cover all serial, USB, parallel, SCSI
    and other ports not in use.
  • Employ something you own, something you know, and
    something you are.

End-User Software
  • Lock down all desktops and install software via a
    standardized and secure methodology. Many
    products are available for this function.
  • When the end-users complain about the fascism and
    low productivity remember that it is just TDB.

Switching to the Desktop
  • There is a very real internal threat in
    hub-based access level schemas. The end-users
    have the ability to sniff traffic that is not
  • Switching allows electrical segmentation, and
    makes sniffing much more difficult -- and generally
    not possible

Realize that there is no such thing as a secure
system -- get over it and move on!
  • Take all steps a reasonable and prudent person
    would, but forget about your boss's demands for a
    100% guaranteed secure network. This is a
    reality check.

Top-Level Buy-in
  • A couple of years ago, I was sitting in on a
    company that had brought in a Deming
    statistical improvement specialist. Half way
    through, the President and General Manager got up
    and said, very vocally, "This is not something I
    need to be concerned about." Imagine the effect
    on the rest of the attendees.

Employ Intrusion Detection Technologies
  • There is a great benefit to employing an
    intrusion detection system even with the still
    high-degree of false positives.

Encourage the open source peer-review model of
development and implementation
  • In a recent call for papers by DARPA regarding
    using Windows NT for security research every
    scientist made a similar statement -- without
    source code to the security layer, it is
    impossible to determine the real security risks

Every day there will be new threats
  • Get used to it, live it, breathe it, immerse
    yourself in it. This fact will never change, and
    hampers entities from implementing anything

Check out your People
  • The individuals who are ultimately responsible
    for the design and implementation of your
    security should be beyond reproach with regards
    to their risk factor.
  • Check Backgrounds
  • Monitor
  • Be Vigilant

Employ a Password Escrow System
  • Do not let passwords to the core facility rattle
    around in people's heads and on pieces of paper.
  • Employ an electronic password management
    system (PMS) which utilizes diskettes or other
    media to give you access.
  • The PMS should not be on the network.

Something you know. Something you have. Something
you are.
Always look at the worst case scenario
  • Designing your security policies and enforcement
    of the same should account for the worst case
  • If I hear about how much trust someone has in so
    and so one more time, I think I will puke.
  • Trust no one.

Disaster Recovery
  • Disaster recovery is as important, if not more,
    than security is.
  • If you can't recover from the worst case
    scenario, then you have a problem.
  • Run drills on a regular basis, as you would fire
  • Always use the VERIFY option when creating backups

Standards Organizations to be concerned with in
this area include ISO, ANSI, IEEE, IETF, and
W3C. Of special note is the Security Group of
IETF and its various committees.
Always use conduit!
  • It is very easy to place passive taps on copper
    wiring trunks and cables through the use of a
    vampire tap and other methodologies.
  • Conduit makes rewiring easier. Make sure your
    pipe is fat enough to handle upgrades.
  • Conduit protects cable from physical damage

If you can afford it, use fiber
  • Fiber optic cabling gives you high bandwidth
    today with room to grow for tomorrow, but most
    importantly it is almost impossible to tap.
  • Fiber optics do not give off EMF, and are
    therefore not subject to the Van Eck effect and
    reduce remote passive monitoring capabilities.

The watcher of the watcher of the watcher of the
  • It is generally given as a problem in first-year
    accounting: when is the cost of additional
    checks and balances feasible? Normally the
    Parking Lot Attendant is used as the example.
    This is a valid exercise to go through when
    creating layers of security.

Always practice security in Depth!
Host-based security is not enough
Network based security is not enough
Firewalls are not enough
Physical security measures are not enough!
Fundamental Problem
  • Most of you will walk out of this tutorial, and
    say -- I knew those things.
  • A large percentage of people will get back to
    work and still not do anything about it.
  • There is Knowledge in knowing, but there is
    Wisdom in execution. And there is the need of
    strong character and persuasion to accomplish the

Avoid Services which pass login and password
information in plain text
  • Use SSH instead of Telnet whenever possible.
  • Make sure the version of email you have does not
    pass login information.

Official Motto of the Practitioners of SSM
  • I will practice and teach Eternal Vigilance
  • I have a resounding will to accomplish the
    implementation necessary.
  • I will avoid making special cases for
    end-users who complain about Fascism.
  • I will compel management to accept the need for
    SSM even at the risk of losing my job (This is
    the acid test).