25-SEPT-2001 1
Security Fundamentals
Robin Anderson
UMBC, Office of Information Technology
A Little About Me…
Unix SysAdmin, Specialist with the Office of Information Technology at UMBC
Taught Unix Administration and SANS Level One Security courses at UMBC
Certified by the SANS Institute GIAC program in UNIX Security and Incident Handling
Topics Outline
Post-Mortems in the News…
Identifying Threats
Countering Threats
The (Vulnerable) Network
Questions You Need to Ask
Recommendations You Want to Make
Resources Online
What Happened to Amazon®?
Website defacing: Hackers broke in & put up phony web pages
(And now, newer worms/viruses are doing the same!)
– September 2000: OPEC 1
– February 2000: Amazon® , eBay® 2
– November 1999: NASA/Goddard 3
– October 31,1999: Associated Press® 4
– August 1999: ABC® 5
– June 1999: U.S. Army
What Happened to Yahoo®?
Denial of Service (DoS)
– February 2000: Yahoo and CNN 1
Multiple Hits
– September 2000: Slashdot defaced
– May 2000: Slashdot suffered DoS
The irony is that slashdot.org is a popular "news for nerds" website
If They’re Vulnerable…
…then you are, too.
The Fundamental Theorem
You have computers because they perform some function that furthers your organization’s goals
If you lose the use of those computers, their function is compromised
So - anything that interferes with your organization’s effort to achieve its goals is a security concern
What Are You Protecting?
Information
Availability of the Systems
Reputation & Goodwill
Your Information
Crown Jewels
– Trade secrets, patent ideas, research
Financial information
Personnel records
Organizational structure
Your Availability
Internal use
– When employees can’t use the network, servers, or other necessary systems, they can’t work
Website / online transactions
– Often when systems are unavailable, the organization is losing money
Your Reputation
Public trust
– If your organization is hacked, how reliable will people think you are in other areas?
– Who wants to do business with companies that leak credit card information?
Being a good neighbor
– Your organization may be hacked so it can be used as a springboard to attack others
A Simple Network…
[Network diagram: the Internet, a border router, a firewall, and an inner router in front of the internal systems]
… Attacked!
[The same network diagram with the threat locations numbered 1 to 10; the numbers are explained on the next three slides]
What Are These Threats?
1. DoS coming from the Internet
2. Severed Physical link
3. Masquerader / Spoofer
– They look like they’re already inside
4. Password sniffer
What Are These Threats? (2)
5. Alan brought a floppy from home that has a virus on it
6. Beatrice is about to be fired – and she’s going to be angry about it
7. Carter is careless with his passwords – he writes them down and loses the paper
What Are These Threats? (3)
8. David has unprotected shares on his NT box
9. Evan installed a modem on his PC (PCAnywhere)
10. Severed Power / HVAC
What Are Threat Vectors?
Vectors are the pathways by which threats enter your network
Threat Vectors - Internal
Careless employees
– “Floyd the clumsy janitor”
– “Contraband” hardware / software
– “Oops, did I just type that?”
Random twits (somewhere between careless & malicious)
Malicious employees– Current or former employees with axes to grind
Anyone who can get physical access
Threat Vectors - External
Competitors / spies / saboteurs
Casual & incidental hackers
– Some hackers don’t want your systems except to use them to get at their real target
Malicious hackers
Accidental tourists
Natural disasters
– Be ready to face down the hurricane
What Are Threat Categories?
Categories are the different kinds of threat you may encounter
Threat Categories
Opportunistic
– Basic “ankle biters” and “script kiddies”
– More advanced hackers, hacker groups out trolling
Targeted
– These attackers know what they want; anything from data to disruption to springboards
“Omnipotent”
– Government-sponsored professional hackers
Threat Consequences
Bad press
– Breach of confidentiality
• Medical data
• Credit card information
– Attack platform (you’ve been subverted!)
Loss of income
– How much does it cost you in sales to have your databases, website, etc, down for any given length of time?
– Loss of trade secrets (crown jewels)
The 3 Goals of Security
Ensure Availability
Ensure Integrity
Ensure Authorization & Authentication
Threats to Availability
Denial of Service (DoS)
– Connection flooding
Destroying data
– Hardware failure
– Manual deletion
– Software agents: virus, trojans
Threats to Integrity
Hardware failure
Software corruption
– Buggy software
– Improperly terminated programs
Attacker altering data
Threats to Authorization
Attacker stealing data
Lost / Stolen passwords
Information Reconnaissance
• Organization information
Countering These Threats…
…is what security is all about.
Defining Security
Security is a process
– Training is ongoing
• Threats change, admins need to keep up
• Security is inconvenient, so all staff need training
Security is also about policies
There is no silver bullet to fix it all
– For example, a firewall won’t save you
• Remember the Maginot Line
Notes:
The underlying assumption in the next section is that you, as the auditor, admin, or manager, are in a position to make security recommendations
The following list of questions should not be considered in any way to be exhaustive, but a starting point to build your own list
Questions You Need to Ask
What is the physical access policy to systems, routers, and backup media?
– Are the servers and main routers in a controlled-access environment?
– Who monitors access?
Are desktop systems / workstations physically secured?
Questions You Need to Ask
Is there a documented security policy?
– Where is it located?
– Who is responsible for maintaining it?
– Is the policy being consistently enforced?
– Who is the enforcer for the organization?
Is there a firewall?
– Who maintains it and its rule-sets?
– Do its rules match the policy?
Questions You Need to Ask
What is the backup policy & schedule?
– What kind of backup media & software is used?
– Where is the backup media stored? Is there an off-site safe/storage rotation?
– If the systems were utterly destroyed today, how up to date could you bring their replacements?
– Have the backups ever been tested (via a restore) for completeness and integrity?
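The last question above is the one most often skipped, so here is a restore test you can actually run, added as an example (it is not part of the original slides). It backs up a constructed sample directory with tar, restores the archive into a scratch directory, and compares every restored file against the checksum manifest recorded at backup time. The second run shows what such a test reveals when work continued after the backup ran. All paths and file contents are made up for the demonstration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src_dir, archive_path):
    """Write a gzip'd tar of src_dir and return the manifest it should contain."""
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(src_dir), arcname=".")
    return manifest(src_dir)


def verify_restore(archive_path, expected):
    """Restore into a scratch directory and compare with `expected`.
    Returns (missing, corrupted): files absent from the restore, and files
    whose contents differ.  Both lists empty means complete and intact."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            try:
                # Python 3.12+: refuse members that would escape scratch
                # (absolute paths, "..", links pointing outside).
                tar.extractall(scratch, filter="data")
            except TypeError:   # older Python: no filter argument
                tar.extractall(scratch)
        restored = manifest(scratch)
    missing = sorted(p for p in expected if p not in restored)
    corrupted = sorted(p for p in expected
                       if p in restored and restored[p] != expected[p])
    return missing, corrupted


def run_demo():
    """Constructed data: back up, verify, then verify again after changes."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "payroll").mkdir(parents=True)
        (src / "payroll" / "q3.csv").write_text("emp,amount\n1001,4200\n")
        (src / "notes.txt").write_text("patent idea: see lab book 7\n")
        archive = Path(work) / "data.tar.gz"

        recorded = make_backup(src, archive)
        fresh = verify_restore(archive, recorded)          # ([], [])

        # Work continued after the backup ran: one file edited, one added.
        (src / "notes.txt").write_text("patent idea: see lab book 8\n")
        (src / "payroll" / "q4.csv").write_text("emp,amount\n1001,4300\n")
        stale = verify_restore(archive, manifest(src))     # (['payroll/q4.csv'], ['notes.txt'])
    return fresh, stale


if __name__ == "__main__":
    print(run_demo())
```

The manifest is written at backup time and kept with the media, so the restore test measures the backup against what existed when it was taken, not against whatever the live system looks like later; the second comparison against the live tree is the "how up to date could you bring a replacement" question in numbers. The `filter="data"` argument only matters for archives you did not make yourself, but it costs nothing here.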
Questions You Need to Ask
Does the organization know what is on its network?
– If so, how does it know?
– Where are the records kept?
– Who has access to them?
Questions You Need to Ask
Are routine network vulnerability scans run?
– If so, what tools are used?
– Where are the reports stored?
– Who has access to the tool and the reports?
Is any routine network monitoring done?
– If so, what tools are used?
– Where are the reports stored?
– Who has access to the tool and the reports?
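An added example (not from the original slides and not code from any of the tools it mentions) of what a routine scan buys you once the reports are kept: the script below answers "does the organization know what is on its network" and "what changed since last time" by comparing two Nmap greppable (-oG) reports, and flags services still running in clear text. The two reports are constructed by hand to mimic that format; the hosts, names, and versions are made up.

```python
import re

# Nmap -oG service names for the clear-text protocols discussed on the
# slides: telnet, ftp, rlogin ("login"), rsh ("shell"), rexec ("exec").
CLEARTEXT = {"telnet", "ftp", "login", "shell", "exec"}

# One "Host:" line per scanned host; fields are tab-separated and each
# port entry reads port/state/proto/owner/service/rpc/version/ .
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\tIgnored State:.*)?$")

# Constructed baseline report (last week's scan).
BASELINE_GNMAP = (
    "# Nmap scan initiated Tue Sep 18 02:00:00 as: nmap -sV -oG baseline.gnmap 10.0.0.0/28\n"
    "Host: 10.0.0.1 (gw.example.edu)\tStatus: Up\n"
    "Host: 10.0.0.1 (gw.example.edu)\tPorts: 22/open/tcp//ssh//OpenSSH 2.9p2/\tIgnored State: closed (999)\n"
    "Host: 10.0.0.10 (www.example.edu)\tPorts: 22/open/tcp//ssh//OpenSSH 2.9p2/, "
    "80/open/tcp//http//Apache httpd 1.3.20/\tIgnored State: closed (998)\n"
    "# Nmap done -- 16 IP addresses (2 hosts up) scanned\n"
)

# Constructed current report: telnet has appeared on the web server, and an
# unregistered host shows up with an NT share and a PCAnywhere listener.
CURRENT_GNMAP = (
    "# Nmap scan initiated Tue Sep 25 02:00:00 as: nmap -sV -oG current.gnmap 10.0.0.0/28\n"
    "Host: 10.0.0.1 (gw.example.edu)\tPorts: 22/open/tcp//ssh//OpenSSH 2.9p2/\tIgnored State: closed (999)\n"
    "Host: 10.0.0.10 (www.example.edu)\tPorts: 22/open/tcp//ssh//OpenSSH 2.9p2/, 23/open/tcp//telnet///, "
    "80/open/tcp//http//Apache httpd 1.3.20/\tIgnored State: closed (997)\n"
    "Host: 10.0.0.14 ()\tPorts: 139/open/tcp//netbios-ssn///, 5631/open/tcp//pcanywheredata///\tIgnored State: closed (998)\n"
)


def parse_gnmap(text):
    """ip -> {(port, proto): (service, version)} for every open port."""
    inventory = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                       # comment lines and Status-only lines
        ip, ports_field = m.group(1), m.group(3)
        entry = inventory.setdefault(ip, {})
        for item in ports_field.split(", "):
            f = item.split("/")
            port, state, proto, service, version = f[0], f[1], f[2], f[4], f[6]
            if state == "open":
                entry[(int(port), proto)] = (service, version)
    return inventory


def compare(baseline, current):
    """What changed since the last scan, plus anything still in clear text."""
    report = {"new_hosts": [], "new_services": [], "vanished_services": [], "cleartext": []}
    for ip, services in current.items():
        if ip not in baseline:
            report["new_hosts"].append(ip)
        for (port, proto), (service, _version) in services.items():
            if (port, proto) not in baseline.get(ip, {}):
                report["new_services"].append((ip, port, proto, service))
            if service in CLEARTEXT:
                report["cleartext"].append((ip, port, service))
    for ip, services in baseline.items():
        for (port, proto) in services:
            if (port, proto) not in current.get(ip, {}):
                report["vanished_services"].append((ip, port, proto))
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    for key, rows in compare(parse_gnmap(BASELINE_GNMAP), parse_gnmap(CURRENT_GNMAP)).items():
        print(key, rows)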
Questions You Need to Ask
What kind of power management contingencies are available?
– Uninterruptible Power Supplies (UPS)?
– Power regulation?
– Backup generators?
– Mean time to recovery from outage?
Questions You Need to Ask
What kind of authentication does your organization use?
– Passwords
• Multi-use, one-time?
• Expiration?
– Biometric authentication?
– Smart-cards?
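To make "multi-use versus one-time" concrete, here is an added example (not part of the original slides) of the HOTP one-time password scheme from RFC 4226, written with Python's standard library. The shared secret is the RFC's own test key, so the generated codes can be checked against its Appendix D table. The server-side verifier class and its look-ahead window are this example's illustration of why a replayed code is rejected; they are not any particular product's behaviour.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server-side state for one user: the shared secret and the next
    counter value not yet used.  A code is accepted once; presenting it
    again (what a sniffer does with a reusable password) fails because
    the counter has already moved past it."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead  # tolerate a few codes generated but never sent

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1  # consume this code and any skipped ones
                return True
        return False


# RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def replay_demo():
    """The token emits codes 0 and 2 (code 1 was generated but never
    used); returns the verifier's verdict on each presentation in order."""
    server = OtpVerifier(RFC_SECRET)
    first = hotp(RFC_SECRET, 0)
    third = hotp(RFC_SECRET, 2)
    return [
        server.verify(first),               # True: fresh code
        server.verify(first),               # False: replay of a consumed code
        server.verify(third),               # True: counter 1 skipped, within look-ahead
        server.verify(hotp(RFC_SECRET, 1)), # False: older than the server's counter
    ]


if __name__ == "__main__":
    for n in range(3):
        print(n, hotp(RFC_SECRET, n))
    print(replay_demo())
```

The point for the audit question is the second verdict: a one-time code captured off the wire is worthless to the attacker a moment later, whereas a captured multi-use password stays valid until it expires or is changed.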
Questions You Need to Ask
If you use passwords, how does your organization replace lost ones?
– Any policy on verifying user’s identity, etc?
Questions You Need to Ask
What kind of network connections does your organization allow?
– Are they clear-text protocols (like telnet, rlogin, rsh, ftp)?
– Can your organization migrate to using encrypted protocols (like ssh, stunnel, etc)?
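What the "password sniffer" of the attacked-network slide actually gets from a clear-text session, as an added example that is not part of the original slides. Both sessions below are constructed by hand to look like the TCP payloads of a telnet login and of an SSH connection; no real capture is used, and the user name and password are made up. The script strips telnet option negotiation, recovers the credentials from the telnet stream, and then shows that the SSH stream exposes only version banners and algorithm names.

```python
import re

IAC, SB, SE = 0xFF, 0xFA, 0xF0   # telnet: Interpret As Command, subnegotiation begin/end

# Constructed telnet login, one tuple per TCP segment: ("S", server->client)
# or ("C", client->server).  Telnet clients send a keystroke per segment and
# both sides mix option negotiation (IAC ...) into the data stream.
TELNET_SESSION = [
    ("S", bytes([IAC, 0xFD, 0x18, IAC, 0xFD, 0x20]) + b"\r\nlogin: "),  # IAC DO TERMINAL-TYPE, IAC DO TERMINAL-SPEED
    ("C", bytes([IAC, 0xFC, 0x18]) + b"c"),                            # IAC WONT TERMINAL-TYPE, then 'c'
    ("C", b"a"), ("C", b"r"), ("C", b"t"), ("C", b"e"), ("C", b"r"), ("C", b"\r\x00"),
    ("S", b"Password: "),
    ("C", b"h"), ("C", b"u"), ("C", b"n"), ("C", b"t"), ("C", b"3"), ("C", b"r"), ("C", b"\r\x00"),
    ("S", b"\r\nLast login: Tue Sep 25 09:12:01 2001\r\n$ "),
]

# Constructed SSH session: version banners and the KEXINIT name-lists are
# sent in the clear; everything after the key exchange is ciphertext.
SSH_SESSION = [
    ("C", b"SSH-2.0-OpenSSH_2.9p2\r\n"),
    ("S", b"SSH-2.0-OpenSSH_2.9p2\r\n"),
    ("S", b"\x00\x00\x00\x9c\x05\x14" + bytes(16) + b"\x00\x00\x00\x1adiffie-hellman-group1-sha1"),
    ("C", b"\x00\x00\x00\x3c\x0b" + bytes([0x8A, 0x17, 0xC3, 0x02, 0x9E, 0xF4, 0x6D, 0x31]) * 7),
]


def strip_telnet_options(payload: bytes) -> bytes:
    """Remove telnet command sequences so only user data remains."""
    out, i = bytearray(), 0
    while i < len(payload):
        b = payload[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= len(payload):            # dangling IAC at segment end
            break
        elif payload[i + 1] == IAC:            # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif payload[i + 1] == SB:             # subnegotiation runs until IAC SE
            end = payload.find(bytes([IAC, SE]), i + 2)
            i = len(payload) if end < 0 else end + 2
        elif 0xFB <= payload[i + 1] <= 0xFE:   # WILL/WONT/DO/DONT <option>
            i += 3
        else:                                  # two-byte command (NOP, GA, ...)
            i += 2
    return bytes(out)


def extract_credentials(session):
    """Pair each login:/Password: prompt from the server with the client
    line typed in reply; works because nothing on the wire is encrypted."""
    creds, expect, typed = {}, None, bytearray()
    for direction, payload in session:
        data = strip_telnet_options(payload)
        if direction == "S":
            prompt = data.decode("ascii", "replace").lower().rstrip()
            if prompt.endswith(("login:", "username:")):
                expect, typed = "username", bytearray()
            elif prompt.endswith("password:"):
                expect, typed = "password", bytearray()
        elif expect:
            typed += data
            if b"\r" in typed or b"\n" in typed:           # end of the typed line
                creds[expect] = bytes(typed).strip(b"\r\n\x00").decode("ascii", "replace")
                expect = None
    return creds


def visible_strings(session, telnet=False, min_len=6):
    """Printable runs a passive observer reads off each direction of the stream."""
    streams = {"C": bytearray(), "S": bytearray()}
    for direction, payload in session:
        streams[direction] += strip_telnet_options(payload) if telnet else payload
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii")
            for data in streams.values()
            for m in re.finditer(pattern, bytes(data))]


if __name__ == "__main__":
    print("telnet:", extract_credentials(TELNET_SESSION), visible_strings(TELNET_SESSION, telnet=True))
    print("ssh:   ", extract_credentials(SSH_SESSION), visible_strings(SSH_SESSION))
```

Nothing here requires breaking in anywhere: a host on the same hub or a compromised machine on the segment sees these bytes as a side effect of normal operation, which is why the migration question above is worth asking even on an "internal" network.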
Recommendations You Really Want to Make
No matter what, recommend a dedicated security officer
– One individual responsible for security
• NOT the sys admin, network admin
– Qualifications:
• Training
• Certification (CISSP, SANS)
• Demonstrated proficiency
Recommendations You Really Want to Make
Routine Vulnerability Scanning
– Tools like Saint, Nessus, Legion, Nmap, SARA
Principle of Least Privilege
Documented Procedures for Incident Handling
So, What Is a Security Officer?
Protector
– Internal, external
Assessor
Monitor
Contact point
– Law enforcement
– Internal
– External
What Does It All Mean?
It’s a dangerous world, but we’re not necessarily doomed!
Security is an ongoing process (it’s worth repeating!)
– Ask the questions you’ve seen here
– Ask any others you think of
– Ask them all again tomorrow – new challenges are arising every day!
Acknowledgements
Andy Johnston, manager and co-conspirator
Jon Lasser, author of Think UNIX
Stephen Northcutt, SANS instructor and author of Network Intrusion Detection
Resources Online
Training and Certifications
– SANS Institute
http://www.sans.org/
– CISSP “Certified Information Systems Security Professional”
http://www.cissps.com
Resources Online (2)
News & Alerts
– Security Focus
http://www.securityfocus.com/
– CERT (was “Computer Emergency Response Team”)
http://www.cert.org/
– CIAC “Computer Incident Advisory Capability”
http://ciac.llnl.gov/
Resources Online (3)
Federal Information Sharing Organizations
– NIPC “National Infrastructure Protection Center”
http://www.nipc.gov
– Infragard “Guarding the Nation’s Infrastructure”
http://www.infragard.net
– Infragard Maryland Chapter
http://www.mdinfragard.org
Resources Online (4)
SSH
http://www.ssh.fi
http://www.openssh.org
SSH tunnel
http://linuxdoc.org/HOWTO/mini/VPN.html
http://www.ccs.neu.edu/groups/systems/howto/howto-sshtunnel.html
Stunnel
http://mike.daewoo.com.pl/computer/stunnel/
http://www.stanton.dtcc.edu/stanton/cs/admin/notes/ssl/
Resources Online (5)
Network Monitoring Software
– Snort
http://www.snort.org
Network Vulnerability Scanners
– Saint
http://wdsilx.wwdsi.com/saint
– Nessus
http://www.nessus.org
Resources Online (6)
Kerberos
http://web.mit.edu/kerberos/www
This Presentation
http://www.gl.umbc.edu/~robin/security.html