© Minder Chen, 1998-2002 Security - 1
Internet Security
Minder Chen
[email protected]

References
• Information Security Management Handbook, 4th edition, edited by Micki Krause and Harold F. Tipton.
• The SANS Security Policy Project: www.sans.org/newlook/resources/policies/policies.htm
• Sample Policies and Procedures: www.sans.org/newlook/resources/policies/Appdb.doc
• SANS Security Policy Project at http://www.sans.org/newlook/resources/policies/policies.htm
• Policy Primer at http://www.sans.org/newlook/resources/policies/Policy_Primer.pdf
• Sample Policies and Procedures at http://www.information-security-policies-and-standards.com/
• HIPAA FAQ at http://www.rx2000.org/KnowledgeCenter/hipaa/hipfaq.htm
• ICAT Top Ten List at http://icat.nist.gov/icat.cfm?function=topten

Ten Immutable Laws of Security
1. If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
2. If a bad guy can alter the OS on your computer, it's not your computer anymore.
3. If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
4. If you allow a bad guy to upload programs to your web site, it's not your site anymore.
5. Weak passwords trump strong security.
6. A machine is only as secure as the administrator is trustworthy.
7. Encrypted data is only as secure as the decryption key.
8. An out of date virus scanner is only marginally better than no virus scanner at all.
9. Absolute anonymity isn't practical, in real life or on the web.
10. Technology is not a panacea.

Ten Immutable Laws of Security Administration
1. Nobody believes anything bad can happen to them, until it does.
2. Security only works if the secure way also happens to be the easy way.
3. If you don't keep up with security fixes, your network won't be yours for long.
4. It doesn't do much good to install security fixes on a computer that was never secured to begin with.
5. Eternal vigilance is the price of security.
6. There really is someone out there trying to guess your passwords.
7. The most secure network is a well-administered one.
8. The difficulty of defending a network is directly proportional to its complexity.
9. Security isn't about risk avoidance; it's about risk management.
10. Technology is not a panacea.

Security Services (OSI definition)
• Access control: Protects against unauthorized use
• Authentication: Provides assurance of someone's identity
• Confidentiality: Protects against disclosure to unauthorized identities
• Integrity: Protects from unauthorized data alteration
• Non-repudiation: Protects against the originator of a communication later denying it
Source: http://www.cs.auckland.ac.nz/~pgut001/tutorial/

Security Mechanisms
• Three basic building blocks are used:
  – Encryption provides confidentiality; it can also provide authentication and integrity protection
  – Digital signatures provide authentication, integrity protection, and non-repudiation
  – Checksums/hash algorithms provide integrity protection; they can also provide authentication
• One or more security mechanisms are combined to provide a security service
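The difference between a checksum that protects integrity only and a keyed hash that also authenticates the origin, as an added example that is not part of the original deck, written in Python against the standard library; the shared key and the messages are constructed for the demonstration:

```python
# Added example (not from the slides): integrity with a plain hash versus
# integrity plus authentication with a keyed hash (HMAC), standard library only.
# The key and the messages below are constructed for illustration.
import hashlib
import hmac
import secrets


def digest(message: bytes) -> str:
    """Unkeyed SHA-256 checksum: protects integrity only."""
    return hashlib.sha256(message).hexdigest()


def verify_digest(message: bytes, expected: str) -> bool:
    """Recompute the checksum and compare it in constant time."""
    return hmac.compare_digest(digest(message), expected)


def tag(key: bytes, message: bytes) -> str:
    """Keyed hash (HMAC-SHA256): integrity plus origin authentication,
    because only a holder of `key` can produce a tag that verifies."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, expected: str) -> bool:
    """Recompute the tag under the shared key and compare in constant time."""
    return hmac.compare_digest(tag(key, message), expected)


def demo() -> dict:
    """Walk through the three outcomes the slide's mechanisms imply."""
    key = secrets.token_bytes(32)           # constructed shared secret
    msg = b"transfer 100 to account 42"    # constructed message
    altered = b"transfer 900 to account 42"

    # 1. A plain checksum catches alteration of the message...
    h = digest(msg)
    results = {
        "hash_ok": verify_digest(msg, h),
        "hash_detects_change": not verify_digest(altered, h),
        # 2. ...but whoever alters the message can simply recompute the checksum,
        #    so the receiver learns nothing about who produced the message.
        "hash_forgeable": verify_digest(altered, digest(altered)),
    }

    # 3. With HMAC the receiver checks that the shared key was used: an altered
    #    message fails, and so does a tag computed without the key.
    t = tag(key, msg)
    wrong_key = secrets.token_bytes(32)     # constructed: what an outsider would hold
    results["hmac_ok"] = verify_tag(key, msg, t)
    results["hmac_detects_change"] = not verify_tag(key, altered, t)
    results["hmac_not_forgeable"] = not verify_tag(key, altered, tag(wrong_key, altered))
    return results
```

demo() returns six named checks, all of which hold: the plain digest catches an altered message but can be recomputed by anyone who alters it, while the HMAC tag fails both for an altered message and for a tag produced without the shared key. compare_digest is used for both comparisons so that the time taken does not depend on how many leading bytes matched.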

10 Domains of Computer Security
• Domain 1 addresses access control. Access control consists of all of the various mechanisms (physical, logical, and administrative) used to ensure that only authorized persons or processes are allowed to use or access a system. Three categories of access control focus on: (1) access control principles and objectives, (2) access control issues, and (3) access control administration.
• Domain 2 addresses communications security. Communications security involves ensuring the integrity and confidentiality of information transmitted via telecommunications media as well as ensuring the availability of the telecommunications media itself. Three categories of communications security are: (1) telecommunications security objectives, threats, and countermeasures; (2) network security; and (3) Internet security.

Continued…
• Domain 3 addresses risk management and business continuity planning. Risk management encompasses all activities involved in the control of risk (risk assessment, risk reduction, protective measures, risk acceptance, and risk assignment). Business continuity planning involves the planning of specific, coordinated actions to avoid or mitigate the effects of disruptions to normal business information processing functions.
• Domain 4 addresses policy, standards, and organization. Policies are used to describe management intent, standards provide a consistent level of security in an organization, and an organization architecture enables the accomplishment of security objectives. Four categories include: (1) information classification, (2) security awareness, (3) organization architecture, and (4) policy development.

Continued…
• Domain 5 addresses computer architecture and system security. Computer architecture involves the aspects of computer organization and configuration that are employed to achieve computer security, while system security involves the mechanisms that are used to maintain the security of system programs. PC and LAN security issues, problems, and countermeasures are also in this domain.
• Domain 6 addresses law, investigation, and ethics. Law involves the legal and regulatory issues faced in an information security environment. Investigation consists of guidelines and principles necessary to successfully investigate security incidents and preserve the integrity of evidence. Ethics consists of knowledge of the difference between right and wrong and the inclination to do the right thing.

Continued…
• Domain 7 addresses application program security. Application security involves the controls placed within the application program to support the security policy of the organization. Topics discussed include threats, applications development, availability issues, security design, and application/data access control.
• Domain 8 addresses cryptography. Cryptography is the use of secret codes to achieve desired levels of confidentiality and integrity. Two categories focus on: (1) cryptographic applications and uses and (2) crypto technology and implementations. Included are basic technologies, encryption systems, and key management methods.

Continued…
• Domain 9 addresses (computer) operations security. Computer operations security involves the controls over hardware, media, and the operators with access privileges to these. Several aspects are included, notably operator controls, hardware controls, media controls, trusted system operations, trusted facility management, trusted recovery, and environmental contamination control.
• Domain 10 addresses physical security. Physical security involves the provision of a safe environment for information processing activities with a focus on preventing unauthorized physical access to computing equipment. Three categories include: (1) threats and facility requirements, (2) personnel physical access control, and (3) microcomputer physical security.

The 20 Most Critical Internet Security Vulnerabilities
• G1 - Default installs of operating systems and applications
  – G1.1 Description
  – G1.2 Systems impacted
  – G1.3 CVE entries
  – G1.4 How to determine if you are vulnerable
  – G1.5 How to protect against it
• G2 - Accounts with No Passwords or Weak Passwords
• G3 - Non-existent or Incomplete Backups
• G4 - Large number of open ports
• G5 - Not filtering packets for correct incoming and outgoing addresses
• G6 - Non-existent or incomplete logging
• G7 - Vulnerable CGI Programs
• Plus 6 Windows and 7 Unix Vulnerabilities

Level of Control
• Security needs and culture play a major role.
• Security policies MUST balance level of control with level of productivity.
• If policies are too restrictive, people will find ways to circumvent controls.
• Technical controls are not always possible.
• You must have management commitment on the level of control.

Solution for Systems Architecture: Internet Data Center

http://img.cmpnet.com/nc/815/graphics/hotspots.pdf

People, Process, Product challenges?
Product:
• Products lack security features
• Products have bugs
• Many issues are not addressed by technical standards
• Too hard to stay in the know and up-to-date
Process:
• Designing for security
• Roles & responsibilities
• Auditing, tracking, follow-up
• Calamity plans
• Staying up-to-date with security development
People:
• Lack of knowledge
• Lack of commitment
• Human error

The Challenge of Security
Provide services (Web access, e-mail, file access, messaging) while protecting your assets (financial data, CPU cycles, network resources, intellectual property, customer information).
The right access to the right content by the right people.
Internet-enabled businesses face the challenge of ensuring that their computing technologies and information assets are secure, fast, and easy to interact with.

Life Was Much Simpler Back Then…
Mainframe
– Terminal access
– “Glass house”
– Physical security, limited connectivity

Life Was Much Simpler Back Then…
Client-Server
– LAN connectivity
– File/print services
– Limited external access

Life Became Complex After Internet
Then the world became complex and difficult…
The Internet
– “Always on”
– E-mail, instant messaging
– The Web

Business Impact
Security Breaches Have Real Costs
• According to the Computer Crime and Security Survey 2001, by the Computer Security Institute (CSI) and the FBI:
  – Quantified financial losses of at least $377M, or $2M per survey respondent
  – 40% detected system penetration from the outside; up from 25% in 2000
  – 94% detected computer viruses; 85% detected them in 2000
• InformationWeek estimates:
  – Security breaches cost businesses $1.4 trillion worldwide this year
  – 2/3 of companies have experienced viruses, worms, or Trojan Horses
  – 15% have experienced Denial of Service attacks
Source: Computer Security Institute (CSI) Computer Crime and Security Survey 2001
Source: InformationWeek.com, 10/15/01

High Profile Security Threats
Common Methods of Cyber-Crimes
• Hostile Code
  – Viruses
  – Worms
  – Trojan horses
• Denial of Service
• Web page defacement
• Eavesdropping, Interception
• Identity theft

Security Framework
Process: Planning for security | Prevention | Detection | Reaction
Technology: Baseline technology | Standards, Encryption, Protection | Product security features | Security tools and products
People: Dedicated staff | Training | Security - a mindset and a priority | External people

Traditional Definitions of Availability
[Chart: Avg System Price ($10K, $100K, $1M, $10M) plotted against Downtime Hrs./Syst/Yr (100, 10, 1, 0.1) and System Availability (99.0%, 99.9%, 99.99%, 99.999%)]
Availability tiers shown on the chart, from lowest to highest: Commercial Availability, High Availability, Fault Resilient, Fault Tolerant, Continuous Processing.
Descriptors shown alongside the tiers:
• Redundant system components, RAID for Data
• Multiple Machines with Recovery Mechanisms, 24x7 proactive & reactive support
• Redundant Architectures, Specialized Logic and Components
• Utmost Reliability, Data Integrity and Security built in, 24x7 systems monitoring, business continuity services
As systems approach 100% uptime, costs begin to skyrocket, demonstrating diminishing returns on your investment.
While continuous business operation is often desired, solutions guaranteeing zero downtime are often cost-prohibitive, especially after weighing all risks of failure and determining what kind of downtime is acceptable for your needs.

The Continuity Continuum
[Diagram: four levels of continuity, with increasing cost, functionality and complexity from Platform to Site]
• Platform (In the Box):
  – High Availability Server Systems: Hot-swappable, redundant components with Mission-critical support
  – Rapid Equipment Replacement: Vendor services and financing programs
• Data (Beyond the Box):
  – SAN, NAS & DAS: Continuous data access
  – Backup and Restore: Real-time tape backup, Off-site storage
• Application (System Interaction):
  – Redundant Systems/Load Balancing: Server, Storage, Network availability
  – Clustering/Application Failover: Continuous application access
• Site (Beyond the Building):
  – Site/Datacenter Failover: Re-route data to replication/mirrored sites
  – Commercial Recovery Sites: Resuming in hot, cold, mobile or host facilities
Maintaining the availability of systems critical to ongoing government operations during a system failure or service outage. Recovering from unplanned, catastrophic events or disasters in an orderly, timely, appropriate manner based on the risk, costs and importance of the business system.

Large Organization Continuity Scenario
[Diagram of a large-organization continuity architecture; labelled elements as read from the slide:]
• Business Continuity Plan
• Clients: Mobile and Workstation Users
• Network/Communications: T1 or T3 (SDSL or Fractional T1 backup); Fibre Channel; Power
• Production Servers: File/print, Messaging/email, Database, Web serving, Applications
• Redundant Servers: Active-Passive, Active-Active; Automatic application failover, Transparent to end-users, Planned maintenance & upgrades
• Storage Area Network (SAN); Expansion enclosures…
• Backup agent; Tape Backup Library; Tape autoloader, 14.4 TB capacity, 216-650GB/hour
• Fully redundant storage, 64 servers, Expandable up to 8.7TB capacity, Hot swap drives and components, Internal disks RAID 5
• Rack-dense form factor, Redundant power supplies, fans, NICs, Hot swap drives and components, Internal disks RAID 0/5
• UPS: 1000-5000VA and 5000-16,000 VA

Encryption
Secret-key (symmetric) encryption
• Name: Shared cipher keys, Symmetric keys, Secret keys, Single keys
• Problem: Key distribution
• Methods: Data Encryption Standard (DES)
Public-key (asymmetric) encryption
• Name: Public cipher keys, Asymmetric keys, Public keys, A pair of keys (Public key, Private key)
• Problem: Time consuming to process long messages
• Methods: RSA; PGP: Pretty Good Privacy

Single Key
[Diagram: Plaintext (clear text) "Test" → Encryption → Ciphertext "Uftu" (transmitted) → Decryption → Plaintext "Test"; the same key is used on both sides]
Encryption: Right shift with key. Key: 1. Decryption: Right shift with -(key).
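The right-shift cipher from this slide, as an added example that is not part of the original deck: encryption and decryption share one key, decryption is the same shift with -(key), and a brute_force helper (added here, not on the slide) shows why so small a key space gives no real confidentiality:

```python
# Added example (not from the slides): the single-key right-shift cipher.
# Both parties need the same key, which is the key-distribution problem
# the Encryption slide lists for secret-key methods.
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def shift(text: str, key: int) -> str:
    """Shift each ASCII letter `key` places right (wrapping z -> a);
    everything else passes through unchanged. Negative keys shift left."""
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + key) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    """Right shift with the key: "Test" with key 1 becomes "Uftu"."""
    return shift(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    """Decryption is the same right shift with -(key), as the slide states."""
    return shift(ciphertext, -key)


def brute_force(ciphertext: str) -> list:
    """Why a shift cipher protects nothing on its own: only 25 distinct keys
    exist, so a party without the key can list every candidate plaintext."""
    return [(k, decrypt(ciphertext, k)) for k in range(1, 26)]
```

encrypt("Test", 1) gives the slide's "Uftu" and decrypt("Uftu", 1) returns "Test"; brute_force("Uftu") lists all 25 candidates, among which the real plaintext is immediately recognisable, which is the reason such ciphers appear in this deck only to explain the single-key idea, not as a method.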

Public Key for Encryption
[Diagram: Sender encrypts plaintext "Top Secret" with the Receiver's Public Key → Ciphertext "%$#7@fa!s" (transmitted) → Receiver decrypts with the Receiver's Private Key → "Top Secret"; the Public/Private Key Pair belongs to the Receiver]
The sender generates a pair of keys, distributes the public key for all to see (it may be listed in directories), and keeps the private key to itself.

Public Key for Authentication
[Diagram: Sender A transforms the contract with the Sender's Private Key (labelled "Decryption" on the slide) into the Digital Signature "%$#7@fa!s", transmitted as the signed contract; Receiver B recovers the contract with the Sender's Public Key (labelled "Encryption"); the Public/Private Key Pair belongs to Sender A]
Authenticated that the contract is from Sender A.
To send this contract securely, sender A still needs to use B's public key to encrypt the digital signature, and receiver B will use its private key to decrypt the digital signature.

Digital Signatures and Digital Envelopes
• Authentication: Digital signatures are used to confirm authorship, not to encrypt a message. The sender uses his or her private key to generate a digital signature string that is bundled with the message. Upon receipt of the message, the recipient uses the sender's public key to validate the signature. Because only the signer's public key can be used to validate the signature, the digital signature is proof that the message sender's identity is authentic.
• Privacy: Digital envelopes are used to send private messages that can only be understood by a specific recipient. To create a digital envelope, the sender encrypts the message using the recipient's public key. The message can only be decrypted using the recipient's private key, so only the recipient is able to understand the message.

SSL
• Provides server authentication, encryption, and data integrity.
• Authentication assures the client that data is being sent to the correct server and that the server is secure.
• Encryption assures that the data cannot be read by anyone other than the secure target server.
• Data integrity assures that the data being transferred has not been altered.
• Must obtain an SSL digital certificate for your host computers.
  – http://www.verisign.com
  – http://www.rsa.com

SSL Architecture
[Diagram of the Internet Site protocol stack: Network Interface; Internet Layer (IP); Transport Layer (UDP, TCP); Application Layer (HTTP with Cache, FTP); alongside Windows Sockets, the File System and the Secure Sockets Layer]

Creating an SSL Session
[Diagram of the browser/server exchange:]
• Request a public key from server
• Send server's public key to the browser
• Negotiate security measures to be used
• Single session key generated by browser
• Use Server's public key to encrypt
• Use Server's private key to decrypt

Creating an SSL Session
An SSL session, which encrypts all data between the client and server, is created using the following process:
1. The Web browser establishes a secure communication link with the Web server.
2. The Web server sends the browser a copy of its certificate along with its public key. (The certificate enables the browser to confirm the server's identity and the integrity of the Web content.)
3. The Web browser and the server engage in a negotiating exchange to determine the degree of encryption to use for securing communications, typically 40 or 128 bits. The stronger 128-bit encryption is currently allowed only in the United States and Canada due to U.S. government export restrictions.
4. The Web browser generates a session key, and encrypts it with the server's public key. The browser then sends the encrypted session key to the Web server.
5. Using its own private key, the server decrypts the session key and establishes a secure channel.
6. The Web server and the browser then use the session key to encrypt and decrypt transmitted data.
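Textbook RSA with small constructed primes, as an added example that is not part of the deck, tying together the digital signature and digital envelope of the earlier slide and steps 2, 4, 5 and 6 of the session setup above. The primes, key sizes and messages are constructed for illustration; the hash-based keystream in xor_stream is a stand-in for the symmetric session cipher rather than SSL's actual cipher suite, and unpadded RSA is used only so that the arithmetic stays visible (a real deployment uses large primes, padding and a vetted library):

```python
# Added example (not from the slides): textbook RSA on small constructed primes,
# used for a digital signature, a digital envelope, and the session-key
# exchange of the SSL session steps. Nothing here is production-grade.
import hashlib
import secrets
from math import gcd


def make_keypair(p: int, q: int, e: int = 65537) -> tuple:
    """Return ((e, n), (d, n)) for the given primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def apply(key: tuple, m: int) -> int:
    """RSA is m^k mod n, with either half of the pair as k."""
    k, n = key
    assert 0 <= m < n, "message block must be smaller than n"
    return pow(m, k, n)


def sign(private_key: tuple, message: bytes) -> int:
    """Digital signature: hash the message, transform the hash with the private key."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % private_key[1]
    return apply(private_key, h)


def verify(public_key: tuple, message: bytes, signature: int) -> bool:
    """Anyone holding the public key can check the signature against the message."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % public_key[1]
    return apply(public_key, signature) == h


def seal_envelope(recipient_public: tuple, session_key: int) -> int:
    """Digital envelope: only the recipient's private key can open it."""
    return apply(recipient_public, session_key)


def open_envelope(recipient_private: tuple, envelope: int) -> int:
    """Recover the session key with the recipient's private key."""
    return apply(recipient_private, envelope)


def xor_stream(key: int, data: bytes) -> bytes:
    """Constructed stand-in for the symmetric cipher both sides use once they
    share a key: XOR with a SHA-256 keystream over (key, counter). Not SSL's cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def ssl_session_demo() -> dict:
    """Steps 2, 4, 5 and 6 of the slide's SSL session, with both sides' messages."""
    # Step 2: the server holds a key pair and sends the public half to the browser.
    server_pub, server_priv = make_keypair(1000003, 1000033)   # constructed primes
    # Step 4: the browser generates a session key and seals it with the server's public key.
    browser_session_key = secrets.randbelow(2 ** 39)           # kept below n
    wire_envelope = seal_envelope(server_pub, browser_session_key)
    # Step 5: the server opens the envelope with its private key.
    server_session_key = open_envelope(server_priv, wire_envelope)
    # Step 6: both sides use the shared session key for the bulk data.
    request = b"GET /account HTTP/1.0"
    wire_request = xor_stream(browser_session_key, request)
    seen_by_server = xor_stream(server_session_key, wire_request)
    return {
        "keys_match": browser_session_key == server_session_key,
        "envelope_hides_key": wire_envelope != browser_session_key,
        "server_reads_request": seen_by_server == request,
    }
```

sign() and verify() follow the "Public Key for Authentication" slide (private key to produce the signature, public key to check it), seal_envelope() and open_envelope() follow the "Digital Envelopes" bullet, and ssl_session_demo() shows why the handshake is a hybrid: the slow public-key operation is applied only to the short session key, and the symmetric key then carries the traffic.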

SSL
• The SSL protocol secures data communication through
– Server authentication: Authentication ensures that data is sent to the correct server and that the server is secure.
– Data encryption: Encryption ensures that the data sent is read only by the secure target server.
– Data integrity: Data integrity ensures that the data received by the target server has not been altered in any way.
• Using SSL requires an SSL digital certificate.
• The primary difference between SSL 2.0 and SSL 3.0 is that SSL 3.0 supports client certificates.
• In Internet Information Server, not only can you control whether SSL is required for access to a particular virtual server or folder, but you can also decide whether that server or folder requires a client certificate.