
Page 1: © Minder Chen, 1998-2002 Security - 1 Internet Security Minder Chen mchen@gmu.edu

Internet Security
Minder Chen
mchen@gmu.edu

Page 2

References
• Information Security Management Handbook, 4th edition, edited by Micki Krause and Harold F. Tipton.
• The SANS Security Policy Project: http://www.sans.org/newlook/resources/policies/policies.htm
• Policy Primer: http://www.sans.org/newlook/resources/policies/Policy_Primer.pdf
• Sample Policies and Procedures: http://www.sans.org/newlook/resources/policies/Appdb.doc and http://www.information-security-policies-and-standards.com/
• HIPAA FAQ: http://www.rx2000.org/KnowledgeCenter/hipaa/hipfaq.htm
• ICAT Top Ten List: http://icat.nist.gov/icat.cfm?function=topten

Page 3

Ten Immutable Laws of Security
1. If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
2. If a bad guy can alter the OS on your computer, it's not your computer anymore.
3. If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
4. If you allow a bad guy to upload programs to your web site, it's not your site anymore.
5. Weak passwords trump strong security.
6. A machine is only as secure as the administrator is trustworthy.
7. Encrypted data is only as secure as the decryption key.
8. An out-of-date virus scanner is only marginally better than no virus scanner at all.
9. Absolute anonymity isn't practical, in real life or on the web.
10. Technology is not a panacea.

Page 4

Ten Immutable Laws of Security Administration
1. Nobody believes anything bad can happen to them, until it does.
2. Security only works if the secure way also happens to be the easy way.
3. If you don't keep up with security fixes, your network won't be yours for long.
4. It doesn't do much good to install security fixes on a computer that was never secured to begin with.
5. Eternal vigilance is the price of security.
6. There really is someone out there trying to guess your passwords.
7. The most secure network is a well-administered one.
8. The difficulty of defending a network is directly proportional to its complexity.
9. Security isn't about risk avoidance; it's about risk management.
10. Technology is not a panacea.

Page 5

Security Services (OSI definition)
• Access control: protects against unauthorized use of a resource.
• Authentication: provides assurance of someone's (or something's) identity.
• Confidentiality: protects against disclosure to unauthorized parties.
• Integrity: protects against unauthorized data alteration.
• Non-repudiation: protects against the originator of a communication later denying it.

Source: http://www.cs.auckland.ac.nz/~pgut001/tutorial/

Page 6

Security Mechanisms
• Three basic building blocks are used:
– Encryption provides confidentiality. On its own it does not provide integrity or authentication: with many cipher modes an attacker can modify the ciphertext so that it decrypts to altered plaintext without knowing the key. Only authenticated-encryption modes, or encryption combined with a MAC, give all three.
– Digital signatures provide authentication, integrity protection, and non-repudiation.
– Checksums and hash algorithms provide integrity protection against accidental corruption. A keyed hash (a MAC such as HMAC) also provides authentication, because only a holder of the key can produce a valid tag; an unkeyed hash does not, since an attacker who changes the message can simply recompute it.
• One or more security mechanisms are combined to provide a security service.
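The following is an added example, not code from the slides, that shows the three building blocks and the caveats above using only Python's standard library: an unkeyed SHA-256 hash that a forger can recompute, a toy stream cipher (SHA-256 keystream XOR, a stand-in for any unauthenticated cipher mode) whose ciphertext an attacker bends to change a payment amount without the key, and the same cipher under encrypt-then-MAC with HMAC, where the bit flip is caught. The master key, nonce and payment message are constructed for the demo.

```python
import hashlib
import hmac

MASTER_KEY = b"constructed-demo-master-key"   # constructed shared secret for the demo
TAG_LEN = 32                                  # HMAC-SHA256 tag length in bytes


def derive(master: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one master key (simplified KDF)."""
    return hmac.new(master, label, hashlib.sha256).digest()


def xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with a SHA-256 counter keystream. The same call decrypts.
    It stands in for any unauthenticated cipher mode: confidentiality only."""
    out = bytearray()
    for i, byte in enumerate(data):
        if i % 32 == 0:
            block = hashlib.sha256(enc_key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)


def flip_plaintext_byte(ciphertext: bytes, offset: int, old: int, new: int) -> bytes:
    """Attacker's move against a stream cipher: change one plaintext byte without the key."""
    ct = bytearray(ciphertext)
    ct[offset] ^= old ^ new
    return bytes(ct)


def hash_check(message: bytes, digest: bytes) -> bool:
    """Unkeyed hash: catches corruption, but anyone can recompute it for a forged message."""
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)


def mac_tag(mac_key: bytes, data: bytes) -> bytes:
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def seal(master: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: confidentiality from the cipher, integrity and origin from the MAC."""
    enc_key, mac_key = derive(master, b"enc"), derive(master, b"mac")
    ct = xor_stream(enc_key, nonce, plaintext)
    return ct + mac_tag(mac_key, nonce + ct)


def open_sealed(master: bytes, nonce: bytes, blob: bytes):
    """Verify the tag first (constant-time compare); return None on any mismatch."""
    enc_key, mac_key = derive(master, b"enc"), derive(master, b"mac")
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac_tag(mac_key, nonce + ct)):
        return None
    return xor_stream(enc_key, nonce, ct)


def demo() -> dict:
    """Run the three scenarios on a constructed payment message; returns what each check saw."""
    nonce = b"\x00" * 12
    message = b"PAY alice 0100"          # byte 10 is the leading digit of the amount
    # 1. Unkeyed hash: the attacker rewrites message and hash together; the check still passes.
    forged = b"PAY mallory 0100"
    hash_fooled = hash_check(forged, hashlib.sha256(forged).digest())
    # 2. Encryption only: the attacker turns 0100 into 9100 by flipping ciphertext bits.
    enc_key = derive(MASTER_KEY, b"enc")
    ct = xor_stream(enc_key, nonce, message)
    tampered_plain = xor_stream(enc_key, nonce, flip_plaintext_byte(ct, 10, ord("0"), ord("9")))
    # 3. Encrypt-then-MAC: the same bit flip, but the tag no longer verifies.
    blob = seal(MASTER_KEY, nonce, message)
    rejected = open_sealed(MASTER_KEY, nonce, flip_plaintext_byte(blob, 10, ord("0"), ord("9")))
    return {"hash_fooled": hash_fooled,
            "malleable_plaintext": tampered_plain,
            "sealed_roundtrip": open_sealed(MASTER_KEY, nonce, blob),
            "tampered_sealed": rejected}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In real code use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 rather than assembling a cipher and a MAC by hand; the point here is only to show which property each building block contributes and which it does not.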

Page 7

10 Domains of Computer Security
• Domain 1 addresses access control. Access control consists of all of the various mechanisms (physical, logical, and administrative) used to ensure that only authorized persons or processes are allowed to use or access a system. Three categories of access control focus on: (1) access control principles and objectives, (2) access control issues, and (3) access control administration.

• Domain 2 addresses communications security. Communications security involves ensuring the integrity and confidentiality of information transmitted via telecommunications media as well as ensuring the availability of the telecommunications media itself. Three categories of communications security are: (1) telecommunications security objectives, threats, and countermeasures; (2) network security; and (3) Internet security.

Page 8

Continued…
• Domain 3 addresses risk management and business continuity planning. Risk management encompasses all activities involved in the control of risk (risk assessment, risk reduction, protective measures, risk acceptance, and risk assignment). Business continuity planning involves the planning of specific, coordinated actions to avoid or mitigate the effects of disruptions to normal business information processing functions.

• Domain 4 addresses policy, standards, and organization. Policies are used to describe management intent, standards provide a consistent level of security in an organization, and an organization architecture enables the accomplishment of security objectives. Four categories include: (1) information classification, (2) security awareness, (3) organization architecture, and (4) policy development.

Page 9

Continued…
• Domain 5 addresses computer architecture and system security. Computer architecture involves the aspects of computer organization and configuration that are employed to achieve computer security, while system security involves the mechanisms that are used to maintain the security of system programs. PC and LAN security issues, problems, and countermeasures are also in this domain.

• Domain 6 addresses law, investigation, and ethics. Law involves the legal and regulatory issues faced in an information security environment. Investigation consists of guidelines and principles necessary to successfully investigate security incidents and preserve the integrity of evidence. Ethics consists of knowledge of the difference between right and wrong and the inclination to do the right thing.

Page 10

Continued…
• Domain 7 addresses application program security. Application security involves the controls placed within the application program to support the security policy of the organization. Topics discussed include threats, applications development, availability issues, security design, and application/data access control.

• Domain 8 addresses cryptography. Cryptography is the use of secret codes to achieve desired levels of confidentiality and integrity. Two categories focus on: (1) cryptographic applications and uses and (2) crypto technology and implementations. Included are basic technologies, encryption systems, and key management methods.

Page 11

Continued…
• Domain 9 addresses (computer) operations security. Computer operations security involves the controls over hardware, media and the operators with access privileges to these. Several aspects are included, notably operator controls, hardware controls, media controls, trusted system operations, trusted facility management, trusted recovery, and environmental contamination control.

• Domain 10 addresses physical security. Physical security involves the provision of a safe environment for information processing activities with a focus on preventing unauthorized physical access to computing equipment. Three categories include: (1) threats and facility requirements, (2) personnel physical access control, and (3) microcomputer physical security.

Page 12

The 20 Most Critical Internet Security Vulnerabilities
• G1 - Default installs of operating systems and applications (each entry in the list is described under the same headings)
– G1.1 Description
– G1.2 Systems impacted
– G1.3 CVE entries
– G1.4 How to determine if you are vulnerable
– G1.5 How to protect against it
• G2 - Accounts with no passwords or weak passwords
• G3 - Non-existent or incomplete backups
• G4 - Large number of open ports
• G5 - Not filtering packets for correct incoming and outgoing addresses
• G6 - Non-existent or incomplete logging
• G7 - Vulnerable CGI programs
• Plus 6 Windows and 7 Unix vulnerabilities
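As an added illustration of G5, not part of the SANS list or of the slides, here is the ingress/egress address-filtering policy a border router should apply, written in Python over constructed packet records. The site prefix 192.0.2.0/24 (TEST-NET-1 standing in for a real allocation) and the sample packets are assumptions made for the demo.

```python
import ipaddress

# Constructed topology: the site owns one public prefix.
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
# Source addresses that must never arrive from the Internet (private, loopback, link-local,
# multicast, reserved): a packet carrying one of these as its source is forged or misrouted.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def in_any(addr, prefixes) -> bool:
    return any(addr in p for p in prefixes)


def border_filter(direction: str, src: str, dst: str) -> tuple:
    """Decide one packet at the border. direction is 'in' (arriving from the Internet)
    or 'out' (leaving the site). Returns (action, reason)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        if in_any(s, SITE_PREFIXES):
            return "drop", "inbound packet claims one of our own addresses (spoofed source)"
        if in_any(s, BOGON_PREFIXES):
            return "drop", "inbound packet from a private or unroutable source"
        if not in_any(d, SITE_PREFIXES):
            return "drop", "inbound packet not addressed to us (we are not a transit network)"
    elif direction == "out":
        if not in_any(s, SITE_PREFIXES):
            return "drop", "outbound packet with a source we do not own (egress filtering)"
    else:
        raise ValueError(f"unknown direction {direction!r}")
    return "accept", ""


# Constructed packet records: (direction, source, destination)
SAMPLE_PACKETS = [
    ("in", "203.0.113.7", "192.0.2.10"),     # normal inbound traffic
    ("in", "192.0.2.10", "192.0.2.1"),       # spoofed: claims our prefix from outside
    ("in", "10.1.2.3", "192.0.2.1"),         # private source arriving from the Internet
    ("out", "192.0.2.10", "203.0.113.7"),    # normal outbound traffic
    ("out", "198.51.100.9", "203.0.113.7"),  # compromised host spoofing a foreign source
]


def audit(packets=SAMPLE_PACKETS) -> list:
    """Apply the policy to each record; returns a list of (packet, action, reason)."""
    return [(p,) + border_filter(*p) for p in packets]


if __name__ == "__main__":
    for packet, action, reason in audit():
        print(action.upper(), packet, reason)
```

The outbound rule is the one most sites forget: it does nothing for your own security, but it stops your hosts from being used to launch spoofed-source attacks against others, which is why the SANS list pairs the two directions.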

Page 13

Level of Control
• Security needs and culture play a major role.
• Security policies MUST balance level of control with level of productivity.
• If policies are too restrictive, people will find ways to circumvent controls.
• Technical controls are not always possible.
• You must have management commitment on the level of control.

Page 14

Solution for Systems Architecture: Internet Data Center

Page 15

http://img.cmpnet.com/nc/815/graphics/hotspots.pdf

Page 16

People, Process, Product challenges?

Product
• Products lack security features
• Products have bugs
• Many issues are not addressed by technical standards
• Too hard to stay in the know and up-to-date

Process
• Designing for security
• Roles & responsibilities
• Auditing, tracking, follow-up
• Calamity plans
• Staying up-to-date with security development

People
• Lack of knowledge
• Lack of commitment
• Human error

Page 17

The Challenge of Security
Provide services (Web access, e-mail, file access, messaging) while protecting your assets (financial data, CPU cycles, network resources, intellectual property, customer information).

The right access to the right content by the right people.

Internet-enabled businesses face challenges ensuring that their computing technologies and information assets are secure, fast and easy to interact with.

Page 18

Life Was Much Simpler Back Then…
Mainframe
– Terminal access
– "Glass house"
– Physical security, limited connectivity

Page 19

Life Was Much Simpler Back Then…
Client-Server
– LAN connectivity
– File/print services
– Limited external access

Page 20

Life Became Complex After the Internet
Then the world became complex and difficult…
The Internet
– "Always on"
– E-mail, instant messaging
– The Web

Page 21

Business Impact: Security Breaches Have Real Costs
• According to the Computer Crime and Security Survey 2001, by the Computer Security Institute (CSI) and the FBI:
– Quantified financial losses of at least $377M, or $2M per survey respondent
– 40% detected system penetration from the outside, up from 25% in 2000
– 94% detected computer viruses, up from 85% in 2000
• InformationWeek estimates:
– Security breaches cost businesses $1.4 trillion worldwide this year
– 2/3 of companies have experienced viruses, worms, or Trojan horses
– 15% have experienced denial-of-service attacks

Sources: Computer Security Institute (CSI) Computer Crime and Security Survey 2001; InformationWeek.com, 10/15/01

Page 22

High Profile Security Threats (Common Methods of Cyber-Crimes)
• Hostile code
– Viruses
– Worms
– Trojan horses
• Denial of service
• Web page defacement
• Eavesdropping, interception
• Identity theft

Page 23

Security Framework
Process: Planning for security; Prevention; Detection; Reaction
Technology: Baseline technology; Standards, encryption, protection; Product security features; Security tools and products
People: Dedicated staff; Training; Security as a mindset and a priority; External people

Page 24

Traditional Definitions of Availability
Redundant architectures: specialized logic and components; redundant system components; RAID for data.

Chart: average system price against downtime hours per system per year for four levels of system availability. The chart pairs rising price with rising availability; the axis values are as printed on the chart, with the exact downtime per year (from 8760 hours) in parentheses:
99.0%    about 100 hrs/yr (87.6)   about $10K
99.9%    about 10 hrs/yr (8.76)    about $100K
99.99%   about 1 hr/yr (0.88)      about $1M
99.999%  about 0.1 hr/yr (0.09)    about $10M

As systems approach 100% uptime, costs begin to skyrocket, demonstrating diminishing returns on your investment.

While continuous business operation is often desired, solutions guaranteeing zero downtime are often cost-prohibitive, especially after weighing all risks of failure and determining what kind of downtime is acceptable for your needs.

Availability tiers, from lowest to highest: Commercial Availability; High Availability; Fault Resilient; Fault Tolerant; Continuous Processing.
Tier descriptions on the chart: "Multiple machines with recovery mechanisms, 24x7 proactive & reactive support" and, at the top end, "Utmost reliability, data integrity and security built in, 24x7 systems monitoring, business continuity services".
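An added example, not from the slides, that turns the availability percentages and the "redundant architectures" heading above into numbers: allowed downtime per year for a given availability, and how availability composes for components in series (all must be up) versus redundant replicas in parallel (any one up suffices). The 99% and 99.9% component figures are constructed, and the parallel formula assumes independent failures and instant failover, which real systems only approximate.

```python
HOURS_PER_YEAR = 365 * 24   # 8760


def downtime_hours(availability: float) -> float:
    """Allowed downtime per year for an availability fraction (0.999 is 'three nines')."""
    return (1.0 - availability) * HOURS_PER_YEAR


def in_series(*components: float) -> float:
    """Availability of a chain that is up only when every component is up
    (e.g. network path, load balancer, server, storage)."""
    total = 1.0
    for a in components:
        total *= a
    return total


def in_parallel(*replicas: float) -> float:
    """Availability of N redundant replicas where the service is up if any one is up.
    Assumes independent failures and instant failover (constructed idealisation)."""
    all_down = 1.0
    for a in replicas:
        all_down *= (1.0 - a)
    return 1.0 - all_down


def compare() -> dict:
    """Constructed scenario: one 99% server versus two such servers behind a load balancer,
    where the pair still depends on a 99.9% load balancer and a 99.9% network path."""
    single = 0.99
    pair = in_parallel(single, single)
    service = in_series(pair, 0.999, 0.999)
    return {"single": single, "pair": pair, "service": service}


if __name__ == "__main__":
    for label, a in compare().items():
        print(f"{label:8s} {a * 100:.4f}%  {downtime_hours(a):7.2f} hrs/yr")
```

The lesson matches the chart: doubling the servers takes the pair from two nines to four, but the surrounding single points of failure pull the whole service back below three nines, so the next dollar is better spent on the weakest serial component than on a third replica.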

Page 25

The Continuity Continuum (increasing cost, functionality and complexity from platform to site)
• Platform: In the Box
– High Availability Server Systems: hot-swappable, redundant components with mission-critical support
– Rapid Equipment Replacement: vendor services and financing programs
• Data: Beyond the Box
– SAN, NAS & DAS: continuous data access
– Backup and Restore: real-time tape backup, off-site storage
• Application: System Interaction
– Redundant Systems/Load Balancing: server, storage, network availability
– Clustering/Application Failover: continuous application access
• Site: Beyond the Building
– Site/Datacenter Failover: re-route data to replication/mirrored sites
– Commercial Recovery Sites: resuming in hot, cold, mobile or host facilities

Goal: maintaining the availability of systems critical to ongoing government operations during a system failure or service outage, and recovering from unplanned, catastrophic events or disasters in an orderly, timely, appropriate manner based on the risk, costs and importance of the business system.

Page 26

Large Organization Continuity Scenario (figure)
• Power: UPS sized 1000-5000 VA and 5000-16,000 VA depending on the load
• Network/communications: T1 or T3 (SDSL or fractional T1 backup); Fibre Channel to storage
• Clients: mobile and workstation users
• Production servers: file/print, messaging/email, database, web serving, applications
– Rack-dense form factor; redundant power supplies, fans, NICs; hot-swap drives and components; internal disks RAID 0/5
• Redundant servers (active-passive or active-active): automatic application failover, transparent to end users; planned maintenance & upgrades
• Storage Area Network (SAN): fully redundant storage, 64 servers, expandable up to 8.7 TB capacity, hot-swap drives and components, internal disks RAID 5; expansion enclosures
• Tape backup library (backup agent on the servers): tape autoloader, 14.4 TB capacity, 216-650 GB/hour
• Business Continuity Plan covering the whole environment

Page 27

Encryption
Symmetric (single-key) encryption
• Names: shared cipher keys, symmetric keys, secret keys, single keys
• Problem: key distribution (both parties must already share the secret)
• Methods: Data Encryption Standard (DES); its 56-bit key is now far too short, and AES has replaced it

Asymmetric (public-key) encryption
• Names: public cipher keys, asymmetric keys, public keys, a pair of keys (public key, private key)
• Problem: time consuming to process long messages, so in practice the public key protects only a short symmetric session key, and that session key encrypts the message (hybrid encryption)
• Methods: RSA; PGP (Pretty Good Privacy), which is such a hybrid system built on public keys

Page 28

Single Key (figure)
The sender encrypts the plaintext (clear text) "Test" into the ciphertext "Uftu", which is transmitted; the receiver decrypts it back to "Test" using the same key.
Encryption: right shift each letter by the key. Key: 1. Decryption: right shift by -(key).
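The slide's shift cipher as an added worked example (not the slides' own code): encryption as a right shift by the key, decryption as a right shift by -(key), and the brute-force attack that recovers the key from ciphertext alone using a crib word, which is why a single-key cipher with only 26 keys offers no real confidentiality. The sample sentence and the crib "the" are constructed.

```python
import string

ALPHABET = string.ascii_lowercase


def shift_char(ch: str, key: int) -> str:
    """Shift one ASCII letter right by key positions (wrapping at z), keeping its case.
    Anything that is not an ASCII letter (spaces, digits, punctuation) is left unchanged."""
    lower = ch.lower()
    if lower not in ALPHABET:
        return ch
    shifted = ALPHABET[(ALPHABET.index(lower) + key) % 26]
    return shifted.upper() if ch.isupper() else shifted


def encrypt(plaintext: str, key: int) -> str:
    return "".join(shift_char(c, key) for c in plaintext)


def decrypt(ciphertext: str, key: int) -> str:
    return encrypt(ciphertext, -key)        # "right shift with -(key)", as on the slide


def brute_force(ciphertext: str, crib: str = "the") -> dict:
    """The attack the tiny key space invites: try every key and keep those whose output
    contains a word the attacker expects to see (a crib). Returns {key: plaintext}."""
    candidates = {}
    for key in range(26):
        plaintext = decrypt(ciphertext, key)
        if crib in plaintext.lower():
            candidates[key] = plaintext
    return candidates


if __name__ == "__main__":
    print(encrypt("Test", 1))                                  # the slide's example
    print(decrypt("Uftu", 1))
    print(brute_force(encrypt("Meet at the glass house", 7)))  # recovers key 7
```

Shared-key ciphers used today (AES, ChaCha20) have 2^128 or more keys, so brute force is not the weakness; the key-distribution problem on the slide is, and that is what the public-key slides that follow address.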

Page 29

Public Key for Encryption (figure)
The sender encrypts the plaintext "Top Secret" with the receiver's public key into ciphertext (shown as "%$#7@fa!s"), which is transmitted; the receiver decrypts it with the receiver's private key to recover "Top Secret".
Each party (here the receiver) generates a key pair, distributes the public key for all to see (it may be listed in directories), and keeps the private key to itself. Anyone can encrypt to the receiver, but only the receiver's private key can decrypt.

Page 30

Public Key for Authentication (figure)
Sender A signs the contract with A's private key, producing the digital signature (shown as "%$#7@fa!s"); the signed contract is transmitted; receiver B checks the signature with A's public key and recovers the contract. This authenticates that the contract is from sender A.

To send this contract confidentially as well, sender A still needs to encrypt the signed contract with B's public key, and receiver B uses its private key to decrypt it before verifying the signature.

Page 31

Digital Signatures and Digital Envelopes
• Digital signatures (authentication) are used to confirm authorship, not to encrypt a message. The sender uses his or her private key to generate a digital signature string (in practice, over a hash of the message) that is bundled with the message. Upon receipt of the message, the recipient uses the sender's public key to validate the signature. Because only the matching private key could have produced a signature that the sender's public key validates, the signature is evidence that the message came from the holder of that key and was not altered in transit. This is only as strong as the binding between the public key and the sender's identity, which is what certificates provide.

• Digital envelopes (privacy) are used to send private messages that can only be understood by a specific recipient. To create a digital envelope, the sender encrypts the message using the recipient's public key; in practice the message is encrypted with a random symmetric session key, and only that key is encrypted with the recipient's public key. The message can only be decrypted using the recipient's private key, so only the recipient is able to understand the message.

Page 32

SSL
• Provides server authentication, encryption, and data integrity.
• Authentication assures the client that data is being sent to the server named in a certificate issued by a trusted certificate authority; it does not assure that the server itself is secure or well administered.
• Encryption assures that the data in transit cannot be read by anyone other than the target server.
• Data integrity assures that the data being transferred has not been altered in transit.
• You must obtain an SSL digital certificate for your host computers, for example from a commercial certificate authority:
– http://www.verisign.com
– http://www.rsa.com

Page 33

SSL Architecture (figure)
The Internet site's protocol stack, from the bottom up: Network Interface; Internet Layer (IP); Transport Layer (UDP, TCP); Application Layer (HTTP with its cache, FTP, and the file system). Windows Sockets sits between the transport and application layers, and the Secure Sockets Layer sits on top of TCP beneath the application protocols, so HTTP and FTP can run over it unchanged.

Page 34

Creating an SSL Session (figure; browser on the left, server on the right)
1. Browser: request the server's public key.
2. Server: send the server's public key to the browser.
3. Both: negotiate the security measures to be used.
4. Browser: generate a single session key and encrypt it with the server's public key.
5. Server: decrypt the session key with the server's private key.

Page 35

Creating an SSL Session
An SSL session, which encrypts all data between the client and server, is created using the following process:

1. The Web browser opens a connection to the Web server and asks for a secure session.

2. The Web server sends the browser a copy of its certificate, which carries its public key. (The certificate lets the browser confirm the server's identity; the integrity of the Web content is then protected by the message authentication codes of the session.)

3. The Web browser and the server negotiate the cipher suite, including the key length used to secure communications, typically 40 or 128 bits at the time of these slides. The stronger 128-bit encryption was for a time allowed only in the United States and Canada due to U.S. government export restrictions; those restrictions were relaxed in 2000, and 40-bit keys are trivially breakable today.

4. The Web browser generates a session key (in SSL 3.0 terms, the pre-master secret from which the session keys are derived) and encrypts it with the server's public key. The browser then sends the encrypted session key to the Web server.

5. Using its own private key, the server decrypts the session key and establishes a secure channel. Because the session key is protected only by the server's long-term key, anyone who later obtains that private key can decrypt recorded sessions; this lack of forward secrecy is why TLS 1.3 removed RSA key exchange.

6. The Web server and the browser then use the session key to encrypt and decrypt transmitted data.
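Slides 29 to 31 (digital envelope, digital signature, and the signed contract sealed for B) and slides 34 to 35 (the browser wrapping a session key with the server's public key) all use the same public-key operation, so here is one added example, not code from the slides, that implements each of them with textbook RSA in Python's standard library. Everything is constructed and deliberately small: the key pairs are built from Mersenne primes (genuinely prime, but far too small and too special for real use), there is no padding, the "symmetric cipher" is a SHA-256 keystream XOR, and the signature is over a digest reduced modulo n. Real systems use RSA-OAEP and RSA-PSS, or better, ephemeral Diffie-Hellman with an AEAD.

```python
import hashlib
import secrets

E = 65537           # standard public exponent


def keygen(p: int, q: int, e: int = E):
    """Textbook RSA key pair from two primes. Inputs are constructed; no primality test here."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # modular inverse of e; needs Python 3.8+
    return (n, e), (n, d)               # (public key, private key)


# Constructed parties with distinct primes (sharing a prime between key pairs would be fatal).
ALICE_PUB, ALICE_PRIV = keygen(2**31 - 1, 2**61 - 1)     # sender A / browser
BOB_PUB, BOB_PRIV = keygen(2**89 - 1, 2**107 - 1)        # receiver B / server


def rsa_raw(x: int, key) -> int:
    """x^exp mod n with either half of a key pair. No padding: textbook RSA only."""
    n, exp = key
    if not 0 <= x < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(x, exp, n)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (SHA-256 counter keystream XOR data); the same call decrypts."""
    out = bytearray()
    for i, b in enumerate(data):
        if i % 32 == 0:
            block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)


# Key wrapping: the one public-key operation shared by the envelope and the SSL handshake.
def wrap_key(session_key: bytes, receiver_pub) -> int:
    return rsa_raw(int.from_bytes(session_key, "big"), receiver_pub)


def unwrap_key(wrapped: int, receiver_priv, length: int = 8) -> bytes:
    return rsa_raw(wrapped, receiver_priv).to_bytes(length, "big")


# Digital envelope (slide 31): hybrid encryption for one specific receiver.
def envelope_seal(message: bytes, receiver_pub):
    session_key = secrets.token_bytes(8)          # 64-bit toy key; below every modulus above
    return wrap_key(session_key, receiver_pub), stream_xor(session_key, message)


def envelope_open(wrapped: int, ciphertext: bytes, receiver_priv) -> bytes:
    return stream_xor(unwrap_key(wrapped, receiver_priv), ciphertext)


# Digital signature (slides 30/31): sign a hash with the private key, verify with the public key.
def _digest_int(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n   # toy stand-in for padding


def sign(message: bytes, signer_priv) -> int:
    return rsa_raw(_digest_int(message, signer_priv[0]), signer_priv)


def verify(message: bytes, signature: int, signer_pub) -> bool:
    n, _ = signer_pub
    return 0 <= signature < n and rsa_raw(signature, signer_pub) == _digest_int(message, n)


def send_signed_contract(contract: bytes, sender_priv, receiver_pub):
    """Slide 30's closing note: sign with A's private key, then seal the signed contract for B."""
    sig_len = (sender_priv[0].bit_length() + 7) // 8
    payload = contract + sign(contract, sender_priv).to_bytes(sig_len, "big")
    return envelope_seal(payload, receiver_pub)


def receive_signed_contract(wrapped: int, ciphertext: bytes, receiver_priv, sender_pub):
    """B opens the envelope with its private key, then checks A's signature with A's public key."""
    sig_len = (sender_pub[0].bit_length() + 7) // 8
    payload = envelope_open(wrapped, ciphertext, receiver_priv)
    contract, sig = payload[:-sig_len], int.from_bytes(payload[-sig_len:], "big")
    return contract, verify(contract, sig, sender_pub)


# SSL-style RSA key exchange (slides 34/35, steps 4 and 5). Whoever later obtains the server's
# private key can unwrap every recorded session key: no forward secrecy.
def browser_send_session_key(server_pub):
    session_key = secrets.token_bytes(8)
    return session_key, wrap_key(session_key, server_pub)   # keep the key, send the wrapped copy


def server_recover_session_key(wrapped: int, server_priv) -> bytes:
    return unwrap_key(wrapped, server_priv)
```

Note the order in `receive_signed_contract`: the envelope is opened with B's private key first, and only then is A's signature checked with A's public key, which is exactly the sequence the slide 30 note prescribes. Verifying with the wrong public key, or after any change to the contract bytes, returns False.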

Page 36

SSL
• The SSL protocol secures data communication through
– Server authentication: ensures that data is sent to the server identified by the certificate, not to an impostor.
– Data encryption: ensures that the data sent can be read only by the target server.
– Data integrity: ensures that the data received by the target server has not been altered in any way.
• Using SSL requires an SSL digital certificate.
• The headline difference between SSL 2.0 and SSL 3.0 is that SSL 3.0 supports client certificates; SSL 3.0 is in fact a full redesign that also fixed weaknesses in the 2.0 handshake, such as cipher-suite negotiation that an attacker could roll back. Both SSL 2.0 and 3.0 are now prohibited (RFC 6176, RFC 7568) and have been replaced by TLS.
• In Internet Information Server, not only can you control whether SSL is required for access to a particular virtual server or folder, but you can also decide whether that server or folder requires a client certificate.