current threats

Motto

Thou shalt never assume

The Rogue Warrior's Eight Commandment of SpecWar

Richard MarcinkoUS Navy Seal

THREATSCurrent Threats

Attackers

External don’t know anything about your

environment can try brute force passwords at most vulnerability scanning

Internal most severe threat know their environment have already at least some level of

access can steal data they are authorized to

read

Protection: External Attackers

Firewalls Antispam/Antimalware Software Updates Account Lockout

Current threats

Assuming Physical security

computers data

Passwords cracking, keyloggers

Eavesdropping wired/wireless networks

Spam/malware directed attacks

Remote Access from unsecure computers

Data theft by authorized readers currently one of the most underestimated problem

ASSUMPTIONSCurrent Threats

Vulnerabilities

Examples: My wife crossing a road PKI misconfiguration in a bank Hidden accounts after virus attack Malicious mail from home vs. from work

Protection: Assumptions

Never assume anything Be careful Know your enemy Don’t do anything you don’t

understand

PHYSICAL SECURITYCurrent Threats

Machines

Servers rack security

Data storage Client computers

desktops, notebooks usually caching data

Peripherals Remote offices

Network

Wireless AirPCap

Wired USB Ethernet switch + netbook

Vulnerabilities

Computers easily accessed by a lot of people employees maintenance staff theft from branch offices

Attacks stealing the whole machine stealing the data only

Physical access = local administrator

Protection: Physical access Limit physical access Place computers/storage into secure

locations +hardware locks, cables

Define security boundaries data stolen passwords compromised

Encryption BitLocker, TrueCrypt

Protection: BitLocker

Provide password on startup prevents other from becoming an

administrator Use TPM

Trusted Policy Module stores the password on mother board checks signatures of BIOS, CMOS, MBR,

Boot Sector, loader etc. Windows 7 Enterprise/Ultimate

PASSWORDSCurrent Threats

Vulnerabilities

Keyloggers software hardware

Cache Cracking

Local Password Storage

Full-text passwords IE autocomplete password “lockers” fingerprint readers service/scheduled-tasks accounts

Password hashes local user accounts all domain accounts on Domain

Controllers password caches

Password Cracking

Windows MD4 Hashes local storage LAN network capture PPTP VPN

Offline Rainbow Tables

severe up to 7 characters (minutes)

Protection: Passwords

Use smart cards vs. fingerprints convenient (3-5 characters PIN) still secure than passwords

Require strong passwords Procedures, policies and audit

Never type sensitive passwords on insecure computers

Training

Protection: Comparable Algorithm Strengths (SP800-57)

Strength Symetric RSA ECDSA SHA

80 bit 2TDEA RSA 1024 ECDSA 160 SHA-1

112 bit 3TDEA RSA 2048 ECDSA 224 SHA-224

128 bit AES-128 RSA 3072 ECDSA 256 SHA-256



Protection: Smart Cards

Algoritmus Porovnání10 znaků heslo US-ASCII 70 bitSHA-1 80 bitRSA 2048 112 bitSHA-256 128 bit

Algoritmus Náročnost Doba10 znaků heslo US-ASCII 1 2 500 let

SHA-1 1024x lepší 2 600 000 let

RSA 2048 4 398 046 511 104x lepší 11 000 biliónů let

SHA-256 2^58x lepší -

Protection: Password Policies For the whole domain only

Windows 2003 Domain Function Level and older

For individual groups/users Granular Password Policies Windows 2008 Domain Functional Level

and newer Non-complex password example

login: Ondrej password: #.J@mES-BonD58

EAVESDROPPINGCurrent Threats

Vulnerabilities

Free network access No network traffic encryption People ignore warnings ARP poisoning

Protection: Eavesdropping

Implement IPSec/SSL encryption Always encrypt WiFi

not only require authentication Implement 802.1x for network

access Implement ARP protection Train people

Protection: 802.1x

Switch

Switch

Switch

PC

PC

PC

PCPrinte

r

PC PC

PC

PC

SECURE SOCKET LAYERCurrent Threats

Secure Socket Layer / IPSec

WebServer

Client

Certificate

Public key

Private key

Public key

Secure Socket Layer

WebServerClient

Certificate

Public key

Private keyRandom

Random Data

Attacking SSL

WebServer

Client

Certificate

Public key

Private key

Attacker

False Certificate

Public key

Private key

SSL Certificate prices

Verisign – 1999 300$ year

Thawte – 2003 150$ year

Go Daddy – 2005 30$ year

GlobalSign – 2006 250$ year

StartCom – 2009 free

SSL Assurance

Email loopback confirmation Requires just a valid email address No assurance about the target

identity

EV browsers

Browser VersionInternet Explorer 7.0Opera 9.5Firefox 3Google Chrome -Apple Safari 3.2Apple iPhone 3.0

EV Certificate prices

Verisign – 1999 1500$ year

Thawte – 2003 600$ year

Go Daddy – 2005 100$ year

GlobalSign – 2006 900$ year

StartCom – 2009 50$ year

TMG Forward SSL Inspection

No SSL Inspection

TMG CA Not Trusted

Web Server Certificate

TMG CA Trusted on the Client

SPAM/MALWARECurrent Threats

Vulnerabilities

No real prevention against spam Spam created anonymously

no traces/auditing Directed attacks cannot be

automatically recognized Users tend to use same passwords

for more services Stability and performance

Spam Threats

Phishing Hoax

think something do something online do something physically!

Personal reputation after forwarding

Malware Threats

Virus must be first detected after infection!

Backdoors just download the real infection does antimalware know what exactly it

was? Reinstallation of the whole

environment!

Protection: Spam and malware Train people

Implement antispam/antimalware Words/Open Relay Lists etc. SenderID

REMOTE ACCESSCurrent Threats

Vulnerabilities

Prone to keylogger attacks when used with passwords

Can be connected from quite anywhere insecure home computers, internet cafes

Some protocols not secure PPTP – passwords hashes offline cracking

Client VPN Comparison

VPN Connection requirements Logon

Client Availability

Authentic.

RDPTCP 3389server certificate (not required)

random keys (D-H)certificate private key (2048bit)

Windows XP

passwordsmart card

RDS/TS Gateway

TCP 443server certificate


Windows XP

passwordsmart card

PPTP GRE + TCP 1723depends on password qualityvulnerable to offline cracking

MS-DOSpasswordsmart card

L2TP

IPSec ESP + UDP 500/4500server certificateclient computer certificate


Windows 98

passwordsmart card

SSTP TCP 443server certificate


Windows Vista

passwordsmart card

Protection: Remote Access

Use RDP when possible sends only keystrokes and mouse receives only pictures

Use L2TP or SSTP IPSec or SSL encrypts the channel with strong random

private keys (2048 bit etc.) IPSec requires and limits connection to

those who have client computer certificate Implement VPN Quarantine

LAN

DirectAccessClien

tClient

Client DA

Server

AUTHORIZED USERSCurrent Threats

Vulnerabilities

Authorized users can read print copy send emails upload FTP/SSL/VPN

Protection: Authorized users Procedures Limit public online access and

services Limit use of removable hardware Use some Rights Management

software Data Leakage Protection

TAKEAWAYCurrent Threats

Takeaway

Anything you don’t have under your direct control is insecure

Don’t use insecure computers Use strong passwords or rather

smart cards Encrypt data and transmissions Never trust email

current threats

Documents

truecrypt protection

bitlockerprovide password

password policiesfor

characters pinstill

brute force passwords

bankhidden accounts

enterprise security

characters minutesprotection