INF526: Secure Systems Administration - Quiz Review and Adversarial Security Planning (continued). Prof. Clifford Neuman, Lecture 5, 8 February 2017, OHE100C


Page 1

INF526: Secure Systems Administration

Quiz Review and Adversarial Security Planning (continued)

Prof. Clifford Neuman

Lecture 5, 8 February 2017, OHE100C

Page 2

Class Presentation Schedule

2/8 Miles Wright-Walker - Developing adversarial security plan
2/15 Matthew Jackoski - Red Teaming / Pen Testing Tools
2/22 Abdulla Binkulaib - Developing a response plan
3/1 Jikun Li - Linux security administration
3/8 Daniel Dmytrisin - Network security components & Tech
3/22 Haibo Zhang - Network Security administration
3/29 Mariam Fahad Bubeshait - Configuration Management
4/5 Mohammed Alsubaie - SIEM and Intrusion Detection
4/12 Vishnu Vadlamani - Network Monitoring/Attack Forensics
4/19 Andrew Gronski - Accreditation and acceptance testing

Page 3

But First – Review of Quiz 1

Policy Administration - A system is secure if it correctly applies policies for access to system resources. The application of policy has several distinct components that may occur in different places, or in different modules within a system.

– Policy Enforcement Point (PEP)
– Policy Decision Point (PDP)
– Policy Administration Point (PAP)
– Policy Information Point (PIP)

Page 4

Web Server

For each of the systems described below, use your best explanation to describe what constitutes each function and where that function occurs in the system or supporting infrastructure.

• Access control for files exported through a web server such as Apache when page permissions are managed using the .htaccess file.
  • PEP:
  • PDP:
  • PAP:
  • PIP:
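The following is an added example (the editor's, not from the lecture and not Apache's own code) that models Apache HTTP Basic authentication driven by a directory's .htaccess so the four policy points can be pointed at in code. The .htaccess text, the .htpasswd entries and the request header are constructed here; the `{SHA}` line format is the one `htpasswd -s` writes (base64 of an unsalted SHA-1), and the `AuthzSendForbiddenOnFailure` behaviour is modelled as Apache documents it (401 re-challenge by default, 403 only when the directive is On).

```python
"""Added example (editor's, not from the lecture or Apache): a toy model of
Apache HTTP Basic authentication driven by .htaccess, with the four policy
points labelled. The .htaccess text, the .htpasswd entries and the request
header are all constructed here; the {SHA} line format is the one
`htpasswd -s` writes (base64 of an unsalted SHA-1)."""
import base64
import hashlib
import hmac


def sha_entry(user, password):
    """Build a {SHA} .htpasswd line as `htpasswd -s` would."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


# PIP: the credential store that AuthUserFile points at (constructed, held in
# memory instead of on disk).
HTPASSWD_FILES = {
    "/var/www/.htpasswd": "\n".join([sha_entry("alice", "correct horse"),
                                     sha_entry("bob", "hunter2")]) + "\n",
}

# PAP: the policy the administrator wrote into the directory's .htaccess.
HTACCESS = """\
AuthType Basic
AuthName "Accounts"
AuthUserFile /var/www/.htpasswd
Require user alice
"""


def parse_htaccess(text):
    """Read the few directives this model understands; others are ignored."""
    cfg = {"require": [], "forbidden_on_failure": False}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        key, rest = key.lower(), rest.strip().strip('"')
        if key == "require":
            cfg["require"].append(rest.split())
        elif key in ("authtype", "authuserfile"):
            cfg[key] = rest
        elif key == "authzsendforbiddenonfailure":
            cfg["forbidden_on_failure"] = rest.lower() == "on"
    return cfg


def authenticate(cfg, authorization):
    """PIP lookup: map the Authorization header to a verified user, or None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(authorization[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    want = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    for line in HTPASSWD_FILES.get(cfg.get("authuserfile", ""), "").splitlines():
        name, _, stored = line.partition(":")
        if name == user and stored.startswith("{SHA}") and hmac.compare_digest(stored[5:], want):
            return user
    return None


def decide(cfg, user):
    """PDP: evaluate the Require directives; any one satisfied grants access
    (Apache's default RequireAny behaviour)."""
    for req in cfg["require"]:
        if req[:2] == ["all", "granted"]:
            return True
        if req[0] == "valid-user" and user is not None:
            return True
        if req[0] == "user" and user in req[1:]:
            return True
    return False


def serve(htaccess_text, authorization):
    """PEP: the server returns the page (200) or refuses. On an authorization
    failure Apache re-challenges (401) unless AuthzSendForbiddenOnFailure is On."""
    cfg = parse_htaccess(htaccess_text)
    if cfg.get("authtype", "").lower() != "basic":
        return 200 if decide(cfg, None) else 403
    user = authenticate(cfg, authorization)
    if user is None:
        return 401
    if decide(cfg, user):
        return 200
    return 403 if cfg["forbidden_on_failure"] else 401


def basic_header(user, password):
    """Encode credentials the way a browser does for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

The point of separating the pieces: editing .htaccess (PAP) or .htpasswd (PIP) changes the outcome without touching `decide` (PDP) or `serve` (PEP), and a valid user who is not named in `Require user` is still refused by the PEP.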

Page 5

Appliance Firewall

For each of the systems described below, use your best explanation to describe what constitutes each function and where that function occurs in the system or supporting infrastructure.

• Filtering of packets passing through an appliance firewall.
  • PEP:
  • PDP:
  • PAP:
  • PIP:
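As an added example (the editor's, not from the lecture and not any firewall product's code), a toy stateless packet filter with the four policy points labelled. The ordered rule set and the packets are constructed inline, using RFC 5737 documentation addresses; it shows first-match evaluation and a fail-closed default.

```python
"""Added example (editor's, not from the lecture or any firewall product):
a toy stateless packet filter with the four policy points labelled. The rule
set and the packets are constructed inline."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "accept" or "drop"
    proto: str               # "tcp", "udp", "icmp" or "any"
    src: str                 # CIDR
    dst: str                 # CIDR
    dports: Optional[range]  # destination port range, None for any


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


# PAP: the ordered rule set an administrator pushes to the appliance
# (constructed; addresses are from the RFC 5737 documentation ranges).
RULES = [
    Rule("accept", "tcp", "0.0.0.0/0", "203.0.113.10/32", range(443, 444)),     # public HTTPS
    Rule("accept", "tcp", "198.51.100.0/24", "203.0.113.0/24", range(22, 23)),  # SSH from the admin net only
    Rule("drop", "any", "0.0.0.0/0", "0.0.0.0/0", None),                        # explicit default deny
]


def matches(rule, pkt):
    """PIP: the PDP consults nothing but fields taken from the packet header."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dports is not None and (pkt.dport is None or pkt.dport not in rule.dports):
        return False
    return True


def decide(rules, pkt):
    """PDP: first matching rule wins; with no match the packet is dropped
    (fail closed), so the trailing default-deny rule only makes that explicit."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "drop"


def forward(rules, pkt, egress):
    """PEP: the forwarding path either queues the packet on the egress
    interface or discards it; it never second-guesses the decision."""
    if decide(rules, pkt) == "accept":
        egress.append(pkt)
        return True
    return False
```

Two things the model makes visible: rule order is part of the policy (swapping the default-deny rule to the top would drop everything), and because the filter is stateless, reply traffic needs its own rule or connection tracking, which real appliances add on top of this logic.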

Page 6

Unix/Linux Filesystem

For each of the systems described below, use your best explanation to describe what constitutes each function and where that function occurs in the system or supporting infrastructure.

• Access to local files with standard Unix permissions on a system running Linux or Unix.
  • PEP:
  • PDP:
  • PAP:
  • PIP:
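As an added example (the editor's, not from the lecture and not the Linux kernel's code), the classic Unix mode-bit check modelled in Python with the four policy points labelled. Inodes and process credentials are constructed in memory; ACLs, capabilities other than the root override, setuid/sticky bits and directory search semantics are deliberately left out.

```python
"""Added example (editor's, not from the lecture or the Linux kernel): the
classic Unix mode-bit check with the four policy points labelled. Inodes and
process credentials are constructed in memory."""
from dataclasses import dataclass
from typing import FrozenSet

R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Inode:
    """PIP, object side: what the filesystem records about the file."""
    mode: int            # permission bits, e.g. 0o640
    uid: int
    gid: int
    is_dir: bool = False


@dataclass(frozen=True)
class Cred:
    """PIP, subject side: the credentials the kernel holds for the process."""
    uid: int
    gid: int
    groups: FrozenSet[int] = frozenset()


def chmod(inode, mode):
    """PAP: chmod(2) and chown(2) are how policy is administered; they change
    the inode, never the decision logic."""
    return Inode(mode & 0o7777, inode.uid, inode.gid, inode.is_dir)


def chown(inode, uid, gid):
    return Inode(inode.mode, uid, gid, inode.is_dir)


def permission_class(inode, cred):
    """Exactly one class applies: owner if the uids match, else group if the
    process holds the file's gid, else other. A denied owner does not fall
    through to the group or other bits."""
    if cred.uid == inode.uid:
        return (inode.mode >> 6) & 7
    if cred.gid == inode.gid or inode.gid in cred.groups:
        return (inode.mode >> 3) & 7
    return inode.mode & 7


def may_access(inode, cred, want):
    """PDP: the kernel's generic permission check. uid 0 overrides read and
    write; execute on a plain file still needs at least one x bit set."""
    if cred.uid == 0:
        if want & X and not inode.is_dir and not (inode.mode & 0o111):
            return False
        return True
    return (permission_class(inode, cred) & want) == want


def open_file(inode, cred, flags):
    """PEP: open(2) (or execve(2) for 'x') turns the decision into a file
    descriptor or EACCES. flags is a string drawn from 'r', 'w', 'x'."""
    want = (R if "r" in flags else 0) | (W if "w" in flags else 0) | (X if "x" in flags else 0)
    if not may_access(inode, cred, want):
        raise PermissionError("EACCES")
    return "fd"
```

The owner-class-only rule is the edge case worth remembering when answering the quiz question: a file with mode 0o070 is readable by the group but not by its own owner, because the PDP consults only the first class that applies.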

Page 7

Banking Application

For each of the systems described below, use your best explanation to describe what constitutes each function and where that function occurs in the system or supporting infrastructure.

• Access to your customers' account balances through a web server in the banking example that we have been discussing in class.
  • PEP:
  • PDP:
  • PAP:
  • PIP:

Page 8

Minimization

Provide examples of minimization, and steps that you can take to achieve such minimization, in each of the situations discussed below.

• Reduction of the attack surface for servers running within your corporate network.

Page 9

Minimization

Provide examples of minimization, and steps that you can take to achieve such minimization, in each of the situations discussed below.

• Reduction of the impact of insider threats, or of a compromise resulting from subversion of server processes.

Page 10

Minimization

Provide examples of minimization, and steps that you can take to achieve such minimization, in each of the situations discussed below.

• Reduction of the impact on other systems on your network when one system is compromised or subverted.

Page 11

Security Requirements Documents

List the kinds of requirements that should be specified in a security requirements document.

– Include a 1 or 2 sentence description of what is described by the requirement. (A security requirements document might sometimes be referred to as a security policy, or an organizational security policy, but I am avoiding the term “security policy” because that term is sometimes used to refer to other policies within a system. Here I am concerned with the broader use of the term.)

• Physical Security Requirements
  – Includes placement of devices and requirements for physical protection such as locks, doors, cages, cables, building defenses, and protection of portable media. Could include TEMPEST requirements, visibility requirements, and screening on entrance to or exit from a facility.

Page 12

Security Requirements Documents

• Personnel Security Requirements
  – Includes information on required reference checks, criminal background checks, training, code of conduct, and procedures for revoking access and vetting for special access.

• Authentication and Identity Management Policies
  – Requirements for multi-factor authentication, password strength, no sharing of accounts, federated identity management, password resets, etc.

Page 13

Data Protection Policies

• Information Flow Policies (MAC)
  – Marking, removal of media, who may access, non-disclosure requirements.
  – Encryption requirements for data at rest or in transit.

• Email and communication policies
• Software installation and access policies
• Monitoring policies

• Others?

Page 14

INF526: Secure Systems Administration

Student Presentation: Adversarial Security Planning

M.S. Candidate Myles Wright-Walker

February 8, 2017

Page 15

What is an Adversarial Security Plan?

• An adversarial security plan enables an entity to develop an awareness of its networks and systems in order to protect data, safeguard its operations, and guard its infrastructure.

Page 16

Purpose of an Adversarial Security Plan

• Predict the intentions and future actions of malicious entities
• Limit the attack surface
• Assist in developing a containment architecture in case of breach

Page 17

What is Situational Awareness?

• The United States Marine Corps defines situational awareness as the:

“Knowledge and understanding of the current situation which promotes timely, relevant, and accurate assessment of friendly, enemy, and other operations within the battlespace in order to facilitate decision making” (MCRP 5-12A).

Page 18

Situational Awareness in Regards to Cyber Security

• Within the cyber domain, this doctrine of situational awareness provides:

1. A precise understanding of the resources within your systems and network.

2. An accurate awareness of the operations and personnel that contribute to the overall function of the system and network.

Page 19

Situational Awareness in Regards to Cyber Security

3. An accurate and in-depth assessment of current resources and operations, as well as weaknesses.

4. An understanding of an adversary's potential targets and of what can be used to exploit them to cripple systems.

5. Flexibility.

Page 20

Elements of Developing Cyber Situational Awareness

NIST Cybersecurity Framework and the Critical Infrastructure and Key Resources (CIKR) framework.

Page 21

Goals of Attackers: Methodology

• Attackers generally implement the following methodology:

1. Reconnaissance: information gathering; what/who is the target?
2. Scanning/Enumerating: what is the attack surface? Ex: access points/open ports, live hosts, accounts, policies, etc.
3. Gaining Access: breaching systems, executing malicious software
4. Maintaining Access: establishing backdoors, unpatched systems
5. Clearing Evidence: decoy traffic, log manipulation, obfuscation of identity

Page 22

Goals of Attackers: Targets

• As stated in the previous lecture, adversaries will target:
  – The weakest link within a target system or network
    • Example: unpatched systems
  – Weaknesses within the system environment
    • Example: open ports, weak security mechanism policies
  – Subversion of defenses
    • Example: IDS evasion, disabling firewalls

Page 23

Goals of Attackers: Tools

• Reconnaissance
  1. Registration lookup (registrar, name servers, contacts): root# whois abc.com
  2. Getting IP addresses: resolve the target's names with the host (or dig) command; a whois client on the resulting address then shows who the address block is allocated to
  3. Trace the route to the IP: root# traceroute abc.com
  4. Identify servers: use the host command (e.g. the MX and NS records)

• Scanning and Enumerating Targets
  – Port/TCP scanning: Nmap and Nessus

Page 24

Goals of Attackers: Tools

• Gaining Access
  – Metasploit, oclHashcat

• Maintaining Access
  – Establishing a backdoor by creating user accounts or taking over unused accounts.
  – Metasploit Meterpreter

• Clearing Evidence
  – VPN service / other encrypted communication
  – Proxies
  – Botnet
  – Log manipulation (not always plausible)

Page 25

Consequences of Breach

• In order to understand the consequences of an attack, it is necessary to develop a risk model, with the purpose of:
  – Reducing, avoiding, accepting, and transferring risk

Remember from INF519: Risk of an attack = Vulnerability × Threat, or Risk = Cost × Probability of an attack

Outlined in: NIST SP 800-39, Managing Information Security Risk, and NIST SP 800-30, Guide for Conducting Risk Assessments

Page 26

Prioritizing Resources for Defense

• In order to defend your network and system against attacks, it is necessary to develop a threat model with the purpose of:
  – Identifying threats
    • Vulnerabilities
    • Deficiencies in security requirements and design
  – Identifying countermeasures
    • Technical mechanisms
    • Administrative and physical controls
    • Personnel security and training
    • Physical security
  – Identifying the weakest link, which requires the process to be repeatable

Page 27

Case Study

• Consider that you work at a data center in charge of centralizing an organization's IT operations and equipment. You are instructed to ensure that the data stored within the server room is secure.

• Environmental Factors:
  – The room is secured through two-factor authentication.
  – Personnel who access the server room require an escort of equal or higher clearance.
  – The HVAC systems are controlled through a 3rd party.
  – All the appropriate MAC and DAC policies are implemented.

Page 28

Case Study

1. Set goals and objectives of the organization (top-level awareness).
   a) Identify who you are protecting, what you are protecting, where you are protecting said assets, and why.

2. Identify assets, systems, and networks.

3. Assess risk.
   a) Enumerate threats, vulnerabilities, impact, likelihood (of attack and of success), predisposing conditions, and countermeasures.

Page 29

Case Study

4. Prioritize resources.
   a) Set metrics to identify which assets require the most security, and implement security mechanisms appropriately.

5. Implement the situational awareness security plan.

6. Measure and monitor effectiveness.
   a) Verify that implemented mechanisms are configured and working properly.
   b) Determine ongoing effectiveness.
   c) Identify and take into consideration risk-impacting changes to systems and the network, and act accordingly.

Page 30

INF526: Secure Systems Administration

Virtualization

Prof. Clifford Neuman

Lecture 5, 8 February 2017, OHE100C

Page 31

Virtualization

• Management
  – You can run many more “machines” and create new ones in an automated manner.
  – This is useful for server farms.

• Separation
  – “Separate” machines provide a fairly strong, though coarse-grained, level of protection.
  – Because the isolation can be configured to be almost total, there are fewer special cases or management interfaces to get wrong.

Page 32

Virtualization and Containment

• The separation provided by virtualization may be just what is needed to keep data managed by trusted applications out of the hands of other processes.

• But a VM would have to make sure the data is protected on disk as well.

Page 33

Virtualization

• Operating systems are all about virtualization
  – One of the most important functions of a modern operating system is managing virtual address spaces.
  – But most operating systems do this for applications, not for other OSs.

Page 34

Virtualization and Administration

• Issues affecting administration of virtual machines
  – Containment
  – Side channels
  – Throwaway mentality
  – Stateless machines
  – Privileged remote access
  – Less physical or siloed specialization
  – Relationship to cloud computing

Page 35

Virtualization of the OS

• Some have said that all problems in computer science can be handled by adding a layer of indirection.
  – Others have described solutions as reducing the problem to a previously unsolved problem.

• Virtualization of OSs does both.
  – It provides a useful abstraction for running guest OSs.
  – But the guest OSs have the same problems as if they were running natively.

Page 36

Is Virtualization Different?

• Same problems
  – Most of the problems handled by hypervisors are the same problems handled by traditional OSs.

• But the abstractions are different
  – Hypervisors present a hardware abstraction, e.g. disk blocks.
  – OSs present an application abstraction, e.g. files.

Page 37

Virtualization

• Running multiple operating systems simultaneously.
  – The OS protects its own objects from within.
  – The hypervisor provides partitioning of resources between guest OSs.

Page 38

Managing Virtual Resources

• Page faults typically trap to the hypervisor (host OS).
  – Issues arise from the need to replace page tables when switching between guest OSs.
  – Xen places itself in the guest OS's first region of memory so that the page table does not need to be rewritten for traps to the hypervisor.

• Disks are managed as block devices allocated to guest OSs, so that the Xen code that protects disk extents can be as simple as possible.


Page 41

What is the benefit of virtualization?

• Management
  – You can run many more “machines” and create new ones in an automated manner.
  – This is useful for server farms.

• Separation
  – “Separate” machines provide a fairly strong, though coarse-grained, level of protection.
  – Because the isolation can be configured to be almost total, there are fewer special cases or management interfaces to get wrong.

Page 42

What makes virtualization hard

• Operating systems are usually written to assume that they run in privileged mode.

• The hypervisor (the OS of OSs) manages the guest OSs as if they were applications.

• Some architectures provide more than two “rings”, which allows the guest OS to reside between the two states.
  – But there are still often assumptions in the code that need to be corrected in the guest OS.


Page 44

Partitioning of Resources

• Fixed partitioning of resources makes the job of managing the guest OSs easier, but it is not always the most efficient way to partition.
  – Resources unused by one OS (CPU, memory, disk) are not available to others.

• But fixed provisioning prevents use of resources in one guest OS from affecting performance, or even denying service, to applications running in other guest OSs.

Page 45

The Security of Virtualization

• +++ Isolation and protection between OSs can be simple (and at a very coarse level of granularity).

• +++ This coarse level of isolation may be an easier security abstraction to conceptualize than the finer-grained policies typically encountered in OSs.

• --- Some malware (Blue Pill) can move the running OS into a virtual machine, from within which the malware, now acting as the host, cannot be detected.

Page 46

Virtualization and Trusted Computing

• The separation provided by virtualization may be just what is needed to keep data managed by trusted applications out of the hands of other processes.

• But a trusted guest OS would have to make sure the data is protected on disk as well.

Page 47

Xen Hypervisor Intro

• An x86 virtual machine monitor.
• Allows multiple commodity operating systems to share conventional hardware in a safe and resource-managed fashion.
• Provides an idealized virtual machine abstraction to which operating systems such as Linux, BSD and Windows XP can be ported with minimal effort.
• Design supports 100 virtual machine instances simultaneously on a modern server.

Arun Viswanathan (slides primarily from the Xen website, http://www.cl.cam.ac.uk/research/srg/netos/xen/architecture.html)

Page 48

Para-Virtualization in Xen

• Xen extensions to the x86 architecture
  – Like x86, but Xen is invoked for privileged operations
  – Avoids binary rewriting
  – Minimizes the number of privilege transitions into Xen
  – Modifications are relatively simple and self-contained

• Modify the kernel to understand the virtualised environment
  – Wall-clock time vs. virtual processor time
    • Both types of alarm timer are desired
  – Expose real resource availability
    • Enables the OS to optimise its own behaviour

Page 49

Copyright © 1995-2012 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Xen 3.0 Architecture

[Figure: Xen 3.0 architecture. The Xen Virtual Machine Monitor (event channel, virtual MMU, virtual CPU, control interface, safe hardware interface, back-end device drivers, VT-x; x86_32, x86_64, IA64; AGP, ACPI, PCI, SMP) runs on the hardware (SMP, MMU, physical memory, Ethernet, SCSI/IDE). VM0 runs a XenLinux guest OS with native device drivers and the device manager and control software. VM1 and VM2 run XenLinux guest OSs with front-end device drivers and unmodified user software. VM3 runs an unmodified guest OS (WinXP) with unmodified user software.]

Page 50

x86 CPU virtualization

• Xen runs in ring 0 (most privileged); ring 1/2 for the guest OS, ring 3 for user space
• GPF if a guest attempts to use a privileged instruction
• Xen lives in the top 64MB of the linear address space
• Segmentation is used to protect Xen, as switching page tables is too slow on standard x86
• Hypercalls jump to Xen in ring 0
• The guest OS may install a ‘fast trap’ handler to direct user-space system calls to the guest OS
• MMU virtualisation: shadow vs. direct mode

Page 51

VMware

• Goals: provide the ability to run multiple operating systems, and to run untrusted code safely.
• Isolation is primarily from the guest OS to the outside. This can also provide isolation between guest OSs.
• Often configured to run inside a larger host OS, but a VMM layer is also supported as an option.

Figure by Carl Waldspurger - VMware

Page 52

VMware Memory Virtualization (figure by Carl Waldspurger - VMware)

• Intercepts MMU-manipulating functions, such as those that change the page table or TLB.
• Manages shadow page tables holding VM-to-machine mappings.
• These are kept in sync using the VMM's physical-to-machine page mappings.

Page 53

Virtualization and Containment

• Stronger containment than within an O/S
• Weaker than that provided by segregated hardware
• Can provide visibility into a VM for security tools
• Concern with subversion of the host/hypervisor

Page 54

Virtualization and Side Channels

– Multi-tenant architecture (cloud)
– The ability to monitor performance and power consumption can be used to spy on activities in other virtual machines.

Page 55

Virtualization and Throwaway

– VMs can be recreated easily and automatically.
– This allows administrators to be careless.
– It allows fast recovery.
– But the new instance of the machine has the same vulnerabilities as the compromised machine.

Page 56

Stateless Virtualization

• Tendency to store persistent data on separate services such as NAS.

• Those external services must be considered part of the attack surface.

• Local state such as logs might be lost, so use network-based monitoring.

Page 57

Privileges and Virtualization

• Inherent privileges used to be based on access to the console and the physical machine.

• Console access is “remote” when using virtual machines, and thus such access may be available without true physical access.

Page 58

No Silos in Virtualization

• System administrator functions used to be specialized: backup, hardware, OS, applications.

• With virtualization, almost all of it is an application.

• Therefore administrators now need the full range of knowledge.

Page 59

Virtualization and the Cloud

• What happens when you “outsource” administration of your VMs?
  – Policy on assignment to providers
  – Accreditation of providers
  – Need visibility through “information points” in policy evaluation.
  – Side channels are an issue for multi-tenancy.


Group Exercise One

• Decide on the software components to be deployed to implement software requirements on next slide.
– Custom development should be simple scripts.
– Use packages for database and other components.
• Decide on the VM’s to be created to run those software components.
– You can run more than one software component within a VM if you choose.
– Decide on the methods you will use to contain access to those software components, and to the information managed by those components.
• Configure communication between VM’s and to the outside
• Install packages
• Write scripts and demonstrate basic flow through system.
• Report on progress as group now by email on Tuesday 7 Feb.

59


Group 1

• Abdullah Binkulaib and Dan Dmytrisin have provided initial information, but are having difficulty engaging the rest of group one.

60


Group 2

• Submitted a requirements and design document
– Include project scope and assumptions
– Data classes, User Classes, and Protection Domains
– System Components
– System Design
• Including Data Flow Diagrams
• Including Network Diagrams
– Development timeline through end of February

61


Banking

• Your organization must:
– Maintain a database of account holders
– A database of account balances
– Enable web access by customers who:
• Can update their personal information
• Check their account balance
• Transfer funds to another account (by number)
• View transactions on their account
• Submit an image of a check for deposit
– (check should be viewable, but you do not need to scan it or process it)

• Access is needed
– Via web from the open internet
– Outbound email confirming transactions
– All other interactions may be limited by information flow policies to internal machines.
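As an added example, not from the lecture or from any student group, here is how the PEP/PDP/PIP split from the quiz review maps onto these requirements and onto the "contain access" task of Group Exercise One, in Python: the account-holder database is the information point, `decide()` is the decision point, and `EnforcementPoint` is the only path by which a web request reaches a handler. Customer ids, account numbers, balances and the handler are constructed for illustration.

```python
# Added example (not from the lecture or the student groups): a minimal
# policy information point, decision point and enforcement point for the
# banking requirements. All data is constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Policy Information Point: the account-holder database, here an in-memory
# dict of customer id -> owned account numbers (constructed).
ACCOUNT_HOLDERS: Dict[str, Set[str]] = {
    "alice": {"A-100"},
    "bob": {"B-200", "B-201"},
}

# Actions a customer may take through the web front end (from the requirements).
CUSTOMER_ACTIONS = {"update_profile", "check_balance", "transfer",
                    "view_transactions", "deposit_check"}


def accounts_of(customer_id: str) -> Set[str]:
    """PIP lookup: which accounts does this customer own? Unknown customers own none."""
    return ACCOUNT_HOLDERS.get(customer_id, set())


def decide(customer_id: str, action: str, resource: Dict[str, str]) -> bool:
    """PDP: deny by default; customers act only on their own profile and accounts.

    A transfer needs the source account to be the customer's own; the
    destination is identified by number only and may belong to anyone.
    """
    if action not in CUSTOMER_ACTIONS:
        return False
    owned = accounts_of(customer_id)
    if action == "update_profile":
        return resource.get("customer_id") == customer_id
    if action == "transfer":
        src, dst = resource.get("from_account"), resource.get("to_account")
        return src in owned and dst is not None and dst != src
    # check_balance, view_transactions, deposit_check: own account only
    return resource.get("account") in owned


@dataclass
class AuditEntry:
    customer_id: str
    action: str
    resource: Dict[str, str]
    permitted: bool


class EnforcementPoint:
    """PEP: every request passes through here. Denied requests never reach the
    handler, and every decision is recorded (ship this record off the VM, as
    the stateless-virtualization slide advises)."""

    def __init__(self) -> None:
        self.audit: List[AuditEntry] = []

    def request(self, customer_id: str, action: str, resource: Dict[str, str],
                handler: Callable[[Dict[str, str]], str]) -> Optional[str]:
        permitted = decide(customer_id, action, resource)
        self.audit.append(AuditEntry(customer_id, action, dict(resource), permitted))
        if not permitted:
            return None
        return handler(resource)


def show_balance(resource: Dict[str, str]) -> str:
    """Stand-in for the balance-database query (constructed values)."""
    balances = {"A-100": "120.00", "B-200": "42.50", "B-201": "0.00"}
    return balances[resource["account"]]


if __name__ == "__main__":
    pep = EnforcementPoint()
    print(pep.request("alice", "check_balance", {"account": "A-100"}, show_balance))
    print(pep.request("alice", "check_balance", {"account": "B-200"}, show_balance))
    for entry in pep.audit:
        print(entry)
```

Keeping the decision in one function makes the information-flow policy reviewable in isolation, and routing every handler through the PEP means a new web endpoint cannot bypass it by accident; the deny-by-default branches are what the test cases for the exercise should exercise first.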

62


Preparation for Lab Activities

• Install free version of vmplayer or virtualbox on your own machine
• Configure some version / dist of Linux as a guest OS.
• Run two instances simultaneously
• Configure to allow network communication between the two VMs.
• Install a web server on one of the VMs.
• Configure Dynamic DNS (e.g. no-ip.com) to enable connection to the server from the internet.

16


Connecting to VMs

• VNC – Virtual Network Computing
– Install TightVNC or other Client on machine from which access is attempted.
– Install and configure VNC server on Virtual Machine
– A VNC Server can be run inside your VM, or in the hypervisor
• Inside the VM is likely easier
• Portmapping a must
– Find the IP using dynamic DNS
– But multiple VM’s on a shared NAT need to be mapped manually to different ports.
• We are trying to gain access to a server under which you can run VM’s which you would connect to the same way you would here, via VNC
– Address mapping would be easier.
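Mapping several NAT'd VMs to distinct host ports by hand is where lab setups usually go wrong (two guests on 5900, or a port left wide open). As an added example, not part of the lecture, the Python below allocates one host port per VM and emits the corresponding VirtualBox `--natpf1` rules; the VM names and starting port are assumptions, and the default host address 127.0.0.1 is a design choice explained after the code.

```python
# Added example (not from the lecture): hand out a distinct host-side port
# for each VM's VNC server behind a shared NAT and emit the matching
# VirtualBox port-forwarding commands. VM names and ports are constructed.
from typing import Dict, List

VNC_GUEST_PORT = 5900    # RFB default for display :0 inside the guest
FIRST_HOST_PORT = 5901   # first host port handed out (assumption)


def allocate_vnc_ports(vm_names: List[str],
                       first_host_port: int = FIRST_HOST_PORT) -> Dict[str, int]:
    """Map each VM to its own host port so two guests never collide on the NAT."""
    if len(set(vm_names)) != len(vm_names):
        raise ValueError("VM names must be unique")
    last = first_host_port + len(vm_names) - 1
    if first_host_port < 1024 or last > 65535:
        raise ValueError("host port range out of bounds")
    return {name: first_host_port + i for i, name in enumerate(vm_names)}


def natpf_rule(vm_name: str, host_port: int, host_ip: str = "127.0.0.1",
               guest_port: int = VNC_GUEST_PORT) -> str:
    """Build the VBoxManage command for one forwarding rule on NAT adapter 1.

    Rule format is <name>,<proto>,<host ip>,<host port>,<guest ip>,<guest port>;
    an empty guest ip lets VirtualBox use the guest's DHCP-assigned address.
    """
    return (f'VBoxManage modifyvm "{vm_name}" '
            f'--natpf1 "vnc,tcp,{host_ip},{host_port},,{guest_port}"')


def vnc_forwarding_commands(vm_names: List[str],
                            host_ip: str = "127.0.0.1") -> List[str]:
    """One command per VM, in the order the names were given."""
    ports = allocate_vnc_ports(vm_names)
    return [natpf_rule(name, port, host_ip) for name, port in ports.items()]


if __name__ == "__main__":
    for cmd in vnc_forwarding_commands(["web-vm", "db-vm"]):
        print(cmd)
```

Binding the forwarded port to 127.0.0.1 keeps each VNC server reachable only from the host itself, so a remote administrator reaches it through an SSH tunnel to the host (for example `ssh -L 5901:127.0.0.1:5901 host`) instead of exposing the unencrypted RFB session to the internet; pass `host_ip="0.0.0.0"` only when direct exposure via the dynamic DNS name is really intended. `modifyvm` applies to a powered-off VM.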

64