Richard Bejtlich / rbejtlich@saball.com, Senior Engineer, Managed Network Security Operations, Ball Aerospace & Technologies Corp., San Antonio, TX, 24 Oct 01: Entering the Security Arena


Page 1

Richard Bejtlich / rbejtlich@saball.com

Senior Engineer

Managed Network Security Operations

Ball Aerospace & Technologies Corp., San Antonio, TX

24 Oct 01

Entering the Security Arena

Page 2

Introduction

• Bejtlich = 'bate-lik'

• Senior engineer for managed network security operations, BATC (2001-)

• Former captain at US Air Force Computer Emergency Response Team (1998-2001)

• Student of network-based intrusion detection, computer forensics

• http://bejtlich.net

Page 3

Outline

• Philosophy

• Planning

• Prevention

• Detection

• Response

• Personnel development

• Thank you to DreamWorks LLC and Universal Studios for Gladiator photos

Page 4

How can we best defend the empire against the barbarians of the North?

Philosophy

Page 5

Philosophy

• What is security?

• Preservation of confidentiality, integrity, and availability of an organization's resources

• Why does security matter?

• Owners must trust their resources to do business

• Customers avoid organizations they don't trust

• Regulators disallow business without safeguards

Page 6

Philosophy

• How can security be achieved?

• Plan by developing a security policy

• Prevent exploitation where possible

• Detect exploitation when it happens

• React to exploitation, then resume operations

• Constantly assess the tools and processes implementing these steps

• Ensure your people are qualified

Page 7

Who wants to write a security policy? Anyone? Anyone?

Planning

Page 8

Planning

• Security cannot be achieved without policy

• Written policy recommended, but not always needed in small, simple operations

• Without a written policy, it is difficult to enforce your security objectives

• Every computing resource is a manifestation of your security policy

Page 9

Planning

• What should a security policy discuss?

• Acceptable use of resources (CPU, bandwidth)

• Allow peer-to-peer (Gnutella, Napster), chat (IRC, AIM), remote control (VNC, pcAnywhere)?

• Prohibitions on installing software, especially tools which may be used to escalate privileges

• No reasonable expectation of privacy

• If management doesn't agree, forget it

Page 10

Planning

• Minimum preparation for incident response

• System administrator contact list; include names, titles, and numbers for home/cell phones

• Network provider contact list

• Management contact list (include PR and legal)

• Agree upon response prior to compromise

• Pursue and monitor with law enforcement help?

• Recover, secure, and press on?

Page 11

Planning

• Back-ups can save the day

• Copying critical files to tape, Zip, Jazz, CD-R

• Hard copies may be warranted

• Redundancy helps preserve availability

• Network connectivity (separate ISPs)

• Electricity (Uninterruptible Power Supplies)

• Hot spares (web servers, network devices)

Page 12

Sire, let me show you the latest offering from our security vendors.

Prevention

Page 13

Prevention

• Prevention is the continuous implementation of processes and tools to preserve security

• Prevention relies upon understanding user and customer needs

• Prevention demands appreciation of capabilities and intentions of intruders

• Balancing user needs vs. threats is key

Page 14

Prevention

• What exactly must be prevented?

• Confidentiality: exposure of information and resources to unauthorized parties

• Integrity: manipulation of information and resources by unauthorized parties

• Availability: preservation of ability of authorized parties to access information and resources

Page 15

Prevention

• Who constitutes the threat?

• Disgruntled, curious, and former users

• Competitors collecting business intelligence

• Foreign intelligence services

• Pranksters

• Technologically literate activists

• Forces of nature

Page 16

Prevention

• Risk = vulnerability X threat X recovery cost

• A new vulnerability for Windows 2000 appears: you run Solaris, so vulnerability is zero

• A new vulnerability for Windows 2000 appears: no one knows how to exploit it, so threat is zero

• It takes zero effort to resume operations after compromise: recovery cost is zero

• Taken collectively, risk is generally not zero

Page 17

Prevention

• Core principles

• Grant users the least amount of privilege necessary to perform their work

• Implement multiple, independent levels of defense which do not "fail open"

• Learn of new vulnerabilities and apply countermeasures in a timely manner

• Prevent what you can and detect everything else

Page 18

Prevention

• Core technologies

• Screening/filtering routers

• Firewalls

• Virtual Private Networks

• Authentication services

• Anti-virus applications

• Technology is only as useful as the operator who configures and uses it

Page 19

We detect clouds over Rome. Does this augur a dark future?

Detection

Page 20

Detection

• Prevention will never be 100% successful

• Ignorance is not bliss. Ignorance causes:

• Systematic, long-term compromise

• Subtle manipulation of information for evil means

• Complete loss of confidence by users, customers

• Legal and financial losses in many cases

• Detection is not optional. How one performs detection is the question.

Page 21

Detection

• Detection should be implemented in layers, as prevention is. Detect at these locations:

• Network perimeter

• Demilitarized zone

• Bastion hosts

• Critical internal hosts

• User workstations, if manageable

• Remote locations (e.g., home laptops)

Page 22

Detection

• Detection methodology

• Baseline your system processes. Know what services should be active on each.

• Baseline your network traffic. Recognize normal internal and external patterns of use.

• Implement processes and tools to detect deviations from these baselines.

• Devote resources to these processes and tools
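The methodology above (baseline the services on each host, baseline normal traffic, then flag deviations) can be implemented with very little tooling. The following is an added example, not code from the talk or from Ball Aerospace: the per-host service baseline, the traffic baseline, the netstat-style snapshot and the connection records are all constructed sample data, and the hostnames and thresholds are assumptions chosen for illustration.

```python
"""Baseline-deviation detection: expected services per host and expected
traffic flows, compared against an observed snapshot.

Added example (not from the original talk). All baselines, hostnames and
observations below are constructed sample data.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Constructed baseline: the ports that should be listening on each host.
SERVICE_BASELINE: dict[str, set[int]] = {
    "web1": {80, 443},
    "mail1": {25, 110},
    "dns1": {53},
}

# Constructed traffic baseline: (src, dst, dst_port) flows considered normal,
# with the number of connections per observation window that is typical.
TRAFFIC_BASELINE: dict[tuple[str, str, int], int] = {
    ("web1", "db1", 3306): 50,
    ("mail1", "dns1", 53): 40,
}

# Constructed netstat-style output captured from web1 (assumed format:
# "Proto Recv-Q Send-Q Local Address Foreign Address State").
WEB1_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:443            198.51.100.7:52113      ESTABLISHED
"""

# Constructed connection records for one observation window.
SAMPLE_FLOWS: list[tuple[str, str, int]] = (
    [("web1", "db1", 3306)] * 120          # more than twice the normal volume
    + [("mail1", "dns1", 53)] * 30         # within normal range
    + [("web1", "203.0.113.9", 6667)] * 3  # a flow with no baseline at all
)


@dataclass
class Finding:
    host: str
    kind: str
    detail: str


def parse_listeners(netstat_output: str) -> set[int]:
    """Extract listening TCP ports from netstat-style text."""
    ports: set[int] = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[-1] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def check_services(observed: dict[str, set[int]]) -> list[Finding]:
    """Report ports that appeared, ports that vanished, and hosts with no baseline."""
    findings: list[Finding] = []
    for host, expected in SERVICE_BASELINE.items():
        seen = observed.get(host, set())
        for port in sorted(seen - expected):
            findings.append(Finding(host, "unexpected-service",
                                    f"port {port} listening but not in baseline"))
        for port in sorted(expected - seen):
            findings.append(Finding(host, "missing-service",
                                    f"baseline port {port} not listening"))
    for host in sorted(set(observed) - set(SERVICE_BASELINE)):
        findings.append(Finding(host, "unknown-host", "no baseline for this host"))
    return findings


def check_traffic(flows: list[tuple[str, str, int]], threshold: float = 2.0) -> list[Finding]:
    """Flag flows absent from the baseline and baseline flows above threshold x normal volume."""
    counts = Counter(flows)
    findings: list[Finding] = []
    for flow, n in sorted(counts.items()):
        src, dst, port = flow
        normal = TRAFFIC_BASELINE.get(flow)
        if normal is None:
            findings.append(Finding(src, "unexpected-flow",
                                    f"{src}->{dst}:{port} ({n} connections) not in baseline"))
        elif n > threshold * normal:
            findings.append(Finding(src, "volume-anomaly",
                                    f"{src}->{dst}:{port} {n} connections vs normal {normal}"))
    return findings


def run_checks() -> list[Finding]:
    """Run both checks against the constructed snapshot and return all findings."""
    observed = {"web1": parse_listeners(WEB1_NETSTAT), "mail1": {25}, "dns1": {53}}
    return check_services(observed) + check_traffic(SAMPLE_FLOWS)


if __name__ == "__main__":
    for f in run_checks():
        print(f"{f.host:6} {f.kind:19} {f.detail}")
```

Against the constructed data this reports an unexpected listener on web1, a baseline service missing on mail1, a flow from web1 to an address with no baseline, and a database connection volume well above normal. The point the slide makes is that none of these are signatures of a known attack: they are simply departures from what the operator has documented as normal, which is why the baseline has to exist and be maintained before any of this is possible.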

Page 23

Detection

• Detection technologies

• Router and firewall logs

• Network-based intrusion detection systems

• Host-based intrusion detection systems

• Anti-virus software

• Personal workstation intrusion detection systems

• Network traffic profiling software

• Human brains

Page 24

Detection

• Challenges to detection

• Staying current with attack methods and tools

• Numerous vulnerabilities discovered each week

• Intruders constantly devise ways to evade standard detection methods

• Do-it-yourself sensors are difficult to use

• Staffing sufficient numbers of appropriately trained and compensated personnel

Page 25

This is how WE deal with compromise, pal!

Response

Page 26

Response

• Don't panic! Implement your plan.

• Contact response personnel by phone, not email

• Contain the intruder by isolating the victim host

• Decide if you want to recover or pursue

• If recovering: determine method of compromise, patch exploited system, then return to service

• If pursuing: augment detection, refine isolation, then return to service until objectives satisfied

Page 27

Response

• Response considerations

• System administrators may have more latitude for collection than law enforcement

• Reporting incidents to law enforcement helps the community at large and shows you treat exploitation seriously

• Evidence collected for prosecution must withstand intense scrutiny by defense lawyers

Page 28

We shall assemble a force to be reckoned with. Who shall test our defenses?

Personnel Development

Page 29

Personnel Development

• Your security is only as sound as the personnel planning and implementing your prevention, detection, and response

• UNIX administrators are not comfortable with Windows environments, and vice versa

• Training is a retention device, not a way for employees to learn-and-leave

• Lack of training = organizational suicide

Page 30

Personnel Development

• Reputable training mechanisms:

• Books: "My Picks" at http://bejtlich.net

• Conferences: http://www.sans.org

• Certifications: CISSP at http://www.isc2.org

• Mentoring and in-house programs

• Beware false prophets!

Page 31

I declare victory over the network intruders!

Conclusion

Page 32

Conclusion

• Security is a never-ending journey

• Any positive steps are better than nothing

• A small amount of effort can eliminate 80% of your vulnerabilities

• A moderate amount of effort can eliminate 90%

• A huge effort can eliminate 95%

• Nothing can eliminate the remaining 5%