Security: Some Highlights of the Highlights
Don McGregor
Research Associate
MOVES Institute
Cyber Security
• Security is a big and complex topic. You can’t just say “do these things and you’ll be fine,” though locking down hosts is important
• The surface area of the problem is so large that you need to get meta and think about security and what you want to accomplish before you get into checklists
What Do You Want to Secure?
– Secure data in transit?
– Secure data at rest, on a drive?
– Identities of people involved in an exercise?
– Parameters of an exercise, such as the location?
– Tactics used in a simulation?
– Prevent your software from being subverted?
– Prevent your network from being used as a launch pad for attacks on others?
– Policies and procedures for training personnel?
– Preventing insider attacks?
– Physical security?
– Policies and procedures for what to do in the event of classified data spillage?
– Probably all of them!
• The security domain is full spectrum, all the way from bits and bytes to policy and personnel questions
Frameworks For Thinking
• The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) is an outdated process, no longer used for new accreditation after May 2015, though some sites already certified under DIACAP may still exist
• The National Institute of Standards and Technology (NIST) Risk Management Framework is the replacement. It is very similar and is used across the rest of the federal government
NIST
• http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
• How to think about risk mitigation, implement a security plan, and monitor its execution
NIST Process
Some Security Highlights
Who’s Attacking? Ego
• Ego: undersocialized 13-year-olds, the curious, griefers, those looking to prove how smart they are compared to you corporate drones
• Often done for bragging rights, or to simply cause problems
• Hack the Gibson!
Attackers: Money
• Attack systems to get PII/financial data such as credit card info, sell it on the black market, hold systems ransom, etc
• http://www.businessinsider.com/we-found-out-how-much-money-hackers-actually-make-2015-7
• Sell compromised systems to botnets
Attackers: Ideology
• Opposed to military, opposed to a state or state policies, looking to do damage to it
• Snowden (Maybe! Could have been a hostile state asset), Assange, Wikileaks, jihadists, etc
Attackers: State Actors
• States using cyberattacks to gain information, attack infrastructure, conduct information operations
• Russia, China, North Korea, others
• The OPM hack, cyberattacks on Estonia and Georgia, Russian forum trolls, etc.
• Not necessarily a strong demarcation between states and criminal hackers
Networks
• Scoping it down to some of the things we talk about in a network class, what are some of the highlights?
– Firewalls
– Certificate of Networthiness
– Secure communications
– STIGs
Firewalls
• A firewall blocks network connections that policy does not explicitly allow; in socket terms, the connection is never established. In the elder days of computing you could open a connection to any host on the internet. Modern thinking is that this is a really bad idea
• Firewalls can exist at multiple levels
– Host
– Network/Enterprise
Host Firewalls
• Open only the ports that absolutely necessary programs need; deny everything else by default. Check what is actually listening on the host, not just what you think you configured
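Before deciding which ports to open, you need to know what is actually listening. The following is an added example written for this lecture, not code from the original slides: it parses the output of `ss -ltnp` (the Linux replacement for `netstat -ltnp`) and reports network-reachable listeners that are not on your allowlist. The `ss` output embedded below is constructed sample data; the port numbers and process names in it are assumptions for the demonstration.

```python
"""Audit which TCP ports a host is actually listening on against an allowlist.

Added example for this lecture, not code from the original slides. It parses
the output of `ss -ltnp` and reports listeners reachable from the network that
are not on the allowlist. Loopback-only listeners are reported separately:
they are not exposed to the network, but they tell you what else is running.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample output of `ss -ltnp` (not from a real host). A live run
# would use: subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128      0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128      [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       511      0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1034,fd=6))
LISTEN  0       128      127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=990,fd=5))
LISTEN  0       50       *:3389               *:*                users:(("xrdp",pid=1201,fd=12))
"""

LOOPBACK = {"127.0.0.1", "::1"}
_PROC_RE = re.compile(r'\(\("([^"]+)"')   # pulls "sshd" out of users:(("sshd",pid=...))


def parse_listeners(ss_output: str) -> List[Tuple[str, int, str]]:
    """Return (address, port, process) for each LISTEN line of `ss -ltnp` output."""
    listeners = []
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)        # handles "[::]:22" and "*:3389"
        addr = addr.strip("[]")
        m = _PROC_RE.search(line)
        proc = m.group(1) if m else "?"
        listeners.append((addr, int(port), proc))
    return listeners


def audit_listeners(ss_output: str, allowed_ports: Set[int]) -> Dict[str, List[Tuple[int, str]]]:
    """Split listeners into exposed-but-unexpected and loopback-only.

    A port is considered exposed unless it is bound to a loopback address.
    Exposed ports on the allowlist are the ones you intended and are not reported.
    """
    exposed_unexpected, loopback_only = [], []
    for addr, port, proc in parse_listeners(ss_output):
        if addr in LOOPBACK:
            loopback_only.append((port, proc))
        elif port not in allowed_ports:
            exposed_unexpected.append((port, proc))
    # de-duplicate the IPv4/IPv6 sockets of the same daemon, then sort by port
    return {
        "exposed_unexpected": sorted(set(exposed_unexpected)),
        "loopback_only": sorted(set(loopback_only)),
    }


if __name__ == "__main__":
    report = audit_listeners(SAMPLE_SS_OUTPUT, allowed_ports={22, 80})
    for port, proc in report["exposed_unexpected"]:
        print(f"UNEXPECTED exposed listener: {proc} on tcp/{port}")
    for port, proc in report["loopback_only"]:
        print(f"loopback only: {proc} on tcp/{port}")
```

Run against the sample with an allowlist of 22 and 80, the audit flags the xrdp listener on 3389 as exposed and unexpected, and lists postgres on 5432 as loopback-only. Anything in the first list is either a host-firewall rule you need to add or a service you should stop.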
Enterprise Firewall Architectures
• Very limited set of hosts that are absolutely required to be deployed in the DMZ
– Mail servers, web servers: things the public must be able to contact
– Watch them closely, keep them patched
– Anything exposed to the internet will be attacked
• The internal network (laptops, user desktops, internal servers) is not directly exposed to the internet
Firewalls
• Are you safe if you use a firewall? What are typical malware vectors?
– Downloaded to the client from a web site while browsing
– User clicks on a hostile email link
– User brings an infected computer from home
– WiFi connection from a host physically off campus
• Firewalls help prevent one class of attacks, but are not a cure-all. Expect your network to be attacked from inside as well
Networthiness
• Often to deploy an application on a DoD network you need a “certificate of networthiness”. The requirements vary by service and network
– http://www.atsc.army.mil/tadlp/implementation/config/networthiness.asp
– http://www.disa.mil/network-services/ucco
– NMCI application certification for a new program seems to run in the high six figures, probably done with contractor assistance
Secure Comms
• The Big Four of crypto
– Authentication
– Confidentiality
– Integrity
– Non-repudiation
• State actors have been doing this for centuries. In the last few decades civilians have been paying more attention to it
Authentication
• Establish the identity of a user, i.e. that they are who they say they are
• Variety of techniques:
– Something you know: a password
– Something you have: a token, such as a CAC card
– Something you are: a biometric, such as a fingerprint, iris scan, or signature
• Two-factor authentication requires two items from different categories, e.g. a CAC card (something you have) and its PIN (something you know)
Integrity
• The message has not been changed since it was created
• This is typically done via hashes
Integrity: Hashes
• A hash converts a message of arbitrary length into a fixed-length “fingerprint”
• The slightest change to the message will result in a different hash result
• A bare hash only catches accidental corruption: an attacker who alters the message can recompute the hash to match. Against an active attacker the fingerprint has to be keyed (a MAC) or signed, as in the non-repudiation discussion
• You also have to be alert for replay attacks
– User sends an authentic message to a bank transferring $100 to someone else; the message is recorded by an attacker and sent 50 times
Confidentiality
• The data is encrypted in such a way that those without a key can’t read it. What people normally think of as encryption
– Symmetric encryption uses the same key for both encoding and decoding
– Asymmetric or public key crypto uses one key for encrypting and another, mathematically linked key for decryption
Confidentiality: Symmetric
Confidentiality: Asymmetric
Non-Repudiation
• The user can’t deny that a message came from them. Often done via signatures, digital or otherwise
– User creates a message
– A hash creates a short, fixed-length “fingerprint” of the message
– The user encrypts (signs) the hash with their private key, and the signed hash is attached to the original message
– The recipient receives the message, hashes it himself, decrypts the sender’s hash with the sender’s public key, and compares the two
– If they match, the message was created by the sender, since only they have the private key
– Usually you also need a nonce (a random number), timestamp or sequence number inside the signed message, and the recipient must remember what it has already accepted; otherwise an attacker can replay the signed message verbatim and it will verify
• This is really a combination of Integrity + Authentication
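The steps above, together with the replay attack from the integrity slides, in one runnable piece. This is an added teaching example written for this lecture, not code from the original slides. It implements the textbook “encrypt the hash with the private key” scheme exactly as described (raw RSA with a small 512-bit key and no padding, so the arithmetic is visible), plus a per-message nonce that the recipient tracks. The key size, the message text and the nonce length are assumptions for the demonstration; production code uses a vetted library (RSA-PSS or Ed25519) with 2048-bit or larger keys.

```python
"""Hash-based integrity, RSA signature for non-repudiation, and nonce-based
replay protection, following the steps on the slide.

Added teaching example, not code from the original slides. Raw textbook RSA
with a 512-bit key: fine for seeing the mechanics, never for real use.
"""
import hashlib
import random
import secrets
from typing import Dict, Set, Tuple

PublicKey = Tuple[int, int]    # (n, e)
PrivateKey = Tuple[int, int]   # (n, d)


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force size and oddness
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512) -> Tuple[PublicKey, PrivateKey]:
    """Textbook RSA key generation: n = p*q, public e, private d = e^-1 mod phi(n)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                 # e is prime, so this is gcd(e, phi) == 1
            n = p * q
            return (n, e), (n, pow(e, -1, phi))


def fingerprint(body: bytes, nonce: bytes) -> int:
    """SHA-256 over body and nonce together; 256 bits, so always below a 512-bit n."""
    return int.from_bytes(hashlib.sha256(body + b"\x00" + nonce).digest(), "big")


def sign_message(priv: PrivateKey, body: bytes) -> Dict[str, object]:
    """Sender: hash the message plus a fresh nonce, then 'encrypt' the hash with d."""
    n, d = priv
    nonce = secrets.token_bytes(16)            # assumed nonce size for the demo
    sig = pow(fingerprint(body, nonce), d, n)  # s = h^d mod n
    return {"body": body, "nonce": nonce, "sig": sig}


def verify_and_accept(pub: PublicKey, msg: Dict[str, object], seen_nonces: Set[bytes]) -> str:
    """Recipient: recompute the hash, 'decrypt' the signature with e, compare, then
    reject any nonce already accepted so a recorded message cannot be replayed."""
    n, e = pub
    if pow(msg["sig"], e, n) != fingerprint(msg["body"], msg["nonce"]):   # h == s^e mod n ?
        return "bad signature"    # body or nonce altered, or not signed by the holder of d
    if msg["nonce"] in seen_nonces:
        return "replay"           # authentic, but already processed once
    seen_nonces.add(msg["nonce"])
    return "accepted"


if __name__ == "__main__":
    pub, priv = generate_keypair()
    seen: Set[bytes] = set()
    msg = sign_message(priv, b"transfer $100 to Bob")       # constructed demo message
    print(verify_and_accept(pub, msg, seen))                  # accepted
    print(verify_and_accept(pub, msg, seen))                  # replay (recorded and resent)
    forged = dict(msg, body=b"transfer $1000 to Bob")
    print(verify_and_accept(pub, forged, seen))               # bad signature
```

Two things to notice when you run it. The second delivery of the identical, correctly signed message is rejected only because the nonce is remembered; the signature itself still verifies, which is why a signature alone is not replay protection. And the forged transfer fails because the hash covers the body: the attacker can change the body but cannot produce the matching `h^d mod n` without `d`.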
Communications Security
• Much more on secure comms later
• This has been discussing civilian crypto; DOD crypto is controlled by the NSA, and they have their own ideas and implementations
STIGS
• Security Technical Implementation Guide
• http://iase.disa.mil/stigs/Pages/index.aspx
• Instructions for how to lock down a host, switch, or router, by brand and OS release
STIG
• CentOS 6/RHEL 6 STIG includes:
STIGs
• Similar instructions for Windows, different flavors of Unix, your favorite routers, etc.
• It’s a labor-intensive process
– Do it once and get a golden master image, which you replicate to all hosts
– There are automated configuration tools, such as Puppet, Chef, Ansible, and Salt, that both automate applying a configuration and ensure it remains in compliance
Overall
• It’s a big process and it will probably involve contractors