Security Fundamentals

Robin Anderson UMBC, Office of Information Technology



A Little About Me…
♦ Unix SysAdmin, Specialist with the Office of Information Technology at UMBC
♦ Taught Unix Administration and SANS Level One Security courses at UMBC
♦ Certified by the SANS Institute GIAC program in UNIX Security and Incident Handling
25-SEPT-2001 2

Topics Outline
♦ Post-Mortems in the News…
♦ Identifying Threats
♦ Countering Threats
♦ The (Vulnerable) Network
♦ Questions You Need to Ask
♦ Recommendations You Want to Make
♦ Resources Online



What Happened to Amazon ?
♦ Website defacing: Hackers broke in & put up phony web pages (And now, newer worms/viruses are doing the same!)
– September 2000: OPEC
– February 2000: Amazon®, eBay®
– November 1999: NASA/Goddard
– October 31, 1999: Associated Press®
– August 1999: ABC®
– June 1999: U.S. Army

What Happened to Yahoo ?

♦ Denial of Service (DoS)
– February 2000: Yahoo and CNN
♦ Multiple Hits
– September 2000: Slashdot defaced
– May 2000: Slashdot suffered DoS
♦ The irony is that Slashdot is a popular "news for nerds" website

If They’re Vulnerable… …then you are, too.



The Fundamental Theorem
♦ You have computers because they perform some function that furthers your organization’s goals
♦ If you lose the use of those computers, their function is compromised
♦ So - anything that interferes with your organization’s effort to achieve its goals is a security concern

What Are You Protecting?
♦ Information
♦ Availability of the Systems
♦ Reputation & Goodwill



Your Information
♦ Crown Jewels
– Trade secrets, patent ideas, research
♦ Financial information
♦ Personnel records
♦ Organizational structure

Your Availability
♦ Internal use
– When employees can’t use the network, servers, or other necessary systems, they can’t work
♦ Website / online transactions
– Often when systems are unavailable, the organization is losing money



Your Reputation
♦ Public trust
– If your organization is hacked, how reliable will people think you are in other areas?
– Who wants to do business with companies that leak credit card information?
♦ Being a good neighbor
– Your organization may be hacked so it can be used as a springboard to attack others

A Simple Network…
[Diagram: a simple network with a Firewall and two Routers]




… Attacked!
[Diagram: the same network (Internet, Firewall, Routers) with numbered attack points; the numbers refer to the threats listed on the following slides]


What Are These Threats?
1. DoS coming from the Internet
3. Severed Physical link
5. Masquerader / Spoofer
– They look like they’re already inside
♦ Password sniffer

What Are These Threats? (2)
♦ Alan brought a floppy from home that has a virus on it
♦ Beatrice is about to be fired – and she’s going to be angry about it
♦ Carter is careless with his passwords – he writes them down and loses the paper

What Are These Threats? (3)
1. David has unprotected shares on his NT
3. Evan installed a modem on his PC
5. Severed Power / HVAC



What Are Threat Vectors?
Vectors are the pathways by which threats enter your network



Threat Vectors - Internal
♦ Careless employees
– “Floyd the clumsy janitor”
– “Contraband” hardware / software
– “Oops, did I just type that?”
♦ Random twits (somewhere between careless & malicious)
♦ Malicious employees
– Current or former employees with axes to grind
♦ Anyone who can get physical access

Threat Vectors - External
♦ Competitors / spies / saboteurs
♦ Casual & incidental hackers
– Some hackers don’t want your systems except to use them to get at their real target
♦ Malicious hackers
♦ Accidental tourists
♦ Natural disasters
– Be ready to face down the hurricane

What Are Threat Categories?
Categories are the different kinds of threat you may encounter



Threat Categories
♦ Opportunistic
– Basic “ankle biters” and “script kiddies”
– More advanced hackers, hacker groups out trolling
♦ Targeted
– These attackers know what they want; anything from data to disruption to springboards
♦ “Omnipotent”
– Government-sponsored professional hackers

Threat Consequences
♦ Bad press
– Breach of confidentiality
• Medical data
• Credit card information
– Attack platform (you’ve been subverted!)
♦ Loss of income
– How much does it cost you in sales to have your databases, website, etc. down for any given length of time?
– Loss of trade secrets (crown jewels)

The 3 Goals of Security
♦ Ensure Availability
♦ Ensure Integrity
♦ Ensure Authorization & Authentication



Threats to Availability
♦ Denial of Service (DoS)
– Connection flooding
♦ Destroying data
– Hardware failure
– Manual deletion
– Software agents: virus, trojans



Threats to Integrity
♦ Hardware failure
♦ Software corruption
– Buggy software
– Improperly terminated programs
♦ Attacker altering data



Threats to Authorization
♦ Attacker stealing data
♦ Lost / Stolen passwords
♦ Information Reconnaissance
• Organization information



Countering These Threats… …is what security is all about.



Defining Security
♦ Security is a process
– Training is ongoing
• Threats change, admins need to keep up
• Security is inconvenient, all staff needs training
♦ Security is also about policies
♦ There is no silver bullet to fix it all
– For example, a firewall won’t save you
• Remember the Maginot Line



♦ The underlying assumption in the next section is that you, as the auditor, admin, or manager, are in a position to make security recommendations
♦ The following list of questions should not be considered in any way to be exhaustive, but a starting point to build your own list

Questions You Need to Ask
♦ What is the physical access policy to systems, routers, and backup media?
– Are the servers and main routers in a controlled-access environment?
– Who monitors access?
♦ Are desktop systems / workstations physically secured?

Questions You Need to Ask
♦ Is there a documented security policy?
– Where is it located?
– Who is responsible for maintaining it?
– Is the policy being consistently enforced?
– Who is the enforcer for the organization?
♦ Is there a firewall?
– Who maintains it and its rule-sets?
– Do its rules match the policy?

Questions You Need to Ask
♦ What is the backup policy & schedule?
– What kind of backup media & software is used?
– Where is the backup media stored? Is there an off-site safe/storage rotation?
– If the systems were utterly destroyed today, how up to date could you bring their replacements?
– Have the backups ever been tested (via a restore) for completeness and integrity?



Questions You Need to Ask
♦ Does the organization know what is on its
– If so, how does it know?
– Where are the records kept?
– Who has access to them?



Questions You Need to Ask
♦ Are routine network vulnerability scans run?
– If so, what tools are used?
– Where are the reports stored?
– Who has access to the tool and the reports?
♦ Is any routine network monitoring done?
– If so, what tools are used?
– Where are the reports stored?
– Who has access to the tool and the reports?



Questions You Need to Ask
♦ What kind of power management contingencies are available?
– Uninterruptible Power Supplies (UPS)?
– Power regulation?
– Backup generators?
– Mean time to recovery from outage?



Questions You Need to Ask
♦ What kind of authentication does your organization use?
– Passwords
• Multi-use, one-time?
• Expiration?
– Biometric authentication?
– Smart-cards



Questions You Need to Ask
♦ If you use passwords, how does your organization replace lost ones?
– Any policy on verifying the user’s identity, etc.?



Questions You Need to Ask
♦ What kind of network connections does your organization allow?
– Are they clear-text protocols (like telnet, rlogin, rsh, ftp)?
– Can your organization migrate to using encrypted protocols (like ssh, stunnel, etc.)?
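As an added example, not part of the presentation: a small Python audit that reads an inetd.conf-style service table (the sample below is constructed, not taken from any real host) and flags the enabled clear-text services, pairing each with the encrypted replacement the slide suggests. The pop3/imap entries are my addition to show where stunnel fits; the telnet, rlogin, rsh and ftp entries are the ones the slide names.

```python
# Added example: audit an inetd.conf-style service table for enabled
# clear-text services and suggest encrypted replacements.
# SAMPLE_INETD_CONF below is a constructed sample, not a real host's file.

# Clear-text services mapped to an encrypted alternative:
# ssh for remote shells and file transfer, stunnel to wrap
# services that cannot be replaced outright (pop3/imap are my addition).
CLEARTEXT_SERVICES = {
    "telnet": "ssh",
    "login": "ssh",      # rlogin (inetd service name "login")
    "shell": "ssh",      # rsh (inetd service name "shell")
    "exec": "ssh",       # rexec
    "ftp": "sftp/scp over ssh",
    "pop3": "stunnel (pop3s)",
    "imap": "stunnel (imaps)",
}

SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
pop3    stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
ssh     stream  tcp  nowait  root  /usr/sbin/sshd  sshd -i
"""


def enabled_services(conf_text):
    """Return service names from active (non-commented, non-blank) lines."""
    names = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or entry disabled with a leading '#'
        names.append(line.split()[0])  # first field is the service name
    return names


def cleartext_findings(conf_text):
    """Map each enabled clear-text service to its recommended replacement."""
    return {name: CLEARTEXT_SERVICES[name]
            for name in enabled_services(conf_text)
            if name in CLEARTEXT_SERVICES}


if __name__ == "__main__":
    for svc, fix in cleartext_findings(SAMPLE_INETD_CONF).items():
        print(f"{svc}: clear-text service enabled; migrate to {fix}")
```

The commented-out rsh line is correctly ignored, while ssh is enabled and produces no finding.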



Recommendations You Really Want to Make
♦ No matter what, recommend a dedicated security officer
– One individual responsible for security
• NOT the sys admin, network admin
– Qualifications:
• Training
• Certification (CISSP, SANS)
• Demonstrated proficiency

Recommendations You Really Want to Make
♦ Routine Vulnerability Scanning
– Tools like Saint, Nessus, Legion, Nmap, SARA
♦ Principle of Least Privilege
♦ Documented Procedures for Incident


So, What Is a Security Officer?
♦ Protector
– Internal, external
♦ Assessor
♦ Monitor
♦ Contact point
– Law enforcement
– Internal
– External

What Does It All Mean?
♦ It’s a dangerous world, but we’re not necessarily doomed!
♦ Security is an ongoing process (it’s worth repeating!)
– Ask the questions you’ve seen here
– Ask any others you think of
– Ask them all again tomorrow – new challenges are arising every day!

♦ Andy Johnston, manager and co-conspirator
♦ Jon Lasser, author of Think UNIX
♦ Stephen Northcutt, SANS instructor and author of Network Intrusion Detection



Resources Online
♦ Training and Certifications
– SANS Institute
– CISSP “Certification for Information System Security Professional”



Resources Online (2)
♦ News & Alerts
– Security Focus
– CERT was “Computer Emergency Response Team”
– CIAC “Computer Incident Advisory Capability”

Resources Online (3)
♦ Federal Information Sharing Organizations
– NIPC “National Infrastructure Protection Center”
– Infragard “Guarding the Nation’s Infrastructure”
– Infragard Maryland Chapter

Resources Online (4)
♦ SSH
♦ SSH tunnel
♦ Stunnel

Resources Online (5)
♦ Network Monitoring Software
– Snort
♦ Network Vulnerability Scanners
– Saint
– Nessus

Resources Online (6)
♦ Kerberos

♦ This Presentation


