CSE 4482: Computer Security Management: Assessment and Forensics
Instructor: Suprakash Datta (datta[at]cse.yorku.ca), ext. 77875
Lectures: Tues (CB 122), 7–10 PM
Office hours: Wed 3–5 pm (CSEB 3043), or by appointment.
Textbooks:
1. "Management of Information Security", M. E. Whitman, H. J. Mattord, Nelson Education / CENGAGE Learning, 2011, 3rd Edition
2. "Guide to Computer Forensics and Investigations", B. Nelson, A. Phillips, F. Enfinger, C. Steuart, Nelson Education / CENGAGE Learning, 2010, 4th Edition.
Managing Firewalls
Any firewall device must have its own configuration
  • Regulates its actions
  • Regardless of firewall implementation
Policy regarding firewall use
  • Should be articulated before the firewall is made operable
Configuring firewall rule sets can be difficult
  • Each firewall rule must be carefully crafted, placed into the list in the proper sequence, debugged, and tested
Management of Information Security, 3rd ed.
Managing Firewalls (cont’d.)
Configuring firewall rule sets (cont’d.)
  • Proper sequence: perform the most resource-intensive actions after the most restrictive ones
  • Reduces the number of packets that undergo intense scrutiny
Firewalls deal strictly with defined patterns of measured observation
  • Are prone to programming errors, flaws in rule sets, and other inherent vulnerabilities
Management of Information Security, 3rd ed.
Managing Firewalls (cont’d.)
Firewalls are designed to function within the limits of hardware capacity
  • Can only respond to patterns of events that happen in an expected and reasonably simultaneous sequence
Management of Information Security, 3rd ed.
Managing Firewalls (cont’d.)
Firewall best practices
  • All traffic from the trusted network is allowed out
  • The firewall is never accessible directly from the public network
  • Simple Mail Transport Protocol (SMTP) data is allowed to pass through the firewall
    • Should be routed to an SMTP gateway
  • All Internet Control Message Protocol (ICMP) data should be denied
Management of Information Security, 3rd ed.
Managing Firewalls (cont’d.)
Firewall best practices (cont’d.)
  • Telnet (terminal emulation) access to all internal servers from the public networks should be blocked
  • When Web services are offered outside the firewall
    • HTTP traffic should be handled by some form of proxy access or DMZ architecture
Management of Information Security, 3rd ed.
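A first-match rule set that encodes the best practices above, as an added Python example that is not from the textbook or the lecture; the Packet fields, zone labels, rule names and the stand-in proxy_inspect step are constructed. It also shows the ordering point from the earlier slide: cheap, restrictive denies sit before the expensive proxy rule, so few packets ever reach it.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Packet:
    src: str       # zone the packet came from: "trusted", "public" or "dmz" (constructed labels)
    dst_zone: str  # zone it is headed to
    dst_host: str  # constructed host label, e.g. "smtp-gw", "firewall", "web1"
    proto: str     # "tcp", "udp" or "icmp"
    dport: int     # destination port

# A rule is (name, predicate, verdict); the first rule whose predicate matches wins.
Rule = Tuple[str, Callable[[Packet], bool], str]

INSPECTED = 0  # how many packets reached the expensive proxy step

def proxy_inspect(p: Packet) -> bool:
    """Stand-in for resource-intensive HTTP proxy inspection (constructed)."""
    global INSPECTED
    INSPECTED += 1
    return True  # treat content as clean for this example

def tcp_from_public(p: Packet, port: int) -> bool:
    return p.src == "public" and p.proto == "tcp" and p.dport == port

# Cheap, restrictive rules first; the proxy rule, which costs the most per packet, last.
RULES: List[Rule] = [
    ("deny-all-icmp",   lambda p: p.proto == "icmp",                                   "deny"),
    ("no-direct-fw",    lambda p: p.src == "public" and p.dst_host == "firewall",     "deny"),
    ("no-telnet-in",    lambda p: tcp_from_public(p, 23),                             "deny"),
    ("trusted-out",     lambda p: p.src == "trusted" and p.dst_zone == "public",      "allow"),
    ("smtp-to-gateway", lambda p: tcp_from_public(p, 25) and p.dst_host == "smtp-gw", "allow"),
    ("smtp-elsewhere",  lambda p: tcp_from_public(p, 25),                             "deny"),
    ("http-via-dmz",    lambda p: tcp_from_public(p, 80) and p.dst_zone == "dmz"
                                  and proxy_inspect(p),                               "allow"),
]

def filter_packet(p: Packet) -> Tuple[str, str]:
    """Return (matching rule name, verdict); anything unmatched is implicitly denied."""
    for name, pred, verdict in RULES:
        if pred(p):
            return name, verdict
    return "implicit-deny", "deny"

def run(packets: List[Packet]) -> Tuple[List[str], int]:
    """Filter a batch and report how many packets reached the proxy step."""
    global INSPECTED
    INSPECTED = 0
    verdicts = [filter_packet(p)[1] for p in packets]
    return verdicts, INSPECTED
```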
Next: dealing with intrusions
  • Intrusion detection and prevention
  • Intrusion: an attacker attempts to gain entry or disrupt normal operation
  • Examples: password cracking, unauthorized data access, unauthorized software installation, unauthorized configuration changes, denial of service attacks
Typical intrusion steps
  • Initial reconnaissance (IP addresses, names, platforms, ...)
  • Network probes: port scanning, ping
  • Breaking in: gaining access to systems
  • Take over the network: install rootkits, ...
  • Launch the main attack: steal data, modify content, denial of service attacks, ...
Intrusion detection
A possible scenario (figure: http://flylib.com/books/4/213/1/html/2/images/fig04_13.jpg)
Intrusion Detection and Prevention Systems
The term intrusion detection/prevention system (IDPS) can be used to describe current anti-intrusion technologies
  • Can detect an intrusion
  • Can also prevent that intrusion from successfully attacking the organization by means of an active response
Management of Information Security, 3rd ed.
Intrusion Detection and Prevention Systems (cont’d.)
IDPSs work like burglar alarms
  • Administrators can choose the alarm level
  • Can be configured to notify administrators via e-mail and numerical or text paging
Like firewall systems, IDPSs require complex configurations to provide the level of detection and response desired
Active solutions!
Management of Information Security, 3rd ed.
Intrusion Detection and Prevention Systems (cont’d.)
The newer IDPS technologies
  • Different from older IDS technologies
  • IDPS technologies can respond to a detected threat by attempting to prevent it from succeeding
  • Types of response techniques:
    • The IDPS stops the attack itself
    • The IDPS changes the security environment
    • The IDPS changes the attack’s content
Management of Information Security, 3rd ed.
Intrusion Detection and Prevention Systems (cont’d.)
IDPSs are either:
  • Host based, to protect server or host information assets, or
  • Network based, to protect network information assets
IDPS detection methods:
  • Signature based
  • Statistical anomaly based
Management of Information Security, 3rd ed.
Intrusion Detection and Prevention Systems (cont’d.)
Figure 10-9 Intrusion detection and prevention systems
Source: Course Technology/Cengage Learning
Management of Information Security, 3rd ed.
Host-based IDPS
Resides on a particular computer or server and monitors activity only on that system
Benchmarks and monitors the status of key system files and detects when an intruder creates, modifies, or deletes files
Most HIDPSs work on the principle of configuration or change management
Advantage over NIDPS: can usually be installed so that it can access information that was encrypted when traveling over the network
From Principles of Information Security, Fourth Edition
Host-Based IDPS (cont’d.)
Configures and classifies various categories of systems and data files
HIDPSs provide only a few general levels of alert notification
Unless the HIDPS is very precisely configured, benign actions can generate a large volume of false alarms
HIDPSs can monitor multiple computers simultaneously
Management of Information Security, 3rd ed.
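The change-management principle behind most HIDPSs, as an added Python example that is not from the textbook or the lecture: a baseline of SHA-256 digests of the files under a directory, and a comparison that reports created, modified and deleted files the way a HIDPS alert would. Function names and the directory tree used when testing are constructed.

```python
import hashlib
import os
from typing import Dict, List

Baseline = Dict[str, str]  # relative path -> SHA-256 hex digest

def hash_file(path: str) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(root: str) -> Baseline:
    """Record the digest of every regular file under root, keyed by relative path.
    In a real deployment the baseline is kept read-only or off the monitored host:
    an intruder who can alter the watched files must not be able to alter it too."""
    baseline: Baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline

def compare(old: Baseline, new: Baseline) -> Dict[str, List[str]]:
    """Classify differences between two baselines: created, modified, deleted."""
    created = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"created": created, "modified": modified, "deleted": deleted}
```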
Advantages of HIDPSs
  • Can detect local events on host systems and detect attacks that may elude a network-based IDPS
  • Functions on the host system, where encrypted traffic will have been decrypted and is available for processing
  • Not affected by the use of switched network protocols
  • Can detect inconsistencies in how applications and systems programs were used by examining records stored in audit logs
From Principles of Information Security, Fourth Edition
Disadvantages of HIDPSs
  • Pose more management issues
  • Vulnerable both to direct attacks and to attacks against the host operating system
  • Does not detect multi-host scanning, nor scanning of non-host network devices
  • Susceptible to some denial-of-service attacks
  • Can use large amounts of disk space
  • Can inflict a performance overhead on its host systems
From Principles of Information Security, Fourth Edition
Network-Based IDPS
Resides on a computer or appliance connected to a segment of an organization’s network; looks for signs of attacks
Installed at a specific place in the network where it can watch traffic going into and out of a particular network segment
Monitors network traffic
  • When a predefined condition occurs, notifies the appropriate administrator
Management of Information Security, 3rd ed.
Network-Based IDPS (cont’d.)
Looks for patterns of network traffic
Matches known and unknown attack strategies against its knowledge base to determine whether an attack has occurred
Yields many more false-positive readings than host-based IDPSs
Management of Information Security, 3rd ed.
Advantages of NIDPSs
  • Good network design and placement of NIDPS can enable an organization to use a few devices to monitor a large network
  • NIDPSs are usually passive and can be deployed into existing networks with little disruption to normal network operations
  • NIDPSs are not usually susceptible to direct attack and may not be detectable by attackers
From Principles of Information Security, Fourth Edition
Disadvantages of NIDPSs
  • Can become overwhelmed by network volume and fail to recognize attacks
  • Require access to all traffic to be monitored
  • Cannot analyze encrypted packets
  • Cannot reliably ascertain whether an attack was successful or not
  • Some forms of attack are not easily discerned by NIDPSs, specifically those involving fragmented packets
From Principles of Information Security, Fourth Edition
Signature-Based IDPS
Examines data traffic for something that matches the preconfigured, predetermined attack pattern signatures
  • Also called knowledge-based IDPS
  • The signatures must be continually updated as new attack strategies emerge
  • A weakness of this method:
    • If attacks are slow and methodical, they may slip undetected through the IDPS, as their actions may not match a signature that includes factors based on the duration of the events
Management of Information Security, 3rd ed.
Statistical Anomaly-Based IDPS
Also called behavior-based IDPS
First collects data from normal traffic and establishes a baseline
  • Then periodically samples network activity, based on statistical methods, and compares the samples to the baseline
  • When activity falls outside the baseline parameters (clipping level), the IDPS notifies the administrator
Management of Information Security, 3rd ed.
Statistical Anomaly-Based IDPS (cont’d.)
Advantages:
  • Able to detect new types of attacks, because it looks for abnormal activity of any type
Disadvantages:
  • Requires much more overhead and processing capacity than a signature-based IDPS
  • May generate many false positives
Management of Information Security, 3rd ed.
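The two detection methods side by side, as an added Python example that is not from the textbook or the lecture: a knowledge-based signature for login failures that carries a duration factor (so the slow, methodical attacker from the signature-based slide slips past it), and a statistical check that compares sampled activity against a baseline clipping level. The event tuples, addresses, thresholds and k = 3 standard deviations are constructed choices.

```python
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Event = Tuple[int, str, str]  # (time in seconds, source address, event kind)

def signature_bruteforce(events: List[Event], threshold: int = 10,
                         window_s: int = 60) -> List[str]:
    """Knowledge-based rule: at least `threshold` login failures from one source
    inside any `window_s` interval. The duration factor is the weakness: an
    attacker who spaces failures wider than the window never matches."""
    by_src: Dict[str, List[int]] = {}
    for t, src, kind in events:
        if kind == "login_failure":
            by_src.setdefault(src, []).append(t)
    hits = []
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times)):
            j = i  # advance j while times[j] is still inside the window that opens at times[i]
            while j < len(times) and times[j] - times[i] < window_s:
                j += 1
            if j - i >= threshold:
                hits.append(src)
                break
    return hits

def bucket_counts(events: List[Event], bucket_s: int = 60) -> List[int]:
    """Events per fixed-size time bucket; used for both the baseline and later samples."""
    if not events:
        return []
    start = min(t for t, _, _ in events)
    end = max(t for t, _, _ in events)
    counts = [0] * ((end - start) // bucket_s + 1)
    for t, _, _ in events:
        counts[(t - start) // bucket_s] += 1
    return counts

def clipping_level(baseline_counts: List[int], k: float = 3.0) -> float:
    """Baseline parameter: mean of normal activity plus k population standard deviations."""
    return mean(baseline_counts) + k * pstdev(baseline_counts)

def anomaly_alerts(sample_counts: List[int], level: float) -> List[int]:
    """Indexes of sampled buckets whose activity falls outside the clipping level.
    Nothing here needs a signature, so a novel burst is caught; the price is that
    any unusual but legitimate burst raises the same alert (a false positive)."""
    return [i for i, c in enumerate(sample_counts) if c > level]
```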
Selecting IDPS Approaches and Products
Technical and policy considerations
  • What is your systems environment?
  • What are your security goals and objectives?
  • What is your existing security policy?
Organizational requirements and constraints
  • What are the requirements that are levied from outside the organization?
  • What are your organization’s resource constraints?
Principles of Information Security, Fourth Edition
Selecting IDPS Approaches and Products (cont’d.)
IDPS product features and quality
  • Is the product sufficiently scalable for your environment?
  • How has the product been tested?
  • What is the user level of expertise targeted by the product?
  • Is the product designed to evolve as the organization grows?
  • What are the support provisions for the product?
Principles of Information Security, Fourth Edition
IDPS: Strengths
IDPSs perform the following functions well:
  • Monitoring and analysis of system events and user behaviors
  • Testing security states of system configurations
  • Baselining the security state of a system and tracking changes
  • Recognizing system event patterns matching known attacks
  • Recognizing activity patterns that vary from normal activity
Principles of Information Security, Fourth Edition
IDPS: Strengths (cont’d.)
IDPSs perform the following functions well (cont’d.):
  • Managing OS audit and logging mechanisms and the data they generate
  • Alerting appropriate staff when attacks are detected
  • Measuring enforcement of security policies encoded in the analysis engine
  • Providing default information security policies
  • Allowing non-security experts to perform important security monitoring functions
Principles of Information Security, Fourth Edition
IDPSs: Limitations
IDPSs cannot perform the following functions:
  • Compensating for weak or missing security mechanisms in the protection infrastructure
  • Instantaneously detecting, reporting, and responding to an attack when there is heavy network or processing load
  • Detecting new attacks or variants of existing attacks
  • Effectively responding to attacks by sophisticated attackers
  • Investigating attacks without human intervention
Principles of Information Security, Fourth Edition
IDPSs: Limitations (cont’d.)
IDPSs cannot perform the following functions (cont’d.):
  • Resisting attacks intended to defeat or circumvent them
  • Compensating for problems with the fidelity of data sources
  • Dealing effectively with switched networks
Principles of Information Security, Fourth Edition
Deployment and Implementation of an IDPS
An IDPS can be implemented as:
  • Centralized: all IDPS control functions are implemented and managed in a central location
  • Fully distributed: all control functions are applied at the physical location of each IDPS component
  • Partially distributed: combines the two; while individual agents can still analyze and respond to local threats, they report to a hierarchical central facility to enable the organization to detect widespread attacks
Principles of Information Security, Fourth Edition
Figure 7-4 Centralized IDPS Control
Figure 7-5 Fully Distributed IDPS Control
Figure 7-6 Partially Distributed IDPS Control
Principles of Information Security, Fourth Edition
Deployment and Implementation of an IDPS (cont’d.)
IDPS deployment
  • Like the decision regarding control strategies, the decision about where to locate the elements of intrusion detection systems can be an art in itself
  • Planners must select a deployment strategy that is based on careful analysis of the organization’s information security requirements but, at the same time, causes minimal impact
  • NIDPS and HIDPS can be used in tandem to cover both the individual systems that connect to an organization’s networks and the networks themselves
Principles of Information Security, Fourth Edition
Deploying network-based IDPSs
NIST recommends four locations for NIDPS sensors:
  • Location 1: Behind each external firewall, in the network DMZ
  • Location 2: Outside an external firewall
  • Location 3: On major network backbones
  • Location 4: On critical subnets
Principles of Information Security, Fourth Edition
Deploying host-based IDPSs
  • Proper implementation of HIDPSs can be a painstaking and time-consuming task
  • Deployment begins with implementing the most critical systems first
  • Installation continues until either all systems are installed or the organization reaches the planned degree of coverage it is willing to live with
Principles of Information Security, Fourth Edition
Measuring IDPS Effectiveness
IDPSs are evaluated using four dominant metrics: thresholds, blacklists and whitelists, alert settings, and code viewing and editing
An evaluation of an IDPS might read: at 100 Mb/s, the IDS was able to detect 97% of directed attacks
Since developing such a collection of test attacks can be tedious, most IDPS vendors provide testing mechanisms that verify that systems are performing as expected
Principles of Information Security, Fourth Edition
Measuring IDPS Effectiveness (cont’d.)
Some of these testing processes will enable the administrator to:
  • Record and retransmit packets from a real virus or worm scan
  • Record and retransmit packets from a real virus or worm scan with incomplete TCP/IP session connections (missing SYN packets)
  • Conduct a real virus or worm scan against an invulnerable system
Principles of Information Security, Fourth Edition
Managing IDPS
If there is no response to an alert, then an alarm does no good
IDPSs must be configured to differentiate between routine circumstances and low, moderate, or severe threats
A properly configured IDPS can translate a security alert into different types of notifications
  • A poorly configured IDPS may yield only noise
Management of Information Security, 3rd ed.
Managing IDPS (cont’d.)
Most IDPSs monitor systems using agents
  • Software that resides on a system and reports back to a management server
Consolidated enterprise manager
  • Software that allows the security professional to collect data from multiple host- and network-based IDPSs and look for patterns across systems and subnetworks
  • Collects responses from all IDPSs
  • Used to identify cross-system probes and intrusions
Management of Information Security, 3rd ed.
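What the consolidated enterprise manager adds over individual agents, as an added Python example that is not from the textbook or the lecture: agent reports are collected and correlated by source, so a source that touched one host per agent (below any single agent's alarm threshold) stands out as a cross-system probe. The key=value report format, agent names, host names and addresses are constructed and belong to no product.

```python
from collections import defaultdict
from typing import Dict, Set

# Constructed agent reports: three HIDPS agents and one NIDPS sensor each saw only
# one or two events, none of which alone would justify an alarm on that host.
REPORTS = """\
agent=hids-web01 src=203.0.113.7 host=web01 event=login_failure
agent=hids-db01 src=203.0.113.7 host=db01 event=port_probe
agent=nids-dmz src=203.0.113.7 host=mail01 event=port_probe
agent=hids-app02 src=203.0.113.7 host=app02 event=login_failure
agent=hids-web01 src=198.51.100.4 host=web01 event=login_failure
agent=hids-web01 src=198.51.100.4 host=web01 event=login_failure
this line is malformed and is skipped
"""

def parse_report(line: str) -> Dict[str, str]:
    """Split a key=value report line into a dict; tokens without '=' are ignored."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields

def correlate(report_text: str, min_hosts: int = 3) -> Dict[str, Set[str]]:
    """Return each source that touched at least min_hosts distinct hosts, with those
    hosts. The per-host view never sees this pattern; only the manager, holding all
    agents' reports, can. Repeated events against a single host do not qualify."""
    hosts_by_src: Dict[str, Set[str]] = defaultdict(set)
    for line in report_text.splitlines():
        fields = parse_report(line)
        if "src" not in fields or "host" not in fields:
            continue  # malformed or partial report
        hosts_by_src[fields["src"]].add(fields["host"])
    return {src: hosts for src, hosts in hosts_by_src.items() if len(hosts) >= min_hosts}
```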
Wireless Networking Protection
Most organizations that make use of wireless networks use an implementation based on the IEEE 802.11 protocol
The size of a wireless network’s footprint
  • Depends on the amount of power the transmitter/receiver wireless access points (WAPs) emit
  • Sufficient power must exist to ensure quality connections within the intended area
  • But not allow those outside the footprint to connect
Management of Information Security, 3rd ed.
Wireless Networking Protection (cont’d.)
War driving
  • Moving through a geographic area or building, actively scanning for open or unsecured WAPs
Common encryption protocols used to secure wireless networks
  • Wired Equivalent Privacy (WEP)
  • Wi-Fi Protected Access (WPA)
Management of Information Security, 3rd ed.
Wired Equivalent Privacy (WEP)
Provides a basic level of security to prevent unauthorized access or eavesdropping
Does not protect users from observing each other’s data
Has several fundamental cryptological flaws
  • Resulting in vulnerabilities that can be exploited, which led to its replacement by WPA
Management of Information Security, 3rd ed.
Wi-Fi Protected Access (WPA)
WPA is an industry standard
  • Created by the Wi-Fi Alliance
Some compatibility issues with older WAPs
IEEE 802.11i
  • Has been implemented in products such as WPA2
  • WPA2 has newer, more robust security protocols based on the Advanced Encryption Standard
  • WPA/WPA2 provide increased capabilities for authentication, encryption, and throughput
Management of Information Security, 3rd ed.
Wi-Max
Wi-Max (WirelessMAN)
  • An improvement on the technology developed for cellular telephones and modems
  • Developed as part of the IEEE 802.16 standard
  • A certification mark that stands for Worldwide Interoperability for Microwave Access
Management of Information Security, 3rd ed.
Bluetooth
A de facto industry standard for short-range (approx. 30 ft) wireless communications between devices
The Bluetooth wireless communications link can be exploited by anyone within range
  • Unless suitable security controls are implemented
In discoverable mode, devices can easily be accessed
  • Even in nondiscoverable mode, the device is susceptible to access by other devices that have connected with it in the past
Management of Information Security, 3rd ed.
Bluetooth (cont’d.)
Does not authenticate connections
  • It does implement some degree of security when devices access certain services like dial-up accounts and local-area file transfers
To secure Bluetooth-enabled devices:
  • Turn off Bluetooth when you do not intend to use it
  • Do not accept an incoming communications pairing request unless you know who the requestor is
Management of Information Security, 3rd ed.
Managing Wireless Connections
One of the first management requirements is to regulate the size of the wireless network footprint
  • By adjusting the placement and strength of the WAPs
Select WPA or WPA2 over WEP
Protect preshared keys
Management of Information Security, 3rd ed.