Presented by: James Nelson. Information Security Concepts Implemented. CERT Conference 2000. PRESENTATION NOTE.
PRESENTATION NOTE As I present today, I will pose questions to everyone in the room. I am soliciting your thought processes. I would appreciate it if everyone would quietly observe and make notes of any questions they might have. While I am confident we will be able to get through all of my materials today, I am not fully confident that we will be able to cover all of the questions at the end of the presentation. I will be happy to respond to questions via email at a later time. Please come forward and introduce yourself after the presentation so we can exchange business cards.
“Relate Something Real and Complement Academic” In ACADEMIC environments, we work with • PHILOSOPHIES • CONCEPTS • THEORIES In the realm of “something real” we start with a problem (usually business) and work toward the solution.
“Relate Something Real and Complement Academic” From http://www.sans.org/mistakes.htm The top mistakes people make that lead to security breaches: (paraphrased) Users open unsolicited email attachments, fail to keep application patches installed, install trojan games or screen savers, forget about backups, and use modems while connected to the LAN.
“Relate Something Real and Complement Academic” Also paraphrased from mistakes.htm Generally, senior executives assign untrained people to maintain security, fail to relate information security and business problems directly, rely heavily on firewalls, fail to realize the value of their information and reputation, authorize reactive short-term fixes, and pretend problems will “go away” by ignoring them.
“Relate Something Real and Complement Academic” According to http://www.sans.org/newlook/resources/errors.htm, the top management errors leading to vulnerability were determined by 1,850 computer security experts and managers meeting at the SANS99 and Federal Computer Security Conferences held in Baltimore May 7-14, 1999.
“Relate Something Real and Complement Academic” Also paraphrased from mistakes.htm IT people network unhardened systems or systems with default accounts and passwords, don’t patch security holes when discovered, don’t use encryption to manage devices, give out passwords over the phone, don’t test “current” backups, run unnecessary services, implement open firewalls, don’t properly address viruses, and fail to educate their peers and users.
How can we apply the philosophies, concepts and theories of security to the real world? What core concept needs to be applied? Use forethought to build security into the implemented process. Why? Security costs far more to add as an afterthought than it does to implement in the first place! It is important to understand how closely information security and sound business processes are related.
IT IS IMPORTANT FOR MANAGERS TO UNDERSTAND BOTH TOPICS Today, there are still many (highly paid) managers who do not fully understand information security. If a manager can’t perceive the right thing as the “mistake”, they can’t address the issue appropriately. Once a manager is able to understand the relationship between information security and sound business process, they are able to make the critical decisions required to adjust their practices and properly address security issues. I will start with basic security concepts.
ALWAYS USE PRODUCTS WITH THE MARKS OF GOOD DESIGN But what are the “marks of good design”? They are really a collection of concepts that form the mold for a reasonably secure system. When the “marks of good design” are built into a system and implemented correctly, the end result will be a reasonably secure system. (Note: I said a REASONABLY SECURE system.)
THE MARKS OF GOOD DESIGN Uniqueness and 1:1 ratio of User to ID’s, Least Privilege, Dual Control Points, Role Separation, Separation of Duties, Time Synchronization, Artificially Intelligent Logging Mechanisms, Log Retention, Log Correlation, Reaction or Response Mechanisms, Encryption Mechanisms, Strong (two-factor) Authentication, Auditing Mechanisms, and Finite Tunable Security Controls. (there are more)
THE MARKS OF GOOD DESIGN Got all that? Moving right along... JUST KIDDING!
THE MARKS OF GOOD DESIGN What do I mean by Uniqueness and 1:1 ratio of User to ID’s? The defined set of credentials to be used as a regular means to access a system must be assigned to one individual who is held responsible for the use (or misuse) of the credentials.
THE MARKS OF GOOD DESIGN Uniqueness and 1:1 ratio of User to ID’s Commonly, organizations fail to implement methods to ensure individual accountability through uniqueness. The most commonly observed failure points are caused by poor control of built-in system ID’s, poor password selection by users, and bad password management schemes for built-in credentials (which should be used for EMERGENCY USE ONLY!)
THE MARKS OF GOOD DESIGN Uniqueness and 1:1 ratio of User to ID’s Real world examples: I’ve seen several organizations choose a “standard password” for their root or administrator accounts across multiple systems rather than granting the required access through assigned security credentials and the use of utilities similar to sudo.
THE MARKS OF GOOD DESIGN Define Least Privilege: Assigning a minimum set of allowed operations or account credentials that are PROVEN to be required to perform a task. I can’t count the number of times I have had to SET file system permissions and registry permissions for an application. Vendors need to build quality installation programs and stop CLAIMING their products NEED administrator access. Some do need administrator privileges, but most do not.
THE MARKS OF GOOD DESIGN Define Dual Control Points: The practice of using separate vendors and control mechanisms to accomplish a single desired control. Commonly used in environments where the requirement to “fail safe” is present. Example: An internet router purchased from Vendor X and a firewall purchased from Vendor Y that are both configured to apply least privilege, inbound and outbound, on all of their interfaces.
THE MARKS OF GOOD DESIGN Dual Control Points: Are they really that important? You decide! I had a system out on the internet that was protected by TCP wrappers and several other hardening techniques. I even had the system configured to page me. The system was completely wiped when a hole in the TCP wrapper logic allowed the attacker to use a buffer overflow technique to break into the system and take root.
THE MARKS OF GOOD DESIGN Dual Control Points: The lesson on why to use them doesn’t have to be learned “the hard way”! Had I bothered to implement access lists on the internet router to match my TCP wrapper configuration, I would have been able to share the entire weekend with my family on the first Mother’s Day after our son was born. Instead, I spent most of the weekend performing a disaster recovery. Now WE ALL know! (yes, it was successful) True story!
THE MARKS OF GOOD DESIGN Define Role Separation: A method to improve security where security roles are assigned according to a user’s required duties and implemented using least privilege for each role, independent of any other role. Example: assigning administrators a separate user ID and process for reading email so their admin access cannot be used to run malicious code (viruses).
THE MARKS OF GOOD DESIGN Role Separation Consider: What would happen if an email worm was released that would identify and disable all administrator accounts it could find, ending with the account currently being used? What if an administrator opens the email? What if a domain guest or ordinary user opens the email?
THE MARKS OF GOOD DESIGN Define Separation of Duties: Implementing carefully designed checks and balances in processes instead of assigning all credentials necessary to perform the process to a single individual or group of individuals. Separation of duties is typically used when a high degree of trust and assurance is required to accomplish a task.
THE MARKS OF GOOD DESIGN Separation of Duties: Example: It takes many people to access the vaults at Fort Knox. From time to time, fork-lifts are used to move pallets of gold bars around inside the vault. If a single bar of gold was taken, the financial loss encountered would be very high. (Currently over $200K for a 50 LB bar)
THE MARKS OF GOOD DESIGN Define Time Synchronization: A method to ensure that the time across multiple systems is exactly the same. Audit logs can show time-stamps on events as they occur on a given system. Without an implemented method to synchronize the time across all the systems on a given network, audit logs are extremely difficult to interpret.
THE MARKS OF GOOD DESIGN Time Synchronization is the most commonly overlooked (or ignored) easy-to-implement security measure. Generally it does not matter if the time is wrong as long as it is consistent between systems. When enterprises start connecting their networks together for business-to-business transactions, then it becomes important for the time to be in sync with world time.
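The lesson above (a router access list that matches the TCP wrappers configuration) can be turned into a repeatable check. The following is an added example, not code from the presentation: it parses a constructed hosts.allow fragment and a constructed first-match router ACL, then probes both layers with sample flows and reports any flow that only one of the two control points would stop. The daemon-to-port mapping, the ACL tuple format, and an assumed hosts.deny of "ALL: ALL" are all assumptions of the example.

```python
import ipaddress

# Constructed sample TCP wrappers rules (hosts.allow); hosts.deny is assumed to hold "ALL: ALL".
HOSTS_ALLOW = """
# daemon: client list
sshd: 192.0.2.0/24
smtpd: ALL
"""

# Constructed sample inbound router ACL, evaluated first-match: (action, source, dest port or None).
ROUTER_ACL = [
    ("permit", "0.0.0.0/0", 22),   # too wide: ssh is meant for 192.0.2.0/24 only
    ("permit", "0.0.0.0/0", 25),
    ("deny", "0.0.0.0/0", None),
]

SERVICE_PORTS = {"sshd": 22, "smtpd": 25}  # assumed daemon-to-port mapping


def parse_hosts_allow(text):
    """Turn hosts.allow lines into (daemon, network) pairs; ALL becomes 0.0.0.0/0."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        daemon, clients = (part.strip() for part in line.split(":", 1))
        for client in clients.split(","):
            client = client.strip()
            net = "0.0.0.0/0" if client == "ALL" else client
            rules.append((daemon, ipaddress.ip_network(net)))
    return rules


def router_permits(acl, src, port):
    """First-match evaluation of the router ACL; anything unmatched is implicitly denied."""
    for action, net, acl_port in acl:
        if src in ipaddress.ip_network(net) and acl_port in (None, port):
            return action == "permit"
    return False


def host_permits(rules, src, port):
    """TCP wrappers allows the flow only if some daemon rule for that port matches the source."""
    return any(SERVICE_PORTS.get(daemon) == port and src in net for daemon, net in rules)


def find_single_control_points(hosts_allow_text, acl, probes):
    """Report probe flows that only one of the two layers would stop (no dual control)."""
    rules = parse_hosts_allow(hosts_allow_text)
    findings = []
    for src_str, port in probes:
        src = ipaddress.ip_address(src_str)
        r, h = router_permits(acl, src, port), host_permits(rules, src, port)
        if r and not h:
            findings.append(f"{src}:{port} passes the router; TCP wrappers is the only control")
        elif h and not r:
            findings.append(f"{src}:{port} allowed by TCP wrappers but dropped at the router (drift)")
    return findings


# Constructed probe flows: an in-range source and an arbitrary internet source.
PROBES = [("192.0.2.10", 22), ("198.51.100.7", 22), ("198.51.100.7", 25), ("198.51.100.7", 80)]

if __name__ == "__main__":
    for finding in find_single_control_points(HOSTS_ALLOW, ROUTER_ACL, PROBES):
        print(finding)
```

Tightening the router's ssh rule to the same 192.0.2.0/24 source as hosts.allow makes the report empty, which is the state the story above argues for.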
THE MARKS OF GOOD DESIGN Define Artificially Intelligent Logging Mechanisms: Information collection systems able to increase or decrease the amount of information being requested from a monitored process based on the interpreted information collected from the process previously. AI Logging Mechanisms are still a bleeding-edge (and therefore rarely implemented) technology. They are a very important part of highly secure application models because they offer low-overhead and yield highly useful security information.
THE MARKS OF GOOD DESIGN Define Log Retention Systems: A repository-based mechanism constructed to enable administrators to perform time-based or event-based (or both) management of information (storage and retrieval) from network devices, servers, or applications. Log retention mechanisms usually consist of a very large central repository and logic that can determine what to store, how to store it, and how to retrieve it. Advanced systems enable administrators to easily retrieve logs as needed and build reports based on the data.
THE MARKS OF GOOD DESIGN Define Log Correlation: The process of following a chain of events through their logical access path on (indirectly) related systems. Typically, log correlation systems are useful for interpreting activity on multiple systems (firewalls, application servers, database servers, etc). Log correlation is great for reporting.
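The two points above, that correlation follows one chain of events across systems and that it only works when the clocks agree, can be shown together. This is an added example, not code from the presentation: it builds one timeline from constructed firewall, application server and database server log lines, follows a source address through them by session id, and shows that with the database clock five minutes fast the query appears after the connection was closed, while subtracting the measured offset restores the real order. The line format, the session/src fields and the offset table are assumptions of the example.

```python
from datetime import datetime, timedelta

# Constructed sample log lines from three systems: "<host> <ISO timestamp> <message>".
LOG_LINES = [
    "fw1 2000-05-14T10:00:05 ACCEPT tcp 198.51.100.7:40211 -> 192.0.2.20:443",
    "app1 2000-05-14T10:00:06 session=abc123 src=198.51.100.7 GET /orders",
    "db1 2000-05-14T10:05:07 session=abc123 SELECT orders WHERE cust=42",
    "app1 2000-05-14T10:00:08 session=abc123 response 200",
    "fw1 2000-05-14T10:00:09 CLOSE tcp 198.51.100.7:40211 -> 192.0.2.20:443",
]

# Constructed measured clock error per host against the reference clock: db1 runs 5 minutes fast.
CLOCK_OFFSETS = {"fw1": timedelta(0), "app1": timedelta(0), "db1": timedelta(minutes=5)}


def parse(line):
    host, ts, msg = line.split(" ", 2)
    return host, datetime.fromisoformat(ts), msg


def field(msg, key):
    """Return the value of a key=value token in the message, or None if absent."""
    for token in msg.split():
        if token.startswith(key + "="):
            return token[len(key) + 1:]
    return None


def correlate(lines, src, offsets=None):
    """Follow one source address from the firewall through the app server to the database.
    Events are placed on a single timeline; when offsets are given, each host's measured
    clock error is subtracted first so the timeline reflects the real order of events."""
    events = [parse(line) for line in lines]
    # Sessions that the application layer tied to this source address.
    sessions = {s for s in (field(m, "session") for _, _, m in events if field(m, "src") == src) if s}
    chain = []
    for host, ts, msg in events:
        if src in msg or field(msg, "session") in sessions:
            if offsets is not None:
                ts -= offsets.get(host, timedelta(0))
            chain.append((ts, host, msg))
    chain.sort(key=lambda event: event[0])
    return chain


def chain_is_consistent(chain):
    """A chain only makes sense if nothing happens after the firewall closed the connection."""
    close_times = [ts for ts, host, msg in chain if host == "fw1" and msg.startswith("CLOSE")]
    return all(ts <= max(close_times) for ts, _, _ in chain) if close_times else True


if __name__ == "__main__":
    for label, offsets in (("raw clocks", None), ("offsets removed", CLOCK_OFFSETS)):
        chain = correlate(LOG_LINES, "198.51.100.7", offsets)
        print(label, "consistent" if chain_is_consistent(chain) else "INCONSISTENT")
        for ts, host, msg in chain:
            print(f"  {ts.isoformat()} {host:<5} {msg}")
```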
THE MARKS OF GOOD DESIGN Define Reaction or Response Mechanisms: Systems designed to take predetermined automated actions in reply to a sequence of events or act on the recognition of the events by sending information so the events can be acted upon manually. Reaction or Response Mechanisms rarely exist independent of reduction and correlation systems. Reaction or Response Mechanisms are typically built into Intrusion Detection or Prevention Systems. (depending on how and how fast the system can react)
THE MARKS OF GOOD DESIGN Define Encryption Mechanisms: Systems designed to systematically transform data into an unreadable format and recover it with the key. Encryption is commonly used to protect information as it travels over a network or as it is stored on a file server. Encryption systems are able to guarantee the integrity of data and also that it is accessible only by authorized parties with the key. DANGER-- don’t lose the key or the information will be unrecoverable!
THE MARKS OF GOOD DESIGN Define Strong (two-factor) Authentication: An identification and verification system able to provide a highly secure way of guaranteeing that whatever passed the verification is REALLY who or what they are representing themselves as. The algorithms vary, but they all consist of something the requester has and something the requester knows. Encryption keys are commonly used as well as user ID’s and passwords.
THE MARKS OF GOOD DESIGN Describe a Complete and Accurate Auditing Mechanism: Systems that precisely record events with full detail of the inputs to the event and the output of the event. Complete and Accurate Auditing Mechanisms should list the credential held, the credential required if it is different, if the transaction was successful or it failed, and perform the task equally for everyone. Complete auditing systems need report capabilities.
THE MARKS OF GOOD DESIGN Describe Finite Tunable Security Controls: Systems that implement a very high degree of granularity to their internal protection and authorization systems. Finite Tunable Security Controls will provide the means for administrators to specify EXACTLY what they want something to be allowed to do-- no more and no less. They are mission critical to systems being implemented with least privilege.
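The definitions of least privilege, complete and accurate auditing, and finite tunable controls above fit together in one small authorization layer. This is an added example, not code from the presentation: roles carry fine-grained "resource:operation" permissions, a helper picks the role set carrying the fewest permissions that still covers a task (the PROVEN-required minimum), and every decision, grant or denial, is recorded with the credential held, the permission required, and the outcome. The role names, permission strings and record layout are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from itertools import combinations

# Constructed fine-grained permission model ("resource:operation" strings); each role carries
# only the operations it has been shown to need.
ROLE_PERMISSIONS = {
    "order_clerk": {"orders:read", "orders:create"},
    "order_auditor": {"orders:read", "audit:read"},
    "order_admin": {"orders:read", "orders:create", "orders:cancel", "orders:export"},
}


@dataclass(frozen=True)
class AuditRecord:
    when: str                 # UTC timestamp of the decision
    user: str
    operation: str            # the permission the request required
    target: str
    credentials_held: tuple   # roles the caller presented
    permissions_held: tuple   # what those roles actually carried
    granted: bool


def least_privileged_roles(required):
    """Smallest role set (by total permissions carried) that still covers every required operation;
    None when no combination of roles covers the task."""
    best = None
    for n in range(1, len(ROLE_PERMISSIONS) + 1):
        for combo in combinations(sorted(ROLE_PERMISSIONS), n):
            carried = set().union(*(ROLE_PERMISSIONS[r] for r in combo))
            if set(required) <= carried and (best is None or len(carried) < len(best[1])):
                best = (combo, carried)
    return best[0] if best else None


def authorize(user, roles, operation, target, audit_log, now=None):
    """Allow the operation only if a held role carries it, and log the decision in full detail
    for grants and denials alike (the same record for everyone)."""
    held = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
    granted = operation in held
    when = (now or datetime.now(timezone.utc)).isoformat()
    audit_log.append(AuditRecord(when, user, operation, target, tuple(roles), tuple(sorted(held)), granted))
    return granted


if __name__ == "__main__":
    log = []
    authorize("alice", ["order_clerk"], "orders:cancel", "order/1042", log)   # denied, still logged
    authorize("bob", ["order_admin"], "orders:cancel", "order/1042", log)     # granted
    print(least_privileged_roles(["orders:read", "orders:create"]))          # ('order_clerk',)
    for record in log:
        print(record)
```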
THE MARKS OF GOOD DESIGN When I introduced the “marks of good design” I talked about REASONABLY SECURE systems. Which came first-- the system, the threat, or the method to protect? Let’s go back to the origin of the problem with the age old chicken/egg analogy.
Which came first: the chicken or the egg? If the chicken is a defenseless network and the egg is the means to protect, then what happens if there weren’t any chickens? There wouldn’t be any problems in the first place! We wouldn’t develop the means to protect. We wouldn’t have anything to protect. There wouldn’t be anything to protect against!
Analogies Aside . . . . The majority of the vulnerable systems out there are vulnerable because they are not addressing one area WHAT AREA WASN’T ADDRESSED? HINT: It’s not development. It is not QA.
Analogies Aside . . . . The majority of the vulnerable systems out there are vulnerable because they are not addressing one area WHAT AREA WASN’T ADDRESSED? In the DESIGN STAGE, developers and systems personnel had the opportunity to build controls, reaction mechanisms, audit mechanisms, and protection means into the application. Why didn’t they?
Security Improvements Through Superior Implementation In the implementation stage, administrators have the opportunity to improve security by using proven implementation methods. Through product selection and component architecture they can enhance security with: additional mechanisms for audit trails, anomaly detection, anomaly reaction, and low-level controls; hardened installations. Why didn’t they?
THE LONG-TERM SOLUTION Design and implementation mistakes both occur when unsound business processes “go live” and start guiding projects to achieve their desired goals. Process owners must realize and address the undesirable consequences of their “cost control measures” or “rapid development efforts”. What needs to be fixed first? The design process, or the implementation process, or the business process?
HOW MANY OF YOU HAVE TAKEN HISTORY ? SHOW OF HANDS: How many of you have taken history? Look around the room. What is the core thing historians preach OVER and OVER again? Why does history repeat itself? Because we don’t learn from our mistakes and take the necessary steps to correct the associated cause and resulting problems!
WAIT, I THOUGHT PRODUCT X WAS SUCH A GREAT APPLICATION! What happens if a GREAT application was developed several years ago but was improperly implemented? What about if the product has not been changed to keep current with today’s technology? VULNERABILITIES HAPPEN!
WHY DO VULNERABLE SYSTEMS KEEP TURNING UP? Sites all over the world are being turned into examples daily. Why not improve security by embracing the marks of good design? Long-term changes are necessary to close common vulnerabilities. When business processes design applications without addressing the means to properly protect the organization against exposure, the resulting implemented systems clearly violate widely known best practices.
BUSINESS DECISIONS ARE ASSOCIATED WITH VULNERABILITY? Real world examples: clustering software using password authentication; code to change passwords through the web. Clearly, the products do not have the marks of good design. Someone made the feature, and nobody with enough pull to be heard had the good sense to have the features improved or removed. The vulnerabilities were not a huge surprise to me or any other professional I have talked to.
VULNERABILITIES THAT ARE NOT A SECURITY PROBLEM ? ? If a business decision caused a vulnerability, the root of the vulnerability is a BUSINESS PROBLEM! Many security professionals have observed a trend where business owners categorize security holes as a “security problem”. This incorrect assumption results in no change to business process. Vulnerabilities continue to be introduced until the BUSINESS OWNER takes responsibility for the failure points in their process.
HOW DO COMPANIES FIX BUSINESS PROBLEMS? They take responsibility for the problem they are trying to address, change their business HABITS, and revisit everything that occurred while they were off-track. I don’t think I need to mention any tire companies or recent recalls to drive this point home, but it can’t hurt.
THE CYCLE OF CRIME A criminal will continue their cycle of crime and punishment until they recognize that the laws are not going to change and they look to themselves to stop the change. If a criminal keeps ending up in jail, society does not generally blame the law, society blames the criminal. It is not a new concept or idea, but applying this logic to business may be new to some.
DON’T FOLLOW THE LAWS OF BEST PRACTICE AND BE PUNISHED Businesses cannot afford to continue accepting functional but architecturally inferior software. Businesses can’t afford to continue accepting the status quo and operating on inferior systems. Solid software and systems architectures can be properly designed ONCE, based on best practices, and built into customizable modular systems. Where would the graphical user interface as we know it be if companies had not made development libraries that could be leveraged?
DON’T FOLLOW THE LAWS OF BEST PRACTICE AND BE PUNISHED REASONABLY SECURE is a very important thing. Test security for failure points that will fail open or fail closed. Identify which is the higher risk and take measures to avoid it. In a system where timely storage and retrieval of data is mission critical, controls that are not extremely reliable are a risk in themselves. Governments have fallen because they were TOO secure. They were not able to get weapons out of their extremely secure armaments after the two people who knew the unlock codes were killed.
STEP UP TO THE PLATE Many security vendors have led by example. THEIR software incorporates strong authentication mechanisms, advanced logging mechanisms, and high quality encryption. Some of them have implemented separation of duties, least privilege, and time synchronization. None of the architectures I have observed are ideal, but application designers and developers from other sectors have a great opportunity to learn by example.
WHERE TO START Since it is a business problem, business process is the logical choice. In order to do that, the business leaders will have to dive in and define their company’s requirements. They will need to define the rules for new systems. The next logical step is to build a computer security and information assurance program with a team of security analysts and auditors. Seek their help in writing policies that take a phased approach, so existing systems may gradually come into compliance with the requirements or be selectively phased out.