Document: Security Essentials Day 2 Threat and the Need for Defense in Depth (docx)


Security Essentials Day 2
Threat and the Need for Defense in Depth
Information Assurance Foundations - SANS ©2001

Welcome. As we begin day 2, or the second major set of courses in Security Essentials, the focus will be on defense in depth. This is a term that was coined by the Department of Defense and is a crucially important concept in information assurance. The topics that we are going to cover are shown below.

• Security Fundamentals
  – Confidentiality, Integrity, Availability
  – Threat and risk
• Security Policy
  – What it is and what it is not
  – How to implement an effective policy
• Passwords
  – Overview of passwords
  – LC3 Crack
• Incident Handling
  – step guide
• Information Warfare
  – Defensive strategies
  – Offensive strategies
• Web security
  – Web security vulnerabilities
  – Web security defenses

These are all components of a defense in depth risk management framework, as we will explain in our next slide titled, “Defense in Depth.”

Defense in Depth

We have covered: perimeter defense, vulnerability scanning, host and network intrusion detection, honeypots/honeynets and risk assessment; is there more? Now, we add security policy, password strength and assessment, incident handling, information warfare and web security.

Defense in Depth - SANS ©2001

Are we there yet? Sorry, not yet. The slide shows that while we have covered a lot of important topics, we still have a ways to go!

The concept behind defense in depth is conceptually simple. The picture we have painted so far is that a good security architecture, one that can withstand the threat, has many aspects and dimensions. We need to be certain that if one countermeasure fails, there are more behind it. If they all fail, we need to be ready to detect that something has occurred and clean up the mess expeditiously and completely, and then tune our defenses to keep it from happening to us again.

One of the most effective attacks that penetrates standard perimeters is malicious code. These are things like viruses and Trojan software. They come in as attachments to email messages and on those floppies we bring in from home (even though we aren’t supposed to), and the CD-ROMs we bring home from DEFCON. These can do a lot of damage. Most people have heard of BackOrifice and NetBus, but there are a score of other Trojans. The best defense is keeping your anti-virus software up-to-date, and scanning at the firewall, server, and desktop level. It isn’t particularly expensive or hard, but it takes discipline.

I find systems all the time that don’t even record when successful and unsuccessful logons and logoffs occur. That's just basic, sensible auditing and they don't turn it on. If there is ever a problem, how will we run it to ground?

You may or may not be in a position where you can affect whether these things are done at your organizational level, but you can often take the responsibility for your office, shop, division, or desktop. There are even personal firewall software products – like TCP Wrappers, BlackICE Defender, Zone Alarm, Norton Internet Security, McAfee Personal Firewall – these range from free to commercial software, and they provide perimeter protection at the host level. I use a personal firewall on my home systems when I connect to my ISP so that I can stop the simple attacks that many of my friends have experienced. The threat is targeting each of us. What role and responsibility are you willing to accept for defense in depth?

Defense In Depth (2)

[Diagram: rings labeled Network, Host, Application, Info]

This diagram shows another way to think of the Defense In Depth concept. At the center of the diagram is your information. However, the center can be anything you value, or the answer to the question, “What are you trying to protect?” Around that center you build successive layers of protection. In the diagram, the protection layers are shown as blue rings. In this example, your information is protected by your application. The application is protected by the security of the host it resides on, and so on. In order to successfully get your information, an attacker would have to penetrate through your network, your host, your application, and finally your information protection layers.

Using a Defense in Depth strategy does not make it impossible to get to your core resources – the resource at the center of the diagram. For example, your defense layers might be trivial or easy to compromise. However, a well-thought-out Defense in Depth strategy, utilizing the strongest protections feasibly possible at each layer, presents a formidable defense against would-be attackers.

Next, we are going to take you on a tour of three famous attacks to see what lessons we can learn from them. Along the way, we are going to discuss the three key dimensions of protection and attack. Most of you are already familiar with them. They are: confidentiality, integrity, and availability. Throughout the Security Essentials program, you will be deploying countermeasures to protect confidentiality, integrity, and availability; and you may experience attacks against these dimensions. We can think of these as the “primary colors” of information assurance. By mixing and matching these (and we mix and match, because they are interrelated), we are able to develop either a very strong attack, or develop a strong defense. On our next slide, titled, “Agenda,” let’s take a look at the material we are about to explore.

Agenda

• Principles of attack and defense
• Risk and threats
• Three famous attacks
• Introduction to vulnerabilities
• Basic countermeasures
• Summary

This slide shows the main topics we are going to cover. We will discuss the threats that are arrayed against our computer systems. To focus that discussion, we will be concerned with some of the more famous attacks that have occurred. Now, information assurance can get really complex, but these kinds of problems decompose nicely. As we work our way through the material, we are going to be pointing out aspects of confidentiality, integrity, and availability, in both the attacks and also the defenses we discuss.

So if you are new to security, or if you just want a quick review, the way I think about these things is – a credit card. Have you ever had a credit card not be accepted? Three different times in a row, when I was buying tires at a local store in my town, my credit card did not clear. All three times, the bank said their computers were down. Well, that is an availability attack. Well, it certainly felt like an attack to me!
I live in a small town and a lot of people know me – and so to have my card rejected was very embarrassing.

Confidentiality makes sure that no one but you knows your credit card number. An example of a confidentiality defense is the way that “padlock” on the bottom of your Internet browser closes (for Netscape) or appears (with Internet Explorer) when you are executing a secure transaction; the bit stream is encrypted to foil casual eavesdroppers.

An example of an integrity attack would be telling someone they lie so much, their own mother doesn’t believe them! (Ha, well, maybe that’s not exactly right.) It might be spoofing by using someone else’s credit card, or modifying the balance of someone else’s account. We will continue to explore these fundamental principles on our next slide titled, “Three Bedrock Principles.”

Three Bedrock Principles

• Confidentiality
• Integrity
• Availability

Keep in mind that the keys we have been discussing are interrelated. So, an attacker may exploit an unintended function on a web server and use the cgi-bin program “phf” to list the password file. Now, this would breach the confidentiality of this sensitive information (the password file). Then, on the privacy of his own computer system, the attacker can use brute force or dictionary-driven password attacks to decrypt the passwords. Then, with a stolen password, the attacker can execute an integrity attack when they gain entrance to the system. And they can even use an availability attack as part of their overall effort to neutralize alarms and defensive systems, so these can’t report the attacker’s existence. When this is completed, the attacker can fully access the target system, and all three dimensions (confidentiality, integrity and availability) are in jeopardy.

Now, I chose a very simple, well-known attack for a reason. A large number (in fact, an embarrassingly large number) of corporate, government, and educational systems that are compromised and exploited are defeated by these well-known, well-published attacks.

Now, not all the bad things that happen to computer systems are attacks per se. There are fires, water damage, mechanical breakdowns, and plain old user error. But all of these are called threats. We use threat models to describe a given threat and the harm it could do if the system has a vulnerability, as we will see on our next slide titled, “Threats.”

Threats

• Activity that represents possible danger
• Can come in different forms & from different sources
• You can’t protect against all threats
• Protect against the ones that are most likely or most worrisome based on:
  – Business goals
  – Validated data
  – Industry best practice

In security discussions you will hear a lot about threats. Threats, in an information security sense, are any activity that represents possible danger to your information. Danger can be thought of as anything that would negatively affect the confidentiality, integrity, or availability of your systems or services. Thus, if risk is the potential for loss or harm, threats can be thought of as the agents of risk.

Threats can come in many different forms and from many different sources. There are physical threats, like fires, floods, terrorist activities, and random acts of violence. And there are electronic threats like hackers, vandals, and viruses. Your particular set of threats will depend heavily on your situation – what business you are in, who your partners and enemies are, how valuable your information is, how it is stored, maintained and secured, who has access to it, and a host of other factors.

The point is there are too many variables to ever possibly protect against all the possible threats to your information. To do so would cost too much money, take too much time, and too much effort. So, you will need to pick and choose what threats you will protect against. You will start by identifying those threats that are most likely to occur or most worrisome to your organization. The way to do this is by identifying three primary areas of threat.

The first is based on your business goals. If your business is heavily dependent on a patented formula, you would consider theft of that formula to be a likely threat. If your business is the movement of fund transfers over a network, you would consider attacks on that network link to be a likely threat. These are two examples of business-based threats.

The second type of threats are those based on validated data. If your web site is repeatedly hacked through your firewall, you would consider Internet hackers to be a major threat. If your main competitor always manages to find out key confidential information about your business plans, you would start considering corporate espionage a threat. These are examples of threats identified because of validated instances of damage based on those threats. In some ways these may be the most serious, because they have already happened and are likely to happen again in the future.

The final type of threats are those that are widely known in the security industry. To protect against them is just good common sense. That is why we put badge readers and guards in buildings, why we use passwords on our computer systems, and why we keep secret information locked in a safe. We may not have had attacks against any of these, but it is commonly understood to be foolish not to do so.

Vulnerabilities

• Weaknesses that allow threats to happen
• Must be coupled with a threat to have an impact
• Can be prevented (if you know about them)

The third element of the risk spectrum is the notion of Vulnerabilities. (Remember that the first two elements are risk and threats.)
In security terms, a vulnerability is a weakness in your systems or processes that allows a threat to occur. However, simply having a vulnerability by itself is not a bad thing. It is only when the vulnerability is coupled with a threat that the danger starts to set in.

Let’s look at an example. Suppose you like to leave the doors and windows to your house unlocked at night. If you live in the middle of the woods, far away from anyone else, this may not be a bad thing. There really aren’t many people that wander around and, if you’re high enough on the hill, you’ll be able to see them coming long before they present a danger. So, in this case, the vulnerability of having no locks is there, but there really isn’t any threat to take advantage of that vulnerability.

Now suppose you move to a big city full of crime. In fact, this city has the highest burglary rate of any city in the country. If you continue your practice of leaving the doors and windows unlocked, you have exactly the same vulnerability as you had before. However, in the city the threat is that much higher. Thus, your overall danger and risk is much greater.

Vulnerabilities can be reduced or even prevented, provided, of course, that you know about them. The problem is that many vulnerabilities lie hidden, undiscovered until somebody finds out about them. Unfortunately, the “somebody” is usually a bad guy. The bad guys always seem to find out about vulnerabilities long before the good guys.

Relating Risk, Threat and Vulnerability

Risk = Threat x Vulnerability

OK, we’ve spent the last few slides talking about risks, threats, and vulnerabilities. The three concepts are extremely interrelated. Their relationship can be found in this simple formula:

Risk = Threat x Vulnerability

This formula shows that risk is directly related to the level of threat and vulnerability you, your systems, or your networks face. Here’s how the formula works:

If you have a very high threat, but a very low vulnerability to that threat, your resulting risk will be very low. In the example we used before, if you live in a high crime neighborhood (thus, high threat) but you keep your doors and windows locked (so you have a low vulnerability), your overall risk is very low.

If you have a high vulnerability to a threat (by keeping your doors and windows unlocked), but the threat itself is minor (by living in the woods), once again you have a very low risk factor.

If, however, you have a high level of threat potential (a high crime area) and your vulnerability to that threat is very high (no locks), you have a high risk factor.

Of course, this formula is nice, but keep in mind that, as we stated way up front, there are no absolutes in security. Thus it is usually impossible to assign numeric values to areas like threats and vulnerabilities, so this formula should be used as an aid to guide your thinking rather than an absolute mathematical calculation. When you begin to get into discussions and arguments about risks, threats, and vulnerabilities (and yes, you will get into arguments about this stuff) you can refer back to this basic formula to help guide you in your decision making process.

The Threat Model

• Threat
• Vulnerability
• Compromise

Vulnerabilities are the gateways by which threats are manifested

On the bottom of your slide, it says that “vulnerabilities are the gateways by which threats are manifested”. So, for a threat model to have any meaning at all, there has to be a threat. Are there people with the capability and inclination to attack - and quite possibly harm - your computer systems and networks? What is the probability of that happening?
The probability is high that any non-private address will be targeted several times a year. The most common countermeasure for most organizations is to deploy firewalls or other perimeter devices. These work quite well to reduce the volume of attacks that originate from the Internet, but they don’t protect systems from insiders, or attacks like macro viruses which are able to pass through firewalls about 99% of the time.

So there is a threat, and there are certainly vulnerabilities, and when a threat is able to connect to its specific vulnerability, the result can easily be system compromise. Again, the most common tactic is to protect systems with perimeter devices such as firewalls. It’s cost-effective, it’s practical, and it’s highly recommended. Even the most open universities or other research environments that require themselves to be very open should be able to do some perimeter defense, even if they can only do it at the department or building level, or even if they can only do it at the host level.

In the past few slides, we have been discussing theory that provides a framework to understand and use tools like the ones we discussed in risk management – the big picture. Now we want to move away from theory a bit into some historical applications of confidentiality, integrity, and availability. Our next slide is titled, “Four Lessons From History.”

Four Lessons From History

• Morris worm – Availability - 1988
• Melissa – Availability - 1999
• W32.SirCam worm – Confidentiality - 2001
• Code Red II – Integrity - 2001

Hopefully, we can learn enough from history to help prevent us from having to repeat it. The attacks we are going to discuss, perhaps the three most famous information security defense failures, are: the Morris worm, SirCam, and Code Red variant II. These span from 1998 to 2001. We don’t have time in this course to explore each of these in great detail, but you should be familiar with each of these as a security professional. As homework, please try an internet search for these attacks and read a bit more.

There are information security lessons that we ought to be able to learn from these well-known attacks. In each case, there was a computer system vulnerability, and it was exploited. In each of the cases, there was an absence of defense in depth. In fact, in the case of most systems affected by the Morris worm, and the Code Red attack, the exploit did not have to penetrate any defensive perimeters. So, that’s “defense in shallow!”

As we go through each of the attacks, try to look out for the three primary security dimensions: confidentiality, integrity, and availability. Consider how the defenses for each failed, or did not exist in the first place. The vulnerability is listed in every case; so please note how the threat was able to exploit the vulnerability to compromise or affect the target system(s).

Search For Unprotected Shares Before SirCam Finds Them

DumpSec actually does a lot more than just find shares

Unprotected shares are much-sought-after treasures for attackers. Depending on which share is unprotected, it could lead to a full compromise of the system. However, this tool can do a lot more. Let’s take a quick tour.

DumpSec Features

• Dumps user, group, and replication information
• Dumps file system, registry, printers and shares permission and audit settings
• Dumps password policies
• Lists installed and running services

Like SCAT, DumpSec provides a host of information grouped in an easy to find manner. DumpSec is a great aid to auditors. But, what makes it attractive to attackers is that it can be used in conjunction with the null session vulnerability that violates the confidentiality of the system.

Null Session

net use \\172.20.244.164\IPC$ "" /USER:""

The null session exploit is an attack against confidentiality. In essence, it’s just “finger” on steroids. The attacker “logs in” to the Windows NT or Windows 2000 system using the “net use” command listed on your slide. After logging in, it is possible to gather a great deal of information from the Windows registry. Though this could be done by hand, it would be very tedious, so there are tools to make this a reasonable task.

The tool shown in the screen shot is DumpSec by SomarSoft. It was available for free from www.systemtools.com, but they seem to have disappeared, which is a tragedy. They were wonderful folks and were among the first folks to develop security information and tools for NT. However, the software is still out on the Internet if you look for it with an internet search. DumpSec is available from either www.somarsoft.com or www.systemtools.com. [Editor's Note: the web site www.systemtools.com is again functioning. CMW]

The screenshot shown on the slide was from before I entered the “null session”. Afterwards, I would be able to enumerate boatloads of information about users, if that system was vulnerable to a null session attack. Enumerate is a popular term in the industry to describe what we used to call “depth first, breadth second” searches. So what? Why do you care?
Well, if you find a PDC or BDC (Primary Domain Controller or Backup Domain Controller) you can use null sessioning to get a long list of user names, including all the members of the Administrator group. Then you could try consecutive ‘net uses’, trying different passwords. I am not really big on passwords, since they can be sniffed, or attacked by brute force, but they have their place. There are a lot of weak passwords out there and every little bit helps. So, the longer we delay an attacker while they try dictionary attacks on our passwords, the more likely we are to catch them in the act.

Gather User Information

After executing the null session command we just showed you, DumpSec provides broad access to information about the valid users of a system. This information can be put to a myriad of uses. The last logon time can indicate if an account is active. This can help the attacker to determine its suitability for brute force attacks. If you were so silly as to not require users to have passwords, this would be painfully obvious to an attacker. RAS information can also indicate other systems that may not be as well-secured that could be used as a backdoor entry point to the main server.

Keep in mind that on Day 1, we showed how to eliminate or control anonymous access to a Windows 2000 system using administrative tools and configuring the security policy to control this.

Review Password Policies

The tool from www.cisecurity.org for Windows 2000 will also check password policy, but not to this extent

Account and audit policies let the attacker know what they can get away with. If no lockout policy exists, the attacker knows they’re free to launch an aggressive brute force crack attempt. If no auditing is done on logons, the attacker knows they can operate freely at any hour because their logons will not be recorded.

Determine Running Services

Knowing what services are running on a system helps the attacker focus their attack. Careful review may indicate that a service with known vulnerabilities, such as the Indexing Services exploited by the Code Red variants, is running. For an auditor this is an important starting point in hardening a system. By disabling unneeded services, the likelihood of such a vulnerable service running is reduced. If system administrators had applied this methodology, the magnitude of the effects of Code Red would have been substantially reduced.

SirCam – Defense in Depth

• Threat
  – User awareness training
  – Filtering of traffic
• DiD
  – Filtering at the local system
  – Understanding traffic flow
  – Encryption at rest
  – Early detection and reaction

SirCam took advantage of the fact that most people had the false impression that email is trusted. Instead of questioning why they were getting a certain email or even blocking the attachments, most users opened the attachment and infected their system.

Code Red II

• Integrity attack, left system defenseless
• Discovered July 2001
• Vulnerable IIS servers, many users were not aware they were running
• 100,000 plus compromises

The Code Red worm uses the same mechanism as the original Code Red worm to infect vulnerable computers. That is, the worm looks for systems running IIS that have not patched the unchecked buffer vulnerability in idq.dll or removed the ISAPI script mappings. The worm exploits the vulnerability to inject itself. Note that IIS is often installed by other applications and may be installed without the user's knowledge. Next, we will take a look at the infection rate.

The rate of infection was far faster than any previous attack. This graph, based on www.incidents.org data, shows the scan rate. This means that if there was an Internet facing vulnerable system on August or 2, it almost had to be infected. Next, we will consider the state the system was placed in with respect to system integrity.

Viewing Infected System’s C Drive

Code Red II is more dangerous than the original Code Red, because it opens backdoors on infected servers that allow any follow-on remote attacker to execute arbitrary commands. A number of files are placed on a victim system, but this file, root.exe, is the backdoor. Note that it is being accessed by a standard web browser.

The Integrity Problem

• A number of files including backdoors are added to the system
• The system typically sits exposed for days before being patched
• Can we actually expect > 100,000 systems will be reformatted and reloaded?

Vulnerable systems have been harvested since CR II

The only thing to do to be truly safe is to reformat the hard drive and reinstall all the software (including all relevant security patches and service packs). It is possible to remove the files and registry settings left by the worm, but it is not possible to know what an attacker who took advantage of the backdoor might have done.

Also see the note above: Even if you do not find signs of infection, but your server has been left unpatched while this worm was circulating, you should reformat and reinstall. An attacker could have used the worm's backdoors to make malicious changes to your system and then cleaned up after the worm. There is really no way to tell.

That said, if you absolutely cannot rebuild the system and must by necessity go the route of just removing the worm from an infected system, several vendors have released tools to help you remove the worm and its associated backdoors.

Most of the information about Code Red is based on the analysis of Vicki Irwin from the Incidents.Org team.

Code Red – Defense in Depth

• Threat
  – No perimeter defense
  – Default installation of an OS
  – Unpatched systems
  – One application automatically installing another
• DiD
  – Separation of services
  – Apply patches
  – Understand product and system content

Code Red shows what happens when you run unprotected software or are not aware of what software is running on your system.

What Worms Teach Us About Configuration Management

• Risk assumed by one is shared by all
• With SirCam and Code Red, one poorly configured system could spread the attack to others by email or other vectors
• Assess and baseline your network
• Personal building permits

The primary attacker strategy is to scan, looking for a vulnerable system, and then establish a beachhead or foothold by compromising that system. Then the vulnerable host that got compromised can be used to attack other systems, either in the same facility or in other organizations. This is one reason for the statement that “risk assumed by one is shared by all”.

In the early stages of protecting a site, a perimeter defense such as a firewall is about the only reasonable thing you can do. While chokepoint defenses such as firewalls can yield some protection to internal systems, they can be circumvented in a number of ways, so the organization turns its focus to identifying and fixing vulnerabilities – what we call “hardening” systems. It takes a lot of energy to get to a known, reasonable configuration. How do you maintain that state?

Configuration management is the discipline of establishing a known baseline condition, and then managing that condition. Now, of course change is inevitable, and change is generally thought of in two major categories: repairs and improvements. (I am personally quite perplexed why fixing something that is broken isn’t an improvement, but that’s another story.)
While vulnerabilities may occur while fixing something, they are far, far more likely to occur when deploying something new. We can label adding software, upgrades, new features, new systems, all of these things as “new construction”. Before you can do new construction you need a building permit, and part of the building permit process is a design review and an inspection. The building permit process gives the organization an opportunity to ensure that the new construction introduces no new vulnerabilities into an organization. Of course, it’s not foolproof, but it sure is better than not doing anything at all. And it has a lot of benefits! Perhaps the most significant is that the earlier in the development life cycle you identify a problem, the cheaper it is to fix it.

All improvement starts with one person willing to exert the energy needed to make a difference. If your organization doesn’t have configuration management, and doesn’t plan to ever implement configuration management, you can still implement configuration management on the things that you are responsible for. You can add to your personal IA policy that before you build new construction, you are going to develop a test for it and make sure you have thought through how to back out the change if it doesn’t work.

For configuration to be truly successful, we need instrumentation such as system scanners, network mapping, and vulnerability scanners to detect unauthorized change. Only a facility with an accurate baseline is likely to practice anomaly detection, to find attacks for which there are no known signatures.

Defense in Depth Summary

Now that we have seen the types of attacks or almost all information warfare class attacks, let’s learn how to use security policy, password strength and assessment, incident handling and improved web security to protect our networks

As we move forward in our course, let’s keep these large scale attacks in mind. Every tool, technology, or concept that we are going to talk about can be employed in building a defense in depth architecture.

Course Revision History

v1.1 Oct 24, 1999 S Northcutt
v1.2 Jun 19, 2000
v1.3 edited by J Kolde, reconciled with audio 6/28/00
v1.4 – edited by J Kolde, adjusted grayscale for b/w printing – 22 Nov 2000
v1.41 – editor’s note on slide 7, F Kerby - 13 January 2001
v1.5 – update S Northcutt, new audio
v1.6 - updated by Eric Cole, new slides and flow control
v1.7 – edited and audio recorded by Carla Wendt, 11 May 2001
v1.7a – modified title page – J Kolde – June 2001
v1.8 – edited by J Kolde, minor edits – July 2001
v1.9 – edited and added exercises by E Cole – 10 Aug 2001
v1.10 – updated E Cole – Nov 2001
v1.11 – edited and audio recorded by C Wendt – Jan 2002
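
The account and audit policy review described under “Review Password Policies”, done from the defender's side, as an added example that is not part of the course material. It assumes the text output of `net accounts` and, on current Windows versions, of `auditpol /get /category:"Logon/Logoff"`; the sample outputs and the finding codes are constructed.

```python
import re

# Constructed sample outputs, not captured from a real host.
NET_ACCOUNTS_WEAK = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
The command completed successfully.
"""

AUDITPOL_WEAK = """\
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   No Auditing
  Logoff                                  No Auditing
  Account Lockout                         Success
"""


def parse_net_accounts(text):
    """Map each 'Name:   value' line of `net accounts` to name -> value."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s+(\S.*?)\s*$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def parse_auditpol(text):
    """Map indented 'Subcategory   Setting' lines to subcategory -> setting."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(\S.*?)\s{2,}(\S.*?)\s*$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def review_policy(accounts_text, auditpol_text):
    """Return (code, reason) findings; a missing setting counts as weak."""
    acct = parse_net_accounts(accounts_text)
    audit = parse_auditpol(auditpol_text)
    findings = []

    # "Never" (or anything non-numeric) means accounts are never locked out.
    if not acct.get("lockout threshold", "never").isdigit():
        findings.append(("no-lockout",
                         "password guessing is never slowed by a lockout"))

    min_len = acct.get("minimum password length", "0")
    if not min_len.isdigit() or int(min_len) == 0:
        findings.append(("blank-passwords",
                         "accounts may exist with no password at all"))

    logon = audit.get("logon", "no auditing").lower()
    if "failure" not in logon:
        findings.append(("failed-logons-unaudited",
                         "guessing attempts leave no record"))
    if "success" not in logon:
        findings.append(("successful-logons-unaudited",
                         "use of a guessed password leaves no record"))
    return findings


if __name__ == "__main__":
    for code, reason in review_policy(NET_ACCOUNTS_WEAK, AUDITPOL_WEAK):
        print(f"{code}: {reason}")
```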
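
One way to check IIS logs for use of the root.exe backdoor described under “Viewing Infected System’s C Drive” and “The Integrity Problem” (added example, not part of the course material). The log lines, addresses and directory paths are constructed; only the file name root.exe comes from the notes.

```python
from collections import defaultdict

BACKDOOR_NAME = "root.exe"  # file name given in the course notes

# Constructed IIS W3C extended log: documentation-range addresses and
# illustrative paths, not taken from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-08-05 02:11:40 192.0.2.10 GET /default.htm 200
2001-08-05 02:14:03 198.51.100.7 GET /scripts/root.exe 200
2001-08-05 02:14:09 198.51.100.7 GET /scripts/ROOT.EXE 200
2001-08-05 03:30:21 203.0.113.44 GET /msadc/root.exe 404
2001-08-05 03:31:00 192.0.2.10 GET /docs/root.exe.txt 200
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names on the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def backdoor_hits(text):
    """Count requests for the backdoor file per client address.

    'served' (2xx) means the file exists and answered the request;
    'refused' (anything else) is a probe that found nothing at that path.
    """
    hits = defaultdict(lambda: {"served": 0, "refused": 0})
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        # Compare the last path component only, so names that merely
        # contain "root.exe" (such as root.exe.txt) are not counted.
        if stem.rsplit("/", 1)[-1] != BACKDOOR_NAME:
            continue
        kind = "served" if rec.get("sc-status", "").startswith("2") else "refused"
        hits[rec["c-ip"]][kind] += 1
    return dict(hits)


def backdoor_was_used(hits):
    """True if any request for the backdoor was answered successfully.

    False is not a clean bill of health: per the notes, a server left
    unpatched while the worm circulated should be rebuilt regardless.
    """
    return any(h["served"] for h in hits.values())


if __name__ == "__main__":
    found = backdoor_hits(SAMPLE_LOG)
    for ip, counts in sorted(found.items()):
        print(ip, counts)
    print("backdoor used:", backdoor_was_used(found))
```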
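
The baseline and “building permit” idea from “What Worms Teach Us About Configuration Management”, applied to the running-services review from “Determine Running Services” (added example, not part of the course material). It assumes `net start` output as input; the service list, the baseline and the permit format are constructed.

```python
# Constructed `net start` output, not captured from a real host.
NET_START = """\
These Windows 2000 services are started:

   Event Log
   FTP Publishing Service
   IIS Admin Service
   Indexing Service
   World Wide Web Publishing Service

The command completed successfully.
"""

# Constructed baseline: the services recorded when the host was hardened.
BASELINE = {
    "Event Log",
    "IIS Admin Service",
    "Server",
    "World Wide Web Publishing Service",
}

# Constructed "building permits": changes that went through review.
# Each permit is (action, service) with action "add" or "remove".
PERMITS = {("add", "FTP Publishing Service")}


def parse_net_start(text):
    """Service display names are the indented lines of `net start` output."""
    return {line.strip() for line in text.splitlines()
            if line.startswith(" ") and line.strip()}


def unauthorized_changes(baseline, current, permits):
    """Return changes from the baseline that no permit covers."""
    findings = [("unexpected", svc) for svc in sorted(current - baseline)
                if ("add", svc) not in permits]
    findings += [("missing", svc) for svc in sorted(baseline - current)
                 if ("remove", svc) not in permits]
    return findings


def rebaseline(baseline, current, permits):
    """Fold only permitted, observed changes into a new baseline.

    Unpermitted services stay out of the baseline, so they keep being
    reported until someone investigates or issues a permit.
    """
    new = set(baseline)
    for action, svc in permits:
        if action == "add" and svc in current:
            new.add(svc)
        elif action == "remove" and svc not in current:
            new.discard(svc)
    return new


if __name__ == "__main__":
    running = parse_net_start(NET_START)
    for kind, svc in unauthorized_changes(BASELINE, running, PERMITS):
        print(f"{kind}: {svc}")
    print(sorted(rebaseline(BASELINE, running, PERMITS)))
```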

Posted: 09/12/2013, 17:15
