Information Assurance Foundations - SANS GIAC LevelOne © 2000, 2001

Slide 1: Information Assurance Foundations
Core issues and challenges
Stephen Northcutt, The SANS Institute

Hello. My name is Stephen Northcutt, and the material we are going to cover this next hour is central to understanding the theory and practice of information security. This is a foundational course, developed for the SANS LevelOne Security Essentials certification program. When you complete this course, there will be a quiz available from the SANS web page to help reinforce the material and ensure your mastery of it.

In the next 45 minutes or so, I am going to take you on a tour of three famous attacks to see what lessons we can learn from them. Along the way, we are going to discuss the three key dimensions of protection and attack. Most of you are already familiar with them. They are: confidentiality, integrity, and availability. Throughout the LevelOne Security Essentials certification program, you will be deploying countermeasures to protect confidentiality, integrity, and availability; and you may experience attacks against these dimensions. We can think of these as the “primary colors” of information assurance. By mixing and matching these (and we do mix and match, because they are interrelated), we are able to develop either a very strong attack or a strong defense.

Slide 2: Agenda
• Principles of attack and defense
• Three famous attacks
• Introduction to vulnerabilities
• Basic countermeasures
• Summary

The next slide is titled “Agenda”. This slide shows the main topics we are going to cover. We will discuss the threats that are arrayed against our computer systems. To focus that discussion, we will be concerned with some of the more famous attacks that have occurred. Now, information assurance can get really complex, but these kinds of problems decompose nicely.
As we work our way through the material, we are going to be pointing out aspects of confidentiality, integrity, and availability in both the attacks and the defenses we discuss. So if you are new to security, or if you just want a quick review, the way I think about these things is a credit card. Have you ever had a credit card not be accepted? Three different times in a row, when I was buying tires at a local store in my town, my credit card did not clear. All three times, the bank said their computers were down. Well, that is an availability attack. Well, it certainly felt like an attack to me! I live in a small town and a lot of people know me, and so to have my card rejected was very embarrassing.

Confidentiality makes sure that no one but you knows your credit card number. An example of a confidentiality defense is the way that “key” on the bottom of your browser turns solid when you are executing a secure transaction: the bit stream is encrypted to foil casual eavesdroppers. An example of an integrity attack would be telling someone they lie so much, their own mother doesn’t believe them! (Ha ha - well, maybe that’s not exactly right.) It might be spoofing by using someone else’s credit card, or modifying the balance of someone else’s account.

Slide 3: Three Bedrock Principles
• Confidentiality
• Integrity
• Availability

Your next slide is titled “Three Bedrock Principles”. Keep in mind that the keys we have been discussing are interrelated. So, an attacker may exploit an unintended function on a web server and use the cgi-bin program “phf” to list the password file. Now, this would breach the confidentiality of this sensitive information (the password file). Then, in the privacy of his own computer system, the attacker can use brute force or dictionary-driven password attacks to decrypt the passwords.
Then, with a stolen password, the attacker can execute an integrity attack when they gain entrance to the system. They can even use an availability attack as part of this overall effort to neutralize alarms and defensive systems, so they can’t report his existence. When this is completed, the attacker can fully access the target system, and all three dimensions (confidentiality, integrity and availability) are in jeopardy.

Now, I chose a very simple, well-known attack for a reason. A large number (in fact, an embarrassingly large number) of corporate, government, and educational systems that are compromised and exploited are defeated by these well-known, well-published attacks.

Now, not all the bad things that happen to computer systems are attacks per se. There are fires, water damage, mechanical breakdowns, and plain old user error. But all of these are called threats. We use threat models to describe a given threat and the harm it could do if the system has a vulnerability.

Slide 4: The LevelOne Threat Model
• Threat
• Vulnerability
• Compromise
Vulnerabilities are the gateways by which threats are manifested.

The next slide is titled “The LevelOne Threat Model.” On the bottom of your slide, it says that “vulnerabilities are the gateways by which threats are manifested”. So, for a threat model to have any meaning at all, there has to be a threat. Are there people with the capability and inclination to attack - and quite possibly harm - your computer systems and networks? What is the probability of that happening? The probability is high that any non-private address will be targeted several times a year. The most common countermeasure for most organizations is to deploy firewalls or other perimeter devices.
These work quite well to reduce the volume of attacks that originate from the Internet, but they don’t protect systems from insiders, or from attacks like macro viruses, which are able to pass through firewalls about 99% of the time. We will be discussing threats in greater detail in another LevelOne course in this very same step; it is called the “Internet Threat Briefing”.

So there is a threat, and there are certainly vulnerabilities, and when a threat is able to connect to its specific vulnerability, the result can easily be system compromise. Again, the most common tactic is to protect systems with perimeter devices such as firewalls. It’s cost-effective, it’s practical, and it’s highly recommended. Even the most open universities or other research environments that require themselves to be very open should be able to do some perimeter defense, even if they can only do it at the department or building level, or even at the host level.

Now we are ready to see what the LevelOne program is designed to do. It will teach you to identify and repair the system and network vulnerabilities that allow many of the most well-known confidentiality, integrity, and availability attacks to succeed. In that way, if your perimeter defense should ever fail for any reason, you greatly reduce the risk of harm.

Slide 5: Three Lessons From History
• Morris worm
• Kevin Mitnick
• Melissa virus

Your next slide is titled “Three Lessons From History”. Perhaps the three most famous information security defense failures are the Morris worm, the Mitnick attack, and the Melissa virus. We don’t have time in this course to explore each of these in detail, but you should be familiar with each of them as a security professional. As homework, please try a ‘net search for these attacks and read a bit more. There are information security lessons that we ought to be able to learn from these well-known attacks.
In each case, there was a computer system vulnerability, and it was exploited. In each of the cases, there was an absence of defense in depth. In fact, in the case of the Mitnick attack and most systems affected by the Morris worm, the exploit did not have to penetrate any defensive perimeters. So, that’s “defense in shallow”! As we go through each of the attacks, try to look out for the three primary security dimensions: confidentiality, integrity, and availability. Consider how the defenses for each failed, or did not exist in the first place. The vulnerability is listed in every case; so please note how the threat was able to exploit the vulnerability to compromise or affect the target system(s).

Slide 6: The Morris Worm
• Availability attack (denial of service)
• Common vulnerabilities in fingerd and sendmail allowed rapid replication
• Internet communications effectively lost

Your next slide is titled “The Morris Worm”. If you haven’t read Zen and the Art of the Internet, you probably should. It is available at http://sunland.gsfc.nasa.gov/info/guide/The_Internet_Worm.html. We’ll do a small reading from that section:

“On November 2, 1988, Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating, self-propagating program called a worm and injected it into the Internet. He chose to release it from MIT, to disguise the fact that the worm came from Cornell. Morris soon discovered that the program was replicating and reinfecting machines at a much faster rate than he had anticipated: there was a bug. Ultimately, many machines at locations around the country either crashed or became "catatonic." When Morris realized what was happening, he contacted a friend at Harvard to discuss a solution. Eventually, they sent an anonymous message from Harvard over the network, instructing programmers how to kill the worm and prevent reinfection.
However, because the network route was clogged, this message did not get through until it was too late. Computers were affected at many sites, including universities, military sites, and medical research facilities. The estimated cost of dealing with the worm at each installation ranged from $200 to more than $53,000.

The program took advantage of a hole in the debug mode of the Unix sendmail program, which runs on a system and waits for other systems to connect to it and give it email, and a hole in the finger daemon fingerd, which serves finger requests. People at the University of California at Berkeley and MIT had copies of the program and were actively disassembling it (returning the program back into its source form) to try to figure out how it worked. Teams of programmers worked non-stop to come up with at least a temporary fix, to prevent the continued spread of the worm. After about twelve hours, the team at Berkeley came up with steps that would help retard the speed of the worm. Another method was also discovered at Purdue and widely published. The information didn't get out as quickly as it could have, however, since so many sites had completely disconnected themselves from the Internet.”

Slide 7: K. Mitnick vs. T. Shimomura
• Confidentiality, integrity and availability attack
• Reconnaissance probing to determine trust relationship (“r utilities”)
• IP spoofing to act as one side of trust relationship
• Lack of site or system perimeter defenses to retard or defeat attack

Your next slide is titled “K. Mitnick vs. T. Shimomura”. It was Christmas Eve, December 1994, when Kevin Mitnick executed his famous attack against Tsutomu Shimomura. How did he defeat one of the most skilled information security professionals in the country? Was it wizardry? No, it was a combination of basic attack principles, along with one neat technical hack that allowed this attack to succeed.
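The fourth bullet on this slide (lack of site or system perimeter defenses) is where the countermeasure sits, and the editor's note that closes this slide's notes spells it out: a host-level check such as TCP Wrappers keys on the source address a packet claims, so it cannot tell a spoofed trusted address from the real one, whereas a border router can drop any packet arriving from the Internet that claims one of the site's own internal addresses. The following Python model is an added example, not course material and not code from anyone involved in the Mitnick case; the site prefix 10.1.0.0/16, the trusted host 10.1.2.3 and the two packets are constructed for illustration.

```python
"""Added example (not from the SANS course): why an address-based trust check
such as TCP Wrappers passes a spoofed packet that carries a trusted internal
source address, while an ingress (anti-spoofing) filter at the border router
rejects it. Every address, prefix and packet here is constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed site layout (assumption): the site owns 10.1.0.0/16 and the
# r-utilities on the victim trust the internal host 10.1.2.3.
SITE_PREFIX = ipaddress.ip_network("10.1.0.0/16")
TRUSTED_HOSTS = {ipaddress.ip_address("10.1.2.3")}


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    arrived_on: str  # "external" (Internet-facing interface) or "internal"


def tcp_wrappers_allows(pkt: Packet) -> bool:
    """Model of a 'hosts.deny ALL, hosts.allow <trusted hosts>' policy.
    The wrapper only sees the source address the packet claims, so a forged
    packet with a trusted source address is accepted."""
    return pkt.src in TRUSTED_HOSTS


def border_ingress_filter_allows(pkt: Packet) -> bool:
    """Anti-spoofing rule on the border router (the editor's recommendation):
    a packet arriving on the external interface may not claim a source
    address inside the site's own address space."""
    if pkt.arrived_on == "external" and pkt.src in SITE_PREFIX:
        return False
    return True


def site_accepts(pkt: Packet) -> bool:
    """Defense in depth: the border filter is evaluated first, then the
    host-level wrapper check on whatever the router let through."""
    return border_ingress_filter_allows(pkt) and tcp_wrappers_allows(pkt)


def make_packet(src: str, dst: str, arrived_on: str) -> Packet:
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst), arrived_on)


# Constructed packets: a genuine request from the trusted host on the inside,
# and a forged one from the Internet that claims the trusted host's address.
GENUINE = make_packet("10.1.2.3", "10.1.2.4", "internal")
SPOOFED = make_packet("10.1.2.3", "10.1.2.4", "external")

if __name__ == "__main__":
    for name, pkt in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(f"{name:8} wrappers={tcp_wrappers_allows(pkt)} "
              f"border={border_ingress_filter_allows(pkt)} "
              f"accepted={site_accepts(pkt)}")
```

The wrapper check returns True for both packets, which is the editor's point; only the rule that ties the claimed source address to the interface it arrived on separates the forged packet from the real one.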
First, there was a confidentiality attack. There was no firewall or perimeter defense, so it was possible to probe the facility to gather information. From the reconnaissance probing, Mitnick was able to discover that there was a trust relationship between two of Shimomura’s systems. Next, Mitnick exploited an availability vulnerability with an attack called a SYN flood to silence one half of the trust relationship. With the real server unavailable, he assumed that system’s identity by spoofing and attacked the integrity of the trust relationship. When he got control of the system, he was able to steal many sensitive files, including closely held security programs that were virtually irreplaceable. When considering the damage to your organization from a threat, be sure to consider what would happen if your organization’s most important secrets were lost.

It is worth noting that even if all this had succeeded (which it did), the actual attack would have failed if there had been one more layer of defense - such as a system perimeter like TCP Wrappers with a “deny all computers and then only allow trusted hosts to access the system” defensive policy.

(Editor’s note: TCP Wrappers would likely NOT stop this attack. Mitnick spoofed Shimomura’s address so that Mitnick’s computer appeared to be at the address used by Shimomura. The additional layer of defense that COULD prevent the attack from succeeding would be to configure the border router to block incoming packets with a source address that matched the site’s internal address. – JFK)

Slide 8: Melissa Virus
• Availability attack
• New “strain” slipped through most perimeters
• Users activated macro despite warnings
• Evidence of the danger of monoculture

Your next slide is titled “Melissa Virus”.
The Melissa macro virus was first observed Friday, March 26, 1999, and quickly became one of the most well-known and widely-spread macro virus infections to date. Many sites were aware of Melissa on Friday, others over the weekend, and of course still others found out Monday morning, so that March 28 was indeed a challenging day. By late Friday, an excellent description of the virus, including how to identify and contain it at the host level, had been developed and published by the Computer Emergency Response Team (CERT) at Carnegie Mellon. According to Network Associates’ (NAI’s) web site, the virus was first discovered on an "alt.sex" newsgroup and spread rapidly.

This extraordinarily rapid spread of Melissa serves as a warning of how fast a virus with an unknown signature can spread. If you examine the virus source code, you can see that the virus replicated so rapidly by going through Microsoft Outlook address books and sending itself to the first 50 entries in each book. Now, the Melissa virus did no damage in the sense of deleting or stealing files, and only sites with desktop systems running Microsoft’s Outlook email client were directly affected. However, even systems that did not spread the virus directly by email still had their Microsoft Word documents infected, and continued to pass on the virus. Moreover, the cost of dealing with Melissa is in the millions of dollars.

How did a virus that does no explicit damage (such as deleting files) do so much harm and wreak this much havoc? Well, most of the financial losses are in the area of lost productivity. This is a big availability attack.
- Some sites have reported that they shut down email entirely for multiple days.
- Others lost email connectivity for several hours while cleaning the virus from their servers.
- System administrator and help desk resources were tied up fighting the virus for periods ranging from three to five days at most affected organizations.
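The replication mechanism just described (each infected desktop mails the virus to the first 50 entries of every Outlook address book) is behaviour a mail administrator can watch for without knowing the virus signature: one sender suddenly addressing dozens of distinct recipients within a couple of minutes. The following Python rule is an added example, not part of the course and not drawn from the CERT or NAI material mentioned above; the log line format, the addresses, the five-minute window and the threshold of 20 recipients are constructed assumptions.

```python
"""Added example (not from the SANS course): a signature-free rule that flags
a Melissa-style mass mailer in mail-server logs. Because the virus sent
itself to the first 50 entries of each Outlook address book, an infected
desktop shows up as one sender addressing many distinct recipients within a
short window. The log format, addresses, window and threshold are all
constructed assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta


def _constructed_log():
    """Build sample log lines ("<ISO time> <sender> <recipient>"):
    carol sends four ordinary mails spread over the morning, while alice's
    infected desktop mails 50 distinct address-book entries within 90 s."""
    burst = datetime(1999, 3, 26, 14, 0, 0)
    lines = []
    for i in range(4):
        t = burst - timedelta(hours=i + 1)
        lines.append(f"{t.isoformat()} carol@example.com friend{i}@example.com")
    for i in range(50):
        t = burst + timedelta(seconds=i * 1.8)
        lines.append(f"{t.isoformat()} alice@example.com book{i:02d}@example.com")
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Split one constructed log line into (timestamp, sender, recipient)."""
    ts, sender, rcpt = line.split()
    return datetime.fromisoformat(ts), sender.lower(), rcpt.lower()


def find_mass_mailers(lines, window=timedelta(minutes=5), max_recipients=20):
    """Return {sender: peak} for every sender that addressed more than
    max_recipients distinct recipients inside any sliding time window."""
    deliveries = defaultdict(list)            # sender -> [(ts, recipient)]
    for line in lines:
        ts, sender, rcpt = parse_line(line)
        deliveries[sender].append((ts, rcpt))

    flagged = {}
    for sender, events in deliveries.items():
        events.sort()
        in_window = defaultdict(int)          # recipient -> deliveries in window
        start = 0
        peak = 0
        for ts, rcpt in events:
            in_window[rcpt] += 1
            # Advance the window's left edge past deliveries older than
            # `window` relative to the delivery just added.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > max_recipients:
            flagged[sender] = peak
    return flagged


if __name__ == "__main__":
    for sender, peak in find_mass_mailers(SAMPLE_LOG).items():
        print(f"ALERT mass mailing from {sender}: {peak} distinct recipients "
              f"within 5 minutes")
```

The threshold has to sit above the legitimate burst size for the site (a newsletter or a department-wide memo will also fan out), which is why the function reports the peak count rather than a bare yes/no: the number lets an analyst tune the rule against real traffic.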
The Microsoft macro capability is a significant vulnerability, and the opportunity exists for far more serious attacks than Melissa. I find this quite interesting, because almost all actual users of Microsoft Office products rarely take advantage of the macro language.

Slide 9: Midpoint Review
• Principles of attack and defense
• Three famous attacks
• Introduction to vulnerabilities
• Basic countermeasures
• Summary

Your next slide is titled “Midpoint Review”. At this point we are familiar with the basic security principles of confidentiality, integrity, and availability. We have examined how these principles come into play with three famous attacks: the Morris worm, the Mitnick attack, and the Melissa Word macro virus. We have also discussed the threat model and its relationship to vulnerabilities. Vulnerabilities are the gateways by which threats are made manifest.

So next, let’s drill down into vulnerabilities a bit more and examine the types of things that are commonly exploited. Keep in mind that there are broad-based threats, but on the whole a particular type of threat has to find its matching vulnerability. This is one reason the wise security professional is concerned about confidentiality attacks such as reconnaissance probes - if the attacker can determine our specific configurations, they can direct the appropriate attacks against our assets, and may well succeed.

So let’s start this section by taking a quick look at three common vulnerabilities that involve Windows, Unix, and networking, and discuss how they work - keeping in mind the basic security failures that occur to make these attacks possible. The vulnerabilities we will talk about are:
- a confidentiality vulnerability called Windows NT null sessioning;
- a network availability vulnerability called echo – chargen;
- an integrity vulnerability against Unix systems: the IMAP buffer overflow.
Slide 10: Null Session
net use \\172.20.244.164\IPC$ "" /USER:""

Your next slide is titled “Null Session”. The null session exploit is an attack against confidentiality. In essence, it’s just “finger” on steroids. The attacker “logs in” to the Windows NT system using the “net use” command listed on your slide. After logging in, it is possible to gather a great deal of information from the Windows Registry. Though this could be done by hand, it would be very tedious, so there are tools to make this a reasonable task. The tool shown in the screen shot is DumpACL by SomarSoft. It was available for free from www.somarsoft.com, but they seem to have disappeared, which is a tragedy. They were wonderful folks and were among the first to develop security information and tools for NT. However, the software is still out on the Internet if you look with a ‘net search.

(Editor’s note: SomarSoft has granted distribution rights for its tools, including DumpACL (now called DumpSec), to SystemTools.com. DumpSec can be obtained from either http://www.somarsoft.com or http://www.systemtools.com. - JEK)

The screenshot shown on the slide was from before I entered the “null session”. Afterwards, I would be able to enumerate boatloads of information about users, if that system was vulnerable to a null session attack. Enumerate is a popular term in the industry to describe what we used to call “depth first, breadth second” searches.

So what? Why do you care? Well, if you find a PDC or BDC (Primary Domain Controller or Backup Domain Controller), you can use null sessioning to get a long list of user names, including all the members of the Administrator group. Then you could try consecutive ‘net uses’, trying different passwords. I am not really big on passwords, since they can be sniffed or attacked by brute force, but they do have their place. There are a lot of weak passwords out there and every little bit helps.
So, the longer we delay an attacker while they try dictionary attacks on our passwords, the more likely we are to catch them in the act.

[...]

... receives data. Vulnerability scans to locate echo, chargen, daytime ports are highly recommended.

Your next slide is titled “Echo – Chargen”. This is a classic availability attack. On your slide you have a trace of network traffic packet header information showing two systems expending all their resources talking back and forth, but with ...

... countermeasures
• Summary

Your last slide is titled “Putting it all Together”. We have covered a lot of ground and have laid a solid foundation for the coursework that lies ahead. LevelOne is designed to equip system administrators and security professionals to identify and repair vulnerabilities and so achieve defense in depth. The information ...

... over the system.

Slide 13: Summary of Vulnerabilities
• These common, well known problems are being exploited every day!
• Most common operating systems and the networks they attach to are vulnerable

Your next slide is titled “Summary of Vulnerabilities”. To summarize the vulnerabilities section, we just took a quick look at three common ones: ...

... hooked up to the Internet, there is a way to attack them.

Slide 14: Roadmap
• Principles of attack and defense
• Three famous attacks
• Introduction to vulnerabilities
• Basic countermeasures
• Summary

Your next slide is titled “Roadmap”. So what to do? Well, clearly we need to get a lot better at finding and correcting these vulnerabilities ...

... Perimeter Defense
• Doors and locks on doors
– Lock the windows too
• Perimeters inside perimeters
• Should chokepoints fail closed?
– Every device can fail. Be sure it fails to a known state.

Your next slide is titled “The Role of Perimeter Defense”. Since there are more vulnerabilities than we can possibly correct, what are we going ...

... the defenses based on the analysis of the attack). Protect, Detect, React.

Slide 17: The Role of Intrusion Detection
(Diagram labels: Protect, Detect, React; Anomalous Events; IDS Analyst; Report; Known | Unknown; Analyze)

Intrusion detection is at least partly misnamed. Generally, what is detected are attempts, and most of the time they are simply reconnaissance ...

Slide 18: Incident Handling
• Prepare, detect, contain, eradicate, recover, lessons learned
• Role of CIRTs and law enforcement
• Personal incident handling policy
• Allows organization to accept risks

Your next slide is titled “Incident Handling”. Bad things happen, and that is why incident response is a critically important capability for a ...

... LevelTwo Advanced Incident Handling and Hacker Exploits module. – JEK)

Slide 19: Configuration Management
• Risk assumed by one is shared by all
• Baseline
• Building permits
• Personal building permits

Your next slide is titled “Configuration Management”. The primary attacker strategy is to scan, looking for a vulnerable system, and then establish ...

... there are no known signatures.

Slide 20: Why Policy Really Matters
• Randall Schwartz case
• Policy as insurance
• Policy to define domains of responsibility
• Personal policy
• Good Policy/Bad Policy

How many times have you tried to go do the right thing and you get the answer, “Sorry, but that’s against policy”? You may find it hard to believe ...

... list or you wear a pager, you need a personal policy!
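The Null Session notes above end with the observation that the longer a password-guessing attacker is delayed, the better the chance of catching them in the act, and the Intrusion Detection slide adds that what gets detected is mostly attempts. The following Python function is an added example of that detection, not course material: it counts failed logons per source address in fixed five-minute bins and reports any source that exceeds a threshold, together with how many distinct account names it tried (the pattern an attacker leaves after enumerating the Administrator group and then trying passwords against each member). The log line format, host name, addresses and thresholds are constructed for the example.

```python
"""Added example (not from the SANS course): detection of password guessing
against enumerated accounts. A source that produces a burst of failed logons
spread across several account names is the follow-on to a null-session
enumeration described in the Null Session notes, and it is an "attempt" of
the kind the intrusion detection slide says is what IDS really detects.
Log format, host names, addresses and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<ISO time> <host> logon <OK|FAILED> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) logon (?P<result>OK|FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def _constructed_log():
    """One successful logon and one typo from a workstation, then 40 failed
    guesses from a single outside address cycling through four privileged
    account names (what follows a null-session enumeration of the group)."""
    base = datetime(2001, 1, 8, 9, 0, 0)
    lines = [
        f"{base.isoformat()} pdc1 logon OK user=jsmith src=10.1.5.20",
        f"{(base + timedelta(minutes=1)).isoformat()} pdc1 logon FAILED user=jsmith src=10.1.5.20",
    ]
    targets = ["administrator", "backup_op", "helpdesk", "svc_sql"]
    for i in range(40):
        t = base + timedelta(seconds=10 + 2 * i)
        lines.append(f"{t.isoformat()} pdc1 logon FAILED user={targets[i % 4]} src=192.0.2.77")
    return lines


SAMPLE_LOG = _constructed_log()


def parse_logon(line):
    """Return the parsed fields of one line, or None for a line in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_guessing(lines, bin_minutes=5, max_failures=10):
    """Count failed logons per (source, fixed time bin). Return
    {src: (failures, distinct_accounts)} for the worst bin of every source
    whose failures within a single bin exceed max_failures."""
    failures = defaultdict(int)     # (src, bin start) -> failed logons
    accounts = defaultdict(set)     # (src, bin start) -> account names tried
    for line in lines:
        rec = parse_logon(line)
        if rec is None or rec["result"] != "FAILED":
            continue
        ts = rec["ts"]
        bin_start = ts.replace(minute=ts.minute - ts.minute % bin_minutes,
                               second=0, microsecond=0)
        key = (rec["src"], bin_start)
        failures[key] += 1
        accounts[key].add(rec["user"])

    alerts = {}
    for (src, bin_start), n in failures.items():
        if n > max_failures and n > alerts.get(src, (0, 0))[0]:
            alerts[src] = (n, len(accounts[(src, bin_start)]))
    return alerts


if __name__ == "__main__":
    for src, (n, distinct) in detect_guessing(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} failed logons against {distinct} accounts "
              f"within one 5-minute bin")
```

Fixed bins are deliberately simple: they are cheap to compute on a busy domain controller's log and good enough to surface a 40-attempt burst, and the distinct-account count is what separates a user mistyping their own password from a guessing run across the enumerated group.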
Slide 21: Defense in Depth
• Perimeter protection
• Anti-virus
• Basic auditing (NT/Unix/Linux)
• What is your role and responsibility for these?

The next slide is titled “Defense in Depth”. Are we there yet? The picture we have painted so far is that a good security architecture, one that ...