Tom Crimmins & Anthony Kava ICIT Mid-Year Conference 2007

Transcription

1 Tom Crimmins & Anthony Kava ICIT Mid-Year Conference 2007

2 If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. Bruce Schneier 2

3 It is not the spoon that bends but yourself Process Not a Product Cat and Mouse Building Insecurity Afterwards 3

4 Crunchy Throughout Weakest Link Failure Types Brittle Resilient Countermeasures Prevention Detection Response 4

5 Assets Cost Trade-offs Attackers Threat Risk Examples Script Kiddiez Guys in Ski Masks 5

6 Step 1: What assets are you trying to protect? Step 2: What are the risks to those assets? Step 3: How well does the security solution mitigate those risks? Step 4: What other risks does the security solution cause? Step 5: What costs and trade-offs does the security solution impose? Finally: Is the countermeasure worth it? 6

7 Solution: From Address / User List, Out of Band PIN Delivery, Timeout Step 1: What assets are you trying to protect? AD Account Info / Status, Backup Operations, Network Info Step 2: What are the risks to those assets? Intel for Attack, DoS, AD Account Compromise Step 3: How well does the security solution mitigate those risks? Pretty well attacker must spoof address plus intercept telephone call Step 4: What other risks does the security solution cause? No obvious risks introduced (outside of risks inherent with CentComm system) Step 5: What costs and trade-offs does the security solution impose? User must memorize or record PIN, transactions take longer with PIN, handshake Finally: Is the countermeasure worth it? Yes, it makes CentComm a viable tool for IT use while protecting assets at risk 7

8 Solution: From Address / User List, RSA Tokens Step 1: What assets are you trying to protect? AD Account Info / Status, Backup Operations, Network Info Step 2: What are the risks to those assets? Intel for Attack, DoS, AD Account Compromise Step 3: How well does the security solution mitigate those risks? Very well attacker must spoof address plus calculate RSA PIN (short life) Step 4: What other risks does the security solution cause? No obvious risks introduced (outside of risks inherent with CentComm system) Step 5: What costs and trade-offs does the security solution impose? RSA solution=$$$,user must have RSA token, transactions take longer with PIN, handshake Finally: Is the countermeasure worth it? No, because the financial cost is not necessary for the level of security required 8

9 Please Do Not Take Sales People's Advice 9

10 The Basics Physical Access Trumps All Copper RF Light DEMO: Tapping Copper 10

11 Port Watcher (Passive) Port Security (Active) 802.1x Authentication DoS VLAN (802.1q) Tagging Attacks 11

12 The Role of the Firewall Routers VPN Your Network at Their Fingertips Tunneling Crunchy Network (Yummy Rehash) DEMO: Cain ARP Poisoning / WireShark Sniffing 12

13 Layer 5 Definition Why We Won t Talk About It Layer 6 Crypto (TLS/SSL) XML* / MIME * XML is Layer 6 when it is used to serialize objects 13

14 Common Attacks SQL Injection CGI Vulnerabilities (e.g., phonebook) Buffer Overflows Other OS / Application Vulnerabilities Exploiting Design Flaws DEMO: Nmap / Metasploit / Cain 14

15 Names have been changed to protect the innocent (us) Three examples from the PottCounty IT files Commonality of Design Flaws Security as a Feature vs. Integration 15

16 Name: App #1 Category: Direct database application (No middleware) Authentication: Windows authentication to DBMS. Flaw: Requires users to be in db_owner role. Attacker(s): Disgruntled employees Comments: Privileges are enforced at the client side. Don't use the client. Also, a command line parameter will allow you to identify yourself as another user with more privileges. Band-Aid: None. Just hope no one knows SQL or figures out the command line parameter. 16

17 Name: App #2 Category: Client-server App (flat-file database) Authentication: Shared passwords Flaw: Run arbitrary commands as server account Attacker(s): Anyone with access to the client, but can probably be duplicated without the client (We weren't that bored) Comments: Commands can be run prior to authentication at the privilege level of the account running the server component. Band-Aid: Worked with vendor for patch (if you want to call it that). Made exploitation more obscure but still possible. 17

18 Name: App #3 Category: Direct database application Authentication: Password stored in database (Sweet cipher, by the way). ODBC password stored in encrypted file. Flaw: Decryption key for ODBC password stored in executable. Not plain text, but theoretically retrievable by disassembly (Yes, we do have lives) Attacker(s): Anyone (with lots of time) that has access to the encrypted password file and the executable. Comments: This is a better setup than App #1, but the account used for the ODBC connection still has DBO access. Default password is simple, and it is a pain to change it. Band-Aid: Optionally the password file can be moved from the client to a network share, but this is not the default. 18

19 Social Engineering Countermeasures Policies Training Data Loss / (Un)Trusted Parties DEMO: Caller ID Spoofing DEMO: Social Engineering 19

20 Vendor Promises Feel-good Measures Security by Obscurity EXAMPLE: Questionable Math 20

21 Questionable Example (was: Conclusion) Effectiveness: Given that 2 reactive technologies (FW & AV) give 2x security effectiveness Virtualization of these same 2 technologies give 4x security effectiveness In our simple example we go from 4x security effectiveness to 16x security effectiveness (The standard unit for security effectiveness is a Kava)

22 Trust No One There are No Coincidences Paul is the Walrus The Four-digit Extended Zip Code (FEMA Relocation) The only way to achieve true computer security is not to use a computer 22

23 FYI man, alright. You could sit at home, and do like absolutely nothing, and your name goes through like 17 computers a day. 1984? Yeah right, man. That's a typo. Orwell is here now. He's livin' large. We have no names, man. No names. We are nameless! -- Cereal Killer Hackers 23