Data Protection: Firewalls, Intrusion Detection & Audit Issues
July 30, 2008
Presented By: Azhar Ahmad Sahibzada, Deputy CISO, Information Security Division, Askari Bank Limited.
Data Protection
CISO = Chief Information Security Officer
Job that focuses on Information Security within an organization
Responsibilities vary depending on needs of organisation but often include responsibility for:
Security Office Mission and Mandate Development
Security Office Governance
Security Policy Development and Management
Security Training and Awareness Development
Security Project Portfolio Development
The CISO reports either to the Chief Information Officer (CIO) or to the Chief Executive Officer (CEO)
What Is Data
DATA is information that has been translated into a form that is more convenient to move or process.
Relative to today's computers and transmission media, data is information converted into binary digital form.
The Three Tenets of Computer Security
Confidentiality: unauthorized users cannot access data
Integrity: unauthorized users cannot manipulate/destroy data
Availability: unauthorized users cannot make system resources unavailable to legitimate users
Threat: any event which could have an undesirable impact
Vulnerability: absence or weakness of a risk-reducing safeguard; the potential to allow a threat to occur with greater frequency, greater impact, or both
Exposure: a measure of the magnitude of loss or impact on the value of the asset
Risk: the potential for harm or loss, including the degree of confidence of the estimate
The management of risk is called Risk Management
In Information Security, a "risk" is defined as a function of three variables:
The probability that there is a threat
The probability that there are any vulnerabilities
The potential impact
If any of these variables approaches zero, the overall risk approaches zero.
Transaction/Operations Risk
Credit Risk
Liquidity, Interest Rate, Price/Market Risks
Compliance/Legal Risk
Strategic Risk
Relationship Among Security Components
Definitions
Due Care
minimum and customary practice of responsible protection of assets that reflects a community or societal norm
Due Diligence
prudent management and execution of due care
Controls
Vulnerabilities
Physical, Natural: floods, earthquakes, terrorists, power outage, lightning
Hardware/Software, Media: corrupt electronic media, stolen disk drives
Emanation, Communications, Human: social engineering, disgruntled staff
Security Management Planning
Identify potential losses if security is not properly implemented:
Trade secrets
Confidential information
Personal e-mail
Adverse publicity
Viruses, worms, malicious Java and ActiveX applications
Denial of service
Hard drive reformats, router reconfigurations
Financials
Hacked web pages
Breach of Human Resources information
Information Valuation
Information has cost/value: acquire/develop/maintain
Owner/Custodian/User/Adversary
Do a cost/value estimate for cost/benefit analysis
Integrate security in systems
Avoid penalties
Preserve proprietary information
Business continuity
Threats
Unauthorized access
Hardware failure
Utility failure
Natural disasters
Loss of key personnel
Human errors
Neighborhood hazards
Tampering
Disgruntled employees
Emanations
Safety
Improper use of technology
Repetition of errors
Cascading of errors
Threats
Illogical processing
Translation of user needs (technical requirements)
Inability to control technology
Equipment failure
Incorrect entry of data
Concentration of data
Inability to react quickly
Inability to substantiate processing
Concentration of responsibilities
Erroneous/falsified data
Misuse
FIREWALLS
A firewall is a device or set of devices configured to permit, deny, encrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria.
A firewall's basic task is to regulate some of the flow of traffic between computer networks of different trust levels. Typical examples are the Internet, which is a zone with no trust, and an internal network, which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or Demilitarized Zone (DMZ).
A TYPICAL BANK NETWORK (network diagram; only its labels survive): Kiosk, Extranet, Utility Company, Residential/Home Office, Mobile Banking, INTERNET, E-Commerce, Firewall, Central Host, Branch 1, Branch 2, Branch 3, BANK INTRANET, ATM, ATM Switch, Network Management, Data Warehouse, Call Center, with firewalls drawn between the INTERNET and the BANK INTRANET.
Firewall Terms
Network address translation (NAT): internal addresses unreachable from the external network
DMZ (De-Militarized Zone): hosts that are directly reachable from untrusted networks; can be a router or firewall term
ACL (Access Control List)
Firewall Terms
Choke, Choke router: a router with packet filtering rules (ACLs) enabled
Gate, Bastion Host, Dual Homed Host: a server that provides packet filtering and/or proxy services
Proxy Server: a server that provides application proxies
Firewall types
Packet-filtering router: most common; uses Access Control Lists (ACL) on port and source/destination address
Screened host: packet-filtering router and bastion host running application layer proxies
Screened subnet (DMZ): two packet-filtering routers and bastion host(s); most secure
Firewall mechanisms
Proxy servers: an intermediary; think of a bank teller
Stateful inspection: state and context analyzed on every packet in a connection
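To make the difference between the two mechanisms concrete, here is an added Python example (not from the presentation): a first-match, default-deny ACL of the kind a packet-filtering router applies to every packet, beside a stateful firewall that records connections opened from the inside and admits only the matching return traffic. The rule fields, the 5-tuple connection key, and the sample addresses are assumptions made for this illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    src: str        # CIDR; "0.0.0.0/0" means any
    dst: str
    proto: str      # "tcp", "udp" or "any"
    dport: Optional[int] = None   # None means any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


def acl_decision(rules: List[Rule], p: Packet) -> str:
    """Packet-filtering router: the first matching ACL entry wins; no match means deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: return traffic is admitted only for connections
    that an inside host opened through a permitted rule."""

    def __init__(self, rules: List[Rule], inside_cidr: str):
        self.rules = rules
        self.inside = ipaddress.ip_network(inside_cidr)
        self.table = set()   # 5-tuples of connections opened from inside

    def decide(self, p: Packet) -> str:
        reverse = (p.dst, p.src, p.proto, p.dport, p.sport)
        if reverse in self.table:
            return "permit-established"   # answer to a connection we saw opened
        decision = acl_decision(self.rules, p)
        if decision == "permit" and ipaddress.ip_address(p.src) in self.inside:
            self.table.add((p.src, p.dst, p.proto, p.sport, p.dport))
        return decision


RULES = [
    Rule("permit", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443),    # inside users to HTTPS anywhere
    Rule("permit", "0.0.0.0/0", "10.1.1.10/32", "tcp", 80),   # anyone to the DMZ web server
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any"),            # explicit catch-all deny
]

# Constructed sample traffic (documentation addresses, not real hosts).
OUTBOUND = Packet("10.0.0.5", "203.0.113.7", "tcp", 40000, 443)
REPLY = Packet("203.0.113.7", "10.0.0.5", "tcp", 443, 40000)
PROBE = Packet("198.51.100.9", "10.0.0.5", "tcp", 5555, 40000)
WEB = Packet("198.51.100.9", "10.1.1.10", "tcp", 51000, 80)


def demo() -> dict:
    fw = StatefulFirewall(RULES, "10.0.0.0/8")
    return {
        "stateless_reply": acl_decision(RULES, REPLY),   # a plain ACL blocks the server's answer
        "out": fw.decide(OUTBOUND),
        "reply": fw.decide(REPLY),                        # admitted because the inside host opened it
        "probe": fw.decide(PROBE),                        # unsolicited inbound stays denied
        "web": fw.decide(WEB),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

The point the example makes is the one the slide gestures at: a stateless filter must either reject the server's reply or open a permanent hole for any packet with source port 443, whereas the connection table lets the stateful device admit the reply and still refuse the unsolicited probe aimed at the same inside port.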
Web Security
Secure sockets Layer (SSL)
Transport layer security (TCP based); widely used for web-based applications, by convention https://
Secure Hypertext Transfer Protocol (S-HTTP)
Less popular than SSL; used for individual messages rather than sessions
Secure Electronic Transactions (SET)
PKI for financial data; supported by VISA, MasterCard, Microsoft, Netscape
Common Attacks
Spoofing
TCP: sequence number prediction
UDP: trivial to spoof
DNS: spoof/manipulate IP/hostname pairings
Source routing
Sniffing
Passive attack: monitor the wire for all traffic; most effective in shared media networks
Sniffers used to be hardware, now are a standard software tool
Session Hijacking
Uses a sniffer to detect sessions and get pertinent session info (sequence numbers, IP addresses)
Actively injects packets, spoofing the client side of the connection, taking over the session with the server
Bypasses I&A controls
Encryption is a countermeasure; stateful inspection can be a countermeasure
IP Fragmentation
Use fragmentation options in the IP header to force data in the packet to be overwritten upon reassembly
Used to circumvent packet filters
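The overwrite-on-reassembly trick works only if the receiving stack (or the filter in front of it) silently accepts a fragment that re-covers bytes it has already been given. The defensive answer is a reassembler that rejects overlap outright, which is what this added Python example (not the presentation's code) shows. It uses plain byte offsets and a constructed HTTP request; a real IPv4 stack would first multiply the header's 13-bit fragment-offset field by 8.

```python
from typing import List, Tuple

# (byte offset, payload, more-fragments flag); offsets are assumed to be in bytes
Fragment = Tuple[int, bytes, bool]


def reassemble(fragments: List[Fragment]):
    """Return ("ok", payload) when the fragments tile the datagram exactly,
    or ("rejected", reason) when a fragment overlaps bytes another fragment
    already claimed, when there is a gap, or when the final piece is missing."""
    claimed = []                                   # [(start, end)] of accepted fragments
    for off, payload, _more in fragments:
        start, end = off, off + len(payload)
        for s, e in claimed:
            if start < e and s < end:              # intervals intersect
                return "rejected", (f"fragment at offset {start} overlaps bytes "
                                    f"{max(start, s)}-{min(end, e) - 1}")
        claimed.append((start, end))

    ordered = sorted(fragments, key=lambda f: f[0])
    expected, buf = 0, bytearray()
    for off, payload, _more in ordered:
        if off != expected:
            return "rejected", f"gap before offset {off}"
        buf += payload
        expected = off + len(payload)
    if ordered[-1][2]:                             # last piece still says more follow
        return "rejected", "final fragment missing"
    return "ok", bytes(buf)


# Constructed sample fragment sets.
HEAD = b"GET /public/index.html HTTP/1.0\r\n"
TAIL = b"Host: bank.example\r\n\r\n"
CLEAN = [(0, HEAD, True), (len(HEAD), TAIL, False)]
# The middle piece re-covers bytes 4.. of the first with different content.
OVERLAP = [(0, HEAD, True), (4, b"/other/index.html HTTP/1.0\r\n", True), (len(HEAD), TAIL, False)]
MISSING = [(0, HEAD, True)]


if __name__ == "__main__":
    for name, frags in (("clean", CLEAN), ("overlap", OVERLAP), ("missing", MISSING)):
        print(name, reassemble(frags))
```

Rejecting every overlap is the strict policy; what a packet filter must avoid is inspecting fragment 1, approving the datagram, and leaving the end host to decide which of the overlapping bytes win.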
Syn Floods
Remember the TCP handshake? SYN, SYN-ACK, ACK
Send a lot of SYNs; don't send ACKs
Victim has a lot of open connections and can't accept any more incoming connections
Denial of Service
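From the monitoring side, a SYN flood shows up as a backlog of handshakes that never complete. This added Python example (not from the presentation) reads a constructed connection log, keeps the half-open state per server by watching for the client's SYN and final ACK, and alerts when the backlog passes a threshold; the log format, addresses and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed connection log (documentation addresses): one completed handshake
# to the web server, one client on the HTTPS server that has not acknowledged yet,
# and a burst of SYNs from many different sources that never send the final ACK.
LOG_LINES = [
    "1.000 198.51.100.4:40001 -> 10.1.1.10:80 S",
    "1.002 10.1.1.10:80 -> 198.51.100.4:40001 SA",
    "1.004 198.51.100.4:40001 -> 10.1.1.10:80 A",
    "1.500 198.51.100.8:40100 -> 10.1.1.20:443 S",
    "1.502 10.1.1.20:443 -> 198.51.100.8:40100 SA",
] + [
    f"2.{i:03d} 203.0.113.{i + 1}:{1000 + i} -> 10.1.1.10:80 S" for i in range(25)
]

LINE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\S+)$")


def half_open_by_server(lines):
    """Track the handshake per client tuple: a SYN opens an entry, the client's
    ACK closes it, and the server's SYN-ACK is informational only."""
    pending = defaultdict(set)           # "server:port" -> {(client_ip, client_port)}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                     # ignore lines that do not parse
        _ts, src, sport, dst, dport, flags = m.groups()
        if flags == "S":
            pending[f"{dst}:{dport}"].add((src, int(sport)))
        elif flags == "A":
            pending[f"{dst}:{dport}"].discard((src, int(sport)))
    return pending


def syn_flood_alerts(lines, threshold=20):
    """Alert on every server whose half-open backlog reaches the threshold, and
    report how many distinct sources are involved: a backlog spread over many
    addresses that never acknowledge points to spoofed sources."""
    alerts = []
    for server, clients in half_open_by_server(lines).items():
        if len(clients) >= threshold:
            alerts.append({
                "server": server,
                "half_open": len(clients),
                "distinct_sources": len({ip for ip, _ in clients}),
            })
    return alerts


if __name__ == "__main__":
    for alert in syn_flood_alerts(LOG_LINES):
        print(alert)
```

Real deployments watch the backlog within a sliding time window rather than over the whole log, and the usual mitigations once the alert fires are shorter SYN-RECEIVED timeouts, SYN cookies on the host, and rate limiting at the firewall.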
Access Controls
What is Access Control?
Access Control is the heart of security. Definitions:
The ability to allow only authorized users, programs or processes system or resource access
The granting or denying, according to a particular security model, of certain permissions to access a resource
An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on preestablished rules
How can AC be implemented?
Hardware
Software
Application
Protocol (Kerberos, IPSec)
Physical
Logical (policies)
What does AC hope to protect?
Data: unauthorized viewing, modification or copying
System: unauthorized use, modification or denial of service
It should be noted that nearly every Network Operating System (NT, Unix, Vines, NetWare) is based on a secure physical infrastructure
Proactive Access Control
Awareness training
Background checks
Separation of duties
Split knowledge
Policies
Data classification
Effective user registration
Termination procedures
Change control procedures
Physical Access Control
Guards
Locks
Mantraps
ID badges
CCTV, sensors, alarms
Biometrics
Fences (the higher the voltage the better)
Card-key and tokens
Guard dogs
Varied types of Access Control
Discretionary (DAC)
Mandatory (MAC)
Lattice/Role/Task
Formal models: Biba, Take/Grant, Clark/Wilson, Bell/LaPadula
Used set theory to define the concept of a secure state, the modes of access, and the rules for granting access.
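The two mandatory models named on the slide are easy to state as rules over a lattice, so here is an added Python example (not from the presentation) that encodes Bell-LaPadula's confidentiality rules (no read up, no write down) and Biba's integrity rules (no read down, no write up) over labels with a level and a set of need-to-know categories. The level names, the categories and the bank-flavoured sample labels are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Orderings are assumptions for this example: higher number = more sensitive
# (confidentiality) or more trustworthy (integrity).
CONF = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}
INTEG = {"untrusted": 0, "user": 1, "system": 2}


@dataclass(frozen=True)
class Label:
    rank: int
    categories: frozenset = frozenset()   # compartments such as {"loans"}

    def dominates(self, other: "Label") -> bool:
        """Lattice dominance: at least as high a rank and a superset of compartments."""
        return self.rank >= other.rank and self.categories >= other.categories


def blp_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if mode == "read":
        return subject.dominates(obj)         # simple security property
    if mode == "write":
        return obj.dominates(subject)         # *-property
    raise ValueError(f"unknown mode {mode!r}")


def biba_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Biba (integrity): no read down, no write up."""
    if mode == "read":
        return obj.dominates(subject)         # only read data at least as trustworthy
    if mode == "write":
        return subject.dominates(obj)         # only write into less or equally trusted objects
    raise ValueError(f"unknown mode {mode!r}")


# Constructed subjects and objects.
ANALYST = Label(CONF["secret"], frozenset({"loans"}))
LOANS_CONF = Label(CONF["confidential"], frozenset({"loans"}))
CARDS_SECRET = Label(CONF["secret"], frozenset({"cards"}))
LOANS_TS = Label(CONF["top-secret"], frozenset({"loans"}))

USER_PROC = Label(INTEG["user"])
SYSTEM_BIN = Label(INTEG["system"])
DOWNLOADED = Label(INTEG["untrusted"])


def demo() -> dict:
    return {
        "analyst reads confidential loans file": blp_allows(ANALYST, LOANS_CONF, "read"),   # True
        "analyst reads secret cards file": blp_allows(ANALYST, CARDS_SECRET, "read"),       # False: wrong compartment
        "analyst appends to top-secret loans log": blp_allows(ANALYST, LOANS_TS, "write"),  # True: write up is allowed
        "analyst writes confidential loans note": blp_allows(ANALYST, LOANS_CONF, "write"), # False: write down
        "user process reads system binary": biba_allows(USER_PROC, SYSTEM_BIN, "read"),     # True
        "user process reads downloaded file": biba_allows(USER_PROC, DOWNLOADED, "read"),   # False: read down
        "user process writes system binary": biba_allows(USER_PROC, SYSTEM_BIN, "write"),   # False: write up
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5s} {case}")
```

The compartment check is what turns the plain level ordering into a lattice: a secret analyst cleared for loans is still refused a secret cards file, which is the need-to-know rule a mandatory policy is meant to enforce.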
Authentication
3 types of authentication:
Something you know: password, PIN, mother's maiden name, passcode
Something you have: ATM card, smart card, token, key, ID badge, driver license, passport
Something you are: fingerprint, voice scan, iris scan, retina scan, DNA
Multi-factor authentication
2-factor authentication: to increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication.
ATM card + PIN
Credit card + signature
PIN + fingerprint
Username + Password (NetWare, Unix, NT default)
3-factor authentication, for highest security:
Username + Password + Fingerprint
Username + Passcode + SecurID token
Problems with passwords
Insecure: given the choice, people will choose easily remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc.
Easily broken: programs such as crack, SmartPass, PWDUMP, NTCrack & l0phtcrack can easily decrypt Unix, NetWare & NT passwords. Dictionary attacks are only feasible because users choose easily guessed passwords!
Inconvenient: in an attempt to improve security, organizations often issue users with computer-generated passwords that are difficult, if not impossible, to remember
Repudiable: unlike a written signature, when a transaction is signed with only a password, there is no real proof as to the identity of the individual that made the transaction
Password Attacks
Brute force: l0phtcrack, Crack, John the Ripper (for a comprehensive listing, see Alan Lustiger or attend his presentation at the CSI conference in November)
Dictionary
Trojan horse login program
Classic Password Rules
The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfill both criteria is to use two small unrelated words or phonemes, ideally with a special character or number. Good examples would be hex7goop or typetin.
Don't use:
common names, DOB, spouse, phone #, etc.
a word found in dictionaries
"password" as a password
system defaults
Password Management
Configure system to use strong passwords
Set password time and length limits
Limit unsuccessful logins
Limit concurrent connections
Enable auditing
Have policies for password resets and changes
Use last login dates in banners
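The password rules and the management checklist above translate directly into two small pieces of code, so here is an added Python example (not from the presentation) covering both: a checker that rejects the choices the "Don't use" list names (personal details, dictionary words, system defaults, no digit or special character) and a login guard that limits unsuccessful logins with a lockout, limits concurrent sessions, records every outcome for auditing, and keeps the last login date for the banner. The word lists, the sample user profile and the thresholds are constructed for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed stand-ins for a real word list and a vendor default-password list.
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "summer", "monkey"}
SYSTEM_DEFAULTS = {"admin", "changeme", "default", "guest"}


def password_problems(password: str, profile: dict, min_length: int = 8) -> list:
    """Return the rule violations for a candidate password. `profile` holds
    the personal details the slide warns about (name, spouse, DOB, phone)."""
    problems = []
    lowered = password.lower()
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if lowered in DICTIONARY:
        problems.append("dictionary word")
    if lowered in SYSTEM_DEFAULTS:
        problems.append("system default")
    for field, value in profile.items():
        if not value:
            continue
        # whole value (e.g. a name) or any 4+ digit run from a date or phone number
        if value.lower() in lowered or any(p in password for p in re.findall(r"\d{4,}", value)):
            problems.append(f"contains {field}")
    if not re.search(r"[0-9]|[^A-Za-z0-9]", password):
        problems.append("no digit or special character")
    return problems


class LoginGuard:
    """Enforce the management rules: lock out after repeated failures, cap
    concurrent sessions, audit every attempt, remember the last login."""

    def __init__(self, max_failures=3, lockout=timedelta(minutes=15), max_sessions=2):
        self.max_failures, self.lockout, self.max_sessions = max_failures, lockout, max_sessions
        self.failures, self.locked_until, self.sessions, self.last_login = {}, {}, {}, {}
        self.audit = []   # (timestamp, user, outcome)

    def attempt(self, user: str, credentials_ok: bool, now: datetime) -> str:
        if now < self.locked_until.get(user, now):
            outcome = "locked"
        elif not credentials_ok:
            self.failures[user] = self.failures.get(user, 0) + 1
            outcome = "failed"
            if self.failures[user] >= self.max_failures:
                self.locked_until[user] = now + self.lockout
                self.failures[user] = 0
                outcome = "locked"
        elif self.sessions.get(user, 0) >= self.max_sessions:
            outcome = "too-many-sessions"
        else:
            self.sessions[user] = self.sessions.get(user, 0) + 1
            self.failures[user] = 0
            self.last_login[user] = now
            outcome = "ok"
        self.audit.append((now.isoformat(), user, outcome))
        return outcome

    def logout(self, user: str) -> None:
        self.sessions[user] = max(0, self.sessions.get(user, 0) - 1)

    def banner(self, user: str) -> str:
        last = self.last_login.get(user)
        return f"Last login: {last.isoformat() if last else 'never'}"


# Constructed sample profile for the password checks.
PROFILE = {"name": "ahmed", "spouse": "sara", "dob": "12/04/1975", "phone": "0300 1234567"}

if __name__ == "__main__":
    for candidate in ("hex7goop", "sara1975", "welcome"):
        print(candidate, password_problems(candidate, PROFILE) or "acceptable")
    guard = LoginGuard()
    t0 = datetime(2008, 7, 30, 9, 0)
    for i, ok in enumerate([False, False, False, True]):
        print(guard.attempt("teller1", ok, t0 + timedelta(seconds=5 * i)))
```

Resetting the failure counter when the lockout starts means the next window begins clean after it expires, and recording the locked attempts in the audit trail is what lets a reviewer later tell a forgotten password from a guessing campaign.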
Tokens
Used to facilitate one-time passwords
Physical card
SecurID
S/Key
Smart card
Access token
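S/Key is the one scheme on this list that can be shown end to end in a few lines, because it needs no shared clock or hardware: the token holds a secret seed, the server stores only the top of a hash chain, and each password is the next link down. This added Python example (not from the presentation) implements that exchange with SHA-256 as the one-way function; the chain length, seed and class names are assumptions, and the original S/Key used MD4/MD5 and a word encoding of the hash that is omitted here.

```python
import hashlib
import secrets


def hash_chain(seed: bytes, count: int) -> bytes:
    """Apply the one-way hash `count` times: h^count(seed)."""
    value = seed
    for _ in range(count):
        value = hashlib.sha256(value).digest()
    return value


class SKeyToken:
    """Client side: holds the secret seed and the remaining counter."""

    def __init__(self, seed: bytes, n: int):
        self.seed, self.n = seed, n

    def enrollment_value(self) -> bytes:
        return hash_chain(self.seed, self.n)      # h^n: safe to hand to the server

    def next_password(self) -> bytes:
        if self.n <= 1:                           # h^0 would be the seed itself
            raise RuntimeError("chain exhausted; re-enrol with a fresh seed")
        self.n -= 1                               # each password is used exactly once
        return hash_chain(self.seed, self.n)      # h^(n-1), then h^(n-2), ...


class SKeyServer:
    """Server side: stores only the last accepted hash, never the seed, so a
    stolen verifier does not yield the next password."""

    def __init__(self, enrollment_value: bytes):
        self.last = enrollment_value

    def verify(self, otp: bytes) -> bool:
        if hashlib.sha256(otp).digest() == self.last:
            self.last = otp                       # step down the chain
            return True
        return False                              # replay, wrong value, or out of order


def demo() -> list:
    """Fresh enrolment, then: first password, its replay, the second, a guess."""
    token = SKeyToken(secrets.token_bytes(16), n=100)   # constructed enrolment
    server = SKeyServer(token.enrollment_value())
    first = token.next_password()
    return [
        server.verify(first),                     # True
        server.verify(first),                     # False: a sniffed password is useless again
        server.verify(token.next_password()),     # True
        server.verify(b"not-a-chain-value"),      # False
    ]


if __name__ == "__main__":
    print(demo())
```

The replay result is the property that matters for the sniffing and session-hijacking attacks described earlier: capturing one password from the wire gives nothing reusable, and the server's stored value is one hash ahead of anything an attacker could learn from it. A SecurID token reaches the same goal differently, by deriving the code from a shared secret and the current time.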
INTRUSION DETECTION
Intrusion Detection Systems
IDS monitors a system or network for attacks
IDS engine has a library and set of signatures that identify an attack
Adds defense in depth
Should be used in conjunction with a system scanner (CyberCop, ISS S3) for maximum security
Intrusion Detection (IDS)
Host or network based
Context and content monitoring
Positioned at network boundaries
Basically a sniffer with the capability to detect traffic patterns known as attack signatures
IDS Attacks
Insertion Attacks
Insert information to confuse pattern matching
Evasion Attacks
Trick the IDS into not detecting traffic
Example: send a TCP RST with a TTL setting such that the packet expires prior to reaching its destination
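Both IDS weaknesses come down to the sensor reconstructing a different byte stream from the one the end host sees. This added Python example (not from the presentation) models the slide's TTL trick from the defender's side: a per-packet matcher that misses a signature split across two segments, a stream matcher that honours an RST it should never have trusted, and the same stream matcher told how many hops lie between the sensor and the host, so that a segment whose TTL would expire first is discarded. The segment layout, the signature string and the hop count are constructed.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int
    payload: bytes = b""
    rst: bool = False
    ttl: int = 64


# Constructed signature; real rule sets carry thousands of patterns.
SIGNATURES = {"constructed-test-signature": b"SIGNATURE-ABC"}


def match_per_packet(segments, signatures=SIGNATURES) -> list:
    """Naive matcher: inspects each packet alone, so a pattern that straddles
    two segments is never seen."""
    hits = set()
    for seg in segments:
        for name, pattern in signatures.items():
            if pattern in seg.payload:
                hits.add(name)
    return sorted(hits)


def match_stream(segments, signatures=SIGNATURES, hops_to_target=None) -> list:
    """Reassemble the client's bytes in sequence order, then match.
    With hops_to_target set, any segment whose TTL cannot survive the remaining
    hops is ignored: the real host never receives it, so neither should the
    sensor's model of the connection. Without it, a short-lived RST makes the
    sensor stop tracking a session the host keeps reading."""
    data = b""
    for seg in sorted(segments, key=lambda s: s.seq):   # stable: RST listed first stays first
        if hops_to_target is not None and seg.ttl <= hops_to_target:
            continue
        if seg.rst:
            break                                       # connection torn down
        data += seg.payload
    return sorted(name for name, pattern in signatures.items() if pattern in data)


# Constructed session: the pattern is split across A and B, and a RST with a
# TTL of 2 is injected between them although the host is 4 hops past the sensor.
A = b"GET /search?q=SIGNA"
B = b"TURE-ABC HTTP/1.0\r\n"
SEGMENTS = [
    Segment(seq=0, payload=A),
    Segment(seq=len(A), rst=True, ttl=2),
    Segment(seq=len(A), payload=B),
]
HOPS_TO_TARGET = 4


if __name__ == "__main__":
    print("per packet      :", match_per_packet(SEGMENTS))
    print("stream, naive   :", match_stream(SEGMENTS))
    print("stream, TTL-aware:", match_stream(SEGMENTS, hops_to_target=HOPS_TO_TARGET))
```

The hop count is the piece of knowledge the sensor needs and usually lacks; in practice it is learned per protected host (from topology or by measuring), and the same reasoning applies to any packet the host would reject but the sensor would accept, such as one with a bad checksum.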
Attacks
Passive attack: monitor network traffic and then use the data obtained or perform a replay attack; hard to detect
Active attack: attacker is actively trying to break in; exploit system vulnerabilities, spoofing, crypto attacks
Denial of service (DoS): not so much an attempt to gain access, rather to prevent system operation; Smurf, SYN flood, Ping of death, mail bombs
Monitoring
IDS
Logs
Audit trails
Network tools: Tivoli, Spectrum, OpenView
AUDIT ISSUES
Nature and Extent of Computer-Related Crime
Typology
Input Tampering: entry of fraudulent or false data
Throughput Tampering: altering computer instructions
Output Tampering: theft of information
Most Common Crimes
Input and output type
Fraudulent disbursements
Fabrication of data
Computer Crime
Computer Crime as a Separate Category
Rules of Property: lack of tangible assets
Rules of Evidence: lack of original documents
Threats to Integrity and Confidentiality: goes beyond the normal definition of a loss
Value of Data: difficult to measure; cases of restitution only for media
Terminology: statutes have not kept pace. Is computer hardware machinery? Does software qualify as supplies?
Computer Crime (continued)
Computer Crime is Hard to Define
Lack of understanding
Laws are inadequate: slow to keep pace with rapidly changing technology
Multiple roles for computers:
Object of a crime: target of an attack
Subject of a crime: used to attack (impersonating a network node)
Medium of a crime: used as a means to commit a crime (Trojan horse)
Computer Crime (continued)
Difficulties in Prosecution
Understanding: judges, lawyers, police, jurors
Evidence: lack of tangible evidence
Forms of assets: e.g., magnetic particles, computer time
Juveniles: many perpetrators are juveniles; adults don't take juvenile crime seriously
The Computer Criminal
Personal Motivations
Economic
Egocentric
Ideological
Psychotic
The Computer Criminal (continued)
Environmental Motivations
Work environment
Reward system
Level of interpersonal trust
Ethical environment
Stress level
Internal controls environment
The Control Environment
Factors that Encourage Crime
Motivation
Personal inducements
Prevention measures
Factors that Discourage Crime
Internal controls systems
Access control systems
Auditing
Supervision
Detection Measures
COMPUTER CRIME INVESTIGATION
Investigation Steps
Detection and Containment
Accidental discovery
Audit trail review
Real-time intrusion monitoring
Limit further loss
Reduction in liability
Report to Management
Immediate notification
Limit knowledge of the investigation
Use out-of-band communications
Investigation Steps (continued)
Preliminary Investigation
Determine if a crime has occurred
Review complaint
Inspect damage
Interview witnesses
Examine logs
Identify investigation requirements
Investigation Steps (continued)
Disclosure Determination
Determine if disclosure is required by law
Determine if disclosure is desired
Caution in dealing with the media
Courses of Action
Do nothing
Surveillance
Eliminate security holes
Is a police report required?
Is prosecution a goal?
Investigation Steps (continued)
Conducting the Investigation
Investigative responsibility: internal investigation; external private consultant investigation; local/state/federal investigation
Factors: cost; legal issues (privacy, evidence, search & seizure); information dissemination; investigative control
Investigative Process
Identify Potential Suspects
Insiders
Outsiders
Collaboration
Identify Potential Witnesses
Who to interview
Who is to conduct the interview
Industrial Espionage
Camouflaged questioning of competitors' employees
Direct observation under secret conditions
False job interviews
False negotiations
Use of professional investigators
Hiring competitors' employees
Trespassing
Bribing suppliers and employees
Planting an agent on the competitor's payroll
Eavesdropping
Theft of information
Blackmail and extortion
QUESTIONS?
Thank You