CIT 480: Securing Computer Systems. Putting It All Together

Transcription

1 CIT 480: Securing Computer Systems Putting It All Together

2 Assurance 1. Asset identification 1. Systems and information assets. 2. Infrastructure model and control 1. Network diagrams and inventory database. 2. Change control. 3. Threat analysis and prediction 4. Response coordination 1. Attack identification. 2. Incident response team.

3 Asset Identification Information Assets Databases, files, backup tapes, paper files. Software Assets Application and system software. Physical Assets Computers, network gear, storage media, generators. Services Subscriptions to databases like Lexis-Nexis Utility services like power, AC, etc. Outsourced services like voice, vending, etc.

4 Asset Valuation 1. How important is the asset to organization success? 2. How much revenue does the asset generate? 3. How expensive would the asset be to replace? 4. What other costs (legal liability, reputation damage) could be incurred by attacks on asset?

5 Evaluating Risk 1. Which threats present danger to asset? 2. What components of security (CIA) are threatened in which states of information? 3. What vulnerabilities exist that could lead to exploitation of asset? 4. What security controls could mitigate those vulnerabilities?

6 Components of Security Integrity Confidentiality Availability

7 Other Security Components Authenticity Anonymity Assurance

8 States of Information 1. Storage: information in memory or disk that is not currently being accessed. 2. Processing: information currently being used by processor. 3. Transmission: information in transit between one node and another on a network. Is your information protected in all three states?

9 Security Controls Security controls are policies, technologies, or human factors that avoid, reduce, or counteract security risks. Controls act in three main ways: Prevention: prevent attackers from violating security policy. Ex: firewall. Detection: detect attackers violation of security policy. Ex: anti-virus. Recovery: stop attack, assess and repair damage. Ex: backups.

10 Prevention Firewalls Prevent unauthorized network connections. Authentication Prevent unauthorized users from using system. File Access Control Prevent unauthorized access to files. Cryptography Prevent confidentiality violation even if intruder has access to data.

11 Detection Change management process Require security approval of network changes. Intrusion detection Automated network and/or host based intrusion detection systems. Network scans Audit network for rogue/missing machines. Verify security status of each network device. Log monitoring Monitor sensitive logs (e.g. firewall) in real time.

12 Recovery Snapshots Filesystem and VM snapshots allow reversion to a previous correct state of the system. Version Control Systems Version control systems like git allow sets of files to be reverted to a previous correct state. Configuration Management Systems like puppet automatically deploy servers based on configuration stored in a version control system. Backups Off-system/site backups permit recovery when all is lost.

13 Evaluating Security Controls 1. What assets are you trying to protect? 2. What are the risks to those assets? 3. How well does the security control mitigate those risks? 4. What additional risks does the security control cause? 5. What costs and trade-offs does the security control impose?

14 Authentication Authentication is the act of verifying than an entity is who or what they claim they are. Authentication can be based on 1. What the entity knows (e.g., passwords) 2. What the entity has (e.g., access card) 3. What the entity is (e.g., fingerprints) Or a combination of two or more of 1..3, which is known as Multi Factor Authentication (MFA).

15 Access Control

16 Cryptography The message M is called the plaintext. Alice will convert plaintext M to an encrypted form using an encryption algorithm E that outputs a ciphertext C for M. Sender Communication channel Recipient encrypt decrypt ciphertext plaintext plaintext shared secret key Attacker (eavesdropping) shared secret key

17 Detection Outcomes Actual Result Good Bad Measured Result Good Bad True Positive False Positive False Negative True Negative

18 Security Principles Compromise recording Economy of mechanism Fail-safe defaults Work factor Complete mediation Security Principles Psychological acceptability Open design Least common mechanism Least privilege Separation of privilege

19 Defense in Depth Data Application Host Internal network Perimeter Physical security Policies and procedures Authentication, ACLs, encryption, backups Secure programming, input validation, black and white box testing OS hardening, authentication, security patch management, AV, HIDS, nmap, and vulnerability scans Network segments (VLANs), NIDS, firewall, Nmap, and vulnerability scans Firewalls, border routers, VPNs, wireless security (802.11i) Guards, locks, cameras, RFIDs Security policies, procedures, and education

20 Threat Model A threat model describes which threats exist to a system, their capabilities, resources, motivations, and risk tolerance. Also known as an adversary model. Are you worried about broad or targeted threats? Are your threats able to develop their own tools or just use off the shelf tools? Do you keep enough data about historical incidents to know capabilities and motivations?

21 Who are the threats? IBM X-Force 2012 Trend and Risk Report

22 Incident Response 1. Preparation for attack (before attack detected) 2. Identification of attack 3. Containment of attack (confinement) 4. Damage assessment 5. Preserve evidence (if necessary) 6. Eradication of attack (stop attack) 7. Recovery from attack (restore to secure state) 8. Follow-up to attack (analysis and other actions)

23 Learning More at NKU Minors and Certificates Minors: Information Security, Computer Forensics Certificate in Cybersecurity (BS/IT cybersecurity track) Classes BIS 382: Principles of Information Security CIT 430: Computer Forensics CIT 484: Network Security CIT 481: Cybersecurity Capstone CSC 482: Computer Security CSC 483: Cryptology

24 Local Security Groups NKU Cyber Defense Team Cincinnati Digital Forensics Working Group Infragard Ohio Information Security Forum OWASP Cincinnati

25 Local Security Events Bsides Cincy (May) Ohio Infosec Forum Dayton, OH) DerbyCon Louisville, KY) NKU Annual Security Symposium (October)

26 Certifications General CISSP and related certifications from (ISC) 2 CISM from ISACA Security+ from CompTIA Technical GIAC certificate family from SANS Certified Ethical Hacker (CEH) from EC-Council Government CNSS 4011, 4012, and 4013 CAE (Cybersecurity Certificate) Vendor Specific CCNA Security, CCNP Security, CCIE Security

27 Security Careers Threat analysis and intelligence gathering Digital Forensics System and Data Administration Network Administration and Defense Systems Security Analysis Vulnerability Assessment and Management Incident Response Penetration Testing Information Systems Security Management

28 Job Titles Security Analyst Security Auditor Security Engineer Security Architect Security Administrator Security Specialist Forensic Analyst Incident Responder Malware Analyst Penetration Tester Vulnerability Researcher Job Prefixes Application Data Computer Information Mobile Network Software System Web

29 Released under CC BY-SA 3.0 This presentation is released under the Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license You are free: to Share to copy and redistribute the material in any medium to Adapt to remix, build, and transform upon the material to use part or all of this presentation in your own classes Under the following conditions: Attribution You must attribute the work to James Walden, but cannot do so in a way that suggests that he endorses you or your use of these materials. Share Alike If you remix, transform, or build upon this material, you must distribute the resulting work under this or a similar open license. Details and full text of the license can be found at