The Security State of Mind

Chet Uber
CTO/World Media Company
1999 CERT Conference Tutorial
Chet’s Disclaimer
The opinions expressed are mine and mine alone; they are not those of my employer, World Media Company, or our parent, The Omaha World-Herald.
- If you are easily upset by nontraditional, in-your-face discussions of security methodology, you had better leave now.

Presentation Premise

The danger posed by intruders and those that wish you harm is FAR underestimated. We have not seen the tip of the iceberg, and the only folks that really understand the implications are the NSA, DOD and DOE. The statement concerning the NSA, DOD and DOE is conjecture on my part.
What is the Security State of Mind (SSM)?

The Security State of Mind has to do with using every means at your disposal to design and implement unwavering Security-in-Depth. A sign that you have the SSM is when upper management and your coworkers constantly say, “You are really being paranoid about this.”

The proof that you have the SSM is that you know your paranoia is really just your very clear picture of the reality of the situation at hand.
- One of the tenets of the SSM is the understanding that business is war, and that everyone is a potential enemy.

What the SSM tells us!
- There is no such thing as a “100% secure system or network.”
- Human beings are the weakest link in the implementation of security policies.
- There is a trade-off between the amount of security and usability.

‘State of the Union’ address for the networked open system environment

“The security field is neither stable nor globally understood, and with the inclusion of the Internet has led to a condition where … greater than 75% of these networks are highly vulnerable”
-- July 1999, ISS Inc.
A recent report was prepared by WarRoom Research, LLC in support of the Senate’s Permanent Subcommittee on Investigations, which involved, among others, the FBI, Ernst & Young LLP/InformationWeek, the Computer Security Institute, the GAO, and the U.S. Military Services.

The following conclusions were put forward in the WarRoom report ...
- “The human threats are growing in numbers and sophistication.”
- “61% of those organizations responding to the WarRoom Survey had experienced an internal attack within the past 12 months.”
- “58% of those organizations responding to the survey had experienced an external attack within the past 12 months.”
- “The vulnerability conditions associated with our networks are well known and understood.”
- “Vulnerability is worsened by the availability of free hacker tools on the Internet.”
- “Over 45% of the reported attacks were associated with advanced technical hacking techniques; for example sniffers, theft of password files, vulnerability probing/scanning, Trojan logon, etc.”
- “Incident rates are increasingly alarming”
- “The impact associated with attacks continues to move up and off the chart.”
- “Over 45% of the internal attacks resulted in losses over $200,000.”
- “Over 15% of the internal attacks resulted in losses over $1,000,000.”
- “Over 50% of the external attacks result in losses over $200,000.”
- “Over 17% of the external attacks resulted in losses over $1,000,000.”
In broad terms, what should be done by those with the SSM; and why traditional security measures are not enough!

Making A Good Start!
- Definition of sound processes.
- Creation of meaningful and enforceable security policies.
- Proper implementation of organizational safeguards.
- Establishment of ways in which security can be measured.

Direct Risk Mitigation
- Identification and Authentication
- Encryption
- Access Control
- Note* - This interim step can give a false sense of security.

Risk Analysis
+ Policy
+ Direct Technical Countermeasures
= Traditional Security Safeguards

This is 40-60% of the overall solution when implemented properly.
Items not addressed by the Traditional Approach
- An active, highly knowledgeable, evolving threat
- The greatly reduced network security decision and response cycle
- Low user awareness levels
- Highly dynamic vulnerability conditions

A Solid Security Program
- Adhere to sound standardization processes
- Implement valid procedures and technical solutions
- Provide for system audits intended to support potential attack or system misuse analysis

Adaptive Security Model

Traditional Security Safeguards
+ Threat/Vulnerability Monitoring
+ Threat/Vulnerability Detection
+ Threat/Vulnerability Response
= Adaptive Security

- Ensure all applicable vulnerabilities are secured across the entire network.
- Ensure all systems are configured in a secure manner consistent with organizational policy.
- Ensure all potentially hostile threats are detected, monitored, and responded to in a timely, appropriate manner.
- Provide real-time, on-the-fly technical reconfiguration of threat access routes.
- Provide timely security alerts and tasking to those responsible for addressing network threats and vulnerabilities.
- Provide accurate network security audit and trends analysis data in support of security program planning and assessment efforts.
Two examples of a dramatic change in knowledge based in real world experience.

The EFF’s Project “Deep Crack”
The EFF led a concerted effort to develop a machine specifically designed to break DES encryption. This effort was funded with a $250,000 grant and produced a machine that rendered keys in days and finally hours. A book, “Cracking DES”, includes all the schematics and code. The design is such that the application of $MONEY$ would accelerate the time to minutes. There are literally millions of DES protected files.
PRESS RELEASE
CWI, Amsterdam - August 26, 1999
Security of E-commerce threatened by 512-bit number factorization

“On August 22 1999, a team of scientists from six different countries, led by Herman te Riele of CWI (Amsterdam), found the prime factors of a 512-bit number, whose size models 5% of the keys used for protection of electronic commerce on the Internet. This result shows, much earlier than expected at the start of E-commerce, that the popular key-size of 512 bits is no longer safe against even a moderately powerful attacker. The amount of money protected by 512-bit keys is immense. Many billions of dollars per day are flowing through financial institutions such as banks and stock exchanges.”

“The factored key is a model of a so-called "public key" in the well-known RSA cryptographic system which was designed in the mid-seventies by Rivest, Shamir and Adleman at the Massachusetts Institute of Technology in Cambridge, USA. At present, this system is used extensively in hardware and software to protect electronic data traffic such as in the international version of the SSL (Security Sockets Layer) Handshake Protocol”

“Apart from its practical implications, the factorization is a scientific breakthrough: 25 years ago, 512-bit numbers (about 155 decimals) were thought virtually impossible to factor. Estimates based on the then-fastest known algorithms and computers predicted a CPU time of more than 50 billion (50 000 000 000) years. The factored number, indicated by RSA-155, was taken from the "RSA Challenge List", which is used as a yardstick for the security of the RSA cryptosystem.”

“In order to find the prime factors of RSA-155, about 300 fast SGI and SUN workstations and Pentium PCs have spent about 35 years of computing time. The computers were running in parallel -- mostly overnight and at weekends -- and the whole task was finished in about seven calendar months.”

“The following organizations have made their workstation and PC computing power available to this project: Centre Charles Hermite (Nancy, France), Citibank (Parsippany, NJ, USA), CWI (Amsterdam), Ecole Polytechnique/CNRS (Palaiseau, France), Entrust Technologies (Ottawa, Canada), Lehigh University (Bethlehem, Pa, USA), the Medicis Center at Ecole Polytechnique (Palaiseau, France), Microsoft Research (Cambridge, UK), Sun Microsystems Professional Services (Camberley, UK), The Australian National University (Canberra, Australia), University of Sydney (Australia).”

“In addition, an essential step of the project which requires 2 Gbytes of internal memory has been carried out on the Cray C916 supercomputer at SARA (Academic Computing Centre Amsterdam).
Given the current big distributed computing projects on Internet with hundreds of thousands of participants, e.g., to break RSA's DES Challenge or trace extra-terrestrial messages, it is possible to reduce the time to factor a 512-bit number from seven months to one week. For comparison, the amount of computing time needed to factor RSA-155 was less than 2% of the time needed to break RSA's DES challenge.”
The number and the found factors are:
RSA-155 = 10941738641570527421809707322040357612003732945449205990913842131476349984288934784717997257891267332497625752899781833797076537244027146743531593354333897
= 102639592829741105772054196573991675900716567808038066803341933521790711307779
* 106603488380168454820927220360012878679207958575989291522270608237193062808643
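To check the release’s claim rather than take it on faith, here is an added example (not from the tutorial or from CWI): Python that verifies the quoted RSA-155 factorization with a Miller-Rabin primality test and then audits an RSA modulus for the 512-bit weakness the release describes. The 1024-bit policy floor in audit_modulus is an assumed value used for illustration.

```python
import random

# RSA-155 modulus and its two prime factors, digits as quoted in the CWI
# press release above (the line breaks on the slide are joined here).
RSA_155 = int("10941738641570527421809707322040357612003"
              "73294544920599091384213147634998428893478"
              "47179972578912673324976257528997818337970"
              "76537244027146743531593354333897")
P = int("10263959282974110577205419657399167590071"
        "6567808038066803341933521790711307779")
Q = int("10660348838016845482092722036001287867920"
        "7958575989291522270608237193062808643")


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; a fixed seed keeps the result repeatable and
    32 rounds bound the false-positive probability below 4**-32."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:          # write n - 1 as d * 2**r with d odd
        d //= 2
        r += 1
    rng = random.Random(155)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # the base is a witness: n is composite
    return True


def verify_factorization(n: int, p: int, q: int) -> bool:
    """True only if p and q are (probable) primes whose product is n."""
    return p * q == n and is_probable_prime(p) and is_probable_prime(q)


def audit_modulus(n: int, min_bits: int = 1024) -> str:
    """Classify an RSA modulus by size for a key-strength audit. The
    1024-bit policy floor is an assumed value for illustration; the page
    only states that 512 bits is no longer safe."""
    bits = n.bit_length()
    if bits <= 512:
        return f"REJECT: {bits}-bit modulus is factorable (cf. RSA-155)"
    if bits < min_bits:
        return f"WARN: {bits}-bit modulus below policy minimum {min_bits}"
    return f"OK: {bits}-bit modulus"
```

Running verify_factorization(RSA_155, P, Q) returns True and audit_modulus(RSA_155) flags the 512-bit modulus as REJECT.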
A broad stroke view of things that are typically of interest to Network Security Administrators. Note the vast scope of topics is not at all inclusive.
* taken from a typical IT security schedule
Overview of Network Security
- Defining the problem
- Security Policy
- Attacker Methods
- Incident Response
- Legal Considerations

Network Services
- Client/Server Computing
- UNIX versus Windows NT

Attack Methods
- Types of attacks
- Misadministration
- Software Bugs
- Denial of Service

Logging, Auditing, and Detection
- UNIX versus Windows NT
- Auditing
- Vulnerability Detection
- Vulnerability Detection Tools
- Intrusion Detection

WWW Security
- General Server Security
- WWW Server Security
- WWW Client Security

An Overview of Firewalls
- Firewall versus Host Security
- Categories of Firewalls
- The Weaknesses of Firewalls

Packet Filters
- TCP/IP Packets
- Packet Filters and the Client/Server model

Proxy Servers
- Definition: Proxy Servers
- Gauntlet Firewall
- Firewall-1

Firewall Architecture
- Bastion Hosts
- The dual-homed screening router
- The dual-homed bastion host
- The dual-homed Proxy server
- The screened Bastion Host
- Screened subnet
- The screened subnet architecture

Firewall Architecture (2)
- The multiple bastion host approach
- Belt-and-Suspenders

Secure Communications and Authentication
- Features of cryptography
- Classes of cryptographic systems
- Digital Signatures
- Applications of encryption
SSM Standard Operating Procedures
The Essence
The Attitude
Some Basic Tasks

For the love of Pete -- turn on accounting, and make it as granular as possible.

Just because you are paranoid does not mean they aren’t out to get you.

When your boss tells you that you are over-reacting and just plain paranoid, tell him that someone has to be; and that paranoia is just a case of seeing things clearly.

ROI is not always a good indicator of success in the security arena; and neither is TCO. Sometimes it costs what it costs.
Too Darn Bad (TBD)
- There is always a trade-off between ease of use and security. If a policy meets resistance because of its effect on the end-user, tell them TBD.
- TBD should be what you say to yourself. What you say to the user is that it is policy from the highest level.
- TBD is the mildest form of this attitude.

Log, Log, Log, Log, Log, Log and Log some more
- Employ logging at the system level, as well as using additional tools.
- Log all systems via serial connection to a central system, which is not connected to the network in any way.
- Print a paper log from the central system. Consider using special paper.

You have to make a decision in the beginning about whether or not you have the intestinal fortitude, the endurance and the money to do what needs to be done to prosecute the intruders.

An unbroken chain of evidence is essential in order to prosecute. This means time-stamped logs and other auditing and accounting measures.
Public Key Cryptography
IKE - Internet Key Exchange
PKI - Public Key Infrastructure
End-user Hardware
- Remove or disable floppy drives.
- Disable CD-ROM drives.
- Enable BIOS passwords.
- Physically cover all serial, USB, parallel, SCSI and other ports that are not used.
- Employ something you own, something you know, and something you are.

End-User Software
- Lock down all desktops and install software via a standardized and secure methodology. Many products are available for this function.
- When the end-users complain about the fascism and low productivity, remember that it is just TBD.

Switching to the Desktop
- There is a very real internal threat in hub-based access level schemas. The end-users have the ability to sniff traffic that is not theirs.
- Switching allows electrical segmentation, and makes sniffing much more difficult -- and generally not possible.

Realize that there is no such thing as a secure system -- get over it and move on!
Take all steps a reasonable and prudent person would, but forget about your boss’s demands for a 100% guaranteed secured network. This is a reality check.
Top-Level Buy-in

A couple of years ago, I was sitting in on a company that had brought in a “Deming” statistical improvement specialist. Half way through, the President and General Manager got up and said very vocally, “This is not something I need to be concerned about.” Imagine the effect on the rest of the attendees.
Employ Intrusion Detection Technologies
There is a great benefit to employing an intrusion detection system even with the still high degree of false positives.
Encourage the open source peer-review model of development and implementation
In a recent call for papers by DARPA regarding using Windows NT for security research, every scientist made a similar statement -- “without source code to the security layer, it is impossible to determine the real security risks”
Every day there will be new threats
Get used to it, live it, breathe it, immerse yourself in it. This fact will never change, and it hampers entities from implementing anything.
Check out your People
The individuals who are ultimately responsible for the design and implementation of your security should be beyond reproach with regards to their risk factor.
- Check Backgrounds
- Monitor
- Be Vigilant

Employ a Password Escrow System
- Do not let passwords to the core facility rattle around in people’s heads and on pieces of paper.
- Employ an electronic password management system (PMS) which utilizes diskettes or other media to give you access.
- The PMS should not be on the network.

Something you know.
Something you have.
Something you are.
Always look at the worst case scenario
- Designing your security policies and enforcement of the same should account for the worst case scenario.
- If I hear about how much trust someone has in so-and-so one more time, I think I will puke.
- Trust no one.

Disaster Recovery
- Disaster recovery is as important, if not more so, than security is.
- If you can’t recover from the worst case scenario, then you have a problem.
- Run drills on a regular basis, as you would fire drills.
- Always use the VERIFY option when creating backups.

MANTRAP MANTRAP
Standards organizations to be concerned with in this area include ISO, ANSI, IEEE, IETF, and W3C. Of special note is the Security Group of IETF and its various committees.
Always use conduit!
- It is very easy to place passive taps on copper wiring trunks and cables through the use of a “vampire tap” and other methodologies.
- Conduit makes rewiring easier. Make sure your pipe is fat enough to handle upgrades.
- Conduit protects cable from physical damage.

If you can afford it, use fiber
- Fiber optic cabling gives you high bandwidth today with room to grow for tomorrow; but most importantly it is almost impossible to tap passively.
- Fiber optics do not give off EMF, and are therefore not subject to the Van Eck effect, which reduces remote passive monitoring capabilities.

The watcher of the watcher of the watcher of the watcher

It is generally given as a problem in first year accounting, when the cost of additional checks and balances is feasible. Normally the “Parking Lot Attendant” is used as the example. This is a valid exercise to go through when creating layers of security.
Always practice security in Depth!
- Host-based security is not enough
- Network-based security is not enough
- Firewalls are not enough
- Physical security measures are not enough!
Fundamental Problem
- Most of you will walk out of this tutorial and say -- I knew those things.
- A large percentage of people will get back to work and still not do anything about it.
- There is Knowledge in knowing, but there is Wisdom in execution. And there is the need of strong character and persuasion to accomplish the task.

Avoid services which pass login and password information in plain text
- Use SSH instead of Telnet whenever possible.
- Make sure the version of email you have does not pass login information.

Official Motto of the Practitioners of SSM

- I will practice and teach Eternal Vigilance.
- I have a resounding will to accomplish the implementation necessary.
- I will avoid making special cases for end-users who complain about Fascism.
- I will compel management to accept the need for SSM even at the risk of losing my job (This is the acid test).