Information Security: The Big Picture - SANS GIAC © 2000

Slide 1: Information Security: The Big Picture – Part VI
Stephen Fried

Slide 2: Certificates
• Certificates match an identity with a public key
• Similar to a driver's license or passport
• Validated by a Certificate Authority
• Certificates have many uses
  – Encryption
  – Authentication
  – Verification

Most of us have either a driver's license or a passport. These are official government documents that match an external representation of yourself (in this case, your picture) with an official recognition of your identity, for example a government or state seal. By presenting one of these documents you can reasonably prove your identity to someone. (OK, many of us had fake driver's licenses when we were kids, but let's ignore those for now.)

There is an equivalent concept in the information security world. It's called a "certificate." A certificate is a small, digitally signed data structure (not a piece of executable code) that matches an external representation of yourself (in this case your public key) with an official recognition of your identity. So, for example, you might have a certificate that says "Public Key 12345 belongs to Alice Smith." Just as the Motor Vehicle Agency vouches for licenses in the real world, there is an agency that vouches for certificates in the computer world. It's called a Certificate Authority, or CA. A CA is a group or agency that issues, signs and manages collections of certificates for use in encryption and verification. We'll talk more about Certificate Authorities in the next slide.

There are many uses for certificates, and more are being found every day. Essentially, every time you need access to someone's public key, you can look that person up in the CA's registry to get their key. And because the CA is supposed to validate the identity of the person before certifying their key, you can be reasonably assured that the key is legitimate for that person. Note the word "reasonably": the assurance is only as good as the CA's identity-checking procedures and the protection of its signing key, so an application should trust only CAs it has been deliberately configured to trust.
Likewise, when you receive a key and certificate from someone, you can verify the CA's signature on the certificate (and check the CA's registry) to confirm that the key you received is indeed the legitimate key for that person.

Slide 3: X.509
• ISO/ITU Authentication Framework
• Provides for authentication across networks
• Binds a unique name for a user to a public key
• Provides structure for public key certificates
• Contains identifying info
  – version, algorithm, CA name, valid dates, etc.

If the world is moving toward the use of certificates, there must be some formal standard for specifying the use and format of certificates. There is. It is the Authentication Framework of the X.500 directory standards, published by the ITU as Recommendation X.509 (and by ISO/IEC as 9594-8), and more commonly known simply as X.509. The X.509 standard provides the framework for handling authentication across systems and networks. X.509 also defines a structure that public key certificates must follow in order to be universally accepted.

There are three primary pieces of information in an X.509 certificate. The first is the Distinguished Name, or DN: a unique name assigned to each user (the certificate's subject). The second is the user's public key. The third is the digital signature of the Certificate Authority that issued and certified the certificate. The signature covers the entire body of the certificate, so any change to the name, the key or any other field invalidates it. Without these three vital pieces of information the certificate is useless for authentication or non-repudiation.

These are not the only pieces of information in a certificate. A valid certificate also contains the version number of the certificate format. There have been several versions of the X.509 format; the current version is version 3, which added extensions such as key usage and basic constraints. There is also an identifier for the signature algorithm used to sign the certificate; without knowing what algorithm was used, there is no way of verifying the signature. The certificate also names its issuer (the CA's own DN), which is what lets an application find the CA certificate it needs to check the signature. Finally, a certificate contains a validity period.
These are the "not valid before" and "not valid after" dates: the window during which the CA vouches for the binding (the start of the window is usually, but not necessarily, the date the certificate was issued). Applications should always check that a certificate they are using or accepting is within its validity period, and should reject it outright rather than merely warn when it is not.

Slide 4: Certificate Issues
• Multiple CAs
• CA Trust

Like everything else in the information security world, the use of certificates is not as clean and easy as you might first think. This slide describes some of the issues you may need to be concerned with before you begin using certificates.

The first, and most important, fact is that there is no single Certificate Authority for everyone. Maybe someday there will be, but for now we must deal with the fact that there will be multiple CAs for a long time to come. There can also be many different kinds of CAs. You may have a CA run by your employer that certifies keys for your business dealings, a second CA run by your bank that certifies your keys for Internet purchases, and a third CA run by your brokerage for your stock trading account.

Consider the situation as similar to the credit card industry today. You probably have more than one credit card and you use each for different types of purchases. However, the credit card industry is mature enough that whatever card you use, it will most likely be accepted by any merchant. Of course, there are still the odd cards used for specialty applications; the card issued by your wholesale grocery club probably won't be accepted for the purchase of an airline ticket. But by and large, the major cards are accepted everywhere.

Unfortunately, the CA industry is not that mature. For now, each CA issues and manages its own certificates, and an application trusts only the CAs whose certificates it has been configured with. So, for instance, you generally cannot assume that a certificate issued by your business CA will be recognized by your bank's CA, and vice versa. The good news is that the situation is changing, slowly.
We are beginning to see small alliances of CAs that trust each other's certificates. For instance, two companies that do a lot of work together might instruct their respective CAs to accept and trust certificates from either company (a practice known as cross-certification, in which each CA issues a certificate for the other CA's key). In this way, a person from Company A can send a certificate to a person in Company B. The person in Company B checks the certificate against Company B's CA. Company B's CA recognizes that the certificate was issued by Company A's CA and, since it trusts Company A's authority to issue certificates, reports back to the Company B person that the certificate is legitimate. Note that cross-certification is a deliberate, two-way business decision; it does not happen simply because two CAs both follow the X.509 format.

Slide 5: Certificate Issues
• Certificate chaining
• Certificate revocation
• The Public Key Infrastructure

Certificate chaining is another issue that must be dealt with. To show an example, imagine that HiTech, Inc., a PC manufacturing company, wants to set up its own in-house CA. Unfortunately, none of the software in use at HiTech will recognize HiTech as a CA, because HiTech's CA certificate is not in any application's list of trusted roots. So HiTech contracts with CertCo, a commercial Certificate Authority whose root certificate that software already trusts, to set up the HiTech CA: CertCo signs a certificate for the HiTech CA's key, making HiTech a subordinate (intermediate) CA under CertCo. Now when an application verifies a certificate issued by the HiTech CA, it does not initially recognize the issuer. However, as it walks up the chain it finds that the HiTech CA's certificate was in turn issued by CertCo, and that is a name it trusts. The application checks each signature along the way (user certificate signed by HiTech, HiTech certificate signed by CertCo) and accepts the user certificate only if every link holds. I could go further, but I think you get the idea. Although this is a bit of a contrived example, certificate and CA chaining is a practical solution in situations where technical, geographic, organizational or legal restrictions prevent the use of a single CA for everybody.

As people begin to use certificates more and more, there will be a need to revoke certificates.
People will move, change names or job functions, have their private keys stolen, and so on, and the certificates associated with their former roles or compromised keys will need to be revoked and replaced with new certificates. This process is called certificate revocation. In theory, certificate revocation should be easy, but in practice it is very hard. A large part of the reason is that the Certificate Authority "industry" (for lack of a better term) is still in its infancy.

Some of you may be old enough to remember when credit cards were first coming into widespread use. When you handed a merchant your card, they didn't swipe it through a reader and wait for a reply from credit card central to see if your card was valid. In those days, each merchant had a little booklet full of thousands of invalid or revoked card numbers. They would look up your number in the book; if it was there, your card was invalid, and if it wasn't, the card was OK and they would process your charge. It was a large, manual, painful system for both merchant and customer, but it worked because the technology to automate the transaction had not yet been developed.

Certificate Authority technology is at the same stage of development. The X.509 equivalent of the booklet is the Certificate Revocation List (CRL): a list of revoked serial numbers, signed by the CA and republished on a schedule, which an application must fetch and search before accepting a certificate. The equivalent of calling credit card central, an online status query to the CA (OCSP), has been standardized but is not yet widely deployed. Either way, an application that skips the check will happily accept a certificate for a stolen key right up to its expiry date. There are many processes that are difficult, manual and sometimes painful to go through, but eventually somebody will develop technology that ties it all together. Let's just hope that day comes sooner rather than later.

Finally, a last word about encryption and certificates. All the things we have discussed in the last few slides (the encryption, certificates, certificate authorities, trust, chaining, revocation, etc.) are part of a concept called the Public Key Infrastructure, or PKI. PKI describes all the processes, policies, procedures and technologies used to enable the use of certificates for identification, authorization and encryption.
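Slides 3 through 5 describe the X.509 fields (subject DN, public key, issuer, validity dates, CA signature), chaining from an in-house CA up to a commercial root, and revocation. The following Go program, using only the standard library, is an added example and not part of the original course material: it builds the HiTech/CertCo hierarchy from slide 5 with freshly generated keys, verifies a user certificate up the chain, shows that the same check fails once a certificate is outside its validity dates or when the chain does not reach the root the application actually trusts, and then publishes and checks a CRL. All names, serial numbers and lifetimes are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI: a constructed hierarchy with hypothetical names (root "CertCo",
// subordinate "HiTech CA", one HiTech user). SubKey lets HiTech sign a CRL.
type DemoPKI struct {
	Root, Sub, Leaf *x509.Certificate
	SubKey          *ecdsa.PrivateKey
}

// mint generates a P-256 key and issues a certificate binding cn to it for
// `days` days. A nil parent means self-signed (a root); otherwise parentKey signs.
func mint(cn string, serial int64, days int, isCA bool, now time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: isCA,
		NotBefore:    now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, days),
	}
	if isCA { // only a CA may sign certificates and CRLs
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil { // self-signed: the certificate vouches for itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildDemoPKI issues root -> subordinate CA -> user certificate ("this public
// key belongs to Alice Smith"); user certificates live shorter than CA ones.
func BuildDemoPKI(now time.Time) (*DemoPKI, error) {
	root, rootKey, err := mint("CertCo Root CA", 1, 3650, true, now, nil, nil)
	if err != nil {
		return nil, err
	}
	sub, subKey, err := mint("HiTech CA", 2, 365, true, now, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := mint("Alice Smith", 1001, 90, false, now, sub, subKey)
	if err != nil {
		return nil, err
	}
	return &DemoPKI{Root: root, Sub: sub, Leaf: leaf, SubKey: subKey}, nil
}

// VerifyChain does what a relying application must: every signature up to a
// trusted root checks out and every certificate is within its dates at `now`.
func VerifyChain(leaf, sub, root *x509.Certificate, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now})
	return err
}

// IssueCRL has the HiTech CA sign a revocation list (the "booklet") naming one certificate.
func IssueCRL(p *DemoPKI, now time.Time, revoked *x509.Certificate) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}}}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, p.Sub, p.SubKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// IsRevoked verifies the CRL's own signature before believing it (a forged or
// substituted list could "un-revoke" a stolen key), then looks up cert's serial.
func IsRevoked(crl *x509.RevocationList, issuer, cert *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	p, err := BuildDemoPKI(time.Now())
	fmt.Println("built:", err == nil, "chain verifies:", err == nil && VerifyChain(p.Leaf, p.Sub, p.Root, time.Now()) == nil)
}
```

The functions return results rather than print them so that a caller can act on the outcome. Two design points mirror the slides: VerifyChain is given only the root it has chosen to trust, so a certificate that chains to some other "CertCo Root CA" with a different key is rejected as an unknown authority; and IsRevoked refuses to consult a CRL that was not signed by the issuer, because a revocation check that trusts an unauthenticated list is no check at all.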
The deployment of a successful PKI is an essential step for anybody who wants to deploy a successful e-commerce service.

Slide 6: Encryption Export/Import Issues
• Many governments regulate encryption
  – Import
  – Export
  – Domestic use
• Check with legal counsel before importing or exporting your encryption technology

If you plan to use encryption globally for your business, you should be aware that many countries, including the United States, restrict the use of encryption technology in some form or another. The term "encryption technology" is somewhat vague and is interpreted differently by different countries, but it usually means hardware or software that can be used to encrypt information for storage or transmission.

The restrictions usually fall into one of three categories. The first is import: some countries restrict the importation of encryption technology, meaning you can't bring encryption devices or software into the country without some sort of license or permit from the government, and some countries do not allow any encryption to be imported at all. The second is export: some countries restrict the export of encryption technology out of the country. The US is among these, although recent changes in its export regulations have relaxed the restrictions somewhat. The third is domestic use: some countries restrict the use of encryption within their borders, whether by their own citizens or by visiting foreign nationals.

As stated before, the laws and regulations differ from country to country, they often change without notice, and understanding them takes a lot of skill and education. If you are planning to use or distribute any product or service that uses encryption, always consult an attorney who specializes in export law before proceeding; note that "uses encryption" covers not only encryption software you wrote yourself but also products that merely bundle or call someone else's encryption library. Failing to do so can result in delayed distribution of your product, fines for your company, or even jail in extreme cases.
Slide 7: Privacy
• "The right to be let alone"
• Interpreted differently in different countries
• Is often mandated by law
• Is often expected on the Internet
• Personal privacy vs. corporate privacy
• Companies should have a "privacy policy" for customer information
• Individuals should expect one

Privacy means many things to many people. Supreme Court Justice Louis Brandeis once described privacy as "the right to be let alone." However, that is just one facet of privacy. Generally, privacy is the expectation that personal information about yourself (your physical characteristics, your friends, your medical information, your political beliefs, and so on) is your property, and that the decision as to whether anyone else has the right to know that information is yours and yours alone.

Privacy is also interpreted differently in different legal systems. In the United States, the right to privacy is not explicitly granted in the Constitution, but court cases and legal precedent have given US citizens certain specific rights to privacy. In other countries, privacy is an explicit right granted to the people by their governments. Unfortunately, there are still some countries where citizens have no right to privacy at all.

There is also a difference in your privacy rights when you are acting as an employee of a company. Although you may have privacy protection under your country's laws, many companies specifically tell their employees that within their roles as employees they have no expectation of privacy. The company may have the right to examine your work, your e-mail, your phone conversations, or anything else you do as an employee. Check with your employer to see what your company's policy is.
Whether or not a specific country or company affords its people privacy rights, privacy is something citizens of the Internet have come to expect in many of the transactions that occur every day, particularly business and financial transactions. As you wander through the Internet, you leave little traces of yourself and your travels at every site you visit (your network address, your browser type, the page you came from, and whatever the site stores in cookies). However, there are services which allow you to retain some of your privacy on the Internet. Anonymous remailers strip the originating headers from your e-mail and forward it, so that the recipient cannot tell who sent it. Web anonymizers relay your browsing through an intermediary and strip identifying information from your browser's requests, so that the web sites you visit cannot identify you. Note that in both cases you are moving your trust from the destination to the intermediary, which sees everything you send.

Over the past few years, the concept of a "privacy policy" has come into existence. A privacy policy tells customers or associates of a company how that company will use personal information about them. Privacy policies vary from company to company, but most deal with the collection of personal information, the giving or selling of that information to other companies, and the customer's option to correct or remove their information from the company's databases. As the concept becomes more prevalent, customers will expect to see a privacy policy on the web sites they visit, and will begin to avoid web sites that do not have one. Privacy is a sensitive and sometimes controversial issue, and one that will be around for a long time to come.
Slide 8: OECD Privacy Guidelines
• "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data"
• Regulate the collection and flow of personal information across national borders
• Member countries must conform to existing privacy laws
  – Extends to those exchanging personal data with member countries
• "Personal Data" means any information relating to an identified or identifiable individual

In response to the growing concern over privacy, and the apparent lack of care that many organizations take to protect the privacy of their customers and employees, the Organization for Economic Cooperation and Development (OECD) adopted the "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data" in 1980. The OECD is a broader body than the European Union and its Guidelines are recommendations, not binding law. The European Union later wrote the same principles into law as the Data Protection Directive (Directive 95/46/EC), commonly called the EU Privacy Directive: adopted in 1995 and in force in the member states from the fall of 1998, it was one of the first organized international attempts to make protection of personal information a matter of law, subject to legal and, more importantly, economic penalties for failure to afford such protection.

The overall principle of the Guidelines is that organizations must regulate the collection and flow of personal information about people. This includes protecting the information within an organization and, particularly, when transferring it across national borders, whether between member countries or between member and non-member countries. The Guidelines state that member countries must abide by existing national and international privacy laws. This also extends to non-member countries that need to exchange personal data with member countries. The Guidelines center around the concept of "Personal Data," also often referred to as Personally Identifiable Information (PII).
Personal Data is any information that relates to an identified person, or that can easily lead to the identification of an otherwise unnamed person. Thus, a statement such as "half the people in this group have a rare disease" is not necessarily Personal Data, whereas "John, Mary, and Sue have a rare disease" would be considered personally identifiable information. Another example: the statement "the person living at 123 Main Street is a Communist" contains personal data, because even though no specific person was named, if only one person lives at 123 Main Street you've pretty much got them pegged.

The Guidelines state that member countries should take all reasonable and appropriate steps to ensure that transborder flows of personal data are uninterrupted and secure. They should permit free flow to countries that comply with the Guidelines, but they may restrict certain types of data. In addition, member countries should avoid developing laws that would create obstacles to transborder flows of personal data exceeding what is needed to protect it. They must provide the means by which individuals can enforce their privacy rights and ensure that there is no unfair discrimination against the subjects of data collection.

Slide 9: OECD Privacy Guidelines: Principles
• Collection Limitation
• Data Quality
• Purpose Specification
• Use Limitation
• Security Safeguards
• Openness
• Individual Participation
• Accountability

The Guidelines set out eight distinct principles that member countries should abide by. The Collection Limitation Principle states that there should be limits to the collection of personal data; any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. The Data Quality Principle states that personal data should be relevant to the purposes for which it is to be used and, to the extent necessary for those purposes, should be accurate, complete and kept up to date.
The Purpose Specification Principle states that the purposes for which personal data are collected should be specified no later than the time of collection, and that subsequent use should be limited to the fulfillment of those purposes or purposes compatible with them. The Use Limitation Principle states that personal data should not be disclosed, made available or otherwise used for purposes other than those specified, except with the consent of the data subject or by authority of law. The Security Safeguards Principle states that personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure. The Openness Principle states that there should be a general policy of openness about developments, practices and policies with respect to personal data; means should be readily available to establish the existence and nature of personal data, the main purposes of its use, and the identity and usual residence of the data controller. The Individual Participation Principle states that an individual should have the right to find out whether a data controller holds personal data about them, to obtain that data within a reasonable time and at a charge, if any, that is not excessive, to be given reasons if such a request is denied and to challenge the denial, and to challenge the data itself and, if the challenge succeeds, to have the data erased, rectified, completed or amended. The Accountability Principle states that a data controller should be accountable for complying with measures that give effect to the other principles.
Slide 10: Privacy's "Safe Harbor"
• US approach is different from the EU approach
• Concerns with "adequacy" standard
• Organizations within the "Safe Harbor" would be presumed "adequate"
• Organizations can come within Safe Harbor by self-certification

While the EU Directive works fine for members of the European Union, it does not necessarily coincide with practices in other parts of the world, particularly the US. The US approach to privacy is markedly different from the EU's. In the US, citizens have an expectation of privacy in many circumstances and that expectation has been upheld by several landmark court cases. However, the US does not have a comprehensive national privacy law as many European countries do. Privacy law is mostly left to the individual states (and to a handful of sector-specific federal statutes), making uniform national enforcement next to impossible. The end result is that different organizations in the US treat privacy differently.

Unfortunately, the EU Directive (Article 25) specifies that member states may transfer personal data to a country outside the EU only if that country provides an adequate level of privacy protection. Since there is no standardization of privacy practice in the US, most US companies technically would not pass this adequacy standard. It is for this reason that the US Department of Commerce began discussions with the European Commission to create a "safe harbor" for US companies that choose voluntarily to adhere to certain privacy principles. Under the proposal, organizations within the safe harbor would have a presumption of adequacy, and transfers from the European Community to them could continue. Organizations could come within the safe harbor by self-certifying that they adhere to those principles. According to its proponents, the proposal has several advantages. First, it provides adequate privacy protection for European citizens.
It also reflects US views on privacy and allows for relevant US legislation and public interest requirements. Finally, it provides a predictable and cost-effective framework for the private sector. The Safe Harbor principles have been under discussion for over a year and talks have stalled several times. If adopted, the arrangement would open up a large opportunity for US companies that are now threatened with an inability to share information with their European counterparts.

[...]

...ways
  – Shared disks
  – Downloaded programs
  – E-mail
• Preventing spread
  – Use good, up-to-date anti-virus software
  – Multiple levels (gateway, server, desktop)

(Slide 30) Viruses can spread in many ways. The creators of viruses are often extremely clever in the methods and lengths to which they will go to spread their destruction. In the old days, before the [...]

[...] In either case, the user then has a response, which he sends off to the server. The server, meanwhile, has not been idly standing by waiting for the response; it has calculated its own response to the challenge. When the response comes back from the user, the server compares the user's response to the one it generated and is expecting. If the two match, the user is authenticated and the processing [...]

[...] Server

(Slide 23) There are four components of a Kerberos system. First is the Kerberos client. This is the computer used by the user to run applications and work interactively with the network. The second piece is the Kerberos Authentication Server. This is the server that handles authentication services for clients. The third component is the Ticket Granting [...]

[...] systems. The server then sends the challenge to the user. The user must then do something with that challenge in order to obtain the proper response. Typically, the challenge is entered into a hand-held device along with a PIN or password; the device takes this information and generates the response. In other cases, the user looks up the challenge in a table or database to determine what the appropriate [...]

[...] a virus-infected program as an attachment. When the user executes the program, the virus is launched. Typically, the virus will go through the user's address book, sending copies of itself to everybody on that list. Preventing the spread of viruses is no simple matter. It requires a complete anti-virus approach. The best defense is to select and use a good anti-virus package. There are many good ones on the [...]

[...] that have not yet implemented one of the newer authentication protocols. One of the basic problems with PAP is that the password never changes and it is sent to the authentication device in the clear over the network. If an attacker learns the password for the device (which is generally easy to do, since anyone who can see the traffic can read it) they will be able to replay that password to authenticate their own device. In general, PAP is seen as a weak [...]

[...] devices
• Weak authentication

(Slide 17) The Password Authentication Protocol (PAP) was one of the first protocols in widespread use and is one of the most basic. PAP uses a static password for authentication and provides that password whenever it is requested. The PAP protocol is supported on many types of network devices, particularly older devices that [...]

[...] encryption

(Slide 20) One of the earliest of the more advanced authentication protocols was the Terminal Access Controller Access Control System, or TACACS. TACACS was developed to allow terminal servers (devices that attach dial-up devices like modems to networks) to authenticate users before allowing them access to the network. The terminal servers are the "Terminal [...]

[...] the disk called the boot sector. The boot sector instructs the computer how to load the operating system from the rest of the disk. If the boot sector is infected, the computer can be instructed to destroy data or perform other malicious tasks before the operating system ever loads. System infectors alter the machine code or operating system portions of the computer. By replacing portions of the operating system with virus-infected code, the [...]

[...] insert themselves into these packages and, when the user starts the program, the virus executes and begins its work. Because most macro systems allow the program to run operating system commands, macro viruses can be extremely creative in the damage they do. For example, many of the most recent macro viruses instruct their programs to open the user's e-mail package and send e-mail to everyone in the [...]