Information Assurance Foundations - SANS GIAC LevelOne © 2000, 2001
Information Assurance Foundations
Core issues and challenges
Stephen Northcutt
The SANS Institute
Hello. My name is Stephen Northcutt and the material we are going to cover this next hour is central
to understanding the theory and practice of information security. This is a foundational course,
developed for the SANS LevelOne Security Essentials certification program. When you complete
this course there will be a quiz available from the SANS web page to help reinforce the material and
ensure your mastery of it.
In the next 45 minutes or so, I am going to take you on a tour of three famous attacks to see what
lessons we can learn from them. Along the way, we are going to discuss the three key dimensions of
protection and attack. Most of you are already familiar with them. They are: confidentiality,
integrity, and availability. Throughout the LevelOne Security Essentials certification program, you
will be deploying countermeasures to protect confidentiality, integrity, and availability; and you may
experience attacks against these dimensions. We can think of these as the “primary colors” of
information assurance. By mixing and matching these (and we do mix and match, because they are
interrelated) we are able to develop either a very strong attack or a strong defense.
Agenda
• Principles of attack and defense
• Three famous attacks
• Introduction to vulnerabilities
• Basic countermeasures
• Summary
The next slide is titled “Agenda”.
This slide shows the main topics we are going to cover. We will discuss the threats that are arrayed
against our computer systems. To focus that discussion, we will be concerned with some of the more
famous attacks that have occurred. Now, information assurance can get really complex, but these
kinds of problems decompose nicely. As we work our way through the material, we are going to be
pointing out aspects of the confidentiality, integrity, and availability, in both the attacks and also the
defenses we discuss. So if you are new to security, or if you just want a quick review, the way I
think about these things is – a credit card.
Have you ever had a credit card not be accepted? Three different times in a row, when I was buying
tires at a local store in my town, my credit card did not clear. All three times, the bank said their
computers were down. Well, that is an availability attack. Well, it certainly felt like an attack to
me! I live in a small town and a lot of people know me – and so to have my card rejected was very
embarrassing. Confidentiality makes sure that no one but you knows your credit card number. An
example of a confidentiality defense is the way that “key” on the bottom of your browser turns solid
when you are executing a secure transaction: the bit stream is encrypted to foil casual
eavesdroppers. An example of an integrity attack would be telling someone they lie so much, their
own mother doesn’t believe them! (Ha ha - well, maybe that’s not exactly right.) It might be
spoofing by using someone else’s credit card, or modifying the balance of someone else’s account.
Three Bedrock Principles
• Confidentiality
• Integrity
• Availability
Your next slide is titled “Three Bedrock Principles”.
Keep in mind that the keys we have been discussing are interrelated. So, an attacker may exploit an
unintended function on a web server and use the cgi-bin program “phf” to list the password file.
Now, this would breach the confidentiality of this sensitive information (the password file). Then,
in the privacy of his own computer system, the attacker can use brute force or dictionary-driven
password attacks to crack the passwords. Then, with a stolen password, the attacker can execute
an integrity attack once he gains entrance to the system. He can even use an availability
attack as part of this overall effort to neutralize alarms and defensive systems, so they can’t report
his existence. When this is completed, the attacker can fully access the target system, and all three
dimensions (confidentiality, integrity and availability) are in jeopardy.
Now, I chose a very simple, well-known attack for a reason. A large number (in fact, an
embarrassingly large number) of corporate, government, and educational systems that are
compromised and exploited are defeated by these well-known, well-published attacks.
Now, not all the bad things that happen to computer systems are attacks per se. There are fires,
water damage, mechanical breakdowns, and plain old user error. But all of these are called threats.
We use threat models to describe a given threat and the harm it could do if the system has a
vulnerability.
The LevelOne Threat Model
• Threat
• Vulnerability
• Compromise
Vulnerabilities are the gateways by which threats are manifested.
The next slide is titled “The LevelOne Threat Model.”
On the bottom of your slide, it says that “vulnerabilities are the gateways by which threats are
manifested”. So, for a threat model to have any meaning at all, there has to be a threat. Are there
people with the capability and inclination to attack - and quite possibly harm - your computer
systems and networks? What is the probability of that happening? The probability is high that any
non-private address will be targeted several times a year. The most common countermeasure for
most organizations is to deploy firewalls or other perimeter devices. These work quite well to
reduce the volume of attacks that originate from the Internet, but they don’t protect systems from
insiders, or attacks like macro viruses which are able to pass through firewalls about 99% of the
time. We will be discussing threats in greater detail in another LevelOne course in this very same
step – it is called the “Internet Threat Briefing”.
So there is a threat, and there are certainly vulnerabilities, and when a threat is able to connect to its
specific vulnerability, the result can easily be system compromise. Again, the most common tactic is
to protect systems with perimeter devices such as firewalls. It’s cost-effective, it’s practical, and it’s
highly recommended. Even the most open universities or other research environments that require
themselves to be very open should be able to do some perimeter defense, even if they can only do it
at the department or building level, or even if they can only do it at the host level.
Now we are ready to see what the LevelOne program is designed to do. It will teach you to identify
and repair the system and network vulnerabilities that allow many of the most well-known
confidentiality, integrity, and availability attacks to succeed. In that way, if your perimeter defense
should ever fail for any reason, you greatly reduce the risk of harm.
Three Lessons From History
• Morris worm
• Kevin Mitnick
• Melissa virus
Your next slide is titled “Three Lessons From History”.
Perhaps the three most famous information security defense failures are: the Morris worm, Mitnick
attack, and Melissa virus. We don’t have time in this course to explore each of these in detail, but
you should be familiar with each of these as a security professional. As homework, please try a ‘net
search for these attacks and read a bit more. There are information security lessons that we ought to
be able to learn from these well-known attacks. In each case, there was a computer system
vulnerability, and it was exploited.
In each of the cases, there was an absence of defense in depth. In fact, in the case of the Mitnick
attack and most systems affected by the Morris worm, the exploit did not have to penetrate any
defensive perimeters. So, that’s “defense in shallow”!
As we go through each of the attacks, try to look out for the three primary security dimensions:
confidentiality, integrity, and availability. Consider how the defenses for each failed, or did not exist
in the first place. The vulnerability is listed in every case; so please note how the threat was able to
exploit the vulnerability to compromise or affect the target system(s).
The Morris Worm
• Availability attack (denial of service)
• Common vulnerabilities in fingerd and sendmail allowed rapid replication
• Internet communications effectively lost
Your next slide is titled “The Morris Worm”.
If you haven’t read Zen and the Art of the Internet, you probably should. It is available at
http://sunland.gsfc.nasa.gov/info/guide/The_Internet_Worm.html. We’ll do a small reading from that
section:
“On November 2, 1988, Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an
experimental, self-replicating, self-propagating program called a worm and injected it into the Internet. He
chose to release it from MIT, to disguise the fact that the worm came from Cornell. Morris soon discovered
that the program was replicating and reinfecting machines at a much faster rate than he had anticipated:
there was a bug. Ultimately, many machines at locations around the country either crashed or became
"catatonic." When Morris realized what was happening, he contacted a friend at Harvard to discuss a
solution. Eventually, they sent an anonymous message from Harvard over the network, instructing
programmers how to kill the worm and prevent reinfection. However, because the network route was
clogged, this message did not get through until it was too late. Computers were affected at many sites,
including universities, military sites, and medical research facilities. The estimated cost of dealing with the
worm at each installation ranged from $200 to more than $53,000.
The program took advantage of a hole in the debug mode of the Unix sendmail program, which runs on a
system and waits for other systems to connect to it and give it email, and a hole in the finger daemon
fingerd, which serves finger requests. People at the University of California at Berkeley and MIT had
copies of the program and were actively disassembling it (returning the program back into its source form)
to try to figure out how it worked.
Teams of programmers worked non-stop to come up with at least a temporary fix, to prevent the continued
spread of the worm. After about twelve hours, the team at Berkeley came up with steps that would help
retard the speed of the worm. Another method was also discovered at Purdue and widely published. The
information didn't get out as quickly as it could have, however, since so many sites had completely
disconnected themselves from the Internet.”
K. Mitnick vs. T. Shimomura
• Confidentiality, integrity and availability attack
• Reconnaissance probing to determine trust relationship (“r utilities”)
• IP spoofing to act as one side of trust relationship
• Lack of site or system perimeter defenses to retard or defeat attack
Your next slide is titled, “K. Mitnick vs. T. Shimomura”.
It was Christmas Eve, December 1994, when Kevin Mitnick executed his famous attack against
Tsutomu Shimomura. How did he defeat one of the most skilled security information professionals
in the country? Was it wizardry? No, it was a combination of basic attack principles, along with one
neat technical hack that allowed this attack to succeed.
First, there was a confidentiality attack. There was no firewall, or perimeter defense, so it was
possible to probe the facility to gather information. From the reconnaissance probing, Mitnick was
able to discover that there was a trust relationship between two of Shimomura’s systems.
Next, Mitnick exploited an availability vulnerability with an attack called a SYN flood to silence
one half of the trust relationship. With the real server unavailable, he assumed that system’s identity
by spoofing and attacked the integrity of the trust relationship. When he got control of the system,
he was able to steal many sensitive files, including closely held security programs that were virtually
irreplaceable. When considering the damage to your organization from a threat, be sure to consider
what would happen if your organization’s most important secrets were lost.
It is worth noting that even if all this had succeeded (which it did), the actual attack would have
failed if there had been one more layer of defense - such as a system perimeter like TCP Wrappers
with a “deny all computers and then only allow trusted hosts to access the system” defensive policy.
(Editor’s note: TCPWrappers would likely NOT stop this attack. Mitnick spoofed Shimomura’s
address so that Mitnick’s computer appeared to be at the address used by Shimomura. The
additional layer of defense that COULD prevent the attack from succeeding would be to configure
the border router to block incoming packets with a source address that matched the site’s internal
address. – JFK)
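The editor’s note above makes a point worth seeing in code: a host-based allow-list such as TCP Wrappers decides on the claimed source address, so a packet forged to carry a trusted host’s address passes it, while an anti-spoofing rule on the border router (drop anything arriving from the Internet that claims an internal source) stops the same packet before it reaches the host. The following is an added illustration, not course material or real router configuration; the site prefix 192.0.2.0/24, the trusted host 192.0.2.10, the port 513 (rlogin, one of the “r utilities”) and the packets are constructed for the example.

```python
"""Added example (not from the SANS course): a forged-source packet evaluated by
(a) a TCP Wrappers style host allow-list and (b) a border-router ingress
anti-spoofing rule. All addresses, hosts and packets below are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed site layout (hypothetical): the site owns 192.0.2.0/24.
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
# Constructed TCP Wrappers style policy: deny all, then allow only the trusted peer.
TRUSTED_HOSTS = {"192.0.2.10"}


@dataclass(frozen=True)
class Packet:
    src: str         # claimed source address (what an attacker can forge)
    dst: str
    dport: int
    arrived_on: str  # "external" (Internet-facing interface) or "internal"


def border_router_ingress(pkt):
    """Editor's countermeasure: on the Internet-facing interface, drop any
    packet whose source address lies inside the site's own address space."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.arrived_on == "external" and any(src in net for net in SITE_PREFIXES):
        return "drop: spoofed internal source on external interface"
    return "pass"


def tcp_wrappers_check(pkt):
    """Host-level allow-list: it can only look at the claimed source address."""
    return "allow" if pkt.src in TRUSTED_HOSTS else "deny"


def evaluate(pkt, border_filter_enabled):
    """Final disposition of one packet through the border layer, then the host layer."""
    if border_filter_enabled:
        verdict = border_router_ingress(pkt)
        if verdict != "pass":
            return verdict
    return "host:" + tcp_wrappers_check(pkt)


# Constructed traffic sample.
SAMPLE_PACKETS = [
    # Legitimate rlogin request from the trusted peer, arriving on the internal side.
    Packet("192.0.2.10", "192.0.2.20", 513, "internal"),
    # Forged: an outside host claiming the trusted peer's address (the spoofing step).
    Packet("192.0.2.10", "192.0.2.20", 513, "external"),
    # Ordinary outside host that is simply not trusted.
    Packet("198.51.100.7", "192.0.2.20", 513, "external"),
]


def run(border_filter_enabled):
    """Dispositions for SAMPLE_PACKETS with the border filter off or on."""
    return [evaluate(p, border_filter_enabled) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for enabled in (False, True):
        print("border anti-spoof filter", "on " if enabled else "off", run(enabled))
```

With the border filter off, the second (forged) packet is accepted by the host allow-list exactly as the note describes; with it on, the forged packet never reaches the host, while the legitimate internal request and the untrusted outsider are handled the same as before.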
Melissa Virus
• Availability attack
• New “strain” slipped through most perimeters
• Users activated macro despite warnings
• Evidence of the danger of monoculture
Your next slide is titled, “Melissa Virus”.
The Melissa macro virus was first observed Friday, March 26, 1999, and quickly became one of the most
well-known and widely-spread macro virus infections to date. Many sites were aware of Melissa on Friday, others
over the weekend, and of course still others found out Monday morning, so that March 28 was indeed a
challenging day. By late Friday, an excellent description of the virus, including how to identify and contain it at
the host level, had been developed and published by the Computer Emergency Response Team (CERT) at
Carnegie Mellon.
According to Network Associates’ (NAI’s) web site, the virus was first discovered on an "alt.sex" newsgroup
and spread rapidly. This extraordinarily rapid spread of Melissa serves as a warning of how fast a virus with an
unknown signature can spread. If you examine the virus source code, you can see the virus replicated so rapidly
by going through Microsoft Outlook address books and sending itself to the first 50 entries in each book.
Now, the Melissa virus did no damage in the sense of deleting or stealing files; and only sites with desktop
systems running Microsoft’s Outlook email client were directly affected. However, even systems that did not
spread the virus directly by email still had their Microsoft Word documents infected, and continued to pass on
the virus. Moreover, the cost of dealing with Melissa is in the millions of dollars. How did a virus that does no
explicit damage (such as deleting files) do so much harm? Wreak this much havoc? Well, most of the financial
losses are in the area of lost productivity. This is a big availability attack.
- Some sites have reported that they shut down email entirely for multiple days.
- Others lost email connectivity for several hours while cleaning the virus from their servers.
- System administrator and help desk resources were tied up fighting the virus for periods ranging from three to five days at most affected organizations.
The Microsoft macro capability is a significant vulnerability, and the opportunity exists for far more serious
attacks than Melissa. And I find this quite interesting because almost all actual users of Microsoft Office
products rarely take advantage of the macro language.
Midpoint Review
• Principles of attack and defense
• Three famous attacks
• Introduction to vulnerabilities
• Basic countermeasures
• Summary
Your next slide is titled “Midpoint Review”.
At this point we are familiar with the basic security principles of confidentiality, integrity, and
availability. We have examined how these principles come into play with three famous attacks: the
Morris worm, the Mitnick attack, and the Melissa Word macro virus.
We have also discussed the threat model and its relationship to vulnerabilities. Vulnerabilities are
the gateways by which threats are made manifest. So next, let’s drill down into vulnerabilities a bit
more and examine the types of things that are commonly exploited. Keep in mind that there are
broad-based threats, but on the whole a particular type of threat has to find its matching
vulnerability. This is one reason the wise security professional is concerned about confidentiality
attacks such as reconnaissance probes - if the attacker can determine our specific configurations,
they can direct the appropriate attacks against our assets, and may well succeed.
So let’s start this section by taking a quick look at three common vulnerabilities that involve
Windows, Unix, and networking, and discuss how they work - keeping in mind the basic security
failures that occur to make these attacks possible. These vulnerabilities that we will talk about are:
- a confidentiality vulnerability called Windows NT null sessioning;
- a network availability vulnerability called echo – chargen;
- an integrity vulnerability against Unix systems: the IMAP buffer overflow.
Null Session
net use \\172.20.244.164\IPC$ "" /USER:""
Your next slide is titled “Null Session”.
The null session exploit is an attack against confidentiality. In essence, it’s just “finger” on steroids.
The attacker “logs in” to the Windows NT system using the “net use” command listed on your slide.
After logging in, it is possible to gather a great deal of information from the Windows Registry.
Though this could be done by hand, it would be very tedious, so there are tools to make this a
reasonable task. The tool shown in the screen shot is DumpACL by SomarSoft. It was available for
free from www.somarsoft.com, but they seem to have disappeared, which is a tragedy. They were
wonderful folks and were among the first folks to develop security information and tools for NT.
However, the software is still out on the Internet if you search with a ‘net search.
(Editor’s note:
SomarSoft has granted distribution rights for its tools, including DumpACL (now called DumpSec) to
SystemTools.com. DumpSec can be obtained from either http://www.somarsoft.com or
http://www.systemtools.com. - JEK)
The screenshot shown on the slide was from before I entered the “null session”. Afterwards, I would
be able to enumerate boatloads of information about users, if that system was vulnerable to a null
session attack. Enumerate is a popular term in the industry to describe what we used to call “depth
first, breadth second” searches. So what? Why do you care? Well, if you find a PDC or BDC
(Primary Domain Controller or Backup Domain Controller) you can use null sessioning to get a long
list of user names, including all the members of the Administrator group. Then you could try
consecutive ‘net uses’, trying different passwords. I am not really big on passwords, since they can
be sniffed, or attacked by brute force, but they do have their place. There are a lot of weak
passwords out there and every little bit helps. So, the longer we delay an attacker while they try
dictionary attacks on our passwords, the more likely we are to catch them in the act.
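The closing point of this slide, that delaying a password guesser gives us a chance to catch them in the act, depends on someone actually watching the failed logons. Below is an added example, not part of the course, of the detection logic that does the watching: it reads logon audit records, keeps a sliding window of failures per source, raises an alert when one source piles up failures against any mix of accounts, and raises a second, more urgent alert if a success from that source follows the burst. The log format (“timestamp source user result”), the addresses and the account names are all constructed for the example; real Windows NT audit records look different.

```python
"""Added example (not from the SANS course): spotting consecutive password
guesses against the accounts a null session enumeration would have listed.
Log format, addresses and users below are constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit sample in an invented "ISO-timestamp source user result" format.
SAMPLE_LOG = """\
1999-03-26T09:00:01 10.0.0.99 administrator FAILURE
1999-03-26T09:00:02 10.0.0.99 administrator FAILURE
1999-03-26T09:00:03 10.0.0.99 backupadmin FAILURE
1999-03-26T09:00:04 10.0.0.99 administrator FAILURE
1999-03-26T09:00:05 10.0.0.99 jsmith FAILURE
1999-03-26T09:00:06 10.0.0.99 administrator FAILURE
1999-03-26T09:00:07 10.0.0.99 administrator SUCCESS
1999-03-26T09:05:00 10.0.0.50 jsmith FAILURE
1999-03-26T09:05:20 10.0.0.50 jsmith SUCCESS
"""


def parse_line(line):
    """Split one constructed record into (timestamp, source, user, result)."""
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result


def detect_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Sliding window per source address.

    A source accumulating `threshold` failed logons inside `window`, against
    any combination of accounts, yields a 'guessing_burst' alert; a later
    successful logon from an already-alerted source yields
    'success_after_burst', the case that needs immediate follow-up.
    """
    recent = defaultdict(deque)  # source -> deque of (timestamp, user) failures in window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = parse_line(line)
        if result == "SUCCESS":
            if src in alerted:
                alerts.append({"source": src, "kind": "success_after_burst",
                               "user": user, "at": ts})
            continue
        q = recent[src]
        q.append((ts, user))
        # Drop failures that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"source": src, "kind": "guessing_burst",
                           "failures": len(q),
                           "users": sorted({u for _, u in q}),
                           "first": q[0][0], "last": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the single source 10.0.0.99 trips the burst alert on its fifth failure (three different accounts tried within seconds) and then the success alert two seconds later, while the user at 10.0.0.50 who mistypes once is never reported. The threshold and window are the knobs to tune against your own baseline of ordinary typos.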
[...] receives data. Vulnerability scans to locate echo, chargen, daytime ports are highly recommended.
Your next slide is titled “Echo – Chargen”.
This is a classic availability attack. On your slide you have a trace of network traffic packet header information showing two systems expending all their resources talking back and forth, but with [...]
[...] countermeasures
• Summary
Your last slide is titled “Putting it all Together”.
We have covered a lot of ground and have laid a solid foundation for the coursework that lies ahead. LevelOne is designed to equip system administrators and security professionals to identify and repair vulnerabilities and so achieve defense in depth. The information [...]
[...] over the system.
Summary of Vulnerabilities
• These common, well known problems are being exploited every day!
• Most common operating systems and the networks they attach to are vulnerable
Your next slide is titled “Summary of Vulnerabilities”.
To summarize the vulnerabilities section, we just took a quick look at three common ones: [...]
[...] hooked up to the Internet, there is a way to attack them.
Roadmap
• Principles of attack and defense
• Three famous attacks
• Introduction to vulnerabilities
• Basic countermeasures
• Summary
Your next slide is titled “Roadmap”.
So what to do? Well, clearly we need to get a lot better at finding and correcting these vulnerabilities [...]
[...] Perimeter Defense
• Doors and locks on doors
– Lock the windows too
• Perimeters inside perimeters
• Should chokepoints fail closed?
– Every device can fail. Be sure it fails to a known state
Your next slide is titled “The Role of Perimeter Defense”.
Since there are more vulnerabilities than we can possibly correct, what are we going [...]
[...] the defenses based on the analysis of the attack). Protect, Detect, React.
The Role of Intrusion Detection
[slide diagram: Protect / Detect / React; Anomalous Events, IDS, Analyst, Report; Known | Unknown; Analyze]
Intrusion detection is at least partly misnamed. Generally, what is detected are attempts, and most of the time they are simply reconnaissance [...]
[...] Incident Handling
• Prepare, detect, contain, eradicate, recover, lessons learned
• Role of CIRTs and law enforcement
• Personal incident handling policy
• Allows organization to accept risks
Your next slide is titled “Incident Handling”.
Bad things happen, and that is why incident response is a critically important capability for a [...]
[...] LevelTwo Advanced Incident Handling and Hacker Exploits module – JEK)
Configuration Management
• Risk assumed by one is shared by all
• Baseline
• Building permits
• Personal building permits
Your next slide is titled “Configuration Management”.
The primary attacker strategy is to scan, looking for a vulnerable system, and then establish [...]
[...] there are no known signatures.
Why Policy Really Matters
• Randall Schwartz case
• Policy as insurance
• Policy to define domains of responsibility
• Personal policy
• Good Policy/Bad Policy
How many times have you tried to go do the right thing and you get the answer, “Sorry, but that’s against policy”? You may find it hard to believe [...]
[...] list or you wear a pager, you need a personal policy!
Defense in Depth
• Perimeter protection
• Anti-virus
• Basic auditing (NT/Unix/Linux)
• What is your role and responsibility for these?
The next slide is titled “Defense in Depth”.
Are we there yet? The picture we have painted so far is that a good security architecture, one that [...]
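The “Echo – Chargen” slide above describes the trace of two systems bouncing datagrams between their echo and chargen ports and recommends scanning for hosts that still run those small services. As an added example, not part of the course, the code below does the defender’s half of both: it parses a packet-header trace, flags any UDP exchange whose source and destination ports are both small services (echo 7, daytime 13, chargen 19, the well-known port numbers for these services), and inventories which hosts are answering on those ports so they can be switched off. The trace format (“time src:port > dst:port proto”) and the addresses are constructed for the example; real tcpdump output is laid out differently.

```python
"""Added example (not from the SANS course): finding an echo/chargen loop and
the hosts still offering small services, from a constructed packet trace."""
import re
from collections import Counter, defaultdict

# Well-known small-service UDP ports that can be made to feed each other.
SMALL_SERVICES = {7: "echo", 13: "daytime", 19: "chargen"}

# Constructed trace in an invented "time src:sport > dst:dport proto" format.
SAMPLE_TRACE = """\
10:00:00.000 10.1.1.5:19 > 10.1.1.9:7 udp
10:00:00.001 10.1.1.9:7 > 10.1.1.5:19 udp
10:00:00.002 10.1.1.5:19 > 10.1.1.9:7 udp
10:00:00.003 10.1.1.9:7 > 10.1.1.5:19 udp
10:00:00.004 10.1.1.5:19 > 10.1.1.9:7 udp
10:00:01.000 10.1.1.20:40012 > 10.1.1.9:53 udp
10:00:02.000 10.1.1.21:51234 > 10.1.1.5:19 udp
10:00:02.001 10.1.1.5:19 > 10.1.1.21:51234 udp
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) > (\S+):(\d+) (\w+)$")


def parse_trace(text):
    """Yield (time, src, sport, dst, dport, proto) from the constructed format."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable trace line: {line!r}")
        t, src, sport, dst, dport, proto = m.groups()
        yield t, src, int(sport), dst, int(dport), proto


def detect_loops(text):
    """Flag UDP traffic where BOTH ends are small-service ports.

    Legitimate clients use an ephemeral source port, so a datagram whose
    source and destination are both service ports only occurs when two
    services have been pointed at each other. Packets are counted per
    unordered endpoint pair so one entry covers both directions."""
    counts = Counter()
    for _t, src, sport, dst, dport, proto in parse_trace(text):
        if proto != "udp":
            continue
        if sport in SMALL_SERVICES and dport in SMALL_SERVICES:
            key = tuple(sorted([f"{src}:{sport}", f"{dst}:{dport}"]))
            counts[key] += 1
    return [
        {
            "endpoints": key,
            "packets": n,
            "services": sorted(SMALL_SERVICES[int(e.rsplit(":", 1)[1])] for e in key),
        }
        for key, n in counts.most_common()
    ]


def exposed_small_services(text):
    """Hosts seen sending FROM a small-service port, i.e. still running it.
    These are the ones the slide's vulnerability scan is meant to find."""
    seen = defaultdict(set)
    for _t, src, sport, _dst, _dport, proto in parse_trace(text):
        if proto == "udp" and sport in SMALL_SERVICES:
            seen[src].add(SMALL_SERVICES[sport])
    return dict(seen)


if __name__ == "__main__":
    for loop in detect_loops(SAMPLE_TRACE):
        print("loop:", loop)
    print("hosts offering small services:", exposed_small_services(SAMPLE_TRACE))
```

The ordinary chargen query from 10.1.1.21 (ephemeral source port, service destination port) is not reported as a loop, which is the distinction that keeps this check quiet on normal traffic; it does, however, confirm that 10.1.1.5 is still answering on chargen, and that host and 10.1.1.9 (echo) are the ones to fix.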