CSIS 3756 Security Design Mr. Mark Welton


CSIS 3756 Security Design

Mr. Mark Welton

Course Requirements

Prerequisites:

◦ CSCI 5806 or CSIS 3755
◦ CIS 1525 or CIS 3718

Books For Course:

◦ Material online, in class, and Safari Books Online will be used for this class

What This Course IS NOT

This is not a hacking course
This is not an introduction course
This is not a course where we will only deal with the operating system itself in isolation

What This Course IS

A course on operating system security concepts, techniques and applications including MS Windows and LINUX/UNIX platforms.

Course Description for CSIS 3756

In my opinion this cannot be done by only looking at the operating system in isolation

Today’s enterprise environments are made up of multiple interconnected systems providing services to companies’ customers

It is these interconnections that have changed the world of computing and security today

It is all about the data!

My opinion of what CSIS 3756 is…

You can only learn how to design a security environment if you understand how it should be configured and how to determine what it is you are protecting

You must understand risk and how it REALLY can be of use

You need to understand how things REALLY work (theory is nice but you better know how to apply it)

“A wise man walks with his head bowed, humble like the dust” Pilot episode of Kung Fu

My opinion of what CSIS 3756 is…

To be a security professional you must understand not only the previous concepts but you must understand that….

Lastly….

It is called penetration testing

Penetration testers have permission to test the systems; hackers don’t

Security is the process of maintaining an acceptable level of perceived risk

Dr. Mitch Kabay wrote that “security is a process, not an end state.”

So what is the process…

What is Security?

The Security Process

Assessment is preparation for the other three components

It deals with policies, procedures, laws, regulations, budgeting, and other managerial duties, plus technical evaluation of one’s security posture

Failure to account for any of these elements harms all of the operations that follow

Why is this?

Assessment

Protection is the application of countermeasures to reduce the likelihood of compromise

What are some of these countermeasures and why do we use them?

Protection

Detection is the process of identifying intrusions

Intrusions are policy violations or computer security incidents

Kevin Mandia and Chris Prosise define an incident as any “unlawful, unauthorized, or unacceptable action that involves a computer system or a computer network.”

What are some examples?

Detection

Response is the process of validating the fruits of detection and taking steps to remediate intrusions

Response activities include “patch and proceed” as well as “pursue and prosecute.”

“patch and proceed” focuses on restoring functionality to damaged assets and moving on

“pursue and prosecute” seeks legal remedies by collecting evidence to support action against the offender

How does the CIA model help us meet the security process?

Response

Risk is the possibility of suffering harm or loss
Risk is a measure of danger to an asset
An asset is anything of value (to whom?)
In a security context risk refers to information, hardware, intellectual property, prestige, and reputation

The risk should be defined explicitly, such as “risk of compromise of the integrity of our customer database” or “risk of denial of service to our online banking portal.”

What is Risk?

risk = threat × vulnerability × asset value

Risk Equation

A threat is a party with the capabilities and intentions to exploit a vulnerability in an asset

Structured threats are adversaries with a formal methodology, a financial sponsor, and a defined objective
◦ include economic spies, organized criminals, terrorists, foreign intelligence agencies, and so-called information warriors

Unstructured threats lack the methodology, money, and objective of structured threats
◦ include “recreational” crackers, malware without a defined objective beyond widespread infection, and malicious insiders who abuse their status

Threat

Threats are expressed within threat models, which are descriptions of the environment into which an asset is introduced

The method by which a threat can harm an asset is an exploit
◦ An exploit can be wielded in real time by a human or can be codified into an automated tool

The process by which the intentions and capabilities of threats are assessed is called threat analysis

Threat

A vulnerability is a weakness in an asset that could lead to exploitation

A well-designed software product should perform its intended function and do no more

A Web server intended to publish pages in the inetpub/wwwroot directory should not allow users to escape that folder and access the command shell or other files on the system

Vulnerability
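The Web-server example above (a server that should publish inetpub/wwwroot and nothing else) comes down to one check: canonicalise the requested path and refuse it unless it still lies under the document root. The following is an added illustration, not code from the slides or from any real Web server; the function names, the temporary document root and the sample requests are all constructed for the example. It generalises the slide's single case to the usual ways a request can leave the root: `..` segments, URL-encoded `..`, a NUL byte, and a symlink inside the root that points outside it.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_under_root(doc_root: str, request_path: str):
    """Map a URL path onto the filesystem, refusing anything outside doc_root.

    Returns the absolute filesystem path to serve, or None when the request
    would escape the document root. Existence is not checked here; a path
    that stays inside the root but does not exist is the server's 404 case.
    """
    root = os.path.realpath(doc_root)
    decoded = unquote(request_path)          # "%2e%2e" becomes ".."
    if "\x00" in decoded:                    # a NUL would truncate the path at the C level
        return None
    # Strip leading slashes: os.path.join(root, "/etc/passwd") would discard root.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # realpath has already collapsed "..", "." and symlinks, so the prefix
    # test below is sound; comparing before canonicalisation would not be.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def build_demo_root() -> str:
    """Constructed document root: one page, one subdirectory, and a symlink
    that points at the parent directory (the kind of link a careless
    deployment can leave behind)."""
    root = tempfile.mkdtemp(prefix="wwwroot-")
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<h1>hello</h1>\n")
    os.makedirs(os.path.join(root, "images"))
    os.symlink(os.path.dirname(root), os.path.join(root, "escape"))
    return root


# Constructed requests: the first three stay inside the root, the rest try to leave it.
SAMPLE_REQUESTS = [
    "/index.html",
    "/images/../index.html",
    "/missing.html",
    "/../../etc/passwd",
    "/%2e%2e/%2e%2e/etc/passwd",
    "/escape/secret.txt",
    "/index.html%00.jpg",
]


def check_requests(doc_root: str) -> dict:
    """True where the request maps inside doc_root, False where it is refused."""
    return {req: resolve_under_root(doc_root, req) is not None for req in SAMPLE_REQUESTS}


if __name__ == "__main__":
    demo_root = build_demo_root()
    for req, allowed in check_requests(demo_root).items():
        print(f"{'serve ' if allowed else 'reject'}  {req}")
```

The order of operations is the point: decode first, canonicalise second, compare last. A prefix check done on the raw request string would pass `/%2e%2e/` and a check done before resolving symlinks would pass `/escape/`.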

The asset value is a measurement of the time and resources needed to replace an asset or restore it to its former state

Cost of replacement is an equivalent term

A database server hosting client credit card information is assumed to have a higher value or cost of replacement than a workstation in a testing laboratory (Why?)

Cost can also refer to the value of an organization's reputation, brand, or trust held by the public

Asset

Security Policies only deal with the business processes that are important to the company

“…the process of transaction for purchase must meet compliance of PCI, …”

“…Managed antivirus software must be run and monitored on each system…”

Does it really tell us where we need to put firewalls and IDS, how servers should be configured, or what defines managed antivirus?

Would it matter if it did?

What About the Security Policy?

Let's consider the risk to a public Web server operated by the Polish Ministry of Defense (www.wp.mil.pl)

On September 3, 2003, Polish army forces assumed control of the Multinational Division Central South in Iraq

A hypothetical anti–Iraq war hacker group, Code Not Bombs, reads the press release at www.nato.int and is angry about Poland's involvement in the war

One of their young coders, N@te, doesn't like Poland's involvement and wants to embarrass the Polish military by placing false news stories on the Ministry of Defense's Web site

A Look at Risk

He discovers that although www.wp.mil.pl is running Apache, its version of OpenSSL is old and subject to a buffer-overflow attack

The Polish military spends $10,000 (or the Polish equivalent) per year maintaining its Web server

Damage to national prestige from an attack would be several times greater

A Look at Risk

risk = threat × vulnerability × asset value

We will let a value of 5 equal a severe value, while a 1 is a minor value

A Look at Risk

Factor | Description | Assessment | Rationale
Threat | N@te, a coder in the Code Not Bombs activist group | 5 | He possesses the capabilities and intentions to damage the Polish Web site
Vulnerability | Unpatched OpenSSL process on www.wp.mil.pl | 5 | Vulnerability allows remote root compromise, giving N@te total control. No countermeasures limiting attacker access are deployed
Asset value | Somewhere on the order of $10,000 or more | 4 | The Web server itself merits a rating of 2 or 3 as a public relations page, but the damage to Polish prestige is higher
Risk | Loss of integrity and control of the www.wp.mil.pl Web site | 100 | Risk is the product of threat × vulnerability × asset value. Out of a possible total of 125 for a 1 to 5 scale, a rating of 100 is a grave risk

Remember that security is the process of maintaining an acceptable level of perceived risk

??????????

So What is the Security of the Web Server?

What if the Polish military is unaware that anyone would think to harm its Web server?

0 × 5 × 4 = 0

What if the security administrators believe the threat to www.wp.mil.pl is zero?

Then the perceived risk of loss is zero

Perception is a key to understanding security

How can we deal with this perception problem?

So What is the Security of the Web Server?

Once threats are identified, the presence of a vulnerability takes on new importance

Vulnerabilities only have value if there is a threat to use them

If we identify threats correctly as they relate to asset value, then as vulnerabilities change we will know where to place our resources

So What is the Security of the Web Server?

If the threat to the asset is high
◦ that is, a high likelihood of a threat wanting to use the vulnerability, and a high value of the asset

Then if the SSL vulnerability is announced you can use countermeasures on the asset

Countermeasures are steps to limit the possibility of an incident or the effects of compromise

What are the countermeasures that can be used on the web server?

So What is the Security of the Web Server?
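The risk equation, the www.wp.mil.pl scoring table, the "perceived threat is zero" slide and the point about knowing where to place resources when a vulnerability is announced all fit in one small model. The code below is an added example, not material from the slides; the asset register is constructed (only the first row reproduces the slide's 5 × 5 × 4 = 100 figures), the component labels and function names are invented for the example, and treating a countermeasure as a reduction of the vulnerability rating is this example's own modelling assumption.

```python
from dataclasses import dataclass, replace

MAX_RATING = 5                  # the slides rate each factor 1 (minor) to 5 (severe)
MAX_RISK = MAX_RATING ** 3      # 125, the ceiling the slides quote


@dataclass(frozen=True)
class Asset:
    name: str
    components: tuple           # software the asset runs (constructed labels)
    asset_value: int
    threat: int
    vulnerability: int


def risk(threat: int, vulnerability: int, asset_value: int) -> int:
    """risk = threat x vulnerability x asset value.

    Zero is accepted so that the slides' 'perceived threat is zero' case can be
    expressed; anything above MAX_RATING is rejected as a scoring error.
    """
    for factor in (threat, vulnerability, asset_value):
        if not 0 <= factor <= MAX_RATING:
            raise ValueError(f"rating {factor} is outside 0..{MAX_RATING}")
    return threat * vulnerability * asset_value


def asset_risk(asset: Asset) -> int:
    return risk(asset.threat, asset.vulnerability, asset.asset_value)


def perceived_risk(asset: Asset, perceived_threat: int) -> int:
    """Risk as the defenders see it: the actual threat replaced by their belief."""
    return risk(perceived_threat, asset.vulnerability, asset.asset_value)


def rank(register):
    """Highest risk first, ties broken by name: the order in which limited
    resources should be spent."""
    return sorted(((a.name, asset_risk(a)) for a in register),
                  key=lambda pair: (-pair[1], pair[0]))


def announce_vulnerability(register, component: str, new_rating: int):
    """A new advisory for `component` raises the vulnerability rating of every
    asset running it and leaves the others alone. Returns a new register."""
    return [replace(a, vulnerability=max(a.vulnerability, new_rating))
            if component in a.components else a
            for a in register]


def apply_countermeasure(register, name: str, reduced_rating: int):
    """Countermeasures limit the chance or effect of compromise; here that is
    modelled (an assumption of this example) as lowering the asset's
    vulnerability rating. The threat rating is left alone: the adversary's
    capabilities and intentions are not something the defender controls."""
    return [replace(a, vulnerability=min(a.vulnerability, reduced_rating))
            if a.name == name else a
            for a in register]


# Constructed register. The first row reproduces the www.wp.mil.pl ratings from
# the slides (5 x 5 x 4 = 100); the other two rows are invented for contrast.
REGISTER = [
    Asset("public web server", ("apache", "openssl"), asset_value=4, threat=5, vulnerability=5),
    Asset("customer database", ("postgres", "openssl"), asset_value=5, threat=4, vulnerability=2),
    Asset("lab workstation", ("windows",), asset_value=1, threat=2, vulnerability=5),
]


if __name__ == "__main__":
    print("baseline:        ", rank(REGISTER))
    after_advisory = announce_vulnerability(REGISTER, "openssl", 5)
    print("openssl advisory:", rank(after_advisory))
    after_patch = apply_countermeasure(after_advisory, "public web server", 1)
    print("web server fixed:", rank(after_patch))
    print("perceived threat 0 on web server:", perceived_risk(REGISTER[0], 0))
```

Two things to notice when running it. The OpenSSL advisory moves the customer database from 40 to 100, level with the Web server, because its threat and asset value were already high; the lab workstation, which also rates 5 for vulnerability, stays at 10 because nobody much wants it and it is cheap to replace. And setting the perceived threat to 0 drives the Web server's score to 0 while nothing about the server has changed, which is the perception problem the slides raise.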

It makes you look at your environment the way “they” would, not the way you would (what does this mean?)

Security policies do not tell us which assets are important, just which business practices are important. We need to relate these practices to the assets

When new vulnerabilities come out you want to KNOW what assets are important

It should have a direct impact on your security design (we do not have unlimited money and resources)

So why do we care about risk then?