Computer Security Fundamentals
Paul Weinstein
Waubonsie Consulting
November 15, 2002
Introduction
• who I am
• what I plan to say
– personal experience
• pitfalls
• planning
• resources
• questions
“Persons attempting to find a motive in this narrative will be prosecuted; persons attempting to find a moral will be banished; persons attempting to find a plot will be shot.”
- Notice, preface to The Adventures of Huck Finn, by Mark Twain
Pitfalls: Security Through Obscurity
Outside Connection Attempts to Firewall, October 14-15 2002, 752 Total Requests
• port 137 (netbios): 70%
• port 1433 (ms-sql): 12%
• port 80 (http): 6%
• port 445 (smb): 6%
• ftp, smtp, ssh, other: 6%
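The breakdown above is the slide's own chart. The tally below is an added example, not code from the original presentation, that produces the same kind of breakdown from firewall log lines so you can see for yourself which ports get probed behind your own perimeter. It assumes an iptables LOG-target line format (DROP/ACCEPT prefix, PROTO= and DPT= fields); the log lines, hostnames and addresses are constructed for the example. The point it illustrates is the slide's: scanners hit NetBIOS, MS-SQL and SMB ports on whatever is listening, without knowing or caring what operating system sits behind the firewall.

```python
"""Tally dropped inbound connection attempts by destination port.

Added example (not from the original slides). Assumes iptables LOG-target
style lines with a DROP/ACCEPT prefix and PROTO=... DPT=... fields.
"""
import re
from collections import Counter

# Ports the slide's chart calls out by name.
SERVICE_NAMES = {137: "netbios", 1433: "ms-sql", 80: "http", 445: "smb"}

# Constructed sample log (not real traffic): 10 DROP lines carry a DPT,
# one DROP is ICMP (no port) and one line is an ACCEPT, both ignored.
SAMPLE_LOG = """\
Oct 14 00:01:12 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct 14 00:02:40 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.11 DST=203.0.113.5 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct 14 00:03:01 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.12 DST=203.0.113.5 PROTO=TCP SPT=4021 DPT=1433 SYN
Oct 14 01:10:55 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.13 DST=203.0.113.5 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct 14 02:15:09 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.14 DST=203.0.113.5 PROTO=TCP SPT=3345 DPT=80 SYN
Oct 14 03:30:44 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.15 DST=203.0.113.5 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct 14 05:02:17 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.16 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0
Oct 14 06:45:31 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.17 DST=203.0.113.5 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct 14 08:11:03 gw kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=80 SYN
Oct 15 09:20:58 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.18 DST=203.0.113.5 PROTO=TCP SPT=2210 DPT=22 SYN
Oct 15 10:33:12 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.19 DST=203.0.113.5 PROTO=UDP SPT=137 DPT=137 LEN=78
Oct 15 11:47:26 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.20 DST=203.0.113.5 PROTO=UDP SPT=137 DPT=137 LEN=78
"""

# PROTO comes before DPT in iptables LOG output; ICMP lines have no DPT.
LINE_RE = re.compile(r"PROTO=(?P<proto>\w+).*?DPT=(?P<dport>\d+)")


def parse_dports(log_text):
    """Return a Counter of destination ports over the DROP lines that carry one."""
    counts = Counter()
    for line in log_text.splitlines():
        if "DROP" not in line:
            continue  # only blocked attempts interest us here
        m = LINE_RE.search(line)
        if not m:
            continue  # e.g. ICMP: no destination port
        counts[int(m.group("dport"))] += 1
    return counts


def summarize(counts, named=SERVICE_NAMES):
    """Collapse per-port counts into the named services plus an 'other' bucket.

    Returns (total, {label: (count, percent)}) ordered by count, descending,
    i.e. the same shape as the slide's chart."""
    total = sum(counts.values())
    buckets = Counter()
    for port, n in counts.items():
        label = f"port {port} ({named[port]})" if port in named else "other"
        buckets[label] += n
    summary = {label: (n, round(100.0 * n / total, 1))
               for label, n in buckets.most_common()}
    return total, summary


if __name__ == "__main__":
    total, summary = summarize(parse_dports(SAMPLE_LOG))
    print(f"{total} dropped requests")
    for label, (n, pct) in summary.items():
        print(f"  {label}: {n} ({pct}%)")
```

Run it against a real `/var/log/kern.log` (or wherever your LOG rules write) and the percentages will tell you which "somebody else's" services your network is being scanned for; the ports that dominate are the ones to keep closed and to keep watching.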
Pitfalls: Have No Fear, I Don’t Use Microsoft
“The long BSD tradition of cautious development, extensive peer review, and thorough testing makes them some of the most reliable software ever developed. In fact, as far as anyone knows, only one worm has ever been developed that attacked any of the BSDs.”
- Source: “The BSDs: Sophisticated, Powerful, and (Mostly) Free” <http://www.extremetech.com/print_article/0,3998,a=31573,00.asp>
Pitfalls: Have No Fear, I Don’t Use Microsoft
“since June … Microsoft, of Redmond, Wash., has released six patches … for Windows XP Pro. However, the list of patches included in the new Service Pack 1 for XP Pro shows 30 security-related fixes, including several that were never publicized or issued separately.”
However, in the same time frame, “Red Hat Inc., of Raleigh, N.C., for example, has issued fixes for 35 security problems in its Red Hat Linux 7.3.”
- Source: “Open Source: A False Sense of Security?” <http://www.eweek.com/article2/0,3959,579097,00.asp>
Creating a Plan: Creating a Policy
• what is this system for?
• who will be using this system?
• what network services are needed?
• how do these services work?
• how can I secure these needed services?
Creating a Plan: Creating a Policy
• discover a vulnerability
• find the fix or workaround
• apply the fix or workaround
Creating a Plan: Eternal Vigilance
• being the bad guy, enforce your policy
– known vulnerability + slow on applying fixes = troubles
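One way to act on the policy questions above ("what network services are needed?") and on the "be the bad guy, enforce your policy" step, as an added example that is not part of the original slides: write the answer down as an allowlist and periodically compare it with what the host actually listens on. It assumes the listener list is the output of `ss -H -ltun` (constructed here rather than run live) and that the policy is a set of (protocol, port) pairs; the hypothetical web-server role, POLICY and SS_OUTPUT are assumptions made for the example. Anything listening that the policy never asked for is either a service to shut off or a line the policy is missing.

```python
"""Audit a host's listening sockets against the written service policy.

Added example (not from the original slides). Assumes `ss -H -ltun`
output: Netid State Recv-Q Send-Q Local:Port Peer:Port [Process].
"""
import re

# Policy for a hypothetical public web server: the only services "needed".
POLICY = {
    ("tcp", 22): "ssh (admin access)",
    ("tcp", 80): "http",
    ("tcp", 443): "https",
}

# Constructed `ss -H -ltun` output for that host (not a real capture).
SS_OUTPUT = """\
udp   UNCONN 0      0          0.0.0.0:137        0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511        0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      511           [::]:443           [::]:*
tcp   LISTEN 0      50         0.0.0.0:1433       0.0.0.0:*
tcp   LISTEN 0      128      127.0.0.1:3306       0.0.0.0:*
"""

# "addr:port" where addr may be 0.0.0.0, *, 127.0.0.1 or a bracketed IPv6 address.
LOCAL_RE = re.compile(r"^(\S+):(\d+)$")

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_ss(output):
    """Return a list of (proto, bind_addr, port) tuples, one per listener line."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        proto, local = fields[0], fields[4]
        m = LOCAL_RE.match(local)
        if not m:
            continue
        listeners.append((proto, m.group(1), int(m.group(2))))
    return listeners


def audit(listeners, policy):
    """Split listeners not covered by the policy into two lists.

    unexpected: reachable from the network and never approved (act on these).
    loopback:   bound to 127.0.0.1/[::1] only; not remotely reachable, but the
                policy should still say why they exist."""
    unexpected, loopback = [], []
    for proto, addr, port in listeners:
        if (proto, port) in policy:
            continue
        (loopback if addr in LOOPBACK else unexpected).append((proto, addr, port))
    return unexpected, loopback


if __name__ == "__main__":
    unexpected, loopback = audit(parse_ss(SS_OUTPUT), POLICY)
    for proto, addr, port in unexpected:
        print(f"NOT IN POLICY: {proto} {addr}:{port}")
    for proto, addr, port in loopback:
        print(f"loopback only, undocumented: {proto} {addr}:{port}")
```

On a live host replace SS_OUTPUT with `subprocess.check_output(["ss", "-H", "-ltun"], text=True)`. The same check from the outside is a port scan of your own address from a host the firewall treats as untrusted; if the two views disagree, the firewall policy and the host policy are out of step.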
Resources
• cert – http://www.cert.org
– vulnerability: cause & effect
– fixes: vendor patches, upgrades
• cve – http://cve.mitre.org/
– vulnerability dictionary
Resources
• commercial vendor – red hat <-> microsoft
– i.e. know your vendor
• open source community – users, developers
– mailing lists, web sites
Resources
Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage
By Cliff Stoll
ISBN No. 0743411463
Resources
Secrets and Lies: Digital Security in a Networked World
By Bruce Schneier
ISBN No. 0471253111
Resources
The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography
By Simon Singh
ISBN No. 0385495323
Additional Resources: This Presentation
• http://www.weinstein.org/work/presentations/oshca/computer_security/
• http://www.weinstein.org/work/presentations/oshca/computer_security.pdf
• small plug:
– upcoming book, Professional Apache Security, Wrox Press
– whitepaper, Apache and OpenSSL
– consulting, Waubonsie Consulting, http://www.waubonsie.com, <[email protected]>
What I Said
• pitfalls
– security through obscurity
– it’s not just Microsoft
– access, remote & physical
• planning
– create a policy
– stick with it
• resources
– cert, http://www.cert.org
– cve, http://www.cve.mitre.org/
– commercial vendor
– open source community
– books