1

Computer Security Fundamentals

Paul Weinstein

Waubonsie Consulting

<[email protected]>

November 15, 2002


2

Introduction

• who i am

• what i plan to say

  – personal experience

• pitfalls

• planning

• resources

• questions

3

Notice

“Persons attempting to find a motive in this narrative will be prosecuted; persons attempting to find a moral will be banished; persons attempting to find a plot will be shot.”

- Preface for The Adventures of Huck Finn By Mark Twain

4

Pitfalls

5

Pitfalls: Security Through Obscurity

• home network:

6

Pitfalls: Security Through Obscurity

Outside Connection Attempts to Firewall, October 14-15 2002, 752 Total Requests

[Pie chart. Slices: 70%, 12%, 6%, 6%, 6%. Legend: port 137 (netbios); port 1433 (ms-sql); port 80 (http); port 445 (smb); (ftp, smtp, ssh, other)]

7

Pitfalls: Have No Fear, I Don’t Use Microsoft

“The long BSD tradition of cautious development, extensive peer review, and thorough testing makes them some of the most reliable software ever developed. In fact, as far as anyone knows, only one worm has ever been developed that attacked any of the BSDs.”

- Source: “The BSDs: Sophisticated, Powerful, and (Mostly) Free” <http://www.extremetech.com/print_article/0,3998,a=31573,00.asp>

8

Pitfalls: Have No Fear, I Don’t Use Microsoft

“since June … Microsoft, of Redmond, Wash., has released six patches … for Windows XP Pro. However, the list of patches included in the new Service Pack 1 for XP Pro shows 30 security-related fixes, including several that were never publicized or issued separately.”

However, in the same time frame, “Red Hat Inc., of Raleigh, N.C., for example, has issued fixes for 35 security problems in its Red Hat Linux 7.3.”

- Source: “Open Source: A False Sense of Security?” <http://www.eweek.com/article2/0,3959,579097,00.asp>

9

Pitfalls: What’s Wrong with This Picture?

• home office:

10

Creating a Plan

11

Creating a Plan: Creating a Policy

• what is this system for?

• who will be using this system?

• what network services are needed?

• how do these services work?

• how can i secure these needed services?

12

Creating a Plan: Creating a Policy

• discovering a vulnerability

• find the fix, workaround

• applying fix, workaround

13

Creating a Plan: Eternal Vigilance

• being the bad guy, enforce your policy

  – known vulnerability + slow on applying fixes = troubles

14

Resources

15

Resources

• cert

  – http://www.cert.org

    • vulnerability

      – cause & effect

    • fixes

      – vendor patches, upgrades

• cve

  – http://cve.mitre.org/

    • vulnerability dictionary

16

Resources

• commercial vendor

  – red hat <-> microsoft

  – i.e. know your vendor

• open source community

  – users, developers

  – mailing lists, web sites

17

Resources

Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage

By Cliff Stoll

ISBN No. 0743411463

18

Resources

Secrets and Lies: Digital Security in a Networked World

By Bruce Schneier

ISBN No. 0471253111

19

Resources

The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography

by Simon Singh

ISBN No. 0385495323

20

Additional Resources: This Presentation

• http://www.weinstein.org/work/presentations/oshca/computer_security/

• http://www.weinstein.org/work/presentations/oshca/computer_security.pdf

• small plug:

  – upcoming book, Professional Apache Security, Wrox Press

  – whitepaper, Apache and OpenSSL

  – consulting, Waubonsie Consulting, http://www.waubonsie.com, <[email protected]>

21

What I Said

• pitfalls

  – security through obscurity

  – it's not just microsoft

  – access, remote & physical

• planning

  – create a policy

  – stick with it

• resources

  – cert, http://www.cert.org

  – cve, http://www.cve.mitre.org/

  – commercial vendor

  – open source community

  – books

22

Questions