Presented by: James Nelson

Information Security Concepts Implemented

CERT Conference 2000

PRESENTATION NOTE

As I present today, I will pose questions to everyone in the room. I am soliciting your thought processes. I would appreciate it if everyone would quietly observe and make notes of any questions they might have. While I am confident we will be able to get through all of my materials today, I am not fully confident that we will be able to cover all of the questions at the end of the presentation. I will be happy to respond to questions via email at a later time.

Please come forward and introduce yourself after the presentation so we can exchange business cards.

“Relate Something Real and Complement Academic”

In ACADEMIC environments, we work with

• PHILOSOPHIES

• CONCEPTS

• THEORIES

In the realm of “something real” we start with a problem (usually business) and work toward the solution.

“Relate Something Real and Complement Academic”

From http://www.sans.org/mistakes.htm

The top mistakes people make that lead to security breaches: (paraphrased)

Users open unsolicited email attachments, fail to keep application patches installed, install trojan games or screen savers, forget about backups, and use modems while connected to the LAN.

“Relate Something Real and Complement Academic”

Also paraphrased from mistakes.htm

Generally, Senior Executives assign untrained people to maintain security, fail to relate information security and business problems directly, rely heavily on firewalls, fail to realize the value of their information and reputation, authorize reactive short-term fixes, and pretend problems will “go away” by ignoring them.

“Relate Something Real and Complement Academic”

According to http://www.sans.org/newlook/resources/errors.htm, the top management errors leading to vulnerability were determined by 1,850 computer security experts and managers meeting at the SANS99 and Federal Computer Security Conferences held in Baltimore May 7-14, 1999.

“Relate Something Real and Complement Academic”

Also paraphrased from mistakes.htm

IT people network unhardened systems or systems with default accounts and passwords, don’t patch security holes when discovered, don’t use encryption to manage devices, give out passwords over the phone, don’t test “current” backups, run unnecessary services, implement open firewalls, don’t properly address viruses, and fail to educate their peers and users.

How can we apply the philosophies, concepts and theories . . . of security to the real world?

What core concept needs to be applied?

Use forethought to build security into the implemented process.

Why?

Security costs far more to add as an afterthought than it does to implement in the first place! It is important to understand how closely information security and sound business processes are related.

IT IS IMPORTANT FOR MANAGERS TO UNDERSTAND BOTH TOPICS

Today, there are still many (highly paid) managers that do not fully understand information security. If a manager can’t perceive the right thing as the “mistake” they can’t address the issue appropriately.

Once a manager is able to understand the relationship between information security and sound business process, they are able to make the critical decisions required to adjust their practices and properly address security issues. I will start with basic security concepts. . . . . . .

ALWAYS USE PRODUCTS WITH THE MARKS OF GOOD DESIGN

But what are the “marks of good design”?

They are really a collection of concepts that form the mold for a reasonably secure system. When the “marks of good design” are built into a system and implemented correctly, the end result will be a reasonably secure system. (Note: I said a REASONABLY SECURE system.)

THE MARKS OF GOOD DESIGN

Uniqueness and 1:1 ratio of User to ID’s, Least Privilege, Dual Control Points, Role Separation, Separation of Duties, Time Synchronization, Artificially Intelligent Logging Mechanisms, Log Retention, Log Correlation, Reaction or Response Mechanisms, Encryption Mechanisms, Strong (two-factor) Authentication, Auditing Mechanisms, and Finite Tunable Security Controls. (there are more)

THE MARKS OF GOOD DESIGN

Got all that?

Moving right along……….

JUST KIDDING!!

THE MARKS OF GOOD DESIGN

What do I mean by Uniqueness and 1:1 ratio of User to ID’s?

The defined set of credentials to be used as a regular means to access a system must be assigned to one individual who is held responsible for the use (or misuse) of the credentials.

THE MARKS OF GOOD DESIGN

Commonly, organizations fail to implement methods to ensure individual accountability through uniqueness. The most commonly observed failure points are caused by poor control of built-in system ID’s, poor password selection by users, and bad password management schemes for built-in credentials (which should be used for EMERGENCY USE ONLY!)

Uniqueness and 1:1 ratio of User to ID’s

THE MARKS OF GOOD DESIGN

I’ve seen several organizations choose a “standard password” for their root or administrator accounts across multiple systems rather than granting the required access through assigned security credentials and the use of utilities similar to sudo.

Uniqueness and 1:1 ratio of User to ID’s Real world examples:

THE MARKS OF GOOD DESIGN

Define Least Privilege:

Assigning a minimum set of allowed operations or account credentials that are PROVEN to be required to perform a task.

I can’t count the number of times I have had to SET file system permissions and registry permissions for an application. Vendors need to build quality installation programs and stop CLAIMING their products NEED administrator access. Some do need administrator privileges, but most do not.

THE MARKS OF GOOD DESIGN

Define Dual Control Points: The practice of using separate vendors and control mechanisms to accomplish a single desired control. Commonly used in environments where the requirement to “fail safe” is present.

Example: An internet router purchased from Vendor X and a firewall purchased from Vendor Y that are both configured to use least privilege in and out all of their interfaces.

THE MARKS OF GOOD DESIGN

Dual Control Points: Are they really that important?

You decide! I had a system out on the internet that was protected by TCP wrappers and several other hardening techniques. I even had the system configured to page me. The system was completely wiped when a hole in the TCP wrapper logic allowed the attacker to use a buffer overflow technique to break into the system and take root.

THE MARKS OF GOOD DESIGN

Dual Control Points: The lesson on why to use them doesn’t have to be learned “the hard way”!

Had I bothered to implement access lists on the internet router to match my TCP wrapper configuration, I would have been able to share the entire weekend with my family on the first Mother’s Day after our son was born. Instead, I spent most of the weekend performing a disaster recovery. Now WE ALL know! (yes, it was successful) True story!

THE MARKS OF GOOD DESIGN

Define Role Separation:

A method to improve security where security roles are assigned according to a user’s required duties and implemented using least privilege for each role, independently of any other role.

Example: assigning administrators a special user ID and process for reading email so their admin access can not be used to run malicious code (viruses).

THE MARKS OF GOOD DESIGN

Role Separation. Consider: What would happen if an email worm was released that would identify and disable all administrator accounts it could find, ending with the account currently being used? When an administrator opens the email? When a domain guest or user opens the email?
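
Two of the marks just discussed, uniqueness with a 1:1 user-to-ID ratio and role separation under least privilege, as an added Python example that is not part of the original presentation. The role names, operation names, the built-in ID list and the sample credentials are all constructed for illustration; the last function answers the slide’s worm question from the defender’s side, showing what code launched from an opened message could do under each identity.

```python
"""Added example (not from the original presentation): modelling uniqueness /
1:1 user-to-ID and role separation with least privilege. Every name, role and
operation below is constructed for illustration."""

from dataclasses import dataclass

# Constructed role -> permitted operations. Anything not listed is denied.
ROLE_OPERATIONS = {
    "domain-admin":  {"disable_account", "reset_password", "install_software"},
    "mail-reader":   {"read_mail"},
    "standard-user": {"read_mail", "edit_own_documents"},
    "guest":         set(),
}

# Constructed list of built-in IDs that must not be issued for day-to-day work.
BUILT_IN_IDS = {"root", "administrator", "sa"}


@dataclass(frozen=True)
class Credential:
    user_id: str   # the login ID
    owner: str     # the one person accountable for its use (or misuse)
    role: str      # the single role this ID is used for


def allowed(cred: Credential, operation: str) -> bool:
    """Least privilege: permit only operations proven to belong to the role."""
    return operation in ROLE_OPERATIONS.get(cred.role, set())


def accountability_violations(creds) -> list:
    """Uniqueness / 1:1 check: every ID maps to exactly one owner, and
    built-in IDs are not issued for regular use."""
    problems = []
    owners_by_id = {}
    for c in creds:
        owners_by_id.setdefault(c.user_id, set()).add(c.owner)
        if c.user_id.lower() in BUILT_IN_IDS:
            problems.append(f"{c.user_id}: built-in ID issued for regular use")
    for uid, owners in owners_by_id.items():
        if len(owners) > 1:
            problems.append(f"{uid}: shared by {sorted(owners)}")
    return problems


def mail_attachment_damage(opener: Credential, accounts) -> list:
    """Code launched from an opened message runs with the opener's privilege.
    Return the accounts it could disable; with role separation an
    administrator reads mail under a mail-reader ID, so the answer is none."""
    if allowed(opener, "disable_account"):
        return list(accounts)
    return []


# Constructed credentials: Jane (an administrator) holds two IDs, one per role.
CREDENTIALS = [
    Credential("jdoe-adm", "Jane Doe", "domain-admin"),
    Credential("jdoe",     "Jane Doe", "mail-reader"),
    Credential("bsmith",   "Bob Smith", "standard-user"),
    Credential("root",     "Jane Doe", "domain-admin"),   # built-in ID in daily use
    Credential("ops",      "Jane Doe", "domain-admin"),   # one ID, two people
    Credential("ops",      "Bob Smith", "domain-admin"),
]

if __name__ == "__main__":
    for p in accountability_violations(CREDENTIALS):
        print("accountability:", p)
    admin, mail = CREDENTIALS[0], CREDENTIALS[1]
    print("admin ID may read mail?       ", allowed(admin, "read_mail"))
    print("mail ID may disable accounts? ", allowed(mail, "disable_account"))
    print("damage if mail opened as jdoe:", mail_attachment_damage(mail, ["bsmith"]))
```

The admin identity is refused `read_mail` just as the mail identity is refused `disable_account`; each role carries only what its duties need, and the accountability check flags the shared `ops` ID and the daily use of `root` that the notes above describe.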

THE MARKS OF GOOD DESIGN

Define Separation of Duties:

Implementing carefully designed checks and balances in processes instead of assigning all credentials necessary to perform the process to a single individual or group of individuals.

Separation of duties is typically used when a high degree of trust and assurance is required to accomplish a task.

THE MARKS OF GOOD DESIGN

Separation of Duties:

Example: It takes many people to access the vaults at Fort Knox. From time to time, fork-lifts are used to move pallets of gold bars around inside the vault. If a single bar of gold was taken, the financial loss encountered would be very high. (Currently over $200K for a 50 LB bar)

THE MARKS OF GOOD DESIGN

Define Time Synchronization: A method to ensure that the time across multiple systems is exactly the same.

Audit logs can show time-stamps on events as they occur on a given system. Without an implemented method to synchronize the time across all the systems on a given network, audit logs are extremely difficult to interpret.

THE MARKS OF GOOD DESIGN

Time Synchronization is the most commonly overlooked (or ignored) easy-to-implement security measure. Generally it does not matter if the time is wrong as long as it is consistent between systems. When enterprises start connecting their networks together for business-to-business transactions, then it becomes important for the time to be in sync with world time.

THE MARKS OF GOOD DESIGN

Define Artificially Intelligent Logging Mechanisms:

Information collection systems able to increase or decrease the amount of information being requested from a monitored process based on the interpreted information collected from the process previously.

AI Logging Mechanisms are still a bleeding-edge (and therefore rarely implemented) technology. They are a very important part of highly secure application models because they offer low-overhead and yield highly useful security information.

THE MARKS OF GOOD DESIGN

Define Log Retention Systems:

A repository-based mechanism constructed to enable administrators to perform time-based or event-based (or both) management of information (storage and retrieval) from network devices, servers, or applications. Log retention mechanisms usually consist of a very large central repository and logic that can determine what to store, how to store it, and how to retrieve it. Advanced systems enable administrators to easily retrieve logs as needed and build reports based on the data.

THE MARKS OF GOOD DESIGN

Define Log Correlation:

The process of following a chain of events through their logical access path on (indirectly) related systems.

Typically, log correlation systems are useful for interpreting activity on multiple systems (firewalls, database servers, application servers, etc). Log correlation is great for reporting.
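
The time synchronization and log correlation points above, as one added Python example that is not part of the original presentation: one session is followed through a firewall, an application server and a database server whose clocks disagree, first with the timestamps taken at face value and then after each host’s measured clock offset is removed. The hostnames, offsets and log lines are constructed for illustration.

```python
"""Added example (not from the original presentation): following one chain of
events across a firewall, an application server and a database server whose
clocks disagree. Hostnames, clock offsets and log lines are constructed."""

from datetime import datetime, timedelta

# Constructed: each host's clock error relative to the reference (NTP) clock,
# measured by comparing the host's time to the reference. A synchronized
# network would have every offset at zero.
CLOCK_OFFSETS = {
    "fw1":  timedelta(seconds=0),
    "app1": timedelta(seconds=-110),  # app1's clock runs 110 s slow
    "db1":  timedelta(seconds=40),    # db1's clock runs 40 s fast
}

# Constructed log lines: "host|host-local timestamp|message".
LOG_LINES = """\
db1|2000-06-10 09:02:10|query session=S17 table=cards rows=5000
app1|2000-06-10 08:59:30|login user=bsmith src=10.0.0.5 result=ok session=S17
fw1|2000-06-10 09:01:10|ACCEPT src=10.0.0.5 dst=app1 port=443
app1|2000-06-10 08:59:50|export session=S17 rows=5000 dest=10.0.0.5
""".splitlines()


def parse_line(line: str) -> dict:
    """Split one line into host, local time, event name and key=value fields."""
    host, ts, msg = line.split("|", 2)
    tokens = msg.split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    return {"host": host, "event": tokens[0],
            "local_time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), **fields}


def reference_time(event: dict) -> datetime:
    """Time synchronization after the fact: remove the host's known offset so
    every event is expressed on the same reference clock."""
    return event["local_time"] - CLOCK_OFFSETS[event["host"]]


def select_chain(events, session_id: str, src_ip: str) -> list:
    """Log correlation: keep the events tied together by a shared session id
    or source address across (indirectly) related systems."""
    return [e for e in events
            if e.get("session") == session_id or e.get("src") == src_ip]


def chain_in_reference_order(lines, session_id: str, src_ip: str) -> list:
    """The chain as it really happened, ordered on the reference clock."""
    chain = select_chain([parse_line(l) for l in lines], session_id, src_ip)
    return [(e["host"], e["event"]) for e in sorted(chain, key=reference_time)]


def chain_in_local_order(lines, session_id: str, src_ip: str) -> list:
    """What an analyst sees if each host's timestamp is taken at face value."""
    chain = select_chain([parse_line(l) for l in lines], session_id, src_ip)
    return [(e["host"], e["event"])
            for e in sorted(chain, key=lambda e: e["local_time"])]


if __name__ == "__main__":
    print("face value  :", chain_in_local_order(LOG_LINES, "S17", "10.0.0.5"))
    print("synchronized:", chain_in_reference_order(LOG_LINES, "S17", "10.0.0.5"))
```

Taken at face value the export appears to happen before the firewall ever admitted the connection, which is exactly the “extremely difficult to interpret” situation the slide describes; once the offsets are removed the accept, login, query and export fall into their true order. In practice the offsets should be zero because the hosts run NTP, and this correction is the fallback for logs collected from hosts that were not synchronized.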

THE MARKS OF GOOD DESIGN

Define Reaction or Response Mechanisms: Systems designed to take predetermined automated actions in reply to a sequence of events or act on the recognition of the events by sending information so the events can be acted upon manually. Reaction or Response Mechanisms rarely exist independent of reduction and correlation systems. Reaction or Response Mechanisms are typically built into Intrusion Detection or Prevention Systems. (depending on how and how fast the system can react)

THE MARKS OF GOOD DESIGN

Define Encryption Mechanisms: Systems designed to systematically transform data into an unreadable format and recover it with the key.

Encryption is commonly used to protect information as it travels over a network or as it is stored on a file server. Encryption systems are able to guarantee the integrity of data and also that it is accessible only by authorized parties with the key. DANGER-- don’t lose the key or the information will be unrecoverable!

THE MARKS OF GOOD DESIGN

Define Strong (two-factor) Authentication:

An identification and verification system able to provide a highly secure way of guaranteeing whatever passed the verification is REALLY who or what they are representing themselves as.

The algorithms vary, but they all consist of something the requester has and something the requester knows. Encryption keys are commonly used as well as user ID’s and passwords.
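
The “something the requester has and something the requester knows” check above, as an added Python example that is not part of the original presentation: a password (known) verified against a PBKDF2 hash, plus a one-time code from a token (possessed) computed with the HOTP algorithm of RFC 4226, all from the standard library. The account record, password, look-ahead window and iteration count are constructed; the token secret is the RFC 4226 test-vector secret so the codes can be checked against the published values.

```python
"""Added example (not from the original presentation): two-factor login with
a PBKDF2 password hash (something known) and an RFC 4226 HOTP token
(something possessed). Account layout and parameters are constructed."""

import hashlib
import hmac
import os

ITERATIONS = 200_000   # PBKDF2 work factor (constructed choice)
LOOK_AHEAD = 3         # token counters we tolerate ahead of the expected one


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) for the 'something you know' factor."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic
    truncation to a 31-bit integer, reduced to the requested digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """One unique ID with both factors enrolled (constructed record layout)."""

    def __init__(self, user_id: str, password: str, token_secret: bytes):
        self.user_id = user_id
        self.salt, self.pw_hash = hash_password(password)
        self.token_secret = token_secret   # shared with the user's token device
        self.counter = 0                   # next token value we expect


def verify_login(account: Account, password: str, code: str) -> bool:
    """Both factors are always evaluated, so the outcome does not reveal
    which one was wrong; a token value is accepted once and then burned."""
    _, candidate = hash_password(password, account.salt)
    password_ok = hmac.compare_digest(candidate, account.pw_hash)
    matched = None
    for c in range(account.counter, account.counter + LOOK_AHEAD):
        if hmac.compare_digest(hotp(account.token_secret, c), code):
            matched = c
            break
    if password_ok and matched is not None:
        account.counter = matched + 1   # replayed codes are now rejected
        return True
    return False


if __name__ == "__main__":
    # Constructed account; the secret is the RFC 4226 test vector.
    acct = Account("jdoe", "correct horse battery", b"12345678901234567890")
    print("first login :", verify_login(acct, "correct horse battery", "755224"))
    print("replayed    :", verify_login(acct, "correct horse battery", "755224"))
    print("bad password:", verify_login(acct, "guess", "287082"))
    print("next code   :", verify_login(acct, "correct horse battery", "287082"))
```

Either factor alone is refused: the right code with the wrong password fails, and a code that was already used fails even with the right password, because the account’s counter has moved past it.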

THE MARKS OF GOOD DESIGN

Describe a Complete and Accurate Auditing Mechanism:

Systems that precisely record events with full detail of the inputs to the event and the output of the event.

Complete and Accurate Auditing Mechanisms should list the credential held, the credential required if it is different, whether the transaction succeeded or failed, and perform the task equally for everyone. Complete auditing systems need report capabilities.
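
The auditing mechanism described above, as an added Python example that is not part of the original presentation: every request produces one record with the credential held, the credential required when it differs, the inputs, the output and the outcome, written identically whether the request was honoured or refused, with a simple report and a hash chain so that an altered record is detectable. The operations, roles, balance table and record layout are constructed for illustration.

```python
"""Added example (not from the original presentation): an audit mechanism
that records every request in full and identically for every caller, with a
hash chain so altered records are detectable. Operations, roles and the
balance table are constructed for illustration."""

import hashlib
import json
from datetime import datetime, timezone

# Constructed: the credential each operation requires.
REQUIRED_CREDENTIAL = {
    "view_balance": "teller",
    "reset_password": "helpdesk",
    "disable_account": "domain-admin",
}

# Constructed back-end operations; each return value is the audited output.
BALANCES = {"ACC-1": 1234.56, "ACC-2": 88.00}
OPERATIONS = {
    "view_balance": lambda account: BALANCES[account],
    "reset_password": lambda target: f"temporary password issued to {target}",
    "disable_account": lambda target: f"{target} disabled",
}

AUDIT_LOG = []   # in production this would be append-only storage


def _digest(record: dict) -> str:
    return hashlib.sha256(
        json.dumps(record, sort_keys=True, default=str).encode()).hexdigest()


def audited(user_id: str, credential_held: str, operation: str, **inputs) -> dict:
    """Perform the operation if the held credential is sufficient. Either way,
    write one record with the credential held, the credential required (when
    different), every input, the output, and the outcome."""
    required = REQUIRED_CREDENTIAL[operation]
    record = {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user_id": user_id,
        "credential_held": credential_held,
        "credential_required": None if credential_held == required else required,
        "operation": operation,
        "inputs": inputs,
        "prev": _digest(AUDIT_LOG[-1]) if AUDIT_LOG else "0" * 64,
    }
    if credential_held == required:
        record["output"] = OPERATIONS[operation](**inputs)
        record["result"] = "success"
    else:
        record["output"] = None
        record["result"] = "failure"
    AUDIT_LOG.append(record)
    return record


def verify_chain(log=None) -> bool:
    """Each record carries the digest of its predecessor; recompute and compare."""
    log = AUDIT_LOG if log is None else log
    return all(log[i]["prev"] == _digest(log[i - 1]) for i in range(1, len(log)))


def failures_by_user(log=None) -> dict:
    """Report capability: refused requests per user ID."""
    log = AUDIT_LOG if log is None else log
    counts = {}
    for r in log:
        if r["result"] == "failure":
            counts[r["user_id"]] = counts.get(r["user_id"], 0) + 1
    return counts


if __name__ == "__main__":
    audited("bsmith", "teller", "view_balance", account="ACC-1")
    audited("bsmith", "teller", "disable_account", target="jdoe")
    for r in AUDIT_LOG:
        print(json.dumps(r, default=str))
    print("chain intact:", verify_chain(), "failures:", failures_by_user())
```

The chain only protects records that have a successor; the newest record needs an anchor kept elsewhere (a signed daily digest, or a copy shipped to the log retention system described on the earlier slide) to be covered as well.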

THE MARKS OF GOOD DESIGN

Describe Finite Tunable Security Controls:

Systems that implement a very high degree of granularity to their internal protection and authorization systems.

Finite Tunable Security Controls will provide the means for administrators to specify EXACTLY what they want something to be allowed to do-- no more and no less. They are mission critical to systems being implemented with least privilege.

THE MARKS OF GOOD DESIGN

When I introduced the “marks of good design” I talked about REASONABLY SECURE systems.

Which came first-- the system, the threat, or the method to protect?

Let’s go back to the origin of the problem with the age old chicken/egg analogy.

. . . chicken or the egg?

If the chicken is a defenseless network and the egg is the means to protect, then what happens if there weren’t any chickens?

• There wouldn’t be anything to protect against!

• We wouldn’t have anything to protect

• We wouldn’t develop the means to protect

• There wouldn’t be any problems in the first place!

Which came first . . . .

Analogies Aside . . .

The majority of the vulnerable systems out there are vulnerable because they are not addressing one area.

WHAT AREA WASN’T ADDRESSED?

HINT: It’s not development. It is not QA.

Analogies Aside . . .

WHAT AREA WASN’T ADDRESSED?

In the DESIGN STAGE, developers and systems personnel had the opportunity to build controls, reaction mechanisms, audit mechanisms, and protection means into the application.

Why didn’t they?

Security Improvements Through Superior Implementation

In the implementation stage, administrators have the opportunity to improve security by using proven implementation methods. Through product selection and component architecture they can enhance security with:

Additional Mechanisms for audit trails, anomaly detection, anomaly reaction, and low-level controls.

Hardened installations

Why didn’t they?

THE LONG-TERM SOLUTION

Design and implementation mistakes both occur when unsound business processes “go live” and start guiding projects to achieve their desired goals. Process owners must realize and address the undesirable consequences of their “cost control measures” or “rapid development efforts”.

What needs to be fixed first? The design process, or the implementation process, or the business process?

HOW MANY OF YOU HAVE TAKEN HISTORY?

SHOW OF HANDS: How many of you have taken history? Look around the room.

What is the core thing historians preach OVER and OVER again?

Why does history repeat itself?

Because we don’t learn from our mistakes and take the necessary steps to correct the associated cause and resulting problems!

WAIT, I THOUGHT PRODUCT X WAS SUCH A GREAT APPLICATION!

What happens if a GREAT application was developed several years ago but was improperly implemented? What about if the product has not been changed to keep current with today’s technology?

VULNERABILITIES HAPPEN!

WHY DO VULNERABLE SYSTEMS KEEP TURNING UP?

Sites all over the world are being turned into examples daily. Why not improve security by embracing the marks of good design? Long-term changes are necessary to close common vulnerabilities. When business processes design applications without addressing the means to properly protect the organization against exposure, the resulting implemented systems clearly violate widely known best practices.

BUSINESS DECISIONS ARE ASSOCIATED WITH VULNERABILITY?

Real world examples:

Clustering software using password auth

Code to change passwords through the web

Clearly, the products do not have the marks of good design. Someone made the feature, and nobody with enough pull to be heard had the good sense to have the features improved or removed. The vulnerabilities were not a huge surprise to me or any other professional I have talked to.

VULNERABILITIES THAT ARE NOT A SECURITY PROBLEM??

If a business decision caused a vulnerability, the root of the vulnerability is a BUSINESS PROBLEM!

Many security professionals have observed a trend where business owners categorize security holes as a “security problem”. This incorrect assumption results in no change to business process. Vulnerabilities continue to be introduced until the BUSINESS OWNER takes responsibility for the failure points in their process.

HOW DO COMPANIES FIX BUSINESS PROBLEMS?

They take responsibility for the problem they are trying to address, change their business HABITS, and revisit everything that occurred while they were off-track.

I don’t think I need to mention any tire companies or recent recalls to drive this point home, but it can’t hurt.

THE CYCLE OF CRIME

A criminal will continue their cycle of crime and punishment until they recognize that the laws are not going to change and they look to themselves to stop the change.

If a criminal keeps ending up in jail, society does not generally blame the law, society blames the criminal. It is not a new concept or idea, but applying this logic to business may be new to some.

DON’T FOLLOW THE LAWS OF BEST PRACTICE AND BE PUNISHED

Businesses cannot afford to continue accepting functional but architecturally inferior software. Businesses can’t afford to continue accepting the status quo and operating on inferior systems.

Solid software and systems architectures can be properly designed ONCE based on best practices and built into customizable modular systems. Where would the graphical user interface as we know it be if companies had not made development libraries that could be leveraged?

DON’T FOLLOW THE LAWS OF BEST PRACTICE AND BE PUNISHED

REASONABLY SECURE is a very important thing. Test security for failure points that will fail open or fail closed. Identify which is the higher risk and take measures to avoid it. In a system where timely storage and retrieval is mission critical, controls that are not extremely reliable are a risk in themselves.

Governments have fallen because they were TOO secure. They were not able to get weapons out of their extremely secure armaments after the two people who knew the unlock codes were killed.

STEP UP TO THE PLATE

Many security vendors have led by example.

THEIR software incorporates strong authentication mechanisms, advanced logging mechanisms, and high quality encryption. Some of them have implemented separation of duties, least privilege, and time synchronization. None of the architectures I have observed are ideal, but application designers and developers from other sectors have a great opportunity to learn by example.

WHERE TO START

Since it is a business problem, business process is the logical choice. In order to do that, the business leaders will have to dive in and define their company’s requirements. They will need to define the rules for new systems.

The next logical step is to build computer security and information assurance with a team of security analysts and auditors. Seek their help in writing policies that take a phased approach, so existing systems may gradually come into compliance with the requirements or be selectively phased out.

WHERE TO START

Many corporations have a standard set of paperwork defining the majority of their security parameters going into a process. The initial security parameters are authored based on the principles the company wishes to enforce on all implementations. In the intent stage, the details are documented according to how the parties expect them to be resolved. In the final agreement, the final designed process with all changes is documented. Sample Network Memos of Understanding (MOU) documents are available on the internet. I strongly encourage their use.

WHERE TO START

Example of the process in action: Hypothetically speaking, company X has a policy that states:

“X will control all access into and out of X’s network”, “X will not be responsible for controlling access into or out of a third party’s network”, “X intends to implement the processes using least privilege”, “X will implement dual control points”, “X will acquire and configure their own hardware and retain ownership of the hardware”, “X reserves the right to abandon work in progress if the above guiding principles of security are not properly supported”.

NOW WHAT?

The next step after new processes are in place is to begin the clean-up effort.

Clean-up can take MANY years and move in SEVERAL phases. In the meantime, old systems can impose an incredible level of risk on an organization. Intrusion Detection and Prevention Systems were invented to address this issue.

IDS: What are Intrusion Detection Systems?

Intrusion Detection Systems are software specifically designed to recognize patterns of unwelcome behavior. IDS can provide a means to log attempts, stop attempts in progress, and close holes identified to match known attack patterns by blocking the required sequence from occurring. They are a set of tools commonly used to identify and manage risk.

IPS: What are Intrusion Prevention Systems?

Intrusion Prevention Systems are software specifically designed to recognize security weaknesses, prioritize the vulnerabilities, and help administrators correct the situation. Some report a vulnerability while others prevent the vulnerability from being exploited.
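
The detection, logging and reaction behaviour described for IDS above (and the reaction or response mechanisms defined among the marks of good design), as an added Python example that is not part of the original presentation: a small engine that recognizes two patterns of unwelcome login behaviour in constructed log lines, records an alert for each, and reacts by refusing further attempts from a source that crossed the threshold. The thresholds, window, hostnames, user names and addresses are all constructed for illustration.

```python
"""Added example (not from the original presentation): a minimal detection and
reaction engine over constructed login log lines. Thresholds, window, hosts
and addresses are constructed for illustration."""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
WINDOW = timedelta(seconds=60)
BRUTE_FORCE_THRESHOLD = 5      # failures from one source inside WINDOW
SUSPECT_SUCCESS_THRESHOLD = 3  # failures before a success from the same source

# Constructed log lines: "timestamp host event key=value ...".
SAMPLE_LOG = """\
2000-06-10 02:00:01 app1 login user=bsmith src=10.0.0.5 result=fail
2000-06-10 02:00:03 app1 login user=bsmith src=10.0.0.5 result=fail
2000-06-10 02:00:05 app1 login user=bsmith src=10.0.0.5 result=fail
2000-06-10 02:00:07 app1 login user=bsmith src=10.0.0.5 result=fail
2000-06-10 02:00:09 app1 login user=bsmith src=10.0.0.5 result=fail
2000-06-10 02:00:11 app1 login user=bsmith src=10.0.0.5 result=ok
2000-06-10 02:03:00 app1 login user=jdoe src=10.0.0.9 result=fail
2000-06-10 02:03:10 app1 login user=jdoe src=10.0.0.9 result=fail
2000-06-10 02:03:20 app1 login user=jdoe src=10.0.0.9 result=fail
2000-06-10 02:03:30 app1 login user=jdoe src=10.0.0.9 result=ok
2000-06-10 02:05:00 app1 login user=alice src=10.0.0.7 result=ok
""".splitlines()


def parse(line: str) -> dict:
    """Turn one log line into a dict of time, host, event and key=value fields."""
    m = LINE_RE.match(line)
    fields = dict(t.split("=", 1) for t in m["msg"].split() if "=" in t)
    return {"time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "host": m["host"], "event": m["msg"].split()[0], **fields}


class Detector:
    """Detection (a pattern of unwelcome behaviour), reaction (block the
    source) and a record of every decision taken."""

    def __init__(self):
        self.failures = defaultdict(deque)  # src -> recent failure times
        self.blocked = set()
        self.alerts = []                    # (rule, src, time)
        self.dropped = 0                    # attempts refused after blocking

    def _prune(self, src: str, now: datetime) -> None:
        q = self.failures[src]
        while q and now - q[0] > WINDOW:
            q.popleft()

    def feed(self, event: dict) -> None:
        src = event.get("src")
        if event["event"] != "login" or src is None:
            return
        if src in self.blocked:             # prevention: refuse further attempts
            self.dropped += 1
            return
        now = event["time"]
        self._prune(src, now)
        if event["result"] == "fail":
            self.failures[src].append(now)
            if len(self.failures[src]) >= BRUTE_FORCE_THRESHOLD:
                self.alerts.append(("brute_force", src, now))
                self.blocked.add(src)       # reaction mechanism
                self.failures[src].clear()
        elif event["result"] == "ok" and len(self.failures[src]) >= SUSPECT_SUCCESS_THRESHOLD:
            # A success right after repeated failures deserves a human look.
            self.alerts.append(("success_after_failures", src, now))


def run(lines) -> Detector:
    d = Detector()
    for line in lines:
        d.feed(parse(line))
    return d


if __name__ == "__main__":
    d = run(SAMPLE_LOG)
    for rule, src, when in d.alerts:
        print(f"{when} ALERT {rule} src={src}")
    print("blocked:", sorted(d.blocked), "dropped:", d.dropped)
```

The first source is blocked at its fifth failure, so the login that follows is refused without being evaluated; the second source never reaches the block threshold but its success after three failures is raised for review rather than acted on automatically, which is the difference between reporting an event and reacting to it that the IDS and IPS definitions draw. The alerts list is the “means to log attempts” and is what a log retention and correlation system would consume.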

SOUNDS GOOD BUT WHAT’S THE CATCH?

Intrusion Detection and Prevention Systems were invented as a bandage (or quick fix) organizations could use to enhance the security of systems that lack (or poorly implement) the marks of good design. They offer a set of tools, not repair parts.

Intrusion Detection and Prevention Systems should be used to provide the secondary layer of control. Well designed software should be used to provide the first (most difficult to break) layer.

Quick-fix technology is often abused and misused. Any serious system with an identifiable degree of exposure should have the required controls already. ID and IP systems should COMPLEMENT the application controls. They should not be the only thing with the ability to record, report, and react.

ALARM SYSTEMS ARE NOT DEADBOLTS

Intrusion Detection and Prevention Systems were not created to be the “end all, be all” long-term solution to the business problem. They cannot change business habits. They cannot make security have an active role in the design and implementation of a business process so the business process can react based on security events.

Everyone knows that alarm systems do not serve the same purpose as a deadbolt, steel doors, or window bars. ID&P systems are alarm systems.

SHOW OF HANDS: how many of you have locks on your doors?

Care to guess how many would raise their hands if I asked how many of us have alarms? Which is the basic security element?

THE MEAT AND POTATOES

What we are going to talk about in the rest of this presentation is the “meat and potatoes” of Intrusion Detection and Prevention Systems.

There are several things they CAN do and several things they CAN’T do. (there are also gray areas-- things they can do but really shouldn’t be doing long-term)

They fit together to make a great collection of sensors and reaction mechanisms. They make a REALLY BAD basic element of network security.

ID&P SYSTEMS CAN

• Complement other security controls

• Capture events on a network and report them

• Assist administrators in the identification of risk

• Report attack sequences and take action (in real time sometimes)

ID&P SYSTEMS CAN’T

• Replace sound security practice or known best-practice security and auditing principles discussed earlier: Least Privilege, Dual Control Points, Separation of Duties, Role Separation, Time Synchronization

• Implement security or create additional people resources. Properly designed ID&P systems take time to implement, maintain, manage, and generate progress toward intrusion prevention.

• Make up for bad network or application design

• Make up for or fix problematic business process

• Reliably implement controls if they don’t exist in the designed architecture on their own. They are audit/reporting mechanisms that, at best, can provide a last-resort fail-safe mechanism.

ID&P SYSTEMS: THE GREY AREAS

ID&P systems were born out of the need for an automated means to reduce and summarize logs from systems that typically nobody had bothered to enable or review before. They can’t reduce or summarize logs if the logs are not turned on.

• Some ID&P Systems help with audit log analysis

• Some provide the means for a logging methodology with support for: Reduction, Retention, Correlation, Reaction

WHAT ARE YOU TRYING TO DO?

System owners who wish to protect their networks, systems, and data from intruders need to identify up-front how they intend to do it.

Are they trying to

A) Stop attackers dead in their tracks, send a strong message to look elsewhere for an easy target, and complement other security controls?

B) Provide investigators with the information necessary to successfully prosecute individuals who are in violation of their country's laws?

C) All of the above?

WHAT ARE YOU TRYING TO DO?

The actions required to be successful in their eyes are entirely dependent on what it is they are trying to accomplish.

A properly deployed ID&P system's presence on the networks it is monitoring should be nearly undetectable. It must not open vulnerabilities which could potentially be used as an entry point to compromise or take down the systems. If it fails in this key area, it has caused the very thing it was designed to protect against!

IS IT MAGIC?

I've touched on what ID&P systems can and can't do, but I have not talked about what types there are or how they perform their "magic".

I am going to show you a matrix of twelve different areas of coverage, then identify what areas are most commonly missed.

What coverage types, vulnerability types, and reporting types encompass the areas loosely referred to as ID&P systems? Let's see how we did.

THE MATRIX

Intrusion Detection and Prevention Systems can be made to catch events at a network, operating system, or application level. They can catch things that are always present or things that come and go. They can show administrators things in real time or when they perform an event report analysis.

I have just described the elements of the matrix.

THE MATRIX

Legend: RT = Real Time Discovery and Reporting; RB = On Demand only Discovery and Reporting

                      Static        Dynamic
                      RT     RB     RT     RB
  Network
  Operating System
  Application

What areas are typically covered by properly implemented and maintained ID&P systems?

THE MATRIX

Areas commonly covered (highlighted on the original slide; the highlighting is not recoverable from the slide text).

Legend: RT = Real Time Discovery and Reporting; RB = On Demand only Discovery and Reporting

                      Static        Dynamic
                      RT     RB     RT     RB
  Network
  Operating System
  Application

THE MATRIX

Areas commonly covered manually by security analyst professionals (highlighted on the original slide; the highlighting is not recoverable from the slide text).

Legend: RT = Real Time Discovery and Reporting; RB = On Demand only Discovery and Reporting

                      Static        Dynamic
                      RT     RB     RT     RB
  Network
  Operating System
  Application

THE MATRIX

Areas commonly missed by IDS systems and security analyst professionals (highlighted on the original slide; the highlighting is not recoverable from the slide text). This area marks the greatest threat, because the industry lacks available counter-measures to mitigate the risk.

Legend: RT = Real Time Discovery and Reporting; RB = On Demand only Discovery and Reporting

                      Static        Dynamic
                      RT     RB     RT     RB
  Network
  Operating System
  Application

WHAT DOES THE MATRIX MEAN?

Network: a device put in place on the network which operates independently of all functional network equipment and servers for the sole purpose of monitoring, logging, intrusion detection, and intrusion prevention.

These are sniffer- or scanner-based systems.

WHAT DOES THE MATRIX MEAN?

Operating System: software installed on functional network equipment and servers for the purpose of monitoring, logging, intrusion detection, and intrusion prevention. OS-based measures demand a portion of the resources on each system and typically do not focus on the network layer. OS-based systems are able to perform more advanced operations or detect anomaly patterns specific to the host. OS-based IDS agents are able to catch things that network-based solutions miss. These are usually application-layer based and very dependent on logs.

WHAT DOES THE MATRIX MEAN?

Application: software installed on functional network equipment and servers for the purpose of monitoring, logging, intrusion detection, and intrusion prevention based on the individual sequences of events inside a program. Application-level systems detect changes to the system for the purpose of anomaly identification, automatic counter-measures, and reporting. They are designed to monitor events beyond the scope of network- or OS-based software.

WHAT DOES THE MATRIX MEAN?

Static: security risks that exist continually until configurations are changed to mitigate the risk.

Dynamic: security risks that are based on real-time attack sequence pattern detection or the changing status of a system.

Real time: reporting mechanisms that operate at the same speed as the system being monitored.

Report based: informative mechanisms that do not provide information until they are told to (or, sometimes, do not even bother to gather the information until then).

WHAT DOES THE MATRIX MEAN?

Network Dynamic Report Based systems entail reviewing logs from all network equipment, firewalls, servers, Intrusion Detection Systems, and Intrusion Prevention Systems, then carefully reviewing the information for inconsistencies. This requires manpower and can't be reasonably replaced by software solutions. Little software outside of database importing/reporting tools exists to make this job easier.
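As an added example (not from the presentation), a small Python log-review pass over constructed firewall, IDS and server lines: it walks the Reduction, Retention, Correlation and Reaction steps named under the grey areas above, and performs the cross-source inconsistency review described here for Network Dynamic Report Based systems. The line format, the source names and the retention and time-window thresholds are assumptions.

```python
from datetime import datetime, timedelta
# Constructed sample lines (not real logs) from a firewall, a network IDS sensor
# and a server auth log, all in a simple "ts source EVENT k=v ..." form.
SAMPLE_LOGS = [
    "2000-08-14T10:00:01 fw DENY src=10.1.1.5 dst=192.168.0.10 dport=23",
    "2000-08-14T10:00:02 fw DENY src=10.1.1.5 dst=192.168.0.10 dport=23",
    "2000-08-14T10:00:03 fw DENY src=10.1.1.5 dst=192.168.0.10 dport=23",
    "2000-08-14T10:00:40 ids ALERT src=10.1.1.5 sig=telnet-bruteforce",
    "2000-08-14T10:01:10 srv LOGIN_OK user=admin src=10.1.1.5",
    "2000-08-14T11:30:00 fw DENY src=10.2.2.9 dst=192.168.0.10 dport=80",
    "2000-08-10T09:00:00 srv LOGIN_OK user=bob src=10.3.3.3",
]

def parse(line):
    ts, source, event, *kvs = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "source": source, "event": event}
    rec.update(kv.split("=", 1) for kv in kvs)
    return rec

def retain(records, now, days):
    # Retention: keep only records inside the retention window.
    return [r for r in records if r["ts"] >= now - timedelta(days=days)]

def reduce_events(records):
    # Reduction: collapse repeats of one event (timestamp aside) into a counted record.
    merged = {}
    for r in records:
        key = tuple(sorted((k, v) for k, v in r.items() if k != "ts"))
        if key in merged:
            merged[key]["count"] += 1
        else:
            merged[key] = {**r, "count": 1}
    return list(merged.values())

def correlate(records, window):
    # Correlation: a source denied by the firewall, flagged by the IDS and then
    # logging in successfully within `window` is handed to the response team (Reaction).
    findings = []
    for src in sorted({r["src"] for r in records if "src" in r}):
        evs = [r for r in records if r.get("src") == src]
        if {"fw", "ids", "srv"} <= {e["source"] for e in evs}:
            span = max(e["ts"] for e in evs) - min(e["ts"] for e in evs)
            if span <= window:
                findings.append({"src": src, "span_seconds": int(span.total_seconds())})
    return findings

def review(lines, now_iso, retention_days=3, window_minutes=5):
    now, window = datetime.fromisoformat(now_iso), timedelta(minutes=window_minutes)
    reduced = reduce_events(retain([parse(l) for l in lines], now, retention_days))
    return reduced, correlate(reduced, window)
```

Run on the sample with `review(SAMPLE_LOGS, "2000-08-14T12:00:00")`: the stale 10.3.3.3 line is dropped, the three identical denies collapse to one record with a count of 3, and 10.1.1.5 is the single cross-source finding (69 seconds from first deny to successful login).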

WHAT DOES THE MATRIX MEAN?

Application Dynamic Real Time and Report Based systems entail designing and building "hacker smart" applications by applying anomaly discovery logic at a granular level, focused toward each individual routine inside of each and every application. Very little exists by way of standards for applications that would allow engineers to leverage ID or IPS technology here; therefore, very little is available to cover the application threat scenarios correctly.

WHAT'S MISSING?

There are other elements of risk identification and mitigation, such as new device discovery and new attack discovery.

Organizations should allocate a portion of their funds for the discovery element, because it is very difficult to protect from a threat unless it is known about and addressed in a timely manner.

Hardware and software management can and should be addressed directly by this area.

THE FUTURE

As standards unfold and products are released for application-level RT and RB ID&P, organizations will need to focus their security system growth in these areas.

To be successful, logging levels for individual transactions must be controllable by the application-level security systems. Application error reporting and application security systems must be able to feed each other information logically, or things may be missed.

THE FUTURE

The concept (a block diagram on the original slide; only its labels are recoverable):

Components: IDS; a specialized SNMP MIB for application counters, queried by an enterprise monitoring system; Applications Reporting; Log Reduction; Reporting and DB; IDS Reporting Tool; Response Team.

Connection labels: query; central monitoring; monitoring.