Security and the System Administrator

Page 1© Deloitte & Touche 2000

Security and the System Administrator


William Hugh Murray24 East Avenue

Suite 1362New Canaan, CT 06840

(203)[email protected]



Bio William Hugh Murray

Bill Murray is information system security consultant toDeloitte & Touche. He has more than thirty-five yearsexperience in data processing and more than twenty insecurity.

During more than twenty-five years with IBM his managementresponsibilities included development of access controlprograms, advising IBM customers on security, and thearticulation of the security product plan.

In 1987 he received the Fitzgerald Memorial Award forleadership in data security. In 1989 he received the JosephJ. Wasserman Award for contributions to security, audit andcontrol.

Mr. Murray holds the Bachelor of Science degree in BusinessAdministration from Louisiana State University, and is agraduate of the Jesuit Preparatory High School of NewOrleans.



Abstract

Everything that business or government does with computers or communications becomes part of the social and economic infra-structure of the twenty-first century. Much of the configuration and operation of this novel and critical infrastructure will be in the hands of the system and network administrators. They are often the first to be called when the infrastructure is stressed or breaks, but their training is often on-the-job, remedial, and late. Although they understand the weaknesses and limitations of their materials all too well, they are rarely taught how to compensate for those weaknesses. Out of necessity, their security approach tends to be reactive and remedial.

This presentation will provide system and network administrators with a set of broadly applicable strategies and proactive approaches they can use to protect systems from outside interference and contamination, provide appropriate application con-trols, and protect their networks from undesired traffic. Among other things, it will address policy and service-level agreements; when to plan and for what; effective use of access controls; strong network perimeters and how to compensate for leaks; and how to use weak materials to build strong systems.



Security Objectives

Protect Applications from Interference or Contamination

Preserve Confidentiality, Integrity, and Availability of Data

Protect employees from temptation and suspicion Preserve the continuity of the business Protect Management from Charges of Imprudence



$

Security

Cost of Losses



$

Security

Cost of Losses

Cost of Security



$

Security

Cost of Losses

Cost of SecurityTotal Cost



Character of Costs

Cost of Losses:

infrequent irregular uncertain unexpected threatening

Cost of Security:

frequent regular certain budgeted cost of doing business



Sources of loss



Other sources of loss

All acts by outsiders

malicious programs Trojan Horses Viruses Logic bombs Worms Other

espionage



Consequences

Frequency

Lo Hi

Lo

Hi

Jacobson’s Window



Consequences

Frequency

Lo Hi

Lo

Hi Empty

Jacobson’s Window



Consequences

Frequency

Lo Hi

Lo

Hi

Trivial

Jacobson’s Window



Consequences

Frequency

Lo Hi

Lo

HiFireFraudEarthquake

Jacobson’s Window



Consequences

Frequency

Lo Hi

Lo

HiInsurance & Planning

Jacobson’s Window



Consequences

Frequency

Lo Hi

Lo

Hi

Errors &Omissions

Jacobson’s Window



Consequences

Frequency

Lo Hi

Lo

Hi

Security &Management

Jacobson’s Window



Characterization of Threats and Vulnerabilities

natural v. accidental v. insiders v. passive v. manual v. trial and error v. local v.

man-made

intentional

outsiders

active

automatic

systematic

global



Attacks & Attackers

“social engineering” guessing short dictionary or sweet list long dictionary exhaustive browsing eavesdropping spoofing

password grabbers Trojan Horses



Targets

Targets of Opportunity highly visible low cost of attack unknown value of success



Cost of Attack

WorkAccess Indifference to detectionSpecial KnowledgeTime to corrective actionAny one can reduce the requirements for any of the

others; there is enough of these in the world to break any system.



Cost of Attack





Cost of Attack





Targets

Targets of Opportunity highly visible low cost of attack unknown value of success

Targets of Choice expected value of success greater than expected cost of attack



Value of Success

Computer timeData, information, knowledge,

application valueAccess to other networks IdentityAnonymityTrust or confidence



Cost to Victim

Loss of confidentialityLoss of integrity Loss of reliability and trust Loss of use Liability to third partiesLoss of resources for restoration



Cost of System Security is measured in :

GeneralityFlexibilityPerformance And Functionality

Get used to it!



Courtney’s Laws

Nothing useful can be said about security except in the context of an application and an environment.

Never spend more money eliminating a vulnerability than tolerating it will cost you.

There are management solutions to technical problems but there are no technical solutions to management problems.



safe environment management direction supervision accountability copies of the data access control secret codes (crypto) contingency planning

Efficient Security Measures:



Policy

A statement of management’s intent Expressed as objectives or practices Translated to access control policy Mapped to a system policy



Why Systems Fail?

Poor Design Inadequate Materials Poor Fabrication Poor Maintenance Improper Operation Abuse and Misuse



Sufficient Conditions for the Success of a Virus

Large population of similar machines

Sharing within the populationA place for the virus to store the

replicaA way for it to get itself executed(Creates replicas faster than they

are destroyed)



Enterprise Security in the 90s

Inadequate expression of management intent

Multiple signons, ids, and passwords Multiple points of control Unsafe defaults Complex administration Late recognition of problems

We are being overwhelmed once more!



Recommendations

Prefer single application or single user system to multi-application multi-user (think servers)

Hide operating systems from the network

Restrict write access…. ….to a single process per

object Restrict read access to

mutable objects….. …. to those who can

change them Application end-to-end

encryption (PPTP, L2TP, other)

Scan for viruses in and out

Scan for viruses on desktop and servers.

Scan for viruses Layer your defenses. Prefer application-aware

composed firewalls between layers.

Man the walls! Economy of Logon Client-side strong

authentication



Strong Authentication

Two kinds of evidence from list of something one person knows (e.g., pass-phrase) has, (token) is, (biometric, e.g., visage) or can do (e.g., speech)

At least one of which is resistant to replay



“We are not building toy systems anymore.”

Documents

Security and the System Administrator