6/26/18
25-29 June 2018, PacNOG 22, Honiara, Solomon Islands
Supported by:
Network Security Fundamentals
Why Security?
• The Internet was initially designed for connectivity
– Trust is assumed, no security
– Security protocols added on top of TCP/IP
• Fundamental aspects of information must be protected
– Confidential data
– Employee information
– Business models
– Protect identity and resources
• The Internet has become fundamental to our daily activities (business, work, and personal)
Internet Evolution
Different ways to handle security as the Internet evolves
Stages shown on the timeline figure:
– LAN connectivity
– Application-specific
– More online content
– Application/data hosted in the "cloud"
Recent Incidents
• Slingshot (March 2018) - APT
– Active since 2012!
– Compromises MikroTik routers
• Not much clarity on how they do it, but assumed to be based on the ChimayRed exploit - https://github.com/BigNerd95/Chimay-Red
– Replaces one of the DLLs in the router's file system with a malicious one (ipv4.dll)
• Loaded into the user's computer when they run the Winbox tool
– Once infected
• Captures screenshots, collects network info, browser passwords, keystrokes etc.
Recent Incidents
• Meltdown/Spectre (Jan 2018)
– Exploit processor vulnerabilities!
• Intel, AMD, ARM
– Meltdown (CVE-2017-5754):
• Breaks the isolation between programs & OS
• An application could read kernel memory locations
– Spectre (CVE-2017-5753/CVE-2017-5715):
• Breaks isolation between applications
• An application could read other application memory
Recent Incidents
• (Not)Petya Ransomware/Wiper (June 2017)
– Exploited a backdoor in the MeDoc accounting suite
• Update pushed on June 22 from an update server (stolen credentials)
• Proxied to the attacker's machine (176.31.182.167)
– Spread laterally across the network (June 27)
• EternalBlue exploit (SMB exploit: MS17-010)
• Through PsExec/WMIC using clear-text passwords from memory
• C:\Windows\perfc.dat hosted the post-exploit code (called by rundll32.exe)
This document is uncontrolled when printed. Before use, check the APNIC electronic master document to verify that this is the current version.
Recent Incidents
• WannaCry Ransomware (May 2017)
– As of 12 May, 45K attacks across 74 countries
– Remote code execution in SMBv1 using the EternalBlue exploit
• TCP 445, or via NetBIOS (UDP/TCP 135-139)
– Patch released on 14 March 2017 (MS17-010)
• https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
– Exploit released on 14 April 2017
Recent Incidents
• SHA-1 is broken (Feb 23, 2017)
– Colliding PDF files: two different PDF files with the same SHA-1 hash, which can be abused to pass off a signature on the first PDF as a valid signature on the second.
• https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
Recent Incidents
• San Francisco Rail System Hacker Hacked (Nov 2016)
– Ransomware attack on San Francisco public transit gave everyone a free ride (cryptom27@yandex.com)
• Encrypts boot sectors (ransom for decryption) - Mamba
– Java vulnerability not patched (Security Alert CVE-2015-4852 since Nov 2015 from Oracle)
Shodan.io
• IoT online
• Can be searched!
haveibeenpwned.com
• Have you been compromised?
2 factor authentication - https://www.turnon2fa.com/tutorials
Let's Encrypt
Goals of Information Security
SECURITY rests on three goals (the CIA triangle in the figure):
• Confidentiality: prevents unauthorized use or disclosure of information
• Integrity: safeguards the accuracy and completeness of information
• Availability: authorized users have reliable and timely access to information
Threats, Vulnerability, and Risks
• Threat
– Circumstance or event with potential to cause harm to a networked system
• Vulnerability
– A weakness that can be exploited
• Software bugs
• Design flaws
• Configuration mistakes
• Lack of encryption
• Risk
– The likelihood that a particular vulnerability will be exploited
Threat
• "a motivated, capable adversary"
• Examples:
– Human Threats
• Intentional or unintentional
• Malicious or benign
– Natural Threats
• Earthquakes, tornadoes, floods, landslides
– Environmental Threats
• Long-term power failure, pollution, liquid leakage
Vulnerability
• A weakness in security procedures, network design, or implementation that can be exploited to violate a corporate security policy
– Software bugs
– Configuration mistakes
– Network design flaw
– Lack of encryption
• Where to check for vulnerabilities?
• Exploit
– Taking advantage of a vulnerability
Risk
• Likelihood that a vulnerability will be exploited
• Some questions:
– How likely is it to happen?
– What is the level of risk if we decide to do nothing?
– Will it result in data loss?
– What is the impact on the reputation of the company?
• Categories:
– High, medium or low risk
Risk = Threat * Vulnerability (* Impact)
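The formula above is usually applied to a risk register, where each item gets a threat, vulnerability and impact rating and the product decides whether it lands in the high, medium or low category. The following Python is an added example (not from the PacNOG slides): it scores a small register, ranks it to answer "what is the risk if we do nothing?", and shows how a control that lowers exploitability changes the score. The 1-3 scale, the category cut-offs and the sample entries are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Ordinal scale for each factor in Risk = Threat * Vulnerability (* Impact).
# Using 1-3 per factor is an assumption for this example.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskItem:
    name: str
    threat: str         # how likely a motivated adversary is to try (low/medium/high)
    vulnerability: str  # how exploitable the weakness is today (low/medium/high)
    impact: str         # consequence if it happens: data loss, reputation, downtime


def risk_score(item: RiskItem) -> int:
    """Threat * Vulnerability * Impact on the 1-3 scales, so the range is 1..27."""
    return LEVELS[item.threat] * LEVELS[item.vulnerability] * LEVELS[item.impact]


def risk_category(score: int) -> str:
    """Map the numeric score onto the high/medium/low categories.
    The cut-offs (>=12 high, >=6 medium) are an assumption for this example."""
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def rank_risks(items: List[RiskItem]) -> List[Tuple[str, int, str]]:
    """Answer 'what is the level of risk if we do nothing?': rank every item
    by its untreated score, highest first."""
    scored = [(risk_category(risk_score(i)), risk_score(i), i.name) for i in items]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def residual_risk(item: RiskItem, new_vulnerability: str) -> Tuple[int, int]:
    """Effect of a control that lowers exploitability (e.g. applying the patch):
    returns (score before, score after). Threat and impact stay as they were,
    because the control changes neither the adversary nor the asset's value."""
    before = risk_score(item)
    after = risk_score(RiskItem(item.name, item.threat, new_vulnerability, item.impact))
    return before, after


# Constructed register entries; the ratings assigned to them are assumptions.
REGISTER = [
    RiskItem("Unpatched critical bug in public web server", "high", "high", "high"),
    RiskItem("Terminated employees' credentials still active", "medium", "high", "high"),
    RiskItem("Default password on printer in isolated VLAN", "low", "high", "low"),
]

if __name__ == "__main__":
    for category, score, name in rank_risks(REGISTER):
        print(f"{category:6} {score:2}  {name}")
    print("patch the web server:", residual_risk(REGISTER[0], "low"))
```

Ranking the untreated scores makes the "do nothing" case explicit, and residual_risk shows why patching moves the web server item from 27 to 9 (medium) without touching the threat or impact ratings, which only a different control (or a different asset) could change.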
The Threat Matrix
Axis: Degree of Focus
– Joy hacks
– Opportunistic hacks
– Targeted attacks
– Advanced Persistent Threats
Source: Thinking Security – Steve M. Bellovin
Joy Hacks
• For fun - with little skill using known exploits
• Minimal damage - especially unpatched machines
• Random targets – anyone they can hit
• Most hackers start this way – learning curve
Opportunistic Hacks
• Skilled (often very skilled) - also don't care whom they hit
– Know many different vulnerabilities and techniques
• Profiting is the goal - bank account thefts, botnets, ransomware...
– WannaCry? Petya?
• Most phishers, virus writers, etc.
Targeted Attacks
• Have a specific target!
• Research the target and tailor attacks
– Physical reconnaissance
• At worst, an insider (behind all your defenses)
– Not so happy
• Tools like "spear-phishing"
• May use 0-days
Advanced Persistent Threats
• Highly skilled (well funded) - specific targets
– Mostly 0-days
• Sometimes (not always) working for a nation-state
– Think Stuxnet (up to four 0-days were used)
• May use non-cyber means:
– Burglary, bribery, and blackmail
• Note: many lesser attacks blamed on APTs
Are you a Target?
• Biggest risk?
– Assuming you are not interesting enough!
• Vendors/System Integrators and their take on security:
– Either underwhelming or overwhelming
Defense Strategies
• Depends on what you’re trying to protect
• Tactics that keep out teenagers won’t keep out a well-funded agency
• But stronger defenses are often much more expensive, and cause great inconvenience
Against Joy Hacks
• By definition, joy hackers use known exploits
• Patches exist for known holes:
– Up to date system patches
– Up to date antivirus database
• Ordinary enterprise-grade firewalls will also repel them
Opportunistic Hacks
• Sophisticated techniques used
• You need multiple layers of defense
– Up to date patches and anti-virus
– Firewalls
– Intrusion detection
– Lots of attention to log files
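"Lots of attention to log files" is the layer that catches an opportunistic attacker who got past the perimeter. The following Python is an added example (not from the PacNOG slides) of the kind of check an intrusion-detection rule or a log-review script applies: it reads sshd authentication lines, counts failed logins per source inside a sliding time window, and raises a higher-priority alert when a login is accepted from a source that had just been failing. The log lines are constructed for the example; the window and thresholds are assumptions to be tuned per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample in OpenSSH/syslog style (not from the slides). The first
# source fails five times in a few seconds and then succeeds; the second is a
# user who mistyped a password once and then logged in with a key.
SAMPLE_AUTH_LOG = """\
Jun 26 10:00:01 gw sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Jun 26 10:00:03 gw sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Jun 26 10:00:04 gw sshd[2101]: Failed password for root from 198.51.100.7 port 51024 ssh2
Jun 26 10:00:06 gw sshd[2101]: Failed password for root from 198.51.100.7 port 51025 ssh2
Jun 26 10:00:08 gw sshd[2101]: Failed password for root from 198.51.100.7 port 51026 ssh2
Jun 26 10:00:09 gw sshd[2101]: Accepted password for root from 198.51.100.7 port 51027 ssh2
Jun 26 10:05:00 gw sshd[2140]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Jun 26 10:05:30 gw sshd[2141]: Accepted publickey for alice from 192.0.2.10 port 40002 ssh2
"""

# Timestamp, outcome, user and source address of an sshd auth outcome line.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port"
)


def detect_ssh_abuse(log_text: str, year: int = 2018,
                     window: timedelta = timedelta(minutes=1),
                     bruteforce_threshold: int = 5,
                     suspicious_failures: int = 3) -> List[Tuple]:
    """Scan auth log lines and return alerts:
      ('bruteforce', src, count)            - src reached bruteforce_threshold
                                              failures inside the window
      ('success-after-failures', src, user) - a login was accepted from a src
                                              that already had >= suspicious_failures
                                              recent failures (investigate first)
    Syslog lines carry no year, so the caller supplies it."""
    recent_failures = defaultdict(deque)  # src -> failure timestamps within window
    already_flagged = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth outcome line; ignore
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        outcome, user, src = m.group(2), m.group(3), m.group(4)
        window_hits = recent_failures[src]
        while window_hits and ts - window_hits[0] > window:
            window_hits.popleft()  # slide the window forward
        if outcome == "Failed":
            window_hits.append(ts)
            if len(window_hits) >= bruteforce_threshold and src not in already_flagged:
                already_flagged.add(src)
                alerts.append(("bruteforce", src, len(window_hits)))
        elif len(window_hits) >= suspicious_failures:
            alerts.append(("success-after-failures", src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_abuse(SAMPLE_AUTH_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a burst of failures followed by an accepted login from the same address is what a successful password guess looks like in the log, whereas the single failure before alice's key login stays below the threshold and is not reported.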
Targeted Attacks
• Targeted attacks exploit knowledge of the target
– Try to block or detect reconnaissance
– Security policies and procedures matter a lot
• How do you respond to phone callers?
• What do people do with unexpected attachments?
• USB sticks in the parking lot
• Hardest case: disgruntled employee or ex-employee
– Already behind your defenses
– Think Manning & Snowden
Advanced Persistent Threats
• Very, very hard to defend against!
• Use all of the previous defenses
• There are no sure answers
• Pay special attention to policies and procedures
• Investigate all oddities
Putting CIA in Context
• Scenario: XYZ has a webmail for employees to access their email accounts. Sometimes they share reports and communicate with customers.
– Confidentiality:
• The username and password (user credentials) to access webmail should be known only to the user. Contents of the email communication should be available only to the intended recipients.
– Integrity:
• Emails that are received or sent out are not modified from their original form.
– Availability:
• Since email communication is critical to the company, this email service must be available all the time.
• Question: Think about what we can put in place to make sure the CIA goals can be achieved
Causes of Security Related Issues
• Protocol error
– No one gets it right the first time
• Software bugs
– Is it a bug or a feature?
• Active attack
– Target control/management plane
– Target data plane
– More probable than you think!
• Configuration mistakes
– Most common form of problem
Threat & Threat Source Example
Example 1
– Vulnerability: A critical vulnerability in the web server software was identified but software patches have not been applied
– Threat-Source: Unauthorized users (i.e. internal employees, hackers, criminals)
– Threat Action: Obtaining unauthorized access to information (files, sensitive information) on the web server
Example 2
– Vulnerability: Terminated employees' credentials (username & password) are not removed from the system
– Threat-Source: Terminated employees
– Threat Action: Accessing company systems and proprietary information
What Can Intruders Do?
• Eavesdrop - compromise routers, links, or DNS
• Send arbitrary messages (spoof IP headers and options)
• Replay recorded messages
• Modify messages in transit
• Write malicious code and trick people into running it
• Exploit bugs in software to 'take over' machines and use them as a base for future attacks
Attack Motivation
• Criminal
– Criminals who use critical infrastructure as a tool to commit crime
– Their motivation is money
• War Fighting/Espionage/Terrorist
– What most people think of when talking about threats to critical infrastructure
• Patriotic/Principle
– Large groups of people motivated by a cause - be it national pride or a passion, aka Anonymous
Attack Motivation
• Nation States want SECRETS
• Organized criminals want MONEY
• Protesters or activists want ATTENTION
• Hackers and researchers want KNOWLEDGE
Source: NANOG 60 keynote presentation by Jeff Moss, Feb 2014
Goals are Determined by
• Services offered vs. security provided
– Each service offers its own security risk
• Ease of use vs. security
– The easiest system to use allows access to any user without a password
• Cost of security vs. risk of loss
– Cost to maintain
Goals must be communicated to all users, staff and managers through a set of security rules called a "security policy"
Example of Security Controls
Category: Policy & Procedure
– Example of Controls: Cyber Security Policy, Incident Handling Procedure
– Purpose: Make everyone aware of the importance of security, define roles and responsibilities, scope of the problem
Category: Technical
– Example of Controls: Firewall, Intrusion Detection System, Anti Virus Software
– Purpose: Prevent and detect potential attacks, mitigate risk of breach at the network or system layer
Category: Physical
– Example of Controls: CCTV, Locks, Secure working space
– Purpose: Prevent physical theft of information assets or unauthorized physical access
CSIRT / CERT
• Computer Security Incident Response Team or Computer Emergency Response Team
• A CSIRT performs, coordinates, and supports the response to security incidents that involve sites within a defined constituency
• Must react to reported security incidents or threats
• In ways which the specific community agrees to be in its general interest
• T = Team = Entity (Unit/Organization) that does IR work!
Constituency
• A CSIRT serves its constituents
• The constituency helps define:
– What is the purpose & nature of the CSIRT
– Who is the CSIRT serving
– What types of security incidents the CSIRT handles
– What are the relationships with other CSIRTs
• Examples of Constituents:
– Enterprise / Single Organization
– Sector Based
– Critical Infrastructure
– Product
– National / Country
– Customer
• Constituents might overlap
– Co-ordination is key
– CSIRT of the "Last Resort"
Different Types of CSIRTs
• Enterprise CSIRTs
– Provide incident handling services to their parent organization. This could be a CSIRT for a bank, a manufacturing company, an ISP, a university, or a federal agency.
• National CSIRTs
– Provide incident handling services to a country.
• Coordination Centers
– Coordinate and facilitate the handling of incidents across various CSIRTs. Examples include the CERT Coordination Center or the United States Computer Emergency Readiness Team (US-CERT).
• Analysis Centers
– Focus on synthesizing data from various sources to determine trends and patterns in incident activity. This information can be used to help predict future activity or to provide early warning when the activity matches a set of previously determined characteristics.
• Vendor Teams
– Handle reports of vulnerabilities in their software or hardware products. They may work within the organization to determine if their products are vulnerable and to develop remediation and mitigation strategies. A vendor team may also be the internal CSIRT for a vendor organization.
• Incident Response Providers
– Offer incident handling services as a for-fee service to other organizations.
(Source: US-CERT https://www.cert.org/incident-management/csirt-development/csirt-faq.cfm)
Why a CSIRT?
• Security Incidents Happen!
– Execute incident response plans
– Assurance to customers and stakeholders
– Best Practice
• Mitigate Loss or Damage
– Point of Contact
– Governance
• Compliance to Standards
– Cyber Security Framework
– ISO 27001, ITIL
– Compliance with Law or Regulations
• Security Improvements
– Analyze Incidents and Provide Lessons Learned
• Resource Allocation
– Dedicated Service(s)
– Human Resources, Skills
– Specific Policies and SOPs
– Point of Contact
Whois Database: Incident Response Team Object
inetnum:        1.1.1.0 - 1.1.1.255
netname:        APNIC-LABS
descr:          Research prefix for APNIC Labs
descr:          APNIC
country:        AU
admin-c:        AR302-AP
tech-c:         AR302-AP
mnt-by:         APNIC-HM
mnt-routes:     MAINT-AU-APNIC-GM85-AP
mnt-irt:        IRT-APNICRANDNET-AU
status:         ASSIGNED PORTABLE
changed:        hm-changed@apnic.net 20140507
changed:        hm-changed@apnic.net 20140512
source:         APNIC

irt:            IRT-APNICRANDNET-AU
address:        PO Box 3646
address:        South Brisbane, QLD 4101
address:        Australia
e-mail:         abuse@apnic.net
abuse-mailbox:  abuse@apnic.net
admin-c:        AR302-AP
tech-c:         AR302-AP
auth:           # Filtered
mnt-by:         MAINT-AU-APNIC-GM85-AP
changed:        hm-changed@apnic.net 20110922
source:         APNIC
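The point of the irt object is that an incident responder can go from an address range to the team that handles abuse for it: the inetnum's mnt-irt attribute names the irt object, and the irt object's abuse-mailbox says where to send the report. The following Python is an added example (not from the PacNOG slides) that parses a whois reply of this shape and follows that reference; the reply text is the objects shown on the slide, re-typed as a constructed sample, and the handling of a missing irt object (fall back to tech-c/admin-c) is this example's choice.

```python
from typing import Dict, List, Optional

# Constructed sample: the inetnum and irt objects from the slide, re-typed as
# a plain-text whois reply for 1.1.1.0/24 (APNIC Labs research prefix).
SAMPLE_WHOIS = """\
inetnum:        1.1.1.0 - 1.1.1.255
netname:        APNIC-LABS
descr:          Research prefix for APNIC Labs
descr:          APNIC
country:        AU
admin-c:        AR302-AP
tech-c:         AR302-AP
mnt-by:         APNIC-HM
mnt-routes:     MAINT-AU-APNIC-GM85-AP
mnt-irt:        IRT-APNICRANDNET-AU
status:         ASSIGNED PORTABLE
changed:        hm-changed@apnic.net 20140507
changed:        hm-changed@apnic.net 20140512
source:         APNIC

irt:            IRT-APNICRANDNET-AU
address:        PO Box 3646
address:        South Brisbane, QLD 4101
address:        Australia
e-mail:         abuse@apnic.net
abuse-mailbox:  abuse@apnic.net
admin-c:        AR302-AP
tech-c:         AR302-AP
auth:           # Filtered
mnt-by:         MAINT-AU-APNIC-GM85-AP
changed:        hm-changed@apnic.net 20110922
source:         APNIC
"""

WhoisObject = Dict[str, List[str]]


def parse_whois(text: str) -> List[WhoisObject]:
    """Split an RPSL-style reply into objects (blank-line separated). Each
    object maps attribute -> list of values, keeping repeated attributes such
    as the several address: lines; the first key is the object class."""
    objects: List[WhoisObject] = []
    current: WhoisObject = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("%"):  # object separator / server comment
            if current:
                objects.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line in this sample
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def object_class(obj: WhoisObject) -> str:
    return next(iter(obj))  # dicts keep insertion order, so this is the first attribute


def incident_contact(text: str) -> Optional[Dict[str, str]]:
    """Follow inetnum -> mnt-irt -> irt and return where to send an abuse
    report. Returns None when the range has no IRT reference or the referenced
    irt object is absent from the reply; the caller then falls back to the
    tech-c / admin-c handles instead."""
    objects = parse_whois(text)
    inetnums = [o for o in objects if object_class(o) == "inetnum"]
    if not inetnums:
        return None
    net = inetnums[0]
    irt_name = net.get("mnt-irt", [None])[0]
    if irt_name is None:
        return None
    for obj in objects:
        if object_class(obj) == "irt" and obj["irt"][0] == irt_name:
            mailbox = obj.get("abuse-mailbox") or obj.get("e-mail") or ["(none listed)"]
            changed = obj.get("changed", [])
            return {
                "range": net["inetnum"][0],
                "irt": irt_name,
                "abuse-mailbox": mailbox[0],
                # last token of the newest changed: line is the YYYYMMDD date
                "last-changed": changed[-1].split()[-1] if changed else "",
            }
    return None


if __name__ == "__main__":
    print(incident_contact(SAMPLE_WHOIS))
```

The last-changed date is worth surfacing alongside the mailbox: an irt object that has not been touched in years is a hint that the contact may be stale, so a report should be followed up through the tech-c if it goes unanswered.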
Summary
• Use proper crypto
• Multi-layered security
– Updated patches and AVs
– Backup important data
– Firewalls
– IDS/IPS (anomaly detection)
• Strictly follow security procedures
– Revise and audit frequently
Challenges in Implementing Security
• Many
– Lack of Awareness
– Not enough resources
– We are moving too slow
• Root Cause?
• Challenges to Security Professionals
– Don't know where to start
– Too many things to learn & master
– Too expensive to do training and certifications
– No support from end-users & top management
– 24x7 expectations - I have my own life!
Computer Security
Solutions
• Make security a priority (Sell it)
• Don't reinvent the wheel
• Keep on learning
• Keep sharing and contributing