
APNIC Training Wiki - Network Security Fundamentals · 2018-06-25


6/26/18

25-29 June 2018, PacNOG 22, Honiara, Solomon Islands

Network Security Fundamentals

Why Security?

• The Internet was initially designed for connectivity
  – Trust is assumed, no security
  – Security protocols added on top of TCP/IP

• Fundamental aspects of information must be protected
  – Confidential data
  – Employee information
  – Business models
  – Protect identity and resources

• The Internet has become fundamental to our daily activities (business, work, and personal)


Internet Evolution

Different ways to handle security as the Internet evolves:
• LAN connectivity
• Application-specific
• More online content
• Application/data hosted in the “cloud”

Recent Incidents

• Slingshot (March 2018) - APT
  – Active since 2012!
  – Compromises MikroTik routers
    • Not much clarity on how they do it, but assumed to be based on the ChimayRed exploit - https://github.com/BigNerd95/Chimay-Red
  – Replaces one of the DLLs in the router's file system with a malicious one (ipv4.dll)
    • Loaded onto the user's computer when they run the Winbox tool
  – Once infected:
    • Captures screenshots, collects network info, browser-stored passwords, keystrokes, etc.


Recent Incidents

• Meltdown/Spectre (Jan 2018)
  – Exploit processor vulnerabilities!
    • Intel, AMD, ARM
  – Meltdown (CVE-2017-5754):
    • Breaks the isolation between programs & OS
    • An application could read kernel memory locations
  – Spectre (CVE-2017-5753/CVE-2017-5715):
    • Breaks isolation between applications
    • An application could read other applications' memory

Recent Incidents

• (Not)Petya Ransomware/Wiper (June 2017)
  – Exploited a backdoor in the MeDoc accounting suite
    • Update pushed on June 22 from an update server (stolen credentials)
    • Proxied to the attacker’s machine (176.31.182.167)
  – Spread laterally across the network (June 27)
    • EternalBlue exploit (SMB exploit: MS17-010)
    • Through PsExec/WMIC using clear-text passwords from memory
    • C:\Windows\perfc.dat hosted the post-exploit code (called by rundll32.exe)

This document is uncontrolled when printed. Before use, check the APNIC electronic master document to verify that this is the current version.


Recent Incidents

• WannaCry Ransomware (May 2017)
  – As of 12 May, 45K attacks across 74 countries
  – Remote code execution in SMBv1 using the EternalBlue exploit
    • TCP 445, or via NetBIOS (UDP/TCP 135-139)
  – Patch released on 14 March 2017 (MS17-010)
    • https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  – Exploit released on 14 April 2017
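As an added example (not from the APNIC slides), the Python routine below checks a perimeter log for the exposure WannaCry exploited: it scans netfilter-style firewall lines for inbound attempts against SMB (TCP 445) and NetBIOS (TCP/UDP 135-139) from outside the organisation's own RFC1918 space, and flags any source that sweeps several internal hosts, the signature of worm-style spreading. The log lines, the internal address ranges and the three-host threshold are constructed assumptions.

```python
"""Detect inbound SMB/NetBIOS attempts (the WannaCry/EternalBlue vector) in
netfilter-style firewall logs. Added example with constructed sample data."""
import ipaddress
import re

# Ports named on the slide: SMB on TCP 445, NetBIOS on TCP/UDP 135-139.
SMB_PORTS = {("TCP", 445)} | {(p, n) for p in ("TCP", "UDP") for n in range(135, 140)}
# Assumption: the organisation's own space is RFC1918; anything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_line(line):
    """Pull SRC/DST/PROTO/DPT out of a netfilter log line; None if any is missing."""
    fields = dict(FIELD_RE.findall(line))
    if any(k not in fields for k in ("SRC", "DST", "PROTO", "DPT")) or not fields["DPT"].isdigit():
        return None
    fields["DPT"] = int(fields["DPT"])
    return fields


def is_internal(ip_text):
    """True when the address falls inside one of INTERNAL_NETS; malformed -> False."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def smb_exposure_hits(lines):
    """Inbound SMB/NetBIOS attempts: external source, internal destination, listed port."""
    hits = []
    for line in lines:
        f = parse_line(line)
        if f is None or (f["PROTO"], f["DPT"]) not in SMB_PORTS:
            continue
        if not is_internal(f["SRC"]) and is_internal(f["DST"]):
            hits.append((f["SRC"], f["DST"], f["PROTO"], f["DPT"]))
    return hits


def scanning_sources(hits, min_hosts=3):
    """Sources probing SMB on at least min_hosts distinct hosts: a worm-like sweep."""
    targets = {}
    for src, dst, _, _ in hits:
        targets.setdefault(src, set()).add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_hosts)


# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    "May 12 08:01:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=10.10.1.10 PROTO=TCP SPT=51234 DPT=445 SYN",
    "May 12 08:01:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=10.10.1.11 PROTO=TCP SPT=51235 DPT=445 SYN",
    "May 12 08:01:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=10.10.1.12 PROTO=TCP SPT=51236 DPT=445 SYN",
    "May 12 08:02:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.10.1.10 PROTO=UDP SPT=137 DPT=137",
    "May 12 08:02:30 gw kernel: IN=eth1 OUT= SRC=10.0.0.4 DST=10.10.1.10 PROTO=TCP SPT=49152 DPT=445 SYN",
    "May 12 08:03:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.10.1.10 PROTO=TCP SPT=40000 DPT=443 SYN",
    "May 12 08:03:05 gw sshd[991]: Accepted publickey for ops from 10.0.0.4",
]

if __name__ == "__main__":
    hits = smb_exposure_hits(SAMPLE_LOG)
    for hit in hits:
        print("inbound SMB/NetBIOS attempt: %s -> %s %s/%d" % hit)
    print("sweeping sources:", scanning_sources(hits))
```

On the sample, the internal 10.0.0.4 connection and the port 443 probe are ignored, four inbound SMB/NetBIOS attempts are reported, and 203.0.113.5 is flagged as a sweeping source.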

Recent Incidents

• SHA-1 is broken (Feb 23, 2017)
  – Colliding PDF files: obtain the same SHA-1 hash for two different PDF files, which can be abused so that a valid signature on one PDF also validates the second PDF file.
    • https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html


Recent Incidents

• San Francisco Rail System Hacker Hacked (Nov 2016)
  – Ransomware attack on San Francisco public transit gave everyone a free ride (cryptom27@yandex.com)
    • Encrypts boot sectors (ransom for decryption) - Mamba
  – Java vulnerability not patched (Security Alert CVE-2015-4852 since Nov 2015 from Oracle)

Shodan.io

• IoT online
• Can be searched!


haveibeenpwned.com

• Have you been compromised?

2 factor authentication - https://www.turnon2fa.com/tutorials

Let’s Encrypt


Goals of Information Security

SECURITY rests on three goals (the CIA triad):
• Confidentiality: prevents unauthorized use or disclosure of information
• Integrity: safeguards the accuracy and completeness of information
• Availability: authorized users have reliable and timely access to information

Threats, Vulnerability, and Risks

• Threat
  – Circumstance or event with potential to cause harm to a networked system

• Vulnerability
  – A weakness that can be exploited
    • Software bugs
    • Design flaws
    • Configuration mistakes
    • Lack of encryption

• Risk
  – The likelihood that a particular vulnerability will be exploited


Threat

• “a motivated, capable adversary”
• Examples:
  – Human Threats
    • Intentional or unintentional
    • Malicious or benign
  – Natural Threats
    • Earthquakes, tornadoes, floods, landslides
  – Environmental Threats
    • Long-term power failure, pollution, liquid leakage

Vulnerability

• A weakness in security procedures, network design, or implementation that can be exploited to violate a corporate security policy
  – Software bugs
  – Configuration mistakes
  – Network design flaws
  – Lack of encryption

• Where to check for vulnerabilities?

• Exploit
  – Taking advantage of a vulnerability


Risk

• Likelihood that a vulnerability will be exploited
• Some questions:
  – How likely is it to happen?
  – What is the level of risk if we decide to do nothing?
  – Will it result in data loss?
  – What is the impact on the reputation of the company?

• Categories:
  – High, medium or low risk

Risk = Threat * Vulnerability (* Impact)

The Threat Matrix

[Diagram: attack classes placed by Degree of Focus, from Joy hacks and Opportunistic hacks (unfocused) to Targeted attacks and Advanced Persistent Threats (focused)]

Source: Thinking Security – Steve M. Bellovin


Joy Hacks

• For fun - with little skill, using known exploits
• Minimal damage - especially unpatched machines
• Random targets – anyone they can hit
• Most hackers start this way – learning curve

Opportunistic Hacks

• Skilled (often very skilled) - also don’t care whom they hit
  – Know many different vulnerabilities and techniques
• Profiting is the goal - bank account thefts, botnets, ransomware…
  – WannaCry? Petya?
• Most phishers, virus writers, etc.


Targeted Attacks

• Have a specific target!
• Research the target and tailor attacks
  – Physical reconnaissance
• At worst, an insider (behind all your defenses)
  – Not so happy
• Tools like “spear-phishing”
• May use 0-days

Advanced Persistent Threats

• Highly skilled (well funded) - specific targets
  – Mostly 0-days
• Sometimes (not always) working for a nation-state
  – Think Stuxnet (up to four 0-days were used)
• May use non-cyber means:
  – Burglary, bribery, and blackmail
• Note: many lesser attacks are blamed on APTs


Are you a Target?

• Biggest risk?
  – Assuming you are not interesting enough!
• Vendors/System Integrators and their take on security:
  – Either underwhelming or overwhelming ☹

Defense Strategies

• Depends on what you’re trying to protect
• Tactics that keep out teenagers won’t keep out a well-funded agency
• But stronger defenses are often much more expensive, and cause great inconvenience


Against Joy Hacks

• By definition, joy hackers use known exploits
• Patches exist for known holes:
  – Up-to-date system patches
  – Up-to-date antivirus database
• Ordinary enterprise-grade firewalls will also repel them

Opportunistic Hacks

• Sophisticated techniques used
• You need multiple layers of defense
  – Up-to-date patches and anti-virus
  – Firewalls
  – Intrusion detection
  – Lots of attention to log files


Targeted Attacks

• Targeted attacks exploit knowledge of the target
  – Try to block or detect reconnaissance
  – Security policies and procedures matter a lot
    • How do you respond to phone callers?
    • What do people do with unexpected attachments?
    • USB sticks in the parking lot
• Hardest case: disgruntled employee or ex-employee
  – Already behind your defenses
  – Think Manning & Snowden

Advanced Persistent Threats

• ☹ Very, very hard to defend against!
• Use all of the previous defenses
• There are no sure answers
• Pay special attention to policies and procedures
• Investigate all oddities


Putting CIA in Context

• Scenario: XYZ has a webmail for employees to access their email accounts. Sometimes they share reports and communicate with customers.
  – Confidentiality:
    • The username and password (user credentials) to access webmail should be known only to the user. Contents of the email communication should be available only to the intended recipients.
  – Integrity:
    • Emails that are received or sent out are not modified from their original form.
  – Availability:
    • Since email communication is critical to the company, this email service must be available all the time.

• Question: Think about what we can put in place to make sure the CIA can be achieved

Causes of Security Related Issues

• Protocol error
  – No one gets it right the first time
• Software bugs
  – Is it a bug or a feature?
• Active attack
  – Target control/management plane
  – Target data plane
  – More probable than you think!
• Configuration mistakes
  – Most common form of problem


Threat & Threat Source Example

Vulnerability: A critical vulnerability in the web server software was identified but software patches have not been applied
Threat-Source: Unauthorized users (i.e. internal employees, hackers, criminals)
Threat Action: Obtaining unauthorized access to information (files, sensitive information) on the web server

Vulnerability: Terminated employees’ credentials (username & password) are not removed from the system
Threat-Source: Terminated employees
Threat Action: Accessing company systems and proprietary information

What Can Intruders Do?

• Eavesdrop - compromise routers, links, or DNS
• Send arbitrary messages (spoof IP headers and options)
• Replay recorded messages
• Modify messages in transit
• Write malicious code and trick people into running it
• Exploit bugs in software to ‘take over’ machines and use them as a base for future attacks


Attack Motivation

• Criminal
  – Criminals who use critical infrastructure as a tool to commit crime
  – Their motivation is money
• War Fighting/Espionage/Terrorist
  – What most people think of when talking about threats to critical infrastructure
• Patriotic/Principle
  – Large groups of people motivated by a cause - be it national pride or a passion, aka Anonymous

Attack Motivation

• Nation States want SECRETS
• Organized criminals want MONEY
• Protesters or activists want ATTENTION
• Hackers and researchers want KNOWLEDGE

Source: NANOG 60 keynote presentation by Jeff Moss, Feb 2014


Goals are Determined by

• Services offered vs. security provided
  – Each service offers its own security risk
• Ease of use vs. security
  – Easiest system to use allows access to any user without password
• Cost of security vs. risk of loss
  – Cost to maintain

Goals must be communicated to all users, staff, managers, through a set of security rules called “security policy”

Example of Security Controls

Category: Policy & Procedure
Example of Controls: Cyber Security Policy, Incident Handling Procedure
Purpose: Make everyone aware of the importance of security, define roles and responsibilities, scope of the problem

Category: Technical
Example of Controls: Firewall, Intrusion Detection System, Anti Virus Software
Purpose: Prevent and detect potential attacks, mitigate risk of breach at the network or system layer

Category: Physical
Example of Controls: CCTV, Locks, Secure working space
Purpose: Prevent physical theft of information assets or unauthorized physical access


CSIRT / CERT

• Computer Security Incident Response Team or Computer Emergency Response Team
• A CSIRT performs, coordinates, and supports the response to security incidents that involve sites within a defined constituency
• Must react to reported security incidents or threats
• In ways which the specific community agrees to be in its general interest
• T = Team = Entity (Unit/Organization) that does IR work!

Constituency

• A CSIRT serves its constituents
• Constituency helps define:
  – What is the purpose & nature of the CSIRT
  – Who the CSIRT is serving
  – What types of security incidents the CSIRT handles
  – What the relationships are with other CSIRTs
• Examples of constituents:
  – Enterprise / Single Organization
  – Sector Based
  – Critical Infrastructure
  – Product
  – National / Country
  – Customer
• Constituents might overlap
  – Co-ordination is key
  – CSIRT of the “Last Resort”


Different Types of CSIRTs

• Enterprise CSIRTs
  – Provide incident handling services to their parent organization. This could be a CSIRT for a bank, a manufacturing company, an ISP, a university, or a federal agency.
• National CSIRTs
  – Provide incident handling services to a country.
• Coordination Centers
  – Coordinate and facilitate the handling of incidents across various CSIRTs. Examples include the CERT Coordination Center or the United States Computer Emergency Readiness Team (US-CERT).
• Analysis Centers
  – Focus on synthesizing data from various sources to determine trends and patterns in incident activity. This information can be used to help predict future activity or to provide early warning when the activity matches a set of previously determined characteristics.
• Vendor Teams
  – Handle reports of vulnerabilities in their software or hardware products. They may work within the organization to determine if their products are vulnerable and to develop remediation and mitigation strategies. A vendor team may also be the internal CSIRT for a vendor organization.
• Incident Response Providers
  – Offer incident handling services as a for-fee service to other organizations.

(Source: US-CERT https://www.cert.org/incident-management/csirt-development/csirt-faq.cfm)

Why a CSIRT?

• Security Incidents Happen!
  – Execute incident response plans
  – Assurance to customers and stakeholders
  – Best practice
• Mitigate Loss or Damage
  – Point of contact
  – Governance
• Compliance to Standards
  – Cyber Security Framework
  – ISO 27001, ITIL
  – Compliance with law or regulations
• Security Improvements
  – Analyze incidents and provide lessons learned
• Resource Allocation
  – Dedicated service(s)
  – Human resources, skills
  – Specific policies and SOPs
  – Point of contact


Whois Database: Incident Response Team Object

inetnum:        1.1.1.0 - 1.1.1.255
netname:        APNIC-LABS
descr:          Research prefix for APNIC Labs
descr:          APNIC
country:        AU
admin-c:        AR302-AP
tech-c:         AR302-AP
mnt-by:         APNIC-HM
mnt-routes:     MAINT-AU-APNIC-GM85-AP
mnt-irt:        IRT-APNICRANDNET-AU
status:         ASSIGNED PORTABLE
changed:        hm-changed@apnic.net 20140507
changed:        hm-changed@apnic.net 20140512
source:         APNIC

irt:            IRT-APNICRANDNET-AU
address:        PO Box 3646
address:        South Brisbane, QLD 4101
address:        Australia
e-mail:         abuse@apnic.net
abuse-mailbox:  abuse@apnic.net
admin-c:        AR302-AP
tech-c:         AR302-AP
auth:           # Filtered
mnt-by:         MAINT-AU-APNIC-GM85-AP
changed:        hm-changed@apnic.net 20110922
source:         APNIC
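The link that makes the IRT object useful during an incident is the mnt-irt attribute on the inetnum: it names the irt object whose abuse-mailbox is the contact for that prefix. As an added example (not APNIC's code), the Python below parses whois (RPSL) text into objects, finds the most specific inetnum covering an IPv4 address, and follows mnt-irt to the abuse mailbox; the embedded sample is a trimmed copy of the objects shown on the slide rather than a live query.

```python
"""Resolve the abuse contact for an IPv4 address from APNIC-style whois (RPSL)
text by following inetnum -> mnt-irt -> irt. Added example; the sample is a
trimmed copy of the objects shown on the slide, not a live whois query."""
import ipaddress

WHOIS_TEXT = """\
inetnum:        1.1.1.0 - 1.1.1.255
netname:        APNIC-LABS
mnt-irt:        IRT-APNICRANDNET-AU
source:         APNIC

irt:            IRT-APNICRANDNET-AU
e-mail:         abuse@apnic.net
abuse-mailbox:  abuse@apnic.net
source:         APNIC
"""

def parse_objects(text):
    """Blank-line separated RPSL objects as lists of (key, value); repeats kept, %/# comments skipped."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if line.startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if sep:
            current.append((key.strip(), value.strip()))
    if current:
        objects.append(current)
    return objects

def attr(obj, key):
    """All values of one attribute on an object (RPSL allows repeats)."""
    return [v for k, v in obj if k == key]

def find_inetnum(objects, ip):
    """The inetnum whose 'start - end' range covers ip; the most specific range wins."""
    addr = ipaddress.ip_address(ip)
    best, best_size = None, None
    for obj in objects:
        if not obj or obj[0][0] != "inetnum":
            continue
        lo, _, hi = obj[0][1].partition("-")
        lo, hi = ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())
        if lo.version != addr.version or not lo <= addr <= hi:
            continue
        if best is None or int(hi) - int(lo) < best_size:
            best, best_size = obj, int(hi) - int(lo)
    return best

def abuse_contact(text, ip):
    """abuse-mailbox (falling back to e-mail) of the IRT linked to ip's inetnum, or None."""
    objects = parse_objects(text)
    net = find_inetnum(objects, ip)
    if net is None:
        return None
    irt_names = attr(net, "mnt-irt")
    for obj in objects:
        if obj and obj[0][0] == "irt" and obj[0][1] in irt_names:
            mailbox = attr(obj, "abuse-mailbox") or attr(obj, "e-mail")
            return mailbox[0] if mailbox else None
    return None
```

abuse_contact(WHOIS_TEXT, "1.1.1.53") returns abuse@apnic.net, and an address outside the prefix returns None; the same functions work on the output of a real whois query, whose "%" comment lines are skipped.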

Summary

• Use proper crypto
• Multi-layered security
  – Updated patches and AVs
  – Backup important data
  – Firewalls
  – IDS/IPS (anomaly detection)
• Strictly follow security procedures
  – Revise and audit frequently


Challenges in Implementing Security

• Many
  – Lack of awareness
  – Not enough resources
  – We are moving too slowly
• Root cause?
• Challenges to Security Professionals
  – Don’t know where to start
  – Too many things to learn & master
  – Too expensive to do training and certifications
  – No support from end-users & top management
  – 24x7 expectations - I have my own life!

Computer Security


Solutions

• Make security a priority (Sell it)
• Don’t reinvent the wheel
• Keep on learning
• Keep sharing and contributing