950 likes | 974 Views
The Security State of Mind. Chet Uber CTO/World Media Company 1999 CERT Conference Tutorial. Chet’s Disclaimer. The opinions expressed are mine and mine alone, they are not those of my employer World Media Company, or our parent The Omaha-World Herald.
E N D
The Security State of Mind Chet Uber CTO/World Media Company 1999 CERT Conference Tutorial
Chet’s Disclaimer • The opinions expressed are mine and mine alone, they are not those of my employer World Media Company, or our parent The Omaha-World Herald. • If you are easily upset by non-traditional in your face discussions of security methodology you had better leave now.
Presentation Premise • The danger posed by intruders and those that wish you harm, are FAR underestimated. We have not seen the tip of the iceberg, and the only folks that really understand the implications are the NSA, DOD and DOE. The statement concerning the NSA, DOD and DOE is conjecture on my part.
What is theSecurity State of Mind (SSM)? • The Security State of Mind has to do with using every means at your disposal to design and implement unwavering Security-in-Depth. A sign that you have the SSM is when upper management and your coworkers constantly say, “You are really being paranoid about this.”
What is theSecurity State of Mind (SSM)? • The proof that you have the SSM is that you know your paranoia is really just you very clear picture of the reality of the situation at hand. • One of the tenants of the SSM is the understanding that business is war, and that everyone is a potential enemy.
What the SSM tells us! • There is no such thing as a “100% secure system or network.” • That human beings are the weakest link in the implementation of security policies. • That there is a trade-off between the amount of security and usability.
‘State of the Union’ address for the networked open system environment
“The security field is neither stable nor globally understood, and with the inclusion of the Internet has led to a condition where … greater than 75% of these networks are highly vulnerable”-- July 1999, ISS Inc.
A recent report was prepared by WarRoom Research, LLC in support of the Senates Permanent Subcommitte on Investigations which involved among others; the FBI, Ernst & Young LLP/InformationWeek, Computer Security Institute, GAO, and the U.S. Military Services
The following conclusions were put forward in the WarRoom report ...
“The human threats are growing in numbers and sophistication.”
“61% of those organizations responding to the WarRoom Survey had experienced an internal attack within the past 12 months.”
“58% of those organizations responding to the survey had experienced an external attack within the past 12 months.”
“The vulnerability conditions associated with our networks are well known and understood.”
“Vulnerability is worsened by the availability of free hacker tools on the Internet.”
“Over 45% of the reported attacks were associated with advanced technical hacking techniques; for example sniffers, theft of password files, vulnerability probing/scanning, Trojan logon, etc.”
“The impact associated with attacks continues to move up and off the chart.”
“Over 45% of the internal attacks resulted in losses over $200,000.”
“Over 15% of the internal attacks resulted in losses over $1,000,000.”
“Over 50% of the external attacks result in losses over $200,000.”
“Over 17% of the external attacks resulted in losses over $1,000,000.”
In broad terms what should be done by those with the SSM; and why traditional security measures are not enough!
Making A Good Start! • Definition of sound processes. • Creation of meaningful and enforceable security policies. • Proper implementation of organizational safeguards. • Establishment of ways in which security can be measured.
Direct Risk Mitigation • Identification and Authentication • Encryption • Access Control • Note* - This Interim step can give a false sense of security
Risk Analysis+ Policy+ Direct Technical Countermeasures= Traditional Security SafeguardsThis is 40-60% of the overall solution when implemented properly
Items not addresses by Traditional Approach • An active, highly knowledgeable, evolving threat • The greatly reduced network security decision and response cycle • Low User Awareness levels • Highly dynamic vulnerability conditions
A Solid Security Program • Adhere to sound standardization processes • Implement valid procedures and technical solutions • Provide for system audits intended to support potential attack or system misuse analysis
Adaptive Security ModelTraditional Security Safeguards+Threat/Vulnerability Monitoring+ Threat/Vulnerability Detection+ Threat/Vulnerability Response= Adaptive Security
Ensure all applicable vulnerabilities are secured across the entire network
Ensure all systems are configured in a secure manner consistent with organizational policy
Ensure all potentially hostile threats are detected, monitored, and responded to in a timely appropriate manner.
Provide real-time, on-the-fly, technical reconfiguration of threat access routes.
Provide timely security alerts and tasking to those responsible for addressing network threats and vulnerabilities.
Provide accurate network security audit and trends analysis data in support of security program planning and assessment efforts.
Two examples of a dramatic change in knowledge based in real world experience.
The EFF’s Project “Deep Crack” The EFF lead a concerted effort to develop a machine specifically designed to break DES encryption. This effort was funded with a $250,000 grant and produced a machine that rendered keys in days and finally hours. A book “Cracking DES” includes all the schematics and code. The design is such that the application of $MONEY$ would accelerate the time to minutes. There are literally millions of DES protected files.
PRESS RELEASE CWI, Amsterdam - August 26, 1999 Security of E-commerce threatened by 512-bit number factorization
“On August 22 1999, a team of scientists from six different countries, led by Herman te Riele of CWI (Amsterdam), found the prime factors of 512-bit number, whose size models 5% of the keys used for protection of electronic commerce on the Internet. This result shows, much earlier than expected at the start of E-commerce, that the popular key-size of 512 bits is no longer safe against even a moderately powerful attacker. The amount of money protected by 512-bit keys is immense. Many billions of dollars per day are flowing through financial institutions such as banks and stock exchanges.”
“The factored key is a model of a so-called "public key" in the well-known RSA cryptographic system which was designed in the mid-seventies by Rivest, Shamir and Adleman at the Massachusets Institute of Technology in Cambridge, USA. At present, this system is used extensively in hardware and software to protect electronic data traffic such as in the international version of the SSL (Security Sockets Layer) Handshake Protocol”
“Apart from its practical implications, the factorization is a scientific breakthrough: 25 years ago, 512-bit numbers (about 155 decimals) were thought virtually impossible to factor. Estimates based on the then-fastest known algorithms and computers predicted a CPU time of more than 50 billion (50 000 000 000) years.The factored number, indicated by RSA-155, was taken from the "RSA Challenge List", which is used as a yardstick for the security of the RSA cryptosystem.”
“In order to find the prime factors of RSA-155, about 300 fast SGI and SUN workstations and Pentium PCs have spent about 35 years of computing time. The computers were running in parallel -- mostly overnight and at weekends -- and the whole task was finished in about seven calendar-months.”
“The following organizations have made their workstation and PC computing power available to this project: Centre Charles Hermite (Nancy, France), Citibank (Parsippany, NJ, USA), CWI (Amsterdam), Ecole Polytechnique/CNRS (Palaiseau, France), Entrust Technologies (Ottawa, Canada), Lehigh University (Bethlehem, Pa, USA), the Medicis Center at Ecole Polytechnique (Palaiseau, France), Microsoft Research (Cambridge, UK), Sun Microsystems Professional Services (Camberley, UK), The Australian National University Canberra, Australia), University of Sydney Australia).”
“In addition, an essential step of the project which requires 2 Gbytes of internal memory has been carried out on the Cray C916 supercomputer at SARA (Academic Computing Centre Amsterdam).Given the current big distributed computing projects on Internet with hundreds of thousands of participants, e.g., to break RSA's DES Challenge or trace extra-terrestrial messages, it is possible to reduce the time to factor a 512-bit number from seven months to one week. For comparison, the amount of computing time needed to factor RSA-155 was less than 2% of the time needed to break RSA's DES challenge.”
The number and the found factors are: RSA-155 =10941738641570527421809707322040357612003732945449205990913842131476349984288934784717997257891267332497625752899781833797076537244027146743531593354333897=102639592829741105772054196573991675900716567808038066803341933521790711307779*106603488380168454820927220360012878679207958575989291522270608237193062808643
A broad stroke view of things that are typically of interest to Network Security Administrators. Note the vast scope of topics is not at all inclusive* taken from a typical IT security schedule
Overview of Network Security • Defining the problem • Security Policy • Attacker Methods • Incident Response • Legal Considerations
Network Services • Client/Server Computing • UNIX versus Windows NT
Attack Methods • Types of attacks • Misadministration • Software Bugs • Denial of Service
Logging, Auditing, and Detection • UNIX versus Windows NT • Auditing • Vulnerability Detection • Vulnerability Detection Tools • Intrusion Detection