CSIS 3756 Security Design
Mr. Mark Welton
Course Requirements
• Prerequisites:
  • CSCI 5806 or CSIS 3755
  • CIS 1525 or CIS 3718
• Books for Course:
  • Material online, in class, and Safari Books Online will be used for this class
What This Course IS NOT
• This is not a hacking course
• This is not an introduction course
• This is not a course where we will only deal with the operating system itself in isolation
Course Description for CSIS 3756
• A course on operating system security concepts, techniques and applications including MS Windows and LINUX/UNIX platforms.
My opinion of what CSIS 3756 is…
• In my opinion this cannot be done by only looking at the operating system in isolation
• Today’s enterprise environments are comprised of multiple interconnected systems providing services to companies' customers
• It is these interconnections that have changed the world of computing and security today
• It is all about the data!
My opinion of what CSIS 3756 is…
• You can only learn how to design a security environment if you understand how it should be configured and how to determine what it is you are protecting
• You must understand risk and how it REALLY can be of use
• You need to understand how things REALLY work (theory is nice but you better know how to apply it)
• “A wise man walks with his head bowed, humble like the dust” (pilot episode of Kung Fu)
Lastly…
• To be a security professional you must understand not only the previous concepts but you must understand that…
It is called penetration testing
• Penetration testers have permission to test the systems; hackers don’t
What is Security?
• Security is the process of maintaining an acceptable level of perceived risk
• Dr. Mitch Kabay wrote that “security is a process, not an end state.”
• So what is the process…
Assessment
• Assessment is preparation for the other three components
• Assessment deals with policies, procedures, laws, regulations, budgeting, and other managerial duties, plus technical evaluation of one’s security posture
• Failure to account for any of these elements harms all of the operations that follow
• Why is this?
Protection
• Protection is the application of countermeasures to reduce the likelihood of compromise
• What are some of these countermeasures and why do we use them?
Detection
• Detection is the process of identifying intrusions
• Intrusions are policy violations or computer security incidents
• Kevin Mandia and Chris Prosise define an incident as any “unlawful, unauthorized, or unacceptable action that involves a computer system or a computer network.”
• What are some examples?
Response
• Response is the process of validating the fruits of detection and taking steps to remediate intrusions
• Response activities include “patch and proceed” as well as “pursue and prosecute.”
• “Patch and proceed” focuses on restoring functionality to damaged assets and moving on
• “Pursue and prosecute” seeks legal remedies by collecting evidence to support action against the offender
• How does the CIA model help us meet the security process?
What is Risk?
• Risk is the possibility of suffering harm or loss
• Risk is a measure of danger to an asset
• An asset is anything of value (to whom?)
• In a security context, risk refers to information, hardware, intellectual property, prestige, and reputation
• The risk should be defined explicitly, such as “risk of compromise of the integrity of our customer database” or “risk of denial of service to our online banking portal.”
Risk Equation
• risk = threat × vulnerability × asset value
Threat
• A threat is a party with the capabilities and intentions to exploit a vulnerability in an asset
• Structured threats are adversaries with a formal methodology, a financial sponsor, and a defined objective
  • These include economic spies, organized criminals, terrorists, foreign intelligence agencies, and so-called information warriors
• Unstructured threats lack the methodology, money, and objective of structured threats
  • These include “recreational” crackers, malware without a defined objective beyond widespread infection, and malicious insiders who abuse their status
Threat
• Threats are expressed within threat models, which are descriptions of the environment into which an asset is introduced
• The method by which a threat can harm an asset is an exploit
• An exploit can be wielded in real time by a human or can be codified into an automated tool
• The process by which the intentions and capabilities of threats are assessed is called threat analysis
Vulnerability
• A vulnerability is a weakness in an asset that could lead to exploitation
• A well-designed software product should perform its intended function and do no more
• A Web server intended to publish pages in the inetpub/wwwroot directory should not allow users to escape that folder and access the command shell or other files on the system
Asset
• The asset value is a measurement of the time and resources needed to replace an asset or restore it to its former state
• Cost of replacement is an equivalent term
• A database server hosting client credit card information is assumed to have a higher value or cost of replacement than a workstation in a testing laboratory (Why?)
• Cost can also refer to the value of an organization's reputation, brand, or trust held by the public
What About the Security Policy?
• Security policies only deal with the business processes that are important to the company
• “…the process of transaction for purchase must meet compliance of PCI, …”
• “…Managed antivirus software must be run and monitored on each system…”
• Does it really tell us where we need to put firewalls and IDS, how servers should be configured, or what defines managed antivirus?
• Would it matter if it did?
A Look at Risk
• Let's consider the risk to a public Web server operated by the Polish Ministry of Defense (www.wp.mil.pl)
• On September 3, 2003, Polish army forces assumed control of the Multinational Division Central South in Iraq
• A hypothetical anti–Iraq war hacker group, Code Not Bombs, reads the press release at www.nato.int and is angry about Poland's involvement in the war
• One of their young coders, N@te, doesn't like Poland's involvement and wants to embarrass the Polish military by placing false news stories on the Ministry of Defense's Web site
A Look at Risk
• He discovers that although www.wp.mil.pl is running Apache, its version of OpenSSL is old and subject to a buffer-overflow attack
• The Polish military spends $10,000 (or the Polish equivalent) per year maintaining its Web server
• Damage to national prestige from an attack would be several times greater
A Look at Risk
• risk = threat × vulnerability × asset value
• We will let a value of 5 equal a severe value, while a 1 is a minor value
So What is the Security of the Web Server?
• Remember that security is the process of maintaining an acceptable level of perceived risk
• ??????????
So What is the Security of the Web Server?
• What if the Polish military is unaware that anyone would think to harm its Web server?
• 0 × 5 × 4 = 0
• What if the security administrators believe the threat to www.wp.mil.pl is zero?
• Then the perceived risk of loss is zero
• Perception is a key to understanding security
• How can we deal with this perception problem?
So What is the Security of the Web Server?
• Once threats are identified, the presence of a vulnerability takes on new importance
• Vulnerabilities only have value if there is a threat to use them
• If we identify threats correctly as they relate to asset value, then as vulnerabilities change we will know where to place our resources
So What is the Security of the Web Server?
• If the threat to the asset is high
  • that is, a threat is likely to want to use the vulnerability, and the asset has a high value
• Then when the SSL vulnerability is announced you can apply countermeasures to the asset
• Countermeasures are steps to limit the possibility of an incident or the effects of compromise
• What are the countermeasures that can be used on the web server?
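As an added illustration (not from the slides), here is the risk equation applied over a small constructed inventory in Python. It uses the slides' web-server scores (vulnerability 5, asset value 4, perceived threat 0) and assumes the other scores, including the revised threat of 4, to show how the perception problem zeroes the risk and how correcting it changes where resources go once the OpenSSL advisory lands.

```python
# Risk-equation walkthrough on the slides' 0..5 scale (5 severe, 1 minor,
# 0 for a threat nobody perceives).  Scores other than the web-server case
# (vulnerability 5, asset value 4, perceived threat 0) are constructed here.
SCALE = range(0, 6)


def risk(threat: int, vulnerability: int, asset_value: int) -> int:
    """risk = threat x vulnerability x asset value, each scored 0..5."""
    for name, score in (("threat", threat), ("vulnerability", vulnerability),
                        ("asset_value", asset_value)):
        if score not in SCALE:
            raise ValueError(f"{name} must be in 0..5, got {score}")
    return threat * vulnerability * asset_value


def prioritize(assets: dict, advisory: dict) -> list:
    """Rank assets by risk once an advisory scores a vulnerability.

    assets:   name -> {"threat", "asset_value", "software": set of names}
    advisory: software name -> vulnerability score (absent = unaffected)
    Returns (name, risk) pairs, highest first; unaffected assets score 0.
    """
    ranked = []
    for name, a in assets.items():
        vuln = max((advisory.get(s, 0) for s in a["software"]), default=0)
        ranked.append((name, risk(a["threat"], vuln, a["asset_value"])))
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


def with_threat(assets: dict, name: str, threat: int) -> dict:
    """Copy of the inventory with one asset's threat score revised."""
    revised = {k: dict(v) for k, v in assets.items()}
    revised[name]["threat"] = threat
    return revised


# Constructed inventory: threat and asset value are judged per asset BEFORE
# any vulnerability is announced, as the slides argue.
ASSETS = {
    "public web server": {"threat": 0, "asset_value": 4, "software": {"openssl"}},
    "lab workstation": {"threat": 1, "asset_value": 1, "software": {"openssl"}},
    "card database": {"threat": 4, "asset_value": 5, "software": {"postgres"}},
}
OPENSSL_ADVISORY = {"openssl": 5}  # the severe buffer overflow from the slides

if __name__ == "__main__":
    # Perception problem: an unperceived threat (0) zeroes the web server's risk.
    print("unaware:", prioritize(ASSETS, OPENSSL_ADVISORY))
    # Revising that threat to 4 (an assumed score) moves the web server to the
    # top of the list, which is where countermeasures should go first.
    print("aware:  ", prioritize(with_threat(ASSETS, "public web server", 4),
                                 OPENSSL_ADVISORY))
```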
So why do we care about risk then?
• It makes you look at your environment the way “they” would, not the way you would (what does this mean?)
• Security policies do not tell us which assets are important, just which business practices are important. We need to relate these practices to the assets
• When new vulnerabilities come out you want to KNOW what assets are important
• It should have a direct impact on your security design (we do not have unlimited money and resources)