ITS101: Theory and Practice of Campus Computer Security
Course Syllabus, Revision 2.1

Course Motivation [1]
  Approach
    Hire people
    Train whom we have
    People embedded in units do the heavy lifting
      Incident response
      Security assessments
      Coordinate with central office
    Provides protection closest to what we want to protect
  Take-aways
    Handle incidents
    Perform security assessments
    Day-to-day security work
      Monitor firewalls
      Monitor intrusion detection
    Communicate to wider campus
    Actively participate in campus security field trips
    Know how to find and stay current: security tools, mailing lists
    A healthy paranoia
  Threats
    Internal
    External
      "Script kiddies"
      Hackers
      Organized crime
      National agencies
  Fundamental Weaknesses
    Internet Weaknesses
      Anybody can connect
      Anybody can read your traffic
      Anybody can change your traffic
      Anybody can deny having sent you anything
      Service dependencies (e.g. DNS, NTP)
    Host Weaknesses
      Host-specific vulnerabilities
        Windows
        UN*X
        Mac OS X
      Architecture-specific vulnerabilities
        Stack smashing
          StackGuard
          W^X
        Shared libraries
    Fundamental Weakness of the Response
      He who defends everything defends nothing
      Usually one step behind ("0day exploits")
      24/7 attacks, in volume
  The Reality Today
  Why You Are Here
    Acquire fundamentals of platforms & protocols
    Understand U-M central services architectures
    Learn about virus and worm operation, recognition, eradication

Course Organization [1]
  Lecture - 1-2:30 MWF (4.5 h/wk)
  Lab - 2:30-4:30 MWF (6.0 h/wk)
  Reading Assignments

Fundamental Concepts [R]
  Host Platform
    Applications
    Libraries
    Operating System
  Networking Fundamentals
    Ethernet, FDDI, ATM
    ARPANET, model
    Internet protocols
      Routing, BGP, OSPF, ASNs
      IP
      ICMP
      ARP, RARP
      DNS
      UDP
      TCP
      Multicast
    Network Architecture - Up Close
    Network Architecture - Small company
    Network Architecture - Big Picture
      Peering arrangements
      SLAs
      Internet2 vs. commodity
  Network Security
    IAA Model
      Identification
      Authentication (incl. mutual)
      Authorization
    Elements of Security
      Confidentiality
      Integrity
      Non-repudiation
    Security Policy
    CSIRTs
    Security Paradigms
  Cryptography
    Strong vs. weak (pseudo-random XOR vs. 3DES, AES)
    Recent crypto developments
    Symmetric
    Asymmetric
      Certificates
      X.509
      CA chains
      Mutual authentication
      PKI
    DES, 3DES
    AES
  Practical Cryptography
    Kerberos
    PGP, GPG
    SSH
    Name spaces
    Examples
      Kerberos 4, 5
        Microsoft extensions
        Trusted third party
      SSL
      SSH
      GRIDs
        Globus
        GRID

UN*X Security Fundamentals [R]
  Users and passwords
  Users, Groups, Superuser
  UN*X Filesystem
  Backups
  Defending your accounts
  Integrity management
  Auditing and logging
  Protecting against programmed threats
  File systems
    NFS
    AFS
    NFSv4
  Network Stack
  Security Model
    User vs. Kernel space
    Super user & setuid
    Resource limits
    Quotas
    Chroot
    Jails
      Example: BSD jail implementation
  Patching
    Philosophy
    Methodology
    Example: radmind

Windows Security Fundamentals [3,4,5,6] [Kirk Soluk, ITSS]
  I. Fundamental Concepts and Tools
    a. Win32 API
    b. Services, Routines, Functions
      i. Win32 Functions
      ii. System Services
      iii. Internal Routines
      iv. User-Mode Services (TList)
      v. DLLs
    c. Processes and Threads (PView, Task Manager)
    d. Virtual Memory
    e. Kernel Mode versus User Mode (Perfmon)
    f. Objects and Handles (WinObj)
    g. Security (PView)
    h. Registry (Regedit)
    i. Networking (netstat, tlist/pview)
  II. Architecture Overview
    a. Key System Components
      i. Environment Subsystems (exetype.exe, regedit session manager)
      ii. NTDLL.DLL
      iii. Executive
      iv. Kernel (depends.exe)
      v. HAL (winmsd.exe)
      vi. Device Drivers
    b. Key System Processes and Files
      i. Idle
      ii. System Process
      iii. Hardware Abstraction Layer (hal.dll)
      iv. Executive and Kernel (ntoskrnl.exe)
      v. Session Manager (smss.exe)
      vi. Win32 Subsystem (csrss.exe)
      vii. Win32 Subsystem DLLs (kernel32.dll)
      viii. Logon Process (winlogon.exe)
      ix. Local Security Authority (lsass.exe)
      x. Services Controller (services.exe)
  III. Security Services
    a. The Gold Standard (Authentication, Authorization, Audit)
      i. Authentication (Local Focus)
        1. Definition, Types
        2. NTLM, Smart Cards (X.509 certificate-based auth)
        3. Logon versus Authentication
          a. Token Creation (Groups, SIDs)
      ii. Authorization
        1. Goal
        2. Discretionary Access Control (Security Descriptors, DACLs, ACEs)
          a. NTFS
          b. Inheritance Model
          c. File Security versus Share Security
        3. User Privileges
        4. Access Check (Token against DACL)
        5. Software Restriction Policies
        6. Application-Specific Permissions
        7. Authorization Manager
      iii. Audit
        1. Goal: Intrusion Detection versus Forensic Auditing
        2. System Access Control Lists
        3. Audit Process
    b. Network Security
      i. Authentication
        1. NTLM pass-through, Kerberos, SSPI, Negotiate, RADIUS
        2. Active Directory
        3. Domains, Forests
        4. Trust Services (secure channels)
        5. Logon versus Network Authentication
          a. Token Creation
          b. SID Filtering
          c. Group Expansion
        6. Unix Interop (?)
      ii. Windows Networking
        1. NetBT
        2. SMB (SMB Signing)
        3. DCOM/RPC (Integrity and Encryption)
        4. Named Pipes
      iii. Other Integrity and Encryption Services
        1. SSL/TLS
        2. IPsec
        3. EFS
        4. CryptoAPI (for storing secrets)
        5. S/MIME
      iv. PKI (?)
        1. Certificate Services
      v. Packet Filtering
        1. Firewalls
          a. Windows Firewall
          b. RRAS Firewall
          c. TCP/IP Firewall
          d. IPsec as a packet filtering engine
          e. Named Pipe Firewall
        2. ISA Server (?)
  IV. Security Features != Security
    a. Risk Management
    b. General Threats and Countermeasures (i.e. corresponding mitigation techniques)
  V. Practical Security
    a. Windows Default Security
      i. Strategy / Changes between NT4, Win2k, WinXP, WS03
    b. Attack Surface Reduction
      i. Services, Ports and Protocols
        1. SMB, LanManCompatibilityLevel
      ii. Demystifying Null Sessions and RestrictAnonymous
    c. Principle of Least Privilege (Client and Server-Side)
      i. Vendor Management
    d. Securing Domain Controllers
    e. IPsec Scenarios
    f. Deploying Multi-Tiered Applications on the Internet
    g. IE Security
    h. XP/SP2 Security Enhancements
  VI. Security Management
    a. Group Policy
      i. OU Structure and Precedence
      ii. Default Policies
    b. Security Configuration Toolset
    c. Microsoft Security Operations and Best Practice Guides
      i. Other Resources
  VII. Patch Management
    a. SMS, SUS
    b. MBSA
  VIII. IIS / Web Security
    a. IIS5 versus IIS6
    b. Securing Web-Based Services
  IX. Futures
    a. SCW
    b. ACS
    c. TrustBridge / Indigo
    d. Quarantine
    e. Mako
    f. Geneva
    g. WUS
    h. LUA

Web Security Fundamentals [7]
  Concepts
    HTTP
    Cookies
    SSL/TLS
    Authentication, mutual authentication
    CoSign
    CGI
  Web servers
    Fundamentals
      Apache
      IIS
      .NET Fundamentals
    Security
      What to worry about?
        Server flaws
        Server misconfigurations
        CGI / 3rd-party module flaws
  Browser Security
    ActiveX Controls
    Java
    Cross-Site Scripting
    Cross-Zone / Cross-Domain Vulnerabilities
    Malicious Scripting, Active Content, and HTML
    Neighborhood Watches
      Netcraft toolbar
      Google warning

Threats [18,19]
  Concepts
    Models
      Insider
      Outsider
    Methodologies
      Access
      DoS
      DDoS
  Vulnerabilities
    Password attacks
    Buffer overflow
    Heap overflow
    Arc injection (e.g. return-into-libc)
    Trojans
    Viruses
    Worms
    Keystroke loggers
      Hardware
      Software
    Social Engineering
    Spyware
    Adware
    Grayware
    Bots
    Botnets
    Spam
    Phishing
    Pharming

U-M Network Architecture [9] [Kurt Hillig, ITCS]
  Network Fundamentals
    OSI 7-layer model
    OSI layers 1-4: Ethernet and IP
    IP subnetting and routing
    Virtualizing the network
  Network security
    Basic objectives: CIA
    Vulnerabilities and defenses for layers 1-4

U-M Wireless Architecture [10] [Dennis Ward, ITCS]
  RF/PHY (physical)
  Wireless protocols
  Wireless security
    VPN
    WEP
    WPA 1
    WPA 2
  Vulnerabilities / attacks
    SSID
    MAC spoofing
    Man in the middle
    WEP key cracking
    Denial of Service
    Dictionary attacks
    Rogue APs
  Wireless Architecture at U-M
    Virtual Architecture
    Access points - RF
    BlueSocket
    Network authentication
    Future

U-M Authentication (Kerberos, Kx.509, CoSign) [13] [Kevin McGowan]
  Introduction
  What is CoSign: Open source WebISO
  CoSign login sequence
    Login screen
    U-M Kerberos principal
    Friend accounts
  Avoiding the login screen
    kx.509
    x.509
    SPNEGO
  Logout
  Future plans
  CoSign protected services
    web.mail.umich.edu
    Law & Business school
    BlueSocket networks
    wolverineaccess.umich.edu
    directory.umich.edu
    ... hundreds more
  Installing mod_cosign
    Supported platforms
      Apache 1.3 & 2.x
      IIS
      Java (J2EE Servlet Filter)
    Authenticated proxy
  Risks
    CoSign/Weblogin servers are attractive targets
    Browser is trusted
    Cookies are replayable

U-M Resources [8]
  ITSS
  Virus Busters
  IT User Advocate
  Network Information Database (NICR)
  Network Operations Center (NOC)
  Hackfinder
  Internet Storm Center
  US-CERT

Practical Windows Security in LSA [17] [Chris Brenner]

Countermeasures - Network-based [15A]
  Firewalls
    Concepts
    Types
      Packet level
      Application level
    Architectures
      Internet / Extranet
      Intranets
      DMZs
    Strengths & Weaknesses
    "Reverse" Firewalling
  VPNs [15B] [Walt Reynolds]
    Definitions
    VPN uses
    Types of VPNs
      Application
        SSH
      Protocol
        IPSec
        SSL
      Other
        PPTP, L2TP, MPLS
    IPSec details
    SSL details
    Pros and cons of IPSec vs. SSL
    Future directions
  Scanning
    Concepts
    Port Scanning
    Stealth Scans
    OS Fingerprinting
    Traffic analysis

Countermeasures - Intrusion Detection and Prevention [16] [Matt Bing]
  Introduction
  Intrusion Detection Systems (IDS)
    How IDS really work
      Sniffing
      Sensor placement
      Signature vs. anomaly
      Alerts
    IDS cons
      Accepts arbitrary input
      Doesn't prevent attacks
      False positives / negatives
      Vulnerable to obfuscation
      Doesn't handle encryption
      Drops packets
    IDS pros
    Understand the limits
  SNORT
    Definition
    Example: write a SNORT rule
    Countermeasures
  Evaluating IDS
  Intrusion Prevention Systems (IPS)
    Definition
    Admits trivial self-DoS
    Do not run IPS
  Future of IDS
  Host-based IDS (HIDS)
    Tripwire

Incident Response [20]
  Introduction
  CSIRT (Computer Security Incident Response Team)
  Framework
    Mission statement
    Constituency
    Place in organization
    Relationship to others
    Promoting the CSIRT
    Gaining trust
  CSIRT within an organization
    Security team
    Relationship to risk management
  CSIRT reactive services
    Alerts and warnings
    Incident handling
  CSIRT proactive services
    Announcements
    Technology watch
    Security audit and assessments
    Configuration & maintenance of security tools, applications, and infrastructures
    Development of security tools
    Intrusion detection services
    Security-related information dissemination
  CSIRT security quality management services
    Risk analysis
    Security consulting
    Awareness building
    Education / training
    Product evaluation / certification
    Business continuity / disaster recovery planning?
  CSIRT information flow
  CSIRT policies
    Basic policy attributes
    Policy content features
    Quality assurance
    Legal issues
  CSIRT incident handling service
    Service description
    Service functions overview
      Triage
      Handling
      Announcement
      Feedback
  CSIRT team operations
    Operational elements
    Fundamental policies
    Continuity assurance
      Short, medium, long term
    Workflow management
    Out-of-hours coverage
    Security management
      Confidentiality, availability, integrity
    Staff issues

Forensics [21,22]
  Introduction
    Digital evidence
      Definition
      Examples
    Definition of forensic science
      Examples
    Locard's exchange principle
  Digital evidence
    Criminal activity
    Who collects digital evidence
    Privacy safeguards
  Applying forensic science to computers
    Direct vs. hearsay evidence
    Key aspects to processing evidence
      Recognition
      Preservation, collection, documentation
        Methods of collection
        Techniques
        Tools: dd, ps, lsof
        Documenting evidence
        Chain of custody
      Classification, comparison, individualization
      Reconstruction
    Recovering deleted objects
  Digital evidence on computer networks
    Internet applications and services
      WWW
      Email
      Newsgroups
      Chat networks
    Crime on the protocol stack
      Application
      Transport & network
      Data link & physical
  Laws, jurisdiction, search & seizure
    Timeline of computer crime law

Risk Assessment [2A]
  Concepts
    Risk analysis
      Identify assets
      Identify risks to those assets
      Develop procedures to mitigate those risks
    Risk avoidance
  National Infrastructure Protection Center (NIPC) risk assessment model
    Asset assessment
      Identify undesirable events
      Identify effect of loss
      Determine value of asset based on severity of effect
        High, medium, low
        1 .. 10
    Threat assessment
      Focus on adversaries and events that affect assets
      Specify intent, capability, history
      Determine threat level
    Vulnerability assessment
      Look for exploitable situations
      Determine vulnerability level
    Risk assessment
      Risk = loss effect * threat * vulnerability
      Risk measures are subjective
        high * low * medium = ?
    Optional: add countermeasure
      Countermeasure options

U-M Virtual Firewall [12] [Dennis Neil]

Security Assessment [2B] [Kirk Soluk]
  RECON

University Policies and Procedures [23] [Paul Howell]
  Review University computer security policies
    Existing SPG computer security policies
      Proper Use of Info Tech Resources
      Privacy and the Need to Monitor and Access Records
      Institutional Data Resource Management Policy
      Identification and Access Control Cards
      Identity Misrepresentation
  Review state and federal laws
    Existing State of Michigan computer crime statutes
      Unauthorized access to computers
      Using a computer to defraud
    Federal computer crime statutes
      Computer Fraud and Abuse Act
      Wiretap Act
      Patriot Act
  Dealing with court orders and law enforcement
    Subpoenas
    Search warrants
    Law enforcement agencies without a search warrant
  Authorization to perform security work
    The matrix
    Obtaining authorization
    Network registry (NICR)
  Incident response and escalation
    Sharing incident information
    Dealing with the media
  Ethics for CISSP
    Act honorably, honestly, justly, responsibly, and legally
    Provide diligent and competent service to principals

FOIA Issues, Including Common Misconceptions and Recommended Procedures [23] [Lee Doyle et al.]

University of Michigan - MAIS Case Study [Seth Meyer, Dennis Neil] [11]

Countermeasures - UN*X Host-based
  Operating system configurations
  Service / daemon selection and configurations
  Logging
    Concepts
    Creating a logging service
    Monitoring a logging service
    Analyzing the log files
  Port scanning and analysis
  BIOS settings
    Preventing thumb drives
    Preventing diskette boot
  Turning off unnecessary services
  Rule of Embarrassment
  Backups
  Patch Management

University of Michigan Email Architecture
  Antivirus
  Antispam
  Storage Architecture

Internet Resources
  SANS Top-20
  Internet Storm Center
  Vulnwatch
  Bugtraq
  CERT
  CVE
  lists.netsys.com
    Full disclosure
  www.securityfocus.com
    Vulndev
    FocusIDS
  www.insecure.org/tools.html
    Top 75 security tools

Worst Practices
  Cleartext passwords
  Password policies
  Firewalls
  Wireless behind the firewall
  Java in PDFs
  Not checking input
    Scripts
    SQL injection
    Automation (Google attack)
    ... have to get it right the first time

Miscellaneous & Course Wrap-up
  Auditability of OpenBSD vs. Windows
  Proactive vs. reactive defenses
  Rootkits
  CSS
  Grid
    GSI
  Take-aways
    Handle incidents
    Perform security assessments
    Day-to-day security work
      Monitor firewalls
      Monitor intrusion detection
    Communicate to wider campus
    Actively participate in campus security field trips
    Know how to find and stay current: security tools, mailing lists
    A healthy paranoia
  Final thoughts

References
  Applied Cryptography, Bruce Schneier
  Digital Evidence and Computer Crime, Eoghan Casey, Academic Press, 2000
  Firewalls and Internet Security, Cheswick (2nd ed!)
  General Security Risk Assessment Guideline, ASIS
  Handbook for Computer Security Incident Response Teams (CSIRTs), SEI
  Internet2 Effective Security Practices Guide
  Practical UNIX and Internet Security, Garfinkel, Spafford, and Schwartz
  Risk Management: An Essential Guide to Protecting Critical Assets, National Infrastructure Protection Center, November 2002
  TCP/IP Illustrated, Richard Stevens
  The Shellcoder's Handbook
  The Tao of Network Security Monitoring, Bejtlich
  WI-FOO: The Secrets of Wireless Hacking, Vladimirov, Gavrilenko, and Mikhailovsky
  Hacking Exposed series
  Netsec, Richard Stallman
  Secrets and Lies, Bruce Schneier

Tools
  Capture and analysis: tcpdump, windump, ethereal, tethereal, argus, snort, nessus
  Commercial: eEye Retina, ISS
  Cisco: SPAN port, flow trace
  Wireless: netstumbler, dstumbler, prism2ctl/prism2dump/dwepdump/dwepcrack, kismet/bsd-airtools
  Defensive: tripwire, systrace, privsep
  Investigative: whois, traceroute, tcptraceroute, libnids
  Forensic: helix, encase
  Hacker tools: netcat, hping, nemesis, ettercap, xprobe, nmap, amap, nbtscan, nikto, dsniff, tcpreplay, metasploit
  Additional: johntheripper, firewalk, datarescue.com/idapro disassembler
  General: man, ps, top, lsof, strace (truss), ltrace, strings