M11 Network Security and Intrusion Prevention

Cards (47)

  • Intrusion Prevention
    • Security Policy - well written and enforced
      ◦ Prioritized assets / mission-oriented protection
      ◦ Effective controls (but minimum necessary)
      ◦ Patching security holes; zero-day attacks
      ◦ Acceptable use policy
      ◦ User training
      ◦ Audit and review (annual or more often)
    Critical piece of Defense-in-Depth
  • Intrusion Prevention
    • Physical Security
      ◦ Physical access to servers critical
      ◦ Booting to DVD/USB (Knoppix or similar)
      ◦ WLANs present eavesdropping challenge
      ◦ Circuit taps
      ◦ Secure switch technology
      ◦ Armored cable
      ◦ Fiber optic cables difficult to tap
  • Intrusion Prevention
    • Types of intruders
      ◦ “Script kiddies” – novices using public software
      ◦ Recreational hackers - motivated by philosophy or for fun
      ◦ Professional hackers - espionage or fraud
      ◦ Advanced persistent threat (APT)
      ◦ State-sponsored(?)
      ◦ Organizational employees (insider threat)
  • Intrusion Prevention
    • Some common “penetration testing” tools
      ◦ Metasploit - Framework with exploits, payloads
      ◦ Nmap - Scanner
  • Intrusion Prevention
    • Firewalls restrict access to the network
      ◦ Often also function as routers, or vice-versa
    • Packet-level firewalls (most basic)
      ◦ Examine the source/destination address of every packet
      ◦ Network & Transport layers - IP addresses, port IDs
      ◦ Using access control list (ACL) rules, decide which packets are allowed or denied
  • Intrusion Prevention
    • Packet-level firewall
  • Intrusion Prevention
    • Application-level firewalls
      ◦ Examine traffic through layer 5 for anomalous behavior
      ◦ Rules based on HTTP, SMTP, other layer 5 commands & data
      ◦ Often serve as Proxy Firewall/Application Gateway
      ◦ Often include stateful inspection (stateful firewalls)
      ◦ Monitor/use TCP connection status
  • Intrusion Prevention
    • Network address translation (NAT) “Firewall”
      ◦ Converts/obscures internal IP addresses
      ◦ Usually converts publicly routable address to private address
      ◦ Motivations: security and IPv4 address conservation
  • Intrusion Prevention
    Note how network architecture contributes to security
  • Intrusion Prevention
    • Firewalls are a network defense appliance. Others:
      ◦ Intrusion Detection Systems (IDS) - Passive monitoring and logging; analysis off-line minimizes throughput impact
      ◦ Network vs Host-based (NIDS/HIDS)
      ◦ Intrusion Prevention Systems (IPS) - Active blocking based upon sophisticated rulesets; high throughput impact
      ◦ Next-Generation Firewalls (NGFW)
      ◦ Highly sophisticated rulesets; all protocols
      ◦ Capable of deep packet inspection (DPI)
      ◦ Desktop/Personal Firewalls
    Some IDS/IPS/NGFW can examine encrypted traffic
  • Intrusion Prevention
    • Various client/server attack vectors
      ◦ Application and OS software must be regularly patched
      ◦ Exploits discovered but unpatched present zero-day vulnerabilities
      ◦ All OSs are vulnerable (arguments abound)
      ◦ Trojan horses - often delivered as part of a social engineering technique
      ◦ Typically contain Rootkit/Bootkit malware
      ◦ Spyware/Adware - Less overtly malicious, still dangerous
  • Intrusion Prevention - Encryption 1
    • Encryption is disguising information using mathematical rules, providing confidentiality
    • Effectiveness of encryption based on
      ◦ The strength of the algorithm
      ◦ The strength of the key (assuming it is unavailable)
    • Often the algorithm is widely known
  • Intrusion Prevention - Encryption 2
    • Symmetric encryption
      ◦ Uses a single key for encrypting and decrypting
      ◦ Challenge in sharing key (Key Management)
      ◦ National Institute of Standards & Technology (NIST) manages primary single-key encryption algorithms
      ◦ Data Encryption Standard (DES) & Triple DES (3DES)
      ◦ Rarely used today; 56-bit DES key easily broken
      ◦ Advanced Encryption Standard (AES)
      ◦ USG & worldwide standard for single-key encryption
      ◦ 256-bit key; infeasible to crack by brute force today
  • Intrusion Prevention - Encryption 3
  • Intrusion Prevention - Encryption 4
    • Asymmetric (public-key) encryption
      ◦ A pair of different keys are used
      ◦ One key designated as public key; can be freely shared
      ◦ The other key is designated the secret private key
      ◦ When a message is encrypted using one key, it can only be decrypted with the other (invertible)
      ◦ Based on mathematical calculations (one-way functions) that are easy in one direction but difficult in reverse
      ◦ ex: RSA (Rivest-Shamir-Adleman) implementation
  • Intrusion Prevention - Encryption 5
  • Intrusion Prevention - Encryption 5
    • Asymmetric (public-key) encryption
      ◦ The public key infrastructure (PKI) is a set of hardware, software, organizations, and policies to associate a set of keys with an individual/organization
      ◦ Certificate authorities (CAs) are trusted organizations that issue digital certificates proving that an individual or organization owns a public key
      ◦ Digital certificates can be used to authenticate messages
  • Intrusion Prevention - Encryption 6
  • Intrusion Prevention - Encryption 7
    • Applications of encryption
      ◦ Pretty Good Privacy (PGP) is used for encrypting email and some files
      ◦ Transport Layer Security (TLS) succeeds Secure Sockets Layer (SSL) - primary encryption protocol on the Internet (web applications)
      ◦ Starts with client-server handshake for PKI authentication, server’s public key
      ◦ IP Security protocol (IPSec) - network layer encryption protocol
      ◦ IPSec tunnel mode encrypts/encapsulates entire IP packet
  • Intrusion Prevention - Authentication
    • User authentication
      ◦ User profiles are used to manage access to resources
      ◦ Types of authentication
      ◦ Something you know - passwords/passphrases, PINs
      ◦ Something you have - access cards, tokens, phones
      ◦ Something you are - biometrics: fingerprint, retina scan
      ◦ Using multiple types of authentication provides increased security (multi-factor authentication)
      ◦ Most organizations moving to centralized authentication
      ◦ Kerberos
  • Intrusion Prevention
    • Decryption tactics
      ◦ Usually trying to crack a password
      ◦ Brute-force attack - trying every possible key
      ◦ Dictionary attack - try combinations of words
      ◦ Rainbow tables - precomputed password hash reversal
    • Social engineering
      ◦ Users are often the weakest link in security
      ◦ Phishing/Whaling
  • Intrusion Prevention
  • Recommended Practices
    • Clear disaster recovery plan
    • Strong security policy
      ◦ Rigorously enforced
      ◦ User training
    • Use of security controls
    • Defense in depth - layers of security
  • Implications for cyber security
    • Fastest growing area of networking
    • Cost of security expected to increase
      ◦ More sophisticated controls
      ◦ More sophisticated attacks
      ◦ Cybersecurity expertise in high demand
    • Plenty of indicators, correlation hard
  • Importance of Network Security
    • The rise of the Internet has completely redefined the nature of information security
    • The number of security incidents grows by about 30% per year
      ◦ In 2016, about 50 million passwords were stolen
      ◦ A survey of 1,500 U.S. adults found that 51% had experienced some form of cyber security incident in 2016
    • Laws have been slow to catch up to cyber crime
    • Transborder cyber crime is increasing
  • Organizations Focused on Cyber Crime
    • Many organizations, private and public, focus on helping individuals, organizations, and governments to protect themselves from criminals operating on the Internet (cybercriminals)
      ◦ CERT (Computer Emergency Response Team) at Carnegie Mellon University
      ◦ APWG (Anti-Phishing Working Group)
      ◦ McAfee, Symantec
  • The Rise of Cyber Crime
    • Cyber crime is now a profession for profit
    • Hacktivism (the use of hacking techniques to bring attention to a larger political or social goal) has become more common
    • The increase in mobile devices offers a very fertile environment for exploitation
  • The Need for Network Security
    • Network security is critical because of the:
      ◦ Increased potential vulnerability of an organization’s assets
      ◦ Increased rates of well-publicized security break-ins
      ◦ Huge losses associated with the security failures
      ◦ Need to protect customer privacy and the risk of identity theft
      ◦ Value of the data stored on most organizations’ networks and the value provided by the application systems in use (far exceeding the cost of the networks themselves)
  • The CIA Triad - The three goals of security
  • Security Threats
    • Threats to Business Continuity
      ◦ Disruption - Ex: switch failure, cable cut
      ◦ Destruction of data - Ex: virus destroys files
      ◦ Disasters - Ex: fire burns down data center
    • Threat of Unauthorized Access/Intrusion
      ◦ External attackers gaining access
      ◦ Most unauthorized access incidents involve employees
      ◦ Principle of least privilege
  • Network Controls
    • Network controls are safeguards that reduce or eliminate threats to network security
      ◦ Preventative controls
      ◦ Mitigate or stop a person from acting or an event from occurring
      ◦ Act as a deterrent by discouraging or restraining
      ◦ Detective controls
      ◦ Reveal or discover unwanted events (e.g., auditing)
      ◦ Documenting events for potential evidence
      ◦ Corrective controls
      ◦ Remedy an unwanted event or intrusion
  • Network Controls
    Many organizations (gov’t and industry) have adopted the National Institute of Standards & Technology (NIST) Cybersecurity Framework.
    Key underlying principle: Defense in Depth
  • Risk Assessment
    • A key step in developing a secure network
    • Assigns level of risks to various threats
    • Risk assessment frameworks
      ◦ Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
      ◦ Control Objectives for Information and Related Technology (COBIT)
      ◦ Risk Management Guide for Information Technology Systems (NIST guide)*
    *Outdated, see NIST Cybersecurity Framework
  • Risk Assessment
    • Most risk assessment frameworks include these five steps:
      1. Develop risk measurement criteria
      2. Inventory IT assets
      3. Identify threats
      4. Document existing controls
      5. Identify improvements
    Many alternative models exist. Important points:
    • Risk is a combination of potential impact and likelihood
    • Risks should be quantified/prioritized and matched to threats
  • 1. Develop Risk Measurement Criteria
    • Examine how threats impact the organization.
    • Five impact areas: financial, productivity, reputation, safety, legal
    • Prioritize and evaluate each measure.
    • Sample:
  • 2. Inventory IT Assets
    • Document and evaluate why each asset is important to the organization, and identify the owner
    • Sample:
  • 3. Identify Threats
    • Any potential occurrence that can do harm, interrupt the systems using the network, or cause a monetary loss to the organization
    • Create threat scenarios that describe how an asset can be compromised by a threat
      ◦ Likelihood of occurrence
      ◦ Potential consequences of threat
      ◦ Risk scores quantify the impact and likelihood of occurrence
    Simplistic risk formula:
    Risk = Impact x Likelihood
  • Likelihood of Common Threats
  • 4. Document Existing Controls
    • Identify controls and determine how they will be used in the risk control strategy
      ◦ Accept it - Organizations may choose to take no actions for risks that have low impacts
      ◦ Mitigate it - Use of control to remove or reduce impact of threat
      ◦ Share it - Transferring all or part of impact (e.g., insurance)
      ◦ Defer it - For non-imminent risks
  • 5. Identify Improvements
    • It is infeasible to fully mitigate all risks
    • Evaluate adequacy of the controls and degree of risk associated with each threat
    • Establish priorities for dealing with threats to network security
    • Develop a policy which implements the improvements / risk mitigation strategy