1. The Security State of Mind Chet Uber CTO/World Media Company 1999 CERT Conference Tutorial

2. Chet’s Disclaimer n The opinions expressed are mine and mine alone, they are not those of my employer World Media Company, or our parent The Omaha-World Herald. n If you are easily upset by non- traditional in your face discussions of security methodology you had better leave now.

3. Presentation Premise Presentation Premise n The danger posed by intruders and those that wish you harm, are FAR underestimated. We have not seen the tip of the iceberg, and the only folks that really understand the implications are the NSA, DOD and DOE. The statement concerning the NSA, DOD and DOE is conjecture on my part.

4. What is the Security State of Mind (SSM)? n The Security State of Mind has to do with using every means at your disposal to design and implement unwavering Security-in-Depth. A sign that you have the SSM is when upper management and your coworkers constantly say, “You are really being paranoid about this.”

5. What is the Security State of Mind (SSM)? n The proof that you have the SSM is that you know your paranoia is really just you very clear picture of the reality of the situation at hand. n One of the tenants of the SSM is the understanding that business is war, and that everyone is a potential enemy.

6. What the SSM tells us! n There is no such thing as a “100% secure system or network.” n That human beings are the weakest link in the implementation of security policies. n That there is a trade-off between the amount of security and usability.

7. ‘State of the Union’ address for the networked open system environment

8. “The security field is neither stable nor globally understood, and with the inclusion of the Internet has led to a condition where … greater than 75% of these networks are highly vulnerable” -- July 1999, ISS Inc.

9. A recent report was prepared by WarRoom Research, LLC in support of the Senates Permanent Subcommitte on Investigations which involved among others; the FBI, Ernst & Young LLP/InformationWeek, Computer Security Institute, GAO, and the U.S. Military Services

10. The following conclusions were put forward in the WarRoom report...

11. “The human threats are growing in numbers and sophistication.”

12. “61% of those organizations responding to the WarRoom Survey had experienced an internal attack within the past 12 months.”

13. “58% of those organizations responding to the survey had experienced an external attack within the past 12 months.”

14. “The vulnerability conditions associated with our networks are well known and understood.”

15. “Vulnerability is worsened by the availability of free hacker tools on the Internet.”

16. “Over 45% of the reported attacks were associated with advanced technical hacking techniques; for example sniffers, theft of password files, vulnerability probing/scanning, Trojan logon, etc.”

17. “Incident rates are increasingly alarming”

18. “The impact associated with attacks continues to move up and off the chart.”

19. “Over 45% of the internal attacks resulted in losses over $200,000.”

20. “Over 15% of the internal attacks resulted in losses over $1,000,000.”

21. “Over 50% of the external attacks result in losses over $200,000.”

22. “Over 17% of the external attacks resulted in losses over $1,000,000.”

23. In broad terms what should be done by those with the SSM; and why traditional security measures are not enough!

24. Making A Good Start! n Definition of sound processes. n Creation of meaningful and enforceable security policies. n Proper implementation of organizational safeguards. n Establishment of ways in which security can be measured.

25. Direct Risk Mitigation n Identification and Authentication n Encryption n Access Control n Note* - This Interim step can give a false sense of security

26. Risk Analysis + Policy + Direct Technical Countermeasures = Traditional Security Safeguards This is 40-60% of the overall solution when implemented properly

27. Items not addresses by Traditional Approach n An active, highly knowledgeable, evolving threat n The greatly reduced network security decision and response cycle n Low User Awareness levels n Highly dynamic vulnerability conditions

28. A Solid Security Program n Adhere to sound standardization processes n Implement valid procedures and technical solutions n Provide for system audits intended to support potential attack or system misuse analysis

29. Adaptive Security Model Traditional Security Safeguards +Threat/Vulnerability Monitoring + Threat/Vulnerability Detection + Threat/Vulnerability Response = Adaptive Security

30. Ensure all applicable vulnerabilities are secured across the entire network

31. Ensure all systems are configured in a secure manner consistent with organizational policy

32. Ensure all potentially hostile threats are detected, monitored, and responded to in a timely appropriate manner.

33. Provide real-time, on- the-fly, technical reconfiguration of threat access routes.

34. Provide timely security alerts and tasking to those responsible for addressing network threats and vulnerabilities.

35. Provide accurate network security audit and trends analysis data in support of security program planning and assessment efforts.

36. Two examples of a dramatic change in knowledge based in real world experience.

37. The EFF’s Project “Deep Crack” The EFF lead a concerted effort to develop a machine specifically designed to break DES encryption. This effort was funded with a $250,000 grant and produced a machine that rendered keys in days and finally hours. A book “Cracking DES” includes all the schematics and code. The design is such that the application of $MONEY$ would accelerate the time to minutes. There are literally millions of DES protected files.

38. PRESS RELEASE CWI, Amsterdam - August 26, 1999 Security of E-commerce threatened by 512-bit number factorization

39. “On August 22 1999, a team of scientists from six different countries, led by Herman te Riele of CWI (Amsterdam), found the prime factors of 512-bit number, whose size models 5% of the keys used for protection of electronic commerce on the Internet. This result shows, much earlier than expected at the start of E-commerce, that the popular key-size of 512 bits is no longer safe against even a moderately powerful attacker. The amount of money protected by 512-bit keys is immense. Many billions of dollars per day are flowing through financial institutions such as banks and stock exchanges.”

40. “The factored key is a model of a so- called "public key" in the well-known RSA cryptographic system which was designed in the mid-seventies by Rivest, Shamir and Adleman at the Massachusets Institute of Technology in Cambridge, USA. At present, this system is used extensively in hardware and software to protect electronic data traffic such as in the international version of the SSL (Security Sockets Layer) Handshake Protocol”

41. “Apart from its practical implications, the factorization is a scientific breakthrough: 25 years ago, 512-bit numbers (about 155 decimals) were thought virtually impossible to factor. Estimates based on the then-fastest known algorithms and computers predicted a CPU time of more than 50 billion (50 000 000 000) years. The factored number, indicated by RSA- 155, was taken from the "RSA Challenge List", which is used as a yardstick for the security of the RSA cryptosystem.”

42. “In order to find the prime factors of RSA-155, about 300 fast SGI and SUN workstations and Pentium PCs have spent about 35 years of computing time. The computers were running in parallel -- mostly overnight and at weekends -- and the whole task was finished in about seven calendar- months.”

43. “The following organizations have made their workstation and PC computing power available to this project: Centre Charles Hermite (Nancy, France), Citibank (Parsippany, NJ, USA), CWI (Amsterdam), Ecole Polytechnique/CNRS (Palaiseau, France), Entrust Technologies (Ottawa, Canada), Lehigh University (Bethlehem, Pa, USA), the Medicis Center at Ecole Polytechnique (Palaiseau, France), Microsoft Research (Cambridge, UK), Sun Microsystems Professional Services (Camberley, UK), The Australian National University Canberra, Australia), University of Sydney Australia).”

44. “In addition, an essential step of the project which requires 2 Gbytes of internal memory has been carried out on the Cray C916 supercomputer at SARA (Academic Computing Centre Amsterdam). Given the current big distributed computing projects on Internet with hundreds of thousands of participants, e.g., to break RSA's DES Challenge or trace extra-terrestrial messages, it is possible to reduce the time to factor a 512-bit number from seven months to one week. For comparison, the amount of computing time needed to factor RSA-155 was less than 2% of the time needed to break RSA's DES challenge.”

45. The number and the found factors are: RSA-155 = 10941738641570527421809707322040357612003 73294544920599091384213147634998428893478 47179972578912673324976257528997818337970 76537244027146743531593354333897 = 10263959282974110577205419657399167590071 6567808038066803341933521790711307779 * 10660348838016845482092722036001287867920 7958575989291522270608237193062808643

46. A broad stroke view of things that are typically of interest to Network Security Administrators. Note the vast scope of topics is not at all inclusive * taken from a typical IT security schedule

47. Overview of Network Security n Defining the problem n Security Policy n Attacker Methods n Incident Response n Legal Considerations

48. Network Services n Client/Server Computing n UNIX versus Windows NT

49. Attack Methods n Types of attacks n Misadministration n Software Bugs n Denial of Service

50. Logging, Auditing, and Detection n UNIX versus Windows NT n Auditing n Vulnerability Detection n Vulnerability Detection Tools n Intrusion Detection

51. WWW Security n General Server Security n WWW Server Security n WWW Client Security

52. An Overview of Firewalls n Firewall versus Host Security n Categories of Firewalls n The Weaknesses of Firewalls

53. Packet Filters n TCP/IP Packets n Packet Filters and the Client/Server model

54. Proxy Servers n Definition: Proxy Servers n Gauntlet Firewall n Firewall-1

55. Firewall Architecture n Bastion Hosts n The dual-homed screening router n The dual-homed bastion host n The dual-homed Proxy server n The screened Bastion Host n Screened subnet n The screened subnet architecture

56. Firewall Architecture (2) n The multiple bastion host approach n Belt-and-Suspenders

57. Secure Communications and Authentication n Features of cryptography n Classes of cryptographic systems n Digital Signatures n Applications of encryption

58. SSM Standard Operating Procedures The Essence The Attitude Some Basic Tasks

59. For the love of Pete -- Turn on accounting, and make it as granular as possible.

60. Just because you are paranoid does not mean they aren’t out to get you. n When your boss tells you that you are over-reacting and just plain paranoid, tell him that someone has to be; and that paranoia is just a case of seeing things clearly.

61. ROI is not always a good indicator of success in the security arena; and neither is TCO. Sometimes is costs what it costs.

62. To Darn Bad (TBD) n There is always a trade off of ease of use and security. If a policy meets resistance because of its effect on the end-user, tell them TDB. n TDB should be what you say to yourself. What you say to the user is that it is policy from the highest level. n TBD is the mildest form of this attitude.

63. Log, Log, Log, Log, Log, Log and Log some more n Employ logging at the system level, as well as using additional tools. n Log all systems via serial connection to a central system, which is not connected to the network in any way. n Print a paper log of from the central system. Consider using special paper.

64. You have to make a decision in the beginning about whether or not you have intestinal fortitude, the endurance and the money to do what needs to be done to prosecute the intruders.

65. An unbroken chain of evidence is essential in order to prosecute. This means time stamped logs and other auditing and accounting measures.

66. Public Key Cryptography IKE - Internet Key Exchange PKI - Public Key Infrastructure

67. End-user Hardware n Remove or disable floppy drives. n Disable CD-ROM drives. n Enable BIOS passwords. n Physically cover all unused serial, USB, parallel, SCSI and other ports not used. n Employ something you own, something you know, and something you are.

68. End-User Software n Lock down all desktops and install software via a standardized and secure methodology. Many products are available for this function. n When the end-users complain about the fascism and low productivity remember that it is just TDB.

69. Switching to the Desktop n There is the very real internal threat in hub-based access level schemas. The end-users have the ability to sniff traffic that is not there’s n Switching allows electrical segmentation, and makes sniffing much more difficult -- and general not possible

70. Realize that there is no such thing as a secure system -- get over it and move on! Take all steps a reasonable and prudent person would, but forget about your bosses demands for a 100% guaranteed secured network. This is a reality check.

71. Top-Level Buy-in n A couple of years ago, I was sitting in on a company that had brought in a “Demming” statistical improvement specialist. Half way through, the President and General Manager got up and said very vocally. “This is not something I need to be concerned about.” Imagine the effect on the rest of the attendees

72. Employ Intrusion Detection Technologies There is a great benefit to employing an intrusion detection system even with the still high- degree of false positives.

73. Encourage the open source peer-review model of development and implementation In a recent call for papers by DARPA regarding using Windows NT for security research; every scientist made a similar statement -- “without source code to the security layer, it is impossible to determine the real security risks”

74. Everyday there will be new threats Get used to it, live it, breathe it, immerse yourself in it. This fact will never change, and hampers entities from implementing anything

75. Check out your People n The individuals who are ultimately responsible for the design and implementation of your security should be beyond reproach with regards to there risk factor n Check Backgrounds n Monitor n Be Vigilant

76. Employee a Password Escrow System n Do not let passwords to the core facility rattle around in peoples heads and on pieces of paper. n Employee and electronic password management system (PMS) which utilizes diskettes or other media to give you access. n The PMS should not be on the network.

77. Something you know. Something you have. Something you are. Something you know. Something you have. Something you are.

81. Always look at the worst case scenario n Designing your security policies and enforcement of the same should account for the worst case scenario. n If I here about how much trust someone has in so and so one more time, I think I will puke. n Trust no one.

82. Disaster Recovery n Disaster recovery is as important, if not more, than security is. n If you can’t recover from the worst case scenario, then you have a problem. n Run drills on a regular basis, as you would fire drills. n Always use the VERIFY option when creating backups

83. MANTRAP MANTRAP MANTRAP MANTRAP MANTRAP MANTRAP MANTRAP MANTRAP MANTRAP MANTRAP MANTRAP MANTRAP MANTRAP MANTRAP MANTRAP MANTRAP

84. Standards Organizations to be concerned with in this area include; ISO, ANSI, IEEE, IETF, and W3C. Of special note is the Security Group of IETF and its various committees.

85. Always use conduit! n It is very easy to place passive taps on copper wiring trunks and cables through the use of a “vampire tap” and other methodologies. n Conduit makes rewiring easier. Make sure your pipe is fat enough to handle upgrades. n Conduit protects cable from physical damage

86. If you can afford it use fiber n Fiber optics cabling gives you high- bandwidth today with room to grow for tomorrow; but most importantly it is almost impossible to tap passively. n Fiber optics do not give of EMF, and are therefore not subject to the Van Eck effect and reduce remote passive monitoring capabilities.

87. The watcher of the watcher of the watcher of the watcher n It is generally given as a problem in first year accounting, about when the cost of additional checks and balances are feasible. Normally the “Parking Lot Attendant” is used as the example. This is a valid exercise to go through when creating layers of security.

88. Always practice security in Depth!

89. Host-based security is not enough

90. Network based security is not enough

91. Firewalls are not enough

92. Physical security measures are not enough!

93. Fundamental Problem n Most of you will walk out of this tutorial, and say -- I knew those things. n A large percentage of people will get back to work and still not do anything about it. n There is Knowledge in knowing, but there is Wisdom in execution. And there is the need of strong character and persuasion to accomplish the task.

94. Avoid Services which pass login and password information in plain text n Use SSH instead of Telnet whenever possible. n Make sure the version of email you have does not pass login information.

95. Official Motto of the Practitioners of SSM n I will practice and teach Eternal Vigilance n I have a resounding will to accomplish the implementation necessary. n I will avoiding making special cases for end- users who complain about Fascism. n I will compel management to accept the need for SSM even at the risk of losing my job (This is the acid test).