U N C L A S S I F I E D
Defense-in-Depth: Securing Your System Using a Layered Security Approach
By Richard Hammer, LANL (LA-UR)
Overview
Relative Risks
Threat Vectors
What attackers need us to do
Things Everyone Can do
Client protections
Summary

Goal!
Secure your system so you:
–Do not lose your identity if the system is stolen
–Feel comfortable storing and processing personal, financial, business, and sensitive information
–Feel comfortable making online transactions
Old and New Threats

What attackers need from us!
Need us to execute a program
Need us to NOT securely configure our programs
Need us to NOT pay attention
Need us to NOT patch
Need us to be careless, gullible or curious
Need us to NOT understand the technology
“It’s that easy because we allow it to be that easy” (Frank Abagnale)

Things we all can learn to DO!
Compute as an unprivileged user if possible
Understand e-mail
Understand web browsing
Encrypt our data
Know what is connecting in/out
Actually do it!

Hackers do not like unprivileged users
They cannot change system settings
They cannot install programs that change system settings
They cannot undo security settings
A reboot will normally put the system back into a secure state again

Which is more secure?
Storing your credit card in your wallet, or storing your credit card number on your computer?
Protecting data at rest (powered off)
Physical security
Encryption
Nothing else will work; with the hardware in hand an attacker can:
–Remove the disk
–Reset the password
–Boot off cracker media
–Boot a Macintosh with the T key held (Target Disk Mode, which exposes the disk as an external drive)

Harddrive/File Encryption
Software: TrueCrypt, Guardian Edge, WinMagic, PGP, Pointsec, Cypherix, Calibex, many more!
Hardware
–Fortezza
–Encrypting hard drives
Windows EFS/BitLocker
Apple FileVault
Bcrypt
Entrust ICE
Entrust & PGP
Apple FileVault

Built-in Windows encryption
System Up and You Are Logged In (includes sleep mode)
No longer protecting data:
–Full disk encryption
–Hardware encryption
–Windows EFS/BitLocker or FileVault
Still protecting data until its own password is entered:
–Encrypted Disk Image (Mac OS X)
–Entrust, PGP, TrueCrypt, Bcrypt
–Other 3rd party encryption products

Entrust/PGP File Encrypt Options

Goals of Cryptosystems!
Ensure:
Confidentiality
Integrity
Authentication
Non-repudiation

Cryptosystem Problems?
You might lock yourself out forever!
Key management
Key distribution
Password/passphrase protection
Can’t encrypt/decrypt offline?
Speed?
Export? (GOV export authorized)

What will Defeat Encryption
Not protecting the password
Sleep mode and fast user switching (the keys stay in memory)
Freeze spray (keys recovered from chilled RAM), shut down and leave
Malware
–Keyboard loggers
–Infections
Not paying attention to warning messages
Backups (unencrypted copies of the encrypted data)
Understanding E-mail
Clear text e-mail is completely unreliable.
How do you recognize bogus e-mail?
What is URL redirection?
How do you protect yourself?
Outlook?

Why you should not trust clear text e-mail
Do not know who sent it
Do not know who sees it
Do not know where it went
Do not know who read it
Do not know if the content changed
Still on the server, on backups?
Sys admins have full access

Encrypting E-mail?
Only intended recipients can read messages or open files
Data has not been modified
Data is from the expected source
Not seen on the wire
Not just SSL/TLS to the server: the message itself is encrypted end to end
PGP/S/MIME/Entrust
Entrust Encryption Example?

PGP/S/MIME Encryption Example?

S/MIME/PGP/Entrust
Phishing right here in LA!
Guy Lisella: “Anytime they ask for personal information, it’s a scam.”
Legitimate businesses will NEVER ASK for personal information to be transmitted over clear text e-mail! If unsure, call them.

How do you recognize bogus e-mail?
Do you know the sender?
Is the offer “too good to be true?”
Embedded links that point to an address that doesn’t appear right.
Your address is not listed on the “TO” or “CC”.
The “FROM” and “Return-Path” don’t match.
Unexpected attachments.

What is wrong?

Understanding URLs/Redirection
Where you thought you were going:
Where you are redirected:
Computer name – www
Domain name – dncu.org.hi-position.com (the registered domain is hi-position.com; “dncu.org” is only a decoy prefix inside that hostname)
IP Address – no longer registered, but was XX
Directory – register
Index file – login.html

Look at the header
Eudora – Blah, Blah, Blah
Outlook – View, Options or Right Click, Options
Webmail – click on Full Headers
Thunderbird – menu bar, View / Headers / All
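The bogus-e-mail cues and the URL breakdown on the slides above, as an added Python example (not from the presentation): it parses a constructed sample message and flags the From/Return-Path mismatch, a recipient list that does not include you, an unexpected attachment, a link whose visible text shows one domain while its href goes to another, and a remote image the client would fetch if graphics were enabled. The message, addresses and hosts are constructed for illustration; `registrable_domain` is a naive helper that keeps the last two labels of a hostname, enough for the slide’s example but not for suffixes such as co.uk.

```python
"""Heuristic bogus-e-mail checks: From vs Return-Path, recipient on To/Cc,
unexpected attachments, deceptive links, remote images.  Added example;
the sample message below is constructed, not a real phishing message."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (hypothetical addresses and hosts).  The visible
# link text shows dncu.org, the href goes to dncu.org.hi-position.com.
SAMPLE = """\
Return-Path: <bounce@hi-position.com>
From: "Member Services" <support@dncu.org>
To: "Valued Customer" <customer@example.net>
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html; charset=us-ascii

<html><body><p>Your account will be suspended.</p>
<p>Click <a href="http://www.dncu.org.hi-position.com/register/login.html">
https://www.dncu.org/login</a> to verify.</p>
<img src="http://www.dncu.org.hi-position.com/beacon.gif">
</body></html>
--B
Content-Type: application/zip; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--B--
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IMG_RE = re.compile(r'<img\s[^>]*src="(https?://[^"]+)"', re.I)


def registrable_domain(host):
    """Naive registered domain: the last two labels.
    'www.dncu.org.hi-position.com' -> 'hi-position.com'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def describe_url(url):
    """Break a URL down the way the slide does: computer name, domain name,
    registered domain, directory and index file."""
    p = urlparse(url)
    host = p.hostname or ""
    computer, _, domain = host.partition(".")
    directory, _, filename = p.path.strip("/").rpartition("/")
    return {"computer": computer, "domain": domain,
            "registered": registrable_domain(host),
            "directory": directory, "file": filename}


def check_message(raw, my_address):
    """Return one finding per slide heuristic that fires on the message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    if from_dom and rp_dom and registrable_domain(from_dom) != registrable_domain(rp_dom):
        findings.append(f"From domain {from_dom} does not match Return-Path domain {rp_dom}")
    recipients = " ".join(str(msg.get(h, "")) for h in ("To", "Cc")).lower()
    if my_address.lower() not in recipients:
        findings.append("my address is not on To or Cc")
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            findings.append(f"unexpected attachment: {part.get_filename()}")
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()
        for href, text in LINK_RE.findall(html):
            href_host = urlparse(href).hostname or ""
            shown_host = urlparse(text.strip()).hostname
            if shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
                findings.append(f"link text shows {shown_host} but goes to {href_host}")
        for src in IMG_RE.findall(html):
            findings.append(f"remote image the client would fetch: {src}")
    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE, "alice@example.org"):
        print("-", finding)
    print(describe_url("http://www.dncu.org.hi-position.com/register/login.html"))
```

The link check compares the registered domain of the text the user sees with that of the href, which is exactly the trick in the slide’s redirection example; a client that does not render HTML or fetch remote graphics (next slides) never triggers the beacon at all.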
Give me the money

Stop Right There!
E-mail client configuration
Do NOT auto-execute anything
Do NOT automatically download HTML graphics
Do NOT display graphics in the message
Do NOT allow executable HTML content
Do NOT display emoticons as graphics
Do NOT use the Microsoft viewer

Entourage Settings

Before and After (Mac Mail)

What’s Wrong?
Unknown sender, not addressed to me, has an attachment I did not expect.

Virus protection caught it three weeks later; don’t be the first to open it!

Which is more secure?
Paying for a dinner with a credit card, or an online purchase?

Compare the two!
Web Browser Security
Understand how it works
SSL/TLS
Privacy settings
Security settings
“Warn me” is always a good option when not sure
Scripts
Understand threats
Internet Explorer?

Web Access (SSL/TLS)
SSL developed by Netscape (1994)
Certificate exchange
System to system
Certificate Authority
Should only use SSL 3.0 or TLS 1.0 (the guidance when this deck was written; both have since been deprecated and current practice is TLS 1.2 or later)
Is it secure?
Redirection
Man-in-the-middle attack

Keeping Track of State
Session ID, e.g. nid=0000q9ZvjIPe7xWTjxeftFjTqBy:-1
Cookie
–Persistent
–Non-persistent
Hidden form element
Firefox Security Settings

Man-in-the-Middle

Warning, should I proceed?

Secure ???

Clearing Privacy Settings (Firefox)

Security Settings (Firefox)

Firefox – NoScript

Firefox – NoScript (2)
Secure Web Transactions
Open a new browser
Ensure SSLv3/TLS
You initiate the connection
Only go to sites associated with the transaction
Use NoScript and only allow needed scripts
Pay attention to error messages
Log out when done
Close the browser and clear settings
Personal Application-layer Firewalls
ZoneAlarm
Little Snitch/Apple Firewall combo
In/out protection
Can distinguish between different programs connecting out on the same port
Will teach you which applications really connect out from your system

Connecting out, Really?

Same Port, different program
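The “which program is really connecting out” view that the slides above show from ZoneAlarm and Little Snitch, as an added Python example that is not from the presentation: it reads the Linux /proc/net/tcp table, decodes the kernel’s hex address format, and maps each socket’s inode to the owning process through /proc/<pid>/fd, so two programs talking to the same remote port show up as separate lines. The table and the inode-to-process map below are constructed (hypothetical PIDs, inodes and example-range addresses); on a Linux host the script reads the live /proc instead.

```python
"""Show which program owns each outbound TCP connection, the view a
personal application-layer firewall gives you.  Added example, not
from the presentation: parses /proc/net/tcp (Linux) and maps socket
inodes to processes through /proc/<pid>/fd.  Parsing is separated
from the /proc scan so it runs on the constructed sample below."""
import os
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

# Constructed /proc/net/tcp content (hypothetical inodes; addresses from
# the 10.0.2.0/24, 203.0.113.0/24 and 198.51.100.0/24 example ranges):
# one local listener on 631 and two different programs talking to port 80.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:C3A4 057100CB:0050 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:C3A8 076433C6:0050 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 20 4 30 10 -1
"""
# Constructed inode -> (pid, program) map standing in for a /proc scan.
SAMPLE_OWNERS = {11111: (812, "cupsd"), 22222: (4242, "firefox"),
                 33333: (4343, "updater")}


def decode_addr(hexaddr):
    """'0F02000A:C3A4' -> ('10.0.2.15', 50084): the kernel writes the IPv4
    address as a little-endian 32-bit hex word and the port in hex."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into dicts; the first line is the header."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                     "state": TCP_STATES.get(f[3], f[3]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def socket_inode_owners(proc="/proc"):
    """Map socket inode -> (pid, comm) by reading /proc/<pid>/fd symlinks.
    Only processes we may inspect (our own, unless root) are visible."""
    owners = {}
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return owners
    for pid in pids:
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:          # another user's process, or it exited
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:["):
                try:
                    with open(os.path.join(proc, pid, "comm")) as fh:
                        comm = fh.read().strip()
                except OSError:
                    comm = "?"
                owners[int(target[8:-1])] = (int(pid), comm)
    return owners


def outbound_by_program(text, owners):
    """Established connections as (program, pid, local, remote) tuples,
    sorted by remote port so same-port connections from different
    programs sit next to each other."""
    out = []
    for r in parse_proc_net_tcp(text):
        if r["state"] != "ESTABLISHED":
            continue
        pid, comm = owners.get(r["inode"], (None, "unknown"))
        out.append((comm, pid, r["local"], r["remote"]))
    return sorted(out, key=lambda t: (t[3][1], t[0]))


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            text, owners = fh.read(), socket_inode_owners()
    except OSError:                      # not Linux: fall back to the sample
        text, owners = SAMPLE_PROC_NET_TCP, SAMPLE_OWNERS
    for comm, pid, (lip, lport), (rip, rport) in outbound_by_program(text, owners):
        print(f"{comm:<12} pid={pid!s:<6} {lip}:{lport} -> {rip}:{rport}")
```

A connection whose inode maps to no process you can see prints as “unknown”; on a multi-user system that usually means another user’s (or root’s) process, which is itself worth knowing. A port-only firewall cannot tell these lines apart; an application-layer one keys its rules on the program.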
Client Protection Summary
User vs admin privilege
Virus protection
Spyware/adware protection
Keep systems and applications patched
Back up your data
Secure program settings: don’t auto-execute, and turn off autoplay

Client Protection Summary
DO NOT open attachments unless you expect them
Don’t click on embedded links
Pay attention to warning messages
Pop-up blockers
Clear privacy settings
NoScript

Client Protection Summary
If it’s “too good to be TRUE,” it is!
When configuring programs keep personal information to a minimum
Remove programs you don’t need
Stay away from shady web sites
One-time credit card numbers
Shut down when not using the system
Disconnect from the network if you don’t need to be on it

Client Protection Summary
Encrypt sensitive information
Application-layer personal firewall
Outlook and Internet Explorer:
–Consider replacing these programs
–Keep them patched

Educate Yourself!