Data Protection


Data Protection: Firewalls, Intrusion Detection & Audit Issues

July 30, 2008

Presented By: Azhar Ahmad Sahibzada, Deputy CISO, Information Security Division, Askari Bank Limited.

Data Protection
CISO = Chief Information Security Officer
Job that focuses on Information Security within an organization
Responsibilities vary depending on needs of organisation but often include responsibility for:

Security Office Mission and Mandate Development
Security Office Governance
Security Policy Development and Management
Security Training and Awareness Development
Security Project Portfolio Development

The CISO reports either to the Chief Information Officer (CIO) or to the Chief Executive Officer (CEO)

What Is Data
DATA is information that has been translated into a form that is more convenient to move or process.

Relative to today's computers and transmission media, data is information converted into binary digital form.

The Three Tenets of Computer Security

Confidentiality - unauthorized users cannot access data
Integrity - unauthorized users cannot manipulate/destroy data
Availability - unauthorized users cannot make system resources unavailable to legitimate users

Data Protection

Threat - any event which could have an undesirable impact
Vulnerability - absence or weakness of a risk-reducing safeguard; potential to allow a threat to occur with greater frequency, greater impact, or both
Exposure - a measure of the magnitude of loss or impact on the value of the asset
Risk - the potential for harm or loss, including the degree of confidence of the estimate

Data Protection
The management of risk is called Risk Management

Data Protection
In Information Security, a "risk" is defined as a function of three variables:

The probability that there's a threat
The probability that there are any vulnerabilities
The potential impact

If any of these variables approaches zero, the overall risk approaches zero.

Data Protection

TRANSACTION/OPERATIONS RISK
CREDIT RISK
LIQUIDITY, INTEREST RATE, PRICE/MARKET RISKS
COMPLIANCE/LEGAL RISK
STRATEGIC RISK

Data Protection

Relationship Among Security Components

Definitions

Due Care - minimum and customary practice of responsible protection of assets that reflects a community or societal norm

Due Diligence - prudent management and execution of due care

Controls

Vulnerabilities

Physical
Natural - floods, earthquakes, terrorists, power outage, lightning
Hardware/Software
Media - corrupt electronic media, stolen disk drives
Emanation
Communications
Human - social engineering, disgruntled staff

Security Management Planning


Identify potential losses if security is not properly implemented:

Trade Secrets
Confidential Information
Personal E-Mail
Adverse Publicity
Viruses, worms, malicious Java and ActiveX applications
Denial of Service
Hard drive reformats, router reconfigurations
Financials
Hacked Web Pages
Breach of Human Resources information

Information Valuation

Information has cost/value
Acquire/develop/maintain
Owner/Custodian/User/Adversary
Do a cost/value estimate for:
Cost/benefit analysis
Integrate security in systems
Avoid penalties
Preserve proprietary information
Business Continuity

Threats

Unauthorized access
Hardware failure
Utility failure
Natural disasters
Loss of key personnel
Human errors
Neighborhood hazards
Tampering
Disgruntled employees
Emanations
Safety
Improper use of technology
Repetition of errors
Cascading of errors

Threats

Illogical processing
Translation of user needs (technical requirements)
Inability to control technology
Equipment failure
Incorrect entry of data
Concentration of data
Inability to react quickly
Inability to substantiate processing
Concentration of responsibilities
Erroneous/falsified data
Misuse

Data Protection
FIREWALLS

Data Protection
A firewall is a device or set of devices configured to permit, deny, encrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria

Data Protection
A firewall's basic task is to regulate some of the flow of traffic between computer networks of different trust levels. Typical examples are the Internet which is a zone with no trust and an internal network which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or Demilitarized zone (DMZ).

A TYPICAL BANK NETWORK

(Network diagram; only its labels survived extraction.) Components shown: INTERNET; Firewalls; Kiosk; Extranet; Utility Company; Residential, Home Office; Mobile Banking; E-Commerce; Central Host; Branch 1, Branch 2, Branch 3; BANK INTRANET; ATM; ATM Switch; Network Management; Data Warehouse; Call Center.

Firewall Terms

Network address translation (NAT) - internal addresses unreachable from external network
DMZ - De-Militarized Zone - hosts that are directly reachable from untrusted networks
ACL - Access Control List - can be a router or firewall term

Firewall Terms

Choke, Choke router - a router with packet filtering rules (ACLs) enabled
Gate, Bastion Host, Dual Homed Host - a server that provides packet filtering and/or proxy services
Proxy Server - a server that provides application proxies

Firewall types

Packet-filtering router - most common; uses Access Control Lists (ACL) on port and source/destination address
Screened host - packet filtering and bastion host; application layer proxies
Screened subnet (DMZ) - 2 packet filtering routers and bastion host(s); most secure

Firewall mechanisms

Proxy servers - an intermediary; think of a bank teller
Stateful Inspection - state and context analyzed on every packet in a connection
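The difference between a packet-filtering ACL and stateful inspection, as an added example that is not part of the presentation: a first-match ACL on port and source/destination address (as a screening router applies it) beside a stateful filter that remembers each permitted connection and admits its reply traffic, while rejecting a mid-stream segment for a connection it never saw. The rule set, addresses, and the Packet/Rule types are constructed for the demonstration.

```python
"""Added example (not from the presentation): a first-match packet-filter ACL
as a screening router applies it, next to a stateful filter that only admits
return traffic for connections it has already seen.  Rules, packets and
addresses are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int
    proto: str = "tcp"
    syn: bool = False   # True for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    src: str                 # IPv4 prefix, or "any"
    dst: str
    dport: Optional[int]     # None matches any destination port
    proto: str = "tcp"


def _in_prefix(addr: str, prefix: str) -> bool:
    return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and _in_prefix(pkt.src, rule.src)
            and _in_prefix(pkt.dst, rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def acl_decision(rules: List[Rule], pkt: Packet) -> str:
    """Stateless screening router: first matching rule wins, no match is an implicit deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    """Applies the same ACL to new connections, then remembers each permitted flow
    so that its reply traffic is admitted without an explicit inbound rule."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows = set()   # (src, sport, dst, dport) of permitted connections

    def decide(self, pkt: Packet) -> str:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "permit"                      # reply direction of a known flow
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"                        # mid-stream segment for a flow we never saw
        action = acl_decision(self.rules, pkt)
        if action == "permit":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action


# Constructed policy: only HTTPS to the web server 10.0.0.10 is allowed in.
RULES = [
    Rule("permit", "any", "10.0.0.10/32", 443),
    Rule("deny", "any", "any", None),
]


def demo() -> dict:
    """Three packets: a new inbound connection, the server's reply, and a stray
    ACK from a host that never opened a connection."""
    syn_in = Packet("203.0.113.5", "10.0.0.10", 443, 40000, syn=True)
    reply = Packet("10.0.0.10", "203.0.113.5", 40000, 443)
    stray_ack = Packet("198.51.100.9", "10.0.0.10", 443, 40001)
    stateful = StatefulFilter(RULES)
    return {
        "stateless": [acl_decision(RULES, p) for p in (syn_in, reply, stray_ack)],
        "stateful": [stateful.decide(p) for p in (syn_in, reply, stray_ack)],
    }


if __name__ == "__main__":
    print(demo())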

Web Security

Secure Sockets Layer (SSL) - transport layer security (TCP based); widely used for web based applications, by convention https://

Secure Hypertext Transfer Protocol (S-HTTP) - less popular than SSL; used for individual messages rather than sessions

Secure Electronic Transactions (SET) - PKI for financial data; supported by VISA, MasterCard, Microsoft, Netscape

Common Attacks

Spoofing

TCP - sequence number prediction
UDP - trivial to spoof
DNS - spoof/manipulate IP/hostname pairings
Source Routing

Sniffing

Passive attack
Monitor the wire for all traffic; most effective in shared media networks
Sniffers used to be hardware, now are a standard software tool

Session Hijacking

Uses a sniffer to detect sessions and get pertinent session info (sequence numbers, IP addresses)
Actively injects packets, spoofing the client side of the connection, taking over the session with the server
Bypasses I&A controls
Encryption is a countermeasure; stateful inspection can be a countermeasure

IP Fragmentation

Use fragmentation options in the IP header to force data in the packet to be overwritten upon reassembly

Used to circumvent packet filters
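The defensive side of the fragmentation problem, as an added example that is not part of the presentation: a reassembler that refuses overlapping or incomplete fragments, so that a filter can make its decision on the whole datagram rather than on the first fragment's header. Offsets are expressed in bytes for readability (real IP fragment offsets are in 8-byte units), and the three fragment sets are constructed.

```python
"""Added example (not from the presentation): a reassembler that refuses
overlapping or incomplete IP-style fragments, so a packet filter can decide on
the whole datagram instead of the first fragment's header alone.  Offsets are
in bytes here for readability (real IP offsets are in 8-byte units); the
fragment sets are constructed."""
from typing import List, Tuple

Fragment = Tuple[int, bytes, bool]   # (offset, payload, more_fragments flag)


def reassemble(fragments: List[Fragment]) -> bytes:
    """Return the reassembled payload, or raise ValueError on overlap, gap or truncation."""
    if not fragments:
        raise ValueError("no fragments")
    ordered = sorted(fragments, key=lambda f: f[0])   # arrival order does not matter
    out = bytearray()
    expected = 0
    for offset, payload, _more in ordered:
        if offset < expected:
            raise ValueError(f"overlapping fragment at offset {offset}")
        if offset > expected:
            raise ValueError(f"gap before offset {offset}")
        out += payload
        expected += len(payload)
    if ordered[-1][2]:
        raise ValueError("last fragment has more-fragments set; datagram incomplete")
    return bytes(out)


def verdict(fragments: List[Fragment]) -> str:
    """Filter-friendly wrapper: 'ok' for a clean datagram, otherwise the reason to drop it."""
    try:
        reassemble(fragments)
        return "ok"
    except ValueError as err:
        return f"drop: {err}"


# Constructed fragment sets.
CLEAN = [(0, b"HEAD /status ", True), (13, b"HTTP/1.0", False)]
OVERLAP = [(0, b"HEAD /status ", True), (5, b"XXXXXXXX HTTP/1.0", False)]   # rewrites bytes 5..12
MISSING = [(0, b"HEAD /status ", True)]                                       # tail never arrived

if __name__ == "__main__":
    for name, frags in (("clean", CLEAN), ("overlap", OVERLAP), ("missing", MISSING)):
        print(name, "->", verdict(frags))
```

A filter that reassembles before it matches rules never has to trust a first fragment whose content a later fragment may rewrite; rejecting the overlap outright is simpler and safer than trying to guess which copy the end host would keep.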

Syn Floods

Remember the TCP handshake?

Syn, Syn-Ack, Ack

Send a lot of Syns
Don't send Acks
Victim has a lot of open connections, can't accept any more incoming connections
Denial of Service
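What the victim side of a SYN flood looks like in its connection table, as an added example that is not part of the presentation: a replay of client-side SYN and ACK events that counts handshakes left half-open and flags sources with many of them. The trace and the per-source limit are constructed.

```python
"""Added example (not from the presentation): counting half-open TCP
connections from a packet trace, the symptom a SYN flood produces on the
victim.  A handshake is complete when the client's final ACK is seen; entries
still pending at the end are half-open.  The trace is constructed."""
from collections import Counter
from typing import Dict, List, Tuple

Event = Tuple[str, str, int]   # (flag seen from the client, client address, client port)


def half_open_report(events: List[Event], per_source_limit: int = 3) -> Dict[str, object]:
    """Replay client-side SYN/ACK events and report what never completed."""
    pending = set()                       # (client, port) with a SYN but no final ACK yet
    for flag, client, port in events:
        if flag == "SYN":
            pending.add((client, port))
        elif flag == "ACK":
            pending.discard((client, port))
    per_source = Counter(client for client, _ in pending)
    return {
        "half_open": len(pending),
        "per_source": dict(per_source),
        "suspects": sorted(c for c, n in per_source.items() if n >= per_source_limit),
    }


# Constructed trace: one client finishes its handshake, another opens five and never replies.
TRACE: List[Event] = [
    ("SYN", "192.0.2.7", 51000), ("ACK", "192.0.2.7", 51000),
    ("SYN", "198.51.100.200", 1), ("SYN", "198.51.100.200", 2),
    ("SYN", "198.51.100.200", 3), ("SYN", "198.51.100.200", 4),
    ("SYN", "198.51.100.200", 5),
]

if __name__ == "__main__":
    print(half_open_report(TRACE))
```

Because flood sources are usually spoofed (see the Spoofing slide), the total half-open count against the listen backlog is the more reliable signal than any single source; on the host side, SYN cookies and backlog tuning are the standard mitigations.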

Access Controls

What is Access Control?

Access Control is the heart of security

Definitions:
The ability to allow only authorized users, programs or processes system or resource access
The granting or denying, according to a particular security model, of certain permissions to access a resource
An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on preestablished rules.

How can AC be implemented?

Hardware
Software
Application
Protocol (Kerberos, IPSec)
Physical
Logical (policies)

What does AC hope to protect?

Data - unauthorized viewing, modification or copying
System - unauthorized use, modification or denial of service
It should be noted that nearly every Network Operating System (NT, Unix, Vines, NetWare) is based on a secure physical infrastructure

Proactive Access Control

Awareness Training
Background checks
Separation of duties
Split knowledge
Policies
Data classification
Effective user registration
Termination procedures
Change control procedures

Physical Access Control


Guards
Locks
Mantraps
ID badges
CCTV, sensors, alarms
Biometrics
Fences - the higher the voltage the better
Card-key and tokens
Guard dogs

Varied types of Access Control


Discretionary (DAC)
Mandatory (MAC)
Lattice/Role/Task
Formal models: Biba, Take/Grant, Clark/Wilson, Bell/LaPadula
Bell/LaPadula - used set theory to define the concept of a secure state, the modes of access, and the rules for granting access.

Authentication
3 types of authentication:

Something you know - password, PIN, mother's maiden name, passcode
Something you have - ATM card, smart card, token, key, ID badge, driver license, passport
Something you are - fingerprint, voice scan, iris scan, retina scan, DNA

Multi-factor authentication

2-factor authentication - to increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication:

ATM card + PIN
Credit card + signature
PIN + fingerprint
Username + Password (NetWare, Unix, NT default)

3-factor authentication - for highest security:

Username + Password + Fingerprint
Username + Passcode + SecurID token

Problems with passwords

Insecure - given the choice, people will choose easily remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc.
Easily broken - programs such as Crack, SmartPass, PWDUMP, NTCrack & l0phtcrack can easily decrypt Unix, NetWare & NT passwords. Dictionary attacks are only feasible because users choose easily guessed passwords!
Inconvenient - in an attempt to improve security, organizations often issue users with computer-generated passwords that are difficult, if not impossible, to remember
Repudiable - unlike a written signature, when a transaction is signed with only a password, there is no real proof as to the identity of the individual that made the transaction

Password Attacks

Brute force
Dictionary
Trojan horse login program

Tools: l0phtcrack, Crack, John the Ripper (for a comprehensive listing, see Alan Lustiger or attend his presentation at the CSI conference in November)

Classic Password Rules

The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfill both criteria is to use two small unrelated words or phonemes, ideally with a special character or number. Good examples would be hex7goop or typetin.

Don't use:
common names, DOB, spouse, phone #, etc.
words found in dictionaries
"password" as a password
system defaults

Password Management

Configure system to use strong passwords
Set password time and length limits
Limit unsuccessful logins
Limit concurrent connections
Enable auditing
Have policies for password resets and changes
Use last login dates in banners
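The Classic Password Rules and the "strong passwords" item above, turned into a check a system could run at password-change time, as an added example that is not part of the presentation. It enforces the slide's prohibitions (names, dates and phone numbers, dictionary words, system defaults, "password"), plus two assumptions of this example: a minimum length of 8 and the slide's "ideally a special character or number" treated as a requirement. The word lists are tiny constructed stand-ins for a real dictionary and default-password list.

```python
"""Added example (not from the presentation): a password check that enforces
the slide's rules (no names, dates or phone numbers, no dictionary words or
defaults, not "password") plus an assumed minimum length of 8 and the
slide's "ideally a number or special character" as a requirement.  The word
lists are constructed stand-ins for a real dictionary and default list."""
import re
from typing import Iterable, List

DICTIONARY_WORDS = {"password", "welcome", "letmein", "summer", "dragon", "monkey"}   # constructed
SYSTEM_DEFAULTS = {"changeme", "admin", "default", "guest"}                            # constructed
MIN_LENGTH = 8   # assumption, not stated on the slide


def check_password(candidate: str, username: str = "", personal: Iterable[str] = ()) -> List[str]:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in DICTIONARY_WORDS:
        problems.append("dictionary word")
    if lowered in SYSTEM_DEFAULTS:
        problems.append("system default password")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    for detail in personal:                        # spouse/pet names, DOB, phone number
        if detail and detail.lower() in lowered:
            problems.append(f"contains personal detail {detail!r}")
    if re.fullmatch(r"\d+", candidate):
        problems.append("digits only (looks like a date or phone number)")
    if not any(ch.isdigit() or not ch.isalnum() for ch in candidate):
        problems.append("no number or special character")
    return problems


if __name__ == "__main__":
    for pw in ("hex7goop", "password", "fluffy1990", "19850312"):
        print(pw, "->", check_password(pw, username="jsmith", personal=("Fluffy", "1990")) or "ok")
```

A real deployment replaces the two sets with a full word list and a list of known-compromised passwords; current guidance (NIST SP 800-63B) weighs length and screening against breached-password lists more heavily than composition rules like the digit/special-character requirement used here.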

Tokens

Used to facilitate one-time passwords
Physical card
SecurID
S/Key
Smart card
Access token
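How S/Key produces one-time passwords from a hash chain, as an added example that is not part of the presentation: the client keeps a seed, the server stores only the top of the chain, and each login walks one step down, so a captured password cannot be replayed. SHA-256 stands in for the MD4/MD5 of the original S/Key, and the seed and chain length are constructed.

```python
"""Added example (not from the presentation): an S/Key-style one-time password
scheme built on a hash chain.  The server stores only H^n(seed); the client
answers the i-th login with H^(n-i)(seed), which the server verifies by hashing
once and comparing, then stores as the new reference value.  SHA-256 stands in
for the MD4/MD5 used by the original S/Key; seed and count are constructed."""
import hashlib
from typing import List


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_chain(seed: bytes, n: int) -> List[bytes]:
    """chain[i] is H applied i times to seed; chain[n] goes to the server, the rest stays with the client."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain


class OtpVerifier:
    """Server side: never sees the seed, keeps one hash and a countdown."""

    def __init__(self, top_of_chain: bytes, remaining: int):
        self.reference = top_of_chain
        self.remaining = remaining

    def verify(self, otp: bytes) -> bool:
        if self.remaining <= 0 or H(otp) != self.reference:
            return False
        self.reference = otp        # walk one step down the chain; this OTP can never be reused
        self.remaining -= 1
        return True


def demo() -> List[bool]:
    """Client logs in with chain[n-1], replays it, then continues with chain[n-2]."""
    n = 5
    chain = build_chain(b"constructed-seed-value", n)
    server = OtpVerifier(chain[n], n)
    first = server.verify(chain[n - 1])
    replay = server.verify(chain[n - 1])     # reference has already moved down the chain
    second = server.verify(chain[n - 2])
    return [first, replay, second]


if __name__ == "__main__":
    print(demo())
```

The property that matters is that the verifier only ever stores a value from which the next valid password cannot be derived (a one-way function cannot be run backwards), and that when the countdown reaches zero the chain must be re-seeded.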

Data Protection
INTRUSION DETECTION

Intrusion Detection Systems

IDS monitors system or network for attacks
IDS engine has a library and set of signatures that identify an attack
Adds defense in depth
Should be used in conjunction with a system scanner (CyberCop, ISS S3) for maximum security

Intrusion Detection (IDS)

Host or network based
Context and content monitoring
Positioned at network boundaries
Basically a sniffer with the capability to detect traffic patterns known as attack signatures

IDS Attacks

Insertion Attacks - insert information to confuse pattern matching

Evasion Attacks - trick the IDS into not detecting traffic. Example - send a TCP RST with a TTL setting such that the packet expires prior to reaching its destination
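Why a signature matcher has to reason about what the end host will actually accept, as an added example that is not part of the presentation: a naive matcher that concatenates segments in arrival order and drops its state on any RST, beside a hardened one that first discards segments the host would never process (bad checksum, or a TTL that expires before the target, which the sensor knows from a hop count it measured in advance) and then reassembles by sequence number. This is the insertion/evasion class described by Ptacek and Newsham (1998); the segments, the signature string and the hop count are constructed.

```python
"""Added example (not from the presentation): a signature matcher over a TCP
stream in two variants, naive and hardened against insertion and evasion.
Segments, signature and the hop count to the protected host are constructed."""
from dataclasses import dataclass
from typing import List


@dataclass
class Segment:
    seq: int
    data: bytes
    ttl: int = 64
    checksum_ok: bool = True
    rst: bool = False


def reaches_host(seg: Segment, hops_to_target: int) -> bool:
    """The end host processes a segment only if its checksum is valid and its TTL
    is not exhausted by the routers between the sensor and the host."""
    return seg.checksum_ok and seg.ttl > hops_to_target


def naive_match(segments: List[Segment], signature: bytes) -> bool:
    """Arrival-order concatenation; trusts every packet and drops state on any RST."""
    stream = bytearray()
    for seg in segments:
        if seg.rst:
            break
        stream += seg.data
    return signature in bytes(stream)


def hardened_match(segments: List[Segment], signature: bytes, hops_to_target: int) -> bool:
    """Match only what the host will see: drop unreachable segments, then reassemble by seq."""
    stream = bytearray()
    expected = 0
    reachable = [s for s in segments if reaches_host(s, hops_to_target)]
    for seg in sorted(reachable, key=lambda s: s.seq):
        if seg.rst:
            break                       # a RST the host really receives ends the session
        if seg.seq != expected:
            break                       # gap or overlap: do not guess at the stream
        stream += seg.data
        expected += len(seg.data)
    return signature in bytes(stream)


SIGNATURE = b"BAD-PATTERN"   # constructed attack signature
HOPS = 5                     # assumed routers between the sensor and the protected host

# Constructed traces; the signature is split across two segments in each.
INSERTION = [Segment(0, b"BAD-"), Segment(4, b"XXXX", ttl=3), Segment(4, b"PATTERN")]
EVASION = [Segment(0, b"BAD-"), Segment(4, b"", ttl=3, rst=True), Segment(4, b"PATTERN")]
REAL_RST = [Segment(0, b"BAD-"), Segment(4, b"", rst=True), Segment(4, b"PATTERN")]

if __name__ == "__main__":
    for name, trace in (("insertion", INSERTION), ("evasion", EVASION), ("real rst", REAL_RST)):
        print(name, "naive:", naive_match(trace, SIGNATURE),
              "hardened:", hardened_match(trace, SIGNATURE, HOPS))
```

In the insertion trace the short-TTL segment is seen by the sensor but not by the host, so the naive matcher searches a stream the host never assembled; in the evasion trace the short-TTL RST makes the naive sensor forget the session while the host keeps it. The hardened matcher still honours a RST that genuinely reaches the host.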

Attacks

Passive attack - monitor network traffic and then use data obtained or perform a replay attack. Hard to detect
Active attack - attacker is actively trying to break in: exploit system vulnerabilities, spoofing, crypto attacks
Denial of service (DoS) - not so much an attempt to gain access, rather to prevent system operation: Smurf, SYN Flood, Ping of death, mail bombs

Monitoring

IDS
Logs
Audit trails
Network tools: Tivoli, Spectrum, OpenView
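What reviewing an audit trail looks like in practice, as an added example that is not part of the presentation: a reader for authentication log lines that raises one alert for a burst of failed logins by one user from one source inside a time window, and a second when a success follows such a burst (a guessed password rather than a mistyped one). The log format, the sample lines and the thresholds are constructed.

```python
"""Added example (not from the presentation): an audit-trail review that reads
authentication log lines and raises two kinds of alert: a burst of failed logins
for one user from one source inside a time window, and a success that follows
such a burst.  The log format, lines and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

LINE = re.compile(r"^(\S+) \S+ auth: (FAILED|ACCEPTED) login user=(\S+) src=(\S+)$")


def review_auth_log(text: str, threshold: int = 3, window_seconds: int = 60) -> List[Tuple[str, str, str]]:
    """Return (alert_kind, user, source) tuples in the order they were raised."""
    recent_failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    alerts = []
    for line in text.splitlines():
        match = LINE.match(line)
        if not match:
            continue                      # unrelated or malformed line; a real review would count these too
        stamp, result, user, src = match.groups()
        when = datetime.fromisoformat(stamp)
        key = (user, src)
        # keep only the failures that fall inside the sliding window
        window = [t for t in recent_failures[key] if (when - t).total_seconds() <= window_seconds]
        if result == "FAILED":
            window.append(when)
            if len(window) == threshold:
                alerts.append(("failed-login-burst", user, src))
        else:
            if len(window) >= threshold:
                alerts.append(("success-after-burst", user, src))
            window = []                   # a successful login resets the counter
        recent_failures[key] = window
    return alerts


# Constructed sample log: bob fails three times inside a minute and then gets in.
SAMPLE_LOG = """\
2008-07-30T10:00:01 host1 auth: ACCEPTED login user=alice src=10.0.0.21
2008-07-30T10:00:03 host1 auth: FAILED login user=bob src=203.0.113.9
2008-07-30T10:00:05 host1 auth: FAILED login user=bob src=203.0.113.9
2008-07-30T10:00:06 host1 auth: FAILED login user=carol src=10.0.0.44
2008-07-30T10:00:08 host1 auth: FAILED login user=bob src=203.0.113.9
2008-07-30T10:00:11 host1 auth: ACCEPTED login user=bob src=203.0.113.9
2008-07-30T10:03:00 host1 auth: ACCEPTED login user=carol src=10.0.0.44
"""

if __name__ == "__main__":
    for alert in review_auth_log(SAMPLE_LOG):
        print(alert)
```

The same counter is what "Limit unsuccessful logins" on the Password Management slide needs at enforcement time; here it runs after the fact over the audit trail, which is why carol's single failure three minutes before her success raises nothing.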

Data Protection
AUDIT ISSUES

Nature and Extent of Computer-Related Crime

Typology

Input Tampering: entry of fraudulent or false data
Throughput Tampering: altering computer instructions
Output Tampering: theft of information

Most Common Crimes

Input and Output Type
Fraudulent Disbursements
Fabrication of Data

Computer Crime

Computer Crime as a Separate Category

Rules of Property: lack of tangible assets
Rules of Evidence: lack of original documents
Threats to Integrity and Confidentiality: goes beyond the normal definition of a loss
Value of Data: difficult to measure; cases of restitution only for media
Terminology: statutes have not kept pace. Is computer hardware machinery? Does software qualify as supplies?

Computer Crime (continued)

Computer Crime is Hard to Define

Lack of Understanding
Laws are Inadequate: slow to keep pace with rapidly changing technology

Multiple Roles for Computers

Object of a Crime: target of an attack
Subject of a Crime: used to attack (impersonating a network node)
Medium of a Crime: used as a means to commit a crime (Trojan Horse)

Computer Crime (continued)

Difficulties in Prosecution

Understanding: judges, lawyers, police, jurors
Evidence: lack of tangible evidence
Forms of Assets: e.g., magnetic particles, computer time
Juveniles: many perpetrators are juveniles; adults don't take juvenile crime seriously

The Computer Criminal

Personal Motivations

Economic
Egocentric
Ideological
Psychotic

The Computer Criminal (continued)

Environmental Motivations

Work Environment
Reward System
Level of Interpersonal Trust
Ethical Environment
Stress Level
Internal Controls Environment

The Control Environment

Factors that Encourage Crime

Motivation
Personal Inducements

Prevention Measures

Factors that Discourage Crime

Internal Controls Systems
Access Control Systems
Auditing
Supervision

Detection Measures

COMPUTER CRIME INVESTIGATION

Investigation Steps

Detection and Containment

Accidental Discovery
Audit Trail Review
Real-Time Intrusion Monitoring
Limit Further Loss
Reduction in Liability

Report to Management

Immediate Notification
Limit Knowledge of Investigation
Use Out-of-Band Communications

Investigation Steps (continued)


Preliminary Investigation

Determine if a Crime has Occurred
Review Complaint
Inspect Damage
Interview Witnesses
Examine Logs
Identify Investigation Requirements

Investigation Steps (continued)

Disclosure Determination

Determine if Disclosure is Required by Law
Determine if Disclosure is Desired
Caution in Dealing with the Media

Courses of Action

Do Nothing
Surveillance
Eliminate Security Holes
Is Police Report Required?
Is Prosecution a Goal?

Investigation Steps (continued)

Conducting the Investigation

Investigative Responsibility
Internal Investigation
External Private Consultant Investigation
Local/State/Federal Investigation

Factors
Cost
Legal Issues (Privacy, Evidence, Search & Seizure)
Information Dissemination
Investigative Control

Investigative Process

Identify Potential Suspects

Insiders
Outsiders
Collaboration

Identify Potential Witnesses

Who to Interview
Who to Conduct Interview

Industrial Espionage

Camouflaged Questioning of Competitors' Employees
Direct Observation under Secret Conditions
False Job Interviews
False Negotiations
Use of Professional Investigators
Hiring Competitors' Employees
Trespassing
Bribing Suppliers and Employees
Planting Agent on Competitor Payroll
Eavesdropping
Theft of Information
Blackmail and Extortion

QUESTIONS?

Thank You
