Security: Some Highlights of the Highlights Don McGregor Research Associate MOVES Institute...
Security: Some Highlights of the Highlights
Don McGregor
Research Associate
MOVES Institute
mcgredo@nps.edu
Cyber Security
• Security is a big and complex topic. You can’t just say “do these things and you’ll be fine,” though locking down hosts is important
• The surface area of the problem is so large that you need to get meta and think about security and what you want to accomplish before you get into checklists
What Do You Want to Secure?
– Secure data in transit?
– Secure data at rest, on a drive?
– Identities of people involved in an exercise?
– Parameters of an exercise, such as the location?
– Tactics used in a simulation?
– Prevent your software from being subverted?
– Prevent your network from being used as a launch pad for attacks on others?
– Policies and procedures for training personnel?
– Preventing insider attacks?
– Physical security?
– Policies and procedures for what to do in the event of classified data spillage?
– Probably all of them!
• The security domain is full spectrum, all the way from bits and bytes to policy and personnel questions
Frameworks For Thinking
• The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) is an outdated process, no longer used for new accreditations after May 2015, though some sites already certified under DIACAP may still exist
• The National Institute of Standards and Technology (NIST) Risk Management Framework is its replacement. It is very similar, and it is the process used in the rest of the Federal government
NIST
• http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
• How to think about risk mitigation, implement a security plan, and monitor its execution
NIST Process
Some Security Highlights
Who’s Attacking? Ego
• Ego: undersocialized 13-year-olds, the curious, griefers, those looking to prove how smart they are compared to you corporate drones
• Often done for bragging rights, or to simply cause problems
• Hack the Gibson!
Attackers: Money
• Attack systems to get PII/financial data such as credit card info, sell it on the black market, hold systems for ransom, etc.
• http://www.businessinsider.com/we-found-out-how-much-money-hackers-actually-make-2015-7
• Sell compromised systems to botnets
Attackers: Ideology
• Opposed to military, opposed to a state or state policies, looking to do damage to it
• Snowden (Maybe! Could have been a hostile state asset), Assange, Wikileaks, jihadists, etc
Attackers: State Actors
• States using cyberattacks to gain information, attack infrastructure, conduct information operations
• Russia, China, North Korea, others
• OPM hack, Cyber attacks on Estonia and Georgia, Russian forum trolls, etc.
• Not necessarily a strong demarcation between states and criminal hackers
Networks
• Scoping it down to some of the things we talk about in a network class, what are some of the highlights?
– Firewalls
– Certificate of Networthiness
– Secure communications
– STIGs
Firewalls
• A firewall prevents a socket connection that is not explicitly permitted from being established. In the elder days of computing you could establish a network connection to any host on the internet. Modern thinking is that this is a really bad idea
• Firewalls can exist at multiple levels
– Host
– Network/Enterprise
Host Firewalls
Turn on ports only for the absolutely necessary programs
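One way to check that rule on a Linux host, as an added example that is not part of the original slides: audit the sockets a host is listening on against the short list of programs that are absolutely required. The allowlist, the sample `ss` snapshot and the severity scheme are all constructed assumptions for the illustration.

```python
import re

# Constructed example, not from the slides: audit a host's listening TCP
# sockets against the short list of programs that are absolutely required.
# The input is a constructed snapshot in the format `ss -Hltnp` prints on
# Linux; on a real host, feed the command's output to audit() instead.

ALLOWED = {22: "sshd", 443: "httpd"}     # port -> required program (assumed policy)

SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:443    0.0.0.0:* users:(("httpd",pid=1201,fd=4))
LISTEN 0 50  127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1330,fd=10))
LISTEN 0 128 0.0.0.0:5900   0.0.0.0:* users:(("Xvnc",pid=2044,fd=7))
"""

# State, Recv-Q, Send-Q, local addr:port, peer addr:port, then the owning process.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(ss_output):
    """Yield (bind_address, port, program) for every LISTEN line."""
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3)


def audit(ss_output, allowed=ALLOWED):
    """Return (severity, port, program, reason) for each listener the allowlist
    does not justify. Loopback-only listeners are rated LOW: not reachable from
    the network, but still attack surface once any local account is compromised."""
    findings = []
    for addr, port, prog in parse_listeners(ss_output):
        if allowed.get(port) == prog:
            continue                                  # expected program on expected port
        if port in allowed:
            findings.append(("HIGH", port, prog, f"expected {allowed[port]}"))
        elif addr.startswith("127.") or addr == "[::1]":
            findings.append(("LOW", port, prog, "loopback only"))
        else:
            findings.append(("HIGH", port, prog, "not on allowlist"))
    return findings


if __name__ == "__main__":
    for severity, port, prog, reason in audit(SAMPLE_SS_OUTPUT):
        print(f"{severity}: port {port} ({prog}) - {reason}")
```

Anything the audit reports is either a program to remove, a port to close in the host firewall, or an entry to add to the allowlist after someone has justified it.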
Enterprise Firewall Architectures
Enterprise Firewall Architectures
• Very limited set of hosts that are absolutely required to be deployed in the DMZ
– Mail servers, web servers—things the public must be able to contact
– Watch them closely, keep them patched
– Anything exposed to the internet will be attacked
• The internal network—laptops, user desktops, internal servers—is not directly exposed to the internet
Firewalls
• Are you safe if you use a firewall? What are typical malware vectors?
– Downloaded to client from web site while browsing
– User clicks on hostile email link
– User brings infected computer from home
– WiFi connection from host physically off campus
• Firewalls help prevent one class of attacks, but are not a cure-all. Expect your network to be attacked from inside as well
Networthiness
• Often to deploy an application on a DoD network you need a “certificate of networthiness”. The requirements vary by service and network
– http://www.atsc.army.mil/tadlp/implementation/config/networthiness.asp
– http://www.disa.mil/network-services/ucco
– NMCI application certification for a new program seems to run in the high six figures, probably done with contractor assistance
Secure Comms
• The Big Four of crypto
– Authentication
– Confidentiality
– Integrity
– Non-repudiation
• State actors have been doing this for centuries. In the last few decades civilians have been paying more attention to it
Authentication
• Establish the identity of a user, i.e. that they are who they say they are
• Variety of techniques:
– Something you know: a password
– Something you have: a token, such as a CAC card
– Something you are: a biometric, such as a fingerprint, iris scan, or signature
• Two-factor authentication requires two of these, i.e. a CAC card (something you have) and a PIN (something you know)
Integrity
• The message has not been changed since it was created
• This is typically done via hashes; note that a bare hash only catches accidental change, since an attacker who can alter the message can recompute the hash, so the hash itself must be protected, e.g. by a key or a signature
Integrity: Hashes
Integrity: Hashes
• A hash converts a message of arbitrary length into a fixed-length “fingerprint”
• The slightest change to the message will result in a different hash result
• You also have to be alert for replay attacks
– User sends authentic message to a bank transferring $100 to someone else; the message is recorded by an attacker and sent 50 times
Confidentiality
• The data is encrypted in such a way that those without a key can’t read it. This is what people normally think of as encryption
– Symmetric encryption uses the same key for both encryption and decryption
– Asymmetric or public key crypto uses one key for encrypting and another, mathematically linked key for decryption
Confidentiality: Symmetric
Confidentiality: Asymmetric
Non-Repudiation
• The user can’t deny that a message came from them. Often done via signatures, digital or otherwise
– User creates message
– A hash creates a short, fixed-length “fingerprint” of the message
– The user encrypts it with a private key, and the encrypted hash is attached to the original message
– The recipient receives the message, performs the hash on the message himself, decrypts the sender’s hash with the public key, and compares the two
– If they match, the message was created by the sender, since only they have the private key
– May have to add a nonce (a random number) to the message to prevent replay attacks
• This is really a combination of Integrity + Authentication
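The hash-and-sign procedure above, together with the replayed $100 bank transfer from the hashes slide, worked through as an added example that is not part of the original slides. It is textbook RSA on a SHA-256 hash with a per-message nonce; the key is built from two well-known Mersenne primes so the run is deterministic, which is a constructed toy choice with no real security, and the transfer message is a constructed sample.

```python
import hashlib
import secrets

# Constructed example, not from the slides: textbook RSA "encrypt the hash with
# the private key", plus a per-message nonce so a recorded message cannot be
# replayed. Toy parameters: the modulus is built from two well-known Mersenne
# primes so the run is deterministic; raw RSA over a bare hash gives no real
# security. Production code uses a vetted library and a padded scheme (RSA-PSS).

P, Q = 2**127 - 1, 2**89 - 1                  # known primes (Mersenne M127, M89)
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))             # private exponent (Python 3.8+)
PUBLIC_KEY, PRIVATE_KEY = (E, N), (D, N)

def fingerprint(nonce: bytes, message: bytes) -> int:
    """Fixed-length SHA-256 'fingerprint' of nonce||message as an integer,
    reduced mod N only because this toy modulus is shorter than the hash."""
    return int.from_bytes(hashlib.sha256(nonce + message).digest(), "big") % N

def sign(private_key, message: bytes):
    """Sender: fresh nonce, hash, 'encrypt' the hash with the private key."""
    d, n = private_key
    nonce = secrets.token_bytes(16)
    return nonce, pow(fingerprint(nonce, message), d, n)

def verify(public_key, message: bytes, nonce: bytes, signature: int, seen: set) -> bool:
    """Recipient: reject a nonce already accepted (replay), re-hash the message,
    'decrypt' the signature with the public key and compare the two."""
    e, n = public_key
    if nonce in seen:
        return False                          # the 50th copy of the $100 transfer
    if pow(signature, e, n) != fingerprint(nonce, message):
        return False                          # altered message or wrong key
    seen.add(nonce)
    return True

def demo():
    """Slide scenario; returns (tampered_accepted, genuine_accepted, replay_accepted)."""
    transfer = b"transfer $100 from alice to bob"        # constructed message
    bank_seen = set()                                     # nonces the bank has honoured
    nonce, sig = sign(PRIVATE_KEY, transfer)
    tampered = verify(PUBLIC_KEY, b"transfer $900 from alice to bob", nonce, sig, bank_seen)
    genuine = verify(PUBLIC_KEY, transfer, nonce, sig, bank_seen)
    replayed = verify(PUBLIC_KEY, transfer, nonce, sig, bank_seen)
    return tampered, genuine, replayed

if __name__ == "__main__":
    print(demo())                                         # (False, True, False)
```

The recipient must keep the set of accepted nonces (or use a counter or timestamp window) for the replay check to mean anything; the signature alone cannot tell the first copy from the fiftieth.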
Communications Security
• Much more on secure comms later
• This has been discussing civilian crypto; DOD crypto is controlled by the NSA, and they have their own ideas and implementations
STIGs
• Security Technical Implementation Guide
• http://iase.disa.mil/stigs/Pages/index.aspx
• Instructions for how to lock down a host, switch, or router, by brand and OS release
STIG
• CentOS 6/RHEL 6 STIG includes:
STIGs
• Similar instructions for Windows, different flavors of Unix, your favorite routers, etc
• It’s a labor-intensive process
– Do it once and get a golden master image, which you replicate to all hosts
– There are automated configuration tools, such as Puppet, Chef, Ansible, and Salt, that both automate the process of applying a configuration and ensure it remains in compliance
Overall
• It’s a big process and it will probably involve contractors