The Security State of Mind


Table of contents

The Security State of Mind

Chet’s Disclaimer

Presentation Premise

What is the Security State of Mind (SSM)?

What the SSM tells us!

‘State of the Union’ address for the networked open system environment

“The security field is neither stable nor globally understood, and with the inclusion of the Internet has led to a condition where … greater than 75% of these networks are highly vulnerable” -- July 1999, ISS Inc.

A recent report was prepared by WarRoom Research, LLC in support of the Senate's Permanent Subcommittee on Investigations; the participants included, among others, the FBI, Ernst & Young LLP/InformationWeek, the Computer Security Institute, the GAO, and the U.S. Military Services.

The following conclusions were put forward in the WarRoom report ...

“The human threats are growing in numbers and sophistication.”

“61% of those organizations responding to the WarRoom Survey had experienced an internal attack within the past 12 months.”

“58% of those organizations responding to the survey had experienced an external attack within the past 12 months.”

“The vulnerability conditions associated with our networks are well known and understood.”

“Vulnerability is worsened by the availability of free hacker tools on the Internet.”

“Over 45% of the reported attacks were associated with advanced technical hacking techniques; for example sniffers, theft of password files, vulnerability probing/scanning, Trojan logon, etc.”

“Incident rates are increasingly alarming”

“The impact associated with attacks continues to move up and off the chart.”

“Over 45% of the internal attacks resulted in losses over $200,000.”

“Over 15% of the internal attacks resulted in losses over $1,000,000.”

“Over 50% of the external attacks result in losses over $200,000.”

“Over 17% of the external attacks resulted in losses over $1,000,000.”

In broad terms, what should be done by those with the SSM, and why traditional security measures are not enough!

Making A Good Start!

Direct Risk Mitigation

Risk Analysis + Policy + Direct Technical Countermeasures = Traditional Security Safeguards

This is 40-60% of the overall solution when implemented properly

Items not addressed by the Traditional Approach

A Solid Security Program

Adaptive Security Model

Traditional Security Safeguards + Threat/Vulnerability Monitoring + Threat/Vulnerability Detection + Threat/Vulnerability Response = Adaptive Security

Ensure all applicable vulnerabilities are secured across the entire network

Ensure all systems are configured in a secure manner consistent with organizational policy

Ensure all potentially hostile threats are detected, monitored, and responded to in a timely appropriate manner.

Provide real-time, on-the-fly, technical reconfiguration of threat access routes.

Provide timely security alerts and tasking to those responsible for addressing network threats and vulnerabilities.

Provide accurate network security audit and trends analysis data in support of security program planning and assessment efforts.

Two examples of a dramatic change in knowledge, based on real-world experience.

The EFF’s Project “Deep Crack”

“On August 22 1999, a team of scientists from six different countries, led by Herman te Riele of CWI (Amsterdam), found the prime factors of a 512-bit number, whose size models 5% of the keys used for protection of electronic commerce on the Internet. This result shows, much earlier than expected at the start of E-commerce, that the popular key-size of 512 bits is no longer safe against even a moderately powerful attacker. The amount of money protected by 512-bit keys is immense. Many billions of dollars per day are flowing through financial institutions such as banks and stock exchanges.”

“The factored key is a model of a so-called "public key" in the well-known RSA cryptographic system which was designed in the mid-seventies by Rivest, Shamir and Adleman at the Massachusetts Institute of Technology in Cambridge, USA. At present, this system is used extensively in hardware and software to protect electronic data traffic such as in the international version of the SSL (Security Sockets Layer) Handshake Protocol”

“Apart from its practical implications, the factorization is a scientific breakthrough: 25 years ago, 512-bit numbers (about 155 decimals) were thought virtually impossible to factor. Estimates based on the then-fastest known algorithms and computers predicted a CPU time of more than 50 billion (50 000 000 000) years. The factored number, indicated by RSA-155, was taken from the "RSA Challenge List", which is used as a yardstick for the security of the RSA cryptosystem.”

“In order to find the prime factors of RSA-155, about 300 fast SGI and SUN workstations and Pentium PCs have spent about 35 years of computing time. The computers were running in parallel -- mostly overnight and at weekends -- and the whole task was finished in about seven calendar-months.”

“The following organizations have made their workstation and PC computing power available to this project: Centre Charles Hermite (Nancy, France), Citibank (Parsippany, NJ, USA), CWI (Amsterdam), Ecole Polytechnique/CNRS (Palaiseau, France), Entrust Technologies (Ottawa, Canada), Lehigh University (Bethlehem, Pa, USA), the Medicis Center at Ecole Polytechnique (Palaiseau, France), Microsoft Research (Cambridge, UK), Sun Microsystems Professional Services (Camberley, UK), The Australian National University (Canberra, Australia), University of Sydney (Australia).”

“In addition, an essential step of the project which requires 2 Gbytes of internal memory has been carried out on the Cray C916 supercomputer at SARA (Academic Computing Centre Amsterdam). Given the current big distributed computing projects on Internet with hundreds of thousands of participants, e.g., to break RSA's DES Challenge or trace extra-terrestrial messages, it is possible to reduce the time to factor a 512-bit number from seven months to one week. For comparison, the amount of computing time needed to factor RSA-155 was less than 2% of the time needed to break RSA's DES challenge.”

The number and the found factors are:

RSA-155 = 10941738641570527421809707322040357612003732945449205990913842131476349984288934784717997257891267332497625752899781833797076537244027146743531593354333897

= 102639592829741105772054196573991675900716567808038066803341933521790711307779 * 106603488380168454820927220360012878679207958575989291522270608237193062808643
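What the factorization means in practice, as an added example that is not part of the original slides or the CWI announcement: once p and q are known, anyone can derive the private exponent exactly as the key owner did at key generation, and every session key ever wrapped with that public key is recoverable. The modulus and factors are the RSA-155 values quoted above; the public-exponent candidates, the sample "session key" and the 2048-bit policy floor are assumptions made for the illustration.

```python
# Added example, not from the original slides: what factoring a 512-bit RSA
# modulus buys an attacker. RSA_155, P and Q are the values quoted above; the
# exponent candidates, the session key and the 2048-bit floor are assumptions.
from math import gcd

RSA_155 = 10941738641570527421809707322040357612003732945449205990913842131476349984288934784717997257891267332497625752899781833797076537244027146743531593354333897
P = 102639592829741105772054196573991675900716567808038066803341933521790711307779
Q = 106603488380168454820927220360012878679207958575989291522270608237193062808643


def choose_public_exponent(phi, candidates=(65537, 257, 17, 5, 3)):
    """Pick a conventional public exponent that is invertible modulo phi."""
    for e in candidates:
        if gcd(e, phi) == 1:
            return e
    raise ValueError("no candidate exponent is coprime to phi")


def recover_private_key(n, p, q):
    """Given the factors of n, derive (e, d) exactly as key generation does.

    Once p and q are public, anyone can run this: the private key is gone.
    """
    if p * q != n:
        raise ValueError("p*q does not equal n; wrong factors")
    phi = (p - 1) * (q - 1)
    e = choose_public_exponent(phi)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return e, d


def rsa_encrypt(m, n, e):
    return pow(m, e, n)


def rsa_decrypt(c, n, d):
    return pow(c, d, n)


def key_is_acceptable(n, minimum_bits=2048):
    """Policy check an SSM practitioner would enforce: refuse short moduli."""
    return n.bit_length() >= minimum_bits


def demo():
    e, d = recover_private_key(RSA_155, P, Q)
    # Constructed stand-in for a symmetric session key a client wrapped
    # with this public key during an SSL handshake.
    session_key = int.from_bytes(b"0123456789abcdef", "big")
    ciphertext = rsa_encrypt(session_key, RSA_155, e)
    recovered = rsa_decrypt(ciphertext, RSA_155, d)
    return {
        "bits": RSA_155.bit_length(),
        "public_exponent": e,
        "recovered_matches": recovered == session_key,
        "acceptable_today": key_is_acceptable(RSA_155),
    }


if __name__ == "__main__":
    print(demo())
```

The whole private-key recovery is a handful of big-integer operations; the seven calendar months went entirely into the factoring step. That is why the only defence is key length (and, today, the 2048-bit floor the policy check enforces), not anything in the protocol around the key.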

A broad-stroke view of topics that are typically of interest to Network Security Administrators. Note that even this vast scope of topics is not all-inclusive (taken from a typical IT security schedule).

Overview of Network Security

Network Services

Attack Methods

Logging, Auditing, and Detection

WWW Security

An Overview of Firewalls

Packet Filters

Proxy Servers

Firewall Architecture

Firewall Architecture (2)

Secure Communications and Authentication

SSM Standard Operating Procedures

The Essence

The Attitude

Some Basic Tasks

For the love of Pete -- Turn on accounting, and make it as granular as possible.

Just because you are paranoid does not mean they aren’t out to get you.

ROI is not always a good indicator of success in the security arena, and neither is TCO. Sometimes it costs what it costs.

To Darn Bad (TBD)

Log, Log, Log, Log, Log, Log and Log some more

You have to decide at the beginning whether you have the intestinal fortitude, the endurance and the money to do what needs to be done to prosecute the intruders.

An unbroken chain of evidence is essential in order to prosecute. This means time stamped logs and other auditing and accounting measures.
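One concrete way to make the "unbroken chain" literal, as an added example that is not from the original slides: an append-only audit log in which every record carries a UTC timestamp and the SHA-256 hash of the record before it. Altering or deleting any earlier entry breaks every later link, so a verifier can say exactly where the record was touched. The record layout and the three sample events are constructed for this illustration.

```python
# Added example, not from the original slides: a time-stamped, hash-chained
# audit log. Record format and the sample events are constructed.
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # hash "before" the first record


def _digest(prev_hash, timestamp, event):
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps(
        {"prev": prev_hash, "ts": timestamp, "event": event},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode()).hexdigest()


def append_record(chain, event, timestamp=None):
    """Append one record; timestamps are UTC ISO-8601 so they order across hosts."""
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).isoformat()
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {"prev": prev_hash, "ts": timestamp, "event": event}
    record["hash"] = _digest(prev_hash, timestamp, event)
    chain.append(record)
    return record


def verify_chain(chain):
    """Return (ok, index_of_first_bad_record) with index None when intact."""
    prev_hash = GENESIS
    last_ts = ""
    for i, rec in enumerate(chain):
        if rec["prev"] != prev_hash:            # link to predecessor broken
            return False, i
        if rec["hash"] != _digest(rec["prev"], rec["ts"], rec["event"]):
            return False, i                     # record body altered
        if rec["ts"] < last_ts:                 # clock went backwards
            return False, i
        prev_hash, last_ts = rec["hash"], rec["ts"]
    return True, None


def build_sample_chain():
    chain = []
    # Constructed events in the order they were recorded.
    append_record(chain, "login user=alice src=10.0.0.5", "1999-09-01T02:14:07+00:00")
    append_record(chain, "su user=alice target=root", "1999-09-01T02:15:40+00:00")
    append_record(chain, "file_read /etc/shadow by=root", "1999-09-01T02:16:02+00:00")
    return chain


def alteration_demo():
    """An intruder rewrites the escalation event to look harmless."""
    chain = build_sample_chain()
    intact, _ = verify_chain(chain)
    chain[1]["event"] = "su user=alice target=alice"
    still_ok, bad_index = verify_chain(chain)
    return intact, still_ok, bad_index


def deletion_demo():
    """An intruder deletes the escalation event outright."""
    chain = build_sample_chain()
    del chain[1]
    return verify_chain(chain)


if __name__ == "__main__":
    print("alteration:", alteration_demo())
    print("deletion:", deletion_demo())
```

The chain only proves integrity relative to the last hash you trust, so ship that head hash (or the whole log) to a separate, write-once collector on a schedule; an intruder with root on the logging host can otherwise rebuild the chain from the point of compromise onward.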

Public Key Cryptography

IKE - Internet Key Exchange

PKI - Public Key Infrastructure

End-user Hardware

End-User Software

Switching to the Desktop (switched Ethernet rather than shared hubs, so one host cannot sniff another's traffic)

Realize that there is no such thing as a secure system -- get over it and move on!

Top-Level Buy-in

Employ Intrusion Detection Technologies

Encourage the open source peer-review model of development and implementation

Everyday there will be new threats

Check out your People

Employ a Password Escrow System

Something you know. Something you have. Something you are.

Always look at the worst case scenario

Disaster Recovery

MANTRAP

Standards organizations to be concerned with in this area include ISO, ANSI, IEEE, IETF, and W3C. Of special note is the Security Area of the IETF and its various working groups.

Always use conduit!

If you can afford it use fiber

The watcher of the watcher of the watcher of the watcher

Always practice security in Depth!

Host-based security is not enough

Network based security is not enough

Firewalls are not enough

Physical security measures are not enough!

Fundamental Problem

Avoid Services which pass login and password information in plain text
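Why this is the fundamental problem, as an added example that is not from the original slides: a passive sniffer on a shared segment does not need to break anything, it just reads the USER and PASS commands as they go by. The code below pairs those commands per destination port the way a sniffer would for FTP (port 21) and POP3 (port 110). The "captured" payloads are constructed for the illustration, not real traffic; the SSH line is included only to show that an encrypted service yields nothing past its banner.

```python
# Added example, not from the original slides: what a passive sniffer harvests
# from services that send credentials in the clear. All payloads below are
# constructed; FTP and POP3 both use the USER/PASS command form shown.
import re

# Constructed TCP payloads as (destination_port, bytes), in capture order.
CAPTURED = [
    (21, b"USER alice\r\n"),
    (21, b"PASS Summer99!\r\n"),
    (110, b"USER bob@example.test\r\n"),
    (110, b"PASS hunter2\r\n"),
    (22, b"SSH-2.0-OpenSSH_2.1\r\n"),  # encrypted after the banner: nothing to harvest
    (21, b"PASS orphan\r\n"),          # PASS with no preceding USER on this port
]

CLEARTEXT_LOGIN_PORTS = {21: "ftp", 110: "pop3"}
USER_PASS_RE = re.compile(rb"^(USER|PASS)\s+(\S+)\r?\n", re.IGNORECASE)


def harvest_credentials(packets):
    """Pair USER/PASS commands per destination port, as a sniffer would."""
    pending = {}   # port -> username awaiting its PASS
    found = []
    for port, payload in packets:
        if port not in CLEARTEXT_LOGIN_PORTS:
            continue
        m = USER_PASS_RE.match(payload)
        if not m:
            continue
        cmd = m.group(1).upper()
        value = m.group(2).decode("ascii", errors="replace")
        if cmd == b"USER":
            pending[port] = value
        elif cmd == b"PASS" and port in pending:
            found.append({
                "service": CLEARTEXT_LOGIN_PORTS[port],
                "user": pending.pop(port),
                "password": value,
            })
    return found


if __name__ == "__main__":
    for cred in harvest_credentials(CAPTURED):
        print(cred)
```

The same logic is what an intrusion detection sensor can run in reverse: alert whenever a USER/PASS pair crosses a segment where cleartext logins are prohibited by policy, which is a cheap way to find the telnet, FTP and POP3 services nobody remembered to turn off.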

Official Motto of the Practitioners of SSM


