DMC ITSY 2430 - Security Fundamentals

This preview shows page 1-2-3-23-24-25-26-47-48-49 out of 49 pages.



Security Fundamentals
Robin Anderson
UMBC, Office of Information Technology
25-SEPT-2001

Slide outline:
Security Fundamentals
A Little About Me…
Topics Outline
What Happened to Amazon®?
What Happened to Yahoo®?
If They’re Vulnerable…
The Fundamental Theorem
What Are You Protecting?
Your Information
Your Availability
Your Reputation
A Simple Network…
… Attacked!
What Are These Threats?
What Are These Threats? (2)
What Are These Threats? (3)
What Are Threat Vectors?
Threat Vectors - Internal
Threat Vectors - External
What Are Threat Categories?
Threat Categories
Threat Consequences
The 3 Goals of Security
Threats to Availability
Threats to Integrity
Threats to Authorization
Countering These Threats…
Defining Security
Notes:
Questions You Need to Ask
Slide 31
Slide 32
Slide 33
Slide 34
Slide 35
Slide 36
Slide 37
Slide 38
Recommendations You Really Want to Make
Slide 40
So, What Is a Security Officer?
What Does It All Mean?
Acknowledgements
Resources Online
Resources Online (2)
Resources Online (3)
Resources Online (4)
Resources Online (5)
Resources Online (6)

Slide 1: Security Fundamentals
Robin Anderson
UMBC, Office of Information Technology

Slide 2: A Little About Me…
• Unix SysAdmin, Specialist with the Office of Information Technology at UMBC
• Taught Unix Administration and SANS Level One Security courses at UMBC
• Certified by the SANS Institute GIAC program in UNIX Security and Incident Handling

Slide 3: Topics Outline
• Post-Mortems in the News…
• Identifying Threats
• Countering Threats
• The (Vulnerable) Network
• Questions You Need to Ask
• Recommendations You Want to Make
• Resources Online

Slide 4: What Happened to Amazon®?
• Website defacing: Hackers broke in & put up phony web pages
  (And now, newer worms/viruses are doing the same!)
  – September 2000: OPEC 1
  – February 2000: Amazon®, eBay® 2
  – November 1999: NASA/Goddard 3
  – October 31, 1999: Associated Press® 4
  – August 1999: ABC® 5
  – June 1999: U.S. Army

Slide 5: What Happened to Yahoo®?
• Denial of Service (DoS)
  – February 2000: Yahoo and CNN 1
• Multiple Hits
  – September 2000: Slashdot defaced
  – May 2000: Slashdot suffered DoS
• The irony is that slashdot.org is a popular "news for nerds" website

Slide 6: If They’re Vulnerable…
…then you are, too.

Slide 7: The Fundamental Theorem
• You have computers because they perform some function that furthers your organization’s goals
• If you lose the use of those computers, their function is compromised
• So - anything that interferes with your organization’s effort to achieve its goals is a security concern

Slide 8: What Are You Protecting?
• Information
• Availability of the Systems
• Reputation & Goodwill

Slide 9: Your Information
• Crown Jewels
  – Trade secrets, patent ideas, research
• Financial information
• Personnel records
• Organizational structure

Slide 10: Your Availability
• Internal use
  – When employees can’t use the network, servers, or other necessary systems, they can’t work
• Website / online transactions
  – Often when systems are unavailable, the organization is losing money

Slide 11: Your Reputation
• Public trust
  – If your organization is hacked, how reliable will people think you are in other areas?
  – Who wants to do business with companies that leak credit card information?
• Being a good neighbor
  – Your organization may be hacked so it can be used as a springboard to attack others

Slide 12: A Simple Network…
[Network diagram; labels: Internet, Router, Firewall, Router]

Slide 13: … Attacked!
[Same network diagram, with threats marked 1 through 10]

Slide 14: What Are These Threats?
1. DoS coming from the Internet
2. Severed Physical link
3. Masquerader / Spoofer
   – They look like they’re already inside
4. Password sniffer

Slide 15: What Are These Threats? (2)
5. Alan brought a floppy from home that has a virus on it
6. Beatrice is about to be fired – and she’s going to be angry about it
7. Carter is careless with his passwords – he writes them down and loses the paper

Slide 16: What Are These Threats? (3)
8. David has unprotected shares on his NT box
9. Evan installed a modem on his PC (PCAnywhere)
10. Severed Power / HVAC

Slide 17: What Are Threat Vectors?
Vectors are the pathways by which threats enter your network

Slide 18: Threat Vectors - Internal
• Careless employees
  – “Floyd the clumsy janitor”
  – “Contraband” hardware / software
  – “Oops, did I just type that?”
• Random twits (somewhere between careless & malicious)
• Malicious employees
  – Current or former employees with axes to grind
• Anyone who can get physical access

Slide 19: Threat Vectors - External
• Competitors / spies / saboteurs
• Casual & incidental hackers
  – Some hackers don’t want your systems except to use them to get at their real target
• Malicious hackers
• Accidental tourists
• Natural disasters
  – Be ready to face down the hurricane

Slide 20: What Are Threat Categories?
Categories are the different kinds of threat you may encounter

Slide 21: Threat Categories
• Opportunistic
  – Basic “ankle biters” and “script kiddies”
  – More advanced hackers, hacker groups out trolling
• Targeted
  – These attackers know what they want; anything from data to disruption to springboards
• “Omnipotent”
  – Government-sponsored professional hackers

Slide 22: Threat Consequences
• Bad press
  – Breach of confidentiality
    • Medical data
    • Credit card information
  – Attack platform (you’ve been subverted!)
• Loss of income
  – How much does it cost you in sales to have your databases, website, etc., down for any given length of time?
  – Loss of trade secrets (crown jewels)

Slide 23: The 3 Goals of Security
• Ensure Availability
• Ensure Integrity
• Ensure Authorization & Authentication

Slide 24: Threats to Availability
• Denial of Service (DoS)
  – Connection flooding
• Destroying data
  – Hardware failure
  – Manual deletion
  – Software agents: virus, trojans

Slide 25: Threats to Integrity
• Hardware failure
• Software corruption
  – Buggy software
  – Improperly terminated programs
• Attacker altering data

Slide 26: Threats to Authorization
• Attacker stealing data
• Lost / Stolen passwords
• Information Reconnaissance
    • Organization information

Slide 27: Countering These Threats…
…is what security is all about.

Slide 28: Defining Security
• Security is a process
  – Training is ongoing
    • Threats change, admins need to keep up
    • Security is inconvenient, all staff needs training
• Security is also about policies
• There is no silver bullet to fix it all
  – For example, a firewall won’t save you
    • Remember the Maginot Line

