640 likes | 701 Views
Defense-in-Depth. Securing Your System Using a Layered Security Approach. By Richard Hammer LANL LA-UR-08-2558. Overview. Relative Risks Threat Vectors What attackers need us to do Things Everyone Can do Client protections Summary. Goal!. Secure your system so you:
E N D
Defense-in-Depth Securing Your System Using a Layered Security Approach By Richard Hammer LANL LA-UR-08-2558
Overview • Relative Risks • Threat Vectors • What attackers need us to do • Things Everyone Can do • Client protections Summary
Goal! • Secure your system so you: • Do not lose your identity if system is stolen • Feel comfortable storing and processing personal, financial, business, and sensitive information • Feel comfortable making online transactions
What attackers need from us! • Need us to execute a program • Need us to NOT securely configure our programs • Need us to NOT pay attention • Need us to NOT patch • Need us to be careless, gullible or curious • Need us to NOT understand the technology • “It’s that easy because we allow it to be that easy” Frank Abagnale
Things we all can learn to DO! • Compute as an Unprivileged User if possible • Understand E-mail • Understand Web Browsing • Encrypt our Data • Know what is connecting in/out • Actually do it!
Hackers do not like unprivileged users • They cannot change system settings • They cannot install programs that change system settings • They cannot undo security settings • Reboot will normally put system back into secure state again.
Which is more secure? • Storing your credit card in your wallet Or • Storing your credit card number on your computer
Protecting data at rest (Powered Off) • Physical Security • Encryption • Nothing else will work • Remove the disk • Reset password • Boot off cracker media • T up a Macintosh
Harddrive/File Encryption • Truecrypt, Guardian Edge, WinMagic, PGP, Pointsec, Cypherix, Calibex, TrueCrypt, Many more! • Hardware • Fortezza • Harddrives • Windows EFS/BitLocker • Apple FileVault • Bcrypt • Entrust ICE • Entrust & PGP
System Up and You Are Logged In(Includes Sleep Mode) • No longer protecting Data • Full disk encryption • Hardware encryption • Windows EFS/BitLocker or FileVault • Protecting data until password entered • Encrypted Disk Image (MacOSX) • Entrust, PGP, TrueCrypt, Bcrypt • Other 3rd party encryption products
Goals of Cryptosystems! Ensure: • Confidentiality • Integrity • Authentication • Non-Repudiation
Cryptosystems Problems? • You might lock yourself out forever! • Key Management • Key Distribution • Password/Passphrase Protection • Can’t encrypt/decrypt offline? • Speed? • Export? (GOV export authorized)
What will Defeat Encryption • Not protecting the password • Sleep mode and fast switching • Freeze spray, shutdown/leave • Malware • Keyboard Loggers • E-mail Infections • Not paying attention to warning messages • Backups
Understanding e-mail • Clear text e-mail is completely unreliable. • How do you recognize bogus e-mail? • What is URL redirection? • How do you protect yourself? • Outlook?
Why you should not Trust Clear Text e-mail • Do not know who sent it • Do not know who sees it • Do not know where it went • Do not know who read it • Do not know if content changed • Still on server, backups? • Sys Admins have full access
Encrypting e-mail? • Only Intended Recipients can read messages or open files • Data has not been modified • Data is from the expected source • Not seen on the wire • Not just SSL/TLS to server • PGP/SMIME/Entrust
Phishing right here in LA! • Guy Lisella “Anytime they ask for personal information, it’s a scam.” • Legitimate businesses will NEVER ASK for personal information to be transmitted over clear text e-mail! • If unsure, call them.
How do you recognize bogus e-mail? • Do you know the sender? • Is the offer “too good to be true?” • Embedded links that point to an address that doesn’t appear right. • Your email address is not listed on the “TO” or “CC”. • The “FROM” & “Return-Path” don’t match. • Unexpected attachments.
Understanding URLs/Redirection • http://computername.domainname/directoryname/indexfile.html Where you thought you were going: http://www.dncu.com/login.aspx?update http://63.214.247.170/login.aspx?update Where you are redirected: http://www.dncu.org.hi-position.com/register/login.html Computer name – www Domainname – dncu.org.hi-position.com IP Address – No longer registered, but was 202.168.210.1XX Directory – register Index file – login.html
Look at the e-mail header • Eudora – Blah, Blah, Blah • Outlook – View Options or Right Click Options • Webmail – Click on Full Headers • Thunderbird – Menu Bar, VIEW/HEADER, ALL
E-mail client configuration • Do NOT auto execute anything • Do NOT automatically download HTML graphics • Do NOT display graphics in message • Do NOT allow executable html content • Do NOT display emotions as a graphic • Do NOT use Microsoft viewer.
Before and After (Mac Mail) <Display Remote Images in HTML Message>
What’s Wrong? Unknown sender, not addressed to me, has an attachment I did not expect.
Virus protection caught it three weeks later, don’t be the first to open it!
Which is more secure? • Paying for a dinner with a credit card Or • Online purchase
Web Browser Security • Understand how it works • SSL/TSL • Privacy Settings • Security Settings • “Warn me” is always a good option when not sure • Scripts • Understand Threats • Internet Explorer?
Web Access (SSL/TLS) • SSL Developed by Netscape (1994) • Certificate Exchange • System to System • Certificate Authority • Should only use SSL 3.0 or TLS 1.0 • Is it secure? • Redirection • Man-in-Middle Attack
Keeping Track of State • SessionID https://ucfy.ucop.edu/ucfy/BaseServlet;jsessionid=0000q9ZvjIPe7xWTjxeftFjTqBy:-1 • Cookie • Persistent • Non- Persistent • Hidden Form Element
Clearing Privacy Settings (Firefox) <Tools><Options>
Security Settings (Firefox) <Tools><Options>
Firefox - noscript <Tools><Options>
Secure Web Transactions • Open New Browser • Ensure SSLv3/TLS • You initiate connection • Only go to sites associated with transaction • Use noscript and only allow needed scripts • Pay attention to error messages • Logout when done • Close browser and clear settings
Personal Application layer firewalls • ZoneAlarm • Little Snitch/Apple Firewall combo • In/Out protection • Can distinguish between different programs connecting out on same port • Will teach you which applications really connect out from your system