
4.4 METHODS OF DEFENSE

Computer crime is certain to continue. The goal of computer security is to institute controls that preserve secrecy, integrity, and availability. Sometimes these controls are able to prevent attacks; other, less powerful methods can only detect a breach as or after it occurs.

In this section we will survey the controls that attempt to prevent exploitation of the vulnerabilities of computing systems.

1. Encryption

The most powerful tool in providing computer security is coding. By transforming data so that it is unintelligible to the outside observer, the value of an interception and the possibility of a modification or a fabrication are almost nullified.

Encryption provides secrecy for data. Additionally, encryption can be used to achieve integrity, since data that cannot be read generally also cannot be changed. Furthermore, encryption is important in protocols, which are agreed-upon sequences of actions to accomplish some tasks. Some protocols ensure availability of resources. Thus, encryption is at the heart of methods for ensuring all three goals of computer security.

Encryption is an important tool in computer security, but one should not overrate its importance. Users must understand that encryption does not solve all computer security problems. Furthermore, if encryption is not used properly, it can have no effect on security or can, in fact, degrade the performance of the entire system. Thus, it is important to know the situations in which encryption is useful and to use it effectively.

2. Software Controls

Programs themselves are the second link in computer security. Programs must be secure enough to exclude outside attack. They must also be developed and maintained so that one can be confident of the dependability of the programs.

Program controls include the following kinds of things:

· Development controls, which are standards under which a program is designed, coded, tested, and maintained.

· Operating system controls, which are limitations enforced by the operating system to protect each user from all other users.

· Internal program controls that enforce security restrictions, such as access limitations in a database management program.

Software controls may use tools such as hardware components, encryption, or information gathering. Software controls generally affect users directly, and so they are often the first aspects of computer security that come to mind. Because they influence the way users interact with a computing system, software controls must be carefully designed. Ease of use and potency are often competing goals in the design of software controls.

3. Hardware Controls

Numerous hardware devices have been invented to assist in computer security. These devices range from hardware implementations of encryption, to locks that limit physical access, to theft protection, to devices that verify users' identities.

(1) Policies.

Some controls on computing systems are achieved through added hardware or software features, as described above. Other controls are matters of policy. In fact, some of the simplest controls, such as frequent changes of passwords, can be achieved at essentially no cost but with tremendous effect.

Legal and ethical controls are an important part of computer security. The law is slow to evolve, and the technology involving computers has emerged suddenly. Although legal protection is necessary and desirable, it is not as dependable in this area as it would be in more well-understood and long-standing crimes.

The area of computer ethics is likewise unclear, not that computer people are unethical, but rather that society in general and the computing community in particular have not adopted formal standards of ethical behavior. Some organizations are attempting to devise codes of ethics for computer professionals. Although these are important, before codes of ethics become widely accepted and therefore effective, the computing community and the general public need to understand what kinds of behavior are inappropriate and why.

(2) Physical Controls.

Some of the easiest, most effective, and least expensive controls are physical controls. Physical controls include locks on doors, guards at entry points, backup copies of important software and data, and physical site planning that reduces the risk of natural disasters. Often the simple physical controls are overlooked while more sophisticated approaches are sought.

(3) Effectiveness of Controls.

Merely having controls does no good unless they are used properly. The next section contains a survey of some factors that affect the effectiveness of controls.

Awareness of Problem.

People using controls must be convinced of the need for security; people will willingly cooperate with security requirements only if they understand why security is appropriate in each specific situation. Many users, however, are unaware of the need for security, especially in situations in which a group has recently undertaken a computing task that was previously performed by a central computing department.

Likelihood of Use.

Of course, no control is effective unless it is used. The lock on a computer room door does no good if people block the door open. During World War II, code clerks used outdated codes because they had already learned them and could encode messages rapidly. Unfortunately, the opposing side had already broken some of those codes and could decode those messages easily.

Principle of Effectiveness.

Controls must be used to be effective. They must be efficient, easy to use, and appropriate.

This principle implies that computer security controls must be efficient enough, in terms of time, memory space, human activity, or other resources used, so that using the control does not seriously affect the task being protected. Controls should be selective so that they do not exclude legitimate accesses.

4. Overlapping Controls

Several different controls may apply to one exposure. For example, security for a microcomputer application may be provided by a combination of controls on program access to the data, on physical access to the microcomputer and storage media, and even by file locking to control access to the processing programs. This situation is shown in Fig. 4-2.

Fig. 4-2  Overlapping Controls

5. Periodic Review

Few controls are permanently effective. Just when the security specialist finds a way to secure assets against certain kinds of attacks, the opposition doubles its efforts in an effort to defeat the security mechanism. Thus, judging the effectiveness of a control is an ongoing task.

KEYWORDS

encryption (加密)

computer crime (计算机犯罪)

code (代码 program code; 密码 cipher)

protocol (协议)

NOTES

1. encryption (加密). The process of encoding data to prevent unauthorized access, especially during transmission. Encryption is usually based on a key that is essential for decoding. The U.S. National Bureau of Standards developed a very complex encryption standard, DES, which provides many methods for encrypting documents.

2. computer crime (计算机犯罪). Illegal use of computers by unauthorized individuals. Some of them act out of interest (computer hackers, for example); others are driven by profit (thieves, for example).

3. code (代码, 密码). Code: readable statements written by a programmer in some programming language. In contrast to source code, machine code consists of a large number of instructions that the computer can recognize and execute, produced by translating the source code. A cipher is a system of symbols for converting information from one form into another; such a code, used to transform information in order to hide it, is often called a cipher.

4. protocol (协议). A set of rules or standards used to establish connections between computers and exchange information with as low an error rate as possible. The word is also commonly used for standards covering particular aspects of communication, such as file transfer, handshaking, and network transmission.

EXERCISES

1. True / False.

(1) The most powerful tool in providing computer security is coding.

(2) Some less powerful methods of defense are able to prevent attacks.

(3) Encrypted data is unintelligible to the outside observer.

(4) We can't overrate encryption's importance.

(5) Development controls are limitations by the operating system.

(6) Access limitations in a database management program are internal program controls.

(7) Ease of use and potency are often cooperative goals in the design of software controls.

(8) Policies in hardware controls are complex controls.

(9) Legal protection is not as dependable in computing area.

(10) The area of computer ethics is likewise unclear.

(11) Control is effective unless it is used.

(12) Overlapping controls combined several different controls to one exposure.

2. Fill in the blank with appropriate words or phrases.

(1) The goal of computer security is to preserve ______.

(2) Methods of defense provided in this text include ______.

(3) Encryption can be used to achieve ______ of data.

(4) Some ______ ensure availability of resources.

(5) Types of abuse in computing systems include ______.

(6) ______ of programs must be confident in the development and maintenance of the programs.

(7) Tools used by software controls involve ______.

(8) Hardware controls include ______.

(9) The simplest control in policies is ______.

(10) Physical controls in computing systems include ______ of important software and data.

(11) Factors that affect the effectiveness of controls are ______.

(12) Principle of Effectiveness means that computer security controls must be efficient enough, in terms of ______.

A. hardware components, encryption, or information gathering

B. backup copies

C. secrecy, integrity, and availability

D. frequent changes of passwords

E. Developer

F. integrity

G. awareness of problem and likelihood of use

H. encryption, software controls, hardware controls, overlapping controls and periodic review

I. hardware, software and data

J. time, memory space, human activity, or other resources used

K. hardware implementations of encryption, locks limiting access to theft protection and devices to verify users' identities

L. protocols

READING MATERIALS

Host-based IPS guards endpoints

As network threats continue to grow in number and sophistication, a new technology offers an additional layer of protection. Host-based intrusion-prevention system (HIPS) technology protects endpoints behind the network perimeter. It combats infections and attacks at the device and server level of a network, providing a layered approach that complements investments in network-based IPS without relying on signatures that require near-constant updates.

HIPS technology is extremely accurate. It works by enforcing a fixed set of basic software conventions called the Application Binary Interface (ABI). The ABI sits one step beyond the application program interface (API): it defines the API plus the machine language for a particular CPU family. Because these conventions are universal among compiled applications, it is nearly impossible to hijack an application without violating the ABI.

HIPS deployments generally involve two components, a series of agents and a management and reporting interface. Installed on servers, HIPS agents are designed to run indefinitely with little or no administrative overhead, and prevent malicious code that enters a machine from being executed without the need for a check against threat signatures.

In practice, agents continually verify the validity of application instructions by performing checks against their origin, preventing unintended injected code from being executed. They also catch malicious code masquerading as user data. In addition, they perform checks on program control to ensure that control transfer always conforms to the ABI. This prevents applications from being tricked into handing over control to external injected code. It also catches code-reuse attacks that are emerging as the next generation of advanced attack techniques worrying security professionals.

The HIPS management and reporting interface enables thousands of agents to be deployed, managed and upgraded across an enterprise network. The interface, which is often Web-based to provide universal accessibility, allows network and security staff to perform configuration changes, monitor alerts and view reports. Many interfaces notify security professionals of issues via SMTP or other alerts. The interface also is key for analyzing trend reports, assigning users and roles according to policy, and maintaining a comprehensive audit trail.

An HIPS deployment could block the threat of the Sasser worm. The worm exploited a memory flaw in Microsoft operating systems to cause billions of dollars of damage worldwide. The previously unknown Sasser code passed through unpatched firewalls undetected, reaching unprotected servers. As the code entered the memory of the unprotected server, it immediately executed a buffer overflow that gave a remote host system-level control of that server, enabling further attacks from within an enterprise network.

In contrast, the protected server's HIPS agent can examine, for example, the Sasser code as it enters the server's memory. The agent's real-time check of the code reveals the buffer overflow mechanism, a process that violates the ABI. It immediately stops the code from execution without affecting the server's performance, and notifies the management component that an attack is underway so that network and security staff can begin remediation efforts.

SECURING THE WINDOWS SERVER ENVIRONMENT

In the Windows environment, there are many security issues. Depending on which version you are running, security can be abysmal or it can be excellent. Windows NT is very easily compromised unless all of the vendor recommended patches are installed. The Windows 2000 server is better than Windows NT; however, it is still susceptible to many of the same control issues. The Windows 2003 server is a dramatic improvement over both of these operating systems. While I try not to make costly recommendations, the sooner you move to Windows 2003 and implement the stronger control structure that is available in that operating system, the sooner your data will be protected.

It is not just the servers that are at risk. Hackers love to go after workstations, as they are usually poorly controlled. I suggest that you immediately upgrade the workstations to Windows XP professional version. It is only a matter of time until you will have to upgrade the server and the workstation operating systems. You should bite the bullet sooner rather than later to properly protect your data and programs.

That said, let me take you through the process of testing (or hacking) security in the Windows environment. First, let me state that all of the tools I mention in this section are available on the Canaudit web site (http://www.canaudit.com). Just download them when you are ready to do your audit or security review. The first tool I use is Solar Winds IP Browser. This tool uses the Simple Network Management Protocol to scrounge information about the machines on the internal network. If it identifies a Windows 2000 or Windows NT with a default community string (public or private), at the click of a button, it will provide a list of all the account names on the server. Since there are often accounts that do not have a password or have a password equal to the account name, it usually does not take long to guess a valid account and password combination. An example of the data produced by Solar Winds IP Network Browser is:

# Subnet_xxx.xxx.xx.1___255.255.255.0.txt exported on 5/4/2003 6:14:50 PM
# IP Network Browser version 5.0.127
xxx.xxx.xxx.7:
   Windows NT Domain Controller
   Community String: public
      Accounts
         Administrator
         alexander
         audrey
         bob
         gateway
         Guest
         mario
         Psoft
         support
         test
         TsInternetUser
   Shares
      SYSVOL
         path: C:\WINNT\SYSVOL\sysvol
         Comment: Logon server share
      mspclnt
         Path: C:\lolgistics\clients
         Comment:
      NETLOGON
         Path: C:\WINNT\SYSVOL\sysvol\ezbroadnet.com\SCRIPTS
         Comment: Logon server share
      Users
         Path: d:\users
         Comment:
      Psoft
         Path: E:\Psoft
         Comment:

Not only do we now have accounts on this machine, but also we know that PeopleSoft is installed on it because of the Psoft share and the Psoft account. But before we even try to guess any passwords, another tool, called ChkLock, is run. It displays the security settings on Windows 2000 and NT machines that have NetBIOS open and accessible to remote users. From a security standpoint, this tool enables one to quickly identify machines that do not have intruder lockout activated or that have inconsistent account and security policies.

F:\chklock>chklock xxx.xxx.xxx.7

ChkLock version 1.0a by Peyton Engel (pengel@berbee.com)

Minimum Password Length:0 characters.
Maximum Password Age: 42 days.
Minimum Password Age:passwords may be changed immediately.
Logoff Forced After:users are not forced to log off.
Password Uniqueness Depth:no password history is kept.
Lockout Duration:30 minutes.
Lockout Reset Window:30 minutes.
Lockout Threshold:account lockout is turned off.
This machine's logon role:primary domain controller.
The name of the domain is: HQMAIN

As you can see in the above example, there is no account lockout. Once a hacker is sure that they will not be locked out of an account, they can attempt to guess passwords. If the intruder is lucky enough to find a domain controller that does not have intruder lockout, he or she can then run NBTEnum against it. This tool will automatically determine if any accounts have no password or a password equal to the account name. It will also determine which accounts have administrator rights. If this is a hacker's lucky day, and it often is, he will find an administrator account and password. If not, he can attempt to brute force some of the administrator accounts.
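ChkLock output of this shape is easy to check mechanically, which is how an auditor would review a fleet of domain controllers rather than read each report by hand. The following is an added example, not Canaudit's or ChkLock's own code: it parses the output shown above (embedded here as a string) and flags the settings that leave password guessing unthrottled; the 8-character minimum length is an assumed policy value.

```python
import re

# The ChkLock output shown in the text, embedded here as a string so the
# example runs offline (the version banner line is left out).
CHKLOCK_OUTPUT = """\
Minimum Password Length:0 characters.
Maximum Password Age: 42 days.
Minimum Password Age:passwords may be changed immediately.
Logoff Forced After:users are not forced to log off.
Password Uniqueness Depth:no password history is kept.
Lockout Duration:30 minutes.
Lockout Reset Window:30 minutes.
Lockout Threshold:account lockout is turned off.
This machine's logon role:primary domain controller.
The name of the domain is: HQMAIN
"""


def parse_chklock(text):
    """Turn each 'Setting:value.' line into a dict entry.

    ChkLock prints most values with no space after the colon and a trailing
    period, so both are stripped; keys are lower-cased for lookups.
    """
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip().lower()] = value.strip().rstrip(".").strip()
    return settings


def _leading_int(value):
    """Extract the number at the start of a value such as '0 characters'."""
    match = re.match(r"\s*(\d+)", value)
    return int(match.group(1)) if match else None


def audit_chklock(settings, min_length=8):
    """Return findings for settings that leave password guessing unthrottled.

    The minimum length of 8 is an assumed policy value, not one from the text.
    """
    findings = []
    length = _leading_int(settings.get("minimum password length", ""))
    if length is None or length < min_length:
        findings.append(f"minimum password length is {length}, below {min_length}")
    if "turned off" in settings.get("lockout threshold", ""):
        findings.append("account lockout is turned off: unlimited password guessing")
    if "no password history" in settings.get("password uniqueness depth", ""):
        findings.append("no password history is kept: old passwords can be reused")
    if "immediately" in settings.get("minimum password age", ""):
        findings.append("minimum password age is 0: a history could be cycled through")
    if "domain controller" in settings.get("this machine's logon role", ""):
        findings.append("host is a domain controller: these weaknesses apply domain-wide")
    return findings


if __name__ == "__main__":
    for finding in audit_chklock(parse_chklock(CHKLOCK_OUTPUT)):
        print("FINDING:", finding)
```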

If the servers are secure, then the hacker will run Cerberus Internet Scanner (CIS) or NBTEnum against a workstation. He may find a password for an administrator empowered account. Using that account, he will download the local machine password file and crack it. The target is the help desk account and password or another administrator empowered account and password that matches an account on the domain controller. Once he has that, he can simply log onto the domain controller and capture and crack the password file. When the cracking is completed, he then uses finger against the UNIX machines to find an account that is common between the Windows and the UNIX machines. After logging onto the UNIX machines with that account and password, a security Domino effect is set up, as the passwords cracked on one machine enable hackers to take control of other machines until they own the assets they want: your employee names, addresses, social security numbers, and other confidential information.

Network Issues

Once the operating systems are hardened, the next level of security is the network itself. (See also Network Auditing: A Control Assessment Approach, Gordon Smith, John Wiley & Sons, 1999, which covers this quite well.) In this book, it is necessary to cover the main points to ensure that the network and network devices protect the servers and the data. The most important control is to segment the network using routers, switches, or internal firewalls. Network segmentation, used properly, can restrict a hacking incident to a single network segment. This limits the damage that can be done when the network is penetrated and increases the likelihood that the intrusion will be detected in a timely manner.

That said, there are some key issues on the network side that must be addressed. One of my biggest concerns is that Simple Network Management Protocol (SNMP) will be active when it is not needed. If SNMP is enabled on your network, tools such as Solar Winds can be used to quickly document the network. Network equipment, servers, workstations, printers, and other devices that use a community string (SNMP password) can bleed information if the community string can be guessed or brute forced by Solar winds or other tools.

Many of our clients have a community string of public, which enables us to see information such as account names, services running on the machine, and network routes that exist. With a community string of private, we can often download network device configurations, which enables us to modify the configurations or, worse, take control of the network devices. If you are using SNMP on the inside of your network, make sure that the community strings are complex (eight characters long, with a special character in positions 2 through 6). Also, the SNMP password should be changed on a regular basis, especially when there is network staff turnover.
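The community-string policy in the paragraph above (at least eight characters, a special character in positions 2 through 6, never a vendor default, rotated regularly) can be checked across a device inventory. This is an added example, not Canaudit's or Solar Winds' code; the inventory, the 2003-05-04 audit date and the 90-day rotation interval are constructed assumptions.

```python
from datetime import date

# Vendor defaults named in the text; they must never be in use.
DEFAULT_COMMUNITY_STRINGS = {"public", "private"}


def check_community_string(community):
    """Return the policy violations for one community string ([] means it passes).

    The policy is the one the text gives: at least eight characters, a special
    (non-alphanumeric) character somewhere in positions 2 through 6, and never
    a vendor default.
    """
    problems = []
    if community.lower() in DEFAULT_COMMUNITY_STRINGS:
        problems.append("vendor default community string")
    if len(community) < 8:
        problems.append(f"length {len(community)} is below 8")
    # positions 2..6 in the text are 1-based; slice [1:6] is the same window 0-based
    if not any(not ch.isalnum() for ch in community[1:6]):
        problems.append("no special character in positions 2 through 6")
    return problems


# Constructed inventory: (device, community string, date the string was last changed).
# All values are made up for this example.
SAMPLE_INVENTORY = [
    ("core-switch-1", "public", date(2003, 1, 10)),
    ("edge-router-2", "Zx#7k!q9", date(2003, 4, 1)),
    ("print-server", "private", date(2002, 6, 30)),
    ("dc-1", "Kq@d3f2sLong", date(2001, 5, 4)),
]


def audit_inventory(inventory, today, max_age_days=90):
    """Map each non-compliant device to its list of problems.

    The 90-day rotation interval is an assumed value; the text only says the
    strings should be changed regularly and on staff turnover.
    """
    findings = {}
    for device, community, changed in inventory:
        problems = check_community_string(community)
        age = (today - changed).days
        if age > max_age_days:
            problems.append(f"not changed in {age} days")
        if problems:
            findings[device] = problems
    return findings


def audit_sample():
    """Run the audit over the constructed inventory as of the assumed 2003-05-04 date."""
    return audit_inventory(SAMPLE_INVENTORY, date(2003, 5, 4))


if __name__ == "__main__":
    for device, problems in audit_sample().items():
        print(device, "->", "; ".join(problems))
```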

Another control would be to set up a honey pot on the inside of the network. This will identify when a machine is scanned with a product such as Solar winds or Super Scan. I like a free tool called Back Officer Friendly that tells me when my box is being scanned. There are commercial versions of this product and other products that perform the same function. The point to remember is that normally an SNMP or port scan is one of the first things a hacker will do when they penetrate a network.

I love controls that are free because that often is the budget for network security. One of my favorite free controls is the ability to use router encryption to encrypt and decrypt data before it is transmitted across network segments. Encrypting this data prevents hackers and other nefarious people from sniffing accounts, passwords, or data off the network.

The next issue for discussion is external connections to the internal network. This includes modems, wireless connectivity, trading partner connections, and rogue Internet connections. Despite decades of warnings from both auditors and security professionals, we still find poorly secured modems, which I define as a modem that accepts inbound calls and permits repeated attempts to guess account names and passwords. In just about every network Canaudit has audited, we have found several poorly secured modems. Once found, we do the same thing a hacker would do. We scope the network access we have and identify poorly secured machines. Once that is done, we harvest passwords and crack them. It is a good day for the bad guys if they find a poorly secured version of PCAnywhere. (PCAnywhere is a great product; however, some people do not install it with the recommended controls, a strong account and password combination and encryption.) Once we are on a PCAnywhere machine, we can upload software such as network scanners and other attack tools. Once we fire them off, we can log off, and then come back in later to check the results. If this is done over a weekend, we can generally get a very good idea of the network map and attack the critical machines. Three simple controls will reduce the likelihood that PCAnywhere can be used in an unauthorized manner. The first is to ensure that accounts have strong passwords and intrusion detection is activated. When a hacker makes repeated attempts to guess passwords, PCAnywhere will disconnect them. If logging is turned on, then you will know someone has tried to guess passwords. (Only one control is listed.)

A Point-to-Point Protocol (PPP) connection is even better than PCAnywhere because it provides access to UNIX machines and network equipment. It is important that you seek out and find all modems, particularly those that are poorly secured. We use PhoneSweep from Sandstorm Enterprises as a war dialer. This product does an excellent job of finding modems and determining the operating system behind the modem. It also produces a distribution quality report. We suggest that war dialing be done once a month for small organizations and continuously for larger organizations.

Before putting modems behind us, I want to dispel any thoughts that modems are too slow to steal a large amount of information. One of our clients is a large regional bank that has Internet banking and statement distribution. We were able to bypass the firewall when we found a poorly secured modem. We connected to it and proceeded to download thousands of bank statements that contained a significant amount of confidential information. Yes, it took all weekend, but no one noticed until we showed the data to them at the end of the audit. Just because a modem is slow does not mean it is not an effective tool to compromise your e-business data.

Poorly secured wireless networks (especially 802.11b, the most common type) also pose a significant risk to your E-commerce data. On numerous occasions, I have sat in the parking lot of a client's facility and was able to access their network, sniff passwords, and harvest customer data. The wireless connections permitted me to bypass the firewall. Once onto the network, it does not take long to find web servers, Enterprise Resource Management (ERP) servers, and human resources information (just look for the Psoft or PSHR machine). Once onto these servers, we can download the data at speeds of up to 22 Mbps. Now through wider-fi (IEEE 802.16), which enables wireless access throughout a city or Metropolitan Area Network (MAN), we will see even greater growth in wireless communications.

My concern is not with the technology. My concern is that it has to be properly installed, secured, and managed. If someone is encrypting the signals with WEP (Wireless Equivalent Privacy), this is not strong encryption. Using a product such as AirSnort or Wepcrack, WEP can be cracked in minutes, once enough data is captured (usually 4 to 16 hours to trap enough data for the WEP keys to be cracked). I suggest your organization perform regular wireless sweeps to identify unauthorized and poorly secured wireless access points. Don't be surprised if you find that consultants working at your location are using it, or that users may set up their own wireless connections. Also, be careful of the newer laptop computers. Many of them come with wireless cards that may be activated. Once this machine is plugged into your network, it is possible that your internal data may be compromised.

Trading partner connections also can be an entry point. Often banks, investment firms, suppliers, and large clients are permitted to connect directly to your network. These connections are critical to ensure that business interactions flow smoothly and profitably. However, it is also necessary to ensure that the trading partners are restricted (using a firewall or network device filters) to the transactions they need to perform on the servers they need to access. Also, ensure that you are monitoring transaction volume or unusual increases in data traffic over the trading partner connection. If outbound traffic is increasing, then your data could be marching down the circuit, with your trading partner's network as a conduit.