System Security Roadmap

Diomidis Spinellis
Department of Management Science and Technology
Athens University of Economics and Business
Athens, Greece
dds@aueb.gr

Security Infrastructure

Management commitment
Resources to back security policies and procedures
Staff dedicated to security tasks
Security mission statement
Security awareness training program
Security policies and procedures
- Clearly defined
- Implemented
- Documented
- Supplied to everyone within your organization
Strong flow of information to and from the appropriate groups
Security incident response team
External and internal security perimeter controls
Host and network based security auditing tools

Security Infrastructure Investment

Getting the management commitment

Risk analysis
Demonstrate threat (e.g. network sniffing) probes.
Run scanning tools against your network (be careful)
Impact on company image
Impact of DOS attack
Information on other attacks

Management-related Security Problems

No dedicated staff
Insufficient resources
Lack of management support
Staff with no authority to deploy appropriate security measures
Failure to install vendor patches for known security problems.
No monitoring and restricting network access to internal hosts.
Not using sufficient authentication and authorization systems for remote access.
Failure to implement or enforce procedures and standards when installing new devices on the network.
Security through obscurity

Security Mission Statement

The security mission statement is determined by a number of factors:

Security expectations of users and customers
Customer loss by security breaches
Customer loss by impaired functionality (due to security)
Past down-time and monetary loss due to security incidents
Insider threats
User trust
Local and remote access
On-line sensitive or personal information
Loss due to compromise or theft
Different levels of security for different parts of your organization
- ERP systems
- Development
- Customer support
Cost of negative publicity
Existing security guidelines, regulations, or laws
Conflict of business requirements and security
Importance of confidentiality, integrity, availability
Business needs
Financial constraints

Security Support Personnel Duties

Auditing

Help an organization balance resources expended against the most likely areas of weaknesses.

Audit Type	Reason
New System Installation Security Audits	Ensure conformance to existing policies and a standard system configuration.
Regular Automated System Audit Checks	Reveal a "visitation" by an intruder or illicit activity by insiders.
Random Security Audit Checks	Test for conformance to security policies and standards (by finding illicit activity) , Check for the existence of a specific class of problems (e.g., the presence of a vulnerability reported by a vendor).
Nightly Audits of Critical Files	Assess the integrity of critical files (e.g., the password file) Integrity of databases (e.g., payroll or sales and marketing information).
User Account Activity Audits	Detect dormant, invalid, misused accounts.
Periodic audits and vulnerability assessments	Determine overall state of your security infrastructure.

Internet Attack Methods

Exploitation of vulnerabilities in vendor programs.
Exploitation of cgi-bin vulnerabilities.
Email bombing, spamming and relaying through other sites.
Exploitation of misconfigured anonymous FTP and web servers.
Exploitation of named/BIND vulnerabilities.
Exploitation of mail transfer agents and mail readers.
Denial of Services (DoS) attacks using various methods.
Sending hostile code and attack programs as mail attachments or browsed page contents.

Incident Response

Don't panic!
Evaluate the situation
- Has attacker succeeded?
- Is the attack in progress?
Follow your organizations policies and procedures,
Use the appropriate chain of command when notifying other people or organizations.
Contact incident response agencies appropriate for your site
Make communication via an out-of-band method (e.g., a phone call) to ensure intruders do not intercept information.
Document your actions
- persons contacted
- phone calls made
- files modified
- system jobs stopped
Snapshot the system
Make copies of files the intruders may have left or touched and store them off-line.
- Malicious code
- Log files
If you are unsure of what actions to take, seek additional help and guidance before removing files or halting system processes.
Involve security department
- Physical access
- Insider
- Law enforcement officers
Plan

Incident Response Centers

CERT(sm) Coordination Center
http://www.cert.org/
email cert@cert.org or call +1 412 268-7090

GRNET-CERT

Computer Emergency Responce Team for the Greek National Research Network

E-Mail: grnet-cert@grnet.gr (mailto:grnet-cert@grnet.gr)

Network Operations Center, University of the Aegean, 30 Voulgaroktonou str, Athens 114 72, Greece

Telephone: +30 - 210 - 649 - 2056
Telefax: +30 - 210 - 649 - 2499
World Wide Web: http://cert.grnet.gr (http://cert.grnet.gr)

Network Management Center
National Technical University of Athens
Iroon Polytechnioy 9
Zografou, GR 157 80
Athens
Greece
phone [+30-210] 772.1860
fax [+30-210] 772.1866
http://www.ntua.gr/grnet-cert/grnet-cert.html (http://www.ntua.gr/grnet-cert/grnet-cert.html)

Software Installation Practices

Modify default software installation to

remove unnecessary software,
turn off unneeded services,
close extraneous ports.

Develop standard installation guidelines for all operating systems and applications used by the organization.

Authentication Practices

Audit the accounts on your systems and create a master list
Develop procedures for adding authorized accounts to the list, and for removing accounts when they are no longer in use.
Validate the list on a regular basis to make sure no new accounts have been added and that unused accounts have been removed.
Run a password cracking tool against the accounts looking for weak or no passwords. (Make sure you have official written permission before employing a password cracking tool.)
Train users
Install password checking tools
Use alternative authentication methods

Backup Practices

Inventory critical systems
Are there backup procedures for those systems?
Is the backup interval acceptable?
Are those systems being backed up according to the procedures?
Has the backup media been verified to make sure the data is being backed up accurately?
Is the backup media properly protected in-house and with off-site storage?
Are there copies of the operating system and any restoration utilities stored off-site (including necessary license keys)?
Have restoration procedures been validated and tested?

Port Filtering Practices

Configure router
Install a firewall
Use a port scanner (e.g. nmap, netstat)
Turn-off services (/etc/inetd.conf, /etc/rc*, services)

Evaluating Vulnerabilities

For each vulnerability we need to now:

Systems impacted
How to determine if we are vulnerable
How to protect against it

Common Unix Vulnerabilities

U1 BIND Domain Name System
U2 Web Server
U3 Authentication
U4 Version Control Systems
U5 Mail Transport Service
U6 Simple Network Management Protocol (SNMP)
U7 Open Secure Sockets Layer (SSL)
U8 Misconfiguration of Enterprise Services NIS/NFS
U9 Databases
U10 Kernel

(From the Twenty Most Critical Internet Security Vulnerabilities
2004
Copyright 2001-2004, The SANS Institute
http://www.sans.org/top20.htm (http://www.sans.org/top20.htm))

Common Windows Vulnerabilities

W1 Web Servers and Services
W2 Workstation Service
W3 Windows Remote Access Services
W4 Microsoft SQL Server (MSSQL)
W5 Windows Authentication
W6 Web Browsers
W7 File-Sharing Applications
W8 LSAS Exposures
W9 Mail Client
W10 Instant Messaging

(From the Twenty Most Critical Internet Security Vulnerabilities
2004
Copyright 2001-2004, The SANS Institute
http://www.sans.org/top20.htm (http://www.sans.org/top20.htm))

Home-user Tips

(Excerpted from http://www.nipc.gov/warnings/computertips.htm (http://www.nipc.gov/warnings/computertips.htm))

Use strong passwords.
Make regular backups of critical data.
Use virus protection software.
Use a firewall as a gatekeeper between your computer and the Internet.
Do not keep computers online when not in use.
Do not open e-mail attachments from strangers or suspicious attachments.
Regularly download security patches from your software vendors.

System Administrator Best Practices

Knowledge update
System and console - physical security
Keep your systems lean and mean
Superuser password
Delegating superuser tasks
User passwords
User terminals
Restrict users (shell, remote access)
User education
Keep your systems up to date
Vulnerability testing
Monitor your systems periodically
Configuration documentation
Backup and disaster recovery

Low-cost Security Improvements

Doing it on a shoestring basis:

Document and publish what you expect your system support staff to do with respect to security.
Configure your border routers to deny all unnecessary incoming traffic.
Identify and protect your most valuable assets first.
Secure the perimeter and core systems.
Simplify.
Use freeware vulnerability assessment tools to conduct a self-assessment of your network and computers. Publish the results internally to management staff.
Install freeware host and network based auditing and traffic analysis tools on critical hosts.
Monitor output and logs on a daily basis.

Free Tool Repositories

Security Web Sites

Security Books

Firewalls and Internet Security by Bill Cheswick and Steve Bellovin
Practical UNIX and Internet Security, 2nd Edition by Simson Garfinkel and Gene Spafford

Ross Anderson. Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley & Sons, New York, 2001.
Friedrich L. Bauer. Decrypted Secrets: Methods and Maxims of Cryptology. Springer Verlag, 1997.
J. Glenn Brookshear. Computer Science, pages 128–128, 164–166. Addison-Wesley, 8th edition, 2004.
Dorothy Elizabeth Robling Denning. Cryptography and Data Security. Addison-Wesley, 1983.
Peter J. Denning. Computers Under Attack: Intruders, Worms, and Viruses. Addison-Wesley, 1990.
Tom Forester and Perry Morrison. Computer Ethics: Cautionary Tales and Ethical Dilemmas in Computing. MIT Press, Cambridge, 1990.
Dieter Gollmann. Computer Security. John Wiley & Sons, New York, 1999.
Michael Howard and David LeBlanc. Writing Secure Code. Microsoft Press, Redmond, WA, second edition, 2003.
David Kahn. The Codebreakers: The Story of Secret Writing. Scribner, New York, 1996.
Gary McGraw and Edward W. Felten. Securing Java: Getting Down to Business with Mobile Code. Wiley, New York, 1999.
Peter G. Neumann. Computer Related Risks. Addison-Wesley, 1995.
David L. Oppenheimer, David A. Wagner, and Michele D. Crabb. System Security: A Management Perspective. Short Topics in System Administration. USENIX Association, Berkeley, CA, 1997.
Eric Rescorla. SSL and TLS. Addison-Wesley, 2001.
Aviel D. Rubin, Daniel Geer, and Marcus J. Ranum. Web Security Sourcebook. John Wiley & Sons, New York, 1997.
Bruce Schneier. Applied Cryptography. Wiley, New York, second edition, 1996.
Bruce Schneier. Secrets & Lies: Digital Security in a Networked World. Wiley Computer Publishing, New York, 2000.
John Viega and Gary McGraw. Building Secure Software: How to Avoid Security Problems the Right Way. Addison-Wesley, 2001.
Elizabeth Zwicky, Simon Cooper, and D. Brent Chapman. Building Internet Firewalls. O'Reilly and Associates, Sebastopol, CA, second edition, 2000.

Articles

Anish Bhinami. Securing the commercial internet. Communications of the ACM, 39(6):29–35, June 1996.
Huseyin Cavusoglu, Birendra Mishra, and Srinivasan Raghunathan. Model for evaluating security investments. Communications of the ACM, 47(7):87–92, July 2004.
Commission of the European Communities. Glossary of information systems security. DGXIII, INFOSEC Programme/S2001, 1993.
Commission of the European Communities. Risk analysis methods database. DGXIII, INFOSEC Programme/S2014, 1993.
United Kingdom Central Computer and Telecommunication Agency, United Kingdom. CCTA Risk Analysis and Management Method: User Manual., version 3.0 edition, 1996. HMSO.
Eric Dubois and Suchun Wu. A framework for dealing with and specifying security requirements in information systems. In Sokratis K. Katsikas and Dimitris Gritzalis, editors, Information Systems Security: Facing the information society of the 21st century, pages 88–99. Chapman & Hall, 1996.
C. Ellison and B. Schneier. Ten risks of pki: What you're not being told about public key infrastructure. Computer Security Journal, 16(1):1–7, 2000.
J. H. P. Eloff, L. Labuschagne, and K. P. Badenhorst. A comparative framework for risk analysis methods. Computers & Security, 12(6):597–603, October 1993.
M. E. Kabay. The NCSA Guide ot Enterprise Security: Protecting Information Assets. McGraw-Hill, 1996.
Ravi Sandhu, Edward Coyne, Hal Feinstein, and Charles Youman. Role-based access control: A multi-dimensional view. In 10th Annual Computer Security Applications Conference, pages 54–62. IEEE Computer Society Press, 1994.
Richard G. Wilsher and Helmut Kurth. Security assurance in information systems. In Sokratis K. Katsikas and Dimitris Gritzalis, editors, Information Systems Security: Facing the information society of the 21st century, pages 74–87. Chapman & Hall, 1996.

Contents