

  • Number of slides: 57

UNCLASSIFIED

Defense-in-Depth: Securing Your System Using a Layered Security Approach
By Richard Hammer, LANL
LA-UR-08-2558

Overview
• Relative Risks
• Threat Vectors
• What attackers need us to do
• Things Everyone Can do
• Client protections Summary

Goal!
• Secure your system so you:
  – Do not lose your identity if system is stolen
  – Feel comfortable storing and processing personal, financial, business, and sensitive information
  – Feel comfortable making online transactions

Old and New Threats

What attackers need from us!
• Need us to execute a program
• Need us to NOT securely configure our programs
• Need us to NOT pay attention
• Need us to NOT patch
• Need us to be careless, gullible or curious
• Need us to NOT understand the technology
• “It’s that easy because we allow it to be that easy” – Frank Abagnale

Things we all can learn to DO!
• Compute as an Unprivileged User if possible
• Understand E-mail
• Understand Web Browsing
• Encrypt our Data
• Know what is connecting in/out
• Actually do it!

Hackers do not like unprivileged users
• They cannot change system settings
• They cannot install programs that change system settings
• They cannot undo security settings
• Reboot will normally put system back into secure state again.

Which is more secure?
• Storing your credit card in your wallet
Or
• Storing your credit card number on your computer

Protecting data at rest (Powered Off)
• Physical Security
• Encryption
• Nothing else will work
  – Remove the disk
  – Reset password
  – Boot off cracker media
  – T up a Macintosh

Harddrive/File Encryption
• Truecrypt, Guardian Edge, WinMagic, PGP, Pointsec, Cypherix, Calibex, TrueCrypt, Many more!
• Hardware
  – Fortezza
  – Harddrives
• Windows EFS/BitLocker
• Apple FileVault
• Bcrypt
• Entrust ICE
• Entrust & PGP

Apple FileVault

Built-in Windows encryption

System Up and You Are Logged In (Includes Sleep Mode)
• No longer protecting Data
  – Full disk encryption
  – Hardware encryption
  – Windows EFS/BitLocker or FileVault
• Protecting data until password entered
  – Encrypted Disk Image (Mac OS X)
  – Entrust, PGP, TrueCrypt, Bcrypt
  – Other 3rd party encryption products

Entrust/PGP File Encrypt Options

Goals of Cryptosystems!
Ensure:
• Confidentiality
• Integrity
• Authentication
• Non-Repudiation

Cryptosystems Problems?
• You might lock yourself out forever!
• Key Management
• Key Distribution
• Password/Passphrase Protection
• Can’t encrypt/decrypt offline?
• Speed?
• Export? (GOV export authorized)

What will Defeat Encryption
• Not protecting the password
• Sleep mode and fast switching
• Freeze spray, shutdown/leave
• Malware
  – Keyboard Loggers
  – E-mail Infections
• Not paying attention to warning messages
• Backups

Understanding e-mail
• Clear text e-mail is completely unreliable.
• How do you recognize bogus e-mail?
• What is URL redirection?
• How do you protect yourself?
• Outlook?

Why you should not Trust Clear Text e-mail
• Do not know who sent it
• Do not know who sees it
• Do not know where it went
• Do not know who read it
• Do not know if content changed
• Still on server, backups?
• Sys Admins have full access

Encrypting e-mail?
• Only Intended Recipients can read messages or open files
• Data has not been modified
• Data is from the expected source
• Not seen on the wire
• Not just SSL/TLS to server
• PGP/SMIME/Entrust

Entrust Encryption Example?

PGP/SMIME Encryption Example?

SMIME/PGP/Entrust e-mail

Phishing right here in LA!
• Guy Lisella: “Anytime they ask for personal information, it’s a scam.”
• Legitimate businesses will NEVER ASK for personal information to be transmitted over clear text e-mail!
• If unsure, call them.

How do you recognize bogus e-mail?
• Do you know the sender?
• Is the offer “too good to be true?”
• Embedded links that point to an address that doesn’t appear right.
• Your email address is not listed on the “TO” or “CC”.
• The “FROM” & “Return-Path” don’t match.
• Unexpected attachments.

What is wrong?

Understanding URLs/Redirection
• http://computername.domainname/directoryname/indexfile.html
• Where you thought you were going:
  http://www.dncu.com/login.aspx?update
  http://63.214.247.170/login.aspx?update
• Where you are redirected:
  http://www.dncu.org.hi-position.com/register/login.html
  – Computer name – www
  – Domainname – dncu.org.hi-position.com
  – IP Address – No longer registered, but was 202.168.210.1XX
  – Directory – register
  – Index file – login.html
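The slide's breakdown (computer name, domain name, directory, index file) can be made mechanical. The following is an added example, not code from the presentation: it splits a URL into those parts and checks whether a link's host really belongs to the domain the reader expected, which is the test that catches www.dncu.org.hi-position.com. The URLs are the ones shown on the slide; the function names and the "expected domain" check are assumptions made for this example.

```python
"""Added example, not from the original presentation.

Breaks a URL into the parts the slide names (computer name, domain name,
directory, index file) and checks whether the host belongs to the domain
the reader expected. Function names and the expected-domain check are
assumptions made for this example; the URLs are those on the slide.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit


def is_ip(host: str) -> bool:
    """True for a bare IPv4/IPv6 address such as 63.214.247.170."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def decompose_url(url: str) -> dict:
    """Return the slide's breakdown of a URL as a dict.

    computername: first host label ("www")
    domainname:   the remaining labels ("dncu.org.hi-position.com")
    ipaddress:    set instead of the two above when the host is a bare IP
    directory:    path directories joined with "/"
    indexfile:    last path element, or "" when the path ends in "/"
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    elems = [e for e in parts.path.split("/") if e]
    if not elems or parts.path.endswith("/"):
        directory, indexfile = "/".join(elems), ""
    else:
        directory, indexfile = "/".join(elems[:-1]), elems[-1]
    bare_ip = is_ip(host)
    return {
        "scheme": parts.scheme,
        "ipaddress": host if bare_ip else "",
        "computername": "" if bare_ip else labels[0],
        "domainname": "" if bare_ip else ".".join(labels[1:]),
        "directory": directory,
        "indexfile": indexfile,
        "query": parts.query,
    }


def lands_on(expected_domain: str, url: str) -> bool:
    """True only if the URL's host is expected_domain or a subdomain of it.

    A look-alike such as www.dncu.org.hi-position.com contains "dncu.org"
    but is registered under hi-position.com, so a suffix test rejects it.
    A bare IP address never matches a domain name.
    """
    host = (urlsplit(url).hostname or "").lower()
    expected = expected_domain.lower().lstrip(".")
    if is_ip(host):
        return False
    return host == expected or host.endswith("." + expected)


def explain(expected_domain: str, url: str) -> str:
    """One-line verdict a user could read before clicking."""
    d = decompose_url(url)
    where = d["ipaddress"] or f'{d["computername"]}.{d["domainname"]}'
    verdict = "OK" if lands_on(expected_domain, url) else "NOT " + expected_domain
    return f"{where} -> {verdict}"


if __name__ == "__main__":
    for link in (
        "http://www.dncu.com/login.aspx?update",
        "http://63.214.247.170/login.aspx?update",
        "http://www.dncu.org.hi-position.com/register/login.html",
    ):
        print(explain("dncu.com", link))
        print("   ", decompose_url(link))
```

The suffix test is deliberately strict: only a host that is the expected domain, or ends in "." plus the expected domain, passes, so a registered domain that merely contains the expected name as a label, or a bare IP address standing in for the name, is reported as not landing where the user expected.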

Look at the e-mail header
• Eudora – Blah, Blah
• Outlook – View Options or Right Click Options
• Webmail – Click on Full Headers
• Thunderbird – Menu Bar, VIEW/HEADER, ALL
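Once the full headers are visible, three of the slide's tests (From and Return-Path don't match, your address missing from To/CC, an unexpected attachment) can be applied automatically. The following is an added example, not code from the presentation; both sample messages are constructed for it and every address and host name in them is invented.

```python
"""Added example, not from the original presentation.

Applies three of the slide's bogus-e-mail tests to a parsed message:
From vs Return-Path domains, your address missing from To/Cc, and an
unexpected attachment. Both messages below are constructed for this
example; the addresses and host names are invented.
"""
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: looks like a bank notice but fails all three tests.
SUSPECT_MESSAGE = """\
Return-Path: <bounce-4417@mail.example.net>
From: "Member Services" <support@bank.example>
To: undisclosed-recipients:;
Subject: Account update required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please open the attached form and confirm your details.
--b1
Content-Type: application/zip; name="form.zip"
Content-Disposition: attachment; filename="form.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed sample: plain message from a colleague, addressed to me.
CLEAN_MESSAGE = """\
Return-Path: <alice@corp.example>
From: Alice <alice@corp.example>
To: Bob <bob@corp.example>
Subject: Lunch?
Content-Type: text/plain; charset="us-ascii"

Noon at the cafeteria?
"""


def domain_of(header_value) -> str:
    """Domain part of the first address in a header, lower-cased."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def header_warnings(raw: str, my_address: str) -> list:
    """Return the slide's warning signs found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    warnings = []

    # "FROM" and "Return-Path" don't match: compare the domains, since the
    # local part legitimately differs when a bounce address is used.
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and from_dom != rp_dom:
        warnings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")

    # Your address is not listed on "TO" or "CC" (groups such as
    # "undisclosed-recipients:;" contribute no addresses).
    recipients = set()
    for name in ("To", "Cc"):
        for hdr in msg.get_all(name, []):
            recipients.update(a.addr_spec.lower() for a in hdr.addresses)
    if my_address.lower() not in recipients:
        warnings.append(f"{my_address} is not in To or Cc")

    # Unexpected attachments: anything that is not the message body.
    for part in msg.iter_attachments():
        warnings.append(f"unexpected attachment {part.get_filename()!r}")

    return warnings


if __name__ == "__main__":
    for w in header_warnings(SUSPECT_MESSAGE, "bob@corp.example"):
        print("WARNING:", w)
    print("clean message:", header_warnings(CLEAN_MESSAGE, "bob@corp.example"))
```

The domain comparison rather than a full-address comparison is a deliberate choice: mailing lists and bounce handling routinely put a different local part in Return-Path, so comparing whole addresses would flag much legitimate mail, while a different domain is the sign the slide is pointing at.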

Give me the money

Stop Right There!

E-mail client configuration
• Do NOT auto execute anything
• Do NOT automatically download HTML graphics
• Do NOT display graphics in message
• Do NOT allow executable html content
• Do NOT display emoticons as a graphic
• Do NOT use Microsoft viewer.

Entourage Settings

Before and After (Mac Mail) <Display Remote Images in HTML Message>

What’s Wrong?
Unknown sender, not addressed to me, has an attachment I did not expect.

Virus protection caught it three weeks later, don’t be the first to open it!

Which is more secure?
• Paying for a dinner with a credit card
Or
• Online purchase

Compare the two!

Web Browser Security
• Understand how it works
• SSL/TLS
• Privacy Settings
• Security Settings
• “Warn me” is always a good option when not sure
• Scripts
• Understand Threats
• Internet Explorer?

Web Access (SSL/TLS)
• SSL Developed by Netscape (1994)
• Certificate Exchange System to System
• Certificate Authority
• Should only use SSL 3.0 or TLS 1.0
• Is it secure?
• Redirection
• Man-in-Middle Attack

Keeping Track of State
• SessionID
  https://ucfy.ucop.edu/ucfy/BaseServlet;jsessionid=0000q9ZvjIPe7xWTjxeftFjTqBy:-1
• Cookie
  – Persistent
  – Non-Persistent
• Hidden Form Element
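Two of the state mechanisms on the slide can be recognized from what the browser receives. The following is an added example, not code from the presentation: it detects a session ID carried in the URL (the slide's jsessionid case) and classifies a Set-Cookie header as persistent or non-persistent. The list of session-key names and the Set-Cookie values are assumptions constructed for this example; the URL is the one on the slide.

```python
"""Added example, not from the original presentation.

Two checks for the state-keeping mechanisms the slide lists: whether a
session ID travels in the URL (as in the slide's jsessionid example) and
whether a Set-Cookie header creates a persistent or a non-persistent
cookie. SESSION_KEYS and the Set-Cookie values are constructed for this
example.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlparse

# Parameter names commonly used for session identifiers (assumed list).
SESSION_KEYS = {"jsessionid", "phpsessid", "aspsessionid", "sessionid", "sid"}

# The slide's example of a session ID carried in the URL path.
SLIDE_URL = "https://ucfy.ucop.edu/ucfy/BaseServlet;jsessionid=0000q9ZvjIPe7xWTjxeftFjTqBy:-1"


def session_id_in_url(url: str) -> str:
    """Return the session key found in the URL's path parameters or query, or ""."""
    parts = urlparse(url)
    # ";key=value" after the last path segment lands in parts.params
    candidates = dict(p.split("=", 1) for p in parts.params.split(";") if "=" in p)
    candidates.update({k: v[0] for k, v in parse_qs(parts.query).items()})
    for key in candidates:
        if key.lower() in SESSION_KEYS:
            return key
    return ""


def classify_set_cookie(header_value: str) -> dict:
    """Describe one Set-Cookie header: persistent vs non-persistent, plus flags.

    A cookie with Expires or Max-Age is written to disk and survives closing
    the browser (persistent); without either it lives only for the session.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    [(name, morsel)] = jar.items()
    return {
        "name": name,
        "persistent": bool(morsel["expires"] or morsel["max-age"]),
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


if __name__ == "__main__":
    print("session id in slide URL:", session_id_in_url(SLIDE_URL) or "none")
    for sc in (
        "JSESSIONID=0000q9ZvjIPe7xWTjxeftFjTqBy:-1; Path=/ucfy; Secure; HttpOnly",
        "PREF=lang-en; Max-Age=31536000; Path=/",
    ):
        print(classify_set_cookie(sc))
```

A session ID in the URL ends up in browser history, bookmarks, proxy and server logs, and the Referer header of any link followed from the page, which is why a non-persistent cookie marked Secure and HttpOnly is the usual way to carry it; the persistent cookie in the second sample is the kind that "clear privacy settings" on a later slide removes.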

Firefox Security Settings

Man-in-Middle

Warning, should I proceed?

Secure???

Clearing Privacy Settings (Firefox) <Tools><Options>

Security Settings (Firefox) <Tools><Options>

Firefox - noscript <Tools><Options>

Firefox – noscript (2)

Secure Web Transactions
• Open New Browser
• Ensure SSLv3/TLS
• You initiate connection
• Only go to sites associated with transaction
• Use noscript and only allow needed scripts
• Pay attention to error messages
• Logout when done
• Close browser and clear settings

Personal Application layer firewalls
• ZoneAlarm
• Little Snitch/Apple Firewall combo
• In/Out protection
• Can distinguish between different programs connecting out on same port
• Will teach you which applications really connect out from your system

Connecting out, Really?

Same Port, different program

Client Protection Summary
• User vs Admin Privilege
• Virus Protection
• Spyware/Adaware Protection
• Keep Systems & Applications patched
• Backup your data
• Secure Program Settings, don’t Auto execute and turn off autoplay.

Client Protection Summary
• DO NOT open attachments unless you expect them.
• Don’t click on embedded links
• Pay attention to warning messages
• POP-UP blockers
• Clear privacy settings
• noscript

Client Protection Summary
• If it’s “too good to be TRUE,” it is!
• When configuring programs keep personal information to a minimum.
• Remove programs you don’t need
• Stay away from shady web sites
• One-time Credit Card Numbers
• Shutdown when not using
• Disconnect from network if you don’t need to be on it.

Client Protection Summary
• Encrypt sensitive information
• Application Layer Personal Firewall
• Outlook and Internet Explorer:
  – Consider replacing these programs.
  – Keep them patched.

Educate Yourself!