SECURITY CONTROLS
7CCSMSEM Security Management Dr. Jose M. Such
Learning Outcomes
• Types of Security Controls
• Technical Security Controls
• Malware threats
• Controls against malware
• Controls for Networks and Communications
Types of Security Controls
(Figure: the three categories of security control)
• TECHNICAL, e.g. a firewall
• PROCEDURAL, e.g. a clear desk policy
• PHYSICAL, e.g. secure physical storage
Types of Security Controls
• There are many security controls that can be used to mitigate risks.
• Examples of useful collections:
• The 20 CIS Critical Security Controls For Effective Cyber Defense
(available from KEATS)
• ISO27000-series
• They describe security controls more abstractly, rather than mentioning specific products
TECHNICAL SECURITY CONTROLS
Malware
• Threat Agents leverage Malware (MALicious SOFTWARE) to:
• Gain Access
• Worms, Virus, Trojans, Spyware
• Maintain Access
• Backdoors, Spyware
Video (Stuxnet)
Viruses
• A piece of code like any other but with malicious intent
• From the simplest (e.g. delete all the files on the local computer) to the most complex.
• It replicates itself within a system, but it usually requires intervention to infect other systems
• E.g. executing a file in a system.
Virus Replication
(Figure: an executable file (.EXE) before and after infection. Before infection, the entry point (IP) in the file header points at the start of the program, which runs through to the end of the program. After infection, the virus code is appended after the end of the program and the entry point in the header is redirected to it, so the virus runs first and then hands control back to the original program.)
Worms
• Worms are very similar to viruses, but they can actively distribute themselves
• Exploit vulnerabilities in software or hardware:
• Auto-execution in removable devices
• Vulnerabilities in remote services (e.g. SMB)
Trojans
(Figure: a Trojan is a legitimate program bundled with a dropper; when the user runs the program, the dropper installs the malware (or a backdoor/rootkit).)
Example Trojan: DNSChanger
• 1) User is prompted to download a new codec for videos
• 2) User downloads and installs the codec
• 3) User can watch videos normally
• But under the hood:
• Local DNS settings changed -> the DNS server is now one the attacker controls, so the attacker decides where any domain name resolves!
Backdoors
• A way of bypassing normal authentication controls
• It can be software or hardware
• Two main software types:
• Service running on a port locally, accepting remote connections
• E.g. install an FTP server and connect to it to retrieve files from the infected machine
• Program running locally that connects out to remote services
• E.g. connect to a remote system and wait for instructions (this direction usually passes through firewalls that only block incoming connections)
Botnets
(Figure: example of a botnet, a set of malware-infected machines ("bots") controlled remotely by an attacker. Source: Wikimedia)
Spyware
• Browsing spyware
• Records Internet activity and visited sites
• Keyloggers
• Record key strokes
• Camera spyware
• Record from the webcam / integrated camera (the green LED light can be turned off).
• Messaging spyware
• Records Skype etc.
Ransomware
• Special case of malware:
• Encrypts the victim's data and holds it to ransom.
• If the ransom is paid, the data is supposedly decrypted and the ransomware deletes itself (there is no guarantee: paying does not ensure a working decryption key).
• Example: WannaCry (May 2017)
• 75,000 successful infections across 99 countries
• 40 NHS organisations affected
Routes of Infection
Sources of infection, again:
• Infected media
• USB, CD/DVD
• Via e-mail as an attachment
• Via a malicious website
• Across Networks
• Worms can propagate across networks, wide or local area, and may spread through unprotected systems.
• Wired and Wireless
• Smartphones and apps (BYOD)
How do we control and prevent malware?
”The countermeasures required to detect and defeat malware depend on the configuration of the systems and networks to be defended and continually need to be updated to deal with the latest threats. A single computer, connected to a broadband connection at home, is very different from a global corporate network or a small organisation.”
Alexander, David. Information Security Management Principles. BCS Learning & Development Ltd.
Patch Software
• Not always obvious, and does not relate to any form of specialist anti-malware application.
• Why? Malware exploits vulnerabilities in software. There is no protection unless your software is updated!
• Worse, when the patch/update is released, hackers reverse-engineer it to find the vulnerability and write the exploit, which is then used against every system that has not applied the patch!
• Keep software up to date!
• The worst vulnerability is the zero-day exploit.
Patch Software
• The Slammer worm took advantage of a weakness for which a patch had been issued over six months previously.
• The program exploited a buffer overflow bug in Microsoft's SQL Server and Desktop Engine database products. Although the MS02-039 patch had been released six months earlier, many organisations had not yet applied it.
• What about Zero-day vulnerabilities?
• Unreported vulnerabilities for which there is no patch (yet). Patching cannot help until the vendor knows about them, which is why the other controls below still matter.
"Hardening"
"Harden" the operating system (and web browser)
• Applies to operating systems and applications like web browsers.
• Do not use default passwords or open configurations.
• Do not install unnecessary features or applications.
• Disallow installation of new software without admin privileges.
• Only download/install software from trusted sources.
• Freeware is known to come with many surprises!
• Do not give users admin privileges (i.e. all users are logged in as restricted users).
Anti-virus
• Install an anti-virus scanner.
• It scans all files on the computer to detect if they look like a known virus.
• If so, it will fight the virus and remove it.
• But keep it up to date too!!
• Of course, viruses are smart. They can sometimes fight back (e.g. by disabling the scanner).
Anti-virus
• Only protects against (similar) "seen" malware.
• And sometimes "seen" only by the company producing it!
• VirusTotal (www.virustotal.com)
• Maximises the chances of the malware having been seen, as it runs the anti-virus engines of all major companies over the submitted file
• Some vendors also offer the capability to discover new malware
• E.g. FireEye, by running the file in a sandbox and looking at undesired behaviour rather than analysing the software itself
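To make the "seen malware" limitation concrete, here is a small signature scanner. It is an added example, not code from the lecture or from any anti-virus vendor. The "known virus" is the harmless EICAR anti-virus test string; the one-byte variant and the XOR-"packed" copy are constructed here, as is the temporary directory it scans. It shows what a whole-file hash signature catches, what a byte-pattern signature still catches, and what neither does.

```python
"""Signature-based scanning and its blind spot.

Added example for the anti-virus slides (not lecture or vendor code). The
'known virus' is the harmless EICAR test string; the variant and the
'packed' copy are constructed to show what each signature type catches.
"""
import hashlib
import pathlib
import re
import tempfile

# Standard EICAR anti-virus test string (harmless by design).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Hash signatures: exact match on the whole file. One changed byte defeats them.
HASH_SIGNATURES = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File"}

# Pattern signatures: a characteristic byte sequence anywhere in the file, so
# edits elsewhere do not defeat them (packing or encoding the body still does).
PATTERN_SIGNATURES = [
    (re.compile(rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"), "EICAR-Test-File"),
]


def scan_bytes(data: bytes) -> dict:
    """Return the signature name matched by each method, or None."""
    result = {"hash": HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest()), "pattern": None}
    for pattern, name in PATTERN_SIGNATURES:
        if pattern.search(data):
            result["pattern"] = name
            break
    return result


def scan_directory(root: pathlib.Path) -> dict:
    """Scan every regular file under root; returns {relative path: scan result}."""
    return {p.relative_to(root).as_posix(): scan_bytes(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_samples(root: pathlib.Path) -> None:
    """Constructed samples: the known file, a one-byte variant, a byte-wise
    XOR 'packed' copy of it, and a clean file."""
    (root / "known.com").write_bytes(EICAR)
    (root / "variant.com").write_bytes(EICAR + b"\n")
    (root / "packed.bin").write_bytes(bytes(b ^ 0x5A for b in EICAR))
    (root / "clean.txt").write_bytes(b"Quarterly report, nothing to see here.\n")


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        build_samples(root)
        return scan_directory(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} hash={verdict['hash']}  pattern={verdict['pattern']}")
```

On a machine with a real scanner installed, expect known.com and variant.com to be quarantined the moment they are written: that is the EICAR test string doing its job. The packed.bin result is the point of the slide: a sample that has not been seen in that form by the vendor (here, a trivial XOR) passes both signatures, which is exactly the gap that behaviour-based sandboxes such as the one mentioned above try to close.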
File Integrity Monitoring
• Keep track of the state of individual files or the whole file system
• Particularly useful to keep a closer eye on Information Assets
• Every unexpected change is detected as breaking integrity
• A FIM process consists of the following steps (Source: TripWire):
1. Set policy: Start by defining your policy, identifying which files on which devices need to be monitored.
2. Baseline files: Then ensure the files you assess are in a known good state. This may involve evaluating version, creation and modification dates, or any other file attribute.
3. Monitor & Reconcile Changes: You may see hundreds of file changes on a normal day on a single system. Knowing a good change from a bad one is essential.
4. Alert: When unauthorized changes are detected, focus on the highest priority alerts and take corrective action before more damage is done.
5. Report: FIM is required for PCI compliance and most other standards. Clear reports with the ability to drill-down are important both for operational processes and audit compliance.
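The five steps above, carried through in code: an added example, not part of the lecture and not Tripwire's product. The policy patterns, the "change ticket" of approved hashes and the sample directory tree are all constructed for the demo; mtime is deliberately not part of the baseline because malware can set it to anything.

```python
"""File-integrity monitoring following the five FIM steps above.

Added example; not from the lecture and not Tripwire's code. The policy
patterns and the sample directory tree are constructed for the demo.
"""
import fnmatch
import hashlib
import pathlib
import tempfile

# Step 1 - policy: which files to watch and how urgent a change to them is.
POLICY = {"etc/*": "high", "bin/*": "high", "var/www/*": "medium"}
PRIORITY_ORDER = {"high": 0, "medium": 1}


def priority(rel_path: str):
    """Priority of a monitored path, or None if the policy does not cover it."""
    for pattern, prio in POLICY.items():
        if fnmatch.fnmatch(rel_path, pattern):
            return prio
    return None


def sha256_of(path: pathlib.Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: pathlib.Path) -> dict:
    """Step 2 - baseline (and later the current state) of every in-policy file.
    mtime is deliberately not recorded: it is trivial for malware to forge."""
    snap = {}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and priority(rel) is not None:
            st = p.stat()
            snap[rel] = {"sha256": sha256_of(p), "size": st.st_size, "mode": oct(st.st_mode & 0o777)}
    return snap


def diff(baseline: dict, current: dict) -> list:
    """Step 3a - every change since the baseline."""
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            changes.append({"kind": "removed", "path": rel, "sha256": None})
        elif rel not in baseline:
            changes.append({"kind": "added", "path": rel, "sha256": current[rel]["sha256"]})
        elif baseline[rel] != current[rel]:
            fields = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            changes.append({"kind": "modified", "path": rel, "sha256": current[rel]["sha256"], "fields": fields})
    return changes


def reconcile(changes: list, approved: dict):
    """Step 3b - separate expected changes from unexpected ones. `approved` maps a
    path to the hash the authorised change should produce (None for an approved removal)."""
    expected, unexpected = [], []
    for c in changes:
        (expected if approved.get(c["path"], "") == c["sha256"] else unexpected).append(c)
    return expected, unexpected


def alerts(unexpected: list) -> list:
    """Step 4 - unexpected changes, highest priority first."""
    tagged = [dict(c, priority=priority(c["path"])) for c in unexpected]
    return sorted(tagged, key=lambda c: (PRIORITY_ORDER[c["priority"]], c["path"]))


def report(expected: list, found: list) -> str:
    """Step 5 - summary for operations and audit."""
    lines = [f"{len(expected)} expected change(s), {len(found)} alert(s)"]
    return "\n".join(lines + [f"  [{a['priority']}] {a['kind']:8s} {a['path']}" for a in found])


def demo() -> dict:
    """Constructed scenario: one approved web update, three unauthorised changes,
    and noise outside the policy that must not produce an alert."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        files = {"etc/passwd": b"root:x:0:0::/root:/bin/sh\n", "bin/sh": b"#!/bin/sh\n",
                 "var/www/index.html": b"<h1>v1</h1>\n", "tmp/scratch": b"noise\n"}
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
        baseline = snapshot(root)
        new_page = b"<h1>v2</h1>\n"
        approved = {"var/www/index.html": hashlib.sha256(new_page).hexdigest()}   # change ticket
        (root / "var/www/index.html").write_bytes(new_page)
        (root / "etc/passwd").write_bytes(files["etc/passwd"] + b"svc:x:0:0::/:/bin/sh\n")  # extra uid 0
        (root / "bin/nc").write_bytes(b"\x7fELF")                                           # unknown binary
        (root / "bin/sh").unlink()                                                          # shell removed
        (root / "tmp/scratch").write_bytes(b"more noise\n")                                 # out of policy
        expected, unexpected = reconcile(diff(baseline, snapshot(root)), approved)
        found = alerts(unexpected)
        return {"expected": expected, "alerts": found, "report": report(expected, found)}


if __name__ == "__main__":
    print(demo()["report"])
```

The reconcile step is what keeps FIM usable: without an approved-change list, the legitimate web deployment would raise the same alert as the new uid-0 account, and operators would soon stop reading alerts. A real deployment also needs the baseline stored somewhere the monitored host cannot write to, otherwise malware that can change /etc/passwd can re-baseline it too.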
Host Firewall / Intrusion Detection System
• Also called “Personal” Firewall
• It basically tries to enforce a “white list” of applications from the network/Internet that is allowed to connect with a particular host (computer/device).
• As opposed to a network (as we’ll see later).
• Personal firewalls may also provide some level of intrusion detection
• allowing the software to terminate or block connectivity where it suspects an intrusion is being attempted.
Host Firewalls / Intrusion Detection Systems
• Limitations:
• If the system has been compromised by malware, these programs can also manipulate the firewall, because both are running on the same system and potentially by the same user.
• It may be possible to bypass or even completely shut down software firewalls in such a manner.
• A firewall cannot tell you that it has been incorrectly configured.
• The alerts generated can desensitise users, because the firewall warns about many actions that are not malicious.
E-mail scanners
• Scan and warn users of malicious e-mails
• Scan incoming files for viruses and warn the user if the e-mail looks like a typical fraudulent message.
• Typically comes for free when using a large e-mail provider like gmail, outlook, etc.
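Two of the cheap checks such a scanner applies before a message reaches the user, as an added example (not the lecture's code, nor any provider's): does the Reply-To address point at a different domain from the sender, and is the attachment something that would execute rather than open? Both messages are constructed here, with reserved example domains; the attachment bytes are a dummy stand-in.

```python
"""Cheap checks an e-mail scanner applies before a message reaches the user.

Added example; not the lecture's code nor any provider's. Both messages are
constructed here (reserved example domains, dummy attachment bytes).
"""
import email
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# Attachment types that are executed rather than opened by a viewer.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".jar", ".hta"}


def domain_of(header_value) -> str:
    """Lower-cased domain part of an address header ('' if absent)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def scan_message(raw: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain '{reply_to}' differs from sender domain '{sender}'")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        if len(pieces) > 1 and "." + pieces[-1] in RISKY_EXTENSIONS:
            findings.append(f"executable attachment '{name}'")
        if len(pieces) > 2:          # invoice.pdf.exe: the 'real' extension is the last one
            findings.append(f"double extension on attachment '{name}'")
    return findings


def build_message(sender: str, reply_to, filename: str, payload: bytes = b"MZ\x90\x00") -> bytes:
    """Construct a test message carrying one attachment."""
    m = EmailMessage()
    m["From"] = sender
    if reply_to:
        m["Reply-To"] = reply_to
    m["To"] = "finance@example.org"
    m["Subject"] = "Overdue invoice"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed samples: a typical fraudulent message and a legitimate one.
PHISH = build_message("Accounts <accounts@example-bank.com>", "collect@mail-drop.example.net", "Invoice.PDF.exe")
CLEAN = build_message("Alice <alice@example.org>", None, "invoice.pdf", b"%PDF-1.4")


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("clean", CLEAN)):
        print(label, scan_message(raw) or "no findings")
```

A production scanner adds sender authentication (SPF/DKIM/DMARC results), URL reputation and the anti-virus engines from the previous slides; the point here is that header and attachment heuristics alone already separate these two messages, and that the checks run on the mail server, before the user can click.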
Other Countermeasures
• Check for (specially for backdoors):
• processes running, open ports, network activity, Startup programs
• This could also be carried out using some of the Assurance Techniques mentioned for Vulnerability Assessment
• e.g. Vulnerability Scans (open ports and services running)
• Assurance Techniques are sometimes referred to as special types of Security Controls.
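The "open ports and network activity" check above, applied to the two backdoor types from the Backdoors slide, as an added example (not from the lecture). It parses the output of `ss -antp` on Linux against a baseline of what the host is supposed to expose and which processes are expected to talk outbound. The sample output is constructed, including the "kworker" name the connect-back backdoor hides behind; the baseline sets are assumptions for this host.

```python
"""Looking for backdoors in listening ports and outbound connections.

Added example, not from the lecture. Parses `ss -antp` (Linux) output
against a baseline of what this host should be doing. SAMPLE_SS is
constructed; BASELINE_LISTENERS / OUTBOUND_PROCESSES are assumptions.
"""
import re
import subprocess
from dataclasses import dataclass

# `ss -antp` rows: State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ROW_RE = re.compile(r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s*(?P<proc>.*)$")
PROC_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')

# What this host is expected to expose, and who is expected to connect out.
BASELINE_LISTENERS = {("sshd", 22), ("nginx", 80), ("nginx", 443)}
OUTBOUND_PROCESSES = {"sshd", "nginx", "chrome", "apt", "curl"}


@dataclass(frozen=True)
class Sock:
    state: str
    local_host: str
    local_port: int
    peer: str
    process: str
    pid: int


def parse_ss(output: str) -> list:
    socks = []
    for line in output.splitlines()[1:]:            # first line is the header
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        host, _, port = m["local"].rpartition(":")  # also copes with "[::]:22"
        pm = PROC_RE.search(m["proc"])
        socks.append(Sock(m["state"], host, int(port), m["peer"],
                          pm["name"] if pm else "?", int(pm["pid"]) if pm else -1))
    return socks


def unexpected_listeners(socks: list) -> list:
    """Bind-style backdoor: a service listening that the baseline does not know."""
    return [s for s in socks if s.state == "LISTEN"
            and (s.process, s.local_port) not in BASELINE_LISTENERS]


def unexpected_outbound(socks: list) -> list:
    """Connect-back backdoor: an established connection owned by a process that has
    no business on the network (a real kworker kernel thread would not own a socket)."""
    return [s for s in socks if s.state == "ESTAB" and s.process not in OUTBOUND_PROCESSES]


def live_sockets() -> list:
    """The same checks against the real host (needs `ss` from iproute2, run as root to see all PIDs)."""
    return parse_ss(subprocess.run(["ss", "-antp"], capture_output=True, text=True, check=True).stdout)


# Constructed sample output.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=1024,fd=6))
LISTEN 0      128    0.0.0.0:4444        0.0.0.0:*          users:(("python3",pid=2291,fd=3))
ESTAB  0      0      10.0.0.5:51234      198.51.100.7:443   users:(("chrome",pid=1500,fd=40))
ESTAB  0      0      10.0.0.5:51235      203.0.113.9:8080   users:(("kworker",pid=2300,fd=3))
"""

if __name__ == "__main__":
    socks = parse_ss(SAMPLE_SS)
    for s in unexpected_listeners(socks):
        print(f"unexpected listener: {s.process} (pid {s.pid}) on {s.local_host}:{s.local_port}")
    for s in unexpected_outbound(socks):
        print(f"unexpected outbound: {s.process} (pid {s.pid}) -> {s.peer}")
```

The caveat from the host-firewall slide applies here too: if the machine is already compromised by a rootkit, `ss` itself (or the kernel structures it reads) may lie, which is why the same information should also be gathered from the network side, e.g. with a vulnerability scan of the host as the slide suggests.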
What to look for in a manufacturer’s product?
• Read independent reviews
• High degree of effectiveness in detecting and removing malware?
• Frequency of updates
• Is the scanner still maintained? Is it aware of the new malware threats?
• Whitelist of accepted executables
• Let the organisation control what can be executed on their network
• Reputable company
• If you are going to buy an expensive licence, make sure the company will stick around!
• Impact on operations
• If the scanner will mean your employees can no longer do their work, you'll need to find another solution.
QUIZ TIME!
Go to: PollEv.com/josesuch498
What about
NETWORKS, COMMUNICATIONS, and INFRASTRUCTURES??
Why do we want to protect our networks?
• Let's say there are 2.5 billion people on the Internet
• Even if only a tiny percentage (e.g. 1%) of that population is malicious... that is still 25,000,000 potential attackers!!!!!
What are the access points to computers/devices?
Hard-wired connections:
• Terminal or PC in an office
• A console on a server
• A broadband connection
• A router for a connection from another network
Wireless connections:
• Laptops
• Mobile devices (tablets, phones)
• Wireless routers
• Wifi / 4G
Example Network Threat
Man in the middle attack
An attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
Basically, all communication is sent via the attacker. If it is not a "secure communication channel", then the attacker can view and alter messages at will.
P.S. An enterprise firewall doesn't protect against this attack if it is an internal attacker: the traffic never crosses the perimeter!
Network Security Controls
• Examples of Network Security Controls include those:
• Based on cryptographic primitives and infrastructure
• Preventing and/or detecting intruders in the network
• Managing the topology of the network
Cryptography-based Controls
• Cryptography: the practice and study of techniques for secure communication in the presence of third parties called adversaries. (Wikipedia)
• But cryptography is so much more than the above definition!
• Confidentiality
• Nobody else can see the plain text
• Integrity
• The data has not been changed, deleted or inserted.
• Authentication
• The person is who they claim to be
• Non-repudiation
• The sender cannot later deny sending the message (or its content)
Cryptography-based Controls
• Authentication via Public-key Infrastructure (PKI)
• PKI provides a mechanism for both endpoints (i.e. computers) to authenticate with each other.
• This is required to establish an authenticated, end-to-end communication channel.
Cryptography-based Controls
• But not just authentication
• PKI also enables End-to-end encryption (E2EE): a system of communication where only the communicating users can read the messages.
• The "man in the middle" can only see encrypted garbage, and cannot read or alter the messages in transit without the alteration being detected!
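The man-in-the-middle attack from the earlier slide, run against a plain channel and then against an authenticated one, as an added example (not from the lecture). Mallory relays everything between Alice and Bob and rewrites what passes through her. The shared secret key is an assumption standing in for the session key a PKI-authenticated handshake would produce; only message authentication (integrity and origin, via HMAC) is shown, not encryption, so the "encrypted garbage" part of the slide is not modelled.

```python
"""Man in the middle against a plain channel vs. an authenticated one.

Added example, not from the lecture. The shared key stands in for the
session key that a PKI-authenticated handshake would establish; only
message authentication is modelled, not encryption.
"""
import hashlib
import hmac
import secrets


def tag(key: bytes, body: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class Endpoint:
    """key=None models a channel with no cryptographic protection at all."""

    def __init__(self, key=None):
        self.key = key

    def send(self, text: str) -> dict:
        body = text.encode()
        return {"body": body.hex(), "tag": tag(self.key, body) if self.key else None}

    def receive(self, frame: dict):
        body = bytes.fromhex(frame["body"])
        if self.key is not None:
            # A missing tag is treated like a bad one; otherwise Mallory could just
            # strip it ("downgrade") and the check would be skipped.
            if not frame["tag"] or not hmac.compare_digest(tag(self.key, body), frame["tag"]):
                return "rejected", None
        return "accepted", body.decode()


def mallory(frame: dict, replacement: str, strip_tag: bool = False) -> dict:
    """Relay the frame with a rewritten body. Mallory has no key, so she can only
    leave the old tag in place (now invalid for the new body) or remove it."""
    out = dict(frame, body=replacement.encode().hex())
    if strip_tag:
        out["tag"] = None
    return out


ORIGINAL = "transfer 100 to account 1111"
FORGED = "transfer 100 to account 6666"


def exchange(protected: bool, strip_tag: bool = False):
    """Alice -> Mallory (rewrites) -> Bob; returns Bob's verdict and what he read."""
    key = secrets.token_bytes(32) if protected else None
    alice, bob = Endpoint(key), Endpoint(key)
    return bob.receive(mallory(alice.send(ORIGINAL), FORGED, strip_tag))


def honest_exchange(protected: bool):
    """Same channel with nobody in the middle, to show the protection costs nothing."""
    key = secrets.token_bytes(32) if protected else None
    alice, bob = Endpoint(key), Endpoint(key)
    return bob.receive(alice.send(ORIGINAL))


if __name__ == "__main__":
    print("plain channel, tampered:     ", exchange(False))
    print("authenticated, tampered:     ", exchange(True))
    print("authenticated, tag stripped: ", exchange(True, strip_tag=True))
    print("authenticated, untouched:    ", honest_exchange(True))
```

Everything hinges on Alice and Bob agreeing the key over a channel Mallory could not sit in the middle of; if she could, she would simply run two keyed channels, one with each side. That authenticated key agreement is exactly what the PKI on this slide provides, and it is why "encrypted" without "authenticated" is not a secure channel. Replay (Mallory re-sending a genuine frame) is not covered here and needs a sequence number or nonce inside the authenticated body.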
Cryptography-based Controls
• Virtual Private Network (VPN)
• A virtual private network (VPN) extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. (Wikipedia)
Firewalls (again)
• Network Firewalls
• Prevent unwanted intrusions into an organisation's network
• Check incoming and outgoing traffic, and only let it through the firewall if it complies with the rules defined
• e.g. based on IP addresses and ports
• A network firewall is a network security system that prevents unauthorised access to a private network. Where the personal firewall enforces a "white list" of applications allowed to connect to one host, the network firewall enforces a white list of traffic allowed into (and out of) the whole network.
Intrusion Detection Systems (IDS)
• Rough idea “IDS Does for networks what AVs do with incoming files”
• Detects unwanted intrusions in an organisation’s network.
• Misuse-based
• Rely on models of malicious behaviour (traditionally signatures)
• Anomaly-based
• Rely on models of normal behaviour
• Examples:
• Bro (now called Zeek)
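The two IDS approaches side by side, as an added example that is not from the lecture and not Bro/Zeek code. The connection-log format (ts|src|dst|dport|payload) is constructed for the demo, the three signatures are well-known attack patterns, and the "normal" traffic the anomaly model learns from is generated in the block. Misuse detection fires on the SQL injection attempt; anomaly detection fires on the host that sweeps twenty ports in a minute, which no signature describes.

```python
"""Misuse-based vs anomaly-based detection over a connection log.

Added example, not from the lecture or from Bro/Zeek. Log format
(ts|src|dst|dport|payload), signatures and training traffic are constructed.
"""
import re
import statistics
from collections import defaultdict

# Misuse-based: explicit models of bad behaviour (signatures).
SIGNATURES = [
    ("sqli-union", re.compile(r"(?i)union\s+select")),
    ("path-traversal", re.compile(r"\.\./\.\./")),
    ("shellshock", re.compile(r"\(\)\s*\{\s*:;\s*\}")),
]


def parse(log: str) -> list:
    records = []
    for line in log.strip().splitlines():
        ts, src, dst, dport, payload = line.split("|", 4)
        records.append({"ts": float(ts), "src": src, "dst": dst, "dport": int(dport), "payload": payload})
    return records


def misuse_detect(records: list) -> list:
    """(signature, src, dport) for every record that matches a signature."""
    hits = []
    for r in records:
        for name, pattern in SIGNATURES:
            if pattern.search(r["payload"]):
                hits.append((name, r["src"], r["dport"]))
    return hits


def ports_per_source_minute(records: list) -> dict:
    """Feature: number of distinct destination ports each source touches per minute."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["src"], int(r["ts"] // 60))].add(r["dport"])
    return {k: len(v) for k, v in seen.items()}


def train(normal_records: list) -> float:
    """Anomaly-based: learn what 'normal' looks like and derive a threshold
    (mean + 3 sigma, but at least one above the mean so that a flat baseline
    still tolerates ordinary day-to-day variation)."""
    counts = list(ports_per_source_minute(normal_records).values())
    mean, sigma = statistics.mean(counts), statistics.pstdev(counts)
    return max(mean + 3 * sigma, mean + 1)


def anomaly_detect(records: list, threshold: float) -> list:
    """(src, distinct ports) for every source-minute above the learned threshold."""
    return [(src, n) for (src, _), n in ports_per_source_minute(records).items() if n > threshold]


# Constructed training traffic: four internal clients browsing on 80/443 only.
TRAINING_LOG = "\n".join(
    f"{60 + i}|10.0.0.{i % 4 + 1}|192.0.2.10|{80 if i % 2 == 0 else 443}|GET / HTTP/1.1"
    for i in range(20))

# Constructed traffic under test: normal browsing, one SQL injection attempt,
# and one external host sweeping twenty ports inside a single minute.
TEST_LOG = "\n".join(
    ["120|10.0.0.1|192.0.2.10|443|GET /index.html HTTP/1.1",
     "121|198.51.100.23|192.0.2.10|80|GET /item?id=1 UNION SELECT user,pass FROM users"]
    + [f"{130 + p}|203.0.113.5|192.0.2.10|{p}|" for p in range(1, 21)])


def run() -> dict:
    threshold = train(parse(TRAINING_LOG))
    test = parse(TEST_LOG)
    return {"threshold": threshold, "misuse": misuse_detect(test), "anomalies": anomaly_detect(test, threshold)}


if __name__ == "__main__":
    print(run())
```

Note what each approach misses: the port sweep carries no payload, so no signature can see it, while the injection attempt touches a single port at a normal rate, so the anomaly model considers it ordinary. Real deployments run both, and the anomaly model must be trained on traffic that is known to be clean, or the attacker's behaviour becomes part of "normal".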
Network Partitioning
Restrict Access by Network Partition
Network partitioning is the process of splitting the network into zones. Each zone is completely independent of the other zones.
In other words, we can disconnect a set of servers from the wider network. If the wider network is hacked, the attackers cannot reach the disconnected partition.
Sometimes partitioning is necessary. In finance, the data server might be completely partitioned to protect against insider trading.
Network Partitioning (II)
A Network’s Demilitarized Zone (DMZ)
A physical or logical subnetwork that contains and exposes an organization’s external-facing services to an untrusted network, usually a larger network such as the Internet. (Wikipedia)
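A DMZ only works through the firewall rules that separate the zones, so here is one zone-based policy for the three zones (Internet, DMZ, internal), serving both the "Firewalls (again)" slide and this one. It is an added example, not from the lecture; the zone address ranges, rules and test packets are made up (reserved documentation ranges). First matching rule wins and anything unmatched is denied, and the last function finds rules that can never match because an earlier, broader rule already covers them, a common way such a policy silently fails.

```python
"""Zone-based firewall policy: Internet / DMZ / internal.

Added example, not from the lecture. Zones, addresses and rules are made up
for the demo (reserved documentation ranges). First match wins, default deny.
"""
import ipaddress

ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"     # everything else is the untrusted outside


# (source zone, destination zone, destination port or None for any, action)
RULES = [
    ("internet", "dmz", 443, "allow"),       # public web front end
    ("internet", "dmz", 80, "allow"),
    ("dmz", "internal", 5432, "allow"),      # web tier -> database only
    ("internal", "dmz", None, "allow"),      # admins manage the DMZ
    ("internal", "internet", 443, "allow"),  # outbound browsing
    ("internet", "internal", None, "deny"),  # explicit (for logging); also the default
    ("internal", "dmz", 22, "deny"),         # intended, but shadowed by rule index 3
]


def matches(rule, src_zone: str, dst_zone: str, dport: int) -> bool:
    r_src, r_dst, r_port, _ = rule
    return r_src == src_zone and r_dst == dst_zone and (r_port is None or r_port == dport)


def evaluate(src_ip: str, dst_ip: str, dport: int):
    """Return (action, index of the deciding rule, or None for the default deny)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for i, rule in enumerate(RULES):
        if matches(rule, src_zone, dst_zone, dport):
            return rule[3], i
    return "deny", None


def covers(broad, narrow) -> bool:
    """True if every packet matched by `narrow` is also matched by `broad`."""
    return (broad[0] == narrow[0] and broad[1] == narrow[1]
            and (broad[2] is None or broad[2] == narrow[2]))


def shadowed_rules() -> list:
    """Indices of rules that an earlier rule makes unreachable."""
    return [j for j, rule in enumerate(RULES)
            if any(covers(RULES[i], rule) for i in range(j))]


if __name__ == "__main__":
    for pkt in [("203.0.113.4", "192.0.2.10", 443), ("203.0.113.4", "10.1.2.3", 445),
                ("192.0.2.10", "10.0.0.5", 5432), ("192.0.2.10", "10.0.0.5", 22),
                ("10.0.0.7", "192.0.2.10", 22)]:
        print(pkt, "->", evaluate(*pkt))
    print("shadowed rules:", shadowed_rules())
```

The two packets from the DMZ host to the internal network show what the DMZ buys: if the web server is compromised, the attacker can reach the database port it legitimately needs and nothing else (no SSH, no file shares), and the Internet cannot reach the internal zone at all. The shadowed rule is the sort of mistake the host-firewall slide warned about: the firewall cannot tell you its own configuration is wrong, so a policy check like `shadowed_rules()` belongs in the change process.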
QUIZ TIME!
Go to: PollEv.com/josesuch498