Security Essentials Day 2 Threat and the Need for Defense in Depth
Welcome. As we begin day 2, or the second major set of courses in Security Essentials, the focus
will be on defense in depth. This is a term that was coined by the Department of Defense and is a
crucially important concept in information assurance. The topics that we are going to cover are shown below.
Security Essentials
Day 2
Threat and the Need for
Defense in Depth
Information Assurance Foundations - SANS ©2001 1
Security Fundamentals
Confidentiality, Integrity, Availability
Threat and risk
Security Policy
What it is and what it is not
How to implement an effective policy
Passwords
Overview of passwords
LC3
Crack
Incident Handling
6 step guide
Information Warfare
Defensive strategies
Offensive strategies
Web security
Web security vulnerabilities
Web security defenses
These are all components of a defense in depth risk management framework as we will explain in
our next slide titled, “Defense in Depth.”
1-1
Defense in Depth
We have covered: perimeter defense, vulnerability
scanning, host and network intrusion detection,
honeypots/honeynets and risk assessment; is there
more?
Now, we add security policy, password strength and
assessment, incident handling, information warfare and
web security.
Defense in Depth - SANS ©2001 2
Are we there yet? Sorry, not yet. The slide shows that while we have covered a lot of important topics, we
still have a ways to go! The concept behind defense in depth is simple. The picture we have
painted so far is that a good security architecture, one that can withstand the threat, has many aspects and
dimensions. We need to be certain that if one countermeasure fails, there are more behind it. If they all fail,
we need to be ready to detect that something has occurred and clean up the mess expeditiously and
completely, and then tune our defenses to keep it from happening to us again.
One of the most effective attacks that penetrates standard perimeters is malicious code. These are things like
viruses and Trojan software. They come in as attachments to email messages and on those floppies we bring
in from home (even though we aren’t supposed to), and the CD-ROMs we bring home from DEFCON. These
can do a lot of damage. Most people have heard of BackOrifice and NetBus but there are a score of other
Trojans. The best defense is keeping your anti-virus software up-to-date, and scanning at the firewall, server,
and desktop level. It isn’t particularly expensive or hard, but it takes discipline.
I find systems all the time that don’t even record when successful and unsuccessful logons and logoffs occur.
That's just basic, sensible auditing and they don't turn it on. If there is ever a problem, how will we run it to
ground? You may or may not be in a position where you can affect whether these things are done at your
organizational level, but you can often take the responsibility for your office, shop, division, or desktop. There
are even personal firewall software products – like TCP Wrappers, BlackICE Defender, Zone Alarm, Norton
Internet Security, McAfee Personal Firewall – these range from free to commercial software, and they provide
perimeter protection at the host level. I use a personal firewall on my home systems when I connect to my ISP
so that I can stop the simple attacks that many of my friends have experienced. The threat is targeting each of
us. What role and responsibility are you willing to accept for defense in depth?
1-2
Defense In Depth (2)
[Diagram: concentric rings labelled, from the outside in, Network, Host, Application, Info]
Defense in Depth - SANS ©2001 3
This diagram shows another way to think of the Defense In Depth concept. At the center of the
diagram is your information. However, the center can be anything you value, or the answer to the
question, “What are you trying to protect?” Around that center you build successive layers of
protection. In the diagram, the protection layers are shown as blue rings. In this example, your
information is protected by your application. The application is protected by the security of the host
it resides on, and so on. In order to successfully get your information, an attacker would have to
penetrate through your network, your host, your application, and finally your information protection
layers.
Using a Defense in Depth strategy does not make it impossible to get to your core resources – the
resource at the center of the diagram. For example, your defense layers might be trivial or easy to
compromise. However, a well-thought-out Defense in Depth strategy, utilizing the strongest
protections feasible at each layer, presents a formidable defense against would-be attackers.
Next, we are going to take you on a tour of three famous attacks to see what lessons we can learn
from them. Along the way, we are going to discuss the three key dimensions of protection and
attack. Most of you are already familiar with them. They are: confidentiality, integrity, and
availability. Throughout the Security Essentials program, you will be deploying countermeasures to
protect confidentiality, integrity, and availability; and you may experience attacks against these
dimensions. We can think of these as the “primary colors” of information assurance. By mixing and
matching these -- and we do mix and match, because they are interrelated -- we are able to develop
either a very strong attack, or develop a strong defense. On our next slide, titled “Agenda,” let’s take
a look at the material we are about to explore.
1-3
Agenda
• Principles of attack and defense
• Risk and threats
• Three famous attacks
• Introduction to vulnerabilities
• Basic countermeasures
• Summary
Defense in Depth - SANS ©2001 4
This slide shows the main topics we are going to cover. We will discuss the threats that are arrayed
against our computer systems. To focus that discussion, we will be concerned with some of the more
famous attacks that have occurred. Now, information assurance can get really complex, but these
kinds of problems decompose nicely. As we work our way through the material, we are going to be
pointing out aspects of confidentiality, integrity, and availability, in both the attacks and also the
defenses we discuss. So if you are new to security, or if you just want a quick review, the way I
think about these things is – a credit card.
Have you ever had a credit card not be accepted? Three different times in a row, when I was buying
tires at a local store in my town, my credit card did not clear. All three times, the bank said their
computers were down. Well, that is an availability attack. Well, it certainly felt like an attack to
me! I live in a small town and a lot of people know me – and so to have my card rejected was very
embarrassing. Confidentiality makes sure that no one but you knows your credit card number. An
example of a confidentiality defense is the way that “padlock” on the bottom of your Internet
browser closes (for Netscape) or appears (with Internet Explorer) when you are executing a secure
transaction -- the bit stream is encrypted to foil casual eavesdroppers. An example of an integrity
attack would be telling someone they lie so much, their own mother doesn’t believe them! (Ha ha -
well, maybe that’s not exactly right.) It might be spoofing by using someone else’s credit card, or
modifying the balance of someone else’s account.
We will continue to explore these fundamental principles on our next slide titled, “Three Bedrock
Principles.”
1-4
Three Bedrock Principles
• Confidentiality
• Integrity
• Availability
[Diagram: triangle with Confidentiality, Integrity and Availability at its corners]
Defense in Depth - SANS ©2001 5
Keep in mind that the keys we have been discussing are interrelated. So, an attacker may exploit an
unintended function on a web server and use the cgi-bin program “phf” to list the password file.
Now, this would breach the confidentiality of this sensitive information (the password file). Then,
in the privacy of their own computer system, the attacker can use brute force or dictionary-driven
password attacks to recover the passwords. Then, with a stolen password, the attacker can execute
an integrity attack once they gain entrance to the system. They can even use an availability
attack as part of their overall effort to neutralize alarms and defensive systems, so that those
systems cannot report the intruder's presence. When this is completed, the attacker can fully access
the target system, and all three dimensions (confidentiality, integrity and availability) are in jeopardy.
Now, I chose a very simple, well-known attack for a reason. A large number (in fact, an
embarrassingly large number) of corporate, government, and educational systems that are
compromised and exploited are defeated by these well-known, well-published attacks.
Now, not all the bad things that happen to computer systems are attacks per se. There are fires, water
damage, mechanical breakdowns, and plain old user error. But all of these are called threats. We
use threat models to describe a given threat and the harm it could do if the system has a
vulnerability as we will see on our next slide titled, “Threats.”
1-5
Threats
• Activity that represents possible danger
• Can come in different forms & from
different sources
• You can’t protect against all threats
• Protect against the ones that are most
likely or most worrisome based on:
– Business goals
– Validated data
– Industry best practice
Defense in Depth - SANS ©2001 6
In security discussions you will hear a lot about threats. Threats, in an information security sense, are
any activity that represents possible danger to your information. Danger can be thought of as anything
that would negatively affect the confidentiality, integrity, or availability of your systems or services.
Thus, if risk is the potential for loss or harm, threats can be thought of as the agents of risk.
Threats can come in many different forms and from many different sources. There are physical threats,
like fires, floods, terrorist activities, and random acts of violence. And there are electronic threats like
hackers, vandals, and viruses. Your particular set of threats will depend heavily on your situation – what
business you are in, who your partners and enemies are, how valuable your information is, how it is
stored, maintained and secured, who has access to it, and a host of other factors.
The point is there are too many variables to ever possibly protect against all the possible threats to your
information. To do so would cost too much money, take too much time, and too much effort. So, you
will need to pick and choose what threats you will protect against. You will start by identifying those
threats that are most likely to occur or most worrisome to your organization.
The way to do this is by identifying three primary areas of threat. The first is based on your business
goals. If your business is heavily dependent on a patented formula you would consider theft of that
formula to be a likely threat. If your business is the movement of fund transfers over a network, you
would consider attacks on that network link to be a likely threat. These are two examples of business-
based threats.
The second type of threat consists of those based on validated data. If your web site is repeatedly hacked
through your firewall, you would consider Internet hackers to be a major threat. If your main competitor
always manages to find out key confidential information about your business plans, you would start
considering corporate espionage a threat. These are examples of threats identified because of validated
instances of damage based on those threats. In some ways these may be the most serious, because they
have already happened and are likely to happen again in the future.
The final type of threat consists of those that are widely known in the security industry. To protect against
them is just good common sense. That is why we put badge readers and guards in buildings, why we use
passwords on our computer systems, and why we keep secret information locked in a safe. We may not
have had attacks against any of these, but it is commonly understood to be foolish not to do so.
1-6
Vulnerabilities
• Weaknesses that allow threats to
happen
• Must be coupled with a threat to
have an impact
• Can be prevented (if you know
about them)
Defense in Depth - SANS ©2001 7
The third element of the risk spectrum is the notion of Vulnerabilities. (Remember that the first two
elements are risk and threats.) In security terms, a vulnerability is a weakness in your systems or
processes that allows a threat to occur. However, simply having a vulnerability by itself is not a bad
thing. It is only when the vulnerability is coupled with a threat that the danger starts to set in. Let’s
look at an example.
Suppose you like to leave the doors and windows to your house unlocked at night. If you live in the
middle of the woods, far away from anyone else, this may not be a bad thing. There really aren’t
many people that wander around and, if you’re high enough on the hill, you’ll be able to see them
coming long before they present a danger. So, in this case, the vulnerability of having no locks is
there, but there really isn’t any threat to take advantage of that vulnerability.
Now suppose you move to a big city full of crime. In fact, this city has the highest burglary rate of
any city in the country. If you continue your practice of leaving the doors and windows unlocked,
you have exactly the same vulnerability as you had before. However, in the city the threat is that
much higher. Thus, your overall danger and risk is much greater.
Vulnerabilities can be reduced or even prevented, provided, of course, that you know about them.
The problem is that many vulnerabilities lie hidden, undiscovered until somebody finds out about
them. Unfortunately, the “somebody” is usually a bad guy. The bad guys always seem to find out
about vulnerabilities long before the good guys.
1-7
Relating Risk, Threat and
Vulnerability
Risk = Threat x Vulnerability
Defense in Depth - SANS ©2001 8
OK, we’ve spent the last few slides talking about risks, threats, and vulnerabilities. The three
concepts are extremely interrelated. Their relationship can be found in this simple formula:
Risk = Threat x Vulnerability
This formula shows that risk is directly related to the level of threat and vulnerability you, your
systems, or your networks face. Here’s how the formula works:
If you have a very high threat, but a very low vulnerability to that threat, your resulting risk will be
very low. In the example we used before, if you live in a high crime neighborhood (thus, high threat)
but you keep your doors and windows locked (so you have a low vulnerability), your overall risk is
very low.
If you have a high vulnerability to a threat (by keeping your doors and windows unlocked), but the
threat itself is minor (by living in the woods), once again you have a very low risk factor.
If, however, you have a high level of threat potential (a high crime area) and your vulnerability to
that threat is very high (no locks), you have a high risk factor.
Of course, this formula is nice, but keep in mind that, as we stated way up front, there are no
absolutes in security. Thus it is usually impossible to assign numeric values to areas like threats and
vulnerabilities, so this formula should be used as an aid to guide your thinking rather than an absolute
mathematical calculation. When you begin to get into discussions and arguments about risks, threats,
and vulnerabilities (and yes, you will get into arguments about this stuff) you can refer back to this
basic formula to help guide you in your decision making process.
1-8
The Threat Model
• Threat
• Vulnerability
• Compromise
Vulnerabilities are the gateways
by which threats are manifested.
Defense in Depth - SANS ©2001 9
On the bottom of your slide, it says that “vulnerabilities are the gateways by which threats are
manifested”. So, for a threat model to have any meaning at all, there has to be a threat. Are there
people with the capability and inclination to attack - and quite possibly harm - your computer
systems and networks? What is the probability of that happening? The probability is high that any
non-private address will be targeted several times a year. The most common countermeasure for
most organizations is to deploy firewalls or other perimeter devices. These work quite well to reduce
the volume of attacks that originate from the Internet, but they don’t protect systems from insiders, or
attacks like macro viruses which are able to pass through firewalls about 99% of the time.
So there is a threat, and there are certainly vulnerabilities, and when a threat is able to connect to its
specific vulnerability, the result can easily be system compromise. Again, the most common tactic is
to protect systems with perimeter devices such as firewalls. It’s cost-effective, it’s practical, and it’s
highly recommended. Even the most open universities or other research environments that require
themselves to be very open should be able to do some perimeter defense, even if they can only do it
at the department or building level, or even if they can only do it at the host level.
In the past few slides, we have been discussing theory that provides a framework to understand and
use tools like the ones we discussed in risk management – the big picture. Now we want to move
away from theory a bit into some historical applications of confidentiality, integrity, and availability.
Our next slide is titled, “Four Lessons From History.”
1-9
Four Lessons From History
• Morris worm – Availability - 1988
• Melissa – Availability - 1999
• W32.SirCam worm – Confidentiality
- 2001
• Code Red II – Integrity - 2001
Defense in Depth - SANS ©2001 10
Hopefully, we can learn enough from history to help prevent us from having to repeat it. The attacks
we are going to discuss, perhaps the three most famous information security defense failures are: the
Morris worm, SirCam, and Code Red variant II. These span from 1988 to 2001. We don’t have time
in this course to explore each of these in great detail, but you should be familiar with each of these as
a security professional. As homework, please try an internet search for these attacks and read a bit
more. There are information security lessons that we ought to be able to learn from these well-
known attacks. In each case, there was a computer system vulnerability, and it was exploited.
In each of the cases, there was an absence of defense in depth. In fact, in the case of most systems
affected by the Morris worm, and the Code Red attack, the exploit did not have to penetrate any
defensive perimeters. So, that’s “defense in shallow!”
As we go through each of the attacks, try to look out for the three primary security dimensions:
confidentiality, integrity, and availability. Consider how the defenses for each failed, or did not exist
in the first place. The vulnerability is listed in every case; so please note how the threat was able to
exploit the vulnerability to compromise or affect the target system(s).
1 - 10
The Morris Worm
• Availability attack (Denial of
Service)
• Common vulnerabilities in fingerd
and sendmail allowed rapid
replication
• Internet communications effectively
lost
Defense in Depth - SANS ©2001 11
If you haven’t read Zen and the Art of the Internet, you probably should. It is available at
http://sunland.gsfc.nasa.gov/info/guide/The_Internet_Worm.html. We’ll do a small reading from that
section:
“On November 2, 1988, Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an
experimental, self-replicating, self-propagating program called a worm and injected it into the Internet. He
chose to release it from MIT, to disguise the fact that the worm came from Cornell. Morris soon discovered
that the program was replicating and reinfecting machines at a much faster rate than he had anticipated --
there was a bug. Ultimately, many machines at locations around the country either crashed or became
"catatonic." When Morris realized what was happening, he contacted a friend at Harvard to discuss a
solution. Eventually, they sent an anonymous message from Harvard over the network, instructing
programmers how to kill the worm and prevent reinfection. However, because the network route was
clogged, this message did not get through until it was too late. Computers were affected at many sites,
including universities, military sites, and medical research facilities. The estimated cost of dealing with the
worm at each installation ranged from $200 to more than $53,000.
The program took advantage of a hole in the debug mode of the Unix sendmail program, which runs on a
system and waits for other systems to connect to it and give it email, and a hole in the finger daemon
fingerd, which serves finger requests. People at the University of California at Berkeley and MIT had
copies of the program and were actively disassembling it (returning the program back into its source form)
to try to figure out how it worked.
Teams of programmers worked non-stop to come up with at least a temporary fix, to prevent the continued
spread of the worm. After about twelve hours, the team at Berkeley came up with steps that would help
retard the speed of the worm. Another method was also discovered at Purdue and widely published. The
information didn't get out as quickly as it could have, however, since so many sites had completely
disconnected themselves from the Internet.”
Additional information on the Morris worm can be found at
http://www.software.com.pl/newarchive/misc/Worm/darbyt/pages/worm.html.
1 - 11
Morris Worm –
Defense in Depth
• Threat
– No perimeter defense (directly accessible
from the Internet)
– Multiple services on same system
– Unpatched systems
• DiD
– Separation of services
– Apply patches
Defense in Depth - SANS ©2001 12
Robert Morris released the worm to illustrate the problem with unpatched systems. If finger had
been running on a separate system from the mail system, the Internet would have been more resilient
against the attack.
1 - 12
Melissa Virus
• Availability attack
• New “strain” slipped through most
perimeters
• Users activated macro despite
warnings
Defense in Depth - SANS ©2001 13
The Melissa macro virus was first observed Friday, March 26, 1999, and quickly became one of the most well-
known and widely-spread macro virus infections to date. Many sites were aware of Melissa on Friday, others
over the weekend, and of course still others found out Monday morning, so that March 29 was indeed a
challenging day. By late Friday, an excellent description of the virus, including how to identify and contain it at
the host level, had been developed and published by the Computer Emergency Response Team (CERT) at
Carnegie Mellon.
According to Network Associates’ web site (www.nai.com), the virus was first discovered on an "alt.sex"
newsgroup and spread rapidly. This extraordinarily rapid spread of Melissa serves as a warning of how fast a
virus with an unknown signature can spread. If you examine the virus source code, you can see the virus
replicated so rapidly by going through Microsoft Outlook address books and sending itself to the first 50 entries
in each book.
Now, the Melissa virus did no damage in the sense of deleting or stealing files; and only sites with desktop
systems running Microsoft’s Outlook email client were directly affected. However, even systems that did not
spread the virus directly by email still had their Microsoft Word documents infected, and continued to pass on
the virus. Moreover, the cost of dealing with Melissa is in the millions of dollars. How did a virus that does no
explicit damage (such as deleting files) wreak this much havoc? Well, most of the financial
losses are in the area of lost productivity. This is a big availability attack.
- Some sites have reported that they shut down email entirely for multiple days.
- Others lost email connectivity for several hours while cleaning the virus from their servers.
- System administrators and help desk resources were tied up fighting the virus for periods ranging from three
to five days at most affected organizations.
The Microsoft macro capability is a significant vulnerability, and the opportunity exists for far more serious
attacks than Melissa. And I find this quite interesting because almost all actual users of Microsoft Office
products rarely take advantage of the macro language.
1 - 13
Melissa Virus –
Defense in Depth
• Threat
– Danger of monoculture
– Inadequate security awareness
– Failure to filter principle of least privilege
• DiD
– Simpler email
– Unable to detect state
• Amount of email flowing into a system at a given point in
time
Defense in Depth - SANS ©2001 14
Melissa was able to spread very quickly because everyone was running the same system. This
allowed an attacker to find a single problem and use it to impact companies large and small.
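The slide's point about "amount of email flowing into a system at a given point in time" is a detectable state even when the virus signature is unknown: Melissa mailed itself to the first 50 entries of each address book, so one sender suddenly addresses dozens of distinct recipients. The following detector is an added example, not part of the original course material; it assumes a simplified relay log format (timestamp, sender, recipient) that is constructed for illustration.

```python
"""Burst detector for mass-mailing worms such as Melissa.

Added example; not part of the original SANS course material.  The log
format (ISO timestamp, sender, recipient, one message per line) is an
assumption made for illustration; real relay logs differ.  An infected
desktop shows up as one sender addressing many distinct recipients within
a few seconds.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # look-back window per sender
THRESHOLD = 40                  # distinct recipients inside WINDOW that trips the alarm

# Constructed sample log: alice and bob behave normally, carol is infected.
SAMPLE_LOG = "\n".join(
    ["1999-03-26T09:00:01 alice@corp.example bob@corp.example",
     "1999-03-26T09:00:40 bob@corp.example alice@corp.example"]
    + [f"1999-03-26T09:01:{i:02d} carol@corp.example user{i}@partner.example"
       for i in range(50)]
    + ["1999-03-26T09:05:00 alice@corp.example dave@corp.example"]
)


def parse_line(line):
    """Split one log line into (timestamp, sender, recipient)."""
    ts, sender, rcpt = line.split()
    return datetime.fromisoformat(ts), sender.lower(), rcpt.lower()


def find_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {sender: ISO time at which that sender first crossed the threshold}.

    A sliding window of recent (timestamp, recipient) pairs is kept per sender;
    the alarm fires when the number of distinct recipients in the window reaches
    the threshold.  Distinct recipients are counted, not messages, so a user
    re-sending to the same colleague does not trip it.
    """
    recent = defaultdict(deque)
    alarms = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, sender, rcpt = parse_line(raw)
        q = recent[sender]
        q.append((ts, rcpt))
        while q and ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) >= threshold and sender not in alarms:
            alarms[sender] = ts.isoformat()
    return alarms


if __name__ == "__main__":
    for sender, when in find_bursts(SAMPLE_LOG).items():
        print(f"possible mass-mailer: {sender} at {when}")
```

On the sample log only carol is flagged, 40 distinct recipients into her burst; the threshold and window are the knobs a site would tune against its own normal traffic.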
1 - 14
W32.SirCam
• Confidentiality attack, mailed out
random files from hard drive
• Discovered July 2001
• Spread by mail attachments or
unprotected shares
Double file extensions: subject.doc.exe
Defense in Depth - SANS ©2001 15
SirCam was able to spread either by unprotected shares or as an email message. You will recall from
Day 1, Legion is a tool to scan for these Windows unprotected shares. The email message attack
contains an attachment with the classic double file extension e.g. subject_of_email_message.zip.exe.
As a reminder, we were introduced to this trick with sexxxymovie.mpeg.exe on newsgroups to
encourage users to download a variant of SubSeven.
The most common first extensions were .doc and .xls, but many others are possible. The second
extension will be something executable, such as .exe, .com, or .bat. The attached file contains both
the malicious code and a decoy file copied from the sending infected system.
This attack actually has elements of confidentiality, integrity, and availability. The availability attack
was partly because it deleted files, also, if a number of systems were infected, it put a heavy load on
the mail relay system (the computer that funnels an organization’s email to and from the Internet).
The integrity attack includes the fact that copies of malicious code were copied to multiple locations
on the hard drive. We will look at this problem more with Code Red.
The confidentiality attack was very serious. SirCam chose random files from the hard drive to send
out as the decoy mail message. Over thousands and thousands of mail messages, many of these
turned out to be private or proprietary information.
Additional information about SirCam can be found here:
http://www.symantec.com/avcenter/venc/data/[email protected]
On the next slide titled, “Why So Many Users Executed SirCam,” we learn why so many people
actually double-clicked on the attachment.
1 - 15
Why so many users executed SirCam
Windows Explorer, tools,
folder options
Defense in Depth - SANS ©2001 16
Though many users will double-click on anything, years of security awareness training have taught a
lot of people not to double-click on executable files from strangers. Many of the recipients had no
clue they were opening an attachment with malicious code for two reasons. First, if the machine is
configured like the slide above, the file will of course appear without the .exe, .com, or .bat
extensions. Second, since the file contains a valid file, chosen at random from the sending infected
system, there really is a .doc or .xls file to look at. The unsuspecting victim never sees the malicious
code.
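The double-extension trick described in the SirCam notes above, and the hidden-extension display that made it work, can be checked at the mail gateway before the user ever sees the attachment. This is an added example, not part of the original course material; the extension lists are assumptions for illustration, seeded with the .doc/.xls decoys and .exe/.com/.bat executables the course names.

```python
"""Flag mail attachments that use the double-extension trick SirCam relied on.

Added example; not part of the original SANS course material.  The extension
lists are my assumptions for illustration: the course names .doc and .xls as
the usual decoy extensions and .exe, .com and .bat as the executable ones.
"""
import os

EXECUTABLE_EXT = {".exe", ".com", ".bat", ".pif", ".scr", ".vbs", ".lnk"}
DOCUMENT_EXT = {".doc", ".xls", ".zip", ".txt", ".mpeg", ".jpg", ".pdf"}


def split_extensions(name):
    """Return every extension in order, e.g. 'a.doc.exe' -> ['.doc', '.exe']."""
    exts = []
    base = name
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return exts
        exts.insert(0, ext.lower())


def displayed_name(name, hide_known_extensions=True):
    """What Explorer shows with 'Hide file extensions for known file types' on:
    the last extension is dropped, so 'report.doc.exe' is shown as 'report.doc'."""
    if not hide_known_extensions:
        return name
    base, ext = os.path.splitext(name)
    return base if ext else name


def classify_attachment(name):
    """Classify an attachment filename.

    'double-extension': a document-looking name ending in an executable extension
    'executable':       plainly executable (still worth blocking at the gateway)
    'ok':               not executable
    """
    exts = split_extensions(name)
    if not exts or exts[-1] not in EXECUTABLE_EXT:
        return "ok"
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT:
        return "double-extension"
    return "executable"


def find_suspicious(names):
    """Return [(filename, what the user would have seen)] for double-extension names."""
    return [(n, displayed_name(n)) for n in names
            if classify_attachment(n) == "double-extension"]


# Constructed sample attachment names, including the two from the course notes.
SAMPLE_ATTACHMENTS = [
    "subject_of_email_message.zip.exe",
    "sexxxymovie.mpeg.exe",
    "budget.xls",
    "setup.exe",
    "notes.txt",
]

if __name__ == "__main__":
    for real, shown in find_suspicious(SAMPLE_ATTACHMENTS):
        print(f"blocked {real!r}; user would have seen {shown!r}")
```

The second element of each result is exactly the name a victim with hidden extensions would have seen, which is why user training alone was not enough.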
Your next slide is titled, “Search For Unprotected Shares Before SirCam Finds Them.” Since this is
such a big issue, we are going to introduce a new tool to help us find these and other problems. It's
called DumpSec.
1 - 16
Search For Unprotected Shares
Before SirCam Finds Them
DumpSec actually does a lot more than just find shares
Defense in Depth - SANS ©2001 17
Unprotected shares are much-sought-after treasures for attackers. Depending on which share is
unprotected, it could lead to a full compromise of the system. However, this tool can do a lot more.
Let’s take a quick tour.
1 - 17
DumpSec Features
• Dumps user, group, and replication
information
• Dumps file system, registry,
printers and shares permission and
audit settings
• Dumps password policies
• Lists installed and running services
Defense in Depth - SANS ©2001 18
Like SCAT, DumpSec provides a host of information grouped in an easy to find manner. DumpSec
is a great aid to auditors. But, what makes it attractive to attackers is that it can be used in
conjunction with the null session vulnerability that violates the confidentiality of the system.
1 - 18
Null Session
net use \\172.20.244.164\IPC$ "" /USER:""
Defense in Depth - SANS ©2001 19
The null session exploit is an attack against confidentiality. In essence, it’s just “finger” on steroids.
The attacker “logs in” to the Windows NT or Windows 2000 system using the “net use” command
listed on your slide. After logging in, it is possible to gather a great deal of information from the
Windows registry. Though this could be done by hand, it would be very tedious, so there are tools to
make this a reasonable task. The tool shown in the screen shot is DumpSec by SomarSoft. It was
available for free from www.systemtools.com, but they seem to have disappeared, which is a
tragedy. They were wonderful folks and were among the first folks to develop security information
and tools for NT. However, the software is still out on the Internet if you search with an internet
search. DumpSec is available from either www.somarsoft.com or www.systemtools.com. [Editors
Note: the web site www.systemtools.com is again functioning. CMW]
The screenshot shown on the slide was from before I entered the “null session”. Afterwards, I would
be able to enumerate boatloads of information about users, if that system was vulnerable to a null
session attack. Enumerate is a popular term in the industry to describe what we used to call “depth
first, breadth second” searches. So what? Why do you care? Well, if you find a PDC or BDC
(Primary Domain Controller or Backup Domain Controller) you can use null sessioning to get a long
list of user names, including all the members of the Administrator group. Then you could try
consecutive ‘net uses’, trying different passwords. I am not really big on passwords, since they can
be sniffed, or attacked by brute force, but they do have their place. There are a lot of weak
passwords out there and every little bit helps. So, the longer we delay an attacker while they try
dictionary attacks on our passwords, the more likely we are to catch them in the act.
1 - 19
Gather User Information
Defense in Depth - SANS ©2001 20
After executing the null session command we just showed you, DumpSec provides broad access to
information about the valid users of a system. This information can be put to a myriad of uses.
The last logon time can indicate if an account is active. This can help the attacker to determine its
suitability for brute force attacks.
If you were so silly as to not require users to have passwords, this would be painfully obvious to an
attacker.
RAS information can also indicate other systems that may not be as well-secured that could be used
as a backdoor entry point to the main server.
Keep in mind that on Day 1, we showed how to eliminate or control anonymous access to a
Windows 2000 system using administrative tools and configuring the security policy to control this.
1 - 20