Providing a Secure Architecture
Hacking and the deployment of an appropriate security architecture are at the forefront of every company’s attention. As many companies are experiencing their systems being hacked, security architectures can be put in place to minimize the severity of such attacks. The process begins with attempting to think like a hacker. This approach helps companies find vulnerabilities that they were not aware of and may not even have been able to envision.
Providing a Secure Architecture
There are four primary topics of secure architectures:
1. Isolation and least privilege
2. Access control concepts
3. Operating systems isolation
4. Browser isolation and least privilege
Within these topics, there are three main principles that help ensure a secure design:
1. Compartmentalization and isolation of data
2. Defense in depth by utilizing more than one security mechanism
3. Keeping the design simple yet effective
Privilege is an ability to access or modify a resource and to separate and limit the interaction between modules. Least privilege is the concept that a system module should only have the minimal privileges needed for its intended purposes and the entities it deals with, including people, processes, and devices. People should be assigned the fewest privileges consistent with their assigned duties and functions. For example, designing a restrictive “need-to-know” approach indicates zero access by default and then provides security privileges as required.
Figure 5.1 Reference monitor review of user data requests.
Figure 5.2 Permissions to read or write to/from specific files.
An example of these is the principle of least privilege. This means that systems should only have the minimal amount of privileges required to complete the designated tasks. Granting too much system access to a miniscule task could be catastrophic if that task and eventually the entire system were compromised. For example, Sendmail was a utility within UNIX that had notorious vulnerabilities that could grant a hacker access to critical information by overflowing system buffers and then executing hacker software to compromise the entire system.
Access control is another key concept of secure system architecture. To access the system, a user must pass through a reference monitor before the user is granted access to secure files. This process is depicted in Figure 5.1.
However, this is not the only access control that is implemented within a secure architecture. Each resource that can be accessed can also have access controls associated with them, including read, write, and execute privileges, each depending on the level of access that is granted to a specific user. An example of this is illustrated in Figure 5.2.
Access control is an approach to restricting system access only to authorized users. The system knows who the user is, and their identity is authenticated by name, password, or further identification credentials. Any user’s access request or process is passed through a reference monitor acting as a gatekeeper and must be validated before the user or the process is granted access. There are two types of implementation concepts to accomplish this task—access control lists (ACLs) and access capabilities. ACLs associate a list with each object and the reference monitor checks the user/group against the list after the user or process has first been authenticated. First, authentication must occur, and then access to certain files and systems must be separately granted through matching by means of the ACLs, which identify which of the many researches a particular user or process is allowed access to. Capabilities do not require reauthentication but rather are assigned by means of an unforgettable ticket, managed by either a random bit sequence on a ticket or by the operating system maintaining a ticket file.
In addition, role-based access control (RBAC) can be utilized for access control by assigning permissions to a set of users or groups to enable or restrict those users to perform specific roles or be assigned to specific resources. For example, roles can consist of individuals assigned to engineering, marketing, or projects and can be assigned to access specific resources such as servers 1, 2, 3, or a combination thereof.
Operating systems also have the ability to provide security and control access by managing computer hardware and software resources. The operating system can assign permissions or access rights to specific users and groups of users by controlling the ability of those users to view or make changes to the contents of specific files and file systems.
UNIX access control systems have at least one user with the right to access (a granted privilege) any file of the system that is available to the root user and has the assigned special “root” ID, allowing one to bypass access control restrictions. In the UNIX file access control list, each file has an owner who has read, write, and execute permissions assigned by the root owner. Only this root owner can change permissions for the file. This is a flexible system and provides some protection for most users, but it can be too tempting to rely only on root privileges for security since there is no way to gain a root privilege without all root privileges being granted. Weaknesses with UNIX isolation and privileges can exist in the following:
■ Network-facing daemons: These can expose root processes with network ports open to all remote parties.
■ Rootkits: These allow system extension via dynamically loaded kernel modules.
■ Environment variables: LIBPATH is a system variable on UNIX computer operating systems that is used in the runtime linking process, where it influences the search order for shared libraries at alternate locations. It is considered an environment variable similar to the variable LD LIBRARY PATH on IBM’s AIX UNIX Operating Systems.
■ Shared resources: Since any process can create files in/tmp directory, an untrusted process may create files that are used by arbitrary system processes.
■ Time-of-check-to-time-of-use (TOCTTOU): Typically, a root process uses a system call to determine if the initiating user has permission to access a particular file, for example, /tmp/X. After access is authorized and before the file is opened, the user may change the file/tmp/X to a symbolic link to a target file/etc/shadow.
Microsoft Windows access control is generally more flexible than UNIX and incorporates the additional concepts of tokens and security attributes. Windows uses security ID (SID) to replace user ID (UID) for users, groups, computers, domains, and domain members. Windows also uses tokens to verify security context, privileges, accounts, and groups, as well as a security reference monitor to examine the identity security context of a process or thread and to look for a user attempting to temporarily adopt the security context of a real, normally authorized user. Weaknesses with Windows isolation and privileges can exist in the following:
■ Rootkits leveraging dynamically loaded kernel modules
■ Windows registry: Global hierarchical database to store data for all programs
■ Enabled by default: Full permissions and functionality enabled
Browser Isolation and Least Privilege
The web browser enforces its own internal policy. If the browser implementation is corrupted, this mechanism becomes unreliable, and websites are designed to rely on existing browser security policies. Browser design decisions require compatibility with many types of system. A browser is only as useful as the sites it can render, which make it difficult to enforce “clean slate” design approaches. In a browser with process isolation, the isolated processes may still be allowed limited but controlled interaction between processes. However, this is meant to occur only if the processes mutually accept collaboration over the shared, interprocess communication (IPC) channels such as shared memory local sockets or Internet sockets. With this scheme, most of the process’s memory is isolated from other processes, except the variables/memory, where the process is allowing input from the collaborating processes.
Another key aspect of security is obviously preventing hijacking attacks. There are three main approaches to deal with hijacking: first, detecting and fixing known bugs in applications and system software as soon as they are made available; then, where buffer overflows occur and some are legitimate, conceding the overflows but preventing associated code execution; and last, adding specific run-time code to detect overflow exploits that might occur.
Key to developing a secure architecture is having the ability to think like a hacker. To think like a hacker, it is important to understand the full spectrum of cyber criminals. There are state-sponsored cyber criminals (like the Chinese Deep Panda and Russian groups), political extremist cyber criminals (the hacker group Anonymous), cyber-criminal organizations (the Mexican mafia), criminal gangs that use stolen information such as those in South Florida and the Bahamas, and rogue cyber criminals (a “script kiddie”). By understanding the spectrum of the hacking community, organizations can better understand and anticipate the severity of a threat and attribute unwanted activity to one of these classifications based on the nature and severity of the threat.
There are a number of ways that a hacker can go about entering an unauthorized system. Exploratory research of the network must first be done so that the hacker can gain detailed information on the company they will be penetrating and its people. While this is the most important aspect of security, it is a key step that most organizations gloss over when it comes to cyber security. Companies provide technical barriers to entry into their computer environment but ignore their most vulnerable component—protecting passwords and access credentials. Stealing passwords and other access credentials are the most common means for hackers to gain access to into systems. The most common method, as described in the discussion in Chapter 2 on the Anthem break-in, are spear phishing, honeypots, and the downloading of keylogging routines to discover passwords and two-factor identification information and then to discover the complete layout of the company’s information environment.
There are then a number of technical ways that hackers can crack a user’s encrypted password, once acquired. Hackers currently use graphics processing units (GPUs) to calculate various character combinations in order to brute force the eventual cracking of a user’s password and allow a complete download of a company’s password file. GPUs are used in this situation due to their high rate of calculation speed when running a password-cracking algorithm.
Overall, designing secure systems must be at the forefront of a system administrator’s mind. However, it also helps to think of how vulnerabilities within code can be patched by simply thinking like a hacker. Recognizing that passwords are still the biggest way that hackers gain access to systems allows system administrators to implement better password policies for their companies and to train all employees to be aware of the techniques that hackers use to trick employees into giving up their passwords and ID information.
In order to defend against hackers and potential attacks, it is important to first understand the process that hackers use when sizing up potential targets. There follows a brief summary of the steps taken by hackers before, during, and after an attack:
1. Perform reconnaissance
2. Identify appropriate targets with particularly useful passwords—systems technicians
3. Attract the victim using spear phishing, honeypots, and watering holes
4. Gain control
5. Exfiltrate data and conscript
6. Incorporate persistent presence enabling software with the target company’s systems
7. Hide all evidence of the entry
8. Continue to use the company’s systems as a testbed for new versions of the malware and entirely new malware
9. Use one company’s resources to invade and commandeer interconnected companies
10. Get out and hide
Antivirus software can help save users between some of the later stages. It is not a save all, though, since antivirus software can only detect what it understands. Exploits such as Zero Day have been generally undetectable as a result of their having been entered by a trusted employee and embedded in critical command and control (C&C) systems by a trusted source. It is difficult to deter attacks that do not appear on attack radars in the first place. If it’s not what you are looking for, it is just harder to discover and eliminate.
Spear Phishing and Behavioral Attacks
Spear phishing plays on the trust, behavior, and perception of targeted users. The most common attacking method is through e-mail. The metaphor of phishing is about luring a broad range of users into completing a specific action. This differs from spear phishing, which is targeted at a specific individual or a select group of individuals. Spear phishing behaves more like an intelligent spam and can defeat even the most advanced and skeptical of users. This method becomes most effective when the credibility of the situation is accurate and it is mixed with a technical wrapping, such as spoofing the e-mail domain of a trusted source and asking for a response to a common request—such as a request to open a form and fill in your annual goals, which you then forward to your supervisor. It happens all the time correctly and can happen once with a hacker.
Spoofing, Digital Misrepresentation, and Mobile Security
Many individuals have a false perception that since their mobile devices are simple to use, they are not subject to same dangerous situations that plague standard computing devices. What plagues smartphones and other mobile devices is that they are almost always transmitting information, and they are frequently and consistently connected. In 2012, over 1.6 million Americans had information taken from them through the use of their smartphone. Some companies have created remote wipe features as a method to prevent data from being used once it has been maliciously stolen.
QUESTIONS
1. List the four main topics of secure architectures.
2. How do you prevent hijacking attacks?
3. What is the most popular way for hackers to get into systems?
4. What are the key elements to providing a secure architecture?