Computer Security
Summer Scholars 2016
Matt Vander Werf, HPC System Administrator

Security in HPC
• HPC is especially a target for hackers and malicious acts. Why?

Security in HPC
• Prestige
• Computing resources
  – Financial gain
  – Break encryption
  – To facilitate attacks elsewhere
• Academic research
• DOE/NIH/DOD funded projects

Common Security Goals
• C.I.A. Triad:
  – Confidentiality: keep others from having access to your data without permission
  – Integrity: keep others from altering your data without permission
  – Availability: information should be accessible and modifiable in a timely fashion by those with permission to do so

Types of Security
• Physical Security
• Computer Security
• Network Security

Vulnerabilities vs. Threats/Attacks
• Vulnerabilities come from inside the system
• Threats come from outside the system
• A threat is blocked by the removal of a vulnerability
• Vulnerabilities allow attacks to take place
• An attack is an action to harm the system by exploiting a vulnerability of the system

4 Basic Types of Threats/Attacks
• Eavesdropping
• Alteration
• Denial-of-Service (DoS)
• Masquerading

Eavesdropping
• The interception of information/data intended for someone else during its transmission
• Doesn’t include modification
• Examples:
  – Packet sniffers: monitor nearby Internet traffic
  – Computer surveillance

Alteration
• Unauthorized modification of information
• Examples:
  – Computer viruses which modify critical system files
  – Man-in-the-middle (MitM) attack: information is modified and retransmitted along a network stream

MitM Attack Example
https://www.veracode.com/security/man-middle-attack

Denial-of-Service (DoS)
• The interruption or degradation of a data service or information access
• Examples:
  – E-mail spam: to the degree that it is meant to slow down an e-mail server
  – Denial-of-Service (DoS) attacks
    • Make a machine or network resource unavailable to its intended users
    • Overwhelming a web server, bringing down a website
    • Consume memory or CPU resources of a server

Masquerading
• The fabrication of information that is purported to be from someone who is not the actual author
• Examples:
  – E-mail spam
  – Phishing for information that could be used for identity theft or other digital theft
  – Spoofing of IP addresses, websites, official communication

Specific Examples of Threats/Attacks
• Heartbleed
  – Vulnerability in the OpenSSL library used by the majority of servers, especially web & mail servers, to secure communication & data channels
  – Discovered/disclosed in April 2014; the vulnerability existed for around two years prior; close to 70% of the web affected
  – Allowed hackers to obtain usernames/passwords, encryption keys, and other sensitive information that was stored in the server’s memory
  – Affected a large majority of the CRC’s servers; all were patched shortly after disclosure
  – More info: https://heartbleed.com/

Social Engineering
• Techniques involving the use of human insiders to circumvent computer security solutions
• Social engineering attacks can be powerful!
• Often the biggest vulnerability can be the human being who is in charge of administering the system

Types of Social Engineering
• Pretexting: creating a story that convinces an administrator or operator to reveal info
• Baiting: offering a kind of “gift” to get a user or agent to perform an insecure action (e.g. free stuff if you download some virus)
• Quid pro quo (“something for something”): offering an action or service and then expecting something in return

Pretexting Example

Well-Known Services/Ports
• SSH (Secure Shell)
  – Port 22 over TCP
  – Used to administer a machine remotely
  – Also used by SCP (Secure Copy) and SFTP
• HTTP/HTTPS (Web)
  – Port 80 over TCP (HTTP, Unencrypted)
  – Port 443 over TCP (HTTPS, Encrypted)
• FTP/SFTP (File Transfer Protocol)
  – Port 21 over TCP (FTP, Unencrypted)
  – Port 115 over TCP (SFTP, Encrypted)

Defending Against Attacks
• Firewalls
  – Can help protect a network by filtering incoming or outgoing network traffic based on a predefined set of rules, called firewall policies
  – Policies are based on properties of the packets being transmitted, such as:
    • The protocol being used, such as TCP or UDP
    • The source and destination IP addresses and ports
    • The payload of the packet being transmitted

Defending Against Attacks (cont.)
• Use of secure, hard-to-guess passwords
  – Combination of upper-case, lower-case, numbers, and special characters (&, ^, !, ., *, @, etc.)
  – Do NOT use dictionary words!
  – Should be at least 8 characters in length (if not longer)
  – Don’t re-use passwords for multiple services/sites
  – Use a password manager (LastPass, 1Password, etc.)

https://xkcd.com/936/

Defending Against Attacks (cont.)
• Employ Access Control Lists (ACLs)
  – Restrict access to only those who need access
• Keep systems/devices patched with the latest security updates (Important!)
• Use secure communication channels
  – HTTPS → Use HTTPS Everywhere!
    • https://www.eff.org/HTTPS-everywhere

What Does the CRC Do?
• Physical security: Union Station
• Firewalls: OIT Border Firewall, iptables on individual machines
• Vulnerability Scanning
• Secure passwords; limited “root” access
• Use of Access Control Lists (ACLs)
• Apply security updates & fix vulnerabilities
• DenyHosts: block known bad host IPs

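The "DenyHosts: block known bad host IPs" bullet is the kind of detection that can be reproduced in a few lines; the following is an added example, not DenyHosts' own code. It counts failed sshd logins per source IP over constructed auth-log lines, skips an assumed campus network (10.0.0.0/8) so that a mistyped password from inside cannot lock out administrators, and renders the TCP-wrappers style `sshd: <ip>` lines that DenyHosts-type tools append to /etc/hosts.deny.

```python
import ipaddress
import re
from collections import Counter
from typing import Iterable, List

# Matches the sshd failure lines seen in /var/log/auth.log or /var/log/secure.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log lines (hypothetical host names and documentation-range IPs).
SAMPLE_LOG = """\
Jul 12 10:01:02 hpc-login1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jul 12 10:01:04 hpc-login1 sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 40130 ssh2
Jul 12 10:01:06 hpc-login1 sshd[2205]: Failed password for root from 203.0.113.7 port 40144 ssh2
Jul 12 10:01:09 hpc-login1 sshd[2209]: Accepted publickey for alice from 10.1.2.3 port 51000 ssh2
Jul 12 10:01:15 hpc-login1 sshd[2212]: Failed password for alice from 10.1.2.3 port 51004 ssh2
Jul 12 10:01:18 hpc-login1 sshd[2214]: Failed password for alice from 10.1.2.3 port 51006 ssh2
Jul 12 10:01:21 hpc-login1 sshd[2216]: Failed password for alice from 10.1.2.3 port 51008 ssh2
Jul 12 10:02:30 hpc-login1 sshd[2220]: Failed password for invalid user test from 198.51.100.9 port 33001 ssh2
"""

def count_failures(log_text: str) -> Counter:
    """Count failed sshd logins per source IP; successful logins are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def bad_hosts(log_text: str, threshold: int = 3,
              allow_nets: Iterable[str] = ("10.0.0.0/8",)) -> List[str]:
    """IPs with at least `threshold` failures, excluding the allow-listed networks."""
    nets = [ipaddress.ip_network(n) for n in allow_nets]
    result = []
    for ip, n in count_failures(log_text).items():
        if n >= threshold and not any(ipaddress.ip_address(ip) in net for net in nets):
            result.append(ip)
    return sorted(result)

def hosts_deny_lines(ips: Iterable[str]) -> List[str]:
    """Render /etc/hosts.deny entries in TCP-wrappers syntax for the sshd service."""
    return [f"sshd: {ip}" for ip in ips]
```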
Vulnerability Scanning
• QualysGuard Vulnerability Management: https://www.qualys.com
• Scans for vulnerabilities on our machines
• Find and patch vulnerabilities before they can get exploited
• Weekly scans of our public network infrastructure

Real Life Example
• “Stuxnet: Anatomy of a Computer Virus”:
  – https://vimeo.com/25118844

Questions?