Computer Security Summer Scholars 2018 Matt Vander Werf HPC System - - PowerPoint PPT Presentation



SLIDE 1

Computer Security

Summer Scholars 2018 Matt Vander Werf HPC System Administrator

SLIDE 2

Security in HPC

  • HPC is especially a target for hackers and malicious acts

Why?

SLIDE 3

Security in HPC

  • Prestige
  • Computing resources
    – Financial Gain
    – Break encryption
    – To facilitate attacks elsewhere

  • Academic research
  • DOE/NSF/NIH/DOD funded projects
SLIDE 4

Common Security Goals

  • C.I.A. Triad:
    – Confidentiality: keep others from having access to your data without permission
    – Integrity: keep others from altering your data without permission
    – Availability: information should be accessible and modifiable in a timely fashion by those with permission to do so

SLIDE 5

Types of Security

  • Physical Security
  • Computer Security
  • Network Security
SLIDE 6

Vulnerabilities vs. Threats/Attacks

  • Vulnerabilities come from inside the system
  • Threats come from outside the system
  • A threat is blocked by the removal of a vulnerability
  • Vulnerabilities allow attacks to take place
  • An attack is an action to harm the system by exploiting a vulnerability of the system

SLIDE 7

4 Basic Types of Threats/Attacks

  • Eavesdropping
  • Alteration
  • Denial-of-Service (DoS)
  • Masquerading
SLIDE 8

Eavesdropping

  • The interception of information/data intended for someone else during its transmission
  • Doesn’t include modification
  • Examples:
    – Packet sniffers: monitor nearby Internet traffic
    – Computer surveillance

SLIDE 9

Alteration

  • Unauthorized modification of information
  • Examples:

    – Computer viruses which modify critical system files
    – Man-in-the-middle (MitM) attack: information is modified and retransmitted along a network stream

SLIDE 10

MitM Attack Example

https://www.veracode.com/security/man-middle-attack

SLIDE 11

Denial-of-Service (DoS)

  • The interruption or degradation of a data service or information access
  • Examples:
    – E-mail spam: to the degree that it is meant to slow down an e-mail server
    – Denial-of-Service (DoS) attacks
      • Make a machine or network resource unavailable to its intended users
      • Overwhelming a web server, bringing down a website
      • Consume memory or CPU resources of a server
  • https://www.digitalattackmap.com
SLIDE 12

Masquerading

  • The fabrication of information that is purported to be from someone who is not the actual author
  • Examples:
    – E-mail spam
    – Phishing for information that could be used for identity theft or other digital theft
    – Spoofing of IP addresses, websites, official communication

SLIDE 13

Phishing

  • Phishing is a very common occurrence
  • Over 1.2 million unique e-mail campaigns in 2016, a 65% increase over 2015
  • Annual worldwide impact as high as $5 billion (2014)
  • Can be used by a ransomware attack
  • https://www.youtube.com/watch?v=AHJzSuWcpOc

SLIDE 14

Specific Examples of Threats/Attacks

  • Heartbleed

    – Vulnerability in the OpenSSL library used by the majority of servers, especially web & mail servers, to secure communication & data channels
    – Discovered/disclosed in April 2014; vulnerability existed for around two years prior; close to 70% of the web affected
    – Allowed hackers to obtain usernames/passwords, encryption keys, and other sensitive information that was stored in the server’s memory
    – Affected a large majority of the CRC’s servers; all were patched shortly after disclosure
    – More info: https://heartbleed.com/

SLIDE 15

Social Engineering

  • Techniques involving the use of human insiders to circumvent computer security solutions
  • Social engineering attacks can be powerful!
  • Often the biggest vulnerability can be the human being who is in charge of administrating the system

SLIDE 16

Types of Social Engineering

  • Pretexting: creating a story that convinces an administrator or operator into revealing info
  • Baiting: offering a kind of “gift” to get a user or agent to perform an insecure action (i.e. free stuff if you download some virus)
  • Quid pro quo (“something for something”): offering an action or service and then expecting something in return

SLIDE 17

Pretexting Example

SLIDE 18

Social Engineering Example

  • “What is Your Password?”:
    – https://www.youtube.com/watch?v=opRMrEfAIiI
  • “What’s Your Password?” (v2):
    – https://www.youtube.com/watch?v=UzvPP6_LRHc

SLIDE 19

Ransomware

  • Type of malicious software that blocks access to the victim's data or threatens to publish or delete it until a ransom is paid (usually in Bitcoins).
  • Examples: CryptoLocker, WannaCry, Petya/NotPetya
  • https://www.youtube.com/watch?v=d_dyi9CWieo

SLIDE 20

Well-Known Services/Ports

  • SSH (Secure Shell)
    – Port 22 over TCP
    – Used to administer a machine remotely
    – Also used by SCP (Secure Copy) and SFTP
  • HTTP/HTTPS (Web)
    – Port 80 over TCP (HTTP, Unencrypted)
    – Port 443 over TCP (HTTPS, Encrypted)
  • FTP/SFTP (File Transfer Protocol)
    – Port 21 over TCP (FTP, Unencrypted)
    – Port 115 over TCP (SFTP, Encrypted)

SLIDE 21

Defending Against Attacks

  • Firewalls

    – Can help protect a network by filtering incoming or outgoing network traffic based on a predefined set of rules, called firewall policies
    – Policies are based on properties of the packets being transmitted, such as:

  • The protocol being used, such as TCP or UDP
  • The source and destination IP addresses and ports
  • The payload of the packet being transmitted
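
A sketch of how such a policy is evaluated, added here as an example and not part of the original slides: rules are checked in order, the first match decides, and traffic that matches no rule is dropped. The rule set, the addresses (documentation ranges) and the `decide` helper are assumptions for illustration; payload matching is left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "ACCEPT" or "DROP"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR notation
    dport: Optional[int]   # destination port; None matches any port

    def matches(self, proto: str, src_ip: str, dport: int) -> bool:
        return (self.proto in ("any", proto)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and self.dport in (None, dport))

# Constructed policy; addresses are documentation ranges, not real hosts.
POLICY = [
    Rule("DROP",   "any", "203.0.113.0/24", None),  # blocklisted range, checked first
    Rule("ACCEPT", "tcp", "192.0.2.0/24",   22),    # SSH from the admin network only
    Rule("ACCEPT", "tcp", "0.0.0.0/0",      80),    # HTTP from anywhere
    Rule("ACCEPT", "tcp", "0.0.0.0/0",      443),   # HTTPS from anywhere
]
DEFAULT_ACTION = "DROP"  # default-deny: anything no rule matches is dropped

def decide(proto: str, src_ip: str, dport: int) -> str:
    """Return the action of the first matching rule, else the default."""
    for rule in POLICY:
        if rule.matches(proto, src_ip, dport):
            return rule.action
    return DEFAULT_ACTION

# Constructed sample packets: (protocol, source IP, destination port)
PACKETS = [
    ("tcp", "192.0.2.10",   22),   # SSH from the admin network
    ("tcp", "198.51.100.7", 22),   # SSH from elsewhere
    ("tcp", "198.51.100.7", 443),  # HTTPS from elsewhere
    ("tcp", "203.0.113.5",  443),  # HTTPS from the blocklisted range
    ("udp", "198.51.100.7", 443),  # wrong protocol for the HTTPS rule
    ("tcp", "198.51.100.7", 21),   # FTP, which no rule allows
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(pkt, "->", decide(*pkt))
```

Moving the blocklist rule below the HTTPS rule would let the fourth packet through, which is why rule order is part of the policy.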
SLIDE 22

Defending Against Attacks (cont.)

  • Use of secure, hard-to-guess passwords
    – Combination of upper-case, lower-case, numbers, and special characters (&, ^, !, ., *, @, etc.)
    – Do NOT use dictionary words or phrases!
    – Should be at least 10 characters in length (if not longer!)
    – Don’t re-use passwords for multiple services/sites
    – Use a password manager (LastPass, 1Password, etc.)

SLIDE 23

https://xkcd.com/936/

SLIDE 24

Defending Against Attacks (cont.)

  • Employ Access Control Lists (ACLs)
    – Restrict access to only those who need access
  • Keep systems/devices patched with the latest security updates (Important!)
  • Use secure communication channels
    – HTTPS → Use HTTPS Everywhere!
      • https://www.eff.org/HTTPS-everywhere
  • Use an Ad Blocker (uBlock Origin, Adblock Plus, etc.)

SLIDE 25

What Does the CRC Do?

  • Physical security: Union Station
  • Firewalls: OIT Border Firewall, iptables on individual machines

  • Vulnerability Scanning
  • Secure passwords; limited “root” access
  • Use of Access Control Lists (ACLs)
  • Apply security updates & fix vulnerabilities
  • DenyHosts: block known bad host IPs
SLIDE 26

Vulnerability Scanning

  • Nessus Professional Vulnerability Scanner
  • Scans for vulnerabilities on our systems
  • Find and patch vulnerabilities before they can get exploited
  • Weekly scans of our public network infrastructure

SLIDE 27

Real Life Example

  • “Stuxnet: Anatomy of a Computer Virus”:
    – https://vimeo.com/25118844 (2011)
  • Zero Days (documentary):
    – http://www.zerodaysfilm.com/
    – http://www.imdb.com/title/tt5446858/

SLIDE 28

Real Life Example

  • “Hackers Remotely Kill a Jeep on the Highway—With Me in It”:
    – https://www.youtube.com/watch?v=MK0SrxBC1xs (2015)
    – https://blog.kaspersky.com/blackhat-jeep-cherokee-hack-explained/9493/

SLIDE 29

Real Life Example

  • “Hacking a "Smart" Sniper Rifle | Security”:

– https://www.youtube.com/watch?v=BJPCYdjrNWs (2015)

SLIDE 30

Questions?