Computer Security Summer Scholars 2016 Matt Vander Werf HPC System - - PowerPoint PPT Presentation

SLIDE 1

Computer Security

Summer Scholars 2016
Matt Vander Werf
HPC System Administrator

SLIDE 2

Security in HPC

  • HPC is especially a target for hackers and malicious acts

Why?

SLIDE 3

Security in HPC

  • Prestige
  • Computing resources
    – Financial Gain
    – Break encryption
    – To facilitate attacks elsewhere
  • Academic research
  • DOE/NIH/DOD funded projects

SLIDE 4

Common Security Goals

  • C.I.A. Triad:
    – Confidentiality: keep others from having access to your data without permission
    – Integrity: keep others from altering your data without permission
    – Availability: information should be accessible and modifiable in a timely fashion by those with permission to do so

SLIDE 5

Types of Security

  • Physical Security
  • Computer Security
  • Network Security

SLIDE 6

Vulnerabilities vs. Threats/Attacks

  • Vulnerabilities come from inside the system
  • Threats come from outside the system
  • A threat is blocked by the removal of a vulnerability
  • Vulnerabilities allow attacks to take place
  • An attack is an action to harm the system by exploiting a vulnerability of the system

SLIDE 7

4 Basic Types of Threats/Attacks

  • Eavesdropping
  • Alteration
  • Denial-of-Service (DoS)
  • Masquerading

SLIDE 8

Eavesdropping

  • The interception of information/data intended for someone else during its transmission
  • Doesn’t include modification
  • Examples:
    – Packet sniffers: monitor nearby Internet traffic
    – Computer surveillance

SLIDE 9

Alteration

  • Unauthorized modification of information
  • Examples:
    – Computer viruses which modify critical system files
    – Man-in-the-middle (MitM) attack: information is modified and retransmitted along a network stream

SLIDE 10

MitM Attack Example

https://www.veracode.com/security/man-middle-attack

SLIDE 11

Denial-of-Service (DoS)

  • The interruption or degradation of a data service or information access
  • Examples:
  • E-mail spam: to the degree that it is meant to slow down an e-mail server
  • Denial-of-Service (DoS) attacks
  • Make a machine or network resource unavailable to its intended users
  • Overwhelming a web server, bringing down a website
  • Consume memory or CPU resources of a server

SLIDE 12

Masquerading

  • The fabrication of information that is purported to be from someone who is not the actual author
  • Examples:
    – E-mail spam
    – Phishing for information that could be used for identity theft or other digital theft
    – Spoofing of IP addresses, websites, official communication

SLIDE 13

Specific Examples of Threats/Attacks

  • Heartbleed
    – Vulnerability in the OpenSSL library used by majority of servers, especially web & mail servers, to secure communication & data channels
    – Discovered/disclosed in April 2014; vulnerability existed for around two years prior; close to 70% of web affected
    – Allowed hackers to be able to obtain usernames/passwords, encryption keys, and other sensitive information that was stored in the server’s memory
    – Affected a large majority of the CRC’s servers; all were patched shortly after disclosure
    – More info: https://heartbleed.com/

SLIDE 14

Social Engineering

  • Techniques involving the use of human insiders to circumvent computer security solutions
  • Social engineering attacks can be powerful!
  • Often the biggest vulnerability can be the human being who is in charge of administrating the system

SLIDE 15

Types of Social Engineering

  • Pretexting: creating a story that convinces an administrator or operator into revealing info
  • Baiting: offering a kind of “gift” to get a user or agent to perform an insecure action (i.e. free stuff if you download some virus)
  • Quid pro quo (“something for something”): offering an action or service and then expecting something in return

SLIDE 16

Pretexting Example

SLIDE 17

Well-Known Services/Ports

  • SSH (Secure Shell)
    – Port 22 over TCP
    – Used to administer a machine remotely
    – Also used by SCP (Secure Copy) and SFTP
  • HTTP/HTTPS (Web)
    – Port 80 over TCP (HTTP, Unencrypted)
    – Port 443 over TCP (HTTPS, Encrypted)
  • FTP/SFTP (File Transfer Protocol)
    – Port 21 over TCP (FTP, Unencrypted)
    – Port 115 over TCP (SFTP, Encrypted)

SLIDE 18

Defending Against Attacks

  • Firewalls
    – Can help protect a network by filtering incoming or outgoing network traffic based on a predefined set of rules, called firewall policies
    – Policies are based on properties of the packets being transmitted, such as:
      • The protocol being used, such as TCP or UDP
      • The source and destination IP addresses and ports
      • The payload of the packet being transmitted

SLIDE 19

Defending Against Attacks (cont.)

  • Use of secure, hard-to-guess passwords
    – Combination of upper-case, lower-case, numbers, and special characters (&, ^, !, ., *, @, etc.)
    – Do NOT use dictionary words!
    – Should be at least 8 characters in length (if not longer)
    – Don’t re-use passwords for multiple services/sites
    – Use a password manager (LastPass, 1Password, etc.)

SLIDE 20

https://xkcd.com/936/

SLIDE 21

Defending Against Attacks (cont.)

  • Employ Access Control Lists (ACLs)
    – Restrict access to only those who need access
  • Keep systems/devices patched with the latest security updates (Important!)
  • Use secure communication channels
    – HTTPS → Use HTTPS Everywhere!
      • https://www.eff.org/HTTPS-everywhere

SLIDE 22

What Does the CRC Do?

  • Physical security: Union Station
  • Firewalls: OIT Border Firewall, iptables on individual machines
  • Vulnerability Scanning
  • Secure passwords; limited “root” access
  • Use of Access Control Lists (ACLs)
  • Apply security updates & fix vulnerabilities
  • DenyHosts: block known bad host IPs

SLIDE 23

Vulnerability Scanning

  • QualysGuard Vulnerability Management
    https://www.qualys.com
  • Scans for vulnerabilities on our machines
  • Find and patch vulnerabilities before they can get exploited
  • Weekly scans of our public network infrastructure

SLIDE 24

Real Life Example

  • “Stuxnet: Anatomy of a Computer Virus”:
    – https://vimeo.com/25118844

SLIDE 25

Questions?