Information Assurance Foundations (pptx)


Information Assurance Foundations - SANS GIAC LevelOne © 2000, 2001
Information Assurance
Foundations
Core issues and challenges
Stephen Northcutt
The SANS Institute
Hello. My name is Stephen Northcutt and the material we are going to cover this next hour is central
to understanding the theory and practice of information security. This is a foundational course,
developed for the SANS LevelOne Security Essentials certification program. When you complete
this course there will be a quiz available from the SANS web page to help reinforce the material and
ensure your mastery of it.
In the next 45 minutes or so, I am going to take you on a tour of three famous attacks to see what
lessons we can learn from them. Along the way, we are going to discuss the three key dimensions of
protection and attack. Most of you are already familiar with them. They are: confidentiality,
integrity, and availability. Throughout the LevelOne Security Essentials certification program, you
will be deploying countermeasures to protect confidentiality, integrity, and availability; and you may
experience attacks against these dimensions. We can think of these as the “primary colors” of
information assurance. By mixing and matching them (and we do mix and match, because they are
interrelated) we can build either a very strong attack or a very strong defense.
Agenda
• Principles of attack and defense
• Three famous attacks
• Introduction to vulnerabilities
• Basic countermeasures
• Summary
The next slide is titled “Agenda”.


This slide shows the main topics we are going to cover. We will discuss the threats that are arrayed
against our computer systems. To focus that discussion, we will be concerned with some of the more
famous attacks that have occurred. Now, information assurance can get really complex, but these
kinds of problems decompose nicely. As we work our way through the material, we are going to be
pointing out aspects of the confidentiality, integrity, and availability, in both the attacks and also the
defenses we discuss. So if you are new to security, or if you just want a quick review, the way I
think about these things is – a credit card.
Have you ever had a credit card not be accepted? Three different times in a row, when I was buying
tires at a local store in my town, my credit card did not clear. All three times, the bank said their
computers were down. Well, that is an availability attack. Well, it certainly felt like an attack to
me! I live in a small town and a lot of people know me – and so to have my card rejected was very
embarrassing. Confidentiality makes sure that no one but you knows your credit card number. An
example of a confidentiality defense is the way that “key” on the bottom of your browser turns solid
when you are executing a secure transaction: the bit stream is encrypted, so an eavesdropper on the
wire sees only ciphertext. An example of an integrity attack would be telling someone they lie so
much, their own mother doesn’t believe them! (Ha ha - well, maybe that’s not exactly right.) A better
example would be spoofing a purchase with someone else’s credit card, or modifying the balance of
someone else’s account.
Three Bedrock Principles
• Confidentiality
• Integrity
• Availability
Your next slide is titled “Three Bedrock Principles”.
Keep in mind that the keys we have been discussing are interrelated. So, an attacker may exploit an
unintended function on a web server and use the cgi-bin program “phf” to list the password file.
Now, this would breach the confidentiality of this sensitive information (the password file). Then,
in the privacy of their own computer system, the attacker can run brute force or dictionary-driven
password attacks against it. Note that the stored passwords are one-way hashes, not ciphertext, so the
attacker does not decrypt anything: they hash each candidate password with the account’s salt and
compare the result with the stolen hash. This only works if the hashes were in the file at all, which is
why a shadowed password file, leaving only an “x” in the password field of /etc/passwd, is such a
cheap defense. Then, with a stolen password, the attacker can execute an integrity attack when they
gain entrance to the system. They can even use an availability attack as part of this overall effort to
neutralize alarms and defensive systems, so they can’t report the intrusion. When this is completed,
the attacker can fully access the target system, and all three dimensions (confidentiality, integrity and
availability) are in jeopardy.
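To make the “crack, don’t decrypt” point concrete, here is an added example (not part of the SANS course material) of a dictionary-driven attack run against a leaked password file. The hash format, salt$sha256(salt+password), is a constructed stand-in for crypt(3); the user names, passwords and word list are likewise constructed. The shape of the attack is the same as against a real /etc/passwd, and the shadowed root entry shows why an “x” in the hash field gives the attacker nothing to work with.

```python
import hashlib
from typing import Dict, Iterator, List, Optional, Tuple


def make_hash(salt: str, password: str) -> str:
    """Stand-in for crypt(3): a salted one-way hash stored as 'salt$hexdigest'.
    There is no inverse; the only way back to the password is to guess it."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


# Constructed /etc/passwd-style lines (user:hash:uid:gid:gecos:home:shell).
# root is shadowed ("x"), so the leaked file carries no hash for it at all;
# alice chose a mangled dictionary word; bob chose a random passphrase.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/sh",
    f"alice:{make_hash('ab', 'Sunshine1')}:1001:1001:Alice:/home/alice:/bin/sh",
    f"bob:{make_hash('cd', 'x7#qLp9!zR')}:1002:1002:Bob:/home/bob:/bin/sh",
])

# Constructed word list; a real attacker would use tens of thousands of entries.
WORDLIST: List[str] = ["dragon", "letmein", "sunshine", "password"]


def parse_passwd(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (user, salt, stored_hash) for every account that still has a hash
    in field 2. 'x', '*' and '!' mean shadowed or locked: nothing to attack."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        user, hashfield = fields[0], fields[1]
        if hashfield in ("x", "*", "!") or "$" not in hashfield:
            continue
        salt = hashfield.split("$", 1)[0]
        yield user, salt, hashfield


def mutations(word: str) -> Iterator[str]:
    """The usual cheap manglings: capitalisation and a numeric/punctuation suffix."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "123", "!"):
            yield base + suffix


def dictionary_attack(passwd_text: str, wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Hash every candidate with the account's own salt and compare with the
    stored hash. Returns {user: recovered_password_or_None} for each attackable
    account; shadowed accounts never appear because there was nothing to try."""
    results: Dict[str, Optional[str]] = {}
    for user, salt, stored in parse_passwd(passwd_text):
        results[user] = None
        for word in wordlist:
            for candidate in mutations(word):
                if make_hash(salt, candidate) == stored:
                    results[user] = candidate
                    break
            if results[user] is not None:
                break
    return results


if __name__ == "__main__":
    for user, pw in dictionary_attack(SAMPLE_PASSWD, WORDLIST).items():
        print(f"{user}: {'cracked -> ' + pw if pw else 'not in word list'}")
```

Alice’s “Sunshine1” falls to the third dictionary word after a trivial mangling, bob’s random passphrase never will, and root does not even appear in the results because the shadowed file gave the attacker no hash to test. The salt is what forces the attacker to redo the hashing per account rather than once per word list.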
Now, I chose a very simple, well-known attack for a reason. A large number (in fact, an
embarrassingly large number) of corporate, government, and educational systems that are
compromised and exploited are defeated by these well-known, well-published attacks.
Now, not all the bad things that happen to computer systems are attacks per se. There are fires,
water damage, mechanical breakdowns, and plain old user error. But all of these are called threats.
We use threat models to describe a given threat and the harm it could do if the system has a
vulnerability.
The LevelOne Threat Model
• Threat
• Vulnerability
• Compromise
Vulnerabilities are the gateways by which threats are manifested.
The next slide is titled “The LevelOne Threat Model.”
On the bottom of your slide, it says that “vulnerabilities are the gateways by which threats are
manifested”. So, for a threat model to have any meaning at all, there has to be a threat. Are there
people with the capability and inclination to attack - and quite possibly harm - your computer
systems and networks? What is the probability of that happening? The probability is high that any
publicly routable address will be probed or attacked several times a year. The most common countermeasure for
most organizations is to deploy firewalls or other perimeter devices. These work quite well to
reduce the volume of attacks that originate from the Internet, but they don’t protect systems from
insiders, or from attacks like macro viruses, which pass through almost any firewall because they
arrive inside the e-mail the firewall is configured to allow. We will be discussing threats in greater
detail in another LevelOne course in this very same step – it is called the “Internet Threat Briefing”.

So there is a threat, and there are certainly vulnerabilities, and when a threat is able to connect to its
specific vulnerability, the result can easily be system compromise. Again, the most common tactic is
to protect systems with perimeter devices such as firewalls. It’s cost-effective, it’s practical, and it’s
highly recommended. Even the most open universities and research environments, which need to stay
very open, should be able to do some perimeter defense, even if only at the department or building
level, or only at the host level.
Now we are ready to see what the LevelOne program is designed to do. It will teach you to identify
and repair the system and network vulnerabilities that allow many of the most well-known
confidentiality, integrity, and availability attacks to succeed. In that way, if your perimeter defense
should ever fail for any reason, you greatly reduce the risk of harm.
Three Lessons From History
• Morris worm
• Kevin Mitnick
• Melissa virus
Your next slide is titled “Three Lessons From History”.
Perhaps the three most famous information security defense failures are: the Morris worm, Mitnick
attack, and Melissa virus. We don’t have time in this course to explore each of these in detail, but
you should be familiar with each of these as a security professional. As homework, please try a ‘net
search for these attacks and read a bit more. There are information security lessons that we ought to
be able to learn from these well-known attacks. In each case, there was a computer system
vulnerability, and it was exploited.
In each of the cases, there was an absence of defense in depth. In fact, in the case of the Mitnick
attack and most systems affected by the Morris worm, the exploit did not have to penetrate any
defensive perimeters. So, that’s “defense in shallow”!
As we go through each of the attacks, try to look out for the three primary security dimensions:
confidentiality, integrity, and availability. Consider how the defenses for each failed, or did not exist
in the first place. The vulnerability is listed in every case; so please note how the threat was able to
exploit the vulnerability to compromise or affect the target system(s).
The Morris Worm
• Availability attack (denial of service)
• Common vulnerabilities in fingerd and sendmail allowed rapid replication
• Internet communications effectively lost
Your next slide is titled “The Morris Worm”.
If you haven’t read Zen and the Art of the Internet, you probably should. It is available at
We’ll do a small reading from that section:
“On November 2, 1988, Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating, self-propagating program called a worm and injected it into the Internet. He chose to release it from MIT, to disguise the fact that the worm came from Cornell. Morris soon discovered that the program was replicating and reinfecting machines at a much faster rate than he had anticipated: there was a bug. Ultimately, many machines at locations around the country either crashed or became "catatonic." When Morris realized what was happening, he contacted a friend at Harvard to discuss a solution. Eventually, they sent an anonymous message from Harvard over the network, instructing programmers how to kill the worm and prevent reinfection. However, because the network route was clogged, this message did not get through until it was too late. Computers were affected at many sites, including universities, military sites, and medical research facilities. The estimated cost of dealing with the worm at each installation ranged from $200 to more than $53,000.

The program took advantage of a hole in the debug mode of the Unix sendmail program, which runs on a system and waits for other systems to connect to it and give it email, and a hole in the finger daemon fingerd, which serves finger requests. People at the University of California at Berkeley and MIT had copies of the program and were actively disassembling it (returning the program back into its source form) to try to figure out how it worked.

Teams of programmers worked non-stop to come up with at least a temporary fix, to prevent the continued spread of the worm. After about twelve hours, the team at Berkeley came up with steps that would help retard the speed of the worm. Another method was also discovered at Purdue and widely published. The information didn't get out as quickly as it could have, however, since so many sites had completely disconnected themselves from the Internet.”
K. Mitnick vs. T. Shimomura
• Confidentiality, integrity and availability
attack
• Reconnaissance probing to determine
trust relationship (“r utilities”)
• IP spoofing to act as one side of trust
relationship
• Lack of site or system perimeter
defenses to retard or defeat attack
Your next slide is titled, “K. Mitnick vs. T. Shimomura”.
It was Christmas Eve, December 1994, when Kevin Mitnick executed his famous attack against
Tsutomu Shimomura. How did he defeat one of the most skilled information security professionals
in the country? Was it wizardry? No, it was a combination of basic attack principles, along with one
neat technical hack (predicting the target’s TCP initial sequence numbers, so that a blind, spoofed
connection could be completed without ever seeing the replies) that allowed this attack to succeed.
First, there was a confidentiality attack. There was no firewall or perimeter defense, so it was
possible to probe the facility to gather information. From the reconnaissance probing, Mitnick was
able to discover that there was a trust relationship between two of Shimomura’s systems.
Next, Mitnick exploited an availability vulnerability with an attack called a SYN flood to silence
one half of the trust relationship. With the real host unable to respond, he assumed that system’s
identity by spoofing its address and attacked the integrity of the trust relationship. When he got
control of the system, he was able to steal many sensitive files, including closely held security
programs that were virtually irreplaceable. When considering the damage to your organization from
a threat, be sure to consider what would happen if your organization’s most important secrets were lost.
It is worth noting that even though all of this succeeded, the attack would have failed if there had
been one more layer of defense - such as a system perimeter like TCP Wrappers with a “deny all
computers and then only allow trusted hosts to access the system” defensive policy.
(Editor’s note: TCPWrappers would likely NOT stop this attack. Mitnick spoofed Shimomura’s
address so that Mitnick’s computer appeared to be at the address used by Shimomura. The
additional layer of defense that COULD prevent the attack from succeeding would be to configure
the border router to block incoming packets with a source address that matched the site’s internal
address. – JFK)
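The two positions above (TCP Wrappers as the extra layer, and the editor’s counter that only ingress filtering at the border would have helped) can be checked side by side. The following is an added example, not code from the course: it models a host allow-list keyed on source address next to an RFC 2827-style ingress rule on the border router and runs both over a forged packet. The internal range 192.168.10.0/24, the trusted host 192.168.10.5, the interface names and the packets are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumed site layout: one internal range and one host the target trusts via the
# "r utilities" (rlogin/rsh trust is keyed on nothing but the source address).
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]
TRUSTED_HOSTS = {ipaddress.ip_address("192.168.10.5")}
EXTERNAL_IFACE = "ext"   # the border router's Internet-facing interface


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet ARRIVED on: "ext" (from the Internet) or "int"
    src: str     # source address as written in the IP header (may be forged)
    dst: str
    dport: int


def host_allowlist_permits(pkt: Packet) -> bool:
    """What TCP Wrappers' hosts.allow does: trust whatever source address the
    packet claims. A forged header passes this check as easily as a genuine one."""
    return ipaddress.ip_address(pkt.src) in TRUSTED_HOSTS


def ingress_filter_drops(pkt: Packet) -> bool:
    """Border-router rule (RFC 2827 ingress filtering): a packet arriving from the
    Internet whose source address belongs to the inside cannot be genuine."""
    src = ipaddress.ip_address(pkt.src)
    return pkt.iface == EXTERNAL_IFACE and any(src in net for net in INTERNAL_NETS)


def evaluate(packets: List[Packet], border_filter: bool) -> List[Tuple[str, str]]:
    """Return (src, verdict) for each packet, with or without the border rule."""
    verdicts = []
    for p in packets:
        if border_filter and ingress_filter_drops(p):
            verdicts.append((p.src, "dropped at border: internal source from outside"))
        elif host_allowlist_permits(p):
            verdicts.append((p.src, "accepted by host allow list"))
        else:
            verdicts.append((p.src, "denied by host allow list"))
    return verdicts


# Constructed traffic: a genuine trusted connection, the Mitnick-style forged
# one (trusted address, but it came in from the Internet), and a plain outsider.
SAMPLE = [
    Packet("int", "192.168.10.5", "192.168.10.20", 513),   # real rlogin from the trusted host
    Packet("ext", "192.168.10.5", "192.168.10.20", 513),   # forged: same address, wrong side
    Packet("ext", "203.0.113.9", "192.168.10.20", 513),    # attacker under his own address
]


def summary(border_filter: bool) -> List[str]:
    """Just the verdict strings for SAMPLE, for a quick before/after comparison."""
    return [verdict for _, verdict in evaluate(SAMPLE, border_filter)]


if __name__ == "__main__":
    for flag in (False, True):
        print(f"border ingress filter {'on' if flag else 'off'}:")
        for src, verdict in evaluate(SAMPLE, flag):
            print(f"  {src:15} {verdict}")
```

With the border rule off, the host allow-list accepts the forged packet exactly as it accepts the genuine one, which is the editor’s point. Two caveats: the rule only works when the trusted host lives inside the filtered perimeter (a trusted host on the far side of the Internet looks the same as a forgery to the router), and it does nothing against the SYN flood that silenced the real host, which is an availability problem to be handled separately. The durable fix for address-based trust is not to use it.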
Melissa Virus
• Availability attack
• New “strain” slipped through most
perimeters
• Users activated macro despite
warnings
• Evidence of the danger of
monoculture
Your next slide is titled, “Melissa Virus”.
The Melissa macro virus was first observed Friday, March 26, 1999, and quickly became one of the most well-
known and widely-spread macro virus infections to date. Many sites were aware of Melissa on Friday, others
over the weekend, and of course still others found out Monday morning, so that Monday, March 29 was indeed a
challenging day. By late Friday, an excellent description of the virus, including how to identify and contain it at
the host level, had been developed and published by the Computer Emergency Response Team (CERT) at
Carnegie Mellon.
According to Network Associates’ (NAI’s) web site, the virus was first discovered on an "alt.sex" newsgroup
and spread rapidly. This extraordinarily rapid spread of Melissa serves as a warning of how fast a virus with an
unknown signature can spread. If you examine the virus source code, you can see the virus replicated so rapidly
by going through Microsoft Outlook address books and sending itself to the first 50 entries in each book.
Now, the Melissa virus did no damage in the sense of deleting or stealing files; and only sites with desktop
systems running Microsoft’s Outlook email client were directly affected. However, even systems that did not
spread the virus directly by email still had their Microsoft Word documents infected, and continued to pass on
the virus. Moreover, the cost of dealing with Melissa is in the millions of dollars. How did a virus that does no
explicit damage (such as deleting files) do so much harm? Wreak this much havoc? Well, most of the financial
losses are in the area of lost productivity. This is a big availability attack.
- Some sites have reported that they shut down email entirely for multiple days.
- Others lost email connectivity for several hours while cleaning the virus from their servers.
- System administrator and help desk resources were tied up fighting the virus for periods ranging from three to
five days at most affected organizations.
The Microsoft macro capability is a significant vulnerability, and the opportunity exists for far more serious
attacks than Melissa. And I find this quite interesting because almost all actual users of Microsoft Office
products rarely take advantage of the macro language, so disabling macro execution by default, and turning it
back on only for the few users who really need it, costs most organizations almost nothing.
Midpoint Review
• Principles of attack and defense
• Three famous attacks
• Introduction to vulnerabilities
• Basic countermeasures
• Summary
Your next slide is titled “Midpoint Review”.

At this point we are familiar with the basic security principles of confidentiality, integrity, and
availability. We have examined how these principles come into play with three famous attacks: the
Morris worm, the Mitnick attack, and the Melissa Word macro virus.
We have also discussed the threat model and its relationship to vulnerabilities. Vulnerabilities are
the gateways by which threats are made manifest. So next, let’s drill down into vulnerabilities a bit
more and examine the types of things that are commonly exploited. Keep in mind that there are
broad-based threats, but on the whole a particular type of threat has to find its matching
vulnerability. This is one reason the wise security professional is concerned about confidentiality
attacks such as reconnaissance probes - if the attacker can determine our specific configurations,
they can direct the appropriate attacks against our assets, and may well succeed.
So let’s start this section by taking a quick look at three common vulnerabilities that involve
Windows, Unix, and networking, and discuss how they work - keeping in mind the basic security
failures that occur to make these attacks possible. These vulnerabilities that we will talk about are:
- a confidentiality vulnerability called Windows NT null sessioning;
- a network availability vulnerability called echo – chargen;
- an integrity vulnerability against Unix systems: the IMAP buffer overflow.
Null Session
net use \\172.20.244.164\IPC$ "" /USER:""
Your next slide is titled “Null Session”.
The null session exploit is an attack against confidentiality. In essence, it’s just “finger” on steroids.
The attacker “logs in” to the Windows NT system using the “net use” command listed on your slide.
After logging in, it is possible to gather a great deal of information from the Windows Registry.
Though this could be done by hand, it would be very tedious, so there are tools to make this a
reasonable task. The tool shown in the screen shot is DumpACL by SomarSoft. It was available for
free from www.somarsoft.com, but they seem to have disappeared, which is a tragedy. They were
wonderful folks and were among the first folks to develop security information and tools for NT.
However, the software is still out on the Internet if you search with a ‘net search.

(Editor’s note: SomarSoft has granted distribution rights for its tools, including DumpACL (now called DumpSec) to SystemTools.com. DumpSec can be obtained from either or . - JEK)
The screenshot shown on the slide was from before I entered the “null session”. Afterwards, I would
be able to enumerate boatloads of information about users, if that system was vulnerable to a null
session attack. Enumerate is a popular term in the industry to describe what we used to call “depth
first, breadth second” searches. So what? Why do you care? Well, if you find a PDC or BDC
(Primary Domain Controller or Backup Domain Controller) you can use null sessioning to get a long
list of user names, including all the members of the Administrators group. Then you could try
consecutive “net use” commands against those names, trying different passwords. I am not really big
on passwords, since they can be sniffed, or attacked by brute force, but they do have their place.
There are a lot of weak passwords out there and every little bit helps. So, the longer we delay an
attacker while they try dictionary attacks on our passwords, the more likely we are to catch them in
the act. The direct fix on NT is to restrict what anonymous connections may enumerate (the
RestrictAnonymous value under the Lsa registry key, available from NT 4.0 Service Pack 3 on) and
to block the NetBIOS session port, TCP 139, at the perimeter; an account lockout threshold then turns
the password guessing that follows into a slow and noisy affair.
Echo-Chargen
08:08:16 spoofed.net.echo > 172.31.203.17.chargen: udp
08:21:48 spoofed.net.echo > 192.168.14.50.chargen: udp
08:25:12 spoofed.net.echo > 192.168.102.3.chargen: udp
08:42:22 spoofed.net.echo > 192.168.18.28.chargen: udp
08:47:21 spoofed.net.echo > 172.31.130.93.chargen: udp
08:51:27 spoofed.net.echo > 172.31.153.78.chargen: udp
08:53:13 spoofed.net.echo > 172.31.146.49.chargen: udp
echo, port 7: will echo back any data it receives
chargen, port 19: will transmit a stream of characters when it receives data
Vulnerability scans to locate echo, chargen, daytime ports are highly recommended
Your next slide is titled “Echo – Chargen”.
This is a classic availability attack. On your slide you have a trace of network traffic packet header
information showing two systems expending all their resources talking back and forth, with no
message of value being passed. If you send a packet to the echo port with the word “hello”, it will
respond back “hello”. If you send anything to the chargen port, it answers with a string of characters.
Soooo, what if you forge the source address of a host with the echo port open and send a packet to
the chargen port of a second host? The chargen host sends its string of characters back to what it
thinks is the sender, the echo port of the first host, which echoes the string back to the chargen port,
which answers again, and so on, until one of the hosts is rebooted or the link between them is
saturated. There is no logical reason for having these services available, but you see them active on
hosts (and sometimes routers) time and time again. Remember the TV commercial where the whole
football stadium was sucked into the argument over whether some cool refreshing malt beverage
“tasted great” or was “less filling”? Well, that could happen in your organization on your network if
you are vulnerable to echo - chargen.
This oscillation will also work with echo to daytime and echo to quote of the day, and between two
hosts’ echo ports. The fix is cheap: disable the small services (comment them out of inetd.conf on
Unix; “no service udp-small-servers” and “no service tcp-small-servers” on Cisco IOS routers) and
filter UDP ports 7, 13, 17 and 19 at the perimeter, since the forged packet that starts the loop usually
comes from outside.
Signature IMAP
00:25:09.57 prober.2666 > relay.143: S 111:111(0) win 0
00:25:09.59 prober.2666 > relay.143: S 111:111(0) win 0
00:42:50.79 prober.2666 > web.143: S 111:111(0) win 0
00:43:24.05 prober.2666 > relay.143: S 111:111(0) win 0
00:43:24.07 prober.2666 > relay.143: S 111:111(0) win 0
00:44:20.42 prober.2666 > relay2.143: S 111:111(0) win 0
00:44:42.62 prober.2666 > ns2.143: S 111:111(0) win 0
00:44:42.64 prober.2666 > ns2.143: S 111:111(0) win 0
00:44:42.67 prober.2666 > ns1.143: S 111:111(0) win 0
This tool crafts packets with a SEQ Number of 111

Your next slide is titled “Signature IMAP”.
We have covered a confidentiality attack and an availability attack; now let’s look at an integrity
attack. IMAP is a popular mail service on the Internet. The IMAP service is located at the well-
known port 143, as you can see on your slides in front of the big “S”.
This attack has a signature that makes it really easy to detect. Note the “111:111” beginning and
ending sequence numbers that are circled on our slide. We can tell when this particular attack
software is being used, just by those “111”s. Later in the LevelOne training, we will discuss how
firewalls often disrupt attacks by preventing the connections from being established. After all, that is
their purpose – to block packets except those destined for particular ports or those from two or three
particular addresses. Therefore it is a rare opportunity to be able to fingerprint a particular attack
exploit as early as the first packet in a connection attempt (what we call a SYN packet).
Now, if the attack succeeded, it would use a buffer overflow. So what is a buffer overflow? Well,
they come from programming errors where the program sets aside a fixed-size buffer for input but
never checks that the input actually fits. The overflow part means that the characters beyond the
buffer’s capacity are written over whatever sits next to it in memory, typically the saved return
address of the running function. The attacker fills the buffer with machine code and overwrites that
return address so that it points back into the buffer, and the service (running as root in the IMAP
case) executes the attacker’s code when the function returns. That is why this is an integrity attack:
the attacker changes the program’s control flow, not just its data.
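The echo/chargen trace and the IMAP probe trace on the two slides are both tcpdump-style one-liners, so one small parser can drive both detections: the “both ports are small services” test for the availability loop, and the “SYN with 111:111 and a zero window to port 143” fingerprint for the probe tool. This is an added example, not code from the course. The trace lines below are constructed in the style of the slides (placeholder host names, private and documentation addresses), with one ordinary NTP datagram and one normal IMAP connection added so the rules have something to ignore.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed trace in the style of the two slides (not a real capture).
TRACE = """\
08:08:16 spoofed.net.echo > 172.31.203.17.chargen: udp
08:21:48 spoofed.net.echo > 192.168.14.50.chargen: udp
08:30:02 192.168.14.50.chargen > spoofed.net.echo: udp
09:02:10 10.1.1.4.ntp > 10.1.1.1.ntp: udp
00:25:09.57 prober.2666 > relay.143: S 111:111(0) win 0
00:25:09.59 prober.2666 > relay.143: S 111:111(0) win 0
00:42:50.79 prober.2666 > web.143: S 111:111(0) win 0
00:44:42.67 prober.2666 > ns1.143: S 111:111(0) win 0
00:45:01.10 client.40211 > relay.143: S 2911123044:2911123044(0) win 8760
"""

# tcpdump prints well-known ports by name when /etc/services knows them;
# accept either spelling for the UDP "small services" that answer anything.
SMALL_SERVICES = {"echo": 7, "discard": 9, "daytime": 13, "qotd": 17, "chargen": 19}
SMALL_SERVICE_TOKENS = set(SMALL_SERVICES) | {str(p) for p in SMALL_SERVICES.values()}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$")
# The probe tool's fingerprint: a SYN with both sequence numbers 111 and a zero window.
IMAP_PROBE_RE = re.compile(r"^S 111:111\(0\) win 0$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split 'ts host.port > host.port: rest'; the port is whatever follows the last dot."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_host, src_port = m["src"].rsplit(".", 1)
    dst_host, dst_port = m["dst"].rsplit(".", 1)
    return {"ts": m["ts"], "src": src_host, "sport": src_port,
            "dst": dst_host, "dport": dst_port, "rest": m["rest"]}


def is_small_service_loop(pkt: Dict[str, str]) -> bool:
    """UDP with BOTH ends on a service that replies to anything: whichever side
    sent it, the other will answer, so one forged datagram starts an endless loop."""
    return (pkt["rest"].startswith("udp")
            and pkt["sport"] in SMALL_SERVICE_TOKENS
            and pkt["dport"] in SMALL_SERVICE_TOKENS)


def is_imap_probe(pkt: Dict[str, str]) -> bool:
    """SYN to the IMAP port carrying the 111:111 / win 0 signature from the slide."""
    return pkt["dport"] in ("143", "imap") and IMAP_PROBE_RE.match(pkt["rest"]) is not None


def analyze(trace: str) -> List[Dict[str, str]]:
    """Run both rules over every parsable line; return one alert dict per hit."""
    alerts = []
    for line in trace.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if is_small_service_loop(pkt):
            alerts.append({**pkt, "rule": "small-service loop (availability)"})
        elif is_imap_probe(pkt):
            alerts.append({**pkt, "rule": "IMAP overflow probe (integrity)"})
    return alerts


def top_sources(alerts: List[Dict[str, str]]) -> List[Tuple[str, int]]:
    """Sources ranked by alert count. 'spoofed.net' in the loop alerts is a forged
    address, which is exactly why the loop rule keys on ports and not on the sender."""
    return Counter(a["src"] for a in alerts).most_common()


if __name__ == "__main__":
    for a in analyze(TRACE):
        print(f"{a['ts']:12} {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']}  {a['rule']}")
    print(top_sources(analyze(TRACE)))
```

The loop rule fires on the reply datagram (chargen back to echo) as well as on the forged trigger, which is useful because on a real network the trigger is often not captured and only the resulting storm is. The IMAP rule is as brittle as any tool fingerprint: a probe tool with a randomised sequence number walks straight past it, so it belongs beside a generic “many SYNs to port 143 from one source” rule rather than in place of one.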
Summary of Vulnerabilities
• These common, well known
problems are being exploited every
day!
• Most common operating systems
and the networks they attach to
are vulnerable
Your next slide is titled “Summary of Vulnerabilities”.
To summarize the vulnerabilities section, we just took a quick look at three common ones: null
sessioning, echo-chargen, and an IMAP buffer overflow. These vulnerabilities affected Windows
NT, networked systems, and Unix respectively. There are two points here that I think it’s really
important that we understand.
First, these vulnerabilities were selected because they are very well known, and the exploits that take
advantage of these vulnerabilities are very widely available. There are a fairly sizable number of
these very well known attacks, and if you instrument a site with a large Internet presence with
intrusion detection, you will detect attacks with these exploits almost every day. So why do
attackers keep trying? Surely all those obvious holes are closed? No - not by a long shot! I have
found these “gimmes” are just a bit challenging to find, close, and keep closed. Just today, at one of
the sites I am responsible for, we found there was no password on any of the hubs or routers. You
want to talk about a huge hole? A gaping cavern! I was speechless!
The second point about these vulnerabilities is that they are almost universal. We have seen
examples for networks, Unix, and Windows, and I have little doubt that if Commodore 64s are
hooked up to the Internet, there is a way to attack them.
Roadmap
• Principles of attack and defense
• Three famous attacks
• Introduction to vulnerabilities
• Basic countermeasures
• Summary
Your next slide is titled “Roadmap”.
So what to do? Well, clearly we need to get a lot better at finding and correcting these
vulnerabilities. This is the primary thrust of the LevelOne program. However, since we can never
eliminate all the vulnerabilities, we need to establish a perimeter defense and deploy
countermeasures to make it harder for the attackers to make contact with the vulnerabilities and -
should it happen - to mitigate the damage. These countermeasures would include things like
assessment to find the problems; firewalls; intrusion detection; incident handling; good policy; and
configuration management. The essential principle here is to use a variety of disciplines to make the
enterprise harder to attack, and more robust in the event of an attack.
We want to find the holes and close them before the attackers find them and exploit them. How do
we do that? It turns out that a network-based vulnerability scanner is cost-effective and very
efficient for locating vulnerabilities. These are available for both Unix and NT, and they range from
free to fairly pricey. As long as you are spraying packets all over your network, you might as well
use that exercise for your organization’s maximum advantage and use the information that you
collect to generate an accurate network map. On our next slide, titled “Assessment,” we will take a
closer look at the techniques we can use to locate these vulnerabilities and fix them, before those
who would take advantage of us find them.
Assessment
• Network mapping
• Network vulnerability assessment
• Host vulnerability assessment
• Back doors
• Fix the problems!
The title of your next slide is “Assessment”.
I continue to be amazed by how dynamic large networks are. Hosts – even whole subnetworks –
come and go. By running network mapping tools on a fairly regular basis (read: every day), it is
possible to keep track of networks over time. Where I work, we have built scripts that use a tool
called nmap, and we try to run it every day, so there is a pretty good chance that we will detect the
changes to our environment.
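The daily-nmap habit only pays off if something compares today’s map with yesterday’s. The following is an added example, not the scripts the author refers to: it parses two inventories written in nmap’s grepable (-oG) output style and reports hosts and open ports that appeared or vanished between runs. Both inventories, the addresses and the host names are constructed for the example.

```python
import re
from typing import Dict, Set, Tuple

PortKey = Tuple[str, str]            # (port, protocol), e.g. ("22", "tcp")
Inventory = Dict[str, Set[PortKey]]  # ip -> set of open ports

# Constructed inventories in nmap -oG style (one "Host:" line per live host,
# tab-separated fields; only ports in state "open" are kept below).
YESTERDAY = "\n".join([
    "Host: 192.168.10.1 (gw)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///",
    "Host: 192.168.10.20 (relay)\tPorts: 25/open/tcp//smtp///, 143/open/tcp//imap///",
    "Host: 192.168.10.31 (lab-pc)\tPorts: 139/open/tcp//netbios-ssn///\tIgnored State: closed (999)",
])
TODAY = "\n".join([
    "Host: 192.168.10.1 (gw)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 23/open/tcp//telnet///",
    "Host: 192.168.10.20 (relay)\tPorts: 25/open/tcp//smtp///, 143/filtered/tcp//imap///",
    "Host: 192.168.10.77 ()\tPorts: 7/open/tcp//echo///, 19/open/tcp//chargen///",
])

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_grepable(text: str) -> Inventory:
    """Collect {ip: {(port, proto), ...}} from -oG lines, keeping state 'open' only."""
    inv: Inventory = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip = m.group(1)
        inv.setdefault(ip, set())
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")   # port/state/proto/owner/service/...
                if len(parts) >= 3 and parts[1] == "open":
                    inv[ip].add((parts[0], parts[2]))
    return inv


def diff_inventories(old: Inventory, new: Inventory) -> Dict[str, object]:
    """Hosts that came or went, and per-host ports that opened or closed."""
    new_hosts = set(new) - set(old)
    gone_hosts = set(old) - set(new)
    opened: Dict[str, Set[PortKey]] = {}
    closed: Dict[str, Set[PortKey]] = {}
    for ip in set(old) & set(new):
        if new[ip] - old[ip]:
            opened[ip] = new[ip] - old[ip]
        if old[ip] - new[ip]:
            closed[ip] = old[ip] - new[ip]
    return {"new_hosts": new_hosts, "gone_hosts": gone_hosts,
            "opened": opened, "closed": closed}


def daily_report(yesterday: str, today: str) -> Dict[str, object]:
    """Convenience wrapper: parse both inventories and diff them."""
    return diff_inventories(parse_grepable(yesterday), parse_grepable(today))


if __name__ == "__main__":
    for key, value in daily_report(YESTERDAY, TODAY).items():
        print(f"{key}: {value}")
```

A new host advertising echo and chargen, or telnet appearing on the gateway, is exactly the kind of change that deserves an alarm; run the comparison from cron after the scan and mail only the non-empty sections. The IMAP port going from open to filtered shows up as a closed port, so the report is also a cheap check that a fix you applied actually took.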
Now, it turns out that modern networks, operating systems, and programs are extremely complicated
and can exhibit a boatload of vulnerabilities. If you were to run a network-based vulnerability
scanner (such as Saint, ISS Security Scanner or NAI’s CyberCop, with nmap doing the port-scanning part) on a facility of any size, the
odds are you would uncover a large number of potential vulnerabilities. The report might be so
daunting that you might feel that there is no hope whatsoever. I know that is the way I felt at a
previous job when I first ran Satan - there were so many dangerous vulnerabilities listed, I didn’t
think I would ever get them all corrected. So a process to manage the cleanup, to fix these
vulnerabilities, is just as important as running the assessment tool in the first place.

A network-based scanner certainly does collect and report a lot of valuable information, but it can
only see the world from a certain perspective. A host-based vulnerability scanner can find lots of
potential problems a network-based tool can’t find. You know, one of the most famous host-based
scanners is the now pretty aged COPS program for Unix computers.
Since modems are standard on computers these days, there is a very high probability that you may
have backdoors into your network. By backdoors we mean access points other than the primary
connection to the Internet. There are phone scanners such as ToneLoc or PhoneSweep that can find
modems on auto-answer, but this is a very hard problem.
The Role of Perimeter Defense
• Doors and locks on doors
–Lock the windows too
• Perimeters inside perimeters
• Should chokepoints fail closed?
–Every device can fail. Be sure it fails
to a known state
Your next slide is titled “The Role of Perimeter Defense”.
Since there are more vulnerabilities than we can possibly correct, what are we going to do? Most of us simply
sigh and count on our firewalls and other perimeter defenses. In some sense, that is certainly what I do.
Military history teaches us very clearly though, that if we are going to depend on perimeter defenses, we need
to secure the entire perimeter. If you are going away on a vacation for two weeks you probably lock the
windows of your house as well as the doors.
So, a final point in evaluating or designing perimeters that we want to consider is “permission to fail”. You see,
everything fails under some condition, so we must plan for it. If perimeters are so important to securing our
facility, then when they fail we need them to fail to a known state. The common wisdom is for them to fail
safe, or fail closed – so, if your firewall failed, no packets would be forwarded from one network interface to
the other. Now, this is very valuable from a confidentiality and integrity standpoint. But it could negatively
affect availability (or hand an attacker a denial of service: crash the firewall and the whole site is cut off),
especially since the firewall typically is a bottleneck or choke point into our organization. The opposite choice,
fail open, keeps the traffic flowing at the price of an unfiltered perimeter, which is why a failure nobody
notices is the worst case of all. And that serves as another example of why confidentiality, integrity and
availability should never be considered separately when evaluating the potential risk of a security
architecture.
At this time I would like to introduce a new term, one that underlies good information assurance practice:
defense in depth. One layer of defenses is just not enough. A firewall is good, but a firewall coupled with
system defenses such as NukeNabber for Windows, or TCP Wrappers for Linux is much better. A firewall and
system defenses, coupled with intrusion detection systems that identify attacks so that we can analyze the
attacks and tune our perimeter defenses, allows us to reach a solid security posture – the kind that lets me sleep
at night! On the next slide, titled “The Role Of Intrusion Detection,” I am going to discuss a model that I
have found to be helpful in over a decade in information security with a very strong focus on intrusion
detection. It is to Protect (secure the systems to the extent possible), Detect (learn to detect and analyze the
attacks directed against my organization), React (strengthen the defenses based on the analysis of the attack).
Protect, Detect, React.
The Role of Intrusion Detection
[Slide diagram: the Protect, Detect, React loop. Anomalous events (known | unknown) feed the IDS, which reports to the analyst, who analyzes them and feeds the result back into the defenses.]
Intrusion detection is at least partly misnamed. Generally, what is detected are attempts, and most of
the time they are simply reconnaissance probes. On the other hand, reconnaissance probes most
assuredly are confidentiality attacks. It may be a bad idea to view intelligence gathering efforts,
however, as “intrusions” because probes are completely legal in some countries, and almost never
punished in countries where they aren’t legal.

Now, I have to confess, the Protect, Detect, React model that I am showing you on your slide is
part of a bigger model – the United States Department of Defense’s Information Assurance model:
Protect, Detect, React, Defend, Reconstitute, and Recover. There are two primary roles for intrusion
or anomaly detection systems in this model.
The analyst observes and analyzes the attack and reconnaissance-gathering attempts and ensures the
organization’s defenses are properly configured to withstand these confidentiality, integrity, or
availability attacks. These activities support the protect aspect of the model. So we see them
coming in, we analyze them, we make sure our defenses will hold, the shields are holding. This type
of analysis helps the organization to resist the current threat – the most current threat - arrayed
against it, and it promotes sound security engineering. However, I have to tell you, it is the road less
traveled.
The more common application of intrusion detection systems is that of a “burglar alarm”. When
they match a known attack signature, they raise an alarm in near-real-time. Experience has shown
that the majority of these attacks will turn out to be “false positives”. The real detects, the ones that
are not false positives, put the organization in a foot race with the attacker. If it is a one-packet kill
and it penetrated the perimeter, the odds are very high that we will detect the event after it happened
– near-real-time is too late! However, if the intrusion attempt is part of a sequence of actions, it is
entirely possible the attack can be neutralized by a variety of responses, ranging from dropping the
connection to firing back with forged RST (reset) packets.
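As an added illustration (not part of the course material), the following Python sketch separates the two paths on the slide: a “known” event is caught by a burglar-alarm style signature match, and an event with no signature is checked against a configuration baseline of authorised host/port pairs and surfaced to the analyst as an “unknown” anomaly. The signatures, baseline, addresses and traffic records are all constructed sample data.

```python
from collections import namedtuple

Event = namedtuple("Event", "src dst dport payload")  # src/dst address, dest TCP port, payload bytes

# Constructed known-attack signatures: (name, port or None for any port, payload substring or None).
SIGNATURES = [
    ("netbus-connect", 12345, None),
    ("phf-cgi-probe", 80, b"GET /cgi-bin/phf"),
]
# Constructed configuration baseline: the ports each internal host is authorised to serve.
BASELINE = {"10.0.0.5": {22, 80}, "10.0.0.9": {25}}

def match_signature(ev, signatures=SIGNATURES):
    """'Known' path (the burglar alarm): return the first matching signature name, or None."""
    for name, port, needle in signatures:
        if port is not None and ev.dport != port:
            continue
        if needle is not None and needle not in ev.payload:
            continue
        return name
    return None

def off_baseline(ev, baseline=BASELINE):
    """'Unknown' path: True when the target host/port is not in the baseline."""
    return ev.dport not in baseline.get(ev.dst, set())

def classify(ev):
    """Triage one event: ('alarm', signature), ('anomaly', reason) or ('benign', None)."""
    name = match_signature(ev)
    if name:
        return ("alarm", name)
    if off_baseline(ev):
        return ("anomaly", f"{ev.dst}:{ev.dport} not in baseline")
    return ("benign", None)

def triage(events):
    """Count verdicts over a batch; the 'anomaly' bucket is what the analyst reviews by hand."""
    counts = {"alarm": 0, "anomaly": 0, "benign": 0}
    for ev in events:
        counts[classify(ev)[0]] += 1
    return counts

# Constructed sample traffic: a benign request, a signature hit, a NetBus-port connect,
# and a connect to a port the baseline does not list (no signature, so it is an anomaly).
SAMPLE = [
    Event("192.0.2.10", "10.0.0.5", 80, b"GET /index.html HTTP/1.0"),
    Event("192.0.2.10", "10.0.0.5", 80, b"GET /cgi-bin/phf HTTP/1.0"),
    Event("192.0.2.44", "10.0.0.9", 12345, b""),
    Event("192.0.2.44", "10.0.0.9", 1433, b""),
]
```

Note that the third record is both a signature hit and off-baseline; the signature wins, which is the near-real-time alarm the text describes, while the fourth record reaches the analyst only because a baseline exists.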
Slide 18: Incident Handling
• Prepare, detect, contain, eradicate, recover, lessons learned
• Role of CIRTs and law enforcement
• Personal incident handling policy
• Allows organization to accept risks
Your next slide is titled “Incident Handling”.
Bad things happen, and that is why incident response is a critically important capability for a robust organization. Computer incidents are not limited to computer network attacks. When we were developing the SANS book Incident Handling Step by Step, several of the contributors stated the largest computer incident they had ever been involved with was the Northridge earthquake in California.
All organizations have incident response functionality; that is, they will respond to an incident in
some manner. However, it may not be a formalized process. Since handlers are often working
under stressful conditions, a formal process can help prevent mistakes while under fire. A formal
process can also help to reduce problems when the organization must interface with CIRTs
(Computer Incident Response Teams) and law enforcement agencies. The most well-known process
for incident handling is the six step model: prepare, detect, contain, eradicate, recover and lessons
learned. This process is taught in the LevelOne program, and it dovetails well with the IA model we
just discussed for intrusion detection. A formal (trained, practiced) capability will allow the
organization to prepare, and should produce a more effective capability.
You know, in order to do business on the Internet, you’ve got to take some risk. It’s pretty simple.
You’re going to have to open some holes in your firewall, these sorts of things. And so the
organization that has an effective incident handling team can take a little more risk, because in the
event something bad happens, they can reconstitute and recover and get back in the game pretty darn
quickly.
Every member of your organization is an incident handler in some sense. In the LevelOne program,
we will learn both the theory and pragmatics of incident handling.
(Editor’s note: Incident Handling is discussed briefly in LevelOne, but covered in depth in the LevelTwo Advanced Incident Handling and Hacker Exploits module. – JEK)
Slide 19: Configuration Management
• Risk assumed by one is shared by all
• Baseline
• Building permits
• Personal building permits
Your next slide is titled “Configuration Management”.
The primary attacker strategy is to scan, looking for a vulnerable system, and then establish a beachhead or foothold by
compromising that system. Then the vulnerable host that got compromised can be used to attack other systems, either in
the same facility or in other organizations. This is one reason for the statement that “risk assumed by one is shared by
all”. In the early stages of protecting a site, a perimeter defense such as a firewall is about the only reasonable thing you
can do. While chokepoint defenses such as firewalls can yield some protection to internal systems, they can be
circumvented in a number of ways, so the organization turns its focus to identifying and fixing vulnerabilities – what we
call “hardening” systems. It takes a lot of energy to get to a known, reasonable configuration. How do you maintain that
state?
Configuration management is the discipline of establishing a known baseline condition, and then managing that
condition. Now, of course change is inevitable, and change is generally thought of in two major categories: repairs and
improvements. (I am personally quite perplexed why fixing something that is broken isn’t an improvement, but that’s
another story.) While vulnerabilities may occur while fixing something, they are far, far more likely to occur when
deploying something new. We can label adding software, upgrades, new features, new systems, all of these things as
“new construction”.
Before you can do new construction you need a building permit, and part of the building permit process is a design
review and an inspection. The building permit process gives the organization an opportunity to ensure that the new
construction introduces no new vulnerabilities into an organization. Of course, it’s not foolproof, but it sure is better than
not doing anything at all. And it has a lot of benefits! Perhaps the most significant is that the earlier in the development
life cycle you identify a problem, the cheaper it is to fix it. All improvement starts with one person willing to exert the
energy needed to make a difference. If your organization doesn’t have configuration management, and doesn’t plan to
ever implement configuration management, you can still implement configuration management on the things that you are
responsible for. You can add to your personal IA policy that before you build new construction, you are going to
develop a test for it and make sure you have thought through how to back out the change if it doesn’t work.
For configuration management to be truly successful, we need instrumentation such as system scanners, network mapping, and vulnerability scanners to detect unauthorized change. Only a facility with an accurate baseline is likely to practice anomaly detection, to find attacks for which there are no known signatures.
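Added example, not from the course: a minimal baseline-and-diff check in Python of the kind the paragraph calls for. It records permission bits and a SHA-256 hash per file and reports what has changed since the baseline was taken. The before/after file contents are constructed; snapshot() is what you would run against a real directory tree.

```python
import hashlib
from pathlib import Path

def fingerprint(data):
    """SHA-256 of file content; a different hash means the content changed."""
    return hashlib.sha256(data).hexdigest()

def snapshot(root):
    """Walk a directory tree and record {relative path: (permission bits, sha256)} as the baseline."""
    root = Path(root)
    base = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        base[str(path.relative_to(root))] = (path.stat().st_mode & 0o7777, fingerprint(path.read_bytes()))
    return base

def snapshot_from_contents(files):
    """Same structure built from an in-memory {path: (mode, bytes)} mapping, used for the sample below."""
    return {p: (mode, fingerprint(data)) for p, (mode, data) in files.items()}

def diff_baseline(baseline, current):
    """Report paths added, removed, content-modified or permission-changed since the baseline."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for p in sorted(set(baseline) | set(current)):
        if p not in baseline:
            report["added"].append(p)
        elif p not in current:
            report["removed"].append(p)
        else:
            (old_mode, old_hash), (new_mode, new_hash) = baseline[p], current[p]
            if old_hash != new_hash:
                report["modified"].append(p)
            if old_mode != new_mode:
                report["mode_changed"].append(p)
    return report

# Constructed config tree before and after an unreviewed change: the TCP Wrappers hosts.allow
# was opened to ALL and made world-writable, and a new startup script appeared.
BEFORE = {"etc/inetd.conf": (0o644, b"ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n"),
          "etc/hosts.allow": (0o644, b"sshd: 10.0.0.0/255.0.0.0\n")}
AFTER = dict(BEFORE, **{"etc/hosts.allow": (0o666, b"sshd: ALL\n"),
                        "etc/rc.local.new": (0o755, b"/usr/local/bin/newservice &\n")})

def sample_report():
    """Diff the constructed states; a real run diffs a saved snapshot() against a fresh one."""
    return diff_baseline(snapshot_from_contents(BEFORE), snapshot_from_contents(AFTER))
```

Keep the saved baseline somewhere the systems being checked cannot write to, otherwise an intruder who gains root can simply re-baseline after making changes.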

Slide 20: Why Policy Really Matters
• Randall Schwartz case
• Policy as insurance
• Policy to define domains of responsibility
• Personal policy
• Good Policy/Bad Policy
How many times have you tried to go do the right thing and you get the answer, “Sorry, but that’s
against policy”. You may find it hard to believe when I tell you that policy can work for you! The
Randall Schwartz case is a well-known example. Randall, a renowned Perl programmer and system
administrator, ran crack - a password testing program - and found himself in legal trouble. They
were actually trying to lock him up.
Hello! In LevelOne we are going to encourage you to run crack and/or L0phtCrack to assess your
systems. But make sure you have a SIGNED policy first. Not a verbal, not an email message; a
signed policy. Accept no substitute! Think of it as your “get out of jail free” card. I would no more
recommend jumping out of an airplane without life insurance than running crack without a signed
“insurance” policy.
Good policy, then, can be your friend. It can determine who can make the hard calls in an
emergency and under what conditions. If you are required to handle emergencies of any sort, you
should create a personal policy. Whatever your job title or situation, there are things you are allowed
to do. And under emergency conditions, you are probably allowed to do more! Write it down – it
shouldn’t be more than two pages. Thick tomes are a sure sign of bad policy! Brief your personal
policy to your co-workers, brief it at least one management level up, and get it signed. You sign it,
too. Is that really necessary? Look - if you are on a callback list or you wear a pager, you need a
personal policy!
Slide 21: Defense in Depth
• Perimeter protection
• Anti-virus
• Basic auditing (NT/Unix/Linux)
• What is your role and responsibility for these?
The next slide is titled “Defense in Depth”.
Are we there yet? The picture we have painted so far is that a good security architecture, one that can
withstand the threat, has many aspects and dimensions. To borrow another expression from the Department of
Defense, we need defense in depth - we need to be intrusion tolerant. We need to be certain that if one
countermeasure fails, there are more behind it. If they all fail, we need to be ready to detect that something
has occurred and clean up the mess expeditiously and completely, and then tune our defenses to keep it from
happening to us again.
One of the most effective attacks that penetrates standard perimeters is malicious code. These are things like
viruses and Trojan software. They come in as attachments to email messages and on those floppies we bring
in from home (even though we aren’t supposed to), and the CD-ROMs we bring home from DEFCON. These
can do a lot of damage. Most people have heard of BackOrifice and NetBus but there are a score of other
Trojans. The best defense is keeping your anti-virus software up to date, and scanning at the firewall, server,
and desktop level. It isn’t particularly expensive or hard, but it takes discipline.
I find systems all the time that don’t even record when successful and unsuccessful logons and logoffs occur.
That's just basic, sensible auditing and they don't turn it on. If there is ever a problem, how will we run it to
ground? You may or may not be in a position where you can affect whether these things are done at your
organizational level, but you can often take the responsibility for your office, shop, division, or desktop.
There are even personal firewall software products – like TCP Wrappers, NukeNabber, BackOfficer Friendly,
AtGuard, ConSeal – these range from free to commercial software, and they provide perimeter protection at
the host level. I use a personal firewall on my home systems when I connect to my ISP so that I can stop the
simple attacks that many of my friends have experienced. The threat is targeting each of us. What role and
responsibility are you willing to accept for defense in depth?
(Editor’s note: AtGuard was purchased by Symantec and is now Norton Internet Security; ConSeal still offers its PC Firewall product, but ConSeal Private Desktop was purchased by McAfee and is now McAfee Personal Firewall. These products are discussed later in LevelOne. – JEK)
Slide 22: Putting it all Together
• Principles of attack and defense
• Three famous attacks
• Introduction to vulnerabilities
• Basic countermeasures
• Summary
Your last slide is titled “Putting it all Together”.
We have covered a lot of ground and have laid a solid foundation for the coursework that lies ahead.
LevelOne is designed to equip system administrators and security professionals to identify and repair
vulnerabilities and so achieve defense in depth.
The information security field is challenging and dynamic. It’s actually full of fear, that’s what it is!! Every
day you come in and you have no idea if you’re going to be able to handle the problems of that day…
You will be expected to master a wide range of material that ranges from firewalls to policy. I was promoted
recently to a security manager position and I found out that we could not hire the people – the trained people
– my organization needed. I was really getting frustrated - we had money, plenty of it, and we couldn’t staff
the positions with qualified employees. We needed professionals with experience in incident handling,
perimeter design, intrusion detection, configuration management, vulnerability assessment, and repair. This is
a significant problem, and it’s at least national, if not international! I asked around and all my peers had the
same issue: they couldn’t find the trained people either. Want to know the worst part? There were areas that I
knew I was deficient in as well. They included NT vulnerability assessment and security perimeters for
switched networks. None of us know – well, at least most of us don’t know – all of the things that we need to
know in order to really do our job.
So, when I accepted the offer to develop LevelOne, I did it to make a difference – to improve my skills so I
could raise the bar at my facility. This curriculum has been revised over one hundred times. It is based on the
advice and comments from many business sectors and all levels of organizations, from system administrators to CIOs. The combination of core knowledge, specific training and hands-on testing is already making a
difference both in government and private sector organizations. This is a demanding program. You can’t
simply sit through a certain number of hours of training. You can’t even just take a test and be done with it.
You have to demonstrate mastery of critical skills. That takes work and persistence. If you stick with it, you
will have the tools and techniques you need to make a difference and you will have a resume that makes a
manager like me smile!
Slide 23
Course Revision History
v1.1 Oct 24, 1999
v1.2 Jun 19, 2000
v1.3 edited by J. Kolde, reconciled with audio 6/28/00
v1.4 – edited by J. Kolde, adjusted grayscale for b/w printing – 22 Nov 2000
v1.41 – editor’s note on slide 7, F. Kerby - 13 January 2001
