Your SlideShare is downloading. ×
Kevin Cardwell
1
 Dispelling myths
 Ingress and Egress
 Hardening
 The good and the bad
 Memory analysis
 Server 2008/2012 security e...
 The compromise was inevitable!
 APT, sophisticated attackers etc etc
MYTH!
2011 – 94% servers
2012 – 54%
Mobile - 71%
...
 Traffic coming into your network
 Implemented by almost all organizations
 Security policy determines what is allowed ...
 One of the most neglected areas of filtering
◦ Most organizations neglect to filter traffic leaving their network
◦ Even...
 If site is not 24/7
◦ Shut off access going out to the Internet
 Block the well known malware ports of communication
 ...
 Harden them!
 OWASP application testing guide
 www.owasp.org
 Harden the SQL databases
◦ Upgrade MS to SQL Server 200...
 NSA Guides
◦ http://www.nsa.gov/ia/guidance/security_configur
ation_guides/index.shtml
 Center for Internet Security
◦ ...
 Provided by Microsoft
 Can customize
 Allows for baseline comparisons
9
 Application Whitelisting
 Patch Applications
 Patch Operating System
 Minimize the number of users with privileged
ri...
11
 We have gotten better at security
 The hackers have gotten better at hacking
 Patch system is broken
 Residual risk
...
13
 We have to run several tools to extract
needed information
◦ Executable image
◦ Command used to invoke
◦ Runtime
◦ Secur...
15
16
17
 Process dissection
◦ Process explorer
18
 None of the previous tools will work in most
cases
 Perpetrators write their tools to avoid these
 Have to analyze the...
20
Source: Kaspersky Lab US
21
 Enhanced Mitigation Experience Toolkit
◦ Microsoft tool
 DEP and others => adds obstacles to exploitation
 Apply it to...
23
24
25
 Network Access Protection
◦ Restrict access based on client health
 Public Key Infrastructure
◦ Bind user identity to a...
 Secure boot
◦ Taken from Windows 8
◦ Hardware protection capable
 DNSSEC
◦ Robust and improved from Server 2008
 Data ...
Source: www.buildwindows.com 28
 Standard as of 2009
◦ Assigns a DevID to a device
 Hardware based
 TPM?
29
 Attacks are on the rise
 MTPM
◦ Expected release ?
 Was in 2012
◦ Provides hardware based protection of phones
 Devic...
 Segmentation and isolation
 Bind ports inside the bastion host
External
network
Screening
router
Bastion
host
DMZ
DMZ A...
32
33
34
35
 DNS Firewalls
 Internal Honeypots!
36
Upcoming SlideShare
Loading in...5
×

Kevin Cardwell "Defense is not that hard? So, why is so many not doing it right?"

835

Published on

According to the Verizon data breech report 90% of the attacks were not that difficult, and would have been prevented with practical security fundamentals, yet, we continue to see all of these large companies failing at the fundamentals of defense? Why! In this presentation I will discuss the importance for developing robust ingress and egress filtering to mitigate the threat of sophisticated malware. I will discuss the steps you need to take to defend from the majority of the known attacks. I will show the need and importance for analyzing your systems live memory. The talk will conclude with the importance of adding hardware based protection to your defenses. It is time we test the skills of the hacktivists and start at least doing the fundamentals right.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
835
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Transcript of "Kevin Cardwell "Defense is not that hard? So, why is so many not doing it right?""

  1. 1. Kevin Cardwell 1
  2. 2.  Dispelling myths  Ingress and Egress  Hardening  The good and the bad  Memory analysis  Server 2008/2012 security enhancements  BYOD security  “out of the box” network design 2
  3. 3.  The compromise was inevitable!  APT, sophisticated attackers etc etc MYTH! 2011 – 94% servers 2012 – 54% Mobile - 71% 2012 – 78% low difficulty 3
  4. 4.  Traffic coming into your network  Implemented by almost all organizations  Security policy determines what is allowed and configured in the filters  No traffic arriving at the perimeter should have an internal source address ◦ Commonly referred to as sanity checking  RFC 2267 provides guidance for filters to prevent denial-of-service attacks  Block ICMP Echo Reply messages to the broadcast address  Bogon Filtering CaseStudy of malware infection => 64% of traffic blocked by bogon filtering 4
  5. 5.  One of the most neglected areas of filtering ◦ Most organizations neglect to filter traffic leaving their network ◦ Even after the rise of DDoS attacks, many organizations still do not ◦ There will always be some out there who never will  These sites are used as amplifiers to attack other networks  The concept is simple:  Most attacks use a spoofed address to attack as the source ◦ When you egress filter, then the packet is dropped  Blackhole routing Do not allow traffic to leave your network that does not have a source address from within your network DDoS = distributed denial of service 5
  6. 6.  If site is not 24/7 ◦ Shut off access going out to the Internet  Block the well known malware ports of communication  http  ssh  https  Etc ◦ Monitor for attempts  All malware will attempt outbound connections  If no one is there, should be none  If 24/7 ◦ Only monitor critical systems  Servers should not initiate connections to the Internet ◦ Subscribe to a service  Watch for lookups of known malware nets 6
  7. 7.  Harden them!  OWASP application testing guide  www.owasp.org  Harden the SQL databases ◦ Upgrade MS to SQL Server 2008 or beyond ◦ Follow application hardening guides 7
  8. 8.  NSA Guides ◦ http://www.nsa.gov/ia/guidance/security_configur ation_guides/index.shtml  Center for Internet Security ◦ Benchmarks  www.cisecurity.org 8
  9. 9.  Provided by Microsoft  Can customize  Allows for baseline comparisons 9
  10. 10.  Application Whitelisting  Patch Applications  Patch Operating System  Minimize the number of users with privileged rights ◦ Disable the local admin account on domain computers 10
  11. 11. 11
  12. 12.  We have gotten better at security  The hackers have gotten better at hacking  Patch system is broken  Residual risk  www.zerodayinitiative.com 12
  13. 13. 13
  14. 14.  We have to run several tools to extract needed information ◦ Executable image ◦ Command used to invoke ◦ Runtime ◦ Security context ◦ DLLs and modules ◦ Memory 14
  15. 15. 15
  16. 16. 16
  17. 17. 17
  18. 18.  Process dissection ◦ Process explorer 18
  19. 19.  None of the previous tools will work in most cases  Perpetrators write their tools to avoid these  Have to analyze the raw image  Can do manually  Tools work the best 19
  20. 20. 20
  21. 21. Source: Kaspersky Lab US 21
  22. 22.  Enhanced Mitigation Experience Toolkit ◦ Microsoft tool  DEP and others => adds obstacles to exploitation  Apply it to one application at a time ◦ Harden legacy applications ◦ Temporary protection against known zero-day ◦ Permanent protection against targeted applications  Adobe etc  27 sample exploits ◦ EMET  Mitigated 22 of 27 easily  Mitigated all but 1 => Firefox => patch or use another 22
  23. 23. 23
  24. 24. 24
  25. 25. 25
  26. 26.  Network Access Protection ◦ Restrict access based on client health  Public Key Infrastructure ◦ Bind user identity to a public key  Trace origin of ownership ◦ Distributed trust hierarchies  RODC ◦ Read Only Domain Controllers  Software restriction policies ◦ Can allow or block based on hash, name, signature or origin 26
  27. 27.  Secure boot ◦ Taken from Windows 8 ◦ Hardware protection capable  DNSSEC ◦ Robust and improved from Server 2008  Data classification built-in  ServerCore ◦ Can optionally load GUI and unload it 27
  28. 28. Source: www.buildwindows.com 28
  29. 29.  Standard as of 2009 ◦ Assigns a DevID to a device  Hardware based  TPM? 29
  30. 30.  Attacks are on the rise  MTPM ◦ Expected release ?  Was in 2012 ◦ Provides hardware based protection of phones  Device identity ◦ Similar to the TPM  Optimized for mobile platform ◦ Apple?  Did not participate  Proprietary solution - ????? 30
  31. 31.  Segmentation and isolation  Bind ports inside the bastion host External network Screening router Bastion host DMZ DMZ App Servers IDS 31
  32. 32. 32
  33. 33. 33
  34. 34. 34
  35. 35. 35
  36. 36.  DNS Firewalls  Internal Honeypots! 36

×