Your SlideShare is downloading. ×
Kevin Cardwell "Defense is not that hard? So, why is so many not doing it right?"
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Kevin Cardwell "Defense is not that hard? So, why is so many not doing it right?"

695
views

Published on

According to the Verizon data breech report 90% of the attacks were not that difficult, and would have been prevented with practical security fundamentals, yet, we continue to see all of these large …

According to the Verizon data breech report 90% of the attacks were not that difficult, and would have been prevented with practical security fundamentals, yet, we continue to see all of these large companies failing at the fundamentals of defense? Why! In this presentation I will discuss the importance for developing robust ingress and egress filtering to mitigate the threat of sophisticated malware. I will discuss the steps you need to take to defend from the majority of the known attacks. I will show the need and importance for analyzing your systems live memory. The talk will conclude with the importance of adding hardware based protection to your defenses. It is time we test the skills of the hacktivists and start at least doing the fundamentals right.

Published in: Technology

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
695
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Kevin Cardwell 1
  • 2.  Dispelling myths  Ingress and Egress  Hardening  The good and the bad  Memory analysis  Server 2008/2012 security enhancements  BYOD security  “out of the box” network design 2
  • 3.  The compromise was inevitable!  APT, sophisticated attackers etc etc MYTH! 2011 – 94% servers 2012 – 54% Mobile - 71% 2012 – 78% low difficulty 3
  • 4.  Traffic coming into your network  Implemented by almost all organizations  Security policy determines what is allowed and configured in the filters  No traffic arriving at the perimeter should have an internal source address ◦ Commonly referred to as sanity checking  RFC 2267 provides guidance for filters to prevent denial-of-service attacks  Block ICMP Echo Reply messages to the broadcast address  Bogon Filtering CaseStudy of malware infection => 64% of traffic blocked by bogon filtering 4
  • 5.  One of the most neglected areas of filtering ◦ Most organizations neglect to filter traffic leaving their network ◦ Even after the rise of DDoS attacks, many organizations still do not ◦ There will always be some out there who never will  These sites are used as amplifiers to attack other networks  The concept is simple:  Most attacks use a spoofed address to attack as the source ◦ When you egress filter, then the packet is dropped  Blackhole routing Do not allow traffic to leave your network that does not have a source address from within your network DDoS = distributed denial of service 5
  • 6.  If site is not 24/7 ◦ Shut off access going out to the Internet  Block the well known malware ports of communication  http  ssh  https  Etc ◦ Monitor for attempts  All malware will attempt outbound connections  If no one is there, should be none  If 24/7 ◦ Only monitor critical systems  Servers should not initiate connections to the Internet ◦ Subscribe to a service  Watch for lookups of known malware nets 6
  • 7.  Harden them!  OWASP application testing guide  www.owasp.org  Harden the SQL databases ◦ Upgrade MS to SQL Server 2008 or beyond ◦ Follow application hardening guides 7
  • 8.  NSA Guides ◦ http://www.nsa.gov/ia/guidance/security_configur ation_guides/index.shtml  Center for Internet Security ◦ Benchmarks  www.cisecurity.org 8
  • 9.  Provided by Microsoft  Can customize  Allows for baseline comparisons 9
  • 10.  Application Whitelisting  Patch Applications  Patch Operating System  Minimize the number of users with privileged rights ◦ Disable the local admin account on domain computers 10
  • 11. 11
  • 12.  We have gotten better at security  The hackers have gotten better at hacking  Patch system is broken  Residual risk  www.zerodayinitiative.com 12
  • 13. 13
  • 14.  We have to run several tools to extract needed information ◦ Executable image ◦ Command used to invoke ◦ Runtime ◦ Security context ◦ DLLs and modules ◦ Memory 14
  • 15. 15
  • 16. 16
  • 17. 17
  • 18.  Process dissection ◦ Process explorer 18
  • 19.  None of the previous tools will work in most cases  Perpetrators write their tools to avoid these  Have to analyze the raw image  Can do manually  Tools work the best 19
  • 20. 20
  • 21. Source: Kaspersky Lab US 21
  • 22.  Enhanced Mitigation Experience Toolkit ◦ Microsoft tool  DEP and others => adds obstacles to exploitation  Apply it to one application at a time ◦ Harden legacy applications ◦ Temporary protection against known zero-day ◦ Permanent protection against targeted applications  Adobe etc  27 sample exploits ◦ EMET  Mitigated 22 of 27 easily  Mitigated all but 1 => Firefox => patch or use another 22
  • 23. 23
  • 24. 24
  • 25. 25
  • 26.  Network Access Protection ◦ Restrict access based on client health  Public Key Infrastructure ◦ Bind user identity to a public key  Trace origin of ownership ◦ Distributed trust hierarchies  RODC ◦ Read Only Domain Controllers  Software restriction policies ◦ Can allow or block based on hash, name, signature or origin 26
  • 27.  Secure boot ◦ Taken from Windows 8 ◦ Hardware protection capable  DNSSEC ◦ Robust and improved from Server 2008  Data classification built-in  ServerCore ◦ Can optionally load GUI and unload it 27
  • 28. Source: www.buildwindows.com 28
  • 29.  Standard as of 2009 ◦ Assigns a DevID to a device  Hardware based  TPM? 29
  • 30.  Attacks are on the rise  MTPM ◦ Expected release ?  Was in 2012 ◦ Provides hardware based protection of phones  Device identity ◦ Similar to the TPM  Optimized for mobile platform ◦ Apple?  Did not participate  Proprietary solution - ????? 30
  • 31.  Segmentation and isolation  Bind ports inside the bastion host External network Screening router Bastion host DMZ DMZ App Servers IDS 31
  • 32. 32
  • 33. 33
  • 34. 34
  • 35. 35
  • 36.  DNS Firewalls  Internal Honeypots! 36

×