A VIRTUAL STRATEGIC SECURITY PROGRAM BY THE LEONIDAS INFOSEC, LLC. The 300 Leonidas Solution

PROJECT TEAM III MEMBERS Anastassia I Albert C Brian R Matt M Renee S

MEMBERS

Anastassia I

Albert C

Brian R

Matt M

Renee S

Leonidas InfoSec, LLC Executive Level Leadership

Malicious Attackers, Tonight You Dine in Hell!

Virtualize the Network with Leonidas Clones

Leonidas Fights for the Future of the Free Enterprise Virtualization will move processing power back to the mainframe Virtualization redefines rapid development and disaster recovery Virtualization makes baseline management easy Open Source software is coming to a level of maturity

Virtualization will move processing power back to the mainframe

Virtualization redefines rapid development and disaster recovery

Virtualization makes baseline management easy

Open Source software is coming to a level of maturity

Purpose To ensure our stakeholders the privacy that is required by law and that should be granted. Stakeholders: Clients Business partners Shareholders Customers Employees

To ensure our stakeholders the privacy that is required by law and that should be granted.

Stakeholders:

Clients

Business partners

Shareholders

Customers

Employees

NETWORK SECURITY MANAGEMENT Firewall Rule Configuration Logging and Auditing Network Topology NETWORK SECURITY OPERATIONS Intrusion Detection System Remote Access Firewalls Overview

NETWORK SECURITY MANAGEMENT

Firewall Rule Configuration

Logging and Auditing

Network Topology

NETWORK SECURITY OPERATIONS

Intrusion Detection System

Remote Access

Firewalls

Network Security Operations Firewall Filter out unnecessary packets Install firewall software onto server Regulate flow of traffic into and out of the First Apple Bank Prevent network intrusion of the First Apple Bank private network Allow white listed traffic Detect automated (pings) malicious intrusion attempts Facilitate and not disrupt connectivity and legitimate data transfer

Firewall

Filter out unnecessary packets

Install firewall software onto server

Regulate flow of traffic into and out of the First Apple Bank

Prevent network intrusion of the First Apple Bank private network

Allow white listed traffic

Detect automated (pings) malicious intrusion attempts

Facilitate and not disrupt connectivity and legitimate data transfer

Network Security Operations Intrusion Detection System Monitor network activity Scan for malicious intents Provide notification for unauthorized entry attempts Integrate system with log management and firewalls to create a firm reporting structure

Intrusion Detection System

Monitor network activity

Scan for malicious intents

Provide notification for unauthorized entry attempts

Integrate system with log management and firewalls to create a firm reporting structure

Network Security Management Firewall Rule Configuration Permit necessary business services; email, http, VPN, SSH, ICMP, etc. Drop any other packets not explicitly allowed Examine packet and header information

Firewall Rule Configuration

Permit necessary business services; email, http, VPN, SSH, ICMP, etc.

Drop any other packets not explicitly allowed

Examine packet and header information

Network Security Management Logging & Auditing Create centralized logging and auditing Collect logs from firewall, authentication center, and IDS Parse logs and extract information of interest Dump firewall and IDS logs into storage file Provide real-time event viewing Flag suspicious activities in logs

Logging & Auditing

Create centralized logging and auditing

Collect logs from firewall, authentication center, and IDS

Parse logs and extract information of interest

Dump firewall and IDS logs into storage file

Provide real-time event viewing

Flag suspicious activities in logs

Network Security Management Network Topology Map hierarchy and architecture of the First Apple Bank network infrastructure Separate sensitive and confidential data storage from day to day network Provide a frame work for the most effective network organization structure according to the principle of least privileged

Network Topology

Map hierarchy and architecture of the First Apple Bank network infrastructure

Separate sensitive and confidential data storage from day to day network

Provide a frame work for the most effective network organization structure according to the principle of least privileged

Remote Access Solution Goals Use multi-level authentication Ensure non-repudiation and authenticity of First Apple Bank employees who are working remotely Deploy protocols for privileged revocation Properly implement and secure certificate authority Provide near-transparent security and authentication via SSH tunnels

Use multi-level authentication

Ensure non-repudiation and authenticity of First Apple Bank employees who are working remotely

Deploy protocols for privileged revocation

Properly implement and secure certificate authority

Provide near-transparent security and authentication via SSH tunnels

OpenSSH VNC4 Uses Advanced Encryption Standard with 128-bit keys for encryption Uses 2048-bit RSA Authentication May use ECC in the future allows the client to control his or her workstation remotely as if he or she were physically at the computer present a login screen to the remote client Remote Access Solution

OpenSSH

VNC4

Uses Advanced Encryption Standard with 128-bit keys for encryption

Uses 2048-bit RSA Authentication

May use ECC in the future

allows the client to control his or her workstation remotely as if he or she were physically at the computer

present a login screen to the remote client

Why SSH and VNC? SSH two-factor System: Needs both a password and the private key to authenticate Private key is stored for the session, making reauthentication is quick and transparent to the end-user should the session be interrupted. Diffie-Helman Secure key exchange

SSH two-factor System:

Needs both a password and the private key to authenticate

Private key is stored for the session, making reauthentication is quick and transparent to the end-user should the session be interrupted.

TECHNICAL, PHYSICAL & PERSONNEL POLICIES Detailed Security Plan

TECHNICAL, PHYSICAL & PERSONNEL POLICIES

Personnel Security Physical Security Recruiting employees Security Awareness Employee practices Location of server room Authentication systems Physical material Building infrastructure Security Plan

Personnel Security

Physical Security

Recruiting employees

Security Awareness

Employee practices

Location of server room

Authentication systems

Physical material

Building infrastructure

Personnel Security Plan Recruiting trustworthy employees Background checks for convictions of felony or misdemeanor Drug tests and credit score report Proper signatures/recommendations from previous employer(s) Security Awareness Facility security organization and operation Types of physical and cyber security barriers Social Engineering Employee Practices Only business activities can be performed at the server room Personnel should keep visitors on a bare minimum, and the must sign in the guest log Cleaning/maintenance staff should be escorted by IT personnel when working in the secured area

Recruiting trustworthy employees

Background checks for convictions of felony or misdemeanor

Drug tests and credit score report

Proper signatures/recommendations from previous employer(s)

Security Awareness

Facility security organization and operation

Types of physical and cyber security barriers

Social Engineering

Employee Practices

Only business activities can be performed at the server room

Personnel should keep visitors on a bare minimum, and the must sign in the guest log

Cleaning/maintenance staff should be escorted by IT personnel when working in the secured area

Physical Security Plan Server room location Cannot be near public area Should be in the interior, away from windows Authentication systems RFID and magnetic strip photo-card Key-code entry Biometrics (if practical) Physical material Server room door must not be made of or contain glass Wall construction of the server room will be slab-to-slab with Sound Transmission Class 40 or better Building infrastructure Surveillance system Security guards (1 or 2, non-firearm equipped) Standard smoke detectors and fire alarms Intruder alarm

Server room location

Cannot be near public area

Should be in the interior, away from windows

Authentication systems

RFID and magnetic strip photo-card

Key-code entry

Biometrics (if practical)

Physical material

Server room door must not be made of or contain glass

Wall construction of the server room will be slab-to-slab with Sound Transmission Class 40 or better

Building infrastructure

Surveillance system

Security guards (1 or 2, non-firearm equipped)

Standard smoke detectors and fire alarms

Intruder alarm

Network Topology

PROTOTYPE/DEMONSTRATION Technical Implementation

PROTOTYPE/DEMONSTRATION

Virtualbox Virtualbox is free, open-source virtualization software developed by Sun, Inc. It creates virtual machines upon which nearly any operating system can be run. Users can customize the amount of RAM, hard drive size, network adapters, etc. as needed. http://virtualbox.org

Virtualbox is free, open-source virtualization software developed by Sun, Inc. It creates virtual machines upon which nearly any operating system can be run. Users can customize the amount of RAM, hard drive size, network adapters, etc. as needed.

http://virtualbox.org

Ubuntu 7.10 Ubuntu is a distribution of Linux that focuses on ease of use, compatibility, and security. Ubuntu 7.10, released in October of 2007, was the operating system detailed in the project outline provided and has since been superseded by Ubuntu 8.10, the Intrepid Ibex. http://ubuntu.com

Ubuntu is a distribution of Linux that focuses on ease of use, compatibility, and security. Ubuntu 7.10, released in October of 2007, was the operating system detailed in the project outline provided and has since been superseded by Ubuntu 8.10, the Intrepid Ibex.

http://ubuntu.com

Synaptic Package Manager The APT framework Makes installing popular packages as simple as sudo apt-get install openssh Manages updates and dependencies as well http://wiki.debian.org/Apt

The APT framework

Makes installing popular packages as simple as sudo apt-get install openssh

Manages updates and dependencies as well

http://wiki.debian.org/Apt

Other helpful documentation Manpages Documentation included with most installed software The command-line (xterm) NIST PUBLICATIONS SP 800-39: Managing Risk SP 800-41: Guidelines to Firewall Policy SP 800-94: Guide to Intrusion Detection and Prevention Systems FIPS 196: Public-Key Authentication

Manpages

Documentation included with most installed software

The command-line (xterm)

NIST PUBLICATIONS

SP 800-39: Managing Risk

SP 800-41: Guidelines to Firewall Policy

SP 800-94: Guide to Intrusion Detection and Prevention Systems

FIPS 196: Public-Key Authentication

AKA LEONIDAS Creating a master image

AKA LEONIDAS

1. The master image Install all the necessary software onto a master leonidas. Use Vboxmanage to clone the hard drive image, essentially making duplicate machines. Easy to simulate back-ups. Spend less time installing and configuring software

Install all the necessary software onto a master leonidas.

Use Vboxmanage to clone the hard drive image, essentially making duplicate machines.

Easy to simulate back-ups.

Spend less time installing and configuring software

2. Choose your services Install and configure Kerberos, OpenLDAP, et al. Write in necessary hosts files. Copy public keypairs where needed. Define strict user and group policies: don’t let anyone but superusers change things!

Install and configure Kerberos, OpenLDAP, et al.

Write in necessary hosts files.

Copy public keypairs where needed.

Define strict user and group policies: don’t let anyone but superusers change things!

VIRTUALBOX CAPABILITIES THE COMMANDLINE:VBOXMANAGE VIRTUAL TESTBED DEMO REMOTE ACCESS DEMO Snort, Firestarter SSH and VNC Kerberos ticketing DEMONSTRATION

VIRTUALBOX CAPABILITIES

THE COMMANDLINE:VBOXMANAGE

VIRTUAL TESTBED DEMO

REMOTE ACCESS DEMO

Snort, Firestarter

SSH and VNC

Kerberos ticketing

Problems Encountered

Problems Encountered SAMPLE PROBLEMS Ubuntu networking problems. Resource issues (no mainframe!). Lack of free resources on security policies for financial industry. SUGGESTED SOLUTIONS More time and money: 5 months and $1.2m Talk to virtualization expert (Vbox developers at Sun) Talk to industry people.

SAMPLE PROBLEMS

Ubuntu networking problems.

Resource issues (no mainframe!).

Lack of free resources on security policies for financial industry.

SUGGESTED SOLUTIONS

More time and money:

5 months and $1.2m

Talk to virtualization expert (Vbox developers at Sun)

Talk to industry people.

Summary of Findings

Risk Assessment and Mitigation

Technical Vulnerabilities Technical vulnerabilities are dynamic and can be fixed by keeping systems patched to date.

Technical vulnerabilities are dynamic and can be fixed by keeping systems patched to date.

Procedural and Physical Vulnerabilities Any violation of security standards set by the ISO, NIST, regulatory policy, and company defined policy. i.e Employee revealing sensitive or confidential pieces of information such as cardholder data, company infrastructure, or government data Lack of a surveillance system, door locks, card entry systems, RFID sensors, motion sensors, security personnel and biometrics put a server room and IT infrastructure at risk.

Any violation of security standards set by the ISO, NIST, regulatory policy, and company defined policy.

i.e Employee revealing sensitive or confidential pieces of information such as cardholder data, company infrastructure, or government data

Lack of a surveillance system, door locks, card entry systems, RFID sensors, motion sensors, security personnel and biometrics put a server room and IT infrastructure at risk.

Data Risks Consumer Personal information Account information Financial information Employee Personal information Company Email data IP addresses Specific security configurations

Consumer

Personal information

Account information

Financial information

Employee

Personal information

Company

Email data

IP addresses

Specific security configurations

Least Risk Option Combination Assessment

Mitigation Industry standards ASC X9 Financial Industry Standards Data and information security NIST SP 800-39 Practices for managing risk in information systems Federal FIPS 196 Advanced encryption standard Technical fixes Preventative controls Baseline patching Encryption Detective controls IDS

Industry standards

ASC X9 Financial Industry Standards

Data and information security

NIST SP 800-39

Practices for managing risk in information systems

Federal FIPS 196

Advanced encryption standard

Technical fixes

Preventative controls

Baseline patching

Encryption

Detective controls

IDS

Mitigation Operational policy Least privilege Defense in depth “ Need to know” information Training and education of employees Social engineering deterrents Employee responsibilities

Operational policy

Least privilege

Defense in depth

“ Need to know” information

Training and education of employees

Social engineering deterrents

Employee responsibilities

QUESTIONS FIN

QUESTIONS