
INFRAGARD 2014: Back to basics security

This talk focuses on getting Back To Basics with security controls. Too many enterprises are focusing on the wrong threats and spending money in the wrong places. Often overlooked are our basic security controls that require care and feeding, and regular review. This talk focuses on a few of those areas.


  1. Enterprise security back to basics Joel Cardella
  2. My profile • Joel Cardella • Over 20 years in IT; operations, data center, application development, architecture and security • Regional Security Officer for North America • Global company (41,000 users) with local information security control (8,500 users)
  3. Assumptions • You have some basic understanding of information security • You are aware that some risks exist in your enterprise • You have in some ways secured your enterprise, using basic security techniques • Firewalls • Policy control • User access rights • You are running a mostly Microsoft environment, with some variations • Active Directory authentication • Active Directory User & Computer management • You are worried that you may have missed something
  4. Assumptions • You are confident of your existing processes • ARE YOU SURE? • You need more robust controls • You need better ways to measure • You are immature in security and need to improve your posture
  5. Why this talk? You can pay now, or you can pay more later … but you will eventually have to pay
  6. Who benefits from this talk? • Practitioner • You need to implement or improve • New to infosec • Veteran – everyone needs reminders! • Manager • Know your people, their skills and knowledge • Know your business and how you support it • Executive • Know what questions to ask • Know your risks
  7. LET’S TALK RISK
  8. Risk defined in security terms: THREATS x VULNERABILITIES = RISK • Threats are the offense side (likelihood); vulnerabilities are the defense side (impact) • Threats increase risk and drive the risk calculation • Dealing with vulnerabilities reduces risk • When a threat connects with a vulnerability, there is impact • Source: Dr Eric Cole, SANS
  9. What risk can we control? THREATS x VULNERABILITIES x TIME = RISK • Threats: no control • Vulnerabilities: indirect control (vendor reliance) and direct control (issuing patches & updates) • Time: direct control • None of these values is ever zero, but we should work toward zero
  10. Where do we start? Source: http://www.northropgrumman.com/AboutUs/Contracts/ManagedServices/Pages/SecurityServices.aspx
  11. Back to basics – The Pareto Principle • In your enterprise, can you manage to the 80/20 rule? • If you can focus on 20% of your basics, you can address 80% of your risk • Vendors love to focus on the other 80% • This is the sexy space, where the talking points come from • So the inverse would also be accurate, where looking at the bottom 80% only addresses 20% of the risk!
  12. Case study • A major retailer was “Target-ed” by a very sophisticated malware attack • It gained major media attention, and prompted a congressional inquiry • It is the first case in which a CEO was ousted due to a security event (though it was also likely driven by the PR disaster)
  13. Case study – the numbers Source: http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/ • 40 Million: The number of credit and debit cards thieves stole from Target between Nov. 27 and Dec. 15, 2013. • 70 Million: The number of records stolen that included the name, address, email address and phone number of Target shoppers. • $200 Million: Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards — about half of the total stolen in the Target breach. • 46%: The percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before. ($480M) • $53.7 Million: The income that hackers likely generated from the sale of 2 million cards stolen from Target and sold at the mid-range price of $26.85 (the median price between $18.00 and $35.70). • 1M – 3M: The estimated number of cards stolen from Target that were successfully sold on the black market and used for fraud before issuing banks got around to canceling the rest.
  14. Case study – the numbers Source: http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/ • $100 Million: The number of dollars Target says it will spend upgrading their payment terminals to support Chip-and-PIN enabled cards. • 0: The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach. • 0: The number of people in Chief Information Security Officer (CISO) or Chief Security Officer (CSO) jobs at Target (according to the AP). • $55 Million: The number of dollars outgoing CEO Gregg Steinhafel stands to reap in executive compensation and other benefits on his departure as Target’s chief executive.
  15. (Diagram) Media focuses on this … but the problem starts here!
  16. Let’s start at the very beginning… • A phishing email is sent to a Target vendor • The vendor is successfully phished and the vendor account is compromised • The adversary logs into Target systems with the vendor account • Once logged in, the adversary launches a privilege escalation attack • Once that succeeds, the adversary can traverse the Target network unfettered, create more accounts, create file shares, etc. • Hilarity ensues • Even if this is not precisely what occurred, it is a great example of typical attack vectors
  17. From the Bloomberg article • ”Target’s system, like any standard corporate network, is segmented so that the most sensitive parts—including customer payments and personal data—are walled off from other parts of the network and, especially, the open Internet.” • “Target’s walls obviously had holes.” http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
  18. (Diagram: vendor account → VPN → AD → Target PCs, drawn for both scenarios) Scenario 1 – Vendor account has no privilege. Scenario 2 – Vendor account has privileges escalated. How could Back to Basics have prevented either of these scenarios?
  19. BEFORE YOU START…
  20. Security basics • Security requires resources; you must invest to get a return • If you don’t invest the resources, you will increase the vulnerability and likelihood • Basics should include • Prevention • Detection • Response • Recovery
  21. Things to remember • Act/think like an adversary; be hostile toward your own network and you will learn things you did not know existed • Find and understand your baselines • Document your findings; document everything • Make a plan • Decide what you want to address • Keep your scope small (80/20) • Go back and do it all again • Verify your assumptions, verify your baselines • Document changes • Continuously improve
  22. Business context is everything • Do you understand your business? • How does your IT infrastructure support your business? • Do you understand the functions of your IT segments, and how they support your business operations? • Example: Is your website critical to your business? • How will your firewall affect this? Does it have anything to do with it? • Document it!
  23. FOUNDATIONAL APPROACHES
  24. SANS 20 Critical Security Controls (number of quick wins per control in parentheses; 73 in total)
  • 1: Inventory of Authorized and Unauthorized Devices (3)
  • 2: Inventory of Authorized and Unauthorized Software (3)
  • 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers (5)
  • 4: Continuous Vulnerability Assessment and Remediation (4)
  • 5: Malware Defenses (7)
  • 6: Application Software Security (2)
  • 7: Wireless Access Control (2)
  • 8: Data Recovery Capability (2)
  • 9: Security Skills Assessment and Appropriate Training to Fill Gaps (1)
  • 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches (1)
  • 11: Limitation and Control of Network Ports, Protocols, and Services (4)
  • 12: Controlled Use of Administrative Privileges (9)
  • 13: Boundary Defense (2)
  • 14: Maintenance, Monitoring, and Analysis of Audit Logs (5)
  • 15: Controlled Access Based on the Need to Know (1)
  • 16: Account Monitoring and Control (9)
  • 17: Data Protection (4)
  • 18: Incident Response and Management (6)
  • 19: Secure Network Engineering (1)
  • 20: Penetration Tests and Red Team Exercises (2)
  Quick wins provide significant risk reduction without major financial, procedural, architectural, or technical changes to an environment, or provide such substantial and immediate risk reduction against very common attacks that most security-aware organizations prioritize these key controls. Source: https://www.sans.org/media/critical-security-controls/CSC-5.pdf
  25. AU Defence Signals Directorate
  26. Rapid approach to the basics • Application whitelisting (CSC 2/DSD 1) • Use of standard, secure system configurations (CSC 3) • Patch application software within 48 hours (CSC 4/DSD 2) • Patch system software within 48 hours (CSC 4/DSD 3) • Reduce the number of users with administrative privileges (CSC 3 and 12/DSD 4) • DSD’s own figure is that these four mitigations would have prevented at least 85% of the targeted intrusions it responded to; they fit the Pareto principle, a small set of basics addressing most of your risk
  27. DSD ratings (adapted from http://www.asd.gov.au/infosec/top-mitigations/top35mitigations-2014-table.htm). Upfront cost covers staff, equipment and technical complexity; maintenance cost is mainly staff.
  Mitigation strategy | Overall security effectiveness | User resistance | Upfront cost | Maintenance cost | Helps detect intrusions | Mitigates stage 1: code execution | Mitigates stage 2: network propagation | Mitigates stage 3: data exfiltration
  Application whitelisting of permitted/trusted programs, to prevent execution of malicious or unapproved programs including DLL files, scripts and installers | Essential | Medium | High | Medium | Yes | Yes | Yes | Yes
  Patch applications, e.g. Java, PDF viewers, Flash, web browsers and Microsoft Office. Patch or mitigate systems with 'extreme risk' vulnerabilities within two days. Use the latest version of applications | Essential | Low | High | High | No | Yes | Possible | No
  Patch operating system vulnerabilities. Patch or mitigate systems with 'extreme risk' vulnerabilities within two days. Use the latest suitable operating system. Avoid Windows XP | Essential | Low | Medium | Medium | No | Yes | Possible | No
  Restrict administrative privileges to operating systems and applications based on user duties. Such users should use a separate unprivileged account for email and web browsing | Essential | Medium | Medium | Low | No | Possible | Yes | No
  The talk’s Back to Basics areas, rated on the same scale:
  Reconnaissance | Good | Low | Low | Low | Yes | Possible | Yes | No
  Network segmentation | Excellent | Low | Medium | Low | No | Possible | Yes | Yes
  Account management | Excellent | Medium | Low | Low | No | Yes | Yes | Possible
  Controlled access | Essential | Medium | Medium | Low | No | Possible | Yes | No
  Auditing/accounting | Excellent | Low | High | Medium | Yes | No | No | No
  Physical Security | Good | High | Low | Medium | No | Yes | Yes | Yes
  Backup Strategy | Excellent | Low | High | Medium | No | No | No | Yes
  28. SIMPLE APPROACH TO THE BASICS
  29. Targeted basics • Reconnaissance • Network segmentation • Account management • Controlled access • Auditing/accounting • Physical Security • Backup Strategy • Governance
  30. Basics explained • WHAT TO ASK • Questions to ask both down and up • WHAT TO DO • Steps you can take • TOOLBOX • Tools you can use • HOW IT APPLIES • How it can mitigate the problem in our case study
  31. RECONNAISSANCE
  32. Recon – WHAT TO ASK • What are your assets? • Hardware • Software • Are you aware of authorized vs unauthorized assets? • Can you tell when this changes? • ARE YOU SURE?
  33. Recon – WHAT TO DO • Create a standard user account • Log in from the outside and from the inside (both sides of your firewall) • Where can you go? What can you see? What do you have access to? • Do you understand what you are seeing? • Are you forgetting anything? Look at what other breaches involved and what the attackers tried • Threat modeling works well here
  34. Recon – TOOLBOX • Standard RDP / SSH • Inventory tools • Spiceworks (http://www.spiceworks.com) • BelArc (http://www.belarc.com) • Lansweeper (http://www.lansweeper.com) • System Management Tools • SCCM/Altiris/Dameware • Threat modeling info • http://www.jwgoerlich.us/blogengine/post/2014/04/29/Update-on-Story-Driven-Security.aspx
  35. (Diagram: vendor account → VPN → AD → Target PCs, drawn for both scenarios) Scenario 1 – Vendor account has no privilege: systems allow account logins at the OS. Scenario 2 – Vendor account has privileges escalated: systems allow account logins at the OS, but only for privileged accounts. Recon would show us what this account can actually do with its privilege.
  36. NETWORK SEGMENTATION
  37. Network segmentation – WHAT TO ASK • Do you have network segmentation? • Protected enclaves can be formed with firewalls, VPNs, VLANs, Access Control Lists and Network Access Control • Do you allow access to any network resources from the outside? • How are they controlled? • ARE YOU SURE?
  38. Network segmentation – WHAT TO DO • Create a “secure zone” using your smart switches or firewall rules • External and internal (non-employees vs employees) • Internal zones (trusted and untrusted) • You need a basic classification scheme to decide what falls into these zones • Document this! • Inside the trusted zone, allow only certain accounts or certain systems to talk to each other • Never let generic or non-privileged user accounts reach critical server infrastructure at the OS layer • Accounts which use VPN logins should be limited by ACLs or IP address • For example: separate your public and private wireless spaces using firewall rules • Limit VPN access per account using IP ACLs
  39. Network segmentation – TOOLBOX • Some free firewall tools to help you • http://www.solarwinds.com/products/freetools/firewall-browser.aspx • http://www.fwbuilder.org/ • This is going to take a lot of time and investment • You have to have subject matter expertise • You have to make ongoing reviews; frequency depends on how many changes happen • Make it worth it; document everything
  40. (Diagram: vendor account → VPN → AD → Target PCs, drawn for both scenarios) Scenario 1 – Vendor account has no privilege. Scenario 2 – Vendor account has privileges escalated. Changes over time to firewall rules create holes. Network segmentation is in place … but is it working as designed? This requires the most care and feeding of any basic control.
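The question the slide leaves open, "is segmentation working as designed?", can be asked of the rule set itself rather than of the diagram. The following is an added example, not code from the talk: it checks a firewall allow list against a written zone policy and reports every allow rule that opens an OS-login port (SSH, RDP, SMB, WinRM) between a pair of zones the policy does not permit, honouring first-match order so that an allow fully covered by an earlier deny is not reported. The zone map, the rule set and the allowed-flow policy are constructed sample data; in practice the rules would be an export from the firewall or from fwbuilder.

```python
"""Check a firewall rule set against the zone policy it is meant to enforce.

Added example for the segmentation section; not code from the talk.
All zones, rules and the allowed-flow policy below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

# Zone map (constructed): CIDR -> zone. The most specific match wins, so the
# 0.0.0.0/0 entry only catches addresses outside every named zone.
ZONES = {
    "10.10.0.0/16": "corp-users",
    "10.20.0.0/24": "vendor-vpn",
    "10.50.0.0/24": "pos-servers",   # critical: payment systems
    "10.60.0.0/24": "management",
    "0.0.0.0/0": "internet",
}

# Ports that grant an OS-layer login (SSH, RDP, SMB, WinRM). The talk's rule:
# generic or vendor accounts must never reach critical servers at this layer.
OS_LOGIN_PORTS = frozenset({22, 3389, 445, 5985, 5986})

# Design intent (constructed): zone pairs that may carry OS-login traffic at all.
ALLOWED_OS_LOGIN_FLOWS = {
    ("management", "pos-servers"),
    ("management", "corp-users"),
    ("corp-users", "corp-users"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # source CIDR
    dst: str          # destination CIDR
    ports: frozenset  # destination ports; empty means "any port"
    action: str       # "allow" or "deny"


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def zone_of(cidr: str) -> str:
    """Return the most specific zone that contains the whole CIDR."""
    net = _net(cidr)
    best_len, best_zone = -1, "internet"
    for zcidr, zname in ZONES.items():
        znet = _net(zcidr)
        if net.subnet_of(znet) and znet.prefixlen > best_len:
            best_len, best_zone = znet.prefixlen, zname
    return best_zone


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and (not outer.ports or (bool(inner.ports) and inner.ports <= outer.ports)))


def find_holes(rules):
    """Return (rule name, (src zone, dst zone), exposed ports) for every allow rule
    that opens an OS-login port across a zone pair the policy does not permit.
    Rules are first-match: an allow fully covered by an earlier deny is skipped."""
    holes = []
    for i, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        if any(r.action == "deny" and _covers(r, rule) for r in rules[:i]):
            continue  # the deny above catches this traffic first
        exposed = OS_LOGIN_PORTS if not rule.ports else rule.ports & OS_LOGIN_PORTS
        if not exposed:
            continue
        flow = (zone_of(rule.src), zone_of(rule.dst))
        if flow not in ALLOWED_OS_LOGIN_FLOWS:
            holes.append((rule.name, flow, sorted(exposed)))
    return holes


# Constructed rule set, in evaluation order, as an export might look after a
# year of "temporary" changes.
RULES = [
    Rule("vendor-to-pos-rdp", "10.20.0.0/24", "10.50.0.0/24", frozenset({3389}), "allow"),
    Rule("mgmt-to-pos", "10.60.0.0/24", "10.50.0.0/24", frozenset({22, 3389}), "allow"),
    Rule("deny-vendor-smb", "10.20.0.0/24", "10.0.0.0/8", frozenset({445}), "deny"),
    Rule("vendor-file-share", "10.20.0.0/24", "10.50.0.10/32", frozenset({445}), "allow"),
    Rule("users-to-pos-web", "10.10.0.0/16", "10.50.0.0/24", frozenset({443}), "allow"),
    Rule("users-any-to-pos", "10.10.0.0/16", "10.50.0.20/32", frozenset(), "allow"),
]

if __name__ == "__main__":
    for name, (src, dst), ports in find_holes(RULES):
        print(f"HOLE {name}: {src} -> {dst} on ports {ports}")
```

Run against the sample, the check reports the vendor-VPN-to-POS RDP rule and the "any port" rule from the user zone, and stays quiet about the SMB share rule because the deny above it already blocks that traffic. Re-running it on every rule export, and diffing the output, is the "ongoing review" the toolbox slide asks for.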
  41. ACCOUNT MANAGEMENT
  42. Account management – WHAT TO ASK • What types of accounts exist in your enterprise? • Do you know who owns those accounts? • Do you know if those accounts are still valid? • If you have system or service accounts, do you know what they have access to (zones)? • ARE YOU SURE?
  43. Account management – WHAT TO DO • Manage your accounts by policy and technical enforcement • Expire passwords / enforce password complexity • Use ACLs to manage access to your systems • Restrict access within your zones • Enforce 2nd factor authentication for vendor/contractor access • For employees if you can! For everyone! • Inventory your accounts and their parameters • Know your vendors by their accounts
  44. Key quotes • “In fairness to Target, if they thought their network was properly segmented, they wouldn’t have needed to have two-factor access for everyone,” Litan said. “But if someone got in there and somehow escalated their Active Directory privileges like you described, that might have [bridged] that segmentation.” - http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/ In all fairness to Ms. Litan, I disagree. Why? Because they were not sure.
  45. Account management – TOOLBOX • Fail2ban (Unix) • http://sourceforge.net/projects/fail2ban/ • Winfail2ban • http://winfail2ban.sourceforge.net/ • 2nd factor authentication – KEY SECURITY STRATEGY! • Google Authenticator - https://support.google.com/accounts/answer/1066447?hl=en • Microsoft PhoneFactor - http://technet.microsoft.com/en-us/magazine/dn448533.aspx • Duo Security – https://www.duosecurity.com/ • Windows PowerShell • http://technet.microsoft.com/en-us/scriptcenter/ee861518.aspx • Get-ADUser -Filter * -SearchBase "DC=ad,DC=company,DC=com" (lists every user object under that base; add -Properties to pull attributes such as LastLogonDate and PasswordLastSet for the inventory)
  46. (Diagram: vendor account → VPN with 2nd factor challenge → AD → Target PCs; internal firewalls have holes in both scenarios) Scenario 1 – Vendor account has no privilege: systems allow account logins at the OS. Scenario 2 – Vendor account has privileges escalated: systems allow account logins at the OS, but only for privileged accounts. 2nd factor authentication would have prevented BOTH scenarios!
  47. CONTROLLED ACCESS
  48. Controlled access – WHAT TO ASK • What systems can talk to each other? • Are they in different zones? Do they need to be? • Do your business people have access to information they do not need to do their jobs? • Do your administrators have more access than they need to do their jobs? • What about non-admins? • ARE YOU SURE?
  49. Controlled access – WHAT TO DO • Access based on need to know/need to work • A classification scheme is needed for this • Establish a policy of access based on need to know/need to work • Establish an approval mechanism for special exceptions • Talk to the business to find out what access they need, and create a Segregation of Duties (SoD) matrix • Enforce SoD through system constraints and involve the business in the SoD approvals
  50. Controlled access – TOOLBOX • Don’t allow continuous membership in Enterprise Admins or Schema Admins • Limit access to these groups to senior admins only • Monitor additions to the Domain Admins group and keep this group as small as possible • Monitor groups for changes • SCOM • Netwrix (http://www.netwrix.com/) • Quest tools (http://www.quest.com/) • Within AD, delegate authority – a slightly more secure approach • http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx • Use AD security groups / delegation to restrict access to resources based on the SoD matrix
  51. (Diagram: vendor account → VPN → AD → Target PCs, drawn for both scenarios) Scenario 1 – Vendor account has no privilege: controlled access only allows logins from certain accounts. Scenario 2 – Vendor account has privileges escalated: systems allow account logins at the OS, but only for privileged accounts. Controlled access would not allow the escalation attack, and/or would alert to the attempt.
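Monitoring additions to Domain Admins and keeping Enterprise Admins and Schema Admins empty (slide 50), together with inventorying accounts and knowing vendors by their accounts (slide 43), both come down to comparing what the directory says now with what it said at the last review and with policy. The following is an added example, not code from the talk: it diffs two constructed snapshots of privileged-group membership and screens a constructed account inventory for accounts with no owner, stale logons, and vendor or privileged accounts without a second factor. In practice the snapshots would be exports from Get-ADGroupMember and Get-ADUser -Properties; the field names, the owner and MFA flags, and the 90-day staleness threshold are assumptions.

```python
"""Detect privileged-group drift and screen the account inventory.

Added example for the account management and controlled access sections;
not code from the talk. The snapshots and inventory below are constructed;
in production they would come from Get-ADGroupMember / Get-ADUser -Properties.
"""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
# Groups that must be empty outside an approved change window (no continuous membership).
NO_STANDING_MEMBERSHIP = {"Enterprise Admins", "Schema Admins"}

# Constructed snapshots: group -> sAMAccountNames, as an export would list them.
SNAPSHOT_YESTERDAY = {
    "Domain Admins": {"admin.alice", "admin.bob"},
    "Enterprise Admins": set(),
    "Schema Admins": set(),
}
SNAPSHOT_TODAY = {
    "Domain Admins": {"admin.alice", "admin.bob", "svc_hvac"},  # service account added
    "Enterprise Admins": {"admin.bob"},                          # standing member
    "Schema Admins": set(),
}

# Constructed inventory. Field names are assumptions standing in for AD attributes
# (sAMAccountName, an owner field, LastLogonDate) and an MFA enrolment flag.
ACCOUNTS = [
    {"sam": "admin.alice", "owner": "Alice (IT)", "vendor": False, "mfa": True,  "last_logon": "2014-05-20"},
    {"sam": "svc_hvac",    "owner": None,         "vendor": True,  "mfa": False, "last_logon": "2014-05-21"},
    {"sam": "vendor.acme", "owner": "Acme Corp",  "vendor": True,  "mfa": False, "last_logon": "2013-11-02"},
    {"sam": "jdoe",        "owner": "John Doe",   "vendor": False, "mfa": False, "last_logon": "2014-05-19"},
]


def group_drift(before, after, watch=PRIVILEGED_GROUPS):
    """Return sorted (kind, group, account) findings: 'added' for new members of a
    watched group since the last snapshot, 'standing' for any member of a group
    that must stay empty."""
    findings = []
    for group in watch:
        new_members = after.get(group, set()) - before.get(group, set())
        findings += [("added", group, a) for a in new_members]
        if group in NO_STANDING_MEMBERSHIP:
            findings += [("standing", group, a) for a in after.get(group, set())]
    return sorted(findings)


def privileged_members(snapshot):
    """Every account holding membership in any snapshotted privileged group."""
    return set().union(*snapshot.values())


def account_findings(accounts, privileged, as_of, stale_days=90):
    """Map sAMAccountName -> sorted issue tags for accounts that need attention.
    `as_of` is the review date as YYYY-MM-DD."""
    review_date = datetime.strptime(as_of, "%Y-%m-%d")
    result = {}
    for acct in accounts:
        issues = []
        if not acct["owner"]:
            issues.append("no-owner")          # nobody to ask whether it is still valid
        if acct["vendor"] and not acct["mfa"]:
            issues.append("vendor-no-mfa")     # talk: enforce 2nd factor for vendors
        if acct["sam"] in privileged and not acct["mfa"]:
            issues.append("privileged-no-mfa")
        last = datetime.strptime(acct["last_logon"], "%Y-%m-%d")
        if review_date - last > timedelta(days=stale_days):
            issues.append("stale")             # candidate for disablement
        if issues:
            result[acct["sam"]] = sorted(issues)
    return result


if __name__ == "__main__":
    for kind, group, acct in group_drift(SNAPSHOT_YESTERDAY, SNAPSHOT_TODAY):
        print(f"{kind.upper():8} {group}: {acct}")
    privileged = privileged_members(SNAPSHOT_TODAY)
    for sam, issues in account_findings(ACCOUNTS, privileged, "2014-05-22").items():
        print(f"{sam}: {', '.join(issues)}")
```

On the sample data the drift check reports the service account that appeared in Domain Admins and the standing Enterprise Admins member, and the inventory screen flags the same service account (no owner, privileged, no second factor) plus a vendor account that has not logged on in months. The snapshot diff only catches what changed between two reviews; pairing it with the group-change events from SCOM or Netwrix covers additions that are made and reverted in between.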
  52. AUDITING/ACCOUNTING
  53. Auditing/Accounting – WHAT TO ASK • Do you have logs? • Where do they log to? • Who has access to the logs? • Do you understand them? • Are they resistant to change? • ARE YOU SURE????
  54. Auditing/Accounting – WHAT TO DO • Logging needs to be actionable • Start small; then get better • Set up a central logging server and point your logs to that • Allow only authorized persons access to this server • Then parse your logs using a tool like Splunk, or Windows Security and Operations Center
  55. Auditing/Logging – TOOLBOX • https://www.sans.org/reading-room/whitepapers/logging/discovering-security-events-interest-splunk-34272 • [WinEvent] sourcetype="WinEventLog:Security" ("EventCode=675" OR ("EventCode=672" AND Type="Failure Audit")) OR (EventCode=4771 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19 | stats count by Account_Name | where count > 3 • [XSS] source="/var/log/my-app/application.log" "&#" OR "script" OR "`" OR "cookie" OR "alert" OR "%00" • [SQL Inj] source="/var/log/my-app/application.log" (' AND =) OR (' AND ;) OR (drop table) OR -- • Author: Carrie Roberts
  56. Not a preventive measure • This is not a preventive measure; however, it does allow for: • Detection of events in real time (with tools that do this) • Forensic examination of events after the fact • A trail that can be used to identify attack patterns • You MUST make your logs resilient to change • Log everything to a central server, or mirror them • Restrict access to this system to only authorized security persons • Trust but verify
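The three Splunk searches in the toolbox above encode detection logic that can be checked offline before it goes into a production search head. The following is an added example, not code from the talk or from the cited paper: the same failed-logon, XSS and SQL-injection tests implemented in Python and run over constructed Windows Security and application-log lines. The key=value event format and every sample line are assumptions standing in for the fields Splunk extracts; User_Name (the Server 2003 era 672/675 events) and Account_Name (4771) are normalised to one account field before counting.

```python
"""Run the toolbox's three log searches offline.

Added example for the auditing section; not code from the talk or the cited
Splunk paper. Both log samples below are constructed; the key=value line
format stands in for the fields Splunk extracts from WinEventLog:Security.
"""
import re
from collections import Counter

# Constructed Windows Security events. 4771 = Kerberos pre-auth failed (2008+);
# 672/675 are the Server 2003 equivalents. Failure_Code 0x19 only means the client
# must retry with pre-authentication, so it is noise rather than a bad password.
WIN_EVENTS = """\
EventCode=4771 Type="Audit Failure" Account_Name=jdoe Failure_Code=0x18
EventCode=4771 Type="Audit Failure" Account_Name=jdoe Failure_Code=0x18
EventCode=4771 Type="Audit Failure" Account_Name=jdoe Failure_Code=0x18
EventCode=4771 Type="Audit Failure" Account_Name=jdoe Failure_Code=0x18
EventCode=4771 Type="Audit Failure" Account_Name=jdoe Failure_Code=0x19
EventCode=4771 Type="Audit Failure" Account_Name=WS01$ Failure_Code=0x18
EventCode=4771 Type="Audit Failure" Account_Name=WS01$ Failure_Code=0x18
EventCode=4771 Type="Audit Failure" Account_Name=WS01$ Failure_Code=0x18
EventCode=4771 Type="Audit Failure" Account_Name=WS01$ Failure_Code=0x18
EventCode=675 Type="Failure Audit" User_Name=vendor.acme Failure_Code=0x18
EventCode=675 Type="Failure Audit" User_Name=vendor.acme Failure_Code=0x18
EventCode=675 Type="Failure Audit" User_Name=vendor.acme Failure_Code=0x18
EventCode=675 Type="Failure Audit" User_Name=vendor.acme Failure_Code=0x18
EventCode=672 Type="Failure Audit" User_Name=svc_backup Failure_Code=0x18
EventCode=672 Type="Failure Audit" User_Name=svc_backup Failure_Code=0x18
EventCode=672 Type="Success Audit" User_Name=svc_backup
EventCode=4771 Type="Audit Failure" Account_Name=alice Failure_Code=0x19
EventCode=4771 Type="Audit Failure" Account_Name=alice Failure_Code=0x19
EventCode=4771 Type="Audit Failure" Account_Name=alice Failure_Code=0x19
EventCode=4771 Type="Audit Failure" Account_Name=alice Failure_Code=0x19
"""

# Constructed application log lines (request line and status code).
APP_LOG = """\
GET /search?q=shoes 200
GET /search?q=<script>alert(1)</script> 200
GET /item?id=42 200
GET /item?id=42' AND 1=1 -- 500
GET /login?user=admin';drop table users;-- 500
POST /comment body=nice%20shoes 200
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Extract key=value fields; quoted values may contain spaces."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}


def failed_logons(lines, threshold=3):
    """[WinEvent] search: accounts with more than `threshold` failed logons,
    ignoring machine accounts (name ends in $) and pre-auth-required noise (0x19)."""
    counts = Counter()
    for line in lines:
        ev = parse_kv(line)
        code, kind = ev.get("EventCode"), ev.get("Type", "")
        is_failure = (code == "675"
                      or (code == "672" and kind == "Failure Audit")
                      or (code == "4771" and kind == "Audit Failure"))
        if not is_failure:
            continue
        account = ev.get("Account_Name") or ev.get("User_Name") or ""
        if account.endswith("$") or ev.get("Failure_Code") == "0x19":
            continue
        counts[account] += 1
    return {a: n for a, n in counts.items() if n > threshold}


XSS_INDICATORS = ("&#", "script", "`", "cookie", "alert", "%00")


def xss_hits(lines):
    """[XSS] search: (line number, indicators found), matched case-insensitively."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = [t for t in XSS_INDICATORS if t in line.lower()]
        if found:
            hits.append((n, found))
    return hits


def sqli_hits(lines):
    """[SQL Inj] search: line numbers with a quote plus = or ;, 'drop table', or --."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        if (("'" in low and ("=" in low or ";" in low))
                or "drop table" in low or "--" in low):
            hits.append(n)
    return hits


if __name__ == "__main__":
    print("failed logons:", failed_logons(WIN_EVENTS.splitlines()))
    print("xss:", xss_hits(APP_LOG.splitlines()))
    print("sqli:", sqli_hits(APP_LOG.splitlines()))
```

On the sample, jdoe and the vendor account cross the failed-logon threshold while the workstation account and the user who only needed pre-authentication do not; one request trips the XSS indicators and two trip the SQL-injection ones. The XSS and SQL tests are the paper's broad substring checks, so expect them to fire on benign traffic (any "--" in a query string, "script" inside "description"); they are a starting point for the "start small, then get better" tuning the slide recommends, not a finished signature set.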
  57. PHYSICAL SECURITY
  58. Physical security – WHAT TO ASK • Do you allow OEM devices to be connected to your network? • Do you allow vendors/contractors access to the facility and internal network? • Do you have mobile devices in your enterprise? • How do you secure them? • You know what I’m going to say! • Are you sure?
  59. Physical security – WHAT TO DO • USB sticks • Use GPOs to restrict what can connect to your network (least cost) or use DLP software to restrict data that can be moved (most costly) • Disable Autorun (GPO) • Physically restrict your network • Guest cubes or multiple drops with ports on the untrusted network • Security of mobile devices • Enforce screen lock; this may be the most meaningful control with the least impact • Encryption of data at rest • Awareness of connected devices
  60. Physical security – TOOLBOX • ADM templates to disable USB • http://blogs.technet.com/b/danstolts/archive/2009/01/21/disable-adding-usb-drive-and-memory-sticks-via-group-policy-and-group-policy-preferences.aspx • Physically restrict your network • Guest cubes or multiple drops with ports on the untrusted network • Security of mobile devices • Enforce screen lock (GPO); this may be the most meaningful control with the least impact • Encryption of data at rest (BitLocker) • Awareness of connected devices • Simple PowerShell commands • http://help.outlook.com/en-us/140/gg985420.aspx
  61. Physical Security Described • Physical security would not have been applicable to our case study • Physical security is important when you have non-employees in a facility who can access your internal network • Physical security is important when you have assets that travel outside your network
  62. BACKUP STRATEGY
  63. Backup strategy – WHAT TO ASK • Do you have a backup strategy? • Is it documented? • Does it align with your business needs? • Backups cost money, time and resources • Do you back up more than you need? • Do you have resources to verify/restore backups? • Do you regularly test backups? • When was the last time you did, and what were the results? • Did you document this? • ARE YOU SURE?
  64. Backup strategy – WHAT TO DO • Create a policy for regular backups • Identify critical systems & backup frequency • If you have a DRD in place, make sure it’s being adhered to • Document a Recovery Time Objective (RTO) and a Recovery Point Objective (RPO) for your backups • This aligns with disaster planning • Must be done in alignment with your business • VERIFY YOUR BACKUPS • This is not negotiable or avoidable!
  65. Back to Basics ratings, on the DSD scale (adapted from http://www.asd.gov.au/infosec/top-mitigations/top35mitigations-2014-table.htm). Upfront cost covers staff, equipment and technical complexity; maintenance cost is mainly staff.
  Mitigation strategy | Overall security effectiveness | User resistance | Upfront cost | Maintenance cost | Helps detect intrusions | Mitigates stage 1: code execution | Mitigates stage 2: network propagation | Mitigates stage 3: data exfiltration
  Reconnaissance | Excellent | Low | Low | Low | Yes | Possible | Yes | No
  Network segmentation | Excellent | Low | Medium | Low | No | Possible | Yes | Yes
  Account management | Excellent | Medium | Low | Low | No | Yes | Yes | Possible
  Controlled access | Essential | Medium | Medium | Low | No | Possible | Yes | No
  Auditing/accounting | Excellent | Low | High | Medium | Yes | No | No | No
  Physical Security | Good | High | Low | Medium | No | Yes | Yes | Yes
  Backup Strategy | Excellent | Low | High | Medium | No | No | No | Yes
  66. GOVERNANCE TOOLBOX
  67. Change management • Who approves your security changes? • Is this documented and reviewed periodically? • Who reviews your security changes for accuracy? • Who follows up to verify the changes are still accurate? • Document reasons for changes, approvals and mitigations • ARE YOU SURE?
  68. Establish a governance calendar • The calendar contains your regular cadence of review activity • You can script reminders to the entities responsible for the review • SharePoint • Google scripts (Google Calendar) • http://corporateservices.schwab.com/public/corporate/compliance_solutions • Work this activity into your existing processes so it gets prioritized • Time-box those activities! • Get SLAs/SLOs from the teams on which you rely to perform these activities
  69. TO CONCLUDE…
  70. Important Enterprise Infosec Lessons • There is no magic bullet – infosec is multi-layered and multi-disciplinary • Infosec will cost you time, money and resources – measure your value appropriately • Infosec is an active discipline; it requires care and feeding, you cannot install and forget • Time is the enemy of infosec; the longer it takes, the higher the risks • Infosec is a value add for your business, and it is up to you to show it • Infosec is not a department of “no.” Market yourself like a startup
  71. Security basics put simply… • 1. If you think technology can fix security, you don’t understand technology and you don’t understand security. • 2. The root cause of a security incident is rarely about the technology and almost always about the implementation. • 3. Humans will always be the weakest link in the security chain. Awareness will mitigate the vast majority of your security issues … spend time and money on educating everyone in your company about security.
  72. APPENDIX
  73. Tools & references list • http://csc-hub.com/ - Ken Evan’s awesome 20 CSC site • http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx - AD rights delegation • http://sectools.org/ - List of pay and free network tools • http://www.poshsec.com/ - PowerShell scripts that support the 20 CSC • http://www.asd.gov.au/infosec/top35mitigationstrategies.htm - Australian DSD Top 35 • http://www.counciloncybersecurity.com – Council on Cybersecurity • https://www.sans.org/reading-room/whitepapers/logging/discovering-security-events-interest-splunk-34272 - Carrie Roberts white paper on logging • http://www.jwgoerlich.us/blogengine/post/2014/04/29/Update-on-Story-Driven-Security.aspx - J. Wolfgang Goerlich and Nick Jacob’s work on effective threat modeling • http://www.theguardian.com/commentisfree/2014/may/06/target-credit-card-data-hackers-retail-industry - Brian Krebs’s op-ed on the current state of the Target breach and some of the false pretenses
  74. Contact info • Joel Cardella • Twitter: @JoelConverses • Email: jscardella@pobox.com • IRC: #misec on Freenode (joel_s_c)
