It's 2012 and My Network Got Hacked - Omar Santos


Many times security professionals, network engineers, and management ask, "Why did I spend all this money on network security equipment if I still got hacked?" Often questions like these run through their minds: "Am I not buying the right security products? Am I not configuring or deploying them correctly? Do I have the right staff to run my network?" The security lifecycle requires measuring the current network state, creating a baseline, and providing constant improvements. This presentation covers several real-life case studies of how different network segments were compromised despite state-of-the-art network security technologies and products being deployed. We will go over several security metrics that you should understand in order to better protect your network.

Omar Santos is an Incident Manager at Cisco's Product Security Incident Response Team (PSIRT). Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government. He has delivered numerous technical presentations at several venues, as well as executive presentations to CEOs, CIOs, and CSOs of many organizations. He is also the author of 4 Cisco Press books, with two more in the works.

Published in: Technology

  1. It's 2012 and My Network Got Hacked
  2. The good guys need to be correct 100% of the time
  3. The bad guys need to be correct just ONCE
  4. Ten years ago, employees were assigned laptops and told not to lose them. They were given logins to the company network and told not to tell anyone their password. "End of security training."
  5. Today your workers are loaded with devices, and not overly concerned about security
  6. According to past studies, "the Internet" will DOUBLE in size every 5.32 years.
  7. More connected devices than people (Source: Cisco ISBG)
  8. 5 billion mobile users by 2016 (Source: Cisco VNI Global Mobile Data Forecast)
  9. Remote Access and BYOD
  10. What About Social Media?
  11. Cybercrime Return on Investment Matrix (Source: Cisco Annual Security Report)
  12. Vulnerability and Threat Categories (Source: Cisco Annual Security Report)
  13. Malware encounters per month (11 per day!)
  14. 200% increase over the same period a year ago…
  15. Is that scary?
  16. Well… It will probably get worse!
  17. Free It Up? or Lock It Down?
  18. How Do You Measure Security?
  19. Agenda: Case Studies
      • Case Study 1: Remote Access VPN #FAIL
      • Case Study 2: Great Homework!
      • Case Study 3: Awesome New Leet Gadgets
      • Case Study 4: Pwning the Data Center
  20. Case Study 1: Remote Access VPN #FAIL
  21. Remote Access: How Admins Continue to #FAIL
      What happened? Unauthorized access via clientless SSL VPN, several times over about 3-4 weeks. The attacker was able to compromise other internal systems and stole several documents / information.
      How it happened… The attacker exploited the "Authentication Bypass Vulnerability" described in CVE-2010-0568. The Cisco ASA was not patched for the vulnerability.
  22. How It Was Detected… Uh? In a monthly VPN activity report, admins noticed that a user called anonwannabe logged in several times over a period of 3-4 weeks. Say What!?!?! The username did not conform to their Active Directory standards. Seriously? After further investigation, they found that VPN authentication was being bypassed in their Cisco ASA cluster as a result of CVE-2010-0568. OLD CVE!
  23. What Technologies Did You Have In Place?
      • Only allowed VPN traffic to ASAs
      • External user authentication (AD/NTLM)
      • ASA VPN cluster
      • Idle and session timeouts
      • Road warriors leveraged DAP
      • Disabled split-tunneling
      • VPN traffic inspected by IPS
      (© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public)
  24. Patch Management – Proactive Security
      Timeline: Vulnerability announced by vendor → Identify affected devices → Identify workarounds → Patch/fix is obtained → Patch/fix is tested → Patch is implemented
      • Identification/Awareness: you need to keep up with vulnerability announcements from vendors at all times.
      • Correlation: identify vulnerable devices; identify potential workarounds and mitigations.
      • Fix Tested and Implemented: test; certify image/software; implement at network.
  25. Incident Management – Reactive Security
      Timeline: T0 → Te → Ti → Tc, with Tevent = (Te - T0), Tincident = (Ti - Te), Tcontainment = (Tc - Ti)
      • T0 = Time when an event occurs on the network
      • Te = Time when the event is detected on the network
      • Ti = Time when the event is classified as an incident
      • Tc = Time when the incident is contained on the network
  26. Analyzing and Applying Security
      • Business Relevance: identify business goals and objectives; threats to goals and objectives. (Specific business goals, and the threats to goal attainment.)
      • Security Policies: threat and risk assessment; security policies; security operations. (Describes the iterative development and monitoring of security policies.)
      • Security Principles: visibility; control. (Describes the primary security principles that are affected by security policies.)
      • Security Actions: monitor, correlate, harden, isolate, enforce. (Describes essential actions that enable visibility and control.)
  27. Security Control Framework: a framework for the key principles required by a network to achieve a strong security posture
      • Total Visibility (identity, trust, compliance, event and performance monitoring): Identify - identify who or what is using the network; Monitor - observe and monitor activities occurring on the network; Correlate - build intelligence from activities occurring on the network
      • Complete Control (security policy enforcement and event mitigation): Harden - withstand and recover from security anomalies; Isolate - separate and create boundaries around users, traffic and devices; Enforce - ensure the network conforms to a desired state or behavior
      Increase security and resiliency in networks and services.
  28. Creating Security Metrics
      Provides a tool for security folks to measure the effectiveness of various components of their security programs, product or process, and the ability of staff to address security issues for which they are responsible.
      Can also help identify the level of risk in not taking a given action, and in that way provide guidance in prioritizing corrective actions.
      With gained knowledge, security managers can better answer hard questions from their executives and others, such as: Are we more secure today than we were before? Have we improved from last year? Are we secure enough?
  29. Operational Security Metrics
      • Incident Management: How long does it take to identify an event? How long does it take to identify an incident? How long does it take to contain an incident?
      • Device Compliance: What percent of devices are in compliance with the certified software image? What percent of devices are in compliance with standard configuration templates?
  30. Operational Security Metrics
      • Patch Management: How long does it take you to become aware of new vulnerability announcements from vendors? How long does it take to identify affected devices? How long does it take to implement workarounds (when available)? How long does it take for you to test and implement the fix/patch?
  31. Case Study 2: Great Homework and Clever Attack
  32. What Happened.. The attacker compromised users and was able to gain access to higher-profile user information and data. "I have NO clue what's happening"
  33. How It Happened..
      (1) Found users to target from sites like Facebook
      (2) Sent targeted email with malicious attachment ("You Got Mail!!!")
      (3) Naïve users opened the exploit that installed a backdoor
      (4) Other users and devices were attacked for escalation of privileges
      (5) Data was acquired from targeted servers
      (6) Data was transferred externally
  34. How *It* was Detected.. They were notified by external sources that several internal confidential records/documents were posted. After post-incident forensic activity, they found several machines communicating over TCP port 6969 outside of the US.
  35. What Technologies Did You Have In Place? (core, distribution and access layers)
      • AAA in all networking devices
      • Secure protocols such as SSH
      • Redundancy (logical & physical)
      • NetFlow and event monitoring
      • Firewalls
      • Intrusion Prevention Systems (IPS)
      • Control Plane Policing (CoPP)
      • Virtual Switch Systems (VSS)
      • Endpoint protection (AV, FW)
      • Layer 2 and 3 security practices
  36. Quick Analysis of the Attack
      • Exploited human weaknesses
      • Exploited zero-day vulnerabilities
      • Exploited gaps in infrastructure
      • Exploited gaps in network monitoring
  37. All Those Technologies and Still Got Pwned?
      • User Awareness Training: social media threats; security policies; emerging threats. Leverage training from Facebook security, APWG and Stop Badware.
      • E-Reputation Monitoring and Control: email reputation; web reputation.
      • Why allow traffic to ports known for botnets?
      • Is monitoring enabled on all network and security devices?
  38. Operational Security Metrics
      • User Awareness Training: What percent of employees have read and acknowledged the corporate security policies?
      • Monitoring: What percent of unauthorized data flows are found on firewalls? What percent of network and security devices are being remotely monitored? What percent of the network is being content filtered?
  39. Case Study 3: Leet Gadgets Can Go Shopping!
  40. Acme Industries: Branch Office Network. Branch Network 1 and Branch Network 2 connected over a private corporate WAN network.
  41. How It Happened.. Our retail store in Mobile, Alabama was, apparently, not physically secured. Hackers plugged in and hid a wireless DEVICE on the network. They sniffed traffic to extract user credentials with escalated privileges. They controlled the router over an encrypted wireless connection. Finally, they transferred sensitive data outside of the network.
  42. How *It* was Detected.. Law enforcement agencies traced a number of fraudulent purchases all over the country, with one commonality – all victims had used their cards in our company stores.
  43. What Technologies Did You Have In Place? (branch network and private corporate WAN network)
      • AAA in all networking devices
      • Secure protocols such as SSH
      • Redundancy (logical & physical)
      • NetFlow and event monitoring
      • Routing protocol security
      • WAN edge acting as firewall & IPS
      • Control Plane Policing (CoPP)
      • QoS for traffic prioritization
      • GETVPN to encrypt all WAN traffic
  44. What stops someone from plugging this in?
  45. All Those Technologies and Still Got Pwned?
      • AAA: network device management restricted access; network authentication? user authentication?
      • Shutting down unused ports?
      • Unlocked/unrestricted wiring closets?
      • Physical Security: monitoring via cameras?
      • Traffic filtering from branch to corporate network?
      • Guest access with network restrictions?
  46. Operational Security Metrics
      • Device Identity Management: What percent of unauthorized devices are on the network? How long does it take to locate a device from its IP address in real-time? How long does it take to locate a device from its IP address using historical logs?
      • User Identity Management: What percent of unauthorized users are on the network? How long does it take to identify a user from its IP address in real-time? How long does it take to identify a user from its IP address from historical logs?
  47. Case Study 4: Pwning the DC!
  48. What Happened!?!? Hackers stole customer data that was stored in a datacenter in North Carolina.
  49. How Did It Happen.. A newly installed server hosting an in-house-developed application was compromised and the attacker was able to gain access to numerous records from other servers and databases. (Diagram: Corporate Network; Data Center Core, Cat 6k; Aggregation Layer, Nexus 7k and ASA 5585X; Services Layer, ACE + WAF; Access Layer, Cat 6k and IPS; UCS; SAN Storage)
  50. Quick Analysis of the Attack
      • Exploited vulnerability in open source software used in the new application, along with other insecure coding practices
      • Exploited zero-day vulnerabilities in the underlying Linux operating system
      • Exploited gaps in DC infrastructure
  51. What Technologies Did You Have In Place? Firewalls, IPS, WAFs, NetFlow (same data center diagram: Cat 6k core, Nexus 7k aggregation with ASA 5585X, ACE + WAF services layer, Cat 6k access layer with IPS, UCS, SAN storage)
  52. Firewalls at the aggregation layer provide an excellent filtering point and first layer of protection. However, they do not provide isolation between servers/services.
  53. All Those Technologies and Still Got Pwned?
      • Application Security: keep up with 3rd party security patches. Secure code best practices: static analysis; ASLR, X-Space; safe C libraries and OWASP Java libraries.
      • DC Infrastructure Security: isolation provides the first layer of security for the data center and server farm. Depending on the goals of the design it can be achieved through the use of firewalls, access lists, VLANs, and/or physical separation.
  54. What Happens in a Virtualized Environment.. Traffic flows within virtualized environments sometimes do not even touch physical devices. For example, traffic between these VMs does not even leave the physical hardware.
  55. Virtual Security Gateways (VSGs)
      • You can transparently insert a Cisco VSG into the VMware vSphere environment where the Cisco Nexus 1000V distributed virtual switch is deployed.
      • One or more instances can be deployed on a per-tenant basis.
      • Tenants are isolated from each other, so no traffic can cross tenant boundaries.
      • You can deploy the Cisco VSG at the tenant level, at the virtual data center (vDC) level, and at the vApp level.
  56. Operational Security Techniques and Metrics
      • Application Robustness: How often do you perform application robustness audits (i.e., fuzzing, secure coding best practices, and patching)? What percentage of all applications are tested for security vulnerabilities in a consistent and repeatable manner?
  58. THANK YOU!
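Slide 22's detection hinged on a username in a monthly VPN activity report that did not fit the directory's naming standard. As an added example (not part of Omar's deck), this Python runs that check over a constructed report and reports how many logins the odd account made and over how many days; the report line format, the naming convention, the roster and the sample lines are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed directory naming standard (not from the deck): first initial, dot, surname.
AD_USERNAME = re.compile(r"^[a-z]\.[a-z]{2,20}$")
DIRECTORY = {"j.smith", "m.ortiz", "a.chen"}  # constructed roster of real accounts
# Assumed report line layout: ISO timestamp, then user=, src=, result= fields.
LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")

# Constructed monthly VPN activity report; the odd account mirrors slide 22.
REPORT = """\
2010-03-02T07:55:10Z user=j.smith src=198.51.100.14 result=success
2010-03-02T21:14:05Z user=anonwannabe src=203.0.113.7 result=success
2010-03-09T22:01:40Z user=anonwannabe src=203.0.113.7 result=success
2010-03-15T08:10:00Z user=m.ortiz src=198.51.100.22 result=success
2010-03-25T23:42:12Z user=anonwannabe src=203.0.113.9 result=success
2010-03-28T11:03:33Z user=a.chen src=198.51.100.30 result=failure
""".splitlines()

def parse(lines):
    """Yield one dict per well-formed report line, with ts as a datetime."""
    for line in lines:
        m = LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield rec

def review(lines):
    """One finding per account with successful logins whose name breaks the
    directory convention or is not in the directory roster."""
    logins = defaultdict(list)
    for rec in parse(lines):
        if rec["result"] == "success":
            logins[rec["user"]].append(rec["ts"])
    findings = []
    for user, times in sorted(logins.items()):
        reasons = []
        if not AD_USERNAME.match(user):
            reasons.append("name violates directory convention")
        if user not in DIRECTORY:
            reasons.append("account not in directory")
        if reasons:  # how many logins and over how long, as the slide-22 report showed
            findings.append({"user": user, "logins": len(times),
                             "span_days": (max(times) - min(times)).days,
                             "reasons": reasons})
    return findings
```

Calling `review(REPORT)` returns a single finding for anonwannabe: 3 successful logins spread over 23 days, flagged on both counts.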
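Slide 25 defines the reactive-security timeline and slide 29 asks how long each stage takes. As an added example (not part of Omar's deck), this Python computes Te-T0, Ti-Te and Tc-Ti for each incident and averages them across a constructed sample; the class, function names and timestamps are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

@dataclass(frozen=True)
class IncidentTimeline:
    """The four timestamps slide 25 defines for one incident."""
    name: str
    t0: datetime  # T0: event occurs on the network
    te: datetime  # Te: event is detected
    ti: datetime  # Ti: event is classified as an incident
    tc: datetime  # Tc: incident is contained

    def __post_init__(self):
        if not (self.t0 <= self.te <= self.ti <= self.tc):
            raise ValueError(f"{self.name}: need T0 <= Te <= Ti <= Tc")

    def hours(self):
        """Tevent = Te-T0, Tincident = Ti-Te, Tcontainment = Tc-Ti, in hours."""
        def span(a, b):
            return (b - a).total_seconds() / 3600
        return {"time_to_detect": span(self.t0, self.te),
                "time_to_classify": span(self.te, self.ti),
                "time_to_contain": span(self.ti, self.tc)}

def program_metrics(incidents):
    """Average each duration over all incidents: the slide-29 questions
    'how long to identify an event / an incident / contain an incident'."""
    per_incident = [inc.hours() for inc in incidents]
    return {key: round(mean(p[key] for p in per_incident), 2) for key in per_incident[0]}

# Constructed sample data. The first record is modelled on the slide-22 story
# (abuse noticed only in a monthly report after roughly four weeks); the second
# is an invented quick catch for contrast.
SAMPLE = [
    IncidentTimeline("vpn-auth-bypass",
                     datetime(2011, 3, 1, 9, 0), datetime(2011, 3, 29, 8, 0),
                     datetime(2011, 3, 29, 14, 0), datetime(2011, 3, 30, 14, 0)),
    IncidentTimeline("phish-backdoor",
                     datetime(2011, 4, 4, 10, 0), datetime(2011, 4, 4, 22, 0),
                     datetime(2011, 4, 5, 2, 0), datetime(2011, 4, 5, 8, 0)),
]

if __name__ == "__main__":
    for key, hrs in program_metrics(SAMPLE).items():
        print(f"{key}: {hrs} h")
```

The four-week detection gap in the VPN record dominates the average time to detect, which is exactly the number a monthly report cadence produces and a real-time check would shrink.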