The document discusses the evolution of network security concerns from 2012, highlighting the frequency of cyberattacks, the inadequacies in current security measures, and case studies of security breaches. It emphasizes the need for proactive patch management, incident management, and the establishment of effective security policies to mitigate risks. Additionally, it explores the influence of social media, device vulnerabilities, and the importance of security metrics in evaluating organizational security posture.

1. It's 2012 and My Network Got Hacked

2. the good guys need to be correct
100%
of the time

3. the bad guys need to be correct just
ONCE

4. Ten years ago,
employees were
assigned laptops
and told not to lose
them.
They were given
logins to the
company network,
and told not to tell
anyone their
password.
“End of security training.”

5. Today Your Workers are
Loaded with Devices, and Not Overly
Concerned About Security

6. According to PAST Studies
“the Internet” will DOUBLE
in size every 5.32 years.

7. More Connected Devices than People
Source: Cisco ISBG

8. 5 billion mobile users
by 2016
Source: Cisco VNI Global Mobile Data Forecast

10. Remote Access and BYOD

11. What About
Social Media?

12. Cybercrime Return on Investment Matrix
Source: Cisco Annual Security Report

13. Vulnerability and Threat Categories
Source: Cisco Annual Security Report

14. malware encounters per month
(11 per day!)

15. 200%
increase over the same period a year ago…

16. Is that scary?

17. Well…
It will probably get worse!

18. Free It Up?
or
Lock It Down?

19. How Do you Measure Security?

20. Agenda: Case Studies
Case Study 1: Remote Access VPN #FAIL
Case Study 2: Great Homework!
Case Study 3: Awesome New leet Gadgets
Case Study 4: Pwning the Data Center

21. Templates
Your own sub headline
REMOTE ACCESS VPN
#FAIL
CASE STUDY 1

22. Remote Access
How Admins Continue to #FAIL
What Happened? How It Happened…
Unauthorized Access via
1 Attacker Exploited the
“Authentication Bypass
Clientless SSL VPN several Vulnerability” described in
times for about 3-4 weeks. CVE-2010-0568
The Cisco ASA was not patched for
the vulnerability
Attacker was able to compromise
other internal systems and stole
several documents / information.

23. How It Was Detected…
Your own sub headline
Uh?
In a monthly VPN activity report admins
Monthly VPN Activity Report noticed that a user called anonwannabe
logged in several times for a period of 3-4
weeks.
Say What!?!?!
The username did not conform to their
User anonwannabe?? active directory standards.
Seriously?
After further investigation, they found that
OLD CVE! VPN authentication was being bypassed in
their Cisco ASA cluster as a result of CVE-
CVE-2010-0568 2010-0568.

24. What Technologies Did You Have In
Place?
Only allowed VPN traffic to ASAs
External user authentication
AD/NTLM authentication
ASA
VPN
Cluster Idle and session timeouts
Road warriors Leveraged DAP
Disabled Split-tunneling
VPN traffic inspected by IPS
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public

25. Patch Management – Proactive Security
Vulnerability
Announced Identify Patch/Fix is
by Vendor Workarounds Tested
Identify Patch/Fix is Patch is
Affected Obtained Implemented
Devices
Identification/ Fix Tested and
Awareness
Correlation Implemented
• You need to keep • Identify vulnerable • Test
up with devices • Certify
vulnerability • Identify potential Image/Software
announcements workarounds and • Implement
from vendors at network mitigations
all times.

26. Incident Management – Reactive Security
T0 Te Ti Tc
TEvent Tincident Tcontainment
(Te-To) (Ti-Te) (Tc-Ti)
To = Time when an event occurs on the network
Te = Time when the event is detected on the network
Ti = Time when the event is classified as an incident
Tc = Time when the incident is contained on the network

27. Analyzing and Applying Security
Business Relevance Security Policies Security Principals Security Actions
Identify
Business Goals Threat and Risk
and Objectives Assessment Visibility Monitor
Correlate
???
Security
Policies
Harden
Threats to Goals
Control Isolate
Security
and Objectives Operations
Enforce
Specific business goals, and the Describes the iterative Describes the primary security Describes essential actions
threats to goal attainment development and monitoring of principals that are affected by that enable Visibility and
security policies security policies Control

28. A framework for the key principals required by a network to achieve a
strong security posture
Security Control Framework
Total Visibility Complete Control
Identity, Trust, Compliance, Event, and Security Policy Enforcement and Event
Performance Monitoring Mitigation
Identify Monitor Correlate Harden Isolate Enforce
Separate and
Observe and Build
Withstand and create Ensure network
Identify who or monitor intelligence
recover from boundaries conforms to a
what is using activities from activities
security around users, desired state or
the network occurring on the occurring on the
anomalies traffic and behavior
network network
devices
Increase Security and Resiliency in Networks and Services

29. Creating Security Metrics
Provides tool for security folks to measure the effectiveness of various
components of their security programs, product or process, and the ability
of staff to address security issues for which they are responsible
Can also help identify the level of risk in not taking a given action, and in
that way provide guidance in prioritizing corrective actions
With gained knowledge, security managers can better answer hard
questions from their executives and others, such as:
Are we more secure today Have we improved from
Are we secure enough?
than we were before? last year?

30. Operational Security Metrics
• How long does it take to identify an event?
Incident
• How long does it take to identify an incident?
Management
• How long does it take to contain an incident?
• What percent of devices are in compliance with
Device certified software image
Compliance
• What percent of devices are in compliance with
standard configuration templates?

31. Operational Security Metrics
• How long does it take you to become aware
of the new vulnerability announcements
from vendors?
• How long does it take to identify affected
devices?
Patch
Management • How long does it take to implement
workarounds (when available)?
• How long does it take for you to test and
implement the fix/patch?

32. Templates
Your own sub headline
GREAT HOMEWORK
AND CLEVER ATTACK
CASE STUDY 1

33. What Happened..
Attacker Compromised Users
and were able to gain access
to higher-profile user
information and data.
I have NO clue
what’s happening
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public

34. How It Happened..
1 6
Data was
Found users transferred
to target externally
from sites
like
Facebook
3 5
Data was
Naïve users
acquired
opened the
from
exploit that
targeted
2 installed a
You Got servers
backdoor.
Sent Mail!!!
Targeted
email with 4
malicious
Other users and devices
attachment
were attacked for
escalation of privileges

35. How *It* was Detected..
They were notified by external sources that several
internal confidential records/documents were
posted. After post-incident forensic activity, they
found several machines communicating over TCP
port 6969 outside of the US

36. What Technologies Did You Have In Place?
AAA in all Networking Devices
Secure Protocols such as SSH
Core Layer
Redundancy (Logical & Physical)
NetFlow and Event Monitoring
Distribution Layer
Firewalls
Intrusion Prevention Systems (IPS)
Control Plane Policing (CoPP)
Virtual Switch Systems (VSS)
Access Layer Endpoint Protection (AV, FW)
Layer 2 and 3 security practices

37. Quick Analysis of the Attack
Exploited Human Weaknesses
Exploited Zero-day vulnerabilities
Exploited Gaps in Infrastructure
Exploited Gaps in Network Monitoring

38. All Those Technologies and Still Got Pwned?
E-Reputation
Monitoring and Control
Social Media Email Why allowed
User Awareness Training
Threats Reputation traffic to ports
Security Web known for
Policies Reputation Botnets?
Emerging
Threats Is monitoring
Leverage enabled on all
Training: network and
• Facebook
security
• APWG devices?
• Stop Badware

39. Operational Security Metrics
User
Awareness • What percent of employees have read and
Training acknowledged the corporate security policies
• What percent of unauthorized data flows are
found on firewalls
Monitoring • What percent of network and security devices are
being remotely monitored?
• What percent of network is being content filtered

40. Templates
Your own sub headline
LEET GADGETS CAN
GO SHOPPING!
CASE STUDY 1

41. Acme Industries:
Branch Office Network
Branch Network 1
Private
Corporate WAN
Network
Branch Network 2

42. How It Happened..
Our retail store in
Mobile, Alabama
was, apparently, not
physically secured.
Finally, they Hackers plugged
transferred sensitive and hid a wireless
data outside of the DEVICE on the
network network
They sniffed traffic They controlled the
to extract user router over an
credentials with encrypted wireless
escalated privileges connection

43. How *It* was Detected..
Law enforcement agencies
traced a number of fraudulent
purchases all over the country,
with one commonality – all
victims had used their cards in
our company stores.

44. What Technologies Did You Have
In Place?
AAA in all Networking Devices
Secure Protocols such as SSH
Branch Network
Redundancy (Logical & Physical)
NetFlow and Event Monitoring
Private
Corporate WAN
Network Routing Protocol Security
WAN edge acting as firewall & IPS
Control Plane Policing (CoPP)
QoS for traffic prioritization
GETVPN to encrypt all WAN traffic

45. What stops someone from plugging this in?

46. All Those Technologies and
Still Got Pwned?
Network Device Shutting down Unlocked/unrest
Physical Security
AAA Management
Restricted Access
Authentication? unused ports? ricted wiring
Network User closets?
Authentication? Traffic filtering
Guest Access from branch to Monitoring via
with network corporate cameras?
restrictions? network?

47. Operational Security Metrics
• What percent of unauthorized devices are on
Device the network?
• How long does it take to locate device from its
Identity IP address in real-time?
Management • How long does it take to locate device from its
IP address using historical logs?
• What percent of unauthorized users are on
User the network
• How long does it take to identify user from its
Identity IP address in real-time?
Management • How long does it take to identify user from its
IP address from historical logs?

48. Templates
Your own sub headline
PWNING THE DC!
CASE STUDY 1

49. What Happened!?!?
Hackers stole customer data that
was stored in a datacenter in North
Carolina.

50. How Did It Happen..
Corporate Network
Cat 6k Cat 6k
Data Center
Core
A newly installed server hosting an in-
house-developed application was Nexus Nexus Aggregation Layer
7k 7k ASA
compromised andASA attacker was able to
5585X 5585X
gain access to numerous records from
other servers and databases.
ACE + WAF Services Layer
Cat 6k
Cat 6k
Access Layer
IPS IPS
SAN
N SAN
UCS
Storage
Storage

51. Quick Analysis of the Attack
Exploited Vulnerability in Open Source
Software used in new application along with
other insecure coding practices
Exploited zero-day vulnerabilities in
underlying Linux Operating System
Exploited Gaps in DC Infrastructure

52. What Technologies Did You Have In
Place?
Firewalls, IPS, WAFs, Netflow Cat 6k
Data Center Cat 6k
Core
Nexus Nexus Aggregation Layer
7k 7k ASA
ASA
5585X 5585X
ACE + WAF Services Layer
Cat 6k
Cat 6k
Access Layer
IPS IPS
SAN SAN
UCS
Storage
Storage

53. Firewalls at the aggregation layer
Corporate Network excellent filtering
provide an
point and first layer of
Cat 6k
protection.
Cat 6k
Data Center
Core
Nexus Nexus Aggregation Layer
7k 7k ASA
ASA
5585X 5585X
However, they do not provide
ACE + WAF Services Layer
isolation between
servers/services Cat 6k
Cat 6k
Access Layer
IPS IPS
SAN SAN
UCS
Storage
Storage

54. All Those Technologies and Still Got
Pwned?
Keep up with 3rd Party Isolation provides
Application Security
DC Infrastructure
Security Patches the first layer of
security for the data
center and server-
Secure Code Best farm.
Practices:
Depending on the
- Static Analysis
goals of the design it
- ASLR, X-Space can be achieved
- Safe C Libraries and through the use of
OWASP Java libraries firewalls, access lists,
VLANS, and/or
physical separation.

55. What Happens in a Virtualized
Environment..
Traffic flows within
virtualized environments
sometimes do not even
touch physical devices.
For example, traffic
between these VMs do
not even leave the
physical hardware.

56. Virtual Security Gateways (VSGs)
• You can transparently insert a
Cisco VSG into the VMware
vSphere environment where
the Cisco Nexus 1000V
distributed virtual switch is
deployed.
• One or more instances can
be deployed on a per-tenant
basis.
• Tenants are isolated from
each other, so no traffic can
cross tenant boundaries.
• You can deploy the Cisco
VSG at the tenant level, at
the virtual data center (vDC)
level, and at the vApp level.

57. Operational Security Techniques
and Metrics
• How often do you perform
application robustness audits
(i.e., fuzzing, secure coding best
practices, and patching)?
Application • What percentage of all
Robustness. applications are tested for
security vulnerabilities in a
consistent and repeatable
manner?

58. SECURITY METRICS

59. THANK YOU!
Your Logo