11. The Lifecycle Security Model: Key to Success
  Identify systems and assets on the network and identify critical vulnerability points; define and document an organizational security policy; identify changes to network infrastructure and check compliance with policies.
12. Strategic Business Risks
  Regulatory action; corporate liability; indirect costs; loss of customer confidence.
14. Security Critical to e-Business Success
  Chart: importance of security among e-business solution decision criteria. Source: IDC.
15. Soaring Costs and Security Breaches
  Source: survey of 538 computer security professionals conducted by the Computer Security Institute (CSI) and the US Federal Bureau of Investigation (FBI).
19. Average Reported Losses (2000 CSI/FBI Computer Crime and Security Survey)
  Chart categories, in slide order: unauthorized insider access; theft of proprietary information; outside system penetration; financial fraud; sabotage and denial of service.
  Values shown, in the same order: $1.1M+; $1.0M+; $617,000; $536,000; $172,000.
34. Denial of Service Example: LAND Attack
  A spoofed IP packet is crafted so that the packet is effectively sent back to itself (its source address and port are the same as its destination address and port). The target answers itself, again and again, until the Unix server crashes.
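The defining feature of a LAND packet, that it claims to come from the very address and port it is addressed to, is something a packet filter or network IDS can check directly in the IPv4 and TCP headers. The following is an added example (not code from the original slides or from any Symantec product) that parses raw IPv4+TCP frames and flags packets whose source equals their destination. The frames are constructed in the block itself, are never transmitted, and carry zero checksums, which the detector does not inspect.

```python
import ipaddress
import struct
from typing import List, NamedTuple, Optional


class PacketSummary(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def parse_ipv4_tcp(frame: bytes) -> Optional[PacketSummary]:
    """Pull addresses and ports out of a raw IPv4+TCP packet.

    Returns None for anything that is not a well-formed IPv4/TCP packet,
    so a capture loop can skip it instead of raising on every non-TCP frame.
    """
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or frame[9] != 6 or len(frame) < ihl + 4:
        return None                       # bad IHL, not TCP, or truncated
    src_ip = str(ipaddress.IPv4Address(frame[12:16]))
    dst_ip = str(ipaddress.IPv4Address(frame[16:20]))
    src_port, dst_port = struct.unpack("!HH", frame[ihl:ihl + 4])
    return PacketSummary(src_ip, dst_ip, src_port, dst_port)


def is_land_packet(pkt: PacketSummary) -> bool:
    """LAND signature: the packet claims to come from the socket it targets."""
    return pkt.src_ip == pkt.dst_ip and pkt.src_port == pkt.dst_port


def land_alerts(frames: List[bytes]) -> List[str]:
    """Run the check over captured frames and return one alert line per hit."""
    alerts = []
    for index, frame in enumerate(frames):
        pkt = parse_ipv4_tcp(frame)
        if pkt is not None and is_land_packet(pkt):
            alerts.append(
                f"frame {index}: LAND-style packet {pkt.src_ip}:{pkt.src_port} "
                f"-> {pkt.dst_ip}:{pkt.dst_port} (source equals destination)"
            )
    return alerts


def build_test_frame(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Constructed IPv4+TCP SYN header used only as detector input (never sent).

    Header checksums are left at zero; the detector does not look at them.
    """
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, 0, 0, 64, 6, 0,
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    tcp_header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ip_header + tcp_header


# Constructed capture: two ordinary connection frames, one self-addressed
# frame, and one frame that is not IPv4 at all.
SAMPLE_FRAMES = [
    build_test_frame("192.0.2.10", "198.51.100.5", 40211, 80),
    build_test_frame("198.51.100.5", "192.0.2.10", 80, 40211),
    build_test_frame("198.51.100.5", "198.51.100.5", 139, 139),
    b"\x60" + bytes(39),  # IPv6 version nibble: skipped by the parser
]

if __name__ == "__main__":
    for line in land_alerts(SAMPLE_FRAMES):
        print(line)
```

The same rule is what ingress anti-spoofing filters enforce more broadly: a packet arriving from the Internet should never carry one of your own addresses as its source, and a self-addressed packet has no legitimate reason to exist on the wire.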
38. The New “Integrated Threats” (Internet Nimda Worm Example)
  An integrated threat is a security threat or attack that uses multiple methods to propagate. Estimated damage: Nimda $500M+, Code Red $2.5B.
  Diagram: workstations, file server, mail server, firewall, web servers and mail gateway, with infection arriving via email and via web page.
39. Rapid, Multiple Ways to Spread (Internet Nimda Worm Example)
  1. The worm arrives by email and uses a MIME exploit to execute when the message is merely read or previewed. Infected systems use the worm’s own SMTP server to send email to others.
  2. Users visiting compromised web servers are prompted to download an infected file that contains the worm as an attachment.
40. Just “Any” Firewall Won’t Be Effective (Internet Nimda Worm Example)
  3. Infected systems scan for unpatched IIS servers, then use the Unicode web traversal exploit to gain control of the target server. Commands and messages embedded in the requests produce non-RFC-compliant HTTP packets, and the outbound traffic creates a denial of service.
  4. Nimda scans for and attacks hard disks with file sharing enabled, creating an open network share and a guest account with administrator privileges.
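Step 3 is the one a network or host IDS can see in web server logs, and the reason signature matching alone is not enough: the traversal is hidden behind overlong UTF-8 (for example `%c0%af` for `/`) or double percent-encoding, so a raw search for `..` misses it. The following is an added example, not code from the original slides or from any Symantec product, that normalises request targets the way an unpatched decoder would (repeated percent-decoding, lenient UTF-8 that accepts overlong forms, backslash folded to slash) and then flags any request whose path climbs above the web root. The log format and the sample lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_to_bytes

# Constructed log lines in common log format. Two are ordinary requests (one
# with a properly encoded non-ASCII name), two hide traversal behind overlong
# UTF-8 and double encoding, and one uses a plain '..' that stays inside the root.
SAMPLE_LOG_LINES = [
    '198.51.100.9 - - [18/Sep/2001:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1532',
    '198.51.100.9 - - [18/Sep/2001:10:01:05 +0000] "GET /docs/caf%c3%a9.html HTTP/1.0" 200 812',
    '203.0.113.44 - - [18/Sep/2001:10:02:11 +0000] "GET /scripts/..%c0%af../private/config.ini HTTP/1.0" 200 -',
    '203.0.113.44 - - [18/Sep/2001:10:02:12 +0000] "GET /scripts/..%255c..%255c/private/config.ini HTTP/1.0" 404 -',
    '198.51.100.21 - - [18/Sep/2001:10:03:40 +0000] "GET /images/../index.html HTTP/1.0" 200 1532',
]

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_overlong_utf8(data: bytes) -> str:
    """Lenient UTF-8 decode that accepts overlong 2- and 3-byte forms.

    A strict decoder rejects %c0%af; a lenient one maps it to '/', which is
    exactly the behaviour the traversal relied on, so the detector mimics it.
    Bytes that fit no pattern pass through as single characters.
    """
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        elif 0xE0 <= b <= 0xEF and i + 2 < n and all(0x80 <= x <= 0xBF for x in data[i + 1:i + 3]):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            out.append(chr(cp)); i += 3
        else:
            out.append(chr(b)); i += 1
    return "".join(out)


def normalize_path(raw: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly (catches %25 double encoding), decode leniently,
    and fold backslashes to slashes so '..\\' and '../' are treated alike."""
    text = raw
    for _ in range(rounds):
        decoded = decode_overlong_utf8(unquote_to_bytes(text))
        if decoded == text:
            break
        text = decoded
    return text.replace("\\", "/")


def escapes_root(path: str) -> bool:
    """True if resolving '..' segments ever climbs above the web root."""
    depth = 0
    for seg in path.split("?", 1)[0].split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def analyze_log_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line and report whether its target escapes the root."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group("target")
    normalized = normalize_path(raw)
    traversal = escapes_root(normalized)
    # 'encoded_only' marks hits that a naive check on the raw target would miss.
    encoded_only = traversal and not escapes_root(raw.replace("\\", "/"))
    return {"client": m.group("client"), "target": raw, "normalized": normalized,
            "status": int(m.group("status")), "traversal": traversal,
            "encoded_only": encoded_only}


def find_traversal_attempts(lines: List[str]) -> List[Dict[str, object]]:
    """Return the analysed records for every request that escapes the root."""
    return [r for r in map(analyze_log_line, lines) if r and r["traversal"]]


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG_LINES):
        print(f"{hit['client']} status={hit['status']} encoded_only={hit['encoded_only']}: "
              f"{hit['target']} -> {hit['normalized']}")
```

A hit with a 2xx status is the one to escalate: it means the server actually served something outside its root, which is the "logs can identify systems compromised" point the later slides make. The same normalisation should be applied before any allow/deny decision in a reverse proxy, since matching on the raw, still-encoded target is what the original bypass exploited.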
46. Example Blended Threat Incident
  Blended threats use worms, email and application vulnerabilities, and network shares to gain control of systems. Diagram: blended-threat markers on each host in the network.
58. Vulnerability Management – Scan
  Diagram: vulnerability probes run against groupware servers, database servers, file servers, the web server, the firewall, modems and wireless devices, and the branch office, telecommuter, customer and partner connections.
59. Vulnerability Management
  If you know where you are vulnerable and the risk those vulnerabilities pose to your organization, you can take efficient steps to proactively close them and mitigate the risk to an acceptable level.
77. Deployment Example
  Diagram: desktops, servers and public web servers on the corporate network behind a VelociRaptor and router, with a central administrator; telecommuters, customers and partners, partner web servers and a branch office connect over the Internet.
78. VPN – Office-to-Office and Client
  Diagram: firewall, groupware servers, database servers, file servers, web server and modems, with VPN links to the branch office, telecommuters, wireless devices, customers and partners.
83. VPN Deployment Scenarios
  Diagram of three scenarios, each with public servers and a router facing the Internet: (a) Symantec Enterprise Firewall alongside a separate Symantec Enterprise VPN; (b) Symantec Enterprise Firewall with integrated VPN in front of the internal network; (c) Symantec Enterprise Firewall with a Symantec Enterprise VPN serving the internal network.
84. Personal Firewall with Client VPN
  Diagram: a VPN user without a personal firewall exposes Web, FTP, Telnet, SQLNet and other services to an attacker on the Internet, with the internal network reachable behind the VPN; a VPN user with a personal firewall has those services shielded.
85. Anti-virus – Multi-tier Approach
  Diagram: anti-virus deployed at the firewall, on groupware, database, file and web servers, on modems and wireless devices, and at the branch office, telecommuter, customer and partner endpoints.
86. Virus Evolution
  Chart: number of known viruses over time (source: Symantec), annotated with milestones: macro viruses; polymorphic viruses (Tequila); remote control Trojan (NetBus); mass mailer viruses (LoveLetter/Melissa); PDA virus (Palm Liberty).
88. Symantec Multi-tier Virus Protection
  Gateway/firewall tier: gateways on Solaris and Windows NT/2000; firewalls on Solaris and Windows NT/2000.
  Server tier: Windows NT/2000, NetWare, MS Exchange, Lotus Notes, AIX, OS/390, OS/400, OS/2.
  Desktop tier: Win9x/NT/2000/WinME, DOS/Win16, OS/2, Macintosh.
123. Web Access Management
  Diagram: firewall, e-mail servers, groupware servers, database servers, file servers, web server and modems, with access from the branch office, telecommuters, wireless devices, customers and partners.
124. Traditional Web Access Management
  Diagram: web users and the Internet, a firewall, a service network (DMZ) holding web servers and content plus application servers, each with its own authentication database, and the secure (trusted) network behind them; a hacker is shown on the Internet side.
125. Secure Web Access Management
  Diagram: a proxy server in the service network (DMZ) fronts the web servers and content; the authentication mechanisms (NT auth agent, LDAP auth agent, PKI auth agent, other auth agents) and a central management server sit in the secure (trusted) network.
130. Enterprise Security Management
  Controls: anti-virus, firewall, content filtering, vulnerability management, web access management, intrusion detection.
  Deployed on: web gateways, mail gateways, mail servers, file servers, remote users, desktops.
  Security management console: policy management, incident management, logging, reporting, alerting, updates.
132. Current State of the Security Market: Multi-Tier (Client, Server, Gateway); Multi-Vendor
135. Step 1: Building a Security Policy
  The corporate security policy is the mandate to implement security, the standard by which security is measured, and the basis for all security technology and procedures. Hierarchy: policy; standards; procedures, guidelines and practices.
136. Build your own security policy?
  Government regulations: FFIEC (12 CFR 364), COPPA, FDA, C6, HIPAA (Security & Privacy Rule, still in progress), GLBA, EUDPD.
  Regulators: OCC, OTS, FFIEC, FDIC, FRB, NCUA, SEC (17 CFR 248), FTC (16 CFR 313).
  Standards: CC, BITS, TSSIT. Hierarchy: policy; standards; procedures, guidelines and practices.
139. Certification and/or Attestation
  BS7799, ISO17799, SAS70, Safe Harbor, SysTrust, WebTrust, HIPAA Security. Compliance checking: bring systems into compliance.
140. ESM: Assess and Comply
  ESM compares the actual environment against the policy, standards, and procedures, guidelines and practices to establish compliance.
141. How to Stop an Integrated Threat (Internet Nimda Worm Example)
  Anti-virus: blocks known viruses and worms; scans and inspects all SMTP, HTTP and FTP; detects worm infection; repairs infected files.
  Firewalls: a full-inspection firewall blocks all non-RFC-compliant traffic, blocks outbound server-initiated traffic, and blocks specific exploits while logging the activity.
  Intrusion detection: detects directory traversal exploit traffic; detects probing, specific intrusions and DoS attacks; logs can identify compromised systems; take action by blocking traffic.
  Vulnerability management: server software to identify patches not installed, weak security settings, and unneeded services running.
  Diagram: workstations, file server, mail server, web servers and mail gateway, with infection via email and via web page.
142. Multiple Defenses Work Best (Internet Nimda Worm Example)
  Anti-virus, firewalls, intrusion detection and vulnerability management applied together across the same diagram.
143. Typical Perimeter Threats
  Threats from the Internet: probing, back-door attacks, DoS attacks, IP spoofing attacks, theft and sabotage, web defacement, macro viruses (WM32), mobile code (Melissa).
  Countermeasures: the firewall blocks specific exploits and directs and inspects traffic; anti-virus on the gateway, servers and workstations blocks known exploits arriving via SMTP and detects and cleans files; network IDS detects attacks and alerts/logs.
  Diagram: hacker/cracker on the Internet; workstations, file server, mail server, firewall, web server and mail gateway, with paths via email and via web page.
150. Success Story: CarrierScan Server in Yahoo Environment
  1. User sends a file to the HTML-based e-mail system (web server).
  2. The file is passed to a CGI script, which sends it to the CarrierScan Servers (CSS).
  3. CSS scans the file, finds and cleans the virus.
  4. The file is returned to the web server.
  5. The CGI script forwards the e-mail to the SMTP server.
  Note: 1M to 1.2M e-mails sent/received per day.