Best practices in NIPS - IDC Sofia - March 2010 (EQS Group)
They were called "Network Intrusion Detection Systems" first - today we call them "Network Intrusion Prevention Systems". These tools have been around for several years, and are now experiencing a second youth as they become part of new compliance requirements and help in meeting your mitigation measures and policies. But are these systems really useful, and do they provide an effective security tool? Many say that, if not implemented correctly, they can be easily bypassed. Is that true? And if so, how should I implement them? Is my current deployment really optimal? Are NIPS really worth their (high) cost? This presentation aims at shedding some light - or at least, at giving some tools - to start looking at NIPS from a more realistic point of view, away from the vendors' hype.
Best practices in NIPS - Brighttalk - January 2010 (EQS Group)
Marco Ermini, Network Security Manager, will discuss his best practices for Network Intrusion Detection and Prevention, the deployment of the overall NIDS/NIPS infrastructure, and network vulnerability.
Yehia Mamdouh @ DTS Solution - The Gentleman Thief (Shah Sheikh)
This document provides an overview of social engineering and how to mitigate social engineering risks. It defines social engineering as manipulating people into taking actions or divulging information. Social engineering attacks are categorized as computer-based (e.g. phishing emails) or human-based (e.g. in-person interactions). The document outlines common social engineering techniques like pretexting, reverse social engineering, and exploiting human behaviors. It emphasizes that effective mitigation requires a layered approach including security policies, employee awareness training, and incident response plans to address the ongoing social engineering threat.
Endpoint security involves securing devices like laptops and ensuring they comply with security policies before being granted network access. Major endpoint security solutions include Cisco NAC, Microsoft NAP, and TCG's Trusted Network Connect standard, but all take the approach of evaluating devices and enforcing admission control policies using tools like 802.1x and RADIUS. While endpoint security is important, it also requires significant resources to deploy and its solutions are still evolving.
The document discusses Damballa's advanced threat protection and detection capabilities. It highlights that Damballa can discover hidden threats that have gone undetected, terminate criminal communications to reduce risk, and provide the earliest detection of emerging threats. It explains that Damballa shifts the focus from protection to active threat monitoring and detection using advanced threat intelligence and machine learning to identify hidden infections on networks and endpoints. Damballa provides appliances and solutions that pinpoint compromised assets and criminal activity through network monitoring and host forensics.
A review of anomaly based intrusion detection in multi tier web applications (iaemedu)
This document provides a review of anomaly-based intrusion detection techniques for multi-tier web applications. It begins with an introduction to intrusion detection systems and the differences between misuse detection and anomaly detection. It then reviews several existing anomaly detection approaches including rule-based systems, multimodal approaches, state transition analysis, profiling of internal application states, and combined approaches that analyze both web requests and database queries. The key advantages and disadvantages of each technique are discussed. Overall, the document analyzes different methods for building behavior models and detecting anomalies to identify intrusions in complex multi-tier web applications.
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S... (Security B-Sides)
The document provides an agenda for a talk on advanced persistent threats (APTs). It introduces APTs and discusses how they have evolved over time from targeting military and intelligence to also targeting private companies. It notes APTs can be opportunistic attacks that utilize social engineering and technical vulnerabilities. The document contrasts APTs with more sophisticated threats known as subversive multi-vector threats that are willing to exploit people, processes, and technologies to achieve their goals. It provides examples of analyzing suspicious foreign network traffic and discusses challenges with identifying and addressing multi-vector threats.
This document provides a summary of techniques that internet service providers (ISPs) can use to improve their security and resistance to attacks. It discusses preparing the network operations center (NOC) team through training, tools, and procedures. Key mitigation techniques discussed include securing network devices, establishing collaboration communities, implementing remote triggered black hole filtering, and gaining total network visibility through data collection and analysis.
Damballa automated breach defense June 2014 (Ricardo Resnik)
This document discusses the need for advanced threat protection and containment solutions due to the high percentage of cyber attacks that go undetected for months. It notes that traditional prevention-focused security approaches are no longer sufficient. The document then highlights statistics on the financial and resource costs of cyber attacks. It introduces Damballa's automated breach defense platform, which uses behavioral analytics to automatically identify active threats, regardless of prior knowledge. The platform aims to enable a breach-resistant organization. The document concludes by presenting several customer case studies where Damballa helped reduce costs and detection times and improve visibility and response.
Advanced Persistent Threats (APTs) are a serious concern as they represent a threat to an organization’s intellectual property, financial assets and reputation. In some cases, these threats target critical infrastructure and government institutions, thereby threatening the country’s national security itself.
The document discusses cybersecurity and why a technological approach alone is not sufficient. It argues that cybersecurity is a socio-technical problem, as technology cannot guarantee reliability and human and organizational factors like insider threats, procedures, carelessness, and social engineering present vulnerabilities. A holistic approach is needed across personal, organizational, national, and international levels that includes deterrence, awareness, realistic procedures, monitoring, and cooperation.
Peter Wood has worked as an ethical hacker for the past 20 years, with clients in sectors as diverse as banking, insurance, retail and manufacturing. He will describe how advanced persistent threats operate from a security intelligence perspective, based on published case studies and analysis. He will highlight APT entry points and exploitation techniques and suggest practical prevention and detection strategies.
Ensure Software Security already during development (IT Weekend)
"How to Code Security into Software? Software Security Assurance with HP Fortify." Nowadays it becomes more and more obvious that security should not only be applied as an afterthought, but already during development. I will show possibilities on how you can integrate Software Security Assurance in your Development Lifecycle, and what technologies and processes can help you with that.
Lucas v. Stockhausen
Software Security Consultant
Complete network security protection for SMEs within limited resources (IJNSA Journal)
The purpose of this paper is to present a comprehensive, budget-conscious security plan for smaller enterprises that lack security guidelines. The authors believe this paper will assist users in writing an individualized security plan. In addition to providing the top ten free or affordable tools to get some semblance of security implemented, the paper also provides best practices on the topics of Authentication, Authorization, Auditing, Firewall, Intrusion Detection & Monitoring, and Prevention. The methods employed have been implemented at Company XYZ, referenced throughout.
This document discusses proactive security intelligence for smart utilities. It covers the threat landscape including sophisticated malware like Stuxnet, targeted attacks using zero-days and social engineering, and high-volume attacks. It notes challenges in securing critical infrastructures due to their use of common operating systems and protocols. The document advocates taking a performance and analytics-driven approach to proactive security using network simulation, penetration testing, and predictive modeling to identify exposures before they can be exploited.
The document discusses server security threats and vulnerabilities. It outlines prevention methods like implementing security measures and detection procedures. Some threats include unused open ports, unpatched services, inattentive administration, and default passwords. The document recommends keeping services updated, using secure protocols, monitoring servers, and conducting vulnerability assessments. Government regulations mandate security procedures to protect electronic systems and transactions.
This document contains the professional profile and work history of Mike Miller, an IT security veteran of 20 years. He has extensive experience in security roles such as responding to incidents, building infrastructures to protect data, detecting attacks, analyzing incidents, halting enemy actions, and recovering from security events. Miller is fluent in many security technologies including Palo Alto, Security Onion, SIEM tools, forensics tools, vulnerability scanning, and network/OS management. His work history includes positions as a Principal CSIRT Engineer and Senior Security Engineer for IHS Markit and Colorado state agencies.
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks (Angeloluca Barba)
A presentation given in April 2019 in London during the ICS Cyber Security Conference. I discuss an anonymized investigation conducted by our team to identify a real malware infection on a production network, the tools and techniques used to contain this threat, and how to use threat intelligence and visibility to stay ahead of cyber adversaries.
Asset visibility and network baselining
Continuous network monitoring
Threat intelligence ingestion
Thorough incident response plans
Jump Start Your Application Security Knowledge (Denim Group)
How to Jump-Start Your Application Security Knowledge
For the Network Security Guy Who Knows Nothing about Web Applications
Most security officers are not software developers, and rarely do they have control over the security associated with internally developed software systems. However, CSOs are still frequently held accountable when externally-facing software is compromised and a breach occurs. Unless security professionals radically upgrade their knowledge of software and software development techniques, they will continue to inadequately manage the risk that custom software systems represent to the enterprise.
Presented by John Dickson of Denim Group and Jeremiah Grossman of WhiteHat Security, this webinar will help non-development security managers understand the salient aspects of the software development process and upgrade their IQ on software. It will help them to identify risks with different assessment approaches, to inject themselves into the development process at key "waypoints," and to understand ways to influence development peers to write more secure code.
Cybersecurity involves protecting individuals, businesses, and governments from cyber threats on computers and the internet. It is a broad field that includes threat analysis, security technologies, policies and laws. Cybersecurity problems stem from technical issues as well as human and organizational factors. It aims to prevent malicious cyber attacks and accidental damage. Attacks can come from inside or outside an organization and include fraud, spying, stalking, assault, and warfare between nations. The scale of the problem is large but difficult to measure fully. Cybersecurity issues have arisen because the internet was not designed with security in mind and prioritizes convenience, while widespread connectivity has increased risks.
This document discusses security challenges in virtualized environments. It notes that virtualization limits monitoring to coarse-grained visibility, and full virtualization eliminates network visibility altogether. This hinders security, compliance, and performance monitoring. The document introduces the Phantom virtual tap solution from Net Optics, which provides full visibility into inter-VM traffic and bridges this traffic to physical security tools. It also discusses the Phantom Manager administration platform and how the Net Optics solution achieves monitoring standards in virtual environments.
Network security monitoring with open source tools (terriert)
The document discusses implementing network security monitoring using open source tools. It begins with an introduction to network security monitoring (NSM) and its goal of collecting and analyzing different types of network data to detect and respond to intrusions. It then discusses recommended platforms and operating systems for NSM, such as various free/open BSD systems. Next, it covers ways to capture network traffic, including using hubs, taps, inline devices, or SPAN ports. It proceeds to describe the four types of data collected in NSM - full content, session, event, and statistical data. For each, it provides examples of open source tools and compares them to commercial options. Finally, it discusses the open source tool Sguil, which implements
With each passing year, the security threats facing computer networks have become more technically sophisticated, better organized and harder to detect. At the same time, the consequences of failure to block these attacks have increased. In addition to the economic consequences of financial fraud, we are seeing real-world attacks that impact the reliability of critical infrastructure and national security.
Join Lancope's Director of Security Research to learn about five key challenges that computer security professionals face in 2013, including:
1. State-sponsored espionage and sabotage of computer networks
2. Monster DDoS attacks
3. The loss of visibility and control created by IT consumerization and the cloud
4. The password debacle
5. Insider threats
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch! (Michele Chubirka)
This document provides an overview of network security architectures and firewalls. It discusses challenges with current firewall models and compliance-focused approaches. Recommendations include establishing an information classification matrix to design network segmentation, focusing on containment and monitoring over rules, and integrating security into the overall enterprise architecture using frameworks like OSA and SABSA. References are provided for additional information on these topics.
Achieving PCI-DSS compliance with network security implementations - April 2011 (EQS Group)
This document summarizes Marco Ermini's presentation on achieving PCI-DSS compliance through network security implementations. The presentation discusses using network-based approaches to meet various PCI-DSS requirements, including using network security scanners to verify password security, patch management, and system hardening. It also addresses using intrusion detection/prevention systems, web application firewalls, and database activity monitors to help meet encryption, access control, and logging requirements.
This document provides an overview of the Secure Software Development Lifecycle (SSDLC). It discusses how SSDLC differs from traditional development by focusing on security requirements, design, testing, and operations. Key aspects include threat modeling to identify risks, the principle of least privilege, extensive testing and logging, and having policies and response plans for security incidents. The goal of SSDLC is to build resilience, stability, and trust into software through a more proactive and defensive approach throughout the entire development lifecycle.
10 Tips to Strengthen Your Insider Threat Program (Dtex Systems)
This document provides 10 tips for strengthening an insider threat program. It emphasizes the importance of collecting the right types of metadata on user activities rather than personal information. This includes data on unusual file transfers, printing, and application usage both on and off the corporate network. It also stresses the need to understand the full context and intent of anomalous behaviors to determine the appropriate response. Monitoring for early signs of reconnaissance of security controls and data aggregation can help catch threats before data theft occurs. The document recommends balancing privacy, visibility, and performance when implementing insider threat detection tools and techniques.
Small Business Administration RecommendationsMeg Weber
This document provides an overview of a training course on cybersecurity for small businesses. The key topics covered in the course include: defining cybersecurity and explaining its importance; identifying common cyber threats like website tampering, data theft, and viruses; determining the level of risk to a business from cyber threats; and best practices for protecting information like establishing security policies and training employees on security procedures. The goal of the course is to help small businesses understand cybersecurity risks and take steps to secure their information and systems.
This paper discusses the question of optimizing security decisions in an organization, based on the information provided by the technical security infrastructure.
The document summarizes the top 10 security risks for 2011 as identified by Redspin Security Team. It discusses each risk in 1-2 paragraphs addressing the risk and providing recommendations. The key risks addressed include: mobile devices in the enterprise, social media information disclosure, virtualization sprawl, third-party mobile applications, vendor management, SQL injection, risk management, wireless networks, inadequate testing programs, and lack of a mobile device security policy. For each issue, it identifies the risks and provides clear and actionable recommendations for organizations to mitigate the risks.
COMPLETE NETWORK SECURITY PROTECTION FOR SME’S WITHIN LIMITED RESOURCES IJNSA Journal
The purpose of this paper is to present a comprehensive, budget-conscious security plan for smaller enterprises that lack security guidelines. The authors believe this paper will assist users in writing an individualized security plan. In addition to providing the top ten free or affordable tools to get some semblance of security implemented, the paper also provides best practices on the topics of Authentication, Authorization, Auditing, Firewall, Intrusion Detection & Monitoring, and Prevention. The methods employed have been implemented at Company XYZ, referenced throughout.
Glasswall - How to Prevent, Detect and React to Ransomware incidentsDinis Cruz
The document provides guidance on how to prevent, detect, and react to ransomware incidents. For detection, it recommends techniques to gain advantage over malicious behavior during an attack, including reducing the blast radius through network segmentation, blocking propagation and detonation with endpoint protection, reducing payloads activated through user education, and preparing and rehearsing response with incident response playbooks. It also stresses the importance of incident response, situational awareness, and using incidents to improve security capabilities.
How to protect your company’s computer systems against penetration and attack; the dangers of security lapses in corporate computer systems and Internet architecture, and specific methodologies for evaluating your company’s security, detecting intrusions and responding effectively.
The document summarizes a panel discussion on security and hacking held by the Tech Talent Meetup. The panel of security experts from various companies discussed why security is important, greatest risks and threats, how companies can protect data, career opportunities in security, and tips for personal online security. Some key points included prioritizing security of important data, investing in staff training, focusing on detection over prevention, and using tools like password managers and two-factor authentication.
The Silver Bullet of Cyber Security v1.1William Kiss
While there is no single solution to prevent cyber attacks, there are basic steps that companies often overlook that leave them vulnerable. These include failing to identify where sensitive data is stored and located, whether backups exist and have been tested, and what would happen if this data was stolen or encrypted. It is important to retain a cybersecurity consultant to assess strengths, weaknesses, opportunities and threats; be proactive by selecting an incident response team before an attack; and continuously test and revise response plans to help secure an organization's critical data and systems.
The document discusses threat modeling for web applications. It begins by defining threat modeling as an approach for analyzing security before coding to identify, mitigate, and prioritize threats. It then outlines the threat modeling process, including when to conduct it, who should be involved, how to describe the application, identify threats and potential weaknesses, determine mitigations, and document findings. Key points are that threat modeling finds different flaws than other security activities, involves understanding business objectives and technical details, and provides guidance for further security work.
Corona| COVID IT Tactical Security Preparedness: Threat ManagementRedZone Technologies
Work from Home - Practical Advice on Operations and Security Impact and what to do about it.
DR and BCP Planning Ideas
Widening Attack Surface Solutions
Managing Threats Solutions
This document provides an introduction to network and security for Elastix systems. It discusses that security is a broad topic that requires constant monitoring and improvement. The document outlines four layers of security: firewalls, authentication, obfuscation, and monitoring. It warns of "script kiddies" who use automated tools to find vulnerabilities, and stresses the importance of strong passwords and monitoring logs. The overall message is that security requires ongoing effort across multiple layers to protect systems from evolving threats.
"Cybercriminals are more aggressive and technically proficient - they are professional, industrialized with well-defined organizational structures" "It’s now more than ever IT security professionals, businesses, agencies, and authorities need to collaborate and function as a unified force, exchanging resources, information, and intelligence to reduce the threat of Cybercriminal activities."
Thinking like a hacker - Introducing Hacker VisionPECB
This webinar will explain how to improve Security by adopting the mindset of your opponent, and 'seeing like a hacker'!
Main points covered:
• Introducing ways in which you can think like a hacker, and get into your attacker's mindset so that you can better identify and assess threats.
• How to use this thinking to improve your security controls - how effective are they? And how can you better test them for readiness?
• Visual examples to really lift the lid on what your attackers see, as 'hacker vision' gets you thinking in the mindset of a hacker.
• Examples covered will include physical security, Network security, as well as IoT security.
Presenter:
Our exclusive presenter, Mark Carney is a former pen tester and now a professional security researcher for Security Research Labs in Berlin, specializing in embedded systems and IoT. His background spans compliance testing, Red Teaming, full stack pen testing, and social engineering & physical access engagements.
Link to the recorded webinar: https://youtu.be/Fx2Ha8kIqgE
Prevent Getting Hacked by Using a Network Vulnerability ScannerGFI Software
This document discusses network security recommendations for small to medium businesses. It begins by acknowledging hackers' skills and describes how hacking has evolved over time. It then provides six suggestions for improving network security: 1) update all computers regularly, 2) don't rely solely on WSUS for updates, 3) patching alone is not enough, additional verification is needed, 4) unanticipated hardware/software pose risks, 5) embrace application automation, and 6) use a single integrated solution for management. It promotes GFI LanGuard as a solution that provides patch management, vulnerability assessment, asset inventory, auditing and compliance features to help secure a network.
Chapter 5 Overview of Security Technologies We can’t h WilheminaRossi174
Chapter 5
Overview of Security
Technologies
“We can’t help everyone, but everyone can help someone.” —Ronald Reagan
This chapter discusses the use of technologies that have evolved to support and enhance network security. Many of these technologies are used today without the user understanding when or where they operate. After reading this chapter, you will understand the benefits of these technologies, where they operate, and some of the operational risks associated with them. By the end of this chapter, you should know and be able to explain the following:
■ How you can employ packet filtering to reduce threats to a network
■ Understand precisely what stateful packet inspection is, and why it's important for firewalls to use this technique
■ The role and placement of a proxy technology within a secure network
■ Network Address Translation (NAT) and how you can use it to allow the Internet to continue to grow in IPv4
■ How Public Key Infrastructure (PKI) has the potential to protect the flow of information in a global manner
Answering these key questions and understanding the concepts behind them will enable you to understand the overall characteristics and importance of the security technologies covered in this chapter. By the time you finish this book, you will have a solid appreciation for network security, its issues, how it works, and why it is important.
So far, this book has painted in broad strokes the steps an attacker could possibly take to gain access to sensitive resources. The first step in protecting these assets is the global security policy created by combining the many aspects discussed in Chapter 2, “Security Policies.” This chapter introduces some of the more broadly used security technologies. Each of these technologies contains a concept or specific role that increases the security of your network when designed and implemented in a layered design.
128 Network Security First-Step
Security First Design Concepts
Network security can be a hydra (many-headed beast) with regard to potential attacks and threats against the network. The resources and opinions on this subject are incredible, and opinions vary greatly depending on whom you ask. For example, in 2004 when I wrote the first edition of this book, a simple Google search on “designing a secure network” returned almost half a million results. In 2012, that same search string returns more than five and a quarter million hits. It is no wonder that conflicting security concepts bombard people, causing a great deal of confusion. To be honest, if you were to look up network security books, any bookstore also reveals almost as many!
The point is that experts in each area of network design have written so much on designing secure network architecture that to try to do the subject justice here is beyond the scope of this book. Books and websites deal with every aspect of network security, server security, application security, and so forth. We endeavor to prov ...
The document discusses approaches for ensuring IT security for NGOs with global presences and limited resources. It emphasizes managing security through the lens of people, procedures, and tools. The presentation outlines key premises of information security, such as treating it as a lifestyle rather than an event. It provides suggestions for dealing with challenges like maintaining security on a limited budget and in a global setting. It stresses the importance of having the right people, clear and simple procedures, and tools used to implement security policies.
Similar to Top risks in using NIPS - Brighttalk - July 2010 (20)
Blockchain: everyone wants to sell me that - but is that really right for my ...EQS Group
Another day, another article praising blockchain’s untapped potential: it will start a new era, revolutionise the financial system, disrupt every industry and change the world. Or will it not? And is that really what I need for my next project?
After this presentation, you will be able to:
- Understand the basics of blockchains as compared to other traditional (both centralized and distributed) technologies such as relational databases and identity management systems.
- Identify the characteristics of a potentially successful blockchain project, versus one that should be tackled with "traditional" technology.
- What are the main factors that tell an initiative is or is not a good candidate for a blockchain project, and how to find a topic which may be a good candidate within your organization.
- How to answer the excessive counter-critiques, such as that there is no good use for blockchains at all. This is obviously not true and there are very good examples of successful projects, from which we can learn the essentials.
Impact of GDPR on Third Party and M&A SecurityEQS Group
GDPR impact has been dissected and examined to death - however, M&A activities, as well as third-party security posture, can be greatly affected as well, and this aspect has not been very often pursued. This session hopes to be useful for that.
Mergers & Acquisitions security - (ISC)2 Secure Summit DACHEQS Group
It does not have an ISO standard. NIST barely mentions it. Despite hundreds of publications, no dedicated book is in sight. Enterprise Risk Management frameworks barely touch on it - if they even do. A chapter in Tipton's book dating 2007, proprietary solutions and sparse articles is all we have. In 2007 there was no Cloud yet - and that can be both a big help or a major issue in the process. Mergers & Acquisition is a matter left to Business Administration professionals, who don't like thinking about Information Security risks anyway. Information Security for Mergers & Acquisition is often an afterthought and rarely a deciding factor in due diligence exercises - but when your company acquires a new firm every quarter, you need to start thinking about something. This session will propose a simple framework and you will walk away with an actionable material you can start using tomorrow.
Learning Objectives:
- Understand information security risks and threats connected with merger and acquisition activities, which include months of often precarious IT migrations, a Cloud mess, and legacy services left exposed for months or years.
- Understand how Cloud Computing affects information security risks and threats during a merger and acquisition activities, as well as the positive opportunities they can offer.
- Why it is important that Information Security is involved in the early phases of due diligence, including during the phases in which the deal is structured and evaluated, and the acquisition model is defined.
- Walk home with a simple framework and actionable material they can start using the day after.
Information Security During Mergers & Acquisitions: Issues, Safety Measures, and Need-to-Know Solutions.
Information security risks and threats connected with mergers and acquisitions, which can include months of often precarious IT migrations and legacy services left exposed; how Cloud computing affects information security risks and threats during merger and acquisition activities, as well as the positive opportunities that they can offer; why Information Security should be involved in the early phases of due diligence, including the phases during which the deal is structured and the acquisition model is defined; a simple framework and actionable material.
Architecting Security across global networksEQS Group
The document discusses identifying networks in a complex company. It describes challenges with the company's asset database, including many outdated or duplicate entries for operating systems and support groups. It also notes the network maps and asset database do not have a clear correspondence to the physical network. The document advocates identifying currently used versus legacy systems, their functions, vulnerabilities, and how they are arranged on the network. It contrasts firewall-based versus routing-based network planning and some pros and cons of the firewall approach.
313 – Security Challenges in Healthcare IoT - MEEQS Group
The document discusses security challenges for medical IoT devices. It begins with background on cyber-physical systems, Industry 4.0, and the context of IoT. It then presents a threat model for medical IoT devices, outlining risks across the device lifecycle from physical security to orchestration issues. Regulatory requirements for medical device cybersecurity from the FDA and EU are summarized. Suggestions for improvement include standardizing network communication, strengthening regulations, adopting a security-by-design approach, and supporting secure and agile software updates.
1. Top risks associated with implementing Network Intrusion Prevention Systems
Marco Ermini
Vodafone Technology – Information Services / ICT Security department
8th July, 2010
1 Presentation title in footer Confidentiality level on title master January 3, 2013
Department on title master Version number on title master
2. How can this help you?
What it is and is not about – but what it can help with
This presentation is not about…
> …explaining what NIPS are – but let’s be clear about what you can expect
> …choosing a vendor/brand – but we will gain some instruments useful for that
> …discussing if you need a NIPS or not, or which other technology you need
> …“off the shelf” or “vendor provided” best practices
– you can just Google for “best practices intrusion prevention” - that will do the job!
> I assume you need and want NIPS, or you already have NIPS, and you want to be aware of the top risks associated with…
– …selection
– …configuration
– …deployment
– …management
What you are looking for are best practices to make your investment worthwhile
3. Who is speaking?
This is not a bio…
Why are you listening to me? – 1/2
> I am supposed to know what I am talking about
> Yes, that’s my daily job. No, I am not a trainer or something like that
> No, this is not academia or pure science. There is hardly any of that here!
> I know what the market offers. Everyone can download Snort. It’s not about that
> I have a realistic – and holistic – view of this technology
> Yes, I have been under real attacks. And not just once! And I am aware of the risks
> I am a customer of NIPS. I don’t sell them. I will not try to contact you and sell you anything
> Yes, this will be my personal, partial, questionable, but realistic point of view
You are not drinking from the fountain of truth
(for what that matters, this never happens…)
4. Who is this for?
Why do you care?
Why are you listening to me? – 2/2
> You are a security or network engineer, and you…
– need to be aware of the risks associated with this deployment
– are thinking of deploying, or need to deploy, NIPS into your networks
> You are just curious
– a graduate student getting into the network and/or security job world
– experienced security or network personnel trying to understand the risks associated with NIPS
This is meant to be an interactive presentation.
You are welcome to share your expectation, doubts, questions!
5. What are the top risk categories with NIPS? 1/2
There are both intrinsic risks and mistakes
What are the common mistakes with NIPS?
> They are deployed in the wrong place in the network
> No monitoring or ineffective monitoring – no one is around who can access and use them when it is needed
> There is no tuning – they are deployed and then forgotten
– They are running the “suggested” or “default” rule sets from the supplier
– No protection because of fear of false positives
– Too aggressive protection causes false positives
– A new one coming: thinking it is enough to send events to a SIEM
> They are confused with NIDS (detection) – I know IDS + I know Firewalls = I know NIPS? Wrong…
> Not having operational procedures for their management and set-up
6. What are the top risk categories with NIPS? 2/2
There are both intrinsic risks and mistakes
What are the intrinsic risks with NIPS?
> Thinking they are a “transparent wire” on the network – wrong: they do interfere with network traffic
> They are not optimised because of the lack of knowledge and skills of managers/technicians/consultants
> They are not optimised because of the lack of knowledge of the inner networks and applications they are defending
> There are false expectations about the technology
– it is assumed they are invincible and/or protect against “0-day attacks” or DDoS
– you are subject to (vendor-diffused?) urban legends (“behaviour based”? “auto-learn”?)
– they are deployed even when other technologies (DAM, WAF, etc.) would be more appropriate
> Signature or normalisation behaviour is often not testable
7. Compulsory checklist for NIPS deployment
If you don’t do that, you are doomed
> Do not plan on the fact that they can’t be bypassed. In many cases, they will be.
– Ever heard of “TLS/SSL”, “event horizon” and “inspect 512 bytes only”?
> Do not plan on the fact that they cannot be detected. They often can be.
> You need to use them in conjunction with other instruments
– Coordination between different departments of your organisation
> You need to update and patch the NIPS, and update their signatures
> You need to continually follow and profile the design of your network, applications, business
> They will not protect you against real 0-days or DDoS (despite what vendors say)
> You cannot treat them as NIDS – they are a specific tool (i.e., they cannot afford false positives)
> You need to establish a metric and evaluate the real improvements to the overall security
> You need to have operational procedures to use NIPS on the network
> You need to enable useful signatures and test them in production
> You need to spend money if you want a good product
If you are not prepared for those steps, you had better avoid the risk and not deploy
8. What can I have from NIPS?
What does my company need?
I can use NIPS for…
> Mitigating and preventing specific attacks. For the rest, you need to integrate with other tools
– They will not protect against all of the web application attacks, DDoS, malware…
– They will protect against many – but if you want a locked-down environment, you need to complement them with other tools
– 100% protection is not realistic; 0-day and DDoS protection are (mostly) marketing
> An effective tool for immediate reaction to threats
– They are in-line, ready and conceived to be used to react to attacks
> Enforcing company policies
– Security is a process, not a product (Bruce Schneier). NIPS must be part of the process
– Many can do traffic shaping/policing
– Some can communicate with NAC/NAP or firewalls
– CISO/CSO position: job security comes first – packet loss is not an option
> They can do tunnel inspection, stop exploits, detect anomalies and normalise traffic, detect scans…
They can be an effective tool if understood and used wisely
9. Border deployment best practices
Border edges of the Data Centre/border routers
> They can be the first barrier against malware and attacks against publicly-exposed services
– They cannot do miracles, and generally do not inspect TLS/SSL/VPN/encrypted protocols
– They often cannot scan inside emails – mail servers today use SMTP over TLS
– They will only detect what is in their event horizon – or add latency (“network tarpitting”)
> Better have them working in conjunction with other tools that work on the border routers/firewalls
– Before or after routers/firewalls? Depends on your policies and requirements
> They can apply traffic policing/shaping
– Probably the best tool against P2P/Skype/etc.
> Fine-tuning is difficult and managing it can turn into a nightmare
> You need to pre-emptively discuss with your ISP and establish a network security policy
> Evaluate the impact on performance, discuss fragmentation/flooding attacks with the vendor
> Remain realistic: they will add latency and will be bypassed
10. Inner deployment best practices
Protection of the services
> They can be deployed strategically in front of an important service
– Achieving compliance? PCI-DSS? SOX?
– Web application protection (HTML/JavaScript/IFRAME attacks, SQL Injection, CSS, …)
> They can sit around in the network (more typical for NIDS deployment)
– Enterprise office network – connected with NAC/NAP, blocking the rogue clients on the switch
– Inside a DMZ/production segment – need to create a specific profile – can hook to VPN concentrators
> What is your policy?
– I want to prevent everything that is attempted against me – deploy a wide rule set
– I want only to protect against attacks that can hit me – deploy a specific rule set
> What is the default fall-back scenario?
– Pass-through or drop?
> Which signatures to use? Generic, vulnerability based, exploit based?
Again: remain focused on making them a useful tool!
11. Determine which signatures you want in place
How to evaluate and tune your rule set
> Three main kinds of signatures
– Generic – standard pattern matching – easy to evade
– usually shellcodes/dumb behaviour (brute force login attempts, non-standard port usage,…)
– often will trigger on insecure but “corporate accepted” behaviours (login as root,...)
– need to tune thresholds/trigger points
– Vector based – more advanced pattern – less easy to evade, less prone to false positives
– protection against a vulnerability, not an exploit
– needs a more powerful and “smart” engine, and a performing device – network latency…
– Exploit based – protection against a specific attack – trivial to evade
– minimum false positives
– link cleaning against “script kiddies”
> Establish your baseline for a specific environment/sensor
> Tune the other normalisation or behavioural parameters based on the applications you have
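The three signature kinds of slide 11 as an added example, not the presenter's code: three small detection functions run over constructed requests, so the trade-offs between them can be seen on data. The vulnerability (a hypothetical server that mishandles an X-Session header longer than MAX_HDR bytes), the exploit marker string, the login threshold and all addresses are assumptions made for the illustration.

```python
"""Slide 11's three signature kinds as tiny detection functions, run over
constructed HTTP-like requests. Added example, not the presenter's code.
The vulnerability is hypothetical: a server assumed to mishandle any
X-Session header value longer than MAX_HDR bytes."""
from collections import Counter
from dataclasses import dataclass, field

MAX_HDR = 256                        # assumed limit of the hypothetical bug
EXPLOIT_MARKER = b"EXPLOIT-KIT-v1"   # constructed marker of one known exploit


@dataclass
class Request:
    src: str
    path: str
    status: int                       # response code the sensor saw (401 = failed login)
    headers: dict = field(default_factory=dict)


def generic_sig(reqs, threshold=5, accepted_sources=()):
    """Generic signature: count-based trigger on dumb behaviour (brute-force
    logins). Needs its threshold tuned; accepted_sources models the
    'corporate accepted' hosts you end up excluding to keep it quiet."""
    fails = Counter(r.src for r in reqs if r.path == "/login" and r.status == 401)
    return {src for src, n in fails.items()
            if n >= threshold and src not in accepted_sources}


def exploit_sig(req):
    """Exploit-based signature: matches the bytes of one known attack.
    Minimal false positives, but any variant of the payload is missed."""
    return EXPLOIT_MARKER in req.headers.get("X-Session", b"")


def vulnerability_sig(req):
    """Vulnerability-based signature: tests the condition that triggers the bug,
    whatever the payload looks like. Needs the engine to parse the header."""
    return len(req.headers.get("X-Session", b"")) > MAX_HDR


def evaluate(reqs, threshold=5, accepted_sources=()):
    """Return which signature kind fires on which request (by index), plus the
    sources flagged by the generic signature."""
    hits = {"exploit": [], "vulnerability": []}
    for i, r in enumerate(reqs):
        if exploit_sig(r):
            hits["exploit"].append(i)
        if vulnerability_sig(r):
            hits["vulnerability"].append(i)
    hits["generic_sources"] = generic_sig(reqs, threshold, accepted_sources)
    return hits


# Constructed sample traffic: one known exploit, one variant of the same
# attack, one benign request, and failed logins from two sources.
KNOWN_EXPLOIT = Request("198.51.100.7", "/app", 200,
                        {"X-Session": b"A" * 300 + EXPLOIT_MARKER})
VARIANT = Request("198.51.100.8", "/app", 200, {"X-Session": b"B" * 400})
BENIGN = Request("192.0.2.10", "/app", 200, {"X-Session": b"C" * 40})
SAMPLE = [KNOWN_EXPLOIT, VARIANT, BENIGN]
SAMPLE += [Request("10.0.0.5", "/login", 401) for _ in range(6)]   # brute force
SAMPLE += [Request("10.0.0.9", "/login", 401) for _ in range(2)]   # typo-prone user

if __name__ == "__main__":
    print(evaluate(SAMPLE))               # exploit [0], vulnerability [0, 1], generic {10.0.0.5}
    print(evaluate(SAMPLE, threshold=2))  # lower threshold: 10.0.0.9 becomes a false positive
```

Lowering the generic threshold shows the tuning point of the slide: the typo-prone user becomes a false positive until that source is added to the accepted list.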
12. Baseline rule set tuning and deployment
Measure security improvements (or worsening…)
Suggestion for a best practice
> Agree on a deployment window
– Verify if important things are going to happen… don’t deploy before a new software release or a brand new service for the public “goes live”!
> Monitor - for a couple of hours thereafter
– inside the maintenance window for “immediate” issues – customer-facing services blocked?
> Monitor - for a couple of days thereafter
– for “slow on-set” issues – administrative access, less often used services
> Have a roll-back plan available – for the maintenance window and “slow on-set” issues
> Create a periodic report over the differences within the baseline
– Intelligence reports are preferred by CISO/CSO – but you need a tool to specify
– If you prefer: a report about attacks mitigated/prevented/observed
> Make the report visible to the upper management
Something changes in the service/network? Repeat the process!
13. Monitoring
Don’t forget them!
> Monitor against profiles/rule sets that are useful
– You need to have a network diagram/map of your networks and services
– You need to profile
– the services you are protecting
– the traffic of your networks
– After this, you then need to tailor your rule sets again and repeat the process
> Attention to outsourced managed SOCs: some use statistical tools about which I have concerns
> There is no magic wand, or Bayesian-behavioural-self-adapting etc. – this is marketing
> You need correlation with other tools – anti-viruses, firewalls, NIDS, network scanners…
> You need to have personnel monitoring 24x7x365 who can also access and know how to use the NIPS, and processes and procedures to act in case of incident
Again: remain focused on making them a useful tool!
14. Measure effectiveness
Because you have to renew your contracts sooner or later
> How did they behave under attack?
– Have they detected it at all?
– Have they been useful in mitigating it?
– Were they manageable under attack?
> Peer with other NIPS customers
– Different companies, also from different market segments
> Do not blindly believe the vendors. Use basic math.
> Be paranoid
> Finally: create reports that are readable
– Your management doesn’t understand a bunch of IP addresses and signature names
Again: remain focused on making them a useful tool!
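Slide 12's periodic report over the baseline and slide 14's readable report, as one added example that is not part of the original deck: it parses constructed NIPS event lines, compares a baseline period with the current one (new, gone and spiking signatures) and prints a summary with distinct-source counts instead of IP addresses and no signature IDs. The event line format, the signature names and all addresses are assumptions made for the illustration, not any product's format.

```python
"""Baseline comparison and management-readable report for NIPS events.
Added example, not the presenter's code; the event line format and all
values are constructed for the illustration."""
import re
from collections import defaultdict

# Assumed sensor log format, one event per line (constructed, not a product's).
EVENT_RE = re.compile(
    r'(?P<ts>\S+) sensor=(?P<sensor>\S+) sig=(?P<sig>\d+) '
    r'name="(?P<name>[^"]+)" action=(?P<action>alert|drop) '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+)$')


def parse_events(lines):
    """Parse event lines; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarise(events):
    """Per-signature counts: total, blocked (action=drop), distinct sources."""
    summary = defaultdict(lambda: {"total": 0, "blocked": 0, "sources": set()})
    for e in events:
        s = summary[e["name"]]
        s["total"] += 1
        if e["action"] == "drop":
            s["blocked"] += 1
        s["sources"].add(e["src"])
    return dict(summary)


def compare(baseline, current, spike_factor=2.0):
    """Differences from the baseline: new, gone and spiking signatures.
    Anything else is 'steady' and stays out of the report."""
    diff = {"new": [], "gone": [], "spike": [], "steady": []}
    for name, cur in current.items():
        base = baseline.get(name)
        if base is None:
            diff["new"].append(name)
        elif cur["total"] >= spike_factor * base["total"]:
            diff["spike"].append((name, base["total"], cur["total"]))
        else:
            diff["steady"].append(name)
    diff["gone"] = [n for n in baseline if n not in current]
    return diff


def report(baseline, current, spike_factor=2.0):
    """Text for upper management: what changed and how much was stopped.
    Distinct-source counts stand in for IP lists; signature IDs are omitted."""
    diff = compare(baseline, current, spike_factor)
    total = sum(s["total"] for s in current.values())
    blocked = sum(s["blocked"] for s in current.values())
    pct = blocked * 100 // total if total else 0
    lines = [f"{total} events this period, {blocked} blocked ({pct}%)"]
    for name in diff["new"]:
        s = current[name]
        lines.append(f"NEW: {name}: {s['total']} events from "
                     f"{len(s['sources'])} sources, {s['blocked']} blocked")
    for name, b, c in diff["spike"]:
        lines.append(f"SPIKE: {name}: {b} -> {c} events ({c / b:.1f}x baseline)")
    for name in diff["gone"]:
        lines.append(f"GONE: {name}: seen in baseline, none this period")
    return "\n".join(lines)


def _ev(ts, sig, name, action, src, dst="10.1.1.10", sensor="dmz-1"):
    """Build one constructed event line."""
    return (f'{ts} sensor={sensor} sig={sig} name="{name}" '
            f'action={action} src={src} dst={dst}')


# Constructed baseline week and current week (documentation address ranges).
BASELINE_LOG = (
    [_ev("2010-06-01T10:00:00", 2001, "SQL injection attempt", "drop", "198.51.100.7")] * 2
    + [_ev("2010-06-02T11:00:00", 2001, "SQL injection attempt", "drop", "198.51.100.9")] * 2
    + [_ev("2010-06-03T03:00:00", 2100, "SSH brute force", "alert", "203.0.113.4")] * 3
    + [_ev("2010-06-04T04:00:00", 1999, "Old worm probe", "drop", "203.0.113.8")] * 2
)
CURRENT_LOG = (
    [_ev("2010-07-05T10:00:00", 2001, "SQL injection attempt", "drop", "198.51.100.7")] * 4
    + [_ev("2010-07-06T11:00:00", 2001, "SQL injection attempt", "drop", "198.51.100.9")] * 4
    + [_ev("2010-07-07T12:00:00", 2001, "SQL injection attempt", "drop", "198.51.100.12")] * 2
    + [_ev("2010-07-07T03:00:00", 2100, "SSH brute force", "alert", "203.0.113.4")] * 3
    + [_ev("2010-07-08T08:00:00", 3050, "Unknown shellcode pattern", "alert", "203.0.113.50")] * 2
    + ["2010-07-08T09:00:00 sensor=dmz-1 link state changed"]   # not an event, skipped
)

if __name__ == "__main__":
    print(report(summarise(parse_events(BASELINE_LOG)),
                 summarise(parse_events(CURRENT_LOG))))
```

Rerunning the comparison after every change to the service or network is the "repeat the process" step of slide 12; the spike factor is the one knob to tune per sensor.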
15. Correlation and SOC
Effective security 24X7X365
Some best practices
> Do not import all of your events into your SEM/SIM tool
– Often you just overwhelm it, even with NIPS events alone
– Do not work "statistically" and blindly, ignoring your network architecture and applications
> The policies/rule sets you deployed on the NIPS have an impact on what you get!
– Sometimes you pay the SEM/SIM license or the outsourced SOC by the number of events you are sending them!
> Does the SOC (either out-sourced or in-sourced) have access to the NIPS?
– Have you defined a user management for the NIPS?
– What about operational procedures?
– What about technical skills of the personnel?
> Forensic importance – but balance with event database’s growth and disk space
Again and again: remain focused on making them a useful tool!
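The monitoring slide (profile your services and traffic, then tailor the rule sets) and this slide (do not ship every event to the SEM/SIM, and remember that the deployed policy drives the event volume you pay for) both come down to the same mechanism: a network/services map applied to events before forwarding. The following is an added example, not code from the presentation or from any product; the service map, the signature metadata, the event format and the severity scale are constructed assumptions.

```python
"""Service-map-driven triage of NIPS events before forwarding to a SEM/SIM.

Added example, not code from the presentation. The service map, the event
format and the signature metadata are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Constructed network/services map: which services actually live on which nets,
# and which technology stack runs there (this is the "profile" of the service).
SERVICE_MAP = {
    ipaddress.ip_network("10.1.0.0/24"): {"ports": {80, 443}, "stack": {"http", "linux"}},
    ipaddress.ip_network("10.2.0.0/24"): {"ports": {25}, "stack": {"smtp", "linux"}},
}

# Constructed signature metadata: which stack a signature is relevant to.
SIGNATURE_STACK = {
    "HTTP: SQL injection attempt": {"http"},
    "SMTP: malformed HELO": {"smtp"},
    "Windows: SMB overflow attempt": {"smb", "windows"},
}


@dataclass(frozen=True)
class Event:
    signature: str
    dst_ip: str
    dst_port: int
    severity: int  # 1 (low) .. 4 (high), as reported by the sensor (constructed scale)


def lookup_service(dst_ip, dst_port):
    """Profile of the network hosting dst_ip if dst_port is an exposed service there, else None."""
    ip = ipaddress.ip_address(dst_ip)
    for net, profile in SERVICE_MAP.items():
        if ip in net and dst_port in profile["ports"]:
            return profile
    return None


def triage(event, forward_threshold=3):
    """Decide 'forward', 'downgrade' or 'drop' for one event and return (decision, severity).

    - unknown destination/port: nothing we know is listening -> drop (keep it in the
      sensor's local DB for forensics, do not pay to ship it)
    - signature irrelevant to the target's stack: downgrade severity by 2
    - otherwise forward when the severity meets the threshold
    """
    profile = lookup_service(event.dst_ip, event.dst_port)
    if profile is None:
        return "drop", event.severity
    relevant = SIGNATURE_STACK.get(event.signature, set()) & profile["stack"]
    severity = event.severity if relevant else max(1, event.severity - 2)
    return ("forward" if severity >= forward_threshold else "downgrade"), severity


def forward_batch(events):
    """Return (events_to_forward, decision_counts): the SEM/SIM receives only what is worth its licence."""
    counts = {"forward": 0, "downgrade": 0, "drop": 0}
    to_forward = []
    for e in events:
        decision, sev = triage(e)
        counts[decision] += 1
        if decision == "forward":
            to_forward.append((e, sev))
    return to_forward, counts


# Constructed sample events.
SAMPLE = [
    Event("HTTP: SQL injection attempt", "10.1.0.10", 443, 4),    # real web server   -> forward
    Event("Windows: SMB overflow attempt", "10.1.0.10", 443, 4),  # Linux web host    -> downgrade
    Event("SMTP: malformed HELO", "10.2.0.5", 25, 3),             # mail relay        -> forward
    Event("HTTP: SQL injection attempt", "10.9.0.1", 8080, 4),    # nothing listening -> drop
]

if __name__ == "__main__":
    forwarded, counts = forward_batch(SAMPLE)
    print(counts)
    for e, sev in forwarded:
        print(sev, e.signature, e.dst_ip, e.dst_port)
```

The map is the part that has to be maintained: when a service moves or a new one is deployed, SERVICE_MAP changes and the triage result changes with it, which is exactly the "something changes? repeat the process" loop from the tuning slides. Dropped events stay on the sensor; the decision here is only about what crosses into the SEM/SIM or the outsourced SOC.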
16. Thank you.
Any questions?
Editor's Notes
- Monitoring – Security Operation Centre
- Tuning – avoid false positives: if they are enabled, they are ignored because of too many false positives
- NIDS are born to report, NIPS are born to kill. NIDS in paranoid mode cause many false positives; NIPS kill the network or your event DB
- NIPS add latency and false positives
- NIPS interfere with the traffic – because of the way they are deployed, tarpitting for SMTP and HTTP checks, RST sent to close connections and free resources, bandwidth shaping – they can also be detected, for instance through fragment identification number (IP ID), window size, ISN or TTL changes, multicast/broadcast sensitivity
- Coordination with firewall teams
- Latency calculations
- NIPS can be detected because they interfere with the traffic – because of the way they are deployed, tarpitting for SMTP and HTTP checks, RST sent to close connections and free resources, bandwidth shaping, or through fragment identification number (IP ID), window size, ISN or TTL changes, multicast/broadcast sensitivity
- HW costs: FPGAs/ASICs are expensive, multi-core technology is very useful, network processors
- Communicate with firewalls – bad idea
- Detection mechanism should be at around 90% to optimise for traffic speed/minimum latency
- DDoS vs flash crowd
- ISN generation for SYN cookies for DoS protection – limited capabilities – the firewall is the more adequate place
- Security is a process, but you still need a brain
- Performance impact: latency – VoIP cannot afford it; the NIPS will inspect the whole HTTP session and delay the last packet (fragmentation?)
- Fragmentation and SYN attacks – flooding attacks: incomplete handshakes, pending established sessions, smurf (reflection), anomalies, incorrect values and checksums, fragmentation – trivial techniques, but difficult to respond to, especially on asymmetric traffic and in a stateful way
- Consider bypass switches for deployment
- Fine tuning is possible when protecting a few similar services, almost impossible for hundreds/thousands of servers, rarely possible for each network parameter, and has to be checked against every new patch/upgrade
- Consider bypass switches
- Three kinds of signatures – generic (detect standard patterns, basic behavioural), vulnerability (vector) based, exploit based (most accurate)
- How to measure security improvements (or worsening)
- Three kinds of signatures – generic (NULL/NOP sleds, basic behavioural, thresholds/trigger tuning), vulnerability (vector) based, exploit based (most accurate)
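The three signature kinds in the notes above trade accuracy against coverage in a way that is easy to see on sample traffic. The following is an added example, not from the presentation or any vendor's rule language: a hypothetical text service whose USER command safely holds at most 32 bytes of argument (constructed), one generic signature (a run of NOP-like bytes), one vulnerability-based signature (any oversized USER argument, i.e. the vector) and one exploit-based signature (the vector plus a fixed byte string standing in for one published exploit). All payloads and the marker string are constructed; no real protocol, product or exploit is modelled.

```python
"""Generic vs vulnerability-based vs exploit-based signatures, side by side.

Added example, not from the presentation. The 'vulnerability' (a hypothetical
service whose USER command accepts at most MAX_USER_LEN bytes of argument),
the exploit marker and all payloads are constructed for illustration.
"""
import re

MAX_USER_LEN = 32  # constructed: the hypothetical service's safe argument length

# Constructed stand-in for the fixed bytes of one published exploit.
KNOWN_EXPLOIT_MARKER = b"CONSTRUCTED-EXPLOIT-MARKER"


def generic_nop_sled(payload: bytes, threshold: int = 16) -> bool:
    """Generic signature: a run of NOP-like bytes (0x90), regardless of protocol.
    Fires on any long run, so it also hits binary data that merely contains one."""
    return re.search(rb"\x90{%d,}" % threshold, payload) is not None


def vuln_user_overflow(payload: bytes) -> bool:
    """Vulnerability-based signature: the attack vector (USER argument longer than the
    service can hold), independent of what the oversized argument carries."""
    m = re.match(rb"USER (\S+)", payload)
    return m is not None and len(m.group(1)) > MAX_USER_LEN


def exploit_user_overflow(payload: bytes) -> bool:
    """Exploit-based signature: matches the one known exploit (vector + fixed bytes) only."""
    return vuln_user_overflow(payload) and KNOWN_EXPLOIT_MARKER in payload


SIGNATURES = {
    "generic": generic_nop_sled,
    "vulnerability": vuln_user_overflow,
    "exploit": exploit_user_overflow,
}


def classify(payload: bytes) -> dict:
    """Run every signature kind over one payload; returns {kind: fired}."""
    return {name: fn(payload) for name, fn in SIGNATURES.items()}


# Constructed sample traffic against the hypothetical service.
SAMPLES = {
    # normal use: nothing should fire
    "benign login": b"USER alice\r\n",
    # a file upload that happens to contain a run of 0x90 bytes: generic false positive
    "benign binary upload": b"DATA " + b"\x90" * 40 + b"\r\n",
    # the one published exploit: every kind fires
    "published exploit": b"USER " + b"A" * 40 + KNOWN_EXPLOIT_MARKER + b"\x90" * 20 + b"\r\n",
    # same vector, different filler, no NOP run: only the vulnerability-based kind fires
    "variant exploit": b"USER " + b"B" * 64 + b"\x41" * 20 + b"\r\n",
}


def false_positive_kinds() -> set:
    """Signature kinds that fire on benign samples (names starting with 'benign')."""
    fired = set()
    for name, payload in SAMPLES.items():
        if name.startswith("benign"):
            fired |= {kind for kind, hit in classify(payload).items() if hit}
    return fired


def missed_by_exploit_signature() -> list:
    """Attack samples the exploit-based kind misses but the vulnerability-based kind catches."""
    return [name for name, payload in SAMPLES.items()
            if not name.startswith("benign")
            and vuln_user_overflow(payload) and not exploit_user_overflow(payload)]


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:22s} {classify(payload)}")
```

On these samples the generic signature is the one that needs threshold tuning (it fires on the benign upload), the exploit-based signature is exact but misses the variant, and the vulnerability-based signature catches both attacks without touching benign traffic: that is why the notes call exploit-based signatures the most accurate while the tuning slides still insist on profiling the protected services.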
- Statistical tools on NIPS events are worthless if they are not correlated with the actual services in place – you need to have a network and services map
- Security concern of letting security events go out of the company
- SEM/SIM tools have no forensic relevance, but the policies deployed determine whether the payload is saved in the event DB