04/18/23
Who are the defenders in the trenches?
Security staff
• Monitor threats and behavior without invading privacy
• Tactical calculation of acceptable risk and response
• Design trenches that allow free flow of information and services
• Respond to breaches and threats without causing harm
Who are the defenders in the trenches?
Everyone at a keyboard
Everyone with a network connection
Everyone that uses or manages Information Technology
Who are the defenders in the trenches?
Students
• Exposed to constant scans, malicious messages, and fraud attempts.
• Can't trust messages from their friends or even the administration or support organization ([email protected], [email protected] at jmu.edu)
• Computer malfunctions and compromise of personal information and accounts
• Potential identity theft victims when central stores of information are compromised
Who are the defenders in the trenches?
Faculty
• Exposed to constant scans, malicious messages, and fraud attempts.
• Threat environment makes it difficult to experiment safely.
• Confidential commercial research may be compromised.
• Fulfilling grant security requirements complicates research efforts.
• Lose valuable messages in the storm of SPAM.
• Unable to get or share information because the criminal element has made it too risky.
Who are the defenders in the trenches?
Staff
• Exposed to constant scans, malicious messages, and fraud attempts.
• Safeguard information of constituents.
• Spyware calls bury support resources, making them unavailable to others.
• Responding to a constant stream of threats.
• Fear of being the person who makes the next headlines by clicking the wrong thing.
• Loss of trust.
Who are the defenders in the trenches?
Management
• Exposed to constant scans, malicious messages, and fraud attempts.
• Strategic calculation of acceptable risk and response.
• Hesitant to offer forward-thinking services because of risk.
• Headlines don't explain "acceptable" and "residual" risk.
• Risk is always unacceptable if an incident occurs.
• Growing security expenditures take from line-of-business needs.
Who are the defenders in the trenches?
General Public
• Exposed to constant scans, malicious messages, and fraud attempts.
• Lose battles daily for control of their computers, documents, and accounts.
• Deluged with simplistic, ineffective, overly complex, sensationalist, and/or accusing advice.
WE ARE ALL IN THE TRENCHES!
Defending:
• Our own computer and information
• Our constituents' information and services
• Our organization's information and services
Trench Warfare
• Trench - a long, narrow ditch dug by soldiers for cover and concealment
• Trench Warfare - form of fighting whereby two sides fight each other from opposing trenches
• Conscription - a system of compulsory recruitment for the armed forces
• Home Front - the name given to the part of war that was not actively involved in the fighting but which was vital to it
• No-man's land - the barren territory that lay between the opposing Allied and German trenches on the Western Front
• Attrition - strategy of wearing down the enemy through continual attack and pressure
• Deterrent - something designed to stop a person or people from doing something
• Entrenched - to be fixed or deeply rooted in an area
• Retaliation - to fight back, revenge
• Shell shock - medical condition caused by prolonged exposure to the distressing experiences of trench warfare
• Stand-down - name given to the daily evening routine in the trenches
Who is the Enemy?
• Vandals
• Joy riders
• Graffiti artists
• Kids and professionals
• Thieves
• Extortionists
• Manipulators
• Voyeurs
• Egotists
• Competitors (business, romance, research, etc.)
• Free loaders
• Anarchists
• Exploiters
• Terrorists
Multiple simultaneous enemies
Multiple motivations
Varying capabilities
Where are the enemies' trenches?
They have none!
• Worldwide, instant mobility
• Worldwide, anonymous mobility
• Worldwide, unrestricted mobility
At every network connection
At every keyboard
At every exposed web site
Guerrilla Warfare
Guerrilla warfare operates with small, mobile and flexible combat groups without a front line.
Guerrilla tactics are based on ambush, sabotage, espionage, and avoiding the response of the defenders through greater mobility.
The mobility provided by the Internet and the ability to commandeer computers results in the attackers being able to wage open warfare on the defenders with relative anonymity.
Freely available weaponry on the Internet:
• Mercenaries - bots
• Smart bombs - viruses, worms
Where are our weaknesses?
Our networks provide attacker mobility
• Global
• Limitless
• Unauthenticated
What are our weaknesses?
Networks and societies must have cooperation to work
• Throwing bricks through windows
• Driving down the wrong side of the street
• Stealing mail from mailboxes
• Can you secure your house or car?
The Internet extends the reach of uncooperative members.
Where are our weaknesses?
Our systems provide soft targets
• Complex - error prone in design, implementation, configuration, and usage
• Defective security controls
• Lack of access controls in most default configurations
• Not designed for a hostile environment
• Not maintained for a hostile environment
Where are our weaknesses?
We, ourselves, provide opportunity
• Complexity breeds mistakes: decisions, design, implementation, configuration, operation
• Priorities: we cannot spend all our time on defense nor make all our decisions based on security. The attackers have no such limitations. Acceptable risk.
• Conflicting business goals:
  Desire for universal, easy accessibility - minimize access controls for location, method, source, or destination
  Desire for autonomy and personalization - minimize policies, procedures, standards, and controls
  Desire for privacy - minimize identification and monitoring
  Transparent security
Where are our weaknesses?
An intruder only has to find one entry point.
A defender has to close or watch all entry points.
One mistake, one oversight, one wrong mouse click creates opportunity for the attacker.
Battle Statistics
Thousands of infected e-mail messages received daily.
60%+ of incoming e-mail messages are SPAM - dozens, sometimes hundreds, containing fraud attempts such as phishing and Nigerian scams.
Battle Statistics
Malicious Instant Message Events
Symantec Internet Security Threat Report, January-June 2005
10,866 new Windows viruses
• Of the 50 most commonly reported, 74% expose confidential information
10,352 bots detected per day
1,862 new software defects (vulnerabilities)
• Average time to exploit - 6 days
• Average time to patch - 54 days
5.7 million fraudulent "phishing" e-mail messages per day
Issues and Incidents
• Lifetime of an unpatched computer
• Malware sophistication
  Security software neutralization
  Back channel communications, instant notification
  Bots, distributed denial of service, rootkits, keyloggers
• Unrecognized malware
• Exploits of unfixed defects
• Below-the-radar communications
• Social engineering
Incidents: DDoS, E-gold, eBay hijack, eBay phish, IM keylogger data stream, organized crime, targeted spam (LexisNexis), higher education incidents, credit card battle, one mistake
What are we trying to protect?
• Confidentiality
• Integrity
• Availability
...if we don't protect them we may have...
If we don't protect C-I-A we may have...
• Liability
• Operational disruption
• Theft
• Vandalism
• Loss of reputation, confidence, and/or trust
...which may lead to the loss of...
Which may lead to the loss of...
• Time
• Money
• Freedom
• Jobs
• Mission
• Quality of life (in the worst case, life itself - health, military, terrorism)
Security Goal
Reduce the risk of loss to an acceptable level
• We cannot eliminate risk. There will always be residual risk.
• Reducing risk will always have costs: time (always), money, access, convenience, privacy, freedom, complaints, quality of life, service delivery
Compare to the costs of security incidents on the previous slide - balance.
Security Keystones
(Diagram: Security at the center, supported by Awareness, Risk Assessment, Policies and Procedures, Access Control, and Monitoring and Response.)
Security Keystones
• Awareness of the risks and a desire to do something to reduce those risks
• Assessment of the risks and a willingness to accept the costs of addressing unacceptable risks, leading to
• Policies and procedures to reduce the risks to an acceptable level
• Controls enforcing the policies and procedures
• Monitoring operation of the controls and compliance with policies and procedures
• Responding to non-compliance incidents and altered risk assessment parameters through changing awareness
• Repeat as necessary
Best practices and common sense can shorten the process, though without detailed analysis and comparisons, one may be led into a false sense of security and/or unproductive efforts.
Security Keystones
No one keystone can stand alone.
No keystone is infallible.
Multiple layers of each keystone provide the best protection to minimize the effects of failures and mistakes.
Keystone - Risk Assessment
The factors that go into a risk assessment are constantly changing:
Value, threats, vulnerabilities, probabilities, exposure, attack activity, motivation
Keystone - Risk Assessments
Risk = Consequence x (Threat x Vulnerability)
• Consequences are rising rapidly as more services and data are made accessible online and systems are interconnected
• Threats are rising rapidly as attacks grow in number and sophistication
• Vulnerabilities are still rising as software gets more complex, services are pushed out faster, more services are exposed, automated exploit kits proliferate, and businesses struggle with global competition
Risk will increase for the foreseeable future.
Generalizing Risk Assessment - Best Practices
Provide access only to that which is needed (default deny and least privilege)
Defense in depth (i.e. redundant layers)
These fundamental security principles haven't changed in centuries. We ignore them at our peril.
Keystone - Policies and Procedures
Surrounds the whole process.
Like a risk assessment, usually lags the environment and is difficult to implement for varying, complex systems needing good reaction times.
Keystone - Access Control: Layered Defense Theory
(Diagram: concentric layers, outermost to innermost: Big Bad Internet, General Access, Sensitive Systems, Core Systems.)
Keystone - Access Control: Layered Defense Practice
(Diagram: the same layers - Big Bad Internet, General Access, Sensitive Systems, Core Systems - plus the systems that actually sit across them: Self Service Student Information and Human Resources Systems; Backup Systems; Faculty/Staff (indirect path); Desktops and other unidentified sensitive systems.)
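Worked example (added here; it is not part of the original slides and not the university's own tooling): a small Python model of the two layered-defense diagrams above, applying the default-deny rule from the "Best Practices" slide. The permitted flows between zones are kept as an allow-list, and a breadth-first search over that list finds the shortest chain of explicitly granted hops from the Internet to the core, then lists every flow that does not step exactly one ring inward. The zone names come from the diagrams; which concrete flows exist in each picture is an assumption made for this example.

```python
from collections import deque

# Zone names as drawn on the "Layered Defense" slides.
INTERNET = "Big Bad Internet"
GENERAL = "General Access"
SENSITIVE = "Sensitive Systems"
CORE = "Core Systems"
SELF_SERVICE = "Self Service Student Information and HR Systems"
DESKTOPS = "Faculty/Staff Desktops"
BACKUP = "Backup Systems"

# Intended ring order, outermost first.
RINGS = [INTERNET, GENERAL, SENSITIVE, CORE]

# Allow-list of (source zone, destination zone) flows. Anything not listed is
# denied: the "default deny" rule from the Best Practices slide.
# Theory: each ring is reachable only from the ring directly outside it.
THEORY_FLOWS = frozenset({
    (INTERNET, GENERAL),
    (GENERAL, SENSITIVE),
    (SENSITIVE, CORE),
})

# Practice: the same rings plus the side doors the second diagram draws.
# Which exact flows exist is an assumption made for this example, not a fact
# taken from the slide.
PRACTICE_FLOWS = THEORY_FLOWS | {
    (INTERNET, SELF_SERVICE),   # self-service systems exposed to the Internet
    (SELF_SERVICE, CORE),       # ... and wired straight into core data
    (GENERAL, DESKTOPS),        # desktops live in the general-access zone
    (DESKTOPS, CORE),           # the "indirect path" from faculty/staff desktops
    (CORE, BACKUP),             # backups hang off core, outside the ring model
}


def allowed(flows, src, dst):
    """Default deny: a flow is permitted only if it is explicitly listed."""
    return (src, dst) in flows


def shortest_path(flows, src, dst):
    """Shortest chain of permitted flows from src to dst, or None if unreachable.

    Breadth-first search over the allow-list, so every hop on the returned path
    is an explicit grant and the hop count is the number of layers actually
    crossed, not the number the diagram intends."""
    if src == dst:
        return [src]
    parent = {src: None}
    queue = deque([src])
    while queue:
        here = queue.popleft()
        for a, b in flows:
            if a != here or b in parent:
                continue
            parent[b] = here
            if b == dst:
                path = [b]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(b)
    return None


def ring_bypasses(flows, rings):
    """Flows that do not step exactly one ring inward.

    A flow is a bypass if either endpoint is outside the ring model (an
    "unidentified sensitive system") or it jumps more than one ring. These are
    the edges a reviewer of the practice diagram should be asked to justify."""
    depth = {zone: i for i, zone in enumerate(rings)}
    return sorted(
        (a, b) for a, b in flows
        if a not in depth or b not in depth or depth[b] != depth[a] + 1
    )


if __name__ == "__main__":
    for label, flows in (("theory", THEORY_FLOWS), ("practice", PRACTICE_FLOWS)):
        path = shortest_path(flows, INTERNET, CORE)
        print(f"{label}: Internet -> Core in {len(path) - 1} hops: {' -> '.join(path)}")
        for a, b in ring_bypasses(flows, RINGS):
            print(f"  bypass: {a} -> {b}")
```

Run as a script, the theory model reaches Core Systems only by stepping through every ring (three hops), while the practice model reaches them in two hops through the self-service systems, and every ring-skipping flow is listed. That is the question a reviewer of a zone diagram actually needs answered: not "is there a firewall between the rings", but "which granted flows let an outer zone reach an inner one without passing the layer in between".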
What Data is on Your Desktops?
Grades, SSN, credit cards, performance evaluations, medical, resumes, research, vendor, purchasing, financial reports, organizational planning, environmental control systems, credit card processing systems, building entry and security systems, ID/debit card systems
Office desktops? Home desktops? Laptops? CD? USB drive? Floppy? Cell phone? PDA? Shared folder?
One mistake
Keystone - Access Control
Granting access indicates explicit trust.
Not controlling access indicates implicit trust:
• To read
• To alter
• To destroy
The more we depend upon trust, the less control we have.
• SPAM
• Network access - scanning, bandwidth depletion, denial of service attacks, exploit attempts, unauthorized account access, patch urgency
• Computer access - running malicious programs, unsafe configurations, incompatible configurations
• Inappropriate use
Trust => Risk
Ignorance (failure of awareness)
Faulty risk assessment assumptions
Failed access controls
Failed monitoring processes
Inadequate response
Inappropriate use
========================================
Misplaced TRUST
Unaccepted access ====> Unaccepted risk
The more we trust, the more we had better monitor.
Keystone - Monitoring
We have to monitor unless:
• Our trust in everything is 100% justified
• The factors that went into the risk assessment don't change
• We're not interested in detecting when we're the victim of the residual assumed risk
As malware and attacks move toward encrypted open ports (web), monitoring is going to be a lot harder.
The more we trust, the more we had better monitor.
Risk Evolution
Decreasing
• Fundamental operating system and server defects
Increasing
• Human error due to complexity
• Desktops
• Distributed data exposure
• Client applications
• Web applications
Key Defense Improvements for Today's Threat Environment
Reduce exposure
• Default deny networks
• Default deny computers (least privilege accounts, e.g. non-Administrator)
Increase monitoring
Reduce reaction time to the inevitable security failure and new threat
Awareness != Education
WE ARE ALL IN THE TRENCHES!
Defending:
• Our own computer and information
• Our constituents' information and services
• Our organization's information and services