Cybersecurity that actually works Mike Harris Information Security Officer Columbia Insurance Group and Adjunct Professor (Informatics@Mizzou) CISSP, HCISPP (and a bunch of expired certs of all kinds)

Page 1: Cybersecurity that actually works that Actually Works.pdf•Watching inbound flows for attacks and Ddos and overly aggressive applications aka streaming and floods ... Finishing up

Cybersecurity that actually works

Mike Harris, Information Security Officer

Columbia Insurance Group

and Adjunct Professor (Informatics@Mizzou)

CISSP, HCISPP (and a bunch of expired certs of all kinds)

Page 2

What I am going to talk about

• When did CIA change to CIANA?

• Having a Plan

• Most likely targets

• Human factors security

• Policy, procedure, rules, everyone on board

• Strong identity control

• Know your assets

• Drowning in Logs, meaningful Metrics, actionable alerts

• Endpoint protection

• Segmented network zones and micro-segmentation

• Data exfiltration; watch the border both directions

• Cyber security myths, cruel lies, and just sales FUD

Page 3

When did that change? blame NSA

• Remember the triad “CIA”
  • Confidentiality
  • Integrity
  • Availability

• Has become 5 Pillars
  1. Confidentiality
  2. Integrity
  3. Availability
  4. Non-repudiation
  5. Authentication

Page 4

Have a plan & document it (WISP)

• A Written Information Security Program may be required
  • Required by Massachusetts data protection regulation (201 CMR 17)
  • Required by Gramm-Leach-Bliley Act (GLBA) Safeguards Rule
  • State data laws are starting to require a WISP too (SC, others still in committee)

• Governance, risk and compliance:
  • Set the organization’s security strategy and enable governance functions to manage security risk.
  • Policies need to evolve to address changing risks in the IT environment.
  • Train your employees, set expectations, include gamification
  • Having a plan is needed to assure an organization’s ability to quickly adapt to disruptions while maintaining continuous business operations and safeguarding customer information, assets and reputation.

Page 5

WISP continued (what should be in it)

• Security architecture and engineering description

• Plan and document solutions to protect enterprise from known and potential risks and threats.

• Build and enhance technical security investments, ensuring expected business value and risk reduction are actually achieved.

• Agile best-practice methods aren’t just for software; they can be used to establish solutions that are resilient, flexible and efficient.

• Five pillars of cyber security can be applied to provide standardization and automation. (CIANA remember her?)

Page 6

WISP continued

• Define and document information security operations
  • Manage and operate security solutions to help detect security vulnerabilities and events that pose risks to the enterprise.
  • Either in-house or outsourced work, even a hybrid approach: play to your group’s strengths; backfill or outsource weaknesses.

• Include
  • Platform management (protect the special sauce that makes you profitable & unique)
  • Operational process (ITIL, COBIT etc.)
  • Standards enforcement with help from HR
  • Threat and vulnerability management
  • Incident response
  • Business continuity & disaster recovery plans and testing
  • Hardware, software and people lifecycle management
  • Keep useful operational metrics to prove constant improvement.

Page 7

WISP continued

• Cyber defense operations:
  • Respond to, investigate and remediate incidents and potential breaches
  • Enhance architecture and operations through continuous feedback.
  • Restrict pivot attacks through host-based security tools and system hardening, and inappropriate lateral movement with network segmentation and intentional choke points and air gaps.
  • Understand activity and traffic, correlate malicious activities, identify anomalous or abnormal use of accounts and systems, and understand data flows.
  • Quarantine the compromised area of the network, prevent exfiltration of data, eradicate the threat and resume normal business operations.

• Business engagement
  • Incorporate cybersecurity into everyday business decisions, processes and interactions with the customer.

Page 8

Think about a WIPP to go with your WISP

• Privacy legislation is on the way; be ready, think about this and start documenting NOW

• Privacy regulations call out protections beyond security

• Having a Written Information Privacy Plan is the flip side of the coin of your WISP

• California has passed statewide privacy regulations

• Having a privacy plan is required by HIPAA

• Regulators and auditors are starting to look for both Security and Privacy plans in a formalized way

Page 9

Most likely targets

• Hackers are more opportunistic than you; follow the money.

• Follow (and secure) the data they can use to make or extort money.

• If it is important to your business, then it is important to the competition, to hackers, and to fraudsters

• You have already been completely mapped and targeted; get over it.

• Your personal information has been compromised 5 to 8 times already, and so has everyone else’s; get over it.

• Insider threats know your most precious assets and how to access and/or compromise them; they probably use them daily.

• Literally sit down and think about what would harm your business most quickly and most severely, remediate that first, rinse and repeat.

• Ask the people who use the systems day and night what worries them and how they would compromise, abuse & misuse the systems (they probably already are)

Page 10

Users are a huge threat – Human factors

• 92% of breaches start with a phishing message (new report 9/10/10 says 99%)

• 76% of businesses have been a victim of some kind of phishing attack

• Ransomware usually requires some human action

• Crypto jacking is real especially on unprotected mobile devices (phones)

• 22% of employees at small to midsized organizations have lost a company-issued device

• Only 35% used a password or PIN (really?)

• Dell research found a staggering 45% of employees across organizations admit to engaging in unsafe behavior

• Train your people! Set appropriate expectations by documenting the consequences of risky behavior

• Expect them to circumvent controls so audit and verify

Page 11

Policy, Procedures and Rules

• Everyone must follow them, no exceptions; they must be supported and embraced from the CEO to the part-time unpaid intern and everyone in between

• Policies must define not only what you can’t do, but also what you must do

• Document them authoritatively where any and all can find and refer to them

• Spell out how they are enforced and the repercussions for failing to follow them

• Review and update them regularly (minimum yearly)

• Retrain all staff about them regularly.

• Document all exceptions granted and make sure those who enforce them are aware of and can find exceptions when needed

• Policy and procedure are the rules you can use to control the behavior of humans and mitigate the threat they pose

Page 12

Strong Identity control is a must

• No shared credentials ever, even for public data

• User identity is critical

• So is knowing the server and service you are connecting to

• How do you verify? Passphrase, 2FA, face pic, system details

• What verification do you trust (is DNS, IP, system name enough?)

• Do you verify certificates? To assure trust, and to validate dates.

• Do you verify hashes?

• How do you keep and protect your certificates?

• What changes do you alert on in your logs?

Page 13

Know your assets

• What services do you offer externally

• What services are allowed point to point internally

• More on segmentation and Micro-segmentation later

• Do you document what you intend

• Do you test what you have documented

• Have you assigned criticality by business activity
  • By server
  • By IP (think multiple interfaces, virtual and soft interfaces too)
  • By service or protocol (before and after wrappers or redirection)
  • By thread or stream
  • By source and destination

Page 14

Knowing your assets (more)

• What controls protect higher levels of criticality

• Do you log more or react differently for higher levels of criticality

• Do you statistically sample more at higher levels

• Do all highly privileged accounts and actions have 100% documented accountability? If not, have you documented when and why?

• What you can prove with non-repudiation may save your job one day

• It might just make the case against a hacker, intruder or fraudster

Page 15

Don’t drown in your logs

• If you never look at it why are you logging it

• Even if you look at it if you don’t intend to act, why keep it

• Consolidate the logs you care about

• SIEM is hard; in-depth knowledge of the network and service environment is absolutely required

• Document what actions you took and automate what you can (DevSecOps?)

• Start off small and increase as events warrant; it is OK to tune with real events

• Work backwards from most likely and most harmful events to determine what you need

• Don’t bite off more than you can chew (have time to deal with)

• Don’t bury your system in more than can be rationally verified and acted upon

• Throwing every possible log from all systems in there and letting the SIEM sort it out does not work, there is no magic in that box.

Page 16

Security Metrics that matter

• What are your risks, and how do you quantify them
• Indicators of compromise in your environment
• Baseline events requiring action
• Defensive alerts and false positives: AV, FW, SIEM etc.
• Event response speed, aka time to cleanup
• Outstanding audit items or vulnerability findings
• Patches released but not yet applied
• Password resets, forced vs requested; keep a trend line of reasons
• Reported spam, junk mail and phishing
• See NIST 800-55
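Three of the metrics listed above, computed from constructed sample records, as an added example that is not part of the original deck; the record fields, timestamps and the "now" reference point are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records (not real data): incident tickets, patch
# releases and password resets, the raw material for three of the metrics.
INCIDENTS = [
    {"id": "INC-1", "detected": "2019-03-01T09:00", "cleaned": "2019-03-01T13:30"},
    {"id": "INC-2", "detected": "2019-03-04T22:15", "cleaned": "2019-03-06T08:15"},
    {"id": "INC-3", "detected": "2019-03-10T07:00", "cleaned": None},  # still open
]
PATCHES = [
    {"id": "PATCH-A", "released": "2019-02-12", "applied": "2019-02-20"},
    {"id": "PATCH-B", "released": "2019-02-26", "applied": None},
    {"id": "PATCH-C", "released": "2019-03-05", "applied": None},
]
RESETS = [
    {"user": "u1", "reason": "forced"}, {"user": "u2", "reason": "requested"},
    {"user": "u3", "reason": "forced"}, {"user": "u4", "reason": "forced"},
]

def _ts(text):
    return datetime.fromisoformat(text)

def time_to_cleanup_hours(incidents, now):
    """Detection-to-cleanup time per incident. Open incidents are measured
    against 'now' so a lingering case is not hidden by a rosy average."""
    return {inc["id"]: round(((_ts(inc["cleaned"]) if inc["cleaned"] else now)
                              - _ts(inc["detected"])).total_seconds() / 3600, 2)
            for inc in incidents}

def patch_backlog(patches, now):
    """Patches released but not yet applied, oldest first, with age in days."""
    backlog = [(p["id"], (now - _ts(p["released"])).days)
               for p in patches if p["applied"] is None]
    return sorted(backlog, key=lambda item: -item[1])

def reset_reasons(resets):
    """Forced vs requested password resets; the forced share is the trend
    line to keep, since a change in it is what warrants a closer look."""
    counts = Counter(r["reason"] for r in resets)
    total = len(resets)
    return {"forced": counts["forced"], "requested": counts["requested"],
            "forced_share": round(counts["forced"] / total, 2) if total else 0.0}

if __name__ == "__main__":
    NOW = datetime(2019, 3, 12, 12, 0)  # assumed reporting time
    print(time_to_cleanup_hours(INCIDENTS, NOW))
    print(patch_backlog(PATCHES, NOW))
    print(reset_reasons(RESETS))
```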

Page 17

Endpoint protection

• Not just for workstations

• Servers can be an endpoint and are a user-controlled device sometimes too

• Servers can almost always run AV products but may need special configuration or exceptions on a directory, application or service basis

• Correlate logs for AV events; don’t rely on users to tell you about alerts or warnings

• Keep AV engine and definitions up to date

• Application whitelists, blacklists, and greylists can help control what should run and what can’t

• AD and policy controls can help eliminate remote PowerShell, Mimikatz and other common utilities used to compromise systems

• Don’t forget e-mail malware protections; that’s still a source 25 years later

• If you are not controlling Local Admin you aren’t controlling anything

Page 18

Segmented zones and micro-segmentation

• Thoughtful segmentation need not be micro, virtualized or software defined

• Start by mirroring zones of control within the network infrastructure by department, information classification, vendor and other meaningful real world controls

• If you would have segregated the network in a non-virtualized design, you need to invest in appropriate segmentation in virtual or cloud designs too.

• If you have invested in large scale virtualization use the lateral movement tools and software network controls that protect your investment and data

• Map and understand your data flows as well as your network connectivity and firewall rules

• Know and document source, destination, protocol, and route for every data flow

Page 19

Data exfiltration: watch the border in both directions

• Insider often aiding an external individual exfiltrating data

• Average 7 month discovery delay, often by 3rd parties

• Flash and portable drives make it possible to move huge amounts of data

• IDS and log review only have a 3% discovery rate (2015 data), not looking for exfiltration

• Everybody blocks all but intended inbound traffic, but do you do any inspection?

• Watching inbound flows for attacks and DDoS and overly aggressive applications, aka streaming and floods

• Watch DMZ and external services for unintended outbound flows, both out to the internet but also out to your internal network; encryption makes that even harder.

• DNS encapsulation is real, slow but effective (DNS tunneling); look for 255-byte repetitive flows as well as destinations that don’t make sense

• Many covert and even blatantly visible channels E-mail, HTTP/S, FTP, Remote access, Conf. Apps

• Not just abused protocols, Dropbox and file sharing exfiltration is common if allowed

• Usually a post exploit analysis identifies content via packet analysis
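An added example, not from the original deck, that scores a DNS query log for the tunneling indicators described above: many long, mostly unique query names of uniform size going to one domain. The log lines, the hex-blob tunnel names and the thresholds are constructed assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed DNS query log, one query per line: "<time> <client> <qname> <qtype>".
# Three ordinary lookups plus 40 TXT queries whose first label is a unique
# 48-character hex blob, the shape an encapsulating client produces (sample data).
SAMPLE_LOG = (
    "2019-03-12T10:00:01 10.10.4.9 www.example.com A\n"
    "2019-03-12T10:00:02 10.10.4.9 mail.example.com MX\n"
    "2019-03-12T10:00:03 10.10.4.9 api.example.com A\n"
    + "".join(
        f"2019-03-12T10:01:{i:02d} 10.10.4.9 "
        f"{hashlib.sha256(str(i).encode()).hexdigest()[:48]}.t.tunnel-example.net TXT\n"
        for i in range(40)))

def shannon_entropy(text):
    """Bits per character; hex or base32 payloads score far above real words."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def base_domain(qname):
    """Registered-domain approximation: last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname

def dns_tunnel_indicators(log_text, min_queries=20, min_len=45, min_unique=0.8):
    """Per base domain: query count, unique-name ratio, mean and spread of
    query length, and first-label entropy. A domain is flagged when it gets
    many long, mostly unique names, which is what encapsulated data looks like;
    a near-zero spread is the 'repetitive' size pattern the slide mentions."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than abort the review
        per_domain[base_domain(parts[2])].append(parts[2])
    findings = {}
    for domain, names in per_domain.items():
        lengths = [len(n) for n in names]
        mean_len = sum(lengths) / len(lengths)
        spread = math.sqrt(sum((l - mean_len) ** 2 for l in lengths) / len(lengths))
        unique_ratio = len(set(names)) / len(names)
        entropy = shannon_entropy("".join(n.split(".")[0] for n in names))
        findings[domain] = {
            "queries": len(names), "unique_ratio": round(unique_ratio, 2),
            "mean_len": round(mean_len, 1), "spread": round(spread, 1),
            "first_label_entropy": round(entropy, 2),
            "flagged": (len(names) >= min_queries and unique_ratio >= min_unique
                        and mean_len >= min_len),
        }
    return findings

if __name__ == "__main__":
    for domain, f in dns_tunnel_indicators(SAMPLE_LOG).items():
        print(domain, f)
```

Flagged domains still need a human to confirm they are not a CDN, a security product or some other legitimate high-volume resolver client before anyone acts on them.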

Page 20

Finishing up with Myths and cruel lies (if time permits)

1. Move it to the cloud, that will fix it

2. Encryption secures everything

3. Blockchain will secure everything

4. Artificial Intelligence will save us

Page 21

Myth 1 Move it to the cloud, that will fix it

• Moving to the Cloud as is, “Lift and Shift”, is a recipe for disaster

• Test and early build systems are a ripe target for attack

• Good key management, rights management and 2FA are critical

• Out of sight, out of mind adds risk

• Logging becomes even more important, automated alerts are key

• Automation and Agile happen at system speed not human time

• Use the opportunity to rebuild in a better and more sustainable way

Page 22

Myth 2 Encryption secures everything

• Just because it is encrypted doesn’t mean it is secure or private

• Weak encryption is still all over the place

• Backdoors have been implemented

• Bad key management is common (the key under the welcome mat)

• Encryption does not guarantee integrity or correctness

• Man-in-the-middle attacks & session hijacking are common

• Does not protect from ransomware

Page 23

Myth 3 Blockchain will secure everything

• What Blockchain is
  • Non-repudiable flat common transaction record
  • A shared ledger of sequentially stored items, a single verifiable truth
  • Avoids fraud and tampering

• What Blockchain isn’t
  • Not free, not fast, not private
  • Not always anonymous
  • Not invulnerable to attack

• Useful tool, not a universal tool

• Like any other software, only as good as its design and implementation (February MITM crypto wallet example)

Page 24

Myth 4 Artificial Intelligence will save us

• If you believe CSO magazine… AI will take care of:
  1. Detecting and helping to thwart cyberattacks in progress
  2. Threat intelligence
  3. Identifying, prioritizing and helping to remediate existing vulnerabilities
  4. Security monitoring
  5. Detecting malware, including ransomware, phishing attacks
  6. Examining code for vulnerabilities
  7. Data categorization
  8. Honeypots
  9. Predict and adapt to future threats

• Do you believe the hype?
  • Who is going to teach it?
  • How much tweaking and training for YOUR environment?

Page 25

Questions, Comments & Complaints

• Low volume twitter feed for my students and coconspirators (1 to 3 posts a month)

• https://twitter.com/freeinfosecnews

• Mike Harris

• Information Security Officer

• Columbia Insurance Group

• and Adjunct Professor (Informatics@Mizzou)

• CISSP, HCISPP

[email protected]

[email protected]