SANS Institute InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
Copyright SANS Institute. Author Retains Full Rights.
GIAC (GCIH) Gold Certification
Author: Muhammad EL-Harmeel, [email protected]
Advisor: Jeff Turner
Accepted: December 4th, 2008
Abstract
“Amateurs hack systems, professionals hack people.” Bruce Schneier. If you really believe in this quote, as I do, then this paper is worth a read. This publication seeks to assist organizations in mitigating the risks from human-based attacks, which are capable of circumventing a wide range of deployed controls, by publishing the culture of “defending people by people.” This paper defines the new concept of the “Human being firewall,” shows how it could be applied to maintain a good security posture, and finally provides practical guidance on responding to incidents effectively and efficiently.
Human Being Firewall “It’s not a terminology…It’s a real methodology”
Muhammad EL-Harmeel, [email protected]
Introduction
Why don’t we have people in our organizations whose main job is to detect and react to human-based attacks? We may have a firewall box that defends against computer-based attacks, but we still need a new approach that defends against human-based attacks.
From my perspective, a seasoned hacker is not the one who is merely equipped with a large arsenal of tools and many years of experience that can be combined in various ways to complete an attack; he is the one with the passion, driven by innovation, to complete the attack in the minimal amount of time using the simplest tool available, as the voice of wisdom would say: go for the easiest.
Awareness is a major issue when it comes to security. From this point of view I consider hacking humans the niftiest weapon in the hacking arsenal: it is available to everyone, and it needs no previous experience to understand how to handle human beings and steer their actions so that they do whatever you want, in a stealthy way.
Security professionals should understand the limitations of both hardware and software for providing a truly secure environment; they should go beyond this and evaluate the real risk presented by humans, a vital factor in the security chain and the one considered its weakest link.
Through the ages security geeks have been in a battle to secure their assets, investing a lot of money in hardening their networks with whatever they could to keep intruders out, but it was never going to work that way; it is all about the art of where, when and how to do this.
Have you ever considered whether investing money to protect people from attacks like social engineering is worth it? Can you tell what use a box is that is secured with a stateful inspection firewall, monitored by an IPS, armed with a 24-digit password and multifactor authentication, has no remote management capability, and is finally located in a secure room protected by biometric access control, IF:
This box is administered by a careless admin who has no problem leaving the box unlocked while getting a cup of tea!
1. Main Part
1.1. Definitions
1.1.1. Social Engineering
According to SearchSecurity.com Definitions
Social engineering is a term that describes a non-technical kind of intrusion that
relies heavily on human interaction and often involves tricking other people to break
normal security procedures. A social engineer runs what used to be called a "con game".
For example, a person using social engineering to break into a computer network
would try to gain the confidence of someone who is authorized to access the network in
order to get them to reveal information that compromises the network's security. They
might call the authorized employee with some kind of urgent problem; social engineers
often rely on the natural helpfulness of people as well as on their weaknesses. Appeal to
vanity, appeal to authority, and old-fashioned eavesdropping are typical social
engineering techniques.
1.1.2. Computer based attacks
This can be defined as the type of attack that targets only computer systems and has nothing to do with humans; the target is a pure box.
1.1.3. Human based attacks
This can be defined as the type of attack that targets only humans; it does not matter whether a computer system is involved or not. In other words, the target is a pure human, regardless of the means used to accomplish this.
1.1.4. Human Being Firewall
An individual employed with the task of defending against human-based attacks that target employees within the organization, using a variety of methods (i.e. awareness sessions, inspecting information traversing the organization and ensuring confidentiality).
1.2. Analogy
Regarding the analogy between using boxes and humans to defend and secure our networks, we will map this onto the main device used to secure networks: first we define this device, then we demonstrate how its roles can be assigned to humans so that they operate in a similar manner in order to defend against human-based attacks.
1.2.1. Firewall analogy
Webopedia.com has defined a firewall as a system designed to prevent
unauthorized access to or from a private network. Firewalls can be implemented in both
hardware and software, or a combination of both. Firewalls are frequently used to prevent
unauthorized Internet users from accessing private networks connected to the Internet,
especially intranets. All messages entering or leaving the intranet pass through the
firewall, which examines each message and blocks those that do not meet the specified
security criteria.
Microsoft Corporation. (August 24, 2001). [Graph illustrating the operation of the firewall].
As stated, the main role of the firewall is to prevent unauthorized traffic in both directions, inbound and outbound. Mapping this concept onto the human being firewall, we get the following.
Operational Modes
1. Packet filtering
2. Proxy server
3. Stateful packet filtering
This was for the network firewall, but what about the human being firewall? Basically there is only a slight difference between the network firewall and the human being firewall; the modes mentioned can be mapped onto the following modes of the human being firewall:
• (Information filtering mode) The human being firewall can operate in information filtering mode: information is classified into categories, any communication is explicitly denied, and a rule must be assigned defining each type of communication that is allowed.
• (Proxy mode) The human being firewall performs any type of communication on behalf of the communicator if the information is going to leave or enter the entity.
• (Stateful information filtering mode) Unlike the previous modes, which require a policy that controls actions, in this mode it is up to the human being firewall to decide which information should enter or leave the entity according to each situation (more suitable for complex environments), without prior permission for each communication.
Hint: this mode is totally undesirable and should be avoided, using the security policy as the reference and decision maker; it is not recommended to operate in this mode with a human being firewall who has less than 5 years of experience in this field.
After mapping the three firewall modes onto the human being firewall, we will continue to map other concepts as well.
Defining Networks
Like any other network device, it needs to be configured properly to work efficiently; thus this person should be provided with a holistic overview of the entity, its departments and the employees working within it. This enhances the performance of this person by familiarizing him with the valuable assets of the entity and the type of information that should be protected.
Access List
The firewall access list maps onto the security policy: just as the access list decides what should pass through our network and what should not, the security policy guides this person on what information is allowed to enter or leave the entity.
AAA (Authentication-Authorization-Accounting)
The concept of AAA can be applied to the human being firewall as well; we can summarize this concept in the following questions:
1. Authentication = who are you?
The human being firewall should authenticate any user prior to allowing any type of communication to traverse the entity.
2. Authorization = what can you do?
After the authentication process succeeds, authorization should be performed to ensure that the communicator has the right to do what he wants to do. For example, a user in the R&D department of company X needs to communicate with another user in the R&D department of company Y; to allow this type of communication, two actions should be done:
Firstly, authenticating the user (ensuring that this user really works for company X and is part of the R&D department).
Secondly, authorizing the user (ensuring that this user has the right to communicate directly with his destination). According to the security policy, direct communication is not allowed between R&D employees and any external entity, thus preventing information leakage or red hunting.
3. Accounting = what did you do?
The most important part of this portion is accounting, or logging: any type of communication should be logged for review if needed. This ensures the following:
• Ability to track any process for later analysis if an incident took place
• Creating a baseline for our information security posture that would help in detecting abnormal activities
VLANS
According to Wikipedia.com, a virtual LAN, commonly known as a VLAN, is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location. A VLAN has the same attributes as a physical LAN, but it allows for end stations to be grouped together even if they are not located in the same physical place.
It is simple to map this concept onto our desired human being firewall; the roles will include the following:
• Dividing the organization into small entities, where each entity shares the same name and attributes
• Assigning each entity a security level that reflects its desired level of importance
• Allowing entities with a higher security level to communicate with entities of a lower security level, while the reverse is denied
• As with VLANs, employees from the same entity might be spread over different physical locations and still be able to communicate with each other
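The access list, AAA and VLAN mappings above describe one decision procedure: authenticate the communicator, authorize the request against a default-deny policy plus entity levels, and log the outcome. The following is an added example, not code from the paper, that puts that procedure into a small Python model. Every entity name, security level, directory entry and access-list rule in it is constructed for illustration; the one policy point taken from the text is that R&D may not communicate directly with any external entity, so outside communication is only ever allowed by an explicit rule, never by the level comparison.

```python
"""Added example (not from the paper): a small model of the human being
firewall in information filtering mode, with the access list, AAA and
VLAN-style entity levels mapped onto code.

Entity names, levels, directory and rules are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Entities ("VLANs"): higher level = more sensitive. "external" is
# everything outside the organization (constructed sample data).
ENTITY_LEVELS: Dict[str, int] = {
    "rnd": 3,        # research and development
    "sales": 2,
    "external": 0,
}

# Directory of known people, used for "authentication = who are you?".
# A real deployment would take this from HR or an identity system.
DIRECTORY: Dict[str, str] = {
    "alice": "rnd",
    "bob": "sales",
}

# Access list ("security policy"): explicit allow rules only, so anything
# not listed is denied by default, as in information filtering mode.
ACCESS_LIST: List[Tuple[str, str]] = [
    ("sales", "external"),   # sales may talk to outsiders
]


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class HumanFirewall:
    log: List[dict] = field(default_factory=list)   # accounting

    def authenticate(self, user: str) -> Optional[str]:
        """Return the entity the user belongs to, or None if unknown."""
        return DIRECTORY.get(user)

    def authorize(self, src_entity: str, dst_entity: str) -> Decision:
        """Allow if an explicit rule exists, or if the source entity sits
        at a higher level than an internal destination (higher may talk
        to lower, never the reverse). External destinations require an
        explicit rule, mirroring the R&D-to-outside prohibition."""
        if (src_entity, dst_entity) in ACCESS_LIST:
            return Decision(True, "explicit rule")
        if dst_entity != "external" and \
                ENTITY_LEVELS[src_entity] > ENTITY_LEVELS[dst_entity]:
            return Decision(True, "higher level to lower level")
        return Decision(False, "no rule permits this communication")

    def request(self, user: str, dst_entity: str) -> Decision:
        """Full AAA pass for one communication request, always logged."""
        src_entity = self.authenticate(user)
        if src_entity is None:
            decision = Decision(False, "authentication failed")
        elif dst_entity not in ENTITY_LEVELS:
            decision = Decision(False, "unknown destination entity")
        else:
            decision = self.authorize(src_entity, dst_entity)
        self.log.append({"user": user, "src": src_entity, "dst": dst_entity,
                         "allowed": decision.allowed,
                         "reason": decision.reason})
        return decision


if __name__ == "__main__":
    fw = HumanFirewall()
    for user, dst in [("alice", "external"), ("bob", "external"),
                      ("alice", "sales"), ("bob", "rnd"), ("mallory", "sales")]:
        d = fw.request(user, dst)
        print(f"{user} -> {dst}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

The log entries are the accounting baseline the text asks for: a reviewer can later see who asked to talk to whom, and denied requests from unknown identities stand out as the abnormal activity worth following up.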
Fault tolerance
Applying this concept here differs a little from its traditional definition: it means that this person should not be the single point of failure in the security chain. Having a secondary human being firewall (a substitute) for this person helps in case the primary one is unavailable; synchronization between the two should also be done at short intervals to keep both of them up to date.
Testing the process
Ensuring that the deployed human being firewall is operational and working properly is extremely important. A test should be conducted to see how the human being firewall reacts to a real incident (where there is no room for a single fault); this is accomplished by trying to violate the approved security policy that controls this process.
One thing to keep in mind when doing this is to conduct the test completely unannounced, without any prior knowledge on the part of the human being firewall; that mimics how the deployed human being firewall would react in case of a real incident.
1.3. Case Study
1.3.1. Overview
Secure-n is an organization that works in the field of information technology as a system integrator; it consists of three subsidiaries: network solutions, security and multimedia.
The security department is responsible for providing security services for other organizations by delivering state-of-the-art network assessment, penetration testing and risk assessment services. In order to do this, the security service team must be provided with confidential information about the target organization, such as network device configurations, web application source code and network diagrams.
First we will define the individuals and entities involved in this scenario:
Entities
1. Secure-n Corporation: system integrator (the target).
2. Global-n Corporation: Secure-n’s competitor.
3. Global-x Corporation: fake identity used to mask the real identity of Global-n Corp. (the attacker).
Individuals
1. Omar Yakan: the bad guy within Global-n; he has been assigned the task of finding a way to disrupt Secure-n’s business activities.
2. Adam Mohamed: Security Presales Manager at Secure-n Corp.
3. Ahmed Noor: Senior Information Security Engineer at Secure-n Corp.
The attack
Global-n is a fierce competitor of Secure-n Corporation; since Secure-n Corporation has become a leading system integrator in the market, Global-n is now on a mission to overtake Secure-n Corporation by any means.
Global-n contacted Secure-n Corporation under a fake identity (Global-x), a foreign company located outside the country, claiming it needed a security service solution and asking for a contact person at Secure-n Corporation. To do this, a normal visit to the Secure-n website revealed the e-mail address of the security service department.
Since Global-x claimed to be located outside the country, Secure-n Corporation had no way to communicate with Global-x other than via e-mail. After getting the e-mail address of the Security Service department from the Secure-n website, Global-n contacted Secure-n under the fake identity (Global-x):
After receiving this e-mail, Secure-n replied with the following:
Until now everything seems fine, with no abnormal or suspicious activity that would arouse the curiosity of Secure-n staff. Now we can dive deeper into the attack; what follows is another bundle of words that is even niftier than a CSRF attack.
The reply from Omar Yakan was a professional one, written to continue gaining trust without raising any doubts:
Sending another e-mail from Omar Yakan to Ahmed Noor before Ahmed had even replied to the previous one was another tactic Omar used to pressure Ahmed, so as not to give him the chance to investigate Global-x’s identity further.
Ahmed was now in trouble: he could not disclose those reports to Global-x, as the signed non-disclosure agreement would subject him to legal penalties, but he also did not want to lose this wealthy client (Global-x). He also needed to prove the professionalism of his work and the state-of-the-art services delivered. After deep thought, Ahmed settled on removing any data from the report related to the previous customer and then sending the customized report to Global-x for further analysis.
Ahmed replied to Omar with the following e-mail:
To get familiar with what Ahmed did to the report to obscure the identity of the customer, let us take a look at the following screenshots taken from the attached report:
[Screenshots from the sanitized report; images not reproduced]
Now that we have an overview of what this report looks like, we will explain how it could be a key element in a successful attack against Secure-n Corporation. The main concern of Omar Yakan was to learn the obscured identity of the customer represented in that report.
It was clear that Ahmed Noor had masked or scrambled every line of the report that could disclose the name or even the IP addresses of the customer, so he thought that nothing else in the report could pose a real threat of revealing his customer’s identity. But I am sorry to say that he was totally wrong; let us see why!
Omar was smart enough to pick out just one of the screenshots that could help him identify the masked customer. Please take a deep look at the following shot and think for a while about what could be extracted from it to help reveal the identity of the customer.
After deep inspection, Omar took notes about the following:
1. The time at which this pen-test was conducted (Ahmed thought it was worth nothing for the time to be known).
2. The ISP providing the customer with Internet services.
By now Omar knew valuable information that would help him identify the masked customer, but he still needed more information to be sure whose report it was. Omar carried out more investigation to collect information; surfing the Secure-n website might be a good idea, Omar thought.
Omar was right about this idea, as he found the following page on the website:
Navigating to that link resulted in the following page:
Omar thought he had nothing to lose by investigating this corporation (Thunder Gas), so he tried to gather more information about it. A few simple queries using Sam Spade and other WHOIS utilities were enough to confirm that the sample report was really relevant to that corporation (Thunder Gas). Do you know why?
Remember the valuable information noted by Omar before? The time at which the pen-test was conducted and the ISP serving this customer. It was now clear that Thunder Gas is served by the same ISP that was listed in the report.
By now Omar was 70% sure that the report related to Thunder Gas Corporation, but he still needed to make sure of that before carrying out the last phase of the attack. As Omar believes that the Internet is a treasury full of vital information, he decided to search it for something that could help him more.
Trying the search string (Thunder+Gas+Secure-n) in Google returned many results, and the very first link was an article in a public IT magazine containing the following:
“Secure-n Delivers Thunder Gas Security Service (15/2/2008)
Thunder Gas, the biggest Petroleum Company in Egypt, designated Secure-n to secure its infrastructure. The new process Secure-n implemented includes assessing network infrastructure, web applications and compliance issues. Due to Secure-n expansions, it became an urgent need to ensure the confidentiality of its data.”
After comparing the two dates listed in the report and the article, Omar was totally sure that the report related to Thunder Gas Corporation. By now Omar is fully capable of doing damaging harm to Secure-n’s reputation by disclosing the confidential data he has obtained; moreover, Secure-n may be subject to legal accountability and other penalties under the signed NDA.
1.4. The Defense
“An ounce of prevention is worth a pound of cure”, Benjamin Franklin
That is our message, and it should be considered by every individual working in the information security field. Before we delve into the steps that should have been taken to keep the effect of that attack on operations to a minimum, we will go through some preventive actions that a human being firewall would implement to help mitigate this type of attack.
1.4.1. Preventive Actions
Security awareness
Microsoft has its own vision regarding security awareness; it states that people are the last line of defense against threats such as malicious code, disgruntled employees, and malicious third parties. Therefore, people need to be educated on what your organization considers appropriate security-conscious behavior, and also on what security best practices they need to incorporate in their daily business activities. This kit was created to provide guidance, samples, and templates for creating a security awareness program.
InfoSecurityLab stated that topics covered in security awareness training should
include:
• The nature of sensitive material and physical assets they may come in
contact with, such as trade secrets, privacy concerns and government
classified information.
• Never send sensitive information via email.
• Employee and contractor responsibilities in handling sensitive
information, including review of employee nondisclosure agreements.
• Do not cut and paste potentially sensitive information from any
proprietary or confidential business application into emails or otherwise
distribute sensitive information insecurely to customers.
• Only share customer data with internal personnel on a need-to-know basis.
• Requirements for proper handling of sensitive material in physical form,
including marking, transmission, storage and destruction.
• Proper methods for protecting sensitive information on computer systems,
including password policy and use of two-factor authentication.
• Other computer security concerns, including malware, phishing, social
engineering, etc.
• Workplace security, including building access, wearing of security badges,
reporting of incidents, forbidden articles, etc.
• Consequences of failure to properly protect information, including
potential loss of employment, economic consequences to the firm, damage
to individuals whose private records are divulged, and possible civil and
criminal penalties.
Being security aware means you understand that there is the potential for some
people to deliberately or accidentally steal, damage, or misuse the data that is stored
within a company's computer systems and throughout its organization. Therefore, it
would be prudent to support the assets of the institution (information, physical, and
personal) by trying to stop that from happening.
Data Loss Prevention (DLP)
“You have to understand what kind of sensitive data you have and do a risk evaluation of what happens if data is exposed or gets in the wrong hands.” Thomas Raschke
So you really should not underestimate the danger you would face if your business secrets were disclosed.
“DLP solutions both protect sensitive data and provide insight into the use of content within the enterprise. Few enterprises classify data beyond that which is public, and everything else. DLP helps organizations better understand their data and improve their ability to classify and manage content.” Rich Mogull (n.d.), Understanding and selecting a DLP solution.
According to searchsecurity.techtarget.com.au, you can expect the following after maintaining a good DLP solution:
• Protect information from accidental disclosure - Employees have access to an
organization's most sensitive information, but some simply are not aware of the
dangers inherent in sending data over the Internet. For example, a new finance
employee sending a confidential document to an offsite accounting firm may
decide to attach the document to an email without realizing that it's being sent in
clear text across the Internet. It is the responsibility of the organization to ensure
that the proper steps are taken to tag all confidential data. DLP products ensure
that confidential and critical information is appropriately tagged so that
employees cannot accidentally disclose it. Tagging is the process of classifying
which data on a system is confidential, and marking it appropriately. Because of
this labeling, an employee that accidentally or maliciously attempts to disclose
confidential information may be denied. For example, a sensitive file that is
tagged can be restricted from being sent via email and instant messaging
programs.
• Protecting information from malicious intent (internal and external) - Disgruntled
employees continue to be a primary driver of data theft. Implementing DLP can
restrict the channels in which employees can transfer data. DLP can also prevent
confidential data from being copied to USB devices, external hard drives and
iPods.
• Meeting regulatory compliance requirements - Many organizations need to
comply with certain government regulations, be it SOX, GLBA, HIPAA or all of
the above. DLP technology seems likely to play a major part in assisting with
regulatory compliance requirements this year. HIPAA, for example, requires that
all healthcare information remain confidential, and a DLP strategy is not only a
means of protecting such information, it's also a way to demonstrate that the
organization is taking the appropriate steps outlined in the regulation.
We should emphasize that we should expect the worst when implementing our controls and hope for the best; sooner or later an attack is going to occur. It is not a matter of “if” but “when”.
The next section demonstrates how a well-planned incident handling strategy helps in healing quickly from the effects of such attacks. Let us apply the six-step process (preparation, identification, containment, eradication, recovery, lessons learned) for incident handling.
1.5. Incident Handling Process
1.5.1. Preparation
This phase is almost the same in any case, as it outlines how we should be prepared and ready to deal with the incident in a mature manner that helps in fast recovery and ensures the integrity of the evidence. Considering the following guidelines would help in getting our team ready to handle incidents:
• Obtain management support (very important; otherwise the whole plan will be useless).
• Identify contacts in other organizations (legal, law enforcement, partners...).
• Identify the team members who will be working through the incident.
• Train the team: practice...practice...practice.
• Consider out-of-band communications (this does not affect our scenario, but it is really a vital step that must not be ignored).
• Document every step you take.
• Update the disaster recovery plan.
Scenario mapping
Here we demonstrate how the new concept of the Human Being Firewall could be merged with the six-step process for incident handling, where applicable.
• Mode of operation: The dedicated human being firewall will operate in the stateful information filtering mode, so he has the right to decide what information should leave or enter the organization; as he has the authority to do so, he would inspect any attachments leaving the entity for abnormal activity.
• Defining networks: The human being firewall should be provided with detailed information about the corporate structure, design and provided services. This should be supported by thorough documentation showing the role and authority of each employee within the corporation. The first thing that comes to mind in this phase is legal contracts and penalties, so he should spend adequate time understanding the nature of Secure-n’s structure, tasks and even partners and competitors in order to get a holistic overview.
• Defining the policy: as the most important part of a security process, a security policy should be defined.
In her GSEC practical assignment, Kerry D. McConnell summarized these tips briefly as follows:
a. Develop policies that you plan to enforce.
b. Develop security policies that do not require updates too frequently.
c. Differentiate between policy and standards or recommendations.
d. Include employees from other departments in the development of the policy.
e. Make it available to everyone.
f. Make it easily understood, far from complicated terms.
g. Make sure your legal department is involved.
Until now none of the above actions affect our attack in a direct manner; they are proactive actions that help in maintaining a good preparation plan. If the above tasks were executed precisely, we would have a well-prepared human being firewall who is ready to identify attacks and react to them in a mature manner.
1.5.2. Identification
We can refer to identification as detecting deviation from the norm and attempts to do harm. Identifying both the incident and the person who should identify it is a critical mission; you should know how you identify an incident (IDS alerts, failed or unexplained events, system reboots, poor performance). Correlating evidence is not an easy task at all; you must be capable of determining whether it is an event or an incident. Keep in mind that reporting events as incidents (false positives) reduces your credibility; another thing to keep in mind is notifying the correct person.
Points to keep in mind:
• Be willing to alert early.
• Maintain situational awareness.
• Provide indications and warnings.
• Fuse or correlate information.
Scenario mapping
How would the human being firewall identify the attack?
Based on the information he obtained in the preparation phase, he is supposed to identify the attack successfully. Applying the following concept would have a significant impact on identifying the attack:
• Authentication: who are you?
The human being firewall should intercept any type of communication that traverses the entity, so the first challenging task facing him is to check the identity of Global-x Corporation. Restrictive actions should be taken to ensure the success of this task; if he completes it successfully, he renders the whole attack ineffective.
Another vector that increases the probability of identifying the attack is the request for a sample report: it is not common to ask for things like that, so a request like this is worth investigating. Since he is supposed to alert early, the human being firewall would prefer to alert at this stage even though there is a probability of a false positive alarm. After identifying the attack and alerting, the human being firewall should communicate with the communicator to familiarize him with the nature of the attack and what consequences could be expected from attacks like these.
Human Being Firewall “It’s not a terminology…It’s a real methodology”
32
MuhammadEL‐[email protected]
1.5.3. Containment
Enlarging the scale of the attack is usually one of the goals an attacker tries to
achieve; infecting as wide a range of systems as possible would be his ultimate goal.
From this perspective we must stop the attack vector from spreading across the
network by keeping the effect of the attack to a minimum. Things should not get
worse, and decisions that stop the damage should be taken quickly.
Scenario mapping
If the attack was identified successfully at an early stage and rendered useless,
there would be nothing left to contain and this phase would not apply. Following the
defense-in-depth concept, however, we assume the attack was executed and address
how the human being firewall plays a major role in the containment phase.
The human being firewall directs Ahmed Noor to stop any type of
communication with the alleged customer Global-x. By doing so we are sure that, at
least, we have stopped the bleeding and prevented the attack from causing further
damage.
1.5.4. Eradication
Now with the bleeding stopped, our goal is to get rid of the intruder’s artifacts.
Consider the following points:
• Fix the problem before going back online.
• Determine the cause not the symptoms.
• Improve defense.
• Make sure compromise doesn’t recur.
Scenario mapping
Removing the vulnerability that the attacker exploited is the goal of this
phase. It is clear that lack of security awareness is the main reason the attack
succeeded; moreover, it is a clear violation of the policy, which states that individuals
are not authorized to share customer data with external personnel.
It is the human being firewall's task to apply the second pillar of AAA:
2- Authorization: what can you do?
According to the policy, Ahmed Noor should be advised that he is not authorized to
share customer data with external personnel. At this point the vulnerability that
enabled the attack is assumed to be eradicated in a way that stops attackers from
exploiting it again.
1.5.5. Recovery
Our goal now shifts to putting the impacted items (which might include
computers, network devices and even individuals) back into normal operation.
• Make sure you do not restore a compromised item (code, a workstation or
even an employee).
• Validate the system (verify that the operation was successful and the system
is in its normal state).
• Be careful in deciding when to restore operations (system owner or
business).
• Monitor the restored item very closely.
Scenario mapping
There is no doubt that Ahmed Noor's actions should be monitored closely by the
human being firewall for a period of time, to ensure that he has returned to normal
operation without any chance of being exploited again.
1.5.6. Lessons Learned
Improving our capabilities and operations to prevent it from happening again, one
way to improve is to learn from our mistakes and move on to make new mistakes instead
of repeating the old ones. This is the main goal of this phase. To obtain the ultimate
usefulness of this phase we are expected to have as many evidences as we can that would
show us that nature and tactic used by the attacker to complete his attack successfully.
Again, it’s the human being firewall task to implement the third pillar of AAA concept
3- Accounting = what did you did?
Documentation is a key element in case of incidents, remember that in case of incidents
there will be always lack of evidences so by documenting every type of communication
traversing the entity we still would have evidences that would support our legal situation
in case of being charged.
Key points to be considered:
• Identify the most relevant conclusions and areas for improvement.
• Develop a report and try to get consensus.
• Conduct a follow-up meeting within 24 hours of the end of the incident.
• Send recommendation to the management, including a cost analysis.
1.5.7. Conclusion
Throughout this paper we have walked through a real-world scenario as a proof
of concept that new breeds of attacks already exist around us and can cause severe
harm. We can mitigate those types of attacks with the new concept of "defending
people by people".
We should not underestimate the danger we face when handling attacks that
target humans. Our most valuable asset is our employees, so we are expected to do a
good job of securing them and keeping them safe from human-based attacks.
The human being firewall should be considered the most valuable and effective
way of defending against this type of attack, and it deserves consideration in every
organization that believes it needs to maintain a good security posture.
1.6. References
Christopher, A. (n.d.). The human firewall. Network World. Retrieved December 7, 2008, from
http://www.networkworld.com/research/2003/0526human.html?page=1
Articlesbase.com. (2007). Security Awareness. Retrieved December 10, 2008, from
http://www.practicalecommerce.com/articles/170-eCommerce-Fraud-Build-a-Human-Firewall
CERT.org. (2008). Computer Security Incident Response Team FAQ. Retrieved December 12, 2008, from
http://www.cert.org/csirts/csirt_faq.html
McConnell, K. D. (2002). How to Develop Good Security Policies and Tips on Assessment and
Enforcement. GIAC GSEC practical assignment. Retrieved December 17, 2008, from
www.giac.org/certified_professionals/practicals/gsec/1811.php
Microsoft Corporation. (n.d.). Security Awareness. Retrieved December 9, 2008, from
http://technet.microsoft.com/en-us/security/cc165442.aspx
Microsoft Corporation. (2001, August 24). Graph illustrating the operation of the firewall.
Retrieved September 20, 2008, from
http://www.microsoft.com/middleeast/windows/windowsxp/home/using/howto/homenet/protect.aspx
National Institute of Standards and Technology. (2003). Building an Information Technology
Security Awareness and Training Program (NIST SP 800-50). Retrieved December 7, 2008, from
http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf
National Institute of Standards and Technology. (2003). Establishing a Computer Security
Incident Response Capability (CSIRC) (NIST SP 800-61). Retrieved December 7, 2008, from
http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf
Mogull, R. (n.d.). Understanding and Selecting a DLP Solution. SANS Reading Room. Retrieved
November 21, 2008, from http://www.sans.org/reading_room/dlp/87.pdf
SearchSecurity.com. (2006). Definitions. Retrieved October 2, 2008, from
http://www.searchsecurity.techtarget.com/sDefinition/0,,sid14_gci531120,00.html
Webopedia.com. (2004). Firewall definition. Retrieved December 3, 2008, from
http://www.webopedia.com/TERM/f/firewall.html
Wikipedia. (n.d.). VLAN. Retrieved December 1, 2008, from http://en.wikipedia.org/wiki/VLAN