Cisco Security Consulting Services Update

Transcription

1 1 Cisco Security Consulting Services Update Session 2 Presentation_ID.scr 1

2 Agenda Security Philosophy Security Consulting Offerings Cisco Security Service Differentiators Case Studies 3 Background Security posture assessments, ethical hacking, penetration tests, etc. To some extent, all have different goals, perspectives, methodologies Cisco security consulting expertise, philosophy, and methodology grounded in previous experience 4 Presentation_ID.scr 2

3 Influential Experience Air Force Information Warfare Center One of first dedicated efforts to audit network security WheelGroup Corporation Gained prominence by advancing this methodology, highlighted in part by Fortune cover story Joined Cisco in March 1998 As part of WheelGroup acquisition 1990 s USAF Why Do You Need Security Consulting? To find out what you have on the network With networks changing so much, few organizations have an idea of what they actually have on the network How can you secure something that you don t know you have? 6 Presentation_ID.scr 3

4 Why Do You Need Security Consulting? To find out where your problems are Virtually all networks have problems, the difficulty is detecting them and their location The best intentions go nowhere without direction 7 Why Do You Need Security Consulting? To find out what to do about the problems Many problems can be corrected in house, it s just a matter of knowing what to do Very few network administrators have the time, experience, and the resulting expertise to address the intricacies of security issues 8 Presentation_ID.scr 4

5 Traditional, Old World Security Philosophy Develop Policy + Implement Security Products + Inspect Once in a While No Dedicated Security Staff! Handle Incidents as They Occur Result = Full of Risk and Contrary to Business Operations 9 New World Security Philosophy: The Security Wheel Consider Security as a Business Function A Continual, Multistage Process Focused on Incremental Improvement Secure Manage and Improve Corporate Security Policy Monitor and Respond Test 10 Presentation_ID.scr 5

6 Service Overview Cisco Security SWAT Team Very operationally focused Just hardcore, security experts Not trying to be all things to all people Offerings: Incident control and recovery Security posture assessments 11 Target Market Cisco A-list Fortune 1000 (80%of client base) IT-intensive organizations Clients come from a wide range of vertical industries, including leaders in: Finance Energy Transportation Retail Manufacturing 12 Presentation_ID.scr 6

7 Incident Control and Recovery (ICR) Short Notice, Emergency Engagements when the Network Is Undergoing or Has Very Recently Suffered an Attack Intent is to: Contain attacker Eliminate attacker s access to network Identify source of attack (if possible) and Help client restore network to preattack status More tactical in nature; not intended for protracted legal fight 13 The Security Wheel and ICR Secure Manage and Improve Corporate Security Policy Monitor and Respond Test The Primary Focus of an ICR Is to Dramatically and Quickly Improve the State of the Network which Is Suffering from a Hostile Event 14 Presentation_ID.scr 7

8 Security Posture Assessment (SPA) Operational, Comprehensive Analysis of the Security State of the Network Cisco security consulting s flagship offering Not a policy-only study or employee interview focused Not social engineering Not user training Not pointing fingers at security staff Not trying to have all security needs outsourced Rather, an influx of expertise and assistance to existing staff to advance security on network 15 The Security Wheel and SPA Secure Manage and Improve Corporate Security Policy Monitor and Respond SPA Provides a Snapshot of the Security State of the Network with Clear Understanding of How to Improve It Test SPA Allows You to Verify the Security Policy You ve Developed Is Properly Implemented and Maintained 16 Presentation_ID.scr 8

9 SPA = External, Dial, Internal Analysis Internet Router External Dial Assessment WAN Enterprise Network Internal IP Network Assessment External IP Assessment 17 Assessment Process Network mapping Host discovery Service discovery Targeting (potential vulnerabilities) Exploitation (confirmed vulnerabilities) Focused but no denial of service exploits Data management Analysis, recommendations, trends 18 Presentation_ID.scr 9

10 Result Communications Executive summary Metrics/graphs to quantify security posture and show trends/deltas Metrics set baselines, show improvements, and justify budgets and resources Technical appendices Which systems (IP address), have what vulnerabilities and how to fix them Information communicated via: Formal presentation, hardcopy, softcopy 19 Cisco Differentiators Personnel As far as qualifications go, reading the supplied consultant profiles is like placing a Tom Clancy character in a William Gibson novel You can t help but get the feeling these people are pretty serious about security Network Computing Magazine April Presentation_ID.scr 10

11 Cisco Differentiators Personnel Primarily from government/military backgrounds such as: AFIWC, SEC, White House, NSA, CIA Served on UN Inspection Teams to Iraq Briefed National Security Council White Hat experience Not exhackers; most have had top secret clearances or higher Not script kiddies Not dependant on automated tools to do work 21 Proprietary tools Differentiators Scanning tool is proprietary and developed and maintained in-house Beyond standard commercial tools Don t go to a dentist to have teeth cleaned with toothbrush Proprietary tools are highly efficient; Permits consultants, instead of development staff, to add new vulnerabilities and modify code on the fly during an engagement 22 Presentation_ID.scr 11

12 Singular focus Differentiators Operational network security experts Not trying to be all things to all people Don t perform policy-only engagements, accounting, implementation, business consulting, etc. Large-scale expertise Focused and experienced in servicing Cisco s largest, most complex networked customers: Two of top 10 U.S. banks Two Fortune 50 manufacturing clients 23 Differentiators Comprehensive approach Looking for all the ways in, not just a sampling subset Confirm the presence of vulnerabilities on network Get root, prove the danger Perform secondary exploitation Detailed analysis of how vulnerabilities can be used together to gain unauthorized access 24 Presentation_ID.scr 12

13 Differentiators Proven methodology and results Years of specialized experience Over 100 assessments performed Featured on the cover of Fortune Ranked #1 in industry by 25 Results Samples Networks where Cisco has proven vulnerabilities and gained root: Money transfer pipelines Intensive care units Air traffic control systems Payroll/product ordering systems Manufacturing lines 26 Presentation_ID.scr 13

14 Results Samples Clients have 66 Class A network address spaces 100% root access IT department through a modem 16 unknown, unprotected internet access lines Five weeks of intensive work but only two users detected odd activity 27 Results Samples (Cont.) Firewall set to default configuration of zero for 13 months Standardized network equipment passwords: One compromise=network Example: Every Cisco router has cisco as userid and password Over 140,000 userid and password pairs from financial institution captured unencrypted 28 Presentation_ID.scr 14

15 Vulnerabilities to Network Attack (Industry-Wide Average) Internet External Exploitation 65+% Vulnerable Dial-In Exploitation Internal Exploitation 75% Vulnerable 95+% Vulnerable Externally with Secondary Exploitation 100% Vulnerable Source: Cisco Security Posture Assessments All figures are approximate 29 Common Findings External, perimeter systems mostly secure individually but not together; gaps common Dial-in systems are very vulnerable Internally, security is practically nonexistent Vast majority of clients don t know of the systems that are on the network You can t secure it if you don t know it s there 30 Presentation_ID.scr 15

16 Common Findings All Clients Could be Secure Most of the Time and for Relatively Little Cost Just Need Insight, Process, and Desire 31 Summary Industry Leading, Credible Professionals using Focused Operational Security Expertise to Help Organizations Control the Security of Their Networks 32 Presentation_ID.scr 16

17 More Information Via the Web: Via 33 Contact Doug Webster Manager, Security Consulting Marketing Presentation_ID.scr 17

18 Please Complete Your Evaluation Form Session Presentation_ID.scr 18