BOOTSTRAPPING YOUR INFORMATION SECURITY PROGRAM. Brian

Transcription

1 BOOTSTRAPPING YOUR INFORMATION SECURITY PROGRAM Brian

2 GOALS OF BOOTSTRAPPING Gain visibility Build capability Form relationships Get quick wins Establish trust

3 Visibility Relationships Data Discovery Intrusion Detection Capability Visibility Capability Visibility Relationships Project Review Incident Response Capability Relationships

4 INTRUSION DETECTION

5 ESTABLISH CONTACT Requirements: Access to DNS records Access to WHOIS records (ARIN) Someone to read those s! Mailbox Area Mandatory Abuse reports Mandatory SMTP issues Optional Networking issues Optional Security issues Optional DNS issues Optional Web issues INTRUSION DETECTION

6 ESTABLISH CONTACT Network Whois record Queried whois.arin.net with "n "... NetRange: CIDR: /16 OriginAS: NetName: NYU-NET NetHandle: NET Parent: NET NetType: Direct Assignment OrgName: New York University OrgId: NYU Address: 726 Broadway, 8th Floor - ITS OrgAbuseHandle: TSSI-ARIN OrgAbuseName: Technology Security Services - ITS OrgAbusePhone: OrgAbuse abuse@nyu.edu OrgAbuseRef: INTRUSION DETECTION

7 Source: INTRUSION DETECTION

8 INTRUSION DETECTION

9 NETWORK MONITORING Requirements: Internet Router Servers Choke point (span, etc.) Server Intermediate sys admin Time to tune Time to process (just kidding!) Sensor Desktops Rule-based IDS Console/SIEM Flow monitor Intelligence Feeds INTRUSION DETECTION

10 NETWORK MONITORING::ALT Requirements: Internet Router Servers Choke point (span, etc.) Server Basic sys admin (less) tuning (less) processing Desktops Bonus: DNS logs! INTRUSION DETECTION

11 Quickly builds: capability and visibility INTRUSION DETECTION

12 INCIDENT RESPONSE

13 TRACKING DOWN HOSTS Greetings, The following host(s) has been identified as being infected with Pushdo/Cutwail. The host(s) might also be sending spam, as well sending traffic to random webservers [1]. description address timestamp in UTC d-prt Pushdo xxx.yyy T19:21:19Z key: s-prt = source port; prtcl = protocol; dest-addr = destination address; d-prt = destination port INCIDENT RESPONSE

14 TRACKING DOWN HOSTS 1) NAT -> internal ip NAT/PAT logs Proxy logs 3) MAC -> Location CAM tables Useful naming scheme Cable tracing?!? 2)Internal ip -> MAC DHCP Server Logs ARP logs Static ip allocation INCIDENT RESPONSE

15 Wireless. Bleh. INCIDENT RESPONSE

16 Log. Everything. INCIDENT RESPONSE

17 STARTING LOGS Requirements: Log server Lots of disk! Basic sys admin Minimally log Central authentication NAT/PAT/Proxy DHCP Consider adding DNS queries Active Directory Webmail SMTP VPN All firewall logs Major systems AV INCIDENT RESPONSE

18 Nuke From Orbit (NFO) It s the only way to be sure. INCIDENT RESPONSE

19 WORKFLOW Every ticketing system sucks. Here at Best Practical, we're really proud of the fact that RT sucks less than everything else out there and helps many thousands of organizations around the world get their work done with less pain and suffering. INCIDENT RESPONSE

20 WORKFLOW Requirements: Server aliases Basic sys admin A little Perl INCIDENT RESPONSE

21 Quickly builds: capability and relationships INTRUSION DETECTION

22 PROJECT REVIEW

23 Security tasked to project Write memos Security meets with project team Secure? No Project Manager Stops project? No Fight! Yes Yes Liar Call it a win PROJECT REVIEW

24 We should not accept risk. INTRUSION DETECTION

25 PROJECT REVIEW

26 SECURITY REVIEW IN 4 HOURS 1. Vendor asserts compliance requirements (5m) 2. Vendor fills out questionnaire (5m) 3. Review questionnaire (1 hours) 4. Research vendor (1 hour) 5. Discuss questionnaire with vendor and project team (1 hour) 6. Summarize findings (1 hour) PROJECT REVIEW

27 SECURITY REVIEW IN 2 HOURS 1. Vendor asserts compliance requirements (5m) 2. Vendor fills out questionnaire (5m) 3. Review questionnaire (2 hours) 4. Research vendor (1 hour) 5. Discuss questionnaire with vendor and project team (1 hour) 6. Summarize findings (1 hour) PROJECT REVIEW

28 Quickly builds: capability, visibility and relationships PROJECT REVIEW

29 DATA DISCOVERY

30 ANSWER ME THESE QUESTIONS THREE 1. What kind of data do you deal with regularly? 2. Where does it live and go? 3. What s your biggest data security concern? PROJECT REVIEW

31 WATCH OUT FOR Authoritative financials Credit Card Numbers Social Security Numbers Patient data Intellectual property Human/civil rights work Interesting to state actors Compliance risk Threat risk PROJECT REVIEW

32 Quickly builds: visibility and relationships DATA DISCOVERY

33 CONCLUSION

34 Visibility Relationships Data Discovery Intrusion Detection Capability Visibility Capability Visibility Relationships Project Review Incident Response Capability Relationships CONCLUSION

35 CODA: PERSUASION AND CHANGE Harnessing the Science of Persuasion 6 Principles of Persuasion 12 Angry Men CONCLUSION

36 OK, NOW WHAT? Security Incident Management Essentials Introduction to Security Onion RTIR Incident Handline Workflow (JANET) NYU Data and Computer Security Policy Educause/I2 Information Security Guide CONCLUSION

37