1 IT Security: New Trends, Ancient Techniques Alec Muffett Chief Architect, Security Sun Professional Services EMEA
2 Alec Muffett: Work SunPS Europe, Mid-East & Africa Chief Architect for Security, EMEA 18+ years of Network Security 12+ years for Sun Microsystems Specialising in: Network Architecture Network Security Auditing Authentication & Cryptography
3 Alec Muffett: Leisure Open Source Author Crack Password Cracker CrackLib Password Integrity Checker Original USENET Security FAQ Various other security stuff RSA Factorisation BlackNet: 384-bit Secret/PGP key break RSA155: world's first 512bit RSA break
4 Proposition There are many security components available today... Components == Tools, Utilities, Appliances... Available across many platforms... Addressing many specific security risks... Multi-billion dollar industry But...
5 Proposition Many useful security components are available, but... They are easily misassembled, misused or misconfigured They are often better used in combination, rather than individually
6 Further... Regarding components People tend to seek homogeneity, whereas diversity yields greater robustness, at the cost of management complexity Without proper design/architecture, you will be wasting your money It is perfectly possible to spend $1,000,000's and yet have a terribly insecure network... It is further possible to spend almost nothing, and yet improve your security enormously.
7 Therefore, today... We shall: review what may go wrong. review how it can go wrong. suggest a strategy, even a design philosophy which helps to address it.
8 As a first illustration... Consider this problem: The misassembly of security components Viz: Right Components, Put Together Wrong Example: TopBox Breaking Video (2m 50s)
10 So Let's... Recap some history of IT Security Compare it to the State of the Art Review individual security tools, and the issues they sought to address Determine whether we are still defending against the older security issues
11 IT Security A Rough History
12 IT Security Eras Computers too complex for ordinary people yielding security through obscurity
13 IT Security Eras Advisory separation of different users within a computer Technology (mostly) not advanced enough to support mandatory separation. Lack of VM, etc
14 IT Security Eras Partitioning of file access via robust file permissions Strong virtual memory to enforce mandatory user/program separation......but not in all platforms (eg: Personal Computers)
15 IT Security Eras Password security extended to basic network services Networking too complex for ordinary people yielding security through obscurity again...yet early buffer-overflow exploits occur Personal Computers virus-ridden from lack of technology to implement integrity Compartmented/Certified Systems considered exotic ; Military & Banking only?
16 IT Security Eras now Partitioning of service access via firewalls Firewalling used as panacea Impact upon network architecture and throughput Personal Computers begin to employ strong permissions, VM (etc) to ensure integrity......boosting subsequent growth in macroviruses and active-content exploits in popular applications, to fill the gap.
17 IT Security Future? What is the next big, open resource that is fit to protect with mandatory controls? Encapsulated Data Security / Per-Object Crypto? Proximity wireless / Bluetooth? SMS-Firewalling & Antivirus? Your guess is as good as mine...
18 Implementation Cycles Generalising: New resource/tool becomes available Identity, Filestore, Network, ... Resource/tool grows in popularity Access restriction to/by the resource is layered-on afterwards Passwords, Permissions, Firewalls, Virus scanner...
19 Security Deployment Problem: Access controls which are designed after the fact are often sub-optimal Eg: Password protection on plaintext HTTP Eg: Session-State Cookies in HTTP Eg: 40-bit WEP in b Arguably all of the above could have been forseen and implemented properly
20 Security Deployment In security, often only the latest trendy issues are managed......to the detriment of others. Weak file permissions on a big server Ignored because: The firewall does all our security!!! How many people here have hardened every server they own?
21 So Why Do Security? What are we protecting? Data has value to us, and to others. Data is valuable but intrinsically defenceless. Data exists in more places for shorter or longer periods of time caches, routers; how many of these places do you actually own? How shall we protect it? So what we actually do to protect that which we value?
22 Issues of Implementation We actually protect the containers where data exists! But: data exists in many places! Hence the need to defend: Multiple data containers In multiple places At the same time. This explains why security is complicated
23 Same Problems, Repeating Rough Categories of Challenge: Over-reliance on one security technology Blithe trust in what you are told Reusable weak authentication The right tools, put together wrongly
24 Same Problems, Repeating Overreliance upon single technologies Obscurity Permissions Passwords Firewalls IDS For instance: Potato famine Antibiotic Resistance
25 Same Problems, Repeating Blithe trust in what you are told Unauthenticated identity Buffer overflows (sometimes) WWW Cookies For instance: Forged passports / identity papers Social engineering
26 Same Problems, Repeating Reusable weak authentication Plaintext passwords Unencrypted Communications Compare: Story of Ali-Baba and the 40 Thieves Reusable Password: Open Sesame Published circa 950AD A 1000-year-old IT security issue!
27 Same Problems, Repeating Right Tools, Assembled Wrongly Firewalls with far too many holes Firewalls with too much complexity Same firewall technology everywhere Poor Network Design Example: Simple SSL Accelerator (later...)
28 Attempts to Address Security: End To End Security
29 End-to-End: Communication Client (eg: browser) Server (eg: bank) Secure & Authenticated Communication
32 End-to-End: Quality Quality of Implementation in all things, at all levels Quality of Components
33 End-to-End: 4-D Security Quality of Implementation in all things, at all levels Application Application Integration Remote Access Authentication Client Antivirus Server Firewall Software Platform & OE Intrusion Detection Storage & Network, Other HW Physically Secure Apparently Confusing, but...
34 End-to-End: Simple 4-D Security Quality Integration Function Source Destination Function Foundation...actually rather simple.
35 When 2-D Drawings Fail... There is even a fifth, Human dimension to security, that which pertains to having correct People, Policy and Procedure - there are probably more.
36 Now consider: Does your security solution address all of these dimensions?
37 Better Security Through Better Design
38 Design Example: SSL
39 Design Example: Theory
40 Design Example: Oops!
41 Better Design
42 Solution? How do we address these challenges? Clever Network Design Bear risks in mind when laying-out architecture Build so that (some) problems never arise Clever Host Design Build computers so they are less-subject to attack Build computers for extra robustness Overall: apply Defence In Depth philosophy So, what is Defence in Depth?
43 The Philosophy of Defence In Depth
44 Defence in Depth Motto #1 Use multiple, independent, different, mutually-reinforcing security technologies Motto #2 Use whatever works, is manageable and available, and configure them sensibly and as simply as possible Motto #3 Employ a default-deny approach I.e., you can only access that which we publish
45 Defence in Depth Use of: Multiple Independent Different Mutually-Reinforcing...Security Technologies Not a 100% solution......but nothing is!
46 Defence in Depth Compare: Castle Defences Castle Video (6m33s)
48 Key Points Defence in Depth Use of different technologies with different failure modes Layers of security work to reduce profile available for attack You only see 10% of 10% of 10% of attacks... There may be loss of some auditing information between layers, but... Are you doing security research, or are you trying to defend yourself?
49 How Much Depth? When do I stop adding layers? Good question! Depends upon what you are trying to protect. Judgement call Personally, I reckon when all major risks have been mitigated twice, in different, independent ways, that's the minimum.
50 How robust is it? A very good approach to security......although it is not a 100% solution...its ablative shield approach yields better security than other monolithic solutions. You will never get 100% security, anyway. But things can still go wrong... For illustration...
51 If Implemented Well...
52 If Implemented Badly...
53 Extremes of Available Choice
54 Summary Defence in Depth Is a 7000-year-old approach to security that works really well Avoids monolithic security issues and monoculture syndrome Easy / inexpensive to build, but requires conscientious management and some forethought. Investment in this methodology will last for a long time
55 Summary Security requires continual investment Why audit, if you never read the logs? Why have intrusion detection, if you don't want to wake up at 0300h? Together, these yield budget justification! Why implement security, and yet fail to check its continued effectiveness over time? Healthchecks will yield ROI figures! Why protect, if you do not value?
56 Truisms Security is not a product......it is a process!...or, personally speaking: Security is not a process......it is a lifestyle!
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) firstname.lastname@example.org Open Web Application Security Project http://www.owasp.org
Complying with PCI Data Security Solution BRIEF Retailers, financial institutions, data processors, and any other vendors that manage credit card holder data today must adhere to strict policies for ensuring
Web Application Firewalls: When Are They Useful? OWASP AppSec Europe May 2006 Ivan Ristic Thinking Stone email@example.com +44 7766 508 210 Copyright 2006 - The OWASP Foundation Permission is granted
Introduction to Cyber Security / Information Security Syllabus for Introduction to Cyber Security / Information Security program * for students of University of Pune is given below. The program will be
Securing Internet Facing Applications Ten years ago protecting the corporate network meant deploying traditional firewalls and intrusion detection solutions at the perimeter of the trusted network in order
Permeo Technologies WHITE PAPER HIPAA Compliancy and Secure Remote Access: Challenges and Solutions 1 Introduction The Healthcare Insurance Portability and Accountability Act (HIPAA) of 1996 has had an
CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access
What is VNC VNC Solutions and Related Security Concerns VNC is basically a remote desktop protocol. VNC stands for Virtual Network Computing. VNC is cross platform making it an ideal solution for IT environments
Security and Vulnerability Testing How critical it is? It begins and ends with your willingness and drive to change the way you perform testing today Security and Vulnerability Testing - Challenges and
Protect - Detect - Respond A Security-First Strategy HCCA Compliance Institute April 27, 2009 1 Today s Topics Concepts Case Study Sound Security Strategy 2 1 Security = Culture!! Security is a BUSINESS
Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous
Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches
Building A Secure Microsoft Exchange Continuity Appliance Teneros, Inc. 215 Castro Street, 3rd Floor Mountain View, California 94041-1203 USA p 650.641.7400 f 650.641.7401 ON AVAILABLE ACCESSIBLE Building
A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose
Designing and Coding Secure Systems Kenneth Ingham and Anil Somayaji September 29, 2009 1 Course overview This class covers secure coding and some design issues from a language neutral approach you can
CRYPTZONE WHITE PAPER Does your Citrix or Terminal Server environment have an Achilles heel? Moving away from IP-centric to role-based access controls to secure Citrix and Terminal Server user access cryptzone.com
Secret Server Qualys Integration Guide Table of Contents Secret Server and Qualys Cloud Platform... 2 Authenticated vs. Unauthenticated Scanning... 2 What are the Advantages?... 2 Integrating Secret Server
Operating System Security Klaus Schütz Windows OS Security Microsoft Redmond Before I start My VP love(d) me A frustrated friend 1 Agenda Evolution of Threats Client vs. Server Security Operating System
RSA Authentication Agents Security Best Practices Guide Version 3 Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks RSA,
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS MARCH 2011 Acknowledgements This Viewpoint is based upon the Recommended Practice: Configuring and Managing Remote Access
Society for Information Management The Projected Top 5 Security Issues of 2010 Steve Erdman CSO and Staff Security Consultant of SecureState Network +, MCP Precursor 2009 has been a difficult year in Information
NETASQ & PCI DSS Is NETASQ compatible with PCI DSS? We have often been asked this question. Unfortunately, even the best firewall is but an element in the process of PCI DSS certification. This document
Trend Micro, Incorporated A brief guide to adding encryption as an extra layer of security to protect your company in today s high risk email environment. A Trend Micro White Paper I February 2009 A brief
is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file
An X-Force White Paper Lotus Domino Security December 2002 6303 Barfield Road Atlanta, GA 30328 Tel: 404.236.2600 Fax: 404.236.2626 Introduction Lotus Domino is an Application server that provides groupware
SCADA SYSTEMS AND SECURITY WHITEPAPER Abstract: This paper discusses some of the options available to companies concerned with the threat of cyber attack on their critical infrastructure, who as part of
The Risks that Pen Tests don t Find 13 April 2012 Gary Gaskell Infosec Services firstname.lastname@example.org 0438 603 307 Copyright The Foundation Permission is granted to copy, distribute and/or modify
TESTING & INTEGRATION GROUP SOLUTION GUIDE AppDirector Load balancing IBM Websphere and AppXcel INTRODUCTION...2 RADWARE APPDIRECTOR...3 RADWARE APPXCEL...3 IBM WEBSPHERE...4 SOLUTION DETAILS...4 HOW IT
HughesNet Broadband VPN End-to-End Security Using the Cisco 87x HughesNet Managed Broadband Services includes a high level of end-to-end security features based on a robust architecture designed to meet
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall
Secure Software Programming and Vulnerability Analysis Christopher Kruegel email@example.com http://www.auto.tuwien.ac.at/~chris Operations and Denial of Service Secure Software Programming 2 Overview
Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs
Eleventh Hour Security+ Exam SYO-201 Study Guide I do Dubrawsky Technical Editor Michael Cross AMSTERDAM BOSTON HEIDELBERG LONDON NEWYORK OXFORD PARIS SAN DIEGO SAN FRANCISCO SINGAPORE SYDNEY TOKYO SYNGRESS.
Protecting Web Application Delivery with Citrix Application Firewall Johnson Mok Systems Engineer Citrix Systems, Inc. Six Keys to Successful App Delivery Optimizing Web Application Delivery Citrix NetScaler
COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM Course Description This is the Information Security Training program. The Training provides you Penetration Testing in the various field of cyber world.
Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity
Network Security: 30 Questions Every Manager Should Ask Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager/Executive Must Answer in Order
PSN compliant remote access Whitepaper March 2015 www.celestix.com/directaccess DirectAccess and IPsec connectivity in the public sector Mobile working in the public sector is nothing new but in recent
SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014 Table of Contents Introduction AMI Communication Architecture Security Threats Security
THE IMPORTANCE OF CODE SIGNING TECHNICAL NOTE 02/2005 13 DECEMBER 2005 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
Windows Remote Access A newsletter for IT Professionals Education Sector Updates Issue 1 I. Background of Remote Desktop for Windows Remote Desktop Protocol (RDP) is a proprietary protocol developed by
Risks with web programming technologies Steve Branigan Lucent Technologies Risks with web programming technologies Abstract Java applets and their kind are bringing new life to the World Wide Web. Through
white paper Unisys Internet Remote Support Systems & Technology, CMP-based Servers Introduction Remote Support is a method of connecting to remotely located systems for remote administration, real-time
Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current
PRIVACY, SECURITY AND THE VOLLY SERVICE Delight Delivered by EXECUTIVE SUMMARY The Volly secure digital delivery service from Pitney Bowes is a closed, secure, end-to-end system that consolidates and delivers
OWASP Top 10 for IoT - Explained Table of Contents Introduction... 1 Insecure Web Interface... 2 Insufficient Authentication/Authorization... 3 Insecure Network Services... 3 Lack of Transport Encryption...
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to
SSL VPN Technology White Paper Keywords: SSL VPN, HTTPS, Web access, TCP access, IP access Abstract: SSL VPN is an emerging VPN technology based on HTTPS. This document describes its implementation and
Network Segmentation in Virtualized Environments B E S T P R A C T I C E S ware BEST PRAC TICES Table of Contents Introduction... 3 Three Typical Virtualized Trust Zone Configurations... 4 Partially Collapsed
CONTENTS 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4. Conclusion 1. EXECUTIVE SUMMARY The advantages of networked data storage technologies such
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
Network and Host-based Vulnerability Assessment A guide for information systems and network security professionals 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free:
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
Threat Intelligence Pty Ltd firstname.lastname@example.org 1300 809 437 Specialist Security Training Catalogue Did you know that the faster you detect a security breach, the lesser the impact to the organisation?
Rui Pereira,B.Sc.(Hons),CIPS ISP/ITCP,CISSP,CISA,CWNA/CWSP,CPTE/CPTC Principal Consultant, WaveFront Consulting Group email@example.com 1 (604) 961-0701 If you know the enemy and know yourself, you
Mandatory Knowledge Units 1.0 Core2Y 1.1 Basic Data Analysis The intent of this Knowledge Unit is to provide students with basic abilities to manipulate data into meaningful information. 1.1.1 Topics Summary
Firewalls and Network Defence Harjinder Singh Lallie (September 12) 1 Lecture Goals Learn about traditional perimeter protection Understand the way in which firewalls are used to protect networks Understand
SSL BEST PRACTICES OVERVIEW THESE PROBLEMS ARE PERVASIVE 77.9% 5.2% 19.2% 42.3% 77.9% of sites are HTTP 5.2% have an incomplete chain 19.2% support weak/insecure cipher suites 42.3% support SSL 3.0 83.1%
INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph 0925910 I MCA OVERVIEW Introduction Overview The IDS Puzzle Current State of IDS Threats I have a good firewall, why do I need an IDS? Expectations
CRYPTUS DIPLOMA IN IT SECURITY 6 MONTHS OF TRAINING ON ETHICAL HACKING & INFORMATION SECURITY COURSE NAME: CRYPTUS 6 MONTHS DIPLOMA IN IT SECURITY Course Description This is the Ethical hacking & Information
Lincoln Land Community College Capital City Training Center 130 West Mason Springfield, IL 62702 217-782-7436 www.llcc.edu/cctc Windows 7, Enterprise Desktop Support Technician Course 50331: 5 days; Instructor-led
IT 4823 Information Security Administration Securing Operating Systems June 18 Security Maintenance Practices Basic proactive security can prevent many problems Maintenance involves creating a strategy
Summary This document is aimed at professional network administrators. The information in this document is of a rather technical nature and very detailed. Based on this information, IT professionals can
solution brief Trend Micro Cloud and Data Center Security Secure virtual, cloud, physical, and hybrid environments easily and effectively introduction As you take advantage of the operational and economic
Transition Networks White Paper Why Authentication Matters YOUR NETWORK. OUR CONNECTION. : Why Authentication Matters For most organizations physical security is a given. Whether it is video surveillance,
INTRODUCING ON DEMAND FILE SERVER FROM BT WHOLESALE APPLICATION STORE WHAT IS ON DEMAND FILE SERVER? The three most common technology challenges facing every small business are data storage, information
Security Frameworks An Enterprise Approach to Security Robert Belka Frazier, CISSP firstname.lastname@example.org Security Security is recognized as essential to protect vital processes and the systems that provide those
BAE Systems PCI Essentail PCI Requirements Coverage Summary Table Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance
Network Security by David G. Messerschmitt Supplementary section for Understanding Networked Applications: A First Course, Morgan Kaufmann, 1999. Copyright notice: Permission is granted to copy and distribute
KERIO TECHNOLOGIES, INC. KERIO WINROUTE FIREWALL 6.1 REVIEWER S GUIDE JUNE 2005 WHAT IS KERIO? Kerio Technologies, Inc. provides Internet messaging and firewall software solutions for small to medium sized
Getting The Most Value From Your Next Network Penetration Test Jerald Dawkins, Ph.D. True Digital Security p. o. b o x 3 5 6 2 3 t u l s a, O K 7 4 1 5 3 p. 8 6 6. 4 3 0. 2 5 9 5 f. 8 7 7. 7 2 0. 4 0 3
Commercial Banking Customers Securing Your Business s Bank Account Trusteer Rapport Resource Guide For Business Banking January 2014 Table of Contents 1. Introduction 3 Who is Trusteer? 3 2. What is Trusteer