1 IT Security: New Trends, Ancient Techniques Alec Muffett Chief Architect, Security Sun Professional Services EMEA
2 Alec Muffett: Work SunPS Europe, Mid-East & Africa Chief Architect for Security, EMEA 18+ years of Network Security 12+ years for Sun Microsystems Specialising in: Network Architecture Network Security Auditing Authentication & Cryptography
3 Alec Muffett: Leisure Open Source Author Crack Password Cracker CrackLib Password Integrity Checker Original USENET Security FAQ Various other security stuff RSA Factorisation BlackNet: 384-bit Secret/PGP key break RSA155: world's first 512bit RSA break
4 Proposition There are many security components available today... Components == Tools, Utilities, Appliances... Available across many platforms... Addressing many specific security risks... Multi-billion dollar industry But...
5 Proposition Many useful security components are available, but... They are easily misassembled, misused or misconfigured They are often better used in combination, rather than individually
6 Further... Regarding components People tend to seek homogeneity, whereas diversity yields greater robustness, at the cost of management complexity Without proper design/architecture, you will be wasting your money It is perfectly possible to spend $1,000,000's and yet have a terribly insecure network... It is further possible to spend almost nothing, and yet improve your security enormously.
7 Therefore, today... We shall: review what may go wrong. review how it can go wrong. suggest a strategy, even a design philosophy which helps to address it.
8 As a first illustration... Consider this problem: The misassembly of security components Viz: Right Components, Put Together Wrong Example: TopBox Breaking Video (2m 50s)
10 So Let's... Recap some history of IT Security Compare it to the State of the Art Review individual security tools, and the issues they sought to address Determine whether we are still defending against the older security issues
11 IT Security A Rough History
12 IT Security Eras Computers too complex for ordinary people yielding security through obscurity
13 IT Security Eras Advisory separation of different users within a computer Technology (mostly) not advanced enough to support mandatory separation. Lack of VM, etc
14 IT Security Eras Partitioning of file access via robust file permissions Strong virtual memory to enforce mandatory user/program separation......but not in all platforms (eg: Personal Computers)
15 IT Security Eras Password security extended to basic network services Networking too complex for ordinary people yielding security through obscurity again...yet early buffer-overflow exploits occur Personal Computers virus-ridden from lack of technology to implement integrity Compartmented/Certified Systems considered exotic ; Military & Banking only?
16 IT Security Eras now Partitioning of service access via firewalls Firewalling used as panacea Impact upon network architecture and throughput Personal Computers begin to employ strong permissions, VM (etc) to ensure integrity......boosting subsequent growth in macroviruses and active-content exploits in popular applications, to fill the gap.
17 IT Security Future? What is the next big, open resource that is fit to protect with mandatory controls? Encapsulated Data Security / Per-Object Crypto? Proximity wireless / Bluetooth? SMS-Firewalling & Antivirus? Your guess is as good as mine...
18 Implementation Cycles Generalising: New resource/tool becomes available Identity, Filestore, Network, ... Resource/tool grows in popularity Access restriction to/by the resource is layered-on afterwards Passwords, Permissions, Firewalls, Virus scanner...
19 Security Deployment Problem: Access controls which are designed after the fact are often sub-optimal Eg: Password protection on plaintext HTTP Eg: Session-State Cookies in HTTP Eg: 40-bit WEP in b Arguably all of the above could have been forseen and implemented properly
20 Security Deployment In security, often only the latest trendy issues are managed......to the detriment of others. Weak file permissions on a big server Ignored because: The firewall does all our security!!! How many people here have hardened every server they own?
21 So Why Do Security? What are we protecting? Data has value to us, and to others. Data is valuable but intrinsically defenceless. Data exists in more places for shorter or longer periods of time caches, routers; how many of these places do you actually own? How shall we protect it? So what we actually do to protect that which we value?
22 Issues of Implementation We actually protect the containers where data exists! But: data exists in many places! Hence the need to defend: Multiple data containers In multiple places At the same time. This explains why security is complicated
23 Same Problems, Repeating Rough Categories of Challenge: Over-reliance on one security technology Blithe trust in what you are told Reusable weak authentication The right tools, put together wrongly
24 Same Problems, Repeating Overreliance upon single technologies Obscurity Permissions Passwords Firewalls IDS For instance: Potato famine Antibiotic Resistance
25 Same Problems, Repeating Blithe trust in what you are told Unauthenticated identity Buffer overflows (sometimes) WWW Cookies For instance: Forged passports / identity papers Social engineering
26 Same Problems, Repeating Reusable weak authentication Plaintext passwords Unencrypted Communications Compare: Story of Ali-Baba and the 40 Thieves Reusable Password: Open Sesame Published circa 950AD A 1000-year-old IT security issue!
27 Same Problems, Repeating Right Tools, Assembled Wrongly Firewalls with far too many holes Firewalls with too much complexity Same firewall technology everywhere Poor Network Design Example: Simple SSL Accelerator (later...)
28 Attempts to Address Security: End To End Security
29 End-to-End: Communication Client (eg: browser) Server (eg: bank) Secure & Authenticated Communication
32 End-to-End: Quality Quality of Implementation in all things, at all levels Quality of Components
33 End-to-End: 4-D Security Quality of Implementation in all things, at all levels Application Application Integration Remote Access Authentication Client Antivirus Server Firewall Software Platform & OE Intrusion Detection Storage & Network, Other HW Physically Secure Apparently Confusing, but...
34 End-to-End: Simple 4-D Security Quality Integration Function Source Destination Function Foundation...actually rather simple.
35 When 2-D Drawings Fail... There is even a fifth, Human dimension to security, that which pertains to having correct People, Policy and Procedure - there are probably more.
36 Now consider: Does your security solution address all of these dimensions?
37 Better Security Through Better Design
38 Design Example: SSL
39 Design Example: Theory
40 Design Example: Oops!
41 Better Design
42 Solution? How do we address these challenges? Clever Network Design Bear risks in mind when laying-out architecture Build so that (some) problems never arise Clever Host Design Build computers so they are less-subject to attack Build computers for extra robustness Overall: apply Defence In Depth philosophy So, what is Defence in Depth?
43 The Philosophy of Defence In Depth
44 Defence in Depth Motto #1 Use multiple, independent, different, mutually-reinforcing security technologies Motto #2 Use whatever works, is manageable and available, and configure them sensibly and as simply as possible Motto #3 Employ a default-deny approach I.e., you can only access that which we publish
45 Defence in Depth Use of: Multiple Independent Different Mutually-Reinforcing...Security Technologies Not a 100% solution......but nothing is!
46 Defence in Depth Compare: Castle Defences Castle Video (6m33s)
48 Key Points Defence in Depth Use of different technologies with different failure modes Layers of security work to reduce profile available for attack You only see 10% of 10% of 10% of attacks... There may be loss of some auditing information between layers, but... Are you doing security research, or are you trying to defend yourself?
49 How Much Depth? When do I stop adding layers? Good question! Depends upon what you are trying to protect. Judgement call Personally, I reckon when all major risks have been mitigated twice, in different, independent ways, that's the minimum.
50 How robust is it? A very good approach to security......although it is not a 100% solution...its ablative shield approach yields better security than other monolithic solutions. You will never get 100% security, anyway. But things can still go wrong... For illustration...
51 If Implemented Well...
52 If Implemented Badly...
53 Extremes of Available Choice
54 Summary Defence in Depth Is a 7000-year-old approach to security that works really well Avoids monolithic security issues and monoculture syndrome Easy / inexpensive to build, but requires conscientious management and some forethought. Investment in this methodology will last for a long time
55 Summary Security requires continual investment Why audit, if you never read the logs? Why have intrusion detection, if you don't want to wake up at 0300h? Together, these yield budget justification! Why implement security, and yet fail to check its continued effectiveness over time? Healthchecks will yield ROI figures! Why protect, if you do not value?
56 Truisms Security is not a product......it is a process!...or, personally speaking: Security is not a process......it is a lifestyle!
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) email@example.com Open Web Application Security Project http://www.owasp.org
Web Application Firewalls: When Are They Useful? OWASP AppSec Europe May 2006 Ivan Ristic Thinking Stone firstname.lastname@example.org +44 7766 508 210 Copyright 2006 - The OWASP Foundation Permission is granted
Complying with PCI Data Security Solution BRIEF Retailers, financial institutions, data processors, and any other vendors that manage credit card holder data today must adhere to strict policies for ensuring
Building A Secure Microsoft Exchange Continuity Appliance Teneros, Inc. 215 Castro Street, 3rd Floor Mountain View, California 94041-1203 USA p 650.641.7400 f 650.641.7401 ON AVAILABLE ACCESSIBLE Building
RSA Authentication Agents Security Best Practices Guide Version 3 Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks RSA,
Introduction to Cyber Security / Information Security Syllabus for Introduction to Cyber Security / Information Security program * for students of University of Pune is given below. The program will be
Securing Internet Facing Applications Ten years ago protecting the corporate network meant deploying traditional firewalls and intrusion detection solutions at the perimeter of the trusted network in order
CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access
Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous
A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose
Society for Information Management The Projected Top 5 Security Issues of 2010 Steve Erdman CSO and Staff Security Consultant of SecureState Network +, MCP Precursor 2009 has been a difficult year in Information
Designing and Coding Secure Systems Kenneth Ingham and Anil Somayaji September 29, 2009 1 Course overview This class covers secure coding and some design issues from a language neutral approach you can
Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall
Protect - Detect - Respond A Security-First Strategy HCCA Compliance Institute April 27, 2009 1 Today s Topics Concepts Case Study Sound Security Strategy 2 1 Security = Culture!! Security is a BUSINESS
Network Security: 30 Questions Every Manager Should Ask Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager/Executive Must Answer in Order
What is VNC VNC Solutions and Related Security Concerns VNC is basically a remote desktop protocol. VNC stands for Virtual Network Computing. VNC is cross platform making it an ideal solution for IT environments
CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS MARCH 2011 Acknowledgements This Viewpoint is based upon the Recommended Practice: Configuring and Managing Remote Access
Permeo Technologies WHITE PAPER HIPAA Compliancy and Secure Remote Access: Challenges and Solutions 1 Introduction The Healthcare Insurance Portability and Accountability Act (HIPAA) of 1996 has had an
Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches
is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file
OWASP Top 10 for IoT - Explained Table of Contents Introduction... 1 Insecure Web Interface... 2 Insufficient Authentication/Authorization... 3 Insecure Network Services... 3 Lack of Transport Encryption...
An X-Force White Paper Lotus Domino Security December 2002 6303 Barfield Road Atlanta, GA 30328 Tel: 404.236.2600 Fax: 404.236.2626 Introduction Lotus Domino is an Application server that provides groupware
Network and Host-based Vulnerability Assessment A guide for information systems and network security professionals 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free:
Secure Software Programming and Vulnerability Analysis Christopher Kruegel email@example.com http://www.auto.tuwien.ac.at/~chris Operations and Denial of Service Secure Software Programming 2 Overview
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
Trend Micro, Incorporated A brief guide to adding encryption as an extra layer of security to protect your company in today s high risk email environment. A Trend Micro White Paper I February 2009 A brief
Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity
NETASQ & PCI DSS Is NETASQ compatible with PCI DSS? We have often been asked this question. Unfortunately, even the best firewall is but an element in the process of PCI DSS certification. This document
The Risks that Pen Tests don t Find 13 April 2012 Gary Gaskell Infosec Services firstname.lastname@example.org 0438 603 307 Copyright The Foundation Permission is granted to copy, distribute and/or modify
HughesNet Broadband VPN End-to-End Security Using the Cisco 87x HughesNet Managed Broadband Services includes a high level of end-to-end security features based on a robust architecture designed to meet
IT 4823 Information Security Administration Securing Operating Systems June 18 Security Maintenance Practices Basic proactive security can prevent many problems Maintenance involves creating a strategy
CRYPTZONE WHITE PAPER Does your Citrix or Terminal Server environment have an Achilles heel? Moving away from IP-centric to role-based access controls to secure Citrix and Terminal Server user access cryptzone.com
SSL BEST PRACTICES OVERVIEW THESE PROBLEMS ARE PERVASIVE 77.9% 5.2% 19.2% 42.3% 77.9% of sites are HTTP 5.2% have an incomplete chain 19.2% support weak/insecure cipher suites 42.3% support SSL 3.0 83.1%
INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph 0925910 I MCA OVERVIEW Introduction Overview The IDS Puzzle Current State of IDS Threats I have a good firewall, why do I need an IDS? Expectations
Firewalls and Network Defence Harjinder Singh Lallie (September 12) 1 Lecture Goals Learn about traditional perimeter protection Understand the way in which firewalls are used to protect networks Understand
Security and Vulnerability Testing How critical it is? It begins and ends with your willingness and drive to change the way you perform testing today Security and Vulnerability Testing - Challenges and
SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014 Table of Contents Introduction AMI Communication Architecture Security Threats Security
INTRODUCING ON DEMAND FILE SERVER FROM BT WHOLESALE APPLICATION STORE WHAT IS ON DEMAND FILE SERVER? The three most common technology challenges facing every small business are data storage, information
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
JK0 015 CompTIA E2C Security+ (2008 Edition) Exam Version 4.1 QUESTION NO: 1 Which of the following devices would be used to gain access to a secure network without affecting network connectivity? A. Router
Secret Server Qualys Integration Guide Table of Contents Secret Server and Qualys Cloud Platform... 2 Authenticated vs. Unauthenticated Scanning... 2 What are the Advantages?... 2 Integrating Secret Server
CMSC 421, Operating Systems. Fall 2008 Security Dr. Kalpakis URL: http://www.csee.umbc.edu/~kalpakis/courses/421 Outline The Security Problem Authentication Program Threats System Threats Securing Systems
User Security Education and System Hardening Topic 1: User Security Education You have probably received some form of information security education, either in your workplace, school, or other settings.
Notes on Domino Black Hat Las Vegas 2003 Aldora Louw PricewaterhouseCoopers Lotus Domino is inherently secure...a Misconception!!! Security is Not Automatic!!!! Slide #2 Security Requires Planning Design
SCADA SYSTEMS AND SECURITY WHITEPAPER Abstract: This paper discusses some of the options available to companies concerned with the threat of cyber attack on their critical infrastructure, who as part of
TESTING & INTEGRATION GROUP SOLUTION GUIDE AppDirector Load balancing IBM Websphere and AppXcel INTRODUCTION...2 RADWARE APPDIRECTOR...3 RADWARE APPXCEL...3 IBM WEBSPHERE...4 SOLUTION DETAILS...4 HOW IT
Network Segmentation in Virtualized Environments B E S T P R A C T I C E S ware BEST PRAC TICES Table of Contents Introduction... 3 Three Typical Virtualized Trust Zone Configurations... 4 Partially Collapsed
Rui Pereira,B.Sc.(Hons),CIPS ISP/ITCP,CISSP,CISA,CWNA/CWSP,CPTE/CPTC Principal Consultant, WaveFront Consulting Group email@example.com 1 (604) 961-0701 If you know the enemy and know yourself, you
Mandatory Knowledge Units 1.0 Core2Y 1.1 Basic Data Analysis The intent of this Knowledge Unit is to provide students with basic abilities to manipulate data into meaningful information. 1.1.1 Topics Summary
CONTENTS 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4. Conclusion 1. EXECUTIVE SUMMARY The advantages of networked data storage technologies such
Understanding and evaluating risk to information assets in your software projects ugh.. what a mouthful Dana Epp Windows Security MVP Who am I? Microsoft Windows Security MVP Information Security Professional
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
Eleventh Hour Security+ Exam SYO-201 Study Guide I do Dubrawsky Technical Editor Michael Cross AMSTERDAM BOSTON HEIDELBERG LONDON NEWYORK OXFORD PARIS SAN DIEGO SAN FRANCISCO SINGAPORE SYDNEY TOKYO SYNGRESS.
APPLICATION NOTE COORDINATED THREAT CONTROL Interoperability of Juniper Networks IDP Series Intrusion Detection and Prevention Appliances and SA Series SSL VPN Appliances Copyright 2010, Juniper Networks,
CSE331: Introduction to Networks and Security Lecture 1 Fall 2006 Basic Course Information Steve Zdancewic lecturer Web: http://www.cis.upenn.edu/~stevez E-mail: firstname.lastname@example.org Office hours: Tues.
PSN compliant remote access Whitepaper March 2015 www.celestix.com/directaccess DirectAccess and IPsec connectivity in the public sector Mobile working in the public sector is nothing new but in recent
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
Data Breaches and Web Servers: The Giant Sucking Sound Guy Helmer CTO, Palisade Systems, Inc. Lecturer, Iowa State University @ghelmer Session ID: DAS-204 Session Classification: Intermediate The Giant
Windows Remote Access A newsletter for IT Professionals Education Sector Updates Issue 1 I. Background of Remote Desktop for Windows Remote Desktop Protocol (RDP) is a proprietary protocol developed by
CONTENTS 1.0 Introduction 2.0 Why we are different? 2.1 What can a Firewall do? 2.2 What can an Intrusion Detection System do? 2.3 What can a Mail Security System do? 2.4 What can Defencity NetSecure do?
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
THE IMPORTANCE OF CODE SIGNING TECHNICAL NOTE 02/2005 13 DECEMBER 2005 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation
KERIO TECHNOLOGIES, INC. KERIO WINROUTE FIREWALL 6.1 REVIEWER S GUIDE JUNE 2005 WHAT IS KERIO? Kerio Technologies, Inc. provides Internet messaging and firewall software solutions for small to medium sized
COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM Course Description This is the Information Security Training program. The Training provides you Penetration Testing in the various field of cyber world.
BAE Systems PCI Essentail PCI Requirements Coverage Summary Table Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance
Table of Contents 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2 2 Features and Benefits 2-1 Key Features 2-1 Support for the Browser/Server Resource Access Model 2-1 Support for Client/Server
Operating System Security Klaus Schütz Windows OS Security Microsoft Redmond Before I start My VP love(d) me A frustrated friend 1 Agenda Evolution of Threats Client vs. Server Security Operating System
Network Security by David G. Messerschmitt Supplementary section for Understanding Networked Applications: A First Course, Morgan Kaufmann, 1999. Copyright notice: Permission is granted to copy and distribute
Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current
white paper Unisys Internet Remote Support Systems & Technology, CMP-based Servers Introduction Remote Support is a method of connecting to remotely located systems for remote administration, real-time
PRIVACY, SECURITY AND THE VOLLY SERVICE Delight Delivered by EXECUTIVE SUMMARY The Volly secure digital delivery service from Pitney Bowes is a closed, secure, end-to-end system that consolidates and delivers