NETWORK SECURITY. 3 Key Elements

Transcription

1 NETWORK SECURITY 3 Key Elements

2 OVERVIEW Network is fast becoming critical and required infrastructure in organizations or even in our live nowadays. Human networking is important in many aspects especially on knowledge and information sharing, cooperations and yeah also important for your insurance and MLM business as well ;) Also do you notice that almost every important information, documents, data traverse in form of digital pulse from one connected devices to another? Based on this, it is very, very, very important for us to ensure that the confidentiality, integrity and the availability of these information remain intact

3 OVERVIEW In order to achieve these, it is important for any organization to have a good approach on their own network security practice Hence this presentation will touch on the 3 key elements that you need to take into consideration: Process, Technology and People. You will not become an hacker or become Schenier s or Bejtlich type of person once this presentation ends as this presentation is a high level approach and not a technical training as well (you can call me for training afterwards ;) ) Hopefully this presentation will give you an additional knowledge and maybe a new approach for your network security. So let s begin

4 Network Security : 1st Element PROCESS

5 PROCESS Security Definition Why process? Bruce Schneier stated that Security is a process, not a product in Cryptogram Magazine 2000 Dr. Mitch Kabay who is the CTO and Program Director for Master of Science in Information Assurance, Norwich University, Northfield, VT, USA in Risk Digest 1998 stated that Security is a process, not an end state Richard Bejtlich, the Director of Incident Response for General Electric defined security as a process of maintaining an acceptable level of perceived risk in his book titled The Tao of Network Security Monitoring Beyond Intrusion Detection. Hence it is appropriate for me to touch on the importance of process in network security.

6 Process The security process Generally we can safely define that the security process will have assessment, protection, detection and response process. Assessment is the precursor for other processes where we perform evaluation not only in sense of technology that we possessed but also caters other matter as well like budget, policies and plans like BCP or Incident Response Plan. Protection process can be defined as preparation or risk mitigation process based on the result of our assessment. Detection process is meant for detecting any possible intrusion or policy violation Response is a process of remediating any intrusion where the compromised assets functionality will be restored and the attacker will be pursuit legally or the victim decided just to move on.

7 PROCESS

8 PROCESS Assessment Basically assessment process will give you some indicators of your security posture. Ever heard about Security Posture Assessment? There are many types of assessment that can be done and these type of assessments will not cover only on technology aspect but other as well Security Audit, Penetration testing, vulnerability scanning, signal attacks are one of the assessment disciplines that can be done in this process So let us explore a bit on what are the area that usually will be assessed.

9 Process Type of assessment

10 Process Type of assessment Security Audit Evaluation of how closely a policy or procedure matches the specified action. Are Security Policies actually used or adhered to? Are they sufficient? Vulnerability Scanning A process of identifying vulnerable services and applications on the network Tools such as Nessus, nikto, wikto, can be used to automatically scan a single host or more.

11 Process Type of assessment Penetration Testing (Ethical Hacks) Simulates the types of attacks that can be launched across the internet. Will target any available services and applications or the ones reported by the vulnerability scanning. Stolen Equipment Attack Closely related to physical security and communication security. The objective is to see what information is stored on company laptops and other easily accessible systems Encryption is the number one defense for stolen equipment attacks.

12 Process Type of assessment Physical Entry Seek to test the organization s physical controls Systems such as doors, gates, locks, guards, CCTV, and alarm are tested to see whether they can be bypassed Signal Security Attack Tasked with looking for wireless access points and modem. The objective is to see whether these devices are secure or not or sufficient authorization control implemented.

13 Process Type of assessment Social Engineering Attack Target an organization s employees and seeks to manipulate them in order to gain privileged information Proper controls, policies and procedures and users awareness can overcome this type of attack

14 Process Type of assessment It is important for you to determine what kind of assessment required for your organization Also important to have internal and external party to perform this exercise. Internal and External assessment. The time gap between each assessment also important. If the gap is too wide then you may overlooked some of critical issues of your systems and if the gap is too short then it would be impractical (Like your administrator has something else to do ;)

15 Process - Protection Once you obtained the result of the assessment exercise, it is time to perform some preparation or protection activities. If your procedures and policies are inadequate to cover some issue, you need to work on it. If the vulnerabilities discovered can lead the system to be compromised, appropriate patching or work-around are required. Also this is the good time to fine tuning your detection or filtering mechanism. If you do not have resources to perform this, you can call any MSSP or the best thing is call us at SCAN ;) Also make sure that all systems have their own warning banners. This will limit the presumption of privacy of your users. It will save you a lot of trouble when handling insider threat. Trust me..

16 Process - Detection I did mention the needs of having your assessment to be performed within acceptable time gap. So what if an attack on a new vulnerability published in between of our assessment occurs? That is why my friend, detection process is very critical in order to reduce the risk of our network being compromised. Within the detection process, we will have collection, identification, validation and escalation process as well.

17 Process Detection process

18 Process Detection process For collection process, it is important to collect all the necessary information in order to assist analysts performing the identification more effectively Usually the type of data required are statistical data, session data, alerts data and if possible, full content data. Statistical data will provide an overview of the traffics captured like the percentage of protocols used within the captured communication traffics. Session data is about the summary of communication between hosts or devices. This includes source and destination IPs, ports, protocols and amount of data exchanged

19 Process - Detection Alerts data is the ones generated by your beloved IDS or perhaps IPS as well. This data will provide some useful indicators on possible breach (if properly tuned) Full content data will provide information beyond the session or transport layer. Every single bit will be recorded and presented. Resources issue like storage is the main obstacle to have this kind of data collected. With these kind of data made available to the analyst, it will make the identification process whether the traffics should fall into malicious or normal category more effective.

20 Process Detection Validation process involves on categorizing the security incidents that we have detected during the identification process. The severity level of the security incidents will depending on the type category they will be in. However it is important for you to determine the severity level of each category that suits your organization. The severity level will determine the acceptable response time of Incident Handling or Response within SOP for your own internal CSIRT team or within SLA with your MSSP.

21 Process Response This is the most overlooked process (from my experience) We have to remember, a process is something that is continuous and must have no full stop. What will happen IF one of your servers that contains critical information of your organization was compromised or brought down by DoS attack? Do you have the resources to: Perform Incident Handling Perform Incident Response If yes then good for you, if not, then you can start to find one or contact me ;)

22 Process Response First of all, you need to have your own Computer Security Incident Response Team (CSIRT) This team must consists NOT ONLY technical or security guys but must include all parties that expected to be affected if any security incident occurred. Security staff, system and network administrators, Human resource, legal counsel, public relation and do not ever forget to include one representative from executive management as well. You want a guide? Go here :

23 Process Response You have the team now and of cause you need to have Incident Response Plan as well. This will ensure that everything will be conducted in a proper and systematical way. This Incident Response Plan (IRP) is a product of negotiation between each CSIRT team member. Basically it is about each of the team members roles and responsibilities A good sample document on IRP can be found at Or you google it and look for Incident Response Plan. Choose the most suitable plan for your organization. Remember, the IRP that you ll download later just only for guidelines. You must formulate your own IRP suitable to your organization.

24 Process Response It is important for the CSIRT to have full support from the management This will cut (hopefully) the bureaucracy limitations especially on decision making regarding the security incident. Time is crucial when perform incident handling especially during the containment phase. CSIRT also must be able to advise the management whether to pursuit and prosecute or patch and proceed regarding on the incident. An response Noted and necessary actions taken to your MSSP Security Alerts notification is not a good example. Try to perform some drill perhaps once a year just to make sure that everybody involves will now what to do once the actual response required.

25 Network Security : 2nd Element TECHNOLOGY

26 Technology It is important for you to determine or identify what kind of technology required by your organization in order to reduce the risk of being compromised. But you also need to identify whether the current technology that you have can meet the requirement? For a big corporation or organization, purchasing new devices perhaps is not a big issue (maybe) Some organizations perhaps have their own limitation for this purpose. They have to make use whatever that they have. And some organizations simply do not care.

27 Technology Open Source VS Closed Source This is the hotly debated topic not only in digital security world. Some of you might favour the open source applications and some are not. For closed source advocates, they do believe in security by obscurity while open source guys said that they are more secure because the codes can be reviewed and fixed. However I do believe it does not matter whether your are using open source or closed source, as long as you know what you are doing

28 Technology Open Source There is not point if you adapt or implement any tools/equipment or devices without understanding its underlying technology What kind of benefits that you will get from using snort as your IDS when you failed to understand its decision making logic? It is a very grave mistake if you decided to use open source application solely because you do not have to pay a single cent. The beauty of open source application is the ability for you to do customization of that application to suits your need. By the way there is always communities who provide fixes, support or workaround for any flaws of bugs discovered Do you have the resources to maintain these applications?

29 Technology Closed source If you have the financial means then closed source applications are suitable for you. By the way some of these products have the upper hands over their open source counterpart. You do not need to allocate large resources to manage those as bulk of the work will be done by the provider. But the downside is you will depend on how quick the response from the vendor to fix or to produce any flaws that may exist or discovered. Compared to open source, only selected group of people will have access to the codes thus sometimes the patches or fixes will have long period of delay before released.

30 Technology The best way During the assessment phase, identify what kind of technology currently that you have and the one that you need. Identify the resources whether in sense of financial or manpower to acquire that technology. Implement what you need but not what you want. Remember, latest is not always the best. Identify the optimization level of your current technology. You may want the latest firewall but if the features are similar, why you need to get a new one? A blend of open and closed source applications is the best approach (like your pool servers or back up servers)

31 Technology The best way Do you aware that all these security devices are meant to prevent or detect known attacks OR to prevent or detect any repetition of 0 dayz attacks? So the best thing is to forget the VS thing (Linux VS Windows, IDS VS IPS) Our goal is to reduce the risk. It is a good thing to have IDS AND IPS implemented in your network. You may have commercial product as your IPS and open source application like snort as you IDS. Try to make your network watchable, offers minimized services, can be controlled and always kept current Defensible Network

32 Technology Not the only one Bear in mind that technology ONLY to assist human on performing their task more efficient and productive, not the other way around. It doesn t matter how advance your technology is, in my opinion nothing could replace human judgement and intuition. In other words, human intervention is required especially when dealing with your network security posture.

33 Network Security : 3 rd Element HUMAN

34 HUMAN Why? Tools or devices can only function based on the instructions given to them. The output of their functions will provide some information for human to perform their tasks or job. In security perspective, the security devices will produce indicators for any anomaly or sign of intrusions on the network. However these indicators mostly lacking of one thing: context Context is the ability to understand the nature of an event with respect to all other aspects of an organization's environment

35 Human Why? Example : If a server was compromised during a penetration testing exercise, IDS will produce indicators telling that intrusion occurs. Only human can make the call whether the indicators really indicating real intrusion or not. As for the case above, it will not be declared as incident as it was performed by authorized party. Human will scrutinize the indicators and correlate those with other useful information. Once the analysis concluded, then he or she will generate appropriate warning and escalate it to related personnel or decision maker. Those warnings my friends are the security alerts notifications that you received from your MSSP

36 Human Skills and Knowledge It is important for the people who performing their job to have adequate knowledge and skills on what he suppose to do. A network administrator should have knowledge on what he has within his network such as the devices, hosts, segments and in fact he also need to know his normal network behavior. Same thing goes for the system administrators, security personnel or even the IT manager as well. Without skilled personnel managing your network, it will make compromising your network much easier. I am not talking about managing your security yet ;)

37 Human Skills and Knowledge Why would I say that? Just imagine if one of your hosts was compromised and start communicating with the attacker through DNS traffic? IF the administrator did not know his network traffic behavior, I can bet he will dismiss these via DNS backdoor traffic as normal. Same goes to the analyst, if he or she failed to provide appropriate context for the indicators, then the possibility to generate false positive warning is high What scares me more is for false negative attacks.

38 Human User Awareness Some people said, it is useless to educate users as the tendency to forget whatever they have learned is high Other people said, it is really, really, really useless to educate the users I used to agree on this and in fact I did believe that we should educate the management instead the users Why? Because they are the decision and policy maker. The users will have to follow whatever decision or policy decided by the management. I wish

39 Human User Awareness Now I believe users are the ones that need the awareness We can see that the attackers now shifting their targets towards users. The obvious proof on this is the rise of the Botnets. Why you need to crack your head 0wning a server when you can 0wn and control thousands of hosts? More and more advisories on browsers flaws and vulnerability published on the web. Every single day we will receive spam s which can lead to phising sites How many users who just execute the updates attached in the from microsoft?

40 Human User Awareness Thus, it is critical to ensure that the user awareness program will be conducted continuously. Policy, procedures, regulation can only be followed by the users when they understands the impact that they may caused if not followed. (Disciplinary actions will provide immediate result though) Let the users know when and where to report if they can see any indicators of possible breached occurs. Users are the likely source of detecting any skilled attacker. Their reports or complaints on their machines behavior may indicate something illegitimate may occurs.

41 Human Improvement As we know now, security is an ongoing process. We usually ensure that our technology will always be updated to keep with the current trend (or because our competitor is using it ;) ) Of cause we also need competent personnel to managed these new technologies. New technologies comes with new vulnerabilities and attack vectors, meaning we need to upgrade our security team to enable them defending the new technology. These will only be achieved via trainings, seminars and workshops And yes, they need to be assessed and evaluated once they attended any trainings

42 CONCLUSION Security is not defined by any tools, brands, or applications and also security can never guarantee that your network is 100% secure. We have to be prepared as eventually our network WILL BE compromised. Why? Because we have to remember that some of the attackers are smarter than we and some of their methodology or techniques are unpredictable. What we can do is to minimize the risk of being compromised Follow the security process diligently, use appropriate technology and competent people to use it for defending our assets from being compromised from either externally or internally. Manage your security by fact, not by belief.

43 Any Questions?

44 CONTACT

45 THANK YOU