BOOTSTRAPPING YOUR INFORMATION SECURITY PROGRAM
Brian Smith-Sweeney
bsmithsweeney@nyu.edu
@bsmithsweeney

GOALS OF BOOTSTRAPPING
- Gain visibility
- Build capability
- Form relationships
- Get quick wins
- Establish trust

Overview diagram: the four bootstrapping activities and the goals each one builds.
- Data Discovery: visibility, relationships
- Intrusion Detection: capability, visibility
- Project Review: capability, visibility, relationships
- Incident Response: capability, relationships
INTRUSION DETECTION
ESTABLISH CONTACT
Requirements:
- Access to DNS records
- Access to WHOIS records (ARIN)
- Someone to read those emails!

Mailbox                  Area               Required?
abuse@<domain>           Abuse reports      Mandatory
postmaster@<domain>      SMTP issues        Mandatory
noc@<domain>.edu         Networking issues  Optional
security@<domain>.edu    Security issues    Optional
hostmaster@<domain>.edu  DNS issues         Optional
webmaster@<domain>.edu   Web issues         Optional

ESTABLISH CONTACT
Network Whois record. Queried whois.arin.net with "n 128.122.0.0"...

NetRange:       128.122.0.0-128.122.255.255
CIDR:           128.122.0.0/16
OriginAS:
NetName:        NYU-NET
NetHandle:      NET-128-122-0-0-1
Parent:         NET-128-0-0-0-0
NetType:        Direct Assignment
OrgName:        New York University
OrgId:          NYU
Address:        726 Broadway, 8th Floor - ITS
OrgAbuseHandle: TSSI-ARIN
OrgAbuseName:   Technology Security Services - ITS
OrgAbusePhone:  +1-212-998-3333
OrgAbuseEmail:  abuse@nyu.edu
OrgAbuseRef:    http://whois.arin.net/rest/poc/tssi-arin

Source:
- http://security.arizona.edu/report-incident
- http://www.nyu.edu/its/security/contact/
Where to get reports about activity on your network:
- http://www.shadowserver.org/wiki/pmwiki.php/involve/getreportsonyournetwork
- https://postmaster.live.com/snds/
- http://www.team-cymru.org/services/tcconsole/
NETWORK MONITORING
Requirements:
- Choke point (span, etc.)
- Server
- Intermediate sys admin
- Time to tune
- Time to process (just kidding!)

Diagram labels: Internet, Router, Servers, Desktops; Sensor at the choke point, Rule-based IDS, Flow monitor, Console/SIEM, Intelligence Feeds.

NETWORK MONITORING::ALT
Requirements:
- Choke point (span, etc.)
- Server
- Basic sys admin
- (less) tuning
- (less) processing
Bonus: DNS logs!

Diagram labels: Internet, Router, Servers, Desktops.

Quickly builds: capability and visibility
INCIDENT RESPONSE
TRACKING DOWN HOSTS
Sample notification:

Greetings,
The following host(s) has been identified as being infected with Pushdo/Cutwail. The host(s) might also be sending spam, as well as sending traffic to random webservers [1].

description   address          timestamp in UTC       d-prt
+-------------+-----------------+----------------------+-------+
Pushdo        216.165.xxx.yyy  2014-06-02T19:21:19Z   25
+-------------+-----------------+----------------------+-------+
key: s-prt = source port; prtcl = protocol; dest-addr = destination address; d-prt = destination port
TRACKING DOWN HOSTS
1) NAT -> internal IP
   - NAT/PAT logs
   - Proxy logs
2) Internal IP -> MAC
   - DHCP server logs
   - ARP logs
   - Static IP allocation
3) MAC -> location
   - CAM tables
   - Useful naming scheme
   - Cable tracing?!?
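A worked version of the three lookups, as an added example that is not from the talk: it parses a report row in the table layout shown above, then walks NAT log -> DHCP log -> CAM table to reach a switch port. The log line formats, hostnames and all addresses are constructed for the example; real NAT and DHCP logs will need their own regexes.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the talk): one report row in the table layout
# shown above, two NAT translations, two DHCP leases and one CAM-table entry.
REPORT = ("description   address        timestamp in UTC      d-prt\n"
          "Pushdo        203.0.113.45   2014-06-02T19:21:19Z  25")
NAT_LOG = [
    "2014-06-02T19:20:58Z src=10.12.4.77:51234 xlate=203.0.113.45:40211 dst=198.51.100.9:25",
    "2014-06-02T19:21:02Z src=10.12.4.90:40001 xlate=203.0.113.45:40212 dst=198.51.100.10:443",
]
DHCP_LOG = [
    "2014-06-02T09:00:00Z DHCPACK on 10.12.4.77 to aa:bb:cc:00:00:01 (lab-pc-09)",
    "2014-06-02T17:02:11Z DHCPACK on 10.12.4.77 to 00:11:22:33:44:55 (lab-pc-17)",
]
CAM_TABLE = {"00:11:22:33:44:55": "sw-lib-3f-02 port Gi1/0/14"}  # MAC -> switch/port
NAT_RE = re.compile(r"^(\S+) src=(\S+):\d+ xlate=(\S+):\d+ dst=\S+:(\d+)$")
DHCP_RE = re.compile(r"^(\S+) DHCPACK on (\S+) to (\S+) \((\S+)\)$")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_report(text):
    """Take the data row of the report: description, public address, UTC timestamp, dest port."""
    desc, addr, ts, dport = text.strip().splitlines()[-1].split()
    return {"description": desc, "address": addr, "ts": parse_ts(ts), "dport": int(dport)}

def nat_to_internal(rep, nat_log, window=timedelta(minutes=5)):
    """Step 1: public address + destination port + time window -> internal IP (NAT/PAT logs)."""
    for line in nat_log:
        ts, src, xlate, dport = NAT_RE.match(line).groups()
        if (xlate == rep["address"] and int(dport) == rep["dport"]
                and abs(parse_ts(ts) - rep["ts"]) <= window):
            return src
    return None

def internal_to_mac(ip, when, dhcp_log):
    """Step 2: internal IP -> MAC, using the newest lease granted at or before the event.
    Picking the latest lease matters: the same IP may have belonged to another host earlier."""
    leases = [(parse_ts(t), m, h) for t, i, m, h in (DHCP_RE.match(l).groups() for l in dhcp_log)
              if i == ip and parse_ts(t) <= when]
    return max(leases)[1:] if leases else (None, None)

def track(report_text, nat_log=NAT_LOG, dhcp_log=DHCP_LOG, cam=CAM_TABLE):
    """Chain the three lookups: NAT -> internal IP -> MAC -> switch port (step 3, CAM table)."""
    rep = parse_report(report_text)
    ip = nat_to_internal(rep, nat_log)
    mac, host = internal_to_mac(ip, rep["ts"], dhcp_log) if ip else (None, None)
    return {"internal_ip": ip, "mac": mac, "host": host, "location": cam.get(mac)}
```

Running `track(REPORT)` resolves the report to lab-pc-17 on the listed switch port; note that the older lease for the same IP is correctly ignored because it predates the newer one.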
Wireless. Bleh.

Log. Everything.

STARTING LOGS
Requirements:
- Log server
- Lots of disk!
- Basic sys admin
Minimally log:
- Central authentication
- NAT/PAT/Proxy
- DHCP
Consider adding:
- DNS queries
- Active Directory
- Webmail
- SMTP
- VPN
- All firewall logs
- Major systems
- AV

Nuke From Orbit (NFO). It's the only way to be sure.
WORKFLOW
"Every ticketing system sucks. Here at Best Practical, we're really proud of the fact that RT sucks less than everything else out there and helps many thousands of organizations around the world get their work done with less pain and suffering."
http://www.bestpractical.com

WORKFLOW
Requirements:
- Server
- Email aliases
- Basic sys admin
- A little Perl

Quickly builds: capability and relationships
PROJECT REVIEW
Flowchart (labels recovered from the slide): Security tasked to project -> Write memos -> Security meets with project team -> Secure? (Yes/No) -> Project Manager stops project? (Yes/No); outcomes: Fight!, Liar, Call it a win.

We should not accept risk.
SECURITY REVIEW IN 4 HOURS
1. Vendor asserts compliance requirements (5m)
2. Vendor fills out questionnaire (5m)
3. Review questionnaire (1 hour)
4. Research vendor (1 hour)
5. Discuss questionnaire with vendor and project team (1 hour)
6. Summarize findings (1 hour)

SECURITY REVIEW IN 2 HOURS
1. Vendor asserts compliance requirements (5m)
2. Vendor fills out questionnaire (5m)
3. Review questionnaire (2 hours)
4. Research vendor (1 hour)
5. Discuss questionnaire with vendor and project team (1 hour)
6. Summarize findings (1 hour)

Quickly builds: capability, visibility and relationships
DATA DISCOVERY
ANSWER ME THESE QUESTIONS THREE
1. What kind of data do you deal with regularly?
2. Where does it live and go?
3. What's your biggest data security concern?

WATCH OUT FOR
- Authoritative financials
- Credit Card Numbers
- Social Security Numbers
- Patient data
- Intellectual property
- Human/civil rights work
- Interesting to state actors
(Slide axis labels: Compliance risk, Threat risk)

Quickly builds: visibility and relationships
CONCLUSION
Summary diagram: the four bootstrapping activities and the goals each one builds.
- Data Discovery: visibility, relationships
- Intrusion Detection: capability, visibility
- Project Review: capability, visibility, relationships
- Incident Response: capability, relationships

CODA: PERSUASION AND CHANGE
- Harnessing the Science of Persuasion
- 6 Principles of Persuasion
- 12 Angry Men
OK, NOW WHAT?
- Security Incident Management Essentials: http://www.ren-isac.net/docs/security_incident_management_essentials_v4.pdf
- Introduction to Security Onion: https://code.google.com/p/security-onion/wiki/introductiontosecurityonion
- RTIR Incident Handling Workflow (JANET): http://www.bestpractical.com/static/rtir/janet-workflow.pdf
- NYU Data and Computer Security Policy: http://www.nyu.edu/its/policies/sec_compdata.html
- Educause/I2 Information Security Guide: https://wiki.internet2.edu/confluence/display/2014infosecurityguide