policies - NY Capital Region Chapter

Network Security and its Impact on Network Continuity
What you don't know can hurt you!

What is “Network Security”?

- "Network security consists of the provisions made in an underlying computer network infrastructure, policies adopted by the network administrator to protect the network and the network-accessible resources from unauthorized access, and consistent and continuous monitoring and measurement of its effectiveness (or lack) combined together."
  Source: http://en.wikipedia.org/wiki/Network_security
- Information Security is related to, but not identical with, Network Security

Impact of non-secure network infrastructure on an organization

- Loss of Services
  - Website/Server Down
  - Loss of Sales
  - Loss of Time
- Loss of Data
  - Proprietary Information
  - Sensitive Information
  - Customer Information
- Loss of Reputation
  - Adverse publicity
  - Loss of Customers
  - Known as an easy mark on hacker forums

Threats

- External
  - Hackers
    - Enter the network using simple or advanced techniques
    - Use “sociological hacking” (social engineering) techniques
    - Have a lot of time and good, free tools: NMAP, MetaSploit, MilW0rm, Netcat
  - “Phishing”
  - “Pharming” -- much more dangerous than Phishing
  - Malware
    - Malicious code on websites
    - Malicious email attachments

A Simple Hack

1. Hacker scans a random network with NMAP
2. Bad luck! It happens to be yours
3. Hacker discovers the website has sensitive information stored on it
4. Hacker uses the sensitive information, e.g. user names and passwords, to begin cracking the network
5. Hacker gains access to the network after a few weeks of “brute force” attacks
6. Hacker finds an unpatched Windows XP machine and plants malware on it
7. Hacker finds the backup password file in c:\windows\repair\sam and cracks the local admin password
8. Hacker tries to access another machine with the local admin password, which is usually the same across an organization
9. A lot of information can be gathered, including server names and addresses, access to email, etc.
10. You are p0wned!

More Advanced Techniques

1. Hacker scans the network and finds services available over the Internet
2. Only HTTP (TCP port 80) on one server is open to the Internet, with only established connections permitted out (Stateful Inspection)
3. Hacker uses a crafted MetaSploit module, built from information gleaned from Milw0rm, to compromise the server and install “Netcat”
4. Hacker redirects traffic over the permitted port using Netcat listening on HTTP, bypassing the outbound firewall rules
5. From here the attack continues as in the simple hack above
6. You are p0wned!

Anatomy of a Pharming Attack
Malware

- Trojans
  - Usually downloaded by the user
  - Do not self-replicate
  - Send information from the compromised host and also listen for connections
- Worms
  - Can be downloaded or can self-replicate
  - Usually attack major services, such as HTTP and SQL
  - Can reside in memory, i.e. no file is resident on the hard disk

Threats

- Internal Threats
  - Disgruntled Employees
    - Can be very dangerous if technically savvy
    - Usually steal or remove information; sabotage with a “logic bomb”
  - No outbound traffic filtering
    - Web filtering
    - Email filtering
    - Instant Messaging
    - P2P (Peer to Peer)
  - Unauthorized Wireless Access Points
  - Credential Sharing
  - Unpatched or Misconfigured machines

There is some Hope!

- A well designed network can mitigate many types of risks and threats
  - Controls and Monitors
  - Policies and Procedures
- Some network designs are legally mandated:
  - HIPAA http://www.cms.hhs.gov/HIPAAGenInfo/ (Health Insurance Industry)
  - Sarbanes-Oxley (SARBOX) (Financial Industry); may include audits and Penetration Tests
- Some are Industry Standards
  - PCI https://www.pcisecuritystandards.org/ (Credit Card Industry)
  - NIST http://www.nist.gov/index.html

Controls and Monitoring

Controls can allow or disallow traffic or access. Controls require little or no intervention. Controls can be dangerous, configure with care!

Examples
- Firewalls allow or block traffic according to a configured Access Control List (ACL). Firewalls typically block traffic from the Internet into a private network
- Application Firewalls look inside the network information sent, determine whether a packet is permitted or not, and then take the configured action, e.g. WebSense will block all Nazi sites
- Antivirus Software can remove existing malware and/or stop malware from changing the configuration of the machine
- Intrusion Prevention Systems look for known “evil” packets and block them
- Log Monitoring can show when an event occurred and show trends over time, e.g. SPLUNK

Policies and Procedures

- Policies require intervention to work
- Effective Policies and Procedures need to be known by the required users and backed up by management
- Policies and Procedures can have legal ramifications
- A Procedure implements a Policy

Examples
- “Least Privilege”
- Web Usage Policies
- Disaster Recovery Procedures
- User creation, change and deletion procedures

Basic Secure Network Design

- Firewall traffic between different Security Zones
  - All machines in one zone have one network access policy
  - To traverse a zone, information must pass through an ACL
  - Separate network for Internet-facing servers such as web and database servers, with ACLs controlling access to the internal network
  - Typical “office” machines do not have direct access to sensitive servers unless required
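The zone model above, as an added example that is not part of the presentation: a default-deny firewall where each zone pair has exactly one policy entry, office machines cannot reach the sensitive zone directly, and reply traffic is only admitted for connections the ACL already permitted (stateful inspection). The zone ranges and the ACL entries are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed zone layout for this example (documentation address ranges);
# it is not the network from the presentation.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),        # Internet-facing web/database servers
    "office": ip_network("10.10.0.0/16"),     # typical office workstations
    "sensitive": ip_network("10.20.0.0/24"),  # servers office machines must not reach directly
}

# One policy per zone pair: (src_zone, dst_zone, proto, dport). Anything not
# listed is denied, so crossing a zone boundary always means passing an ACL.
ACL = {
    ("internet", "dmz", "tcp", 80),        # public web service
    ("office", "dmz", "tcp", 80),          # staff use the same web front end
    ("office", "internet", "tcp", 443),    # outbound browsing
    ("dmz", "sensitive", "tcp", 1433),     # web tier to database: explicitly required
}

def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the listed ranges is the Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

class StatefulFirewall:
    """Default-deny zone firewall that only lets replies through for allowed connections."""

    def __init__(self):
        self.established = set()  # (src, sport, dst, dport, proto) of allowed connections

    def check(self, src, sport, dst, dport, proto="tcp") -> str:
        key = (src, sport, dst, dport, proto)
        reverse = (dst, dport, src, sport, proto)
        if reverse in self.established:
            return "allow (established)"  # reply to a connection we already permitted
        if zone_of(src) == zone_of(dst):
            return "allow (same zone)"    # one zone, one policy
        if (zone_of(src), zone_of(dst), proto, dport) in ACL:
            self.established.add(key)
            return "allow"
        return "deny"                     # default deny: a candidate for review
```

An unsolicited outbound connection from the DMZ is denied even though inbound HTTP to the same server is allowed, which is the "only established connections permitted out" behaviour described earlier.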
- Monitor traffic
  - Unauthorized or “odd” information is flagged for review
    - A packet with 10,000 As is probably a buffer overflow attempt
    - Investigate repeated “denies” on an ACL from a particular host

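The two review triggers above, as an added example that is not from the presentation: count ACL denies per source host and flag payloads that consist of a long run of one repeated byte. The log format, the sample lines and the payloads are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample records for this example (not from the presentation):
# simplified syslog-style ACL deny lines and two captured payloads.
SAMPLE_DENIES = [
    "Jan 10 09:00:01 fw1 ACL-DENY src=203.0.113.5 dst=192.0.2.10 dport=22",
    "Jan 10 09:00:03 fw1 ACL-DENY src=203.0.113.5 dst=192.0.2.10 dport=23",
    "Jan 10 09:00:04 fw1 ACL-DENY src=198.51.100.7 dst=192.0.2.10 dport=445",
    "Jan 10 09:00:05 fw1 ACL-DENY src=203.0.113.5 dst=192.0.2.11 dport=3389",
    "Jan 10 09:00:09 fw1 ACL-DENY src=203.0.113.5 dst=192.0.2.12 dport=1433",
]
SAMPLE_PAYLOADS = [b"GET / HTTP/1.0\r\n\r\n", b"A" * 10000]

DENY_RE = re.compile(r"ACL-DENY src=(?P<src>\S+) dst=\S+ dport=\d+")

def repeated_denies(lines, threshold=3):
    """Count ACL denies per source host; return the hosts at or above threshold."""
    counts = Counter()
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

def longest_byte_run(payload: bytes) -> int:
    """Length of the longest run of one repeated byte value in the payload."""
    best, run, prev = 0, 0, None
    for b in payload:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best

def looks_like_overflow_probe(payload: bytes, min_run=1000) -> bool:
    """A payload that is mostly one repeated byte (thousands of 'A's) is suspect."""
    return longest_byte_run(payload) >= min_run

def review_queue(lines, payloads, threshold=3, min_run=1000):
    """List of items an engineer should look at, in a stable order."""
    items = [f"repeated denies from {src} ({n})"
             for src, n in sorted(repeated_denies(lines, threshold).items())]
    for i, payload in enumerate(payloads):
        if looks_like_overflow_probe(payload, min_run):
            items.append(f"payload {i}: run of {longest_byte_run(payload)} identical bytes")
    return items
```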
Basic Secure Network Design

- IPS events should be reviewed
  - Trend analysis: over time engineers become familiar with what “normal” traffic is
  - Can correlate information from multiple sensors to discover coordinated attacks
  - IPS needs to be tuned, and automatically denying traffic can be dangerous, use with care!

Basic Secure Network Design

- Host based protection for Servers and Workstations
  - Active Directory Policies
    - Harden machines against e.g. Denial of Service (DoS)
    - Can turn off NetBIOS, LDAP etc. via policy
  - “LaBrea” (tarpit) hosts
  - Windows Firewall
  - Antivirus
    - Also useful for alarms and backtracking outbreaks
  - Host Based IPS
    - Also useful for alarms and backtracking outbreaks
  - Knowledgeable users!!!!!!

Testing Security: Assessment

- Network Security Assessment
  - Find every host
  - Find vulnerabilities
  - Test fail-over scenarios
  - Review logs and event handling
  - Check compliance with stated policy, e.g. password expiration

Testing Security: Penetration Test

- Exploit discovered vulnerabilities, no “false positives”
- Can find cracks in the security design, e.g. unencrypted admin passwords used to access a patch server, which is not normally monitored; can find flaws in web applications
- Also tests incident response
- Can be “Black Box”, “White Box” or “Grey Box”
  - Black Box: the target is unaware and no information is supplied to the pen tester
  - White Box: pen tester and target cooperate
  - Grey Box: some information is shared between pen tester and target

Q&A
Questions?