
Hacking Exposed 7 Network Security Secrets & Solutions

Hacking Exposed 7 Network Security Secrets & Solutions. Chapter 12 Countermeasure Cookbook. Introduction. Attack-centric view from this book vs. building more secure systems Asymmetry of risk management Attacker’s advantage, defender’s dilemma Best countermeasure strategies





Presentation Transcript


  1. Hacking Exposed 7 Network Security Secrets & Solutions
     Chapter 12 Countermeasure Cookbook

  2. Introduction
     • Attack-centric view from this book vs. building more secure systems
     • Asymmetry of risk management
       • Attacker's advantage, defender's dilemma
     • Best countermeasure strategies
       • General strategies
         • Usability vs. security
         • Increase the "cost" of attack
       • (Re)move the asset, separation of duties, AAA (authenticate, authorize, audit), layering, adaptive enhancement, orderly failure, policy and training, simple/cheap/easy
     • Example scenarios
       • Desktop scenarios, server scenarios, network scenarios, Web application and database scenarios, mobile scenarios

  3. (Re)move the Asset
     • Remove the target of the attack
     • Example: database index
       • A website collects personally identifiable info like a government-issued identification number
       • To more reliably index customers in a database
       • But it is not needed by the business
       • Why not use non-identifiable randomly generated values to index?
       • Better than encrypting data that the business doesn't really need!

  4. Separation of Duties
     • Prevent, detect, and respond
       • Parallel countermeasures, e.g. host intrusion protection, network intrusion detection, incident response process execution
     • People, process, and technology
       • Nature of parallel countermeasures
       • Mix and match the above in a matrix!
     • Checks and balances
       • Coordination of duties
       • Ask different accountable persons to work on the same task
       • Preventing collusion: e.g. detection folks & reaction folks
       • Providing checks and balances: e.g. set firewall rules to block access to a vulnerable service

  5. Authenticate, Authorize, Audit
     • Know users, limit what they can access, and check access logs
     • Off-the-shelf authentication solutions
       • Multifactor solutions: RSA SecurID
       • Online services: Windows Live ID and OpenID
       • Frameworks: OAuth and SAML
     • Customized authorization solutions
       • Role-based, claims-based, mandatory vs. discretionary, digital rights management
       • e.g. Microsoft's Mandatory Integrity Control (MIC)
       • Protected Mode Internet Explorer (PMIE): isolate a compromised web browser to a limited set of objects within the user's authenticated session
     • Audit on authentication and authorization
       • Who did what to which, when, and how
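The three parts of AAA fit in a few dozen lines once you insist that every decision, not just every success, is written down. The following is an added example and not code from the book or any product it names: a role-based authorization check whose authentication and authorization paths both emit an audit record answering "who did what to which, when, and how". The user store, the role policy, the PBKDF2 iteration count and the record fields are assumptions for illustration; a real deployment would back them with a directory and an append-only log shipped off the host.

```python
# Added example (not from the book): authenticate, authorize, and audit in one
# small module. The user store, the role policy and the audit-record fields are
# constructed for illustration.
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

USERS = {}        # username -> {"salt", "hash", "roles"}
AUDIT_LOG = []    # audit records: who, what, which, when, how, outcome

# Constructed role policy: role -> set of (action, object type) it may perform.
POLICY = {
    "analyst": {("read", "report")},
    "admin": {("read", "report"), ("write", "report"), ("delete", "report")},
}

def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; the iteration count is an assumption, tune it to the hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_user(username, password, roles):
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt),
                       "roles": frozenset(roles)}

def audit(who, what, which, outcome, how):
    # "Who did what to which, when, and how", plus the decision that was taken.
    record = {"when": datetime.now(timezone.utc).isoformat(), "who": who,
              "what": what, "which": which, "how": how, "outcome": outcome}
    AUDIT_LOG.append(record)
    return record

def authenticate(username, password):
    user = USERS.get(username)
    # Hash even for unknown users so a missing account is not a timing oracle,
    # and compare digests in constant time.
    salt = user["salt"] if user else bytes(16)
    candidate = _hash_password(password, salt)
    ok = user is not None and hmac.compare_digest(candidate, user["hash"])
    audit(username, "login", "session", "success" if ok else "failure", "password")
    return ok

def authorize(username, action, obj_type, obj_id):
    roles = USERS.get(username, {}).get("roles", frozenset())
    allowed = any((action, obj_type) in POLICY.get(role, ()) for role in roles)
    # Denials are logged too: they are the interesting half of the audit trail.
    audit(username, action, f"{obj_type}:{obj_id}", "allow" if allowed else "deny", "rbac")
    return allowed

def audit_trail(username):
    # Audit review: everything a given principal did, in order.
    return [r for r in AUDIT_LOG if r["who"] == username]

if __name__ == "__main__":
    add_user("alice", "correct-horse-battery", ["analyst"])
    print(authenticate("alice", "correct-horse-battery"))   # True
    print(authorize("alice", "delete", "report", 42))        # False, and logged as a denial
    for record in audit_trail("alice"):
        print(record)
```

The point to notice is that `authorize` never short-circuits around `audit`: an analyst who probes for `delete` leaves the same kind of trace as one who succeeds, which is what makes the log useful for separation-of-duties checks later.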

  6. Layering
     • Defense-in-depth or compensating controls
     • Linear countermeasures vs. parallel countermeasures
     • Layers of the IT stack
       • Physical: secured facility
       • Network: firewall, ACL
       • Host: endpoint software, host-level firewall and antimalware/antivirus
       • Application: patch vulnerabilities
       • Logical: access control on the app's capability and data

  7. Adaptive Enhancement
     • Turned on and off
     • Examples
       • WAF (Web Application Firewall) turned on if a certain vulnerability cannot be patched until the next release
         • Reactive compensation
       • Additional challenge factor during authentication if a user logs in less normally
         • Predictive compensation
       • Bank of America's SafePass feature for online banking: additional password for mobile devices
         • Predictive compensation
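The "additional challenge factor when a user logs in less normally" item is easy to state and easy to get wrong, so here is an added example, not code from the book or from any bank's product, of the decision logic behind it. A login attempt is scored against the user's own history of successful logins, and only when the score crosses a threshold is the extra factor demanded; everything else is the usual frictionless path. The signals (new device, new address, new country, unusual hour, implausible travel since the previous login), their weights, the threshold and the sample history are all assumptions chosen to make the behaviour visible.

```python
# Added example (not from the book): an adaptive step-up decision. Signals,
# weights, threshold and the login history below are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Login:
    user: str
    ip: str
    device_id: str
    country: str
    when: datetime

STEP_UP_THRESHOLD = 3   # assumed: at or above this score, demand the additional factor

def risk_score(attempt, history):
    """Return (score, reasons); history is the user's earlier successful logins."""
    if not history:
        # Nothing to compare against: treat a first login as unusual by definition.
        return STEP_UP_THRESHOLD, ["no login history"]
    score, reasons = 0, []
    if attempt.device_id not in {h.device_id for h in history}:
        score += 2
        reasons.append("new device")
    if attempt.ip not in {h.ip for h in history}:
        score += 1
        reasons.append("new ip")
    if attempt.country not in {h.country for h in history}:
        score += 2
        reasons.append("new country")
    if attempt.when.hour not in {h.when.hour for h in history}:
        score += 1
        reasons.append("unusual hour")
    last = max(history, key=lambda h: h.when)
    if last.country != attempt.country and attempt.when - last.when < timedelta(hours=2):
        score += 3
        reasons.append("implausible travel since last login")
    return score, reasons

def decide(attempt, history):
    """'allow' or 'challenge' (require the additional factor), with score and evidence."""
    score, reasons = risk_score(attempt, history)
    return ("challenge" if score >= STEP_UP_THRESHOLD else "allow"), score, reasons

# Constructed history for one user; addresses are from documentation ranges.
HISTORY = [
    Login("alice", "198.51.100.7", "laptop-1", "US", datetime(2024, 5, 1, 9, 0)),
    Login("alice", "198.51.100.7", "laptop-1", "US", datetime(2024, 5, 2, 10, 0)),
    Login("alice", "198.51.100.7", "laptop-1", "US", datetime(2024, 5, 3, 14, 0)),
]

if __name__ == "__main__":
    usual = Login("alice", "198.51.100.7", "laptop-1", "US", datetime(2024, 5, 4, 9, 0))
    odd = Login("alice", "203.0.113.9", "unknown-9", "DE", datetime(2024, 5, 3, 15, 0))
    print(decide(usual, HISTORY))   # ('allow', 0, [])
    print(decide(odd, HISTORY))     # ('challenge', 9, [...five reasons...])
```

Returning the reasons alongside the verdict matters in practice: the same evidence that justified the challenge is what the help desk and the fraud team need when the user phones in, and it lets you tune the weights against real data instead of guessing.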

  8. Orderly Failure
     • Risk management
       • Plan your failure – self-defeating
       • Worst-case scenario
         • All or some components fail
         • Security features fail
     • Reactive countermeasures
       • Annual "fire drills"
         • Test people, process, and technology
         • Check failover mechanisms
     • After failure: fail closed or fail open?

  9. Policy and Training
     • Security policy
       • Context where countermeasures are implemented
       • System owner's intent
       • Countermeasures prescribed by security policy
     • Training
       • How can you do the right thing if you don't know what the right thing is?
       • Integrated into daily workflows of affected parties
         • Not disruptive hours of class training
       • SecureAssist from Cigital: "security spell check" in code writing

  10. Simple, Cheap, and Easy
     • KISS (Keep it simple and stupid) for countermeasure design
     • 2012 Verizon Data Breach Report
       • 63% of recommended preventive countermeasures were simple and cheap
       • 3~5% were difficult and expensive
     • Identify and solve obvious problems
       • Not necessarily "manual and home-grown"
       • Often more cost-effective to deploy "umbrella" countermeasures (e.g. firewall) to compensate for a vast sea of vulnerabilities

  11. Desktop Scenarios
     • Remove the asset
       • Data leak prevention (DLP) across the enterprise
     • AAA for consolidated remote access
     • Instrument the endpoint
       • Antimalware, configuration management, log shipping, HIPS, file system integrity monitor (tripwire)
     • Network-based countermeasures
       • Signature-based detection
       • Top talkers for data exfiltration
     • Reactive countermeasures
       • Most desktop malware installs a persistence mechanism leveraging Windows ASEPs (AutoStart Extensibility Points) hooks
       • Orderly failure by a forensic agent
     • Policy enforcement if possible
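Because persistence through ASEPs is so common, the cheapest reactive countermeasure is a baseline: record what a clean build has in its autostart locations and diff the current state against it. The following is an added example, not code from the book or from any endpoint product: it parses ASEP entries from a text export (the `key | value name | command` format is invented here so the script runs on any platform rather than touching a live registry), reports additions, removals and changed command lines, and flags commands that point into user-writable directories. The two `HKLM`/`HKCU` `...\CurrentVersion\Run` keys are real autostart locations; the baseline, the current listing and the user-writable-path heuristic are constructed assumptions for illustration.

```python
# Added example (not from the book): compare current Windows ASEP entries with
# a known-good baseline. Entries are read from a constructed text export
# (key | value name | command); the listings below are sample data, not real hosts.
from collections import namedtuple

AsepEntry = namedtuple("AsepEntry", "key name command")

# Directories a standard user can write to; an autostart command living there
# deserves a closer look (assumed heuristic, not a verdict).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

BASELINE = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | SecurityHealth | %windir%\system32\SecurityHealthSystray.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run | OneDrive | "C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

CURRENT = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | SecurityHealth | %windir%\system32\SecurityHealthSystray.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run | OneDrive | "C:\Users\jdoe\AppData\Local\Temp\OneDrive.exe" /background
HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Updater | C:\Users\jdoe\AppData\Roaming\upd.exe
"""

def parse_export(text):
    """Map (key, value name) -> entry; keys are lower-cased because the registry is case-insensitive."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, name, command = (part.strip() for part in line.split("|", 2))
        entries[(key.lower(), name.lower())] = AsepEntry(key, name, command)
    return entries

def looks_user_writable(entry):
    return any(hint in entry.command.lower() for hint in USER_WRITABLE_HINTS)

def diff_aseps(baseline_text, current_text):
    base, cur = parse_export(baseline_text), parse_export(current_text)
    added = sorted((cur[k] for k in cur.keys() - base.keys()), key=lambda e: e.name)
    changed = sorted(((base[k], cur[k]) for k in cur.keys() & base.keys()
                      if base[k].command != cur[k].command), key=lambda p: p[1].name)
    removed = sorted((base[k] for k in base.keys() - cur.keys()), key=lambda e: e.name)
    return {"added": added, "changed": changed, "removed": removed}

def findings(baseline_text, current_text):
    """One analyst-readable line per deviation from the baseline."""
    d = diff_aseps(baseline_text, current_text)
    out = []
    for e in d["added"]:
        flag = " [user-writable path]" if looks_user_writable(e) else ""
        out.append(f"ADDED   {e.key}\\{e.name} -> {e.command}{flag}")
    for old, new in d["changed"]:
        flag = " [user-writable path]" if looks_user_writable(new) else ""
        out.append(f"CHANGED {new.key}\\{new.name}: {old.command} -> {new.command}{flag}")
    for e in d["removed"]:
        out.append(f"REMOVED {e.key}\\{e.name}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(BASELINE, CURRENT)))
```

The changed-command case is the one a plain "new value name" check misses: the value name `OneDrive` is still present, only the binary it launches has moved to a temp directory. Comparing commands rather than names is what catches that.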

  12. Server Scenarios (1/2)
     • Administrative privilege restriction
       • Strong AAA, e.g. Xsuite
       • IAM (Identity and Access Management): entitlement review, e.g. Sarbanes-Oxley or SOX
       • Hardening root access in UNIX: cracklib (password composition tool), Secure Remote Password (authentication and key exchange), OpenSSH, pam_passwdqc (password length check), pam_lockout (account lockout)
     • Minimal attack surface
       • Disabling unnecessary services: fewer listening services/ports, fewer doors – legacy NetBIOS, SMB
       • Using Windows Firewall to restrict access to services
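"Fewer listening services" is only verifiable if you compare what a host actually exposes against what it is supposed to expose. The following is an added example, not code from the book or from any tool it names: it parses `ss -lntu` style socket listings and reports every network-reachable listener whose protocol and port are not on an allowlist, ignoring loopback-only bindings. The sample listing is constructed rather than captured from a real host, and the allowlist (SSH plus the DHCP client port) is an assumption for a Linux server that should not be offering the legacy NetBIOS/SMB ports mentioned above.

```python
# Added example (not from the book): report listening sockets that are not on
# an allowlist. The ss output and the allowlist below are constructed assumptions.
import subprocess

SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:139         0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:445         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
"""

ALLOWED = {("tcp", 22), ("udp", 68)}   # (protocol, port) pairs this server is meant to expose

def parse_listeners(ss_output):
    """Yield (proto, address, port) for every socket row, skipping the header."""
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] in ("Netid", "State"):
            continue
        proto, local = parts[0], parts[4]
        addr, port = local.rsplit(":", 1)     # works for "0.0.0.0:22" and "[::]:22"
        if not port.isdigit():
            continue
        yield proto, addr, int(port)

def is_loopback(addr):
    return addr.startswith("127.") or addr in ("[::1]", "::1")

def unexpected_listeners(ss_output, allowed=ALLOWED):
    """Network-reachable sockets whose (proto, port) is not allowlisted, sorted."""
    return sorted({(proto, addr, port) for proto, addr, port in parse_listeners(ss_output)
                   if not is_loopback(addr) and (proto, port) not in allowed})

def live_check(allowed=ALLOWED):
    # On a Linux host with iproute2 installed; same result shape as the sample run.
    out = subprocess.run(["ss", "-lntu"], capture_output=True, text=True, check=True).stdout
    return unexpected_listeners(out, allowed)

if __name__ == "__main__":
    for proto, addr, port in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener: {proto} {addr}:{port}")
```

Run from configuration management or a nightly job, a non-empty result is the signal that a "door" was opened that nobody reviewed; treating the allowlist as the source of truth, rather than the host, is what turns the slide's advice into a check that can fail.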

  13. Server Scenarios (2/2)
     • Strong maintenance practices
       • Windows security patching guidance
       • Automated patch management tool, e.g. SMS (Systems Management Server)
       • Workaround in the window of exposure before patch release: inbound port blocking
     • Active monitoring, backup, and response
       • Customized detection and response plans for new vulnerabilities

  14. Network Scenarios
     • Lower-layer TCP/IP firewall: ports
     • Upper-layer application firewall: SQL injection, cross-site scripting, etc.
     • Deploy more granular firewalls with visibility and control at higher layers
     • Segment networks with higher risk from ones with greater sensitivity: DMZ
     • Attacks on the network itself
       • Eavesdropping and traffic redirection (ARP spoofing): limit broadcast domains, authentication and encryption with 802.1X and WPA2 Enterprise
       • DoS: asymmetrical attack pattern, Prolexic service
       • DNS exploits: pay attention to configuration (restrict zone transfers and recursive queries)

  15. Web Application and Database Scenarios
     • Off-the-shelf (OTS) components
       • OTS packages: web servers, shopping carts, blog management, social interaction (web chat), etc.
       • Configure properly and patch religiously
       • Strong DAM (Database Activity Monitoring) with blocking capability
     • Custom-developed application code
       • Security program on code development
       • BSIMM (Cigital's Building Security In Maturity Model): downloadable framework and tools to assess yourself

  16. Mobile Scenarios
     • Impact due to device theft, remote hacking, malicious apps, phone/SMS fraud, etc.
     • Remove the data
       • Whether the most sensitive data should be downloaded to devices at all
     • Physical control by attackers: device debug mode, rooting, jailbreaking, etc.
     • Keep a separate (physical or virtual) device for sensitive activities
     • Enable password lock and device wipe on successive failed logins
     • Keep system and application software up-to-date
     • Be very selective about apps you download
     • Install MDM (mobile device management) and/or security software

  17. Summary
     • Usability vs. security
     • Diversification in countermeasures: multiple parallel or serial obstacles
     • Keep it simple and stupid.
     • Empirical studies by VDBR (Verizon Data Breach Report)
