GSEC 401.2 Defense In Depth

Risk Analysis Questions

* Before a company spends a dollar of it's money or a minute of its time; answer the 3 questions ------------- 1) What is the *Risk* 2) Is it the *Highest Priority* risk 3) *Cost Effective* way of reducing the risk

Network Visibility Tree

* Breakdown by IP Address and Port ex 10.0.0.X / \ 10.0.0.3 10.0.0.10 / | \ / | \ 23 110 5150 43 210 443 * Identify unnecessary use of ports

defense in depth

* Diversify to keep the vulnerabilities at a minimum

Policy Focus

* Focus on the problem * Recognize the symptoms, but keep the focus on the problem

Inbound Network Traffic

* Monitor Inbound network prevention

Outbound Network Traffic

* Monitor Outbound network detection * Majority of problems are outbound

Viruses

* Typically targeted at users * requires an executable 1) Parasitic malware that relies on executable code insertion and user interaction to spread

Business Impact Analysis (BIA)

*Guard rails against serious disaster that will shut the business down 1) Determine the Maximum Tolerable Downtime 2) BIA useful for DRP 3) BIA evaluates the effect of a disaster over a period of time 4) Builds on the Risk Assessment Results

Eradication (Incident Handling)

*MOST CRITICAL STEP* 1) Fix the problem before putting the resources back online 2) Determine the cause, not the symptoms 3) Identify and remove back doors 4) Improve defenses 5) Perform Vulnerability analysis 6) Ensure REINFECTION does not occur

Business Continuity Plan

*Proactive* Over Arching strategic planning focused on the processes and proactively fixing them before they occur

Disaster Recovery Plan

*Reactive* Reactive plan to fix, repair and recover from incidents

Key Mistakes (Incident Handling)

*number 1 mistake* 1) Failure to report or ask for help 2) Incomplete/non-existent notes 3) Mishandling/destroying evidence 4) Failure to create working backup 5) Failure to contain or eradicate 6) Failure to prevent re-infection 7) Failure to apply lessons learned

Availability vs Destruction

Accessible when needed by those who need it

Recovery (Incident Handling)

1) *Ensure compromised code is not restored* 2) Validate the system 3) Decide when to restore operations 4) Monitor the systems very closely

Containment (Incident Handling)

1) *GOAL* is to stabilize the environment 2) Make a backup of the system for analysis 3) Incident Handler should not make things WORSE 4) Secure the Area 5) Physical vs. Virtual Containment 6) Changes Passwords Locally

SALT (Unix)

1) 8 digit random string of characters associated with a set of characters 2) Stings are individual and unique to each entry 3) Minimizes the effectiveness of Rainbow Tables

Managing Access

1) Account Administration 2) Maintenance 3) Monitoring 4) Revocation

Malware defense techniques

1) Activity monitoring programs 2) Malware scanners 3) File and resource integrity checking 4) stripping e-mail attachments 5) remember defense-in-depth 6) Patch all systems

Define an Incident

1) Adverse event in an information system and/or network, or the threat of the occurrence of such an event 2) Implies harm, or the attempt to do harm 3) A single event may or may not be an event * All Incidents are composed of and EVENT but not All Events are Incidents

Copyright

1) All copyrights own to the organization 2) Must be listed in the NDA 3) Anything created in a LEGAL LAWFUL Manner belongs to the company

Incident Handling Fundamentals

1) An action plan for dealing with intrusions, cyber-theft, denial of service, malicious code, fire, floods and other security-related events 2) Intentional of unintentional

Define an Event

1) Any observable occurrence in a system and/or network 2) Observable events compose an incident

Information Warfare Theory

1) Asymmetric warfare 2) Indications and warning 3) Players and roles 4) Measures of effectiveness 5) Cycle time

Worm

1) Attack systems through known vulnerabilities 2) Automatically scan for more systems to attack * often targets servers 3) Lower system defenses, install a rootkit or rootshell, and/or inform the attacker the system has been compromised * often 'burrows' or runs on an internal network * New worms attacks private IP's

Brute Force Attack

1) Attempts every combination of characters 2) Will always work 3) Slow and Methodical

Role-Based (RBAC)

1) Based on group membership 2) Can only be in one role at a time

Separation of Duties (Controlling Access)

1) Break critical tasks across multiple people to limit your point of exposure

Contingency Planning

1) Business Continuity Plan 2) Disaster Recovery Plan

Data Classification

1) Categories to reflect needs of a company 2) Minimum of two categories 2a) Public: information for public use or will not damage the company 2b) Private (not releasable to the public): detrimental impact if information becomes public knowledge

Rotation of Duties (Controlling Access)

1) Change jobs on a regular basis to prevent anyone from being able to get comfortable in a position 2) Be able to cover their tracks and minimizes the chance of *collusion*

Hybrid Attack

1) Combination of Dictionary and Brute force attack 2) Faster then Brute force and more accurate then Dictionary

Policy Procedures

1) Complement the Policy 2) Detailed step by step of stipulations in Policies 3) References the polices

3 Goals of Security (CIA Triad)

1) Confidentiality / Disclosure 2) Integrity / Alteration 3) Availability / Destruction

Burden of Proof (Incident Handling)

1) Criminal Case: 90% 2) Civil Case: 51%

Change Control

1) Critical to success 2) A way to detect when a change occurs to that baseline

Malware

1) Destruction of Data 2) Leaking Confidential Information 3) Providing a backdoor access 4) Countless other opportunities

Authorization (IAAA)

1) Determining what someone has access to or is allowed to do after the authentication

Types of Password Assessment

1) Dictionary Attacks 2) Hybrid Attack 3) Brute Force Attack 4) Precomputation brute force attack (Rainbow table)

Direct Evidence (Incident Handling)

1) Direct evidence comes from what the Incident Handler actually saw or experienced 2) Not what the Incident Handler surmised

Access Control Techniques

1) Discretionary Access Control (DAC) 2) Mandatory Access Control (MAC)

Chain of Custody (Incident Handling)

1) Document (accurately) evidence items and its custody, transfer, and disposition 2) Maintain a provable chain of custody 2a) Attestation 2b) Collect 2c) Ensure evidence is auditable 2d) Sign and seal

Need to Know (Controlling Access)

1) Grant access to what is needed when they need it 2) Take it away from when time elapses

Least Privilege (Controlling Access)

1) Grant the least amount of access required to perform their duties

Irreversible

1) Hashing of information 2) One way transformation 3) Recommended

Incident Response Plans

1) Help to know what to do when and incident occurs 1a) planning is everything

Standard

1) High level overview of policy

IAAA

1) Identification 2) Authentication 3) Authorization 4) Accountability

Information Centric

1) Identify critical assets and provide layered protection 2) Data is accessed by applications 3) Applications reside on hosts 4) Hosts operate on networks

Lessons Learned (Incident Handling)

1) Identify the most relevant conclusions and areas for improvements 2) Develop a report with a consensus 3) Conduct lessons learned within 24 hours 4) Send recommendations to management 4a) Include cost analysis

Indications and Warnings

1) In an information economy, events in the "real world" must be reflected on the net 2) Collected and analyzed data might include indications, some of which raise warnings. 3) Warnings should be analyzed and appropriate action taken

Monitoring (Managing Access)

1) Includes auditing access authorizations and failures

Accountatbility (IAAA)

1) Knowing who did what and when 2) Accurate and extensive logs

Security Policies

1) Laws of Securing a network 2) Short and concise *6-10 pages Max* 3) Written for the Common User 3a) 'Speed Limit Sign' model: Concise, readable, digestible

Controlling Access

1) Least Privilege 2) Need to Know 3) Separation of Duties 4) Rotation of Duties

Token-Based

1) List of permitted objects for each user

Dictionary Attack

1) List of words 2) Fast 3) Not guaranteed to work

List-Based

1) List or permitted users for each object

Access control View of Material

1) List-Based 2) Token-Based

Implementation of Access Control

3) Role-Based (RBAC) 4) Ruleset-Based (RSBAC)

Preparation (Incident Handling)

1) MOST Critical and often Overlooked ** Assume the attacker is better, smarter and faster then you ** 2) Use Out of Band Communication 3) Policy 3a) Organizational Approach 3b) Inter-Organizational 4) Obtain MANAGEMENT SUPPORT 5) Identify contacts in other organizations (legal, law enforcement, partners) 6) Select Team Members *carefully* 7) Compensate Team Members 8) Update Disaster Recovery plan 9) Have Emergency Communications Plan 10) Escrow passwords and encryption keys 11) Provide Training 12) Provide checklist and procedures 13) Have jump bag (equipment) with everything you need to handle an incident

Discretionary (DAC)

1) Managed by Users

Uniform Protection

1) Most common approach to DiD 2) Firewall, VPN, Intrusion, Detection, Antivirus, Patching 3) All parts of the organization receive equal protection 4) Treats all the systems the same

Three TOP 20 Lists (Outbound Traffic)

1) Number Connections 2) Length of Connections 3) Amount of Data ------------------------ (High false positives, but increase the accuracy of Vulnerabilities) 4a) Percent of Encrypted Traffic 4b) Destination IP Address

Single Sign-On (SSO)

1) Only log on once 2) Credentials are carries with the user 3) Simplifies User management 4) Only have to remember one set of credentials 5) Used with Multi-Factor Authentication

Account Administration (Managing Access )

1) Only setup accounts for those who need them 2) Use best practice

Business Continuity Plan (BCP) Key Components

1) Planning 1a) Assess - Identify threats 1b) Evaluate - likelyhood and impact of each threat 2) BCP 2a) Prepare - contingent operations 2b) Mitigate - reduce or eliminate risks 3) DCP 3a) Respond - minimize the impact 3b) Recover - return to normal

Non-Disclosure Agreement

1) Policy covers use, control, and enforcement of NDA 2) Protects both parties *Must be one-sided* 3) Protects sensitive information 4) A legal document has a certain specific requirements

Effective Policy Triad

1) Policy: Should be measurable and tied to a metric (Realistic) 2) Training: Understanding of Policies and procedures (Achievable) 3) Awareness: Changes behavior and attitude (Specific)

Six Step Incident Handling

1) Preparation 2) Identification 3) Containment 4) Eradication 5) Recovery 6) Lessons Learned

Password Hash Strength

1) Quality of Algorithm 2) Key Length 3) CPU Cycle 4) Character set support 5) Password length

NTLMv2

1) Randomizes a string a characters associated with a password 2) Uses Domain name, server challenge and other variables to randomize the hash 3) Minimizes the effectiveness of Rainbow Tables

Real Evidence (Incident Handling)

1) Real evidence is the tangible 1a) Computes, USBs etc

Attacker Kill Chain

1) Recon 2) Scanning **** THREAT OF ADVERSE EVENT **** (ratio of threats to events (2000:1) 3) Exploitation **** ADVERSE EVENT **** 4) Create Backdoor 5) Cover tracks

Revocation [Off-Boarding] (Managing Access)

1) Removal of access when necessary

ISO 17799 (Incident Handling)

1) Report security breaches and cyber crimes

Mandatory (MAC)

1) Requires matching classification and clearance for access

Reversible Encryption

1) Reversible Algorithms 2) Symmetric and Asymmetric 3) Not recommended for passwords

Maintenance (Managing Access)

1) Review account data for errors and inconsistencies

Ruleset-Based (RSBAC)

1) Rules for specific Objects 2) Used with firewalls

Propagation Techniques

1) Social Networking 2) Email attachments 3) Web browsing 4) Removable media 5) Network Vulnerabilities

Baseline

1) Standard implemented for all like devices and processes

Incident Response Personality Traits

1) Stay Calm Under Pressure 2) TEAM PLAYER

Vector-Oriented

1) The threat requires a vector to cross the vulnerability 2) Stop the ability of th threat to use the vector: a) USB Thumb drives - Disable USB b) Auto Answer Modems - Digital Phone PBX

4 approaches to Defense In Depth

1) Uniform Protection 2) Protected Enclaves 3) Information Centric 4) Threat Vector Analysis

Rainbow Table (Precomunation attack)

1) Uses the Hash associated with the passwords

Asymmetric Warfare

1) Using unconventional means (USS Cole, Twin Towers, etc) to create chaos and discontent

Identification (Incident Handling)

1) Who should identify an incident? 2) How do you identify an incident? 2a) IDS alerts, failed or unexplained events, poor performance 3) Alert early without 'jumping to conclusions' 3a) look at all facts 3b) accurate reporting 4) Notify correct people 5) Utilize Help Desk or other 'on board' staff to track inforamtion 6) Assign a primary handler 7) *Do Not MODIFY Information* 8) Identify possible witnesses and evidence 9) Determine whether an event is an incident 10) Identify evidence

Protected Enclaves

1) Work groups that require additional protection are segmented from the rest of the internal organization 2) Restricting access to critical segments 3) Internal Firewalls 4) VLANs and ACLs

Identification (IAAA)

1) You are who you claim to be

Guidelines

1) hints, tips and 'tricks' of policies

Configuration Management

1) the discipline of establishing a known baseline condition, and then managing that condition 1a) Accurate baseline document

Integrity vs Alteration

Authentic an complete. Sufficient and Accurate Trustworthy and reliable

Top 5 List of Threats

Critical Data and Process that support it Likely Threats Most likely Vulnerabilities

Confidentiality vs Disclosure

Only shared among authorized persons or organisations

Authentication (IAAA)

Process by which you prove you are who you say you are: a) Something you know b) Something you have c) Something you are d) Some place you are

*SMART* Test for Polices

S - Specific M - Measurable A - Achievable R - Realistic T - Time-based

Hash Tags are stored in

SAM database (Windows) ETSE database (Unix)

Risk (Formula)

Threat x Vulnerability (to that threat)

Reduce Risk

To reduce risk lets reduce Vulnerabilities

Questions for CEOs

What are the things that worry you most? What could cause you to be removed from the board? What keeps you up at night?