GSEC 401.2 Defense In Depth
Risk Analysis Questions
* Before a company spends a dollar of its money or a minute of its time, answer the 3 questions: 1) What is the *Risk*? 2) Is it the *Highest Priority* risk? 3) What is the most *Cost Effective* way of reducing the risk?
Network Visibility Tree
* Breakdown by IP address and port, e.g.:

            10.0.0.X
           /        \
     10.0.0.3      10.0.0.10
     /  |  \       /  |  \
   23  110 5150   43 210 443

* Identify unnecessary use of ports
Defense in Depth
* Diversify to keep the vulnerabilities at a minimum
Policy Focus
* Focus on the problem * Recognize the symptoms, but keep the focus on the problem
Inbound Network Traffic
* Monitor inbound network traffic; the focus is on prevention
Outbound Network Traffic
* Monitor outbound network traffic; the focus is on detection * The majority of problems are outbound
Viruses
* Typically targeted at users * requires an executable 1) Parasitic malware that relies on executable code insertion and user interaction to spread
Business Impact Analysis (BIA)
* Guard rails against a serious disaster that would shut the business down 1) Determine the Maximum Tolerable Downtime 2) BIA is useful for the DRP 3) BIA evaluates the effect of a disaster over a period of time 4) Builds on the Risk Assessment results
Eradication (Incident Handling)
*MOST CRITICAL STEP* 1) Fix the problem before putting the resources back online 2) Determine the cause, not the symptoms 3) Identify and remove back doors 4) Improve defenses 5) Perform Vulnerability analysis 6) Ensure REINFECTION does not occur
Business Continuity Plan
*Proactive* Overarching strategic planning focused on the processes and on fixing them before problems occur
Disaster Recovery Plan
*Reactive* Plan to fix, repair and recover from incidents
Key Mistakes (Incident Handling)
*Number 1 mistake:* 1) Failure to report or ask for help 2) Incomplete/non-existent notes 3) Mishandling/destroying evidence 4) Failure to create a working backup 5) Failure to contain or eradicate 6) Failure to prevent re-infection 7) Failure to apply lessons learned
Availability vs Destruction
Accessible when needed by those who need it
Recovery (Incident Handling)
1) *Ensure compromised code is not restored* 2) Validate the system 3) Decide when to restore operations 4) Monitor the systems very closely
Containment (Incident Handling)
1) *GOAL* is to stabilize the environment 2) Make a backup of the system for analysis 3) Incident Handler should not make things WORSE 4) Secure the area 5) Physical vs. Virtual Containment 6) Change passwords locally
SALT (Unix)
1) 8 digit random string of characters associated with a set of characters 2) Strings are individual and unique to each entry 3) Minimizes the effectiveness of Rainbow Tables
Managing Access
1) Account Administration 2) Maintenance 3) Monitoring 4) Revocation
Malware defense techniques
1) Activity monitoring programs 2) Malware scanners 3) File and resource integrity checking 4) Stripping e-mail attachments 5) Remember defense-in-depth 6) Patch all systems
Define an Incident
1) Adverse event in an information system and/or network, or the threat of the occurrence of such an event 2) Implies harm, or the attempt to do harm 3) A single event may or may not be an incident * All Incidents are composed of an EVENT, but not all Events are Incidents
Copyright
1) All copyrights belong to the organization 2) Must be listed in the NDA 3) Anything created in a LEGAL, LAWFUL manner belongs to the company
Incident Handling Fundamentals
1) An action plan for dealing with intrusions, cyber-theft, denial of service, malicious code, fire, floods and other security-related events 2) Intentional or unintentional
Define an Event
1) Any observable occurrence in a system and/or network 2) Observable events compose an incident
Information Warfare Theory
1) Asymmetric warfare 2) Indications and warning 3) Players and roles 4) Measures of effectiveness 5) Cycle time
Worm
1) Attacks systems through known vulnerabilities 2) Automatically scans for more systems to attack * often targets servers 3) Lowers system defenses, installs a rootkit or root shell, and/or informs the attacker the system has been compromised * often 'burrows' or runs on an internal network * Newer worms attack private IPs
Brute Force Attack
1) Attempts every combination of characters 2) Will always work 3) Slow and Methodical
Role-Based (RBAC)
1) Based on group membership 2) Can only be in one role at a time
Separation of Duties (Controlling Access)
1) Break critical tasks across multiple people to limit your point of exposure
Contingency Planning
1) Business Continuity Plan 2) Disaster Recovery Plan
Data Classification
1) Categories to reflect needs of a company 2) Minimum of two categories 2a) Public: information for public use or will not damage the company 2b) Private (not releasable to the public): detrimental impact if information becomes public knowledge
Rotation of Duties (Controlling Access)
1) Change jobs on a regular basis to prevent anyone from being able to get comfortable in a position 2) Prevents anyone from being able to cover their tracks and minimizes the chance of *collusion*
Hybrid Attack
1) Combination of Dictionary and Brute Force attack 2) Faster than Brute Force and more accurate than Dictionary
Policy Procedures
1) Complement the Policy 2) Detailed step-by-step of the stipulations in Policies 3) Reference the policies
3 Goals of Security (CIA Triad)
1) Confidentiality / Disclosure 2) Integrity / Alteration 3) Availability / Destruction
Burden of Proof (Incident Handling)
1) Criminal Case: 90% 2) Civil Case: 51%
Change Control
1) Critical to success 2) A way to detect when a change occurs to the baseline
Malware
1) Destruction of Data 2) Leaking Confidential Information 3) Providing a backdoor access 4) Countless other opportunities
Authorization (IAAA)
1) Determining what someone has access to or is allowed to do after the authentication
Types of Password Assessment
1) Dictionary Attacks 2) Hybrid Attack 3) Brute Force Attack 4) Precomputation brute force attack (Rainbow table)
Direct Evidence (Incident Handling)
1) Direct evidence comes from what the Incident Handler actually saw or experienced 2) Not what the Incident Handler surmised
Access Control Techniques
1) Discretionary Access Control (DAC) 2) Mandatory Access Control (MAC)
Chain of Custody (Incident Handling)
1) Document (accurately) evidence items and their custody, transfer, and disposition 2) Maintain a provable chain of custody 2a) Attestation 2b) Collect 2c) Ensure evidence is auditable 2d) Sign and seal
Need to Know (Controlling Access)
1) Grant access to what is needed when they need it 2) Take it away when the time elapses
Least Privilege (Controlling Access)
1) Grant the least amount of access required to perform their duties
Irreversible
1) Hashing of information 2) One way transformation 3) Recommended
Incident Response Plans
1) Help to know what to do when an incident occurs 1a) Planning is everything
Standard
1) High level overview of policy
IAAA
1) Identification 2) Authentication 3) Authorization 4) Accountability
Information Centric
1) Identify critical assets and provide layered protection 2) Data is accessed by applications 3) Applications reside on hosts 4) Hosts operate on networks
Lessons Learned (Incident Handling)
1) Identify the most relevant conclusions and areas for improvements 2) Develop a report with a consensus 3) Conduct lessons learned within 24 hours 4) Send recommendations to management 4a) Include cost analysis
Indications and Warnings
1) In an information economy, events in the "real world" must be reflected on the net 2) Collected and analyzed data might include indications, some of which raise warnings. 3) Warnings should be analyzed and appropriate action taken
Monitoring (Managing Access)
1) Includes auditing access authorizations and failures
Accountability (IAAA)
1) Knowing who did what and when 2) Accurate and extensive logs
Security Policies
1) Laws of Securing a network 2) Short and concise *6-10 pages Max* 3) Written for the Common User 3a) 'Speed Limit Sign' model: Concise, readable, digestible
Controlling Access
1) Least Privilege 2) Need to Know 3) Separation of Duties 4) Rotation of Duties
Token-Based
1) List of permitted objects for each user
Dictionary Attack
1) List of words 2) Fast 3) Not guaranteed to work
List-Based
1) List of permitted users for each object
Access control View of Material
1) List-Based 2) Token-Based
Implementation of Access Control
3) Role-Based (RBAC) 4) Ruleset-Based (RSBAC)
Preparation (Incident Handling)
1) MOST Critical and often Overlooked ** Assume the attacker is better, smarter and faster than you ** 2) Use Out-of-Band Communication 3) Policy 3a) Organizational Approach 3b) Inter-Organizational 4) Obtain MANAGEMENT SUPPORT 5) Identify contacts in other organizations (legal, law enforcement, partners) 6) Select Team Members *carefully* 7) Compensate Team Members 8) Update Disaster Recovery plan 9) Have an Emergency Communications Plan 10) Escrow passwords and encryption keys 11) Provide Training 12) Provide checklists and procedures 13) Have a jump bag (equipment) with everything you need to handle an incident
Discretionary (DAC)
1) Managed by Users
Uniform Protection
1) Most common approach to DiD 2) Firewall, VPN, Intrusion Detection, Antivirus, Patching 3) All parts of the organization receive equal protection 4) Treats all systems the same
Three TOP 20 Lists (Outbound Traffic)
1) Number of Connections 2) Length of Connections 3) Amount of Data ------------------------ (High false positives, but improve the accuracy of finding vulnerabilities) 4a) Percent of Encrypted Traffic 4b) Destination IP Address
Single Sign-On (SSO)
1) Only log on once 2) Credentials are carried with the user 3) Simplifies user management 4) Only have to remember one set of credentials 5) Used with Multi-Factor Authentication
Account Administration (Managing Access )
1) Only set up accounts for those who need them 2) Use best practice
Business Continuity Plan (BCP) Key Components
1) Planning 1a) Assess - Identify threats 1b) Evaluate - likelihood and impact of each threat 2) BCP 2a) Prepare - contingent operations 2b) Mitigate - reduce or eliminate risks 3) DRP 3a) Respond - minimize the impact 3b) Recover - return to normal
Non-Disclosure Agreement
1) Policy covers use, control, and enforcement of the NDA 2) Protects both parties *Must be one-sided* 3) Protects sensitive information 4) A legal document has certain specific requirements
Effective Policy Triad
1) Policy: Should be measurable and tied to a metric (Realistic) 2) Training: Understanding of Policies and procedures (Achievable) 3) Awareness: Changes behavior and attitude (Specific)
Six Step Incident Handling
1) Preparation 2) Identification 3) Containment 4) Eradication 5) Recovery 6) Lessons Learned
Password Hash Strength
1) Quality of Algorithm 2) Key Length 3) CPU Cycles 4) Character set support 5) Password length
NTLMv2
1) Randomizes a string of characters associated with a password 2) Uses domain name, server challenge and other variables to randomize the hash 3) Minimizes the effectiveness of Rainbow Tables
Real Evidence (Incident Handling)
1) Real evidence is tangible 1a) Computers, USBs, etc.
Attacker Kill Chain
1) Recon 2) Scanning **** THREAT OF ADVERSE EVENT **** (ratio of threats to events 2000:1) 3) Exploitation **** ADVERSE EVENT **** 4) Create Backdoor 5) Cover tracks
Revocation [Off-Boarding] (Managing Access)
1) Removal of access when necessary
ISO 17799 (Incident Handling)
1) Report security breaches and cyber crimes
Mandatory (MAC)
1) Requires matching classification and clearance for access
Reversible Encryption
1) Reversible Algorithms 2) Symmetric and Asymmetric 3) Not recommended for passwords
Maintenance (Managing Access)
1) Review account data for errors and inconsistencies
Ruleset-Based (RSBAC)
1) Rules for specific Objects 2) Used with firewalls
Propagation Techniques
1) Social Networking 2) Email attachments 3) Web browsing 4) Removable media 5) Network Vulnerabilities
Baseline
1) Standard implemented for all like devices and processes
Incident Response Personality Traits
1) Stay Calm Under Pressure 2) TEAM PLAYER
Vector-Oriented
1) The threat requires a vector to cross the vulnerability 2) Stop the ability of the threat to use the vector: a) USB thumb drives - Disable USB b) Auto-answer modems - Digital phone PBX
4 approaches to Defense In Depth
1) Uniform Protection 2) Protected Enclaves 3) Information Centric 4) Threat Vector Analysis
Rainbow Table (Precomputation attack)
1) Uses the Hash associated with the passwords
Asymmetric Warfare
1) Using unconventional means (USS Cole, Twin Towers, etc) to create chaos and discontent
Identification (Incident Handling)
1) Who should identify an incident? 2) How do you identify an incident? 2a) IDS alerts, failed or unexplained events, poor performance 3) Alert early without 'jumping to conclusions' 3a) Look at all facts 3b) Accurate reporting 4) Notify the correct people 5) Utilize Help Desk or other 'on board' staff to track information 6) Assign a primary handler 7) *Do Not MODIFY Information* 8) Identify possible witnesses and evidence 9) Determine whether an event is an incident 10) Identify evidence
Protected Enclaves
1) Work groups that require additional protection are segmented from the rest of the internal organization 2) Restricting access to critical segments 3) Internal Firewalls 4) VLANs and ACLs
Identification (IAAA)
1) You are who you claim to be
Guidelines
1) Hints, tips and 'tricks' for following policies
Configuration Management
1) The discipline of establishing a known baseline condition, and then managing that condition 1a) Accurate baseline document
Integrity vs Alteration
Authentic and complete. Sufficient and accurate. Trustworthy and reliable.
Top 5 List of Threats
Critical data and the processes that support it; likely threats; most likely vulnerabilities
Confidentiality vs Disclosure
Only shared among authorized persons or organisations
Authentication (IAAA)
Process by which you prove you are who you say you are: a) Something you know b) Something you have c) Something you are d) Some place you are
*SMART* Test for Polices
S - Specific M - Measurable A - Achievable R - Realistic T - Time-based
Password Hashes are stored in
SAM database (Windows), /etc/shadow file (Unix)
Risk (Formula)
Threat x Vulnerability (to that threat)
Reduce Risk
To reduce risk, reduce vulnerabilities
Questions for CEOs
What are the things that worry you most? What could cause you to be removed from the board? What keeps you up at night?