Post on 26-Jan-2015
Enterprise security back to basics
Joel Cardella
My profile
• Joel Cardella
• Over 20 years in IT; operations, data center, application development, architecture and security
• Regional Security Officer for North Americas
• Global company (41,000 users) with local information security control (8,500 users)
Assumptions
• You have some basic understanding of information security
• You are aware that some risks exist in your enterprise
• You have in some ways secured your enterprise, using basic security techniques
  • Firewalls
  • Policy control
  • User access rights
• You are running a mostly Microsoft environment, with some variations
  • Active Directory authentication
  • Active Directory User & Computer management
• You are worried that you may have missed something
Assumptions
• You are confident of your existing processes
  • ARE YOU SURE?
• You need more robust controls
• You need better ways to measure
• You are immature in security and need to improve your posture
Why this talk?
You can pay now, or you can pay more later … but you will eventually have to pay
Who benefits from this talk?
• Practitioner
  • You need to implement or improve
  • New to infosec
  • Veteran – everyone needs reminders!
• Manager
  • Know your people, their skills and knowledge
  • Know your business and how you support it
• Executive
  • Know what questions to ask
  • Know your risks
LET’S TALK RISK
Risk Defined in Security Terms
THREATS X VULNERABILITIES = RISK
  Threats: offense; likelihood; drives the risk calculation
  Vulnerabilities: defense; impact; dealing with them reduces risk
• Threats increase risk
• Dealing with vulnerabilities reduces risk
• When a threat connects with a vulnerability, there is impact
Source: Dr Eric Cole, SANS
What risk can we control?
THREATS X VULNERABILITIES X TIME = RISK
  Threats: no control
  Vulnerabilities: indirect control (vendor reliance)
  Time: direct control (issuing patches & updates)
None of these values is ever zero, but we should work toward zero
Where do we start?
Source: http://www.northropgrumman.com/AboutUs/Contracts/ManagedServices/Pages/SecurityServices.aspx
Back to basics – The Pareto Principle
• In your enterprise, can you manage to the 80/20 rule?
  • If you can focus on 20% of your basics, you can address 80% of your risk
• Vendors love to focus on the other 80%
  • This is the sexy space, where the talking points come from
  • So the inverse would also be accurate, where looking at the bottom 80% only addresses 20% of the risk!
Case study
• A major retailer was “Target-ed” by a very sophisticated malware attack
• It gained major media attention, and prompted a congressional inquiry
• It is the first case in which a CEO was ousted due to a security event (though it was also likely driven by the PR disaster)
Case study – the numbers
Source: http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/
40 Million: The number of credit and debit cards thieves stole from Target between Nov. 27 and Dec. 15, 2013.
70 Million: The number of records stolen that included the name, address, email address and phone number of Target shoppers.
$200 Million: Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards — about half of the total stolen in the Target breach.
46%: The percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before. ($480M)
$53.7 Million: The income that hackers likely generated from the sale of 2 million cards stolen from Target and sold at the mid-range price of $26.85 (the median price between $18.00 and $35.70).
1M – 3M: The estimated number of cards stolen from Target that were successfully sold on the black market and used for fraud before issuing banks got around to canceling the rest.
$100 Million: The number of dollars Target says it will spend upgrading their payment terminals to support Chip-and-PIN enabled cards.
0: The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach.
0: The number of people in Chief Information Security Officer (CISO) or Chief Security Officer (CSO) jobs at Target (according to the AP).
$55 Million: The number of dollars outgoing CEO Gregg Steinhafel stands to reap in executive compensation and other benefits on his departure as Target’s chief executive.
Media focuses on this … but the problem starts here!
Let’s start at the very beginning…
• A phishing email is sent to a Target vendor
• Vendor is successfully phished, vendor account is compromised
• Adversary logs into Target systems with the vendor account
• Once successfully logged in, adversary launches a privilege escalation attack
• Once successful, the adversary can now traverse the Target network unfettered, create more accounts, create file shares, etc
• Hilarity ensues
Even if this is not precisely what occurred, it is a great example of typical attack vectors
From the Bloomberg article
• ”Target’s system, like any standard corporate network, is segmented so that the most sensitive parts—including customer payments and personal data—are walled off from other parts of the network and, especially, the open Internet.”
• “Target’s walls obviously had holes.”
http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
[Diagram: vendor account, VPN, AD, four Target PCs]
Scenario 1 – Vendor account has no privilege
[Diagram: vendor account, VPN, AD, four Target PCs]
Scenario 2 – Vendor account has privileges escalated
How could Back to Basics have prevented either of these scenarios?
BEFORE YOU START…
Security basics
• Security requires resources; you must invest to get a return
• If you don’t invest the resources, you will increase the vulnerability and likelihood
• Basics should include
  • Prevention
  • Detection
  • Response
  • Recovery
Things to remember
• Act/think like an adversary; be hostile toward your own network and you will learn things you did not know existed
• Find and understand your baselines
• Document your findings; document everything
• Make a plan
  • Decide what you want to address
  • Keep your scope small (80/20)
• Go back and do it all again
  • Verify your assumptions, verify your baselines
  • Document changes
  • Continuously improve
Business context is everything
• Do you understand your business?
• How does your IT infrastructure support your business?
• Do you understand the functions of your IT segments, and how they support your business operations?
  • Example: Is your website critical to your business?
  • How will your firewall affect this? Does it have anything to do with it?
• Document it!
FOUNDATIONAL APPROACHES
SANS 20 Critical Security Controls
Controls (number of quick wins in parentheses):
• 1: Inventory of Authorized and Unauthorized Devices (3)
• 2: Inventory of Authorized and Unauthorized Software (3)
• 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers (5)
• 4: Continuous Vulnerability Assessment and Remediation (4)
• 5: Malware Defenses (7)
• 6: Application Software Security (2)
• 7: Wireless Access Control (2)
• 8: Data Recovery Capability (2)
• 9: Security Skills Assessment and Appropriate Training to Fill Gaps (1)
• 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches (1)
• 11: Limitation and Control of Network Ports, Protocols, and Services (4)
• 12: Controlled Use of Administrative Privileges (9)
• 13: Boundary Defense (2)
• 14: Maintenance, Monitoring, and Analysis of Audit Logs (5)
• 15: Controlled Access Based on the Need to Know (1)
• 16: Account Monitoring and Control (9)
• 17: Data Protection (4)
• 18: Incident Response and Management (6)
• 19: Secure Network Engineering (1)
• 20: Penetration Tests and Red Team Exercises (2)
73 Quick Wins
Quick wins provide significant risk reduction without major financial, procedural, architectural, or technical changes to an environment, or provide such substantial and immediate risk reduction against very common attacks that most security-aware organizations prioritize these key controls.
Source: https://www.sans.org/media/critical-security-controls/CSC-5.pdf
AU Defence Signals Directorate
Rapid approach to the basics
• Application whitelisting (CSC 2/DSD 1)
• Use of standard, secure system configurations (CSC 3)
• Patch application software within 48 hours (CSC 4/DSD 2)
• Patch system software within 48 hours (CSC 4/DSD 3)
• Reduce number of users with administrative privileges (CSC 3 and 12/DSD 4)
• DSD suggests these will fit into the Pareto principle and address 80% of your risks
DSD ratings
Columns: Mitigation strategy | Overall security effectiveness | User resistance | Upfront cost (staff, equipment, technical complexity) | Maintenance cost (mainly staff) | Helps detect intrusions | Helps mitigate intrusion stage 1: code execution | Helps mitigate intrusion stage 2: network propagation | Helps mitigate intrusion stage 3: data exfiltration

Application whitelisting of permitted/trusted programs, to prevent execution of malicious or unapproved programs including DLL files, scripts and installers. | Essential | Medium | High | Medium | Yes | Yes | Yes | Yes
Patch applications, eg, Java, PDF viewers, Flash, web browsers and Microsoft Office. Patch or mitigate systems with 'extreme risk' vulnerabilities within two days. Use the latest version of applications. | Essential | Low | High | High | No | Yes | Possible | No
Patch operating system vulnerabilities. Patch or mitigate systems with 'extreme risk' vulnerabilities within two days. Use the latest suitable operating system. Avoid Windows XP. | Essential | Low | Medium | Medium | No | Yes | Possible | No
Restrict administrative privileges to operating systems and applications based on user duties. Such users should use a separate unprivileged account for email and web browsing. | Essential | Medium | Medium | Low | No | Possible | Yes | No
Reconnaissance | Good | Low | Low | Low | Yes | Possible | Yes | No
Network segmentation | Excellent | Low | Medium | Low | No | Possible | Yes | Yes
Account management | Excellent | Medium | Low | Low | No | Yes | Yes | Possible
Controlled access | Essential | Medium | Medium | Low | No | Possible | Yes | No
Auditing/accounting | Excellent | Low | High | Medium | Yes | No | No | No
Physical Security | Good | High | Low | Medium | No | Yes | Yes | Yes
Backup Strategy | Excellent | Low | High | Medium | No | No | No | Yes
Adapted From: http://www.asd.gov.au/infosec/top-mitigations/top35mitigations-2014-table.htm
SIMPLE APPROACH TO THE BASICS
Targeted basics
• Reconnaissance
• Network segmentation
• Account management
• Controlled access
• Auditing/accounting
• Physical Security
• Backup Strategy
• Governance
Basics explained
• WHAT TO ASK
  • Questions to ask both down and up
• WHAT TO DO
  • Steps you can take
• TOOLBOX
  • Tools you can use
• HOW IT APPLIES
  • How it can mitigate the problem in our case study
RECONNAISSANCE
Recon – WHAT TO ASK
• What are your assets?
  • Hardware
  • Software
• Are you aware of authorized vs unauthorized assets?
• Can you tell when this changes?
• ARE YOU SURE?
Recon – WHAT TO DO• Create a standard user account
• Log in from the outside and from the inside (both sides of your firewall)
• Where can you go? What can you see? What do you have access to?
• Do you understand what you are seeing?
• Are you forgetting anything? Look for examples of what other breaches have occurred and what they have tried
• Threat modeling works well here
Recon – TOOLBOX
• Standard RDP / SSH
• Inventory tools
  • Spiceworks (http://www.spiceworks.com)
  • BelArc (http://www.belarc.com)
  • Lansweeper (http://www.lansweeper.com)
• System Management Tools
  • SCCM/Altiris/Dameware
• Threat modeling info
  • http://www.jwgoerlich.us/blogengine/post/2014/04/29/Update-on-Story-Driven-Security.aspx
[Diagram: vendor account, VPN, AD, four Target PCs]
Scenario 1 – Vendor account has no privilege
Systems allow account logins at the OS
[Diagram: vendor account, VPN, AD, four Target PCs]
Scenario 2 – Vendor account has privileges escalated
Systems allow account logins at the OS but only for privilege
Recon would show us what this account can actually do with its privilege
NETWORK SEGMENTATION
Network segmentation – WHAT TO ASK
• Do you have network segmentation?
  • Protected enclaves can be formed with firewalls, VPNs, VLANs and Access Control Lists and Network Access Control
• Do you allow access to any network resources from the outside?
  • How are they controlled?
• ARE YOU SURE?
Network segmentation – WHAT TO DO
• Create a “secure zone” using your smart switches or firewall rules
  • External and internal (non-employees vs employees)
  • Internal zones (trusted and untrusted)
• You should have a basic classification scheme to decide what will fall into these zones
• Document this!
• Inside the trusted zone, allow only certain accounts or certain systems to talk to each other
  • Never let generic user or non-privileged accounts access critical server infrastructure at the OS layer
  • Accounts which use VPN logins should be limited by ACLs or IP address
  • For example: separate your public and private wireless spaces using firewall rules
  • Limit VPN access per account using IP ACLs
Network segmentation – TOOLBOX
• Some free firewall tools to help you
  • http://www.solarwinds.com/products/freetools/firewall-browser.aspx
  • http://www.fwbuilder.org/
• This is going to take a lot of time and investment
  • You have to have subject matter expertise
  • You have to make ongoing reviews; frequency depends on how many changes happen
  • Make it worth it; document everything
[Diagram: vendor account, VPN, AD, four Target PCs]
Scenario 1 – Vendor account has no privilege
[Diagram: vendor account, VPN, AD, four Target PCs]
Scenario 2 – Vendor account has privileges escalated
Changes over time to firewall rules create holes
Network segmentation is in place … but is it working as designed?
This requires the most care and feeding of any basic control
ACCOUNT MANAGEMENT
Account management – WHAT TO ASK
• What types of accounts exist in your enterprise?
• Do you know who owns those accounts?
• Do you know if those accounts are still valid?
• If you have system or service accounts, do you know what they have access to (zones)?
• ARE YOU SURE?
Account management – WHAT TO DO
• Manage your accounts by policy and technical enforcement
  • Expire passwords/password complexity
  • Use ACLs to manage access to your systems
  • Restrict access within your zones
  • Enforce 2nd factor authentication for vendor/contractor access
  • For employees if you can! For everyone!
• Inventory your accounts and their parameters
• Know your vendors by their accounts
Key quotes
• “In fairness to Target, if they thought their network was properly segmented, they wouldn’t have needed to have two-factor access for everyone,” Litan said. “But if someone got in there and somehow escalated their Active Directory privileges like you described, that might have [bridged] that segmentation.” - http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/
In all fairness to Ms. Litan, I disagree. Why? Because they were not sure.
Account management – TOOLBOX
• Fail2ban (Unix)
  • http://sourceforge.net/projects/fail2ban/
• Winfail2ban
  • http://winfail2ban.sourceforge.net/
• 2nd factor authentication
  • Google Authenticator - https://support.google.com/accounts/answer/1066447?hl=en
  • Microsoft Phonefactor - http://technet.microsoft.com/en-us/magazine/dn448533.aspx
  • Duo Security – https://www.duosecurity.com/
• Windows Powershell
  • http://technet.microsoft.com/en-us/scriptcenter/ee861518.aspx
  • Get-ADUser -Filter * -SearchBase "DC=ad,DC=company,DC=com"
KEY SECURITY STRATEGY!
[Diagram: vendor account, VPN, AD, four Target PCs; 2nd factor challenge at login]
Scenario 1 – Vendor account has no privilege
Systems allow account logins at the OS
Internal firewalls have holes
[Diagram: vendor account, VPN, AD, four Target PCs; 2nd factor challenge at login]
Scenario 2 – Vendor account has privileges escalated
Systems allow account logins at the OS but only for privilege
Internal firewalls have holes
2nd factor authentication would have prevented BOTH scenarios!
CONTROLLED ACCESS
Controlled access – WHAT TO ASK
• What systems can talk to each other?
  • Are they in different zones? Do they need to be?
• Do your business people have access to information they do not need to do their jobs?
• Do your administrators have more access than they need to do their jobs?
  • What about non-admins?
• ARE YOU SURE?
Controlled access – WHAT TO DO
• Access based on need to know/need to work
  • Classification scheme is needed for this
• Establish a policy of access based on need to know/need to work
  • Establish approval mechanism for special exceptions
• Talk to the business to find out what access they need, and create a Segregation of Duties (SoD) matrix
• Enforce SoD through system constraints and involve the business in the SoD approvals
Controlled access – TOOLBOX
• Don’t allow continuous membership in Enterprise Admins or Schema Admins
  • Limit access to these groups to senior admins only
• Monitor additions to Domain Admins group and keep this group as small as possible
• Monitor groups for changes
  • SCOM
  • Netwrix (http://www.netwrix.com/)
  • Quest tools (http://www.quest.com/)
• Within AD, delegate authority – slightly more secure approach
  • http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx
  • Use AD security groups / delegation to restrict access to resources based on SoD matrix
[Diagram: vendor account, VPN, AD, four Target PCs]
Scenario 1 – Vendor account has no privilege
Controlled access only allows logins from certain accounts
[Diagram: vendor account, VPN, AD, four Target PCs]
Scenario 2 – Vendor account has privileges escalated
Systems allow account logins at the OS but only for privilege
Controlled access would not allow the escalation attack, and/or alert to the attempt
AUDITING/ACCOUNTING
Auditing/Accounting – WHAT TO ASK
• Do you have logs?
• Where do they log to?
• Who has access to the logs?
• Do you understand them?
• Are they resistant to change?
• ARE YOU SURE????
Auditing/Accounting – WHAT TO DO
• Logging needs to be actionable
  • Start small; then get better
• Set up a central logging server and point your logs to that
  • Allow only authorized persons access to this server
• Then parse your logs using a tool like Splunk, or Windows Security and Operations Center
Auditing/Logging – TOOLBOX
• https://www.sans.org/reading-room/whitepapers/logging/discovering-security-events-interest-splunk-34272
• [WinEvent]
  sourcetype="WinEventLog:Security" ("EventCode=675" OR ("EventCode=672" AND Type="Failure Audit")) OR (EventCode=4771 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19 | stats count by Account_Name | where count > 3
• [XSS]
  source="/var/log/my-app/application.log" "&#" OR "script" OR "`" OR "cookie" OR "alert" OR "%00"
• [SQL Inj]
  source="/var/log/my-app/application.log" (' AND =) OR (' AND ;) OR (drop table) OR --
Author: Carrie Roberts
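As an added example (not from the deck or from Carrie Roberts' paper), the same logic as the [WinEvent] search above, run in Python over constructed sample Windows Security events: failed Kerberos authentications (675, 672 failure audits, 4771 failure audits) are counted per account, machine accounts and the benign 0x19 failure code are skipped, and any account over the threshold is reported. The flattened key=value event format and the account names are assumptions; unlike the Splunk search, legacy 672/675 events are counted under User_Name when Account_Name is absent.

```python
import re
from collections import Counter

# Constructed sample Windows Security events (not real logs), flattened to the
# key=value fields the [WinEvent] search references. Kerberos failure code 0x19
# ("pre-authentication required") is the normal first round-trip, so it is noise.
SAMPLE_EVENTS = """\
EventCode=4771 Type="Audit Failure" Account_Name=vendor01 Failure_Code=0x18
EventCode=4771 Type="Audit Failure" Account_Name=vendor01 Failure_Code=0x18
EventCode=4771 Type="Audit Failure" Account_Name=vendor01 Failure_Code=0x18
EventCode=4771 Type="Audit Failure" Account_Name=vendor01 Failure_Code=0x18
EventCode=4771 Type="Audit Failure" Account_Name=vendor01 Failure_Code=0x18
EventCode=4771 Type="Audit Failure" Account_Name=jsmith Failure_Code=0x19
EventCode=4771 Type="Audit Failure" Account_Name=jsmith Failure_Code=0x19
EventCode=4771 Type="Audit Failure" Account_Name=jsmith Failure_Code=0x19
EventCode=4771 Type="Audit Failure" Account_Name=jsmith Failure_Code=0x19
EventCode=4771 Type="Audit Failure" Account_Name=WKS01$ Failure_Code=0x18
EventCode=4771 Type="Audit Failure" Account_Name=WKS01$ Failure_Code=0x18
EventCode=4771 Type="Audit Failure" Account_Name=WKS01$ Failure_Code=0x18
EventCode=4771 Type="Audit Failure" Account_Name=WKS01$ Failure_Code=0x18
EventCode=672 Type="Failure Audit" User_Name=svc_backup Failure_Code=0x18
EventCode=672 Type="Failure Audit" User_Name=svc_backup Failure_Code=0x18
EventCode=672 Type="Failure Audit" User_Name=svc_backup Failure_Code=0x18
EventCode=672 Type="Failure Audit" User_Name=svc_backup Failure_Code=0x18
EventCode=672 Type="Success Audit" User_Name=svc_backup
EventCode=4768 Type="Audit Success" Account_Name=vendor01
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_failed_kerberos_auth(ev):
    """Selection clause of the search: 675, 672 failure audits, 4771 failure audits."""
    code = ev.get("EventCode")
    if code == "675":
        return True
    if code == "672" and ev.get("Type") == "Failure Audit":
        return True
    # The search matches "Audit Failure" as free text; here it is read from Type.
    return code == "4771" and ev.get("Type") == "Audit Failure"


def account_of(ev):
    """Pre-2008 events (672/675) carry User_Name; 4771 carries Account_Name."""
    return ev.get("Account_Name") or ev.get("User_Name") or ""


def suspicious_accounts(lines, threshold=3):
    """Accounts with more than `threshold` failed authentications, as {name: count}."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if not is_failed_kerberos_auth(ev):
            continue
        acct = account_of(ev)
        if not acct or acct.endswith("$"):      # NOT (User_Name="*$" OR Account_Name="*$")
            continue
        if ev.get("Failure_Code") == "0x19":    # NOT Failure_Code=0x19
            continue
        counts[acct] += 1                       # stats count by account
    return {name: n for name, n in counts.items() if n > threshold}  # where count > 3


if __name__ == "__main__":
    for name, n in suspicious_accounts(SAMPLE_EVENTS.splitlines()).items():
        print(f"{name}: {n} failed Kerberos authentications")
```

On the sample, vendor01 (5 failures) and svc_backup (4) are reported; jsmith is dropped by the 0x19 filter and WKS01$ by the machine-account filter.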
Not a preventive measure
• This is not a preventive measure, however it does allow for:
  • Detection of events in real time (with tools that do this)
  • Forensic examination of events after the fact
  • Leaves a trail that can be used to identify attack patterns
• You MUST make your logs resilient to change
  • Log everything to a central server, or mirror them
  • Restrict access to this system to only authorized security persons
  • Trust but verify
PHYSICAL SECURITY
Physical security – WHAT TO ASK
• Do you allow OEM devices to be connected to your network?
• Do you allow vendors/contractors access to facility and internal network?
• Do you have mobile devices in your enterprise?
  • How do you secure them?
• You know what I’m going to say!
• Are you sure?
Physical security – WHAT TO DO
• USB sticks
  • Use GPOs to restrict what can connect to your network (least cost) or use DLP software to restrict data that can be moved (most costly)
  • Disable Autorun (GPO)
• Physically restrict your network
  • Guest cubes or multiple drops with ports on the untrusted network
• Security of mobile devices
  • Enforcing screen lock; this may be the most meaningful with the least amount of impact
  • Encryption of data at rest
  • Awareness of connected devices
Physical security – TOOLBOX
• ADM templates to disable USB
  • http://blogs.technet.com/b/danstolts/archive/2009/01/21/disable-adding-usb-drive-and-memory-sticks-via-group-policy-and-group-policy-preferences.aspx
• Physically restrict your network
  • Guest cubes or multiple drops with ports on the untrusted network
• Security of mobile devices
  • Enforcing screen lock (GPO); this may be the most meaningful with the least amount of impact
  • Encryption of data at rest (Bitlocker)
  • Awareness of connected devices
• Simple Powershell commands
  • http://help.outlook.com/en-us/140/gg985420.aspx
Physical Security Described
• Physical security would not have been applicable to our case study
• Physical security is important when you have non-employees in a facility that can access your internal network
• Physical security is important when you have assets that travel outside your network
BACKUP STRATEGY
Backup strategy – WHAT TO ASK
• Do you have a backup strategy?
  • Is it documented?
• Does it align with your business needs?
  • Backups cost money, time and resources
  • Do you back up more than you need?
• Do you have resources to verify/restore backups?
  • Do you regularly test backups?
  • When was the last time you did and what were the results?
  • Did you document this?
• ARE YOU SURE?
Backup strategy – WHAT TO DO
• Create a policy for regular backups
  • Identify critical systems & backup frequency
  • If you have a DRD in place make sure it’s being adhered to
• Document a Recovery Time Objective (RTO) and a Recovery Point Objective (RPO) for your backups
  • This aligns with disaster planning
  • Must be done in alignment with your business
• VERIFY YOUR BACKUPS
  • This is not negotiable or avoidable!
Back to Basics ratings
Columns: Mitigation strategy | Overall security effectiveness | User resistance | Upfront cost (staff, equipment, technical complexity) | Maintenance cost (mainly staff) | Helps detect intrusions | Helps mitigate intrusion stage 1: code execution | Helps mitigate intrusion stage 2: network propagation | Helps mitigate intrusion stage 3: data exfiltration

Reconnaissance | Excellent | Low | Low | Low | Yes | Possible | Yes | No
Network segmentation | Excellent | Low | Medium | Low | No | Possible | Yes | Yes
Account management | Excellent | Medium | Low | Low | No | Yes | Yes | Possible
Controlled access | Essential | Medium | Medium | Low | No | Possible | Yes | No
Auditing/accounting | Excellent | Low | High | Medium | Yes | No | No | No
Physical Security | Good | High | Low | Medium | No | Yes | Yes | Yes
Backup Strategy | Excellent | Low | High | Medium | No | No | No | Yes
Adapted From: http://www.asd.gov.au/infosec/top-mitigations/top35mitigations-2014-table.htm
GOVERNANCE TOOLBOX
Change management
• Who approves your security changes?
  • Is this documented and reviewed periodically?
• Who reviews your security changes for accuracy?
• Who follows up to verify the changes are still accurate?
• Document reasons for changes, approvals and mitigations
• ARE YOU SURE?
Establish a governance calendar
• The calendar contains your regular cadence of review activity
  • You can script reminders to the entities responsible for the review
  • SharePoint
  • Google scripts (Google calendar)
  • http://corporateservices.schwab.com/public/corporate/compliance_solutions
• Work this activity into your existing processes so they get prioritized
• Time box those activities!
  • Get SLAs/SLOs for teams on which you rely to perform these activities
TO CONCLUDE…
Important Enterprise Infosec Lessons
• There is no magic bullet – infosec is multi-layered and multi-disciplinary
• Infosec will cost you time, money and resources – measure your value appropriately
• Infosec is an active discipline; it requires care and feeding, you cannot install and forget
• Time is the enemy of infosec; the longer it takes, the higher the risks
• Infosec is a value add for your business, and it is up to you to show it
• Infosec is not a department of “no.” Market yourself like a startup
Security basics put simply…
• 1. If you think technology can fix security, you don’t understand technology and you don’t understand security.
• 2. The root cause of a security incident is rarely about the technology and almost always about the implementation.
• 3. Humans will always be the weakest link in the security chain. Awareness will mitigate the vast majority of your security issues … spend time and money on educating everyone in your company about security.
APPENDIX
Tools & references list
• http://csc-hub.com/ - Ken Evan’s awesome 20 CSC site
• http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx - AD rights delegation
• http://sectools.org/ - List of pay and free network tools
• http://www.poshsec.com/ - Powershell scripts that support the 20 CSC
• http://www.asd.gov.au/infosec/top35mitigationstrategies.htm - Australian DSD Top 35
• http://www.counciloncybersecurity.com – Council on Cybersecurity
• https://www.sans.org/reading-room/whitepapers/logging/discovering-security-events-interest-splunk-34272 - Carrie Roberts white paper on logging
• http://www.jwgoerlich.us/blogengine/post/2014/04/29/Update-on-Story-Driven-Security.aspx - J. Wolfgang Goerlich and Nick Jacob’s work on effective threat modeling
• http://www.theguardian.com/commentisfree/2014/may/06/target-credit-card-data-hackers-retail-industry - Brian Krebs’ op-ed on the current state of the Target breach and some of the false pretense
Contact info
• Joel Cardella
• Twitter: @JoelConverses
• Email: jscardella@pobox.com
• IRC: #misec on Freenode (joel_s_c)