Post on 16-Dec-2015
(n)Code Solutions
Presentation on the importance of a Secure Technology Infrastructure
What are Threats?

Internal Threats
- Human Error
- Dishonest / disgruntled employees
- Technical Sabotage

External Threats
- Virus
- Trojans / Worms / Malicious Code
- Hackers / Intruders
Protection from Threats

Internal protection for:
- Confidentiality
- Integrity
- Availability

External protection from:
- Virus
- Hackers / Intruders
- Malicious Code

Countermeasures:
- Patch Management System
- Intrusion Prevention Systems
- Intrusion Detection Systems
- Anti-Virus
- Content Management
- Firewalls
- VPN
- PKI
The need for Security?

World statistics on attacks and misuse, and the resulting business and financial losses:
- InternetWeek: 50% of corporations have had 30 or more penetrations; 60% lost up to $200K per intrusion
- Federal Computing World: over 50% of Federal agencies report unauthorized access (some in massive numbers)
- FBI/Computer Security Institute: 48% of all attacks originated from within the organization
- WarRoom Research survey: 90% of Fortune 500 companies surveyed admitted to inside security breaches
Common IT Security Shortcomings
- Lack of an enterprise-wide patch management system
- Lack of Intrusion Detection systems on both the inside and the outside of the perimeter
- No firewalls / weak firewalls in place
- All / a few servers directly open to the Internet
- Outgoing email server doesn't require authentication
- Only a partial content management / prevention solution
- Outdated / unpatched mail servers
Patch Management: Why reaction time matters
Reaction time is critical in preventing viruses and worms, which can cost organizations billions.
Forrester says that organizations typically require more than 300 days to fully deploy patches for most of these issues after the fix is available.
The race begins when the technical details of an issue (such as a security bulletin or release of exploit code) are made public.
Worm                        Days from release of exploit to worm appearance
Scalper (2002, FreeBSD)     11 days (*early disclosure)
Blaster (2003, Windows)     16 days
Code Red (2001, Windows)    24 days
Lion (2001, Linux)          53 days
Slapper (2002, Linux)       58 days
Melissa (1999, Windows)     64 days
Nimda (2001, Windows)       172 days
Slammer (2003, Windows)     180 days
Ramen (2001, Linux)         208 days
The SQL Slammer Worm: What Happened?
- MS SQL vulnerability and patch released July 2002
- Worm released at 05:30 GMT, January 25, 2003
- Saturation point reached within 2 hours of start of infection
- 250,000 – 300,000 hosts infected
- Internet connectivity affected worldwide
- Not easily detected by anti-virus since it did not write itself to disk

The SQL Slammer Worm: 30 Minutes After "Release"
- Infections doubled every 8.5 seconds
- Spread 100x faster than Code Red
- At peak, scanned 55 million hosts per second
The RPC Blaster Worm: What Happened?
- RPC vulnerability and patch published by Microsoft on July 16, 2003
- Vulnerability affects NT 4.0, Windows XP, Windows 2000 and Windows 2003 Server
- Blaster worm released Monday, August 11, 2003; its main targets are only Windows XP and Windows 2000
- Over 330,000 hosts infected in less than a week
- Microsoft had to make network changes to avoid a DDoS attack
- Worm variants appearing: Lovsan.B, Lovsan.C
Lessons Learned
- Applying patches must be done quickly and thoroughly
  - If the vulnerability applies to clients, these must be patched
  - One infected machine can scan and infect thousands of victims
- The network must be configured with QoS and have the intelligence to filter and control traffic when needed
- Complements to patches, such as host-based security agents, must be considered
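The two worm case studies above make the same point from the network side: Slammer lived only in memory, so host anti-virus missed it, and both worms revealed themselves by the scan rate of a single infected machine. The following is an added example, not code from the original slides, showing the kind of network-side detection the "Lessons Learned" call for: it walks a list of flow records and flags any source that contacts many distinct destinations on a worm-associated port within a short window. The port mapping (UDP/1434 for Slammer's SQL Server Resolution Service target, TCP/135 for Blaster's RPC DCOM target) is taken from public analyses of the two worms; the flow records, thresholds and host addresses are constructed for the example.

```python
"""Flow-based worm scan detector (added example; constructed sample data).

Detection idea: a worm such as Slammer or Blaster scans from an infected
host at a rate no legitimate client reaches, so a sliding-window count of
distinct destinations per source on the worm's port exposes it even when
host anti-virus sees nothing on disk.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since capture start
    src: str
    dst: str
    proto: str     # "udp" or "tcp"
    dport: int
    length: int    # payload bytes (informational only here)


# Ports targeted by the worms discussed in the slides (from public analyses):
# Slammer sent one UDP datagram to 1434; Blaster attacked RPC DCOM on TCP/135.
WORM_PORTS = {("udp", 1434): "Slammer-like", ("tcp", 135): "Blaster-like"}


def detect_scanners(flows, window=1.0, fanout=20):
    """Return {src: (label, peak_distinct_dsts)} for every source that reached
    at least `fanout` distinct destinations on a worm port inside any
    `window`-second interval. Thresholds are assumed values for the example."""
    by_key = defaultdict(list)
    for f in flows:
        label = WORM_PORTS.get((f.proto, f.dport))
        if label:
            by_key[(f.src, label)].append(f)

    alerts = {}
    for (src, label), fs in by_key.items():
        fs.sort(key=lambda f: f.ts)
        in_window = defaultdict(int)   # dst -> flows to it inside the window
        left = 0
        peak = 0
        for right in range(len(fs)):
            in_window[fs[right].dst] += 1
            # slide the left edge until the window is at most `window` seconds
            while fs[right].ts - fs[left].ts > window:
                d = fs[left].dst
                in_window[d] -= 1
                if in_window[d] == 0:
                    del in_window[d]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= fanout:
            alerts[src] = (label, peak)
    return alerts


def sample_flows():
    """Constructed traffic: one normal SQL client, one Slammer-like scanner,
    one Blaster-like scanner, and a busy web client on a non-worm port."""
    flows = []
    # 10.0.0.5: three UDP/1434 lookups to one server over 8 s (legitimate)
    for i in range(3):
        flows.append(Flow(i * 4.0, "10.0.0.5", "10.0.1.1", "udp", 1434, 1))
    # 10.0.0.7: 50 distinct targets on UDP/1434 in half a second (Slammer-like)
    for i in range(50):
        flows.append(Flow(10.0 + i * 0.01, "10.0.0.7", f"172.16.0.{i}", "udp", 1434, 376))
    # 10.0.0.9: 30 distinct targets on TCP/135 in under a second (Blaster-like)
    for i in range(30):
        flows.append(Flow(20.0 + i * 0.03, "10.0.0.9", f"172.16.1.{i}", "tcp", 135, 0))
    # 10.0.0.8: 100 distinct web servers on TCP/80, ignored by the port filter
    for i in range(100):
        flows.append(Flow(30.0 + i * 0.005, "10.0.0.8", f"172.16.2.{i}", "tcp", 80, 0))
    return flows


if __name__ == "__main__":
    for src, (label, peak) in sorted(detect_scanners(sample_flows()).items()):
        print(f"{src}: {label} scanning, {peak} distinct targets in 1 s")
```

The same per-source fan-out counter can drive an automatic block at the access switch or firewall, which is what the "filter and control traffic when needed" lesson amounts to in practice; the port filter keeps it from firing on ordinary busy clients, and the window keeps slow, legitimate use of the same port (the 10.0.0.5 case) below the threshold.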
SUS 1.0: How it Works
- The SUS server on the intranet synchronizes updates from Windows Update over the Internet (Windows critical security updates, security rollups and service packs).
- The server is configured via a web-based admin tool; the administrator approves updates.
- Corporate servers, desktops and laptops running the Automatic Updates client download and install the approved updates.
- Client configuration is managed centrally.
Choosing a Patch Management Solution: Functionality versus IT Resources Based Selection
Choose the solution that provides the best balance of functionality versus IT resource constraints for your specific needs.
[Chart: Breadth of Functionality (Low to High) plotted against IT Resources & Administration Skill Level (Low to High); SUS sits at the low end of both axes, SMS at the high end of both.]
Additional Measures
- Good and effective Anti-Virus server and Anti-Spam server on the gateway
- Install Intrusion Detection software on the internal as well as the external networks
- Implement firewalls
- Good Content Management as well as a traffic management system
- Network monitoring and management software
Network Security Problems are Growing
- Internet connections have increased as a frequent point of attack (from 59% in 2000 to 79% in 2003)
- Of those reporting attacks:
  - 27% say they don't know if there had been unauthorized access or misuse: no network information!
  - 21% reported from two to five incidents
  - 58% reported ten or more incidents: something isn't working!
Source: Computer Security Institute & FBI report, March 2003
Why Integrated Network Security?
- Attackers take advantage of new, complex networks and sophisticated services
- In this environment, everything is a target: routers, switches, hosts, networks (local and remote), applications, operating systems, security devices, remote users, business partners, extranets, etc.
- A new breed of network attacks has multiple vectors that cannot be blocked by one device
- Network security requires an integrated system:
  - Layers of security are required
  - Embedded security throughout the network
  - Integrated security in network devices
- Network management and reporting must be secure
1) Security Policy
2) Secure
3) Monitor and Respond
4) Test/Assess
5) Manage and Improve
Security is a business process requiring continuous improvement and automation...
The 7 Top Management Errors that Lead to Computer Security Vulnerabilities
1. Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.
2. Fail to understand the relationship of information security to the business problem -- they understand physical security but do not see the consequences of poor information security.
3. Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow-through necessary to ensure the problems stay fixed.
4. Rely primarily on a firewall.
5. Fail to realize how much money their information and organizational reputations are worth.
6. Authorize reactive, short-term fixes so problems re-emerge rapidly.
7. Pretend the problem will go away if they ignore it.
http://www.sans.org/resources/errors.php
Thank you