1 / 44

Security in the Trenches

Security in the Trenches. Who are the defenders in the trenches?. Security staff Monitor threats and behavior without invading privacy Tactical calculation of acceptable risk and response Design trenches that allow free flow of information and services

lyndon
Download Presentation

Security in the Trenches

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Security in the Trenches

  2. Who are the defenders in the trenches? • Security staff • Monitor threats and behavior without invading privacy • Tactical calculation of acceptable risk and response • Design trenches that allow free flow of information and services • Respond to breeches and threats without causing harm

  3. Who are the defenders in the trenches? • Everyone at a keyboard • Everyone with a network connection • Everyone that uses or manages Information Technology

  4. Who are the defenders in the trenches? • Students • Exposed to constant scans, malicious messages, and fraud attempts. • Can’t trust messages from their friends or even the administration or support organization (administration@jmu.edu, support@jmu.edu ) • Computer malfunctions and compromise of personal information and accounts • Potential identity theft victims when central stores of information are compromised

  5. Who are the defenders in the trenches? • Faculty • Exposed to constant scans, malicious messages, and fraud attempts. • Threat environment makes it difficult to experiment safely. • Confidential commercial research may be compromised • Fulfilling grant security requirements complicate research efforts • Lose valuable messages in storm of SPAM • Unable to get or share information because criminal element has made it too risky

  6. Who are the defenders in the trenches? • Staff • Exposed to constant scans, malicious messages, and fraud attempts. • Safeguard information of constituents • Spyware calls burying support resources making them unavailable to others • Responding to constant stream of threats. • Fear of being the person who makes the next headlines by clicking the wrong thing. • Loss of trust

  7. Who are the defenders in the trenches? • Management • Exposed to constant scans, malicious messages, and fraud attempts. • Strategic calculation of acceptable risk and response • Hesitant to offer forward thinking services because of risk. • Headlines don’t explain “acceptable” and “residual” risk. • Risk is always unacceptable if an incident occurs. • Growing security expenditures take from line of business needs

  8. Who are the defenders in the trenches • General Public • Exposed to constant scans, malicious messages, and fraud attempts. • Lose battles daily for control of their computers, documents, and accounts • Deluged with simplistic, ineffective, overly complex, sensationalist, and/or accusing advice.

  9. WE ARE ALL IN THE TRENCHES! • Defending: • Our own computer and information • Our constituent’s information and services • Our organization’s information and services

  10. Trench Warfare • Trench - a long, narrow ditch dug by soldiers for cover and concealment • Trench Warfare – form of fighting whereby two sides fight each other from opposing trenches • Conscription – a system of compulsory recruitment for the armed forces • Home Front – the name given to the part of war that was not actively involved in the fighting but which was vital to it • No-man’s land – the barren territory that lay between the opposing Allied and German trenches on the Western Front • Attrition – strategy of wearing down the enemy through continual attack and pressure • Deterrent – something designed to stop a person or people from doing something • Entrenched – to be fixed or deeply rooted in an area • Retaliation – to fight back, revenge • Shell shock – medical condition caused by prolonged exposure to the distressing experiences of trench warfare • Stand-down – name given to the daily evening routine in the trenches

  11. Vandals Joy Riders Graffiti artists Kids and professionals Thieves Extortionists Manipulators Voyeurs Egotists Competitors (business, romance, research, etc.) Free loaders Anarchists Exploiters Terrorists Multiple simultaneous enemies Multiple motivations Varying capabilities Who is the Enemy?

  12. Where are the enemies’ trenches? • They have none! • Worldwide, instant mobility • Worldwide, anonymous mobility • Worldwide, unrestricted mobility • At every network connection • At every keyboard • At every exposed web site

  13. Guerilla Warfare • Guerrilla warfare operates with small, mobile and flexible combat groups without a front line • Guerrilla tactics are based on ambush, sabotage, espionage, and avoiding the response of the defenders through greater mobility • The mobility provided by the Internet and the ability to commandeer computers results in the attackers being able to wage open warfare on the defenders with relative anonymity. • Freely available weaponry on the Internet • Mercenaries – BOTS • Smart bombs - viruses, worms

  14. Where are our weaknesses? • Our networks provide attacker mobility • Global • Limitless • Unauthenticated

  15. What are our Weaknesses? • Networks and Societies Must Have Cooperation to Work • Throwing bricks through windows • Driving down the wrong side of the street • Stealing mail from mailboxes • Can you secure your house or car? • The Internet extends the reach of uncooperative members

  16. Where are our weaknesses? • Our Systems provide soft targets • Complex – error prone in design, implementation, configuration, and usage • Defective security controls • Lack of access controls in most default configurations • Not designed for hostile environment • Not maintained for hostile environment

  17. Where are our weaknesses? • We, ourselves, provide opportunity • Complexity breeds mistakes • Decisions • Design • Implementation • Configuration • Operation • Priorities • We cannot spend all our time on defense nor make all our decisions based on security. • The attackers have no such limitations • Acceptable risk • Conflicting Business Goals • Desire for universal, easy accessibility • Minimize access controls for location, method, source, or destination • Desire for autonomy and personalization • Minimize policies, procedures, standards, and controls • Desire for privacy • Minimize identification and monitoring • Transparent security

  18. Where are Our Weaknesses? • An intruder only has to find one entry point. • A defender has to close or watch all entry points. • One mistake, one oversight, one wrong mouse click creates opportunity for the attacker

  19. Battle Statistics • Thousands of infected e-mail messages received daily • 60%+ of incoming e-mail messages are SPAM – dozens, sometimes hundreds, containing fraud attempts such as phishing and Nigeria scams

  20. Battle Statistics • Malicious Instant Message Events

  21. Battle Statistics Malicious Web Sites

  22. Battle Statistics Incoming Network Scans

  23. Symantec Internet Security Threat Report January-June 2005 • 10,866 new Windows viruses • Of the 50 most common reported, 74% expose confidential information • 10,352 BOTS detected per day • 1,862 new software defects • Average time to exploit – 6 days • Average time to patch – 54 days • 5.7 million fraudulent “phishing” email messages per day

  24. Lifetime of unpatched computer Malware sophistication Security software neutralization Back channel communications, instant notification BOTS Distributed Denial of Service Rootkits Keyloggers Unrecognized malware Exploits of unfixed defects Below the radar communications Social engineering DDOS E-gold E-bay hijack E-bay phish IM keylogger data stream Organized crime Targeted spam – Lexus Nexus Higher Education incidents Credit Card battle One mistake Issues and Incidents

  25. What are we trying to protect? • Confidentiality • Integrity • Availability • …if we don’t protect them we may have…

  26. If we don’t protect C-I-A we may have… • Liability • Operational disruption • Theft • Vandalism • Loss of reputation, confidence, and/or trust • ...which may lead to the loss of…

  27. Which may lead to the loss of… • Time • Money • Freedom • Jobs • Mission • Quality of Life (in the worst case, life itself – health, military, terrorism)

  28. Security Goal • Reduce the risk of loss to an acceptable level • We can not eliminate risk. There will always be residual risk. • Reducing risk will always have costs: • Time (always) • Money • Access • Convenience • Privacy • Freedom • Complaints • Quality of life • Service delivery • Compare to costs of security incidents on previous slide - balance

  29. Security Keystones Security

  30. Security Keystones • Awareness of the risks and a desire to do something to reduce those risks • Assessment of the risks and a willingness to accept the costs of addressing unacceptable risks leading to • Policies and procedures to reduce the risks to an acceptable level • Controls enforcing the policies and procedures • Monitoring operation of the controls and compliance with policies and procedures • Responding to non-compliance incidents and altered risk assessment parameters through changing awareness • Repeat as necessary • Best practices and common sense can shorten the process, though without detailed analysis and comparisons, one may be led into a false sense of security and/or unproductive efforts.

  31. Security Keystones • No one keystone can stand alone • No keystone is infallible. • Multiple layers of each keystone provide the best protection to minimize effects of failures and mistakes

  32. Keystone – Risk Assessment • The factors that go into a risk assessment are constantly changing. • Value • Threats • Vulnerabilities • Probabilities • Exposure • Attack Activity • Motivation

  33. Keystone – Risk Assessments • Risk = Consequence x (threat x vulnerability) • Consequences are rising rapidly as more services and data are made accessible online and systems are interconnected • Threats are rising rapidly as attacks grow in number and sophistication • Vulnerabilities are still rising as software gets more complex, services are pushed out faster, more services are exposed, automated exploit kits proliferate, and businesses struggle with global competition • Risk will increase for the foreseeable future

  34. Generalizing Risk Assessment – Best Practices • Provide access only to that which is needed (default deny and least privilege) • Defense in depth (i.e. redundant layers) • These fundamental security principles haven’t changed in centuries. We ignore them at our peril.

  35. Keystone - Policies and Procedures • Surrounds the whole process • Like a risk assessment, usually lags the environment and is difficult to implement for varying, complex systems needing good reaction times.

  36. Keystone – Access ControlLayered Defense Theory

  37. Keystone – Access ControlLayered Defense Practice Backup Systems Self Service Student Information and Human Resources Systems Faculty/Staff (indirect path) Desktops and other unidentified sensitive systems

  38. Grades SSN Credit Cards Performance Evaluations Medical Resumes Research Vendor Purchasing Financial Reports Organizational Planning Environmental control systems Credit card processing systems Building entry and security systems ID/debit card systems Office desktops? Home desktops? Laptops? CD? USB Drive? Floppy? Cell phone? PDA? Shared folder? One mistake What Data is on Your Desktops?

  39. Keystone - Access Control • Granting access indicates explicit trust • Not controlling access indicates implicit trust • To read • To alter • To destroy • The more we depend upon trust, the less control we have. • SPAM • Network access – Scanning, bandwidth depletion, denial of service attacks, exploit attempts, unauthorized account access, patch urgency • Computer access – running malicious programs, unsafe configurations, incompatible configurations • Inappropriate use

  40. Trust => Risk • Ignorance (failure of awareness) • Faulty Risk Assessment assumptions • Failed Access Controls • Failed Monitoring Processes • Inadequate Response • Inappropriate Use • ==================== Misplaced TRUST Unaccepted Access ====> Unaccepted Risk The more we trust, the more we better monitor.

  41. Keystone - Monitoring • We have to monitor unless: • Our trust in everything is 100% justified • The factors that went into the risk assessment don’t change • We’re not interested in detecting when we’re the victim of the residual assumed risk. • As malware and attacks move toward encrypted open ports (web), monitoring is going to be a lot harder. • The more we trust, the more we better monitor.

  42. Risk Evolution • Decreasing • Fundamental operating system and server defects • Increasing • Human error due to complexity • Desktops • Distributed data exposure • Client applications • Web applications

  43. Key Defense Improvements for Today’s Threat Environment • Reduce exposure • Default deny networks • Default deny computers (least privilege accounts e.g. non-Administrator) • Increase monitoring • Reduce reaction time to the inevitable security failure and new threat • Awareness != Education

  44. WE ARE ALL IN THE TRENCHES! • Defending: • Our own computer and information • Our constituent’s information and services • Our organization’s information and services

More Related