
2001: THE END OF REACTIVE NETWORK SECURITY

THE CASE FOR PROACTIVE NETWORK SECURITY: WORMS, VIRUSES & BUSINESS CONTINUITY. Presented to Dr. Yan Chen, MITP 458 - Information Security & Assurance, Business Case Study Presentation, 09 June 2007, by The Loop Group: Farney, Heilprin, Leonard.


Presentation Transcript


  1. THE CASE FOR PROACTIVE NETWORK SECURITY: WORMS, VIRUSES & BUSINESS CONTINUITY
     Presented to Dr. Yan Chen
     MITP 458 - Information Security & Assurance
     Business Case Study Presentation
     09 June 2007
     by The Loop Group: Farney, Heilprin, Leonard

  2. 2001: THE END OF REACTIVE NETWORK SECURITY
     • The Year of the Worm: three major worms released July-September 2001
       • Code Red
         • $2.6bn estimated damage
         • Simple buffer overflow infected 350,000+ hosts in a single day
       • Code Red II
         • Same attack vector (.ida), but different signature
       • Nimda
         • Mass-mailing, multivariate attack
     • All based on previously released and patched vulnerabilities
       • MS01-033, MS00-052, MS00-078, MS01-020
     • A/V software useless
     • Used firewall ports not needed (externally) in the first place
       • 135, 137, 138, 139, 445, 593, 1639, 2000-3000, 3127-3198
     • 100% Preventability!

  3. “HEROIC IT” NOT ENOUGH, PEOPLE AND PROCESS REQUIRED
     • Speed of attack dispersion and increased geographic expansion make it impossible to react to today’s threats
     • Design and deploy a network security operations infrastructure in which automatic patch management plays the central role
       • Vulnerabilities addressed on release day (making a test assumption)
     • Proactively tighten defenses
       • “Deny all” vs. “allow all” on interior firewall interfaces
       • Perform network analysis to determine required business functions and their corresponding ports; deny all else
     • 2001 attacks responsible for a major shift in corporate defenses
     Heroic IT Management Is No Longer Enough, Diamond Cluster Viewpoint, 2004
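The “deny all” point of slides 2 and 3 is easy to state and easy to get wrong in practice, so here is an added example (not part of the presentation) that models it: the worm-abused port list from slide 2 is checked against an allowlist derived from a hypothetical network-analysis step. The service-to-port mapping is constructed for the example; the worm port list comes from the slide. The last function shows the caveat a practitioner would want: a deny-all policy only helps if the allowlist itself does not re-admit a port the business never needed externally.

```python
"""Default-deny vs. default-allow exposure check (added example, not from the slides)."""

# Ports the 2001 worms used that slide 2 says were never needed externally
# (list taken from the slide; the two ranges are expanded here).
WORM_PORTS = (
    {135, 137, 138, 139, 445, 593, 1639}
    | set(range(2000, 3001))
    | set(range(3127, 3199))
)

# Hypothetical output of the "network analysis" step: business functions and the
# TCP ports each one genuinely requires from outside. Constructed for this example.
REQUIRED_SERVICES = {
    "public web": {80, 443},
    "inbound mail": {25},
    "partner sftp": {22},
}


def allowed_ports(services):
    """Flatten the business-function mapping into a single allowlist."""
    return set().union(*services.values())


def is_permitted(port, policy, allowlist):
    """Decide one inbound port under the named interface policy."""
    if policy == "deny-all":
        return port in allowlist          # only explicitly justified ports pass
    if policy == "allow-all":
        return True                       # everything passes; allowlist is irrelevant
    raise ValueError(f"unknown policy {policy!r}")


def exposed_worm_ports(policy, services=REQUIRED_SERVICES):
    """Worm-abused ports that the policy would still leave reachable."""
    allowlist = allowed_ports(services)
    return sorted(p for p in WORM_PORTS if is_permitted(p, policy, allowlist))


def summarize_ranges(ports):
    """Collapse a port list into 'a-b' strings for a readable report."""
    ports = sorted(set(ports))
    out, i = [], 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        out.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
        i = j + 1
    return out


if __name__ == "__main__":
    for policy in ("allow-all", "deny-all"):
        exposed = exposed_worm_ports(policy)
        print(f"{policy:9s}: {len(exposed)} worm-abused ports exposed "
              f"{summarize_ranges(exposed)}")
    # The caveat: a deny-all allowlist that re-admits a worm port still exposes it.
    sloppy = {"public web": {80}, "legacy rpc": {135}}
    print("deny-all with sloppy allowlist:", exposed_worm_ports("deny-all", sloppy))
```

Running it reports every one of the 1,080 listed ports as exposed under “allow all”, none under “deny all” with the constructed allowlist, and exactly port 135 when a “legacy rpc” entry is added, which is the kind of exception the network-analysis step exists to challenge.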

  4. NEXT PARADIGM SHIFT: STRING SCANNING -> HEURISTICS
     • Zero-day attacks becoming more common
       • Virus definitions and patches not available
       • “Ex post mechanism is folly: by focusing on catching the attack of the past, you miss the attack of the future”¹
     • A new proactivity required: behavior-based security
       • Define behaviors to look for, not specific strings
       • Heuristics are the only way to protect against zero-day attacks
       • Looks for anomalous activity like
     • Use off-the-shelf software, security services, or a product like Internet Motion Sensor
       • Most A/V software today uses heuristics at some level
       • Most effective are agent-based products dedicated to this type of analysis
     1. The Efficacy of Network-Level SPAM Mitigation, Sean Farney, MITP 458, 2007
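To make the string-scanning versus heuristics contrast concrete, the following added example (not from the presentation) runs both kinds of detector over constructed web-server log lines. The signature rule matches the “.ida” request string named on slide 2; the heuristic ignores request content and instead flags any source that reaches an unusual number of distinct destination hosts within a short window, which is what a self-propagating worm does regardless of its payload. The log format, addresses, paths, threshold and window are all assumptions made for the example; the “variant” source is hypothetical and exists only to show a changed string slipping past the signature while the behavior is still caught.

```python
"""Signature vs. behavior-based detection over constructed logs (added example)."""
import re
from collections import defaultdict

# Known-string rule: the .ida request vector named on slide 2.
SIGNATURE = re.compile(r"\.ida\?", re.IGNORECASE)

# Behavioral rule: a single source touching this many distinct destination
# hosts within the window is treated as scanning. Values are assumptions.
FANOUT_THRESHOLD = 5
WINDOW_SECONDS = 60


def constructed_log():
    """Build sample lines: '<epoch> <src> <dst> <method> <path> <status>' (constructed)."""
    lines = []
    # Source A: known signature string, probing eight hosts in eight seconds.
    for i in range(8):
        lines.append(f"{1000 + i} 203.0.113.5 10.0.0.{i + 1} GET /scan.ida?probe 404")
    # Source B: hypothetical variant with a changed string, same scanning behavior.
    for i in range(8):
        lines.append(f"{1000 + i} 203.0.113.9 10.0.0.{i + 1} GET /variant.xyz?probe 404")
    # Source C: ordinary browsing, three requests to one host.
    for i in range(3):
        lines.append(f"{1000 + i} 198.51.100.20 10.0.0.1 GET /index.html 200")
    return lines


def parse(line):
    ts, src, dst, method, path, status = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "method": method,
            "path": path, "status": int(status)}


EVENTS = [parse(line) for line in constructed_log()]


def signature_hits(events):
    """Sources whose request path matches the known string."""
    return sorted({e["src"] for e in events if SIGNATURE.search(e["path"])})


def heuristic_hits(events, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Sources that contact >= threshold distinct hosts inside any window-length span."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append((e["ts"], e["dst"]))
    flagged = set()
    for src, seq in by_src.items():
        for i, (t0, _) in enumerate(seq):
            # Events are time-ordered, so everything from i onward within the
            # window forms one candidate span; count its distinct destinations.
            dsts = {dst for ts, dst in seq[i:] if ts - t0 <= window}
            if len(dsts) >= threshold:
                flagged.add(src)
                break
    return sorted(flagged)


def compare(events):
    """Side-by-side result: what each approach catches and what only behavior catches."""
    sig, heur = set(signature_hits(events)), set(heuristic_hits(events))
    return {"signature": sorted(sig), "heuristic": sorted(heur),
            "missed_by_signature": sorted(heur - sig)}


if __name__ == "__main__":
    for name, hits in compare(EVENTS).items():
        print(f"{name:20s} {hits}")
```

The signature detector catches only the source using the known string; the fan-out heuristic catches both scanning sources and leaves the ordinary browser alone. Tuning matters: raising the threshold above the observed fan-out, or shrinking the window below the scan’s spread, makes the heuristic miss as well, which is why such rules are normally derived from a baseline of the network’s own normal behavior.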

  5. PERSONAL LESSONS LEARNED
     • Globally dispersed operations offer challenges
       • Follow-the-sun staffing great for finite day-to-day tasks, but can impede focus on large events
       • Lack of 24x7 line responsibility allows transition gaps and requires re-activation energy
       • Consider centralization and/or sourcing to a true 24x7 model/provider for consistent and efficient handling of operations
     • Patching systems, either internally or externally, produce the same effect
       • Remove the human element from revision compliance
       • Commonplace now, but still new in 2001
     • Fight battles before they start; be as proactive as possible
       • The Freedom¹ of “Deny All”
     1. See Nietzsche’s Twilight of the Idols
