This business case study presentation explores the importance of proactive network security in preventing the damage caused by worms and viruses. It highlights the need for automated patch management, behavior-based security, and 24x7 operations. The lessons learned emphasize the benefits of centralization and proactive measures in ensuring business continuity.
THE CASE FOR PROACTIVE NETWORK SECURITY: WORMS, VIRUSES & BUSINESS CONTINUITY
Presented to Dr. Yan Chen
MITP 458 - Information Security & Assurance
Business Case Study Presentation
09 June 2007
by The Loop Group: Farney, Heilprin, Leonard
2001: THE END OF REACTIVE NETWORK SECURITY
• The Year of the Worm: (3) major worms released July-September 2001
  • Code Red
    • $2.6bn estimated damage
    • Simple buffer overflow infected 350,000+ hosts in a single day
  • Code Red II
    • Same attack vector (.ida), but different signature
  • Nimda
    • Mass-mailing, multivariate attack
• All based on previously released and patched vulnerabilities
  • MS01-033, MS00-052, MS00-078, MS01-020
• A/V software useless
• Used firewall ports not needed (externally) in the first place
  • 135, 137, 138, 139, 445, 593, 1639, 2000-3000, 3127-3198
• 100% Preventability!
“HEROIC IT” NOT ENOUGH, PEOPLE AND PROCESS REQUIRED
• Speed of attack dispersion and increased geographic expansion make it impossible to react to today’s threats
• Design and deploy a network security operations infrastructure in which automatic patch management plays a central role
  • Vulnerabilities addressed on release day (making test assumption)
• Proactively tighten defenses
  • “deny all” vs. “allow all” on interior firewall interfaces
  • Perform network analysis to determine required business functions and corresponding ports, deny all else
Note: 2001 attacks responsible for major shift in corporate defenses
Source: Heroic IT Management Is No Longer Enough, Diamond Cluster Viewpoint, 2004
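The “deny all” vs. “allow all” choice on this slide, as an added example that is not part of the original deck: a small Python model that parses the deck’s own port-list notation and compares worm-port exposure under the two interior-firewall policies. The required-service port lists passed in are constructed assumptions standing in for the results of the network analysis the slide calls for.

```python
# Added example, not from the original slides: a small model of the deck's
# "deny all" vs. "allow all" choice for interior firewall interfaces.
# Port lists use the deck's own "N, N, A-B" notation; the required-service
# lists passed in are constructed assumptions standing in for a network analysis.

# Ports the 2001 worms used, as listed on the deck's 2001 slide.
WORM_PORTS_SPEC = "135, 137, 138, 139, 445, 593, 1639, 2000-3000, 3127-3198"


def parse_ports(spec):
    """Expand "135, 137, 2000-3000" style text into a set of port numbers."""
    ports = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port item: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def permits(policy, allowed, port):
    """One interface rule: explicit allows win, then the default policy applies."""
    if policy not in ("allow", "deny"):
        raise ValueError("policy must be 'allow' or 'deny'")
    return port in allowed or policy == "allow"


def exposed(policy, allowed, attack_ports):
    """Ports from attack_ports that the interface would let through, sorted."""
    return sorted(p for p in attack_ports if permits(policy, allowed, p))


def compare_policies(required_spec):
    """Worm-port exposure under allow-all vs. deny-all-except-required.
    Returns (count exposed under allow-all, ports exposed under deny-all); the
    latter is residual risk: justified ports inside a worm range need patching."""
    worm = parse_ports(WORM_PORTS_SPEC)
    required = parse_ports(required_spec)
    return len(exposed("allow", set(), worm)), exposed("deny", required, worm)


# Constructed: web, mail and DNS are the only justified business ports.
print(compare_policies("25, 53, 80, 443"))        # (1080, [])
# If the analysis also justifies 2049 (NFS), it falls inside 2000-3000.
print(compare_policies("25, 53, 80, 443, 2049"))  # (1080, [2049])
```

The second call shows why the slide pairs “deny all” with patch management: a port the business genuinely needs can still sit inside a range the worms used, and the firewall alone does not cover it.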
NEXT PARADIGM SHIFT: STRING SCANNING -> HEURISTICS
• Zero Day attacks becoming more common
  • Virus definitions and patches not available
  • “Ex post mechanism is folly - by focusing on catching attacks of the past, you miss the attack of the future”[1]
• A new proactivity required: behavior-based security
  • Create behaviors to look for, not specific strings
  • Heuristics is the only way to protect against Zero Day attacks
  • Looks for anomalous activity like
  • Use off-the-shelf software, security services, or a product like Internet Motion Sensor
• Most A/V software today uses heuristics at some level
  • Most effective are agent-based products dedicated to this type of analysis
[1] The Efficacy of Network-Level SPAM Mitigation, Sean Farney, MITP 458, 2007
PERSONAL LESSONS LEARNED
• Globally dispersed operations offer challenges
  • Follow-the-sun staffing is great for finite day-to-day tasks, but can impede focus on large events
  • Lack of 24x7 line responsibility allows transition gaps and requires re-activation energy
  • Consider centralization and/or sourcing to a true 24x7 model/provider for consistent and efficient handling of operations
• Patching systems, whether internal or external, produce the same effect
  • Remove the human element from revision compliance
  • Commonplace now, but still new in 2001
• Fight battles before they start; be as proactive as possible
  • The Freedom[1] of “Deny All”
[1] See Nietzsche’s Twilight of the Idols