Hacking Exposed 7: Network Security Secrets & Solutions
Chapter 12: Countermeasure Cookbook
Introduction
• The attack-centric view taken by this book vs. building more secure systems
• Asymmetry of risk management: the attacker's advantage and the defender's dilemma (the defender has to close every hole; the attacker needs only one)
• Best countermeasure strategies
  • General strategies
    • Usability vs. security
    • Increase the "cost" of attack
    • (Re)move the asset, separation of duties, AAA (authenticate, authorize, audit), layering, adaptive enhancement, orderly failure, policy and training, simple/cheap/easy
  • Example scenarios
    • Desktop, server, network, web application and database, and mobile scenarios
(Re)move the Asset
• Remove the target of the attack: what is not there cannot be stolen
• Example: a database index
  • A website collects personally identifiable information such as a government-issued identification number
  • Purpose: to index customers in its database more reliably
  • But the business has no need for the number itself
  • Why not index on non-identifiable, randomly generated values instead?
  • Better than encrypting data the business doesn't really need: encrypted data can still leak, and keys can still be stolen
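The database-index example above, worked through as an added example (not code from the book or the slides): a legacy table keyed on a government-issued identifier is re-keyed on random surrogate IDs and the identifier column is dropped. The table names, rows and the 128-bit `secrets.token_hex` key format are assumptions; the point is that a CSPRNG value, unlike a hash of the identifier, carries nothing an attacker can brute-force back to the person.

```python
import secrets
import sqlite3

# Constructed sample rows for the legacy table, which keys customers on a
# government-issued identifier the business collects only as an index.
LEGACY_ROWS = [
    ("123-45-6789", "Ada Lovelace", "ada@example.com"),
    ("987-65-4321", "Alan Turing", "alan@example.com"),
]


def new_surrogate_id() -> str:
    """128 random bits from the OS CSPRNG: unguessable, unique in practice, and
    carrying no information about the person (unlike a hash of the gov ID,
    which an attacker can brute-force over the small space of valid numbers)."""
    return secrets.token_hex(16)


def build_legacy_db() -> sqlite3.Connection:
    """The 'before' schema (constructed): the identifier is the primary key."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (gov_id TEXT PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", LEGACY_ROWS)
    conn.commit()
    return conn


def remove_the_asset(conn: sqlite3.Connection) -> int:
    """Re-key on random surrogate IDs and drop the government ID entirely.

    Returns the number of customers migrated. The `with conn` block commits
    the row copy as a unit. (In a real schema, foreign keys that referenced
    gov_id are re-pointed at customer_id in the same change; omitted here.)
    """
    with conn:
        conn.execute(
            "CREATE TABLE customer_v2 "
            "(customer_id TEXT PRIMARY KEY, name TEXT, email TEXT)"
        )
        rows = conn.execute("SELECT name, email FROM customer").fetchall()
        conn.executemany(
            "INSERT INTO customer_v2 VALUES (?, ?, ?)",
            [(new_surrogate_id(), name, email) for name, email in rows],
        )
        conn.execute("DROP TABLE customer")
        conn.execute("ALTER TABLE customer_v2 RENAME TO customer")
    return len(rows)


def customer_columns(conn: sqlite3.Connection) -> list:
    """Column names of the customer table, to verify the identifier is gone."""
    return [row[1] for row in conn.execute("PRAGMA table_info(customer)")]


def stored_values(conn: sqlite3.Connection) -> str:
    """Every value the table holds, joined, so a check can confirm no gov ID survived."""
    rows = conn.execute("SELECT * FROM customer").fetchall()
    return " ".join(str(v) for row in rows for v in row)


if __name__ == "__main__":
    db = build_legacy_db()
    print("before:", customer_columns(db))
    print("migrated", remove_the_asset(db), "customers")
    print("after: ", customer_columns(db))
```

After the migration the table holds names, e-mail addresses and opaque keys; there is nothing left for a breach of this table to expose that the business did not need to hold.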
Separation of Duties
• Prevent, detect, and respond
  • Parallel countermeasures, e.g. host intrusion prevention, network intrusion detection, incident response process execution
• People, process, and technology
  • The nature of parallel countermeasures
  • Mix and match the two lists above in a matrix (prevent/detect/respond across people/process/technology)
• Checks and balances
  • Coordination of duties: have different accountable persons work on the same task
  • Preventing collusion: e.g. keep the detection team separate from the reaction team
  • Providing checks and balances: e.g. a separate team sets the firewall rules that block access to a vulnerable service
Authenticate, Authorize, Audit
• Know your users, limit what they can access, and check the access logs
• Off-the-shelf authentication solutions
  • Multifactor: RSA SecurID
  • Online identity services: Windows Live ID and OpenID
  • Frameworks: OAuth and SAML
• Customized authorization solutions
  • Role-based, claims-based, mandatory vs. discretionary access control, digital rights management
  • e.g. Microsoft's Mandatory Integrity Control (MIC)
  • Protected Mode Internet Explorer (PMIE): runs the browser at low integrity, so a compromised browser is confined to a limited set of objects within the user's authenticated session
• Audit every authentication and authorization decision
  • Who did what to which resource, when, and how
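The three A's in one gate, as an added example (not the book's code): a role-based authorization check that runs only after authentication succeeds, with an audit record for every decision covering who, what, which, when and how. The users, roles and the `"<resource type>:<action>"` permission format are assumptions for the example; the authentication step is a stand-in that only checks a second-factor flag.

```python
import time
from dataclasses import dataclass, field

# Constructed role -> permission matrix and user directory (assumptions for the
# example; a real deployment pulls these from the IAM system).
ROLE_PERMISSIONS = {
    "admin": {"customer:read", "customer:delete", "firewall:write"},
    "analyst": {"customer:read"},
}
USERS = {
    "alice": {"roles": {"admin"}, "second_factor_ok": True},
    "bob": {"roles": {"analyst"}, "second_factor_ok": True},
    "mallory": {"roles": {"admin"}, "second_factor_ok": False},
}


@dataclass
class AAAGate:
    """Authenticate, then authorize, and write an audit record for every decision."""

    audit_log: list = field(default_factory=list)

    def authenticate(self, user: str, channel: str) -> bool:
        # Stand-in for password + second-factor verification: here we only
        # check that the session's second factor was verified.
        ok = user in USERS and USERS[user]["second_factor_ok"]
        self._audit(user, "authenticate", "-", channel, ok)
        return ok

    def authorize(self, user: str, action: str, resource: str, channel: str) -> bool:
        # Permission strings are "<resource type>:<action>", e.g. customer:delete.
        needed = f"{resource.split(':', 1)[0]}:{action}"
        roles = USERS.get(user, {}).get("roles", set())
        ok = any(needed in ROLE_PERMISSIONS.get(r, set()) for r in roles)
        self._audit(user, action, resource, channel, ok)
        return ok

    def access(self, user: str, action: str, resource: str, channel: str = "web") -> bool:
        """The full gate. Authorization is never evaluated for an unauthenticated caller."""
        return self.authenticate(user, channel) and self.authorize(user, action, resource, channel)

    def _audit(self, who, what, which, how, allowed):
        # Who did what, to which resource, when, how (channel), and the outcome.
        self.audit_log.append(
            {"when": time.time(), "who": who, "what": what, "which": which,
             "how": how, "allowed": allowed}
        )

    def denied_events(self) -> list:
        """The records an auditor reviews first: failed logins and refused actions."""
        return [e for e in self.audit_log if not e["allowed"]]
```

Denials are logged as carefully as successes: a refused `customer:delete` from an analyst account, or a login that never cleared the second factor, is exactly the signal the audit step exists to surface.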
Layering
• Defense in depth, or compensating controls
• Linear (serial) countermeasures vs. parallel countermeasures
• Layers of the IT stack, each with its own controls
  • Physical: secured facility
  • Network: firewall, ACLs
  • Host: endpoint software, host-level firewall, antimalware/antivirus
  • Application: patch vulnerabilities
  • Logical: access control on the application's capabilities and data
Adaptive Enhancement
• Countermeasures that can be turned on and off as the risk changes
• Examples
  • A WAF (Web Application Firewall) rule turned on when a vulnerability cannot be patched until the next release
  • Reactive compensation: an additional challenge factor during authentication when a login deviates from the user's normal pattern
  • Predictive compensation: Bank of America's SafePass feature for online banking, an additional one-time code sent to the customer's mobile device
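The "additional challenge factor when a login deviates from normal" bullet, as an added example (not the book's code): a small risk scorer that compares a login attempt against a per-user baseline and decides whether to allow, demand a second factor, or block. The baseline, the anomaly weights and the thresholds are assumptions to tune; `enroll_device` shows the adaptive part, where a device that passed the step-up joins the baseline so the extra factor switches itself off again.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_id: str
    country: str
    hour_utc: int            # 0-23
    failures_last_hour: int  # failed attempts on this account in the past hour


# Constructed per-user baseline of "normal" (assumption; in practice learned
# from login history). Plain membership tests keep the decision auditable.
PROFILES = {
    "alice": {"devices": {"laptop-1"}, "countries": {"US"}, "active_hours": range(7, 20)},
}

# Each anomaly adds to a risk score; thresholds decide how hard to push back.
WEIGHTS = {"new_device": 3, "new_country": 3, "odd_hour": 1, "brute_force": 4}
STEP_UP_AT = 3   # score >= 3: demand an additional factor
BLOCK_AT = 7     # score >= 7: refuse and alert


def risk_factors(a: LoginAttempt) -> list:
    """Which parts of this attempt do not match the user's baseline."""
    profile = PROFILES.get(a.user)
    if profile is None:
        return ["unknown_user"]
    factors = []
    if a.device_id not in profile["devices"]:
        factors.append("new_device")
    if a.country not in profile["countries"]:
        factors.append("new_country")
    if a.hour_utc not in profile["active_hours"]:
        factors.append("odd_hour")
    if a.failures_last_hour >= 5:
        factors.append("brute_force")
    return factors


def decide(a: LoginAttempt) -> tuple:
    """Return (decision, factors) where decision is 'allow', 'step_up' or 'block'."""
    factors = risk_factors(a)
    if "unknown_user" in factors:
        return "block", factors
    score = sum(WEIGHTS[f] for f in factors)
    if score >= BLOCK_AT:
        return "block", factors
    if score >= STEP_UP_AT:
        return "step_up", factors
    return "allow", factors


def enroll_device(user: str, device_id: str) -> None:
    """After a successful step-up the device becomes part of the baseline,
    so the extra challenge is no longer demanded for it."""
    PROFILES[user]["devices"].add(device_id)
```

A single unusual hour costs only a point and passes; a new device alone triggers the step-up; a new device from a new country at 2 a.m. after a burst of failures is refused outright.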
Orderly Failure
• Risk management: plan for failure (it sounds self-defeating, but failures will happen)
• Worst-case scenarios
  • All or some components fail
  • The security features themselves fail
• Reactive countermeasures
  • Annual "fire drills"
  • Test people, process, and technology
  • Check the failover mechanisms
• After failure: fail closed or fail open? Decide per control in advance, not during the incident
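The fail-closed vs. fail-open question, as an added example (not the book's code): the same authorization gate written three ways against a policy backend that goes down, plus a "fire drill" that exercises the outage. `remote_policy_check` is a constructed stand-in for the network call, and the 300-second grace period in the cached variant is an assumption.

```python
class PolicyServiceDown(Exception):
    """Raised when the remote policy (authorization) backend is unreachable."""


def remote_policy_check(user: str, action: str, *, backend_up: bool) -> bool:
    """Stand-in for a network call to a policy server (constructed for the example)."""
    if not backend_up:
        raise PolicyServiceDown("policy server unreachable")
    return user == "alice" and action == "read"


def is_allowed_fail_open(user, action, *, backend_up=True) -> bool:
    """Availability first: during an outage every request is allowed, so the
    control silently disappears exactly when an attacker might cause the outage."""
    try:
        return remote_policy_check(user, action, backend_up=backend_up)
    except PolicyServiceDown:
        return True


def is_allowed_fail_closed(user, action, *, backend_up=True, log=None) -> bool:
    """Security first: during an outage deny, and make the failure visible."""
    try:
        return remote_policy_check(user, action, backend_up=backend_up)
    except PolicyServiceDown as exc:
        if log is not None:
            log.append(f"DENY {user} {action}: {exc}")
        return False


def is_allowed_with_grace(user, action, *, backend_up=True, cache, now, ttl=300) -> bool:
    """Fail closed, but honour a recent positive decision for `ttl` seconds so a
    short backend blip does not lock everyone out. Only ALLOW decisions are
    cached; a stale or missing entry still denies."""
    key = (user, action)
    try:
        allowed = remote_policy_check(user, action, backend_up=backend_up)
    except PolicyServiceDown:
        cached_at = cache.get(key)
        return cached_at is not None and now - cached_at <= ttl
    if allowed:
        cache[key] = now
    else:
        cache.pop(key, None)
    return allowed


def fire_drill(now: float) -> dict:
    """Simulate the backend outage and record how each design behaves."""
    cache = {}
    is_allowed_with_grace("alice", "read", cache=cache, now=now)  # warm the cache
    return {
        "fail_open_denies_attacker": not is_allowed_fail_open("mallory", "read", backend_up=False),
        "fail_closed_denies_attacker": not is_allowed_fail_closed("mallory", "read", backend_up=False),
        "grace_keeps_alice_working": is_allowed_with_grace(
            "alice", "read", backend_up=False, cache=cache, now=now + 60),
        "grace_expires": not is_allowed_with_grace(
            "alice", "read", backend_up=False, cache=cache, now=now + 600),
        "grace_denies_attacker": not is_allowed_with_grace(
            "mallory", "read", backend_up=False, cache=cache, now=now + 60),
    }
```

The drill is the point of the slide: run it before the real outage, and write down which mode each control is in. Fail-open is sometimes the right answer (a door lock during a fire), but it must be a decision, not a default nobody noticed.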
Policy and Training
• Security policy
  • Sets the context in which countermeasures are implemented
  • Expresses the system owner's intent
  • Countermeasures are prescribed by the security policy
• Training
  • How can people do the right thing if they don't know what the right thing is?
  • Integrate it into the daily workflows of the affected parties
  • Not disruptive hours of classroom training
  • Example: SecureAssist from Cigital, a "security spell check" that flags issues as code is written
Simple, Cheap, and Easy
• KISS (keep it simple, stupid) for countermeasure design
• 2012 Verizon Data Breach Investigations Report (DBIR)
  • 63% of the recommended preventive countermeasures were simple and cheap
  • Only 3~5% were difficult and expensive
• Identify and solve the obvious problems first
• Simple does not necessarily mean "manual and home-grown"
• Often more cost-effective to deploy "umbrella" countermeasures (e.g. a firewall) that compensate for a vast sea of vulnerabilities at once
Desktop Scenarios
• Remove the asset: data leak prevention (DLP) across the enterprise
• AAA for consolidated remote access
• Instrument the endpoint
  • Antimalware, configuration management, log shipping, HIPS, file system integrity monitoring (e.g. Tripwire)
• Network-based countermeasures
  • Signature-based detection
  • Watch the "top talkers" to spot data exfiltration
• Reactive countermeasures
  • Most desktop malware installs its persistence mechanism by hooking Windows ASEPs (AutoStart Extensibility Points), so audit those locations
  • Orderly failure: a forensic agent on the endpoint to support investigation after a compromise
  • Policy enforcement where possible
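The "top talkers" bullet as detection logic, an added example that is not from the book: per-host egress is summed from flow records and hosts far above the median are flagged. The flow lines, the internal address ranges and the 10x-median threshold are constructed assumptions; a large internal file-server copy is included to show that only traffic leaving the internal ranges counts.

```python
import csv
import io
import ipaddress
import statistics
from collections import defaultdict

# Constructed flow summaries: timestamp, source, destination, destination port,
# bytes sent by the source. Internal hosts are 10.0.1.x; 10.0.0.5 is a file server.
FLOWS_CSV = """\
ts,src,dst,dport,bytes
2023-03-01T09:01:00,10.0.1.10,203.0.113.20,443,210000
2023-03-01T09:02:00,10.0.1.11,203.0.113.20,443,180000
2023-03-01T09:03:00,10.0.1.12,203.0.113.21,443,250000
2023-03-01T09:04:00,10.0.1.13,198.51.100.7,443,300000
2023-03-01T09:05:00,10.0.1.14,198.51.100.7,80,120000
2023-03-01T09:06:00,10.0.1.10,10.0.0.5,445,900000000
2023-03-01T02:14:00,10.0.1.15,203.0.113.99,443,2100000000
2023-03-01T02:40:00,10.0.1.15,203.0.113.99,443,1800000000
"""

# Define "internal" explicitly for your site (assumption: RFC 1918). Do not use
# ipaddress.is_private for this: it also treats the documentation ranges used
# above and other special-purpose blocks as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    flows = list(csv.DictReader(io.StringIO(text)))
    for f in flows:
        f["bytes"] = int(f["bytes"])
    return flows


def egress_by_host(flows: list) -> dict:
    """Bytes each internal host sent to non-internal destinations."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["src"]] += f["bytes"]
    return dict(totals)


def top_talkers(flows: list, n: int = 5) -> list:
    """The n hosts with the most egress, largest first."""
    totals = egress_by_host(flows)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def flag_exfil_candidates(flows: list, factor: int = 10) -> list:
    """Hosts whose egress exceeds `factor` times the median host's. The median
    is robust to the outlier itself, unlike a mean; the factor is an assumption to tune."""
    totals = egress_by_host(flows)
    if len(totals) < 3:
        return []
    median = statistics.median(totals.values())
    return sorted(h for h, b in totals.items() if b > factor * median)
```

On the constructed data the desktop that pushed 3.9 GB to one external address at 2 a.m. is the only host flagged; the 900 MB copy to the internal file server never enters the egress total.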
Server Scenarios (1/2)
• Administrative privilege restriction
  • Strong AAA, e.g. Xsuite
  • IAM (Identity and Access Management): entitlement reviews, e.g. as required by Sarbanes-Oxley (SOX)
  • Hardening root access on UNIX: cracklib (password composition checking), Secure Remote Password (authentication and key exchange), OpenSSH, pam_passwdqc (password quality checking), pam_lockout (account lockout)
• Minimal attack surface
  • Disable unnecessary services: fewer listening services/ports means fewer doors, e.g. legacy NetBIOS and SMB
  • Use Windows Firewall to restrict access to the services that must stay on
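The "fewer listening ports" bullet as a check you can run, an added example rather than anything from the book: parse `ss -Hlntu` output, ignore loopback-only sockets, and report every network-reachable listener that is not on the host's allow list. The sample output and the allow list (SSH and HTTPS only) are constructed assumptions; `live_listeners` runs the real `ss` on a Linux host.

```python
import subprocess

# Constructed `ss -Hlntu` output (header suppressed) from a server that still has
# NetBIOS/SMB listening alongside the services it is supposed to offer.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      50           0.0.0.0:139       0.0.0.0:*
tcp   LISTEN 0      50           0.0.0.0:445       0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
udp   UNCONN 0      0            0.0.0.0:137       0.0.0.0:*
"""

# The services this host is meant to expose (assumption for the example).
ALLOWED = {("tcp", 22), ("tcp", 443)}


def parse_ss(text: str) -> list:
    """Return (proto, local address, port) for each listener line."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, port = local.rsplit(":", 1)   # handles "[::]:22" as well as "0.0.0.0:22"
        entries.append((proto, addr, int(port)))
    return entries


def is_loopback(addr: str) -> bool:
    addr = addr.strip("[]")
    return addr.startswith("127.") or addr == "::1"


def unexpected_listeners(entries: list, allowed: set) -> list:
    """Sockets reachable from the network that are not on the allow list.
    Loopback-only listeners are not exposed and are ignored."""
    found = {(p, port) for p, addr, port in entries if not is_loopback(addr)}
    return sorted(found - allowed)


def live_listeners() -> list:
    """Run ss on the local host (Linux; needs iproute2)."""
    out = subprocess.run(["ss", "-Hlntu"], capture_output=True, text=True, check=True).stdout
    return parse_ss(out)


if __name__ == "__main__":
    for proto, port in unexpected_listeners(live_listeners(), ALLOWED):
        print(f"unexpected listener: {proto}/{port}")
```

On the sample the three NetBIOS/SMB doors (tcp/139, tcp/445, udp/137) are reported; the MySQL socket bound to 127.0.0.1 is not, because it is not a door anyone outside the host can walk through. Each reported port is either disabled or added to the allow list with a reason.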
Server Scenarios (2/2)
• Strong maintenance practices
  • Follow Windows security patching guidance
  • Automated patch management tools, e.g. SMS (Systems Management Server)
  • Workaround for the window of exposure before a patch is released: block the affected inbound port
• Active monitoring, backup, and response
  • Customized detection and response plans for newly announced vulnerabilities
Network Scenarios
• Lower-layer TCP/IP firewall: filters on addresses and ports
• Upper-layer application firewall: catches SQL injection, cross-site scripting, etc.
• Deploy more granular firewalls with visibility and control at higher layers
• Segment higher-risk networks from more sensitive ones: DMZ
• Attacks on the network itself
  • Eavesdropping and traffic redirection (ARP spoofing): limit broadcast domains; authenticate and encrypt with 802.1X and WPA2 Enterprise
  • DoS: an asymmetric attack pattern (cheap to send, expensive to absorb); mitigation services such as Prolexic
  • DNS exploits: pay attention to configuration (restrict zone transfers and recursive queries)
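The DNS configuration bullet, worked as an added example (not the book's code): a weak BIND `named.conf` beside two corrected ones, and a small checker that brace-matches the `options` block and reports a missing or `any` `allow-transfer` and recursion left on without `allow-recursion`. The config fragments, ACL names and addresses are constructed; the checker only inspects `options`, so per-zone `allow-transfer` overrides are out of scope, and it treats an absent `allow-transfer` as a finding rather than trusting a version-specific default.

```python
import re

# Constructed named.conf fragments. The first is the weak configuration: no
# allow-transfer, and recursion left at BIND's default of "yes" with no
# allow-recursion restriction, so anyone can pull the zone and use the server
# as an open resolver.
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;
};
zone "example.com" {
    type master;
    file "example.com.zone";
};
"""

# Corrected authoritative-only server: no recursion, transfers only to the
# named secondaries.
HARDENED_AUTHORITATIVE = """
acl secondaries { 198.51.100.5; 198.51.100.6; };
options {
    directory "/var/named";
    recursion no;                      // authoritative only
    allow-transfer { secondaries; };
};
zone "example.com" {
    type master;
    file "example.com.zone";
};
"""

# Corrected internal resolver: recursion only for the trusted ACL, no transfers.
HARDENED_RESOLVER = """
acl trusted { 192.0.2.0/24; 10.0.0.0/8; };
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };
    allow-transfer { none; };
};
"""


def _strip_comments(text: str) -> str:
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # /* ... */
    return re.sub(r"(//|#)[^\n]*", "", text)             # // ... and # ...


def _block(text: str, name: str):
    """Body of the top-level `name { ... }` block (brace-matched), or None."""
    m = re.search(rf"\b{name}\s*\{{", text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1] if depth == 0 else None


def _directive(body: str, name: str):
    """Tokens inside `name { a; b; };`, or None if the directive is absent."""
    m = re.search(rf"\b{name}\s*\{{([^}}]*)\}}\s*;", body)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def audit_named_conf(text: str) -> list:
    """Return human-readable findings for the two misconfigurations on the slide."""
    opts = _block(_strip_comments(text), "options") or ""
    findings = []
    xfer = _directive(opts, "allow-transfer")
    if xfer is None:
        findings.append("allow-transfer not set: restrict zone transfers to your secondaries")
    elif "any" in xfer:
        findings.append("allow-transfer { any; }: anyone can download the full zone")
    m = re.search(r"\brecursion\s+(yes|no)\s*;", opts)
    recursion_on = m is None or m.group(1) == "yes"   # BIND defaults recursion to yes
    if recursion_on:
        allow_rec = _directive(opts, "allow-recursion")
        if allow_rec is None or "any" in allow_rec:
            findings.append("recursion on without allow-recursion: open resolver")
    return findings
```

An authoritative server and a resolver are different roles and are best kept on different hosts; the checker accepts either hardened form and rejects the one that is both open to transfers and an open resolver.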
Web Application and Database Scenarios
• Off-the-shelf (OTS) components
  • OTS packages: web servers, shopping carts, blog management, social interaction (web chat), etc.
  • Configure them properly and patch religiously
  • Strong DAM (Database Activity Monitoring) with blocking capability
• Custom-developed application code
  • A security program built into code development
  • BSIMM (Cigital's Building Security In Maturity Model): a downloadable framework and tools to assess your own program
Mobile Scenarios
• Impact from device theft, remote hacking, malicious apps, phone/SMS fraud, etc.
• Remove the data: decide whether the most sensitive data should be downloaded to devices at all
• Attackers with physical control of the device: debug mode, rooting, jailbreaking, etc.
• Keep a separate (physical or virtual) device for sensitive activities
• Enable a password lock and device wipe after successive failed logins
• Keep system and application software up to date
• Be very selective about the apps you download
• Install MDM (mobile device management) and/or security software
Summary
• Usability vs. security
• Diversify countermeasures: multiple parallel or serial obstacles
• Keep it simple, stupid
• Ground the choices in empirical studies, e.g. the Verizon Data Breach Investigations Report (DBIR)