Entering the Security Arena • Richard Bejtlich / rbejtlich@saball.com • Senior Engineer • Managed Network Security Operations • Ball Aerospace & Technologies Corp. • San Antonio, TX • 24 Oct 01
Introduction • Bejtlich = "bate-lik" • Senior engineer for managed network security operations, BATC (2001-) • Former captain at US Air Force Computer Emergency Response Team (1998-2001) • Student of network-based intrusion detection, computer forensics • http://bejtlich.net
Outline • Philosophy • Planning • Prevention • Detection • Response • Personnel development • Thank you to Dreamworks LLC and Universal Studios for Gladiator photos
Philosophy How can we best defend the empire against the barbarians of the North?
Philosophy • What is security? • Preservation of confidentiality, integrity, and availability of an organization's resources • Why does security matter? • Owners must trust their resources to do business • Customers avoid organizations they don't trust • Regulators disallow business without safeguards
Philosophy • How can security be achieved? • Plan by developing a security policy • Prevent exploitation where possible • Detect exploitation when it happens • React to exploitation, then resume operations • Constantly assess the tools and processes implementing these steps • Ensure your people are qualified
Planning Who wants to write a security policy? Anyone? Anyone?
Planning • Security cannot be achieved without policy • Written policy recommended, but not always needed in small, simple operations • Without a written policy, it is difficult to enforce your security objectives • Every computing resource is a manifestation of your security policy
Planning • What should a security policy discuss? • Acceptable use of resources (CPU, bandwidth) • Allow peer-to-peer (Gnutella, Napster), chat (IRC, AIM), remote control (VNC, pcAnywhere)? • Prohibitions on installing software, especially tools which may be used to escalate privileges • No reasonable expectation of privacy • If management doesn't agree, forget it
Planning • Minimum preparation for incident response • System administrator contact list; include names, titles, and numbers for home/cell phones • Network provider contact list • Management contact list (include PR and legal) • Agree upon response prior to compromise • Pursue and monitor with law enforcement help? • Recover, secure, and press on?
Planning • Back-ups can save the day • Copying critical files to tape, Zip, Jazz, CD-R • Hard copies may be warranted • Redundancy helps preserve availability • Network connectivity (separate ISPs) • Electricity (Uninterruptible Power Supplies) • Hot spares (web servers, network devices)
Prevention Sire, let me show you the latest offering from our security vendors.
Prevention • Prevention is continuous implementation of processes and tools to preserve security • Prevention relies upon understanding user and customer needs • Prevention demands appreciation of capabilities and intentions of intruders • Balancing user needs vs. threats is key
Prevention • What exactly must be prevented? • Confidentiality: exposure of information and resources to unauthorized parties • Integrity: manipulation of information and resources by unauthorized parties • Availability: preservation of ability of authorized parties to access information and resources
Prevention • Who constitutes the threat? • Disgruntled, curious, and former users • Competitors collecting business intelligence • Foreign intelligence services • Pranksters • Technologically literate activists • Forces of nature
Prevention • Risk = vulnerability X threat X recovery cost • A new vulnerability for Windows 2000 appears: you run Solaris, so vulnerability is zero • A new vulnerability for Windows 2000 appears: no one knows how to exploit it, so threat is zero • It takes zero effort to resume operations after compromise: recovery cost is zero • Taken collectively, risk is generally not zero
Prevention • Core principles • Grant users the least amount of privilege necessary to perform their work • Implement multiple, independent levels of defense which do not "fail open" • Learn of new vulnerabilities and apply countermeasures in a timely manner • Prevent what you can and detect everything else
Prevention • Core technologies • Screening/filtering routers • Firewalls • Virtual Private Networks • Authentication services • Anti-virus applications • Technology is only as useful as the operator who configures and uses it
Detection We detect clouds over Rome. Does this augur a dark future?
Detection • Prevention will never be 100% successful • Ignorance is not bliss. Ignorance causes: • Systematic, long-term compromise • Subtle manipulation of information for evil means • Complete loss of confidence by users, customers • Legal and financial losses in many cases • Detection is not optional. How one performs detection is the question.
Detection • Detection should be implemented in layers, as prevention is. Detect at these locations: • Network perimeter • Demilitarized zone • Bastion hosts • Critical internal hosts • User workstations, if manageable • Remote locations (e.g., home laptops)
Detection • Detection methodology • Baseline your systems processes. Know what services should be active on each. • Baseline your network traffic. Recognize normal internal and external patterns of use. • Implement processes and tools to detect deviations from these baselines. • Devote resources to these processes and tools
Detection • Detection technologies • Router and firewall logs • Network-based intrusion detection systems • Host-based intrusion detection systems • Anti-virus software • Personal workstation intrusion detection systems • Network traffic profiling software • Human brains
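The baseline-and-deviation method above, as an added example that is not part of the original slides: one baseline records which services each host is allowed to listen on, another records which destination ports the LAN normally talks to, and two functions report anything outside those baselines. The host names, listener inventory, firewall log format, and addresses are all constructed for illustration and do not correspond to any real vendor's output.

```python
"""Baseline-and-deviation detection (added example, not from the slides).

Two baselines are compared against two constructed inputs:
  1. a netstat-style listener inventory, checked against the services
     each host is supposed to expose;
  2. firewall log lines, checked for accepted outbound flows to ports
     the LAN does not normally use.
Only ACCEPTed flows matter for the second check: dropped traffic was
handled by prevention, accepted traffic is what detection must cover.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed baseline: services that should be listening on each host.
SERVICE_BASELINE = {
    "web1": {80, 443},
    "mail1": {25, 110},
    "dns1": {53},
}

# Constructed baseline of destination ports the LAN normally uses outbound.
OUTBOUND_BASELINE = {25, 53, 80, 443}

# Constructed LAN range (hypothetical).
LAN = ipaddress.ip_network("10.0.1.0/24")

# Constructed listener inventory, one "host port" pair per line.
LISTENERS = """\
web1 80
web1 443
web1 6667
mail1 25
mail1 110
dns1 53
dns1 31337
"""

# Constructed firewall log lines; the format is hypothetical.
FIREWALL_LOG = """\
Oct 24 10:01:02 fw ACCEPT src=10.0.1.5 dst=192.0.2.10 dport=80
Oct 24 10:01:05 fw ACCEPT src=10.0.1.5 dst=192.0.2.10 dport=443
Oct 24 10:01:09 fw ACCEPT src=10.0.1.7 dst=198.51.100.4 dport=6667
Oct 24 10:01:12 fw ACCEPT src=10.0.1.7 dst=198.51.100.4 dport=25
Oct 24 10:01:15 fw DROP src=203.0.113.9 dst=10.0.1.9 dport=31337
"""

LOG_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def unexpected_listeners(inventory, baseline):
    """Map host -> sorted list of listening ports not in that host's baseline.

    A host absent from the baseline is treated as allowed to expose nothing,
    so every listener on it is reported.
    """
    found = defaultdict(set)
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, port = line.split()
        found[host].add(int(port))
    deviations = {}
    for host, ports in found.items():
        extra = ports - baseline.get(host, set())
        if extra:
            deviations[host] = sorted(extra)
    return deviations


def unexpected_outbound(log, baseline, lan=LAN):
    """List (src, dst, dport) for ACCEPTed flows from the LAN to non-baseline ports."""
    hits = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m is None or m.group("action") != "ACCEPT":
            continue  # unparseable or already blocked by prevention
        src = m.group("src")
        if ipaddress.ip_address(src) not in lan:
            continue  # inbound flow; the listener check covers those hosts
        dport = int(m.group("dport"))
        if dport not in baseline:
            hits.append((src, m.group("dst"), dport))
    return hits


if __name__ == "__main__":
    for host, ports in unexpected_listeners(LISTENERS, SERVICE_BASELINE).items():
        print(f"{host}: unexpected listeners on ports {ports}")
    for src, dst, dport in unexpected_outbound(FIREWALL_LOG, OUTBOUND_BASELINE):
        print(f"{src} -> {dst}:{dport} outside outbound baseline")
```

The example reports the two rogue listeners (6667 on web1, 31337 on dns1) and the one accepted outbound IRC connection; the dropped probe of port 31337 is deliberately not reported, since the firewall already prevented it. In practice the baselines would be regenerated from a known-good state rather than typed by hand, and the checks run on a schedule so that a deviation is noticed within hours rather than months.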
Detection • Challenges to detection • Staying current with attack methods and tools • Numerous vulnerabilities discovered each week • Intruders constantly devise ways to evade standard detection methods • Do-it-yourself sensors are difficult to use • Staffing sufficient numbers of appropriately trained and compensated personnel
Response This is how WE deal with compromise, pal!
Response • Don't panic! Implement your plan. • Contact response personnel by phone, not email • Contain the intruder by isolating the victim host • Decide if you want to recover or pursue • If recovering: determine method of compromise, patch exploited system, then return to service • If pursuing: augment detection, refine isolation, then return to service until objectives satisfied
Response • Response considerations • System administrators may have more latitude for collection than law enforcement • Reporting incidents to law enforcement helps the community at large and shows you treat exploitation seriously • Evidence collected for prosecution must withstand intense scrutiny by defense lawyers
Personnel Development We shall assemble a force to be reckoned with. Who shall test our defenses?
Personnel Development • Your security is only as sound as the personnel planning and implementing your prevention, detection, and response • UNIX administrators are not comfortable with Windows environments, and vice versa • Training is a retention device, not a way for employees to learn-and-leave • Lack of training = organizational suicide
Personnel Development • Reputable training mechanisms: • Books: "My Picks" at http://bejtlich.net • Conferences: http://www.sans.org • Certifications: CISSP at http://www.isc2.org • Mentoring and in-house programs • Beware false prophets!
Conclusion I declare victory over the network intruders!
Conclusion • Security is a never-ending journey • Any positive steps are better than nothing • A small amount of effort can eliminate 80% of your vulnerabilities • A moderate amount of effort can eliminate 90% • A huge effort can eliminate 95% • Nothing can eliminate the remaining 5%