Security in the Trenches - PowerPoint PPT Presentation

1 / 44

About This Presentation

Title:

Security in the Trenches

Description:

Monitor threats and behavior without invading privacy ... Egotists. Competitors (business, romance, research, etc.) Free loaders. Anarchists. Exploiters ... – PowerPoint PPT presentation

Number of Views:30

Avg rating:3.0/5.0

Slides: 45

Provided by: garyf1

Category:

more less

Transcript and Presenter's Notes

Title: Security in the Trenches

1
Security in the Trenches
2
Who are the defenders in the trenches?

Security staff
Monitor threats and behavior without invading
privacy
Tactical calculation of acceptable risk and
response
Design trenches that allow free flow of
information and services
Respond to breeches and threats without causing
harm

3
Who are the defenders in the trenches?

Everyone at a keyboard
Everyone with a network connection
Everyone that uses or manages Information
Technology

4
Who are the defenders in the trenches?

Students
Exposed to constant scans, malicious messages,
and fraud attempts.
Cant trust messages from their friends or even
the administration or support organization
(administration_at_jmu.edu, support_at_jmu.edu )
Computer malfunctions and compromise of personal
information and accounts
Potential identity theft victims when central
stores of information are compromised

5
Who are the defenders in the trenches?

Faculty
Exposed to constant scans, malicious messages,
and fraud attempts.
Threat environment makes it difficult to
experiment safely.
Confidential commercial research may be
compromised
Fulfilling grant security requirements complicate
research efforts
Lose valuable messages in storm of SPAM
Unable to get or share information because
criminal element has made it too risky

6
Who are the defenders in the trenches?

Staff
Exposed to constant scans, malicious messages,
and fraud attempts.
Safeguard information of constituents
Spyware calls burying support resources making
them unavailable to others
Responding to constant stream of threats.
Fear of being the person who makes the next
headlines by clicking the wrong thing.
Loss of trust

7
Who are the defenders in the trenches?

Management
Exposed to constant scans, malicious messages,
and fraud attempts.
Strategic calculation of acceptable risk and
response
Hesitant to offer forward thinking services
because of risk.
Headlines dont explain acceptable and
residual risk.
Risk is always unacceptable if an incident
occurs.
Growing security expenditures take from line of
business needs

8
Who are the defenders in the trenches

General Public
Exposed to constant scans, malicious messages,
and fraud attempts.
Lose battles daily for control of their
computers, documents, and accounts
Deluged with simplistic, ineffective, overly
complex, sensationalist, and/or accusing advice.

9
WE ARE ALL IN THE TRENCHES!

Defending
Our own computer and information
Our constituents information and services
Our organizations information and services

10
Trench Warfare

Trench - a long, narrow ditch dug by soldiers for
cover and concealment
Trench Warfare form of fighting whereby two
sides fight each other from opposing trenches
Conscription a system of compulsory recruitment
for the armed forces
Home Front the name given to the part of war
that was not actively involved in the fighting
but which was vital to it
No-mans land the barren territory that lay
between the opposing Allied and German trenches
on the Western Front
Attrition strategy of wearing down the enemy
through continual attack and pressure
Deterrent something designed to stop a person
or people from doing something
Entrenched to be fixed or deeply rooted in an
area
Retaliation to fight back, revenge
Shell shock medical condition caused by
prolonged exposure to the distressing experiences
of trench warfare
Stand-down name given to the daily evening
routine in the trenches

11
Who is the Enemy?

Vandals
Joy Riders
Graffiti artists
Kids and professionals
Thieves
Extortionists
Manipulators
Voyeurs
Egotists
Competitors (business, romance, research, etc.)
Free loaders
Anarchists
Exploiters
Terrorists

Multiple simultaneous enemies
Multiple motivations
Varying capabilities

12
Where are the enemies trenches?

They have none!
Worldwide, instant mobility
Worldwide, anonymous mobility
Worldwide, unrestricted mobility
At every network connection
At every keyboard
At every exposed web site

13
Guerilla Warfare

Guerrilla warfare operates with small, mobile and
flexible combat groups without a front line
Guerrilla tactics are based on ambush, sabotage,
espionage, and avoiding the response of the
defenders through greater mobility
The mobility provided by the Internet and the
ability to commandeer computers results in the
attackers being able to wage open warfare on the
defenders with relative anonymity.
Freely available weaponry on the Internet
Mercenaries BOTS
Smart bombs - viruses, worms

14
Where are our weaknesses?

Our networks provide attacker mobility
Global
Limitless
Unauthenticated

15
What are our Weaknesses?

Networks and Societies Must Have Cooperation to
Work
Throwing bricks through windows
Driving down the wrong side of the street
Stealing mail from mailboxes
Can you secure your house or car?
The Internet extends the reach of uncooperative
members

16
Where are our weaknesses?

Our Systems provide soft targets
Complex error prone in design, implementation,
configuration, and usage
Defective security controls
Lack of access controls in most default
configurations
Not designed for hostile environment
Not maintained for hostile environment

17
Where are our weaknesses?

We, ourselves, provide opportunity
Complexity breeds mistakes
Decisions
Design
Implementation
Configuration
Operation
Priorities
We cannot spend all our time on defense nor make
all our decisions based on security.
The attackers have no such limitations
Acceptable risk
Conflicting Business Goals
Desire for universal, easy accessibility
Minimize access controls for location, method,
source, or destination
Desire for autonomy and personalization

18
Where are Our Weaknesses?

An intruder only has to find one entry point.
A defender has to close or watch all entry
points.
One mistake, one oversight, one wrong mouse click
creates opportunity for the attacker

19
Battle Statistics

Thousands of infected e-mail messages received
daily
60 of incoming e-mail messages are SPAM
dozens, sometimes hundreds, containing fraud
attempts such as phishing and Nigeria scams

20
Battle Statistics

Malicious Instant Message Events

21
Battle Statistics
Malicious Web Sites
22
Battle Statistics

Incoming Network Scans

23
Symantec Internet Security Threat Report
January-June 2005

10,866 new Windows viruses
Of the 50 most common reported, 74 expose
confidential information
10,352 BOTS detected per day
1,862 new software defects
Average time to exploit 6 days
Average time to patch 54 days
5.7 million fraudulent phishing email messages
per day

24
Issues and Incidents

Lifetime of unpatched computer
Malware sophistication
Security software neutralization
Back channel communications, instant notification
BOTS
Distributed Denial of Service
Rootkits
Keyloggers
Unrecognized malware
Exploits of unfixed defects
Below the radar communications
Social engineering

DDOS
E-gold
E-bay hijack
E-bay phish
IM keylogger data stream
Organized crime
Targeted spam Lexus Nexus
Higher Education incidents
Credit Card battle
One mistake

25
What are we trying to protect?

Confidentiality
Integrity
Availability
if we dont protect them we may have

26
If we dont protect C-I-A we may have

Liability
Operational disruption
Theft
Vandalism
Loss of reputation, confidence, and/or trust
...which may lead to the loss of

27
Which may lead to the loss of

Time
Money
Freedom
Jobs
Mission
Quality of Life (in the worst case, life itself
health, military, terrorism)

28
Security Goal

Reduce the risk of loss to an acceptable level
We can not eliminate risk. There will always be
residual risk.
Reducing risk will always have costs
Time (always)
Money
Access
Convenience
Privacy
Freedom
Complaints
Quality of life
Service delivery
Compare to costs of security incidents on
previous slide - balance

29
Security Keystones
Security
30
Security Keystones

Awareness of the risks and a desire to do
something to reduce those risks
Assessment of the risks and a willingness to
accept the costs of addressing unacceptable risks
leading to
Policies and procedures to reduce the risks to an
acceptable level
Controls enforcing the policies and procedures
Monitoring operation of the controls and
compliance with policies and procedures
Responding to non-compliance incidents and
altered risk assessment parameters through
changing awareness
Repeat as necessary
Best practices and common sense can shorten the
process, though without detailed analysis and
comparisons, one may be led into a false sense of
security and/or unproductive efforts.

31
Security Keystones

No one keystone can stand alone
No keystone is infallible.
Multiple layers of each keystone provide the best
protection to minimize effects of failures and
mistakes

32
Keystone Risk Assessment

The factors that go into a risk assessment are
constantly changing.
Value
Threats
Vulnerabilities
Probabilities
Exposure
Attack Activity
Motivation

33
Keystone Risk Assessments

Risk Consequence x (threat x vulnerability)
Consequences are rising rapidly as more services
and data are made accessible online and systems
are interconnected
Threats are rising rapidly as attacks grow in
number and sophistication
Vulnerabilities are still rising as software gets
more complex, services are pushed out faster,
more services are exposed, automated exploit kits
proliferate, and businesses struggle with global
competition
Risk will increase for the foreseeable future

34
Generalizing Risk Assessment Best Practices

Provide access only to that which is needed
(default deny and least privilege)
Defense in depth (i.e. redundant layers)
These fundamental security principles havent
changed in centuries. We ignore them at our peril.

35
Keystone - Policies and Procedures

Surrounds the whole process
Like a risk assessment, usually lags the
environment and is difficult to implement for
varying, complex systems needing good reaction
times.

36
Keystone Access ControlLayered Defense Theory
37
Keystone Access ControlLayered Defense Practice
Backup Systems
Self Service Student Information and Human
Resources Systems
Faculty/Staff (indirect path)
Desktops and other unidentified sensitive systems
38
What Data is on Your Desktops?

Grades
SSN
Credit Cards
Performance Evaluations
Medical
Resumes
Research
Vendor
Purchasing
Financial Reports
Organizational Planning
Environmental control systems
Credit card processing systems
Building entry and security systems
ID/debit card systems

Office desktops?
Home desktops?
Laptops?
CD?
USB Drive?
Floppy?
Cell phone?
PDA?
Shared folder?
One mistake

39
Keystone - Access Control

Granting access indicates explicit trust
Not controlling access indicates implicit trust
To read
To alter
To destroy
The more we depend upon trust, the less control
we have.
SPAM
Network access Scanning, bandwidth depletion,
denial of service attacks, exploit attempts,
unauthorized account access, patch urgency
Computer access running malicious programs,
unsafe configurations, incompatible
configurations
Inappropriate use

40
Trust gt Risk

Ignorance (failure of awareness)
Faulty Risk Assessment assumptions
Failed Access Controls
Failed Monitoring Processes
Inadequate Response
Inappropriate Use
Misplaced TRUST
Unaccepted Access gt Unaccepted Risk
The more we trust, the more we better monitor.

41
Keystone - Monitoring

We have to monitor unless
Our trust in everything is 100 justified
The factors that went into the risk assessment
dont change
Were not interested in detecting when were the
victim of the residual assumed risk.
As malware and attacks move toward encrypted open
ports (web), monitoring is going to be a lot
harder.
The more we trust, the more we better monitor.

42
Risk Evolution