beware the firewall my son: the workshop

Post on 19-Jan-2015

Category: Technology

DESCRIPTION

Nothing strikes fear into the heart of an engineer more than the installation of a firewall to achieve the laudable goal of defense-in-depth through network segmentation. Security teams demand the implementation of firewalls telling everyone, “It’s for compliance!” But the addition of firewalls and other security appliances (aka chokepoints) into an infrastructure infuriates network engineers who design to optimize speed and minimize latency. Sysadmins and DBAs are equally frustrated, because of the increased complexity in building and troubleshooting applications. So it’s down the rabbit hole we go trying to achieve the unachievable with everyone waxing rhapsodic for those bygone days when the end-to-end principle ruled the Internet. Is it really possible to have security coexist with operational efficiency? Organizations seem happy to throw money at technology and operations, but when it comes to policies and procedures, they fail miserably. This is the biggest problem with building a layered design. As engineers, if we don’t have clear policies as a set of requirements, how will we determine the appropriate network segmentation and protections to put in place? The answer lies in aligning network segmentation with an organizational data classification matrix and understanding that while compliance and security often overlap, they’re not the same.

TRANSCRIPT

Beware the Firewall, My Son!

The Jaws That Bite, The Claws That Catch!

The Workshop*

*With apologies to Lewis Carroll

Who Am I?

• Michele Chubirka, aka Mrs. Y.
• Senior security architect.
• Blogs and hosts Healthy Paranoia, information security podcast channel of Packetpushers.

• Researches and pontificates on topics such as security architecture and best practices.

Agenda

• Firewall State of the Union
• Current Architectural Models
• Challenges
• Security Vs. Compliance
• Design Recommendations
• Case Study
• Overcoming Barriers

Let’s Make it Simpler

Why? What? How?

Beware the proxy server, and shun The frumious packet filter!

WHY?

What’s the big deal, can’t I just install a firewall to protect my organization?

Recent Findings: Trustwave and Verizon

• Customer records make up 89% of breached data.

• 92% of breaches come from outsiders.

• 76% of intrusions utilize weak or stolen credentials.

Death of AV?

• In 2012, SANS and Bruce Schneier publicly criticized effectiveness of anti-malware protection.

• According to Mikko Hypponen of F-Secure:

“Stuxnet went undetected for more than a year after it was unleashed in the wild, and was only discovered after an antivirus firm in Belarus was called in to look at machines in Iran that were having problems.”

Are You Depressed Yet?

The most common password used by organizations is “Password1” because it satisfies the default Microsoft Active Directory complexity setting.

Trustwave 2012 Global Security Report

Only 16% of compromises were self-detected and attackers had an average of 173.5 days before detection.

Verizon Data Breach Report 2013

“…three-quarters of breaches are of low or very low difficulty for initial compromise, and the rest land in the moderate category.”

Verizon Data Breach Investigations Report 2013

[Three chart slides, source: Verizon Data Breach Investigations Report 2013]

“When you consider the methods used by attackers to gain a foothold in organizations—brute force, stolen creds, phishing, tampering—it’s really not all that surprising that none receive the highly difficult rating. Would you fire a guided missile at an unlocked screen door?”

High Profile Attacks

• Major news media organizations compromised.
• DDoS attacks against financial institutions.
• Breach of credit card processor Global Payments went undetected for over a year with 7 million accounts compromised.
• Prominent defense contractors penetrated via information stolen from RSA Security.

Do you think they had firewalls?

"The entire security industry is wired so that the oldest and least effective methods will profit most….”

Josh Corman, Director of Security Intelligence at Akamai, the content delivery network.

Why Do We Say We Use Firewalls?

• Infosec design “best practice.”
• Because compliance rules and auditors say so.
• To protect data, applications, servers and users from attacks.

Why Do We Really Use Firewalls?

FUD (Fear, Uncertainty and Doubt)

Why Do We Still Use Firewalls?

According to Infoworld’s Roger Grimes, they “…need to go away.”

• Most attacks are client-side (http and https) and can bypass the firewall rules.
• Network choke-points.
• Rules are a mess, often breaking access.
• Management is difficult, at best.
• More of a problem than a solution.

Why Do You Hate Firewalls?

I don’t hate firewalls. I hate how we use them.

April Fool’s RFC 3514

Firewalls [CBR03], packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. The problem is that making such determinations is hard. To solve this problem, we define a security flag, known as the "evil" bit, in the IPv4 [RFC791] header.

April Fool’s RFC 3093

We propose the Firewall Enhancement Protocol (FEP).… Our methodology is to layer any application layer Transmission Control Protocol/User Datagram Protocol (TCP/UDP) packets over the HyperText Transfer Protocol (HTTP) protocol, since HTTP packets are typically able to transit Firewalls. … FEP allows the best of both worlds: the security of a firewall, and transparent tunneling through the firewall.

Questions?

WHAT?

She took her vorpal sword in hand:  Long time the TCP flow she sought --

Definitions Con’t: Firewall

From The Oxford American Dictionary:

A wall or partition designed to inhibit or prevent the spread of fire. Any barrier that is intended to thwart the spread of a destructive agent.

A firewall does not prevent a fire.

So rested she by the DMZ,  And stood awhile in thought.

Current Model: The Sandwich

Typical Network Security Segmentation

INET : Public facing, the internet.

CORP : Corporate network, your user community.

DATA : Database systems

APP: Applications

DMZ : Anything requiring public access; web-front ends, mail, DNS

MGMT : management segment

PCI or other compliance standards are usually wedged in somewhere as an afterthought.

Typical Data Classification Model

• Routine or Public

• Sensitive

• Private

• Business-Critical or Confidential

Routine or Public

Information not presenting a risk to the business if it were compromised. The lowest degree of protection.

Examples:
• Master list of projects
• Employee names associated with public projects or documents

Sensitive

Information not of specific value to an attacker, but it might provide information that could be useful in an attack.

Examples:
• Details of a project
• Employee email addresses
• Types of applications used internally

Private

Personal information that the organization is required to keep secure, either by regulation or to maintain the confidence of its customers. Disclosure could impact reputation of company.

Examples:
• Credit card information
• Medical data

Business-Critical or Confidential

Internal data containing details about how the organization operates its business. Could affect the organization's competitive advantage or have a financial impact if it were compromised.

Examples:
• Intellectual property
• Source code

What You Really Get

And, as in uffish thought she stood,The firewall, with eyes of flame,

Data Owner

Member of the management team who makes decisions regarding data and is ultimately responsible for ensuring its protection.

Data Custodian

Individual, usually in the security department, who is a delegate appointed by the data owner to oversee the protection of data. The responsibilities of this role could also be divided between various roles in an operations team.

The Challenge

• The data owner is responsible for classifying information within an organization.
• A Security team is responsible for managing the technical or logical controls for accessing data.
• They are data custodians for the data owners.
• The challenge is to ensure that they closely align the network security segmentation design with an information classification matrix.
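As an added example (not code from the talk), here is that alignment check expressed as policy-as-code, covering both the sandwich zones from the segmentation slide and the classification-to-zone placement from the data classification slides: a zone-to-zone allow matrix, a placement rule per data class, and a review over a constructed inventory and flow list. The allow matrix, the placement rules, the system names and the flows are all assumptions made for illustration; in practice the matrix comes from the data owner, and the security team only encodes it.

```python
"""Checking a proposed design against the zone model and classification matrix.

Added example, not code from the talk. The zone-to-zone allow matrix, the
classification-to-zone placement rules, the system names and the flows are
assumptions constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

ZONES = ("INET", "DMZ", "APP", "DATA", "CORP", "MGMT")

# Source zone -> destination zones a flow may cross. Assumption: the sandwich
# only lets traffic step one layer inward (INET->DMZ->APP->DATA), CORP users
# reach front ends and applications but never DATA directly, nothing initiates
# toward INET from inside, and only MGMT may reach every internal zone.
ALLOWED_FLOWS: Dict[str, Set[str]] = {
    "INET": {"DMZ"},
    "DMZ": {"APP"},
    "APP": {"DATA"},
    "CORP": {"DMZ", "APP"},
    "DATA": set(),
    "MGMT": {"DMZ", "APP", "DATA", "CORP"},
}

# Classification -> zones where a system holding that data may live.
# Assumption: this is what the data owner's classification matrix would say.
PLACEMENT: Dict[str, Set[str]] = {
    "Public": {"DMZ", "APP", "DATA", "CORP"},
    "Sensitive": {"APP", "DATA", "CORP"},
    "Private": {"DATA"},
    "Confidential": {"APP", "DATA"},
}


@dataclass(frozen=True)
class System:
    name: str
    zone: str
    data: FrozenSet[str]  # classifications of the data the system stores


def check_placement(systems: List[System]) -> List[str]:
    """Flag systems sitting in a zone their data classification does not permit."""
    findings = []
    for s in systems:
        if s.zone not in ZONES:
            findings.append(f"{s.name}: unknown zone {s.zone}")
            continue
        for cls in sorted(s.data):
            if s.zone not in PLACEMENT.get(cls, set()):
                findings.append(f"{s.name}: {cls} data is not permitted in {s.zone}")
    return findings


def check_flows(systems: List[System], flows: List[Tuple[str, str, int]]) -> List[str]:
    """Flag flows whose zone crossing is outside the segmentation model.

    Same-zone flows are accepted: a firewall between zones never sees them,
    so they are out of scope for this check (assumption).
    """
    zone_of = {s.name: s.zone for s in systems}
    findings = []
    for src, dst, port in flows:
        if src not in zone_of or dst not in zone_of:
            findings.append(f"{src}->{dst}:{port}: unknown system")
            continue
        sz, dz = zone_of[src], zone_of[dst]
        if sz != dz and dz not in ALLOWED_FLOWS.get(sz, set()):
            findings.append(f"{src}->{dst}:{port}: {sz}->{dz} is not an allowed crossing")
    return findings


# Constructed inventory: one system per layer plus a CORP file share.
SYSTEMS = [
    System("partner-api", "INET", frozenset()),
    System("web01", "DMZ", frozenset({"Public"})),
    System("app01", "APP", frozenset({"Sensitive"})),
    System("db01", "DATA", frozenset({"Private", "Confidential"})),
    System("fileshare", "CORP", frozenset({"Sensitive", "Private"})),
    System("jump01", "MGMT", frozenset()),
]

# Constructed flow requests, as a network team might submit them.
FLOWS = [
    ("web01", "app01", 8443),      # DMZ -> APP: fine
    ("app01", "db01", 5432),       # APP -> DATA: fine
    ("web01", "db01", 5432),       # DMZ -> DATA: skips the APP layer
    ("fileshare", "db01", 5432),   # CORP -> DATA: users straight to the database
    ("db01", "partner-api", 443),  # DATA -> INET: outbound path from the crown jewels
    ("jump01", "db01", 22),        # MGMT -> DATA: fine
]


def review(systems=SYSTEMS, flows=FLOWS) -> List[str]:
    """Placement findings first, then flow findings."""
    return check_placement(systems) + check_flows(systems, flows)


if __name__ == "__main__":
    for line in review():
        print(line)
```

Run as a script it reports four findings: the file share holding Private data in CORP, and three flow requests that cut across the sandwich. The point is that each request is judged against the agreed model and the classification matrix, not against whatever rules happen to be on the firewall already; that is what makes the rule base explainable to the network and application teams instead of a pile of exceptions.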

Came whiffling through the Ethernet, And burbled as it came!

Security Vs. Compliance

• Adherence to PCI-DSS, SOX, HIPAA or any other compliance standard does not equate to organizational security.

• Compliance is conformance to a standard dictated by a governing body.

Definitions

Compliance - the act of conforming, acquiescing, or yielding. A tendency to yield readily to others, especially in a weak and subservient way. Conformity; accordance: in compliance with orders. Cooperation or obedience.

From The American Heritage Dictionary

Definitions

Security - freedom from danger, risk, etc.; safety. Freedom from care, anxiety, or doubt; well-founded confidence. Something that secures or makes safe; protection; defense. Precautions taken to guard against crime, attack, sabotage, espionage, etc.

From The American Heritage Dictionary

Compliance != Security

Venn diagram courtesy of @grecs

The Auditor Is Not Your Friend

Questions?

HOW?

Emphasize strategic solutions over tactical ones.

One, two! One, two! And through and through  The vorpal blade went snicker-snack!

Elements of a Good Security Design

• Well-documented data classification model
• Business service catalog
• Technical service catalog

Information Classification Best Practices

• Data represents the digital assets of a company.
• Different data has varying levels of value, organized according to sensitivity to loss, disclosure, or unavailability.

• Data is segmented according to level, then security controls are applied.

• An information classification matrix represents the foundation of a security design.

For additional information, see “Understanding Data Classification Based On Business and Security Requirements” by Rafael Etges and Karen McNeil

The Goal: Enterprise Security Architecture

• Integration of security into the enterprise architecture.
• Design driven by business needs.
• Built in, not bolted on.
• Utilize frameworks or models such as OSA (Open Security Architecture) and SABSA (Sherwood Applied Business Security Architecture).

Definition

Security Architecture

“…the art and science of designing and supervising the construction of business systems, usually business information systems, which are: free from danger, damage, etc.; free from fear, care, etc.; in safe custody; not likely to fail; able to be relied upon; safe from attack.”

From Enterprise Security Architecture: A Business-Driven Approach

OSA Design Principles

The design artifacts that describe how the security controls (= security countermeasures) are positioned, and how they relate to the overall IT Architecture.

A New and Improved DMZ Sandwich

http://www.opensecurityarchitecture.org/cms/en/library/patternlandscape/286-sp-016-dmz-module

SABSA Overview

SABSA Model

Contextual Layer – Business policymaking, risk assessment, requirements collection and specification.

Conceptual Layer – Programs for training and awareness, business continuity, audit/review, process development, standards and procedures.

Logical Layer – Security policymaking, classification, management of security services, audit trail monitoring.

Physical Layer – Development and execution of security rules, practices and procedures.

Component Layer – Products, technology, evaluation and selection of standards and tools, project management.

SABSA Matrix

Security Architecture Lifecycle

Form Follows Function

• What's the purpose of the structure? Who must it serve?
• What's the environment like? Is it closed or open? What is the context?
• Complex or simple? Think of the technical environment and the capabilities of those involved.

Definitions

Defense-in-depth

According to the Committee on National Security Systems Instruction No. 4009, National Information Assurance Glossary, it is defined as:

IA [information assurance] strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of networks.

Defense-in-depth consists of multiple types of controls, not only multiples of the same control.

Multi-Layered Security

1. Information Assets
2. Data Security
3. Application Software Security
4. System Software Security
5. Hardware Security
6. Physical Security
7. Procedures, Training, Audit, Business Continuity
8. Policy

It is like an onion!

Security Service Types

• Prevention
• Containment
• Detection and notification
• Event collection and event tracking
• Recovery and restoration
• Assurance

Think in terms of services, not products or solutions. You need to consider all of them when addressing requirements.

Security as an enabler of business, not a roadblock.

“Consider the brakes on a car…. having better brakes enables the car to be driven at much higher speeds, because the driver now has the confidence that if the need arises, braking will be fast and efficient.”

From Enterprise Security Architecture: A Business-Driven Approach

She left it dead, and with its NAT policy, she went galumphing back.

Implementing Good Network Segmentation: Phase One

1. Establish a new network segmentation model, based upon some of the existing or implicit standards from your security team.

2. Verify that this will meet current compliance needs, proactively.

3. Document this fully and get sign off, so that there is an agreed upon model or standard for all divisions.

4. Build new systems and networks on this design, migrating legacy systems where possible with minimal impact to customers and when required for compliance.

Implementing Good Network Segmentation: Phase Two

1. Build a business and service technical catalog, then a full data classification matrix.

2. Develop the next generation of network segmentation based upon the data classification matrix.

3. Document this fully, so that there is an agreed upon model or standard.

Implementation of phase one will make phase two feasible. The goal is a thoughtful design that meets the needs of all customers and divisions within an organization.

Case Study: Recovery from PCI-DSS Audit Failure

1. Inventory of the cardholder data environment (CDE).
2. Data classification.
3. User classification.
4. Proposed segmentation based upon the intersection of users and data.
5. Documentation of business rules.

Warning: You will experience PCI scope creep. Think of anything touching the CDE as contaminated and plan accordingly.
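An added example (not code from the talk) of the scope creep the warning describes: treat any system with a permitted flow to or from the CDE as in scope, and let shared services that land in scope (directory, monitoring) carry scope onward to whatever they touch. The system names, the firewall rules and the scoping rule itself are constructed assumptions for illustration, not PCI DSS text. It runs three scenarios: a flat network with no firewall, a segmented network whose CDE still authenticates against the corporate directory, and one with a dedicated CDE directory.

```python
"""PCI scope: what is "touching" the cardholder data environment.

Added example, not code from the talk. It models the case-study warning that
anything touching the CDE is contaminated: every system with a permitted flow
to or from a CDE system is pulled into scope, and shared services that land in
scope pull in whatever they touch in turn. The system names, firewall rules and
the scoping rule itself are assumptions made for illustration, not PCI DSS text.
"""
from typing import Dict, Iterable, Set, Tuple

Rule = Tuple[str, str, int]  # (source, destination, port); "*" means any system


def expand(rules: Iterable[Rule], systems: Set[str]) -> Set[Tuple[str, str]]:
    """Turn rules into concrete (src, dst) pairs, expanding '*' wildcards."""
    pairs = set()
    for src, dst, _port in rules:
        for s in (systems if src == "*" else {src}):
            for d in (systems if dst == "*" else {dst}):
                if s != d:
                    pairs.add((s, d))
    return pairs


def pci_scope(cde: Set[str], rules: Iterable[Rule], systems: Set[str],
              shared_services: Set[str] = frozenset()) -> Dict[str, Set[str]]:
    """Split systems into 'cde', 'connected' (touches the CDE) and 'out'.

    Scope spreads from the CDE across any permitted flow, in either direction
    (the rule is what matters, not who initiates). Ordinary systems absorb
    scope without passing it on; shared services (directory, monitoring,
    patching) pass it on, since compromising them reaches the CDE. Assumption.
    """
    neighbours: Dict[str, Set[str]] = {s: set() for s in systems}
    for s, d in expand(rules, systems):
        neighbours.setdefault(s, set()).add(d)
        neighbours.setdefault(d, set()).add(s)
    seen, connected, frontier = set(cde), set(), set(cde)
    while frontier:
        nxt = set()
        for node in frontier:
            for n in neighbours.get(node, ()):
                if n not in seen:
                    seen.add(n)
                    connected.add(n)
                    if n in shared_services:
                        nxt.add(n)
        frontier = nxt
    return {"cde": set(cde), "connected": connected, "out": set(systems) - seen}


# Constructed estate: a two-box CDE, a jump host, monitoring, corporate AD,
# and ordinary corporate systems. ad-cde is the dedicated directory added later.
SYSTEMS = {"pos-db", "pos-app", "jump01", "mon01", "ad01",
           "hr-app", "wiki", "laptop-a", "laptop-b"}
CDE = {"pos-db", "pos-app"}
SHARED = {"ad01", "ad-cde", "mon01"}

# Rules every scenario has: the app tier, the jump host, CDE monitoring.
COMMON = [("pos-app", "pos-db", 1433), ("jump01", "pos-db", 22),
          ("jump01", "pos-app", 22), ("mon01", "pos-db", 161),
          ("mon01", "pos-app", 161)]

# 1. No firewall at all: a single any/any rule.
FLAT = [("*", "*", 0)]
# 2. Segmented, but the CDE still authenticates to the corporate directory.
SEGMENTED_CORP_AD = COMMON + [("*", "ad01", 389)]
# 3. Segmented, with a dedicated directory for the CDE and explicit corp rules.
DEDICATED_AD = COMMON + [
    ("pos-db", "ad-cde", 389), ("pos-app", "ad-cde", 389), ("jump01", "ad-cde", 389),
    ("jump01", "ad01", 389), ("hr-app", "ad01", 389), ("wiki", "ad01", 389),
    ("laptop-a", "ad01", 389), ("laptop-b", "ad01", 389),
    ("laptop-a", "wiki", 443), ("laptop-b", "wiki", 443),
]


def scenarios() -> Dict[str, Dict[str, Set[str]]]:
    return {
        "flat": pci_scope(CDE, FLAT, SYSTEMS, SHARED),
        "segmented_corp_ad": pci_scope(CDE, SEGMENTED_CORP_AD, SYSTEMS, SHARED),
        "dedicated_ad": pci_scope(CDE, DEDICATED_AD, SYSTEMS | {"ad-cde"}, SHARED),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: in scope={len(result['cde']) + len(result['connected'])}, "
              f"out={sorted(result['out'])}")
```

The middle scenario is the trap the warning points at: the firewall is in place, but one any-to-directory rule plus a shared directory puts every laptop and the HR application back in scope. Only the dedicated directory shrinks scope to the CDE, the jump host, monitoring and that directory. Whether a jump host that also talks to corporate AD should itself propagate scope is a judgement call; tightening the rule is a one-line change to the shared-services set.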

Now for the Real Challenge

Prevention is a hard sell.

A NEW KIND OF INGRATITUDE

Who gets rewarded, the central banker who avoids a recession or the one who comes to "correct" his predecessors' faults and happens to be there during some economic recovery?

...everybody knows that you need more prevention than treatment, but few reward acts of prevention. …We humans are not just a superficial race (this may be curable to some extent); we are a very unfair one.

-from “The Black Swan” by Nassim Taleb

Selling the Design

• The WAY we present information is just as important as WHAT we present.

• In the first few minutes we interact with someone, we’re being assessed for our potential to provide reward or punishment.

The Threat Response

• Cortex receives input.
• Limbic system, the emotional area, and prefrontal cortex (the executive or evaluator of the brain) take in data simultaneously.

• Amygdala, responsible for emotional response and memory, acts as an alarm activating fight/flight response if threat is perceived.

• Sympathetic nervous system sets up organs and muscles for fight/flight response.

Key Concepts

• The limbic system is an “open loop,” influenced by other people’s emotions, aka mirror neurons. Also known as emotional contagion.

• The brain has a negativity bias because the limbic system is quicker than the prefrontal cortex at perceiving and analyzing potential threats.

• Traumatic experiences are “stickier” than positive, happy experiences, i.e. harder to un-map.

No Escape From Threat

• Most of us are in a permanent state of cortisol overload due to the constant stressors of modern life and the fact that stress hormones stay in the body for hours.

• This decreases intellectual capacity, memory capacity and lowers impulse control.

• Stress makes you stupid.

Amygdala Hijack

Intense and immediate emotional reaction, followed by the understanding that it was inappropriate.

Examples

• I thought that stick on the ground was a snake!

• I don’t like you or I’m bored, so I won’t cooperate or listen to what you have to say.

• That guy who cut me off in traffic was trying to kill me!

• Why were you so insulting to me in that email yesterday? (studies show there’s a negativity bias in email.)

Thin Slicing: Bedside Manner

• In an analysis of malpractice lawsuits, there was no correlation between the number of mistakes by doctors and how many lawsuits were filed against them.

• In studies, psychologists were able to predict which doctors would be sued more by analyzing the amount of time spent with patients and if the tone of their voices sounded “concerned.”

Mirror Neurons

Marie Dasborough observed two groups:
• One group was given negative feedback accompanied by positive emotional signs, nods and smiles.
• Another was provided positive feedback that was delivered using negative emotional cues, frowns and narrowed eyes.

Entrainment

• Those who received the positive feedback accompanied by negative emotional signs reported that they felt worse than participants who received negative feedback given with positive emotional cues.

• Delivery was more important than the message.

• This is similar to a phenomenon known in physics as entrainment.

Conflict Avoidance != Conflict Resolution

“…conflicts are like fish, and if you put this fish under the table, what happens after a while? It starts to smell.”

- George Kohlrieser

By addressing conflict through respectful methods, opposition can be transformed into an engaged dialogue.

You’re Ready, Right?

Operational Security To Do List

• Focus on containment.
• Improve standardization and documentation.
• Gather metrics. If you can’t measure, you can’t demonstrate value.
• Visibility and monitoring (and no, that doesn’t mean email alerts).
• Consistently audit access.
• Emphasize a proactive over reactive posture.
• Be a partner to the business.

Don’t implement solutions before understanding the problem.

Warning!

And, hast thou slain the Firewall? Come to my arms, my beamish girl!

O stateful day! Callooh! Callay! She chortled in her joy.

Questions?

Where Am I?

Spending quality time in kernel mode practicing and refining my particular form of snark.

www.healthyparanoia.net
Twitter: @MrsYisWhy
Google+: MrsYisWhy
networksecurityprincess@gmail.com
chubirka@packetpushers.net
http://www.networkcomputing.com/blogs/author/Michele-Chubirka

References

Covert, Edwin. Using Enterprise Security Architecture to Align Business Goals and IT Security within an Organization. Tech. Columbia: Applied Network Solutions, n.d. Print.
Gladwell, Malcolm. Blink: The Power of Thinking without Thinking. New York: Little, Brown and Company, 2005. Print.
Goleman, Daniel, and Richard Boyatzis. "Social Intelligence and the Biology of Leadership." Harvard Business Review (2008): n. pag. Web.
Goleman, Daniel. Working with Emotional Intelligence. New York: Bantam, 1998. Print.
Grimes, Roger. "Why You Don't Need a Firewall." InfoWorld. N.p., 15 May 2012. Web. 15 May 2012. <http://www.infoworld.com/d/security/why-you-dont-need-firewall-193153?page=0,1>.
Harris, Shon. CISSP Exam Guide. Berkeley, CA: Osborne, 2012. Print.
Krebs, Brian. "Krebs on Security." Krebs on Security RSS. N.p., 1 May 2012. Web. 16 Apr. 2013. <http://krebsonsecurity.com/2012/05/global-payments-breach-window-expands/>.
Krebs, Brian. "Krebs on Security." Krebs on Security RSS. N.p., 17 May 2012. Web. 16 Apr. 2013. <http://krebsonsecurity.com/2012/05/global-payments-breach-now-dates-back-to-jan-2011/>.
Lee, Rob. "Is Anti-Virus Really Dead? A Real-World Simulation Created for Forensic Data Yields Surprising Results." SANS Computer Forensics Blog. SANS, 9 Apr. 2012. Web. 16 Apr. 2013. <http://computer-forensics.sans.org/blog/2012/04/09/is-anti-virus-really-dead-a-real-world-simulation-created-for-forensic-data-yields-surprising-results>.
"Open Security Architecture." Open Security Architecture. N.p., n.d. Web. 17 Apr. 2013.
Plato, Andrew. "Analysis of the Palo Alto Cache Poison Issue." Anitian Blog. Anitian Security, 3 Jan. 2013. Web. 16 Apr. 2013.
"SABSA." SABSA. N.p., n.d. Web. 17 Apr. 2013.
Sherwood, John, Andrew Clark, and David Lynas. Enterprise Security Architecture: A Business-driven Approach. San Francisco: CMP, 2005. Print.
Trustwave 2012 Global Security Report. Rep. Trustwave, 2012. Web.
Verizon 2013 Data Breach Investigations Report. Rep. Verizon, 2013. Web.
Wan, William, and Ellen Nakashima. "Report Ties Cyberattacks on U.S. Computers to Chinese Military." The Washington Post, 19 Feb. 2013. Web. 16 Apr. 2013. <http://www.washingtonpost.com/world/report-ties-100-plus-cyber-attacks-on-us-computers-to-chinese-military/2013/02/19/2700228e-7a6a-11e2-9a75-dab0201670da_story.html>.
Zetter, Kim. "RSA Agrees to Replace Security Tokens After Admitting Compromise." Wired.com. Conde Nast Digital, 5 June 2011. Web. 16 Apr. 2013. <http://www.wired.com/threatlevel/2011/06/rsa-replaces-securid-tokens/>.
