security for privacy professionals iapp privacy futures jeff williams, mba/tm cissp iam privacy...

Security for Privacy Professionals

IAPP Privacy Futures

Jeff Williams, MBA/TM CISSP IAM

Privacy Officer, Microsoft Services

You cannot ensure privacy if you don’t first have security

Axiom

Security Operating Security Operating PrinciplesPrinciples

Corporate Security Corporate Security Mission and VisionMission and Vision

Security StrategySecurity Strategy

Risk-Based Decision ModelRisk-Based Decision Model

Tactical PrioritizationTactical Prioritization

Mission

Assess Risk

Define Policy

Monitor

Audit

Prevent malicious or unauthorized use that results in the loss of intellectual property or productivity by systematically assessing, communicating, and mitigating risks to digital assets

Vision

• Five Trustworthy Assurances– My identity is not compromised– Resources are secure and available– Data and communications are private– Roles and accountability are clearly defined– There is a timely response to risks and threats

An IT environment comprised of services, applications, and infrastructure that implicitly provides availability, privacy, and security to any client

Operating Principles

• Management commitment– Manage risk according to business objectives– Define organizational roles and responsibilities

• Users and data– Manage to practice of least privilege– Strictly enforce privacy and privacy rules

• Application and system development– Build security into development life cycle– Create layered defense and reduce attack surface

• Operations and maintenance– Integrate security into operations framework– Align monitor, audit, and response functions to operational functions

Security Landscape

State of the Nation

• Security problems are growing• Total financial losses double 2002 levels• Most organizations are not yet equipped to

deal with security threats • Growth of the external threat• New and evolving threats• 95% of security issues could have been

avoided if systems were properly configured and patched

CERT 2003: Computer Crime Survey

What you may not have known…

• DDoS extortion can pay $50k+ per incident– Costs very little < $1000

• The “Really Bad People” pay “ethically challenged” techies to do their dirty work– Execute DDoS, write bots, code exploits, provide ‘zero-

day’ exploit information, compromise specific systems– Anonymous payments via Paypal etc.– No questions asked

• Spam pays too– AOL gave away the Porsche Boxster confiscated from

a convicted Spammer– How much has been pocketed by how many?

• Who paid them?

Understanding the Landscape

Author

National InterestNational Interest

Personal GainPersonal Gain

Personal FamePersonal Fame

CuriosityCuriosity

Script-KiddieScript-Kiddie HobbyistHobbyistHackerHacker

ExpertExpert SpecialistSpecialist

Vandal

Thief

Spy

Trespasser

An Evolving Threat

National InterestNational Interest

Personal GainPersonal Gain

Personal FamePersonal Fame

CuriosityCuriosity

HobbyistHobbyistHackerHacker

ExpertExpert SpecialistSpecialist

Largest Largest area by area by volumevolume

Largest area by $ Largest area by $ lostlost

Script-KiddieScript-Kiddie

Largest segment Largest segment by by $ spent on $ spent on defensedefense

Fastest Fastest growingrowing g segmensegmentt

AuthorVandal

Thief

Spy

Trespasser

Security is nothing more than Managing Risk

Enterprise Risk Model

High

Low High

Imp

act

to

Bu

sin

es

s(D

efin

ed b

y B

usi

nes

s O

wn

er)

Low

Acceptable RiskAcceptable Risk

Unacceptable RiskUnacceptable Risk

Probability of Exploit(Defined by Corporate Security)

Risk assessment drives Risk assessment drives to acceptable riskto acceptable risk

Risk Analysis by Asset Class

Exploit of misconfiguration, buffer overflows, open shares, NetBIOS attacks HostHost

Unauthenticated access to applications, unchecked memory allocations

ApplicationApplication

Compromise of integrity or privacy of accounts

AccountAccount

Unmanaged trusts enable movement among environments

TrustTrust

Data sniffing on the wire, network fingerprinting

NetworkNetwork AssetsAssets

Components of Risk Assessment

Asset Threat

Impact

Vulnerability Mitigation

Probability

++

==

What are you trying toassess?

What are you afraid of

happening?

What is the impact to the

business?

How could the threat occur?

What is currently

reducing the risk?

How likely is the threat giventhe controls?

Current Level of Risk

What is the probability that the threat will overcome controls to successfully exploit the

vulnerability and affect the asset?

Risk Management Process and Roles

33 44

SecuritySolutions &Initiatives

Sustained Operations

Cross-IT Teams

Corporate Security

TacticalPrioritization

11

PrioritizeRisks

22

Security Policy

55

Compliance

Risk Assessment

• Can’t eliminate risk

• Three things we can do– Accept– Mitigate– Transfer

• Security policy helps determine which

Risk mitigation

Preventing

Detecting

Responding

Each builds on the previous…

Risk Computation

• Useful formula

• If any term is zero, risk is zero

• Balance cost of attack vs. cost to secure

• Remember your soft costs

• Don’t forget liability– Eve hacks Alice, uses Alice to hack Bob; Bob

sues Alice for failure to maintain security. Civil only; whose laws apply?

• Factor in cost to repair reputation

R = T × V × E

How to Compromise a System

1. Port scan—what’s listening

2. Sniff traffic—URLs, clear text passwords

3. Launch scripts to probe for vulnerabilities

4. Run a privilege escalation attack

5. Infect; leave backdoors

6. Cover tracks in the logs

7. Get out

Trojans, Viruses, Bots and Worms

• Multiple delivery mechanisms

• Run in context of logged on user

• Send personal data to attackers

• Send malicious data to attack others

• Open holes for access from Internet

• Backups won’t help if not clean

Document the threats

• Documenting threats to your systems is difficult– What kinds of things can go wrong?– How can an attacker take advantage of your

network?

• You must think like an attacker – What are the juicy bits of data?– What do they want to do with your

environment?

• Evaluate chains– If item A occurs then item B can occur…

Fault Trees

• Demonstrate logical paths through a system• Used to highlight faults in a system• Points out relationships between faults• Allow us to estimate the interactions

between faults

Defense in Depth• Using a layered approach:

– Increases an attacker’s risk of detection – Reduces an attacker’s chance of success

Policies, Procedures, & Awareness

Policies, Procedures, & Awareness

OS hardening, patch management, authentication, HIDS

Firewalls, VPN quarantine

Guards, locks, tracking devices

Network segments, IPSec, NIDS

Application hardening, antivirus

ACL, encryption, Rights Management

User education

Physical SecurityPhysical Security

PerimeterPerimeter

Internal NetworkInternal Network

HostHost

ApplicationApplication

DataData

Defenses

• Defense in depth– Networks– Hosts– Applications– Users

Network Defenses

• Border router– Ingress and egress filtering

• Firewalls– Is high availability a business requirement?

• Authentication– Check credentials before allowing through

• Encryption– VPNs, IPSec ESP tunnel mode

• Not just perimeter, though...– Can do all this between logical and business security

zones, too

Host Defenses

• Updated anti-virus, hotfixes, service packs• Control security settings and software

distribution/installation with group policy• Authenticated connections

– IPSec AH, 802.1x

• Encrypted sessions– IPSec ESP transport mode

• Restricted connections, in and out– IPSec filtering, ICF

• File Integrity monitoring

The art of patching without patching

Turn stuff off!…or don’t install it in the first place

Application Defenses

• Encrypted communications– SSL/TLS, S/MIME

• Signed communications– S/MIME, code signing

• Authorization– Fine for public services– Must do this if you need to know who

• Strong security development practices

Defense Against Users

• Principle of least privilege (POLP)– Users aren’t local administrators– Trust those who are admins, though– Configure trust relationships only where there is a

business need– Appropriate access lists and rights, again following

business needs

• Don’t read e-mail with admin account

Technologies

• Prevention– Internet Connection Firewall– IPSec (encryption, authentication, filtering)– ISA Server (rules and filters)– Distribution of current updates

• Group policy• Corporate Windows Update• Systems Management Server

Technologies

• Detection– Security logging and auditing– Port scanning– NetMon from SMS– Microsoft Operations Manager– ISA Server (IDS and honeypot)

Non-technologies

• Response– People and processes– You need a plan. Period

10 Things Attackers Don’t Want You To Do

1. Ensure everything is fully patched2. Use strong pass phrases3. Open only necessary holes in firewalls 4. Harden servers 5. Use properly hardened applications6. Use least privilege7. Restrict outbound traffic8. Restrict internal traffic9. Micro-manage service accounts10. Maintain a healthy level of paranoia

This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Active Directory, MSN, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Appendix

Organizational: directed to management’s commitment to risk management and security awareness

•Manage risk according to business objectives•Define organizational roles and responsibilities•Invest in secure design•Commit to secure operations

Users and data: includes authentication, user privacy, and data authorization

•Manage to practice of least privilege•Base decision on data classification and fair use•Enforce privacy and privacy rules•Ensure data integrity•Monitor identity assurance•Build in availability

Application and system development: dedicated to the design and development of secure systems

•Build security into the life cycle•Design defense in depth•Reduce attack surface•Keep it simple

Operations and maintenance: people, processes, and technology to build, maintain, and operate secure systems

•Plan for system maintenance•Enforce security configuration and hardening•Monitor and audit•Practice incident response•Verify disaster recovery

SecuritySecurityCategory Security Principle

Most Common Risks

• Poor password management

• Weak account management processes

• Unsecured and unmanaged remote computers

• Poorly configured and unpatched systems

• Weak auditing and monitoring processes

• Inadequately restricted access to critical information

Network Security Hardening

• Default OS configuration is acceptable for a trusted network– Windows 2000 is very open by default– Windows Server 2003 is much more secure

• Still room for improvement

– Application hardening is critical• Same rules apply as for platform

Lemma: You cannot design an optimal security configuration without a thorough understanding of the usage pattern of a system

Threat Modeling

• Understanding and communicating the threats to your environment

• Commonly used in application design

• Writing Secure Code 2nd Ed.

• Can also be applied to networks

Best Practices• Document

– Model applications and services– Environment dependent

• Segregate– Applications– Security requirements

• Restrict– Disable services– Close ports

• Use IPSec or RRAS filters– Use different passwords

Document

• Purpose is to communicate what the environment looks like

• Use well understood modeling techniques– Modified Data flow diagrams– Threat trees– Verbose documentation

Model The NetworkInternet

Domain Controller

Client

Corporate Domain Controller

Corporate Clients

Client

Web Farm 2 Web Farm 1 SQL ClusterVPN Server

SQL Cluster

Corp Servers

Superimpose a DFDInternet

Domain Controller

Client

Corporate Domain Controller

Corporate Clients

Client

Web Farm 2 Web Farm 1 SQL ClusterVPN Server

SQL Cluster

Corp Servers

Segregate

• Segregate systems by application and security requirements

• Should you trust systems that are not part of your application?– Which systems do they trust?– What are their security requirements?

• Less sensitive systems may depend on more sensitive systems

• More sensitive systems MUST NEVER depend on less sensitive systems

Network Segmentation

Documenting Segments

Domain Controller

Corp Servers Corp ClientsCorp DCs

Internet Client

Web F

arm 1

SQ

L Cluster 1

Web F

arm 2

SQ

L Cluster 2 VPN

Domain Controller

1433

DC Traffic

DC Traffic

DC traffic

80, 443

443

1433 3389

3389

3389

Term Serv

Term Serv3389

3389

1723

1433

DC traffic DC traffic

DC traffic

DC traffic

DC traffic

DC traffic

3389

DC Traffic

Restrict

• Policies allow nothing but…– Disable unnecessary services– Remove users– Restrict privileges– Turn on security tweaks– Remove permissions– Set very strong passwords

• Restrict communications– IPSec– RRAS filters

Trust Boundaries

• Systems and entities you trust are included within your trust boundary

• Should your trust boundary include databases?– It depends

• Who writes to them?• Do you trust those systems?

– If you trust the systems that write to the database you may still not want to trust the database

• Is it secure?

Trust Boundaries

Internet Client

Web F

arm

1

SQL 1

Domain Controller

1433

DC TrafficDC Traffic

80, 443

Trust Boundary

Staging Server

445

1433

Conclusion

• Prevention is less costly than reacting to incidents

• Enterprises should develop a system of security audits, system scans, and remediation steps and educate users about protecting their systems

• Impact to systems is reduced by having a detailed, well-rehearsed, and flexible incident response plan

Best Practices

• Upgrade from any unsupported OS• Prioritize according to risk assessment• Establish service management framework• Start with a pilot project in a small, controlled area• Anticipate evolutionary changes in technology• Actively manage employee education and

communication• Consider network bandwidth constraints• Train end users to identify virus behavior and proper

response• Stay secure and informed

Conclusion

• Network security is difficult• Hardening networks requires

understanding the environment– Optimal hardening requires deep

understanding• There is a fundamental tradeoff between

security and usability• Three-phase approach to network

hardening– Document– Segregate– Restrict

Other Resources

Technical information

Microsoft Security Best Practiceshttp://www.microsoft.com/technet/security/bestprac.asp

MBSAhttp://www.microsoft.com/technet/security/tools/Tools/mbsahome.asp

Attend a free chat or web casthttp://www.microsoft.com/communities/chats/default.mspx http://www.microsoft.com/usa/webcasts/default.asp

List of newsgroupshttp://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx

Security Guidance And Training

Windows 2000 Security Hardening Guidehttp://www.microsoft.com/technet/security/prodtech/Windows/Win2kHG/default.asp

Windows Server 2003 Security Guidehttp://go.microsoft.com/fwlink/?LinkId=14846

Windows XP Security Guidehttp://go.microsoft.com/fwlink/?LinkId=14839

Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XPhttp://go.microsoft.com/fwlink/?LinkId=15159

Microsoft Guide to Security Patch Managementhttp://www.microsoft.com/technet/security/topics/patch/default.asp