defending networks - recording from cyber security webinar 4

Uploaded by f-secure-corporation, posted 23-Jan-2018

Page 1: Defending Networks - Recording from cyber security webinar 4

DEFENDING NETWORKS

CYBER SECURITY WEBINAR PART 4

JARNO NIEMELÄ, F-SECURE

15th of October 2015

Page 2

CYBER SECURITY WEBINAR SERIES - PART 4

• INTRODUCTION TO CYBERSECURITY
• DEFENDING WORKSTATIONS
• DEFENDING SERVERS
• DEFENDING NETWORKS - NOW
• RESPONDING TO AN INCIDENT, 9TH NOVEMBER 2015
• BUILDING SECURE SYSTEMS, 3RD DECEMBER 2015

RECORDINGS: HTTPS://BUSINESS.F-SECURE.COM

© F-Secure

Page 3

DEFENDING NETWORKS

JARNO NIEMELÄ, SENIOR RESEARCHER, F-SECURE

Page 4

WHAT DOES HACKING LOOK LIKE?

• Let’s hack like in the movies: Kali 2.0 with the Armitage graphical hacking environment (https://www.kali.org/)
• In real life hacking is mostly not this easy. But it is, if the attacker has a working exploit or the system is totally out of date
• Most commonly the attacked service is some web application, or a company in-house application

Page 5

BASICS OF NETWORK DEFENCE

• Limit access also inside the local network
• Update all hosts, servers and network equipment
• Have only the services visible that are needed
• Monitor the network
• Perform regular audits

Page 6

A TYPICAL NETWORK

[Diagram: a typical network with zones Office, DMZ (Web server) and Internal Servers (DC, Email and File server)]

Pages 7-9

A TYPICAL INFECTED NET

[Diagram shown in three build-up slides: the same network as above, with zones Office, DMZ (Web server) and Internal Servers (DC, Email and File server)]

Page 10

WELL BUILT NETWORK

[Diagram: a well built network with zones Office (behind a VPN), DMZ (Web server) and Internal Servers; the internal servers are named Rabbit (DC) and Turtle (Email and File server), and there is a separate DC (honeypot)]

• Use port isolating switches
• All routing with firewalls, except some server to server connections
• Do not have servers with obvious names; have honeypots with obvious names
• Control all traffic with firewalls:
  • Workstations can only access the servers they need
  • Allow outside access only over proxies
  • Servers cannot connect to clients or other servers they don’t need

Page 11

TAKE CARE OF NETWORK EQUIPMENT

• Nowadays network equipment is just custom Linux servers; make sure you keep it up to date
• Don’t have any open services that are not needed; the firewall should have no open ports visible to the internet
• Use a separate VPN server and route it over the firewall
• Monitor the firewall for abnormalities: any traffic coming from the firewall without a corresponding external source is rather suspicious
• Monitor that your DNS server is giving correct answers
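The last point, checking that the DNS server still gives the answers you expect, can be automated with a small monitor. The script below is an added example for this slide, not F-Secure's own tooling: it builds a plain A query with only the Python standard library, parses the resolver's reply (including compressed names) and compares the A records against an expected baseline. The names, addresses and the resolver in `EXPECTED` and in the constructed sample reply are assumptions; `build_a_response` exists only so the check can be exercised offline with a constructed packet.

```python
"""Monitor that a DNS resolver returns the expected A records.
Added example for this slide, not F-Secure tooling; the baseline, resolver
address and sample packet are constructed assumptions."""
import socket
import struct

# Assumed baseline: the A records the organisation expects for its own names.
EXPECTED = {
    "intranet.example.internal": {"10.0.20.5"},
    "mail.example.internal": {"10.0.20.6"},
}

def build_query(name, txid=0x1234):
    """Encode a standard recursive A query (QTYPE=1, QCLASS=IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _read_name(pkt, off):
    """Decode a possibly compressed name, returning (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                     # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode())
        off += ln
    if not jumped:
        end = off
    return ".".join(labels), end

def parse_a_answers(pkt):
    """Return {name: set(ipv4)} for every A record in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = _read_name(pkt, off)
        off += 4
    answers = {}
    for _ in range(an):
        name, off = _read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.setdefault(name, set()).add(socket.inet_ntoa(rdata))
    return answers

def check_answers(observed, expected=EXPECTED):
    """Return [(name, expected_ips, observed_ips)] for every name that drifted."""
    problems = []
    for name, want in expected.items():
        got = observed.get(name, set())
        if got != want:
            problems.append((name, sorted(want), sorted(got)))
    return problems

def query_resolver(name, resolver, timeout=2.0):
    """Send the query over UDP to the resolver and parse the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        data, _ = s.recvfrom(512)
    return parse_a_answers(data)

def build_a_response(name, ips, txid=0x1234):
    """Build a minimal response packet (constructed sample for offline runs)."""
    q = build_query(name, txid)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    body = q[12:]                                 # question section, name at offset 12
    for ip in ips:
        # name is a pointer (0xC00C) back to the question name
        body += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + body

if __name__ == "__main__":
    # Constructed sample: mail.example.internal now resolves to a foreign address.
    sample = build_a_response("mail.example.internal", ["203.0.113.9"])
    for name, want, got in check_answers(parse_a_answers(sample)):
        print(f"ALERT {name}: expected {want}, resolver returned {got}")
```

In production the `__main__` block would call `query_resolver(name, "<your resolver IP>")` for each baseline name on a schedule, from inside the network the resolver serves, and raise an alert on any non-empty result from `check_answers`.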

Page 12

MOVE PUBLIC THINGS TO PUBLIC CLOUDS

• Your public web server is a visible target; almost every DoS attack hits the easy target
• Do not run public services in the same network as the rest of the company systems: either have a separate network, or move things to the cloud
• This way a DoS attack against your website does not kill the rest of the systems
• Mask the identity of your office/production network; the attacker is not supposed to see your vital connections via Whois
• Make sure your ISP contract includes a DoS mitigation service

Page 13

AUDIT TO MAKE SURE

• Configuration is not secure until it has been tested
• Make sure that all security controls are always tested after modifications
• At minimum use Nmap or another scanner to check for open ports
• A network audit by a consultant is also an option to consider, although the consultant should be involved at the planning stage
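Scanning is only half of the audit; the other half is comparing the result with what the configuration is supposed to expose, so that a change which opened a port is noticed. The script below is an added example, not F-Secure's tooling: it parses Nmap's greppable output (`-oG`) and diffs the open ports per host against a baseline, reporting both unexpected exposures and expected ports that are no longer reachable. The baseline and `SAMPLE_SCAN` are constructed; the addresses are documentation ranges, not real hosts.

```python
"""Compare an Nmap greppable-output (-oG) scan against the ports that are
supposed to be exposed. Added example, not F-Secure tooling; the baseline and
the sample scan lines are constructed."""
import re

# Assumed baseline: per host, the only ports that should be open.
BASELINE = {
    "203.0.113.10": {("tcp", 443)},                 # public web server
    "203.0.113.11": {("tcp", 25), ("tcp", 587)},    # mail relay
}

# Constructed sample in the -oG line format; not output from a real scan.
SAMPLE_SCAN = """\
# constructed sample of: nmap -oG dmz.gnmap 203.0.113.10-11
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//http///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (997)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 25/open/tcp//smtp///\tIgnored State: closed (999)
"""

# Each entry in the Ports: field starts with port/state/protocol/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")

def parse_gnmap(text):
    """Return {host: set((proto, port))} of ports the scan reports as open."""
    found = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        open_ports = found.setdefault(host, set())
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open":
                open_ports.add((proto, int(port)))
    return found

def audit_ports(scan, baseline=BASELINE):
    """Return (unexpected, missing) as {host: set(ports)}.
    unexpected = open but not in the baseline (new exposure);
    missing = in the baseline but not seen open (service or rule broken)."""
    unexpected, missing = {}, {}
    for host in set(scan) | set(baseline):
        seen, want = scan.get(host, set()), baseline.get(host, set())
        if seen - want:
            unexpected[host] = seen - want
        if want - seen:
            missing[host] = want - seen
    return unexpected, missing

if __name__ == "__main__":
    extra, gone = audit_ports(parse_gnmap(SAMPLE_SCAN))
    for host, ports in extra.items():
        print(f"UNEXPECTED {host}: {sorted(ports)}")
    for host, ports in gone.items():
        print(f"MISSING    {host}: {sorted(ports)}")
```

Run against a real file with `parse_gnmap(open("dmz.gnmap").read())`; scanning from outside the perimeter is what tells you what the internet sees, so the scan host should not be inside the network being audited.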

Page 14

LOGS AND IDS ARE YOUR EYES AND EARS

• Logs are invaluable in an investigation, so make sure you log long enough, also on network traffic
• Use IDS to detect anomalies
• Install honeypots in your network
• Look for things out of place:
  • A workstation using RDP to another workstation
  • A workstation doing anything but DC queries to the domain controller
  • A server accessing another server that it is not supposed to
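The "things out of place" on this slide are exactly the connections that the well built network on page 10 forbids, which is why they are worth alerting on once the policy is in place. The script below is an added example serving both slides, not F-Secure's tooling: it encodes the page 10 rules (workstations reach only the servers they need, outside access only through the proxy, servers do not connect to clients or to servers they don't need, nobody touches the honeypot) and runs connection-log records through them. Zones, host roles, the proxy address, the set of ports counted as legitimate DC queries and the log lines are all constructed assumptions.

```python
"""Check connection-log records against the segmentation policy of the
'well built network' slide and flag the out-of-place connections listed under
'logs and IDS'. Added example, not F-Secure tooling; zones, roles, ports and
log lines are constructed."""
import ipaddress

# Assumed zones (constructed addressing).
ZONES = {
    "proxy":    ipaddress.ip_network("10.0.20.250/32"),  # matched before "internal"
    "office":   ipaddress.ip_network("10.0.10.0/24"),
    "internal": ipaddress.ip_network("10.0.20.0/24"),
    "dmz":      ipaddress.ip_network("10.0.30.0/24"),
}
ROLES = {
    "10.0.20.5": "dc",
    "10.0.20.6": "mail-file",
    "10.0.20.7": "honeypot-dc",
    "10.0.30.10": "web",
}
DC_PORTS = {53, 88, 389, 445, 636}   # assumed: what a workstation legitimately asks a DC

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():  # dict order puts the /32 proxy first
        if addr in net:
            return name
    return "external"

def classify(flow):
    """Return the policy findings for one flow dict {src, dst, dport}; [] = allowed."""
    src, dst, port = flow["src"], flow["dst"], flow["dport"]
    sz, dz = zone_of(src), zone_of(dst)
    findings = []
    if ROLES.get(dst) == "honeypot-dc":
        findings.append("honeypot contacted")
    if sz == "office" and dz == "office":
        findings.append("workstation to workstation" + (" (RDP)" if port == 3389 else ""))
    if sz == "office" and dz == "external":
        findings.append("workstation bypassing proxy")
    if sz == "office" and ROLES.get(dst) == "dc" and port not in DC_PORTS:
        findings.append(f"non-DC query to domain controller on port {port}")
    if sz in ("internal", "dmz") and dz == "office":
        findings.append("server connecting to client")
    if sz == "dmz" and dz == "internal":
        findings.append("DMZ host reaching internal server")
    return findings

def audit_flows(lines):
    """Parse 'src dst dport' records and return [(line, findings)] for violations."""
    violations = []
    for line in lines:
        src, dst, dport = line.split()
        found = classify({"src": src, "dst": dst, "dport": int(dport)})
        if found:
            violations.append((line, found))
    return violations

# Constructed log sample, one flow per line: src dst dport
SAMPLE_LOG = [
    "10.0.10.15 10.0.20.5 88",        # workstation Kerberos to DC: allowed
    "10.0.10.15 10.0.20.250 3128",    # workstation to proxy: allowed
    "10.0.10.15 10.0.10.22 3389",     # workstation RDP to another workstation
    "10.0.10.15 10.0.20.5 3389",      # workstation RDP to the DC
    "10.0.10.15 10.0.20.7 445",       # something found the honeypot
    "10.0.30.10 10.0.20.6 445",       # web server reaching the file server
    "10.0.20.6 10.0.10.15 445",       # file server connecting back to a client
    "10.0.10.15 203.0.113.9 443",     # workstation talking out directly
]

if __name__ == "__main__":
    for line, findings in audit_flows(SAMPLE_LOG):
        print(f"{line:32} -> {', '.join(findings)}")
```

Because the firewalls already block these flows, a record that matches a rule means either a firewall rule was changed or, as page 15 notes, a host's local firewall was disabled; either way it is a small, high-signal alert list rather than a stream of anomaly-IDS noise.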

Page 15

IDS IS NOT MAGIC

• Signature IDS detects only incompetent attackers
  • Scanners are relatively useless in AV; they are even more useless in network traffic
• Anomaly IDS are mostly false alarm generators
• Thus for IDS to be useful, you need a well configured network
  • When normal traffic is restricted, anomalies are interesting
  • If a workstation is breaking rules, it means someone has disabled the local firewall

Page 16

CONCLUSIONS

• Network security is all about limiting and monitoring
• Limit what connections servers and workstations can do
• Monitor for anything that breaks those limitations

Page 17

THANK YOU FOR YOUR PARTICIPATION!

STAY TUNED FOR THE FUTURE CYBER SECURITY WEBINAR SERIES:

• 9 November 2015 at 11.00 EET: “Responding to an incident”
• 3 December 2015 at 11.00 EET: “Building secure systems”

The recording will be available at the BUSINESS SECURITY INSIDER: https://business.f-secure.com