Information Technology Security: Fitting Into the Big Picture

Upload: garry-pearson

Post on 13-Jan-2016

Page 1: Information Technology Security: Fitting Into the Big Picture

Information Technology Security: Fitting Into the Big Picture

Page 2: Information Technology Security: Fitting Into the Big Picture

Topics for Discussion

Typical IT Security Technical Work: Intrusion Detection/Prevention; Ethical Hacking/Penetration Testing

IT Security in the Business: Risk, Audit Support, Compliance

Policies, Standards, and Procedures: IT Security’s Role in Creation and Enforcement

Page 3: Information Technology Security: Fitting Into the Big Picture

Intrusion Detection

Intrusion Detection Systems are just what they seem to be.

Detect and Alert: Host Based and Network Based

How they work? Statistical Modeling, Heuristics, Trending

End result? Similar to a home security system

Page 4: Information Technology Security: Fitting Into the Big Picture

Intrusion Prevention Systems

Actively participates in defense against security violations

Host based IPS: Resident to the host machine. Monitors system calls and inbound traffic. Creates a baseline and can prevent internal “bad” behavior through system controls.

Typically works in conjunction with Anti-virus

Sandboxing – Creates isolated “scratch” disk space to run untrusted platforms or applications from untrusted third parties

Page 5: Information Technology Security: Fitting Into the Big Picture

Intrusion Prevention cont’d

Network based IPS has several operating modes or implementations:

Inline IPS is directly inline with the data stream, similar to a firewall

Gateway Interaction performs packet analysis interactively with the router/firewall

Page 6: Information Technology Security: Fitting Into the Big Picture

Intrusion Prevention cont’d

Network intrusion prevention action methods:

Content based – Inspects packet contents for unique sequences or “signatures” to prevent known attacks

Protocol analysis – Decodes known protocols to detect anomalous behavior

Rate based – Used to prevent Denial of Service attacks
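The content-based and rate-based action methods listed above, as an added Python example (not code from the presentation or from any IPS product): a constructed signature is matched against packet payloads, and a per-source sliding window flags any source that exceeds a packet-rate threshold. The signature bytes, thresholds and sample packets are all constructed for illustration.

```python
"""Two of the network IPS action methods from the slide, in miniature:
content-based signature matching on packet payloads and rate-based flood
detection per source address. Added example, not code from the presentation
or any IPS product; signature, thresholds and packets are constructed."""
from collections import defaultdict, deque
from typing import NamedTuple


class Packet(NamedTuple):
    ts: float       # arrival time in seconds
    src: str        # source IP address
    dst_port: int   # destination port
    payload: bytes


# Constructed byte pattern standing in for a vendor-maintained signature.
# A production IPS carries thousands; this one exists so the matcher has
# something to find in the sample below.
SIGNATURES = {
    "CONSTRUCTED-SIG-001 path traversal request": b"/../../",
}


def content_check(pkt: Packet) -> list[str]:
    """Content based: names of every signature whose bytes occur in the payload."""
    return [name for name, sig in SIGNATURES.items() if sig in pkt.payload]


class RateMonitor:
    """Rate based: flag a source sending more than `limit` packets in `window` seconds.

    One sliding window of timestamps is kept per source; a packet is flagged
    when, after adding it, the window still holds more than `limit` entries.
    """

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self.seen: dict[str, deque] = defaultdict(deque)

    def check(self, pkt: Packet) -> bool:
        q = self.seen[pkt.src]
        q.append(pkt.ts)
        while q and pkt.ts - q[0] > self.window:   # expire old timestamps
            q.popleft()
        return len(q) > self.limit


def inspect(packets: list[Packet], limit: int = 5, window: float = 1.0) -> list[tuple[str, str]]:
    """Run both methods over a packet stream and return (src, verdict) per packet."""
    rate = RateMonitor(limit, window)
    verdicts = []
    for pkt in packets:
        reasons = content_check(pkt)
        if rate.check(pkt):
            reasons.append("rate limit exceeded")
        verdicts.append((pkt.src, "block: " + "; ".join(reasons) if reasons else "allow"))
    return verdicts


# Constructed traffic: a normal request, one signature hit, then a burst of
# eight packets in 0.35 s from a single source (limit is 5 per second).
SAMPLE = [
    Packet(0.00, "10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet(0.10, "10.0.0.6", 80, b"GET /../../app.cfg HTTP/1.1\r\n"),
] + [Packet(1.0 + i * 0.05, "10.0.0.7", 80, b"SYN") for i in range(8)]

if __name__ == "__main__":
    for src, verdict in inspect(SAMPLE):
        print(src, verdict)
```

The sixth packet of the burst is the first one blocked, because only then does the source's one-second window hold more than five entries.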

Page 7: Information Technology Security: Fitting Into the Big Picture

Intrusion Prevention cont’d

Core Design: www.pandasecurity.com

Page 8: Information Technology Security: Fitting Into the Big Picture

IPS Business Case 1

Company X requires a homogeneous solution due to compliance and governance restrictions. The facts:

Cisco is the network hardware provider for all communications.

All connections need to be monitored: VOIP, Hosts, Gateways, VPN, Routers and Switches, Ingress/Egress traffic (Firewall)

The aggregation point for analysis and statistics must be built on a Windows server platform

The solution must be licensed

The solution should not be built on open source code

Support from the vendor must be highly available regardless of cost

Page 9: Information Technology Security: Fitting Into the Big Picture

IPS Business Case 1 cont’d

How do you choose?

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved.

Page 10: Information Technology Security: Fitting Into the Big Picture

IPS Business Case 1 cont’d

Cisco Solutions – Points to consider:
Homogeneous solution
Proprietary Code Base
Supreme Support
Current Vendor
Management easy but not intuitive
Fewer vulnerability signatures
Cost

Sourcefire Solutions – Points to consider:
Homogeneous solution
Visionary Leader
Controls SNORT signature engine
Cost
Potentially lacking support
New vendor
Technically complicated
Open Source based

Page 11: Information Technology Security: Fitting Into the Big Picture

IPS Business Case 1 cont’d

Cisco wins based on the scorecard of requirements.

© 2007 Cisco Systems, Inc. All rights reserved.

Page 12: Information Technology Security: Fitting Into the Big Picture

IPS Business Case 1 cont’d

Protection At All Layers

© 2007 Cisco Systems, Inc. All rights reserved.

Page 13: Information Technology Security: Fitting Into the Big Picture

Ethical Hacking

Ethical hacking is a very common profession within the IT security industry.

White hat, Grey hat, Black hat

Sometimes synonymous with penetration testing – A method of assessing the security posture of a system or network by simulating an “attack”

Page 14: Information Technology Security: Fitting Into the Big Picture

Ethical Hacking cont’d

Most current computer protocols were designed in a time when security was not a consideration. Times have changed:

Source: CERT

Page 15: Information Technology Security: Fitting Into the Big Picture

Ethical Hacking cont’d

Why perform an ethical hack?
Determine flaws and vulnerabilities
Provide a quantitative metric for evaluating systems and networks
Measure against pre-established baselines
Determine risk to the organization
Design mitigating controls

Page 16: Information Technology Security: Fitting Into the Big Picture

Ethical Hacking cont’d

Page 17: Information Technology Security: Fitting Into the Big Picture

Ethical Hacking cont’d

Page 18: Information Technology Security: Fitting Into the Big Picture

Ethical Hacking cont’d

Page 19: Information Technology Security: Fitting Into the Big Picture

Ethical Hacking cont’d

We will now explore some free tools and simple techniques to break into a machine.

Disclaimer: Don’t Try This At Home

Statute 1030, Fraud and Related Activity in Connection with Computers, specifically states that whoever intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage or impairs medical treatment, can receive a fine or imprisonment of five to 20 years. http://www.usdoj.gov/criminal/cybercrime/1030NEW.htm

The Cyber Security Enhancement Act of 2002 provides for life sentences for hackers who 'recklessly' endanger the lives of others, and several U.S. statutes address cyber crime.

http://www.usdoj.gov/criminal/cybercrime/homeland_CSEA.htm

Page 20: Information Technology Security: Fitting Into the Big Picture

Wanna Break In?

The first step in any ethical hack is to obtain information in the most stealthy fashion possible.

USE NMAP!!

Page 21: Information Technology Security: Fitting Into the Big Picture

NMAP

nmap is an open-source port/security scanner: http://insecure.org/

Its primary function is the discovery and mapping of hosts on a network

nmap is consistently voted one of the most used security tools

Page 22: Information Technology Security: Fitting Into the Big Picture

NMAP

Host Discovery – Identifying computers on a network

Port Scanning – Enumerating the open ports on one or more target computers

Version Detection – Interrogating network services listening on remote computers to determine the application name and version number

OS Detection – Remotely determining the operating system of network devices

Page 23: Information Technology Security: Fitting Into the Big Picture

NMAP

Sample Syntax: nmap [ <Scan Type> ...] [ <Options> ] { <target specification> }

TARGET SPECIFICATION: Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
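Target specifications of the forms listed above, expanded and checked against an authorized scope before any scan is run, as an added Python example (not the presentation's code and not the nmap project's). It handles the slide's IPv4 forms (plain address, CIDR, per-octet ranges and comma lists); hostnames are not resolved offline and are accepted only when listed verbatim in the scope, and the scope and target lists are constructed.

```python
"""Expand nmap-style IPv4 target specs and confirm every address they name
lies inside an authorized scope before a scan is launched.
Added example, not code from the presentation or the nmap project. Handles
the slide's IPv4 forms: plain address, CIDR, per-octet ranges (10.0.0-255.1-254)
and comma lists. Hostnames are not resolved (that needs the network) and are
accepted only when listed verbatim in the scope. All values below are constructed."""
import ipaddress
from itertools import product
from typing import Iterator

_OCTET_CHARS = set("0123456789-,*")


def _octet_values(part: str) -> list[int]:
    """'1-3,7' -> [1, 2, 3, 7]; '*' is nmap shorthand for 0-255."""
    values: list[int] = []
    for piece in part.split(","):
        if piece == "*":
            piece = "0-255"
        if "-" in piece:
            lo, hi = piece.split("-", 1)
            lo_i, hi_i = int(lo or 0), int(hi or 255)  # nmap accepts '-5' and '5-'
        else:
            lo_i = hi_i = int(piece)
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"bad octet range {piece!r} in {part!r}")
        values.extend(range(lo_i, hi_i + 1))
    return values


def _looks_like_ipv4(host: str) -> bool:
    parts = host.split(".")
    return len(parts) == 4 and all(p and set(p) <= _OCTET_CHARS for p in parts)


def expand_target(spec: str) -> Iterator[ipaddress.IPv4Address]:
    """Yield every IPv4 address named by one target specification."""
    host, _, prefix = spec.partition("/")
    if not _looks_like_ipv4(host):
        raise ValueError(f"{spec!r} is a hostname; resolve it or list it explicitly")
    if prefix:
        if set(host) & set("-,*"):
            raise ValueError(f"{spec!r}: CIDR cannot be combined with octet ranges")
        # nmap scans the whole block, network and broadcast addresses included.
        yield from ipaddress.ip_network(f"{host}/{prefix}", strict=False)
        return
    for octets in product(*(_octet_values(p) for p in host.split("."))):
        yield ipaddress.IPv4Address(".".join(map(str, octets)))


def check_scope(specs: list[str], authorized: list[str]) -> dict[str, list[str]]:
    """Sort target specs into in_scope / out_of_scope against the authorization letter,
    where `authorized` holds addresses or CIDR networks plus hostnames allowed verbatim."""
    nets: list[ipaddress.IPv4Network] = []
    names: set[str] = set()
    for entry in authorized:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            names.add(entry.lower())
    result: dict[str, list[str]] = {"in_scope": [], "out_of_scope": []}
    for spec in specs:
        if not _looks_like_ipv4(spec.partition("/")[0]):
            key = "in_scope" if spec.lower() in names else "out_of_scope"
            result[key].append(spec)
            continue
        stray = [str(ip) for ip in expand_target(spec) if not any(ip in n for n in nets)]
        if stray:
            result["out_of_scope"].append(f"{spec}: {len(stray)} address(es) outside scope, e.g. {stray[0]}")
        else:
            result["in_scope"].append(spec)
    return result


# Constructed engagement scope and requested targets.
AUTHORIZED = ["10.0.0.0/16", "192.168.0.1", "scanme.nmap.org"]
TARGETS = ["scanme.nmap.org", "192.168.0.1", "10.0.0-255.1-254", "10.1.0.1-10", "microsoft.com/24"]

if __name__ == "__main__":
    for key, entries in check_scope(TARGETS, AUTHORIZED).items():
        print(key, entries)
```

Running the module as written lists the three in-scope specs and flags the 10.1.0.x range and the unlisted hostname, which is the check worth automating before an authorization letter is relied upon.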

Page 24: Information Technology Security: Fitting Into the Big Picture

NMAP cont’d

Analyze your results:

NMAP OUTPUT PRINTED

Page 25: Information Technology Security: Fitting Into the Big Picture

Vulnerabilities

Find any hosts worthwhile? Your next step should be scanning for exploitable vulnerabilities.

USE NESSUS!!!

© Copyright 2002 - 2009 Tenable Network Security(R). All Rights Reserved.

Page 26: Information Technology Security: Fitting Into the Big Picture

Nessus

Nessus is an open-source vulnerability scanner

Public domain software, such as Nessus, isn't always inferior and sometimes it is actually superior!

Technical support available at tenablesecurity.com

Three steps:
1. Run a port-scan (using nmap) on the target host to determine which ports are open
2. Once open ports are identified, Nessus runs a set of exploits on the open ports. Nessus assumes standard processes run on standard ports (e.g., http on port 80)
3. Check for and report vulnerabilities

Page 27: Information Technology Security: Fitting Into the Big Picture

Nessus

Vulnerability checks are implemented through plugins. Plugins are written in Nessus Attack Scripting Language (NASL), a scripting language optimized for custom network interaction.

New plugins are added as vulnerabilities are discovered.

Many plugins check for a vulnerability by actually exploiting the vulnerability.

The ‘safe checks’ option specifies that no vulnerability check capable of crashing a remote host be used (such as DOS attacks).

Page 28: Information Technology Security: Fitting Into the Big Picture

Nessus

Check your results!!

Nessus Sample Report

Page 29: Information Technology Security: Fitting Into the Big Picture

How Do We Exploit?

Now that you have found a useful exploit, what do we use?

USE METASPLOIT!!!

Copyright © 2003-2009 Metasploit LLC. Metasploit ™ is a registered trademark.

Page 30: Information Technology Security: Fitting Into the Big Picture

MetaSploit

Metasploit was created in 2003 as a portable network game using the Perl scripting language. Later, the Metasploit Framework was completely rewritten in the Ruby programming language. It is most notable for releasing some of the most technically sophisticated exploits for public security vulnerabilities. In addition it is a powerful tool for third party security researchers to investigate potential vulnerabilities.

Page 31: Information Technology Security: Fitting Into the Big Picture

MetaSploit cont’d

Remember the machine with vulns?? Let’s use the metasploit framework….

Page 32: Information Technology Security: Fitting Into the Big Picture

MetaSploit cont’d

What else can we do now that we’re in???

Page 33: Information Technology Security: Fitting Into the Big Picture

MetaSploit cont’d

We can add shares as root!!

Page 34: Information Technology Security: Fitting Into the Big Picture

Ethical Hacking cont’d

Administrative items:
Authorization letter – “Get out of jail free card”
Risk report: Likelihood of risk; Mitigation plans; Trends (performed with recurring clients)

Page 35: Information Technology Security: Fitting Into the Big Picture

Ethical Hacking cont’d

Risk heat map figure. Horizontal axis, Magnitude of Impact: Low, Moderate to Low, Moderate, Moderate to High, High. Vertical axis, Likelihood of Occurrence: Rare, Unlikely, Moderate, Likely, Almost Certain. Bubbles labelled A through R plot the individual findings.

Quantitative Heat Map Guide

Horizontal Axis = Impact if risk were realized
Vertical Axis = Likelihood of risk being realized
Size of Bubble = Relative total instances of that issue
Bubble color = Low Risk, Moderate Risk, High Risk, Critical Risk

Page 36: Information Technology Security: Fitting Into the Big Picture

Q & A

ANY QUESTIONS?

Page 37: Information Technology Security: Fitting Into the Big Picture

The CISO Agenda

CISO diagram. Core Functions: Business, Regulatory Compliance, Technology Enablement. Surrounding agenda items:
Alignment with Business Goals / Objectives
Brand Protection & Enhancement
Linkage to Enterprise Risk Mgmt
Metrics / Benchmarking
Business Continuity
Compliance / Internal Audit
Disaster Recovery
Strategy
Privacy / Security Breach
Vulnerability / Patch Management
Staffing Support
High Availability
Identity Management
M&A
Executive / Board Reporting
Mobile Computing
Evolving Threats
Managing 3rd Party Risk (Outsourcers)
Culture / Awareness

Page 38: Information Technology Security: Fitting Into the Big Picture

Risk

IT Security performs a critical role in assessing risk in the organization.

Vulnerability Scanning
Penetration Testing
Industry Trends
IT Strategy
Familiarity with Audit and Compliance measures

Page 39: Information Technology Security: Fitting Into the Big Picture

Audit Support

In many cases, IT Security is heavily relied upon to perform the in-depth testing required by an audit organization. Security is enlisted by audit because of its:

Technical expertise
Familiarity with current issues from internal testing
Familiarity with Policies, Standards, and Procedures

Page 40: Information Technology Security: Fitting Into the Big Picture

Compliance

Compliance may relate to internal compliance or external compliance.

Internal compliance:
Policies and Standards
Security and Configuration baselines
Framework use – ISO, COBIT, ITIL, GAISP, NIST
Best Practices

Page 41: Information Technology Security: Fitting Into the Big Picture

Compliance cont’d

External compliance:
SOX (Sarbanes Oxley)
COSO Framework
HIPAA
PCI
Safe Harbor

Page 42: Information Technology Security: Fitting Into the Big Picture

ISO Best Practices

Source: www.rsa.com

Page 43: Information Technology Security: Fitting Into the Big Picture

Compliance in Action

Source: www.rsa.com

Page 44: Information Technology Security: Fitting Into the Big Picture

Internal Policy

IT Security is regularly tasked with creation and enforcement of IT policies, standards, and procedures. Creation and enforcement of these documents require:

Understanding of audit roles and procedures
Familiarity with all systems, networks, and applications
Compliance considerations

Page 45: Information Technology Security: Fitting Into the Big Picture

Internal Policy cont’d

Definitions:

A Policy is a set of directional statements and requirements aiming to protect corporate values, assets and intelligence. Policies serve as the foundation for related standards, procedures and guidelines.

A Standard is a set of practices and benchmarks employed to comply with the requirements set forth in policies. A standard should always be a derivation of a policy, as it is the second step in the process of a company’s policy propagation.

A Procedure is a set of step-by-step instructions for implementing policy requirements and executing standard practices.

Page 46: Information Technology Security: Fitting Into the Big Picture

Internal Policy cont’d

Page 47: Information Technology Security: Fitting Into the Big Picture

Internal Policy cont’d

Policy creation and enforcement cycle

Page 48: Information Technology Security: Fitting Into the Big Picture

Policy Business Case

A top 5 global food retailer has a massive IT/IS infrastructure and good governance….but no real policies!

Policies are the foundation for enforcing IT compliance and governance.

What policies were written for the client…

Page 49: Information Technology Security: Fitting Into the Big Picture

Policy Business Case cont’d

Policies written for IT Security:
Acceptable Use Policy
Information Classification & Ownership Policy
Risk Assessment & Mitigation Policy
Access Control Policy
Network Configuration and Communication Policy
Remote Access Policy
Business Continuity Policy
Incident Response Policy
Third Party Data Sharing Policy
System Implementation & Maintenance
Secure Application Development
Cryptography & Key Management
Mobile Computing
Physical & Environmental Security

Page 50: Information Technology Security: Fitting Into the Big Picture

Policy Business Case cont’d

Sample Policies

Cryptography and Key Management Policy

Access Control Policy