It's 2012 and My Network Got Hacked

Upload: santosomar

Post on 07-Jul-2015


Category: Technology


0 download

DESCRIPTION

Many times security professionals, network engineers, and management ask "why did I spend all this money on network security equipment if I still got hacked?" For example, questions like these often run through their minds: "Am I not buying the right security products? Am I not configuring or deploying them correctly? Do I have the right staff to run my network?" The security lifecycle requires measuring the current network state, creating a baseline and providing constant improvements. This presentation will cover several real-life case studies on how different network segments were compromised despite state-of-the-art network security technologies and products being deployed. We will go over several security metrics that you should understand in order to better protect your network. Omar Santos is an Incident Manager at Cisco's Product Security Incident Response Team (PSIRT). Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government. Omar has delivered numerous technical presentations at several venues, as well as executive presentations to CEOs, CIOs, and CSOs of many organizations. He is also the author of 4 Cisco Press books and has two more in the works.

TRANSCRIPT

Page 1: It's 2012 and My Network Got Hacked  - Omar Santos

It's 2012 and My Network Got Hacked

Page 2: It's 2012 and My Network Got Hacked  - Omar Santos

100% of the time the good guys need to be correct.

Page 3: It's 2012 and My Network Got Hacked  - Omar Santos

The bad guys need to be correct just ONCE.

Page 4: It's 2012 and My Network Got Hacked  - Omar Santos

Ten years ago, employees were assigned laptops and told not to lose them. They were given logins to the company network, and told not to tell anyone their password.

“End of security training.”

Page 5: It's 2012 and My Network Got Hacked  - Omar Santos

Today Your Workers are Loaded with Devices, and Not Overly Concerned About Security

Page 6: It's 2012 and My Network Got Hacked  - Omar Santos

According to PAST Studies, “the Internet” will DOUBLE in size every 5.32 years.

Page 7: It's 2012 and My Network Got Hacked  - Omar Santos

Source: Cisco ISBG

More Connected Devices than People

Page 8: It's 2012 and My Network Got Hacked  - Omar Santos

5 billion mobile users by 2016

Source: Cisco VNI Global Mobile Data Forecast

Page 9: It's 2012 and My Network Got Hacked  - Omar Santos
Page 10: It's 2012 and My Network Got Hacked  - Omar Santos

Remote Access and BYOD

Page 11: It's 2012 and My Network Got Hacked  - Omar Santos

What About Social Media?

Page 12: It's 2012 and My Network Got Hacked  - Omar Santos

Cybercrime Return on Investment Matrix

Source: Cisco Annual Security Report

Page 13: It's 2012 and My Network Got Hacked  - Omar Santos

Vulnerability and Threat Categories

Source: Cisco Annual Security Report

Page 14: It's 2012 and My Network Got Hacked  - Omar Santos

malware encounters per month (11 per day!)

Page 15: It's 2012 and My Network Got Hacked  - Omar Santos

200% increase over the same period a year ago…

Page 16: It's 2012 and My Network Got Hacked  - Omar Santos

Is that scary?

Page 17: It's 2012 and My Network Got Hacked  - Omar Santos

Well…

It will probably get worse!

Page 18: It's 2012 and My Network Got Hacked  - Omar Santos

Free It Up? or Lock It Down?

Page 19: It's 2012 and My Network Got Hacked  - Omar Santos

How Do you Measure Security?

Page 20: It's 2012 and My Network Got Hacked  - Omar Santos

Agenda: Case Studies

Case Study 1: Remote Access VPN #FAIL

Case Study 2: Great Homework!

Case Study 3: Awesome New leet Gadgets

Case Study 4: Pwning the Data Center

Page 21: It's 2012 and My Network Got Hacked  - Omar Santos

CASE STUDY 1: REMOTE ACCESS VPN #FAIL

Page 22: It's 2012 and My Network Got Hacked  - Omar Santos

How Admins Continue to #FAIL Remote Access

What Happened?

Attacker exploited the “Authentication Bypass Vulnerability” described in CVE-2010-0568.

The Cisco ASA was not patched for the vulnerability.

Attacker was able to compromise other internal systems and stole several documents / information.

How It Happened…

Unauthorized access via Clientless SSL VPN several times for about 3-4 weeks.

Page 23: It's 2012 and My Network Got Hacked  - Omar Santos

How It Was Detected…

Monthly VPN Activity Report

Uh? User anonwannabe?? Seriously? Say What!?!?!

CVE-2010-0568: OLD CVE!

In a monthly VPN activity report admins noticed that a user called anonwannabe logged in several times for a period of 3-4 weeks.

The username did not conform to their Active Directory standards.

After further investigation, they found that VPN authentication was being bypassed in their Cisco ASA cluster as a result of CVE-2010-0568.
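The detection in this case study was a human reading a monthly report and noticing a username that did not fit the Active Directory standard. The following is an added example (not code from the talk) that automates that review: it parses a constructed VPN activity report, flags any account that either fails an assumed AD naming pattern or does not exist in an assumed AD export, and summarizes how many logins each flagged account made and over how many days.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample of a monthly VPN activity report; not data from the talk.
# One session per line: date, username, source IP, session type.
VPN_REPORT = """\
2012-03-02 jsmith 198.51.100.23 clientless-ssl
2012-03-02 mgarcia 203.0.113.7 anyconnect
2012-03-03 anonwannabe 192.0.2.77 clientless-ssl
2012-03-09 anonwannabe 192.0.2.78 clientless-ssl
2012-03-10 jsmith 198.51.100.23 anyconnect
2012-03-17 anonwannabe 192.0.2.80 clientless-ssl
2012-03-24 anonwannabe 192.0.2.81 clientless-ssl
2012-03-25 tnguyen 203.0.113.9 anyconnect
"""

# Assumed Active Directory naming standard: first initial plus 1-7 letters of
# the surname, all lowercase. Replace with the real standard.
AD_USERNAME = re.compile(r"^[a-z][a-z]{1,7}$")

# Constructed export of valid AD accounts; in practice pull it from the directory.
AD_ACCOUNTS = {"jsmith", "mgarcia", "tnguyen"}

def parse_report(text):
    """Turn the report into (date, user, source_ip, session_type) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            day, user, src, kind = line.split()
            rows.append((date.fromisoformat(day), user, src, kind))
    return rows

def is_legitimate_user(user, accounts):
    """Accept only names that match the naming standard AND exist in the directory."""
    return bool(AD_USERNAME.match(user)) and user in accounts

def find_suspicious_users(rows, accounts):
    """Group sessions of non-conforming users and show how long they persisted."""
    sessions = defaultdict(list)
    for day, user, src, kind in rows:
        if not is_legitimate_user(user, accounts):
            sessions[user].append((day, src, kind))
    findings = {}
    for user, items in sessions.items():
        days = [d for d, _, _ in items]
        findings[user] = {
            "logins": len(items),
            "first": min(days),
            "last": max(days),
            "span_days": (max(days) - min(days)).days,
            "session_types": sorted({k for _, _, k in items}),
        }
    return findings
```

Run against the daily VPN syslog rather than a monthly report and the same check would have surfaced the account on its first login instead of weeks later.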

Page 24: It's 2012 and My Network Got Hacked  - Omar Santos

What Technologies Did You Have In Place?

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public

Only allowed VPN traffic to ASAs

External user authentication

AD/NTLM authentication

Idle and session timeouts

Leveraged DAP

Disabled Split-tunneling

VPN traffic inspected by IPS

[Diagram: road warriors connecting to the ASA VPN cluster]

Page 25: It's 2012 and My Network Got Hacked  - Omar Santos

Patch Management – Proactive Security

Process:

1. Vulnerability Announced by Vendor

2. Identify Affected Devices

3. Identify Workarounds

4. Patch/Fix is Obtained

5. Patch/Fix is Tested

6. Patch is Implemented

Awareness

• You need to keep up with vulnerability announcements from vendors at all times.

Identification/Correlation

• Identify vulnerable devices

• Identify potential workarounds and network mitigations

Fix Tested and Implemented

• Test

• Certify Image/Software

• Implement

Page 26: It's 2012 and My Network Got Hacked  - Omar Santos

Incident Management – Reactive Security

Timeline: To → Te → Ti → Tc

T_event = Te - To

T_incident = Ti - Te

T_containment = Tc - Ti

To = Time when an event occurs on the network

Te = Time when the event is detected on the network

Ti = Time when the event is classified as an incident

Tc = Time when the incident is contained on the network

Page 27: It's 2012 and My Network Got Hacked  - Omar Santos

Analyzing and Applying Security

Security Principles: describes the primary security principles that are affected by security policies

• Visibility

• Control

Security Actions: describes essential actions that enable Visibility and Control

• Identify

• Monitor

• Correlate

• Harden

• Isolate

• Enforce

Business Relevance: specific business goals, and the threats to goal attainment

• Business Goals and Objectives

• Threats to Goals and Objectives

Security Policies: describes the iterative development and monitoring of security policies

• Security Policies

• Security Operations

• Threat and Risk Assessment

Page 28: It's 2012 and My Network Got Hacked  - Omar Santos

Security Control Framework: a framework for the key principles required by a network to achieve a strong security posture

Total Visibility: Identity, Trust, Compliance, Event, and Performance Monitoring

• Identify: identify who or what is using the network

• Monitor: observe and monitor activities occurring on the network

• Correlate: build intelligence from activities occurring on the network

Complete Control: Security Policy Enforcement and Event Mitigation

• Harden: withstand and recover from security anomalies

• Isolate: separate and create boundaries around users, traffic and devices

• Enforce: ensure the network conforms to a desired state or behavior

Increase Security and Resiliency in Networks and Services

Page 29: It's 2012 and My Network Got Hacked  - Omar Santos

Creating Security Metrics

With gained knowledge, security managers can better answer hard questions from their executives and others, such as:

Are we more secure today than we were before?

Have we improved from last year?

Are we secure enough?

Metrics can also help identify the level of risk in not taking a given action, and in that way provide guidance in prioritizing corrective actions.

They provide a tool for security staff to measure the effectiveness of the various components of their security programs, products or processes, and the ability of staff to address the security issues for which they are responsible.

Page 30: It's 2012 and My Network Got Hacked  - Omar Santos

Operational Security Metrics

Incident Management

• How long does it take to identify an event?

• How long does it take to identify an incident?

• How long does it take to contain an incident?

Device Compliance

• What percent of devices are in compliance with the certified software image?

• What percent of devices are in compliance with standard configuration templates?

Page 31: It's 2012 and My Network Got Hacked  - Omar Santos

Operational Security Metrics

Patch Management

• How long does it take you to become aware of new vulnerability announcements from vendors?

• How long does it take to identify affected devices?

• How long does it take to implement workarounds (when available)?

• How long does it take for you to test and implement the fix/patch?

Page 32: It's 2012 and My Network Got Hacked  - Omar Santos

CASE STUDY 2: GREAT HOMEWORK AND CLEVER ATTACK

Page 33: It's 2012 and My Network Got Hacked  - Omar Santos

What Happened..

“I have NO clue what’s happening”

Attacker compromised users and was able to gain access to higher-profile user information and data.

Page 34: It's 2012 and My Network Got Hacked  - Omar Santos

How It Happened..

1. Found users to target from sites like Facebook

2. Sent targeted email with malicious attachment (“You Got Mail!!!”)

3. Naïve users opened the exploit that installed a backdoor.

4. Other users and devices were attacked for escalation of privileges

5. Data was acquired from targeted servers

6. Data was transferred externally

Page 35: It's 2012 and My Network Got Hacked  - Omar Santos

How *It* was Detected..

They were notified by external sources that several internal confidential records/documents were posted. After post-incident forensic activity, they found several machines communicating over TCP port 6969 outside of the US.

Page 36: It's 2012 and My Network Got Hacked  - Omar Santos

What Technologies Did You Have In Place?

AAA in all Networking Devices

Secure Protocols such as SSH

Redundancy (Logical & Physical)

NetFlow and Event Monitoring

Firewalls

Intrusion Prevention Systems (IPS)

Control Plane Policing (CoPP)

Virtual Switch Systems (VSS)

Endpoint Protection (AV, FW)

Layer 2 and 3 security practices

[Diagram: Access Layer, Distribution Layer, Core Layer]

Page 37: It's 2012 and My Network Got Hacked  - Omar Santos

Quick Analysis of the Attack

Exploited Human Weaknesses

Exploited Zero-day vulnerabilities

Exploited Gaps in Infrastructure

Exploited Gaps in Network Monitoring

Page 38: It's 2012 and My Network Got Hacked  - Omar Santos

All Those Technologies and Still Got Pwned?

User Awareness Training

• Social Media Threats

• Security Policies

• Emerging Threats

• Leverage Training: Facebook, APWG, Stop Badware

E-Reputation

• Email Reputation

• Web Reputation

Monitoring and Control

• Why allowed traffic to ports known for Botnets?

• Is monitoring enabled on all network and security devices?
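The talk's point under Monitoring and Control is that NetFlow was being collected but nobody asked why internal hosts were talking to a botnet port outside the US. This added example (not from the talk) shows the check that would have answered that question: it runs over constructed NetFlow-style records, keeps only flows leaving an assumed corporate address space, and flags each internal host whose egress hits a watched port or a destination country outside an assumed allow-list. The country lookup is a constructed stand-in for a GeoIP database.

```python
import ipaddress
from collections import defaultdict

# Constructed NetFlow-style export; not data from the talk.
# Each record: (src_ip, dst_ip, dst_port, protocol, bytes)
FLOWS = [
    ("10.20.5.17", "10.20.9.4", 445, "tcp", 120_000),
    ("10.20.5.17", "203.0.113.40", 6969, "tcp", 4_800_000),
    ("10.20.7.22", "203.0.113.40", 6969, "tcp", 2_100_000),
    ("10.20.7.22", "198.51.100.9", 443, "tcp", 90_000),
    ("10.20.8.3", "203.0.113.41", 6969, "udp", 1_500),
    ("10.20.9.4", "10.20.5.17", 49152, "tcp", 3_000),
]

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate space

# Destination ports with no approved business use; the talk's case involved
# TCP 6969. Assumed policy list, extend it from the local firewall policy.
WATCHED_PORTS = {6969}

# Constructed stand-in for a GeoIP lookup: "XX" marks a non-US location.
GEO_COUNTRY = {"203.0.113.40": "XX", "203.0.113.41": "XX", "198.51.100.9": "US"}
ALLOWED_COUNTRIES = {"US"}  # assumed: the company only does business in the US

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def egress_flows(flows):
    """Keep only flows that leave the corporate address space."""
    return [f for f in flows if is_internal(f[0]) and not is_internal(f[1])]

def suspicious_egress(flows):
    """Group egress flows per internal host with the policy reasons they violate."""
    hits = defaultdict(lambda: {"bytes": 0, "dsts": set(), "reasons": set()})
    for src, dst, port, proto, nbytes in egress_flows(flows):
        reasons = set()
        if port in WATCHED_PORTS:
            reasons.add(f"watched port {proto}/{port}")
        country = GEO_COUNTRY.get(dst, "unknown")
        if country not in ALLOWED_COUNTRIES:
            reasons.add(f"destination country {country}")
        if reasons:
            host = hits[src]
            host["bytes"] += nbytes
            host["dsts"].add(dst)
            host["reasons"] |= reasons
    return dict(hits)

def top_talkers(findings, n=3):
    """Rank flagged hosts by bytes sent, the usual order for triage."""
    return sorted(findings.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]
```

The byte counts are what separate the data-exfiltration hosts from a single stray UDP packet, which is why the summary keeps them per host rather than only counting flows.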

Page 39: It's 2012 and My Network Got Hacked  - Omar Santos

Operational Security Metrics

User Awareness Training

• What percent of employees have read and acknowledged the corporate security policies?

Monitoring

• What percent of unauthorized data flows are found on firewalls?

• What percent of network and security devices are being remotely monitored?

• What percent of the network is being content filtered?

Page 40: It's 2012 and My Network Got Hacked  - Omar Santos

CASE STUDY 3: LEET GADGETS CAN GO SHOPPING!

Page 41: It's 2012 and My Network Got Hacked  - Omar Santos

Acme Industries: Branch Office Network

[Diagram: Branch Network 1 and Branch Network 2 connected over a private WAN to the corporate network]

Page 42: It's 2012 and My Network Got Hacked  - Omar Santos

How It Happened..

Our retail store in Mobile, Alabama was, apparently, not physically secured.

Hackers plugged and hid a wireless DEVICE on the network.

They controlled the router over an encrypted wireless connection.

They sniffed traffic to extract user credentials with escalated privileges.

Finally, they transferred sensitive data outside of the network.

Page 43: It's 2012 and My Network Got Hacked  - Omar Santos

How *It* was Detected..

Law enforcement agencies traced a number of fraudulent purchases all over the country, with one commonality – all victims had used their cards in our company stores.

Page 44: It's 2012 and My Network Got Hacked  - Omar Santos

What Technologies Did You Have In Place?

AAA in all Networking Devices

Secure Protocols such as SSH

Redundancy (Logical & Physical)

NetFlow and Event Monitoring

Routing Protocol Security

WAN edge acting as firewall & IPS

Control Plane Policing (CoPP)

QoS for traffic prioritization

GETVPN to encrypt all WAN traffic

[Diagram: branch network connected over a private WAN to the corporate network]

Page 45: It's 2012 and My Network Got Hacked  - Omar Santos

What stops someone from plugging this in?

Page 46: It's 2012 and My Network Got Hacked  - Omar Santos

All Those Technologies and Still Got Pwned?

AAA Management

• Network Device Authentication?

• Network User Authentication?

• Guest Access with network restrictions?

Restricted Access

• Shutting down unused ports?

• Traffic filtering from branch to corporate network?

Physical Security

• Unlocked/unrestricted wiring closets?

• Monitoring via cameras?

Page 47: It's 2012 and My Network Got Hacked  - Omar Santos

Operational Security Metrics

Device Identity Management

• What percent of unauthorized devices are on the network?

• How long does it take to locate a device from its IP address in real-time?

• How long does it take to locate a device from its IP address using historical logs?

User Identity Management

• What percent of unauthorized users are on the network?

• How long does it take to identify a user from their IP address in real-time?

• How long does it take to identify a user from their IP address from historical logs?
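The device-identity metrics above are only answerable if an asset inventory, the switch MAC tables and the DHCP lease history are kept and joined. This added example (not from the talk) does that join on constructed data for a branch like the one in the case study: it lists the switch ports carrying MACs absent from an assumed asset inventory, computes the unauthorized-device percentage, and answers "which device had this IP at that time, and on which port" from a constructed DHCP lease log.

```python
from datetime import datetime

# Constructed authorized-asset inventory for a branch: MAC -> asset tag.
INVENTORY = {
    "00:11:22:33:44:01": "POS-MOB-01",
    "00:11:22:33:44:02": "POS-MOB-02",
    "00:11:22:33:44:03": "RTR-MOB-01",
}

# Constructed snapshot of the branch switch's MAC address table: (mac, switch, port).
MAC_TABLE = [
    ("00:11:22:33:44:01", "sw-mob-1", "Gi1/0/3"),
    ("00:11:22:33:44:02", "sw-mob-1", "Gi1/0/4"),
    ("00:11:22:33:44:03", "sw-mob-1", "Gi1/0/24"),
    ("de:ad:be:ef:00:01", "sw-mob-1", "Gi1/0/19"),
]

# Constructed DHCP lease log: (lease start, ip, mac). Order does not matter.
DHCP_LOG = [
    ("2012-03-14T09:00", "10.30.1.77", "00:11:22:33:44:02"),
    ("2012-03-16T08:30", "10.30.1.77", "00:11:22:33:44:02"),
    ("2012-03-15T13:05", "10.30.1.77", "de:ad:be:ef:00:01"),
]

def unauthorized_devices(mac_table, inventory):
    """Every MAC seen on the switch that is not in the asset inventory, with its port."""
    return [(mac, sw, port) for mac, sw, port in mac_table if mac not in inventory]

def unauthorized_percent(mac_table, inventory):
    """The talk's metric: what percent of devices on the network are unauthorized."""
    seen = {mac for mac, _, _ in mac_table}
    rogue = {mac for mac in seen if mac not in inventory}
    return round(100 * len(rogue) / len(seen), 1) if seen else 0.0

def locate_ip(ip, when, dhcp_log, mac_table, inventory):
    """Who held `ip` at time `when` (from historical leases), and on which switch port."""
    at = datetime.fromisoformat(when)
    lease = None
    for start, lease_ip, mac in sorted(dhcp_log):  # ISO timestamps sort chronologically
        if lease_ip == ip and datetime.fromisoformat(start) <= at:
            lease = (start, mac)  # the latest lease that started before `when` wins
    if lease is None:
        return None
    start, mac = lease
    ports = [(sw, port) for m, sw, port in mac_table if m == mac]
    return {"mac": mac, "lease_start": start, "ports": ports,
            "asset": inventory.get(mac), "authorized": mac in inventory}
```

Port-security or 802.1X on the access ports is what would have stopped the rogue device at plug-in time; this lookup is the after-the-fact answer to the "how long does it take to locate it" metric.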

Page 48: It's 2012 and My Network Got Hacked  - Omar Santos

CASE STUDY 4: PWNING THE DC!

Page 49: It's 2012 and My Network Got Hacked  - Omar Santos

What Happened!?!?

Hackers stole customer data that was stored in a datacenter in North Carolina.

Page 50: It's 2012 and My Network Got Hacked  - Omar Santos

How Did It Happen..

[Diagram: data center topology with labels Corporate Network, ASA 5585X (x2), Cat 6k (x2), Data Center Core, Nexus 7k (x2), IPS (x2), ACE + WAF Services Layer, Aggregation Layer, Access Layer, Cat 6k (x2), SAN (x2), Storage (x2), UCS]

A newly installed server hosting an in-house-developed application was compromised, and the attacker was able to gain access to numerous records from other servers and databases.

Page 51: It's 2012 and My Network Got Hacked  - Omar Santos

Quick Analysis of the Attack

Exploited Vulnerability in Open Source Software used in new application along with other insecure coding practices

Exploited zero-day vulnerabilities in underlying Linux Operating System

Exploited Gaps in DC Infrastructure

Page 52: It's 2012 and My Network Got Hacked  - Omar Santos

What Technologies Did You Have In Place?

[Diagram: data center topology with labels ASA 5585X (x2), Cat 6k (x2), Data Center Core, Nexus 7k (x2), IPS (x2), ACE + WAF Services Layer, Aggregation Layer, Access Layer, Cat 6k (x2), SAN (x2), Storage (x2), UCS]

Firewalls, IPS, WAFs, Netflow

Page 53: It's 2012 and My Network Got Hacked  - Omar Santos

[Diagram: data center topology with labels Corporate Network, ASA 5585X (x2), Cat 6k (x2), Data Center Core, Nexus 7k (x2), IPS (x2), ACE + WAF Services Layer, Aggregation Layer, Access Layer, Cat 6k (x2), SAN (x2), Storage (x2), UCS]

Firewalls at the aggregation layer provide an excellent filtering point and first layer of protection.

However, they do not provide isolation between servers/services.

Page 54: It's 2012 and My Network Got Hacked  - Omar Santos

All Those Technologies and Still Got Pwned?

Application Security

• Keep up with 3rd Party Security Patches

• Secure Code Best Practices:

- Static Analysis

- ASLR, X-Space

- Safe C Libraries and OWASP Java libraries

DC Infrastructure

• Isolation provides the first layer of security for the data center and server-farm.

• Depending on the goals of the design it can be achieved through the use of firewalls, access lists, VLANs, and/or physical separation.

Page 55: It's 2012 and My Network Got Hacked  - Omar Santos

What Happens in a Virtualized Environment..

Traffic flows within virtualized environments sometimes do not even touch physical devices. For example, traffic between these VMs does not even leave the physical hardware.

Page 56: It's 2012 and My Network Got Hacked  - Omar Santos

Virtual Security Gateways (VSGs)

• You can transparently insert a Cisco VSG into the VMware vSphere environment where the Cisco Nexus 1000V distributed virtual switch is deployed.

• One or more instances can be deployed on a per-tenant basis.

• Tenants are isolated from each other, so no traffic can cross tenant boundaries.

• You can deploy the Cisco VSG at the tenant level, at the virtual data center (vDC) level, and at the vApp level.

Page 57: It's 2012 and My Network Got Hacked  - Omar Santos

Operational Security Techniques and Metrics

Application Robustness

• How often do you perform application robustness audits (i.e., fuzzing, secure coding best practices, and patching)?

• What percentage of all applications are tested for security vulnerabilities in a consistent and repeatable manner?

Page 58: It's 2012 and My Network Got Hacked  - Omar Santos

SECURITY METRICS

Page 59: It's 2012 and My Network Got Hacked  - Omar Santos

THANK YOU!
