it's 2012 and my network got hacked - omar santos
DESCRIPTION
Many times security professionals, network engineers, and management ask, "Why did I spend all this money on network security equipment if I still got hacked?" Questions like these often run through their minds: "Am I not buying the right security products? Am I not configuring or deploying them correctly? Do I have the right staff to run my network?" The security lifecycle requires measuring the current network state, creating a baseline, and providing constant improvement. This presentation covers several real-life case studies on how different network segments were compromised despite state-of-the-art network security technologies and products being deployed. We will go over several security metrics that you should understand in order to better protect your network.
Omar Santos is an Incident Manager at Cisco's Product Security Incident Response Team (PSIRT). Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government. Omar has delivered numerous technical presentations at several venues, as well as executive presentations to CEOs, CIOs, and CSOs of many organizations. He is also the author of 4 Cisco Press books, with two more in the works.
TRANSCRIPT
It's 2012 and My Network Got Hacked
The good guys need to be correct 100% of the time; the bad guys need to be correct just ONCE.
Ten years ago, employees were assigned laptops and told not to lose them. They were given logins to the company network, and told not to tell anyone their password. "End of security training."
Today Your Workers are Loaded with Devices, and Not Overly Concerned About Security
According to past studies, "the Internet" will DOUBLE in size every 5.32 years.
Source: Cisco ISBG
More Connected Devices than People
5 billion mobile users by 2016
Source: Cisco VNI Global Mobile Data Forecast
Remote Access and BYOD
What About Social Media?
Cybercrime Return on Investment Matrix
Source: Cisco Annual Security Report
Vulnerability and Threat Categories
Source: Cisco Annual Security Report
malware encounters per month (11 per day!)
200% increase over the same period a year ago…
Is that scary?
Well…
It will probably get worse!
Free It Up? or Lock It Down?
How Do you Measure Security?
Agenda: Case Studies
Case Study 1: Remote Access VPN #FAIL
Case Study 2: Great Homework!
Case Study 3: Awesome New leet Gadgets
Case Study 4: Pwning the Data Center
CASE STUDY 1: REMOTE ACCESS VPN #FAIL
How Admins Continue to #FAIL Remote Access
The attacker exploited the "Authentication Bypass Vulnerability" described in CVE-2010-0568. The Cisco ASA was not patched for the vulnerability. The attacker was able to compromise other internal systems and stole several documents/information.
How It Happened…
Unauthorized access via Clientless SSL VPN, several times over about 3-4 weeks.
What Happened?
How It Was Detected…
Monthly VPN Activity Report
Uh? User anonwannabe?? Seriously? Say What!?!?!
CVE-2010-0568: OLD CVE!
In a monthly VPN activity report, admins noticed that a user called anonwannabe logged in several times over a period of 3-4 weeks. The username did not conform to their Active Directory standards. After further investigation, they found that VPN authentication was being bypassed in their Cisco ASA cluster as a result of CVE-2010-0568.
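The detection in this case study came from a human reading a monthly report and noticing a username that broke the naming standard. The same check can run automatically over every report. The following is an added example, not code from the talk: it parses constructed VPN activity report lines, applies an assumed Active Directory naming rule and a constructed directory export, and summarises each non-conforming account's successful logins (count, span in days, source addresses), which is exactly the evidence the admins in the case study had to assemble by hand.

```python
"""Added example: scan a monthly VPN activity report for logins whose username
breaks the organisation's Active Directory naming standard. The report lines,
the naming rule and the directory export below are all constructed for the
example; they are not from the talk."""
import re
from datetime import datetime

# Assumed AD naming standard: 3-8 lowercase letters (first initial + surname),
# optionally followed by a two-digit suffix, e.g. "jsmith" or "mlee04".
AD_USERNAME_RE = re.compile(r"^[a-z]{3,8}(\d{2})?$")

# Constructed export of the accounts that actually exist in the directory.
AD_ACCOUNTS = {"jsmith", "mlee04", "rgarcia"}

# Constructed monthly Clientless SSL VPN activity report (one event per line).
SAMPLE_REPORT = """\
2012-03-02 08:14:05 user=jsmith src=198.51.100.23 group=RoadWarriors result=login
2012-03-02 09:02:41 user=anonwannabe src=203.0.113.77 group=RoadWarriors result=login
2012-03-05 22:31:10 user=anonwannabe src=203.0.113.77 group=RoadWarriors result=login
2012-03-07 07:55:19 user=mlee04 src=198.51.100.88 group=RoadWarriors result=login
2012-03-19 03:12:44 user=anonwannabe src=203.0.113.91 group=RoadWarriors result=login
2012-03-27 23:48:02 user=anonwannabe src=203.0.113.77 group=RoadWarriors result=login
2012-03-28 10:05:00 user=rgarcia src=198.51.100.23 group=RoadWarriors result=failed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) group=(?P<group>\S+) result=(?P<result>\S+)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_report(text):
    """Parse report lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def nonconforming(user):
    """True when a username breaks the naming rule or is absent from the directory."""
    return not AD_USERNAME_RE.match(user) or user not in AD_ACCOUNTS


def find_suspect_logins(events):
    """Group successful logins by non-conforming username: login count,
    first/last seen, distinct source addresses and the span of activity in days."""
    suspects = {}
    for ev in events:
        if ev["result"] != "login" or not nonconforming(ev["user"]):
            continue
        rec = suspects.setdefault(
            ev["user"], {"logins": 0, "first": ev["ts"], "last": ev["ts"], "sources": set()}
        )
        rec["logins"] += 1
        rec["first"] = min(rec["first"], ev["ts"])  # ISO timestamps sort as plain strings
        rec["last"] = max(rec["last"], ev["ts"])
        rec["sources"].add(ev["src"])
    for rec in suspects.values():
        span = datetime.strptime(rec["last"], TS_FMT) - datetime.strptime(rec["first"], TS_FMT)
        rec["span_days"] = span.days
    return suspects


if __name__ == "__main__":
    for user, rec in find_suspect_logins(parse_report(SAMPLE_REPORT)).items():
        print(f"{user}: {rec['logins']} logins over {rec['span_days']} days "
              f"from {sorted(rec['sources'])}")
```

Running the check daily rather than monthly turns the "3-4 weeks" of the case study into hours; the naming-rule test catches accounts that were never provisioned, and the directory membership test catches accounts that fit the pattern but do not exist.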
What Technologies Did You Have In Place?
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Only allowed VPN traffic to ASAs
External user authentication
AD/NTLM authentication
Idle and session timeouts
Leveraged DAP
Disabled Split-tunneling
VPN traffic inspected by IPS
[Diagram: road warriors connecting through the ASA VPN cluster]
Patch Management – Proactive Security
Vulnerability Announced by Vendor
Identify Affected Devices
Identify Workarounds
Patch/Fix is Obtained
Patch/Fix is Tested
Patch is Implemented
Awareness
• You need to keep up with vulnerability announcements from vendors at all times.
Identification/ Correlation
• Identify vulnerable devices
• Identify potential workarounds and network mitigations
Fix Tested and Implemented
• Test
• Certify Image/Software
• Implement
Incident Management – Reactive Security
Timeline: To → Te → Ti → Tc
T_event = Te − To (time to detect)
T_incident = Ti − Te (time to classify)
T_containment = Tc − Ti (time to contain)
To = time when an event occurs on the network
Te = time when the event is detected on the network
Ti = time when the event is classified as an incident
Tc = time when the incident is contained on the network
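The three intervals on the timeline are the raw material for the incident-management metrics the talk asks about later (how long to identify an event, an incident, and to contain it). As an added example, not from the talk, the block below computes T_event, T_incident and T_containment for a set of constructed incident records, rejects records whose timestamps are out of order, and reports the mean and worst case of each interval together with the incidents that missed a detection target.

```python
"""Added example: compute the incident-management intervals defined on the
timeline slide (T_event = Te - To, T_incident = Ti - Te, T_containment = Tc - Ti)
across a set of incident records, plus the summary an operations team would
report. The incident records are constructed for the example."""
from datetime import datetime
from statistics import mean

FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed incident records carrying the four timeline timestamps.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "To": "2012-01-03T02:15:00", "Te": "2012-01-03T02:45:00",
     "Ti": "2012-01-03T04:15:00", "Tc": "2012-01-03T06:15:00"},
    # A quiet compromise noticed weeks later, like the VPN case study.
    {"id": "INC-2", "To": "2012-02-10T21:00:00", "Te": "2012-03-05T09:00:00",
     "Ti": "2012-03-05T13:00:00", "Tc": "2012-03-06T13:00:00"},
]


def _hours_between(later, earlier):
    delta = datetime.strptime(later, FMT) - datetime.strptime(earlier, FMT)
    return delta.total_seconds() / 3600


def incident_intervals(rec):
    """(T_event, T_incident, T_containment) in hours for one record. The
    timestamps must be in To <= Te <= Ti <= Tc order or the record is rejected,
    since a negative interval means the record was filled in wrongly."""
    intervals = (
        _hours_between(rec["Te"], rec["To"]),
        _hours_between(rec["Ti"], rec["Te"]),
        _hours_between(rec["Tc"], rec["Ti"]),
    )
    if min(intervals) < 0:
        raise ValueError(f"{rec['id']}: timeline out of order")
    return intervals


def incident_metrics(records):
    """Mean and worst case of each interval, keyed by the slide's names."""
    rows = [incident_intervals(r) for r in records]
    names = ("T_event", "T_incident", "T_containment")
    return {name: {"mean_hours": mean(col), "max_hours": max(col)}
            for name, col in zip(names, zip(*rows))}


def slow_detections(records, max_hours):
    """Ids of incidents whose T_event (time to detect) exceeded the target."""
    return [r["id"] for r in records if incident_intervals(r)[0] > max_hours]


if __name__ == "__main__":
    for name, stats in incident_metrics(SAMPLE_INCIDENTS).items():
        print(f"{name}: mean {stats['mean_hours']:.1f} h, max {stats['max_hours']:.1f} h")
    print("missed 24 h detection target:", slow_detections(SAMPLE_INCIDENTS, 24))
```

The worst-case column matters more than the mean: one incident that sat undetected for weeks, as in the VPN case study, is what an executive asking "are we more secure than last year?" needs to see.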
Analyzing and Applying Security
???
Security Principles
Describes the primary security principles that are affected by security policies
Visibility
Control
Security Actions
Describes essential actions
that enable Visibility and
Control
Identify
Monitor
Correlate
Harden
Isolate
Enforce
Business Relevance
Specific business goals, and the threats to goal attainment
Business Goals and Objectives
Threats to Goals and Objectives
Security Policies
Describes the iterative development and monitoring of security policies
Security Policies
Security Operations
Threat and Risk Assessment
Identify: Identify who or what is using the network
Monitor: Observe and monitor activities occurring on the network
Correlate: Build intelligence from activities occurring on the network
Isolate: Separate and create boundaries around users, traffic and devices
Enforce: Ensure the network conforms to a desired state or behavior
Harden: Withstand and recover from security anomalies
Security Control Framework
Complete Control: Security Policy Enforcement and Event Mitigation
Total Visibility: Identity, Trust, Compliance, Event, and Performance Monitoring
Increase Security and Resiliency in Networks and Services
A framework for the key principles required by a network to achieve a strong security posture
Creating Security Metrics
With gained knowledge, security managers can better answer hard questions from their executives and others, such as:
Are we more secure today than we were before?
Have we improved from last year?
Are we secure enough?
Metrics can also help identify the level of risk in not taking a given action, and in that way provide guidance in prioritizing corrective actions.
They provide a tool for security staff to measure the effectiveness of the various components of their security programs, products or processes, and the ability of staff to address the security issues for which they are responsible.
Operational Security Metrics
Incident Management
• How long does it take to identify an event?
• How long does it take to identify an incident?
• How long does it take to contain an incident?
Device Compliance
• What percent of devices are in compliance with the certified software image?
• What percent of devices are in compliance with standard configuration templates?
Operational Security Metrics
Patch Management
• How long does it take you to become aware of new vulnerability announcements from vendors?
• How long does it take to identify affected devices?
• How long does it take to implement workarounds (when available)?
• How long does it take for you to test and implement the fix/patch?
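The "Identify Affected Devices" step of the patch-management process and the device-compliance metrics both reduce to the same thing: a device inventory with version and template fields, compared against what the vendor advisory and the certification list say. The block below is an added example, not code from the talk or from Cisco: the inventory, the certified image list, the template list and the advisory (with made-up version ranges and a placeholder id, since the page gives no affected-release data for the real CVE) are all constructed. It lists the devices an advisory affects, maps each to the first fixed release, and computes the two compliance percentages.

```python
"""Added example: identify devices affected by a vendor advisory and compute
the device-compliance metrics from the talk. Inventory, certified images,
templates and the advisory below are constructed; the version numbers are
made up for the example and do not describe any real advisory."""

# Constructed device inventory, as an asset system would export it.
INVENTORY = [
    {"host": "asa-vpn-1", "product": "ASA", "version": "8.2.1", "config_template": "asa-vpn-std-v3"},
    {"host": "asa-vpn-2", "product": "ASA", "version": "8.2.1", "config_template": "asa-vpn-std-v2"},
    {"host": "asa-dc-1", "product": "ASA", "version": "8.3.2", "config_template": "asa-dc-std-v3"},
    {"host": "rtr-br-1", "product": "IOS", "version": "15.0.1", "config_template": "branch-std-v1"},
]

# Constructed certification data: images the organisation has tested and
# approved, and the current revision of each configuration template.
CERTIFIED_IMAGES = {"ASA": {"8.3.2"}, "IOS": {"15.0.1"}}
CURRENT_TEMPLATES = {"asa-vpn-std-v3", "asa-dc-std-v3", "branch-std-v1"}

# Constructed advisory: affected releases are [affected_lo, affected_hi),
# i.e. everything from affected_lo up to but not including the fixed release.
ADVISORY = {
    "id": "EXAMPLE-ADV-0001",  # placeholder, not a real advisory id
    "product": "ASA",
    "affected_lo": "8.0.0",
    "affected_hi": "8.3.0",
    "fixed": "8.3.0",
}


def version_key(version):
    """Dotted version string -> tuple of ints, so "8.10.2" sorts after "8.9.9"
    (a plain string comparison would get that wrong)."""
    return tuple(int(part) for part in version.split("."))


def affected_devices(inventory, advisory):
    """Hosts running the advisory's product in the affected version range."""
    lo = version_key(advisory["affected_lo"])
    hi = version_key(advisory["affected_hi"])
    return [d["host"] for d in inventory
            if d["product"] == advisory["product"] and lo <= version_key(d["version"]) < hi]


def patch_plan(inventory, advisory):
    """Affected host -> (current version, first fixed release) for the change ticket."""
    affected = set(affected_devices(inventory, advisory))
    return {d["host"]: (d["version"], advisory["fixed"]) for d in inventory if d["host"] in affected}


def compliance_metrics(inventory, certified, templates):
    """Percent of devices on a certified image and on a current config template."""
    if not inventory:
        return {"image_pct": 0.0, "template_pct": 0.0}
    on_image = sum(d["version"] in certified.get(d["product"], ()) for d in inventory)
    on_template = sum(d["config_template"] in templates for d in inventory)
    n = len(inventory)
    return {"image_pct": round(100 * on_image / n, 1),
            "template_pct": round(100 * on_template / n, 1)}


if __name__ == "__main__":
    print("affected by", ADVISORY["id"], "->", patch_plan(INVENTORY, ADVISORY))
    print("compliance:", compliance_metrics(INVENTORY, CERTIFIED_IMAGES, CURRENT_TEMPLATES))
```

The time between the advisory's publication and the moment `affected_devices` can be run is the "awareness" metric; the time until `affected_devices` returns an empty list is the "test and implement" metric. Both depend on the inventory being accurate, which is why the compliance percentages are tracked alongside them.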
CASE STUDY 2: GREAT HOMEWORK AND CLEVER ATTACK
What Happened..
I have NO clue what’s happening
The attacker compromised users and was able to gain access to higher-profile user information and data.
How It Happened…
1. Found users to target from sites like …
2. Sent targeted email with malicious attachment ("You Got Mail!!!")
3. Naïve users opened the exploit, which installed a backdoor.
4. Other users and devices were attacked for escalation of privileges.
5. Data was acquired from targeted servers.
6. Data was transferred externally.
How *It* was Detected..
They were notified by external sources that several internal confidential records/documents had been posted. After post-incident forensic activity, they found several machines communicating over TCP port 6969 with hosts outside of the US.
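The organisation had NetFlow and event monitoring in place, so the flows to TCP port 6969 outside the US were already being recorded; nobody was asking the records the right question. As an added example (not from the talk), the block below runs that question over constructed NetFlow-style records: it keeps only egress flows from internal ranges, flags those to a port the case study associates with botnet traffic or to a destination outside the home country, and lists the internal hosts to pull for forensics. The address ranges, the country lookup and the flow records are all constructed.

```python
"""Added example: flag NetFlow-style records from internal hosts to external
destinations on a port the case study associates with botnet traffic (TCP 6969)
or to a country other than the organisation's home country. The flow records,
address ranges and the country lookup below are constructed; a real deployment
would read flows from a collector and countries from a GeoIP database."""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
SUSPICIOUS_PORTS = {6969}  # from the case study; fed from threat intel in practice
HOME_COUNTRY = "US"

# Constructed stand-in for a GeoIP lookup, keyed by documentation prefixes.
GEO_BY_NET = {
    ipaddress.ip_network("203.0.113.0/24"): "XX",  # "XX": somewhere outside the US
    ipaddress.ip_network("198.51.100.0/24"): "US",
}

# Constructed flow records: src,dst,dport,proto,bytes
SAMPLE_FLOWS = [
    "10.1.5.23,198.51.100.10,443,tcp,8120",
    "10.1.5.23,203.0.113.45,6969,tcp,51230",
    "10.1.7.88,203.0.113.45,6969,tcp,47710",
    "10.1.7.88,10.1.2.2,6969,tcp,300",
    "192.168.3.4,203.0.113.99,80,tcp,1200",
    "10.1.9.1,198.51.100.10,6969,udp,90",
]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def country_of(ip):
    for net, cc in GEO_BY_NET.items():
        if ip in net:
            return cc
    return "??"  # unknown location is treated as not home, never as safe


def flag_flows(flows):
    """One (src, dst, dport, reasons) tuple per internal->external flow that
    hits a suspicious port and/or a destination outside the home country."""
    flagged = []
    for line in flows:
        src, dst, dport, proto, _nbytes = line.split(",")
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not is_internal(src_ip) or is_internal(dst_ip):
            continue  # only egress traffic is of interest here
        reasons = []
        if int(dport) in SUSPICIOUS_PORTS:
            reasons.append(f"{proto}/{dport} is a known botnet port")
        cc = country_of(dst_ip)
        if cc != HOME_COUNTRY:
            reasons.append(f"destination in {cc}")
        if reasons:
            flagged.append((src, dst, int(dport), reasons))
    return flagged


def hosts_on_suspicious_ports(flows):
    """Internal hosts with egress flows to a suspicious port, with the
    destinations they reached: the machines to image first."""
    hosts = defaultdict(set)
    for src, dst, dport, _reasons in flag_flows(flows):
        if dport in SUSPICIOUS_PORTS:
            hosts[src].add(dst)
    return dict(hosts)


if __name__ == "__main__":
    for src, dst, dport, reasons in flag_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport}: " + "; ".join(reasons))
    print("hosts to examine:", hosts_on_suspicious_ports(SAMPLE_FLOWS))
```

The same records answer the slide's question "why allowed traffic to ports known for botnets?": if the flagged list is non-empty on a network whose firewall policy supposedly blocks those ports, the policy and the monitoring disagree, and that gap is itself a finding.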
What Technologies Did You Have In Place?
AAA in all Networking Devices
Secure Protocols such as SSH
Redundancy (Logical & Physical)
NetFlow and Event Monitoring
Firewalls
Intrusion Prevention Systems (IPS)
Control Plane Policing (CoPP)
Virtual Switch Systems (VSS)
Endpoint Protection (AV, FW)
Layer 2 and 3 security practices
[Diagram: access, distribution, and core layers]
Quick Analysis of the Attack
Exploited Human Weaknesses
Exploited Zero-day vulnerabilities
Exploited Gaps in Infrastructure
Exploited Gaps in Network Monitoring
All Those Technologies and Still Got Pwned?
User Awareness Training
Social Media Threats
Security Policies
Emerging Threats
Leverage Training: • Facebook • APWG • Stop Badware
E-Reputation
Email Reputation
Web Reputation
Monitoring and Control
Why allowed traffic to ports known for Botnets?
Is monitoring enabled on all network and security devices?
Operational Security Metrics
User Awareness Training
• What percent of employees have read and acknowledged the corporate security policies?
Monitoring
• What percent of unauthorized data flows are found on firewalls?
• What percent of network and security devices are being remotely monitored?
• What percent of the network is being content filtered?
CASE STUDY 3: LEET GADGETS CAN GO SHOPPING!
Acme Industries: Branch Office Network
[Diagram: Branch Network 1 and Branch Network 2 connected over a private WAN to the corporate network]
How It Happened…
Our retail store in Mobile, Alabama was, apparently, not physically secured.
Hackers plugged in and hid a wireless DEVICE on the network.
They controlled the router over an encrypted wireless connection.
They sniffed traffic to extract user credentials with escalated privileges.
Finally, they transferred sensitive data outside of the network.
How *It* was Detected..
Law enforcement agencies traced a number of fraudulent purchases all over the country, with one commonality – all victims had used their cards in our company stores.
What Technologies Did You Have In Place?
AAA in all Networking Devices
Secure Protocols such as SSH
Redundancy (Logical & Physical)
NetFlow and Event Monitoring
Routing Protocol Security
WAN edge acting as firewall & IPS
Control Plane Policing (CoPP)
QoS for traffic prioritization
GETVPN to encrypt all WAN traffic
[Diagram: branch network connected over a private WAN to the corporate network]
What stops someone from plugging this in?
All Those Technologies and Still Got Pwned?
AAA Management
Network Device Authentication?
Network User Authentication?
Guest Access with network restrictions?
Restricted Access
Shutting down unused ports?
Traffic filtering from branch to corporate network?
Physical Security
Unlocked/unrestricted wiring closets?
Monitoring via cameras?
Operational Security Metrics
Device Identity Management
• What percent of unauthorized devices are on the network?
• How long does it take to locate a device from its IP address in real time?
• How long does it take to locate a device from its IP address using historical logs?
User Identity Management
• What percent of unauthorized users are on the network?
• How long does it take to identify a user from their IP address in real time?
• How long does it take to identify a user from their IP address from historical logs?
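The device-identity questions above are answerable only if DHCP lease history and switch MAC address tables are collected and can be joined. The block below is an added example, not code from the talk: with a constructed DHCP lease log, a constructed MAC address table and a constructed inventory of authorized MAC addresses, it resolves an IP address to the MAC, switch and port that held it at a given time (the current time for the real-time question, a past time for the historical-log question, including the case where the IP has since been re-leased to a different device) and computes the share of devices on the network that are not in the inventory, which is what would have surfaced the hidden device in this case study.

```python
"""Added example: answer the device-identity questions from the metrics slide
with a DHCP lease log and a switch MAC address table: resolve an IP address to a
MAC, switch and port at a given time (real time or from historical logs) and
measure the share of devices not in the authorized inventory. All records below
are constructed; a real deployment would pull them from the DHCP server and the
switches."""

# Constructed DHCP lease log: (issued-at ISO timestamp, ip, mac). A lease is
# assumed to stay valid until the next lease issued for the same IP.
DHCP_LEASES = [
    ("2012-04-01T08:00:00", "10.20.1.50", "00:11:22:33:44:55"),
    ("2012-04-01T09:30:00", "10.20.1.51", "aa:bb:cc:dd:ee:01"),
    ("2012-04-03T10:00:00", "10.20.1.50", "66:77:88:99:aa:bb"),  # IP re-leased to a new device
]

# Constructed switch MAC address table: (mac, switch, port).
MAC_TABLE = [
    ("00:11:22:33:44:55", "br1-sw1", "Gi0/3"),
    ("aa:bb:cc:dd:ee:01", "br1-sw1", "Gi0/7"),
    ("66:77:88:99:aa:bb", "br1-sw1", "Gi0/12"),
]

# Constructed inventory of MAC addresses the organisation actually issued.
AUTHORIZED_MACS = {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"}


def mac_for_ip_at(ip, when, leases=DHCP_LEASES):
    """MAC holding `ip` at time `when`: the latest lease for that IP issued at or
    before `when`. ISO-8601 timestamps compare correctly as plain strings."""
    matching = [lease for lease in leases if lease[1] == ip and lease[0] <= when]
    return max(matching)[2] if matching else None


def locate_device(ip, when, leases=DHCP_LEASES, mac_table=MAC_TABLE, authorized=AUTHORIZED_MACS):
    """Where was the device using `ip` at `when`, and was it one of ours?
    Returns None when no lease covers the IP at that time."""
    mac = mac_for_ip_at(ip, when, leases)
    if mac is None:
        return None
    switch = port = None
    for m, sw, pt in mac_table:
        if m == mac:
            switch, port = sw, pt
            break
    return {"mac": mac, "switch": switch, "port": port, "authorized": mac in authorized}


def unauthorized_devices(mac_table=MAC_TABLE, authorized=AUTHORIZED_MACS):
    """Devices the switches can see that are not in the authorized inventory."""
    return [(m, sw, pt) for m, sw, pt in mac_table if m not in authorized]


def unauthorized_device_pct(mac_table=MAC_TABLE, authorized=AUTHORIZED_MACS):
    """The slide's metric: percent of devices on the network that are unauthorized."""
    if not mac_table:
        return 0.0
    return round(100 * len(unauthorized_devices(mac_table, authorized)) / len(mac_table), 1)


if __name__ == "__main__":
    print("10.20.1.50 on Apr 2:", locate_device("10.20.1.50", "2012-04-02T00:00:00"))
    print("10.20.1.50 on Apr 4:", locate_device("10.20.1.50", "2012-04-04T00:00:00"))
    print("unauthorized devices:", unauthorized_devices())
    print(f"unauthorized: {unauthorized_device_pct()}%")
```

Two things make the historical question hard in practice and are worth checking in your own data: lease logs must be retained for at least as long as the investigation window (the VPN case study needed a month), and the IP-to-MAC answer changes when an address is re-leased, so the time of the event, not the time of the query, must drive the lookup.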
CASE STUDY 4: PWNING THE DC!
What Happened!?!?
Hackers stole customer data that was stored in a datacenter in North Carolina.
How Did It Happen…
[Diagram: corporate network connected to the data center through a pair of ASA 5585X firewalls; Cat 6k data center core, Nexus 7k aggregation layer with IPS, ACE + WAF services layer, Cat 6k access layer, UCS servers and SAN storage]
A newly installed server hosting an in-house-developed application was compromised, and the attacker was able to gain access to numerous records from other servers and databases.
Quick Analysis of the Attack
Exploited Vulnerability in Open Source Software used in new application along with other insecure coding practices
Exploited zero-day vulnerabilities in underlying Linux Operating System
Exploited Gaps in DC Infrastructure
What Technologies Did You Have In Place?
[Diagram: the same data center topology as above]
Firewalls, IPS, WAFs, Netflow
Firewalls at the aggregation layer provide an excellent filtering point and a first layer of protection.
However, they do not provide isolation between servers/services.
All Those Technologies and Still Got Pwned?
Application Security
Keep up with 3rd Party Security Patches
Secure Code Best Practices:
- Static Analysis
- ASLR, X-Space
- Safe C Libraries and OWASP Java libraries
DC Infrastructure
Isolation provides the first layer of security for the data center and server farm.
Depending on the goals of the design, it can be achieved through the use of firewalls, access lists, VLANs, and/or physical separation.
What Happens in a Virtualized Environment…
Traffic flows within virtualized environments sometimes do not even touch physical devices. For example, traffic between these VMs does not even leave the physical hardware.
Virtual Security Gateways (VSGs)
• You can transparently insert a Cisco VSG into the VMware vSphere environment where the Cisco Nexus 1000V distributed virtual switch is deployed.
• One or more instances can be deployed on a per-tenant basis.
• Tenants are isolated from each other, so no traffic can cross tenant boundaries.
• You can deploy the Cisco VSG at the tenant level, at the virtual data center (vDC) level, and at the vApp level.
Operational Security Techniques and Metrics
Application Robustness
• How often do you perform application robustness audits (i.e., fuzzing, secure coding best practices, and patching)?
• What percentage of all applications are tested for security vulnerabilities in a consistent and repeatable manner?
SECURITY METRICS
THANK YOU!