
Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions June 16, 2022 DRAFT 1 Chapter 12: Large Enterprise Cyber Security – Data Centers and Clouds


Page 1: Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions August 25, 2014 DRAFT1

Lecture Materials for the John Wiley & Sons book:

Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

April 11, 2023 DRAFT 1

Chapter 12: Large Enterprise Cyber Security – Data Centers and Clouds


Critical Security Controls

•Controls are security requirements; NIST SP 800-53 alone has over 200 controls with thousands of sub-controls
•But which controls are the most important?
•Luckily security experts formed a consensus on the top 20 most critical controls, from organizations including:
–SANS Institute
–National Security Agency
–US Cyber Command
–McAfee
–US Department of Defense
–Lockheed Martin
–commercial pen testing firms
–and many others
•The Critical Controls are based upon the actual threats experienced by large enterprises
•US State Department and Idaho National Laboratory (SCADA R&D) validated that these controls address the real threats

04/11/23 DRAFT 2 Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions


Critical Security Controls 2

•1: Inventory of Authorized and Unauthorized Devices
•2: Inventory of Authorized and Unauthorized Software
•3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
•4: Continuous Vulnerability Assessment and Remediation
•5: Malware Defenses
•6: Application Software Security
•7: Wireless Device Control
•8: Data Recovery Capability
•9: Security Skills Assessment and Appropriate Training to Fill Gaps
•10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
•11: Limitation and Control of Network Ports, Protocols, and Services
•12: Controlled Use of Administrative Privileges
•13: Boundary Defense
•14: Maintenance, Monitoring, and Analysis of Audit Logs
•15: Controlled Access Based on the Need to Know
•16: Account Monitoring and Control
•17: Data Loss Prevention
•18: Incident Response and Management
•19: Secure Network Engineering
•20: Penetration Tests and Red Team Exercises


Solving Key Threat/Vuln Antipatterns using the Critical Controls

•The Critical Controls document identifies top threats and vulnerabilities behind real-world cyber attacks

•We have used these threats and vulnerabilities to compile an antipatterns catalog

–The catalog shows how the Top 20 Controls proactively address the most prevalent threats and vulnerabilities


Threat/Vuln Antipatterns

1. Scanning Enterprise IP Address Range
2. Drive-By-Malware
3. Unpatched Applications in Large Enterprises
4. Internal Pivot from Compromised Machines
5. Weak System Configurations
6. Unpatched Systems
7. Lack of Security Improvement
8. Vulnerable Web Applications and Databases
9. Wireless Vulnerability
10. Social Engineering
11. Temporary Open Ports
12. Weak Network Architectures
13. Lack of Logging and Log Reviews
14. Lack of Risk Assessment and Data Protection
15. Data Loss via Undetected Exfiltration
16. Poor Incident Response – APT
17. Cloud Security
18. New Governance and QA for Cloud Computing


Scanning Enterprise IP Address Range

•Most large enterprises have IP address blocks that are public information, e.g. via Internet registries

•Malicious actors scan these ranges to find vulnerable machines

–When machines first appear on the net, they are often unpatched, e.g.

•A brand new system built from a dated image on CD

•A system that has been turned off and unpatched for a while

•A system that is not being managed or patched

•Partial Solution: Control 1 Inventory of Authorized and Unauthorized devices

–Control and change management of devices on the network can address the threat/vulns in this antipattern
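The check Control 1 implies, as an added example that is not code from the book or its lecture slides: a discovery sweep is reconciled against the authorized-device inventory, flagging devices nobody owns, devices that have just (re)appeared and so may be unpatched, devices whose patch baseline is stale, and inventory entries that are not on the wire at all. The inventory, the sweep rows, the hostnames and the MAC addresses are all constructed sample data; the thresholds are assumptions for the illustration.

```python
"""Reconcile hosts discovered on the network against the authorized-device
inventory (Critical Control 1).

Added illustration, not code from the book or its lecture materials. The
inventory and discovery rows below are constructed sample data; in practice
the discovery rows come from an ARP/nmap sweep or DHCP/switch logs and the
inventory from the CMDB.
"""
from dataclasses import dataclass
from datetime import date

# Constructed inventory: MAC -> (hostname, owner, date of last patch baseline)
AUTHORIZED = {
    "00:11:22:33:44:01": ("web01", "web-team", date(2023, 4, 4)),
    "00:11:22:33:44:02": ("db01", "dba", date(2023, 2, 14)),
    "00:11:22:33:44:03": ("jump01", "secops", date(2023, 4, 4)),
    "00:11:22:33:44:04": ("backup01", "infra", date(2023, 4, 4)),
}

# Constructed discovery sweep: (ip, mac, date this MAC was first seen on the net)
SCAN = [
    ("10.0.1.10", "00:11:22:33:44:01", date(2021, 1, 5)),
    ("10.0.1.11", "00:11:22:33:44:02", date(2021, 1, 5)),
    ("10.0.1.40", "00:11:22:33:44:99", date(2023, 4, 10)),  # nobody claims this one
    ("10.0.1.41", "00:11:22:33:44:03", date(2023, 4, 9)),   # jump host back after being off
]


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    reason: str


def reconcile(scan, inventory, today, max_patch_age_days=30, new_host_days=7):
    """Return findings for: unknown devices, devices with a stale patch baseline,
    devices that (re)appeared recently, and inventory entries not seen at all."""
    findings = []
    seen = set()
    for ip, mac, first_seen in scan:
        seen.add(mac)
        if mac not in inventory:
            findings.append(Finding(ip, mac, "unauthorized: not in inventory"))
            continue
        host, _owner, last_patch = inventory[mac]
        patch_age = (today - last_patch).days
        if patch_age > max_patch_age_days:
            findings.append(Finding(ip, mac, f"{host}: patch baseline stale ({patch_age} days)"))
        if (today - first_seen).days <= new_host_days:
            findings.append(Finding(ip, mac, f"{host}: newly appeared, verify patch level before trusting"))
    for mac, (host, _owner, _last_patch) in inventory.items():
        if mac not in seen:
            findings.append(Finding("-", mac, f"{host}: in inventory but not seen on network"))
    return findings


def run_example():
    # Assumed "today" for the constructed data
    return reconcile(SCAN, AUTHORIZED, date(2023, 4, 11))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.ip:<12} {f.mac}  {f.reason}")
```

A MAC address is a weak identifier (trivially spoofed), so a production version of this check should key on something the device proves, such as an 802.1X certificate or an agent identity, and use the MAC only as a hint.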


Drive-By-Malware

•Malicious websites can infect a machine that simply visits that website via browser

•Partial Solution: Controls 2 and 3
–Secure configurations can stop drive-by attacks that do not rely on a zero-day vulnerability
–Eliminating unauthorized software reduces the attack surface


Unpatched Applications in Large Enterprises

•A typical large enterprise end-user could have hundreds of different vendor and open source applications
–Keeping these applications patched is a nearly impossible task
•Controls 2, 4
–Eliminating unauthorized software enables the enterprise to focus on patching a limited set
–Continuous vuln assessment and remediation enables the enterprise to discover and patch applications automatically and rapidly


Internal Pivot from Compromised Machine

•Once an enterprise is penetrated, attackers expand their footprint through pivots to find new exploitable targets

•Controls 2, 10
–Unauthorized software should include most security and network tools such as netcat, which are essential for implementing pivots (attackers can still bring their own tooling or abuse built-in utilities, so this raises the bar rather than closing the door)
–Hardening network devices limits how far an attacker can move from a compromised machine


Weak System Configurations

•Operating systems and commercial applications strive for broad flexibility and ease of use, thus enable many unnecessary features and services

–Unnecessary features and services expand the attack surface

•Controls 3, 10
–Secure configurations include eliminating unnecessary open ports and services
–Network device security can stop access to these vulnerabilities by closing ports at the perimeter


Unpatched Systems

•As new operating system vulnerabilities are announced (e.g. on Patch Tuesday), attackers rush to exploit unpatched machines

•Controls 4, 5
–Continuous monitoring can quickly discover these vulns and remediate them rapidly
–Malware defenses should also be updated on Patch Tuesday, so that these attacks are inhibited


Lack of Security Improvement

•Threats are continually evolving. If security is not being continuously improved, then it is falling behind, and vulns are increasing daily
•Controls 4, 5, 11, 20
–Network defenses should be constantly up-to-date and evolving with the state-of-the-art
–Conscious improvement of limits on ports, protocols and services can improve the security profile

–Pen testing is a highly recommended best practice that can reveal latent vulns and weak security strategies


Vulnerable Web Applications and Databases

•Internet facing applications and databases are exposed to worldwide threats… Threats that are escalating daily

•Controls 6, 20
–Application software security is critical, especially for Internet-facing apps. Web security testing is essential

–Pen testing can reveal latent vulns and suggest remediations


Wireless Vulnerability

•Attackers can easily spoof wireless access points (WAPs), since the strongest signal wins, and otherwise compromise wireless systems, which operate on the public airwaves
•Control 7
–Following configuration benchmarks and best practices for managing WAPs and wireless devices is essential for network defense


Social Engineering

•The human element is the most significant vulnerability, scenarios include: Phishing, Pretexting, and USB attacks

•Controls 9, 12, 16
–End user training for Internet safety is perhaps the most significant improvement an enterprise can make to its security profile
–Limiting user privileges (Control 12) means a phished or tricked user does not hand the attacker an over-privileged machine
–Account monitoring (Control 16) watches for potentially hazardous activities


Temporary Open Ports

•It is common practice to grant requests to open firewall and server ports to support a temporary business activity, e.g. a video teleconference

–Few organizations manage the process of re-closing the ports after the need is gone
•This gap leads to an escalating vuln of open ports
•Controls 10, 13
–Keeping network devices secure includes continuous monitoring and cleanup of changes
–Boundary defenses should be hardened and monitored for configuration issues
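One way to close the gap the slide describes, as an added example that is not code from the book or its lecture slides: every temporary opening is recorded with a ticket and an expiry date, and a periodic audit reports rules past expiry, rules that were never given an expiry, rules whose source is "any", and rules present on the firewall that no ticket explains. The ticket export, the live rule ids, the ticket numbers and the addresses are constructed sample data; the CSV layout is an assumption for the illustration.

```python
"""Audit temporary firewall exceptions: flag rules past expiry, rules with no
expiry, over-broad sources, and live rules that no change ticket explains
(Controls 10 and 13).

Added illustration, not from the book or its lecture materials. The ticket
export and the live rule list are constructed sample data; a real check would
pull them from the change system and the firewall's running config.
"""
import csv
import io
from datetime import date, datetime

# Constructed change-ticket export for temporary openings
EXCEPTIONS_CSV = """\
rule_id,dst_port,proto,src,ticket,expires
fw-101,5060,udp,203.0.113.0/24,CHG-2201,2023-03-31
fw-102,3389,tcp,198.51.100.7/32,CHG-2250,2023-04-30
fw-103,8443,tcp,0.0.0.0/0,CHG-2260,
fw-104,22,tcp,192.0.2.15/32,CHG-2270,2023-04-10
"""

# Constructed list of rule ids actually present on the perimeter firewall
LIVE_RULE_IDS = {"fw-101", "fw-102", "fw-103", "fw-104", "fw-105"}


def parse_exceptions(text):
    """Parse the ticket export; a blank expiry becomes None so it can be flagged."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        exp = row["expires"].strip()
        row["expires"] = datetime.strptime(exp, "%Y-%m-%d").date() if exp else None
        row["dst_port"] = int(row["dst_port"])
        rows.append(row)
    return rows


def audit(rows, live_rule_ids, today):
    """Return (rule_id, action) pairs; an empty list means the perimeter matches its paperwork."""
    findings = []
    documented = set()
    for r in rows:
        documented.add(r["rule_id"])
        if r["expires"] is None:
            findings.append((r["rule_id"], "no expiry date; a temporary exception must have one"))
        elif r["expires"] < today:
            days = (today - r["expires"]).days
            findings.append((r["rule_id"], f"expired {days} day(s) ago; remove from firewall"))
        if r["src"] == "0.0.0.0/0":
            findings.append((r["rule_id"], "source is any; narrow to the requesting network"))
    # Rules on the device that no ticket covers are the ones nobody will ever clean up
    for rule_id in sorted(live_rule_ids - documented):
        findings.append((rule_id, "present on firewall but no ticket covers it; investigate"))
    return findings


def run_example(today=date(2023, 4, 11)):
    # Assumed audit date for the constructed data
    return audit(parse_exceptions(EXCEPTIONS_CSV), LIVE_RULE_IDS, today)


if __name__ == "__main__":
    for rule_id, action in run_example():
        print(f"{rule_id}: {action}")
```

The audit only works if the expiry is recorded at the moment the rule is created, so the change procedure should refuse a temporary opening that has no end date, rather than relying on the audit to catch it later.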


Weak Network Architectures

•Focus on Internet perimeter security often leads to neglect of the internal security architecture

–For example, machines with restricted data should be encrypted and defended from internal attacks from the rest of the network

•Controls 13, 19
–Secure network engineering means that internal as well as external defenses are considered
•For example, internal network partitions and defenses should be designed to protect the most valuable assets


Lack of Logging and Log Reviews

•It’s often said that the network guys with the big fancy video network dashboards miss everything, and the professionals with simple tools watching the logs see what’s really happening

•Control 14
–Log consolidation, log normalization, and frequent log analysis are needed for the network team to understand the network and what's happening on it
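The kind of simple-tool log review this slide praises, as an added example that is not code from the book or its lecture slides, and one that also serves the account-monitoring point of Control 16 on the Social Engineering slide: OpenSSH authentication lines are parsed, a burst of failed passwords from one source is flagged, and any accepted login from that same source after the burst is raised separately, since that is the event that matters. The log excerpt is constructed (the line format is the standard OpenSSH syslog format); the hostnames, user names, addresses, year and thresholds are assumptions for the illustration.

```python
"""Review sshd authentication logs for password-guessing bursts and for a
successful login from the same source right after a burst (Controls 14 and 16).

Added illustration, not from the book or its lecture materials. The log excerpt
is constructed; the line format is the standard OpenSSH syslog format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed excerpt (syslog timestamps carry no year; 2023 is assumed below)
LOG = """\
Apr 11 02:14:01 jump01 sshd[4111]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Apr 11 02:14:03 jump01 sshd[4113]: Failed password for root from 203.0.113.9 port 51024 ssh2
Apr 11 02:14:05 jump01 sshd[4115]: Failed password for invalid user oracle from 203.0.113.9 port 51026 ssh2
Apr 11 02:14:08 jump01 sshd[4117]: Failed password for svc_backup from 203.0.113.9 port 51028 ssh2
Apr 11 02:14:12 jump01 sshd[4119]: Failed password for svc_backup from 203.0.113.9 port 51030 ssh2
Apr 11 02:14:20 jump01 sshd[4130]: Accepted password for svc_backup from 203.0.113.9 port 51040 ssh2
Apr 11 07:30:44 jump01 sshd[4902]: Failed password for bob from 10.0.5.30 port 39002 ssh2
Apr 11 07:30:59 jump01 sshd[4904]: Accepted publickey for bob from 10.0.5.30 port 39004 ssh2
Apr 11 09:02:11 jump01 sshd[5201]: Accepted publickey for alice from 10.0.5.21 port 40210 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(log, year=2023):
    """Return (timestamp, result, user, source) for each recognised line."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect(events, threshold=5, window_s=60):
    """Alert on (a) at least `threshold` failures from one source inside
    `window_s` seconds and (b) any accepted login from that source after the burst."""
    alerts = []
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[3]].append(ev)
    for src, evs in by_src.items():
        fails = [e[0] for e in evs if e[1] == "Failed"]
        burst_end = None
        # Sliding window over failure timestamps: first `threshold` failures inside `window_s`
        for i in range(len(fails) - threshold + 1):
            if (fails[i + threshold - 1] - fails[i]).total_seconds() <= window_s:
                burst_end = fails[i + threshold - 1]
                break
        if burst_end is None:
            continue
        alerts.append(("brute_force", src, None))
        for ts, result, user, _ in evs:
            if result == "Accepted" and ts >= burst_end:
                alerts.append(("success_after_burst", src, user))
    return alerts


def run_example():
    return detect(parse(LOG))


if __name__ == "__main__":
    for kind, src, user in run_example():
        print(kind, src, user or "")
```

Bob's single typo followed by a key login is left alone, which is the point of the threshold: the review should surface the few events worth a human's time, not every failed password.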


Lack of Risk Assessment and Data Protection

•It is impossible to secure everything, so organizations must identify what needs to be protected and prioritize their defenses
–Failure to do so results in a mis-allocated array of defenses that are not protecting the right things
•Controls 15, 17
–The need to know is a fundamental principle for controlling internal access to sensitive information
•Internal threats are potentially more dangerous than external ones: they already know what's very sensitive, where to obtain it, and have legitimate access privileges
–In organizations with restricted data (and most have some) DLP is an essential defense against the consequences of data spillage, e.g. fines, costs, loss of customer goodwill


Data Loss via Undetected Exfiltration

•Data is constantly in motion in mobile devices and on networks

–Data is vulnerable to insider threats as well as Advanced Persistent Threats (APT) and common crime such as theft or even worker negligence

•Control 17
–DLP proactively discovers sensitive data, monitors its movement, and enforces its encryption in motion and at rest, reducing both the likelihood and the impact of future exfiltration
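The content-inspection half of DLP, as an added example that is not code from the book or its lecture slides: outbound text is scanned for payment card numbers, and each candidate is validated with the Luhn checksum so that order numbers and ticket references made of digits are not flagged. The message is constructed; the two card numbers in it are the widely published Visa and Mastercard test numbers, and the masking format is an assumption for the illustration.

```python
"""Scan outbound content for payment card numbers, validating candidates with
the Luhn check so that order numbers and other digit runs are not flagged
(Control 17).

Added illustration, not from the book or its lecture materials. The message
text is constructed; the card numbers in it are the well-known Visa and
Mastercard test numbers.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run on either side
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed outbound message: one order number, two real-format cards, one ticket ref
SAMPLE = (
    "Order 1234 5678 9012 3456 shipped. Customer paid with card 4111 1111 1111 1111 "
    "(exp 12/27), backup card 5500-0000-0000-0004. Ticket ref 9876543210123."
)


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, subtract 9 if > 9, sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep first six and last four (enough to identify the card without exposing it)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan(text):
    """Return (kind, masked_value) for each Luhn-valid card number found in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("pan", mask(digits)))
    return hits


if __name__ == "__main__":
    for kind, value in scan(SAMPLE):
        print(kind, value)
```

The Luhn check removes most accidental digit runs but not all of them (one in ten random digit strings passes), so a real DLP policy combines it with context such as nearby keywords, the sender, and the destination before it blocks rather than alerts.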


Poor Incident Response - APT

•Typical time from APT penetration to detection by the enterprise is 6 months

–Even some of the most savvy companies respond this slowly, e.g. RSA, Google

•Control 18
–Mature intrusion detection practices, coupled with effective incident response, are essential to protect restricted data, mission critical systems, intellectual property, and competitiveness


Cloud Security - Introduction

•Clouds are massive pools of computing and storage resources.

–Public Clouds: provide outsourcing of scalable computing resources, software applications, and system management
–Private Clouds: owned within an organization
•Private Clouds are increasingly easy to build with Performance Optimized Datacenter (POD) preconfigured racks
•Why go private? Security. Performance. Control.


How do clouds form? How do clouds work?

•Data Storage Clouds
–Scalable mass storage… automatic backup
–Data volume escalating
•e.g. Large Hadron Collider, MRI/CT, EHR, DNA Sequencing, Internet Click Stream, Customer Purchases…
•Infrastructure/Application Provisioning
–Scalable outsourcing of computation/applications
•Computation Intensive
–e.g. supercomputing, big data computing


Special Security Implications

•In clouds, data and processing migrate across physical, virtual, and organizational boundaries

•Data and applications are aggregated
–Increases potential risks from security breach
•Potential end-user community is expanded
–Many more users potentially have access, including malicious insider or external threats


Security Implications 2

•Consolidation into Clouds Can Magnify Risks

•Clouds Require Stronger Trust Relationships

•Clouds Change Security Assumptions
•Data Mashups Increase Data Sensitivity


Cloud Indexing Changes Security Semantics

•To aid in search, cloud developers create various indexes into big data collections

•In large enterprises, the big data could be a mashup

–from multiple applications which originally had security assumptions about who can access and need to know

–How can those original security assumptions be translated into a multi-application mashup?

•Indexing accelerates access to data with aggregated and/or compromised security assumptions
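One answer to the slide's question of how the source applications' access assumptions can survive a mashup, as an added example that is not code from the book or its lecture slides: each record carries the access labels its originating application enforced into the index, and the index filters every hit against the caller's groups at query time, so the index accelerates access only to what the caller could already see. The documents, applications, labels and groups are constructed; treating labels as need-to-know compartments (the caller must hold every label on a record, and an unlabelled record is public) is an assumption for the illustration.

```python
"""A search index over a data mashup that carries each source application's
access labels into the index and enforces them at query time.

Added illustration, not from the book or its lecture materials; the documents,
labels and user groups are constructed. Labels are treated as need-to-know
compartments: a user sees a document only if they hold every label on it,
and a document with no labels is public.
"""
from collections import defaultdict

# Constructed records merged from several applications into one "big data" collection:
# (doc id, source application, labels the source application enforced, text)
DOCS = [
    ("hr-1", "hr", {"hr-staff"}, "salary review for alice q1"),
    ("crm-7", "crm", {"sales"}, "alice renewal contract q1"),
    ("pub-3", "wiki", set(), "alice onboarding guide"),
    ("fin-2", "fin", {"finance", "sales"}, "q1 commission report alice"),
]


class NaiveIndex:
    """The indexing the slide warns about: fast, and blind to who may see what."""

    def __init__(self):
        self.postings = defaultdict(set)

    def add(self, doc_id, text):
        for tok in set(text.lower().split()):
            self.postings[tok].add(doc_id)

    def search(self, term):
        return set(self.postings.get(term.lower(), ()))


class LabelledIndex(NaiveIndex):
    """Same index, but every posting is filtered against the caller's groups."""

    def __init__(self):
        super().__init__()
        self.labels = {}

    def add(self, doc_id, text, labels):
        self.labels[doc_id] = frozenset(labels)
        super().add(doc_id, text)

    def search(self, term, groups):
        groups = frozenset(groups)
        # Filter before anything is returned: even the count of hidden hits must not leak
        return {d for d in super().search(term) if self.labels[d] <= groups}


def build():
    """Index the constructed collection both ways so the two can be compared."""
    naive, labelled = NaiveIndex(), LabelledIndex()
    for doc_id, _app, labels, text in DOCS:
        naive.add(doc_id, text)
        labelled.add(doc_id, text, labels)
    return naive, labelled


if __name__ == "__main__":
    naive, labelled = build()
    print("naive:", sorted(naive.search("alice")))
    print("sales user:", sorted(labelled.search("alice", {"sales"})))
    print("anonymous:", sorted(labelled.search("alice", set())))
```

The filter has to live inside the index, not in the application that calls it: once an unfiltered hit list, or even its size, leaves the index, every widget built on top of it has to get the check right on its own.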


Cloud Security Technology Maturity

•Virtual servers on virtual networks may be invisible to physical network security devices

•Mobile Code
–Clouds rely on thin clients (e.g. Internet browsers) which require extensive mobile code to emulate sophisticated end user applications
–Code authentication technologies (code signing) exist but are not widely utilized; introduction of malicious mobile code can go undetected
•Mobile Devices Extend the Cloud to the Edge
–Increasingly an extension of our enterprises, largely unprotected from malicious software and spoofed access points


Stovepiped Widgets in the Cloud

•Stovepiped Cloud Widgets
–Developers building cloud applications (i.e. widgets) on top of primitive services (i.e. operating systems, sockets, and databases) are reinventing their own technology stacks and security solutions
•Widget Frameworks
–Ideally, primitive services should be encapsulated into higher level application services, which…
•Accelerate development due to the higher level of enterprise-context-specific abstraction, e.g. battlefield simulation services, customer relationship services
•Embed security solutions in higher level services, so that security does not have to be re-validated from the ground up


New Governance and QA for Cloud Computing

•Small-scale widget developers can move code into production without the usual QA checks required of large-scale applications

•Service Oriented Architecture (SOA) approaches are encapsulating legacy applications and making that processing and data available to widget developers

–Data access can more easily cross organizational boundaries creating new governance and security challenges

•IT governance must evolve to address this growing ecosystem


REVIEW Chapter Summary
