Security Policy: PowerPoint PPT presentation (transcript)
![Page 1: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/1.jpg)
Security Policy
![Page 2: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/2.jpg)
Topics for Discussion
• IT Security in the Business– Risk, Audit Support, Compliance
• Policies, Standards, and Procedures– IT Security’s Role in Creation and Enforcement
• Typical IT Security Technical Work– Intrusion Detection/Prevention– Ethical Hacking/Penetration Testing
![Page 3: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/3.jpg)
The CISO Agenda
Core Functions: Business, Regulatory Compliance, Technology Enablement
Agenda items (arranged around the CISO on the original slide):
• Alignment with Business Goals / Objectives
• Brand Protection & Enhancement
• Linkage to Enterprise Risk Mgmt
• Metrics / Benchmarking
• Business Continuity
• Compliance / Internal Audit
• Disaster Recovery
• Strategy
• Privacy / Security Breach
• Vulnerability / Patch Management
• Staffing Support
• High Availability
• Identity Management
• M&A
• Executive / Board Reporting
• Mobile Computing
• Evolving Threats
• Managing 3rd Party Risk (Outsourcers)
• Culture / Awareness
![Page 4: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/4.jpg)
Risk
IT Security performs a critical role in assessing risk in the organization.
• Vulnerability Scanning
• Penetration Testing
• Industry Trends
• IT Strategy
• Familiarity with Audit and Compliance measures
![Page 5: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/5.jpg)
Audit Support
In many cases, IT Security is heavily relied upon to perform in depth testing required by an audit organization. Security is enlisted by audit because:
• Technical expertise
• Familiarity with current issues from internal testing
• Familiarity with Policies, Standards, and Procedures
![Page 6: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/6.jpg)
Compliance
Compliance may relate to internal compliance or external compliance.
Internal compliance:
• Policies and Standards
• Security and Configuration baselines
• Framework use – ISO, COBIT, ITIL, GAISP, NIST
• Best Practices
![Page 7: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/7.jpg)
Compliance cont’d
External compliance:
• SOX (Sarbanes-Oxley)
– COSO Framework
• HIPAA
• PCI
• Safe Harbor
![Page 8: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/8.jpg)
ISO Leading Practices
Source: www.rsa.com
![Page 9: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/9.jpg)
Compliance in Action
Source: www.rsa.com
![Page 10: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/10.jpg)
Internal Policy
IT Security is regularly tasked with creation and enforcement of IT policies, standards, and procedures. Creation and enforcement of these documents require:
• Understanding of audit roles and procedures
• Familiarity with all systems, networks, and applications
• Compliance considerations
![Page 11: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/11.jpg)
Internal Policy cont’d
Definitions:
• A Policy is a set of directional statements and requirements aiming to protect corporate values, assets and intelligence. Policies serve as the foundation for related standards, procedures and guidelines.
• A Standard is a set of practices and benchmarks employed to comply with the requirements set forth in policies. A standard should always be a derivation of a policy, as it is the second step in the process of a company's policy propagation.
• A Procedure is a set of step-by-step instructions for implementing policy requirements and executing standard practices.
![Page 12: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/12.jpg)
Internal Policy cont’d
![Page 13: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/13.jpg)
Internal Policy cont’d
Policy creation and enforcement cycle
![Page 14: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/14.jpg)
Policy Business Case
A top-5 global food retailer has a massive IT/IS infrastructure and good governance... but no real policies!
Policies are the foundation for enforcing IT compliance and governance.
What policies were written for the client…
![Page 15: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/15.jpg)
Policy Business Case cont’d
Policies written for IT Security:
• Acceptable Use Policy
• Information Classification & Ownership Policy
• Risk Assessment & Mitigation Policy
• Access Control Policy
• Network Configuration and Communication Policy
• Remote Access Policy
• Business Continuity Policy
• Incident Response Policy
• Third Party Data Sharing Policy
• System Implementation & Maintenance
• Secure Application Development
• Cryptography & Key Management
• Mobile Computing
• Physical & Environmental Security
![Page 16: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/16.jpg)
Policy Business Case cont’d
Sample Policies
Cryptography and Key Management Policy
![Page 17: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/17.jpg)
Ethical Hacking
Ethical hacking is a very common profession within the IT security industry.
• White hat, Grey hat, Black hat
• Sometimes synonymous with penetration testing
– A method of assessing the security posture of a system or network by simulating an "attack"
![Page 18: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/18.jpg)
Ethical Hacking
Why perform an ethical hack?
• Determine flaws and vulnerabilities
• Provide a quantitative metric for evaluating systems and networks
• Measure against pre-established baselines
• Determine risk to the organization
• Design mitigating controls
![Page 19: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/19.jpg)
Ethical Hacking
![Page 20: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/20.jpg)
Ethical Hacking
Administrative items:
• Authorization letter – "Get out of jail free card"
• Risk report
– Likelihood of risk
– Mitigation plans
– Trends (performed with recurring clients)
![Page 21: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/21.jpg)
Q & A
ANY QUESTIONS?
![Page 22: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/22.jpg)
Layer 2 Hacking
Slide material sourced from the Black Hat presentation by Sean Convery of Cisco Systems
![Page 23: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/23.jpg)
Topics for Discussion
• Layer 2 Protocols and Weaknesses
– ARP
– MAC/CAM
– VLAN/Encapsulation
– STP/BPDU
– DHCP
– MPLS
– BGP
• Tools
• Carrier "Ethernet" Appendix
![Page 24: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/24.jpg)
Why Layer 2
![Page 25: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/25.jpg)
ARP
• ARP Spoofing is the process of sending a crafted ARP message (usually an unsolicited reply, though a crafted request works too, since most hosts update their cache from either) so that a victim caches the attacker's MAC for someone else's IP. The attacker can then sniff the traffic of one or many hosts on the network.
• ARP poisoning is the same attack applied to every host on the subnet, or aimed at the gateway: spoof the address of the router and all traffic leaving the subnet is sent through you!
![Page 26: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/26.jpg)
ARP Poisoning
![Page 27: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/27.jpg)
ARP Poisoning
• Start Sniffing
![Page 28: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/28.jpg)
ARP Poisoning
• Scan for hosts
![Page 29: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/29.jpg)
ARP Poisoning
![Page 30: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/30.jpg)
ARP Poisoning
![Page 31: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/31.jpg)
ARP Poisoning
• Select the machines to poison
– We chose to ARP poison only the Windows machine 192.168.1.2 and the router 192.168.1.1.
• Highlight the line containing 192.168.1.1 and click on the "target 1" button.
• Highlight the line containing 192.168.1.2 and click on the "target 2" button.
• If you do not select any machine as a target, every machine in the subnet will be ARP poisoned.
![Page 32: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/32.jpg)
ARP Poisoning
![Page 33: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/33.jpg)
ARP Poisoning
![Page 34: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/34.jpg)
ARP Poisoning
![Page 35: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/35.jpg)
ARP Poisoning
• To recap the information found using Wireshark (or another sniffer)
– 192.168.1.1 is at 11:22:33:44:11:11 (Router)
– 192.168.1.2 is at 11:22:33:44:55:66 (Host)
– 192.168.1.100 is at 11:22:33:44:99:99 (Attacker)
![Page 36: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/36.jpg)
ARP Poisoning
• Before the ARP poisoning:
– SRC: 11:22:33:44:55:66 (host) DST: FF:FF:FF:FF:FF:FF (Ethernet broadcast, so every host on the segment, including the gateway, sees it) Message: Who has 192.168.1.1? Tell 192.168.1.2
– SRC: 11:22:33:44:11:11 (gateway/router) DST: 11:22:33:44:55:66 (host) Message: 192.168.1.1 is at 11:22:33:44:11:11
![Page 37: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/37.jpg)
During/After ARP Poisoning/Spoof
• Executing the ARP poisoning/spoof:
– Before: 192.168.1.1 | 11:22:33:44:11:11 (in host ARP table)
– Execution: SRC: 11:22:33:44:99:99 (attacker) DST: 11:22:33:44:55:66 (host) Message: 192.168.1.1 is at 11:22:33:44:99:99 (an unsolicited reply; the host never asked, but it overwrites its cache entry anyway)
– After attack: 192.168.1.1 | 11:22:33:44:99:99 (in host ARP table)
• The host now sends everything bound for the router to the attacker. To keep the victim's connection working (and to see the return direction) the attacker must also poison the router's entry for 192.168.1.2 and forward the packets on, which is why both the host and the router were selected as targets earlier.
![Page 38: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/38.jpg)
ARP Poisoning
![Page 39: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/39.jpg)
ARP Poisoning
• What to do once poisoned?
– Man In The Middle Attacks: DNS spoof, manipulate connections, steal info, redirect sessions, SSH/protocol downgrade attack
![Page 40: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/40.jpg)
ARP Spoof Defense
• SARPI & DARPI: Static and Dynamic ARP Inspection on the host (the modes of the ArpON tool). Not practical at scale -- requires an agent on every host.
• DHCP Snooping: the switch records which IP/MAC pair was leased on which port, and Dynamic ARP Inspection (DAI) on the switch uses that binding table to drop ARP packets whose sender fields do not match it.
– Widely used on commercial network gear.
– Hosts with static addresses have no binding entry, so they must be whitelisted with ARP ACLs or they cannot ARP at all, and snooping alone (without DAI) does not stop the spoofed reply. This is the most common defense, since almost all networks assign addresses by DHCP, but it is not perfect.
• Static Mapping: static ARP entries on the hosts (e.g. for the default gateway) stop those entries from being overwritten. Easy, but it does not scale and it protects only the mapped addresses, so it defends against only simple ARP spoof attacks.
![Page 41: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/41.jpg)
ARP Spoof Defense
• Monitoring: There are numerous products and software packages that can actively monitor ARP requests and caches to clean caches and identify ARP attacks.
– ARPDefender (appliance in network)
– Arpwatch (software)
– Xarp (software)
– anti-arpspoof (software)
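The ARP exchange from the "Before" and "During/After" slides and the two switch-side and monitoring defenses above, as an added worked example that is not part of the original slides or of Sean Convery's talk. It builds and parses the three ARP frames using the slides' own constructed addresses, shows the victim's cache being overwritten by the unsolicited reply, and then runs two detections over the same frames: a Dynamic ARP Inspection check against a DHCP-snooping binding table (the ports Gi0/1 to Gi0/3 and the table contents are assumed) and an arpwatch-style change monitor.

```python
"""ARP poisoning end to end: the three frames from the slides, a victim cache
that follows the RFC 826 merge rule, and two detections (DAI-style binding
check, arpwatch-style monitor).  All addresses and MACs are the constructed
values from the slides; the port names and the binding table are assumed."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

ROUTER_IP, ROUTER_MAC = "192.168.1.1", "11:22:33:44:11:11"
HOST_IP, HOST_MAC = "192.168.1.2", "11:22:33:44:55:66"
ATTACKER_MAC = "11:22:33:44:99:99"          # the attacker, 192.168.1.100 on the slides
# What DHCP snooping would have recorded: ip -> (mac, switch port).  Assumed values.
SNOOPING_TABLE = {ROUTER_IP: (ROUTER_MAC, "Gi0/1"), HOST_IP: (HOST_MAC, "Gi0/2")}

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (RFC 826 layout, 42 bytes).
    Requests go to the broadcast MAC; replies go straight to the target."""
    dst_mac = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype Ethernet, ptype IPv4, hlen, plen, op
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame):
    """ARP fields as a dict, or None if this is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {"eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]),
            "op": struct.unpack("!H", frame[20:22])[0],
            "sender_mac": mac_str(body[0:6]), "sender_ip": ip_str(body[6:10]),
            "target_mac": mac_str(body[10:16]), "target_ip": ip_str(body[16:20])}

class NaiveArpCache:
    """Victim cache following the RFC 826 merge rule: any ARP packet whose sender
    IP is already cached overwrites the MAC, request or reply, solicited or not.
    That rule is exactly what the unsolicited reply on the slide exploits."""
    def __init__(self, own_ip):
        self.own_ip, self.table = own_ip, {}

    def on_frame(self, frame):
        p = parse_arp(frame)
        if p and (p["sender_ip"] in self.table or p["target_ip"] == self.own_ip):
            self.table[p["sender_ip"]] = p["sender_mac"]

def dai_check(frame, bindings, ingress_port, trusted=False):
    """Dynamic ARP Inspection: on an untrusted port, allow an ARP only if its sender
    IP/MAC arrived on the port the snooping table recorded for them.  A static-IP
    host has no binding and is dropped too unless an ARP ACL (not modelled) admits it."""
    if trusted:                                        # uplinks are usually trusted: no check
        return "allow"
    p = parse_arp(frame)
    if p is None:
        return "drop"
    return "allow" if bindings.get(p["sender_ip"]) == (p["sender_mac"], ingress_port) else "drop"

class ArpMonitor:
    """arpwatch-style passive sniffer: remember the first MAC seen for each IP and
    alert when a different MAC later claims it, or when the Ethernet source and
    the ARP sender MAC disagree (a common sign of a crafted frame)."""
    def __init__(self):
        self.bindings, self.alerts = {}, []

    def on_frame(self, frame):
        p = parse_arp(frame)
        if p is None:
            return
        ip, mac = p["sender_ip"], p["sender_mac"]
        if mac != p["eth_src"]:
            self.alerts.append(f"{ip}: ARP sender {mac} but Ethernet source {p['eth_src']}")
        old = self.bindings.setdefault(ip, mac)
        if old != mac:
            self.alerts.append(f"changed ethernet address: {ip} {old} -> {mac}")
            self.bindings[ip] = mac                    # follow the change so a flip back is reported too

def run_scenario():
    """Replay the slides: the host's request, the router's reply, then the poisoned reply."""
    frames = [
        ("Gi0/2", build_arp(ARP_REQUEST, HOST_MAC, HOST_IP, "00:00:00:00:00:00", ROUTER_IP)),
        ("Gi0/1", build_arp(ARP_REPLY, ROUTER_MAC, ROUTER_IP, HOST_MAC, HOST_IP)),
        ("Gi0/3", build_arp(ARP_REPLY, ATTACKER_MAC, ROUTER_IP, HOST_MAC, HOST_IP)),  # spoofed
    ]
    victim, monitor = NaiveArpCache(HOST_IP), ArpMonitor()
    cache_history, dai_verdicts = [], []
    for port, frame in frames:
        dai_verdicts.append(dai_check(frame, SNOOPING_TABLE, port))
        monitor.on_frame(frame)                        # sees everything on the wire
        victim.on_frame(frame)                         # what the host's stack does with it
        cache_history.append(dict(victim.table))
    return cache_history, dai_verdicts, monitor.alerts

if __name__ == "__main__":
    for result in run_scenario():
        print(result)
```

The cache history ends with 192.168.1.1 mapped to the attacker's MAC, DAI drops only the third frame (the sender pair does not match the binding for that port), and the monitor raises a single "changed ethernet address" alert for 192.168.1.1, the same event Arpwatch reports as a flip-flop when the real router answers again.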
![Page 42: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/42.jpg)
Exploiting Simple Masking Errors
• Here's a rule on a Cisco firewall (PIX/ASA syntax, which takes a normal netmask):
– access-list outside permit ip 10.11.12.0 255.255.255.0 host a.b.c.d
– That says "allow anyone in 10.11.12.* to reach a.b.c.d"
• Here's the same rule in Cisco IOS:
– permit ip 10.11.12.0 0.0.0.255 host a.b.c.d
– That does (almost) the same thing
• Note the way you have to write the mask "backwards" in IOS: it is a wildcard mask, where a 1 bit means "don't care"
• Suppose you forget – you say:
– permit ip 10.11.12.0 255.255.255.0 host a.b.c.d
– That "looks right", even to very experienced technical folks
• What does that do?
![Page 43: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/43.jpg)
Exploiting Simple Masking Errors
• The Backwards Mask:
– permit ip 10.11.12.0 255.255.255.0 host a.b.c.d
• What does it do?
• It really looks like "permit one subnet"
• It actually permits 16,777,216 (2^24) different hosts
– Every address that ends in a zero: the 24 one-bits say "don't care", and only the 8 zero-bits pin the last octet to 0
• Once you know this happens, the lesson is obvious
– When in an unknown network, set your IP to something like *.*.*.0
– You may find a lot of doors suddenly spring open!
• In many networks, the right source IP grants magic access
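The masking mistake above, as an added example that is not from the slides: a small checker that evaluates an address against the same entry under IOS wildcard semantics and under PIX/ASA netmask semantics, counts how many addresses a wildcard admits, and flags a mask that is a valid netmask but not a valid wildcard (the "backwards" case). The rule text is the slide's; the test addresses are constructed.

```python
"""What an IOS access-list entry really matches.  IOS takes a wildcard mask
(1 bit = don't care); PIX/ASA takes a netmask (1 bit = must match).  Added
example built around the slide's mistyped entry 10.11.12.0 255.255.255.0."""
import ipaddress

def _u32(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_matches(ip, base, wildcard):
    """IOS semantics: every bit that is 0 in the wildcard must equal the base."""
    return (_u32(ip) ^ _u32(base)) & (~_u32(wildcard) & 0xFFFFFFFF) == 0

def netmask_matches(ip, base, netmask):
    """PIX/ASA semantics: every bit that is 1 in the netmask must equal the base."""
    return (_u32(ip) ^ _u32(base)) & _u32(netmask) == 0

def wildcard_host_count(wildcard):
    """Each don't-care bit doubles the number of addresses the entry admits."""
    return 1 << bin(_u32(wildcard)).count("1")

def netmask_to_wildcard(netmask):
    """The conversion the slide calls writing the mask 'backwards'."""
    return str(ipaddress.IPv4Address(~_u32(netmask) & 0xFFFFFFFF))

def _is_pow2(n):
    return n > 0 and n & (n - 1) == 0

def looks_like_backwards_mask(wildcard):
    """Lint rule: a normal wildcard is 0...01...1, so wildcard + 1 is a power of two.
    If it is not, but the complement is a contiguous netmask, someone almost
    certainly typed a netmask where IOS wanted a wildcard."""
    w = _u32(wildcard)
    return not _is_pow2(w + 1) and _is_pow2((~w & 0xFFFFFFFF) + 1)

def audit(base, mask):
    """Compare what one mask string means as a wildcard (IOS) and as a netmask (ASA)."""
    return {"as_wildcard_hosts": wildcard_host_count(mask),
            "as_netmask_hosts": wildcard_host_count(netmask_to_wildcard(mask)),
            "backwards": looks_like_backwards_mask(mask)}

if __name__ == "__main__":
    RULE = ("10.11.12.0", "255.255.255.0")       # the slide's mistyped IOS entry
    print(audit(*RULE))
    for ip in ("10.11.12.5", "10.11.12.0", "192.0.2.0", "192.0.2.1"):   # constructed
        print(ip, "IOS:", wildcard_matches(ip, *RULE), "ASA:", netmask_matches(ip, *RULE))
```

Run against the slide's entry, 10.11.12.5 is denied under IOS semantics while 192.0.2.0 (or any other address ending in .0) is permitted, and the audit reports 16,777,216 addresses for the wildcard reading against 256 for the netmask reading. The lint rule is cheap enough to run over an entire configuration dump before it is pushed.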
![Page 44: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/44.jpg)
MAC/CAM
• Every switch keeps a Content Addressable Memory (CAM) table that maps each learned MAC address (per VLAN) to the port it was seen on, so frames for that host can be sent out that port alone. The table is of fixed, limited size.
• To place a MAC in the CAM the switch hashes the identifying information for the host (MAC, VLAN, etc.) into a table slot; entries that are not refreshed by new traffic age out after a timeout.
![Page 45: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/45.jpg)
MAC/CAM
• Tools like macof (part of the dsniff suite) generate thousands of frames per minute, each from a new bogus source MAC. Why? To fill the CAM table. Once it is full the switch can no longer learn new addresses (or re-learn ones that have aged out), so frames to those hosts are flooded out every port in the VLAN as if the switch were a hub, and the attacker sees that traffic too.
![Page 46: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/46.jpg)
MAC/CAM
![Page 47: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/47.jpg)
CAM Flood Defense
• Port Security (static): the MAC address allowed on each port is written into that port's configuration on the switch. Hard to implement, not scalable; a per-port maximum address count without listing the addresses is the usual compromise.
• Sticky MAC: port security that learns addresses dynamically and then restricts the port to them. The first MAC address seen on the port is learned and written to the running configuration (it must be saved or it is lost at reload); further addresses beyond the configured maximum trigger the port's violation action (protect, restrict or shutdown).
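The CAM flood and the sticky-MAC counter-measure above, as an added example that is not from the slides or from the original talk: a small switch model with a bounded CAM table and ageing, a macof-style flood against it, and port security with a sticky-MAC maximum of one on the attacker's port. The capacity, the host MACs and the port names are constructed; the only real-world mapping is the comment naming the IOS commands the model corresponds to.

```python
"""CAM flooding and port security as a switch model.  Added example; the
switch, its capacity, the MACs and the port names are constructed values."""
import random

class Switch:
    FLOOD = "FLOOD"                       # unknown destination: send out every port in the VLAN

    def __init__(self, cam_capacity, aging=300):
        self.cam_capacity, self.aging = cam_capacity, aging
        self.cam = {}                     # (vlan, mac) -> [port, last_seen]
        self.port_security = {}           # port -> {"max", "sticky", "violations"}

    def secure_port(self, port, max_macs=1):
        """IOS equivalent: switchport port-security / port-security maximum N /
        port-security mac-address sticky / port-security violation restrict."""
        self.port_security[port] = {"max": max_macs, "sticky": set(), "violations": 0}

    def _age_out(self, now):
        for key in [k for k, (_, seen) in self.cam.items() if now - seen > self.aging]:
            del self.cam[key]

    def ingress(self, port, src_mac, dst_mac, now, vlan=1):
        """Learn the source (subject to port security and table space), then return
        the egress port for dst_mac, FLOOD, or None if port security dropped the frame."""
        self._age_out(now)
        sec = self.port_security.get(port)
        if sec is not None and src_mac not in sec["sticky"]:
            if len(sec["sticky"]) >= sec["max"]:
                sec["violations"] += 1
                return None               # restrict mode: frame dropped, counter bumped, port stays up
            sec["sticky"].add(src_mac)    # a real switch writes this into the running-config
        key = (vlan, src_mac)
        if key in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[key] = [port, now]
        # else: the table is full, the source stays unknown and frames to it will flood
        entry = self.cam.get((vlan, dst_mac))
        return entry[0] if entry else self.FLOOD

def macof(switch, port, count, now, seed=1):
    """macof-style flood: 'count' frames, each with a fresh random source and
    destination MAC, so every frame tries to create a new CAM entry."""
    rng = random.Random(seed)

    def rand_mac():
        return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))

    for _ in range(count):
        switch.ingress(port, rand_mac(), rand_mac(), now)

SERVER, CLIENT = "00:50:56:00:00:01", "00:50:56:00:00:02"     # constructed hosts

def demo(protect_attacker_port, capacity=500):
    """Two hosts talk, the attacker floods from Gi0/3 while they are idle, then they
    talk again after their own entries have aged out of the table."""
    sw = Switch(capacity)
    if protect_attacker_port:
        sw.secure_port("Gi0/3", max_macs=1)
    sw.ingress("Gi0/1", SERVER, CLIENT, now=0)
    sw.ingress("Gi0/2", CLIENT, SERVER, now=0)
    macof(sw, "Gi0/3", 5 * capacity, now=350)
    sw.ingress("Gi0/1", SERVER, CLIENT, now=400)      # can the server be re-learned?
    egress = sw.ingress("Gi0/2", CLIENT, SERVER, now=400)
    return {"cam_entries": len(sw.cam), "client_to_server": egress,
            "violations": sw.port_security.get("Gi0/3", {}).get("violations", 0)}

if __name__ == "__main__":
    print("no port security:   ", demo(False))   # client->server now floods to every port
    print("sticky MAC on Gi0/3:", demo(True))    # stays unicast; flood frames are counted
```

Without port security the flood fills all 500 slots, the server cannot be re-learned once its entry has aged out, and the client's frames to it are flooded to every port, including the attacker's. With a sticky maximum of one on Gi0/3 only the first bogus MAC is learned, the remaining 2,499 frames are counted as violations, and client-to-server traffic stays on Gi0/1. Real switches hash entries into buckets rather than filling a flat table, so flooding can disrupt learning before the nominal capacity is reached, which is why a per-port maximum is the control to rely on rather than table size.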
![Page 48: Security Policy](https://reader036.vdocuments.site/reader036/viewer/2022081503/56813e33550346895da81750/html5/thumbnails/48.jpg)
Hakipedia
• www.hakipedia.com