Technical Cyber Defense Strategies Explained!
DESCRIPTION
More info on http://techdays.be

TRANSCRIPT
Technical Cyber Defense Strategies Explained
Marcus Murray & Hasain Alshakarti, Truesec Security Team, MVP - Enterprise Security x2
WARNING! Session format = DISCUSSION!
So.. What does it take to be hack-proof?
Let's start with the big picture!
We all know what a network looks like..
[Diagram: Web Srv, Mail Srv, File Srv, DC; two Clients; Attacker on the Internet]
Internet Strategy
[Diagram: Front-end with Web Srv and Mail Srv; Back-end with SqlSrv, DC and FileSrv; Client (User) and Client (Admin); Attacker on the Internet]
Traditional internal Strategy
[Diagram: Front-end with Web Srv and Mail Srv; Back-end with SqlSrv, DC and FileSrv; Client (User), Client (Admin); Attacker; Admin]
Demo – Hacking SQL..
[Diagram: SqlSrv; Attacker]
Traditional Internet strategy
[Diagram: FileSrv; Client; Attacker]
[Diagram: zones Internet Front-end, Internal Front-end, Internet back-end, Internal back-end, Cloud Front-end, Cloud back-end; Client network (Internet) and Client network (Managed); World Accessible; access levels Trusted access, World access, Admin access; Clients]
Apply Internet strategy internally
[Diagram: zones Internet Front-end, Internal Front-end, Internet back-end, Internal back-end, Cloud Front-end, Cloud back-end; Client network (Managed) behind a Secure Access Layer; Client network (Internet); World Accessible; access levels Trusted access, World access, Admin access; Clients; Attacker]
Let's add some future.. (today for some..)
[Diagram: zones Internet Front-end, Internal Front-end, Internet back-end, Internal back-end, Cloud Front-end, Cloud back-end; Client network (Managed) behind a Secure Access Layer; Client network (Internet); World Accessible; access levels Trusted access, World access, Admin access; Clients; Attacker; Fabric controllers]
Implementing Secure networking - DEMO
• IPsec domain isolation
• DirectAccess
• IPsec server isolation
Domain Isolation - Demo
[Diagram: Internal; Client network (Managed); access levels Trusted access, World access, Admin access; Client; Attacker; Client; File Srv; Sql Srv; Attacker]
DirectAccess - Demo
[Diagram: Internal; Client network (Managed) behind a Secure Access Layer; World Accessible; access levels Trusted access, World access, Admin access; Client; Attacker; Client; DA Srv; File Srv; Sql Srv]
Server isolation - Demo
[Diagram: Internal Front-end; Client network (Managed) behind a Secure Access Layer; Internal back-end; World Accessible; access levels Trusted access, World access, Admin access; Client; Attacker; Client; DA Srv; File Srv; Sql Srv]
So, if the clients are on the "internet" all the time..
• Physical access
• Firewall
• Patching
• Non-admin
• Malware protection
• Secure transport
[Diagram: Client (User); Web Srv; Attacker]
Physical access protection
• BitLocker
• Protect from DMA access!
  – http://support.microsoft.com/kb/2516445
Local Firewall
• Is there ANY reason why the client firewall must allow inbound traffic at any time?
[Diagram: Client (User); Web Srv; Attacker; Client (User)]
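As an added example (not from the session or from the Truesec team), the Windows PowerShell NetSecurity cmdlets below implement the three settings the demos above walk through on a domain-joined Windows 8 / Server 2012 or later host: a client firewall that allows no inbound traffic, IPsec domain isolation, and IPsec server isolation in front of the SQL server. The group name SQL-Access-Computers, the use of the ActiveDirectory module to resolve its SID, and the SQL port 1433 are assumptions; in production these settings would be delivered by Group Policy rather than typed locally.

```powershell
# Added example, not the speakers' code. Run elevated on a domain-joined host.

# 1. Local firewall: block all inbound traffic on every profile.
#    -AllowInboundRules False makes per-application inbound exceptions
#    ineffective, so "allow inbound" rules created by installers do nothing.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -AllowInboundRules False `
    -NotifyOnListen False

# 2. IPsec domain isolation: require computer (Kerberos) authentication
#    for anything inbound, only request it outbound so the host can still
#    talk to non-domain peers such as Internet services and printers.
#    Applied to every profile because the client is treated as always
#    being on the Internet.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName "Domain Isolation - Computer Kerberos" `
                                      -Proposal $proposal
New-NetIPsecRule -DisplayName "Domain Isolation" `
    -InboundSecurity Require `
    -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name `
    -Profile Any

# 3. IPsec server isolation (run on the SQL server, which also carries the
#    domain isolation rule from step 2 so authentication can be negotiated):
#    only authenticated computers in an authorised group may reach TCP/1433.
#    Assumption: ActiveDirectory module present; group name is hypothetical.
$groupSid = (Get-ADGroup 'SQL-Access-Computers').SID.Value
$remoteMachines = "O:LSD:(A;;CC;;;$groupSid)"      # SDDL: allow only this group
New-NetFirewallRule -DisplayName "SQL - authenticated group only" `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -Action Allow `
    -Authentication Required `
    -RemoteMachine $remoteMachines

# 4. Verify: inbound default is Block everywhere, and after the first
#    authenticated connection a main-mode SA exists for the peer.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod
```

Step 1 on its own answers the slide's question: with the default inbound action set to Block and inbound rules disabled, an attacker on the same network has no listening service to reach, and step 3 closes the remaining gap on the server side by tying the SQL port to an authenticated group rather than to an IP range.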
Patching, of course, but what about the 0-days?
• Non-admin
• Early mitigations
• Patching strategy
[Diagram: Client (User); Web Srv; Attacker; Client (User)]
Malware protection
• Macro settings
• Antivirus? Yes or No?
• Remember AppLocker?
[Diagram: Attacker; Client (User)]
Secure transports….
• Weak protocols…
  – Clear text
  – NTLM configurations
• DirectAccess!
• IPsec!
[Diagram: Client (User); Web Srv; Attacker; Client (User)]
So, what about BYOD?
[Diagram: zones Internet Front-end, Internal Front-end, Internet back-end, Internal back-end, Cloud Front-end, Cloud back-end; Client network (Managed) behind a Secure Access Layer; Client network (Internet); World Accessible; access levels Trusted access, World access, Admin access; Clients; Attacker]
• Application classification
• Data classification
..and… admin clients
• Should an admin user/computer be on the "internet"?
• Should an admin user read email?
• Safe admin access
  – Non-compromised computer
  – Trusted communication channel
  – Robust exposure of admin interface
• Robust services
• Limited number of administrators
  – Authentication
  – Authorization
[Diagram: Client (Admin); DC; Attacker]
And let's talk about server services.
• Robust service
  – Authentication
  – Authorization
• Firewall
• Patching
• Privileges
• Dependencies
• Admin exposure
[Diagram: Client (User); Web Srv; Attacker]
Web server attack
[Diagram: Web Srv; Attacker]
Marcus Murray Hasain Alshakarti
Thank you for listening!