This talk focuses on getting Back To Basics with security controls. Too many enterprises are focusing on the wrong threats and spending money in the wrong places. Often overlooked are our basic security controls that require care and feeding, and regular review. This talk focuses on a few of those areas.
2. My profile
• Joel Cardella
• Over 20 years in IT; operations, data center, application
development, architecture and security
• Regional Security Officer for North Americas
• Global company (41,000 users) with local information security
control (8,500 users)
3. Assumptions
• You have some basic understanding of information security
• You are aware that some risks exist in your enterprise
• You have in some ways secured your enterprise, using basic
security techniques
• Firewalls
• Policy control
• User access rights
• You are running a mostly Microsoft environment, with some
variations
• Active Directory authentication
• Active Directory User & Computer management
• You are worried that you may have missed something
4. Assumptions
• You are confident of your existing processes
• ARE YOU SURE?
• You need more robust controls
• You need better ways to measure
• You are immature in security and need to improve your
posture
5. Why this talk?
You can pay now, or you can pay
more later … but you will
eventually have to pay
6. Who benefits from this talk?
• Practitioner
• You need to implement or improve
• New to infosec
• Veteran – everyone needs reminders!
• Manager
• Know your people, their skills and knowledge
• Know your business and how you support it
• Executive
• Know what questions to ask
• Know your risks
8. Risk Defined in Security Terms
(Offense) (Defense)
Likelihood Impact
THREATS X VULNERABILITIES = RISK
Reduces Risk
Drives risk calculation
Threats increase risk
Dealing with vulnerabilities reduces risk
When a threat connects with a vulnerability, there is impact
Source: Dr Eric Cole, SANS
9. What risk can we control?
THREATS X VULNERABILITIES X TIME = RISK
No control Direct ControlIndirect Control (Vendor reliance)
Direct Control (Issuing patches &
updates)
None of these values is ever zero, but we should work toward zero
10. Where do we start?
Source: http://www.northropgrumman.com/AboutUs/Contracts/ManagedServices/Pages/SecurityServices.aspx
11. Back to basics – The Pareto
Principle
• In your enterprise, can you manage to the 80/20 rule?
• If you can focus on 20% of your basics, you can address 80% of
your risk
• Vendors love to focus on the other 80%
• This is the sexy space, where the talking points come from
• So the inverse would also be accurate, where looking at the
bottom 80% only addresses 20% of the risk!
12. Case study
• A major retailer was “Target-ed” by a very sophisticated
malware attack
• It gained major media attention, and prompted a
congressional inquiry
• It is the first case in which a CEO was ousted due to a security
event (though it was also likely driven by the PR disaster)
13. Case study – the numbers
Source: http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/
40 Million
The number of credit and debit cards thieves stole from Target
between Nov. 27 and Dec. 15, 2013.
70 Million
The number of records stolen that included the name, address,
email address and phone number of Target shoppers.
$200 Million
Estimated dollar cost to credit unions and community banks for
reissuing 21.8 million cards — about half of the total stolen in the
Target breach.
46%
The percentage drop in profits at Target in the fourth quarter of
2013, compared with the year before. ($480M)
$53.7 Million
The income that hackers likely generated from the sale of 2
million cards stolen from Target and sold at the mid-range price of
$26.85 (the median price between $18.00 and $35.70).
1M – 3M
The estimated number of cards stolen from Target that were
successfully sold on the black market and used for fraud before
issuing banks got around to canceling the rest.
14. Case study – the numbers
Source: http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/
$100 Million
The number of dollars Target says it will spend upgrading their
payment terminals to support Chip-and-PIN enabled cards.
0
The number of customer cards that Chip-and-PIN-enabled
terminals would have been able to stop the bad guys from
stealing had Target put the technology in place prior to the
breach.
0 The number of people in Chief Information Security Officer (CISO)
or Chief Security Officer (CSO) jobs at Target (according to the
AP).
$55 Million
The number of dollars outgoing CEO Gregg Steinhafel stands to
reap in executive compensation and other benefits on his
departure as Target’s chief executive.
16. Let’s start at the very
beginning…
A phishing email is
sent to Target
vendor
Vendor is
successfully
phished, vendor
account is
compromised
Adversary logs into
Target systems
with Vendor
account
Once successfully
logged in,
adversary launches
a privilege
escalation attack
Once successful,
the adversary can
now traverse the
Target network
unfettered, create
more accounts,
create file shares,
etc
Hilarity ensues
Even if this is not
precisely what occurred
it is a great example of
typical attack vectors
17. From the Bloomberg article
• ”Target’s system, like any standard corporate network, is
segmented so that the most sensitive parts—including
customer payments and personal data—are walled off from
other parts of the network and, especially, the open Internet.”
• “Target’s walls obviously had holes.”
http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
18. Vendor
Account
Target
PC
Target
PC
Target
PC
Target
PC
Scenario 1 – Vendor account has no privilege
Vendor
Account
Target
PC
Target
PC
Target
PC
Target
PC
Scenario 2 – Vendor account has privileges escalated
How could Back to Basics have prevented either of these scenarios?
V
P
N
AD
V
P
N
AD
20. Security basics
• Security requires resources; you must invest to get a return
• If you don’t invest the resources, you will increase the
vulnerability and likelihood
• Basics should include
• Prevention
• Detection
• Response
• Recovery
21. Things to remember
• Act/think like an adversary; be hostile toward your own
network and you will learn things you did not know existed
• Find and understand your baselines
• Document your findings; document everything
• Make a plan
• Decide what you want to address
• Keep your scope small (80/20)
• Go back and do it all again
• Verify your assumptions, verify your baselines
• Document changes
• Continuously improve
22. Business context is everything
• Do you understand your business?
• How does your IT infrastructure support your business?
• Do you understand the functions of your IT segments, and
how they support your business operations?
• Example: Is your website critical to your business?
• How will your firewall affect this? Does it have anything to do with
it?
• Document it!
24. SANS 20 Critical Security Controls
3 1: Inventory of Authorized and Unauthorized Devices
3 2: Inventory of Authorized and Unauthorized Software
5 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4 4: Continuous Vulnerability Assessment and Remediation
7 5: Malware Defenses
2 6: Application Software Security
2 7: Wireless Access Control
2 8: Data Recovery Capability
1 9: Security Skills Assessment and Appropriate Training to Fill Gaps
1 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
4 11: Limitation and Control of Network Ports, Protocols, and Services
9 12: Controlled Use of Administrative Privileges
2 13: Boundary Defense
5 14: Maintenance, Monitoring, and Analysis of Audit Logs
1 15: Controlled Access Based on the Need to Know
9 16: Account Monitoring and Control
4 17: Data Protection
6 18: Incident Response and Management
1 19: Secure Network Engineering
2 20: Penetration Tests and Red Team Exercises
73 Quick Wins
Quick wins provide significant risk reductionwithout major financial, procedural, architectural, or technical changes to
an environment, or that provide such substantial and immediate risk reduction against very common attacks that
most security-aware organizations prioritize these key controls.
Source: https://www.sans.org/media/critical-security-controls/CSC-5.pdf
26. Rapid approach to the basics
• Application whitelisting (CSC 2/DSD 1)
• Use of standard, secure system configurations (CSC 3)
• Patch application software within 48 hours (CSC 4/DSD 2)
• Patch system software within 48 hours (CSC 4/DSD 3)
• Reduce number of users with administrative privileges (CSC 3
and 12/DSD 4)
• DSD suggests these will fit into the Pareto principle and
address 80% of your risks
27. DSD ratings
Mitigation strategy
Overall
security
effectiveness
User
resistance
Upfront cost
(staff,
equipment,
technical
complexity)
Maintenance
cost (mainly
staff)
Helps
detect
intrusions
Helps mitigate
intrusion stage
1: code
execution
Helps mitigate
intrusion
stage 2:
network
propagation
Helps
mitigate
intrusion
stage 3:
data
exfiltration
Application whitelistingof permitted/trusted programs, to prevent execution of
malicious or unapproved programs including DLL files, scripts and installers.
Essential Medium High Medium Yes Yes Yes Yes
Patch applications,eg, Java, PDF viewers, Flash, web browsers and Microsoft
Office. Patch or mitigate systems with 'extreme risk' vulnerabilities within two days.
Use the latest version of applications.
Essential Low High High No Yes Possible No
Patch operating system vulnerabilities. Patch or mitigate systems with 'extreme
risk' vulnerabilities within two days. Use the latest suitable operating system. Avoid
Windows XP.
Essential Low Medium Medium No Yes Possible No
Restrict administrative privileges to operating systems and applications based on
user duties. Such users should use a separate unprivileged account for email and
web browsing.
Essential Medium Medium Low No Possible Yes No
Reconnaissance Good Low Low Low Yes Possible Yes No
Network segmentation Excellent Low Medium Low No Possible Yes Yes
Account management Excellent Medium Low Low No Yes Yes Possible
Controlled access Essential Medium Medium Low No Possible Yes No
Auditing/accounting Excellent Low High Medium Yes No No No
Physical Security Good High Low Medium No Yes Yes Yes
Backup Strategy Excellent Low High Medium No No No Yes
Adapted From: http://www.asd.gov.au/infosec/top-mitigations/top35mitigations-2014-table.htm
30. Basics explained
• WHAT TO ASK
• Questions to ask both down and up
• WHAT TO DO
• Steps you can take
• TOOLBOX
• Tools you can use
• HOW IT APPLIES
• How it can mitigate the problem in our case study
32. Recon – WHAT TO ASK
• What are your assets?
• Hardware
• Software
• Are you aware of authorized vs unauthorized assets?
• Can you tell when this changes?
• ARE YOU SURE?
33. Recon – WHAT TO DO
• Create a standard user account
• Login in from the outside and from the inside (both sides of your
firewall)
• Where can you go? What can you see? What do you have access to?
• Do you understand what you are seeing?
• Are you forgetting anything? Look for examples of what other
breaches have occurred and what they have tried
• Threat modeling works well here
35. Vendor
Account
Target
PC
Target
PC
Target
PC
Target
PC
Scenario 1 – Vendor account has no privilege
Systems allow
account logins at
the OS
Vendor
Account
Target
PC
Target
PC
Target
PC
Target
PC
Scenario 2 – Vendor account has privileges escalated
Systems allow
account logins at
the OS but only
for privilege
Recon would show us what this account can actually do with its privilege
V
P
N
AD
V
P
N
AD
37. Network segmentation –
WHAT TO ASK
• Do you have network segmentation?
• Protected enclaves can be formed with firewalls, VPNs, VLANS
and Access Control Lists and Network Access Control
• Do you allow access to any network resources from the
outside?
• How are they controlled?
• ARE YOU SURE?
38. Network segmentation – WHAT TO
DO
• Create a “secure zone” using your smart switches or firewall rules
• External and internal (non-employees vs employees)
• Internal zones (trusted and untrusted)
• You should have a basic classification scheme to decide what will fall into
these zones
• Document this!
• Inside the trusted zone, allow only certain accounts or certain
systems to talk to each other
• Never let generic user or non-privileged accounts access to critical
server infrastructure at the OS layer
• Accounts which use VPN logins should be limited by ACLs or IP
address
• For example: separate your public and private wireless spaces using
firewall rules
• Limit VPN access per account using IP ACLs
39. Network segmentation – TOOLBOX
• Some free firewall tools to help you
• http://www.solarwinds.com/products/freetools/firewall-
browser.aspx
• http://www.fwbuilder.org/
• This is going to take a lot of time and investment
• You have to have subject matter expertise
• You have to make ongoing reviews; frequency depends on how
many changes happen
• Make it worth it; document everything
40. Vendor
Account
Target
PC
Target
PC
Target
PC
Target
PC
Scenario 1 – Vendor account has no privilege
Vendor
Account
Target
PC
Target
PC
Target
PC
Target
PC
Scenario 2 – Vendor account has privileges escalated
Changes over
time to firewall
rules create holes
Network segmentation is in place … but is it working as designed?
This requires the most care and feeding of any basic control
V
P
N
AD
V
P
N
AD
42. Account management – WHAT TO
ASK
• What types of accounts exist in your enterprise?
• Do you know who owns those accounts?
• Do you know if those accounts are still valid?
• If you have system or service accounts, do you know what
they have access to (zones)?
• ARE YOU SURE?
43. Account management – WHAT TO
DO
• Manage your accounts by policy and technical enforcement
• Expire passwords/password complexity
• Use ACLs to manage access to your systems
• Restrict access within your zones
• Enforce 2nd factor authentication for vendor/contractor access
• For employees if you can! For everyone!
• Inventory your accounts and their parameters
• Know your vendors by their accounts
44. Key quotes
• “In fairness to Target, if they thought their network was
properly segmented, they wouldn’t have needed to have two-
factor access for everyone,” Litan said. “But if someone got in
there and somehow escalated their Active Directory privileges
like you described, that might have [bridged] that
segmentation.” - http://krebsonsecurity.com/2014/02/email-
attack-on-vendor-set-up-breach-at-target/
In all fairness to Ms. Litan, I disagree.
Why? Because they were not sure.
46. Vendor
Account
Target
PC
Target
PC
Target
PC
Target
PC
Scenario 1 – Vendor account has no privilege
Systems allow
account logins at
the OS
Vendor
Account
Target
PC
Target
PC
Target
PC
Target
PC
Scenario 2 – Vendor account has privileges escalated
Systems allow
account logins at
the OS but only
for privilege
2nd factor authentication would have prevented BOTH scenarios!
V
P
N
AD
2nd factor
challenge
V
P
N
AD
2nd factor
challenge
Internal firewalls
have holes
Internal firewalls
have holes
48. Controlled access – WHAT TO ASK
• What systems can talk to each other?
• Are they in different zones? Do they need to be?
• Do your business people have access to information they do
not need to do their jobs?
• Do your administrators have more access than they need to
do their jobs?
• What about non-admins?
• ARE YOU SURE?
49. Controlled access – WHAT TO DO
• Access based on need to know/need to work
• Classification scheme is needed for this
• Establish a policy of access based on need to know/need to
work
• Establish approval mechanism for special exceptions
• Talk to the business to find out what access they need, and
create a Segregation of Duties (SoD) matrix
• Enforce SoD through system constraints and involve the
business in the SoD approvals
50. Controlled access – TOOLBOX
• Don’t allow continuous membership in Enterprise Admins or
Schema Admins
• Limit access to these groups to senior admins only
• Monitor additions to Domain Admins group and keep this
group as small as possible
• Monitor groups for changes
• SCOM
• Netwrix (http://www.netwrix.com/)
• Quest tools (http://www.quest.com/)
• Within AD, delegate authority – slightly more secure approach
• http://technet.microsoft.com/en-
us/magazine/2007.02.activedirectory.aspx
• Use AD security groups / delegation to restrict access to
resources based on SoD matrix
51. Vendor
Account
Target
PC
Target
PC
Target
PC
Target
PC
Scenario 1 – Vendor account has no privilege
Controlled access
only allows logins
from certain
accounts
Vendor
Account
Target
PC
Target
PC
Target
PC
Target
PC
Scenario 2 – Vendor account has privileges escalated
Systems allow
account logins at
the OS but only
for privilege
Controlled access would not allow the escalation attack, and/or alert to the
attempt
V
P
N
AD
V
P
N
AD
53. Auditing/Accounting – WHAT TO
ASK
• Do you have logs?
• Where do they log to?
• Who has access to the logs?
• Do you understand them?
• Are they resistant to change?
• ARE YOU SURE????
54. Auditing/Accounting – WHAT TO
DO
• Logging needs to be actionable
• Start small; then get better
• Set up a central logging server and point your logs to that
• Allow only authorized persons access to this server
• Then parse your logs using a tool like Splunk, or Windows
Security and Operations Center
55. Auditing/Logging – TOOLBOX
• https://www.sans.org/reading-
room/whitepapers/logging/discovering-security-events-
interest-splunk-34272
• [WinEvent] >sourcetype="WinEventLog:Security"
("EventCode=675" OR ("EventCode=672" AND Type="Failure
Audit")) OR (EventCode=4771 AND "Audit Failure") NOT
(User_Name="*$" OR Account_Name="*$") NOT
Failure_Code=0x19 | stats count by Account_Name | where
count > 3
• [XSS] >source="/var/log/my-app/application.log" “&#” OR
“script” OR "`" OR "cookie" OR "alert" OR "%00“
• [SQL Inj] >source="/var/log/my-app/application.log" (‘ AND =)
OR (‘ AND ;) OR (drop table) OR --
Author: Carrie Roberts
56. Not a preventive measure
• This is not a preventive measure, however it does allow for:
• Detection of events in real time (with tools that do this)
• Forensic examination of events after the fact
• Leaves a trail that can be used to identify attack patterns
• You MUST make your logs resilient to change
• Log everything to a central server, or mirror them
• Restrict access to this system to only authorized security persons
• Trust but verify
58. Physical security – WHAT TO ASK
• Do you allow OEM devices to be connected to your network?
• Do you allow vendors/contractors access to facility and
internal network?
• Do you have mobile devices in your enterprise?
• How do you secure them?
• You know what I’m going to say!
• Are you sure?
59. Physical security – WHAT TO DO
• USB sticks
• Use GPOs to restrict what can connect to your network (least
cost) or use DLP software to restrict data that can be moved
(most costly)
• Disable Autorun (GPO)
• Physically restrict your network
• Guest cubes or multiple drops with ports on the untrusted
network
• Security of mobile devices
• Enforcing screen lock; this may be the most meaningful with the
least amount of impact
• Encryption of data at rest
• Awareness of connected devices
60. Physical security – TOOLBOX
• ADM templates to disable USB
• http://blogs.technet.com/b/danstolts/archive/2009/01/21/disabl
e-adding-usb-drive-and-memory-sticks-via-group-policy-and-
group-policy-preferences.aspx
• Physically restrict your network
• Guest cubes or multiple drops with ports on the untrusted
network
• Security of mobile devices
• Enforcing screen lock (GPO); this may be the most meaningful
with the least amount of impact
• Encryption of data at rest (Bitlocker)
• Awareness of connected devices
• Simple Powershell commands
• http://help.outlook.com/en-us/140/gg985420.aspx
61. Physical Security Described
• Physical security would not have been applicable to our case
study
• Physical security is important when you have non-employees
in a facility that can access your internal network
• Physical security is important when you have assets that travel
outside your network
63. Backup strategy – WHAT TO ASK
• Do you have a backup strategy?
• Is it documented?
• Does it align with your business needs?
• Backups cost money, time and resources
• Do you back up more than you need?
• Do you have resources to verify/restore backups?
• Do you regularly test backups?
• When was the last time you did and what were the results?
• Did you document this?
• ARE YOU SURE?
64. Backup strategy – WHAT TO DO
• Create a policy for regular backups
• Identify critical systems & backup frequency
• If you have a DRD in place make sure it’s being adhered to
• Document a Recovery Time Objective (RTO) and a Recovery
Point Objective (RPO) for your backups
• This aligns with disaster planning
• Must be done in alignment with your business
• VERIFY YOUR BACKUPS
• This is not negotiable or avoidable!
65. Back to Basics ratings
Mitigation strategy
Overall
security
effectiveness
User
resistance
Upfront cost
(staff,
equipment,
technical
complexity)
Maintenance
cost (mainly
staff)
Helps
detect
intrusions
Helps mitigate
intrusion stage
1: code
execution
Helps mitigate
intrusion
stage 2:
network
propagation
Helps
mitigate
intrusion
stage 3:
data
exfiltration
Reconnaissance Excellent Low Low Low Yes Possible Yes No
Network segmentation Excellent Low Medium Low No Possible Yes Yes
Account management Excellent Medium Low Low No Yes Yes Possible
Controlled access Essential Medium Medium Low No Possible Yes No
Auditing/accounting Excellent Low High Medium Yes No No No
Physical Security Good High Low Medium No Yes Yes Yes
Backup Strategy Excellent Low High Medium No No No Yes
Adapted From: http://www.asd.gov.au/infosec/top-mitigations/top35mitigations-2014-table.htm
67. Change management
• Who approves your security changes?
• Is this documented and reviewed periodically?
• Who reviews your security changes for accuracy?
• Who follows up to verify the changes are still accurate?
• Document reasons for changes, approvals and mitigations
• ARE YOU SURE?
68. Establish a governance calendar
• The calendar contains your regular cadence of review activity
• You can script reminders to the entities responsible for the review
• SharePoint
• Google scripts (Google calendar)
• http://corporateservices.schwab.com/public/corporate/compliance_
solutions
• Work this activity into your existing processes so they get
prioritized
• Time box those activities!
• Get SLAs/SLOs for teams on which you rely to perform these
activities
70. Important Enterprise Infosec
Lessons
• There is no magic bullet – infosec is multi-layered and multi-
disciplinary
• Infosec will cost you time, money and resources – measure
your value appropriately
• Infosec is an active discipline; it requires care and feeding, you
cannot install and forget
• Time is the enemy of infosec; the longer it takes, the higher
the risks
• Infosec is a value add for your business, and it is up to you to
show it
• Infosec is not a department of “no.” Market yourself like a
startup
71. Security basics put simply…
• 1. If you think technology can fix security, you don’t
understand technology and you don’t understand security.
• 2. The root cause of a security incident is rarely about the
technology and almost always about the implementation.
• 3. Humans will always be the weakest link in the security
chain. Awareness will mitigate the vast majority of your
security issues … spend time and money on educating
everyone in your company about security.
73. Tools & references list
• http://csc-hub.com/ - Ken Evan’s awesome 20 CSC site
• http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx -
AD rights delegation
• http://sectools.org/ - List of pay and free network tools
• http://www.poshsec.com/ - Powershell scripts that support the 20 CSC
• http://www.asd.gov.au/infosec/top35mitigationstrategies.htm - Australian DSD
Top 35
• http://www.counciloncybersecurity.com – Council on Cybersecurity
• https://www.sans.org/reading-room/whitepapers/logging/discovering-
security-events-interest-splunk-34272 - Carrie Roberts white paper on logging
• http://www.jwgoerlich.us/blogengine/post/2014/04/29/Update-on-Story-
Driven-Security.aspx - J. Wolfgang Goerlich and Nick Jacob’s work on effective
threat modeling
• http://www.theguardian.com/commentisfree/2014/may/06/target-credit-
card-data-hackers-retail-industry - Brian Kreb’s op-ed on the current state of
the Target breach and some of the false pretense
74. Contact info
• Joel Cardella
• Twitter: @JoelConverses
• Email: jscardella@pobox.com
• IRC: #misec on Freenode (joel_s_c)
Hinweis der Redaktion
So let’s talk about how we in Security define risk.Threats increase our risk. Threats can be known issues (known OS / app bugs, patching). They can be unknown issues (zero days)The more we address vulnerabilities, the less risk we assume.When a threat and vulnerability meet, we have impact. Sometimes we can predict the impact and sometimes we cannot.