Enterprise security
back to basics
Joel Cardella
My profile
• Joel Cardella
• Over 20 years in IT; operations, data center, application
development, architecture and security
• Regional Security Officer for North Americas
• Global company (41,000 users) with local information security
control (8,500 users)
Assumptions
• You have some basic understanding of information security
• You are aware that some risks exist in your enterprise
• You have in some ways secured your enterprise, using basic
security techniques
• Firewalls
• Policy control
• User access rights
• You are running a mostly Microsoft environment, with some
variations
• Active Directory authentication
• Active Directory User & Computer management
• You are worried that you may have missed something
Assumptions
• You are confident of your existing processes
• ARE YOU SURE?
• You need more robust controls
• You need better ways to measure
• You are immature in security and need to improve your
posture
Why this talk?
You can pay now, or you can pay
more later … but you will
eventually have to pay
Who benefits from this talk?
• Practitioner
• You need to implement or improve
• New to infosec
• Veteran – everyone needs reminders!
• Manager
• Know your people, their skills and knowledge
• Know your business and how you support it
• Executive
• Know what questions to ask
• Know your risks
LET’S TALK RISK
Risk Defined in Security Terms
THREATS (offense; likelihood) X VULNERABILITIES (defense; impact) = RISK
• Threats drive the risk calculation; threats increase risk
• Dealing with vulnerabilities reduces risk
• When a threat connects with a vulnerability, there is impact
Source: Dr Eric Cole, SANS
What risk can we control?
THREATS X VULNERABILITIES X TIME = RISK
• Threats: no control
• Vulnerabilities: indirect control (vendor reliance)
• Time: direct control (issuing patches & updates)
None of these values is ever zero, but we should work toward zero
Where do we start?
Source: http://www.northropgrumman.com/AboutUs/Contracts/ManagedServices/Pages/SecurityServices.aspx
Back to basics – The Pareto
Principle
• In your enterprise, can you manage to the 80/20 rule?
• If you can focus on 20% of your basics, you can address 80% of
your risk
• Vendors love to focus on the other 80%
• This is the sexy space, where the talking points come from
• So the inverse would also be accurate, where looking at the
bottom 80% only addresses 20% of the risk!
Case study
• A major retailer was “Target-ed” by a very sophisticated
malware attack
• It gained major media attention, and prompted a
congressional inquiry
• It is the first case in which a CEO was ousted due to a security
event (though it was also likely driven by the PR disaster)
Case study – the numbers
Source: http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/
40 Million
The number of credit and debit cards thieves stole from Target
between Nov. 27 and Dec. 15, 2013.
70 Million
The number of records stolen that included the name, address,
email address and phone number of Target shoppers.
$200 Million
Estimated dollar cost to credit unions and community banks for
reissuing 21.8 million cards — about half of the total stolen in the
Target breach.
46%
The percentage drop in profits at Target in the fourth quarter of
2013, compared with the year before. ($480M)
$53.7 Million
The income that hackers likely generated from the sale of 2
million cards stolen from Target and sold at the mid-range price of
$26.85 (the median price between $18.00 and $35.70).
1M – 3M
The estimated number of cards stolen from Target that were
successfully sold on the black market and used for fraud before
issuing banks got around to canceling the rest.
Case study – the numbers
Source: http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/
$100 Million
The number of dollars Target says it will spend upgrading their
payment terminals to support Chip-and-PIN enabled cards.
0
The number of customer cards that Chip-and-PIN-enabled
terminals would have been able to stop the bad guys from
stealing had Target put the technology in place prior to the
breach.
0
The number of people in Chief Information Security Officer (CISO)
or Chief Security Officer (CSO) jobs at Target (according to the
AP).
$55 Million
The number of dollars outgoing CEO Gregg Steinhafel stands to
reap in executive compensation and other benefits on his
departure as Target’s chief executive.
Slide callouts: “The problem starts here!” / “Media focuses on this”
Let’s start at the very beginning…
1. A phishing email is sent to a Target vendor
2. Vendor is successfully phished; vendor account is compromised
3. Adversary logs into Target systems with the vendor account
4. Once successfully logged in, adversary launches a privilege
escalation attack
5. Once successful, the adversary can now traverse the Target
network unfettered, create more accounts, create file shares, etc.
6. Hilarity ensues
Even if this is not precisely what occurred, it is a great example of
typical attack vectors
From the Bloomberg article
• ”Target’s system, like any standard corporate network, is
segmented so that the most sensitive parts—including
customer payments and personal data—are walled off from
other parts of the network and, especially, the open Internet.”
• “Target’s walls obviously had holes.”
http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
[Diagram: Vendor Account, via VPN and AD, reaching four Target PCs]
Scenario 1 – Vendor account has no privilege
Scenario 2 – Vendor account has privileges escalated
How could Back to Basics have prevented either of these scenarios?
BEFORE YOU START…
Security basics
• Security requires resources; you must invest to get a return
• If you don’t invest the resources, you will increase the
vulnerability and likelihood
• Basics should include
• Prevention
• Detection
• Response
• Recovery
Things to remember
• Act/think like an adversary; be hostile toward your own
network and you will learn things you did not know existed
• Find and understand your baselines
• Document your findings; document everything
• Make a plan
• Decide what you want to address
• Keep your scope small (80/20)
• Go back and do it all again
• Verify your assumptions, verify your baselines
• Document changes
• Continuously improve
Business context is everything
• Do you understand your business?
• How does your IT infrastructure support your business?
• Do you understand the functions of your IT segments, and
how they support your business operations?
• Example: Is your website critical to your business?
• How will your firewall affect this? Does it have anything to do with
it?
• Document it!
FOUNDATIONAL APPROACHES
SANS 20 Critical Security Controls
(number of Quick Wins per control in parentheses; 73 in total)
1: Inventory of Authorized and Unauthorized Devices (3)
2: Inventory of Authorized and Unauthorized Software (3)
3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers (5)
4: Continuous Vulnerability Assessment and Remediation (4)
5: Malware Defenses (7)
6: Application Software Security (2)
7: Wireless Access Control (2)
8: Data Recovery Capability (2)
9: Security Skills Assessment and Appropriate Training to Fill Gaps (1)
10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches (1)
11: Limitation and Control of Network Ports, Protocols, and Services (4)
12: Controlled Use of Administrative Privileges (9)
13: Boundary Defense (2)
14: Maintenance, Monitoring, and Analysis of Audit Logs (5)
15: Controlled Access Based on the Need to Know (1)
16: Account Monitoring and Control (9)
17: Data Protection (4)
18: Incident Response and Management (6)
19: Secure Network Engineering (1)
20: Penetration Tests and Red Team Exercises (2)
73 Quick Wins
Quick wins are controls that provide significant risk reduction without major financial, procedural, architectural, or technical changes to
an environment, or that provide such substantial and immediate risk reduction against very common attacks that
most security-aware organizations prioritize them.
Source: https://www.sans.org/media/critical-security-controls/CSC-5.pdf
AU Defence Signals Directorate
Rapid approach to the basics
• Application whitelisting (CSC 2/DSD 1)
• Use of standard, secure system configurations (CSC 3)
• Patch application software within 48 hours (CSC 4/DSD 2)
• Patch system software within 48 hours (CSC 4/DSD 3)
• Reduce number of users with administrative privileges (CSC 3
and 12/DSD 4)
• DSD suggests these will fit into the Pareto principle and
address 80% of your risks
DSD ratings
Columns: Mitigation strategy | Overall security effectiveness | User resistance | Upfront cost (staff, equipment, technical complexity) | Maintenance cost (mainly staff) | Helps detect intrusions | Helps mitigate intrusion stage 1: code execution | Helps mitigate intrusion stage 2: network propagation | Helps mitigate intrusion stage 3: data exfiltration
Application whitelisting of permitted/trusted programs, to prevent execution of malicious or unapproved programs including DLL files, scripts and installers | Essential | Medium | High | Medium | Yes | Yes | Yes | Yes
Patch applications, eg, Java, PDF viewers, Flash, web browsers and Microsoft Office. Patch or mitigate systems with 'extreme risk' vulnerabilities within two days. Use the latest version of applications | Essential | Low | High | High | No | Yes | Possible | No
Patch operating system vulnerabilities. Patch or mitigate systems with 'extreme risk' vulnerabilities within two days. Use the latest suitable operating system. Avoid Windows XP | Essential | Low | Medium | Medium | No | Yes | Possible | No
Restrict administrative privileges to operating systems and applications based on user duties. Such users should use a separate unprivileged account for email and web browsing | Essential | Medium | Medium | Low | No | Possible | Yes | No
Reconnaissance | Good | Low | Low | Low | Yes | Possible | Yes | No
Network segmentation | Excellent | Low | Medium | Low | No | Possible | Yes | Yes
Account management | Excellent | Medium | Low | Low | No | Yes | Yes | Possible
Controlled access | Essential | Medium | Medium | Low | No | Possible | Yes | No
Auditing/accounting | Excellent | Low | High | Medium | Yes | No | No | No
Physical Security | Good | High | Low | Medium | No | Yes | Yes | Yes
Backup Strategy | Excellent | Low | High | Medium | No | No | No | Yes
Adapted From: http://www.asd.gov.au/infosec/top-mitigations/top35mitigations-2014-table.htm
SIMPLE APPROACH TO THE BASICS
Targeted basics
• Reconnaissance
• Network segmentation
• Account management
• Controlled access
• Auditing/accounting
• Physical Security
• Backup Strategy
• Governance
Basics explained
• WHAT TO ASK
• Questions to ask both down and up
• WHAT TO DO
• Steps you can take
• TOOLBOX
• Tools you can use
• HOW IT APPLIES
• How it can mitigate the problem in our case study
RECONNAISSANCE
Recon – WHAT TO ASK
• What are your assets?
• Hardware
• Software
• Are you aware of authorized vs unauthorized assets?
• Can you tell when this changes?
• ARE YOU SURE?
Recon – WHAT TO DO
• Create a standard user account
• Login in from the outside and from the inside (both sides of your
firewall)
• Where can you go? What can you see? What do you have access to?
• Do you understand what you are seeing?
• Are you forgetting anything? Look for examples of what other
breaches have occurred and what they have tried
• Threat modeling works well here
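The recon questions above (what are your assets, authorized vs unauthorized, can you tell when this changes?) come down to keeping a documented baseline and diffing it against what is actually on the wire. The following is an added example, not from the slides or any of the inventory tools they name; the baseline and scan records are constructed sample data in the shape an inventory export might take, and the field names are assumptions.

```python
"""Compare a documented asset baseline against a fresh inventory scan.

Added example, not from the slides. The baseline and scan records are
constructed sample data in the shape an inventory tool export might take.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    hostname: str
    mac: str
    owner: str                       # who is accountable for the device ("" = nobody documented)
    software: frozenset = field(default_factory=frozenset)


# Constructed baseline: the assets we documented as authorized.
BASELINE = {
    "ws-001": Asset("ws-001", "00:11:22:33:44:01", "finance", frozenset({"office", "browser"})),
    "srv-ad1": Asset("srv-ad1", "00:11:22:33:44:10", "it-ops", frozenset({"ad-ds", "dns"})),
    "vendor-hvac": Asset("vendor-hvac", "00:11:22:33:44:20", "facilities", frozenset({"hvac-client"})),
}

# Constructed scan result: what is actually on the network today.
SCAN = {
    "ws-001": Asset("ws-001", "00:11:22:33:44:01", "finance",
                    frozenset({"office", "browser", "torrent-client"})),
    "srv-ad1": Asset("srv-ad1", "00:11:22:33:44:10", "it-ops", frozenset({"ad-ds", "dns"})),
    "unknown-7f": Asset("unknown-7f", "de:ad:be:ef:00:01", "", frozenset()),
}


def diff_inventory(baseline, scan):
    """Return what changed since the baseline was documented.

    unauthorized_devices: on the wire but never documented
    missing_devices:      documented but not seen (decommissioned, or just offline?)
    mac_changed:          same hostname, different hardware address (re-imaged or spoofed)
    software_drift:       packages added/removed relative to the documented build
    """
    report = {"unauthorized_devices": [], "missing_devices": [],
              "mac_changed": [], "software_drift": {}}
    for name, seen in scan.items():
        known = baseline.get(name)
        if known is None:
            report["unauthorized_devices"].append(name)
            continue
        if known.mac != seen.mac:
            report["mac_changed"].append(name)
        added = seen.software - known.software
        removed = known.software - seen.software
        if added or removed:
            report["software_drift"][name] = {"added": sorted(added), "removed": sorted(removed)}
    report["missing_devices"] = [name for name in baseline if name not in scan]
    return report


def unowned_assets(scan):
    """Assets with no documented owner: nobody can answer 'is this authorized?'."""
    return sorted(name for name, a in scan.items() if not a.owner)


if __name__ == "__main__":
    for key, value in diff_inventory(BASELINE, SCAN).items():
        print(f"{key}: {value}")
    print("no owner:", unowned_assets(SCAN))
```

Run it on each scan and file the report; a device that shows up in unauthorized_devices two scans in a row is the "are you sure?" moment the slide is asking about.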
Recon – TOOLBOX
• Standard RDP / SSH
• Inventory tools
• Spiceworks (http://www.spiceworks.com)
• BelArc (http://www.belarc.com)
• Lansweeper (http://www.lansweeper.com)
• System Management Tools
• SCCM/Altiris/Dameware
• Threat modeling info
• http://www.jwgoerlich.us/blogengine/post/2014/04/29/Update-
on-Story-Driven-Security.aspx
[Diagram: Vendor Account, via VPN and AD, reaching four Target PCs]
Scenario 1 – Vendor account has no privilege: systems allow account logins at the OS
Scenario 2 – Vendor account has privileges escalated: systems allow account logins at the OS but only for privilege
Recon would show us what this account can actually do with its privilege
NETWORK SEGMENTATION
Network segmentation –
WHAT TO ASK
• Do you have network segmentation?
• Protected enclaves can be formed with firewalls, VPNs, VLANS
and Access Control Lists and Network Access Control
• Do you allow access to any network resources from the
outside?
• How are they controlled?
• ARE YOU SURE?
Network segmentation – WHAT TO
DO
• Create a “secure zone” using your smart switches or firewall rules
• External and internal (non-employees vs employees)
• Internal zones (trusted and untrusted)
• You should have a basic classification scheme to decide what will fall into
these zones
• Document this!
• Inside the trusted zone, allow only certain accounts or certain
systems to talk to each other
• Never let generic user or non-privileged accounts access to critical
server infrastructure at the OS layer
• Accounts which use VPN logins should be limited by ACLs or IP
address
• For example: separate your public and private wireless spaces using
firewall rules
• Limit VPN access per account using IP ACLs
Network segmentation – TOOLBOX
• Some free firewall tools to help you
• http://www.solarwinds.com/products/freetools/firewall-
browser.aspx
• http://www.fwbuilder.org/
• This is going to take a lot of time and investment
• You have to have subject matter expertise
• You have to make ongoing reviews; frequency depends on how
many changes happen
• Make it worth it; document everything
[Diagram: Vendor Account, via VPN and AD, reaching four Target PCs]
Scenario 1 – Vendor account has no privilege
Scenario 2 – Vendor account has privileges escalated
Changes over time to firewall rules create holes
Network segmentation is in place … but is it working as designed?
This requires the most care and feeding of any basic control
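The "what to do" steps for segmentation (document a zone scheme, allow only certain systems into the trusted zone, keep generic accounts off the OS layer, limit VPN access by ACL) and the warning that rules drift over time can both be checked mechanically. This is an added example, not from the slides or from either firewall tool they link; the zones, the documented policy and the two rule snapshots are constructed, and the rule fields are assumptions about how an export might look.

```python
"""Audit a firewall rule set against a documented zone policy, and diff two
rule snapshots to see how the rules drifted since they were documented.

Added example, not from the slides. Zones, policy and rules are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    port: str     # TCP port as a string, or "any"
    action: str   # "allow" or "deny"


# Constructed zone map: the classification scheme the slides ask you to document.
ZONES = {
    "vendor-vpn": ipaddress.ip_network("10.90.0.0/24"),
    "guest-wifi": ipaddress.ip_network("10.80.0.0/24"),
    "user-lan": ipaddress.ip_network("10.20.0.0/16"),
    "trusted-servers": ipaddress.ip_network("10.10.0.0/24"),
}

# Documented policy: which source zones may reach a protected zone, and on which ports.
POLICY = {"trusted-servers": {"user-lan": {"443"}, "vendor-vpn": {"8443"}}}

ADMIN_PORTS = {"22", "3389", "445", "5985"}   # OS-layer access the slides say to keep off generic accounts


def zone_of(cidr):
    """Map a CIDR from a rule onto the documented zone it falls inside."""
    if cidr == "any":
        return "any"
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "unknown"


def audit_rules(rules):
    """Return (rule_id, reason) for every allow rule the documented policy does not cover."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        if src_zone == "any" and r.port == "any":
            findings.append((r.rule_id, "any-source, any-port allow"))
            continue
        # A rule to "any" destination reaches every protected zone.
        targets = list(POLICY) if dst_zone == "any" else [dst_zone]
        for target in targets:
            allowed = POLICY.get(target)
            if allowed is None:
                continue                      # destination is not a protected zone
            if r.port == "any" or r.port not in allowed.get(src_zone, set()):
                reason = f"{src_zone} -> {target} port {r.port} is not in the documented policy"
                if r.port in ADMIN_PORTS:
                    reason += " (OS-layer administrative port)"
                findings.append((r.rule_id, reason))
    return findings


def rule_drift(old, new):
    """Compare two snapshots of the rule set by rule id: the 'changes over time' review."""
    old_by_id = {r.rule_id: r for r in old}
    new_by_id = {r.rule_id: r for r in new}
    return {
        "added": sorted(set(new_by_id) - set(old_by_id)),
        "removed": sorted(set(old_by_id) - set(new_by_id)),
        "changed": sorted(i for i in old_by_id.keys() & new_by_id.keys()
                          if old_by_id[i] != new_by_id[i]),
    }


# Constructed snapshots: the rule set as documented at go-live, and as it is today.
RULES_GOLIVE = [
    Rule("r1", "10.20.0.0/16", "10.10.0.0/24", "443", "allow"),
    Rule("r2", "10.90.0.0/24", "10.10.0.0/24", "8443", "allow"),
    Rule("r3", "any", "10.10.0.0/24", "any", "deny"),
]
RULES_TODAY = [
    Rule("r1", "10.20.0.0/16", "10.10.0.0/24", "443", "allow"),
    Rule("r2", "10.90.0.0/24", "10.10.0.0/24", "any", "allow"),   # "temporary" widening, never reverted
    Rule("r3", "any", "10.10.0.0/24", "any", "deny"),
    Rule("r4", "10.80.0.0/24", "10.10.0.0/24", "3389", "allow"),  # guest wifi straight to server RDP
]


if __name__ == "__main__":
    for rule_id, reason in audit_rules(RULES_TODAY):
        print(f"{rule_id}: {reason}")
    print(rule_drift(RULES_GOLIVE, RULES_TODAY))
```

The go-live snapshot audits clean; today's does not, and the drift report tells you which rule ids to go and find change tickets for. Schedule the review at the frequency the slides suggest: as often as rules change.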
V
P
N
AD
V
P
N
AD
ACCOUNT MANAGEMENT
Account management – WHAT TO
ASK
• What types of accounts exist in your enterprise?
• Do you know who owns those accounts?
• Do you know if those accounts are still valid?
• If you have system or service accounts, do you know what
they have access to (zones)?
• ARE YOU SURE?
Account management – WHAT TO
DO
• Manage your accounts by policy and technical enforcement
• Expire passwords/password complexity
• Use ACLs to manage access to your systems
• Restrict access within your zones
• Enforce 2nd factor authentication for vendor/contractor access
• For employees if you can! For everyone!
• Inventory your accounts and their parameters
• Know your vendors by their accounts
Key quotes
• “In fairness to Target, if they thought their network was
properly segmented, they wouldn’t have needed to have two-
factor access for everyone,” Litan said. “But if someone got in
there and somehow escalated their Active Directory privileges
like you described, that might have [bridged] that
segmentation.” - http://krebsonsecurity.com/2014/02/email-
attack-on-vendor-set-up-breach-at-target/
In all fairness to Ms. Litan, I disagree.
Why? Because they were not sure.
Account management – TOOLBOX
• Fail2ban (Unix)
• http://sourceforge.net/projects/fail2ban/
• Winfail2ban
• http://winfail2ban.sourceforge.net/
• 2nd factor authentication
• Google Authenticator -
https://support.google.com/accounts/answer/1066447?hl=en
• Microsoft Phonefactor - http://technet.microsoft.com/en-
us/magazine/dn448533.aspx
• Duo Security – https://www.duosecurity.com/
• Windows Powershell
• http://technet.microsoft.com/en-us/scriptcenter/ee861518.aspx
• Get-ADUser -Filter * -SearchBase "DC=ad,DC=company,DC=com"
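The account-management steps above (expire passwords, inventory accounts and their parameters, know your vendors by their accounts, second factor for vendor access) can be run as one review over an export like the one the Get-ADUser line produces. This is an added example, not from the slides; the CSV is constructed in the shape of such an export (for instance Get-ADUser piped to Export-Csv), its column names and the mfa_enrolled field are assumptions, and the 90-day thresholds are illustrative policy values.

```python
"""Review an account export for the parameters the slides say to inventory:
ownership, staleness, password expiry and a second factor for vendor accounts.

Added example, not from the slides. The CSV is constructed; its column names
are assumptions about an AD export, and the thresholds are illustrative.
"""
import csv
import io
from datetime import date

EXPORT_CSV = """\
sam,enabled,account_type,owner,last_logon,password_last_set,password_never_expires,mfa_enrolled
jdoe,True,employee,finance,2014-05-28,2014-04-01,False,False
hvac-vendor,True,vendor,,2014-05-30,2013-11-15,True,False
svc-backup,True,service,it-ops,2014-05-31,2013-01-10,True,False
old-temp,True,employee,hr,2013-12-01,2013-12-01,False,False
bsmith,False,employee,sales,2013-06-01,2013-06-01,False,False
"""

TODAY = date(2014, 6, 1)     # fixed so the example is reproducible
STALE_DAYS = 90              # no logon for this long -> review or disable
MAX_PASSWORD_AGE = 90        # password older than this breaks the expiry policy


def parse_export(text):
    """Turn the CSV export into typed records."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        for flag in ("enabled", "password_never_expires", "mfa_enrolled"):
            row[flag] = row[flag] == "True"
        for when in ("last_logon", "password_last_set"):
            row[when] = date.fromisoformat(row[when])
        accounts.append(row)
    return accounts


def review_accounts(accounts, today=TODAY):
    """Map each enabled account to the policy findings against it."""
    findings = {}
    for a in accounts:
        if not a["enabled"]:
            continue                          # disabled accounts are a separate cleanup list
        issues = []
        if (today - a["last_logon"]).days > STALE_DAYS:
            issues.append("stale account")
        # Service accounts are the usual exception; they still get the age check below.
        if a["password_never_expires"] and a["account_type"] != "service":
            issues.append("password never expires")
        if (today - a["password_last_set"]).days > MAX_PASSWORD_AGE:
            issues.append("password older than policy")
        if not a["owner"]:
            issues.append("no documented owner")
        if a["account_type"] == "vendor" and not a["mfa_enrolled"]:
            issues.append("vendor account without 2nd factor")
        if issues:
            findings[a["sam"]] = issues
    return findings


def vendor_accounts(accounts):
    """'Know your vendors by their accounts': vendor account -> documented owner."""
    return {a["sam"]: a["owner"] or "(none)" for a in accounts if a["account_type"] == "vendor"}


if __name__ == "__main__":
    accts = parse_export(EXPORT_CSV)
    for sam, issues in review_accounts(accts).items():
        print(sam, "->", "; ".join(issues))
    print("vendor accounts:", vendor_accounts(accts))
```

The vendor account in the sample is the case-study shape: no owner, never-expiring password, no second factor. That is the row to fix first.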
KEY SECURITY STRATEGY!
[Diagram: Vendor Account, via VPN and AD, reaching four Target PCs, with a 2nd factor challenge in front of the login]
Scenario 1 – Vendor account has no privilege: systems allow account logins at the OS
Scenario 2 – Vendor account has privileges escalated: systems allow account logins at the OS but only for privilege
Internal firewalls have holes
2nd factor authentication would have prevented BOTH scenarios!
CONTROLLED ACCESS
Controlled access – WHAT TO ASK
• What systems can talk to each other?
• Are they in different zones? Do they need to be?
• Do your business people have access to information they do
not need to do their jobs?
• Do your administrators have more access than they need to
do their jobs?
• What about non-admins?
• ARE YOU SURE?
Controlled access – WHAT TO DO
• Access based on need to know/need to work
• Classification scheme is needed for this
• Establish a policy of access based on need to know/need to
work
• Establish approval mechanism for special exceptions
• Talk to the business to find out what access they need, and
create a Segregation of Duties (SoD) matrix
• Enforce SoD through system constraints and involve the
business in the SoD approvals
Controlled access – TOOLBOX
• Don’t allow continuous membership in Enterprise Admins or
Schema Admins
• Limit access to these groups to senior admins only
• Monitor additions to Domain Admins group and keep this
group as small as possible
• Monitor groups for changes
• SCOM
• Netwrix (http://www.netwrix.com/)
• Quest tools (http://www.quest.com/)
• Within AD, delegate authority – slightly more secure approach
• http://technet.microsoft.com/en-
us/magazine/2007.02.activedirectory.aspx
• Use AD security groups / delegation to restrict access to
resources based on SoD matrix
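The toolbox items above are three checks on group membership: alert on additions to Domain Admins, allow no standing membership in Enterprise Admins or Schema Admins, and enforce the SoD matrix from the previous slide. This is an added example, not from the slides or from SCOM, Netwrix or the Quest tools; the membership snapshots and the SoD matrix are constructed, and the one-day standing-membership limit is an illustrative policy value.

```python
"""Watch privileged group membership and check it against a SoD matrix.

Added example, not from the slides. Snapshots and the SoD matrix are constructed.
"""
from datetime import date

PRIVILEGED_GROUPS = {"Enterprise Admins", "Schema Admins", "Domain Admins"}
# Groups that should have no standing members: elevate, do the work, drop back.
NO_STANDING_MEMBERSHIP = {"Enterprise Admins", "Schema Admins"}
MAX_STANDING_DAYS = 1

# Constructed SoD matrix: pairs of roles one person must not hold together.
SOD_CONFLICTS = {
    frozenset({"AP-Clerks", "AP-Approvers"}),
    frozenset({"Payroll-Entry", "Payroll-Approvers"}),
}

# Constructed membership snapshots: group -> {member: date added}.
YESTERDAY = {
    "Domain Admins": {"alice": date(2014, 1, 5)},
    "Schema Admins": {},
    "Enterprise Admins": {"bob": date(2014, 5, 20)},
    "AP-Clerks": {"carol": date(2014, 2, 1)},
    "AP-Approvers": {"dave": date(2014, 2, 1)},
}
TODAY_SNAPSHOT = {
    "Domain Admins": {"alice": date(2014, 1, 5), "mallory": date(2014, 6, 1)},
    "Schema Admins": {},
    "Enterprise Admins": {"bob": date(2014, 5, 20)},
    "AP-Clerks": {"carol": date(2014, 2, 1)},
    "AP-Approvers": {"dave": date(2014, 2, 1), "carol": date(2014, 6, 1)},
}


def membership_changes(old, new):
    """Alerts for every membership change; additions to privileged groups are HIGH."""
    alerts = []
    for group in sorted(set(old) | set(new)):
        added = set(new.get(group, {})) - set(old.get(group, {}))
        removed = set(old.get(group, {})) - set(new.get(group, {}))
        severity = "HIGH" if group in PRIVILEGED_GROUPS else "INFO"
        for m in sorted(added):
            alerts.append((severity, f"{m} added to {group}"))
        for m in sorted(removed):
            alerts.append(("INFO", f"{m} removed from {group}"))
    return alerts


def standing_membership(snapshot, today):
    """(group, member) pairs that have stayed in a no-standing group too long."""
    return [(g, m)
            for g in sorted(NO_STANDING_MEMBERSHIP)
            for m, added in sorted(snapshot.get(g, {}).items())
            if (today - added).days > MAX_STANDING_DAYS]


def sod_violations(snapshot):
    """People whose combined group membership breaks the SoD matrix."""
    roles = {}
    for group, members in snapshot.items():
        for m in members:
            roles.setdefault(m, set()).add(group)
    violations = []
    for m, groups in sorted(roles.items()):
        for pair in SOD_CONFLICTS:
            if pair <= groups:
                violations.append((m, tuple(sorted(pair))))
    return violations


if __name__ == "__main__":
    for sev, msg in membership_changes(YESTERDAY, TODAY_SNAPSHOT):
        print(sev, msg)
    print("standing:", standing_membership(TODAY_SNAPSHOT, date(2014, 6, 1)))
    print("SoD:", sod_violations(TODAY_SNAPSHOT))
```

Run it against a daily export and route the HIGH alerts to whoever approves privileged changes; an addition with no matching change ticket is the finding.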
[Diagram: Vendor Account, via VPN and AD, reaching four Target PCs]
Scenario 1 – Vendor account has no privilege: controlled access only allows logins from certain accounts
Scenario 2 – Vendor account has privileges escalated: systems allow account logins at the OS but only for privilege
Controlled access would not allow the escalation attack, and/or alert to the
attempt
AUDITING/ACCOUNTING
Auditing/Accounting – WHAT TO
ASK
• Do you have logs?
• Where do they log to?
• Who has access to the logs?
• Do you understand them?
• Are they resistant to change?
• ARE YOU SURE????
Auditing/Accounting – WHAT TO
DO
• Logging needs to be actionable
• Start small; then get better
• Set up a central logging server and point your logs to that
• Allow only authorized persons access to this server
• Then parse your logs using a tool like Splunk, or Windows
Security and Operations Center
Auditing/Logging – TOOLBOX
• https://www.sans.org/reading-
room/whitepapers/logging/discovering-security-events-
interest-splunk-34272
• [WinEvent] – Kerberos pre-authentication failures counted per account,
excluding machine accounts (names ending in $) and failure code 0x19 (the
routine “pre-authentication required” reply), flagging accounts with more than 3:
  sourcetype="WinEventLog:Security" ("EventCode=675" OR ("EventCode=672" AND Type="Failure Audit")) OR (EventCode=4771 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19 | stats count by Account_Name | where count > 3
• [XSS] – application log lines carrying common script-injection markers:
  source="/var/log/my-app/application.log" "&#" OR "script" OR "`" OR "cookie" OR "alert" OR "%00"
• [SQL Inj] – application log lines carrying common SQL injection markers:
  source="/var/log/my-app/application.log" ("'" AND "=") OR ("'" AND ";") OR "drop table" OR "--"
Author: Carrie Roberts
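The WinEvent search above is a detection rule; the added example below implements the same logic outside Splunk so you can see what each clause does against sample events. It is not from the slides or from Carrie Roberts's paper. The events are constructed in a simplified key=value form (not real Windows or Splunk output); the field names mirror the search, and the threshold of 3 is the search's own.

```python
"""Count Kerberos pre-authentication failures per account, the way the
WinEvent search on the slide does, over constructed sample events.

Added example, not from the slides. Events are constructed key=value lines.
"""
import re
from collections import Counter

# Constructed events. 4771 = Kerberos pre-authentication failed (Vista+);
# 675 and 672 are the pre-Vista equivalents the search also matches.
SAMPLE_EVENTS = """\
EventCode=4771 Type="Audit Failure" Account_Name=jdoe Failure_Code=0x18
EventCode=4771 Type="Audit Failure" Account_Name=jdoe Failure_Code=0x18
EventCode=4771 Type="Audit Failure" Account_Name=jdoe Failure_Code=0x18
EventCode=4771 Type="Audit Failure" Account_Name=jdoe Failure_Code=0x18
EventCode=4771 Type="Audit Failure" Account_Name=vendor01 Failure_Code=0x19
EventCode=4771 Type="Audit Failure" Account_Name=vendor01 Failure_Code=0x19
EventCode=4771 Type="Audit Failure" Account_Name=vendor01 Failure_Code=0x19
EventCode=4771 Type="Audit Failure" Account_Name=vendor01 Failure_Code=0x19
EventCode=4771 Type="Audit Failure" Account_Name=WS001$ Failure_Code=0x18
EventCode=4771 Type="Audit Failure" Account_Name=WS001$ Failure_Code=0x18
EventCode=4771 Type="Audit Failure" Account_Name=WS001$ Failure_Code=0x18
EventCode=4771 Type="Audit Failure" Account_Name=WS001$ Failure_Code=0x18
EventCode=4771 Type="Audit Failure" Account_Name=bsmith Failure_Code=0x18
EventCode=675 Type="Failure Audit" User_Name=legacyuser Failure_Code=0x18
EventCode=672 Type="Failure Audit" User_Name=legacyuser Failure_Code=0x18
EventCode=672 Type="Failure Audit" User_Name=legacyuser Failure_Code=0x18
EventCode=672 Type="Failure Audit" User_Name=legacyuser Failure_Code=0x18
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """key=value and key="quoted value" pairs -> dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def is_preauth_failure(ev):
    """The event-code clauses of the search."""
    code = ev.get("EventCode")
    if code == "675":
        return True
    if code == "672" and ev.get("Type") == "Failure Audit":
        return True
    return code == "4771" and ev.get("Type") == "Audit Failure"


def failed_preauth_by_account(text, threshold=3):
    """Accounts with more than `threshold` qualifying failures, with their counts."""
    counts = Counter()
    for line in text.splitlines():
        ev = parse_event(line)
        if not is_preauth_failure(ev):
            continue
        name = ev.get("Account_Name") or ev.get("User_Name", "")
        if name.endswith("$"):
            continue                     # machine accounts: NOT (User_Name="*$" OR Account_Name="*$")
        if ev.get("Failure_Code") == "0x19":
            continue                     # KDC_ERR_PREAUTH_REQUIRED: normal first leg of pre-auth, not a bad password
        counts[name] += 1
    return {name: n for name, n in counts.items() if n > threshold}   # | where count > 3


if __name__ == "__main__":
    for name, n in failed_preauth_by_account(SAMPLE_EVENTS).items():
        print(f"{name}: {n} failed pre-auth attempts")
```

Note what the exclusions buy you: vendor01 has four failures but all are 0x19 noise, and WS001$ is a computer account, so neither is reported; jdoe and legacyuser are. Failure code 0x18 in the samples is the wrong-password case.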
Not a preventive measure
• This is not a preventive measure, however it does allow for:
• Detection of events in real time (with tools that do this)
• Forensic examination of events after the fact
• Leaves a trail that can be used to identify attack patterns
• You MUST make your logs resilient to change
• Log everything to a central server, or mirror them
• Restrict access to this system to only authorized security persons
• Trust but verify
PHYSICAL SECURITY
Physical security – WHAT TO ASK
• Do you allow OEM devices to be connected to your network?
• Do you allow vendors/contractors access to facility and
internal network?
• Do you have mobile devices in your enterprise?
• How do you secure them?
• You know what I’m going to say!
• Are you sure?
Physical security – WHAT TO DO
• USB sticks
• Use GPOs to restrict what can connect to your network (least
cost) or use DLP software to restrict data that can be moved
(most costly)
• Disable Autorun (GPO)
• Physically restrict your network
• Guest cubes or multiple drops with ports on the untrusted
network
• Security of mobile devices
• Enforcing screen lock; this may be the most meaningful with the
least amount of impact
• Encryption of data at rest
• Awareness of connected devices
Physical security – TOOLBOX
• ADM templates to disable USB
• http://blogs.technet.com/b/danstolts/archive/2009/01/21/disabl
e-adding-usb-drive-and-memory-sticks-via-group-policy-and-
group-policy-preferences.aspx
• Physically restrict your network
• Guest cubes or multiple drops with ports on the untrusted
network
• Security of mobile devices
• Enforcing screen lock (GPO); this may be the most meaningful
with the least amount of impact
• Encryption of data at rest (Bitlocker)
• Awareness of connected devices
• Simple Powershell commands
• http://help.outlook.com/en-us/140/gg985420.aspx
Physical Security Described
• Physical security would not have been applicable to our case
study
• Physical security is important when you have non-employees
in a facility that can access your internal network
• Physical security is important when you have assets that travel
outside your network
BACKUP STRATEGY
Backup strategy – WHAT TO ASK
• Do you have a backup strategy?
• Is it documented?
• Does it align with your business needs?
• Backups cost money, time and resources
• Do you back up more than you need?
• Do you have resources to verify/restore backups?
• Do you regularly test backups?
• When was the last time you did and what were the results?
• Did you document this?
• ARE YOU SURE?
Backup strategy – WHAT TO DO
• Create a policy for regular backups
• Identify critical systems & backup frequency
• If you have a DRD in place make sure it’s being adhered to
• Document a Recovery Time Objective (RTO) and a Recovery
Point Objective (RPO) for your backups
• This aligns with disaster planning
• Must be done in alignment with your business
• VERIFY YOUR BACKUPS
• This is not negotiable or avoidable!
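The backup steps above (identify critical systems and their frequency, document RTO and RPO, verify your backups) become a checkable policy once they are written down. This is an added example, not from the slides; the per-system policy and the backup/restore-test history are constructed, and the field names are assumptions about what a backup tool and a restore-test runbook would record.

```python
"""Check backup history against documented RPO/RTO and a restore-test cadence.

Added example, not from the slides. Policy and history are constructed.
"""
from datetime import datetime, timedelta

# Constructed policy: for each critical system, how much data loss is tolerable (RPO),
# how long recovery may take (RTO), and how often a restore must actually be tested.
POLICY = {
    "erp-db":   {"rpo": timedelta(hours=4),  "rto": timedelta(hours=8),  "restore_test_every": timedelta(days=30)},
    "file-srv": {"rpo": timedelta(hours=24), "rto": timedelta(hours=24), "restore_test_every": timedelta(days=90)},
    "web-site": {"rpo": timedelta(hours=24), "rto": timedelta(hours=4),  "restore_test_every": timedelta(days=90)},
}

# Constructed history: last successful backup, last restore test and how long that restore took.
HISTORY = {
    "erp-db":   {"last_success": datetime(2014, 6, 1, 2, 0),   "last_restore_test": datetime(2014, 5, 20, 9, 0),
                 "last_restore_duration": timedelta(hours=6)},
    "file-srv": {"last_success": datetime(2014, 5, 29, 23, 0), "last_restore_test": datetime(2014, 1, 15, 9, 0),
                 "last_restore_duration": timedelta(hours=3)},
    "web-site": {"last_success": datetime(2014, 5, 31, 23, 0), "last_restore_test": datetime(2014, 5, 1, 9, 0),
                 "last_restore_duration": timedelta(hours=5)},
    "test-box": {"last_success": datetime(2013, 1, 1, 0, 0),   "last_restore_test": None,
                 "last_restore_duration": None},
}


def check_backups(policy, history, now):
    """Return ({system: [issues]}, [systems being backed up that the policy never asked for])."""
    findings = {}
    for system, p in policy.items():
        h = history.get(system)
        if h is None:
            findings[system] = ["no backup record"]
            continue
        issues = []
        if now - h["last_success"] > p["rpo"]:
            issues.append("RPO missed")                 # newest good copy is older than tolerable loss
        if h["last_restore_test"] is None or now - h["last_restore_test"] > p["restore_test_every"]:
            issues.append("restore test overdue")       # an unverified backup is an assumption
        elif h["last_restore_duration"] > p["rto"]:
            issues.append("RTO at risk")                # verified, but the restore took longer than allowed
        if issues:
            findings[system] = issues
    # "Do you back up more than you need?": jobs with no documented requirement behind them.
    unmanaged = sorted(set(history) - set(policy))
    return findings, unmanaged


if __name__ == "__main__":
    findings, unmanaged = check_backups(POLICY, HISTORY, datetime(2014, 6, 1, 12, 0))
    for system, issues in findings.items():
        print(system, "->", ", ".join(issues))
    print("backed up but not in policy:", unmanaged)
```

The web-site row is the one people miss: every backup succeeded and the restore test happened, but the measured restore time exceeds the RTO the business signed off on.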
Back to Basics ratings
Columns: Mitigation strategy | Overall security effectiveness | User resistance | Upfront cost (staff, equipment, technical complexity) | Maintenance cost (mainly staff) | Helps detect intrusions | Helps mitigate intrusion stage 1: code execution | Helps mitigate intrusion stage 2: network propagation | Helps mitigate intrusion stage 3: data exfiltration
Reconnaissance | Excellent | Low | Low | Low | Yes | Possible | Yes | No
Network segmentation | Excellent | Low | Medium | Low | No | Possible | Yes | Yes
Account management | Excellent | Medium | Low | Low | No | Yes | Yes | Possible
Controlled access | Essential | Medium | Medium | Low | No | Possible | Yes | No
Auditing/accounting | Excellent | Low | High | Medium | Yes | No | No | No
Physical Security | Good | High | Low | Medium | No | Yes | Yes | Yes
Backup Strategy | Excellent | Low | High | Medium | No | No | No | Yes
Adapted From: http://www.asd.gov.au/infosec/top-mitigations/top35mitigations-2014-table.htm
GOVERNANCE TOOLBOX
Change management
• Who approves your security changes?
• Is this documented and reviewed periodically?
• Who reviews your security changes for accuracy?
• Who follows up to verify the changes are still accurate?
• Document reasons for changes, approvals and mitigations
• ARE YOU SURE?
Establish a governance calendar
• The calendar contains your regular cadence of review activity
• You can script reminders to the entities responsible for the review
• SharePoint
• Google scripts (Google calendar)
• http://corporateservices.schwab.com/public/corporate/compliance_
solutions
• Work this activity into your existing processes so they get
prioritized
• Time box those activities!
• Get SLAs/SLOs for teams on which you rely to perform these
activities
TO CONCLUDE…
Important Enterprise Infosec
Lessons
• There is no magic bullet – infosec is multi-layered and multi-
disciplinary
• Infosec will cost you time, money and resources – measure
your value appropriately
• Infosec is an active discipline; it requires care and feeding, you
cannot install and forget
• Time is the enemy of infosec; the longer it takes, the higher
the risks
• Infosec is a value add for your business, and it is up to you to
show it
• Infosec is not a department of “no.” Market yourself like a
startup
Security basics put simply…
• 1. If you think technology can fix security, you don’t
understand technology and you don’t understand security.
• 2. The root cause of a security incident is rarely about the
technology and almost always about the implementation.
• 3. Humans will always be the weakest link in the security
chain. Awareness will mitigate the vast majority of your
security issues … spend time and money on educating
everyone in your company about security.
APPENDIX
Tools & references list
• http://csc-hub.com/ - Ken Evan’s awesome 20 CSC site
• http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx -
AD rights delegation
• http://sectools.org/ - List of pay and free network tools
• http://www.poshsec.com/ - Powershell scripts that support the 20 CSC
• http://www.asd.gov.au/infosec/top35mitigationstrategies.htm - Australian DSD
Top 35
• http://www.counciloncybersecurity.com – Council on Cybersecurity
• https://www.sans.org/reading-room/whitepapers/logging/discovering-
security-events-interest-splunk-34272 - Carrie Roberts white paper on logging
• http://www.jwgoerlich.us/blogengine/post/2014/04/29/Update-on-Story-
Driven-Security.aspx - J. Wolfgang Goerlich and Nick Jacob’s work on effective
threat modeling
• http://www.theguardian.com/commentisfree/2014/may/06/target-credit-
card-data-hackers-retail-industry - Brian Krebs’s op-ed on the current state of
the Target breach and some of the false pretense
Contact info
• Joel Cardella
• Twitter: @JoelConverses
• Email: jscardella@pobox.com
• IRC: #misec on Freenode (joel_s_c)

BSIDES DETROIT 2015: Data breaches cost of doing businessJoel Cardella
 
Enterprise Cloud Risk And Security
Enterprise Cloud Risk And SecurityEnterprise Cloud Risk And Security
Enterprise Cloud Risk And SecurityMark Masterson
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentationBijay Bhandari
 
Cyber security
Cyber securityCyber security
Cyber securitySiblu28
 
Cyber crime and security ppt
Cyber crime and security pptCyber crime and security ppt
Cyber crime and security pptLipsita Behera
 

Andere mochten auch (8)

TACOM 2014: Back To Basics
TACOM 2014: Back To BasicsTACOM 2014: Back To Basics
TACOM 2014: Back To Basics
 
BSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing businessBSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing business
 
3.3_Cyber Security R&D for Microgrids_Stamp_EPRI/SNL Microgrid
3.3_Cyber Security R&D for Microgrids_Stamp_EPRI/SNL Microgrid3.3_Cyber Security R&D for Microgrids_Stamp_EPRI/SNL Microgrid
3.3_Cyber Security R&D for Microgrids_Stamp_EPRI/SNL Microgrid
 
Security Basics - Internet Safety
Security Basics - Internet SafetySecurity Basics - Internet Safety
Security Basics - Internet Safety
 
Enterprise Cloud Risk And Security
Enterprise Cloud Risk And SecurityEnterprise Cloud Risk And Security
Enterprise Cloud Risk And Security
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentation
 
Cyber security
Cyber securityCyber security
Cyber security
 
Cyber crime and security ppt
Cyber crime and security pptCyber crime and security ppt
Cyber crime and security ppt
 

Ähnlich wie INFRAGARD 2014: Back to basics security

nist_small_business_fundamentals_july_2019.pptx
nist_small_business_fundamentals_july_2019.pptxnist_small_business_fundamentals_july_2019.pptx
nist_small_business_fundamentals_july_2019.pptxJkYt1
 
Netwealth educational webinar: Peace of mind in a digital world
Netwealth educational webinar: Peace of mind in a digital worldNetwealth educational webinar: Peace of mind in a digital world
Netwealth educational webinar: Peace of mind in a digital worldnetwealthInvest
 
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptxColorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptxAkramAlqadasi1
 
Corona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat ManagementCorona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat ManagementRedZone Technologies
 
Information Security Risks - What You Can Do To Help Your Clients Avoid Costl...
Information Security Risks - What You Can Do To Help Your Clients Avoid Costl...Information Security Risks - What You Can Do To Help Your Clients Avoid Costl...
Information Security Risks - What You Can Do To Help Your Clients Avoid Costl...Net at Work
 
Endpoint Security & Why It Matters!
Endpoint Security & Why It Matters!Endpoint Security & Why It Matters!
Endpoint Security & Why It Matters!Net at Work
 
How to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceHow to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceSurfWatch Labs
 
Too Small to Get Hacked? Think Again (Webinar)
Too Small to Get Hacked? Think Again (Webinar)Too Small to Get Hacked? Think Again (Webinar)
Too Small to Get Hacked? Think Again (Webinar)OnRamp
 
Crush Common Cybersecurity Threats with Privilege Access Management
Crush Common Cybersecurity Threats with Privilege Access ManagementCrush Common Cybersecurity Threats with Privilege Access Management
Crush Common Cybersecurity Threats with Privilege Access ManagementBeyondTrust
 
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Wendy Knox Everette
 
Nonprofit Cybersecurity Risk Assessment Basics
Nonprofit Cybersecurity Risk Assessment BasicsNonprofit Cybersecurity Risk Assessment Basics
Nonprofit Cybersecurity Risk Assessment BasicsCommunity IT Innovators
 
SAL-DR-01-ELC 10 Understanding the SOC Audience.pptx
SAL-DR-01-ELC 10 Understanding the SOC Audience.pptxSAL-DR-01-ELC 10 Understanding the SOC Audience.pptx
SAL-DR-01-ELC 10 Understanding the SOC Audience.pptxhforhassan101
 
Luncheon 2015-11-19 - Lessons Learned from Avid Life Media by Rob Davis
Luncheon 2015-11-19 - Lessons Learned from Avid Life Media by Rob DavisLuncheon 2015-11-19 - Lessons Learned from Avid Life Media by Rob Davis
Luncheon 2015-11-19 - Lessons Learned from Avid Life Media by Rob DavisNorth Texas Chapter of the ISSA
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)Norm Barber
 
The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.Teri Radichel
 
Be More Secure than your Competition: MePush Cyber Security for Small Business
Be More Secure than your Competition:  MePush Cyber Security for Small BusinessBe More Secure than your Competition:  MePush Cyber Security for Small Business
Be More Secure than your Competition: MePush Cyber Security for Small BusinessArt Ocain
 

Ähnlich wie INFRAGARD 2014: Back to basics security (20)

A data-centric program
A data-centric program A data-centric program
A data-centric program
 
nist_small_business_fundamentals_july_2019.pptx
nist_small_business_fundamentals_july_2019.pptxnist_small_business_fundamentals_july_2019.pptx
nist_small_business_fundamentals_july_2019.pptx
 
BREACHED: Data Centric Security for SAP
BREACHED: Data Centric Security for SAPBREACHED: Data Centric Security for SAP
BREACHED: Data Centric Security for SAP
 
Netwealth educational webinar: Peace of mind in a digital world
Netwealth educational webinar: Peace of mind in a digital worldNetwealth educational webinar: Peace of mind in a digital world
Netwealth educational webinar: Peace of mind in a digital world
 
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptxColorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
 
Corona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat ManagementCorona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat Management
 
Secure Iowa Oct 2016
Secure Iowa Oct 2016Secure Iowa Oct 2016
Secure Iowa Oct 2016
 
Information Security Risks - What You Can Do To Help Your Clients Avoid Costl...
Information Security Risks - What You Can Do To Help Your Clients Avoid Costl...Information Security Risks - What You Can Do To Help Your Clients Avoid Costl...
Information Security Risks - What You Can Do To Help Your Clients Avoid Costl...
 
Endpoint Security & Why It Matters!
Endpoint Security & Why It Matters!Endpoint Security & Why It Matters!
Endpoint Security & Why It Matters!
 
How to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceHow to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital Presence
 
Too Small to Get Hacked? Think Again (Webinar)
Too Small to Get Hacked? Think Again (Webinar)Too Small to Get Hacked? Think Again (Webinar)
Too Small to Get Hacked? Think Again (Webinar)
 
Crush Common Cybersecurity Threats with Privilege Access Management
Crush Common Cybersecurity Threats with Privilege Access ManagementCrush Common Cybersecurity Threats with Privilege Access Management
Crush Common Cybersecurity Threats with Privilege Access Management
 
Managing security threats in today’s enterprise
Managing security threats in today’s enterpriseManaging security threats in today’s enterprise
Managing security threats in today’s enterprise
 
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
 
Nonprofit Cybersecurity Risk Assessment Basics
Nonprofit Cybersecurity Risk Assessment BasicsNonprofit Cybersecurity Risk Assessment Basics
Nonprofit Cybersecurity Risk Assessment Basics
 
SAL-DR-01-ELC 10 Understanding the SOC Audience.pptx
SAL-DR-01-ELC 10 Understanding the SOC Audience.pptxSAL-DR-01-ELC 10 Understanding the SOC Audience.pptx
SAL-DR-01-ELC 10 Understanding the SOC Audience.pptx
 
Luncheon 2015-11-19 - Lessons Learned from Avid Life Media by Rob Davis
Luncheon 2015-11-19 - Lessons Learned from Avid Life Media by Rob DavisLuncheon 2015-11-19 - Lessons Learned from Avid Life Media by Rob Davis
Luncheon 2015-11-19 - Lessons Learned from Avid Life Media by Rob Davis
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)
 
The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.
 
Be More Secure than your Competition: MePush Cyber Security for Small Business
Be More Secure than your Competition:  MePush Cyber Security for Small BusinessBe More Secure than your Competition:  MePush Cyber Security for Small Business
Be More Secure than your Competition: MePush Cyber Security for Small Business
 

Mehr von Joel Cardella

GrrCON 2018: Stop boiling the ocean!
GrrCON 2018: Stop boiling the ocean!GrrCON 2018: Stop boiling the ocean!
GrrCON 2018: Stop boiling the ocean!Joel Cardella
 
GRRCON 2017 - Shuttle Columbia - Risk Management Lessons That Were Not Learned
GRRCON 2017 - Shuttle Columbia - Risk Management Lessons That Were Not LearnedGRRCON 2017 - Shuttle Columbia - Risk Management Lessons That Were Not Learned
GRRCON 2017 - Shuttle Columbia - Risk Management Lessons That Were Not LearnedJoel Cardella
 
GrrCon 2014: Security On the Cheap
GrrCon 2014: Security On the CheapGrrCon 2014: Security On the Cheap
GrrCon 2014: Security On the CheapJoel Cardella
 
WCC 2014: Globalization and cloud services for the enterprise
WCC 2014: Globalization and cloud services for the enterpriseWCC 2014: Globalization and cloud services for the enterprise
WCC 2014: Globalization and cloud services for the enterpriseJoel Cardella
 
GRRCON 2013: Imparting security awareness to all levels of users
GRRCON 2013: Imparting security awareness to all levels of usersGRRCON 2013: Imparting security awareness to all levels of users
GRRCON 2013: Imparting security awareness to all levels of usersJoel Cardella
 
WCC 2013: The internet of everything
WCC 2013: The internet of everythingWCC 2013: The internet of everything
WCC 2013: The internet of everythingJoel Cardella
 
WCC 2012: General security introduction for non-security students
WCC 2012: General security introduction for non-security studentsWCC 2012: General security introduction for non-security students
WCC 2012: General security introduction for non-security studentsJoel Cardella
 
2nd FACTOR: The Story of Mat Honan
2nd FACTOR: The Story of Mat Honan2nd FACTOR: The Story of Mat Honan
2nd FACTOR: The Story of Mat HonanJoel Cardella
 

Mehr von Joel Cardella (8)

GrrCON 2018: Stop boiling the ocean!
GrrCON 2018: Stop boiling the ocean!GrrCON 2018: Stop boiling the ocean!
GrrCON 2018: Stop boiling the ocean!
 
GRRCON 2017 - Shuttle Columbia - Risk Management Lessons That Were Not Learned
GRRCON 2017 - Shuttle Columbia - Risk Management Lessons That Were Not LearnedGRRCON 2017 - Shuttle Columbia - Risk Management Lessons That Were Not Learned
GRRCON 2017 - Shuttle Columbia - Risk Management Lessons That Were Not Learned
 
GrrCon 2014: Security On the Cheap
GrrCon 2014: Security On the CheapGrrCon 2014: Security On the Cheap
GrrCon 2014: Security On the Cheap
 
WCC 2014: Globalization and cloud services for the enterprise
WCC 2014: Globalization and cloud services for the enterpriseWCC 2014: Globalization and cloud services for the enterprise
WCC 2014: Globalization and cloud services for the enterprise
 
GRRCON 2013: Imparting security awareness to all levels of users
GRRCON 2013: Imparting security awareness to all levels of usersGRRCON 2013: Imparting security awareness to all levels of users
GRRCON 2013: Imparting security awareness to all levels of users
 
WCC 2013: The internet of everything
WCC 2013: The internet of everythingWCC 2013: The internet of everything
WCC 2013: The internet of everything
 
WCC 2012: General security introduction for non-security students
WCC 2012: General security introduction for non-security studentsWCC 2012: General security introduction for non-security students
WCC 2012: General security introduction for non-security students
 
2nd FACTOR: The Story of Mat Honan
2nd FACTOR: The Story of Mat Honan2nd FACTOR: The Story of Mat Honan
2nd FACTOR: The Story of Mat Honan
 

Kürzlich hochgeladen

Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...SUHANI PANDEY
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting  High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting  High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...singhpriety023
 
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceBusty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceDelhi Call girls
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...SUHANI PANDEY
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.soniya singh
 
Enjoy Night⚡Call Girls Samalka Delhi >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Samalka Delhi >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Samalka Delhi >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Samalka Delhi >༒8448380779 Escort ServiceDelhi Call girls
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.soniya singh
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...Neha Pandey
 
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...SUHANI PANDEY
 
Al Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls  DubaiAl Barsha Night Partner +0567686026 Call Girls  Dubai
Al Barsha Night Partner +0567686026 Call Girls DubaiEscorts Call Girls
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)Delhi Call girls
 
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts ServiceReal Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts ServiceEscorts Call Girls
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...SUHANI PANDEY
 
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...SUHANI PANDEY
 

Kürzlich hochgeladen (20)

Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting  High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting  High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
 
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceBusty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
 
Enjoy Night⚡Call Girls Samalka Delhi >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Samalka Delhi >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Samalka Delhi >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Samalka Delhi >༒8448380779 Escort Service
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
 
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
 
Al Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls  DubaiAl Barsha Night Partner +0567686026 Call Girls  Dubai
Al Barsha Night Partner +0567686026 Call Girls Dubai
 
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts ServiceReal Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
 
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
 

INFRAGARD 2014: Back to basics security

  • 11. Back to basics – The Pareto Principle • In your enterprise, can you manage to the 80/20 rule? • If you can focus on 20% of your basics, you can address 80% of your risk • Vendors love to focus on the other 80% • This is the sexy space, where the talking points come from • So the inverse would also be accurate, where looking at the bottom 80% only addresses 20% of the risk!
  • 12. Case study • A major retailer was “Target-ed” by a very sophisticated malware attack • It gained major media attention, and prompted a congressional inquiry • It is the first case in which a CEO was ousted due to a security event (though it was also likely driven by the PR disaster)
  • 13. Case study – the numbers Source: http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/ 40 Million The number of credit and debit cards thieves stole from Target between Nov. 27 and Dec. 15, 2013. 70 Million The number of records stolen that included the name, address, email address and phone number of Target shoppers. $200 Million Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards — about half of the total stolen in the Target breach. 46% The percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before. ($480M) $53.7 Million The income that hackers likely generated from the sale of 2 million cards stolen from Target and sold at the mid-range price of $26.85 (the median price between $18.00 and $35.70). 1M – 3M The estimated number of cards stolen from Target that were successfully sold on the black market and used for fraud before issuing banks got around to canceling the rest.
  • 14. Case study – the numbers Source: http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/ $100 Million The number of dollars Target says it will spend upgrading their payment terminals to support Chip-and-PIN enabled cards. 0 The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach. 0 The number of people in Chief Information Security Officer (CISO) or Chief Security Officer (CSO) jobs at Target (according to the AP). $55 Million The number of dollars outgoing CEO Gregg Steinhafel stands to reap in executive compensation and other benefits on his departure as Target’s chief executive.
  • 15. Media focuses on thisThe problem starts here!
  • 16. Let’s start at the very beginning… A phishing email is sent to Target vendor Vendor is successfully phished, vendor account is compromised Adversary logs into Target systems with Vendor account Once successfully logged in, adversary launches a privilege escalation attack Once successful, the adversary can now traverse the Target network unfettered, create more accounts, create file shares, etc Hilarity ensues Even if this is not precisely what occurred it is a great example of typical attack vectors
  • 17. From the Bloomberg article • ”Target’s system, like any standard corporate network, is segmented so that the most sensitive parts—including customer payments and personal data—are walled off from other parts of the network and, especially, the open Internet.” • “Target’s walls obviously had holes.” http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
  • 18. (slide diagram: Vendor Account, VPN, AD, Target PCs)
    • Scenario 1 – Vendor account has no privilege
    • Scenario 2 – Vendor account has privileges escalated
    • How could Back to Basics have prevented either of these scenarios?
  • 20. Security basics
    • Security requires resources; you must invest to get a return
    • If you don’t invest the resources, you will increase the vulnerability and likelihood
    • Basics should include
      • Prevention
      • Detection
      • Response
      • Recovery
  • 21. Things to remember
    • Act/think like an adversary; be hostile toward your own network and you will learn things you did not know existed
    • Find and understand your baselines
    • Document your findings; document everything
    • Make a plan
      • Decide what you want to address
      • Keep your scope small (80/20)
    • Go back and do it all again
      • Verify your assumptions, verify your baselines
      • Document changes
    • Continuously improve
  • 22. Business context is everything
    • Do you understand your business?
    • How does your IT infrastructure support your business?
    • Do you understand the functions of your IT segments, and how they support your business operations?
    • Example: Is your website critical to your business?
      • How will your firewall affect this? Does it have anything to do with it?
    • Document it!
  • 24. SANS 20 Critical Security Controls (number of quick wins per control)
    • 1: Inventory of Authorized and Unauthorized Devices – 3
    • 2: Inventory of Authorized and Unauthorized Software – 3
    • 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers – 5
    • 4: Continuous Vulnerability Assessment and Remediation – 4
    • 5: Malware Defenses – 7
    • 6: Application Software Security – 2
    • 7: Wireless Access Control – 2
    • 8: Data Recovery Capability – 2
    • 9: Security Skills Assessment and Appropriate Training to Fill Gaps – 1
    • 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches – 1
    • 11: Limitation and Control of Network Ports, Protocols, and Services – 4
    • 12: Controlled Use of Administrative Privileges – 9
    • 13: Boundary Defense – 2
    • 14: Maintenance, Monitoring, and Analysis of Audit Logs – 5
    • 15: Controlled Access Based on the Need to Know – 1
    • 16: Account Monitoring and Control – 9
    • 17: Data Protection – 4
    • 18: Incident Response and Management – 6
    • 19: Secure Network Engineering – 1
    • 20: Penetration Tests and Red Team Exercises – 2
    • Total: 73 Quick Wins
    • Quick wins provide significant risk reduction without major financial, procedural, architectural, or technical changes to an environment, or provide such substantial and immediate risk reduction against very common attacks that most security-aware organizations prioritize these key controls.
    Source: https://www.sans.org/media/critical-security-controls/CSC-5.pdf
  • 25. AU Defence Signals Directorate
  • 26. Rapid approach to the basics
    • Application whitelisting (CSC 2/DSD 1)
    • Use of standard, secure system configurations (CSC 3)
    • Patch application software within 48 hours (CSC 4/DSD 2)
    • Patch system software within 48 hours (CSC 4/DSD 3)
    • Reduce number of users with administrative privileges (CSC 3 and 12/DSD 4)
    • DSD suggests these will fit into the Pareto principle and address 80% of your risks
  • 27. DSD ratings

| Mitigation strategy | Overall security effectiveness | User resistance | Upfront cost (staff, equipment, technical complexity) | Maintenance cost (mainly staff) | Helps detect intrusions | Helps mitigate intrusion stage 1: code execution | Helps mitigate intrusion stage 2: network propagation | Helps mitigate intrusion stage 3: data exfiltration |
|---|---|---|---|---|---|---|---|---|
| Application whitelisting of permitted/trusted programs, to prevent execution of malicious or unapproved programs including DLL files, scripts and installers. | Essential | Medium | High | Medium | Yes | Yes | Yes | Yes |
| Patch applications, e.g. Java, PDF viewers, Flash, web browsers and Microsoft Office. Patch or mitigate systems with 'extreme risk' vulnerabilities within two days. Use the latest version of applications. | Essential | Low | High | High | No | Yes | Possible | No |
| Patch operating system vulnerabilities. Patch or mitigate systems with 'extreme risk' vulnerabilities within two days. Use the latest suitable operating system. Avoid Windows XP. | Essential | Low | Medium | Medium | No | Yes | Possible | No |
| Restrict administrative privileges to operating systems and applications based on user duties. Such users should use a separate unprivileged account for email and web browsing. | Essential | Medium | Medium | Low | No | Possible | Yes | No |
| Reconnaissance | Good | Low | Low | Low | Yes | Possible | Yes | No |
| Network segmentation | Excellent | Low | Medium | Low | No | Possible | Yes | Yes |
| Account management | Excellent | Medium | Low | Low | No | Yes | Yes | Possible |
| Controlled access | Essential | Medium | Medium | Low | No | Possible | Yes | No |
| Auditing/accounting | Excellent | Low | High | Medium | Yes | No | No | No |
| Physical Security | Good | High | Low | Medium | No | Yes | Yes | Yes |
| Backup Strategy | Excellent | Low | High | Medium | No | No | No | Yes |

    Adapted from: http://www.asd.gov.au/infosec/top-mitigations/top35mitigations-2014-table.htm
  • 28. SIMPLE APPROACH TO THE BASICS
  • 29. Targeted basics
    • Reconnaissance
    • Network segmentation
    • Account management
    • Controlled access
    • Auditing/accounting
    • Physical Security
    • Backup Strategy
    • Governance
  • 30. Basics explained
    • WHAT TO ASK – Questions to ask both down and up
    • WHAT TO DO – Steps you can take
    • TOOLBOX – Tools you can use
    • HOW IT APPLIES – How it can mitigate the problem in our case study
  • 32. Recon – WHAT TO ASK
    • What are your assets?
      • Hardware
      • Software
    • Are you aware of authorized vs unauthorized assets?
    • Can you tell when this changes?
    • ARE YOU SURE?
  • 33. Recon – WHAT TO DO
    • Create a standard user account
    • Log in from the outside and from the inside (both sides of your firewall)
    • Where can you go? What can you see? What do you have access to?
    • Do you understand what you are seeing?
    • Are you forgetting anything? Look for examples of what other breaches have occurred and what they have tried
    • Threat modeling works well here
  • 34. Recon – TOOLBOX
    • Standard RDP / SSH
    • Inventory tools
      • Spiceworks (http://www.spiceworks.com)
      • BelArc (http://www.belarc.com)
      • Lansweeper (http://www.lansweeper.com)
    • System Management Tools
      • SCCM/Altiris/Dameware
    • Threat modeling info
      • http://www.jwgoerlich.us/blogengine/post/2014/04/29/Update-on-Story-Driven-Security.aspx
  • 35. (slide diagram: Vendor Account, VPN, AD, Target PCs)
    • Scenario 1 – Vendor account has no privilege: systems allow account logins at the OS
    • Scenario 2 – Vendor account has privileges escalated: systems allow account logins at the OS but only for privilege
    • Recon would show us what this account can actually do with its privilege
  • 37. Network segmentation – WHAT TO ASK
    • Do you have network segmentation?
      • Protected enclaves can be formed with firewalls, VPNs, VLANs, Access Control Lists and Network Access Control
    • Do you allow access to any network resources from the outside?
      • How are they controlled?
    • ARE YOU SURE?
  • 38. Network segmentation – WHAT TO DO
    • Create a “secure zone” using your smart switches or firewall rules
      • External and internal (non-employees vs employees)
      • Internal zones (trusted and untrusted)
    • You should have a basic classification scheme to decide what will fall into these zones
    • Document this!
    • Inside the trusted zone, allow only certain accounts or certain systems to talk to each other
    • Never give generic user or non-privileged accounts access to critical server infrastructure at the OS layer
    • Accounts which use VPN logins should be limited by ACLs or IP address
    • For example: separate your public and private wireless spaces using firewall rules
    • Limit VPN access per account using IP ACLs
  • 39. Network segmentation – TOOLBOX
    • Some free firewall tools to help you
      • http://www.solarwinds.com/products/freetools/firewall-browser.aspx
      • http://www.fwbuilder.org/
    • This is going to take a lot of time and investment
    • You have to have subject matter expertise
    • You have to make ongoing reviews; frequency depends on how many changes happen
    • Make it worth it; document everything
  • 40. (slide diagram: Vendor Account, VPN, AD, Target PCs)
    • Scenario 1 – Vendor account has no privilege
    • Scenario 2 – Vendor account has privileges escalated
    • Changes over time to firewall rules create holes
    • Network segmentation is in place … but is it working as designed?
    • This requires the most care and feeding of any basic control
  • 42. Account management – WHAT TO ASK
    • What types of accounts exist in your enterprise?
    • Do you know who owns those accounts?
    • Do you know if those accounts are still valid?
    • If you have system or service accounts, do you know what they have access to (zones)?
    • ARE YOU SURE?
  • 43. Account management – WHAT TO DO
    • Manage your accounts by policy and technical enforcement
      • Expire passwords/password complexity
    • Use ACLs to manage access to your systems
      • Restrict access within your zones
    • Enforce 2nd factor authentication for vendor/contractor access
      • For employees if you can! For everyone!
    • Inventory your accounts and their parameters
    • Know your vendors by their accounts
  • 44. Key quotes
    • “In fairness to Target, if they thought their network was properly segmented, they wouldn’t have needed to have two-factor access for everyone,” Litan said. “But if someone got in there and somehow escalated their Active Directory privileges like you described, that might have [bridged] that segmentation.” – http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/
    • In all fairness to Ms. Litan, I disagree. Why? Because they were not sure.
  • 45. Account management – TOOLBOX
    • Fail2ban (Unix) – http://sourceforge.net/projects/fail2ban/
    • Winfail2ban – http://winfail2ban.sourceforge.net/
    • 2nd factor authentication
      • Google Authenticator – https://support.google.com/accounts/answer/1066447?hl=en
      • Microsoft Phonefactor – http://technet.microsoft.com/en-us/magazine/dn448533.aspx
      • Duo Security – https://www.duosecurity.com/
    • Windows PowerShell – http://technet.microsoft.com/en-us/scriptcenter/ee861518.aspx
      • Get-ADUser -Filter * -SearchBase "DC=ad,DC=company,DC=com"
    • KEY SECURITY STRATEGY!
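The Get-ADUser one-liner on the slide lists accounts; the slide before asks for an inventory of accounts and their parameters. The PowerShell below is an added example, not code from the deck or from any of the tools listed: it flags accounts that are disabled, have a password that never expires, have not logged on within a window (assumed here to be 90 days), or look like third-party accounts by a marker in the name or description (an assumed naming convention you would replace with your own). The function name and the sample accounts are my own, constructed so it runs offline; the commented Get-ADUser call shows how to feed it a real domain.

```powershell
# Added example (not from the deck): inventory accounts and flag the ones that
# deserve a closer look. Assumptions: 90 days without a logon is "stale", and
# vendor/contractor/service accounts carry one of the markers below in their
# SamAccountName or Description (your own naming convention goes here).
function Find-RiskyAccount {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [int] $StaleDays = 90,
        [string[]] $VendorMarkers = @('vendor', 'contractor', 'svc')
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($u in $Users) {
        $flags = @()
        if (-not $u.Enabled) { $flags += 'disabled' }
        if ($u.PasswordNeverExpires) { $flags += 'password-never-expires' }
        # LastLogonDate is $null for accounts that never logged on; treat those as stale too.
        if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff) { $flags += "no-logon-in-${StaleDays}d" }
        $text = ("{0} {1}" -f $u.SamAccountName, $u.Description).ToLower()
        foreach ($m in $VendorMarkers) {
            if ($text -like "*$m*") { $flags += 'third-party'; break }
        }
        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                Account   = $u.SamAccountName
                LastLogon = $u.LastLogonDate
                Flags     = ($flags -join ', ')
            }
        }
    }
}

# Constructed sample data standing in for Get-ADUser output.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';        Enabled = $true;  PasswordNeverExpires = $false; LastLogonDate = (Get-Date).AddDays(-2);   Description = 'Finance analyst' }
    [pscustomobject]@{ SamAccountName = 'hvac-vendor'; Enabled = $true;  PasswordNeverExpires = $true;  LastLogonDate = (Get-Date).AddDays(-200); Description = 'HVAC vendor remote support' }
    [pscustomobject]@{ SamAccountName = 'svc-backup';  Enabled = $true;  PasswordNeverExpires = $true;  LastLogonDate = $null;                    Description = 'Backup service account' }
    [pscustomobject]@{ SamAccountName = 'old.intern';  Enabled = $false; PasswordNeverExpires = $false; LastLogonDate = (Get-Date).AddDays(-400); Description = 'Summer intern 2013' }
)
Find-RiskyAccount -Users $sample | Format-Table -AutoSize

# Against a real domain (needs the ActiveDirectory module; the SearchBase is a placeholder):
# $users = Get-ADUser -Filter * -SearchBase "DC=ad,DC=company,DC=com" `
#              -Properties Enabled, PasswordNeverExpires, LastLogonDate, Description
# Find-RiskyAccount -Users $users | Export-Csv .\account-inventory.csv -NoTypeInformation
```

On the constructed sample, jdoe produces no row and the other three are flagged; hvac-vendor collects all three of the never-expires, stale and third-party flags, which is exactly the combination the case study turns on. Run it on a schedule and diff the CSV against the previous run so that a newly flagged account stands out rather than sitting in a long list.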
  • 46. (slide diagram: Vendor Account, VPN with 2nd factor challenge, AD, Target PCs)
    • Scenario 1 – Vendor account has no privilege: systems allow account logins at the OS
    • Scenario 2 – Vendor account has privileges escalated: systems allow account logins at the OS but only for privilege
    • Internal firewalls have holes
    • 2nd factor authentication would have prevented BOTH scenarios!
  • 48. Controlled access – WHAT TO ASK
    • What systems can talk to each other?
      • Are they in different zones? Do they need to be?
    • Do your business people have access to information they do not need to do their jobs?
    • Do your administrators have more access than they need to do their jobs?
      • What about non-admins?
    • ARE YOU SURE?
  • 49. Controlled access – WHAT TO DO
    • Access based on need to know/need to work
      • Classification scheme is needed for this
    • Establish a policy of access based on need to know/need to work
    • Establish approval mechanism for special exceptions
    • Talk to the business to find out what access they need, and create a Segregation of Duties (SoD) matrix
    • Enforce SoD through system constraints and involve the business in the SoD approvals
  • 50. Controlled access – TOOLBOX
    • Don’t allow continuous membership in Enterprise Admins or Schema Admins
    • Limit access to these groups to senior admins only
    • Monitor additions to Domain Admins group and keep this group as small as possible
    • Monitor groups for changes
      • SCOM
      • Netwrix (http://www.netwrix.com/)
      • Quest tools (http://www.quest.com/)
    • Within AD, delegate authority – slightly more secure approach
      • http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx
    • Use AD security groups / delegation to restrict access to resources based on SoD matrix
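To make "monitor additions to Domain Admins" concrete without buying a product, here is an added PowerShell example (not from the deck, and not Netwrix or Quest code): an approved-member baseline per privileged group is compared with what the domain currently reports, and every addition or removal comes out as a row you can alert on or log. The function names are my own; the baseline and observed member lists are constructed for the demo, and Get-PrivilegedGroupMembers needs the ActiveDirectory module and a domain to run against.

```powershell
# Added example (not from the deck): diff privileged-group membership against
# an approved baseline. Group names are the built-in AD groups named on the
# slide; member names below are constructed.
function Compare-PrivilegedGroups {
    param(
        [Parameter(Mandatory)] [hashtable] $Baseline,   # group -> approved SamAccountNames
        [Parameter(Mandatory)] [hashtable] $Current     # group -> observed SamAccountNames
    )
    foreach ($group in $Baseline.Keys) {
        # Where-Object { $_ } drops a $null that a missing key would otherwise turn into one element.
        $approved = @($Baseline[$group] | Where-Object { $_ })
        $observed = @($Current[$group]  | Where-Object { $_ })
        foreach ($m in $observed) {
            if ($m -notin $approved) { [pscustomobject]@{ Group = $group; Member = $m; Change = 'ADDED' } }
        }
        foreach ($m in $approved) {
            if ($m -notin $observed) { [pscustomobject]@{ Group = $group; Member = $m; Change = 'REMOVED' } }
        }
    }
}

# Collects live membership (requires the ActiveDirectory module). -Recursive
# expands nested groups, so a user hidden two groups deep is still reported.
function Get-PrivilegedGroupMembers {
    param([string[]] $Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'))
    $result = @{}
    foreach ($g in $Groups) {
        $result[$g] = @(Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty SamAccountName)
    }
    return $result
}

# Constructed demo: the approved baseline versus what a daily check observed.
$baseline = @{
    'Domain Admins'     = @('admin.alice', 'admin.bob')
    'Enterprise Admins' = @()      # nobody sits here permanently
    'Schema Admins'     = @()
}
$current = @{
    'Domain Admins'     = @('admin.alice', 'admin.bob', 'hvac-vendor')
    'Enterprise Admins' = @('admin.bob')
    'Schema Admins'     = @()
}
Compare-PrivilegedGroups -Baseline $baseline -Current $current | Format-Table -AutoSize

# Scheduled use: approve and save a baseline once, then diff it against live data.
# $baseline | Export-Clixml .\priv-groups-baseline.xml
# Compare-PrivilegedGroups -Baseline (Import-Clixml .\priv-groups-baseline.xml) -Current (Get-PrivilegedGroupMembers)
```

On the constructed data the report contains two rows: hvac-vendor added to Domain Admins and admin.bob added to Enterprise Admins. Keeping the baseline as a file that only the security team can change is what turns this from a listing into a control; the diff is only as trustworthy as the approval process behind the baseline.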
  • 51. (slide diagram: Vendor Account, VPN, AD, Target PCs)
    • Scenario 1 – Vendor account has no privilege: controlled access only allows logins from certain accounts
    • Scenario 2 – Vendor account has privileges escalated: systems allow account logins at the OS but only for privilege
    • Controlled access would not allow the escalation attack, and/or alert to the attempt
  • 53. Auditing/Accounting – WHAT TO ASK
    • Do you have logs?
    • Where do they log to?
    • Who has access to the logs?
    • Do you understand them?
    • Are they resistant to change?
    • ARE YOU SURE????
  • 54. Auditing/Accounting – WHAT TO DO
    • Logging needs to be actionable
    • Start small; then get better
    • Set up a central logging server and point your logs to that
    • Allow only authorized persons access to this server
    • Then parse your logs using a tool like Splunk, or Windows Security and Operations Center
  • 55. Auditing/Logging – TOOLBOX
    • https://www.sans.org/reading-room/whitepapers/logging/discovering-security-events-interest-splunk-34272 (Author: Carrie Roberts)
    • [WinEvent] sourcetype="WinEventLog:Security" ("EventCode=675" OR ("EventCode=672" AND Type="Failure Audit")) OR (EventCode=4771 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19 | stats count by Account_Name | where count > 3
    • [XSS] source="/var/log/my-app/application.log" "&#" OR "script" OR "`" OR "cookie" OR "alert" OR "%00"
    • [SQL Inj] source="/var/log/my-app/application.log" (' AND =) OR (' AND ;) OR (drop table) OR --
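The [WinEvent] search above is written for Splunk. As an added example that is not from the deck or from the whitepaper, here is the same detection in PowerShell against the Windows Security log: failed logons (event 4625) and Kerberos pre-authentication failures (event 4771) are grouped by account, machine accounts and the 0x19 pre-auth-required noise are dropped as in the Splunk search, and accounts over the threshold are reported. The function names are my own; the sample events are constructed so it runs offline, and ConvertFrom-SecurityEvent plus the commented Get-WinEvent line show how to feed it live records.

```powershell
# Added example (not from the deck): the failed-logon burst detection from the
# Splunk search, in PowerShell. 4625 = logon failure, 4771 = Kerberos pre-auth
# failure; 0x19 = KDC_ERR_PREAUTH_REQUIRED, which every first AS-REQ produces.
function ConvertFrom-SecurityEvent {
    # Flattens a Get-WinEvent record into the three fields the detection needs.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $xml  = [xml] $Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Id = $Event.Id; Account = $data['TargetUserName']; Status = $data['Status'] }
    }
}

function Find-FailedLogonBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with Id, Account, Status
        [int] $Threshold = 3                         # same "count > 3" as the Splunk search
    )
    # Same filters as the Splunk search: only these two IDs, no computer
    # accounts ("name$"), and no 0x19 pre-auth-required noise.
    $Events |
        Where-Object { ($_.Id -in 4625, 4771) -and ($_.Account -notlike '*$') -and ($_.Status -ne '0x19') } |
        Group-Object -Property Account |
        Where-Object { $_.Count -gt $Threshold } |
        ForEach-Object { [pscustomobject]@{ Account = $_.Name; Failures = $_.Count } }
}

# Constructed sample: five bad-password attempts (0x18) on a vendor account, one
# harmless pre-auth-required event, four machine-account failures that must be
# ignored, and a single user failure that stays under the threshold.
$sample = @(
    1..5 | ForEach-Object { [pscustomobject]@{ Id = 4771; Account = 'hvac-vendor'; Status = '0x18' } }
    [pscustomobject]@{ Id = 4771; Account = 'jdoe'; Status = '0x19' }
    1..4 | ForEach-Object { [pscustomobject]@{ Id = 4625; Account = 'WS01$'; Status = '0xC000006D' } }
    [pscustomobject]@{ Id = 4625; Account = 'jdoe'; Status = '0xC000006D' }
)
Find-FailedLogonBursts -Events $sample | Format-Table -AutoSize

# Live use (run elevated; reads the last 24 hours of the local Security log):
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4771; StartTime = (Get-Date).AddHours(-24) } |
#               ConvertFrom-SecurityEvent
# Find-FailedLogonBursts -Events $events
```

On the constructed sample only hvac-vendor is reported, with five failures. Pointing Get-WinEvent at the domain controllers (or at the central log server the previous slide asks for) rather than a workstation is what makes this useful, since 4771 is only ever written by the KDC.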
  • 56. Not a preventive measure
    • This is not a preventive measure, however it does allow for:
      • Detection of events in real time (with tools that do this)
      • Forensic examination of events after the fact
      • Leaves a trail that can be used to identify attack patterns
    • You MUST make your logs resilient to change
      • Log everything to a central server, or mirror them
      • Restrict access to this system to only authorized security persons
    • Trust but verify
  • 58. Physical security – WHAT TO ASK
    • Do you allow OEM devices to be connected to your network?
    • Do you allow vendors/contractors access to facility and internal network?
    • Do you have mobile devices in your enterprise?
      • How do you secure them?
    • You know what I’m going to say!
    • Are you sure?
  • 59. Physical security – WHAT TO DO
    • USB sticks
      • Use GPOs to restrict what can connect to your network (least cost) or use DLP software to restrict data that can be moved (most costly)
      • Disable Autorun (GPO)
    • Physically restrict your network
      • Guest cubes or multiple drops with ports on the untrusted network
    • Security of mobile devices
      • Enforcing screen lock; this may be the most meaningful with the least amount of impact
      • Encryption of data at rest
      • Awareness of connected devices
  • 60. Physical security – TOOLBOX
    • ADM templates to disable USB
      • http://blogs.technet.com/b/danstolts/archive/2009/01/21/disable-adding-usb-drive-and-memory-sticks-via-group-policy-and-group-policy-preferences.aspx
    • Physically restrict your network
      • Guest cubes or multiple drops with ports on the untrusted network
    • Security of mobile devices
      • Enforcing screen lock (GPO); this may be the most meaningful with the least amount of impact
      • Encryption of data at rest (Bitlocker)
      • Awareness of connected devices
    • Simple PowerShell commands
      • http://help.outlook.com/en-us/140/gg985420.aspx
  • 61. Physical Security Described
    • Physical security would not have been applicable to our case study
    • Physical security is important when you have non-employees in a facility that can access your internal network
    • Physical security is important when you have assets that travel outside your network
  • 63. Backup strategy – WHAT TO ASK
    • Do you have a backup strategy?
      • Is it documented?
      • Does it align with your business needs?
    • Backups cost money, time and resources
      • Do you back up more than you need?
      • Do you have resources to verify/restore backups?
    • Do you regularly test backups?
      • When was the last time you did and what were the results?
      • Did you document this?
    • ARE YOU SURE?
  • 64. Backup strategy – WHAT TO DO
    • Create a policy for regular backups
      • Identify critical systems & backup frequency
      • If you have a DRD in place make sure it’s being adhered to
    • Document a Recovery Time Objective (RTO) and a Recovery Point Objective (RPO) for your backups
      • This aligns with disaster planning
      • Must be done in alignment with your business
    • VERIFY YOUR BACKUPS
      • This is not negotiable or avoidable!
  • 65. Back to Basics ratings

| Mitigation strategy | Overall security effectiveness | User resistance | Upfront cost (staff, equipment, technical complexity) | Maintenance cost (mainly staff) | Helps detect intrusions | Helps mitigate intrusion stage 1: code execution | Helps mitigate intrusion stage 2: network propagation | Helps mitigate intrusion stage 3: data exfiltration |
|---|---|---|---|---|---|---|---|---|
| Reconnaissance | Excellent | Low | Low | Low | Yes | Possible | Yes | No |
| Network segmentation | Excellent | Low | Medium | Low | No | Possible | Yes | Yes |
| Account management | Excellent | Medium | Low | Low | No | Yes | Yes | Possible |
| Controlled access | Essential | Medium | Medium | Low | No | Possible | Yes | No |
| Auditing/accounting | Excellent | Low | High | Medium | Yes | No | No | No |
| Physical Security | Good | High | Low | Medium | No | Yes | Yes | Yes |
| Backup Strategy | Excellent | Low | High | Medium | No | No | No | Yes |

    Adapted from: http://www.asd.gov.au/infosec/top-mitigations/top35mitigations-2014-table.htm
  • 67. Change management
    • Who approves your security changes?
    • Is this documented and reviewed periodically?
    • Who reviews your security changes for accuracy?
    • Who follows up to verify the changes are still accurate?
    • Document reasons for changes, approvals and mitigations
    • ARE YOU SURE?
  • 68. Establish a governance calendar
    • The calendar contains your regular cadence of review activity
    • You can script reminders to the entities responsible for the review
      • SharePoint
      • Google scripts (Google calendar)
      • http://corporateservices.schwab.com/public/corporate/compliance_solutions
    • Work this activity into your existing processes so they get prioritized
    • Time box those activities!
    • Get SLAs/SLOs for teams on which you rely to perform these activities
  • 70. Important Enterprise Infosec Lessons
    • There is no magic bullet – infosec is multi-layered and multi-disciplinary
    • Infosec will cost you time, money and resources – measure your value appropriately
    • Infosec is an active discipline; it requires care and feeding, you cannot install and forget
    • Time is the enemy of infosec; the longer it takes, the higher the risks
    • Infosec is a value add for your business, and it is up to you to show it
    • Infosec is not a department of “no.” Market yourself like a startup
  • 71. Security basics put simply…
    • 1. If you think technology can fix security, you don’t understand technology and you don’t understand security.
    • 2. The root cause of a security incident is rarely about the technology and almost always about the implementation.
    • 3. Humans will always be the weakest link in the security chain. Awareness will mitigate the vast majority of your security issues … spend time and money on educating everyone in your company about security.
  • 73. Tools & references list
    • http://csc-hub.com/ – Ken Evan’s awesome 20 CSC site
    • http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx – AD rights delegation
    • http://sectools.org/ – List of pay and free network tools
    • http://www.poshsec.com/ – PowerShell scripts that support the 20 CSC
    • http://www.asd.gov.au/infosec/top35mitigationstrategies.htm – Australian DSD Top 35
    • http://www.counciloncybersecurity.com – Council on Cybersecurity
    • https://www.sans.org/reading-room/whitepapers/logging/discovering-security-events-interest-splunk-34272 – Carrie Roberts white paper on logging
    • http://www.jwgoerlich.us/blogengine/post/2014/04/29/Update-on-Story-Driven-Security.aspx – J. Wolfgang Goerlich and Nick Jacob’s work on effective threat modeling
    • http://www.theguardian.com/commentisfree/2014/may/06/target-credit-card-data-hackers-retail-industry – Brian Krebs’ op-ed on the current state of the Target breach and some of the false pretense
  • 74. Contact info
    • Joel Cardella
    • Twitter: @JoelConverses
    • Email: jscardella@pobox.com
    • IRC: #misec on Freenode (joel_s_c)

Editor’s notes

  1. So let’s talk about how we in Security define risk. Threats increase our risk. Threats can be known issues (known OS / app bugs, patching). They can be unknown issues (zero days). The more we address vulnerabilities, the less risk we assume. When a threat and vulnerability meet, we have impact. Sometimes we can predict the impact and sometimes we cannot.