It's 2012 and My Network Got Hacked
Omar Santos
The good guys need to be correct 100% of the time.
The bad guys need to be correct just ONCE.
Ten years ago, employees were assigned laptops and told not to lose them.

They were given logins to the company network, and told not to tell anyone their password.

“End of security training.”
Today Your Workers are Loaded with Devices, and Not Overly Concerned About Security
According to past studies, “the Internet” will DOUBLE in size every 5.32 years.
More Connected Devices than People
[chart] Source: Cisco IBSG
5 billion mobile users by 2016
[chart] Source: Cisco VNI Global Mobile Data Forecast
Remote Access and BYOD
What About Social Media?
Cybercrime Return on Investment Matrix
[chart] Source: Cisco Annual Security Report
Vulnerability and Threat Categories
[chart] Source: Cisco Annual Security Report
[chart] malware encounters per month (11 per day!)
200% increase over the same period a year ago…
Is that scary? Well… it will probably get worse!
Free It Up? or Lock It Down?
How Do You Measure Security?
Agenda: Case Studies
• Case Study 1: Remote Access VPN #FAIL
• Case Study 2: Great Homework!
• Case Study 3: Awesome New leet Gadgets
• Case Study 4: Pwning the Data Center
CASE STUDY 1
REMOTE ACCESS VPN #FAIL
Remote Access: How Admins Continue to #FAIL

What Happened?
Unauthorized access via the clientless SSL VPN, several times over about 3-4 weeks.

How It Happened…
The attacker exploited the “Authentication Bypass Vulnerability” described in CVE-2010-0568.
The Cisco ASA was not patched for the vulnerability.
The attacker was able to compromise other internal systems and stole several documents / information.
How It Was Detected…

Uh? Monthly VPN Activity Report
In a monthly VPN activity report, admins noticed that a user called anonwannabe had logged in several times over a period of 3-4 weeks.

Say What!?!?! User anonwannabe?? Seriously?
The username did not conform to their Active Directory naming standards.

OLD CVE! CVE-2010-0568
After further investigation, they found that VPN authentication was being bypassed in their Cisco ASA cluster as a result of CVE-2010-0568.
What Technologies Did You Have In Place?
[diagram] Road warriors → ASA VPN Cluster
• Only allowed VPN traffic to ASAs
• External user authentication
• AD/NTLM authentication
• Idle and session timeouts
• Leveraged DAP
• Disabled split-tunneling
• VPN traffic inspected by IPS
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Patch Management – Proactive Security

Vulnerability Announced by Vendor → Identify Affected Devices → Identify Workarounds → Patch/Fix is Obtained → Patch/Fix is Tested → Patch is Implemented

Awareness
• You need to keep up with vulnerability announcements from vendors at all times.

Identification/Correlation
• Identify vulnerable devices
• Identify potential workarounds and network mitigations

Fix Tested and Implemented
• Test
• Certify image/software
• Implement
Incident Management – Reactive Security

To → Te → Ti → Tc
TEvent = Te - To
Tincident = Ti - Te
Tcontainment = Tc - Ti

To = Time when an event occurs on the network
Te = Time when the event is detected on the network
Ti = Time when the event is classified as an incident
Tc = Time when the incident is contained on the network
Analyzing and Applying Security

Business Relevance: specific business goals, and the threats to goal attainment
• Business Goals and Objectives
• Threats to Goals and Objectives

Security Policies: describes the iterative development and monitoring of security policies
• Threat and Risk Assessment
• Security Policies
• Security Operations

Security Principles: describes the primary security principles that are affected by security policies
• Visibility
• Control

Security Actions: describes essential actions that enable Visibility and Control
• Identify, Monitor, Correlate (Visibility)
• Harden, Isolate, Enforce (Control)

A framework for the key principles required by a network to achieve a strong security posture

Security Control Framework

Total Visibility: Identity, Trust, Compliance, Event, and Performance Monitoring
• Identify: identify who or what is using the network
• Monitor: observe and monitor activities occurring on the network
• Correlate: build intelligence from activities occurring on the network

Complete Control: Security Policy Enforcement and Event Mitigation
• Harden: withstand and recover from security anomalies
• Isolate: separate and create boundaries around users, traffic and devices
• Enforce: ensure the network conforms to a desired state or behavior

Increase Security and Resiliency in Networks and Services
Creating Security Metrics

Provides a tool for security folks to measure the effectiveness of various components of their security programs, products or processes, and the ability of staff to address the security issues for which they are responsible.

Can also help identify the level of risk in not taking a given action, and in that way provide guidance in prioritizing corrective actions.

With this knowledge, security managers can better answer hard questions from their executives and others, such as:
• Are we more secure today than we were before?
• Have we improved from last year?
• Are we secure enough?
Operational Security Metrics

Incident Management
• How long does it take to identify an event?
• How long does it take to identify an incident?
• How long does it take to contain an incident?

Device Compliance
• What percent of devices are in compliance with the certified software image?
• What percent of devices are in compliance with standard configuration templates?
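The three Incident Management questions are exactly the To/Te/Ti/Tc intervals defined on the incident management slide. The following is an added example (not code from the original deck) that computes TEvent, Tincident and Tcontainment for a constructed set of incidents and summarises them; INC-001 is modelled on Case Study 1, where the event surfaced in a monthly report about a month after the first bypass login. The incident records and timestamps are constructed, and an open incident (no Tc yet) is handled rather than dropped silently.

```python
"""
Added example: To/Te/Ti/Tc incident timeline metrics over constructed incident
records. Timestamps are ISO 8601 strings; Tc is None while an incident is open.
"""
from datetime import datetime
from statistics import median

# Constructed incident records (hypothetical data, not from the deck).
INCIDENTS = [
    {"id": "INC-001", "To": "2012-03-02T09:00:00", "Te": "2012-04-01T08:00:00",
     "Ti": "2012-04-02T15:30:00", "Tc": "2012-04-03T11:00:00"},   # found in a monthly report
    {"id": "INC-002", "To": "2012-05-10T14:20:00", "Te": "2012-05-10T14:35:00",
     "Ti": "2012-05-10T16:00:00", "Tc": "2012-05-11T09:00:00"},
    {"id": "INC-003", "To": "2012-06-01T03:00:00", "Te": "2012-06-01T03:05:00",
     "Ti": "2012-06-01T10:05:00", "Tc": None},                     # still open
]

STAGES = ("To", "Te", "Ti", "Tc")


def _hours(start, end):
    """Elapsed hours between two ISO timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600.0


def incident_intervals(inc):
    """
    TEvent = Te - To, Tincident = Ti - Te, Tcontainment = Tc - Ti (in hours).
    Raises ValueError if the timestamps are out of order, which usually means a
    clock or data-entry problem that would otherwise poison the metrics.
    """
    stamps = [datetime.fromisoformat(inc[s]) for s in STAGES if inc.get(s) is not None]
    if stamps != sorted(stamps):
        raise ValueError(f"{inc['id']}: timestamps are not in To<=Te<=Ti<=Tc order")
    return {
        "id": inc["id"],
        "TEvent": _hours(inc["To"], inc["Te"]),
        "Tincident": _hours(inc["Te"], inc["Ti"]),
        "Tcontainment": _hours(inc["Ti"], inc["Tc"]) if inc.get("Tc") else None,
    }


def summarize(incidents):
    """Median and worst case per interval, plus the incidents that are still open."""
    rows = [incident_intervals(i) for i in incidents]
    summary = {}
    for key in ("TEvent", "Tincident", "Tcontainment"):
        vals = [r[key] for r in rows if r[key] is not None]
        if not vals:
            summary[key] = {"n": 0, "median_h": None, "max_h": None}
            continue
        summary[key] = {"n": len(vals), "median_h": median(vals), "max_h": max(vals)}
    summary["open"] = [r["id"] for r in rows if r["Tcontainment"] is None]
    return summary


if __name__ == "__main__":
    for row in (incident_intervals(i) for i in INCIDENTS):
        print(row)
    print(summarize(INCIDENTS))
```

Report the median and the maximum together: the median TEvent here is 15 minutes, but the maximum is 719 hours, and that one outlier (detection by monthly report instead of by monitoring) is the number that matters.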
Operational Security Metrics

Patch Management
• How long does it take you to become aware of new vulnerability announcements from vendors?
• How long does it take to identify affected devices?
• How long does it take to implement workarounds (when available)?
• How long does it take for you to test and implement the fix/patch?
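The "identify affected devices" step of the patch management process and the Device Compliance metric both need the same thing: a device inventory compared against an advisory's fixed releases and against the certified image. The following is an added example (not code from the original deck) that parses Cisco ASA style version strings, classifies each device as vulnerable, fixed, or running a train the advisory does not cover, and computes the percentage on the certified image. The FIRST_FIXED table and the inventory are hypothetical; the table is not the real fixed-release data for CVE-2010-0568.

```python
"""
Added example: match a device inventory against an advisory's "first fixed"
releases and compute the Device Compliance metric.

Assumptions: versions use the Cisco ASA style "major.minor(interim.build)";
FIRST_FIXED is a hypothetical table, NOT the real fixed releases for
CVE-2010-0568; the inventory is constructed.
"""
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\((\d+)(?:\.(\d+))?\))?$")


def parse_version(text):
    """'8.2(1.12)' -> (8, 2, 1, 12); a missing interim/build counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


# Hypothetical first-fixed release per train (not the real advisory data).
FIRST_FIXED = {"8.0": "8.0(5.3)", "8.1": "8.1(2.41)", "8.2": "8.2(2)"}


def assess(version, first_fixed=FIRST_FIXED):
    """'vulnerable', 'fixed', or 'unknown-train' when the advisory does not list the train."""
    v = parse_version(version)
    train = f"{v[0]}.{v[1]}"
    if train not in first_fixed:
        return "unknown-train"          # read the advisory: may be unaffected, or a migration
    return "fixed" if v >= parse_version(first_fixed[train]) else "vulnerable"


# Constructed inventory: hostname -> running image.
INVENTORY = {
    "asa-dc-1": "8.2(1)",
    "asa-dc-2": "8.2(1)",
    "asa-branch-1": "8.0(4)",
    "asa-branch-2": "8.2(2)",
    "asa-lab": "8.3(1)",
}


def patch_report(inventory, first_fixed=FIRST_FIXED, certified="8.2(2)"):
    """
    Per-device status plus two metrics: the devices still vulnerable and the
    percentage of devices running the certified image.
    """
    status = {host: assess(ver, first_fixed) for host, ver in inventory.items()}
    cert = parse_version(certified)
    on_cert = [h for h, v in inventory.items() if parse_version(v) == cert]
    return {
        "status": status,
        "vulnerable": sorted(h for h, s in status.items() if s == "vulnerable"),
        "needs_review": sorted(h for h, s in status.items() if s == "unknown-train"),
        "pct_certified": round(100.0 * len(on_cert) / len(inventory), 1),
    }


if __name__ == "__main__":
    print(patch_report(INVENTORY))
```

The version tuple comparison is what makes "8.1(2.41)" sort after "8.1(2.9)" correctly; string comparison would get that wrong. Trains the advisory does not mention are reported separately rather than assumed safe.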
CASE STUDY 2
GREAT HOMEWORK AND CLEVER ATTACK
What Happened..

Attackers compromised users and were able to gain access to higher-profile user information and data.

“I have NO clue what’s happening”
How It Happened..
1. Found users to target from sites like Facebook
2. Sent targeted email with malicious attachment (“You Got Mail!!!”)
3. Naïve users opened the exploit that installed a backdoor
4. Other users and devices were attacked for escalation of privileges
5. Data was acquired from targeted servers
6. Data was transferred externally
How *It* was Detected..

They were notified by external sources that several internal confidential records/documents had been posted. After post-incident forensic activity, they found several machines communicating over TCP port 6969 with hosts outside of the US.
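The machines talking on TCP/6969 to foreign hosts were found only in post-incident forensics, although NetFlow was already being collected. The following is an added example (not code from the original deck) of the egress check that finds them from the flow data itself: flag internal hosts sending to a watch-listed port or to a country the business does not expect, and aggregate per host. TCP/6969 comes from this case; the rest of the watch list, the allowed-country policy, the prefix-to-country table (standing in for a GeoIP database) and the flow records are constructed assumptions.

```python
"""
Added example: NetFlow-style egress check for watch-listed ports and
unexpected destination countries, aggregated per internal host.

Assumptions: flows are CSV records exported from a collector; GEO is a
hypothetical prefix-to-country table standing in for a GeoIP database;
WATCH_PORTS and ALLOWED_COUNTRIES are example policy, not the deck's.
"""
import csv
import io
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
WATCH_PORTS = {6969}            # ports known for botnet/C2 traffic (example list)
ALLOWED_COUNTRIES = {"US"}      # where this business expects to send data

# Hypothetical prefix -> country table (documentation prefixes, constructed).
GEO = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "RO",
    ipaddress.ip_network("192.0.2.0/24"): "BR",
}

# Constructed flow records.
FLOWS = """\
start,src,sport,dst,dport,proto,bytes
2012-04-02T01:00:05,10.20.5.17,49211,198.51.100.23,6969,tcp,1840
2012-04-02T01:10:07,10.20.5.17,49212,198.51.100.23,6969,tcp,2210
2012-04-02T01:20:04,10.20.5.17,49213,198.51.100.23,6969,tcp,1975
2012-04-02T02:05:00,10.20.5.17,49300,203.0.113.9,6969,tcp,640
2012-04-02T03:15:22,10.20.5.41,50102,192.0.2.9,443,tcp,918400
2012-04-02T09:00:00,10.20.7.3,51000,203.0.113.50,443,tcp,12000
2012-04-02T09:05:00,10.20.5.17,51001,10.1.1.1,445,tcp,5000
"""


def country_of(ip):
    """Longest-prefix lookup in the hypothetical GEO table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    matches = [net for net in GEO if addr in net]
    return GEO[max(matches, key=lambda n: n.prefixlen)] if matches else None


def parse_flows(text):
    """Parse the CSV export; ports and byte counts become integers."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["dport"] = int(r["dport"])
        r["bytes"] = int(r["bytes"])
    return rows


def flow_reasons(flow):
    """Why an egress flow is suspicious; empty for internal-only or benign flows."""
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    if src not in INTERNAL or dst in INTERNAL:
        return []                      # not an egress flow
    reasons = []
    if flow["dport"] in WATCH_PORTS:
        reasons.append(f"dport {flow['dport']} on watch list")
    country = country_of(flow["dst"])
    if country not in ALLOWED_COUNTRIES:
        reasons.append(f"destination country {country or 'unknown'} not allowed")
    return reasons


def suspicious_hosts(flows):
    """Aggregate flagged flows per internal source host."""
    hosts = defaultdict(lambda: {"flows": 0, "bytes": 0, "dsts": set(), "reasons": set()})
    for f in flows:
        reasons = flow_reasons(f)
        if not reasons:
            continue
        h = hosts[f["src"]]
        h["flows"] += 1
        h["bytes"] += f["bytes"]
        h["dsts"].add(f"{f['dst']}:{f['dport']}")
        h["reasons"].update(reasons)
    return dict(hosts)


if __name__ == "__main__":
    for host, info in suspicious_hosts(parse_flows(FLOWS)).items():
        print(host, info)
```

The two conditions catch different things: 10.20.5.17 is flagged by port (regular small connections to one foreign host at ten-minute intervals, the shape of a beacon), while 10.20.5.41 is flagged purely by destination country on a large transfer over 443, which is what exfiltration through a port the firewall allows looks like.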
What Technologies Did You Have In Place?
[diagram] Core Layer / Distribution Layer / Access Layer
• AAA in all networking devices
• Secure protocols such as SSH
• Redundancy (logical & physical)
• NetFlow and event monitoring
• Firewalls
• Intrusion Prevention Systems (IPS)
• Control Plane Policing (CoPP)
• Virtual Switch Systems (VSS)
• Endpoint protection (AV, FW)
• Layer 2 and 3 security practices
Quick Analysis of the Attack
• Exploited human weaknesses
• Exploited zero-day vulnerabilities
• Exploited gaps in infrastructure
• Exploited gaps in network monitoring
All Those Technologies and Still Got Pwned?

User Awareness Training
• Social media threats
• Security policies
• Emerging threats
• Leverage training from: Facebook, APWG, Stop Badware

E-Reputation
• Email reputation
• Web reputation

Monitoring and Control
• Why allow traffic to ports known for botnets?
• Is monitoring enabled on all network and security devices?
Operational Security Metrics

User Awareness Training
• What percent of employees have read and acknowledged the corporate security policies?

Monitoring
• What percent of unauthorized data flows are found on firewalls?
• What percent of network and security devices are being remotely monitored?
• What percent of the network is being content filtered?
CASE STUDY 3
LEET GADGETS CAN GO SHOPPING!
Acme Industries: Branch Office Network
[diagram] Corporate Network – Private WAN – Branch Network 1 / Branch Network 2
How It Happened..
1. Our retail store in Mobile, Alabama was, apparently, not physically secured.
2. Hackers plugged in and hid a wireless DEVICE on the network.
3. They controlled the router over an encrypted wireless connection.
4. They sniffed traffic to extract user credentials with escalated privileges.
5. Finally, they transferred sensitive data outside of the network.
How *It* was Detected..

Law enforcement agencies traced a number of fraudulent purchases all over the country, with one commonality: all victims had used their cards in our company stores.
What Technologies Did You Have In Place?
[diagram] Corporate Network – Private WAN – Branch Network
• AAA in all networking devices
• Secure protocols such as SSH
• Redundancy (logical & physical)
• NetFlow and event monitoring
• Routing protocol security
• WAN edge acting as firewall & IPS
• Control Plane Policing (CoPP)
• QoS for traffic prioritization
• GETVPN to encrypt all WAN traffic
What stops someone from plugging this in?
All Those Technologies and Still Got Pwned?

AAA Management
• Network device authentication?
• Network user authentication?
• Guest access with network restrictions?

Restricted Access
• Shutting down unused ports?
• Traffic filtering from branch to corporate network?

Physical Security
• Unlocked/unrestricted wiring closets?
• Monitoring via cameras?
Operational Security Metrics

Device Identity Management
• What percent of unauthorized devices are on the network?
• How long does it take to locate a device from its IP address in real time?
• How long does it take to locate a device from its IP address using historical logs?

User Identity Management
• What percent of unauthorized users are on the network?
• How long does it take to identify a user from its IP address in real time?
• How long does it take to identify a user from its IP address from historical logs?
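The Device Identity Management questions above come down to one correlation: the router's ARP table gives IP to MAC, each switch's MAC address table gives MAC to port, and an asset list says whether that MAC belongs there. The following is an added example (not code from the original deck) that does the correlation for a constructed branch, ignores MAC entries learned over uplinks (they point at another switch, not at the device), flags an access port with more than one MAC behind it (a hub, a rogue AP or bridge like the one in this case, or a VM host), and computes the percentage of unauthorized devices. The ARP table, MAC tables, uplink list and asset inventory are all constructed; in practice they come from `show ip arp`, `show mac address-table` (or SNMP) and the asset or NAC database.

```python
"""
Added example: locate a device from its IP via ARP + MAC address tables and
compute the "unauthorized devices on the network" metric. All tables below
are constructed for the example.
"""
import re
from collections import defaultdict


def norm_mac(mac):
    """Accept '0011.2233.4455', '00:11:22:33:44:55' or '00-11-22-33-44-55'; return 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


# Constructed `show ip arp` output from the branch router: (ip, mac, interface).
ARP_TABLE = [
    ("10.30.1.11", "0011.2233.4455", "Vlan30"),
    ("10.30.1.12", "0011.2233.4456", "Vlan30"),
    ("10.30.1.13", "0011.2233.4457", "Vlan30"),
    ("10.30.1.200", "f0de.f1aa.bb01", "Vlan30"),
    ("10.30.1.201", "f0de.f1aa.bb02", "Vlan30"),
]

# Constructed `show mac address-table` per switch: switch -> [(mac, port)].
# br-sw2 hangs off br-sw1 Gi1/0/48, so each switch also learns the other's hosts on its uplink.
MAC_TABLES = {
    "br-sw1": [("0011.2233.4455", "Gi1/0/5"), ("0011.2233.4456", "Gi1/0/6"),
               ("f0de.f1aa.bb01", "Gi1/0/17"), ("f0de.f1aa.bb02", "Gi1/0/17"),
               ("0011.2233.4457", "Gi1/0/48")],
    "br-sw2": [("0011.2233.4457", "Gi1/0/3"), ("0011.2233.4455", "Gi1/0/24"),
               ("0011.2233.4456", "Gi1/0/24"), ("f0de.f1aa.bb01", "Gi1/0/24"),
               ("f0de.f1aa.bb02", "Gi1/0/24")],
}
UPLINKS = {("br-sw1", "Gi1/0/48"), ("br-sw2", "Gi1/0/24")}

# Hypothetical asset inventory keyed by normalised MAC.
AUTHORIZED = {
    "001122334455": "POS-terminal-1",
    "001122334456": "POS-terminal-2",
    "001122334457": "back-office-pc",
}


def build_index(mac_tables=MAC_TABLES, uplinks=UPLINKS):
    """mac -> [(switch, port)] for access ports only, and (switch, port) -> number of MACs."""
    by_mac = defaultdict(list)
    per_port = defaultdict(int)
    for switch, entries in mac_tables.items():
        for mac, port in entries:
            if (switch, port) in uplinks:
                continue               # learned through another switch, not attached here
            by_mac[norm_mac(mac)].append((switch, port))
            per_port[(switch, port)] += 1
    return by_mac, per_port


def locate(ip, arp_table=ARP_TABLE, mac_tables=MAC_TABLES, uplinks=UPLINKS, authorized=AUTHORIZED):
    """Where an IP is plugged in, whether its MAC is authorized, and whether it shares its port."""
    macs = {a_ip: norm_mac(a_mac) for a_ip, a_mac, _ in arp_table}
    if ip not in macs:
        return None
    mac = macs[ip]
    by_mac, per_port = build_index(mac_tables, uplinks)
    ports = by_mac.get(mac, [])
    result = {"ip": ip, "mac": mac, "authorized": mac in authorized,
              "location": None, "ambiguous": len(ports) > 1, "shared_port": False}
    if len(ports) == 1:
        switch, port = ports[0]
        result["location"] = (switch, port)
        # More than one MAC behind an access port: hub, rogue AP/bridge, or VM host.
        result["shared_port"] = per_port[(switch, port)] > 1
    return result


def unauthorized_report(arp_table=ARP_TABLE, authorized=AUTHORIZED):
    """Unauthorized devices with their locations, plus the percentage metric."""
    found = [locate(ip, arp_table, authorized=authorized) for ip, _, _ in arp_table]
    bad = [d for d in found if not d["authorized"]]
    return {"unauthorized": bad, "pct_unauthorized": round(100.0 * len(bad) / len(found), 1)}


if __name__ == "__main__":
    print(locate("10.30.1.200"))
    print(unauthorized_report())
```

Both unknown devices resolve to br-sw1 Gi1/0/17, a single access port with two MACs behind it, which is exactly the signature a hidden wireless router leaves when it bridges onto a live jack. Running this from historical ARP and MAC-table snapshots answers the "using historical logs" question with the same code.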
CASE STUDY 4
PWNING THE DC!
What Happened!?!?

Hackers stole customer data that was stored in a datacenter in North Carolina.
How Did It Happen..

A newly installed server hosting an in-house-developed application was compromised and the attacker was able to gain access to numerous records from other servers and databases.

[diagram] Corporate Network → Data Center Core (Cat 6k) → Aggregation Layer (Nexus 7k, ASA 5585X) → Services Layer (ACE + WAF) → Access Layer (Cat 6k, IPS) → UCS, SAN, Storage
Quick Analysis of the Attack
• Exploited a vulnerability in open source software used in the new application, along with other insecure coding practices
• Exploited zero-day vulnerabilities in the underlying Linux operating system
• Exploited gaps in DC infrastructure
What Technologies Did You Have In Place?
Firewalls, IPS, WAFs, NetFlow
[diagram] same data center topology as above: Data Center Core (Cat 6k), Aggregation Layer (Nexus 7k, ASA 5585X), Services Layer (ACE + WAF), Access Layer (Cat 6k, IPS), UCS, SAN, Storage
Firewalls at the aggregation layer provide an excellent filtering point and first layer of protection. However, they do not provide isolation between servers/services.
[diagram] same data center topology as above
All Those Technologies and Still Got Pwned?

Application Security
• Keep up with 3rd party security patches
• Secure code best practices:
  - Static analysis
  - ASLR, X-Space
  - Safe C libraries and OWASP Java libraries

DC Infrastructure
Isolation provides the first layer of security for the data center and server farm. Depending on the goals of the design, it can be achieved through the use of firewalls, access lists, VLANs, and/or physical separation.
What Happens in a Virtualized Environment..

Traffic flows within virtualized environments sometimes do not even touch physical devices. For example, traffic between VMs on the same host does not even leave the physical hardware.
Virtual Security Gateways (VSGs)
• You can transparently insert a Cisco VSG into the VMware vSphere environment where the Cisco Nexus 1000V distributed virtual switch is deployed.
• One or more instances can be deployed on a per-tenant basis.
• Tenants are isolated from each other, so no traffic can cross tenant boundaries.
• You can deploy the Cisco VSG at the tenant level, at the virtual data center (vDC) level, and at the vApp level.
Operational Security Techniques and Metrics

Application Robustness
• How often do you perform application robustness audits (i.e., fuzzing, secure coding best practices, and patching)?
• What percentage of all applications are tested for security vulnerabilities in a consistent and repeatable manner?
SECURITY METRICS
THANK YOU!
Tech Throwdown: Secure Containerization vs WhitelistingInvincea, Inc.
 
Risk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Crew
 
Intel Cloud Summit: Greg Brown McAfee
Intel Cloud Summit: Greg Brown McAfeeIntel Cloud Summit: Greg Brown McAfee
Intel Cloud Summit: Greg Brown McAfeeIntelAPAC
 
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Scalar Decisions
 
Cloud Security Checklist and Planning Guide Summary
Cloud Security Checklist and Planning Guide Summary Cloud Security Checklist and Planning Guide Summary
Cloud Security Checklist and Planning Guide Summary Intel IT Center
 
Bulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalMahmoud Yassin
 
Building a database security program
Building a database security programBuilding a database security program
Building a database security programmatt_presson
 
Fs isac fico and core presentation10222012
Fs isac fico and core presentation10222012Fs isac fico and core presentation10222012
Fs isac fico and core presentation10222012Seema Sheth-Voss
 
What customers want the cloud to be - Jason Waxman GM at Intel, Cloud Slam 20...
What customers want the cloud to be - Jason Waxman GM at Intel, Cloud Slam 20...What customers want the cloud to be - Jason Waxman GM at Intel, Cloud Slam 20...
What customers want the cloud to be - Jason Waxman GM at Intel, Cloud Slam 20...Khazret Sapenov
 
Security best practices
Security best practicesSecurity best practices
Security best practicesAVEVA
 
Security and Mobile Application Management with Worklight
Security and Mobile Application Management with WorklightSecurity and Mobile Application Management with Worklight
Security and Mobile Application Management with WorklightIBM WebSphereIndia
 
Mitigating Risk for the Mobile Worker: Novell ZENworks Endpoint Security Mana...
Mitigating Risk for the Mobile Worker: Novell ZENworks Endpoint Security Mana...Mitigating Risk for the Mobile Worker: Novell ZENworks Endpoint Security Mana...
Mitigating Risk for the Mobile Worker: Novell ZENworks Endpoint Security Mana...Novell
 
Threat Modeling Web Applications
Threat Modeling Web ApplicationsThreat Modeling Web Applications
Threat Modeling Web ApplicationsNadia BENCHIKHA
 
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...Skoda Minotti
 

Ähnlich wie It's 2012 and My Network Got Hacked - Omar Santos (20)

Asa sslvpn security
Asa sslvpn securityAsa sslvpn security
Asa sslvpn security
 
CYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGYCYBER INTELLIGENCE & RESPONSE TECHNOLOGY
CYBER INTELLIGENCE & RESPONSE TECHNOLOGY
 
Unit 08: Security for Web Applications
Unit 08: Security for Web ApplicationsUnit 08: Security for Web Applications
Unit 08: Security for Web Applications
 
Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Symantec Endpoint Protection 12
Symantec Endpoint Protection 12
 
Cloud Security vs Security in the Cloud
Cloud Security vs Security in the CloudCloud Security vs Security in the Cloud
Cloud Security vs Security in the Cloud
 
Tech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs WhitelistingTech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs Whitelisting
 
Risk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the Cloud
 
Intel Cloud Summit: Greg Brown McAfee
Intel Cloud Summit: Greg Brown McAfeeIntel Cloud Summit: Greg Brown McAfee
Intel Cloud Summit: Greg Brown McAfee
 
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
 
iScan Online - PCI DSS Mobile Task Force
iScan Online - PCI DSS Mobile Task ForceiScan Online - PCI DSS Mobile Task Force
iScan Online - PCI DSS Mobile Task Force
 
Cloud Security Checklist and Planning Guide Summary
Cloud Security Checklist and Planning Guide Summary Cloud Security Checklist and Planning Guide Summary
Cloud Security Checklist and Planning Guide Summary
 
Bulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat Landscapefinal
 
Building a database security program
Building a database security programBuilding a database security program
Building a database security program
 
Fs isac fico and core presentation10222012
Fs isac fico and core presentation10222012Fs isac fico and core presentation10222012
Fs isac fico and core presentation10222012
 
What customers want the cloud to be - Jason Waxman GM at Intel, Cloud Slam 20...
What customers want the cloud to be - Jason Waxman GM at Intel, Cloud Slam 20...What customers want the cloud to be - Jason Waxman GM at Intel, Cloud Slam 20...
What customers want the cloud to be - Jason Waxman GM at Intel, Cloud Slam 20...
 
Security best practices
Security best practicesSecurity best practices
Security best practices
 
Security and Mobile Application Management with Worklight
Security and Mobile Application Management with WorklightSecurity and Mobile Application Management with Worklight
Security and Mobile Application Management with Worklight
 
Mitigating Risk for the Mobile Worker: Novell ZENworks Endpoint Security Mana...
Mitigating Risk for the Mobile Worker: Novell ZENworks Endpoint Security Mana...Mitigating Risk for the Mobile Worker: Novell ZENworks Endpoint Security Mana...
Mitigating Risk for the Mobile Worker: Novell ZENworks Endpoint Security Mana...
 
Threat Modeling Web Applications
Threat Modeling Web ApplicationsThreat Modeling Web Applications
Threat Modeling Web Applications
 
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
 

Kürzlich hochgeladen

SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 

Kürzlich hochgeladen (20)

SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

It's 2012 and My Network Got Hacked - Omar Santos

  • 1. It's 2012 and My Network Got Hacked
  • 2. the good guys need to be correct 100% of the time
  • 3. the bad guys need to be correct just ONCE
  • 4. Ten years ago, employees were assigned laptops and told not to lose them. They were given logins to the company network, and told not to tell anyone their password. “End of security training.”
  • 5. Today Your Workers are Loaded with Devices, and Not Overly Concerned About Security
  • 6. According to PAST Studies “the Internet” will DOUBLE in size every 5.32 years.
  • 7. More Connected Devices than People Source: Cisco ISBG
  • 8. 5 billion mobile users by 2016 Source: Cisco VNI Global Mobile Data Forecast
  • 11. What About Social Media?
  • 12. Cybercrime Return on Investment Matrix Source: Cisco Annual Security Report
  • 13. Vulnerability and Threat Categories Source: Cisco Annual Security Report
  • 14. malware encounters per month (11 per day!)
  • 15. 200% increase over the same period a year ago…
  • 18. Free It Up? or Lock It Down?
  • 19. How Do you Measure Security?
  • 20. Agenda: Case Studies Case Study 1: Remote Access VPN #FAIL Case Study 2: Great Homework! Case Study 3: Awesome New leet Gadgets Case Study 4: Pwning the Data Center
  • 21. Case Study 1: Remote Access VPN #FAIL
  • 22. Remote Access: How Admins Continue to #FAIL. What happened? (1) Unauthorized access via the clientless SSL VPN, several times over about 3-4 weeks. (2) The attacker was able to compromise other internal systems and stole several documents and other information. How it happened: the attacker exploited the “Authentication Bypass Vulnerability” described in CVE-2010-0568; the Cisco ASA was not patched for that vulnerability.
  • 23. How It Was Detected… In a monthly VPN activity report, admins noticed that a user called anonwannabe had logged in several times over a period of 3-4 weeks (“Uh? User anonwannabe??”). The username did not conform to their Active Directory naming standards (“Say what!?!?!”). After further investigation, they found that VPN authentication was being bypassed in their Cisco ASA cluster as a result of CVE-2010-0568, an old, long-published CVE (“Seriously? OLD CVE!”).
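The detection on slide 23 was a human reading a monthly report. The same check is easy to automate: parse the VPN session log, group sessions by username, and flag any account whose name does not match the corporate naming standard, together with how long and from where it has been active. The script below is an added example, not code from the talk. The log lines are constructed to follow the shape of the Cisco ASA %ASA-6-716001 “WebVPN session started” message (they are not captured data), and the “three lower-case letters plus 4-6 digits” AD naming standard is an assumption standing in for whatever the organization actually uses.

```python
"""Flag VPN logins whose username does not match the corporate account
naming convention (the anonwannabe case from slide 23).

Added example, not code from the original talk.  Assumptions:
- lines are shaped like Cisco ASA %ASA-6-716001 WebVPN messages, but the
  sample below is constructed, not captured;
- the AD naming standard is three lower-case letters followed by 4-6 digits.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on %ASA-6-716001 (WebVPN session started).
SAMPLE_LOG = """\
Mar 03 2012 08:12:44 asa-vpn-1 %ASA-6-716001: Group <Employees> User <jdo12345> IP <203.0.113.10> WebVPN session started.
Mar 04 2012 22:41:09 asa-vpn-2 %ASA-6-716001: Group <Employees> User <anonwannabe> IP <198.51.100.77> WebVPN session started.
Mar 09 2012 01:02:33 asa-vpn-1 %ASA-6-716001: Group <Employees> User <anonwannabe> IP <198.51.100.78> WebVPN session started.
Mar 10 2012 09:15:01 asa-vpn-1 %ASA-6-716001: Group <Employees> User <mli00911> IP <203.0.113.22> WebVPN session started.
Mar 27 2012 03:47:52 asa-vpn-2 %ASA-6-716001: Group <Employees> User <anonwannabe> IP <198.51.100.80> WebVPN session started.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-6-716001: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> "
    r"IP <(?P<ip>[^>]+)> WebVPN session started\.$"
)
# Assumed AD naming standard (hypothetical): 3 lower-case letters + 4-6 digits.
AD_NAME_RE = re.compile(r"^[a-z]{3}\d{4,6}$")


def parse_sessions(text):
    """Return one dict per parsed WebVPN session-start message."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a session-start message; ignore
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%b %d %Y %H:%M:%S")
        sessions.append(d)
    return sessions


def find_nonconforming_users(sessions):
    """Group sessions by user and report users whose name fails the AD standard.

    Returns {user: {"count", "first", "last", "days_active", "ips"}}.
    """
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append(s)

    report = {}
    for user, events in by_user.items():
        if AD_NAME_RE.match(user):
            continue  # conforms to the naming standard
        first = min(e["ts"] for e in events)
        last = max(e["ts"] for e in events)
        report[user] = {
            "count": len(events),
            "first": first,
            "last": last,
            "days_active": (last - first).days,
            "ips": sorted({e["ip"] for e in events}),
        }
    return report


if __name__ == "__main__":
    for user, info in find_nonconforming_users(parse_sessions(SAMPLE_LOG)).items():
        print(f"{user}: {info['count']} sessions over {info['days_active']} days "
              f"from {', '.join(info['ips'])}")
```

Run daily against the previous day's syslog rather than monthly: the slide's attacker had three to four weeks of access because the report was monthly. A second, stronger check is to verify each VPN username actually exists in the directory, which catches a bypass even when the attacker picks a conforming-looking name.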
  • 24. What Technologies Did You Have In Place? Only allowed VPN traffic to the ASAs; external user authentication (AD/NTLM); ASA VPN cluster; idle and session timeouts; road warriors (remote users); leveraged DAP (Dynamic Access Policies); disabled split-tunneling; VPN traffic inspected by IPS. © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
  • 25. Patch Management – Proactive Security. Workflow: Vulnerability Announced by Vendor → Identify Affected Devices → Identify Workarounds → Patch/Fix is Obtained → Patch/Fix is Tested → Patch is Implemented. Phases: Identification/Awareness (you need to keep up with vulnerability announcements from vendors at all times); Correlation (identify vulnerable devices; identify potential workarounds and mitigations); Fix Tested and Implemented (test; certify the image/software; implement in the network).
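The “Identify Affected Devices” step of slide 25 (and the “how long does it take to identify affected devices?” metric on slide 31) is a correlation between the advisory's first-fixed releases and the running version on each device. The script below is an added example, not code from the talk. It parses Cisco ASA style version strings such as 8.2(1)11 and compares them against a first-fixed table per software train. The table and the device inventory are hypothetical: they are shaped like an ASA advisory but the numbers are not those of CVE-2010-0568 or any other advisory.

```python
"""Correlate a vendor advisory's first-fixed releases with a device inventory
to answer 'which devices are affected?' (slides 25 and 31).

Added example, not from the original talk.  FIRST_FIXED and INVENTORY are
HYPOTHETICAL and constructed; they are not the data of any real advisory.
"""
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d*)$")  # e.g. 8.2(1)11


def parse_asa_version(text):
    """'8.2(1)11' -> (8, 2, 1, 11); a missing interim number counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


# Hypothetical advisory: software train -> first fixed release in that train.
# None means the whole train is affected and has no fix (migrate trains).
FIRST_FIXED = {
    "8.0": "8.0(5)23",
    "8.1": None,
    "8.2": "8.2(2)",
    "8.3": "8.3(1)4",
}

# Constructed inventory: hostname -> running version.
INVENTORY = {
    "asa-vpn-1": "8.2(1)",
    "asa-vpn-2": "8.2(1)",
    "asa-dc-fw-1": "8.3(2)",
    "asa-branch-17": "8.1(2)49",
    "asa-lab": "8.4(1)",
}


def classify_device(version_str, first_fixed=FIRST_FIXED):
    """Return 'vulnerable', 'fixed' or 'not-listed' for one running version."""
    v = parse_asa_version(version_str)
    train = f"{v[0]}.{v[1]}"
    if train not in first_fixed:
        return "not-listed"  # train absent from the advisory: verify by hand
    fixed = first_fixed[train]
    if fixed is None:
        return "vulnerable"  # affected train with no fixed release
    return "vulnerable" if v < parse_asa_version(fixed) else "fixed"


def affected_devices(inventory=INVENTORY, first_fixed=FIRST_FIXED):
    """Sorted hostnames that still run a release below the first fixed one."""
    return sorted(host for host, ver in inventory.items()
                  if classify_device(ver, first_fixed) == "vulnerable")


if __name__ == "__main__":
    for host, ver in INVENTORY.items():
        print(f"{host:15} {ver:10} {classify_device(ver)}")
    print("affected:", affected_devices())
```

The `not-listed` result is deliberate: a train the advisory does not mention is not evidence of safety, and the practitioner should confirm it rather than silently treat it as fixed. Feed the inventory from the configuration management system, not from a spreadsheet, or the correlation step becomes the slow one.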
  • 26. Incident Management – Reactive Security. Timeline: T0 → Te → Ti → Tc. T0 = time when an event occurs on the network; Te = time when the event is detected on the network; Ti = time when the event is classified as an incident; Tc = time when the incident is contained on the network. Derived metrics: Tevent = Te - T0 (time to detect), Tincident = Ti - Te (time to classify), Tcontainment = Tc - Ti (time to contain).
  • 27. Analyzing and Applying Security. Four columns: Business Relevance (specific business goals, and the threats to goal attainment): identify business goals and objectives; threats to goals and objectives. Security Policies (the iterative development and monitoring of security policies): threat and risk assessment; security policies; security operations. Security Principles (the primary security principles that are affected by security policies): Visibility; Control. Security Actions (essential actions that enable Visibility and Control): Monitor, Correlate, Harden, Isolate, Enforce.
  • 28. Security Control Framework: a framework for the key principles required by a network to achieve a strong security posture. Total Visibility (identity, trust, compliance, event, and performance monitoring): Identify (identify who or what is using the network); Monitor (observe and monitor activities occurring on the network); Correlate (build intelligence from activities occurring on the network). Complete Control (security policy enforcement and event mitigation): Harden (withstand and recover from security anomalies); Isolate (separate and create boundaries around users, traffic and devices); Enforce (ensure the network conforms to a desired state or behavior). Goal: increase security and resiliency in networks and services.
  • 29. Creating Security Metrics. Metrics give security staff a tool to measure the effectiveness of the various components of their security programs, products or processes, and the ability of staff to address the security issues for which they are responsible. They can also help identify the level of risk in not taking a given action, and in that way provide guidance in prioritizing corrective actions. With that knowledge, security managers can better answer hard questions from their executives and others, such as: Are we secure enough? Are we more secure today than we were before? Have we improved from last year?
  • 30. Operational Security Metrics. Incident Management: How long does it take to identify an event? How long does it take to identify an incident? How long does it take to contain an incident? Device Compliance: What percent of devices are in compliance with the certified software image? What percent of devices are in compliance with standard configuration templates?
  • 31. Operational Security Metrics. Patch Management: How long does it take you to become aware of new vulnerability announcements from vendors? How long does it take to identify affected devices? How long does it take to implement workarounds (when available)? How long does it take to test and implement the fix/patch?
  • 32. Case Study 2: Great Homework and Clever Attack
  • 33. What Happened… The attacker compromised users and was able to gain access to higher-profile user information and data. (Victim’s reaction: “I have NO clue what’s happening.”)
  • 34. How It Happened… (1) Found users to target externally, from sites like Facebook. (2) Sent a targeted email with a malicious attachment (“You Got Mail!!!”). (3) Naïve users opened the exploit, which installed a backdoor. (4) Other users and devices were attacked for escalation of privileges. (5) Data was acquired from the targeted servers. (6) Data was transferred outside the network.
  • 35. How *It* Was Detected… They were notified by external sources that several internal confidential records/documents had been posted. During post-incident forensic activity, they found several machines communicating over TCP port 6969 with hosts outside of the US.
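The indicator on slide 35 (internal machines talking on TCP 6969 to hosts outside the US) was only found after the fact, although the network already exported NetFlow (slide 36). The script below is an added example, not code from the talk, of the sweep that would have found it earlier: flow records are filtered to TCP flows toward a suspect port whose destination geolocates outside the home country, then summarized per internal source. The flow records, the prefix-to-country table and the choice of 6969 as the suspect port are constructed for the example; a real deployment would read the collector's export and a GeoIP database.

```python
"""Sweep flow records for internal hosts talking on TCP/6969 to destinations
outside the US (the Case Study 2 indicator from slide 35).

Added example, not from the original talk.  The flow export, the geo table
and the suspect-port list are constructed for the example.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed NetFlow-like export (v5-style fields, written as CSV here).
FLOWS_CSV = """\
src_ip,dst_ip,proto,src_port,dst_port,bytes
10.1.20.15,198.51.100.40,6,51022,6969,184320
10.1.20.15,203.0.113.9,6,51044,443,2048
10.1.33.7,198.51.100.41,6,49152,6969,90112
10.1.40.2,203.0.113.50,6,40001,6969,512
10.1.33.7,192.0.2.77,17,53122,53,96
10.1.20.15,203.0.113.9,6,51090,80,4096
"""

# Assumed geolocation table (prefix -> ISO country code); a stand-in for GeoIP.
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "RO",
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
SUSPECT_PORTS = {6969}  # the port named on the slide; extend from threat intel
HOME_COUNTRY = "US"


def country_of(ip):
    """Longest-match lookup is unnecessary here: the table prefixes do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"  # unknown: treat as foreign, never as home


def parse_flows(text):
    """Parse the CSV export into a list of typed flow dicts."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "src_ip": r["src_ip"],
            "dst_ip": r["dst_ip"],
            "proto": int(r["proto"]),
            "src_port": int(r["src_port"]),
            "dst_port": int(r["dst_port"]),
            "bytes": int(r["bytes"]),
        })
    return rows


def suspicious_hosts(flows, ports=SUSPECT_PORTS, home=HOME_COUNTRY):
    """Internal sources with TCP flows to a suspect port in a foreign country.

    Returns {src_ip: {"dst": [...], "bytes": total, "countries": [...]}}.
    """
    hits = defaultdict(lambda: {"dst": set(), "bytes": 0, "countries": set()})
    for f in flows:
        if f["proto"] != 6 or f["dst_port"] not in ports:
            continue
        if ipaddress.ip_address(f["src_ip"]) not in INTERNAL:
            continue
        cc = country_of(f["dst_ip"])
        if cc == home:
            continue
        h = hits[f["src_ip"]]
        h["dst"].add(f["dst_ip"])
        h["bytes"] += f["bytes"]
        h["countries"].add(cc)
    return {src: {"dst": sorted(v["dst"]), "bytes": v["bytes"],
                  "countries": sorted(v["countries"])}
            for src, v in hits.items()}


if __name__ == "__main__":
    for src, info in suspicious_hosts(parse_flows(FLOWS_CSV)).items():
        print(f"{src} -> {info['dst']} ({info['countries']}) {info['bytes']} bytes")
```

The port list is the weak part of this detection, which is the point slide 38 makes with “why allowed traffic to ports known for botnets?”: the firewall should have denied outbound TCP/6969 in the first place, and the flow sweep then becomes a check for policy violations rather than the only line of defense.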
  • 36. What Technologies Did You Have In Place? (Shown against a core/distribution/access layer diagram.) AAA in all networking devices; secure protocols such as SSH; redundancy (logical & physical); NetFlow and event monitoring; firewalls; Intrusion Prevention Systems (IPS); Control Plane Policing (CoPP); Virtual Switching System (VSS); endpoint protection (AV, FW); Layer 2 and Layer 3 security practices.
  • 37. Quick Analysis of the Attack Exploited Human Weaknesses Exploited Zero-day vulnerabilities Exploited Gaps in Infrastructure Exploited Gaps in Network Monitoring
  • 38. All Those Technologies and Still Got Pwned? E-Reputation Monitoring and Control: social media, email reputation, web reputation, emerging threats. User Awareness Training: security policies; threats; leverage training material from Facebook, APWG and Stop Badware. Open questions: Why was traffic allowed to ports known for botnets? Is monitoring enabled on all network and security devices?
  • 39. Operational Security Metrics. User Awareness Training: What percent of employees have read and acknowledged the corporate security policies? Monitoring: What percent of unauthorized data flows are found on firewalls? What percent of network and security devices are being remotely monitored? What percent of the network is being content filtered?
  • 40. Case Study 3: Leet Gadgets Can Go Shopping!
  • 41. Acme Industries: Branch Office Network. Branch Network 1 and Branch Network 2 connect over a private corporate WAN to the corporate network.
  • 42. How It Happened… Our retail store in Mobile, Alabama was, apparently, not physically secured. Hackers plugged in and hid a wireless DEVICE on the network. They controlled the router over an encrypted wireless connection. They sniffed traffic to extract user credentials with escalated privileges. Finally, they transferred sensitive data outside of the network.
  • 43. How *It* was Detected.. Law enforcement agencies traced a number of fraudulent purchases all over the country, with one commonality – all victims had used their cards in our company stores.
  • 44. What Technologies Did You Have In Place? (Branch network connected over the private corporate WAN.) AAA in all networking devices; secure protocols such as SSH; redundancy (logical & physical); NetFlow and event monitoring; routing protocol security; WAN edge acting as firewall & IPS; Control Plane Policing (CoPP); QoS for traffic prioritization; GETVPN to encrypt all WAN traffic.
  • 45. What stops someone from plugging this in?
  • 46. All Those Technologies and Still Got Pwned? Physical security? Network device AAA authentication? Shutting down unused ports? Unlocked/unrestricted wiring closets? Restricted management access? Network user authentication? Traffic filtering from branch to corporate network? Guest access with network restrictions? Monitoring via cameras?
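Two of the questions on slide 46, “shutting down unused ports?” and “network user authentication?”, can be answered from the switch itself before anyone hides a device in a branch. The script below is an added example, not code from the talk: it parses the output of `show interfaces status` and the interface sections of `show running-config` and reports access ports that are live but unused (not shut down) and access ports with neither 802.1X (`authentication port-control`) nor `switchport port-security`. The command output is constructed to resemble Cisco IOS, not captured from a real switch, and the findings are the two conditions above only; trunk ports are skipped because they need a separate review.

```python
"""Audit a branch switch for two gaps from slide 46: unused access ports left
up, and access ports with no 802.1X or port-security.  Either lets a hidden
wireless device join the network by plugging into a wall jack.

Added example, not from the original talk.  The command output below is
constructed to resemble Cisco IOS 'show interfaces status' and
'show running-config'; it is not captured from a real device.
"""
import re

SHOW_INT_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1     uplink-to-WAN      connected    trunk      a-full  a-1000 10/100/1000BaseTX
Gi0/2     POS-register-1     connected    20         a-full  a-100  10/100/1000BaseTX
Gi0/3                        notconnect   1          auto    auto   10/100/1000BaseTX
Gi0/4     back-office-pc     connected    30         a-full  a-100  10/100/1000BaseTX
Gi0/5                        disabled     1          auto    auto   10/100/1000BaseTX
Gi0/6                        notconnect   20         auto    auto   10/100/1000BaseTX
"""

RUNNING_CONFIG = """\
interface GigabitEthernet0/1
 description uplink-to-WAN
 switchport mode trunk
!
interface GigabitEthernet0/2
 description POS-register-1
 switchport access vlan 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/4
 description back-office-pc
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet0/5
 switchport mode access
 shutdown
!
interface GigabitEthernet0/6
 switchport access vlan 20
 switchport mode access
!
"""

# Port, optional free-text name, status keyword, then the Vlan column.
STATUS_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*"
    r"(?P<status>err-disabled|connected|notconnect|disabled)\s+(?P<vlan>\S+)"
)
AUTH_PREFIXES = ("authentication port-control", "switchport port-security")


def short_name(ifname):
    """'GigabitEthernet0/1' -> 'Gi0/1', matching the 'show interfaces status' column."""
    return (ifname.replace("TenGigabitEthernet", "Te")
                  .replace("GigabitEthernet", "Gi")
                  .replace("FastEthernet", "Fa"))


def parse_status(text):
    """Return {port: {'status': ..., 'vlan': ...}} from 'show interfaces status'."""
    ports = {}
    for line in text.splitlines()[1:]:  # skip the header row
        m = STATUS_RE.match(line)
        if m:
            ports[m["port"]] = {"status": m["status"], "vlan": m["vlan"]}
    return ports


def parse_running_config(text):
    """Return {short interface name: set of stripped config lines}."""
    blocks, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = short_name(line.split(None, 1)[1])
            blocks[current] = set()
        elif line.startswith(" ") and current is not None:
            blocks[current].add(line.strip())
        elif line.strip() == "!":
            current = None
    return blocks


def audit_access_ports(status_text, config_text):
    """Return {port: [findings]} for access ports that would accept a rogue device."""
    status = parse_status(status_text)
    config = parse_running_config(config_text)
    findings = {}
    for port, st in status.items():
        cfg = config.get(port, set())
        if st["vlan"] == "trunk" or "shutdown" in cfg:
            continue  # trunks get their own review; administratively down ports are fine
        problems = []
        if not any(line.startswith(AUTH_PREFIXES) for line in cfg):
            problems.append("access port without 802.1X or port-security")
        if st["status"] == "notconnect":
            problems.append("unused port not shut down")
        if problems:
            findings[port] = problems
    return findings


if __name__ == "__main__":
    for port, problems in sorted(audit_access_ports(SHOW_INT_STATUS, RUNNING_CONFIG).items()):
        print(port, "->", "; ".join(problems))
```

Note that Gi0/5 passes only because it is administratively `shutdown`; a port that shows `notconnect` is merely unplugged and will come up the moment someone connects a device. Run the audit from the configuration archive on a schedule so that newly provisioned ports are caught, and pair it with the slide 47 metric for how long it takes to locate a device from its IP address when the audit does fire.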
  • 47. Operational Security Metrics. Device Identity Management: What percent of unauthorized devices are on the network? How long does it take to locate a device from its IP address in real time? How long does it take to locate a device from its IP address using historical logs? User Identity Management: What percent of unauthorized users are on the network? How long does it take to identify a user from an IP address in real time? How long does it take to identify a user from an IP address using historical logs?
  • 48. Case Study 4: Pwning the DC!
  • 49. What Happened!?!? Hackers stole customer data that was stored in a datacenter in North Carolina.
  • 50. How Did It Happen… A newly installed server hosting an in-house-developed application was compromised, and the attacker was able to gain access to numerous records from other servers and databases. (Topology shown: Corporate Network → Data Center Core (Cat 6k pair) → Aggregation Layer (Nexus 7k pair with ASA 5585X firewalls) → Services Layer (ACE + WAF) → Access Layer (Cat 6k pair with IPS) → UCS servers and SAN storage.)
  • 51. Quick Analysis of the Attack Exploited Vulnerability in Open Source Software used in new application along with other insecure coding practices Exploited zero-day vulnerabilities in underlying Linux Operating System Exploited Gaps in DC Infrastructure
  • 52. What Technologies Did You Have In Place? Firewalls, IPS, WAFs, NetFlow (on the same data center topology as slide 50: Cat 6k core, Nexus 7k aggregation with ASA 5585X firewalls, ACE + WAF services layer, Cat 6k access layer with IPS, UCS servers and SAN storage).
  • 53. Firewalls at the aggregation layer provide an excellent filtering point and first layer of protection. However, they do not provide isolation between servers/services behind them. (Same data center topology as slide 50.)
  • 54. All Those Technologies and Still Got Pwned? Keep up with 3rd-party security patches. Application Security: secure code best practices: static analysis; ASLR, X-Space (non-executable memory); safe C libraries and OWASP Java libraries. DC Infrastructure Security: isolation provides the first layer of security for the data center and server farm. Depending on the goals of the design, it can be achieved through the use of firewalls, access lists, VLANs, and/or physical separation.
  • 55. What Happens in a Virtualized Environment… Traffic flows within virtualized environments sometimes do not even touch physical devices. For example, traffic between these VMs does not even leave the physical hardware.
  • 56. Virtual Security Gateways (VSGs) • You can transparently insert a Cisco VSG into the VMware vSphere environment where the Cisco Nexus 1000V distributed virtual switch is deployed. • One or more instances can be deployed on a per-tenant basis. • Tenants are isolated from each other, so no traffic can cross tenant boundaries. • You can deploy the Cisco VSG at the tenant level, at the virtual data center (vDC) level, and at the vApp level.
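Slides 53 to 56 make one architectural point: an aggregation-layer firewall only ever sees flows that cross a segment boundary, so a compromised server moving laterally to a neighbour in the same VLAN (or the same hypervisor) is never filtered unless a policy sits at the server itself, which is what the VSG-style per-tenant gateway adds. The model below is an added example, not code from the talk or a Cisco product: it evaluates a flow between two servers, decides which enforcement point (if any) actually sees it, and shows how a per-server allow-list changes the outcome. The topology, the aggregation firewall rules and the per-server policy are all constructed.

```python
"""Model of the slide 53/55/56 point: the aggregation firewall only sees
inter-segment flows, so same-segment lateral movement is unfiltered unless a
per-server (VSG-style or host) policy exists.

Added example, not from the original talk; the topology and rules are
constructed and do not represent any real data center.
"""

# Constructed DC topology: server -> (ip, segment).
SERVERS = {
    "web-new-app": ("10.10.10.21", "web-vlan"),
    "web-legacy":  ("10.10.10.22", "web-vlan"),
    "db-customer": ("10.10.20.5",  "db-vlan"),
    "db-reports":  ("10.10.20.6",  "db-vlan"),
}

# Aggregation firewall: (src_segment, dst_segment, dst_port) -> allowed.
# Anything not listed is denied.  It is only consulted for inter-segment flows.
AGG_FW_RULES = {
    ("web-vlan", "db-vlan", 3306): True,
}


def per_server_allow_lists():
    """Per-server policy: dst server -> set of (src server or 'any', dst port).

    Anything not listed is denied at the server.  Modelled on the kind of
    tenant/vApp policy slide 56 describes; the contents are constructed.
    """
    return {
        "db-customer": {("web-new-app", 3306), ("web-legacy", 3306)},
        "db-reports":  {("web-legacy", 3306)},
        "web-legacy":  {("any", 443)},
        "web-new-app": {("any", 443)},
    }


def evaluate_flow(src, dst, port, per_server_policy=None):
    """Return (allowed, enforcement_point) for a flow from src to dst:port.

    enforcement_point is 'aggregation-fw', 'per-server-policy' or 'none'
    ('none' means nothing filtered the flow at all).
    """
    _, src_seg = SERVERS[src]
    _, dst_seg = SERVERS[dst]

    if src_seg != dst_seg:
        # Crosses the aggregation layer: the firewall decides first.
        if not AGG_FW_RULES.get((src_seg, dst_seg, port), False):
            return False, "aggregation-fw"
        point = "aggregation-fw"
    else:
        # Same segment: switched locally or inside the hypervisor; the
        # aggregation firewall never sees this flow.
        point = "none"

    if per_server_policy is not None and dst in per_server_policy:
        rules = per_server_policy[dst]
        if (src, port) not in rules and ("any", port) not in rules:
            return False, "per-server-policy"
        if point == "none":
            point = "per-server-policy"
    return True, point


def lateral_moves(from_server, port, per_server_policy=None):
    """What a compromised `from_server` can reach on `port`, and who enforced it."""
    return {dst: evaluate_flow(from_server, dst, port, per_server_policy)
            for dst in SERVERS if dst != from_server}


if __name__ == "__main__":
    print("aggregation firewall only:", lateral_moves("web-new-app", 22))
    print("with per-server policy:   ", lateral_moves("web-new-app", 22, per_server_allow_lists()))
```

In the model the compromised `web-new-app` reaches `web-legacy` on SSH with nothing in the path at all, and reaches `db-reports` on 3306 because the aggregation rule is written per segment rather than per server. The per-server allow-list closes both, which is the isolation slide 54 asks for; whether it is implemented with a virtual gateway, host firewalls or private VLANs matters less than the fact that some policy is evaluated for every server-to-server flow.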
  • 57. Operational Security Techniques and Metrics. Application Robustness: How often do you perform application robustness audits (i.e., fuzzing, secure coding best practices, and patching)? What percentage of all applications are tested for security vulnerabilities in a consistent and repeatable manner?
  • 59. THANK YOU!