Many times security professionals, network engineers, and management ask, "Why did I spend all this money on network security equipment if I still got hacked?" Often questions like these run through their minds: "Am I not buying the right security products? Am I not configuring or deploying them correctly? Do I have the right staff to run my network?" The security lifecycle requires measuring the current network state, creating a baseline, and providing constant improvements. This presentation will cover several real-life case studies on how different network segments were compromised despite state-of-the-art network security technologies and products having been deployed. We will go over several security metrics that you should understand in order to better protect your network.
Omar Santos is an Incident Manager in Cisco's Product Security Incident Response Team (PSIRT). Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government. Omar has delivered numerous technical presentations at several venues, as well as executive presentations to CEOs, CIOs, and CSOs of many organizations. He is also the author of 4 Cisco Press books, with two more in the works.
4. Ten years ago, employees were assigned laptops and told not to lose them. They were given logins to the company network, and told not to tell anyone their password. “End of security training.”
5. Today Your Workers are Loaded with Devices, and Not Overly Concerned About Security
6. According to past studies, “the Internet” will double in size every 5.32 years.
20. Agenda: Case Studies
Case Study 1: Remote Access VPN #FAIL
Case Study 2: Great Homework!
Case Study 3: Awesome New leet Gadgets
Case Study 4: Pwning the Data Center
22. Remote Access: How Admins Continue to #FAIL
What Happened?
Unauthorized access via clientless SSL VPN several times for about 3-4 weeks. The attacker was able to compromise other internal systems and stole several documents / information.
How It Happened…
1. The attacker exploited the “Authentication Bypass Vulnerability” described in CVE-2010-0568. The Cisco ASA was not patched for the vulnerability.
23. How It Was Detected…
Monthly VPN Activity Report (“Uh?”): In a monthly VPN activity report admins noticed that a user called anonwannabe logged in several times over a period of 3-4 weeks.
User anonwannabe?? (“Say What!?!?!”): The username did not conform to their Active Directory standards.
OLD CVE! CVE-2010-0568 (“Seriously?”): After further investigation, they found that VPN authentication was being bypassed in their Cisco ASA cluster as a result of CVE-2010-0568.
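The check the admins made by hand (an account in the VPN report that the directory does not know and that breaks the naming standard) is easy to automate over the monthly export. This is an added example, not code from the deck; the report format, the 3-8 lowercase-letter naming standard, the directory user set and all sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of a monthly VPN activity export (not a real ASA log format):
# "<timestamp> <username> <source-ip> <session-type>"
VPN_REPORT = """\
2010-04-01T08:12:03 jsmith 203.0.113.10 clientless
2010-04-01T09:30:11 mjones 198.51.100.7 anyconnect
2010-04-02T22:41:55 anonwannabe 192.0.2.44 clientless
2010-04-05T23:02:17 anonwannabe 192.0.2.44 clientless
2010-04-09T01:15:40 anonwannabe 192.0.2.45 clientless
2010-04-12T08:05:09 jsmith 203.0.113.10 clientless
2010-04-19T03:27:31 anonwannabe 192.0.2.44 clientless
2010-04-26T02:49:58 anonwannabe 192.0.2.46 clientless
"""

# Assumed AD naming standard: 3 to 8 lowercase letters (first initial + surname).
AD_USERNAME = re.compile(r"^[a-z]{3,8}$")

def parse_report(text):
    """Turn the export into (timestamp, user, source, session_type) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, user, src, kind = line.split()
            rows.append((datetime.fromisoformat(ts), user, src, kind))
    return rows

def find_suspect_users(rows, directory_users):
    """Flag accounts absent from the directory export or breaking the naming standard.
    A successful login by an account the directory does not know is the signature of
    an authentication bypass, so both checks are reported per user with login counts."""
    logins = defaultdict(list)
    for ts, user, src, kind in rows:
        logins[user].append((ts, src, kind))
    findings = {}
    for user, events in logins.items():
        reasons = []
        if user not in directory_users:
            reasons.append("not in directory")
        if not AD_USERNAME.match(user):
            reasons.append("violates naming standard")
        if reasons:
            dates = [e[0].date() for e in events]
            findings[user] = {"logins": len(events), "reasons": reasons,
                              "span_days": (max(dates) - min(dates)).days,
                              "sources": sorted({e[1] for e in events})}
    return findings
```

Run monthly, the same function turns the report into a short exception list instead of something an admin has to eyeball.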
25. Patch Management – Proactive Security
Lifecycle: Vulnerability Announced by Vendor → Identify Affected Devices → Identify Workarounds → Patch/Fix is Obtained → Patch/Fix is Tested → Patch is Implemented
Identification/Awareness
• You need to keep up with vulnerability announcements from vendors at all times.
Correlation
• Identify vulnerable devices
• Identify potential workarounds and network mitigations
Fix Tested and Implemented
• Test
• Certify Image/Software
• Implement
26. Incident Management – Reactive Security
Timeline: To → Te → Ti → Tc
TEvent = (Te - To), TIncident = (Ti - Te), TContainment = (Tc - Ti)
To = Time when an event occurs on the network
Te = Time when the event is detected on the network
Ti = Time when the event is classified as an incident
Tc = Time when the incident is contained on the network
27. Analyzing and Applying Security
Business Relevance: Business Goals and Objectives; Threats to Goals and Objectives. Specific business goals, and the threats to goal attainment.
Security Policies: Threat and Risk Assessment; Security Policies; Security Operations. Describes the iterative development and monitoring of security policies.
Security Principles: Visibility; Control. Describes the primary security principles that are affected by security policies.
Security Actions: Identify, Monitor, Correlate; Harden, Isolate, Enforce. Describes essential actions that enable Visibility and Control.
28. A framework for the key principles required by a network to achieve a strong security posture
Security Control Framework
Total Visibility (Identity, Trust, Compliance, Event, and Performance Monitoring):
• Identify: Identify who or what is using the network
• Monitor: Observe and monitor activities occurring on the network
• Correlate: Build intelligence from activities occurring on the network
Complete Control (Security Policy Enforcement and Event Mitigation):
• Harden: Withstand and recover from security anomalies
• Isolate: Separate and create boundaries around users, traffic and devices
• Enforce: Ensure network conforms to a desired state or behavior
Increase Security and Resiliency in Networks and Services
29. Creating Security Metrics
Provides tools for security folks to measure the effectiveness of various components of their security programs, products or processes, and the ability of staff to address the security issues for which they are responsible.
Can also help identify the level of risk in not taking a given action, and in that way provide guidance in prioritizing corrective actions.
With the gained knowledge, security managers can better answer hard questions from their executives and others, such as:
Are we secure enough? Are we more secure today than we were before? Have we improved from last year?
30. Operational Security Metrics
Incident Management
• How long does it take to identify an event?
• How long does it take to identify an incident?
• How long does it take to contain an incident?
Device Compliance
• What percent of devices are in compliance with the certified software image?
• What percent of devices are in compliance with standard configuration templates?
31. Operational Security Metrics
Patch Management
• How long does it take you to become aware of new vulnerability announcements from vendors?
• How long does it take to identify affected devices?
• How long does it take to implement workarounds (when available)?
• How long does it take for you to test and implement the fix/patch?
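The three incident-management questions on slide 30 are exactly the intervals from the slide 26 timeline (Te-To, Ti-Te, Tc-Ti), so they can be computed from incident tickets rather than estimated. This is an added example, not code from the deck; the ticket fields and the two sample incidents are constructed, and hours are used as the unit.

```python
from datetime import datetime
from statistics import mean

# Constructed incident records using the deck's four timestamps (UTC, ISO 8601).
INCIDENTS = [
    {"id": "INC-1", "To": "2010-04-02T22:00:00", "Te": "2010-05-01T10:00:00",
     "Ti": "2010-05-03T10:00:00", "Tc": "2010-05-04T10:00:00"},
    {"id": "INC-2", "To": "2010-06-10T03:15:00", "Te": "2010-06-10T05:15:00",
     "Ti": "2010-06-10T06:15:00", "Tc": "2010-06-10T18:15:00"},
]

def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def incident_intervals(inc):
    """Return TEvent = Te-To, TIncident = Ti-Te and TContainment = Tc-Ti, in hours."""
    stamps = [inc["To"], inc["Te"], inc["Ti"], inc["Tc"]]
    if stamps != sorted(stamps):  # ISO 8601 strings of equal format sort chronologically
        raise ValueError(f"{inc['id']}: To <= Te <= Ti <= Tc does not hold")
    return {"t_event": _hours(inc["To"], inc["Te"]),
            "t_incident": _hours(inc["Te"], inc["Ti"]),
            "t_containment": _hours(inc["Ti"], inc["Tc"])}

def operational_metrics(incidents):
    """Mean and worst case for the three incident-management questions on slide 30."""
    per_incident = [incident_intervals(i) for i in incidents]
    metrics = {}
    for key in ("t_event", "t_incident", "t_containment"):
        values = [p[key] for p in per_incident]
        metrics[key] = {"mean_h": mean(values), "max_h": max(values)}
    return metrics
```

The worst case matters as much as the mean: INC-1 sat undetected for four weeks, which is the VPN case study in numbers.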
34. How It Happened..
1. Found users to target from sites like Facebook.
2. You Got Mail!!! Targeted email with malicious attachment.
3. Naïve users opened the exploit that installed a backdoor.
4. Other users and devices were attacked for escalation of privileges.
5. Data was acquired from targeted servers.
6. Data was transferred externally.
35. How *It* was Detected..
They were notified by external sources that several internal confidential records/documents were posted. After post-incident forensic activity, they found several machines communicating over TCP port 6969 outside of the US.
36. What Technologies Did You Have In Place?
(Campus diagram: Core Layer, Distribution Layer, Access Layer)
• AAA in all Networking Devices
• Secure Protocols such as SSH
• Redundancy (Logical & Physical)
• NetFlow and Event Monitoring
• Firewalls
• Intrusion Prevention Systems (IPS)
• Control Plane Policing (CoPP)
• Virtual Switch Systems (VSS)
• Endpoint Protection (AV, FW)
• Layer 2 and 3 security practices
37. Quick Analysis of the Attack
Exploited Human Weaknesses
Exploited Zero-day vulnerabilities
Exploited Gaps in Infrastructure
Exploited Gaps in Network Monitoring
38. All Those Technologies and Still Got Pwned?
User Awareness Training: Social Media Threats; Security Policies; Emerging Threats. Leverage training from:
• Facebook security
• APWG
• Stop Badware
E-Reputation Monitoring and Control: Email Reputation; Web Reputation.
Why allowed traffic to ports known for Botnets?
Is monitoring enabled on all network and security devices?
39. Operational Security Metrics
User Awareness Training
• What percent of employees have read and acknowledged the corporate security policies?
Monitoring
• What percent of unauthorized data flows are found on firewalls?
• What percent of network and security devices are being remotely monitored?
• What percent of the network is being content filtered?
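The NetFlow data that was already being collected in case study 2 would have shown the TCP 6969 flows (slide 35) long before an outside party did, and the same pass yields the "percent of unauthorized data flows" metric above. This is an added example, not code from the deck; the flow records, the 10.0.0.0/8 internal range, the egress allow-list of ports 80 and 443 and the botnet-port watchlist are all assumptions, and no geolocation lookup is included.

```python
import ipaddress
from collections import defaultdict

# Constructed NetFlow-style records: (src, dst, dst_port, proto, bytes). Not a real export format.
FLOWS = [
    ("10.1.5.20", "10.1.1.10", 443, "tcp", 12000),
    ("10.1.5.20", "203.0.113.9", 443, "tcp", 5400),
    ("10.1.5.21", "198.51.100.77", 6969, "tcp", 88000),
    ("10.1.5.22", "198.51.100.77", 6969, "tcp", 91000),
    ("10.1.5.23", "203.0.113.9", 80, "tcp", 2200),
    ("10.1.5.21", "192.0.2.30", 25, "tcp", 700),
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # assumed corporate address space
ALLOWED_EGRESS_PORTS = {80, 443}                     # assumed egress policy for user segments
BOTNET_PORTS = {6969}                                # assumed watchlist; 6969 is from the case study

def is_external(ip):
    return ipaddress.ip_address(ip) not in INTERNAL

def classify_flows(flows):
    """Flag egress flows that break the allow-list and compute the unauthorized-flow percentage.
    Destinations contacted by several internal hosts on a watched port are reported separately,
    since that pattern is what the post-incident forensics found."""
    unauthorized, total_egress, by_dst = [], 0, defaultdict(set)
    for src, dst, port, proto, nbytes in flows:
        if not is_external(dst):
            continue                                  # internal traffic is out of scope here
        total_egress += 1
        if port not in ALLOWED_EGRESS_PORTS:
            reason = "botnet-port" if port in BOTNET_PORTS else "not-allowlisted"
            unauthorized.append((src, dst, port, reason))
            by_dst[(dst, port)].add(src)
    pct = 100.0 * len(unauthorized) / total_egress if total_egress else 0.0
    return {"unauthorized": unauthorized,
            "pct_unauthorized": pct,
            "shared_destinations": {k: sorted(v) for k, v in by_dst.items() if len(v) > 1}}
```

Any non-zero "shared_destinations" entry is worth an immediate look; the percentage is the number that goes on the monthly dashboard.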
42. How It Happened..
Our retail store in Mobile, Alabama was, apparently, not physically secured.
Hackers plugged and hid a wireless DEVICE on the network.
They controlled the router over an encrypted wireless connection.
They sniffed traffic to extract user credentials with escalated privileges.
Finally, they transferred sensitive data outside of the network.
43. How *It* was Detected..
Law enforcement agencies traced a number of fraudulent purchases all over the country, with one commonality – all victims had used their cards in our company stores.
44. What Technologies Did You Have In Place?
(Diagram: Branch Network connected over a Private Corporate WAN Network)
• AAA in all Networking Devices
• Secure Protocols such as SSH
• Redundancy (Logical & Physical)
• NetFlow and Event Monitoring
• Routing Protocol Security
• WAN edge acting as firewall & IPS
• Control Plane Policing (CoPP)
• QoS for traffic prioritization
• GETVPN to encrypt all WAN traffic
46. All Those Technologies and Still Got Pwned?
AAA
• Network Device Authentication?
• Network User Authentication?
• Guest Access with network restrictions?
Management
• Shutting down unused ports?
• Traffic filtering from branch to corporate network?
Physical Security / Restricted Access
• Unlocked/unrestricted wiring closets?
• Monitoring via cameras?
47. Operational Security Metrics
Device Identity Management
• What percent of unauthorized devices are on the network?
• How long does it take to locate a device from its IP address in real-time?
• How long does it take to locate a device from its IP address using historical logs?
User Identity Management
• What percent of unauthorized users are on the network?
• How long does it take to identify a user from its IP address in real-time?
• How long does it take to identify a user from its IP address from historical logs?
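"How long does it take to locate a device from its IP address using historical logs?" is a join across two log sources: DHCP leases give IP to MAC for a point in time, and switch MAC-address-table snapshots give MAC to port, which is how a hidden rogue device like the one in case study 3 gets a physical location. This is an added example, not code from the deck; the log layouts, the asset inventory and all records are constructed.

```python
from datetime import datetime

# Constructed DHCP server events, assumed fields: (time, ip, mac, "lease" | "release").
DHCP_LOG = [
    ("2010-07-01T08:00:00", "10.20.3.15", "00:11:22:33:44:55", "lease"),
    ("2010-07-01T20:00:00", "10.20.3.15", "00:11:22:33:44:55", "release"),
    ("2010-07-01T21:30:00", "10.20.3.15", "de:ad:be:ef:00:01", "lease"),
    ("2010-07-02T06:00:00", "10.20.3.15", "de:ad:be:ef:00:01", "release"),
]
# Constructed switch MAC-address-table snapshots: (time, switch, port, mac).
MAC_TABLE_LOG = [
    ("2010-07-01T08:05:00", "branch-sw1", "Gi1/0/7", "00:11:22:33:44:55"),
    ("2010-07-01T21:35:00", "branch-sw1", "Gi1/0/24", "de:ad:be:ef:00:01"),
]
# Assumed asset inventory: MACs the company actually issued.
KNOWN_MACS = {"00:11:22:33:44:55"}

def _t(stamp):
    return datetime.fromisoformat(stamp)

def mac_for_ip_at(ip, when, dhcp_log):
    """Replay lease/release events for `ip` up to `when`; the holder is the last unreleased lease."""
    holder = None
    for ts, lease_ip, mac, action in sorted(dhcp_log):  # ISO timestamps sort chronologically
        if lease_ip != ip or _t(ts) > _t(when):
            continue
        holder = mac if action == "lease" else None
    return holder

def locate_ip(ip, when, dhcp_log, mac_log, known_macs):
    """Answer "where was this IP at time X?" from historical logs: IP -> MAC -> switch port."""
    mac = mac_for_ip_at(ip, when, dhcp_log)
    if mac is None:
        return None  # no lease covered that time; check for static addressing or log gaps
    sightings = [r for r in mac_log if r[3] == mac and _t(r[0]) <= _t(when)]
    if not sightings:
        return {"mac": mac, "switch": None, "port": None, "inventoried": mac in known_macs}
    _, switch, port, _ = max(sightings)                  # most recent sighting at or before `when`
    return {"mac": mac, "switch": switch, "port": port, "inventoried": mac in known_macs}
```

A MAC that is not in the inventory is the "unauthorized device" the first metric on this slide counts; the port tells you which wiring closet to walk to.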
49. What Happened!?!?
Hackers stole customer data that was stored in a datacenter in North Carolina.
50. How Did It Happen..
A newly installed server hosting an in-house-developed application was compromised and the attacker was able to gain access to numerous records from other servers and databases.
(Data center diagram: Corporate Network; Data Center Core: Cat 6k; Aggregation Layer: Nexus 7k, ASA 5585X; Services Layer: ACE + WAF; Access Layer: Cat 6k, IPS; UCS; SAN; Storage)
51. Quick Analysis of the Attack
Exploited vulnerability in open source software used in the new application, along with other insecure coding practices
Exploited zero-day vulnerabilities in the underlying Linux operating system
Exploited Gaps in DC Infrastructure
52. What Technologies Did You Have In Place?
Firewalls, IPS, WAFs, NetFlow
(Data center diagram: Data Center Core: Cat 6k; Aggregation Layer: Nexus 7k, ASA 5585X; Services Layer: ACE + WAF; Access Layer: Cat 6k, IPS; UCS; SAN; Storage)
53. Firewalls at the aggregation layer provide an excellent filtering point and first layer of protection.
However, they do not provide isolation between servers/services.
(Data center diagram: Corporate Network; Data Center Core: Cat 6k; Aggregation Layer: Nexus 7k, ASA 5585X; Services Layer: ACE + WAF; Access Layer: Cat 6k, IPS; UCS; SAN; Storage)
54. All Those Technologies and Still Got Pwned?
Application Security
• Keep up with 3rd Party Security Patches
• Secure Code Best Practices:
- Static Analysis
- ASLR, X-Space
- Safe C Libraries and OWASP Java libraries
DC Infrastructure
Isolation provides the first layer of security for the data center and server farm. Depending on the goals of the design it can be achieved through the use of firewalls, access lists, VLANs, and/or physical separation.
55. What Happens in a Virtualized Environment..
Traffic flows within virtualized environments sometimes do not even touch physical devices. For example, traffic between these VMs does not even leave the physical hardware.
56. Virtual Security Gateways (VSGs)
• You can transparently insert a Cisco VSG into the VMware vSphere environment where the Cisco Nexus 1000V distributed virtual switch is deployed.
• One or more instances can be deployed on a per-tenant basis.
• Tenants are isolated from each other, so no traffic can cross tenant boundaries.
• You can deploy the Cisco VSG at the tenant level, at the virtual data center (vDC) level, and at the vApp level.
57. Operational Security Techniques and Metrics
Application Robustness
• How often do you perform application robustness audits (i.e., fuzzing, secure coding best practices, and patching)?
• What percentage of all applications are tested for security vulnerabilities in a consistent and repeatable manner?