Post on 09-Jan-2017
Cybersecurity Concept & Defense best practices
Presented by
Wajahat Iqbal
B.E (Computer Science), ISO 27001 LI, ISO 22301 LI
Cybersecurity Concept & Framework
Definition
The Cybersecurity domain is a collection of best practices, technologies, frameworks and standards to protect an enterprise, organization, government entity, military establishment or individual user from global cyber threats (identity theft, cyber theft, cyber ransom, infrastructure damage) that result in financial, economic, copyright information, personal identity or infrastructure loss.
Major Cybersecurity standards
NIST Cybersecurity Framework (De-facto standard)
ISO 27001 (Information Security Management Framework)
ISACA COBIT5
NIST SP800-53
NIST SP800-30
ISA 62443
ISO 27005
The Cybersecurity standards were first adopted in the Seoul (South Korea) Conference on Global Cybersecurity in 2013
Cybersecurity holistic view
Manage physical access to IT Infrastructure
Manage sensitive documents and output Devices
Monitor the Infrastructure for security related Events
Protect against Malware (most challenging)
Manage Network and Connectivity security
Manage User Identity and logical access
Protect critical and vital Infrastructure (Banks, vital industrial installations, IT, Nuclear power, Dams, Defense)
Cybersecurity Lifecycle
The Cybersecurity Lifecycle can be described aptly by Figure-1 below, which decomposes the various stages.
Figure-1: Cyber security Lifecycle (with Risk actions)
(1) Identify Business outcomes
(2) Understand Vulnerabilities and Threats
(3) Create current profile
(4) Conduct Risk assessments
(5) Apply Controls
(6) Create Target profile
(7) Determine/prioritize gaps
(8) Implement plan
(9) Report to stakeholders
(10) Continuous monitoring
Risk Actions
The most generally accepted actions in the Risk Management cycle are:
(1) Risk Acceptance
(2) Risk Transfer
(3) Risk Avoidance
(4) Risk Mitigation – the most practised action
Which action is taken depends on the Risk Appetite/Risk Tolerance threshold of an Organisation. These are drawn from the ISO 27001 Standard for ISMS, which is the most widely used and accepted standard on IT Security involving Risk Management processes.
HACKERS & ATTACKS
Threat to Cyberdefense
The damage caused by threats to Cyberdefense can be characterized by loss of “Confidentiality, Integrity or Availability (CIA)”, the basic model of Data Security as practised in ISO 27001/27002 and other globally accepted standards.
Hackers profile
The different types of Hackers are:
Individual Hacker
State Sponsored (With Political & Military Agenda)
Cyber Criminals (Organised Mafia)
Hacker Kill Chain
The Kill Chain methodology of the US aerospace major Lockheed Martin describes seven steps, from reconnaissance through actions on the objectives, and recommends that defenses be designed to align with each of the seven steps in the process below:
Summary of Kill Chain
Reconnaissance:
Finding the Host, Internet Website, Domain
Do IP Address Scan of the Business Domain
Do Port Scan of the Active hosts
Automated scanning by Botnets (Compromised Systems)
Locate Network Topology and identify potential access control Devices
Summary of Kill Chain (Cont’d)
Weaponization:
Identify the Vulnerability
Initiate the Attack
Coupling a remote access Trojan (RAT) with an Exploit into a deliverable payload, typically by means of an automated tool (the commonly used weaponizers are Adobe PDF and Microsoft Office documents)
Delivery:
Transmission of the Weapon to the targeted environment
The three most prevalent delivery vectors for weaponized payloads are Emails, Compromised Web Sites & USB removable media
Summary of Kill Chain (Cont’d)
Exploitation:
The Email, Website or USB payload exploits a Vulnerability on launch and the Hacker gets remote access to an admin Shell
Exploitation targets an Operating System or Application vulnerability
Installation:
Install Malware (Malicious Code) into Memory, Disk or the Operating System Kernel; modify the Windows registry; modify the Unix Kernel
Allow installation of a remote access Trojan or backdoor on the victim system
Summary of Kill Chain (Cont’d)
Command & Control (C2):
Compromised systems/hosts beacon back to the Master Controller to establish a C2 Channel
The Hacker gains complete control of the compromised system
Intruders have “hands on the keyboard” access to the targeted environment
Action:
This activity is data exfiltration, which involves collecting, encrypting and extracting information (e.g. Deface Website, Steal Credit Card Information, Steal Copyright Information, Steal IE passwords, Modify Banking websites, Steal medical records) etc.
BOTNET Attack (Automated)
These days professional Hackers, Malware developers and Cyber Criminals work in tandem to develop automated Tools to initiate a Cyber Attack against the intended victim/host. The mechanism is to install a remote access Trojan (RAT) on compromised systems (BOTNETS), which could number in the thousands, and then initiate the attack in phases as shown in Figure-2 (next page).
Key Components of a BOTNET Attack:
BOTNET Construction Kit
Command & Control Capability
Remote Access Trojan (RAT)
Custom developed Malware (Malicious Code) for the intended Victim/Host
(Example BOTNET Attacks - ZEUS, CITADEL, GO ZEUS)
BOTNET Attack (Automated) – Figure-2
Type of Cyber Attacks
Famous hack attacks
MALWARE
Malware:Types & Protection
SOC - CYBERSECURITY ARCHITECTURE
SOC Components
Lately the SOC has become an integral part of any Organisation, to protect itself from Cyber attacks and to detect, correct and recover from a Cyber Incident in the quickest span of time without further damage to its reputation. The critical components of a SOC are:
IDS/IPS Infrastructure
Firewall Infrastructure
SIEM (Security Information and Event Monitoring System)
Logging and Alerting mechanism
Security Incident Processes
Forensics capability
User Training & Retention
Managing Evidence
SOC Individual Process Layers
Cybersecurity Architecture
The Cyber Architecture consists of the following components:
• Network Security
• Identity, Authentication and Access Management
• Data Protection and Cryptography
• Monitoring, Vulnerability & Patch Management
• High Availability, Disaster Recovery & Physical Protection
• Asset Management & Supply Chain
• Policy, Audit, E-Discovery & Training
• Systems Administration
• Application Security
• Endpoint, Server & Device Security
Defense in Depth (DOD)
This is the most common practice employed by Organisations to create and implement a multilayered approach to Cybersecurity. It is described by the following process (Figure-3) and can be implemented at various layers of the Network Infrastructure.
9 Basic steps of Cybersecurity
These are the guidelines to follow while drawing up a comprehensive Cybersecurity program in an Organisation:
#1: Explore the Legislation and other requirements
#2: Define the Business benefits and get top Management support (Very Important)
#3: Setting the Cybersecurity requirements
#4: Choosing the framework for Cybersecurity Implementation
#5: Organizing the Implementation (Setting up Teams, PM Resources, Project Charter, Budget etc.)
#6: Risk Assessment & Mitigation (Applying Controls)
#7: Implementation of Controls
#8: Training & Awareness
#9: Continuous Monitoring and Checks, and Reporting to Senior Management (C Level Executives)
Cybersecurity operational processes
To maintain an effective Cybersecurity posture, the CISO should maintain a number of enterprise operational processes, including the following:
Policies and Policies Exception Management
Project and Change Security Reviews
Risk Management
Control Management
Auditing and Deficiency Tracking
Asset Inventory and audit
Change Control
Configuration Management Database Re-Certification
Supplier reviews and Risk assessments
Cybersecurity operational processes (Cont’d)
Cyber Intrusion Response
All-Hazards Emergency preparedness Exercises
Vulnerability Scanning, Tracking & Management
Patch Management & Deployment
Security Monitoring
Password and Key Management
Account and Access periodic Re-Certification
Privileged Account activity Audit
SANS TOP 20 CRITICAL SECURITY CONTROLS
SANS top 20 Controls
These are widely established critical controls to maintain a healthy Network security posture.
INCIDENT PROCESS & MANAGEMENT
Incident Process & Management
NETWORK PERIMETER SECURITY (BEST PRACTISES)
Network perimeter best security practises
Restrict use of administrative utilities (e.g. Microsoft Management Console)
Use a secure File permission system, i.e. NTFS & UFS File Systems
Manage Users properly, especially the Admin Accounts on Unix & Windows machines
Perform Effective Group Management for Admin, Print, Power, Server Operator & Normal Users in Windows 2000 O.S
Enforce a strong password policy and password aging for Users
Enable the Windows O.S and Unix O.S logging facility
Eliminate unnecessary Accounts (especially those of Employees who have left the Organisation)
Disable the Resource sharing service and remove hidden administrative shares – C$, ADMIN$, WINNT$ in older versions of Windows O.S
Disable unneeded Services in Unix – Telnet, Finger, tftp, NTP (Network Time Protocol)
Applications should use the latest Security patches in the Production Environment
Network perimeter best security practises
Enforce the use of NAT (Network Address Translation) & PAT (Port Address Translation) in the internal Network (Firewalls & Routers)
Enable DNS Spoofing and DoS Attack (Smurf & Directed Broadcast Attacks) mitigation policies on Gateway Routers via ACL and Cisco IOS
Enforce Best Industry practice of secure Application Coding to mitigate the “Buffer Overflow” Vulnerability in Memory
Enforce a strong password policy, password aging and lockout policy for Application Databases (Oracle, Sybase)
Install the latest O.S and Application patches as soon as they are available from Vendors
Install the latest Security patches for Browsers, Flash Players and Microsoft Applications
Update the Anti-Virus & IDS/IPS/HIDS Signatures on a frequent basis
Update the Business Continuity/DR Plan and keep the latest backup of all critical Servers
Network perimeter best security practises
Update and Install the latest Security patches for Application Gateways (Proxies), Web Filtering Devices and Firewalls
Check the Logs daily on Firewalls,IPS/IDS,HIDS for any Security Incident triggered by any malicious Activity
Implement Industry Best practices to secure the Network (NIST Guidelines,SANS 20 Critical Security Controls,NSA Guidelines etc)
Place the Mission Critical Web Servers (User Interface) on a Screened Subnet,DMZ and the backend Application Server & Oracle Database Server in the internal Network
Change the Default Password of SNMP Community string on Network Devices
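Two of the router-side practices above (the Smurf/directed-broadcast mitigation via ACL and Cisco IOS, and changing default SNMP community strings) can be checked mechanically from a saved running-config. The following audit script is an added example for this page, not part of the original presentation; it parses an IOS-style configuration and reports default SNMP communities, interfaces with `ip directed-broadcast` left on, and interfaces with no ingress or egress ACL bound. The configuration text, hostname and addresses are constructed for the example; the command syntax (`snmp-server community`, `ip directed-broadcast`, `ip access-group`) is Cisco IOS.

```python
"""Audit an IOS-style router config for perimeter hardening points:
default SNMP communities, directed-broadcast (Smurf amplification) still
enabled, and border interfaces with no ACL bound. Added example; the
sample configuration below is constructed and hypothetical."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed running-config sample (documentation address ranges).
SAMPLE_CONFIG = """\
hostname border-rtr
snmp-server community public RO
snmp-server community s3cret-string RW
!
interface GigabitEthernet0/0
 description Uplink to ISP
 ip address 203.0.113.2 255.255.255.252
 ip directed-broadcast
!
interface GigabitEthernet0/1
 description Link to stateful firewall
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
 ip access-group INGRESS in
 ip access-group EGRESS out
!
"""

DEFAULT_COMMUNITIES = {"public", "private"}   # vendor/default strings to flag


@dataclass
class Interface:
    name: str
    directed_broadcast: bool = False   # IOS default is off
    acl_in: Optional[str] = None
    acl_out: Optional[str] = None


def parse_config(text):
    """Return ([(community, mode), ...], {interface name: Interface})."""
    communities, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "!":                       # section terminator
            current = None
            continue
        m = re.match(r"^snmp-server community (\S+)\s+(RO|RW)\b", line)
        if m:
            communities.append((m.group(1), m.group(2)))
            continue
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = Interface(m.group(1))
            interfaces[current.name] = current
            continue
        if current is None or not line.startswith(" "):
            continue                          # not inside an interface block
        stmt = line.strip()
        if stmt == "ip directed-broadcast":
            current.directed_broadcast = True
        elif stmt == "no ip directed-broadcast":
            current.directed_broadcast = False
        else:
            m = re.match(r"^ip access-group (\S+) (in|out)$", stmt)
            if m and m.group(2) == "in":
                current.acl_in = m.group(1)
            elif m:
                current.acl_out = m.group(1)
    return communities, interfaces


def audit(text):
    """Return human-readable findings; an empty list means all checks passed."""
    communities, interfaces = parse_config(text)
    findings = []
    for name, mode in communities:
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"SNMP: default community '{name}' ({mode}) still configured")
    for iface in interfaces.values():
        if iface.directed_broadcast:
            findings.append(f"{iface.name}: ip directed-broadcast enabled (Smurf amplifier)")
        if iface.acl_in is None:
            findings.append(f"{iface.name}: no ingress ACL bound")
        if iface.acl_out is None:
            findings.append(f"{iface.name}: no egress ACL bound")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample, the script flags the `public` community and three problems on the ISP-facing interface, while the firewall-facing interface (directed broadcast disabled, both ACLs bound) produces no finding; feeding it a `show running-config` dump instead of the constant gives the same report for a real device.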
NETWORK PERIMETER SECURITY (CASE STUDY)
CASE STUDY – Cyber attack secure design
CASE STUDY – Cyber attack secure design
Design Features:
Border Router:A Gateway Router connects the network to the Internet and provides basic Filtering through ACL(Access Control Lists) on Ingress & Egress Interfaces
Just behind the Gateway Router is Stateful Inspection Firewall that enforces the majority of access control of the network
Public services and private services have been separated by putting them on different network segments (DMZ,Corporate & Screened Subnet)
Split DNS is being used on public DNS Server and it provides Name resolution for public services only
Intrusion Detection Systems(IDS) are located on the public,private,network perimeter end points to watch for unusual activity
The Front-end Application Web server is on the Screened Subnet and the backend Oracle DB Server is behind the Internal Firewall
CASE STUDY – Cyber attack secure design
Host-based IDS (HIDS) complement the Network IDS by adding an additional layer of security. They are placed on the individual mission critical servers (Anti-Virus, Email Proxy, Web Proxy, Internal Email Server, Oracle DB Server) to monitor the system's network activity, log files, File System integrity and User actions. A host-based IDS will also detect and generate an alarm when it detects escalation of privileges from a Guest user to an Admin Account
Host-based IDS can help detect attacks that use network IDS evasion techniques
Host-based IDS is also useful for correlating attacks picked up by Network sensors
All security log entries are sent to the SIEM (Security Information and Event Monitoring System) for Data Analysis and Forensics. The SIEM generates an Alert when suspicious activity is detected
For the Remote Office users all their Laptops are installed with Personal Firewalls to mitigate/detect Hacker entry through backdoor channels
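The daily log review and SIEM alerting described on these slides (and the port-scan reconnaissance stage of the Kill Chain earlier in the deck) can be illustrated with a small detection run over firewall logs. The script below is an added example, not part of the original presentation or any SIEM product: it parses constructed, syslog-like ALLOW/DENY records from a hypothetical firewall `fw01`, raises a `port_scan` alert when one source touches many distinct ports on one host inside a short window, and raises a `db_access` alert for any connection attempt to the backend Oracle port (1521) from a source other than the front-end web server. The addresses, thresholds and log format are assumptions made for the example.

```python
"""Detection over firewall deny/allow logs: port-scan reconnaissance and
unexpected access attempts toward the backend DB server. Added example;
log lines and addresses are constructed (documentation ranges)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WEB_SERVER = "192.0.2.10"   # front-end server on the screened subnet (constructed)
DB_SERVER = "10.0.0.20"     # backend Oracle server on the internal network (constructed)

# Constructed log sample: a scan of the web server, a probe of the DB server,
# normal traffic, an internal workstation reaching for the DB, and a junk line.
SAMPLE_LOGS = """\
2017-01-09T02:14:01 fw01 DENY TCP 198.51.100.7:40211 -> 192.0.2.10:21
2017-01-09T02:14:01 fw01 DENY TCP 198.51.100.7:40212 -> 192.0.2.10:22
2017-01-09T02:14:01 fw01 DENY TCP 198.51.100.7:40213 -> 192.0.2.10:23
2017-01-09T02:14:02 fw01 DENY TCP 198.51.100.7:40214 -> 192.0.2.10:25
2017-01-09T02:14:02 fw01 ALLOW TCP 198.51.100.7:40215 -> 192.0.2.10:80
2017-01-09T02:14:02 fw01 DENY TCP 198.51.100.7:40216 -> 192.0.2.10:110
2017-01-09T02:14:03 fw01 DENY TCP 198.51.100.7:40217 -> 192.0.2.10:143
2017-01-09T02:14:03 fw01 ALLOW TCP 198.51.100.7:40218 -> 192.0.2.10:443
2017-01-09T02:14:05 fw01 DENY TCP 198.51.100.7:40219 -> 10.0.0.20:1521
2017-01-09T02:20:11 fw01 ALLOW TCP 203.0.113.50:51000 -> 192.0.2.10:443
2017-01-09T02:20:12 fw01 ALLOW TCP 192.0.2.10:45000 -> 10.0.0.20:1521
2017-01-09T02:31:40 fw01 DENY TCP 10.0.0.33:53001 -> 10.0.0.20:1521
this line is not a firewall record
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(lines):
    """Turn raw log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({"ts": datetime.fromisoformat(d["ts"]), "action": d["action"],
                       "src": d["src"], "dst": d["dst"], "dport": int(d["dport"])})
    return events


def detect_port_scans(events, threshold=6, window=timedelta(seconds=60)):
    """One alert per (src, dst) pair that hits >= threshold distinct ports in a window."""
    alerts, by_pair = [], defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            ports = {e["dport"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(ports) >= threshold:
                alerts.append({"rule": "port_scan", "src": src, "dst": dst,
                               "ports": sorted(ports)})
                break
    return alerts


def detect_db_access(events, db_server, db_port=1521, allowed_sources=frozenset()):
    """Alert once per source that tries the DB port and is not an approved client."""
    alerts, seen = [], set()
    for e in events:
        if (e["dst"] == db_server and e["dport"] == db_port
                and e["src"] not in allowed_sources and e["src"] not in seen):
            seen.add(e["src"])
            alerts.append({"rule": "db_access", "src": e["src"], "dst": db_server,
                           "action": e["action"]})
    return alerts


def review(lines):
    """Daily review entry point: all alerts from the two rules, scans first."""
    events = parse(lines)
    return (detect_port_scans(events)
            + detect_db_access(events, DB_SERVER, allowed_sources=frozenset({WEB_SERVER})))


if __name__ == "__main__":
    for alert in review(SAMPLE_LOGS.splitlines()):
        print(alert)
```

On the sample this yields three alerts: the scan of the web server (eight distinct ports in two seconds, counted across ALLOW and DENY records, since an allowed hit on 80 or 443 is still part of the sweep), the external probe of the Oracle port, and the internal workstation that tried the DB directly. The approved web-to-DB flow produces no alert, which is the point of whitelisting the front-end server rather than alerting on every DB connection.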
CASE STUDY – Cyber attack secure design
All configuration of security devices is performed from the management console
Additionally one can install TACACS,RADIUS Servers to monitor Users access on the Gateway Router and other mission critical Servers
The sample Rule base configured for the above Network Design on the Stateful Inspection Firewall can be as follows (for illustrative purposes only; see next page):
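To make the segmentation rules of the case study concrete, here is an added example that models the Stateful Inspection Firewall as code. It is not the author's rule base from the deck: zones, addresses and rule names are constructed for the example. The model applies a first-match rule base with a default deny, keeps a connection table so that only the reply direction of sessions the rules admitted is passed, and replays a constructed traffic sample: Internet clients reach only the web server on the Screened Subnet, the web server alone may reach the Oracle port on the internal network, the DB server cannot initiate traffic outward, and a management subnet reaches the devices it administers.

```python
"""Stateful, first-match, default-deny firewall model for the case-study
design (border router -> stateful firewall -> screened subnet / internal).
Added example; all zones, addresses and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the case-study segments (documentation ranges).
WEB_SERVER = "192.0.2.10"   # front-end web/app server on the screened subnet
PUBLIC_DNS = "192.0.2.53"   # split-DNS public server on the screened subnet
DB_SERVER = "10.0.0.20"     # Oracle DB server on the internal network
ZONES = {                   # most specific first; anything unmatched is "internet"
    "mgmt": ipaddress.ip_network("10.0.9.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "screened": ipaddress.ip_network("192.0.2.0/24"),
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                     # "allow" or "deny"
    proto: str = "any"
    dport: Optional[int] = None     # None = any destination port
    src_host: Optional[str] = None  # None = any host in src_zone
    dst_host: Optional[str] = None  # None = any host in dst_zone


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def matches(rule, pkt):
    return (rule.src_zone == zone_of(pkt.src)
            and rule.dst_zone == zone_of(pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport)
            and rule.src_host in (None, pkt.src)
            and rule.dst_host in (None, pkt.dst))


# First-match rule base; anything not matched falls through to the default deny.
RULES = [
    Rule("web-https", "internet", "screened", "allow", "tcp", 443, dst_host=WEB_SERVER),
    Rule("web-http", "internet", "screened", "allow", "tcp", 80, dst_host=WEB_SERVER),
    Rule("public-dns", "internet", "screened", "allow", "udp", 53, dst_host=PUBLIC_DNS),
    Rule("app-to-db", "screened", "internal", "allow", "tcp", 1521, WEB_SERVER, DB_SERVER),
    Rule("dmz-isolation", "screened", "internal", "deny"),   # nothing else leaves the DMZ inward
    Rule("mgmt-ssh", "mgmt", "screened", "allow", "tcp", 22),
    Rule("outbound-web", "internal", "internet", "allow", "tcp", 443),
]


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()   # 5-tuples of connections the rule base admitted

    def filter(self, pkt):
        """Return (verdict, reason) for one packet and update the session table."""
        # Reply direction of an admitted session passes without a rule lookup.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "allow", "established"
        for rule in self.rules:
            if matches(rule, pkt):
                if rule.action == "allow":
                    self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action, rule.name
        return "deny", "default-deny"


def run_scenario():
    """Replay a constructed traffic sample; returns {flow name: (verdict, reason)}."""
    fw = StatefulFirewall(RULES)
    client = "203.0.113.50"   # constructed Internet client
    flows = [
        ("client->web 443", Packet("tcp", client, 51000, WEB_SERVER, 443)),
        ("web->client reply", Packet("tcp", WEB_SERVER, 443, client, 51000)),
        ("client->db 1521", Packet("tcp", client, 51001, DB_SERVER, 1521)),
        ("web->db 1521", Packet("tcp", WEB_SERVER, 45000, DB_SERVER, 1521)),
        ("web->internal smb", Packet("tcp", WEB_SERVER, 45001, "10.0.0.33", 445)),
        ("db->client unsolicited", Packet("tcp", DB_SERVER, 1521, client, 51002)),
        ("mgmt->web ssh", Packet("tcp", "10.0.9.5", 52000, WEB_SERVER, 22)),
        ("internal->internet 443", Packet("tcp", "10.0.0.33", 53000, client, 443)),
    ]
    return {name: fw.filter(pkt) for name, pkt in flows}


if __name__ == "__main__":
    for name, (verdict, reason) in run_scenario().items():
        print(f"{name:24} {verdict:5} ({reason})")
```

The order of the rules matters: `app-to-db` must sit before `dmz-isolation`, or the explicit deny would swallow the one DMZ-to-internal flow the design requires. The session table is what makes the firewall "stateful" in the sense the slide uses: the web server's reply to the client is admitted because the client's request created a session, while the DB server's unsolicited packet toward the Internet hits no session and no rule and is dropped.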
CASE STUDY – Cyber attack secure design
CONCLUSION
Conclusion Note:
The process of securing and making a perfect “Digital World” is an ongoing, continuous journey, and with the ever-changing modus operandi of Hackers and Cyber Criminals globally, we always have to be one step ahead in the race to protect our Digital Assets, Intellectual Property, Identity and Infrastructure.
Thank You
(Wajahat Iqbal)
Disclaimer Note:
This is Copyright Material © of Wajahat Iqbal (2016) and the Information shown is collected from Internet repositories; any typo, error or omission is regretted on behalf of the Author. The Author does not hold any responsibility or liability for the incorrectness of the Information shared. This technical presentation can be shared/printed/distributed, keeping in view that Credit is given rightly to the Author.
Contact E-Mail: Wajahat_Iqbal@Yahoo.com
LinkedIn: http://www.linkedin.com/in/wiqbal