TACOM 2014: Back To Basics
Back to Basics for Information Security
Joel Cardella
Director, Information Security
Holcim US
Biographical Info
• Joel Cardella
• 20 years in Information Technology
• Network Operations
• Data Center
• Telecommunications
• Health Care
• Manufacturing
• Currently Regional Security Officer for a multinational industrial manufacturing organization
• Passionate evangelist of infosec
Security problems in the news
The (abbreviated) story of Mat
Who
• Mat Honan is a digital journalist, writing for Wired, Gizmodo and a number of digital magazines
• On August 3, 2012, hackers used simple social engineering to trick Amazon and Apple into providing information that would allow them to take over the AppleID of Wired reporter Mat Honan
• The information involved: name, email address, billing address, last 4 digits of the credit card on file
What
• Mat had the following happen:
• Gmail account compromised & deleted
• Me.com email account compromised
• Apple (icloud.com) ID compromised
• Remote wipe of iPhone
• Remote wipe of Macbook
• Twitter account compromised
• It was 10 minutes between when he noticed his iPhone being wiped and calling AppleCare
• By then it was far too late – 30 minutes earlier the hack had occurred
• 2 minutes later the hackers posted on his hacked Twitter account
Why
• Mat is a public figure, so it’s expected you can find more info on him than on a non-public figure
• However, our hackers had only one thing in mind when they hacked his account – what do you think it was?
• He had a 3-letter Twitter name (@mat) and they liked it and wanted to use it
Poor basic practices
• While this hack was clever, Mat also observed poor basic security practices
• “My Twitter account linked to my personal website, where they found my Gmail address.”
• He re-used the same username/email name (and possibly password)
• “If I had some other account aside from an Apple e-mail address, or had used two-factor authentication for Gmail, everything would have stopped [when the hackers accurately guessed that information].”
Figure: a Maslow-style pyramid of security needs, with layers labelled Critical, High, Medium, Low and Other controls. Basic security starts with foundations.
http://infospectives.me/2014/07/31/modifying-maslow-what-really-drives-your-infosec-needs-the-state-of-security/
Unfortunately… (figure: what actually drives the decisions): Buy latest hyped product, Panic, Pray, Hope, Procrastinate
http://infospectives.me/2014/07/31/modifying-maslow-what-really-drives-your-infosec-needs-the-state-of-security/
• “…if your roof has leaks, you fix the leaks in the roof before you remodel the house, right?”
• John Pescatore, SANS
http://www.techrepublic.com/blog/tech-decision-maker/it-security-fix-the-leaky-roof-before-remodeling-the-house/
Pareto principle
• Aka the 80/20 rule
• In anything, a few (20) are vital and many (80) are trivial
• In security terms: focusing on 20% of your basics can address 80% of your risk
3 key words
Part 1: Personal Basics
Walls of separation
• Build walls of separation between your online identities
• Do not reuse usernames
• Do not reuse email addresses
• Do not reuse passwords
• Separate work from home, bank from everything
• Use password managers to help with this
• Keepass (http://keepass.info/)
• LastPass (https://lastpass.com/)
• 1Password (https://agilebits.com/onepassword)
Strong passwords
• Minimum complexity of Upper, Lower, Number & Symbol, plus spaces if you can
• Passphrases are the best choice if available
• Use spaces where you can, form “words”
• Mis-spelling of words helps!
• Minimum 10 characters – for now…
Rainbow tables guess passwords
https://www.freerainbowtables.com/
Multifactor where available
Something you know + Something you have = Strong authentication
Social media
Whether or not you are out there, you are out there!
Part 2: Enterprise Basics
The basics
PREVENT
DETECT
RESPOND
RECOVER
Risk Defined in Security Terms
THREATS (offense, likelihood) × VULNERABILITIES (defense, impact) = RISK
• Threats drive the risk calculation; threats increase risk
• Dealing with vulnerabilities reduces risk
• When a threat connects with a vulnerability, there is impact
Source: Dr Eric Cole, SANS
Critical security controls
• Quick wins
• Ways to monitor & measure
• Easy way to speak to your business / create scorecard
Rapid approach to the basics
• Application whitelisting (CSC 2/DSD 1)
• Use of standard, secure system configurations (CSC 3)
• Patch application software within 48 hours (CSC 4/DSD 2)
• Patch system software within 48 hours (CSC 4/DSD 3)
• Reduce number of users with administrative privileges (CSC 3 and 12/DSD 4)
• DSD suggests these will fit into the Pareto principle and address 80% of your risks
Part 3: Basics in Depth
Basic attack pattern of all intruders
Inbound connection → Open a port / start a service → Outbound connection
For basics, what can we focus on to mitigate this attack pattern?
Recon your network
• What are your assets?
• Hardware
• Software
• Are you aware of authorized vs unauthorized assets?
• Can you tell when this changes?
• ARE YOU SURE?
Recon – things TO DO
• Create a standard user account
• Log in from the outside and from the inside (both sides of your firewall)
• Where can you go? What can you see? What do you have access to?
• Do you understand what you are seeing?
• Are you forgetting anything? Look for examples of what other breaches have occurred and what they have tried
• Threat modeling works well here
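The two recon slides above ask whether you know your authorized hardware and software and whether you can tell when that changes. The following added example, not part of the talk, reconciles a constructed authorized inventory (what the CMDB says) against a constructed observed snapshot (what a scan or agent reported) and reports unauthorized assets, missing assets and drift on known hosts; all MAC addresses, hostnames and package names are made up.

```python
"""Added example, not part of the slides: reconcile an authorized asset
inventory against what was actually observed on the network, so "can you
tell when this changes?" has a concrete answer. All data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    software: frozenset  # packages/services reported by the host agent or scan


# Authorized baseline keyed by MAC address: what the CMDB says should exist.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": Asset("fileserver01", "10.0.1.10", frozenset({"smbd", "openssh-server"})),
    "aa:bb:cc:00:00:02": Asset("hr-app01", "10.0.1.11", frozenset({"nginx", "openssh-server"})),
    "aa:bb:cc:00:00:03": Asset("backup01", "10.0.1.12", frozenset({"bacula-fd", "openssh-server"})),
}

# Observed snapshot from today's scan (constructed): backup01 is gone, an
# unknown laptop appeared, and fileserver01 now runs an FTP daemon nobody approved.
OBSERVED = {
    "aa:bb:cc:00:00:01": Asset("fileserver01", "10.0.1.10", frozenset({"smbd", "openssh-server", "vsftpd"})),
    "aa:bb:cc:00:00:02": Asset("hr-app01", "10.0.1.11", frozenset({"nginx", "openssh-server"})),
    "de:ad:be:ef:00:09": Asset("unknown-laptop", "10.0.1.77", frozenset({"chrome"})),
}


def reconcile(authorized, observed):
    """Answer the three recon questions: which observed assets are unauthorized,
    which authorized assets went missing, and which known hosts drifted
    (software set or identity changed)."""
    unauthorized = sorted(set(observed) - set(authorized))
    missing = sorted(set(authorized) - set(observed))
    drift = {}
    for mac in set(authorized) & set(observed):
        before, after = authorized[mac], observed[mac]
        changes = {}
        if after.software != before.software:
            changes["software_added"] = sorted(after.software - before.software)
            changes["software_removed"] = sorted(before.software - after.software)
        if after.ip != before.ip or after.hostname != before.hostname:
            changes["identity"] = f"{before.hostname}/{before.ip} -> {after.hostname}/{after.ip}"
        if changes:
            drift[mac] = changes
    return {"unauthorized": unauthorized, "missing": missing, "drift": drift}


def has_changed(authorized, observed):
    """The slide's yes/no question: did anything change since the baseline?"""
    r = reconcile(authorized, observed)
    return bool(r["unauthorized"] or r["missing"] or r["drift"])
```

Running this against each new scan, and keeping the report, is what turns "ARE YOU SURE?" into evidence.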
Account management – WHAT TO ASK
• What types of accounts exist in your enterprise?
• Do you know who owns those accounts?
• Do you know if those accounts are still valid?
• If you have system or service accounts, do you know what
they have access to (zones)?
• ARE YOU SURE?
Account management – WHAT TO DO
• Manage your accounts by policy and technical enforcement
• Expire passwords/password complexity
• Use ACLs to manage access to your systems
• Restrict access within your zones
• Enforce 2nd factor authentication for vendor/contractor access
• For employees if you can! For everyone!
• Inventory your accounts and their parameters
• Know your vendors by their accounts
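The account-management slides ask whether every account has a known owner, is still valid, has a 2nd factor where required, and is limited to the zones it should reach. The following added example, not from the talk, runs those checks over a constructed account inventory with constructed policy values (allowed zones per account type, a 90-day password age, 2nd factor required for vendors and contractors).

```python
"""Added example, not part of the slides: review an account inventory against
the account-management policy the slides describe. Accounts, owners, zones
and policy thresholds are all constructed for illustration."""
from datetime import date

# Constructed account inventory: the "parameters" the slide says to record.
ACCOUNTS = [
    {"name": "jsmith", "type": "employee", "owner": "jsmith", "valid_until": None,
     "mfa": True, "zones": {"office"}, "pw_age_days": 40},
    {"name": "acme-support", "type": "vendor", "owner": "procurement",
     "valid_until": date(2014, 3, 31), "mfa": False, "zones": {"plant-dmz"}, "pw_age_days": 200},
    {"name": "svc-backup", "type": "service", "owner": None, "valid_until": None,
     "mfa": False, "zones": {"datacenter", "office"}, "pw_age_days": 400},
    {"name": "contractor-lee", "type": "contractor", "owner": "eng-mgr",
     "valid_until": date(2014, 12, 31), "mfa": True, "zones": {"office"}, "pw_age_days": 10},
]

# Policy (constructed): zones each account type may touch, maximum password
# age, and which account types must present a 2nd factor.
ALLOWED_ZONES = {"employee": {"office"}, "vendor": {"plant-dmz"},
                 "contractor": {"office"}, "service": {"datacenter"}}
MAX_PW_AGE_DAYS = 90
MFA_REQUIRED_TYPES = {"vendor", "contractor"}


def review_accounts(accounts, today):
    """Return {account name: [finding, ...]} for every account failing a check.
    Accounts with no findings are omitted, so an empty dict means 'all clean'."""
    findings = {}
    for acct in accounts:
        issues = []
        if acct["owner"] is None:
            issues.append("no owner")
        if acct["valid_until"] is not None and acct["valid_until"] < today:
            issues.append("expired")
        if acct["type"] in MFA_REQUIRED_TYPES and not acct["mfa"]:
            issues.append("2nd factor not enforced")
        if acct["pw_age_days"] > MAX_PW_AGE_DAYS:
            issues.append("password older than policy")
        extra = acct["zones"] - ALLOWED_ZONES.get(acct["type"], set())
        if extra:
            issues.append("zones outside policy: " + ", ".join(sorted(extra)))
        if issues:
            findings[acct["name"]] = issues
    return findings
```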
Controlled access – WHAT TO ASK
• What systems can talk to each other?
• Are they in different zones? Do they need to be?
• Do your business people have access to information they do not need to do their jobs?
• Do your administrators have more access than they need to do their jobs?
• What about non-admins?
• ARE YOU SURE?
Controlled access – WHAT TO DO
• Access based on need to know/need to work
• Classification scheme is needed for this
• Establish a policy of access based on need to know/need to work
• Establish approval mechanism for special exceptions
• Talk to the business to find out what access they need, and create a Segregation of Duties (SoD) matrix
• Enforce SoD through system constraints and involve the business in the SoD approvals
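One way to "enforce SoD through system constraints" is to check role assignments against the SoD matrix before and after access is granted, with business-approved exceptions recorded explicitly. The following added example (not the talk's own material) does that over a constructed matrix, constructed role assignments and one constructed approved exception.

```python
"""Added example, not part of the slides: enforce a Segregation of Duties
(SoD) matrix over directory role assignments, honouring exceptions approved
through the special-exception mechanism. All names here are constructed."""

# SoD matrix: pairs of roles one person must never hold together (constructed).
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"submit_expense", "approve_expense"}),
    frozenset({"change_firewall_rule", "approve_security_change"}),
}

# Role assignments as they exist in the directory today (constructed).
ASSIGNMENTS = {
    "alice": {"create_vendor", "approve_payment"},
    "bob": {"submit_expense"},
    "carol": {"change_firewall_rule", "approve_security_change", "read_logs"},
    "dave": {"approve_expense", "read_logs"},
}

# Exceptions the business approved: (user, conflicting pair) -> approver.
# Anything not listed here is a violation, however long it has existed.
APPROVED_EXCEPTIONS = {
    ("carol", frozenset({"change_firewall_rule", "approve_security_change"})): "ciso",
}


def find_violations(assignments, conflicts, exceptions):
    """Periodic review: {user: [sorted conflicting pair, ...]} for every
    unapproved SoD conflict present in the current assignments."""
    violations = {}
    for user, roles in assignments.items():
        for pair in conflicts:
            if pair <= roles and (user, pair) not in exceptions:
                violations.setdefault(user, []).append(sorted(pair))
    return violations


def would_violate(user, new_role, assignments, conflicts, exceptions):
    """Pre-grant check for an access request: True if adding new_role to the
    user's current roles creates an unapproved conflict."""
    proposed = assignments.get(user, set()) | {new_role}
    return user in find_violations({user: proposed}, conflicts, exceptions)
```

The pre-grant check is what stops a new conflict at approval time; the periodic review catches conflicts introduced by later changes, which is the "working as designed?" question the next slides raise.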
Network Segmentation (figure): a Vendor Account reaches a set of Target PCs through VPN and AD.
• Account management in place
• Access is controlled to these resources
• Changes over time to firewall rules create holes
• Changes to access control lists also create holes
• Our controls are in place … but are they working as designed? ARE YOU SURE?
• Recon + threat modeling
Two factor (figure): the same Vendor Account, VPN, AD and Target PCs with a 2nd factor challenge added.
• Two factor is a strong defense against external intrusion
• Systems allow account logins at the OS
• Internal firewalls have holes
Scenario 2 – Vendor account has privileges escalated (figure): same components, 2nd factor challenge in place.
• Systems allow account logins at the OS but only for privilege
• Internal firewalls have holes
Backup strategy – WHAT TO ASK
• Do you have a backup strategy?
• Is it documented?
• Does it align with your business needs?
• Backups cost money, time and resources
• Do you back up more than you need?
• Do you have resources to verify/restore backups?
• Do you regularly test backups?
• When was the last time you did and what were the results?
• Did you document this?
• ARE YOU SURE?
Backup strategy – WHAT TO DO
• Create a policy for regular backups
• Identify critical systems & backup frequency
• If you have a DRD in place make sure it’s being adhered to
• Document a Recovery Time Objective (RTO) and a Recovery Point Objective (RPO) for your backups
• This aligns with disaster planning / BCP
• Must be done in alignment with your business
• VERIFY YOUR BACKUPS
• This is not negotiable or avoidable!
Change management
• Who approves your security changes?
• Is this documented and reviewed periodically?
• Who reviews your security changes for accuracy?
• Who follows up to verify the changes are still accurate?
• Document reasons for changes, approvals and mitigations
• ARE YOU SURE?
Establish a governance calendar
• The calendar contains your regular cadence of review activity
• You can script reminders to the entities responsible for the review
• SharePoint
• Google scripts (Google calendar)
• Work this activity into your existing processes so they get prioritized
• Time box those activities!
• Get SLAs/SLOs for teams on which you rely to perform these activities
Sample Governance Calendar (figure): a yearly grid by quarter (Q1–Q4) and month (Jan–Dec) with lanes for Operations, Security and Data Center. Entries: DR Testing, Recon (twice), Backup testing (three times), AD review (three times), Mid year audit, Audit.
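The governance-calendar slides say to script reminders, time-box each review and hold owners to an SLA. The following added example, not from the talk, turns a constructed calendar modelled on the sample above (owner lanes, occurrences per year, SLA in days) plus a constructed completion log into a status list and a per-owner reminder list; a review whose SLA has lapsed with nothing documented is reported as overdue.

```python
"""Added example, not part of the slides: expand a governance calendar into
time-boxed review occurrences and work out who needs a reminder because a
review's SLA lapsed. Cadences, SLAs and the completion log are constructed."""
from datetime import date, timedelta

# Recurring reviews: owning lane, occurrences per year, and the SLA (days the
# owner has after the due date to complete and document the review).
CALENDAR = [
    {"name": "AD review", "owner": "Security", "per_year": 3, "sla_days": 14},
    {"name": "Backup testing", "owner": "Data Center", "per_year": 3, "sla_days": 14},
    {"name": "Recon", "owner": "Security", "per_year": 2, "sla_days": 30},
    {"name": "DR testing", "owner": "Operations", "per_year": 1, "sla_days": 30},
    {"name": "Audit", "owner": "Operations", "per_year": 2, "sla_days": 30},
]

# Completion log (constructed): (review name, due date) pairs that were done
# and documented. Anything not listed here has no evidence behind it.
COMPLETED = {
    ("AD review", date(2014, 1, 1)), ("Backup testing", date(2014, 1, 1)),
    ("Recon", date(2014, 1, 1)), ("DR testing", date(2014, 1, 1)),
}


def due_dates(item, year):
    """Spread an item's occurrences evenly over the year, starting in January."""
    step = 12 // item["per_year"]
    return [date(year, 1 + k * step, 1) for k in range(item["per_year"])]


def review_status(calendar, completed, today):
    """Classify every occurrence due on or before `today` as done, open
    (still inside its SLA window) or overdue (SLA lapsed, nothing documented)."""
    rows = []
    for item in calendar:
        for due in due_dates(item, today.year):
            if due > today:
                continue
            if (item["name"], due) in completed:
                state = "done"
            elif today <= due + timedelta(days=item["sla_days"]):
                state = "open"
            else:
                state = "overdue"
            rows.append({"review": item["name"], "owner": item["owner"],
                         "due": due, "state": state})
    return rows


def overdue_by_owner(calendar, completed, today):
    """Who gets a reminder: owner lane -> reviews whose SLA has lapsed."""
    result = {}
    for row in review_status(calendar, completed, today):
        if row["state"] == "overdue":
            result.setdefault(row["owner"], []).append(row["review"])
    return result
```

The output of overdue_by_owner is what a scheduled job (SharePoint, Google Apps Script or a plain cron job) would send as the reminder.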
Important Enterprise Infosec Lessons
1. There is no magic bullet – infosec is multi-layered and multi-disciplinary
2. Infosec will cost you time, money and resources – measure your value appropriately
3. Infosec is an active discipline; it requires care and feeding, you cannot install and forget
4. Time is the enemy of infosec; the longer it takes, the higher the risks
5. Infosec is a value add for your business, and it is up to you to show it – in many cases it IS the business
6. Infosec is not a department of “no.” Market yourself like a startup
Security basics put simply…
• If you think technology can fix security, you don’t understand technology and you don’t understand security.
• The root cause of a security incident is rarely about the technology and almost always about the implementation.
• Humans will always be the weakest link in the security chain. Awareness will mitigate the vast majority of your security issues … spend time and money on educating everyone in your company about security.
Tools & references list
• http://csc-hub.com/ - Ken Evan’s awesome 20 CSC site
• http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx - AD rights delegation
• http://sectools.org/ - List of pay and free network tools
• http://www.poshsec.com/ - Powershell scripts that support the 20 CSC
• http://www.asd.gov.au/infosec/top35mitigationstrategies.htm - Australian DSD Top 35
• http://www.counciloncybersecurity.com – Council on Cybersecurity
• http://www.jwgoerlich.us/blogengine/post/2014/04/29/Update-on-Story-Driven-Security.aspx - J. Wolfgang Goerlich and Nick Jacob’s work on effective threat modeling
• http://www.theguardian.com/commentisfree/2014/may/06/target-credit-card-data-hackers-retail-industry - Brian Krebs’ op-ed on the current state of the Target breach and some of the false pretense
Contact info
• Joel Cardella
• LinkedIn: https://www.linkedin.com/pub/joel-cardella/0/107/412
• Twitter: @JoelConverses or @jscardella
• Email: [email protected]
• IRC: #misec on Freenode (joel_s_c)