1-3b-PacSec_Steve_Manzuik

Managing A Secure Infrastructure – Tales From the Trenches
November 6, 2003
About the Speaker
• Steve Manzuik – Director, SecuritySensei.Com
• Founder / Moderator of Vulnwatch.Org
• Founder of Win2KSecAdvice mailing list
• Member of nmrc.Org
• Co-Author of Hack Proofing Your Network
• Participant – Open Web Application Security Project (OWASP.org)
• Participant – Open Source Vulnerability Database (OSVDB.org)
www.nmrc.org
Outline
• Security today
• Failures in Security
• Succeed in Security
Security Today
• Vulnerabilities will always exist
• Typical organizations have made large investments in network and security infrastructure
• Incidents still occur at high rates
• Past investments do not support the business need
• Security warnings to upper management are seen as the new Y2K hype.
• It is time for organizations to stop buying the latest security toy and actually secure their networks.
You Have Been Lied To!
• All the Firewalls and Intrusion Detection devices in the world will not protect you.
• Most organizations do not have a firm grasp of their entire infrastructure.
• Aggressive Firewall configurations prohibit business and prohibit productivity.
• Network Intrusion Detection has limited value in most organizations.
• Security is not a magic black box or application.
• Security is NOT a black art.
Failures in Security
• Firewalls
• Intrusion Detection
• Wall of Shame
Expensive Logging Devices: Firewalls
• “But we have a firewall, we are completely protected…….”
• “We have invested in world class firewall technologies… …we are secure.”
• “Why would we want to block people from getting out?”
• “A hacker would have to break into our firewall in order to gain access….”
• “You mean you have to patch a firewall?”
Expensive & Confusing Logging Devices: IDS
• “Well our IDS didn’t see anything wrong…”
• “There were just too many alerts so I turned it off….”
• “I didn’t understand what SHELLCODE x86 NOOP was so I ignored it….”
• “ISS told us that it wasn’t possible….”
• “What do you mean I can’t monitor this switch…”
• “No one watches the console on weekends and holidays…..”
Other Examples: Wall of Shame
• “Passwords just made implementing the technology too difficult for our users…”
• “What exactly do you mean by audit process?”
• “We spent 2 million dollars on firewalls and other security solutions and 2 thousand dollars on testing those systems….”
• “We don’t exactly have a security department but Joe in the server group is a hacker so I am sure he is taking care of us….”
• “But our vendor hasn’t told us anything about….”
• “But that is a localhost issue…..”
What does this all mean?
• A proper security posture combines people, process and technology.
• Most organizations rely on technology, leaving their security posture weak and vulnerable.
Success in Security
“The greatest security infrastructures are the ones that satisfy the most business needs while allowing for uninhibited network communications between employees, business partners, vendors, and customers.”
Success in Security
• Do not let vendors use your fear, uncertainty and doubt against you.
• It is a lot of work, but when approached in a logical and calm fashion Information Security can be improved.
• Never think you are completely secure.
Succeed in Security: Awareness
• All the security in the world can be trumped by the double click of an email attachment.
• If your users are not aware – they are your greatest threat.
• If your Administrators are not educated – they are unarmed and unable to be proactive.
Succeed in Security: Know Your Assets
• If you don’t know what you have or what it does – how do you plan on protecting it?
• If you don’t know your business, how will you enable it?
• Data and system classification is essential.
• Large organizations must approach security based on risk.
Succeed in Security: Host Security
• Secure baseline configurations – the technical starting point of a truly secure infrastructure.
• Thwarting the attacker by leveraging technology you already have.
• Helps improve desktop & server support processes and actually reduces long term support costs.
Succeed in Security: Monitoring
• Logical combinations of network and host based monitoring can be valuable.
• Log management is valuable.
• Technical education is far more valuable than the technology itself.
• Do the right people know when a device is added to the network? What about removed?
Succeed in Security: Validation
• Penetration Testing over Vulnerability Assessment.
• Intrusion Detection Validation and tuning is essential.
• Firewall rule and configuration validation is essential.
• Don’t forget about phones and wireless devices.
Succeed in Security: Other Tips
• Explicit trust is a dangerous game.
• Users are not malicious for the most part but must be protected against themselves.
• Don’t overlook email threats.
• Don’t overlook social engineering threats.
Succeed in Security: Other Tips
• Build a trusted relationship with a security consulting organization that is vendor neutral.
• Observe what other organizations in similar industries and of similar size are doing.
Closing
• Questions?
Steve Manzuik