Defense in Depth
A COMPREHENSIVE PERSPECTIVE

Evolve IP
989 Old Eagle School Road, Suite 815
Wayne, PA 19087, USA
610.964.8000
www.evolveip.net
Table of Contents
Introduction ........ 3
The Need ........ 4
Top Internet Security Risks ........ 6
The Anatomy of an Attack ........ 8
Introduction to Defense in Depth ........ 10
Layers of Defense in Depth ........ 11
Conclusions and Next Step Considerations ........ 16

Acknowledgements
Carl Herberger
Vice President, Information Security & Compliance Services
Evolve IP | 989 Old Eagle School Road – Suite 815 | Wayne, PA 19087 | 610.964.8000 | info@evolveip.net
Page 2 of 20
Introduction
In the Information Age, the "connected" nature of the world is a blessing and a curse. Increasingly, distances between business partners and vendors have become logically smaller; developing nations have access to the global economy, and always-on, always-connected communications have become the standard. Nevertheless, along with connectivity come risks; the very nature of this ubiquitous connectivity implies that we gain access to systems outside of our control while exposing our own networks to the outside world. For every business partner we grant access to, there are thousands of hackers preparing to do us harm.
The purpose of this paper is to explain just how those attacks take place, to demonstrate that your business's susceptibility to these attacks is greater than you may think, and to explain the concept of Defense in Depth as a means to mitigate that susceptibility. Armed with this information, business owners, CIOs and IT Directors should consider whether their business is prepared to meet the demands of a Defense in Depth strategy or if selective outsourcing of these services is the best path for success.
The Need
Why be concerned about network security? What are the real dangers and underlying business risks? And most importantly, how does your business justify spending time, resources and money on network security? The cost of ownership of any security investment is difficult to discern, as network security is largely considered protection, "insurance" if you will. It is equally difficult to calculate exactly what the potential financial risks are to your organization, should you be attacked. Despite the difficulties of determining the costs and risks, the converse (not taking the threat seriously) could be disastrous.
In a 2008 survey of 522 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities, 46 percent of these organizations had experienced a security incident while 13 percent did not know. Security incidents in this statistic do not include the standard "noise" that any good security plan would counteract (like spam), but instead reference real infiltrations into the business network. Keep in mind that the respondents to this survey are security and IT professionals. In smaller businesses, where dedicated security or even dedicated IT staff are a luxury, the numbers are even higher.
[Figure: Average Annual Losses, bar chart with values $167,713, $345,005 and $288,618 (y-axis $0 to $350,000; x-axis labelled 2007, 2008, 2009). Source: CSI Computer Crime & Security Survey, 2008.]
Respondents' estimates of the losses caused by various types of computer security incidents averaged $288,618, down from $345,005 last year, but up from the low of $167,713 two years ago. The most expensive computer security incidents were those involving financial fraud, with an average reported cost of close to $500,000 (Richardson, Robert, CSI Computer Crime & Security Survey, 2008). The second most expensive was dealing with "bot" computers within the organization's network, reported to cost an average of nearly $350,000 per respondent.
Gartner estimates that, although fewer than 10 percent of the attacks on the Internet are targeted against a single company, the financial impact to an individual business of a single successful targeted attack will be 50 to 100 times greater than the impact of a successful worm or virus event (Pescatore, John, Gartner, 2005).
[Figure: Cost of Security Incident Response (in millions); categories Virus-Type Incidents, Theft, Financial Fraud and Network Intrusions; values shown $2.8, $3.2, $2.7 and $12.0. Source: "Computer crime costs $67 billion, FBI says", Joris Evers, CNET News, 2006.]
Many companies make the incorrect assumption that they are not the kind of business that is a "target" for hackers. That assumption is wrong on two levels. First, companies are targeted based on their susceptibility to attack (further explained below under The Anatomy of an Attack): the less secure you are, the more apt you are to become a target. Second, many attacks utilize non-targeted processes, such as phishing (spam) or web-based malware, as a means of attack, which further undermines the traditional 'not a target' reasoning. In these types of attacks, your network becomes susceptible based on the behavior of your employees while using legitimate mediums such as email or the web.
In fact, these types of attempts are on the rise: according to Cisco, daily spam volumes nearly doubled in 2008 relative to 2007. Even more concerning is that a method of propagating malware which reached new levels of popularity in 2008 is compromising legitimate websites to make them hubs for malware distribution. Cisco data shows that exploited websites are currently responsible for more than 87 percent of all Web-based threats. Additionally, according to security audit provider White Hat Security, more than 79 percent of the websites hosting malicious code are legitimate websites that have been compromised (Cisco 2008 Annual Security Report, January 2009). In 2008, an unprecedented amount of financial fraud was perpetrated: hundreds of pages of Businessweek.com were compromised in an attempt to serve malware to the site's users, new phishing attacks were built to look like the IRS, Better Business Bureau, US District courts and countless well-known financial institutions, and a Craigslist posting was used to commit a bank robbery. However your business calculates risk, there is no question that a sound network security policy is essential.
Surprising to some, most data breaches investigated were caused by external sources. Breaches attributed to insiders, though fewer in number, were much larger than those caused by outsiders when they did occur. As a reminder of risks inherent to the extended enterprise, business partners were behind well over a third of breaches, a number that rose five-fold over the time period of the study.
Most breaches resulted from a combination of events rather than a single action. Some form of error
often directly or indirectly contributed to a compromise. In terms of deliberate action against
information systems, hacking and malcode proved to be the attack method of choice among
cybercriminals. Intrusion attempts targeted the application layer more than the operating system and
less than a quarter of attacks exploited vulnerabilities. Ninety percent of known vulnerabilities exploited
by these attacks had patches available for at least six months prior to the breach.
How Do Breaches Occur?
62% were attributed to a significant error
59% resulted from hacking and intrusions
31% incorporated malicious code
22% exploited a vulnerability
15% were due to physical threats
(Source: Verizon Business, 2008 Data Breach Investigations Report)
The past few years have also seen the adoption of information security guidelines as federal regulations that must be audited and reported on, depending on your type of business. Comprehensive security information and event management (SIEM) systems have been developed and deployed to assist in archiving, correlating and reporting on event data from all the areas of security enforcement and protection points in a network. The output from these systems provides the necessary audit data to ensure compliance with both internal and external information security policies. A point to remember is that policy can only work when employees are aware of its existence. Regular awareness seminars covering information security policy, email and web safety and even computer tips and tricks all help to improve employee acceptance of a company's IT operation.
Top Internet Security Risks
So where are the top risks to your business? Each year, the SANS Institute compiles its top risks. This
risk list changes each year. What does not change is the fact that these risks affect every potential area
of access into a network.
Source: The SANS Institute, The SANS 2007 Top Internet Security Risks, an Overview (continuously updated).
Top New Risks That Are Particularly Difficult To Defend:
1. Critical vulnerabilities in Web applications enabling the Web site to be poisoned, the data behind the Web site to be stolen and other computers connected to the Web site to be compromised.
Best defenses: Web application firewall, Web application security scanner, application source code testing tools, application penetration testing services, and most importantly a formal policy that all important Web applications will be developed using a valid secure development life cycle and only by developers who have proven (through testing) that they have the skills and knowledge to write secure applications.
2. Gullible, busy, accommodating computer users, including executives, IT staff, and others with privileged access, who follow false instructions provided in spear phishing emails, leading to empty bank accounts, compromise of major military systems around the world, compromise of government contractors, industrial espionage and much more.
Best defenses: This is the most challenging risk. Security awareness training is important but is definitely not sufficient to solve this problem. Two defenses seem promising: (a) inoculation, in which all users are periodically sent benign spear phishing emails; those who err are educated or cut off; (b) admit that this problem cannot be solved in all cases and establish new monitoring and forensics systems that constantly search network traffic and systems for evidence of deep penetration and persistent presence.
Other Priorities That Have Grown In Importance but Have Reasonable Technical Defenses:
3. Critical vulnerabilities in software on personal computers inside and outside enterprises (client-side vulnerabilities) allowing these systems to be turned into zombies and recruited into botnets and also allowing them to be used as back doors for stealing information from and taking over servers inside large organizations:
o Web Browsers
o Office Software
o Email Clients
o Media Players
Best defenses: Firmly enforced secure configurations (at installation time) for all applications,
constantly verified patching and upgrading of both applications and system software, constant
vulnerability scanning and rapid resolution of problems found, tightly configured firewalls and
intrusion prevention systems, up-to-date anti-virus and anti-spyware at gateways as well as on
desktops.
4. Critical vulnerabilities in the software and systems that provide the operating environment and primary services to computer users (server side software):
o Windows Services
o Unix and Mac OS Services
o Backup Software
o Anti-virus Software
o Management Servers
o Database Software
o VOIP servers
Best defenses: (mostly the same as group 3) Firmly enforced secure configurations (at installation time) for all applications, constantly verified patching and upgrading of applications and system software, tightly configured firewalls and intrusion prevention systems.
5. Policy and Enforcement Problems that allow malware (software designed to infiltrate or damage a computer system without the owner's informed consent) to do extra harm and that lead to loss of large amounts of data:
o Excessive User Rights and Unauthorized Devices
o Unencrypted Laptops and Removable Media
Best defenses: Zero-exception policies, constant monitoring and substantial penalties for failure to comply.
6. Application abuse of tools that are user favorites leading to client and server compromise, loss of sensitive information and use of enterprise systems for illegal activity such as serving child pornography:
o Instant Messaging
o Peer-to-Peer Programs
Best defenses: Use only tightly secured versions of these tools, or prohibit them entirely.
7. Zero-day attacks
Best defenses: Build much more restrictive perimeters with deny-all, allow-some firewall rules and redesign networks to protect internal systems from Internet-facing systems.
In other words, trust but verify through automation and testing. These risks and their mitigations are very specific and individual topics, but they collectively point to a single security concept: network security is not an event, it is not a device and it is not a policy. It is a comprehensive, 24x7 business culture that encompasses all of these things. This culture is generally referred to as "Defense in Depth".
There are many information security organizations which have provided valuable documentation and
guidelines for constructing an effective information security policy. Both SANS and NIST offer great
white papers on the development process, awareness training, and auditing & enforcement standards.
The Anatomy of an Attack
In order to plan a sound security policy, it is first important to understand how attacks occur.
The Honeypot project places systems on the Internet with the sole intention of enticing hackers or intruders. The information gathered on these "honeypots" is used to educate information security professionals on the types and origins of attacks against systems for the purpose of tightening security techniques. The fastest that one of their honeypots has ever been attacked is 15 minutes. Keep in mind that these servers are not advertised, they are not at public domains and are not on large corporate networks. Who could have found this server, and how is it possible that a non-advertised but exposed system could be infiltrated that quickly? Let's start by discussing who. Attacks generally come from one of three types of hacker:
1. Script Kiddie - Script Kiddies are not specifically targeting an organization. They are generally looking for a quick or easy kill. Their goal is to scan, locate and gain access to systems or networks using well-known and well-documented exploits. They are dangerous because everyone is a target and the information they use is readily available and supported by a community of "would-be" hackers. The honeypot attack listed above was more than likely the work of a Script Kiddie.
2. Skilled Attackers - Skilled Attackers use similar tools but are generally targeting a specific organization. They are better at researching and mapping the exposed or public resources of an organization and they will use any and every exploit they can to gain access. This requires even tighter controls in the target organization in order to thwart an attack. Skilled Attackers will spend days mapping an organization looking for cracks in its security policy. Once a crack has been identified, access occurs in seconds.
3. Inside Attackers - Inside attackers are the biggest threat because they know the resources and assets inside the network and in many cases have trusted access to those assets. Inside attacks can only be thwarted through vigilant policy management and tight procedures.
Thwarting attacks from each of these types of hackers requires a different security posture and planning.
The average attack goes through four phases:
[Figure: the four phases of an attack]
The honeypot listed above was more than likely identified through a scan and infiltrated through a standard exploitation. The important thing to note is that patching systems and securing the perimeter is not enough; threats are being introduced at ever increasing rates with incredibly varied delivery mechanisms, making detection and prevention very difficult. For these reasons, and many others, the typical single-device (e.g. firewall or intrusion detection device) external perimeter model is giving way to a newer 'defense-in-depth' or layered security architecture.
Introduction to Defense in Depth
Defense in Depth is the layering of multiple defense techniques, mechanisms and devices to protect critical network assets, data, systems and users. These defenses are layered for two primary reasons. First, as one layer, device or mechanism fails, another will be there to mitigate the breach, or at least track it and notify the administrator. Second, as detailed above, attacks can come from a multitude of sources and can target multiple methods of access. One defense mechanism will not address every potential path into the business.
In order to allow network users access to the resources they require, their information technology must, eventually, be connected to untrusted networks (external and/or business partners) and thereby exposed. To allow this level of access while mitigating the risks associated with this exposure, network managers and security professionals must remain focused on three principal tenets: Confidentiality, Integrity and Availability. These principles are not always complementary, and maintaining the proper balance among them is an ongoing challenge. In order to ensure organizations maintain these standards, the personnel managing information technology are tasked with the design, implementation and daily maintenance of a security posture that revolves around a Defense in Depth and regulatory-compliant strategy.
Probably the most important thing to note is that a security policy will not be successful unless ALL of the layers of the Defense in Depth policy are addressed. A firewall may protect the network perimeter, but by its very nature it must allow users access to the outside world (Internet). A Web attack, such as malware downloaded by a user, will not be seen by, nor can it be mitigated through, a firewall which is doing its job by allowing an internal user access to that file. Once malware is installed internally, most perimeter security controls are rendered useless. Implementing only a portion of this plan is tantamount to locking the front door and turning on a security system while leaving a first floor window open.
Layers of Defense in Depth
While there are many schools of thought on how to logically divide the layers in discussion, there is no question as to the components that comprise the layers. The primary layers of any Defense in Depth strategy are described in turn below.
The Network Security layer is sometimes called the perimeter security layer. It is comprised of elements that separate the outside (untrusted) network from the inside (trusted) network and inspect the traffic passing between them. This layer starts with the firewall, generally considered the building block of any security policy. Unfortunately, many business owners and IT directors consider a premises-based firewall to be a single, sufficient defense measure for protecting the network. In fact, the SANS Institute calls over-reliance on the firewall one of the top ten security mistakes that IT directors make. More importantly, a firewall is only as good as its software revision level, log file analysis and maintenance. If a firewall has not been kept up to date, it is a futile security measure.
A firewall "allows" or "denies" packets passing through it based on a security policy; however, with so many attacks focused on legitimate ports and applications, a firewall must allow this traffic to pass. It is, by nature, an unintelligent device which inspects packet headers, compares them to its security policy or Access Control List (ACL) and simply grants or denies access. A method utilized to support the firewall is an IDS or IPS. An Intrusion Detection System is used to detect several types of malicious behavior that can compromise the security and trust of a computer system, including network attacks against vulnerable services, data driven attacks on applications, host based attacks (e.g. privilege escalation, unauthorized logins and access to sensitive files) and malware (e.g. viruses, Trojan horses and worms).
An IDS is composed of several components: sensors which generate security events, a console to
monitor events and alerts and control the sensors, and a central engine that records events logged by
the sensors in a database and uses a system of rules to generate alerts from security events received.
There are several ways to categorize an IDS depending on the type and location of the sensors and the
methodology used by the engine to generate alerts. In many simple IDS implementations, all three
components are combined in a single device or appliance.
In a passive system, the Intrusion Detection System (IDS) sensor detects a potential security breach, logs the information and signals an alert to the console and/or owner. In a reactive system, also known as an Intrusion Prevention System (IPS), the system responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source. This can happen automatically or at the command of an operator. A reactive system needs careful tuning: a false positive that blocks a legitimate source is itself a denial of service.
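The interplay described above, and the "deny-all, allow-some" firewall posture recommended under risk 7, is easier to see in code. The following is an added example written for this edition, not code from the paper or from Evolve IP: a default-deny packet filter that looks only at headers, followed by a small IDS engine with one signature rule and one anomaly rule, which can run passive (alert only) or reactive (IPS: push the offending source into the firewall's block list). The permitted services, the signatures, the sweep threshold and the sample traffic are all constructed assumptions.

```python
"""Added example, not from the Evolve IP paper: a default-deny packet filter
in front of a small IDS engine that can run passive (alert only) or reactive
(IPS: push the offending source into the firewall's block list).  The allowed
services, signatures, threshold and sample traffic are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str              # source address
    dport: int            # destination port
    proto: str            # "tcp" or "udp"
    payload: bytes = b""  # application data the firewall never looks at


# Layer 1: the firewall. "Deny all, allow some": a set of permitted services
# and an implicit DROP for everything else.  Assumed services: web and mail.
ALLOW_RULES = {("tcp", 80), ("tcp", 443), ("tcp", 25)}


def firewall_verdict(pkt, blocked_sources):
    """Header-only ACL check plus the dynamic block list an IPS can feed."""
    if pkt.src in blocked_sources:
        return "DROP"
    if (pkt.proto, pkt.dport) in ALLOW_RULES:
        return "ACCEPT"        # legitimate port: content is NOT inspected here
    return "DROP"              # default deny: unlisted ports never reach a host


# Layer 2: the IDS engine.  The sensor hands it events (here, raw packets seen
# on a tap outside the filter); rules turn events into alerts; in reactive
# mode an alert also reprograms the firewall through the block list.
SIGNATURES = [                 # constructed, deliberately simple byte patterns
    ("web-attack: sql injection", b"' OR '1'='1"),
    ("web-attack: path traversal", b"../../"),
]


class IDSEngine:
    def __init__(self, reactive=False, scan_threshold=3):
        self.reactive = reactive
        self.scan_threshold = scan_threshold
        self.alerts = []                       # (src, rule name), in order
        self.blocked = set()                   # sources an IPS has cut off
        self._ports_by_src = defaultdict(set)  # state for the anomaly rule

    def inspect(self, pkt):
        # Signature rule: known-bad content riding on a port the firewall has
        # to leave open.  Only payload inspection can catch this.
        for name, needle in SIGNATURES:
            if needle in pkt.payload:
                return self._raise(pkt, name)
        # Anomaly rule: one source touching many distinct ports is recon,
        # even though the firewall drops most of those probes individually.
        self._ports_by_src[pkt.src].add(pkt.dport)
        if len(self._ports_by_src[pkt.src]) >= self.scan_threshold:
            return self._raise(pkt, "recon: port sweep")
        return "PASS"

    def _raise(self, pkt, name):
        self.alerts.append((pkt.src, name))
        if self.reactive:                      # IPS: block the source
            self.blocked.add(pkt.src)
            return "ALERT+BLOCK"
        return "ALERT"                         # passive IDS: log and notify only


def process(packets, reactive):
    """Return (per-packet (src, dport, firewall, ids) verdicts, alerts)."""
    engine = IDSEngine(reactive=reactive)
    verdicts = []
    for pkt in packets:
        fw = firewall_verdict(pkt, engine.blocked)   # block list as it stood
        ids = engine.inspect(pkt)                    # may extend it for later packets
        verdicts.append((pkt.src, pkt.dport, fw, ids))
    return verdicts, engine.alerts


TRAFFIC = [   # constructed sample traffic (RFC 5737 documentation addresses)
    Packet("203.0.113.7", 80, "tcp", b"GET /index.html HTTP/1.1"),
    Packet("198.51.100.9", 22, "tcp"),           # ssh probe: firewall drops it
    Packet("198.51.100.9", 3389, "tcp"),         # rdp probe: dropped too
    Packet("198.51.100.9", 445, "tcp"),          # third port: sweep alert
    Packet("203.0.113.7", 80, "tcp", b"GET /login?u=admin' OR '1'='1 HTTP/1.1"),
    Packet("203.0.113.7", 443, "tcp", b"GET /account HTTP/1.1"),  # after the alert
]

if __name__ == "__main__":
    for mode in (False, True):
        print("reactive" if mode else "passive")
        for v in process(TRAFFIC, reactive=mode)[0]:
            print("  %-13s :%-5d firewall=%-6s ids=%s" % v)
```

Run it and the two modes differ in exactly one place: the injection request on port 80 is accepted by the firewall in both modes, because port 80 is on the allow list and the ACL never reads the payload; only the IDS sees it. In passive mode the same source's next request is still accepted; in reactive mode it is dropped. The port sweep shows the complementary point: the firewall drops each probe on its own, but only the sensor outside the filter, keeping state per source, can recognise the sequence as reconnaissance.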
One last component, which is becoming a necessity, is the judicious use of network-layer forensics tools and services for 'what happened' analysis. These tools are not only becoming critical in uncovering the origins of attacks, occasionally even while they are in progress, but they have also become invaluable in complying with certain federal and state statutes or resolving litigation. A study conducted by Verizon's Business Risk Team, as outlined in their 2008 Data Breach Investigations Report, assessed these needs as absolutely paramount for business operations going forward. Since firewalls and IDS/IPS systems are designed to mitigate anomalous behavior at the network perimeter, they are a perfect basis for any security policy; however, many attacks target applications that are naturally exposed through the firewall. These attacks look like legitimate traffic to the Network Security layer and, as a result, the next layer of the Defense in Depth model is focused on applications.
Who Is Behind Data Breaches?
73% resulted from external sources
18% were caused by insiders
39% implicated business partners
30% involved multiple parties
(Source: Verizon Business, 2008 Data Breach Investigations Report)
The Application Security layer comprises an important realm that resides just beyond the perimeter and
is made up of interactive applications (services) that may utilize both public and extremely confidential
data. This layer not only controls access to sensitive information but also represents your company’s
digital presence in the world and includes: web servers, email, e-commerce, internet services, and voice.
This layer is so critical that many times this layer itself is the target of attacks rather than the data it
utilizes and attempts to protect. A denial of service against the application security layer will render
income generating services useless and can destroy reputations.
A closer look at where this layer resides, both from a physical and a network (e.g. OSI) layer perspective,
could indicate that this should be the easiest layer to protect by simply controlling access and securing
communications in and out of this layer. That is the correct approach, but implementation proves more
challenging than expected. Why? Because once the access control is complete, the larger vulnerability
lies directly in the application itself. Let’s examine the best defenses to employ for this layer.
Access Controls are the methods used to authenticate, authorize and account for secure communications to an application or service once connectivity has been established through the secured network perimeter. The oldest and most basic form of access control is authentication by means of a password. Authentication alone is not enough: the authenticated user must then be restricted to only the resources that are required. The best methods for this type of control include complex password schemes, certificates or Public Key Infrastructure (PKI), and one-time passwords (OTP) or tokens. Once access to a resource has been granted, the access control process is not complete; it now has the responsibility to continually authorize the actions of the authenticated user and to report on them. This record can be audited and can be used to assist with various forms of compliance.
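The three parts of access control just described, authentication, authorization and accounting, fit in one small module. The following is an added example written for this edition, not code from the paper or from Evolve IP. Authentication combines a salted PBKDF2 password hash with an RFC 6238 time-based one-time password (the "OTP or token" above), authorization checks every action against a role rather than stopping at login, and accounting writes an audit record for every decision, allowed or denied. The user store, the role matrix, the demo password and the fixed timestamp are constructed; the OTP secret is the RFC 6238 test-vector key so the expected code is known.

```python
"""Added example, not from the Evolve IP paper: the three parts of access
control in one place.  Authentication uses a salted password hash plus an
RFC 6238 time-based one-time password, authorization checks every action
against a role, and accounting writes an audit record for every decision.
Users, roles, the OTP secret and the demo timestamp are constructed."""
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000


# --- Authentication ---------------------------------------------------------
def hash_password(password, salt=None):
    """Store (salt, PBKDF2-HMAC-SHA256 digest); the password itself is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP (HMAC-SHA1, dynamic truncation) over a 30-second counter."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# --- Authorization and accounting -------------------------------------------
ROLE_PERMISSIONS = {      # assumed least-privilege matrix: role -> allowed actions
    "clerk": {"invoice:read"},
    "manager": {"invoice:read", "invoice:approve"},
}


class AccessController:
    def __init__(self, users):
        self.users = users    # name -> {"salt", "hash", "otp_secret", "role"}
        self.audit = []       # accounting: (user, event, outcome) for every decision

    def _record(self, user, event, allowed):
        self.audit.append((user, event, "ALLOW" if allowed else "DENY"))
        return allowed

    def login(self, user, password, code, now):
        """Both factors must verify; failures are logged but not distinguished."""
        u = self.users.get(user)
        if u is None:
            return self._record(user, "login", False)
        password_ok = check_password(password, u["salt"], u["hash"])
        code_ok = hmac.compare_digest(code.encode(), totp(u["otp_secret"], now).encode())
        return self._record(user, "login", password_ok and code_ok)

    def authorize(self, user, action):
        """Called on every request after login, not only once at the door."""
        role = self.users.get(user, {}).get("role")
        return self._record(user, action, action in ROLE_PERMISSIONS.get(role, set()))


def build_demo():
    """Constructed user store; the OTP secret is the RFC 6238 test-vector key."""
    salt, digest = hash_password("correct horse battery staple")
    users = {"alice": {"salt": salt, "hash": digest,
                       "otp_secret": b"12345678901234567890", "role": "clerk"}}
    return AccessController(users)


if __name__ == "__main__":
    ac = build_demo()
    now = 59                                    # RFC 6238 test-vector time
    code = totp(b"12345678901234567890", now)   # what the user's token would show
    print(ac.login("alice", "correct horse battery staple", code, now))
    print(ac.authorize("alice", "invoice:read"), ac.authorize("alice", "invoice:approve"))
    for entry in ac.audit:
        print(entry)
```

Two design points are worth noticing. Every comparison of a secret goes through hmac.compare_digest so that a wrong password or code fails in constant time, and the audit list records denied attempts as well as successes, which is the data a compliance review actually asks for. A production system would add rate limiting and an allowance for clock skew on the OTP window; both are left out here to keep the control flow visible.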
Application isolation can be likened to a form of access control for the application rather than the user.
Proper design of the system should allow for the isolation of applications to allow for additional security
mechanisms to be placed in line between applications needing to communicate with one another or to
communicate with a lower level process. These mechanisms include authenticated, encrypted
communication and failsafe mechanisms to prevent restarting (respawning) after process modification
or failure. The goal behind this security stance is to protect the system such that if one application is
compromised it cannot be used to attack other applications or resources of the system.
Code protection refers to the preventative actions executed to protect the actual software code used to run the application itself. As mentioned above, the largest vulnerability in this layer resides directly in the bits and bytes of the software application. The best access controls and isolation practices in the world will not stop attacks that come over legitimate communication channels and exploit vulnerabilities in the software, thereby gaining unauthorized access to or even control of the device. The most common exploit in this area is the buffer overflow, in which input larger than the buffer the program set aside for it overwrites adjacent memory because the code never checked the length of what it copied. At best the program terminates; at worst the attacker's input becomes code that runs with the application's privileges, for example spawning a shell. Best practices to ensure safeguards include routine software maintenance to ensure all patches related to security flaws are up to date, participation in security advisory discussions, subscriptions to the vendor's software maintenance and security notifications, and the assurance that the vendor is conducting regular vulnerability assessments and hands-on penetration testing.
The standard security testing to which applications are subjected is based on the Open Web Application Security Project (OWASP) guidelines. These guidelines suggest that application vulnerability assessments take into consideration an application's data classification, access path, user base and domain. Many applications are required by either law (e.g. HIPAA) or by industry standards (e.g. PCI) to undergo a comprehensive testing approach for assessing application security vulnerabilities and reporting them for risk mitigation. Among the various testing techniques, the following are the most widely deployed methodologies:
• Static Source Code Analysis (white box)
• Dynamic Application Security Testing (grey/black box)
• Dynamic System Security Testing (black box)
• Dynamic Application Quality Testing / Negative Testing (black box)
Just as application security is important to ensure your presence in the digital world is protected, the next layer will address how to protect what happens inside your organization. It may not always have as much public exposure, but if left unchecked it can leave the door open for issues with employee productivity or worse: failures of regulatory compliance.
All network traffic has a source and a destination. Both of these endpoints reside on physical devices
known as hosts. Hosts can be workstations, servers, phones, mobile devices and the list goes on and on.
The host security layer can be the most difficult to secure and control. It is the nature of hosts to be
multitasking devices, connecting to multiple applications and interacting with multiple services
simultaneously.
The easiest example of this operation is to observe the normal office employee. This user is utilizing
email, surfing web pages, filling out data in business applications, chatting on IM and talking on a VoIP
softphone all at the same time. While the legitimate applications may only be the business application
and the phone call on the softphone, the host is dangerously connected to other non-critical
applications and services which, when unsecured, can provide malicious traffic an entry to the network.
Once a single internal host is compromised the internal and previously “secured” network now is a wide
open field of possibility to the attacker. All of our perimeter network security and access control
methods will not help us as those layers have been bypassed through legitimate channels. There is only
the host security layer to help secure against this type of attack.
Host Intrusion Prevention services take a lesson from network intrusion prevention devices: detect
malicious behavior and apply mechanisms that mitigate it before it causes damage. A HIPS system is
heuristic; it depends less on matching activity against attack signatures and more on pure behavior- and
anomaly-based detection. The HIPS agent resides directly on the host device and receives its policy from
a management station. This policy contains rule sets that the host must follow, ranging from network
rules, to application-use rules, to kernel and hardware calls. Any behavior that occurs outside the
policy rule set is denied and reported to the security management software. This is the best and most
reliable method to date for securing hosts on a network. A HIPS implementation with proper policy
creation, tuning and enforcement can stop nearly all virus, worm and zero-day outbreaks.
Content Filtering services are another method of securing this layer; the goal of this defensive
strategy is to thoroughly clean and verify content before delivering it to the host. The most popular
and most widely deployed flavors of content filtering secure web and email content and some targeted
applications. Proper implementation of a web filtering service will cleanse the client’s browser
sessions of malicious scripting (ActiveX and Java), malware and unknown spyware downloads. Preventing
these potentially harmful packages leads not only to a cleaner and more secure network, but also to a
better performing network and end host. Email filtering solutions are the
most popular deployment of content filtering in use today. An email filtering solution will scan all of
an organization’s mail, both incoming and outgoing. The solution will filter and report on spam, viruses,
dangerous executables and other email-borne security threats. Due to the volume and use of email in
today’s digital age, it is the easiest way to infiltrate an end host. An email filtering solution,
together with proper user awareness training on the dangers of email, helps to minimize exposure through
this medium.
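An added example of the "dangerous executables" check an email filter performs, written here and not taken from the white paper or any product: it decodes each MIME part and looks at the bytes for an executable signature instead of trusting the declared filename or Content-Type. The message, addresses and attachment bytes are constructed.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"net/mail"
	"strings"
)

// Executable signatures, checked against content rather than the declared
// filename or Content-Type: Windows PE ("MZ") and ELF.
var exeMagic = map[string][]byte{"PE/EXE": []byte("MZ"), "ELF": {0x7f, 'E', 'L', 'F'}}
// ScanMessage returns one finding per MIME part whose decoded bytes carry an
// executable signature, whatever the part claims to be.
func ScanMessage(raw string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	mediaType, params, err := mime.ParseMediaType(msg.Header.Get("Content-Type"))
	if err != nil || !strings.HasPrefix(mediaType, "multipart/") {
		return nil, err // single-part mail: no attachments to inspect
	}
	var findings []string
	mr := multipart.NewReader(msg.Body, params["boundary"])
	for part, err := mr.NextPart(); err == nil; part, err = mr.NextPart() {
		data, _ := io.ReadAll(part) // the reader decodes quoted-printable itself, not base64
		if strings.EqualFold(part.Header.Get("Content-Transfer-Encoding"), "base64") {
			data, _ = base64.StdEncoding.DecodeString(string(data)) // CR/LF are skipped
		}
		for kind, magic := range exeMagic {
			if bytes.HasPrefix(data, magic) {
				findings = append(findings, fmt.Sprintf("%s content in %q declared as %s",
					kind, part.FileName(), part.Header.Get("Content-Type")))
			}
		}
	}
	return findings, nil
}

// Constructed sample: an "invoice.pdf" attachment whose bytes begin with a PE header.
const sampleMail = "From: vendor@example.net\r\nTo: finance@corp.example\r\nMIME-Version: 1.0\r\n" +
	"Content-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n--b1\r\n" +
	"Content-Type: application/pdf; name=\"invoice.pdf\"\r\nContent-Disposition: attachment; filename=\"invoice.pdf\"\r\n" +
	"Content-Transfer-Encoding: base64\r\n\r\nTVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA\r\n--b1--\r\n"
func main() { fmt.Println(ScanMessage(sampleMail)) }
```

A production filter adds more signatures and unpacks archives, but the principle is the same: classify by content, then quarantine and report.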
Policies, Compliance, and Awareness are a defensive strategy in your information security plan that is
often overlooked until it is too late. At the host layer, adherence to this strategy helps to control the
one portion of host security that cannot be controlled by any other system (either hardware or
software) — the USER.
Users are the rogue processes that are an administrator’s worst nightmare to both predict and control.
Systems are built and operated by a set of rules, and actions outside these rules can be controlled and
mitigated. Users should likewise be governed by a set of rules, and adherence to these policies must be
audited and enforced. All too often, organizational security policies go unenforced or are even
abandoned altogether.
The final layer of security in a ‘Defense in Depth’ strategy is wrapped around your business’ most critical
asset — sensitive data. Whether this data contains industry secrets, customer information, or critical
financial information, the data itself needs to be secured. This data, when it is not being used in the
upper layers by applications or hosts, resides in two main locations: on a medium (disk, tape, CD, etc.)
or in transit.
Data medium protection is crucial to the custodial relationship between the data and its owners. Best
practice for this area calls for encrypting the data on the medium and securing the physical medium
itself. Common methods of data encryption pass the data through encryption algorithms and then secure it
with a hash. The currently accepted standards employ Advanced Encryption Standard (AES) encryption with a
SHA-1 (or stronger) hash mechanism. Technical requirements for the recommended encryption and hashing
standards can be found in NIST publications FIPS 197 and FIPS 180-2. The physical medium itself requires
protection from unauthorized access, fire, flood, aging and other elements. The safeguards used in the
encryption and physical security of the medium require regular audit and disaster recovery testing. It
would be a total loss if countless dollars were spent securing data that was then rendered unusable by
faulty encryption and decryption mechanisms or storage procedures.
Data transit protection applies to transit over both electronic and physical paths. Any transmission
of data over an electronic medium needs to be secured by encryption algorithms that are secure not
only in cipher strength but are also not susceptible to man-in-the-middle or replay attacks. The method
of transmission needs to adhere to the highest levels of confidentiality and integrity. The prime
example of a time when confidential data requires transmission is during electronic backups. The
backup system needs to maintain the same high encryption standards in transit, both for storage and
retrieval.
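The encrypt-then-verify pattern from the two passages above, carried through as an added example that is not Evolve IP's code: AES-256-GCM (the FIPS 197 cipher in an authenticated mode) protects the record on the medium or in a backup stream, a SHA-256 digest (FIPS 180-2, the "or stronger" option) is the hash record kept beside it, and Restore doubles as the disaster recovery test. The key, the ledger text and the corrupted byte are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Vault struct{ gcm cipher.AEAD } // AES-256-GCM (FIPS 197, authenticated mode) for one medium

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return &Vault{gcm}, err
}

// Seal returns nonce||ciphertext and the SHA-256 (FIPS 180-2) digest that the text pairs with encryption.
func (v *Vault) Seal(plaintext []byte) ([]byte, [sha256.Size]byte) {
	nonce := make([]byte, v.gcm.NonceSize())
	rand.Read(nonce) // crypto/rand; a fresh nonce per object is mandatory for GCM
	return v.gcm.Seal(nonce, nonce, plaintext, nil), sha256.Sum256(plaintext)
}

// Restore decrypts and re-hashes: the disaster recovery test the text calls for, run before the data is needed.
func (v *Vault) Restore(sealed []byte, digest [sha256.Size]byte) ([]byte, error) {
	n := v.gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("restore failed: truncated record")
	}
	plaintext, err := v.gcm.Open(nil, sealed[:n], sealed[n:], nil)
	if err != nil {
		return nil, fmt.Errorf("restore failed (wrong key or corrupted medium): %w", err)
	}
	if sha256.Sum256(plaintext) != digest {
		return nil, fmt.Errorf("restore failed: digest does not match the manifest")
	}
	return plaintext, nil
}

func main() {
	v, _ := NewVault([]byte("constructed-32-byte-key-for-demo")) // never hard-code a real key
	sealed, digest := v.Seal([]byte("constructed customer ledger"))
	sealed[len(sealed)-1] ^= 0xff // one corrupted byte on the tape
	fmt.Println(v.Restore(sealed, digest))
}
```

GCM's own authentication tag already rejects the corrupted record; the separate digest is the hash record the text describes and lets a restored copy be checked against a manifest during the periodic audit.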
Data Leakage Protection goes by many names: data loss protection or prevention, anti-data leakage,
insider-threat protection and outbound content management, just to name a few. The point of these
strategies (often manifested in software products) is to monitor, document, and often prevent sensitive
information from leaving an organization without authorization.
The definition of "sensitive data" also varies by company. Some types of data are obviously of a
sensitive nature, including credit-card, social-security, or bank account numbers of customers or
employees. But sensitive data can also include intellectual property or competitive information: anything that a company doesn't want viewed by the wrong eyes.
Data-leak protection products identify sensitive information by matching terms in an included dictionary,
or by helping companies define what their sensitive data is and using algorithms to flag matches to
those definitions. These products can be software-only tools or appliances, and some require the use of
client agents. Regardless of their form, most of these products work by scanning "data in motion,"
meaning information that is leaving the organization via e-mail or instant messaging, or being copied to
removable media. Many of these products now also scan "data at rest," meaning information found in data
stores throughout the corporate network. The latter approach helps companies get a handle on all the
sensitive data they own (and are therefore responsible for protecting under government and industry
regulations), not just the sensitive information that is leaving the company.
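Both identification methods just described, the built-in algorithmic match and the company-defined dictionary, as an added example that is not from the white paper or any DLP product. The card-number pattern with its Luhn check, the dictionary term and the sample message body are all constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one piece of sensitive data located in outbound content.
type Finding struct{ Kind, Match string }

// Card candidates: 13 to 16 digits with optional separators. Each must also
// pass the Luhn check so that order and phone numbers are not flagged.
var cardRe = regexp.MustCompile(`\b(?:\d[ -]?){12,15}\d\b`)

func luhn(digits string) bool {
	sum := 0
	for i := range digits {
		d := int(digits[len(digits)-1-i] - '0')
		if i%2 == 1 { // every second digit from the right is doubled, then digit-summed
			d = d*2/10 + d*2%10
		}
		sum += d
	}
	return sum%10 == 0
}

// Classify applies both detection methods the text describes: algorithmic
// matching (Luhn-validated card numbers) and a company-defined dictionary.
func Classify(content string, dictionary []string) []Finding {
	var out []Finding
	for _, m := range cardRe.FindAllString(content, -1) {
		if luhn(strings.NewReplacer(" ", "", "-", "").Replace(m)) {
			out = append(out, Finding{"credit-card", m})
		}
	}
	for _, term := range dictionary {
		if strings.Contains(strings.ToLower(content), strings.ToLower(term)) {
			out = append(out, Finding{"dictionary", term})
		}
	}
	return out
}

// Constructed outbound e-mail body; 4111 1111 1111 1111 is a well-known test card number
// and the 13-digit order reference fails Luhn, so only the card and the project name hit.
const sample = "Card 4111 1111 1111 1111 approved for Project Falcon. Order ref 1234567890123."

func main() { fmt.Println(Classify(sample, []string{"project falcon"})) } // constructed dictionary
```

The findings feed the handling step described next: alert, block, quarantine, or prompt the user for a justification.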
Once identified by these tools, the data can be handled in a variety of ways. Administrators have the
option to simply be alerted that sensitive data is leaving the organization, or the action can be blocked
or quarantined. Some products will display a notice to users that they are about to move sensitive data
in a manner that violates corporate policy and prompt them to enter a reason for taking this
action. This approach helps educate users about sensitive-data policies and so limits unintentional
sharing of protected information.
Conclusion and Next Step Considerations
The Bottom Line: What is Not Being Done to Protect Systems? (adapted from the SANS Institute, “The
Bottom Line: What is Not Being Done to Protect Systems”)
Best Practices for Preventing Top Risks:
1. Secure configurations. Configure systems, from the first day, with the most secure configuration that your business functionality will allow, and use automation to keep users from installing/uninstalling software.
2. Secure technical architecture. Use automation to make sure systems maintain their secure configuration and remain fully patched with the latest version of the software (including keeping anti-virus software up to date).
3. Filter egress network traffic. Use proxies on your border network, configuring all client services (HTTP, HTTPS, FTP, DNS, etc.) so that they have to pass through the proxies before traversing outbound.
4. Data leakage protection. Protect sensitive data through encryption, data classification mapped against access control, and automated data leakage protection.
5. Security awareness training. Establish employee and business partner security awareness and provide penalties for those who do not follow the acceptable use policy.
6. Network segmentation. Perform proper DMZ segmentation with firewalls.
7. Application security. Remove the security flaws in Web applications by testing programmers’ security knowledge and testing the software for flaws.
In the Information Age, your business is using the Internet to some extent for critical functions — from
web browsing, to email, to web-based software-as-a-service applications. The very nature of this
connectivity exposes your business to risk. While you may perceive that your business does not have a
large exposure due to its size, location or industry, this is not true. Businesses of all sizes are exposed
because of the indiscriminate nature of the methods used to identify and attack them.
Simply stated: If you are vulnerable, you will be exploited.
A firewall is not enough. Virus protection on your email is not enough. Only through ‘Defense in Depth’
can a business be assured that its critical assets are protected from external threats. Most businesses
do not have protections built at every level of the ‘Defense in Depth’ strategy. Deploying Intrusion
Detection and Prevention, Policy Management, Vulnerability Assessment and Content Filtering, along
with proper management of existing firewalls and email security tools, requires capital, 24x7 reporting
and management, knowledge of current hacking techniques and security policies, and skills that most IT
departments do not readily have at their disposal.
Companies of all sizes depend on their networks for vital daily operations; hence security must be a top
priority. Although overall IT spending is down, global security spending is up across every market
segment for every business size. Due to the rising complexity of ensuring data and network security,
many companies, especially Small and Medium-sized businesses, are outsourcing their managed security
because they lack the expertise and/or resources to implement and manage the solutions themselves.
Outsourcing security solutions also provides companies of this size with major business benefits such as:
Ensure end-to-end secure solutions—by outsourcing, companies can tailor services to meet specific
security needs. They aren't limited to standalone point solutions that only cover portions of their
information infrastructure.
Minimize security gaps—protect network systems and data from intentional or accidental damage.
Gain flexibility and scalability—often, the cost of expanding coverage or adding capabilities is
cost-prohibitive for small and medium-sized businesses. It is frequently far more cost-effective to
outsource for specialized expertise than to divert internal resources and do it in-house.
Better protect information assets while improving productivity—service providers have the
infrastructure, monitoring systems, and staff to deliver reliable security services, freeing smaller
businesses to focus on their core business.
Managed security services delivered by a trusted provider allow you to enjoy all the benefits of
centrally managed security without the additional headache of implementing, maintaining and updating
all your security products and policies—helping you to mitigate your risk without taking resources away
from core business activities. Network security is not a set-it-and-forget-it methodology. Outsourced
managed security services should be seriously considered by any business without full-time staff and
software systems dedicated to managing its security posture. Businesses with full-time staff should
consider outsourcing these specialized requirements in order to keep staff focused on strategic
initiatives and maintain service levels.