Defense in Depth
A COMPREHENSIVE PERSPECTIVE™

Evolve IP
989 Old Eagle School Road, Suite 815, Wayne, PA 19087 USA
610.964.8000
www.evolveip.net

Table of Contents

Introduction ........................................ 3
The Need ............................................ 4
Top Internet Security Risks ......................... 6
The Anatomy of an Attack ............................ 8
Introduction to Defense in Depth ................... 10
Layers of Defense in Depth ......................... 11
Conclusions and Next Step Considerations ........... 16

Acknowledgements
Carl Herberger, Vice President, Information Security & Compliance Services

Evolve IP | 989 Old Eagle School Road – Suite 815 | Wayne, PA 19087 | 610.964.8000 | [email protected]

Introduction

In the Information Age, the “connected” nature of the world is a blessing and a curse. Increasingly, distances between business partners and vendors have become logically smaller; developing nations have access to the global economy, and always-on, always-connected communications have become the standard. Nevertheless, along with connectivity come risks; the very nature of this ubiquitous connectivity implies that we gain access to systems outside of our control while exposing our own networks to the outside world. For every business partner we are allowed access to, there are thousands of hackers preparing to do us harm.

The purpose of this paper is to explain just how those attacks take place, to demonstrate that your business’ susceptibility to these attacks is greater than you may think, and to explain the concept of Defense in Depth as a means to mitigate that susceptibility. Armed with this information, business owners, CIOs and IT Directors should consider whether their business is prepared to meet the demands of a Defense in Depth strategy or whether selective outsourcing of these services is the best path for success.
The Need

Why be concerned about network security? What are the real dangers and underlying business risks? And most importantly, how does your business justify spending time, resources and money on network security?

The Cost of Ownership of any security investment is difficult to discern, as network security is largely considered protection – “insurance”, if you will. It is equally difficult to calculate exactly what the potential financial risks are to your organization, should you be attacked. Despite the difficulties in determining the costs and risks, the converse (not taking the threat seriously) could be disastrous.

In a 2008 survey of 522 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities, 46 percent of these organizations had experienced a security incident while 13 percent did not know. Security incidents in this statistic do not include the standard “noise” that any good security plan would counteract (like spam), but instead reference real infiltrations into the business network. Keep in mind that the respondents to this survey are security and IT professionals. In smaller businesses, where dedicated security or even dedicated IT staff are a luxury, the numbers are even higher.

[Figure: Average Annual Losses. Bar chart with bars for 2007, 2008 and 2009; values shown: $345,005, $288,618 and $167,713. Source: CSI Computer Crime & Security Survey, 2008]

Respondents’ average estimate of the losses caused by various types of computer security incidents was $288,618, down from $345,005 last year, but up from the low of $167,713 two years ago.
The most expensive computer security incidents were those involving financial fraud, with an average reported cost of close to $500,000 (Richardson, Robert, CSI Computer Crime & Security Survey, 2008). The second most expensive was dealing with “bot” computers within the organization’s network, reported to cost an average of nearly $350,000 per respondent. Gartner estimates that, although fewer than 10 percent of the attacks on the Internet are targeted against a single company, the financial impact to an individual business of a single successful targeted attack will be 50 to 100 times greater than the impact of a successful worm or virus event (Pescatore, John, Gartner, 2005).

[Figure: Cost of Security Incident Response (in millions). Categories: Virus-Type Incidents, Theft, Financial Fraud, Network Intrusions; values shown: $2.8, $3.2, $2.7 and $12.0. Source: Computer crime costs $67 billion, FBI says, Joris Evers, cnet News, 2006]

Many companies make the incorrect assumption that they are not the kind of business that is a “target” for hackers. That assumption is wrong on two levels. First, companies are targeted based on their susceptibility to attack (further explained below under The Anatomy of an Attack): the less secure you are, the MORE apt you are to become a target. Second, many attacks utilize non-targeted processes, such as phishing (spam) or web-based malware, as a means of attack, which amplifies the difficulties in the traditional ‘not a target’ approach. In these types of attacks, your network becomes susceptible based on the behavior of your employees while using legitimate mediums such as email or the web.
In fact, these types of attempts are on the rise: according to Cisco, daily spam volumes nearly doubled in 2008 relative to 2007. Even more concerning is that a method of propagating malware which reached new levels of popularity in 2008 is compromising legitimate websites to make them hubs for malware distribution. Cisco data shows that exploited websites are currently responsible for more than 87 percent of all Web-based threats. Additionally, according to security audit provider White Hat Security, more than 79 percent of the websites hosting malicious code are legitimate websites that have been compromised (Cisco 2008 Annual Security Report, January 2009). In 2008, an unprecedented amount of financial fraud was perpetrated: hundreds of pages of Businessweek.com were compromised in an attempt to serve Malware to the site’s users, new phishing attacks were built to look like the IRS, Better Business Bureau, US District courts and countless well-known financial institutions, and a Craigslist posting was used to commit a bank robbery. However your business calculates risk, there is no question that a sound network security policy is essential.

Surprising to some, most data breaches investigated were caused by external sources. Breaches attributed to insiders, though fewer in number, were much larger than those caused by outsiders when they did occur. As a reminder of risks inherent to the extended enterprise, business partners were behind well over a third of breaches, a number that rose five-fold over the time period of the study.

Most breaches resulted from a combination of events rather than a single action. Some form of error often directly or indirectly contributed to a compromise.
In terms of deliberate action against information systems, hacking and malcode proved to be the attack method of choice among cybercriminals. Intrusion attempts targeted the application layer more than the operating system, and less than a quarter of attacks exploited vulnerabilities. Ninety percent of known vulnerabilities exploited by these attacks had patches available for at least six months prior to the breach.

[Figure: How Do Breaches Occur? 62% were attributed to a significant error; 59% resulted from hacking and intrusions; 31% incorporated malicious code; 22% exploited a vulnerability; 15% were due to physical threats]

The past few years have also seen the adoption of information security guidelines as federal regulations that must be audited and reported on, depending on your type of business. Comprehensive security information and event management systems have been developed and deployed to assist in archiving, correlating and reporting on event data from all the areas of security enforcement and protection points in a network. The output from these systems provides the necessary audit data to ensure compliance with both internal and external information security policies. A point to remember is that policy can only work when employees are aware of its existence. Regular awareness seminars covering information security policy, email and web safety and even computer tips and tricks all help to improve employee acceptance of a company’s IT operation.

Top Internet Security Risks

So where are the top risks to your business? Each year, the SANS Institute compiles its top risks. This risk list changes each year. What does not change is the fact that these risks affect every potential area of access into a network. The following is taken from The SANS 2007 (continuously updated) Top Internet Security Risks, an Overview (The SANS Institute, The SANS 2007 Top Internet Security Risks, an Overview):

Top New Risks That Are Particularly Difficult To Defend:

1. Critical vulnerabilities in Web applications enabling the Web site to be poisoned, the data behind the Web site to be stolen and other computers connected to the Web site to be compromised.
   Best defenses: Web application firewall, Web application security scanner, application source code testing tools, application penetration testing services, and most importantly a formal policy that all important Web applications will be developed using a valid secure development life cycle and only by developers who have proven (through testing) that they have the skills and knowledge to write secure applications.

2. Gullible, busy, accommodating computer users, including executives, IT staff, and others with privileged access, who follow false instructions provided in spear phishing emails, leading to empty bank accounts, compromise of major military systems around the world, compromise of government contractors, industrial espionage and much more.
   Best defenses: This is the most challenging risk. Security awareness training is important but is definitely not sufficient to solve this problem. Two defenses seem promising: (a) inoculation, in which all users are sent periodic spear phishing emails that are benign; those who err are educated or cut off. (b) Admit that this problem cannot be solved in all cases and establish new monitoring and forensics systems that constantly search network traffic and systems for evidence of deep penetration and persistent presence.

Other Priorities That Have Grown In Importance but Have Reasonable Technical Defenses:

3. Critical vulnerabilities in software on personal computers inside and outside enterprises (client-side vulnerabilities) allowing these systems to be turned into zombies and recruited into botnets and also allowing them to be used as back doors for stealing information from and taking over servers inside large organizations:
   o Web Browsers
   o Office Software
   o Email Clients
   o Media Players
   Best defenses: Firmly enforced secure configurations (at installation time) for all applications, constantly verified patching and upgrading of both applications and system software, constant vulnerability scanning and rapid resolution of problems found, tightly configured firewalls and intrusion prevention systems, up-to-date anti-virus and anti-spyware at gateways as well as on desktops.

4. Critical vulnerabilities in the software and systems that provide the operating environment and primary services to computer users (server-side software):
   o Windows Services
   o Unix and Mac OS Services
   o Backup Software
   o Anti-virus Software
   o Management Servers
   o Database Software
   o VOIP servers
   Best defenses: (mostly the same as group 3) Firmly enforced secure configurations (at installation time) for all applications, constantly verified patching and upgrading of applications and system software, tightly configured firewalls and intrusion prevention systems.

5. Policy and Enforcement Problems that allow malware (software designed to infiltrate or damage a computer system without the owner's informed consent) to do extra harm and that lead to loss of large amounts of data:
   o Excessive User Rights and Unauthorized Devices
   o Unencrypted Laptops and Removable Media
   Best defenses: Zero-exception policies, constant monitoring and substantial penalties for failure to comply.

6. Application abuse of tools that are user favorites leading to client and server compromise, loss of sensitive information and use of enterprise systems for illegal activity such as serving child pornography:
   o Instant Messaging
   o Peer-to-Peer Programs
   Best defenses: Use only tightly secured versions of these tools, or prohibit them entirely.

7. Zero-day attacks
   Best defenses: Build much more restrictive perimeters with deny-all, allow-some firewall rules and redesign networks to protect internal systems from Internet-facing systems. In other words, trust but verify through automation and testing.

These risks and their mitigations are very specific and very individual topics, but they collectively point to a single security concept: network security is not an event… It’s not a device… It’s not a policy… It’s a comprehensive, 24x7 business culture that encompasses all of these things. This culture is generally referred to as “Defense in Depth”. There are many information security organizations which have provided valuable documentation and guidelines for constructing an effective information security policy. Both SANS and NIST offer great white papers on the development process, awareness training, and auditing & enforcement standards.

The Anatomy of an Attack

In order to plan a sound security policy, it is first important to understand how attacks occur. The Honeypot project places systems on the Internet with the sole intention of enticing hackers or intruders. The information gathered on these “Honeypots” is used to educate information security professionals on the types and origins of attacks against systems, for the purpose of tightening security techniques.
The fastest that one of their Honeypots has ever been attacked is 15 minutes. 15 minutes. Keep in mind that these servers are not advertised, they are not at public domains and they are not on large corporate networks. Who could have found this server, and how is it possible that a non-advertised but exposed system could be infiltrated that quickly? Let’s start by discussing who. Attacks generally come from one of three types of hacker:

1. Script Kiddie - Script Kiddies are not specifically targeting an organization. They are generally looking for a quick or easy kill. Their goal is to scan, locate and gain access to systems or networks using well-known and well-documented exploits. They are dangerous because everyone is a target and the information they use is readily available and supported by a community of “would-be” hackers. The Honeypot attack listed above was more than likely the work of a Script Kiddie.

2. Skilled Attackers - Skilled Attackers use similar tools but are generally targeting a specific organization. They are better at researching and mapping the exposed or public resources of an organization and they will use any and every exploit they can to gain access. This requires even tighter controls in the target organization in order to thwart an attack. Skilled Attackers will spend days mapping an organization looking for cracks in its security policy. Once a crack has been identified, access occurs in seconds.

3. Inside Attackers - Inside attackers are the biggest threat because they know the resources and assets inside the network and in many cases have trusted access to those assets. Inside attacks can only be thwarted through vigilant policy management and tight procedures.

Thwarting attacks from each of these types of hackers requires different security postures and planning.
The average attack goes through four phases. The Honeypot listed above was more than likely identified through a scan and infiltrated through a standard exploitation. The important thing to note is that patching systems and securing the perimeter is not enough; threats are being introduced at ever increasing rates with incredibly varied delivery mechanisms, making detection and prevention very difficult. For these reasons, and many others, the typical single-device (e.g. firewall or intrusion detection device) external perimeter model is giving way to a newer ‘defense-in-depth’ or layered security architecture.

Introduction to Defense in Depth

Defense in Depth is the layering of multiple defense techniques, mechanisms and devices to protect critical network assets, data, systems and users. These defenses are layered for two primary reasons. First, as one layer, device or mechanism fails, another will be there to mitigate, or at least track and notify the administrator about, the breach. Second, as detailed above, attacks can come from a multitude of sources and can target multiple methods of access. One defense mechanism will not address every potential path into the business. In order to allow network users access to the resources they require, their information technology must, eventually, be connected to untrusted networks (external and/or business partners) and thereby exposed. To allow this level of access, while mitigating the risks associated with this exposure, network managers and security professionals must remain focused on three principal tenets: Confidentiality, Integrity and Availability.
These principles are not always complementary, and maintaining the proper balance of these tenets is an ongoing challenge. In order to ensure organizations maintain these standards, the personnel managing information technology are tasked with the design, implementation and daily maintenance of a security posture that revolves around a Defense in Depth and regulatory compliant strategy. Probably the most important thing to note is that a security policy will not be successful unless ALL of the layers of the Defense in Depth policy are addressed. A firewall may protect the network perimeter, but by its very nature it must allow users access to the outside world (Internet). A Web attack, such as Malware, will not be seen by, nor can it be mitigated through, a firewall which is doing its job by allowing an internal user access to that file. Once Malware is installed internally, most security controls are rendered useless. Implementing only a portion of this plan is tantamount to locking the front door and turning on a security system while leaving a first floor window open.

Layers of Defense in Depth

While there are many schools of thought on how to logically divide the layers in discussion, there is no question as to the components that comprise the layers. The primary layers of any Defense in Depth strategy are described in turn below.

The Network Security layer is sometimes called the perimeter security layer. It is comprised of elements that create a boundary between, and inspect the traffic that passes between, the outside (untrusted) network and the inside (trusted) network. This layer starts with the Firewall, generally considered the building block of any security policy. Unfortunately, many business owners and IT directors consider a premises-based firewall to be a single, efficient defense measure for protecting the network.
In fact, the SANS Institute calls over-reliance on the firewall one of the top ten security mistakes that IT directors make. More importantly, a firewall is only as good as its software revision level, log file analysis and maintenance. If a firewall has not been kept up to date, it is a futile security measure. A Firewall “allows” or “denies” packets passing through it based on a security policy; however, with so many attacks focused on legitimate ports and applications, a Firewall must allow this traffic to pass. It is, by nature, an unintelligent device which inspects packets, compares them to its security policy or Access Control List (ACL) and simply grants or denies access.

A method utilized to support the firewall is IDS or IPS. An Intrusion Detection System is used to detect several types of malicious behaviors that can compromise the security and trust of a computer system, including network attacks against vulnerable services, data-driven attacks on applications, host-based attacks (e.g. privilege escalation, unauthorized logins and access to sensitive files) and malware (e.g. viruses, Trojan horses and worms). An IDS is composed of several components: sensors which generate security events; a console to monitor events and alerts and to control the sensors; and a central engine that records events logged by the sensors in a database and uses a system of rules to generate alerts from the security events received. There are several ways to categorize an IDS depending on the type and location of the sensors and the methodology used by the engine to generate alerts. In many simple IDS implementations, all three components are combined in a single device or appliance. In a passive system, the Intrusion Detection System (IDS) sensor detects a potential security breach, logs the information and signals an alert on the console and/or to the owner.
In a reactive system, also known as an Intrusion Prevention System (IPS), the IDS responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source. This can happen automatically or at the command of an operator.

One last component, which is becoming a necessity, is the judicious use of network-layer forensics tools and services for ‘what-happened’ analysis. These tools are not only becoming critical in uncovering the origins of attacks, occasionally even while they are in progress, but they also have become invaluable in complying with certain federal and state statutes or resolving litigation. A survey conducted by Verizon’s Business Risk Team, as outlined in their 2008 Data Investigations Report, assessed these needs as absolutely paramount for business operations going forward.

[Figure: Who Is Behind Data Breaches? 73% resulted from external sources; 18% were caused by insiders; 39% implicated business partners; 30% involved multiple parties]

Since Firewalls and IDS/IPS systems are designed to mitigate anomalous behavior at the network perimeter, they are a perfect basis for any security policy; however, many attacks target applications that are naturally exposed through the firewall. These attacks look like legitimate traffic to the Network Security Layer, and as a result the next layer of the Defense in Depth model is focused on applications.

The Application Security layer comprises an important realm that resides just beyond the perimeter and is made up of interactive applications (services) that may utilize both public and extremely confidential data.
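Before moving on to the application layer, the sensor / rule engine / firewall arrangement and the passive-versus-reactive distinction described for the Network Security layer above, as an added example that is not part of the original paper or any Evolve IP product: a minimal central engine that applies two threshold rules to a constructed sensor feed, logging alerts in passive mode and, in reactive (IPS) mode, also writing the offending source into a firewall deny-list so its later packets never reach the sensor. Event format, rule thresholds and addresses are all assumed for the example.

```go
package main

import "fmt"

// Event is one security event emitted by a sensor. The fields are constructed
// for this example; real sensors use their own event formats.
type Event struct {
	Seq  int    // sequence number assigned by the sensor
	Src  string // source address of the traffic
	Port int    // destination port
	Kind string // "syn", "login_fail" or "login_ok"
}

// Alert is raised by the central engine when a rule fires.
type Alert struct {
	Rule string
	Src  string
	Seq  int // sequence number of the event that triggered the rule
}

// Rule thresholds (assumed values chosen for the example).
const (
	scanThreshold  = 5 // distinct ports probed by one source -> "port-scan"
	bruteThreshold = 3 // consecutive failed logins from one source -> "brute-force"
)

// Engine is the central IDS engine: it records events, applies the rule set
// and keeps alerts. In reactive (IPS) mode it also programs the firewall.
type Engine struct {
	Reactive bool
	Alerts   []Alert
	Blocked  map[string]bool // firewall deny-list written by the reactive engine
	ports    map[string]map[int]bool
	failures map[string]int
}

func NewEngine(reactive bool) *Engine {
	return &Engine{Reactive: reactive, Blocked: map[string]bool{},
		ports: map[string]map[int]bool{}, failures: map[string]int{}}
}

// Ingest applies the rule set to one event. It returns false when the
// firewall already blocks the source, i.e. the packet never reaches the sensor.
func (e *Engine) Ingest(ev Event) bool {
	if e.Blocked[ev.Src] {
		return false
	}
	switch ev.Kind {
	case "syn":
		if e.ports[ev.Src] == nil {
			e.ports[ev.Src] = map[int]bool{}
		}
		e.ports[ev.Src][ev.Port] = true
		if len(e.ports[ev.Src]) == scanThreshold {
			e.raise("port-scan", ev)
		}
	case "login_fail":
		e.failures[ev.Src]++
		if e.failures[ev.Src] == bruteThreshold {
			e.raise("brute-force", ev)
		}
	case "login_ok":
		e.failures[ev.Src] = 0 // a successful login resets the counter
	}
	return true
}

// raise logs the alert (what a passive IDS does) and, in reactive mode, adds
// the source to the firewall deny-list so its later traffic is dropped.
func (e *Engine) raise(rule string, ev Event) {
	e.Alerts = append(e.Alerts, Alert{Rule: rule, Src: ev.Src, Seq: ev.Seq})
	if e.Reactive {
		e.Blocked[ev.Src] = true
	}
}

// PortsSeen returns how many distinct ports the engine recorded for a source.
func (e *Engine) PortsSeen(src string) int { return len(e.ports[src]) }

// sampleEvents is a constructed sensor feed (documentation-range addresses):
// a port sweep from one address and a password-guessing run from another.
var sampleEvents = []Event{
	{1, "203.0.113.7", 22, "syn"}, {2, "203.0.113.7", 23, "syn"},
	{3, "203.0.113.7", 25, "syn"}, {4, "203.0.113.7", 80, "syn"},
	{5, "203.0.113.7", 443, "syn"},  // fifth distinct port: port-scan rule fires
	{6, "203.0.113.7", 8080, "syn"}, // reactive engine drops this one
	{7, "198.51.100.9", 22, "login_fail"}, {8, "198.51.100.9", 22, "login_fail"},
	{9, "198.51.100.9", 22, "login_fail"}, // third failure: brute-force rule fires
	{10, "192.0.2.5", 22, "login_ok"},
}

// Run feeds the sample events through a passive or reactive engine.
func Run(reactive bool) *Engine {
	e := NewEngine(reactive)
	for _, ev := range sampleEvents {
		e.Ingest(ev)
	}
	return e
}

func main() {
	for _, reactive := range []bool{false, true} {
		e := Run(reactive)
		fmt.Printf("reactive=%v alerts=%v blocked=%v\n", reactive, e.Alerts, e.Blocked)
	}
}
```

Both engines raise the same two alerts; only the reactive one stops the scanner's sixth probe, which is the whole difference between an IDS and an IPS in the text above.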
This layer not only controls access to sensitive information but also represents your company’s digital presence in the world, and includes web servers, email, e-commerce, internet services and voice. This layer is so critical that many times the layer itself is the target of attacks rather than the data it utilizes and attempts to protect. A denial of service against the application security layer will render income-generating services useless and can destroy reputations. A closer look at where this layer resides, both from a physical and a network (e.g. OSI) layer perspective, could indicate that this should be the easiest layer to protect by simply controlling access and securing communications in and out of this layer. That is the correct approach, but implementation proves more challenging than expected. Why? Because once the access control is complete, the larger vulnerability lies directly in the application itself. Let’s examine the best defenses to employ for this layer.

Access Controls are the methods used to authenticate, authorize and account for secure communications to an application or service once connectivity has been established through the secured network perimeter. The oldest and most basic form of access control is authentication by means of a password. The password needs to restrict the user to only the access to the resource that is required. The best methods for this type of control include using complex password schemes, certificates or Public Key Infrastructure (PKI), and one-time passwords (OTP) or tokens. Once access to a resource has been granted, the access control process is not complete; this process now has the responsibility to continually authorize the actions of the authenticated user and to report on them. It can be audited and can be used to assist with various forms of compliance.
Application isolation can be likened to a form of access control for the application rather than the user. Proper design of the system should allow for the isolation of applications so that additional security mechanisms can be placed in line between applications needing to communicate with one another or with a lower level process. These mechanisms include authenticated, encrypted communication and failsafe mechanisms to prevent restarting (respawning) after process modification or failure. The goal behind this security stance is to protect the system such that if one application is compromised it cannot be used to attack other applications or resources of the system.

Code protection refers to the preventative actions executed to protect the actual software code used to run the application itself. As mentioned above, the largest vulnerability in this layer resides directly in the bits and bytes of the software application. The best access controls and isolation practices in the world will not stop attacks that come over legitimate communication channels and exploit vulnerabilities in the software, thereby gaining unauthorized access to or even control of the device. The most common exploit for this area is the buffer overflow attack which, due to poor code constraints and/or memory buffer utilization, forces the application to abort normal request processing and either causes the underlying shell layer to respond or the program to terminate. Some best practices to ensure safeguards include routine software maintenance to ensure all patches related to security flaws are up to date and participation in security advisory discussions. Additionally, subscriptions relating to the software maintenance and assurance that the vendor is conducting regular vulnerability assessments and hands-on penetration testing are a must. The standard security testing against which applications are tested is based on the Open Web Application Security Project (OWASP) guidelines.
These guidelines suggest that application vulnerability assessments take into consideration an application’s data classification, access path, user base and domain. Many applications are required by either law (e.g. HIPAA) or by industry standards (e.g. PCI) to undergo a comprehensive testing approach for assessing application security vulnerabilities and reporting security vulnerabilities for risk mitigation. Among the various testing techniques, the following are the most widely deployed methodologies:

• Static Source Code Analysis (white box)
• Dynamic Application Security Testing (grey/black box)
• Dynamic System Security Testing (black box)
• Dynamic Application Quality Testing / Negative Testing (black box)

Just as application security is important to ensure your presence in the digital world is protected, the next layer will address how to protect what happens inside your organization. It may not always have as much public exposure, but if left unchecked it can leave the door open for issues with employee productivity or worse: lack of federal compliance.

All network traffic has a source and a destination. Both of these endpoints reside on physical devices known as hosts. Hosts can be workstations, servers, phones, mobile devices, and the list goes on and on. The host security layer can be the most difficult to secure and control. It is the nature of hosts to be multitasking devices, connecting to multiple applications and interacting with multiple services simultaneously. The easiest example of this operation is to observe the normal office employee. This user is utilizing email, surfing web pages, filling out data in business applications, chatting on IM and talking on a VoIP softphone all at the same time.
While the legitimate applications may only be the business application and the phone call on the softphone, the host is dangerously connected to other non-critical applications and services which, when unsecured, can provide malicious traffic an entry to the network. Once a single internal host is compromised, the internal and previously “secured” network now is a wide open field of possibility to the attacker. All of our perimeter network security and access control methods will not help us, as those layers have been bypassed through legitimate channels. There is only the host security layer to help secure against this type of attack.

Host Intrusion Prevention services take a lesson from the network intrusion prevention devices in detecting malicious behavior and applying the mechanisms to mitigate the behavior before it causes damage. The HIPS system is a heuristic system that is less dependent on referencing attacks against a signature and instead relies on pure behavior- and anomaly-based detection. The HIPS agent resides directly on the host device and has a policy sent to it from a management station. This policy contains rule sets that the host must follow. These rule sets range from network rules, to application use rules, to kernel and hardware calls. Any behavior that occurs outside of the policy rule set is denied and reported to the security management software. This method is the best and most reliable method to date for securing hosts on a network. A HIPS implementation with proper policy creation, tuning and enforcement can stop nearly all virus, worm and zero-day outbreaks.

Content Filtering services are another method to help secure this layer; the goals of this defensive strategy are to thoroughly clean and verify content before delivering it to the host. The most popular and most broadly deployed flavors of content filtering are for securing web and email content and some targeted applications.
Proper implementation of a web filtering service will cleanse the client’s browser sessions of malicious scripting (ActiveX and Java), malware installations and unknown spyware downloads. Preventing these potentially harmful packages not only leads to a cleaner and more secure network, but also to a better performing network and end host.

Email filtering solutions are the most popular deployment of content filtering in use today. An email filtering solution scans all of an organization's mail, both incoming and outgoing. The solution filters and reports on spam, viruses, dangerous executables and other email-based security vulnerabilities. Given the volume and use of email in today’s digital age, it is the easiest way to infiltrate an end host. An email filtering solution, combined with proper user awareness training on the dangers of email, helps to minimize exposure through this medium.

Policies, Compliance, and Awareness are a defensive strategy in your information security plan that is often overlooked until it is too late. At the host layer, this strategy controls the one portion of host security that cannot be controlled by another system, whether hardware or software: the user. Users are the rogue processes that are an administrator’s worst nightmare to both predict and control. Systems are built and operated by a set of rules, and actions outside these rules can be controlled and mitigated. Users should likewise be governed by a set of rules, and adherence to these policies must also be audited and enforced. All too often, security policies for organizations go unenforced or are sometimes abandoned altogether.

The final layer of security in a ‘Defense in Depth’ strategy is wrapped around your business’ most critical asset: sensitive data.
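The "dangerous executables" check an email filter performs is worth seeing concretely, because filename extension alone is not enough. Below is an added example for this page (not any filtering product's code) that applies two checks to constructed sample attachments: a block-list on the final extension, so a double extension is caught, and a magic-byte check, so an executable renamed to look like a document is caught as well. The signature table and sample bytes are assumptions constructed for the example.

```python
"""Attachment check for an email content filter (added example, not a product's code).

Two defensive checks on each attachment:
  1. A block-list of dangerous executable extensions, applied to the *last*
     extension so "report.pdf.exe" is caught.
  2. A magic-byte check so an executable renamed to .pdf is still caught.
"""

BLOCKED_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}

# Leading-byte signatures (assumption: a few well-known ones; real filters carry a long table).
MAGIC = {
    b"MZ": "executable",       # Windows PE / DOS stub
    b"\x7fELF": "executable",  # ELF binaries
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
}


def sniff_type(data):
    """Classify content by its leading bytes, ignoring the filename entirely."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def check_attachment(filename, data):
    """Return (verdict, reason); verdict is 'pass' or 'quarantine'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return "quarantine", f"blocked extension .{ext}"
    kind = sniff_type(data)
    if kind == "executable":
        return "quarantine", f"content is an executable despite name {filename!r}"
    return "pass", f"{kind} content, extension .{ext or '(none)'}"


def filter_message(attachments):
    """Scan a list of (filename, bytes); returns quarantine reasons (empty list = deliver)."""
    reasons = []
    for name, data in attachments:
        verdict, reason = check_attachment(name, data)
        if verdict == "quarantine":
            reasons.append(f"{name}: {reason}")
    return reasons


# Constructed sample attachments: a real-looking PDF header and a minimal PE/DOS stub.
SAMPLE_PDF = b"%PDF-1.7\n% constructed sample\n"
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 28


def run_sample():
    """Scan one constructed message with three attachments; returns the quarantine reasons."""
    return filter_message([
        ("report.pdf", SAMPLE_PDF),       # passes
        ("invoice.pdf.exe", SAMPLE_EXE),  # caught by extension
        ("setup.pdf", SAMPLE_EXE),        # caught by magic bytes
    ])


if __name__ == "__main__":
    for line in run_sample():
        print("QUARANTINE", line)
```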
Whether this data contains industry secrets, customer information, or critical financial information, the data itself needs to be secured. When it is not in use in the upper layers by applications or hosts, this data resides in two main states: on a medium (disk, tape, CD, etc.) or in transit.

Data medium protection is crucial to the custodial relationship between the data and its owners. Best practice for this area calls for encrypting the data on the medium and securing the physical medium itself. Common methods of data encryption pass the data through an encryption algorithm and protect it with a hash. The currently accepted standards employ Advanced Encryption Standard (AES) encryption together with a SHA-1 (or stronger) hash mechanism. Technical requirements for the recommended encryption (AES) and hash (SHA) standards can be found in NIST publications FIPS 197 and FIPS 180-2 respectively. The physical medium itself requires protection from unauthorized access, fire, flood, aging and other elements. The safeguards used in the encryption and physical security of the medium require regular audit and disaster recovery testing. It would be a total loss if countless dollars were spent securing data that was then rendered unusable by faulty encryption and decryption mechanisms or storage procedures.

Data transit protection applies to transit over either an electronic or a physical path. Any transmission of data over an electronic medium needs to be secured with encryption algorithms that are secure not only in cipher strength but are also not susceptible to man-in-the-middle or replay attacks. The method of transmission needs to adhere to the highest levels of confidentiality and integrity. The prime example of a time when confidential data requires transmission is during electronic backups.
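The requirement above that transit protection resist man-in-the-middle and replay attacks, not just offer cipher strength, is the part most often missed. The following added example (written for this page, not from the paper or any backup product) shows the integrity and anti-replay half of that requirement using the standard library's HMAC-SHA256, a FIPS 180 hash. The AES (FIPS 197) encryption of the payload that the paper calls for is assumed to be applied by a cryptography library before the payload enters this envelope and is not shown; the `Sender`/`Receiver` names, the 300-second window and the sample chunks are constructed for the example.

```python
"""Replay- and tamper-resistant transit envelope (added example, not from the paper).

The sender binds a timestamp and a random nonce to the payload with an HMAC.
The receiver verifies the MAC in constant time, rejects stale envelopes, and
rejects any nonce it has already seen inside the freshness window. The payload
is assumed to be AES-encrypted already (FIPS 197); that step is not shown.
"""
import hashlib
import hmac
import json
import os
import time


def _canon(header, payload):
    # Canonical byte string covered by the MAC: sorted-key JSON header + payload.
    return json.dumps(header, sort_keys=True).encode() + b"|" + payload


class Sender:
    def __init__(self, key):
        self.key = key

    def envelope(self, payload, now=None):
        """Wrap one (already encrypted) payload with a timestamp, a nonce and a MAC."""
        now = int(time.time()) if now is None else now
        header = {"ts": now, "nonce": os.urandom(16).hex()}
        mac = hmac.new(self.key, _canon(header, payload), hashlib.sha256).hexdigest()
        return {"hdr": header, "payload": payload.hex(), "mac": mac}


class Receiver:
    def __init__(self, key, window=300):
        self.key = key
        self.window = window   # seconds an envelope stays acceptable (constructed value)
        self.seen = {}         # nonce -> timestamp; pruned as entries age out of the window

    def accept(self, env, now=None):
        """Return (True, payload_text) or (False, reason)."""
        now = int(time.time()) if now is None else now
        payload = bytes.fromhex(env["payload"])
        expected = hmac.new(self.key, _canon(env["hdr"], payload), hashlib.sha256).hexdigest()
        # Check the MAC first, in constant time, so a forged header cannot steer later checks.
        if not hmac.compare_digest(expected, env["mac"]):
            return False, "bad mac"
        ts = env["hdr"]["ts"]
        if abs(now - ts) > self.window:
            return False, "stale timestamp"
        self._prune(now)
        nonce = env["hdr"]["nonce"]
        if nonce in self.seen:
            return False, "replay"
        self.seen[nonce] = ts
        return True, payload.decode()

    def _prune(self, now):
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}


if __name__ == "__main__":
    key = os.urandom(32)                     # constructed shared key for the demo
    s, r = Sender(key), Receiver(key)
    env = s.envelope(b"backup chunk 1")
    print(r.accept(env))                     # accepted
    print(r.accept(env))                     # same envelope again: replay
```

Two design points matter here: the MAC covers the timestamp and nonce as well as the payload, so an attacker cannot refresh a captured envelope's timestamp, and the seen-nonce cache is bounded by the freshness window, so the receiver does not have to remember every nonce it has ever accepted.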
The backup system needs to maintain these high encryption standards in transit, for both storage and retrieval.

Data Leakage Protection goes by many names: data loss protection or prevention, anti-data leakage, insider-threat protection, outbound content management, to name a few. The point of these strategies (often manifested in software products) is to monitor, document, and often prevent sensitive information from leaving an organization without authorization. The definition of "sensitive data" varies by company, too. Some types of data are obviously sensitive, including the credit-card, social-security, or bank account numbers of customers or employees. But sensitive data can also include intellectual property and competitive information: anything a company doesn't want viewed by the wrong eyes.

Data-leak protection products identify sensitive information by matching terms in an included dictionary or by helping companies define what their sensitive data is and using algorithms to flag matches to those definitions. These products can be software-only tools or appliances, and some require the use of client agents. Regardless of their form, most of these products work by scanning "data in motion," meaning information that's leaving the organization via e-mail or instant messaging, or being copied to removable media. These days many of these products also scan "data at rest," meaning information found in data stores throughout the corporate network. The latter approach helps companies get a handle on all the sensitive data they own (and are therefore responsible for protecting under government and industry regulations), not just the sensitive information that's leaving the company.

Once identified by these tools, the data can be handled in a variety of ways. Administrators have the option to simply be alerted that sensitive data is leaving the organization, or the action can be blocked or quarantined.
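The two identification strategies named above (dictionary terms and algorithmic matching) and the three response options (alert, block, quarantine) fit together in a small scanner. The following is an added example for this page, not any DLP vendor's code: it pairs regular expressions with a Luhn check so that random 16-digit strings are not flagged as card numbers, and lets the administrator attach an action to each detector. The dictionary terms, the action table and the sample messages are constructed; the card number used in the test is the widely published Visa test number.

```python
"""DLP content scanner (added example; not any vendor's product code).

Detectors:
  - card_number: regex candidate plus Luhn check to cut false positives
  - ssn:         regex for the NNN-NN-NNNN form
  - dictionary:  constructed list of sensitive project terms
Each detector maps to an administrator-chosen action; the most restrictive
action among all findings decides what happens to the message.
"""
import re


def luhn_ok(digits):
    """Luhn checksum over a string of digits (the check card issuers use)."""
    total, double = 0, False
    for d in reversed(digits):
        n = int(d)
        if double:
            n *= 2
            if n > 9:
                n -= 9
        total += n
        double = not double
    return total % 10 == 0


CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DICTIONARY = ["project falcon", "merger term sheet"]   # constructed sensitive terms

# Administrator's choice per detector (constructed for the example).
ACTIONS = {"card_number": "block", "ssn": "quarantine", "dictionary": "alert"}


def find_cards(text):
    """Return candidate card numbers (digits only) that also pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan(text, actions=ACTIONS):
    """Return a list of (detector, action, match) findings for one outbound message."""
    findings = []
    for card in find_cards(text):
        findings.append(("card_number", actions["card_number"], card))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", actions["ssn"], m.group()))
    lowered = text.lower()
    for term in DICTIONARY:
        if term in lowered:
            findings.append(("dictionary", actions["dictionary"], term))
    return findings


def decide(findings):
    """Most restrictive action wins: block > quarantine > alert > allow."""
    rank = {"allow": 0, "alert": 1, "quarantine": 2, "block": 3}
    best = "allow"
    for _, action, _ in findings:
        if rank[action] > rank[best]:
            best = action
    return best


if __name__ == "__main__":
    # Constructed outbound messages.
    for msg in [
        "Please charge card 4111 1111 1111 1111, thanks",
        "Order 1234 5678 9012 3456 shipped",             # fails Luhn: not a card
        "Attaching the merger term sheet, SSN 123-45-6789",
    ]:
        found = scan(msg)
        print(decide(found), found)
```

The Luhn check is what makes the card detector usable in practice: without it, any invoice or tracking number of the right length would block mail, and administrators would quickly turn the detector off.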
Some products will display a notice to users that they are about to move sensitive data in a manner that violates corporate policy, and prompt users to enter a reason for taking this action. This approach helps educate users about sensitive-data policies and limits unintentional sharing of protected information.

Conclusion and Next Step Considerations

The Bottom Line: What is Not Being Done to Protect Systems? (adapted from the SANS Institute)

Best Practices for Preventing Top Risks:

1. Secure configurations. Configure systems, from the first day, with the most secure configuration that your business functionality will allow, and use automation to keep users from installing/uninstalling software.
2. Secure technical architecture. Use automation to make sure systems maintain their secure configuration and remain fully patched with the latest version of the software (including keeping anti-virus software up to date).
3. Filter egress network traffic. Use proxies on your border network, configuring all client services (HTTP, HTTPS, FTP, DNS, etc.) so that they have to pass through the proxies before traversing outbound.
4. Data leakage protection. Protect sensitive data through encryption, data classification mapped against access control, and automated data leakage protection.
5. Security awareness training. Establish employee and business partner security awareness and provide penalties for those who do not follow the acceptable use policy.
6. Network segmentation. Perform proper DMZ segmentation with firewalls.
7. Application security. Remove the security flaws in web applications by testing programmers’ security knowledge and testing the software for flaws.
In the Information Age, your business is using the Internet to some extent for critical functions, from web browsing, to email, to web-based software-as-a-service applications. The very nature of this connectivity exposes your business to risk. While you may perceive that your business does not have a large exposure due to its size, location or industry, this is not true. Businesses of all sizes are exposed because of the indiscriminate nature of the methods used to identify and attack them. Simply stated: if you are vulnerable, you will be exploited. A firewall is not enough. Virus protection on your email is not enough. Only through ‘Defense in Depth’ can a business be assured that its critical assets are protected from external threats.

Most businesses do not have protections built at every level of the ‘Defense in Depth’ strategy. Deploying Intrusion Detection and Prevention, Policy Management, Vulnerability Assessment and Content Filtering, along with proper management of existing Firewalls and Email security tools, requires capital, 24x7 reporting and management, knowledge of current hacking techniques and security policies, and skills that most IT departments do not readily have at their disposal.

Companies of all sizes depend on their networks for vital daily operations; hence security must be a top priority. Although overall IT spending is down, global security spending is up across every market segment for every business size. Due to the rising complexity of ensuring data and network security, many companies, especially small and medium-sized businesses, are outsourcing their managed security because they lack the expertise and/or resources to implement and manage the solutions themselves.
Outsourcing security solutions also provides companies of this size major business benefits such as:

• Ensure end-to-end secure solutions: by outsourcing, companies can tailor services to meet specific security needs. They aren't limited to standalone point solutions that only cover portions of their information infrastructure.
• Minimize security gaps: protect network systems and data from intentional or accidental damage.
• Gain flexibility and scalability: often, the cost of expanding coverage or adding capabilities is cost-prohibitive for small and medium-sized businesses. It is frequently far more cost-effective to outsource for specialized expertise than to divert internal resources and do it in-house.
• Better protect information assets while improving productivity: service providers have the infrastructure, monitoring systems, and staff to deliver reliable security services, freeing smaller businesses to focus on their core business.

Managed security services delivered by a trusted provider allow you to enjoy all the benefits of centrally managed security without the additional headache of implementing, maintaining and updating all your security products and policies, helping you to mitigate your risk without taking resources away from core business activities.

Network security is not a set-it-and-forget-it methodology. Outsourced managed security services should be seriously considered by any business without full-time staff and software systems dedicated to managing its security posture. Businesses with full-time staff should consider outsourcing these specialized requirements in order to keep staff focused on strategic initiatives and maintain service levels.