Download policies - NY Capital Region Chapter
Network Security and its Impact on Network Continuity
What you don't know can hurt you!

What is "Network Security"?
"Network security consists of the provisions made in an underlying computer network infrastructure, policies adopted by the network administrator to protect the network and the network-accessible resources from unauthorized access and consistent and continuous monitoring and measurement of its effectiveness (or lack) combined together."
Source: http://en.wikipedia.org/wiki/Network_security
Information Security is related to, but not identical with, Network Security.

Impact of a non-secure network infrastructure on an organization
- Loss of Services
  - Website/Server down
  - Loss of Sales
  - Loss of Time
- Loss of Data
  - Proprietary Information
  - Sensitive Information
  - Customer Information
- Loss of Reputation
  - Adverse publicity
  - Loss of Customers
  - Known as an easy mark on hacker forums

Threats: External
- Hackers
  - Enter the network using simple or advanced techniques
  - Use social engineering techniques
  - Have a lot of time and good, free tools: NMAP, Metasploit, Milw0rm, Netcat
- "Phishing"
- "Pharming": much more dangerous than Phishing
- Malware
  - Malicious code on websites
  - Malicious email attachments

A Simple Hack
- Hacker scans a random network with NMAP. Bad luck! It happens to be yours.
- Hacker discovers a website with sensitive information stored on it.
- Hacker uses that information, e.g. user names and passwords, to begin cracking the network.
- Hacker gains access to the network after a few weeks of "brute force" attacks.
- Hacker finds an unpatched Windows XP machine and plants malware on it.
- Hacker finds the backup password file in c:\windows\repair\sam and cracks the local admin password.
- Hacker tries the local admin password on another machine; it is usually the same across an organization.
- A lot of information can now be gathered, including server names and addresses, access to email, etc.
- You are p0wned!
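The "few weeks of brute force attacks" in the Simple Hack are noisy, and the log review the later slides call for is what catches them. The following is an added example, not code from the original slides: it reads constructed authentication log lines (the line format, host addresses and thresholds are assumptions for this illustration) and flags a source that fails too many logons in a short window, and also a source that fails against several different accounts (password spraying, which per-account lockout does not catch).

```python
"""Added example: flag brute-force and password-spray logon attempts.
The log format, addresses and thresholds are assumptions for this illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed syslog-like format: "<ISO timestamp> auth FAILED|OK user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one host hammering "administrator", one host trying
# a different account every half hour, and one ordinary user typo.
SAMPLE_LOG = """\
2009-03-10T08:00:00 auth FAILED user=administrator src=203.0.113.7
2009-03-10T08:00:30 auth FAILED user=administrator src=203.0.113.7
2009-03-10T08:01:00 auth FAILED user=administrator src=203.0.113.7
2009-03-10T08:01:30 auth FAILED user=administrator src=203.0.113.7
2009-03-10T08:02:00 auth FAILED user=administrator src=203.0.113.7
2009-03-10T08:02:30 auth FAILED user=administrator src=203.0.113.7
2009-03-10T08:05:00 auth OK user=jsmith src=192.168.1.20
2009-03-10T09:00:00 auth FAILED user=jsmith src=198.51.100.9
2009-03-10T09:30:00 auth FAILED user=mjones src=198.51.100.9
2009-03-10T10:00:00 auth FAILED user=backup src=198.51.100.9
2009-03-10T10:00:05 auth FAILED user=jsmith src=192.168.1.20
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def find_brute_force(lines, max_failures=5, window=timedelta(minutes=10), spray_accounts=3):
    """Map each suspicious source address to a sorted list of reasons.

    "brute_force": more than `max_failures` failed logons inside any `window`.
    "password_spray": failures against `spray_accounts` or more distinct
    accounts, however slowly they arrive.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    accounts = defaultdict(set)   # src -> distinct accounts it has failed against
    flagged = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAILED":
            continue
        src, ts = ev["src"], ev["ts"]
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        accounts[src].add(ev["user"])
        if len(q) > max_failures:
            flagged[src].add("brute_force")
        if len(accounts[src]) >= spray_accounts:
            flagged[src].add("password_spray")
    return {src: sorted(reasons) for src, reasons in flagged.items()}


if __name__ == "__main__":
    for src, reasons in sorted(find_brute_force(SAMPLE_LOG.splitlines()).items()):
        print(src, ", ".join(reasons))
```

The sliding window is what separates a real brute force from a user who fat-fingers a password twice; the distinct-account counter is what catches the slower attacker who stays under any per-account lockout threshold.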
More Advanced Techniques
- Hacker scans the network and finds the services available over the Internet.
- Only HTTP (TCP port 80) on one server is open to the Internet, with only established connections permitted out (stateful inspection).
- Hacker uses a crafted Metasploit module, built from information gleaned from Milw0rm, to compromise the server and install Netcat.
- Hacker redirects traffic over the permitted port using Netcat listening on the HTTP port, bypassing the outbound firewall rules.
- See above: you are p0wned!

Anatomy of a Pharming Attack

Malware
- Trojans
  - Usually downloaded by the user
  - Do not self-replicate
  - Send information from the compromised host and also listen for connections
- Worms
  - Can be downloaded or can self-replicate
  - Usually attack major services, such as HTTP and SQL
  - Can reside in memory only, i.e. no file is resident on the hard disk

Threats: Internal
- Disgruntled Employees
  - Can be very dangerous if technically savvy
  - Usually steal or remove information; sabotage with a "logic bomb"
- No outbound traffic filtering
  - Web filtering
  - Email filtering
  - Instant Messaging
  - P2P (Peer to Peer)
- Unauthorized Wireless Access Points
- Credential Sharing
- Unpatched or Misconfigured machines

There is some Hope!
- A well designed network can mitigate many types of risks and threats
  - Controls and Monitors
  - Policies and Procedures
- Some network designs are legally mandated:
  - HIPAA: http://www.cms.hhs.gov/HIPAAGenInfo/ (health care and health insurance industry)
  - Sarbanes-Oxley (SOX): publicly traded companies; may include audits and Penetration Tests
- Some are Industry Standards:
  - PCI: https://www.pcisecuritystandards.org/ (credit card industry)
  - NIST: http://www.nist.gov/index.html

Controls and Monitoring
- Controls can allow or disallow traffic or access.
- Controls require little or no intervention.
- Controls can be dangerous, configure with care!
Examples of Controls
- Firewalls allow or block traffic according to a configured Access Control List (ACL). Firewalls typically block traffic from the Internet into a private network.
- Application Firewalls look inside the data sent over the network, determine whether the packet is permitted or not, and then take the configured action. Websense, for example, can block whole categories of sites, such as Nazi sites.
- Antivirus software can remove existing malware and/or stop malware from changing the configuration of the machine.
- Intrusion Prevention Systems look for known "evil" packets and block them.
- Log Monitoring can show when an event occurred and show trends over time, e.g. Splunk.

Policies and Procedures
- Policies require intervention to work.
- Effective Policies and Procedures need to be known by the required users and backed by management.
- Policies and Procedures can have legal ramifications.
- A Procedure implements a Policy.
- Examples:
  - "Least Privilege"
  - Web Usage Policies
  - Disaster Recovery Procedures
  - User creation, change and deletion procedures

Basic Secure Network Design: Zones
- Firewall traffic between different Security Zones.
  - All machines in one zone share one network access policy.
  - To cross a zone boundary, traffic must pass through an ACL.
- A separate network for Internet-facing servers such as web and database servers, with ACLs controlling access to the internal network.
- Typical "office" machines do not have direct access to sensitive servers unless required.

Basic Secure Network Design: Monitor Traffic
- Unauthorized or "odd" traffic is flagged for review.
  - A packet with 10,000 As is probably a buffer overflow attempt.
  - Investigate repeated "denies" on an ACL from a particular host.
- IPS events should be reviewed.
- Trend analysis: over time engineers become familiar with what "normal" traffic is.
- Correlate information from multiple sensors to discover coordinated attacks.
- IPS needs to be tuned, and automatically denying traffic can be dangerous; use with care!
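Two of the "odd traffic" checks above can be written down concretely: counting repeated ACL denies per source host, and looking inside a payload the way an application firewall or IPS does. The block below is an added example, not code from the original slides; the firewall log format, addresses and thresholds are assumptions for this illustration. The payload check flags both the slide's "10,000 As" and, tying back to the Netcat trick on the More Advanced Techniques slide, a first packet on TCP port 80 that does not look like an HTTP request.

```python
"""Added example: review ACL denies and inspect payloads for "odd" traffic.
Log format, addresses and thresholds are assumptions for this illustration."""
from collections import Counter
import re

# Assumed firewall log format (constructed, loosely firewall-syslog-like):
#   "<ts> deny|permit <proto> <src_ip>/<src_port> -> <dst_ip>/<dst_port> acl=<name>"
DENY_RE = re.compile(
    r"deny (?P<proto>\w+) (?P<src>[\d.]+)/(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+) acl=(?P<acl>\S+)"
)

# Constructed sample: one host probing four ports (the NMAP scan as seen by
# the ACL), one stray multicast-DNS packet, and one permitted web hit.
SAMPLE_FW_LOG = """\
2009-03-10T02:00:01 deny tcp 203.0.113.7/40001 -> 192.0.2.10/22 acl=outside_in
2009-03-10T02:00:01 deny tcp 203.0.113.7/40002 -> 192.0.2.10/23 acl=outside_in
2009-03-10T02:00:02 deny tcp 203.0.113.7/40003 -> 192.0.2.10/445 acl=outside_in
2009-03-10T02:00:02 deny tcp 203.0.113.7/40004 -> 192.0.2.10/3389 acl=outside_in
2009-03-10T02:13:40 deny udp 198.51.100.3/5353 -> 192.0.2.10/5353 acl=outside_in
2009-03-10T02:14:00 permit tcp 198.51.100.3/50000 -> 192.0.2.10/80 acl=outside_in
"""


def review_acl_denies(lines, threshold=3):
    """Return {src: {"denies": n, "ports": [...]}} for every source host with at
    least `threshold` denies; the port list shows whether it is one stuck
    application or a sweep across many services."""
    hits = Counter()
    ports = {}
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue          # permits and unparseable lines are not denies
        src = m.group("src")
        hits[src] += 1
        ports.setdefault(src, set()).add(int(m.group("dport")))
    return {src: {"denies": n, "ports": sorted(ports[src])}
            for src, n in hits.items() if n >= threshold}


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def longest_byte_run(data):
    """Length of the longest run of one repeated byte value in `data`."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def inspect_payload(dst_port, data, max_run=256):
    """Reasons to flag a packet for review (empty list means it looks normal).

    `data` is assumed to be the first client-to-server payload of a flow, so
    the HTTP check is not applied to later segments of a legitimate request.
    - "long_byte_run": a run of one byte at least `max_run` long, the classic
      look of a stack buffer overflow attempt (the slide's 10,000 As).
    - "non_http_on_80": port 80 traffic that does not begin like an HTTP
      request, e.g. shell commands driven through a Netcat listener on 80.
    """
    reasons = []
    if longest_byte_run(data) >= max_run:
        reasons.append("long_byte_run")
    if dst_port == 80 and not data.startswith(HTTP_METHODS):
        reasons.append("non_http_on_80")
    return reasons


if __name__ == "__main__":
    for src, info in review_acl_denies(SAMPLE_FW_LOG.splitlines()).items():
        print("repeated denies from", src, info)
    print(inspect_payload(80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
    print(inspect_payload(80, b"A" * 10000))
    print(inspect_payload(80, b"dir c:\\windows\\repair\r\n"))
```

Both checks are heuristics of exactly the kind the slides warn about: they are good at raising something for review and bad as automatic deny rules, since a firmware blob with long zero runs or an HTTP proxy on a non-standard protocol will trip them.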
Basic Secure Network Design: Host Based Protection for Servers and Workstations
- Active Directory Policies
  - Harden machines, e.g. against Denial of Service (DoS)
- "LaBrea" tarpit hosts
- Windows Firewall
- Antivirus
  - Also useful for alarms and backtracking outbreaks
- Host Based IPS
  - Can turn off NetBIOS, LDAP etc. via policy
  - Also useful for alarms and backtracking outbreaks
- Knowledgeable users!!!!!!

Testing Security: Assessment
- Network Security Assessment
  - Find every host
  - Find vulnerabilities
  - Test failover scenarios
  - Review logs and event handling
  - Check compliance with stated policy, e.g. password expiration

Testing Security: Penetration Test
- Exploit discovered vulnerabilities, so there are no "false positives".
- Can find cracks in the security design, e.g. unencrypted admin passwords used to access a patch server that is not normally monitored; can find flaws in web applications.
- Also tests incident response.
- Can be "Black Box", "White Box" or "Grey Box":
  - Black Box: the target is unaware and no information is supplied to the pen tester
  - White Box: pen tester and target cooperate
  - Grey Box: some information is shared between pen tester and target

Q&A
Questions?