The Evolution of Defense in Depth
Robert Perciaccante, CISSP
Security Systems Engineer – Cisco Systems
September 11, 2007 - Pittsburgh, PA
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Slide 2: Good Morning!
• Introductions
• Brief History of Internet Threats
• "Old School Thinking" – Security in the Beginning
• Changes in the Threat Model - ~2000 – Present
• Defense in Depth – What's mine is mine, and it's going to stay mine.

Slide 3: Quick Question
• How many of you are directly involved with the security and protection of your organization?
  - Technical Team Members? Management?
• How many of you have been involved, in one way or another, in a security breach, such as a malicious action or a malware outbreak?
  - At your Work? At your Home?

Slide 4: A Day In The Life of a Security Professional…

Slide 5: What is a Threat?
threat (thrět) n.*
1. An expression of an intention to inflict pain, injury, evil, or punishment.
2. An indication of impending danger or harm.
3. One that is regarded as a possible danger; a menace.
• A threat is any network-based attempt to compromise information, system, or network resources
• They can originate from anywhere, any time
• They take advantage of operating system, application, protocol, and psychological vulnerabilities
• They leverage all methods of entry to a system
• They can steal information, destroy data, deny access to servers, shut down embedded devices
• They do not want to be found
* "threat." The American Heritage® Dictionary of the English Language, Fourth Edition. Houghton Mifflin Company, 2004. 22 Jan. 2007. <Dictionary.com http://dictionary.reference.com/browse/threat>
Slide 6: Sources of Threats
• Application vulnerabilities allow hackers to gain access to underlying databases and improper levels of access to applications
• Improper data access through improperly configured firewalls and legacy firewall technology
• Operating system vulnerabilities allow hackers control of computers and enable information theft and improper system access
• E-Mail can offer spoofed links (e.g. phishing) and attachments infected with spyware, viruses, and other malware
• Internet use introduces files through download, drive-by installations, and errant software installations
• User access to information and resources that they either shouldn't have or don't need
• Network system vulnerabilities can allow hackers to take over entire domains (pharming)

Slide 7: Fateful Words
"Why would someone bother to attack me? I have nothing that they would want."
- IT Manager ~1998 during a firewall proposal meeting
FACT: You may not have something that anyone would want, but you can be used to get to something that they DO want, and where do you think the FBI will come when they start their investigation?
Not only could this cause you to lose your operations center (frozen for investigation by authorities), but you are open to liability issues as a result of failure to perform due diligence.

Slide 8: Fateful Words - Example
• A datacenter was breached, and used to amplify a DDoS network (Smurf attack)
• Target network reported the incident and the source network to the FBI.
• The FBI identified the datacenter network as a source of the traffic, and seized control of the network to perform forensic analysis.
• In doing so, the FBI removed all the devices from the network, taking the company's entire internet presence offline for 5 weeks.
• The datacenter network had to be rebuilt from scratch, with all new hardware, in order to maintain operations during the course of the investigation.
• The cause was determined to be a failure to implement appropriate security controls.
• The company who was the target of the DDoS sued the datacenter owner for lost revenue as a result of the attack and won $750,000 in damages.
Total cost to datacenter owner:
  $750,000.00    Punitive damages to victim
  $175,000.00    Legal resources due to legal action
  $400,000.00    Loss of revenue from downed datacenter and internal resources for its recreation
  $1,325,000.00  Total loss (and this does not include public image impact!)

Slide 9: The Old Security Model: ~1997
[Diagram: Public Internet, IDS\IPS (Maybe…), Corporate Network]

Slide 10: The Old Security Model: ~1997
Generalizations:
• Everyone on the Internet is untrustworthy
• Everyone within my organization is essentially trustworthy
• The model was "hard exterior, soft gooey center"
• Security efforts were focused on keeping the outsiders out
• Internal personnel and\or systems were essentially permitted to go wherever they needed: HTTP\S, FTP, P2P, IM all essentially permitted unchecked.
• Traffic headed to externally facing systems, such as webservers etc, was typically protected through a single layer of firewall protection
• Limited or no internal segregation of networks or personnel
• Hosts were protected with Anti-virus, perhaps a hardened image, but typically were unprotected
• Enterprise event monitoring did not exist
• There was no significant market uptake for centralized logging and\or monitoring of events – It simply was not done
Slide 11: Challenges with the "Old Model"
• Disparate security devices meant segregation of administrative controls
  - Firewall Management
  - Domain Management
  - User Management
  - IDS\IPS Management
  - Router\Switch Management
• Too much data in too many different places
  - Inability to get the "Big Picture" because most personnel only had access to a piece of the puzzle
• Exterior-only protection meant insiders had free rein
  - No protection from the "Insider Threat"
• Inability to reconstruct unauthorized access for investigative or prosecutorial processes

Slide 12: Changes in Internet Use and Abuse…
• As the Internet became more ingrained into the minds of business and personal users, the number of systems attached to the Internet increased.
  - Increased complexity of networks and access
• With this increased attach rate, the importance of layered security grew from a nice-to-have to a MUST have:
  - Regulatory compliance
  - Demonstrability of "Due Diligence"
  - SOX, GLBA, PCI, etc
• Business needs for connectivity
  - Email
  - Website\eCommerce
  - Vendor\Remote Access

Slide 13: … leads to an Increase in Complexity
• Forensics and Investigations more complex
  - Complexity of networks makes the forensic reconstruction of events incredibly more difficult to do accurately
• Resource diversification
  - Resources may be segmented (i.e. Network Admins and Security Admins), making communications and collaboration more difficult in determining root cause
• Intercommunications between companies and partners more complex
  - Application communications are more complex, requiring a much higher degree of network and application understanding to be able to determine what is right and wrong in terms of behaviors
• Monitoring and management more difficult
  - De-centralized monitoring, typically the case, makes recreation of event timelines very problematic

Slide 14: Unlimited Entry Points
• Virtually unlimited application, operating system, driver, and firmware updates annually
• Each has undiscovered vulnerabilities
• This creates virtually unlimited access by hackers

Slide 15: Evolution of Threats and Exploits
[Chart: attack complexity (Low to High) against time (1994 to 2007). From least to most complex: Password Guessing, Self Replicating Code (WORM), Password Cracking, Vulnerability Scanning, Audit Disablement, Back Door Exploits, Session Hijacking, Sweepers, Self Installing Root Kits, Sniffers, Stealth Diagnostics, Packet Forging/Spoofing, Pulsing Zombies, Dynamic Capabilities, Intelligent Bots, Blended Threats]

Slide 16: Evolution of Security Challenges
Rapidly Escalating Threat to Businesses
[Chart: target and scope of damage (Individual Computer, Individual Networks, Multiple Networks, Regional Networks, Global Infrastructure Impact) against time to propagate (Weeks, Days, Minutes, Seconds), by generation:
  1980s: First Gen – Boot viruses
  1990s: Second Gen – Macro viruses, Denial of Service
  Today: Third Gen – Distributed Denial of Service, Blended threats
  Future: Next Gen – Flash threats, Massive "bot"-driven DDoS, Damaging payload worms]

Slide 17: The Evolution of Intent
From Hobbyists to Professionals: threats becoming increasingly difficult to detect and mitigate
[Chart: threat severity against time (1990, 1995, 2000, 2005, WHAT'S NEXT?): Testing the Waters (basic intrusions and viruses), then Fame (viruses and malware), then Financial (theft and damage)]

Slide 18: Emerging Threats
• More access, always on, from everywhere
  - Corporate "Edge" becoming harder to define and control
• Wireless Networking Density
  - Anonymous access to or through legitimate networks, data leakage, remote point of attack against endpoints
• SSL and other single-sided technologies
  - Allow for scaling and instant DR
  - Loss of control over corporate assets significantly changes security posture

Slide 19: Viruses Aren't Dead
• During January 2007, 19 new major viruses were released
• Average response time of 21 leading AV engines was 8 hours
• 40% of the virus attacks in January 2007 had peaked before the AV signature was released
• The trend is getting worse, not better.
• Signature-based solutions must be combined with day-zero protection to protect today's networks.

Slide 20: Security Breach Example Costs
Cost of recent customer records breach:
• $6.5 Million: DSW Warehouse costs from data theft
• $5.7 Million: BJ's Wholesale Club from data breach
Additional impact/cost due to lost customers:
• 20% of customers have ended a relationship with a company after being notified of a breach (Ponemon Institute)
• 58% said the breach decreased their sense of trust and confidence in the organization reporting the incident
Slide 21: Prevention Costs
Prevention may be cheaper than reaction:
• Multiple independent studies have estimated the cost of customer record losses to be between $90 and $182 per record
• "A company with at least 10,000 accounts to protect can spend, in the first year, as little as $6 per customer account for just data encryption, or as much as $16 per customer account for data encryption, host-based intrusion prevention, and strong security audits combined," Gartner analyst Avivah Litan

Slide 22: TJX Security Breach—Jan. 17, 2007
NEW YORK, Jan 17 (Reuters) —TJX Cos Inc. (TJX), which operates the T.J. Maxx and Marshalls chains, said on Wednesday that its computer systems that process customer transactions had been breached, and customer information has been stolen.
• Trading of TJX stock was halted on the floor of the NY stock exchange as the news broke.
• TJX took a $5M charge to cover the investigation, legal fees and costs associated with explaining the problem to its customers

Slide 23: January 18, 2007—Congress Responds
Washington, DC—House Financial Services Committee Chairman Barney Frank (D-MA) today issued the following statement regarding another major data breach potentially impacting millions of credit card holders:
"I learned of the latest data breach from a financial institution that may have to bear the costs of informing customers and issuing new credit cards but they were not told why. This is further evidence of the need for a provision over data security. Mainly, those institutions where breaches have occurred must be identified and they must bear responsibility. Specifically, this means retailers or wholesalers must take responsibility for financial losses, contrary to what common practice is today."
Barney Frank, House Financial Services Committee Chair

Slide 24: The TJX Saga Continues
• Feb 22: TJX indicates that data thefts could reach back into 2005
• March 21: TJX indicates that fraudulently obtained information was used in an $8M gift card scheme
• March 29: Company reports SEC filing with loss of 45.7M records, along with 455k return records containing SSNs, Military IDs, and other info
• April 22: Company clarifies records theft dates back to July 2005 (17 months)
• April 26: Class action lawsuit filed by MA, CT, ME
• May 4: WSJ reports TJX had outdated wireless security, failed to install firewalls, and had not properly installed other layers of security …
  http://online.wsj.com/article_email/article_print/SB117824446226991797-lMyQjAxMDE3NzA4NDIwNDQ0Wj.html

Slide 25: Breaches occur more often than you think…
155,048,651 reported records breached since 2005*
* "unknowns" not counted. Source: privacyrights.org as of June 8, 2007

Slide 26: Common Myths
• Only specific users have access to my systems
• We patch at every release and are therefore secure
• We air-gap the <insert name here> network and it's therefore not exploitable
• Our firewall is bulletproof
• We use more than one vendor in each tier, so we are more secure.
  - This reduces visibility, increases resource requirements, and significantly increases the likelihood of human error!
Repeat after me: it is vulnerable, it is exploitable, someone will access it
Slide 27: New Opportunity: Proliferation of Devices
The Challenge:
• New types of devices are joining the network: hand-helds, smart phones, cameras, tools, physical security systems, etc.
• Diversity of OSs: more devices means more operating systems and custom applications
• IT department often not involved in procurement—little attention paid to security
  - For example, one environment got hacked from an oscilloscope
• User Expectations: users want to use the technology they are used to using at home
  - Example: Wireless networking, cellular network access
Opportunities for Attack:
• All of these systems provide an ingress point into some form of back-end system
• Both the method of communication and the device itself are targets
• Attacks on the device
  - Proliferation leaves many opportunities for taking control of a system
  - Embedded OSs: process controllers, kiosks, ATMs, lab tools, etc.
• Attacks on the back-end
• Attacks on data
  - Sensitive data is becoming increasingly distributed and uncontrolled
• Attacks from "Trusted" Devices
  - Mobility of devices means devices move out of your protected network and then back in, possibly bringing malware with them. For example, a family member of an employee installs software onto a laptop that contains a virus.

Slide 28: True Layered Protection
[Diagram: Public Internet – Internet Gateway – DMZ – DMZ Gateway – Secure DMZ – S-DMZ Gateway – Internal Network (Internal Servers, Internal Clients)]
• In order to minimize an organization's risk, it is IMPERATIVE that security be pervasive throughout every layer of the network and integrated into both technology and business processes.
• While the ROI on security has historically been difficult to calculate, many good ROI models have been published to help minimize overall risk (both operational and financial) as well as provide guidance on the appropriate level of protection
• EXCELLENT article on the US-CERT website: https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/business/677.html

Slide 29: Implement Concept of Security Domains
[Diagram: literal layers (Public Internet, Internet Gateway, DMZ, DMZ Gateway, Secure DMZ, S-DMZ Gateway, Internal Network with Internal Servers and Internal Clients) mapped to domain affiliations: Wholly Untrusted, Partial Trust, Internal Trust]
Domain Definitions:
Wholly Untrusted:
• No operational access or control over devices in this environment
Partially Trusted:
• Operationally controlled by organization
• Accessed by systems not controlled by organization
Internal Trust:
• Operationally controlled by organization
• NOT accessed by hosts not managed by organization
• Individuals using these systems or devices have undergone administrative review

Slide 30: Security Domains in a Nutshell
• Define technical and administrative controls for communications from a higher trust-level domain to a lower trust-level domain
  - Example: Connections from an internal laptop to a DMZ system must only be permitted on FTP or SFTP
• Define technical and administrative controls for communications from a lower trust-level domain to a higher trust-level domain
  - Example: Information that is needed for a web-facing application cannot be fetched directly from an internal database. Instead a secure-DMZ database may receive replicated data from the internal source, and the web application may access the secondary database using strong authentication and secure communications.
• Will require a lot of thought and planning, but will result in a very strong security infrastructure and reduced overall costs!
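As an added example (not from the deck), a deny-by-default checker for the security-domain rules of slides 29 and 30: documented flows between domains are the only ones permitted, and lower-to-higher crossings must additionally carry strong authentication and secure transport. The domain names, the trust ranking (placing the Secure DMZ between the DMZ and the internal network) and the service labels are assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed trust ranking of the deck's four literal layers, low to high.
# Placing the Secure DMZ between the DMZ and the internal network is an
# assumption for illustration; the deck only names the three affiliations.
TRUST = {"internet": 0, "dmz": 1, "sdmz": 2, "internal": 3}


@dataclass(frozen=True)
class Rule:
    """One documented, permitted flow between two domains."""
    src: str
    dst: str
    services: frozenset
    strong_auth: bool = False   # caller must be strongly authenticated
    encrypted: bool = False     # transport must be secured


# The documented control set. Everything not listed here is denied.
# Service names are illustrative labels, not protocol definitions.
POLICY = (
    # lower -> higher: anonymous Internet users reach only the web tier
    Rule("internet", "dmz", frozenset({"http", "https"})),
    # higher -> lower: internal laptop to DMZ host only on FTP or SFTP (slide 30)
    Rule("internal", "dmz", frozenset({"ftp", "sftp"})),
    # higher -> lower: internal source replicates into the S-DMZ database
    Rule("internal", "sdmz", frozenset({"db-replication"}), encrypted=True),
    # lower -> higher: web app reads the replica, never the internal DB (slide 30)
    Rule("dmz", "sdmz", frozenset({"db-query"}), strong_auth=True, encrypted=True),
)


@dataclass(frozen=True)
class Flow:
    """A proposed or observed connection to be checked against POLICY."""
    src: str
    dst: str
    service: str
    strong_auth: bool = False
    encrypted: bool = False


def direction(flow):
    """Classify the trust crossing: 'up' toward higher trust, 'down', or 'lateral'."""
    if TRUST[flow.src] < TRUST[flow.dst]:
        return "up"
    if TRUST[flow.src] > TRUST[flow.dst]:
        return "down"
    return "lateral"


def evaluate(flow, policy=POLICY):
    """Return (allowed, reason). Unknown domains and unlisted flows are denied."""
    if flow.src not in TRUST or flow.dst not in TRUST:
        return False, "unknown domain"
    kind = direction(flow)
    for rule in policy:
        if (rule.src, rule.dst) != (flow.src, flow.dst) or flow.service not in rule.services:
            continue
        # A documented rule matches; enforce the conditions it demands.
        if rule.strong_auth and not flow.strong_auth:
            return False, f"{kind}: {flow.service} requires strong authentication"
        if rule.encrypted and not flow.encrypted:
            return False, f"{kind}: {flow.service} requires secure communications"
        return True, f"{kind}: permitted by documented rule"
    return False, f"{kind}: no documented rule (deny by default)"


def audit(flows, policy=POLICY):
    """Return the flows that violate policy, each paired with the reason."""
    violations = []
    for flow in flows:
        allowed, reason = evaluate(flow, policy)
        if not allowed:
            violations.append((flow, reason))
    return violations


if __name__ == "__main__":
    # Constructed sample flows, including the two cases the deck walks through.
    sample = [
        Flow("internal", "dmz", "sftp"),                      # permitted
        Flow("internal", "dmz", "rdp"),                       # denied: not FTP/SFTP
        Flow("dmz", "internal", "db-query", True, True),      # denied: no path to internal DB
        Flow("dmz", "sdmz", "db-query"),                      # denied: missing strong auth
        Flow("dmz", "sdmz", "db-query", True, True),          # permitted: replica with auth + TLS
        Flow("internet", "internal", "https"),                # denied: Internet straight to internal
    ]
    for flow, reason in audit(sample):
        print(f"DENY {flow.src}->{flow.dst} {flow.service}: {reason}")
```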
Slide 31: Implementing True Defense in Depth
[Diagram: Public Internet – Internet Gateway – DMZ – DMZ Gateway – Secure DMZ – S-DMZ Gateway – Internal Network (Internal Servers, Internal Clients, Internal Devices)]
• Example: Anonymous Internet User
• Consider participants of the Public Internet as hostile:
  - If they cannot be inherently trusted, then they must by default be treated as automatically hostile.
• Minimize the number of services available to hosts that are not trusted
• Provide a means to authenticate or establish the trust of external hosts through VPN use, SSL certificate authentication, etc.
• Move everything that touches or is touched by the Public Internet behind a perimeter defense point

Slide 32: Implementing True Defense in Depth
[Same layered diagram, with Internet Gateway(s)]
• Example: Perimeter Firewall
• Establish formally accepted guidelines for standardization of perimeter security devices, and services that are permitted in both directions!
• Implement an active defense methodology that will be flexible enough to respond to changing business needs and internet threats, such as the implementation of both firewall and intrusion prevention.
• Utilize best-of-breed technologies that maximize capital expenses, reduce internal resources, and provide the greatest ability to identify and respond to threats

Slide 33: Implementing True Defense in Depth
[Same layered diagram]
• Example: Webserver Farm
• Establish formally accepted guidelines for standardization of perimeter security devices, and services that are permitted in both directions.
• Provide a heightened level of security over standard hosts through formal lock-down procedures.
• Implement active response protection through the implementation of agent- and policy-based monitoring such as configuration monitoring and behavior-based agents.
• Restrict access to these systems, even from your internal systems!

Slide 34: Implementing True Defense in Depth
[Same layered diagram]
• Example: Firewall between DMZ and Secured DMZ
• Establish formally accepted guidelines for standardization of perimeter security devices, and services that are permitted in both directions!
• Protect higher-trust networks from potentially compromised hosts.
• Create a mid-tier for shared information between the DMZ and the internal network by creating a secure DMZ.
• Restrict both ingress and egress through this gateway!

Slide 35: Implementing True Defense in Depth
[Same layered diagram]
• Example: Network used to replicate information from internal data sources to externally-facing systems
• Establish formally accepted guidelines for specifically what data must go through the S-DMZ, and what hosts may pull from or push to hosts in this network.
• Implement active response protection through the implementation of agent- and policy-based monitoring such as configuration monitoring and behavior-based agents.
• Restrict access to these systems, even from your internal systems!
Slide 36: Implementing True Defense in Depth
[Same layered diagram]
• Example: Firewall between Internal network and Secured DMZ
• Establish formally accepted guidelines for standardization of perimeter security devices, and services that are permitted in both directions!
• Protect higher-trust networks from potentially compromised hosts.
• Very much like the controls in place for the DMZ and Perimeter gateways
• Restrict both ingress and egress through this gateway!

Slide 37: Implementing True Defense in Depth
[Same layered diagram]
• Example: Internal routers and switches (access and distribution)
• Define formal paths for traffic flows (assists in incident containment)
• Implement a layered approach through security applied on each device, switch, etc.
• Use VLANs as a means to segregate LIKE traffic, but not as a means to separate security domains
  - VLAN hopping is possible in certain situations
• Create internal segregation to further compartmentalize traffic and access (guests, vendors, etc)
• Utilize strong authentication and encryption
  - WEP is not security; it can be cracked in under 3 mins with a very low skill level
• Use Network Access Control to authenticate and assign additional restrictions as necessary
• Implement internal intrusion prevention to keep unauthorized traffic under control and to provide additional alerts for early warning of outbreaks, etc.
Slide 38: Implementing True Defense in Depth
[Same layered diagram]
• Example: Infrastructure computational devices such as file\print servers, email servers, etc
• Develop strong security lock-down and configuration standards for all hosts.
• Implement active response protection through the implementation of agent- and policy-based monitoring such as configuration monitoring and behavior-based agents.
• Utilize centralized authentication (LDAP, etc) to speed provisioning, and respond to personnel changes.
• Restrict access to these systems, even from your internal systems!

Slide 39: Implementing True Defense in Depth
[Same layered diagram]
• Example: End-user laptops, desktops, or terminals.
• Develop strong security lock-down and configuration standards for all hosts.
• Implement active response protection through the implementation of agent- and policy-based monitoring such as configuration monitoring and behavior-based agents.
• Utilize centralized authentication (LDAP, etc) to speed provisioning, and respond to personnel changes.

Slide 40: Implementing True Defense in Depth
[Same layered diagram]
• Example: Shared resources, such as network-enabled printers, IP-based controls, etc.
• Develop standardized hardware, software, and configuration procedures, and secure where possible
• Remember: Most network devices use an embedded operating system, and can be used as a jumping-off point for further attacks or infection!
• Minimize the number of these devices, and ensure that they are not accessible

Slide 41: Calculate the Value of your Data
• Use a deterministic approach to security
• Apply the appropriate amount of protection based on business risk analysis, not FUD
• Calculate the ROI of security vs "protect everything at any cost"
  - Ensure that you are reducing the overall risk of your organization through the application of appropriate controls
  - Don't protect data worth $1,000 with a $100,000 device
• Determine and document what is an acceptable loss, and prepare for it
• Create a "Risk Acceptance" process that will allow for documented exceptions, reducing the likelihood of undocumented changes being made in order to circumvent the formal procedure.

Slide 42: General Controls: Gateway Controls
• Utilize best-of-breed technology
• Create a policy that documents what is considered acceptable traffic, and publish these standards.
  - Once published, they can be incorporated into your project management methodology, allowing for automated enforcement and more uniform adoption.
• Utilize both firewall and intrusion prevention technologies to maximize the effectiveness of your perimeter defense against known and unknown attempts.
• Define all points of ingress and egress, and apply these controls to all of these gateways uniformly
  - This reduces the complexity and chances for human error.
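An added worked example (not from the deck) of the arithmetic behind slides 21 and 41: using the deck's $90 to $182 per-record loss estimates and its $6 and $16 per-account prevention figures, it computes the breach probability above which a control pays for itself, a simple return on security investment, and the slide 41 proportionality check. The single-period model, the "control prevents the whole loss" assumption behind the break-even figure, and the mitigation fraction are simplifications of my own.

```python
# Figures quoted on the deck (slide 21).
LOSS_PER_RECORD = (90.0, 182.0)          # estimated cost of one lost customer record
CONTROL_PER_ACCOUNT = {                  # first-year prevention cost per account
    "data encryption only": 6.0,
    "encryption + host IPS + audits": 16.0,
}


def annual_loss_expectancy(records, loss_per_record, breach_probability):
    """Expected yearly loss: the exposure if breached, scaled by breach likelihood."""
    if not 0.0 <= breach_probability <= 1.0:
        raise ValueError("breach_probability must be between 0 and 1")
    return records * loss_per_record * breach_probability


def breakeven_probability(loss_per_record, control_per_record):
    """Breach probability above which the control costs less than the expected loss.

    Assumes the control would have prevented the whole loss; with partial
    mitigation the threshold is correspondingly higher (see rosi()).
    """
    if loss_per_record <= 0:
        raise ValueError("loss_per_record must be positive")
    return min(1.0, control_per_record / loss_per_record)


def rosi(records, loss_per_record, breach_probability, control_cost, mitigation):
    """Return on security investment: (loss avoided - control cost) / control cost.

    `mitigation` is the assumed fraction of expected loss the control removes.
    """
    if control_cost <= 0:
        raise ValueError("control_cost must be positive")
    if not 0.0 <= mitigation <= 1.0:
        raise ValueError("mitigation must be between 0 and 1")
    ale_before = annual_loss_expectancy(records, loss_per_record, breach_probability)
    avoided = ale_before * mitigation
    return (avoided - control_cost) / control_cost


def control_is_proportionate(data_value, control_cost, max_ratio=1.0):
    """Slide 41's rule of thumb: do not spend more protecting data than it is worth.

    `max_ratio` is the largest acceptable control-cost to data-value ratio.
    """
    if data_value < 0 or control_cost < 0:
        raise ValueError("values must be non-negative")
    if data_value == 0:
        return control_cost == 0
    return control_cost / data_value <= max_ratio


def breakeven_table():
    """Break-even breach probability for each deck control across the loss range."""
    return {
        name: {loss: round(breakeven_probability(loss, cost), 4) for loss in LOSS_PER_RECORD}
        for name, cost in CONTROL_PER_ACCOUNT.items()
    }


if __name__ == "__main__":
    for name, row in breakeven_table().items():
        for loss, p in row.items():
            print(f"{name:32s} ${loss:5.0f}/record -> pays off if P(breach) > {p:.1%}")
    # Slide 21's 10,000-account company buying the full bundle, under an assumed
    # 1-in-5 yearly breach probability and 90% mitigation.
    print("ROSI:", round(rosi(10_000, 182.0, 0.20, 16.0 * 10_000, 0.9), 4))
    print("$100k device for $1k of data proportionate?", control_is_proportionate(1_000, 100_000))
```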
Slide 43: General Controls: Pervasive Network Controls
• Add security to every layer of your network
• Utilize the concept of security domains, even within your internal network
  - Segregate infrastructure servers from mission-critical systems from desktops from network printers etc…
• Implement Network Access Control to limit access to your network from personnel on the inside such as guests, vendors, etc.
• Use strong encryption and strong authentication everywhere – if you cannot secure it properly, don't deploy it until you can!

Slide 44: General Controls: Host-Based
• Develop strong security configurations for hosts as appropriate
• Implement Behavioral- and Policy-based protection
  - Provides the flexibility to adapt to new threats, as well as support any application you may be running internally.
  - Removes the need for signature updates; prevents zero-day attacks based on how the attack behaves, not what its signature is.
• Implement host-based firewalling technologies to prevent connections from occurring in the first place.

Slide 45: General Controls: Enterprise Visibility
• Implement a centralized logging and monitoring environment
  - Send all logs (or as many as practical based on business risk profile) to a centralized event correlation environment
  - Provides "instant" visibility into issues, potentially before they become widespread
  - Ensures that the forensic review of issues is concise, resource-group independent, and forensically sound
• If you do not already have one, prepare an incident response plan, and practice it often!

Slide 46: Questions?
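As an added example (not from the deck) for the Enterprise Visibility slide (45) and the early-warning point of slide 37: constructed alert lines from sensors in three different domains are parsed and correlated centrally, and an event type is flagged once it has been raised against a threshold of distinct hosts within a time window. The same function run per sensor shows why the decentralized view of slide 13 misses the outbreak. The log format, sensor names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert lines in an assumed "<timestamp> <sensor> <event> src=.. dst=.." format.
SAMPLE_LOGS = """\
2007-09-11 09:00:05 ips-internal port_scan src=10.1.5.20 dst=10.1.5.0/24
2007-09-11 09:00:40 hips-dmz outbound_smb_burst src=172.16.2.11 dst=10.1.5.0/24
2007-09-11 09:01:10 ips-internal outbound_smb_burst src=10.1.5.20 dst=10.1.6.0/24
2007-09-11 09:01:30 ips-internal port_scan src=10.1.5.20 dst=10.1.7.0/24
2007-09-11 09:03:55 fw-sdmz outbound_smb_burst src=10.1.7.33 dst=10.2.0.0/16
2007-09-11 09:15:00 ips-internal port_scan src=10.1.5.20 dst=10.1.8.0/24
2007-09-11 09:20:00 hips-dmz outbound_smb_burst src=172.16.2.40 dst=10.1.5.0/24
not a well-formed line, should be skipped
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<sensor>\S+) (?P<event>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def parse(text):
    """Parse alert lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return events


def outbreak_warnings(events, min_hosts=3, window=timedelta(minutes=5), sensor=None):
    """Flag each event type the first time it is seen from at least `min_hosts`
    distinct source hosts within `window`.

    sensor=None correlates every sensor together (the centralized view);
    a sensor name restricts the check to that sensor's own alerts (the
    decentralized view in which each team only sees its own piece).
    """
    by_event = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if sensor is None or e["sensor"] == sensor:
            by_event[e["event"]].append(e)
    warnings = []
    for event, evs in by_event.items():
        for i, e in enumerate(evs):
            cutoff = e["ts"] - window
            hosts = {x["src"] for x in evs[: i + 1] if x["ts"] >= cutoff}
            if len(hosts) >= min_hosts:
                warnings.append({"event": event, "at": e["ts"], "hosts": sorted(hosts)})
                break  # one early warning per event type is enough
    return warnings


def sensors(events):
    """Distinct sensor names present in the parsed events."""
    return sorted({e["sensor"] for e in events})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    print("centralized:", outbreak_warnings(evs))
    for s in sensors(evs):
        print(f"{s} alone:", outbreak_warnings(evs, sensor=s))
```

The repeated port scans from one host never cross the distinct-host threshold, while the SMB burst seen by three sensors in three domains does, and only when their logs are correlated together.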