Security in all its states
by Simon FRANCOIS, 11 March 2014

Simon FRANCOIS, Network and Security Manager
www.segi.be [email protected]
Security in all its states
11/03/2014

.: We don’t mess with Security :.
© 2013 SEGI ULg – Simon FRANCOIS

.: Agenda :.
- General Security Basics
- Threats
- Hints and Best Practices
- An eye on ULg
- Responsibilities
© 2014 SEGI ULg – Simon FRANCOIS

.: Basics : the Triad :.
- CIA
  - Confidentiality
  - Integrity
  - Availability

.: Basics : Broad Spectrum :. according to CISSP CBK
- Access control
- Software development
- BCP & DRP
- Cryptography
- IS Governance and Risk Management
- Legal, Regulations, Investigations, Compliance…
- Security Operations
- Physical (Environment) Security
- Security Architecture and Design

.: Basics : Deeper in Access Control :. according to CISSP CBK

.: Basics : not that obvious :. according to Sean Bean

.: Threats : they are Legion (1) :.

.: Threats : they are Legion (2) :.

.: Threats : sad truths :. It’s a trap!
- 80% of the exploits rely on well-known weaknesses that haven’t been addressed (Source: Verizon 2013Q4)
- The biggest flaw is the human factor
- You won’t stop a determined hacker; you play a game where he’s one step ahead

.: BP : the cost of security :. How valuable are your assets?
[Figure: axis "Percentage of blocked threats", marked at 99% and 100%]
Risk = (Vulnerability * Exposure) - Security

.: BP : every layer its job :.
- Let firewalls and routers deal with IP. Not your code, not your server.
- Let centralized services (AAA, monitoring) deal with their responsibilities. Not your code.
- Let the OS libraries do their job. Don’t override them unless it is vital.

.: BP : Secure everything :.
- Security must become a reflex action
  - Don’t add security a posteriori
  - Think, build and develop with security in mind
- Use TLS as often as possible
  - As a client: choose smtpS, imapS…
  - As a provider: force httpS, Sftp…
- AAA your users
  - No anonymous connection (unless public)
  - Keep track and liability

.: BP : Logs! Logs! Logs! :.
- Keep logs of everything
  - Network devices, servers, OS events, personal computers, applications…
  - The only way to analyze and understand a posteriori
- Use accounting for users’ activity
  - Liability
- Legal matters
- Have your logs analyzed by software

.: Information System @ ULg :. Systems side
- 2 datacenters with High Availability
  - 2 secured rooms, 3 km apart
  - Many 10Gbps direct optical fibers
  - NetApp Metrocluster
- 260 TB storage, 150TB VTL
- Supercomputer (1920 cores; 7,7TB RAM)
- >1,000 servers
- > 95% virtual
- All above hosted @SEGI! Many more across Campus…

.: Information System @ ULg :. Network side
- 50,000 network access wall plugs
- 1,800 WiFi access points
- 500 switches; 15 core routers (10Gbps partial mesh)
- > 30 firewalls
- 2 next generation firewalls (NGFW) since 2009
- 2x 1Gbps through Belnet (> 20TB/7TB per month)
- Kind of Internet Service Provider

.: Information System @ ULg :. Institutional security features
- Virtual network split (VLAN; VRF)
- Local firewalls
- Internet border firewalls and NG firewalls
  - IDS / IPS = Threat prevention
  - URL filtering: dangerous or dubious websites
- Antispam
- Antivirus

.: Information System @ ULg :. Security side
- Hundreds of thousands of automatic attacks denied each… day.
  - SQL injection, brute force, C&C traffic, stack overflow, SIP spyware…
- Phishing still works fine, at every attempt
- Locally managed servers are barely updated
- Personal passwords: shared, easy to find…
- No auth apps, infected BYOD…

.: Responsibilities :.
- Security fails because of the weakest link
  → Security is everyone’s responsibility!
- We want YOU to share, inform, educate, help, correct… others.