Managing A Secure Infrastructure – Tales From the Trenches November 6, 2003

Upload: william-bryan

Post on 18-Dec-2015

Managing A Secure Infrastructure – Tales From the Trenches

November 6, 2003

About the Speaker

• Steve Manzuik – Director, Security-Sensei.Com

• Founder / Moderator of Vulnwatch.Org

• Founder of Win2KSecAdvice mailing list

• Member of nmrc.Org

• Co-Author of Hack Proofing Your Network

• Participant – Open Web Application Security Project (OWASP.org)

• Participant – Open Source Vulnerability Database (OSVDB.org)

www.nmrc.org

Outline

• Security today

• Failures in Security

• Succeed in Security

Security Today

• Vulnerabilities will always exist

• Typical organizations have made large investments in network and security infrastructure

• Incidents still occur at high rates

• Past investments do not support the business need

• Security warnings to upper management are seen as the new Y2K hype.

• It is time for organizations to stop buying the latest security toy and actually secure their networks.

You Have Been Lied To!

• All the Firewalls and Intrusion Detection devices in the world will not protect you.

• Most organizations do not have a firm grasp of their entire infrastructure.

• Aggressive Firewall configurations prohibit business and prohibit productivity.

• Network Intrusion Detection has limited value in most organizations.

• Security is not a magic black box or application.

• Security is NOT a black art.

Failures in Security

• Firewalls

• Intrusion Detection

• Wall of Shame

Expensive Logging Devices: Firewalls

• “But we have a firewall, we are completely protected…….”

• “We have invested in world class firewall technologies… …we are secure.”

• “Why would we want to block people from getting out?”

• “A hacker would have to break into our firewall in order to gain access….”

• “You mean you have to patch a firewall?”

Expensive & Confusing Logging Devices: IDS

• “Well our IDS didn’t see anything wrong…”

• “There were just too many alerts so I turned it off….”

• “I didn’t understand what SHELLCODE x86 NOOP was so I ignored it….”

• “ISS told us that it wasn’t possible….”

• “What do you mean I can’t monitor this switch…”

• “No one watches the console on weekends and holidays…..”

Other Examples Wall of Shame

• “Passwords just made implementing the technology too difficult for our users…”

• “What exactly do you mean by audit process?”

• “We spent 2 million dollars on firewalls and other security solutions and 2 thousand dollars on testing those systems….”

• “We don’t exactly have a security department but Joe in the server group is a hacker so I am sure he is taking care of us….”

• “But our vendor hasn’t told us anything about….”

• “But that is a localhost issue…..”

What does this all mean?

• A proper security posture combines people, process and technology.

• Most organizations rely on technology alone, leaving their security posture weak and vulnerable.

Success in Security

“The greatest security infrastructures are the ones that satisfy the most business needs while allowing for uninhibited network communications between employees, business partners, vendors, and customers.”

Success in Security

• Do not let vendors use your fear, uncertainty and doubt against you.

• It is a lot of work, but when approached in a logical and calm fashion, Information Security can be improved.

• Never think you are completely secure.

Succeed in Security: Awareness

• All the security in the world can be trumped by the double click of an email attachment.

• If your users are not aware – they are your greatest threat.

• If your Administrators are not educated – they are unarmed and unable to be proactive.

Succeed in Security: Know Your Assets

• If you don’t know what you have or what it does – how do you plan on protecting it?

• If you don’t know your business how will you enable it?

• Data and system classification is essential.

• Large organizations must approach security based on risk.

Succeed in Security: Host Security

• Secure baseline configurations – the technical starting point of a truly secure infrastructure.

• Thwarting the attacker by leveraging technology you already have.

• Helps improve desktop & server support processes and actually reduces long term support costs.

Succeed in Security: Monitoring

• Logical combinations of network and host based monitoring can be valuable.

• Log management is valuable.

• Technical education is far more valuable than the technology itself.

• Do the right people know when a device is added to the network? What about removed?

Succeed in Security: Validation

• Penetration Testing over Vulnerability Assessment.

• Intrusion Detection Validation and tuning is essential.

• Firewall rule and configuration validation is essential.

• Don’t forget about phones and wireless devices.

Succeed in Security: Other Tips

• Explicit trust is a dangerous game.

• Users are not malicious for the most part but must be protected against themselves.

• Don’t overlook email threats.

• Don’t overlook social engineering threats.

Succeed in Security: Other Tips

• Build a trusted relationship with a security consulting organization that is vendor neutral.

• Observe what other organizations in similar industries and of similar size are doing.

Closing

• Questions?

Steve Manzuik
