TACOM 2014: Back To Basics

Upload: joel-cardella

Post on 12-Jul-2015


Page 1: TACOM 2014: Back To Basics
Page 2: TACOM 2014: Back To Basics

BACK TO BASICS FOR INFORMATION SECURITY

Joel Cardella

Director, Information Security

Holcim US

Page 3: TACOM 2014: Back To Basics

Biographical Info

• Joel Cardella

• 20 years in Information Technology

• Network Operations

• Data Center

• Telecommunications

• Health Care

• Manufacturing

• Currently Regional Security Officer for multinational industrial manufacturing organization

• Passionate evangelist of infosec

Page 4: TACOM 2014: Back To Basics

Security problems in the news

Page 5: TACOM 2014: Back To Basics

The (abbreviated) story of Mat

Page 6: TACOM 2014: Back To Basics

Who

• Mat Honan is a digital journalist, writing for Wired, Gizmodo and a number of digital magazines

• On August 3, 2012, hackers used simple social engineering to trick Amazon and Apple into providing information that would allow them to take over the AppleID of Wired reporter Mat Honan

• Information shown on the slide diagram: Name, Email address, Billing address, Last 4 of credit card on file

Page 7: TACOM 2014: Back To Basics

What

• Mat had the following happen:

• Gmail account compromised & deleted

• Me.com email account compromised

• Apple (icloud.com) ID compromised

• Remote wipe of iPhone

• Remote wipe of Macbook

• Twitter account compromised

• It was 10 minutes between when he noticed his iPhone being wiped and calling AppleCare

• By then it was far too late – 30 minutes earlier the hack had occurred

• 2 minutes later the hackers post on his hacked Twitter account

Page 8: TACOM 2014: Back To Basics
Page 9: TACOM 2014: Back To Basics

Why

• Mat is a public figure so it’s expected you can find more info on him than a non-public figure

• However, our hackers had only one thing in mind when they hacked his account – what do you think it was?

• He had a 3 letter Twitter name (@mat) and they liked it and wanted to use it

Page 10: TACOM 2014: Back To Basics

Poor basic practices

• While this hack was clever, Mat also observed poor basic security practices

• “My Twitter account linked to my personal website, where they found my Gmail address.”

• He re-used the same username/email name (and possibly password)

• “If I had some other account aside from an Apple e-mail address, or had used two-factor authentication for Gmail, everything would have stopped [when the hackers accurately guessed that information].”

Page 11: TACOM 2014: Back To Basics

Basic security starts with foundations

[Figure: Maslow-style pyramid of security needs; levels labelled Low, Medium, High, Critical, with “Other controls” above them]

http://infospectives.me/2014/07/31/modifying-maslow-what-really-drives-your-infosec-needs-the-state-of-security/

Page 12: TACOM 2014: Back To Basics

Unfortunately…

[Figure: a second pyramid showing what usually happens instead: Buy latest hyped product, Panic, Pray, Hope, Procrastinate]

http://infospectives.me/2014/07/31/modifying-maslow-what-really-drives-your-infosec-needs-the-state-of-security/

Page 13: TACOM 2014: Back To Basics

• “…if your roof has leaks, you fix the leaks in the roof before you remodel the house, right?”

• John Pescatore, SANS

http://www.techrepublic.com/blog/tech-decision-maker/it-security-fix-the-leaky-roof-before-remodeling-the-house/

Page 14: TACOM 2014: Back To Basics

Pareto principle

• Aka the 80/20 rule

• In anything, a few (20) are vital and many (80) are trivial

• In security terms: focusing on 20% of your basics can address 80% of your risk

Page 15: TACOM 2014: Back To Basics

3 key words

Page 16: TACOM 2014: Back To Basics

Part 1: PERSONAL BASICS

Page 17: TACOM 2014: Back To Basics

Walls of separation

• Build walls of separation between your online identities

• Do not reuse usernames

• Do not reuse email addresses

• Do not reuse passwords

• Separate work from home, bank from everything

• Use password managers to help with this

• Keepass (http://keepass.info/)

• LastPass (https://lastpass.com/)

• 1Password (https://agilebits.com/onepassword)

Page 18: TACOM 2014: Back To Basics

Strong passwords

• Minimum complexity of Upper, Lower, Number & Symbol, plus spaces if you can

• Passphrases are the best choice if available

• Use spaces where you can, form “words”

• Mis-spelling of words helps!

• Minimum 10 characters – for now…

Page 19: TACOM 2014: Back To Basics

Rainbow tables guess passwords

https://www.freerainbowtables.com/

Page 20: TACOM 2014: Back To Basics

Multifactor where available

Something you know + Something you have = Strong authentication

Page 21: TACOM 2014: Back To Basics

Social media

Whether or not you are out there, you are out there!

Page 22: TACOM 2014: Back To Basics

Part 2: ENTERPRISE BASICS

Page 23: TACOM 2014: Back To Basics
Page 24: TACOM 2014: Back To Basics

The basics

PREVENT

DETECT

RESPOND

RECOVER

Page 25: TACOM 2014: Back To Basics

Risk Defined in Security Terms

THREATS X VULNERABILITIES = RISK

[Diagram labels around the formula: (Offense) (Defense); Likelihood, Impact; Reduces Risk; Drives risk calculation]

Threats increase risk

Dealing with vulnerabilities reduces risk

When a threat connects with a vulnerability, there is impact

Source: Dr Eric Cole, SANS

Page 26: TACOM 2014: Back To Basics

Critical security controls

• Quick wins

• Ways to monitor & measure

• Easy way to speak to your business / create scorecard

Page 27: TACOM 2014: Back To Basics

Rapid approach to the basics

• Application whitelisting (CSC 2/DSD 1)

• Use of standard, secure system configurations (CSC 3)

• Patch application software within 48 hours (CSC 4/DSD 2)

• Patch system software within 48 hours (CSC 4/DSD 3)

• Reduce number of users with administrative privileges (CSC 3 and 12/DSD 4)

• DSD suggests these will fit into the Pareto principle and address 80% of your risks

Page 28: TACOM 2014: Back To Basics

Part 3: BASICS IN DEPTH

Page 29: TACOM 2014: Back To Basics

Basic attack pattern of all intruders

Inbound connection → Open a port / start a service → Outbound connection

For basics, what can we focus on to mitigate this attack pattern?

Page 30: TACOM 2014: Back To Basics

Recon your network

• What are your assets?

• Hardware

• Software

• Are you aware of authorized vs unauthorized assets?

• Can you tell when this changes?

• ARE YOU SURE?
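The “open a port / start a service” step of the attack pattern above, and the “can you tell when this changes?” question, can both be answered with one basic check: diff the host’s listening sockets against an approved baseline. This is an added Python example, not from the deck; the `ss -ltnp` output and the allow-list baseline are constructed.

```python
import re
from typing import NamedTuple

# Parses lines in the shape printed by `ss -ltnp` on Linux (sample output below is constructed).
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)

class Listener(NamedTuple):
    addr: str
    port: int
    proc: str

def parse_ss(text: str) -> set:
    """Return the set of listening sockets found in `ss -ltnp` style output."""
    found = set()
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            found.add(Listener(m['addr'], int(m['port']), m['proc']))
    return found

def drift(baseline: set, current: set):
    """Return (unexpected, missing): listeners not in the approved baseline,
    and approved listeners that are gone (a dead service is also a finding)."""
    return current - baseline, baseline - current

# Assumed allow-list for this host: sshd on 22 and nginx on 443, nothing else.
BASELINE = {Listener('0.0.0.0', 22, 'sshd'), Listener('0.0.0.0', 443, 'nginx')}

# Constructed snapshot: a new listener on 4444 has appeared and nginx is no longer listening.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      1      0.0.0.0:4444       0.0.0.0:*         users:(("nc",pid=4021,fd=3))
"""

def check_host(ss_output: str = SAMPLE_SS, baseline: set = BASELINE):
    """Sorted lists of (unexpected, missing) listeners for one host snapshot."""
    unexpected, missing = drift(baseline, parse_ss(ss_output))
    return sorted(unexpected), sorted(missing)

if __name__ == '__main__':
    new, gone = check_host()
    for l in new:
        print(f'ALERT new listener {l.addr}:{l.port} ({l.proc})')
    for l in gone:
        print(f'WARN approved listener missing {l.addr}:{l.port} ({l.proc})')
```

Run it against each host’s baseline on the recon cadence from the governance calendar; every line it prints is either an unauthorized asset or a change nobody recorded.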

Page 31: TACOM 2014: Back To Basics

Recon – things TO DO

• Create a standard user account

• Log in from the outside and from the inside (both sides of your firewall)

• Where can you go? What can you see? What do you have access to?

• Do you understand what you are seeing?

• Are you forgetting anything? Look for examples of what other breaches have occurred and what they have tried

• Threat modeling works well here

Page 32: TACOM 2014: Back To Basics

Account management – WHAT TO ASK

• What types of accounts exist in your enterprise?

• Do you know who owns those accounts?

• Do you know if those accounts are still valid?

• If you have system or service accounts, do you know what they have access to (zones)?

• ARE YOU SURE?

Page 33: TACOM 2014: Back To Basics

Account management – WHAT TO DO

• Manage your accounts by policy and technical enforcement

• Expire passwords/password complexity

• Use ACLs to manage access to your systems

• Restrict access within your zones

• Enforce 2nd factor authentication for vendor/contractor access

• For employees if you can! For everyone!

• Inventory your accounts and their parameters

• Know your vendors by their accounts

Page 34: TACOM 2014: Back To Basics

Controlled access – WHAT TO ASK

• What systems can talk to each other?

• Are they in different zones? Do they need to be?

• Do your business people have access to information they do not need to do their jobs?

• Do your administrators have more access than they need to do their jobs?

• What about non-admins?

• ARE YOU SURE?

Page 35: TACOM 2014: Back To Basics

Controlled access – WHAT TO DO

• Access based on need to know/need to work

• Classification scheme is needed for this

• Establish a policy of access based on need to know/need to work

• Establish approval mechanism for special exceptions

• Talk to the business to find out what access they need, and create a Segregation of Duties (SoD) matrix

• Enforce SoD through system constraints and involve the business in the SoD approvals

Page 36: TACOM 2014: Back To Basics

Network Segmentation

[Figure: Vendor Account, VPN, AD and several Target PCs. Captions: “Account management in place”; “Access is controlled to these resources”; “Changes over time to firewall rules create holes”; “Changes to access control lists also create holes”; “Recon + threat modeling”]

Our controls are in place … but are they working as designed?

ARE YOU SURE?

Page 37: TACOM 2014: Back To Basics

[Figure: Vendor Account, VPN, AD and several Target PCs. Captions: “Two factor is a strong defense against external intrusion”; “Systems allow account logins at the OS”; “2nd factor challenge”; “Internal firewalls have holes”]

Scenario 2 – Vendor account has privileges escalated

[Figure: same elements. Captions: “Systems allow account logins at the OS but only for privilege”; “2nd factor challenge”; “Internal firewalls have holes”]

Page 38: TACOM 2014: Back To Basics

Backup strategy – WHAT TO ASK

• Do you have a backup strategy?

• Is it documented?

• Does it align with your business needs?

• Backups cost money, time and resources

• Do you back up more than you need?

• Do you have resources to verify/restore backups?

• Do you regularly test backups?

• When was the last time you did and what were the results?

• Did you document this?

• ARE YOU SURE?

Page 39: TACOM 2014: Back To Basics

Backup strategy – WHAT TO DO

• Create a policy for regular backups

• Identify critical systems & backup frequency

• If you have a DRD in place make sure it’s being adhered to

• Document a Recovery Time Objective (RTO) and a Recovery Point Objective (RPO) for your backups

• This aligns with disaster planning / BCP

• Must be done in alignment with your business

• VERIFY YOUR BACKUPS

• This is not negotiable or avoidable!
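One way to make “VERIFY YOUR BACKUPS” and the RPO checkable on a regular cadence rather than a matter of trust: audit the backup tool’s job history against a per-system policy. Added Python example, not from the deck; the job records, the policy values and the “as of” time are constructed.

```python
from datetime import datetime, timedelta

# Constructed job records: (system, finished_at, kind, ok); kind is 'backup' or
# 'restore_test'. In practice these come from the backup tool's job history.
JOBS = [
    ('erp-db',   datetime(2014, 7, 1, 2, 0),  'backup',       True),
    ('erp-db',   datetime(2014, 7, 2, 2, 0),  'backup',       True),
    ('erp-db',   datetime(2014, 6, 15, 9, 0), 'restore_test', True),
    ('fileserv', datetime(2014, 6, 20, 2, 0), 'backup',       True),
    ('fileserv', datetime(2014, 7, 1, 2, 0),  'backup',       False),  # failed job
    ('hr-app',   datetime(2014, 7, 2, 3, 0),  'backup',       True),
]

# Constructed policy per critical system: RPO, and how often a restore must be proven.
POLICY = {
    'erp-db':   {'rpo': timedelta(hours=24), 'restore_test_every': timedelta(days=90)},
    'fileserv': {'rpo': timedelta(hours=24), 'restore_test_every': timedelta(days=90)},
    'hr-app':   {'rpo': timedelta(hours=24), 'restore_test_every': timedelta(days=90)},
}

SAMPLE_NOW = datetime(2014, 7, 2, 12, 0)  # constructed audit time

def last_success(system: str, kind: str, jobs=JOBS):
    """Most recent successful job of the given kind, or None (failed jobs do not count)."""
    times = [t for s, t, k, ok in jobs if s == system and k == kind and ok]
    return max(times) if times else None

def audit_backups(now: datetime, policy=POLICY, jobs=JOBS) -> dict:
    """Findings per system: RPO not met by the last good backup, or no proven restore
    inside the required interval. Systems with no findings are omitted."""
    findings = {}
    for system, rule in policy.items():
        problems = []
        last_backup = last_success(system, 'backup', jobs)
        if last_backup is None or now - last_backup > rule['rpo']:
            problems.append('RPO missed: last good backup ' +
                            (last_backup.isoformat() if last_backup else 'never'))
        last_test = last_success(system, 'restore_test', jobs)
        if last_test is None or now - last_test > rule['restore_test_every']:
            problems.append('restore not verified: last good test ' +
                            (last_test.isoformat() if last_test else 'never'))
        if problems:
            findings[system] = problems
    return findings

if __name__ == '__main__':
    for system, problems in audit_backups(SAMPLE_NOW).items():
        print(system, '->', '; '.join(problems))
```

Note that a failed job and a backup that was never restore-tested both surface as findings, which is the distinction between having backups and having verified backups.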

Page 40: TACOM 2014: Back To Basics

Change management

• Who approves your security changes?

• Is this documented and reviewed periodically?

• Who reviews your security changes for accuracy?

• Who follows up to verify the changes are still accurate?

• Document reasons for changes, approvals and mitigations

• ARE YOU SURE?

Page 41: TACOM 2014: Back To Basics

Establish a governance calendar

• The calendar contains your regular cadence of review activity

• You can script reminders to the entities responsible for the review

• SharePoint

• Google scripts (Google calendar)

• Work this activity into your existing processes so they get prioritized

• Time box those activities!

• Get SLAs/SLOs for teams on which you rely to perform these activities

Page 42: TACOM 2014: Back To Basics

Sample Governance Calendar

[Figure: a Jan–Dec calendar (Q1–Q4) with rows for Operations, Security and Data Center. Activities placed on it: Recon (twice), Backup testing (three times), AD review (three times), DR Testing, Mid year audit, Audit]

Page 43: TACOM 2014: Back To Basics

Important Enterprise Infosec Lessons

1. There is no magic bullet – infosec is multi-layered and multi-disciplinary

2. Infosec will cost you time, money and resources – measure your value appropriately

3. Infosec is an active discipline; it requires care and feeding, you cannot install and forget

4. Time is the enemy of infosec; the longer it takes, the higher the risks

5. Infosec is a value add for your business, and it is up to you to show it – in many cases it IS the business

6. Infosec is not a department of “no.” Market yourself like a startup

Page 44: TACOM 2014: Back To Basics

Security basics put simply…

• If you think technology can fix security, you don’t understand technology and you don’t understand security.

• The root cause of a security incident is rarely about the technology and almost always about the implementation.

• Humans will always be the weakest link in the security chain. Awareness will mitigate the vast majority of your security issues … spend time and money on educating everyone in your company about security.

Page 45: TACOM 2014: Back To Basics
Page 46: TACOM 2014: Back To Basics

Tools & references list

• http://csc-hub.com/ - Ken Evan’s awesome 20 CSC site

• http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx - AD rights delegation

• http://sectools.org/ - List of pay and free network tools

• http://www.poshsec.com/ - Powershell scripts that support the 20 CSC

• http://www.asd.gov.au/infosec/top35mitigationstrategies.htm - Australian DSD Top 35

• http://www.counciloncybersecurity.com – Council on Cybersecurity

• http://www.jwgoerlich.us/blogengine/post/2014/04/29/Update-on-Story-Driven-Security.aspx - J. Wolfgang Goerlich and Nick Jacob’s work on effective threat modeling

• http://www.theguardian.com/commentisfree/2014/may/06/target-credit-card-data-hackers-retail-industry - Brian Krebs’ op-ed on the current state of the Target breach and some of the false pretense

Page 47: TACOM 2014: Back To Basics

Contact info

• Joel Cardella

• LinkedIn: https://www.linkedin.com/pub/joel-cardella/0/107/412

• Twitter: @JoelConverses or @jscardella

• Email: [email protected]

• IRC: #misec on Freenode (joel_s_c)
