KBOM

PowerPoint Slideshow about 'KBOM' - kerri
Aim
  • Develop a series of Success Factors for infrastructure security
  • Demonstrate the Success Factors in a Physical security analogy
  • Extend the analogy to the Digital world
  • Describe typical faults in infrastructure security
Good Security: Security Success Factors
  • Multiple layers of protection
    • Defence in-depth
    • No direct access to customer data
  • Utilises multiple technologies including
    • Access control
    • Breach detection
    • Auditing or recording key events
  • Should integrate Human and Mechanised systems
  • What is not specifically required is denied
Security systems

Testing the key success factors in the real world

Security Success Factors Applied

  • Multiple layers of security
    • “buys” time to repel the attacker and prevents Bert endangering the jewels
  • Multiple technologies including
    • Access control
    • Breach detection
    • Auditing
    • Ensures one fault does not put the crown jewels at risk
  • Use of manual and digital security
    • Guard

E-security systems

Relating the digital world to the real world

E-security systems

A model that works

Security Success Factors Applied

[Diagram labels: Alert, Corporate Network, Internet, Audit Logs, Security Console, Data]

  • Interface of manual and digital security
    • Security console
  • Multiple technologies including
    • Access control
    • Breach detection
    • Auditing
    • Ensures one fault does not put the crown jewels at risk
  • Multiple layers of security
    • “buys” time to repel the attacker and prevents Bert endangering the jewels
    • Customer data not in DMZ
Common Faults: Overall configuration & design

  • No proper design documentation – only a collection of clip-art
  • No IP addresses or server details etc.
  • Too much new and diverse technology – multiple UNIX & multiple Windows OS versions make it operationally unviable
  • Design rules applied with no understanding, so for example multiple firewalls provide no extra protection
  • No desk check done !!!!!
  • Data checking in downloaded scripts
  • Authentication flawed or SPI unencrypted
  • No centralised time server or logging server
  • No administration access or terminal servers, so when things go wrong it is impossible to get access
  • Standing data stored in DMZ only protected by 1 layer of security

[Diagram labels: Corporate Databases, Customer Data, Enterprise Systems, Internet, Internal Firewall, Intranet, Web Server, Perimeter Firewall, Application Server, Certification Authority, Bank. Diagram annotations:]
  • Encrypted information securely transferring over the Internet
  • Further protection of the Intranet
  • Authentication and permissions
  • Merchant securely identified via certificates
  • Central role of the application server that will connect to all data sources
  • SET payment protocol that sends the user’s details directly to the bank
  • User securely identified via certificates

Common Faults: Router
  • Access lists absent, incomplete or applied to the wrong interface
  • SNMP open with community string of public & ... (Go on, have a guess)
  • Telnet open - allowing unrestricted terminal access to the internet
  • Small services open

And even if the perimeter router isn’t yours

WHO PAYS THE PRICE IF IT IS HACKED?

Bad Config - router 1 of 1

pants#show startup-config
hostname pants
enable password cisco
interface Serial0/0
 ip address 194.117.132.10 255.255.255.252
interface FastEthernet1/0
 ip address 192.188.144.81 255.255.255.252
ip route 0.0.0.0 0.0.0.0 194.117.132.9
ip route 192.193.97.65 255.255.255.255 195.188.144.82
snmp-server community public RO
snmp-server community private RW
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!

After router 1 of 2

service password-encryption
no service udp-small-servers
no service tcp-small-servers
hostname pants
enable secret 5 $1$s1gN$TDLK8LhaSdgKlDUpR84OY1
enable password notused
!
interface Serial0/0
 ip address 192.117.132.10 255.255.255.8
 ip access-group 102 in
!
interface FastEthernet1/0
 ip address 195.188.144.81 255.255.255.0
 ! ip access-group 103 in

After router 1 of 2

! Management controls
access-list 1 permit 193.193.97.65
access-list 1 permit 193.193.116.0 0.0.0.255
!
! Spoof & rfc 1918 filter
access-list 102 deny ip 195.188.144.0 0.0.0.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
!
! Traffic filter
access-list 102 permit tcp any host 195.188.144.68 eq www
access-list 102 permit tcp any host 195.188.144.66 eq smtp
access-list 102 permit ip any host 195.188.144.66
!
! Egress rules
access-list 103 permit ip 195.188.144.0 0.0.0.255 any
access-list 103 deny ip any any
snmp-server community x1xx RO 1
snmp-server community x1xx RW 1
line con 0
 password GMxQttt98
 login
line aux 0
line vty 0 4
 access-class 1 in
 password Tmtttts
 login
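As an added example (not part of the slides), the Python script below evaluates packets against the slide's access-list 102 the way IOS does: entries are tried in order, the first match decides, and anything unmatched falls to the implicit deny at the end of the list. The ACL lines are the slide's own; the packets are constructed, and the outside host 203.0.113.7 is a documentation-range address chosen for the example. It shows the anti-spoof entries rejecting an "inside" source and an RFC 1918 source arriving from the internet, the web server reachable on www but not telnet, and that the slide's final entry (permit ip any host 195.188.144.66) opens every port on the mail host rather than just smtp, which is worth knowing before relying on that filter.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# ACL entries as printed on the "After router" slide (first-match order preserved).
ACL_TEXT = """
access-list 102 deny ip 195.188.144.0 0.0.0.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 permit tcp any host 195.188.144.68 eq www
access-list 102 permit tcp any host 195.188.144.66 eq smtp
access-list 102 permit ip any host 195.188.144.66
"""

# IOS port keywords used on the slide, mapped to numeric ports (assumed mapping).
PORT_NAMES = {"www": 80, "smtp": 25, "telnet": 23, "ftp": 21}


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None when the entry has no "eq" clause


def parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    # An IOS wildcard mask is the bitwise inverse of a netmask: 0.0.0.255 -> /24.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue  # skip comments and unrelated lines
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = parse_addr(rest)
        dst = parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(entries: List[Entry], src_ip: str, dst_ip: str,
             proto: str, dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for a packet, using IOS first-match semantics."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action      # first matching entry decides
    return "deny"            # implicit deny at the end of every IOS ACL


ACL_102 = parse_acl(ACL_TEXT)

# Constructed packets; 203.0.113.7 stands in for an arbitrary outside host.
PACKETS = [
    ("inside source arriving from the internet (spoofed)", "195.188.144.9", "195.188.144.68", "tcp", 80),
    ("RFC 1918 source (spoofed)", "10.1.2.3", "195.188.144.68", "tcp", 80),
    ("outside host to web server, www", "203.0.113.7", "195.188.144.68", "tcp", 80),
    ("outside host to web server, telnet", "203.0.113.7", "195.188.144.68", "tcp", 23),
    ("outside host to mail host, telnet", "203.0.113.7", "195.188.144.66", "tcp", 23),
]

if __name__ == "__main__":
    for label, s, d, p, port in PACKETS:
        print(f"{evaluate(ACL_102, s, d, p, port):6}  {label}")
```

Running it prints deny, deny, permit, deny, permit for the five packets; the last line is the one to look at, since the "permit ip any host" entry makes the smtp-only line above it redundant.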

Common Faults - Firewalls
  • No anti-spoofing
  • Default passwords, Rules or Config
  • Unused services
  • Rules confused + undocumented
  • No consideration given to error logging or the return connection (which can stop many hacks !!!)
  • Changes to the Configuration not logged
  • No reporting of authorisation failures
Before Pix 1 of 3

nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname firewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol sqlnet 1521
names
pager lines 24
no logging console
no logging monitor
no logging buffered errors
no logging trap
logging facility 20

Before Pix 2 of 3

interface ethernet0 auto
interface ethernet1 auto
ip address outside 11.73.2.222 255.255.255.0
ip address inside 11.73.7.251 255.255.255.0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 11.73.1.2 161.73.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 11.73.1.1 161.73.1.1 netmask 255.255.255.255 0 0
conduit permit tcp host 11.73.1.1 eq smtp any
conduit permit tcp host 11.73.1.2 eq www any
conduit permit tcp host 11.73.1.2 eq telnet any

Before Pix 3 of 3

apply (inside) 11 outgoing_src
rip outside passive
rip outside default
rip inside passive
rip inside default
route outside 0.0.0.0 0.0.0.0 161.73.2.234 1
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
telnet 11.73.140.99 255.255.255.255
telnet timeout 5
floodguard 1
Cryptochecksum:8c7bc2b51a5bd78305c83a14f13e9c7b

After Pix 1 of 3

nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname firewall
no fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
no fixup protocol h323 1720
no fixup protocol sqlnet 1521
names
pager lines 24
no logging console
logging host 192.2.2.1
logging trap 3
logging facility 20

After Pix 2 of 3

interface ethernet0 auto
interface ethernet1 auto
ip address outside 11.73.2.222 255.255.255.0
ip address inside 11.73.7.251 255.255.255.0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 11.73.1.2 161.73.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 161.73.1.1 161.73.1.1 netmask 255.255.255.255 0 0
conduit permit tcp host 11.73.1.1 eq smtp any
conduit permit tcp host 11.73.1.2 eq www any
conduit permit tcp host 11.73.1.2 eq telnet any
outbound 11 permit 11.73.0.0 255.255.0.0 smtp tcp
outbound 11 deny 11.73.0.0 255.255.0.0 www tcp
apply (inside) 11 outgoing_src

After Pix 3 of 3

rip outside passive
rip outside default
rip inside passive
rip inside default
route outside 0.0.0.0 0.0.0.0 161.73.2.234 1
no snmp-server location
no snmp-server contact
no snmp-server community public
no snmp-server enable traps
telnet 11.73.140.99 255.255.255.255
telnet timeout 5
floodguard 1
Cryptochecksum:8c7bc2b51a5bd78305c83a14f13e9c7b
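The router and firewall slides each list faults that are visible in plain config text, so as an added example (not code from the slides) here is a small audit script that reads IOS and PIX configuration and reports the faults those slides name: default SNMP communities, SNMP communities not bound to an access-list, clear-text passwords with no enable secret, small servers left on, vty lines with no access-class, syslog trapping turned off, and a telnet conduit open to any source. The sample configs are constructed, modelled on the Bad Config and Before Pix slides rather than copied; the enable secret hash in the hardened sample is a placeholder; the finding codes are my own naming.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (code, detail)

# Constructed sample modelled on the "Bad Config - router" slide; sub-commands are
# indented one space as IOS prints them.
SAMPLE_IOS = """\
hostname pants
enable password cisco
snmp-server community public RO
snmp-server community private RW
line con 0
line vty 0 4
 password cisco
 login
"""

# Constructed hardened sample modelled on the "After router" slides.
# The enable secret hash is a placeholder, not a real hash.
HARDENED_IOS = """\
service password-encryption
no service udp-small-servers
no service tcp-small-servers
hostname pants
enable secret 5 $1$xxxx$PLACEHOLDERHASH
snmp-server community x1xx RO 1
line vty 0 4
 access-class 1 in
 password Tmtttts
 login
"""

# Constructed sample modelled on the "Before Pix" slides.
SAMPLE_PIX = """\
hostname firewall
no logging trap
conduit permit tcp host 11.73.1.1 eq smtp any
conduit permit tcp host 11.73.1.2 eq telnet any
snmp-server community public
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def sections(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Group IOS config into (top-level command, [indented sub-commands]) pairs."""
    result: List[Tuple[str, List[str]]] = []
    for line in lines:
        if line.startswith(" ") and result:
            result[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            result.append((line.strip(), []))
    return result


def audit_ios(config: str) -> List[Finding]:
    findings: List[Finding] = []
    tops = sections(config.splitlines())
    top_lines = [t for t, _ in tops]
    if "service password-encryption" not in top_lines:
        findings.append(("IOS-CLEARTEXT-PW", "no 'service password-encryption'; line passwords stored in clear"))
    if not any(t.startswith("enable secret") for t in top_lines):
        findings.append(("IOS-NO-ENABLE-SECRET", "privileged mode protected by 'enable password' only"))
    for svc in ("udp", "tcp"):
        if f"no service {svc}-small-servers" not in top_lines:
            findings.append(("IOS-SMALL-SERVERS", f"{svc} small servers (echo/chargen/discard) not disabled"))
    for top, subs in tops:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\d+))?$", top)
        if m:
            community, mode, acl = m.groups()
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("IOS-SNMP-DEFAULT", f"default community '{community}' with {mode} access"))
            if acl is None:
                findings.append(("IOS-SNMP-NO-ACL", f"community '{community}' ({mode}) not bound to an access-list"))
        if top.startswith("line vty") and not any(s.startswith("access-class") for s in subs):
            findings.append(("IOS-VTY-OPEN", f"'{top}' has no access-class; terminal access open to any source"))
    return findings


def audit_pix(config: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in config.splitlines():
        line = line.strip()
        if line == "no logging trap":
            findings.append(("PIX-NO-SYSLOG", "syslog trap disabled; events and config changes leave no off-box record"))
        m = re.match(r"conduit permit tcp host (\S+) eq (\S+) (\S+)$", line)
        if m and m.group(2) == "telnet":
            findings.append(("PIX-TELNET-CONDUIT", f"telnet to {m.group(1)} permitted from {m.group(3)}"))
        m = re.match(r"snmp-server community (\S+)$", line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(("PIX-SNMP-DEFAULT", f"default community '{m.group(1)}'"))
    return findings


if __name__ == "__main__":
    for name, result in (("bad router", audit_ios(SAMPLE_IOS)),
                         ("hardened router", audit_ios(HARDENED_IOS)),
                         ("before pix", audit_pix(SAMPLE_PIX))):
        print(f"== {name}: {len(result)} finding(s)")
        for code, detail in result:
            print(f"  {code:22} {detail}")
```

The bad router sample produces nine findings and the hardened one none, which mirrors what the before/after slides change; the PIX sample flags the missing syslog trap, the default community and the telnet conduit. Such checks belong in a desk check before a config goes live, the step the "Overall configuration & design" slide notes is usually skipped.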

Common Faults - Web Server
  • Whoops - SSL is not enabled
  • Critical data in the DMZ – classical example of pointless multiple layers
  • Default CGI scripts or administration servlets only protected by simple (default!!) passwords
  • Developer SDK and documentation available
  • Operating systems not properly hardened and configured
Common Faults - Applications
  • Confidential screens and information (perhaps passwords) unencrypted – in URL or in cookies
  • Passwords used for high-value transactions
  • Application authorization that “should work” (as long as you don’t try it)
  • No proper application logging or alerting – making fraud easy
Common Faults - IDS
  • Focusing on known attacks rather than anomalous traffic
  • Not updating it regularly
    • Attacks emerge every day
  • Encryption
    • Encryption is our friend – but if you install a network-based IDS to monitor encrypted traffic what is it
  • Putting them in the wrong place
    • You don’t put a motion detector outside your house