The Evolution of Defense in Depth
Robert Perciaccante, CISSP
Security Systems Engineer – Cisco Systems
September 11, 2007 - Pittsburgh, PA

Good Morning!
• Introductions
• Brief History of Internet Threats
• “Old School Thinking” – Security in the Beginning
• Changes in the Threat Model – ~2000 to Present
• Defense in Depth – What's mine is mine, and it's going to stay mine.

Quick Question:
• How many of you are directly involved with the security and protection of your organization?
  • Technical team members?
  • Management?
• How many of you have been involved, in one way or another, in a security breach, such as a malicious action or a malware outbreak?
  • At your work?
  • At your home?
What is a Threat?
• threat (thrět) n.*
  • An expression of an intention to inflict pain, injury, evil, or punishment.
  • An indication of impending danger or harm.
  • One that is regarded as a possible danger; a menace.
• A threat is any network-based attempt to compromise information, system, or network resources
• They can originate from anywhere, at any time
• They take advantage of operating system, application, protocol, and psychological vulnerabilities
• They leverage all methods of entry to a system
• They can steal information, destroy data, deny access to servers, and shut down embedded devices
• They do not want to be found
* “threat.” The American Heritage® Dictionary of the English Language, Fourth Edition. Houghton Mifflin Company, 2004. 22 Jan. 2007. Dictionary.com, http://dictionary.reference.com/browse/threat

Sources of Threats
• Application vulnerabilities allow hackers to gain access to underlying databases and improper levels of access to applications
• Improper data access through improperly configured firewalls and legacy firewall technology
• Operating system vulnerabilities allow hackers to take control of computers and enable information theft and improper system access
• E-mail can carry spoofed links (e.g. phishing) and attachments infected with spyware, viruses, and other malware
• Internet use introduces files through downloads, drive-by installations, and errant software installations
• User access to information and resources that they either shouldn’t have or don’t need
• Network system vulnerabilities can allow hackers to take over entire domains (pharming)
Fateful Words
“Why would someone bother to attack me? I have nothing that they would want.”
- IT Manager, ~1998, during a firewall proposal meeting
FACT: You may not have something that anyone would want, but you can be used to get to something that they DO want, and where do you think the FBI will come when they start their investigation? Not only could this cause you to lose your operations center (frozen for investigation by authorities), but you are open to liability issues as a result of failure to perform due diligence.

Fateful Words - Example
• A datacenter was breached and used to amplify a DDoS network (Smurf attack)
• The target network reported the incident and the source network to the FBI.
• The FBI identified the datacenter network as a source of the traffic, and seized control of the network to perform forensic analysis.
• In doing so, the FBI removed all the devices from the network, taking the company’s entire internet presence offline for 5 weeks.
• The datacenter network had to be rebuilt from scratch, with all new hardware, in order to maintain operations during the course of the investigation.
• The cause was determined to be a failure to implement appropriate security controls. The company that was the target of the DDoS sued the datacenter owner for lost revenue as a result of the attack and won $750,000 in damages.
• Total cost to datacenter owner:
  • $750,000.00 Punitive damages to victim
  • $175,000.00 Legal resources due to legal action
  • $400,000.00 Loss of revenue from downed datacenter and internal resources for its recreation
  • $1,325,000.00 Total loss (and this does not include public image impact!)
The Old Security Model: ~1997
[Diagram: Public Internet | IDS\IPS (Maybe…) | Corporate Network]

The Old Security Model: ~1997
Generalizations:
• Everyone on the Internet is untrustworthy
• Everyone within my organization is essentially trustworthy
• The model was “hard exterior, soft gooey center”
• Security efforts were focused on keeping the outsiders out
• Internal personnel and\or systems were essentially permitted to go wherever they needed: HTTP\S, FTP, P2P, IM were all essentially permitted unchecked.
• Traffic headed to externally facing systems, such as webservers, was typically protected through a single layer of firewall protection
• Limited or no internal segregation of networks or personnel
• Hosts were protected with anti-virus, and perhaps a hardened image, but were otherwise typically unprotected
• Enterprise event monitoring did not exist
  • There was no significant market uptake for centralized logging and\or monitoring of events – it simply was not done

Challenges with the “Old Model”
• Disparate security devices meant segregation of administrative controls
  • Firewall management
  • Domain management
  • User management
  • IDS\IPS management
  • Router\Switch management
• Too much data in too many different places
  • Inability to get the “big picture” because most personnel only had access to a piece of the puzzle
• Exterior-only protection meant insiders had free rein
  • No protection from the “insider threat”
• Inability to reconstruct unauthorized access for investigative or prosecutorial processes
Changes in Internet Use and Abuse…
• As the Internet became more ingrained in the minds of business and personal users, the number of systems attached to the Internet increased.
  • Increased complexity of networks and access
• With this increased attach rate, the importance of layered security grew from a nice-to-have to a MUST have:
  • Regulatory compliance
    • Demonstrability of “due diligence”
    • SOX, GLBA, PCI, etc.
  • Business needs for connectivity
    • Email
    • Website\eCommerce
    • Vendor\Remote Access

… leads to an Increase in Complexity
• Forensics and investigations more complex
  • The complexity of networks makes the forensic reconstruction of events incredibly more difficult to do accurately
• Resource diversification
  • Resources may be segmented (i.e. network admins and security admins), making communication and collaboration in determining root cause more difficult
• Intercommunications between companies and partners more complex
  • Application communications are more complex, requiring a much higher degree of network and application understanding to be able to determine what is right and wrong in terms of behaviors
• Monitoring and management more difficult
  • De-centralized monitoring is typically the case, which makes recreation of event timelines very problematic

Unlimited Entry Points
• Virtually unlimited application, operating system, driver, and firmware updates annually
• Each has undiscovered vulnerabilities
• This creates virtually unlimited access for hackers
Evolution of Threats and Exploits 1994-2007
[Chart: axes labelled Expertise Required (High to Low), Complexity, and Time. Items plotted, in the order they appear on the slide: Blended Threats, Intelligent Bots, Dynamic Capabilities, Pulsing Zombies, Packet Forging/Spoofing, Stealth Diagnostics, Sniffers, Self Installing Root Kits, Sweepers, Session Hijacking, Back Door Exploits, Audit Disablement, Vulnerability Scanning, Password Cracking, Self Replicating Code (WORM), Password Guessing]

Rapidly Escalating Threat to Businesses
[Chart: Evolution of Security Challenges. Horizontal axis: 1980s, 1990s, Today, Future. Vertical axis, Target and Scope of Damage: Individual Computer, Individual Networks, Multiple Networks, Regional Networks, Global Infrastructure Impact]
• First Gen: Weeks
  • Boot viruses
• Second Gen: Days
  • Macro viruses
  • Denial of Service
• Third Gen: Minutes
  • Distributed Denial of Service
  • Blended threats
• Next Gen: Seconds
  • Flash threats
  • Massive “bot”-driven DDoS
  • Damaging payload worms

The Evolution of Intent: From Hobbyists to Professionals
Threats becoming increasingly difficult to detect and mitigate
[Chart: Threat Severity over time (1990, 1995, 2000, 2005), in three stages: TESTING THE WATERS (basic intrusions and viruses), FAME (viruses and malware), FINANCIAL (theft & damage), ending with WHAT’S NEXT?]
Emerging Threats
• More access, always on, from everywhere
  • Corporate “edge” becoming harder to define and control
• Wireless networking density
  • Anonymous access to or through legitimate networks, data leakage, remote point of attack against endpoints
• SSL and other single-sided technologies
  • Allow for scaling and instant DR
  • Loss of control over corporate assets significantly changes security posture

Viruses Aren’t Dead
• During January 2007, 19 new major viruses were released
• The average response time of 21 leading AV engines was 8 hours
• 40% of the virus attacks in January 2007 had peaked before the AV signature was released
• The trend is getting worse, not better. Signature-based solutions must be combined with day-zero protection to protect today’s networks.

Security Breach Example Costs
Cost of recent customer records breaches
• $6.5 Million: DSW Warehouse costs from data theft
• $5.7 Million: BJ’s Wholesale Club from data breach
Additional impact/cost due to lost customers
• 20% of customers have ended a relationship with a company after being notified of a breach (Ponemon Institute)
• 58% said the breach decreased their sense of trust and confidence in the organization reporting the incident
Prevention Costs
• Prevention may be cheaper than reaction:
  • Multiple independent studies have estimated the cost of customer record losses to be between $90 and $182 per record
“A company with at least 10,000 accounts to protect can spend, in the first year, as little as $6 per customer account for just data encryption, or as much as $16 per customer account for data encryption, host-based intrusion prevention, and strong security audits combined,” – Gartner analyst Avivah Litan
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential

TJX Security Breach—Jan. 17, 2007
• NEW YORK, Jan 17 (Reuters)—TJX Cos Inc. (TJX), which operates the T.J. Maxx and Marshalls chains, said on Wednesday that its computer systems that process customer transactions had been breached, and customer information had been stolen.
• Trading of TJX stock was halted on the floor of the NY Stock Exchange as the news broke.
• TJX took a $5M charge to cover the investigation, legal fees, and costs associated with explaining the problem to its customers

January 18, 2007—Congress Responds
• Washington, DC—House Financial Services Committee Chairman Barney Frank (D-MA) today issued the following statement regarding another major data breach potentially impacting millions of credit card holders:
“I learned of the latest data breach from a financial institution that may have to bear the costs of informing customers and issuing new credit cards but they were not told why. This is further evidence of the need for a provision over data security. Mainly, those institutions where breaches have occurred must be identified and they must bear responsibility. Specifically, this means retailers or wholesalers must take responsibility for financial losses, contrary to what common practice is today.”
– Barney Frank, House Financial Services Committee Chair
The TJX Saga Continues
• Feb 22: TJX indicates that data thefts could reach back into 2005
• March 21: TJX indicates that fraudulently obtained information was used in an $8M gift card scheme
• March 29: Company reports SEC filing with loss of 45.7M records, along with 455k return records containing SSNs, Military IDs, and other info
• April 22: Company clarifies records theft dates back to July 2005 (17 months)
• April 26: Class action lawsuit filed by MA, CT, ME
• May 4: WSJ reports TJX had outdated wireless security, failed to install firewalls, and had not properly installed other layers of security …
  • http://online.wsj.com/article_email/article_print/SB117824446226991797-lMyQjAxMDE3NzA4NDIwNDQ0Wj.html

Breaches occur more often than you think…
155,048,651
• Reported records breached since 2005*
• “Unknowns” not counted
* Source: privacyrights.org as of June 8, 2007

Common Myths
• Only specific users have access to my systems
• We patch at every release and are therefore secure
• We air-gap the <insert name here> network and it’s therefore not exploitable
• Our firewall is bulletproof
• We use more than one vendor in each tier, so we are more secure.
  • This reduces visibility, increases resource requirements, and significantly increases the likelihood of human error!
• Repeat after me: it is vulnerable, it is exploitable, someone will access it
New Opportunity: Proliferation of Devices
The Challenge
• New types of devices are joining the network: hand-helds, smart phones, cameras, tools, physical security systems, etc.
• Diversity of OSs: more devices means more operating systems and custom applications
• Embedded OSs: process controllers, kiosks, ATMs, lab tools, etc.
  • IT department often not involved in procurement—little attention paid to security
  • For example, one environment got hacked from an oscilloscope
• User expectations: users want to use the technology that they are used to using at home
  • Example: wireless networking, cellular network access
Opportunities for Attack
• Attacks on the back-end
  • All of these systems provide an ingress point into some form of back-end system
  • Both the method of communication and the device itself are targets
• Attacks on the device
  • Proliferation leaves many opportunities for taking control of a system
• Attacks on data
  • Sensitive data is becoming increasingly distributed and uncontrolled
• Attacks from “trusted” devices
  • Mobility of devices means devices move out of your protected network and then back in, possibly bringing malware with them.
  • For example, a family member of an employee installs software onto a laptop that contains a virus.
True Layered Protection
• In order to minimize an organization’s risk, it is IMPERATIVE that security be pervasive throughout every layer of the network and integrated into both technology and business processes.
• While the ROI on security has historically been difficult to calculate, many good ROI models have been published to help minimize overall risk (both operational and financial) as well as provide guidance on the appropriate level of protection
  • EXCELLENT article on the US-CERT website:
  • https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/business/677.html
[Diagram: layered network: Public Internet, Internet Gateway, DMZ, DMZ Gateway, Secure DMZ, S-DMZ Gateway, Internal Network (Internal Servers, Internal Clients, Internal Servers)]

Implement Concept of Security Domains
Domain definitions:
• Wholly Untrusted
  • No operational access or control over devices in this environment
• Partially Trusted
  • Operationally controlled by organization
  • Accessed by systems not controlled by organization
• Internal Trust
  • Operationally controlled by organization
  • NOT accessed by hosts not managed by organization
  • Individuals using these systems or devices have undergone administrative review
[Diagram: literal layer vs. domain affiliation. Public Internet: Wholly Untrusted. Internet Gateway, DMZ, DMZ Gateway, Secure DMZ, S-DMZ Gateway: Partial Trust. Internal Network (Internal Servers, Internal Clients, Internal Servers): Internal Trust]

Security Domains in a Nutshell
• Define technical and administrative controls for communications from a higher trust-level domain to a lower trust-level domain
  • Example: connections from an internal laptop to a DMZ system must be permitted only over FTP or SFTP
• Define technical and administrative controls for communications from a lower trust-level domain to a higher trust-level domain
  • Example: information that is needed for a web-facing application cannot be fetched directly from an internal database. Instead, a secure-DMZ database may receive replicated data from the internal source, and the web application may access the secondary database using strong authentication and secure communications.
• This will require a lot of thought and planning, but will result in a very strong security infrastructure and reduced overall costs!
Implementing True Defense in Depth:
• Example: Anonymous Internet User
• Consider participants of the Public Internet as hostile:
  • If they cannot be inherently trusted, then they must by default be treated as automatically hostile.
• Minimize the number of services available to hosts that are not trusted
• Provide a means to authenticate or establish the trust of external hosts through VPN use, SSL certificate authentication, etc.
• Move everything that touches or is touched by the Public Internet behind a perimeter defense point

Implementing True Defense in Depth:
• Example: Perimeter Firewall
• Establish formally accepted guidelines for standardization of perimeter security devices, and services that are permitted in both directions!
• Implement an active defense methodology that will be flexible enough to respond to changing business needs and Internet threats, such as the implementation of both firewall and intrusion prevention.
• Utilize best-of-breed technologies that maximize the value of capital expenses, reduce internal resource requirements, and provide the greatest ability to identify and respond to threats

Implementing True Defense in Depth:
• Example: Webserver Farm
• Establish formally accepted guidelines for standardization of perimeter security devices, and services that are permitted in both directions.
• Provide a heightened level of security over standard hosts through formal lock-down procedures.
• Implement active response protection through agent- and policy-based monitoring such as configuration monitoring and behavior-based agents.
• Restrict access to these systems, even from your internal systems!

Implementing True Defense in Depth:
• Example: Firewall between DMZ and Secured DMZ
• Establish formally accepted guidelines for standardization of perimeter security devices, and services that are permitted in both directions!
• Protect higher-trust networks from potentially compromised hosts.
• Create a mid-tier for shared information between the DMZ and the internal network by creating a secure DMZ.
• Restrict both ingress and egress through this gateway!

Implementing True Defense in Depth:
• Example: Network used to replicate information from internal data sources to externally-facing systems
• Establish formally accepted guidelines for specifically what data must go through the S-DMZ, and what hosts may pull from or push to hosts in this network.
• Implement active response protection through agent- and policy-based monitoring such as configuration monitoring and behavior-based agents.
• Restrict access to these systems, even from your internal systems!

Implementing True Defense in Depth:
• Example: Firewall between Internal Network and Secured DMZ
• Establish formally accepted guidelines for standardization of perimeter security devices, and services that are permitted in both directions!
• Protect higher-trust networks from potentially compromised hosts.
  • Very much like the controls in place for the DMZ and perimeter gateways
• Restrict both ingress and egress through this gateway!
Implementing True Defense in Depth:
• Example: Internal routers and switches (access and distribution)
• Define formal paths for traffic flows (assists in incident containment)
• Implement a layered approach through security applied on each device, switch, etc.
• Use VLANs as a means to segregate LIKE traffic, but not as a means to separate security domains
  • VLAN hopping is possible in certain situations
• Create internal segregation to further compartmentalize traffic and access (guests, vendors, etc.)
• Utilize strong authentication and encryption
  • WEP is not security; it can be cracked in under 3 minutes with a very low skill level
• Use Network Access Control to authenticate and assign additional restrictions as necessary
• Implement internal intrusion prevention to keep unauthorized traffic under control and to provide additional alerts for early warning of outbreaks, etc.

Implementing True Defense in Depth:
• Example: Infrastructure computational devices such as file\print servers, email servers, etc.
• Develop strong security lock-down and configuration standards for all hosts.
• Implement active response protection through agent- and policy-based monitoring such as configuration monitoring and behavior-based agents.
• Utilize centralized authentication (LDAP, etc.) to speed provisioning and respond to personnel changes.
• Restrict access to these systems, even from your internal systems!

Implementing True Defense in Depth:
• Example: End-user laptops, desktops, or terminals.
• Develop strong security lock-down and configuration standards for all hosts.
• Implement active response protection through agent- and policy-based monitoring such as configuration monitoring and behavior-based agents.
• Utilize centralized authentication (LDAP, etc.) to speed provisioning and respond to personnel changes.

Implementing True Defense in Depth:
• Example: Shared resources, such as network-enabled printers, IP-based controls, etc.
• Develop standardized hardware, software, and configuration procedures, and secure where possible
• Minimize the number of these devices, and ensure that they are not accessible
• Remember: most network devices use an embedded operating system, and can be used as a jumping-off point for further attacks or infection!
Calculate the Value of your Data
• Use a deterministic approach to security
  • Apply the appropriate amount of protection based on business risk analysis, not FUD
  • Calculate the ROI of security vs. “protect everything at any cost”
• Ensure that you are reducing the overall risk of your organization through the application of appropriate controls
  • Don’t protect data worth $1,000 with a $100,000 device
• Determine and document what is an acceptable loss, and prepare for it
  • Create a “Risk Acceptance” process that will allow for documented exceptions, reducing the likelihood of undocumented changes being made in order to circumvent the formal procedure.
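A worked version of the risk calculation this slide asks for, as an added example that is not part of the original deck or of Cisco's material. It reuses the figures the deck quotes earlier ($90 to $182 lost per customer record; $6 per account for encryption alone, $16 per account for encryption plus host-based intrusion prevention and audits) and adds values the deck does not give and which are assumptions here: a breach rate of one in ten years, a control effectiveness for each option, an acceptable annual loss of $20,000, and a $100,000 appliance standing in for the slide's "$100,000 device".

```python
"""Risk-based control selection (annualized loss expectancy vs. control cost).

Added example, not from the deck or from Cisco. Per-record loss and prevention
costs come from the figures quoted in the deck; breach rate, effectiveness,
acceptable loss and the appliance price are ASSUMED for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    name: str
    records: int
    loss_per_record: float      # cost of losing one record (deck: $90 to $182)


@dataclass(frozen=True)
class Control:
    name: str
    cost_per_record: float      # annual per-record cost (deck: $6 or $16)
    effectiveness: float        # fraction of expected loss removed (ASSUMED)
    fixed_cost: float = 0.0     # one-off or appliance cost


def single_loss_expectancy(asset: Asset) -> float:
    """SLE: what one full compromise of the asset costs."""
    return asset.records * asset.loss_per_record


def annual_loss_expectancy(asset: Asset, annual_rate: float) -> float:
    """ALE = SLE x annualized rate of occurrence (the rate is an assumption)."""
    return single_loss_expectancy(asset) * annual_rate


def control_cost(control: Control, asset: Asset) -> float:
    return control.fixed_cost + control.cost_per_record * asset.records


def evaluate_control(asset: Asset, annual_rate: float, control: Control,
                     acceptable_loss: float) -> Dict[str, object]:
    """Compare the risk a control removes with what it costs and give a verdict."""
    sle = single_loss_expectancy(asset)
    ale = annual_loss_expectancy(asset, annual_rate)
    cost = control_cost(control, asset)
    residual_ale = ale * (1.0 - control.effectiveness)
    net_benefit = (ale - residual_ale) - cost
    if cost > sle:
        # the slide's rule: never protect $1,000 of data with a $100,000 device
        verdict = "reject: control costs more than the data is worth"
    elif ale <= acceptable_loss:
        verdict = "accept risk (document under the Risk Acceptance process)"
    elif net_benefit < 0:
        verdict = "reject: control costs more than the risk it removes"
    else:
        verdict = "adopt"
    return {"control": control.name, "sle": sle, "ale": ale, "cost": cost,
            "residual_ale": residual_ale, "net_benefit": net_benefit,
            "verdict": verdict}


def rank_controls(asset: Asset, annual_rate: float, controls: List[Control],
                  acceptable_loss: float) -> List[str]:
    """Names of the controls worth adopting for this asset, best net benefit first."""
    results = [evaluate_control(asset, annual_rate, c, acceptable_loss) for c in controls]
    adopted = [r for r in results if r["verdict"] == "adopt"]
    return [r["control"] for r in sorted(adopted, key=lambda r: r["net_benefit"], reverse=True)]


# Constructed scenario: 10,000 customer records at the deck's upper loss estimate.
CUSTOMER_DB = Asset("customer records", records=10_000, loss_per_record=182.0)
BREACH_RATE = 0.10          # ASSUMED: one breach every ten years
ACCEPTABLE_LOSS = 20_000.0  # ASSUMED: documented acceptable annual loss

CONTROLS = [
    Control("data encryption only", cost_per_record=6.0, effectiveness=0.5),
    Control("encryption + host IPS + audits", cost_per_record=16.0, effectiveness=0.9),
    Control("$100,000 appliance", cost_per_record=0.0, effectiveness=0.99, fixed_cost=100_000.0),
]

# The slide's cautionary case: data worth $1,000 (constructed asset).
SMALL_ASSET = Asset("lab notes", records=10, loss_per_record=100.0)

if __name__ == "__main__":
    for c in CONTROLS:
        print(evaluate_control(CUSTOMER_DB, BREACH_RATE, c, ACCEPTABLE_LOSS))
    print(evaluate_control(SMALL_ASSET, 1.0, CONTROLS[2], ACCEPTABLE_LOSS)["verdict"])
    print(rank_controls(CUSTOMER_DB, BREACH_RATE, CONTROLS, ACCEPTABLE_LOSS))
```

The order of the checks is the point: the "costs more than the data is worth" test comes first so that an expensive device is rejected for a cheap asset regardless of how effective it is, and the acceptable-loss test comes before any cost/benefit arithmetic so that risks already below the documented threshold go to the Risk Acceptance process instead of attracting spend. Every number marked ASSUMED has to be replaced by the organization's own risk analysis before the output means anything.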
General Controls: Gateway Controls
• Utilize best-of-breed technology
• Create a policy that documents what is considered acceptable traffic, and publish these standards.
  • Once published, they can be incorporated into your project management methodology, allowing for automated enforcement and more uniform adoption.
• Utilize both firewall and intrusion prevention technologies to maximize the effectiveness of your perimeter defense against known and unknown attempts.
• Define all points of ingress and egress, and apply these controls to all of these gateways uniformly
  • This reduces the complexity and chances for human error.

General Controls: Pervasive Network Controls
• Add security to every layer of your network
• Utilize the concept of security domains, even within your internal network
  • Segregate infrastructure servers from mission-critical systems from desktops from network printers, etc.
• Implement Network Access Control to limit access to your network from personnel on the inside such as guests, vendors, etc.
• Use strong encryption and strong authentication everywhere – if you cannot secure it properly, don’t deploy it until you can!

General Controls: Host-Based
• Develop strong security configurations for hosts as appropriate
• Implement behavioral- and policy-based protection
  • Provides the flexibility to adapt to new threats, as well as support any application you may be running internally.
  • Removes the need for signature updates, and prevents zero-day attacks based on how the attack behaves, not what its signature is.
• Implement host-based firewalling technologies to prevent connections from occurring in the first place.

General Controls: Enterprise Visibility
• Implement a centralized logging and monitoring environment
  • Send all logs (or as many as practical based on business risk profile) to a centralized event correlation environment
  • Provides “instant” visibility into issues, potentially before they become widespread
  • Ensures that the forensic review of issues is concise, resource-group independent, and forensically sound
• If you do not already have one, prepare an incident response plan, and practice it often!
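As an added example, not from the deck or from Cisco, here is a small correlation engine of the kind this slide describes, run over constructed log lines from a firewall and a host-based agent that both forward to one place. The line format and the sample data are invented for the example and are not any real device's output; the detection rule (one source reaching many destinations on one port within a minute, escalated when the host agent raises an alert for the same host in the same window) is the early warning of an outbreak that the internal intrusion prevention bullet on the routers-and-switches slide also calls for. Raw lines are kept with every finding so that the review stays forensically sound.

```python
"""Centralized event correlation over forwarded logs.

Added example, not from the deck or from Cisco. A firewall logs connection
attempts and a host-based agent logs behavioral alerts; both are normalized
into one schema and correlated. The log formats and sample lines below are
constructed for this example, not real device output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample input. 10.1.5.23 sweeps port 445 across six hosts in five
# seconds and its host agent raises an alert; 10.1.5.40 and 10.1.5.41 are normal.
SAMPLE_LOGS = """\
2007-09-11T09:00:01 fw01 CONN src=10.1.5.23 dst=10.1.7.10 dport=445 action=permit
2007-09-11T09:00:02 fw01 CONN src=10.1.5.23 dst=10.1.7.11 dport=445 action=permit
2007-09-11T09:00:02 fw01 CONN src=10.1.5.23 dst=10.1.7.12 dport=445 action=deny
2007-09-11T09:00:03 fw01 CONN src=10.1.5.23 dst=10.1.7.13 dport=445 action=permit
2007-09-11T09:00:04 fw01 CONN src=10.1.5.23 dst=10.1.7.14 dport=445 action=deny
2007-09-11T09:00:05 fw01 CONN src=10.1.5.23 dst=10.1.7.15 dport=445 action=permit
2007-09-11T09:00:07 fw01 CONN src=10.1.5.40 dst=10.1.7.10 dport=443 action=permit
2007-09-11T09:00:08 fw01 CONN src=10.1.5.40 dst=10.1.7.10 dport=443 action=permit
2007-09-11T09:00:20 hips01 ALERT host=10.1.5.23 msg=unexpected_outbound_process
2007-09-11T09:05:00 fw01 CONN src=10.1.5.41 dst=10.1.7.20 dport=445 action=permit
"""

CONN_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) CONN src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")
ALERT_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) ALERT host=(?P<host>\S+) msg=(?P<msg>\S+)$")


def parse(text: str) -> List[Dict]:
    """Normalize both sources into one event schema; keep the raw line as evidence."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CONN_RE.match(line)
        if m:
            events.append({"type": "conn", "ts": datetime.fromisoformat(m["ts"]),
                           "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
                           "action": m["action"], "raw": line})
            continue
        m = ALERT_RE.match(line)
        if m:
            events.append({"type": "alert", "ts": datetime.fromisoformat(m["ts"]),
                           "host": m["host"], "msg": m["msg"], "raw": line})
            continue
        events.append({"type": "unparsed", "raw": line})   # never silently dropped
    return events


def correlate(events: List[Dict], window: timedelta = timedelta(seconds=60),
              fanout_threshold: int = 5) -> List[Dict]:
    """Flag any source that reaches >= fanout_threshold distinct destinations on
    one port inside `window` (denied attempts count too: a probe is a probe),
    and raise severity when a host alert for that source falls in the window."""
    conns = sorted((e for e in events if e["type"] == "conn"), key=lambda e: e["ts"])
    alerts = [e for e in events if e["type"] == "alert"]
    by_key: Dict[tuple, List[Dict]] = defaultdict(list)
    for e in conns:
        by_key[(e["src"], e["dport"])].append(e)

    findings = []
    for (src, dport), evs in by_key.items():
        for i, e in enumerate(evs):
            start = e["ts"] - window
            in_window = [x for x in evs[: i + 1] if x["ts"] >= start]
            targets = {x["dst"] for x in in_window}
            if len(targets) < fanout_threshold:
                continue
            first, last = in_window[0]["ts"], e["ts"]
            host_alerts = [a for a in alerts
                           if a["host"] == src and first - window <= a["ts"] <= last + window]
            findings.append({
                "src": src, "dport": dport, "first": first, "last": last,
                "distinct_targets": len(targets),      # count when the threshold was crossed
                "host_alerts": [a["msg"] for a in host_alerts],
                "severity": "high" if host_alerts else "medium",
                "evidence": [x["raw"] for x in in_window] + [a["raw"] for a in host_alerts],
            })
            break   # one finding per (src, port); a real engine would keep extending it
    return findings


if __name__ == "__main__":
    for f in correlate(parse(SAMPLE_LOGS)):
        print(f["severity"], f["src"], "->", f["distinct_targets"], "hosts on port", f["dport"])
        for line in f["evidence"]:
            print("   ", line)
```

Neither source would raise this on its own with much confidence: the firewall sees six short connections, some of them denied, and the host agent sees one unexpected process. Seen together in one place they are the same event, which is the "instant visibility" the slide promises from centralizing the logs. Unparsed lines are kept as events rather than discarded, so a format change at a sender shows up as a gap in the data instead of silently thinning the evidence.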