
Common Cyber Defenses

Tom Chothia, Computer Security, Lecture 18

A Typical Business Network

(Diagram: Wi-Fi, Web Server, Comp1, Database …, E-mail Server, SSH/RDP, Web Proxy …, Comp2, NAT)

Defenses

• Remove specific attack vectors.

• Make attacks more difficult.

• Make attacks easier to detect.

• Have good policies in place to ensure the system stays secure.

Defenses: Fast Patches

• Most important of all.

• Make sure all security patches are installed as soon as they are released.

• There is almost always a patch that stops any well-known exploit; unpatched systems are what off-the-shelf exploit tools target.

Defenses: Anti-Virus

• Anti-Virus products scan the computer for known malware.

• Can also scan e-mail and network traffic

• Only as good as its last signature update: it will not catch malware it has no signature for.

• Can be disabled by an attacker with admin access.

Defenses: Firewalls

• Firewalls filter network traffic, dropping packets that the policy does not allow.

• May be on the computer (host firewall) or built into a router (network firewall).

• Firewalls can be stateless or stateful.

• A stateless firewall decides on each packet by itself, e.g. block all traffic that is not on port 80.

Defenses: Firewalls

• A stateful firewall records the connections it has seen and uses that record to decide about later packets.

• E.g. block incoming connections but allow replies to connections opened from the inside.

• Ports of services the outside world must reach (a public web server, a mail server) cannot be blocked, so those services have to be secured in other ways.

• See the firewall settings on a Mac for a host firewall example.


A Typical Firewall Policy

(Diagram: Wi-Fi, Web Server, Comp1, Database …, E-mail Server, Comp2, Credit Card Processing, DMZ, Web Proxy, VPN)

Possible Firewall Policy: DMZ

• Web server: incoming connections to ports 80, 443 and 22 only (and their replies).

• Web proxy: new connections only from the internal network.

• E-mail server: traffic on ports 22 and 25 only.

Possible Firewall Policy: Internal

• Outgoing connections from internal hosts allowed only to the DMZ (so web access goes through the proxy).
 – exceptions for particular apps, e.g. Skype

• Only the VPN can open connections into the internal network.

• Wi-Fi network: only allows traffic to and from outside the network, never to internal hosts.
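The two policy slides above and the stateless/stateful distinction are easiest to check by running them. The following is an added example, not code from the lecture: a small zone-based stateful packet filter in Python that encodes the DMZ and internal rules as a first-match table and keeps a connection table so that replies to admitted connections pass while unsolicited packets are dropped. The address plan (192.0.2.0/24 for the DMZ, 10.0.0.0/16 internal, 10.200.0.0/16 VPN, 172.16.0.0/16 Wi-Fi), the DMZ host addresses, the proxy port 3128 and the rule allowing DMZ servers outbound access are all assumptions; a real deployment would express the same table as nftables, iptables or pf rules.

```python
"""Zone-based stateful packet filter that encodes the lecture's DMZ policy.

Added example, not code from the lecture. The address plan, DMZ host
addresses and the proxy port (3128) are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address plan (documentation / private ranges), not from the slides.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/16"),
    "vpn": ip_network("10.200.0.0/16"),
    "wifi": ip_network("172.16.0.0/16"),
}
WEB, PROXY, MAIL = "192.0.2.10", "192.0.2.20", "192.0.2.30"  # assumed DMZ hosts
ANY = None

# Rules consulted only for NEW connections: (src zone, dst zone, dst host,
# allowed dst ports, action). First match wins; no match means drop.
NEW_CONNECTION_RULES = [
    ("internet", "dmz", WEB, {80, 443, 22}, "allow"),  # web server: 80, 443, 22 only
    ("wifi", "internet", ANY, ANY, "allow"),           # Wi-Fi may only reach the outside
    ("wifi", ANY, ANY, ANY, "drop"),
    (ANY, "dmz", MAIL, {22, 25}, "allow"),             # e-mail server: 22 and 25 only
    (ANY, "dmz", MAIL, ANY, "drop"),
    ("internal", "dmz", PROXY, {3128}, "allow"),       # proxy: new connections from internal only
    (ANY, "dmz", PROXY, ANY, "drop"),
    ("internal", "dmz", ANY, ANY, "allow"),            # internal hosts go out via the DMZ only
    ("vpn", "internal", ANY, ANY, "allow"),            # only the VPN opens connections inward
    ("dmz", "internet", ANY, ANY, "allow"),            # assumed: proxy and mail need outbound access
]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a connection-opening TCP SYN


def zone_of(ip):
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"  # anything outside the known zones is the outside world


def policy_allows_new(pkt):
    """Evaluate the zone rules for a connection-opening packet."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for s, d, host, ports, action in NEW_CONNECTION_RULES:
        if s not in (ANY, src_zone) or d not in (ANY, dst_zone):
            continue
        if host not in (ANY, pkt.dst):
            continue
        if ports is not ANY and pkt.dport not in ports:
            continue
        return action == "allow"
    return False


class StatefulFirewall:
    """Admits new connections by policy, then passes packets of admitted
    connections in either direction; everything else is dropped."""

    def __init__(self):
        self.conns = set()  # (src, sport, dst, dport) of admitted connections

    def filter(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conns or rev in self.conns:
            return "ALLOW"  # reply or continuation of an admitted connection
        if pkt.syn and policy_allows_new(pkt):
            self.conns.add(fwd)
            return "ALLOW"
        return "DROP"


def stateless_port80_filter(pkt):
    """The lecture's stateless rule: pass only traffic involving port 80.
    It cannot tell a reply from an unsolicited packet sent with source port 80."""
    return "ALLOW" if 80 in (pkt.sport, pkt.dport) else "DROP"


if __name__ == "__main__":
    fw, client = StatefulFirewall(), "10.0.1.5"
    print(fw.filter(Packet(client, 51000, PROXY, 3128, syn=True)))            # ALLOW
    print(fw.filter(Packet(PROXY, 3128, client, 51000)))                      # ALLOW (reply)
    print(fw.filter(Packet("203.0.113.7", 80, client, 44444)))                # DROP (unsolicited)
    print(stateless_port80_filter(Packet("203.0.113.7", 80, client, 44444)))  # ALLOW
```

The last two lines of the demo are the practical difference between the two slides: an attacker who sets the source port of a packet to 80 walks straight through the stateless "port 80 only" rule, while the stateful filter drops it because no internal host opened that connection. The same table also shows why a public service cannot be firewalled: the web server's ports 80, 443 and 22 must stay open to everyone, so anything listening there has to be hardened and patched.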

Defenses: Intrusion Detection Systems

• A good system administrator will monitor their network.

• IDSs inspect all packets (like Wireshark) and report suspicious behaviour.

• Can catch the traffic of tools such as nmap and Metasploit.

• E.g. Snort: www.snort.org
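An IDS rule for nmap is a small piece of detection logic over a packet feed, so here is one written out. This is an added example, not a Snort rule or code from the lecture: a Python detector that flags a source contacting many distinct ports on one host inside a short window, run over a constructed connection log in an assumed "timestamp src dst dport" format. The threshold (10 ports) and window (60 s) are assumptions; the log includes a slow scan to show the failure mode any window-based rule has.

```python
"""Toy network IDS: spot nmap-style port scans in a connection log.

Added example, not Snort code or anything from the lecture. The log format,
threshold and time window are assumptions; the log lines are constructed.
"""
from collections import defaultdict, deque

SCAN_THRESHOLD = 10  # distinct destination ports from one source ... (assumed)
WINDOW_SECONDS = 60  # ... within this many seconds (assumed)


def constructed_log():
    """Constructed "timestamp src dst dport" lines standing in for a packet feed."""
    lines = []
    # Ordinary browsing: one internal client talking to the web server on 80/443.
    for i in range(20):
        lines.append(f"{1000 + 3 * i} 10.0.1.5 192.0.2.10 {443 if i % 2 else 80}")
    scan_ports = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 8080]
    # Fast scan: twelve ports in twelve seconds, the shape of a default nmap run.
    for i, port in enumerate(scan_ports):
        lines.append(f"{1100 + i} 203.0.113.9 192.0.2.10 {port}")
    # Slow scan: the same ports one every 30 s, which a 60 s window never catches.
    for i, port in enumerate(scan_ports):
        lines.append(f"{2000 + 30 * i} 198.51.100.7 192.0.2.10 {port}")
    return lines


def parse(line):
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def detect_port_scans(lines, threshold=SCAN_THRESHOLD, window=WINDOW_SECONDS):
    """Return one alert per (src, dst) whose distinct destination ports within
    `window` seconds reach `threshold`: (src, dst, window_start, port_count)."""
    recent = defaultdict(deque)  # (src, dst) -> sliding window of (ts, dport)
    alerted, alerts = set(), []
    for ts, src, dst, dport in sorted(parse(line) for line in lines):
        q = recent[(src, dst)]
        q.append((ts, dport))
        while ts - q[0][0] > window:  # expire events older than the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and (src, dst) not in alerted:
            alerted.add((src, dst))
            alerts.append((src, dst, q[0][0], len(ports)))
    return alerts


if __name__ == "__main__":
    for src, dst, start, n in detect_port_scans(constructed_log()):
        print(f"ALERT port scan: {src} -> {dst}, {n} ports from t={start}")
```

With the default settings only the fast scanner is reported; the slow scanner never has more than three ports inside any 60 s window. Lowering the threshold catches it but also moves the detector closer to alerting on ordinary traffic, which is the tuning trade-off a real IDS administrator makes with Snort's port-scan preprocessor settings.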

Defense: Encryption

• Security-sensitive data should not be stored in plain text.

• E.g. credit card numbers should always be encrypted.
 – But an attacker who compromises the system may find the key on it too.

• Passwords should be hashed (salted, with a deliberately slow hash).
 – But an attacker who obtains the hashes can try to crack them offline.
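The password bullet and its caveat can be shown together. The following is an added example, not code from the lecture: salted PBKDF2 hashing with a constant-time check, an unsalted MD5 hash for contrast, and the dictionary attack an attacker runs once they have the hash file. The work factor and the word list are assumptions chosen for illustration.

```python
"""Salted, slow password hashing and the offline attack it must survive.

Added example, not code from the lecture. The work factor and the
constructed word list are assumptions for illustration.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; raise it for production hardware (assumed value)


def hash_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt$digest' with a fresh random salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))  # constant-time compare


def unsalted_md5(password):
    """What not to do: equal passwords give equal hashes, so one precomputed
    table cracks every user at once."""
    return hashlib.md5(password.encode()).hexdigest()


def dictionary_attack(stored, wordlist):
    """An attacker holding the hash file tries candidates. The salt forces one
    slow PBKDF2 run per guess per user instead of a single table lookup."""
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


WORDLIST = ["123456", "password", "qwerty", "letmein", "password123", "summer2019"]  # constructed

if __name__ == "__main__":
    weak = hash_password("password123")
    strong = hash_password(secrets.token_urlsafe(16))
    print(dictionary_attack(weak, WORDLIST))    # password123
    print(dictionary_attack(strong, WORDLIST))  # None
```

Hashing does not make a weak password safe: the attack above still recovers "password123" after six slow guesses. The salt and work factor only raise the cost per guess per user, which is why the password policy in the next slide matters as much as the hashing.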

Top Defenses:

1. Apply patches
2. Firewall
3. Anti-Virus
4. Intrusion Detection Systems
5. Good password and user policies
6. Encryption policy

The first two should be fine for Linux or Mac, the first three for Windows. All six if you are a sys admin.

Computer Security Policy

• NIST defines “policy” as the documentation of computer security decisions.

• It’s all about the documentation.

• Usually the needs of the business come first and security comes second.

• See example policies: http://www.sans.org/security-resources/policies/computer.php


Payment Card Industry Data Security Standard (PCI-DSS)

• PCI-DSS is a standard for protecting card data in the organisations that handle it.

• All organisations that handle credit card data should comply with the standard.

• Card payments can be refused for a non-compliant organisation.
 – In practice, most of the time, a non-compliant organisation will only get into trouble if there is a problem or an audit.

A Typical Network

(Diagram: Wi-Fi, Web Server, Comp1, Database …, E-mail Server, Comp2, DMZ, NAT Proxy)

A Typical Business Network, PCI-DSS

(Diagram: Wi-Fi, Web Server, Comp1, Database …, E-mail Server, Comp2, Credit Card Processing, DMZ, Payment Gateway e.g. Authorize.net, NAT Proxy)

Key Steps Towards PCI-DSS Compliance

1: A secure network
 – Firewalls

2: Correctly configure your equipment
 – Remove default passwords, services etc.

3: Protect credit card data
 – Use encryption or do not store it.

4: Encrypted transmission of data
 – Use SSL/TLS

5: Vulnerability management program
 – Run anti-virus.

6: Secure systems and applications
 – Patches
 – Update policy and design
 – Check for web attacks.

7 & 8: Access control
 – Use access control, e.g. RBAC
 – Good password policy

9: Physical access control to card data
 – Video cameras, site badges, shred data etc.

10: Monitor and test
 – Log access, ensure clocks are correct, have a policy for reacting to alerts.

11: Regular testing and processes
 – Run quarterly pen tests, IDS

12: Maintain a security policy.

Conclusion

Simple steps and good policy are the best way to keep a network secure.

PCI-DSS is a simple security check-up for an organization that uses credit cards.

Next three lectures: Ian Batten on information security policy.