Common Cyber Defenses. Tom Chothia, Computer Security, Lecture 18
TRANSCRIPT
A Typical Business Network (diagram): Wi-Fi, WebServer, Comp1, Comp2, DataBase, E-mail Server, SSH/RDP, Web Proxy, NAT.
Defenses
• Remove specific attack vectors.
• Make attacks more difficult.
• Make attacks easier to detect.
• Have good policies in place to ensure the system stays secure.
Defenses: Fast Patches
• Most importantly of all.
• Make sure all security patches are installed immediately.
• There is almost always a patch to stop any well known exploit.
Defenses: Anti-Virus
• Anti-Virus products scan the computer for known malware.
• Can also scan e-mail and network traffic.
• Only as good as the last update.
• Can be disabled by an attacker with admin access.
Defenses: Firewalls
• Firewalls block Internet traffic.
• May be on the computer (host) or built into a router (network).
• Firewalls can be stateless or stateful.
• Stateless firewalls could, e.g., block all traffic not on port 80.
• Stateful firewalls record the traffic and use it to make future decisions.
• E.g. block incoming connections but allow replies to outgoing connections.
• Can’t firewall off services used by the outside world.
A Typical Firewall Policy (diagram): Wi-Fi, WebServer, Comp1, DataBase, E-mail Server, Comp2, Credit Card Processing, DMZ, Web Proxy, VPN.
Possible Firewall Policy DMZ
• Webserver: incoming to ports 80, 443, 22 (and replies).
• Web proxy new connections only from internal network.
• E-mail server traffic via ports 22, 25 only.
Possible Firewall Policy Internal
• Outgoing connections only allowed to the DMZ.
  – Exceptions for particular apps, e.g. Skype.
• Only the VPN can open connections into the internal network.
• The Wi-Fi network only allows traffic to and from outside the network.
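The stateless/stateful distinction and the DMZ/internal policy above, worked through as a toy packet filter. This is an added example, not code from the lecture: the zone addresses, the `new` (TCP SYN) flag on each packet and the rule table are assumptions chosen to mirror the slides' rules, and the stateless check beside the stateful one shows why replies to a web request are dropped without connection state.

```python
# Toy stateful packet filter applying the slides' DMZ/internal policy (added example,
# not from the lecture). Constructed addresses: internal 10.0.0.0/24, DMZ 10.0.1.0/24
# (web .10, proxy .20, mail .30), VPN clients 10.0.2.0/24; anything else is "outside".
from collections import namedtuple
from ipaddress import ip_address, ip_network

ZONES = {"internal": ip_network("10.0.0.0/24"), "dmz": ip_network("10.0.1.0/24"),
         "vpn": ip_network("10.0.2.0/24")}
WEB, PROXY, MAIL = "10.0.1.10", "10.0.1.20", "10.0.1.30"

# Rules for NEW connections; first match wins, default deny. Fields:
# (action, source zone or "any", destination host or zone, allowed ports or None = any)
RULES = [
    ("allow", "outside", WEB, {80, 443, 22}),  # webserver: incoming 80, 443, 22
    ("allow", "any", MAIL, {22, 25}),          # e-mail server: ports 22, 25 ...
    ("deny", "any", MAIL, None),               # ... and nothing else
    ("allow", "internal", "dmz", None),        # internal only opens connections to the DMZ
    ("allow", "vpn", "internal", None),        # only the VPN opens connections inward
]                                              # no rule lets outside reach the proxy

# new=True marks the first packet of a connection (TCP SYN); replies carry new=False.
Packet = namedtuple("Packet", "src sport dst dport new")

def zone(addr):
    return next((n for n, net in ZONES.items() if ip_address(addr) in net), "outside")

def match_rules(p):
    """Stateless check: a firewall with no memory can only ever apply these rules."""
    for action, src_zone, dst, ports in RULES:
        src_ok = src_zone in ("any", zone(p.src))
        dst_ok = (zone(p.dst) if dst in ZONES else p.dst) == dst
        port_ok = ports is None or p.dport in ports
        if src_ok and dst_ok and port_ok:
            return action
    return "deny"

class StatefulFirewall:
    """Records accepted connections so their replies pass, as described on the slides."""
    def __init__(self):
        self.conns = set()  # (src, sport, dst, dport) of accepted connections
    def filter(self, p):
        if (p.dst, p.dport, p.src, p.sport) in self.conns:
            return "allow"  # reply to a connection we accepted earlier
        if not p.new:
            return "deny"   # unsolicited packet with no matching state
        action = match_rules(p)
        if action == "allow":
            self.conns.add((p.src, p.sport, p.dst, p.dport))
        return action
```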
Defenses: Intrusion Detection Systems
• A good system administrator will monitor their network.
• IDSs look at all packets (like Wireshark) and report suspicious behavior.
• Can catch nmap and metasploit.
• E.g. Snort: www.snort.org
Defense: Encryption
• Security sensitive data should not be stored in plain text.
• E.g. credit cards should always be encrypted.
  – But an attacker may find the key on the system.
• Passwords should be hashed.
  – But an attacker can try to crack them.
Top Defenses:
1. Apply patches
2. Firewall
3. Anti-Virus
4. Intrusion Detection Systems
5. Good password and user policies
6. Encryption policy
The first 2 should be fine for Linux or Mac, the first 3 for Windows. All 6 if you are a sys admin.
Computer Security Policy
• NIST defines “Policy” as documentation of computer security decisions.
• It’s all about the documentation.
• Usually: needs of the business come first, the security comes second.
• See example policies: http://www.sans.org/security-resources/policies/computer.php
Payment Card Industry Data Security Standard (PCI-DSS)
• PCI-DSS is a standard for protecting organisations.
• All organisations that handle credit card data should comply with the standard.
• Card payments could be refused for a non-compliant organisation.
  – In practice, most of the time, a non-compliant organisation will only get into trouble if there is a problem or an audit.
A Typical Business Network, PCI-DSS (diagram): Wi-Fi, WebServer, Comp1, DataBase, E-mail Server, Comp2, Credit Card Processing, DMZ, Payment Gateway (e.g. Authorize.net), NAT Proxy.
Key Steps Towards PCI-DSS Compliance
1: A secure network
  – Firewalls
2: Correctly configure your equipment
  – Remove default passwords, services etc.
3: Protect credit card data
  – Use encryption or do not store it.
4: Encrypted transmission of data
  – Use SSL/TLS
5: Vulnerability Management Program
  – Run anti-virus.
6: Secure Systems and Applications
  – Patches
  – Update policy and design
  – Check for web attacks.
7 & 8: Access Control
  – Use access control, e.g. RBAC
  – Good password policy
9: Physical Access Control to Card Data
  – Video cameras, site badges, shred data etc.
10: Monitor and Test
  – Log access, ensure clocks are correct, have a policy for reacting to alerts.
11: Regular testing and processes
  – Run quarterly pen. tests, IDS
12: Maintain a Security Policy.