Security Overview: Trends
Rafal Lukawiecki, Strategic Consultant, Project Botticelli Ltd, rafal@projectbotticelli.co.uk


Post on 23-Dec-2015


Slide 1
Security Overview: Trends
Rafal Lukawiecki, Strategic Consultant, Project Botticelli Ltd
rafal@projectbotticelli.co.uk

Slide 2: Objectives
- Overview a process-oriented approach to security
- Discuss the recent trends in approaching security issues

Slide 3: Session Agenda
- Frameworks, Processes and Concepts
- Issues
- Trends

Slide 4: The Problem
We have (more than enough) security technologies, but we do not know how (and if) we are secure.

Slide 5: Security Frameworks

Slide 6: Security Definition
- Cambridge Dictionary of English: the ability to avoid being harmed by any risk, danger or threat
  - Therefore, in practice, an impossible goal
- What can we do then? Be as secure as needed
- Rafal's definition: the ability to avoid being harmed too much by reasonably predictable risks, dangers or threats

Slide 7: Adequate Security
CERT usefully suggests: "A desired enterprise security state is the condition where the protection strategies for an organization's critical assets and business processes are commensurate with the organization's risk appetite and risk tolerances." (www.cert.org/governance/adequate.html)
- Risk Appetite: defined through executive decision; influences the amount of risk worth taking to achieve enterprise goals and missions. Relates to risks that must be mitigated and managed.
- Risk Tolerance: the residual risk accepted. Relates to risk for which no mitigation would be in place.

Slide 8: Approaches for Achieving Security
Two approaches are needed:
- Active, dynamic, transient: implemented through behaviour and pattern analysis
- Passive, static, pervasive: implemented through cryptography

Slide 9: Holistic View of Security
Security should be:
- Static + Active
- Across all your assets
- Based on ongoing threat risk assessment

Slide 10: Framework 1: Defense in Depth
Using a layered approach:
- Increases an attacker's risk of detection
- Reduces an attacker's chance of success
Layers and example controls:
- Policies, Procedures & Awareness: user education against social engineering
- Physical Security: guards, locks, tracking devices, HSM
- Perimeter: firewalls, VPN quarantine
- Internal Network: network segments, IPSec, NIDS
- Host: OS hardening, update management, authentication
- Application: application hardening, antivirus
- Data: ACL, encryption

Slide 11: Secure Environment
A secure environment is a combination of:
- Hardened hosts (nodes)
- Intrusion Detection System (IDS)
- Operating processes: standard and emergency
- Threat modelling and analysis
- Dedicated responsible staff: a Chief Security Officer (CSO) responsible for all
- Continuous training of users and security staff against social engineering

Slide 12: Framework 2: OCTAVE
- Operationally Critical Threat, Asset and Vulnerability Evaluation
- Carnegie-Mellon University guidance
- Origin in 2001
- Used by the US military and a growing number of larger organisations
- www.cert.org/octave

Slide 13: Concept of OCTAVE
- Workshop-based analysis
- Collaborative approach
- Guided by an 18-volume publication (www.cert.org/octave/omig.html)
  - Very specific, with suggested timings, personnel selection etc.
- Smaller version, OCTAVE-S, for small and medium organisations (www.cert.org/octave/osig.html)

Slide 14: OCTAVE Process
A progressive series of workshops:
- Planning
- Phase 1, Organizational View: assets, threats, current practices, organizational vulnerabilities, security requirements
- Phase 2, Technological View: technical vulnerabilities
- Phase 3, Strategy and Plan Development: risks, protection strategy, mitigation plans

Slide 15: Framework 3: Security Risk Analysis
A simplified approach, taking into account your assets' exposure to security risks. Requires:
1. Identifying your assets
2. Assessing risks and their impact, probability and exposure
3. Formulating plans to reduce overall risk exposure

Slide 16: Risk Impact Assessment
- For each asset and risk, attach a measure of impact
- Monetary scale if possible (difficult), or relative numbers with agreed meaning, e.g. Trivial (1), Low (2), Medium (3), High (4), Catastrophic (5)
- Example: Asset: Internal MD mailbox; Risk: Access to content by press; Impact: Catastrophic (5)

Slide 17: Risk Probability Assessment
- Now, for each entry, measure the probability that the loss may happen
- Real probabilities (difficult) or a relative scale (easier) such as Low (0.3), Medium (0.6) and High (0.9)
- Example: Asset: Internal MD mailbox; Risk: Access to content by press; Probability: Low (0.3)

Slide 18: Risk Exposure and Risk List
- Multiply probability by impact for each entry: Exposure = Probability x Impact
- Sort by exposure
- High-exposure risks need very strong security measures
- Lowest-exposure risks can be covered by default mechanisms or ignored
- Example: Press may access MD mailbox: Exposure = P(Low = 0.3) x I(Catastrophic = 5) = 1.5
- By the way, the minimum exposure is 0.3 and the maximum is 4.5 in our examples

Slide 19: Mitigation and Contingency
For high-exposure risks, plan:
- Mitigation: reduce its probability or impact (and so its exposure)
- Transfer: make someone else responsible for the risk
- Avoidance: avoid the risk by not having the asset
- Contingency: what to do if the risk becomes reality

Slide 20: Framework 4: Threat Modeling
Structured analysis aimed at:
- Finding infrastructure vulnerabilities
- Evaluating security threats
- Identifying countermeasures
Originated from software development security threat analysis. Steps:
1. Identify Assets
2. Create an Architecture Overview
3. Decompose the System
4. Identify the Threats
5. Document the Threats
6. Rate the Threats

Slide 21: STRIDE
A technique for threat identification (Step 4). Types of threat, with examples:
- Spoofing: forging an email message; replaying authentication
- Tampering: altering data during transmission; changing data in a database
- Repudiation: deleting critical data and denying it; purchasing a product and denying it
- Information disclosure: exposing information in error messages; exposing code on a web site
- Denial of Service: flooding a web service with invalid requests; flooding a network with SYN
- Elevation of Privilege: obtaining Administrator privileges; using an assembly in the GAC to create an account

Slide 22: Threat Tree
Root: Inside Attack Enabled (attack domain controller from inside). Leaf nodes, combined through OR and AND gates:
- SQL Injection: an application doesn't validate users' input and allows evil texts
- Dev Server Unhardened: SQL server used by internal developers
- Messenger Xfer: a novice admin uses an instant messenger on a server
- Trojan Soc Eng: an attacker sends a trojan masquerading as a network utility

Slide 23: Current Security Issues

Slide 24: Industry Issues for 2005-2006
Without undue generalisation:
- Mobile security at data layer
- Malware/spyware
- Compliance auditing
- Identity management
- Patch/update management
- Application defence
- Intrusion detection

Slide 25: Mobile Security at Data Layer
- Laptops and PDAs are rarely protected against physical data extraction
- Encryption with removable keys is very effective, though deployment requires planning and is sometimes cumbersome
- Smartcards plus EFS, or an alternative system such as PGP etc., can be applied
- Data recovery needs (legal and practical) complicate the matter greatly

Slide 26: Spyware (Malware) Protection
- 90% of machines have malicious software, on average 28 separate spyware programs (report by Earthlink & Webroot)
- Consequences: zombies; network bandwidth and CPU degradation; commercial secrets leaked; privacy destroyed; 3rd-party liability arises
- Best practice: SpyBot Search and Destroy (www.spybot.info); Microsoft AntiSpyware (in beta); AdAware; limit use of administrative privileges for end-users

Slide 27: Compliance Auditing
- An area of rapid growth, primarily due to Sarbanes-Oxley (Sarbox, or SOX) and EU data privacy regulation
- In the hands of specialised providers, mainly the consulting business
- Microsoft Operations Manager (MOM) can be applied for this purpose

Slide 28: Identity Management
- Heterogeneity of authentication and security measures is a common fact: don't fight it, integrate it
- Synchronisation between directories, no matter how different, is becoming a reality with solutions built on systems such as MIIS (Identity Integration Server)
- Alternatively, converge onto a client solution, such as smartcards or OTP/tokens

Slide 29: Patch and Update Management
- As of Sept 2005, Microsoft Update is fully functioning and integrates, at present: Windows OS updates, Office, SQL Server, Exchange
- More Microsoft products are being added over the next months
- Enterprise solutions, however, will still benefit from a fully-managed software distribution system, such as SMS (Systems Management Server)

Slide 30: Application Defence
- As networks and hosts become well protected, application-level attacks are on the increase
- Other than for very new in-house applications, development security has rarely been a concern
- This is a major area of worry from the perspectives of both insider and outside attacks
- Approaches: prove it's safe (threat modelling); isolate-and-monitor; replace

Slide 31: Treating Unproven Applications
Until proven to be secure, treat all applications as evil:
- Restrict access to users on a need-to-use basis only
- Restrict remote use
- Isolate to dedicated application servers
- Restrict servers through IPSec policies to allow only the communication that applications explicitly require
- Monitor usage patterns to establish a baseline and raise an alarm when patterns vary
- Enable stringent auditing
- Request a formal threat analysis if the above restrictions are too severe

Slide 32: Intrusion Detection
- Intrusion Detection Systems (IDS) are still fairly basic, though sophistication has grown in network-level detection
- Honeypots, i.e. monitored vulnerable servers exposed as bait, are still very effective, though they may pose legal problems

Slide 33: Trends for 2006

Slide 34: Network Security: IPv6
- A major development for 2006+ will be the gradual replacement of IPv4 with IPv6
- Amongst the many benefits of this move, the crucial introduction of compulsory IPSec6 will provide much-needed authentication and confidentiality of data at wire level
- Interesting issues still remain to be solved, but now is a very good time to seriously evaluate the technology
- Windows Vista comes with a new IPv6 stack, as part of the entirely rewritten TCP/IP substrate called Next Generation TCP/IP

Slide 35: Network Device Port Protection
- Though long awaited, 802.1x for wired networks is off to a confused start, as many basic devices, such as switches, are unlikely to support the technology as expected
- With new infrastructure this technology might be useful in high-risk areas, especially exposed networks

Slide 36: Smartcards
- While not a new technology, Microsoft's support in Windows Vista promises a serious approach to solving deployment, manageability and developer issues
- InfoCard specification for developers
- Alacris acquisition (20 Sept) for smartcard lifecycle management
- Axalto deal for smartcard infrastructure
- Windows Vista re-write of smartcard functionality

Slide 37: Biometrics
- Overhyped: be careful and sceptical
- Useful as a secondary protection of a private encryption key on a smartcard in a controlled environment
- Advantage: simple, and works in some environments, e.g. immigration control or secondary authentication of staff
- Weaknesses: not useful for at-home, remote etc. applications, as there is no way to ensure it is your real fingerprint, iris, retina etc. being scanned; biometric data can be stolen and used to fake identity, with no way to change it later; too many false positive and false negative matches

Slide 38: Application-level Protection
- With .NET Framework 2.0 and SQL Server 2005, developers can use a plethora of security technologies easily
- Developers are increasingly seen as responsible for security; this extends even to database developers, previously unlikely to engage in cryptography or ACL management
- It is very important that all in-house and vertical solution-provider application developers undergo security training
- Refresher courses or workshops are a good idea; community participation helps

Slide 39: Summary

Slide 40
- Viewing security holistically combines the perspectives of people, processes and technologies, and requires ongoing research and education
- Security goals oppose those of usability
- Frameworks enable achieving security goals without facing unexpected costs
- Network and host protections are fairly mature
- Developer-oriented solutions to prevent application-level attacks must be employed

Slide 41
© 2005 Project Botticelli Ltd & Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. PROJECT BOTTICELLI AND MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. You must verify all the information presented before relying on it. E&OE.

Slide 42
Welcome. Clare Dillon, Developer and Platform Group, Microsoft Ireland, Clare.Dillon@microsoft.com
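The exposure arithmetic of slides 16 to 19, carried through as an added example (not the deck's own code): it ranks a constructed risk register on the slides' relative scales, reproduces the 1.5 / 0.3 / 4.5 figures, and recomputes exposure after a mitigation lowers probability or impact. The MD-mailbox entry is the slides' example; the other register rows and the triage threshold of 1.0 are assumptions.

```python
# Added example (not part of the slides): a small risk register using the
# relative scales from slides 16-18 and the "reduce probability or impact"
# mitigation from slide 19. The MD-mailbox entry is the slides' own example;
# the other assets and risks are constructed sample data.

IMPACT = {"Trivial": 1, "Low": 2, "Medium": 3, "High": 4, "Catastrophic": 5}
PROBABILITY = {"Low": 0.3, "Medium": 0.6, "High": 0.9}

# (asset, risk, probability level, impact level)
RISK_REGISTER = [
    ("Internal MD mailbox", "Access to content by press", "Low", "Catastrophic"),
    ("Public web server", "Defacement via unpatched CMS", "High", "Medium"),
    ("Developer test server", "Compromise of test database", "Medium", "Low"),
    ("Shared printer queue", "Print job lost", "Low", "Trivial"),
]


def exposure(probability: str, impact: str) -> float:
    """Exposure = Probability x Impact, on the slides' relative scales."""
    return round(PROBABILITY[probability] * IMPACT[impact], 2)


def exposure_bounds():
    """Lowest and highest exposure the two scales can produce (0.3 and 4.5)."""
    return (round(min(PROBABILITY.values()) * min(IMPACT.values()), 2),
            round(max(PROBABILITY.values()) * max(IMPACT.values()), 2))


def ranked_register(register=RISK_REGISTER):
    """Risk list as (asset, risk, exposure), highest exposure first (slide 18)."""
    rows = [(asset, risk, exposure(p, i)) for asset, risk, p, i in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def mitigated_exposure(probability, impact, new_probability=None, new_impact=None):
    """Exposure after a mitigation that lowers the probability level, the
    impact level, or both (slide 19). Levels not supplied stay unchanged."""
    return exposure(new_probability or probability, new_impact or impact)


def triage(register=RISK_REGISTER, threshold=1.0):
    """Split the ranked list into risks needing very strong measures and
    risks left to default mechanisms. The threshold is an assumed value."""
    ranked = ranked_register(register)
    strong = [row for row in ranked if row[2] >= threshold]
    default = [row for row in ranked if row[2] < threshold]
    return strong, default
```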
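An added example for the threat tree of slide 22 (not code from the presentation): an AND/OR tree evaluator that lists each combination of conditions sufficient to reach the root and checks whether a given set of fixes closes every path. The wiring of the four leaves under the OR and AND gates is an assumption, since the slide gives only the node names and the gate types.

```python
# Added example (not part of the slides): evaluator for an AND/OR threat tree
# in the style of slide 22. The wiring below, SQL Injection OR Dev Server
# Unhardened OR (Messenger Xfer AND Trojan Soc Eng), is an assumption.
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    gate: str = "LEAF"          # "LEAF", "AND" or "OR"
    children: list = field(default_factory=list)

TREE = Node("Inside Attack Enabled", "OR", [
    Node("SQL Injection"),
    Node("Dev Server Unhardened"),
    Node("Trojan delivered by novice admin", "AND", [
        Node("Messenger Xfer"),
        Node("Trojan Soc Eng"),
    ]),
])

def reachable(node: Node, present: set) -> bool:
    """True if the threat at `node` is achievable given the set of leaf
    conditions that currently hold in the environment."""
    if node.gate == "LEAF":
        return node.name in present
    results = [reachable(child, present) for child in node.children]
    return all(results) if node.gate == "AND" else any(results)

def cut_sets(node: Node) -> list:
    """Minimal sets of leaf conditions that each suffice to reach the root.
    Every one of them must be broken for the threat to be closed off."""
    if node.gate == "LEAF":
        return [frozenset([node.name])]
    if node.gate == "OR":
        return [s for child in node.children for s in cut_sets(child)]
    combos = [frozenset()]          # AND: one set from each child, combined
    for child in node.children:
        combos = [a | b for a in combos for b in cut_sets(child)]
    return combos

def leaves(node: Node) -> set:
    if node.gate == "LEAF":
        return {node.name}
    return set().union(*(leaves(child) for child in node.children))

def closed_by_fixing(node: Node, fixed) -> bool:
    """Does removing the conditions in `fixed` (e.g. hardening the dev server)
    leave no way to reach the root? Assumes every other leaf still holds."""
    return not reachable(node, leaves(node) - set(fixed))
```

Each cut set is one countermeasure planning target: breaking the AND branch needs only one of its two leaves fixed, while each OR leaf must be fixed on its own.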