10 FOCUS AREAS FOR BREACH PREVENTION
Keith Turpin Chief Information Security Officer Universal Weather and Aviation
Why It Matters
• Loss of Personally Identifiable Information (PII)
• Loss of Intellectual Property
• Direct Financial Loss (e.g. loss resulting in loss of funds)
• Indirect Financial Loss (e.g. cost incurred responding to a breach)
• Reputation Loss
• Regulatory Sanctions
Understanding Mindset
• IT Staff View: IT systems are designed to meet functional requirements
• Attacker's View: What matters is what a system can do, not what it was intended to do
• The Hard Truth: "Any action not specifically prohibited, is allowed"
Managing Security Infrastructure
• Intrusion Prevention
• Security Architecture
• Web Browsing Security
• Patch Management
• Vulnerability Management
• Access Control
• Email Security
• Security Training
• 3rd Party Assessments
• Policies and Contracts
• Software Security
• Endpoint Security Management
• Malware Detection
• System Hardening
• Firewalls
• Incident Response
• Change Management
Which Systems Represent the Greatest Risk?
Determine Consistent and Relevant Criteria:
• Accessibility: Where can the system be reached from?
  Internal network, public internet, supplier network, vendor network...
• Operation Control: Who manages the system?
  Your organization, a vendor, a vendor to a vendor...
• People: What types of people use the system?
  Employees, Vendors, Customers, Competitors, U.S. Persons, Non-U.S. Persons...
• Critical Operations: Does the system support critical operations?
  Revenue Generation, Enterprise Security, Critical Infrastructure, Identity Management...
• Information Types: Does it manage access to highly sensitive information?
  PII, Intellectual Property, Regulatory Compliance...
• System Characteristics: Are there system attributes that raise the risk?
  Over-privileged accounts, End-of-Life software, mixed data sensitivity or system criticality...
Critical Vulnerabilities in IT Systems
1. Weak Authentication Practices
2. Failing to Secure the Infrastructure
3. Insecure Data Storage
4. Introducing Flaws During Maintenance
5. Not Testing for Vulnerabilities
6. Failing to Remediate Known Issues
7. Insufficient Monitoring
8. Creating Insecure Designs
9. Using Insecure Coding Practices
10. Failing to Train Staff
Weak Authentication Practices: Risk #1
Chipping Away At The Keys To Your Digital Kingdom
• Weak passwords, phishing, cracking tools, large scale breaches, password re-use
Multi-Factor Authentication Can Mitigate Many Data Breaches*
Start Implementing Two Factor Authentication:
• End user remote access accounts
• Infrastructure administrator accounts
• Local device login
• Web based applications, even customer facing applications
Used by: Google, Microsoft, Amazon, Facebook, and many others
*Mandiant M-Trends® 2015 & Verizon 2015 Data Breach Investigation Report
Failing to Secure the Infrastructure: Risk #2
Don't Allow Your Systems To Be Soft On The Inside
Harden Systems In Their Deployment Configuration
1. Implement Least Privilege
2. Implement Good Authentication Controls
3. Secure Web and Application Servers
4. Lock Down Network Shares
5. Reduce Attack Surface
6. Implement Local Security Controls
7. Secure Database Configurations
8. Verify Previously Fixed Issues Stay Fixed
Insecure Data Storage: Risk #3
Keep It Safe, Even If You Lose It
Encrypt Sensitive Data When It Must Be Reusable
• This includes databases, file shares, cloud storage and hard drives
• Encryption can mitigate legal liability associated with data loss
When data only needs to be validated against, like passwords, use one way salted hashes
Clear text data and authentication credentials can be a significant contributor to breach severity
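To make the "one way salted hash" point concrete, here is an added example (not the presenter's code) of storing and verifying passwords with PBKDF2-HMAC-SHA256 from the Python standard library. The iteration count, salt length and the self-describing record format are assumptions chosen for the example; the point it demonstrates is that a leaked record does not yield the password, two users with the same password get different records, and the work factor can be raised later without a password reset.

```python
"""Salted one-way password hashing with verification and work-factor upgrade.

Added example, not from the original slides. Standard library only
(hashlib PBKDF2-HMAC-SHA256); ITERATIONS, SALT_BYTES and the record
format are assumptions for the example.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed work factor; raise as hardware gets faster
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iter>$<salt_hex>$<hash_hex>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)            # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (ALGO, iterations, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != ALGO:
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # constant-time compare avoids leaking how many bytes matched
    return hmac.compare_digest(digest.hex(), hash_hex)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses a weaker work factor than the current policy;
    call hash_password() again on the next successful login to upgrade it."""
    return int(record.split("$")[1]) < iterations


def same_password_different_records(password: str) -> bool:
    """Two accounts with the same password must not produce the same stored value."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print("stored:", rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
```

The record stores everything needed to verify (algorithm, iterations, salt), so nothing else has to be kept in clear text alongside it. Where a dedicated password hash such as bcrypt, scrypt or Argon2 is available it is the better choice; PBKDF2 is used here only because it ships with the standard library.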
Introducing Flaws During Maintenance: Risk #4
Don't Break It While You Keep It Running
Changes To The System Are Inevitable
• Implement configuration management plans for all critical systems
• Use a formal change management process to provide visibility
Conduct A Security Impact Analysis For All Production Changes
• Ensure changes do not adversely affect security posture
• Don't undo something you already fixed
Include Both System Modifications And New Technology Insertions
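Risk #2 closes with "verify previously fixed issues stay fixed" and Risk #4 with "don't undo something you already fixed". Both come down to the same control: a hardening baseline that is re-checked after every change. The following added example (not from the presentation) implements that check over a constructed sshd-style configuration file; the baseline values, the file contents and the one-setting-per-line format are all constructed for the example.

```python
"""Configuration drift check: confirm previously fixed settings are still fixed.

Added example, not from the original slides. The config format (one
'Key value' per line, '#' comments), the baseline and the sample current
config are all constructed for illustration.
"""

# Constructed hardening baseline: setting -> required value after a prior fix.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
}

# Constructed "current" config collected from a server after a maintenance change.
CURRENT_CONFIG = """\
# sshd-style config, constructed for the example
PermitRootLogin yes
PasswordAuthentication no
# X11Forwarding was dropped from the file by the change
MaxAuthTries 6
"""


def parse_config(text: str) -> dict:
    """Parse 'Key value' lines, ignoring blank lines and '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def find_regressions(current: dict, baseline: dict = BASELINE) -> dict:
    """Return {setting: (expected, actual)} for every baseline item not met.

    A setting that is absent is reported with actual=None: the daemon's
    default then applies, which is exactly what the earlier fix overrode.
    """
    regressions = {}
    for key, expected in baseline.items():
        actual = current.get(key)
        if actual != expected:
            regressions[key] = (expected, actual)
    return regressions


def check(text: str, baseline: dict = BASELINE) -> dict:
    """Convenience wrapper: parse a config file's text and report regressions."""
    return find_regressions(parse_config(text), baseline)


if __name__ == "__main__":
    for key, (expected, actual) in sorted(check(CURRENT_CONFIG).items()):
        print("REGRESSION %s: expected %r, found %r" % (key, expected, actual))
```

Run as part of the change's post-implementation review (or on a schedule), a non-empty result is the evidence that a change undid something already fixed, before an attacker finds it.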
Not Testing for Vulnerabilities: Risk #5
Don't Assume Things Are Secure
Security Assessments Are Critical To Understanding Your Current State
Assessment Focus Areas:
• Network Security Assessments
• Server Security Assessments
• Application Security Assessments
• Penetration Tests
• Security Architecture Reviews
• Security Management Practices Assessments
• Compromise Assessments
Failing to Remediate Known Issues: Risk #6
Knowing You Have A Problem Is Half The Battle
Systems Are Frequently Breached Using Fixable Vulnerabilities
• 71% of exploited vulnerabilities had patches available for more than 1 year
• Commercial software vulnerabilities often result in systemic issues
Vulnerability Management Program Responsibilities
• Vulnerability management and reporting
• Prioritize vulnerabilities
• Track status and report metrics
• Corrective action validation
Monitor For Emerging Threats:
• Software vendor security bulletins
• Vulnerability clearing houses (CVE, Security Focus, etc.)
• New exploit announcements (Exploit DB, Black Hat, RSA, InfraGard)
Insufficient Monitoring: Risk #7
What You Don't See Can Hurt You
Things You Need To Be Monitoring:
• Email and all web traffic (including HTTPS)
• Malicious activity on end points
• Network traffic for call outs to command and control systems
• Rapid system and file changes (could indicate ransomware at work)
• Security and perimeter system alerts
• Help desk tickets related to security tools
Things To Consider Monitoring:
• Servers transmitting data to unregistered IPs
• Servers "initiating" HTTP, HTTPS, FTPS or other outbound connections
• Unusual activity on shell services like SSH and RPC
• Unauthorized proxies on end point devices
• New local admin accounts showing up
• Users logging into systems they don't normally access
• Users logging in at odd hours or from an unusual geographic region
Creating Insecure Designs: Risk #8
Bad Designs Can Introduce Complex Vulnerabilities
Threat Model Critical Systems To:
• Identify logic errors
• Identify design errors
• Determine the most likely points of weakness
There are 7 stages to a threat modeling exercise:
1. Identify Assets
2. Create an Architecture Overview
3. Decompose the Application
4. Identify the Threats
5. Document the Threats
6. Rate the Threats
7. Remediate, Mitigate or Accept the Associated Risks
Using Poor Coding Practices: Risk #9
Good Developer ≠ Secure Code
• Vulnerabilities are usually the result of uninformed efforts to meet functional requirements
• Set expectations by documenting software security requirements in standards and contracts
• Train developers on secure coding practices and common vulnerabilities
• Create secure, tested, reusable, managed code libraries for common business requirements
Failing to Train Staff: Risk #10
People Are The Third Perimeter
• Tools cannot save you... They won't even help much without people who know how to use them
• Even great tools won't catch everything; people need to learn to recognize when something does not look, feel or act right
• The help desk needs to know what data to collect for security related calls and have tip sheets for common issues
• Help staff understand how to improve security at home, and they will be more secure in the office
QUESTIONS?
SUPPLEMENTAL MATERIAL AKA USEFUL STUFF
Locking Down Your Servers
Windows Server Hardening Guide - Example (embedded PDF)
Build Secure Software
Secure Coding Guides (embedded PDFs):
1. Access Control and Web Session Management Guide
2. Authentication and Password Guide
3. Data and File Handling Guide
4. Error Handling & Logging Guide
5. HTML 5 Security Guide
6. Memory Management and General Practices Guide
Security Guidance for the Common Person
Information Security in Our Personal Lives (embedded PDF)
Keep Staff Informed
Sample: Apple QuickTime IT Security Bulletin (embedded PDF)
Software Security Testing
Application Assessment Focus Areas and Methods:
• Application Security Assessment Types
  o Dynamic Application Security Testing (DAST)
    - Rapid interface based testing
    - Good at covering deployed software and supporting frameworks
    - Only covers web applications
  o Source Code and Binary Security Testing (SCST)/(BAST)
    - Best coverage of code base
    - May miss non-compiled or client side code
    - Cannot detect framework or other application environmental vulnerabilities
  o Manual Application Security Testing and Code Review
    - Can detect vulnerabilities that tools miss
    - Takes more time and a higher level of skill
• Penetration Test
  o Simulates the methods, motives and techniques of an actual attacker
  o Includes exploitation of discovered vulnerabilities
  o The goal is to breach a targeted system
Maintain Existing Threat Models
Threat models need to be kept current in order to accurately address system risk. The following changes should trigger a review.
Threat Model Update Triggers:
1) System scope
2) System design
3) External entities interacting with the system
4) Trust boundaries between systems
5) Addition or removal of hosts, processes or data stores
6) Data flows
7) Protocols used for data transport
8) Sensitive data types
9) How authentication occurs between people or processes
10) How authorization is performed
11) New threats are identified which may impact system components
What is a threat in the context of threat modeling? A threat is any potential occurrence, malicious or otherwise, that might damage or compromise the system or the data it manages.