Network Security and its Impact on Network Continuity - PowerPoint PPT Presentation

Slides: 19
Provided by: edward167

Transcript and Presenter's Notes


1
Network Security and its Impact on Network
Continuity
2
What you don't know can hurt you!
  • What is Network Security?
  • "Network security consists of the provisions made
    in an underlying computer network infrastructure,
    policies adopted by the network administrator to
    protect the network and the network-accessible
    resources from unauthorized access and consistent
    and continuous monitoring and measurement of its
    effectiveness (or lack) combined together."
  • Source: http://en.wikipedia.org/wiki/Network_security
  • Information Security is related to, but not
    identical with, Network Security

3
Impact of non-secure network infrastructure on an
organization
  • Loss of Services
  • Website/Server Down
  • Loss of Sales
  • Loss of Time
  • Loss of Data
  • Proprietary Information
  • Sensitive Information
  • Customer Information
  • Loss of Reputation
  • Adverse publicity
  • Loss of Customers
  • Known as an easy mark on hacker forums

4
Threats
  • External
  • Hackers
  • Enter the network using simple or advanced
    techniques
  • Use social engineering techniques
  • Have a lot of time and good, free tools
  • NMAP
  • MetaSploit
  • MilW0rm
  • Netcat
  • Phishing
  • Pharming: much more dangerous than phishing,
    because the victim is redirected to the fake site
    (e.g. via poisoned DNS or a modified hosts file)
    even when typing the correct address
  • Malware
  • Malicious code on websites
  • Malicious email attachments

5
A Simple Hack
  • Hacker scans a random network with NMAP
  • Bad luck! It happens to be yours
  • Hacker discovers a website with sensitive
    information stored on it
  • Hacker uses the sensitive information, e.g. user
    names and passwords, to begin cracking the network
  • Hacker gains access to the network after a few
    weeks of brute force attacks
  • Hacker finds an unpatched Windows XP machine and
    plants malware on it
  • Hacker finds the backup copy of the SAM password
    database in C:\Windows\repair\sam and cracks the
    local admin password
  • Hacker tries the local admin password on another
    machine; it is usually the same across an
    organization
  • A lot of information can be gathered, including
    server names and addresses, access to email, etc.
  • You are p0wned!

6
More Advanced Techniques
  • Hacker scans the network and finds services
    available over the Internet
  • Only HTTP (TCP port 80) on one server is open to
    the Internet; the stateful firewall lets traffic
    out only for already established connections
  • Hacker uses a crafted MetaSploit module, built
    from information gleaned from Milw0rm, to
    compromise the server and install Netcat
  • Hacker tunnels traffic over the permitted port
    using Netcat listening on the HTTP port, so the
    connection looks like web traffic and the
    outbound firewall rules are bypassed
  • From here, proceed as in the simple hack above
  • You are p0wned!

7
Anatomy of a Pharming Attack
8
Malware
  • Trojans
  • Usually downloaded and run by the user
  • Do not self-replicate
  • Send information out from the compromised host
    and also listen for inbound connections
  • Worms
  • Can be downloaded or can self-replicate
  • Usually attack widely exposed services, such as
    HTTP and SQL
  • Can reside only in memory, i.e. no file is
    resident on the hard disk

9
Threats
  • Internal Threats
  • Disgruntled Employees
  • Can be very dangerous if technically savvy
  • Usually steal or remove information; sabotage
    with a logic bomb
  • No outbound traffic filtering
  • Web filtering
  • Email filtering
  • Instant Messaging
  • P2P (Peer to Peer) file sharing
  • Unauthorized Wireless Access Points
  • Credential Sharing
  • Unpatched or Misconfigured machines

10
There is some Hope!
  • A well designed network can mitigate many types
    of risks and threats
  • Controls and Monitors
  • Policies and Procedures
  • May include audits and Penetration Tests
  • Some network designs are legally mandated
  • HIPAA http://www.cms.hhs.gov/HIPAAGenInfo/
  • Healthcare industry
  • Sarbanes-Oxley (SOX, often called SARBOX)
  • Publicly traded companies (financial reporting
    controls)
  • Some are Industry Standards
  • PCI DSS https://www.pcisecuritystandards.org/
  • Payment card industry
  • NIST http://www.nist.gov/index.html

11
Controls and Monitoring
  • Controls allow or disallow traffic or access.
    Controls require little or no human intervention.
    Controls can be dangerous, configure with care!
  • Examples
  • Firewalls allow or block traffic according to a
    configured Access Control List (ACL). Firewalls
    typically block traffic from the Internet into a
    private network
  • Application Firewalls look inside the data being
    sent, determine whether the packet is permitted,
    and then take the configured action. e.g. a web
    filter such as Websense can block whole categories
    of sites, such as hate sites
  • Antivirus software can remove existing malware
    and/or stop malware from changing the
    configuration of the machine
  • Intrusion Prevention Systems look for known
    evil packets and block them
  • Log Monitoring can show when an event occurred,
    and show trends over time, e.g. Splunk

12
Policies and Procedures
  • Policies require human intervention to work
    (unlike controls)
  • Effective Policies and Procedures need to be
    known by the users they apply to and backed by
    management
  • Policies and Procedures can have legal
    ramifications
  • A Procedure implements a Policy
  • Examples
  • Least Privilege
  • Web Usage Policies
  • Disaster Recovery Procedures
  • User creation, change and deletion procedures

13
Basic Secure Network Design
  • Firewall traffic between different Security Zones
  • All machines in one zone share one network access
    policy
  • To cross from one zone to another, traffic must
    pass through an ACL
  • Separate network (DMZ) for Internet-facing servers
    such as web servers, with ACLs controlling which
    internal servers (e.g. database servers) the DMZ
    may reach
  • Typical office machines do not have direct
    access to sensitive servers unless required
  • Monitor traffic
  • Unauthorized or odd traffic is flagged for
    review
  • A packet containing 10,000 'A's is probably a
    buffer overflow attempt
  • Investigate repeated denies on an ACL from a
    particular host
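The zone model on this slide, written out as a default-deny rule table. This is an added example and not part of the presentation; the zone address ranges (RFC 5737 and private space), the host addresses WEB_SERVER and PATCH_SERVER, and the ports are assumptions chosen for illustration, and a real firewall would carry the same rules as its ACL.

```python
"""Zone-based firewall policy as a default-deny rule table.

Added example, not from the presentation. Zone ranges, host addresses and
ports below are assumptions chosen for illustration, not a real network.
"""
import ipaddress
from dataclasses import dataclass

# Every address falls into exactly one zone; "internet" is the catch-all.
ZONES = {
    "dmz":      ipaddress.ip_network("192.0.2.0/24"),  # Internet-facing web servers
    "internal": ipaddress.ip_network("10.10.0.0/16"),  # database, mail, AD servers
    "office":   ipaddress.ip_network("10.20.0.0/16"),  # staff workstations
}

WEB_SERVER = "192.0.2.10"    # assumed: the one DMZ host allowed to reach the database
PATCH_SERVER = "10.10.0.5"   # assumed: the one internal host allowed out to the Internet


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_ports: frozenset                 # TCP destination ports this rule permits
    src_hosts: frozenset = frozenset()   # empty means any host in src_zone


# The ACL: anything not matched here is denied.
RULES = [
    Rule("internet", "dmz", frozenset({80, 443})),                        # public web
    Rule("dmz", "internal", frozenset({1433}), frozenset({WEB_SERVER})),  # web -> SQL only
    Rule("office", "dmz", frozenset({80, 443})),                          # staff use the site
    Rule("office", "internal", frozenset({25, 389, 445})),                # mail, AD, file shares
    Rule("office", "internet", frozenset({80, 443})),                     # browsing
    Rule("internal", "internet", frozenset({80, 443}), frozenset({PATCH_SERVER})),
]


def zone_of(ip: str) -> str:
    """Map an address to its security zone; unknown space is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'allow' or 'deny' for a new TCP connection src -> dst:port."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "allow"           # intra-zone traffic never crosses the firewall
    for rule in RULES:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and dst_port in rule.dst_ports
                and (not rule.src_hosts or src_ip in rule.src_hosts)):
            return "allow"
    return "deny"                # default deny: no matching rule


if __name__ == "__main__":
    checks = [
        ("203.0.113.7", WEB_SERVER, 443),     # Internet -> web server: allow
        ("203.0.113.7", "10.10.0.20", 1433),  # Internet -> database: deny
        (WEB_SERVER, "10.10.0.20", 1433),     # web server -> database: allow
        ("192.0.2.11", "10.10.0.20", 1433),   # other DMZ host -> database: deny
        (WEB_SERVER, "10.20.0.50", 445),      # compromised DMZ host -> office: deny
        (WEB_SERVER, "203.0.113.7", 80),      # DMZ reverse connection out: deny
        ("10.20.0.50", "10.10.0.20", 1433),   # office PC -> database directly: deny
    ]
    for src, dst, port in checks:
        print(f"{src:>14} -> {dst:>12}:{port:<5} {evaluate(src, dst, port)}")
```

The sixth check is the egress scenario from slide 6: with no rule from the DMZ out to the Internet, a Netcat connection initiated by the compromised web server is dropped. The attacker's answer on that slide is a listener on the already-open inbound port 80, which this ACL cannot tell apart from web traffic; that is what the monitoring bullets on the same slide are for.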

14
Basic Secure Network Design
  • IPS events should be reviewed
  • Trend analysis: over time engineers become
    familiar with what normal traffic looks like
  • Can correlate information from multiple sensors
    to discover coordinated attacks
  • IPS needs to be tuned, and automatically denying
    traffic can be dangerous (a false positive blocks
    legitimate users), use with care!
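The log review described on this slide and the previous one, as an added example that is not from the presentation: it parses firewall deny/allow lines, counts ACL denies per source host, correlates denies across sensors to spot one source sweeping several zones, and checks a payload for the long run of identical bytes the previous slide calls out. The log format, sensor names and addresses are constructed for this example and do not correspond to any vendor's format.

```python
"""Review ACL denies and suspicious payloads from firewall/IPS logs.

Added example, not from the presentation. The log format below is invented
for this demonstration and the sample lines are constructed, not captured.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample: one Internet host probing both the DMZ and the office
# zone, a second host probing once, one internal PC trying the database.
SAMPLE_LOG = """\
2009-03-01T10:00:01 fw-dmz DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2009-03-01T10:00:02 fw-dmz DENY src=203.0.113.7 dst=192.0.2.10 dport=23
2009-03-01T10:00:02 fw-dmz ALLOW src=198.51.100.4 dst=192.0.2.10 dport=443
2009-03-01T10:00:03 fw-dmz DENY src=203.0.113.7 dst=192.0.2.10 dport=135
2009-03-01T10:00:03 fw-dmz DENY src=203.0.113.7 dst=192.0.2.10 dport=139
2009-03-01T10:00:04 fw-dmz DENY src=198.51.100.4 dst=192.0.2.10 dport=3389
2009-03-01T10:00:05 fw-office DENY src=203.0.113.7 dst=10.20.0.50 dport=445
2009-03-01T10:00:06 fw-office DENY src=203.0.113.7 dst=10.20.0.51 dport=445
2009-03-01T10:00:07 fw-office DENY src=10.20.0.50 dst=10.10.0.20 dport=1433
this line is corrupt and must be skipped, not crash the review
"""


def parse(text: str) -> list:
    """Return one dict per well-formed line; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            event = m.groupdict()
            event["dport"] = int(event["dport"])
            events.append(event)
    return events


def deny_counts(events: list) -> Counter:
    """Number of ACL denies per source address."""
    return Counter(e["src"] for e in events if e["action"] == "DENY")


def noisy_sources(events: list, threshold: int = 5) -> list:
    """Sources with at least `threshold` denies: investigate these."""
    return sorted(src for src, n in deny_counts(events).items() if n >= threshold)


def correlated_sources(events: list, min_sensors: int = 2) -> list:
    """Sources denied on several sensors at once: a coordinated sweep."""
    sensors = defaultdict(set)
    for e in events:
        if e["action"] == "DENY":
            sensors[e["src"]].add(e["sensor"])
    return sorted(src for src, seen in sensors.items() if len(seen) >= min_sensors)


def longest_run(payload: bytes) -> int:
    """Length of the longest run of one repeated byte value."""
    best = run = 0
    for i, b in enumerate(payload):
        run = run + 1 if i and payload[i - 1] == b else 1
        best = max(best, run)
    return best


def looks_like_overflow(payload: bytes, min_run: int = 1000) -> bool:
    """A long filler run (e.g. thousands of 'A's) is a classic overflow sign."""
    return longest_run(payload) >= min_run


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("denies per source:", dict(deny_counts(events)))
    print("noisy sources:", noisy_sources(events))
    print("seen on several sensors:", correlated_sources(events))
    probe = b"GET /" + b"A" * 10000 + b" HTTP/1.0"
    print("overflow-looking payload:", looks_like_overflow(probe))
```

The single deny from 10.20.0.50 to the database is left alone by both rules: one blocked connection from an office PC is far more likely a misconfigured client than an attack, which is the kind of judgement the slide says comes from knowing what normal traffic looks like.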

15
Basic Secure Network Design
  • Host based protection for Servers and
    Workstations
  • Active Directory Group Policies
  • Harden machines against e.g. Denial of Service
    (DoS)
  • LaBrea tarpit hosts, which slow down scanners
    and worms
  • Windows Firewall
  • Can turn off NetBIOS, LDAP etc. via policy
  • Antivirus
  • Also useful for alarms and backtracking outbreaks
  • Host Based IPS
  • Also useful for alarms and backtracking outbreaks
  • Knowledgeable users!!!!!!

16
Testing Security-Assessment
  • Network Security Assessment
  • Find every host
  • Find vulnerabilities
  • Test fail-over scenarios
  • Review logs and event handling
  • Check compliance with stated policy, e.g.
    password expiration

17
Testing Security-Penetration Test
  • Exploit discovered vulnerabilities, so every
    finding is confirmed (no false positives)
  • Can find cracks in the security design, e.g.
    unencrypted admin passwords used to access the
    patch server, which is not normally monitored;
    can find flaws in web applications
  • Also tests incident response
  • Can be Black Box, White Box or Grey Box
  • Black Box: target staff are unaware and no
    information is supplied to the pen tester
  • White Box: pen tester and target cooperate
    fully, with full information shared
  • Grey Box: some information is shared between pen
    tester and target

18
Q&A
  • Questions?