Managing A Secure Infrastructure: Tales From the Trenches - PowerPoint PPT Presentation

Slides: 21
Provided by: stevem71
Transcript and Presenter's Notes

1
Managing A Secure Infrastructure: Tales From the Trenches
November 6, 2003
2
About the Speaker
  • Steve Manzuik, Director, Security-Sensei.Com
  • Founder / Moderator of Vulnwatch.Org
  • Founder of Win2KSecAdvice mailing list
  • Member of nmrc.Org
  • Co-Author of Hack Proofing Your Network
  • Participant, Open Web Application Security
    Project (OWASP.org)
  • Participant, Open Source Vulnerability Database
    (OSVDB.org)

3
Outline
  • Security today
  • Failures in Security
  • Succeed in Security

4
Security Today
  • Vulnerabilities will always exist
  • Typical organizations have made large investments
    in network and security infrastructure
  • Incidents still occur at high rates
  • Past investments do not support the business need
  • Security warnings to upper management are seen as
    the new Y2K hype.
  • It is time for organizations to stop buying the
    latest security toy and actually secure their
    networks.

5
You Have Been Lied To!
  • All the Firewalls and Intrusion Detection devices
    in the world will not protect you.
  • Most organizations do not have a firm grasp of
    their entire infrastructure.
  • Aggressive Firewall configurations prohibit
    business and prohibit productivity.
  • Network Intrusion Detection has limited value in
    most organizations.
  • Security is not a magic black box or application.
  • Security is NOT a black art.

6
Failures in Security
  • Firewalls
  • Intrusion Detection
  • Wall of Shame

7
Expensive Logging Devices: Firewalls
  • "But we have a firewall, we are completely
    protected…"
  • "We have invested in world class firewall
    technologies… we are secure."
  • "Why would we want to block people from getting
    out?"
  • "A hacker would have to break into our firewall
    in order to gain access…"
  • "You mean you have to patch a firewall?"

8
Expensive Confusing Logging Devices: IDS
  • "Well, our IDS didn't see anything wrong…"
  • "There were just too many alerts so I turned it
    off…"
  • "I didn't understand what SHELLCODE x86 NOOP was
    so I ignored it…"
  • "ISS told us that it wasn't possible…"
  • "What do you mean I can't monitor this switch…"
  • "No one watches the console on weekends and
    holidays…"

9
Other Examples: Wall of Shame
  • "Passwords just made implementing the technology
    too difficult for our users…"
  • "What exactly do you mean by audit process?"
  • "We spent 2 million dollars on firewalls and
    other security solutions and 2 thousand dollars
    on testing those systems…"
  • "We don't exactly have a security department but
    Joe in the server group is a hacker so I am sure
    he is taking care of us…"
  • "But our vendor hasn't told us anything about…"
  • "But that is a localhost issue…"

10
What does this all mean?
  • A proper security posture combines people,
    process and technology.
  • Most organizations rely on technology alone, leaving
    their security posture weak and vulnerable.

11
Success in Security
  • The greatest security infrastructures are the
    ones that satisfy the most business needs while
    allowing for uninhibited network communications
    between employees, business partners, vendors,
    and customers.

12
Success in Security
  • Do not let vendors use your fear, uncertainty and
    doubt against you.
  • It is a lot of work, but when approached in a
    logical and calm fashion, Information Security can
    be improved.
  • Never think you are completely secure.

13
Succeed in Security: Awareness
  • All the security in the world can be trumped by
    the double click of an email attachment.
  • If your users are not aware, they are your
    greatest threat.
  • If your Administrators are not educated, they
    are unarmed and unable to be proactive.

14
Succeed in Security: Know Your Assets
  • If you don't know what you have or what it does,
    how do you plan on protecting it?
  • If you don't know your business, how will you
    enable it?
  • Data and system classification is essential.
  • Large organizations must approach security based
    on risk.

15
Succeed in Security: Host Security
  • Secure baseline configurations: the technical
    starting point of a truly secure infrastructure.
  • Thwarting the attacker by leveraging technology
    you already have.
  • Helps improve desktop and server support processes
    and actually reduces long term support costs.

16
Succeed in Security: Monitoring
  • Logical combinations of network and host based
    monitoring can be valuable.
  • Log management is valuable.
  • Technical education is far more valuable than the
    technology itself.
  • Do the right people know when a device is added
    to the network? What about removed?

17
Succeed in Security: Validation
  • Penetration Testing over Vulnerability
    Assessment.
  • Intrusion Detection validation and tuning is
    essential.
  • Firewall rule and configuration validation is
    essential.
  • Don't forget about phones and wireless devices.

18
Succeed in Security: Other Tips
  • Explicit trust is a dangerous game.
  • Users are not malicious for the most part but
    must be protected against themselves.
  • Don't overlook email threats.
  • Don't overlook social engineering threats.

19
Succeed in Security: Other Tips
  • Build a trusted relationship with a security
    consulting organization that is vendor neutral.
  • Observe what other organizations in similar
    industries and of similar size are doing.

20
Closing
  • Questions?
  • Steve Manzuik
  • smanzuik_at_sidc.net
  • steve_at_security-sensei.com