Wednesday, October 13, 2004

NCSA meeting about Securing your Infrastructure 

The other day I attended the monthly North Carolina System Administrators' meeting, at which Tim Crofton, Manager for Security Consulting from NEC Unified Solutions, Inc. gave a presentation entitled "Crossing the Bridge Before you come to it. Securing Your Infrastructure."

According to the speaker, NEC Unified Solutions is a subsidiary of NEC America and was formed in Jan 04. It is a business and professional consulting organization. On 10/28 they are going to hold an open house at their Blue Ridge Road offices.

Following are the notes that I took during this meeting:

Overview:
Network risk basics
Risk and Vulnerabilities
Risk Assessment


- Over the years, hacker tools have become more sophisticated and the technical knowledge required has decreased drastically.

- No business is without risk.

Loss factors
- Most organizations don't know they're being hacked.
- 55% of respondents report unauthorized access by insiders
- 26% reported theft of proprietary information.
- 80% of all illegal access occurs within the organization by an employee.
(Source: FBI / Computer Security Institute)

- This often happens when employees are fired and their access is not removed.
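As an added illustration (not from the presentation), the following is a reconciliation check a defender can run to catch exactly the case the speaker describes: terminated employees whose accounts were never disabled, and sign-ins that occurred after the termination date. The HR roster and account export are constructed sample data; the column names and the Finding type are assumptions.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample HR roster (hypothetical data, not from the meeting).
HR_CSV = """employee_id,name,status,termination_date
1001,Alice Example,active,
1002,Bob Example,terminated,2004-09-15
1003,Carol Example,terminated,2004-10-01
1004,Dave Example,active,
"""

# Constructed sample account export: enabled flag and last login per account.
ACCOUNTS_CSV = """username,employee_id,enabled,last_login
alice,1001,true,2004-10-12
bob,1002,true,2004-10-05
carol,1003,false,2004-09-30
svc_backup,,true,2004-10-11
"""

@dataclass
class Finding:
    username: str
    reason: str

def parse_date(s):
    return date.fromisoformat(s) if s else None

def audit_access(hr_csv, accounts_csv, as_of):
    """Flag accounts that should have been removed (or show post-termination use)."""
    hr = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        enabled = acct["enabled"].lower() == "true"
        emp = hr.get(acct["employee_id"])
        if emp is None:
            if enabled:  # nobody in HR owns this account; needs an owner or removal
                findings.append(Finding(acct["username"], "enabled account with no HR owner"))
            continue
        term = parse_date(emp["termination_date"])
        if term is None or term > as_of:
            continue  # still employed as of the audit date
        if enabled:
            days = (as_of - term).days
            findings.append(Finding(acct["username"], f"still enabled {days} days after termination"))
        last = parse_date(acct["last_login"])
        if last and last > term:  # actual use of access that should not exist
            findings.append(Finding(acct["username"], f"logged in on {last} after termination on {term}"))
    return findings

if __name__ == "__main__":
    for f in audit_access(HR_CSV, ACCOUNTS_CSV, date(2004, 10, 13)):
        print(f"{f.username}: {f.reason}")
```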

- Convergence between different systems is taking place, and it becomes an issue for security.


Asset protection considerations:
- Paranoid is good
- Technology alone will not make you safe
- Identify your weakness
- Know your enemy
- Always be ready for the worst case scenario


Before staging your strategy:
- Define what is important to protect
- Categorize threats
- Identify vulnerabilities
-- Vulnerabilities are not just technical: social engineering, etc.
- Identify the risk
- Build a roadmap


Issues to keep in mind:
- Recognize that traditional TCP/IP risk management principles apply.
- Establish acceptable levels of risk for the environment.
- Don't forget that you are living in a common and open environment.
- Recognize that enterprise infrastructure risk exposes the environment.
- Identify pre-existing environment vulnerabilities.


Where do you start?
- Design a plan!! Build it around pre-existing, industry-recognized standards for managing technology risk that relate to your business:
ISO 17799
BS 7799
GLB
Sarbanes-Oxley
HIPAA
EHNAC
Common Sense!!!

- Adopt a risk management model
-- Monitor - Validate & Test - Implement - Monitor, etc.

- Identify vulnerabilities:
-- Perform a network security assessment to canvass the entire enterprise
-- Includes social engineering, war driving, information security policies and procedures, security architecture and infrastructure, authentication, etc.
- People, process, systems, networks, applications, physical protections

- The presenter thinks that grinding hard disks is more cost-effective than, and preferable to, data wiping (!!)

- Often it's the low tech and not the high tech systems that are the most exploitable.

- Most important part of designing plan is to provide for security awareness.


Assessment approach
- Look at the enterprise as a "system"
- Remember that security is a "process"
- Don't overlook business culture weakness
- Don't forget that you can control system configuration...but you cannot control people.
- Don't focus on technology alone.
- Don't cross the bridge until you come to it.


- Review all policies, templates and procedures
- Review all system management practice
- Check all configuration settings based on policies
- Port scan all TCP/IP devices
- Discover vulnerabilities


Assessment tools
- use a combination of:
commercial tools
freeware
manual processes


Do it yourself or hire someone?
Hire someone:
Advantage: experience, a better toolkit, and the assessment will most likely be more comprehensive and timely.
Disadvantage: cost.

DIY:
Advantage: you gain some experience and insight.
Disadvantage: cost; you may need to hire someone anyway due to regulatory compliance directives.

- If you do it yourself, make sure to have written buy-in from management all the way up the food chain. Otherwise you leave yourself vulnerable to criminal prosecution.


What you should get when it's all said and done:
- Make sure deliverables include a vulnerability reduction plan.

- Security gap analysis
- Vulnerability reports
- Recommendations
-- Turn these into a vulnerability reduction plan.


VoIP phones (soft phones) are **just as vulnerable** as other TCP/IP devices

Integrate a "holistic" plan approach

- Configure firewall logging
- Device security
- practice robust log management
- monitor voice server integrity (in case of VoIP)
- exercise control over eavesdropping, if possible.

If all else fails, find out what went wrong:
- Do forensics

Vulnerability reduction strategy


Remember: Nothing is more expensive than an incident!!

