Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions August 25, 2014 DRAFT1.

Presentation transcript:

Chapter 12: Large Enterprise Cyber Security – Data Centers and Clouds

Critical Security Controls
Controls are security requirements; there are over 200, with thousands of sub-controls, in NIST SP. But which controls are the most important? Luckily, security experts formed a consensus on the top 20 most critical controls, from organizations including:
  – SANS Institute
  – National Security Agency
  – US Cyber Command
  – McAfee
  – US Department of Defense
  – Lockheed Martin
  – commercial pen testing firms
  – and many others
The Critical Controls are based upon the actual threats experienced by large enterprises. The US State Department and Idaho National Laboratories (SCADA R&D) validated that these controls address the real threats.
8/25/2014 DRAFT2 Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

Critical Security Controls 2
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4: Continuous Vulnerability Assessment and Remediation
5: Malware Defenses
6: Application Software Security
7: Wireless Device Control
8: Data Recovery Capability
9: Security Skills Assessment and Appropriate Training to Fill Gaps
10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11: Limitation and Control of Network Ports, Protocols, and Services
12: Controlled Use of Administrative Privileges
13: Boundary Defense
14: Maintenance, Monitoring, and Analysis of Audit Logs
15: Controlled Access Based on the Need to Know
16: Account Monitoring and Control
17: Data Loss Prevention
18: Incident Response and Management
19: Secure Network Engineering
20: Penetration Tests and Red Team Exercises

Solving Key Threat/Vuln Antipatterns using the Critical Controls
The Critical Controls document identifies the top threats and vulnerabilities behind real-world cyber attacks.
We have used these threats and vulnerabilities to compile an antipatterns catalog.
  – The catalog shows how the Top 20 Controls proactively address the most prevalent threats and vulnerabilities.

Threat/Vuln Antipatterns
1. Scanning Enterprise IP Address Range
2. Drive-By-Malware
3. Unpatched Applications in Large Enterprises
4. Internal Pivot from Compromised Machines
5. Weak System Configurations
6. Unpatched Systems
7. Lack of Security Improvement
8. Vulnerable Web Applications and Databases
9. Wireless Vulnerability
10. Social Engineering
11. Temporary Open Ports
12. Weak Network Architectures
13. Lack of Logging and Log Reviews
14. Lack of Risk Assessment and Data Protection
15. Data Loss via Undetected Exfiltration
16. Poor Incident Response – APT
17. Cloud Security
18. New Governance and QA for Cloud Computing

Scanning Enterprise IP Address Range
Most large enterprises have IP address blocks that are public information, e.g. via Internet registries.
Malicious actors scan these ranges to find vulnerable machines.
  – When machines first appear on the net, they are often unpatched, e.g.:
    – A brand new system using a dated image from CD
    – A system that has been turned off and unpatched for a while
    – A system that is not being managed or patched
Partial Solution: Control 1, Inventory of Authorized and Unauthorized Devices
  – Control and change management of devices on the network can address the threats/vulns in this antipattern.
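The Control 1 reconciliation this slide calls for, as an added example that is not from the book: observed devices (say, from a DHCP lease or ARP export) are compared against the authorized inventory, flagging devices that are not inventoried, inventoried devices that are not seen, and authorized devices whose recorded patch date is stale (the "dated image" and "turned off for a while" cases). All MACs, hosts and dates are constructed.

```python
"""Control 1 check: reconcile devices seen on the network with the authorized inventory.
Added example; inventory and observations below are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed authorized inventory: MAC -> (hostname, owner, date last patched)
AUTHORIZED = {
    "00:11:22:33:44:01": ("fs01", "infra", date(2014, 8, 12)),
    "00:11:22:33:44:02": ("ws-alice", "sales", date(2014, 3, 1)),
    "00:11:22:33:44:03": ("db02", "infra", date(2014, 8, 20)),
}

# Constructed observations, in the shape of a DHCP lease or ARP table export: (mac, ip)
OBSERVED = [
    ("00:11:22:33:44:01", "10.0.1.10"),
    ("00:11:22:33:44:02", "10.0.2.55"),
    ("aa:bb:cc:dd:ee:ff", "10.0.2.99"),  # never entered into the inventory
]


@dataclass(frozen=True)
class Finding:
    mac: str
    ip: Optional[str]   # None when the device was inventoried but not observed
    reason: str


def reconcile(authorized, observed, today, max_patch_age_days=30):
    """Return findings in three classes: unauthorized (seen, not inventoried),
    stale (inventoried but last patched more than max_patch_age_days ago) and
    missing (inventoried but not seen, which is itself an inventory error)."""
    findings = []
    seen = set()
    for mac, ip in observed:
        seen.add(mac)
        if mac not in authorized:
            findings.append(Finding(mac, ip, "unauthorized: not in inventory"))
            continue
        host, _owner, patched = authorized[mac]
        if today - patched > timedelta(days=max_patch_age_days):
            findings.append(Finding(mac, ip, f"stale patch level on {host} ({patched})"))
    for mac, (host, _owner, _patched) in authorized.items():
        if mac not in seen:
            findings.append(Finding(mac, None, f"inventoried {host} not seen on network"))
    return findings


def inventory_report(today=date(2014, 8, 25)):
    """Run the reconciliation on the constructed data for a fixed review date."""
    return reconcile(AUTHORIZED, OBSERVED, today)


if __name__ == "__main__":
    for f in inventory_report():
        print(f"{f.mac:18} {f.ip or '-':12} {f.reason}")
```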

Drive-By-Malware
Malicious websites can infect a machine that simply visits that website via a browser.
Partial Solution: Controls 2 and 3
  – Secure configurations assure that non-zero-day threats could be stopped.
  – Eliminating unauthorized software could reduce the attack surface.

Unpatched Applications in Large Enterprises
A typical large enterprise end user could have hundreds of different vendor and open source applications.
  – Keeping these applications patched is a nearly impossible task.
Controls 2, 4
  – Eliminating unauthorized software enables the enterprise to focus on patching a limited set.
  – Continuous vuln assessment and remediation enables the enterprise to discover and patch applications automatically and rapidly.

Internal Pivot from Compromised Machine
Once an enterprise is penetrated, attackers expand their footprint through pivots to find new exploitable targets.
Controls 2, 10
  – Unauthorized software should include most security and network tools such as netcat, which are essential for implementing pivots.
  – Hardening network devices minimizes the ability for attackers to penetrate.

Weak System Configurations
Operating systems and commercial applications strive for broad flexibility and ease of use, and thus enable many unnecessary features and services.
  – Unnecessary features and services expand the attack surface.
Controls 3, 10
  – Secure configurations include eliminating unnecessary open ports and services.
  – Network device security can stop access to these vulnerabilities by closing ports at the perimeter.

Unpatched Systems
As new operating system vulnerabilities are announced (e.g. on Patch Tuesday), attackers rush to exploit unpatched machines.
Controls 4, 5
  – Continuous monitoring can quickly discover these vulns and remediate them rapidly.
  – Malware defenses should also be updated on Patch Tuesday, so that these attacks are inhibited.

Lack of Security Improvement
Threats are continually evolving. If security is not being continuously improved, then it is falling behind, and vulns are increasing daily.
Controls 4, 5, 11, 20
  – Network defenses should be constantly up-to-date and evolving with the state of the art.
  – Conscious improvement of limits on ports, protocols and services can improve the security profile.
  – Pen testing is a highly recommended best practice that can reveal latent vulns and weak security strategies.

Vulnerable Web Applications and Databases
Internet-facing applications and databases are exposed to worldwide threats... threats that are escalating daily.
Controls 6, 20
  – Application software security is critical, especially for Internet-facing apps. Web security testing is essential.
  – Pen testing can reveal latent vulns and suggest remediations.

Wireless Vulnerability
Attackers can easily spoof WAPs (the strongest signal wins), and otherwise compromise wireless systems, which operate on the public airwaves.
Control 7
  – Following configuration benchmarks and best practices for managing WAPs and wireless devices is essential for network defense.

Social Engineering
The human element is the most significant vulnerability; scenarios include phishing, pretexting, and USB attacks.
Controls 9, 12, 16
  – End user training for Internet safety is perhaps the most significant improvement an enterprise can make to its security profile.
  – Limiting user privileges prevents over-privileged machines from posing threats.
  – Account monitoring watches for potentially hazardous activities.

Temporary Open Ports
It is common practice to grant requests to open firewall and server ports to support a temporary business activity, e.g. a video teleconference.
  – Few organizations manage the process of re-closing the ports after the need is gone.
This gap leads to an escalating vuln of open ports.
Controls 10, 13
  – Keeping network devices secure includes continuous monitoring and cleanup of changes.
  – Boundary defenses should be hardened and monitored for configuration issues.
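The "continuous monitoring and cleanup of changes" this slide asks for, as an added example that is not from the book: a register of temporary firewall exceptions is reviewed against today's date, reporting openings whose business end date has passed and openings that were granted as temporary without any end date being recorded (the more common failure). The CSV register, rule ids and addresses are constructed.

```python
"""Review of temporary firewall exceptions (Controls 10 and 13).
Added example; the register below is constructed sample data."""
import csv
import io
from datetime import date, datetime

# Constructed register in the shape of a change-management export. "expires" is a
# date, the word "permanent" for standing rules, or empty when nobody recorded one.
REGISTER_CSV = """\
id,port,proto,source,owner,reason,opened,expires
FW-101,3389,tcp,203.0.113.0/24,av-team,vendor VTC support,2014-06-02,2014-06-05
FW-102,5060,udp,198.51.100.0/24,av-team,quarterly all-hands VTC,2014-08-20,2014-08-27
FW-103,8443,tcp,0.0.0.0/0,dev-team,demo for customer,2014-07-14,
FW-104,443,tcp,0.0.0.0/0,web-team,public web site,2014-01-10,permanent
"""


def parse_date(text):
    return datetime.strptime(text, "%Y-%m-%d").date()


def load_register(text):
    """Parse the CSV register into dicts with real dates and a 'permanent' flag."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        exp = row["expires"].strip()
        row["opened"] = parse_date(row["opened"])
        row["permanent"] = exp == "permanent"
        row["expires"] = None if exp in ("", "permanent") else parse_date(exp)
        rules.append(row)
    return rules


def review(rules, today):
    """Return (expired, unbounded). expired: (id, port, days overdue) for rules past
    their end date, which should be closed now. unbounded: ids of temporary rules
    that were never given an end date, which need an owner decision."""
    expired, unbounded = [], []
    for r in rules:
        if r["permanent"]:
            continue
        if r["expires"] is None:
            unbounded.append(r["id"])
        elif r["expires"] < today:
            expired.append((r["id"], int(r["port"]), (today - r["expires"]).days))
    return expired, unbounded


def exception_report(today=date(2014, 8, 25)):
    """Run the review on the constructed register for a fixed review date."""
    return review(load_register(REGISTER_CSV), today)


if __name__ == "__main__":
    expired, unbounded = exception_report()
    for rule_id, port, overdue in expired:
        print(f"close {rule_id}: port {port} open {overdue} days past its end date")
    for rule_id in unbounded:
        print(f"follow up {rule_id}: temporary exception with no end date recorded")
```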

Weak Network Architectures
Focus on Internet perimeter security often leads to neglect of the internal security architecture.
  – For example, machines with restricted data should be encrypted and defended from internal attacks from the rest of the network.
Controls 13, 19
  – Secure network engineering means that internal as well as external defenses are considered.
    – For example, internal network partitions and defenses should be designed to protect the most valuable assets.

Lack of Logging and Log Reviews
It's often said that the network guys with the big fancy video network dashboards miss everything, and the professionals with simple tools watching the logs see what's really happening.
Control 14
  – Log consolidation, log normalization, and frequent log analysis are needed for the network team to understand the network and what's happening on it.
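The consolidation, normalization and analysis step from this slide, as an added example that is not from the book: sshd syslog lines and a Windows Security-log CSV export are normalized into one event schema, merged in time order, and the review then counts failed logons per source address across both systems, which neither log shows on its own. All log lines are constructed; the example assumes both sources already record timestamps in UTC.

```python
"""Log consolidation and normalization (Control 14) over two constructed sources.
Added example; the log lines below are constructed, not captured from a real system."""
import re
from collections import Counter
from datetime import datetime

# Constructed Linux sshd syslog lines (no year in the timestamp, as syslog writes them).
SYSLOG = [
    "Aug 25 10:01:02 web01 sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 4021 ssh2",
    "Aug 25 10:01:09 web01 sshd[1234]: Failed password for root from 198.51.100.7 port 4022 ssh2",
    "Aug 25 10:02:30 web01 sshd[1301]: Accepted publickey for deploy from 10.0.5.4 port 50111 ssh2",
]
# Constructed Windows Security-log CSV export: timestamp, host, event id, account, source ip.
# Event 4624 is a successful logon and 4625 a failed logon.
WINCSV = [
    "2014-08-25T10:01:05Z,dc01,4625,CORP\\bob,198.51.100.7",
    "2014-08-25T10:03:11Z,dc01,4624,CORP\\alice,10.0.2.55",
]

SSH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def normalize_syslog(line, year=2014):
    """Map an sshd auth line to the common schema; syslog omits the year, so it is supplied."""
    m = SSH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    outcome = "failure" if m["outcome"] == "Failed" else "success"
    return {"ts": ts, "host": m["host"], "user": m["user"], "src_ip": m["ip"],
            "outcome": outcome, "source": "sshd"}


def normalize_wincsv(line):
    """Map a Windows logon event row to the common schema; other event ids are dropped."""
    ts, host, event_id, account, ip = line.split(",")
    outcome = {"4624": "success", "4625": "failure"}.get(event_id)
    if outcome is None:
        return None
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "user": account, "src_ip": ip, "outcome": outcome, "source": "windows"}


def consolidate(syslog_lines, wincsv_lines):
    """Merge both sources into one time-ordered event list (assumes both are UTC)."""
    events = [e for e in map(normalize_syslog, syslog_lines) if e]
    events += [e for e in map(normalize_wincsv, wincsv_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def failures_by_source(events, threshold=3):
    """Source addresses with at least `threshold` failed logons across all systems."""
    counts = Counter(e["src_ip"] for e in events if e["outcome"] == "failure")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def login_failure_report():
    return failures_by_source(consolidate(SYSLOG, WINCSV))


if __name__ == "__main__":
    for e in consolidate(SYSLOG, WINCSV):
        print(e["ts"], e["source"], e["host"], e["user"], e["src_ip"], e["outcome"])
    print("review:", login_failure_report())
```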

Lack of Risk Assessment and Data Protection
It is impossible to secure everything, so organizations must identify what needs to be protected and prioritize their defenses.
  – Failure to do so results in a mis-allocated array of defenses that are not protecting the right things.
Controls 15, 17
  – The need to know is a fundamental principle for controlling internal access to sensitive information.
    – Internal threats are potentially more dangerous than external ones: they already know what's very sensitive and where to obtain it, and they have legitimate access privileges.
  – In organizations with restricted data (and most are), DLP is an essential defense against the consequences of data spillage, e.g. fines, costs, loss of customer goodwill.

Data Loss via Undetected Exfiltration
Data is constantly in motion, on mobile devices and on networks.
  – Data is vulnerable to insider threats as well as Advanced Persistent Threats (APT) and common crime such as theft, or even worker negligence.
Control 17
  – DLP proactively seeks out sensitive data and ensures its encryption in motion and at rest, thus preventing future potential exfiltrations.

Poor Incident Response – APT
Typical time from APT penetration to detection by the enterprise is 6 months.
  – Even some of the most savvy companies respond this slowly, e.g. RSA, Google.
Control 18
  – Mature intrusion detection practices, coupled with effective incident response, are essential to protect restricted data, mission critical systems, intellectual property, and competitiveness.

Cloud Security – Introduction
Clouds are massive pools of computing and storage resources.
  – Public Clouds provide outsourcing of scalable computing resources, software applications, and system management.
  – Private Clouds are owned within an organization.
    – Private Clouds are increasingly easy to build with Performance Optimized Datacenter (POD) preconfigured racks.
Why go private? Security. Performance. Control.


How do clouds form? How do clouds work?
Data Storage Clouds
  – Scalable mass storage... automatic backup
  – Data volume escalating, e.g. Large Hadron Collider, MRI/CT, EHR, DNA sequencing, Internet click stream, customer purchases...
Infrastructure/Application Provisioning
  – Scalable outsourcing of computation/applications
Computation Intensive
  – e.g. supercomputing, big data computing

Special Security Implications
In clouds, data and processing migrate across physical, virtual, and organizational boundaries.
Data and applications are aggregated.
  – Increases potential risks from a security breach.
The potential end-user community is expanded.
  – Many more users potentially have access, including malicious insider or external threats.

Security Implications 2
Consolidation into Clouds Can Magnify Risks
Clouds Require Stronger Trust Relationships
Clouds Change Security Assumptions
Data Mashups Increase Data Sensitivity

Cloud Indexing Changes Security Semantics
To aid in search, cloud developers create various indexes into big data collections.
In large enterprises, the big data could be a mashup
  – from multiple applications which originally had security assumptions about who can access and need to know.
  – How can those original security assumptions be translated into a multi-application mashup?
Indexing accelerates access to data with aggregated and/or compromised security assumptions.

Cloud Security Technology Maturity
Virtual servers on virtual networks may be invisible to physical network security devices.
Mobile Code
  – Clouds rely on thin clients (e.g. Internet browsers) which require extensive mobile code to emulate sophisticated end user applications.
  – Code authentication technologies exist but are not widely utilized; introduction of malicious mobile code can go undetected.
Mobile Devices Extend the Cloud to the Edge
  – Increasingly an extension of our enterprises, largely unprotected from malicious software and spoofed access points.

Stovepiped Widgets in the Cloud
Stovepiped Cloud Widgets
  – Developers building cloud applications (i.e. widgets) on top of primitive services (i.e. operating systems, sockets, and databases) are reinventing their own technology stacks and security solutions.
Widget Frameworks
  – Ideally, primitive services should be encapsulated into higher level application services, which:
    – Accelerate development due to the higher level of enterprise-context-specific abstraction, e.g. battlefield simulation services, customer relationship services
    – Embed security solutions in higher level services, so that security does not have to be re-validated from the ground up

New Governance and QA for Cloud Computing
Small-scale widget developers can move code into production without the usual QA checks required of large-scale applications.
Service Oriented Architecture (SOA) approaches are encapsulating legacy applications and making that processing and data available to widget developers.
  – Data access can more easily cross organizational boundaries, creating new governance and security challenges.
IT governance must evolve to address this growing ecosystem.

Review: Chapter Summary