Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Registry Operations Framework Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.

Published bySpencer Walters Modified over 9 years ago

Similar presentations

Presentation on theme: "Secure Registry Operations Framework Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile."— Presentation transcript:

1 Secure Registry Operations Framework Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile

2 Overview The Secure Operations Framework Establishing a Baseline Monitoring & Detecting Attacks Analyzing Attacks Responding to & Recovering from Attacks Prioritizing Actions 2

3 Secure Operations Framework A Process for Conducting Secure Operations Within Your Registry 3 Monitor Detect Respond Recover Analyze Baseline

4 Secure Operations Framework Viewed as a Timeline: 4 BaselineMonitor DetectAnalyzeRecoverRespond Do This Before This Your Detection Time May Vary ATTACK Quick! Stop Effect Prevent

5 Establishing a Baseline Secure Operations BEGIN with an understanding of your network -> a Baseline! To Establish a Baseline – You Need to Understand: – Architecture – Traffic – People – Processes – Vulnerabilities 5 “If you know the enemy and know yourself you need not fear the results of a hundred battles”

6 Establishing a Baseline Architecture Baseline – Hosts, Services, Ports, Connections, Addresses This is frequently a network architecture diagram, but could be a text document, or part of your network monitoring solution 6

7 Establishing a Baseline Architecture Baseline – Document your host configurations, operating systems, applications, versions, etc Ideally you want something you can reference quickly during attack analysis… – e.g. Can you quickly answer the question: 7 “Is my web server vulnerable to the latest Apache vulnerability?”

8 Establishing a Baseline Architecture Baseline Tools – Visio – Paper / Pencil! – NAGIOS, OpenNMS, HP Openview, etc Lots of tools available – the hardest part is actually doing it! 8

9 Establishing a Baseline Traffic Baseline – What kind, how much, source / destination, and usual time This is more difficult to capture but is critical to determining if something is expected or not 9

10 Establishing a Baseline External Traffic Baseline – How much traffic (packets per second, megabits per second, etc) is “normal” on your external links? – What kind of traffic to external servers (e.g. do you normally have SSH connections to your DNS servers?) Internal Traffic Baseline – Which hosts or applications communicate? – What protocols do they use? – How much traffic do they produce? – When do they do it? 10

11 Establishing a Baseline Traffic Baseline – Again, ideally, you will have this information readily available during the analysis phase – For example, can you easily answer the question: 11 “Is a SSH connection to my DNS server at 0330 on a Saturday normal?”

12 Establishing a Baseline Traffic Baseline Tools – NetFlow – Wireshark – Tcpdump – Iperf, dnsperf Again, lots of tools available, the hard part is not only capturing the baseline traffic, but putting it into a format you can reference – Graphing and statistical analysis tools can help here! SmokePing, NetFlow Analyzer 12

13 Establishing a Baseline People Baseline – How do your customers interact with your network? Web application for processing registration? Do you typically see people login at 0330? – How do your administrators interact with your network? What hosts do they connect to, what protocols do they use, when do they do it? – How do your local users interact with your network? What hosts are they _supposed_ to be on, what hosts do they communicate with, when? – How do your external users interact with your network? What servers do they connect to, what protocols? 13

14 Establishing a Baseline People Baseline – Again, ideally, you will have this information readily available during the analysis phase – For example, can you easily answer the question: 14 “Should User Jane be Connecting to Users Bob’s Computer at 0330 on Saturday?”

15 Establishing a Baseline People Baseline “Tools” – Personnel Interviews How does Bob usually do his job via the network? – Administration & User Policies Set policy to guide your administrators and users in what they should and should not do – Understand Your Customers How do you interact with your customers? How do your customers interact with you? 15

16 Establishing a Baseline Processes Baseline – Processes typically fuse people and technology – Even though the people and technology may not have issues, the processes that pull them together might – Processes can be: Business oriented (e.g. processing user registration updates) Operational (e.g. responding to a DDoS attack) What processes do you have that interact with your network at one point or another? 16 DISCUSSION

17 Establishing a Baseline Process Baseline – Creating a baseline of your processes requires an understanding of what you do and how you do it! – Again, information should be readily accessible: Can you easily answer this question: 17 “A new vulnerability was found in our database – what do we need to stop doing until it is patched?”

18 Establishing a Baseline Process Baseline “Tools” – Understand your critical business functions and what’s required to provide those functions – Walkthroughs & Reviews – Personnel Interviews & Surveys – See the “Attack & Contingency Planning Course” 18

19 Establishing a Baseline Vulnerability Baseline – Vulnerabilities in Operating Systems & Applications – Vulnerabilities in Your Business or Operational Processes Processing registrations, responding to cyber attacks, etc – Vulnerabilities in Your People Susceptible to phishing scams The procedural or people vulnerabilities are often easier to take advantage of: – e.g. do you require validation for updating registrations? Why hack the name server or registry database, when a simple “update” form would work? 19

20 Establishing a Baseline Vulnerability Baseline – To determine technical vulnerabilities, use automated tools – To determine procedural vulnerabilities, think like a “bad guy” You MUST make the risk decision on fixing vulnerabilities – You may determine that a vulnerability is an acceptable risk! Better that you KNOW about vulnerabilities than not Again, quick reference during analysis is critical: – e.g. Can you quickly answer the question: 20 “Can this attack take advantage of the vulnerability in our automated registry processing systems?” Know Your Enemy…

21 Establishing a Baseline Vulnerability Baseline Tools – Nessus, LanGuard, SuperScan, Retina – Process Walkthroughs Take each of your critical processes and step through them attempting to identify weaknesses – Network Defense Exercises Test your network operators to determine how effective they are responding to cyber attacks Can your operators see attacks, can they analyze and respond quickly? 21

22 Establishing a Baseline Other Sources of Baseline Information: 22 Senior Management Business Area Managers & Process Owners Technicians & Support Staff Important assets Perceived threats Security requirements Current security practices Organizational vulnerabilities How Can Your Network Fail?

23 Monitoring & Detecting Attacks Regardless of the monitoring tools you use, you _MUST_ have a baseline to compare it to, otherwise, you are fighting blind 23 Once You Have a Baseline – You Can Differentiate “Normal” From “Trouble”

24 Monitoring & Detecting Attacks Monitoring is the notion of having insight into your network and viewing its current (and past) status and performance Detecting attacks requires monitoring your network and a comparison of what you see to what is expected 24

25 Monitoring & Detecting Attacks Network monitoring is best accomplished with automated tools – but can be done manually (not recommended!) You must install, configure and operate monitoring tools on your network - without them, how do you know something is happening? – Yes - phone calls from customers are a monitoring tool! There are many, many tools out there – the challenge is to find those that: 1)Capture the right data 2)Shows that data to you effectively 3)Allows your operation to detect and respond to attacks – Personal preference plays a critical part in this – if you’re not comfortable with a tool – there’s probably another one! 25

26 Monitoring & Detecting Attacks The tools presented in this course, while not the only ones out there, are recommended for their particular task These tools were selected to give you the most “bang for the buck” Your particular operation may require something else – YOU must spend due diligence in selecting the right tools for your situation 26

27 Analyzing Attacks Analyzing an attack is the notion of gaining an understanding of what’s going on and the extent of the attack – What critical business functions are affected – What hosts, applications, or services are affected – Who is doing it – What type of attack is it? – How is it being done? Arm yourself with the information necessary to develop an effective response to the problem 27

28 Responding to Attacks Based on your analysis from the previous step, take action! You DO have choices here: – Stop the attack -> Stops the effect – Stop the effect, but not the attack – Ride it out and suffer the effects Which strategy you chose depends on your response capabilities, your priorities, and your plan! 28

29 Responding to Attacks Your Plan? – You _DO_ Have a Plan Right? Establishing basic actions prior to an attack will allow you to focus on response actions, not the determination of what to do… Your contingency response plans should include how to respond to cyber attacks! – See Attack & Contingency Response Planning 29

30 Responding to Attacks This course focuses on the technical response to attacks – but don’t forget your customers, the media, and the public! Part of an effective response strategy must incorporate crisis communication procedures – Consider Communicating: Fact of the disruption or status update Basic steps being taken Estimated impact or down time – See the Attack and Contingency Planning Workshop 30

31 Responding to Attacks The toughest job might be handling the media! 31

32 Recovering From Attacks Recovery steps are those taken after the attack is over, or at least the effects mitigated – Are there any lasting effects which need to be handled? – How would you prevent this from happening again? – What would you do differently next time? May make you reconsider risk decisions – Do we need to shut down that service permanently? – Do we need a new firewall? – Do we need to train our administrators to respond? 32

33 Prioritizing Actions Understand your critical business functions Understand the big picture of what’s going on Take action based on responding and recovering what’s most important to your business – Avoid “Building a $10,000 fence around a stack of quarters” 33

34 Balancing Ops & Security You Need to Balance Daily Ops & Security A Recommendation – Make Security Part of Ops How Much Security you Do Depends on Your Situation? – Security is necessary – but is a black hole and will take everything you can give to it! – Tune your sensors to provide only the amount of information that you can handle – most sensors default to “overwhelm” Security Budgeting – Convince management of the risk through monitoring & analysis – Security takes a constant investment – roll this into your network admin costs when it comes to budget time 34 How Many of Your IT Positions are Dedicated to Security?

35 QUESTIONS? 35 ? Do you have any questions about … –Cyber Threats –Motivations –Remediation Strategies

Download ppt "Secure Registry Operations Framework Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile."

Similar presentations

Introduction To The Course Network Architecture Hervey Allen Chris Evans Phil Regnauld September 3 - 4, 2009 Santiago, Chile.

Introduction To The Course Network Architecture Hervey Allen Chris Evans Phil Regnauld September 3 - 4, 2009 Santiago, Chile.
Cyber Attack Scenario Overview Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.

Cyber Attack Scenario Overview Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say.

Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Risk Management Vs Risk avoidance William Gillette.

Risk Management Vs Risk avoidance William Gillette.
Network security policy: best practices

Network security policy: best practices
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Introduction to Network Defense

Introduction to Network Defense
Sam Cook April 18, 2013. Overview What is penetration testing? Performing a penetration test Styles of penetration testing Tools of the trade.

Sam Cook April 18, Overview What is penetration testing? Performing a penetration test Styles of penetration testing Tools of the trade.
1 Network Quarantine At Cornell University Steve Schuster Director, Information Security Office.

1 Network Quarantine At Cornell University Steve Schuster Director, Information Security Office.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,

Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,
November 2009 Network Disaster Recovery October 2014.

November 2009 Network Disaster Recovery October 2014.
Cyber Security Audit and Network Monitoring P.D. Mynatt Doug Brown March 19 th 2015.

Cyber Security Audit and Network Monitoring P.D. Mynatt Doug Brown March 19 th 2015.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.

Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.
11 SECURITY TEMPLATES AND PLANNING Chapter 7. Chapter 7: SECURITY TEMPLATES AND PLANNING2 OVERVIEW  Understand the uses of security templates  Explain.

11 SECURITY TEMPLATES AND PLANNING Chapter 7. Chapter 7: SECURITY TEMPLATES AND PLANNING2 OVERVIEW  Understand the uses of security templates  Explain.

Similar presentations

Ads by Google