Hacking Exposed 7: Network Security Secrets & Solutions, Chapter 12: Countermeasure Cookbook

Introduction
• Attack-centric view from this book vs. building more secure systems
• Asymmetry of risk management
  – Attacker's advantage, defender's dilemma
• Best countermeasure strategies
  – General strategies
    • Usability vs. security
    • Increase the "cost" of attack
    • (Re)move the asset, separation of duties, AAA (authenticate, authorize, audit), layering, adaptive enhancement, orderly failure, policy and training, simple/cheap/easy
  – Example scenarios
    • Desktop scenarios, server scenarios, network scenarios, web application and database scenarios, mobile scenarios

(Re)move the Asset
• Remove the target of the attack
• Example: database index
  – A website collects personally identifiable information such as a government-issued identification number
    • To more reliably index customers in a database
    • But it is not needed by the business
  – Why not use non-identifiable, randomly generated values as the index?
  – Better than encrypting data that the business does not really need!
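The surrogate-index idea above, as an added example (not from the book or the slides): customers are stored under a random key from the OS CSPRNG, an allowlist of business-needed fields drops the government ID before it ever reaches storage, and a check simulates reviewing a leaked table for anything that looks like such an ID. The field names and the 9-digit ID format are constructed assumptions.

```python
import re
import secrets

# Constructed assumption: only these columns are needed to run the business.
# The government-issued ID is deliberately absent from the allowlist.
NEEDED_FIELDS = frozenset({"name", "email", "shipping_address"})

# Hypothetical format of the ID the site used to collect (9 digits); used only
# by the leaked-table check below.
GOV_ID_PATTERN = re.compile(r"\b\d{9}\b")


class CustomerStore:
    """Keeps customers under a random, non-identifying surrogate key."""

    def __init__(self):
        self.rows = {}

    def register(self, submitted):
        # Data minimisation at the boundary: drop every field not on the
        # allowlist, so the asset never reaches the database at all.
        record = {k: v for k, v in submitted.items() if k in NEEDED_FIELDS}
        # 128 random bits: unguessable and unrelated to the person.
        customer_id = secrets.token_hex(16)
        while customer_id in self.rows:  # collision is practically impossible
            customer_id = secrets.token_hex(16)
        self.rows[customer_id] = record
        return customer_id

    def lookup(self, customer_id):
        return self.rows.get(customer_id)

    def dump_contains_gov_id(self):
        """Simulate reviewing a leaked table: does any value look like a government ID?"""
        return any(GOV_ID_PATTERN.search(str(v))
                   for row in self.rows.values() for v in row.values())


def demo():
    """Register one customer from a constructed web form and return (id, leak_check)."""
    store = CustomerStore()
    form = {"name": "Ada Example", "email": "ada@example.com",
            "shipping_address": "1 Example St", "gov_id": "123456789"}
    cid = store.register(form)
    return cid, store.dump_contains_gov_id()
```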

Separation of Duties
• Prevent, detect, and respond
  – Parallel countermeasures, e.g. host intrusion protection, network intrusion detection, incident response process execution
• People, process, and technology
  – Nature of parallel countermeasures
  – Mix and match the above in a matrix!
• Checks and balances
  – Coordination of duties
  – Ask different accountable persons to work on the same task
    • Preventing collusion: e.g. detection folks & reaction folks
    • Providing checks and balances: e.g. set firewall rules to block access to a vulnerable service

Authenticate, Authorize, Audit
• Know users, limit what they can access, and check access logs
• Off-the-shelf authentication solutions
  – Multifactor solutions: RSA SecurID
  – Online services: Windows Live ID and OpenID
  – Frameworks: OAuth and SAML
• Customized authorization solutions
  – Role-based, claims-based, mandatory vs. discretionary, digital rights management
  – e.g. Microsoft's Mandatory Integrity Control (MIC)
    • Protected Mode Internet Explorer (PMIE): isolate a compromised web browser to a limited set of objects within the user's authenticated session
• Audit on authentication and authorization
  – Who did what to which, when, and how

Layering
• Defense-in-depth or compensating controls
• Linear countermeasures vs. parallel countermeasures
• Layers of the IT stack
  – Physical: secured facility
  – Network: firewall, ACL
  – Host: endpoint software, host-level firewall and antimalware/antivirus
  – Application: patch vulnerabilities
  – Logical: access control on the app's capabilities and data

Adaptive Enhancement
• Turned on and off
• Examples
  – WAF (Web Application Firewall) turned on if a certain vulnerability cannot be patched until the next release
• Reactive compensation
  – Additional challenge factor during authentication if a user logs in less normally than usual
• Predictive compensation
  – Bank of America's SafePass feature for online banking: additional password for mobile devices
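The "reactive compensation" bullet above, as an added example (not from the book or the slides): a per-user profile of past successful logins defines "normal", and a login that deviates from it (new device, rarely seen country, never-seen hour) is answered with a step-up challenge rather than a flat allow or deny. The 5% country threshold and the seven-login history minimum are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    hour: int  # 0-23 in the user's usual timezone (assumption)


@dataclass
class UserProfile:
    """What 'normal' looks like for one user, built from past successful logins."""
    devices: set = field(default_factory=set)
    countries: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)

    def record_success(self, a: LoginAttempt) -> None:
        self.devices.add(a.device_id)
        self.countries[a.country] += 1
        self.hours[a.hour] += 1


def risk_signals(profile: UserProfile, a: LoginAttempt) -> list:
    """Return the ways this attempt deviates from the user's history (empty = normal)."""
    signals = []
    # A brand-new profile has no baseline yet, so the first device establishes it.
    if profile.devices and a.device_id not in profile.devices:
        signals.append("new_device")
    total = sum(profile.countries.values())
    # Constructed threshold: a country seen in under 5% of past logins is unusual.
    if total and profile.countries[a.country] / total < 0.05:
        signals.append("unusual_country")
    # Once we have at least a week of logins, an hour never seen before is unusual.
    if sum(profile.hours.values()) >= 7 and profile.hours[a.hour] == 0:
        signals.append("unusual_hour")
    return signals


def decide(profile: UserProfile, a: LoginAttempt, password_ok: bool) -> str:
    """The adaptive decision: deny, allow, or demand an additional challenge factor."""
    if not password_ok:
        return "deny"
    if risk_signals(profile, a):
        return "step_up"  # e.g. one-time code to a registered phone
    return "allow"
```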

Orderly Failure
• Risk management
  – Plan your failure (self-defeating as it may sound)
  – Worst-case scenario
    • All or some components fail
    • Security features fail
• Reactive countermeasures
  – Annual "fire drills"
  – Test people, process, and technology
  – Check failover mechanisms
  – After failure: fail closed or fail open?

Policy and Training
• Security policy
  – Context in which countermeasures are implemented
  – System owner's intent
  – Countermeasures prescribed by security policy
• Training
  – How can you do the right thing if you don't know what the right thing is?
  – Integrated into daily workflows of affected parties
    • Not disruptive hours of classroom training
    • SecureAssist from Cigital: "security spell check" while writing code

Simple, Cheap, and Easy
• KISS (keep it simple, stupid) for countermeasure design
• 2012 Verizon Data Breach Report
  – 63% of recommended preventive countermeasures were simple and cheap
  – 3 to 5% were difficult and expensive
  – Identify and solve obvious problems
• Not necessarily "manual and home-grown"
  – Often more cost-effective to deploy "umbrella" countermeasures (e.g. a firewall) to compensate for a vast sea of vulnerabilities

Desktop Scenarios
• Remove the asset
  – Data leak prevention (DLP) across an enterprise
  – AAA for consolidated remote access
• Instrument the endpoint
  – Antimalware, configuration management, log shipping, HIPS, file system integrity monitor (Tripwire)
• Network-based countermeasures
  – Signature-based detection
  – Top talkers for data exfiltration
• Reactive countermeasures
  – Most desktop malware installs a persistence mechanism leveraging Windows ASEPs (AutoStart Extensibility Points) hooks
• Orderly failure by a forensic agent
• Policy enforcement if possible
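The "top talkers for data exfiltration" countermeasure above, as an added example (not from the book or the slides): outbound bytes from each internal host to external destinations are summed from flow records and ranked, with hosts over a volume threshold flagged for the response team. The flow-record format, the 10.0.0.0/8 internal range, the sample lines and the 1 GB threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records: "timestamp src_ip dst_ip bytes_out" per line.
SAMPLE_FLOWS = """\
2024-01-01T09:00:00 10.0.0.5 10.0.0.20 1200
2024-01-01T09:01:00 10.0.0.5 203.0.113.10 900
2024-01-01T09:02:00 10.0.0.7 198.51.100.4 950000000
2024-01-01T09:03:00 10.0.0.8 203.0.113.10 3000
2024-01-01T09:04:00 10.0.0.7 198.51.100.4 1200000000
2024-01-01T09:05:00 10.0.0.9 10.0.0.20 50000
"""

# Assumed internal address space; anything outside it counts as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_bytes_per_host(flow_text: str) -> dict:
    """Sum the bytes each internal host sends to external destinations.

    Internal-to-internal traffic is ignored: it is not exfiltration.
    """
    totals = defaultdict(int)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, nbytes = line.split()
        if is_internal(src) and not is_internal(dst):
            totals[src] += int(nbytes)
    return dict(totals)


def top_talkers(flow_text: str, n: int = 3, threshold_bytes: int = 1_000_000_000) -> list:
    """Rank hosts by outbound volume; the flag marks those over the threshold."""
    totals = outbound_bytes_per_host(flow_text)
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]
    return [(host, total, total >= threshold_bytes) for host, total in ranked]
```

Ranking alone already surfaces the outlier; the threshold is there so a single burst from an otherwise quiet host still triggers review.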

Server Scenarios (1/2)
• Administrative privilege restriction
  – Strong AAA, e.g. Xsuite
  – IAM (Identity and Access Management): entitlement review, e.g. for Sarbanes-Oxley (SOX)
  – Hardening root access in UNIX: cracklib (password composition tool), Secure Remote Password (authentication and key exchange), OpenSSH, pam_passwdqc (password length check), pam_lockout (account lockout)
• Minimal attack surface
  – Disabling unnecessary services: fewer listening services/ports, fewer doors, e.g. legacy NetBIOS, SMB
  – Using Windows Firewall to restrict access to services

Server Scenarios (2/2)
• Strong maintenance practices
  – Windows security patching guidance
  – Automated patch management tool, e.g. SMS (Systems Management Server)
  – Workaround in the window of exposure before patch release: inbound port blocking
• Active monitoring, backup, and response
  – Customized detection and response plans for new vulnerabilities

Network Scenarios
• Lower-layer TCP/IP firewall: ports
• Upper-layer application firewall: SQL injection, cross-site scripting, etc.
• Deploy more granular firewalls with visibility and control at higher layers
• Segment networks with higher risk from ones with greater sensitivity: DMZ
• Attacks on the network itself
  – Eavesdropping and traffic redirection (ARP spoofing): limit broadcast domains, authentication and encryption with 802.1X and WPA2 Enterprise
  – DoS: asymmetrical attack pattern, Prolexic service
  – DNS exploits: pay attention to configuration (restrict zone transfers and recursive queries)

Web Application and Database Scenarios
• Off-the-shelf (OTS) components
  – OTS packages: web servers, shopping carts, blog management, social interaction (web chat), etc.
  – Configure properly and patch religiously
  – Strong DAM (Database Activity Monitoring) with blocking capability
• Custom-developed application code
  – Security program for code development
  – BSIMM (Cigital's Building Security In Maturity Model): downloadable framework and tools to assess yourself

Mobile Scenarios
• Impact due to device theft, remote hacking, malicious apps, phone/SMS fraud, etc.
• Remove the data
  – Whether the most sensitive data should be downloaded to devices at all
  – Physical control by attackers: device debug mode, rooting, jailbreaking, etc.
• Keep a separate (physical or virtual) device for sensitive activities
• Enable password lock and device wipe on successive failed logins
• Keep system and application software up to date
• Be very selective about the apps you download
• Install MDM (mobile device management) and/or security software

Summary
• Usability vs. security
• Diversification in countermeasures: multiple parallel or serial obstacles
• Keep it simple, stupid.
• Empirical studies by the VDBR (Verizon Data Breach Report)