Guarding the Treasure
Protecting your organization’s data assets from viruses, worms, hackers, and spies

What Is The Treasure?
In a word, DATA
• Customer/Patient/Partner Information
• Financial Data
• Proprietary Company Information
• Legal Documents

Where Is The Treasure?
• In Transit
• In Storage
• Outside the Organization
• Inside the Organization

Why Protect The Treasure?
• Value of the Data
• Reputation of the Company
• Gov’t Regulations

What Are We Protecting the Treasure From?
Given that…
• We require connectivity to do business.
• Attacks can come from anywhere
• Attacks can take many forms
• There is no “magic bullet” technology that will completely secure your data

How Can We Protect the Treasure?
Strategic Defense in Depth (proposed)

Layer 1: The Security Policy
The Security Policy identifies the
– Scope
– What you need to protect and the level of security needed (which drives the technology decisions)
– Threats, and prioritizes them
– Key personnel and their responsibilities and actions (what needs to be done and by whom)
– Users’ rights and responsibilities
And the Security Policy must constantly evolve to meet the ever-changing threat environment

Layer 2: Personnel
• Awareness
– “Harden” personnel against social engineering attacks
– Identify and eliminate poor practices
• Training
– Reduce accidental disruptions
– Reinforce sound security practices

Layer 3: Technologies
• Firewalls
• Intrusion Detection/Prevention
• Anti-Virus
• Cryptography
• Password Authentication
• Vulnerability Assessment
• Physical Security

Tactical Defense in Depth
The required layers to secure your organization’s data assets are dictated by your organization’s needs, architecture and resources.
Zone Defense
• Perimeter – Firewalls, Gateway AV
• Network/Server – Cryptography, Intrusion Detection, File and Mail Server AV, Hardening
• Desktop – Desktop AV, Desktop Firewall and IDS, User Training
• Remote Users – Desktop AV, Personal Firewall and IDS, VPN
• E-Commerce – Cryptography, AV Scanning

Cryptography and E-Commerce

Benefits of Cryptography
• Data Security / Privacy – Data is unreadable except by the intended recipient
• Authentication – Establishes proof of the identity of an entity or of the sender of data
• Data Integrity / Non-Repudiation – Data has not changed from its original form, and you can prove it!

Symmetric Cryptography (AKA Conventional or Shared Secret Cryptography)
One key is required: encrypt with key A, decrypt with key A.

Asymmetric Cryptography (also known as Public Key Cryptography)
Two different, yet mathematically related, keys are required:
– PUB: encrypt and verify signatures with the public key
– PRIV: decrypt and sign with the private key
Together the keys create a key pair (public key + private key)

Hybrid Encryption (diagram)
Hybrid Decryption (diagram)
Digital Signatures (diagram)

Encryption Technologies
• PGP
• PKI
• S/MIME
• SSL
• SSH

Anti-Virus and E-Commerce

How Viruses Spread in the Past (diagram: file server and email server between desktops)
How Viruses Spread Today (diagram: file server, email server, gateway, Internet, desktops, mobile computer)
How Viruses will Spread Tomorrow (diagram: desktops and mobile computers connected directly over the Internet)
Threats are more complex and security lines are becoming blurred (Desktop Firewall, Anti-Virus, IDS, Vulnerability Assessment)

Attacks on the Global Business Network Are Getting Worse
• Faster moving
• More damaging
• More pervasive
• Technology is evolving quickly

Fact #1: Viruses are Moving Faster
Fact: The time required for malicious code to spread to a point where it can do serious infrastructure damage halves every 18 months.
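The Cryptography slides above describe symmetric encryption, public/private key pairs, hybrid encryption/decryption and digital signatures without showing how they fit together. The following Go program is an added example (not code from the presentation) that wires them up using only Go's standard library: a random AES-256-GCM key encrypts the bulk data, the recipient's public key wraps that key with RSA-OAEP, and the sender's private key signs everything with RSA-PSS. Key sizes, the sample message and the tampering step are constructed for the demo.

```go
package main

// Added example, not code from the presentation: the hybrid encryption /
// decryption and digital-signature flow from the Cryptography slides, using
// only Go's standard library. AES-256-GCM is the symmetric cipher, RSA-OAEP
// wraps the AES key, RSA-PSS signs. Key sizes and the sample message are
// constructed for the demo.

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels: the AES key wrapped with the recipient's PUBLIC key,
// the GCM nonce, the ciphertext, and the sender's signature over all three.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
	Signature  []byte
}

// signedDigest hashes every field the signature must protect, so swapping the
// wrapped key or nonce from another message is caught at verification.
func signedDigest(wrapped, nonce, ciphertext []byte) []byte {
	h := sha256.New()
	h.Write(wrapped)
	h.Write(nonce)
	h.Write(ciphertext)
	return h.Sum(nil)
}

// HybridEncrypt: a fresh random AES key encrypts the bulk data (symmetric, fast);
// the recipient's public key wraps that key (asymmetric); the sender's private
// key signs, giving data integrity and non-repudiation.
func HybridEncrypt(plaintext []byte, recipientPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (*Envelope, error) {
	aesKey := make([]byte, 32) // AES-256
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, signedDigest(wrapped, nonce, ciphertext), nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext, Signature: sig}, nil
}

// HybridDecrypt verifies the signature with the sender's PUBLIC key before doing
// anything else, then unwraps the AES key with the recipient's PRIVATE key and
// decrypts. Any tampering in transit fails here.
func HybridDecrypt(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	digest := signedDigest(env.WrappedKey, env.Nonce, env.Ciphertext)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest, env.Signature, nil); err != nil {
		return nil, errors.New("signature check failed: not from the claimed sender, or altered in transit")
	}
	aesKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg := []byte("Q3 partner pricing sheet (constructed sample)")
	env, err := HybridEncrypt(msg, &recipient.PublicKey, sender)
	if err != nil {
		panic(err)
	}
	got, err := HybridDecrypt(env, recipient, &sender.PublicKey)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, msg))
	env.Ciphertext[0] ^= 0x01 // simulate one flipped byte in transit
	_, err = HybridDecrypt(env, recipient, &sender.PublicKey)
	fmt.Println("tampered message rejected:", err != nil)
}
```

The order in HybridDecrypt matters: the signature is checked first, so a forged or altered envelope is rejected before any private-key decryption happens, which is the "authentication" and "integrity / non-repudiation" benefit the slide lists.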
Viruses Spread More Quickly Than Ever
Chart: machines infected per hour at peak of outbreak (scale 0 to 14,000) for Code Red, Nimda and Goner. Source: McAfee AVERT 2001-2002

Fact #2: The Cost of Damage is Escalating
• $13 billion in virus damage in 2001
– Four times greater than 2000
• Nimda alone cost over $635 million … so far
• $1.3 trillion in damages by end of 2002
Source: Computer Economics, PriceWaterhouseCoopers

Virus Damage and Sophistication Increases Over Time
Chart: damage against sophistication & speed of infection, by virus generation
• 1st Gen (1986, early ’90s) – boot sector viruses infect floppies; the world notices – Stoned, Michelangelo
• 2nd Gen (1995) – macro viruses infect data files – Concept
• 3rd Gen (1999) – mass mailers spread faster – Melissa, Love Bug
• 4th Gen (2001) – blended threats exploit application vulnerabilities, create backdoors, spread many ways, do more damage – Code Red, Nimda, Funlove
• 5th Gen (??) – wireless & blended threats common

Fact #3: Platform Coverage Expanding
Fact: When a platform or an application gains widespread popularity, it will be attacked.

Fact #4: Technical Complexity is Advancing
• “Seek the Weak” very aggressively
• Propagate using new or combined vehicles
• Binary attacks
• Exploit vulnerabilities
• Create vulnerabilities
• “Robot” Hacker

The Threat Is Increasing
Number of security vulnerabilities reported / The rise of malware

YEAR   NEW KNOWN VULNERABILITIES (ALL OPERATING SYSTEMS)   KNOWN VIRUSES
1998   262                                                  40,000
1999   417                                                  48,000
2000   1,090                                                55,000
2001   2,437                                                59,000
Sources: NIPC 2001; CERT Coordination Center, Pittsburgh; TruSecure Corp., Herndon, Va.

Lessons Learned
• Organizations need more comprehensive coverage on all points of entry
• Must apply security patches in a timely manner
• Need perimeter scanning

Multi-tiered Defense

Perimeter Defence Requirements
• Anti-Spam
– Blocks mails from the MAPS RBL (Mail Abuse Prevention System Real-time Blackhole List)
• Attachment filtering
– Allows you to control loading on e500 and network
• Content filtering
– Block virus-related attachment types (.VB?, .JS, .EXE, …)
– Block non-corporate mails by title, message text, attachment name or text
– Instant 1st line of defence for known virus threats (in & out)

Example: CodeRed
• Virus only exists in memory
– Must detect in the HTTP stream at the perimeter (infects W2K & XP servers through TCP/IP port 80)
• Uses IIS exploit MS01-033, Unchecked Buffer in Index Server ISAPI
– Gives ability to “run code of attacker’s choice”
• A variant
– Defaces web pages
– Contained a DDOS payload
• C variant
– Drops a backdoor trojan that utilises MS00-052 to run Explorer.exe
– Modifies registry to disable local file system security; gives Web access to drives C & D

Perimeter Defense
• Nearly 80% of all viruses are spread via email
• Viruses cause network problems and bandwidth congestion
• Your solution should
– Scan before they pass the perimeter
– Include comprehensive detection and cleaning
– Provide automated updates
– Offer hardware and software solution alternatives

Multi-tiered Defense: Mail and File Server
• Email protection is extremely important to overall AV compliance and effectiveness
• Viruses bring down your email servers
• Your solution should
– Detect and clean infections at the server level
– Include outbreak management
– Include remote manageability
– Provide logging, reporting, alerting

Multi-tiered Defense: The Insider Threat
In 2001, 1-in-3 security violations were instigated internally by legitimate but untrustworthy users.
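The Perimeter Defence Requirements slides above list three gateway checks: an RBL lookup for anti-spam, attachment filtering by type pattern (.VB?, .JS, .EXE), and content filtering on the mail title. The Go program below is an added example (not code from the presentation) that implements those three checks as one perimeter policy. The RBL query-name construction (reversed IPv4 octets plus the list's zone) is the real technique, but the lookup itself is simulated against a constructed in-memory list so the program runs offline; the zone name rbl.example.test, the subject keyword and the sample messages are all constructed.

```go
package main

// Added example, not code from the presentation: the perimeter mail checks the
// Anti-Spam and Content Filtering slides describe, combined in one policy.
// The RBL zone, the in-memory "listed" set, the attachment patterns, the
// subject keyword and the sample messages are constructed for this demo; no
// real DNS lookups are made.

import (
	"fmt"
	"net"
	"path"
	"strings"
)

// Message is the minimal view of an inbound mail the gateway needs.
type Message struct {
	SenderIP    string
	Subject     string
	Attachments []string
}

// Policy holds the gateway configuration from the slides: the RBL zone, blocked
// attachment globs in ".VB?" style, and title keywords for non-corporate mail.
type Policy struct {
	RBLZone         string
	BlockedPatterns []string
	SubjectKeywords []string
}

// RBLQueryName builds the DNS name a real-time blackhole list is queried with:
// the IPv4 octets in reverse order with the list's zone appended.
func RBLQueryName(ip, zone string) (string, error) {
	parsed := net.ParseIP(ip).To4()
	if parsed == nil {
		return "", fmt.Errorf("not an IPv4 address: %q", ip)
	}
	return fmt.Sprintf("%d.%d.%d.%d.%s", parsed[3], parsed[2], parsed[1], parsed[0], zone), nil
}

// constructedRBL stands in for the DNS answer; in production a resolver query
// for the name would return a record when the address is listed.
var constructedRBL = map[string]bool{
	"4.3.2.1.rbl.example.test": true,
}

// IsListed reports whether ip appears in the (simulated) blackhole list.
func IsListed(ip, zone string) bool {
	name, err := RBLQueryName(ip, zone)
	if err != nil {
		return false
	}
	return constructedRBL[name]
}

// BlockedAttachment matches a file name against patterns such as .VB? or .EXE,
// case-insensitively, so readme.txt.vbs and Setup.EXE are both caught.
func BlockedAttachment(name string, patterns []string) (string, bool) {
	lower := strings.ToLower(name)
	for _, p := range patterns {
		if ok, _ := path.Match("*"+strings.ToLower(p), lower); ok {
			return p, true
		}
	}
	return "", false
}

// Evaluate returns "" when the message may pass, otherwise the reason it is
// stopped at the perimeter. The cheapest check (sender RBL) runs first.
func (p Policy) Evaluate(m Message) string {
	if IsListed(m.SenderIP, p.RBLZone) {
		return "sender listed in " + p.RBLZone
	}
	for _, a := range m.Attachments {
		if pat, hit := BlockedAttachment(a, p.BlockedPatterns); hit {
			return fmt.Sprintf("attachment %q matches blocked type %s", a, pat)
		}
	}
	subj := strings.ToLower(m.Subject)
	for _, kw := range p.SubjectKeywords {
		if strings.Contains(subj, strings.ToLower(kw)) {
			return fmt.Sprintf("subject contains %q", kw)
		}
	}
	return ""
}

// demoPolicy mirrors the attachment types named on the slide.
var demoPolicy = Policy{
	RBLZone:         "rbl.example.test",
	BlockedPatterns: []string{".VB?", ".JS", ".EXE"},
	SubjectKeywords: []string{"free prize"},
}

func main() {
	samples := []Message{ // constructed sample traffic
		{SenderIP: "1.2.3.4", Subject: "Invoice", Attachments: []string{"invoice.pdf"}},
		{SenderIP: "10.0.0.5", Subject: "Report", Attachments: []string{"notes.txt", "Setup.EXE"}},
		{SenderIP: "10.0.0.6", Subject: "Hello", Attachments: []string{"readme.txt.vbs"}},
		{SenderIP: "10.0.0.7", Subject: "Quarterly figures", Attachments: []string{"q3.xls"}},
	}
	for _, m := range samples {
		if reason := demoPolicy.Evaluate(m); reason != "" {
			fmt.Println("BLOCK:", reason)
		} else {
			fmt.Println("PASS: ", m.Subject)
		}
	}
}
```

The glob is anchored with a leading "*" so a double extension such as readme.txt.vbs is still caught, which is the case a plain suffix check on the last extension alone would also handle, but a check on the first extension would miss.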
Changing Environment: Gateway Jumping (diagram: Internet, Corporate Net, Laptop @Home)

Desktop and Remote Users
Remote user profile is changing
• The new challenge
– More and more data is by-passing the corporate firewall
– 21 million US in 2001, 35 million in 2005
– Always-on = always vulnerable
– Most vocal and high-profile users
– A hacker can ride in on the VPN connection
– How to stop attacks contracted outside the network (Web visit, etc.)
– Interoperability w/ Cisco, Checkpoint, Nortel VPN clients (about 85% of the market)
– Threats require defensive measures

Desktop Firewall: Adding Defensive Depth
1) Desktop Firewall’s distributed IDS provides the first line of defense to
• block common hacker attacks
• stop Trojans, nukes, DOS attacks
2) Desktop Firewall’s distributed firewall provides the second line of defense
• robust packet filtering
• application level policy
• learning mode
Scenario: a hacker attempts to port scan and hack into a computer protected by Desktop Firewall on the corporate network; the hacker is blocked, & optionally traced.

Desktop Firewall
How does it stop malicious code and attacks?
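The "Adding Defensive Depth" slide above shows two host-side layers: a distributed IDS that notices a port scan, and a distributed firewall with packet filtering and an application-level policy. The Go program below is an added example (not code from the presentation) modelling both as a defender would configure them: the firewall is an allowlist of application rules with everything else denied, and the IDS raises a scan alert when one remote host probes a threshold number of distinct local ports inside a time window. The rule set, the window and threshold, the addresses and the sample packets are constructed for the demo.

```go
package main

// Added example, not code from the presentation: a model of the two Desktop
// Firewall layers on the "Adding Defensive Depth" slide. Rules, thresholds,
// addresses and sample packets are constructed for the demo.

import (
	"fmt"
	"time"
)

type Direction int

const (
	Inbound Direction = iota
	Outbound
)

// Packet is the per-connection view the host firewall sees. Port is the service
// port: the local port for inbound traffic, the remote port for outbound.
type Packet struct {
	Time     time.Time
	Dir      Direction
	App      string // local process owning the socket; "" when none is known
	RemoteIP string
	Port     int
	Proto    string
}

// Rule allows one application to talk in one direction on one port/protocol.
type Rule struct {
	App   string
	Dir   Direction
	Port  int
	Proto string
}

// Firewall is the second line of defense: traffic matching no rule is blocked,
// which is how an undefined application is prevented from connecting.
type Firewall struct{ Rules []Rule }

func (f Firewall) Allows(p Packet) bool {
	for _, r := range f.Rules {
		if r.App == p.App && r.Dir == p.Dir && r.Port == p.Port && r.Proto == p.Proto {
			return true
		}
	}
	return false
}

// ScanDetector is the first line of defense: per remote IP it keeps the inbound
// probes seen within Window and alerts once Threshold distinct ports are hit.
type ScanDetector struct {
	Window    time.Duration
	Threshold int
	seen      map[string][]Packet
}

func NewScanDetector(window time.Duration, threshold int) *ScanDetector {
	return &ScanDetector{Window: window, Threshold: threshold, seen: map[string][]Packet{}}
}

// Observe records an inbound packet and reports whether its source now looks
// like a port scanner. Outbound traffic is not scan evidence and is ignored.
func (d *ScanDetector) Observe(p Packet) bool {
	if p.Dir != Inbound {
		return false
	}
	keep := d.seen[p.RemoteIP][:0] // drop probes older than the window
	for _, old := range d.seen[p.RemoteIP] {
		if p.Time.Sub(old.Time) <= d.Window {
			keep = append(keep, old)
		}
	}
	keep = append(keep, p)
	d.seen[p.RemoteIP] = keep
	ports := map[int]bool{}
	for _, q := range keep {
		ports[q.Port] = true
	}
	return len(ports) >= d.Threshold
}

// Verdict runs the IDS before the firewall so a scan is reported even when the
// probe would have been dropped by the default deny anyway.
func Verdict(fw Firewall, ids *ScanDetector, p Packet) string {
	if ids.Observe(p) {
		return "block: port scan from " + p.RemoteIP
	}
	if !fw.Allows(p) {
		return "block: no rule for this application/port"
	}
	return "allow"
}

// demoRules: a browser may reach HTTPS, the VPN client may start IKE; nothing inbound.
var demoRules = []Rule{
	{App: "browser", Dir: Outbound, Port: 443, Proto: "tcp"},
	{App: "vpnclient", Dir: Outbound, Port: 500, Proto: "udp"},
}

func main() {
	fw, ids := Firewall{Rules: demoRules}, NewScanDetector(10*time.Second, 5)
	base := time.Date(2002, 1, 1, 9, 0, 0, 0, time.UTC)
	fmt.Println(Verdict(fw, ids, Packet{Time: base, Dir: Outbound, App: "browser", RemoteIP: "192.0.2.10", Port: 443, Proto: "tcp"}))
	fmt.Println(Verdict(fw, ids, Packet{Time: base, Dir: Outbound, App: "unknownapp", RemoteIP: "192.0.2.10", Port: 6667, Proto: "tcp"}))
	for i, port := range []int{21, 22, 23, 25, 80} { // constructed scan from one host
		fmt.Println(Verdict(fw, ids, Packet{Time: base.Add(time.Duration(i) * time.Second), Dir: Inbound, RemoteIP: "203.0.113.9", Port: port, Proto: "tcp"}))
	}
}
```

The first four probes are each blocked only by the default deny; the fifth distinct port inside the window turns the verdict into a scan alert, which is the point at which a real product would also log and optionally trace the source.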
• Only allow your specified traffic on the network
• Firewall prevents undefined applications from connecting
• IDS trends detect internal and external attacks (50-70% of attacks are internal)
• Bi-directional IDS stops malicious code spreading to other PCs
• Stops distributed denial of service zombies
– Code that infects and sends files, keystrokes,

Multi-tiered Defense: Viruses in the Palm of Your Hand
• Personal Digital Assistants [PDAs]
• Portable threat to corporate networks
• Early PDA malware
– Liberty [trojan]
– Vapor [trojan]
– Phage [virus]

Multi-tiered Defense: Manageability is Key to AV Protection
• Be able to quickly and effectively deal with threats
• Business cost of managing AV is often higher than the software cost
• Most frequently updated/modified software on PCs
• To have an effective AV strategy, you must be able to:
– Control & modify anti-virus configuration, and lock it down
– Automate updates
– Report on virus outbreaks and levels of protection

Cost Effective Management
• Will eliminate company downtime from virus outbreaks
– Update anti-virus policy to combat threats
• Will match policy to company threat
– Set strict policies for vulnerable data
• Will eliminate end-user tampering
– Enforce policies on all machines
• Will protect the entire enterprise without modifying infrastructure
– Policy management over anything

How often do you check compliance of your security policy?
Chart: survey responses – Weekly 25%, Monthly 13%, Quarterly 19%, Semi-Annual 9%, Annually or Longer 13%, Don't Know 21%. Source: Information Security Magazine (September 2000)

Central Management - Summary
• Monitor AV activity with total visibility
– Track an outbreak to its source
– Find vulnerabilities and adjust
• Maintain updated AV protection
– Distribute weekly/emergency signatures, new engines, service packs
– Low impact on bandwidth
• Control & enforce policies centrally
– Keep end users compliant with security policy
– Customize policy to combat new threats
– Manage over anything (NetWare, NT, Internet)

Where do you go from here...

Creating an Anti-Virus Strategy
• You can’t manage what you can’t measure
• Assess the potential risk to the business
– How can a virus enter the organization?
– Where can a virus be stored?
– How can a virus be transferred?
– What level of risk do you want to assume?
Rule of Thumb: You can’t lock down EVERYTHING!

Identify the Risks and Threats
Diagram: risk ratings (H/M/L) assigned to Stand Alone, Proxy Servers & Gateways, E-Mail Servers, File & Print Servers, Internet Firewall, Laptops, Wireless, Desktops, Unix Boxes

Create an Anti-Virus Policy
• What, where and how AV is deployed
• Configuration settings
• Update requirements
• Scanning requirements
• Identify responsible parties

Anti-Virus Policy
• Identify how to deal with a virus outbreak
– AV response team
• Document clean-up procedures
• Requirements for user training
• Dealing with non-compliance
• Address policy management
• Reporting requirements

Constantly Evaluate Policies
Diagram: Business Needs Change, Risks Change and Virus Technology Improves all feed into the AV Policy
• Change forces policy revision
• Re-evaluate your policies & procedures on a regular basis (test them!)

Thank you!