
Managing A Secure Infrastructure – Tales From the Trenches

Managing A Secure Infrastructure – Tales From the Trenches. November 6, 2003. www.nmrc.org. About the Speaker: Steve Manzuik – Director, Security-Sensei.Com; Founder / Moderator of Vulnwatch.Org; Founder of Win2KSecAdvice mailing list; Member of nmrc.Org.


Presentation Transcript


  1. Managing A Secure Infrastructure – Tales From the Trenches. November 6, 2003

  2. About the Speaker (www.nmrc.org)
     • Steve Manzuik – Director, Security-Sensei.Com
     • Founder / Moderator of Vulnwatch.Org
     • Founder of Win2KSecAdvice mailing list
     • Member of nmrc.Org
     • Co-Author of Hack Proofing Your Network
     • Participant – Open Web Application Security Project (OWASP.org)
     • Participant – Open Source Vulnerability Database (OSVDB.org)

  3. Outline
     • Security today
     • Failures in Security
     • Succeed in Security

  4. Security Today
     • Vulnerabilities will always exist
     • Typical organizations have made large investments in network and security infrastructure
     • Incidents still occur at high rates
     • Past investments do not support the business need
     • Security warnings to upper management are seen as the new Y2K hype.
     • It is time for organizations to stop buying the latest security toy and actually secure their networks.

  5. You Have Been Lied To!
     • All the Firewalls and Intrusion Detection devices in the world will not protect you.
     • Most organizations do not have a firm grasp of their entire infrastructure.
     • Aggressive Firewall configurations prohibit business and prohibit productivity.
     • Network Intrusion Detection has limited value in most organizations.
     • Security is not a magic black box or application.
     • Security is NOT a black art.

  6. Failures in Security
     • Firewalls
     • Intrusion Detection
     • Wall of Shame

  7. Expensive Logging Devices: Firewalls
     • “But we have a firewall, we are completely protected…….”
     • “We have invested in world class firewall technologies… …we are secure.”
     • “Why would we want to block people from getting out?”
     • “A hacker would have to break into our firewall in order to gain access….”
     • “You mean you have to patch a firewall?”

  8. Expensive & Confusing Logging Devices: IDS
     • “Well our IDS didn’t see anything wrong…”
     • “There were just too many alerts so I turned it off….”
     • “I didn’t understand what SHELLCODE x86 NOOP was so I ignored it….”
     • “ISS told us that it wasn’t possible….”
     • “What do you mean I can’t monitor this switch…”
     • “No one watches the console on weekends and holidays…..”

  9. Other Examples: Wall of Shame
     • “Passwords just made implementing the technology too difficult for our users…”
     • “What exactly do you mean by audit process?”
     • “We spent 2 million dollars on firewalls and other security solutions and 2 thousand dollars on testing those systems….”
     • “We don’t exactly have a security department but Joe in the server group is a hacker so I am sure he is taking care of us….”
     • “But our vendor hasn’t told us anything about….”
     • “But that is a localhost issue…..”

  10. What does this all mean?
      • A proper security posture combines people, process and technology.
      • Most organizations rely on technology alone, leaving their security posture weak and vulnerable.

  11. Success in Security
      “The greatest security infrastructures are the ones that satisfy the most business needs while allowing for uninhibited network communications between employees, business partners, vendors, and customers.”

  12. Success in Security
      • Do not let vendors use your fear, uncertainty and doubt against you.
      • It is a lot of work, but when approached in a logical and calm fashion, Information Security can be improved.
      • Never think you are completely secure.

  13. Succeed in Security: Awareness
      • All the security in the world can be trumped by the double click of an email attachment.
      • If your users are not aware – they are your greatest threat.
      • If your Administrators are not educated – they are unarmed and unable to be proactive.

  14. Succeed in Security: Know Your Assets
      • If you don’t know what you have or what it does – how do you plan on protecting it?
      • If you don’t know your business how will you enable it?
      • Data and system classification is essential.
      • Large organizations must approach security based on risk.

  15. Succeed in Security: Host Security
      • Secure baseline configurations – the technical starting point of a truly secure infrastructure.
      • Thwarting the attacker by leveraging technology you already have.
      • Helps improve desktop & server support processes and actually reduces long term support costs.

  16. Succeed in Security: Monitoring
      • Logical combinations of network and host based monitoring can be valuable.
      • Log management is valuable.
      • Technical education is far more valuable than the technology itself.
      • Do the right people know when a device is added to the network? What about removed?

  17. Succeed in Security: Validation
      • Penetration Testing over Vulnerability Assessment.
      • Intrusion Detection validation and tuning is essential.
      • Firewall rule and configuration validation is essential.
      • Don’t forget about phones and wireless devices.

  18. Succeed in Security: Other Tips
      • Explicit trust is a dangerous game.
      • Users are not malicious for the most part but must be protected against themselves.
      • Don’t overlook email threats.
      • Don’t overlook social engineering threats.

  19. Succeed in Security: Other Tips
      • Build a trusted relationship with a security consulting organization that is vendor neutral.
      • Observe what other organizations in similar industries and of similar size are doing.

  20. Closing
      • Questions?
      Steve Manzuik: smanzuik@sidc.net, steve@security-sensei.com
