The document discusses Check Point's approach to defining a security blueprint. It recommends identifying the organization's environment and security zones, main threats and necessary protections. Performance requirements should be analyzed and modular packages defined to organize policies. Specific policies are then defined to address external threats, enable secure application use and prevent data loss. Analytics of security events help improve the security strategy. The overall approach aims to build modular security solutions that are easy to manage and enable the business while protecting the organization.
IT is very dynamic; there are events every day:
- New application, new system, new server, new DB
- DRP projects
- New offices
- Migration of departments
- New acquisitions
- More outsourced systems that interact with internal systems
- New audiences interacting with our systems: partners, customers, external accountants, gateways
- New threats: bots, constant new malware
- New technologies: mobile synchronization, cloud sync
- New trends: BYOD
- Trying to balance time and money

Security measures need to be applied to:
- Access
- Internal assets and information
- Tools and applications

Goals:
- Conserve bandwidth for business-critical tasks
- Optimize employees' productivity
- Protect internal assets from unauthorized access
- Enable secure access from everywhere
- Prevent sensitive information from getting into the wrong hands

Key policy questions:
- Who is allowed to access which tools? (Who? By IP, but IPs change as users are mobile; IP ranges and network segments are not accurate either, again because users are mobile.)
- What are users allowed to do? (Which internal assets can be accessed? Which Internet tools?)
- What content can leave the organization?
On 24.2.2012 at approximately 14:00 Singapore time, Daniel Phuan, an SE Manager from the Singapore office, received a phone call on his mobile phone from an undisclosed number. The caller spoke English with an Asian accent and introduced himself as Mike Chen (Product Marketing Manager from the US). He claimed that he was on the road from the US to Japan for a business meeting, had a connection at Singapore airport and did not have access to the Check Point website because his laptop had broken down. He requested contact information for Japan office personnel and provided an external e-mail address (biztrip@live.com).
During the call, Daniel kept trying to verify the caller's identity and became suspicious when the caller failed to provide the name of his direct manager. The caller claimed that he reports directly to the Marketing VP, Juliette Sultan. Daniel told the caller he could not provide further information and the call ended. Daniel contacted the Check Point security officer by email, notified him of the incident, and reported that Johnny Poh and Lum Soong Chee had received a similar call.
Data types to protect (DLP):
- Check Point business information: missing classification, Highly Restricted documents, customer names, sales reports, SSH private keys, confidential security alerts, employee data (compensation, salaries, job offers)
- Check Point R&D specific data: code (generic), templates, project names
- Financial data: SEC filings, financial reports, large Excel files sent out of Finance outside the company
- Intellectual property: patents and design files
- Compliance: PCI and HIPAA
- Best practices: database files, inappropriate language, password-protected files, Social Security numbers, passport numbers
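To show how a list of data types like the one above turns into enforceable DLP rules, here is an added example (not Check Point's code and not from the original presentation). It scans a constructed outbound e-mail for a subset of the listed types: SSH private keys, Social Security numbers, a missing or Highly Restricted classification label, password-protected attachments, and large Excel files leaving Finance. The internal mail domain, the Finance mailbox, the 10 MiB "large file" threshold, the `Classification:` header format and the allow/ask/block actions are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

INTERNAL_DOMAIN = "example.com"               # assumed: the company's own mail domain
FINANCE_SENDERS = ("finance@example.com",)    # assumed: constructed Finance mailbox
LARGE_XLS_BYTES = 10 * 1024 * 1024            # assumed threshold for "large Excel files"
SEVERITY = {"allow": 0, "ask": 1, "block": 2} # final verdict is the most severe finding

# Content patterns (assumptions for the example): PEM private-key header and
# a US Social Security number with the structurally invalid ranges excluded.
SSH_PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
US_SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Assumed classification label that documents carry in their first lines.
CLASSIFICATION = re.compile(
    r"^Classification:\s*(Public|Internal|Confidential|Highly Restricted)\s*$", re.M)


@dataclass
class Attachment:
    name: str
    size: int                        # bytes
    password_protected: bool = False # set by the gateway when it cannot open the file
    content: str = ""                # extracted text, empty when password protected


@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    attachments: List[Attachment] = field(default_factory=list)


def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def scan_message(msg: Message) -> List[Tuple[str, str]]:
    """Return (rule, action) findings for one outbound message."""
    findings: List[Tuple[str, str]] = []
    external = is_external(msg.recipient)
    texts = [msg.body] + [a.content for a in msg.attachments]

    # SSH private keys never leave the mailbox, whoever the recipient is.
    if any(SSH_PRIVATE_KEY.search(t) for t in texts):
        findings.append(("ssh_private_key", "block"))

    if external:
        # Compliance: SSNs must not go outside the company.
        if any(US_SSN.search(t) for t in texts):
            findings.append(("social_security_number", "block"))
        # Unlabelled content is held and the sender is asked; Highly Restricted is blocked.
        label = CLASSIFICATION.search(msg.body)
        if label is None:
            findings.append(("missing_classification", "ask"))
        elif label.group(1) == "Highly Restricted":
            findings.append(("highly_restricted", "block"))
        for a in msg.attachments:
            if a.password_protected:  # cannot be inspected, so ask the user to justify
                findings.append(("password_protected_file", "ask"))
            if (msg.sender in FINANCE_SENDERS
                    and a.name.lower().endswith((".xls", ".xlsx"))
                    and a.size >= LARGE_XLS_BYTES):
                findings.append(("large_finance_spreadsheet", "block"))
    return findings


def verdict(msg: Message) -> str:
    """Collapse all findings into a single gateway action."""
    findings = scan_message(msg)
    if not findings:
        return "allow"
    return max((action for _, action in findings), key=SEVERITY.__getitem__)


# Constructed sample messages used to exercise the rules.
SAMPLES = {
    "hr_internal": Message("hr@example.com", "payroll@example.com",
                           "New hire SSN 123-45-6789, please set up payroll."),
    "hr_external": Message("hr@example.com", "accountant@partner.org",
                           "New hire SSN 123-45-6789, please set up payroll."),
    "dev_key": Message("dev@example.com", "me@mail.invalid",
                       "Classification: Internal\nBackup of my key",
                       [Attachment("id_ed25519", 411, content=
                                   "-----BEGIN OPENSSH PRIVATE KEY-----\n<constructed>\n")]),
    "finance_report": Message("finance@example.com", "auditor@partner.org",
                              "Classification: Confidential\nQ4 workbook attached.",
                              [Attachment("q4.xlsx", 12 * 1024 * 1024, password_protected=True)]),
    "public_note": Message("pr@example.com", "press@partner.org",
                           "Classification: Public\nRelease notes.",
                           [Attachment("notes.txt", 2048, content="Nothing sensitive.")]),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:15} -> {verdict(msg):5}  {scan_message(msg)}")
```

The ordering of the rules matters less than their independence: each rule appends its own finding, and `verdict` takes the most severe, so a message that both lacks a label and carries an SSN is blocked rather than merely held.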
Vladimir Antonovich, Endpoint system administrator, is setting up the environment to test an anti-malware product.
Ran Ravid, security on duty, reviews the Application Control log.

Ran (13:47): Please check why your host is running BitTorrent.
Vladimir (13:55): Can't find this host, can you send more information?
Ran (13:57): According to my log it is using BitTorrent and uTorrent.
Vladimir (14:06): Found it. A laptop used for a test; we forgot to uninstall the torrent clients.

Conclusions:
- It took ~20 min to close the "hole"
- Even security experts can miss security policy
- Security enforcement should be strict
The trojan attempted to communicate with the command and control center, but Anti-Bot Software Blade detected the communication and blocked it.
The second dimension provides fine-grained Internet application awareness to the Check Point security gateway. Check Point's application control library provides scanning and detection of more than 4,500 distinct applications and over 50,000 social networking widgets across a wide range of categories, including Instant Messaging, Peer-to-peer file sharing, Social Networking, Web 2.0, Voice-over-IP, Anonymizers, IPTV, Multimedia, Games, Virtual Worlds, and Unified Communication. These applications are classified into different levels of business and non-business categories, giving a strong and flexible choice of parameters for any given policy. The applications are organized into 150 categories, including categories for communication, IM, entertainment, commercial, financial, computing, government and many more.
Low risk applications are applications from the following categories:
- Business Applications (e.g. Google Apps *)
- Download Managers (e.g. 3wGet, Apt-get, Download Master)
- Media Sharing (only YouTube and Apple QuickTime are allowed)
- Mobile Software (e.g. Google Play, Mobile Google Maps, WhatsApp Messenger)
- Social Networking (e.g. Facebook, Geni)
- Twitter Clients (e.g. BinTweet, CheapTweet)
- and more
* Google Apps may be used for personal use only. Uploading corporate data to Google Apps is forbidden.

Medium risk applications are applications from the following categories:
- Browser Plugins (e.g. Adobe Flash, Ask Toolbar, BingBar)
- Email * (e.g. Gmail, Yahoo!)
- VoIP (e.g. Skype)
- Web Conferencing (only Adobe Connect is allowed)
- and more

High risk applications are applications from the following categories:
- File Storage and Sharing (e.g. Dropbox, SugarSync, DropMe, ShareFile)
- Instant Messaging (e.g. Miranda IM, CryptoChat, IceChat)
- P2P File Sharing (e.g. Kazaa, SopCast, AllPeers, BitTorrent, uTorrent, eMule)
- Remote Administration (e.g. Poison Ivy, Access Remote PC, Radmin, TeamViewer, pcAnywhere)
- and more
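The risk tiers above, together with the earlier BitTorrent log-review exchange between Ran and Vladimir, can be expressed as a small policy engine plus a log check. The following is an added example, not Check Point's code and not part of the original presentation. It encodes the three tiers and the two "only X is allowed" category exceptions from the slide, resolves an application name to an action, and then reviews constructed Application Control log lines to find hosts whose accepted connections the policy says should have been blocked, which is exactly the gap the 20-minute exchange closed. The tier-to-action mapping (allow/ask/block), the treatment of unclassified applications, the `key=value; key=value` log format, the application-to-category table (which includes Vimeo and WebEx as constructed non-allowlisted entries) and the user names are all assumptions for the example.

```python
from typing import Dict, List, Tuple

# Category -> risk tier, taken from the slide.
CATEGORY_TIER: Dict[str, str] = {
    "Business Applications": "low", "Download Managers": "low", "Media Sharing": "low",
    "Mobile Software": "low", "Social Networking": "low", "Twitter Clients": "low",
    "Browser Plugins": "medium", "Email": "medium", "VoIP": "medium", "Web Conferencing": "medium",
    "File Storage and Sharing": "high", "Instant Messaging": "high",
    "P2P File Sharing": "high", "Remote Administration": "high",
}
# Assumed enforcement action per tier: low passes, medium asks the user, high is blocked.
TIER_ACTION = {"low": "allow", "medium": "ask", "high": "block"}
# Categories where only the named applications are permitted (from the slide).
ALLOWLIST_ONLY = {"Media Sharing": {"YouTube", "Apple QuickTime"},
                  "Web Conferencing": {"Adobe Connect"}}
# Application -> category: a constructed subset standing in for the application library.
APP_CATEGORY = {
    "Google Apps": "Business Applications", "Facebook": "Social Networking",
    "YouTube": "Media Sharing", "Vimeo": "Media Sharing",
    "Skype": "VoIP", "Adobe Connect": "Web Conferencing", "WebEx": "Web Conferencing",
    "Dropbox": "File Storage and Sharing", "TeamViewer": "Remote Administration",
    "BitTorrent": "P2P File Sharing", "uTorrent": "P2P File Sharing",
}


def decide(app: str) -> Tuple[str, str]:
    """Return (action, reason) for one application under the tiered policy."""
    category = APP_CATEGORY.get(app)
    if category is None:
        return "ask", "unclassified application"   # assumed default for unknown apps
    if category in ALLOWLIST_ONLY:                # exception categories ignore the tier
        if app in ALLOWLIST_ONLY[category]:
            return "allow", f"{category}: {app} is on the allow list"
        return "block", f"{category}: only {sorted(ALLOWLIST_ONLY[category])} allowed"
    tier = CATEGORY_TIER[category]
    return TIER_ACTION[tier], f"{category}: {tier} risk"


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value; key=value' Application Control log line."""
    fields: Dict[str, str] = {}
    for part in line.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def review_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (src, user, app) for accepted connections the policy says must be blocked.

    These are the enforcement gaps a log reviewer escalates, like the test laptop
    still running torrent clients in the exchange above.
    """
    gaps = []
    for line in lines:
        f = parse_log_line(line)
        if not f.get("app"):
            continue
        action, _ = decide(f["app"])
        if f.get("action") == "Accept" and action == "block":
            gaps.append((f.get("src", "?"), f.get("user", "?"), f["app"]))
    return gaps


# Constructed log lines; hosts, users and times are invented for the example.
SAMPLE_LOG = [
    "time=2012-02-24 13:40:12; src=10.1.2.77; user=alice; app=BitTorrent; category=P2P File Sharing; action=Accept",
    "time=2012-02-24 13:41:03; src=10.1.2.77; user=alice; app=uTorrent; category=P2P File Sharing; action=Accept",
    "time=2012-02-24 13:42:30; src=10.1.3.15; user=bob; app=YouTube; category=Media Sharing; action=Accept",
    "time=2012-02-24 13:43:07; src=10.1.3.15; user=bob; app=Dropbox; category=File Storage and Sharing; action=Block",
    "time=2012-02-24 13:44:51; src=10.1.4.9; user=carol; app=Skype; category=VoIP; action=Accept",
]

if __name__ == "__main__":
    for app in ("YouTube", "Vimeo", "Skype", "WebEx", "BitTorrent", "SomethingNew"):
        print(f"{app:13} -> {decide(app)}")
    for src, user, app in review_log(SAMPLE_LOG):
        print(f"gap: {src} ({user}) was allowed to run {app}")
```

Note that `review_log` deliberately ignores accepted connections for "ask" applications, since an Accept there may simply mean the user answered the prompt; only high-risk or non-allowlisted applications that were nevertheless accepted are reported.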
Trojan.Spy.MSIL.Zbot: malware that, when loaded, attempts to steal data and turns systems into bots to steal more data; a multi-vector attack.
1. Zbot Trojan is loaded onto a USB stick
2. Derek plugs the USB stick into his computer
3. Zbot Trojan is installed
4. Zbot turns Derek's computer into a bot!
5. The trojan attempted to communicate with the command and control center, but Anti-Bot Software Blade detected the communication and blocked it.