Overview
• Security and networks
• Assessment
– Understand the what, who, and how
• Technology and Policy
– Problem specifics change at internet speed
– Ways of coping don’t
Security and Networks
• From 643 respondents to the “2000 Computer Crime and Security Survey” (CSI/FBI):
– 90% Detected security breaches
– 74% Acknowledged financial loss
– 25% Detected system penetration from outside the organization
– 19% Reported 10 or more incidents
What the Statistics Mean
• We don’t really know the prevalence of computer security breaches
• Low response rate to surveys
• Corporations and governments won’t share information
• Successful attacks often come from inside
• Actual financial losses are probably overstated
The Latest Trends
• Old ideas get new life
– Yet Another DDoS Tool: Trinity
– More Viruses
• Alternate data streams (NTFS)
• Mobile Devices
– Web Page Hacks
• FrontPage still insecure
• Database insecurities
Assessment
• Starting from Nothing
– Assets - What are you protecting?
– Risks - What can be wrong?
– Threat Agents - Who might attack?
– Methods - How do they attack?
What are you protecting?
• Each component of the network
– Web servers
– Routers
– Accounting systems
– Mail Servers
– Modem Banks
• Don’t forget the data
What can be wrong?
• Poor software configuration
• Missing patches
• Bad passwords
• No logs
• No sysadmin attention
Who might attack you?
• Hackers
– A few talented people provide tools for thousands of kids
– rootshell.com, insecure.org contain hundreds of tools
– Opportunity targets
• Customers
– Themselves
– Through stolen/guessed passwords
Who might attack you? (2)
• Insiders
– Through malice
– Carelessness
– Overwork
• Competitors
– “Denial of Service” attacks make you look bad
– Customer lists for marketing
How Outsiders Attack
• Look for known weaknesses
– Misconfigured software
– Much software ships with a “more secure” configuration available, but it is not turned on out of the box
– Outdated software with known problems
– Bad passwords
How outsiders attack (2)
• Scanning tools (SATAN, sscan)
– Make finding problems easy
• Exploit tools
– Make taking advantage of problems easy
• Stealth tools
– Make erasing logs easy
– Caveat: logs kept only on the compromised host cannot be trusted afterwards; copy them to a separate loghost as they are written
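The two slides above describe the attacker's first step: find services running outdated software with known problems, using a scanner so the finding is cheap. As an added example (not code from the original slides), here is a small banner-grab scanner in Python that does the same thing for the defender: connect to each port, read the greeting the service volunteers, parse the product and version out of it, and flag anything below the version floor your patch policy sets. The VERSION_FLOOR table, the banner regex and the local fake listener used for the demo are constructed assumptions, not a real vulnerability database; fill the table from your own patch baseline.

```python
"""Banner-grab scanner that flags services advertising a version below the
floor your patch policy sets.  Added example, not code from the original
slides; the VERSION_FLOOR table and the local listener are constructed."""
import re
import socket
import threading

# Constructed policy: product -> lowest version counted as patched.
# Illustrative assumption, not a vulnerability database; fill it from your
# own patch baseline.
VERSION_FLOOR = {
    "OpenSSH": (3, 0),
    "ProFTPD": (1, 2, 10),
}

# Matches the common banner shapes: "SSH-1.99-OpenSSH_2.1.1",
# "220 ProFTPD 1.2.0 Server ready", "Apache/2.2.3 (Unix)".
BANNER_RE = re.compile(
    r"(?:SSH-[\d.]+-)?"        # optional SSH protocol prefix
    r"([A-Za-z][A-Za-z0-9]*)"  # product name
    r"[ _/]+"                  # separator: OpenSSH_2.1.1, ProFTPD 1.2.0, nginx/1.18
    r"(\d+(?:\.\d+)*)"         # dotted version number
)


def version_tuple(text):
    """'2.1.1' -> (2, 1, 1), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def check_banner(banner, floors=VERSION_FLOOR):
    """Classify one banner as (product, version, verdict)."""
    match = BANNER_RE.search(banner)
    if not match:
        return (None, None, "no-version")
    product, version = match.group(1), match.group(2)
    floor = floors.get(product)
    if floor is None:
        return (product, version, "unknown-product")
    verdict = "below-floor" if version_tuple(version) < floor else "ok"
    return (product, version, verdict)


def grab_banner(host, port, timeout=3.0):
    """Connect and read whatever the service volunteers first.  Services that
    wait for the client to speak (HTTP, for example) return an empty string."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(256)
        except socket.timeout:
            return ""
    return data.decode("ascii", errors="replace").strip()


def scan(host, ports, floors=VERSION_FLOOR, timeout=3.0):
    """Return (port, banner, product, version, verdict) for each open port."""
    findings = []
    for port in ports:
        try:
            banner = grab_banner(host, port, timeout)
        except OSError:
            continue  # closed or filtered: nothing to report
        findings.append((port, banner) + check_banner(banner, floors))
    return findings


def start_fake_service(banner):
    """Constructed stand-in for a real daemon: listens on an ephemeral
    127.0.0.1 port, sends the banner once, then exits.  Returns the port."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    port = server.getsockname()[1]

    def serve():
        conn, _ = server.accept()
        conn.sendall(banner.encode("ascii") + b"\r\n")
        conn.close()
        server.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Constructed targets: an old OpenSSH and a ProFTPD at the floor.
    ports = [start_fake_service("SSH-1.99-OpenSSH_2.1.1"),
             start_fake_service("220 ProFTPD 1.2.10 Server ready")]
    for port, banner, product, version, verdict in scan("127.0.0.1", ports):
        print(f"{port:5d}  {verdict:16s} {product} {version}  ({banner})")
```

Two practical limits to keep in mind: a banner is only what the service claims, so a vendor backport can look "below floor" while being patched, and services that wait for the client to speak first yield nothing here, so treat "no-version" as "check by hand", not "clean".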
How insiders attack
• Exactly the same as outsiders
– Except that they already have accounts, know where the valuable data is, and are trusted, so they are more effective
What to do about it?
• Policies and Procedures for Security
– What are you protecting?
– What's in place to protect it?
• Training and knowledge throughout the organization
– Do system managers know that security is a priority?
– Do they have the skills and training to execute?
What to do about it? (2)
• Design for Defense
– Separation of Responsibility
– Least Privilege Required
• Tools
– Software to implement and enforce the design
Governing Principles
• Integrity
– Strong internal controls on the security of the applications and data
• Confidentiality
– Strong security on user access and data transmissions
• Availability
– Failsafe components, fault tolerance, internal availability monitoring
• Accountability
– Full internal auditing, tie-ins to change control systems
The Policy Process
• High level security process
• Begins with policy definition
• Implementation forms a separate low-level process
• Compliance reporting summarizes status vis-à-vis the defined policy
The Implementation Process
• Lower level IT process
• Assess against pre-defined policy
• Results inform remediation planning
• Implement fixes
• Repeat
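The “What can be wrong?” list earlier (poor configuration, missing patches, bad passwords, no logs, no sysadmin attention) and the two process slides above fit together as one loop: policy is written down once, each sweep assesses hosts against it, the report is the gap, the plan orders the fixes, and the sweep runs again. As an added example (not from the original slides), this Python sketch encodes that loop with the policy as data. The POLICY thresholds, the HostState fields and the three sample hosts are constructed assumptions; in practice the HostState records would come from an inventory or scanner, and apply_fix would be a change ticket rather than a field update.

```python
"""Policy-as-data compliance check: assess hosts against a written policy,
report status, plan remediation, fix, and repeat until clean.  Added
example, not from the original slides; policy values and hosts are constructed."""
from dataclasses import dataclass
from datetime import date

# Constructed policy.  Thresholds are illustrative assumptions; the point is
# that they live in one place every compliance report is measured against.
POLICY = {
    "max_patch_age_days": 30,
    "min_password_length": 8,
    "require_remote_syslog": True,
    "forbid_root_login": True,
    "max_days_since_admin_review": 14,
}

TODAY = date(2000, 11, 1)  # constructed assessment date


@dataclass
class HostState:
    """What one assessment sweep collects about a system."""
    name: str
    last_patch: date
    weakest_password_len: int  # from a password audit; passwords are never stored
    remote_syslog: bool        # logs copied off-host as they are written
    permit_root_login: bool    # direct root login over the network allowed
    last_admin_review: date


def assess(host, policy, today):
    """Return (finding, detail) pairs where the host violates policy."""
    findings = []
    patch_age = (today - host.last_patch).days
    if patch_age > policy["max_patch_age_days"]:
        findings.append(("missing-patches", f"{patch_age} days since last patch"))
    if host.weakest_password_len < policy["min_password_length"]:
        findings.append(("bad-passwords", f"shortest password is {host.weakest_password_len} chars"))
    if policy["require_remote_syslog"] and not host.remote_syslog:
        findings.append(("no-logs", "syslog not forwarded off-host"))
    if policy["forbid_root_login"] and host.permit_root_login:
        findings.append(("poor-configuration", "remote root login permitted"))
    review_age = (today - host.last_admin_review).days
    if review_age > policy["max_days_since_admin_review"]:
        findings.append(("no-sysadmin-attention", f"{review_age} days since last review"))
    return findings


def compliance_report(hosts, policy, today):
    """Status vis-a-vis policy: per-host findings plus the compliant fraction."""
    report = {h.name: assess(h, policy, today) for h in hosts}
    compliant = sum(1 for f in report.values() if not f)
    return report, compliant / len(hosts)


def remediation_plan(report):
    """Group findings by kind, most widespread first, so each class of fix is
    scheduled once instead of host by host."""
    by_kind = {}
    for host, findings in report.items():
        for kind, _ in findings:
            by_kind.setdefault(kind, []).append(host)
    return sorted(by_kind.items(), key=lambda item: -len(item[1]))


def apply_fix(host, kind, policy, today):
    """Stand-in for the real change: records the state the next sweep will see."""
    if kind == "missing-patches":
        host.last_patch = today
    elif kind == "bad-passwords":
        host.weakest_password_len = policy["min_password_length"]
    elif kind == "no-logs":
        host.remote_syslog = True
    elif kind == "poor-configuration":
        host.permit_root_login = False
    elif kind == "no-sysadmin-attention":
        host.last_admin_review = today


def run_until_compliant(hosts, policy, today, max_cycles=10):
    """Implementation loop: assess, fix the top class from the plan everywhere,
    repeat.  Returns the number of open findings seen at each cycle."""
    history = []
    for _ in range(max_cycles):
        report, _fraction = compliance_report(hosts, policy, today)
        history.append(sum(len(f) for f in report.values()))
        plan = remediation_plan(report)
        if not plan:
            break
        kind, names = plan[0]
        for host in hosts:
            if host.name in names:
                apply_fix(host, kind, policy, today)
    return history


def sample_hosts():
    """Constructed sweep results for three systems."""
    return [
        HostState("web", date(2000, 8, 1), 6, False, True, date(2000, 10, 25)),
        HostState("mail", date(2000, 10, 20), 10, False, False, date(2000, 9, 1)),
        HostState("router", date(2000, 10, 28), 12, True, False, date(2000, 10, 30)),
    ]


if __name__ == "__main__":
    report, fraction = compliance_report(sample_hosts(), POLICY, TODAY)
    for name, findings in report.items():
        print(name, findings or "compliant")
    print(f"{fraction:.0%} of hosts compliant; plan: {remediation_plan(report)}")
    print("open findings per cycle:", run_until_compliant(sample_hosts(), POLICY, TODAY))
```

Fixing one finding class per cycle is a deliberate choice: it matches how a small team actually schedules work, and it makes the per-cycle count the progress measure rather than the all-or-nothing compliant fraction, which stays flat until the last host is clean.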
Policies
• Know what you want to protect, and why
– This lets you do cost benefit analysis
• Know who you want to protect it from
– This lets you design your defenses
• Know what to do
– Policies need to define actions
Policies
• Involve the Stakeholders
– Managers to focus on business case
– Technical staff to focus on what's possible and effective
– Everyone to commit to goals
Why Do Policies Fail?
• Lack of stakeholder support
• Too much complexity
• Organizational politics
Organizational Politics
• Common organization
– Centralized security body
– Distributed system administration
• The two end up in tension and working at cross-purposes unless policy assigns responsibilities clearly