Security in All Its States

Simon FRANCOIS, Network and Security Manager

www.segi.be [email protected]

11/03/2014

Upload: interface-ulg-liege-science-park

Post on 09-Aug-2015


.: We don’t mess with Security :.

© 2013 SEGI ULg – Simon FRANCOIS

.: Agenda :.

- General Security Basics
- Threats
- Hints and Best Practices
- An eye on ULg
- Responsibilities

© 2014 SEGI ULg – Simon FRANCOIS

.: Basics : the Triad :.

- CIA
  - Confidentiality
  - Integrity
  - Availability

.: Basics : Broad Spectrum :. according to CISSP CBK

- Access control
- Software development
- BCP & DRP
- Cryptography
- IS Governance and Risk Management
- Legal, Regulations, Investigations, Compliance…
- Security Operations
- Physical (Environment) Security
- Security Architecture and Design

.: Basics : Deeper in Access Control :. according to CISSP CBK

.: Basics : not that obvious :. according to Sean Bean


.: Threats : they are Legion (1) :.

.: Threats : they are Legion (2) :.

.: Threats : sad truths :. It’s a trap!

- 80% of exploits rely on well-known weaknesses that haven’t been addressed (Source: Verizon 2013Q4)
- The biggest flaw is the human factor
- You won’t stop a determined hacker; you play a game where he’s one step ahead


.: BP : the cost of security :. How valuable are your assets?

[Figure: percentage of blocked threats, with axis marks at 99% and 100%]

Risk = (Vulnerability * Exposure) - Security

.: BP : every layer its job :.

- Let firewalls and routers deal with IP. Not your code, not your server.
- Let centralized services (AAA, monitoring) deal with their responsibilities. Not your code.
- Let the OS libraries do their job. Don’t override if not vital.

.: BP : Secure everything :.

- Security must become a reflex action
  - Don’t add security a posteriori
  - Think, build and develop with security in mind
- Use TLS as often as possible
  - As a client: choose smtpS, imapS…
  - As a provider: force httpS, Sftp…
- AAA your users
  - No anonymous connection (unless public)
  - Keep track and liability

.: BP : Logs! Logs! Logs! :.

- Keep logs of everything
  - Network devices, servers, OS events, personal computers, applications…
  - Only way to analyze, understand, a posteriori
- Use accounting for users’ activity
  - Liability
- Legal matters
- Have your logs analyzed by software


.: Information System @ ULg :. Systems side

- 2 datacenters with High Availability
  - 2 secured rooms, 3 km apart
  - Many 10 Gbps direct optical fibers
  - NetApp Metrocluster
- 260 TB storage, 150 TB VTL
- Supercomputer (1920 cores; 7.7 TB RAM)
- > 1,000 servers
- > 95% virtual
- All of the above hosted @SEGI! Many more across campus…

.: Information System @ ULg :. Network side

- 50,000 network access wall plugs
- 1,800 WiFi access points
- 500 switches; 15 core routers (10 Gbps partial mesh)
- > 30 firewalls
- 2 next generation firewalls (NGFW) since 2009
- 2x 1 Gbps through Belnet (> 20 TB/7 TB per month)
- Kind of Internet Service Provider

.: Information System @ ULg :. Institutional security features

- Virtual network split (VLAN; VRF)
- Local firewalls
- Internet border firewalls and NG firewalls
  - IDS / IPS = Threat prevention
  - URL filtering: dangerous or dubious websites
- Antispam
- Antivirus

.: Information System @ ULg :. Security side

- Hundreds of thousands of automatic attacks denied each… day.
  - SQL injection, brute force, C&C traffic, stack overflow, SIP spyware…
- Phishing still works fine, at every attempt
- Locally managed servers are barely updated
- Personal passwords: shared, easy to find…
- No auth apps, infected BYOD…


.: Responsibilities :.

- Security fails because of the weakest link
- → Security is everyone’s responsibility!
- We want YOU to share, inform, educate, help, correct… others.

Q & A’s [email protected]