managing the integrity of employee devices and data
Post on 19-Oct-2014
Managing the Integrity of Employee Devices and Data
“Security Life Cycle Best Practices”
Pacific NW Digital Gov’t. Summit
David Cantey, CISSP, SCSP, Principal Systems Engineer, Symantec Corporation
Agenda
• Key Security Challenges
• Current risk perspective
• Customer Scenario: Homeland Security = Client Security
• Security best practices in the larger management picture
Common Public Sector Security Requirements:
• Customer/Citizen trust: Safeguard privacy, sensitive data
• Continuity of operations: Smooth recovery during crises
• Demonstrate preparedness: Ability to spot new dangers
• Security management: Is security actually “happening?”
• Create/maintain safe IT environment: Resolve vulnerabilities
• Comply with applicable regulatory measures: HIPAA, FISMA
• Obtain some tangible measure of security benefit to the organization
As applied to end users and their devices:
• Perimeters are disappearing: Tablet PCs, laptops, handhelds, etc. must be able to securely operate outside the office defenses
• Hardening devices with disparate firewall, antivirus, intrusion prevention, etc. is complex and/or degrades device performance
• With mobile assets accompanying individuals in new, joint environments, trust depends on consistent standards
• The “undesired” ranks are expanding: Need solutions that encompass relatively recent threats via P2P sharing, adware, spyware, etc. without undue burden
• Blurring lines between “securing” IT assets across the board and assuming “management” of these items.
• What do we own? Asset management is a significant security impediment in large organizations.
• Beyond users’ credentials, how safe is their machine and data?
World-Wide Attack Trends (chart, 1996-2003): Malicious Code Infection Attempts* (left axis, 0-150,000) and Network Intrusion Attempts** (right axis, 0-900M), annotated with the successive threat eras Polymorphic Viruses (Tequila), Mass Mailer Viruses (Love Letter/Melissa), Zombies, Denial of Service (Yahoo!, eBay) and Blended Threats (CodeRed, Nimda, Slammer).
*Analysis by Symantec Security Response using data from Symantec, IDC & ICSA; 2003 estimated. **Source: CERT
Attack Trend Highlights:
• Security Focus: Almost one third of all attacking systems targeted the vulnerability exploited by Blaster and its successors. Other worms that surfaced in previous periods continue to survive and target Firewall and IDS systems globally. A sufficient number of unpatched systems remain to sustain them.
Rank  Port        Description                                       Percentage of Attackers
1     TCP/135     Microsoft / DCE-Remote Procedure Call (Blaster)   32.9%
2     TCP/80      HTTP / Web                                        19.7%
3     TCP/4662    E-donkey / Peer-to-peer file sharing              9.8%
4     TCP/6346    Gnutella / Peer-to-peer file sharing              8.9%
5     TCP/445     Microsoft CIFS Filesharing                        6.9%
6     UDP/53      DNS                                               5.9%
7     UDP/137     Microsoft CIFS Filesharing                        4.7%
8     UDP/41170   Blubster / Peer-to-peer Filesharing               3.2%
9     TCP/7122    Unknown                                           2.5%
10    UDP/1434    Microsoft SQL Server (Slammer)                    2.4%
Software Vulnerabilities (chart, source: Bugtraq Vulnerabilities): average number of new vulnerabilities discovered every week, 1999 through 2003; data labels 10, 25, 30, 50, 60.
Vulnerability Trend Highlights
• Security Focus reports that 70% of the vulnerabilities found in 2003 could be easily exploited, due to the fact that an exploit was either not required or was readily available. This is a 10% increase over 2002, where only 60% were easily exploitable.
Percentage of Easily Exploitable New Vulnerabilities (chart): percentage of vulnerabilities (0-100%) by month, Jan02 through Nov03.
Current Vulnerability Management expenditure (diagram): vulnerability activity over time, with the events Vulnerability Discovered (T0), Vulnerability Signature Issued / Safeguard posted (T1), Major Vulnerability Exposure / Outbreak (T2) and Vulnerability Safeguard Applied (T3). The BEST ROI region lies before T2 and the TOO LATE region after it; spending occurs here: at T3.
Vulnerability Management Best ROI t0-t2 (diagram): same events and axes; spending needs to occur pre T2 (Best $$).
Malicious Code Trend Highlights
• Two and a half times the number of Win32 viruses and worms were released in 2003 than over the same period in 2002. Over the second half of 2003, more than 1702 new Win32 viruses and worms were documented, a 250% increase over the 687 documented in the second half of 2002.
New Win32 Viruses and Worms (chart): number of viruses and worms per half-year period
Jan 1, 2001 - Jun 30, 2001: 308
Jul 1, 2001 - Dec 31, 2001: 433
Jan 1, 2002 - Jun 30, 2002: 445
Jul 1, 2002 - Dec 31, 2002: 687
Jan 1, 2003 - Jun 30, 2003: 994
Jul 1, 2003 - Dec 31, 2003: 1702
Malicious Code Trend Highlights
• Blended threats make up 54% of the top ten submissions over the past six months.
• Blended threats have begun targeting core operating system component vulnerabilities
– More widespread than the server software targeted by previous network-based worms
– Much higher density of vulnerable systems.
• These worms are also driven by two other factors:
– The decrease in time between vulnerability disclosure and release of exploit code
– The overall increase in exploit code development.
• Within the top ten malicious code submissions, the number of mass-mailer worms with their own mail engine increased by 61% over first half of 2003.
What do these statistics mean?
• Users’ devices are increasingly targeted for attack:
• More vulnerabilities in:
– Core operating system components
– Common desktop applications (e.g. browsers)
– Threats growing around instant messaging apps, P2P, etc.
– E-mail remains a troubling attack avenue. Example: one out of every 12 messages carried MyDoom in Jan. 2004
• With computing power and applications pushed to new locations (border checkpoints, vehicles, etc.), protections need to be in place to prevent widespread compromise
One Mid-Atlantic county’s experience:
• New crisis command center forced client system access across fire, police and rescue agencies, plus transportation, FEMA, and others
– No consistent security tools/configurations in place, even among same-jurisdiction agencies.
– Significant fears of infection, cleanup, re-infection…
• Rapid proliferation of computers in multiple locations and vehicles
– “Workstations” in police cruisers, command vans, etc.
– Many with no OEM security
– Need to only permit trusted devices to connect, as security is pushed to all machines
• IT staffs under CIO’s office and those supporting first responders had different perspectives on priorities, including security
• The need to share data rapidly helped define security challenges
County Deploys Client Firewall with Antivirus:
• Client antivirus, firewall and intrusion protection
• Centrally managed
• Resource-efficient footprint
• Easy transparent updates
• Blocks numerous attacks by default
• Stops outbound activity that is suspect or malicious, containing damage
• VPN compliance permits VPN access only when policies are met (e.g. IDS enabled, AV definitions current)
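As an added illustration of the VPN compliance rule above (not code from the deck or from any Symantec product), a posture check that grants VPN access only when the client firewall and IDS are enabled, antivirus definitions are recent and no critical patches are missing; the DevicePosture fields, the seven-day definition-age limit and the sample hosts are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Hypothetical posture report a client agent would submit before VPN admission.
@dataclass
class DevicePosture:
    host: str
    firewall_enabled: bool
    ids_enabled: bool
    av_definitions_date: date      # date of the installed antivirus signatures
    missing_critical_patches: int

# Hypothetical policy threshold (constructed, not taken from the deck).
MAX_DEFINITION_AGE_DAYS = 7

def evaluate_vpn_access(p: DevicePosture, today: date) -> tuple[bool, list[str]]:
    """Return (permitted, reasons). Access is permitted only if every check passes."""
    failures: list[str] = []
    if not p.firewall_enabled:
        failures.append("client firewall disabled")
    if not p.ids_enabled:
        failures.append("intrusion detection disabled")
    age = (today - p.av_definitions_date).days
    if age > MAX_DEFINITION_AGE_DAYS:
        failures.append(f"antivirus definitions {age} days old (limit {MAX_DEFINITION_AGE_DAYS})")
    if p.missing_critical_patches > 0:
        failures.append(f"{p.missing_critical_patches} critical patch(es) missing")
    return (not failures, failures)

# Constructed sample postures: one compliant cruiser, one non-compliant command van.
TODAY = date(2004, 3, 1)
SAMPLE = [
    DevicePosture("cruiser-17", True, True, date(2004, 2, 27), 0),
    DevicePosture("cmdvan-02", True, False, date(2004, 1, 10), 2),
]

def admission_report(postures=SAMPLE, today=TODAY) -> dict[str, tuple[bool, list[str]]]:
    """Evaluate every posture and map host name to its (permitted, reasons) decision."""
    return {p.host: evaluate_vpn_access(p, today) for p in postures}

if __name__ == "__main__":
    for host, (ok, why) in admission_report().items():
        print(host, "PERMIT" if ok else "DENY", "; ".join(why))
```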
Place Users & Devices Within Core Security Functions (diagram: Alert, Protect, Manage and Respond arranged around Proactive Control)
Alert: Early awareness of threats; listening posts
Protect: Prevent unwanted attacks; detect physical breaches; security of information assets
Respond: Internal (Workflow, Auto-configuration, Disaster recovery); External (Hotline, Signature updates)
Manage: Environment (Policies and Vulnerabilities, Device/Patch Configuration, User Access, Identity Management); Information (Events and incidents)
Alert: Spotting the ‘Blaster’ worm early
Notifications (chart: IP Addresses Infected With The Blaster Worm)
7/16 - initial alerts on the RPC DCOM attack
7/23 - warnings of suspected exploit code in the wild. Advice to expedite patching.
7/25 - exploit code confirmed in the wild. Clear text IDS signatures released.
8/5 - warnings of impending worm.
8/7 - activity is being seen in the wild.
8/11 - Blaster worm breaks out.
Protect – multi-tier, multi-layer, integrated (Gateway, Client, Server)
• Gateway Security
– Virus Protection
– Content Filtering
– Firewall
– Intrusion Detection
– Common Install, Management and Content Update
• Client Security
– Virus Protection
– Content Filtering
– Firewall
– Intrusion Detection
– Common Install, Management and Content Update
• Server Security
– Virus Protection
– Content Filtering
– Vulnerability Mgmt.
– Intrusion Detection
– Common Install, Management and Content Update
Respond
• Combine technology with proactive and reactive intelligence…
– Anticipate new threats
– Develop and practice emergency response teams
– Respond to security outbreaks with intelligence and fix tools from your security partner
• …and minimize damage
– Lost revenue
– Repair costs to bring systems back online
– Lost productivity
– Damage to reputation/brand
Manage
• Collect and log security events from all sources of input
• Correlate (real-time and statistical), analyze, identify and report incidents
• Execute a continuous vulnerability assessment
• Ensure policy compliance
• Recommend action and track workflow
• Present a real-time dashboard
• Link to other management systems
• Apply automated remediation
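An added example of the collect, correlate and identify steps above (not from the deck or any product): it correlates constructed firewall log lines in a hypothetical format and flags any source that reaches many distinct hosts on TCP/135, the port the attack-trend table earlier in the deck ranks first; the log format, the five-target threshold and the 60-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines in a hypothetical format (not a real product's).
SAMPLE_LOG = """\
2003-08-11T14:02:01 DENY TCP 10.1.2.3:3421 -> 10.1.5.7:135
2003-08-11T14:02:01 DENY TCP 10.1.2.3:3422 -> 10.1.5.8:135
2003-08-11T14:02:02 DENY TCP 10.1.2.3:3423 -> 10.1.5.9:135
2003-08-11T14:02:02 ALLOW TCP 10.1.2.9:4001 -> 10.1.0.5:80
2003-08-11T14:02:03 DENY TCP 10.1.2.3:3424 -> 10.1.5.10:135
2003-08-11T14:02:03 DENY TCP 10.1.2.3:3425 -> 10.1.5.11:135
2003-08-11T14:09:00 DENY TCP 10.1.2.7:5000 -> 10.1.5.7:135
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse(log: str):
    """Yield (timestamp, proto, dport, src, dst); malformed lines are skipped, not fatal."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["proto"], int(m["dport"]),
                   m["src"], m["dst"])

def find_scanners(log: str, port: int = 135, proto: str = "TCP",
                  min_targets: int = 5, window: timedelta = timedelta(seconds=60)):
    """Map each source that touches >= min_targets distinct hosts on proto/port
    within one window to (window start, sorted target list)."""
    events = defaultdict(list)
    for ts, p, dport, src, dst in parse(log):
        if p == proto and dport == port:
            events[src].append((ts, dst))
    incidents = {}
    for src, hits in events.items():
        hits.sort()                      # sliding window over time-ordered hits
        for i, (start, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - start <= window}
            if len(targets) >= min_targets:
                incidents[src] = (start, sorted(targets))
                break                    # one incident per source is enough to report
    return incidents

if __name__ == "__main__":
    for src, (start, targets) in find_scanners(SAMPLE_LOG).items():
        print(f"{start.isoformat()} {src} swept {len(targets)} hosts on TCP/135")
```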
The Reality of Converging Management Requirements: Central
• Assure security policy compliance
• Receive early awareness of threats
• Prevent & detect attacks & breaches
• Protect privacy of information
• Rapidly & easily recover from loss of critical systems & information
• Ensure via policies that adequate storage is available for applications & backup
• Create secure archives for preserving information assets
• Discover & track HW/SW assets
• Provision, update & configure systems via automated policies
• Instantly push security patches & signatures to all managed devices
• Assure software license compliance & remove unauthorized applications
• De-provision & repurpose systems securely
Ensuring the security and availability of end users and their client systems
• Threat, vulnerability & event-driven patch & configuration management
• Policy-driven backup
• Monitor storage resources & perform corrective action
• System & data recovery
• Threat, vulnerability & event-driven backup
• Recovery from attack
Summary
• Public and private IT innovation hinges on trust
• Consider mission requirements in fielding protection for end users and their devices
• Consider integrated solutions as a means to simplifying security across portable assets
• View APRM model as the means to give each device (and its user profile) a secure lifespan from installation through replacement
• Eliminate security/storage/system silos – they are all integrity-relevant. The only secure IT assets are managed IT assets.
Thank You!
Questions?