The Credit Union National Association (CUNA) issued a statement on Friday, April 26th, 2013 that a possible widespread Distributed Denial of Service (DDoS) attack may take place on Tuesday, May 7th, 2013. Despite the numerous warnings, CUNA has offered little advice on how to manage the situation and mitigate an attack. Realizing the severity of the situation, RedZone has put together 5 practical ways to mitigate against a DDoS happening to you, presented via GoToWebinar on Wednesday, May 1st, 2013.
The types of attacks we reviewed were:
1. Pure network attack against the credit union
2. Pure network attack against the ISP router
3. Content DDoS
4. DNS DDoS
5. Random Botnet attack
We also answered the following questions:
• What does it mean?
• What are your Zero day protection options?
• What to check on your security products?
• How to enable Global IP protection?
• How do I detect fraud communication in advance?
• What are some vendor product options?
Credit Union - DDoS (Distributed Denial of Service) Attacks?
Virtual Education Session May 2nd | 4 – 4:45pm
Moderator: Kristine Wilson
Presenters: Bill Murphy and James Crifasi
Live Tweet from the event! @TheRedZoneCIO
Schedule of Events
Learn 5 Practical Things A Credit Union Can Do To Prevent An Attack
4:00p – 4:30p Presentation (If Lucky)
4:30p – 4:45p Q&A
About Bill Murphy
• President and Founder
• RedZone Technologies
• ThunderDG
• MA DR Solutions
• Beyond Limits Magazine
• Keep In Touch With Bill: @TheRedZoneCIO | CIO Executive Series | [email protected]
About James Crifasi
• CTO of RedZone Technologies
• Co-Founder ThunderDG
• Co-Founder MA DR
• University of Maryland Graduate | B.A. Criminology & Criminal Justice | B.S. Computer Science – Algorithmic Theory & AI | M.S. Interdisciplinary Management
• Keep In Touch With James: [email protected]
Assessment: IT Architecture and Design
Integration: Security| Disaster Recovery| Infrastructure
Managed Service Programs
Cloud Brokerage
Agenda – Types of attacks To Be Reviewed
1. Pure network attack against the credit union
2. Pure network attack against the ISP router
3. Content DDoS
4. DNS DDoS
5. Random Botnet attack
Agenda – Questions To Be Answered
• What does it mean?
• What are your zero-day protection options?
• What to check on your security products?
• How to enable global IP protection?
• How do I address potential fraud communication in advance?
• What are some vendor solutions?
Set The Stage
Insidious Plots
Sources: InformationWeek.com, DarkReading.com, RSA
What Do They Want?
“Their tactics have been succeeding. They will be back for more because they are getting what they want.”
- Avivah Litan, a Gartner analyst who tracks DDoS.
Source: CU Times
1. Primary objective appears to be to create uncertainties about the reliability and dependability of the United States’ financial system and knock many big banks off line – mission accomplished.
2. Headlines
Source: RSA
What Does It Mean?
• Being down
• Unable to update members on situation
• Greater risk of attacks on members (Phishing)
Source: Tosh.ComedyCentral.com
Our Philosophy – Be Proactive
Source: Google Images
Whack-A-Mole? Reactive!
Source: Google Images
Security When Under The Gun
Source: Google Images
Our Approach When Time Is Of the Essence
• Review critical network components
• Communication with members
• Let board know there are no guarantees
How Can a Credit Union prepare and respond during an attack?
An attack can last from hours to days…
Three Phases Are Needed
1. Pre-Attack Phase
• Readying for an attack
• Securing mitigation solutions, deploying appropriate security systems, etc.
2. During the Attack Phase
• Assemble the required manpower and expertise
• Considering that you may only experience a few attacks per year
3. Post-Attack Phase
• Conducting forensics, drawing conclusions and improving for the next attack
• Search for additional competencies externally - from security experts, vertical alliances, or government services
• On-demand service
Our Approach When Not Under The Gun
Logic | Assessment | Portfolio Investment
• Review Security Portfolio
• Develop 24 month investment roadmap
• Identify Gaps
• Remediate Gaps
• Let Board know there are no guarantees
**Don’t make it easy for them (attackers)
Security Scoreboard
Multi-year Security, Identity and Privacy Strategy (SIP), driven by Compliance Requirements
Capability areas: Client Integrity | Intelligent Perimeters | Identity Access Control | Enterprise Single Sign On | Provisioning/Deprovisioning | Authentication | Authorization & Roles | Directory - Foundation
Technologies on the scoreboard:
• PC firewalls, USB Mgmt
• Laptop Mgmt, Email Encryption
• Firewalls, UTM devices
• IDP/IDS, SPAM Filters
• VPNs, SSL/VPN, Web Mail
• Two factor Authentication
• Biometrics, Key fob (two factor)
• Secure Password Management and Building access Mgmt through an Appliance or Application rewriting
• Single Directory with process and system ‘tie-ins’, Federation
• Strategic Creation of Roles based on job function, not individualized on a per user basis
• Microsoft AD, Novell, Open LDAP, etc.
Underpinned by: Monitor | Logging | Reporting
Source: RedZone Technologies
Pure Power Is a Big Enabler
• Attacks reach 40+ gigabits/second
• Attacker only needs 2,000+ servers
• Targets have to invest substantial resources to defend
• Reflective DNS attacks still major “weapon”
• Tactics have adapted to counter measures
• Attacks are more intelligent and deadly
Source: RSA
Pure Network Attack Against the Credit Union
Diagram labels: The CU, Server (Any)
Source: RSA
Pure Network Attack Against the ISP Router
Diagram labels: ISP Router, CU Security Gear
Sources: droidguy.com (image), RSA
Content DDoS
Normal: ask for one file and wait for answer
DDoS: ask for hundreds of files and ignore answer
Diagrams: Example 1, Example 2
Source: RSA
Content DDoS
One example of content DDoS is using the server’s SSL certificate against it.
Source: Radware
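The asymmetry on the two Content DDoS slides above (one request-and-wait versus hundreds of requests with the answers ignored, plus the server-side cost of repeated SSL handshakes) is what per-client rate limiting addresses on the defensive side. The following Python is an added example written for this page, not code from RedZone, RSA or Radware. The client addresses, the request trace, the rate of 5 requests per second, the burst of 10 and the cost of 4 tokens per full TLS handshake are all constructed assumptions.

```python
"""Per-client token-bucket rate limiting as a content-DDoS mitigation (added example)."""
from collections import defaultdict


class TokenBucketLimiter:
    """Each client starts with `burst` tokens, refilled at `rate` tokens/second.

    A request is served only if enough tokens remain. Expensive requests
    (a fresh TLS handshake, a large file) can be charged more than one token,
    so a client that keeps forcing the server to do expensive work is cut off
    sooner than a client asking for cheap pages.
    """

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self._tokens = {}   # client -> tokens remaining
        self._last = {}     # client -> timestamp of last request

    def allow(self, client, now, cost=1.0):
        tokens = self._tokens.get(client, self.burst)
        last = self._last.get(client, now)
        # Refill proportionally to elapsed time, capped at the burst size.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        self._last[client] = now
        if tokens >= cost:
            self._tokens[client] = tokens - cost
            return True
        self._tokens[client] = tokens
        return False


# Constructed request trace: (timestamp in seconds, client IP, token cost).
SAMPLE_TRACE = (
    # A normal member: one request per second, waits for each answer.
    [(100.0 + i, "10.0.0.5", 1.0) for i in range(5)]
    # Content DDoS: hundreds of requests in the same instant, answers ignored.
    + [(100.0, "203.0.113.9", 1.0) for _ in range(200)]
    # Repeated full TLS handshakes, each charged 4 tokens (assumed cost).
    + [(100.0, "198.51.100.2", 4.0) for _ in range(3)]
)


def run_trace(trace, rate=5, burst=10):
    """Replay a trace through the limiter; return allowed/denied counts per client."""
    limiter = TokenBucketLimiter(rate, burst)
    stats = defaultdict(lambda: {"allowed": 0, "denied": 0})
    # Stable sort keeps same-timestamp requests in their original order.
    for ts, client, cost in sorted(trace, key=lambda r: r[0]):
        verdict = "allowed" if limiter.allow(client, ts, cost) else "denied"
        stats[client][verdict] += 1
    return dict(stats)


if __name__ == "__main__":
    for client, counts in run_trace(SAMPLE_TRACE).items():
        print(f"{client:15} allowed={counts['allowed']:4} denied={counts['denied']:4}")
```

The normal member is never denied because its bucket refills between requests, the flooding client gets only its initial burst served, and the handshake-heavy client is stopped after two handshakes. In production this logic lives in the load balancer or web application firewall named on the "What To Check" slide rather than in application code.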
DNS DDoS (Amplification)
Diagram label: CU Members
Source: RSA
Random Botnet
Diagram label: Credit Union
Source: RSA
What To Check
• Firewall – Basic DDoS Network Protection
• Load Balancers – Network DDoS Protection
• ISP Router – does it answer to the internet? (do you let people ping?)
• Where is your DNS hosted? e.g. on a single server, with the ISP, self-hosted behind security (best), secure cloud-hosted (best)
• IDS/IPS and Security Services at the edge of your network
What To Check
Source: Ulrich, RSA
Defense
• Block DNS responses from servers that don’t need to see them
• Only answer queries for which server is authoritative
• Limit access to recursive name servers to internal users
Offense
• Attacker uses queries for which server is authoritative
• Attacker compromises servers with substantial bandwidth
• Use of “ANY” queries
• Use of EDNS0
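To make the Defense and Offense bullets concrete, here is an added Python example (not code from RSA, Ulrich or the presenters) that scans BIND-style query-log lines for the indicators listed above: recursion requested by external clients for zones the server is not authoritative for, ANY queries (with or without EDNS0), and a single external source issuing many queries. The log layout, the zone examplecu.test, the internal prefixes, the threshold of 3 queries and the five sample lines are all constructed assumptions.

```python
"""Scan BIND-style DNS query logs for amplification-risk indicators (added example)."""
import ipaddress
import re
from collections import Counter, namedtuple

# Assumed simplified BIND 9 query-log layout:
#   client <ip>#<port>: query: <name> IN <type> <flags> (<server-ip>)
# Flags: '+' recursion desired, '-' not desired, 'E' EDNS in use.
LOG_RE = re.compile(
    r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Site assumptions: zones this server is authoritative for, and its own client prefixes.
AUTHORITATIVE_ZONES = ("examplecu.test",)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

Finding = namedtuple("Finding", "source kind detail")

# Constructed sample log lines.
SAMPLE_LOG = [
    "01-May-2013 16:01:02.100 client 10.1.2.3#41000: query: www.examplecu.test IN A +E (192.0.2.10)",
    "01-May-2013 16:01:02.200 client 203.0.113.7#53211: query: www.examplecu.test IN A -E (192.0.2.10)",
    "01-May-2013 16:01:02.300 client 203.0.113.7#53212: query: isc.org IN ANY +E (192.0.2.10)",
    "01-May-2013 16:01:02.400 client 203.0.113.7#53213: query: ripe.net IN ANY +E (192.0.2.10)",
    "01-May-2013 16:01:02.500 client 198.51.100.9#40001: query: examplecu.test IN MX +E (192.0.2.10)",
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def in_authoritative_zone(name):
    n = name.rstrip(".").lower()
    return any(n == z or n.endswith("." + z) for z in AUTHORITATIVE_ZONES)


def parse_line(line):
    """Return the query fields as a dict, or None for lines that are not queries."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def analyze(lines, per_source_threshold=3):
    """Return Findings for external clients whose queries match the Offense patterns."""
    findings = []
    per_source = Counter()
    for line in lines:
        q = parse_line(line)
        if q is None:
            continue
        per_source[q["ip"]] += 1
        if is_internal(q["ip"]):
            continue  # internal users are allowed to recurse (Defense bullet 3)
        recursion_desired = q["flags"].startswith("+")
        uses_edns = "E" in q["flags"]
        # Defense bullet 2: only answer queries for which the server is authoritative.
        if recursion_desired and not in_authoritative_zone(q["name"]):
            findings.append(Finding(q["ip"], "open-recursion", q["name"]))
        # Offense bullets: ANY queries, amplified further by EDNS0 buffer sizes.
        if q["qtype"] == "ANY":
            kind = "any-query+edns" if uses_edns else "any-query"
            findings.append(Finding(q["ip"], kind, q["name"]))
    # One external source issuing many queries in a short window.
    for ip, n in per_source.items():
        if n >= per_source_threshold and not is_internal(ip):
            findings.append(Finding(ip, "high-rate", f"{n} queries"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.source:15} {f.kind:16} {f.detail}")
```

Each finding maps back to a Defense bullet: open-recursion hits are removed in BIND by restricting `allow-recursion` to internal addresses (or `recursion no;` on a purely authoritative server), and ANY or high-rate hits are what response rate limiting in recent BIND releases is designed to absorb. The "block DNS responses from servers that don't need to see them" bullet is a firewall rule rather than a log check, so it is not modelled here.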
Vendor Options
Vendor slides; Sources: Blue Coat, RSA
The Dell SonicWALL Threats Research Team discovered a new Trojan spreading through drive-by downloads from malicious links.
The Neglemir Trojan was found reporting to a Botnet infrastructure and performing DDOS (Distributed Denial of Service) attacks on selected targets in China.
During our analysis, we found it targeting various servers belonging to China Telecom as well as websites selling tools for The Legend of Mir, an online multiplayer roleplaying game.
• Web Application Firewalling – Content DDoS
• NSA UTM protection – Network DDoS
• Spam Filtering – Phishing Relevance
Source: Dell
A new malware threat for the Mac, called “Pintsized,” attempts to set up a secure connection for a remote hacker to connect through and grab private information.
This backdoor Trojan can be used to conduct distributed denial of service (DDoS) attacks, or it can be used to install additional Trojans or other forms of malicious software. The Trojan stays hidden by disguising itself as a file that is used for networked printers in Mac OS X.
This tactic conceals the Trojan and makes a monitor think that a printer is seeking access to the network, thus evading traditional signature-based detection systems. http://alrt.co/15ekmXW
Takeaway: Distributed denial-of-service attacks (DDOS) can be minimized or even completely mitigated by a properly planned Web security infrastructure consisting of global DNS as well as Web application firewalls.
• Web Security Monitor
• Threat Manager
Source: AlertLogic
In Summary - Plan
Source: Google Images
Upcoming Events
BYOD | MDM | Mobile Policy Management | Compliance | Advanced Threats (APTs) | Security Portfolio Investment Risk
In this symposium learning event, Credit Union IT Chiefs will learn to Go Hunting for Malware & Crimeware. We will cover 15 major areas of an IT Security and Infrastructure Best Practices program. Some highlights of the learning and education will be:
• Centralized deployment of applications and data
• BYOD, MDM and Mobility
• Perform Compliance functions with ease
• Increase Security effectiveness, management, and auditing on a tight budget
• Advanced Threat Education on APTs
Wednesday, June 12th from 11:30am to 5:00pm
Eggspectations in Columbia
Security Scoreboard
Source: RedZone Technologies
Pyramid of Networking Success – Assessment Foundation
BONES: IP Addressing, Routers, and Switches
MUSCLES: NOS Services (DHCP, WINS, and DNS)
BRAIN: The Windows Domain / Active Directory
Pyramid layers:
• Security Edge to Core
• NOS Networking and Name Resolution
• Foundation Network Services
• Desktop and Server Management
• Compliance, Risk Mgmt, Monitoring, WAN QoS, Reporting
• Data Protection, Backup and Recovery
Source: RedZone Technologies
RZ Assessment
• RedZone will assess your risk
• Examine a number of factors
• Score you based on those factors (RZ Scoreboard)
• Better to be proactive and assess now to find potential weaknesses than to be reactive after you’ve already been hacked
Security Scoreboard
Source: RedZone Technologies
Summary
• Review zero-day protection options: check your current vendors or the vendors on the following page
• What are your BotNet IP options? Check your current vendors or the vendors on the following page
• How to enable Global IP Filter protection? Check your current vendors or the vendors on the following page
• How do I alert fraud communication in advance?
• What are some vendor product options for advanced content security?
Q&A