Andrew Kozma - Security 101 - AtlSecCon 2011

Security 101: Principles, Models & Concepts

Andrew Kozma

Sr. Security Administrator

Capital District Health Authority

Defense In Depth

• Originally a military model used to slow the progress of an attacker

• The building up, layering on and overlapping of security measures

• Should one defensive measure fail, there are other defensive measures in place that continue to provide protection

• The strength of any system is no greater than its weakest link

Figure 1

The OSI Model – Open Systems Interconnect

• An industry standard model

• Defines the framework for implementing protocols in seven layers

• A hierarchical model where the layer below supports the layer above it

• Security services can be added to individual layers to support the defense in depth principle

Figure 2

The Physical Layer

• Classify your data

• If it is important lock it up!

• Servers that house sensitive data should be behind a locked door with controlled access

• If an attacker has physical access, they own it. Period.

Data Link Layer

• Media Access Control (MAC Address)

• ARP – Address Resolution Protocol

• Threat = ARP Poisoning

• MAC Flooding – Targets switching infrastructure

• Man In the Middle – Intercept traffic destined for another host

• DOS – Direct traffic to “Nowhere”

• Mitigation = Network Access Control (NAC)
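As an added example (not from the original slides), a small defender-side check for the ARP poisoning symptom named above: one IP being claimed by more than one MAC, and one MAC answering for many IPs. The ARP reply records are constructed for the example; in practice they would come from a switch's ARP inspection log or a packet capture.

```python
"""Flag ARP cache poisoning symptoms in a list of observed ARP replies."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str


def analyze_arp(replies, max_ips_per_mac=3):
    """Return alerts as (kind, key, sorted values) tuples.

    ip_conflict         - an IP answered by two or more MACs (classic poisoning)
    mac_claims_many_ips - one MAC answering for more IPs than a host should
                          (impersonating several peers); threshold is a
                          constructed default, tune it to the segment
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for r in replies:
        mac = r.sender_mac.lower()          # normalise case before comparing
        ip_to_macs[r.sender_ip].add(mac)
        mac_to_ips[mac].add(r.sender_ip)

    alerts = []
    for ip, macs in sorted(ip_to_macs.items()):
        if len(macs) > 1:
            alerts.append(("ip_conflict", ip, sorted(macs)))
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > max_ips_per_mac:
            alerts.append(("mac_claims_many_ips", mac, sorted(ips)))
    return alerts


# Constructed sample: the gateway 10.0.0.1 is legitimately ...:01, then a
# second MAC (...:99) starts answering for it and for several other hosts.
SAMPLE = [
    ArpReply("10.0.0.1", "aa:bb:cc:00:00:01"),
    ArpReply("10.0.0.10", "aa:bb:cc:00:00:10"),
    ArpReply("10.0.0.1", "AA:BB:CC:00:00:99"),
    ArpReply("10.0.0.11", "aa:bb:cc:00:00:99"),
    ArpReply("10.0.0.12", "aa:bb:cc:00:00:99"),
    ArpReply("10.0.0.13", "aa:bb:cc:00:00:99"),
]

if __name__ == "__main__":
    for alert in analyze_arp(SAMPLE):
        print(alert)
```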

The Network Layer

• Provides routing services and is the home to routable protocols (IP)

• ICMP – Evaluate the requirements, manage this at select gateways as required.

• Enumeration – OS Detection, port scanning, sniffing

• Traditional firewalls

• Intrusion Detection Services

• Intrusion Prevention Services

Securing the Host Layers

The landscape is changing; users are now more mobile and portable than ever before.

• Endpoint protection

• Anti Virus

• Client Side Firewalls with IPS

• Encryption Services

• Software updates

• Microsoft WSUS

• Application updates, flash player

• The model of trusted and untrusted networks is blurring.

The Human Factor

• The user community historically is the weakest link

• Raising awareness - Educate your user community, build the "Human Firewall"

• Incident response - Know what to do when something goes wrong

• Who needs to know

• When do they need to know it

The Importance Of Logging

• At a minimum, enable logging. If there are too many logs, consider event log correlation and management solutions

• Historical data will be required for forensic analysis in the event of a data breach or a disruption in service

• May be required to provide information to law enforcement

• If you don't know what happened, how can you prevent it from happening again?

The Security Life Cycle

• Security is not just at the perimeter

• Security is a process not a product

Aligning Security With The Business

Balance security with cost

• Risk analysis

• Project Management

Compliancy and policy

• SOX

• HIPAA

• PHIA

• PIPEDA

Lessons Learned

• We have to be right all of the time; the bad guys only need to be right once

• Multiple vendor solutions can be complex and can increase administration requirements

• Defense in depth is not a security blanket; be careful not to buy the latest and greatest technology for multiple layers

• Multiple management domains, not necessarily a single pane of glass

• Select a few solutions but know them well

• Meet with vendors often to review implementation and services

Lessons Learned

• Good enough is not good enough anymore

• Stay current

• Training: instructor led, online, webcasts (EC-Council First Look)

• Research new technologies

• Read vendor reports

• Meet with vendors

• Share your knowledge, mentor and be mentored

• Attend ATLSECCON '12

Summary

• Align security with business

• Develop policy

• Maintain compliance

• Strive for continuous improvement

• Manage - Security is a process not a product

• Measure - Vulnerability assessments

Summary

• Monitor – Baseline and know the behavior of your environment

• Alert - Notify on changes and anomalies

• Log & Report - Know your security posture, audit and prove compliance

Questions?