Unravel the Enigma of Insecurity
1
Bulletproof IT Security…Is It Possible?
by Gary S. Miliefsky, Editor-in-Chief,
CyberDefenseMagazine.com
Brought to you by Concise-Courses.com
About Me
Editor of Cyber Defense Magazine
Former Lead Cover Story Writer for Hakin9
Founder of NetClarity, a BYOD/NAC Company
Founding Member of US Department of Homeland Security
Board and Advisory Membership
National Information Security Group (NAISG.org)
Norwich.edu Cyber-war Research Labs
Informal Advisor to White House.gov PCIPB
MITRE’s CVE – Global standard for vulnerability information
Look at The Current Stats….
Cybercrime up by 6% through January 1, 2013
(Source: PONEMON INSTITUTE)
WhiteHouse Hacked by China
(Sources: WHITEHOUSE.GOV and PENTAGON.MIL)
ADOBE UPDATE SERVER – HACKED IN SEPTEMBER
MICROSOFT INTERNET EXPLORER – HACKED IN OCTOBER
ORACLE – RELEASES OVER 109 SECURITY FIXES IN OCTOBER
Total Personally Identifiable Information Records Stolen (US): 563,000,000+
Total Common Vulnerabilities and Exposures (CVEs aka “holes”): ~54,000
Total MD5 Hash Entries in Top Anti-virus Databases: 100,000,000+ and growing
(Sources: CDM, Adobe, Microsoft, Oracle, MITRE, PrivacyRights.org, VirusBulletin)
Over 60% of Bing search results lead to infected pages
Over 30% of Google search results lead to infected pages
Bulletproof IT Security Best Practices…
Here's my best practice list, in order of importance:
1. Roll out corporate security policies
2. Deliver corporate security awareness and training
3. Run frequent information security self-assessments
4. Perform regulatory compliance self-assessments
5. Deploy corporate-wide encryption
6. Value, protect, track and manage all corporate assets
7. Test business continuity and disaster recovery planning
New Ideas – Does Your Supply Chain Matter?
If you BUILD or even BUY IT Networking and Security Equipment, have you checked the supply chain?
• Walmart ships picture frames infected with zero-day malware from China
• Spyware found on Brand New ‘blank’ USB sticks built in China
• Microsoft uncovers Nitol botnet which shipped on “new” PCs from Distribution partners throughout USA who purchase their equipment from China, September, 2012
• Huawei and ZTE Equipment may ship with remote ‘eavesdropping’ technology from China – US House Intelligence Panel, Oct 2012
For balance, the USA’s NSA.gov has admitted (through EPIC FOI requests) asking for similar capabilities from US telco and network equipment manufacturers, whether or not this has happened and to what extent…
New Ideas – Should You Become a Big Brother?
• Create Employee Policy Agreements That All Must Accept
  • Proper use of resources
  • Behavior on the network and internet
  • Password rules and storage do matter
  • Best practices about NOT being socially engineered
  • BYOD and wireless devices must be managed and controlled
• Run Your Own HoneyPots on Your Own Employees and Consultants
  • To catch a thief you have to give them something to steal
  • Create a fake database of confidential information and make it easy to find and easy to hack
  • Log all activities and track the sources of the attacks
Visit www.honeynet.org to learn more about Honey Pots
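The slide's last two bullets, "make the decoy easy to find" and "log everything and track the source", are the detection half of a honeypot. The script below is an added example, not part of the deck: it scans constructed Common Log Format access lines for requests to decoy resources (the paths are hypothetical) and groups hits by source address so each probing host gets one alert.

```python
"""Decoy-database access detection (added example, not from the deck).

Scans constructed web-server access log lines for requests that touch
planted decoy resources and groups the hits by source address so the
source of each probe can be tracked. The log format and decoy paths are
assumptions for illustration.
"""
import re
from collections import defaultdict

# Decoy resources nobody has a legitimate reason to touch (hypothetical paths).
DECOY_PATHS = {
    "/backup/customers_confidential.sql",
    "/hr/salaries_2012.xlsx",
    "/admin/db_export.php",
}

# Common Log Format: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample log lines for the example (one malformed line on purpose).
SAMPLE_LOG = """\
10.1.4.22 - - [02/Nov/2012:09:14:03 +0000] "GET /index.html HTTP/1.1" 200 5120
10.1.4.22 - - [02/Nov/2012:09:14:09 +0000] "GET /backup/customers_confidential.sql HTTP/1.1" 200 734112
10.1.4.22 - - [02/Nov/2012:09:14:41 +0000] "GET /hr/salaries_2012.xlsx HTTP/1.1" 200 88120
192.168.7.5 - jdoe [02/Nov/2012:09:20:00 +0000] "POST /admin/db_export.php HTTP/1.1" 403 212
10.1.9.77 - - [02/Nov/2012:09:21:17 +0000] "GET /images/logo.png HTTP/1.1" 200 4410
this line is not in the expected format
"""


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None otherwise."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def decoy_hits(log_text, decoy_paths=DECOY_PATHS):
    """Return one alert dict for every request that reaches a decoy resource.

    A 403 still counts: the requester found the decoy even though the
    server refused to serve it, and that is the signal we planted it for.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the detector
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path in decoy_paths:
            alerts.append({
                "src": rec["src"], "user": rec["user"], "time": rec["time"],
                "method": rec["method"], "path": path, "status": int(rec["status"]),
            })
    return alerts


def hits_by_source(alerts):
    """Group alerts by source address: one tracking entry per probing host."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a["src"]].append(a["path"])
    return dict(grouped)


if __name__ == "__main__":
    found = decoy_hits(SAMPLE_LOG)
    for src, paths in hits_by_source(found).items():
        print(f"ALERT decoy access from {src}: {', '.join(paths)}")
```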
New Ideas – Do You Deploy BYOD Security?
Do you allow employees to bring in their own equipment?
• What is the OS? What apps are running? Are they patched?
• What if it is lost or stolen with data leakage potential?
• Do you have the controls in place to remote wipe it?
• Can you find a stolen device? Lojack or similar software?
• What’s it doing on your network anyway?
It’s time to…
• Detect, Log, Alert, Block, Audit, Quarantine
• There are agentless and agent-based ways to do this…
• Google “BYOD” and “NAC” and evaluate, then deploy
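An agentless version of the Detect / Log / Alert / Block / Audit / Quarantine loop above, written as an added example (not the deck's own material): devices seen in constructed DHCP lease records are checked against a managed-device registry and a lost/stolen list, and each gets an action plus an audit line. The registry fields, lease line format and policy are assumptions.

```python
"""Agentless BYOD / NAC triage (added example, not from the deck)."""
from typing import Dict, List, Tuple

# Managed devices the organisation owns or has enrolled (constructed registry).
MANAGED: Dict[str, Dict] = {
    "00:1a:2b:3c:4d:5e": {"owner": "alice", "os": "Windows 7", "patched": True, "remote_wipe": True},
    "00:1a:2b:3c:4d:5f": {"owner": "bob", "os": "Windows XP", "patched": False, "remote_wipe": True},
    "00:1a:2b:3c:4d:60": {"owner": "carol", "os": "iOS 6", "patched": True, "remote_wipe": False},
}

# Devices reported lost or stolen (constructed); any sighting is blocked and alerted.
REPORTED_LOST = {"00:1a:2b:3c:4d:60"}

# Constructed lease records, one per line: "<mac> <ip> <hostname>"
SAMPLE_LEASES = """\
00:1a:2b:3c:4d:5e 10.0.0.21 ALICE-LAPTOP
00:1a:2b:3c:4d:5f 10.0.0.22 BOB-PC
00:1a:2b:3c:4d:60 10.0.0.23 carols-iphone
aa:bb:cc:dd:ee:01 10.0.0.99 android-9f3c
"""


def parse_leases(text: str) -> List[Tuple[str, str, str]]:
    """Detect: turn lease lines into (mac, ip, hostname); skip malformed lines."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        leases.append((parts[0].lower(), parts[1], parts[2]))
    return leases


def decide(mac: str) -> Tuple[str, str]:
    """Return (action, reason). Lost/stolen is checked first, then enrolment, then patch state."""
    rec = MANAGED.get(mac)
    if mac in REPORTED_LOST:
        wipe = "issue remote wipe" if rec and rec["remote_wipe"] else "no remote-wipe control; escalate to locate device"
        return "block", f"device reported lost/stolen; {wipe}"
    if rec is None:
        return "quarantine", "unregistered device (BYOD?): restricted VLAN until enrolled"
    if not rec["patched"]:
        return "quarantine", f"managed {rec['os']} device missing patches: restricted VLAN until patched"
    return "allow", f"managed, patched {rec['os']} device owned by {rec['owner']}"


def triage(text: str) -> List[Dict]:
    """Apply the policy to every lease; anything that is not allowed raises an alert."""
    results = []
    for mac, ip, host in parse_leases(text):
        action, reason = decide(mac)
        results.append({"mac": mac, "ip": ip, "hostname": host,
                        "action": action, "reason": reason, "alert": action != "allow"})
    return results


def audit_log(results: List[Dict]) -> List[str]:
    """Log / Audit: one line per decision, suitable for a SIEM or a flat file."""
    return [f"NAC {r['action'].upper():10} {r['mac']} {r['ip']:15} {r['hostname']}: {r['reason']}"
            for r in results]


if __name__ == "__main__":
    for line in audit_log(triage(SAMPLE_LEASES)):
        print(line)
```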
New Ideas – Centralize and Frequently Review CybOX
CybOX stands for Cyber Observable eXpression…
• Threat assessment & characterization (detailed attack patterns)
• Malware characterization
• Operational event management
• Logging
• Cyber situational awareness
• Incident Response
• Digital Forensics
• Cyber Threat information sharing
Visit http://cybox.mitre.org to learn how to implement it.
System Hardening 101
1. Understand your software development weaknesses: http://cwe.mitre.org
2. Understand your operating system weaknesses: http://oval.mitre.org
3. Understand your network systems weaknesses: http://cve.mitre.org and http://nvd.nist.gov
4. Remove these weaknesses by better software development processes, patching and reconfiguring operating systems and network systems. Repeat. Repeat. Repeat. Repeat. Repeat…yes…Repeat again…and again…
System Hardening 101 (cont’)
Make sure you check out http://www.first.org/ and find their local affiliate in your country or region… FIRST offers a FIRST Best Practice Guide Library (BPGL).
Also maintained by FIRST: the FIRST Security Reference Index.
It is a complicated, arduous, and time-consuming task for even experienced system administrators to know what a reasonable set of security settings is for any operating system. Thus, the FIRST Best Practice Guide Library intends to assist FIRST Team Members and the public in general in configuring their systems securely by providing configuration templates and security guidelines.
Also, this initiative aims at recognizing FIRST members' work and promoting it outside the FIRST community. Note: the Best Practice Guides Library is based on documents and links submitted by FIRST members.
FIRST members are strongly encouraged to share their Best Practice guides or links to Web sites hosting Best Practice guides.
The FIRST BPGL is found here: http://www.first.org/resources/guides
System Hardening 101 (cont’)
Want to see all of the UNCLASSIFIED STIGs so you can harden just about anything? Here is the entire list of STIGs: http://iase.disa.mil/stigs/a-z.html
Say you are worried about a Windows 7 deployment. How would you harden it when you finish the install? Go here: http://iase.disa.mil/stigs/os/windows/seven.html
Download the STIG…follow the instructions…
System Hardening 101 (cont’)
Leverage the NSA and NIST recommendations…
For example…how would you harden a Bluetooth network? www.nsa.gov/ia/_files/wireless/BlueToothDoc.pdf
All their guides can be found here: http://www.nsa.gov/ia/mitigation_guidance/security_configuratio
What are the best checklists to follow to harden your systems? http://web.nvd.nist.gov/view/ncp/repository
Root Cause of Exploitation?
Common Vulnerabilities and Exposures (CVEs)
1. Although there might be 100,000,000 signatures in your McAfee or Symantec anti-virus scanner database (and growing exponentially), there are only ~54,000 CVEs. If you close just one CVE, for example, you can block more than 110,000 variants of the W32 malware.
2. If you aren’t visiting http://nvd.nist.gov to see what kind of exploitable holes you have in your network, cyber criminals CERTAINLY are…
3. Everything with an IP address has a CVE; you need to figure out which ones are critical holes and how to patch, reconfigure and remove them, i.e. system hardening.
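Point 3 above, and step 4 of System Hardening 101, come down to one join: what runs on each host versus which CVEs affect it, ranked so the critical, exposed holes are patched first. The script below is an added example, not from the deck; it uses a constructed inventory and a constructed, simplified feed (placeholder IDs, not real CVEs, and field names that only loosely follow NVD) and produces a per-host patch plan.

```python
"""CVE-driven hardening priorities (added example, not from the deck)."""
from typing import Dict, List

# Constructed, simplified vulnerability records. The IDs are placeholders,
# not real CVEs, and the field names are assumptions (NVD's real JSON differs).
CVE_FEED: List[Dict] = [
    {"id": "CVE-EXAMPLE-0001", "product": "acme-webserver", "fixed_in": "2.2",
     "cvss": 9.8, "network_exploitable": True},
    {"id": "CVE-EXAMPLE-0002", "product": "acme-webserver", "fixed_in": "2.1",
     "cvss": 5.3, "network_exploitable": True},
    {"id": "CVE-EXAMPLE-0003", "product": "acme-pdfviewer", "fixed_in": "10.1.4",
     "cvss": 7.8, "network_exploitable": False},
    {"id": "CVE-EXAMPLE-0004", "product": "acme-dbserver", "fixed_in": "5.0",
     "cvss": 4.0, "network_exploitable": True},
]

# Constructed asset inventory: everything with an IP address and what it runs.
INVENTORY: List[Dict] = [
    {"host": "web01", "product": "acme-webserver", "version": "2.1", "internet_facing": True},
    {"host": "db01", "product": "acme-dbserver", "version": "4.9", "internet_facing": False},
    {"host": "ws-alice", "product": "acme-pdfviewer", "version": "10.1.2", "internet_facing": False},
    {"host": "ws-bob", "product": "acme-pdfviewer", "version": "10.1.4", "internet_facing": False},
]


def version_tuple(v: str):
    """'10.1.4' -> (10, 1, 4) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """Simplified rule: every version below the fixed release is affected."""
    return version_tuple(installed) < version_tuple(fixed_in)


def severity(cvss: float) -> str:
    """CVSS v3 qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low" if cvss > 0 else "none"


def open_findings(inventory: List[Dict], feed: List[Dict]) -> List[Dict]:
    """Join assets with the feed: one finding per (host, CVE) that is still open."""
    findings = []
    for asset in inventory:
        for vuln in feed:
            if vuln["product"] != asset["product"]:
                continue
            if not is_vulnerable(asset["version"], vuln["fixed_in"]):
                continue
            # A network-exploitable hole on an internet-facing host is the one an
            # attacker finds first, so weight it above the raw CVSS score.
            exposed = asset["internet_facing"] and vuln["network_exploitable"]
            findings.append({
                "host": asset["host"], "cve": vuln["id"], "product": asset["product"],
                "cvss": vuln["cvss"], "severity": severity(vuln["cvss"]),
                "fixed_in": vuln["fixed_in"],
                "priority": round(vuln["cvss"] * (1.5 if exposed else 1.0), 1),
            })
    return findings


def rank(findings: List[Dict]) -> List[Dict]:
    """Highest priority first; host name breaks ties so output is stable."""
    return sorted(findings, key=lambda f: (-f["priority"], f["host"]))


def patch_plan(findings: List[Dict]) -> Dict[str, Dict[str, str]]:
    """Per host, the minimum version of each product that closes all its findings."""
    plan: Dict[str, Dict[str, str]] = {}
    for f in findings:
        current = plan.setdefault(f["host"], {}).get(f["product"])
        if current is None or version_tuple(f["fixed_in"]) > version_tuple(current):
            plan[f["host"]][f["product"]] = f["fixed_in"]
    return plan


if __name__ == "__main__":
    for f in rank(open_findings(INVENTORY, CVE_FEED)):
        print(f"{f['priority']:5} {f['severity']:8} {f['host']:9} {f['cve']} "
              f"-> upgrade {f['product']} to {f['fixed_in']}")
```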
Some Best Practices Free Tools
NETWORK-BASED VULNERABILITY TESTS: http://www.openvas.org (better than Nessus)
OPERATING SYSTEM-BASED VULNERABILITY TESTS: http://oval.mitre.org
Try http://threatguard.com/node/27 for a great OVAL tool that’s FREE
Some Best Practices Free Tools (cont’)
COBIT 5 is the latest edition of ISACA’s globally accepted framework, providing an end-to-end business view of the governance of enterprise IT that reflects the central role of information and technology in creating value for enterprises. The principles, practices, analytical tools and models found in COBIT 5 embody thought leadership and guidance from business, IT and governance experts around the world.
http://www.isaca.org/COBIT/Pages/default.aspx
Some Best Practices Free Tools (cont’)
Stay on top of your CERTIFICATION…take some free online quizzes at CCCURE.org: https://www.freepracticetests.org/quiz/index.php?page=register
Send an email to clement.dupuis@gmail.com mentioning you saw CCCURE.org in my Concise-Courses.com presentation and Clement will send you a copy of his Scenario Based questions practice test for FREE. This is a value of $59.99. The real exam contains many scenario based questions; get ready for this special format. CCCURE.org is the only vendor providing such type of quizzes.
Some Best Practices Free Tools (cont’)
ENCRYPTION… http://www.truecrypt.org
Main Features: Creates a virtual encrypted disk within a file and mounts it as a real disk. Encrypts an entire partition or storage device such as USB flash drive or hard drive. Encrypts a partition or drive where Windows is installed (pre-boot authentication). Encryption is automatic, real-time (on-the-fly) and transparent. Parallelization and pipelining allow data to be read and written as fast as if the drive was not encrypted. Encryption can be hardware-accelerated on modern processors. Provides plausible deniability, in case an adversary forces you to reveal the password: hidden volume (steganography) and hidden operating system. More information about the features of TrueCrypt may be found in the documentation.
What Are The Best Ways to Stop Malware?
Check out VirusBulletin at http://www.virusbtn.com/vb100/index
Upload a suspicious file to VirusTotal: https://www.virustotal.com/
or try Jotti’s here: http://virusscan.jotti.org/en
or try VirScan here: http://virscan.org/
or try MetaScan from Opswat: http://www.metascan-online.com/
Speaking of VirusBulletin…
Stopping Malware…Multi-pronged Approach
1. System Hardening is crucial. No CVEs. No holes. Almost nowhere to exploit.
2. Educating employees not to be socially engineered and to follow best-practice behavior is also crucial.
3. Controlling which devices come and go on your network (BYOD through NAC) is also very important.
4. Most importantly, Host-based Intrusion Prevention is your final resort.
5. The better the HIPS engine in the anti-virus solution, the higher the rating.
So What is Bulletproof IT Security?
• Good Corporate Security Policies
• Frequent Employee Training
• Ongoing Self-Assessment
• Corporate-wide Encryption
• Consistent System Hardening
• Vulnerability Management
• Managing the BYOD Dilemma
• Testing your BCP and DRP Plans
• Leveraging Next Gen Malware Blocking
Get Your Free Copy…
www.cyberdefensemagazine.com
Signup Today for FREE E-Subscriptions:
FREE MONTHLY NEWSLETTERS: 20-40 pages packed with tips, tricks, tools and techniques for better IT Security and Regulatory Compliance
FREE QUARTERLY MAGAZINE: Ships in print at RSA Conference 2013, covers next generation tools and techniques, Cyber Defense Test Labs (CDTL) INFOSEC product reviews, and much more…
