Essential Defense by Kevin Cardwell

Posted on 15-Apr-2017


Transcript

Kevin Cardwell

TMI

The good, the bad and the ugly

Smart defense


505 Billion Pages to date

www.shodan.io

Local Area Network protocols should not be open from the Internet!
  ◦ Ports: 135, 137, 139, 445

We have gotten better at security

The hackers have gotten better at hacking

Patch system is broken

Residual risk

www.zerodayinitiative.com


The compromise was inevitable! APT, sophisticated attackers etc etc

MYTH!


Estimated to block 85% of attacks when initially released
  ◦ Application whitelisting
  ◦ Patch applications
  ◦ Patch operating system
  ◦ Minimize the number of users with privileged rights
    ◦ Disable the local admin account on domain computers

Security is a process and methodology not a product!


Steps

Identify critical segments
  ◦ List the ingress and egress requirements
  ◦ Monitor deviations from the normal
  ◦ Segment to segment
Research segment-by-segment vulnerabilities
  ◦ Legacy, commercial and ICS
  ◦ Prioritize the fixes
  ◦ Servers: no initiation of connections
  ◦ Windows => core installations for Windows 2008/2012/2016

Track 2-3 vulnerability sites
  ◦ ICS - www.ics-cert.gov
  ◦ Identify the areas of concern => increase monitoring

Traffic coming into your network
  ◦ Implemented by almost all organizations
  ◦ Security policy determines what is allowed and is configured in the filters
No traffic arriving at the perimeter should have an internal source address
  ◦ Commonly referred to as sanity checking
Sanity checking
  ◦ Bogon filtering
  ◦ RFC 2827 – defeating denial of service attacks
  ◦ RFC 3704
  ◦ GEO IP blocking
Case study of a malware infection => 64% of traffic blocked by bogon filtering
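The sanity checks described on this slide, and the LAN-only ports called out earlier in the deck, expressed as filter logic. This is an added example, not code from the talk: the internal prefixes, the bogon list, the sample packets and the public address 203.0.113.5 are all constructed assumptions. It drops anything arriving on the external interface that claims an internal source, carries a bogon source, or targets one of the LAN-only ports; everything else passes to the next filter stage.

```python
import ipaddress
from dataclasses import dataclass

# Address space of a constructed example organisation (assumed, not from the talk).
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16")]

# Bogon prefixes: private or reserved space that has no business appearing as a
# source address on the Internet-facing interface (RFC 1918 plus other reserved ranges).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

# LAN-only protocol ports named in the talk (RPC, NetBIOS, SMB) that must not be exposed.
LAN_ONLY_PORTS = {135, 137, 139, 445}


@dataclass
class Packet:
    src: str    # source IP as seen on the external interface
    dst: str    # destination IP (the organisation's public address)
    dport: int  # destination TCP/UDP port


def _in_any(addr, prefixes):
    return any(addr in net for net in prefixes)


def ingress_verdict(pkt):
    """Decide what the perimeter filter does with one inbound packet.

    Returns (action, reason); action is "drop" or "accept". Checks run in
    order: spoofed internal source, bogon source, LAN-only destination port.
    """
    src = ipaddress.ip_address(pkt.src)
    if _in_any(src, INTERNAL_PREFIXES):
        return "drop", "internal source address arriving from outside (spoofed)"
    if _in_any(src, BOGON_PREFIXES):
        return "drop", "bogon source address"
    if pkt.dport in LAN_ONLY_PORTS:
        return "drop", "LAN-only port %d reachable from the Internet" % pkt.dport
    return "accept", "passes sanity checks"


def filter_ingress(packets):
    """Apply the verdict to a batch; returns a list of (packet, action, reason)."""
    return [(p,) + ingress_verdict(p) for p in packets]


# Constructed sample packets (not captured traffic). 198.51.100.0/24 is a
# documentation range standing in for a real public client address.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "203.0.113.5", 443),   # ordinary Internet client to the web server
    Packet("10.0.5.21", "203.0.113.5", 443),      # claims an internal source: spoofed
    Packet("169.254.1.1", "203.0.113.5", 25),     # link-local (bogon) source
    Packet("198.51.100.8", "203.0.113.5", 445),   # SMB from the Internet
]

if __name__ == "__main__":
    for pkt, action, reason in filter_ingress(SAMPLE_PACKETS):
        print("%-6s %-15s -> %s:%d  (%s)" % (action, pkt.src, pkt.dst, pkt.dport, reason))
```

Only the first sample packet is accepted; the other three match, in turn, the spoofed-internal, bogon and LAN-only-port rules. A real deployment would load the bogon list from a maintained feed rather than a hard-coded tuple, since that list changes as address space is allocated.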

If site is not 24/7
  ◦ Shut off access going out to the Internet
    ◦ Block the well-known malware ports of communication: http, ssh, https, etc.
  ◦ Monitor for attempts
    ◦ All malware will attempt outbound connections
    ◦ If no one is there, there should be none
If 24/7
  ◦ Only monitor critical systems
Servers should not initiate connections to the Internet
  ◦ Subscribe to a service
  ◦ Watch for lookups of known malware nets

Blackhole routing
  ◦ No DNS traffic can be sourced from an address other than the internal DNS server
    ◦ No direct client queries to the Internet
  ◦ No traffic directly to a web server
    ◦ Has to be sourced from the IP address of the proxy
90% of the malware does direct queries
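The egress rules from the last two slides (no outbound traffic while the site is unstaffed, servers never initiating Internet connections, DNS only from the internal DNS server, web traffic only from the proxy) as an audit run over flow records. This is an added example, not the talk's own code; the flow-record format, the addresses 10.0.0.53 and 10.0.0.80, the server subnet, the staffed hours and the sample records are all constructed assumptions. The same checks could be placed in a firewall's egress rule set; here they are written as a detector so the violations are listed rather than silently dropped.

```python
import ipaddress
from datetime import datetime

# Constructed site policy (assumed values, not from the talk).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
SERVER_NET = ipaddress.ip_network("10.0.1.0/24")   # servers: never initiate Internet connections
INTERNAL_DNS = {"10.0.0.53"}                        # the only host allowed to send DNS outbound
WEB_PROXY = {"10.0.0.80"}                           # the only host allowed to reach web servers
STAFFED_HOURS = range(7, 19)                        # site is not 24/7: staffed 07:00-18:59
WEB_PORTS = {80, 443}


def parse_flow(line):
    """Parse a constructed flow record: '<ISO time> <src> <dst> <proto>/<dport>'."""
    ts, src, dst, svc = line.split()
    proto, dport = svc.split("/")
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "dport": int(dport)}


def egress_violations(flow):
    """Return the list of policy rules an outbound flow breaks (empty list = allowed)."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    if src not in INTERNAL_NET or dst in INTERNAL_NET:
        return []          # not an Internet-bound flow from inside; out of scope here
    reasons = []
    if flow["ts"].hour not in STAFFED_HOURS:
        reasons.append("outbound connection while the site is unstaffed")
    if src in SERVER_NET:
        reasons.append("server initiating a connection to the Internet")
    if flow["dport"] == 53 and flow["src"] not in INTERNAL_DNS:
        reasons.append("direct DNS query bypassing the internal DNS server")
    if flow["dport"] in WEB_PORTS and flow["src"] not in WEB_PROXY:
        reasons.append("direct web connection bypassing the proxy")
    return reasons


def audit(lines):
    """Run every record through the policy; returns [(line, reasons)] for violators only."""
    findings = []
    for line in lines:
        reasons = egress_violations(parse_flow(line))
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample flow records (not real logs); 198.51.100.0/24 stands in for Internet hosts.
SAMPLE_FLOWS = [
    "2017-04-15T10:02:11 10.0.0.53 198.51.100.10 udp/53",   # resolver forwarding: allowed
    "2017-04-15T10:02:15 10.0.0.80 198.51.100.20 tcp/443",  # proxy fetching a page: allowed
    "2017-04-15T10:03:40 10.0.5.21 198.51.100.30 udp/53",   # workstation doing direct DNS
    "2017-04-15T10:04:02 10.0.5.21 198.51.100.40 tcp/80",   # workstation bypassing the proxy
    "2017-04-15T03:15:09 10.0.1.7 198.51.100.50 tcp/443",   # server, out of hours, no proxy
    "2017-04-15T10:05:00 10.0.5.22 10.0.0.53 udp/53",       # client to internal resolver: fine
]

if __name__ == "__main__":
    for line, reasons in audit(SAMPLE_FLOWS):
        print(line)
        for reason in reasons:
            print("   -", reason)
```

Three of the six constructed records are flagged; the overnight server flow breaks three rules at once, which is the pattern the slides describe: a compromised server calling home when no one is there to do so.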

Enhanced Mitigation Experience Toolkit
  ◦ Microsoft tool
    ◦ DEP and others => adds obstacles to exploitation
  ◦ Permanent protection against targeted applications
    ◦ Adobe etc
All 2015 IE exploits failed

Segmentation and isolation
  ◦ Bind ports INSIDE of the bastion host

Diagram components: external network, screening router, bastion host, DMZ, DMZ app servers, IDS

No time

No staff

No budget

Etc

Internal honeypot and decoys
  ◦ Provides a method of detection of an attack
  ◦ Allows IT to develop the implementation plan
  ◦ Low cost (relatively speaking)
KFSensor
  ◦ Cost: $600
Back Officer Friendly
  ◦ Cost: FREE
LaBrea Tarpit
  ◦ FREE
  ◦ Linux!!!!!!!

We can defend!

cesi@ieee.org
