
• Founder / Moderator of Vulnwatch.Org
• Founder of Win2KSecAdvice mailing list
• Member of nmrc.Org
• Co-Author of Hack Proofing Your Network
• Participant – Open Web Application Security Project (OWASP.org)
• Participant – Open Source Vulnerability Database (OSVDB.org)

  
• Security today
• Failures in Security
• Succeed in Security
  
• Vulnerabilities will always exist.
• Typical organizations have made large investments in network and security infrastructure.
• Incidents still occur at high rates.
• Past investments do not support the business need.
• Security warnings to upper management are seen as the new Y2K hype.
• All the firewalls and intrusion detection devices in the world will not protect you on their own.
• Most organizations do not have a firm grasp of their entire infrastructure.
• Overly aggressive firewall configurations obstruct the business and hurt productivity.
• Network intrusion detection has limited value in most organizations.
• Security is not a magic black box or application.

• Firewalls
• Intrusion Detection
• Wall of Shame
• “But we have a firewall, we are completely protected…”
• “We have invested in world class firewall technologies… we are secure.”
• “Why would we want to block people from getting out?”
• “A hacker would have to break […] our firewall in order to gain access…”
• “You mean you have to patch a firewall?”
• “Well our IDS didn’t see anything wrong…”
• “There were just too many alerts so I turned it off…”
• “I didn’t understand what […] was so I ignored it…”
• “ISS told us that it wasn’t possible…”
• “What do you mean I can’t monitor this switch…”
• “No one watches the console on weekends and holidays…”
• “Passwords just made implementing the technology too difficult for our users…”
• “What exactly do you mean by […]?”
• “We spent 2 million dollars on firewalls and other security solutions and 2 thousand dollars on testing those systems…”
• “We don’t exactly have a security department but Joe in the server group is a […] so I am sure he is taking care of us…”
• “But our vendor hasn’t told us anything about…”
• “But that is a […] issue…”

• A proper security posture combines […].
• Most organizations rely on technology alone, leaving their security posture weak and vulnerable.

• Do not let vendors use your fear, uncertainty and doubt against you.
• It is a lot of work, but when approached in a logical and calm fashion, information security can be improved.
• Never think you are completely secure.
• All the security in the world can be trumped by the double click of an email attachment.
• If your users are not aware, they are your greatest threat.
• If your administrators are not educated, they are unarmed and unable to be proactive.
• If you don’t know what you have or what it does, how do you plan on protecting it?
• If you don’t know your business, how will you enable it?
• Data and system classification is essential.
• Large organizations must approach security based on risk.
• Secure baseline configurations: the technical starting point of a truly secure infrastructure.
• Thwart the attacker by leveraging technology you already have.
• Baselines help improve desktop and server support processes and actually reduce long-term support costs.
• Logical combinations of network-based and host-based monitoring can be valuable.
• Log management is valuable.
• Technical education is far more valuable than the technology itself.
• Do the right people know when a device is added to the network? What about when one is removed?
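The last bullet is a concrete check, so here is one way to answer it with tooling most shops already have. This is an added example, not code from the presentation: it diffs an approved inventory against a fresh ARP snapshot and routes each finding to the team that owns the device. The inventory, the `arp -an` output and the team names are all constructed for the example.

```python
"""Spot devices that appeared on or vanished from the network since the last
approved inventory, and route each finding to the team that should hear about it.

Added example, not from the original presentation. The approved inventory and
the `arp -an` output below are constructed; the owner names are hypothetical.
"""
import re
from dataclasses import dataclass

# Constructed approved inventory: MAC -> (expected IP, team that owns the device)
APPROVED = {
    "00:11:22:33:44:55": ("10.0.1.10", "server-group"),
    "00:11:22:33:44:66": ("10.0.1.11", "server-group"),
    "aa:bb:cc:dd:ee:01": ("10.0.2.20", "desktop-support"),
    "aa:bb:cc:dd:ee:02": ("10.0.2.21", "desktop-support"),
}

# Constructed `arp -an` style output captured on a host with a leg in each segment
ARP_OUTPUT = """\
? (10.0.1.10) at 00:11:22:33:44:55 [ether] on eth0
? (10.0.1.12) at 00:11:22:33:44:66 [ether] on eth0
? (10.0.1.1) at <incomplete> on eth0
? (10.0.2.20) at AA:BB:CC:DD:EE:01 [ether] on eth1
? (10.0.2.99) at de:ad:be:ef:00:01 [ether] on eth1
"""

ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I
)

# Hypothetical team that receives reports about devices nobody has claimed
UNCLAIMED_OWNER = "security-team"


def parse_arp(text):
    """Return {mac: ip} from `arp -an` output; incomplete entries carry no MAC and are skipped."""
    observed = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            observed[m.group("mac").lower()] = m.group("ip")
    return observed


@dataclass(frozen=True)
class Finding:
    kind: str   # "added": unknown MAC; "moved": known MAC on a new IP; "removed": approved MAC not seen
    mac: str
    ip: str     # observed IP for added/moved, last approved IP for removed
    owner: str  # team to notify


def diff_inventory(approved, observed):
    """Compare the approved inventory with what was actually seen on the wire."""
    findings = []
    for mac, ip in observed.items():
        if mac not in approved:
            findings.append(Finding("added", mac, ip, UNCLAIMED_OWNER))
        elif approved[mac][0] != ip:
            findings.append(Finding("moved", mac, ip, approved[mac][1]))
    for mac, (ip, owner) in approved.items():
        if mac not in observed:
            findings.append(Finding("removed", mac, ip, owner))
    return sorted(findings, key=lambda f: (f.kind, f.mac))


def route(findings):
    """Group findings by owner so each team receives only its own notices."""
    by_owner = {}
    for f in findings:
        by_owner.setdefault(f.owner, []).append(f)
    return by_owner


if __name__ == "__main__":
    for owner, items in route(diff_inventory(APPROVED, parse_arp(ARP_OUTPUT))).items():
        print(f"notify {owner}:")
        for f in items:
            print(f"  {f.kind:7} {f.mac} {f.ip}")
```

Two caveats a practitioner will want: ARP only sees the segments the scanning host sits on, and a MAC address is trivially spoofed, so this belongs alongside switch port and DHCP logs rather than in place of them. A "removed" finding from a single snapshot may also just be an idle host; compare several snapshots before paging anyone.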
• Penetration testing over vulnerability assessment.
• Intrusion detection validation and tuning is essential.
• Firewall rule and configuration validation is essential.
• Don’t forget about phones and wireless devices.
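Firewall rule validation is the one item above that can be partly automated before anyone sends a packet. The following is an added example, not code from the presentation: it walks a first-match ruleset and flags the mistakes the Wall of Shame quotes hint at, namely any-to-any permits, unrestricted egress, clear-text management open to the world, and rules that are dead because an earlier rule shadows them. The rule format is a hypothetical vendor-neutral one and the ruleset is constructed; a real config has to be translated into it first.

```python
"""Validate a first-match firewall ruleset for the mistakes the Wall of Shame
quotes describe: any-to-any permits, no egress control, clear-text management
open to the world, and rules that are dead because an earlier rule shadows them.

Added example, not from the original presentation. The Rule format is a
hypothetical vendor-neutral one; a real config has to be translated into it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
# Clear-text or high-value management services that should never face any source
EXPOSED_MGMT = {23: "telnet", 3389: "rdp"}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    direction: str   # "in" (toward the site) or "out" (leaving it)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str       # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches every port


def rule(name, action, direction, src, dst, proto="any", dport=None):
    return Rule(name, action, direction, ipaddress.ip_network(src),
                ipaddress.ip_network(dst), proto, dport)


# Constructed ruleset; the firewall evaluates top to bottom and stops at the first match
RULES = [
    rule("web-in", "allow", "in", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),
    rule("mgmt-temp", "allow", "in", "0.0.0.0/0", "192.0.2.0/24", "tcp", 23),
    rule("mgmt-telnet-deny", "deny", "in", "0.0.0.0/0", "192.0.2.0/24", "tcp", 23),
    rule("deny-in", "deny", "in", "0.0.0.0/0", "0.0.0.0/0"),
    rule("late-allow", "allow", "in", "0.0.0.0/0", "192.0.2.20/32", "tcp", 80),
    rule("all-out", "allow", "out", "192.0.2.0/24", "0.0.0.0/0"),
]


def covers(broad, narrow):
    """True when every packet `narrow` would match is already matched by `broad`."""
    return (broad.direction == narrow.direction
            and narrow.src.subnet_of(broad.src)
            and narrow.dst.subnet_of(broad.dst)
            and broad.proto in ("any", narrow.proto)
            and broad.dport in (None, narrow.dport))


def check(rules):
    """Return (rule name, problem) pairs in ruleset order."""
    findings = []
    for i, r in enumerate(rules):
        permit = r.action == "allow"
        if permit and r.src == ANY and r.dst == ANY and r.proto == "any" and r.dport is None:
            findings.append((r.name, "allows any source to any destination"))
        if permit and r.direction == "out" and r.dst == ANY and r.dport is None:
            findings.append((r.name, "unrestricted outbound traffic"))
        if permit and r.src == ANY and r.proto == "tcp" and r.dport in EXPOSED_MGMT:
            findings.append((r.name, f"{EXPOSED_MGMT[r.dport]} (tcp/{r.dport}) open to any source"))
        # A rule nobody can reach is either dead weight or, worse, a deny that never fires
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append((r.name, f"shadowed by earlier rule {earlier.name}"))
                break
    return findings


if __name__ == "__main__":
    for name, problem in check(RULES):
        print(f"{name}: {problem}")
```

On the constructed ruleset the "temporary" telnet permit is reported twice over: once for exposing telnet to any source, and again because the deny placed under it can never fire. The shadow check only catches rules fully covered by one earlier rule; partial overlaps need a more involved pass. None of this replaces the validation the slide asks for, which is probing the firewall from outside to confirm that the policy you parsed is the policy actually enforced.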
• Explicit trust is a dangerous game.
• Users are not malicious for the most part, but they must be protected against themselves.
• Don’t overlook email threats.
• Don’t overlook social engineering threats.
• Build a trusted relationship with a security consulting organization that is vendor neutral.
• Observe what other organizations in similar industries and of similar size are doing.
Questions?

Steve Manzuik
smanzuik@sidc.net
steve@security-sensei.com
