Defense In-Depth
There is no magic when it comes to network security; multiple layers of protection
must be deployed.
All three areas of the CIA triad (confidentiality, integrity, availability) are important for any organization, but there is always a priority, for example:
Confidentiality: government
Availability: e-commerce
Approaches to DiD:
Uniform Protection
SANS 401.2 1
the same controls (firewall, VPN, antivirus…) applied equally across the whole network
Protected enclaves
internal firewalls
Information centric
If your network is not partitioned, nothing prevents an exploit from spreading. “You
cannot protect what you do not know.”
To manage a configuration, you need two things:
Data Classification
Two categories of classification scheme: government/military (the levels below) and private/commercial data.
Top Secret
Secret
Confidential
Unclassified
No organization is able to protect all of its data (especially a big company), so
you should classify the data in order to protect what is sensitive.
Identify roles
Passwords should be used with multi-factor authentication.
Talked about the difference between hashing and cracking, and John the Ripper. Factors that determine how hard a hash is to crack:
Quality of Algorithm
Key Length
CPU Cycles
Password length
Pre-computation attack: compute the hashes of a large number of candidate values in
advance and store them in a database (a lookup or rainbow table); when you need to
crack a hash, you simply look up its match. Per-password salts defeat this, because
the table would have to be rebuilt for every salt.
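The attack described above, and the salt caveat, as an added example (not code from the course or the notes). The wordlist, the hashes and the use of a single MD5 round are constructed for illustration; a real system should store passwords with a slow KDF (bcrypt, scrypt or PBKDF2) rather than one hash round.

```python
import hashlib
import os

# Constructed sample wordlist; a real attacker would feed a large dictionary
# to a tool such as John the Ripper.
WORDLIST = ["password", "letmein", "summer2013", "P@ssw0rd", "correcthorse"]


def unsalted_hash(password, algo="md5"):
    """Plain hash of the password, the way weak systems store it."""
    return hashlib.new(algo, password.encode()).hexdigest()


def build_lookup_table(words, algo="md5"):
    """Pre-computation step: hash every candidate once and index by digest.
    This cost is paid once; every later crack is a dictionary lookup."""
    return {unsalted_hash(w, algo): w for w in words}


def crack_unsalted(target_hash, table):
    """Recover the plaintext for an unsalted digest with a single lookup."""
    return table.get(target_hash)


def salted_hash(password, salt, algo="md5"):
    """Hash with a per-user random salt prepended.  (Simplified: a real
    system should also use a slow KDF, not a single MD5 round.)"""
    return hashlib.new(algo, salt + password.encode()).hexdigest()


def crack_salted(target_hash, salt, words, algo="md5"):
    """With a salt the precomputed table is useless: the attacker must hash
    the whole wordlist again for *this* salt, so the cost is paid per hash
    instead of once for all of them."""
    for w in words:
        if salted_hash(w, salt, algo) == target_hash:
            return w
    return None


def demo():
    table = build_lookup_table(WORDLIST)

    # Unsalted digest "stolen" from a breach: cracked instantly by lookup.
    stolen = unsalted_hash("summer2013")
    unsalted_result = crack_unsalted(stolen, table)

    # Same password stored with a random salt: the table has no entry for it.
    salt = os.urandom(8)
    stolen_salted = salted_hash("summer2013", salt)
    table_miss = crack_unsalted(stolen_salted, table)

    # Only a fresh per-salt dictionary run recovers it.
    salted_result = crack_salted(stolen_salted, salt, WORDLIST)
    return unsalted_result, table_miss, salted_result


if __name__ == "__main__":
    print(demo())  # ('summer2013', None, 'summer2013')
```

The asymmetry is the point: the table is built once and reused against every unsalted hash ever stolen, while a salted hash forces the attacker back to the per-hash cost of `crack_salted`, which a slow KDF then multiplies.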
Security Policy
The more you understand the organization’s concerns, the better you are able to sell your ideas.
A mission statement has to be operational, otherwise it’s just good intentions.
Installing Software
Purpose
Related documents or references
Cancellation or expiration
Background
Scope
Policy Statement
Responsibility
Action
Types of Policies
Program Policy
Issue-Specific Policy
System-Specific Policy
Two example issue-specific policies:
Copyright
We need priorities, and someone to take a stand and provide the industry with a
set of real priorities for defense.
Securing our nation against cyber attacks has become one of the nation’s highest
priorities.
Defenses should be automated where possible and periodically or continuously
measured using automated measurement techniques where feasible.
Root-cause problems must be fixed in order to ensure the prevention or timely
detection of attacks.
Some explanation
Defenses
One or two tests that could be performed for each of the critical controls, which
would help the evaluation team determine whether or not the defined business
goal of the control has been met.
You likely will not pass all the tests the first time you try; the goal
is to reduce the organization’s risk level.
Effectiveness Measures
Two different measure types:
Automated measurement: information you can collect automatically from your
security sensors to give you a better perspective on the risk your organization
faces.
Shimomura is the one who got hacked, and he was a security researcher 🙂.
Mitnick performed a DoS attack via SYN flooding to silence one of the trusted
machines, then spoofed its IP address to gain access to the target computer
(the spoofed connection worked because the target’s TCP initial sequence numbers
were predictable). From this system, Mitnick could obtain the files he wanted.
The story of this attack is quite interesting; Shimomura wrote a book about it called
“Takedown: The Pursuit and Capture of Kevin Mitnick, America’s Most Wanted
Computer Outlaw”.
Patching Systems
Firewalls
With APT the game has changed, and the question you have to ask is: do you know
the rules of the new game?
The only way to protect yourself 100% is to turn off your computer.
The primary goal of an APT is long-term occupation: data mining and malicious activity,
while ensuring future access.
Constant aggressor.
Organization
Technology
1. Persistent (Targeted)
2. Advanced
There is no technology that will make you secure. Every technology
has a purpose and works well for the purpose it was designed for,
but no technology will be effective against all types of threats.
Anti-Virus
Firewalls
IPS/ IDS
Email Filters
Signature based
Payload Analysis
Today’s adversary uses unique code for each attack, so the signature is
different each time they launch it; even if the same exploit is needed, they
use obfuscation techniques and re-compile the code, which then no longer
contains the original signature.
Likewise, if the payload is encrypted it will pass through the security defenses
undetected, unless you have other techniques (such as payload analysis) to detect it.
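The two previous points (a re-encoded payload slipping past a byte signature, and payload analysis catching it anyway) as an added example; this is not code from the course or the notes. The "payload", the signature database and the single-byte XOR packer are constructed stand-ins: the brute force over 255 keys works only because the transform is that weak, which is exactly why a payload under real encryption needs other techniques.

```python
# Constructed stand-in for a known-bad payload: a NOP sled followed by a
# shell-spawn string.  Real signatures are byte patterns taken from samples.
ORIGINAL_PAYLOAD = b"\x90" * 16 + b"/bin/sh\x00"

# Constructed signature database (name -> byte pattern).
SIGNATURES = {
    "nop-sled": b"\x90" * 8,
    "shell-spawn": b"/bin/sh",
}


def signature_scan(data, signatures=SIGNATURES):
    """Classic signature matching: which exact byte patterns occur in data."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def xor_obfuscate(payload, key):
    """Attacker side: re-encode the same exploit with a fresh single-byte XOR
    key so the bytes on the wire differ every time.  The key is stored in the
    first byte, standing in for a small decoder stub."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 would leave the payload unchanged)")
    return bytes([key]) + bytes(b ^ key for b in payload)


def payload_analysis(data, signatures=SIGNATURES):
    """Defender side: do not trust the bytes as seen; undo the suspected
    transform (here every single-byte XOR key) and rescan.  Returns
    (key, hits): key 0 means the plaintext matched directly, None no match."""
    hits = signature_scan(data, signatures)
    if hits:
        return 0, hits
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in data)
        hits = signature_scan(decoded, signatures)
        if hits:
            return key, hits
    return None, []


def demo():
    plain_hits = signature_scan(ORIGINAL_PAYLOAD)             # caught
    evasive = xor_obfuscate(ORIGINAL_PAYLOAD, 0x5A)
    evasive_hits = signature_scan(evasive)                    # missed
    recovered_key, analysis_hits = payload_analysis(evasive)  # caught again
    return plain_hits, evasive_hits, recovered_key, analysis_hits


if __name__ == "__main__":
    print(demo())
```

Every re-packing with a different key changes all the bytes, so a signature written against the original sample never fires; the analysis side wins only because it reverses the transform before scanning. Swap the XOR for a real cipher with an unknown key and `payload_analysis` has nothing to brute-force, which is the gap the notes describe.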
APT Remediation
Part of the remediation plan has to involve forensics and cleaning up the
system.
It’s always important to prioritize your assets. One of the challenges is that
organizations try to do too much and end up doing very little, so you have to
focus on the critical assets …
Intelligence
Fraud
Perception management
Decrease availability
Theft, DoS, sabotage, ransomware