Friday, 31 March 2023

Network Security Threats and Countermeasures-Security Recommendations, Counter measures and Security Baseline


In this session you will learn:
▪ Security Configuration Checklist
▪ Checklist Usage
▪ Checklist Development
▪ Checklist Procedures
▪ Security Compliance Toolkit
▪ Implementing Security Countermeasures in Defense Layers
▪ Firewall Anti-Evasion Techniques
▪ Firewall Security Recommendations and Best Practices

Security Baseline
▪ Comprehensive set of policies
▪ Provide hardening for
o Windows OS
o Authentication
o Authorization
o Application environments
▪ Implemented as GPOs
▪ Configured with Security Compliance Manager

The Contentious History of Microsoft Security 


Creating Security Baseline 


Security Configuration Checklist

▪ Document that contains instructions or procedures for configuring an IT product for an operational environment.
Also known as:
o Lockdown Guide
o Hardening Guide
o Security Guide
o Security Technical Implementation Guide [STIG]
o Benchmark

Security Configuration Checklist 

A checklist might include any of the following:
▪ Configuration files that automatically set various security settings
▪ Documents that guide users through manually configuring an IT product
▪ Documents that explain the recommended methods to securely install and configure a device
▪ Policy documents that set forth guidelines
▪ Administrative practices for an IT product

Types of devices and software for which security checklists are intended are:
▪ General purpose operating systems
▪ Common desktop applications
▪ Infrastructure devices
▪ Application servers
▪ Other network devices

Benefits of Security Checklists 

Some benefits associated with using checklists are:
▪ Provides a baseline level of security
▪ Reduces the time required to research and develop configurations
▪ Allows smaller organizations to implement security configurations
▪ Prevents public loss of confidence

Checklist Usage
▪ High-level process 
▪ Follow when retrieving and using checklists 
▪ The process will apply to most situations
▪ Guidance on conducting an initial analysis
▪ Process for selecting and retrieving checklists 
▪ Recommends steps for analyzing, tailoring, and applying the checklist

Checklist Procedures

▪ Analyze local requirements, security needs and policy, and identify the operational environment model.
▪ Browse the repository for checklists that match the IT product
▪ Review the downloaded checklists, then test and customize them to reflect local policy and functionality
▪ Prepare to apply the checklists in production
▪ Apply the checklists to production systems
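The five steps above (analyze, retrieve, tailor and test, prepare, apply) as a small compliance evaluator, added here as an example; it is not code from the original page, from NIST or from any Microsoft tool. The checklist item ids, setting names, host snapshot, local override and waiver are all constructed for illustration; a real checklist (a STIG, CIS Benchmark or Microsoft baseline) would be translated into the same CheckItem structure by the organization adopting it. The same evaluator serves the security baseline bullets earlier on the page, since a baseline is just a checklist with agreed expected values.

```python
"""Evaluate a host against a security checklist, with local tailoring.

Added example (not from the original page, NIST or Microsoft). The item ids,
setting names, host snapshot, override and waiver below are constructed; a
real checklist (STIG, CIS Benchmark, Microsoft baseline) would be translated
into the same CheckItem structure by the organisation adopting it.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# Comparison operators a checklist item may use.
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda actual, expected: actual == expected,
    "min": lambda actual, expected: actual >= expected,   # numeric lower bound
    "max": lambda actual, expected: actual <= expected,   # numeric upper bound
    "in": lambda actual, expected: actual in expected,    # allowed set
}


@dataclass(frozen=True)
class CheckItem:
    id: str
    setting: str      # key in the host configuration snapshot
    op: str           # one of OPERATORS
    expected: Any
    severity: str     # "high", "medium" or "low"
    rationale: str = ""


@dataclass(frozen=True)
class Finding:
    id: str
    setting: str
    actual: Any
    expected: Any
    severity: str
    status: str       # "pass", "fail", "waived" or "missing"
    note: str = ""


# Steps 1-2: the checklist retrieved from a repository (constructed sample).
SAMPLE_CHECKLIST: List[CheckItem] = [
    CheckItem("PW-01", "MinimumPasswordLength", "min", 14, "high", "resist guessing"),
    CheckItem("PW-02", "PasswordComplexity", "eq", True, "medium"),
    CheckItem("LO-01", "LockoutThreshold", "in", list(range(1, 11)), "high", "1-10 attempts"),
    CheckItem("SMB-01", "SMB1Enabled", "eq", False, "high", "SMBv1 is obsolete"),
    CheckItem("AU-01", "AuditLogonEvents", "in", ["Success", "Success and Failure"], "medium"),
]

# Step 3: local tailoring. Overrides change an expected value to match local
# policy; waivers record an accepted deviation with its justification.
LOCAL_OVERRIDES: Dict[str, Any] = {"PW-01": 12}        # local policy allows 12 chars
LOCAL_WAIVERS: Dict[str, str] = {"LO-01": "lockout enforced upstream (ticket PLACEHOLDER)"}

# Constructed configuration snapshot of one host (as a collection script
# would export it). AuditLogonEvents is deliberately absent.
SAMPLE_HOST_CONFIG: Dict[str, Any] = {
    "MinimumPasswordLength": 12,
    "PasswordComplexity": True,
    "LockoutThreshold": 0,
    "SMB1Enabled": True,
}


def tailor(checklist: List[CheckItem], overrides: Dict[str, Any]) -> List[CheckItem]:
    """Return a copy of the checklist with local expected values applied."""
    tailored = []
    for item in checklist:
        if item.id in overrides:
            item = CheckItem(item.id, item.setting, item.op, overrides[item.id],
                             item.severity, item.rationale)
        tailored.append(item)
    return tailored


def evaluate(checklist: List[CheckItem], config: Dict[str, Any],
             waivers: Dict[str, str]) -> List[Finding]:
    """Compare each checklist item against the host snapshot."""
    findings = []
    for item in checklist:
        actual = config.get(item.setting)
        if item.id in waivers:
            status, note = "waived", waivers[item.id]
        elif item.setting not in config:
            status, note = "missing", "setting not present in snapshot"
        else:
            status = "pass" if OPERATORS[item.op](actual, item.expected) else "fail"
            note = item.rationale if status == "fail" else ""
        findings.append(Finding(item.id, item.setting, actual, item.expected,
                                item.severity, status, note))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"pass": 0, "fail": 0, "waived": 0, "missing": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


def ready_for_production(findings: List[Finding]) -> bool:
    """Step 4 gate: no un-waived high-severity failure or missing setting."""
    return not any(f.severity == "high" and f.status in ("fail", "missing")
                   for f in findings)


def run_sample() -> List[Finding]:
    return evaluate(tailor(SAMPLE_CHECKLIST, LOCAL_OVERRIDES),
                    SAMPLE_HOST_CONFIG, LOCAL_WAIVERS)


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"{f.id:7} {f.status:8} {f.setting}={f.actual!r} (expected {f.expected!r}) {f.note}")
    print(summarize(results), "ready:", ready_for_production(results))
```

On the sample host the tailored password-length item passes only because of the local override, the lockout item is waived with its justification recorded, the SMBv1 item fails at high severity, and the missing audit setting is reported rather than silently passed; the production gate therefore stays closed until the high-severity finding is fixed or formally waived.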

Checklist Development

▪ Describes the general process of developing security configuration checklists and submitting them to the NIST Checklist Program.
▪ Includes an overview of the process NIST follows to screen checklist submissions and publish them
▪ Individual developers and organizations that wish to submit checklists to NIST should review the appendices of this document
▪ The most recent version is available as a separate file at http://checklists.nist.gov/




Security Compliance Toolkit


▪ Microsoft Security Compliance Toolkit
▪ The Security Configuration Wizard has been deprecated
▪ The Microsoft Baseline Security Analyzer has been deprecated
▪ The Security Compliance Manager has been deprecated
▪ The Microsoft Security Compliance Toolkit is the next phase and evolution of these Microsoft security products, and replaces them.




Dynatrace 

▪ Dynatrace offers data masking features to assist in complying with one’s data privacy and data protection obligations 



Firewall Anti-Evasion Techniques

▪ No network security device can guarantee 100 per cent protection
▪ Traditional threats like Stuxnet or Conficker were ones where a signature update seemed to fix the problem
▪ A simple device update does not fix the Advanced Evasion Technique (AET) problem
▪ Protection against AETs is an uphill battle
▪ Organizations should take steps to increase their protection against the threat
▪ Organizations risk serious repercussions for failing to ready their networks in the fight against AETs

Firewall Security Recommendations and Best Practices

Some recommendations and best practices are: 
▪ Testing your own network
▪ Analyzing the risks
▪ Using traffic inspection methods
▪ Re-evaluating patch management
▪ Countermeasures


Testing your Own Network

▪ Software-based, ready-made evasion test lab
▪ Gives security device owners a way to verify their devices' ability to detect, block, and report evasions
▪ Aimed at devices designed to provide deep packet inspection of data in order to detect and block malicious traffic
▪ The Evader test is specifically designed to determine how effective (or ineffective) the subject network security device is against AETs
▪ Includes only two pre-selected, old MSRPC and HTTP exploits

Evader provides: 
▪ Objective, real-life data on the anti-evasion capabilities of your current and planned network security devices
▪ An Evasion Risk Assessment for management in the form of a test report with accompanying test data


Analyzing the Risks

Audit your critical infrastructure and analyze the most significant assets of your organization: 
▪ How you store them 
▪ Where you store them
▪ Whether you back up the information 
Prioritize your assets, and make sure your critical assets and public services have the best possible protection.

Using Traffic Inspection Methods

Employ traffic inspection methods to solve the advanced evasion problem. 
▪ Identify the assets and then map out all the different ways to access those assets. 
▪ Cybercriminals have to use those same access paths to reach your information
▪ Secure those access paths using advanced network security solutions. 
▪ A technology called traffic normalization is able to strip advanced evasions from traffic before it is inspected

Re-Evaluating Patch Management

▪ Evasions may help attackers bypass network security devices, but they cannot attack a system that has been patched against the underlying vulnerability
▪ Patch testing and deployment takes time
▪ Network security devices with virtual patching and other security measures can cover that window until the patch is deployed

Countermeasures

▪ IDSs and firewalls live and die by their rules and signatures
▪ Keep signatures and software up to date
▪ Avoid falling victim to an already patched exploit
▪ Ensure that your settings allow the IDS to see fragmented data exactly as the end client will see it
▪ Set rules that account for the ways information can be fragmented
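The last two bullets, and the traffic-normalization point under "Using Traffic Inspection Methods", come down to one ambiguity: hosts that resolve overlapping IP fragments with different policies reassemble different payloads from the same packets, so an IDS that reassembles differently from the end client inspects something the client never executes. The following is an added example, not code from the original page or from any IDS or firewall product, showing both reassembly policies side by side and a normalizer that enforces one of them and alerts on conflicting overlap. The Fragment type, the "first"/"last" policy names and the sample fragments are constructed for illustration; real IP fragments carry 8-byte-aligned offsets and header fields omitted here.

```python
"""Fragment-overlap detection and normalization.

Added example, not from the original page or any IDS/firewall product. It
shows why an IDS must see fragmented data exactly as the end client will:
hosts that resolve overlapping IP fragments with different policies
reassemble different payloads from the same packets, and a normalizer in
front of the inspection engine removes that ambiguity by enforcing one
policy and alerting. Fragment layout and contents are constructed; real IP
fragments carry 8-byte-aligned offsets and header fields omitted here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    offset: int    # byte offset of this piece within the original datagram
    data: bytes
    more: bool     # True unless this is the final fragment (IP "MF" flag)


def reassemble(fragments: List[Fragment], policy: str) -> Optional[bytes]:
    """Reassemble under one overlap policy.

    "first": bytes from the earlier-received fragment win.
    "last":  bytes from the later-received fragment win.
    Returns None when the datagram is incomplete (gap or no final fragment).
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf: Dict[int, int] = {}
    end: Optional[int] = None
    for frag in fragments:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if policy == "first" and pos in buf:
                continue
            buf[pos] = byte
        if not frag.more:
            end = frag.offset + len(frag.data)
    if end is None or any(pos not in buf for pos in range(end)):
        return None
    return bytes(buf[pos] for pos in range(end))


def conflicting_ranges(fragments: List[Fragment]) -> List[Tuple[int, int]]:
    """Byte ranges [start, end) where two fragments carry different data.

    An identical overlap (a retransmitted fragment) is benign and not listed;
    a conflicting one has no legitimate use and is exactly the ambiguity the
    IDS must not leave unresolved.
    """
    first_seen: Dict[int, int] = {}
    conflict = set()
    for frag in fragments:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if pos in first_seen and first_seen[pos] != byte:
                conflict.add(pos)
            first_seen.setdefault(pos, byte)
    ranges: List[Tuple[int, int]] = []
    for pos in sorted(conflict):
        if ranges and ranges[-1][1] == pos:
            ranges[-1] = (ranges[-1][0], pos + 1)
        else:
            ranges.append((pos, pos + 1))
    return ranges


def normalize(fragments: List[Fragment]) -> Tuple[Optional[bytes], List[str]]:
    """Normalizer: one fixed reassembly rule for IDS and hosts, plus alerts.

    Returns the canonical payload to inspect and forward, and alert strings.
    A stricter deployment would drop any datagram with conflicting overlap
    instead of forwarding the canonical form.
    """
    alerts = [f"conflicting fragment overlap at bytes {s}-{e - 1}"
              for s, e in conflicting_ranges(fragments)]
    payload = reassemble(fragments, "first")
    if payload is None:
        alerts.append("incomplete datagram: gap or missing final fragment")
    return payload, alerts


# Constructed sample: a 16-byte datagram in three fragments; the second and
# third disagree about bytes 8-11.
SAMPLE_FRAGMENTS = [
    Fragment(0, b"ABCDEFGH", True),
    Fragment(8, b"1234", True),
    Fragment(8, b"wxyzIJKL", False),
]

if __name__ == "__main__":
    for pol in ("first", "last"):
        print(f"{pol}-wins host sees: {reassemble(SAMPLE_FRAGMENTS, pol)!r}")
    payload, alerts = normalize(SAMPLE_FRAGMENTS)
    print("normalized:", payload, alerts)
```

Running it shows a "first-wins" host and a "last-wins" host reading two different 16-byte payloads from the same three fragments, which is the gap a signature-based IDS falls into when its reassembly policy differs from the end client's. The normalizer returns a single canonical payload for everything downstream and raises an alert for the conflicting range; a benign retransmission of identical data produces no alert, so the rule does not fire on ordinary packet loss and retry.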
