Tài liệu Intrusion Detection The Big Picture – Part VI pdf

74 357 0
Tài liệu Intrusion Detection The Big Picture – Part VI pdf

Đang tải... (xem toàn văn)

Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống

Thông tin tài liệu

Intrusion Detection The Big Picture – Part VI Stephen Northcutt Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 This page intentionally left blank Intrusion Detection Roadmap What are the pieces and how they play together • Honeypots • Firewalls – Proxy, State Aware, Filtering Routers • Risk Assessment and Auditing – Introduction to Risk Management – Knowledge-Based Risk Assessment – Online Auditing Tools Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 This page intentionally left blank Seven Most Important Things to Do if Security Matters • Write the security policy (with business input) • Analyze risks, or identify industry practice for due care; analyze vulnerabilities • Set up a security infrastructure • Design controls, write standards for each technology • Decide what resources are available, prioritize countermeasures, and implement top priority countermeasures you can afford • Conduct periodic reviews and possibly tests • Implement intrusion detection and incident response Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 You will notice that I have never read a slide to you in the entire time together, so please bear with me • Write the security policy (with business input) • Analyze risks, or identify industry practice for due care; analyze vulnerabilities • Set up a security infrastructure • Design controls, write standards for each technology • Decide what resources are available, prioritize countermeasures, and implement top priority countermeasures you can afford • Conduct periodic reviews and possibly tests • Implement intrusion detection and incident response So here on this slide we have another big picture view of information security Students that complete Information Security KickStart and Security Essentials certification are well on their way to accomplish each of these This is by no means the only way to approach building a security capability, but it is a comprehensive high level view Theory of Risk Assessment Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 It is critical to have an understanding of risk management to properly choose and deploy intrusion detection and response assets To manage risk, one must be able to assess it In this section of the course we will cover the basic theory of risk assessment We will also talk about three methods of risk assessment: qualitative, quantitative, and knowledge-based (also known as best practices) The Three Risk Choices • Accept the risk as is • Mitigate or reduce the risk • Transfer the risk (insurance model) Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 Whether or not we explicitly choose, we have exactly three options and we choose between: acceptance, mitigation, and transference When we accept the risk, this means we make no changes in policy or process This decision means that we judge the risk of a given threat to be inconsequential in the greater scheme of things If we feel the threat is significant and could cause harm to our business or enterprise, then we have the option of taking action to protect operations by reducing the risk A firewall or system patch are obvious examples of risk mitigation Transferring the risk is sometimes a workable technique The classic example is to buy insurance This means that you not have to fully protect yourself against a catastrophic threat Instead, for a fee you pass this risk to a risk broker that insures you up to some limit against the threat A real world example of this is hacker insurance The insurance company still expects you to have a firewall and patches, but insures should these fail Risk Management Questions • What could happen? (what is the threat) • If it happened, how bad could it be? (impact of threat) • How often could it happen? (frequency of threat - annualized) • How reliable are the answers to the above three questions? (recognition of uncertainty) Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 In order to decide between the choices (accept, mitigate, or transfer risk) we want to make, we analyze the risk to better understand it What exactly are we afraid of? What is it - can we name it specifically or is it just a vague, uneasy feeling? If the threat is successful, how bad will it hurt? What is the probable extent of the damage? How often is this likely to occur? Is this more like a hundred year flood, or a hot day in Biloxi, Mississippi? We are more willing to accept the risk of a threat that is not likely to happen often But, if something can damage us on a daily basis, this is a significant problem Finally, how we know? In the cyberworld, how accurate are our risk calculations when new program or operating system vulnerabilities are discovered weekly? Uncertainty Uncertainty is the central issue of risk management! (What would happen to James Bond if his luck failed in those stunts he does?) Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 Have you ever wondered why Bond (James Bond) never gets shot, can jump off of an airplane without a parachute and live, and never loses at cards? It is simple! He read the script! In fact he may have had a hand in writing it Since they follow the script, the stunts he does are closer to professional wrestling because he certainly knows he is going to get the bad guy – and the girl He wouldn’t look half so composed if he was uncertain as to what was going to happen Uncertainty then, is the heart of risk management Risk Requires Uncertainty If you have reason to believe there is no uncertainty, there is no risk For example, jumping out of an airplane two miles up without a parachute isn’t risky; it is suicide For such an action there is a 1.0 probability you will go splat when you hit the ground and almost 0.0 probability you will survive Probability ranges between 0.0 and 1.0 though people often express it as a per cent Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 Jumping out of an airplane with a parachute involves risk If you were to try the James Bond stunt of jumping out of an airplane without a chute you are committing suicide, but you aren’t doing anything risky Risk involves uncertainty Let’s tie this back to the information assurance world If you run a DNS server that has known vulnerabilities and is neither patched nor shielded by the perimeter, it is certainly going to be compromised It might not happen in a single day, but it will happen over the course of a year In the same way that gravity is the compelling reason jumping from a plane sans chute is near-certain death, the continuous probing and poking of exposed systems on the Internet is the compelling reason the box will be compromised So what? How bad can a compromise be? Well, once they compromise the box they have the ability to manipulate your organization’s trust model If you have valuable assets, that may be what happens Or they may just create weird system domains and hit systems all over the Internet, giving your organization a bad name What is an Unacceptable Risk? • You can define the threat • If it happened, it would be bad (high impact) • If one shot didn’t kill you, and then it hit you again and again (frequent threat) • There is high certainty the threat exists, it is high impact, and potentially could occur multiple times Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 So, it would seem that running an unpatched, unshielded DNS server is not an acceptable risk To be an unacceptable risk, it has to be a defined threat They will compromise the DNS server, most likely via a buffer overflow How bad would it be? If they chose to manipulate the trust model and had several days to work without being detected - such as over the Christmas holidays - they could make considerable headway at owning the entire organization’s information assets You might never get them dislodged What if they chose simply to use your box to attack others? People are usually forgiving if it only happens once, but there are domains that have been compromised a number of times These are not usually respected and may even be blocked One of the classics is the Brazilian Research Network This loose group of addresses has been the source of hundreds and hundreds of attacks against Internet hosts The price? Besides being a standing joke, legitimate users continue to find their access blocked Single Loss Expectancy (SLE - one shot) • Asset value x exposure factor = SLE • Exposure factor: - 100% of loss to asset • Example Nuclear bomb/small town ($90M x 100% = $90M) Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 10 How much financial loss am I willing to accept in a single event? It all comes down to money in the end When considering one shot, or Single Loss Expectancy (SLE), we consider the value of the information resource asset Example: a company’s top salesman accounts for 25% of their $40 million in revenue, or $10 million His client contact list and fee schedule is stored on his laptop and is not encrypted If it fell into the wrong hands it would be worth at least 10% of its value to the competition ($1 million) and possibly more if they can finesse the information So we find we can calculate a minimum approximate SLE, but there is uncertainty as to a maximum value Another example: an author takes a royalty of $100,000 to write a book He receives partial payments every 25% of the project What is the SLE if his hard drive crashes at the 70% mark and the data is not recoverable? 25,000 x 80% or $20,000, unless he has been sending chapters in as they are done 10 ... practices) The Three Risk Choices • Accept the risk as is • Mitigate or reduce the risk • Transfer the risk (insurance model) Intrusion Detection - The Big Picture – SANS GIAC ©2000, 2001 Whether or... review 15 For knowledge-based risk assessment to be effective the developer of the system must have the knowledge and mindset to think like an attacker! Intrusion Detection - The Big Picture –. .. said review Include the signature(s) of those conducting the review ( ) There are no Anonymous users ( ) All accounts are password protected Intrusion Detection - The Big Picture – SANS GIAC ©2000,

Ngày đăng: 10/12/2013, 14:16

Từ khóa liên quan

Tài liệu cùng người dùng

  • Đang cập nhật ...

Tài liệu liên quan