Rants
Questions
Soapbox
Best Practices
Apply today for a FREE subscription to CIO Magazine!
Sat, Sep 29, 2007 13:53 EDT
|
Posted by: mattroedell in Best Practices Topic: Infrastructure
Current Rating: |
Information Security: Part 2: 7 Data Leaks You Can’t Ignore
I received many comments on layer 2 port security from the readers of my last article, Information Security: 7 Data Leak’s You Can’t Ignore. Some readers deemed it necessary to tell me that they could bypass my controls using spoofing and other tactics and that my solution was not effective. If everyone recalls, the main purpose of my last article was to give some insight on cost effective ways to mitigate risk. I shared some of the “no cost” things that I have implemented to increase the security posture of my organization. The information I provided was not a comprehensive security program nor did I present it as such. If you have nothing in place to protect your access layer, port security is a “zero dollar no brainer solution” to protect you against the most common threats to your environment. Some of these more common threats are a vendor connecting an un-patched laptop running an outdated anti-virus to your network for a presentation. An employee connecting a wireless access point in default configuration mode they purchased at their local Best Buy so they can be more productive and work from a conference room. The purpose of port security is to guard against these common threats…not a malicious person trying to compromise your network.
With that being said, I will now share with you some additional layers of security that my staff and I have implemented to mitigate the malicious person from connecting to your network. Keep in mind this is not our comprehensive solution but I feel confident enough to share some details with you. These solutions are HIGHLY effective when no one on your network is admin of their local PC. For this, you will need the TriGeo SIM and a few hours to configure the rules and test them. If you are lucky enough to convince your Board to drop 50K on the TriGeo SIM you can rest easy. Rules can be built using their drag & drop GUI to create the following layered defense model:
Defense Layer 1
Proper physical controls: Nothing technical here. Visitors must wear badges and be escorted at all times.
End user education: Users must be educated on how to detect social engineering and the common tactics used by these individuals.
Effective policy distribution & acceptance: Users must know & understand your policies and sign a document acknowledging their roles in keeping the institution secure.
Defense Layer 2
Port-Security Violation: If the mac-address does not match my switch config file, shut port and send an email to the information security department.
DHCP No Agent: If a DHCP request is received, check for the TriGeo agent installation file. If no agent is detected, send an email to information security with the PC name and IP address.
No Anti-Virus: If a PC joins the network (DHCP or Static) and is not running Antivirus solution “X”, send an email to the information security department.
If you manage to bypass layers 1 & 2, here is Defense Layer 3
TCP/UDP Scan Attack: If “X” amount of TCP/UDP packets are detected in “X” seconds send an email to the information security department.
ICMP Scan Attack: If “X” amount of ICMP packets are detected in “X” seconds send an email to the information security department.
Admin Used: If admin, administrator, guest account or “X account” attempted authentication occurs, send an email to the information security department. This is very effective since no one in my environment is permitted to
Thank you for posting enabling technical ideas. Each step to reduce risk at the technical level is welcome. Naturally simple, low-cost gains will not cure the world. But, I have learned that it is the simple omissions of controls within our reach that get us into most of our troubles.
I would like to expand the subject a bit. To do this, I would like to roughly classify your article in to the area of "Technical" data leakage. By this, I mean that your approach is based in a bottom up approach to risk closure in the technology perspective. This is an absolutely good area to provide help but not the whole data leakage story.
The other kind of data leakage which I will call "Categorized Information" data leakage is much more a question of meaning and valuation of information. This kind of data leakage includes spreadsheets with account data mistakenly emailed to the wrong people. Or, allowing bittorent to download data from a company internal network drive; thus, dumping sensitive corporate records to the open internet. Somehow, I doubt that any of the technical controls proposed would help with these gaffs in a direct way. This is because, the user did not understand and so did not act consistently with the valuation of data or the categorization of the information being leaked.
This "Categorized Information" data leakage also has some simple, low cost approaches. One method places limits on approved software down-loaded from the internet: bittorrent, utorrent, limewire, etc. Another method is an often overlooked area of awareness training. None of these solutions solve all problems. But each layer helps.
The low cost part of these solutions fit into a good security return on a protection investment. The financial logic of security is easy to understand at an intuitive level.
* 15 cents of security can help protect 1 Million dollars worth of data; if so, do it.
* 1 Million dollars of security might only protect 15 cents of data; if so, do not do it.
It is worth thinking through the value of the spreadsheet sitting in your Email inbox or on a shared drive. Particularly if you think it is worth more than 15 cents.
Best Wishes
Don Turnblade
MS, CISA, CISSP
Principle, Arctific Inc
Don,
I you would have read my first article and then the second; you would know that none of scenarios you listed are possible on my network.
Users can not get to file sharing sites because they are blocked by Websense.
Users can not email ANY file containing sensitive data out my internet connection because of the content inspection product that sits between my outside firewall and internet router.
Thanks,
Matt
For those of you who reply...please take the time to read BOTH of my articles.
Don,
As far as your comments go...I can't find any info on the company you are a "Principle" of...not even so much as a website!!!
Care to comment?
Regards,
Author
Matt,
1) Consider the Arizona Corporation, You will find Arctific legally registered there.
2) Arctific was created to address high risk ethical hacking requirements of my clients. If I am tasked to complete a red team risk demonstration to meet my client's needs, it is fair to build a structure that protects my home in the case of a downside outcome. A class C corporation satisfies that need on a national or international basis as a matter of corporate law, so long as I am worthy of my CISSP certification and behave honorably and ethically at all times.
3) Why do I not have a website, yet? An interesting question... On the one hand, it would be an obvious hacking target to embarrass as Information Security Professional by hacking it. On the other hand, I am still considering the non-vanity marketing potential of the website.
To spend a moment on Vanity, I have already demonstrated ethical hacking levels of trust greater than $1B in electronic money. I take pleasure in the effective security improvements of all of my clients well above giving out names; I am not speaking of my present client, which is much larger still.
Best Wishes
Don Turnblade
Principle, Arctific Inc
http://www.linkedin.com/in/arctific
Useful Keywords to learn more: Arctific or Turnblade
Matt,
I really hope that your network is architected better than many others. I really did like your positive focus on easy to implement "technical" data leakage defenses. I would like go on describing ideas that work or frustrate various cheats or hacks against a corporation; doing so is always the bright spot of my day.
If you truly do have a network architecture where the words, "can never happen" correctly apply, I would be glad to see it. I will not ask for any form of actual test. A network diagram and walk through should be instructive enough for me.
Terms: for the privilege of a network Visio diagram that includes the position of a sample Internet connected Email server, a sample internal file server and a sample internal PC and a walk through, I will ship a six pack of your favorite. The six pack of your favorite must be legal and simply obtainable in the USA and legal to ship to the location of your choosing using common carriers like DHL or UPS. You have inspired me, and I am serious.
Best Wishes
Don Turnblade
MS, CISSP, CISA
Principle Arctific Inc
602-881-3348