s e c u r i t y k p i s
play

S E C U R I T Y K P I S by: steven aiello ver: 2.0.1 - PowerPoint PPT Presentation

Apr 02, 2024 •497 likes •794 views

S E C U R I T Y K P I S by: steven aiello ver: 2.0.1 Introduction. Steven Aiello Security & Compliance Solutions Principal SANS GCIH License 29615 Mentor Status CISA SANS GSEC License 353652 Mentor Status VCAP - DCA OSCP (In

  1. S E C U R I T Y K P I S by: steven aiello ver: 2.0.1

  2. Introduction. Steven Aiello Security & Compliance Solutions Principal SANS GCIH License 29615 – Mentor Status CISA SANS GSEC License 353652 – Mentor Status VCAP - DCA OSCP – (In Progress) VCAP - DCD CISSP VCP

  3. This is where I’ve been It’s been a long road… Endpoint Network Logging Systems Admin. Web Development Compliance I.R. A.D.

  4. Performance is the best way to shut people up. ” - Marcus Lemonis

  5. The Data What does the data say about our efforts in cyber security? 101.6 20 6 4 the money the results the activity the change $

  6. 2020 $101.6B “ In 2020, these organizations are expected to spend $101.6 billion on cybersecurity software, services, and hardware, according to research released Wednesday by the International Data Corporation. This equates to a 38% increase from the $73.7 billion that IDC projects 38 % 2016 organizations will spend on cybersecurity in 2016.” Oct 12 th 2016 fortune.com

  7. 2016 “disclosed by the affected customer or an external “ threat actor bragging or Employee notifications were the extorting their victims.” most common internal discovery method for the second straight year and there was also an uptick identification through internal financial audits, associated with business email compromise law (BEC). Third-party disclosure is up due to an increase in numbers of breaches disclosed by the affected customer or an external threat actor bragging or extorting their victims.” DBIR 2017 verizon

  8. How likely you are to be breached if you’ve had an event 100% Broken down by industry 90% 80% 70% Accommodation 93% 60% Healthcare 65% 50% Finance 47% 40% Manufacturing 20% 30% Information 16% Professional 4% 20% Public 1% 10% 0%

  9. Top attack vectors of known breaches Attack vectors of confirmed breaches: Email & Email Attachments 43% Backdoor or C2 (Hacking) 24% Web Application 19% Direct Install 6% LAN Access 4% Partner Facility 4% Backdoor or C2 (Hacking) Email & Email Attachments Web Application Direct Install LAN Access Partner Facility

  10. Top six actions by threat actors “ The top six threat action varieties that follow the well-traveled path of phishing users to install C2 and keylogging software in order to capture credentials that are used to authenticate into, and exfiltrate data out of, organizations.” DBIR 2017 verizon

  11. To recap what’s happening 81% of breaches leveraged weak or stolen passwords, this includes password hashes… Top 6 66% actions threat actors of malware was use involve valid installed via malicous passwords to move email attachments laterally through the network Top 6 24% actions threat actors use involve valid passwords to of breaches involved access data and exfiltrate backdoors or “hacking” it [within days] …

  12. Four security KPIs Confidence in account Minimization and monitoring validity of lateral movement What percentage of systems have What level of confidence does the unilateral access to other hosts? What organization have that user accounts policies and technologies can organizations authenticating to systems are being put in place to gain visibility? properly used? Confidence in system control Data monitored for anomalous access What are our patch times for operating systems, CotS applications, internally What data is important to the business? developed applications? How do we What are “normal” data access patterns reduce patching cycles? For systems by user account? How does the that cannot be patched, leverage organization monitor for changes in data application white listing. access patterns?

  13. Four security KPIs KPI number one: Confidence in account validity Account validity is possibly the most difficult KPI to score well in. No, your two factor authentication will not protect you … Protection from Kerberos Golden Ticket Mitigating pass the ticket on Active Directory CERT-EU Security 2014-07

  14. KPI one: confidence in account validity 01 02 03 2FA == local logon only SMB is the problem Kerberos is the problem Two-factor authentication only Protection from PTH attacks Creating the Golden Ticket protects user logon attempts from • psexec bypasses 2FA • KRBTGT password hash the Windows console or RDP • Domain admin. username • Domain name • Domain SID

  15. KPI one: confidence in account validity 01 02 03 Disable cached creds If not possible… Kerberos is still the problem Within Active Directory Group For mobile users: Protection from the Golden Ticket Policy: \Security Settings • KRBTGT password hash \Computer Configuration \Local Policies • Domain admin. username \Windows Settings \Security Options • Domain name \Security Settings Interactive Logon: Number of • Domain SID \Local Policies previous logons to cache (in case If a golden ticket is created the \Security Options domain controller is not available) only way to invalidate the ticket is Do not allow storage of passwords to reset the KRBTGT two times and credentials for network authentication

  16. Four security KPIs Confidence in system control 1 Document patch cycles Not all systems can be patched, however, you should understand what those limitations are and seek to improve on them 2 Whitelist what you can’t rapidly patch If systems are so sensitive they cannot be patched, by that merit they should not change. Application whitelisting should be used on systems that change infrequently 3 Isolate what you can’t patch or whitelist

  17. KPI two: confidence in system control 2017 2018 2019 2020 “You can't manage what Are you patching your If your application vendors Understanding your you can't measure." applications as fast as wont let you patch, whitelist. current state and making Peter Drucker. you patch your OS? Use it where needed – don’t progress towards your overextend. goal is key 90% 3/5 Measure your Whitelist fixed progress use systems Can you patch 90% in 30 days?

  18. KPI two: confidence in system control Sometimes Apache Struts 2 is the perfect isolation is your example… only option… https://arstechnica.com/information-technology/2017/09/exploit- goes-public-for-severe-bug-affecting-high-impact-sites/ Patch: step 1 Rebuild web applications: step 2 Potentially change code that calls Struts: step 3 Before someone with Metasploit attacks… https://github.com/rapid7/metasploit-framework/pull/8924

  19. Four security KPIs Minimize [and monitor] lateral movement Minimizing lateral movement includes defining normal traffic patterns in the user LAN segment, and monitoring for policy violations.

  20. KPI three: minimize and monitor lateral movement 66% 81% 100% Attacking the User Harvesting Credentials Lateral Movement Users WILL open office If you implement the The user will have to move documents, it’s part of their job. recommendations from KPI 1, across the network, this is your Security needs to protect users the amount of credentials opportunity to discover their while they are doing their job. available will be greatly limited. actions. Understanding valid network traffic is critical. First Second Third

  21. KPI three: minimize and monitor lateral movement PING scans Policy: don’t allow it on user LANs Attacks WILL come TCP/UDP port scans from the user LAN Policy: don’t allow it on user The brunt of attacks will be LANs focused on your users; this ends up being a “good thing” No SMB shares because it makes lateral All file sharing should go back movement easier to detect… to the datacenter John Doe Users should know company policy…

  22. KPI three: minimize and monitor lateral movement Every company I’ve pVLANs & ACLs Our starting point worked for has used pVLANs with post ACLs require zero capital investment as long as pVLANs your switches are sized properly I was shocked when I realized most Netflow monitoring Visibility is key companies were NOT using pVLANs in their user LANs. There are open source and commercially available packages ADP 2003 for netflow monitoring; select SaaS Provider one and master it. LAN & data center Investment required OnlineTech micro-segmentation 2012 Iaas Provider If you’re operating at a larger scale, you may require an investment in software to help you manage micro-segmentation

  23. Four security KPIs Data monitored for anomalous access “ Data is the new gold” Mark Cuban

  24. KPI four: data monitored for anomalous access 90% of focus should Good security be applied here! doesn’t protect bad data… some... data is gold Understanding what data you most data is pyrite have, where it lives, and who [fool’s gold] can access it will be critical to successful GDPR compliance 90% Focus is what you say no to, let the 90% go … [most] of your data is probably fool’s gold 10%

  25. The effort To do this well you will most likely need a commercial product [unfortunately]…

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

First Order Logic Philipp Koehn 9 March 2017 Philipp Koehn Artificial Intelligence: First Order

First Order Logic Philipp Koehn 9 March 2017 Philipp Koehn Artificial Intelligence: First Order

First Order Logic Philipp Koehn 9 March 2017 Philipp Koehn Artificial Intelligence: First Order Logic 9 March 2017 Wittgenstein: Tractatus Logico-Philosophicus 1 1. The world is everything that is the case. 2. What is the case (a fact) is

887 views • 36 slides
Lobachevsky Geometry and Image Recognition Metric invariants in image recognision Nadiia

Lobachevsky Geometry and Image Recognition Metric invariants in image recognision Nadiia

Lobachevsky Geometry and Image Recognition Metric invariants in image recognision Nadiia Konovenko & Valentin Lychagin NAFT, Odessa, Ukraine, IPU RAN, Moscow, Russia & Department of Mathematics and Statistics,University of Troms,

1.12k views • 58 slides
A recursive algorithmic construction for spherical codes in dimensions R 2 k Henrique K. Miyamoto

A recursive algorithmic construction for spherical codes in dimensions R 2 k Henrique K. Miyamoto

A recursive algorithmic construction for spherical codes in dimensions R 2 k Henrique K. Miyamoto Henrique S a Earp e Sueli Costa Unicamp - University of Campinas miyamotohk@gmail.com July 9, 2018 Henrique K. Miyamoto LAWCI July 9, 2018

277 views • 6 slides
ts t rtq

ts t rtq

sr ts rtqs ss tr ts t rtq

1.14k views • 96 slides
We desperately need wisdom We desperately need wisdom In fact, getting wisdom is the most

We desperately need wisdom We desperately need wisdom In fact, getting wisdom is the most

We desperately need wisdom We desperately need wisdom In fact, getting wisdom is the most important thing you can do. Whatever else you get, get insight! Love wisdom and she will make you great. Proverbs 4:7-8 GN We desperately need wisdom

430 views • 18 slides
Classification Key Concepts Duen Horng (Polo) Chau Assistant Professor Associate Director,

Classification Key Concepts Duen Horng (Polo) Chau Assistant Professor Associate Director,

http://poloclub.gatech.edu/cse6242 CSE6242 / CX4242: Data & Visual Analytics Classification Key Concepts Duen Horng (Polo) Chau Assistant Professor Associate Director, MS Analytics Georgia Tech Parishit Ram GT PhD alum;

786 views • 35 slides
AGENTE DA PASSIVA A GENTE DA PASSIVA o termo da orao que se refere a um verbo na voz

AGENTE DA PASSIVA A GENTE DA PASSIVA o termo da orao que se refere a um verbo na voz

AGENTE DA PASSIVA A GENTE DA PASSIVA o termo da orao que se refere a um verbo na voz passiva, sempre introduzido por preposio. As terras foram desapropriadas pelo governo. Sujeito (paciente) Verbo na voz passiva Agente

362 views • 15 slides
Estrutura do tema Avaliao de Desempenho (IA32) Soma Int Acesso a Disco Multiplicao FP

Estrutura do tema Avaliao de Desempenho (IA32) Soma Int Acesso a Disco Multiplicao FP

O correr do tempo Avaliao de Desempenho na perspectiva de um computador no IA32 (6) Escala de Tempo (Mquina de 1 Ghz ) Microscpica Macroscpica Estrutura do tema Avaliao de Desempenho (IA32) Soma Int Acesso a Disco

99 views • 7 slides
Gerncia de processos Requisitos fundamentais Implementar um modelo de processo.

Gerncia de processos Requisitos fundamentais Implementar um modelo de processo.

Gerncia de processos Requisitos fundamentais Implementar um modelo de processo. Implementar facilidades para criao e destruio de processos por usurios Alocar recursos a processos Intercalar a execuo de um nmero

689 views • 34 slides
Forums: A Love Story @cheddam who are you tho whats a forum tho why do I care tho How did

Forums: A Love Story @cheddam who are you tho whats a forum tho why do I care tho How did

Forums: A Love Story @cheddam who are you tho whats a forum tho why do I care tho How did you learn? Animators Hall Animators Hall (RIP) MacFreakz PLUGINS sickHeaderJS() sickFooterJS() MacFeats* THEME <sickhtml>

551 views • 25 slides
Course Review 2 Quantitative Overview Chapter 1 (Introduction) 0.5 session, 14 slides

Course Review 2 Quantitative Overview Chapter 1 (Introduction) 0.5 session, 14 slides

Mechanical Equipment (ENGI-7903) Spring 2013 Course Review 2 Quantitative Overview Chapter 1 (Introduction) 0.5 session, 14 slides Chapter 2 (Thermofluids fundamentals) 2.5 sessions, 20 slides, 4 examples Chapter 3 (Flow

368 views • 20 slides
Machine Learning - Regressions Amir H. Payberah payberah@kth.se 07/11/2018 The Course Web Page

Machine Learning - Regressions Amir H. Payberah payberah@kth.se 07/11/2018 The Course Web Page

Machine Learning - Regressions Amir H. Payberah payberah@kth.se 07/11/2018 The Course Web Page https://id2223kth.github.io 1 / 81 Where Are We? 2 / 81 Where Are We? 3 / 81 Lets Start with an Example 4 / 81 The Housing Price Example

1.05k views • 82 slides
Planning and Optimization C3. Delete Relaxation: AND/OR Graphs Malte Helmert and Gabriele R

Planning and Optimization C3. Delete Relaxation: AND/OR Graphs Malte Helmert and Gabriele R

Planning and Optimization C3. Delete Relaxation: AND/OR Graphs Malte Helmert and Gabriele R oger Universit at Basel October 25, 2017 AND/OR Graphs Forced Nodes Most/Least Conservative Valuations Summary Content of this Course Tasks

603 views • 35 slides
Josh Bloch Charlie Garrod 17-214 1 Administrivia Homework 6 available Checkpoint

Josh Bloch Charlie Garrod 17-214 1 Administrivia Homework 6 available Checkpoint

Principles of Software Construction: Objects, Design, and Concurrency Part 4: Et cetera Toward SE in practice: Empiricism in SE Josh Bloch Charlie Garrod 17-214 1 Administrivia Homework 6 available Checkpoint deadline tonight Due

549 views • 29 slides
An application of Thurston's theorem on branched coverings Mitsuhiro Shishikura (Kyoto

An application of Thurston's theorem on branched coverings Mitsuhiro Shishikura (Kyoto

An application of Thurston's theorem on branched coverings Mitsuhiro Shishikura (Kyoto University) Parabolic Implosion Institut de Mathmatiques de Toulouse Universit Paul Sabatier Toulouse, November 22, 2010 Plan Thustons theorem on

686 views • 15 slides
Climate change and hydrological extreme events Risks and perspectives for water management in

Climate change and hydrological extreme events Risks and perspectives for water management in

Climate change and hydrological extreme events Risks and perspectives for water management in Bavaria and Qubec Ralf Ludwig for the ClimEx group ICTP Trieste 16 June 2017 2 ICTP Trieste 16 June 2017 Partnership Background Major

841 views • 36 slides
Backpack Strawberry Flute Traffic light Backpack Matchs1ck

Backpack Strawberry Flute Traffic light Backpack Matchs1ck

Large Scale Visual Recogni1on Challenge (ILSVRC) Jia Deng Hao Su

1.25k views • 75 slides
Monday19thOctober LO:toreadandanswerquestionsaboutapoem

Monday19thOctober LO:toreadandanswerquestionsaboutapoem

English week 7.notebook October 18, 2020 Monday19thOctober LO:toreadandanswerquestionsaboutapoem Todaywearegoingtoreadapoemreaditto yourselffirst.

134 views • 12 slides
Comparison of The Energy Spectra Between Single Shock and Converging Double-Shock Speaker: Wang

Comparison of The Energy Spectra Between Single Shock and Converging Double-Shock Speaker: Wang

Comparison of The Energy Spectra Between Single Shock and Converging Double-Shock Speaker: Wang Xin Co-authors: Yan Yihua, Ding Mingde, Wang Na, & Shan Hao Xinjiang Astronomical Observatory, Chinese Academy of Sciences CAS Key Laboratory

423 views • 17 slides
R8_p1 Historical Earthquakes in the Himalaya Also see Stacey Martin's ASC page. previous

R8_p1 Historical Earthquakes in the Himalaya Also see Stacey Martin's ASC page. previous

http://www.geo.tv/quake/kashmir.asp Kashmir Earthquake: The Mw7.6 Kashmir 8 October 2005 earthquake occurred in a region where a great plate-boundary earthquake has long been considered overdue. Although the earthquake resulted in widespread

240 views • 8 slides
New Research and Initiatives Tuesday, June 21 st 2016 12 p.m. to 1:30 p.m. PST POLIS Water

New Research and Initiatives Tuesday, June 21 st 2016 12 p.m. to 1:30 p.m. PST POLIS Water

Evolving Watershed Governance in BC: New Research and Initiatives Tuesday, June 21 st 2016 12 p.m. to 1:30 p.m. PST POLIS Water Sustainability Project Creating a Blue Dialogue Webinar Series 2015/2016 Thank You to Our Partners & Supporters

823 views • 58 slides
Union Bay Duncan Williams, Executive Director Crown Land Opportunities and Restoration Branch

Union Bay Duncan Williams, Executive Director Crown Land Opportunities and Restoration Branch

Union Bay Duncan Williams, Executive Director Crown Land Opportunities and Restoration Branch April 24, 2018 The Union Bay Site The Union Bay Site is the location of a large coal waste pile occupying approximately 13 hectares of filled

387 views • 6 slides
The Star Casino modification, IPC public meeting 27 August 2019 Hotel (220 rooms) Residential

The Star Casino modification, IPC public meeting 27 August 2019 Hotel (220 rooms) Residential

The Star Casino modification, IPC public meeting 27 August 2019 Hotel (220 rooms) Residential (204 Apartments) Neighbourhood centre Thankyou

583 views • 9 slides
Viewing 2 http://www.ugrad.cs.ubc.ca/~cs314/Vjan2016 Projections I 2 Pinhole Camera

Viewing 2 http://www.ugrad.cs.ubc.ca/~cs314/Vjan2016 Projections I 2 Pinhole Camera

University of British Columbia CPSC 314 Computer Graphics Jan-Apr 2016 Tamara Munzner Viewing 2 http://www.ugrad.cs.ubc.ca/~cs314/Vjan2016 Projections I 2 Pinhole Camera ingredients box, film, hole punch result picture

775 views • 29 slides

More recommend