Litmus: a risk-reduced alternative to honey pots. Andrew van der Stock, Senior Architect, e-Secure. Secure in a networked world.


1 litmus: a risk reduced alternative to honey pots
Andrew van der Stock, Senior Architect, e-Secure
Secure in a networked world

2 Agenda
- Introduction
- 10 reasons why honey pots suck
- Demo of dtk vs s’kiddie
- 10 things you can do instead
- Demo of litmus and snort vs s’kiddie

3 Introduction
- Who is that fat bugger?
- Where is Australia?
- How does e-Secure fit into this talk?

4 Andrew van der Stock
- Senior Security Architect
- Cat slave and MCSE (NT/2K)
- Contributor to various open source projects, such as NetBSD, XFree86 and pnm2ppa
- Immediate Past SAGE-AU President
- On auDA’s DNS Competition Panel

5 Where is Australia?

6 Who are e-Secure?
- They employ me, and more importantly, they paid for me to be here
- We are one of Australia’s largest specialist security consulting firms
- We don’t sell product, and we are platform and vendor neutral
- We have offices along the east coast of Australia

7 Why do I think you are here?
- Most of you will have excellent ITIL security processes
- All your hosts are patched and secure
- Your internal staff are absolutely trustworthy
- You have a large risk management group and an even larger security group, all of whom are extremely clueful and proactive
- Your major risk is from unknown sources and you need to know when they occur

8 Nothing could be more wrong
- Most organizations spend far too much on defending against the wrong risks
- Some risks are over-hyped and get far too much press
- Most (>95%) organizations are not even able to repeat a simple secure host installation, let alone trust their staff

9 What’s wrong with honey pots?
- Greater security profile: if you can run almost every corporate network on three visible ports, why add more?
- You don’t learn anything new
- All software has defects: best practice says that software can only hope to have as few as one defect per 1 KLOC; normal code has 5-15 bugs per 1000 lines
- dtk 0.9 has 14978 lines with comments, or 9279 lines without comments. Do the math

10 What’s wrong with honey pots?
- The insurance model will not allow you to take unnecessary risks without a substantial increase in premium
- Risk management says that honey pots increase risk for demonstrably invalid reasons
- You can learn more by using better instrumentation

11 What’s wrong with honey pots?
- The threat reality is that most attackers are morons and will attack with DoS if denied real access
- Honey pots must be kept up to date, but in general aren’t
- Honey pots must act like the host operating system
- Fix current problems rather than generating new ones

12 Demo: dtk vs. s’kiddie
Or why out-of-date software is useless

13 Risk Management 101
Or, if everyone did the right thing, why would there still be so many vulnerable hosts?

14 Guess!

15 Too many hosts to secure
- Most operating systems and network devices are insecure out of the box. This must change
- Operating systems maintained by normal users must be set to take care of themselves by default
- Growth of the net will be the single largest factor as to why there are so many vulnerable systems
- It is unrealistic to assume that the net will ever be safe

16 Risk Management

17
- Large corporations use risk management to reduce risk to their operations
- Risk management is not absolute and is not “every risk is eradicated”
- Most likelihoods are subjective, generally expressed as “once in every x years”. It is possible to determine likelihood (insurance companies do, for example), so you should try
- Most impacts can be relatively accurately expressed in $ per incident. The dollar figure ranges from zero to millions

18 Risk model
[Chart: cost of attack ($) vs frequency of attack (f)]

19 Risk model – excess
[Chart: $ vs f]

20 Risk model – self insuring
[Chart: $ vs f]

21 Risk model – catastrophic
[Chart: $ vs f]

22 Insurance 101
Or why insurance will not reduce famous defacements

23 Insurance – the SME experience

24
- Small to medium enterprises (4-100 employees) make up the majority of all corporations
- They will have little choice but to take out insurance products once they are developed
- Sometimes, there will be “no insurance at any price” if certain things aren’t done (think GPS trackers for regularly stolen cars, and apply…)
- The excess will still be there

26 Insurance – Mega Corps
- In large corporations, insurance is a method to assign the risk of catastrophic events to another entity
- Most large corporations are self insuring for most risks (for example, one of my clients simply pays for all car accidents; it’s just cheaper that way)
- Most large corporations do not see the point in insuring an intangible risk such as a web defacement, but they might insure good will
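Slides 17 through 26 describe one model: likelihood as “once in every x years”, impact in dollars per incident, and three regions on the cost-vs-frequency chart (inside the excess, self-insured, catastrophic and therefore transferred to an insurer). The script below is an added worked example of that model, written for this transcript rather than taken from the talk; the risk names, frequencies, dollar figures, and the two thresholds (excess and self-insure limit) are constructed assumptions, not numbers from the slides.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One line of a risk register, in the two quantities the slides use."""
    name: str
    years_between: float     # x in "once in every x years" (the subjective likelihood)
    impact_dollars: float    # $ per incident

    def annual_expected_loss(self) -> float:
        # frequency per year times cost per incident: the f-vs-$ chart reduced to one number
        return self.impact_dollars / self.years_between


def treatment(risk: Risk, excess: float, self_insure_limit: float) -> str:
    """Map a single-incident impact onto the three regions of the risk-model chart.

    excess            : per-incident amount the business always pays itself
    self_insure_limit : largest single loss the business is willing to carry itself
    Both thresholds are assumed figures for this example, not numbers from the talk.
    """
    if risk.impact_dollars <= excess:
        return "absorb"        # inside the excess: insurance never pays, so just budget for it
    if risk.impact_dollars <= self_insure_limit:
        return "self-insure"   # big enough to notice, cheap enough to carry (the car-accident case)
    return "transfer"          # catastrophic: assign the risk to another entity, i.e. insure it


def prioritise(risks):
    """Order the register by annual expected loss, highest first, so that
    spending follows the risks that actually cost the most over time."""
    return sorted(risks, key=lambda r: r.annual_expected_loss(), reverse=True)


def build_report(risks, excess=10_000.0, self_insure_limit=1_000_000.0):
    """Prioritised register with the treatment decision attached to each risk."""
    return [
        {
            "name": r.name,
            "ale": round(r.annual_expected_loss(), 2),
            "treatment": treatment(r, excess, self_insure_limit),
        }
        for r in prioritise(risks)
    ]


# Constructed sample register; names, frequencies and dollar values are invented.
SAMPLE_RISKS = [
    Risk("web defacement by s'kiddie", years_between=0.5, impact_dollars=5_000),
    Risk("internal fraud", years_between=5, impact_dollars=250_000),
    Risk("data centre fire", years_between=50, impact_dollars=5_000_000),
]

if __name__ == "__main__":
    for row in build_report(SAMPLE_RISKS):
        print(f"{row['name']:<28} ALE ${row['ale']:>12,.2f}  {row['treatment']}")
```

The point the ordering makes is the one slide 8 makes: the frequent, cheap defacement has the smallest annual expected loss of the three, so it is the wrong place to concentrate spending, while the rare catastrophic event is the one worth paying a premium to transfer.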

27 Threat models
Or why a s’kiddie is more of a threat than extremely well funded or knowledgeable attackers

28 Old thinking: external threats
- Old thinking: a seasoned attacker with extreme skills will be attacking me every time
- Reality #1: s’kiddies will launch zillions of RDS attacks at you, even though you might be running Solaris
- Reality #2: your staff are much more of a risk than the s’kiddies of this world

29 Anatomy of a s’kiddie attack
- Collect tools
- Attack victims
- Tag & Brag

30 Anatomy of a gifted amateur attack
- Collect tools
- Develop skills
- Attack victim
- Gather info

31 Anatomy of a strong attack
- Develop tools
- Attack victim
- Gather info
- Platform mastery
- Identify targets

32 Internet age threats
- Real threats arise from people with motive
- Most external attacks are simple, but not all
- Most successful attacks are essentially internal fraud; audit controls will help
- It is nearly always easier to socially engineer from within than attack a system from without once minimum defenses are added

33 Intrusion Detection Systems
Are generally useless in most environments

34 Where does IDS fit?
- IDS are useful as an additional layer of defense, no more
- IDS are helpful when advanced attackers are attacking you with new attacks
- Two major types today: network IDS (snort) and host IDS (AIDE, log watcher, etc)
- Missing IDS type: application IDS. eEye’s SecureIIS might be a precursor, but has been proven flawed already
- AZN-API is a useful new direction for authorization issues

35 Generic issues with IDS
- It’s either an AI issue or yet another system that has to be monitored
- Yet another set of logs that will be ignored
- Too verbose? Not sensitive enough? Not enough eyes to monitor all your systems?
- The “three cries and you’re out” problem: no one likes being woken up continuously at 3 am

36 Host IDS
- Host based IDS perform a range of useful integrity tests, such as tracking file system changes
- WinNT/2K: prefer auditing to tripwire (or maybe use both) – auditing is real time, and you know which user caused the event as they are doing it
- Tripwire and AIDE are non-real time and only let you know something has happened after the fact
- Commercial host IDS do way more than open source IDS today, but expect this to change soon
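The file-system integrity test slide 36 attributes to Tripwire and AIDE is simple enough to show end to end: record a digest, size and mode for every file under a root, then compare a later snapshot against that baseline. The script below is an added example written for this transcript (it is not Tripwire, AIDE, or any code from the talk); the directory layout and file contents it builds in a temporary directory are constructed so that the comparison runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Snapshot every regular file under root as {relative path: (digest, size, mode)}.

    Symlinks are skipped so that a link pointed at a new target is not silently
    hashed as if it were the original file.
    """
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = (
                file_digest(p),
                st.st_size,
                oct(st.st_mode & 0o777),
            )
    return baseline


def compare(before: dict, after: dict) -> dict:
    """Report what changed between two snapshots: this is the after-the-fact
    view the slide describes, not real-time auditing."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed tree, baseline it, change it, and return the comparison."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        before = build_baseline(root)

        # Constructed changes: one file edited, one removed, one added.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nguest:x:1001:1001::/home/guest:/bin/sh\n"
        )
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "motd").write_text("Authorised users only.\n")
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>9}: {', '.join(paths) or '-'}")
```

In a real deployment the baseline would be written to read-only or off-host storage, since a snapshot that an intruder can rewrite proves nothing; that storage question, rather than the hashing, is where most integrity checkers go wrong.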

37 Network IDS
- Usually has one or more interfaces in promiscuous mode – which makes them detectable in certain circumstances (see anti-sniff)
- Useful to spot unusual traffic trends
- Even with the fastest processors, most commercial and non-commercial network IDS cannot cope with > 100 Mb/s traffic
- Good example: snort
- Issue: useful only if you can monitor it and the alarms have been calibrated to suit your needs

38 Application IDS
- Doesn’t exist … but should!
- Requires the assistance of applications to really function correctly
- Typical nascent example: eEye’s SecureIIS product. More of a shim than real protection. A good first start, except…
- There isn’t a general purpose API to implement this, and many product writers believe that they are writing secure software, so…

39 Where to deploy IDS
- The typical place is in the DMZ or behind the firewall
- There are too many lame attacks for IDS to be out in no man’s land
- Much more useful to see those attacks that have penetrated your firewall or are in a sensitive network

40 Call to Action
Or what you can do to visibly improve your site’s security

41 Do the fundamentals first…
- If you don’t do the basics, don’t bother with any form of honey pot or a real IDS, as you already have many fine examples in your production network
- To prevent most s’kiddies, reduce your security profile
- To prevent real loss, improve your security processes

42 Deter, Defend, Delay
- Defense in depth
- Deter: warning banners, low profile, high prosecution profile
- Defend: keep up to date, install security helpers such as firewalls
- Delay: keep the attacker from causing any lasting damage
- Destroy: if you can identify your attacker in real life, and if you’re big enough, you can cause real pain to them (i.e. deny service if you’re a telco)

43 Passive Defense
- Traditional security mainstays: firewalls, bastion hosts, IDS, logs, deny all unless permitted
- The above are necessary, nice and shiny, but insufficient to cope with modern security threats

44 Active Defense
- Counterattack: at best, misguided. Breaking the law does not help you; it is illegal in most countries with infosec laws, and your ISP will dump you if they catch you
- Intelligence gathering: worthwhile, but handle evidence properly
- Prosecution: costly but worthwhile if the scumbag is in your jurisdiction AND you have enforceable infosec laws (see !Philippines)

45 The Top 10 things you can do
If you only do one of them, do the first one…

46 Keep up with patches
- If your vendor ships an update to a known vulnerability, test it and patch your hosts
- Nearly all scripted attacks can be warded off by this very simple measure
- Even advanced attackers prefer to use known vulnerabilities rather than develop new ones

47 Automated Software Distribution
- Without automated software distribution, you cannot look after your hosts in a time of crisis
- Test any solution you put in, including OS upgrades (along with the requisite reboot)
- Ensure that the distribution point(s) are secure, are controlled by you, and allow you to constrain what is deployed on your network, i.e. don’t update from a local Debian mirror blindly

48 Business Recovery Planning
- This encompasses many, many things, including disaster recovery plans and incident response
- Thinking through a fully fledged BRP will help in times of real crisis
- Include news media handling in the BRP if you are publicly traded or rely heavily on lots of customers
- In a crisis where real damage is caused, you must keep your customers informed and allow them to report events to you in a timely fashion

49 Backups
- Always have a recent backup
- Always verify … there is no excuse
- Keep off-sites
- Practice restores diligently; use different tapes and drives to ensure that you have media compatibility

50 Constantly Improve Processes
- Continuous improvement is the only acceptable option: if you use 1990 levels of security knowledge, you will be successfully attacked
- Security is a continuous process of learning, mitigating and defending
- When you learn something, incorporate it

51 Harden Critical Hosts
- Adopt a router or switch today!
- Most operating systems have various security postures out of the box or have third party guides to assist with lockdowns. Use them. Test the result. Come back and do it again next week. Repeat ad nauseam

52 Reduce Your Security Profile
- Make as many DMZ or extranet hosts as possible invisible to the Internet
- For most corporations, only three ports need to be visible (tcp/25, tcp/80, udp/53)
- Make a map of your network; you’d be surprised at the number of exceptions. Fix them!
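Slide 52 gives a concrete allow-list (tcp/25, tcp/80, udp/53) and tells you to map your network and find the exceptions. The script below is an added example of that check, written for this transcript and not part of the talk: it parses a small inventory of externally reachable services and reports every host/service pair outside the allow-list. The inventory text, the host names (RFC 2606 example domains) and the table format are constructed assumptions; in practice you would feed it whatever your firewall rule export or external scan produces.

```python
# The three services slide 52 says most corporations need to expose.
ALLOWED = {("tcp", 25), ("tcp", 80), ("udp", 53)}

# Constructed inventory: one "host proto/port" per line, as you might transcribe it
# from firewall rules or an external scan of your own address space.
SAMPLE_MAP = """\
# host                 proto/port
mail.example.com       tcp/25
www.example.com        tcp/80
www.example.com        tcp/443
ns1.example.com        udp/53
ns1.example.com        tcp/53
legacy.example.com     tcp/23
legacy.example.com     tcp/139
"""


def parse_map(text):
    """Yield (host, proto, port) tuples; comments and blank lines are ignored,
    anything else that does not fit the layout is an error rather than a silent skip."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            host, service = line.split()
            proto, port_text = service.lower().split("/")
            port = int(port_text)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}") from exc
        if proto not in ("tcp", "udp") or not 0 < port < 65536:
            raise ValueError(f"line {lineno}: bad service {service!r}")
        yield host, proto, port


def find_exceptions(entries, allowed=ALLOWED) -> dict:
    """Group every exposed service that is not on the allow-list by host.

    Returns {host: ["proto/port", ...]} sorted by host and then by port number,
    so the output is stable enough to diff between weekly runs.
    """
    exceptions = {}
    for host, proto, port in entries:
        if (proto, port) not in allowed:
            exceptions.setdefault(host, set()).add((proto, port))
    return {
        host: [f"{proto}/{port}" for proto, port in sorted(ports)]
        for host, ports in sorted(exceptions.items())
    }


if __name__ == "__main__":
    found = find_exceptions(parse_map(SAMPLE_MAP))
    if not found:
        print("no exceptions: profile matches the allow-list")
    for host, services in found.items():
        print(f"{host}: {', '.join(services)}")
```

Note that the strict three-port list flags tcp/443 on the web server: the slide says “for most corporations”, so the allow-list is something you adapt to your own line of business and then hold constant, rather than a universal constant. The value of the check is the diff from week to week, which is how the exceptions the slide warns about creep back in.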

53 Create a security policy
- Adopt a security posture suitable for your line of business and business culture
- Be reasonable about it – humans will work around any fascistic control you might think desirable
- Use ISO 17799 as a guide
- Once adopted, identify systems and processes at risk and fix them

54 Subscribe to security mailing lists
- Not only to bugtraq, ntbugtraq, Win2kSecAdvice, but also to your vendor’s patch announcements
- Most lists are a good source of new and upcoming vulnerabilities
- Sometimes overwhelming in terms of volume and usefulness; delegate someone to summarize each day

55 Counterattack when you can
- The only legal active defense open to you is prosecution
- Learn about forensic data preservation (you cannot prosecute without a strong chain of untampered evidence) and practice regularly. Fix those systems that are forensic-proof
- When a s’kiddie or attacker really gets you, help law enforcement all the way. If you get a rep as a hard target with real consequences, hopefully more people will stay away
- This can backfire (see US Military or Microsoft)

56 Note what wasn’t mentioned
- No mention of IDS
- IDS are really only suitable once you have a really top notch security environment and you want an additional layer of defense
- Still better to spend money on self-repairing content checkers, backups, and other security items
- An IDS in an immature environment is worse than the immature environment. It gives a false sense of security where none exists

57 litmus
- Is simply a passive configuration of IP Filter, running under NetBSD, coupled to a log scanner for escalation
- Portable to other operating systems that also use IP Filter (OpenBSD, FreeBSD, Solaris)
- Since IP Filter is IPv6 native, so is litmus
- Not promiscuous – harder to detect, particularly if you run it on hosts that actually have a function
- Limited use – it’s only a litmus test
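Slide 57 says litmus is a passive IP Filter configuration plus a log scanner that escalates. The talk does not show the rule set or the scanner, so the script below is an added illustration written for this transcript, not litmus itself: it reads ipmon-style block records, ignores traffic the filter passed (the host’s real function), and escalates a source once it has been blocked on a configurable number of distinct ports. The log lines are constructed (RFC 5737 documentation addresses), the line layout is the ipmon text format as best recalled and should be checked against your own ipmon output, and the threshold of three ports is an assumption chosen for the example.

```python
import re
from collections import defaultdict

# Constructed ipmon-style records, one packet per line:
#   date time interface @group:rule action src,sport -> dst,dport PR proto ...
# action "b" is a blocked packet, "p" a passed one. The last line is deliberately
# unparsable so the scanner's handling of noise is exercised.
SAMPLE_LOG = """\
05/11/2001 03:12:07.101010 ne0 @0:1 b 198.51.100.7,4021 -> 192.0.2.10,23 PR tcp len 20 60 -S IN
05/11/2001 03:12:07.302020 ne0 @0:1 b 198.51.100.7,4022 -> 192.0.2.10,139 PR tcp len 20 60 -S IN
05/11/2001 03:12:08.004040 ne0 @0:2 p 203.0.113.5,33001 -> 192.0.2.10,25 PR tcp len 20 60 -S IN
05/11/2001 03:12:08.503030 ne0 @0:1 b 198.51.100.7,4023 -> 192.0.2.10,1524 PR tcp len 20 60 -S IN
05/11/2001 03:12:09.005050 ne0 @0:1 b 203.0.113.9,1033 -> 192.0.2.10,111 PR tcp len 20 60 -S IN
05/11/2001 03:12:09.505050 ne0 @0:1 b 203.0.113.9,1034 -> 192.0.2.10,111 PR tcp len 20 60 -S IN
this line is not an ipmon record and must be skipped
"""

# Only TCP/UDP records carry ",port"; ICMP lines would not match and are skipped.
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ifname>\S+) @(?P<rule>\S+) (?P<action>[bpSnL]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)"
)


def parse_line(line: str):
    """Return the record as a dict, or None for lines that are not ipmon packet records."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def scan(lines, threshold: int = 3):
    """Scan log lines and return (blocked, escalations).

    blocked     : {src: set of (proto, dport)} for every blocked-and-logged packet
    escalations : one record per source the moment it reaches `threshold` distinct
                  blocked ports; repeated hits on the same port do not count twice
    The threshold is an assumed value for this example.
    """
    blocked = defaultdict(set)
    first_seen = {}
    escalations = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "b":
            continue  # noise, or traffic the filter passed: not a litmus signal
        src = rec["src"]
        first_seen.setdefault(src, f"{rec['date']} {rec['time']}")
        already_escalated = len(blocked[src]) >= threshold
        blocked[src].add((rec["proto"], rec["dport"]))
        if not already_escalated and len(blocked[src]) >= threshold:
            escalations.append({
                "src": src,
                "first_seen": first_seen[src],
                "ports": sorted(blocked[src]),
            })
    return dict(blocked), escalations


if __name__ == "__main__":
    _, alerts = scan(SAMPLE_LOG.splitlines())
    for a in alerts:
        ports = ", ".join(f"{p}/{n}" for p, n in a["ports"])
        print(f"ESCALATE {a['src']} first seen {a['first_seen']}: blocked on {ports}")
```

Because the filter only logs packets to ports the host never offers, a legitimate client of the real service never appears in `blocked`, which is what keeps the false-positive rate low and lets the scanner be this simple; a production version would also age entries out by time so that a source seen once a month does not accumulate forever.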

58 Demo: litmus vs s’kiddie
Snort is better

59 Conclusion
- Honey pots are never the right answer for any corporate network under any circumstance
- Judicious use of various types of IDS can be used to some effect, but…
- You must cover the fundamentals first or you will waste money on baubles

60 finis Thanks for listening. Questions?
