2001: THE END OF REACTIVE NETWORK SECURITY


Page 1: 2001: THE END OF REACTIVE NETWORK SECURITY

THE CASE FOR PROACTIVE NETWORK SECURITY: WORMS, VIRUSES & BUSINESS CONTINUITY

Presented to Dr. Yan Chen, MITP 458 - Information Security & Assurance

Business Case Study Presentation, 09 June 2007

by The Loop Group: Farney, Heilprin, Leonard

Page 2: 2001: THE END OF REACTIVE NETWORK SECURITY


2001: THE END OF REACTIVE NETWORK SECURITY

The Year of the Worm: three major worms released July-September 2001

• Code Red

- $2.6bn estimated damage

- A simple buffer overflow in IIS infected 350,000+ hosts in a single day

• Code Red II

- Same attack vector (the IIS .ida overflow), but a different codebase, so Code Red signatures did not match it

• Nimda

- Mass-mailing, multi-vector attack (e-mail, IIS directory traversal, open file shares)

• All exploited vulnerabilities that had already been publicly disclosed and patched

- MS01-033, MS00-052, MS00-078, MS01-020

- Signature-based A/V software was useless: no definitions existed until after the outbreak

• Spread over ports that should never have been exposed to the Internet in the first place

- 135, 137, 138, 139, 445, 593, 1639, 2000-3000, 3127-3198

- Caveat: the .ida overflow used by Code Red and Code Red II, and Nimda's IIS vector, arrive on TCP 80, which a public web server must expose; port filtering removes the SMB/NetBIOS vector (137-139, 445), not the HTTP one. Some listed ranges (e.g. 135/593 RPC, 3127-3198) belong to worms that appeared after 2001, not to these three.

100% Preventability!

Page 3: 2001: THE END OF REACTIVE NETWORK SECURITY


“HEROIC IT” NOT ENOUGH, PEOPLE AND PROCESS REQUIRED

Worms now disperse worldwide in hours, faster than any human reaction cycle; reacting to today's threats after the fact is no longer possible

• Design and deploy a network security operations infrastructure in which automatic patch management plays the central role

- Vulnerabilities addressed on the day the patch is released (assuming the patch has been tested)

• Proactively tighten defenses

- “Deny all” rather than “allow all” as the default on interior firewall interfaces

- Perform a network analysis to determine the required business functions and their corresponding ports; deny all else

(1) Heroic IT Management Is No Longer Enough, Diamond Cluster Viewpoint, 2004

The 2001 attacks were responsible for a major shift in corporate defenses
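The “deny all” stance on this slide, worked through as an added example (not code from the presentation): an inventory of business functions is turned into a default-deny rule set, observed inbound traffic is checked against it to find ports that carry traffic but have no business justification, and the result is contrasted with the “allow all” default. The function inventory, the observed connection sample and the rule tuples are constructed assumptions; the iptables rendering is one illustrative way to express the policy.

```python
"""Default-deny policy derived from a business-function inventory (worked example).

Added example, not from the slides. The function inventory, the observed
connection sample and the rule tuples are constructed assumptions; the
iptables rendering illustrates one way to express the result.
"""
from collections import Counter

# Assumed inventory from the network analysis: business function -> (proto, port)
# that must be reachable on this interface. Everything else is denied.
BUSINESS_FUNCTIONS = {
    "public web": ("tcp", 80),
    "public web (TLS)": ("tcp", 443),
    "inbound mail": ("tcp", 25),
}

# Constructed sample of inbound connections seen on the interface: (src, proto, dport)
OBSERVED = [
    ("203.0.113.10", "tcp", 80), ("203.0.113.11", "tcp", 443),
    ("203.0.113.12", "tcp", 25), ("198.51.100.7", "tcp", 445),
    ("198.51.100.7", "tcp", 139), ("198.51.100.8", "udp", 137),
    ("198.51.100.9", "tcp", 135), ("203.0.113.13", "tcp", 80),
]

# A rule is (verdict, proto, port, label); proto "any" and port None are wildcards.
ALLOW_ALL = [("allow", "any", None, "allow all (the weak default)")]


def deny_all_policy(functions):
    """One allow rule per justified business function, then deny everything else."""
    rules = [("allow", proto, port, name) for name, (proto, port) in functions.items()]
    rules.append(("deny", "any", None, "default deny"))
    return rules


def evaluate(policy, proto, dport):
    """First-match evaluation; returns (verdict, label of the matching rule)."""
    for verdict, rproto, rport, label in policy:
        if rproto in ("any", proto) and rport in (None, dport):
            return verdict, label
    raise ValueError("policy has no terminal rule")


def unjustified_exposure(observed, functions):
    """Ports carrying traffic with no business function behind them, ranked by hits.
    These are the ports that should not have been open in the first place."""
    justified = set(functions.values())
    return Counter((proto, port) for _, proto, port in observed
                   if (proto, port) not in justified)


def render_iptables(policy, chain="INPUT"):
    """Express the policy as iptables commands (illustrative rendering)."""
    lines = [f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for verdict, proto, port, label in policy:
        if verdict == "allow":
            lines.append(f"iptables -A {chain} -p {proto} --dport {port} -j ACCEPT  # {label}")
        else:
            lines.append(f"iptables -P {chain} DROP  # {label}")
    return lines


if __name__ == "__main__":
    policy = deny_all_policy(BUSINESS_FUNCTIONS)
    for line in render_iptables(policy):
        print(line)
    print("unjustified exposure:", unjustified_exposure(OBSERVED, BUSINESS_FUNCTIONS))
```

The point of `unjustified_exposure` is the analysis step the slide calls for: under “allow all”, TCP 445 and 139 and UDP 137 are reachable from the Internet and nobody had to decide that; under the derived policy, they only become reachable if someone adds a named business function for them.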

Page 4: 2001: THE END OF REACTIVE NETWORK SECURITY


NEXT PARADIGM SHIFT: STRING SCANNING -> HEURISTICS

Zero-day attacks are becoming more common

• Neither virus definitions nor patches are available when the attack begins

• “Ex post mechanism is folly: by focusing on catching the attack of the past, you miss the attack of the future” (1)

A new proactivity is required: behavior-based security

• Define the behaviors to look for, not specific byte strings

• Heuristics are the only way to protect against zero-day attacks

- Looks for anomalous activity like

- Use off-the-shelf software, security services, or a product like the Internet Motion Sensor

- Most A/V software today uses heuristics at some level

· The most effective are agent-based products dedicated to this type of analysis

(1) The Efficacy of Network-Level SPAM Mitigation, Sean Farney, MITP 458, 2007
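The string-scanning versus behavior-based contrast on this slide, and Page 2's point that Code Red II used the same .ida vector with a different signature, worked through as one added example (not code from the presentation). A fixed-string signature for Code Red catches the first worm and misses the second; a behavioral rule that flags any source contacting many distinct hosts on one port inside a short window catches both without knowing their bytes. The flow records are constructed, not captured traffic; the Code Red request line (`/default.ida?NNNN...`) and the Code Red II request line (`/default.ida?XXXX...`) reflect the worms' real first lines, while the window length and fan-out threshold are assumptions.

```python
"""Signature scanning versus behaviour-based detection over constructed flow records.

Added example, not from the slides. The flow records are constructed, not
captured traffic. The Code Red request (`/default.ida?NNNN...`) and the
Code Red II request (`/default.ida?XXXX...`) reflect the worms' real first
lines; the window and fan-out thresholds are assumptions.
"""
from collections import defaultdict

# (timestamp_s, src, dst, dport, request_line) -- constructed sample records
FLOWS = []
# Worm A: Code Red-style payload, 12 distinct targets in about 20 seconds
for i in range(12):
    FLOWS.append((100 + 2 * i, "10.0.0.5", f"192.0.2.{i + 1}", 80,
                  "GET /default.ida?" + "N" * 200 + " HTTP/1.0"))
# Worm B: Code Red II-style payload -- same .ida vector, different bytes
for i in range(12):
    FLOWS.append((200 + 2 * i, "10.0.0.9", f"198.51.100.{i + 1}", 80,
                  "GET /default.ida?" + "X" * 200 + " HTTP/1.0"))
# A legitimate client: a handful of requests to a single server
for i in range(5):
    FLOWS.append((300 + 10 * i, "10.0.0.20", "203.0.113.7", 80,
                  "GET /index.html HTTP/1.1"))

# The "string scanning" model: one fixed byte pattern per known worm
SIGNATURES = {"CodeRed": "/default.ida?NNNN"}


def signature_hits(flows, signatures=SIGNATURES):
    """Return {src: {signature names}} for flows whose request contains a known string."""
    hits = {}
    for _, src, _, _, request in flows:
        for name, pattern in signatures.items():
            if pattern in request:
                hits.setdefault(src, set()).add(name)
    return hits


def scan_sources(flows, window_s=60, min_targets=10):
    """Behavioural rule: a source that contacts >= min_targets distinct hosts on one
    port within window_s seconds is scanning, whatever bytes it sends.
    Returns {src: (dport, peak number of distinct targets in any window)}."""
    by_src_port = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_src_port[(src, dport)].append((ts, dst))
    flagged = {}
    for (src, dport), events in by_src_port.items():
        events.sort()
        lo, peak = 0, 0
        for hi, (ts, _) in enumerate(events):
            while ts - events[lo][0] > window_s:   # slide the window forward
                lo += 1
            peak = max(peak, len({dst for _, dst in events[lo:hi + 1]}))
        if peak >= min_targets:
            flagged[src] = (dport, peak)
    return flagged


def compare(flows):
    """Side by side: which sources each approach catches."""
    return {"signature": sorted(signature_hits(flows)),
            "behaviour": sorted(scan_sources(flows))}


if __name__ == "__main__":
    print(compare(FLOWS))
```

The behavioral rule is deliberately blind to payload: it would also flag a third worm using a path nobody has seen yet, which is what the slide means by catching the attack of the future. The cost is that the threshold has to be tuned against legitimate fan-out (crawlers, monitoring hosts), which is why the slide recommends dedicated, agent-based products rather than a one-off rule.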

Page 5: 2001: THE END OF REACTIVE NETWORK SECURITY


PERSONAL LESSONS LEARNED

Globally dispersed operations offer challenges

• Follow-the-sun staffing great for finite day-to-day tasks, but can impede focus on large events

- Lack of 24x7 line responsibility allows transition gaps and requires re-activation energy

• Consider centralization and/or sourcing to true 24x7 model/provider for consistent and efficient handling of operations

Patching systems, either internally or externally, produces the same effect

• Remove human element from revision compliance

• Commonplace now, but still new in 2001

Fight battles before they start, be as proactive as possible

• The Freedom (1) of “Deny All”

(1) See Nietzsche’s Twilight of the Idols