ME Information Security

ME Information Security Summit Infrastructure Security Mohamed Monsef Senior System/Network Engineer – MEAI Region Team National Oilwell Varco

Transcript of ME Information Security

Page 1: ME Information Security

ME Information Security Summit

Infrastructure Security

Mohamed Monsef
Senior System/Network Engineer – MEAI Region Team
National Oilwell Varco

Page 2: ME Information Security

Agenda

• About Me
• Introduction
• Cases – Data Breaches
• Steps in Security
• Security model (Defense is in Depth)
• Security Layer-1
• Security Layer-2
• Security Layer-3
• Security Layer-4
• Precautionary steps
• Insider Security Risk
• Q & A

Page 3: ME Information Security

Mohamed Monsef
Senior System and Network Engineer
MEAI Region Team at National Oilwell Varco (Oil and Energy Sector)

[email protected]
eg.linkedin.com/in/mohamedmonsef

Senior System and Network Engineer
El Sewedy Electric – Doha Cables Company (Industrial & Manufacturing Sector)

IT Infrastructure Manager
ASGATech Company – Teqneyat Group (IT Services and Products sector)

System and Network Administrator
Grand Capital Group – Grand Investment Securities (Banking sector)

System and Network Administrator
(Confidential company – Confidential sector)

Page 4: ME Information Security

“Security is not merely a product, but a process. It's more than designing strong cryptography into a system; it's designing the fail-safe system such that all security measures, including cryptography, work together.”

Bruce Schneier
The renowned security technologist and author

Page 5: ME Information Security

Cases – Data Breaches

Page 6: ME Information Security

Steps in Security

1- Comprehend your IT infrastructure, network (configuration and topology), network traffic and communication system.

2- Prepare a security policy, processes, procedures, and their implementation plan.

3- Obtain approval of the above from management.

4- Implement the above policies and plans.

Page 7: ME Information Security

5- Maintain a standardized documentation of the entire IT infrastructure.

6- Periodically test and audit the entire network security (Internet, Intranet and Extranet), update it regularly, and maintain an audit trail of all changes.

7- Create security awareness among users through training, crash courses or “tip of the day” messages.

8- Undertake preventive measures, before corrective measures become necessary.

Page 8: ME Information Security

Security model (Defense is in Depth)

Many IT Pros and IT Managers/Directors don’t work for organizations with budgets for procurement of security equipment or systems.

Perimeter defense

Operating Systems & Servers Protection

Host protection

Information protection

Page 9: ME Information Security

Security Layer-1: Perimeter Defense Security Systems

A national survey showed that 70-80% of attacks are internal, i.e., from within the organization’s internal network. (www.sans.org)

Therefore, securing against internal attacks is the first line of defense.

For example: DoS (Denial of Service) attack

Zombie attack (system used to attack the target)

Page 10: ME Information Security

Precautionary Measures

1- Set up a DMZ:
   1st scenario: the DMZ is set up as an external network to the internal network (Production Network).
   2nd scenario: the DMZ is set up as an internal network for requests from the Internet to the DMZ.
2- Access list (protects from ICMP attacks).
3- Anti-spoofing (protects from attacks through network devices).
4- “no ip directed-broadcast” (protects from broadcast packet attacks).
5- Control and monitor filter configurations: who can modify, who modified, when modified, and why modified.
6- Update filters.
7- Test filters periodically.
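One way to carry out the periodic filter test for measures 2 to 4 above is to audit a saved router configuration per interface. This is an added example, not part of the original slides; the sample configuration is constructed, and it assumes Cisco IOS 12.0 or later syntax (directed broadcast off unless configured) and that anti-spoofing is implemented with unicast RPF.

```python
import re

# Constructed Cisco IOS-style running configuration (sample data, not from the slides).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
 ip verify unicast source reachable-via rx
!
interface GigabitEthernet0/1
 ip directed-broadcast
!
interface GigabitEthernet0/2
 ip access-group INSIDE-IN in
!
ip access-list extended OUTSIDE-IN
 permit icmp any any echo-reply
 deny icmp any any
ip access-list extended INSIDE-IN
 permit ip 10.10.0.0 0.0.255.255 any
"""

def parse_blocks(config, header):
    """Map block name -> indented sub-commands for blocks starting with `header`."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(header):
            current = blocks.setdefault(line[len(header):].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return blocks

def audit(config):
    """Return (interface, finding) pairs for measures 2-4 on the slide."""
    acls = parse_blocks(config, "ip access-list extended ")
    findings = []
    for name, cmds in parse_blocks(config, "interface ").items():
        # Assumes IOS 12.0+, where directed broadcast is off unless configured.
        if "ip directed-broadcast" in cmds:
            findings.append((name, "directed broadcast enabled"))
        inbound = [c.split()[2] for c in cmds if re.fullmatch(r"ip access-group \S+ in", c)]
        if not inbound:
            findings.append((name, "no inbound access list"))
        elif not any(r.startswith("deny icmp") for r in acls.get(inbound[0], [])):
            findings.append((name, "inbound access list has no ICMP deny rule"))
        # Assumption: anti-spoofing is done with unicast RPF rather than ACL entries.
        if not any(c.startswith("ip verify unicast") for c in cmds):
            findings.append((name, "no unicast RPF anti-spoofing check"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports nothing for the first interface and lists the gaps on the other two; comparing the output between runs also gives a simple record of when a filter changed.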

Page 11: ME Information Security

Security Layer-2: OS and Application Servers Security Systems

This layer covers protection of the operating system, the application servers, web servers, and mail servers.

Vulnerabilities exist in operating systems, web servers, proxy servers, mail servers and application servers that need patches / service packs / hotfixes to fill those holes.

1- Place your servers and communication equipment in a secure room.

2- Give restricted access to server/communication room.

3- Avoid using server consoles as much as possible.

4- Match hardware compatibility while buying/installing the server.

5- Disable CD-ROM or floppy disk boot.

Who is responsible for securing these systems?

Page 12: ME Information Security

Windows Server 2003/2008/2012: some tricks (not all)

1- Install the latest Service Pack for the server.
2- Enable auditing (it is not enabled by default).
3- Enable the “change periodic password” policy (not enabled by default).
4- Change the default user rights.
5- Make proper backups.
6- “Password-guessing attack”
7- Have anti-virus software.
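Items 2, 3 and 6 above can be checked against a security policy export. This is an added example, not part of the original slides; the INF excerpt is constructed in the layout that `secedit /export /cfg <file>` writes, and treating an account lockout threshold as the control for password guessing is an assumption of this example.

```python
import configparser

# Constructed excerpt in the layout written by `secedit /export /cfg <file>`
# (sample values for illustration, not from the slides or a real server).
SAMPLE_INF = """\
[System Access]
MaximumPasswordAge = -1
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 1
"""

AUDIT_LEVELS = {0: "no auditing", 1: "success only", 2: "failure only", 3: "success and failure"}

def check_policy(inf_text):
    """Return findings for items 2, 3 and 6 of the slide above."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # INF key names are mixed case; do not lower-case them
    cfg.read_string(inf_text)
    access, audit = cfg["System Access"], cfg["Event Audit"]
    findings = []
    # Item 3: -1 means passwords never expire, so no periodic change is enforced.
    if access.getint("MaximumPasswordAge", fallback=-1) == -1:
        findings.append("MaximumPasswordAge: passwords never expire")
    # Item 6 (assumed mitigation): a lockout threshold of 0 never locks an account.
    if access.getint("LockoutBadCount", fallback=0) == 0:
        findings.append("LockoutBadCount: no account lockout threshold")
    # Item 2: bit value 2 is failure auditing, the trace failed guesses leave.
    for key in ("AuditLogonEvents", "AuditAccountLogon"):
        level = audit.getint(key, fallback=0)
        if not level & 2:
            findings.append(f"{key}: failures not audited ({AUDIT_LEVELS.get(level, level)})")
    return findings

if __name__ == "__main__":
    print("\n".join(check_policy(SAMPLE_INF)))
```

A real export is typically UTF-16 encoded, so decode the file accordingly before passing its text to `check_policy`.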

Page 13: ME Information Security

Security Layer-3: Host Protection

1- Protect against someone trying to attack from within the network.
2- Protect the data stored on workstations from someone coming through the firewall.

To apply security at this level:

1- Prepare a User Access Policy.

2- Regularly update the patches/hotfixes.

3- Limit access to network resources from workstations.

4- Install AV software.

5- Ensure workstation data is included in daily/nightly backups.

6- Allow no modems on workstations.

7- Allow only one user to log in on each workstation.

8- Do not retain faulty or old hard disk drives.

Page 14: ME Information Security

Security Layer-4: Data/Information Protection

With the previous layers, we should have one more layer on our data. Use encryption whenever possible.

1- Having all the security layers implemented on the corporate network helps secure all the PCs in the network but ??

2- Data protection is divided into the following categories: operating system security, sensitive data storage practices, and data encryption.

3- Operating system security

4- Sensitive data storage practices

5- Data encryption covers

Page 15: ME Information Security

Precautionary steps:

1- Do not use any option that "remembers" your password so that you do not have to reenter it the next time you need it.
2- Have all laptops installed with the latest Windows OS, with all encryption features enabled.
3- Have different passwords for different accounts.
4- Do not use the same password for the corporate network and public networks (Hotmail.com, Yahoo mail, etc.).
5- Apply newly released operating system patches and application patches.

Page 16: ME Information Security

Insider Security Risk

• Minimize Rights
• Enforce Access Controls
• Monitor User Activity

Page 17: ME Information Security

Questions & Answers

Page 18: ME Information Security

Thank You

Mohamed Monsef
Senior System and Network Engineer
MEAI Region Team – National Oilwell Varco

[email protected]
eg.linkedin.com/in/mohamedmonsef