TRANSCRIPT
A School’s Blueprint to Secure Everything
Renault Ross, CISSP, MCSE, CCNA, CHSS, CCSK, VCP5; US Information Security & Privacy Architect, Public Sector Strategic Programs
Agenda
Security Challenges in Securing Everything
Key Trends & Snapshot of Today’s Threat Landscape
Recommendations and Strategies
Technology Trends
KEY TRENDS
• CONSUMERIZATION
• IT-IFICATION
• VIRTUALIZATION
• CLOUD
• DATA GROWTH
• THREAT LANDSCAPE: Mobile, Social
Internet of Things
Retail & Finance
• Smart payments, cards
• Point of sale terminals
• ATM
• Vending machine monitoring
• Digital signage and electronic billboards
Utilities
• Meter reading
• Industrial controls
• Pro-active alerts
• Smart Grid applications
• Remote temperature control
Auto
• Telematics
• In-vehicle entertainment
• Navigation
• Safety services
• Concierge services
• Remote diagnostics
• Personalized insurance
Healthcare
• Home healthcare and hospital patient monitoring
• Remote telemedicine & physician consultation
• Body sensor monitoring
Consumer Services
• Smart home appliances
• Connected home
• Video feed monitoring
Manufacturing
• Supply chain management
• Geo-fencing
• Machine diagnostics
• Inventory control
• Industrial automation control
• Equipment monitoring
Threat Landscape: A fundamental shift…
• Hacking (old motivation)
• Cyber Crime
• Cyber Espionage
• Cyber Warfare
What’s in common between Miss Teen and a Businessman?
THEY ARE BOTH TARGETED FOR ATTACK
Targeted Attacks
• Up 42% in 2012
• Manufacturing moved to top position in 2012
• But all industries are targeted
Targeted Attacks by Industry, 2012 (chart, share of targeted attacks):
Manufacturing: 24%
Finance, Insurance & Real Estate: 19%
Services – Non-Traditional: 17%
Government: 12%
Energy/Utilities: 10%
Services – Professional: 8%
Wholesale: 2%
Retail: 2%
Aerospace: 2%
Transportation, Communications, Electric, Gas: 1%
Infection vectors
The vulnerability being exploited is the browser and its plugins. The stack, top to bottom:
• Plugins (Flash, Acrobat, Silverlight, Skype…)
• Code (PHP, ActiveX, JavaScript, AS3)
• Browser
• Protocol (HTTP, HTTPS)
• Network (IP)
Protection layers shown alongside the stack: Browser IPS, Host IPS.
Threat Landscape: How are we being attacked?
• It can start with an attachment
• Buried inside may be an embedded ‘Flash’ object
• Which leverages a vulnerability to deliver malware

• More likely it will be a link
• Seems innocuous, right?
• Well, not so fast…
• Hover over the link to see the real link buried underneath
• Clicking the link brings you to a malicious web site

• Or the web site itself will infect you just by visiting it…
• For example, the neighborhood pizza store might be infected
• How many pizza stores have a full-time IT guy on staff looking out for trouble?
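The "hover over the link" check above can be done programmatically on incoming mail: an anchor whose visible text looks like a URL or host name but whose real href points at a different site is the classic sign of a deceptive link. The following is an added example written for this page, not code from the deck or from Symantec; the HTML message body and its domains are constructed placeholders.

```python
"""Flag anchors whose visible text disagrees with their real destination.

Added example (not from the deck). The sample message body below is
constructed; the domains in it are placeholders, not real sites.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample e-mail body: one deceptive link, two honest ones.
SAMPLE_HTML = """
<p>Your mailbox is almost full. Please review at
<a href="http://login.example-mail.test/verify">https://mail.example.edu/quota</a>
or open the <a href="https://docs.example.edu/help">help page</a>.</p>
<p>Regards, <a href="https://mail.example.edu/">mail.example.edu</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:      # inside an <a> ... </a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Crude 'same site' key: the last two labels of the host name."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


# Visible text that a reader would take for a URL or a host name.
_URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)


def find_mismatched_links(html):
    """Return (visible_text, real_href) for every anchor whose text looks
    like a URL but whose href goes to a different site."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not _URLISH.match(text):
            continue            # plain words as link text: nothing to compare
        shown = text if "://" in text else "http://" + text
        shown_host = urlparse(shown).hostname or ""
        real_host = urlparse(href).hostname or ""
        if _registrable(shown_host) != _registrable(real_host):
            findings.append((text, href))
    return findings


if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_HTML):
        print(f"shown: {text!r} -> actually goes to {href!r}")
```

The site comparison deliberately uses only the last two host labels, so `mail.example.edu` and `www.example.edu` are treated as the same site; a production filter would use the public suffix list instead of this shortcut.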
2010 Trends
Mobile Threats
“There’s an app for that…”
Threat Landscape: Why is it hard to stop attacks?
• Hacker develops threat
• Hacker uses a tool to obfuscate the executable
• Tool generates clones that differ at the byte level
• Use cloud scanner to check for detection
• Release undetected variants
[Figure: the readable original (“This is my first virus that I plan to use to steal key and passwords from unsuspecting victims.”) shown beside several byte-level scrambled clones of it.]
The Internet of Things Is a Broad Area
[Figure: IoT (Internet of Things) at the center, surrounded by sectors and their devices, adapted from Beecham Research]
• HVAC, Transport, Fire & Safety, Lighting, Security, Access, etc.
• ENERGY: Turbines, Windmills, Batteries, Generators, Motors, Drills, Fuel Cells; Rigs, Derricks, Well Heads, Pumps, Pipelines; Alternative
• CONSUMER & HOME: PDAs
• Implants, Surgical Equipment, Pumps, Monitors, Telemedicine
• INDUSTRIAL: Pumps, Valves, Vats, Conveyors, Pipelines, Meters, Drives, Converting, Fabrication, Assembly/Packaging, Vessels
• Tolls, etc., Automobiles, Traffic Lights, Ships, Planes
• RETAIL: POS Terminals, Tags, Cash Registers, Vending Machines, Signs, etc.
• SECURITY/PUBLIC SAFETY: Tanks, Fighter Jets, Battlefield Comms, Homeland Security
• IT & NETWORKS: Servers, Storage, PC, Routers, Switches
• Microprocessors …
* Adapted from Beecham Research
The Rising Number of “Things”
• Today, 7 billion people, 9 billion connected devices!
• By 2020, 50 billion “things” connected to the Internet
Connected devices over time (chart*): 2003: 500M; 2010: 12.5B; 2015: 25B; 2020: 50B
*From Cisco IBSG, April 2011
Architecture Matters: application logic, data and analytics can be placed anywhere
Tiers: Enterprise, Cloud, Gateway, Local/Edge
Components that can sit in any tier: Application, Data, Analytics
Trust / Governance
• When a device is contacted for the first time (a user, another device), is it trusted?
– PKI as a root of trust
– Employ reputation
– Leverage a separate trusted channel
• Governance:
– Policy definition, management, and enforcement
– Compliance
Identity
• Billions of devices are going to be interconnected, so it is necessary to manage their identities in a scalable way
• Eventually, each device will be addressable on the Internet to support end-to-end communication, so it requires a scalable way to discover a device’s address given its identity
Fault Tolerance
• Devices may become faulty and stop working and even get compromised
• Many devices deployed in the field where there’s no management capability
• Fault tolerance:
– Remote monitoring
– Fault discovery by e.g., anomaly detection, intrusion detection, or remote diagnostics
– Remote reboot, reprogramming, and software update
– End-point protection by e.g., lock-down
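The fault-tolerance bullets above describe a loop of remote monitoring, fault discovery by anomaly detection, and a remote action (reboot, reprogramming, lock-down). The following is an added example written for this page, not code from the deck or from Symantec, showing the monitoring side over a constructed telemetry stream: it flags a device that has gone silent and one whose reading is far outside its own baseline, then maps each finding to an assumed remediation policy. Device ids, thresholds and actions are assumptions.

```python
"""Remote monitoring of field devices: find ones that go silent or report
out-of-range values, then queue a remediation action.

Added example (not from the deck). The telemetry, device ids, thresholds
and the remediation policy are all constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed telemetry: (timestamp in seconds, device id, temperature in C).
TELEMETRY = [
    (0, "sensor-01", 21.0), (0, "sensor-02", 20.5), (0, "sensor-03", 21.2),
    (60, "sensor-01", 21.1), (60, "sensor-02", 20.7), (60, "sensor-03", 21.0),
    (120, "sensor-01", 21.3), (120, "sensor-02", 20.6),   # sensor-03 has gone silent
    (180, "sensor-01", 21.2), (180, "sensor-02", 95.0),   # sensor-02 reports a spike
    (240, "sensor-01", 21.4), (240, "sensor-02", 20.6),
]

HEARTBEAT_S = 60    # expected reporting interval (assumption)
MAX_MISSED = 2      # missed beats before a device is declared faulty
Z_THRESHOLD = 3.0   # readings this many std devs from baseline are outliers
MIN_SD = 0.5        # noise floor so a very stable sensor is not over-sensitive


def analyze(telemetry, now=None):
    """Return {device_id: [findings]} where a finding is ("silent", n_missed)
    or ("outlier", timestamp, value)."""
    by_dev = defaultdict(list)
    for ts, dev, val in telemetry:
        by_dev[dev].append((ts, val))
    if now is None:
        now = max(ts for ts, _, _ in telemetry)

    report = {}
    for dev, samples in by_dev.items():
        samples.sort()
        findings = []

        # Liveness: how many heartbeats have been missed since the last report?
        last_ts = samples[-1][0]
        missed = int((now - last_ts) // HEARTBEAT_S)
        if missed >= MAX_MISSED:
            findings.append(("silent", missed))

        # Anomaly detection: judge each reading against the readings before it.
        history = []
        for ts, val in samples:
            if len(history) >= 2:
                mu, sd = mean(history), max(pstdev(history), MIN_SD)
                if abs(val - mu) / sd > Z_THRESHOLD:
                    findings.append(("outlier", ts, val))
                    continue        # keep the outlier out of the baseline
            history.append(val)
        report[dev] = findings
    return report


def remediation(report):
    """Map findings to the remote actions the slide lists (assumed policy)."""
    actions = {}
    for dev, findings in report.items():
        kinds = {f[0] for f in findings}
        if "silent" in kinds:
            actions[dev] = "remote reboot, then remote diagnostics if still silent"
        elif "outlier" in kinds:
            actions[dev] = "run remote diagnostics; lock down until cleared"
    return actions


if __name__ == "__main__":
    findings = analyze(TELEMETRY)
    for dev, action in remediation(findings).items():
        print(f"{dev}: {findings[dev]} -> {action}")
```

A device that is both silent and anomalous is handled as silent first, because no diagnostics can run until it answers again; that ordering is part of the assumed policy, not something the deck specifies.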
Communications
• Heterogeneous communications:
– Ethernet, dial-up, optics
– WiFi, Cellular, ZigBee, Bluetooth, WiMax
• Different requirements for communication:
– Low transmission latency for control networks
– Small payload size, e.g., 8 bytes for CAN, and 128 bytes for ZigBee
• Secure communications channel:
– Establish secure communication between devices/users using e.g., SSL-like handshake protocol
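The payload limits quoted above (8 bytes for CAN, 128 bytes for ZigBee) decide what a "secure channel" can physically carry once a session key exists. The following is an added example written for this page, not code from the deck or from Symantec: it seals each frame with a monotonic counter and a truncated HMAC tag, verifies and replay-checks it on the receiver, and shows that this overhead fits a ZigBee frame but cannot fit a CAN frame at all. The pre-shared key, the counter and tag widths and the link limits are assumptions; the key stands in for whatever the SSL-like handshake the slide mentions would have negotiated.

```python
"""Authenticated, replay-protected frames under IoT payload limits.

Added example (not from the deck). Key, counter width, tag width and the
link limits are assumptions; a pre-shared key replaces the handshake.
"""
import hashlib
import hmac
import struct

CAN_MAX = 8          # CAN payload limit from the slide
ZIGBEE_MAX = 128     # ZigBee payload limit from the slide
CTR_LEN = 4          # 32-bit monotonic counter (assumption)
TAG_LEN = 8          # truncated HMAC-SHA256 tag (assumption)

# Constructed demo key; a real deployment would derive it per session.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


class FrameTooLarge(ValueError):
    """The sealed frame does not fit the link's payload limit."""


def seal(counter, data, key=KEY, max_len=ZIGBEE_MAX):
    """Return counter || data || tag, refusing frames larger than max_len."""
    body = struct.pack(">I", counter) + data
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    frame = body + tag
    if len(frame) > max_len:
        raise FrameTooLarge(f"{len(frame)} bytes > {max_len}-byte payload limit")
    return frame


class Receiver:
    """Verifies the tag and enforces strictly increasing counters."""

    def __init__(self, key=KEY):
        self.key = key
        self.last_counter = -1

    def open(self, frame):
        """Return the payload bytes, or None if the frame is rejected."""
        if len(frame) < CTR_LEN + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                 # forged or corrupted
        counter = struct.unpack(">I", body[:CTR_LEN])[0]
        if counter <= self.last_counter:
            return None                 # replayed or reordered
        self.last_counter = counter
        return body[CTR_LEN:]


def data_room(max_len):
    """Bytes left for data after counter and tag; negative means none."""
    return max_len - (CTR_LEN + TAG_LEN)


def fits(counter, data, max_len):
    """True if the sealed frame for data fits the link's payload limit."""
    try:
        seal(counter, data, max_len=max_len)
        return True
    except FrameTooLarge:
        return False


if __name__ == "__main__":
    rx = Receiver()
    frame = seal(1, b"temp=21.3")
    print("first delivery:", rx.open(frame))
    print("same frame again:", rx.open(frame))   # replay is rejected
    print("room on ZigBee:", data_room(ZIGBEE_MAX), "on CAN:", data_room(CAN_MAX))
```

The negative CAN figure is the practical point: an 8-byte frame cannot carry even a minimal counter and tag, so integrity for CAN has to come from somewhere other than per-frame tags (a gateway, a separate trusted channel, or physical isolation), which is why the slide treats the communication medium as a design input rather than an implementation detail.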
Security Recommendations in the Internet of Things
• Authenticate Devices: Two-factor authentication, Managed Public Key Infrastructure solutions
• Protect the Infrastructure: Malicious Endpoint Protection, Web Gateway, Message Gateway, and Critical Systems Protection solutions
• Develop and Enforce IT Policies: Policy & standards modules, risk manager & vulnerability modules and solutions
• Manage the Infrastructure: Desktop and server patch management, software delivery, assets, ticket management and mobile devices solutions
• Protect the Information: Data Loss Prevention, Encryption, Backup and High Availability solutions
1. Governance Tools to Develop and Enforce IT Policy
Components shown: 3rd Party Data; Governance, Risk and Compliance; ESM Manager; CCS Data Collection; Federated Data Processing and Analysis; Dashboards; Audit Reports; Questionnaires; Entitlements; Standards; External Policies

2. Authenticate Identities & Devices
Scope: Endpoint, Mobility, Application, Government
• VeriSign Identity Protection: shared cloud-based two-factor authentication solution offering multiple credential choices
• Fraud Detection Service: risk-based authentication and software-based fraud detection (risk score from a rules engine and a behavior engine)
• Strong Authentication and MPKI / Public Key Infrastructure: PKI service issues certificates for strong authentication, encryption and digital signing
3. Protect the Information
Data Loss Prevention:
• Storage: Network Discover, Data Insight, Network Protect
• Endpoint: Endpoint Discover, Endpoint Prevent
• Network: Network Monitor, Network Prevent
Encryption of sensitive data: Whole Disk, Removal Hard-drive, Help Desk
4. Manage the Infrastructure
Enterprise Systems Management / Systems Management Platform
Areas: Infrastructure Operations, Business Continuity, Storage, Information Risk & Compliance, Security
Modules: Backup Management, Patch and System Management, Mobile Security Management, Power Management, HelpDesk Management, Application Virtualization
Third-Party Solutions: Dell Management Console, Dell Client Manager, vPro™ enabled computer management, HP Client Manager
5. Protect the Infrastructure
Threat management solutions

Summary: Symantec Security in IoT
• Manage Data: Storage Foundation, NetBackup
• Information Protection: Encryption, Data Loss Prevention
• Embedded Security: mPKI, CSP
• Operational Security: SEP, CSP, Network Heuristics, Inventory & Asset Mgmt
SEP
• Encrypt information
• Authenticate devices
• Managed / hosted PKI & device level certificates
• Controlling and securing systems
• Intrusion protection / detection
• Resource lockdown
• Application whitelisting
CSP
• Network monitoring
• Anomaly detection and reporting
• Information and event management from all network and host sources
• Data management
• Intrusion protection / detection
• Resource lockdown
Thank you!
SYMANTEC PROPRIETARY/CONFIDENTIAL – INTERNAL USE ONLY Copyright © 2010 Symantec Corporation. All rights reserved.
Renault Ross