Posted on 17-Apr-2018

A School’s Blueprint to Secure Everything

Renault Ross, CISSP, MCSE, CCNA, CHSS, CCSK, VCP5

US Information Security & Privacy Architect, Public Sector Strategic Programs

Agenda

Security Challenges in Securing Everything

Key Trends & Snapshot of Today’s Threat Landscape

Recommendations and Strategies

Key Trends

Technology Trends:

• Consumerization

• IT-ification

• Virtualization

• Cloud

• Data growth

• Threat landscape

• Mobile

• Social


Retail & Finance

• Smart payments, cards

• Point of sale terminals

• ATM

• Vending machine monitoring

• Digital signage and electronic billboards

Utilities

• Meter reading

• Industrial controls

• Pro-active alerts

• Smart Grid applications

• Remote temperature control

Auto

• Telematics

• In-vehicle entertainment

• Navigation

• Safety services

• Concierge services

• Remote diagnostics

• Personalized insurance

Internet of Things

Healthcare

• Home healthcare and hospital patient monitoring

• Remote telemedicine & physician consultation

• Body sensor monitoring

Consumer Services

• Smart home appliances

• Connected home

• Video feed monitoring

Manufacturing

• Supply chain management

• Geo-fencing

• Machine diagnostics

• Inventory control

• Industrial automation control

• Equipment monitoring

Threat Landscape: A fundamental shift…

From the old motivation (hacking) to Cyber Crime, Cyber Espionage and Cyber Warfare

What’s in common between Miss Teen and a Businessman?

THEY ARE BOTH TARGETED FOR ATTACK

Targeted Attacks

up 42% in 2012

• Manufacturing moved to top position in 2012

• But all industries are targeted

Targeted Attacks by Industry (share of targeted attacks, 2012):

Manufacturing: 24%

Finance, Insurance & Real Estate: 19%

Services – Non-Traditional: 17%

Government: 12%

Energy/Utilities: 10%

Services – Professional: 8%

Wholesale: 2%

Retail: 2%

Aerospace: 2%

Transportation, Communications, Electric, Gas: 1%

Infection vectors

The vulnerabilities being exploited are in the browser and its plugins. Layers of the attack surface (top to bottom), with Browser IPS and Host IPS as the two inspection points:

• Plugins (Flash, Acrobat, Silverlight, Skype…)

• Code (PHP, ActiveX, JavaScript, AS3)

• Browser

• Protocol (HTTP, HTTPS)

• Network (IP)

Threat Landscape

How are we being attacked?

• It can start with an attachment

• Buried inside may be an embedded ‘Flash’ object

• Which leverages a vulnerability to deliver malware

Threat Landscape

How are we being attacked?

• More likely it will be a link

• Seems innocuous, right?

• Well not so fast…

• Hover over the link to see the real link buried underneath

• Clicking the link brings you to a malicious web site
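The hover check from the slide above, as an added example that is not part of the original deck: a small Python scanner that parses an HTML message body and flags anchors whose displayed URL or domain does not match the host in the href. The sample HTML and its domains are constructed.

```python
"""Added example (not from the original slides): the "hover over the link to
see the real link" check done over an HTML e-mail body."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tokens in visible text that look like a URL or a bare domain name.
HOST_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

# Constructed sample message body (placeholder addresses, not real sites).
SAMPLE_HTML = """
<p>Please <a href="http://198.51.100.7/login">sign in at https://portal.example-school.edu</a>
to update your password.</p>
<p>Read the <a href="https://www.example.com/news">newsletter</a>.</p>
<p>Visit <a href="https://example.com/help">example.com/help</a> for support.</p>
"""

def host_of(text):
    # Lowercase host of a URL or bare domain ('' if none).
    text = text.strip()
    if "://" not in text:
        text = "http://" + text  # give urlparse a scheme to work with
    return (urlparse(text).hostname or "").lower()

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_deceptive_links(html):
    """(visible_text, real_href) for anchors whose shown host differs from
    the href host; anchors with no host-like text are not flagged."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = {host_of(m.group(0)) for m in HOST_LIKE.finditer(text)}
        if shown and host_of(href) not in shown:
            flagged.append((text, href))
    return flagged
```

Running `find_deceptive_links(SAMPLE_HTML)` flags only the first anchor, whose text shows the school portal while the href points at a bare IP address.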

Threat Landscape

How are we being attacked?

• Or the web site itself will infect you just by visiting it…

• For example, the neighborhood pizza store might be infected

• How many pizza stores have a full-time IT guy on staff looking out for trouble?

2010 Trends

Mobile Threats

“There’s an app for that…”

Threat Landscape: Why is it hard to stop attacks?

• Hacker develops threat

• Hacker uses a tool to obfuscate the executable

• Tool generates clones that differ at the byte level

• Use a cloud scanner to check for detection

• Release undetected variants

[Slide illustration: the readable source text “This is my first virus that I plan to use to steal key and passwords from unsuspecting victims.” is shown beside several byte-level different, unreadable clones of it.]

The Internet of Things Is a Broad Area

[Slide figure, adapted from Beecham Research: “IoT (Internet of Things)” at the centre, surrounded by the sectors ENERGY, CONSUMER & HOME, INDUSTRIAL, RETAIL, SECURITY/PUBLIC SAFETY and IT & NETWORKS, with example “things” including: HVAC, transport, fire & safety, lighting, security and access systems; turbines, windmills, batteries, generators, motors, drills, fuel cells, rigs, derricks, well heads, pumps, pipelines and alternative energy; PDAs; implants, surgical equipment, pumps, monitors and telemedicine; pumps, valves, vats, conveyors, pipelines, meters, drives, converting, fabrication, assembly/packaging and vessels; tolls, automobiles, traffic lights, ships and planes; POS terminals, tags, cash registers, vending machines and signs; tanks, fighter jets, battlefield comms and homeland security; servers, storage, PCs, routers and switches.]

Microprocessors …

The Rising Number of “Things”

• Today, 7 billion people, 9 billion connected devices!

• By 2020, 50 billion “things” connected to the Internet

*From Cisco IBSG, April 2011

Connected devices over time (same source):

2003: 500M

2010: 12.5B

2015: 25B

2020: 50B

Architecture Matters

Application logic, data and analytics can be placed anywhere: Enterprise, Cloud, Gateway or Local/Edge.

Trust / Governance

• When a device is contacted for the first time (a user, another device), is it trusted?

– PKI as a root of trust

– Employ reputation

– Leverage a separate trusted channel

• Governance:

– Policy definition, management, and enforcement

– Compliance

Identity

• Billions of devices are going to be interconnected, so it is necessary to manage their identities in a scalable way

• Eventually, each device will be addressable on the Internet to support end-to-end communication, so it requires a scalable way to discover a device’s address given its identity

Fault Tolerance

• Devices may become faulty and stop working and even get compromised

• Many devices are deployed in the field where there is no management capability

• Fault tolerance:

– Remote monitoring

– Fault discovery by e.g., anomaly detection, intrusion detection, or remote diagnostics

– Remote reboot, reprogramming, and software update

– End-point protection by e.g., lock-down

Communications

• Heterogeneous communications:

– Ethernet, dial-up, optics

– WiFi, Cellular, ZigBee, Bluetooth, WiMax

• Different requirements for communication:

– Low transmission latency for control networks

– Small payload size, e.g., 8 bytes for CAN, and 128 bytes for ZigBee

• Secure communications channel:

– Establish secure communication between devices/users using e.g., SSL-like handshake protocol

Security Recommendations In the Internet of Things

• Authenticate Device: Two-factor authentication, Managed Public Key Infrastructure solutions

• Protect the Infrastructure: Malicious Endpoint Protection, Web Gateway, Message Gateway, and Critical Systems Protection solutions

• Develop and Enforce IT Policies: Policy & standards modules, risk manager & vulnerability modules and solutions

• Manage the Infrastructure: Desktop and server patch management, software delivery, assets, ticket management and mobile devices solutions

• Protect the Information: Data Loss Prevention, Encryption, Backup and High Availability solutions

Governance Tools to Develop and Enforce IT Policy

[Slide figure: a Governance, Risk and Compliance layer fed by 3rd Party Data, the ESM Manager and CCS Data Collection, with Federated Data Processing and Analysis producing Dashboards and Audit Reports; inputs include Questionnaires, Entitlements, Standards and External Policies.]

Authenticate Identities & Devices

[Slide figure covering Endpoint, Mobility, Application and Government use cases:]

• VeriSign Identity Protection: shared cloud-based two-factor authentication solution offering multiple credential choices

• Fraud Detection Service: risk-based authentication and software-based fraud detection (a rules engine and a behavior engine producing a risk score)

• Strong Authentication and MPKI (Public Key Infrastructure): PKI service issues certificates for strong authentication, encryption and digital signing

Protect the Information

Data Loss Prevention:

• Storage: Data Loss Prevention Network Discover, Data Insight, Network Protect

• Endpoint: Data Loss Prevention Endpoint Discover, Endpoint Prevent

• Network: Data Loss Prevention Network Monitor, Network Prevent

Encryption of sensitive data: Whole Disk, Help Desk, Removal Hard-drive

Manage the Infrastructure

Enterprise Systems Management: Systems Management Platform

[Slide figure: the platform spans Infrastructure Operations, Business Continuity, Storage, Information Risk & Compliance and Security, with modules for Backup Management, Patch and System Management, Mobile Security Management, Power Management, HelpDesk Management and Application Virtualization, plus third-party solutions: Dell Management Console, Dell Client Manager, vPro™-enabled computer management and HP Client Manager.]

Protect the Infrastructure

Threat management solutions

Summary: Symantec Security in IoT

[Slide figure: building blocks Manage Data (Storage Foundation, NetBackup), Operational Security, Information Protection (Encryption, mPKI), Embedded Security (CSP, SEP), Network Heuristics, Data Loss Prevention and Inventory & Asset Mgmt, with the following capabilities:]

• Encrypt information

• Authenticate devices

• Managed / hosted PKI & device level certificates

• Controlling and securing systems

• Intrusion protection / detection

• Resource lockdown

• Application whitelisting

• Network monitoring

• Anomaly detection and reporting

• Information and event management from all network and host sources

• Data management

Thank you!

SYMANTEC PROPRIETARY/CONFIDENTIAL – INTERNAL USE ONLY Copyright © 2010 Symantec Corporation. All rights reserved.


Renault Ross

Renault_Ross@symantec.com
