Datacenter Attack Surfaces

Hello!  I’m Jim Klun – a comparatively recent addition to the team here at Microsolved. 

I have worked over the years to protect large datacenter environments from compromise. I want to take a moment to share a way to look at the external security risks facing such an environment. I’ve used it effectively to explain (usually to senior management) the reality of risks that often go unplanned for.

Essentially, I have come to view a typical datacenter environment as presenting three major “doorways” that external attackers will attempt to break through. These are often described as “attack surfaces” in the literature and are illustrated below:

Let’s take a look at each side of this “attack surface” triangle.

Internet

An organization’s Internet presence – the Internet-facing services offered to the public over the Internet – is usually well understood as an attack surface.  Organizations with at least some security awareness will ensure that servers with publicly exposed services are protected by a firewall, offer only a limited number of secured services to the Internet and tightly monitor those services for signs of potential abuse or compromise.  Best practice also dictates that they be in a separate network segment (e.g. a “DMZ”) with limited access into the rest of the datacenter.  Segmentation makes it more difficult for an attacker who has gained access to an Internet server to extend their control inward without being detected.

But – note the other attack surfaces shown in the diagram. These are the ones often ignored by organizations.  The reason is invariably a misplaced sense of “trust”. 

Private Connections

These are the various “private” pathways into your datacenter provided to vendors, business partners or customers. Communication may be over dedicated non-Internet communication channels or possibly via site-to-site VPN over the Internet. Portions of some other organization’s internal infrastructure are connected to yours via such paths. Your organization becomes dependent on their internal security.

Regardless of the private communication mechanism, the special nature of the relationship invariably instills a sense of trust in the security of the connection. The assumption is that the folks at the other end are “doing the right thing” and pose a limited risk. But of course you have no way of really knowing that. A compromise of a vendor site that has a direct connection into your datacenter, so that the vendor can perform maintenance work on your servers, is a real and serious risk to you. As an attacker, I would delight after compromising a support vendor to find such maintenance connections. Hopefully one would not be to your datacenter.

Unless you have complete, assured control of the infrastructure at such sites, you must assume they are potentially hostile.  Firewalls, logging, segmentation, and intrusion detection are as much a requirement here as they are for the Internet.

Employee/Contractors

“We trust our employees!”   Of course you do.  But trust here goes beyond trust of the individual human being.  The trust is of a combined entity – your employee AND that company laptop they take home every night.  Few people are capable of using a Windows-based laptop in such a way as to avoid compromise over the long term.  You may have a full array of anti-malware solutions running on company laptops, but the simple fact of modern digital life is a subset of them will be compromised and you will not detect it.

The trick is to limit the damage that any one such compromised laptop can do to the security of your datacenter.  If you have no firewalls between your internal employee space and your datacenter and you have no controls on outbound traffic from your employee space to the Internet (porn filters are not enough), then an attacker who has remote control of that laptop can simply use it as an internal attack platform against your datacenter.   This has become a major vector for data-center compromise.

Employee desktop/laptop/smartphone IP space should be entirely different from that used internally within your datacenter. Firewalls should lie between those spaces. Strict limits must be imposed on what your non-technical users “see” of your datacenter. If they can see everything, then an attacker who has taken control of their machine can see it all as well. Ideally all access to datacenter servers by technical administrators is by way of “jump hosts” that sit at the boundary between the datacenter and employee space. Two-factor authentication for access to such administrative jump hosts is a requirement. System admins are just as likely as any other user to have traditional credentials stolen.

By limiting what your internal users can see of your datacenter and logging all access attempts, you have some chance of limiting the opportunities for attack from a compromised laptop and at least some chance of detecting it if it does occur.
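The segmented design above (separate employee IP space, a firewall in between, admin access only through jump hosts) can be turned into a check run over connection logs to spot "flat network" traffic. This is an added example, not code from the original post; the address ranges, the `src -> dst:port` log format and the sample flows are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed address plan (hypothetical, not from the post).
ZONES = {
    "jump":       ipaddress.ip_network("10.10.255.0/24"),  # admin jump hosts
    "datacenter": ipaddress.ip_network("10.10.0.0/16"),    # server space
    "dmz":        ipaddress.ip_network("192.0.2.0/24"),    # Internet-facing
    "employee":   ipaddress.ip_network("10.50.0.0/16"),    # laptops/desktops
}
ADMIN_PORTS = {22, 3389}  # the only services employee space may reach on a jump host

Flow = namedtuple("Flow", "src dst dport")

def zone_of(ip):
    """Map an address to a zone; jump hosts sit inside datacenter space, so test them first."""
    addr = ipaddress.ip_address(ip)
    for name in ("jump", "datacenter", "dmz", "employee"):
        if addr in ZONES[name]:
            return name
    return "internet"

def check_flow(flow):
    """Return None if the flow fits the segmented design, else a short reason."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == "employee" and d == "datacenter":
        return "employee space reaching datacenter directly (flat network)"
    if s == "employee" and d == "jump" and flow.dport not in ADMIN_PORTS:
        return "employee space reaching jump host on a non-admin port"
    if s == "datacenter" and d == "internet":
        return "datacenter server initiating to the Internet (no egress filtering)"
    if s == "dmz" and d in ("datacenter", "employee"):
        return "DMZ host initiating inward (should be tightly limited)"
    return None

def parse_flow(line):
    """Parse the constructed log format '<src> -> <dst>:<dport>'."""
    src, rest = line.split(" -> ")
    dst, dport = rest.rsplit(":", 1)
    return Flow(src.strip(), dst.strip(), int(dport))

def find_violations(lines):
    """Return (line, reason) pairs for flows that break the design."""
    return [(ln, r) for ln in lines if (r := check_flow(parse_flow(ln)))]

SAMPLE_FLOWS = [  # constructed sample connection log
    "10.50.3.17 -> 10.10.255.5:22",    # admin laptop to jump host: fine
    "10.50.3.17 -> 10.10.4.20:445",    # laptop straight to a file server: flat
    "10.10.255.5 -> 10.10.4.20:22",    # jump host into the datacenter: fine
    "10.10.4.20 -> 203.0.113.9:443",   # server calling out to the Internet
    "192.0.2.10 -> 10.10.4.20:1433",   # DMZ web server into an internal DB
]

if __name__ == "__main__":
    for line, reason in find_violations(SAMPLE_FLOWS):
        print(f"{line:32} {reason}")
```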

Don’t think it happens?   http://spectrum.ieee.org/riskfactor/computing/it/south-korean-banks-weeklong-system-failure-affecting-30-million-an-inside-job

_______________________________________________________

For my next post, I’d like to take a look at a topic closely related to the above: Egress Filtering. Don’t do it? You need to. See: http://en.wikipedia.org/wiki/Egress_filtering


CMHSecLunch for December is the 9th

Just a reminder that the CMHSecLunch for December will be on the 9th at North Market. As always, admission is free and everyone is welcome. Come on out and see your friends.

As usual, to RSVP and let others know you are attending, or to view more information about the event, you can visit the eventbrite site here.

See you there! Or, on Twitter with the hashtag #CMHSecLunch if you can’t make it or are out of the Columbus area. The more the merrier!

Touchdown Task for November- Network Segmentation Review

Whether it is budget preparation or annual project planning, the end of the year always leads us to think of the “big picture”. The touchdown task for this month is to review your network architecture maps and diagrams. First of all, make sure they are up-to-date. But secondly, look for indications that your network might be too flat. That is, do you have proper network segmentation between all of your information resources? Are your firewalls placed properly throughout your environment? 


A “flat” network architecture allows attackers who have gained a foothold on the internal (and sometimes even the external — you do have a layered DMZ, right?) network full visibility to internal systems and to move freely through workstation and server space. 


If you see some re-architecting that should be done, make note of it now. Depending on the complexity of the work, either schedule the re-architecture for a slow period at the end of this year or create a work plan for 2014. 


As always, thanks for reading and keep your eyes on the goal!

Code of Conduct Research

We have begun working on another project around helping organizations better protect their information assets and the reputations of both their employees and their firms at large. As part of that project, we would like to solicit some feedback from the readership of the blog. 

Does your organization have a code of conduct for employees? Does it have a written code of conduct for management, board members and/or public relations campaigns?

Is it a living code of conduct or is it a stagnant piece of policy? How often is it updated? Does it cover social media presence, community engagement and/or public perception of the firm or individual?

Who audits the code of conduct and how is it monitored for violations? 

Please feel free to give us your thoughts on the code of conduct and which industry you are in. We are taking responses via email (info <at> microsolved <dot> com) or via Twitter (@lbhuston). 

Thanks for responding. Responses will be entered into a random drawing for a Starbucks gift card, so respond for a chance to win some java goodness. 🙂

Brent Huston to Lead ICS/SCADA Honeypot Webinar with SANS

Our Founder and CEO, Brent Huston (@lbhuston), will be leading a SANS webinar on ICS/SCADA honeypots. The webinar is scheduled for November 25th, 2013 and you can find more information and register by visiting this page.

The webinar will cover when honeypots are and are not useful, basic deployment strategies and insights into using them for detection in field deployments and control environments. 

Check it out, tune in and give Brent a shout out on Twitter. Thanks for reading and we hope you enjoy the webinar.

Thanks for Making the 3rd Mid-West ICS/SCADA Security Symposium a Success

Thanks to the attendees and speakers who participated yesterday in the 3rd Annual ICS/SCADA Security Symposium. It was another great event and once again, the center of the value was in the interactions of the audience with the speakers and each other. It’s great to hear asset owners discuss what is working, what is challenging and what is critical in their minds.

Thanks again to those who attended and contributed to making this event such a wonderful thing again this year. We appreciate it and we can’t wait until next year to do it all again.

Thank YOU!

Three Ways to Help Your Security Team Succeed

Over the years, I have watched several infosec teams grow from inception to maturity. I have worked with managers, board members and the front line first responders to help them succeed. During that time I have keyed in on three key items that really mean the difference between success and failure when it comes to growing a team’s capability, maturity and effectiveness. Those three items are:

  • Cooperative relationships with business units – groups that succeed form cooperative, consultative relationships with the lines of business, other groups of stakeholders and the management team. Failing teams create political infighting, rivalry and back stabbing. The other stakeholders have to be able to trust and communicate with the infosec team in order for the security team to gain wisdom, leverage and effective pro-active traction to reform security postures. If the other teams can’t trust the security folks, then they won’t include them in planning, enforce anything beyond the absolute minimum requirements and/or offer them a seat at their table when it comes time to plan and execute new endeavors. Successful teams operate as brethren of the entire business, while failing teams either play the role of the “net cop” or the heavy-handed bad guy — helping neither themselves, their users nor the business at large.
  • Embracing security automation and simplification – groups that succeed automate as much of the heavy lifting as possible. They continually optimize processes and reduce complex tasks to simplified ones with methodologies, written checklists or other forms of easy to use quality management techniques. Where they can, they replace human tasks with scripting, code, systems or shared responsibility. Failing teams burn out the team members. They engage in sloppy processes, tedious workflows, use the term “we’ve always done it this way” quite a bit and throw human talent and attention at problems that simple hardware and software investments could eliminate or simplify. If you have someone “reading the logs”, for example, after a few days, they are likely getting less and less effective by the moment. Automate the heavy lifting and let your team members work on the output, hunt for the bad guys or do the more fun stuff of information security. Fail to do this and your team will perish under turnover, malaise and a lack of effectiveness. Failing teams find themselves on the chopping block when the business bottom line calls for reform.
  • Mentoring and peer to peer rotation – groups that succeed pay deep attention to skills development and work hard to avoid burn out. They have team members engage in mentoring, not just with other security team members, but with other lines of business, stakeholder groups and management. They act as both mentors and mentees. They also rotate highly complex or tedious tasks among the team members and promote cross training and group problem solving over time. This allows for continuous knowledge transfer, fresh eyes on the problems and ongoing organic problem reduction. When innovation and mentoring are rewarded, people rise to the occasion. Failing groups don’t do any of this. Instead, they tend to lock people to tasks, especially pushing the unsexy tasks to the low person on the totem pole. This causes animosity, a general loss of knowledge transfer and a seriously bad working environment. Failing teams look like security silos with little cross training or co-operative initiatives. This creates a difficult situation for the entire team and reduces the overall effectiveness for the organization at large.

Where does your team fit into the picture? Are you working hard on the three key items or have they ever been addressed? How might you bring these three key items into play in your security team? Give us a shout on Twitter (@microsolved or @lbhuston) and let us know about your successes or failures. 

Thanks for reading, and until next time, stay safe out there! 

SANS ICS Summit & Training in Singapore

SANS Asia Pacific ICS Summit and Training 2013 – Singapore

If you have any responsibility for the security of control systems – policy, engineering, governance or operations – you won’t want to miss the Asia Pacific ICS Security Summit taking place 2-8 December 2013, where you will:

  • Learn all about the new Global ICS Professional Security Certification
  • Gain the most current information regarding Industrial Control System threats and learn how to best prepare to defend against them
  • Hear what works and what does not from peer organizations
  • Network with top individuals in the field of Industrial Control Systems security and return from the Summit with solutions you can immediately put to use in your organization
  • Listen to 15+ speakers from a variety of companies who will cover exceptional content throughout the two-day Summit
  • Earn CPE credits for the summit and course you attend


ICS410: ICS Cyber Security Essentials (brand new course), 4-8 December, taught by SANS Faculty Fellow Dr. Eric Cole, will provide a standardized foundational set of skills, knowledge and abilities for Industrial Cyber Security professionals. This course is designed to ensure that the workforce involved in supporting and defending Industrial Control Systems is trained to perform work in a manner that will keep the operational environment safe, secure and resilient against current and emerging cyber threats.

Agenda highlights for the summit include:

  • A Community Approach to Securing the Cyberspace to Enhance National Resilience
  • The Good, Bad and the Ugly: Certification of People, Processes and Devices
  • SCADA Security Assessment Methodology: The Malaysia Experience
  • The State of Critical Control System Security in Japan
  • Smart Security: Strengthening Information Protection in Your ICS


To learn more about the Summit and Training, or register now and save 5% on your registration with code SANSICS_MSI5, please visit: http://www.sans.org/info/142537


CMHSecLunch is Monday, November 11th

Mark your calendars now!!!!

The next CMHSecLunch is Monday, November 11th at the Tuttle Mall food court! Starts at 11:30 and runs to about 1 PM.

Come out and see your old friends, make some new ones and generally have a little InfoSec FUN!!!!!!

This is even a great food court, with COFFEE and ICE CREAM!!!! Fun and dessert!!!! mmmmmmmmmm 🙂

Sign up here, or just drop by and surprise us all! 🙂 

See ya then!