Cole | Advanced Persistent Threat | E-Book | sack.de
E-book, English, 320 pages

Cole, Advanced Persistent Threat

Understanding the Danger and How to Protect Your Organization
1st edition, 2012
ISBN: 978-1-59749-955-2
Publisher: Elsevier Science & Techn.
Format: EPUB
Copy protection: Adobe DRM (see system requirements)




The newest threat to security has been categorized as the Advanced Persistent Threat, or APT. The APT bypasses most of an organization's current security devices and is typically carried out by an organized group, such as a foreign nation state or rogue group, with both the capability and the intent to persistently and effectively target a specific entity and wreak havoc. Most organizations do not understand how to deal with it or what is needed to protect their network from compromise. In Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization, Eric Cole discusses the critical information that readers need to know about APT and how to avoid being a victim. Advanced Persistent Threat is the first comprehensive manual that discusses how attackers are breaking into systems and what to do to protect and defend against these intrusions. Topics include:

- How and why organizations are being attacked
- How to develop a "Risk-based Approach to Security"
- Tools for protecting data and preventing attacks
- Critical information on how to respond to and recover from an intrusion
- The emerging threat to cloud-based networks

Dr. Eric Cole is an industry-recognized security expert, technology visionary and scientist, with over 15 years' hands-on experience. Dr. Cole currently performs leading-edge security consulting and works in research and development to advance the state of the art in information systems security. Dr. Cole has over a decade of experience in information technology, with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. Dr. Cole has a Masters in Computer Science from NYIT and a Ph.D. from Pace University with a concentration in Information Security. Dr. Cole is the author of several books, including Hackers Beware, Hiding in Plain Sight, Network Security Bible and Insider Threat. He is also the inventor of over 20 patents and is a researcher, writer, and speaker for SANS Institute and faculty for The SANS Technology Institute, a degree-granting institution.


Further information & material


Half Title (p. 2)
Advanced Persistent Threat (p. 4)
Copyright (p. 5)
Dedication (p. 6)
Contents (p. 8)
Author Biography (p. 14)
Preface (p. 16)
Understanding the Problem (p. 18)
1 The Changing Threat (p. 20)
  Introduction (p. 20)
  The Current Landscape (p. 21)
  Organizations View on Security (p. 22)
  You will be Compromised (p. 23)
  The Cyber ShopLifter (p. 24)
  The New Defense in Depth (p. 25)
  Proactive vs Reactive (p. 27)
  Loss of Common Sense (p. 28)
  It is All About Risk (p. 29)
  What Was In Place? (p. 30)
  Pain Killer Security (p. 31)
  Reducing the Surface Space (p. 31)
  HTML Embedded Email (p. 32)
  Buffer Overflows (p. 32)
  Macros in Office Documents (p. 33)
  The Traditional Threat (p. 33)
  Common Cold (p. 34)
  Reactive Security (p. 34)
  Automation (p. 34)
  The Emerging Threat (p. 35)
  APT—Cyber Cancer (p. 36)
  Advanced Persistent Threat (APT) (p. 36)
  APT—Stealthy, Targeted, and Data Focused (p. 38)
  Characteristics of the APT (p. 39)
  Defending Against the APT (p. 40)
  APT vs Traditional Threat (p. 41)
  Sample APT Attacks (p. 42)
  APT Multi-Phased Approach (p. 42)
  Summary (p. 43)
2 Why are Organizations Being Compromised? (p. 44)
  Introduction (p. 44)
  Doing Good Things and Doing the Right Things (p. 45)
  Security is Not Helpless (p. 46)
  Beyond Good or Bad (p. 48)
  Attackers are in Your Network (p. 48)
  Proactive, Predictive, and Adaptive (p. 51)
  Example of How to Win (p. 54)
  Data Centric Security (p. 56)
  Money Does Not Equal Security (p. 57)
  The New Approach to APT (p. 58)
  Selling Security to Your Executives (p. 59)
  Top Security Trends (p. 63)
  Summary (p. 66)
3 How are Organizations Being Compromised? (p. 68)
  Introduction (p. 68)
  What are Attackers After? (p. 70)
  Attacker Process (p. 70)
  Reconnaissance (p. 71)
  Scanning (p. 73)
  Exploitation (p. 74)
  Create Backdoors (p. 75)
  Cover Their Tracks (p. 75)
  Compromising a Server (p. 76)
  Compromising a Client (p. 82)
  Insider Threat (p. 83)
  Traditional Security (p. 86)
  Firewalls (p. 86)
  Dropped Packets (p. 88)
  InBound Prevention and OutBound Detection (p. 90)
  Intrusion Detection (p. 91)
  Summary (p. 92)
4 Risk-Based Approach to Security (p. 94)
  Introduction (p. 94)
  Products vs. Solutions (p. 95)
  Learning from the Past (p. 95)
  What is Risk? (p. 96)
  Focused Security (p. 97)
  Formal Risk Model (p. 101)
    Threat (p. 102)
      External vs. Internal Threat (p. 105)
    Vulnerability (p. 105)
    Known and Unknown Vulnerabilities (p. 107)
    Putting the Pieces Back Together (p. 109)
  Insurance Model (p. 112)
  Calculating Risk (p. 113)
  Summary (p. 113)
Emerging Trends (p. 114)
5 Protecting Your Data (p. 116)
  Introduction (p. 116)
  Data Discovery (p. 117)
  Protected Enclaves (p. 118)
  Everything Starts with Your Data (p. 121)
  CIA (p. 123)
  Data Classification (p. 124)
    Data Classification Mistake 1 (p. 125)
    Data Classification Rule 1 (p. 125)
    Data Classification Mistake 2 (p. 126)
    Data Classification Rule 2 (p. 126)
    Data Classification Mistake 3 (p. 126)
    Data Classification Rule 3 (p. 126)
  Encryption (p. 128)
  Types of Encryption (p. 130)
  Goals of Encryption (p. 131)
  Data at Rest (p. 132)
  Data at Motion (p. 133)
  Encryption—More Than You Bargained For (p. 134)
  Network Segmentation and De-Scoping (p. 135)
  Encryption Free Zone (p. 136)
  Summary (p. 138)
6 Prevention is Ideal but Detection is a Must (p. 140)
  Introduction (p. 140)
  Inbound Prevention (p. 142)
  Outbound Detection (p. 148)
  Network vs. Host (p. 153)
  Making Hard Decisions (p. 155)
  Is AV/Host Protection Dead? (p. 159)
  Summary (p. 160)
7 Incident Response: Respond and Recover (p. 162)
  Introduction (p. 162)
  The New Rule (p. 164)
  Suicidal Mindset (p. 166)
  Incident Response (p. 168)
  Events/Audit Trails (p. 171)
  Sample Incidents (p. 173)
  6-Step Process (p. 176)
    Preparation (p. 177)
    Identification (p. 179)
    Containment (p. 181)
    Eradication (p. 183)
    Recovery (p. 184)
    Lesson Learned (p. 184)
  Forensic Overview (p. 184)
  Summary (p. 188)
8 Technologies for Success (p. 190)
  Introduction (p. 190)
  Integrated Approach to APT (p. 192)
  How Bad is the Problem? (p. 193)
  Trying to Hit a Moving Target (p. 196)
  Finding the Needle in the Haystack (p. 199)
  Understand What You Have (p. 205)
  Identifying APT (p. 206)
    Assessment and Discovery (p. 208)
    Analysis and Remediation (p. 213)
    Program Review (p. 215)
  Minimizing the Problem (p. 218)
  End to End Solution for the APT (p. 219)
  Summary (p. 221)
The Future and How to Win (p. 224)
9 The Changing Landscape: Cloud and Mobilization (p. 226)
  Introduction (p. 226)
  You Cannot Fight the Cloud (p. 229)
  Is the Cloud Really New? (p. 230)
  What is the Cloud? (p. 231)
  Securing the Cloud (p. 232)
  Reducing Cloud Computing Risks (p. 235)
  Mobilization—BYOD (Bring Your Own Device) (p. 236)
  Dealing with Future Technologies (p. 237)
  Summary (p. 239)
10 Proactive Security and Reputational Ranking (p. 240)
  Introduction (p. 240)
  Facing Reality (p. 242)
  Predicting Attacks to Become Proactive (p. 243)
    Advanced (p. 244)
    Persistent (p. 245)
    Threat (p. 246)
  Changing How You Think About Security (p. 247)
  The Problem has Changed (p. 250)
  The APT Defendable Network (p. 251)
  Summary (p. 257)
11 Focusing in on the Right Security (p. 260)
  Introduction (p. 260)
  What is the Problem That is Being Solved? (p. 261)
  If the Offense Knows More Than the Defense You Will Lose (p. 264)
  Enhancing User Awareness (p. 267)
  Virtualized Sandboxing (p. 267)
  Patching (p. 269)
  White Listing (p. 270)
  Summary (p. 271)
12 Implementing Adaptive Security (p. 272)
  Introduction (p. 272)
  Focusing on the Human (p. 274)
  Focusing on the Data (p. 279)
  Game Plan (p. 282)
  Prioritizing Risks (p. 284)
  Key Emerging Technologies (p. 289)
  The Critical Controls (p. 292)
  Summary (p. 297)
Index (p. 300)


Chapter 2: Why are Organizations Being Compromised?

Introduction

It would be nice if we lived in a world where bad things only happened to bad people. Unfortunately, we live in a world where bad things happen to good people. People who drive the speed limit, always stop at stop signs, and wear seat belts still get into accidents or are hit by drunk drivers in situations over which they had no control. Similar things happen in the cyber world. Organizations that try to do the right thing and follow all of the rules still get compromised and broken into. Many executives, after they are notified that their organization has been compromised, are surprised. A common theme is "we have spent millions of dollars on security; how could this have happened?" The underlying reason is that no matter how hard you try, you cannot control the threats. The only things you control are the vulnerabilities that are present on your systems. Now, this can be a slippery slope. It is impossible to remove all vulnerabilities from a system, just as it is impossible to remove all vulnerabilities from our lives. Even though some people reading this book might believe otherwise, there are no superhumans or perfect people. We all have weaknesses. Those who are successful in life focus on fixing the weaknesses they can, accept the ones they cannot, and create situations that maximize their strengths and minimize their shortcomings. Security needs to take the same approach. An organization cannot remove all vulnerabilities, which means there is always a chance of compromise. This chapter is about playing to our strengths and avoiding the slippery slope of spending a lot of effort on security and still being compromised. Better understanding the threats and why organizations are compromised will allow us to build better, more effective defensive measures.

In the real world and in cyber, there is no "E" for effort. In elementary school, I used to receive an "E" for effort as my grade for PE (physical education). Essentially this was a nice way of saying that while I tried harder than anyone else in class, I really sucked at this particular activity. School is about learning; giving me the F I deserved, since I was not very good at the activity, would have really discouraged me, and they wanted to show my parents that I was trying very hard and putting in a lot of effort, even though the results did not show it. Unfortunately, once you leave school, whether you try hard or not does not matter: you are judged solely on the results. This causes frustration for many people because they are trying hard to secure their organization but are still compromised.

Back in the 1990s, understanding and assessing why organizations were compromised was straightforward. Organizations that were compromised back then were making obvious mistakes. They had no firewalls, no detection, all systems had public IP addresses, and no patches were applied. After an incident it was pretty obvious that organizations needed to put resources toward security to minimize the chance of it happening again. Just as in the medical world, we understand the common cold very well and there are many solutions for dealing with it. While cyber security is never simple, it was straightforward because we were dealing with a visible threat and organizations knew what had to be done to secure the enterprise. Today the threat is much harder because we are dealing with cyber cancer, which we are still trying to understand and determine exactly how it works. Today cyber security can be downright frustrating because organizations can do what they believe to be the right things and still get compromised, just as people can exercise, eat healthy, have low blood pressure, and still get cancer. Organizations can still get cyber cancer even though they believe they are following good, sound cyber security principles.

The problem that will be discussed in this chapter is that there is a difference between doing good things and doing the right things. Good things will help you in the long run, but the right things will stop and defend against the current threats.

Doing Good Things and Doing the Right Things

One of the first rules that many people learn throughout their lives is that money does not solve all problems. In the cyber world, many organizations are learning the same principle. Money does not equal security. Just because an organization buys a lot of products does not mean it will be secure. First, there is no such thing as a silver bullet or 100% security. No matter what you do, an organization will have vulnerabilities. There is no single product that an organization can implement that will make it secure. Products will help manage an organization's risk, but regardless of what products are purchased, continuous monitoring must be performed to detect attacks that traditional security measures might have missed. Second, security products must be implemented correctly in order to be effective. Many organizations will purchase a security product, plug it into their network or install it on a server, and assume they are secure. Most security products have to be configured and properly managed in order to work. Many organizations have a false sense of security because they have a firewall, IDS, IPS, and DLP installed and therefore feel they are secure, when in reality those products are not stopping the advanced attacks because they are not configured correctly. Third, security products must map against critical risks to an organization. Are the security products being implemented actually solving the problem that needs to be solved for the organization to be secure? There are all of these fad diets available that will help people lose weight. The problem with many of these diets is that they are not very healthy for your body. Most people will agree that being healthy is what is most important. However, people get so focused on losing weight that they will do anything, regardless of whether it is healthy or not. Many organizations do the same thing with security. They get so caught up in implementing products that they forget to ask the most fundamental question: did it make them more secure or not?

While buying security products might seem like a good idea, it is not always the best option. Ultimately the question of doing good things versus doing the right things comes down to the fundamental and core principles of security. Whether we like it or not, security has been and will always be about understanding, managing, and mitigating risk to an organization. Buying products that do not reduce or map against a high-priority risk is a good thing to do. Mapping any purchase or activity against proper risk reduction is the right thing to do to protect against an advanced threat. Remember the key questions. Before you spend a dollar of your budget or an hour of your time on security, you should always be able to answer three questions:

1. What is the risk?
2. Is it the highest priority risk?
3. Is it the most cost-effective way of reducing the risk?

Organizations that focus on these questions are doing the right thing and winning the cyber battle; organizations that are not focusing on risk are typically compromised with a high degree of frequency. If you want to take a quick test to see how well aligned your security budget is with doing the right thing, perform the following steps. Take your current yearly security plan or roadmap and, for each item on your plan, ask the above three questions. If you can answer them for most of the items on your roadmap, your security is properly aligned. If you cannot answer those questions for most items on your security roadmap, then you are doing things very similar to what organizations that are being compromised do. If an organization's security decisions are not mapped back to risk, it is not focusing on the areas that matter in defending against the APT.

Security is Not Helpless

With all of the attacks that are occurring and the perception that any network could be compromised, it is important not to get frustrated, unplug your systems, and go Amish. While it is a reality that systems will be compromised, it is not hopeless. By focusing on the right areas, cyber security can make a positive difference and help improve the functionality of an organization. We have to recognize that bad things are going to happen and properly prioritize and focus on preventing, minimizing, and detecting the threats that can cause the most harm. Always remember that there is no such thing as a risk-free life. People get into car accidents and still drive. People get injured on a daily basis but still exercise and play sports. Cyber security is relatively new, so the media focus energy and effort on compromises when they occur. If one large Fortune 500 company is compromised, it will make headline news, but what about the other 499 that did not get compromised? We are making a positive difference in increasing overall security, but we have to remember that it is never going to be perfect. In order to be effective within an organization, we have to make sure the executives understand that while attacks are going to occur, there are actionable things that can be done that will make a positive difference. I have heard executives say that if attacks are always going to be successful, then why bother wasting money on cyber security? Just let the attacks occur. That statement is as foolish as saying, well, there is a chance I could get into...


