My name is Ken Mayer. I'm going to be your instructor for this course. A little bit about my background. I've been in this industry in some form or another since the very early 80s, which, I realize, for many of you makes you think, well, he must be old. Okay. Well, in the 80s, things were a lot different than they are today, but over time I've seen my work going from basically workstations to our big database servers that we had back then, going into network operating systems with Novell and then Microsoft, and then eventually moving into the network infrastructure, where I do a lot of work either directly for companies like Cisco or Juniper or Palo Alto Networks or IBM, or going around the world and doing the same type of work. So I have a lot of experience when it comes to, especially on the focus of security, the security that I've seen evolve over time with operating systems, and working with all of these different vendors with their security products, whether it's their firewalls or understanding how to lock down their routers and switches, to your storage devices with Cisco or with IBM, and again, looking at security issues and the deployment options that we have. Again, working with service providers all around the world with companies like Cisco and Juniper and some of their, again, even on the Juniper side with their firewall basis, and it goes on and on. So what I'm hoping to say is that I've had the opportunity to see a lot of different types of vendors that are involved in the world of security. I've got to see a variety of different types of deployments and network designs, and I hope that I can take a lot of that experience and help add that into this course that we're going to talk about, which is the CompTIA Advanced Security Practitioner.
Now in this lesson, we're going to take a look at enterprise security architecture, and so what we're going to see is basically looking at the basics of what we should look at in enterprise security. We're going to take that and put it into an enterprise structure, and then also talk about what some of the minimum requirements should be for enterprise security. So in this topic, we're going to take a look at the basics of enterprise security. That means first we'll make sure we understand the nomenclature, the different components: the enterprise itself, what we mean by enterprise security, business goals and security, some of the common enterprise security principles. We'll take a look at enterprise threat intelligence and then have the discussion about what to protect. And when I have that discussion, it doesn't mean that there are some things we don't care about, but some things are more important. So we're going to put some priorities on what to protect. We're going to take a look at providing defense in depth. We'll make sure that you understand that it's more than just buying a platform like a firewall. There's certainly other things we can do. We'll take a look at some of the common components of your enterprise solutions, take a look at it from the administrative side with policies, standards and procedures, and then talk about some of the enterprise policy types that you should be encouraging those at the top of this organization to set up and have ready to enforce. So when we talk about the enterprise, and of course for those of you who are Star Trek fans, it's not what it sounds like. That's basically what we call your company. Now, it says right here, very first one, large complex organization. Well, okay, it could be. I mean, but it can also be a small mom-and-pop shop that might have some sort of presence on the web that needs security. But basically the enterprise is your company, your organization.
Now, that just simply means that in this case provides services or goods. So it doesn't mean it's all e-commerce out there like an Amazon.com or something large as an organization there. But it could simply be that you provide cloud services. So you're out here in the internet world and you've created some virtual machines and you have customers that are connecting to maybe run different applications that you have available to them. And you might be doing this out of your garage. All right, well, I hope you aren't. But anyway, so that's kind of what they mean by the enterprise. It could be a multinational company that we're dealing with. Multinational simply means that we have lots of these local area networks. Maybe one of them is headquarters, another local area network over here on different continents. And we're going through what I'm going to hope that this little globe is indicating the worldwide web. And so we have connectivity either going out through this worldwide web where, of course, that's also where my hackers live and might be trying to intercept or destroy your traffic or even attack you. You might be using service providers to provide a specific wide area network connection. So those little SPs are service providers and maybe they're providing your connectivity all the way through from one location to the other. It could be a combination of both where perhaps one of these, instead of designated as the LAN, that's designated as your web farm. And so now we're hoping for the customers to come into your web farm to do whatever e-commerce. What I'm hoping to be able to illustrate here with all of the scribbling that I'm giving you is that there are a number of ways that we can try to describe what an enterprise is. But all in all, what I hope I've described is that it is a single company or organization that we are working for that we're trying to secure. It doesn't have to be that it spans multiple geological locations. 
It doesn't have to mean that. When we say enterprise, like I said, it could be a small company that has just one brick-and-mortar location and has employees there. It doesn't necessarily have to employ a large number of individuals. So it sounds like I'm speaking contrary to what you actually see being presented here. And I am, in a way. I'm kind of saying there are other definitions of the enterprise. But we're going to take a look at it as a large organization so that we can get a full idea of all of the areas that we need to look at when it comes to security. Now, when we talk about enterprise security, we're going to take a look at it from what a lot of us like to call the top-down approach. Now, the top-down approach simply means that at the very top of this organization, what we may call the C-level people, the CEOs, CIOs, CFOs, C-levels, should be concerned with making certain that they have proper implementation of security. But you see, when you look at it from the top up here, you should see all these different facets of security. I mean, for some of us, depending on the types of jobs that we may be working with, we might be sitting over here looking at the PCs, the operating systems, and talking about security from that aspect. When we talk about the security, we're going to probably list things like antivirus software loaded onto each of these machines. We might even talk about host-based intrusion detection systems loaded on these machines. We may talk about security or securing the web browsing. That's great, but that's only a piece of the security. By the way, there's many more things that we can look at. I was actually talking about solutions that we'd have to install as opposed to policies, like acceptable use types of policies, but that's something we'll be able to have a discussion on a little bit afterwards. Now, some of the other things we have to look at is maybe what I'd call document security.
Now, document security to me might be, or at least to some of you, you might be thinking of how it's stored or the storage of where it's at. And by the way, I could relate that back to the PCs. If these computers, or let's say they were laptops, and they have documents that are inside of them that are very important, that's where we start thinking of encryption. By the way, if you can't tell, that was a padlock that I just drew. Other things about storage, of course, would be the permissions. You know, who has the rights to view what information. You know, it's also how we transmit that information, whether we transmit it securely or not. You know, it just kind of continues to, as I said, give you an idea that at the top of this level, at the top of this, we have to look at it as all aspects of security, where some of us might be more focused on certain areas because that's within our job responsibilities. Again, let's talk about access, access to these documents, whether it's from the inside or the outside. Again, I kind of already made that hint with permissions of who gets to view, who gets to access. Even, you know what, you'd have to ask the question, who's allowed to create different types of content as well. And then, of course, from there we still have to worry about, well, I'm going to assume, just looking at this here, physical, because I see a picture of a door, right? Or somebody trying to break in and get access, right? That goes back to the theft of our information. You know, I always tell somebody that if I can get into your server room, I don't care how good your network security is. If I can touch a server, if I can touch a router, if I can touch a firewall, I own it. And if I own it, then I can do anything I want to with your data, with your information. And there's many other areas that I could probably continue to move into when we talk about enterprise security. 
But we got to, like I said, look at it in this whole picture so that we understand what we really have to talk about with security. You know, and like I said, we still can get into the whole transportation. If I were to just call these lines, instead of kind of this organizational chart, if I were just to call this your network, you know, your routers and switches that are making them all interconnect, we have to make sure that we are maintaining our security all the way through, even with the communications that are making all of this happen and possible for us. So, oh, and physical, I'm also going to put policies, because we're going to talk about policies in a bit as well. So this is kind of the great overview of where we need to go in our discussions about enterprise security. All right, so let's take a look at business goals and security. And what that means is that, again, if we look at it from the top of our organization going down, and that's how we should enforce all of our security, by the way, is in a top down, if I haven't already said that. That means that we have to have some sort of a strategy, maybe a business strategy that talks about how we're going to secure information. Now, the first thing you have to remember about security, and I've got to say this because the most important thing that we have to do for our enterprise is make sure that our enterprise is profitable. We have to meet the business needs. That means if my company makes widgets, and I decide that, you know, I'm going to lock things down so much that I affect the ability for that company to be able to build the widgets, then my company doesn't make money. It doesn't make money. I probably don't have a job anymore. So there's a business strategy that we have to be aware of. Now that business strategy might have some other regulations, depending on the country that the business is operating in, that it has to fulfill. 
So there are some requirements that we also have to include in that. The business strategy might have a risk management type of study that's been done to be able to determine what we can do to lower our risk to keep this company making widgets. Now, all of that becomes kind of the, I guess you could say, the objectives. What do we want to see happen after we come up with this strategy for not only keeping the company running but for the security aspects, and putting that together as our security solution? Now, a lot of these things, like the business impact study or the risk assessment that I just talked about, can help you in creating those objectives. And those objectives often will become listed as part of our security policy. And it's that security policy that we use as a blueprint to be able to come up with the security solutions that we need to be able to put it all together. And by the way, it has to work together. One feeds the other feeds the other. And again, the goal always is to help maintain business needs. Some of the common security principles that we look at: the first one is called the CIA triad. Now, that always sounds cool because you're thinking about spies with the Central Intelligence Agency, but that's not what it is. What we look at is that we have some sort of asset, whether it's data, whatever it is. We have something that's important to us and we want to protect it. And so the reason they call it a triad, so I drew it as a triangle, is that we look at the C. The C stands for confidentiality. And the confidentiality can be a lot of different things. It could be the encryption of data. It could be the place in which we store the data. It could be the policies or the permissions that we apply to the data or the asset that we're trying to keep safe. And then we have the I, the integrity. Now, the integrity means that we want to have some assurances that maybe the data hasn't been maliciously or accidentally changed.
Do we have some checks and balances in there? Or if I'm transmitting this information across a network, confidentiality would often mean, as I said, encryption, and then we'd have some sort of a hashing function which would help us be able to verify that the data wasn't altered in transit. Now, the A part of it. All right, there's going to be some discussion over this. Some of you may say, oh, no, no, OK, that's not at all what we were told. All right, so let me give you one of them. One of them is availability. All right, so it is possible that we could lock this information down with security so much that it's not very available. If it's not very available, like I said, that might affect the way in which we do business. And so we need to think about that. Some people will say that A stands for the authentication. I'll just say the auth, because authentication and authorization sometimes go hand in hand in our discussions, which is back to who has access. Well, I am firmly the one that says availability is great, and let's put it this way, and let me explain. So if I were to say, OK, here's my asset and I look at the confidentiality. As I move towards more confidentiality, I'm moving away from availability. If I move, let's say, towards confidentiality and integrity as my main goal, I'm moving further away from availability. If I move more towards availability, do you get the picture? Then you're moving away from confidentiality and the integrity part of this. And so there's a balancing act that we have to try to come up with. And it's not the easiest goal sometimes to come up with that idea. But that's why they kind of put it into a triad, so that you can get the picture of what the CIA is, but how, when you overdo one area, I know that sounds weird, right? Overdo security. We could overdo security. I mean, if you really want something to be secure, you can store it on a hard drive and lock it in a bank vault, or, you know, post guards around it.
But, you know, what'd you do? You lost availability at that point. Okay, another principle that we have to look at is least privilege. Least privilege is the idea that we give every user, everybody, including ourselves, only the permissions we need to do our job and no more. So let's take a look at another common triangle. This one's called Active Directory. And in Active Directory, we have these things called organizational units and they might have some child organizational units and within those they have groups of users and, you know, on goes the issue. Well, let's say that I have a user and this user is assigned to an organizational unit that gives them permission to do whatever jobs that they need to do because we can put security on that level and groups and the rest of it. I'm not trying to make this a Windows class but what would happen if that user says, hey, in order for me to do my job, there's a printer over here that is a part of this organizational unit that I need to use? Well, if we're not careful, we might have an administrator or, you know, a power user who says, oh, you know what, I just want to get this done off my plate, get this ticket out of my way and put them in that organizational unit so that they have access to the printer. Little did they know that they had the ability from there to create a line of credit for people to get loans because they didn't look at the documentation or understand why Active Directory was organized or why user groups were organized in a certain way. And so suddenly, we have a user who, unknowingly to some administrator, might have more privilege than they're supposed to have. Whether or not they take advantage, whether or not they even know that there was a problem. If it was me, by the way, if that was me, I would know because I typically tend to push the limits to see exactly what I have permission to do. Okay, job rotation. 
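The integrity leg of the CIA triad described above, a hashing function used to verify that data wasn't altered in transit, can be shown concretely. The following Python is an added example and is not code from the course or from CompTIA; the record, the tampering step and the key are constructed here for illustration. It goes one step beyond the lecture: an unkeyed hash catches accidental corruption, but an attacker who can alter the data can also recompute that hash, so the keyed HMAC variant is shown beside it.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (not from the course): a message in transit.
RECORD = b"account=12345;amount=100.00;currency=USD"


def plain_digest(data: bytes) -> str:
    """Unkeyed SHA-256 digest: detects accidental corruption only."""
    return hashlib.sha256(data).hexdigest()


def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: also detects deliberate modification, because a
    party without the shared key cannot produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_plain(data: bytes, digest: str) -> bool:
    # compare_digest avoids timing differences that leak how many bytes matched
    return hmac.compare_digest(plain_digest(data), digest)


def verify_keyed(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, data), tag)


def tamper(data: bytes) -> bytes:
    """Simulate in-transit alteration: the amount field is changed."""
    return data.replace(b"amount=100.00", b"amount=999.00")


def demo() -> dict:
    """Run both integrity checks against the original and a tampered copy."""
    key = secrets.token_bytes(32)  # shared integrity key held by sender and receiver
    digest = plain_digest(RECORD)
    tag = keyed_tag(key, RECORD)
    altered = tamper(RECORD)
    return {
        "plain_ok_on_original": verify_plain(RECORD, digest),
        "plain_detects_tamper": not verify_plain(altered, digest),
        # Whoever could alter the data can also replace the unkeyed hash:
        "plain_fooled_by_recomputed_hash": verify_plain(altered, plain_digest(altered)),
        "keyed_ok_on_original": verify_keyed(key, RECORD, tag),
        "keyed_detects_tamper": not verify_keyed(key, altered, tag),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The unkeyed digest still has its place (detecting disk or link corruption), but when the threat is a person changing data on the wire, the receiver needs a check the sender's key participates in, which is the keyed tag; confidentiality is a separate concern handled by encryption and is not shown here.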
Job rotation is kind of a different story and it's nothing to do with the actual technical aspects. But let's put it this way. Let's see if I can draw this out. You know, I'm sorry, my bank building doesn't look more professional, it looks more like a house, I realize that. And I've got a user over here who's the manager of that particular bank branch. And after a while, depending, I'm being maybe more pessimistic than I should. But after a while, this user might start to feel as though they are in charge of this branch and start doing some things that might not be quite so legal. So what we would do with job rotation is we say, look, we're not demoting you. In fact, we're not saying we don't trust you. We are creating a policy that mandatory says this manager, let's call him manager A, is now going to be transferred to this manager or this bank branch. That was a tough one to say. And now they're going to run that one and we'll bring this new manager, maybe from another location, to run the branch that they were at before. Again, it's not a demotion. It doesn't mean it's a promotion. What it means is that I now have a new set of eyes that can look to see what's happening inside of here and make sure everything was going well, that maybe no embezzlement or those types of things. And it also means that this same manager A can do the same thing at this branch that they were just moved to. And so it gives us the ability to kind of put in a safety check that could otherwise occur when somebody might start taking advantage of being in a position of authority for too long. And so that's kind of the idea. So that was my job rotation, kind of analogy. Dual control. All right. Well, I already made a Star Trek reference, so you know I'm kind of a geek. And another one of these things I'm kind of a geek about are these high-tech thrillers. And so without sounding too offensive, let's see how well I can pretend that I'm drawing a rocket. 
And that rocket can do damage everywhere if we're not careful. And the question then becomes, what happens if somebody who's watching this decides to fire this rocket? And so we create a system of dual control that says that this person A can't by themselves launch it. Person B by themselves can't launch this rocket. But if they work together, and this is where those movies come in, they each have like a key that they have to turn in a little lock, and both turn it at the same time. So there's an agreement, and there might still even be a user C over here who has the launch controls or the codes that has to provide those as well. And so that's kind of the idea of dual control. Now you might say, well, you just went off the reservation here, Ken, we're talking about networks. Yes, we are. Dual control in networks can operate the same way. You know, if you're thinking about doing tape backups or any type of backup, tape, storage area, whatever, you might have a user who has permission to back up files. One of the problems is that that person may be backing up files that they don't have permission to see. So we would give the job of restore to a different user. And that way one person couldn't back up the files and then restore them onto a system where they could look at those files. It could be maybe firewall administration, that it takes two people to work, oops, FW, with the firewall to administer it, so that we are again making sure there's no one person who might accidentally, and remember, every time I talk about security, I don't want you to assume I think that there's always people that are trying to sabotage you and your company. But whether they accidentally or purposely allow some traffic in, it could be a bad thing for us. Mandatory vacation to me kind of goes back to the idea of job rotation. Because again, if I make it mandatory that you take a vacation, now that doesn't mean I have to tell you when to take the vacation.
I just have to say, yes, you must take a vacation. We give you vacation time. So I want you to take a solid week off. You take the solid week off, and that assistant manager person can come in there and take a look at what you're doing as far as how you manage the system, all of those really kind of cool things. And as much as I just talked about dual control, the backup and restore, the firewall, is probably the best example. The rocket ship, I'm going to kind of put that down here. That's kind of that separation of duties again. To me they kind of go hand in hand. The idea here is that it takes more than one person to be able to do a certain job. And some of you might say, this just sounds so inefficient. If one person could do all that work, why am I having to spend money hiring a second or a third? And you know what you're doing is you're investing into your security at that point. Now one of the things we take a look at is what's called threat intelligence. Now threat intelligence is where we're gathering information about the current concerns in the world of security. Now we gather this information in a variety of different ways. And when you think of security, and I hope that you have heard me say this enough, it's not just technology. Technology is just one piece. We have physical security. We also have the administrative needs for security, whether they're creating just pieces of paper called policies that we use as the blueprint to enact our physical or technical types of security. But we need to look at threats from all angles. As an example, I worked with a company a long time ago that does credit card processing. Well, actually, they're the ones that run the network, so when you slide your card they're securing that information. And for me to get into that building, I had to go through, of course, some sort of background check. Apparently I made it through because I got in the building. I had to surrender my driver's license.
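The three principles covered above, least privilege (the Active Directory printer story), separation of duties (backup versus restore) and dual control (two people to administer the firewall), are all checks that can be written down and enforced by a script rather than left to an administrator's memory. The following Python is an added example, not code from the course; the organizational units, permission names and user names are hypothetical, chosen to mirror the lecture's anecdotes.

```python
# Constructed directory model (not the course's own data): each organizational
# unit grants a set of permissions, and a user's memberships decide what they hold.
OU_PERMISSIONS = {
    "Sales": {"read_crm", "print_sales_floor"},
    "Loans": {"print_loans_floor", "create_line_of_credit", "read_loan_files"},
    "Backup": {"backup_files"},
    "Restore": {"restore_files"},
}

# Separation of duties: permission sets that no single person should hold together.
SEPARATED_DUTIES = [
    ({"backup_files"}, {"restore_files"}),
]

# Dual control: actions that need two distinct approvers before they proceed.
DUAL_CONTROL_ACTIONS = {"change_firewall_rules"}


def effective_permissions(memberships, ou_permissions=OU_PERMISSIONS):
    """Union of everything the user's OUs grant."""
    perms = set()
    for ou in memberships:
        perms |= ou_permissions.get(ou, set())
    return perms


def least_privilege_excess(memberships, needed):
    """Permissions the user holds beyond what the job actually needs.
    A non-empty result is the 'printer ticket' problem from the lecture."""
    return effective_permissions(memberships) - set(needed)


def candidate_ous(permission, ou_permissions=OU_PERMISSIONS):
    """OUs that would grant `permission`, with the extra rights each drags along,
    so the administrator can see the cost of a quick fix before making it."""
    return {ou: perms - {permission}
            for ou, perms in ou_permissions.items() if permission in perms}


def separation_violations(memberships):
    """Pairs of separated duties that this one user now holds both sides of."""
    perms = effective_permissions(memberships)
    return [(a, b) for a, b in SEPARATED_DUTIES if a <= perms and b <= perms]


def dual_control_ok(action, approvers):
    """Approve only when two different people have signed off."""
    if action not in DUAL_CONTROL_ACTIONS:
        return True
    return len(set(approvers)) >= 2


if __name__ == "__main__":
    # Sales user only needs to print on the loans floor; the quick fix is to
    # drop them into the Loans OU.  The check shows what else that hands them.
    job = ["read_crm", "print_sales_floor", "print_loans_floor"]
    print("excess after quick fix:", least_privilege_excess(["Sales", "Loans"], job))
    print("where print_loans_floor comes from:", candidate_ous("print_loans_floor"))
    print("backup+restore on one user:", separation_violations(["Backup", "Restore"]))
    print("one admin twice:", dual_control_ok("change_firewall_rules", ["alice", "alice"]))
    print("two admins:", dual_control_ok("change_firewall_rules", ["alice", "bob"]))
```

Note that `dual_control_ok` counts distinct approvers, so the same person submitting twice does not satisfy it; in a real change-control system you would also want the approvals tied to authenticated identities rather than free-text names.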
I couldn't get it back until I left the building. And I always had to have an escort with me wherever I was going. Now, this is a regular enterprise company, not a military organization that was dealing with top secret types of information. But this whole process probably came about because part of the management team, or maybe part of some other team, realized that they have to have a certain level of physical security, knowing what I said before, that if I could touch something then I can own it. Or whether you're worried about me picking up, let's imagine I'm walking through your office and I just start picking up notes and memos off of people's tables and stuffing them in my pocket so I can read them later. All of those are kind of the ideas of what we gather as far as the types of threats. Again, we could talk about the newest type of vulnerability in an operating system or the newest type of SQL injection. I mean, all of these are posted on a regular basis. So we gather the threat intelligence, and we have these different teams, management, development, quality team, we could go on, that are going to analyze and give their evaluations or ratings about what they think is the risk of that threat. Now, when I say about the risk of that threat, that really kind of goes into a risk assessment, and we put that information together to be able to develop a security policy, and then from that security policy, as I said, we would then be able to start building a security solution. All right, what are we going to protect? Well, one of the first things is data. And again, everybody starts thinking, hey, I like this idea of protecting data. These cylinders, by the way, are a couple of hard drives that we'll say are in a storage area network. It's becoming more and more popular. It's very popular right now. You know, because we might have a virtual host, virtual machine out here acting as a cloud that needs to have connectivity to this.
I might have some other type of server farm for the web that's utilizing maybe a SQL database server, and then, you know, all this customer information is all being fed to the storage area network. And so, you know, when we're talking about protecting data, and I hope I've said this already a number of times, we have to figure out a couple of places to secure it. First of all, let's put the internet over here. So this is the WWW where the customers come in. So where am I going to protect my data? Well, I'm going to have to worry about protecting my data from users coming in, whether they're maybe trying to break in or be hackers, or if they are legitimate users, we're going to look at some type of encryption. But then internally in my network, as it's being transmitted back and forth from the cloud or the web or the database or wherever we're sending it from, we should also consider protecting that information, because yes, there could be a user in this network who might be a part of a remote access trojan or botnet because they may not have understood not to download certain files or bring in certain files. Or this might be that user, what's the new thing that we have to worry about, who's got a tablet and they're using their 4G connection but also using the Wi-Fi connection inside your network, and so now they're bridging new methods of people coming from the outside into your network without even going through your security. So we've got to look at all of these different communication paths. And of course, even here we have to decide whether we're going to encrypt the information that is on the hard drives. Are we going to have some sort of integrity solution to make sure that that information doesn't get changed? You know, what kind of application are they using to bring that data in? Maybe I should better say, over here, the application on the web server: is it set up in a way to make sure that only valid changes can be made to the data, or that it collects the right kind of information? For instance, if it's a form to put in your first name, last name, birth date, and somebody mixes it up and puts birth date for a first name, I mean, is this application smart enough just to check for accidental types of integrity issues, let alone people using it to otherwise corrupt your data? You know, and so anyway, all of these are things that we have to worry about. And then, of course, like I said, we still have the physical barrier that we have to put in place to keep people from getting into the technology layer and trying to cause us problems.

Okay, so I'm going to describe our resources. Your storage area network is a great example of a resource. Even though I was talking about the data that's on the drive, the resource is still the, usually, like a storage area, so that we have the ability, hopefully, to be able to, you know, physically secure it like I said before, or make sure that we have the right permissions for access, or, you know, to check the integrity. Personnel. All right, so I just drew a physical barrier. Let me just finish this physical barrier, and if I could imagine putting some 3D in here, but I won't. Let's just say that here's the door that goes out into your parking lot. Right there, you go, your parking lots. Does that look like parking lots? Probably not, pretty crooked, but then I guess you've never seen how I park, so those are perfect for me. Anyway, going back to, well, back to that credit card processing company, that's a perfect one. They've had problems with their personnel leaving to go out into the parking lot and, while out here, being approached and bribed by people that would want to have them help get them access inside. That's better than being kidnapped, right, or abducted, but still they have that problem. So we still have to talk about protecting personnel. By protecting personnel, that's where the security comes in, you know, all of these, and I could just continue to go on. That's where you may be putting in guards. You know, in fact, there's a whole study on security that deals with, believe it or not, this entire feature, like where are the light poles at? Do you have enough light poles so that the whole parking lot is lit up to help make sure the people are safe? Do you have video cameras? There's my tripod for my video camera out there watching. So again, I could just go on. All of this, by the way, is protecting these intangibles. Wow.

Now the intangibles, that's a harder one to deal with. As an example, this last holiday season there was a report of a large department store chain that they said had lost up to 110 million credit cards of their customers. Here is an intangible: what do you think that did to that company's reputation, and what do they want to do to make people feel comfortable to come in and shop with them again? That costs them money. That is going to be really, that's why it's an intangible, hard to come up with a, you know, what is it really going to cost them? What is the cost to restore that faith? I mean, are they liable for illegal charges? Are the banks going to come after them? You know, is this going to reduce business? Right, these are all things that we look at when we're talking about protection, because, believe it or not, if we're doing this stuff up here pretty good, then we're protecting our intangibles. I hope that makes sense. And that's kind of what we're really looking for, is, you know, when it comes down to it, we're going to see that we're liable for our customers' or internal data. And what if I'm just an employee whose human resource record was stolen, or I'm a patient in the doctor's office whose medical records were stolen? That's going to cause that doctor's office problems with reputation, maybe legal issues. So in a way they do all go hand in hand when we talk about what to protect.

Now this idea of defense in depth is very important to us, because the idea is we've got a hacker who's going to try a variety of different ways to be able to break into our networks, and we're going to look at it from kind of a simplistic method here. And what I'm going to do is I'm going to change the path. We're going to assume that the attacker is coming from the outside and is going to enter into your network. Now again, this is from the outside. Right now I'll just tell you, I've heard that approximately 15% of our real dangerous attacks occur from the outside, meaning that the other 85% of our attacks are over here. I'll deal with that in just a second. So what do we have? The firewall is a device that typically looks at what we call layer 3 and layer 4 information. Those would be your source and destination IP addresses, layer 3, and the protocol, usually TCP, and the port number that it's trying to connect to, for instance port 80 as a destination port if it's to a web server. And then the big goal of the firewall is to block that 95% of other traffic, just allowing a certain amount of traffic to come in. For that reason, I tell people that your firewall is really not very useful in being your only security. And let me put it this way, let me just kind of diagram outside of this. Imagine that this is your web server, and your web server is protected by our firewall. We often see a firewall symbol like that where we're blocking traffic, and the attacker is coming from the outside. I'll give them an A for being an attacker. And all they have to do, and let me tell you why your firewall is not very effective as your only form of security: it's got two weaknesses. The first is that we as the administrators might misprogram the actual security logic. And number two, it allows traffic, because, let's face it, we want that traffic to go through the firewall to get to our web server so that we can have maybe e-commerce going on. That allows traffic, and that traffic that's being allowed, even though it's very restrictive, what did I say, 95% of the traffic is blocked, so it's just letting 5% or less of that traffic through, but attackers know how to take over your servers based on the traffic you allow. So that attacker comes in, they get through the firewall because they followed your firewall rules.

So we add another layer, whether it's intrusion detection systems or intrusion prevention systems. By the way, I prefer those; I'll diagram a reason why here in a second. But what it does is it scans through what we call the layer 7, that's your application traffic. That means it could be looking for malware, it could be looking for command and control types of attacks, it could also look for anomalies coming through that are not normally seen. And the goal then is that the attacker is sending the traffic into the server, and now you put another device, intrusion detection, in there to scan and see what that traffic is that's going through there, the actual content of the traffic. Then you are reducing the likelihood that they are going to send you a known bit of malware, vulnerabilities, or whatever the case may be. And of course we can also have this system constantly backing itself up, so if it was compromised at some point we hope that we could do a restore and get our system back together. Some people call it a shadow backup, but that brings us into the real-time backups, and then, boom, out we go. Now there are some firewalls out there that can do the intrusion detection and the firewall in the same actual architecture, or in the same hardware or appliance that you buy. I'll let you make all the studies that you want, but you'll see some of the big players, of course, are going to be things like Checkpoint, the ASA by Cisco, the SRX by Juniper, the Palo Alto Networks firewall, and a bunch of others. For those of you companies who do firewall technology and I left you out, I'm sorry, I'm not reading from the list, I'm just kind of throwing them out there, saying that we have some boxes and more. There's some that can certainly do a lot of other cool stuff, all added into layers of security. So we are doing good from that aspect, but like I said, we do have to worry about, often, the traffic on the inside.

Now again, defense in depth, what about this inside? I can't just let that go, I guess. Let's talk about it. Like I said, you could have a person over here who's decided to bring in their tablet or their smartphone, and they're making an energy connection while it's also connected to your system and computer, and so suddenly now the attacker's traffic can come in in a direction that's completely avoiding all of the potential security layers that we have created. So what can we do here? Well, we could still add a couple of layers of security here. We can have that host-based antivirus program that's looking for malware. There are host-based intrusion detection systems that we can put on this as well. There are things that can do integrity checks on files and systems to see if they've been corrupted, so that even if we are allowing people in, which we shouldn't be, but we can't control all the users, we're still adding layers of security. In fact, there's also host-based firewalls as well that can control the traffic coming in and going out. And so we can also add some layers of security, as I said. And in fact, if somewhere in your network you were connected to a server farm, my little tilted server there, you could put another firewall internally, or IDS, or both, to protect inside parts of your network. So when you think of layers of security, it is just what it sounds like: lots of mechanisms looking for the potentials of malware or other attacks, or just making sure you ensure that your policies for allowable traffic are enforced. And we can do that not just from the outside but also while on the inside, because, as I said, you have to worry about people bringing in their own device, that's kind of what we call that BYOD, bring your own device. But we also have to worry about people bringing in their own files from home and installing them on their computers inside the office and not realizing that they've opened up a door. In fact, I'm running out of room to be able to describe this, but a lot of your firewalls and intrusion detection systems, when it comes to the
inside traffic going to the outside generally speaking most of those firewalls allow 100% of that traffic to go out because we're trusting those people on the inside and so then they hit some sort of malware server botnet server that sends a reply to allow the traffic out it allows the traffic in so that means that our firewall is fairly ineffective because if that malware server had initiated the traffic it would have been blocked but because it was a reply then it's usually allowed so we have sometimes the logic of how we create the rules on these firewalls that can also defeat us and make it easy to see why I said that we sometimes worry about the attacks actually being on the inside of our network I did say I talk a bit more about the IDS and the IPS so here's kind of the idea we usually have let's call this the World Wide Web and many times we might have a screening router that screening router can use what they call an access control list to block a lot of traffic then we usually would go through a firewall and from the firewall to the endpoint we would have a core switch or core infrastructure that would begin to let us distribute our traffic and the difference between IDS and IPS is that IDS sits outside and gets a copy of the traffic that's coming through and based on that traffic the IDS and depending on the vendor could send a new firewall rule but often it's too late because remember we got a copy of the traffic which means that malware has already been sent to the victim IPS was designed to be in line so that the traffic from the firewall goes through the IPS everything the IDS does and can block it right there before it sends it to the core architecture providing more protection but often at the cost of less bandwidth because it takes a lot of processing power to do those types of inspections so it's your trade off again security was that CIA where we have more security but maybe less availability with IPS we have a little less security with IDS but 
more availability you have to make the call now when we talk about some of the common components of enterprise security the first thing we look at is what I call the administrative part of this the paperwork and that's the policies and procedures because let's face it we could just say I've read in the news we need a firewall let's just go buy one so then how are you going to program it what logic, what's allowed, what's the purpose and so the answer becomes I don't know I was just told to buy a firewall and my network would be better trust me I've run into owners of businesses that just say especially in the days when firewalls were first getting popular they would just say hey here I need a firewall go get me one and it's like okay what do you want to block but they didn't have any real idea of what their goals were those are the policies and procedures that's that blueprint at least the high level one is a blueprint that helps us create other procedures other standards that we have to follow that we can enforce with your particular hardware and of course like I said there's also the software capabilities of our security solutions the software could be integrity checking as I said it could be the encryption or it could be malware detections things we call anti spyware anti virus host based firewalls so we have a lot of different security components but again it's not just a matter of just going out and buying this stuff or just installing it and saying let's call it good I mean as an example you might have been told that buying antivirus software for your computers is a good thing now I'm not saying it isn't but some of your existing applications might break by your installation of antivirus software especially if you have a company that makes their own types of applications where it may be doing system calls that your antivirus software thinks is some sort of an attack and then things just come to a crashing halt again remember business needs have to be your 
priority a server or a system that suddenly doesn't work because you just installed AV thinking that's what you should do to be more secure then you have to run the risk of actually losing money, losing service, production and everything else so again I'm trying to sound like a good politician there's goods and bads to every solution you need to have a policy and procedures in place to understand what it is you're trying to protect why you're trying to protect it what's that beyond all of that there has to be a testing phase a rollout phase evaluation phase as well so like I said just security policy is the architecture the blueprint that begins this and it's going to lead to really more specific policies you're going to lead to things that we call the standards procedures and guidelines so standards are basically our way of verifying that we have security in place the way we want it to I mean the standards are going to come from the policy if the policy says protect my customer database and then you've done some more research business impacts risk assessments and you've come up with the standards and say here it is and then we're going to have procedures procedures might be how we access that customer database is there a particular application we must use are there particular people things that we call acceptable use or guidelines about the usage of that information which could come from regulatory aspects of laws in the country that your business is working in so all of those are a part of really what's building what we're going to see as a solution with our hardware here are some examples of different policies that we'd normally see and again remember this is all around the idea of security the first one is the acceptable use policy or the AUP and you know this is a big deal to us it's really about telling employees how to use or what is acceptable practice or you know employee rules let's call them that and here's a big idea of what I mean by this is you know 
some things cost us money I remember many many years ago as a contractor I had an account with this company this client and they just got in a new color and I found out that Ken had permission to print so I did I then found out they audited the prints and said hey you're going to have to pay for the toner that you used and it's like oh okay that's fine but I didn't have an AUP that said I couldn't print I just said oh there's a printer I got something I need to print and so you know and I still continue to work with that company don't worry I didn't get in big trouble some rules that they wanted to enforce they enforced it post my doing it by their audit and had forgotten to tell me that there were rules that I couldn't do certain things and I actually didn't think it was so bad to just print 50 pages but it was there and it could be worse you know a lot of times email email is a big thing right don't use your company email for personal reasons don't be doing email tag with somebody you met online don't be doing that while you work you know it's all of those are things that we usually have to make sure our employees and everybody actually should know planning policies this might be for a backup and restore plan and that's important to us right because we don't want to lose information we don't want to be down for a long time and also what I call the incident response type of policy and that's important too especially this should be a big thing with training of our employees that if they see some sort of action that could be a security problem that they ought to have a place or a person or a process that they can go and actually say hey we think something needs to be done here we might be in trouble I've already talked about the security policy itself being kind of that blueprint and that's kind of the top level part of that security process that you know would hopefully lead to the guidelines and procedures you know it's things that really as a blueprint it's a way 
of guiding the company to security or to better security and that's what we're looking for a blueprint to follow and you know when I say guiding to security remember I broke it down into things like admin stuff which is the things like the acceptable use policy it could be in the actual technology you know even down to the point of telling you how your passwords should look you know how long they should be and how complex they are not just what firewall to put in and what rules to have and it should also include physical as do we have guards, fences, gates locks, magnetic key cards you know all of that sort of stuff the next one is a policy on remote access so remote access is basically the most common one that all of us would see might be something we think of as VPNs okay remote access does cover more than just virtual private networks but you know the idea was is you could be at home and you're going to work from home and so you're using your internet connection to go through the internet to get to headquarters and so we have you know some acceptable use policies or I should say remote access policy sorry that said okay we want you to use a specific laptop that we have put together for that use we don't want to use your home laptop and certain types of protocols that we're going to use to create this tunnel encrypt our traffic and so as well as when you make the connection then we're going to figure out what your permissions are because we realize that you might not be as a secure environment at home as you would be if you were in our network so all of those come up there with us wireless security policies as well will usually be again the device or security requirements or the type of device because again I don't want you to bring your own type of wireless device and people will do that by the way they'll come into your office and hook up their wireless router from home so they could have their telephones, smart phones, tablets connected to your network so they 
didn't have to pay for their cellular service or something like that you know so that's again going to be also security requirements you know and maybe even talk about guest requirements I mean that's a big deal in today's world is that we are allowing guest access you know somebody coming to visit our company that can get out to the internet through our company but can't get internal access alright I already said password authentication policies so you know here's where that main security policy might detail some of these other events in fact as I said it's a blueprint to follow and that's usually again the guidelines for strong passwords when we say a strong password what are we actually saying and most of you would hopefully say ok that's the length of the password so now that's a good question most companies make minimum 8 I'm just going to tell you that that's not sufficient because of this technique of being able to take those password hashes and take them through these pre-created hash tables some people call them rainbow tables and right now most 8 character passwords probably can be figured out in a few minutes you know so I would tell you at a minimum 15 but now I'm lecturing I guess I'm not supposed to lecture I'm just telling you some things about security complexity is another one now the complexity again is that we don't use passwords that are all letters all numbers or dates of births or you know you're easy to guess that's where we want what we call the alpha numeric upper lower case letters numbers special characters as well you know like the at sign or exclamation point or something like that a dollar sign adding into the complexity and so that's a way again that we are trying to increase the security so let's face it your password right now is the weakest thing when it comes to your security because of this thing that we call social engineering social engineering is almost half of all attacks where I'll just call somebody and pretend to be an 
important person or ask for your help or maybe I'm just watching you type in your passwords or maybe I'm just listening to you speak and you know I'm telling somebody else your password I have so many different stories I was you know flying into an airport well I don't want to give away which even airline it was we'll just say it was in the southeastern part of the United States and they didn't have my suitcase it was lost and I was at the baggage counter and the lady back there couldn't log into the computer so she got on her walkie-talkie remind you walkie-talkie means unencrypted communications and asked what was the password and the username so that they could log on to check for my suitcase and over the walkie-talkie I could hear them say the username and password both were baggage so not only did we not have a strong password we had an easy to guess password and the password was the same as the username which is often called the John Doe password and all of those were and I just thought to myself wow I'm 11 and I just learned the way to get into the network physical security policy anyway that was social engineering the whole point of that story and I didn't have to do anything I just had to stand there alright so physical security again is how we control access so let's talk about that let's start from the outside how about building access do you have the need to have a key a magnetic key card is there a guard at the front of the desk building surrounded by fences gates did you design the sidewalks to force the flow of foot traffic into a certain door or car traffic and then once inside the building let's talk about your server room or whatever you want to call your network operation center or anything else how do you get into that location again is it key cards or combinations so I was doing some other work for this company in the south to say in the south and I was walking down I had a badge to get into a lot of the buildings but there was a particular 
room that was actually the only room without a label which some people in security would say hey important rooms don't put a label on there and I'm thinking well at the same time if every other door has a label and this one doesn't then it's probably important but it had a key card need for me to get in and my key card so I tried it by the way I guess I was bored but they gave me a key card so I tried it and my key card didn't work but the door had a little window so I could look through the window and then that window I saw on the inside a biometric fingerprint scanner right and I saw a combination lock so even if your fingerprint matched you still had to know the combo lock and by the way when it comes to authentication I didn't mention with the authentication policy as I've already talked about it but now that I'm bringing it up I'm bringing it up so you have it this is called a multi-factor type of authentication it's consisting of something you have a key card something you are biometric scan or fingerprint scan and something you know which normally would have been like a username or password and so I looked through there and I realized that even if my key card had worked now while I was peering through the window somebody from the company well I think they snuck up behind me I didn't hear them coming and they asked if they could help me scared me a little bit but I just told them who I was, what I was doing and of course my badge said visitor so they opened it all up and let me look inside we're back to social engineering defeating everything I wasn't there to hack but I hope you're getting the points of these little stories that I'm telling you so you kind of get an idea that even the best ideas in security we still got to think about weaknesses network policy well alright so a formalized statement or set of statements that talk about the network function okay again that might go back to the acceptable use policy when we think about that you know we might 
say whether or not you get instant messaging maybe how you use the voice over IP phones you know it just kind of goes on and on do you get to download illegal files through your own bit torrents let's hope not right so all of that kind of comes back together in talking about how we do our work with our networks we might also have issues of quality of service or talk about backups and restores and audit policy is also important to us that's where we're collecting information generally we might talk about things like a syslog server and that syslog server or sim collecting information from a bunch of different security devices to help us analyze what's happening or you know on windows machines might be an event log that we're analyzing for security or even remember not just security but it could be system events like certain software pieces beginning to fail that you know if the server fails could be a security issue on availability so all of those are parts of what we should have policies for change management this is a big one right that's where we talk about things like the trouble ticket you know and when I talk about management you know there are some things that might happen like a server fails and we need to fix it right away but you know so we might have a fast track for getting that trouble ticket done but again if it's somebody saying that they want us to update the newest security patch we want to plan for that create often what we call a maintenance window or a time where we do those updates so that we are not trying to take production down very quickly and so those are also things that we should look for and by the way we want to have this change management policy because one of the other big parts of that is an approval process where you know we just can't have anybody decide oh I'm going to make an update I'm just going to patch this thing at noon on Friday whether you know people want me to or not I mean we have to go through a process where we can 
evaluate it maybe test it make sure that it's not going to cause conflicts or complications because again security is availability and if you do some of these things and take a server down then you know you've cost production and often get what we call name recognition because everybody's going to remember who it was it took the servers down
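The firewall and IDS/IPS discussion earlier in this lecture makes two points that are easy to see in code: a layer 3/4 firewall must allow the published web port and the replies to trusted outbound connections, so a botnet server's reply comes back in, while a layer 7 content check behind it (the inline IPS ordering) is what catches the content. The Python simulation below is an added example, not course material from the instructor; the addresses, rule set and signature strings are all constructed for illustration.

```python
"""Simulation: layer 3/4 stateful filtering next to a layer 7 content check.

Constructed example; hosts, rules and signatures are invented for illustration
and stand in for no real product or deployment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    payload: bytes = b""


INSIDE_NET = "10.0.0."       # constructed internal prefix
WEB_SERVER = "10.0.0.80"     # constructed published web server


class StatefulFirewall:
    """Decides on addresses, protocol and ports only (layers 3 and 4).

    Mirrors the rule set described in the lecture: inbound is permitted only
    to the published web service, anything that originates inside is trusted
    and allowed out, and replies to those outbound connections are let back in.
    """

    def __init__(self) -> None:
        # (inside_ip, inside_port, outside_ip, outside_port) of outbound sessions
        self.sessions = set()

    def check(self, pkt: Packet) -> str:
        if pkt.src_ip.startswith(INSIDE_NET):
            # Outbound is allowed wholesale; record it so the reply will match.
            self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        # Inbound reply to an established outbound session passes the L3/L4
        # check even when the far end is a malware or botnet server.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.sessions:
            return "allow"
        # Inbound to the published service: the rule says this must be allowed.
        if pkt.proto == "tcp" and pkt.dst_ip == WEB_SERVER and pkt.dst_port == 80:
            return "allow"
        return "deny"


# Constructed byte patterns standing in for an IDS/IPS signature set.
SIGNATURES = (b"EXAMPLE-MALWARE-SIG", b"EXAMPLE-C2-BEACON")


def inspect_payload(payload: bytes) -> bool:
    """Layer 7 check: True when the content matches a known-bad signature."""
    return any(sig in payload for sig in SIGNATURES)


def defense_in_depth(fw: StatefulFirewall, pkt: Packet) -> str:
    """Inline (IPS-style) ordering: L3/L4 decision first, then inspect what passed."""
    verdict = fw.check(pkt)
    if verdict == "allow" and inspect_payload(pkt.payload):
        return "deny:l7"
    return verdict


def walkthrough() -> dict:
    """Replay the lecture's scenarios and return each verdict."""
    fw = StatefulFirewall()
    attacker, c2, client = "203.0.113.5", "198.51.100.9", "10.0.0.25"  # constructed
    return {
        # Unsolicited inbound to an unpublished port: the L3/L4 rule alone stops it.
        "ssh_probe": defense_in_depth(fw, Packet(attacker, WEB_SERVER, "tcp", 40000, 22)),
        # Inbound to port 80 follows the firewall rule; only content inspection can catch it.
        "web_request": defense_in_depth(
            fw, Packet(attacker, WEB_SERVER, "tcp", 40001, 80, b"GET /?q=EXAMPLE-MALWARE-SIG")),
        # An inside host calls out (trusted)...
        "outbound": fw.check(Packet(client, c2, "tcp", 51000, 443)),
        # ...and the server's reply is allowed because it matches the session state.
        "c2_reply_l34_only": fw.check(Packet(c2, client, "tcp", 443, 51000, b"EXAMPLE-C2-BEACON")),
        # The added layer 7 check is what finally blocks that reply.
        "c2_reply_with_l7": defense_in_depth(
            fw, Packet(c2, client, "tcp", 443, 51000, b"EXAMPLE-C2-BEACON")),
    }


if __name__ == "__main__":
    for scenario, verdict in walkthrough().items():
        print(f"{scenario:20s} -> {verdict}")
```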