Last week was a bit of a "security week" for me. I attended "SANS546 Detecting Hackers for System Administrators", listened in on the SANS webcast on the Advanced Persistent Threat (APT), and started work on my GSEC certification.
A few notes to start out with. First, I highly recommend the SANS546 course for any Systems Administrator, Network Administrator, IT Manager, or anyone else who needs to know the details of how to maintain security in a network. This course gets beyond the basics of setting up a firewall, making sure your systems are patched, and having virus scanning installed. It demonstrates first-hand why you have to go beyond these basic steps and gets into Defense in Depth, host-based and network-based IDS, network sniffing, baselining, and detecting malware. The best thing I took away from this course: **You can't identify the bad stuff if you don't know what the good stuff looks like.**
Second, the webcast on the Advanced Persistent Threat scared the bejesus out of me. For those not familiar with the APT, it is essentially a well-coordinated, continuous effort by professional crackers located in China to break into government and corporate networks in the US. These people are VERY GOOD at what they do! My biggest take-away from this webcast: **Treat your network like a garden instead of a fortress.** You can't just put up the walls and assume the bad guys will stay out. You need to be continuously looking for the weeds in your garden and removing them promptly.
The two bold statements above are so important because no matter how strong your fortress is, a persistent and knowledgeable "bad guy" will get in. Consider this scenario: through reconnaissance, I determine that your CFO likes to play Farmville on Facebook (cringe). So I send him an email "from Facebook" saying that he has qualified for 500 free points and all he has to do is watch a video. A link is included, which actually goes to my malicious site. When he clicks on the video, a popup appears saying "You must install this codec to watch the video". He clicks it and my malicious program is installed.
The malicious program is custom-built, so no AV signatures exist for it yet (i.e., anti-virus has no chance of recognizing it). My program now starts collecting the CFO's email messages and sending them off to my server. No firewall will block this, because outbound traffic, especially web traffic, is generally allowed.
The only way to catch this program is to "know the good stuff," so that your IDS or log reviews pick out the abnormal process, files, or network traffic. Even then, it's very hard, so you have to be diligent. Is one workstation connecting out to other workstations? That's not normal.
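To make the "know the good stuff" idea concrete, here is a small baseline-and-compare script. It is an added example, not code from the original post or from SANS: it assumes a constructed connection-log format of `timestamp src_ip dst_ip dst_port`, that `10.0.1.0/24` holds user workstations, and that the baseline log represents a known-good period. Both log samples are made up for the example. The script learns which destinations each host normally talks to, then flags a workstation talking to another workstation, a host that was never seen during the baseline, and a known host reaching a destination it has never used before.

```python
"""Baseline-and-compare detection over simple connection logs.

Added example, not from the original post. Assumed log format (constructed):
    timestamp src_ip dst_ip dst_port
The workstation subnet below is an assumption for this example only.
"""
import ipaddress
from collections import defaultdict

# Assumption: user workstations live in this range (constructed for the example).
WORKSTATION_NET = ipaddress.ip_network("10.0.1.0/24")

# Constructed "known good" period: workstations talk to internal servers
# (10.0.2.x) and to one ordinary external web host.
BASELINE_LOG = """\
2010-02-01T09:00:01 10.0.1.15 10.0.2.10 445
2010-02-01T09:00:05 10.0.1.15 10.0.2.20 25
2010-02-01T09:01:00 10.0.1.15 198.51.100.10 80
2010-02-01T09:02:00 10.0.1.22 10.0.2.10 445
2010-02-01T09:02:30 10.0.1.22 198.51.100.10 443
2010-02-01T09:03:00 10.0.1.31 10.0.2.20 25
"""

# Constructed "today": the CFO's workstation (10.0.1.15) starts talking to a
# peer workstation and to a never-before-seen external host, and a host that
# was not in the baseline at all shows up.
TODAY_LOG = """\
2010-02-08T09:00:01 10.0.1.15 10.0.2.10 445
2010-02-08T09:00:10 10.0.1.15 10.0.1.22 445
2010-02-08T09:00:40 10.0.1.15 203.0.113.7 443
2010-02-08T09:00:41 10.0.1.15 203.0.113.7 443
2010-02-08T09:01:00 10.0.1.22 10.0.2.10 445
2010-02-08T09:02:00 10.0.1.99 198.51.100.10 80
"""


def parse_log(text):
    """Turn 'timestamp src dst port' lines into (src, dst, port) tuples.

    Lines that do not have exactly four fields are skipped rather than
    crashing the review, so a stray blank or header line is harmless.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, src, dst, port = parts
        records.append((src, dst, int(port)))
    return records


def build_baseline(records):
    """Map each source host to the set of (dst, port) pairs seen in the good period."""
    baseline = defaultdict(set)
    for src, dst, port in records:
        baseline[src].add((dst, port))
    return baseline


def is_workstation(ip):
    return ipaddress.ip_address(ip) in WORKSTATION_NET


def detect(baseline, records):
    """Compare today's connections against the baseline and return deduplicated findings.

    Each finding is (rule, src, dst, port). A single connection can trip more
    than one rule (workstation-to-workstation is also a new destination).
    """
    findings = set()
    for src, dst, port in records:
        if is_workstation(src) and is_workstation(dst):
            findings.add(("workstation_to_workstation", src, dst, port))
        if src not in baseline:
            findings.add(("unknown_source", src, dst, port))
        elif (dst, port) not in baseline[src]:
            findings.add(("new_destination", src, dst, port))
    return sorted(findings)


def run_example():
    """Build the baseline from the good period and review today's log against it."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(baseline, parse_log(TODAY_LOG))


if __name__ == "__main__":
    for rule, src, dst, port in run_example():
        print(f"{rule:26} {src} -> {dst}:{port}")
```

The baseline is deliberately crude (exact destination/port pairs per host); in a real network you would baseline over a longer window and normalize external web destinations, or the "new destination" rule will fire constantly. The point it illustrates is the one from the course: the workstation-to-workstation connection and the brand-new external host only stand out because you first recorded what normal looked like.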
Now I know what you're thinking: Just train your users not to click on stupid stuff.
Doesn't work. Yes, you should include security awareness training as part of your security plan, but it's not sufficient. People will click on stupid stuff.
I will definitely be increasing the intrusion detection capabilities of Data Knoxx as a result of my Security Week.
I would be very interested to hear people's response to these points and discuss them further. Feel free to comment or email me directly.