Not quite well-known solutions for the protection of IT business infrastructure

The classic approach of the Russian business today is the installation of a firewall, then after the first attempts of targeted attacks, an anti-intrusion system. And go to sleep peacefully. In practice, this gives a good level of protection only against violinists, with any more or less serious threat (for example, from competitors or an attack from detractors, or a targeted attack from a foreign industrial espionage group), something additional is needed besides classical means.

I already wrote about the profile of a typical directed attack on a Russian civil enterprise. Now I’ll talk about how the defense strategy has changed in general in our country in recent years, in particular, due to the displacement of the attack vectors by 0-day and the associated implementation of static code analyzers directly in the IDE.
')
Plus a couple of examples for sweetness - you will find out what can happen in a network completely isolated from the Internet and on the perimeter of the bank.

Development

Over the past two years, quite a strong movement has begun on the market for large enterprise solutions. At first there was a fairly good activity on protection from DDoS - just then the attacks fell in price. While the average business got acquainted with IT on the issues "why we have a website and do not operate cash registers in stores," the major reorganized defense in the direction of protection against non-standard attacks. Let me remind you that most of the targeted threats are realized through a 0-day bundle and social engineering. Therefore, the introduction of code analyzers at the software development stage for the company has become a logical step.

Check to commit

One of the most effective measures was the organization of the process in such a way that no commit takes place without static code analysis, and not a single release goes to the combat servers until the dynamic analysis is completed. Moreover, this dynamic is done in the sandboxes of virtual machines, ideally corresponding to different servers, users' machines with different profiles, and so on. That is, the code is “swinging” in a real environment with the whole chain of interactions.

Most hardor, of course, the integration of analyzers with the IDE. Wrote the function - and not one step further until you remove all the warnings of the analyzer. At the same time, for complete happiness, the security officer sees the logs of what was happening, and every warning is duplicated to him. As colleagues say, in the West it turned out to be a very effective tool for the code to be immediately written normally.


An example of a solution is HP Fortify Software Security center.

3rd party code

When implementing a third-party code, the IB of a large business often insists on static code analysis. When it comes to open source, the situation is very simple and straightforward, just running through the analyzer and “suppressing” from hundreds to thousands of warnings. When the code is commercial, and the customer is not ready to provide the source code of his subsystem, a more interesting iteration occurs.

If the source code is not provided, but they can be read at the developer’s office, representatives of the IT department and the information security department go to the place, where they together launch a static analyzer. If, however, it cannot be so, then either they give up the code, or, less often, they assign an enhanced “swing” in dynamics.

In addition to automatic methods, a pentester is often invited: this is either an employee of an information security / IT department with a specialized education, or, more often, a third-party specialist from a partner company.

Old code

If you find problems with legacy-code, and even compiled for the subsystem as much as in 1996 (there was such a real case), it is naturally quite difficult to rewrite it. In this case, a rule is written on the firewall describing the type of exploitation of the vulnerability (in fact, the exploit package signatures), or the cut-off of everything that is not a normal package for the final system is prescribed on one of the intermediate systems. A kind of DPI, but to close the vulnerability, piping a level higher.

Internal rounds

A very large business has one more characteristic problem - the number of changes in the living infrastructure is such that even a large department cannot control all movements in the network. Therefore, the same banks, retail and insurance use specialized tools like HP Webinspect or MaxPatrol from our compatriots Positive Technologies. These systems allow you to check a variety of infrastructure components, including what rolls onto microcontrollers of low-voltage systems.

Very common traffic profiling system. A typical profile of calls to each node is built on a database from switches and routers, then a correlation of users and systems to which they access is built. It turns out the interaction matrix, where you can see which service generates traffic for which user. Minor deviations fall in the form of a notice to safety guards, serious ones are immediately blocked. When the malware enters the network, characteristic multiple traces are visible, everything critical is “frozen” and the logging begins.

In this setting is in the form of "application-user-server" in the form of a GUI directly by the security officer without the participation of the IT department. Oddly enough, I like such systems, including admins - I had an example when the Vkontakte application started generating 90% of the traffic in the band, and the admin very easily noticed.

An example of a network anomaly search system is StealthWatch.

With a comprehensive analysis of security is usually done three procedures:

• The analysis at the “black box” level without user privileges, that is, just calling outside. These are free ports, analysis of everything that looks out of services, attempts to exploit the collected vulnerabilities and go through the DMZ. Standard pentest, as a rule.
• Audit with uchetku admin or privileged user. It is assumed that the attacker somehow "namutil" accesses (for example, by means of social engineering), and the attack develops from that moment on. As part of the same audit, a detour is done throughout the entire network. Settings, configuration files, system update correctness, checksums of each package and file are checked, software versions and their known vulnerabilities are evaluated (for example, that Windows on user machines are updated correctly from a certified source). An example package is RedCheck.
• The third mode is compliance with the requirements of a certain standard. This is an advanced network traversal according to a template, for example, personal data processing models by class. Our vendors have pre-configured templates for Russia - foreign ones, as a rule, rarely go beyond PCI DSS at best.

We have examples of such audits right here . But let's move on to the problems and the game "find a friend."

Typical problems

As a rule, most of the problems for IS of large businesses are no longer technical, but “everyday”, at the organization level:

• Outdated hardware and software. Often, big business needs certified solutions, and they are rapidly lagging behind new products. Many simply can not afford to put a new software or a new cool piece of iron, but they put something with obviously known holes or the missing functionality, and crutches to somehow solve the problem. It is not uncommon for a bank to make a decision that is only being certified, and, in fact, works a month or two at your own risk and risk without full compliance with the requirements of regulators. The alternative is to have a hole the size of a horse in an information security, but at the same time try to close it with a piece of paper that everything meets the standard and requirements.
• Consequence - one box closes the entire network. The problem is completely insane from the outside, but often the entire internal network of a small bank can rest on one device that is 5 years behind the flagship, but it works under a certificate. At failure of this piece of iron everything falls to the solution of a question. Naturally, more modern solutions are able to bypass the subsystems, parallelism, redundancy - but the reality is a little different from the ideal network architecture.
• Or another option. There is, in general, everything you need. But DLP and antibot cannot be activated, there are often problems with updating the antibot signature database (it is forbidden to update), problems with drivers (there was a situation - they installed certified equipment, but it didn’t fit into the RAID array - fortunately, a few days later a new certified version came out ).
• "Hardcode". Different devices need a different type of traffic, and when introducing new iron solutions, a painful and long re-switching is often done. Tests of one protective agent can go weeks for just that. In practice, it is enough to put a modern solution that will allow you to work at the channel level. That allows, for example, to put IPS under this channel before the firewall or after (which greatly affects the performance).

Gigamon GigaVUE-HC2

• Different iron under protection. This is not really a problem, just the tendency is that most of the vendors have come to the conclusion that all solutions for securing the perimeter fit into one UTM device. The fact is that each solution is a PACK in the form of a “black box”. Modern version - the same x86-architecture, and the ability to update the functionality without throwing iron every two years. For example, there is a device where there is already a firewall, streaming antivirus, anti-bot-system, and so on. At the same time, it is certified entirely and in the iron part consists of x86-machine, divided into virtual software blades at the software level. If necessary, software is delivered there, paid for a license - and it continues to thresh in a new way.
• Sophisticated zoo systems integration. Again, a consequence of the previous paragraph. Many different badly coupled iron is the problem of transferring data from one part of the IB system to another. For example, it has long become the norm that IPS is clearly connected with the antibotnet system. I am sure that this is not so in all banks - because, again, either it is difficult to do integration mechanics, or there is no single piece of hardware with blades as I described above. By the way, the latest generation also knows how to "split the brain" in order to scan itself for the appropriate configuration of the same PCI DSS. Previously, this was done by separate external systems.
• Infrastructure analysis for compliance with standards does not take into account Russian realities. Simplifying, you will have the perfect set of "utility crawlers" to verify compliance with PCI DSS. But only a small part of the decisions can number 152- “ About personal data” . For example, for this (well, and not only) domestic MaxPatrol "chases" in Lukoil, Norilsk Nickel, VimpelCom, Gazprom, and so on.
• Sudden changes. This is generally beyond good and evil, but it happens. A common case is that an IT specialist does something and sets a new rule at the infrastructure level, which in a month or two suddenly becomes safe (often - not by himself, but from a hint, a program for searching bugs, pentest or a real attack) and panics. Then suits all the dressing. For example, in one of our integrations there was a situation where we had to speed up the introduction of a heavy thresher server for a week. When deploying, without knowing all the details of the customer's IT kitchen, we were allowed to drive a certain type of traffic right before it. And then reported on the success. In response, the security officers initiated an internal investigation, as a result of which we ourselves almost got a little on the cap. So, it is right to put the system in place when an IT specialist implements something on the network, but the rule does not run until the security officer confirms it. It would have been like this, our colleagues would have received bonuses, because the problem was not in allowing the traffic, but that it passed by the information security department.
• Untrusted sources. In many corporate environments, at the butt level, there are often problems with the fact that the end user devices are a circus in half with the menagerie of viruses. For example, one thing is when an insurance agent travels to a place, photographs a dent in a car on his camera, then comes home, photoshop for more severe damage and sends. Another thing is when a photo comes from a corporate application (under certificate) via a secure channel and from a non-rooted device. You can trust the size of the dent. A more serious case is a sharp decline in trust in a VPN in one of the companies, where, as a result, due to viruses from remote employees, all accesses to the intruders got to the attackers. Solved the problem with a virtual JAVA applet in the browser that provides a secure trusted environment for VPN access.

Protective agents, examples

• NG FW class systems (Check Point, Stonesoft, HP Tipping Point);
• system for detection of potentially dangerous files (sandbox) (Check Point, McAfee, FireEye);
• specialized web application protection (WAF) (Imperva SecureSphere WAF, Radware AppWall, Fortinet Fortiweb);
• Intelligent center (ByPass node) for connecting IB facilities (Gigamon GigaVUE-HC2).
• Network traffic anomaly detection systems (StealthWatch, RSA NetWitness, Solera Networks);
• Security and compliance analysis (MaxPatrol, HP Webinspect)
• code security audit (HP Fortify, Digital Security ERPScan CheckCode, IBM AppScan Source);
• DDoS protection system (iron - Radware DefensePRO, ARBOR PRAVAIL, Check Point DDoS Protector; service - Kaspersky DDoS Prevention, QRATOR HLL).

Examples for dessert

Certified network
In one of the major government departments, it was decided to assess the security of the certified network segment intended for processing confidential information. In particular, users of this segment are strictly prohibited access to the Internet. Found this:

• Traces of connecting USB modems.
• One of the laptops was connected simultaneously to the external network and public.
• There were quite a lot of instant messengers and games.

In general, you must have seen such isolated networks in the army, when headquarters fighters sit on dating sites. Here the situation was somewhat more serious.

Network perimeter of a commercial bank
It was necessary to assess the perimeter security. Usually such work is carried out within the framework of penetration testing, but in this case the customer was more interested to see what he can do on his own from within. To do this, the servers and telecommunications equipment of the external demilitarized zones were scanned by the MaxPatrol system in the Audit and Compliance modes, and then the reports were analyzed. The first thing that caught my eye was a certain number of vulnerabilities associated, as usual, with outdated software or lack of security updates (old OS versions, no patches on most servers, etc.), but this is not the worst thing: for most of these vulnerabilities There are no exploits available to hackers. But there were also surprises. On a pair of perimeter routers, there were no ACLs (as it turned out, they were temporarily disabled when diagnosing communication problems between departments, and they forgot to enable them), so there were many more nodes outside than the administrators thought were available. In a large Internet face looking out combat military DBMS. Instead of SSH, TELNET was used on a number of nodes. On a number of combat servers, the RDP settings were not changed after configuration (RDP traffic was closed with a typical key). There were heroes who have not changed defol passwords since the start of work in the company. Fortunately, they did not have time to notice it from the outside, so everything was quickly shut down with almost no casualties in the IT department.

PS If you have a question not for comments, my mail is PLutsik@croc.ru.