
It is no secret to anyone that 2017 was a very “hot” year for information security specialists: WannaCry, Petya, NotPetya, data leaks and more. The information security market is now booming, and many companies are rushing to buy protection tools. At the same time, many forget the most important thing: the human factor.
According to Gartner's 2016 reports, 95% of all successful attacks could have been prevented by properly configuring the defenses already in place. In other words, the companies already had every means to repel the attacks, but suffered serious damage because of carelessness or negligence by their employees. In that case the company loses money twice:
- As a result of the attack;
- Money is spent on protection tools that are not used to even half of their capabilities.

If we recall WannaCry, the victims of this ransomware were companies that had not updated their operating systems in time and had not closed the “extra” ports (in that case SMB, TCP port 445) on their firewalls. In reality there are many other factors, such as the lack of centralized management and of a system for centralized monitoring, collection and correlation of events (i.e. a SIEM, which also needs to be “properly” set up). There are plenty of similar examples. Take ordinary network equipment. At work I often had to take part in very large projects whose task was to protect a network of 5-10 thousand users. A huge amount of expensive equipment was purchased: firewalls, intrusion prevention systems, a proxy server and so on. The project budget came to tens of millions of rubles. Imagine my surprise when, after such “expensive” projects had been rolled out, it turned out that the ordinary network equipment used passwords like “admin” or “1234” (and these passwords had not changed for years, even after the system administrators had changed). Switches were managed over the unencrypted “Telnet” protocol. The offices were full of hubs that the users had brought in themselves, “because it is more convenient for them.” Employees' personal laptops were connected to the corporate network. There was complete anarchy in the IT infrastructure. In other words, despite the millions spent, such a network could be taken down by a schoolchild in five minutes.
The same goes for configuring “sophisticated” protection tools such as next-generation firewalls (NGFW) or UTM devices. It does not matter how expensive the firewall you bought is or what place it occupies in the annual Gartner ranking.

Proper configuration and administration are required! Quite often you come across harsh criticism of a solution from administrators. However, when you check the configuration, you realize that apart from the access list “permit ip any any” nothing has been configured at all. The result in that case is logical. Cisco, Fortinet, Check Point, Palo Alto, it makes no difference. Without the right settings it is money down the drain (and often quite a lot of money). In addition, you need to understand that information security is a continuous process, not a result. After completing the setup once, you will definitely have to return to it and update it after some time.
In connection with all of the above, we are announcing a new mini-course on configuring Check Point, in which we will try to show how to “squeeze” the maximum protection out of it. Yes, having a Check Point does not guarantee good protection without adequate configuration, just as with any other solution. It is only a tool, and it has to be used properly. We have previously published an article on best practices for configuring the Firewall blade, but now we will focus on blades such as Anti-Virus, IPS, Threat Emulation, Application Control, Content Awareness and others. We will also look at the Compliance blade, which is designed to minimize errors and risks in the Check Point configuration (that is, to reduce the influence of the human factor).
We will not limit ourselves to theory; we will try everything in practice. All settings will be implemented in the newest version of Check Point, R80.10. Lessons will follow an “attack and defense” format. In general, our lab layout will look like this:

For the tests we will use the Kali Linux distribution (the “hacker PC”), generating various kinds of malware and trying to “drag” it through the Check Point in various ways (by e-mail or through a browser). We will look at ways of bypassing antivirus and intrusion prevention systems using various code obfuscation mechanisms. In essence, we will be doing something like a pentest, which is basically the best way to test the quality of the protection and of its configuration.
As you understand, one mini-course cannot cover everything, so we will consider protection against attacks only with the example of Check Point (perhaps we will touch on other vendors in the future). However, even if you do not use Check Point, these lessons will later let you independently test the effectiveness of your current protection tools. We will form a checklist of mandatory checks. At the very least (if you are too lazy), use the basic checks we published earlier.
This is where our introduction ends. I hope this course has really interested you; in the next lesson we will talk about HTTPS inspection.