Security Basics mailing list archives
Re: Network Segregation to prevent spread of malware
From: Alex Creek <acreek83 () yahoo com>
Date: Fri, 25 Jan 2013 07:43:09 -0800 (PST)
This is from a report published by Australia's DSD (Defence Signals Directorate) on strategies to mitigate targeted cyber intrusions. This doesn't talk specifically about malware, but it does highlight the importance of network segregation. Full article: dsd.gov.au/publications/csocprotect/network_segmentation_segregation.htm

Why is network segmentation and segregation important?

1. Once a malicious cyber adversary compromises your network, usually through the compromise of a system under the control of a legitimate user by means of social engineering, they will attempt to move around your network to locate and access the information they are targeting. This is known as propagation or lateral movement.

2. In order to minimise the impact of such a compromise, it should be as hard as possible for the malicious cyber adversary to find and access the information they seek and move undetected around a system or network, and remove the information from the network once they locate it.

3. The malicious cyber adversary may attempt to make connections directly from the compromised system(s) to the more sensitive system(s) using tools and techniques they have at their disposal. This is typically executed using their own or enhanced versions of legitimate network administration tools. For example, if the malicious cyber adversary has initially compromised a workstation, they may seek to create a remote connection to a sensitive server, map a network resource or use installed legitimate network administration tools in order to access information on that server, or execute software remotely on the server. This is particularly common when the adversary targets an organisation's authentication server. Properly planned and implemented network segmentation and segregation is a key control to stop such activities from occurring. You may be able to explicitly disallow remote desktop connections or the use of common network administration tools from end-user workstations on sensitive servers (as most users do not require such functionality) and/or configure sensitive servers to prohibit the sharing of files and restrict their ability to communicate via remote connections.

4. Network segmentation and segregation also assists an organisation to both detect and respond to an intrusion. The technologies implemented to enforce segmentation and separation will:
   1. contain audit and alerting capabilities that may prove critical in identifying an intrusion
   2. allow an organisation to better focus their auditing and alerting tools to a limited subset of attacks based on the approved access methods, and
   3. provide a ready way to isolate a compromised device from the rest of your network in the event of an intrusion.

5. Network segmentation and segregation is a key enabler for the implementation of workforce mobility and a secure bring your own device (BYOD) strategy as it allows you to better isolate a compromised or potentially compromised device from the key information on your network.

Best practice in implementing network segmentation and segregation

1. Regardless of the technology chosen to implement network segmentation and segregation, there are five common themes for good network segmentation and segregation, including:
   1. Apply technologies at more than just the network layer. Each system and network should be segmented and segregated, where possible, from the data link layer up to and including the application layer. It is not sufficient to implement a hardware-based firewall as the only protective security measure.
   2. Use the principles of least privilege and need-to-know. If a system doesn't need to communicate with another system on the network, it should not be allowed to. If a system only needs to talk to another system on a specific port or protocol and nothing else, it should be restricted as such.
   3. Separate information and infrastructure based on your security requirements. This may include using different hardware or platforms based on security classifications or different threat and risk environments in which each system or network segment operates.
   4. Identify, authenticate and authorise access for entities based on your security requirements. This includes users, systems and services that should have their access restricted to that required to perform their intended function.
   5. Implement whitelisting instead of blacklisting. That is, grant access to the known good, rather than denying access to the known bad. This will also improve an organisation's capacity to analyse log files.

Alex

________________________________
From: Sagar <sagarnseas () gmail com>
To: listbounce () securityfocus com; "tomright006 () gmail com" <tomright006 () gmail com>
Cc: "security-basics () securityfocus com" <security-basics () securityfocus com>
Sent: Thursday, January 24, 2013 9:48 AM
Subject: Re: Network Segregation to prevent spread of malware

Hi Tom,

In my experience and humble opinion, technology and architecture would just amount to about 30 percent of your attempt to secure systems and infrastructure; what you would be aiming at (of course once your network is set up) is not only perimeter security coupled with best practice architecture but detection of traffic flow. Pattern and pattern anomaly detection will play a vital role. IMHO a few critical aspects in this regard will be using SIEM technology, which is evolving by leaps and bounds. DETECTION is the keyword, though setting up an efficient SIEM and continuous monitoring will involve resources in terms of cost and human resources. Of course nothing beats employees aware of safe internet practices, so I would invest sufficiently in training them.

In a nutshell, my two cents - SIEM monitoring (aggregation and correlation) and employee awareness training.

Cheers, Stay Info Safe :)
Sagar Narasimha
LA 27k,20k,9k PMP,six sigma GB,ITIL CCSA,NCSS,CCSP
Sent from my BlackBerry® on Reliance Mobile, India's No. 1 Network. Go for it!

-----Original Message-----
From: Jerry Bell <jerry () riskologist com>
Sender: listbounce () securityfocus com
Date: Wed, 23 Jan 2013 07:07:25
To: tomright006 () gmail com <tomright006 () gmail com>
Cc: security-basics () securityfocus com <security-basics () securityfocus com>
Subject: Re: Network Segregation to prevent spread of malware

Hi Tom,

The answer is 'it depends', but probably no. If you are talking about a classic company network and dividing workstations into separate networks to prevent cross contamination, you have to consider the pivot points for most malware - email, file shares, etc. - which can still allow malware to propagate between networks even if no traffic is allowed directly between them. Some kinds of malware, notably worms that propagate directly from one system to another via some kind of remotely exploitable vulnerability, would be contained by network segmentation; however, those sorts of events are becoming increasingly rare (however, when they do happen, they tend to be big events).

Jerry

Sent from my iPhone

On Jan 22, 2013, at 5:33 PM, tomright006 () gmail com wrote:

Hello All,

I need a few tips on Network Segregation to prevent the spread of Malware. Can I avoid Malware spreading from one network segment to another just by segregating the network with access lists or firewalls?

Thanks,
Tom

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
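As an added illustration of the least-privilege and whitelisting themes in the DSD text quoted above (example code added here, not part of the report or of any message in this thread): a default-deny segmentation policy evaluated over flow records, flagging the workstation-to-server RDP and SMB attempts the report says should be disallowed while permitting the same RDP from an admin jump segment. The segment ranges, ports and flow records are assumptions constructed for the example.

```python
"""Allow-list (default-deny) segmentation policy checked against flow records."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One permitted flow: source segment -> destination segment on one proto/port."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int

# Hypothetical segments, constructed for this example.
WORKSTATIONS = ipaddress.ip_network("10.10.0.0/16")
APP_SERVERS = ipaddress.ip_network("10.20.0.0/24")
AUTH_SERVERS = ipaddress.ip_network("10.30.0.0/24")
ADMIN_JUMP = ipaddress.ip_network("10.40.0.0/28")

# Known-good flows only; anything not listed is denied (whitelisting, least privilege).
POLICY = [
    Rule(WORKSTATIONS, APP_SERVERS, "tcp", 443),   # users reach the application over HTTPS only
    Rule(WORKSTATIONS, AUTH_SERVERS, "tcp", 88),   # Kerberos to the authentication server only
    Rule(ADMIN_JUMP, APP_SERVERS, "tcp", 3389),    # RDP solely from the admin jump segment
    Rule(ADMIN_JUMP, AUTH_SERVERS, "tcp", 3389),
]

def is_allowed(src, dst, proto, dport):
    """Default deny: a flow passes only if some rule explicitly permits it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in r.src and d in r.dst and proto == r.proto and dport == r.dport
               for r in POLICY)

def audit(flows):
    """Return the denied flows; each one is a candidate alert (workstation -> server
    RDP or SMB attempts are the lateral-movement pattern the report describes)."""
    return [f for f in flows if not is_allowed(*f)]

# Constructed flow records (src, dst, proto, dport), as a segmentation firewall might log them.
SAMPLE_FLOWS = [
    ("10.10.5.23", "10.20.0.10", "tcp", 443),   # normal user traffic
    ("10.10.5.23", "10.20.0.10", "tcp", 3389),  # RDP from a workstation to a server
    ("10.10.5.23", "10.20.0.10", "tcp", 445),   # SMB share mapping from a workstation
    ("10.40.0.3", "10.30.0.5", "tcp", 3389),    # RDP from the admin jump host: permitted
    ("10.10.5.23", "10.30.0.5", "tcp", 88),     # Kerberos from a workstation: permitted
]

if __name__ == "__main__":
    for src, dst, proto, dport in audit(SAMPLE_FLOWS):
        print(f"ALERT denied flow {src} -> {dst} {proto}/{dport}")
```

Because the policy enumerates only the known good, the two denied records are exactly the ones worth auditing, which is the log-analysis benefit the report's fifth theme points to.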