Logs and Backups

Charles Southerland (a.k.a. proidiot)
Stuph Labs
Information Warfare Summit 2013

Imagine an outsider trying to deface your organization's website. We'll say they're using SQL injection to do this.

The logs will likely give you a trove of information about how the attack occurred, and the backup will allow you to revert the changes quickly.

Now imagine getting attacked by an insider.

Those backups suddenly become a liability.

And those logs, which can usually be modified with ease by an insider, will probably not help you figure out who attacked, how they attacked, or perhaps even that they attacked at all.

In fact, the logs might be almost as bad to leak as your backups.

Unfortunately, there doesn't appear to be a good one-size-fits-all way to deal with backups and logs with respect to insider threats at this time.

I have no doubt that there is some vendor out there that will sell you a "security in a box" solution to this problem, but I seriously doubt such a solution would be a good choice for many organizations.

...but I have some ideas that might work for some organizations.

First: rethink backups

Why you might need to recover from backups:
● Something went wrong and you can recover quickly
● Something catastrophic happened and you must recover carefully

The best solution to non-breach recovery is failover. After all, the time it takes to restore from a backup is still downtime.

For the actual backups, separately back up sensitive user data, other business data, etc.

Use a configuration management system (e.g. Chef, Puppet, CFEngine) and back up those files in a form that necessary personnel can quickly decrypt and use as needed.

Encrypt all backups using a cryptosystem that is appropriate for the sensitivity of the particular data, and be sure to always verify the authenticity of the data (e.g. md5sum).
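The encrypt-and-verify step, as an added example that is not part of the slides: AES-256-GCM from Go's standard library seals a backup and refuses to open it if any byte changed or the wrong key is used. The key, the sample backup bytes and the byte flip in Tamper are constructed for the demonstration. A keyless digest such as md5sum catches accidental corruption, but whoever can rewrite the stored backup can rewrite the published digest just as easily; the GCM tag can only be produced or checked by someone holding the key, which is why it pairs naturally with the separate key holders the deck recommends.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// SealBackup encrypts plaintext under a 32-byte key with AES-256-GCM and
// returns nonce || ciphertext || tag. The tag is what later proves the blob
// is unmodified; only a key holder can compute or check it.
func SealBackup(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce so the nonce travels with the blob.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenBackup reverses SealBackup and fails if a single bit of the blob changed
// or if the key is wrong.
func OpenBackup(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("backup blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// Digest is the keyless integrity check the slide mentions (md5sum there,
// SHA-256 here). It detects accidental corruption, but anyone able to rewrite
// the blob can also rewrite the published digest.
func Digest(blob []byte) string {
	sum := sha256.Sum256(blob)
	return hex.EncodeToString(sum[:])
}

// Tamper returns a copy of blob with one byte flipped, standing in for
// corruption or an unauthorised edit of the stored backup (constructed).
func Tamper(blob []byte) []byte {
	out := append([]byte(nil), blob...)
	out[len(out)/2] ^= 0x01
	return out
}

func main() {
	key := make([]byte, 32) // constructed key; in practice held only by the key custodians
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	backup := []byte("constructed sample backup payload") // constructed sample data

	blob, err := SealBackup(key, backup)
	if err != nil {
		panic(err)
	}
	fmt.Println("digest of stored blob:   ", Digest(blob))

	bad := Tamper(blob)
	fmt.Println("digest after tampering:  ", Digest(bad), "(an insider could simply publish this one instead)")
	if _, err := OpenBackup(key, bad); err != nil {
		fmt.Println("GCM rejected the tampered blob:", err)
	}
	if plain, err := OpenBackup(key, blob); err == nil {
		fmt.Printf("untouched blob restores %d bytes\n", len(plain))
	}
}
```

Run it as a program to see the two digests and the rejection message; the point to take away is that the digest changed but could be re-published by the same person who changed the data, whereas the GCM check fails for anyone without the key.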
Limit access to the onsite backups to a handful of people, and choose different people to grant access to the crypto keys for those onsite backups.

Very closely monitor and log all access to the onsite backups. These onsite backups should preferably be kept somewhere that would be very difficult to extract information unnoticed from (i.e. a computer with an air gap to the network).

Keep lots of backups in an offsite facility your employees don't have access to (e.g. Amazon Web Services, Rackspace).

Amazon's Glacier would probably be a good choice.

Again, profusely log all access to the offsite backups.

Treat access to offsite backups like you do the onsite one: encrypt all data, assure different people have access to the data vs. the keys, etc.

Every 6 months and every time someone leaves who had access to the key or data for the onsite backups, immediately destroy the key and data, create new keys for the new backups, and then randomly assign who will have access to which keys and data.

It would be best to have similar practices with regard to the keys and data for the offsite backups, but care must be taken not to handle these actions in an insecure way.
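The custodian split and the rotation triggers from the last few slides, written out as an added example that is not from the deck. It draws disjoint data-holder and key-holder groups with a crypto/rand-driven shuffle (so nobody can predict or steer who they are paired with) and reports when a re-key is due: six months elapsed, or any current holder has left. The staff roster, group sizes and the departure are constructed for the demonstration; the function and type names are this example's own.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Custodians records the two disjoint groups the deck asks for: people who
// can reach the encrypted backup data, and people who hold its key.
type Custodians struct {
	Data       []string
	Keys       []string
	AssignedAt time.Time
}

// shuffle is a Fisher-Yates shuffle driven by crypto/rand rather than a
// seeded PRNG, so the assignment cannot be reproduced or influenced.
func shuffle(items []string) ([]string, error) {
	out := append([]string(nil), items...)
	for i := len(out) - 1; i > 0; i-- {
		n, err := rand.Int(rand.Reader, big.NewInt(int64(i+1)))
		if err != nil {
			return nil, err
		}
		j := int(n.Int64())
		out[i], out[j] = out[j], out[i]
	}
	return out, nil
}

// AssignCustodians draws nData data holders and nKeys key holders at random
// from staff, guaranteeing the two groups share nobody.
func AssignCustodians(staff []string, nData, nKeys int, now time.Time) (Custodians, error) {
	if nData < 1 || nKeys < 1 || nData+nKeys > len(staff) {
		return Custodians{}, errors.New("need at least nData+nKeys distinct eligible staff")
	}
	order, err := shuffle(staff)
	if err != nil {
		return Custodians{}, err
	}
	return Custodians{
		Data:       order[:nData],
		Keys:       order[nData : nData+nKeys],
		AssignedAt: now,
	}, nil
}

// RotationDue applies the slide's two triggers: six months since assignment,
// or any current data or key holder having left. The reason is returned so
// the rotation event can itself be logged.
func RotationDue(c Custodians, departed map[string]bool, now time.Time) (bool, string) {
	for _, group := range [][]string{c.Data, c.Keys} {
		for _, p := range group {
			if departed[p] {
				return true, "custodian " + p + " has left"
			}
		}
	}
	if !now.Before(c.AssignedAt.AddDate(0, 6, 0)) {
		return true, "six months since last rotation"
	}
	return false, ""
}

func main() {
	// Constructed staff roster for the demonstration.
	staff := []string{"alice", "bob", "carol", "dave", "erin", "frank"}
	c, err := AssignCustodians(staff, 2, 2, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("data holders:", c.Data, "key holders:", c.Keys)

	departed := map[string]bool{c.Keys[0]: true} // constructed: one key holder resigns
	if due, why := RotationDue(c, departed, time.Now()); due {
		fmt.Println("destroy key and data, re-key, reassign:", why)
	}
}
```

Because the shuffle is not seeded, two runs give different groups; the properties that matter (sizes, no overlap, the triggers) are what to check, not the particular names drawn.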
Next: rethink logs

It is vital to assure that none of the sensitive data leaks into the logs.

However, all other data, no matter how menial, should be recorded into the logs.

Hard drive space is very cheap and big data can be extremely useful...

...so open the floodgates (e.g. this user requested this page by following this link from this IP address at this time from a browser with this agent string)
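"Everything except the sensitive data" is easier to state than to enforce, so here is an added example (not from the slides) of the one seam where it usually goes wrong: request parameters. RedactQuery keeps every key and every non-sensitive value of a query string but replaces the values of denylisted keys, and LogLine renders the verbose record the slide describes (user, path, link followed, IP address, time, agent string). The denylist, the sample request and the field layout are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"time"
)

// sensitiveParams is a constructed denylist of parameter names whose values
// must never reach a log; extend it to match the application's own forms.
var sensitiveParams = map[string]bool{
	"password": true, "passwd": true, "token": true, "ssn": true, "card": true,
}

// RedactQuery preserves the full shape of a query string (so the log still
// shows what was requested) while blanking values of sensitive keys.
// Key matching is case-insensitive; output key order is sorted by Encode.
func RedactQuery(raw string) string {
	vals, err := url.ParseQuery(raw)
	if err != nil {
		// Refuse to log something we could not parse safely rather than risk
		// copying a secret through verbatim.
		return "unparseable-query"
	}
	for k := range vals {
		if sensitiveParams[strings.ToLower(k)] {
			vals[k] = []string{"REDACTED"}
		}
	}
	return vals.Encode()
}

// Request is the per-hit data the slide wants kept: who asked for what, from
// where, via which link, when, and with which browser.
type Request struct {
	User, Path, Query, Referer, RemoteIP, UserAgent string
	At                                             time.Time
}

// LogLine renders one verbose, sensitive-data-free log record.
func LogLine(r Request) string {
	return fmt.Sprintf("%s user=%q ip=%s path=%s query=%q referer=%q ua=%q",
		r.At.UTC().Format(time.RFC3339), r.User, r.RemoteIP, r.Path,
		RedactQuery(r.Query), r.Referer, r.UserAgent)
}

func main() {
	// Constructed sample hit: a login form submission.
	r := Request{
		User:      "bob",
		Path:      "/login",
		Query:     "user=bob&password=hunter2&page=2",
		Referer:   "https://example.com/",
		RemoteIP:  "203.0.113.7",
		UserAgent: "Mozilla/5.0",
		At:        time.Date(2013, 10, 1, 12, 0, 0, 0, time.UTC),
	}
	fmt.Println(LogLine(r))
}
```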
You can use Apache Hadoop to analyze this data and do cool things like...
...make graphs
...or determine user preferences
...or better protect your network

You will accumulate an incredible amount of log data, but the sheer size could prove to be a deterrent to would-be attackers.

Not to mention that all access to the onsite and offsite logs will also be heavily logged.

Access to the verbose offsite logs will rarely be time sensitive, so access to those keys could be much more heavily restricted apart from those times.

Not all of these suggestions will work for every organization.

The logs you keep on site do not need to be all that verbose.

And you don't really need to keep the onsite logs for very long (they're only needed to document the things that the IT dept can fix in a short time).

Also, as these approaches would likely require a significant amount of resources to set up and maintain, it would likely not be cost effective for some organizations.

However, the kinds of organizations that Infragard focuses on would have such a high potential cost to an insider threat that alternate approaches to this problem must at least be considered.

While there is currently no best solution to the problems that insider threats pose to logs and backups, I feel it would be negligent not to continue looking for one.

Questions?

More Related Content

Similar to Logs And Backups

Truth and Consequences
Truth and ConsequencesTruth and Consequences
Truth and Consequences
Mohammed Almeshekah
Ā 
App locker
App lockerApp locker
From šŸ¤¦ to šŸæļø
From šŸ¤¦ to šŸæļøFrom šŸ¤¦ to šŸæļø
From šŸ¤¦ to šŸæļø
Ori Pekelman
Ā 
Craft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionCraft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security Precognition
Aaron Rinehart
Ā 
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 -  Topic 2 - Advanced Threat Hunting by Justin FalckLuncheon 2016-07-16 -  Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
North Texas Chapter of the ISSA
Ā 
Dev secops opsec, devsec, devops ?
Dev secops opsec, devsec, devops ?Dev secops opsec, devsec, devops ?
Dev secops opsec, devsec, devops ?
Kris Buytaert
Ā 
Building a Modern Security Engineering Organization. Zane Lackey
 Building a Modern Security Engineering Organization. Zane Lackey Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey
Yandex
Ā 
Elastix network security guide
Elastix network security guideElastix network security guide
Elastix network security guide
Cristian Calderon
Ā 
OSDC 2018 | The Computer science behind a modern distributed data store by Ma...
OSDC 2018 | The Computer science behind a modern distributed data store by Ma...OSDC 2018 | The Computer science behind a modern distributed data store by Ma...
OSDC 2018 | The Computer science behind a modern distributed data store by Ma...
NETWAYS
Ā 
The New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilitiesThe New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilities
Major Hayden
Ā 
Building a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationBuilding a Modern Security Engineering Organization
Building a Modern Security Engineering Organization
Zane Lackey
Ā 
The computer science behind a modern disributed data store
The computer science behind a modern disributed data storeThe computer science behind a modern disributed data store
The computer science behind a modern disributed data store
J On The Beach
Ā 
Reproducible datascience [with Terraform]
Reproducible datascience [with Terraform]Reproducible datascience [with Terraform]
Reproducible datascience [with Terraform]
David Przybilla
Ā 
Connor big data
Connor big dataConnor big data
Connor big data
David Jimenez
Ā 
From DevOps to NoOps how not to get Equifaxed Apidays
From DevOps to NoOps how not to get Equifaxed ApidaysFrom DevOps to NoOps how not to get Equifaxed Apidays
From DevOps to NoOps how not to get Equifaxed Apidays
Ori Pekelman
Ā 
Metric Abuse: Frequently Misused Metrics in Oracle
Metric Abuse: Frequently Misused Metrics in OracleMetric Abuse: Frequently Misused Metrics in Oracle
Metric Abuse: Frequently Misused Metrics in Oracle
Steve Karam
Ā 
Developing Software with Security in Mind
Developing Software with Security in MindDeveloping Software with Security in Mind
Developing Software with Security in Mind
sblom
Ā 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
Nicholas Davis
Ā 
pbc_devsecops_eastereggs.2022oct06.jt.pptx
pbc_devsecops_eastereggs.2022oct06.jt.pptxpbc_devsecops_eastereggs.2022oct06.jt.pptx
pbc_devsecops_eastereggs.2022oct06.jt.pptx
Julie Tsai
Ā 
Data Privacy for Activists
Data Privacy for ActivistsData Privacy for Activists
Data Privacy for Activists
Greg Stromire
Ā 

Similar to Logs And Backups (20)

Truth and Consequences
Truth and ConsequencesTruth and Consequences
Truth and Consequences
Ā 
App locker
App lockerApp locker
App locker
Ā 
From šŸ¤¦ to šŸæļø
From šŸ¤¦ to šŸæļøFrom šŸ¤¦ to šŸæļø
From šŸ¤¦ to šŸæļø
Ā 
Craft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionCraft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security Precognition
Ā 
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 -  Topic 2 - Advanced Threat Hunting by Justin FalckLuncheon 2016-07-16 -  Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Ā 
Dev secops opsec, devsec, devops ?
Dev secops opsec, devsec, devops ?Dev secops opsec, devsec, devops ?
Dev secops opsec, devsec, devops ?
Ā 
Building a Modern Security Engineering Organization. Zane Lackey
 Building a Modern Security Engineering Organization. Zane Lackey Building a Modern Security Engineering Organization. Zane Lackey
Building a Modern Security Engineering Organization. Zane Lackey
Ā 
Elastix network security guide
Elastix network security guideElastix network security guide
Elastix network security guide
Ā 
OSDC 2018 | The Computer science behind a modern distributed data store by Ma...
OSDC 2018 | The Computer science behind a modern distributed data store by Ma...OSDC 2018 | The Computer science behind a modern distributed data store by Ma...
OSDC 2018 | The Computer science behind a modern distributed data store by Ma...
Ā 
The New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilitiesThe New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilities
Ā 
Building a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationBuilding a Modern Security Engineering Organization
Building a Modern Security Engineering Organization
Ā 
The computer science behind a modern disributed data store
The computer science behind a modern disributed data storeThe computer science behind a modern disributed data store
The computer science behind a modern disributed data store
Ā 
Reproducible datascience [with Terraform]
Reproducible datascience [with Terraform]Reproducible datascience [with Terraform]
Reproducible datascience [with Terraform]
Ā 
Connor big data
Connor big dataConnor big data
Connor big data
Ā 
From DevOps to NoOps how not to get Equifaxed Apidays
From DevOps to NoOps how not to get Equifaxed ApidaysFrom DevOps to NoOps how not to get Equifaxed Apidays
From DevOps to NoOps how not to get Equifaxed Apidays
Ā 
Metric Abuse: Frequently Misused Metrics in Oracle
Metric Abuse: Frequently Misused Metrics in OracleMetric Abuse: Frequently Misused Metrics in Oracle
Metric Abuse: Frequently Misused Metrics in Oracle
Ā 
Developing Software with Security in Mind
Developing Software with Security in MindDeveloping Software with Security in Mind
Developing Software with Security in Mind
Ā 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
Ā 
pbc_devsecops_eastereggs.2022oct06.jt.pptx
pbc_devsecops_eastereggs.2022oct06.jt.pptxpbc_devsecops_eastereggs.2022oct06.jt.pptx
pbc_devsecops_eastereggs.2022oct06.jt.pptx
Ā 
Data Privacy for Activists
Data Privacy for ActivistsData Privacy for Activists
Data Privacy for Activists
Ā 

More from Charles Southerland

hextime (OKC LUGnuts 5C393C35)
hextime (OKC LUGnuts 5C393C35)hextime (OKC LUGnuts 5C393C35)
hextime (OKC LUGnuts 5C393C35)
Charles Southerland
Ā 
RSA
RSARSA
Program Derivation of Operations in Finite Fields of Prime Order
Program Derivation of Operations in Finite Fields of Prime OrderProgram Derivation of Operations in Finite Fields of Prime Order
Program Derivation of Operations in Finite Fields of Prime Order
Charles Southerland
Ā 
Program Derivation of Matrix Operations in GF
Program Derivation of Matrix Operations in GFProgram Derivation of Matrix Operations in GF
Program Derivation of Matrix Operations in GF
Charles Southerland
Ā 
All Your Password Are Belong To Us
All Your Password Are Belong To UsAll Your Password Are Belong To Us
All Your Password Are Belong To Us
Charles Southerland
Ā 
One-Time Pad Encryption
One-Time Pad EncryptionOne-Time Pad Encryption
One-Time Pad Encryption
Charles Southerland
Ā 

More from Charles Southerland (6)

hextime (OKC LUGnuts 5C393C35)
hextime (OKC LUGnuts 5C393C35)hextime (OKC LUGnuts 5C393C35)
hextime (OKC LUGnuts 5C393C35)
Ā 
RSA
RSARSA
RSA
Ā 
Program Derivation of Operations in Finite Fields of Prime Order
Program Derivation of Operations in Finite Fields of Prime OrderProgram Derivation of Operations in Finite Fields of Prime Order
Program Derivation of Operations in Finite Fields of Prime Order
Ā 
Program Derivation of Matrix Operations in GF
Program Derivation of Matrix Operations in GFProgram Derivation of Matrix Operations in GF
Program Derivation of Matrix Operations in GF
Ā 
All Your Password Are Belong To Us
All Your Password Are Belong To UsAll Your Password Are Belong To Us
All Your Password Are Belong To Us
Ā 
One-Time Pad Encryption
One-Time Pad EncryptionOne-Time Pad Encryption
One-Time Pad Encryption
Ā 

Recently uploaded

Day 4 - Excel Automation and Data Manipulation
Day 4 - Excel Automation and Data ManipulationDay 4 - Excel Automation and Data Manipulation
Day 4 - Excel Automation and Data Manipulation
UiPathCommunity
Ā 
From NCSA to the National Research Platform
From NCSA to the National Research PlatformFrom NCSA to the National Research Platform
From NCSA to the National Research Platform
Larry Smarr
Ā 
Chapter 5 - Managing Test Activities V4.0
Chapter 5 - Managing Test Activities V4.0Chapter 5 - Managing Test Activities V4.0
Chapter 5 - Managing Test Activities V4.0
Neeraj Kumar Singh
Ā 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
Enterprise Knowledge
Ā 
MongoDB vs ScyllaDB: Tractianā€™s Experience with Real-Time ML
MongoDB vs ScyllaDB: Tractianā€™s Experience with Real-Time MLMongoDB vs ScyllaDB: Tractianā€™s Experience with Real-Time ML
MongoDB vs ScyllaDB: Tractianā€™s Experience with Real-Time ML
ScyllaDB
Ā 
Automation Student Developers Session 3: Introduction to UI Automation
Automation Student Developers Session 3: Introduction to UI AutomationAutomation Student Developers Session 3: Introduction to UI Automation
Automation Student Developers Session 3: Introduction to UI Automation
UiPathCommunity
Ā 
PoznanĢ ACE event - 19.06.2024 Team 24 Wrapup slidedeck
PoznanĢ ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznanĢ ACE event - 19.06.2024 Team 24 Wrapup slidedeck
PoznanĢ ACE event - 19.06.2024 Team 24 Wrapup slidedeck
FilipTomaszewski5
Ā 
Building a Semantic Layer of your Data Platform
Building a Semantic Layer of your Data PlatformBuilding a Semantic Layer of your Data Platform
Building a Semantic Layer of your Data Platform
Enterprise Knowledge
Ā 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
Ā 
Introduction to ThousandEyes AMER Webinar
Introduction  to ThousandEyes AMER WebinarIntroduction  to ThousandEyes AMER Webinar
Introduction to ThousandEyes AMER Webinar
ThousandEyes
Ā 
Communications Mining Series - Zero to Hero - Session 2
Communications Mining Series - Zero to Hero - Session 2Communications Mining Series - Zero to Hero - Session 2
Communications Mining Series - Zero to Hero - Session 2
DianaGray10
Ā 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
leebarnesutopia
Ā 
An Introduction to All Data Enterprise Integration
An Introduction to All Data Enterprise IntegrationAn Introduction to All Data Enterprise Integration
An Introduction to All Data Enterprise Integration
Safe Software
Ā 
CTO Insights: Steering a High-Stakes Database Migration
CTO Insights: Steering a High-Stakes Database MigrationCTO Insights: Steering a High-Stakes Database Migration
CTO Insights: Steering a High-Stakes Database Migration
ScyllaDB
Ā 
Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!
Ortus Solutions, Corp
Ā 
intra-mart Accel series 2024 Spring updates_En
intra-mart Accel series 2024 Spring updates_Enintra-mart Accel series 2024 Spring updates_En
intra-mart Accel series 2024 Spring updates_En
NTTDATA INTRAMART
Ā 
So You've Lost Quorum: Lessons From Accidental Downtime
So You've Lost Quorum: Lessons From Accidental DowntimeSo You've Lost Quorum: Lessons From Accidental Downtime
So You've Lost Quorum: Lessons From Accidental Downtime
ScyllaDB
Ā 
Discover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched ContentDiscover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched Content
ScyllaDB
Ā 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
UiPathCommunity
Ā 
Call Girls Chennai ā˜Žļø +91-7426014248 šŸ˜ Chennai Call Girl Beauty Girls Chennai...
Call Girls Chennai ā˜Žļø +91-7426014248 šŸ˜ Chennai Call Girl Beauty Girls Chennai...Call Girls Chennai ā˜Žļø +91-7426014248 šŸ˜ Chennai Call Girl Beauty Girls Chennai...
Call Girls Chennai ā˜Žļø +91-7426014248 šŸ˜ Chennai Call Girl Beauty Girls Chennai...
anilsa9823
Ā 

Recently uploaded (20)

Day 4 - Excel Automation and Data Manipulation
Day 4 - Excel Automation and Data ManipulationDay 4 - Excel Automation and Data Manipulation
Day 4 - Excel Automation and Data Manipulation
Ā 
From NCSA to the National Research Platform
From NCSA to the National Research PlatformFrom NCSA to the National Research Platform
From NCSA to the National Research Platform
Ā 
Chapter 5 - Managing Test Activities V4.0
Chapter 5 - Managing Test Activities V4.0Chapter 5 - Managing Test Activities V4.0
Chapter 5 - Managing Test Activities V4.0
Ā 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
Ā 
MongoDB vs ScyllaDB: Tractianā€™s Experience with Real-Time ML
MongoDB vs ScyllaDB: Tractianā€™s Experience with Real-Time MLMongoDB vs ScyllaDB: Tractianā€™s Experience with Real-Time ML
MongoDB vs ScyllaDB: Tractianā€™s Experience with Real-Time ML
Ā 
Automation Student Developers Session 3: Introduction to UI Automation
Automation Student Developers Session 3: Introduction to UI AutomationAutomation Student Developers Session 3: Introduction to UI Automation
Automation Student Developers Session 3: Introduction to UI Automation
Ā 
PoznanĢ ACE event - 19.06.2024 Team 24 Wrapup slidedeck
PoznanĢ ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznanĢ ACE event - 19.06.2024 Team 24 Wrapup slidedeck
PoznanĢ ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Ā 
Building a Semantic Layer of your Data Platform
Building a Semantic Layer of your Data PlatformBuilding a Semantic Layer of your Data Platform
Building a Semantic Layer of your Data Platform
Ā 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Ā 
Introduction to ThousandEyes AMER Webinar
Introduction  to ThousandEyes AMER WebinarIntroduction  to ThousandEyes AMER Webinar
Introduction to ThousandEyes AMER Webinar
Ā 
Communications Mining Series - Zero to Hero - Session 2
Communications Mining Series - Zero to Hero - Session 2Communications Mining Series - Zero to Hero - Session 2
Communications Mining Series - Zero to Hero - Session 2
Ā 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Ā 
An Introduction to All Data Enterprise Integration
An Introduction to All Data Enterprise IntegrationAn Introduction to All Data Enterprise Integration
An Introduction to All Data Enterprise Integration
Ā 
CTO Insights: Steering a High-Stakes Database Migration
CTO Insights: Steering a High-Stakes Database MigrationCTO Insights: Steering a High-Stakes Database Migration
CTO Insights: Steering a High-Stakes Database Migration
Ā 
Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!
Ā 
intra-mart Accel series 2024 Spring updates_En
intra-mart Accel series 2024 Spring updates_Enintra-mart Accel series 2024 Spring updates_En
intra-mart Accel series 2024 Spring updates_En
Ā 
So You've Lost Quorum: Lessons From Accidental Downtime
So You've Lost Quorum: Lessons From Accidental DowntimeSo You've Lost Quorum: Lessons From Accidental Downtime
So You've Lost Quorum: Lessons From Accidental Downtime
Ā 
Discover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched ContentDiscover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched Content
Ā 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
Ā 
Call Girls Chennai ā˜Žļø +91-7426014248 šŸ˜ Chennai Call Girl Beauty Girls Chennai...
Call Girls Chennai ā˜Žļø +91-7426014248 šŸ˜ Chennai Call Girl Beauty Girls Chennai...Call Girls Chennai ā˜Žļø +91-7426014248 šŸ˜ Chennai Call Girl Beauty Girls Chennai...
Call Girls Chennai ā˜Žļø +91-7426014248 šŸ˜ Chennai Call Girl Beauty Girls Chennai...
Ā 

Logs And Backups

  • 1. Logs and BackupsLogs and Backups Charles Southerland (a.k.a. proidiot)Charles Southerland (a.k.a. proidiot) Stuph LabsStuph Labs Information Warfare Summit 2013Information Warfare Summit 2013
  • 2. Imagine an outsider trying to deface yourImagine an outsider trying to deface your organization's website.organization's website. We'll say they're using SQL injection to do this.We'll say they're using SQL injection to do this.
  • 3. The logs will likely give you a trove of informationThe logs will likely give you a trove of information about how the attack occurred, and the backupabout how the attack occurred, and the backup will allow you to revert the changes quickly.will allow you to revert the changes quickly.
  • 4. Now imagine getting attacked by an insider.Now imagine getting attacked by an insider.
  • 5. Those backups suddenly become a liability.Those backups suddenly become a liability.
  • 6. And those logs, which can usually be modifiedAnd those logs, which can usually be modified with ease by an insider, will probably not help youwith ease by an insider, will probably not help you figure out who attacked, how they attacked, orfigure out who attacked, how they attacked, or perhaps even that they attacked at all.perhaps even that they attacked at all.
  • 7. In fact, the logs might be almost as bad to leak asIn fact, the logs might be almost as bad to leak as your backups.your backups.
  • 8. Unfortunately, there doesn't appear to be a good one-size-fits-all way to deal with backups and logs with respect to insider threats at this time.
  • 9. I have no doubt that there is some vendor out there that will sell you a “security in a box” solution to this problem, but I seriously doubt such a solution would be a good choice for many organizations.
  • 10. ...but I have some ideas that might work for some organizations.
  • 11. First: rethink backups
  • 12. Why you might need to recover from backups:
    ● Something went wrong and you can recover quickly
    ● Something catastrophic happened and you must recover carefully
  • 13. The best solution to non-breach recovery is failover. After all, the time it takes to restore from a backup is still downtime.
  • 14. For the actual backups, separately back up sensitive user data, other business data, etc.
  • 15. Use a configuration management system (e.g. Chef, Puppet, CFEngine) and back up those files in a form that necessary personnel can quickly decrypt and use as needed.
  • 16. Encrypt all backups using a cryptosystem that is appropriate for the sensitivity of the particular data, and be sure to always verify the authenticity of the data (e.g. md5sum).
  • 17. Limit access to the onsite backups to a handful of people, and choose different people to grant access to the crypto keys for those onsite backups.
  • 18. Very closely monitor and log all access to the onsite backups. These onsite backups should preferably be kept somewhere from which it would be very difficult to extract information unnoticed (e.g. a computer with an air gap to the network).
  • 19. Keep lots of backups in an offsite facility your employees don't have access to (e.g. Amazon Web Services, Rackspace).
  • 20. Amazon's Glacier would probably be a good choice.
  • 21. Again, profusely log all access to the offsite backups.
  • 22. Treat access to offsite backups like you do the onsite ones: encrypt all data, ensure different people have access to the data vs. the keys, etc.
  • 23. Every 6 months and every time someone leaves who had access to the key or data for the onsite backups, immediately destroy the key and data, create new keys for the new backups, and then randomly assign who will have access to which keys and data.
  • 24. It would be best to have similar practices with regard to the keys and data for the offsite backups, but care must be taken not to handle these actions in an insecure way.
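The following is an added example, not code from the talk, that ties slide 16 (always verify the authenticity of the backup data) to slide 17 (the people holding the backup data are not the people holding the keys). A manifest of per-file SHA-256 digests is stored with the backup, and an HMAC over that manifest is computed with a key the backup store never contains. A plain digest kept beside the archive (md5sum or any other unkeyed hash) only catches accidental corruption, because whoever can rewrite the archive can rewrite the digest too; the keyed tag fails verification unless the key custodian took part. File names, contents and the custodian roles are constructed for illustration.

```python
"""Tamper-evident backup manifest with a separately held MAC key (added example,
not from the talk)."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Tuple


def build_manifest(files: Dict[str, bytes]) -> Dict[str, Dict[str, str]]:
    """Per-file SHA-256 digests; this travels with the backup archive."""
    return {"files": {name: hashlib.sha256(data).hexdigest()
                      for name, data in sorted(files.items())}}


def canonical(manifest: Dict) -> bytes:
    """Deterministic serialisation so the MAC is reproducible."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def seal_manifest(manifest: Dict, mac_key: bytes) -> str:
    """HMAC-SHA256 tag over the canonical manifest, computed by the key custodian."""
    return hmac.new(mac_key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_backup(files: Dict[str, bytes], manifest: Dict, tag: str,
                  mac_key: bytes) -> Tuple[bool, List[str]]:
    """Check the manifest's tag first, then every file against the manifest.

    Returns (ok, problems). The tag comparison is constant-time.
    """
    if not hmac.compare_digest(seal_manifest(manifest, mac_key), tag):
        return False, ["manifest MAC mismatch"]
    expected = manifest["files"]
    problems = []
    for name in sorted(set(expected) | set(files)):
        if name not in files:
            problems.append(f"missing: {name}")
        elif name not in expected:
            problems.append(f"unexpected: {name}")
        elif hashlib.sha256(files[name]).hexdigest() != expected[name]:
            problems.append(f"modified: {name}")
    return not problems, problems


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Run the check on a constructed backup set in three states."""
    # Constructed sample backup set (the data custodian's side).
    files = {
        "users.db": b"id,email\n1,alice@example.invalid\n",
        "config/site.yml": b"title: Example\n",
    }
    # The MAC key lives with the key custodian, never in the backup store.
    mac_key = secrets.token_bytes(32)
    manifest = build_manifest(files)
    tag = seal_manifest(manifest, mac_key)

    results = {"clean": verify_backup(files, manifest, tag, mac_key)}

    # One record changed in the archive; the manifest still lists the old digest.
    altered = dict(files)
    altered["users.db"] = b"id,email\n1,mallory@example.invalid\n"
    results["altered_data"] = verify_backup(altered, manifest, tag, mac_key)

    # Archive and manifest rewritten consistently, but the tag cannot be
    # recomputed without the key, so the check fails at the first step.
    results["altered_manifest"] = verify_backup(
        altered, build_manifest(altered), tag, mac_key)
    return results


if __name__ == "__main__":
    for state, (ok, problems) in demo().items():
        print(f"{state}: {'OK' if ok else 'FAIL'} {problems}")
```

In a real deployment the digests would be computed over the already-encrypted archive members, so the data custodian can verify a restore candidate before anyone with the decryption key is involved, and the manifest tag would be recomputed as part of every key rotation described in slide 23.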
  • 25. Next: rethink logs
  • 26. It is vital to ensure that none of the sensitive data leaks into the logs.
  • 27. However, all other data, no matter how menial, should be recorded in the logs.
  • 28. Hard drive space is very cheap and big data can be extremely useful...
  • 29. ...so open the floodgates (e.g. this user requested this page by following this link from this IP address at this time from a browser with this agent string)
  • 30. You can use Apache Hadoop to analyze this data and do cool things like...
  • 32. ...or determine user preferences
  • 33. ...or better protect your network
  • 34. You will accumulate an incredible amount of log data, but the sheer size could prove to be a deterrent to would-be attackers
  • 35. Not to mention that all access to the onsite and offsite logs will also be heavily logged
  • 36. Access to the verbose offsite logs will rarely be time sensitive, so access to those keys could be much more heavily restricted apart from those times
  • 37. Not all of these suggestions will work for every organization
  • 38. The logs you keep on site do not need to be all that verbose
  • 39. And you don't really need to keep the onsite logs for very long (they're only needed to document the things that the IT dept can fix in a short time)
  • 40. Also, as these approaches would likely require a significant amount of resources to set up and maintain, it would likely not be cost effective for some organizations
  • 41. However, the kinds of organizations that Infragard focuses on would have such a high potential cost to an insider threat that alternate approaches to this problem must at least be considered
  • 42. While there is currently no best solution to the problems that insider threats pose to logs and backups, I feel it would be negligent not to continue looking for one.