Learn how Computer Network Security can be put at risk and how SAGE can help fix it
The Seven Bad Things People Do To Endanger Their Network Security
(…Explained in Plain English)
Presented by SAGE Computer Associates, Inc.
• SAGE Computer Associates, Inc.:
– In business for 19 years
– Hundred person-years of experience
– Worked with many businesses
– Certified Security Administrator on staff
– Certified Microsoft Engineers on staff
– Certified Novell Engineers on staff
Take away from today’s talk
• Nothing is secure
• However, NO HEADS IN THE SAND
• Inexpensive steps you can take NOW
• Even on your home PC.
“There is nothing more secure than a computer which is not connected to the network --- and powered off!”
What are the Seven Things?
• No Policies
• Bad Passwords
• No Virus Protection
• No Backup
• Inadequate protection against hackers
• Don’t keep up with patches/fixes
• Unrestrained e-mail/instant messaging
Mistake #1: No Policies
• Data Security: Do you know who sees and has access to what data? And should they have that level of access?
• Termination policies: Disgruntled employees are the second most common source of network sabotage
• Remote access: A common hole in network security
• Computer usage: Non-business activities that open your network up to attack
• Internet usage: You know there’s LOTS of bad stuff out there – but do you know just how much?
• Confidentiality awareness: Think about what your employees know about your business
• Hire the right people! It’s more important than you may think
Internet Usage at Work
• Productivity Issues:
– Cyber-loafing accounts for 30% to 40% of lost worker productivity (Business Week)
– 90% of those surveyed indicated that they view non-work related web sites during work hours. (Vaultreports.com)
• Resource use
– Downloading music/videos takes A LOT of network resources
More Reasons to Care
• Legal Liability
– One in five men and one in eight women admitted using their work computers as their primary lifeline to sexually explicit material online (MSNBC)
– Since the company is the one that gave employees access, the company is liable … unless the company can show it took reasonable steps to prevent problems (Corporate Politics on the Internet: Connection without Controversy)
Implement the Policies!
– Appropriate Security on the Network
• Administrative/Supervisor rights
• Appropriate Security for users
More Confidentiality Awareness
• Training
– particularly to address Social Engineering
“outside hackers’ use of psychological tricks on legitimate users of computer systems to get passwords/user-ids to get access to systems”
www.morehouse.org/hin/blckcrwl/hack/soceng.txt
Mistake #1: No Policies
How can we help?
Request a copy of our sample policies for:
- Internet Usage
- E-mail Usage
- Virus Protection
and get SAGE to help you implement them
Mistake #1: No Policies
How can we help?
• Internet Monitoring
– Monitor where people go on the Internet
– Create reports
– Block offensive/other sites - list updated 2x/week
– Block specific kinds of traffic (music, photographs, etc)
– Block specific addresses
– Block specific users
– Block usage during specific times
Mistake #2: Bad Passwords
– 40% of all passwords are the word ‘password’
– Difficult passwords are hard to administer
http://www.slac.stanford.edu/comp/security/password.html
Password Guidance
• Password No-No’s:
– less than eight characters
– a word found in a dictionary (English or foreign)
– a common usage word such as names of family, pets, friends, co-workers, fantasy characters, etc.
– Computer terms and names, commands, sites, companies, hardware, software.
– Birthdays/other personal information such as addresses and phone numbers.
– Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
– Any of the above spelled backwards.
– Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
Password Guidance
• Password Suggestions (Strong passwords)
– Contain both upper and lower case characters (e.g., a-z, A-Z)
– Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\ {}[]:";'<>?,./)
– Are at least eight alphanumeric characters long.
– Are not a word in any language, slang, dialect, or jargon.
– Are not based on personal information, names of family, etc.
– Easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~"
Mistake #2: Bad Passwords
How We Can Help:
• Password Cracking Tool: L0phtCrack www.sunbelt-software.com
- Runs in the background
- Can collect all passwords, given enough time
We will run this for you and help you implement a policy
Future Solutions
• Security Tokens - Secure Computing solution
• Biometrics
Mistake #3: No Virus Protection
• Different threats under the same name:
– Virus
– Worm
– Trojan horse
– Malicious code
– Blended Threat
– Hoax
– Denial of Service DoS (not a virus)
Virus Security
• Example of malicious code
From: Microsoft Corporation Security Center <[email protected]>
To: Microsoft Customer <'[email protected]'>
Subject: Internet Security Update
Attachment: q216309.exe
Microsoft Customer, this is the latest version of security update, the "7 Mar 2002 Cumulative Patch" update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities, and is discussed in Microsoft Security Bulletin MS02-005. Install now to protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run code on your computer.
Description of several well-known vulnerabilities:
Would you have recognized this as a threat?
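A filter for the kind of lure shown above, added here as an example (it is not code from the slides or from SAGE). The sample message is constructed with placeholder addresses and a dummy payload, and the list of executable extensions is an assumption.

```python
import os
import re
from email import message_from_string

# Attachment types Windows runs on double-click. A vendor patch never arrives this
# way (Microsoft's stated policy is not to ship updates as e-mail attachments), so
# any hit here is treated as malicious code, whatever the From: line claims.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Constructed sample modelled on the lure quoted above: placeholder addresses,
# and the attachment body is a few dummy base64 bytes, not real malware.
SAMPLE_MESSAGE = """\
From: Microsoft Corporation Security Center <security-update@example.invalid>
To: Microsoft Customer <customer@example.invalid>
Subject: Internet Security Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Microsoft Customer, this is the latest version of security update. Install now.
--sep
Content-Type: application/octet-stream; name="q216309.exe"
Content-Disposition: attachment; filename="q216309.exe"
Content-Transfer-Encoding: base64

TVpkdW1teQ==
--sep--
"""


def executable_attachments(raw_message: str) -> list:
    """Return the filenames of every attachment whose extension is in EXECUTABLE_EXTENSIONS."""
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name.lower())[1] in EXECUTABLE_EXTENSIONS:
            hits.append(name)
    return hits


def lure_indicators(raw_message: str) -> dict:
    """Signals the slide's example shows: a runnable attachment plus text urging an install."""
    msg = message_from_string(raw_message)
    text = msg["Subject"] or ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text += " " + part.get_payload(decode=True).decode("utf-8", "replace")
    return {"executable_attachments": executable_attachments(raw_message),
            "urges_install": bool(re.search(r"security update|patch|install now", text, re.I))}
```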
Virus Security
• Anti-Virus software
• MUST BE UPDATED!!
• Home users need it as much as business users
• By subscription - TrendMicro, Symantec, other vendors
Virus Security
• Business users should be set up to update automatically without ‘human intervention’
• Training
• Many websites, ‘kits’ available to write your own viruses
– http://orbita.starmedia.com/~lautaroml/virus.html
Virus Security
• Turn off the Preview Pane in Outlook
– Click on View, unclick ‘preview pane’
• Turn off disk and printer sharing in Windows
– Start button, click ‘Settings’, ‘Control Panel’, ‘Network’ and make sure ‘share disk’ and ‘share printer’ are NOT checked
Mistake #3: Virus Security
How We Can Help
• Virus Software Audit
• Network Audit
Mistake #4: No Backup
• Most people believe this is covered, BUT
– Data stored on local drives
– Data not restorable
– Tapes not taken off site
– Not enough data backed up
– Open files not handled
Mistake #4: No Backup
How We Can Help
• Backup Audit
Future Solutions
• Internet-based backup
• Optical Storage
Mistake #5: Inadequate Protection Against Hackers
• Firewalls
– Blocks incoming traffic
– From free to millions $$$$
EVERYONE MUST HAVE ONE
www.zonelabs.com – Software (home)
www.sonicwall.com – Appliance (business)
Mistake #5: Inadequate Protection Against Hackers - If you host your own website
• Incoming Web Traffic
– SSL certificates
– Different type of firewall
– Data available for customers on your website has to be segregated from the rest of the company data
– Outsourcing
Internet Security
• What to ask your outsourced web hoster
– Power back up
– Internet connection redundancy
– Which firewall?
– Data back up
– Business questions – How can I make changes?
– Register your URL in YOUR name
Mistake #5: Inadequate Protection - How we can help
• Port Scan
– Reports open ports/vulnerabilities
Mistake #6: Not Keeping Up with Patches/Service Packs
• Difficult to Keep Pace—But Imperative
– Your lack of patching can help spread viruses to other networks
– Workstation updates are now part of the problem too
Mistake #6: Staying Current - How we can help
• Penetration Testing
– Check for documented vulnerabilities
Mistake #7: Unrestrained Email, Instant Messaging
• “E-mail is like sending a postcard on the Internet”
– Can be read by many people (your ISP, any system admin at any server along the message path, your employer, the US Government using Carnivore/Echelon or other software).
http://www.surfcontrol.com/business/products
– Can be re-sent to someone else, looking like it came from you.
Solution to E-Mail Security
• PGP “Pretty Good Privacy”
– Download free copy at www.pgpi.org
– Go see Phil at http://web.mit.edu/prz/
• Digital ID
digitalid.verisign.com
E-Mail Security
Email Gaffes
- BBC sports executive sends “I think they’re both crap” email (about two on-camera execs) to entire BBC sports staff (500 people)
- London lawyer forwards message from his girlfriend re: “intimate act”; his colleague forwards it to others and, in hours, it spreads across the whole Internet. 6 people suspended from their jobs.
Email Protocol/Guidance
– http://www.bmcc.cc.or.us/cs/cs125e/notes/etiq.htm
– http://www.cio.com/archive/120100/diff.html
Instant Messaging (IM)
• AOL Instant Messaging/ICQ/Yahoo Messenger/MSN Messenger/other packages
– The good news?
• they’re free
– The bad news?
• Completely not secure
• People can pretend to be who they are not
• With no policies in place, users have no guidelines on what they can/cannot say
Instant Messaging Security
• Centralize it
– Log the traffic
– Encrypt the traffic (PGP has a module for this)
– Establish policies
OR
• Block it
Steganography
• “Embedding secret messages in other files in a way that prevents an observer from learning anything unusual is taking place”
– Greek soldiers tattooed maps on their heads, and then grew their hair out
– Romans obscured messages by applying layers of wax onto the tablets on which they were written, then melted the wax to read the message.
– Osama bin Laden and his associates have been using steganography to hide terrorist plans inside pornography and MP3 files freely distributed over the Internet.
Resources
• Pretty Good Privacy for email: www.pgpi.org
• Firewalls
– www.zonelabs.com (free personal firewall) - see this link for article about it: http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2870704,00.html
– http://www.firewall.com/ good general site for tech info
• Virus software
– www.symantec.com
– www.trendmicro.com (don’t use the free trial - pay for the real software)
Resources
• Steganography
http://members.tripod.com/steganography/stego.html
• Basic Security website:
http://online.securityfocus.com/infocus/1560
• Security Certifications - Information Systems Security Association
www.issa-intl.org/certification.html
Our Offer
• When you fill out the evaluation form, you can choose one of the services at no charge:
1. Policy creation
2. Virus protection audit
3. Backup Audit
4. Open Port Scan
5. Patch/Service Pack Audit
6. Internet Monitoring Pilot
7. Network Audit
Don’t Let the Perfect Interfere with the Good:
• Download the policies if you don’t already have them
• Choose one of the free services on the evaluation form to get started measuring the problem.
• Download the free firewall (zonelabs.com) and the not-free virus software for your home PC