Essential Strategies for Protecting Against the New Wave Of Information Security Threats Abe Usher, CISSP Sharp Ideas LLC

Essential Strategies for Protecting Against the New Wave Of

Information Security Threats

Abe Usher, CISSPSharp Ideas LLC

2

About the presenter

> Abe Usher> CISSP> Master’s degree in Information Systems> Ideas published in Wired Magazine,

Network World, New Scientist Magazine, Business Week On-line and others

> Creator of slurp.exe> Principal architect of SecurityBuzz.org

3

Webinar agenda

> Review of security concepts> New threats> Pod slurping> Data theft in the news> Strategies for reducing risk> Questions and wrap up

4

Information security:key terms

> Confidentiality

> Integrity

> Availability

5


> Network security

> Application security

> Host security (endpoint security)

6


Network

Application

Host (Endpoint)

Typically strong

Moderate

Weak (non-existent?)

7

Information security:new threats

The widespread introduction of computing devices and portable storage in the enterprise bring significant risks:

> iPods> USB and Firewire storage> Bluetooth accessories> PDAs> Unauthorized wireless

8

Endpoint: entry vectors

Optical drives

PDAs

Smart phones

Firewire

USB accessories

RJ-45 net

WiFi

Bluetooth

9

Universal Serial Bus (USB)

> Originally developed in 1995 as an external expansion bus to make adding peripherals easy.

> “Universal” acceptance of USB – virtually all new PCs come with one or more USB ports.

> New USB 2.0 allows data transfer at a rate 40 times faster than USB 1.1 (480 Mb/second)

10

USB devices:the good

> Supported by all vendors on all major operating systems

> Productivity booster in the proper context

> USB has reduced cost and complexity of peripherals

> Convenient data exchange between computers

11

USB devices:the bad

> Modern operating systems do not provide granular control over the use of USB devices (e.g. No auditing)

> Most commercial organizations do not have clear policies on the use of USB devices

> Most organizations do not understand the security implications of USB devices

12

The importance of information

> The currency of the Information Age is the bit.

> Information economies gain competitive advantage through creating, analyzing, and distributing information.

> Organizations that fail to protect their information resources jeopardize their own future.

13

Adapt your security infrastructureor become a statistic

Privacy Rights Clearing House | Washington Post, June 22, 2005

14



15



16

Digital media players and portable storage

> More than 42 million iPods sold> Other digital media players

increasingly popular> USB thumb drives reaching low

price point and ubiquitous adoption

17

Information security:in the news

18


19


20


> Unauthorized use of computers increased

> Unauthorized access to information and theft of proprietary information showed significant increases in average loss per respondent ($303,324 and $355,552 respectively)

21


22


23


Additional resources available at:

http://www.sharp-ideas.net/ideas/

37 additional stories from the news media related to data theft

26 messages from prominent information security mailing lists discussing data leakage / data theft

24

Information security:traditional threats

> External hackers

> Malicious code outbreaks

> SPAM

> Spyware

> Phishing

25

Traditional threats(network security)

Hacker activity

Worms & viruses

SPAM

Spyware

Phishing

26

Traditional threats(network security)

Hacker activity

Worms & viruses

SPAM

Spyware

Phishing

Firewall

Intrusion Detection

SPAM filtering

Anti-Spyware

Phishing filtering

27

Emerging threats:endpoint security

> Widespread adoption of portable storage and digital media players USB

Firewire

28



Firewire

> Wireless trend in peripherals & secondary components Bluetooth

802.11

29



Firewire

> Wireless trend in peripherals & secondary components Bluetooth

802.11

> Bottom line: Network security strategies do nothing to protect against devices connected inside of your enterprise network.

30

Evolution of security threats

31

Computing capacity vs.human skill

0

20

40

60

80

100

120

140

160

1995 1998 2001 2004

User skill

Computingpower

The rate that computing power increases is vastly greater thanthe rate that computer users achieve new understanding.

32

Information security:new solutions

> Comprehensive policies that account for portable computing devices, wireless computing, and a mobile workforce

> User awareness of security issues and policies

> Technical solutions that mitigate access of storage and communication devices at the endpoint

33

5 Point strategy to remain secure

1) Assess your technology environment

2) Adapt your security policy

3) Have a user awareness plan

4) Put your policies and procedures into action

5) Assess effectiveness and revise your policy

34

Strategy #1:Assess your technology environment

At a minimum define:> Critical information and information systems> System owners> System users:

employeescontractorsbusiness partners

> Most likely vulnerabilities and threats to endpoint security

35

Strategy #2:Revise your security policy

At a minimum, revise these two areas:> Corporate acceptable use policy> Use of personal computing devices:

USB storageBluetooth peripheralsPersonal media players (e.g. iPod)PDAsOptical drivesMulti-function phones

36

Strategy #3:User awareness

> Inform users of security issues and their responsibilities through

awareness initiativestrainingeducation

> References:NIST 800-50 “Building an Information Technology Security Awareness and Training Program”NIST Awareness, Training, Education http://csrc.nist.gov/ATE/

37

Strategy #4:Implement your policies and procedures

> Assign specific responsibilities> Deploy required technical

solutions

38

Strategy 4:Assign specific responsibilities

> Security manager> Managers> IT staff> Employees> Contractors

> Restrict privileges to critical information to those who require it to be productive

39

Strategy #4:Deploy required technical solutions

> Based on your internal analysis of vulnerabilities and threats, protect essential data:

in active usein active storagein archival storagein transmission

40

Strategy 4:Example technical solutions

Information state Sample solutions

Active use Operating system controlsEndpoint security suiteHardware restrictions

Active storage Endpoint security suiteWindows EFS

Archival storage File Encryption

Transmission Web: SSL (HTTPS)WiFi: WEPEmail: Winzip with AES 256 bit encryption

41

Strategy 4:Example technical solutions

Information state Sample solutions

Active use Operating system controlsEndpoint security suiteHardware restrictions

Active storage Endpoint security suiteWindows EFS

Archival storage File Encryption

Transmission Web: SSL (HTTPS)WiFi: WEPEmail: Winzip with AES 256 bit encryption

(1) Access control, (2) audit activities, (3) detect events in real-time

42

Strategy #5:Assess effectiveness and revise strategy

> All business systems require a feedback loop

> As your operating context changes, so too will your security solutions

> If/when you have endpoint security incidents, be sure to revise your policies appropriately

43

Conclusions

> We've only witnessed the tip of the iceberg related to data theft

> Incident prevention is significantly less costly than incident response

> Addressing the issue at the endpoint provides the best ratio of risk reduction per dollar

> Tailor the recommended strategies to your organization's business requirements

44

USB SticksUSB Sticks

PDAsPDAs

Ext. USB DrivesExt. USB Drives

iPods & Music Players

iPods & Music Players

USB Stick

iPod’s &MP3 players

PDA’s &Blackberry’s

DigitalCameras &

compact flash

CD/DVD& Diskettes

USB Drives

Media Classes

Centrally manage and protect networks from threats associated with removable media devices:

•Data theft•Virus and malware propagation•Computer misuse.

45

Customer Data

Intellectual Property

Corp. Knowledge

DesperateHousewives

Viruses

Malware

How DeviceWall Works

46

Effective Management Reporting

47

DeviceWall 1-minute Overview

> Measured response to known risk• Intuitive and comprehensive auditing• Easy policy creation and deployment• Effective guard against unwanted device connections

> Minimal overhead and ongoing cost of ownership• Low cost of acquisition• Deploy in minutes, update automatically• Temporary access tools keeps users productive• Communication minimizes calls to helpdesk

> Intuitive, fast and effective to manage• No specialist training required• No need for dedicated staff to run Control Center

48

> Supported platforms• Windows NT, 2000, XP, 2003

> Devices managed• PDAs, USB memory, MP3 players, PDAs, CompactFlash,

optical drives, external hard drives, digital cameras, mobile phones, Firewire ports, Bluetooth ports and more

> Server Requirements• Pentium, 128MB RAM, 512MB Hard Disk

> Network Requirements• MS IIS 5.0+, Active Directory & NT domains supported

Technical Specifics

49

We hope that you have enjoyed this presentation on protecting against the future information security

threats. To gain additional information, please examine the following resources:

www.sharp-ideas.net

www.devicewall.com

50

Program Note

This webinar is sponsored by Centennial Software.All referenced research is copyrighted 2006 by Sharp Ideas

LLC, and/or its affiliates. All rights reserved.

Every reasonable attempt has been made to present accurate and reliable information. However, Sharp Ideas LLC disclaims all warranties as to the accuracy, completeness or adequacy of information contained within the webinar. Sharp Ideas LLC shall have no liability for errors, omissions, or inadequacies in the information contained herein or for interpretations thereof.

The opinions expressed herein are subject to change without notice.

Documents

Essential Strategies for Protecting Against the New Wave Of Information Security Threats Abe Usher, CISSP Sharp Ideas LLC