“Hole in the Wall – The Human Factor in Security”
13 September 2012
Mohd Rafiq Mohamed [email protected]
Overview
• Information sharing and information dissemination
• Extranet and intranet
• E-commerce and e-learning
• Wikipedia
Web applications are intended to increase employee productivity!
Businesses need Internet access.
THREAT!!
"The Internet is full of information, but the Internet is also full of..."
• Viruses
• Hackers
• Privacy threats
• Spam
• Pop-ups
• Trojan horses
• Worms
• Spyware
• Cookies
• Intrusions
• Phishing
Do you have an effective means of keeping your business running smoothly by eliminating all of these threats and annoyances?
Threats From Everywhere
Threats can target any of:
• Confidentiality
• Integrity
• Availability
The Consequences of Inadequate Security (cont'd)
Top 10 Security Vulnerabilities
[Diagram: a typical corporate network (Internet, border router, Internet/DMZ servers, internal router, internal LAN, remote access servers, mobile/home user), with each of the ten weaknesses below marked where it occurs.]
1. Inadequate router access control
2. Unsecured or unmonitored remote access
3. Information leakage via DNS zone transfers and chatty services (SMTP, telnet)
4. Running unnecessary services (FTP, DNS, SMTP)
5. Weak or reused passwords
6. User accounts with excessive privileges
7. Misconfigured Internet servers
8. Misconfigured firewall or router
9. Unpatched, outdated or default-configured software
10. Excessive (overly permissive) file and directory access controls
Source: Hacking Exposed, McClure, Scambray & Kurtz, McGraw-Hill
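Item 10 is the one a user or administrator can check for themselves in minutes. The following is an added example, not code from the slides or from Hacking Exposed: a small POSIX permission audit that reports world-writable files and directories (a world-writable directory without the sticky bit lets any local user replace what is in it), setuid/setgid executables, and world-readable files whose names suggest a private key. The demo tree it builds is constructed in a temporary directory; the file names are made up for illustration.

```python
"""Audit a directory tree for overly permissive file and directory modes.

Added example (not from the original slides): flags the common findings
behind "excessive file and directory access controls" on a POSIX host.
"""
import os
import shutil
import stat
import tempfile

# File names that usually hold secrets; assumption for the demo, extend as needed.
SECRET_SUFFIXES = (".key", ".pem", "id_rsa", ".p12")


def audit_tree(root):
    """Return a list of (path, finding) tuples for every permission problem under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry; nothing to report
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink modes are meaningless; the target is audited on its own
            is_dir = stat.S_ISDIR(mode)
            # World-writable is a finding unless it is a sticky directory such as /tmp.
            if mode & stat.S_IWOTH and not (is_dir and mode & stat.S_ISVTX):
                findings.append((path, "world-writable"))
            # setuid/setgid on files run with the owner's or group's privileges.
            if not is_dir and mode & stat.S_ISUID:
                findings.append((path, "setuid"))
            if not is_dir and mode & stat.S_ISGID:
                findings.append((path, "setgid"))
            # A world-readable private key is a credential leak, not just a mode problem.
            if not is_dir and mode & stat.S_IROTH and name.endswith(SECRET_SUFFIXES):
                findings.append((path, "world-readable secret"))
    return findings


def build_demo_tree():
    """Construct a throwaway tree exhibiting each finding (demo data, not real paths)."""
    root = tempfile.mkdtemp(prefix="permaudit_")
    readme = os.path.join(root, "readme.txt")      # 0644: fine
    shared = os.path.join(root, "shared.doc")      # 0666: anyone can tamper
    tool = os.path.join(root, "backup_tool")       # 4755: setuid binary
    key = os.path.join(root, "server.key")         # 0644: readable private key
    dropbox = os.path.join(root, "dropbox")        # 0777, no sticky bit
    for path in (readme, shared, tool, key):
        with open(path, "w") as fh:
            fh.write("demo\n")
    os.mkdir(dropbox)
    os.chmod(readme, 0o644)
    os.chmod(shared, 0o666)
    os.chmod(tool, 0o4755)
    os.chmod(key, 0o644)
    os.chmod(dropbox, 0o777)
    return root


def run_demo():
    """Audit the demo tree and return {relative path: set of findings}; cleans up after itself."""
    root = build_demo_tree()
    try:
        report = {}
        for path, finding in audit_tree(root):
            report.setdefault(os.path.relpath(path, root), set()).add(finding)
        return report
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, problems in sorted(run_demo().items()):
        print("%-12s %s" % (rel, ", ".join(sorted(problems))))
```

On a real host, point `audit_tree` at a web root, `/etc`, or a shared drive and review every line it prints; the sticky-bit exception is the only case in which a world-writable directory is normally acceptable.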
Users Don't Get It
Reasons employees gave for altering the security settings on their computers (Cisco 2008 white paper):
• There's nothing important on my computer
• We have antivirus software, so my computer is protected from everything
• All threats come from the outside
• It's not my job / I'm too busy to worry about security
• Technology provides full protection
Users Don't Get It
• Employees are the security black hole
Example: RSA's SecurID breach, 2011
– In March, an employee opened an Excel attachment from an e-mail that had landed in the junk folder
– Malware carried by the attachment created a backdoor on the system
– The attackers escalated their privileges and copied SecurID token data from a database
– 40 million customers affected
– Result: RSA customers (L-3 and Lockheed Martin) were attacked in April and June
[Slide: the phishing e-mail that was sent to the RSA employee]
Why: Users Don't Get It
Most common mistakes:
• Poor password management
• Workstation attached to the network and left unattended
• Malicious e-mail attachments
• Ineffective antivirus software
• Uncontrolled laptops
• Unreported security violations
• Updates, hotfixes and service packs not installed
• Poor perimeter protection
  – electronic
  – physical
What?
• Data backup/restore
• Physical security
• Portables
• Social engineering
• IDs/passwords
• E-mail
• Wireless
• Malicious software
Data Backup/Restore
• Users are responsible for communicating their needs
• IT is responsible for making sure it happens
  – included in IT procedures
  – tools supplied to users
Physical Security
• Every user is an extension of the security force
• Lock offices as often as practical
• Restrict open external entrances
• Technology
  – cameras
  – motion sensors
  – alarm systems
  – tags
Portables
• Favorite target of thieves
• Less likely to draw attention
• Easily hidden
• "Turn" fast at pawn shops and online
• Almost always contain "sensitive" data
Social Engineering
• "This is (manager, director, etc.) and I need..."
• "This is Sue with the Help Desk and we are:
  – verifying your passwords..."
  – troubleshooting logon problems..."
  – got your (bogus) request to change your..."
• E-mail attachments
• Dumpster diving
• Recovering data from surplus equipment/media
ID/Passwords
• Users are responsible for what happens with their ID/password
• If you HAVE to write them down, treat the paper like a credit card
• Change passwords if there is any possibility they have been compromised
• Use complex passwords
• The sanctions for not protecting login credentials are...
ID/Passwords
Passwords are like underwear:
• Change yours often!
• Don't leave yours lying around!
• The longer, the more protection!
• Don't share yours with friends!
• Be mysterious!
E-Mail
• E-mails exist in multiple places
• Deleting an e-mail from one place does not delete it from anywhere else
• Be aware of "bcc"
• Spam effects and avoidance
• Verify attachments before opening
• Don't send confidential information via standard e-mail
• E-mail can be forged
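"E-mail can be forged" and "verify attachments before opening" are the two points the RSA incident above turns on, so here is what verifying actually looks like in code. This is an added example, not from the slides: it parses a message with Python's standard library and flags the signals an analyst or mail gateway checks first: an address smuggled into the display name that does not match the real sender, a From: domain that differs from the envelope sender (Return-Path), failed or missing SPF/DKIM results, and attachments in formats that can carry macros or embedded objects. Both sample messages are constructed for the demo; every domain, name and host in them is made up.

```python
"""Header and attachment checks for a suspicious e-mail.

Added example (not from the original slides). Demonstrates the checks behind
"E-mail can be forged" and "verify attachments before opening".
"""
import re
from email import message_from_bytes
from email.utils import parseaddr

# Extensions treated as risky; assumption for the demo, tune to your environment.
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".xls", ".xlsm", ".doc", ".docm", ".zip")

# Constructed phishing sample: forged display name, mismatched envelope sender,
# failed SPF, no DKIM, and a legacy Excel attachment.
SAMPLE = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (203.0.113.5) by mx.example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "HR Department <hr@example.com>" <recruit@example-hr.net>
To: employee@example.com
Subject: Recruitment plan
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please review the attached plan.
--XYZ
Content-Type: application/vnd.ms-excel; name="plan.xls"
Content-Disposition: attachment; filename="plan.xls"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""

# Constructed benign sample: consistent sender, passing SPF/DKIM, no attachment.
CLEAN = b"""Return-Path: <alice@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "Alice Lee" <alice@example.com>
To: employee@example.com
Subject: Lunch on Friday?
Content-Type: text/plain

Are you free at noon?
"""


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_bytes(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. An address written into the display name, hoping the reader never sees the real one.
    shown = re.search(r"[\w.+-]+@[\w.-]+", display)
    if shown and domain_of(shown.group(0)) != from_dom:
        findings.append("display-name spoof: %s shown, real sender %s" % (shown.group(0), from_addr))

    # 2. Envelope sender (what SPF is evaluated against) from a different domain than From:.
    _, ret_addr = parseaddr(msg.get("Return-Path", ""))
    if ret_addr and domain_of(ret_addr) != from_dom:
        findings.append("return-path domain %s != from domain %s" % (domain_of(ret_addr), from_dom))

    # 3. Authentication-Results as stamped by the receiving MX; anything but pass is a finding.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim"):
        match = re.search(r"\b%s=(\w+)" % mech, auth)
        result = match.group(1) if match else "missing"
        if result != "pass":
            findings.append("%s=%s" % (mech, result))

    # 4. Attachments in formats that can execute code or carry macros.
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXT):
            findings.append("risky attachment: %s" % fname)
    return findings


if __name__ == "__main__":
    for label, raw in (("phishing sample", SAMPLE), ("clean sample", CLEAN)):
        print(label + ":", analyze(raw) or "no findings")
```

None of these checks proves a message is malicious on its own; a forwarded message legitimately has a different Return-Path, and SPF fails for some mailing lists. Taken together, though, they are exactly what a user cannot see from the From: line in a mail client, which is why the advice to verify before opening needs tooling behind it.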
Wireless
• Don't plug in your own wireless access point
• Don't change the secure configuration:
  – to make it work with your home network
  – so it will connect in the airport
  – to access other facilities' networks
• Use a wire when available
  – faster
  – more secure
  – less competition for access point bandwidth
Malicious Software
• Leave virus protection and firewall programs running
• Check for or allow updates
• Recognize potential malicious activity:
  – hard drive running when no programs are running
  – unusual or unexpected logon screens
  – boot-up speed or sequence changes
  – performance degradation
  – returned e-mails
The 5Q
Remember..!!!
"Prevention is always better than cure."
THANK YOU