
Information Security: A mindset, not a product


An overview of IT security threats, common weaknesses in IT networks, and policies and procedures for reducing risk.


Page 1: Information Security: A mindset, not a product

Making Business Smarter

Information Security -

A mindset, not a product

www.SAGEcomputer.com ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved

SAGECare®

Security Practice

Customer Appreciation Days

Page 2: Information Security: A mindset, not a product


Introductions

• SAGE Computer Associates, Inc

– Designing, installing, supporting computer networks since 1983

– Experience supporting 300+ clients

– Certified engineers on staff

• Jeff Cohn

– President

• Jason Appel

– Security Practice Manager

– CISSP, CCSP, INFOSEC, MCSE, MCT, MCSA, CCDA, CSSA


Page 3: Information Security: A mindset, not a product


This morning...

• In the news...

• What is Information Security

• AAA – Authentication, Authorization, Accounting

• Threat Identification

• Policies

• Case studies: recent local incidents


Page 4: Information Security: A mindset, not a product


In the news…


Page 5: Information Security: A mindset, not a product


Information Security

NOT about computers

It’s about the information…


Page 6: Information Security: A mindset, not a product


Information Security Goal: IAC triad

• Integrity

• Availability

• Confidentiality


Page 7: Information Security: A mindset, not a product


Integrity

• Information is valid and usable

• Confidence in the information

– Garbage in, garbage out

• Preventing accidental or malicious changes

• Only authorized changes


Page 8: Information Security: A mindset, not a product


Availability

• Information is there when needed

• Redundant systems

– RAID

– Power

– Network

– Server clusters

– Virtualization


Page 9: Information Security: A mindset, not a product


Availability

• Data backup, backup… oh, and backup again

– Backup testing

– Offsite storage

– Media encryption

• Business Continuity/Disaster Recovery Plan

– PLAN (a GOOD 4 letter word)

– Practice

– Based on roles, not persons


Page 10: Information Security: A mindset, not a product


Confidentiality

• Only those authorized have access to information

• File permissions and rights

– Limit access

• Communications

– Email, voice, file transfer

• Encryption

• Various models for information classification

– Could be time sensitive

• Data Destruction


Page 11: Information Security: A mindset, not a product


AAA – Who, What, Where of IAC

• Authentication: who are you?

– Username/password

– Two-factor authentication

– Passwords...

• Authorization: what can you do?

– Rights and permissions

• Accounting: who did what?

– Logging, auditing and tracking

• Identification and deniability


Page 12: Information Security: A mindset, not a product


Threat Identification: External

• Breach (Confidentiality, Integrity, Availability)

– Possible external access to information or systems

• Identity Theft (Confidentiality)

– Using someone’s personal data for financial gain

• Social Engineering (Confidentiality)

– Using confidence (con) to gain access to information

– Often used to gain information to create a breach

• Spam (Availability, Integrity)

– Unsolicited email

– May contain malicious code or phishing links

• Phishing (Confidentiality)

– Spoofed (fake) message to trick people into posting information

– Often used as basis for identity theft

Page 13: Information Security: A mindset, not a product


Threat Identification: External

• DoS - Denial of Service - (Availability)

– Service is not available for legitimate use

• Cracking/hacking (Integrity, Confidentiality, Availability)

– Unauthorized, actively accessing systems

• Malicious code (Integrity, Confidentiality, Availability)

– Program or script that will cause harm - aka Malware

– Viruses - require host software or computer components to spread

– Worms - function and self-replicate without needing host software or components

– Trojan horse - malicious code masked as a useful or desirable program

– Spyware/adware - non-malicious software used to track users and display advertising

• Often poorly written and causes performance problems

• May contain other malicious code


Page 14: Information Security: A mindset, not a product


Threat Identification: Internal

• Internal threats

– Accidental or deliberate, from authorized and trusted sources

– Majority of security incidents are from internal sources

• Information corruption (Integrity)

– Data is not entered correctly or is modified to be wrong

• Information destruction (Integrity)

– Data is removed or deleted or otherwise inaccessible

• Information leak (Confidentiality)

– Data is revealed to unauthorized persons

• Information outage (Availability)

– Data services not available


Page 15: Information Security: A mindset, not a product


What can we do – as an organization

• Security Mindset

– To catch a thief, think like a thief

• Know your data

– What would others like to gain access to?

– What could be sold?

– What can you not work without?

– Legally and contractually protected data

• Encryption – A tool, not a panacea

– Backup media

– Hard drives

– Communications

– Flash drives

• Educate users

– Formal policies

– Usage training


Page 16: Information Security: A mindset, not a product


What can we do - as an organization

• Follow best practices

– Updates - Operating systems, firmware, software, Anti-Malware

– Protection - Anti-Malware

– Minimalist - run only what you need

• Secure the network

– Firewalls - stateful and deep packet inspection at perimeter

– Anti-Malware at perimeter

– IPS/IDS, perimeter and internal

– DMZ

– Software firewalls

• Vendor support

– Hardware warranties

– Communication SLA

– Support SLA

Page 17: Information Security: A mindset, not a product


What can we do - as users

• Anti-malware software

– Run current versions of reputable anti-malware software

– Be sure to update regularly with latest virus, adware and spyware definitions

• Update all software regularly

– Turn on automatic operating system and software updates

– Put a reminder on your calendar to check on your other programs regularly

• Includes Java, Flash and other browser based programs

• If you don’t need it, don’t install it

– Do not use free software at work

• Malware

• Licensing liability


Page 18: Information Security: A mindset, not a product


What can we do - as users

• Follow safe browsing and communications practices (internet, email, IM, social sites)

– Pop-ups - ALT+F4 to close

– Type-in, do not click through, specifically email

• Helps avoid phishing and malware

– If you would not write it on paper, do not write it (email or online)

– Avoid forwarding chain email and questionable jokes

• Be aware of who you’re sending it to

– Use work PC for work

• Know your organization’s policies


Page 19: Information Security: A mindset, not a product


Formal Policies

• Formal written policies should be guidelines for behavior and actions

– Should be intelligible, readable and realistic documents, not legal contracts

• Idea is to augment training and answer questions, not restrict employees


Page 20: Information Security: A mindset, not a product


Formal Policies

• Should we delete old emails? Should we reply to spam?

• What can we send over email, IM and post on social networking websites?


Page 21: Information Security: A mindset, not a product


Formal Policies

• Should we run free software from spam and pop-ups? Open attachments?

• Can we listen to streaming music and watch videos over the internet?


Page 22: Information Security: A mindset, not a product


Formal Policies

• Is our data safe? What if something happens to the building?

• Do we really need passwords? Can we put them on post-its?

• Can we access the network remotely?


Page 23: Information Security: A mindset, not a product


Formal Policies

• Consistently enforced policies protect both user and organization when facing…

– Disasters

– Legal discovery

– Harassment issues

– Employment disputes


Page 24: Information Security: A mindset, not a product


Typical Policies

• Computer, network and internet acceptable usage

• Email and communications usage and retention

• Data retention

• Information Security

• Business Continuity / Disaster Recovery


Page 25: Information Security: A mindset, not a product


Recent Cases: Billing Website

• Online payment system compromised

• Healthcare funding organization accepting donations online

• Recently changed payment providers to new system

• On old system, thousands of small (less than $1) authorizations over a weekend

• Analysis

– Authorizations only, no charges made

– No access to real donor information

– Automated submissions, possibly pulled from old website code (5 years old)

• Costs:

– Incident investigation and report

– Processing fees

– Employee time & productivity
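Detection logic for the pattern in this case (a burst of sub-dollar, authorization-only requests from one source over a short window), as an added example that is not part of the deck; the gateway log format, field names and sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed payment-gateway log lines: timestamp, event type, amount, client IP.
# The real incident produced thousands of these over a weekend; a handful suffice here.
# The last source shows a normal small donation: one AUTH followed by a CHARGE.
SAMPLE_LOG = """\
2009-05-16 02:00:01 AUTH 0.37 198.51.100.7
2009-05-16 02:00:03 AUTH 0.52 198.51.100.7
2009-05-16 02:00:04 AUTH 0.11 198.51.100.7
2009-05-16 02:00:06 AUTH 0.89 198.51.100.7
2009-05-16 09:15:00 CHARGE 50.00 203.0.113.5
2009-05-16 11:20:30 AUTH 0.50 203.0.113.9
2009-05-16 11:20:31 CHARGE 0.50 203.0.113.9
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, kind, amount, source)."""
    date, time, kind, amount, source = line.split()
    return datetime.fromisoformat(f"{date} {time}"), kind, float(amount), source


def find_card_testing(log, window=timedelta(minutes=5), threshold=3, max_amount=1.0):
    """Return (source, first_seen, count) for every source that issued at least
    `threshold` authorization-only events under `max_amount` inside `window`.
    Charges are ignored: the incident's signature was auth requests with no
    charge behind them, so legitimate donations do not trip the rule."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    alerts = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, kind, amount, source = parse_line(line)
        if kind != "AUTH" or amount >= max_amount:
            continue
        q = recent[source]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alerts[source] = (q[0], len(q))   # keep the largest in-window count seen
    return [(src, first, n) for src, (first, n) in alerts.items()]


if __name__ == "__main__":
    for src, first, n in find_card_testing(SAMPLE_LOG):
        print(f"{src}: {n} sub-dollar authorizations starting {first}")
```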


Page 26: Information Security: A mindset, not a product


Recent Cases: SQL Injection

• Database compromise

• Not-for-profit community service scheduling events on website

• Website began redirecting users to a virus download, and download URL was found in the scheduling database

– Database contained customer identifiable info, credit card numbers, and social security numbers

• Analysis:

– Exploit: websites with a “trivial coding error” and using Microsoft SQL server databases, ASP update not applied to web server

– SQL injection: corrupt data was added to database (URL), no data read from database

• Costs:

– Incident investigation and report

– Database sanitizing

– Employee time & productivity – all internet access was initially blocked during the investigation

– Reputation
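The kind of "trivial coding error" behind this case beside its fix, plus the scan the database sanitizing step needs, as an added example that is not the deck's or the affected site's code; sqlite3 stands in for the SQL Server database, and the events table, payload and URL are constructed.

```python
import re
import sqlite3

# Constructed: a scheduling record whose quote closes the SQL literal and whose
# trailing comment neutralises the WHERE clause. malware.example is a placeholder.
PAYLOAD = "Board<script src=http://malware.example/x.js></script>' WHERE 1=1 -- "
# A scheduling title should never carry markup or a URL.
MARKUP_OR_URL = re.compile(r"<script\b|<iframe\b|https?://", re.IGNORECASE)


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO events (id, title) VALUES (?, ?)",
                     [(1, "Food drive"), (2, "Blood drive")])
    return conn


def update_title_vulnerable(conn, event_id, title):
    # The coding error: the user's value is pasted into the SQL text, so a
    # quote inside it ends the literal and the rest is parsed as SQL.
    conn.execute(f"UPDATE events SET title = '{title}' WHERE id = {event_id}")
    conn.commit()


def update_title_safe(conn, event_id, title):
    # Parameterized statement: the value travels separately from the SQL text
    # and cannot change the statement's structure, whatever it contains.
    conn.execute("UPDATE events SET title = ? WHERE id = ?", (title, event_id))
    conn.commit()


def titles(conn):
    return dict(conn.execute("SELECT id, title FROM events ORDER BY id"))


def find_injected_rows(conn):
    # Sanitizing pass: rows whose title holds markup or a URL need clean-up.
    # Note the safe path still stores the payload as text, so this scan (or
    # output encoding) is needed even after the query is fixed.
    return [row_id for row_id, title in titles(conn).items()
            if title and MARKUP_OR_URL.search(title)]


def demo(update_fn):
    """Apply one update routine to a fresh table and return (titles, flagged ids)."""
    conn = setup_db()
    update_fn(conn, 1, PAYLOAD)
    return titles(conn), find_injected_rows(conn)


if __name__ == "__main__":
    print("vulnerable:", demo(update_title_vulnerable))   # every row rewritten
    print("safe:      ", demo(update_title_safe))         # only row 1, stored literally
```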

Page 27: Information Security: A mindset, not a product


Recent Cases: Admin Replacement

• IT administrator no longer trusted

• Multiple clients ranging from associations, to professional offices, to health care providers

• IT Administrator is going to be let go, gone missing, or is in jail

• Password resets:

– Network devices

• Firewalls, routers, switches, wireless networks

– Administrator accounts

• Server, PCs, databases, email, applications

– Service and vendor accounts

• Backup accounts, application accounts

– Remote access

• VPN, portals

– 3rd party accounts

• Vendors

– ALL user accounts


Page 28: Information Security: A mindset, not a product


Questions?

[email protected]

Customer Appreciation Days
