An overview of IT security threats, common weakness in IT networks, and policies & procedures for reducing risk
Making Business Smarter
Information Security -
A mindset, not a product
www.SAGEcomputer.com ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
SAGECare®
Security Practice
Customer Appreciation Days
Introductions
• SAGE Computer Associates, Inc
– Designing, installing, supporting computer networks
since 1983
– Experience supporting 300+ clients
– Certified engineers on staff
• Jeff Cohn
– President
• Jason Appel
– Security Practice Manager
– CISSP, CCSP, INFOSEC, MCSE, MCT, MCSA, CCDA, CSSA
This morning...
• In the news...
• What is Information Security
• AAA – Authentication, Authorization,
Accounting
• Threat Identification
• Policies
• Case studies: recent local incidents
In the news…
Information Security
NOT about computers
It’s about the information…
Information Security Goal: IAC triad
• Integrity
• Availability
• Confidentiality
Integrity
• Information is valid and usable
• Confidence in the information
– Garbage in, garbage out
• Preventing accidental or malicious changes
• Only authorized changes
Availability
• Information is there when needed
• Redundant systems
– RAID
– Power
– Network
– Server clusters
– Virtualization
Availability
• Data backup, backup… oh, and backup again
– Backup testing
– Offsite storage
– Media encryption
• Business Continuity/Disaster Recovery Plan
– PLAN (a GOOD 4 letter word)
– Practice
– Based on roles, not persons
Confidentiality
• Only those authorized have access to information
• File permissions and rights
– Limit access
• Communications
– Email, voice, file transfer
• Encryption
• Various models for information classification
– Could be time sensitive
• Data Destruction
AAA – Who, What, Where of IAC
• Authentication: who are you?
– Username/password
– 2 factor authentication
– Passwords...
• Authorization: what can you do?
– Rights and permissions
• Accounting: who did what?
– Logging, auditing and tracking
• Identification and deniability
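The three A's in working code, added here as an example that is not from the SAGE deck: passwords are checked against salted PBKDF2 hashes (authentication), actions are checked against role permissions rather than individual names (authorization), and every attempt, successful or not, is written to an audit log (accounting). The users, passwords and roles below are constructed for the demo.

```python
"""Added example (not from the SAGE slides): a minimal authentication,
authorization and accounting (AAA) service in one place.  Users, roles and
passwords are constructed for the demo; no real accounts are involved."""
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timezone
from typing import Optional, Tuple

PBKDF2_ROUNDS = 100_000  # kept modest for the demo; raise for production use


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest).  A salted, slow hash is stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# Authorization: rights belong to roles, not to named people.
ROLE_PERMISSIONS = {
    "clerk": {"read_invoice"},
    "accountant": {"read_invoice", "post_invoice"},
    "admin": {"read_invoice", "post_invoice", "delete_invoice"},
}

# Dummy credential so a login attempt for an unknown user costs the same time
# as one for a real user (no username enumeration through timing).
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("unused")


class AAAService:
    def __init__(self):
        self.users = {}       # username -> (salt, digest, role)
        self.sessions = {}    # session token -> username
        self.audit_log = []   # accounting: who did what, when, and the outcome

    def add_user(self, username: str, password: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        salt, digest = hash_password(password)
        self.users[username] = (salt, digest, role)

    def _record(self, user: str, action: str, outcome: str) -> None:
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "user": user, "action": action, "outcome": outcome,
        })

    # --- Authentication: who are you? -------------------------------------
    def login(self, username: str, password: str) -> Optional[str]:
        entry = self.users.get(username)
        salt, digest = (entry[0], entry[1]) if entry else (_DUMMY_SALT, _DUMMY_DIGEST)
        ok = verify_password(password, salt, digest) and entry is not None
        self._record(username, "login", "success" if ok else "failure")
        if not ok:
            return None
        token = secrets.token_urlsafe(24)
        self.sessions[token] = username
        return token

    # --- Authorization: what can you do? ----------------------------------
    def perform(self, token: str, action: str) -> bool:
        user = self.sessions.get(token)
        if user is None:
            self._record("<no session>", action, "denied")
            return False
        role = self.users[user][2]
        allowed = action in ROLE_PERMISSIONS[role]
        # --- Accounting: who did what? ------------------------------------
        self._record(user, action, "allowed" if allowed else "denied")
        return allowed

    def failed_logins(self, username: str) -> int:
        """Audit query: how many failed logins has this user had?"""
        return sum(1 for e in self.audit_log
                   if e["user"] == username and e["action"] == "login"
                   and e["outcome"] == "failure")


def demo() -> AAAService:
    svc = AAAService()
    svc.add_user("alice", "correct horse battery staple", "clerk")  # constructed
    svc.add_user("bob", "bob-admin-passphrase", "admin")             # constructed
    svc.login("alice", "wrong guess")               # fails, but is logged
    alice = svc.login("alice", "correct horse battery staple")
    svc.perform(alice, "read_invoice")              # allowed for a clerk
    svc.perform(alice, "delete_invoice")            # denied, and logged
    return svc


if __name__ == "__main__":
    for event in demo().audit_log:
        print(event)
```

The failed login for alice is what the accounting leg is for: a silent wrong-password attempt becomes a record that can be reviewed, and `failed_logins()` is the kind of query a lockout threshold or an alert would be built on. Note that the denied `delete_invoice` is logged with the same detail as the allowed read; an audit trail that only records successes cannot answer "who tried".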
Threat Identification: External
• Breach (Confidentiality, Integrity, Availability)
– Possible external access to information or systems
• Identity Theft (Confidentiality)
– Using someone’s personal data for financial gain
• Social Engineering (Confidentiality)
– Using confidence (con) to gain access to information
– Often used to gain information to create a breach
• Spam (Availability, Integrity)
– Unsolicited email
– May contain malicious code or phishing links
• Phishing (Confidentiality)
– Spoofed (fake) message to trick people into posting information
– Often used as basis for identity theft
Threat Identification: External
• DoS - Denial of Service - (Availability)
– Service is not available for legitimate use
• Cracking/hacking (Integrity, Confidentiality, Availability)
– Unauthorized, actively accessing systems
• Malicious code (Integrity, Confidentiality, Availability)
– Program or script that will cause harm - aka Malware
– Viruses - need a host program or file on the computer to run and spread
– Worms - self-replicating, spreading on their own without a host program
– Trojan horse - malicious code masked as a useful or desirable program
– Spyware/adware - non-malicious software used to track users and display advertising
• Often poorly written and causes performance problems
• May contain other malicious code
Threat Identification: Internal
• Internal threats
– Accidental or deliberate, from authorized and trusted sources
– Majority of security incidents are from internal sources
• Information corruption (Integrity)
– Data is not entered correctly or is modified to be wrong
• Information destruction (Integrity)
– Data is removed, deleted or otherwise made inaccessible
• Information leak (Confidentiality)
– Data is revealed to unauthorized persons
• Information outage (Availability)
– Data services not available
What can we do – as an organization
• Security Mindset
– To catch a thief, think like a thief
• Know your data
– What would others like to gain access to?
– What could be sold?
– What can you not work without?
– Legally and contractually protected data
• Encryption – A tool, not a panacea
– Backup media
– Hard drives
– Communications
– Flash drives
• Educate users
– Formal policies
– Usage training
What can we do - as an organization
• Follow best practices
– Updates - operating systems, firmware, software, Anti-Malware
– Protection - Anti-Malware
– Minimalist - run only what you need
• Secure the network
– Firewalls - stateful and deep packet inspection at perimeter
– Anti-Malware at perimeter
– IPS/IDS, perimeter and internal
– DMZ
– Software firewalls
• Vendor support
– Hardware warranties
– Communication SLA
– Support SLA
What can we do - as users
• Anti-malware software
– Run current versions of reputable anti-malware software
– Be sure to update regularly with latest virus, adware and spyware
definitions
• Update all software regularly
– Turn on automatic operating system and software updates
– Put a reminder on your calendar to check on your other programs
regularly
• Includes Java, Flash and other browser based programs
• If you don’t need it, don’t install it
– Do not use free software at work
• Malware
• Licensing liability
What can we do - as users
• Follow safe browsing and communications practices
(internet, email, IM, social sites)
– Pop-ups - ALT+F4 to close
– Type-in, do not click through, specifically email
• Helps avoid phishing and malware
– If you would not write it on paper, do not write it (email
or online)
– Avoid forwarding chain email and questionable jokes
• Be aware of who you’re sending it to
– Use work PC for work
• Know your organization’s policies
Formal Policies
• Formal written policies should be guidelines for behavior and actions
– Should be intelligible, readable and realistic documents, not legal contracts
• Idea is to augment training and answer questions, not restrict employees
Formal Policies
• Should we delete old emails? Should we reply to spam?
• What can we send over email, IM and post on social networking websites?
Formal Policies
• Should we run free software from spam and pop-ups? Open attachments?
• Can we listen to streaming music and watch videos over the internet?
Formal Policies
• Is our data safe? What if something happens to the building?
• Do we really need passwords? Can we put them on post-its?
• Can we access the network remotely?
Formal Policies
• Consistently enforced policies protect both
user and organization when facing…
– Disasters
– Legal discovery
– Harassment issues
– Employment disputes
Typical Policies
• Computer, network and internet acceptable
usage
• Email and communications usage and
retention
• Data retention
• Information Security
• Business Continuity / Disaster Recovery
Recent Cases: Billing Website
• Online payment system compromised
• Healthcare funding organization accepting donations online
• Recently changed payment providers to new system
• On old system, thousands of small (less than $1) authorizations over a weekend
• Analysis
– Authorizations only, no charges made
– No access to real donor information
– Automated submissions, possibly pulled from old website code (5 years old)
• Costs:
– Incident investigation and report
– Processing fees
– Employee time & productivity
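A detection check for the pattern in this case, added here as an example that is not part of the presentation: many sub-dollar authorizations from one source in a short window is the signature of automated card testing, and it can be picked out of the payment gateway's log before the weekend is over. The log format and every line below are constructed for the demo; a real gateway's export names its fields differently, so only the parser needs to change.

```python
"""Added example (not from the SAGE slides): flag bursts of small-value
card authorizations of the kind described in the billing-website case.
The log format and every log line here are constructed for the demo."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, source IP, amount, gateway result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>[\d.]+) amount=(?P<amount>[\d.]+) result=(?P<result>\w+)$"
)

SAMPLE_LOG = """\
2009-06-06T22:00:01 ip=203.0.113.7 amount=0.37 result=approved
2009-06-06T22:00:03 ip=203.0.113.7 amount=0.52 result=approved
2009-06-06T22:00:05 ip=203.0.113.7 amount=0.19 result=declined
2009-06-06T22:00:06 ip=203.0.113.7 amount=0.88 result=approved
2009-06-06T22:00:08 ip=203.0.113.7 amount=0.41 result=approved
2009-06-06T22:00:09 ip=203.0.113.7 amount=0.66 result=approved
2009-06-06T22:05:00 ip=198.51.100.20 amount=50.00 result=approved
2009-06-06T23:30:00 ip=198.51.100.21 amount=25.00 result=approved
2009-06-07T01:00:00 ip=198.51.100.22 amount=0.99 result=approved
this line is deliberately malformed and must be skipped
"""


def parse_log(text):
    """Parse the constructed format into dicts; malformed lines are skipped
    so one bad record cannot stop the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "amount": float(m["amount"]),
            "result": m["result"],
        })
    return events


def detect_card_testing(events, max_amount=1.00, window=timedelta(minutes=5), threshold=5):
    """Return {ip: peak_count} for every source that made at least
    `threshold` authorizations under `max_amount` inside any sliding
    `window`.  Declines are counted too: a tester learns as much from a
    decline as from an approval, and a legitimate donor rarely retries
    six cards in ten seconds."""
    by_ip = defaultdict(list)
    for e in events:
        if e["amount"] < max_amount:
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    print(detect_card_testing(parse_log(SAMPLE_LOG)))
```

The single 99-cent donation from 198.51.100.22 is not flagged: the rule keys on rate from one source, not on amount alone, which keeps real small donors out of the alert. A gateway-side velocity limit, a CAPTCHA on the donation form, and removing the abandoned 5-year-old form code are the corresponding preventive controls.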
Recent Cases: SQL Injection
• Database compromise
• Not-for-profit community service scheduling events on website
• Website began redirecting users to a virus download, and download URL was found in the scheduling database
– Database contained customer identifiable info, credit card numbers, and social security numbers
• Analysis:
– Exploit: websites with a “trivial coding error” and using Microsoft SQL server databases, ASP update not applied to web server
– SQL injection: corrupt data was added to database (URL), no data read from database
• Costs:
– Incident investigation and report
– Database sanitizing
– Employee time & productivity – all internet access was initially blocked during the investigation
– Reputation
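The "trivial coding error" behind a SQL injection is letting user-supplied text become part of the SQL statement. The example below is added here and is not code from the incident, the organization or the presentation; it runs the same event lookup two ways against an in-memory SQLite table of constructed events. The concatenating version fails on an ordinary apostrophe in a name, which is the visible symptom of the same flaw that let a URL be written into the scheduling database; the parameterized version treats the input as data whatever it contains. The original site used Microsoft SQL Server and ASP, but the fix is the same in any stack: placeholders, not string building.

```python
"""Added example (not from the SAGE slides): the same query written with
string concatenation and with a parameterized statement.  Table, rows and
inputs are constructed; SQLite stands in for the SQL Server of the case."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, name TEXT, info_url TEXT)")
    conn.executemany(
        "INSERT INTO events (name, info_url) VALUES (?, ?)",
        [("Tuesday Clinic", "https://example.org/clinic"),      # constructed rows
         ("Children's Fair", "https://example.org/fair")],
    )
    conn.commit()
    return conn


def find_event_unsafe(conn, name):
    # Vulnerable: the user's text is pasted into the SQL statement itself, so
    # anything that is SQL syntax to the parser changes the statement.
    sql = "SELECT id, name, info_url FROM events WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_event_safe(conn, name):
    # Hardened: the placeholder is bound by the driver; the input stays data.
    sql = "SELECT id, name, info_url FROM events WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def update_url_safe(conn, event_id, url):
    # Same rule for writes, which is where the redirect URL got in; allow-list
    # the shape of the value as well, so only https links are ever stored.
    if not url.startswith("https://"):
        raise ValueError("only https URLs are accepted")
    conn.execute("UPDATE events SET info_url = ? WHERE id = ?", (url, event_id))
    conn.commit()
    return conn.execute("SELECT info_url FROM events WHERE id = ?", (event_id,)).fetchone()[0]


def demo():
    """Look up a name containing an apostrophe both ways and report what happened."""
    conn = make_db()
    results = {"safe": find_event_safe(conn, "Children's Fair")}
    try:
        find_event_unsafe(conn, "Children's Fair")
        results["unsafe"] = "ran"
    except sqlite3.OperationalError as err:
        results["unsafe"] = f"error: {err}"   # the apostrophe was parsed as SQL
    return results


if __name__ == "__main__":
    for how, outcome in demo().items():
        print(f"{how:>6}: {outcome}")
```

The syntax error is the friendly version of the bug: the same parser that chokes on `'s` will happily execute well-formed SQL placed in that field. Beyond parameterizing every query, the case also points at two controls that would have limited the damage: the web application account should not have had write access to tables it only needed to read, and patching the web server (the unapplied ASP update in the analysis) closes the second hole named in the same finding.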
Recent Cases: Admin Replacement
• IT administrator no longer trusted
• Multiple clients ranging from associations, to professional offices, to health care providers
• IT Administrator is going to be let go, gone missing, or is in jail
• Password resets:
– Network devices
• Firewalls, routers, switches, wireless networks
– Administrator accounts
• Server, PCs, databases, email, applications
– Service and vendor accounts
• Backup accounts, application accounts
– Remote access
• VPN, portals
– 3rd party accounts
• Vendors
– ALL user accounts
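A way to work the reset checklist above as an audit rather than from memory, added here as an example that is not part of the presentation: load a credential inventory and list every account whose password has not been changed since the administrator's last day of trusted access, grouped in the order the slide uses. The inventory rows, system names and dates are constructed; a real inventory would be exported from a password manager or asset database.

```python
"""Added example (not from the SAGE slides): from a credential inventory,
list the accounts still needing a reset after an administrator's departure.
The inventory, systems and dates are constructed for the demo."""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed inventory: one row per credential, with the date it last changed.
INVENTORY_CSV = """\
category,system,account,last_reset
network device,edge firewall,admin,2009-03-02
network device,core switch,admin,2009-05-20
administrator,file server,Administrator,2009-05-18
administrator,SQL server,sa,2009-01-15
service/vendor,backup job,svc_backup,2008-11-30
remote access,VPN concentrator,shared-vpn,2009-05-19
third party,payroll provider portal,company-login,2009-02-10
user,workstation,jsmith,2009-05-21
"""

# The departing administrator's last day of trusted access (constructed).
LAST_DAY = date(2009, 5, 19)

# Work the list in the slide's order: the accounts that gate everything else first.
ORDER = ["network device", "administrator", "service/vendor",
         "remote access", "third party", "user"]


def load_inventory(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["last_reset"] = date.fromisoformat(row["last_reset"])
    return rows


def _as_date(value):
    return date.fromisoformat(value) if isinstance(value, str) else value


def pending_resets(rows, last_day=LAST_DAY):
    """Return {category: [(system, account), ...]} for every credential whose
    password has not changed since `last_day`.  A reset on the last day itself
    still counts as pending: the administrator may have set that password."""
    last_day = _as_date(last_day)
    pending = defaultdict(list)
    for row in rows:
        if row["last_reset"] <= last_day:
            pending[row["category"]].append((row["system"], row["account"]))
    return dict(pending)


def checklist(rows, last_day=LAST_DAY):
    """Flatten the pending resets into checklist lines in ORDER."""
    pending = pending_resets(rows, last_day)
    lines = []
    for category in ORDER:
        for system, account in pending.get(category, []):
            lines.append(f"[ ] {category}: {account} on {system}")
    unknown = set(pending) - set(ORDER)   # categories the inventory invented
    for category in sorted(unknown):
        for system, account in pending[category]:
            lines.append(f"[ ] {category}: {account} on {system}")
    return lines


if __name__ == "__main__":
    print("\n".join(checklist(load_inventory(INVENTORY_CSV))))
```

Re-run the script after each batch of resets and the list shrinks to zero, which is the evidence the incident report needs. Shared and service accounts (the `svc_backup` and `shared-vpn` rows) are the ones most often missed because no single person owns them, and the `sa` account last changed in January is exactly the kind of credential a former administrator would still know.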
Questions?