Security and Privacy of Data
Trends and Solutions
July 31, 2007
So many issues, so little time…
• Attacks on users
• Attacks on (web) applications
• Attacks on physical devices
• Attacks on mobile devices
• Attacks on facilities
• Challenge of administrative completeness
• Closing: Information Security Strategy
Takeaways:
• There are no silver bullets
– You need a defense in depth strategy (layers)
• Email Phishing is (STILL) a gathering storm
• Physical security is key
• The challenge of Administrative Completeness
Security = Culture!!
Security is a BUSINESS issue, NOT a technical issue!!
• Administrative Policies / Procedures
• Physical Access Controls
• Technical Security Controls
Secure System Defined:
• “A secure system is one we can depend on to behave as we expect.”
– Source: “Web Security and Commerce” by Simson Garfinkel with Gene Spafford
• Confidentiality
• Integrity
• Availability
Information Security Strategy
• Protect
• Detect
• (Test and Verify)
• Respond
• Remediate damage
“Amateurs hack systems, professionals hack people.”
Attacks on Users
• “Employees pose biggest security risk”
– Simple Nomad
• SANS NewsBites July 17, 2006 Vol. 9, Num. 56
– TOP OF THE NEWS
• http://www.darkreading.com/document.asp?doc_id=129122&WT.svl=cmpnews1_1
Social Engineering Defined
• Per the Hacker’s Jargon Dictionary:
“Term used among crackers and samurai for cracking techniques that rely on weaknesses in wetware rather than software; the aim is to trick people into revealing passwords and other information that compromises a system’s security.”
Telephone Attacks
Pretext calling
• Impersonation
– “Hi, this is Bill from Geek Squad. I am working with…”
• Intimidation
– “I need to get this _______ today or else…”
• Persuasion
– “I need your help. I am trying to…”
• Think telemarketer’s script…
E-mail Attacks - Spoofing and Phishing
• Impersonate someone in authority and:
– Ask for information via e-mail
– Ask them to visit a web-site
• Examples
– Better Business Bureau complaint
– http://scmagazine.com/us/news/article/660941/better-business-bureau-target-phishing-scam/
– Microsoft Security Patch Download
– http://www.scmagazine.com/us/news/article/667467/researchers-warn-bogus-microsoft-patch-spam/
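The “ask them to visit a web-site” lure usually works by showing one address in the link text while the href points somewhere else. The following check is an added example written for this page, not code from the presentation or its author: it walks the anchors in a (constructed) HTML e-mail body and flags any link whose visible text names a host that differs from the host the href actually goes to. The sample message, the hostnames and the 198.51.100.23 address are all constructed documentation values.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body: the first link shows a bank hostname but
# points at a raw IP address; the other two links are consistent.
SAMPLE_EMAIL_HTML = """\
<p>Your account needs attention. Please sign in at
<a href="http://198.51.100.23/login">https://www.bank.example/secure</a>
within 24 hours.</p>
<p>Or use <a href="https://www.bank.example/secure">www.bank.example/secure</a>.</p>
<p>Questions? See <a href="https://www.bank.example/help">our help page</a>.</p>
"""

# A hostname-looking token inside link text (optionally preceded by a scheme).
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def find_deceptive_links(html):
    """Return (visible text, href) for links whose displayed host differs
    from the host in the href. Links whose text names no host are ignored."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        actual_host = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.search(text)
        if shown and shown.group(1).lower() != actual_host:
            suspicious.append((text.strip(), href))
    return suspicious


if __name__ == "__main__":
    for text, href in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"link text says {text!r} but goes to {href}")
```

A mail gateway or awareness-training demo can run this over inbound HTML and quarantine or annotate messages with mismatches; it deliberately ignores links whose text is plain words (“our help page”), since those carry no claim about the destination.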
Dumpster Diving (Trashing)
• Outdated hardware
• Disks and tapes
• Phone books
• Organization charts
• Company policy manuals
• Reports or system print-outs
• Memos
• Calendars (of meetings, events, vacations)
• Technical system manuals (Kevin Mitnick method)
Physical Penetration
Compromise the site:
• Friendly folks willing to help:
– “Can you get the door for me?”
• Employees who lack awareness
• Poorly designed facility
• Poor (or lacking) administrative procedures
Plant devices:
• Keystroke loggers
• Wireless access point
• Thumb drives (“Switch Blade”)
Policies – the Beginning of CULTURE
• Helpful to remove judgment from employees – items outside policy are strictly forbidden!
– Why it is important
• Include:
– Internet / Email use
– Password expiration / complexity rules
– Use of enterprise passwords
– Unauthorized software and hardware
◊ Modems and Wireless Access Points
– Unattended log-in sessions
– Accountability for violations (posting)
– Authenticate and Validate the visitor
Physical Security
• Segment buildings – Public vs Private
• Controls on access software
• Procedures for new, changed, terminated access
• Secure shredding
Physical Security
• Conspicuous, difficult to copy badges
• 2 factor authentication (e.g. card swipe plus PIN)
• Console locks / screensaver passwords
• Employee awareness!!
Resources – Attacks on Users
• SecurityFocus 2 part series:
http://online.securityfocus.com/infocus/1527
http://online.securityfocus.com/infocus/1533
• CERT Advisory CA-1991-04
www.cert.org/advisories/CA-1991-04.html
• SANS Institute:
http://rr.sans.org/social/social.php
More Resources – Attacks on Users
• Computer Security Institute:
http://www.gocsi.com/soceng.htm
• Methods of Hacking: Social Engineering – by Rick Nelson
http://www.isr.umd.edu/gemstone/infosec/ver2/papers/socialeng.html
Attacks on Web Applications
• No different than traditional vulnerabilities
• Error in code allows attacker to do “something”
– NOT what it was designed to do!
Why?
• Because firewalls and other defensive measures work!
• Objective is to attack what is remotely accessible
– Web sites
– eCommerce
– Databases behind the websites
– Office applications attacked via email
How many?
*************************************************************************
@RISK: The Consensus Security Vulnerability Alert
July 10, 2007 Vol. 6. Week 28
*************************************************************************
Platform                                   Number of Updates and Vulnerabilities
-------------------------                  ---------------------------------------------------
Other Microsoft Products                   3
Third Party Windows Apps                   7
Linux                                      11
Unix                                       1
Cross Platform                             11 (#1, #2, #3)
Web Application - Cross Site Scripting     8
Web Application - SQL Injection            20
Web Application                            19
Network Device                             1 (#4)
*************************************************************************
http://www.sans.org/newsletters/risk/
5 Broad Categories of Web Application Attacks
• Remote code execution
• SQL injection
• Format string vulnerabilities
• Cross Site Scripting (XSS)
• Username enumeration
http://www.securityfocus.com/infocus/1864
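Two of the five categories above, SQL injection and Cross Site Scripting, come from the same root cause the previous slide names: an error in code lets input do something the code was not designed to do. The block below is an added example for this page, not code from the presentation, showing a lookup that splices user input into SQL beside its parameterized form, plus the output-encoding step that closes the XSS case. It uses Python’s bundled sqlite3 module and a constructed in-memory users table; the table contents and the names are made up for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a database behind a web site."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("o'brien", "obrien@example.com")],
    )
    return conn


def lookup_email_unsafe(conn, username):
    # DEFECT (shown on purpose): the input becomes part of the SQL text, so a
    # quote character in it changes the query's structure, not just its value.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn, username):
    # HARDENED: a bound parameter is always treated as data by the driver.
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def escape_for_html(value):
    # Output encoding: whatever came from the database or the user is rendered
    # as text, never as markup, which is the corresponding fix for XSS.
    return html.escape(value, quote=True)


def demo():
    """Run both lookups against the same inputs and return what each did."""
    conn = make_db()
    results = {
        "unsafe_normal": lookup_email_unsafe(conn, "alice"),
        # A quote followed by an always-true condition widens the WHERE clause.
        "unsafe_injected": lookup_email_unsafe(conn, "x' OR 'a'='a"),
        "safe_injected": lookup_email_safe(conn, "x' OR 'a'='a"),
        # A legitimate name containing a quote is handled correctly when bound.
        "safe_apostrophe": lookup_email_safe(conn, "o'brien"),
        "escaped": escape_for_html("<script>alert(1)</script>"),
    }
    try:
        lookup_email_unsafe(conn, "o'brien")
        results["unsafe_apostrophe"] = "query ran"
    except sqlite3.OperationalError:
        # The same defect that enables injection also breaks ordinary input.
        results["unsafe_apostrophe"] = "query broke"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unsafe lookup returns every row for the altered input and raises a syntax error for a real name containing an apostrophe; the parameterized version returns nothing for the former and the right row for the latter. Reviewing code for string-built SQL and for unescaped output is the practical way to cover two of the five categories at once.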
More Email Phishing???
#1 attack vector:
• Email “Spear Phishing”
• Sometimes called “targeted trojan”
• Yet another attack that puts pressure on USERS
http://www.antiphishing.org/
Office applications
• Targeted as much as web applications
• Email can deliver malicious code (Trojan) or malicious links (spear phishing) that exploit office applications, such as Excel, Word, Powerpoint, etc.
• In the last 2 months we have seen a drastic swing from Word documents, to PDF files, and just in the last couple of days Excel files.
http://www.securityfocus.com/brief/556
The Future of Vulnerabilities?
The trend in “disclosures”…
• Zero Day Threats
• Less than Zero Day Threats
• Vulnerability bounty programs
• Vulnerability auction sites
Attacks on Physical Devices
• Keystroke loggers
• USB hard drives
• CD/DVD burning
Attacks on Physical Devices
Key protection strategies
• Strong policies to drive the culture
– Principle of Minimum Access and Least Privilege
• Use OS settings to enforce policies and to monitor activities
Attacks on Mobile Devices
• Proliferating at a high rate
• Attackers developing exploits to match proliferation
• Anyone have an iPhone?
– http://www.securityfocus.com/brief/552
Attacks on Mobile Devices
Key protection strategies:
• Strong authentication
• Authentication for “sleep” mode
• Policies for storing data
• Ability to “wipe” if lost or stolen
Encryption Challenges
• Relative lack of widespread solutions
• Interacting with others
• Performance lags
• Impaired search
• Application dependencies
• Stored credentials – provide access to keys
Attacks on Process
• Compared to banking, non-regulated environments have “enjoyed” lack of scrutiny - this is changing.
• In the news:
– Senate hearings
◊ http://www.securityfocus.com/news/11472
– Government agencies get a C-
◊ http://www.securityfocus.com/news/11458
– County web site (Ohio)
◊ http://www.ohio.com/mld/beaconjournal/news/state/17536759.htm
– Back up tapes
◊ http://toledoblade.com/apps/pbcs.dll/article?AID=/20070720/BREAKINGNEWS/70720026
Attacks on Process
• Mounting political pressure to react to data breaches and identity theft
• Privacy Rights <dot> org
http://www.privacyrights.org/ar/ChronDataBreaches.htm
• Minnesota Law:
http://www.revisor.leg.state.mn.us/bin/bldbill.php?bill=S1574.2.html&session=ls85
Information Security Strategy
“The Song Remains the Same”
• Protect
• Detect
• Test and Verify
• Respond
• Remediate damage
Four Step Program: Network Security
• Strong Policies and Standards – Create Culture
• Minimize / Maintain Services - No Default Open
• Secure the Perimeter
• Secure Internal Systems - Hardening
Strong Policy
• Provide the backbone for security
• Demonstrate management’s commitment
• Protect from “social engineering”
• Should become part of organization’s “culture”
Strong Policies
Two specific policies:
• Back office
• End users
Policy as Culture
• Awareness training is critical
• Should be attended by upper management
– upper management should at least make some short remarks about the importance of the training
Minimize / Maintain Services
• Each service provided over the Internet has inherent vulnerabilities
• “Default” services especially at risk
– SMTP
– telnet
– FTP / tFTP / anonymous FTP
– HTTP
• Understand risks accepted for services left “open”
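Knowing which of the “default” services are still listening is the first step of service minimization. The block below is an added example written for this page, not code from the presentation: it parses listener output in the layout of `ss -tln` (a constructed sample is embedded so it runs offline), compares each non-loopback port against an explicit allow-list, and names the risky defaults the slide lists. The allow-list of 22 and 443 and the sample hosts are assumptions for the demonstration.

```python
import ipaddress

# Constructed sample in the layout of `ss -tln` on a host that still runs
# several default services alongside SSH and HTTPS.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       100     0.0.0.0:25           0.0.0.0:*
LISTEN  0       5       0.0.0.0:23           0.0.0.0:*
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     [::]:21              [::]:*
"""

# Default services the slide singles out (TFTP is UDP and would need `ss -uln`).
RISKY_DEFAULTS = {21: "FTP", 23: "telnet", 25: "SMTP", 69: "TFTP", 80: "HTTP"}


def parse_listening(text):
    """Return (address, port) for every LISTEN row in ss-style output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        addr, port = fields[3].rsplit(":", 1)
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # not a literal address; treat as externally reachable


def audit_services(listeners, allowed_ports):
    """Split listeners into those outside the allow-list that are reachable
    from the network (unexpected) and those bound only to loopback."""
    report = {"unexpected": [], "loopback_only": []}
    for addr, port in listeners:
        if port in allowed_ports:
            continue
        if is_loopback(addr):
            report["loopback_only"].append(port)
        else:
            report["unexpected"].append((port, RISKY_DEFAULTS.get(port, "unknown")))
    report["unexpected"].sort()
    return report


if __name__ == "__main__":
    report = audit_services(parse_listening(SAMPLE_SS_OUTPUT), allowed_ports={22, 443})
    for port, name in report["unexpected"]:
        print(f"port {port} ({name}) is listening but not on the allow-list")
    print("loopback-only services:", report["loopback_only"])
```

Each line of the “unexpected” list is a service whose risk has been accepted by default rather than by decision; either add it to the allow-list deliberately or shut it down. The loopback-only list (here the database on 3306) is lower priority but still worth knowing about.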
Minimize / Maintain Services
• Updated patches
• 99% of intrusions exploit known vulnerabilities
• Only 3% of business networks have all the latest Microsoft patches!!!
Minimize / Maintain Services
• Shifting focus to Web Applications
• Keep them updated
• Include them in security audits
• Open Web Application Security Project– www.owasp.org
Secure the Perimeter
• Firewall rules to enforce service minimization
• Periodic test of firewall integrity
– Penetration testing supplemented by vulnerability scanning
• On-going monitoring
– Properly configured IDS
– Firewall / router logs – critical to forensics!!!
• Do you know where your modems are?
– Refer back to policies!!
– Vendor dial up?
• Do you have wireless? How do you know?
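Firewall logs are only useful for forensics if someone can actually read them back. The block below is an added example for this page, not code from the presentation: it parses drop/accept records in an iptables-style syslog layout (a constructed sample is embedded, using documentation addresses from 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24), groups denied connections by source, and flags any source that touched several distinct destination ports. The “FW-DROP”/“FW-ACCEPT” prefixes and the threshold of four ports are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed firewall log: one source probes five ports in quick succession,
# a second source is denied twice on 443, a third is accepted.
SAMPLE_LOG = """\
Jul 10 02:13:44 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41000 DPT=22
Jul 10 02:13:45 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41001 DPT=23
Jul 10 02:13:45 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41002 DPT=25
Jul 10 02:13:46 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41003 DPT=1433
Jul 10 02:13:46 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41004 DPT=3306
Jul 10 02:20:01 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=443
Jul 10 02:20:09 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=443
Jul 10 02:21:30 fw kernel: FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>FW-\w+) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_firewall_log(text):
    """Turn each matching log line into a dict; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["spt"] = int(event["spt"])
            event["dpt"] = int(event["dpt"])
            events.append(event)
    return events


def drops_by_source(events):
    """Map each source address to the set of destination ports it was denied on."""
    seen = defaultdict(set)
    for event in events:
        if event["action"] == "FW-DROP":
            seen[event["src"]].add(event["dpt"])
    return seen


def flag_port_sweeps(events, min_distinct_ports=4):
    """Sources denied on at least min_distinct_ports different ports."""
    return sorted(src for src, ports in drops_by_source(events).items()
                  if len(ports) >= min_distinct_ports)


if __name__ == "__main__":
    events = parse_firewall_log(SAMPLE_LOG)
    for src in flag_port_sweeps(events):
        ports = sorted(drops_by_source(events)[src])
        print(f"{src} was denied on {len(ports)} ports: {ports}")
```

The same parsed events are what an incident responder needs later to answer “when did this address first touch us, and what did it try?”, which is why the slide calls the logs critical to forensics; retaining them is the prerequisite, and a small summary like this is what turns them into a daily check.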
The Perimeter: Consider Physical Security
• Data center
• Workstations in common areas
• Laptops
• Other technology that can walk out
Secure Internal Systems
• Assume that a knowledgeable, determined attacker will always defeat a firewall!!
• Fundamental problem: Default settings (e.g. at installation) are VERY WEAK!!
• Must ensure basic operating system security is in place to defeat attackers who successfully penetrate the network - HARDENING
Secure Internal Systems
Hardening: Four Most Common Issues
• Excessive services running (by default)
• Weak default configurations
• Weak default authentication
• Missing patches
Secure Internal Systems
Hardening:
• Hardening checklists from vendor
• CIS offers vendor-neutral hardening resources
http://www.cisecurity.org/
• Microsoft Security Checklists
http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true
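A hardening checklist is only as good as the check that enforces it. The block below is an added example for this page, not code from the presentation, CIS or Microsoft: it reads an sshd_config-style file (a constructed sample with typical permissive settings is embedded), compares it against a small baseline covering the slide’s “weak default configuration” and “weak default authentication” issues, reports each deviation, and renders the corrected file. The baseline values are my own assumptions for the example and stand in for whichever vendor or CIS checklist an organization actually adopts.

```python
# Constructed sample: a config that leaves the permissive defaults in place.
# PermitEmptyPasswords is deliberately absent, to show the "unset" case.
WEAK_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
"""

# Assumed hardening baseline (values as a checklist would state them).
HARDENING_BASELINE = {
    "Protocol": "2",
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
}


def parse_sshd_config(text):
    """Return {keyword: value} for each 'Keyword value' line, ignoring comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def _lookup(settings, key):
    # sshd keywords are case-insensitive, so compare without regard to case.
    for k, v in settings.items():
        if k.lower() == key.lower():
            return v
    return None


def check_hardening(settings, baseline=HARDENING_BASELINE):
    """Return (keyword, actual, expected) for every baseline item not satisfied.
    An unset keyword is reported too: it silently inherits the product default."""
    findings = []
    for key, expected in baseline.items():
        actual = _lookup(settings, key)
        if actual is None:
            findings.append((key, "<unset: inherits default>", expected))
        elif actual.lower() != expected:
            findings.append((key, actual, expected))
    return findings


def render_hardened(settings, baseline=HARDENING_BASELINE):
    """Rewrite the config with every baseline keyword set to its expected value,
    keeping all other keywords (e.g. Port) as they were."""
    baseline_keys = {k.lower() for k in baseline}
    hardened = {k: v for k, v in settings.items() if k.lower() not in baseline_keys}
    hardened.update(baseline)
    return "\n".join(f"{k} {v}" for k, v in hardened.items()) + "\n"


if __name__ == "__main__":
    weak = parse_sshd_config(WEAK_SSHD_CONFIG)
    for key, actual, expected in check_hardening(weak):
        print(f"{key}: found {actual!r}, checklist expects {expected!r}")
    print("--- corrected ---")
    print(render_hardened(weak))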
Secure Internal Systems
Incident Response Policy
• Documentation is readily available BEFOREHAND
• Structured Procedures
• Defined communication
• Chain of command
• Escalation procedures
Summary
• Today’s attack vectors:
– Users, Web applications, mobile devices, facilities
– Email Phishing, websites with malicious code, social engineering
• Strategy:
– Protect, Detect, Test and Verify, Respond, Remediate
• “Four Step Program”
– Strong Policies, Minimize Services, Secure the Perimeter, Harden Internal Systems
Questions?
Randy Romes, CISSP, MCP (612) [email protected]