Security Essentials

“In today’s networked world, we have to accept that our systems and networks can not be 100% secure if we still expect them to be useful in the conduct of our business. That means we will have to learn to live with insecurity and manage our risks.”

Presenters

• Dave Wordhouse – VP, Network Technologies – [email protected]

• Fred Damstra – Network Systems Integration – [email protected]

• Jim Vickers – Network Operations Coordinator – [email protected]

• Jim Lawrence – Asst. Mgr. Internal Networks – [email protected]

• Tony Walliczek – Network Operations Coordinator – [email protected]

Agenda

• What is Information Security?
• Identify the threats.
• What’s at stake?
• It all starts with the Security Policy.
• The threat from within.
• Portable data storage devices.
• Ten action steps for a more secure network.
• Developing a Security Awareness program.

Definition of Information Security

• Information Security
– Computer Security is the protection of data against unauthorized access.
– Information Security is not confined to computer systems, nor to information in an electronic or machine-readable form. It applies to all aspects of safeguarding or protecting information or data, in whatever form.

• Ensure data
– Availability
– Confidentiality
– Integrity

Data Availability, Confidentiality, and Integrity

First Immutable Law of Security

• In security, there are no “silver bullets”.
– Security is built in layers.
– No one piece of software, no single firewall, no single policy can totally protect.

• Ensure data:
– Availability
– Confidentiality
– Integrity

[Figure: The Security Onion, a layered security approach. Layers shown: Data, People, Routers, Firewalls, Intrusion Detection Systems, Anti-Virus Scanners, Hardened Hosts, Proper Patching, Proper Network Design.]

Identify the Threats

• Types of threats
– Unintentional
• Employee errors, omissions, etc.
– Intentional (malicious)
• Virus, trojan, etc.
• Phishing attack
• Denial of Service attack (DoS)
– Natural disasters
• Fire, flood, etc.
– (attend 9.65 Disaster Recovery/Business Continuity for more information)

What’s at stake for you?

• Credibility
• Legal issues
• Customer satisfaction
• Competitor advantage
• Staff frustration
• Loss of money

What’s at stake for the attacker?

If a financial institution is robbed by someone with a gun, the criminal will be hunted to the ends of the earth with whatever means necessary. But if robbed by someone with a computer, it is likely they will not even acknowledge that a crime has been committed in order to avoid the publicity. [John Tartaglia, "Introduction to Network Security," Computer Security Institute's Conference]

• The average armed robber will get $2,500 to $7,500 with the risk of being shot and killed.
• Fifty to 60 percent of armed robbers will be caught and 80 percent of those will be convicted and sentenced to an average of five years of hard time.

• The average computer criminal will get $50,000 to $500,000 with a risk of being fired or going to jail.
• Ten percent of those computer criminals that are discovered are caught, with only 15 percent of those caught being reported to authorities.
• Over 50 percent of these reported never go to trial due to a lack of evidence or a desire to avoid publicity.
• Fifty percent of those who do go to trial are convicted and sentenced to five years of relatively easy time.

*Laws vary in different states and municipalities. New laws are being written to increase the penalties for computer criminals.

Types of Attacks

• Malicious software
– User opens attachment or downloads file.
• Virus, Trojan, Spyware

• Phishing
– User responds to email request for attention.
• Identity of institution is stolen.

• Social engineering
– Exploiting human trust
• Covered in 9.55 The Human Side of Security.

• System/network compromise
– Exploiting a system or application vulnerability
• Covered in 9.35 The Armored Network.

Malicious Software

• Viruses
– A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes.
– Usually obtained by opening a file attachment to an email message, visiting an untrusted web site or by downloading a file.

• Trojans
– Will appear to be useful software but will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into opening them because they appear to be receiving legitimate software or files from a legitimate source.

• Spyware
– Software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes.
– Typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet.
– Once installed, monitors user Internet activity and transparently transmits that information to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers.

• Protection against Viruses, Trojans, and Spyware includes a combination of a centrally managed Anti-Virus software solution combined with user education.

Phishing

• Phishing is actually two online identity thefts used together. In phishing scams, the identity of the target company is stolen first in order to steal even more identities: those of unsuspecting members.

• A typical phishing attack contains two pieces:
1. An authentic-looking email
2. A fraudulent web page.
– The email is designed to confuse, upset, or excite the recipient.

• Phishing techniques
– Explicit display of the phishing URL (make no effort to hide)
– Address bar spoofing
– Using pop-up windows (showing a legitimate site)
– Using forms within the phishing email
– Web site spoofing (exact duplicate of your web site)

Phishing (form of Social Engineering)

• Elements of a Phishing attack
– Stages of a phishing attack
1. The attacker obtains email addresses for the intended victims. These could be guessed or obtained from a variety of sources.
2. The attacker generates an email that appears legitimate and requests the recipient to perform some action.
3. The attacker sends an email to the intended victims in a way that appears legitimate and obscures the true source.
4. Depending on the content of the email, the recipient opens a malicious attachment, completes a form, or visits a web site.
5. The attacker harvests the victim's sensitive information and may exploit it in the future.

• Reduce the risk of falling for a phishing attack by:
– Establishing and enforcing corporate email policies.
– Regularly conducting highly visible anti-phishing information campaigns.
– Supporting consumer education regarding phishing.
– Considering anti-phishing products and services from your trusted security vendor.

• Visit www.cusecure.org for information on materials available from CU*Answers
– Statement inserts that educate members.
– Improvements to CU*@Home that help educate members.
– Consult Web Services for suggestions on web site materials to educate and inform members.

The Threat from Within

• A crime (security breach) perpetrated by, or with the help of, a person working for or trusted by the victim.

– Employee (current/former), friend or spouse of an employee, vendor, etc.

• Internal security breaches at the world's financial institutions are growing faster than external attacks, as institutions invest in technology, instead of employee training.

• According to the 2005 Global Security Survey, published by Deloitte Touche Tohmatsu,

• 35 per cent of respondents said that they had encountered attacks from inside their organization within the last 12 months, up from 14 per cent in 2004.

• In contrast, only 26 per cent confirmed external attacks, compared to 23 per cent in 2004.

The Threat from Within (cont)

• What to look for:
– Are users accessing information that does not relate to their job functions?
• Would you know if they were? Are you sure?
– Are attempts being made to access specific areas of the system?
• Would you know if they were? Are you sure?
– Are there accounts that consistently have authentication failures?
• Would you know if they were? Are you sure?
– Who’s responsible for reviewing your logs?
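The question about accounts with repeated authentication failures only gets answered if someone actually reads the logs. The following is an added example, not material from the presentation: a small Python log review that counts failed and successful logins per account over constructed syslog-style lines (the hosts, accounts and addresses are made up) and reports the accounts that meet a failure threshold, so a reviewer can see which accounts keep failing and whether a success followed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from the presentation), in the
# syslog-style format an SSH login service writes. Names and addresses are made up.
SAMPLE_LOG = """\
Mar 10 08:01:12 fileserver sshd[2201]: Failed password for jsmith from 10.0.5.17 port 51022 ssh2
Mar 10 08:01:15 fileserver sshd[2201]: Failed password for jsmith from 10.0.5.17 port 51022 ssh2
Mar 10 08:01:19 fileserver sshd[2201]: Accepted password for jsmith from 10.0.5.17 port 51022 ssh2
Mar 10 08:14:03 fileserver sshd[2240]: Failed password for admin from 10.0.9.80 port 40111 ssh2
Mar 10 08:14:07 fileserver sshd[2240]: Failed password for admin from 10.0.9.80 port 40111 ssh2
Mar 10 08:14:11 fileserver sshd[2240]: Failed password for admin from 10.0.9.80 port 40111 ssh2
Mar 10 08:14:16 fileserver sshd[2240]: Failed password for admin from 10.0.9.80 port 40111 ssh2
Mar 10 08:14:20 fileserver sshd[2240]: Failed password for admin from 10.0.9.80 port 40111 ssh2
Mar 10 09:30:44 fileserver sshd[2301]: Failed password for invalid user backup from 10.0.9.80 port 40500 ssh2
"""

# Matches both "Failed password for jsmith from ..." and the
# "Failed password for invalid user backup from ..." form for unknown accounts.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")


def summarize_auth(log_text):
    """Return (failures per account, successes per account, source addresses per account)."""
    failures, successes, sources = Counter(), Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            account, src = m.groups()
            failures[account] += 1
            sources[account].add(src)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            successes[m.group(1)] += 1
    return failures, successes, sources


def accounts_to_review(log_text, threshold=3):
    """Accounts whose failure count meets the threshold. A run of failures with
    no success at all (successes == 0) is the pattern a reviewer should ask about."""
    failures, successes, sources = summarize_auth(log_text)
    return {
        account: {"failures": n, "successes": successes[account],
                  "sources": sorted(sources[account])}
        for account, n in failures.items() if n >= threshold
    }
```

Two wrong passwords followed by a success (jsmith) is normal typing; five failures on an administrative account from one address with no success (admin) is the line item that should reach whoever is responsible for reviewing the logs.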

Portable data storage devices

• What are they?
• How can they be used to breach security?
• How to prevent access to USB ports?
– I've heard of companies filling in the USB ports with plastic resin. When it dries, the ports are unusable. This prevents the use of USB mice, keyboards, printers, etc.
– Disable the port in the system BIOS (password protect).
– Prevent installation of USB device drivers on Windows XP.
– Modify the registry on Windows XP SP2 to make USB ports read-only.
– Purchase software that locks out users from specific USB device types (DeviceShield, etc.).
– Create and enforce an acceptable use policy that fits your organization.

*Remember that all technical controls are just that. If a user has physical control of the machine, he can enable hardware.

Proper disposal of data

• Depreciated hardware.
• End-of-life media (tapes, disks, etc.)
• Paper information (reports, forms, etc.)
• Hardware disposal stories.

– A recent university study examined 105 hard drives which had been purchased on internet auction sites and was able to access data on 92 of them.

– The data recovered by the university team included staff passwords and national insurance numbers, a template to print a university degree and even detailed information about school children.

– Researchers found 57% of the readable disks contained data which allowed the original owners - ranging from organizations in the leisure and financial services industries to a number of universities - to be identified.

– Twenty percent of the disks contained financial information, including sales receipts and profit and loss reports.

• “The only way to be sure is to physically destroy the device.”

Circle of Security

• Protect
• Detect
• Respond
• Recover

“It all starts with the Security Policy”

What a Security Policy should include

• Your security policy should include:
– Acceptable use policy.

– Security incident handling procedures.

– Incident escalation procedures.

– Remote access policy.

– Firewall management policy.

– Disaster recovery policy.

Internet Email Safety

• Never open any attached file unless you are expecting it!
– Recent worm and Trojan horse activity indicates it is no longer safe to open files even from trusted sources.
• The sender’s email address may be spoofed.
• Most viruses spread themselves via email attachments.
– If you are unsure about a file, contact the sender and ask them what they sent you.

Incident Response

• Could you spot a breach of security?
• Do you (and your staff) know what to do in the event of a breach?
• Is there an Incident Response plan in place?
– Who to contact?
– Protection of evidence?
– Publicity?

• Who’s monitoring your security logs?

A culture of Security Awareness

• The human factor is the only vulnerability that is virtually unpatchable, and no security product, service, or update can protect people from their own choices. Users must never let their growing dependency on technology lead to complacency and irresponsibility.

• Users can contribute significantly to the security of the network by just following certain guidelines and performing simple, logical practices.

• Every staff employee should know:
– Why security is important.
– Why each person is important in security matters.
– Why strong passwords are used.
– What a virus is and how to prevent one from spreading.
– What social engineering is and how to identify it.
– The importance of physical security.
– The contents of the security policy and the repercussions if it is violated.

Ten action steps for a more secure network

1. Model threats to your business, and perform a security risk assessment.

2. Develop an information security policy and educate your users.

3. Design a secure, layered security strategy.
4. Use anti-virus software at the gateway and the desktop.
5. Use only operating systems that have adequate security baseline capabilities (proper patch management).
6. Know your network (harden systems).
7. Use personal firewalls, especially on laptops (mobile).
8. Use strong authentication.
9. Develop a computer incident response plan.
10. Get started!

Nine ways to increase security for laptop users

1. Avoid using computer bags.
2. Never leave access numbers or passwords in your carrying case.
3. Carry your laptop with you (don't check it at the gate).
4. Encrypt your data (on the drive).
5. Keep an eye on your laptop. Don't let someone switch it.
6. Buy a laptop security device: security cable, tracing program, ID checker, etc.
7. Avoid setting your laptop on the floor. If you have to, keep it between your feet or against your leg.
8. Use a screen guard (beware shoulder surfers).
9. Try not to leave your laptop in your hotel room or with the front desk.

*Have a plan of action in case it is stolen.

Top 5 mistakes

• Top 5 System Administrator mistakes
1. The lack of a well established personal security policy.
2. Connecting misconfigured systems to the Internet.
3. Relying on tools.
4. Failing to monitor the logs.
5. Running extra and unnecessary services/software/scripts.

• Top 5 Management mistakes
1. Employing untrained and inexperienced experts.
2. Failing to realize the consequences of a potential security breach.
3. Not spending enough money on the Information Security issue.
4. Relying mainly on commercial tools and products.
5. Thinking security is a one-time investment.

• Top 5 End User mistakes
1. Violating the company's security policy.
2. Forwarding sensitive data to their home computers.
3. Writing down accounting data.
4. Downloading from untrusted devices.
5. Failing to pay serious attention to the physical security issue.

Additional Resources

• CU*Answers has two CISSPs (Certified Information Systems Security Professionals) on staff.
– Randy Brinks ([email protected])
– Joe Couture ([email protected])

• CERT (www.cert.org)
– Home computer security document
– Home computer security checklist handout

• SANS (www.sans.org)

• Microsoft Product Security Notification
– http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/notify.asp

Additional Resources

• Other SECURE-U courses
– 9.15 – “Security Essentials”
• Essential security and privacy issues
– 9.35 – “The Armored Network”
• Network security at CU*Answers
– 9.55 – “The Human Side of Security”
• Social Engineering and other exploits
– 9.65 – “Disaster Recovery and Business Continuity”
• The CU*Answers plan

Questions and Answers

• ???