BCS - Nottingham Offshoring-and-Security (In Reverse Order)

  1. BCS - Nottingham: Offshoring-and-Security (In Reverse Order)
     John Walker, FBCS CITP CISM MICAF PG.Cert
     British Computer Society Registered Security Specialist
     Head of Operational Security
     john.walker@uk.experian.com

  2. Genesis
     • 1993 - Polymorphism arrives as a real threat
     • Examples (Viruses): Brain – from Pakistan; Jerusalem – Israel; Cascade – West Germany; Vienna – Austria; Ping-Pong – Italy
     • 1995 - Is Windows NT susceptible to virus infections? (VB March 1995, ISSN 0956-9979)
     • First virus discovered in Russia: DOS 6.2 – Vienna
     • Virus Developers Quarterly – raw source code

  3. Landscape – About the Task
     • Virus writers, hackers, and SpyWare folk have learned Project Management skills (not the case early 2004)
     • Mobile Computing and Extended Perimeters of Operations bring with them their own set of problems
     • Viruses – from a sample of 1,500 Windows users, 44% confirmed they had suffered virus infection (I think that number is LOW) – Computing, 27 Jan 2005
     • 25% of that same sample had suffered Spyware or Phishing attacks – I am assuming the other 75% were aware that they were clean?
     • Trojans – MS Windows Media Player – WmvDownloader.a & WmvDownloader.b
     • Regulation and Governance – there is a lot of it
     • DDoS – new security considerations – VoIP – spIM

  4. Consider . . . (Something Old)
     How many holes do you think software could have? Consider Windows XP:
     • 40 Million: the number of lines of code in Windows XP (60M? in SP2).
     • 5 per 1,000: with high quality coding, you still have an estimated 5 bugs in every thousand lines of a program (40M lines × 5 per 1,000 = 200,000 bugs).
     • 200: the number of security holes in WinXP if only 1 out of 1,000 of those bugs is remotely exploitable (200,000 / 1,000). Might be -much- higher...
     Source: Win2knews
     The same consideration may be applied to other applications – just look at the history of exploits!

  5. The Brothers SPAM & spIM
     Loads of SPAM:
     • Prescription drugs, healthcare
     • Begging letters
     • Easy ways to make money
     • The usual stuff (images)
     • Low cost, ripped-off software
     Loads of spIM:
     Possibly the first IM-based attack to be mounted was against AOL, using the AOL IM. This scam has the subject "Confirm AOL billing info" and attempts to convince the user to reveal their AOL username and password. The communication goes on to advise that if the user does not follow instructions, payments to AOL can't be processed.

  6. Phone a Friend - VoIP
     • In the next generation of security threats, it is highly likely that VoIP will be/is a target!
     • Proof of concepts do exist (USA) that allow hackers to manipulate communications by inserting their ‘own’ choice of words into live conversations – consider the ramifications.
     • Bottom line – as with any other network-based system, VoIP needs to be secured – don’t just think of it as a new telephone system
     • See: www.facetime.com for information on VoIP security

  7. Here’s Looking at You – SpyWare (Something Borrowed)
     • Code on computers (not authorised)
     • Pop-ups
     • Redirection
     • Affiliate money makers
     • Slowing PCs
     • Crashing PCs
     • Keystroke monitors
     • And more . . .
     Based on trends to date, expected to rise by a factor of 10

  8. Let’s Go Phishing
     • Project-managed attackers – Spyware can act as a trigger (Crimeware). Once this malware runs, it may start collecting data when a user visits a selected site.
     • These emails try to drive users to the real site to log in, which will activate the spyware.
     • An example (image on the original slide)

  9. Not Forgetting Viruses and Worms
     • Now an accepted way of life for any user of a computer, whether at home or in the office
     • They spread fast, and can have high impact on system availability
     • Prediction – they will get smarter; they do not have to be destructive, why not leverage their power to work for the attacker – imagination will be the only limitation here
     • You’ve got AV in place – so what, that does not ensure you will remain infection free
     • W32/Rbot_GR (Peeping Tom) – locates and uses web cams to look into your personal space.

  10. Hidden Content – Whatever you wish (Something New)
      "The file C:\xxx Settings\xxx\Local Settings\Temporary Internet Files\Content.IE5\xxx\xxx is infected with Mr-Nasty.gen - Known Virus, Detected with Scan Engine 4.4.00 DAT version 4.0.4422. The file was successfully deleted. (from PC0xxxxxxxx IP xx.xxx.xxx.xxx user xxxx running VirusScan 4.5.1 SP1 OAS)"
      Every picture tells a story
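The on-access-scan alert quoted on slide 10 is the kind of message that arrives in bulk across a fleet, and the operational questions are which hosts keep producing detections, whether the scanner's action actually succeeded, and whether every host is on a current DAT. The parser below is an added example, not code from the talk or from McAfee: its regular expression is modelled only on the shape of the single alert shown above (field order and wording are assumed from that line, not taken from product documentation), and the sample alerts, host names, user names, paths and IP addresses are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field layout assumed from the single alert quoted on the slide:
#   The file <path> is infected with <detection> - Known Virus, Detected with
#   Scan Engine <engine> DAT version <dat>. The file was <action>.(from <host>
#   IP <ip> user <user> running <product>)
ALERT_RE = re.compile(
    r"The file (?P<path>.+?) is infected with (?P<detection>.+?) - Known Virus, "
    r"Detected with Scan Engine (?P<engine>[\d.]+) DAT version (?P<dat>[\d.]+)\. "
    r"The file was (?P<action>.+?)\.\s*"
    r"\(from (?P<host>\S+) IP (?P<ip>\S+) user (?P<user>\S+) running (?P<product>.+?)\)"
)


@dataclass
class AvAlert:
    path: str
    detection: str
    engine: str
    dat: str
    action: str
    host: str
    ip: str
    user: str
    product: str

    @property
    def cleaned(self) -> bool:
        # The slide's alert reports "successfully deleted"; any other action
        # (e.g. a file the scanner could not remove) deserves a follow-up.
        return "successfully" in self.action.lower()


def parse_alert(line: str) -> Optional[AvAlert]:
    """Parse one alert line; returns None for lines that do not match."""
    normalised = " ".join(line.split())  # collapse wrapped or doubled whitespace
    match = ALERT_RE.search(normalised)
    if not match:
        return None
    return AvAlert(**match.groupdict())


def triage(lines: List[str]) -> Dict[str, object]:
    """Summarise a batch of alert lines for an operations review."""
    parsed = [alert for alert in map(parse_alert, lines) if alert is not None]
    return {
        "parsed": len(parsed),
        "unparsed": len(lines) - len(parsed),
        "detections_by_host": dict(Counter(alert.host for alert in parsed)),
        "not_cleaned": [alert.path for alert in parsed if not alert.cleaned],
        "dat_versions": sorted({alert.dat for alert in parsed}),
    }


# Constructed sample input: hosts, users, paths and IPs are invented
# (192.0.2.0/24 is a documentation range), modelled on the slide's alert.
SAMPLE_ALERTS = [
    r"The file C:\Documents and Settings\alice\Local Settings\Temporary Internet Files"
    r"\Content.IE5\K1A2B3C4\banner[1].gif is infected with Mr-Nasty.gen - Known Virus, "
    r"Detected with Scan Engine 4.4.00 DAT version 4.0.4422. The file was successfully "
    r"deleted.(from PC0001 IP 192.0.2.10 user alice running VirusScan 4.5.1 SP1 OAS)",
    r"The file C:\Documents and Settings\alice\Local Settings\Temporary Internet Files"
    r"\Content.IE5\K1A2B3C4\promo[1].jpg is infected with Mr-Nasty.gen - Known Virus, "
    r"Detected with Scan Engine 4.4.00 DAT version 4.0.4422. The file was successfully "
    r"deleted.(from PC0001 IP 192.0.2.10 user alice running VirusScan 4.5.1 SP1 OAS)",
    r"The file C:\WINDOWS\Temp\~tmp42.exe is infected with Mr-Nasty.gen - Known Virus, "
    r"Detected with Scan Engine 4.4.00 DAT version 4.0.4401. The file was not deleted."
    r"(from PC0002 IP 192.0.2.11 user bob running VirusScan 4.5.1 SP1 OAS)",
    "On-access scan statistics: 12,304 files scanned, 0 infected",  # not an alert line
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERTS).items():
        print(f"{key}: {value}")
```

The summary deliberately reports how many lines did not parse: a silent drop of unmatched lines would hide exactly the alerts whose wording changed after a product upgrade, and a host whose file was not cleaned, or whose DAT version lags the rest, is the one to chase first.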

  11. Hidden Content – Whatever you wish (Something Potentially Blue)
      OR
      Every picture tells a story – AND SOME MAY BE NOT SO ACCEPTABLE

  12. The Need to Move - Mobilisation
      The mobilisation of the workforce dictates that what has been seen thus far as the preserve of Perimeter Security to underpin and deter attacks has now had a quantum shift, encompassing such areas as:
      • WiFi (802.11b/g), Bluetooth, Smart Phones and PDAs
      • Outsourcing – how will it affect the Perimeter of Security, or what has been thus far accepted as the organisational ‘Area of Control’ (will it push it or pull it?)

  13. Legislation & Controls - Challenges
      • Gramm-Leach-Bliley Act of 1999 (GLBA)
      • Securities and Exchange Commission (SEC) compliance issues (17a-4)
      • NASD
      • Sarbanes-Oxley Act
      • USA Patriot Act
      • HIPAA Privacy
      • HIPAA Security
      • FDA’s Electronic Records/Signatures (ERES – 21 CFR 11)
      • Mental Hygiene Law Sec. 33.13
      • And Computer Security Act
      • NIST
      • And . . . there are MORE

  14. Build Them Secure – or Suffer
      Probably one of the most important aspects (the FIRST) of technical security is that of how systems are built:
      • Remember – out of the box does not necessarily support security
      • Have an agreed Baseline Build for all systems, including workstations, mobiles (laptops etc), servers, and any other device that serves a Production environment – you also need to consider phones and PDAs
      • If you outsource, or use Third Party Service Providers – don’t forget this may also apply to them
      This is something old, but still gets missed

  15. Alerting – Key Stuff
      • High importance should be placed on obtaining early reports of Vulnerability Alerts – if not in place, how do you know what you are at risk from?
      • Don’t forget this is equally important for any systems outside the Perimeter of the Organisation – home users, and say Outsourced Systems/applications, can also harbour insecurities and vulnerabilities – so make sure you encompass them in the plan
      Out of sight/site should not be out of mind

  16. Patch and Fix – or Die
      • Closely following Alerting – Patch and Fix
      • This is as important as deploying Anti-Virus signatures – yet it still seems to take a back seat
      • Lots of stuff to consider here – the most important aspect is to stay connected to those security alerts

  17. It Don’t Have to be Expensive
      It is not always necessary to spend high numbers to achieve Operational Security – consider:
      • What do you own – already?
      • What can you leverage from the O/S and applications?
      • LOW cost, HIGH functionality
      However, if you have a financial pot with no bottom, please feel free to discount these ideas

  18. It Don’t Have to be Expensive (What you can Leverage)
      1. SNORT: good IDS, very effective (use the language)
      2. Office 2003: document security
      3. AP Logging: review them on a regular basis
      4. Vulnerability Alerts: there are many good free ones (take a look at OSVDB)
      5. Use Free Encryption: turn on NTFS for NT, 2000, and XP – better than nothing (EFS for 2000 and later)
      6. WiFi - WEP: not great, but better than nothing
      7. O/S Options: Eventtriggers (Win2k, XP, 2003)

  19. It Don’t Have to be Expensive (SpyWare)
      Anti-SPAM is no longer to be considered a nice-to-have, but is A MUST. MS have produced a very functional tool – here in its Beta Release

  20. It Don’t Have to be Expensive (Log Analysis)
      Drill Down – Sawmill – LOW cost, HIGH functionality

  21. Security Testing – Who, When, Why
      It is essential that in any project or application lifecycle, the element of security is both acknowledged and addressed (for the ex-Government people in the audience – remember Memorandum No 10).
      For HIGH assurance this should be done:
      • During development phases
      • Post time of deployment
      • After any change has been applied
      • Periodically
      When conducting testing, for best effect and value, use a known methodology such as OWASP

  22. Policy and Governance has its Place . . BUT
      • Security Policies are very important to underpin the security mission of any business – they are the rules that all should abide by – and if not, there will/may be consequences. However, remember:
      • Security Policies are passive – just because you have one does not make you secure – so don’t fool yourself
      • They underpin the day-to-day operations and practices; however, in an operational sense, they have no real value.
      • They do not proactively avoid an insecurity occurring, they only advise the rules – they will not tell you when things go wrong, but they may be used after the fact.
      Governance should help the business, not grind it to a halt

  23. What Next – What can help
      • MSc in IT Security – Fred Piper – Royal Holloway
      • IISP – Institute of Information Security Professionals – Jan 2006
      • CISM – Certified Information Security Manager
      • CISSP – Certified Information Security Professional
      • BCS Membership – Professional Development (is key)
      • Read, read, and . . . read – it is a fast moving area – to keep up

  24. Future of IT Security
      • Drivers are high – it is now a Main Board topic, and key to the business
      • Personal opinion – I feel it will become a Main Board position
      • The area of expertise will grow – needs technical underpinning
      • I believe that it is a science (a mix of psychology and technology)
      • It is a challenge – can be pressured – has an element of ‘the buck stops here’ – but is also rewarding and enjoyable
      • One quality required is, ‘decision makers are key’

  25. Outsourcing
      • Skills
      • Value
      • Risk Assessments – post not pre
      • Contracts and SLA
      • Team Work
      • Compliance and Governance
      Let’s talk:
      • Security Challenges
      • Leverage
      • Mapping
      • Process and Procedure
      • Are they IN or OUT?

  26. Outsourcing – Security
      Outsourcing is now on the up, and many organisations have entered into contracts – but the security model needs to be considered!
      • Any pre-deployment Risk Assessments need to take into account not what is today, but what will be tomorrow
      • How do the pre- and post-deployment perimeters compare – has the company’s boundary of operations moved?
      • Where do you deploy your security defences? (dependent on the aforementioned factors)
      • Do your policies and baselines work – are Minimum Controls achievable, and maintained?

  27. Brief Q&A – Questions
