
Information Security: Security Blankets are not Enough






Presentation Transcript


  1. Information Security:Security Blankets are not Enough Karl F. Lutzen, CISSP S&T Information Security Officer

  2. About Me • Karl F. Lutzen • Certified Information Systems Security Professional (CISSP) • S&T Information Security Officer • Instructor for CS 362 • Office • Location: CH 203D • Email: kfl@mst.edu (start here!)

  3. Information • “Information” is likely the only asset that can be stolen from you while you still have full possession. • This includes: Data, Personal information, trade secrets, intellectual property, etc.

  4. Information • Clearly we need to protect: • The information itself • The systems where it lives • The access to it • And many other aspects

  5. Fundamental Principles • Confidentiality • Availability • Integrity

  6. Question • How much of the overall security will be technical solutions?

  7. Our information lives here: What all do we need to do to protect it?

  8. Physical (Environmental) Security • Physical security consists of physically securing the devices: • Locks/Cables, Alarms, Secure rooms, Cameras*, Fences, Lighting, Heating, Cooling, Fire protection, etc. • If you defeat the physical security controls, all other control domains (except one) are defeated. *Cameras will likely not prevent a theft; they only deter it or provide evidence later.

  9. Access Control and Methodology • Who has access, how is it controlled, etc. • Authentication • Passphrases, two factor, multi-factor, biometrics • Access Controls (Authorization) • Role Based Access, Mandatory Access Controls, Discretionary Access Controls • Least Privilege and Need to Know

  10. Application Development Security • Software Based Controls • Software Development Lifecycle and Principles • Development models: waterfall, spiral, etc. • Code Review

  11. Telecommunications and Network Security • Implementing correct protocols • Network services • Firewalls • IDS/IPS • Traffic Shaping • Network Topology

  12. Business Continuity Planning (BCP) / Disaster Recovery Planning (DRP) • BCP – What controls and processes do we need to implement to keep our systems running? • Backups, off-site data storage, cross-training, etc. • DRP – What do we need to do in a crisis? • Response plans, Recovery plans, etc.

  13. Security Architecture and Models • Operation modes/protection mechanisms. • Evaluation Criteria • Security Models • Common Flows/Issues: • Covert Channels, timing issues, maintenance hooks, etc.

  14. Information Security Governance and Risk Management • Policies, Standards, Guidelines and Procedures • Risk Management Tools and Practices • Risk assessment: • Qualitative vs. Quantitative • Planning and Organization

  15. Operations Security • Administrative Management • Operation Controls • Auditing • Monitoring • Intrusion Detection (operational side) • Threats/Countermeasures

  16. Legal, Regulations, Investigations and Compliance • Types of computer crimes/attacks • Categories of Law • Computer Laws • Incidents and incident handlings • Investigation and Evidence

  17. Cryptography • Concepts and Methodologies • Encryption algorithms • Asymmetric vs. symmetric • PKI • Cryptanalysis/Methods of Attacks • Steganography

  18. PICK GOOD ALGORITHMS! [Figure: the same image shown three ways: Original, Using ECB Mode, Non-ECB] ECB = Electronic Codebook. Divide the message into blocks; the same key encrypts each block separately. (http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation)
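The slide's figure shows why ECB is a poor choice: identical plaintext blocks produce identical ciphertext blocks, so the outline of the image survives encryption. The following Python is an added example, not part of the presentation. It builds a small Feistel block cipher from HMAC-SHA256 (a stand-in for AES so the example runs with the standard library only; the construction is for illustration, not for production use), then encrypts a constructed 8-row "image" in ECB and in CBC mode and counts repeated ciphertext blocks. The key, IV and image bytes are constructed values.

```python
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit blocks, the same block size as AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256(round number || half-block), truncated to a half-block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def toy_encrypt_block(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Toy Feistel network standing in for a real block cipher (demo only)."""
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(rounds):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Inverse of toy_encrypt_block: run the rounds backwards."""
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in reversed(range(rounds)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("length must be a multiple of the block size (no padding in this demo)")
    return [data[i : i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Electronic Codebook: every block is encrypted independently with the same key,
    # so equal plaintext blocks yield equal ciphertext blocks.
    return b"".join(toy_encrypt_block(key, b) for b in _blocks(plaintext))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return b"".join(toy_decrypt_block(key, b) for b in _blocks(ciphertext))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Cipher Block Chaining: each block is XORed with the previous ciphertext block
    # (or the IV) before encryption, so repeated plaintext no longer repeats in the output.
    out, prev = [], iv
    for b in _blocks(plaintext):
        prev = toy_encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ciphertext):
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block (the 'penguin' leak)."""
    bs = _blocks(ciphertext)
    return len(bs) - len(set(bs))


# Constructed "image": 8 rows of 16 one-byte pixels, black background (0x00)
# with a two-row white bar (0xff). Six of the eight rows repeat another row.
IMAGE = bytes(BLOCK) * 3 + b"\xff" * BLOCK * 2 + bytes(BLOCK) * 3

if __name__ == "__main__":
    key = os.urandom(32)
    iv = os.urandom(BLOCK)  # CBC needs a fresh, unpredictable IV for every message
    print("ECB repeated ciphertext blocks:", repeated_blocks(ecb_encrypt(key, IMAGE)))
    print("CBC repeated ciphertext blocks:", repeated_blocks(cbc_encrypt(key, iv, IMAGE)))
```

With ECB the count of repeated ciphertext blocks equals the count of repeated plaintext rows, which is exactly the structure the slide's middle picture reveals; with CBC (or any mode that chains or uses a counter) the count drops to zero. The lesson generalizes: choosing the algorithm is not enough, the mode of operation must be chosen too.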

  19. Threats to Security • Viruses and Worms • Other Malware and Trojans • Social Engineering/Phishing • Intruders • Insiders • Criminal Organizations • Terrorists and Information Warfare • Insecure Applications

  20. Viruses, Worms, Malware, Trojans • Lack of policies/training/procedures • Employees can bring in problems! • Mitigation techniques: • Anti Virus • Firewalls • TRAINING

  21. Social Engineering • Multiple methods: • Phone calls • Dumpster Diving • Phishing • Mitigation techniques • Policies/Procedures • Training

  22. Intruders • Def: Deliberately accessing systems or networks to which one is not authorized • Types: • Unstructured threat – not after a specific target • Opportunity • Script Kiddies • Structured Threat – a specific target is in mind • Elite hackers

  23. Insiders • Most Dangerous! Accounts for 70-75% of all security events • Insiders have access to the keys to the kingdom • Human errors account for many security events • Mitigation • Policies, Procedures, Training, Monitoring, etc

  24. Criminal Organizations • With so many business functions now relying on the Internet, crime was sure to follow it. • Attacks: • Fraud, extortion, theft, embezzlement and forgery • Well funded, hire elite hackers, willing to spend years if necessary • Type: Structured attack

  25. Two Types of Electronic Crime • Crimes in which the computer was the target of the attack • Incidents in which the computer was a means of perpetrating a criminal act.

  26. Threats to Security • The biggest change that has occurred in security over the last 30 years has been the change in the computing environment • Central Mainframes to • Decentralized smaller, yet interconnected, systems • Although we seem to be shifting back towards central data centers for core operations.

  27. Avenues of Attack • Types: • Specific target of an attacker • Target of opportunity

  28. Steps in an Attack • Reconnaissance • Gather easily available data • Publicly available information from the web • Newspapers • Financial reports (if publicly traded they are available) • Google as an attack tool?

  29. Reconnaissance (cont.) • Probing • Ping sweeps – find hosts • Port sweeps – find open ports to then test for holes • Determine OS (can be done quite accurately!)

  30. Steps in an attack • Attempt to exploit vulnerabilities • Attempt to gain access through userid/passwords • Brute force • Social engineering • And of course there is simply the physical theft of the system, backup tapes, etc.!

  31. Minimizing Attack Avenues • Patch against vulnerabilities • Use of DMZ (system isolation) • Firewalls • Intrusion detection/prevention systems • Minimize open ports/systems directly accessible to the Internet • Good physical security • Good training to negate social engineering attacks

  32. RSA Attack • March 2011, RSA had a data breach • Attackers stole information which affected some 40 million two-factor authentication tokens • Devices are used in private industry and government agencies • Each produces a 6-digit number every 60 seconds.

  33. RSA Attack Analysis • An Advanced Persistent Threat (APT) A structured (advanced), targeted attack (persistent), intent on gaining information (threat)

  34. RSA Background • RSA is a security company that employs a great number of security devices to prevent such a data breach • The methods used bypassed many of the controls that would otherwise have prevented a direct attack

  35. Attacker Initial Steps • Attackers acquired valid email addresses of a small group of employees. • If the attackers had spammed all possible addresses, it would have given them away and made prevention/detection by RSA much easier.

  36. Phishing Emails • Two different phishing emails sent over a two-day period. • Sent to two small groups of employees, not particularly high profile or high value targets. • Subject line read: 2011 Recruitment Plan • SPAM filtering DID catch it, but put it in the Junk folder

  37. Employee Mistake • One employee retrieved the email from the Junk mail folder • Email contained an Excel spreadsheet entitled: 2001 Recruitment Plan.xls • Spreadsheet contained a zero-day exploit through Adobe Flash (since patched). • Installed a backdoor program to allow access.

  38. Remote Administration Tool (RAT) • Attackers chose to use the Poison Ivy RAT. • Very tiny footprint • Gives attacker complete control over the system • Set in reverse-connect mode. System reaches out to get commands. Fairly standard method of getting through firewalls/IPS

  39. Digital Shoulder-Surfing • Next the attackers just sat back and digitally listened to what was going on with the system • The initial system/user didn’t have adequate access for their needs so they needed to take a step to another system to go further.

  40. Harvesting • The initial platform wasn’t adequate, so the attackers harvested credentials (user, domain admin, service accounts). • Next, performed privilege escalation on non-admin users on other targeted systems. Goal: gain access to high value systems/targets.

  41. The Race • During the stepping from system to system, security controls detected an attack in progress. The race was now on. • Attacker had to move very quickly during this phase of finding a valuable target.

  42. Data Gathering • Attacker established access at staging servers at key aggregation points to retrieve data. • As they visited servers of interest, data was copied to staging servers. • Staging servers aggregated, compressed, encrypted and then FTP’d the data out.

  43. Receiving Host • Target receiving data was a compromised host at an external hosting provider. • Attacker then removed the files from the external compromised host to remove traces of the attack. • This also hid the attacker’s true identity/location.

  44. Lessons Learned • Weakest link: A human • Layered Security: Not adequate to prevent • Upside: Able to implement new security controls that up to this point were considered too restrictive.

  45. Karl’s Changes • What follows would be the changes I’d make at RSA. • Note, they are a commercial company and do not have the open requirements higher education has. Two different beasts. • If I were to implement these, very likely I’d be doing a different job…

  46. Changes • Traffic shaping both ways. (Firewall port blocking isn’t enough) • Block all but specific protocols • IDS/IPS on all those protocols • Aggressive use of DMZ: Isolate systems • Isolate workstations from one another • Clean Access Solutions on all systems
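Slide 42 describes the data leaving over FTP from staging servers, and slide 46 proposes allowing only specific outbound protocols with IDS/IPS on each. The following Python is an added example, not from the presentation: it applies that egress policy as detection logic over constructed flow-log lines (timestamp, source, destination, destination port, bytes), flagging outbound connections to ports outside an allow-list and source/destination pairs whose total outbound volume exceeds a threshold. The internal range, the allowed ports, the threshold and all addresses (RFC 5737 documentation ranges) are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed policy: internal address space, the only outbound services permitted,
# and a per-destination volume above which egress is reviewed.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
ALLOWED_EGRESS_PORTS = {53, 123, 443}
VOLUME_THRESHOLD = 50 * 1024 * 1024  # 50 MiB

# Constructed flow records: "<timestamp> <src> <dst> <dst_port> <bytes_out>".
# The 10.0.5.21 flows model a staging server pushing an archive out over FTP
# (control channel on 21, passive data channel on a high port).
SAMPLE_FLOWS = """
2011-03-XXT02:14:05 10.0.5.21 10.0.7.9 445 1200000
2011-03-XXT02:15:11 10.0.5.21 203.0.113.45 21 734
2011-03-XXT02:15:12 10.0.5.21 203.0.113.45 51234 812345678
2011-03-XXT09:01:02 10.0.1.15 198.51.100.7 443 52310
2011-03-XXT09:02:44 10.0.1.15 198.51.100.9 53 310
"""


@dataclass
class Flow:
    ts: str
    src: object
    dst: object
    dport: int
    nbytes: int


def parse_flows(text: str) -> list:
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(ts, ip_address(src), ip_address(dst), int(dport), int(nbytes)))
    return flows


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def find_egress_violations(flows: list) -> list:
    """Return (src, dst, reason) tuples for outbound traffic that breaks the egress policy."""
    findings = []
    volume = {}
    for f in flows:
        if not (is_internal(f.src) and not is_internal(f.dst)):
            continue  # east-west or inbound traffic is outside an egress policy
        if f.dport not in ALLOWED_EGRESS_PORTS:
            findings.append((str(f.src), str(f.dst), f"egress to port {f.dport} not in allow-list"))
        key = (str(f.src), str(f.dst))
        volume[key] = volume.get(key, 0) + f.nbytes
    for (src, dst), total in volume.items():
        if total > VOLUME_THRESHOLD:
            findings.append((src, dst, f"{total} bytes outbound exceeds {VOLUME_THRESHOLD}"))
    return findings


if __name__ == "__main__":
    for src, dst, reason in find_egress_violations(parse_flows(SAMPLE_FLOWS)):
        print(f"{src} -> {dst}: {reason}")
```

Run against the sample, the internal SMB flow is ignored, the workstation's DNS and HTTPS flows pass, and the staging server produces three findings: two disallowed ports and one volume alert. In a deployment the same allow-list would drive the firewall's default-deny egress rule, so the detection logic doubles as a check that the blocking rule is actually in force.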

  47. Biggest Change • Mandatory Monthly Security Awareness training for everyone. • (breaking it into monthly modules makes it tolerable) • Needs to be interesting/fun, Door prizes, etc.
