Protecting Your Technology Assets: Understanding and Addressing the Current Threats to an Organization From Internet Access. Presented By Jeff Greenspan, Database & LAN Solutions, Inc. Friday, October 7, 2005. email@example.com 703-503-4485
What We’ll Cover • Educator’s Dilemma: Educate and Protect • Nature of the Threat • Tools to Mitigate Risk • Firewalls • Anti-Virus and Anti-Spam • Automatic Updates • Disaster Planning and Recovery • Q & A
Educator’s Dilemma Top Concerns of Administrators • Student and Staff Safety • Educational Excellence • Greater Expectations, Diminishing Resources
Educator’s Dilemma Changing Paradigm • Internet is Still Relatively Young • Technology Changes Rapidly • Regulatory Interference / Imposition Aspects • Changing Needs of Students as They Age: From Protection to Freedom • Shifting Responsibilities with Age
Educator’s Dilemma What are the Core Components of a Comprehensive Strategy in School to Support the Safe and Responsible Use of the Internet? • 1. Safe Places for Younger Students • The primary focus for elementary students should be on maintaining a safe and secure environment. • Elementary students should use the Internet in an environment that specifically restricts their access to sites that have been previewed to determine their appropriateness. • If it is ever necessary for a student to seek information on the more open Internet, such access must only occur with “over-the-shoulder” adult supervision. • Elementary students should use electronic communications in a fully open environment, such as a classroom setting. • 2. Education and Supervision for Older Students • As students become older, the focus should shift to strategies that will help them learn to independently make safe and responsible choices and ensure accountability. • Educating students about how to avoid inadvertently accessing inappropriate material, and about appropriate, effective responses if they accidentally access such material (especially if the site has “trapped” them and will not allow them to exit), is essential. • Supervision and monitoring must be sufficient to detect instances of misuse. • Source: White Paper on Network Monitoring by Nancy Willard, MS, JD
Educator’s Dilemma Core Components – Cont’d • 3. Focus on the Educational Purpose: Use of the district Internet system should be directed to those activities which support education, enrichment, and career development. • 4. Clear Well Communicated Policy: Students and staff should have a clear understanding of the kinds of activities that are and are not considered acceptable. • 5. Education About Safe and Responsible Use: Teachers, administrators and students should receive instruction related to the safe and responsible use of the Internet.
Educator’s Dilemma Core Components – Cont’d • 6. Supervision and Monitoring • Student use of the Internet should be supervised by teachers in a manner that is appropriate for the age of the students and circumstances of use. • Supervision and monitoring must be sufficient to establish the expectation that there is a high probability that instances of misuse will be detected and result in disciplinary action. • 7. Discipline • Misuse of the Internet by students should be addressed in a manner that makes use of the “teachable moment” both for the individual student and other students in the school.
Educator’s Dilemma Interpreting CIPA • Must have an approved Internet Safety Policy • Must have at least one public hearing on proposed Policy • Local control over Policy, government may not intervene • Policy must be made available to the Commission for review • Must have a technology measure in place to enforce Policy • Technology measure limited to visual depictions that are obscene, child pornography, or harmful to minors • Monitoring is required, but there is a privacy consideration • Source: North Central Education Service District of OR
Educator’s Dilemma Implementing CIPA • Most school systems are using filters • Filters have a number of problems • Can never be 100% effective • Block legitimate material • Not present everywhere (students should still learn how to deal with the content) • Implementation of filtering in schools often leads to a false sense of security and the failure to effectively teach students about safe and responsible use • Delegate control to a third party Protecting students is only part of the problem!
Nature of the Threat • 10 Years Ago: Viruses on Floppy; Social Hacking; High Cost to Corporations, Low Cost to Individuals • Today: Viruses are Content-Based, in Email and on the Web; Hacking is Criminal-Based; High Cost to EVERYONE; YOU are a Target; Identity Theft is the fastest growing crime
Nature of the Threat – Changing Threat Matrix (chart, Source: Fortinet, Inc.) • Axes: time (1970, 1980, 1990, 2000) against SPEED, DAMAGE ($) • PHYSICAL: Hardware Theft • CONNECTION-BASED: Viruses, Worms, Trojans • CONTENT-BASED: Spam, Banned Content • Content Attacks: Fast, Costly, & Indiscriminate
Nature of the Threat Governance, Compliance & Risk • New risks to organizations and individuals associated with regulatory compliance. • Sarbanes-Oxley, GLBA, HIPAA, CIPA… • Broad objectives, few directives • More regulations are expected
Nature of the Threat Where Do Hackers Originate • There are three tiers of hackers: • Elite • IT savvy • Script Kiddies • There are probably 400-500 elite hackers in the world. • Many work for organized crime in other countries. • Many publish their exploits to create “white noise” to hide their activities.
Nature of the Threat No One is Safe • Most victims are “targets of opportunity” • Anyone can be a victim • Cable/DSL users are frequent targets • Hackers have unlimited time • Attackers only need to find one vulnerability, whereas defenders must protect all systems
Nature of the Threat Some Results of Being Hacked • Theft of your data • Files and other Intellectual Property • Bank account and password data (identity theft) • Damage to your system • Data modification or deletion • Operating system corruption and crash • Use of your system for illegal purposes • attacking others (Denial of Service attacks) • distributing illegal content.
Troubling Statistics Source: http://www.cert.org/stats/cert_stats.html Please note that an incident may involve one site or hundreds (or even thousands) of sites. Also, some incidents may involve ongoing activity for long periods of time.
Troubling Statistics • From the 2004 E-Crime Watch • 43% report increase over 2003 • 56% state operational losses • 25% state financial losses • 12% other losses • Only 30% report no e-crime or intrusion • 71% of attacks from outside, 29% inside • “Many companies still seem unwilling to report e-crime for fear of damaging their reputation “
Nature of the Threat • iDEFENSE Security Advisory 03.21.05 - Local exploitation of a buffer overflow vulnerability within the Core Foundation Library included by default in Apple Computer Inc.'s Mac OS X could allow an attacker to gain root privileges • Zdnet News.com 03.29.05 - With eight new variants surfacing in the last week alone, and over a dozen reported since the beginning of March, the Mytob mass-mailing worm, featuring backdoor capabilities, appears to be evolving rapidly. • Boston.com 03.21.05 - Boston College warns about 120,000 graduates that a computer hacker may have gained access to their personal information by raiding a computer that contained the alumni database. • Aunty-spam.com 03.25.05 - Two security companies have discovered that there are two worms, one old and revised, and one new, which are targeting MSN Messenger users. Both worms are considered to be medium-to-high risk. • ChoicePoint data breach (disclosed February 2005)
Nature of the Threat Recent Virus Outbreaks • Netsky Variant 2005-09-26 • Bagle Downloader variants 2005-09-20 • Bagle Downloader variants 2005-09-19 • Trojan variant 2005-09-14 • MyTob variant 2005-09-14 • MyTob variant 2005-09-14 • Bagle variant 2005-09-12 • Rechnung Trojan variant 2005-09-11 • Bagle variant 2005-09-09 • Bobax variant 2005-09-07 • Outbreak => 1. New virus or variant. 2. Damage potential moderate to significant. 3. Widespread distribution
Nature of the Threat Is there anyone in the room who isn’t convinced that they need to take steps to protect himself, herself, or his/her company?
Is there any Good News? • There are tools and techniques you can use to protect yourself. • Many of these make good business sense. • Countermeasures should be viewed like any business decision: in context and with a cost-benefit analysis. • Implement layered security to reduce the most significant risks.
Tell Me What to Do – HIPAA Requirements • Assign responsibility • Assess Risk • Develop Strategies and Policies to Mitigate the Risks • Remediate • Secure Third Parties • Train • Evaluate • Monitor • Not unlike medicine: diagnose, treat, maintain
Firewall Technologies (diagram, Source: Sonicwall, Inc.) • The FIREWALL sits between Your Computer / Your Office and everything outside it: Your Headquarters, Your Neighbor, Your Competitor, A Hacker
Firewall Technologies • NAT – Network Address Translation • Packet Filtering • Proxy Firewalls • Stateful Packet Inspection (SPI) • Does not inspect content • Deep Packet Inspection (DPI) • Can inspect and detect SOME content-based threats • Technology changes almost every day – your staff may think that technologies that have already been hacked are still valid and sufficient.
Firewall Technologies - SPI (diagram, Source: Sonicwall, Inc.) • Stateful Firewall: keeps Session State for the connections Your Computer opens; incoming packets that correspond to recent outgoing requests are passed through, unsolicited incoming packets are not.
Firewall Technologies - SPI (diagram, Source: Fortinet, Inc.) STATEFUL INSPECTION FIREWALL – DATA PACKET ORIENTED, NO CONTENT REVIEW • Inspects packet “headers” only (TO, FROM, TYPE OF DATA, etc.) – i.e. looks at the envelope, but not at what’s contained inside • Packet “payload” (data) is Not Scanned • Diagram: a download of http://www.freesurf.com/downloads/Gettysburg arrives as a series of packets carrying the Gettysburg Address (“Four score and … our forefathers brought forth upon this continent a new nation, … liberty, and dedicated to the proposition that all …”); every packet is marked OK, including the one whose payload carries BAD CONTENT
Firewall Technologies – DPI • New technology recently released by many SPI firewall vendors. • Often associated with Intrusion Detection, Intrusion Prevention, or Anomaly Detection • Signatures can be written to detect and block known protocols, applications and exploits; catching unknown ones relies on anomaly detection, and a signature matched packet-by-packet can miss content that is split across packets, so the device must reassemble the stream
Firewall Technologies - Summary • Firewalls are the first line of defense against Internet-borne threats. • Firewalls are necessary but not sufficient, because of the complex nature of content-based threats. • Firewall vendors also offer other services • Virtual Private Networking • Gateway AV • Content Filtering • Anti-Spyware • Logging and Reporting
Firewall Technologies - Summary Buying a Firewall • Two components: appliance & services • Costs for both increase with # of users • Appliance technology is based on current threat matrix. Can’t predict future, so appliance life may be limited!
Anti-Virus and Anti-Spam Technologies Four Types of A/V Protection • Single User Anti-Virus Software • Auto-Managed Anti-Virus Service • Enforced Anti-Virus Service • Gateway-based Anti-Virus
Anti-Virus and Anti-Spam Technologies Gateway-based Anti-Virus • AV vendors like Symantec, Trend and McAfee have standalone email AV gateway products. • Security appliances like Sonicwall, Fortinet, Watchguard, etc. can provide AV checking of all content, including email, web, ftp, etc. They also provide other capabilities (IDP, A/S). • McAfee’s Webshield appliance is similar.
Anti-Virus and Anti-Spam Technologies Why Layering Technologies Works • Assume 100 virus-laden email messages: package 1 stops 90%, leaving 10; package 2 stops 90%, leaving 1. • Together the two packages are 99% effective. • This arithmetic assumes the two packages miss different things; two copies of the same engine and signatures add nothing, which is why the layers should come from different vendors. • Layer security products at your most vulnerable points, like A/V. • Layering technologies enhances security!
Anti-Virus and Anti-Spam Technologies Anti-Spam Protection • Technology is still evolving. • Stand-Alone Systems • McAfee Spamkiller • Challenge/Response Systems • Multi-User Systems • I Hate Spam • Service/Host-based, like Postini • RBL Lists: list.dsbl.org, bl.spamcop.net • Email Security Appliances – IronPort, Barracuda • False positives are always a concern
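The RBL entries on the slide are DNS-based blocklists, and the lookup itself is simple enough to show. The following is an added example, not code from the original presentation or from any product it names: it builds the reversed-octet query name, interprets the answer, and ignores answers outside 127.0.0.0/8 (a lapsed list domain that has been wildcarded would otherwise mark every sender as listed, one source of the false positives the slide warns about). The zone names are the two on the slide; the resolver is injectable so the demo runs offline against a constructed answer table.

```python
"""DNSBL (RBL) lookup as used by the anti-spam systems on the slide.

Added example, not from the original slides. A DNS blocklist is queried by
reversing the octets of the sending server's IP and appending the list's
zone; an A record inside 127.0.0.0/8 means "listed" and its last octet
usually encodes the reason. The FAKE_DNS table is constructed so the demo
runs offline; real_resolver does a live lookup if you want one.
"""
import ipaddress
import socket

ZONES = ["bl.spamcop.net", "list.dsbl.org"]  # the two lists named on the slide
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_name(ip, zone):
    """Build the query name: 192.0.2.1 on bl.spamcop.net -> 1.2.0.192.bl.spamcop.net"""
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not a valid IPv4 address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def real_resolver(name):
    """Live lookup; returns the A record, or None on NXDOMAIN / error."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip, zones=ZONES, resolve=real_resolver):
    """Return {zone: return_code} for every zone that lists ip.

    Only answers inside 127.0.0.0/8 count as a listing. Anything else (for
    example a dead zone whose domain now wildcards to a web server) is
    ignored instead of rejecting all mail.
    """
    hits = {}
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        if answer and ipaddress.IPv4Address(answer) in LISTED_RANGE:
            hits[zone] = answer
    return hits


# Constructed DNS answers standing in for the live lists.
FAKE_DNS = {
    "9.113.0.203.bl.spamcop.net": "127.0.0.2",   # listed
    "9.113.0.203.list.dsbl.org": "127.0.0.3",    # listed, different return code
    "1.2.0.192.list.dsbl.org": "198.51.100.80",  # wildcarded web server, NOT a listing
}


def fake_resolver(name):
    return FAKE_DNS.get(name)


def demo():
    """Verdicts for two constructed sender addresses."""
    return {
        "203.0.113.9": check_ip("203.0.113.9", resolve=fake_resolver),
        "192.0.2.1": check_ip("192.0.2.1", resolve=fake_resolver),
    }


if __name__ == "__main__":
    for sender, hits in demo().items():
        print(sender, "listed on" if hits else "clean", hits or "")
```

Two operational notes: return codes differ per list, so a filter should read each list's documentation before treating a code as "spam source" rather than, say, "open relay"; and retired lists (DSBL has since closed) must be removed from the zone list, not left to time out or answer with garbage.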
Anti-Virus and Anti-Spam Technologies Technologies are converging • Adding software layers can decrease server stability • Software-based solutions are only as secure as their OS platform, and far too likely to be disabled by the user • Security appliances are becoming the norm • Many appliance vendors’ solutions encompass multiple technologies. Sonicwall & Fortinet are great examples. • Merrill Lynch • “… Fortinet is probably the most prominent private entrant into the market for multi-function security appliances.” • Needham & Company • “Two of the major trends we see in today’s security marketplace are the move towards multi-function suites and a shift to hardware-based platforms. Fortinet is at the vanguard of both waves…”
Automatic Updates Updates are Critical for Prevention • Set A/V and other systems for automatic daily updates whenever possible • Don’t forget firmware updates for routers, servers and security appliances. These must be done manually. • Workstation and server operating systems, when not patched, provide hackers with free computing power!
Automatic Updates • Stand-alones and Small Networks: • Windows 98 and up can be configured for Automatic Updates • Mid-size networks • Microsoft’s Software Update Service (SUS) becomes Windows Software Update Service (WSUS) • http://www.microsoft.com/windowsserversystem/sus/default.mspx • Enterprises • Systems Management Server 2003 • Novell and Unix also have patch management and application distribution systems • Many third-party solutions are also available, like Intuit’s Track-It! Patch Manager
Disaster Planning and Recovery • Plan for Failure • Every Moving Part WILL Fail • If it can go WRONG, it WILL • Develop a Backup and Recovery Plan for Data • Develop a Disaster Recovery Plan for Your Site • Expect your plan to fail too
Disaster Planning and Recovery Data Backup and Recovery • Should backup to tape (or multiple media) • Maintain an off-site backup • On-site backups stored in a fireproof safe, away from the computers • Test restores on a schedule – a backup that has never been restored is not known to work • Keep check-point (full) backups, and don’t rely on tapes alone • Backup Schemes • GFS (Grandfather-Father-Son) • Tower of Hanoi • If this is too hard for you, consider on-line Backup
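Both rotation schemes named on the slide answer the same daily question: which tape goes in the drive today? The following is an added example, not code from the original presentation: a Tower of Hanoi assignment (tape index = number of trailing zero bits of the day number, so tape k is rewritten every 2^(k+1) days) and a calendar-keyed Grandfather-Father-Son assignment. The tape counts, the Monday-to-Friday schedule and the month-end rule are constructed assumptions; a real site would set them from its own retention policy.

```python
"""Tape rotation: Tower of Hanoi and Grandfather-Father-Son (GFS).

Added example, not from the original slides. Assumptions (constructed):
one backup per working day (Mon-Fri), Hanoi uses 5 tapes, GFS uses four
daily tapes (Mon-Thu), a weekly tape on Friday and a monthly tape on the
last Friday of the month.
"""
import datetime

DAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def hanoi_tape(day, tapes=5):
    """Tower of Hanoi: tape index = trailing zero bits of the 1-based day number.

    Tape 0 is rewritten every 2 days, tape 1 every 4, tape 2 every 8, ...
    so recent restore points stay dense while older ones thin out, and the
    highest tape is reused for any day whose trailing zeros exceed it.
    """
    if day < 1:
        raise ValueError("days are numbered from 1")
    trailing_zeros = (day & -day).bit_length() - 1
    return min(trailing_zeros, tapes - 1)


def hanoi_schedule(days, tapes=5):
    """Tape used on each of days 1..days, e.g. [0, 1, 0, 2, 0, 1, 0, 3, ...]."""
    return [hanoi_tape(d, tapes) for d in range(1, days + 1)]


def hanoi_restore_points(day, tapes=5):
    """Age in days of the backup each tape holds once `day` has been written."""
    latest = {}
    for d in range(1, day + 1):
        latest[hanoi_tape(d, tapes)] = d
    return {tape: day - written for tape, written in sorted(latest.items())}


def _last_friday(year, month):
    next_month = datetime.date(year + 1, 1, 1) if month == 12 else datetime.date(year, month + 1, 1)
    last_day = next_month - datetime.timedelta(days=1)
    return last_day - datetime.timedelta(days=(last_day.weekday() - 4) % 7)


def gfs_tape(date, weekly_tapes=4, monthly_tapes=12):
    """GFS keyed on a calendar date; returns the tape label or None (no backup).

    Son        : daily-Mon .. daily-Thu, overwritten every week
    Father     : weekly-N on Fridays, cycling through `weekly_tapes` tapes
    Grandfather: monthly-M on the last Friday of the month (one per month)
    """
    if date.weekday() >= 5:
        return None  # no backup scheduled on weekends in this scheme
    if date == _last_friday(date.year, date.month):
        return f"monthly-{(date.month - 1) % monthly_tapes + 1}"
    if date.weekday() == 4:
        return f"weekly-{date.isocalendar()[1] % weekly_tapes + 1}"
    return f"daily-{DAY_NAMES[date.weekday()]}"


if __name__ == "__main__":
    print("Hanoi, first 16 days:", hanoi_schedule(16))
    print("Hanoi, ages held after day 16:", hanoi_restore_points(16))
    talk = datetime.date(2005, 10, 7)  # the date on the title slide, a Friday
    for offset in range(0, 28, 7):
        d = talk + datetime.timedelta(days=offset)
        print(d, gfs_tape(d))
```

The restore-point function is the check worth running before adopting a scheme: it shows what you could actually get back after a given day, which is the question the "test restores" bullet is really asking. Whichever scheme is chosen, the tape that goes off site should be the one the scheme will not overwrite soonest.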
Disaster Planning and Recovery Disaster Recovery Plan • How long could your organization survive without access to technology resources • What would it cost (per day, per hour) if you had no technology resources • Rule of thumb: spend one to two days worth of costs as insurance against a disaster
Disaster Planning and Recovery Disaster Recovery Plan • Useful to implement off-site access in advance • Appreciated by employees • Remember to use secure methods • May be subsidized by local agencies • Develop scenarios and responses • Major failure of equipment • Can’t get into building • Assign responsibility • Don’t forget telephone technology
Disaster Planning and Recovery Example Plan - Requirements • Firm with 20 employees • Must receive info from clients via phone, fax and email • Must be able to cut checks every day
Disaster Planning and Recovery Example Plan - Solution • Create a Disaster Recovery Site at a Partner’s Home • Maintain daily off-site backups at that site • Set up VPN between that site and main office • If office is inaccessible, can use pcAnywhere and drive mappings to access data and apps
Disaster Planning and Recovery Example Plan - Solution • Remote site includes secure wireless. Laptops can be purchased locally if needed. Wireless cards pre-purchased. Fax/printer pre-purchased. • Remote site includes a workstation with same type of tape drive to recover data if needed • Accounting application is pre-loaded • Additional phone lines and phones installed and ready • Verizon ultra-forwarding enabled • Systems TESTED!!!
Additional Thoughts • Logging • Management Reporting • Monitoring – Internal and External • Security is a Process – Re-evaluate! • Security is Policy Driven. Where is your written Security Policy Document? • Teach your children safe and ethical cyberpractices!
Action Plan Minimum Business Recommendations • Develop and maintain a Security Policy Document. • Educate your Users. • What types of behaviors are likely to cause problems? • What does a virus look like? • Who do I talk to when I suspect a problem? • Implement an ICSA-certified SPI Firewall. • Implement Deep-Packet Inspection technology. • Implement layers of anti-virus (gateway, server, desktop), mixing vendor technologies for maximum effectiveness.
Action Plan Minimum Business Recommendations • Institute (automate when possible) patch management • Antivirus definition files • Firewall, server and router firmware updates. • Develop and maintain a Disaster Recovery Plan. • Backup Your Data • Develop a Site Disaster Plan • Develop a Systems Disaster Plan • Test your plans
Questions to Ask Your IT Provider – Firewall/Security Appliance Questions • Do we have a firewall in place? • What manufacturer and model is it? • What firmware version is running on our firewall, server and router? • What are the current versions of firmware for these devices? • Is the firewall ICSA certified? • Does it do stateful packet inspection? • Do we have any intrusion detection or intrusion prevention systems in place? • Is our network divided into zones? • Does anyone have access to our network via pcAnywhere, terminal services or any other program? Is that access over a VPN? • Do we have any wireless access to our network?
Questions to Ask Your IT Provider – Antivirus Questions • What antivirus software do we use on the desktop? Could a user disable it? • Does it get updates automatically? How do you know? • What antivirus do we use on our servers? How often does it update? • Do we host our own email? Do we have any antivirus gateways on our email server and/or on the edge of our network? • Does our antivirus software protect us against worms like Sasser? (Sasser spread through an unpatched Windows service rather than email, so the patch-management answers below matter as much as the antivirus ones.)
Questions to Ask Your IT Provider – Patch Management Questions • How do we decide what OS patches to install? • How do we decide what application patches to install? • Are patches installed automatically, or does the user have to do something to install them?
Questions to Ask Your IT Provider – Disaster Recovery Questions • Do we have a written Disaster Recovery Plan? When was it created, and when was it last updated? • How would we operate if we could not get into our facility? • What are our most critical applications? How do we respond when a server with a critical application fails? • What is our tape backup scheme? Do we have a fireproof safe? Do we keep tapes off site? • Who changes tapes, and what happens when s/he is not here?