
“Hole in the Wall – The Human Factor in Security” 13 September 2012



Presentation Transcript


  1. “Hole in the Wall – The Human Factor in Security” 13 September 2012 Mohd Rafiq Mohamed Hashim rafiq@gitn.com.my

  2. Overview • Businesses Need Internet Access • Web applications are intended to increase employee productivity! • Information sharing • Information dissemination • Extranet • Intranet • E-Commerce • E-Learning • Wikipedia

  3. “The Internet is full of information, but the Internet is also full of... THREATS!”

  4. Threats From Everywhere • Viruses • Trojan horses • Hackers • Intrusions • Phishing • Popups • Cookies • Spam • Spyware • Worms • Privacy threats. Do you have an effective means of keeping your business running smoothly by eliminating all threats and annoyances?

  5. Threats From Everywhere

  6. Confidentiality

  7. Integrity

  8. Availability

  9. The Consequences of Inadequate Security..(Cont’d) Top 10 Security Vulnerabilities (shown on a network diagram: Internet – border router – Internet/DMZ servers – internal router – internal LAN, plus remote access servers serving mobile/home users, with each item placed at the component where it occurs): 1. Inadequate router access control 2. Unsecured/unmonitored remote access 3. Information leakage via zone transfer & services (SMTP, telnet) 4. Running unnecessary services (FTP, DNS, SMTP) 5. Weak or reused passwords 6. User accounts with excessive privileges 7. Misconfigured Internet servers 8. Misconfigured firewall or router 9. Software unpatched, outdated, default configurations 10. Excessive file & directory access controls. Source: Hacking Exposed, McClure, Scambray & Kurtz, McGraw-Hill
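Items 6 and 10 of the list above (excessive privileges, excessive file and directory access controls) are the ones an individual user or administrator can check on a single machine without any special tooling. The script below is an added example and is not part of the presentation: it builds a small constructed directory tree with deliberate permission mistakes and audits it for world-writable files, world-writable directories that lack the sticky bit, and setuid/setgid executables. It assumes a POSIX filesystem; `audit_tree` can be pointed at any real directory, for example a shared drive or an application's install path.

```python
import os
import shutil
import stat
import tempfile

# Finding labels. They map loosely onto items 6 and 10 of the top-10 list
# (excessive privileges, excessive file and directory access controls).
WORLD_WRITABLE_FILE = "world-writable file"
WORLD_WRITABLE_DIR_NO_STICKY = "world-writable directory without sticky bit"
SETUID_EXECUTABLE = "setuid executable"
SETGID_EXECUTABLE = "setgid executable"


def audit_tree(root):
    """Walk `root` and return sorted (relative_path, finding) tuples.

    os.lstat is used so symlinks are examined, not their targets; a link
    into /etc would otherwise be reported with the target's mode bits.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            rel = os.path.relpath(full, root)
            if stat.S_ISDIR(mode):
                # A world-writable directory is acceptable only with the
                # sticky bit set (like /tmp), which stops users deleting or
                # renaming each other's files.
                if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                    findings.append((rel, WORLD_WRITABLE_DIR_NO_STICKY))
            elif stat.S_ISREG(mode):
                if mode & stat.S_IWOTH:
                    findings.append((rel, WORLD_WRITABLE_FILE))
                # setuid/setgid only matters on something executable.
                if mode & stat.S_ISUID and mode & stat.S_IXUSR:
                    findings.append((rel, SETUID_EXECUTABLE))
                if mode & stat.S_ISGID and mode & stat.S_IXGRP:
                    findings.append((rel, SETGID_EXECUTABLE))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed tree with deliberate mistakes; returns its path."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    for d in ("etc", "tmp", "shared"):
        os.mkdir(os.path.join(root, d))
    for rel, mode in (
        ("etc/app.conf", 0o644),   # owner-writable only: fine
        ("etc/db.conf", 0o666),    # anyone can rewrite the DB credentials
        ("bin_helper", 0o4755),    # runs as its owner for whoever executes it
    ):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "tmp"), 0o1777)    # world-writable + sticky: ok
    os.chmod(os.path.join(root, "shared"), 0o777)  # world-writable, no sticky
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        for path, finding in audit_tree(sample):
            print(f"{finding}: {path}")
    finally:
        shutil.rmtree(sample)
```

Run against the constructed tree it reports exactly three problems (the setuid helper, the world-writable config file and the unprotected shared directory) and stays silent on the sticky `tmp` directory, which is the one case where world-writable is the intended configuration.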

  10. Users Don’t Get It • There’s nothing important on my computer • We have virus software so my computer is protected from everything • All threats are from the outside • It’s not my job/I’m too busy to worry about security • Technology provides full protection

  11. Users Don’t Get It • Reasons employees gave for altering security settings on their computers (Cisco 2008 white paper)

  12. Users Don’t Get It • Employees are the security black hole. Example: RSA’s SecurID breach, 2011 • In March, an employee opened an Excel attachment from an e-mail that had landed in the junk folder • Malware in the attachment (an exploit embedded in the spreadsheet, so the file really was an .xls, not a disguised executable) created a system backdoor • The attackers were able to escalate privileges and copy SecurID security codes from a database • About 40 million tokens affected • Result: RSA customers (L-3 and Lockheed) were attacked in April & June

  13. Why: Users Don’t Get It • Phishing email sent to RSA Employee

  14. Most Common Mistakes • Poor Password Management • Workstation Attached and Unattended • Malicious E-mail Attachments • Ineffective Anti-virus Software • Uncontrolled Laptops • Unreported Security Violations • Updates, Hot Fixes, Service Packs not Installed • Poor Perimeter Protection • Electronic • Physical

  15. What? • Data Backup/Restore • Physical Security • Portables • Social Engineering • ID/Passwords • E-mail • Wireless • Malicious Software

  16. Data Backup/Restore • Users are responsible for communicating their needs • IT is responsible for making sure it happens • Included in IT procedures • Tools supplied to users

  17. Physical Security • Every User is an Extension of the Security Force • Lock Offices as Often as Practical • Restrict Open External Entrances • Technology • Cameras • Motion sensors • Alarm systems • Tags

  18. Portables • Favorite Target of Thieves • Less Likely to Draw Attention • Easily Hidden • “Turn” Fast at Pawn Shops and Online • Almost Always Contain “Sensitive” Data

  19. Social Engineering • “This is (manager, director, etc.) and I need…” • “This is Sue with the Help Desk and we are: • verifying your passwords…” • troubleshooting logon problems…” • got your (bogus) request to change your…” • E-mail Attachments • Dumpster Diving • Recover Data from Surplus Equipment/Media

  20. ID/Passwords • Users are responsible for what happens with their ID/password • If you HAVE to write them down, treat the paper like a credit card • Change passwords if there is a possibility they have been compromised • Use complex passwords • The sanctions for not protecting login credentials are…

  21. ID/Passwords Passwords Are Like Underwear: • Change yours often! • Don’t leave yours lying around! • The longer the more protection! • Don’t share yours with friends! • Be mysterious!
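Slides 20 and 21 state the password rules (length, complexity, no reuse, change on suspected compromise) without showing how a system enforces them. The following Python is an added example, not from the presentation: a policy check for length and character classes, a reuse check against salted PBKDF2 hashes of the user's previous passwords (the plaintext history is never stored), and the k-anonymity split used by breached-password range lookups, where only the first five hex characters of the SHA-1 are ever sent and the comparison happens locally. The common-password list and the "server response" are constructed stand-ins; a real client would fetch the range for each candidate over HTTPS.

```python
import hashlib
import hmac
import os
import string

# A tiny constructed stand-in for a real breached-password wordlist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "p@ssw0rd"}
PBKDF2_ROUNDS = 100_000


def complexity_problems(pw, min_len=12):
    """Return the policy violations for a candidate password (empty = accepted)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = sum(any(c in group for c in pw) for group in
                  (string.ascii_lowercase, string.ascii_uppercase,
                   string.digits, string.punctuation))
    if classes < 3:
        problems.append("uses fewer than 3 of: lower, upper, digits, punctuation")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256; store (salt, digest), never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def is_reused(pw, history):
    """True if pw matches any previous (salt, digest) pair in the user's history."""
    return any(hmac.compare_digest(hash_password(pw, salt)[1], digest)
               for salt, digest in history)


def range_query(pw):
    """k-anonymity split: only the 5-hex-char SHA-1 prefix leaves the machine;
    the 35-char suffix stays local and is compared against the returned list."""
    sha1 = hashlib.sha1(pw.encode()).hexdigest().upper()
    return sha1[:5], sha1[5:]


def breach_count(suffix, response_text):
    """Parse a 'SUFFIX:COUNT'-per-line range response; 0 means not listed."""
    for line in response_text.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def constructed_range_response(listed_suffix):
    """Stand-in for the HTTPS body of GET /range/<prefix>; constructed data."""
    return "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        f"{listed_suffix}:3730471",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:3",
    ])


# The constructed response lists the suffix of "password" as breached.
PWNED_RESPONSE = constructed_range_response(range_query("password")[1])


if __name__ == "__main__":
    history = [hash_password("Winter2012!")]  # the user's previous password
    for candidate in ("password", "Winter2012!", "Tr0ub4dor&3-is-long-enough"):
        _, suffix = range_query(candidate)
        print(candidate, complexity_problems(candidate),
              "reused" if is_reused(candidate, history) else "not reused",
              "breached x%d" % breach_count(suffix, PWNED_RESPONSE))
```

The reuse check deliberately re-derives the candidate with each stored salt, so a history of five entries costs five PBKDF2 runs; that is the price of never keeping old passwords in a form that can be compared directly.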

  22. E-Mail • E-mails Exist in Multiple Places • Deleting an Email from One Place Does Not Delete it from Anywhere Else • Be Aware of “bcc” • Spam Effects and Avoidance • Verify Attachments Before Opening • Don’t Send Confidential Information via Standard E-mail • E-mail Can be Forged
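"Verify attachments before opening" and "E-mail can be forged" on this slide, and the RSA incident on slide 12 (an Excel lure arriving from the junk folder), are the kind of checks a mail gateway or a desk-side triage script can automate. The Python below is an added example, not from the presentation: it parses a message with the standard `email` package and flags a Reply-To domain that differs from the From domain, failed SPF/DKIM/DMARC results in the Authentication-Results header, attachment types that should never be opened straight from the inbox, double extensions, and attachments whose leading bytes do not match the type their name claims. Both sample messages are constructed; the phishing one mimics the RSA pattern (HR-looking sender, spreadsheet lure) but carries a disguised executable rather than a genuine spreadsheet, which is exactly the case the RSA file would not have tripped, so the type-based checks are a floor, not a guarantee.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types that must not be opened straight from the inbox.
RISKY_EXTENSIONS = {"exe", "scr", "com", "pif", "js", "vbs", "hta", "jar", "bat",
                    "cmd", "ps1", "lnk", "iso", "xls", "xlsm", "xlsb", "doc", "docm"}
# Leading bytes a genuine file of the claimed type starts with.
MAGIC = {"xls": b"\xd0\xcf\x11\xe0", "doc": b"\xd0\xcf\x11\xe0",
         "xlsx": b"PK\x03\x04", "docx": b"PK\x03\x04", "pdf": b"%PDF"}
# Harmless-looking extensions used to disguise a second, real one ("a.pdf.exe").
DISGUISE_EXTENSIONS = set(MAGIC) | {"jpg", "png", "txt"}
FAILED_RESULTS = {"fail", "softfail", "permerror"}


def triage(raw):
    """Return a list of (code, detail) findings for one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch",
                         f"From {from_domain} but replies go to {reply_domain}"))

    # Only meaningful if our own MTA adds this header and strips any inbound
    # copy; otherwise a sender can forge a passing result as easily as From.
    auth = msg.get("Authentication-Results", "")
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth.lower()):
        if result in FAILED_RESULTS:
            findings.append((f"auth-fail:{mech}", f"{mech}={result}"))

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, dot, ext = name.lower().rpartition(".")
        if not dot:
            stem, ext = name.lower(), ""
        if ext in RISKY_EXTENSIONS:
            findings.append(("risky-type", name))
        if "." in stem and stem.rpartition(".")[2] in DISGUISE_EXTENSIONS:
            findings.append(("double-extension", name))
        data = part.get_payload(decode=True) or b""
        if ext in MAGIC and not data.startswith(MAGIC[ext]):
            kind = "Windows executable (MZ)" if data.startswith(b"MZ") else "unknown"
            findings.append(("magic-mismatch", f"{name} is not a real .{ext}: {kind}"))
    return findings


def sample_message(phishing):
    """Constructed example messages, not real mail."""
    m = EmailMessage()
    m["To"] = "staff@example-corp.com"
    if phishing:
        m["From"] = "HR Department <hr@example-corp.com>"
        m["Reply-To"] = "hr@example-corp-careers.net"
        m["Subject"] = "2012 Recruitment plan"
        m["Authentication-Results"] = ("mx.example-corp.com; spf=fail "
                                       "smtp.mailfrom=example-corp-careers.net; "
                                       "dkim=none; dmarc=fail")
        m.set_content("Please review the attached plan before Friday.")
        # A PE header where a spreadsheet should be.
        m.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                         subtype="vnd.ms-excel", filename="2012 Recruitment plan.xls")
    else:
        m["From"] = "Payroll <payroll@example-corp.com>"
        m["Subject"] = "September payslip"
        m["Authentication-Results"] = "mx.example-corp.com; spf=pass; dkim=pass; dmarc=pass"
        m.set_content("Your payslip is attached.")
        m.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                         subtype="pdf", filename="payslip-2012-09.pdf")
    return m.as_string()


if __name__ == "__main__":
    for label, phish in (("phishing", True), ("benign", False)):
        print(label, triage(sample_message(phish)))
```

The lure message produces five findings (Reply-To mismatch, SPF and DMARC failures, a risky spreadsheet type, and an executable masquerading as .xls) while the payslip produces none. `dkim=none` is deliberately not flagged: unsigned mail is common and only becomes suspicious in combination with the other signals.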

  23. Wireless • Don’t Plug in Your Own Wireless Access Point • Don’t Change the Secure Configuration: • To make it work with your home network • So it will connect in the airport • To access other facilities’ networks • Use a Wire When Available • Faster • More secure • Less competition for access point bandwidth

  24. Malicious Software • Leave Virus Protection and Firewall Programs Running • Check for or Allow Updates • Recognize Potential Malicious Activities: • Hard drive running when no programs are running • Unusual or unexpected logon screens • Boot up speed or sequence changes • Performance degradation • Returned e-mails

  25. The 5Q

  26. Remember..!!!

  27. “Prevention is always better than cure”.

  28. THANK YOU
