Generation X, Y, and Z Technology Threats, Risks and Solutions
Aaron Wilson, SAIC – wilsonaa@saic.com
November 15, 2007

Agenda
• What are some threats specific to Gen X/Y/Z?
• How about some examples?
• What are some solutions?
• Why involve the Security Team?
• Q&A

Regarding Risks and Solutions…
• Risks
  • These risks focus on those that overlap with Gen X/Y/Z
• Solutions
  • Successful solutions start with clearly established policies
  • This discussion focuses on technological enforcement of policies, not the policies themselves
  • “More Technology” doesn’t always mean “More Product”
  • There is no “magic bullet” or “one size fits all” solution

Threat: Peer to Peer File Sharing
• Examples: Napster, Kazaa, eDonkey, BitTorrent, Gnutella
• Allows trading of files across a distributed network
• Risks:
  • Viruses, worms, trojans, spyware
  • Illegal content (warez, music)
  • Policy circumvention (adult material, games)
  • Some products use encryption to hide content and activities
  • Known to circumvent firewall policies by piggybacking other rules
• Reference: 2005: All Nippon Airlines – passcodes for security-access areas leaked by file sharing virus [Wik]
• Solutions:
  • Intelligent content proxy
  • Unified threat management (UTM) systems
  • Host-based protection (AV, Firewall, HIPS/HIDS)
  • Host-based software inventory/change management

Threat: Social Networking Sites
• Examples: MySpace, YouTube, Facebook, Blogs
• Risks:
  • Malicious content
  • Social engineering based on information exposure
• Reference: Alicia Keys’s MySpace page phished to send credit card and security credentials info to China [Tim07]
• Solutions:
  • Intelligent content proxy
  • Website rating technology
  • Host-based protection (AV, Firewall, HIPS/HIDS)
  • User training for social engineering and phishing

Threat: Instant Messaging and VoIP
• Examples: AIM, Skype, MSN Messenger, ICQ, Yahoo! Messenger, IRC
• Sometimes includes file sharing!
• Unencrypted, with some exceptions
• Risks:
  • Username/password capturing
  • Data leak
  • All risks associated with file sharing (previous slide)
  • Social engineering
• Reference: IRC users socially engineered to access malicious site resulting in compromise of their systems [Cer02]
• Solutions:
  • Enterprise IM/VoIP solutions – encryption, chat log, policies
  • User training on proper password use

Threat: Data Leak via Mobile Devices
• Methods
  • Thumb drives
  • Digital cameras, camera phones
  • iPods and PDAs
  • Laptops
  • Any WiFi device
• Sometimes intentional, sometimes not
• Reference: Classified data taken from Los Alamos National Laboratory via USB drive [Cbs06]
• Solutions
  • Access lists to enforce data access policies
  • Data access logging and auditing
  • Company-provided mobile devices
  • Physical security, turnstiles, x-rays, RFID badges
  • Desktop monitoring software

Why Involve the Security Team?
• Security Experts
  • Long line of experience dealing with these risks
  • Security is a horizontal!
  • Research the problem and apply the right solution(s)
• You and your security team may share similar concerns
  • Protecting valuable data
  • Regulation compliance
  • Business continuity/emergency planning
  • Auditing and litigation
  • Measuring and controlling
• Avoid Effort Duplication
  • The security team may have already solved the problem
  • You may have already solved the problem
• Before you Act…
  • Requirements and scope review recommended
  • Get senior/executive management buy-in!

References
• [Cbs06] “New Details Emerge in Los Alamos Case”, Oct 25, 2006, http://www.cbsnews.com/stories/2006/10/24/national/main2122004.shtml
• [Cer02] “Social Engineering Attacks via IRC and Instant Messaging”, CERT, http://www.cert.org/incident_notes/IN-2002-03.html
• [Tim07] “Behind the Alicia Keys MySpace Scam”, Time, Nov 13, 2007, http://www.time.com/time/business/article/0,8599,1683361,00.html?imw=Y
• [Wik] “Winny”, http://en.wikipedia.org/wiki/Winny