e security ppt

Fundamentals of Fundamentals of e-Securitye-Security

James KerrJames Kerr

Office of Technology ServicesOffice of Technology Services

June, 2005June, 2005

Acknowledgements & CreditAcknowledgements & Credit

Many thanks to Charles Morrow-Jones, Many thanks to Charles Morrow-Jones, Director of Network Security, Office Director of Network Security, Office of the CIO, and Steve Romig, Director of the CIO, and Steve Romig, Director of the OSU Incident Response Team. of the OSU Incident Response Team. This presentation is based on their This presentation is based on their presentation, “CyberSecurity for presentation, “CyberSecurity for Managers” presented in June, 2005.Managers” presented in June, 2005.

Fundamentals of e-Security

GoalGoal

To help you understand some basics To help you understand some basics about information securityabout information security

To give you some resources that will To give you some resources that will help you when you need to expand help you when you need to expand on this baseon this base


AgendaAgenda

What and who are we worried about, What and who are we worried about, and why?and why?

What can you do about it?What can you do about it?

How are incidents detected and How are incidents detected and handled?handled?


C.I.A.C.I.A.

The University’s entire information The University’s entire information processing environment rests on the processing environment rests on the assumption that we have:assumption that we have:

CConfidentiality-prevent unauthorized onfidentiality-prevent unauthorized disclosure (Threat: unauthorized access)disclosure (Threat: unauthorized access)

IIntegrity-ensure accuracy and authenticity ntegrity-ensure accuracy and authenticity (Threat: altered, deleted, or added data)(Threat: altered, deleted, or added data)

AAvailability-ensure that information and vailability-ensure that information and systems are there when we need them systems are there when we need them (Threat: Denial of service)(Threat: Denial of service)


Other ConcernsOther Concerns Liability: someone can use our computers to do Liability: someone can use our computers to do

bad things that leave us with the liabilitybad things that leave us with the liability Reputation: security issues can make us look Reputation: security issues can make us look

bad, affecting parental trust, recruitingbad, affecting parental trust, recruiting Legal: a growing body of law requires that we do Legal: a growing body of law requires that we do

certain things to secure our systems (FERPA, certain things to secure our systems (FERPA, HIPAA)HIPAA)

Financial: security issues cost money, directly or Financial: security issues cost money, directly or indirectlyindirectly

Traceability, auditability: bad things happen, and Traceability, auditability: bad things happen, and you need to find out what and why (and you need to find out what and why (and sometimes who)sometimes who)


ExerciseExercise

A bad day at the Wild West A bad day at the Wild West University…University…

Two press releases describing the loss Two press releases describing the loss of private information from a of private information from a university’s system:university’s system:


Initial Report ‑‑ March 5, 2003, 10:00p.m.On Sunday, March 2 at 7:20 p.m., computer systems personnel at

WWU discovered a computer malfunction. The affected computer system was immediately shut down, and detailed analysis was begun.

What happened?The malfunction was assessed to be the result of a deliberate

attack from the Internet. Subsequent analysis revealed that a security weakness in an administrative data reporting system was exploited by writing a program to input millions of Social Security numbers. Those SSNs that matched selected individuals in a WWU database were captured, together with e‑mail address, title, department name, department address, department phone number, and names/dates of employee training programs attended. It is important to note that no student grade or academic records, or personal health or insurance information was disclosed.

Is there evidence that the stolen data have been misused or disseminated?

WWU, in conjunction with the U.S. Attorney's Office, the U.S. Secret Service, and other law enforcement agencies, has focused its efforts since Sunday evening on identifying the perpetrator(s) of the break‑in and recapturing the stolen data.. To date there is no evidence that the stolen data have been distributed beyond the computer(s) of the perpetrator(s).

What is WWU doing about this?WWU's highest priority has been to identify the source of the attack

and to cooperate with law enforcement authorities to capture the perpetrator(s), and any associated computers and data. Our second priority will be to assess the extent of further data exposure ‑ if any ‑ and to establish a proactive communication program with affected individuals and the WWU community.

How many individual records were exposed?Approximately 55,200 individuals had some of the above data

exposed. This group includes current and former students, current and former faculty and staff, and job applicants.

How will affected individuals be notified?The University is currently developing a communication plan and will

contact affected individuals as soon as possible. At this juncture, there is no evidence that the data have been further exposed or misused. To send a comment or question to the WWU Incident Response Team, please e‑mail [email protected] (do not send your Social Security number in any e‑mail message).

WWU regrets this incident and commits to do whatever is required to ensure the integrity of the data of all our past and present colleagues.

<signed> Vice President for Information Technology, Wild West University

Data Theft Update (October 2003)Data Theft Update (October 2003)

The Wild West University regrets that one of its administrative databases was The Wild West University regrets that one of its administrative databases was breached in March by a deliberate attack through the Internet. Thousands of breached in March by a deliberate attack through the Internet. Thousands of names and Social Security numbers were illegally accessed and downloaded to names and Social Security numbers were illegally accessed and downloaded to a personal computer. Fortunately, it appears that prompt action by the Travis a personal computer. Fortunately, it appears that prompt action by the Travis County District Attorney's Office, the U. S. Attorney's Office, and the U. S. County District Attorney's Office, the U. S. Attorney's Office, and the U. S. Secret Service has secured the stolen data before they could be misused or Secret Service has secured the stolen data before they could be misused or further disseminated.further disseminated.

A WWU undergraduate student suspected of the crime was arrested by the U.S. A WWU undergraduate student suspected of the crime was arrested by the U.S. Secret Service on March 14. His computer and related paraphernalia were Secret Service on March 14. His computer and related paraphernalia were seized and are being analyzed by the Secret Service.seized and are being analyzed by the Secret Service.

Although the security breach and related charges facing the suspect are indeed Although the security breach and related charges facing the suspect are indeed serious, the U.S. Attorney's Office has stated officially, "At this point, there is no serious, the U.S. Attorney's Office has stated officially, "At this point, there is no indication that the stolen data was further disseminated or used to anyone's indication that the stolen data was further disseminated or used to anyone's detriment.“detriment.“

As of October 2003, the University has successfully contacted 92 percent of the As of October 2003, the University has successfully contacted 92 percent of the individuals known to be affected by the data theft incident, and continues its individuals known to be affected by the data theft incident, and continues its efforts to reach the remaining affected population. The University is doing efforts to reach the remaining affected population. The University is doing everything it can to ensure the security of personal information. An underlying everything it can to ensure the security of personal information. An underlying issue that has received attention is the University's use of the Social Security issue that has received attention is the University's use of the Social Security number as the unique identifier for students, faculty, staff, and other affiliates, number as the unique identifier for students, faculty, staff, and other affiliates, a practice that is widespread in universities and elsewhere. The University a practice that is widespread in universities and elsewhere. The University launched a project in 2001 to migrate database systems and services to a launched a project in 2001 to migrate database systems and services to a different identifier, and important progress has been made, but the breached different identifier, and important progress has been made, but the breached system continued to rely upon SSN inputs.system continued to rely upon SSN inputs.

Questions to DiscussQuestions to Discuss

1) What CIA principles were violated?1) What CIA principles were violated?2) What other concerns did this attack raise?2) What other concerns did this attack raise?3) If your information had been exposed, 3) If your information had been exposed,

what would you do?what would you do?4) How much would this incident concern 4) How much would this incident concern

you if you were not affected? Would your you if you were not affected? Would your relationship to the university matter?relationship to the university matter?

5) Based on this information how would you 5) Based on this information how would you evaluate WWU's communications to users?evaluate WWU's communications to users?

6) Can you think of any similar “lurking time 6) Can you think of any similar “lurking time bombs” at OSU?bombs” at OSU?

TerminologyTerminology

Scan: probing through the network to Scan: probing through the network to find vulnerable systemsfind vulnerable systems

Vulnerability: a weakness that might Vulnerability: a weakness that might be exploited to do something “bad”be exploited to do something “bad”

Exploit: using a vulnerability to gain Exploit: using a vulnerability to gain access to a systemaccess to a system


Terminology, continuedTerminology, continued

Backdoor: hidden entrances to your Backdoor: hidden entrances to your systemsystem

Rootkit: tools used to hide an Rootkit: tools used to hide an intruder’s presenceintruder’s presence

Virus, worm, trojan: old names for Virus, worm, trojan: old names for different sorts of “bad software”.different sorts of “bad software”.



Malware: new name for viruses, Malware: new name for viruses, worms, trojans, adware, spyware. worms, trojans, adware, spyware. “MALicious softWARE”“MALicious softWARE”

Adware, spyware: “commercial” Adware, spyware: “commercial” software that invades your privacy, software that invades your privacy, displays pop-ups, and undermines displays pop-ups, and undermines your security.your security.



Bot: (short for robot) a computer Bot: (short for robot) a computer running software that makes it part running software that makes it part of a botnet, and allows others to of a botnet, and allows others to control it remotely.control it remotely.

Botnet: a network of tens, hundreds, Botnet: a network of tens, hundreds, thousands, or tens of thousands of thousands, or tens of thousands of bots that can be used for scanning, bots that can be used for scanning, exploiting, denial of service attacks, exploiting, denial of service attacks, spamming, file sharing, and so on…spamming, file sharing, and so on…


Terminology, continuedTerminology, continued Encryption: a way to make data unreadable Encryption: a way to make data unreadable

by everyone except the intended recipientsby everyone except the intended recipients Authentication: the act of identifying Authentication: the act of identifying

yourself to the computeryourself to the computer Two-factor authentication: authentication Two-factor authentication: authentication

that uses something you have (a key, a that uses something you have (a key, a token card) and something you know (a token card) and something you know (a password, PIN)password, PIN)

Three-factor authentication: authentication Three-factor authentication: authentication that uses something you are (biometric that uses something you are (biometric scan, fingerprint, retina scan, voice print) scan, fingerprint, retina scan, voice print) something you have (a key, a token card) something you have (a key, a token card) and something you know (password, PIN)and something you know (password, PIN)



Authorization: rights granted to a Authorization: rights granted to a person (or a program, computer, etc) person (or a program, computer, etc) for some object (such as data in a for some object (such as data in a database, login to a network)database, login to a network)– Jkerr is authorized to login on this Jkerr is authorized to login on this

computer, but not on that one.computer, but not on that one.– Jkerr is authorized to read this data, but Jkerr is authorized to read this data, but

not modify or delete it.not modify or delete it.


Who are we worried about?Who are we worried about? TeenagersTeenagers

– A large number of attacks are perpetrated by A large number of attacks are perpetrated by teenagersteenagers

– They have high interest in computersThey have high interest in computers– They have lots of free timeThey have lots of free time– Their morals aren’t quite fully developedTheir morals aren’t quite fully developed– No perceived danger to themselvesNo perceived danger to themselves– ““script kiddies”script kiddies”– Goals includeGoals include

Just playing around; learningJust playing around; learning Gaining social stature in the “computer underground”Gaining social stature in the “computer underground” Support their passion (file sharing, denial of service, Support their passion (file sharing, denial of service,

see social stature)see social stature)


Who are we worried about?Who are we worried about?

Organized CriminalsOrganized Criminals– Goals: $$$ for spam, denial of service, Goals: $$$ for spam, denial of service,

identity theft, espionage, harassmentidentity theft, espionage, harassment– Botnets are a real business now-for Botnets are a real business now-for

spam, denial of service attacks, and spam, denial of service attacks, and building other botnetsbuilding other botnets

– They are high-risk operations, and more They are high-risk operations, and more motivated to use sophisticated tools and motivated to use sophisticated tools and techniques to hide their trackstechniques to hide their tracks



Unorganized criminalsUnorganized criminals– Disgruntled employees (are the rest of Disgruntled employees (are the rest of

us gruntled?)us gruntled?)– Other individuals doing criminal thingsOther individuals doing criminal things– Feb. 5, 2005 (Sophos news) – a 24-year Feb. 5, 2005 (Sophos news) – a 24-year

old former AOL employee has pleaded old former AOL employee has pleaded guilty to stealing a list of 92 million guilty to stealing a list of 92 million email addresses of the ISP’s customers email addresses of the ISP’s customers and selling it to spammers for $28,000 and selling it to spammers for $28,000 (=$0.0003 per address)(=$0.0003 per address)



Legitimate usersLegitimate users– People doing things that unintentionally put People doing things that unintentionally put

systems at risk, typically through systems at risk, typically through experimenting with game servers, file experimenting with game servers, file sharing, web servers, instant messaging, sharing, web servers, instant messaging, etc.etc.

– People who carelessly click on email People who carelessly click on email attachments, approving dialogue boxes that attachments, approving dialogue boxes that ask whether it’s OK to install extra software, ask whether it’s OK to install extra software, respond to phishing attacks, and so on…respond to phishing attacks, and so on…


C.Y.A.C.Y.A.

Because we are concerned about Because we are concerned about C.I.A. (and the other issues) we need C.I.A. (and the other issues) we need to secure our systems, networks, and to secure our systems, networks, and data.data.

Step 1: identify assets (data, services, Step 1: identify assets (data, services, etc)etc)

Step 2: identify threats (C.I.A.) for Step 2: identify threats (C.I.A.) for each asseteach asset

Step 3: identify controls to protect our Step 3: identify controls to protect our assets from these threatsassets from these threats


Physical SecurityPhysical Security

Provides for the protection of Provides for the protection of property, personnel, and facilities property, personnel, and facilities from illegal or criminal acts, and/or from illegal or criminal acts, and/or environmental disruptionsenvironmental disruptions

Physical security plan should be Physical security plan should be created that deals with control of created that deals with control of access to the building or officeaccess to the building or office

Plan should also address responses Plan should also address responses to environmental problemsto environmental problems


Physical Security, continuedPhysical Security, continued

Look at what you are trying to protect, and Look at what you are trying to protect, and who or what you are trying to protect it from, who or what you are trying to protect it from, then decide how much security is required.then decide how much security is required.

Physical security is the first line of defense Physical security is the first line of defense against the exploitation of computer systemsagainst the exploitation of computer systems

70% of data theft is physical theft, usually by 70% of data theft is physical theft, usually by stealing a physical device. stealing a physical device.

Physical security should make device theft as Physical security should make device theft as difficult as possible.difficult as possible.


Physical Security, continuedPhysical Security, continued

Access control at doorsAccess control at doors Physical locks or authorization Physical locks or authorization

(something you have) to access (something you have) to access systems, especially laptopssystems, especially laptops

Key control-janitorial access, master Key control-janitorial access, master keyskeys


Laptop/PDA SecurityLaptop/PDA Security

Consider the worst case scenario: Consider the worst case scenario: laptop is stolenlaptop is stolen– You don’t have access to whatever was You don’t have access to whatever was

on iton it– They doThey do– Do you have backups?Do you have backups?– Was sensitive data encrypted, including Was sensitive data encrypted, including

e-mail? (SSNs, student grades, think e-mail? (SSNs, student grades, think FERPA)FERPA)


Laptop/PDA Security, Laptop/PDA Security, continuedcontinued

Apple Mac OS X supports the “file Apple Mac OS X supports the “file vault”, which automatically encrypts vault”, which automatically encrypts files. This should be turned on (off files. This should be turned on (off by default).by default).

Windows 2000 and XP support EFS, Windows 2000 and XP support EFS, the “Encrypting File System”. This the “Encrypting File System”. This should be turned on (off by default).should be turned on (off by default).


Account SecurityAccount Security

Don’t share your accounts or Don’t share your accounts or passwordspasswords

Use “good” passwordsUse “good” passwords Use different passwords on different Use different passwords on different

systemssystems Change your passwordsChange your passwords Lock your screenLock your screen


““Good” Password HabitsGood” Password Habits

Change every 60-90 daysChange every 60-90 days Use all available charactersUse all available characters Memorize, don’t writeMemorize, don’t write Bad: 1234, <first name> i.e. jim, Bad: 1234, <first name> i.e. jim,

buckeye, osu, brutus, lima, passwordbuckeye, osu, brutus, lima, password Good: 1Gin+2TonicGood: 1Gin+2Tonic Good: 47adFb2mGood: 47adFb2m


Data SecurityData Security

Essential to Confidentiality and Essential to Confidentiality and IntegrityIntegrity

Regulatory environment-FERPA and Regulatory environment-FERPA and student informationstudent information

Involves protecting data in transit, as Involves protecting data in transit, as well as in storagewell as in storage

Often requires encryption of the dataOften requires encryption of the data


People SecurityPeople Security

Background screening as part of the Background screening as part of the hiring processhiring process

Termination best practices:Termination best practices:– Remove their accessRemove their access– Dispossess them of sensitive materialsDispossess them of sensitive materials– Repossess important materials (latest Repossess important materials (latest

version of their projects)version of their projects)


People Security, continuedPeople Security, continued

Questions to ponder:Questions to ponder: Do you know what access each Do you know what access each

employee has, including remote employee has, including remote access?access?

Can you guarantee they haven’t set Can you guarantee they haven’t set up back-doors, especially if they were up back-doors, especially if they were disgruntled before they left?disgruntled before they left?

Do you have policies about sensitive Do you have policies about sensitive materials at home, backups, etc?materials at home, backups, etc?


People Security, continuedPeople Security, continued

Social engineering-techniques that Social engineering-techniques that rely on weaknesses in humans rather rely on weaknesses in humans rather than software; the aim is to trick than software; the aim is to trick people into revealing passwords or people into revealing passwords or other information that compromises other information that compromises a target system’s securitya target system’s security

Modified from The Jargon File, version 4.7.7Modified from The Jargon File, version 4.7.7


Phishing examplePhishing example


Mis-spelled words

F.U.D.

Phishing examplePhishing example


<a href= "http://www.paypallk.com:680/paypal.php" style="font-family: monospace; font-size: 10pt;">Click here to confirm your account</a>

See PayPal site page on security

Social engineering exampleSocial engineering example

How could a person get tricked into How could a person get tricked into giving out a password over the giving out a password over the phone?phone?

Much easier than you think!Much easier than you think!


““Hi-this is Jim from Tech Services. We Hi-this is Jim from Tech Services. We noticed that your network segment is noticed that your network segment is down, and we’d like to try your login to down, and we’d like to try your login to verify it. What’s your password?”verify it. What’s your password?”

““This is Andrew from Technology This is Andrew from Technology Services. Your mail spool on the Services. Your mail spool on the server is blocked, and we need your server is blocked, and we need your password to clear it.”password to clear it.”


Social engineering exampleSocial engineering example

What can I do?What can I do?

Lock it down!Lock it down! Auto-install OS updatesAuto-install OS updates Install and use anti-virus and anti-Install and use anti-virus and anti-

adware/spyware softwareadware/spyware software Personal firewall (OS X & Windows XP Personal firewall (OS X & Windows XP

built-in)built-in) Backups!Backups! Use good password practicesUse good password practices


What else can I do?What else can I do?

Use a browser other than Internet Use a browser other than Internet Explorer, i.e. Firefox.Explorer, i.e. Firefox.

Use a locking screensaverUse a locking screensaver Don’t use Instant Messaging clientsDon’t use Instant Messaging clients Cautiously use e-mail attachmentsCautiously use e-mail attachments Don’t use password hintsDon’t use password hints Disable automatic loginsDisable automatic logins Apply paranoia as necessaryApply paranoia as necessary


What does Technology What does Technology Services do?Services do?

Lima OTS and Columbus Network Lima OTS and Columbus Network Security (division of OIT) actively Security (division of OIT) actively scan network hosts for vulnerabilitiesscan network hosts for vulnerabilities

Lima OTS and Columbus Net Security Lima OTS and Columbus Net Security actively monitor network traffic for actively monitor network traffic for suspicious activitysuspicious activity


What does Technology What does Technology Services do?Services do?

Centralize Microsoft OS patches and Centralize Microsoft OS patches and hotfixeshotfixes

Centralize McAfee virus scan updatesCentralize McAfee virus scan updates Filter e-mail for spam and virusesFilter e-mail for spam and viruses AuthenticationAuthentication Columbus blacklistingColumbus blacklisting Firewall for Lima networkFirewall for Lima network


FirewallFirewall

Restricts access to Restricts access to network services, network services, in and outin and out

Personal (host) and Personal (host) and networknetwork


Image courtesy of INetU Managed Hostinghttp://www.inetu.net/services/firewalls.php

What is coming next?What is coming next?

Best Practices for passwordsBest Practices for passwords– Minimum password lengthMinimum password length– Complexity requirementsComplexity requirements– Rotation change enforcementRotation change enforcement

Encrypted remote accessEncrypted remote access Two-factor authentication for laptopsTwo-factor authentication for laptops

– Something you haveSomething you have– Something you knowSomething you know


F.A.Q.F.A.Q.

How can I tell when I’ve been infected?How can I tell when I’ve been infected?– Unusual slowdownUnusual slowdown– Unexpected crashes, strange errorsUnexpected crashes, strange errors– Mouse movement or typing without you-”posessed”Mouse movement or typing without you-”posessed”– OIT security blacklists-no Internet access off-OIT security blacklists-no Internet access off-

campuscampus What do I do?What do I do?

– Turn it off!Turn it off!– Report it to Technology ServicesReport it to Technology Services– Don’t try to backup now, it’s too late. You may Don’t try to backup now, it’s too late. You may

spread contamination.spread contamination.


F.A.Q.F.A.Q.

What do you do with an What do you do with an infected/compromised computer?infected/compromised computer?– Attempt disinfection/repair if it’s a Attempt disinfection/repair if it’s a

known threat with proven recoveryknown threat with proven recovery– Most often complete “rebuild” of the Most often complete “rebuild” of the

computercomputer– Clean and repair data filesClean and repair data files


Useful ResourcesUseful Resources

Lima Technology ServicesLima Technology Services– http://lima.osu.edu/otshttp://lima.osu.edu/ots

Columbus OIT Network SecurityColumbus OIT Network Security– http://www.net.ohio-state.edu/securityhttp://www.net.ohio-state.edu/security

CIO PoliciesCIO Policies– http://cio.osu.edu/policies/policies.htmlhttp://cio.osu.edu/policies/policies.html

Network PoliciesNetwork Policies– http://www.net.ohio-state.edu/OSUNet/phttp://www.net.ohio-state.edu/OSUNet/p

olicies.htmlolicies.html


Useful ResourcesUseful Resources OSU Site Licensed SoftwareOSU Site Licensed Software

– http://osusls.osu.eduhttp://osusls.osu.edu Spybot Search & DestroySpybot Search & Destroy

– http://www.spybot.infohttp://www.spybot.info General Spyware InformationGeneral Spyware Information

– http://www.getnetwise.orghttp://www.getnetwise.org FERPA and OSUFERPA and OSU

– http://www.registrar.ohio-state.edu/ourweb/mohttp://www.registrar.ohio-state.edu/ourweb/more/Content/ferpa.pg1.htmlre/Content/ferpa.pg1.html

PhishingPhishing– http://http://

www.antiphishing.org/phishing_archive.htmlwww.antiphishing.org/phishing_archive.html


e security ppt

Documents