Fundamentals of e-Security
James Kerr
Office of Technology Services
June, 2005
Acknowledgements & Credit
Many thanks to Charles Morrow-Jones, Director of Network Security, Office of the CIO, and Steve Romig, Director of the OSU Incident Response Team. This presentation is based on their presentation, “CyberSecurity for Managers”, presented in June, 2005.
Fundamentals of e-Security
Goal
To help you understand some basics about information security
To give you some resources that will help you when you need to expand on this base
Agenda
What and who are we worried about, and why?
What can you do about it?
How are incidents detected and handled?
C.I.A.
The University’s entire information processing environment rests on the assumption that we have:
Confidentiality: prevent unauthorized disclosure (Threat: unauthorized access)
Integrity: ensure accuracy and authenticity (Threat: altered, deleted, or added data)
Availability: ensure that information and systems are there when we need them (Threat: denial of service)
Other Concerns
Liability: someone can use our computers to do bad things that leave us with the liability
Reputation: security issues can make us look bad, affecting parental trust, recruiting
Legal: a growing body of law requires that we do certain things to secure our systems (FERPA, HIPAA)
Financial: security issues cost money, directly or indirectly
Traceability, auditability: bad things happen, and you need to find out what and why (and sometimes who)
Exercise
A bad day at the Wild West University…
Two press releases describing the loss of private information from a university’s system:
Initial Report ‑‑ March 5, 2003, 10:00 p.m.
On Sunday, March 2 at 7:20 p.m., computer systems personnel at WWU discovered a computer malfunction. The affected computer system was immediately shut down, and detailed analysis was begun.
What happened?
The malfunction was assessed to be the result of a deliberate attack from the Internet. Subsequent analysis revealed that a security weakness in an administrative data reporting system was exploited by writing a program to input millions of Social Security numbers. Those SSNs that matched selected individuals in a WWU database were captured, together with e‑mail address, title, department name, department address, department phone number, and names/dates of employee training programs attended. It is important to note that no student grade or academic records, or personal health or insurance information was disclosed.
Is there evidence that the stolen data have been misused or disseminated?
WWU, in conjunction with the U.S. Attorney's Office, the U.S. Secret Service, and other law enforcement agencies, has focused its efforts since Sunday evening on identifying the perpetrator(s) of the break‑in and recapturing the stolen data. To date there is no evidence that the stolen data have been distributed beyond the computer(s) of the perpetrator(s).
What is WWU doing about this?
WWU's highest priority has been to identify the source of the attack and to cooperate with law enforcement authorities to capture the perpetrator(s), and any associated computers and data. Our second priority will be to assess the extent of further data exposure ‑ if any ‑ and to establish a proactive communication program with affected individuals and the WWU community.
How many individual records were exposed?
Approximately 55,200 individuals had some of the above data exposed. This group includes current and former students, current and former faculty and staff, and job applicants.
How will affected individuals be notified?
The University is currently developing a communication plan and will contact affected individuals as soon as possible. At this juncture, there is no evidence that the data have been further exposed or misused. To send a comment or question to the WWU Incident Response Team, please e‑mail [email protected] (do not send your Social Security number in any e‑mail message).
WWU regrets this incident and commits to do whatever is required to ensure the integrity of the data of all our past and present colleagues.
<signed> Vice President for Information Technology, Wild West University
Data Theft Update (October 2003)
The Wild West University regrets that one of its administrative databases was breached in March by a deliberate attack through the Internet. Thousands of names and Social Security numbers were illegally accessed and downloaded to a personal computer. Fortunately, it appears that prompt action by the Travis County District Attorney's Office, the U. S. Attorney's Office, and the U. S. Secret Service has secured the stolen data before they could be misused or further disseminated.
A WWU undergraduate student suspected of the crime was arrested by the U.S. Secret Service on March 14. His computer and related paraphernalia were seized and are being analyzed by the Secret Service.
Although the security breach and related charges facing the suspect are indeed serious, the U.S. Attorney's Office has stated officially, "At this point, there is no indication that the stolen data was further disseminated or used to anyone's detriment."
As of October 2003, the University has successfully contacted 92 percent of the individuals known to be affected by the data theft incident, and continues its efforts to reach the remaining affected population. The University is doing everything it can to ensure the security of personal information. An underlying issue that has received attention is the University's use of the Social Security number as the unique identifier for students, faculty, staff, and other affiliates, a practice that is widespread in universities and elsewhere. The University launched a project in 2001 to migrate database systems and services to a different identifier, and important progress has been made, but the breached system continued to rely upon SSN inputs.
Questions to Discuss
1) What CIA principles were violated?
2) What other concerns did this attack raise?
3) If your information had been exposed, what would you do?
4) How much would this incident concern you if you were not affected? Would your relationship to the university matter?
5) Based on this information how would you evaluate WWU's communications to users?
6) Can you think of any similar “lurking time bombs” at OSU?
Terminology
Scan: probing through the network to find vulnerable systems
Vulnerability: a weakness that might be exploited to do something “bad”
Exploit: using a vulnerability to gain access to a system
Terminology, continued
Backdoor: hidden entrances to your system
Rootkit: tools used to hide an intruder’s presence
Virus, worm, trojan: old names for different sorts of “bad software”.
Terminology, continued
Malware: new name for viruses, worms, trojans, adware, spyware. “MALicious softWARE”
Adware, spyware: “commercial” software that invades your privacy, displays pop-ups, and undermines your security.
Terminology, continued
Bot: (short for robot) a computer running software that makes it part of a botnet, and allows others to control it remotely.
Botnet: a network of tens, hundreds, thousands, or tens of thousands of bots that can be used for scanning, exploiting, denial of service attacks, spamming, file sharing, and so on…
Terminology, continued
Encryption: a way to make data unreadable by everyone except the intended recipients
Authentication: the act of identifying yourself to the computer
Two-factor authentication: authentication that uses something you have (a key, a token card) and something you know (a password, PIN)
Three-factor authentication: authentication that uses something you are (biometric scan, fingerprint, retina scan, voice print), something you have (a key, a token card), and something you know (password, PIN)
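The two-factor definition above, worked through as an added Python example (this code is not from the deck or from OSU Technology Services). A server-side login check requires both the password (something you know, stored only as a salted PBKDF2 hash) and a one-time code from a token card (something you have). The deck names no token algorithm, so the example assumes the counter-based HOTP scheme of RFC 4226, which lets the server recompute the code it expects from the token's shared secret; the account, password and token secret are constructed for the example.

```python
"""Two-factor login check, added as an example; it is not from the slide deck.

"Something you know" is the password, stored only as a salted PBKDF2 hash.
"Something you have" is a token card that shows one-time codes; the deck
names no algorithm, so this example assumes the counter-based HOTP scheme
(RFC 4226), which lets the server recompute the expected code from the
token's shared secret. Login succeeds only when both factors check out.
The account, password, and token secret used below are constructed.
"""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code for a counter value, computed as the token would (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 hash; a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class Account:
    """Server-side record: password hash plus the token's secret and next counter."""

    def __init__(self, password: str, token_secret: bytes, look_ahead: int = 3):
        self.salt, self.pw_hash = hash_password(password)
        self.token_secret = token_secret
        self.counter = 0                 # next counter value the server expects
        self.look_ahead = look_ahead     # tolerate a few unused button presses

    def password_ok(self, password: str) -> bool:
        _, digest = hash_password(password, self.salt)
        return hmac.compare_digest(digest, self.pw_hash)   # constant-time compare

    def login(self, password: str, code: str) -> bool:
        """Both factors are always evaluated; the counter advances only on success."""
        know_ok = self.password_ok(password)
        matched = None
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.token_secret, c), code):
                matched = c
                break
        if know_ok and matched is not None:
            self.counter = matched + 1   # a used code cannot be replayed
            return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 4226 test-vector secret, used as a constructed token secret
    acct = Account("1Gin+2Tonic", secret)       # the slide's "good" password
    print("password only:", acct.login("1Gin+2Tonic", "000000"))
    print("token only:   ", acct.login("wrong", hotp(secret, 0)))
    print("both factors: ", acct.login("1Gin+2Tonic", hotp(secret, 0)))
    print("replayed code:", acct.login("1Gin+2Tonic", hotp(secret, 0)))
```

The point the slide makes is visible in the last three lines: knowing the password alone, or holding the token alone, is not enough, and a code that has already been accepted is refused a second time because the server's counter has moved past it.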
Terminology, continued
Authorization: rights granted to a person (or a program, computer, etc) for some object (such as data in a database, login to a network)
– Jkerr is authorized to login on this computer, but not on that one.
– Jkerr is authorized to read this data, but not modify or delete it.
Who are we worried about?
Teenagers
– A large number of attacks are perpetrated by teenagers
– They have high interest in computers
– They have lots of free time
– Their morals aren’t quite fully developed
– No perceived danger to themselves
– “script kiddies”
– Goals include
  Just playing around; learning
  Gaining social stature in the “computer underground”
  Support their passion (file sharing, denial of service, see social stature)
Who are we worried about?
Organized Criminals
– Goals: $$$ for spam, denial of service, identity theft, espionage, harassment
– Botnets are a real business now: for spam, denial of service attacks, and building other botnets
– They are high-risk operations, and more motivated to use sophisticated tools and techniques to hide their tracks
Who are we worried about?
Unorganized criminals
– Disgruntled employees (are the rest of us gruntled?)
– Other individuals doing criminal things
– Feb. 5, 2005 (Sophos news): a 24-year-old former AOL employee has pleaded guilty to stealing a list of 92 million email addresses of the ISP’s customers and selling it to spammers for $28,000 (=$0.0003 per address)
Who are we worried about?
Legitimate users
– People doing things that unintentionally put systems at risk, typically through experimenting with game servers, file sharing, web servers, instant messaging, etc.
– People who carelessly click on email attachments, approve dialog boxes that ask whether it’s OK to install extra software, respond to phishing attacks, and so on…
C.Y.A.
Because we are concerned about C.I.A. (and the other issues) we need to secure our systems, networks, and data.
Step 1: identify assets (data, services, etc)
Step 2: identify threats (C.I.A.) for each asset
Step 3: identify controls to protect our assets from these threats
Physical Security
Provides for the protection of property, personnel, and facilities from illegal or criminal acts, and/or environmental disruptions
A physical security plan should be created that deals with control of access to the building or office
The plan should also address responses to environmental problems
Physical Security, continued
Look at what you are trying to protect, and who or what you are trying to protect it from, then decide how much security is required.
Physical security is the first line of defense against the exploitation of computer systems
70% of data theft is physical theft, usually by stealing a physical device.
Physical security should make device theft as difficult as possible.
Physical Security, continued
Access control at doors
Physical locks or authorization (something you have) to access systems, especially laptops
Key control: janitorial access, master keys
Laptop/PDA Security
Consider the worst case scenario: laptop is stolen
– You don’t have access to whatever was on it
– They do
– Do you have backups?
– Was sensitive data encrypted, including e-mail? (SSNs, student grades, think FERPA)
Laptop/PDA Security, continued
Apple Mac OS X supports the “file vault”, which automatically encrypts files. This should be turned on (off by default).
Windows 2000 and XP support EFS, the “Encrypting File System”. This should be turned on (off by default).
Account Security
Don’t share your accounts or passwords
Use “good” passwords
Use different passwords on different systems
Change your passwords
Lock your screen
“Good” Password Habits
Change every 60-90 days
Use all available characters
Memorize, don’t write
Bad: 1234, <first name> e.g. jim, buckeye, osu, brutus, lima, password
Good: 1Gin+2Tonic
Good: 47adFb2m
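The habits on this slide, turned into checks a help desk or account-signup form could run. This is an added Python example, not code from the deck or from OSU Technology Services: it scores a candidate password against the slide's own “Bad:” list and the user's first name, a minimum length and a character-class mix (the numbers 8 and 3 are assumptions, since the slide gives none), and it reports whether a password is overdue for the 60-90 day change. The two “Good:” examples from the slide pass and every “Bad:” example fails.

```python
"""Password-habit checker, added as an example; it is not from the slide deck.

It turns the "Good Password Habits" slide into checks a help desk or signup
form could run: a minimum length, a mix of character classes, no dictionary
or institution words (the slide's own "bad" list), not your first name, and
a maximum age for rotation. The minimum length (8) and "at least three
character classes" rule are assumptions; the slide gives no numbers.
"""
import re
from datetime import date

MIN_LENGTH = 8          # assumption: the deck only says "minimum password length"
MIN_CLASSES = 3         # assumption: "use all available characters" made concrete
MAX_AGE_DAYS = 90       # the slide says "change every 60-90 days"

# Blocked words, taken from the slide's "Bad:" list (constructed blocklist).
BAD_WORDS = {"1234", "buckeye", "osu", "brutus", "lima", "password"}


def password_problems(password: str, first_name: str = "") -> list:
    """Return the list of failed checks; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = {
        "lowercase": re.search(r"[a-z]", password),
        "uppercase": re.search(r"[A-Z]", password),
        "digit": re.search(r"[0-9]", password),
        "symbol": re.search(r"[^A-Za-z0-9]", password),
    }
    present = [name for name, hit in classes.items() if hit]
    if len(present) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes "
                        f"(has: {', '.join(present) or 'none'})")

    lowered = password.lower()
    blocked = BAD_WORDS | ({first_name.lower()} if first_name else set())
    if lowered in blocked:
        problems.append("is a common word, an institution name, or your first name")
    else:
        # Also catch padded variants such as "Password1!" or "buckeye2005".
        core = re.sub(r"[^a-z]", "", lowered)
        if core and core in blocked:
            problems.append("is a blocked word padded with digits or symbols")
    return problems


def is_good_password(password: str, first_name: str = "") -> bool:
    return not password_problems(password, first_name)


def change_overdue(last_changed_iso: str, today_iso: str,
                   max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the rotation period (dates as YYYY-MM-DD)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days > max_age_days


if __name__ == "__main__":
    for candidate in ["1234", "jim", "buckeye", "password", "1Gin+2Tonic", "47adFb2m"]:
        verdict = password_problems(candidate, first_name="Jim")
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
    print("rotation overdue:", change_overdue("2005-01-01", "2005-06-01"))
```

Returning the list of failed checks rather than a bare yes/no is deliberate: a user who is told “shorter than 8 characters” or “is a blocked word padded with digits or symbols” can fix the password, whereas a bare rejection invites guessing.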
Data Security
Essential to Confidentiality and Integrity
Regulatory environment: FERPA and student information
Involves protecting data in transit, as well as in storage
Often requires encryption of the data
People Security
Background screening as part of the hiring process
Termination best practices:
– Remove their access
– Dispossess them of sensitive materials
– Repossess important materials (latest version of their projects)
People Security, continued
Questions to ponder:
Do you know what access each employee has, including remote access?
Can you guarantee they haven’t set up back-doors, especially if they were disgruntled before they left?
Do you have policies about sensitive materials at home, backups, etc?
People Security, continued
Social engineering: techniques that rely on weaknesses in humans rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system’s security
Modified from The Jargon File, version 4.7.7
Phishing example
Mis-spelled words
F.U.D.
Phishing example
<a href= "http://www.paypallk.com:680/paypal.php" style="font-family: monospace; font-size: 10pt;">Click here to confirm your account</a>
See PayPal site page on security
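The anchor shown on the slide is the classic phishing pattern: friendly “Click here” text in front of a look-alike host (paypallk.com, not paypal.com) on an odd port. As an added Python example (not from the deck or from OSU Technology Services), the script below pulls every link out of an HTML message with the standard-library parser and flags those three signs: a host that contains a trusted brand name but is not that brand's domain, a non-standard port, and link text that names a different site than the href. SLIDE_ANCHOR is the anchor from the slide; the TRUSTED_BRANDS table is constructed for the example.

```python
"""Suspicious-link checker for an HTML e-mail, added as an example; it is not
from the slide deck.

It pulls every <a href> out of a message with the standard-library HTML
parser and flags the signs visible in the slide's PayPal example: a host that
contains a trusted brand name but is not that brand's domain, a non-standard
port, and link text that names a different site than the href. The anchor in
SLIDE_ANCHOR is the one shown on the slide; TRUSTED_BRANDS is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: brand names worth watching, mapped to their genuine domains.
TRUSTED_BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com"}

# The anchor from the slide's phishing example.
SLIDE_ANCHOR = ('<a href= "http://www.paypallk.com:680/paypal.php" '
                'style="font-family: monospace; font-size: 10pt;">'
                'Click here to confirm your account</a>')


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str) -> list:
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (good enough for .com; not for co.uk etc.)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def link_warnings(href: str, text: str) -> list:
    """Return human-readable reasons a link looks like phishing (empty if none)."""
    warnings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    domain = registrable_domain(host)

    for brand, real_domain in TRUSTED_BRANDS.items():
        if brand in host and domain != real_domain:
            warnings.append(f"host {host!r} imitates {brand} but is not {real_domain}")

    if parts.port not in (None, 80, 443):
        warnings.append(f"non-standard port {parts.port}")

    # Link text such as "www.paypal.com" that points somewhere else entirely.
    if "." in text and not any(ch.isspace() for ch in text):
        shown = urlsplit(text if "://" in text else "http://" + text).hostname or ""
        if shown and registrable_domain(shown) != domain:
            warnings.append(f"link text shows {shown!r} but the link goes to {host!r}")
    return warnings


def scan_message(html: str) -> dict:
    """Map each href in the message to its warnings."""
    return {href: link_warnings(href, text) for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, reasons in scan_message(SLIDE_ANCHOR).items():
        print(href, "->", reasons or "no warnings")
```

Run on the slide's anchor it reports the imitation host and port 680; the same check run on a genuine https://www.paypal.com/ link reports nothing. The registrable-domain helper is deliberately simple (last two labels), which is enough for the .com hosts in this example but would need a public-suffix list for country-code domains.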
Social engineering example
How could a person get tricked into giving out a password over the phone?
Much easier than you think!
Social engineering example
“Hi, this is Jim from Tech Services. We noticed that your network segment is down, and we’d like to try your login to verify it. What’s your password?”
“This is Andrew from Technology Services. Your mail spool on the server is blocked, and we need your password to clear it.”
What can I do?
Lock it down!
Auto-install OS updates
Install and use anti-virus and anti-adware/spyware software
Personal firewall (OS X & Windows XP built-in)
Backups!
Use good password practices
What else can I do?
Use a browser other than Internet Explorer, e.g. Firefox.
Use a locking screensaver
Don’t use Instant Messaging clients
Cautiously use e-mail attachments
Don’t use password hints
Disable automatic logins
Apply paranoia as necessary
What does Technology Services do?
Lima OTS and Columbus Network Security (division of OIT) actively scan network hosts for vulnerabilities
Lima OTS and Columbus Net Security actively monitor network traffic for suspicious activity
What does Technology Services do?
Centralize Microsoft OS patches and hotfixes
Centralize McAfee virus scan updates
Filter e-mail for spam and viruses
Authentication
Columbus blacklisting
Firewall for Lima network
Firewall
Restricts access to network services, in and out
Personal (host) and network
Image courtesy of INetU Managed Hosting, http://www.inetu.net/services/firewalls.php
What is coming next?
Best Practices for passwords
– Minimum password length
– Complexity requirements
– Rotation change enforcement
Encrypted remote access
Two-factor authentication for laptops
– Something you have
– Something you know
F.A.Q.
How can I tell when I’ve been infected?
– Unusual slowdown
– Unexpected crashes, strange errors
– Mouse movement or typing without you: “possessed”
– OIT security blacklists: no Internet access off-campus
What do I do?
– Turn it off!
– Report it to Technology Services
– Don’t try to backup now, it’s too late. You may spread contamination.
F.A.Q.
What do you do with an infected/compromised computer?
– Attempt disinfection/repair if it’s a known threat with proven recovery
– Most often complete “rebuild” of the computer
– Clean and repair data files
Useful Resources
Lima Technology Services
– http://lima.osu.edu/ots
Columbus OIT Network Security
– http://www.net.ohio-state.edu/security
CIO Policies
– http://cio.osu.edu/policies/policies.html
Network Policies
– http://www.net.ohio-state.edu/OSUNet/policies.html
Useful Resources
OSU Site Licensed Software
– http://osusls.osu.edu
Spybot Search & Destroy
– http://www.spybot.info
General Spyware Information
– http://www.getnetwise.org
FERPA and OSU
– http://www.registrar.ohio-state.edu/ourweb/more/Content/ferpa.pg1.html
Phishing
– http://www.antiphishing.org/phishing_archive.html