Intro to Cybersecurity
DESCRIPTION
This presentation introduces low/no cost measures any organization can and should employ. This version of the presentation is offered by the New England Water Works Association's IT and Security and Preparedness committees in operator training and certification courses.
TRANSCRIPT
Intro to Cybersecurity
NEWWA 5-May, 2009
Copyright 2005-2009, Bridge-Soft, LLC. All rights reserved.
Presentation
- Top Five No-Cost Suggestions
- Size and Shape of the Threat
- Technology Primer
- Characteristics of an Attack
- Securing the Organization
- Resources and Tools
Top Five No-Cost Suggestions
- Use passwords, use them well
  - Individual logons
  - Complex passwords
  - Rotating schedule
- Utilize automatic updates
  - Operating system
  - Antivirus
- Remove unnecessary programs and components
- Create policies
- Protect system information
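Size and Shape of the Threat

| For 2008            | Financial | Business | Education | Gvt/Military | Medical |
|---------------------|-----------|----------|-----------|--------------|---------|
| Insider Theft       | 2.4%      | 5.6%     | 1.8%      | 3.4%         | 2.4%    |
| Hacking             | 3.5%      | 6.1%     | 2.7%      | 0.8%         | 0.8%    |
| Data on the Move    | 1.7%      | 7.3%     | 3%        | 4.3%         | 4.4%    |
| Accidental Exposure | 0.8%      | 3.0%     | 6.1%      | 3.0%         | 1.5%    |
| Subcontractor       | 0.8%      | 3.5%     | 1.5%      | 2.3%         | 2.3%    |

|                     | 2008 - # of Breaches | 2008  | 2007  | 2006 |
|---------------------|----------------------|-------|-------|------|
| Business            | 240                  | 36.6% | 28.9% | 21%  |
| Educational         | 131                  | 20%   | 24.8% | 28%  |
| Government/Military | 110                  | 16.8% | 24.6% | 30%  |
| Health/Medical      | 97                   | 14.8% | 14.6% | 13%  |
| Financial/Credit    | 78                   | 11.9% | 7%    | 8%   |

2008 Data Breach Total Soars: ITRC Reports 47% Increase over 2007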
Source: Identity Theft Resource Center, “2008 Data Breach Total Soars”
Size and Shape of Threat
- Cyberspy threat is growing
- Senate testimony from Joseph Weiss:
  - Found evidence of 125+ control system breaches
  - Impacts range from significant environmental damage to death
High Profile Attacks
- Davis-Besse Nuclear Power
- Northeast Blackout
- Australian Sewage Release
- Olympic Pipeline (3 fatalities)
- Worcester Airport
IT vs. PC Security

| TOPIC                       | INFORMATION TECHNOLOGY                 | PROCESS CONTROL                |
|-----------------------------|----------------------------------------|--------------------------------|
| Anti-virus/Mobile Code      | Common/Widely Used                     | Uncommon/Impossible to deploy  |
| Support Technology Lifetime | 3-5 Years                              | Up to 20 Years                 |
| Outsourcing                 | Common/Widely Used                     | Rarely used                    |
| Application of Patches      | Regular/Scheduled                      | Slow (Vendor specific)         |
| Change Management           | Regular/Scheduled                      | Rare                           |
| Time Critical Content       | Generally delays accepted              | Critical due to safety         |
| Availability                | Generally delays accepted              | 24x7x365xforever               |
| Security Awareness          | Good in both private and public sector | Poor except for physical       |
| Security Testing/Audit      | Scheduled and mandated                 | Occasional testing for outages |
| Physical Security           | Secure                                 | Remote and Unmanned            |
© 2002 PA Knowledge Limited
Technology Primer
Domain Name Service
"Directory Assistance" for the Internet: Hello, operator? I'm trying to reach Microsoft (www.microsoft.com).

| Internet                                     | Phone System                    |
|----------------------------------------------|---------------------------------|
| Domain Name Server (DNS21.REGISTER.COM)      | Telephone Book/Directory (411)  |
| Uniform Resource Locator (www.microsoft.com) | Person's Name (Joe Smith)       |
| IP Address (207.46.199.30)                   | Telephone Number (617-555-1234) |
Technology Primer
[Network diagram: Internet, WAN, DMZ and LAN, with a server, client PCs on Ethernet, an Intrusion Prevention System and an Intrusion Detection System. Traffic labels: "Most stuff gets in", "Almost everything gets out", "Almost nothing gets in", "Limited, specific traffic".]
Characteristics of an Attack
- Types of Attackers
  - Script kiddies
  - Insider
  - Terrorist attacks
  - Nation states
- Sources of Attacks
  - Viruses and worms
  - Email
  - Hostile web pages
  - Direct attacks
- Typical Steps
  - Target identification
  - Reconnaissance
  - System exploits
  - Keeping access
  - Covering tracks
What is "Phishing"?
- Appears to be a legitimate email
- Contains a false URL (1) that links to illegitimate site (2)
- Have different objectives:
  - Obtain personal account information
  - Plant viruses/worms
Securing the Organization
- Layered Model
  - Human
  - Application
  - Operating system
  - Network
  - Physical
- SKiP Method: "Security Knowledge in Practice"
  - Steps
    - Customize vendor software
    - Harden and secure the network
    - Prepare
    - Detect
    - Respond
    - Improve
    - Repeat
Securing the Organization
No/Low Cost Approaches
- "Pull the Plug"
  - No network/internet connection/access
  - This means modems too
- Don't make it easy
  - Protect system design/architecture (consultants)
  - Raise consciousness
  - Create policies (e.g. Internet usage)
- Use what you have
  - Passwords, PASSWORDS, PASSWORDS!
  - Remove unused software/components
  - Disable operating system components
Securing the Organization
- Remove unused software/components
  - Windows
    - Components
    - Programs
    - Services
Securing the Organization: 7 Steps
Microsoft’s “Security Guide for Small Business”
http://www.microsoft.com/smallbusiness/support/security-toolkit-pdf.mspx
Securing the Organization: 7 Steps
- Step 1: Secure client computers
  - Automatic updates
  - Antivirus
  - Software firewalls (free with XP, commercial products for others)
Securing the Organization: 7 Steps
- Step 2: Secure data
  - Backups
  - File permissions
  - Encryption
- Step 3: Internet usage policy
Securing the Organization: 7 Steps
- Step 4: Secure the Network
  - Use a firewall (hardware and/or software)
  - Use strong passwords
  - Use wireless security features
  - Close unnecessary network ports
Securing the Organization: 7 Steps
- Step 5: Secure the Servers
  - Physical protection and isolation
  - Reduce privileges
  - Understand the options
- Step 6: Secure the Applications
  - Use available security options
  - Update the software
  - Restrict access
- Step 7: Manage Clients from the Server
Securing the Organization: 7 Steps
Some / High Cost Methods
- Intrusion prevention systems
  - Prevents protocol exploitations, HTTP attacks, SYN flood attacks, FTP attacks, ICMP attacks, and application attacks
  - Expensive
- Firewalls
  - Rule-based port filtering
  - Inexpensive, complicated
- Intrusion detection systems
  - Monitoring, auditing, forensics, and reporting of activity
  - Cheap (free), complicated
Social Engineering
- "Users are the weakest link."
- Attackers are patient and persistent
- Who was Kevin Mitnick?
  - "When you combine an inclination for deceiving people with the talents of influence and persuasion you arrive at the profile of a social engineer."
Social Engineering
Courtesy of xkcd.com: http://xkcd.com/538/
Web Resources
- www.us-cert.gov
- www.cert.org
- www.first.org
- www.isa.org (SP99)
- www.microsoft.com/security