Intro to Cybersecurity NEWWA 5-May, 2009

Upload: jon-dipietro

Post on 28-Jan-2015


DESCRIPTION

This presentation introduces low/no cost measures any organization can and should employ. This version of the presentation is offered by the New England Water Works Association's IT and Security and Preparedness committees in operator training and certification courses.

TRANSCRIPT

Page 1: Intro To Cybersecurity

Intro to Cybersecurity

NEWWA 5-May, 2009

Page 2: Intro To Cybersecurity

Copyright 2005-2009, Bridge-Soft, LLC. All rights reserved.

Presentation

- Top Five No-Cost Suggestions
- Size and Shape of the Threat
- Technology Primer
- Characteristics of an Attack
- Securing the Organization
- Resources and Tools

Page 3: Intro To Cybersecurity

Top Five No-Cost Suggestions

1. Use passwords, use them well
   - Individual logons
   - Complex passwords
   - Rotating schedule
2. Utilize automatic updates
   - Operating system
   - Antivirus
3. Remove unnecessary programs and components
4. Create policies
5. Protect system information
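The first suggestion is the one most utilities can act on the same day, so here is what "use them well" looks like when it is enforced rather than just asked for. This is an added example, not code from the NEWWA deck or from Bridge-Soft: a password policy check covering the three bullets on the slide (individual logons, so the account name must not appear in the password; complexity; and a rotation schedule). The thresholds (12 characters, three of four character classes, 90 days) and the small blocklist are assumptions to be replaced with your own policy and a real breach-corpus list. One caveat a practitioner would add today: NIST SP 800-63B no longer recommends forced periodic rotation unless compromise is suspected, so treat the age check as optional.

```python
"""Password policy check: account name, complexity, common-password screening,
keyboard runs, and rotation age. Added example; thresholds are assumptions."""
import re
from datetime import date

MIN_LENGTH = 12        # assumed minimum length
MIN_CLASSES = 3        # of lower / upper / digit / symbol
MAX_AGE_DAYS = 90      # assumed rotation period

# Constructed mini blocklist; real deployments screen against a large breach corpus.
COMMON = {"password", "password1", "123456", "qwerty", "letmein", "welcome", "admin"}


def char_classes(pw):
    """Count how many of the four character classes the password uses."""
    return sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def has_run(pw, length=4):
    """True for keyboard-style runs such as 'abcd', '4321' or 'aaaa' anywhere in the password."""
    s = pw.lower()
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def check_password(pw, username, last_changed, today=None):
    """Return the list of policy violations; an empty list means the password passes."""
    today = today or date.today()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(pw) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    base = pw.lower().rstrip("0123456789!")   # strip the trailing '1!' people append to pass filters
    if pw.lower() in COMMON or base in COMMON:
        problems.append("is a common password (with or without a trailing suffix)")
    if username and username.lower() in pw.lower():
        problems.append("contains the account name")
    if has_run(pw):
        problems.append("contains a sequence or repeated-character run")
    age = (today - last_changed).days
    if age > MAX_AGE_DAYS:
        problems.append(f"last changed {age} days ago (limit {MAX_AGE_DAYS})")
    return problems


if __name__ == "__main__":
    # Constructed examples, evaluated as of the slide's date (5 May 2009).
    for pw in ("Password1!", "Correct-Horse-Battery-2009"):
        print(pw, "->", check_password(pw, "jsmith", date(2009, 4, 1), date(2009, 5, 5)) or "OK")
```

The suffix-stripping line is the part worth copying: "Password1!" satisfies a naive complexity rule (four character classes) yet is still a dictionary word with a bolt-on, which is exactly what a cracker's rule set tries first.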

Page 4: Intro To Cybersecurity

Size and Shape of the Threat

Breach category by sector for 2008 (each cell is a percent of all 2008 breaches reported)

Category             Financial  Business  Education  Gvt/Military  Medical
Insider Theft           2.4%      5.6%      1.8%        3.4%        2.4%
Hacking                 3.5%      6.1%      2.7%        0.8%        0.8%
Data on the Move        1.7%      7.3%      3.0%        4.3%        4.4%
Accidental Exposure     0.8%      3.0%      6.1%        3.0%        1.5%
Subcontractor           0.8%      3.5%      1.5%        2.3%        2.3%

Number of breaches by sector in 2008, with each sector's share of all breaches for 2008, 2007 and 2006

Sector               2008 count   2008    2007    2006
Business                 240      36.6%   28.9%   21%
Educational              131      20.0%   24.8%   28%
Government/Military      110      16.8%   24.6%   30%
Health/Medical            97      14.8%   14.6%   13%
Financial/Credit          78      11.9%    7%      8%

2008 Data Breach Total Soars: ITRC Reports 47% Increase over 2007

Source: Identity Theft Resource Center, “2008 Data Breach Total Soars”

Page 5: Intro To Cybersecurity

Size and Shape of the Threat

Cyberspy threat is growing

Senate testimony from Joseph Weiss: found evidence of 125+ control system breaches; impacts range from significant environmental damage to death

Page 6: Intro To Cybersecurity

High Profile Attacks

- Davis-Besse Nuclear Power
- Northeast Blackout
- Australian Sewage Release
- Olympic Pipeline (3 fatalities)
- Worcester Airport

Page 7: Intro To Cybersecurity

IT vs. PC (Process Control) Security

Topic                        Information Technology                  Process Control
Anti-virus/Mobile Code       Common/Widely Used                      Uncommon/Impossible to deploy
Support Technology Lifetime  3-5 Years                               Up to 20 Years
Outsourcing                  Common/Widely Used                      Rarely used
Application of Patches       Regular/Scheduled                       Slow (Vendor specific)
Change Management            Regular/Scheduled                       Rare
Time Critical Content        Delays generally accepted               Critical due to safety
Availability                 Delays generally accepted               24x7x365xforever
Security Awareness           Good in both private and public sector  Poor except for physical
Security Testing/Audit       Scheduled and mandated                  Occasional testing for outages
Physical Security            Secure                                  Remote and Unmanned

© 2002 PA Knowledge Limited

Page 8: Intro To Cybersecurity

Technology Primer

Domain Name Service: "Directory Assistance" for the Internet. Hello, operator? I'm trying to reach Microsoft (www.microsoft.com).

Internet                                        Phone System
Domain Name Server (DNS21.REGISTER.COM)         Telephone Book/Directory (411)
Host name in a URL (www.microsoft.com)          Person's Name (Joe Smith)
IP Address (207.46.199.30)                      Telephone Number (617-555-1234)
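The "directory assistance" call is a small binary exchange, and seeing the bytes makes the analogy concrete: the query carries the name (as length-prefixed labels) and a 16-bit transaction ID; the answer echoes the ID and the question and appends the address. The following is an added example, not code from the original deck: a minimal DNS query builder and response parser in Python's standard library. The reply bytes are constructed inline (using the slide's address for www.microsoft.com and an assumed TTL of 300), not captured from a real resolver. The parser follows RFC 1035 compression pointers with a hop limit, and discards a reply whose transaction ID does not match the query, which is the basic check every resolver performs against unsolicited or forged answers.

```python
"""Minimal DNS query builder and response parser (RFC 1035 wire format).
Added example; the reply is constructed here, not captured traffic."""
import struct

MAX_POINTER_HOPS = 16   # guard against pointer loops in malformed replies


def encode_name(name):
    """'www.microsoft.com' -> b'\\x03www\\x09microsoft\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234):
    """12-byte header (flags 0x0100 = recursion desired, one question) + question for an A record."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN


def read_name(msg, offset):
    """Decode a name at offset, following compression pointers (0xC0xx).
    Returns (name, offset just past the name as it appeared at the call site)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # two-byte pointer into the message
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg, expected_txid):
    """Return (rcode, [(name, type, ttl, value), ...]); reject replies whose ID we never sent."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: unsolicited or forged reply")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):                 # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4                          # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1 and rdlen == 4:        # A record: four address bytes
            answers.append((name, "A", ttl, ".".join(str(b) for b in rdata)))
        elif rtype == 5:                     # CNAME: another (possibly compressed) name
            target, _ = read_name(msg, offset)
            answers.append((name, "CNAME", ttl, target))
        else:
            answers.append((name, f"TYPE{rtype}", ttl, rdata.hex()))
        offset += rdlen
    return rcode, answers


def build_sample_response(query):
    """Constructed reply to the query: the slide's address for www.microsoft.com, assumed TTL 300."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)    # QR=1, RD, RA, one answer
    answer = b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([207, 46, 199, 30])
    return header + query[12:] + answer           # 0xC00C points back at the question name


if __name__ == "__main__":
    q = build_query("www.microsoft.com")
    print(q.hex())
    print(parse_response(build_sample_response(q), 0x1234))
```

Two details carry the security weight here: the transaction ID check (a reply you did not ask for, or one with the wrong ID, is dropped) and the hop limit on compression pointers (a crafted reply with a pointer that refers to itself would otherwise spin the parser forever).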

Page 9: Intro To Cybersecurity

Technology Primer

[Network diagram: Internet -> Intrusion Prevention System -> DMZ (Server) -> Intrusion Detection System -> LAN (Ethernet, Client PCs), with a WAN link]

Traffic annotations on the diagram:
- Internet to LAN: almost nothing gets in; almost everything gets out
- Internet to DMZ: most stuff gets in; almost everything gets out
- DMZ to LAN: limited, specific traffic

Page 10: Intro To Cybersecurity

Characteristics of an Attack

Types of Attackers
- Script kiddies
- Insider
- Terrorist attacks
- Nation states

Sources of Attacks
- Viruses and worms
- Email
- Hostile web pages
- Direct attacks

Typical Steps
- Target identification
- Reconnaissance
- System exploits
- Keeping access
- Covering tracks

Page 11: Intro To Cybersecurity

What is “Phishing”?

- Appears to be a legitimate email
- Contains a false URL (1) that links to an illegitimate site (2)
- Has different objectives: obtain personal account information; plant viruses/worms
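The "false URL" on the slide is usually a link whose visible text shows one address while its href goes somewhere else, so that is the first thing a mail filter or an awareness exercise should look for. The following is an added example, not code from the original deck: a Python screen over the links in an HTML message that flags text/href mismatches, a trusted brand name buried as a subdomain of an unrelated site, links to bare IP addresses, and links that download executables. The e-mail is constructed for the example, the hostnames use reserved example/documentation addresses, and the trusted-brand list and the two-label "site" heuristic are assumptions (real code should use the Public Suffix List).

```python
"""Screen links in an HTML e-mail for phishing tell-tales. Added example;
the message below is constructed, not a real phishing sample."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL = """<html><body>
<p>Dear customer, your account will be suspended. Please verify at
<a href="http://www.microsoft.com.account-verify.example/login">www.microsoft.com</a>
within 24 hours.</p>
<p>Questions? Visit the <a href="https://www.microsoft.com/security">Security Center</a>.</p>
<p>Click <a href="http://198.51.100.23/update.exe">here</a> to install the security update.</p>
</body></html>"""

TRUSTED_BRANDS = ("microsoft.com",)              # assumed: sites the organisation actually deals with
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".bat", ".zip")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'site' = last two labels. Production code should use the Public Suffix List."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def classify_link(href, text, brands=TRUSTED_BRANDS):
    """Return the reasons a link looks like phishing; an empty list means nothing suspicious."""
    host = urlparse(href).hostname or ""
    reasons = []
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("links to a bare IP address")
    # The slide's case: the visible text shows one URL, the href points at another site.
    if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text.lower()):
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if registrable(shown) != registrable(host):
            reasons.append(f"displays {shown} but links to {host}")
    for brand in brands:
        if brand in host and registrable(host) != brand:
            reasons.append(f"{brand} used as a subdomain of unrelated site {registrable(host)}")
    if urlparse(href).path.lower().endswith(EXECUTABLE_SUFFIXES):
        reasons.append("link downloads an executable")
    return reasons


def scan_email(html):
    """[(href, text, reasons), ...] for every link in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, classify_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print(f"{text!r:22} -> {href}\n    {'; '.join(reasons) or 'no findings'}")
```

The brand check is what catches the slide's example even when the visible text is innocuous ("click here"): www.microsoft.com.account-verify.example is a host inside account-verify.example, and no amount of familiar-looking prefix changes who controls it.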

Page 12: Intro To Cybersecurity

Securing the Organization

Layered Model
- Human
- Application
- Operating system
- Network
- Physical

SKiP Method ("Security Knowledge in Practice") steps
- Customize vendor software
- Harden and secure the network
- Prepare
- Detect
- Respond
- Improve
- Repeat

Page 13: Intro To Cybersecurity

Securing the Organization

No/Low Cost Approaches

"Pull the Plug"
- No network/internet connection/access
- This means modems too

Don't make it easy
- Protect system design/architecture (consultants)
- Raise consciousness
- Create policies (e.g. Internet usage)

Use what you have
- Passwords, PASSWORDS, PASSWORDS!
- Remove unused software/components
- Disable operating system components

Page 14: Intro To Cybersecurity

Securing the Organization

Remove unused software/components (Windows): Components

Page 15: Intro To Cybersecurity

Securing the Organization

Remove unused software/components (Windows): Components, Programs

Page 16: Intro To Cybersecurity

Securing the Organization

Remove unused software/components (Windows): Components, Programs, Services

Page 17: Intro To Cybersecurity

Securing the Organization: 7 Steps

Microsoft’s “Security Guide for Small Business”

http://www.microsoft.com/smallbusiness/support/security-toolkit-pdf.mspx

Page 18: Intro To Cybersecurity

Securing the Organization: 7 Steps

Step 1: Secure client computers
- Automatic updates
- Antivirus
- Software firewalls (free with XP, commercial products for others)

Page 19: Intro To Cybersecurity

Securing the Organization: 7 Steps

Step 2: Secure data
- Backups
- File permissions
- Encryption

Step 3: Internet usage policy

Page 20: Intro To Cybersecurity

Securing the Organization: 7 Steps

Step 4: Secure the Network
- Use a firewall (hardware and/or software)
- Use strong passwords
- Use wireless security features
- Close unnecessary network ports

Page 21: Intro To Cybersecurity

Securing the Organization: 7 Steps

Step 5: Secure the Servers
- Physical protection and isolation
- Reduce privileges
- Understand the options

Step 6: Secure the Applications
- Use available security options
- Update the software
- Restrict access

Step 7: Manage Clients from the Server

Page 22: Intro To Cybersecurity

Securing the Organization: 7 Steps

Some / High Cost Methods

Intrusion prevention systems
- Prevents protocol exploitations, HTTP attacks, SYN flood attacks, FTP attacks, ICMP attacks, and application attacks
- Expensive

Firewalls
- Rule-based port filtering
- Inexpensive, complicated

Intrusion detection systems
- Monitoring, auditing, forensics, and reporting of activity
- Cheap (free), complicated

Page 23: Intro To Cybersecurity

Social Engineering

“Users are the weakest link.”
Attackers are patient and persistent
Who was Kevin Mitnick?

“When you combine an inclination for deceiving people with the talents of influence and persuasion you arrive at the profile of a social engineer.”

Page 24: Intro To Cybersecurity

Social Engineering

Courtesy of xkcd.com: http://xkcd.com/538/

Page 25: Intro To Cybersecurity

Web Resources

- www.us-cert.gov
- www.cert.org
- www.first.org
- www.isa.org (SP99)
- www.microsoft.com/security
