Securing the Cause: Information Security for Not-For-Profit Organizations

Ben Finke - Securing the Cause - @benfinke

Posted 09-Aug-2015 (upload: ben-finke)

TRANSCRIPT


Securing the Cause

Information Security for Not-For-Profit Organizations


Ben Finke

• Director of Security Operations, Enterprise Integration

• Lead Security Assessor

• Security Architect

• BIG fan of information security, defending networks, and sharing and learning

• Even BIGGER fan of Not-For-Profit groups and the work they do

• I can (and do) take and pass tests from time to time


Ben Finke

@benfinke

[email protected] [email protected]

https://www.linkedin.com/pub/ben-finke/3/95a/8a1

blog.eiblackops.com

blog.benfinke.com


What is security?

• It might mean keeping something secret (Confidentiality)

• Maybe it means making sure those services are available (Availability)

• More important to have the correct data than keeping it secret (Integrity)

• Security is about maintaining control over your information systems and the information flowing through them.

• It is NOT about always spending more $$$$$!!!

Security Challenges – NFP Version

• Incredibly tight budgets

• Difficult to retain top talent in fields like information security

• Rely on donated products and services

• May have a large volunteer workforce


There is some really good news though… There are some things you can recommend to your NFP clients that they can easily start doing today that will make this situation much better!

In fact, there are exactly 6 things that they should all start right now. Today.


1. Patching

Note: Not this kind of patch.


Fact: 99.9% of security breaches in 2014 were made possible by a vulnerability (and corresponding patch) that had been available for over a year (!).*

Seriously. A whole entire year. 99.9%. In other words, only 0.1% of the cases were the delicate flowers that involved custom exploits.

Lesson: Patch your stuff.

Not just operating system patches, but everything. Adobe Acrobat, Java, Microsoft Office. And if you don’t absolutely need those things, then remove them.

*Verizon Data Breach Investigation Report – 2015 - http://www.verizonenterprise.com/DBIR/2015/


2. Worry about the real target…

“Yeah, that’s probably OK, go ahead and click on it….”


The single biggest target in the whole entire network is the people who use it.

Some kind of security awareness training needs to happen regularly. Emphasize things like:

• Don’t open attachments in email messages that you don’t recognize or aren’t expecting.

• Your IT support team will NEVER ask for your password

• When you call to reset your password, you’ll need to be ready to verify you really are who you say you are

• If you want to keep something secret, it never ever goes on the Internet.


3. Backups


Let’s be clear, the safety of people is the paramount concern. But right after that is reliable backup of the data.

You can recover from just about anything, except for data loss. Once it’s gone it is GONE.

And it’s not enough to see the green check mark in the backup tool. Can you actually restore that system? Are you certain?

Backups are difficult because they have to be 100% correct, 100% of the time.

Get a list of your critical applications and services, and make sure you can actually restore those services. You should test this restore at least quarterly.
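The restore test the slide asks for, as an added example that is not from the talk: it takes a SHA-256 manifest at backup time, restores the archive into a scratch directory, and reports anything missing, changed, or unexpected. The sample files, archive name and paths are constructed for the demonstration.

```python
import hashlib
import os
import tarfile
import tempfile

def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return manifest

def make_sample_backup(archive_path, source_dir):
    """Constructed sample: write two 'critical' files, record their hashes,
    then archive them the way a simple nightly backup job would."""
    os.makedirs(os.path.join(source_dir, "db"))
    with open(os.path.join(source_dir, "db", "donors.csv"), "w") as f:
        f.write("id,name\n1,Example Donor\n")
    with open(os.path.join(source_dir, "config.ini"), "w") as f:
        f.write("[mail]\nhost=mail.example.org\n")
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(os.path.join(source_dir, rel), arcname=rel)
    return manifest

def restore_and_verify(archive_path, manifest):
    """The real test: restore into a scratch directory (never the live system)
    and compare every file with the manifest taken at backup time.
    Returns (ok, problems); a green check mark in the backup tool is not enough."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(scratch)
        except (tarfile.TarError, EOFError, OSError) as exc:
            return False, [f"archive unreadable: {exc}"]
        restored = build_manifest(scratch)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content changed: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected file restored: {rel}")
    return not problems, problems
```

Run it quarterly against the real archives and keep the manifest somewhere other than the backup itself.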


4. An ounce of preparation….


Not having a plan ensures that your response to any impacting event will be way worse than you would like it to be.

List some possible scenarios. Build a plan. Identify key positions. Make a communication plan.

And then test it. At a minimum, an organization should be running a “Table Top” exercise at least annually. Get everyone involved in a room, and run through the scenario. Think about where the plan needs improvement.

For example, if the scenario is “What to do if the email server fails”, then none of the communications in the plan should rely on email, right? Happens all the time….

For example scenarios, check out Sean Mason’s Table Top Exercise guide: http://seanmason.com/2015/04/20/table-top-exercises-ttx/


5. Test those defenses!


If you are fortunate enough to be the owner of a fantastic new Security Ensurer v1000 Premium* system, good for you!

Are you sure it’s doing what it’s supposed to be doing?

Only one way to know, test it!

Is it supposed to block something? Alert someone? Does it do those things?

Testing can be as simple as launching some basic attacks from some free and open source security tools, or some very inexpensive commercial ones. You’d be surprised how often fancy IT products will lie to you.**

Testing also highlights how well your patching process works too!

*I completely made that up, in case you couldn’t tell…

**You’re not really surprised, are you?


A good vulnerability scanner license can be had for around $2K annually.

It will:

• Find systems missing patches

• Find systems with misconfigurations

• Build an inventory of your network

Lots of free tools and great how-tos are available online as well. Take advantage of all of this community support!


6. A Complete Inventory


An accurate inventory is absolutely imperative.

How do you know what is not supposed to be on the network if you don’t know what IS supposed to be on the network?

Are you sure you are backing everything up?

Are you sure everything has AV installed?

Are you sure that everything is being patched?

Your inventory needs to include hardware and software.

If your inventory is older than 7 days, it is really only useful as a historical baseline. Run it again.

Automate this process. Don’t make this a weekly manual task. Periodically (semi-annually) do some manual verification.
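The automated comparison the slide calls for, as an added example that is not from the talk: an approved baseline (hardware and software) is checked against what the latest sweep discovered, and the questions above (backed up? AV installed? patched?) are answered from it. The asset records, MAC addresses, the discovery sweep and the 30-day patch window are all constructed assumptions; only the 7-day staleness rule comes from the slide.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Asset:
    """One approved device; software is listed because the inventory must cover both."""
    hostname: str
    mac: str
    software: tuple
    av_installed: bool
    backed_up: bool
    last_patched: date

def inventory_is_stale(taken_on, today, max_age_days=7):
    """Older than 7 days is only a historical baseline: run it again."""
    return (today - taken_on).days > max_age_days

def review_inventory(baseline, discovered, today, patch_window_days=30):
    """Answer the inventory questions from an automated comparison.

    baseline:   {mac: Asset}     what IS supposed to be on the network
    discovered: {mac: hostname}  what the latest automated sweep actually saw
    patch_window_days is an assumed threshold, not one the talk states."""
    report = {"unknown": [], "missing": [], "no_av": [], "no_backup": [], "unpatched": []}
    for mac, host in discovered.items():
        if mac not in baseline:
            report["unknown"].append((mac, host))   # not supposed to be here
    for mac, asset in baseline.items():
        if mac not in discovered:
            report["missing"].append(asset.hostname)  # approved but not seen
        if not asset.av_installed:
            report["no_av"].append(asset.hostname)
        if not asset.backed_up:
            report["no_backup"].append(asset.hostname)
        if (today - asset.last_patched).days > patch_window_days:
            report["unpatched"].append(asset.hostname)
    return report

# Constructed sample data: three approved assets and one fresh discovery sweep.
TODAY = date(2015, 8, 9)
BASELINE = {
    "00:11:22:33:44:01": Asset("fileserver", "00:11:22:33:44:01", ("Windows Server", "Backup Agent"), True, True, date(2015, 8, 1)),
    "00:11:22:33:44:02": Asset("donor-db", "00:11:22:33:44:02", ("Linux", "PostgreSQL"), True, False, date(2015, 5, 2)),
    "00:11:22:33:44:03": Asset("volunteer-laptop", "00:11:22:33:44:03", ("Windows 7", "Adobe Acrobat"), False, True, date(2015, 8, 5)),
}
DISCOVERED = {
    "00:11:22:33:44:01": "fileserver",
    "00:11:22:33:44:02": "donor-db",
    "aa:bb:cc:dd:ee:ff": "unknown-android",   # never approved
}
```

Feed `DISCOVERED` from whatever the automated sweep produces (DHCP leases, a scanner export) and keep the semi-annual manual check for the baseline itself.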


Beyond the Basics

If your NFP partner has some extra budget, what else should they do?


Log Management


Logs?

Every system on your network – laptops, servers, network devices, printers, etc. – records everything that happens. If something goes wrong, the answers are there. When a problem happens and an incident response team figures out what happened, they use those logs.

The amount of information generated by these systems is surprising….

Data made by people.

Data made by machines.


Few investments get more out of everything you already own than a log management/SIEM solution.

You *have to* get all of the logs from all of the important things on your network into one place.

• Backup of logs when a system crashes

• Correlate activity between systems

• Build baselines for your network

• Analytics!!


Email Security

Email is one of the most common delivery methods for scammers and attackers. A good email security service will help prevent a lot of those kinds of messages from getting through.

Some will still get through, but the records generated by such a service will help after-the-fact investigations to properly recover from an incident.


Data Security

All mobile devices should use full disk encryption (FDE). In the event that a device is lost, it will not be readable by an unauthorized user. This applies to laptops, tablets, and smart phones.

Consider encrypting all removable media as well (USB Flash drives)


Identity Management

A good identity management service will provide you with:

• A detailed audit log of who has access to what, when they got it, and who approved it

• A self-service password reset capability

• Automated provisioning (for cloud services and in house systems)

• Easy report for audit and compliance purposes


Implement MFA

MFA = Multi Factor Authentication

Lots of offerings exist, many can send an SMS text message with a code, or an app that runs on a smartphone can provide these codes.

A combination of a strong password and a one time token means:

• An attacker who steals your password still doesn’t know your token code

• A lost phone can’t be used on its own to log into the account
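How the smartphone-app codes work and why both factors are needed, as an added example that is not from the talk: the code is RFC 6238 TOTP (HMAC-SHA1 over the 30-second time step, as the common authenticator apps compute it), and the login check below accepts only a correct password AND a current code. The user, salt and password are constructed; the shared secret is the RFC 6238 test secret.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation,
    then the last `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the current 30-second time step. This is what
    the app on the phone computes from the secret it was enrolled with."""
    return hotp(secret, unix_time // step, digits)

def hash_password(password: str, salt: bytes) -> bytes:
    """Server-side storage of the first factor: salted PBKDF2, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_login(store, username, password, code, totp_secret, unix_time, window=1):
    """Both factors must pass. store maps username -> (salt, pbkdf2 hash);
    totp_secret is the secret enrolled on that user's phone.
    window allows one step of clock drift either side; compare_digest keeps
    the comparisons constant-time so timing does not reveal which factor failed."""
    salt, expected = store.get(username, (b"", b""))
    pw_ok = bool(expected) and hmac.compare_digest(expected, hash_password(password, salt))
    code_ok = False
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(totp_secret, unix_time + drift * 30), code):
            code_ok = True
    return pw_ok and code_ok   # stolen password alone, or lost phone alone, fails

# Constructed sample: the RFC 6238 test secret and one enrolled user.
SECRET = b"12345678901234567890"
STORE = {"alice": (b"constructed-salt", hash_password("correct horse battery", b"constructed-salt"))}
```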


Security Assessors

As you mature your program, you will want to expand your testing program.

A reliable third party security testing team can provide tremendous value by testing your prevention, detection, and correction capabilities.

They also have extensive experience and talent that can be hard to retain in-house.

ALWAYS set a goal for each test. Something specific and impactful.

A good third party test can simulate the worst case scenario for your NFP, without the pain and effort of a real incident.


While we are on the subject…

Signs you should look for a new security assessor:

• The “report” lists all the findings with a price for remediation

• The “report” looks strikingly similar to the one you generate yourself

• The “senior security tester” who arrives onsite just started working for the company 3 months ago, after they graduated

• The “report” lists all kinds of issues the testers found, but no recommended actions to fix the issues

• The “report” is just a collection of the outputs of various testing tools, with no commentary or modifications to make it understandable


Definitely Start These:

• Patching

• Security Awareness Training

• Backups

• Incident Response and Business Continuity Planning

• Test Your Defenses!

• Inventory Your Network


If You Have Some Budget To Spend…

• Log Management/SIEM

• Email Security

• Data Security

• Identity Management

• Multi Factor Authentication

• 3rd Party Security Assessments


You’ll notice we haven’t…

Said the word “cloud” once in this whole talk!


Cloud Services

I personally believe that most “cloud” solutions can provide great value.

The contract you make with your cloud provider is critical!

• Cloud provider security responsibilities

• Service Level Agreements

• Data Portability (what happens when you want to leave?)

Securing access to your cloud service admin console will be a big challenge that your NFP partner will need to aggressively maintain.

Oh, and that Identity Management/MFA stuff we mentioned earlier? That will be HUGE for helping your NFP partner keep this neat and tidy.


You’ll notice we haven’t…

Mentioned social media at all!

Your NFP brand can be greatly benefited by active participation on social media channels.

Safeguard access to those accounts! Change the passwords often!


Thanks for your time!

I really enjoyed getting a chance to share with everyone.

Please reach out with questions or comments. I really mean this.

Have a great day!

Ben Finke

@benfinke

[email protected] [email protected]

https://www.linkedin.com/pub/ben-finke/3/95a/8a1

blog.eiblackops.com

blog.benfinke.com