Information Security: Security Blankets are not Enough
PowerPoint presentation by Karl F. Lutzen, CISSP, S&T Information Security Officer
Slides: 51
Provided by: kfl9
Learn more at: http://web.mst.edu

Transcript and Presenter's Notes

1
Information Security: Security Blankets are not
Enough
  • Karl F. Lutzen, CISSP
  • S&T Information Security Officer

2
About Me
  • Karl F. Lutzen
  • Certified Information Systems Security
    Professional (CISSP)
  • S&T Information Security Officer
  • Instructor for CS 362
  • Office: CS 333
  • Email: kfl@mst.edu (start here!)

3
Information
  • Information is likely the only asset that can
    be stolen from you while you still have full
    possession.
  • This includes data, personal information, trade
    secrets, intellectual property, etc.

4
Information
  • Clearly we need to protect
  • The information itself
  • The systems where it lives
  • The access to it
  • And many other aspects

5
Fundamental Principles
  • Confidentiality
  • Availability
  • Integrity

6
Question
  • How much of the overall security will be
    technical solutions?

7
Our information lives here
What all do we need to do to protect it?
8
(No Transcript)
9
Physical (Environmental) Security
  • Physical security consists of physically securing
    the devices
  • Locks/cables, alarms, secure rooms, cameras,
    fences, lighting, heating, cooling, fire
    protection, etc.
  • If you defeat the physical security controls, all
    other control domains (except one) are defeated.
  • Cameras will likely not prevent a theft, only
    deter it or provide evidence later.

10
Access Control and Methodology
  • Who has access, how is it controlled, etc.
  • Authentication
  • Passphrases, two factor, multi-factor, biometrics
  • Access Controls
  • Role Based Access, Mandatory Access Controls,
    Discretionary Access Controls
  • Least Privilege and Need to Know

11
Application Development Security
  • Software Based Controls
  • Software Development Lifecycle and Principles
  • Development models: waterfall, spiral, etc.
  • Code Review

12
Telecommunications and Network Security
  • Implementing correct protocols
  • Network services
  • Firewalls
  • IDS/IPS
  • Traffic Shaping
  • Network Topology

13
Business Continuity Planning (BCP) / Disaster
Recovery Planning (DRP)
  • BCP: What controls and processes do we need to
    implement to keep our systems running?
  • Backups, off-site data storage, cross-training,
    etc.
  • DRP: What do we need to do in a crisis?
  • Response plans, recovery plans, etc.

14
Security Architecture and Models
  • Operation modes/protection mechanisms.
  • Evaluation Criteria
  • Security Models
  • Common Flaws/Issues
  • Covert channels, timing issues, maintenance hooks,
    etc.

15
Information Security Governance & Risk Management
  • Policies, Standards, Guidelines and Procedures
  • Risk Management Tools and Practices
  • Risk assessment
  • Qualitative vs. Quantitative
  • Planning and Organization

16
Operations Security
  • Administrative Management
  • Operation Controls
  • Auditing
  • Monitoring
  • Intrusion Detection (operational side)
  • Threats/Countermeasures

17
Legal, Regulations, Investigations and Compliance
  • Types of computer crimes/attacks
  • Categories of Law
  • Computer Laws
  • Incidents and incident handling
  • Investigation and Evidence

18
Cryptography
  • Concepts and Methodologies
  • Encryption algorithms
  • Asymmetric vs. symmetric
  • PKI
  • Cryptanalysis/Methods of Attacks
  • Steganography

19
PICK GOOD ALGORITHMS (AND MODES)!
Using ECB Mode
  • Original (image)
  • Non-ECB (image)
  • ECB (image)
  • ECB = Electronic Codebook. Divide the message into
    blocks; the same key encrypts each block
    separately, so identical plaintext blocks give
    identical ciphertext blocks and the picture's
    structure shows through the encryption.
    (http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation)
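Added example (not from the slide deck): the same leakage on a small constructed bitmap, plus the check a tester runs to spot ECB in a captured ciphertext. `block_encrypt` is an assumption: HMAC-SHA256 truncated to 16 bytes stands in for AES's block function so the code runs with only the standard library; the key, nonce and image are constructed for the demo. It goes one step beyond the slide by contrasting ECB with CTR mode and by adding the repeated-block detector.

```python
"""ECB leaks structure: demonstrate it on a constructed bitmap and detect it."""
import hashlib
import hmac
import string
from collections import Counter

BLOCK = 16
KEY = b"demo-key-not-for-real-use!"   # constructed key for the demo
NONCE = b"\x00" * 8                    # constructed CTR nonce (8 bytes + 8-byte counter)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """E_k(block). Assumption: a keyed PRF (HMAC-SHA256 truncated to one block)
    stands in for AES; like AES, same key + same block always gives the same output."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Electronic Codebook: each block is encrypted independently, so equal
    plaintext blocks become equal ciphertext blocks."""
    pt = pkcs7_pad(plaintext)
    return b"".join(block_encrypt(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Counter mode: E_k(nonce||counter) is a keystream XORed onto the data, so
    the block's position, not its content, determines the ciphertext block."""
    out = bytearray()
    for i in range(0, len(plaintext), BLOCK):
        keystream = block_encrypt(key, nonce + (i // BLOCK).to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], keystream))
    return bytes(out)


def make_image(width: int = 64, height: int = 8) -> bytes:
    """Constructed 1-byte-per-pixel bitmap: white (0xFF) canvas with a black
    (0x00) rectangle whose edges sit on 16-byte block boundaries."""
    rows = []
    for y in range(height):
        row = bytearray(b"\xff" * width)
        if 2 <= y <= 5:
            row[16:48] = b"\x00" * 32
        rows.append(bytes(row))
    return b"".join(rows)


IMAGE = make_image()


def distinct_blocks(data: bytes) -> int:
    return len({data[i:i + BLOCK] for i in range(0, len(data), BLOCK)})


def looks_like_ecb(ciphertext: bytes) -> bool:
    """Classic ECB detector: any repeated 16-byte block is a red flag, because
    under a sound mode a repeat is about as likely as a random 128-bit collision."""
    counts = Counter(ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK))
    return any(c > 1 for c in counts.values())


def sketch(ciphertext: bytes, blocks_per_row: int = 4) -> str:
    """Give each distinct ciphertext block a letter in order of first appearance
    and lay the letters out row by row. Under ECB the rectangle reappears
    (same plaintext block -> same letter); under CTR every block gets a new letter."""
    symbols, chars = {}, []
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        chars.append(symbols.setdefault(blk, string.ascii_letters[len(symbols) % 52]))
    return "\n".join("".join(chars[r:r + blocks_per_row])
                     for r in range(0, len(chars), blocks_per_row))


if __name__ == "__main__":
    ecb = ecb_encrypt(KEY, IMAGE)
    ctr = ctr_encrypt(KEY, NONCE, IMAGE)
    print("plaintext distinct blocks:", distinct_blocks(IMAGE))
    print("ECB distinct blocks:", distinct_blocks(ecb), "looks like ECB:", looks_like_ecb(ecb))
    print("CTR distinct blocks:", distinct_blocks(ctr), "looks like ECB:", looks_like_ecb(ctr))
    print("--- ECB ---\n" + sketch(ecb) + "\n--- CTR ---\n" + sketch(ctr))
```

The padding block is the third distinct ECB block; the CTR ciphertext has no repeats at all, which is why `looks_like_ecb` is a cheap first check against any ciphertext whose mode is unknown.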
20
Threats to Security
  • Viruses and Worms
  • Other Malware and Trojans
  • Social Engineering/Phishing
  • Intruders
  • Insiders
  • Criminal Organizations
  • Terrorists and Information Warfare
  • Insecure Applications

21
Viruses, Worms, Malware, Trojans
  • Lack of policies/training/procedures
  • Employees can bring in problems!
  • Mitigation techniques
  • Anti Virus
  • Firewalls
  • TRAINING

22
Social Engineering
  • Multiple methods
  • Phone calls
  • Dumpster Diving
  • Phishing
  • Mitigation techniques
  • Policies/Procedures
  • Training

23
Intruders
  • Def: deliberately accessing systems or networks
    to which one is not authorized
  • Types
  • Unstructured threat: not after a specific target
  • Opportunity
  • Script kiddies
  • Structured threat: a specific target is in mind
  • Elite hackers

24
Insiders
  • Most dangerous! Accounts for 70-75% of all
    security events
  • Insiders have access to the keys to the kingdom
  • Human errors account for many security events
  • Mitigation
  • Policies, procedures, training, monitoring, etc.

25
Criminal Organizations
  • With so many business functions now relying on
    the Internet, crime was sure to follow it.
  • Attacks
  • Fraud, extortion, theft, embezzlement and forgery
  • Well funded, hire elite hackers, willing to spend
    years if necessary
  • Type: structured attack

26
Two Types of Electronic Crime
  • Crimes in which the computer was the target of
    the attack
  • Incidents in which the computer was a means of
    perpetrating a criminal act.

27
Threats to Security
  • The biggest change that has occurred in security
    over the last 30 years has been the change in the
    computing environment
  • From central mainframes to
  • decentralized, smaller, yet interconnected,
    systems
  • Although we seem to be shifting back towards
    central data centers for core operations.

28
Avenues of Attack
  • Types
  • Specific target of an attacker
  • Target of opportunity

29
Steps in an Attack
  • Reconnaissance
  • Gather easily available data
  • Publicly available information from the web
  • Newspapers
  • Financial reports (if publicly traded they are
    available)
  • Google as an attack tool?

30
Reconnaissance (cont.)
  • Probing
  • Ping sweeps: find hosts
  • Port sweeps: find open ports, then test them for
    holes
  • Determine OS (can be done quite accurately!)
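Added example (not part of the presentation): the port-sweep step as a TCP connect scan with banner grabbing, run against a throwaway listener the script starts on localhost so that nothing real is probed. The listener, its port and the fake SSH banner are constructed for the demo; ICMP ping sweeps and OS fingerprinting are not shown.

```python
"""TCP port sweep with banner grab, run against a listener we start ourselves."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed target for the demo (assumption: nothing real is scanned). The
# banner imitates what an SSH daemon sends on connect; the version is made up.
FAKE_BANNER = b"SSH-2.0-OpenSSH_5.3\r\n"


def start_test_listener(banner: bytes = FAKE_BANNER):
    """Listen on an ephemeral localhost port and greet every client with
    `banner`. Returns (server_socket, port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # server socket closed -> stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def probe(host: str, port: int, timeout: float = 0.5) -> dict:
    """Full TCP connect probe. Open ports complete the handshake, closed ones
    refuse, filtered ones time out. Then read whatever the service volunteers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256)
            except socket.timeout:
                banner = b""
            return {"port": port, "open": True,
                    "banner": banner.strip().decode("ascii", "replace")}
    except (ConnectionRefusedError, socket.timeout, OSError):
        return {"port": port, "open": False, "banner": ""}


def port_sweep(host: str, ports, workers: int = 32) -> list:
    """Probe many ports concurrently and keep only the open ones."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return [r for r in pool.map(lambda p: probe(host, p), ports) if r["open"]]


def guess_service(banner: str) -> str:
    """Crude service fingerprint from the banner text; nmap's -sV does the same
    with a far larger signature database."""
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("220 "):
        return "ftp/smtp"
    if banner.startswith("HTTP/"):
        return "http"
    return "unknown"


if __name__ == "__main__":
    srv, port = start_test_listener()
    try:
        for hit in port_sweep("127.0.0.1", range(port - 2, port + 3)):
            print(f"{hit['port']}/tcp open  {guess_service(hit['banner'])}  {hit['banner']!r}")
    finally:
        srv.close()
```

A connect scan is the noisy option: every probe completes the handshake and shows up in the target's logs, which is exactly the kind of signal the IDS on slide 12 is meant to catch.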

31
Steps in an attack
  • Attempt to exploit vulnerabilities
  • Attempt to gain access through userid/passwords
  • Brute force
  • Social engineering
  • And of course there is simply the physical theft
    of the system, backup tapes, etc.!

32
Minimizing Attack Avenues
  • Patch against vulnerabilities
  • Use of DMZ (system isolation)
  • Firewalls
  • Intrusion detection/prevention systems
  • Minimize open ports/systems directly accessible
    to the Internet
  • Good physical security
  • Good training to negate social engineering attacks

33
RSA Attack
  • March 2011: RSA had a data breach
  • Attackers stole information which affected some 40
    million two-factor authentication tokens
  • The devices are used in private industry and
    government agencies
  • Each token produces a 6-digit number every 60
    seconds.

34
RSA Attack Analysis
  • An Advanced Persistent Threat (APT)
  • A structured (advanced),
  • targeted attack (persistent),
  • intent on gaining information (threat)

35
RSA Background
  • RSA is a security company that employs a great
    number of security devices to prevent such a data
    breach
  • The methods used bypassed many of the controls that
    would otherwise have prevented a direct attack

36
Attacker Initial Steps
  • Attackers acquired valid email addresses of a
    small group of employees.
  • Had the attackers spammed all possible
    addresses, it would have given them away, and
    prevention/detection by RSA would have been much
    easier.

37
Phishing Emails
  • Two different phishing emails sent over a two-day
    period.
  • Sent to two small groups of employees, not
    particularly high-profile or high-value targets.
  • Subject line read "2011 Recruitment Plan"
  • Spam filtering DID catch it, but put it in the Junk
    folder

38
Employee Mistake
  • One employee retrieved the email from the Junk
    mail folder
  • Email contained an Excel spreadsheet entitled
    "2011 Recruitment Plan.xls"
  • The spreadsheet carried a zero-day exploit for
    Adobe Flash (since patched).
  • Installed a backdoor program to allow access.

39
Remote Administration Tool (RAT)
  • Attackers chose to use the Poison Ivy RAT.
  • Very tiny footprint
  • Gives attacker complete control over the system
  • Set in reverse-connect mode: the compromised system
    reaches out to the attacker to get commands. A
    fairly standard method of getting through
    firewalls/IPS, since outbound connections are
    rarely blocked.

40
Digital Shoulder-Surfing
  • Next the attackers just sat back and digitally
    listened to what was going on with the system
  • The initial system/user didn't have adequate
    access for their needs, so they needed to step
    to another system to go further.

41
Harvesting
  • Initial platform wasn't adequate, so the attackers
    harvested credentials (user, domain admin,
    service accounts)
  • Next, performed privilege escalation on non-admin
    users on other targeted systems. Goal: gain
    access to high-value systems/targets.

42
The Race
  • During the stepping from system to system,
    security controls detected an attack in progress.
    The race was now on.
  • Attacker had to move very quickly during this
    phase of finding a valuable target.

43
Data Gathering
  • Attacker established access at staging servers at
    key aggregation points to retrieve data.
  • As they visited servers of interest, data was
    copied to the staging servers.
  • Staging servers aggregated, compressed, encrypted
    and then FTP'd the data out.

44
Receiving Host
  • Target receiving the data was a compromised host at
    an external hosting provider.
  • Attacker then removed the files from the external
    compromised host to remove traces of the attack.
  • This also hid the attacker's true
    identity/location.
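Added example (not the presenter's code) that covers the reverse-connect RAT on slide 39 and the staged FTP exfiltration on slides 43-44 from the defender's side: detection logic run over a constructed connection log. The log lines, the 10.0.0.0/8 "internal" assumption and the thresholds are all made up for the demo; the external addresses are documentation ranges.

```python
"""Hunting a reverse-connect RAT and bulk exfiltration in connection logs."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: the internal network is 10.0.0.0/8; everything else is external.
INTERNAL = ip_network("10.0.0.0/8")

# Constructed firewall/netflow-style export, not real data. Columns:
# timestamp  src  dst  dport  proto  bytes_out.  The 203.0.113.x and
# 198.51.100.x addresses are documentation ranges standing in for the Internet.
SAMPLE_LOG = """\
2011-03-01T09:00:00 10.1.5.23 203.0.113.7 443 tcp 812
2011-03-01T09:00:12 10.1.5.23 198.51.100.40 80 tcp 5120
2011-03-01T09:01:01 10.1.5.23 203.0.113.7 443 tcp 790
2011-03-01T09:01:45 10.1.5.23 10.1.1.10 445 tcp 2048
2011-03-01T09:02:00 10.1.5.23 203.0.113.7 443 tcp 802
2011-03-01T09:02:59 10.1.5.23 203.0.113.7 443 tcp 811
2011-03-01T09:03:30 10.1.5.23 198.51.100.41 80 tcp 40960
2011-03-01T09:04:01 10.1.5.23 203.0.113.7 443 tcp 799
2011-03-01T09:05:00 10.1.5.23 203.0.113.7 443 tcp 805
2011-03-01T09:10:00 10.1.20.5 198.51.100.9 21 tcp 734003200
2011-03-01T09:11:00 10.1.20.5 10.1.1.10 445 tcp 10240
"""


def parse(log: str) -> list:
    events = []
    for line in log.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return events


def outbound(events: list) -> list:
    """Flows that leave the internal network."""
    return [e for e in events
            if ip_address(e["src"]) in INTERNAL and ip_address(e["dst"]) not in INTERNAL]


def find_beacons(events: list, min_hits: int = 5, max_jitter: float = 0.10) -> list:
    """A reverse-connect implant checks in on a schedule. Group outbound flows
    by (src, dst, dport) and flag groups whose inter-connection gaps are nearly
    constant (coefficient of variation <= max_jitter).
    Returns (src, dst, dport, period_seconds) per candidate."""
    by_key = defaultdict(list)
    for e in outbound(events):
        by_key[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    hits = []
    for key, times in by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            hits.append((*key, round(period)))
    return hits


def find_bulk_egress(events: list, min_bytes: int = 100 * 2**20, ports=None) -> list:
    """Large outbound transfers. ports=None means any port: the RSA attackers
    happened to use FTP, but the volume, not the protocol, is the durable signal."""
    return [(e["src"], e["dst"], e["dport"], e["bytes"]) for e in outbound(events)
            if e["bytes"] >= min_bytes and (ports is None or e["dport"] in ports)]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for src, dst, port, period in find_beacons(ev):
        print(f"beacon? {src} -> {dst}:{port} every ~{period}s")
    for src, dst, port, nbytes in find_bulk_egress(ev):
        print(f"bulk egress: {src} -> {dst}:{port} {nbytes / 2**20:.0f} MiB")
```

The beacon check keys on regularity rather than on a port or a known bad address, which is why it still fires when the implant hides on 443; real implants add jitter, so `max_jitter` and `min_hits` are the knobs to tune against your own baseline.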

45
(No Transcript)
46
Lessons Learned
  • Weakest link: a human
  • Layered security: not adequate to prevent this
    attack
  • Upside: able to implement new security controls
    that up to this point were considered too
    restrictive.

47
Karl's Changes
  • What follows would be the changes I'd make at
    RSA.
  • Note, they are a commercial company and do not
    have the open requirements higher education has.
    Two different beasts.
  • If I were to implement these, very likely I'd be
    doing a different job

48
Changes
  • Traffic shaping both ways. (Firewall port
    blocking isn't enough)
  • Block all but specific protocols
  • IDS/IPS on all those protocols
  • Aggressive use of DMZ: isolate systems
  • Isolate workstations from one another
  • Clean Access solutions on all systems

49
Biggest Change
  • Mandatory Monthly Security Awareness training for
    everyone.
  • (breaking it into monthly modules makes it
    tolerable)
  • Needs to be interesting/fun, Door prizes, etc.

50
RSA Attack Credits
  • http://www.satorys.com/rsa-attack-analysis-lessons-learned/