NETW 05A: APPLIED WIRELESS SECURITY
Functional Policy: Monitoring & Response
By Mohammad Shanehsaz
Spring 2005
This work is supported by the
National Science Foundation under
Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Objectives
Security management:
- Explain the necessary criteria for regular wireless LAN security reporting and documentation
- Implement and conduct timely and consistent reporting procedures
- Implement and maintain a wireless LAN security checklist
Objectives
Explain how to identify and prevent social engineering:
- Educate staff and security personnel
- Implement and enforce corporate policy regarding social engineering
- Run security marketing and propaganda campaigns to heighten awareness
This lecture covers
- Physical Security
- Social Engineering
- Reporting
- Response Procedures
Physical Security
Physical security begins with allowing only authorized personnel into and out of the organization's premises. Implementing security measures and educating staff about the risks helps prevent:
- placement of rogue access points and ad hoc networks on the wired network, and
- data flooding.
RF jamming is more difficult to prevent, detect, or block, but it can be mitigated by putting up high fences that block RF transmissions around the facility, or by using mesh substances in the walls.
Physical Security
The security policy must include documentation on physical security, covering:
- procedures for authorizing visitors or technicians who show up to repair and upgrade systems,
- how rogues will be found,
- how often the area will be scanned, and
- what to do when rogues are found.
Social Engineering
By training employees and help desk staff we can raise their awareness so that they recognize and prevent social engineering.
Social engineering attacks come in many forms, such as:
- Dumpster diving: searching through the trash
- Phone calls: attackers try to locate willing and helpful people from whom to obtain information such as usernames and passwords
- Email and IM (instant messaging): a social engineer gathers a phone directory and information on the standard naming conventions for IM, and then masquerades as a legitimate employee
Social Engineering Prevention
Some of the procedures that support and administrative personnel should adhere to are:
- Positively identify the person who is calling or requesting help
- Use established, secure channels for passing security information
- Report suspicious activity or phone calls
- Establish procedures that eliminate password exchanges
- Shred company documents before throwing them in the trash
Social Engineering Prevention
A well-educated employee is the best defense against social engineering attempts. Employees must become familiar with what types of attacks may occur, what to look for, and how to respond to an incident.
An organization's security policy should dictate proper response procedures for social engineering threats.
Social Engineering Audits
To reduce the threat of social engineering, have defenses tested for weaknesses by penetration tests, including social engineering attacks against organizational staff, performed by security professionals.
Reporting
Reports that are generated as part of security monitoring procedures can provide valuable information on how the network is being utilized as well as where attacks are occurring.
A proper reporting policy will include information on who is accountable for generating the reports and who is responsible for reading the reports in a timely manner.
Training should also be required for the reviewers.
System logs and IDS logs can be used to detect anomalies and attacks on a network.
Traffic baselining of data flow establishes which users or devices are utilizing the most WLAN bandwidth.
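The following is an added example, not part of the lecture slides, showing what the reporting slide describes in working code: a small log reviewer that builds a per-client traffic baseline from WLAN controller log lines, flags the clients that stand out, and checks every access point observed in a scan against an authorized inventory, which is one way the "how rogues will be found" item from the physical security policy slide can be written down. The log format, the MAC addresses, SSIDs, byte counts and the two-standard-deviation threshold are all constructed for this example and do not come from any real controller.

```python
"""
Added example (not from the lecture slides): turn constructed WLAN controller
log lines into a monitoring report with a traffic baseline, bandwidth anomaly
flags, a rogue access point check, and the accountability fields a reporting
policy calls for. The log format and all values are constructed/assumed.
"""
import re
import statistics
from collections import defaultdict

# Constructed sample lines in a syslog-like layout (assumed format, not any
# real controller's). TRAFFIC lines carry a byte count per client; SCAN lines
# carry access points observed during a scheduled scan of the area.
SAMPLE_LOGS = """\
Mar 14 09:02:10 wlc1 TRAFFIC client=00:11:22:33:44:01 bytes=120000
Mar 14 09:02:10 wlc1 TRAFFIC client=00:11:22:33:44:02 bytes=95000
Mar 14 09:02:10 wlc1 TRAFFIC client=00:11:22:33:44:03 bytes=110000
Mar 14 09:02:10 wlc1 TRAFFIC client=00:11:22:33:44:04 bytes=9800000
Mar 14 09:02:40 wlc1 TRAFFIC client=00:11:22:33:44:01 bytes=30000
Mar 14 09:03:00 wlc1 SCAN bssid=AA:BB:CC:00:00:01 ssid=CORP channel=6 rssi=-40
Mar 14 09:03:00 wlc1 SCAN bssid=AA:BB:CC:00:00:02 ssid=CORP channel=1 rssi=-48
Mar 14 09:03:00 wlc1 SCAN bssid=DE:AD:BE:EF:00:01 ssid=CORP channel=11 rssi=-55
Mar 14 09:03:00 wlc1 SCAN bssid=DE:AD:BE:EF:00:02 ssid=Guest-Cafe channel=3 rssi=-82
"""

# Constructed inventory of the organization's own access points and SSIDs.
AUTHORIZED_BSSIDS = {"AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"}
CORPORATE_SSIDS = {"CORP"}

TRAFFIC_RE = re.compile(r"TRAFFIC client=(?P<client>[0-9A-Fa-f:]{17}) bytes=(?P<bytes>\d+)")
SCAN_RE = re.compile(r"SCAN bssid=(?P<bssid>[0-9A-Fa-f:]{17}) ssid=(?P<ssid>\S+) channel=(?P<ch>\d+)")


def bytes_per_client(log_text):
    """Sum the bytes reported for each client MAC: the raw material of a traffic baseline."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = TRAFFIC_RE.search(line)
        if m:
            totals[m["client"].upper()] += int(m["bytes"])
    return dict(totals)


def bandwidth_anomalies(totals, k=2.0):
    """Return clients whose total exceeds mean + k * stdev of all the other clients.

    The baseline is computed leaving the candidate out, so one heavy client
    cannot inflate the baseline it is being compared against.
    """
    flagged = []
    for client, total in totals.items():
        others = [v for c, v in totals.items() if c != client]
        if len(others) < 2:
            continue  # not enough peers to form a baseline
        threshold = statistics.mean(others) + k * statistics.pstdev(others)
        if total > threshold:
            flagged.append(client)
    return sorted(flagged)


def rogue_access_points(log_text, authorized=AUTHORIZED_BSSIDS, corp_ssids=CORPORATE_SSIDS):
    """Return every scanned BSSID that is not in the authorized inventory.

    An unknown BSSID advertising one of the corporate SSIDs is marked high
    priority, since staff devices may join it believing it is the real network.
    """
    found = {}
    for line in log_text.splitlines():
        m = SCAN_RE.search(line)
        if not m:
            continue
        bssid = m["bssid"].upper()
        if bssid in authorized:
            continue
        found[bssid] = {
            "ssid": m["ssid"],
            "channel": int(m["ch"]),
            "priority": "high" if m["ssid"] in corp_ssids else "review",
        }
    return found


def build_report(log_text, generated_by, reviewer):
    """Assemble the report with the accountability fields the reporting policy calls for."""
    totals = bytes_per_client(log_text)
    return {
        "generated_by": generated_by,
        "review_by": reviewer,
        "top_talkers": sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:3],
        "bandwidth_anomalies": bandwidth_anomalies(totals),
        "rogue_access_points": rogue_access_points(log_text),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(SAMPLE_LOGS, "wlan-monitor", "security-ops"), indent=2))
```

On the constructed input, the report names client 00:11:22:33:44:04 as the only bandwidth anomaly and lists the two DE:AD:BE:EF BSSIDs as unauthorized, with the one advertising the CORP SSID marked high priority. The `generated_by` and `review_by` fields are there because the slide makes accountability for producing and reading the report part of the policy, not an afterthought; in practice they would name the role or on-call rotation, and the scan interval that feeds the SCAN lines would be the one the physical security policy fixes.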
Response Procedures
Response procedures endeavor to detect and properly react to intrusions.
A security policy should define the steps to take after an intrusion has been recognized, to prevent the attack from occurring again.
Recommended steps for response procedures
Positive identification
- Administrators must be properly trained to distinguish between an attack and false positives
Confirmed attack
- After an attack has taken place, damage must be assessed and confirmed, and appropriate managers should be notified
Recommended steps for response procedures
Immediate action
- If an attack has taken place, follow the documented security policy to implement the appropriate procedures for each type of attack scenario
Documentation
- Document all attack findings in a standard form generated by the organization and add them to the security policy
Reporting
- Notify the appropriate authorities: corporate legal counsel, police, and even IT forensics experts
Resources
CWSP Certified Wireless Security Professional, from McGraw-Hill