Information Security Fundamentals
David Veksler

Who is this talk for?
• Non-IT experts
• Those working with confidential information
• Especially in parts of the world with high information security risks

Why should I care about security?
• Can’t I just hire someone and/or install software to protect myself?

Why should I care about security?
• In most organizations, any IT administrator can read and alter any other employee’s email without any knowledge or record of it.
• Mr Smith was an executive building a new manufacturing plant in China. The support technicians in his IT department have access to the corporate mail server. One of them was hired by a competitor. Before he left, he logged on to the mail server and downloaded the entire mail archive for Mr Smith, including the design plans for the new assembly line. The company did not discover the leak until the competitor built its own production line and released a competing product on the market.

Why should I care about security?
• A tiny device with a built-in cellular modem can act as a Trojan horse to open your network to outsiders.
• Widget Corp produces software for sale worldwide. An agent for their competitors walked into one of their offices and installed a plugbot (theplugbot.com). The plugbot was able to sniff a domain password and send it over the built-in cellular modem. From there, the attacker established remote access to the corporate data server. A few months later, Widget Corp suddenly had a new competitor in the market.

Why should I care about security?
• "It has become the Wild West on that other side of the globe. There is little or no respect for Intellectual Property. Copyrights and patents are ignored. Accounting issues have recently also come into question for many Chinese companies that have bought U.S. shell corporations to simplify the process of going public in the West. Rough and tumble attitudes must be expected.
Any American company doing business in China must anticipate the worst even as it hopes for the best in expanded marketing opportunities."
http://www.forbes.com/sites/joanlappin/2011/09/21/americansuperconductor-destroyed-for-a-tiny-bribe/

Why should I care about security?
• "In terms of outright theft of intellectual property, there is growing evidence that China’s intelligence agencies are involved, as attacks spread from hits on large technology companies to the hacking of startups and even law firms. “The government can basically put their hands in and take whatever they want,” says Michael Wessel, who sits on the U.S.-China Economic and Security Review Commission that reports to Congress. “We need to take more actions and protect our intellectual property.”"
Inside the Chinese Boom in Corporate Espionage (http://www.businessweek.com/articles/2012-03-14/inside-thechinese-boom-in-corporate-espionage)

Why should I care about security?
• “There have been a large number of corporate spying cases involving China recently… as the toll adds up, political leaders and intelligence officials in the U.S. and Europe are coming to a disturbing conclusion. “It’s the greatest transfer of wealth in history,” General Keith Alexander, director of the National Security Agency, said at a security conference at New York’s Fordham University in January.”

Contents
• Part 1: Secure web browsing
• Part 2: Secure networks
• Part 3: Secure email and IM
• Part 4: Securing operating systems & mobile devices
• Part 5: Securing organizations
• Conclusion: limitations of security measures

Choosing a web browser
• Why web browsers matter
• Internet Explorer: upgrade to 9+ or switch to:
• Chrome: recommended for personal use
• Get HTTPS Everywhere & AdBlock
• Firefox as a multi-tool

Plugging privacy leaks
• Keep your browser up to date
• Disable unused plugins
• AdBlock: it’s not just for blocking ads
• Block third-party cookies
• Using Private Mode
• Cleaning your tracks with CCleaner

Securing your surfing
• HTTPS Everywhere
• OpenDNS/Google DNS
• DNSCrypt
• VPN (details later)

Advanced: monitoring web traffic
• Outgoing firewalls: ZoneAlarm (Windows), Little Snitch (OS X)
• Monitoring network traffic with Wireshark

Part 2: Secure Networks: Virtual Private Networks

VPN options
• PPTP: simple, supported by mobile devices, only safe for personal use
• L2TP: best for corporations: supports digital certificates
• OpenVPN: free, open-source

Alternative VPN Solutions
• LogMeIn Hamachi: simple ad-hoc and hub-and-spoke VPN
• SSH Tunneling

Browser helpers for VPNs
• Proxy Switchy (Chrome)
• FoxyProxy (Firefox)
• Proxy Scripting – works with Proxy Switchy when configured in Chrome (IE)

Advanced: Running your own proxy
• Why run a proxy locally?
• Optimize, secure, accelerate traffic
• Control access to outside network
• Privoxy (recommended)
• GlimmerBlocker (OS X)
• Squid (Unix)
• Polipo (Unix, Windows, OS X)

Part 3: Secure Email and IM: Encryption Tools
• Symmetric encryption
• Asymmetric encryption

Secure Email
• Corporate E-mail: Digital Certificates & Signing
• Get a free cert at http://startssl.com/
• PGP: PGP Desktop, GnuPG

Secure Instant Messaging
• Corporate Instant Messaging: Microsoft: Skype, Lync, Office Communications Server
• Personal Instant Messaging: Off-The-Record plugin for: Pidgin (Windows), Adium (OS X)

Part 4: Securing Operating Systems: OS Hardening

Basic OS Hardening
• Secure your login mechanism
  • Password protect access to your desktop
  • Admin privileges & user-level accounts: run as a user-level account; require password to log in
• Disable file sharing on the network
• Enable automatic updates
• Disable unused user accounts

Anti-Virus Options
• Do you need Anti-Virus software?
• Anti-Virus for Individuals
• Windows Defender
• Avast
• Many free options
• F-Secure, Trend Micro OfficeScan
Tip: Don't use Norton or McAfee!

Anti-Malware Options
• Do you need Anti-Malware software?
• Recommended Anti-Malware:
  • Microsoft’s Windows Defender
  • Spybot S&D (Free)
  • Malwarebytes (Free/Pro)

Whole disk encryption
• What is it? Do you need it?
• TrueCrypt (multiplatform)
• BitLocker (Windows)
• FileVault (Apple)
• PGP Whole Disk Encryption
• Symantec Endpoint Encryption

Advanced: Tips from the Pros
• OS Hardening guides from the NSA
  • Windows:
  • OS X
• Security tips from the NSA for all OS’s

Advanced: OS Isolation
• Portable (Live) OS
• Portable apps
• Virtual Machines
• Only an “air gap” is safe for mission critical data!

OS Specific Considerations
• OpenBSD: when security is mission-critical
• Linux
• Windows Server 2008
• Windows XP
• Windows 7
• OS X

Securing your smartphone
• Notes on locking:
  • Only protects against casual theft
• Cloud storage risks
• Remote wipes

Part 5: Secure Organizations: physical security, social engineering, and other considerations

Physical security
• Human factors
• Physical security
• International travel
• Asset management & theft prevention

Social Engineering
• Inside threats
• Social engineering
• “Need to access” policies

Advanced: Threat discovery
• Process Explorer
• Rootkit detectors:
  • Microsoft: Rootkit Revealer
  • Avast: GMER
  • RootkitHunter

Conclusion: Limitations of Information Security
• Limitations of software measures
• Limitations of hardware measures
• Cost vs. benefit of security measures

The End
Technologies mentioned in this presentation have links to more information – get a copy of the PowerPoint from me (david.veksler@ef.com).