Information Security Awareness, Safety, and Protecting Information

Jay James R. Arroyo, CEH, CCNSP
Network and Security Administrator
Information and Communication Technology Division
Security Awareness
Security awareness is the knowledge of potential threats
and the ability to anticipate what types of security issues
and incidents officers, staff, and job-order personnel may face in
their day-to-day functions. Technology alone cannot
provide adequate information security. Awareness and
personal responsibility are critical to the success of any
information security program.
Why Security?
 Liability
 Privacy concerns
 Copyright violations
 Identity theft
 Resource violations
 Reputation protection
 Meeting expectations
 Laws & regulations
Information Security Involves
three elements
Confidentiality: Ensuring information is disclosed to,
and reviewed exclusively by, intended recipients /
authorized individuals.
Threats include phishing, malware and unpatched systems (both
operating systems and applications).
Integrity: Ensuring the accuracy and completeness
of information and processing methods.
Controls include business process improvement and verification
processes (input validation, checksums, audit trails).
Availability: Ensuring that information and
associated assets are accessible, whenever
necessary, by authorized individuals.
Supported by disaster recovery / business continuity planning.
Security in General
Security:
 The quality or state of being secure
 Freedom from danger
 Freedom from fear, anxiety or care
 Freedom from uncertainty or doubt
Safety:
 The condition of being safe
 Freedom from exposure to danger
 Exemption from hurt, injury or loss
 Knowledge of or skill in methods of avoiding accident or
disease
Why is information security
important today?
 High degree of networking
 Sensitive information stored on computers
 Hacking is a sport for students and enthusiasts
 Cracking is business for criminals!
 Theft of credit card data or identity theft can lead to
uncontrollable damage and nuisances of all kinds, and to loss of
privacy
The Internet is a very special
place…
 Distance is irrelevant
 Networked systems are prime targets
 The knowledge to act as a computer criminal can be
acquired by anyone
 If there are no log files there are no traces of any
wrong-doing
 Any crime or event can remain undetected for months
 Cybercrime is hard to follow up on
 International police cooperation is not easy
 If cybercrime is not a crime in a country, there
are no crimes to prosecute
 Any security measure can very easily lead to an
abrogation of essential freedoms
Understanding Threats
 What is valuable?
 What is vulnerable?
 What can we do to safeguard assets and mitigate threats?
 What can we do to prepare ourselves?
 Most people believe they will win the lottery before getting hit by
malicious code
Internet Users
http://www.internetlivestats.com/internet-users/philippines/
Attack Trends
• Increasing sophistication
• Decreasing costs
• Increasing attack frequency
• Difficulties in patching systems
• Increasing network connections,
dependencies, and trust relationships
Threats
• A threat is any potential danger to information and
systems
• 3 levels of cyber threats
• Unstructured
• Structured
• Highly structured
Unstructured Threats
• Individual/small group with little or no organization or
funding
• Easily detectable information gathering
• Exploitations based upon documented flaws
• Targets of opportunity
• Gain control of machines
• Motivated by bragging rights, thrills, access to resources
Structured Threats
• Well organized, planned and funded
• Specific targets and extensive information gathering to
choose avenue and means of attack
• Goal: the data stored on machines, or the machines themselves
• Exploitation may rely on insider help or on unknown flaws
• Target drives attack
• Organized crime/black hat hackers
Highly Structured Threats
• Extensive organization, funding and planning over an
extended time, with goal of having an effect beyond the
data or machine being attacked
• Stealthy information gathering
• Multiple attacks exploiting unknown flaws or insider help
• Coordinated efforts from multiple groups
• “Cyber warfare”
Risk Handling Discussion
• Risk reduction (countermeasures, HVA)
• Risk transference (insurance)
• Risk acceptance (may happen)
• Risk rejection (do nothing)
Security assessments are an important part
of risk management
• Penetration testing and vulnerability assessment
• Identify vulnerabilities in, and threats to,
information, systems and networks
Contingency Planning Components
• How to handle disruption?
• Business continuity
• Disaster recovery
• Incident response
Recovery Strategy
• A recovery strategy provides direction
to restore IT operations quickly and
effectively
• Backup methods
• Alternate sites
• Equipment replacement
• Roles and responsibilities
• Cost considerations
Business Continuity Plan
• A comprehensive written plan to maintain or resume
business operations in the event of a disruption
• Continue critical business operations
• A disruption jeopardizes normal operations
• Covers the most critical operations first
• May require alternate sites (hot, warm, cold)
• What do we need to KEEP going?
Disaster Recovery Plan
• A comprehensive written plan to return business operations
to the pre-disruption state following a disruption
• Restore IT functions (prepare and restore)
• A disaster jeopardizes normal operations
• Includes all operations
• RETURN TO NORMAL BUSINESS OPERATIONS
• WHAT DO WE NEED TO DO IN CASE OF A DISASTER?
Plan Testing, Training and Exercising
• Testing is critical to ensure a viable contingency capability
• Conduct plan exercises
• Tabletop exercises (TTXs) are useful
Policies and Procedures
• Establish security culture
• Establish best security practices
• Define goals and structure of the security program
• Educate personnel
• Maintain compliance with any regulations
• Examples: email policy, Internet usage, physical security
Physical Security Countermeasures
• Property protection (doors, locks, lighting)
• Structural hardening (construction)
• Physical access control (authorized users only)
• Intrusion detection (guards, monitoring)
• Physical security procedures (escort visitors, keep logs)
• Contingency plans (generators, off-site storage)
• Physical security awareness training (recognizing suspicious
activities)
Personnel Security
• Practices established to
ensure the safety and
security of personnel and
other organizational assets
• It's ALL about people
• People are the weakest link
• Reduce vulnerability to
personnel-based threats
Personnel Security Threat Categories
• Insider threats: the most common, and difficult to recognize
• Includes sabotage and unauthorized disclosure of
information
• Social engineering: multiple techniques are used to gain
information from authorized employees and to use that
information in conjunction with an attack
• Lack of awareness of the value of information
Social Engineering
Social engineering is the human side of breaking into a corporate
network. Social engineering involves gaining sensitive information or
unauthorized access privileges by building inappropriate trust
relationships with insiders.
Social engineers manipulate people into speaking/acting contrary to
their normal manner. The goal of a social engineer is to fool someone
into providing valuable information or access to that information. In
most cases the attacker never comes face-to-face with the victim, yet
very often still gets the information or the access needed to commit
fraud.
Pretexting is when a social engineer develops a storyline that
he or she is able to portray to the target. It provides the
justification for the questions being asked.
Impersonation is posing as an employee (or another trusted party).
It is a technique used by social engineers to deceive people.
Protect from Phishing and
Email scams
Who is the email from? Look at the "From:" field. Is the sender's
name or email address familiar to you? Does it use a webmail
account like Hotmail or Gmail when it claims to be from your bank?
Is there a URL in the email? Where is the hyperlink going? To
see where the hyperlink is actually going, hover over it with your
mouse (don't click it). The true URL will be displayed at the bottom
of the window, in the status bar. When in doubt, don't click on it! As a
best practice, never click on links in emails, texts, or social network
sites. Instead, type the site address into the browser yourself
(e.g. www.picpa.com.ph) to ensure that the browser goes to the
expected site.
Is there a threat of immediate detrimental action if you don't
respond with personal information? A message demanding an
immediate response deserves a good dose of skepticism.
Does the email refer to a current news event? Major news events
such as large-scale catastrophes or the death of celebrities are
quickly followed by a wave of phishing messages touting the same
news events in their subject lines or email body. Phishers are hoping
that overeager users will let their guard down and click on the
proffered URL links in their haste for more information.
Does the tone of the email from friends or colleagues sound right?
Filter the messages based on what you know of the purported
sender(s) and how they typically write.
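The three mechanical checks above (sender domain versus the claimed institution, visible link text versus the real href, and urgency language) can be automated for mail-gateway triage. The script below is an added example, not part of the original slides or any product; both sample messages are constructed, the webmail and urgency word lists are illustrative, and the "registered domain" rule is a simplification of what a Public Suffix List lookup would do.

```python
"""Heuristic phishing triage for one e-mail (added example; sample data constructed)."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions: consumer webmail providers a bank would not send from, and
# phrases that signal "respond now or else". Extend both for real use.
WEBMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended")
GENERIC_SECOND_LEVEL = {"com", "co", "gov", "org", "net", "edu"}  # example.com.ph

# Constructed sample: display name claims a bank but the address is webmail,
# the link text shows one site while the href goes elsewhere, and the subject
# demands immediate action. All domains are RFC 2606 example domains.
PHISH_EMAIL = b"""\
From: "Example Bank Security" <examplebank.alerts@gmail.com>
To: staff@example.org
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer, verify your account immediately.</p>
<p><a href="http://examplebank-verify.example.net/confirm">https://www.examplebank.com.ph/login</a></p>
</body></html>
"""

# Constructed benign message from a colleague: plain text, no links, no urgency.
BENIGN_EMAIL = b"""\
From: Jane Dela Cruz <jane@example.org>
To: staff@example.org
Subject: Tomorrow's meeting
Content-Type: text/plain; charset=utf-8

See you at the 9am meeting in the conference room.
"""


def registered_domain(host: str) -> str:
    """Last two labels, or three under a country code with a generic second
    level (simplification; a real tool consults the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in GENERIC_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class _AnchorCollector(HTMLParser):
    """Collect [href, visible text] for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._in_anchor = False

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.anchors.append([href, ""])
            self._in_anchor = True

    def handle_data(self, data):
        if self._in_anchor:
            self.anchors[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False


def link_mismatches(html_body: str):
    """The programmatic version of hovering over a link: return (text, href)
    pairs where the text looks like a URL whose domain differs from the href."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    suspicious = []
    for href, text in parser.anchors:
        text = text.strip()
        if " " in text or "." not in text:
            continue  # ordinary words as link text: nothing to compare
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and registered_domain(shown) != registered_domain(real):
            suspicious.append((text, href))
    return suspicious


def sender_claims_institution_from_webmail(msg) -> bool:
    """True when the display name claims a bank/support role but the
    address sits at a consumer webmail provider."""
    name, addr = email.utils.parseaddr(str(msg["From"] or ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    claims = re.search(r"\b(bank|security|support|helpdesk)\b", name, re.I) is not None
    return claims and domain in WEBMAIL_DOMAINS


def triage(raw: bytes) -> dict:
    """Run all checks over one raw RFC 5322 message; return findings and a score."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    haystack = (str(msg["Subject"] or "") + " " + content).lower()
    findings = {
        "sender_webmail_claiming_institution": sender_claims_institution_from_webmail(msg),
        "link_mismatches": link_mismatches(content),
        "urgency_words": [w for w in URGENCY_WORDS if w in haystack],
    }
    findings["score"] = (int(findings["sender_webmail_claiming_institution"])
                         + len(findings["link_mismatches"])
                         + min(len(findings["urgency_words"]), 2))
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, triage(raw))
```

The score is deliberately crude: it exists to route a message to a human reviewer, not to replace the "when in doubt, don't click" rule. Note that the href check only catches links whose visible text is itself a URL; a link labelled "Click here" gives nothing to compare, which is exactly why the slides tell users to hover rather than trust the label.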
What if I don't have anything of value?
People often assume they have nothing worth stealing. They think, "Why would
somebody want something from me? I don't have any money or anything
anyone would want." On the contrary, if a social engineer can assume your
identity, he or she can convince your friends to do something. Or make you pay
their bills. Or commit crimes in your name. No matter who you are, or
who you represent, you have value to a criminal.
The single most important key to avoiding phishing and email scams is to not
give sensitive information to anyone unless you can verify that they are who
they claim to be and that they have a legitimate need for access to the
information.
Dumpster Diving
• Improperly discarded memos, organizational
charts, or policy manuals can be used for
footprinting (the reconnaissance phase of gathering
information before an attack). Social engineers commonly
research a predetermined target and determine
the best opportunities for exploitation.
Dumpsters provide a huge amount of
information, including the information an attacker
needs to impersonate an employee.
How do you protect yourself and
your company?
Social engineering attacks may be inevitable in the world today for the simple
reason that humans are easy targets; nevertheless, that does not mean that
attacks are unpreventable.
The single most important key to avoiding social engineering attacks is to not
give sensitive information to anyone unless you can verify that they are who they
claim to be and that they have a legitimate need for access to the information.
Organizations and individuals can protect themselves through training and
awareness as well as security-related policies and procedures.
What is an organization’s best line of
defense?
Properly trained staff, not technology, is the best
protection against social engineering attacks. Learn how
to protect yourself and your organization against social
engineering attacks by understanding social engineering
tactics and knowing how to recognize scams. People are
the weakest link and, as a result, organizations must build
a human firewall by training their people.
Safe Social Networking
People are getting hurt today, because they're revealing too much
information online, and because they trust that other people won't
steal their identities. In today's world, this is just naïve. Users of
social networking sites may not think much about the way posted
information might enable identity theft, home burglary and social
engineering attacks and may easily get into trouble. Neither do they
consider how their behavior on social media sites might affect their
employer. Information security awareness training can help to
decrease the likelihood of serious problems whether at home or at
work.
Mobile apps - There's no guarantee that mobile apps are free of
bugs or malware. Mobile malware may obtain broad
permissions on the infected device, send SMS messages to
premium phone numbers, steal online banking credentials and
download other malicious code without the user's knowledge.
Social networking sites - Sometimes hackers go right to the
source, injecting malicious code into a social networking site,
including inside advertisements, shortened URLs, and via third-party
apps.
Users - It's imperative that users understand how to safely
navigate the Internet. At the same time, individuals and employees
need to behave responsibly, understanding that we all have lapses
in judgment, make mistakes or behave emotionally. Nobody's
perfect all of the time.
Lack of a social media policy - Organizations need to spell out
the goals and parameters of their enterprise's social media initiatives
or they're inviting problems. Employees need proper training, if only
to clear up issues regarding official social media policies, and every
social media initiative needs a coordinator, i.e. a social media
manager.
Undoubtedly, the use of social networking increases the risk of leaking sensitive
information and Personally Identifiable Information (PII). There are other risks to
organizations as well:
 Reputational risks
 Data breaches
 ID theft
 Copyright and trademark infringements
 Defamation and libel
 Loss of intellectual property
 Violations of industry-specific regulatory requirements
 eDiscovery costs
Best practices for all your social networking accounts and activities:
• Choose a strong password: Make it longer than eight characters, include a
variety of letters, numbers, and symbols, and change it regularly. Make sure
you use a different password for each of your online accounts.
• Never save passwords in your browser: Browsers often ask if you'd like to
save your password for easy access (so you don't have to enter it on your
next visit). Never save your passwords in the browser; a dedicated password
manager is the safer way to keep a different password for every site.
• Never post information in your profile (or elsewhere) that could be used to
confirm your identity. This includes home address, birth date, phone number,
etc. An individual's date and state of birth are enough to guess a US Social
Security Number with great accuracy.
• Turn off the bells & whistles. Disable options, then re-enable them one by one only as needed.
• Set up login alerts. To help protect your account, request an email from the site
should someone try to log in from an IP address or device other than yours.
• Use your privacy settings to control who gets to see your posts and profile.
• Turn off applications such as games & quizzes (Get a free goat on Farmville!). If
you choose to add applications, ensure you understand and control how much
information you share with the application.
• Enable secure browsing (HTTPS) when using social media sites, especially from unsecured
public networks such as those in airports, cafes or hotels. This encrypts the
information you send and receive. (Look in the site's security settings.)
• Get tips and advice on how to avoid threats from the site's security/privacy page.
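The "login alert" bullet describes, from the user's side, a detection that a site or an internal application owner can implement: flag a successful login from a network the account has never used, and flag a burst of failed logins that ends in a success. The script below is an added example, not from the slides or any site's real implementation; the log lines are constructed (documentation IP ranges), and the /24 bucketing, three-failure threshold and ten-minute window are illustrative assumptions.

```python
"""Login-alert rules replayed over an authentication log (added example; log constructed)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, user, source IP, result.
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOG = """\
2024-03-04T08:02:11 alice 203.0.113.10 SUCCESS
2024-03-04T08:40:52 bob 198.51.100.7 SUCCESS
2024-03-04T09:15:03 alice 203.0.113.10 SUCCESS
2024-03-04T22:31:40 alice 192.0.2.77 FAIL
2024-03-04T22:31:58 alice 192.0.2.77 FAIL
2024-03-04T22:32:15 alice 192.0.2.77 FAIL
2024-03-04T22:32:41 alice 192.0.2.77 SUCCESS
2024-03-05T08:05:30 bob 198.51.100.9 SUCCESS
"""


def parse_line(line: str):
    """Split one log line into (timestamp, user, ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result.upper()


def source_network(ip: str):
    """Bucket an address into its /24 (IPv4) or /64 (IPv6) so that a DHCP or
    NAT re-assignment inside the same office network does not raise an alert."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def analyze(log_text: str, fail_threshold: int = 3,
            window: timedelta = timedelta(minutes=10)):
    """Replay the log in order and return a list of alert dicts.

    new_network: a SUCCESS from a network not seen in any earlier SUCCESS for
    that user (the user's first ever login only seeds the baseline).
    failures_then_success: at least fail_threshold FAILs from the same IP
    within `window`, then a SUCCESS: the signature of a guessed password.
    """
    known_nets = defaultdict(set)      # user -> networks seen in successful logins
    recent_fails = defaultdict(list)   # (user, ip) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = parse_line(line)
        key = (user, ip)
        fails = [t for t in recent_fails[key] if ts - t <= window]
        if result == "FAIL":
            recent_fails[key] = fails + [ts]
            continue
        net = source_network(ip)
        if known_nets[user] and net not in known_nets[user]:
            alerts.append({"rule": "new_network", "user": user, "ip": ip,
                           "time": ts.isoformat(), "network": str(net)})
        known_nets[user].add(net)
        if len(fails) >= fail_threshold:
            alerts.append({"rule": "failures_then_success", "user": user, "ip": ip,
                           "time": ts.isoformat(), "failures": len(fails)})
        recent_fails[key] = []  # success closes the burst
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

In the constructed log, bob's second login from 198.51.100.9 is silent because it sits in the same /24 as his earlier login, while alice's success from 192.0.2.77 raises both rules at once. A real deployment would persist the per-user baseline rather than rebuild it on every run, and would send the alert to the account owner out of band (email or SMS) so the attacker holding the session cannot suppress it.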
Safely engage in social networking:
• Use discernment when accepting friend invitations. Only accept invitations from people you know.
Cybercriminals create bogus profiles to propagate malware.
• Show "limited friends" a cut-down version of your profile. This can be useful if you have associates to
whom you do not wish to give full friend status.
• Remove a connection to a friend that you are no longer comfortable with.
• Block individuals if they are harassing you or if you just don't want to be visible to them.
• Report abuse: The most efficient way to do this is right where it occurs, through the social media site's
reporting or privacy tools.
• Be careful where you click. Make sure to evaluate the potential costs/benefits of pop-ups, applications,
and invites.
• Don't be an early adopter of a new app. Give the community time to discover the security weaknesses
before you dive in.
• Avoid suspicious-looking URLs. Make it a habit to mouse over links to identify the destination
and proceed with caution.
• Never click on unsolicited links containing celebrity gossip, natural disasters, political
scandals etc. Scammers quickly build malicious websites designed to trick users into
installing malware or sending donations to replicated websites.
• Never copy & paste a link into your address bar unless you know where the link goes. Doing
so bypasses the site's own link-warning checks, so the site can no longer warn you about a
known-bad destination.
• Never post your whereabouts or your vacation plans. You're only helping burglars to plan
their break-in.
• Never give up your login credentials. Social engineers are equipped with enough information
to trick you into believing the request is from a legitimate authority.
• Ask permission before posting someone's picture or publishing a conversation that was
meant to be private.
• Respect the law, including those laws governing defamation, discrimination, harassment and
copyright.
Online Privacy
Every day we share information about ourselves with businesses.
We do this when we take advantage of all kinds of services,
including Internet searches, social networking, mobile apps and more.
When we use these services, we're sharing information about
ourselves with friends, businesses, and affiliates. That information is
often shared and sold between businesses and advertising
networks.
Online Privacy
Here are a few tips to help you protect your personal information online:
1. Examine the seals and privacy policies that Internet companies post on their
websites before using their product. As Internet companies become more
established, their policies may change, and clients rarely re-read them, so
check again from time to time.
2. Before making a purchase from an online retailer, first ensure that the
company or individual is legitimate and that you are not dealing with hackers
posing as an online store. Is the transaction secure and encrypted (HTTPS with
a valid certificate)? Does the site provide offline contact information, including a
postal address?
3. Beware of sites that offer some sort of reward or prize in exchange for your
contact information or other personal details.
4. Refrain from giving out your full name, address, birth date, or any
other personal information that could be used to impersonate you
(identity theft) or gain access to your accounts.
5. Periodically review the privacy and security settings on your Internet
accounts and adjust them to your personal comfort level. Do not rely
on "recommended" or default settings, and ensure they
haven't been reset by an automatic update.
6. Periodically review and delete apps and games you no longer use that
have access to your accounts and devices.
7. Log out of websites and browsers when you are done. Never leave
your online accounts open.
8. The best offense is a good defense: Safety and security start with
protecting your computer. Install a security suite (antivirus,
antispyware, and firewall) that is set to update automatically. Make
sure that you are regularly applying updates for your operating
system. Be sure that you are running the most up-to-date version of
your Web browser. Keeping these critical components up to date
protects you from attacks on vulnerabilities that are already known and
patched, which is where most opportunistic attacks aim.
9. Make sure that your password is long and complex and combines letters,
numbers, and symbols (if allowed). Ideally, you should use a different
password for every online account you have.
10. Know what action to take if you suspect unusual activity or a breach.
Knowing how to navigate the
Internet safely is essential to
maintaining your privacy online.
Remember that YOU decide what
information about yourself to reveal,
when, why, and to whom.
Creating Awareness
Educate staff
• Train staff
• Document processes and outline expectations
Research potential candidates
• Perform background & credit checks
Track system changes
• Audit system access
• Audit system changes
Create & communicate policies:
• Define document and system disposal processes
• Define backup procedures
• Define clean work area policies
• Define computer usage policies
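"Audit system changes" is, at its simplest, a baseline-and-compare file integrity check, which is also the most concrete form of the Integrity element from the CIA triad earlier in the deck. The script below is an added example, not from the slides or any product: it hashes a directory tree, stores the result, and later reports what was added, removed or altered. The tree it checks is constructed in a temporary folder (a fake passwd, sshd_config and binary) so the example runs stand-alone; real targets would be /etc, system binaries and web roots.

```python
"""Baseline-and-compare file integrity check (added example; sample tree constructed)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root) -> dict:
    """Hash every regular file under root. Store the baseline off the host or
    sign it: an intruder who can edit files can also edit a local baseline."""
    root = Path(root)
    result = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        st = path.stat()
        result[path.relative_to(root).as_posix()] = {
            "sha256": digest.hexdigest(),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o777),  # catches chmod as well as edits
        }
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report paths added, removed or modified since the baseline was taken."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small fake system tree, then tamper with
    it the way an intruder might (weaken sshd_config, delete a binary, add a
    cron job for persistence) and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF placeholder, not a real binary")
        baseline = snapshot(root)

        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "ls").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "persist").write_text("* * * * * root /tmp/.x\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Run on a schedule, the report is what an "audit system changes" control actually produces; the review step that turns a line like "etc/sshd_config modified" into a question for the administrator is the awareness part that technology alone cannot supply.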
Technology: Pwn Plug
Core features (as listed by the vendor, Pwnie Express):
• Sleek, portable, quiet, compact, rugged, shippable form factor
• Intel-based hardware delivers professional-grade performance & reliability
• Onboard high-gain 802.11a/b/g/n/ac wireless supporting packet injection & monitor mode
• Onboard Bluetooth supporting device scanning & monitor mode
• Runs Pwnix, a custom Debian distro based on Kali Linux
• Over 100 OSS-based pentesting tools including Metasploit, SET, Kismet, Aircrack-NG, SSLstrip, Nmap,
Hydra, W3af, Scapy, Ettercap, Bluetooth/VoIP/IPv6 tools, and more
• Simple web-based administration and in-product updates with "Pwnie UI"
• One-click Evil AP & Passive Recon services
• Persistent reverse-SSH access to your target network
• 6 unique covert channels for remote access through application-aware firewalls and IPS
• Supports HTTP proxies, SSH-VPN, & OpenVPN
• Out-of-band SSH access over 4G/GSM cell networks (with optional GSM adapter accessory)
• Wired NAC/802.1x/RADIUS bypass capability
• Unpingable and no listening ports in stealth mode
• Local console access via HDMI
Source: https://www.pwnieexpress.com/
THANK YOU!
Jay James R. Arroyo, CEH, CCNSP
Network and Security Administrator
Mobile: 0916.221.88.77
Email: jjrarroyo@nbi.gov.ph