Data Protection and War Stories from the Wild Wild West

Peter H. Gregory, CISA, CISSP
[email protected]
www.isecbooks.com

Western Pension and Benefits Conference
February 20, 2007


About the Speaker

- Peter Gregory, CISA, CISSP
- Author of 12 books in information security & technology
- Frequent conference speaker
- Interviews in Information Security Magazine, Computerworld, Seattle Times, C|Net News, etc.
- Board of Directors, InfraGard Seattle
- Way too busy with too many things (but considering more)

www.isecbooks.com
[email protected]


Rules

- This is interactive
- Ask questions at any time
  - There are no dumb questions
- You can send me e-mail about it later
- You can leave comments or questions on my blog


Agenda

- Background on technology and security
- Unintended consequences
- Misuse of technology
- Threats and vulnerabilities
- Things you can do on your own
- Things you need your organization to do


The security problem defined

- Technology advances faster than our ability to protect ourselves
  - Examples: cars, children's toys
- Technology does not attempt to discern the intent of the user; persons with evil intent are free to misuse technology
- As various technologies are used together, there are frequently unintended consequences that are not immediately understood
- Security measures come later, and are often imperfect
- Users assume some responsibility for safe usage


Speaking of unintended consequences…



Another thing you need to know…

- Security mechanisms do not necessarily stop bad things from happening



Understanding Threats

- Data theft & identity theft
- Malware
- Physical theft
- Fraud
- Insiders
- Former insiders
- Organized crime


Understanding Vulnerabilities

- Weaknesses that can permit unauthorized access or malfunctions
  - Software
  - Processes
  - People



What needs to be protected

- Credentials (userids and passwords)
- PII (Personally Identifiable Information)
- Your company's secrets, whatever they are
- Your company's assets
- Your personal secrets


What security professionals care about

- "CIA"
  - Confidentiality
  - Integrity
  - Availability


Understanding Risk

- Security professionals sometimes perform risk analysis
- Risk = (Probability of event) × (Impact of event)


How to tell if a computer breach has occurred

- No easy ways, yet, if ever
- If information has been stolen, it's still there (data theft is a copy; nothing goes missing to tip you off)
- If information has been deliberately corrupted, it may not be immediately evident, if ever (nothing in the file announces that a value was changed; you need a trustworthy earlier copy or hash to compare against)


How to protect your assets

Things you can do
- Secure your passwords
- Protect your screen
- Encrypt your data
- Use the Internet safely
- Prevent laptop theft
- Secure document disposal
- Prevent eavesdropping

Things your organization can do
- Top-down security
- Account management
- Access management
- Perimeter defenses
- Physical security
- Security scanning
- Change management
- Incident management
- Background checks
- Outside assessments
- DRP / BCP


SECURE YOUR PASSWORDS

- Use good passwords
  - Long, complex, difficult for others to guess
- Use different passwords for different accounts
- Use a password storage vault
  - Password Safe


Password Safe

passwordsafe.sourceforge.net


PROTECT YOUR SCREEN

- Privacy filter ($70-90)
- Short-interval locking screen saver
- Lock your screen when unattended
  - Windows key + L
  - Ctrl-Alt-Del, then K



ENCRYPT YOUR DATA

- Encrypt data stored on your computer
  - Disk encryption
    - EFS (built in to Windows): encrypts only the files and folders you mark, tied to your Windows logon
    - BitLocker (new in Vista): encrypts the whole volume, so temp files, the page file and anything saved outside the marked folders are covered too
    - PGP Disk
    - many other brands
- Encrypt data you send to others
  - PGP, WinZip v9+


WinZip version 9 or newer

- Version 9 is the release that added AES encryption; the legacy "Zip 2.0" password protection still offered in the same dialog is cryptographically weak, so choose the AES option when encrypting sensitive files


USE THE INTERNET SAFELY

- Anti-virus (viruses, worms, Trojans)
  - Check for updates daily
  - Full hard drive scan weekly
  - Auto-protect turned on
  - Heuristics turned on
  - E-mail protection (if available)
- Don't want to pay? Use AVG Free Anti-Virus: www.grisoft.com


USE THE INTERNET SAFELY

- E-mail (spam)
  - Use a spam filter
  - Don't open unfamiliar e-mails
- Browser safety (pop-ups, spyware)
  - Maintain secure settings
  - Use anti-spyware
    - Windows Defender, Spy Sweeper, Ad-Aware…
  - Block pop-ups


PREVENT LAPTOP THEFT

- Keep your laptop with you at all times
  - Lock it in your trunk
  - Don't put it in checked baggage
  - Don't check it at the bell desk
  - Lock it to a heavy piece of furniture


SECURE DOCUMENT DISPOSAL

- Pay attention to what you are throwing away
- Waste paper into recycling
- Paper with personal or company information into shred bins or directly to the shredder


PREVENT EAVESDROPPING

- Phone conversations in public places
- Be mindful of who may overhear you


Things your organization can do…


TOP-DOWN SECURITY

- Executive-level accountability for security and compliance
- Leadership by example
- Organization security policy
  - Enforcement to include real consequences


ACTIVELY MANAGE USER ACCOUNTS

- Formal process for userid creation
- Formal process for termination
  - Promptly disable user accounts
  - Contractors too


RESTRICT ACCESS TO DATA: NEED TO KNOW

- Employees should be able to access only what they require to do their job, and no more
- How: create the access control policy first, then implement it
- Do not permit "accumulation of privileges"
  - Transfers within the organization: people take their privileges with them and accumulate more
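Added example, not from the talk: a small access review in Python that covers the two slides above, user account management and need-to-know. The directory export, HR roster, role policy and service-account list are constructed sample data, and every userid, group name and role name in it is hypothetical. It flags enabled accounts that HR no longer knows about (the contractor nobody disabled) and group memberships a person's current role does not grant (the transferred clerk who kept the old role's access).

```python
"""Access review: flag accounts that should be disabled and privileges the
current role does not justify.  Added example; the directory export, HR
roster, role policy and service-account list below are constructed sample
data, not real records."""

from dataclasses import dataclass


@dataclass
class Account:
    userid: str
    enabled: bool
    groups: set


# Constructed: what the directory says today.
DIRECTORY = [
    Account("jsmith", True,  {"payroll-ro", "benefits-rw"}),
    Account("mlee",   True,  {"payroll-ro", "payroll-rw", "benefits-rw", "hr-admin"}),
    Account("ctr-rk", True,  {"dev-lab"}),          # contractor whose engagement ended
    Account("apatel", False, {"benefits-rw"}),      # already disabled, correctly
    Account("svc-bk", True,  {"backup-admin"}),     # service account, not a person
]

# Constructed: HR's list of people still employed or on contract, with their current role.
HR_ROSTER = {"jsmith": "benefits-analyst", "mlee": "payroll-clerk", "apatel": "benefits-analyst"}

# Constructed: the access control policy, written first and enforced second (groups each role needs).
ROLE_POLICY = {
    "benefits-analyst": {"benefits-rw", "payroll-ro"},
    "payroll-clerk":    {"payroll-rw", "payroll-ro"},
}

# Constructed: accounts that are not people and are reviewed by a separate process.
SERVICE_ACCOUNTS = {"svc-bk"}


def orphaned_accounts(directory, roster, service_accounts):
    """Enabled accounts with no HR record: departed staff or contractors nobody disabled."""
    return sorted(a.userid for a in directory
                  if a.enabled and a.userid not in roster and a.userid not in service_accounts)


def excess_privileges(directory, roster, policy):
    """Groups a user holds beyond what the current role's policy grants.
    Transfers show up here: the old role's groups came along for the ride."""
    by_id = {a.userid: a for a in directory}
    findings = {}
    for userid, role in roster.items():
        acct = by_id.get(userid)
        if acct is None or not acct.enabled:
            continue
        extra = acct.groups - policy.get(role, set())
        if extra:
            findings[userid] = sorted(extra)
    return findings


def access_review(directory=DIRECTORY, roster=HR_ROSTER, policy=ROLE_POLICY,
                  service_accounts=SERVICE_ACCOUNTS):
    """Both checks in one report: who to disable, and whose access to trim."""
    return {"disable": orphaned_accounts(directory, roster, service_accounts),
            "excess": excess_privileges(directory, roster, policy)}


if __name__ == "__main__":
    report = access_review()
    for userid in report["disable"]:
        print(f"DISABLE {userid}: enabled account with no HR record")
    for userid, groups in report["excess"].items():
        print(f"REVIEW  {userid}: holds {groups} beyond role policy")
```

Run against a real directory export and HR feed it becomes a scheduled job rather than a one-off; the point the slide makes is the order of operations, policy first and then a mechanical check against it, and the check is only as good as the roster and policy it is fed.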


ENCRYPT SENSITIVE DATA

- Encrypt sensitive data at rest
  - PII (personally identifiable information)
  - Financial, medical, identity
- Encrypt sensitive data in transit
  - Batch feeds between organizations
  - E-mail
  - Ad hoc data transfers


IMPLEMENT PERIMETER DEFENSES

- Firewalls
- Spam filtering
  - Hardware, software, or external service*
- Intrusion detection
  - "snort"
- Intrusion prevention

* my favorite by far
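Added example, not from the talk: what a signature-based intrusion detector such as Snort is doing, shown in Python over constructed web-server log lines. The signatures are the probe URLs Nimda is documented to have sent to IIS servers (CERT Advisory CA-2001-26); the log lines and IP addresses are made up. The generic rule is there to show why real rulesets pair exact signatures with broader ones: a variant with different capitalisation or a trailing argument slips past the exact list. One caveat the Nimda war story later in this deck illustrates: a sensor only sees traffic that crosses it, and a laptop attacking from inside the network never crosses a perimeter-only sensor.

```python
"""Signature-based intrusion detection in miniature: match web requests against
the probe URLs Nimda sent to IIS servers.  Added example, not part of the talk;
the log lines are constructed.  The probe strings are those published in CERT
Advisory CA-2001-26."""

import re
from urllib.parse import unquote

# Exact signatures: the "content:" a Snort rule would carry for each probe.
NIMDA_PROBES = [
    "/scripts/root.exe?/c+dir",
    "/MSADC/root.exe?/c+dir",
    "/c/winnt/system32/cmd.exe?/c+dir",
    "/d/winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
    "/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%252f../winnt/system32/cmd.exe?/c+dir",
]

# Broader rule for variants the exact list misses: any request whose path,
# once URL-decoded, reaches cmd.exe or root.exe, regardless of case.
GENERIC = re.compile(r"(cmd|root)\.exe", re.IGNORECASE)

# Common Log Format: client, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify(line):
    """Return (source_ip, signature_name) for a matching log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, _method, path, _status = m.groups()
    for probe in NIMDA_PROBES:
        if path.startswith(probe):      # prefix match tolerates appended arguments
            return (src, "nimda-probe:" + probe)
    if GENERIC.search(unquote(path)):   # single decode; invalid UTF-8 is replaced, not rejected
        return (src, "generic-cmd-exe")
    return None


def scan_log(lines):
    """Group hits by source address: one host hitting probe after probe is a worm, not a typo."""
    hits = {}
    for line in lines:
        r = classify(line)
        if r:
            hits.setdefault(r[0], []).append(r[1])
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.1.4.23 - - [14/Feb/2007:09:02:11 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '10.1.4.23 - - [14/Feb/2007:09:02:11 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -',
    '10.1.4.23 - - [14/Feb/2007:09:02:12 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 -',
    '10.1.9.7 - - [14/Feb/2007:09:03:40 -0800] "GET /benefits/summary.asp?id=4412 HTTP/1.1" 200 -',
    '10.1.9.7 - - [14/Feb/2007:09:03:55 -0800] "GET /scripts/..%c0%af../winnt/system32/CMD.EXE?/c+dir+c:\\ HTTP/1.0" 200 -',
]

if __name__ == "__main__":
    for src, sigs in scan_log(SAMPLE_LOG).items():
        print(f"{src}: {len(sigs)} hit(s)")
        for s in sigs:
            print("   ", s)
```

The third sample line is the one to worry about: a 200 on a cmd.exe request means the server answered the probe rather than rejecting it, which is exactly the signal an IDS should raise immediately and an IPS would have blocked.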


PHYSICAL SECURITY

- Key card entry
- Visible name/photo badges
- Restricted access to sensitive areas, computer rooms
- Sign-in sheet at reception
  - Capture DL, DOB, vehicle license, signature
- Video surveillance
  - Watch all entrances, sensitive areas
  - Record video, retain it for 30 days or more


SCAN YOUR ENVIRONMENT

- Scanning: electronically searching for vulnerabilities
- Scan from the outside in
  - External scanning providers: Qualys, Ambiron, many others
  - Hackers do it routinely and frequently; why not do it also and plug those holes!
- Scan internally
  - Nessus, Qualys, Shavlik
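Added example, not from the talk: the first step every scanner takes, finding listening TCP ports, written in Python. It starts its own stand-in listener on a loopback port so it runs offline; 127.0.0.1 and the port window it scans are assumptions. Nessus and Qualys go much further (service and version identification, checks against known vulnerabilities), and like them this sends real connections that show up in the target's logs, so point it only at hosts you are authorised to scan.

```python
"""The first thing any scanner does: find listening TCP ports.  Added example,
not from the talk.  A stand-in listener on a loopback port makes it run offline;
127.0.0.1 and the port window are assumptions.  This sends real connections, so
scan only hosts you are authorised to scan."""

import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=0.5):
    """True if a TCP connect to host:port completes.  A full handshake, so the
    target's logs will show it; that is also why attackers' scans are visible."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_ports(host, ports, timeout=0.5, workers=32):
    """Sorted list of the ports in `ports` that accept connections."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def start_listener(host="127.0.0.1"):
    """Stand-in target: a listener on an ephemeral loopback port.
    Returns (port, stop); call stop() to shut it down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)
    srv.settimeout(0.1)           # lets the accept loop notice the stop flag
    stop_flag = threading.Event()

    def serve():
        while not stop_flag.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
        srv.close()               # closed by the thread that owns the accept loop

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()

    def stop():
        stop_flag.set()
        thread.join()

    return srv.getsockname()[1], stop


def demo():
    """Scan a window of ports around the stand-in listener; only it should answer."""
    port, stop = start_listener()
    try:
        window = range(max(1, port - 5), port + 6)
        return port, scan_ports("127.0.0.1", window)
    finally:
        stop()


if __name__ == "__main__":
    port, found = demo()
    print(f"listener on port {port}; open ports found: {found}")
```

A connect scan is the noisiest kind, which is a feature when you are scanning your own network: the entries it leaves in server logs are what an attacker's reconnaissance looks like, so they double as test data for the detection side.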


CHANGE MANAGEMENT

- All changes to applications and infrastructure should go through a formal change management process
  - Request
  - Review
  - Approve
  - Implement
  - Verify
  - Recordkeeping


SECURITY INCIDENT MANAGEMENT

- Recognize when an incident occurs
- Act quickly to preserve forensic data
  - May be needed for criminal or civil actions
- Act quickly to restore operations
  - May trigger business continuity events
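Added example, not from the talk, serving two slides: the earlier point that stolen or corrupted data looks exactly like intact data, and this slide's call to preserve forensic data quickly. It is a Python hash-manifest tool: take a SHA-256 baseline of a directory, later report what was modified, removed or added, and write a dated, attributed evidence record whose own hash is what goes in the chain-of-custody log. The directory, file names and collector name in the demo are constructed.

```python
"""Hash manifests for two jobs the talk raises: detecting silent corruption
(compare today's hashes with a baseline) and preserving forensic data (record
evidence hashes so a later examiner can prove the copy is unaltered).  Added
example, not from the talk; the files it hashes are created by the demo."""

import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root, baseline):
    """Compare the tree against a baseline: what changed, vanished, or appeared."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing":  sorted(p for p in baseline if p not in current),
        "new":      sorted(p for p in current if p not in baseline),
    }


def write_evidence_record(root, out_path, collector):
    """Forensic preservation: hash the evidence and record who collected it and when.
    Keep this record, and a copy of the evidence, somewhere the attacker cannot reach."""
    record = {
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "algorithm": "sha256",
        "files": build_manifest(root),
    }
    with open(out_path, "w") as f:
        json.dump(record, f, indent=2, sort_keys=True)
    # The record's own hash is the value you write in the chain-of-custody log.
    return sha256_file(out_path)


def demo():
    """Constructed scenario: a participant file is altered after the baseline was taken."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as vault:
        os.makedirs(os.path.join(root, "plans"))
        with open(os.path.join(root, "plans", "401k_participants.csv"), "w") as f:
            f.write("id,name,balance\n1001,A. Example,52000.00\n")
        with open(os.path.join(root, "plans", "README.txt"), "w") as f:
            f.write("quarterly export\n")
        baseline = build_manifest(root)

        # Silent tampering: the balance changes but the file size does not, a file
        # disappears, and something new is dropped alongside.
        with open(os.path.join(root, "plans", "401k_participants.csv"), "w") as f:
            f.write("id,name,balance\n1001,A. Example,92000.00\n")
        os.remove(os.path.join(root, "plans", "README.txt"))
        with open(os.path.join(root, "plans", "dropped.exe"), "wb") as f:
            f.write(b"MZ")

        findings = verify_manifest(root, baseline)
        record_hash = write_evidence_record(root, os.path.join(vault, "evidence.json"), "p.gregory")
        return findings, record_hash


if __name__ == "__main__":
    findings, record_hash = demo()
    for kind, paths in findings.items():
        print(f"{kind}: {paths}")
    print("evidence record sha256:", record_hash)
```

The baseline is only trustworthy if it was taken before the incident and stored where the intruder could not rewrite it along with the data; the same goes for the evidence record, which is why its hash is written down on paper or in a system the compromised one cannot reach.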


BACKGROUND CHECKS

- Do you really know who's working for you?
- Make background checks a part of the hiring process
  - Education
  - Employment
  - Credit
  - Criminal
- Do this for employees and contractors!


OUTSIDE AUDITORS / ASSESSORS

- Many regulations require periodic audits; others do not
  - PCI, HIPAA, GLBA, SB1386, SB6043, FISMA, SOX
- If you are not periodically audited, consider doing so
  - Security risk assessment by a security firm
  - ISO 27001 certification
  - WebTrust or SysTrust certification
  - HackerSafe or VeriSign seal


DISASTER RECOVERY / BUSINESS CONTINUITY PLANNING

- Tangential to data security
  - Tied to "availability"


War Story: Stolen Laptops

- Scenario 1: 30+ employee laptops disappear overnight
- Scenario 2: executive left laptop on the airplane
- Scenario 3: laptop and computer bag stolen out of employee's car


War Story: Disclosed Passwords

- Scenario 1: Call center employee using supervisor's ID for approving discounts and credits
- Scenario 2: Privileged (administrative) password given to an employee who should not have had it
  - Came to light when unauthorized changes caused outages


War Story: Typhoid Mary laptop brings in a worm

- Scenario: 2003, Nimda worm
  - Employee's laptop anti-virus wasn't working
  - Became infected with Nimda while at home (no firewall)
  - Came in to work, plugged into the network
  - Attack commenced inside the corporate network
  - Critical servers attacked, crashed
  - This occurred three times in three days (different employees)


War Story: Vulnerability on Competitor's Web Site: could it happen to us?

- Well-publicized vulnerability on Verizon's website easily allowed people to view other customers' account information
- Quickly, executives asked if it could happen to us (AT&T Wireless).
- (…a mad scramble ensues…)
- We were not vulnerable to the same attack, or anything resembling it. Phew!


War Story: Sept 11, 2001 - corporate lockdown

We convened on an emergency response conference bridge and locked down and mobilized the entire company: dozens of office locations and hundreds of stores
- Locked down office building entrances (ingress by main entrance only)
- Temporarily released all contractors
- Tightened network security
- Suspended extranet access


Viruses and more in the software dev lab

New administrator in a lab stuffed with dozens of computers discovered a system with dozens of viruses and "root kits"
When IT switched anti-virus vendors, they never told R&D, so the systems in the lab stopped updating virus signatures six months earlier
The solution:
- Reset all passwords
- Wipe the seriously-infected systems, clean the rest
- Get current anti-virus licenses
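Both the Nimda laptop story and the dev lab story come down to endpoints whose anti-virus was silently not working (agent stopped, or signatures never updated after a vendor switch). The audit below is an added example, not the speaker's material: it reads a constructed inventory export (hypothetical CSV columns host, av_vendor, signature_date, agent_running) and flags every host that should not be trusted on the network, including hosts still reporting the old vendor.

```python
"""Endpoint anti-virus health audit (added example; column names are assumed)."""
import csv
import io
from datetime import date, datetime

# Constructed sample export, modelled on what an AV or asset console might produce.
# The lab hosts still report the old vendor and signatures from six months earlier.
SAMPLE_INVENTORY = """\
host,av_vendor,signature_date,agent_running
lab-build-01,OldVendorAV,2006-08-14,yes
lab-build-02,OldVendorAV,2006-08-14,yes
lab-test-07,NewVendorAV,2007-02-19,yes
sales-laptop-12,NewVendorAV,2007-02-18,no
hr-laptop-03,NewVendorAV,2007-02-19,yes
"""


def parse_inventory(text):
    """Parse the CSV export into dicts with typed signature_date and agent_running."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["signature_date"] = datetime.strptime(rec["signature_date"], "%Y-%m-%d").date()
        rec["agent_running"] = rec["agent_running"].strip().lower() == "yes"
        rows.append(rec)
    return rows


def audit(rows, today, approved_vendor, max_signature_age_days=7):
    """Return {host: [findings]} for endpoints whose AV protection cannot be trusted."""
    findings = {}
    for r in rows:
        problems = []
        if not r["agent_running"]:
            problems.append("agent not running")
        if r["av_vendor"] != approved_vendor:
            # Catches the "IT switched vendors, nobody told R&D" failure mode.
            problems.append(f"unapproved vendor {r['av_vendor']}")
        age_days = (today - r["signature_date"]).days
        if age_days > max_signature_age_days:
            problems.append(f"signatures {age_days} days old")
        if problems:
            findings[r["host"]] = problems
    return findings


if __name__ == "__main__":
    report = audit(parse_inventory(SAMPLE_INVENTORY), date(2007, 2, 20), "NewVendorAV")
    for host, problems in sorted(report.items()):
        print(f"{host}: {', '.join(problems)}")
```

Hosts that appear in the report are candidates for network quarantine until their agent is running with current signatures from the approved vendor.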


Outsider hacking in to 501(c)(3) web site

Non-profit website...
Hacked into website software
- defaced web pages
- altered web pages
- changed links to take people elsewhere
Security assessment needed
- Identify the vulnerabilities
- Fix them


Transactions showing up in other accounts

Credit card transactions for one customer showing up in another customer's report
Root cause analysis (RCA): administrator error, not following a procedure


Q & A
