Date posted: 26-May-2015
Category: Education
Uploaded by: ivo-depoorter
Ivo Depoorter
Whois I
Functions: Sysadmin, DBA, CIO, ADP instructor, SSO, Security consultant
Career (20 y): NATO – Local government – Youth care
Training: Lots of Microsoft, Linux, networking, programming… Security: Site Security Officer, CISSP, BCM, Ethical Hacking, network scanning,…
Course outline
• Information security?
• Security: Why?
• Security approach
• Vocabulary
• The weakest link
• Real life security sample
Information security?
According to Wikipedia, ISO 2700x, CISSP, SANS,…:
Confidentiality: classified information must be protected from unauthorized disclosure.
Integrity: information must be protected against unauthorized changes and modification.
Availability: the information processed and the services provided must be protected from deliberate or accidental loss, destruction, or interruption of services.
Information security?
Security attributes according to the Belgian privacy commission:
Confidentiality, Integrity, Availability
+
Accountability, Non-repudiation, Authenticity, Reliability
CIA Exercise: Defacing of the Belgian Army website
Confidentiality: ?? Webserver only hosting public information? Webserver separated from LAN?
Integrity: Unauthorized changes!
Availability: Information is no longer available
Security: Why?
• Compliance with law
• Protect (valuable) assets
• Prevent production breakdowns
• Protect reputation, (non-)commercial image
• Meet customer & shareholder requirements
• Keep personnel happy
Security approach
• Both technical and non-technical countermeasures.
• Top-management approval and support!
• Communicate!
Information security needs a layered approach!!!
Best practices
• COBIT: Control Objectives for Information and related Technology
• ISO 27002 (ISO 17799): Code of practice for information security management
• …
ISO 27002
Section 0: Introduction
Section 1: Scope
Section 2: Terms and Definitions
Section 3: Structure of the Standard
Section 4: Risk Assessment and Treatment
Section 5: Security Policy
Section 6: Organizing Information Security
Section 7: Asset Management
Section 8: Human Resources Security
Section 9: Physical and Environmental Security
Section 10: Communications and Operations Management
Section 11: Access Control
Section 12: Information Systems Acquisition, Development and Maintenance
Section 13: Information Security Incident Management
Section 14: Business Continuity Management
Section 15: Compliance
ISO 27002 - Example
(Diagram: sections 10, 9, 11 and 15 mapped onto procedures, physical access and logical access.)
Security audit: local government, > 500 employees
Technique: Social Engineering
Internal audit
Security vocabulary - Threat
A potential cause of an unwanted incident, which may result in harm to individuals, assets, a system or organization, the environment, or the community. (BCI)
Samples:
• Fire
• Death of a key person (SPOK: Single Point of Knowledge)
• Crash of a critical network component, e.g. core switch (SPOF: Single Point of Failure)
• …
Security vocabulary - Damage
Harm or injury to property or a person, resulting in loss of value or the impairment of usefulness.
Damage in information security: Operational, Financial, Legal, Reputational
Damage of the defaced Belgian Army website?
• Operational: probably (temporary front page, patch management,…)
• Financial: probably (training personnel, hiring consultancy,…)
• Legal: probably (lawsuit against external responsible?)
• Reputational: certainly!
Security vocabulary - Risk
Combination of the probability of an event and its consequence.
Risk components: Threat (probability) and Damage (amount)
Example:
Process        Threat                       Damage (O F L R)   Max impact   Probability   Risk
Food freezing  Electricity failure > 24 h   4 3 2 2            4            2             8
(Risk = probability × max impact over the four damage categories: 2 × 4 = 8.)
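The risk table above, worked as a small risk register; this is an added example, not part of the original slides. It assumes a 1-4 scoring scale for impact and probability (the deck does not state one), and every register row except the slide's own "Food freezing" row is a constructed value.

```python
# Added example (not from the original slides): a small risk register that
# applies the deck's rule Risk = threat (probability) x damage (amount), with
# damage taken as the maximum impact over O, F, L and R, as in the table above.
from dataclasses import dataclass, replace

SCALE = range(1, 5)  # assumed 1-4 scoring scale; the slides do not state one


@dataclass(frozen=True)
class RiskEntry:
    process: str
    threat: str
    operational: int   # O
    financial: int     # F
    legal: int         # L
    reputational: int  # R
    probability: int   # likelihood score of the threat

    def __post_init__(self):
        for name in ("operational", "financial", "legal", "reputational", "probability"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be in {SCALE.start}..{SCALE.stop - 1}")

    def max_impact(self) -> int:
        return max(self.operational, self.financial, self.legal, self.reputational)

    def risk(self) -> int:
        return self.probability * self.max_impact()


def rank(register):
    """Highest risk first, so the register doubles as a treatment priority list."""
    return sorted(register, key=lambda e: e.risk(), reverse=True)


def treat(entry: RiskEntry, new_probability: int) -> RiskEntry:
    """Residual risk after a countermeasure that lowers the threat probability
    (e.g. a UPS for the electricity-failure row); damage categories stay as-is."""
    return replace(entry, probability=new_probability)


# Constructed sample register: the first row is the slide's own example, the
# other rows are assumed values for illustration only.
REGISTER = [
    RiskEntry("Food freezing", "Electricity failure > 24 h", 4, 3, 2, 2, 2),
    RiskEntry("Public website", "Defacement", 2, 2, 2, 4, 3),
    RiskEntry("Payroll", "Death of key person (SPOK)", 3, 2, 3, 1, 1),
]

if __name__ == "__main__":
    for e in rank(REGISTER):
        print(f"{e.risk():2d}  {e.process:14s} {e.threat}")
```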
The Zen of Risk
What is just the right amount of security?
Seeking balance between Security (Yin) and Business (Yang):
• Potential loss vs. cost
• Countermeasures vs. productivity
Security vocabulary - AAA
Authentication: technologies used to determine the authenticity of users, network nodes, and documents
Authorization: who is allowed to do what?
Accountability: is it possible to find out who has made any operations?
• Strong authentication (two-factor or multifactor):
  • Something you know (password, PIN,…)
  • Something you have (token,…)
  • Something you are (fingerprint,…)
The weakest link
SEC_RITY is not complete without U!
Countermeasures:
• Force password policy on server
• Train personnel
• Use strong authentication
• …
The weakest link
Amateurs hack systems, professionals hack people!
Countermeasures:
• Implement security & access policies
• Job rotation
• Encryption
• Employee awareness training
• Audit trail of all accesses to documents
• …
Hacking steps
Step                  Countermeasures (short list)
1. Reconnaissance     Be careful with information
2. Network mapping    Network IDS – block ICMP
3. Exploiting         System hardening
4. Keeping access     IDS – Antivirus – rootkit scanners
5. Covering tracks
Reconnaissance (information gathering): searching for interesting information on discussion groups/forums, social networks, customer reference lists, Google hacks…
Logical security
• VLANs
• Password policy
• …
Real life security sample
High security (war)zone
Illiterate (local) cleaning personnel (use opportunities!!!)
Physical security:
• Personnel clearance
• Physical control
• PC placement (shoulder surfing)
• Clean desk policy
• Shredder
• Lock screen policy
• Fiber to PC
(Diagram: WWW and LAN separated by > 2 m; Tempest!!!)
We learned…
• Security is CIA(+)
• Why: law, reputation, production continuity,…
• Approach: layered, technical & non-technical, support from CEO, lots of communication
• Vocabulary: threat, damage, risk, (strong) authentication, authorization, accountability
• Risk = threat * damage
• Security balance: loss vs. cost & countermeasures vs. productivity
• The weakest link is personnel!
• A hacker starts with information gathering