The 7 Myths of Information Systems Security

Marco Aurélio Pereira, CISSP
Information Systems Security Business Unit Director
marco@idw.pt

Copyright 2008, IDW http://www.idw.pt

1) We use the best and latest AV

• Virus ≠ Worm ≠ Trojan ≠ Spyware
• Knowledge-base, black-list tools => Reactive
• Infected population doubling rate:
  – Code Red [July 2001] – 37 minutes
  – SQL Slammer [Jan 2003] – 8.5 seconds
• SQL Slammer infected 90% of the vulnerable hosts within 10 minutes
• Nobody is that fast!

2) We have a multilayer, multivendor FW

The paradigm:
• Anytime
• Anywhere
• Any Device
• Any Content

Data loss can happen:
• Anytime
• Anywhere
• Any Device
• Any Content

– Most attackers are already inside
  • Visitors, on-site and off-site consultants
  • Support technicians, tele-workers
  • Business partners
– Mobility represents a trade-off: too many holes in the perimeter defence
  • VPN, dial-ups, laptops, PDAs
  • P2P, malware & spyware
  • Instant messaging
  • Wireless access points

3) Custom Applications made by the BEST

• Focus on the "new" weak point
  [Diagram: attack surface layers – OS, Common Applications, Custom Applications]
  – Most problems are in custom-made applications
    • Cookie poisoning, session hijacking, buffer overflows
    • Parameter tampering, malicious code insertion, SQL injection
    • Object reuse, race conditions, random number generation
• Programmers want to write good code, but:
  – They were never taught to write secure code;
  – They believe users are benevolent like them;
  – They focus on features and deadlines rather than quality and security.
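Two of the defects in the list above, each beside its fix, as an added example that is not part of the original slides. The users table, the passwords and the `demo` helper are constructed for the demonstration; the code uses only Python's standard library and an in-memory SQLite database.

```python
"""SQL injection and predictable session tokens: vulnerable vs. hardened.

Added example, not from the slides. Sample users are constructed; passwords
are kept in plaintext only so the injected query stays readable (real code
stores a salted, slow hash).
"""
import hmac
import random
import secrets
import sqlite3

# Constructed sample data (demo only).
_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed users above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _USERS)
    return conn


def login_vulnerable(conn, name: str, password: str) -> bool:
    """The 'before': user input is pasted into the SQL text (SQL injection)."""
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, name: str, password: str) -> bool:
    """The 'after': parameter binding, so input is never parsed as SQL."""
    row = conn.execute("SELECT password FROM users WHERE name = ?",
                       (name,)).fetchone()
    # Constant-time comparison so the check does not leak through timing.
    return row is not None and hmac.compare_digest(row[0].encode(),
                                                   password.encode())


def session_token_weak(seed: int) -> str:
    """Session ID from random.Random: reproducible from its seed, so anyone
    who learns or guesses the seed can predict every token it will hand out."""
    return "%032x" % random.Random(seed).getrandbits(128)


def session_token_fixed() -> str:
    """Session ID from the OS CSPRNG: 128 bits, not predictable from past tokens."""
    return secrets.token_hex(16)


def demo() -> dict:
    conn = make_db()
    payload = "x' OR '1'='1"       # classic tautology in the password field
    return {
        "vulnerable_bypassed": login_vulnerable(conn, "alice", payload),  # True
        "fixed_bypassed": login_fixed(conn, "alice", payload),            # False
        "fixed_legit": login_fixed(conn, "alice", "correct horse"),       # True
        # Two servers (or two restarts) seeded the same way issue the same ID.
        "weak_tokens_collide": session_token_weak(1234) == session_token_weak(1234),
        "strong_tokens_collide": session_token_fixed() == session_token_fixed(),
    }
```

`demo()` shows the tautology payload logging in through the string-built query but not through the bound parameter, and the seeded generator issuing identical "random" session IDs. Cookie poisoning, buffer overflows and race conditions from the same list are not covered here.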

4) We use SSL because it guarantees security

• SSL
  – Authenticates the server (and optionally the client)
  – Negotiates symmetric session keys for protected communication
• Doesn't guarantee:
  – That you are using a robust crypto algorithm;
  – That the client or the server isn't compromised:
    • Key logger, root kit, private key in memory.

[Slide illustration: "1024 bits of pure random data"]
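A weak and a hardened TLS client configuration, with a check a reviewer can run over either, as an added example that is not from the slides. `audit_context` is a hypothetical helper written for this page; it inspects settings only, needs no network, and cannot see the other things the slide warns about (a key logger, a rootkit, or a private key lifted from memory on an endpoint).

```python
"""Weak vs. hardened TLS client context, plus a settings audit.

Added example, not from the slides. 'We use SSL' says nothing about how:
a context with verification switched off still yields an encrypted session,
just one with whoever answered the connection.
"""
import ssl


def weak_context() -> ssl.SSLContext:
    """What 'just make the error go away' code usually ends up with."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # accept a certificate for any name
    ctx.verify_mode = ssl.CERT_NONE     # accept a certificate from any issuer
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verified peer, TLS 1.2 floor, AEAD suites with forward secrecy only."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the list of findings; an empty list means nothing obviously wrong."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    names = {c["name"] for c in ctx.get_ciphers()}
    if any(bad in n for n in names for bad in ("RC4", "MD5", "NULL", "DES")):
        findings.append("weak cipher suites enabled")
    # TLS 1.3 suites (names starting with TLS_) always use ephemeral keys.
    if not all("ECDHE" in n or n.startswith("TLS_") for n in names):
        findings.append("cipher suites without forward secrecy enabled")
    return findings
```

Run `audit_context(weak_context())` and `audit_context(hardened_context())` side by side; the first returns the list of reasons the "SSL" in front of an application buys little, the second returns an empty list.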

5) We even use strong cryptography!

• ePassport:
  – The key is derived from the printed information
• Integrity of DB records:
  – Storing the hash and the data in the same DB!
• Mantrap
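The second bullet worked through, as an added example that is not from the slides: an attacker who can write to the database can recompute a plain hash stored beside the row, but not a MAC whose key the database never holds. The ePassport bullet is the same class of mistake, a strong algorithm keyed from material the attacker can read. The record, the key handling and the `tamper` function are constructed for the demonstration.

```python
"""Record integrity: hash stored beside the data vs. a keyed MAC.

Added example, not from the slides. RECORD and tamper() are constructed.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample row; in practice a row in the application database.
RECORD = {"id": 42, "account": "PT50 0000 0000 0000 0000 0000 1", "balance": 100}


def canonical(record: dict) -> bytes:
    """Stable serialization so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


# --- the myth: hash and data in the same DB -------------------------------
def store_with_hash(record: dict) -> dict:
    row = dict(record)
    row["digest"] = hashlib.sha256(canonical(record)).hexdigest()
    return row


def verify_hash(row: dict) -> bool:
    data = {k: v for k, v in row.items() if k != "digest"}
    expected = hashlib.sha256(canonical(data)).hexdigest()
    return hmac.compare_digest(row["digest"], expected)


# --- the fix: HMAC under a key the DB never sees ---------------------------
def store_with_mac(record: dict, key: bytes) -> dict:
    row = dict(record)
    row["mac"] = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return row


def verify_mac(row: dict, key: bytes) -> bool:
    data = {k: v for k, v in row.items() if k != "mac"}
    expected = hmac.new(key, canonical(data), hashlib.sha256).hexdigest()
    return hmac.compare_digest(row["mac"], expected)


# --- attacker with write access to the DB (SQL injection, stolen DBA creds)
def tamper(row: dict) -> dict:
    """Change the balance and recompute whatever integrity column exists
    using only information that is stored in the database itself."""
    evil = {k: v for k, v in row.items() if k not in ("digest", "mac")}
    evil["balance"] = 1_000_000
    if "digest" in row:
        evil["digest"] = hashlib.sha256(canonical(evil)).hexdigest()
    if "mac" in row:
        # No key in the DB: the best the attacker can do is guess one.
        evil["mac"] = hmac.new(b"guess", canonical(evil), hashlib.sha256).hexdigest()
    return evil


def demo() -> dict:
    key = secrets.token_bytes(32)   # held by the application or an HSM, never the DB
    hashed = store_with_hash(RECORD)
    maced = store_with_mac(RECORD, key)
    return {
        "hash_detects_tamper": not verify_hash(tamper(hashed)),    # False
        "mac_detects_tamper": not verify_mac(tamper(maced), key),  # True
        "mac_accepts_genuine": verify_mac(maced, key),             # True
    }
```

The MAC key has to live somewhere the database compromise does not reach (application host, KMS, HSM); if it is stored in another table of the same database the construction collapses back to the myth. A digital signature works the same way with a private key that the verifier never needs.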

6) We share a common security policy/vision

7) We only have the Best Of Breed

• A medium-size IT security infrastructure has more than 10 different products.
  – Do you look at the logs daily?
  – How many consoles do you have?
  – Do you centralize and correlate the information?
  – What is the size of your security team?
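What "centralize and correlate" looks like in practice, as an added example that is not from the slides. The three log formats (a firewall, an anti-virus console and a VPN gateway) and every line in them are constructed for the demonstration; the parsers and the correlation rule are hypothetical, not any product's. Each product's output looks routine on its own console; joined on the host address they describe one laptop being used against the internal network.

```python
"""Normalize three products' logs into one schema and correlate by host.

Added example, not from the slides. All log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

FIREWALL_LOG = """\
2008-03-10T09:14:02 fw1 DROP src=10.1.5.23 dst=10.1.9.7 proto=tcp dpt=445
2008-03-10T09:14:03 fw1 DROP src=10.1.5.23 dst=10.1.9.8 proto=tcp dpt=445
2008-03-10T09:14:03 fw1 DROP src=10.1.5.23 dst=10.1.9.9 proto=tcp dpt=445
2008-03-10T09:20:11 fw1 DROP src=10.1.7.4 dst=10.1.9.7 proto=tcp dpt=445
"""
AV_LOG = """\
10/03/2008 09:13:55,LAPTOP-23,10.1.5.23,Trojan.Generic,Quarantine failed
10/03/2008 11:02:10,PC-0471,10.1.7.4,EICAR-Test-File,Quarantined
"""
VPN_LOG = """\
Mar 10 09:12:40 vpn1 auth: user=contractor7 assigned=10.1.5.23 result=success
Mar 10 09:30:02 vpn1 auth: user=jsmith assigned=10.1.7.4 result=success
"""

FW_RE = re.compile(r"^(\S+) \S+ (\w+) src=(\S+) dst=(\S+) .*dpt=(\d+)$")
VPN_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ auth: "
                    r"user=(\S+) assigned=(\S+) result=(\w+)$")


def normalize(firewall: str, av: str, vpn: str, year: int = 2008) -> list:
    """Map every product's line to one tuple: (time, host_ip, source, detail)."""
    events = []
    for line in firewall.splitlines():
        m = FW_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            events.append((ts, m.group(3), "fw",
                           "%s -> %s:%s" % (m.group(2), m.group(4), m.group(5))))
    for line in av.splitlines():
        date, _host, ip, threat, action = line.split(",")
        ts = datetime.strptime(date, "%d/%m/%Y %H:%M:%S")
        events.append((ts, ip, "av", "%s %s" % (threat, action)))
    for line in vpn.splitlines():
        m = VPN_RE.match(line)
        if m:  # syslog lines carry no year; it is supplied by the caller
            ts = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(3), "vpn", "user=%s %s" % (m.group(2), m.group(4))))
    return sorted(events)


def correlate(events: list, window=timedelta(minutes=10), min_targets: int = 3) -> list:
    """Alert on a host whose AV detection could not be cleaned and which, within
    `window` afterwards, had traffic dropped towards >= min_targets internal hosts."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        for av_ev in (e for e in evs if e[2] == "av" and "failed" in e[3]):
            targets = {e[3].split("->")[1].strip() for e in evs
                       if e[2] == "fw"
                       and 0 <= (e[0] - av_ev[0]).total_seconds() <= window.total_seconds()}
            if len(targets) >= min_targets:
                users = {e[3] for e in evs if e[2] == "vpn"}
                alerts.append({"host": host, "targets": sorted(targets),
                               "vpn": sorted(users)})
    return alerts
```

`correlate(normalize(FIREWALL_LOG, AV_LOG, VPN_LOG))` returns one alert for 10.1.5.23 with the three SMB targets and the VPN account that brought the machine in; 10.1.7.4, whose detection was cleaned, is not flagged. The same rule over ten consoles by hand is exactly the work the slide's questions are about.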

Lesson 1

If you want results, get enthusiastic support from your top management.
– Security and risk are OLD business problems.
– Data Owner ≠ Data Custodian ≠ Data User
– You cannot manage without measuring:
  • Benchmarks
  • Maturity models
  • Audits, pentests

Lesson 2

Be careful with custom applications!
– "If you want it bad, you'll get it bad."
– Incredible ROI: 1 day of security training for developers
– Project management is a balance between:
  • Scope (Quality, Performance)
  • Time (Deadline)
  • Cost (Budget)
  If you lock Time and Cost, Scope will suffer.

Lesson 3

Never underestimate the human aspect!
– People do "stupid" things.
  • That's the only reason why viruses exist.
  • People + Technology = Risk
– "I was so successful in that line of attack [social engineering] that I rarely had to resort to a technical attack."
  Kevin Mitnick
– Security awareness is essential.

Lesson 4

Better to have zero security than bad security!
1. You save the money.
2. You don't create a false feeling of security!

Use your budget wisely.

A complex security infrastructure requires you to:
– Correlate all the different outputs.
– Consolidate management.
– Have huge technical expertise.
– Advice: look at the vendors' roadmaps and take advantage of the "shopping" trend.

Lesson 5

Choose the right level of paranoia. But remember:
– Systems will fail.
– There is always a weak point.
– Big Brother is watching you.
– "Only the paranoid survive."
  Andrew Grove, Chairman, Intel Corporation
– "Our greatest glory is not in never falling, but in rising every time we fall."
  Confucius

Lesson 6

Understand how the security tools work:
– Knowledge-based vs. behaviour-based
– Black list vs. white list
– Knowledge-based solutions will always be reactive
– Behaviour-based solutions will always be incomplete
– You need both!
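The four bullets worked through in code, as an added example that is not from the slides; it also illustrates myth 1 (a signature-only anti-virus). The signatures, samples and event trace are constructed toy data and the two scanners are hypothetical, not any product's. The signature scanner misses a one-byte variant of a known worm (reactive); the behaviour scanner catches the variant but also flags a backup agent that legitimately fans out to many hosts (incomplete, here in the form of a false positive); the combined function shows why both, plus a white list, are needed.

```python
"""Knowledge-based (signature / black-list) vs. behaviour-based detection.

Added example, not from the slides. SIGNATURES, SAMPLES and EVENTS are
constructed toy data.
"""
from collections import defaultdict
from typing import Optional

# Knowledge base: byte patterns extracted from malware seen *yesterday*.
SIGNATURES = {
    "Worm.Alpha": b"\x90\x90\xeb\x1a\x5e",
    "Worm.Beta": b"GET /default.ida?NNNN",
}

# Constructed payloads seen today.
SAMPLES = {
    "alpha_known": b"\x00\x01\x90\x90\xeb\x1a\x5e\xff",    # yesterday's worm
    "alpha_variant": b"\x00\x01\x90\x90\xeb\x1b\x5e\xff",  # one byte changed
    "backup_tool": b"MZ\x90\x00backup-agent v2",           # benign
}

# Constructed per-process network events: (process, dst_ip, dst_port).
EVENTS = (
    [("alpha_variant", "10.0.0.%d" % i, 445) for i in range(1, 41)]
    + [("backup_tool", "10.0.0.%d" % i, 22) for i in range(1, 41)]
    + [("browser", "93.184.216.34", 443), ("browser", "93.184.216.35", 443)]
)


def signature_scan(sample: bytes) -> Optional[str]:
    """Knowledge-based: exact pattern match. Reactive by construction, it can
    only name what has already been seen, analysed and catalogued."""
    for name, sig in SIGNATURES.items():
        if sig in sample:
            return name
    return None


def behaviour_scan(events, max_hosts: int = 20) -> list:
    """Behaviour-based: a process contacting many distinct hosts on one port
    looks like a scanning worm. Catches the unseen variant, but cannot tell
    the worm from a backup agent that legitimately does the same thing."""
    targets = defaultdict(set)
    for proc, ip, port in events:
        targets[(proc, port)].add(ip)
    return sorted({proc for (proc, _port), ips in targets.items() if len(ips) > max_hosts})


def combined(samples: dict, events, allow_list=()) -> dict:
    """What a practical deployment does: signatures for the known, behaviour
    for the unknown, and a white list to absorb the behaviour engine's known
    false positives."""
    verdicts = {name: signature_scan(data) or "clean" for name, data in samples.items()}
    for proc in behaviour_scan(events):
        if proc not in allow_list and verdicts.get(proc) == "clean":
            verdicts[proc] = "suspicious-behaviour"
    return verdicts
```

`combined(SAMPLES, EVENTS, allow_list=("backup_tool",))` names the known worm by signature, flags the variant on behaviour alone, and leaves the backup agent clean only because someone put it on the white list; without that entry both approaches together still produce the false positive.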

Lesson 7 – Keep it simple, otherwise:

[Photo: Beirut Telecom]

Q & A and Contact Information

• Q & A

Contact information:
Marco Aurélio Pereira
Information Systems Security Business Unit Director
IDW
marco@idw.pt
http://www.idw.pt
+351 21 094 52 00