1
“A careless word… a needless sinking” (Anton Otto Fischer, 1943)
Does IT Security Matter…
Does Information Security Matter?
IT Security and Privacy
GROUP 5: Natalia Hardey, Christopher Boyce, Christopher Rodelas, Michael Bruns, Irene Budiono
Agenda
1. Introduction: Video; IT Security at a Glance; Common IT Security Risks & Costs Involved; IT Security Technologies; Legislation; CSO/CISO Roles
2. Case Studies: Midwestern University; U.S. Army
3. Summary of Best Practices: Organizations; Individuals
4. Q & A
3
It’s not just the technology…
http://www.youtube.com/watch?v=dy4VJP-lZpA
4
Recent IT Breaches
July 2008, University of Nebraska at Kearney – SSNs unaccounted for on university computers
January 2009, White House – “Chinese hackers crack White House”
January 2009, CheckFree Corp. – Five million E-Pay records hacked
January 2009, Heartland Payment Systems – Malicious software on payment processing network
January 2009, U.S. Military – Soldiers’ SSNs found on thrift-store USB drive
5
Information Security
Definition
◦ Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
Confidentiality: Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information;
Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity; and
Availability: Ensuring timely and reliable access to and use of information.
6
Common Security Threats
Vulnerability Issues
◦ CIA Triad: Confidentiality, Integrity, Availability. Mainly concerned with information.
◦ Parkerian Hexad: CIA Triad plus Possession, Authenticity, Utility. Still concerned with information.
7
Information Security
Types of Information Security
◦ Products (Physical Security)
◦ People (Personal Security)
◦ Procedures (Organizational Security)
8
Common Security Threats
Behavioral
◦ Often referred to as ‘Social Engineering’: Phishing Scams, Password Cracking, Disclosure of Financial Information, Disclosure of Personal Information
◦ Often used in conjunction with Malware
Malicious Software (Malware)
◦ Spyware and Adware
◦ Bots (Backdoors)
◦ Viruses, Worms, and Trojans
9
10
The security practitioners surveyed ranked “cloud computing”, mobility, cybercrime and data breach as major threats to organizations’ confidential and sensitive data.
n=577
Mega Trends – IT Security
Cloud Computing
Mobile Workforce
Cybercrime
Outsourcing
Data Breach
11
Costs of IT Security Incidents to Organizations
2008, n=144
12
Although erratic, costs seem to be declining as time progresses
Costs of IT Security Incidents to Organizations
Source: http://i.cmpnet.com/v2.gocsi.com/pdf/CSIsurvey2008.pdf
Type of Incident                  Average Cost per Incident
Financial Fraud                   $463,100
Bot Computers                     $345,600
Loss of Proprietary Information   $241,000
Loss of Confidential Data         $268,000
Virus Incidents                   $40,141
13
Contrary to what many people believe, viruses are not the most costly incidents that can affect an organization
Security Spending and Justification (CSI 2008 Summary)
53% of respondents allocate no more than 5% of their IT budget to IT security
42% spent less than 1% of their security dollars on awareness programs
Low spending is attributed to the perceived financial benefits of security investments (ROI, NPV, IRR)
Security Insurance
14
IT Security Technology Used
CSI 2008 Summary
TECHNOLOGY                        % USE
Anti-virus software               97%
Firewalls                         94%
Virtual Private Network (VPN)     85%
Anti-spyware software             80%
Encryption of data in transit     71%
15
Reasons for not reporting an Incident (CSI 2008 Summary)
On a scale of 1–7, with 1 being least important and 7 being most important
16
Legislation – IT Security
American Recovery and Reinvestment Act
◦ President Barack H. Obama signed into law the American Recovery and Reinvestment Act of 2009 (ARRA)
◦ A significant portion of the ARRA's stimulus expenditures and measures are related to health information technology (HIT) and incentives to adopt electronic health record (EHR) systems.
17
Legislation – IT Security
FERPA
◦ “The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education” http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
◦ Outcome: Rights transfer from parents to students once students reach 18 or are no longer in high school. Gives “eligible students” privacy of their education results, and the right to inspect, review, and correct their information. Schools must inform parents and eligible students of their rights each year.
18
Legislation – IT Security
HIPAA
◦ Health Insurance Portability and Accountability Act of 1996.
◦ Establishes national standards for the security of electronic health care information.
◦ Outcome: Protects patients’ privacy regarding their personal information. Health providers are subject to civil & criminal penalties if they violate patients’ rights under HIPAA: up to $25,000 for multiple violations of the same standard in a calendar year; up to $250,000 and/or 10 years in jail for knowing misuse of patients’ information.
19
Legislation – IT Security
Sarbanes-Oxley Act of 2002
Section 404 of the act addresses testing of general computer controls, such as: data center operating controls, system software controls, access security controls, and application system development and maintenance.
20
LEGISLATION – IT SECURITY
Federal Information Security Management Act (2002)
1. Inventory and Categorization of Information Systems
2. Security Controls
3. Risk Assessment
4. System Security Plan
5. Certification and Accreditation
6. Continuous Monitoring
21
LEGISLATION – IT SECURITY
Federal Information Security Management Act (2008)
22
Created the Chief Information Security Officer (CISO) role
Established the CISO Council
Enhanced the continuous monitoring process
Required additional reporting from DHS
Why was the CISO role created?
Enforce security standards and compliance
Demonstrate to CxOs the positive payback from IT investments for the organization’s goals & strategy
Control and track IT spending (esp. security costs)
Assist other senior managers in achieving business goals and protecting their information
Comply with annual audit requirements
23
24
Company Overview
University Population: 20,000
FY2009 Budget: between $100 & $300 Million
IT Department: Very centralized; Employees: ~60
IT Spend: 7% (higher than average)
IT Security Spend: ~5% of total IT Spend
Customers: Students, Faculty/Staff, Guests, Patients
25
Organizational Structure
26
Top Threats
Phishing (#1 threat)
Security Awareness
Denial of Service
Password Sharing
Malware, Spyware, Bots, etc.
Human error, over which there is no control
Sabotage
27
Denial of Service
28
Gaining the Upper Hand
Centralization
◦ Forces campus-wide policies and procedures
Network Access Control (NAC) System
◦ Authenticates all IP addresses and user names
◦ Continuously ensures that your system is up to date
New threat detection software
◦ Allows for immediate response
Exploiting functionality on legacy software that went unused due to lack of staff
◦ Legacy: obsolete systems that are still in use
29
30
Controls: Student & Faculty
Type of Control                                  Student Computers   Faculty Computers
Connected to the NAC                             YES                 YES
Administrative rights                            NO                  YES
Symantec anti-virus                              YES                 YES
Nightly updates                                  YES                 YES
Security alerted to any virus immediately        YES                 YES
No installs or changes to registry permitted     YES                 NO
Restart returns machine to “frozen state”        YES                 NO
Network Access Security
Port locking in place for wired connections
Wireless access allowed: treated as a hostile network; stores IP and ID information; on a different network than the University’s
Allows wireless usage to grow while mitigating threats
31
How a NAC Works
32
Examples of Practices in Place
Products (Physical Security)
◦ Hard drives wiped with GDisk to DOD standards
◦ Stolen property reported to CSO, police
◦ Machines with student data encrypted
People (Personal Security)
◦ Awareness / Education
◦ Staff to assist with issues
◦ Free anti-virus software for personal machines
Procedures (Organizational Security)
◦ SSN Remediation Project
◦ General Usage Agreement
33
Difficulties and Challenges
Largest obstacle is human (user) error
The “Higher Education Culture”
◦ Staff often lack anti-spyware/anti-spam software
◦ Staff generally have more sensitive data
◦ Staff have unfettered access: no real restrictions except file sharing
34
Recent Developments
Security awareness is much better: promotion, persuasion, mandates
Regulatory issues have become high on the priority list: HIPAA, FERPA, credit card transactions, RIAA suits
35
Biggest Costs
Anti-spam software is the most expensive
Data discovery and litigation lawsuits
◦ New Jan ’08 federal law requires that all data related to lawsuits (like a hiring discrimination lawsuit) must physically be put into secure locations
Anti-virus software
Firewall and hardware
Network Access Control (NAC) software
36
New Security Technology
Host-Based Intrusion Prevention System
◦ Combats attacks at the device and server level
◦ Complements existing investments in network-based IPS without relying on signatures that require near-constant updates
◦ Currently very expensive and little used
Application Firewall
◦ Limits which software applications have access and the type of traffic (such as web browser vs. P2P file-sharing)
37
Chilling Encrypted Data
Princeton computer security researchers discovered that spraying an inverted can of "canned air" on RAM chips can “freeze” the data stored on the chips.
Less than 1 percent of the bits decayed after 10 minutes without power.
When the DRAM chips were cooled to liquid nitrogen temperatures, the Princeton group observed decay rates of 0.17 percent after 60 minutes without power.
38
Biggest Lessons Learned
More often than not, it takes a critical situation for security to be taken seriously
Human error is always the largest threat
The security is only as good as the people using it
39
40
U.S. Army Signal Corps Overview
Size
U.S. Army:
◦ 547,000 Active Duty
◦ 358,200 Nat’l Guard
◦ 206,000 Army Reserve
◦ 65,000 Signal Corps
Budget
U.S. Army: $140.7 Billion (FY09)
41
Signal Corps Mission Statement
The mission of the Signal Corps is to provide and manage communications and information systems support for the command and control of combined arms forces. Signal support includes Network Operations (information assurance, information dissemination management, and network management) and management of the electromagnetic spectrum. Signal support encompasses all aspects of designing, installing, maintaining, and managing information networks to include communications links, computers, and other components of local and wide area networks. Signal forces plan, install, operate, and maintain voice and data communications networks that employ single and multi-channel satellite, tropospheric scatter, terrestrial microwave, switching, messaging, video-teleconferencing, visual information, and other related systems. They integrate tactical, strategic and sustaining base communications, information processing and management systems into a seamless global information network that supports knowledge dominance for Army, joint and coalition operations.
42
US Army Signal Corps
Chain of Command
NETCOM, the 9th Signal Command, has 17,000 soldiers, civilians, and contractors working for it and the various units under its command
43
44
U.S. Federal and Department of the Army ICT Spending (in Billions $)
Category                                   Federal   Army
Data Processing & Telecommunications       $25.4     $3.1
Communication and Detection Equipment      15.4      6.7
Automatic Data Processing Equipment        10.4      3.7
Contracts for Fiber Optics                 0.12      0.03
Structure of Security Network
DOD Network Structure
3 Types of Networks:
1. DOD Machines on Non-DOD Network
2. DOD Machines on DOD Network: NIPR Network, SIPR Network
3. Tactical Networks
Constraints
Satellite Bandwidth: small units still communicate primarily by radio.
Physical Security of Fiber and Cable
45
Structure of Security Network
DOD Network Security
◦ Software Security: DOD centrally disseminates security updates for software; activity of all users is monitored and logged
◦ Physical Security Measures: No USB devices allowed on DOD networks; offices are secured; checklists exist for users and administrators; vaulted computers for highly sensitive information
46
Structure of Security Network
DOD Network Security
◦ Network Security Measures: Three layers of network security: DOD, Army, Installation-level
Password Management: Passwords must be changed every 90 days; can’t roll back to the previous 6 passwords
Network Breaches: Happen rarely; typically a ‘people problem’, not a network problem
47
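The 90-day maximum age and six-password history on the slide above are the two rules a rotation policy has to enforce. The Python below is an added example, not DOD or Army code: it keeps only salted PBKDF2 hashes of the most recent passwords (never the passwords themselves), rejects a new password that matches any of them, and reports when the current one is due for change. The storage layout, the PBKDF2 round count, and the reading of "previous 6" as the six most recently set passwords (current one included) are assumptions made for the demo.

```python
"""Password-rotation policy check: maximum age 90 days, no reuse of the last 6.

Added example, not the Army's or DOD's code. The two policy numbers come from
the slide; keeping salted PBKDF2 hashes (never the passwords) is our assumption.
"""
import hashlib
import os
from typing import List, Tuple

MAX_AGE_SECONDS = 90 * 86400   # "changed every 90 days"
HISTORY_DEPTH = 6              # "can't roll back to previous 6 passwords"
PBKDF2_ROUNDS = 60_000         # demo value; production deployments use more


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; a fresh salt makes each entry independent."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Stores (salt, digest, set_at) for the HISTORY_DEPTH most recent passwords."""

    def __init__(self) -> None:
        self.entries: List[Tuple[bytes, bytes, float]] = []

    def is_reused(self, candidate: str) -> bool:
        """True if `candidate` equals any password still inside the history window."""
        return any(hash_password(candidate, salt) == digest
                   for salt, digest, _ in self.entries)

    def set_password(self, new_password: str, now: float) -> None:
        """Record a new password at epoch time `now`, enforcing the no-reuse rule."""
        if self.is_reused(new_password):
            raise ValueError(f"password matches one of the last {HISTORY_DEPTH}")
        salt = os.urandom(16)
        self.entries.append((salt, hash_password(new_password, salt), now))
        self.entries = self.entries[-HISTORY_DEPTH:]   # forget anything older than 6 back

    def must_change(self, now: float) -> bool:
        """True when no password is set or the current one is 90 or more days old."""
        if not self.entries:
            return True
        return now - self.entries[-1][2] >= MAX_AGE_SECONDS


if __name__ == "__main__":
    history = PasswordHistory()
    history.set_password("correct-horse-2009", now=0)
    print("change due after 89 days:", history.must_change(89 * 86400))
    print("change due after 90 days:", history.must_change(90 * 86400))
    print("reuse blocked:", history.is_reused("correct-horse-2009"))
```

Because the history holds hashes rather than plaintext, a leaked history file gives an attacker no more than the current credential store already would; the cost of the reuse check is one PBKDF2 evaluation per stored entry, which is why the window is bounded at six.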
DOD Information Security
◦ Unclassified Info: Open to all; Need to Know (Not Subject to FOIA)
◦ Classified Info: All classified information is Need to Know; Secret; Top-Secret; Special Security Information
48
Largest IT Threats
What keeps IT pros in the Army up at night?
◦ People not following security regulations!
◦ People are the weakest link in the information security chain
◦ Software security/vulnerabilities aren’t a big concern!
49
Upcoming Technologies
Static Analysis Tools
◦ Used to augment software testing
◦ Looks for errors in code that cause security vulnerabilities
◦ Doesn’t need to run the program
50
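To make concrete what the slide means by a static analysis tool, here is an added Python example (not a tool named on the slide) of the simplest form of one: it parses a program into a syntax tree and flags calls such as eval() or a subprocess call with shell=True, without executing anything. The rule set and the sample program are constructed for the demo; real tools add data-flow tracking so that only arguments an attacker can influence are reported, which keeps the false-positive rate manageable.

```python
"""A minimal static analyser: walks a Python program's syntax tree and reports
calls that commonly cause security bugs, without ever running the program.

Added example, not a tool from the slides; the rule set and the sample program
are ours (constructed for the demo).
"""
import ast
from typing import Dict, List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    line: int
    rule: str
    message: str


# Bare calls and module.attribute calls worth a reviewer's attention.
RISKY_BUILTINS: Dict[str, str] = {
    "eval": "eval() runs whatever string it is given",
    "exec": "exec() runs whatever string it is given",
}
RISKY_QUALIFIED: Dict[Tuple[str, str], str] = {
    ("os", "system"): "os.system() hands a string to the shell",
    ("pickle", "loads"): "pickle.loads() can execute code from untrusted bytes",
}


def qualified_name(node: ast.AST) -> Optional[Tuple[str, str]]:
    """('os', 'system') for an `os.system` reference, else None."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return (node.value.id, node.attr)
    return None


def has_shell_true(call: ast.Call) -> bool:
    """True if the call passes the literal keyword argument shell=True."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


class RiskyCallScanner(ast.NodeVisitor):
    """Collects a Finding for every call expression that matches a rule."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Name) and func.id in RISKY_BUILTINS:
            self.findings.append(Finding(node.lineno, func.id, RISKY_BUILTINS[func.id]))
        qualified = qualified_name(func)
        if qualified in RISKY_QUALIFIED:
            self.findings.append(Finding(node.lineno, ".".join(qualified),
                                         RISKY_QUALIFIED[qualified]))
        elif qualified and qualified[0] == "subprocess" and has_shell_true(node):
            self.findings.append(Finding(node.lineno, "subprocess-shell",
                                         "subprocess call with shell=True builds a shell command"))
        self.generic_visit(node)   # keep walking: calls can nest inside arguments


def scan_source(source: str) -> List[Finding]:
    """Parse `source` and return findings in source order; nothing is executed."""
    scanner = RiskyCallScanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


# Constructed sample program for the demo (it is parsed, never run).
SAMPLE_PROGRAM = """\
import os, subprocess, pickle

def handle(user_input):
    os.system("ls " + user_input)              # line 4: shell string built from input
    subprocess.run(user_input, shell=True)     # line 5: shell=True
    subprocess.run(["ls", user_input])         # line 6: argument list, no finding
    return eval(user_input)                    # line 7: eval on input
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_PROGRAM):
        print(f"line {finding.line}: {finding.rule}: {finding.message}")
```

Run against the sample it reports lines 4, 5 and 7 and stays silent on line 6, which is the point of the slide's "doesn't need to run the program": the verdict comes from the code's shape, so it can be produced in a build pipeline before anything is deployed.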
Upcoming Technologies
Preventing Internal Theft of Information and Hardware
◦ Design an architecture that runs all processes on a secure server, accepts only mouse and keyboard input from users, and returns compressed streaming video
◦ Place limits on video bandwidth and print bandwidth
◦ Firewall all servers; allow only trusted programs to run
◦ Physically secure the server location
◦ Don’t allow any processes to run on user terminals
51
Upcoming Technologies
Future Combat Systems
◦ Often derided as “Cell Phones for Soldiers”
◦ Provide secure communications using a self-organizing network, with radios that act as both transmitter and receiver, and provide voice, text, picture, and limited video communications
◦ Biggest Challenge: TCP/IP is not a sufficiently capable protocol for FCS wireless ad-hoc or mesh networks. FCS will require a new network structure.
52
Consolidation of LandWarNet
Organizational Changes
◦ NETCOM now has technical authority over all network hardware and software
People Changes
◦ No important changes
Product Changes
◦ There will be a standardized “enterprise software suite” that will be made available to all Army personnel
◦ Hardware will be centralized, capabilities standardized
53
54
Best Practices – Organizations
Centralize
Standardize (ERP)
Manage users
Awareness Training
◦ Level of security awareness: Education: 9.2%; Government: 22.2%
Use separate machines to access sensitive information (case #2)
Using a Password Manager helps
◦ Users store passwords securely on a computer hard drive, mobile devices, or an online website
◦ To encrypt personal files or data sent via email
56
Awareness Training
Involve top management
Set up topics
Clearly communicate the goals of each training session
Define and explain each topic to trainees
◦ Ensure they receive training on each topic (and its risks) and that they are equipped with prevention methods at the end of the session
Regular (annual) sessions, and sessions for new staff
57
Characteristics of Effective Security Governance
An enterprise-wide issue
Leaders are accountable
Viewed as a business requirement
Risk-based
Roles, responsibilities, and segregation of duties defined
Addressed and enforced in policy
Adequate resources committed
Staff aware and trained
A development life cycle requirement
58
Information Security Policy within an Organization (CSI 2008 Summary)
59
Techniques Used to Evaluate Security Technology (CSI 2008 Summary)
60
Organizations are using a variety of methods to evaluate security technologies
What this means for CISO(s)?
Information Security is IMPORTANT!!
Business success depends on IT (security)
Work towards IT centralization
Awareness Training is essential
◦ To keep people aware of current & potential information risks and how to keep away from them
Plan the security strategy
61
Security Strategy
“Five Principles of Security”
1. Planning
2. Proactive
3. Protection
4. Prevention
5. Pitfalls
62
What Can I Do?
Use multiple strong passwords
Use antivirus and antispyware software and keep it updated
Use a firewall
Download Windows security updates
Stay informed about current email viruses and phishing scams
63
Example of a SiteKey
64
Time to crack *your* password
65
Character Set →
Password Length   26 – Letters       36 – Letters and Digits   52 – Letters and Digits with upper and lower case
3                 0.18 seconds       0.47 seconds              1.41 seconds
4                 4.57 seconds       16.8 seconds              1.22 minutes
5                 1.98 minutes       10.1 minutes              1.06 hours
6                 51.5 minutes       6.05 hours                13.7 days
7                 22.3 hours         9.07 days                 3.91 months
8                 24.2 days          10.7 months               17.0 years
9                 1.72 years         32.2 years                8.82 centuries
10                44.8 years         1.16 millennia            45.8 millennia
11                11.6 centuries     41.7 millennia            2,384 millennia
12                30.3 millennia     1,503 millennia           123,946 millennia
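The table above is keyspace size divided by guess rate: every entry is reproduced by assuming 100,000 guesses per second and 365-day years (the 52-character column is upper- plus lower-case letters; adding digits would make it 62). The Python below is an added example, not from the slide's source, that recomputes the table for any rate so a reader can see how the numbers shift as guessing gets faster; the guess rate is an assumption chosen to match the slide. Recomputing also surfaces one discrepancy: for 52 characters and length 6, 52^6 / 10^5 seconds is about 2.3 days, not the 13.7 days printed in the table.

```python
"""Brute-force search time as a function of password length and character set.

Added example, not from the slides. The guess rate is our assumption, chosen
because 100,000 guesses per second reproduces the slide's figures.
"""
from typing import List, Tuple

GUESSES_PER_SECOND = 100_000   # assumed attacker speed (reproduces the slide's table)
YEAR = 365 * 86400             # the slide's figures use 365-day years

# Character-set sizes from the slide. 52 is upper- plus lower-case letters.
CHARSETS: List[Tuple[str, int]] = [
    ("26 letters", 26),
    ("36 letters+digits", 36),
    ("52 mixed-case letters", 52),
]

# (unit name, seconds per unit), largest first.
UNITS: List[Tuple[str, float]] = [
    ("millennia", 1000 * YEAR),
    ("centuries", 100 * YEAR),
    ("years", YEAR),
    ("months", YEAR / 12),
    ("days", 86400),
    ("hours", 3600),
    ("minutes", 60),
    ("seconds", 1),
]


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def crack_seconds(charset_size: int, length: int,
                  rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(charset_size, length) / rate


def human_duration(seconds: float) -> str:
    """Express a duration in the largest unit it fills, as the slide does."""
    for name, size in UNITS:
        if seconds >= size or name == "seconds":
            value = seconds / size
            # three significant figures below 100, whole numbers with separators above
            text = f"{value:,.0f}" if value >= 100 else f"{value:.3g}"
            return f"{text} {name}"
    return f"{seconds} seconds"  # not reached: the "seconds" unit always matches


def crack_table(lengths=range(3, 13), rate: float = GUESSES_PER_SECOND) -> List[List[str]]:
    """Rows of the slide's table: a header, then one row per password length."""
    rows = [["length"] + [name for name, _ in CHARSETS]]
    for n in lengths:
        rows.append([str(n)] + [human_duration(crack_seconds(size, n, rate))
                                for _, size in CHARSETS])
    return rows


if __name__ == "__main__":
    for row in crack_table():
        print("".join(f"{cell:>24}" for cell in row))
```

Passing a larger `rate` to crack_table() (offline cracking of unsalted hashes on commodity hardware runs many orders of magnitude faster than 10^5 guesses per second) shrinks every entry proportionally, which is the argument for length and for slow, salted password hashing rather than for clever character mixes alone.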
Identity Theft
http://www.youtube.com/watch?v=ZIC57kbD_W8
66
New Future Technology – Fee By FingerPrint
http://www.youtube.com/watch?v=frnYEJK8XMA
67
Internet Security in a Nutshell
Threat: Spyware
  How it happens: Downloading files and installing free or unknown software from untrusted sources.
  What it does: Computer can become unstable or unusable; keystroke logging.
  How to stop it: Use anti-spyware, regular scans, avoid the unknown.
Threat: Viruses, worms, malware, trojans
  How it happens: Opening unsolicited email and attachments, clicking on pop-ups.
  What it does: Files can be destroyed, hackers can gain control, replication and distribution on the network.
  How to stop it: Install and update anti-virus and firewall software, avoid the unknown.
Threat: Phishing scams and identity theft
  How it happens: Replying to or clicking on links in emails that appear legitimate but aren’t; conducting business on unsecure sites.
  What it does: Can compromise your identity, financial information and security.
  How to stop it: Encrypted financial transactions; never reply to emails asking for passwords or personal information; cookie notification.
68
References
Slide 1: “A careless word… a needless sinking”, Anton Otto Fischer, Artist, 1943, Office of War Information
Slide 4:
Heartland Payment Systems: http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html
All others: http://www.privacyrights.org/ar/ChronDataBreaches.htm#2009
White House: Anonymous (2009), Information Management Journal, Jan/Feb 2009, 43, 1, pg. 10
Slides 6 & 8: http://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003542----000-.html
Slide 7: http://www.zdnetasia.com/techguide/security/0,39044901,62044759,00.htm
Slide 9: http://www.albany.edu/its/security_threats.htm
Slides 10 & 11: http://www.lumension.com/viewDocument.jsp?id=148524
Slides 12–16 & 59–60: http://i.cmpnet.com/v2.gocsi.com/pdf/CSIsurvey2008.pdf
69
References
Slides 17 & 20:
http://www.iasplus.com/dttpubs/0502soxfpi.pdf
http://www.foley.com/publications/pub_detail.aspx?pubid=5726
Slide 18:
http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Slide 19:
http://proquest.umi.com/pqdweb?index=11&did=1469228581&SrchMode=1&sid=1&Fmt=6&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1240504144&clientId=45249
Gupta, A. K., DO, MS (2008). How to Protect Your Data When You’re on the Web.
Slides 21 & 22:
http://blog.isc2.org/isc2_blog/2008/10/fisma-2008---wh.html
http://www.sec-oig.gov/Reports/AuditsInspections/2008/451final.pdf
Slide 23:
Mechling, J. (2009). What does your CIO really need to know?, Government Finance Review, Feb 2009, 25, 1, pg. 79. Accessed from ABI/INFORM Global database.
Rau, K. G. (2004). Effective Governance of IT: Design Objectives, Roles, and Relationships, Information Systems Management, Fall 2004, 21, 4, pg. 35. Accessed from ABI/INFORM Global database.
70
References
Slides 25–27, 36–37: Interview
Slide 28: http://static.howstuffworks.com/gif/zombie-computer-3d.jpg
Slide 29: http://www.answers.com/topic/legacy-system
Slide 35: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd802da1b5_ps10264_Products_Data_Sheet.html
Slide 38: Swartz, N. (2008). Chilling Encrypted Data, Information Management Journal, May/June 2008, 42, 3, pg. 12
Slide 41:
http://www.army.mil/aps/08/critical_challenges/critical_challenges.html (accessed 21 Apr 09)
http://www.gordon.army.mil/Signal/pdf_2009/GoSignal.pdf
Slide 42: http://www.branchorientation.com/signal/mission.html
71
References
Slide 43: http://www.netcom.army.mil/about/docs/NETCOM_Brochure.pdf
Slide 44: http://usaspending.gov/
Slide 50: Anderson, P. Improving Software Reliability and Security with Automated Analysis. MILCOM 2008. IEEE Database.
Slide 51: Fisk, Miller, and Kent. Global Virtual Vault: Preventing Unauthorized Physical Disclosure by the Insider. MILCOM 2008. IEEE Database.
Slide 52: Striki, McAuley, and Morera. Modeling Topology Dissemination for Routing in Future Force Networks. MILCOM 2008, 16–19 Nov. 2008. IEEE Xplore Database. Accessed 26 Apr 2009. http://ieeexplore.ieee.org/search/searchresult.jsp?queryText=(future+combat+systems+%3Cin%3E+metadata)+%3Cand%3E+(4753027+%3Cin%3E+isnumber)&coll2=ieeecnfs&coll3=ieecnfs&history=yes&reqloc=others&scope=metadata&imageField2.x=0&imageField2.y=0
72
References
Slide 52: Wang, Hag, Schmidt, and Corsaro. Toward an Adaptive Data Distribution Service for Dynamic Large-Scale Network-Centric Operation and Warfare (NCOW) Systems. MILCOM 2008, 16–19 Nov. 2008. IEEE Xplore Database. Accessed 26 Apr 2009. http://ieeexplore.ieee.org/search/searchresult.jsp?queryText=(future+combat+systems+%3Cin%3E+metadata)+%3Cand%3E+(4753027+%3Cin%3E+isnumber)&coll2=ieeecnfs&coll3=ieecnfs&history=yes&reqloc=others&scope=metadata&imageField2.x=0&imageField2.y=0
Slides 45–49, 53: Personal interview with Lt. Col. Warren Griggs.
Slides 56–57:
http://www.cp-lab.com/
Rotvold, G. (2008). How to Create a Security Culture in Your Organization, Information Management Journal, 42, 6, pg. 32. Accessed from ABI/INFORM Database.
Slide 58: Allen, J. H. (2007). Governing for Enterprise Security, Carnegie Mellon University, Software Engineering Institute.
Slide 61: Mechling, J. (2009). What does your CIO really need to know?, Government Finance Review, Feb 2009, 25, 1, pg. 79. Accessed from ABI/INFORM Global database.
73
References
Slide 62: Pollitt, D. (2005). Energis trains employees and customers in IT security, Human Resource Management International Digest, 13, 2, p. 25. Accessed from ABI/INFORM Database.
Slide 63:
http://www.btcoinc.com/images/security300x350.jpg
http://www.jisclegal.ac.uk/graphics/esecurity.jpg
Slide 65: http://www.oit.osu.edu/networking/osunet/Password_Best_Practices.pdf
Slide 66: http://www.youtube.com/watch?v=ZIC57kbD_W8
Slide 67: http://www.youtube.com/watch?v=frnYEJK8XMA
74