C15: Building a Secure Infrastructure
Faculty: Scott Greene of Evidence Solutions, Inc.
1: Take control of remote sessions
◦ I do a lot of remote support. For that support, I use either LogMeIn or TeamViewer. Inevitably, I run into clients who constantly want to “show me” what’s going on, take over the mouse to point out something different, or even use their machine for something else (like replying to an email that should be able to wait). Outside of annoying any support tech, this does one thing — extends the length of time needed to do a job.
10 Things Users do to Drive you Crazy
2: Give too much irrelevant information about an issue
◦ What I really want to know is that you clicked on an attachment that was in an email. I don’t care to know the email was originated by your grandmother on your father’s side and the email had the most darling picture of kittens and puppies playing together in a field of daisies. I also don’t care that you were sitting at your desk, having your usual lunch of yogurt and sliced apples dipped in caramel when everything started to go down the drain. Get to the point, give me the facts, and I will do my job to the best of my ability.
10 Things Users do to Drive you Crazy
Just because a network has been designed well does not mean it is, or will remain, secure.
No audit, internal, external, compliance-related or not, can by itself ensure a network is secure.
The real benefit of designing a secure infrastructure comes from implementing its recommendations on how security controls can be improved, dealing with any concerns reported, and more closely aligning information security needs and risk mitigation with business goals.
Disclaimer
Protect the Information
Provide Access
A new web threat is detected every 4.5 seconds.
◦ SophosLabs, published in Sophos Security Threat Report Mid-Year 2011
Why?
Why the focus on the Web?
◦ Because it works!
Over the last year, we’ve seen major breaches, at companies including Sony, RSA, and Zappos.com, and several U.S. military contractors.
All from a click on a malicious link.
Why?
These can help create a framework of security:
◦ Health Insurance Portability & Accountability Act (HIPAA) (1996)
◦ Gramm-Leach-Bliley (1999)
◦ Homeland Security Act (2002)
◦ Federal Information Security Management Act (FISMA)
◦ Federal Information Processing Standard (FIPS) (2010)
◦ Payment Card Industry Data Security Standard (PCI / PCI DSS)
Regulations
Federal Information Processing Standards
◦ Publicly available standards developed by the United States Federal government for use by all non-military government agencies and by government contractors.
◦ Many FIPS standards are modified versions of standards used in the wider community (ANSI, IEEE, ISO, etc.)
FIPS
FIPS is used to manage risk by selecting and implementing security controls in the organizational information system, including:
◦ 1) Applying the organization’s approach to managing risk
◦ 2) Categorizing the information system and determining the system impact level in accordance with FIPS 199 and FIPS 200, respectively;
◦ 3) Selecting security controls, including tailoring the initial set of baseline security controls and supplementing the tailored baseline as necessary based on an organizational assessment of risk;
◦ 4) Assessing the security controls as part of a comprehensive continuous monitoring process.
FIPS – The Process
Categorize
◦ the information processed, stored, and transmitted by that system
FIPS – The Process of Managing Risk
Select
◦ an initial set of baseline security controls for the information system based on the system impact level and minimum security requirements
◦ apply tailoring guidance by supplementing the baseline security controls based on an organizational assessment of risk and local conditions, including environment of operation, organization-specific security requirements, specific threat information, cost-benefit analyses, or special circumstances; and specify assurance requirements
FIPS – The Process of Managing Risk
Implement
◦ the security controls and document how the controls are employed within the information system and its environment of operation.
FIPS – The Process of Managing Risk
Assess
◦ the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
FIPS – The Process of Managing Risk
Security Categorization
SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}
(confidentiality x impact) + (integrity x impact) + (availability x impact)
FIPS & FISMA – The Formula
Confidentiality:
◦ “the property that data or information is not made available or disclosed to unauthorized persons or processes.”
FIPS & FISMA – The Formula
Integrity is:
◦ “the property that data or information have not been altered or destroyed in an unauthorized manner.”
FIPS & FISMA – The Formula
Availability is:
◦ “the property that data or information is accessible and useable upon demand by an authorized person.”
FIPS & FISMA – The Formula
Impact
◦ N/A
◦ Low
◦ Moderate
◦ High
FIPS & FISMA – The Formula
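The categorization described on the preceding slides, worked as an added example (not part of the presentation): it builds the SC tuple from the information types a system hosts and derives the overall system impact level as the FIPS 199/200 "high water mark", the highest of the three objectives. The information types are constructed for illustration.

```python
"""FIPS 199 security categorization of an information system.

Added example, not the presentation's own material. It builds the SC tuple
the slide shows, SC = {(confidentiality, impact), (integrity, impact),
(availability, impact)}, for a system hosting several information types and
derives the overall system impact level the way FIPS 199 and FIPS 200 do:
per objective, the highest impact of any hosted information type, and for
the system as a whole the highest of the three objectives (the "high water
mark"). "N/A" is only permitted for confidentiality (public information).
The information types below are constructed for illustration.
"""
from typing import Dict, List, NamedTuple

# Impact levels from the slide, ordered lowest to highest.
IMPACT_ORDER = ("N/A", "Low", "Moderate", "High")
OBJECTIVES = ("confidentiality", "integrity", "availability")


class InformationType(NamedTuple):
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _check(level: str, objective: str) -> None:
    """Reject unknown levels and N/A outside confidentiality (FIPS 199)."""
    if level not in IMPACT_ORDER:
        raise ValueError(f"unknown impact level {level!r}")
    if level == "N/A" and objective != "confidentiality":
        raise ValueError(f"N/A is not a valid {objective} impact level")


def categorize(info_types: List[InformationType]) -> Dict[str, str]:
    """Return {objective: impact}: per objective, the highest impact
    assigned to that objective by any hosted information type."""
    sc = {obj: ("N/A" if obj == "confidentiality" else "Low")
          for obj in OBJECTIVES}
    for info in info_types:
        for obj in OBJECTIVES:
            level = getattr(info, obj)
            _check(level, obj)
            if IMPACT_ORDER.index(level) > IMPACT_ORDER.index(sc[obj]):
                sc[obj] = level
    return sc


def high_water_mark(sc: Dict[str, str]) -> str:
    """Overall system impact level: the highest of the three objectives.
    FIPS 200 uses this single level to pick the Low/Moderate/High control
    baseline that the 'Select' step starts from."""
    return max(sc.values(), key=IMPACT_ORDER.index)


def format_sc(sc: Dict[str, str]) -> str:
    """Render the categorization in the notation used on the slide."""
    body = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return "SC information system = {" + body + "}"


# Constructed sample: a public web site that also takes customer orders.
SAMPLE_SYSTEM = [
    InformationType("public web content", "N/A", "Moderate", "Moderate"),
    InformationType("customer order records", "Moderate", "Moderate", "Low"),
    InformationType("payment card data", "High", "High", "Low"),
]

if __name__ == "__main__":
    sc = categorize(SAMPLE_SYSTEM)
    print(format_sc(sc))
    print("system impact level (high water mark):", high_water_mark(sc))
```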
Access Control (AC):
◦ Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.
FIPS – Minimum Security Requirements
Awareness and Training (AT):
◦ Organizations must:
  ▪ Ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems;
  ▪ Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
FIPS – Minimum Security Requirements
Audit and Accountability (AU):
◦ Organizations must:
  ▪ Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity;
  ▪ Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
FIPS – Minimum Security Requirements
Certification, Accreditation, and Security Assessments (CA):
◦ Organizations must:
  ▪ Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application;
  ▪ Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems;
  ▪ Authorize the operation of organizational information systems and any associated information system connections;
  ▪ Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
© Evidence Solutions, Inc. 2011. The Computer, Technology, and Digital Forensics Firm.
FIPS – Minimum Security Requirements
Configuration Management (CM):
◦ Organizations must:
  ▪ Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles;
  ▪ Establish and enforce security configuration settings for information technology products employed in organizational information systems.
FIPS – Minimum Security Requirements
Contingency Planning (CP):
◦ Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.
FIPS – Minimum Security Requirements
Identification and Authentication (IA):
◦ Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
FIPS – Minimum Security Requirements
Incident Response (IR):
◦ Organizations must:
  ▪ Establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities;
  ▪ Track, document, and report incidents to appropriate organizational officials and/or authorities.
FIPS – Minimum Security Requirements
Maintenance (MA):
◦ Organizations must:
  ▪ Perform periodic and timely maintenance on organizational information systems;
  ▪ Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
FIPS – Minimum Security Requirements
Media Protection (MP):
◦ Organizations must:
  ▪ Protect information system media, both paper and digital;
  ▪ Limit access to information on information system media to authorized users;
  ▪ Sanitize or destroy information system media before disposal or release for reuse.
FIPS – Minimum Security Requirements
Physical and Environmental Protection (PE):
◦ Organizations must:
  ▪ Limit physical access to information systems, equipment, and the respective operating environments to authorized individuals;
  ▪ Protect the physical plant and support infrastructure for information systems;
  ▪ Provide supporting utilities for information systems;
  ▪ Protect information systems against environmental hazards;
  ▪ Provide appropriate environmental controls in facilities containing information systems.
FIPS – Minimum Security Requirements
Planning (PL):
◦ Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.
FIPS – Minimum Security Requirements
Personnel Security (PS):
◦ Organizations must:
  ▪ Ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions;
  ▪ Ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers;
  ▪ Employ formal sanctions for personnel failing to comply with organizational security policies and procedures.
FIPS – Minimum Security Requirements
Risk Assessment (RA):
◦ Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.
FIPS – Minimum Security Requirements
System and Services Acquisition (SA):
◦ Organizations must:
  ▪ Allocate sufficient resources to adequately protect organizational information systems;
  ▪ Employ system development life cycle processes that incorporate information security considerations;
  ▪ Employ software usage and installation restrictions;
  ▪ Ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.
FIPS – Minimum Security Requirements
System and Communications Protection (SC):
◦ Organizations must:
  ▪ Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems;
  ▪ Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.
FIPS – Minimum Security Requirements
System and Information Integrity (SI):
◦ Organizations must:
  ▪ Identify, report, and correct information and information system flaws in a timely manner;
  ▪ Provide protection from malicious code at appropriate locations within organizational information systems;
  ▪ Monitor information system security alerts and advisories and take appropriate actions in response.
FIPS – Minimum Security Requirements
3: Blame the issue on something I (or another tech) did previously
◦ Yes, I’ve worked on your machine before. No, what I did last time to help you remap your K drive had zero effect on the fact that now you can’t get a network connection. Although they may be related, they are not directly cause and effect. Trust me on this. I’m not trying to pull a fast one on you, and I am 100 percent sure that the K drive issue is not related. But on the off chance that you simply will not believe me, I will do everything I can to show you the two are not related in any way. If you still don’t believe me, I have a list of other consultants who will be happy to have your work — until they’re no longer happy to have your work.
10 Things Users do to Drive you Crazy
4: Lie
◦ This one should not need any explanation. But for those who have yet to experience the liar, let me set the stage. There are times when you log into a user’s machine and discover that something obviously has been done — a profile or program deleted — that can be done only by an end user. When an end user has made such a mistake, he or she will sometimes try to deny doing anything to cause the problem. That’s fine. But most support professionals can see through the thinly veiled lie. We know the truth… so it’s okay to admit it.
10 Things Users do to Drive you Crazy
Monitoring vs. Prevention
◦ Monitoring causes the system(s) to report events
◦ Prevention causes the system(s) to interrupt events
  ▪ May require additional integration between vendors
Considerations
◦ Security is inconvenient
◦ Know what you are defending
◦ Review the current threats often
◦ Users are unsophisticated
◦ Anonymous is good at what it does / The bad guys are good at what they do / It is the only thing they do
◦ Resources / Money / Budget
Know What you are Up Against
Evaluate Risks and Threats
◦ What is critical to your business unit?
◦ How do you protect it?
◦ How do you prevent downtime?
◦ How do you get back up and running quickly?
Just because you have technology protecting your network doesn’t mean it is all working
65% of all attacks are internal
Know What you are Up Against
In 2011
◦ 39% of email-borne malware consisted of hyperlinks, not attachments;
◦ That’s up from 24% of email in 2010
- Symantec’s Internet Security Threat Report.
Endpoint Security
Almost half of malicious software communicates out over the Internet within 60 seconds of infecting a computer, and about 80% of those communications use some form of Web protocol.
- Websense.
Endpoint Security
◦ It used to be that porn was driving this issue
◦ Followed closely by gambling
◦ In the last two years, however, the field has changed; it is now religious sites
Endpoint Security
Windows 7 allows for Software Restriction Policies (SRPs)
◦ The Path Rule
◦ The Hash Rule
◦ The Publisher Rule
◦ Audit mode
◦ Configuring AppLocker
◦ Experimenting with AppLocker
Windows 7 and AppLocker
Background of SRPs
◦ SRPs have been around since Active Directory 1.0 (Win 2000)
◦ Windows has sported Software Restriction Policies, or SRPs for short.
◦ SRPs allowed administrators to configure their Active Directory networks in one of two ways:
  ▪ A blacklist (most common)
  ▪ A whitelist (most secure)
Windows 7 and AppLocker
Background of SRPs
◦ A blacklist (most common)
  ▪ Allows anything to run except what is on the black list.
◦ A whitelist (most secure)
  ▪ Only lets items run that are on the white list.
  ▪ What about Notepad, Calculator, etc.?
Windows 7 and AppLocker
The Path Rule
◦ Allows users to run applications from a specific location.
◦ It is generally impractical for most organizations
◦ Executables live in a single folder on the user’s workstation (or on the network).
◦ Allows for multiple path rules
◦ Becomes unwieldy quickly
◦ “It’s OK to run apps that live in \\SW\GOODAPPS”
  ▪ any user with write permissions can just copy an application to the “goodapps” path and then run it.
◦ In AppLocker, default path rules exist to permit running applications in the Windows folder and the Program Files folder.
Windows 7 and AppLocker
The Hash Rule
◦ The hash rule requires that you point Windows to the actual executable file that you wish to allow or deny in your additional rules, so that Windows can generate a cryptographic hash that is specific to that binary file.
◦ While the hash rule addresses the ease with which path rules can be obfuscated, it presents an additional burden for administrators:
  ▪ Plenty of up-front work generating hashes
  ▪ New hash rules must be generated every time an executable changes
  ▪ Hashes have a slight negative impact on workstation performance
Windows 7 and AppLocker
The Publisher Rule
◦ Avoids the problem with users circumventing path rules by renaming executables
◦ Allows administrators to allow or deny certificate-based applications
◦ Uses standards like digital signatures
◦ Uses publisher rules to specify allowed or disallowed versions.
◦ Can use a range of versions
Windows 7 and AppLocker
Audit Mode versus Enforce Rules
◦ Audit mode is a great way of gauging the potential impact of AppLocker without actually denying anyone the right to run an application. This mode is used for testing.
◦ Audit mode generates a list of applications that will fail and pass under the rules you’ve created
◦ This lets you identify potential problems before that unpleasant phone call from a frustrated user.
◦ This mode helps limit the impact of rules on the brass (as well as the rest of the users)
Windows 7 and AppLocker
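The three rule types and the audit-versus-enforce distinction from the preceding AppLocker slides, modelled as an added example (not AppLocker's own code and not from the presentation). Executables are plain records; the publisher/product/version fields are a constructed stand-in for what a real publisher rule reads from the binary's Authenticode signature.

```python
"""Model of AppLocker's path, hash and publisher rules and of audit mode.

Added example, not AppLocker's own code and not from the presentation: it
re-implements the decision logic the slides describe so the trade-offs can be
exercised offline. Executables are plain records (path, file bytes and a
constructed stand-in for the Authenticode publisher/product/version fields
that a real publisher rule reads from the binary's signature).
"""
import fnmatch
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Executable:
    path: str
    content: bytes
    signature: Optional[Dict[str, str]] = None   # constructed signature metadata


@dataclass
class Rule:
    kind: str             # "path", "hash" or "publisher"
    action: str           # "allow" or "deny"
    pattern: str = ""     # path glob, hex SHA-256 digest, or publisher name
    product: str = "*"    # publisher rules only; "*" = any product
    min_version: Tuple[int, ...] = (0,)
    max_version: Tuple[int, ...] = (65535,)

    def matches(self, exe: Executable) -> bool:
        if self.kind == "path":
            # Case-insensitive glob such as \\SW\GOODAPPS\* : anything copied
            # into that folder matches, which is the weakness the slide notes.
            return fnmatch.fnmatch(exe.path.lower(), self.pattern.lower())
        if self.kind == "hash":
            # Any change to the bytes changes the digest, so the rule must be
            # regenerated for every new build.
            return hashlib.sha256(exe.content).hexdigest() == self.pattern.lower()
        if self.kind == "publisher":
            sig = exe.signature
            if not sig:
                return False      # unsigned binaries never match a publisher rule
            version = tuple(int(p) for p in sig["version"].split("."))
            return (sig["publisher"] == self.pattern
                    and self.product in ("*", sig["product"])
                    and self.min_version <= version <= self.max_version)
        raise ValueError(f"unknown rule kind {self.kind!r}")


@dataclass
class Policy:
    rules: List[Rule]
    mode: str = "audit"                 # "audit" (log only) or "enforce"
    audit_log: List[str] = field(default_factory=list)

    def decide(self, exe: Executable) -> str:
        """Whitelist semantics: an explicit deny wins, then an allow, else deny."""
        if any(r.action == "deny" and r.matches(exe) for r in self.rules):
            return "deny"
        if any(r.action == "allow" and r.matches(exe) for r in self.rules):
            return "allow"
        return "deny"

    def run(self, exe: Executable) -> bool:
        """True if the executable may run. In audit mode everything runs, but
        each would-be denial is recorded so the rules can be tuned first."""
        decision = self.decide(exe)
        if decision == "deny" and self.mode == "audit":
            self.audit_log.append(f"would deny: {exe.path}")
            return True
        return decision == "allow"


# Constructed sample binaries; the contents are placeholders, not PE files.
CONTOSO = {"publisher": "O=CONTOSO, L=REDMOND", "product": "REPORT", "version": "2.1.0.0"}
GOOD_APP = Executable(r"\\SW\GOODAPPS\report.exe", b"report build 2.1", CONTOSO)
COPIED_TOOL = Executable(r"\\SW\GOODAPPS\tool.exe", b"unknown tool")   # dropped into the allowed path
PATCHED_APP = Executable(r"\\SW\GOODAPPS\report.exe", b"report build 2.2", CONTOSO)
OLD_SIGNED = Executable(r"C:\Users\a\Downloads\report.exe", b"report build 1.0",
                        {**CONTOSO, "version": "1.0.0.0"})
SAMPLES = (GOOD_APP, COPIED_TOOL, PATCHED_APP, OLD_SIGNED)

PATH_POLICY = Policy([Rule("path", "allow", r"\\SW\GOODAPPS\*")], mode="enforce")
HASH_POLICY = Policy([Rule("hash", "allow", hashlib.sha256(GOOD_APP.content).hexdigest())],
                     mode="enforce")
PUBLISHER_POLICY = Policy([Rule("publisher", "allow", "O=CONTOSO, L=REDMOND", "REPORT", (2, 0, 0, 0))],
                          mode="enforce")

if __name__ == "__main__":
    for name, policy in (("path", PATH_POLICY), ("hash", HASH_POLICY), ("publisher", PUBLISHER_POLICY)):
        print(f"{name:9s}", [policy.run(exe) for exe in SAMPLES])
    audit = Policy(HASH_POLICY.rules, mode="audit")
    audit.run(COPIED_TOOL)
    print("audit log:", audit.audit_log)
```

Run it and compare the four columns: the path rule lets the copied tool and the patched build run, the hash rule blocks both, and the publisher rule blocks only the unsigned tool and the out-of-range version.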
Configuring AppLocker
◦ Use the Active Directory Group Policy on the server
◦ Install Remote Server Administration Tools in Windows 7
  ▪ This installs an updated GPMC
  ▪ The RSAT for Windows 7 is not the same as the RSAT for Vista
Windows 7 and AppLocker
Experimenting with AppLocker
◦ Start by working with a test machine that’s not connected to your network.
◦ Start with local Group Policy settings rather than network-based settings.
◦ Start with the blacklist model in which the default behavior is to allow everything.
◦ Leave the AppID service start type as manual, so if you get into trouble, you can reboot.
Windows 7 and AppLocker
5: Take control of conversations
◦ When I’m trying to explain an issue to an end user, it really bugs me when that user takes over the conversation, preventing me from being able to effectively communicate either the problem or the solution. Generally, these people tend to have more to say on the issue than necessary and assume what they have to add to the situation is far more important than what they have to learn. If those end users would stop and listen for once, the reoccurring issue I am trying to help them with might not reoccur.
10 Things Users do to Drive you Crazy
Endpoint Security
BlackHole Exploit Kit
◦ A type of crimeware Web application developed in Russia to help hackers take advantage of unpatched exploits in order to hack computers via malicious scripts planted on compromised websites. Unsuspecting users visiting these compromised sites would be redirected to a browser vulnerability-exploiting malware portal website in order to distribute banking Trojans or similar malware through the visiting computer.
◦ Blackhole exploit kits are based on PHP and a MySQL backend and incorporate support for exploiting the most widely used and vulnerable security flaws in order to provide hackers with the highest probability of successful exploitation. The kits typically target versions of the Windows operating system and applications installed on Windows platforms.
◦ The first Blackhole exploit kit appeared on the black market in August 2010 as a Web application available for sale on a subscription basis ($1,500 for an annual license). Newer releases and a free version of the Blackhole exploit kit have since appeared on warez download sites. The most well-known Blackhole exploit kit attack targeted the U.S. Postal Service's Rapid Information Bulletin Board System (RIBBS) website in April 2011.
These direct Web attacks typically consist of six stages
◦ First: The Lure
◦ Second: The Redirection
◦ Third: Exploitation via vulnerability
◦ Fourth: Install the program
◦ Fifth: Contact Command-and-Control
◦ Sixth: Start using the compromised system
Endpoint Security
THREAT | EXAMPLES | IMPACT | DEFENSES
Botnet | Cutwail and Zeus | Take over system control, record account user names & passwords | Web-security gateway; endpoint security; network monitoring; use of security-as-a-service and patching, and removal of browser plug-ins to reduce possible vulnerability
Click fraud | DNSChanger | Redirect user browsing | Security-as-a-service, outbound monitoring, endpoint security
Exploit kit | Blackhole & Phoenix | Compromise systems & communications | Security-as-a-service, endpoint security, aggressive patching, removal of vulnerable plug-ins, outbound monitoring
Man in the browser | Zeus | Compromise secure browser channels, steal $ from bank accounts | Browser security software, endpoint security
Phishing | Fake Christmas lottery | Steal credentials, make more attacks | Anti-spam, network monitoring, security-as-a-service, browser protection, endpoint security
Rogue application | Virus remover & Antivirus 2009… | Compromise system, require payment for fraudulent services | Endpoint security, reputation engines, installation of software from vendors’ sites
Targeted attack | Oak Ridge National Labs attack | Steal confidential data | Endpoint security, data loss prevention, patching, removal of browser plug-ins
Endpoint Security
Be aware of the hacker’s technology and strategy, and understand how they’re helping attackers better defeat security measures.
Be ready to counter the attacks with layers of responses designed to make it harder for attackers to penetrate your network.
If the crooks do get in, you might at least keep them away from your most valuable servers and data.
Perimeter
Firewalls
◦ Block what you don’t need
◦ Block countries where you do not do business
  ▪ Russia, Ukraine & China
  ▪ Doesn’t work as well as it used to, but still worth doing
◦ Block inappropriate sites
  ▪ Gambling, Entertainment, Porn, Religious?
Perimeter
Firewalls
◦ Use a unique connection to the outside for:
  ▪ Mail servers
  ▪ Web servers
  ▪ E-commerce
  ▪ Etc.
Perimeter
Firewall: DMZ or no DMZ
◦ Ensure all unnecessary ports are closed (port forwarding). As an alternative to, or in tandem with, a DMZ option, many hardware-based firewalls allow port forwarding. This occurs when only a specific port may be visible to the outside world. If you are implementing port forwarding, open only those ports that are explicitly needed. Any other publicly visible port should be considered a security risk.
Perimeter
Firewalls
◦ Protect various departments / critical assets
  ▪ Network segmentation
  ▪ Sub-perimeter firewalls
◦ Protecting machines
  ▪ Sub-sub-perimeter / workstation firewalls
  ▪ Preferably centrally managed, but if that is too expensive, install non-centrally managed products.
Perimeter
Checklist
◦ Procedures should be comprehensively documented.
◦ Employees should be trained & tested in their roles
◦ Security patch management should be examined / tested
◦ Penetration testing should be regularly performed
◦ Firewall settings should be examined frequently
◦ Data should be classified and stored appropriately
◦ Wireless settings should be checked / changed
◦ Scan for unauthorized WAPs.
Audits
Checklist
◦ Event logs should be thoroughly examined all the time and during an audit.
◦ Test software that deals with sensitive data / Review source code.
Audits
The wrong data on the wrong server
◦ Windows Search
◦ dtSearch
Simple Audits
46% of internal security audits find significant security problems
54% of external security audits find significant security problems
Third Party Audit
Audits should be a surprise
◦ Prior to audits, IT teams rush around and make last-minute adjustments to their configurations and processes.
◦ In the real world, however, audit preparation should be treated as an ongoing endeavor.
External audits can find things like:
◦ Malicious users
◦ Malicious administrators
Third Party Audit
Develop a well-documented network
◦ What talks to what, when, and how
Continuously monitor the network for changes
◦ Whitelists, blacklists, hardware and software
Remediate changes
◦ When you detect a change, launch into action!
Assess constantly
◦ In large organizations, at least part of someone’s job should be to assess the status of the network.
Monitoring
◦ Nmap
◦ Look@LAN
◦ Advanced Port Scanner
◦ Microsoft Baseline Security Analyzer (hasn’t recently been updated)
◦ LeakTest (Gibson Research)
◦ Symantec Security Check
Monitoring Resources
6: Ask the “quick question”
◦ This one really bothers me. Without fail, a client will call me with a “quick question” that inevitably winds up being a 30-minute phone conversation. My time is valuable through the workday and those quick questions add up. Not only that, but many clients use the quick question to avoid having to pay for support on the real issue.
10 Things Users do to Drive you Crazy
AntiVirus
◦ Use multiple
  ▪ Each one will pick up different items
◦ Monitor centrally
  ▪ Users are notorious for selecting “ignore”.
◦ Workstation firewalls
  ▪ Each and every workstation needs a firewall
  ▪ Use multiple
Layers Layers Layers
Another concern agencies should have is spyware.
◦ Spyware is installed surreptitiously on a PC to intercept or take partial control over the user's interaction with the computer, without the user's informed consent.
◦ Spyware is generally not intended to be malicious.
◦ It reports information about users back to a third party.
◦ The information varies from general information about their system to specifics on their web browsing habits.
Operating System – Anti-Spyware
Spyware falls into several categories:
◦ 1. Retail and vendor information tracking.
  ▪ Generally to track where users go on a site or on the vendor’s competitors’ sites.
◦ 2. Tracking
  ▪ Collects various types of personal information, such as Internet surfing habits, sites that have been visited, etc.
Operating System – Anti-Spyware
◦ 3. Redirection / Hijacking
  ▪ These types of spyware interfere with user control of the computer by installing additional software, redirecting Web browser activity, blindly accessing websites that will cause more harmful viruses, or diverting advertising revenue to a third party.
  ▪ Spyware can change computer settings, resulting in slow connections, different home pages, and loss of Internet or other programs.
Operating System – Anti-Spyware
In response to the emergence of spyware, an entire anti-spyware industry has sprung up.
A variety of programs are available for detecting and removing this spyware.
Running anti-spyware software has become a widely recognized element of computer security for Windows computers.
The US Federal Trade Commission has an entire page of advice to consumers about how to lower the risk of spyware infection.
Operating System – Anti-Spyware
Our top choices:
◦ Spybot Search and Destroy
◦ Zone Alarm – Anti-Spyware
◦ Adaware Pro
◦ Computer Associates – Anti-Spyware
◦ F-Secure
Operating System – Anti-Spyware
Strong Passwords
◦ 1,000,000+
  ▪ The largest dictionaries of passwords we’ve seen reported
◦ Common names of people or pets are the first passwords tried
◦ Ordinary words are tried next
◦ Followed by words & names with one or two digits tacked on.
◦ Finally, things like common substitutions of numbers and characters for letters:
  ▪ 3@SY4M3 – Easy for me
  ▪ r@ts – rats
  ▪ etc.
The Obvious
Strong Passwords
◦ Longer is better
◦ Odd structure is better
◦ Distinctness
◦ Frequency of change
◦ Require:
  ▪ At least eight characters
  ▪ Include two or more digits
  ▪ Special characters
  ▪ Digits and special characters placed randomly instead of just at the beginning or the end
The Obvious
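A policy check for the rules on the two "Strong Passwords" slides, as an added example (not from the presentation). Besides the structural requirements it undoes the substitutions the first slide lists before a dictionary lookup, so 3@SY4M3 and r@ts are caught; the 4 = "for" and 2 = "to" mappings are an assumption chosen to reproduce the slide's example, and the word list is a small constructed stand-in for the dictionaries it mentions.

```python
"""Password policy check for the rules on the "Strong Passwords" slides.

Added example, not from the presentation. It checks the listed structure
rules (at least eight characters, two or more digits, special characters,
digits and specials not only at the beginning or the end) and, to catch the
"common substitutions" the slide warns about, undoes them before looking the
result up in a word list: 3@SY4M3 becomes easyforme and r@ts becomes rats.
Mapping 4 to "for" (and 2 to "to") is an assumption chosen to reproduce the
slide's example; the word list is a constructed stand-in for the million-entry
dictionaries the slide mentions.
"""
import re
from typing import List

# Constructed mini-dictionary: names, pets, ordinary words and known phrases.
COMMON_WORDS = {"password", "rats", "easyforme", "fluffy", "john", "welcome",
                "summer", "troubador"}

# Character-for-letter substitutions, reversed here (what crackers generate).
LETTER_SUBS = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o",
               "$": "s", "5": "s", "7": "t", "+": "t"}
# Digits/symbols standing in for whole words; overrides LETTER_SUBS when tried.
WORD_SUBS = {"4": "for", "2": "to", "8": "ate", "&": "and"}

SPECIAL = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def strip_ends(word: str) -> str:
    """Drop digits/symbols tacked on to the start or end ('fluffy12!')."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", word)


def candidates(password: str) -> List[str]:
    """Normalised forms to look up, in a fixed order: as typed, with tacked-on
    characters removed, then with each substitution table undone."""
    base = password.lower()
    forms = [base, strip_ends(base)]
    out = list(forms)
    for form in forms:
        for table in (LETTER_SUBS, {**LETTER_SUBS, **WORD_SUBS}):
            undone = "".join(table.get(ch, ch) for ch in form)
            out.extend([undone, strip_ends(undone)])
    return out


def weaknesses(password: str) -> List[str]:
    """Return the rules the password fails; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if sum(ch.isdigit() for ch in password) < 2:
        problems.append("fewer than two digits")
    if not any(ch in SPECIAL for ch in password):
        problems.append("no special characters")
    # Digits and specials must also appear inside the word, not only as a
    # prefix or suffix: strip both ends and see whether any remain.
    core = strip_ends(password.lower())
    if not any(not ch.isalpha() for ch in core):
        problems.append("digits and special characters only at the beginning or end")
    for word in candidates(password):
        if word in COMMON_WORDS:
            problems.append(f"dictionary word after normalisation: {word!r}")
            break
    return problems


if __name__ == "__main__":
    for pw in ("r@ts", "3@SY4M3", "Fluffy12!", "tr0ub4dor&3", "Gr33n!H0use#42x"):
        print(f"{pw!r}: {weaknesses(pw) or 'passes'}")
```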
Wireless
◦ WPA2 tied to the infrastructure
◦ Scan for new wireless devices
The Obvious
◦ 172 million smart phones were sold in 2010
◦ Leveraging the employee smart phone can be huge
  ▪ $500 device versus the data stored or available on the device
Mobile Devices
Benefits
◦ The employee bears the cost of the device
◦ The employee bears the cost of the service
◦ Employees are more connected
◦ Employees collaborate more often
◦ Communication increases dramatically
◦ Faster decision making
Mobile Devices
Mobile Devices
Four things you cannot ignore with mobile devices
◦ 1) Antivirus software on every device
  ▪ BullGuard
  ▪ Kaspersky
  ▪ ESET
  ▪ LookOut
  ▪ TrendMicro
  ▪ F-Secure
  ▪ NetQin
  ▪ WebRoot
  ▪ Norton 360
Four things you cannot ignore with mobile devices
◦ 2) Protect data on devices
  ▪ Enforce PIN access
  ▪ Encrypt sensitive data
  ▪ Management: Remote Lock, Remote Wipe
Mobile Devices
Four things you cannot ignore with mobile devices
◦ 3) Tightly control what can be installed on a mobile device
  ▪ Known sources: AppStore, Google Play Store / Amazon, etc.
  ▪ Scan before installation
Mobile Devices
Four things you cannot ignore with mobile devices
◦ 4) Detect & prevent malware
  ▪ See anti-virus
  ▪ Educate users: if they see something wrong, turn off the device and seek help.
Mobile Devices
Web Browser Configuration / Lockdown
◦ All browser plug-ins should be limited to essential plug-ins approved by the Agency
◦ ActiveX plug-ins should be limited
  ▪ Users should not be expected to be able to determine whether or not adequate security is available for ActiveX plug-ins
Browser Security
Web Browser Configuration / Lockdown
◦ Web browsers should be configured to limit vulnerability to intrusion.
◦ Active code should be disabled or used only in conjunction with trusted sites.
◦ < Demo browsing with a crippled browser >
◦ The browser should always be updated to the latest secure version.
Browser Security
Web Browser Configuration / Lockdown
◦ Privacy
  ▪ This is a big concern.
  ▪ The greatest threat is the use of cookies by third-party websites and the monitoring of web browsing habits of users by third parties using those same cookies.
  ▪ Cookies can be disabled, controlled and / or removed using a variety of built-in web browser features or third-party applications.
Browser Security
◦ JavaScript should also be limited or turned off.
  ▪ While JavaScript is used on many websites, turning it off generally only causes some nuisances when browsing these sites.
Browser Security
◦ OpenDNS
◦ Google Public DNS
Browser Security
1. Educate Employees
◦ Show them what to watch out for
◦ Encourage them to report questionable sites and links.
2. Flexible Policies
◦ Policies should be adaptable to the rapidly changing Web environment.
Four Steps to Better Web Security
3. Secure All Devices
◦ Keep patches up to date
◦ Remove unneeded plug-ins
◦ Use endpoint security
◦ Use a browser sandbox.
4. Use Web Filtering
◦ Monitor traffic in both directions to catch incoming threats and infected machines transmitting out.
Four Steps to Better Web Security
7: Chat while I’m concentrating
◦ This goes along with dominating the conversation. Many users, while in the middle of a remote session, want to chat. Sometimes that’s okay, as we are simply waiting for a download or waiting on the progress of a service or application. But when I’m elbows deep in the dirt and grit of trying to resolve a crucial issue, don’t try to chat me up about the weather, the royal wedding, or the price of gas. Please let me resolve the issue at hand (especially one that requires my concentration) and then I will happily chat about whatever (so long as I don’t have a pressing appointment after yours).
10 Things Users do to Drive you Crazy
8: Insist what their “cousin” told them was true
◦ I get it. Some companies enlist the help of “Cousin Joe,” who happens to owe the secretary a favor and “knows a thing or two” about computers. Well, Cousin Joe didn’t do you any favors when he caused even more problems doing what he did. Not that I am going to slam your cousin. But when I say that although Joe’s intentions were good, what he did was counterproductive to solving the issue at hand, please don’t insist that the cousin was in the right and that I am only trying to bilk you out of more money. Of course, if it ever comes to those kinds of words, you will most certainly be looking for a new support specialist.
10 Things Users do to Drive you Crazy
1) Understand your requirements
◦ Define your requirements from the inside
◦ What to protect?
◦ Where is it residing?
◦ End points?
Four DLP Steps
2) Work with the business at hand
◦ Understand what managers need
  Conduct interviews
  What do they need access to?
  Where do they need access to it?
  Too many false positives may indicate a broken business process
Four DLP Steps
3) Involve the legal & HR departments
◦ Legal can help with:
  Compliance issues
  Helping write an incident plan
◦ HR: handles an incident created by an employee
Four DLP Steps
4) Implement in Phases
◦ Don’t shock the system
◦ Monitor each phase
Four DLP Steps
Data Identification
◦ This is the first step to implementation
◦ Solutions should be able to identify confidential or sensitive information.
◦ The data must be identified in each of its states:
  in motion (crossing the network)
  at rest (on file shares, databases, backups)
  at end points (in use on workstations)
Data Loss Prevention
Data Identification
◦ DLP solution should allow for:
  Keywords
  Dictionaries
  Regular expressions
  Partial document matching
  Fingerprinting
◦ The DLP solution should also allow you to write your own rules.
Data Loss Prevention
Data Identification
◦ The strength of the analysis engine directly determines its accuracy.
◦ Each organization may have unique needs, however.
◦ Accuracy depends on many variables:
  The way the data is stored
  The format of the data
  Encryption of the data (encrypted content cannot be inspected unless the DLP system can decrypt it)
Data Loss Prevention
Data Identification
◦ Testing for accuracy
  Test often, against a labelled sample set
  Compare results with previous testing
  Drive false positives and false negatives as close to zero as possible; tightening rules to reduce one usually raises the other, so measure both
Data Loss Prevention
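The identification techniques listed above (regular expressions, dictionaries, partial document matching, fingerprinting) and the accuracy testing that follows them are shown together in the following added example, which is not code from the presentation or from any DLP product. It validates regex hits with a checksum so order numbers are not mistaken for card numbers, matches a keyword dictionary, fingerprints a registered document with hashed word windows so that an excerpt of it is still caught, assigns a severity, and then counts false positives and negatives over labelled samples. The registered document, the dictionary, the thresholds and the samples are all constructed for illustration.

```python
"""Content identification for DLP: a validated regular expression, a keyword
dictionary and shingle fingerprints for partial-document matching, plus an
accuracy check over labelled samples.

Added example, not from the presentation or any DLP product. The "registered"
document, the dictionary, the thresholds and the labelled samples are all
constructed for illustration.
"""
import hashlib
import re

# Regex alone: 16 digits in groups of four, space or dash separated.
CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")
# Keyword dictionary: phrases that mark a message as sensitive on their own.
DICTIONARY = {"confidential", "internal use only", "do not distribute"}
SEVERITY = {"card_number": 3, "fingerprint": 3, "keyword": 2}   # 3 = high


def luhn_ok(digits):
    """Luhn checksum; rejects most order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def shingles(text, k=5):
    """Hashes of every k-word window; the registered set is the fingerprint."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(words) - k + 1)}


def partial_match(text, fingerprint, k=5):
    """Fraction of the text's shingles that appear in the registered document."""
    own = shingles(text, k)
    return len(own & fingerprint) / len(own) if own else 0.0


def classify(text, fingerprint, match_threshold=0.3):
    """Return findings as (type, severity, detail) for each rule that fires."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card_number", SEVERITY["card_number"], digits[-4:]))
    low = text.lower()
    for phrase in sorted(DICTIONARY):
        if phrase in low:
            findings.append(("keyword", SEVERITY["keyword"], phrase))
    score = partial_match(text, fingerprint)
    if score >= match_threshold:
        findings.append(("fingerprint", SEVERITY["fingerprint"], f"{score:.2f}"))
    return findings


def severity(findings):
    """Incident severity is the highest severity among its findings (0 = none)."""
    return max((s for _, s, _ in findings), default=0)


def evaluate(samples, fingerprint):
    """Count true/false positives and negatives over (text, is_sensitive) pairs."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for text, sensitive in samples:
        flagged = bool(classify(text, fingerprint))
        key = ("tp" if flagged else "fn") if sensitive else ("fp" if flagged else "tn")
        counts[key] += 1
    return counts


# Constructed registered document and labelled test samples.
SECRET_DOC = ("Board memo: Acme will acquire the Sagittarius business unit for "
              "forty million dollars, subject to regulatory approval in the second quarter.")
SECRET_FP = shingles(SECRET_DOC)
SAMPLES = [
    ("Please charge card 4111 1111 1111 1111 for the invoice", True),
    ("Order number 1234 5678 9012 3456 has shipped", False),        # fails Luhn
    ("Reminder: this memo is CONFIDENTIAL, do not forward", True),
    ("FYI, the plan is to acquire the Sagittarius business unit for forty million dollars", True),
    ("Lunch is at noon in the break room", False),
    ("Card on file: 4111.1111.1111.1111", True),                    # evades CARD_RE
]

if __name__ == "__main__":
    for text, _ in SAMPLES:
        print(severity(classify(text, SECRET_FP)), classify(text, SECRET_FP))
    print(evaluate(SAMPLES, SECRET_FP))
```

Over the constructed samples the rules produce three true positives, no false positives and one false negative: the last sample's dot-separated card number slips past the regex. That is exactly the kind of gap accuracy testing is meant to surface, and widening the separator class in CARD_RE closes it at the cost of more candidates for the Luhn check to reject.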
Network & Gateway DLP
◦ Dedicated hardware/software platforms, typically at the network border.
◦ They analyze network traffic to search for unauthorized information transmissions, including:
  Email
  IM
  FTP
  HTTP
◦ They are generally cost effective.
◦ Some network systems also scan data stored throughout the enterprise (discovery) to identify areas of risk.
Data Loss Prevention
Host-based DLP systems
◦ Run on end-user workstations or servers
◦ Generally address internal communications
◦ Some can monitor external communications
◦ Others can also control information flow within the organization
◦ Can also control:
  Email
  IM
Data Loss Prevention
Host-based DLP systems
◦ Can monitor physical devices
◦ Can also monitor interaction with portable devices
◦ Should block sensitive information transmissions
◦ Provide feedback to the user, with notifications going to management
◦ Are installed on every workstation in the network
Data Loss Prevention
A DLP Product should include:
◦ Centralized management
◦ Policy creation
◦ Enforcement workflow
◦ Monitoring and protection of content and data
Data Loss Prevention: other considerations
Operational Actions:
◦ Quarantine email?
◦ Encrypt email?
◦ Block email?
◦ Notify sender?
◦ Notify management / operations?
Data Loss Prevention: other considerations
Advanced data-discovery DLP systems can move the data to a secure location if it is found residing on an unprotected share.
Data Loss Prevention: other considerations
Most DLP systems integrate with Active Directory.
◦ Users
◦ Groups
◦ etc.
Data Loss Prevention: other considerations
Severity Level Assignment – Assigns a severity level to each incident; highly configurable.
Custom Attribute Lookup – Queries an LDAP or Active Directory server for the user’s identity and additional attributes (for example department or manager).
Automated Incident Response – A number of actions can be taken automatically when a rule matches. Some of the important ones are the ability to comment, block, log, etc.
Data Loss Prevention: other considerations
Role-based Access Control – This is an interesting feature, in that it determines which incidents a remediator can work on and how much detail is available to them.
For example, if the violation originated from a member of the DLP group, assigning the incident to the violator himself does no good.
Data Loss Prevention: other considerations
SmartResponse – Provides the analyst with the detailed match data needed to decide the remediation steps for an incident, and lets those steps be triggered from the incident itself for fast remediation.
Data Loss Prevention: other considerations
Leak Prevention
◦ The system first learns what sensitive data looks like by reviewing existing data.
◦ During the review period someone must monitor the system.
◦ This learning period should be completed before turning on leak prevention (blocking).
◦ DLP generally handles SMTP, HTTP, HTTPS, FTP and Telnet. Is that enough? Consider the other channels data leaves by (IM, webmail, removable media, printing), and note that inspecting HTTPS requires TLS interception at the gateway or an agent on the endpoint.
Data Loss Prevention: other considerations
◦ The product’s functionality is dedicated to solving the business and technical problems of protecting content through content awareness.
◦ A number of products, particularly email security solutions, provide basic DLP functions, but aren't complete DLP solutions.
Data Loss Prevention: other considerations
9: Undo my work
◦ Raise your hand if you’re guilty of undoing all that work the support techs did the very second they left. I’ve seen this happen plenty of times. I’ve had clients actually confess to doing this. What those clients don’t realize is that I will more than likely have to come back and redo what I did prior to this visit — and I’ll also have to fix problems they caused by undoing my work. Do us both a favor and don’t undo my work. This is rarely going to be a smart choice, and the possibility that you’ll be able to resolve the issues created by your tampering is nil.
10 Things Users do to Drive you Crazy
10: Lack the necessary information
◦ When end users call for help, 75 percent of the time they have all of the information necessary for a successful appointment. The other 25 percent? Not so much. In fact, a large portion of that 25 percent require nearly double the normal job time just for fact gathering. So… when you call, please make sure you have all the information needed to complete the appointment. Otherwise, you are wasting my time and running up your bill.
10 Things Users do to Drive you Crazy
What is different about cloud?
◦ Cloud computing moves us away from the traditional model, where organizations dedicate computing power to a particular business application, to a flexible model where users access business applications and data in shared environments.
Cloud Security
Cloud Security
Today’s Data Centers:
◦ We have control
◦ They are located at A
◦ The data is on servers Sagittarius and Aquarius
◦ Our admins control access
◦ Our uptime works
◦ Our auditors are OK
◦ Our security team is engaged
The Cloud:
◦ Who has control?
◦ Where is it located?
◦ Where is it stored?
◦ Who backs it up?
◦ Who has access?
◦ How resilient is it?
◦ How do auditors do their job?
◦ How does our security team get involved?
Essential Questions
◦ Are you in a shared environment?
  Who else uses the servers?
  What is in place to prevent leakage to the others on the server?
  What logging capabilities are available?
Cloud Security
Essential Questions
◦ Where does your data actually reside?
◦ Can you lose service if an investigation into data loss at another customer ensues?
Cloud Security
Essential Questions
◦ What happens when a DDoS attack occurs?
Cloud Security
Essential Questions
◦ Who ensures compliance?
Cloud Security
Essential Questions
◦ How well is your data protected?
Cloud Security
Essential Questions
◦ Is encryption in place, at rest and in transit? Who holds the keys?
Cloud Security
Essential Questions
◦ Are all compliance requirements met in the cloud?
Cloud Security
Essential Questions
◦ Are event management options available?
  To whom? How? How quickly?
Cloud Security
Essential Questions
◦ When an event happens, can your business unit react as it did when servers were local?
Cloud Security
10 signs that you aren't cut out for IT
◦ 1: You lack patience
◦ 2: You have no desire to continue your education
◦ 3: You refuse to work outside 9-to-5
◦ 4: You don’t like people
◦ 5: You give up quickly
◦ 6: You’re easily frustrated
◦ 7: You can’t multitask
◦ 8: You have dreams of climbing the corporate ladder
◦ 9: You hate technology
◦ 10: You turn off your phone at night
By Jack Wallen; February 24, 2012
10 Signs you aren’t cut out for IT
Evaluation
I value your comments. Please fill in your evaluation form found at the end of your packet.
Contact Information
Scott Greene, SCFE
Evidence Solutions, Inc.
866-795-7166