“Hole in the Wall – The Human Factor in Security” 13 September 2012 Mohd Rafiq Mohamed Hashim [email protected]


Page 1

“Hole in the Wall – The Human Factor in Security”

13 September 2012

Mohd Rafiq Mohamed Hashim, rafiq@gitn.com.my

Page 2

Overview: Businesses Need Internet Access

Information sharing

Information dissemination

Extranet

Intranet

E-Commerce

E-Learning

Wikipedia

Web applications are intended to increase employee productivity!

Page 3

“The Internet is full of information, but the Internet is also full of... THREATS!!”

Page 4

Threats From Everywhere

Viruses

Hackers

Privacy threats

Spam

Popups

Trojan horses

Worms

Spyware

Cookies

Intrusions

Phishing

Do you have an effective means of keeping your business running smoothly by eliminating all threats and annoyances?

Page 5

Threats From Everywhere

Page 6

Page 7

Page 8

Page 9

Confidentiality

Page 10

Integrity

Page 11

Availability

Page 12

The Consequences of Inadequate Security (cont’d)

Top 10 Security Vulnerabilities

[Network diagram: Internet, Border Router, Internet/DMZ/Servers, Internal Router, Internal LAN, Remote Access Servers, Mobile/home user]

1. Inadequate router access control

2. Unsecured/unmonitored remote access

3. Information leakage via zone transfer & services (SMTP, telnet)

4. Running unnecessary services (FTP, DNS, SMTP)

5. Weak or reused passwords

6. User accounts with excessive privileges

7. Misconfigured Internet servers

8. Misconfigured firewall or router

9. Software unpatched, outdated, or in default configuration

10. Excessive file & directory access controls

Source: Hacking Exposed, McClure, Scambray & Kurtz, McGraw-Hill

Page 13

Users Don’t Get It

• There’s nothing important on my computer

• We have virus software, so my computer is protected from everything

• All threats are from the outside

• It’s not my job / I’m too busy to worry about security

• Technology provides full protection

Page 14

Users Don’t Get It

• Reasons employees gave for altering security settings on their computers (Cisco 2008 white paper)

Page 15

Users Don’t Get It

• Employees are the security black hole

Example – RSA’s SecurID Breach, 2011

– In March, an employee opened an Excel attachment from an email in the junk folder

– Malware in the attachment created a system backdoor

– Hackers were able to escalate privileges and copy SecurID security codes from the database

– 40 million customers affected

– Result – RSA customers (L3 & Lockheed) were attacked in April & June

Page 16

Why: Users Don’t Get It

• Phishing email sent to an RSA employee

Page 17

Most Common Mistakes

• Poor Password Management

• Workstation Attached and Unattended

• Malicious E-mail Attachments

• Ineffective Anti-virus Software

• Uncontrolled Laptops

• Unreported Security Violations

• Updates, Hot Fixes, Service Packs not Installed

• Poor Perimeter Protection

– Electronic

– Physical

Page 18

What?

• Data Backup/Restore

• Physical Security

• Portables

• Social Engineering

• ID/Passwords

• E-mail

• Wireless

• Malicious Software

Page 19

Data Backup/Restore

• Users are responsible for communicating their needs

• IT is responsible for making sure it happens

– Included in IT procedures

– Tools supplied to users

Page 20

Physical Security

• Every User is an Extension of the Security Force

• Lock Offices as Often as Practical

• Restrict Open External Entrances

• Technology

– Cameras

– Motion sensors

– Alarm systems

– Tags

Page 21

Portables

• Favorite Target of Thieves

• Less Likely to Draw Attention

• Easily Hidden

• “Turn” Fast at Pawn Shops and Online

• Almost Always Contain “Sensitive” Data

Page 22

Social Engineering

• “This is (manager, director, etc.) and I need…”

• “This is Sue with the Help Desk and we are:

– verifying your passwords…”

– troubleshooting logon problems…”

– got your (bogus) request to change your…”

• E-mail Attachments

• Dumpster Diving

• Recover Data from Surplus Equipment/Media

Page 23

ID/Passwords

• Users are responsible for what happens with their ID/password

• If you HAVE to write them down, treat the paper like a credit card

• Change passwords if there is a possibility they have been compromised

• Use complex passwords

• The sanctions for not protecting login credentials are…

Page 24

ID/Passwords

Passwords Are Like Underwear:

• Change yours often!

• Don’t leave yours lying around!

• The longer the more protection!

• Don’t share yours with friends!

• Be mysterious!

Page 25

E-Mail

• E-mails Exist in Multiple Places

• Deleting an E-mail from One Place Does Not Delete it from Anywhere Else

• Be Aware of “bcc”

• Spam Effects and Avoidance

• Verify Attachments Before Opening

• Don’t Send Confidential Information via Standard E-mail

• E-mail Can be Forged

Page 26

Wireless

• Don’t Plug in Your Own Wireless Access Point

• Don’t Change the Secure Configuration:

– To make it work with your home network

– So it will connect in the airport

– To access other facilities’ networks

• Use a Wire When Available

– Faster

– More secure

– Less competition for access point bandwidth

Page 27

Malicious Software

• Leave Virus Protection and Firewall Programs Running

• Check for or Allow Updates

• Recognize Potential Malicious Activities:

– Hard drive running when no programs are running

– Unusual or unexpected logon screens

– Boot-up speed or sequence changes

– Performance degradation

– Returned e-mails

Page 28

The 5Q

Page 29

Remember..!!!

Page 30

“Prevention is always better than cure”.

Page 31

THANK YOU