OED Security 2013 (Tactical Plan) Richard Woodford Security Administrator


Page 1: OED Security 2013-Exec

OED Security 2013 (Tactical Plan)

Richard Woodford, Security Administrator

Page 2: OED Security 2013-Exec

Introduction

• Richard Woodford – New Security Administrator
• Grew up in the Silverton Hills
• Asthmatic skinny kid with glasses
• Champion of the chess team, debate team, editor for school newspaper
• Math, physics and computers came easy, but anything that I had to study for did not
• Eventually the asthma turned to hay fever and I found I could run fast and played football so…

Page 3: OED Security 2013-Exec

Career choices

• Dallas Cowboy wide receiver
  – Unfortunately there were a few 250 pound guys that were just as fast
• Air Force Academy
  – Grades were mediocre, history of medical problems
• Meteorologist
  – Career outlook: “You will be replaced by a computer”
• Degree in Electronics/Computer Science
  – So here I am

Page 4: OED Security 2013-Exec

Background

• Installing security systems
• Networking for Evergreen Aviation
• Worked for the Marion County/City of Salem Data Center for 10 years
• Migrated to DHS, DAS, now here – 13 years
• ISO Certified Information Systems Security Professional (CISSP) – Federal and many other organizations are now requiring certification

Page 5: OED Security 2013-Exec
Page 6: OED Security 2013-Exec

Most Importantly

Page 7: OED Security 2013-Exec

Definitions and Sources

• Vulnerability – A weakness that may be exploited to cause harm
• Threat – Anything that is capable of causing harm to an asset or organization (if fully realized)
• Risk – The probability of a threat causing harm
• Malware – Various types of computer “viruses” that put our business at risk
• NIST – National Institute of Standards and Technology
• CISSP – A nationally recognized certification for security professionals
• My Math – Proprietary method derived from years of government security training
• Wikipedia – Encyclopedia in “the cloud” that knows all

*Sources: Richard Woodford, CISSP; Wikipedia

Page 8: OED Security 2013-Exec

Risk

You can never completely eliminate Risk

• Reduce (countermeasures, safeguards)
• Transfer (insurance)
• Accept (acknowledge that the remaining risk cannot practically be reduced further, or that the cost or business impact of further countermeasures would exceed the potential harm)

Page 9: OED Security 2013-Exec

Security for the non-techie

• This assessment is based on the SANS Top 20 (plus a few of our own)

• SANS is the largest provider of security research and training in the U.S.

• If you do these “Top 20” things well, you will do well on security audits AND have security that works in the real world

• Derived from NIST (which is the basis for standards such as IRS 1075) for compliance

Page 10: OED Security 2013-Exec

S.W.O.T. analysis

• Strengths, Weaknesses, Opportunities, Threats

• Knowing that we can’t do it all, this is a way to evaluate what the most important security improvements should be for OED in 2013

• We are only going to focus on a few of them
  – Most improvement needed
  – Probably all we have a realistic chance of accomplishing

Page 11: OED Security 2013-Exec
Page 12: OED Security 2013-Exec

Problem #1 - malware

• New generation of cyber-threats
  – Advanced Persistent Threats (APTs)
    • Developed by “well organized” groups
    • Undetectable by traditional antivirus
    • Designed to “persist” (maintain access)
    • Aimed to harm military, transportation, energy, government, economic targets

*Sources: Department of Homeland Security; FBI; Mandiant APT report released Feb 18, 2013

Page 13: OED Security 2013-Exec

Old Threats

Page 14: OED Security 2013-Exec

Current Threats

• Malware is behind most attacks
• Disgruntled employees (hacking for revenge)
• Identity thieves (hacking for money)
• Cyber-terrorists (hacking because they want to cause you harm)
• Hack-tivists (hacking for a political cause)
• Cyber-vigilantes (hacking to expose a weakness in an organization)
• Ransomware
• Nations
• Social engineering is almost always a component*

*Optional video

Page 15: OED Security 2013-Exec

The facts

• Most modern malware comes from viewing legitimate websites that are infected by a third party bad guy
• 80% of malware is deployed successfully to only one target
• 99% of victims have updated antivirus software running
• 94% of breaches are reported by third parties
• 416 = The median number of days advanced attackers are on a network before being detected*
• 99% of attacks involve stolen credentials
• Another source said 95% of all “new” viruses are not detected by antivirus

*Sources: Verizon, Mandiant

Page 16: OED Security 2013-Exec

Why would we be a target?

Page 17: OED Security 2013-Exec

Yes, it does (still) happen to us

Page 18: OED Security 2013-Exec

From: "Slinkard, Phil R." <[email protected]>
To: "[email protected]" <[email protected]>
Date: 2/19/2013 8:54 AM
Subject: Joint Indicators Bulletin
Attachments: JIB-INC260425-Attachment_A.CSV; JIB-INC260425.pdf

Richard,

The U.S. Government (USG) is committed to working with the private sector to better protect critical networks from persistent malicious actors. Therefore, the USG is providing the Joint Indicators Bulletin (JIB) to facilitate working together with the community in mitigating the threat of cyber attacks. Attached you will find the JIB addressing malicious cyber attacks and the risks it poses to your intellectual property, trade secrets, and other sensitive business information. Recipients are encouraged to distribute the JIB to any individuals and/or organizations who could benefit from this message. If you have any questions, comments, and/or detect any cyber intrusions, please do not hesitate to contact me.

Mandiant has also released some of their related work product on their website. They have included a very informative video on the subject named "APT1 Video".

Thank you very much for your partnership as we combat this National Security matter.

Phil R. Slinkard
Special Agent
Portland Division - Cyber Crime
Federal Bureau of Investigation

Page 19: OED Security 2013-Exec
Page 20: OED Security 2013-Exec
Page 21: OED Security 2013-Exec
Page 22: OED Security 2013-Exec

Not all antivirus protection is equal

Page 23: OED Security 2013-Exec

Recommendation #1(a)

• OED should immediately research and implement a Universal Threat Management Gateway (UTM), or a next-generation firewall. This would be the quickest way to reduce the malware threat

• UTMs are new technology designed to defend against advanced threats by watching all network traffic at the application level and detecting traffic that is suspect (traffic from an application that normally doesn’t use the internet, or traffic communicating with China)

• UTMs also filter web content rather than just watching for known bad websites

• Defense-in-depth

Page 24: OED Security 2013-Exec

Recommendation #1(b)

• Additionally, ISO should research new desktop protection technologies to better protect systems from modern malware (give ourselves more time to make a decision this time)

• This will require some initial investment of about $75,000, but it will replace our other outdated defenses and reduce our maintenance costs substantially

Page 25: OED Security 2013-Exec

Problem #2

• A review of our server security has revealed that too many people have too much access (either access they do not need or should not have)

• Auditors revealed that we do not have logs of what people with admin privileges have accessed on a system

Page 26: OED Security 2013-Exec

Recommendation #2

• ISO is requesting the purchase of data governance software Varonis

• Varonis will allow ISO to do a complete assessment of our Server security

• Varonis will provide an auditable trail of who accessed what data

• Varonis DatAdvantage costs $68,000 and is essentially up and running already

Page 27: OED Security 2013-Exec

Problem #3

• Log visibility is considered a mandatory control by most standards

• ISO has no visibility into security logs from all devices

• No way to know if a breach is occurring or has occurred

• Auditors found us out of compliance

• In the real world… allowed/denied

Page 28: OED Security 2013-Exec

Recommendation #3

• Research options for consolidating all security related logs

• Research options for monitoring logs for suspicious activity

• Part of this solution will involve the data center
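The two research items above (consolidating logs from every device, then watching them for suspicious activity) are what a log monitoring tool does under the hood. The example below is added here to show the shape of that work; it is not OED's code or any vendor's product. It normalizes three constructed log formats (a firewall's allowed/denied lines, a Windows server's logon events 4624/4625, and a Linux sshd host) into one event type, counts lines it cannot parse so blind spots stay visible, and raises an alert when the same source is denied or fails to log on repeatedly. All device names, addresses and user names are made up; the threshold of three is an assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in three device formats (not OED's real logs):
# a firewall, a Windows server (event IDs 4624/4625) and a Linux sshd host.
SAMPLE_LOGS = [
    "fw01 2013-02-19T08:54:01 action=deny src=10.1.5.23 dst=203.0.113.9 dport=4444",
    "fw01 2013-02-19T08:54:03 action=allow src=10.1.5.23 dst=198.51.100.7 dport=443",
    "fw01 2013-02-19T08:54:05 action=deny src=10.1.5.23 dst=203.0.113.9 dport=4444",
    "fw01 2013-02-19T08:54:07 action=deny src=10.1.5.23 dst=203.0.113.9 dport=4444",
    "srv02 2013-02-19T08:55:10 EventID=4625 TargetUser=jdoe SourceIP=10.1.7.40",
    "srv02 2013-02-19T08:55:12 EventID=4625 TargetUser=jdoe SourceIP=10.1.7.40",
    "srv02 2013-02-19T08:55:14 EventID=4625 TargetUser=jdoe SourceIP=10.1.7.40",
    "srv02 2013-02-19T08:55:16 EventID=4625 TargetUser=jdoe SourceIP=10.1.7.40",
    "srv02 2013-02-19T08:55:20 EventID=4624 TargetUser=jdoe SourceIP=10.1.7.40",
    "bastion sshd[2201]: Failed password for admin from 10.1.7.40 port 51000 ssh2",
    "bastion sshd[2202]: Accepted password for rwoodford from 10.1.2.2 port 51001 ssh2",
    "printer01 2013-02-19T08:56:00 toner low",   # a format no parser knows yet
]


@dataclass
class Event:
    """One normalized security event, whatever device produced it."""
    device: str
    kind: str      # "connection" or "logon"
    outcome: str   # "allowed"/"denied" for connections, "success"/"failure" for logons
    src: str       # source IP
    target: str    # "dst:port" for connections, user name for logons


# One parser per device format; the field names are the sample format's, not a vendor's.
FW_RE = re.compile(r"^(?P<dev>\S+) \S+ action=(?P<act>allow|deny) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<port>\d+)")
WIN_RE = re.compile(r"^(?P<dev>\S+) \S+ EventID=(?P<id>4624|4625) "
                    r"TargetUser=(?P<user>\S+) SourceIP=(?P<src>\S+)")
SSH_RE = re.compile(r"^(?P<dev>\S+) sshd\[\d+\]: (?P<res>Failed|Accepted) password "
                    r"for (?P<user>\S+) from (?P<src>\S+)")


def normalize(line):
    """Turn one raw line into an Event, or None when no parser recognizes it."""
    m = FW_RE.match(line)
    if m:
        outcome = "allowed" if m["act"] == "allow" else "denied"
        return Event(m["dev"], "connection", outcome, m["src"], f'{m["dst"]}:{m["port"]}')
    m = WIN_RE.match(line)
    if m:
        outcome = "success" if m["id"] == "4624" else "failure"
        return Event(m["dev"], "logon", outcome, m["src"], m["user"])
    m = SSH_RE.match(line)
    if m:
        outcome = "success" if m["res"] == "Accepted" else "failure"
        return Event(m["dev"], "logon", outcome, m["src"], m["user"])
    return None


def consolidate(lines):
    """Return (events, unparsed_count); unparsed lines are counted so gaps are visible."""
    events, unparsed = [], 0
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    return events, unparsed


def find_suspicious(events, threshold=3):
    """Flag repeated denials to one destination and repeated failed logons from one source."""
    denied = Counter((e.src, e.target) for e in events
                     if e.kind == "connection" and e.outcome == "denied")
    failed = Counter(e.src for e in events if e.kind == "logon" and e.outcome == "failure")
    alerts = []
    for (src, target), n in denied.items():
        if n >= threshold:
            alerts.append(f"repeated denied connections: {src} -> {target} x{n}")
    for src, n in failed.items():
        if n >= threshold:
            alerts.append(f"repeated failed logons from {src} x{n}")
    return alerts


if __name__ == "__main__":
    events, unparsed = consolidate(SAMPLE_LOGS)
    print(f"{len(events)} events normalized, {unparsed} line(s) unparsed")
    for alert in find_suspicious(events):
        print("ALERT:", alert)
```

Note that the failed-logon count for 10.1.7.40 only reaches five because the Windows and sshd failures were counted together; each device on its own would show fewer. That cross-device view is the reason consolidation comes before monitoring.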

Page 29: OED Security 2013-Exec

Problem #4

• We have been told that an enterprise identity and access system is needed

• A report by an outside consultant found problems with the current project

• Enterprise Identity and access systems are difficult to implement with varied technology and customer base

Page 30: OED Security 2013-Exec

Recommendation #4

• Work with the business on requirements
• Ask industry experts for recommendations
• See what other agencies are doing
• Talk to the data center and see if this is something they are planning on providing

Page 31: OED Security 2013-Exec

Problem #5

• Data Classification is mandated by DAS policy
• All documents and other data should be “labeled” Level 1, 2, 3, 4 (think how the federal government does this)
  – Level 1 – Published (public info)
  – Level 2 – Limited (proprietary)
  – Level 3 – Restricted (privacy)
  – Level 4 – Critical (safety)

Page 32: OED Security 2013-Exec

Recommendation #5

• Direct ISO and other resources to get this done

• Varonis has a set of tools for about $40,000 that can help immensely by looking for data elements such as SSNs

• The purchasing of this software is under consideration
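To make the four-level scheme from Problem #5 and the "look for data elements such as SSNs" idea concrete, here is a small rule-based labeler added for illustration; it is not OED's code and not the Varonis product. It respects an explicit label already on a document as a floor, raises unlabelled material to Level 2 when it carries proprietary markers, and raises anything containing a plausibly valid SSN to Level 3. The header format, the marker word list and the sample documents are assumptions constructed for the example; the SSN check rejects shapes the SSA never issues (area 000, 666 or 9xx, group 00, serial 0000) to keep the false-positive rate down, and the report masks each match so the scan output is not itself Level 3 data.

```python
import re

# The four levels from the DAS data classification policy as the slide lists them.
LEVELS = {1: "Published (public info)", 2: "Limited (proprietary)",
          3: "Restricted (privacy)", 4: "Critical (safety)"}

# Only SSN-shaped values the SSA would actually issue: area not 000/666/9xx,
# group not 00, serial not 0000. Cuts obvious false positives such as 000-12-3456.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# An explicit label already on a document acts as a floor (assumed header format).
LABEL_RE = re.compile(r"Classification:\s*Level\s*([1-4])", re.IGNORECASE)
# Markers that push an unlabelled document to at least Level 2 (assumed word list).
LIMITED_MARKERS = ("internal use only", "proprietary", "confidential")


def find_ssns(text):
    """Return every plausibly valid SSN found in the text."""
    return SSN_RE.findall(text)


def mask_ssn(ssn):
    """Keep only the last four digits so the scan report is not itself Level 3 data."""
    return "***-**-" + ssn[-4:]


def classify(text):
    """Return (level, reasons). The level only ever rises; no rule lowers it."""
    level, reasons = 1, []
    m = LABEL_RE.search(text)
    if m:
        level = int(m.group(1))
        reasons.append(f"explicit label: Level {level}")
    if any(w in text.lower() for w in LIMITED_MARKERS):
        level = max(level, 2)
        reasons.append("proprietary/internal-use marker")
    ssns = find_ssns(text)
    if ssns:
        level = max(level, 3)
        reasons.append("SSNs present: " + ", ".join(mask_ssn(s) for s in ssns))
    return level, reasons


def label_documents(docs):
    """Map document name -> assigned level for a batch of documents."""
    return {name: classify(text)[0] for name, text in docs.items()}


# Constructed documents (not real OED files); the SSNs are fabricated test values.
SAMPLE_DOCS = {
    "press_release.txt": "OED announces extended office hours at the Salem office starting March 1.",
    "vendor_memo.txt": "INTERNAL USE ONLY. Evaluation notes on the UTM proposals received this quarter.",
    "hr_export.csv": "name,ssn,phone\nJ. Doe,123-45-6789,503-555-0199\nA. Roe,234-56-7890,503-555-0142\n",
    "safety_plan.txt": "Classification: Level 4\nBuilding evacuation routes and emergency contacts.",
}

if __name__ == "__main__":
    for name, text in SAMPLE_DOCS.items():
        level, reasons = classify(text)
        print(f"{name}: Level {level} ({LEVELS[level]}) {reasons}")
```

A scanner like this finds the Level 3 material that nobody labelled; it cannot by itself tell Level 4 (safety) from Level 1, which is why the explicit label is honoured and why the slide asks for ISO and other resources, not just a tool, to get the labelling done.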

Page 33: OED Security 2013-Exec

Avoid “Compliancitis”

• Compliance: Change passwords every 60-90 days…?

• Real world: Use a strong password

• Password strength calculator

Page 34: OED Security 2013-Exec

Closing

• We have a small, but professional team
• Security is driven by numerous state, federal, and private mandates (along with audits)
• Your security staff (ISO) must make sure we meet mandates AND protect us from real world attacks
• Smart security (not just “no”)
• Due Care, the business, risk management
• ISO knows that you (the business) are our customers and are committed to providing the highest level of service possible
• If you have suggestions for improvements, we are listening
• If you have questions about security, we are your consultants

Page 35: OED Security 2013-Exec

Q/A

• Questions about security
• Things you’d like to see improved with the security office