Essential Strategies for Protecting Against the New Wave of Information Security Threats
Abe Usher, CISSP
Sharp Ideas LLC
2
About the presenter
> Abe Usher
> CISSP
> Master’s degree in Information Systems
> Ideas published in Wired Magazine, Network World, New Scientist Magazine, Business Week On-line and others
> Creator of slurp.exe
> Principal architect of SecurityBuzz.org
3
Webinar agenda
> Review of security concepts
> New threats
> Pod slurping
> Data theft in the news
> Strategies for reducing risk
> Questions and wrap up
4
Information security: key terms
> Confidentiality
> Integrity
> Availability
5
Information security: key terms
> Network security
> Application security
> Host security (endpoint security)
6
Information security: key terms
> Network: typically strong
> Application: moderate
> Host (Endpoint): weak (non-existent?)
7
Information security: new threats
The widespread introduction of computing devices and portable storage in the enterprise brings significant risks:
> iPods
> USB and Firewire storage
> Bluetooth accessories
> PDAs
> Unauthorized wireless
8
Endpoint: entry vectors
Optical drives
PDAs
Smart phones
Firewire
USB accessories
RJ-45 net
WiFi
Bluetooth
9
Universal Serial Bus (USB)
> Originally developed in 1995 as an external expansion bus to make adding peripherals easy.
> “Universal” acceptance of USB – virtually all new PCs come with one or more USB ports.
> New USB 2.0 allows data transfer at a rate 40 times faster than USB 1.1 (480 Mb/second)
10
USB devices: the good
> Supported by all vendors on all major operating systems
> Productivity booster in the proper context
> USB has reduced cost and complexity of peripherals
> Convenient data exchange between computers
11
USB devices: the bad
> Modern operating systems do not provide granular control over the use of USB devices (e.g. no auditing)
> Most commercial organizations do not have clear policies on the use of USB devices
> Most organizations do not understand the security implications of USB devices
12
The importance of information
> The currency of the Information Age is the bit.
> Information economies gain competitive advantage through creating, analyzing, and distributing information.
> Organizations that fail to protect their information resources jeopardize their own future.
13
Adapt your security infrastructure or become a statistic
Privacy Rights Clearing House | Washington Post, June 22, 2005
16
Digital media players and portable storage
> More than 42 million iPods sold
> Other digital media players increasingly popular
> USB thumb drives reaching low price point and ubiquitous adoption
20
Information security: in the news
> Unauthorized use of computers increased
> Unauthorized access to information and theft of proprietary information showed significant increases in average loss per respondent ($303,324 and $355,552 respectively)
23
Information security: in the news
Additional resources available at:
http://www.sharp-ideas.net/ideas/
37 additional stories from the news media related to data theft
26 messages from prominent information security mailing lists discussing data leakage / data theft
24
Information security: traditional threats
> External hackers
> Malicious code outbreaks
> SPAM
> Spyware
> Phishing
26
Traditional threats (network security)
Hacker activity
Worms & viruses
SPAM
Spyware
Phishing
Firewall
Intrusion Detection
SPAM filtering
Anti-Spyware
Phishing filtering
29
Emerging threats: endpoint security
> Widespread adoption of portable storage and digital media players
  • USB
  • Firewire
> Wireless trend in peripherals & secondary components
  • Bluetooth
  • 802.11
> Bottom line: Network security strategies do nothing to protect against devices connected inside of your enterprise network.
30
Evolution of security threats
31
Computing capacity vs. human skill
[Chart: user skill and computing power, 1995 to 2004]
The rate that computing power increases is vastly greater than the rate that computer users achieve new understanding.
32
Information security: new solutions
> Comprehensive policies that account for portable computing devices, wireless computing, and a mobile workforce
> User awareness of security issues and policies
> Technical solutions that mitigate access of storage and communication devices at the endpoint
33
5 Point strategy to remain secure
1) Assess your technology environment
2) Adapt your security policy
3) Have a user awareness plan
4) Put your policies and procedures into action
5) Assess effectiveness and revise your policy
34
Strategy #1: Assess your technology environment
At a minimum define:
> Critical information and information systems
> System owners
> System users:
  • employees
  • contractors
  • business partners
> Most likely vulnerabilities and threats to endpoint security
35
Strategy #2: Revise your security policy
At a minimum, revise these two areas:
> Corporate acceptable use policy
> Use of personal computing devices:
  • USB storage
  • Bluetooth peripherals
  • Personal media players (e.g. iPod)
  • PDAs
  • Optical drives
  • Multi-function phones
36
Strategy #3: User awareness
> Inform users of security issues and their responsibilities through
  • awareness initiatives
  • training
  • education
> References:
  • NIST 800-50 “Building an Information Technology Security Awareness and Training Program”
  • NIST Awareness, Training, Education http://csrc.nist.gov/ATE/
37
Strategy #4: Implement your policies and procedures
> Assign specific responsibilities
> Deploy required technical solutions
38
Strategy 4: Assign specific responsibilities
> Security manager
> Managers
> IT staff
> Employees
> Contractors
> Restrict privileges to critical information to those who require it to be productive
39
Strategy #4: Deploy required technical solutions
> Based on your internal analysis of vulnerabilities and threats, protect essential data:
  • in active use
  • in active storage
  • in archival storage
  • in transmission
41
Strategy 4: Example technical solutions
Information state    Sample solutions
Active use           Operating system controls; Endpoint security suite; Hardware restrictions
Active storage       Endpoint security suite; Windows EFS
Archival storage     File encryption
Transmission         Web: SSL (HTTPS); WiFi: WEP; Email: Winzip with AES 256 bit encryption
(1) Access control, (2) audit activities, (3) detect events in real-time
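The "operating system controls" row and the audit function above can be checked on a Windows endpoint with the script below. It is an added example, not part of the original presentation or of any product it mentions; the function names are illustrative, and the registry paths are the standard Windows locations for the USB mass-storage driver.

```powershell
# Added example (not from the presentation): audit the built-in Windows
# control for USB mass storage. Run from an elevated PowerShell session.
# Function names are illustrative; the registry paths are standard Windows ones.
$svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$enumKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Get-UsbStorageControl {
    # Start = 3: driver loads on demand (USB storage usable).
    # Start = 4: driver disabled (USB storage devices do not load).
    $start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction Stop).Start
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Start    = $start
        Blocked  = ($start -eq 4)
    }
}

function Get-UsbStorageHistory {
    # Enum\USBSTOR has one subkey per device model and, beneath it,
    # one subkey per physical unit (serial number or instance ID).
    if (-not (Test-Path -Path $enumKey)) { return }  # no USB storage ever installed
    foreach ($model in Get-ChildItem -Path $enumKey -ErrorAction SilentlyContinue) {
        foreach ($unit in Get-ChildItem -Path $model.PSPath -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $unit.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Model        = $model.PSChildName
                InstanceId   = $unit.PSChildName
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

Get-UsbStorageControl | Format-List
Get-UsbStorageHistory | Sort-Object Model | Format-Table -AutoSize

# Access control with the OS alone is all-or-nothing: this blocks every USB
# storage device on the machine, with no per-user or per-device exceptions.
# Set-ItemProperty -Path $svcKey -Name Start -Value 4
```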
42
Strategy #5: Assess effectiveness and revise strategy
> All business systems require a feedback loop
> As your operating context changes, so too will your security solutions
> If/when you have endpoint security incidents, be sure to revise your policies appropriately
43
Conclusions
> We've only witnessed the tip of the iceberg related to data theft
> Incident prevention is significantly less costly than incident response
> Addressing the issue at the endpoint provides the best ratio of risk reduction per dollar
> Tailor the recommended strategies to your organization's business requirements
44
Media Classes
> USB sticks
> iPods & MP3 players
> PDAs & Blackberrys
> Digital cameras & compact flash
> CD/DVD & diskettes
> External USB drives
Centrally manage and protect networks from threats associated with removable media devices:
• Data theft
• Virus and malware propagation
• Computer misuse
45
How DeviceWall Works
[Diagram labels: Customer Data, Intellectual Property, Corp. Knowledge, Desperate Housewives, Viruses, Malware]
46
Effective Management Reporting
47
DeviceWall 1-minute Overview
> Measured response to known risk
  • Intuitive and comprehensive auditing
  • Easy policy creation and deployment
  • Effective guard against unwanted device connections
> Minimal overhead and ongoing cost of ownership
  • Low cost of acquisition
  • Deploy in minutes, update automatically
  • Temporary access tools keep users productive
  • Communication minimizes calls to helpdesk
> Intuitive, fast and effective to manage
  • No specialist training required
  • No need for dedicated staff to run Control Center
48
Technical Specifics
> Supported platforms
  • Windows NT, 2000, XP, 2003
> Devices managed
  • PDAs, USB memory, MP3 players, CompactFlash, optical drives, external hard drives, digital cameras, mobile phones, Firewire ports, Bluetooth ports and more
> Server Requirements
  • Pentium, 128MB RAM, 512MB Hard Disk
> Network Requirements
  • MS IIS 5.0+, Active Directory & NT domains supported
49
We hope that you have enjoyed this presentation on protecting against the future information security threats. To gain additional information, please examine the following resources:
www.sharp-ideas.net
www.devicewall.com
50
Program Note
This webinar is sponsored by Centennial Software.
All referenced research is copyrighted 2006 by Sharp Ideas LLC, and/or its affiliates. All rights reserved.
Every reasonable attempt has been made to present accurate and reliable information. However, Sharp Ideas LLC disclaims all warranties as to the accuracy, completeness or adequacy of information contained within the webinar. Sharp Ideas LLC shall have no liability for errors, omissions, or inadequacies in the information contained herein or for interpretations thereof.
The opinions expressed herein are subject to change without notice.