
Post on 15-Dec-2015


Information Security Fundamentals

David Veksler

Who is this talk for?

• Non IT experts

• Those working with confidential information

• Especially in parts of the world with high informational security risks

Why should I care about security?

• Can’t I just hire someone and/or install software to protect myself?

Why should I care about security?

• In most organizations, any IT administrator can read and alter any other employee's email without any knowledge or record.

• Mr Smith was an executive building a new manufacturing plant in China. The support technicians in his IT department had access to the corporate mail server. One of them was hired by a competitor. Before he left, he logged on to the mail server and downloaded the entire mail archive for Mr Smith, including the design plans for the new assembly line. The company did not discover the leak until the competitor built their own production line and released a competing product on the market.

Why should I care about security?

• A tiny device with a built-in cellular modem can act as a Trojan horse to open your network to outsiders.

• Widget Corp produces software for sale worldwide. An agent for their competitors walked into one of their offices and installed a plugbot (theplugbot.com). The plugbot was able to sniff a domain password and send it over the built-in cellular modem. From there, the attacker established remote access to the corporate data server. A few months later, Widget Corp suddenly had a new competitor in the market.

Why should I care about security?

• "It has become the Wild West on that other side of the globe. There is little or no respect for Intellectual Property. Copyrights and patents are ignored. Accounting issues have recently also come into question for many Chinese companies that have bought U.S. shell corporations to simplify the process of going public in the West. Rough and tumble attitudes must be expected. Any American company doing business in China must anticipate the worst even as it hopes for the best in expanded marketing opportunities."

• http://www.forbes.com/sites/joanlappin/2011/09/21/american-superconductor-destroyed-for-a-tiny-bribe/

Why should I care about security?

• "In terms of outright theft of intellectual property, there is growing evidence that China’s intelligence agencies are involved, as attacks spread from hits on large technology companies to the hacking of startups and even law firms. “The government can basically put their hands in and take whatever they want,” says Michael Wessel, who sits on the U.S.-China Economic and Security Review Commission that reports to Congress. “We need to take more actions and protect our intellectual property.”

• Inside the Chinese Boom in Corporate Espionage (http://www.businessweek.com/articles/2012-03-14/inside-the-chinese-boom-in-corporate-espionage)

Why should I care about security?

• “There have been a large number of corporate spying cases involving China recently… as the toll adds up, political leaders and intelligence officials in the U.S. and Europe are coming to a disturbing conclusion. “It’s the greatest transfer of wealth in history,” General Keith Alexander, director of the National Security Agency, said at a security conference at New York’s Fordham University in January.”


Contents

• Part 1: Secure web browsing

• Part 2: Secure networks

• Part 3: Secure email and IM

• Part 4: Securing operating systems & mobile devices

• Part 5: Securing organizations

• Conclusion: limitations of security measures

Choosing a web browser

Why web browsers matter

Internet Explorer: upgrade to 9+ or switch to:

Chrome: recommended for personal use

Get HTTPS Everywhere & AdBlock

Firefox as a multi-tool

Plugging privacy leaks

Keep your browser up to date

Disable unused plugins

AdBlock: it’s not just for blocking ads

Block third party cookies

Using Private Mode

Cleaning your tracks with CCleaner

Securing your surfing

HTTPS Everywhere

OpenDNS / Google DNS

DNSCrypt

VPN (details later)

Advanced: monitoring web traffic

Outgoing firewalls:

ZoneAlarm (Windows)

Little Snitch (OS X)

Monitoring network traffic with Wireshark

Part 2: Secure Networks: Virtual Private Networks

VPN options

PPTP: simple, supported by mobile devices, only safe for personal use

L2TP: best for corporations: supports digital certificates

OpenVPN: free, open-source

Alternative VPN Solutions

LogMeIn Hamachi: simple ad-hoc and hub-and-spoke VPN

SSH Tunneling

Browser helpers for VPNs

Proxy Switchy (Chrome)

FoxyProxy (Firefox)

Proxy Scripting – works with Proxy Switchy when configured in Chrome (IE)

Advanced: Running your own proxy

• Why run a proxy locally?

• Optimize, secure, accelerate traffic

• Control access to outside network

Privoxy (recommended)

GlimmerBlocker (OS X)

Squid (Unix)

Polipo (Unix, Windows, OS X)

Part 3: Secure Email and IM: Encryption Tools

Symmetric encryption

Asymmetric encryption

Secure Email

Corporate E-mail: Digital Certificates & Signing

Get a free cert at http://startssl.com/

PGP: PGP Desktop, GnuPG

Secure Instant Messaging

Corporate Instant Messaging:

Microsoft: Skype, Lync, Office Communications Server

Personal Instant Messaging

Off-The-Record plugin for:

Pidgin (Windows), Adium (OS X)

Part 4: Securing Operating Systems: OS Hardening

Basic OS Hardening

• Secure your login mechanism

• Password protect access to your desktop

• Admin privileges & user level accounts: run as a user-level account; require password to log in

• Disable file sharing on the network

• Enable automatic updates

• Disable unused user accounts

Anti-Virus Options

• Do you need Anti-Virus software?

• Anti-Virus for Individuals

• Windows Defender

• Avast

• Many free options

• F-Secure, Trend Micro OfficeScan

• Tip: Don't use Norton or McAfee!

Anti-Malware Options

• Do you need Anti-Malware software?

• Recommended Anti-Malware:

• Microsoft’s Windows Defender

• Spybot S&D (Free)

• Malwarebytes (Free/Pro)

Whole disk encryption

• What is it? Do you need it?

• TrueCrypt (multiplatform)

• BitLocker (Windows)

• FileVault (Apple)

• PGP Whole Disk Encryption

• Symantec Endpoint Encryption

Advanced: Tips from the Pros

• OS Hardening guides from the NSA

• Windows:

• OS X

• Security tips from the NSA for all OS’s

Advanced: OS Isolation

• Portable (Live) OS

• Portable apps

• Virtual Machines

• Only an “air gap” is safe for mission critical data!

OS Specific Considerations

• OpenBSD: when security is mission-critical

• Linux

• Windows Server 2008

• Windows XP

• Windows 7

• OS X

Securing your smartphone

• Notes on locking:

• Only protects against casual theft

• Cloud storage risks

• Remote wipes

Part 5: Secure Organizations: physical security, social engineering, and other considerations

Physical security

• Human factors

• Physical security

• International travel

• Asset management & theft prevention

Social Engineering

• Inside threats

• Social engineering

• “Need to access” policies

Advanced: Threat discovery

• Process Explorer

• Rootkit detectors:

• Microsoft: Rootkit Revealer

• Avast: GMER

• RootkitHunter

Conclusion: Limitations of Information Security

• Limitations of software measures

• Limitations of hardware measures

• Cost vs. benefit of security measures

The End

Technologies mentioned in this presentation have links to more information – get a copy of the PowerPoint from me (david.veksler@ef.com).
