Information Security Fundamentals
David Veksler


Page 1:

Information Security Fundamentals

David Veksler

Page 2:

Who is this talk for?

• Non-IT experts

• Those working with confidential information

• Especially those in parts of the world with high information security risks

Page 3:

Why should I care about security?

• Can't I just hire someone and/or install software to protect myself?

Page 4:

Why should I care about security?

• In most organizations, any IT administrator can read and alter any other employee's email without that employee's knowledge and without leaving a record.

• Mr Smith was an executive building a new manufacturing plant in China. The support technicians in his IT department had access to the corporate mail server. One of them was hired by a competitor. Before he left, he logged on to the mail server and downloaded Mr Smith's entire mail archive, including the design plans for the new assembly line. The company did not discover the leak until the competitor had built its own production line and released a competing product on the market.

Page 5:

Why should I care about security?

• A tiny device with a built-in cellular modem can act as a Trojan horse that opens your network to outsiders.

• Widget Corp produces software for sale worldwide. An agent for a competitor walked into one of their offices and installed a plugbot (theplugbot.com). The plugbot sniffed a domain password and sent it out over its built-in cellular modem. From there, the attacker established remote access to the corporate data server. A few months later, Widget Corp suddenly had a new competitor in the market.

Page 6:

Why should I care about security?

• "It has become the Wild West on that other side of the globe. There is little or no respect for Intellectual Property. Copyrights and patents are ignored. Accounting issues have recently also come into question for many Chinese companies that have bought U.S. shell corporations to simplify the process of going public in the West. Rough and tumble attitudes must be expected. Any American company doing business in China must anticipate the worst even as it hopes for the best in expanded marketing opportunities."

• http://www.forbes.com/sites/joanlappin/2011/09/21/american-superconductor-destroyed-for-a-tiny-bribe/

Page 7:

Why should I care about security?

• "In terms of outright theft of intellectual property, there is growing evidence that China's intelligence agencies are involved, as attacks spread from hits on large technology companies to the hacking of startups and even law firms. “The government can basically put their hands in and take whatever they want,” says Michael Wessel, who sits on the U.S.-China Economic and Security Review Commission that reports to Congress. “We need to take more actions and protect our intellectual property.”"

• Inside the Chinese Boom in Corporate Espionage (http://www.businessweek.com/articles/2012-03-14/inside-the-chinese-boom-in-corporate-espionage)

Page 8:

Why should I care about security?

• "There have been a large number of corporate spying cases involving China recently… as the toll adds up, political leaders and intelligence officials in the U.S. and Europe are coming to a disturbing conclusion. “It's the greatest transfer of wealth in history,” General Keith Alexander, director of the National Security Agency, said at a security conference at New York's Fordham University in January."

Page 9:

Page 10:
Page 11:

Contents

• Part 1: Secure web browsing

• Part 2: Secure networks

• Part 3: Secure email and IM

• Part 4: Securing operating systems & mobile devices

• Part 5: Securing organizations

• Conclusion: limitations of security measures

Page 12:

Choosing a web browser

Why web browsers matter

Internet Explorer: upgrade to 9+ or switch to:

Chrome: recommended for personal use

Get HTTPS Everywhere & AdBlock

Firefox as a multi-tool

Page 13:

Plugging privacy leaks

Keep your browser up to date

Disable unused plugins

AdBlock: it's not just for blocking ads

Block third-party cookies

Using Private Mode

Cleaning your tracks with CCleaner

Page 14:

Securing your surfing

HTTPS Everywhere

OpenDNS / Google DNS (a third-party resolver instead of your ISP's; whoever runs the resolver still sees every name you look up)

DNSCrypt (encrypts the traffic between you and the resolver, which plain DNS sends in the clear)

VPN (details later)

Page 15:

Advanced: monitoring web traffic

Outgoing firewalls:

ZoneAlarm (Windows)

Little Snitch (OS X)

Monitoring network traffic with Wireshark

Page 16:

Part 2: Secure Networks: Virtual Private Networks

VPN options

PPTP: simple and supported by most mobile devices, but its MS-CHAPv2 authentication is cryptographically broken and the tunnel can be decrypted; do not rely on it for confidential traffic

L2TP/IPsec: best for corporations; supports digital certificates for authentication

OpenVPN: free, open-source

Page 17:

Alternative VPN Solutions

LogMeIn Hamachi: simple ad-hoc and hub-and-spoke VPN

SSH tunneling: any SSH server you can log in to doubles as a VPN for TCP traffic (ssh -D gives you a local SOCKS proxy; ssh -L forwards a single port)

Page 18:

Browser helpers for VPNs

Proxy Switchy (Chrome)

FoxyProxy (Firefox)

Proxy scripting (PAC files): works with Proxy Switchy when configured in Chrome, and natively in IE
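The proxy script the slide refers to is a PAC file: a piece of JavaScript the browser evaluates for every request to decide where to send it. The following is an added example, not part of the original deck, of a PAC file that keeps local traffic off the VPN and forces sensitive sites through it. It assumes the VPN is an SSH tunnel started with `ssh -D 1080 user@vpn-host` (a SOCKS5 proxy on 127.0.0.1:1080), that the internal domain is `corp.example`, and that `example.com` is the site that must never be reached outside the tunnel; all three are placeholders.

```javascript
// Added example, not from the original deck: a proxy auto-config (PAC)
// script. The browser evaluates this JavaScript and calls
// FindProxyForURL(url, host) before every request; the returned string
// says where that request goes. Assumed values: an SSH tunnel started with
// "ssh -D 1080 user@vpn-host" exposes a SOCKS5 proxy on 127.0.0.1:1080,
// the internal domain is corp.example, and example.com is the site that
// must never be reached outside the tunnel.

var TUNNEL = "SOCKS5 127.0.0.1:1080";       // assumed local SSH -D port
var INTERNAL_DOMAIN = ".corp.example";      // assumed internal suffix
var SENSITIVE_DOMAINS = [".example.com"];   // assumed: tunnel only, no fallback

// True when host is the domain itself or a subdomain of it. Written with
// plain string operations so the file also runs under Node; browsers offer
// helpers such as dnsDomainIs() too, but dnsResolve() should be avoided
// because it leaks the lookup to the local resolver.
function hostInDomain(host, domain) {
  host = host.toLowerCase();
  return host === domain.slice(1) || host.slice(-domain.length) === domain;
}

// RFC 1918 and loopback IPv4 literals.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 || (a === 192 && b === 168) ||
         (a === 172 && b >= 16 && b <= 31);
}

function FindProxyForURL(url, host) {
  // Bare names, the internal domain and private addresses stay on the local
  // network; pushing them through the tunnel would expose internal names to
  // the far end and usually fail anyway.
  if (host.indexOf(".") === -1 || hostInDomain(host, INTERNAL_DOMAIN) ||
      isPrivateIPv4(host)) {
    return "DIRECT";
  }
  // Sensitive sites get the tunnel and nothing else. Without "; DIRECT" the
  // request fails when the tunnel is down instead of going out in the clear.
  for (var i = 0; i < SENSITIVE_DOMAINS.length; i++) {
    if (hostInDomain(host, SENSITIVE_DOMAINS[i])) return TUNNEL;
  }
  // Everything else prefers the tunnel and falls back to a direct connection.
  return TUNNEL + "; DIRECT";
}
```

Save it as proxy.pac and point Proxy Switchy, FoxyProxy or the operating system's proxy settings at it. The "; DIRECT" fallback is convenient but fails open; leave it off for anything you would not want sent unprotected. In Firefox also set network.proxy.socks_remote_dns to true so that hostnames are resolved at the SOCKS end rather than by your local resolver.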

Page 19:

Advanced: Running your own proxy

• Why run a proxy locally?

• Optimize, secure, accelerate traffic

• Control access to the outside network

Privoxy (recommended)

GlimmerBlocker (OS X)

Squid (Unix)

Polipo (Unix, Windows, OS X)

Page 20:

Part 3: Secure Email and IM: Encryption Tools

Page 21:

Symmetric encryption

Page 22:

Asymmetric encryption

Page 23:

Secure Email

Corporate e-mail: digital certificates (S/MIME) & signing

Get a free cert at http://startssl.com/ (StartCom's certificates have since been distrusted by the major browsers, so pick a currently trusted CA)

PGP: PGP Desktop, GnuPG

Page 24:

Secure Instant Messaging

Corporate instant messaging:

Microsoft: Skype, Lync, Office Communications Server

Personal instant messaging:

Off-the-Record (OTR) plugin for:

Pidgin (Windows), Adium (OS X)

Page 25:

Part 4: Securing Operating Systems: OS Hardening

Page 26:

Basic OS Hardening

• Secure your login mechanism

• Password-protect access to your desktop

• Admin privileges & user-level accounts: run as a user-level account; require a password to log in

• Disable file sharing on the network

• Enable automatic updates

• Disable unused user accounts

Page 27:

Anti-Virus Options

• Do you need anti-virus software?

• Anti-virus for individuals

• Windows Defender

• Avast

• Many free options

• F-Secure, Trend Micro OfficeScan

• Tip: Don't use Norton or McAfee!

Page 28:

Anti-Malware Options

• Do you need anti-malware software?

• Recommended anti-malware:

• Microsoft's Windows Defender

• Spybot S&D (free)

• Malwarebytes (free/Pro)

Page 29:

Whole disk encryption

• What is it? Do you need it?

• TrueCrypt (multiplatform; its developers ended the project in 2014, and VeraCrypt carries it on)

• BitLocker (Windows)

• FileVault (Apple)

• PGP Whole Disk Encryption

• Symantec Endpoint Encryption

Page 30:

Advanced: Tips from the Pros

• OS hardening guides from the NSA

• Windows:

• OS X

• Security tips from the NSA for all OS's

Page 31:

Advanced: OS Isolation

• Portable (live) OS

• Portable apps

• Virtual machines

• Only an "air gap" is safe for mission-critical data!

Page 32:

OS Specific Considerations

• OpenBSD: when security is mission-critical

• Linux

• Windows Server 2008

• Windows XP

• Windows 7

• OS X

Page 33:

Securing your smartphone

• Notes on locking:

• Only protects against casual theft

• Cloud storage risks

• Remote wipes

Page 34:

Part 5: Secure Organizations: physical security, social engineering, and other considerations

Page 35:

Physical security

• Human factors

• Physical security

• International travel

• Asset management & theft prevention

Page 36:

Social Engineering

• Inside threats

• Social engineering

• "Need to access" policies

Page 37:

Advanced: Threat discovery

• Process Explorer

• Rootkit detectors:

• Microsoft: RootkitRevealer

• Avast: GMER

• Rootkit Hunter (rkhunter, for Unix)

Page 38:

Conclusion: Limitations of Information Security

• Limitations of software measures

• Limitations of hardware measures

• Cost vs. benefit of security measures

Page 39:

The End

Technologies mentioned in this presentation have links to more information; get a copy of the PowerPoint from me ([email protected]).