IT Security for the Physical Security Professional
Dave Tyson, MBA, CPP, CISSP
Angela Swan, CISSP
November 18, 2005
Speakers
Dave Tyson CPP, CISSP, MBA: CSO for City of Van; National CIO Subcommittee for Info Protection; 2006 Chair, ASIS International IT Security Council
Angela Swan CISSP: CUCBC Security; City of Van IT Security Manager; supervised IT Security for HSBC Bank Canada; Network and security for the New West PD
Agenda
Introductions
Overview of IT Security – debunk some myths and terminology
Technical stuff
Break
Enterprise Security
Lunch – Keynote Speaker
What you can do
Where you can help today
Some checklists and other resources
Changing Threat Paradigm for Physical Security
Physical security had been chiefly responsible for fraud, theft and harassment issues in the workplace
New people in the organization are responsible for security “stuff” who may not have specific security backgrounds
The Future… Why should you care?
850 Million end points on the Internet (2004)
2.3 Billion Cell Phones
When the 3rd generation network is fully deployed and all cell phones are internet devices, the internet will be triple the size with fewer protections
HSPD 12
What does this mean on the risk side of the equation?
What gets worse?
Fraud
Harassment
Stalking
Identity theft
Phishing & Pharming
SPAM
Viruses
Delivery of Spyware, Trojan horses and Adware
What gets easier?
What it takes to perpetrate these activities
Committing the same crimes in a new way
The Real Problem
The average Physical Security Professional knows very little about these issues at this time!
Risks are Everywhere
Keystroke Loggers
Sharepoint
National Bank
IBM
Backup tape losses
Hundreds of computers unaccounted for in the federal government
Federal Government
The 2004 Report to Parliament from the Privacy Commissioner details the loss of 330 computers from agencies and departments such as: RCMP, Canadian Space Agency, CCRA, DND, Corrections, Refugee Board and others
Laptop Theft
More than 600,000 laptops reported stolen in 2004 – Safeware insurance
720 Million Dollars in losses; 5.4 Billion Dollars in theft of proprietary information
Chances of having a laptop stolen are 1 in 10 – Gartner Group
80% of all laptop thefts are internal and 73% of companies do not have laptop specific policies – Gartner
80% of companies surveyed acknowledged financial losses due to computer breaches – CSI/FBI Computer Crime Survey 2005
Caveats
Technology can be complicated, so we may make some generalizations during the presentation to aid in learning
Ask questions as we go, because we will build on knowledge learned as the session goes on – 2 or 3 slides might be a bit painful, but ask lots of questions and you will get there!
Basic Philosophy
Confidentiality of Data
Availability of Data
Integrity of Data
Security is a weakest link discipline – find the vulnerability by asking the correct questions and you can now close the hole
Basic Philosophy
Security Concept    Physical Security World                                    IT Security World
Access Control      Buildings / Assets                                         Servers / Data
Authentication      Picture ID, Alarm Code                                     User ID / Password
Authorization       Access Control List / Badge, Personal Recognition, Keys    Access Control List / Profile
Confidentiality     Physical Information                                       Electronic Information
Smoke & Mirrors
Information provides power
IT people generally have little interest in security or they “know all about it”
In general, security is not well built into IT systems or is turned off by default for ease of use or setup
Risk assessment is not well done
Debunking the Mystery
IT people generally know more than physical security people about IT Security? (Security mindset is what’s important)
The fields are not concerned with the same issues?
Access Control is Access Control? Loss prevention is still the game: just the asset is different?
Terminology as a Weapon
ISP, VPN, USB, VLAN, IP, Packets, Network, Server
Be prepared for TLAs….
It’s not as bad as it looks!!
Concentric Circle Theory
Also called defense in depth
Physical Security Architecture: Physical Controls; Policy, Procedures, Standards; Emergency Response; Services; Safewalk; Investigations
The Dilemma
Security vs. Cost vs. Ease of use
Computer and Network Basics
PC / Workstation – User computer typically dedicated to a single person’s use
Laptop – Effectively a mobile PC
Server – A more powerful PC that does the jobs required by the network
Hard drive – A storage device in your computer
Computer and Network Basics
A computer is made up of hardware and software
String computers together by wires or wireless and you have a network
The Internet, or an Intranet, is really just a big network that people can go to
Computer and Network Basics
Internet – computers you can communicate with outside your network
Intranet – computers you can communicate with inside your network
IT Architecture
Logical Controls
Firewall – Outside circle – first line of defense
Access Controls
Policy, Procedures, Standards
Emergency (Incident) Response
Services: E-mail, Web Surfing
Everybody has a job to do!
Web Server, E-mail Server, Firewall, File Server
Terminology and Concepts
Internet Protocol (IP), E-mail, Web Surfing (HTTP), Applications, Databases, Firewall, DMZ / Segmentation
More Technical Stuff
Storage, Client server, Router, Cabling (Ethernet, Fibre Optic), Packets, Addressing, Modems
Break Time
Common ITS Attacks
Man in the middle, Brute Force, Spoofing, Denial of Service, Sniffer attacks, Viruses, Worms and Trojan Horses
Slammer
Source: www.wired.com
January 25, 2003: First victim 12:30am Eastern Standard Time. 12:45am: huge sections of the Internet off line. Three hundred thousand cable modems in Portugal went dark, and South Korea fell right off the map: no cell phone or Internet service for 27 million people.
Slammer knocked out more than just the Internet. Emergency 911 dispatchers in Seattle resorted to paper. Continental Airlines, unable to process tickets, canceled flights from its Newark hub.
Total cost of the bailout: more than $1 billion.
Enterprise Security
Physical Security of IT Assets, Access Control, Network Security, Disaster Recovery, Encryption, Legal, Human Resources, Telecommunications, Spyware, Computer Crime
Physical security of IT assets
Laptops, PDA, USB Storage, iPod, Monitors, Servers, Cooling and Fire Suppression
Access Control
Perimeter, AD – Directory Services, Application Access Control, DMZ, Segmentation
Network Security
Patching, Excessive Services, Servers, Database Security, Modems, Wireless, Documentation, Disposal of Technology Assets
Disaster Recovery
Network is mission critical for business resumption: payments, salaries, purchasing
Phones (VOIP)
Security systems reliant on network?
Incident Response
Custody of evidence
Law enforcement liaison
Review of alarm and access logs
Encryption
File encryption – Do not confuse this with password protecting a file
E-mail encryption – If you do not know if it is encrypted, it isn’t
Digital certificate
Digital signature
Remote access
Wireless
War driving – for fun and profit
Remote Access Security
[Diagram: a remote login exchange (“Enter your User ID: JSmith”, “Enter your Password: Iw2gstw!”, “Access Granted”) crossing the INTERNET between Your Company and a Home User. The home wireless network is also connected over the INTERNET to file sharing servers (KaZaa, BearShare, Napster) and on-line video game servers (Quake, Counterstrike, Everquest).]
Legal
Section 163 – Child Porn
Interception – Section 184 (1): Everyone who, by means of any electro-magnetic, acoustic, mechanical or other device, willfully intercepts a private communication is guilty of an indictable offence…..
Theft of Telecommunications – Section 326 (1)(b): Everyone commits theft who fraudulently… uses any telecommunications facility or obtains any telecommunication service
Human Resources
Code of Ethics
Confidentiality Agreements
Background checks on vendors and ITS consultants
Telecommunications
• Telephone Fraud – Phone Wall
• Wireless: 802.11x WiFi, Bluetooth, RIM – Blackberry, Wireless Air-cards, Evil Twins, “Netstumbler”
• Voice over Internet Protocol (VOIP)
Spyware
Broad definition could be: software that –
is installed on a user’s computer to collect information about the user or use of a computer without appropriate notice and consent,
makes unauthorized use of users’ computers and Internet connections, or
has faulty or weak user-privacy protections
Information collected or tracked can include click-stream data and user’s web browsing habits, online transaction information (such as credit card numbers), user names, passwords, etc.
Keystroke Loggers (a.k.a., Keyloggers or Snoopware)
Software that runs in background, recording all keystrokes of user
Installation Methods of Spyware
Drive-by downloads – automatic download to computer, often without knowledge or consent; can be initiated by visiting a web site or viewing an HTML e-mail message
Bundling – installation takes place along with another application, e.g., some peer-to-peer file sharing applications and some screensavers
Deception – installation occurs when user clicks on a deceptive window, e.g., pop-up window that resembles a request from a reputable organization
Negative Effects of Spyware
Loss of privacy, including potential for identity theft
Loss of control, including potential for: redirect of “home” and “search” pages; increased number of advertisements; hijacking of browser or Internet connection; difficulty in removing unwanted software
Decreased desktop productivity: potential to slow down a user’s Internet connection; potential to impact user’s ability to install applications
Computer Crime
Dramatic increase in cyber crime – 20 minutes to 12 seconds in 1 year
Identity Theft
Access to confidential information
The only change is the location of the asset
LUNCH
What you can do!
Security awareness, Wireless, Cybercrime reduction, Data centre security, Personnel security, Threat and Risk Assessment
Security Awareness
Talk to users about risks to equipment, data, personal information and competitive info, including inadvertent disclosure
Repetition is the key – new employee orientation is still important
Evangelize incidents when they do occur
When servers go down, find out why. This may be a source of information to support more security
Wireless
Determine if a policy exists at your workplace on wireless – communicate the risks if not
Assist in identifying rogue wireless equipment
Support possible encryption solutions
Cybercrime Reduction
Work together to look for signs of cyber crime – 2 departments are better than 1
Security awareness sessions should include spyware awareness and how this can affect cyber criminals’ ability to victimize
Firewalls
Antivirus
Anti spyware
Know what you download – read the licensing agreement
Data Centre Security
Review data centre environmental controls and procedures: HVAC, Power, Data, Tape removal
Networking equipment: Cable Rooms, Network closets
Personnel Security
System Administrators and DBAs: increased privileges and access create potential mission critical risks if the employment relationship degrades – prepare differently
Background checks on all persons who will get elevated privileges
Techies have all kinds of information storage devices
Threat and Risk Assessment
Add ITS items to building TRA: Open ports in public areas; Access to desktops by unauthorized persons; Wireless hotspots; Storage areas of IT assets; Physical security controls of IT areas; Fire suppression issues in data centres; Privacy impacts
ITS Standards
ISO 17799, COBIT, NIST, Orange Book
Top 20 ITS Vulnerabilities
Desktop Security
Password Choice
Password Sharing
Insecure User ID and Password
Excessively logged in machines
Wireless
USB Storage
Portable devices w/o passwords
Access control to equipment
No background checks on administrators
Patch Installation
Excessive Services
Stale user pool
Unauthorized privileges
Too many power users
Bad installations
Insecure coding
Plain text authentication
Remote access back doors
Logs not audited
ISO 17799
Security Policy
Security Organization
Personnel Security
Asset Classification and Control
Physical and Environmental Security
Communications and Operations Management
Business Continuity Planning
System Development and Maintenance
Access Control
Compliance
Break
Where you can help – Today?
TRA, Cyber Investigations, Loss Prevention – Hardware, Confidentiality, Desktop Security, Security Awareness
Security Awareness Checklist
Inappropriate Content: Education, Filtering
Equipment
Web mail: MSN, Yahoo
Passwords: Selection, Protection
Hardware: Laptops, Palm pilots, USB Storage devices, LCD, cell phones
Privileges: Termination or leave, Transfer between departments
Security Awareness Checklist
Good Practices: Locking workstation when away; Don’t share passwords or IDs; Naming servers
Dangerous items: Keyloggers; Wireless access; Easy to remove storage devices; CD writers
Spyware Checklist
Use defense mechanisms
Don’t allow free programs
Lock down desktop – day-to-day tasks do not require Administrator privileges
Recognize deceptive software
Recognize signs of spyware in action: Slow performance; Browser hijacking; Pop ups; Clicking sounds or lights flashing when computer not in use
Technical Checklist
Non-standard ports should be closed unless required to be open – Who/what is using these ports? i.e. port 51015 is open for no reason
Turn off default or unnecessary services
• Echo
• Chargen
• Discard
• HTTP
Move away from clear text authentication services
• FTP (should never communicate with the outside world directly using plain text authentication)
• Telnet (Use SSH or SFTP instead)
Make sure you’re running updated versions of software with current patches, especially if you are running web servers, i.e. Apache
Make friends first
Technical Checklist
No unencrypted administrator passwords left on servers
Everything of value needs a password, especially admin accounts
No surfing the web with administration accounts
Reduce the opportunity for arbitrary code to be able to run
Registry should not be writable for non-admin users
Technical Checklist
Avoid allowing anonymous connections
Turn off unnecessary web servers (Tivoli Storage web server, Apache, other)
SNMP community strings – should be disabled or set to private, make sure the version is patched or up to date
Passwords should not be “hard-coded” into applications
Wireless is simply dangerous!
Website Resources
www.securityfocus.com
www.issa.org
www.isaca.org
www.sans.org