security and privacy of data - media.govtech.netmedia.govtech.net/govtech_website/events/...security...


Page 1: Security and Privacy of Data - media.govtech.netmedia.govtech.net/GOVTECH_WEBSITE/EVENTS/...Security = Culture!! Security is a BUSINESS issue, NOT a technical issue!! • Administrative
Page 2

Security and Privacy of Data

Trends and Solutions

July 31, 2007

Page 3

So many issues, so little time…

• Attacks on users

• Attacks on (web) applications

• Attacks on physical devices

• Attacks on mobile devices

• Attacks on facilities

• Challenge of administrative completeness

• Closing: Information Security Strategy

Page 4

Takeaways:

• There are no silver bullets

– You need a defense-in-depth strategy (layers)

• Email Phishing is (STILL) a gathering storm

• Physical security is key

• The challenge of Administrative Completeness

Page 5

Security = Culture!!

Security is a BUSINESS issue, NOT a technical issue!!

• Administrative Policies / Procedures

• Physical Access Controls

• Technical Security Controls

Page 6

Secure System Defined:

• “A secure system is one we can depend on to behave as we expect.”

– Source: “Web Security and Commerce” by Simson Garfinkel with Gene Spafford

• Confidentiality

• Integrity

• Availability

Page 7

Information Security Strategy

• Protect

• Detect

• (Test and Verify)

• Respond

• Remediate damage

Page 8

“Amateurs hack systems, professionals hack people.”

Page 9

Attacks on Users

• “Employees pose biggest security risk”

– Simple Nomad

• SANS NewsBites, July 17, 2006, Vol. 9, Num. 56, TOP OF THE NEWS

• http://www.darkreading.com/document.asp?doc_id=129122&WT.svl=cmpnews1_1

Page 10

Social Engineering Defined

• Per the Hacker’s Jargon Dictionary:

“Term used among crackers and samurai for cracking techniques that rely on weaknesses in wetware rather than software; the aim is to trick people into revealing passwords and other information that compromises a system’s security.”

Page 11

Telephone Attacks

Pretext calling

• Impersonation

– “Hi this is Bill from Geek Squad. I am working with…”

• Intimidation

– “I need to get this _______ today or else…”

• Persuasion

– “I need your help. I am trying to…”

• Think telemarketer’s script…

Page 12

E-mail Attacks - Spoofing and Phishing

• Impersonate someone in authority and:

– Ask for information via e-mail

– Ask them to visit a web-site

• Examples

– Better Business Bureau complaint

– http://scmagazine.com/us/news/article/660941/better-business-bureau-target-phishing-scam/

– Microsoft Security Patch Download

– http://www.scmagazine.com/us/news/article/667467/researchers-warn-bogus-microsoft-patch-spam/

Page 13

Dumpster Diving (Trashing)

• Outdated hardware

• Disks and tapes

• Phone books

• Organization charts

• Company policy manuals

• Reports or system print-outs

• Memos

• Calendars (of meetings, events, vacations)

• Technical system manuals (Kevin Mitnick method)

Page 14

Physical Penetration

Compromise the site:

• Friendly folks willing to help:

– “Can you get the door for me?”

• Employees who lack awareness

• Poorly designed facility

• Poor (or lacking) administrative procedures

Plant devices:

• Keystroke loggers

• Wireless access point

• Thumb drives (“Switch Blade”)

Page 15

Policies – the Beginning of CULTURE

• Helpful to remove judgment from employees – items outside policy are strictly forbidden!

– Why it is important

• Include:

– Internet / Email use

– Password expiration / complexity rules

– Use of enterprise passwords

– Unauthorized software and hardware

◊ Modems and Wireless Access Points

– Unattended log-in sessions

– Accountability for violations (posting)

– Authenticate and Validate the visitor

Page 16

Physical Security

• Segment buildings – Public vs Private

• Controls on access software

• Procedures for new, changed, terminated access

• Secure shredding

Page 17

Physical Security

• Conspicuous, difficult to copy badges

• 2 factor authentication (e.g. card swipe plus PIN)

• Console locks / screensaver passwords

• Employee awareness!!

Page 18

Resources – Attacks on Users

• SecurityFocus 2-part series:

http://online.securityfocus.com/infocus/1527

http://online.securityfocus.com/infocus/1533

• CERT Advisory CA-1991-04: www.cert.org/advisories/CA-1991-04.html

• SANS Institute: http://rr.sans.org/social/social.php

Page 19

More Resources – Attacks on Users

• Computer Security Institute:

http://www.gocsi.com/soceng.htm

• Methods of Hacking: Social Engineering – by Rick Nelson: http://www.isr.umd.edu/gemstone/infosec/ver2/papers/socialeng.html

Page 20

Attacks on Web Applications

• No different than traditional vulnerabilities

• Error in code allows attacker to do “something”

– NOT what it was designed to do!

Page 21

Why?

• Because firewalls and other defensive measures work!

• Objective is to attack what is remotely accessible

– Web sites

– eCommerce

– Databases behind the websites

– Office applications attacked via email

Page 22

How many?

@RISK: The Consensus Security Vulnerability Alert
July 10, 2007, Vol. 6, Week 28

Platform                                  Number of Updates and Vulnerabilities
Other Microsoft Products                  3
Third Party Windows Apps                  7
Linux                                     11
Unix                                      1
Cross Platform                            11 (#1, #2, #3)
Web Application - Cross Site Scripting    8
Web Application - SQL Injection           20
Web Application                           19
Network Device                            1 (#4)

http://www.sans.org/newsletters/risk/

Page 23

5 Broad Categories of Web Application Attacks

• Remote code execution

• SQL injection

• Format string vulnerabilities

• Cross Site Scripting (XSS)

• Username enumeration

http://www.securityfocus.com/infocus/1864
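An added example (not from the deck) showing two of the categories above, SQL injection and username enumeration, in a login routine: the string-built query beside the parameterized one, and failure messages that reveal which accounts exist beside a single uniform message. The in-memory SQLite table, the user “alice”, and the message wording are assumptions.

```python
import hashlib
import hmac
import sqlite3

def make_db():
    """Constructed sample user table in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    # SHA-256 keeps the example short; a real system uses a slow password hash.
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("alice", hashlib.sha256(b"correct horse").hexdigest()))
    db.commit()
    return db

def login_vulnerable(db, name, password):
    """The 'error in code' case: user input is pasted into the SQL text, so a
    crafted name changes the query instead of being compared as data, and the
    two different failure messages tell a caller which usernames exist."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND pw_hash = '" + digest + "'")
    if db.execute(query).fetchone():
        return True, "Login successful"
    exists = db.execute("SELECT 1 FROM users WHERE name = '" + name + "'").fetchone()
    return False, "Wrong password" if exists else "Unknown user"

def login_hardened(db, name, password):
    """Parameterized query: the driver passes the name as a value, never as SQL.
    One failure message and a constant-time compare, whether or not the user exists."""
    row = db.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    stored = row[0] if row else "0" * 64          # dummy digest when the user is unknown
    supplied = hashlib.sha256(password.encode()).hexdigest()
    ok = hmac.compare_digest(stored, supplied) and row is not None
    return ok, "Login successful" if ok else "Invalid username or password"

if __name__ == "__main__":
    db = make_db()
    # A name ending in a quote and a SQL comment marker changes the string-built query...
    print(login_vulnerable(db, "alice' --", "anything"))   # (True, 'Login successful')
    print(login_hardened(db, "alice' --", "anything"))     # (False, 'Invalid username or password')
    # ...and the two distinct failure messages reveal which accounts exist.
    print(login_vulnerable(db, "bob", "x"), login_vulnerable(db, "alice", "x"))
```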

Page 24

More Email Phishing???

#1 attack vector:

• Email “Spear Phishing”

• Sometimes called “targeted trojan”

• Yet another attack that puts pressure on USERS

http://www.antiphishing.org/

Page 25

Office applications

• Targeted as much as web applications

• Email can deliver malicious code (Trojan) or malicious links (spear phishing) that exploit office applications, such as Excel, Word, PowerPoint, etc.

• In the last 2 months we have seen a drastic swing from Word documents, to PDF files, and just in the last couple of days Excel files.

http://www.securityfocus.com/brief/556

Page 26

The Future of Vulnerabilities?

The trend in “disclosures”…

• Zero Day Threats

• Less than Zero Day Threats

• Vulnerability bounty programs

• Vulnerability auction sites

Page 27

Attacks on Physical Devices

• Keystroke loggers

• USB hard drives

• CD/DVD burning

Page 28

Attacks on Physical Devices

Key protection strategies

• Strong policies to drive the culture

– Principle of Minimum Access and Least Privilege

• Use OS settings to enforce policies and to monitor activities

Page 29

Attacks on Mobile Devices

• Proliferating at a high rate

• Attackers developing exploits to match proliferation

• Anyone have an iPhone?

– http://www.securityfocus.com/brief/552

Page 30

Attacks on Mobile Devices

Key protection strategies:

• Strong authentication

• Authentication for “sleep” mode

• Policies for storing data

• Ability to “wipe” if lost or stolen

Page 31

Encryption Challenges

• Relative lack of widespread solutions

• Interacting with others

• Performance lags

• Impaired search

• Application dependencies

• Stored credentials – provide access to keys

Page 32

Attacks on Process

• Compared to banking, non-regulated environments have “enjoyed” lack of scrutiny - this is changing.

• In the news:

– Senate hearings

◊ http://www.securityfocus.com/news/11472

– Government agencies get a C-

◊ http://www.securityfocus.com/news/11458

– County web site (Ohio)

◊ http://www.ohio.com/mld/beaconjournal/news/state/17536759.htm

– Back up tapes

◊ http://toledoblade.com/apps/pbcs.dll/article?AID=/20070720/BREAKINGNEWS/70720026

Page 33

Attacks on Process

• Mounting political pressure to react to data breaches and identity theft

• Privacy Rights <dot> org: http://www.privacyrights.org/ar/ChronDataBreaches.htm

• Minnesota Law: http://www.revisor.leg.state.mn.us/bin/bldbill.php?bill=S1574.2.html&session=ls85

Page 34

Information Security Strategy

“The Song Remains the Same”

• Protect

• Detect

• Test and Verify

• Respond

• Remediate damage

Page 35

Four Step Program: Network Security

• Strong Policies and Standards – Create Culture

• Minimize / Maintain Services - No Default Open

• Secure the Perimeter

• Secure Internal Systems - Hardening

Page 36

Strong Policy

• Provide the backbone for security

• Demonstrate management’s commitment

• Protect from “social engineering”

• Should become part of organization’s “culture”

Page 37

Strong Policies

Two specific policies:

• Back office

• End users

Page 38

Policy as Culture

• Awareness training is critical

• Should be attended by upper management

– upper management should at least make some short remarks about the importance of the training

Page 39

Minimize / Maintain Services

• Each service provided over the Internet has inherent vulnerabilities

• “Default” services especially at risk

– SMTP

– telnet

– FTP / tFTP / anonymous FTP

– HTTP

• Understand risks accepted for services left “open”

Page 40

Minimize / Maintain Services

• Updated patches

• 99% of intrusions exploit known vulnerabilities

• Only 3% of business networks have all the latest Microsoft patches!!!

Page 41

Minimize / Maintain Services

• Shifting focus to Web Applications

• Keep them updated

• Include them in security audits

• Open Web Application Security Project

– www.owasp.org

Page 42

Secure the Perimeter

• Firewall rules to enforce service minimization

• Periodic test of firewall integrity

– Penetration testing supplemented by vulnerability scanning

• On-going monitoring

– Properly configured IDS

– Firewall / router logs – critical to forensics!!!

• Do you know where your modems are?

– Refer back to policies!!

– Vendor dial up?

• Do you have wireless? How do you know?
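An added example (not from the deck) of what on-going monitoring of firewall logs can check for: whether inbound connections to the “default” services the deck names (SMTP, telnet, FTP, tFTP, HTTP) are still being accepted, which means the rules are not enforcing service minimization, and which sources are having dropped attempts against many ports. The log lines are constructed in iptables syslog style, and the port list, tag format and scan threshold are assumptions.

```python
import re

# Services the deck calls "default" and especially at risk, keyed by port (assumed mapping).
DEFAULT_SERVICES = {25: "SMTP", 23: "telnet", 21: "FTP", 69: "tFTP", 80: "HTTP"}

# Constructed sample lines in iptables/netfilter syslog style; not real traffic.
SAMPLE_LOG = """\
Jul 31 09:58:01 fw kernel: [FW-ACCEPT] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=443
Jul 31 09:58:03 fw kernel: [FW-ACCEPT] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=23
Jul 31 09:58:09 fw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=21
Jul 31 09:58:10 fw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22
Jul 31 09:58:11 fw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23
Jul 31 09:58:12 fw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=25
Jul 31 09:58:13 fw kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=80
Jul 31 09:58:20 fw kernel: [FW-ACCEPT] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.11 PROTO=UDP SPT=3000 DPT=69
"""

# The [FW-...] tag is the assumed log-prefix; SRC= and DPT= are standard netfilter fields.
LINE_RE = re.compile(r"\[FW-(?P<action>ACCEPT|DROP)\].*?SRC=(?P<src>\S+).*?DPT=(?P<dpt>\d+)")

def parse(log_text):
    """Reduce each firewall line to (action, source address, destination port)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["action"], m["src"], int(m["dpt"])))
    return events

def exposed_default_services(events):
    """Inbound ACCEPTs to a default service: the rule set is not enforcing
    service minimization for that port."""
    return sorted({(dpt, DEFAULT_SERVICES[dpt]) for action, _, dpt in events
                   if action == "ACCEPT" and dpt in DEFAULT_SERVICES})

def probing_sources(events, min_ports=4):
    """Sources whose dropped attempts touched at least min_ports distinct ports:
    the shape of a scan, and the kind of record forensics later depends on."""
    ports_by_src = {}
    for action, src, dpt in events:
        if action == "DROP":
            ports_by_src.setdefault(src, set()).add(dpt)
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("accepted default services:", exposed_default_services(events))  # [(23, 'telnet'), (69, 'tFTP')]
    print("sources probing many ports:", probing_sources(events))          # ['203.0.113.5']
```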

Page 43

The Perimeter: Consider Physical Security

• Data center

• Workstations in common areas

• Laptops

• Other technology that can walk out

Page 44

Secure Internal Systems

• Assume that a knowledgeable, determined attacker will always defeat a firewall!!

• Fundamental problem: Default settings (e.g. at installation) are VERY WEAK!!

• Must ensure basic operating system security is in place to defeat attackers who successfully penetrate the network - HARDENING

Page 45

Secure Internal Systems

Hardening: Four Most Common Issues

• Excessive services running (by default)

• Weak default configurations

• Weak default authentication

• Missing patches

Page 46

Secure Internal Systems

Hardening:

• Hardening checklists from vendor

• CIS offers vendor-neutral hardening resources: http://www.cisecurity.org/

• Microsoft Security Checklists: http://www.microsoft.com/technet/archive/security/chklist/default.mspx?mfr=true

Page 47

Secure Internal Systems

Incident Response Policy

• Documentation is readily available BEFOREHAND

• Structured Procedures

• Defined communication

• Chain of command

• Escalation procedures

Page 48

Summary

• Today’s attack vectors:

– Users, Web applications, mobile devices, facilities

– Email Phishing, websites with malicious code, social engineering

• Strategy:

– Protect, Detect, Test and Verify, Respond, Remediate

• “Four Step Program”

– Strong Policies, Minimize Services, Secure the Perimeter, Harden Internal Systems

Page 49

Questions?

Randy Romes, CISSP, MCP(612) [email protected]