ITSolutions|Currie Network Security Seminar
Transcript of ITSolutions|Currie Network Security Seminar
COMPUTER NETWORK SECURITY
For Small to Medium Sized Organizations
Speaker: James Dempsey
Contact: [email protected]
Phone: 209-578-9739
Why are we here?
Score  Category
179 Security and data protection solutions
171 SPAM filtering
170 Network monitoring
165 Disaster recovery plans and tools
163 Virtual Server technologies
159 Pro-active network maintenance
157 Emergency network service
156 Power backup solutions
147 Digital records retention
141 Storage solutions
135 Workstation imaging
127 Internet monitoring solutions
Getting started
Please turn off cell phones
Bathrooms
Myth:
“I don’t have anything a hacker would be interested in.”
“Money is driving the growth of targeted attacks against financial institutions, enterprises, and governmental agencies”
- ComputerWeekly.com
Revenues from cybercrime, at $1 trillion annually, are now exceeding those of drug crime.
This was the testimony from AT&T’s Chief Security Officer Edward Amoroso, which he gave to a US Senate Commerce Committee
- ComputerWeekly.com
Myth:
“Hackers are usually just geeky kids screwing around.”
C2C – Criminal-to-Criminal
Criminal #1 creates a crimeware toolkit with easy, step by step instructions… and sells it
Criminal #2 buys the toolkit, and uses it to collect private data… and sells it
Criminal #3 buys the private data, and exploits it for profit
What is at risk
Your money
○ Hackers steal from companies all the time
Your data
Your identity
○ Once your system has been compromised, you have lost control of your personal information.
Your hard earned reputation
MalWare / SpyWare
Malware, short for malicious software, is software designed to infiltrate or damage a computer system without the owner's informed consent.
- Wikipedia
It’s all in our heads?
Have you been hacked?
How does that make you feel…
Dealing With Specifics…
How, exactly, can this affect my organization?
The setup…
Sign Designs is a well established, responsible local company
They work with the Bank of Stockton, a well known and responsible institution
They contract with an independent, local computer consultant
All employees have internet and email access
They did not embrace a proactive security/stability maintenance program
They have never had any form of network security audit or review
On July 23, 2009, Sign Designs lost nearly $100,000 when cyber-crooks initiated a series of transfers to 17 accomplices at 7 banks around the country.
- http://voices.washingtonpost.com/securityfix/2009/09/more_business_banking_victims.html
The Repercussions
Employee morale issues – was it an inside job?
○ The FBI is interviewing all employees
The FBI confiscates key equipment, causing further business disruption
The banks seldom return money stolen from businesses in this fashion
If confidential data is stolen as well, the business must report the theft to all affected clients, vendors, and employees
SB-1386
Senate Bill 1386, operative since July 1, 2003, requires all businesses to report any loss of confidential data.
“a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
Fines of up to $250,000 and/or a 5-year prison sentence
Attack Profile
Malware specializing in on-line banking hacking
#1
Zeus – Crimeware for sale
Zeus is a Trojan “kit”
Average black market price: $700
Very mature with > 70,000 variants
• Does not have the right to distribute the product in any business or commercial purpose not connected with this sale.
• May not disassemble / study the binary code of the bot builder.
• Has no right to use the control panel as a means to control other bot nets or use it for any other purpose.
• Does not have the right to deliberately send any portion of the product to anti-virus companies and other such institutions.
• Commits to give the seller a fee for any update to the product that is not connected with errors in the work, as well as for adding additional functionality.
“In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to anti-virus companies.”
Zeus – Helps a hacker to:
Detect when banking information is being entered
View screen shots real-time and remotely control what is shown on the monitor
Steal passwords and other log-in information using advanced key loggers
Encrypt stolen information, then transmit it to the attacker’s servers
Zeus according to Symantec: http://www.youtube.com/watch?v=CzdBCDPETxk&feature=related
URLZone – More Complex…
Checks with a central server for updated instructions, regularly
Watches for HTTPS web traffic
If the Web site matches the banking portal targeted, the malware will capture screenshots from the victim’s computer and send them to a command and control server
http://www.finjan.com/MCRCblog.aspx?EntryId=2345
http://blogs.techrepublic.com.com/security/?p=2464&tag=nl.e036
URLZone – Very specific…
When the user confirms the financial transaction, URLZone changes the account number and amount
The banking portal receives the transaction information and completes the transfer
URLZone presents the transaction information the user expects, to avoid suspicion.
As far as the victim knows, the transaction was a success, which it was. It’s just that the amount of money is most likely different and the money was transferred to a money mule account, not where the victim intended
Attack Profile
Malware specializing in on-line banking hacking
#1
#2
Crimeware toolkit for “drive-by” download
LuckySploit
A webpage is “armed” with LuckySploit
It checks to see if visiting computers are missing security patches in:
○ Internet Explorer, FireFox, Opera
○ Adobe Flash, Acrobat Reader
○ Numerous Microsoft vulnerabilities
Exploits identified vulnerabilities to deliver the “payload”
http://www.finjan.com/MCRCblog.aspx?EntryId=2213
Attack Profile
#1
#2
Crimeware toolkit for “drive-by” download
#3
A way to trick you into getting to my hacked webpage
Spam + Social Engineering
Attack Profile
#1 – URLZone Trojan
#2 – Website armed with LuckySploit
#3 – Social Engineering
How can you protect yourself
Be proactive about software patch management
Use business-class anti-virus / anti-malware software
Filter your email
Deploy a business-class firewall
Restrict internet access
Use Group Policies to control workstation security
A password policy is a must!
Understand and secure all remote access points
Wireless Access Points (watch for rogues!)
There is a big difference between being
Proactive
and
Reactive
Patch Management
Know where you are vulnerable!
All Microsoft software – workstations and servers
All Macs
Key 3rd party applications
○ Adobe Acrobat
○ Adobe Flash Player
○ Java
○ iTunes
○ QuickTime
Microsoft Patch Management
Manual deployment
○ Very time consuming
○ Difficult to do consistently
Automatic deployment – independent workstations
○ Success must be tested monthly using special tools
○ No granular control
○ May impact internet bandwidth if multiple PCs download simultaneously
WSUS
○ Free from Microsoft!
○ All workstations report success/failure to a central console
○ You can choose what patches to deploy
○ You can choose to have only the server download the patches
○ Server pushes patches to workstations
○ May take 20-60GB of hard disk space – Use an inexpensive USB drive
3rd Party Applications
The secret to success: You need a plan!
Updates can be pushed out through Group Policy
Create an update checklist spreadsheet

Apps to Update:
Workstation   Acrobat Reader  Flash     Java      iTunes    Quicktime
HRStation1    09/15/09        08/10/09  09/15/09  08/10/09  09/15/09
Acct01        09/15/09        08/10/09  09/15/09  08/10/09  09/15/09
Acct02        09/15/09        08/10/09  09/15/09  08/10/09  09/15/09
Prod01        09/15/09        08/10/09  09/15/09  08/10/09  09/15/09
Prod02        09/15/09        08/10/09  09/15/09  08/10/09  09/15/09
Prod03        09/15/09        08/10/09  09/15/09  08/10/09  09/15/09
Sales01       08/10/09        08/10/09  08/10/09  08/10/09  08/10/09
Sales02       08/10/09        08/10/09  08/10/09  08/10/09  08/10/09
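The checklist spreadsheet above is only useful if someone actually reads it for stragglers. As an added example (not part of the seminar material), this Python script takes a checklist transcribed from the slide, treats the newest date seen for each application as the current baseline, and reports workstations that are behind that baseline or older than a chosen age; the workstation rows and the date format are taken from the slide, the 45-day threshold is an assumption.

```python
from datetime import datetime

# Column order of the update checklist spreadsheet shown on the slide.
APPS = ["Acrobat Reader", "Flash", "Java", "iTunes", "Quicktime"]

# A subset of the slide's checklist, transcribed as whitespace-separated rows (MM/DD/YY).
CHECKLIST = """\
HRStation1 09/15/09 08/10/09 09/15/09 08/10/09 09/15/09
Acct01     09/15/09 08/10/09 09/15/09 08/10/09 09/15/09
Prod01     09/15/09 08/10/09 09/15/09 08/10/09 09/15/09
Sales01    08/10/09 08/10/09 08/10/09 08/10/09 08/10/09
Sales02    08/10/09 08/10/09 08/10/09 08/10/09 08/10/09
"""

def parse_date(text):
    """Parse the slide's MM/DD/YY format into a date object."""
    return datetime.strptime(text, "%m/%d/%y").date()

def parse_checklist(text):
    """Return {workstation: {app: last_update_date}}; reject malformed rows."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:          # tolerate blank lines from a spreadsheet export
            continue
        if len(fields) != len(APPS) + 1:
            raise ValueError(f"expected {len(APPS)} dates after the name: {line!r}")
        name, *dates = fields
        table[name] = dict(zip(APPS, map(parse_date, dates)))
    return table

def lagging_workstations(table):
    """Per app, the newest date on any workstation is the baseline; list apps behind it."""
    latest = {app: max(row[app] for row in table.values()) for app in APPS}
    return {name: [app for app in APPS if row[app] < latest[app]]
            for name, row in table.items()
            if any(row[app] < latest[app] for app in APPS)}

def overdue_workstations(table, as_of, max_age_days):
    """List apps on each workstation not updated within max_age_days of as_of (MM/DD/YY)."""
    cutoff = parse_date(as_of)
    return {name: [app for app in APPS if (cutoff - row[app]).days > max_age_days]
            for name, row in table.items()
            if any((cutoff - row[app]).days > max_age_days for app in APPS)}

if __name__ == "__main__":
    table = parse_checklist(CHECKLIST)
    for name, apps in lagging_workstations(table).items():
        print(f"{name}: behind the baseline on {', '.join(apps)}")
    for name, apps in overdue_workstations(table, "10/01/09", 45).items():
        print(f"{name}: older than 45 days: {', '.join(apps)}")
```

Run against the slide's data it flags Sales01 and Sales02 as behind on Acrobat Reader, Java and Quicktime; the age check separately shows that Flash and iTunes were stale on every workstation by October 2009.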
Antivirus Software
The reality…
It is intrusive
It slows down your computers and network
It must be monitored and maintained
It occasionally creates compatibility issues
There are annual renewal fees
… and you can’t live without it. Period.
Business Class Antivirus
Workstation status and licensing can be managed from a central software “console”
○ You don’t need to touch 20 workstations to check status
Central policies can be “pushed” down from the server
○ IE: All workstations are to do a full scan once per week, and users aren’t able to cancel the scan
You can “Exclude” critical files and directories from virus scans
○ This can help performance significantly, and prevents instability and corruption issues
Business Class Antivirus
Scan Policies
Real Time Scanning
○ Protecting your system 24/7
○ Typically scans only the most dangerous file types and locations
Scheduled Scanning
○ Typically scans everything, beginning to end
○ Has a performance impact on the workstation
○ Users can be broken into groups with scans occurring at convenient times
Email – A Primary Portal
Minimize your exposure by breaking your users into groups
Group A – Internal email access only
Group B – Can receive email from “outside” the company
Spam Filtering
Spam has become a primary delivery point for malicious code
Several things to watch for:
Hyperlinks that direct you to unknown places on the web
Attachments that carry a malicious payload
Social Engineering – The art of tricking a human into performing an action or providing information they typically wouldn’t
○ IE: Critical Microsoft Patch!
Spam Filtering
Methods of protection
Install spam filter software on each workstation
Install spam filter software on your e-mail server
Route all company email through a spam filter “appliance”
○ Barracuda
Route all email through a spam filter service (a 3rd party)
○ Spam-a-Side
○ Only cleaned emails will be received by the company
○ Lock your firewall down to only receive email from the host
Business Class Firewall
Why a simple home-class firewall isn’t always sufficient
[Diagram: A basic firewall “pin holed” to allow public email. Traffic from “The Cruel, Hard World (a/k/a: The Internet)” arrives at the door of the Trusted Network Resources: Web Request – Locked! FTP – Locked! E-Mail (?) – let straight in.]
Firewall: “Where to?”
E-Mail: “An email server.”
Firewall: “Well then surely you must be a safe, secure message from a legitimate source! First door to your right!”
E-Mail: “Umm… Gee, thanks! That was easy…”
A Business Class Firewall Looks Inside the Data Packet
[Diagram: A Business-Class firewall “pin holed” to allow public email. Same scene: Web Request – Locked! FTP – Locked! E-Mail (?) – inspected at the door before entry.]
Firewall: “Where to?”
E-Mail: “An email server.”
Firewall: “Ok. I’ll need your name, ID#, shoe size, and a DNA sample.”
E-Mail: “Umm… Gee, ok… Don’t you trust me?”
Firewall: “Is that an attachment? That type isn’t allowed. It stays at the door.”
Firewall: “Soon. Please step behind the privacy screen and hand me those latex gloves…”
*Squeak!*
Firewalls Oversimplified
Three major firewall classes:
#1 – Simple home/small business ($80-$200)
○ Helps to hide you on the internet
○ “Locks the doors” from the public side
#2 – Business Class ($450-$900)
○ “Layer 7 protection” – It looks inside the data packets to be sure they aren’t “mal-formed”
○ Strips out inappropriate content (IE: Dangerous attachments)
○ Includes extra layers of protection: Web Blocking, Antivirus Border Protection
#3 – Corporate Class ($1200-$???)
○ Much greater bandwidth
○ The ability to support many branch offices and VPN connections
○ Advanced security, routing, and configuration features
Firewalls – What do you need?
Simple firewalls work if you:
○ Have no “in-bound” data traffic
○ Have another way to control internet usage
Web blockers don’t just prevent internet abuse…
Business Class firewall is appropriate if you:
○ Host Email, public Web Server, or FTP Server
○ Need to control outbound access as well as inbound
○ Have a server and need to control web access based upon Active Directory Group membership
Myth:
“Only people who go to ‘bad’ websites get spyware.”
Restricting Web Access
Only give access to people who really need it
Restrict people to explicitly approved sites
Use a Web Blocker
○ Break your users into groups. IE:
- Management – Full Access
- Day Crew – Partial Access
- Night Crew – Restrict to only approved sites
Consider a web usage monitor – Cymphonix
Choosing a Firewall
Protection                                  Basic  Business Class  Corporate Class
Stateful Packet Inspection (Required)       X      X               X
Internal Email Server Protection (Proxy)           X               X
Internal Web Server Protection (Proxy)             X               X
Internal FTP Server Protection (Proxy)             X               X
Need to control user groups differently            X               X
WAN Failover                                       X               X
Web Blocker Controls                               X               X
Antivirus Border Protection                        X               X
Advanced BOVPN Management                                          X
More than 50 Users                                                 X
Complex Routing                                                    X
Password Policies
Passwords are the keys to your network
Policies are centrally controlled through Group Policy:
Password changes – How often?
Account Lockout
○ If you strike out 10 times, you’re locked out for 10 minutes
Password Complexity
Security is an active part of your
company culture
… or it isn’t …
There are two ways to learn about network security vulnerabilities:
A Trained Professional
- or -
A Trained Professional
Engaging a Professional
Begin with a network audit
Clearly define responsibilities
Choose an engagement method
Methods of Engagement
Reactive
○ “I’ll call for help if I think I’ve been hacked”
Scheduled, proactive maintenance
○ Allocates time and resources to address core issues
○ Be sure there is a plan that addresses all issues
○ Work with the consultant! Ask questions!
Managed services
○ A true partnering and aligning of business models
Several More Security Myths
I have a firewall so I’m protected
I have virus protection software so I’m OK
I can protect myself once and be OK forever
My Mac doesn’t have all of these security issues
Serious Suggestions
Audit your internal network
Audit external access
Restrict access as much as possible
Update everything, proactively, regularly
Use strong passwords
Implement a proactive maintenance plan
Engage a professional
Questions?
Please!!!
Please fill out the evaluation form! On the bottom of the evaluation, there is an opportunity to request more info about network security
Survey
Next seminar topic