ITSolutions|Currie Network Security Seminar


description

Computer security is an ever changing environment. It is essential that you stay educated on how to protect yourself and your organization!

Transcript of ITSolutions|Currie Network Security Seminar

Page 1: ITSolutions|Currie Network Security Seminar

COMPUTER NETWORK SECURITY

For Small to Medium Sized Organizations

Speaker: James Dempsey

Contact: [email protected]

Phone: 209-578-9739

Page 2: ITSolutions|Currie Network Security Seminar

Why are we here?

Score  Category

179 Security and data protection solutions

171 SPAM filtering

170 Network monitoring

165 Disaster recovery plans and tools

163 Virtual Server technologies

159 Pro-active network maintenance

157 Emergency network service

156 Power backup solutions

147 Digital records retention

141 Storage solutions

135 Workstation imaging

127 Internet monitoring solutions

Page 3: ITSolutions|Currie Network Security Seminar

Getting started

Please turn off cell phones

Bathrooms

Page 4: ITSolutions|Currie Network Security Seminar

Myth:

“I don’t have anything a hacker would be interested in.”

Page 5: ITSolutions|Currie Network Security Seminar

“Money is driving the growth of targeted attacks against financial institutions, enterprises, and governmental agencies”

- ComputerWeekly.com

Page 6: ITSolutions|Currie Network Security Seminar

Revenues from cybercrime, at $1 trillion annually, are now exceeding those of drug crime.

This was the testimony from AT&T’s Chief Security Officer Edward Amoroso, which he gave to a US Senate Commerce Committee

- ComputerWeekly.com

Page 7: ITSolutions|Currie Network Security Seminar

Myth:

“Hackers are usually just geeky kids screwing around.”

Page 8: ITSolutions|Currie Network Security Seminar

C2C – Criminal-to-Criminal

Criminal #1 creates a crimeware toolkit with easy, step by step instructions… and sells it

Criminal #2 buys the toolkit, and uses it to collect private data… and sells it

Criminal #3 buys the private data, and exploits it for profit

Page 9: ITSolutions|Currie Network Security Seminar

What is at risk

Your money
○ Hackers steal from companies all the time

Your data

Your identity
○ Once your system has been compromised, you have lost control of your personal information.

Your hard earned reputation

Page 10: ITSolutions|Currie Network Security Seminar

MalWare / SpyWare

Malware, short for malicious software, is software designed to infiltrate or damage a computer system without the owner's informed consent.

- Wikipedia

Page 11: ITSolutions|Currie Network Security Seminar

It’s all in our heads?

Have you been hacked?

How does that make you feel…

Page 12: ITSolutions|Currie Network Security Seminar

Dealing With Specifics…

How, exactly, can this affect my organization?

Page 13: ITSolutions|Currie Network Security Seminar
Page 14: ITSolutions|Currie Network Security Seminar

The setup…

Sign Designs is a well established, responsible local company
They work with the Bank of Stockton, a well known and responsible institution
They contract with an independent, local computer consultant
All employees have internet and email access
They did not embrace a proactive security/stability maintenance program
They have never had any form of network security audit or review

Page 15: ITSolutions|Currie Network Security Seminar

On July 23, 2009, Sign Designs lost nearly $100,000 when cyber-crooks initiated a series of transfers to 17 accomplices at 7 banks around the country.

- http://voices.washingtonpost.com/securityfix/2009/09/more_business_banking_victims.html

Page 16: ITSolutions|Currie Network Security Seminar

The Repercussions

Employee morale issues – was it an inside job?
○ The FBI is interviewing all employees

The FBI confiscates key equipment, causing further business disruption

The banks seldom return money stolen from businesses in this fashion

If confidential data is stolen as well, the business must report the theft to all affected clients, vendors, and employees

Page 17: ITSolutions|Currie Network Security Seminar

SB-1386

Senate Bill 1386, operative since July 1, 2003, requires all businesses to report any loss of confidential data.

“a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”

Fines of up to $250,000 and/or 5 year prison sentence

Page 18: ITSolutions|Currie Network Security Seminar

Attack Profile

Malware specializing in on-line banking hacking

#1

Page 19: ITSolutions|Currie Network Security Seminar

Zeus – Crimeware for sale

Zeus is a Trojan “kit”

Average black market price: $700

Very mature with > 70,000 variants

Page 20: ITSolutions|Currie Network Security Seminar

• Does not have the right to distribute the product in any business or commercial purpose not connected with this sale.
• May not disassemble / study the binary code of the bot builder.
• Has no right to use the control panel as a means to control other bot nets or use it for any other purpose.
• Does not have the right to deliberately send any portion of the product to anti-virus companies and other such institutions.
• Commits to give the seller a fee for any update to the product that is not connected with errors in the work, as well as for adding additional functionality.

“In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to anti-virus companies.”

Page 21: ITSolutions|Currie Network Security Seminar

Zeus – Helps a hacker to:

Detect when banking information is being entered
View screen shots real-time and remotely control what is shown on the monitor
Steal passwords and other log-in information using advanced key loggers
Encrypt stolen information, then transmit it to the attacker’s servers

Page 22: ITSolutions|Currie Network Security Seminar

Zeus according to Symantec: http://www.youtube.com/watch?v=CzdBCDPETxk&feature=related

Page 23: ITSolutions|Currie Network Security Seminar

URLZone – More Complex…

Checks with a central server for updated instructions, regularly
Watches for HTTPS web traffic
If the Web site matches the banking portal targeted, the malware will capture screenshots from the victim’s computer and send them to a command and control server

http://www.finjan.com/MCRCblog.aspx?EntryId=2345

http://blogs.techrepublic.com.com/security/?p=2464&tag=nl.e036

Page 24: ITSolutions|Currie Network Security Seminar

URLZone – Very specific…

When the user confirms the financial transaction, URLZone changes the account number and amount
The banking portal receives the transaction information and completes the transfer
URLZone presents the transaction information the user expects to avoid suspicion.

As far as the victim knows, the transaction was a success, which it was. It’s just that the amount of money is most likely different and the money was transferred to a money mule account, not where the victim intended

Page 25: ITSolutions|Currie Network Security Seminar

Attack Profile

Malware specializing in on-line banking hacking

#1

#2

Crimeware toolkit for “drive-by” download

Page 26: ITSolutions|Currie Network Security Seminar

LuckySploit

A webpage is “armed” with LuckySploit
It checks to see if visiting computers are missing security patches in:
○ Internet Explorer, FireFox, Opera
○ Adobe Flash, Acrobat Reader
○ Numerous Microsoft vulnerabilities
Exploits identified vulnerabilities to deliver the “payload”

http://www.finjan.com/MCRCblog.aspx?EntryId=2213

Page 27: ITSolutions|Currie Network Security Seminar

Attack Profile

#1

#2

Crimeware toolkit for “drive-by” download

#3

A way to trick you into getting to my hacked webpage

Page 28: ITSolutions|Currie Network Security Seminar

Spam + Social Engineering

Page 29: ITSolutions|Currie Network Security Seminar

Spam + Social Engineering

Page 30: ITSolutions|Currie Network Security Seminar

Attack Profile

#1 – URLZone Trojan
#2 – Website armed with LuckySploit
#3 – Social Engineering

Page 31: ITSolutions|Currie Network Security Seminar

How can you protect yourself?

Be proactive about software patch management
Use business-class anti-virus / anti-malware software
Filter your email
Deploy a business-class firewall
Restrict internet access
Use Group Policies to control workstation security
A password policy is a must!
Understand and secure all remote access points
Wireless Access Points (watch for rogues!)

Page 32: ITSolutions|Currie Network Security Seminar

There is a big difference between being

Proactive

and

Reactive

Page 33: ITSolutions|Currie Network Security Seminar

Patch Management

Know where you are vulnerable!

All Microsoft software – workstations and servers
All Macs
Key 3rd party applications
○ Adobe Acrobat
○ Adobe Flash Player
○ Java
○ iTunes
○ QuickTime

Page 34: ITSolutions|Currie Network Security Seminar

Microsoft Patch Management

Manual deployment
○ Very time consuming
○ Difficult to do consistently

Automatic deployment – independent workstations
○ Success must be tested monthly using special tools
○ No granular control
○ May impact internet bandwidth if multiple PCs download simultaneously

WSUS
○ Free from Microsoft!
○ All workstations report success/failure to a central console
○ You can choose what patches to deploy
○ You can choose to have only the server download the patches
○ Server pushes patches to workstations
○ May take 20-60GB of hard disk space – Use an inexpensive USB drive

Page 35: ITSolutions|Currie Network Security Seminar

3rd Party Applications

The secret to success: You need a plan!
Updates can be pushed out through Group Policy
Create an update checklist spreadsheet

Apps to Update (date each application was last updated, per workstation):

Workstation  Acrobat Reader  Acrobat Flash  Java      iTunes    Quicktime
HRStation1   09/15/09        08/10/09       09/15/09  08/10/09  09/15/09
Acct01       09/15/09        08/10/09       09/15/09  08/10/09  09/15/09
Acct02       09/15/09        08/10/09       09/15/09  08/10/09  09/15/09
Prod01       09/15/09        08/10/09       09/15/09  08/10/09  09/15/09
Prod02       09/15/09        08/10/09       09/15/09  08/10/09  09/15/09
Prod03       09/15/09        08/10/09       09/15/09  08/10/09  09/15/09
Sales01      08/10/09        08/10/09       08/10/09  08/10/09  08/10/09
Sales02      08/10/09        08/10/09       08/10/09  08/10/09  08/10/09
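A checklist like this is only useful if someone reads it regularly, so here is an added example (not from the seminar) of a PowerShell script that takes a checklist exported as CSV and reports every workstation/application entry older than a chosen age. The CSV text, the 30-day threshold and the as-of date are constructed assumptions for the demonstration.

```powershell
# Constructed sample in the layout of the checklist spreadsheet above (not a real file).
$checklistCsv = @'
Workstation,Acrobat Reader,Acrobat Flash,Java,iTunes,Quicktime
HRStation1,09/15/09,08/10/09,09/15/09,08/10/09,09/15/09
Acct01,09/15/09,08/10/09,09/15/09,08/10/09,09/15/09
Prod01,09/15/09,08/10/09,09/15/09,08/10/09,09/15/09
Sales01,08/10/09,08/10/09,08/10/09,08/10/09,08/10/09
'@

function Get-StalePatchEntries {
    # Returns one object per workstation/app pair whose recorded update date is
    # more than $MaxAgeDays before $AsOf. Dates in the sheet are written MM/dd/yy.
    param(
        [Parameter(Mandatory)][string]$Csv,
        [datetime]$AsOf = (Get-Date),
        [int]$MaxAgeDays = 30   # assumed review interval; the seminar does not give one
    )
    $rows = $Csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        foreach ($column in $row.PSObject.Properties) {
            if ($column.Name -eq 'Workstation') { continue }
            try {
                $updated = [datetime]::ParseExact($column.Value, 'MM/dd/yy',
                    [cultureinfo]::InvariantCulture)
            } catch {
                # A blank or malformed cell means the update was never recorded: flag it.
                [pscustomobject]@{ Workstation = $row.Workstation; App = $column.Name
                                   LastUpdated = $column.Value; AgeDays = $null }
                continue
            }
            $age = ($AsOf - $updated).Days
            if ($age -gt $MaxAgeDays) {
                [pscustomobject]@{ Workstation = $row.Workstation; App = $column.Name
                                   LastUpdated = $updated.ToString('yyyy-MM-dd'); AgeDays = $age }
            }
        }
    }
}

# Run the check as of the end of September 2009 (constructed date): every 08/10/09
# entry is reported, so Sales01 shows up for all five applications.
Get-StalePatchEntries -Csv $checklistCsv -AsOf ([datetime]'2009-09-30') |
    Sort-Object Workstation, App | Format-Table -AutoSize
```

For a real sheet, replace the here-string with `Get-Content .\checklist.csv -Raw` and drop the `-AsOf` argument so today's date is used.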

Page 36: ITSolutions|Currie Network Security Seminar

Antivirus Software

The reality…

It is intrusive

It slows down your computers and network

It must be monitored and maintained

It occasionally creates compatibility issues

There are annual renewal fees

… and you can’t live without it. Period.

Page 37: ITSolutions|Currie Network Security Seminar

Business Class Antivirus

Workstation status and licensing can be managed from a central software “console”
○ You don’t need to touch 20 workstations to check status
Central policies can be “pushed” down from the server
○ i.e.: All workstations are to do a full scan once per week, and users aren’t able to cancel the scan
You can “Exclude” critical files and directories from virus scans
○ This can help performance significantly, and prevents instability and corruption issues

Page 38: ITSolutions|Currie Network Security Seminar

Business Class Antivirus

Scan Policies

Real Time Scanning
○ Protecting your system 24/7
○ Typically scans only the most dangerous file types and locations

Scheduled Scanning
○ Typically scans everything, beginning to end
○ Has a performance impact on the workstation
○ Users can be broken into groups with scans occurring at convenient times

Page 39: ITSolutions|Currie Network Security Seminar

Email – A Primary Portal

Minimize your exposure by breaking your users into groups

Group A – Internal email access only

Group B – Can receive email from “outside” the company

Page 40: ITSolutions|Currie Network Security Seminar

Spam Filtering

Spam has become a primary delivery point for malicious code

Several things to watch for:

Hyperlinks that direct you to unknown places on the web
Attachments that carry a malicious payload
Social Engineering – The art of tricking a human into performing an action or providing information they typically wouldn’t
○ i.e.: “Critical Microsoft Patch!”

Page 41: ITSolutions|Currie Network Security Seminar

Spam Filtering – Methods of protection

Install spam filter software on each workstation
Install spam filter software on your e-mail server
Route all company email through a spam filter “appliance”
○ Barracuda
Route all email through a spam filter service (a 3rd party)
○ Spam-a-Side
○ Only cleaned emails will be received by the company
○ Lock your firewall down to only receive email from the host

Page 42: ITSolutions|Currie Network Security Seminar

Business Class Firewall

Page 43: ITSolutions|Currie Network Security Seminar

Why a simple home-class firewall isn’t always sufficient

[Cartoon: E-Mail, Web Request and FTP traffic arriving from “The Cruel, Hard World (a/k/a: The Internet)” at the Trusted Network Resources. The Web Request and FTP doors are marked “Locked!”; the e-mail door is open.]

Basic firewall: “Where to?”
Incoming “E-Mail (?)”: “An email server”
Basic firewall: “Well then surely you must be a safe, secure message from a legitimate source! First door to your right!”
Incoming “E-Mail (?)”: “Umm… Gee, thanks! That was easy…”

A basic firewall “pin holed” to allow public email

Page 44: ITSolutions|Currie Network Security Seminar

A Business Class Firewall Looks Inside the Data Packet

[Cartoon: the same E-Mail, Web Request and FTP traffic arriving from “The Cruel, Hard World (a/k/a: The Internet)” at the Trusted Network Resources. The Web Request and FTP doors are marked “Locked!”.]

Business-class firewall: “Where to?”
Incoming “E-Mail (?)”: “An email server”
Business-class firewall: “Ok. I’ll need your name, ID#, shoe size, and a DNA sample.”
Incoming “E-Mail (?)”: “Umm… Gee, ok…”
Business-class firewall: “Is that an attachment? That type isn’t allowed. It stays at the door.”
Incoming “E-Mail (?)”: “Don’t you trust me?”
Business-class firewall: “Soon. Please step behind the privacy screen and hand me those latex gloves…”
*Squeak!*

A Business-Class firewall “pin holed” to allow public email

Page 45: ITSolutions|Currie Network Security Seminar

Firewalls Oversimplified

Three major firewall classes:

#1 – Simple home/small business ($80-$200)
○ Helps to hide you on the internet
○ “Locks the doors” from the public side

#2 – Business Class ($450-$900)
○ “Layer 7 protection” – It looks inside the data packets to be sure they aren’t “mal-formed”
○ Strips out inappropriate content (i.e.: Dangerous attachments)
○ Includes extra layers of protection: Web Blocking, Antivirus Border Protection

#3 – Corporate Class ($1200-$???)
○ Much greater bandwidth
○ The ability to support many branch offices and VPN connections
○ Advanced security, routing, and configuration features

Page 46: ITSolutions|Currie Network Security Seminar

Firewalls – What do you need?

Simple firewalls work if you:
○ Have no “in-bound” data traffic
○ Have another way to control internet usage

Web blockers don’t just prevent internet abuse…

A Business Class firewall is appropriate if you:
○ Host Email, public Web Server, or FTP Server
○ Need to control outbound access as well as inbound
○ Have a server and need to control web access based upon Active Directory Group membership

Page 47: ITSolutions|Currie Network Security Seminar

Myth:

“Only people who go to ‘bad’ websites get spyware.”

Page 48: ITSolutions|Currie Network Security Seminar

Restricting Web Access

Only give access to people who really need it
Restrict people to explicitly approved sites
Use a Web Blocker
○ Break your users into groups. i.e.:
- Management – Full Access
- Day Crew – Partial Access
- Night Crew – Restrict to only approved sites
Consider a web usage monitor – Cymphonix

Page 49: ITSolutions|Currie Network Security Seminar

Choosing a Firewall

Protection                                  Basic  Business Class  Corporate Class
Stateful Packet Inspection (Required)       X      X               X
Internal Email Server Protection (Proxy)           X               X
Internal Web Server Protection (Proxy)             X               X
Internal FTP Server Protection (Proxy)             X               X
Need to control user groups differently            X               X
WAN Failover                                       X               X
Web Blocker Controls                               X               X
Antivirus Border Protection                        X               X
Advanced BOVPN Management                                          X
More than 50 Users                                                 X
Complex Routing                                                    X

Page 50: ITSolutions|Currie Network Security Seminar

Password Policies

Passwords are the keys to your network

Policies are centrally controlled through Group Policy:

Password changes – How often?
Account Lockout
○ If you strike out 10 times, you’re locked out for 10 minutes
Password Complexity
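Group Policy sets these values, but it is worth checking what the domain actually enforces. As an added example (not the seminar’s material), this PowerShell function reads the domain’s default password policy and compares it with the lockout figures on this slide. It assumes the ActiveDirectory module (RSAT) on a domain-joined admin session; the 90-day maximum age and 12-character minimum are assumed baseline values, since the slide only poses the “how often?” question.

```powershell
Import-Module ActiveDirectory

function Test-PasswordPolicyBaseline {
    # Compares the domain's default password/lockout policy with a baseline and
    # returns one object per setting, so gaps can be piped into a report.
    param(
        [int]$LockoutThreshold = 10,                              # "strike out 10 times" (slide)
        [timespan]$LockoutDuration = (New-TimeSpan -Minutes 10),  # "locked out for 10 minutes" (slide)
        [timespan]$MaxPasswordAge = (New-TimeSpan -Days 90),      # assumed; the slide leaves "how often?" open
        [int]$MinPasswordLength = 12                              # assumed value
    )
    $policy = Get-ADDefaultDomainPasswordPolicy
    $checks = @(
        @{ Setting = 'LockoutThreshold'; Actual = $policy.LockoutThreshold
           # 0 means "never lock out", so require a threshold that is set and no looser than the baseline
           Ok = ($policy.LockoutThreshold -gt 0 -and $policy.LockoutThreshold -le $LockoutThreshold) }
        @{ Setting = 'LockoutDuration'; Actual = $policy.LockoutDuration
           Ok = ($policy.LockoutDuration -ge $LockoutDuration) }
        @{ Setting = 'ComplexityEnabled'; Actual = $policy.ComplexityEnabled
           Ok = [bool]$policy.ComplexityEnabled }
        @{ Setting = 'MaxPasswordAge'; Actual = $policy.MaxPasswordAge
           # Both "never expires" and an age longer than the baseline fail this check
           Ok = ($policy.MaxPasswordAge -gt [timespan]::Zero -and $policy.MaxPasswordAge -le $MaxPasswordAge) }
        @{ Setting = 'MinPasswordLength'; Actual = $policy.MinPasswordLength
           Ok = ($policy.MinPasswordLength -ge $MinPasswordLength) }
    )
    foreach ($check in $checks) { [pscustomobject]$check }
}

# List only the settings that miss the baseline.
Test-PasswordPolicyBaseline | Where-Object { -not $_.Ok } | Format-Table -AutoSize

# To apply the slide's lockout values domain-wide (run deliberately, as a domain admin;
# the observation window may not exceed the lockout duration):
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
#     -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 10) `
#     -LockoutObservationWindow (New-TimeSpan -Minutes 10) -ComplexityEnabled $true
```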

Page 51: ITSolutions|Currie Network Security Seminar

Security is an active part of your

company culture

… or it isn’t …

Page 52: ITSolutions|Currie Network Security Seminar

There are two ways to learn about network security vulnerabilities:

A Trained Professional

- or -

A Trained Professional

Page 53: ITSolutions|Currie Network Security Seminar

Engaging a Professional

Begin with a network audit
Clearly define responsibilities
Choose an engagement method

Page 54: ITSolutions|Currie Network Security Seminar

Methods of Engagement

Reactive
○ “I’ll call for help if I think I’ve been hacked”

Scheduled, proactive maintenance
○ Allocates time and resources to address core issues
○ Be sure there is a plan that addresses all issues
○ Work with the consultant! Ask questions!

Managed services
○ A true partnering and aligning of business models

Page 55: ITSolutions|Currie Network Security Seminar

Several More Security Myths

I have a firewall so I’m protected

I have virus protection software so I’m OK

I can protect myself once and be OK forever

My Mac doesn’t have all of these security issues

Page 56: ITSolutions|Currie Network Security Seminar

Serious Suggestions

Audit your internal network
Audit external access
Restrict access as much as possible
Update everything, proactively, regularly
Use strong passwords
Implement a proactive maintenance plan
Engage a professional

Page 57: ITSolutions|Currie Network Security Seminar

Questions?

Page 58: ITSolutions|Currie Network Security Seminar

Please!!!

Please fill out the evaluation form!
On the bottom of the evaluation, there is an opportunity to request more info about network security
○ Survey
○ Next seminar topic