Security For Free


description

This is a presentation given by Stephen Marchewitz, CSO of SecureState, to Cincinnati's CIO Circle.

Transcript of Security For Free

Page 1: Security For Free

1

Improving Your Security…For FREE

Stephen Marchewitz

CSO

SecureState

The CIO Circle July 8, 2009

Page 2: Security For Free

2

What’s the catch?

Sorry, you’re going to have to Think….

“Thinking is the hardest work there is… that’s why so few people do it.” – Henry Ford

…And Do…

“The only place where success comes before work is in the dictionary.” – Donald Kendall

Copyright 2009 SecureState

Page 3: Security For Free

3

About me

Stephen Marchewitz

– B.A. The University of Michigan

Business Communications and Statistics

– M.B.A. Case Western Reserve University

Management Information Systems and Finance

– Ten+ years experience and progressive responsibility in multiple facets of information systems with specific expertise in information assurance

– SecureState LLC, CSO, 4 Years

– Past Experience

• Oracle Corporation, Security Service Manager

• Computer Associates Inc., Senior Security Consultant

• Ernst & Young, LLP, Management Consultant

Copyright 2009 SecureState

Page 4: Security For Free

4

SecureState Overview

• Ohio Based Company

– Founded 2001

• 40 Security Professionals

• Information Assurance & Protection

• Audit and business background (Big X)

• Experts in ethical hacking across many specialized areas

CISSP – Certified Information Systems Security

CISM – Certified Information Security Manager

CISA – Certified Information Systems Auditor

QDSP – Qualified Data Security Professional

GSEC – SANS GIAC Security Essentials

NSA INFOSEC Assessment Methodology (IAM)

Forensics – NTI, EnCase

ANSI X9/TG-3

Copyright 2009 SecureState

Page 5: Security For Free

5

SecureState Overview

Audit and Compliance

• PCI (Payment Card Industry)

• ISO 27001/SAS 70

• SOX, GLBA etc.

• TG-3, NERC/CIP

• INFOSEC (Information System Security Risk Assessment)

Profiling and Attack

• Web Application Security (WAS)

• Attack and Penetration Services (internal, external, client, physical, wireless)

• Wireless Audits

• Architecture Reviews

• Zero-Day Research

• Training

Risk Management

• Security Program Manager (SPM)

• StateScan

• SecureTime

• Virtual Compliance Officer (VCO)

Forensic Technology Solutions

• Data Forensics/Incident Response

• Reverse Engineering

• Expert Testimony

Copyright 2009 SecureState

Page 6: Security For Free

6

We have no budget! – Get them to care

• FUD – Fear, Uncertainty and Doubt only works a little bit and I never (rarely) use it.

• That said, never underestimate the power of a good “breach” story.

• Find a compelling event

• Use assessments and testing

• Get someone outside your organization to say the same thing you say to your execs… they’ll be more likely to listen

• Learn to love to say the same thing over… and over… and over… and over…

Copyright 2009 SecureState

Page 7: Security For Free

7

Get it done through Regulations

• By the way Mr. CEO, we’re not PCI compliant

• You do know that if there is a breach, our state has data breach disclosure laws

• SOX and the SAS now state that audit firms must sign off on the security of the systems

• We don’t have to be compliant, but our customer is saying we do

Copyright 2009 SecureState

Page 8: Security For Free

8

Get the Bullies on your side

• Work with Audit

• Learn what they’re trying to achieve

• You will never be good enough

• Report, report, report

• Do you know what the problems are?

• Do you have a plan to fix them?

Copyright 2009 SecureState

Page 9: Security For Free

9

Don’t Hold Risk

• You don’t get paid enough to hold the risk of the organization

• Offload it to the board and/or other executive management, i.e. let them sign off

• Your job is to:

– Identify risk (through assessments)

– Recommend remediation

– Provide assistance in remediation management

Copyright 2009 SecureState

Page 10: Security For Free

10

Make Risk Reduction Simple

Copyright 2009 SecureState

Page 11: Security For Free

11

Assess. Build. Rinse. Repeat.

Assessments (checks) are the best route to understand the current state of your program.

Assessments “get the wheel turning.”

You don’t/can’t know what you’re doing in security if you’re not checking first.

You can enhance your credibility by putting it into terms the business can understand.

Page 12: Security For Free

12

Get advice

Copyright 2009 SecureState

Page 13: Security For Free

13

Refer to a Framework

NIST – www.csrc.nist.gov/publications/PubsSPs.html

Special Publications in the 800 series present documents of general interest to the computer security community

NIST 800-53 Security Controls for Federal Information Systems and Organizations

ISO 27000 – http://www.standardsdirect.org/iso17799.htm ($1100)

THE ISO 27001 and ISO 27002 TOOLKIT

Copyright 2009 SecureState

Page 14: Security For Free

14

Inventory and Classify your Assets

• Do you know everything you have?

• Have you assigned a value to your assets?

• There is a reason you don’t have an armed guard covering petty cash

• Make sure the level of protection is commensurate with the value

Copyright 2009 SecureState

Page 15: Security For Free

15

Simulate a breach, incident, or disaster

• Set up a meeting with all parties involved to pretend we’ve just had a breach (or disaster)

– Who needs to be in there?

– What needs to happen?

– Worst case

– What do we have to do to facilitate a forensic investigation?

• Logging

• Data flows

• Network Diagrams

• Monitoring

Copyright 2009 SecureState

Page 16: Security For Free

16

Question Products

• Companies are always looking to slam a $40k appliance in to solve the world for them. Unfortunately this doesn’t work.

• Detecting viruses, malware, and threats goes into a formalized security program that is constantly tested. Penetration tests are excellent methods in identifying deficiencies within the current security program.

Copyright 2009 SecureState

Page 17: Security For Free

17

A product example – reshifting budget to get more

Antivirus:

Anti-virus is typically thought of as a first line of defense for detecting a potential outbreak, malware, or viruses.

Anti-virus companies market that they are the end-all-be-all and can catch anything out there.

It’s estimated that 70% of all malware is currently NOT being detected by anti-virus.

The truth: No longer a defensible position against attackers.

There are now products that combine zero-update attack protection, data loss prevention, and signature-based antivirus, reducing cost (upkeep, etc.) and increasing effectiveness.

Copyright 2009 SecureState

Page 18: Security For Free

18

Check out Great Sources

CIS Benchmarks –

The CIS Benchmarks are the consensus best practice security configuration standards both developed and accepted by government, business, industry, and academia (http://www.cisecurity.org/benchmarks.html)

Payment Card Industry (PCI) Data Security Standard –

Free audit standards

https://www.pcisecuritystandards.org/

OWASP – Open Web Application Security Standard

www.owasp.org The defacto standard for Web Application Security

“Information Security Policies Made Easy” –

Policy book by Charles Cresson Wood ($800)

Copyright 2009 SecureState

Page 19: Security For Free

19

Build Awareness

• Build awareness programs, consistency, ease, available, etc.

• However the main message is: “Don’t be stupid!”

• Social Engineering

– Have someone from another office (or your nephew, grandma, buddy, etc.) try to social engineer your company

– Tell everyone the stories (e-mail, new hire training, etc.)

Copyright 2009 SecureState

Page 20: Security For Free

20

Free but…

• Utilize free tools if you have to

• Some exceptions, but generally it makes more sense to just get someone else to do it

Copyright 2009 SecureState

Page 21: Security For Free

21

Utilize Free Tools

MBSA (Microsoft Baseline Security Analyzer): Helps Windows systems users answer the eternal question: How safe is my IT infrastructure? The analyzer checks systems for common misconfigurations and missing security updates, then makes recommendations for improving safeguards in accordance with Microsoft security standards.

Nessus: This product is considered to be one of the best vulnerability scanners available at any price — and it happens to be free. The tool explores and maps network systems for potential weaknesses that could provide an open door to attackers. The Nessus client is compatible with all Linux/Unix systems. There's also a Win32 GUI client that works with any version of Windows.

AVG Anti-Virus Free Edition: Grisoft's AVG Anti-Virus Free Edition, compatible with Microsoft Outlook and Eudora, quarantines suspected virus-infected emails and scans all email traffic over POP3 and SMTP protocols.

Ad-Aware Free: This no-cost program scans computers for hidden parasites — including Trojan horses, worms and spyware — and removes them permanently. Ad-Aware Free is perhaps the most popular free security tool in Internet history, with publisher Lavasoft reporting more than 250 million downloads so far.

Wireshark: An open-source packet sniffer, Wireshark Network Protocol Analyzer supports network troubleshooting, analysis, software and protocol development. The tool is compatible with popular computing platforms, including Windows, Unix and Linux.

*courtesy (mostly from) itsecurity.com
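To show what a protocol analyzer such as Wireshark does at its core (decode a raw frame layer by layer, honouring the length and offset fields of each header), here is an added example that is not part of the original slides or of the Wireshark project. It parses a constructed Ethernet II / IPv4 / TCP frame; the frame bytes, addresses and checksums are all made up for the example.

```python
"""Minimal Ethernet II -> IPv4 -> TCP frame decoder (added example)."""
import struct
from dataclasses import dataclass, field

# Constructed sample frame: a TCP SYN from 192.168.1.5:49152 to 93.184.216.34:443.
# Checksums are zero placeholders; nothing here comes from a real capture.
SAMPLE_FRAME = bytes.fromhex(
    "00112233445566778899aabb0800"  # dst MAC, src MAC, EtherType 0x0800 (IPv4)
    "45000028000040004006"          # ver/IHL, TOS, total len=40, id, DF, TTL=64, proto=6
    "0000"                          # IPv4 header checksum (placeholder)
    "c0a80105"                      # src 192.168.1.5
    "5db8d822"                      # dst 93.184.216.34
    "c00001bb0000000100000000"      # sport 49152, dport 443, seq=1, ack=0
    "5002faf000000000"              # data offset 5, flags SYN, window 64240, csum, urg
)

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int
    src_port: int
    dst_port: int
    flags: list = field(default_factory=list)
    payload: bytes = b""


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame: bytes) -> Packet:
    """Decode one Ethernet II frame carrying IPv4/TCP; raise ValueError on anything else."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes, options included
    if ihl < 20 or len(ip) < ihl or total_len < ihl:
        raise ValueError("bad IPv4 header length")
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    if proto != 6:
        raise ValueError(f"unsupported IP protocol {proto}")

    segment = ip[ihl:total_len]         # trust total_len, not the frame size (Ethernet padding)
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or len(segment) < data_off:
        raise ValueError("bad TCP data offset")
    flags = [name for bit, name in TCP_FLAG_NAMES if off_flags & bit]
    return Packet(_mac(src_mac), _mac(dst_mac), src_ip, dst_ip, ttl,
                  sport, dport, flags, segment[data_off:])


def summary(pkt: Packet) -> str:
    """One-line summary in the spirit of an analyzer's packet list."""
    return f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} TCP [{','.join(pkt.flags)}] ttl={pkt.ttl}"


if __name__ == "__main__":
    print(summary(decode_frame(SAMPLE_FRAME)))
```

Every length and offset field is validated before it is used to slice, which is the part of a dissector that matters for robustness: a malformed header should produce a clean error, never an out-of-range read or a silently wrong decode.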

Copyright 2009 SecureState

Page 22: Security For Free

22

Utilize Free Tools

Aircrack-NG: The aircrack-ng suite is an all-encompassing wireless exploitation framework that allows you to identify potential security flaws within your wireless environments. It also helps you detect rogue access points, and test your overall security implementations.

MailWasher: Are you sick of spam clogging your employees' mailboxes? POP3-compatible MailWasher promises to filter and block spam messages while allowing legitimate email to pass through unimpeded. And it won't cost you a nickel.

Karen's Replicator: Since even the most security-conscious business will need to restore data at some point, frequent and comprehensive backups are a vital part of any security strategy. Karen's Replicator can copy files and folders to a backup storage device on either a manual or scheduled basis. The program can also distribute files across a network and automatically restore damaged or changed files on a Web server.

Snort: An open-source network IDS/IPS (Intrusion Detection and Prevention System), Snort is a protocol analyzer that enables users to passively detect or actively block various kinds of probes and attacks. The software's detection capabilities include stealth port scans, operating-system fingerprinting attempts, buffer overflows and application attacks.
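The port-scan detection the slide attributes to Snort comes down to a threshold rule: one source touching many distinct ports on one host in a short window. The following added example (not from the slides or from the Snort project) implements that rule over constructed firewall-style connection log lines, so a reader can see the detection logic and its false-positive controls without a sensor in place. The log format, hosts and timestamps are all made up for the example.

```python
"""Threshold-based port-scan detector over connection-log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: 10.0.0.7 sweeps ten ports on 10.0.0.20 within three
# seconds; 10.0.0.8 and 10.0.0.9 are benign; one line is junk.
SAMPLE_LOG = """\
2009-07-08T10:00:00 SRC=10.0.0.8 DST=10.0.0.20 DPT=443 FLAGS=S
2009-07-08T10:00:01 SRC=10.0.0.7 DST=10.0.0.20 DPT=21 FLAGS=S
2009-07-08T10:00:01 SRC=10.0.0.7 DST=10.0.0.20 DPT=22 FLAGS=S
2009-07-08T10:00:01 SRC=10.0.0.7 DST=10.0.0.20 DPT=23 FLAGS=S
2009-07-08T10:00:02 SRC=10.0.0.7 DST=10.0.0.20 DPT=25 FLAGS=S
2009-07-08T10:00:02 SRC=10.0.0.8 DST=10.0.0.20 DPT=443 FLAGS=A
2009-07-08T10:00:02 SRC=10.0.0.7 DST=10.0.0.20 DPT=80 FLAGS=S
2009-07-08T10:00:02 SRC=10.0.0.7 DST=10.0.0.20 DPT=110 FLAGS=S
2009-07-08T10:00:03 SRC=10.0.0.7 DST=10.0.0.20 DPT=135 FLAGS=S
2009-07-08T10:00:03 SRC=10.0.0.7 DST=10.0.0.20 DPT=139 FLAGS=S
2009-07-08T10:00:03 SRC=10.0.0.7 DST=10.0.0.20 DPT=443 FLAGS=S
2009-07-08T10:00:03 SRC=10.0.0.7 DST=10.0.0.20 DPT=445 FLAGS=S
2009-07-08T10:05:00 SRC=10.0.0.9 DST=10.0.0.20 DPT=22 FLAGS=S
2009-07-08T10:09:00 SRC=10.0.0.9 DST=10.0.0.20 DPT=80 FLAGS=S
this line is not a log record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)$"
)


def parse_line(line: str):
    """Return (timestamp, src, dst, dport, flags) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"]), m["flags"])


def detect_port_scans(lines, threshold=10, window=timedelta(seconds=5)):
    """Alert once per (src, dst) pair that hits >= threshold distinct ports within window.

    Only connection attempts (SYN, 'S' in FLAGS) count, so replies and established
    traffic do not inflate the port count. Old events fall out of a sliding window,
    so a slow, spread-out set of connections stays below threshold.
    """
    recent = defaultdict(deque)   # (src, dst) -> deque of (timestamp, port) in time order
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, flags = rec
        if "S" not in flags:
            continue
        key = (src, dst)
        q = recent[key]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "dst": dst, "first_seen": q[0][0], "ports": sorted(ports)})
    return alerts


if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_LOG.splitlines()):
        print(f"port scan: {a['src']} -> {a['dst']} since {a['first_seen']} ports={a['ports']}")
```

The threshold and window are the tuning knobs a real sensor exposes; too low a threshold alerts on ordinary service discovery, too long a window lets a patient scanner hide below it, and the one-alert-per-pair rule keeps a single sweep from producing hundreds of alerts.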

GnuPG (GNU Privacy Guard): This family of open-source encryption products is developed under the auspices of the Free Software Foundation's GNU project. GnuPG can be combined with front ends that supply compatibility with virtually any operating system — past or present.

Copyright 2009 SecureState

Page 23: Security For Free

23

Utilize Free Hacker Tools

• Back|Track Live Security Distribution

– Back|Track is the number one security distribution.

– Place CD in computer, reboot, full-fledged hacker environment with the latest and greatest hacker tools.

Copyright 2009 SecureState

Page 24: Security For Free

24

Utilize Open-Source Tools

• Fast-Track

– Exploitation framework created by David Kennedy at SecureState

– Used to effectively test security and exploit vulnerabilities

• Metasploit

– Most popular open-source exploitation framework

Copyright 2009 SecureState

Page 25: Security For Free

25

Utilize Free Forensic Tools

• DEFT (acronym for Digital Evidence & Forensic Toolkit) is a Xubuntu Linux-based Computer Forensics live CD.

– It is designed to meet the needs of police, investigators, system administrators and Computer Forensics specialists

– http://www.deftlinux.net/

Copyright 2009 SecureState

Page 26: Security For Free

26

Utilize Free Forensic Tools

• Helix3 Live CD

– http://www.e-fense.com/helix3-download.php

– Contains multiple open source forensic tools

Copyright 2009 SecureState

Page 27: Security For Free

27

Utilize Free Forensic Tools

• Forensic Live CD

– http://www.forensiclivecd.com

Copyright 2009 SecureState

Page 28: Security For Free

28

Summary of biggest mistakes we see

In general, organizations don’t do enough of the following:

• Relay risk to upper management

• Ask for help on things they have no idea about

• Assess

• Build consistent, repeatable processes

• Take the time to think it through

Copyright 2009 SecureState

Page 29: Security For Free

29

Thank you!

“Never sacrifice opportunity for security!”

Questions?

Copyright 2009 SecureState