Global Security Risk Management LLC Information Security By Paul DeMatteis

Shared by: legalstuff4, posted 12/31/2008
Global Security Risk Management, LLC
Information Security
By Paul DeMatteis, CPP, CFE
dematteis@globalsecurityrm.com
www.globalsecurityrm.com

Main Study Material
* Management of Information Security, Michael E. Whitman & Herbert J. Mattord

Total Security at What Cost
* Completely secure at the expense of infinite cost or zero utility.
* Confidentiality, integrity & availability

Computer Security Goals: Balancing Security & Operational Needs
* Protecting computer information from unauthorized and/or accidental destruction, modification and/or disclosure.
* Keep outsiders out & insiders honest.
* Develop early warning systems, quick and appropriate responses, limit losses, fast recovery and provide tools for investigations.

Balancing Security & Operational Needs: Security Goals
* Information & computer assets can be stolen, borrowed and/or changed and never be noticed.
* Most computer security exposures originate from insiders. YES - NO???
* Most computer break-ins are not reported.
* Outsourcing security issues
* Software is broken

The Problem
* The Computer Security Institute revealed that 80% of 500 US companies surveyed reported total losses of $455 million.
* Computer breaches increased 1000 times from 1999 to 2002.
* World financial impact for 2001: $13.2 billion.
* Management doesn't take information security seriously enough.

Total Security at What Cost
* Systems are optimized for maximum performance, not security.
* IT managers conserve hardware.
* Security is desirable but not sufficiently important to compromise performance.
* Security is traded off in the name of reliability, cost, increased speed, user-friendliness, time to market, new products, etc.

To Do List
* Develop computer security policies & standards.
* Start an information classification system.
* Establish an emergency response team.
* Form a company-wide information protection awareness (IPA) program.
* Identify system weaknesses & correct them.
* Use early warning tools & develop quick response capabilities.
* Develop a clean desk policy.

Security Issues to Consider
* How many people in your organization can read your e-mail?
* Where does your senior executive's PC hard disk drive go when repaired or replaced?
* Are there any vendor back doors and/or universal-type passwords on your system?
* Would you know if you were hacked?
* What does your system look like?
* Are your system audit files on?

Computer Security Facts
* System administrators are evaluated on the basis of responsiveness, not security.
* They resist controls that might interfere with performance.
* Only a small number of computer crimes are reported and/or discovered at all.
* Most system administrators have uncontrolled access to systems, including audit files.

Computer Security Terms
* User profile - lists rights or access levels
* User ID - connects a user with their profile
* Password - authenticates the user
* Password types - static, dynamic & biometric
* Audit log - history file; real-time monitoring
* Operating system - root access
* Firewall - remote access - network sniffer
* Hacker - system administrators
* Encryption - renders data unreadable - VPN

Computer Security Terms
* Chief Information Officer (CIO)
* Chief Information Security Officer (CISO)
* Bottom-up approach (grass-roots effort)
* Top-down approach (strong upper management support)
* Human Firewall Project
* Advanced Encryption Standard (AES)
* Denial-of-service (DoS)
* Pretty Good Privacy (PGP)

Computer Security Terms
* Penetration testing
* White-hat hackers
* Ethical hackers
* Tiger teams
* Red teams
* 57 UNIX systems tested (ELVIS)

Policy
* Policy should never conflict with law.
* Policy must be able to stand up in court if challenged.
* Policy must be properly supported and administered.
* Policies - standards - practices - guidelines - procedures

Security Management Models & Practices
* www.nist.gov - National Institute of Standards and Technology (NIST)
* Computer Security Handbook
* Generally Accepted Security Principles and Practices
* Guide for Developing Security Plans
* Risk Management for Information Technology
* Self-Assessment Guide

System Penetrations Methodology
* Social engineering
* Vendor & manufacturer vulnerabilities
* Password sharing
* System & program weaknesses
* Unattended PCs
* Internet access
* Modem access

Security Issues to Consider
* Unpatched or outdated software
* Misconfigured file sharing services
* Trusted relationships
* Inadequate segregation of duties
* Excessive admin & user rights
* Weak passwords

Computer Security Terms: Password Attacks
* Dictionary
* Brute force
* Man-in-the-middle
* Social engineering
* Keyboard

Government Accounting Office (GAO)
A 1997 GAO report indicated:
* 1992 to 1995 Defense Information Systems Agency (DISA) reports indicated that out of 38,000 attacks performed by DISA, more than 65% were successful.
* 96% of the systems failed to detect that they were under attack.
* GAO also indicated that 120 nations had information warfare programs in place.

Hacker Tools
* Electromagnetic radiation (TEMPEST)
* Sniffers
* Social engineering
* Internet hacking tools
* Cracker programs
* Hacker information exchange

Potential Adversaries
Insiders:
* Disgruntled staff
* Hackers (insiders)
* System administrators
* Information thieves
* Staff extending rights
* Dishonest employees
* System browsers
* Corporate spies
* Vendors & consultants
Outsiders:
* Ex-disgruntled staff
* Hackers (outsiders)
* Foreign threats
* Corporate spies
* External thieves
* Terrorists
* Ex-vendors & consultants
* Outsourcing operations

Risk Control Strategies
* Avoidance (applying safeguards)
* Transference (shifting the risk)
* Mitigation (reducing the impact)
* Acceptance (understanding & accepting the consequences)

Do You Know
* Is it password protected?
* How many failed (wrong password) login attempts can a user try before the system responds, & what will happen?
* How will a user reset his or her password if locked out of the system?
* Where are the passwords stored? Are they encrypted? Who has access to them?
* Can the files be read by users? Who can get access to them?
* Is the system equipped with audit tools?
* What type of information do the audit logs record?
* Are the audit logs turned on and does someone review them; if so, who?

New System Security Controls
* What happens when the audit logs are full?
* Who has access to read, write (edit) & delete audit logs?
* How many people have root/admin access, and what can they do (edit files)?
* Does each root/admin have his own ID that is traceable in the audit logs?
* Are there other trusted systems connected?
* Are all manufacturer, vendor and consultant passwords accounted for?
* Is the system going to be protected (security on) when first brought up?
* Is there going to be remote access to the system, and what are the safeguards and monitoring tools?
* If there is a problem, how long will it take to identify; what will be the response and how long will it take?

PBX (image slide)

Hacker Power
* Off The Hook radio show airs on Tuesday at 8PM on WBAI 99.5 FM.
* 2600 meeting locations - Argentina, Australia, Belgium, Brazil, Canada, England, France, India, Japan, Mexico, Poland, Russia, Scotland, South Africa and in 35 states in the US each month.
* Plus the 2600 magazine & on the Web.

WWW.2600.com

Telephone Company & PBX Fraud to Computer Fraud
* In 1954, the Bell System Technical Journal published an article, "In-Band Single Frequency Signaling", describing signaling in their first installations.
* In 1960 the same journal published an article outlining the signaling used for call completion, including tones for in-band signaling.
* In October 1961 the first Blue Box was discovered by Bell security investigators.
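The audit-log questions in the "Do You Know" and "New System Security Controls" checklists above (how many failed logins before the system responds, and whether each root/admin login is traceable to one person) can be turned into a routine log review. This is an added example, not part of the original slides: it parses constructed sample log lines in an assumed "timestamp user source outcome" layout, applies an assumed five-failure lockout threshold, and reports successful logins under shared root/admin IDs that a reviewer could not attribute to a named individual.

```python
import re
from collections import Counter

# Constructed sample audit log (not from any real system): one line per login
# attempt, in an assumed "timestamp user source outcome" layout.
SAMPLE_LOG = """\
2008-12-30T08:01:10 alice 10.0.0.5 FAIL
2008-12-30T08:01:14 alice 10.0.0.5 FAIL
2008-12-30T08:01:20 alice 10.0.0.5 OK
2008-12-30T08:03:02 root 10.0.0.9 OK
2008-12-30T08:05:31 bob 10.0.0.7 FAIL
2008-12-30T08:05:35 bob 10.0.0.7 FAIL
2008-12-30T08:05:40 bob 10.0.0.7 FAIL
2008-12-30T08:05:44 bob 10.0.0.7 FAIL
2008-12-30T08:05:49 bob 10.0.0.7 FAIL
2008-12-30T08:10:00 admin 10.0.0.9 OK
2008-12-30T08:12:00 jsmith-adm 10.0.0.11 OK
"""

LOCKOUT_THRESHOLD = 5          # assumed policy: respond after 5 straight failures
SHARED_IDS = {"root", "admin"}  # generic IDs not traceable to one named person

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse(log_text):
    """Yield (timestamp, user, source, outcome) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def review(log_text, threshold=LOCKOUT_THRESHOLD):
    """Flag users whose consecutive failures reach the threshold, and every
    successful login under a shared root/admin ID."""
    streak = Counter()
    over_threshold = set()
    shared_logins = []
    for ts, user, src, outcome in parse(log_text):
        if outcome == "FAIL":
            streak[user] += 1
            if streak[user] >= threshold:
                over_threshold.add(user)
        else:
            streak[user] = 0  # a success ends the failure streak
            if user in SHARED_IDS:
                shared_logins.append((ts, user, src))
    return {"over_threshold": sorted(over_threshold), "shared_logins": shared_logins}
```

Run against the sample, `review(SAMPLE_LOG)` flags `bob` for reaching the threshold and lists the `root` and `admin` logins as untraceable, while `jsmith-adm` passes because it names a person.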
In-Band Single Frequency Signaling
(Diagram: 2600 and VOICE signal paths through voice switching between central offices (CO).)

2600 Worldwide Meeting Locations (Updated February, 1999)
INTERNATIONAL: ARGENTINA - Buenos Aires: In the bar at San Jose. AUSTRALIA - Melbourne: Melbourne Central Shopping. Graz: Cafe Haltestelle on Jakominiplatz. BELGIUM. BRAZIL - Belo Horizonte, Rio de Janeiro. CANADA - Alberta: Edmonton; British Columbia: Vancouver; Ontario: Ottawa, Toronto; Quebec: Montreal. ENGLAND - Bristol, Hull, Leeds, London, Manchester. FRANCE. INDIA. ITALY. JAPAN. MEXICO. POLAND. RUSSIA. SCOTLAND. SOUTH AFRICA.
UNITED STATES: Alabama. Arizona. Arkansas. California - Los Angeles, Sacramento, San Diego, San Francisco, San Jose. Connecticut. District of Columbia - Arlington. Florida - Ft. Lauderdale, Ft. Myers, Miami, Orlando. Atlanta. Hawaii - Honolulu, Waikiki. Idaho. Illinois - Chicago. Indiana. Kansas. Kentucky. Louisiana - New Orleans. Maine - Portland. Massachusetts - Boston. Michigan. Minnesota. Missouri - St. Louis. Nebraska. Nevada - Las Vegas. New Hampshire. New Mexico. New York - Buffalo, Rochester. North Carolina - Charlotte, Raleigh. Ohio - Akron, Cleveland, Columbus. Oklahoma - Oklahoma City, Tulsa. Oregon - McMinnville, Portland. Pennsylvania - Philadelphia. South Dakota - Sioux Falls. Tennessee - Knoxville, Memphis, Nashville. Texas - Austin: Dobie Mall food court; Dallas: Mama's Pizza, Campbell & Preston; Ft. Worth: North East Mall food court; Houston: Galleria 2 food court, under the stairs; San Antonio: North Star Mall food court. Washington - Seattle: Washington State Convention Center; Spokane: Spokane Valley Mall food court. Wisconsin - Eau Claire: London Square Mall food court; Madison: Union South (227 N. Randall Ave.) on the lower level in the Martin Luther King Jr. Lounge by the payphones, payphone: (608) 251-9909; Milwaukee: Mayfair Mall on Highway 100 (Mayfair Rd.) & North Ave. in the Mayfair Community Room, payphone: (414) 302-9549.

Sniffer Programs
* Julio Ardita, a 21-year-old hacker located in Buenos Aires, removed confidential files from Pentagon computer systems.
* He also penetrated U.S. Navy & National Aeronautics & Space Administration systems.
* Julio had access to Harvard University's Internet site, expanded his access, and installed a sniffer program to record passwords to other systems.

Security Administrator's Tool for Analyzing Networks (SATAN)
* Dan Farmer developed SATAN as a security administrator's tool.
* SATAN was first tested over the Internet in 1996.
* Farmer scanned approximately 2,200 Internet hosts for security vulnerabilities; 1,700 sites were open to known hacker attacks.
* Sites reviewed were banks, credit unions, government sites and other key servers.
* This unauthorized review was not well received.

Webpage Security (or Lack of Security)
* CIA webpage - on September 18, 1996 it was replaced with "The Central Stupidity Agency".
* At the DOJ, a photo of Adolf Hitler replaced the Attorney General.

Concepts of Computer Investigations
* Secure & preserve all evidence.
* Identify the origin of the attack.
* Trace the attack path.
* Identify other targets.
* Determine if your systems were used to attack others outside of your network.
* Prepare for repeat attacks: turn on all audit logs; protect the most sensitive information.

Evidence & the Criminal Justice System
* Best evidence - original, unaltered
* Chain of custody - limit the number of persons handling evidence; initial, seal & secure

Dr. Clifford Stoll
* A 75-cent accounting error in 1986 led Stoll to discover a Soviet (KGB)-based espionage ring located in Germany.
* KGB-contracted German hackers were using Berkeley Laboratory computers to launch attacks against US military and Pentagon computers.
* FBI agents originally dismissed the incident.
* In 1989 Clifford Stoll was credited with cracking the German and Soviet spy ring.
