Chapter 7 Secure-Use Practices: Defensive Best Practices


Chapter 7
Secure-Use Practices:
Defensive Best Practices
Presented by:
Derrick Lowe
Ken Dean
Quintin King
Caroline Hawes
Introduction
• This chapter focuses on what
companies must do to protect
themselves from internal risks.
• Before hackers and the internet there
were:
– Disgruntled workers
– Careless administrators
– Hostile managers
Introduction cont’
• Current technology amplifies security
threats, many of which can be traced to
organizational practices
• Effective countermeasures
– Secure-use practices
– User training
Secure Use Practices:
Policies
Major Risk Factors
• Most likely sources of
cyber threats continue to
come from within.
• Unknown and unseen
hackers and thieves are
not the most common
threat.
• It is difficult to accept the
reality that a majority of
cyber security incidents
are traced to company
insiders.
Examples
• An unwitting employee may spread
infected email or be tricked into
revealing information through a
popular hacker technique – social
engineering.
• Spoofing: disguising the true identity of the
sender
• Administrators may be unable or
unwilling to apply software patches to
fix known vulnerabilities.
Limits On The Extent To Which
Risk Factors Can Be Controlled
• A complete set of updated, well-documented
policies and training in security procedures
can be time-consuming.
• They are not without risks
– Selectively enforced policies can be worse than
having none at all
– If employees send threatening messages to each
other and the company fails to notify law enforcement,
it can be held liable for negligence
Enforcement Of Secure-Use
Practices Must Be Consistent
With AUP
• A clearly written Acceptable Use Policy
and documentation of confirmation from
employees that they read, understood,
and agreed to its terms in addition to
the Secure-Use practice can help a
company avoid costly lawsuits.
Key Secure-Use Procedures
and Practices
Security Focus in Organizational
Planning Process
• Information security
for organizations may
not always follow a
standard pattern:
– Develop a business
plan
• Defines goals,
objectives, strategy
and priorities.
– Restructure budgets
and organizations
• Information security
planning may require
a different approach:
– External events,
current threats,
technical considerations
or trends may make
change necessary.
Security as a Business
Function
• Changes in behavior and
attitude are necessary to
have security as a priority
– Top management must
implement, enforce and
commit…DLM model
again
• How to achieve equal status
– Centralize authority that is visible and powerful
– Coordinate with other forms of risk
management: physical security, insurance,
and legal functions
[Diagram: Sales, Marketing, Security and Finance shown as peer business functions]
Integrating Security and
Business Plans
• Ensures that the most strategic information receives
the most protection.
– Also promotes security as being fundamental to the
success of the business.
• Failure to do this will lead to:
– A security plan out of sync with the business plan
– Security policies not being taken seriously
Developing Information
Security Standards
• Formal policies and standard documents should
be developed for other security functions such
as:
– Firewall configuration
– Archival storage
– Remote access procedures
– Roles and permissions
– Wireless handheld devices
– Password maintenance
• Maintaining formal policies and standard
documents allows for consistency and currency
with changes in technology as well as the
business environment.
Documentation and
Training
• Normally documentation and training
budgets are set at a very low level. This
tendency starves the education budget
and will tend to subvert the entire
program.
• When training is implemented correctly
and employees know their stake in a
secure workplace they are able to
recognize and react in a communal
fashion, which is usually the most
effective method.
Incident Response Policy and
Incident Response Teams
• Preparation before an incident occurs is necessary for
development and readiness
– Design policy and teams
– Educate everyone about their roles
– Conduct tests to validate the plan’s effectiveness
• An incident response policy is the key to readiness.
– Needs to be clear and simple for ease of use during the
stressful event
– Provides guidance on what to do when an attack occurs
– Defines the scope of the powers, authority, and
discretion that the team has in responding to an attack.
– Focuses management attention on security and
response issues.
Example: Incident Response
Process
[Diagram of an incident response process; source: http://www.securityfocus.com/infocus/1467]
Developing a Notification
Plan
• Who do you notify:
– Law enforcement
– Regulatory authorities
– Clearinghouse organizations, such as CERT
– Business partners
– Bugtraq
• The choice is up to the victimized firm.
– In 2002, the CSI/FBI Computer Crime and Security Survey
reported that only 60% of known intrusions were reported to
anyone not directly involved and 34% to law enforcement.
• These numbers reflect firms' reluctance to expose breaches in
their networks to the public, the risk of liability, and the delays
and costs of formal investigations.
Secure-Use Procedures:
Technology
Shut Down Unnecessary
Services
• Network Administrators should review
all active ports.
– Ports: interfaces, or entry/exit points, to a
network
– Common Ports
• 80-http
• 23-Telnet
• 43-SSL
• 110-POP3
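To make the port review above concrete, here is an added Python example (not from the slides or the presenters) that parses `ss -ltn`-style output and flags every listening port that is not on an approved-service allowlist. The sample output is constructed for this example, and the allowlist uses 443, the port registered for HTTPS (port 43 is WHOIS); Telnet and POP3 are deliberately left off the allowlist so the script reports them.

```python
"""Review listening ports against an approved-service allowlist.

Added example (not from the slides): parses `ss -ltn`-style output and
flags any listening port not on the allowlist. The sample output below
is constructed for this example, not captured from a real host.
"""
import re

# Constructed sample of `ss -ltn` output (the column layout matches the
# real tool, but the addresses and ports are made up for this example).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*
LISTEN  0       100     127.0.0.1:25         0.0.0.0:*
LISTEN  0       128     [::]:110             [::]:*
"""

# Allowlist: ports this host is approved to expose (assumed for the
# example). HTTPS is registered on 443. Telnet (23), SMTP (25) and
# POP3 (110) are absent on purpose so that they get flagged.
APPROVED_PORTS = {22: "ssh", 80: "http", 443: "https"}

# Matches "LISTEN <recv-q> <send-q> <addr>:<port> ..." lines only.
_LISTEN_RE = re.compile(r"^LISTEN\s+\S+\s+\S+\s+(\S+):(\d+)\s")


def parse_listening(ss_output):
    """Return a list of (local_address, port) tuples for LISTEN sockets."""
    sockets = []
    for line in ss_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            sockets.append((m.group(1), int(m.group(2))))
    return sockets


def find_unapproved(ss_output, approved=APPROVED_PORTS):
    """Return the sorted listening ports that are not on the allowlist.

    Every LISTEN socket is checked, including loopback-only ones: a
    service bound to 127.0.0.1 today can be rebound to all interfaces
    by a later configuration change, so it still belongs in the review.
    """
    listening = {port for _addr, port in parse_listening(ss_output)}
    return sorted(listening - set(approved))


if __name__ == "__main__":
    for addr, port in parse_listening(SAMPLE_SS_OUTPUT):
        status = "approved" if port in APPROVED_PORTS else "REVIEW"
        print(f"{addr}:{port:<5} {status}")
    print("Unapproved listening ports:", find_unapproved(SAMPLE_SS_OUTPUT))
```

On a real host the constructed sample would be replaced by the output of `ss -ltn` (or `netstat -ltn`), and the allowlist would come from the host's documented service inventory rather than a literal in the script.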
Set up and Maintain
Permissions Securely
• Permissions are privileges granted to each
user that control what data and applications
that user has access to.
– Controlled by system admin
– Can be from read-only to full admin privileges
– Limitations can help distinguish honest and
dishonest employees: security by ignorance
• Roles, or access-level categories, are an
effective way to manage permissions where
users are assigned specific access levels to
the server
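The role-based permission model described above, as an added Python example that is not from the slides: users are assigned roles, each role carries a set of (action, resource) grants ranging from read-only to full admin, and any request not covered by a grant is denied by default. The roles, users and resource names are invented for the example.

```python
"""Role-based permissions with deny-by-default authorization.

Added example (not from the slides). Users hold roles, roles hold
(action, resource) grants, and everything else is denied. All names
below are constructed for the example.
"""
from enum import Enum


class Action(Enum):
    READ = "read"
    WRITE = "write"
    ADMIN = "admin"   # change permissions, install software, etc.


# Role -> set of (action, resource). "*" means any resource.
ROLE_PERMISSIONS = {
    "viewer": {(Action.READ, "reports")},
    "analyst": {(Action.READ, "reports"), (Action.WRITE, "reports"),
                (Action.READ, "logs")},
    "sysadmin": {(Action.READ, "*"), (Action.WRITE, "*"), (Action.ADMIN, "*")},
}

# User -> roles, maintained by the system administrator (constructed data).
USER_ROLES = {
    "alice": {"viewer"},
    "bob": {"analyst"},
    "carol": {"sysadmin"},
}


def permissions_for(user, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Union of the grants given by all of the user's roles."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_perms.get(role, set())
    return perms


def is_authorized(user, action, resource,
                  user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Deny by default: an unknown user, role or resource yields False."""
    for granted_action, granted_resource in permissions_for(user, user_roles, role_perms):
        if granted_action is action and granted_resource in ("*", resource):
            return True
    return False


def audit_admin_holders(user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Users holding any ADMIN grant, for periodic review by the admin."""
    return sorted(
        u for u in user_roles
        if any(a is Action.ADMIN for a, _ in permissions_for(u, user_roles, role_perms))
    )


if __name__ == "__main__":
    checks = [
        ("alice", Action.READ, "reports"), ("alice", Action.WRITE, "reports"),
        ("bob", Action.READ, "logs"), ("bob", Action.ADMIN, "logs"),
        ("carol", Action.ADMIN, "firewall"), ("mallory", Action.READ, "reports"),
    ]
    for user, action, resource in checks:
        verdict = "allow" if is_authorized(user, action, resource) else "deny"
        print(f"{user:8} {action.value:6} {resource:9} -> {verdict}")
    print("Admin holders:", audit_admin_holders())
```

Keeping the grants on roles rather than on individual users is what makes the periodic review practical: the administrator checks a handful of role definitions and the user-to-role table instead of a per-user permission list.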
Conduct Background Checks
• A thorough background investigation of
everyone being considered for a
system administrator job should be
conducted rigorously prior to
employment
– Rotating responsibilities among a team
makes it difficult to hide dishonesty
Enforce Strong Passwords
• Rules for strong passwords:
• No default passwords
• Minimum 10 characters
with symbols and #s
• Change at least every 4
months
• Any others?
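An added Python example, not from the slides, that enforces the three rules listed above: no default passwords, at least 10 characters with symbols and digits, and a change at least every 4 months. The default-password list is a small constructed sample, and "4 months" is read as 120 days; both are assumptions for the example.

```python
"""Password policy checks for the rules on the slide.

Added example (not from the slides). Rules enforced: not a known default
password, at least 10 characters including a digit and a symbol, and
changed within the last 4 months (assumed to mean 120 days here).
"""
from datetime import date, timedelta

# Small constructed list of vendor/default passwords; a real deployment
# would load a maintained list instead of this literal.
DEFAULT_PASSWORDS = {"password", "admin", "changeme", "welcome1", "letmein"}

MIN_LENGTH = 10
MAX_AGE = timedelta(days=120)   # "at least every 4 months", assumed as 120 days
SYMBOLS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def check_strength(password):
    """Return a list of rule violations; an empty list means it passes."""
    problems = []
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("matches a known default password")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isdigit() for ch in password):
        problems.append("contains no digit")
    if not any(ch in SYMBOLS for ch in password):
        problems.append("contains no symbol")
    return problems


def is_expired(last_changed, today=None):
    """True when the password is older than MAX_AGE."""
    today = today or date.today()
    return today - last_changed > MAX_AGE


def evaluate(password, last_changed, today=None):
    """Combine the strength and age checks into one list of problems."""
    problems = check_strength(password)
    if is_expired(last_changed, today):
        problems.append("not changed within the last 4 months")
    return problems


if __name__ == "__main__":
    today = date(2024, 6, 1)   # fixed date so the demo is reproducible
    samples = [("Tr0ub4dor&3x", date(2024, 3, 1)),    # passes
               ("welcome1", date(2024, 1, 1)),        # default, short, stale
               ("abcdefghij!", date(2024, 5, 1))]     # no digit
    for pw, changed in samples:
        result = evaluate(pw, changed, today) or ["ok"]
        print(f"{pw!r:16} -> {'; '.join(result)}")
```

The checker reports every violated rule rather than stopping at the first, which is what a user-facing password-change form needs in order to explain a rejection.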
Review Partner Contracts
• A network of business partners becomes
an extension of the business’s own
network.
– Ask for 3rd party certification of info
security practices
– Build provisions into contracts that
provide protection
Audit and Update
• One area of liability that is often ignored is
the use of unlicensed software.
– Software vendors are entitled to conduct
audits to ensure license compliance.
– The best way to protect your company is to
periodically survey all computers for illegal
applications proactively.
– Known vulnerabilities in commercial
software that are left unaddressed remain
open for hackers to exploit
Physical Security
• Ways to keep information physically
secure
– Use encryption on all offline storage of
sensitive data
– Make sure all the network devices in the
field are in a physically secure place
– Dispose of old computers with extreme
care.
Auditing ….
• Acts as a legal deterrent and
demonstrates diligence
• Similar to financial audits – certify
with outside agency
• Beyond technology: include
documentation, training and
personnel
…includes Testing
• Test response of defensive technology and
designated response team
• Backup sites should be included
Other Secure Principles and
Practices
Insurance
• Now available to cover liability from
virus transmission and confidential
info release, business interruption,
loss of income from DoS attack
• http://www.cfcunderwriting.com/products/esurance.html
Staying Current
• Need I say more?
Reinforcing Secure-Use
Procedures
• Warning vs Welcome message
– Welcome message must be after warning
– A court ruling found that the incorrect order implies
authorization
Rewarding Secure Behavior
• Rewards are as important as reprimands
Worst Practices
Dangerous Email Practices
• email forwarding
• auto reply/responders
allow the system to send a
prepared message
automatically to each
email it receives
– Spammers are
guaranteed responses
• HTML email
• IM
Dangerous Sharing Practices
• P2P networks - 2nd most effective way (mail
1st) for malware distribution
• Software downloads - spyware, Trojan
horses
• Unauthorized users - PCs and PDAs shared
with others unfamiliar with the AUP
• Public networks and wireless networks open PC to anyone monitoring
Summary
• Secure-Use Practices help control risks
and dangers through the use of policies
and technology
• The effectiveness of security practices
depends on the relationship to the
business culture and diligence of staff
• The key is to balance security and
capability