ISSS Presentation - BCS Nottingham & Derby Branch


BCS - Nottingham
Offshoring-and-Security
(In Reverse Order)
John Walker FBCS CITP CISM MICAF PG.Cert
British Computer Society Registered Security Specialist
Head of Operational Security
[email protected]
Genesis
Examples (Viruses):
1993 - Polymorphism arrives as a real threat
Brain – from Pakistan
Jerusalem – Israel
Cascade – West Germany
Vienna – Austria
Ping-Pong - Italy
1995 - Is Windows NT susceptible to virus infections? (VB March 1995 ISSN 0956-9979)
First virus discovered in Russia = DOS 6.2 - Vienna
Virus Developers Quarterly – raw source code
Landscape – About the Task
• Virus Writers, Hackers, and SpyWare folk have learned Project Management Skills (not the case early 2004)
• Mobile Computing, Extended Perimeters of Operations bring with them their own set of problems
• Viruses – From a sample of 1,500 Windows Users, 44% confirmed they had suffered virus infection (I think that number is LOW) COMPUTING 27 Jan 2005
• 25% of that same sample had suffered Spyware, or Phishing Attacks – I am assuming the other 75% were aware that they were clean?
• Trojans – MS Windows Media Player – WmvDownloader.a & WmvDownloader.b
• Regulation and Governance – there is a lot of it
• DDoS - New Security Considerations - VoIP - spIM
Consider . . . (Something Old)
How many holes do you think software could have?
Consider Windows XP:
40 Million: Is the number of lines of code in Windows XP (60M? in SP2).
5 per 1,000: With high quality coding, you still have an estimated 5 bugs in every thousand lines of a program.
200: The number of security holes in WinXP, if only 1 out of 1,000 of those bugs is remotely exploitable. Might be -much- higher...
Source: Win2knews
The same consideration may be applied to other Applications – just look at the history of exploits!
The Brothers SPAM & spIM
Loads of SPAM:
Prescription Drugs
Healthcare, Begging Letters
Easy ways to make money
The usual stuff (images)
Low cost, ripped off software
Loads of spIM: Possibly the first IM based attack to be mounted was against AOL, using the AOL IM. This scam has the subject "Confirm AOL billing info" and attempts to convince the user to reveal their AOL username and password. The communication goes on to advise that if the user does not follow instructions, payments to AOL can't be processed.
Phone a Friend - VoIP
In the next generation of security threats, it is highly likely that VoIP will be/is a target!
Proofs of concept do exist (USA) that allow hackers to manipulate communications by inserting their ‘own’ choice of words into live conversations – consider the ramifications.
Bottom line – as with any other Network Based System, VoIP needs to be secured – don’t just think of it as a new telephone system
See: www.facetime.com for information on VoIP Security
Here’s Looking at You – SpyWare
(Something Borrowed)
• Code on computers (unauthorised)
• Pop-ups
• Redirection
• Affiliate money makers
• Slowing PCs
• Crashing PCs
• Keystroke Monitors
• And more . . . . . . .
Based on trends to date, expected to rise by a factor of 10
Let's Go Phishing
Project managed attackers - Spyware can act as triggers (Crimeware). Once this malware runs, it may start collecting data when a user visits a selected site. The phishing emails try to drive users to the real site to log in, which will activate the spyware.
An example
Not Forgetting Viruses and Worms
• Now an accepted way of life for any user of a computer, no matter whether at home, or in the office
• They spread fast, and can have high impact on system availability
• Prediction - They will get smarter, do not have to be destructive, why not leverage their power to work for the attacker – imagination will be the only limitation here
• You got AV in place – so what, that does not ensure you will remain infection free
W32/Rbot_GR (Peeping Tom) – locates, and uses Web Cams to look into your personal space.
Hidden Content – Whatever you wish
(Something New)
The file C:\xxx Settings\xxx\Local Settings\Temporary Internet Files\Content.IE5\xxx\xxx is infected with Mr-Nasty.gen - Known Virus, Detected with Scan Engine 4.4.00 DAT version 4.0.4422. The file was successfully deleted.(from PC0xxxxxxxx IP xx.xxx.xxx.xxx user xxxx running VirusScan 4.5.1 SP1 OAS)
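An alert like the one above is only useful if its fields can be pulled out and the cases that need an analyst can be separated from the routine clean-ups. The following is an added example, not part of the presentation: it parses the masked VirusScan on-access alert format quoted above (the sample text is constructed from that slide) and flags an alert when the file was not removed or the host scanned with DAT signatures older than an assumed baseline (the baseline value 4.0.4422 is an assumption).

```python
import re

# Constructed sample, modelled on the masked VirusScan alert quoted on the slide.
SAMPLE_ALERT = (
    r"The file C:\xxx Settings\xxx\Local Settings\Temporary Internet Files"
    r"\Content.IE5\xxx\xxx is infected with Mr-Nasty.gen - Known Virus, "
    "Detected with Scan Engine 4.4.00 DAT version 4.0.4422. The file was "
    "successfully deleted.(from PC0xxxxxxxx IP xx.xxx.xxx.xxx user xxxx "
    "running VirusScan 4.5.1 SP1 OAS)"
)
# Second constructed sample: removal failed and the host ran older signatures.
FAILED_ALERT = SAMPLE_ALERT.replace("successfully deleted", "not deleted") \
                           .replace("DAT version 4.0.4422", "DAT version 4.0.4400")

# One regex for the whole alert; named groups are the fields an analyst drills into.
ALERT_RE = re.compile(
    r"The file (?P<path>.+?) is infected with (?P<threat>.+?) - Known Virus, "
    r"Detected with Scan Engine (?P<engine>[\d.]+) DAT version (?P<dat>[\d.]+)\. "
    r"The file was (?P<action>.+?)\.\(from (?P<host>\S+) IP (?P<ip>\S+) "
    r"user (?P<user>\S+) running (?P<product>.+?)\)$"
)


def parse_alert(text):
    """Return the alert's fields as a dict, or None if the text is not this format.
    Whitespace is normalised first because the alert arrives wrapped over several lines."""
    m = ALERT_RE.search(" ".join(text.split()))
    if not m:
        return None
    fields = m.groupdict()
    fields["cleaned"] = fields["action"].startswith("successfully")
    return fields


def dat_tuple(version):
    """'4.0.4422' -> (4, 0, 4422) so DAT versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def needs_follow_up(alert, min_dat="4.0.4422"):
    """True when an analyst should look at the host: the engine could not remove the
    file, or the host scanned with signatures older than the baseline (assumed here
    to be 4.0.4422), which makes the rest of that host's "clean" verdicts weak too."""
    stale = dat_tuple(alert["dat"]) < dat_tuple(min_dat)
    return (not alert["cleaned"]) or stale


if __name__ == "__main__":
    for raw in (SAMPLE_ALERT, FAILED_ALERT):
        a = parse_alert(raw)
        print(a["host"], a["threat"], "DAT", a["dat"], "follow-up:", needs_follow_up(a))
```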
Every picture tells a Story
Hidden Content – Whatever you wish (Something Potentially Blue)
OR
Every picture tells a Story – AND SOME MAY BE NOT SO ACCEPTABLE
The Need to Move - Mobilisation
The Mobilisation of the workforce dictates that what has been seen thus far as the preserve of Perimeter Security to underpin and deter attacks has now had a quantum shift, encompassing such areas as:
WiFi (802.11b/g), Bluetooth, Smart Phones and PDAs
Outsourcing – how will it affect the Perimeter of Security, or what has been thus far accepted as the organisational ‘Area of Control’ (will it push it or pull it?)
Legislation & Controls - Challenges
Gramm-Leach-Bliley Act of 1999 (GLBA)
Securities and Exchange Commission (SEC) Compliance issues (17a-4)
NASD
Sarbanes-Oxley Act
USA Patriot Act
HIPAA Privacy
HIPAA Security
FDA’s Electronic Records/Signatures (ERES – 21 CFR Part 11)
Mental Hygiene Law Sec. 33.13
And
Computer Security Act
NIST
And . . . . . . . . . . . . . . . . . . . . . . . . . . there are MORE
Build Them Secure – or Suffer
Probably one of the most important aspects (the FIRST) of technical security is that of how systems are built:
Remember – out of the box, does not necessarily support security
Have an agreed Baseline Build for all systems, including Workstations, Mobiles (Laptops etc), Servers, and any other device that serves a Production environment – you also need to consider Phones, and PDAs
If you outsource, or use Third Party Services Providers – don’t forget this may also apply to them
This is something old, but still gets missed
Alerting – Key Stuff
High importance should be placed against obtaining early reports of Vulnerability Alerts – if not in place, how do you know what you are at risk from?
Don’t forget this is equally important for any systems outside the Perimeter of the Organisation – home users, and say Outsourced Systems/applications, can also harbour insecurities and vulnerabilities - so make sure you encompass them in the plan
Out of sight/site, should not be out of mind
Patch and Fix – or Die
Closely following Alerting – Patch and Fix
Lots of stuff to consider here – the most important aspect is to stay connected to those security alerts
This is as important as deploying Anti Virus signatures - yet it still seems to take a back seat
It Don’t Have to be Expensive
It is not always necessary to spend high numbers to achieve Operational Security - consider:
What do you own - already
What can you leverage from the O/S and applications
LOW cost, HIGH Functionality
However, if you have a financial pot with no bottom, please feel free to discount these ideas
It Don’t Have to be Expensive
(What you can Leverage)
1. SNORT: Good IDS, very effective (use the language)
2. Office 2003: Document Security
3. AP Logging: Review them on a regular basis
4. Vulnerability Alerts: There are many good free ones (take a look at OSVDB)
5. Use Free Encryption: Turn on NTFS for NT, 2000, and XP – better than nothing (EFS for 2000 >>)
6. WiFi - WEP: Not great, but better than nothing
7. O/S Options: Eventtriggers (Win2k, XP, 2003)
It Don’t Have to be Expensive (SpyWare)
Anti-SPAM is no longer to be considered a nice to have, but is A MUST. MS have produced a very functional tool. Here in its Beta Release
It Don’t Have to be Expensive
(Log Analysis)
Drill Down
Sawmill – LOW Cost, HIGH Functionality
Security Testing – Who, When, Why
It is essential that in any project, or application lifecycle, the element of security is both acknowledged and addressed (for the ex-Government People in the audience – remember Memorandum No 10)
For HIGH assurance this should be done:
• During development phases
• Post time of deployment
• After any change has been applied
• Periodically
When conducting testing, for best effect and value, use a known methodology such as OWASP
Policy and Governance has its Place . .
BUT
• Security Policies are very important to underpin the security mission of any business – they are the rules that all should abide by – and if not, there will/may be consequences. However, remember:
• Security Policies are passive – just because you have one, does not make you secure – so don’t fool yourself
• They underpin the day-to-day operations and practices, however, in an operational sense, they have no real value.
• They do not proactively avoid an insecurity occurring, they only advise the rules - they will not tell you when things go wrong, but they may be used after-the-fact.
Governance should help the business, not grind it to a halt
What Next – What can help
MSc in IT Security – Fred Piper – Royal Holloway
IISP – Institute of Information Security Professionals – Jan 2006
CISM – Certified Information Security Manager
CISSP – Certified Information Systems Security Professional
BCS Membership – Professional Development (is key)
Read, read, and . . . Read – it is a fast moving area – to keep up
Future of IT Security
Drivers are high – it is now a Main Board topic, and key to the business
Personal opinion – I feel it will become a Main Board position
The area of expertise will grow – needs technical underpinning
I believe that it is a science (a mix of physiology and technology)
It is a challenge – can be pressured – has an element of ‘the buck stops here’ – but is also rewarding and enjoyable
One quality required is, ‘decision makers are key’
Outsourcing
Let's talk:
Skills
Security
Value
Challenges
Risk Assessments – post not pre
Leverage
Contracts and SLA
Mapping Process and Procedure
Team Work
Are they IN or OUT?
Compliance and Governance
Outsourcing – Security
Outsourcing is now on the up, and many organisations have entered into contracts - but the security model needs to be considered!
• Any pre-deployment Risk Assessments need to take into account, not what is today, but what will be tomorrow
• How do the pre and post deployment perimeters compare – has the company’s boundary of operations moved?
• Where do you deploy your security defences? (dependent on the aforementioned factors)
• Do your policies and baselines work – are Minimum Controls achievable, and maintained?
Brief Q&A
Questions