1 / 102

IT Security

IT Security. Julie Schmitz James Mote Jason Tice . Agenda. Overview of basic IT security Human Resources Command-St. Louis Inside Financing Recommendations and Best Practices Closing and questions. IT Security Defined.

afric
Download Presentation

IT Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IT Security Julie Schmitz James Mote Jason Tice

  2. Agenda • Overview of basic IT security • Human Resources Command-St. Louis • Inside Financing • Recommendations and Best Practices • Closing and questions

  3. IT Security Defined • “Broadly speaking, security is keeping anyone from doing things you do not want them to do to, with, or from your computers or any peripherals” -William R. Cheswick

  4. IT Security Overview • Intruders - hackers and crackers • Insiders – fraud case at Financing • Criminals • Online Scam artists • Terrorists

  5. IT Security Overview • Hacker • Person who enjoys exploring the details of programmable systems and how to stretch their capabilities • Hackers tend to view themselves as very knowledgeable computer programmers, sometimes to the point of arrogance • True hacker will look for weaknesses in a system and publish it Source: FBI Cyber Task Force

  6. IT Security Overview • Cracker • One who breaks security on a target computer system • The term was coined by hackers around 1985 in defense against the journalistic misuse of the term “hacker” • Tend to never disclose their findings Source: FBI Cyber Task Force

  7. Hackers or Crackers?

  8. How does a Hacker Effect You? • Michael Buen and Onel de Guzman • Both are suspected of writing the “I Love You” virus • David L. Smith • Melissa virus author • Released March 26, 1999 • Caused an estimated $80 million in damages Source: FBI Cyber Task Force

  9. IT Security at your Office • Social Engineering • Denial of service attacks (DoS) • E-mail bombs • Password cracking • Web spoofs • Trojan, worm, virus attacks • Antivirus tools Source: FBI Cyber Task Force

  10. Social Engineering • A con game played by computer literate criminals • Works because people are the weakest link in any security system Source: FBI Cyber Task Force

  11. Denial of Service • Prevents users from using a computer service. • A type of DoS attack involves continually sending phony authentication messages to a targeted server, keeping it constantly busy and locking out legitimate users • Ping attacks • DDoS attacks • Uses multiple computers to coordinate DoS attacks Source: FBI Cyber Task Force

  12. Email Bombs • A type of denial of service attack • Email bombs involve sending enormous amounts of email to a particular user, in effect, shutting down the email system • Many spammers fall victim to this type of attack • No need to manually send email; downloadable programs will do it for you Source: FBI Cyber Task Force

  13. Password Cracking • Involves repeatedly trying common passwords against an account in order to log into a computer system • Freely available “cracking” programs facilitate this process Source: FBI Cyber Task Force

  14. Web Spoofing • “faking the origin” • The attacker creates a false or shadow copy of a reputable web site; all network traffic between the victim’s browser and the shadow page are sent through the attacker’s machine • Allows the attacker to acquire information such as passwords, credit card numbers, and account numbers Source: FBI Cyber Task Force

  15. What Should Have Been Displayed

  16. What was Displayed

  17. Trojan, Worm, and Virus • A Trojan program does not propagate itself from one computer to another • A Worm reproduces ITSELF over a network • A Virus, like its human counterpart, looks for ways to infect other systems or “replicate” itself (i.e., e-mail) Source: FBI Cyber Task Force

  18. Trojans • Trojans are malicious files masquerading as harmless software upgrades, programs, help files, screen savers, pornography, etc. • When the user opens file, the Trojan horse runs in the background and can cause damage to the computer system (hard drive damage, total access, username and password) Source: FBI Cyber Task Force

  19. TrojanControl

  20. Virus • A program that replicates without being asked to • Copies itself to other computers or disks • Huge threat to companies Source: FBI Cyber Task Force

  21. Antivirus Tools • Any hardware or software designed to stop viruses, eliminate viruses, and/or recover data affected by viruses • AV tools refer to software systems deployed at the desktop or on the server to eliminate viruses, worms, trojans, and some malicious applets • Should be used as part of a security policy Source: FBI Cyber Task Force

  22. After the Incident • Identify means to avoid another attack • Download latest patches • Repair compromised systems • Re-educate users • Run anti-virus software • Stay alert for signs the intruder is still in your system • Log traffic data Source: FBI Cyber Task Force

  23. Security Budget

  24. The Facts on IT Security Budgets • 62 percent of technology officers feel no pressure to increase spending this year • 40 percent of their budgets will go toward preventing existing machinery from breaking • Systems security tends to go unfixed until proven broken • A simple firewall has become the ultimate security commodity • Don’t use ROI to configure IT security budget Source: FBI Cyber Task Force

  25. Source: Federal Bureau of Investigation / Computer Security Institute – http://www.gocsi.com - viewed 11/4/2004

  26. I.T. SECURITY BRIEF- HUMAN RESOURCES COMMAND ST. LOUIS

  27. Human Resources CommandSt. Louis Historical Timeline • First established in 1944 at 4300 Goodfellow • First known as the Demobilized Personnel Records Branch after WWII • In 1956, moved to its present location, 9700 Page • In 1971, Reserve Components Personnel Center at Ft. Benjamin Harrison merged with St. Louis • In 1985, Army Reserve Personnel Center (ARPERCEN) was formed. • In 2003, organization was renamed to Human Resources Command (HRC) Source: https://www.2xcitizen.usar.army.mil/2xhome.asp - viewed 11/1/2004

  28. Human Resources Command (HRC) St. Louis Overview • Supports or conducts the Human Resources Life • Cycle for over 1.5 million customers • Workforce comprised of over 65% civilians, 30% • Active Guard-Reserve soldiers, 5% Active • Component soldiers • Of the military workforce, most officers are Majors • (O-4) & most non-commissioned officers are • Sergeants First Class (E-7s) • 65-acre facility located off Page Avenue • Total of Nine Directorates Source: https://www.2xcitizen.usar.army.mil/2xhome.asp - viewed 11/1/2004

  29. Human Resources Command (HRC) Mission Statement • To provide the highest quality human resources life cycle management in the functional areas of structure, acquisition, distribution, development, deployment, compensation, sustainment and transition for all Army Reserve Soldiers, resulting in a trained and ready force in support of the national military strategy. • To provide human resource services to our retired reserve and veterans. Source: https://www.2xcitizen.usar.army.mil/2xhome.asp - viewed 11/1/2004

  30. Information Assurance Office Information Assurance Manager (Rank: Major) IANCO (Rank: MSG) Assistant IAM (Rank: CPT) Civilian (GS-12) Information Tech & Sec Specialist Civilian(GS-13) Deputy IAM Civilian (GS-11) Information Tech & Sec Specialist Civilian (GS-11) Information Tech & Sec Specialist Source: Information Assurance Office, Human Resources Command, St. Louis

  31. Information Assurance Manager Duties Major: Responsible for Overall IT Security Master Sergeant: Verifies Security Clearances; Trng; Account Requests Captain: Drafts & Submits Policy GS-13: Updates Patches & ACERT Compliance GS-12: System Security Authorization Agreement; Networthiness Certification GS-11: Investigates Computer forensics; Backup for updates & patches GS-11: Backup for Computer forensics; Trng; Account Req.; Verifies Sec. Clear. Source: Information Assurance Office, Human Resources Command, St. Louis

  32. Information Assurance Defined • The protection of systems and information in storage, processing, or transit from unauthorized access or modification; denial of service to unauthorized users; or the provision of service to authorized users • Also includes those measures necessary to detect, document, and counter such threats • This regulation designates IA as the security discipline that encompasses COMSEC, INFOSEC, and control of compromising emanations Source: Army Regulation (AR) 25-2

  33. Information Assurance Organization Chief Information Officer U.S. Army Reserve Command Atlanta, Georgia Information Assurance Officers- 11 Regional Support Commands Information Assurance Officer- Human Resources Command-St. Louis Source: Information Assurance Office, Human Resources Command, St. Louis

  34. In Order to Gain System Access • All Military must have a Security Clearance • Some civilians must have Security Clearance • Other civilians must have at least a National Agency Check (NAC) • All employees must submit a request for system access Source: Information Assurance Office, Human Resources Command, St. Louis

  35. Common End User Problems • Pornography • Running Businesses • Unauthorized use of illegal • software • Sharing of logons/passwords Source: Information Assurance Office, Human Resources Command, St. Louis

  36. What Happens If YouGet Locked Out? • Go to your local Information Mgmt • personnel assigned to serve your • directorate Source: Information Assurance Office, Human Resources Command, St. Louis

  37. Main Concerns of IT Security • Information Security Training • Purchasing automation equipment • without authorization • Computer left on 24/7 • Having a qualified Information • Assurance Manager that is strict • Knowledge of the system Source: Information Assurance Office, Human Resources Command, St. Louis, MO; Information Assurance Officer, 63rd Regional Readiness Command, Los Alamitos, California

  38. Anti-Virus Activity STOPPED AT GATEWAY 45,000 IN APRIL STOPPED AT DESKTOP Source: Information Assurance Office, Human Resources Command, St. Louis

  39. Probes and ScansAgainst Network 135,000 YTD Source: Information Assurance Office, Human Resources Command, St. Louis

  40. Computer Security Model • Bell-LaPadula Model • Developed by the US Army in the 1970’s • Provides framework for handling data of different classifications • Known as “multilevel security system” • One of the earliest and most famous computer security models Source: Information Assurance Office, Human Resources Command, St. Louis; http://infoeng.ee.ic.ac.uk/~malikz/surprise2001/spc99e/article2 - viewed 11/6/2004

  41. Information Unable to Obtain • IT Security Budget • Business Policy Procedures • Outsource IT providers information Source: Information Assurance Office, Human Resources Command, St. Louis

  42. Security challenges at Financing from theCIO’s perspective

  43. Financing Background Info • Financing is one of the largest domestic providers of inventory floor financing for several different industrial channels. • Recent focus to use IT to reduce business costs by processing transactions online. • IT operates 5 different customer facing applications handling in excess of 4 billion dollars in transactions monthly. Source: Interview and personal comments from Financing’s CIO – October 2004

  44. Case Study Research Method • Interviewed CIO to gain their different perspectives on IT security and business. • Interview lasted approximately 2 hours and consisted of 15 questions. • Subsequent discussion based on what CIO said were issues of highest concern. Source: Interview and personal comments from Financing’s CIO – October 2004

  45. Most Pressing Security Concerns • Eliminating bad user practices • Measures to prevent security breeches • Ability to quickly recover from security failures / breeches • Impact of compliance with SOX regulations Source: Interview and personal comments from Financing’s CIO – October 2004

  46. Security Specifics • No specific line item budget amount. • Security costs are encompassed in other budget items, such as system development & testing, data center operations, etc. • No dedicated resources focusing solely on security. • Security related activities fall under responsibility of existing IT staff. Source: Interview and personal comments from Financing’s CIO – October 2004

  47. Security Challenges:End User Security “Security is a 50/50 proposition. A system can be perfectly secure; however, if users don’t properly use the provided security features, then there might as well be no security at all.” -Anonymous

  48. End User Security:Typical Financing User • Non-technology savvy office clerks and book keepers. • No on-site IT support to maintain individual system security. • Many dealers have Broadband access without firewall protection. Source: Interview and personal comments from Financing’s CIO – October 2004

  49. End User Security:Typical Financing User • Non-technology savvy office clerks and book keepers. • No on-site IT support to maintain individual system security. • Many dealers have Broadband access without firewall protection. • What is so risky about this??? Source: Interview and personal comments from Financing’s CIO – October 2004

  50. End User Security:Typical Financing User (2) • Known problems with Spyware and viruses. • Account reps reported seeing multiple users post their username and password in plain view in their offices. Source: Interview and personal comments from Financing’s CIO – October 2004

More Related