Information Security Mark Lachniet mlachniet@analysts.com Analysts International
Introductions
• Mark Lachniet (mlachniet@analysts.com)
• Senior Security Engineer at Analysts International – Sequoia Services Group
• Technical lead for the Security Group
• MCNE, MCSE, CCSE, LPIC-1
• Worked for 6 years as a technician and later the IS Director at Holt Public Schools
• Former board member and conference organizer for MAEDS (http://maeds.org)
• Frequent presenter at MAEDS, MACUL, MIEM and for private engagements

Purpose of Today’s Presentation
• Provide a macroscopic overview of security issues, technologies, and concerns for schools
  – General Overview
  – Operations Security
  – Physical Security
  – For administrators and technicians
  – Will be presented first. Non-technical people may not need to hear about server hardening, but technical people definitely need to hear everything
• Provide technical information about specific technologies of concern
  – Network Security
  – Host Security

Purpose of Today’s Presentation
• Provide links, works cited and references for continued research and investigation
• Provide time for discussion (via e-mail) about specific issues of concern
• Most importantly – to raise awareness. Things are bad in computer security, and we don’t want Michigan schools to be a casualty!

Agenda
• Security Background
• Operations Security
• Physical Security
• Network Security
  – Wireless
• Host Security
  – Macintosh (OS/X)
  – Novell Netware
  – Linux / UNIX
  – Microsoft
• Short breaks about every 45 minutes for questions and more coffee
Computer Crime on the Rise
• We know that computer security is a real problem. We are here, aren’t we?
• September 11th has further raised the bar on computer security awareness and funding
• Computer security is about economic impact – our reliance on the Internet and computers means that our livelihood can be threatened by digital attackers from around the world
• Consider how skittish the stock market is, and how it affects the overall economy
• More and more people are getting connected
• Tools and attacks are increasingly easy to find and use, lowering the intellectual bar
The CSI Computer Crime and Security Survey
• The CSI survey, released 4/7/2002, has some very interesting pieces of information:
  – 90% of respondents detected a security breach within the last 12 months. Have you? If not, it is probably happening without your knowledge!
  – 44% of respondents were able to quantify their losses due to a security breach. The result was $455,848,000 over 223 respondents, for an average loss of $2,044,161 each

The CSI Computer Crime and Security Survey
• 74% of attacks cited were against the Internet border and devices (web servers, firewalls)
• 33% of attacks cited were against internal systems (internal file/print, workstations)
• 40% detected penetrations from the outside
• 40% detected Denial of Service (DoS) attacks
• 78% detected employees abusing privileges (pornography, pirated software, etc.)

The CIA Triangle
Confidentiality – Integrity – Availability

The CIA Triangle
• Confidentiality
  – The unintended or unauthorized disclosure of computer data or information
• Integrity
  – The unintended or unauthorized modification of computer data or information
• Availability
  – The loss of service of critical applications, systems, data, networks or computer services
• K-12 Schools need to worry about all three!

Reasons for Security in K-12 Education
• Funding requirements (USF)
• Integrity of critical data
• Public opinion / negative publicity
• Student safety & disciplinary issues
• Avoid costly litigation
• Lost productivity, both for technical and non-technical personnel
• Lost educational potential, inability to teach on broken computers, lost files, etc.
• To be a good Internet citizen
Important K-12 Data to Protect
• Grades / Attendance: changing (for better or worse) student grades or attendance: School Accreditation, state funding (count day) etc.
• Information considered private: SS#, special education status, free lunch programs, notes from counselors, discipline, medication (Ritalin), etc.
• Integrity of financial data – online POs, budgetary information (balances, accounts, responsibility reports)
• Payroll and Human Resources – criminal history, disciplinary actions, disability, etc.
• Educational and administrative documents – tests, lessons, etc. These are essentially “congealed money”
Protecting Students and Staff
• We must protect children and staff who are threatened by electronic means
• Pedophiles, stalkers, and bad people
• Student to student threats, assault
• Recorded information about drugs, sexual activity, abuse, gang activity, violence, or other crime
• Questionable Internet content – bomb-making instructions, how to hack, etc.
• The problem of IM and chat rooms
• Student info – last names & pictures
• South Carolina’s law
The Public
• As a public school employee, anyone can question or criticize your methods and actions at a school board meeting, PTO or school function, or in the media
• Bad security may expose the district to significant lawsuits, especially for failing to protect children’s information such as special ed. status
• Bad security can (and eventually probably will) equal bad publicity, as more than one local district knows
• Be aware of FOIA laws – what can they legally obtain? All e-mail? What is protected?
• And… of course… Internet filtering.

Downtime and Discipline
• Broken systems – deleted files, missing software, physical vandalism
• Prevents students from learning
• Requires extensive time and $$ to fix
• Frequently leads to disciplinary action. The computer tech as computer-narc (Think S.C.)
• Take good notes of what you do
• Learn to use Windows Find! Alt-PrtScn it, print it out, and start a file
• Parents… “my son would never do that!”
• Hopefully, it takes less time to proactively secure things than to fix them
Justifying the Cost of Security
• Security work can be expensive! It takes tools, training and time (or money to hire out)
• Compared to “firefighting”, yearly replacement, keeping servers running, and imaging workstations, it is usually not seen as a priority (until there is an incident, anyway)
• Or worse, it is a priority but nobody ever gets the time to do it
• Talk to the school board, H.R. and Finance directors, and superintendents about the risk (and get help from someone)
• Security is a proactive cost savings, not reactive

Scare Them… With Reality
• Discuss the frequency of computer breaches in the media and at peer organizations
• The national cost of computer incidents – Code Red alone = $1.2 BILLION
• Compute the cost in lost productivity if the HR, payroll, or student system dies (lots!)
• Discuss the cost of a lawsuit. Even a lawsuit without merit will cost thousands of dollars
• Discuss the need for student safety – could a child be exposed to harm due to a failure in the existing system? Can you put a price on that?

Scare Them… With Reality
• Discuss the educational ramifications – what if all student and staff directories were wiped out and no backups existed?
• Discuss privacy issues – some choice e-mail from the superintendent’s or spec. ed director’s account being sent to the local paper for example
• Loss of USF funding, loss of accreditation?
• Loss of community confidence and support
• Loss of valuable computer technician time that could otherwise be spent keeping everything working properly
• Loss of YOUR JOB!
The Goal of Network Security
• Simply put: “To be more annoying to break into than your neighbor”
• The house and neighborhood metaphor
• Increase the “work factor” of attacking you by erecting as many barriers as possible (defense in depth)
• Ultimately, network security is all about preserving the functionality of the organization. Technology is just the tool.

Why People Hack (Crack)
• Crackers are generally regarded as being motivated by one of four primary reasons:
  – Economic gain (espionage, embezzlement)
  – Egocentric (to prove they can do it, play god, get recognition from other crackers)
  – Ideological (to prove a political point – attacking the World Trade Organization or NATO web sites for example)
  – Psychotic (they are just sick in the head and probably destructive)

Types of Hack Attacks
• Reconnaissance – Scan networks and online resources (whois, DNS), dumpster diving, etc. to gain interesting information about the target. Typically non-invasive, usually untraceable
• Exploits – Attack servers in an attempt to exploit a system vulnerability of some kind (e.g. NIMDA, Code Red, etc.). Very invasive, can be detected by IDS systems or careful log analysis
• Denial of Service (DoS) – Attack servers to take them down and render them unusable. You will probably know when this is happening from the complaint phone calls

Types of Hack Attacks
• Attacks can be both personal and manual, or automated and generic
• Many attacks are the result of systems that have already been attacked, and are now attempting to hack other machines. NIMDA was a good example of this. Usually the system owners have no idea what is happening
• If you monitor any Internet connection long enough (say, 15 minutes) you are bound to see attacks coming through. It is just part of doing business nowadays
• It is the manual attacks that you need to be worried about – deliberate, careful, and focused
• Most hackers aren’t that smart – they just use programs given to them – and are thus known as “script kiddies”
Common Security Practices
• Security is a nascent field in many respects
• Terminology, procedures and skill levels vary drastically between people and organizations
• Some disagreement over what best practices actually are (e.g. the best placement of an IDS)
• Few objective benchmarks to allow “apples to apples” comparisons for HW, SW, Services
• There is a big technical curve for security – you must first be an expert in the technology, and then learn security on top of it
• Whether you do it internally or get external help, it needs to be done
Common Security Services
• A firewall and Internet border security is simply not enough! This gives rise to the “candy” network – hard on the outside, soft on the inside (and tasty for attackers, too)
• Embrace the concept of “defense in depth.” In other words, have security at multiple layers and in many places to make attacks as difficult as possible.
• There is value in getting help from an external perspective – there is less ego on the line and a fresh viewpoint

Vulnerability Assessments
• Sometimes called “penetration testing”
• Uses scripts and vulnerability assessment tools such as “Nessus” and the “ISS Internet Scanner” to scan all hosts for all known vulnerabilities
• Also uses “human logic” to find problems – manually connecting to services, analyzing portscans, researching various software packages, making connections, etc.
• Human logic is the most important step! Anyone can run a scanner program, but interpreting results and applying knowledge of the technologies involved is essential.

Vulnerability Assessments
• People and companies that specialize in security are important for a good vulnerability assessment project
• The deliverable of a vulnerability assessment should include a list of all IP addresses, open ports, explanation and ranking of vulnerabilities, and hopefully some dialog on how to start fixing them
• Vulnerability assessments should be done regularly – new vulnerabilities come out all the time – so you must stay up to date
• Be warned – other people are assessing your network. Are you?
Security Assessment Services
• Sometimes called an audit
• Sometimes performed in a very limited capacity by financial auditors (mainly backup systems)
• Can be used to audit an actual environment against a set of criteria, for example to determine compliance
• Should be performed by one or more individuals with backgrounds in both network systems and organizational administration
• Takes a macroscopic view of the organization
• Analyzes technology as well as policies and procedures, configurations, and other items that a tool cannot assess

Security Assessment Services
• Uses interviews, inspection of documentation, and manual analysis (depending upon the focus)
• Should make recommendations on a wide variety of things to improve security
• Should provide a description of the current situation, what best practices are, and what the recommended changes are
• Should provide an estimate of pricing and priority, so that it can be used as a planning document for department priorities and budgets
Example Recommendations
Physical Security
• Project #1: War Dial Telephone Exchanges
• Project #2: Improve Physical Security
Network Security
• Project #3: Audit Firewall Configuration
• Project #4: Implement RFC 1918 addressing
Machine Security
• Project #5: Secure Externally-Maintained Machines
• Project #6: Deploy warning banners
Policies and Procedures
• Project #7: Security Awareness and Responsibilities
• Project #8: Improve User Password Security
Disaster Recovery Planning
• Concerned with minimizing the effect of a problem with a technological system
• Focuses on things like tape backup, off-site storage, network and machine redundancy, and recovery procedures
• Must identify critical assets, and all of the resources that support them (power, network, etc.)
• Put into place preventative measures and recovery procedures
• DRP is highly interactive and labor-intensive, primarily conducted through lots of interviews
• In the private sector, failure to have a Disaster Recovery Plan in place constitutes a failure of due diligence, and CEOs can be held legally liable for damages

Business Continuity Planning
• BCP is similar to DRP, but it looks at the health of the entire organization, and not just technological systems
• Why? Approx. 65% of businesses that are down for more than a week never recover! Schools must continue regardless, but it will cost a fortune, and that may mean cutting back on services and employees to compensate (you won’t be popular)
• BCP looks at things like alternate locations, backup telephone systems, contacting employees, interfacing with public service agencies and the media, forming relationships with support vendors, etc.
• BCP typically is larger than, and contains, DRP measures
• Takes even longer than DRP
VPN / Remote Access Services
• Providing remote access to school resources from outside of the network is risky
• Access should only be given to those with a legitimate need (not just complainers)
• Frequently, programs like PC/Anywhere, VNC, and dial-up modem pools are used. Bad!
• A better option is to use VPN devices
  – Can use the existing Internet connection, and reduce the reliance on dial-up lines to save $
  – Can enforce proper authentication, provide logging, and protect traffic through the use of encryption
  – Can be used for client-to-site or site-to-site connections
Intrusion Detection Systems
• Are designed to detect (and sometimes respond to) significant security events
• Configuration is critical to success!
• IDS works in two ways:
  – Signature matching, like antivirus software
  – Pattern matching, finding strange behaviors or fluctuations from the norm (e.g., a DoS attack)

Intrusion Detection Systems
• IDS comes in a few different forms:
  – Network based, “sniffs” the network
  – Host based, monitors local traffic and API calls
  – Intrusion Prevention Systems, a combination of other types but with the ability to intercept and *stop* attacks (e.g. Entercept)
  – Filesystem integrity based, monitors the filesystem, registry, routers, etc. for changes (e.g. TripWire)
• Popular IDS Systems:
  – Snort (free, open source, harder to manage)
  – ISS RealSecure (nice, but expensive)
  – Cisco Secure IDS (great for internal switches, especially)
Intrusion Detection Systems
• Can be configured to take different actions upon noting an event such as logging to a database, sending an e-mail or page to a network admin, or working with a firewall or router to block the attack
• Be warned of active response IDS systems! What happens if I spoof an attack from your DNS server?
• IMO, IDS systems are somewhat overrated because of the sheer volume of attacks that occur on a daily basis
• Without very careful configuration, especially sensor placement and signature tuning, you could be so overwhelmed by alerts that you can’t filter the noise from the important stuff
• Are probably best suited for the internal network, or on a DMZ network with a heavily tuned signature database
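As an added illustration (not part of the original slides, and not the presenter's code), here is a toy IDS in Python that does both detection styles named above, signature matching and deviation from a baseline, and shows the safeguard the spoofed-DNS-server question calls for: sources you depend on are never auto-blocked, only alerted on. The log format, the signature patterns and the IP addresses are constructed for the example.

```python
# Added example (not from the deck): a toy network IDS showing the two
# detection styles the slides describe, signature matching and deviation
# from a baseline, plus a guard against blindly blocking whatever source
# address an alert carries.  Log format, signatures and addresses are
# constructed for illustration.
import re
import statistics
from collections import Counter

LINE_RE = re.compile(r"^(\S+) -> (\S+):(\d+) (.*)$")

# Signature rules in the style of the Code Red / NIMDA era, keyed by name
SIGNATURES = {
    "unicode-traversal": re.compile(r"\.\.%c[01]%[0-9a-f]{2}\.\./", re.I),
    "cmd-exe-request": re.compile(r"cmd\.exe", re.I),
    "ida-overflow": re.compile(r"/default\.ida\?", re.I),
}

# Constructed sample log: "src -> dst:port request"
SAMPLE_LOG = [
    "10.1.1.5 -> 10.1.1.10:80 GET /index.html",
    "10.1.1.5 -> 10.1.1.10:80 GET /library/news.html",
    "192.0.2.44 -> 10.1.1.10:80 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "192.0.2.44 -> 10.1.1.10:80 GET /default.ida?NNNNNNNNNNNNNNNN",
    "10.1.1.2 -> 10.1.1.10:80 GET /cmd.exe",          # source is our own DNS server
] + [f"198.51.100.9 -> 10.1.1.10:{port} SYN" for port in range(1, 41)]  # port sweep


def parse(line):
    """Split one log line into its fields; returns None for lines we can't read."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst, port, request = m.groups()
    return {"src": src, "dst": dst, "port": int(port), "request": request}


def signature_alerts(lines):
    """Signature matching: (src, signature name) for every rule a line trips."""
    alerts = []
    for event in filter(None, map(parse, lines)):
        for name, pattern in SIGNATURES.items():
            if pattern.search(event["request"]):
                alerts.append((event["src"], name))
    return alerts


def anomaly_alerts(lines, factor=10):
    """Baseline deviation: sources whose connection count is far above the
    median per-source count, the kind of spike a DoS or port sweep produces."""
    counts = Counter(e["src"] for e in filter(None, map(parse, lines)))
    if not counts:
        return []
    baseline = statistics.median(counts.values())
    return sorted(src for src, n in counts.items() if n > factor * baseline)


def respond(lines, protected_hosts):
    """Decide an action per alerted source.  Hosts we depend on (DNS server,
    gateway, upstream mail relay) are never auto-blocked, because an attacker
    can forge packets from those addresses and turn the IDS against us."""
    suspects = {src for src, _ in signature_alerts(lines)} | set(anomaly_alerts(lines))
    return {src: ("alert-only" if src in protected_hosts else "block") for src in sorted(suspects)}


if __name__ == "__main__":
    for src, action in respond(SAMPLE_LOG, {"10.1.1.2"}).items():
        print(f"{src:15} {action}")
```

Run as-is, the script lists the two outside addresses as blockable and the DNS server's address as alert-only; the signature list and the protected-host set are the two things a real deployment tunes, which is the "very careful configuration" the slide warns about.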
Server Hardening
• Probably the single most important aspect of security
• A firewall cannot protect an insecure host
• Hardening includes a number of steps including keeping up to date with patches, and other proactive steps
• Simply keeping up with patches is not true hardening
• True hardening takes steps to make a compromise more difficult – even for exploits that have not yet been discovered
• Server hardening is time consuming, especially on NT and UNIX systems, and requires a lot of upkeep
• We will discuss server hardening in the technical portion of this presentation
Operations Security
• Concerned with ways to mitigate security risks through administration – policies, procedures and practices
• The weakest link in the security chain is individual humans (or as Dilbert calls them, “in-duh-viduals”)
• Part of “defense in depth”
• Administration support is critical to any security initiative
• Helps to minimize risk, respond to incidents, and establish standards for how things should be done
Personnel Controls
• Pre-hiring background checks for important positions. Do they have a criminal history with computers? Did they lie on their resume? Do they have heavy debt?
• Coordinate user ID practices with human resources:
  – Hirings (create new IDs)
  – Firings (delete all IDs)
  – Position Changes (change ID rights)
• Requires that the IS department maintain a list of all places where IDs are stored! Do you have this?
• Create an “ID Maintenance” form as part of the H.R. standard procedures? Require sign-off on AUP
• Create checks and balances in power such that no single individual can take a process from start to finish by themselves. Especially in regards to money (payroll, POs, etc.)
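Added example, not from the original presentation: a Python reconciliation of the H.R. roster against the account exports from every system that holds IDs. It covers the three events above (hirings, firings, position changes) by flagging IDs of terminated staff, IDs with no employee behind them, and rights that no longer match a person's role, and it flags any system holding IDs that is missing from the IS department's list. The roster, the systems, the accounts and the role-to-system mapping are all constructed sample data.

```python
# Added example (not from the deck): reconcile the H.R. roster against every
# place user IDs are stored, to catch leftover IDs after firings and position
# changes and to spot ID stores missing from the IS department's list.
# All names, systems and roles below are constructed sample data.

# Constructed H.R. roster: employee id -> (name, employment status, role)
HR_ROSTER = {
    "e100": ("Alice", "active", "teacher"),
    "e101": ("Bob", "terminated", "teacher"),      # fired last month
    "e102": ("Carol", "active", "payroll"),
    "e103": ("Dave", "active", "teacher"),         # moved from payroll to teaching
}

# The IS department's inventory of every system that holds IDs
ID_STORES = {"novell_nds", "student_info_system", "payroll_app"}

# Constructed account exports from each system: system -> {account: employee id}
# (None means the account is not tied to any employee record)
ACCOUNTS = {
    "novell_nds": {"alice": "e100", "bob": "e101", "carol": "e102", "dave": "e103"},
    "student_info_system": {"alice": "e100", "bob": "e101", "dave": "e103", "aide1": None},
    "payroll_app": {"carol": "e102", "dave": "e103"},
    "old_web_server": {"admin": None, "bob": "e101"},   # nobody listed this system
}

# Systems each role legitimately needs (assumed entitlement matrix)
ROLE_ENTITLEMENTS = {
    "teacher": {"novell_nds", "student_info_system"},
    "payroll": {"novell_nds", "payroll_app"},
}


def reconcile(roster, accounts, id_stores, entitlements):
    """Return findings keyed by type; each entry is a (system, account) pair
    except 'uninventoried', which lists systems absent from the ID store list."""
    findings = {"terminated": [], "unowned": [], "excess": [], "uninventoried": []}
    for system, accts in sorted(accounts.items()):
        if system not in id_stores:
            findings["uninventoried"].append(system)
        for acct, emp in sorted(accts.items()):
            if emp is None or emp not in roster:
                # no employee behind this ID: shared, stale or unknown account
                findings["unowned"].append((system, acct))
                continue
            _name, status, role = roster[emp]
            if status != "active":
                # firings: every ID must be removed from every store
                findings["terminated"].append((system, acct))
            elif system not in entitlements.get(role, set()):
                # position changes: rights that no longer match the role
                findings["excess"].append((system, acct))
    return findings


def report(findings):
    """Render findings as the checklist a technician would work through."""
    lines = []
    for kind, items in findings.items():
        for item in items:
            where = item if isinstance(item, str) else f"{item[0]}/{item[1]}"
            lines.append(f"{kind:13} {where}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(reconcile(HR_ROSTER, ACCOUNTS, ID_STORES, ROLE_ENTITLEMENTS)))
```

The account exports are the part that costs real effort in practice: each system on the list needs a repeatable way to dump its IDs, and a system that cannot be exported is exactly the one that ends up like the "old_web_server" entry, holding an ID for someone who left months ago.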
Acceptable Use Policies
• Should be well-plowed ground for most school districts, so we’ll just touch on it
• Provides guidance and expectation setting on what behavior is acceptable and unacceptable
• Should apply to both students and staff
• Should use “implicit deny” language
• Should state that all equipment is the property of the district and may be monitored at any time
• Should require sign-off on the part of users to document that they have read it and agree with the requirements
• Should address password security
• Should address information privacy standards such as the treatment of confidential data (special ed records, etc.)
Warning Banners
• Use warning banners when possible
• Functions somewhat like an AUP, and can contain the AUP itself (or items of it)
• Can provide additional legal ammunition in the event that something needed to go to court
• Should be placed on public servers (web server, e-mail servers, etc.) and on local workstations
• Should contain three distinct statements:
  – Definition of the appropriate use of the resource
  – Warning that the system is monitored
  – That there is no expectation of privacy
• http://www.ciac.org/ciac/bulletins/j-043.shtml
Formal I.S. Staff Security Responsibilities
• Security takes time! If nobody is given sufficient time to keep up with security, it will never happen
• The buck must stop somewhere. Who is responsible for it?
• Define explicit security responsibilities for one or more staff members such as firewall maintenance, log review, server patching, etc. (good on a resume)
• Document these responsibilities and how they are done – this will help in the case of a vacation or staff change (hit by a bus or wins the lotto, you choose)
• Provide tools and training opportunities (such as SANS, or Microsoft for K-12 security training)
• Put it in the budget!

Formal Employee Security Responsibilities
• Every computer user has responsibilities they must live up to (or not use the computers)
• For example – don’t share passwords, don’t write passwords on sticky notes, don’t use your last name as your password, etc.
• Information privacy – don’t store confidential information in an inappropriate place
• Don’t let student aides log into the student information system to enter grades
• Don’t let students use a teacher ID
• This and more needs to be in the AUP and also reinforced!

Incident Response Plans
• Have a plan in place on how to respond to security incidents before it happens
• May be different for student discipline vs. external hacks
• It is better to plan ahead than to figure it out when you are under stress
• What are the criteria for alerting superiors?
• What are the criteria for alerting law enforcement?
• Who will be responsible for responding?
• How will the response be escalated?
• What type of documentation will you keep?
Change Control
• Change control is the process of requesting changes to systems, implementing and testing them, and documenting results
• Security can be improved through change control because it reduces error and improves availability
• Keep detailed records of before and after configurations
• Require approval of changes by another party to ensure that the change is appropriate, needed, and does not create problems
• Test changes on a non-production system prior to full implementation
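Added example, not from the original presentation: a minimal Python change-control record for the steps above. It holds the before and after configuration, produces the diff to file with the ticket, and refuses approval when no second party has signed off, when the requester approves their own change, or when the change was not tried on a non-production system first. The firewall rules, ticket number and names are constructed.

```python
# Added example (not from the deck): a minimal change-control record that
# keeps the before/after configuration, requires approval by a second person,
# and requires a test on a non-production system before the change is applied.
# The firewall configuration lines, ticket number and names are constructed.
import difflib
from dataclasses import dataclass


@dataclass
class ChangeRequest:
    ticket: str
    system: str                # production system the change is for
    requester: str
    before: str                # configuration as captured before the change
    after: str                 # proposed configuration
    approver: str = ""         # must be someone other than the requester
    tested_on: str = ""        # non-production host where it was tried first

    def diff(self):
        """Unified diff of before vs. after, the record kept with the ticket."""
        return "".join(difflib.unified_diff(
            self.before.splitlines(keepends=True), self.after.splitlines(keepends=True),
            fromfile=f"{self.system} (before)", tofile=f"{self.system} (after)"))

    def problems(self):
        """Reasons the change must not be implemented yet (empty when clean)."""
        issues = []
        if self.before == self.after:
            issues.append("no actual change recorded")
        if not self.approver:
            issues.append("no approver")
        elif self.approver == self.requester:
            issues.append("requester approved own change")
        if not self.tested_on:
            issues.append("not tested on a non-production system")
        elif self.tested_on == self.system:
            issues.append("tested only on the production system")
        return issues

    def approved(self):
        return not self.problems()


# Constructed sample: opening HTTPS on the border firewall
BEFORE = "allow tcp any -> 10.1.1.10 80\ndeny ip any -> any\n"
AFTER = "allow tcp any -> 10.1.1.10 80\nallow tcp any -> 10.1.1.10 443\ndeny ip any -> any\n"

if __name__ == "__main__":
    change = ChangeRequest("CHG-0001", "border-firewall", requester="mark",
                           before=BEFORE, after=AFTER)
    print(change.diff())
    print("blocked because:", change.problems())
    change.approver, change.tested_on = "jane", "lab-firewall"
    print("approved:", change.approved())
```

The diff is the "before and after" record the slide asks for, and the two approval checks are what make the separation of duties enforceable rather than a matter of habit.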
Security Awareness
• Staying abreast of the latest issues and solutions in security is critical
• Administrators must budget for and offer training opportunities to technical staff
• Administrators should require that technical staff be signed up for security listservs such as:
  – BugTraq / NT BugTraq (www.securityfocus.com)
  – Microsoft Bulletins (security.microsoft.com)
• Consider conducting regular internal trainings on security topics
• Consider ways to keep staff up to speed