480 likes | 603 Views
Fundamentals of e-Security. James Kerr Office of Technology Services June, 2005. Acknowledgements & Credit.
E N D
Fundamentals of e-Security James Kerr Office of Technology Services June, 2005
Acknowledgements & Credit Many thanks to Charles Morrow-Jones, Director of Network Security, Office of the CIO, and Steve Romig, Director of the OSU Incident Response Team. This presentation is based on their presentation, “CyberSecurity for Managers” presented in June, 2005. Fundamentals of e-Security
Goal • To help you understand some basics about information security • To give you some resources that will help you when you need to expand on this base Fundamentals of e-Security
Agenda • What and who are we worried about, and why? • What can you do about it? • How are incidents detected and handled? Fundamentals of e-Security
C.I.A. The University’s entire information processing environment rests on the assumption that we have: • Confidentiality-prevent unauthorized disclosure (Threat: unauthorized access) • Integrity-ensure accuracy and authenticity (Threat: altered, deleted, or added data) • Availability-ensure that information and systems are there when we need them (Threat: Denial of service) Fundamentals of e-Security
Other Concerns • Liability: someone can use our computers to do bad things that leave us with the liability • Reputation: security issues can make us look bad, affecting parental trust, recruiting • Legal: a growing body of law requires that we do certain things to secure our systems (FERPA, HIPAA) • Financial: security issues cost money, directly or indirectly • Traceability, auditability: bad things happen, and you need to find out what and why (and sometimes who) Fundamentals of e-Security
Exercise A bad day at the Wild West University… Two press releases describing the loss of private information from a university’s system: Fundamentals of e-Security
Initial Report ‑‑ March 5, 2003, 10:00p.m. On Sunday, March 2 at 7:20 p.m., computer systems personnel at WWU discovered a computer malfunction. The affected computer system was immediately shut down, and detailed analysis was begun. What happened? The malfunction was assessed to be the result of a deliberate attack from the Internet. Subsequent analysis revealed that a security weakness in an administrative data reporting system was exploited by writing a program to input millions of Social Security numbers. Those SSNs that matched selected individuals in a WWU database were captured, together with e‑mail address, title, department name, department address, department phone number, and names/dates of employee training programs attended. It is important to note that no student grade or academic records, or personal health or insurance information was disclosed. Is there evidence that the stolen data have been misused or disseminated? WWU, in conjunction with the U.S. Attorney's Office, the U.S. Secret Service, and other law enforcement agencies, has focused its efforts since Sunday evening on identifying the perpetrator(s) of the break‑in and recapturing the stolen data.. To date there is no evidence that the stolen data have been distributed beyond the computer(s) of the perpetrator(s).
What is WWU doing about this? WWU's highest priority has been to identify the source of the attack and to cooperate with law enforcement authorities to capture the perpetrator(s), and any associated computers and data. Our second priority will be to assess the extent of further data exposure ‑ if any ‑ and to establish a proactive communication program with affected individuals and the WWU community. How many individual records were exposed? Approximately 55,200 individuals had some of the above data exposed. This group includes current and former students, current and former faculty and staff, and job applicants. How will affected individuals be notified? The University is currently developing a communication plan and will contact affected individuals as soon as possible. At this juncture, there is no evidence that the data have been further exposed or misused. To send a comment or question to the WWU Incident Response Team, please e‑mail datatheft@its.wwu.edu (do not send your Social Security number in any e‑mail message). WWU regrets this incident and commits to do whatever is required to ensure the integrity of the data of all our past and present colleagues. <signed> Vice President for Information Technology, Wild West University
Data Theft Update (October 2003) The Wild West University regrets that one of its administrative databases was breached in March by a deliberate attack through the Internet. Thousands of names and Social Security numbers were illegally accessed and downloaded to a personal computer. Fortunately, it appears that prompt action by the Travis County District Attorney's Office, the U. S. Attorney's Office, and the U. S. Secret Service has secured the stolen data before they could be misused or further disseminated. A WWU undergraduate student suspected of the crime was arrested by the U.S. Secret Service on March 14. His computer and related paraphernalia were seized and are being analyzed by the Secret Service. Although the security breach and related charges facing the suspect are indeed serious, the U.S. Attorney's Office has stated officially, "At this point, there is no indication that the stolen data was further disseminated or used to anyone's detriment.“ As of October 2003, the University has successfully contacted 92 percent of the individuals known to be affected by the data theft incident, and continues its efforts to reach the remaining affected population. The University is doing everything it can to ensure the security of personal information. An underlying issue that has received attention is the University's use of the Social Security number as the unique identifier for students, faculty, staff, and other affiliates, a practice that is widespread in universities and elsewhere. The University launched a project in 2001 to migrate database systems and services to a different identifier, and important progress has been made, but the breached system continued to rely upon SSN inputs.
Questions to Discuss 1) What CIA principles were violated? 2) What other concerns did this attack raise? 3) If your information had been exposed, what would you do? 4) How much would this incident concern you if you were not affected? Would your relationship to the university matter? 5) Based on this information how would you evaluate WWU's communications to users? 6) Can you think of any similar “lurking time bombs” at OSU?
Terminology • Scan: probing through the network to find vulnerable systems • Vulnerability: a weakness that might be exploited to do something “bad” • Exploit: using a vulnerability to gain access to a system Fundamentals of e-Security
Terminology, continued • Backdoor: hidden entrances to your system • Rootkit: tools used to hide an intruder’s presence • Virus, worm, trojan: old names for different sorts of “bad software”. Fundamentals of e-Security
Terminology, continued • Malware: new name for viruses, worms, trojans, adware, spyware. “MALicious softWARE” • Adware, spyware: “commercial” software that invades your privacy, displays pop-ups, and undermines your security. Fundamentals of e-Security
Terminology, continued • Bot: (short for robot) a computer running software that makes it part of a botnet, and allows others to control it remotely. • Botnet: a network of tens, hundreds, thousands, or tens of thousands of bots that can be used for scanning, exploiting, denial of service attacks, spamming, file sharing, and so on… Fundamentals of e-Security
Terminology, continued • Encryption: a way to make data unreadable by everyone except the intended recipients • Authentication: the act of identifying yourself to the computer • Two-factor authentication: authentication that uses something you have (a key, a token card) and something you know (a password, PIN) • Three-factor authentication: authentication that uses something you are (biometric scan, fingerprint, retina scan, voice print) something you have (a key, a token card) and something you know (password, PIN) Fundamentals of e-Security
Terminology, continued • Authorization: rights granted to a person (or a program, computer, etc) for some object (such as data in a database, login to a network) • Jkerr is authorized to login on this computer, but not on that one. • Jkerr is authorized to read this data, but not modify or delete it. Fundamentals of e-Security
Who are we worried about? • Teenagers • A large number of attacks are perpetrated by teenagers • They have high interest in computers • They have lots of free time • Their morals aren’t quite fully developed • No perceived danger to themselves • “script kiddies” • Goals include • Just playing around; learning • Gaining social stature in the “computer underground” • Support their passion (file sharing, denial of service, see social stature) Fundamentals of e-Security
Who are we worried about? • Organized Criminals • Goals: $$$ for spam, denial of service, identity theft, espionage, harassment • Botnets are a real business now-for spam, denial of service attacks, and building other botnets • They are high-risk operations, and more motivated to use sophisticated tools and techniques to hide their tracks Fundamentals of e-Security
Who are we worried about? • Unorganized criminals • Disgruntled employees (are the rest of us gruntled?) • Other individuals doing criminal things • Feb. 5, 2005 (Sophos news) – a 24-year old former AOL employee has pleaded guilty to stealing a list of 92 million email addresses of the ISP’s customers and selling it to spammers for $28,000 (=$0.0003 per address) Fundamentals of e-Security
Who are we worried about? • Legitimate users • People doing things that unintentionally put systems at risk, typically through experimenting with game servers, file sharing, web servers, instant messaging, etc. • People who carelessly click on email attachments, approving dialogue boxes that ask whether it’s OK to install extra software, respond to phishing attacks, and so on… Fundamentals of e-Security
C.Y.A. • Because we are concerned about C.I.A. (and the other issues) we need to secure our systems, networks, and data. • Step 1: identify assets (data, services, etc) • Step 2: identify threats (C.I.A.) for each asset • Step 3: identify controls to protect our assets from these threats Fundamentals of e-Security
Physical Security • Provides for the protection of property, personnel, and facilities from illegal or criminal acts, and/or environmental disruptions • Physical security plan should be created that deals with control of access to the building or office • Plan should also address responses to environmental problems Fundamentals of e-Security
Physical Security, continued • Look at what you are trying to protect, and who or what you are trying to protect it from, then decide how much security is required. • Physical security is the first line of defense against the exploitation of computer systems • 70% of data theft is physical theft, usually by stealing a physical device. • Physical security should make device theft as difficult as possible. Fundamentals of e-Security
Physical Security, continued • Access control at doors • Physical locks or authorization (something you have) to access systems, especially laptops • Key control-janitorial access, master keys Fundamentals of e-Security
Laptop/PDA Security • Consider the worst case scenario: laptop is stolen • You don’t have access to whatever was on it • They do • Do you have backups? • Was sensitive data encrypted, including e-mail? (SSNs, student grades, think FERPA) Fundamentals of e-Security
Laptop/PDA Security, continued • Apple Mac OS X supports the “file vault”, which automatically encrypts files. This should be turned on (off by default). • Windows 2000 and XP support EFS, the “Encrypting File System”. This should be turned on (off by default). Fundamentals of e-Security
Account Security • Don’t share your accounts or passwords • Use “good” passwords • Use different passwords on different systems • Change your passwords • Lock your screen Fundamentals of e-Security
“Good” Password Habits • Change every 60-90 days • Use all available characters • Memorize, don’t write • Bad: 1234, <first name> i.e. jim, buckeye, osu, brutus, lima, password • Good: 1Gin+2Tonic • Good: 47adFb2m Fundamentals of e-Security
Data Security • Essential to Confidentiality and Integrity • Regulatory environment-FERPA and student information • Involves protecting data in transit, as well as in storage • Often requires encryption of the data Fundamentals of e-Security
People Security • Background screening as part of the hiring process • Termination best practices: • Remove their access • Dispossess them of sensitive materials • Repossess important materials (latest version of their projects) Fundamentals of e-Security
People Security, continued • Questions to ponder: • Do you know what access each employee has, including remote access? • Can you guarantee they haven’t set up back-doors, especially if they were disgruntled before they left? • Do you have policies about sensitive materials at home, backups, etc? Fundamentals of e-Security
People Security, continued • Social engineering-techniques that rely on weaknesses in humans rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system’s security Modified from The Jargon File, version 4.7.7 Fundamentals of e-Security
Phishing example Mis-spelled words F.U.D. Fundamentals of e-Security
Phishing example <a href= "http://www.paypallk.com:680/paypal.php" style="font-family: monospace; font-size: 10pt;">Click here to confirm your account</a> See PayPal site page on security Fundamentals of e-Security
Social engineering example • How could a person get tricked into giving out a password over the phone? • Much easier than you think! Fundamentals of e-Security
Social engineering example • “Hi-this is Jim from Tech Services. We noticed that your network segment is down, and we’d like to try your login to verify it. What’s your password?” • “This is Andrew from Technology Services. Your mail spool on the server is blocked, and we need your password to clear it.” Fundamentals of e-Security
What can I do? • Lock it down! • Auto-install OS updates • Install and use anti-virus and anti-adware/spyware software • Personal firewall (OS X & Windows XP built-in) • Backups! • Use good password practices Fundamentals of e-Security
What else can I do? • Use a browser other than Internet Explorer, i.e. Firefox. • Use a locking screensaver • Don’t use Instant Messaging clients • Cautiously use e-mail attachments • Don’t use password hints • Disable automatic logins • Apply paranoia as necessary Fundamentals of e-Security
What does Technology Services do? • Lima OTS and Columbus Network Security (division of OIT) actively scan network hosts for vulnerabilities • Lima OTS and Columbus Net Security actively monitor network traffic for suspicious activity Fundamentals of e-Security
What does Technology Services do? • Centralize Microsoft OS patches and hotfixes • Centralize McAfee virus scan updates • Filter e-mail for spam and viruses • Authentication • Columbus blacklisting • Firewall for Lima network Fundamentals of e-Security
Firewall • Restricts access to network services, in and out • Personal (host) and network Image courtesy of INetU Managed Hosting http://www.inetu.net/services/firewalls.php Fundamentals of e-Security
What is coming next? • Best Practices for passwords • Minimum password length • Complexity requirements • Rotation change enforcement • Encrypted remote access • Two-factor authentication for laptops • Something you have • Something you know Fundamentals of e-Security
F.A.Q. • How can I tell when I’ve been infected? • Unusual slowdown • Unexpected crashes, strange errors • Mouse movement or typing without you-”posessed” • OIT security blacklists-no Internet access off-campus • What do I do? • Turn it off! • Report it to Technology Services • Don’t try to backup now, it’s too late. You may spread contamination. Fundamentals of e-Security
F.A.Q. • What do you do with an infected/compromised computer? • Attempt disinfection/repair if it’s a known threat with proven recovery • Most often complete “rebuild” of the computer • Clean and repair data files Fundamentals of e-Security
Useful Resources • Lima Technology Services • http://lima.osu.edu/ots • Columbus OIT Network Security • http://www.net.ohio-state.edu/security • CIO Policies • http://cio.osu.edu/policies/policies.html • Network Policies • http://www.net.ohio-state.edu/OSUNet/policies.html Fundamentals of e-Security
Useful Resources • OSU Site Licensed Software • http://osusls.osu.edu • Spybot Search & Destroy • http://www.spybot.info • General Spyware Information • http://www.getnetwise.org • FERPA and OSU • http://www.registrar.ohio-state.edu/ourweb/more/Content/ferpa.pg1.html • Phishing • http://www.antiphishing.org/phishing_archive.html Fundamentals of e-Security