Analysts International
Wireless, Remote Users and Corporate Policy
AGA / IIA / ISACA
Tuesday, April 22nd, 2003

Introductions
• Mark Lachniet from Analysts International, Sequoia Services Group
• Senior Security Engineer and Security Services technical lead
• Former I.S. director for Holt Public Schools
• Certified Information Systems Security Professional (CISSP)
• Microsoft MCSE, Novell Master CNE, Linux LPI Certified LPIC-1, Check Point Certified CCSE, TruSecure TICSA, etc.
Agenda
• This will be a brief overview of some issues
• Common remote access scenarios
  • VPN / RAS dial-up
  • Wireless LAN/WAN
• Security risks with remote access
  • Network-related
  • Workstation-related
  • Access on the road (kiosks, airplanes, etc.)
  • Wireless-specific risks
• Remote access security policy
  • Technical
  • Procedural (e.g. ISO 17799 / BS 7799)
• Products and services for remote users
• Round table – Q&A – Brainstorming
Common Remote Access Scenarios – VPN User
• Remote VPN users access the corporate network from home across DSL or cable modem connections
• Typically connect to dedicated VPN concentrators
• Access internal resources, file/print, servers as if on the LAN

Common Remote Access Scenarios – Wireless
• I am personally of the opinion that wireless users should be treated as “untrusted” users, just the same as Internet users
• Thus, one solution is to require usage of a VPN for wireless users for security and accountability
• That said, I will use wireless and VPN users interchangeably
Common Remote Access Scenarios – VPN User
• Ideally, the data will be encrypted to keep it confidential (a requirement for any Internet access)
• All users should be authenticated:
  • To their own laptop (to protect VPN configuration settings from compromise – these are sensitive!)
  • On the VPN concentrator
  • For any/all internal resources
• Two-factor authentication should be mandatory (biometrics, SecurID preferred!)
• Access across the VPN should be restricted to only those resources that they need to do their job, not the entire corporate network (use firewalls or filtering policies on VPN terminators to do this)
Creating an Audit Trail
• All network activity and authentications should be logged to create an audit trail:
  • On the VPN termination device
  • On the internal file/print servers
  • On the remote user’s laptop or workstation
  • Within critical applications (especially ones that manage $$)
• Log review must be performed regularly, must be formally part of someone’s job description, and must have time set aside for it
• Giving remote access to any user is tantamount to giving them a direct WAN link to your network (note – it may not be limited to one computer, either)
• This means that remote users’ workstations should be company property and subject to its rules and regulations
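Logging is only an audit trail if someone actually reviews it. The following is an added example (not from the presentation) of the kind of automated first pass a log reviewer would run over VPN concentrator authentication records: it flags bursts of failed logins, successful logins outside working hours, and a user who logs in from a second source address while a recent session may still be up. The log format, user names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed (hypothetical) concentrator format:
# "<date> <time> <user> <AUTH_OK|AUTH_FAIL> <source-ip>"
SAMPLE_LOG = """\
2003-04-21 08:02:11 alice AUTH_OK 203.0.113.7
2003-04-21 08:03:40 bob AUTH_FAIL 192.0.2.3
2003-04-21 08:03:44 bob AUTH_FAIL 192.0.2.3
2003-04-21 08:03:49 bob AUTH_FAIL 192.0.2.3
2003-04-21 08:03:53 bob AUTH_FAIL 192.0.2.3
2003-04-21 08:04:01 bob AUTH_FAIL 192.0.2.3
2003-04-21 08:50:00 alice AUTH_OK 198.51.100.9
2003-04-21 23:40:12 carol AUTH_OK 203.0.113.44
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (AUTH_OK|AUTH_FAIL) (\S+)$")

def parse(log_text):
    """Turn raw log lines into (timestamp, user, result, source_ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def review(events, fail_threshold=5, fail_window=timedelta(minutes=2),
           work_hours=(7, 19), session_guess=timedelta(hours=1)):
    """Return (finding, user, source_ip) tuples worth a human's attention."""
    findings = []
    fails = defaultdict(list)   # user -> timestamps of recent failures
    last_ok = {}                # user -> (source_ip, time) of latest successful login
    for ts, user, result, ip in sorted(events):
        if result == "AUTH_FAIL":
            recent = [t for t in fails[user] if ts - t <= fail_window] + [ts]
            fails[user] = recent
            if len(recent) >= fail_threshold:      # password guessing burst
                findings.append(("brute_force", user, ip))
                fails[user] = []
            continue
        if not work_hours[0] <= ts.hour < work_hours[1]:
            findings.append(("off_hours", user, ip))
        # No logout records in this format, so treat a login from a different
        # address within session_guess of the previous one as a possible shared/stolen credential.
        if user in last_ok and last_ok[user][0] != ip and ts - last_ok[user][1] < session_guess:
            findings.append(("concurrent_source", user, ip))
        last_ok[user] = (ip, ts)
    return findings
```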
Problems with Remote Access
• Once connected to the internal LAN, viruses, worms, attacks and other malware can reach the internal network, bypassing the firewall, virus filters, etc.
• The same security measures used inside the network need to be employed, and then some more on top of it
• Note: this is the same problem we have with vendors and partners who connect to your network!

Problems with Remote Access: Split Tunneling and Trojans
• Split tunneling – allowing both corporate network access and Internet access simultaneously
• This may allow a hacker to “leapfrog” into the corporate WAN

Problems with Remote Access: Split Tunneling and Trojans
• This could be done in real time by planting a remote control program such as VNC or Terminal Services
• Even if split tunneling is disabled, a user could be hacked while *not* on the corporate VPN and a Trojan could be installed
• Trojans could be used to:
  • Record keystrokes (passwords, emails, etc.)
  • Sniff the network for passwords
  • Remotely run programs and scripts
  • Spread worms / viruses or hack through the VPN to the internal net
  • Capture pictures, audio from the workstation, etc.
• Hence, all remote workstations need to have controls in place
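Whether split tunneling is in effect is decided by the client's routing table: with a full tunnel the default route points at the VPN interface, with split tunneling only the corporate prefixes do. The check below is an added example, not from the presentation, that applies longest-prefix matching to a routing table and reports split tunneling when a corporate host and an arbitrary Internet host leave through different interfaces. The tables, interface names ("tun0", "eth0") and addresses are constructed; in practice the table would be read from the client's `route print` or `netstat -rn` output.

```python
import ipaddress

# Constructed routing tables as (destination network, egress interface).
SPLIT_TUNNEL_TABLE = [
    ("0.0.0.0/0", "eth0"),        # default route stays on the home DSL/cable link
    ("10.0.0.0/8", "tun0"),       # only corporate prefixes go through the VPN
    ("192.168.1.0/24", "eth0"),   # home LAN
]
FULL_TUNNEL_TABLE = [
    ("0.0.0.0/0", "tun0"),        # everything is forced through the VPN
    ("192.168.1.0/24", "eth0"),   # home LAN
    ("203.0.113.5/32", "eth0"),   # host route to the VPN concentrator itself (must bypass the tunnel)
]

def egress_interface(table, destination):
    """Longest-prefix match: the most specific matching route wins, as in a real routing table."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, iface in table:
        network = ipaddress.ip_network(net)
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface)
    return best[1] if best else None

def split_tunneling_enabled(table, tunnel_iface, corp_host, internet_host, concentrator_ip):
    """True when Internet traffic bypasses the tunnel while corporate traffic uses it.
    The concentrator's own address legitimately bypasses the tunnel, so it is excluded."""
    if ipaddress.ip_address(internet_host) == ipaddress.ip_address(concentrator_ip):
        raise ValueError("pick an Internet host other than the VPN concentrator")
    if egress_interface(table, corp_host) != tunnel_iface:
        raise RuntimeError("corporate host is not routed via the tunnel; is the VPN up?")
    return egress_interface(table, internet_host) != tunnel_iface
```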
Technical Controls for Remote Access Workstations
• Do not give admin privileges to end users:
  • Will make it harder for a Trojan to be installed
  • Will make it harder for anti-virus and personal firewall software to be disabled
• Ensure that anti-virus is installed and up to date on all end machines
• Use personal firewall software (ZoneAlarm, Norton, etc.) and block incoming connections by default
  • This protects the user from attacks, while on the VPN and while on the Internet in general
• Don’t allow connection-sharing software or devices

Enterprise Security Products: “Zone Labs Integrity”
• This is a randomly selected example of a product that can help to enforce technical policies enterprise-wide
• A centrally-managed solution for remote users
• Enforces policies, with provisions for users, groups, connection type (wireless, VPN, etc.)
• Can integrate with existing user management systems (Windows, LDAP, RADIUS, etc.)
• When integrated with a supported VPN concentrator (Cisco 3000 series), can ensure that policies are complied with before allowing VPN access:
  • Software is up to date
  • Antivirus is enabled and up to date
  • Personal firewall software is configured and enabled
• Should also be used with wireless users

Technical Controls for Remote Access Workstations
• Do not allow modems in remote user workstations
  • In case PC/Anywhere or another remote desktop software package is installed
• Use encryption for sensitive data on the workstation
  • Windows Encrypting File System (EFS) is one option that provides for centralized key recovery
  • Note that Windows EFS can be compromised by resetting the user’s password (and may have other issues as well)
  • Use folder encryption software such as PGP (pgp.com)
  • Use full-disk encryption software to protect the whole hard drive (winmagic.com or similar)
  • Use removable media for sensitive data, and keep it on your person (many people use USB flash drives or tokens for this purpose)
Data Remnants on Hard Drives
• A recent article entitled “Remembrance of Data Passed: A Study of Disk Sanitization Practices” had some scary findings
• It found that even data that the prudent man would think is adequately sanitized (i.e., formatted or deleted) could be easily recovered
• Since remote users’ workstations are difficult to control, removal of sensitive data is critical – there needs to be a plan for how systems will be decommissioned prior to disposal or sale
• If it were found that your organization did not have an adequate plan to remove sensitive information (especially in the finance and health care industries), you could be subject to costly litigation, especially with the new HIPAA and privacy laws

Data Remnants on Hard Drives: Some Findings
• In August 2002, the U.S. Veterans Administration Medical Center in Indianapolis retired 139 computers
  • These were later found to contain highly sensitive information such as the names of veterans with AIDS and mental health problems, and 44 credit card numbers
• In April 1997, a woman in Nevada purchased a used IBM computer for $159 and discovered that it contained prescription records of 2,000 patients
  • Included in this were prescriptions for AIDS, alcoholism and depression
• What is your “worst case scenario”? How much could it cost you (in $$ and reputation) to have this happen?
Consumer Personal Encryption
• One product that can be used is the “Authenex” token, bundled with “Personal Privacy 2.0” (see http://www.authenex.com)
• This product is affordable enough for consumers ($29.99 at CompUSA or TigerDirect.com)
• Makes use of AES encryption with a secret password to secure files or folders on a machine (for example c:\audit)
• Is two-factor authentication, and requires both the token (a USB dongle) and a password to decrypt the folders
• Thus, if the laptop is stolen, it would be necessary to have the token and guess the password (which must be typed by hand, thus probably too difficult for brute-force attacks)
• This is not a recommendation, just an example. It is not known how secure this device is in practice, and there are certainly ways around it (such as a key logger)

Two-factor Authentication
• These types of programs can also be used with VPN clients, to authenticate to Windows domains, store keys for web sites, etc.
• Like most two-factor authentication systems, this requires the use of a dedicated authentication server (usually running RADIUS authentication)
Data Wiping Guidelines
• To combat the risk of unprotected data being compromised, *all* media should be wiped before being decommissioned or disposed of
• This includes:
  • Floppy / ZIP / JAZ / any removable disks
  • Tapes, DAT, DLT, etc.
  • Hard drives, anything else
• DOD 5220.22-M speaks to this at http://www.dss.mil/isec/nispom.htm
• Essentially, you need to over-write *all* data with 1’s and 0’s several times to remove remnant data, including slack space – there are products that do this
• Even this can be beaten with a technique called Magnetic Force Microscopy, but only incredibly well-funded organizations can afford to do this
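The two slides above on data remnants and on wiping make one point between them: a delete or format removes the directory entry, not the data blocks, so only an overwrite of every byte removes the record. This added example (not from the presentation) models that on a temporary file standing in for a disk image: it "deletes" a constructed patient record by clearing only the simulated directory entry, shows the record is still findable by a raw scan, then overwrites the whole image in several passes (zeros, ones, random) and checks again.

```python
import os
import secrets
import tempfile

# Constructed sample record; nothing here is real patient data.
RECORD = b"PATIENT: J. DOE  RX: sample prescription (constructed)"

def make_image(path, size=64 * 1024):
    """Create a zero-filled 'disk image' and store the record in its data blocks."""
    with open(path, "wb") as f:
        f.write(b"\x00" * size)
    with open(path, "r+b") as f:
        f.seek(4096)            # pretend the file's data blocks start here
        f.write(RECORD)

def logical_delete(path):
    """Model an ordinary delete/format: only the simulated directory entry
    (first 512 bytes) is cleared; the data blocks are left untouched."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * 512)

def remnants_present(path):
    """What a raw scan of the media (not the file system) would find."""
    with open(path, "rb") as f:
        return RECORD in f.read()

def wipe(path, passes=(b"\x00", b"\xff", None), block=4096):
    """Overwrite every byte of the image once per pass (None = random data),
    forcing each pass to disk, then confirm the record is no longer findable."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            for off in range(0, size, block):
                n = min(block, size - off)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
            f.flush()
            os.fsync(f.fileno())
    return not remnants_present(path)

def demo():
    """Returns (record survived the delete?, wipe verified clean?)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        make_image(path)
        logical_delete(path)
        survived_delete = remnants_present(path)   # True: a "deleted" record is still on the media
        wiped_clean = wipe(path)                   # True: gone only after overwriting every byte
        return survived_delete, wiped_clean
    finally:
        os.remove(path)
```

Overwriting in place like this only sanitizes media that writes where it is told to; journaling file systems and remapped sectors can keep copies elsewhere, so real disposal wipes the whole device rather than individual files.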
Access Problems on the Road
• Net access is everywhere: hotels, libraries, coffee shops, box seats at sporting events, etc.
• However, these workstations are inherently insecure and should not be used!
• In addition to things like key loggers, a lot of data is left behind on the workstation that could be found
  • Examples include temporary files, passwords stored in memory (sometimes therefore in the swap file) and others
• Using an unknown network is also risky – wireless or Ethernet – because you don’t know if they have any security, and they may be monitoring your transmissions
• If you must use one of these systems, at least make sure that your connections are encrypted (VPN, SSL, SSH, etc.)

The $59 KEYkatcher
• The hardware key logger – no need to install any software whatsoever
• Could be placed on a public access terminal, log a few passwords, and then be removed
• Might also be placed on remote access laptops or workstations
• Only $59 each from TigerDirect.com
Wireless Issues – Ease of Use
• Refers primarily to WLAN 802.11 (a/b/g) devices, although other devices also have issues (CDMA, older 2.4 GHz devices such as Proxim)
• Wireless is a particular risk to organizations because it is incredibly inexpensive, easy to obtain and easy to configure (even by non-technical people)
• Also at issue is that the default configuration is very insecure, and is the most common configuration
• Underlying the issue of wireless is *control* (or lack thereof) – you cannot easily maintain a physical “zone of control” with wireless as you can with other systems. Your signal may go a *long* way
• Wireless can also be difficult for the “good guys” to track down – it is sometimes hidden in ceiling tiles, etc., and tools to physically locate them are immature

Wireless Issues – Encryption
• WLAN products were developed with an encryption system known as WEP (Wired Equivalent Privacy)
• Unfortunately, there have been problems found in the implementation of the WEP protocol, such that it cannot be trusted for critical applications
• WEP, while not infallible, should be used anyway because it makes it that much more difficult to hack
• Software packages such as AirSnort have been created specifically to analyze wireless network traffic and obtain the WEP encryption key
• In general, an additional layer of encryption should be used for wireless users, either through VPN services or through a proprietary commercial system
• Note: VPN usage has some issues – especially roaming, distribution and maintenance of VPN software, and ease of use (i.e., no instant access for traveling executives or guests)
Wireless Issues – Authentication
• Encryption, while protecting data in transit, does not prove who the user is
• To do this, we need to add some conventional authentication (username / password, or two-factor) to the mix
• This needs to occur from the client to the access point, and from the AP to the client
• One risk is that of “rogue access points” that are put into place by hackers, and trick you into logging on through them, possibly stealing your password at the same time
• To my knowledge, the best means of doing this right now is through the 802.1X standards

802.1X Systems
• While still relatively new, 802.1X seems to be the direction that both wireless and wired security systems will be using
• Read a whitepaper at: http://www.nwfusion.com/research/2002/ilabswhitepaper1.doc
• 802.1X is a relatively open framework that is coupled with EAP (Extensible Authentication Protocol)
• Historically, we had PPP, which was good for dial-up connections. This was then applied to Ethernet connections (PPPoE, à la some DSL / cable modem systems), and then applied to wireless LANs
• In addition to providing for strong authentication of all parties, it also provides for some handy features such as:
  • Automated changes in WEP keys
  • Assigning a user to a VLAN
  • Forcing an authentication timeout

Wireless Issues – Wardriving
• Another problem to worry about – “wardriving”
• Just load the software, buy or build a good antenna, and find access points to your heart’s content
• Will grab long / lat from a GPS for later hacking
• “Warchalkers” may mark your building as vulnerable for others
Policies and Procedures: ISO 17799 / BS 7799
• The British Standard 7799 / ISO 17799:2000 documents give some good guidelines in section 9.8.2 – mainly to perform a study:
  • Analyze the physical security of the remote user’s location. Are the assets protected from theft?
  • Is there a significant threat of unauthorized access from others – family, friends, etc.?
  • Do you wish to set guidelines such as how and when the remote access can be performed?

Policies and Procedures: ISO 17799 / BS 7799
• How will the workstation be supported (tech support, patches, etc.)?
• How will the data on the workstation be backed up? What are the disaster recovery implications?
• How will events on the workstation be audited? How will security be monitored?
• How will the company revoke the access rights and hardware in the event that the employee leaves the company?
Policies and Procedures: Training and Acceptable Use
• Providing training and guidelines on appropriate behavior is essential – most people just don’t know!
• There needs to be an Acceptable Use Policy that details the appropriate usage of company resources (both on-site and remote)
• Should users have to sign off on a policy before being granted remote access? (yes)
• Are there any mandatory standards for the classification and handling of data on the machine? Is encryption required? Must sensitive files be stored on removable media? How is it disposed of?
• What about printed records that are outside of the physical control of the corporation? Do you need a clean desk policy, rules for locking up documents?

Policies and Procedures: Training and Acceptable Use
• Are there requirements on the installation of software? Who can do it? How is it monitored and maintained?
• Is use of the laptop or other computer equipment for personal purposes allowed?
• Should users have the expectation of privacy? Are their machines monitored?
• Is there insurance coverage for theft or damage to the equipment?
• Do workstations need to have mandatory password-enabled screen savers that lock the console?

Policies and Procedures: Internal I.S. and H.R.
• How is ID maintenance going to be done?
• Are HR and IT talking about hires, fires and how they relate to ID maintenance?
• How will you quickly revoke all remote access in the event that you need to? (i.e., an active hack attack)
• Is there a formal procedure in place so that no points of access are missed when revoking user access?
• Is there a list of all the places where a user has an ID and password?
• Is there a list of all hardware, software and information that needs to be retrieved at the end of use by the employee?
• How will you update encryption keys, software, etc. as they are used over time?
Q&A and Brainstorming
Mark Lachniet, Sr. Security Engineer
CISSP, MCNE, MCSE, CCSE, LPIC-1, TICSA
Analysts International - Sequoia Services
3101 Technology Blvd. Suite A
Lansing, MI 48910
phone: 517.336.1004
fax: 517.336.1004