IT Security Julie Schmitz James Mote Jason Tice
Agenda • Overview of basic IT security • Human Resources Command-St. Louis • Inside Financing • Recommendations and Best Practices • Closing and questions
IT Security Defined • “Broadly speaking, security is keeping anyone from doing things you do not want them to do to, with, or from your computers or any peripherals” -William R. Cheswick
IT Security Overview • Intruders - hackers and crackers • Insiders – fraud case at Financing • Criminals • Online Scam artists • Terrorists
IT Security Overview • Hacker • Person who enjoys exploring the details of programmable systems and how to stretch their capabilities • Hackers tend to view themselves as very knowledgeable computer programmers, sometimes to the point of arrogance • A true hacker will look for weaknesses in a system and publish them Source: FBI Cyber Task Force
IT Security Overview • Cracker • One who breaks security on a target computer system • The term was coined by hackers around 1985 in defense against the journalistic misuse of the term “hacker” • Tend to never disclose their findings Source: FBI Cyber Task Force
How does a Hacker Affect You? • Michael Buen and Onel de Guzman • Both are suspected of writing the “I Love You” virus • David L. Smith • Melissa virus author • Released March 26, 1999 • Caused an estimated $80 million in damages Source: FBI Cyber Task Force
IT Security at your Office • Social Engineering • Denial of service attacks (DoS) • E-mail bombs • Password cracking • Web spoofs • Trojan, worm, virus attacks • Antivirus tools Source: FBI Cyber Task Force
Social Engineering • A con game played by computer literate criminals • Works because people are the weakest link in any security system Source: FBI Cyber Task Force
Denial of Service • Prevents users from using a computer service. • A type of DoS attack involves continually sending phony authentication messages to a targeted server, keeping it constantly busy and locking out legitimate users • Ping attacks • DDoS attacks • Uses multiple computers to coordinate DoS attacks Source: FBI Cyber Task Force
Email Bombs • A type of denial of service attack • Email bombs involve sending enormous amounts of email to a particular user, in effect, shutting down the email system • Many spammers fall victim to this type of attack • No need to manually send email; downloadable programs will do it for you Source: FBI Cyber Task Force
Password Cracking • Involves repeatedly trying common passwords against an account in order to log into a computer system • Freely available “cracking” programs facilitate this process Source: FBI Cyber Task Force
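An added example (not part of the original slides) of how a defender can spot the repeated password guessing described above, and the flood of phony authentication messages from the Denial of Service slide, in authentication logs. The log format, the sample entries, and the window and threshold values are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source, account, result.
SAMPLE_LOG = """\
2004-11-01T09:00:00 192.0.2.10 jsmith FAIL
2004-11-01T09:00:05 192.0.2.10 jsmith FAIL
2004-11-01T09:00:09 192.0.2.10 jsmith FAIL
2004-11-01T09:00:14 192.0.2.10 jsmith FAIL
2004-11-01T09:00:31 192.0.2.10 jsmith OK
2004-11-01T09:02:00 198.51.100.7 mlee FAIL
2004-11-01T09:02:30 198.51.100.7 mlee OK
2004-11-01T10:00:00 203.0.113.5 acct01 FAIL
2004-11-01T10:00:01 203.0.113.5 acct02 FAIL
2004-11-01T10:00:02 203.0.113.5 acct03 FAIL
2004-11-01T10:00:03 203.0.113.5 acct04 FAIL
"""

WINDOW = timedelta(minutes=5)  # assumed sliding window
MAX_FAILS = 4                  # assumed alert threshold

def parse(log):
    for line in log.strip().splitlines():
        ts, src, user, result = line.split()
        yield datetime.fromisoformat(ts), src, user, result

def recent(q, now):
    """Drop failures older than WINDOW and return how many remain."""
    while q and q[0] < now - WINDOW:
        q.popleft()
    return len(q)

def analyze(log):
    by_user, by_src = defaultdict(deque), defaultdict(deque)
    report = {"guessed_accounts": set(), "noisy_sources": set(),
              "success_after_burst": set()}
    for ts, src, user, result in sorted(parse(log)):
        if result == "FAIL":
            by_user[user].append(ts)
            by_src[src].append(ts)
            if recent(by_user[user], ts) >= MAX_FAILS:
                report["guessed_accounts"].add(user)
            if recent(by_src[src], ts) >= MAX_FAILS:
                report["noisy_sources"].add(src)
        elif recent(by_user[user], ts) >= MAX_FAILS:
            # A success right after a burst may mean a guess worked.
            report["success_after_burst"].add(user)
    return report
```

Counting failures per source as well as per account catches a client that spreads its attempts across many accounts, which a per-account lockout alone would miss.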
Web Spoofing • “faking the origin” • The attacker creates a false or shadow copy of a reputable web site; all network traffic between the victim’s browser and the shadow page is sent through the attacker’s machine • Allows the attacker to acquire information such as passwords, credit card numbers, and account numbers Source: FBI Cyber Task Force
Trojan, Worm, and Virus • A Trojan program does not propagate itself from one computer to another • A Worm reproduces ITSELF over a network • A Virus, like its human counterpart, looks for ways to infect other systems or “replicate” itself (i.e., e-mail) Source: FBI Cyber Task Force
Trojans • Trojans are malicious files masquerading as harmless software upgrades, programs, help files, screen savers, pornography, etc. • When the user opens the file, the Trojan horse runs in the background and can cause damage to the computer system (hard drive damage, total access, username and password) Source: FBI Cyber Task Force
Virus • A program that replicates without being asked to • Copies itself to other computers or disks • Huge threat to companies Source: FBI Cyber Task Force
Antivirus Tools • Any hardware or software designed to stop viruses, eliminate viruses, and/or recover data affected by viruses • AV tools refer to software systems deployed at the desktop or on the server to eliminate viruses, worms, trojans, and some malicious applets • Should be used as part of a security policy Source: FBI Cyber Task Force
After the Incident • Identify means to avoid another attack • Download latest patches • Repair compromised systems • Re-educate users • Run anti-virus software • Stay alert for signs the intruder is still in your system • Log traffic data Source: FBI Cyber Task Force
The Facts on IT Security Budgets • 62 percent of technology officers feel no pressure to increase spending this year • 40 percent of their budgets will go toward preventing existing machinery from breaking • Systems security tends to go unfixed until proven broken • A simple firewall has become the ultimate security commodity • Don’t use ROI to configure IT security budget Source: FBI Cyber Task Force
Source: Federal Bureau of Investigation / Computer Security Institute – http://www.gocsi.com - viewed 11/4/2004
I.T. SECURITY BRIEF- HUMAN RESOURCES COMMAND ST. LOUIS
Human Resources Command St. Louis Historical Timeline • First established in 1944 at 4300 Goodfellow • First known as the Demobilized Personnel Records Branch after WWII • In 1956, moved to its present location, 9700 Page • In 1971, Reserve Components Personnel Center at Ft. Benjamin Harrison merged with St. Louis • In 1985, Army Reserve Personnel Center (ARPERCEN) was formed. • In 2003, organization was renamed to Human Resources Command (HRC) Source: https://www.2xcitizen.usar.army.mil/2xhome.asp - viewed 11/1/2004
Human Resources Command (HRC) St. Louis Overview • Supports or conducts the Human Resources Life Cycle for over 1.5 million customers • Workforce comprised of over 65% civilians, 30% Active Guard-Reserve soldiers, 5% Active Component soldiers • Of the military workforce, most officers are Majors (O-4) & most non-commissioned officers are Sergeants First Class (E-7s) • 65-acre facility located off Page Avenue • Total of Nine Directorates Source: https://www.2xcitizen.usar.army.mil/2xhome.asp - viewed 11/1/2004
Human Resources Command (HRC) Mission Statement • To provide the highest quality human resources life cycle management in the functional areas of structure, acquisition, distribution, development, deployment, compensation, sustainment and transition for all Army Reserve Soldiers, resulting in a trained and ready force in support of the national military strategy. • To provide human resource services to our retired reserve and veterans. Source: https://www.2xcitizen.usar.army.mil/2xhome.asp - viewed 11/1/2004
Information Assurance Office • Information Assurance Manager (Rank: Major) • IANCO (Rank: MSG) • Assistant IAM (Rank: CPT) • Civilian (GS-12): Information Tech & Sec Specialist • Civilian (GS-13): Deputy IAM • Civilian (GS-11): Information Tech & Sec Specialist • Civilian (GS-11): Information Tech & Sec Specialist Source: Information Assurance Office, Human Resources Command, St. Louis
Information Assurance Manager Duties • Major: Responsible for Overall IT Security • Master Sergeant: Verifies Security Clearances; Trng; Account Requests • Captain: Drafts & Submits Policy • GS-13: Updates Patches & ACERT Compliance • GS-12: System Security Authorization Agreement; Networthiness Certification • GS-11: Investigates Computer forensics; Backup for updates & patches • GS-11: Backup for Computer forensics; Trng; Account Req.; Verifies Sec. Clear. Source: Information Assurance Office, Human Resources Command, St. Louis
Information Assurance Defined • The protection of systems and information in storage, processing, or transit from unauthorized access or modification; denial of service to unauthorized users; or the provision of service to authorized users • Also includes those measures necessary to detect, document, and counter such threats • This regulation designates IA as the security discipline that encompasses COMSEC, INFOSEC, and control of compromising emanations Source: Army Regulation (AR) 25-2
Information Assurance Organization • Chief Information Officer, U.S. Army Reserve Command, Atlanta, Georgia • Information Assurance Officers - 11 Regional Support Commands • Information Assurance Officer - Human Resources Command-St. Louis Source: Information Assurance Office, Human Resources Command, St. Louis
In Order to Gain System Access • All Military must have a Security Clearance • Some civilians must have Security Clearance • Other civilians must have at least a National Agency Check (NAC) • All employees must submit a request for system access Source: Information Assurance Office, Human Resources Command, St. Louis
Common End User Problems • Pornography • Running Businesses • Unauthorized use of illegal software • Sharing of logons/passwords Source: Information Assurance Office, Human Resources Command, St. Louis
What Happens If You Get Locked Out? • Go to your local Information Mgmt personnel assigned to serve your directorate Source: Information Assurance Office, Human Resources Command, St. Louis
Main Concerns of IT Security • Information Security Training • Purchasing automation equipment without authorization • Computer left on 24/7 • Having a qualified Information Assurance Manager that is strict • Knowledge of the system Source: Information Assurance Office, Human Resources Command, St. Louis, MO; Information Assurance Officer, 63rd Regional Readiness Command, Los Alamitos, California
Anti-Virus Activity STOPPED AT GATEWAY 45,000 IN APRIL STOPPED AT DESKTOP Source: Information Assurance Office, Human Resources Command, St. Louis
Probes and Scans Against Network 135,000 YTD Source: Information Assurance Office, Human Resources Command, St. Louis
Computer Security Model • Bell-LaPadula Model • Developed by the US Army in the 1970’s • Provides framework for handling data of different classifications • Known as “multilevel security system” • One of the earliest and most famous computer security models Source: Information Assurance Office, Human Resources Command, St. Louis; http://infoeng.ee.ic.ac.uk/~malikz/surprise2001/spc99e/article2 - viewed 11/6/2004
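An added example (not part of the original slides) of the access check a multilevel security system built on the Bell-LaPadula model enforces. The two rules in the code, "no read up" and "no write down", are the model's standard properties rather than text from the slide; the level names, compartment, subjects, and objects are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """True if this label is at least as high and covers every compartment."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def can_read(subject, obj):
    return subject.dominates(obj)   # simple security property: no read up

def can_write(subject, obj):
    return obj.dominates(subject)   # *-property: no write down

# Constructed subjects and objects (hypothetical names).
SUBJECTS = {
    "clerk": Label("CONFIDENTIAL"),
    "auditor": Label("SECRET"),
    "analyst": Label("SECRET", frozenset({"PERSONNEL"})),
}
OBJECTS = {
    "public_notice": Label("UNCLASSIFIED"),
    "personnel_file": Label("SECRET", frozenset({"PERSONNEL"})),
}

REQUESTS = [
    ("clerk", "read", "public_notice"),     # allowed: reading down
    ("clerk", "read", "personnel_file"),    # denied: read up
    ("clerk", "write", "personnel_file"),   # allowed: writing up
    ("auditor", "read", "personnel_file"),  # denied: missing compartment
    ("analyst", "read", "personnel_file"),  # allowed: label matches
    ("analyst", "write", "public_notice"),  # denied: write down
]

def denied(requests):
    """Return the requests a reference monitor would refuse."""
    check = {"read": can_read, "write": can_write}
    return [(s, op, o) for s, op, o in requests
            if not check[op](SUBJECTS[s], OBJECTS[o])]
```

The auditor case shows why a clearance level alone is not enough: the level matches, but the missing compartment still blocks the read.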
Information Unable to Obtain • IT Security Budget • Business Policy Procedures • Outsource IT providers information Source: Information Assurance Office, Human Resources Command, St. Louis
Financing Background Info • Financing is one of the largest domestic providers of inventory floor financing for several different industrial channels. • Recent focus to use IT to reduce business costs by processing transactions online. • IT operates 5 different customer facing applications handling in excess of 4 billion dollars in transactions monthly. Source: Interview and personal comments from Financing’s CIO – October 2004
Case Study Research Method • Interviewed CIO to gain their different perspectives on IT security and business. • Interview lasted approximately 2 hours and consisted of 15 questions. • Subsequent discussion based on what CIO said were issues of highest concern. Source: Interview and personal comments from Financing’s CIO – October 2004
Most Pressing Security Concerns • Eliminating bad user practices • Measures to prevent security breaches • Ability to quickly recover from security failures / breaches • Impact of compliance with SOX regulations Source: Interview and personal comments from Financing’s CIO – October 2004
Security Specifics • No specific line item budget amount. • Security costs are encompassed in other budget items, such as system development & testing, data center operations, etc. • No dedicated resources focusing solely on security. • Security related activities fall under responsibility of existing IT staff. Source: Interview and personal comments from Financing’s CIO – October 2004
Security Challenges: End User Security “Security is a 50/50 proposition. A system can be perfectly secure; however, if users don’t properly use the provided security features, then there might as well be no security at all.” -Anonymous
End User Security: Typical Financing User • Non-technology savvy office clerks and book keepers. • No on-site IT support to maintain individual system security. • Many dealers have Broadband access without firewall protection. • What is so risky about this??? Source: Interview and personal comments from Financing’s CIO – October 2004
End User Security: Typical Financing User (2) • Known problems with Spyware and viruses. • Account reps reported seeing multiple users post their username and password in plain view in their offices. Source: Interview and personal comments from Financing’s CIO – October 2004