
Slide Heading. Seminar Series: Managing IT Risk In 2010 Understanding End User Attack Vectors . Brian Judd, CISSP SynerComm January 20, 2009. Agenda. Slide Heading. Assure IT- Top 10 Audit Findings. Top 10 Audit Findings. Top 10 Audit Findings. Security Awareness Patch Management

Presentation Transcript


  1. Seminar Series: Managing IT Risk In 2010 – Understanding End User Attack Vectors. Brian Judd, CISSP, SynerComm. January 20, 2009

  2. Agenda

  3. Assure IT - Top 10 Audit Findings

  4. Top 10 Audit Findings
  • Security Awareness
  • Patch Management
  • OS Hardening / Default Configurations / Build Standards
  • Excessive Privileges
  • Weak Authentication
  • Missing Audit Trails
  • Database Security
  • Web Application Security
  • Over-Disclosure of Information
  • Lack of Network Visibility & Management

  5. Top 10 Audit Findings - Client Side Risks
  • Security Awareness
  • Patch Management
  • OS Hardening / Default Configurations / Build Standards
  • Excessive Privileges
  • Weak Authentication
  • Missing Audit Trails
  • Database Security
  • Web Application Security
  • Over-Disclosure of Information
  • Lack of Network Visibility & Management
  • Vulnerabilities/Threat Areas Common to Client-Side Risk

  6. Assure IT - Client Side Risk

  7. What are Client-side Vulnerabilities?
  • Client-side vulnerabilities include both software weaknesses and end-user security awareness.
  • To exploit a client-side vulnerability, the computer end-user must open an infected file/document or browse to a malicious webpage.
  • Occasionally, bugs in software such as MS Outlook’s preview feature could execute code with almost no user interaction.
  • Client-side attacks often trick users into violating corporate security policies.
  • Targeted phishing attacks often spoof email headers and known/trusted source identities.
    • Policy: Do not open email messages or attachments from unknown sources.
    • Policy: Do not browse non-business related websites.
    • Policy: Do not install unapproved software on business machines.
  • Client-side attacks may bypass many technical controls including anti-malware software, firewalls and intrusion prevention systems.

  8. Outcomes of Client-side Attacks
  • Like network-based attacks, client-side attacks often result in the compromise of computing systems. It is possible for attackers to execute arbitrary code during exploitation.
  • Because client software is being attacked, malicious code will execute in the context of the exploited software.
  • Most client software runs with the same privilege as the user who launched the software.
    • Do your users have local administrator privileges? If so, the attacker’s malicious payload will also run with administrator privileges.
  • Some client software may run with elevated privileges regardless of the computer user’s privilege.
  • The payload of a client-side attack often opens a command-and-control (C&C) connection back to the attacker.
    • Or worse, the C&C connection could join the machine to a botnet.
  • Any data or system that the compromised end-user has access to, the attacker will also have access to.

  9. Common Client-side Vulnerabilities
  • Internet Browsers
    • Internet Explorer & Firefox
  • Browser Plugins
    • ActiveX Controls
    • Adobe Flash, Acrobat PDF Viewer, Quicktime, Realplayer
  • Common Applications
    • Sun Java Runtime Environment (JRE), Adobe Acrobat and Acrobat Reader, VNC, Microsoft Office (Word, Excel, PPT, etc.), Symantec BackupExec, Thunderbird, WinZip, Windows Media Player, McAfee EPO, etc.
  • Biggest Risks: Adobe Acrobat Reader and Sun JRE
    • Why? Because they are found on most business machines. Critical vulnerabilities are discovered regularly in each of these applications. Sun’s JRE installer does not remove older (vulnerable) versions automatically.
  • Computer End-Users
    • The security awareness of your users may be your only defense.

  10. AssureIT - Client-Side Exploit Demonstration

  11. AssureIT - Client-Side Vulnerability Mitigation: Minimizing Client Side Risks

  12. 1. Security Awareness
  • Policies
    • Employees should be trained on policies at time of hire
    • A policy training/refresher should be given annually
  • Procedures
  • Standards
  • Training
    • Security awareness training should be given to ALL employees annually
    • Require testing to ensure that key concepts are retained
    • Security administrators should receive certification and information security training regularly

  13. 2. Patch Management
  • Operating system patches
    • Microsoft, Linux, Unix, etc.
    • Legacy Microsoft software may not get patched by Windows Update or WSUS
    • Switches, routers, firewalls, embedded devices
  • Application patches
    • Common non-Microsoft applications
      • Adobe – Acrobat, Photoshop, etc.
      • Sun Microsystems – Java Runtime Environment (JRE)
      • Web browsers (Opera, Safari, Konqueror, etc.)
    • Commercial off the shelf (COTS)
    • Custom applications
  • Patch management strategy
    • Weekly, monthly, more??
    • Patch testing and rollback
    • Out of cycle patches? Zero day?
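The JRE point made on slides 9 and 13 (the installer leaves older, vulnerable copies behind, and application patching has to track a baseline version) as an added audit script. This is example code written for this page, not material from the presentation or from SynerComm; INVENTORY, BASELINE and the "1.6.0_17" version-string format are constructed assumptions standing in for what a software inventory tool would export.

```python
"""Flag workstations whose installed Sun JRE copies are stale or duplicated.

Added example, not part of the presentation. INVENTORY, BASELINE and the
'1.6.0_17' version-string format are constructed assumptions standing in
for what a software inventory tool would export.
"""
import re

# Constructed inventory: hostname -> JRE version strings found in
# Add/Remove Programs. Several entries per host mirror the slide's point
# that the JRE installer leaves older, vulnerable versions in place.
INVENTORY = {
    "ws-finance-01": ["1.6.0_17"],
    "ws-finance-02": ["1.6.0_07", "1.6.0_13", "1.6.0_17"],
    "ws-teller-05": ["1.5.0_22"],
    "laptop-loan-03": ["1.6.0_17", "1.6.0_16"],
}

# Assumed baseline: the JRE version the patch process currently approves.
BASELINE = "1.6.0_17"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text):
    """Turn '1.6.0_17' into the comparable tuple (1, 6, 0, 17)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised JRE version string: {text!r}")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def audit_host(versions, baseline=BASELINE):
    """Return the patch-management findings for one host (empty if clean)."""
    if not versions:
        return []                       # no JRE at all is not a patching gap
    base = parse_version(baseline)
    findings = []
    stale = sorted(v for v in versions if parse_version(v) < base)
    if stale:
        findings.append("stale JRE present: " + ", ".join(stale))
    if len(versions) > 1:
        findings.append(f"{len(versions)} JRE copies installed; remove all but {baseline}")
    if max(parse_version(v) for v in versions) < base:
        findings.append("baseline not installed")
    return findings


def audit_inventory(inventory, baseline=BASELINE):
    """Hostname -> findings, for hosts that have at least one finding."""
    report = {}
    for host, versions in inventory.items():
        findings = audit_host(versions, baseline)
        if findings:
            report[host] = findings
    return report


if __name__ == "__main__":
    for host, findings in sorted(audit_inventory(INVENTORY).items()):
        print(host)
        for finding in findings:
            print("  -", finding)
```

The comparison is done on parsed tuples rather than on the strings so that "1.6.0_7" and "1.6.0_17" order correctly; a host counts as patched only when its newest copy meets the baseline, and any extra copy is reported regardless, because the older one is what an attacker's document or applet will target.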

  14. 3. Operating System Hardening
  • Default operating system and application installations are very dangerous
    • Microsoft Windows 2000, XP, Server, etc. all install many unneeded services
    • Most security controls are disabled or configured for maximum usability
    • Cisco routers have vulnerable configurations until hardened
  • Remove and/or rename default accounts and set strong passwords
    • Windows – change “administrator” username and disable “guest” account
  • Consider adopting an operating system standard/benchmark
    • Sources: Center for Internet Security (CIS) or National Institute of Standards and Technology (NIST)
    • Use standards to create a “Gold” build
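The gold-build idea on slide 14 as an added configuration check: a host snapshot is compared with a baseline of the kinds of items the slide names (default accounts, unneeded services, controls left at usability defaults). This is example code written for this page, not from the presentation, SynerComm, CIS or NIST; GOLD_BUILD, DEFAULT_INSTALL and HARDENED are constructed, and the snapshot layout is an assumed shape for what a configuration-management tool might export.

```python
"""Compare a workstation configuration snapshot with a 'gold build'
baseline and list the hardening gaps.

Added example, not from the presentation. GOLD_BUILD, DEFAULT_INSTALL and
HARDENED are constructed; the snapshot layout (accounts, running
services, settings) is an assumed shape, and the baseline items are the
kinds of checks a CIS or NIST benchmark covers, not a transcription of either.
"""

GOLD_BUILD = {
    # default accounts that must not exist under their well-known names
    "renamed_accounts": {"Administrator"},
    # default accounts that may exist but must be disabled
    "disabled_accounts": {"Guest"},
    # services a default install enables that the gold build must not run
    "forbidden_services": {"Telnet", "SNMP", "RemoteRegistry", "Messenger"},
    # settings that must hold: booleans must match, numbers are minimums
    "required_settings": {
        "firewall_enabled": True,
        "autorun_disabled": True,
        "min_password_length": 12,
        "lockout_threshold": 5,
    },
}

# Constructed snapshot of an out-of-the-box install: default accounts,
# extra services, controls configured for usability rather than security.
DEFAULT_INSTALL = {
    "accounts": {
        "Administrator": {"enabled": True},
        "Guest": {"enabled": True},
        "jsmith": {"enabled": True},
    },
    "running_services": {"RemoteRegistry", "Messenger", "Spooler", "Dnscache"},
    "settings": {
        "firewall_enabled": False,
        "autorun_disabled": False,
        "min_password_length": 0,
        "lockout_threshold": 0,
    },
}

# Constructed snapshot of the same host after the gold build was applied.
HARDENED = {
    "accounts": {
        "wkadm-7f3": {"enabled": True},   # renamed administrator account
        "Guest": {"enabled": False},
        "jsmith": {"enabled": True},
    },
    "running_services": {"Spooler", "Dnscache"},
    "settings": {
        "firewall_enabled": True,
        "autorun_disabled": True,
        "min_password_length": 14,
        "lockout_threshold": 5,
    },
}


def check_host(snapshot, baseline=GOLD_BUILD):
    """Return one finding string per baseline item the snapshot fails."""
    findings = []
    accounts = snapshot.get("accounts", {})
    for name in sorted(baseline["renamed_accounts"]):
        if name in accounts:
            findings.append(f"default account {name!r} still present; rename it")
    for name in sorted(baseline["disabled_accounts"]):
        if accounts.get(name, {}).get("enabled", False):
            findings.append(f"default account {name!r} is enabled; disable it")
    running = set(snapshot.get("running_services", ()))
    for svc in sorted(baseline["forbidden_services"] & running):
        findings.append(f"unneeded service running: {svc}")
    settings = snapshot.get("settings", {})
    for key, required in baseline["required_settings"].items():
        actual = settings.get(key)
        if isinstance(required, bool):
            ok = actual is required
        else:
            ok = isinstance(actual, (int, float)) and actual >= required
        if not ok:
            findings.append(f"setting {key}={actual!r}; baseline requires {required!r}")
    return findings


def compliance_score(findings, baseline=GOLD_BUILD):
    """Share of baseline checks passed, rounded to two decimals."""
    total = (len(baseline["renamed_accounts"]) + len(baseline["disabled_accounts"])
             + len(baseline["forbidden_services"]) + len(baseline["required_settings"]))
    return round(1 - len(findings) / total, 2)


if __name__ == "__main__":
    for label, snap in (("default install", DEFAULT_INSTALL), ("hardened", HARDENED)):
        findings = check_host(snap)
        print(f"{label}: {compliance_score(findings):.0%} compliant")
        for finding in findings:
            print("  -", finding)
```

A missing setting is treated as a failure, not as unknown, which is the safe default for a build check: the gold build is only proven when every item is present and correct.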

  15. 4. Excessive Privileges
  • Users have local administrator privileges to their workstations
    • Especially dangerous for uncontrolled laptops that are used outside of a financial institution’s networks
  • File shares not protected with access controls
  • Employees with access to banking applications and/or GLBA data also have access to email and Internet
    • Administrators need to ask themselves whether or not all employees should be given access to email and Internet
    • Is web browsing secured and filtered by a proxy?
  • Firewall egress should be locked down by strict access control lists
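Slide 8 says the attacker inherits whatever the compromised user can reach, and slide 15 lists the privileges that make that inheritance excessive. The added script below serves both slides: it computes what one account can reach (the blast radius of a client-side compromise) and audits the slide 15 items over a small directory. This is example code written for this page, not from the presentation or SynerComm; USERS, SHARES and APPS are constructed, and the data model (group memberships, per-share read ACLs, per-application group entitlements, a GLBA flag) is an assumption.

```python
"""Audit excessive privileges and estimate the blast radius of a
compromised end-user account.

Added example, not part of the presentation. USERS, SHARES and APPS are
constructed, and the data model (group memberships, per-share read
ACLs, per-application group entitlements, a GLBA flag) is an
assumption; a real audit would populate it from the directory and file
servers.
"""

# Constructed user inventory: group membership plus the attributes the
# slide calls out (local admin, laptop used off-network, email/Internet).
USERS = {
    "jsmith": {"groups": {"Tellers", "Domain Users"}, "local_admin": False,
               "laptop": False, "email": True, "internet": True},
    "mjones": {"groups": {"Loan Officers", "Domain Users"}, "local_admin": True,
               "laptop": True, "email": True, "internet": True},
    "svc-backup": {"groups": {"Backup Operators"}, "local_admin": True,
                   "laptop": False, "email": False, "internet": False},
}

# Constructed share ACLs: share -> groups allowed to read ("Everyone"
# means no access control was applied).
SHARES = {
    r"\\fs01\loans": {"Loan Officers"},
    r"\\fs01\public": {"Everyone"},
    r"\\fs01\hr-scans": {"Everyone"},
    r"\\fs01\backups": {"Backup Operators"},
}

# Constructed application entitlements with a flag for GLBA-covered data.
APPS = {
    "CoreBanking": {"groups": {"Tellers", "Loan Officers"}, "glba": True},
    "LoanOrigination": {"groups": {"Loan Officers"}, "glba": True},
    "Intranet": {"groups": {"Domain Users"}, "glba": False},
}


def reachable(user, users=USERS, shares=SHARES, apps=APPS):
    """Everything one account can reach. After a client-side compromise
    the attacker's payload inherits exactly this (slide 8), and runs as
    administrator if the user does."""
    groups = users[user]["groups"] | {"Everyone"}
    return {
        "shares": {s for s, acl in shares.items() if acl & groups},
        "apps": {a for a, meta in apps.items() if meta["groups"] & groups},
        "runs_as_admin": users[user]["local_admin"],
    }


def audit_privileges(users=USERS, shares=SHARES, apps=APPS):
    """Findings for the excessive-privilege items on slide 15."""
    findings = []
    for share, acl in shares.items():
        if "Everyone" in acl:
            findings.append(f"share {share} has no access control (readable by Everyone)")
    for user, attrs in users.items():
        if attrs["local_admin"]:
            where = "an uncontrolled laptop" if attrs["laptop"] else "a workstation"
            findings.append(f"{user} is local administrator on {where}")
        touches_glba = any(apps[a]["glba"]
                           for a in reachable(user, users, shares, apps)["apps"])
        if touches_glba and (attrs["email"] or attrs["internet"]):
            findings.append(f"{user} has GLBA data access and also email/Internet")
    return findings


if __name__ == "__main__":
    for finding in audit_privileges():
        print("-", finding)
    print("if mjones opens a malicious attachment, the attacker gets:",
          reachable("mjones"))
```

Running it shows why the loan officer with a laptop is the worst case in this small data set: the payload would run as administrator and reach every GLBA-tagged application plus three shares, two of which are open to Everyone.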

  16. 5. Egress Controls
  • Principle of Least Privilege
    • Only the email server or gateway should be allowed to transmit outbound using SMTP
    • Dangerous protocols such as HTTP, HTTPS, FTP, SSH, ICMP, DNS, chat, P2P should be tightly restricted or blocked
  • If dangerous protocols are allowed egress to the Internet, they should be monitored
    • Email Gateways
    • Web Proxy
    • URL Filter
    • Intrusion Prevention System
    • SOCKS Proxy
  • Encrypted protocols can be dangerous
    • SSH, HTTPS
    • Botnet C&C over valid HTTP/HTTPS posts and requests
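The least-privilege egress policy on slide 16 as an added rule-set review: each allow rule is checked against the hosts approved to originate that protocol, a missing final deny-all is reported, and a first-match evaluator shows what the firewall actually does for a given flow before and after correction. This is example code written for this page, not from the presentation or SynerComm; the rule format, the host roles (mail gateway, web proxy, resolver) and both rule sets are constructed assumptions, and a real firewall export would need its own parser.

```python
"""Review an egress (outbound) firewall rule set against the
least-privilege policy on slide 16, and show the corrected rule set.

Added example, not part of the presentation. The rule format (source,
destination port, action, evaluated first-match top to bottom), the
host roles and both rule sets are constructed assumptions; a real
firewall export needs its own parser.
"""

# Assumed roles: the only hosts that should originate each protocol.
# Everything else reaches the Internet through these gateways, where it
# can be filtered and monitored.
APPROVED_ORIGINATORS = {
    "smtp": {"10.0.0.25"},    # mail gateway
    "http": {"10.0.0.80"},    # web proxy / URL filter
    "https": {"10.0.0.80"},
    "dns": {"10.0.0.53"},     # internal resolver
}

PORT_TO_PROTO = {25: "smtp", 80: "http", 443: "https", 53: "dns",
                 21: "ftp", 22: "ssh", 6667: "irc"}

# Constructed rule set as found during the audit.
AS_FOUND = [
    {"src": "10.0.0.25", "dport": 25, "action": "allow"},
    {"src": "any", "dport": 25, "action": "allow"},      # every host may send mail
    {"src": "10.0.0.80", "dport": 80, "action": "allow"},
    {"src": "10.0.0.80", "dport": 443, "action": "allow"},
    {"src": "any", "dport": 443, "action": "allow"},     # HTTPS bypasses the proxy
    {"src": "10.0.0.53", "dport": 53, "action": "allow"},
    {"src": "any", "dport": 22, "action": "allow"},      # SSH straight to the Internet
    # no final deny-all
]

# Constructed rule set after applying the slide's guidance.
CORRECTED = [
    {"src": "10.0.0.25", "dport": 25, "action": "allow"},
    {"src": "10.0.0.80", "dport": 80, "action": "allow"},
    {"src": "10.0.0.80", "dport": 443, "action": "allow"},
    {"src": "10.0.0.53", "dport": 53, "action": "allow"},
    {"src": "any", "dport": "any", "action": "deny"},
]

DENY_ALL = {"src": "any", "dport": "any", "action": "deny"}


def review_egress(rules, approved=APPROVED_ORIGINATORS):
    """One finding per allow rule that lets an unapproved host originate
    a protocol, plus one if the rule set has no final deny-all."""
    findings = []
    for number, rule in enumerate(rules, 1):
        if rule["action"] != "allow":
            continue
        proto = PORT_TO_PROTO.get(rule["dport"], f"tcp/{rule['dport']}")
        allowed_sources = approved.get(proto)
        if allowed_sources is None:
            findings.append(f"rule {number}: {proto} egress from {rule['src']}; "
                            "no approved originator, block or proxy it")
        elif rule["src"] not in allowed_sources:
            findings.append(f"rule {number}: {proto} egress from {rule['src']}; "
                            f"only {sorted(allowed_sources)} should originate it")
    if not rules or rules[-1] != DENY_ALL:
        findings.append("no final deny-all rule; unmatched traffic is permitted")
    return findings


def is_allowed(rules, src, dport, default_allow=True):
    """First-match evaluation of one outbound flow; default_allow models a
    firewall whose implicit policy is permit when nothing matches."""
    for rule in rules:
        if rule["src"] in ("any", src) and rule["dport"] in ("any", dport):
            return rule["action"] == "allow"
    return default_allow


if __name__ == "__main__":
    for finding in review_egress(AS_FOUND):
        print("-", finding)
    print("workstation SMTP out, as found:", is_allowed(AS_FOUND, "10.0.0.77", 25))
    print("workstation SMTP out, corrected:", is_allowed(CORRECTED, "10.0.0.77", 25))
```

The review catches the shadowed "any" rules that a quick read of the first SMTP and HTTPS lines would miss; in the corrected set a workstation can no longer reach the Internet on any port directly, so its mail, web and DNS all pass through gateways where the slide's monitoring controls can see them.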

  17. Questions?
