IT Security Class 3 – April 6, 2012
IT Security Threats
• Three types of security threats: external, network (technological), and internal
• External: intrusion threats
  • Hacking: unauthorized access to and use of sensitive information
    • Compromising national security data
    • Compromising personnel data, e.g. SSNs, credit card numbers
    • Compromising personal data
  • Cyber crimes
    • ID theft: on the rise. The FTC has estimated roughly 10 million victims and $50 billion in losses annually.
    • Carding forums: criminal websites dedicated to the sale of stolen personal and financial information
IT Security Threats
• Three types of security threats (continued)
• Network: technological threats
  • System vulnerabilities and compromises
    • Threats arising from the software and hardware itself: some systems can be broken into with little effort
    • Software is particularly vulnerable. New exploits appear as quickly as known ones are patched, and unpatched computers become an army of drones for criminal enterprises.
  • Malicious software
    • Viruses: programs that attach themselves to files or other programs and spread when those files are shared or executed; they can corrupt software and data
    • Worms: self-propagating malware that spreads across networks on its own, without needing a host file or any user action
IT Security Threats
• Three types of security threats (continued)
• Malicious software (continued)
  • Botnets: thousands of compromised computers under the control of a single operator or criminal enterprise, used to launch distributed denial-of-service attacks, flood the network with spam, or store illicit material such as child pornography or stolen data. Once in place, a botnet can run autonomously, requiring little input from its "owners".
  • Spyware: programs installed without the user's knowledge that monitor activity or steal sensitive information
  • Phishing: legitimate-looking emails that trick the user into providing sensitive information. Phishing is social engineering rather than malware in itself, though it is a common delivery channel for malware.
IT Security Threats
• Internet piracy
  • Online software scams that can themselves be a security threat [see: http://www.bsa.org/files/Internet_Piracy_Report.pdf]
• Wireless insecurities
  • Wireless is more exposed than a wired connection: the signal reaches anyone in radio range, so anyone nearby can attempt to eavesdrop or connect
  • Open wireless networks (e.g. Wi-Fi hotspots in public places that require no password) are particularly vulnerable: with no password there is no link-layer encryption, so traffic can be read by anyone nearby unless it is protected end to end (e.g. by HTTPS or a VPN)
IT Security Threats
• Internal organizational threats
  • Employee security: who is to guard the guards?
  • Lax management: governments are extensive data repositories, and lax management can compromise that data
• Consequences of security threats
  • Corruption of information
  • Disclosure of information to unauthorized parties
  • Theft of service
  • Denial of service to legitimate users
Containing Security Threats
• Legislative actions
  • Computer Security Act (CSA, 1987): security guidelines and standards for federal government computers
    • Gave NIST (National Institute of Standards and Technology) the mission of developing security standards and guidelines for federal computer systems
  • Government Information Security Reform Act (GISRA, 2000)
    • Complemented the CSA. Required agencies to implement agency-wide information security programs, annual agency program reviews, and annual independent evaluations of security practices by the Inspector General. Oversight by OMB, which ultimately reports to Congress.
Containing Security Threats
• Legislative actions (continued)
  • Homeland Security Act (HSA, 2002): gave the CIO authority to oversee the coordination and consolidation of data
  • Federal Information Security Management Act of 2002 (FISMA)
    • Superseded the CSA and made most provisions of GISRA permanent. Strengthened training, evaluation and reporting requirements.
Containing Security Threats
• Total Information Awareness project
  • A virtual database with instant access to information on individuals: phone call records, email transcripts, Web search histories, financial records, store purchases, prescriptions, medical records, educational records, travel history, and transactions involving passports and driver's licenses.
  • Renamed the "Terrorism Information Awareness" project to make it more politically palatable. Attacks came from all sides, both liberal and conservative (civil liberties concerns, and bad for business).
  • BUT versions of this already exist, though not as all-inclusive; see Accurint and ChoicePoint, for example.
Containing Security Threats
• Update software
  • Install the latest software patches
  • Install antivirus software and keep its signatures updated
• Attack halting
  • Stops the attack in progress, whether it is a program or a person
• Attack blocking
  • Closes the loophole through which the attacker gained access
• Attack alerting
  • Either a pop-up to an online admin, or an email or SMS to a remote admin
Containing Security Threats
• Information collecting
  • Record what the attack did to the network and where it came from; this gathers the forensic evidence needed should a prosecution become necessary or possible
• Full reporting
  • Learn from mistakes; prevent future problems
• Intrusion detection systems
• Firewalls
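The alerting and information-collecting steps above are what a simple intrusion detector does in practice: read the authentication log, recognise an attack pattern, raise an alert an admin can be paged with, and keep the evidence lines attached to the alert. The script below is an added example (not code from the slides) that does this for SSH password guessing. The log lines, host name and IP addresses are constructed for the illustration, and because syslog timestamps carry no year, the parser assumes 2012.

```python
"""Detect SSH brute-force attempts in syslog auth lines and raise alerts that
keep the evidence lines for later forensic use. Added example; the sample log
below is constructed, not taken from a real system."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input in OpenSSH's syslog format (203.0.113.0/24 and
# 198.51.100.0/24 are reserved documentation address ranges).
SAMPLE_LOG = """\
Apr  6 10:01:02 gw1 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Apr  6 10:01:03 gw1 sshd[1235]: Failed password for root from 203.0.113.7 port 51023 ssh2
Apr  6 10:01:04 gw1 sshd[1236]: Failed password for root from 203.0.113.7 port 51024 ssh2
Apr  6 10:01:05 gw1 sshd[1237]: Failed password for invalid user oracle from 203.0.113.7 port 51025 ssh2
Apr  6 10:01:06 gw1 sshd[1238]: Failed password for root from 203.0.113.7 port 51026 ssh2
Apr  6 10:01:07 gw1 sshd[1239]: Failed password for root from 203.0.113.7 port 51027 ssh2
Apr  6 10:01:09 gw1 sshd[1240]: Accepted password for root from 203.0.113.7 port 51030 ssh2
Apr  6 10:05:00 gw1 sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Apr  6 10:05:30 gw1 sshd[1301]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2012):
    """Parse one sshd auth line into an event dict, or None if it is not one.
    Syslog timestamps have no year, so the caller supplies it (assumed 2012)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())  # collapse the padding in "Apr  6"
    return {"ts": datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S"),
            "result": m["result"], "user": m["user"], "ip": m["ip"], "raw": line}


def detect(log_text, threshold=5, window_seconds=60):
    """Raise a medium alert for >= threshold failures from one IP inside the
    window, and a high alert if that IP then logs in successfully within the
    window. Each alert carries the raw lines that triggered it, so the evidence
    survives even if the original log is rotated or tampered with later."""
    alerts = []
    recent_failures = defaultdict(deque)   # ip -> failure events inside the window
    flagged = {}                           # ip -> brute-force alert already raised
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        window = recent_failures[ev["ip"]]
        if ev["result"] == "Failed":
            window.append(ev)
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            if ev["ip"] in flagged:        # keep the open alert's record current
                flagged[ev["ip"]].update(failures=len(window), last=ev["ts"],
                                         evidence=[e["raw"] for e in window])
            elif len(window) >= threshold:
                alert = {"type": "ssh_bruteforce", "severity": "medium", "ip": ev["ip"],
                         "failures": len(window), "first": window[0]["ts"], "last": ev["ts"],
                         "evidence": [e["raw"] for e in window]}
                flagged[ev["ip"]] = alert
                alerts.append(alert)
        elif ev["ip"] in flagged and \
                (ev["ts"] - flagged[ev["ip"]]["last"]).total_seconds() <= window_seconds:
            # A success right after a flagged burst is the case that needs a human now.
            alerts.append({"type": "ssh_success_after_bruteforce", "severity": "high",
                           "ip": ev["ip"], "user": ev["user"], "ts": ev["ts"],
                           "evidence": flagged[ev["ip"]]["evidence"] + [ev["raw"]]})
    return alerts


def format_alert(alert):
    """One-line summary suitable for an email or SMS notification to an admin."""
    return (f"[{alert['severity'].upper()}] {alert['type']} from {alert['ip']} "
            f"({alert.get('failures', 'n/a')} failures, {len(alert['evidence'])} evidence lines)")


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(format_alert(a))
```

On the sample log the detector raises two alerts for 203.0.113.7 (the burst, then the successful root login three seconds after it) and nothing for 198.51.100.4, whose single typo followed by a key-based login is normal. The threshold and window are the knobs to tune against your own baseline; the evidence list is what you hand to the forensic and reporting steps that follow.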
Containing Security Threats
• Access limitations
  • Strong passwords
  • CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart)
  • Multi-level access control
    • Discretionary access control (DAC)
      • Access to objects is restricted based on the identity of the user or group, at the discretion of the object's owner. Implemented with access control lists that record which users can access the object and what their rights are.
    • Mandatory access control (MAC)
      • Access is restricted based on the sensitivity label of the information and the user's authorization to access information at that level (top secret, etc.). The administrator, not the owner, controls access by specifying which security labels a subject can use.
Containing Security Threats
• Role-based access control (RBAC)
  • Access is based on the user's role within the organization. The user is given no more access or authority than needed to do their job: the concept of "least privilege".
• Task-based access control
  • Rather than by role, the user is given access to the specific tasks required to perform the job. Tasks relate to the work responsibility of the specific user.
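The three models above (DAC, MAC and RBAC) are easiest to compare when they sit in one authorization function that must satisfy all of them, which is also how least privilege is enforced in practice: a request is denied unless every applicable control allows it. The code below is an added example, not from the slides; the users, groups, roles, resources and sensitivity levels are constructed for the illustration, and the MAC rules are the Bell-LaPadula "no read up, no write down" pair.

```python
"""Discretionary (ACL), mandatory (sensitivity labels) and role-based access
control side by side, combined into one deny-unless-all-allow decision.
Added example with constructed subjects, resources and roles."""
from dataclasses import dataclass, field

# Sensitivity levels, lowest to highest (a simple chain serves as the MAC lattice).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str                          # MAC: highest label the user may read
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)


@dataclass
class Resource:
    name: str
    kind: str                               # e.g. "report"; keys the RBAC permission table
    owner: str
    label: str                              # MAC: sensitivity label of the data
    acl: dict = field(default_factory=dict) # DAC: principal -> set of rights


def dac_allows(subject, res, right):
    """Discretionary: the owner decides. The owner holds all rights; anyone else
    needs an ACL entry for their user name or one of their groups."""
    if subject.name == res.owner:
        return True
    principals = {subject.name} | {f"group:{g}" for g in subject.groups}
    return any(right in res.acl.get(p, set()) for p in principals)


def mac_allows(subject, res, right):
    """Mandatory (Bell-LaPadula): no read up, no write down. Owners cannot override it."""
    s, o = LEVELS[subject.clearance], LEVELS[res.label]
    if right == "read":
        return s >= o
    if right == "write":
        return s <= o
    return False


# RBAC: each role carries only the permissions its job needs (least privilege).
ROLE_PERMISSIONS = {
    "analyst": {("report", "read")},
    "editor": {("report", "read"), ("report", "write")},
    "auditor": {("report", "read"), ("log", "read")},
}


def rbac_allows(subject, res, right):
    return any((res.kind, right) in ROLE_PERMISSIONS.get(role, set())
               for role in subject.roles)


def authorize(subject, res, right):
    """Deny unless every model allows the access. Returns (decision, failed_checks)
    so an audit log can record why a request was refused."""
    checks = {"dac": dac_allows, "mac": mac_allows, "rbac": rbac_allows}
    failed = [name for name, fn in checks.items() if not fn(subject, res, right)]
    return (not failed, failed)


# Constructed sample data.
alice = Subject("alice", "secret", groups={"ops"}, roles={"editor"})
bob = Subject("bob", "unclassified", groups={"ops"}, roles={"analyst"})
carol = Subject("carol", "top secret", roles={"auditor"})

ops_report = Resource("ops-report", "report", owner="alice", label="secret",
                      acl={"group:ops": {"read"}})
public_notice = Resource("notice", "report", owner="bob", label="unclassified",
                         acl={"group:ops": {"read", "write"}})

if __name__ == "__main__":
    for who, what, right in [(alice, ops_report, "read"), (bob, ops_report, "read"),
                             (carol, ops_report, "read"), (alice, public_notice, "write"),
                             (bob, public_notice, "write")]:
        print(who.name, right, what.name, "->", authorize(who, what, right))
```

Each denial shows a different control doing its job: bob is on the ACL but lacks the clearance (MAC); carol has the clearance and a role that may read reports but no discretionary grant (DAC); alice may write reports and is on the ACL, but writing secret-cleared content into an unclassified object is a write-down (MAC); bob owns the notice but the analyst role carries no write permission (RBAC).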
Containing Security Threats
• Fail-safe features
  • Encryption and digital signatures used to authenticate the identity of individuals attempting to access governmental computer systems
• Public Key Infrastructure (PKI)
  • The user generates a key pair: a public key, which can be shared freely, and a private key, which never leaves the user's control
  • The user obtains a digital certificate from a certificate authority (CA)
  • The CA verifies the user's credentials before issuing the certificate. Examples: Verisign, Thawte, Digicert, Network Solutions, Smartcom, Trustwave
  • The certificate binds the user's identity to the user's public key and carries the CA's signature; anyone who trusts the CA can check that signature and so trust the binding
  • The CA publishes the certificate, and with it the public key, in a public registry
  • The private key is stored on the user's computer or on a smart card; the CA does not issue it and never sees it
  • The two keys are inverses: whatever is encrypted with one can be decrypted only with the other
    • Confidentiality: the sender encrypts data with the RECEIVER's public key; only the receiver, holding the matching private key, can decrypt it
    • Authentication: the sender signs data with the sender's own private key; anyone holding the sender's public key (from the certificate) can verify the signature, which shows who sent the data and that it was not altered
  • Good tutorial on the use of PKI: http://gdp.globus.org/gt4-tutorial/multiplehtml/ch09s03.html
Containing Security Threats
• VPN tunneling through secure channels
  • VPN = Virtual Private Networking: uses the public Internet, but the data is encapsulated and encrypted to prevent its interception and use by those not authorized to view it. The tunnel protocols protect, secure, and authenticate the data between peer devices.
• Federal ID cards for federal employees and contractors (smart cards)
  • Smart cards hold verified identifying information, such as a PIN and biometric fingerprint data, on a microchip, with anti-counterfeiting protection.
• Real ID Act (2005): establishes minimum requirements for state-issued ID cards and driver's licenses
Containing Security Threats
• Agency-level security policies
  • Security governance and reporting
    • Complete inventories of IT assets; listings of critical infrastructure and mission-critical systems; strong incident identification and reporting procedures; oversight of contractors; strong reporting of security problems.
  • Physical security systems
    • With all the concentration on hackers and the like... don't forget to physically secure the system!
  • Security checks and clearances
    • "Hacking out" rather than in: employees can be a problem, sending information out of the network from their authorized devices inside the firewall.
  • Biometrics
    • Becoming more widely used, but still not perfected and generally not sufficient on its own.
Containing Security Threats
• Agency-level security policies (continued)
  • Configuration management
    • Automated maintenance of networked computers: enforcing authorized configurations on users' machines and automating updates and patches.
  • Secure system design
    • Planning for breaches; secure and redundant data backups.
  • Red teams: teams of experts
    • Hired to break into the system to determine where the vulnerabilities lie.
  • Honey pots: a proactive security strategy
    • Intentionally weak devices placed on the network to log and monitor access attempts. No employee has any reason to access them, so every attempt is suspect.
Components of a Comprehensive Security Policy
• Risk management structure
  • A formal, highly placed organizational structure for security planning. Top management representation and support, with its own budget. The team performs periodic risk assessments to set security goals.
• Data stewardship
  • An inventory of systems and their related databases, with stewardship given to specific agency personnel tasked with implementing security and privacy policies for their assigned assets.
• Risk tracking
  • Develop security indicators and measurement procedures to track all forms of risk. Server logs and monitoring software are useful for this purpose.
Components of a Comprehensive Security Policy
• Risk notification
  • Disseminate information quickly to foster employee awareness of and commitment to security.
• Authentication
  • Procedures to verify the identity of those with whom the agency shares information. Different access types for different users.
• Encryption
  • Procedures for the secure transfer of information, appropriate to the assessed risk level.
• Data security
  • Plans for protecting information from external electronic access or physical theft. Information should also be protected from insider abuse through security checks and clearances.
Components of a Comprehensive Security Policy
• Data sharing
  • Decisions on how data requests from other agencies and the public will be handled. Should support Freedom of Information Act requests while protecting personally identifiable information and intellectual property.
• Data disposal
  • How and when to dispose of records.
• Security training
  • Security procedure training for new employees; security awareness training for all employees; technical security training for the IT staff.
Incident Response
• Attack recognition: what is the correct first response?
  • Should the attack be stopped immediately?
  • Call law enforcement?
  • Notify upper management? Who?
  • Even if you are able to stop the attack immediately, you may not want to do so until you understand it fully and have identified its intended target and goal. Watching it play out can reveal compromised data that would otherwise go unnoticed, and allows the collection of forensic evidence that might lead to prosecution.
Incident Response
• The role of the Computer Security Incident Response Team (CSIRT)
  • Organized and tailored to the environment in which it will operate
  • Framework
    • Mission statement: high-level goals, objectives and priorities. A clear mission lets the team:
      • understand whether it is using the correct priorities, so that it responds to the most important activity
      • correct any inappropriate expectations held by those it interacts with
      • understand how, and whether, it is appropriate to react to a given situation
      • revise its policies and procedures to meet the needs of the situation
      • determine whether the range and nature of the services it offers should be modified
Incident Response
• The role of the Computer Security Incident Response Team (CSIRT)
  • Constituency: who is served, and what is the relationship?
    • Full authority to act for the constituency
    • Shared authority: can influence but cannot dictate decisions
    • No authority: advisors or advocates
  • Place within the organizational structure and within the risk management function
    • Overlaps with the security team, but must be part of the business process too, since it should establish operational guidelines.
  • Relationship to others within and outside the organization
    • Must be in a position where it can coordinate activities among groups.
  • CSIRTs are both reactive and proactive in security.