Enterprise Security Management - PowerPoint PPT Presentation

Provided by: sujeet3
Slides: 22

Transcript and Presenter's Notes

1
Enterprise Security Management
  • Eileen Dewey
  • Rose State College
  • Midwest City, OK

2
ESM: The Class
  • Instructor: Eileen Dewey
  • Educational targets
    • Awareness of information and network security
      issues for enterprises
    • Mastery of IT security risk management and
      related processes
    • Understanding of core elements of information
      security policies and procedures

3
Core Topics
  • IT Security Risk Management
  • Security Self Assessment
  • Security Awareness and Training Programs
  • Security Policies, Guidelines and Procedure
  • Incident Handling and Response

4
Special Topics
  • Biometrics
  • Public Key Infrastructure
  • Smart Cards
  • Single-sign on solutions
  • Network Security

5
Related Topics
  • Disaster Recovery
  • Business Continuity
  • Contingency Planning
  • Business Impact Analysis

6
Resources
  • Various NIST CSRC Publications
  • Class Website
  • D2L

7
Resources (cont'd)
  • NIST Publications
    • NIST Risk Management for IT Systems (55 pages)
    • NIST Security Self Assessment Guide for IT
      Systems (95 pages)
    • NIST Contingency Planning for IT Systems (107
      pages)
    • NIST IT Security Training Requirements: A Role-
      and Performance-based Model (226 pages)
    • NIST Guidelines for the Security Certification
      and Accreditation of Federal IT Systems (78
      pages)
    • NIST Guide to Selecting IT Security Products
      (62 pages)
    • And others.

8
Course Work
  • Course Projects
    • Team oriented
    • Policy and procedure generation
    • Risk analysis processes
    • Awareness, Training and Education Modules
  • Assignments
    • Critical analysis and evaluation of tools and
      methodologies
    • Case Studies
  • Exams
    • 2 exams

9
Sarbanes-Oxley Act
  • The Sarbanes-Oxley Act was signed into law on
    30th July 2002, and introduced highly significant
    legislative changes to financial practice and
    corporate governance regulation. It introduced
    stringent new rules with the stated objective
    "to protect investors by improving the accuracy
    and reliability of corporate disclosures made
    pursuant to the securities laws".

10
Cyber Adversaries
  • Hackers
    • Hacking for curiosity/exploration
    • Hacker ethic
  • Script Kiddies
    • Download exploit scripts and hacking tools
  • Computer Criminals
    • Hacking for profit
    • Target corporate/personal/government systems
      with financial assets/secrets/intellectual
      property
  • Virus and Worm Writers
    • Malicious creativity and tribute
    • Toolkits and copycat crime
  • Insiders
    • Commit the largest share of computer crime
    • The most knowledge, access and motive
  • Cyber Terrorists
    • Target critical infrastructure
    • Force multiplication

11
Economic Espionage
  • University of Chicago student arrested for
    stealing trade secrets from DirecTV (January
    2003)
  • Igor Serebryany, 19, accused of stealing IP on
    DirecTV's Period 4 access card
  • Access card controls which premium
    events/channels a subscriber can watch
  • Documents allegedly taken from Jones Day Reavis &
    Pogue (DirecTV's legal counsel) while Serebryany
    was a temporary employee there; Jones Day was
    pursuing litigation between DirecTV and NDS
    Americas (a security vendor)
  • Period 4 access card is the only DirecTV card yet
    to be compromised by the satellite pirate
    community; DirecTV invested $25 million in its
    development
  • Trade secrets and private correspondence
    regarding the design and implementation of the
    Period 4 access card were published on pirate
    websites
  • Final irony: the genesis of the lawsuits between
    DirecTV and NDS Group was NDS Group's contention
    that DirecTV was itself leaking internal
    documents onto the Internet

12
Identity Theft
  • The largest case of identity theft in U.S.
    history: 30,000 victims (November 2002)
  • In the spotlight: Philip Cummings, customer
    service representative for Teledata
    Communications, Inc. (TCI) in Long Island, N.Y.
  • TCI provides the computer infrastructure for
    banks and other institutions to access credit
    reports from the three major credit bureaus
    (Experian, TransUnion and Equifax)
  • Cummings sold credit reports ($30 per report) to
    individuals in New York through a co-conspirator
    and then eventually sold passwords and codes of
    TCI clients for unlimited access to credit
    reports
  • Victims' bank accounts were drained, credit cards
    hit, change-of-address forms filed,
    ATM/debit/credit cards sent to unauthorized
    locations
  • $2.7 million in financial losses known to date

13
Logic Bombs &amp; Malicious Code
  • UBS Paine Webber employee accused of triggering
    logic bomb, deleting files on 1000 corporate
    systems (March 2002)
  • Roger Duronio, former network administrator,
    allegedly planted the bomb in 1000 of 1500 systems
    at branch offices nationwide
  • Duronio repeatedly expressed dissatisfaction with
    salary and bonuses
  • Duronio purportedly developed the bomb in
    November 2001; he resigned in February 2002; the
    bomb activated March 4, 2002
  • In Feb. and March of 2002, Duronio spent $21K on
    put options (short sell) of UBS A.G. stock set
    to expire March 15, 2002.
  • The bomb cost UBS Paine Webber $3 million in
    repairs
  • Attack not made public at the time; stock never
    dropped below the strike price
  • Similar schemes have worked: the Emulex fraud
    caused its stock value to drop 50%

14
Computer Fraud
  • Two Russian hackers accused of hacking and
    financial fraud (2001)
  • Credit card information stolen from ISPs (over
    50,000 credit card numbers found on their systems
    confiscated in Russia)
  • Broke into a number of systems (including school
    computers in St Clair County, Michigan) to
    execute a plan to defraud eBay and PayPal
  • Also stole personal financial information from
    online banking portals operated by Nara Bank and
    Central National Bank Waco
  • Created thousands of anonymous Yahoo/Hotmail
    email addresses in order to use stolen credit
    card numbers on eBay
  • One program they used allowed them to rig
    auctions so they could act as both buyer and
    seller on eBay
  • Caught in an FBI sting operation (2000): the FBI
    created the fictitious Invita company, met with
    the hackers, interviewed them, gave them a hacking
    test and subsequently arrested them
  • Warm fuzzy: FBI Special Agents Marty Prewett and
    Michael Schuler were awarded the Director's
    Annual Award for Outstanding Criminal
    Investigation by the Director of the FBI for
    their work on the case
  • One sentenced to 36 months in prison and $700,000
    restitution; the other is awaiting trial

15
Computer Intrusions
  • Jan 8, 2004 - Daniel Jeremy Baas, 25, of Milford,
    OH pleads guilty to exceeding authorized access
    to a protected computer and obtaining information
    ("hacking")
  • Charged in August with illegally accessing a
    protected computer and stealing customer
    databases from Acxiom, a Little Rock,
    Arkansas-based company that manages customer
    information for credit card issuers, banks,
    automotive manufacturers, retailers, and
    others
  • Baas was the computer systems administrator for a
    Cincinnati company that did business with Acxiom.
    He was allowed to download files set aside for
    his employer on Acxiom computers.
  • His crime was exceeding authorized access,
    downloading an encrypted password file, and
    running a password cracker on it
  • Baas illegally obtained 300 passwords, including
    one that acted like a "master key" and allowed
    him to download files that belonged to other
    Acxiom customers. The downloaded files contained
    personal identification information.
  • Total cost to Acxiom of the intrusion and theft
    of data estimated at more than $5.8 million
    (employee time, travel expenses, and payments for
    security audits and encryption software in
    addition to the value of the information he
    stole).
  • Baas faces a maximum penalty of five years in
    prison, a fine of $250,000 or twice the amount of
    gain or loss, and three years of supervised
    release.

16
Worms and Viruses
  • NIMDA - Windows Internet worm exposes network
    system hard drives, modifies web pages and
    creates a massive Internet DoS, causing an
    estimated $590 million in damage (September 2001)
  • Multifactor propagation
    • Code Red II backdoors in IIS hosts
    • IIS directory vulnerabilities
    • Auto-executable email attachment
    • Browser propagation
    • Network shares
  • Stealth
    • Variable subject line
    • README.EXE
  • Enables Guest account with high privileges

17
Security Fundamentals
  • Dimensions of security
    • Confidentiality: secrecy and privacy of
      information
    • Integrity: accuracy of data and authentication of
      origin
    • Availability: timely access to resources
  • Core principles of security
    • Least privilege
    • Complete mediation
    • Fail-safe defaults
    • Open design
    • Economy of mechanism
    • Psychological acceptability

18
Risk Management
  • Process concerned with the
    • identification,
    • measurement,
    • control, and
    • minimization
  • of security risk to information systems, to a
    level commensurate with the value of the
    protected assets or mission and the impact on
    system functionality
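As an added worked example (not from the deck) of the measurement and control steps named above: a qualitative risk score using the likelihood weights and impact magnitudes from NIST SP 800-30, the Risk Management for IT Systems guide listed under Resources, followed by a control selection that rejects any safeguard costing more than the asset it protects. The assets, threats and control costs are constructed sample data.

```python
from dataclasses import dataclass

# Likelihood weights and impact magnitudes follow NIST SP 800-30 (2002), Table 3-6.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}
LEVELS = ["Low", "Medium", "High"]

@dataclass(frozen=True)
class Control:
    name: str
    cost: float           # one-time cost in dollars (constructed sample value)
    new_likelihood: str   # likelihood rating once the control is in place

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str
    asset_value: float    # value of the protected asset in dollars (constructed)

def score(likelihood, impact):
    """Measurement step: likelihood weight times impact magnitude (0.1 .. 100)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def level(score_value):
    """SP 800-30 risk scale: above 50 is High, above 10 is Medium, otherwise Low."""
    if score_value > 50: return "High"
    if score_value > 10: return "Medium"
    return "Low"

def select_control(risk, candidates):
    """Control/minimization step: among controls that lower the risk level and cost
    no more than the asset they protect, pick the lowest residual level, cheapest
    first. Returns (residual level, control); control is None if nothing qualifies."""
    current = LEVELS.index(level(score(risk.likelihood, risk.impact)))
    residual = lambda c: LEVELS.index(level(score(c.new_likelihood, risk.impact)))
    justified = [c for c in candidates
                 if c.cost <= risk.asset_value and residual(c) < current]
    if not justified:
        return LEVELS[current], None   # risk must be formally accepted instead
    best = min(justified, key=lambda c: (residual(c), c.cost))
    return LEVELS[residual(best)], best

if __name__ == "__main__":
    # Constructed scenario loosely modelled on the insider cases earlier in the deck.
    r = Risk("credit-report database", "insider misuse of shared passwords", "high", "high", 2_000_000)
    options = [Control("per-user credentials with access logging", 40_000, "low"),
               Control("quarterly password rotation only", 5_000, "medium"),
               Control("rebuild the whole platform", 3_000_000, "low")]
    print(select_control(r, options))
```

The rebuild option is dropped because its cost exceeds the asset value, and per-user credentials win over rotation alone because the residual level, not price, is compared first.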

19
Risk Management Cycle
20
Technology is Useless Without
  • Policies
    • High-level statements that establish core
      security standards and acceptable use behavior
    • E.g., perimeter policy, computer use policy
  • Procedures
    • Operational guidelines that conform to policies
    • E.g., incident handling, safe computer practices
  • Training
    • Written, oral and interactive modes to
      habitualize safe user behavior
    • Technology and security training for IT personnel

21
Stop Here Ken
  • Your Assignment: due Thursday the 28th
  • Go to the D2L site
  • Read the 2007 Computer Crime and Security Survey
  • Explain in your (typed) report what this survey
    is, its purpose, who participates, and its
    findings
  • Report will be no less than 2 pages, double
    spaced, Times New Roman 12.