IT Security - PowerPoint PPT Presentation

Transcript and Presenter's Notes



1
IT Security
  • Robert Schifreen, April 2006

2
So Last Century
  • Hacking was a penny a go
  • Long-distance hacking even dearer
  • Passwords very easy to guess
  • Very low corporate dependence on IT

3
Hackers Love the Internet
  • Hack day and night for free
  • International hacking at local rates
  • Password crackers easily available
  • But most importantly: total corporate reliance on
    IT. No more filing cabinets.

4
Thinking outside the box
5
Real-world Tales
  • ITV's firewall
  • Figures on the train
  • The L0phtcrack Seminar
  • Photosense's OrderID gaffe
  • WS_FTP Woes
  • Google for employees only
  • Deleting Prestel's security log

6
So where are the current risks and what can we do about them?
7
Spam, Phishing, Pharming
  • Some spam can be incredibly offensive
  • Spammers continually inventing new tricks:
    polymorphic email is the latest; first it was
    the thesaurus-based emailer
  • Phishing attacks are getting more convincing
  • Much better caught at the gateway, not on users'
    PCs
  • Pharming: hijack a DNS entry to redirect
    traffic

8
Patch, Patch, Patch Again
  • Ensure that auto-update is always turned on
  • Test that the updates really are getting through
  • It's not just Microsoft that issues updates
  • Consider something like SUS to control patching
  • Be aware that non-admin users can't always patch
  • Update a new PC before connecting to the LAN

9
Protect your wireless network
  • Audit to search for WLANs
  • Disable SSID broadcasting
  • Use the strongest encryption
  • Use MAC address filtering
  • Have a policy!

10
Antivirus Precautions
  • Keep it up to date: software plus signatures
  • Control laptops brought in by visitors
  • Install AV before connecting a new PC to the LAN
  • Need centralised reporting of updating
  • Don't make it the user's job to update. It's
    your job, not theirs. And they won't do it.

11
Spyware
  • Put antispyware on all PCs
  • Update it frequently
  • Run it often
  • Use more than one product
  • Be aware of what spyware does
  • Lock down PCs

12
Danger USB!
  • The current fashion accessory
  • Holds up to 4 GB
  • of your data!
  • Is that a pen-drive in your pocket? They're not
    always easy to spot

13
Web site defacement
  • Who updates your web content?
  • How tightly do you control the passwords?
  • How soon would you notice if your site is
    defaced?
  • Even if it's just a tiny change?
  • Have you tested your backup and restore?
  • What about the content database, logs etc?

14
SQL Injections and other stories
  • Few web sites are plain static HTML any more
  • How well do you test your code?
  • Do you use a commercial CMS or a DIY one?
  • Is your Web server properly patched? Unpatched
    servers rarely survive for more than an hour

15
Security Awareness Training
  • Ensure that your users understand the risks
    from: phishing emails; scam emails; unexpected
    attachments; spam; emailed requests for, e.g.,
    password changes; social engineering attacks
  • But hang on a moment

16
Keystroke Logging
  • Comes in hardware and software form
  • Also has legitimate uses
  • TrueActive is one well-known product
  • Do you check for their presence?
  • One bank nearly lost £220m
  • The solution? One-time passwords.
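
An added example of why one-time passwords defeat a keystroke logger (not part of the original deck; the slide names no algorithm, so HOTP from RFC 4226 is assumed here): each code is derived from a shared secret and a counter, and the verifier moves past every counter value it accepts, so a code captured by a logger is worthless the second time it is typed. The secret below is the RFC 4226 test-vector key, used only so that the output can be checked.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the big-endian counter, then
    dynamic truncation to a short decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server side: accepts a code only for a counter it has not yet passed."""

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self.secret = secret
        self.counter = 0      # next counter value the server will accept
        self.window = window  # tolerate a few unused token presses

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # consumed: the same code can't be replayed
                return True
        return False


def replay_demo() -> tuple:
    """Legitimate login, then the keylogged code typed again, then the next code."""
    secret = b"12345678901234567890"  # RFC 4226 test-vector key (constructed demo value)
    server = OtpVerifier(secret)
    first = server.verify(hotp(secret, 0))   # user logs in with code for counter 0
    replay = server.verify(hotp(secret, 0))  # attacker replays the captured code
    following = server.verify(hotp(secret, 1))  # user's next code still works
    return first, replay, following


if __name__ == "__main__":
    print("first, replay, next:", replay_demo())
```

The look-ahead window is the usual trade-off: wide enough that a token pressed a few times in a pocket still works, narrow enough that a guessed code has few chances. A replayed code fails not because it is wrong but because the server has already advanced past it.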

17
Google Friend and Foe
  • The easiest way to find hacking tools
  • And the easiest way for you to find holes to fix
  • Use it, and use it often
  • Try searching for your company name too: see what
    the hackers are saying about you; try adding words
    such as "internal use only"

18
Encryption
  • Here, have a padlock: why public-key crypto is de
    rigueur
  • Ensure that all confidential data is encrypted
  • Modern products remove need for user awareness
  • Windows 2000/XP/2003 has EFS built in. Use it.
  • There are add-ons for Outlook too
  • Ensure that you can override it: what if the user is
    unwilling or unable to divulge the password?

19
Home Workers
  • Difficult to control, technically and
    politically
  • Whose laptop is it anyway?
  • Static IP and VPN is the way to go
  • Must have AV software and firewall

20
Biometrics
  • Still expensive and not widely used
  • Worth considering in certain applications
  • Reliability is improving
  • Can you access a protected PC in the user's absence?
  • Fingerprint is the most socially acceptable
    method
  • Technology now found in mouse and keyboard

21
Back It Up
  • Keep important backups off-site
  • Use encryption where possible
  • Online services are handy
  • Verify backups regularly
  • Check the backup policy regularly
  • Beware the EFS implications
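
For the "how soon would you notice?" question on the web site defacement slide and the "verify backups regularly" point above, one added example in Python (not from the deck): a SHA-256 manifest of every file under a directory, a comparison that reports modified, added and removed files, and a backup check built on the same comparison. The site contents, the one-character change and the backup copy are all constructed inside a temporary directory so the example runs offline.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets stay out of memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each file's relative path (forward slashes) to its hash."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """What differs between a stored manifest and a freshly built one."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def backup_matches(source, backup) -> bool:
    """True when the backup holds exactly the files and contents of the source."""
    return not any(compare(build_manifest(source), build_manifest(backup)).values())


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"  # constructed stand-in for the web root
        site.mkdir()
        (site / "index.html").write_text("<h1>Welcome</h1>\n")
        (site / "about.html").write_text("<p>About us</p>\n")

        # Take the baseline; in practice store it off the server and read it back.
        baseline = json.loads(json.dumps(build_manifest(site)))
        backup = Path(tmp) / "backup"
        shutil.copytree(site, backup)
        ok_before = backup_matches(site, backup)

        # A one-character defacement, a dropped-in file and a deleted page.
        (site / "index.html").write_text("<h1>Welcome!</h1>\n")
        (site / "extra.html").write_text("<p>unexpected</p>\n")
        (site / "about.html").unlink()

        return {
            "drift": compare(baseline, build_manifest(site)),
            "backup_ok_before": ok_before,
            "backup_ok_after": backup_matches(site, backup),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline manifest somewhere the web server cannot write, since a manifest left on a defaced host can be rewritten along with the pages, and run the comparison on a schedule that alerts on any non-empty result. The same `compare` against a restored copy is the "have you tested your backup and restore?" check.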

22
Know Your Employees
  • Did you take up references?
  • Could they be plotting an inside job? How would
    you know?
  • How many are planted by your competitors? None?
    You sure?
  • If you monitor, be sure to say that you do

23
Blogging
  • The current craze among users
  • Ensure that staff don't talk about work in blogs
  • Can bring you into disrepute, and worse
  • Famous sackings include an airline and a bookshop.
    But this results in lots of bad publicity: seen as
    sacked for "telling it how it is"

24
Thanks for listening
  • robert_at_schifreen.co.uk