Information Security Overview

1
Information Security Overview

• Tony Letts
• Team Lead Information Security and Networks

2
Agenda

• Who is Chick-fil-A?
• What is information security?
• Why should I care?
• What are some trends for the future?
• What can I do?
• Questions?

3
Who is Chick-fil-A?
4
Chick-fil-A Business Overview

• Our Corporate Purpose
• To glorify God by being a faithful steward of all
  that is entrusted to us.
• To be a positive influence on all that come in
  contact with Chick-fil-A
• Key Words
• Glorify God
• Stewardship
• Positive Influence on People

5
Chick-fil-A Business Overview

• Founded by Truett Cathy
• 1st to Market with the Chicken Sandwich
• 1070 Restaurants in 35 states
• 1.37 Billion in revenue last year
• Owner/Operator model

S. Truett Cathy Founder and Chairman
6
Chick-fil-A Business Overview

• 2 Primary Roles of the Home Office
• Support Restaurants
• Services (Accounting, Purchasing, I.T., etc.)
• Products (systems, marketing materials, etc.)
• Open New Restaurants
• 2 per week (on average)
• 60-80 active deals in the pipeline
• 180 day cycle
• 1/3 of home office staff

7
What is security?

• Merriam-Webster
• the quality or state of being secure
• freedom from fear or anxiety
• measures taken to guard against espionage or
  sabotage, crime, attack, or escape

8
What is information security?

• Webopedia defines it as techniques for ensuring
  that data stored in a computer cannot be read or
  compromised.

9
Ten Domains of Security ISC2

• Security Management Practices
• Access Control Systems
• Telecommunications and Network Security
• Cryptography
• Security Architecture and Models
• Operations Security
• Applications and Systems Development
• Business Continuity Planning and Disaster
  Recovery
• Law, Investigations, and Ethics
• Physical Security

10
What is information security?

• Integrity
• The protection of information from intentional,
  unauthorized, or accidental changes.
• Confidentiality
• The protection of information from unauthorized
  access.
• Availability
• The assurance that information and resources are
  accessible by authorized users as needed.

11
Why should I care?

• Its only kids hacking for credit cards and
  defacing websites, right?
• Hackers like these things but there is a bigger
  picture.
• Worms
• Economic Crimes
• Hacking Recreation

12
Worms

• Self-replicating unlike viruses
• Exploit a vulnerabilities
• Force their victims to search out other
  vulnerable systems.
• Examples Slapper, Code Red, Nimda, Leaves, Lion

13
Slapper Worm

• Slapper Worm victimized over 30,000 systems
• 1 (339) of these victims were used to attack a
  US intelligence agency
• The agency was down for 26 hours
• Over 1,000,000 packets of data per second
• They only came back up because the hacker decided
  to stop

14
Code Red and Nimda

• Both of these worms exploited Microsoft IIS.
• 150,000 to 300,000 victims
• Clean-up costs were around 80 million in direct
  labor. 300-600 per system.
• Left back doors that could be used by any hacker.

15
Financial Crimes

• Credit Card Theft
• System break-in nets hackers 8 million credit
  card numbers ComputerWorld 2/24/03
• FBI warns e-commerce sites about organized
  hacker groups in Russia and the Ukraine
  InfoWorld 3/9/01

16
Financial Crimes

• Identity Theft
• The FTC received reports of over 120,000 cases of
  identity theft in 2001. The numbers continue to
  grow.
• Website manipulation (not defacement)
• Posting false information
• Compromise of consumer trust

17
Hacker Recreation

• Website defacement
• Loss of privacy

18
A hacker is watching this guy through his web cam
19
(No Transcript)
20
Privacy

• They can read all your e-mail
• Send e-mails to anyone posing as you.
• Look at personal files on your computer
• Delete files from your computer.

21
I should care because

• Major costs for organizations
• Worms and DDoS attacks
• Economic crimes - extortion
• Web defacement
• Loss of privacy
• It is not just a problem for Corporate America
  it can strike at home too.

22
What are some future trends?

• Web Application Attacks
• Super Worms

23
Web Application Attacks

• Why are Web Applications Targets?
• Typically worse with regards to security than
  shrink-wrapped applications -- WOW!
• Usually not tested as thoroughly
• Payoff is big, lots of valuable
  personal/financial information

24
Brute Force Authentication

• Attack
• There are free tools available to automate the
  guessing of passwords
• Defense
• Educate users on selecting strong passwords
• Log failed attempts and check logs regularly

25
SQL Injection

• Attack
• This technique attempts to manipulate a back-end
  database using the web applications itself by
  adding information to a SQL statement.

26
SQL Injection

• Attack
• A web app typically takes user input and places
  it into a SQL statement
• select field from table where variable
  value
• update table set ltvariablegt ltvaluegt
• Once the hacker has targeted a user input string
  they use standard database logic and start having
  fun. Dropping tables, updating tables, querying,
  etc...

User Input
27
SQL Injection

• Defense
• Server side filters. Define what characters are
  OK and filter everything else
• Client side filters can be bypassed.
• Search your entire application for
  vulnerabilities.
• It only takes one screen to give the hacker a way
  in.

28
Super Worms

• Worms to date have only exploited one
  vulnerability and have been isolated to one
  platform
• SQL Slammer
• SQL vulnerability
• Microsoft
• Slapper
• Apache
• Linux

29
Super Worms

• Next Generation worms
• Multi-exploit
• Multi-platform
• Zero Day
• Polymorphic
• Fast spreading
• Metamorphic
• Nasty Payload

30
What are some future trends?Summary

• A new focus on web applications.
• Data gathering
• Fraud
• Malicious intent
• Just for fun
• Super worms
• The internet will likely be down for a couple of
  days Internet snow days ?

31
What can I do?

• Be a responsible Internet user
• Dont open e-mail from users you dont know
• Always save e-mail attachments to your hard drive
  first and scan for viruses before opening.
• Anti-virus software is a must! Keep it updated!
• Dont click on URL links inside of e-mails The
  code behind the link may take you to a malicious
  site.
• When downloading software from websites, check
  other sites and compare. Hackers are targeting
  software distribution sites.

32
What can I do?

• Be a responsible employee
• Does your computer have antivirus software on it?
  (Hopefully you Information Security department
  has done its job)
• Use the internet for business purposes. Browsing
  for fun is when you get in trouble.
• Choose difficult to guess passwords

33
What can I do?

• Be a responsible IT professional
• Build secure applications. Think about security
  in the beginning, dont tack it on later.
• Databases should include security in the design
  phase. Create layers of security that will keep
  users accountable for the information they
  attempt to access.

34
Within an organization information security is
only as strong as its weakest link. Dont be a
weak link!
35
References

• SANS' Information Security Reading
  Roomhttp//rr.sans.org
• The Open Web Application Security Project is a
  great resource for creating secure web
  applicationshttp//www.owasp.org
• General Security Newshttp//www.securityfocus.com
  

36
Questions?