Information Security for Managers - PowerPoint PPT Presentation

Slides: 70
Provided by: infosecO
Transcript and Presenter's Notes

1
Information Security for Managers
Chuck Morrow-Jones and Shawn Sines, February 2007
2
Goal
  • Goal: to help you understand the least you need
    to know about information security
  • To give you some resources that will help you
    when you need to expand on this minimal base
  • This is a tall order - don't panic!

3
Topics
  • What does the CIO Security group do?
  • C.I.A.
  • A Bad Day at Wild West U Exercise
  • Security Jargon and Terminology
  • Who are we worried about?
  • C.Y.A
  • Physical Security
  • Laptop/PDA Security
  • Account Security
  • Passwords
  • Data Security
  • FERPA and Ohio HB 104
  • The Cost of Exposure
  • People Security
  • Social Engineering Exercise
  • The Guide to Security Administration
  • Security Policy Considerations
  • Installation policy
  • Lock it Down
  • Patch management
  • Computer Security
  • Network Security
  • Disposal policies
  • User policies and habit management
  • Frequently Asked Questions
  • Resources and Links

4
What does the CIO Security group do?
  • Security Awareness
  • Incident Response
  • Firewalls and Authentication Devices
  • Security Consulting
  • Vulnerability Scanning
  • Outreach and Education of faculty, staff and
    students

5
C.I.A.
  • The University's entire information processing
    environment rests on the assumption that we have:
  • Confidentiality - prevent unauthorized disclosure
    (Threat: unauthorized access)
  • Integrity - ensure accuracy and authenticity
    (Threat: altered, deleted, or added data)
  • Availability - ensure that information and systems
    are there when we need them (Threat: denial of
    service)

6
Other Concerns
  • Liability: someone can use our computers to do
    bad things that leave us with the liability
  • Reputation: security issues can make us look
    bad, affecting parental trust and recruiting
  • Legal: a growing body of law requires that we do
    certain things to secure our systems (FERPA,
    HIPAA, Ohio HB104)
  • Financial: security issues cost money, directly
    or indirectly
  • Traceability, auditability: bad things happen,
    and you need to find out what and why (and
    sometimes who)

7
Exercise: A Bad Day at the Wild West U (somewhere in Texas)
8
Terminology
  • Scan: probing through the network to find
    vulnerable systems
  • Vulnerability: a weakness that might lead to
    something bad
  • Exploit: using a vulnerability to gain access to
    a system

9
Terminology
  • Backdoor: intruders often insert hidden entrances
    to your system
  • Malware: MALicious softWARE is a category of
    software that includes viruses, worms, adware,
    spyware and trojans
  • Virus, worm, trojan: other names for different
    sorts of bad software. These have all sort of
    blended together

10
Terminology
  • Rootkit: tools used to hide an intruder's
    presence
  • Adware, spyware: commercial software that
    invades your privacy, displays pop-ups and
    undermines your security
  • Phishing: e-mail or web pages that look like they
    come from legitimate businesses but are really
    tricking you into giving them information.

11
Terminology
  • Bot (short for robot): a computer running
    software that makes it part of a botnet, which
    allows others to control it
  • Botnet: a network of 10s, 100s or 10,000s of
    bots that can be used for scanning, exploiting,
    denial of service attacks, spamming, file sharing
    and so on

12
Terminology
  • Encryption: a way to make data unreadable by
    everyone except the intended recipient(s).
  • Authentication: the act of identifying yourself
    to the computer.
  • Two-factor authentication: authentication that
    uses something you have (a token card) and
    something you know (a PIN).

13
Terminology
  • Authorization: rights granted to a person (or a
    program, computer...) for some object (like data
    in a database, login access, email, a file...)
    • Steve is authorized to log in on this computer,
      but not that one
    • Steve is authorized to read this data, but not
      delete or modify it

14
Who are we worried about?
15
Who are we worried about?
  • Teenagers and young adults
  • Historically this group was the dominant source
    of security problems - not as much today.
  • They have high interest in computers
  • Their morals aren't quite fully developed
  • No perceived danger to themselves
  • Their goals are usually non-monetary

16
Who are we worried about?
  • Organized criminals: security problems caused by
    this group are increasing
  • Goals: spam, denial of service,
    identity theft, espionage, harassment
  • Botnets are a real business now - for spam, denial
    of service attacks, and building other botnets
  • They are high-risk operations, and more
    motivated to use sophisticated tools and
    techniques to hide their tracks

17
Who are we worried about?
  • Unorganized criminals
  • Disgruntled employees
  • Other individuals doing criminal things
  • Feb. 5, 2005 (Sophos news): a 24-year-old
    former AOL employee has pleaded guilty to
    stealing a list of 92 million email addresses of
    the ISP's customers and selling it to spammers
    for $28,000 ($0.0003 per address)

18
Who are we worried about?
  • Legitimate users
  • People doing things that unintentionally put
    systems at risk, typically through experimenting
    with game servers, file sharing, web servers,
    instant messaging, etc.
  • People who carelessly click on email attachments,
    approve dialog boxes that ask whether it's OK
    to install extra software, respond to phishing
    attacks, and so on

19
C.Y.A.
  • Because we are concerned about C.I.A. (and the
    other issues) we need to secure our systems,
    networks, and data.
  • Step 1: Identify assets (data, services, etc)
  • Step 2: Identify threats (C.I.A.) for each asset
  • Step 3: Identify controls to protect our assets
    from these threats

20
Security Controls
21
Physical Security
  • Provides for the protection of property,
    personnel, and facilities from illegal or
    criminal acts, and/or environmental disruptions
  • Physical security plan should be created that
    deals with control of access to the building or
    office
  • Plan should also address responses to
    environmental problems

22
Physical Security
  • Look at what you are trying to protect, and who
    or what you are trying to protect it from, then
    decide how much security is required.
  • Physical security is the first line of defense
    against the exploitation of computer systems
  • 70% of data theft is physical theft, usually by
    stealing a physical device.
  • Physical security should make device theft as
    difficult as possible.

23
Physical Security
  • The Security Plan should include information
    about:
    • Access control at doors
      • Are there security locks? Deadbolts? Etc.
    • Physical locks or authorization (something you
      have) to access systems, especially laptops
      • Is physical access sufficient?
      • Do you need technology solutions as well?
    • Key control - janitorial access, master keys
      • Who has keys?
      • Do you have an auditable list and do you do
        regular checks?
      • Do all people on the list really need key access
        or can this be controlled another way?

24
Laptop/PDA Security
  • Consider the worst case scenario: the laptop is
    stolen
  • You don't have access to whatever was on it
  • They do
  • Do you have backups?
  • Did it contain any Personally Identifiable
    Information? Was sensitive data encrypted,
    including e-mail? (SSNs, student grades; think
    FERPA and Ohio HB104)

25
Laptop/PDA Security
  • Apple Mac OS X supports FileVault, which
    automatically encrypts files. This should be
    turned on (off by default).
  • Windows 2000 and XP support EFS, the Encrypting
    File System. This should be turned on (off by
    default).
  • Windows Vista includes BitLocker encryption. This
    should be enabled on systems that handle/store
    sensitive data.

26
Account Security
  • Don't share your accounts or passwords
  • Use good passwords
  • Use different passwords on different systems
  • Change your passwords
  • Lock your screen

27
Passwords
Time it takes a professional to crack a normal
password, by password length (SS = sub-second):

  Password length   Time to crack
  7                 sub-second
  8                 sub-second
  9                 3.4 hrs
  10                137 days
  11                1,578 yrs
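The chart gives wall-clock figures without saying what guess rate or character set it assumes. The estimator below is an added illustration, not part of the original slides, that shows the arithmetic behind such a chart: the number of candidates grows as (character-set size) raised to the password length, so each extra character multiplies the attacker's work by the size of the set in use, which is also why "use all available characters" matters. The guess rate of one billion per second and the character-set sizes are assumptions for illustration; the output will not reproduce the slide's exact numbers.

```python
"""Brute-force time estimator: an added illustration (not from the slides).

Computes how many guesses an exhaustive attack needs for a password of a
given length and character-set size, and converts that into time at an
ASSUMED guess rate. Real rates depend on the hash algorithm and hardware,
which the slides do not specify.
"""

# Character-set sizes (counts of ASCII printable characters; assumed, not from the slides)
CHARSETS = {
    "lowercase only": 26,
    "lowercase + digits": 36,
    "mixed case + digits": 62,
    "all printable": 95,
}

# Assumption for illustration only: one billion guesses per second.
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    if charset_size < 1 or length < 1:
        raise ValueError("charset_size and length must be positive")
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time in seconds to try every password in the keyspace."""
    return keyspace(charset_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render seconds in the coarse units the slide's chart uses."""
    if seconds < 1:
        return "sub-second"
    for name, size in (("yrs", 365 * 86400), ("days", 86400),
                       ("hrs", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} s"


def crack_table(lengths=range(7, 12), charsets=CHARSETS,
                rate: float = ASSUMED_GUESSES_PER_SECOND) -> list[dict]:
    """One row per password length, one column per character set."""
    rows = []
    for length in lengths:
        row = {"length": length}
        for name, size in charsets.items():
            row[name] = human_duration(seconds_to_exhaust(size, length, rate))
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in crack_table():
        print(row)
```

Reading the table across a row shows the effect of character variety at a fixed length; reading down a column shows the effect of length, which dominates because it sits in the exponent.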
28
Passwords - Best Practices
  • Change passwords every 60-90 days
  • Use all available characters
  • Memorize, don't write
  • Examples of Passwords
  • Bad: 1234, <first name> (e.g. jim), buckeye, osu,
    brutus, password
  • Good: 1Sour3Whiskey!
  • Good: 47adFb2m
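The advice above (length, use of all character types, none of the listed bad passwords, not your own first name) can be turned into a rule set that a system checks at password-change time. The checker below is an added example, not from the slides; the 8-character minimum, the three-of-four character-class rule and the denylist are assumptions chosen so that the slide's Bad examples fail and its Good examples pass.

```python
"""Password policy checker: an added example, not part of the slides.

The thresholds and denylist are assumptions that encode the slide's advice;
adapt them to your own policy.
"""
import string

MIN_LENGTH = 8          # assumption: the shorter "Good" example on the slide is 8 chars
MIN_CLASSES = 3         # assumption: require 3 of {lower, upper, digit, symbol}

# Denylist built from the slide's "Bad" examples (constructed, not exhaustive).
DENYLIST = {"1234", "buckeye", "osu", "brutus", "password"}


def character_classes(pw: str) -> set[str]:
    """Which of the four character classes the password draws from."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def check_password(pw: str, first_name: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(pw)) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if lowered in DENYLIST:                     # exact match; extend to substrings if desired
        problems.append("is a well-known bad password")
    if first_name and first_name.lower() in lowered:
        problems.append("contains the user's first name")
    return problems


def is_acceptable(pw: str, first_name: str = "") -> bool:
    return not check_password(pw, first_name)


if __name__ == "__main__":
    for candidate in ["1234", "jim", "buckeye", "1Sour3Whiskey!", "47adFb2m"]:
        print(candidate, check_password(candidate, first_name="Jim") or "OK")
```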

29
Data Security
  • Remember CIA? Data Security is essential to
    C(onfidentiality) and I(ntegrity) and aids in
    A(vailability) and accountability
  • Needs are driven in part by the regulatory
    environment - examples being FERPA and student
    information, HB104, HIPAA
  • Involves protecting data in transit, as well as
    in storage
  • Often requires encryption of the data

30
Ohio House Bill 104
  • Interim Disclosure and Exposure policy
  • Defines the following as sensitive information:
    name in combination with
    • Social Security Number
    • Driver's License Number
    • Credit or Debit card number with password or PIN
  • The University is required to notify in the event of
    an exposure
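The definition above can be applied to a data inventory mechanically: a record is flagged only when a name sits alongside one of the listed elements, so an SSN on its own, or a card number stored without its PIN, does not meet it. The classifier below is an added example, not text from the slides or from HB 104 itself; the field names, the nine-digit SSN format and the Luhn check used to recognise card numbers are assumptions, and the sample records are constructed.

```python
"""Classifier for the HB 104 definition as stated on the slide: an added
example, not from the slides or the bill text. Field names, the SSN format
and the Luhn check are assumptions.
"""
import re

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")   # assumed format: 9 digits, optional dashes


def luhn_ok(number: str) -> bool:
    """Luhn checksum used by payment card numbers (weeds out non-card digit strings)."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def sensitive_elements(record: dict) -> list[str]:
    """Which HB 104 elements (per the slide) the record holds next to a name."""
    if not record.get("name"):
        return []               # no name, so not 'name in combination with ...'
    found = []
    ssn = record.get("ssn") or ""
    if SSN_RE.match(ssn.strip()):
        found.append("ssn")
    if record.get("drivers_license"):
        found.append("drivers_license")
    card = record.get("card_number") or ""
    if luhn_ok(card) and (record.get("card_pin") or record.get("card_password")):
        found.append("card_with_pin")
    return found


def is_sensitive(record: dict) -> bool:
    return bool(sensitive_elements(record))


# Constructed sample records with fictional values.
SAMPLE_RECORDS = [
    {"name": "A. Student", "ssn": "123-45-6789"},
    {"name": "B. Student", "card_number": "4111 1111 1111 1111"},     # card, no PIN stored
    {"name": "C. Staff", "card_number": "4111 1111 1111 1111", "card_pin": "1234"},
    {"ssn": "123-45-6789"},                                            # SSN without a name
    {"name": "D. Staff", "drivers_license": "XX123456"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.get("name", "<no name>"), sensitive_elements(rec) or "not sensitive")
```

Run over an exported spreadsheet or database table, a check like this tells a department which records would trigger the notification duty if exposed, which is the population the "Cost of Exposure" figures apply to.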

31
Cost of Exposure
  • The department responsible for the exposure pays
    the cost.
  • The owner of the data - if not responsible for the
    exposure - cosigns all correspondence to victims
    in case of notification.
  • Average cost of notification is $8-20 per person.
  • Loss of respect for The Ohio State University is
    not a quantifiable cost

32
FERPA (Family Educational Rights and Privacy Act
of 1974)
  • Designed to protect the privacy of student
    educational records
  • In general, requires student permission to
    release information contained in the educational
    record
  • Certain directory information is public, unless
    the student requests suppression

33
People Security
  • Consider implementing employee background
    screening
  • Most easily done as part of the hiring process
  • OSU Police can provide several levels of
    screening (may cost)

34
People Security
  • Questions to ponder:
    • Do you know what access each employee has,
      including remote access?
    • Can you guarantee they haven't set up back-doors,
      especially if they were disgruntled before they
      left?
    • Do you have policies about sensitive materials at
      home, backups, etc?
  • When you terminate an employee, you need to:
    • Remove their access (including remote access)
    • Dispossess them of sensitive materials
    • Repossess important materials (latest version of
      their project)

35
People Security
  • Social engineering: techniques that rely on
    weaknesses in humans rather than software; the
    aim is to trick people into revealing passwords
    or other information that compromises a target
    system's security
  • Modified from The Jargon File, version 4.7.7

38
A social engineering example
Hi, this is Susan from the OIT Help Desk. I'm
sorry to bother you, but we are converting our
files from handwritten to electronic, and can't
quite make out the handwriting on your record.
Could you verify this phone number? Your office
number? Your password? Your building's street
address? Thank you.
39
The Guide to Secure Administration
40
Security Policy Considerations
  • Design/support a strong internal policy
  • Require removal or encryption of sensitive
    information on all laptops and PDAs
  • Prohibit storing sensitive information on highly
    portable devices such as USB memory, CDs
  • Prohibit the storage (electronic or paper) of
    SSNs

41
Security Policy Considerations
  • Lock it down!
  • Auto-install OS updates
  • Use anti-virus and anti-spyware software
  • Use personal firewalls (included with OS X and
    Windows XP)
  • Make and test backups!
  • Use good password practices

42
Computer Security Policy
  • See Host Based Security Best Practices at
    Infosec.ohio-state.edu
  • Build it in a secure way
  • Lock it down

43
Computer Security Policy
  • Secure Installations
  • Reformat if you are reinstalling!
  • Take the computer off the net, or put it behind a
    good firewall where there are NO infected
    computers
  • Reinstall, patch fully
  • Now it's safe(r) to put it back on the net

44
Computer Security
  • Lock it Down
  • Set computers to install updates automatically
  • Install anti-virus and anti-adware software
  • Use a personal firewall
  • Make backups!
  • Disable services that you don't need
  • Set passwords on ALL accounts
  • Increase audit levels, space

45
Computer Security
  • Lock it Down
  • Consider using a browser other than Internet
    Explorer; we recommend Firefox
  • If you use IE, enable the highest level security
    settings. Consider IE 7
  • Disable the Guest account
  • Set the system to automatically lock the screen
    after it's been idle for a while and to require a
    password to unlock the screen
  • When asked for password hints, don't give any
  • Disable automatic login

46
Computer Security
  • Patching
  • It is important that you keep up to date with
    security-related updates
  • Set your computer to install updates
    automatically as they become available
  • Windows Update is sometimes wrong; get and use
    Microsoft Baseline Security Analyzer in addition
  • Configure Mac OS X Software Update to check daily.

47
Computer Security
  • Anti-virus / Anti-spyware
  • Anti-virus detects most known malware and (if
    configured correctly) will prevent it from
    infecting your computer
  • We have a site license for McAfee - use it!
  • Set to check for updates DAILY
  • Set to scan files on open (or at least on
    execute)
  • There is MUCH that anti-virus software
    can't/won't detect!!

48
Computer Security
  • Anti-virus / Anti-spyware
  • There are significant concerns about privacy,
    security and, of course, the annoyance of pop-up
    ads.
  • Detection and remediation tools:
    • Spybot Search & Destroy
    • Ad-aware
  • Enable pop-up blockers in web browsers

49
Network Security Policy
  • This should address issues such as
  • The use of network firewalls to restrict traffic
  • Network services that are offered to the outside
  • Intrusion detection and prevention
  • Remote access
  • Mobile/personal computers

51
Network Security
  • Firewalls
  • Firewalls restrict access to network services
  • 2 types: host/personal and network
  • Personal firewalls (like the one in XP SP2) are
    fine, especially for restricting access from your
    computer to the net, but they can easily be
    disabled by malware
  • Network firewalls are especially useful for
    centralized control

52
Network Security
  • Remote Access
  • Remote access is useful for after-hours support,
    telecommuting from home
  • Remote access can be a huge security problem
  • PII must never be stored on personally owned
    devices
  • Require two factor authentication and use
    encryption for the traffic.
  • You should also have a policy regarding security
    of the home computers.

53
Network Security
  • Laptops
  • Do you have a policy regarding laptops on your
    network?
  • PII must not be stored on personal laptops, and
    should not be stored on OSU-owned laptops unless
    encrypted
  • Specify security precautions that should be in
    place before connecting to the network
  • Attaching infected laptops to your critical
    network behind your secure firewall could
    result in your machines being infected.

54
Network Security
  • External Access and Authentication
  • OSU network policy requires that all access be
    authenticated.
  • We need to be able to trace activity back to the
    person responsible when possible.
  • Two-factor authentication is coming (RSA token or
    another form), so be ready!
  • Note that this includes laptops that people bring
    in and attach to the network

55
Network Security
  • Wireless
  • All wireless networks at OSU must comply with the
    OSU wireless policy
    (http://cio.osu.edu/policy/wireless.html)
  • The authentication requirement applies to
    wireless networks as well
  • Wireless, dialup and laptop networks should be
    outside your firewall

56
Disposal Policy
  • Security concerns don't end when you replace a
    computer; have a plan in place for:
    • Disposal of sensitive data
    • Disposal of licensed software when computers are
      retired
    • Hardware cleanup/disposal when computers are
      transferred or surplused

57
Disposal Policy
  • Data left on the disks could be accessed by the
    next owner. There's almost certainly something
    there that is sensitive to someone...
  • Deleting and even re-formatting are not enough!
  • Use DBAN to wipe previously existing data -
    especially if it includes PII
  • Physically damaged disks should be shredded or
    otherwise destroyed
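Why deleting and quick-reformatting leave data behind: a delete removes the file's directory entry, and a quick format replaces the allocation table, but neither touches the data blocks, so whoever gets the physical disk next can read them. Only overwriting the blocks (what a wiping tool such as DBAN does) removes the bytes. The toy disk below is an added illustration, not from the slides and not a model of any real filesystem; the "secret" it stores is a constructed string.

```python
"""Toy 'disk' showing delete vs. quick format vs. wipe: an added illustration,
not from the slides and not a real filesystem. Delete and format only change
the bookkeeping; wipe overwrites the blocks themselves.
"""

BLOCK_SIZE = 16


class ToyDisk:
    def __init__(self, blocks: int = 8):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(blocks)]
        self.table: dict[str, list[int]] = {}   # filename -> block numbers

    def _free_blocks(self) -> list[int]:
        used = {b for blocks in self.table.values() for b in blocks}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        free = self._free_blocks()
        if needed > len(free):
            raise OSError("disk full")
        chosen = free[:needed]
        for i, b in enumerate(chosen):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[b][:] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.table[name] = chosen

    def delete(self, name: str) -> None:
        """Like an ordinary delete: forget the file, leave its bytes in place."""
        del self.table[name]

    def quick_format(self) -> None:
        """Like a quick reformat: fresh empty table, data blocks untouched."""
        self.table = {}

    def wipe(self, passes: int = 1) -> None:
        """Overwrite every block, which is what a wiping tool does."""
        for _ in range(passes):
            for block in self.blocks:
                block[:] = b"\0" * BLOCK_SIZE

    def raw_bytes(self) -> bytes:
        """What someone holding the physical disk (the 'next owner') can read."""
        return b"".join(self.blocks)


def recoverable_after(action: str,
                      secret: bytes = b"SSN 123-45-6789 (constructed)") -> bool:
    """True if the secret can still be read from the raw blocks after `action`."""
    disk = ToyDisk()
    disk.write("grades.txt", secret)
    {"delete": lambda: disk.delete("grades.txt"),
     "format": disk.quick_format,
     "wipe": disk.wipe}[action]()
    return secret in disk.raw_bytes()


if __name__ == "__main__":
    for action in ("delete", "format", "wipe"):
        print(action, "-> secret still recoverable:", recoverable_after(action))
```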

58
User policies and habit management
  • Technology alone does not solve many security
    problems.
  • Education and outreach help to retrain users to
    think or act securely in their daily work
  • Establishing and informing users of their
    responsibilities, and the consequences of
    ignoring policy falls on management and technical
    staff.

59
Frequently Asked Questions
60
Frequently Asked Questions
  • How do I know if my network is vulnerable?
  • CIO security offers the following services to
    help
  • Network Scanning
  • Intrusion Detection
  • Firemarshall Firewalls

61
Frequently Asked Questions
  • How can I tell I've been infected/infiltrated?
  • Your system or network is unusually slow
  • Software suddenly starts acting strange:
    crashes, weird errors
  • Computer is possessed: mouse moves, windows open,
    things are typed, etc
  • The security group blocks your computer :-)

62
Frequently Asked Questions
  • I think I've been infected, now what?
  • Report it to your network or computer
    administrator
  • Report it to security via security@osu.edu
  • If you report it to security, please don't delete
    things, kill processes, etc until you've heard
    from us

63
Frequently Asked Questions
  • I think I've been infected, now what?
  • Questions to ask yourself
  • How did we get infected?
  • How do we prevent this from happening again?
    This might include making changes to the system,
    or educating users.
  • How can we detect this better in the future?
  • Do we have other systems at risk?

64
Frequently Asked Questions
  • Why did you block my computer? How do I get it
    unblocked?
  • We block compromised computers:
    • To protect them
    • To protect the rest of us!
  • We'll happily unblock it once it's been fixed and
    secured
  • To unblock, have your network admin contact us

65
Frequently Asked Questions
  • How do I recover from a security incident?
  • Disinfection is great, when it works
  • However, anti-virus disinfection only removes
    what it knows to remove - the miscreants may have
    installed more!
  • Rebuilding from scratch is sometimes the best (or
    only) option (see the Host Best Practices for
    instructions on this!)

66
Frequently Asked Questions
  • How do I design secure systems and networks?
  • Read Viega & McGraw's Building Secure Software,
    ISBN 0-201-72152-X, Addison-Wesley
  • Read Curtin's Developing Trust: Online Privacy
    and Security, ISBN 1-893115-72-0, Apress
  • Read Moeller and Lucas's Effective Incident
    Response, ISBN 0-201-76175-0, Addison-Wesley

67
Resources and Links
  • OSU's Safe Computing information site:
    safecomputing.osu.edu
  • CIO Security Group's homepage:
    www.infosec.ohio-state.edu
  • CIO policies: cio.osu.edu/policies/policies.html
  • Enterprise Network policies:
    www.net.ohio-state.edu/OSUNet/policies.html
  • Registrar's FERPA web site:
    www.registrar.ohio-state.edu/ourweb/more/Content/ferpa.pg1.html
  • Host security best practices:
    infosec.ohio-state.edu/pmwiki/uploads/Main/HostBestPractices.pdf

68
Resources and Links
  • Mailing lists at OSU:
    • distcons@lists.acs.ohio-state.edu
    • security-public@net.ohio-state.edu
  • XP SP2 FAQ:
    http://www.microsoft.com/windowsxp/sp2/default.mspx
  • OSU site-licensed software: osusls.osu.edu
  • You can get Microsoft Baseline Security Analyzer
    (MBSA) from Microsoft - search for it
  • For Ad-aware SE Personal see lavasoftusa.com
  • For Spybot-S&D see www.spybot.info
  • General spyware information: www.getnetwise.org

69
Resources and Links
  • The monthly security working group meeting
    (SECWOG) is held the 1st Thursday of every month
    from 3:00 to 5:00 at Baker 120.
  • The meeting is open to anyone and everyone.