Information Security Best Practices - PowerPoint PPT Presentation

1
Information Security Best Practices
  • John R. Burnette
  • Tuesday, December 9, 2008

2
Introduction
  • Today there are e-mail viruses, Trojans, Internet
    worms, keystroke loggers (i.e. malware) and
    hackers.
  • Some twenty years ago the first PC virus was
    written to protect floppy-disk software from
    bootleggers.
  • In the 1990s viruses were created for cyber
    vandalism: the Michelangelo virus (early 1990s),
    and payloads that wiped a hard disk or corrupted
    a spreadsheet.
  • Sobig.F (2003) downloaded programs from the web
    at a preset time.
  • In 2008 malware is created to steal financial
    assets: a keystroke logger waits until the victim
    visits a banking website, records the user's
    account numbers and passwords, and sends them to
    the attacker.

3
Information Security Targets
  • All businesses with monetary assets, intellectual
    property, and personal identity information
    (i.e. identity theft)
  • All U.S. citizens and foreign nationals with
    monetary assets
  • Business and Personal Bank Accounts
  • Checking and Savings Numbers
  • Business and Personal Checks
  • Business and Personal Computers
  • Business and Personal Data
  • Social Security Numbers
  • Employee Addresses and Telephone Numbers
  • Business and Personal Debit Cards
  • Business and Personal Credit Cards
  • Credit Card Receipts (i.e. carbon copy)
  • Credit Card Numbers
  • Credit Card Statements

4
Information Insecurity - Threat
  • Hackers, phishing, e-mail scams, Trojans, worms
  • Attacks originate from 106 countries, a side
    effect of a prosperous global economy. Among
    them:
  • Algeria
  • Armenia
  • Azerbaijan
  • Belarus
  • China, People's Republic of
  • Cuba
  • Eastern Bloc (i.e. Yugoslavia, Albania, Romania)
  • Georgia
  • India
  • Iran
  • Iraq
  • Israel
  • Kazakhstan
  • Korea, Democratic People's Republic of (North
    Korea)
  • Kyrgyzstan
  • Libya
  • Moldova

5
Information Security: Business and Personal Computers
  • Provide an air gap between your sensitive and
    non-sensitive data:
  • Computer No. 1 (connected): Internet usage
    (e.g. www.msn.com), searching the web with
    Internet Explorer, e-mail.
  • Computer No. 2 (standalone: no internet access
    or e-mail capability): vulnerable business and
    personal information such as bank account
    numbers, investment account numbers, credit card
    numbers, tax returns, Social Security numbers and
    personnel information, financial spreadsheets.
    Note that removable media (CDs, USB drives) still
    cross the gap, so treat anything carried onto the
    standalone machine as untrusted.
  • Microsoft products are heavily targeted and
    frequently found vulnerable.
  • Cost/benefit analysis: the price of a second
    computer against the cost of compromised
    financial records.

6
Information Insecurity - Malware
  • Commercial CDs loaded with malware: legitimate-looking
    CDs that are freely available at trade shows,
    conventions and during foreign travel.
  • Malware spreads through e-mail and websites.
  • Storm (2007) uses social engineering techniques
    to make its messages highly appealing to open and
    click through.
  • Source: 2008 Internet Malware Trends, Cisco
    IronPort. The estimate is that 50 million
    computers have been infected.

7
Information Security Best Practices
  • Use a strong password for your computer and
    password-protect your documents. A strong
    password is long and mixes upper- and lower-case
    letters, numbers, and other characters.
  • Use encryption (PKI, PGP).
  • Double your protection: use both a strong
    password and encryption for documents you send
    (internal and external). Encryption gives sender
    and receiver confidentiality, and a digital
    signature lets the receiver verify who sent the
    document and that it was not altered.
  • Install antivirus and firewall software on your
    laptop computer.
  • Use a physical lock for your laptop computer
    (e.g. business travel and college students).
  • Sanitize (wipe and reimage) your laptop computer
    when returning from business or personal travel
    to a foreign country.

8
Information Security - Email
  • Incoming e-mail
  • Never open e-mail from a party that you do not
    know.
  • Read the e-mail address carefully: instead of
    firstname.lastname@pnl.gov the address may read
    firstname.lastname@pnl.com
  • Set the e-mail client to prevent attachments
    from being displayed or opened unless confirmed
    by the owner of the system.
  • Attachments may contain executable and malicious
    software.
  • Install a spam-blocking utility.
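
The two checks above (is the sender really at the expected domain, and does an attachment carry executable content?) can be automated at the mail gateway or in a client-side filter, and the same domain check covers the "check the e-mail address" advice on slide 12. The following is an added example written for this page, not code from the presentation: it uses only the Python standard library, takes pnl.gov from the slide as the trusted domain, and the phishing-style message it parses is constructed inline.

```python
"""Triage an incoming e-mail: flag look-alike sender domains and hold
attachments that could execute.  Added example, standard library only."""
import email
import email.policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the organisation's own domain, taken from the slide's example.
TRUSTED_DOMAINS = {"pnl.gov"}

# Extensions Windows executes on double-click; held regardless of content.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".vbs", ".js", ".jse", ".hta", ".jar", ".msi"}

# File signatures that reveal executable content hiding behind an innocent name.
EXECUTABLE_MAGIC = {b"MZ": "Windows PE executable", b"\x7fELF": "ELF executable"}


def sender_domain(msg):
    """Domain part of the From: header, lower-cased ('' if unparsable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None.

    Exact matches and real subdomains (mail.pnl.gov) pass.  A domain that reuses
    the trusted name under another TLD (pnl.com), joins it with a hyphen
    (pnl-gov.com) or buries it in a longer name (pnl.gov.example.net) is a
    look-alike.  This is a heuristic, not a proof of spoofing."""
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None
    for trusted in TRUSTED_DOMAINS:
        name = trusted.split(".")[0]                      # "pnl"
        if name in domain.replace("-", ".").split("."):
            return trusted
    return None


def held_attachments(msg):
    """Attachments to hold for owner confirmation, as (filename, reason) pairs."""
    held = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "unnamed").lower()
        data = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:          # catches report.pdf.exe too
            held.append((name, f"executable extension {ext}"))
            continue
        for magic, kind in EXECUTABLE_MAGIC.items():
            if data.startswith(magic):            # innocent name, executable bytes
                held.append((name, f"content is a {kind}"))
                break
    return held


def triage(raw_message):
    """Parse a raw RFC 5322 message and return the triage verdict."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    domain = sender_domain(msg)
    return {
        "sender_domain": domain,
        "lookalike_of": lookalike_of(domain),
        "held_attachments": held_attachments(msg),
    }


def build_sample():
    """Constructed phishing-style message for this example: the sender is at
    pnl.com rather than pnl.gov, one attachment hides .exe behind .pdf, and the
    other has a .pdf name but starts with the PE 'MZ' signature."""
    msg = EmailMessage()
    msg["From"] = "John Smith <john.smith@pnl.com>"
    msg["To"] = "firstname.lastname@pnl.gov"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Please review the attached report.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="report.pdf.exe")
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="pdf", filename="notes.pdf")
    return msg.as_string()


if __name__ == "__main__":
    print(triage(build_sample()))
```

Run against the constructed message, `triage()` reports the sender domain `pnl.com` as a look-alike of `pnl.gov` and holds both attachments: the first by extension, the second because its bytes are a PE file whatever its name says. The extension list is deliberately short; a real gateway would also unpack archives and Office macro containers.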

9
Information Security Wireless Networking
  • Separate wireless from wired networks where
    practical.
  • Treat security as two distinct problems: user
    (client) access security and wired network
    security. Breaking into the user network then
    does not give access to many information
    resources.
  • Business best practices:
  • Make wireless access networks external to wired
    networks.
  • Manage wireless network equipment out-of-band.
  • Personal best practices:
  • Use very strong (long) WPA/WPA2-Personal
    passphrases.
  • Use secure (VPN/SSL) connections to e-mail and
    websites.
  • Maintain the configuration of laptops (patches,
    anti-spyware, firewall).
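
Slide 7 asks for strong passwords and the bullet above for long WPA/WPA2 passphrases. The added example below, not part of the presentation, shows why length is the property that matters: it scores a password by the search space an attacker must cover, derives the WPA2-Personal pairwise master key exactly as client and access point do (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 32 bytes), and estimates offline guessing time, since anyone who records one WPA2 handshake can test candidate passphrases offline at that cost without touching the network again. The known-answer test (passphrase "password", SSID "IEEE") is the vector published in IEEE 802.11i; the 1e6 guesses per second rate and the 12-character, three-class policy thresholds are assumptions of the example.

```python
"""Password strength scoring and the WPA/WPA2-Personal key derivation.
Added example; Python standard library only."""
import hashlib
import math
import string

# Character classes the slides name: letters, numbers, and other characters.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Known-answer test from IEEE 802.11i: passphrase "password", SSID "IEEE".
IEEE_TEST_VECTOR = (
    "password", "IEEE",
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def password_strength(pw):
    """Return (classes_used, entropy_bits).

    Bits are log2 of the search space for an attacker who knows which
    character classes appear: len(pw) * log2(alphabet size).  Dictionary
    words score far higher than they deserve, so treat this as an upper bound."""
    used = [c for c in CLASSES if any(ch in c for ch in pw)]
    alphabet = sum(len(c) for c in used)
    bits = len(pw) * math.log2(alphabet) if alphabet else 0.0
    return len(used), bits


def is_strong(pw, min_len=12, min_classes=3):
    """Slide 7's rule made concrete; the thresholds are this example's assumption."""
    classes, _ = password_strength(pw)
    return len(pw) >= min_len and classes >= min_classes


def wpa2_psk(passphrase, ssid):
    """Pairwise master key for WPA/WPA2-Personal, as both client and AP compute it:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA/WPA2 passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def offline_crack_years(pw, guesses_per_second=1e6):
    """Expected time in years (average case, half the space) to recover `pw` by
    deriving candidate PSKs against a captured handshake at the given rate.
    The default rate is an assumed stand-in for a GPU rig, not a measurement."""
    _, bits = password_strength(pw)
    expected_guesses = 2 ** bits / 2
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw, ssid, expected = IEEE_TEST_VECTOR
    assert wpa2_psk(pw, ssid).hex() == expected, "derivation does not match 802.11i"
    for candidate in ("password", "Summer08!", "Correct-Horse-Battery-9-Staple"):
        classes, bits = password_strength(candidate)
        print(f"{candidate!r}: {classes} classes, {bits:.0f} bits, "
              f"strong={is_strong(candidate)}, "
              f"~{offline_crack_years(candidate):.3g} years to crack offline")
```

Note what the numbers say: "Summer08!" satisfies the "variety of characters" rule but is nine characters and falls to an offline attack in hours, while a 30-character passphrase of ordinary words survives indefinitely. Length dominates; the 4096 PBKDF2 iterations only slow each guess, they do not shrink the space.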

10
Information Security Best Practices
  • Use a biometric fingerprint reader for your
    laptop computer.
  • Use good configuration management practices for
    all client devices (patches, anti-malware, host
    firewall, periodic vulnerability scans to verify).
  • Use thin-client methods where possible
    (applications and data live on a secure server,
    not on the client computer).
  • Store sensitive information on removable USB
    thumb drives in encrypted form (reduces exposure
    to threats: a lost or stolen drive does not
    disclose the data).

11
Information Security Bank Accounts
  • OPSEC (Operations Security)
  • Monitor and balance your monthly bank
    statements; check for errors, overdraft charges
    and transfers.
  • Balance your checkbook and savings accounts
    daily (e.g. Gesa Call 24).
  • Guard your passwords and account numbers:
    memorize them rather than writing them on a
    Post-It note hidden under the computer keyboard.
  • Report any discrepancy to the bank immediately.
  • Shred all checkbook and savings account receipts
    (to prevent identity theft).
  • Mail bills and birthday cards containing checks
    at the post office instead of from your personal
    mailbox. Business and personal mailboxes are
    vulnerable to theft, and the ink on a stolen
    check can be erased and the check rewritten.

12
Information Insecurity - Attacks
  • E-mail: the Nigerian scam ("Please send me your
    bank account number, and I will deposit a large
    sum of money in your account.")
  • Phishing: e-mail or telephone calls impersonating
    Gesa, eBay and others.
  • Many of the e-mail messages carry the correct
    company logo and appear legitimate (e.g. a U.S.
    DOE MSC announcement).
  • Check the e-mail address for accuracy.
  • Rule of thumb: if the request arrives by e-mail
    or telephone, contact your bank/credit card
    company directly. Do not use the telephone number
    provided in the message, and do not give the
    caller any information.
  • Train your employees and family members to
    recognize an attack.
  • Vulnerable: everyone.
  • Easy targets: the elderly and students.
  • Trojans (Internet, e-mail): infiltrate your
    computer and send your business and personal
    information to the attacker (e.g. downloader
    Trojans, which then fetch further malware).
  • Worms (Internet, e-mail): spread by themselves
    from machine to machine, infiltrate your computer
    and send your business and personal information
    to the attacker.

13
Information Security - Computers
  • Guard your computer passwords: memorize them.
  • Do not give anyone your passwords.
  • Lock your computer when leaving your desk:
    Ctrl+Alt+Delete, then Lock Computer (or the
    Windows key + L).
  • Set the screen saver to lock the computer after
    ten minutes.
  • Keep your office door closed and locked when you
    are away from the building.

14
Best Practices
  • Keep systems patched.
  • Use anti-virus and anti-spyware.
  • Run with least privilege (a standard user
    account for everyday work, not an administrator
    account).
  • Use due diligence (there is no magic bullet).
  • As the global economy continues to falter, the
    number of cyber attacks will increase.