First Annual Commonwealth Information Security Conference

1
First Annual CommonwealthInformation Security
Conference
www.vita.virginia.gov
2
Agenda

• Walter KucharskiTop 10 Commonwealth Information
  Security Issues/Opportunities/Concerns/Risks
• John GreenApplication Security Why Firewalls
  Arent Enough Anymore
• Keynote Gino MenchiniGovernment IT The New
  Expectations and Challenges
• Randy MarchanyUnintended Consequences Don't
  Create New Risks
• Eric TaylorIT Seppuku Why Do We Still Suffer
  Security Violations
• Bob BasketteSocial Engineering Building Bridges
  to Confidential Data

3
Commonwealth Information Security Conference

• November 2, 2009

4
AGA Top Ten List -- 2009

1. STIMULUS MONEY -- ARRA
2. DATA SECURITY
3. VITA/NORTHROP GRUMMAN
4. ENTERPRISE APPLICATION/DATA EXCHANGE STANDARDS
5. MORE TIMELY FINANCIAL INFORMATION

AUDITOR OF PUBLIC ACCOUNTS
5
AGA Top Ten List -- 2009

• ADMINISTRATIVE DUTIES CONSOLIDATION
• SUCCESSION PLANNING
• PERFORMANCE MANAGEMENT / MEASURES
• CONTRACT MANAGEMENT
• PPEA / PPTA

AUDITOR OF PUBLIC ACCOUNTS
6
The FUTURE -- 2009

• Financial statements will need to be completed
  and issued with 90 days and the single audit
  within 4 months
• The State needs newer accounting systems and one
  sole enterprise application will probably not be
  the answer
• Data security concerns will continue to grow
• There will be increasing e-commerce and data
  exchange between federal, local and state
  government
• Information technology infrastructure and systems
  will become commodities and shared

AUDITOR OF PUBLIC ACCOUNTS
7
Concerns

• WHAT IS PRIVACY?
• WHAT IS TRANSPARENCY?

AUDITOR OF PUBLIC ACCOUNTS
8
Concerns

• DATA SECURITY -- Employees
• VITA/NORTHROP GRUMMAN
• DATA EXCHANGE STANDARDS
• MORE TIMELY FINANCIAL INFORMATION
• CONSOLIDATING ADMINISTRATIVE DUTIES

AUDITOR OF PUBLIC ACCOUNTS
9
Concerns

• ACCOUNTING/ WORKFLOW SYSTEM CONTROLS WILL REPLACE
  MANUAL CONTROLS
• E-COMMERCE AND DATA EXCHANGE BETWEEN FEDERAL,
  LOCAL AND STATE GOVERNMENT
• SHARED INFORMATION TECHNOLOGY INFRASTRUCTURE AND
  SYSTEMS AS COMMODITIES

7
AUDITOR OF PUBLIC ACCOUNTS
10
What is an ISO

• Paper pusher or Policeman
• Management Oversight or One of the Gang
• Tail-end Reviewer or System Developer and
  Guardian
• Risk Manager or Elephant Parade Cleaner

AUDITOR OF PUBLIC ACCOUNTS
11
Application SecurityWhy Firewalls Are Not Enough

• John Green
• Chief Information Security Officer
• Commonwealth of Virginia

www.vita.virginia.gov
www.vita.virginia.gov
12
Todays Agenda

• Introduction
• Lessons From History
• Threats and Vulnerabilities
• Opportunities For Mitigation
• Resources
• Questions

www.vita.virginia.gov
13
Application Vulnerabilities Skyrocketing!

• Web vulnerabilities have increased from 1.9 of
  all published vulnerabilities in 2006 to over 52
  in 2009.
• Application vulnerabilities from 2007 to 2008
  increased by 154.
• WhiteHat Security said about 70 of websites it
  scans are likely to have at least one critical
  website vulnerability.

www.vita.virginia.gov
Source http//www.ncircle.com/index.php?ssolutio
n_Web-Application-Vulnerability-Statistics
14
Largest Breaches In History
www.vita.virginia.gov
15
Why? Money!

www.vita.virginia.gov
16
Firewall Are No Longer Enough

• Firewalls have been around a while
• Primary purpose To stop unwanted traffic from
  crossing network boundaries
• Hackers are walking right through them
• Perimeter firewalls are necessary, but no longer
  sufficient!
• History shows us why

www.vita.virginia.gov
17
Impenetrable Defenses Of France
"We could hardly dream of building a kind of
Great Wall of France, which would in any case be
far too costly. Instead we have foreseen powerful
but flexible means of organizing defense, based
on the dual principle of taking full advantage of
the terrain and establishing a continuous line of
fire everywhere." Maginot
www.vita.virginia.gov
18
21st Century Maginot Line
Internal Networks
Router
Router
Email
Maginot Line Term used now for something that is
confidently relied upon but ends up being
ineffective.
Web
www.vita.virginia.gov
19
May 10, 1940 - What Went Wrong?

• Defenses based on past threat
• Perimeter protection
• No layered defenses
• Holes
• Ardennes Forest
• Belgium was an ally
• Maginot Line never fell
• Bypassed
• Surrendered

www.vita.virginia.gov
20
Firewalls Do Not Stop Todays Threat
Internal Networks
DB Server
DB Server
Router
Router
Email
Web
www.vita.virginia.gov
21
2008 Symantec Threat Report

• 63 percent of vulnerabilities affected Web
  applications, an increase from 59 percent in 2007
• There were 12,885 site-specific cross-site
  scripting vulnerabilities identified, compared
  to17,697 in 2007 of the vulnerabilities
  identified in 2008, only 3 percent (394
  vulnerabilities) had been fixed at the time of
  writing.
• The education sector represented the highest
  number of known data breaches that could lead to
  identity theft, accounting for 27 percent of the
  total
• The government sector ranked second and accounted
  for 20 percent of data breaches that could lead
  to identity theft.
• Hacking ranked second for identities exposed in
  2008, with 22 percent this is a large decrease
  from 2007, when hacking accounted for 62 percent
  of total identities exposed.

www.vita.virginia.gov
Source http//www.symantec.com/business/theme.jsp
?themeidthreatreport
22
OWASP Top 10 Application Flaws
Cross Site Scripting (XSS) XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.
Injection Flaws Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
Malicious File Execution Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.
Insecure Direct Object Reference A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
Cross Site Request Forgery (CSRF) A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.
Information Leakage and Improper Error Handling Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks.
Broken Authentication and Session Management Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.
Insecure Cryptographic Storage Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes.
Insecure Communications Applications frequently fail to encrypt network traffic when it is necessary
Failure to Restrict URL Access Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.
www.vita.virginia.gov
Source http//www.owasp.org/index.php/Top_10_200
7
23
WASC Application Vulnerability Statistics
Web Application Security Consortium (WASC )
Report 2008 includes data from 12186 web
applications evaluated. Compared to 2007, the
number of sites with wide spread SQL Injection
and Cross-site Scripting vulnerabilities fell by
13 and 20, respectively, however, the number
of sites with different types of Information
Leakage rose by 24. On the other hand, the
probability to compromise a host automatically
rose from 7 to 13 .
www.vita.virginia.gov
Source http//projects.webappsec.org/Web-Applicat
ion-Security-Statistics
24
SQL-injection Information

• Can occur whenever client-side data is used to
  construct an SQL query without first adequately
  constraining or sanitizing the client-side input.
  The use of dynamic SQL statements (the formation
  of SQL queries from several strings of
  information) can provide the conditions needed to
  exploit the backend database that supports the
  web server.
• SQL injections allow for the execution of SQL
  code under the privileges of the system ID used
  to connect to the backend database.
• Malicious code can be inserted into a web form
  field or the websites code to make a system
  execute a command-shell or other arbitrary
  command.
• In addition to command execution exploitation,
  this vulnerability may allow a malicious
  individual to change the content of the back-end
  database and therefore the information displayed
  by the website.

www.vita.virginia.gov
25
Cross-Site Scripting (XSS)

• Allows a malicious individual to utilize a
  website address that does not belong to the
  malicious individual for malicious purposes.
• Cross Site Scripting attacks are the result of
  improper filtering of input obtained from unknown
  or untrusted sources.
• Cross-Site Scripting attacks occur when a
  malicious individual utilizes a web application
  to send malicious code, generally in the form of
  a browser side script, to an unsuspecting user.
• The parameters entered into a web form is
  processed by the web application and the correct
  combination of variables can result in arbitrary
  command execution.

www.vita.virginia.gov
26
Cross-Site Scripting (XSS)

• The unsuspecting users browser has no way to
  know that the script should not be trusted, and
  will execute the script.
• Because the unsuspecting users browser believes
  that the script came from a trusted source, the
  malicious script can access any cookies, session
  tokens, or other sensitive information retained
  by the unsuspecting users browser.
• The injected code then takes advantage of the
  trust given by the unsuspecting user to the
  vulnerable site. These attacks are usually
  targeted to all users of a web application
  instead of the application itself.

www.vita.virginia.gov
27
Opportunities For Mitigation

• Personnel Awareness Training
• Systems Development Life Cycle
• New Development
• Application Procurement
• Legacy Applications

www.vita.virginia.gov
28
Systems Development Life Cycle

• Project Initiation
• Classify the data that the system will process
• Determine if sensitive data absolutely must be
  collected and/or stored
• Perform risk analysis based on known requirements
  classification of data
• Develop an initial IT System Security Plan
• Project Definition
• Identify, document incorporate security control
  requirements into IT System design specifications
• Develop evaluation procedures to validate that
  security controls
• Update the IT System Security Plan to include
  controls
• Implementation
• Execute the evaluation procedures
• Conduct a risk assessment to evaluate overall
  system risk
• Update the IT System Security Plan to include
  controls
• Disposition
• Require that data retention schedules are adhered
  to
• Require that electronic media is sanitized prior
  to disposal

www.vita.virginia.gov
29
New Development

• Push security involvement to the front end of
  development
• Security Design (for sensitive systems)
• Encrypted communication channels
• Sensitive information shall not be stored in
  hidden fields
• Application Development
• Application-based authentication shall be
  performed for access to data that is not
  considered publicly accessible
• Support inactivity timeouts on user sessions
• Data storage must be separated from the
  application interface
• Validate all input irrespective of source, focus
  on server-side
• Implement a default deny policy for access
  control
• Use the least set of privileges required for
  processing
• Internal testing must include one of penetration
  testing, fuzz testing or source code auditing
• Clear cached and temporary data upon exit
• Production and Maintenance
• Scan internet-facing sensitive applications
  periodically for vulnerabilities

www.vita.virginia.gov
30
Applications Procurement

• Work to incorporate language into contracts that
  includes
• General
• Personnel, Security Training, Background Checks
• Vulnerabilities, Risks and Threats
• Application Development
• Development Environment
• Secure coding, Configuration management,
  Distribution, Disclosure, Evaluation
• Testing
• General, Source Code, Vulnerability and
  Penetration Test
• Patches and Updates
• Tracking Security Issues
• Delivery Of The Secure Application
• Self Certification
• No Malicious Code
• Security Acceptance And Maintenance
• Acceptance
• Investigating Security Issues

www.vita.virginia.gov
Source http//www.sans.org/appseccontract/
31
Legacy Applications

• Periodic application vulnerability scanning
• Strong configuration management
• If vulnerabilities are identified
• Each application may have specific challenges
• Case by case analysis may reveal options
• Easy fix
• Virtualization
• Host based intrusion prevention
• Application firewall technology
• Third party integration
• Other technology

www.vita.virginia.gov
32
Resources
www.vita.virginia.gov
33
www.OWASP.org
www.vita.virginia.gov
34
2009 CWE/SANS Top 25
www.vita.virginia.gov
35
http//iase.disa.mil/stigs/checklist/
www.vita.virginia.gov
36
http//trustedsignal.com/secDevChecklist.html
Recommended!
www.vita.virginia.gov
37
Organizational Resources

• Agency Information Security Officer
• Commonwealth Security and Risk Management
• Other Resources?
• CommonwealthSecurity_at_vita.virginia.gov

www.vita.virginia.gov
38
Conclusions

• Largest breaches in history due to application
  vulnerabilities
• Firewalls are necessary but wont protect
  vulnerable applications
• SQL injection and Cross Site Scripting top the
  lists of vulnerabilities measured and attacked
• Many opportunities to address the problem of
  insecure code
• Plenty of resources to help, USE THEM!

www.vita.virginia.gov
39
GEN. Patton on Usefulness of Firewalls
"Fixed fortifications are monuments to the
stupidity of man."
www.vita.virginia.gov
40
Questions?

• Thank You!
• John.Green_at_vita.virginia.gov

www.vita.virginia.gov
41
ITS ALL ABOUT SERVICE
DRAFT for Review_v.4
Gino Menchini Managing Director
42
The City of New York

• Resident population of over 8 million daytime
  population of 10 million
• Over 350,000 City employees, 300,000 retirees
• New York City Government includes its 5 counties
  
• The 1 million student school system reports to
  the Mayor
• Annual budget exceeds 59.5 billion dollars
• If New York City was a private sector
  corporation, it would be in the Top 30 of the
  Fortune 500 companies
• Over 120 agencies, offices, and organizations
  make up The City

43
New York City as a Bellwether Local Government
IT on Steroids

• New Breed of Leadership Significant expansion
  in the role of IT
• Mayor Michael R. Bloomberg Business IT
  experience
• Younger commissioners, senior staff, and
  legislators demand more of IT
• Higher expectations on Government from the public
• They demand to perform transactions seamlessly
  through the Government walk-in, web and call
  centers
• Publics perception of the competency of an
  administration is increasingly shaped by the ease
  of access/response

44
The role of IT in Emergency Response and
Preparedness

• Focus on Public Safety Technologies
• 911 CAD systems and infrastructure - 311
• First Responder Radio infrastructure
• Command and Control Communications
• Greater Dependence on
• GIS
• Email Blackberries
• New Technologies
• Video Surveillance Systems Sensor systems
• Hospital Emergency Room monitoring systems
• AVL
• Emergency Management Systems
• Real time Crime Center
• Intelligent Transportation systems
• Access control systems
• Telecomm carrier infrastructure survivability
  post 9/11
• Municipal IT infrastructure Redundancy/Survivabi
  lity

45
New York City as a Bellwether Local Government
IT on Steroids

• IT is now at the decision making table Are we
  ready?
• Guide and manage a larger volume of IT projects
  simultaneously while advancing our IT Strategy
• Be prepared to deliver IT projects rapidly high
  availability systems
• Provide solutions to address the problem of the
  day Be relevant

46
NYC Department of Information Technology and
Telecommunications - Then
47
The role of the NYC Department of Information
Technology and Telecommunications - Now
48
New technologies implemented rapidly
49
New York Citys Agencies and IT

• Highly diverse range of services, unlike private
  sector.
• Virtually the entire range of Government Public
  Sector Services are provided by New York City
  from Child care to Anti-terrorism, Street
  cleaning to fresh water reservoirs.
• Agencies are organized and staffed to focus on
  their area of responsibility and specialization
  (silos).
• Specialized agency specific IT applications need
  to be implemented and supported by agencies.
• High availability is required. Security is
  expected.

50
Unintended Consequences Dont Create New Risks

• Randy Marchany, VA Tech IT Security Office

51
What People Think of Security
Internal Network
The Firewall will protect us!
The Big Bad Internet
52
What I meant is not what I said

• Schneiers article
• http//www.schneier.com/essay-210.html
• Google street view
• County records
• Account lockout the easy DOS
• SSN finders SSN generators?
• Fundrace.org
• P2P
• Spammers and FOIA
• Classroom locks?
• Emergency Messaging Systems

53
Inside the Twisted Mind.

• Security mindset involves thinking how things
  can be made to fail
• Otherwise, you never notice most security
  problems
• Designers are so focused on making systems work
  that they dont notice how they might fail
• They dont notice how those failures might be
  exploited

54
Inside the Twisted Mind..

• Uncle Miltons Ant Farm
• You filled out a card with your address and
  theyd mail you some ants but..
• Theyll send a tube of live ants to anyone you
  tell them to
• Smartwater
• Liquid with unique id linked to an owner
• Ill paint mine on YOUR stuff and then call the
  police

55
Inside The Twisted Mind

• Auto Dealership Service Centers
• Get my car by giving them my name
• Get your car by giving them your name
• Laser Printers
• Use their disks for your storage
• City Surveillance
• Who watches the watchers?
• Can you corrupt stored camera images?

56
(No Transcript)
57
(No Transcript)
58
Account Lockout

• Whats the purpose of the lockout?
• Log failed attempts?
• Multiple entries in a short period of time
  usually indicate a brute force attack
• Password strength rules in effect?
• Designed to prevent guessable passwords

59
Account Lockout

• How long does it take to reset the account?
• Minutes?
• Hours?
• Forever?
• After hours?
• So, what if my attack is to lock you out?

60
Account Lockouts

• Account Lockout Policy
• 25 year defense
• Old Unix systems had no password controls so this
  was the only defense against brute force guessing
• AIX 3.1 (1993) was one of the first with
  password controls
• Why are we still using a 25 year defense if the
  other controls are more effective?

61
SSN Finders or SSN Generators?

• Software to search for sensitive data on
  computers
• Can they be used to generate SSN/CCN?
• Freeware
• VT Find_SSNs
• Cornell Spider
• UT-Austin SENF
• Commercial
• IdentityFinder

62
Inside the Twisted Mind
63
(No Transcript)
64
(No Transcript)
65
(No Transcript)
66
(No Transcript)
67
P2P or P_at_!_at_()P

• Ban it says the RIAA/MPAA!
• Extension divisions use P2P to distribute
  videos/recordings to farmers
• YouTube
• Independent bands use P2P to sell or distribute
  their music
• Ban P2Pbring on the antitrust lawsuits
• Youre restricting my ability to market my
  product

68
Spammers and FOIA

• A known spammer issued a FOIA request for all U
  of Texas faculty, staff and student email address
• Same thing happened in VA

69
Antivirus Software Threat?

• My job is to test security tools
• AV Software deletes my tools because it thinks it
  knows better than me.
• We know whats good for you. syndrome
• Its a race to create the exception list ?

70
Things That Make You Go Hmmm

• Locks on doors
• Bulletproof doors included?
• Likelihood of mugging vs. worse
• Dealing with 2 separate incidents
• First event happened 7am
• Second event happened 930am almost ¾ mile away
  from the first event
• Insider attack

71
Campus Lockdown?
Yes, its a Airport
Approx. 2 miles
72
(No Transcript)
73
(No Transcript)
74
Understand Your Audience

• Security Process without regard to Business
  Process
• Business Process rule the world
• Physical security rules can be translated to
  cybersecurity rules
• IT people focus on technology not the business
  process. Wrong!
• Business process doesnt consult IT when buying
  new gadgets

75
Use Risk Analysis to Build DR Plan
Business Process A
Business Process B
Business Process C
Oracle DB Forms Servers Auth Servers
Host A Host B Host C Host D Host E
Host F
76
We have met the enemy and it is vendors..
77
Its Insecure Out of the Box

• Viruses will never be eliminated
• Multibillion industry to fight them
• Eliminate the threat, we no longer have
  multibillion industry.
• Wireless cash register software sending data in
  the clear
• Document imaging systems sending data in the
  clear
• Govt/LE records digitized by insecure software
• Printers, copiers based on NT!

78
Its Insecure Out of the Box

• Security vs. Convenience
• Let the users debug the code
• OS vendors are starting to see the light
• Windows XP/2003 with security features enabled
• Apple OSX
• Linux systems with firewall enabled
• Application Vendors still dont get it
• Oracle stepped in it
• http//news.com.com/Whensecurityresearcherbecom
  etheproblem/2010-1071_3-5807074.html

79
Why is this an option? This should be the
default! Wait! I already know the last 4 digits
of my SSN so why have this at all?
80
(No Transcript)
81
(No Transcript)
82
Unlocked Key Mean Transmission In the Clear!
83
Let Me Read Your Email!
84
Why buy the cow when you can get the milk for
free?
85
(No Transcript)
86
(No Transcript)
87
(No Transcript)
88
(No Transcript)
89
(No Transcript)
90
Obtaining Personal Information

• Public Records can be accessed from anywhere in
  the world.
• Local governments are allowing access to
  sensitive info via the Web without thinking about
  security.

91
County Clerks and Identity Theft

• Making legal docs available on the net w/o good
  security practices.
• A secure www site isnt enough
• Tom Delay SSN From Public Records
• Jeb Bush SSN From Public Documents
• Colin Powell Deed of Trust
• Colin Powell SSN from Public Records
• Do County Clerks (by extension, the state
  legislature) facilitate ID Theft?

92
Whats Going On Here?

• Were spending to protect sensitive data
  (SSN) but.
• State govt is allowing SSN info to be obtained
  online so.
• Laws need to be coordinated but.
• Update VA passed a law (7/1/08) that makes it
  illegal to distribute SSN legally obtained from
  public govt www sites ?

93
(No Transcript)
94
The Twisted Mind

• If youre not doing anything illegal, you
  shouldnt care whether youre surveilled
• What if I just want to track you?
• NY Times article on bored security staff tracking
  people on the streets.

95
T-Mobile said the company's computer forensics
and security team were "actively investigating to
determine how Ms. Hilton's information was
obtained."
96
The Twisted Mind

• Smart phones and PDAs have become the electronic
  equivalent of the sticky note
• Put my passwords in the device
• What if I drain your battery?

97
Virtualization

• Use it to check for unintended consequences
• Build test systems then apply Schneiers rule to
  them
• Lets see a demo..

98
Should We Give Up?

• NO! But examine solutions carefully to make sure
  you dont introduce a worse threat
• Knee-jerk solutions cause worse problems
• Apply Schneiers rules to your solution

99
Should We Give Up?

• NO! Hold vendors accountable for their bad
  security practices
• Insecure code
• Stolen developer laptop syndrome
• They modify their EULA
• We just dont buy the product.

100
Should We Give Up?

• NO! Increase User Awareness training.
• Customize it. What makes sense at VT might not
  make sense in your house.
• Helps your overall security posture.
• If we do security for the end user, theyll never
  change their behavior.
• All security is local.
• A Tip ONeill twist

101
Questions?

• Randy Marchany, VA Tech IT Security Office Lab,
  1300 Torgersen Hall, VA Tech, Blacksburg, VA
  24060
• 540-231-9523
• marchany_at_vt.edu
• http//security.vt.edu

102
IT Seppuku Why Do We Still Suffer Security
Violations?
Eric Taylor Enterprise Security Architect
Northrop Grumman
103
Agenda

• Introduction
• Evolution of computer attacks
• The Commonwealth over the last year
• How Do We Avoid Security Violations

104
Cybergovernment
105
Cybercommunity
106
Cybereconomy
107
Cybergeeks
108
Cybersickness
109
Cyberbaby
110
Cyberdefense
111
Cyberspace
112
Cyberwarfare
113
Cybersabotage
114
Cybercrime
115
Cybercriminal
116
Cybertherapist
117
Cyberwarrior
118
Cybersuicide
119
Disclaimer

• No such thing as a secure system
• Security is hard, but the basics are easy and
  still need attention.
• Attacks are not always technical, non-technical
  means can be used
• Attacks take the path of least resistance

120
Evolution of computer attacks

• Hacking for Fun (1970 1995)
• The goal was to gain access
• Motivation was mainly curiosity
• Methods phreakers, password guessing, bad
  configurations, virus, trojan horses, insecure
  networks.
• Lessons Learned
• New Laws Congress passes the Computer Fraud and
  Abuse Act

121
Evolution of computer attacks

• Casual Hacking (1995 2000)
• The goal was to gain access, defacement,
  disruption.
• The motivation was for showing off, education,
  publicity and money.
• Methods buffer overflows, email virus/
  attachments, AOHell, Back Orifice
• Lessons Learned
• There is a need for compromise detection
  (intrusion detection)
• Software security through better tools and
  languages

122
Evolution of computer attacks

• Hacking (2001 2005)
• The goal was to attract attention through
  large-scale activities.
• Motivation publicity and money
• Methods DoS, worms, rootkits, etc..
• Lessons Learned
• Service Denied
• Bill Gates decrees that Microsoft will secure its
  products and services, and kicks off a massive
  internal training and quality control campaign.

123
Evolution of computer attacks

• Professional hacking (2005 - ?? )
• The goal for system compromise, identity theft,
  information exfiltration, and Advanced Persistent
  Threat (APT)
• Motivation is
• Methods web attacks, phishing / pharming,
  spear-phishing, etc..
• Malware, drive by downloads, FakeAV
• Large-scale botnets, hacker service networks
• Conficker worm infiltrated billions of PCs
  worldwide

124
Commonwealth over the last year

• Malware / Worms
• Over a three month period, 1335 total unique
  infections (fakeav and others)
• Conficker
• FakeAV
• Mobile Devices
• USB drives
• Lost Flash drives
• Conficker
• Stolen or lost Laptops
• Unsecure configurations
• Systems not locked down before production

125
Commonwealth over the last year

• Information leakage
• Posting sensitive information to public website
• Human Error
• Application Security
• According to Privacy Clearing house, one incident
  in 2009, Virginia provided individual
  notifications to 530,000 people
• 530,000 x .50 265,000 (estimate for stamps
  and envelopes)
• Social Engineering
• Spear phishing user accounts throughout the
  Commonwealth

126
Commonwealth Incidents

• Malware
• 66 over the last year
• Major Outages
• Unauthorized Access Attempts
• 3 instances of Virginia Agencies in 2009 appear
  on the Privacy Clearing House - A Chronology of
  Data Breaches website.

127
The Stop and Rob
Charlie 16 to dispatch, we are currently 10-8 at
the Stop and Rob on 2400 block of Jeff Davis.
128
The Stop and Rob
Developer
Firewall
Access Control
Application Logic
HTTP/ HTTPS
DATA
129
The Stop and Rob
Charlie 16 to dispatch, we are currently 10-8 at
the Stop and Rob on 2400 block of Jeff Davis.
Firewall
Access Control
Application Logic
Bad Guy
Developer
DATA
130
How Do We AvoidSecurity Violations?

• 20 Critical Controls, prioritized baseline of
  information security measures and controls
• Boundary Defense
• Avoiding Insecure Network Designs
• Patch Management
• User Awareness
• Least Privilege
• End Point or Client Side Security

NOTE - SANS 20 Critical Security Controls -
Version 2.1
131
How Do We AvoidSecurity Violations?

• Secure SDLC Processes
• Security As Weighted Factor During the
  Procurement Process
• Application Security
• Security Skill Assessment and Appropriate Training

132
Summary

• We are still learning our lessons
• Attackers are more advanced then ever before
• Security must start from the beginning
• The Commonwealth is a target

133
Social Engineering Building Bridges to
Confidential Data

• Bob Baskette
• CISSP-ISSAP, CCNP/CCDP, RHCT
• Commonwealth Security Architect

www.vita.virginia.gov
134
Why Information Security Matters

• Computer systems have an inherent value to both
  the computer system owner and those malicious
  individuals who seek the data stored on the
  computer systems and the available processing
  power the computer systems possess
• Malicious individuals may also be interested in
  taking over the computer system to store illegal
  materials or launch attacks that will be traced
  back to the compromised system instead of the
  malicious individual

135
Social Engineering

• The use of influence and persuasion to deceive
  people for the purpose of obtaining information
  or persuading a victim to perform some action
• Based on the building of inappropriate trust
  relationships
• Will target Help Desk personnel, onsite
  employees, and contractors
• Is one of the most potentially dangerous attacks
  since it does not directly target technology

136
Factors in Social Engineering

• Desire to be helpful
• Tendency to trust people
• Fear of getting in trouble
• Art of Manipulation (the ability to blend-in)

137
Social Engineering Behavioral Types

• Scarcity
• Belief that an item is in short supply
• Commonly used by marketing
• Authority
• Based on premise of power
• Liking
• Based on the fact that people tend to help people
  they like

138
Social Engineering Behavioral Types

• Consistency
• Based on the fact that people like to be
  consistent
• Social Validation
• If one person does it, others will follow
• Reciprocation
• One good turn deserves another

139
Social Engineering Attack Types

• Human-based (Person-to-Person)
• Computer-Based (Automated)

140
Human-based (Person-to-Person)

• Uses the following techniques
• Shoulder surfing
• Dumpster diving
• Impersonation
• Intimidation
• Using third-party approval

141
Human-based (Person-to-Person)

• Impersonation (Masquerading)
• Attacker pretends to be someone else
• Can impersonate an new employee, valid user,
  business client, janitor, delivery person, or
  mail room person
• Attack carries a higher risk since the attacker
  is inside the facility perimeter
• Intimidation (Posing as an important user)
• Attacker pretends to be an important user
• Works on the belief that it is not good to
  question authority
• Using third person authorization
• Attacker convinces the victim that the attacker
  has approval from a third party that is an
  authoritative source
• Works on the belief that most people are good and
  truthful

142
Human-based (Person-to-Person)

• Reverse Social Engineering
• Considered to be the most difficult type of
  Social Engineering attack
• Requires a tremendous amount of preparation and
  skill
• Act as help-desk or admin staff to request
  information
• Can involve sabotaging the victims equipment and
  then offering to fix the problem
• Can be difficult to execute since the first step
  requires the sabotage of a system
• Target could be a external utility such as a
  phone line
• Deliver defective equipment and then offer to
  repair
• Attach business card to toner box or laptop case

143
Computer-Based (Automated)

• Phishing and Spam
• Email attachments
• Fake websites
• Pop-up messages
• Drive-by downloads
• DNS Cache poisoning
• Spoofed SSL-certificates

144
SPAM and the Flying Circus

• Spam is the intentional abuse or misuse of
  electronic messaging systems to send unsolicited
  bulk messages
• SPAM is normally associated with e-mail spam, can
  be used with other electronic transmission types
  such as instant messaging, Usenet newsgroups, Web
  search engines, blogs, mobile phone messaging,
  Internet forums, and fax transmissions
• SPAM remains economically viable because
  advertisers have no operating costs beyond the
  management of their mailing lists, and it is
  difficult to hold senders accountable for their
  mass mailings
• Today, SPAM is increasingly sourced from bot
  networks. Many modern worms install a backdoor
  which allows the spammer access to the computer
  and use it for malicious purposes
• SPAM email-chains are still very popular
  promising good fortune if the chain is not broken

145
Phishing Basics

• Phishing campaigns use either email or malicious
  web sites to solicit personal information from
  targeted individuals
• Attackers attempt to replicate the look and
  format of emails from reputable companies,
  government agencies, or financial institutions
• The Phishing messages appear to come from popular
  social networking sites, auction sites, online
  payment processors or IT Administrators to entice
  the unsuspecting public to respond
• Phishing campaigns that target specific
  categories or groups of users are known as Spear
  Phishing Campaigns

146
Phishing Basics

• People respond without thinking to things that
  seem important
• Email subjects lines worded to create anxiety or
  self-doubt with subject lines such as Do you
  trust her/him or Is she/he cheating on you
  usually entice immediate action
• Email with the subjects such as Your bank
  account has been suspended or There is a
  problem with your bank account will usually get
  instant attention and prompt most people to click
  on the listed URL to determine what has happened

147
Pop-up messages

• Can prompt victim for numerous types of
  information
• Can be very successful since the message appears
  to be a system message referencing loss of access
  or malicious software detection
• Has been used successfully to install malicious
  software under the pretense of removing malicious
  software

148
Drive-By Downloads

• Uses legitimate websites to infect end users
• The legitimate website is compromised by a
  malicious individual to add hidden frames,
  malicious URLs, or malicious scripts to the
  legitimate website
• The users browser retrieves the information
  associated with the malicious URL or script and
  becomes infected with malicious software
• ClickJacking Use of hidden frames on web pages
  to entice the user into clicking on malicious URLs

149
DNS Cache Poisoning

• Uses DNS responses to redirect users to malicious
  websites
• Uses multiple techniques to load malicious
  IP-address information into legitimate DNS
  servers
• Removes the need to trick a user into visiting a
  malicious website since the malicious IP-address
  is provided by a legitimate DNS server

150
SSL Certificate Spoofing

• MD5 Hash Collision/Digital Signature transfer
• A vulnerability in the Internet Public Key
  Infrastructure (PKI) used to issue digital
  certificates for secure websites has been
  identified
• Utilizes a weakness in the MD5 cryptographic hash
  function to allow the construction of different
  messages with the same MD5 hash
• This vulnerability can be used to create a rogue
  Certification Authority (CA) certificate trusted
  by all common web browsers
• This rogue certificate can be used to impersonate
  any website on the Internet, including banking
  and e-commerce sites secured using the HTTPS
  protocol

151
SSL Certificate Spoofing/Piggybacking

• Piggybacking SSL Certificates
• Allows multiple phishing attacks on a single
  certificate
• A single compromised Web server with a valid SSL
  certificate can be used to host multiple phishing
  sites since visitors to the phishing sites
  erroneously believe that they have a secure
  connection with original website
• Visitors could only detect the fake SSL
  certificate if they reviewed the certificate or
  had access to other visual indicators (secured
  with an extended validation SSL certificate)

152
SSL Certificate Spoofing/URL Obfuscation

• NULL character attack
• Convinces the end-user that a certificate has
  been issued to a different domain than the one to
  which is was actually issued
• The use of NULL characters provides the ability
  to put up a certificate on what appears to be the
  exact same domain name as the targeted site
• This technique utilizes a Man-in-the-Middle
  attack and uses the null-character certificate to
  create its false certificates as needed
• Leading zero attack
• Similar to the NULL Character attack
• The certificate will attach an invisible zero to
  the first hex character in the certificate

153
Social Engineering Mitigation Methods

• User Security Awareness and Training
• Policies
• Procedures

154
Security Awareness Training

• Increases the understanding of security and the
  threat of Social Engineering
• Training should occur during employee enrollment
  and at regular intervals
• Training could be outsourced to a third-party
  since many employees consider third-party input
  to be more important

155
Email Security Awareness Training

• The best mitigation mechanism for SPAM and
  Phishing emails is the delete button
• To mitigate the potential threat presented by a
  spam email campaign, it is recommended that you
  remind your users to never open attachments or
  click links contained in unsolicited email
  messages
• Advise them, if possible, to check with the
  person who supposedly sent the email to make sure
  that it is legitimate prior to opening any
  attachments
• Scan any attachments at the network perimeter as
  well as the desktop with anti-virus software
  before opening the attachment
• Never use the contact information provided on a
  web site connected directly to the email request

156
Email Security Awareness Training

• Also advise users not to reveal personal or
  financial information in an email, and not to
  respond to email solicitations for this
  information
• Always examine the URL of a web site. Malicious
  web sites may look identical to a legitimate
  site, but the URL may use a variation in spelling
  or a different domain extension such as .com vs.
  .net
• An additional step to help mitigate the risk of a
  phishing campaign is to limit the administrative
  rights of the local users through the
  implementation of the Least-Privileged best
  practice
• Only display functional/group email addresses on
  public websites to limit the amount of
  SPAM/Phishing emails sent to individuals

157
Physical Security Awareness Training

• Ensure all visitors are always escorted
• Remind employees not to allow Piggy-Back access
• Remind employees not to allow an unknown person
  to wander the facility
• Never allow a visitor, client, or other persons
  to simply connect a computer to the internal
  network without prior approval

158
Credential Security Awareness Training

• Protection of account credentials
• Never give out or share passwords
• Use strong passwords for any application
  requiring a login
• Use unique passwords for every application and
  avoid using the same password for similar
  applications
• Carefully consider the questions used to verify
  the user for automated password resets
• Most automated systems use a common set of
  questions for password reset and the answers to
  these questions can be found in public records or
  on-line
• Place of birth, mothers maiden name, and school
  information are available in public records
• Friends, color preference, hobbies, and pet
  information often found on Social Network sites
• Make of first car can be guessed based on
  purchasing trends

159
Identity Security Awareness Training

• Protection of Personal Identifiable Information
  within Social Networks
• Select your screen name carefully do not
  include any information such as your name, age,
  sex, city, or employer
• Never post anything you would not want to have
  distributed publicly
• Never post personally identifying information
  such as SSN, first and last name, address,
  drivers license, telephone number and e-mail
  address
• When establishing your account, adjust your
  profile until you are comfortable with the amount
  of protection provided to maximize your security

160
Policies

• Must clarify information access controls
• Detail rules for setting up accounts
• Define access approval
• Define process for changing passwords

161
Policies

• Define policy for physical destruction of devices
  and media
• Hard Drives
• CD/DVDs
• Define physical control selection and
  implementation
• Locks
• Access controls
• How visitors are authorized and escorted

162
Employee Hiring and Termination Policies

• Hiring should include background checks,
  verifying educational records, and Non-Disclosure
  Agreements
• Termination should include exit interviews,
  review of NDA, suspension of network access, and
  checklist for equipment return

163
Help Desk Procedures

• Used to make sure that there is a standard
  procedure for employee verification
• Caller-ID or employee call-back can be used to
  verify caller
• Can also use Cognitive Passwords
• Arcane information that only the user should know

164
Password Change Policy

• Require strong passwords
• Must not contain any part of account name
• Must be at least 8-characters long
• Must contain at least three or four
• Numbers
• Uppercase letters
• Lowercase letters
• Non-alphanumeric symbols
• Require password aging
• Prohibit password reuse

165
Employee Identification

• ID badges give a clear indication of authorized
  personnel
• Guests should also wear temporary ID badges
• Guests should be required to sign-in and sign-out
• Anyone without a badge should be questioned and
  escorted to the proper facility personnel

166
Privacy Policies

• Employees and customers have a certain
  expectation with regard to privacy
• The privacy policy should be posted on the public
  website

167
Laws and Regulations

• 4th Amendment to the Unites States Constitution
• Electronic Communications Privacy Act of 1986
• Protects email and voice communications
• HIPPA (Health Insurance Portability and
  Accountability Act)
• Family Education Rights and Privacy Act
• Privacy rights to students over 18
• European Union Privacy Law
• Protects personal data

168
Data Classification Systems

• Can help prevent Social Engineering
• Can be used to define what information is most
  critical
• Can be used to gain end-user compliance
• Governmental Information Classification System
• Designed to protect confidentiality of
  information
• Commercial Information Classification System
• Focused on the integrity of information

169
Governmental Information Classification System

• Unclassified
• Information is not sensitive and does not need to
  be protected
• The loss of information would not cause damage
• Confidential
• Information is sensitive and the disclosure could
  result in some damage
• Will require a safeguard against disclosure
• Secret
• Information that is classified as secret has a
  greater important than confidential data
• Disclosure would result in serious damage
• May result in loss of significant scientific or
  technical development
• Top-Secret
• Information that requires the most protection
• Disclosure would be catastrophic

170
Commercial Information Classification System

• Public
• Similar to unclassified information
• Disclosure would not result in damage
• Sensitive
• Information requires controls to prevent the
  release to unauthorized parties
• Disclosure would result in some damage
• Private
• Information is primary personal in nature
• Can include employee or medical records
• Confidential
• Information has the most sensitive rating
• Information is required to keep the company
  competitive
• The information should never be released

171
Commonwealth Security Information Resource Center

• http//www.csirc.vita.virginia.gov
• Two Main Goals
• Create a place to provide security information
  that is relative to the Commonwealth
• Includes security topics within the COV
  government
• Addresses topics for those with interests in the
  security community
• Citizens, businesses, other states, etc.
• Create a source for providing threat data to
  third parties
• Summary threat data for public viewing
• Detailed threat data available for appropriate
  parties

172
Security Information

• Types of information posted
• Security advisories
• Advisories affecting the Commonwealth government
  computing environment
• Phishing scams
• Attempts to gather information from users that
  will be useful for malicious activity
• Information security tips
• How to integrate security into daily activity
• News
• The latest news about information security that
  would be useful to the government and its
  constituents
• Threat data
• Information showing statistics about the top
  attackers targeting the Commonwealth.

173
Security Research URLs

• Internet Storm Center
• http//isc.sans.org/
• SANS Reading Room
• https//www.sans.org/reading_room/
• OWASP
• http//www.owasp.org/index.php/Main_Page
• Security Focus
• http//www.securityfocus.com/
• US-CERT
• http//www.us-cert.gov
• Team Cymru
• http//www.team-cymru.org/

174
Questions???

• For more information, please contact
  CommonwealthSecurity_at_VITA.Virginia.Gov
• For more information on topics discussed in this
  presentation
• Bob.Baskette_at_VITA.Virginia.GOV
• Thank You!