Information and Security

Information andSecurity"No one can build hissecurity upon the noblenessof another person."- Willa CatherTopicsPort ScanningRisk ManagementWireless SecurityIn the News - 6/20/2006America's universities admit that, in the first half of2006, they let a million Social Security numbersslip through their fingers.Accountants, banks and brokerages have proventhemselves to be half as competent at protectingyour critical data, conceding to more than 1.9million lost SSNs. And the health care industryfares even worse: 2.4 million.But the King of Data Giveaways, with over 40million Social Security numbers stolen in just sixmonths, is ...Your GovernmentLocal, stateand federal.Ignore, for amoment, theinfamoustheft of 28.5millionrecords from a VA employee's laptop. You're stillleft with over 11 million stolen identities.How they got Lost...91% percent of the data was lifted via physicaltheft, where crooks stole tapes, printed records, orcomputer gear... especially laptops. In fact, over30.5 million records skipped out via laptop. That's73% of the records lost through physical means.Another 1.8 million records were exposed throughwhat can best be described as Official Stupidity.Lists of personal records were inadvertentlybroadcast via email, SSNs were posted online,dummies left downloaded databases on hotelcomputers, and viruses picked up from porn sitesharvested in-house databases.And In the End...Only 2.5 million identities were purloinedusing the method most romanticized onthe Web: hacking... just 5%. And thevast majority of those were inside jobs.And, yet, the government now wantsmore and more data, claiming that weshould "trust" them to protect it..."Cool" Security Story09/09/99 - Seattle, WashingtonThere was a power outage to 5,000homes and businesses in Seattle,Washington.And this is the reason...In the NewsStudy Shows IT Security Professionals WillNumber 2.1 Million by 2008 (8 November 2004)A study conducted by IDC projects that thenumber of IT security professionals worldwide willincrease to 2.1 million by 2008, a compoundannual growth rate of 13.7% from 2003. Inaddition, the study found that 93% managersresponsible for hiring security staff considercertifications to be important.Most industry observers also believe that handsonskills are very important as well.

Case StudyI've Got a SecretClassified DocumentsHow many classified documents doesthe US Government have?How much does it cost to keep all thosesecrets?What do you think?Chapter 5Planning for SecurityIf this is the information superhighway, it’s goingthrough a lot of bad, bad, neighborhoods.-- Dorian Berger, 1997Introduction Creation of information security program begins withcreation and/or review of organization’s information securitypolicies, standards, and practices Then, selection or creation of information securityarchitecture and the development and use of a detailedinformation security blueprint creates plan for future success Without policy, blueprints, and planning, organization isunable to meet information security needs of variouscommunities of interestInformation Security Policy, Standardsand Practices Communities of interest must consider policies as basis forall information security efforts Policies direct how issues should be addressed andtechnologies used Security policies are least expensive controls to executebut most difficult to implement Shaping policy is difficultDefinitions Policy: course of action used by organization to conveyinstructions from management to those who perform duties Policies are organizational laws Standards: more detailed statements of what must bedone to comply with policy Practices, procedures and guidelines effectively explainhow to comply with policy For a policy to be effective, must be properly disseminated,read, understood and agreed to by all members oforganizationEnterprise Information Security Policy (EISP) Sets strategic direction, scope, and tone for all securityefforts within the organization Executive-level document, usually drafted by or with CIO ofthe organization Typically addresses compliance in two areas Ensure meeting requirements to establish program andresponsibilities assigned therein to various organizationalcomponents Use of specified penalties and disciplinary actionIssue-Specific Security Policy (ISSP) The ISSP: Addresses specific areas of technology Requires frequent updates Contains statement on organization’s position onspecific issue Three approaches when creating and managing ISSPs: Create a number of independent ISSP documents Create a single comprehensive ISSP document Create a modular ISSP document

Systems-Specific Policy (SysSP) SysSPs frequently codified as standards and proceduresused when configuring or maintaining systems Systems-specific policies fall into two groups Access control lists (ACLs) Configuration rulesSystems-Specific Policy (SysSP) (continued) Both Microsoft Windows and Novell Netware 5.x/6.x familiestranslate ACLs into configurations used to control access ACLs allow configuration to restrict access from anyoneand anywhere Rule policies are more specific to operation of a systemthan ACLs Many security systems require specific configuration scriptstelling systems what actions to perform on each set ofinformation they processPolicy Management Policies must be managed as they constantly change To remain viable, security policies must have: Individual responsible for reviews A schedule of reviews Method for making recommendations for reviews Specific policy issuance and revision dateInformation Classification Classification of information is an important aspect of policy Policies are classified A clean desk policy stipulates that at end of business day,classified information must be properly stored and secured In today’s open office environments, may be beneficial toimplement a clean desk policyThe Information Security Blueprint Basis for design, selection, and implementation of allsecurity policies, education and training programs, andtechnological controls More detailed version of security framework (outline ofoverall information security strategy for organization) Should specify tasks to be accomplished and the order inwhich they are to be realized Should also serve as scalable, upgradeable, andcomprehensive plan for information security needs forcoming yearsISO 17799/BS7799 One of the most widely referenced and often discussedsecurity models Framework for information security that statesorganizational security policy is needed to providemanagement direction and supportNIST Security Models Another possible approach described in documentsavailable from Computer Security Resource Center of NIST SP 800-12 SP 800-14 SP 800-18 SP 800-26 SP 800-30NIST Special Publication 800-14 Security supports mission of organization; is an integralelement of sound management Security should be cost-effective; owners have securityresponsibilities outside their own organizations Security responsibilities and accountability should be madeexplicit; security requires a comprehensive and integratedapproach Security should be periodically reassessed; security isconstrained by societal factors 33 Principles enumeratedIETF Security Architecture Security Area Working Group acts as advisory board forprotocols and areas developed and promoted by theInternet Society RFC 2196: Site Security Handbook covers five basic areasof security with detailed discussions on development andimplementation

VISA International Security Model VISA International promotes strong security measures andhas security guidelines Developed two important documents that improve andregulate information systems: “Security AssessmentProcess”; “Agreed Upon Procedures” Using the two documents, security team can develop soundstrategy the design of good security architecture Only down side to this approach is very specific focus onsystems that can or do integrate with VISA’s systemsBaselining and Best Business Practices Baselining and best practices are solid methods forcollecting security practices, but provide less detail than acomplete methodology Possible to gain information by baselining and using bestpractices and thus work backwards to an effective design The Federal Agency Security Practices (FASP) site(fasp.nist.gov) designed to provide best practices for publicagencies and adapted easily to private institutionsHybrid Framework for a Blueprint of anInformation Security System Result of a detailed analysis of components of alldocuments, standards, and Web-based informationdescribed previously Offered here as a balanced introductory blueprint forlearning the blueprint development processFigure 5-15 – Spheres of SecurityHybrid Framework for a Blueprint of anInformation Security System (continued) NIST SP 800-26 Management controls cover security processes designed bythe strategic planners and performed by securityadministration Operational controls deal with operational functionality ofsecurity in organization Technical controls address tactical and technical issuesrelated to designing and implementing security inorganizationDesign of Security Architecture Defense in depth Implementation of security in layers Requires that organization establish sufficient securitycontrols and safeguards so that an intruder faces multiplelayers of controls Security perimeter Point at which an organization’s security protection ends andoutside world begins Does not apply to internal attacks from employee threats oron-site physical threatsKey Technology Components Firewall: device that selectively discriminates againstinformation flowing into or out of organization Demilitarized zone (DMZ): no-man’s land between insideand outside networks where some organizations placeWeb servers Intrusion Detection Systems (IDSs): in effort to detectunauthorized activity within inner network, or on individualmachines, organization may wish to implement an IDSFigure 5-18 – Key ComponentsSecurity Education, Training, and AwarenessProgram As soon as general security policy exist, policies toimplement security education, training and awareness(SETA) program should follow SETA is a control measure designed to reduce accidentalsecurity breaches Security education and training builds on the generalknowledge the employees must possess to do their jobs,familiarizing them with the way to do their jobs securely The SETA program consists of three elements: securityeducation; security training; and security awareness

Security Education Everyone in an organization needs to be trained and awareof information security; not every member needs formaldegree or certificate in information security When formal education for individuals in security is needed,an employee can identify curriculum available from localinstitutions of higher learning or continuing education A number of universities have formal coursework ininformation securitySecurity Training Involves providing members of organization with detailedinformation and hands-on instruction designed to preparethem to perform their duties securely Management of information security can developcustomized in-house training or outsource the trainingprogramSecurity Awareness One of least frequently implemented but most beneficialprograms is the security awareness program Designed to keep information security at the forefront ofusers’ minds Need not be complicated or expensive If the program is not actively implemented, employeesbegin to “tune out” and risk of employee accidents andfailures increasesContinuity Strategies Incident response plans (IRPs); disaster recovery plans(DRPs); business continuity plans (BCPs) Primary functions of above plans IRP focuses on immediate response; if attack escalates or isdisastrous, process changes to disaster recovery and BCP DRP typically focuses on restoring systems after disastersoccur; as such, is closely associated with BCP BCP occurs concurrently with DRP when damage is major orlong term, requiring more than simple restoration ofinformation and information resourcesFigure 5-22 – Contingency PlanningTimelineContinuity Strategies (continued) Before planning can begin, a team has to plan effort andprepare resulting documents Champion: high-level manager to support, promote, andendorse findings of project Project manager: leads project and makes sure soundproject planning process is used, a complete and usefulproject plan is developed, and project resources areprudently managed Team members: should be managers or theirrepresentatives from various communities of interest:business, IT, and information securityFigure 5-23 – Major Steps inContingency PlanningIncident Response Planning Incident response planning covers identification of,classification of, and response to an incident Attacks classified as incidents if they: Are directed against information assets Have a realistic chance of success Could threaten confidentiality, integrity, or availability ofinformation resources Incident response (IR) is more reactive, than proactive, with theexception of planning that must occur to prepare IR teams to beready to react to an incidentIncident Planning First step in overall process of incident response planning Pre-defined responses enable organization to react quicklyand effectively to detected incident if: Organization has IR team Organization can detect incident IR team consists of individuals needed to handle systemsas incident takes place Planners should develop guidelines for reacting to andrecovering from incident

Incident Detection Most common occurrence is complaint about technologysupport, often delivered to help desk Careful training needed to quickly identify and classify anincident Once attack is properly identified, organization can respondIncident Reaction Consists of actions that guide organization to stop incident,mitigate impact of incident, and provide information forrecovery from incident In reacting to an incident there are actions that must occurquickly: Notification of key personnel Documentation of incidentIncident Containment Strategies Before incident can be contained, areas affected must bedetermined Organization can stop incident and attempt to recovercontrol through a number or strategiesIncident Recovery Once incident has been contained, and control of systemsregained, the next stage is recovery First task is to identify human resources needed and launchthem into action Full extent of the damage must be assessed Organization repairs vulnerabilities, addresses anyshortcomings in safeguards, and restores data and servicesof the systemsDamage Assessment Several sources of information on damage, includingsystem logs; intrusion detection logs; configuration logs anddocuments; documentation from incident response; andresults of detailed assessment of systems and data storage Computer evidence must be carefully collected,documented, and maintained to be acceptable in formalproceedings Individuals who assess damage need special trainingRecovery Once extent of damage determined, recovery process canbegin Process involves much more than simple restoration ofstolen, damaged, or destroyed data filesAutomated Response New systems can respond to incident threat autonomously Downsides of current automated response systems mayoutweigh benefits Entrapment is luring an individual into committing a crimeto get a conviction Enticement is legal and ethical, while entrapment is notDisaster Recovery Planning Disaster recovery planning (DRP) is planning thepreparation for and recovery from a disaster The contingency planning team must decide which actionsconstitute disasters and which constitute incidents When situations classified as disasters, plans change as tohow to respond; take action to secure most valuable assetsto preserve value for the longer term DRP strives to reestablish operations at the primary siteCrisis Management Actions taken during and after a disaster focusing on peopleinvolved and addressing viability of business Crisis management team responsible for managing eventfrom an enterprise perspective and covers: Supporting personnel and families during crisis Determining impact on normal business operations and, ifnecessary, making disaster declaration Keeping the public informed Communicating with major customers, suppliers, partners,regulatory agencies, industry organizations, the media, andother interested parties

Business Continuity Planning Outlines reestablishment of critical business operationsduring a disaster that impacts operations If disaster has rendered the business unusable forcontinued operations, there must be a plan to allowbusiness to continue functioning Development of BCP somewhat simpler than IRP or DRP;consists primarily of selecting a continuity strategy andintegrating off-site data storage and recovery functions intothis strategyContinuity Strategies There are a number of strategies for planning for businesscontinuity Determining factor in selecting between options usually cost In general there are three exclusive options: hot sites; warmsites; and cold sites Three shared functions: time-share; service bureaus; andmutual agreementsOff-Site Disaster Data Storage To get sites up and running quickly, organization must haveability to port data into new site’s systems Options for getting operations up and running include: Electronic vaulting Remote journaling Database shadowingModel For a Consolidated Contingency Plan Single document set approach supports concise planningand encourages smaller organizations to develop, test, anduse IR and DR plans Model is based on analyses of disaster recovery andincident response plans of dozens of organizationsThe Planning Document Six steps in contingency planning process Identifying mission- or business-critical functions Identifying resources that support critical functions Anticipating potential contingencies or disasters Selecting contingency planning strategies Implementing contingency strategies Testing and revising strategyFigure 5-24 – Contingency Plan FormatLaw Enforcement Involvement When incident at hand constitutes a violation of law,organization may determine involving law enforcement isnecessary Questions: When should organization get law enforcement involved? What level of law enforcement agency should be involved(local, state, federal)? What happens when law enforcement agency is involved? Some questions are best answered by organization’s legaldepartmentBenefits and Drawbacks of Law EnforcementInvolvement Involving law enforcement agencies has advantages: Agencies may be better equipped at processing evidence Organization may be less effective in convicting suspects Law enforcement agencies prepared to handle warrants andsubpoenas needed Law enforcement skilled at obtaining witness statements andother information collectionBenefits and Drawbacks of Law EnforcementInvolvement (continued) Involving law enforcement agencies has disadvantages: Once a law enforcement agency takes over case,organization loses complete control over chain of events Organization may not hear about case for weeks or months Equipment vital to the organization’s business may betagged evidence If organization detects a criminal act, it is legally obligated toinvolve appropriate law enforcement officials

Security DemoPort ScannerPort ScanningUnzip WinStrobe.zipCopy ports.ini to c:\windowsRun WinstrobeFile / Start / Server-1Run against your PCFile / Start / 127.0.0.1Analyzing The ResultsWhat ports were open?What services are running?Do you need those services?How can a hacker use this information?Did MBSA give us this infomation?Probing PortsOpen a command tooltelnet host portTo turn on local echoCTRL+]set localechoTelnet to ports 21, 23, 25, 110What can you find out about theseports?Case StudyCost of SecurityCase StudyStolen Computers Contain Wells FargoCustomer Data (5 November 2004)Four computers stolen from RegulusIntegrated Solutions LLS's Atlanta officecontain names, addresses, social securityand account numbers belonging tothousands of Wells Fargo student loan andmortgage customers. Wells Fargo hasnotified affected customers by mail and isoffering a free year of its credit monitoringservice.Some NumbersIf 5,000 accounts were compromised and500 of those offered took Wells Fargo up onthe free credit reporting for a year.Let's also assume there were 10 PCs (vs.just the 4 that were stolen) in the office.The cost of this incident is at least $125,000.The cost of having encryption software onthose 10 PCs would be well under $10,000.Security+Domain 2: WirelessConceptsWireless Application ProtocolWireless Local Area NetworksWired Equivalent PrivacyWireless Zero Configuration

InterferenceWiFi Frequency - 2.4 GhzDepending on coating, windows candecrease signals by 50-70%Solid Core Walls - 90+%Cordless phones, MicrowavesUse same frequenciesSpread Spectrum TechnologySimultaneous communicationsPrevents eavesdroppingFrequency hopping spread spectrum(FHSS)Direct sequence spread spectrum(DSSS)Frequency hopping spread spectrum(FHSS)Dwell Time: How LongHop Time: Switch TimeHopping SequenceDirect sequence spread spectrum(DSSS)Data is "spread out" in a predefinedpattern with a power level so low thatthe signal appears to be backgroundnoiseCSMA/CD vs. CSMA/CAInternet standard isCarrier Sensing, Multiple AccessCollision DetectionWireless usesCarrier Sensing, Multiple AccessCollision AvoidanceWhy CSMA/CA?Not all wireless nodes can hear eachother.CSMA/CAListen, wait, RTSWait for CTSTransmit Data, repeatWAPSimilar to WWW, w/Small ScreensWTLSWireless Transport Layer SecurityBased on TLSBased on SSLSupport for UDP/TCPSupport for long round-trip timesLow-bandwidth, limited memory, andprocessor capabilities

802.11Developed in 19892.4 Ghz using DSSS or FHSS1 - 2 Mbps, 300 foot range802.11bMost PopularDSSS1, 2, 5.5, 11 MbpsWEP 40 (64) and 128 encryption802.11b Channels802.11b applies to wireless LANs andprovides 11 Mbps transmission (with afallback to 5.5, 2 and 1 Mbps dependingon Range and Signal Strength) in the2.4 GHz band. 802.11b uses only DSSS(Acronym for direct-sequence spreadspectrum. DSSS is one of two types ofspread spectrum radio.) 802.11b was a1999 IEEE ratification to the original802.11 standard.http://www.research.umbc.edu/~dgorin1/451/wlan/wlan.htmWireless Channels802.11b PerformanceSpeed vs. Distance802.11a5 Ghz UNII Bands6,9,12,16,18,24,36,48,and 54MbpsRate Doubling TechnologyNot backwards compatibleDual Frequency WAPShorter Range (25-75 feet)More WAPsMore Expensive802.11g2.4 GhzUp to 54MbpsRate Doubling TechnologyBackwards compatible w/802.11bRange up to 300 feetMidrange CostsNot compatible with 802.11aComparisonAd-HocStations interact with each other

InfrastructureStations access via WAPMultiple NetworksSSIDService Set IdentifierNetwork nameBroadcast?Site SurveySiteSurveyWEPWired Equivalent PrivacyEncryption and AuthenticationShared KeyBased on PassphraseIEEE 802.11 standard states that WEPprovides for protection from “casualeavesdropping.”WEP FeaturesHas CRC-32 to provide integrityUses RC4 encryptionWEP is easy to implementSet keys on WAPs and ClientsWEP keys are user-definable, and can,and should, be changed oftenWEP AuthenticationIf the keys don't match, the system isrefused.In-DepthWardrivingWarDrivingHackers willsearch forwireless accesspoints with aportablecomputer and GPS...Video: war.driving.wmv

WarMappingAnd produce maps to share with theirfriends...It Can't Happen HereWardriving in HollywoodDo the rich and famous have openwireless access points?Tech TV tried to find outVideo: TTV_wardriving.asfOther attacksWireless MITMRouge WAPs sites40 Bit Encryption is WeakRC4 Encryption WeaknessesReusing keysAdditional Protection MethodsWireless Subnet outside firewallStrong AuthenticationWireless VPNIntegrating WirelessEnd of This Lesson