
Fundamentals of e-Security

James Kerr, Office of Technology Services, June 2005

Acknowledgements & Credit


Many thanks to Charles Morrow-Jones, Director of Network Security, Office of the CIO, and Steve Romig, Director of the OSU Incident Response Team. This presentation is based on their presentation, CyberSecurity for Managers, presented in June 2005.


Goal

To help you understand some basics about information security
To give you some resources that will help you when you need to expand on this base

Agenda

What and who are we worried about, and why?
What can you do about it?
How are incidents detected and handled?

C.I.A.
The University's entire information processing environment rests on the assumption that we have:
Confidentiality: prevent unauthorized disclosure (Threat: unauthorized access)
Integrity: ensure accuracy and authenticity (Threat: altered, deleted, or added data)
Availability: ensure that information and systems are there when we need them (Threat: denial of service)

Other Concerns

Liability: someone can use our computers to do bad things that leave us with the liability
Reputation: security issues can make us look bad, affecting parental trust and recruiting
Legal: a growing body of law requires that we do certain things to secure our systems (FERPA, HIPAA)
Financial: security issues cost money, directly or indirectly
Traceability, auditability: bad things happen, and you need to find out what and why (and sometimes who)

Exercise
A bad day at the Wild West University
Two press releases describing the loss of private information from a university's system:

Initial Report -- March 5, 2003, 10:00 p.m.

On Sunday, March 2 at 7:20 p.m., computer systems personnel at WWU discovered a computer malfunction. The affected computer system was immediately shut down, and detailed analysis was begun.

What happened?
The malfunction was assessed to be the result of a deliberate attack from the Internet. Subsequent analysis revealed that a security weakness in an administrative data reporting system was exploited by writing a program to input millions of Social Security numbers. Those SSNs that matched selected individuals in a WWU database were captured, together with e-mail address, title, department name, department address, department phone number, and names/dates of employee training programs attended. It is important to note that no student grade or academic records, or personal health or insurance information was disclosed.

Is there evidence that the stolen data have been misused or disseminated?
WWU, in conjunction with the U.S. Attorney's Office, the U.S. Secret Service, and other law enforcement agencies, has focused its efforts since Sunday evening on identifying the perpetrator(s) of the break-in and recapturing the stolen data. To date there is no evidence that the stolen data have been distributed beyond the computer(s) of the perpetrator(s).

What is WWU doing about this?
WWU's highest priority has been to identify the source of the attack and to cooperate with law enforcement authorities to capture the perpetrator(s), and any associated computers and data. Our second priority will be to assess the extent of further data exposure, if any, and to establish a proactive communication program with affected individuals and the WWU community.

How many individual records were exposed?
Approximately 55,200 individuals had some of the above data exposed. This group includes current and former students, current and former faculty and staff, and job applicants.

How will affected individuals be notified?
The University is currently developing a communication plan and will contact affected individuals as soon as possible. At this juncture, there is no evidence that the data have been further exposed or misused. To send a comment or question to the WWU Incident Response Team, please e-mail datatheft@its.wwu.edu (do not send your Social Security number in any e-mail message). WWU regrets this incident and commits to do whatever is required to ensure the integrity of the data of all our past and present colleagues.
<signed> Vice President for Information Technology, Wild West University

Data Theft Update (October 2003)

The Wild West University regrets that one of its administrative databases was breached in March by a deliberate attack through the Internet. Thousands of names and Social Security numbers were illegally accessed and downloaded to a personal computer. Fortunately, it appears that prompt action by the Travis County District Attorney's Office, the U.S. Attorney's Office, and the U.S. Secret Service has secured the stolen data before they could be misused or further disseminated. A WWU undergraduate student suspected of the crime was arrested by the U.S. Secret Service on March 14. His computer and related paraphernalia were seized and are being analyzed by the Secret Service. Although the security breach and related charges facing the suspect are indeed serious, the U.S. Attorney's Office has stated officially, "At this point, there is no indication that the stolen data was further disseminated or used to anyone's detriment."

As of October 2003, the University has successfully contacted 92 percent of the individuals known to be affected by the data theft incident, and continues its efforts to reach the remaining affected population. The University is doing everything it can to ensure the security of personal information. An underlying issue that has received attention is the University's use of the Social Security number as the unique identifier for students, faculty, staff, and other affiliates, a practice that is widespread in universities and elsewhere. The University launched a project in 2001 to migrate database systems and services to a different identifier, and important progress has been made, but the breached system continued to rely upon SSN inputs.

Questions to Discuss
1) What CIA principles were violated?
2) What other concerns did this attack raise?
3) If your information had been exposed, what would you do?
4) How much would this incident concern you if you were not affected? Would your relationship to the university matter?
5) Based on this information, how would you evaluate WWU's communications to users?
6) Can you think of any similar lurking time bombs at OSU?
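The WWU report says the reporting system was abused by a program that submitted millions of identifiers and kept the matches. That pattern (one client, many distinct lookups in a short time, mostly misses) is visible in ordinary application access logs long before the data leaves the building. The following Python example is added here for the discussion questions and is not part of the original presentation or of any WWU system. The log format, the /reports/lookup path, the client addresses, the record identifiers and the thresholds are all constructed for the example.

```python
"""Detecting bulk record lookups in application access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption for this example): ISO timestamp,
# client address, request path carrying a record identifier, HTTP status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) /reports/lookup\?id=(?P<rid>\w+) (?P<status>\d{3})$"
)


def _constructed_log():
    """Two ordinary lookups from one client, then 30 lookups of distinct
    identifiers in 30 seconds from another client, most of them misses."""
    lines = [
        "2003-03-02T19:10:01 10.0.5.21 /reports/lookup?id=A0100 200",
        "2003-03-02T19:12:30 10.0.5.21 /reports/lookup?id=A0101 200",
    ]
    hits = {5, 17, 29}  # the few guesses that happened to match a record
    start = datetime(2003, 3, 2, 19, 20, 0)
    for n in range(1, 31):
        ts = (start + timedelta(seconds=n)).isoformat()
        status = 200 if n in hits else 404
        lines.append(f"{ts} 10.0.9.77 /reports/lookup?id=A{n:04d} {status}")
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Return (timestamp, client, record_id, status), or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["client"], m["rid"], int(m["status"]))


def detect_enumeration(lines, window=timedelta(minutes=1), max_distinct=20):
    """Flag each client that looks up more than max_distinct different
    record identifiers inside any sliding window of the given length.

    Returns {client: {"first_seen", "distinct_ids", "misses"}}, recorded at
    the moment the threshold was first crossed."""
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent = defaultdict(deque)  # client -> (ts, rid, status) still inside the window
    alerts = {}
    for ts, client, rid, status in events:
        q = recent[client]
        q.append((ts, rid, status))
        while ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        distinct = {r for _, r, _ in q}
        if len(distinct) > max_distinct and client not in alerts:
            alerts[client] = {
                "first_seen": q[0][0],
                "distinct_ids": len(distinct),
                "misses": sum(1 for _, _, s in q if s == 404),
            }
    return alerts


if __name__ == "__main__":
    for client, info in detect_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {client}: {info['distinct_ids']} distinct ids "
              f"({info['misses']} misses) since {info['first_seen']}")
```

The threshold and window are deliberately loose; a real deployment tunes them to how the reporting system is actually used (a registrar's office may legitimately look up dozens of records in a minute, a self-service page should not). The miss count is the more telling signal: guessing produces far more misses than a user who knows which record they want.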

Terminology
Scan: probing through the network to find vulnerable systems
Vulnerability: a weakness that might be exploited to do something bad
Exploit: using a vulnerability to gain access to a system

Terminology, continued
Backdoor: a hidden entrance to your system
Rootkit: tools used to hide an intruder's presence
Virus, worm, trojan: old names for different sorts of bad software

Terminology, continued
Malware: new name for viruses, worms, trojans, adware, spyware (MALicious softWARE)
Adware, spyware: commercial software that invades your privacy, displays popups, and undermines your security

Terminology, continued
Bot: (short for robot) a computer running software that makes it part of a botnet, and allows others to control it remotely
Botnet: a network of tens, hundreds, thousands, or tens of thousands of bots that can be used for scanning, exploiting, denial of service attacks, spamming, file sharing, and so on

Terminology, continued
Encryption: a way to make data unreadable by everyone except the intended recipients
Authentication: the act of identifying yourself to the computer
Two-factor authentication: authentication that uses something you have (a key, a token card) and something you know (a password, PIN)
Three-factor authentication: authentication that uses something you are (biometric scan: fingerprint, retina scan, voice print), something you have (a key, a token card), and something you know (password, PIN)

Terminology, continued

Authorization: rights granted to a person (or a program, computer, etc.) for some object (such as data in a database, or login to a network)
Examples: Jkerr is authorized to log in on this computer, but not on that one. Jkerr is authorized to read this data, but not modify or delete it.

Who are we worried about?

Teenagers

A large number of attacks are perpetrated by teenagers
They have high interest in computers
They have lots of free time
Their morals aren't quite fully developed
No perceived danger to themselves ("script kiddies")
Goals include:
Just playing around; learning
Gaining social stature in the computer underground
Support their passion (file sharing, denial of service; see social stature)

Who are we worried about?

Organized Criminals
Goals: $$$ for spam, denial of service, identity theft, espionage, harassment
Botnets are a real business now, for spam, denial of service attacks, and building other botnets
They are high-risk operations, and more motivated to use sophisticated tools and techniques to hide their tracks

Who are we worried about?

Unorganized criminals
Disgruntled employees (are the rest of us gruntled?)
Other individuals doing criminal things
Feb. 5, 2005 (Sophos news): a 24-year-old former AOL employee has pleaded guilty to stealing a list of 92 million email addresses of the ISP's customers and selling it to spammers for $28,000 (= $0.0003 per address)

Who are we worried about?

Legitimate users
People doing things that unintentionally put systems at risk, typically through experimenting with game servers, file sharing, web servers, instant messaging, etc.
People who carelessly click on email attachments, approve dialogue boxes that ask whether it's OK to install extra software, respond to phishing attacks, and so on

C.Y.A.
Because we are concerned about C.I.A. (and the other issues) we need to secure our systems, networks, and data.
Step 1: identify assets (data, services, etc.)
Step 2: identify threats (C.I.A.) for each asset
Step 3: identify controls to protect our assets from these threats

Physical Security
Provides for the protection of property, personnel, and facilities from illegal or criminal acts, and/or environmental disruptions
A physical security plan should be created that deals with control of access to the building or office
The plan should also address responses to environmental problems

Physical Security, continued


Look at what you are trying to protect, and who or what you are trying to protect it from, then decide how much security is required.
Physical security is the first line of defense against the exploitation of computer systems
70% of data theft is physical theft, usually by stealing a physical device. Physical security should make device theft as difficult as possible.

Physical Security, continued


Access control at doors
Physical locks or authorization (something you have) to access systems, especially laptops
Key control: janitorial access, master keys

Laptop/PDA Security

Consider the worst case scenario: laptop is stolen


You don't have access to whatever was on it
They do
Do you have backups?
Was sensitive data encrypted, including e-mail? (SSNs, student grades; think FERPA)

Laptop/PDA Security, continued

Apple Mac OS X supports FileVault, which automatically encrypts files. This should be turned on (off by default).
Windows 2000 and XP support EFS, the Encrypting File System. This should be turned on (off by default).

Account Security
Don't share your accounts or passwords
Use good passwords
Use different passwords on different systems
Change your passwords
Lock your screen

Good Password Habits


Change every 60-90 days
Use all available characters
Memorize, don't write
Bad: 1234, <first name> (e.g. jim), buckeye, osu, brutus, lima, password
Good: 1Gin+2Tonic
Good: 47adFb2m

Data Security
Essential to Confidentiality and Integrity
Regulatory environment: FERPA and student information
Involves protecting data in transit, as well as in storage
Often requires encryption of the data

People Security
Background screening as part of the hiring process
Termination best practices:
Remove their access
Dispossess them of sensitive materials
Repossess important materials (latest version of their projects)

People Security, continued


Questions to ponder:
Do you know what access each employee has, including remote access?
Can you guarantee they haven't set up back-doors, especially if they were disgruntled before they left?
Do you have policies about sensitive materials at home, backups, etc.?

People Security, continued

Social engineering: techniques that rely on weaknesses in humans rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system's security
Modified from The Jargon File, version 4.7.7

Phishing example
(Screenshot of a phishing e-mail; the slide's callouts point out mis-spelled words and F.U.D., fear, uncertainty and doubt.)

Phishing example

<a href= "http://www.paypallk.com:680/paypal.php" style="font-family: monospace; font-size: 10pt;">Click here to confirm your account</a>

See PayPal site page on security
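The link on this slide shows the tell-tale signs of a phishing URL: a domain that merely contains the brand name (paypallk.com rather than paypal.com), a non-standard port, and link text that says nothing about where the link really goes. The following Python example is added here and is not part of the original presentation or of anything PayPal publishes; it pulls the href out of the slide's own anchor and lists those warning signs. The set of domains the brand legitimately uses is an assumption for the example.

```python
"""Checking where an e-mail link really points (added example)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The anchor as it appears on the slide (the one real input here).
SLIDE_ANCHOR = ('<a href= "http://www.paypallk.com:680/paypal.php" '
                'style="font-family: monospace; font-size: 10pt;">'
                'Click here to confirm your account</a>')
# Assumption: the domains the brand legitimately uses for this kind of link.
EXPECTED_DOMAINS = {"paypal.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def host_matches(host, domains):
    """True when host is one of the domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_link(href, text, expected_domains):
    """Return the reasons a link looks suspicious; an empty list means none found."""
    warnings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if not host_matches(host, expected_domains):
        warnings.append(f"host {host!r} is not under {sorted(expected_domains)}")
        for d in expected_domains:
            brand = d.split(".")[0]
            if brand in host:  # brand name buried in a different domain
                warnings.append(f"lookalike: host contains '{brand}' but is a different domain")
    try:
        ipaddress.ip_address(host)
        warnings.append("link uses a raw IP address instead of a name")
    except ValueError:
        pass
    if parts.port not in (None, 80, 443):
        warnings.append(f"non-standard port {parts.port}")
    if parts.scheme != "https":
        warnings.append("not an https link")
    # Visible text that itself looks like an address should agree with the real host.
    shown = urlsplit(text).hostname if text.lower().startswith("http") else None
    if shown and shown.lower() != host:
        warnings.append(f"visible address {shown!r} differs from real host {host!r}")
    return warnings


if __name__ == "__main__":
    for href, text in extract_links(SLIDE_ANCHOR):
        print(f"{text!r} -> {href}")
        for w in assess_link(href, text, EXPECTED_DOMAINS):
            print("  !", w)
```

The same checks are what a person does by hovering over the link before clicking: read the real host name right to left, and treat a brand name that is not the registered domain as a lookalike.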

Social engineering example

How could a person get tricked into giving out a password over the phone? Much easier than you think!


Social engineering example

"Hi, this is Jim from Tech Services. We noticed that your network segment is down, and we'd like to try your login to verify it. What's your password?"
"This is Andrew from Technology Services. Your mail spool on the server is blocked, and we need your password to clear it."

What can I do?


Lock it down!
Auto-install OS updates
Install and use anti-virus and anti-adware/spyware software
Personal firewall (OS X and Windows XP built-in)
Backups!
Use good password practices

What else can I do?


Use a browser other than Internet Explorer, e.g. Firefox
Use a locking screensaver
Don't use Instant Messaging clients
Cautiously use e-mail attachments
Don't use password hints
Disable automatic logins
Apply paranoia as necessary

What does Technology Services do?

Lima OTS and Columbus Network Security (division of OIT) actively scan network hosts for vulnerabilities
Lima OTS and Columbus Net Security actively monitor network traffic for suspicious activity

What does Technology Services do?


Centralize Microsoft OS patches and hotfixes
Centralize McAfee virus scan updates
Filter e-mail for spam and viruses
Authentication
Columbus blacklisting
Firewall for Lima network

Firewall

Restricts access to network services, in and out

Personal (host) and network

Image courtesy of INetU Managed Hosting http://www.inetu.net/services/firewalls.php


What is coming next?

Best Practices for passwords


Minimum password length
Complexity requirements
Rotation: change enforcement
Encrypted remote access
Two-factor authentication for laptops:
Something you have
Something you know
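The password best practices announced here (minimum length, complexity, rotation) are the same rules as the Good Password Habits slide, stated as policy. The following Python example is added to show those rules as a check a help desk or account system could run; it is not part of the original presentation and not OSU's actual policy code. The thresholds, and the starter blocklist built from the slide's own "bad" examples, are assumptions for the example.

```python
"""Password policy checks: length, complexity, local-term blocklist, rotation age (added example)."""
import string
from datetime import date

# Assumed policy thresholds for this example.
MIN_LENGTH = 8
MIN_CLASSES = 3
MAX_AGE_DAYS = 90
# Starter blocklist taken from the slide's "bad" list (names, mascots, campus terms).
LOCAL_TERMS = {"jim", "buckeye", "osu", "brutus", "lima", "password"}


def character_classes(pw):
    """Count the character classes used: lowercase, uppercase, digits, symbols."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(1 for check in checks if any(check(c) for c in pw))


def check_password(pw, first_name=None):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} of the 4 character classes")
    lowered = pw.lower()
    terms = set(LOCAL_TERMS)
    if first_name:  # the user's own name is as guessable as the campus mascot
        terms.add(first_name.lower())
    found = sorted(t for t in terms if t in lowered)
    if found:
        problems.append("contains easily guessed term(s): " + ", ".join(found))
    return problems


def _as_date(d):
    """Accept either a date or an ISO string such as '2005-03-01'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def needs_rotation(last_changed, today):
    """True when the password is older than the policy allows."""
    return (_as_date(today) - _as_date(last_changed)).days > MAX_AGE_DAYS


if __name__ == "__main__":
    for candidate in ["1234", "buckeye", "password", "1Gin+2Tonic", "47adFb2m"]:
        verdict = check_password(candidate, first_name="Jim")
        print(f"{candidate:12} {'OK' if not verdict else '; '.join(verdict)}")
    print("rotate:", needs_rotation("2005-03-01", "2005-06-15"))
```

Substring matching on the blocklist is deliberate: "Buckeye2005!" satisfies length and complexity and still falls to a guess, which is why the slide lists those words as bad regardless of what is appended to them.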

F.A.Q.

How can I tell when I've been infected?
Unusual slowdown
Unexpected crashes, strange errors
Mouse movement or typing without you (possessed)
OIT security blacklists: no Internet access off-campus

What do I do?
Turn it off!
Report it to Technology Services
Don't try to back up now; it's too late, and you may spread contamination.

F.A.Q.

What do you do with an infected/compromised computer?


Attempt disinfection/repair if it's a known threat with proven recovery
Most often, complete rebuild of the computer
Clean and repair data files

Useful Resources

Lima Technology Services: http://lima.osu.edu/ots
Columbus OIT Network Security: http://www.net.ohio-state.edu/security
CIO Policies: http://cio.osu.edu/policies/policies.html
Network Policies: http://www.net.ohiostate.edu/OSUNet/policies.html

Useful Resources

OSU Site Licensed Software: http://osusls.osu.edu
Spybot Search & Destroy: http://www.spybot.info
General Spyware Information: http://www.getnetwise.org
FERPA and OSU: http://www.registrar.ohiostate.edu/ourweb/more/Content/ferpa.pg1.html
Phishing: http://www.antiphishing.org/phishing_archive.html