People
By Jamie Sims
February 13, 2003
Outline
Trusting other computers
Firewall Vulnerabilities
Employees
Consultants
Outsiders
Trusting Other Computers
The question is how much each system should trust other systems it communicates with.
– Always insist on too much security
– Even though it might make employees angry, you will be protecting their work
Trusting Other Computers
Some computers contain data so confidential that they should have no connection to the Internet or company network
Examples of Databases not to put on the Network
Ones that contain:
– Employee data
– Patient medical data
– Financial databases (banking, stock, etc.)
– Legal cases
– Customer information (credit cards, passwords)
– Security information
Firewall Vulnerabilities
1. Attacks from within
   a) Someone with access to internal systems initiates an attack
2. End runs and tunneling
   a) Intruder gets past the firewall and "has his way" with your systems
   b) All it takes is someone connecting a modem to his/her desktop system to defeat the firewall
Firewall Vulnerabilities
3. Content-based attacks
   a) Malicious email attachment
   b) MS Word macros
   c) Evil Web pages
4. Address spoofing attacks
   a) Any decent firewall will detect a packet originating from outside the agency, spoofing an address of an inside machine, and drop it
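An added example, not from the original slides, of the anti-spoofing check item 4 describes, written in Python with constructed address ranges and sample packets: a packet on the outside interface whose source claims to be an inside machine is dropped, and the mirror rule on the inside interface keeps internal hosts from emitting foreign source addresses.

```python
import ipaddress

# Constructed example: the agency's own address space. A packet that arrives
# on the outside (Internet) interface with a source in this range is spoofed.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                 ipaddress.ip_network("192.168.50.0/24")]
# RFC 1918 and loopback space should never arrive from the Internet either.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def ingress_decision(iface, src):
    """Return ('drop', reason) or ('accept', '') for a packet seen on iface
    ('outside' = Internet link, 'inside' = LAN) with source address src."""
    addr = ipaddress.ip_address(src)
    if iface == "outside":
        if _in_any(addr, INTERNAL_NETS):
            return "drop", "external packet spoofing an internal source"
        if _in_any(addr, BOGON_NETS):
            return "drop", "unroutable source on external link"
    elif iface == "inside":
        # Egress side of the same rule: the LAN may only emit our own
        # addresses, so our hosts cannot be used to spoof someone else.
        if not _in_any(addr, INTERNAL_NETS):
            return "drop", "internal host emitting a foreign source address"
    return "accept", ""


# Constructed sample traffic as (interface, source IP) pairs.
SAMPLE_PACKETS = [
    ("outside", "203.0.113.7"),   # ordinary Internet client: accept
    ("outside", "10.20.3.44"),    # claims to be a LAN host: spoofed, drop
    ("outside", "172.16.9.1"),    # RFC 1918 source from the Internet: drop
    ("inside", "10.20.3.44"),     # genuine LAN host: accept
    ("inside", "198.51.100.9"),   # LAN host spoofing an outside address: drop
]


def dropped_packets(packets=SAMPLE_PACKETS):
    """Return (iface, src, reason) for every packet the rules would drop."""
    return [(iface, src, reason)
            for iface, src in packets
            for verdict, reason in [ingress_decision(iface, src)]
            if verdict == "drop"]
```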
Firewall Vulnerabilities
5. DoS attacks
   a) The attacker can flood your firewall with more traffic than it can handle, burying legitimate packets
6. Misplaced server attacks
   a) Vulnerable services should be provided by systems in the DMZ (web server configs, externally accessible DNS, sendmail)
7. Configuration error attacks
   a) Analyze any changes to firewall configuration carefully
"...the human factor is truly security's weakest link." Kevin D. Mitnick
The FBI claims that more than 80% of all computer intrusions are from within.
Employees
Hacking tools used by employees within organizations may be the biggest security threat to emerge this year, leading to increased vulnerabilities, lost data, and wasted time and resources
Websense, the worldwide leader of employee Internet management (EIM) solutions, reports that the number of hacking Web sites has increased 45 percent in the last 12 months, now totaling approximately 6,000 Web sites, encompassing more than 1 million pages of content
Nearly 90 percent of U.S. businesses and government agencies suffered hacker attacks in the last year, according to Newsbytes, while 80 percent of network security managers claim their biggest security threat comes from their own employees, according to a survey conducted at this year's Gartner Information Security Conference.
http://www.websense.com/company/news/pr/02/121702.cfm
The Social Engineer
Social Engineering is the hacker term for a con game: persuade the other person to do what you want
Bypasses:
– Cryptography
– Computer security
– Network security
– Everything else technological
Employees
Companies need to prepare for social engineering attacks from current or former employees who may have an axe to grind.
Background checks may be helpful to weed out prospects who may have a propensity toward this type of behavior. But in most cases, these people will be extremely difficult to detect.
The only reasonable safeguard in these cases is to enforce and audit procedures verifying identity, including the person's employment status, prior to disclosing any information to anyone not personally known to be with the company.
Employees
New Employees
Current Employees
Former Employees
Disgruntled Employees
New Employees
New employees are ripe targets for attackers
o Do not know company procedures
o Eager to show how cooperative and quick to respond they can be, so they will give out any information anyone asks them for!
o Unaware of the value of specific company information or of the possible results of certain actions.
o Tend to be easily influenced by some of the more common social engineering approaches:
  o a caller who invokes authority
  o a person who seems friendly and likeable
  o a person who appears to know people in the company who are known to the victim
  o a request that the attacker claims is urgent
  o the inference that the victim will gain some kind of favor or recognition
New Employees
Andrea in HR
Former Employees
Need to have ironclad procedures when a departing employee has had access to sensitive information, passwords, dial-in numbers, etc.
– Your security procedures need to provide a way to keep track of who has authorization to various systems.
Change passwords for accessing systems (administrator passwords if applicable).
For companies that need very high security, it needs to be required that all employees in the same workgroup as the person leaving change their passwords
Disgruntled/Fired Employees
Story about employee who was transferred to a different department within the city offices.
Policies for All Employees
1. Reporting suspicious calls
Employees who suspect that they may be the subject of a security violation must immediately report the event to the company's incident reporting group
When a social engineer fails to convince his or her target, they will try someone else.
2. Documenting suspicious calls
The employee shall, to the extent practical, draw out the caller to learn details that might reveal what the attacker is attempting to accomplish, and make notes
Such details can help the incident reporting group spot the object or pattern of an attack
Policies for All Employees
3. Disclosure of dial-up numbers
Company personnel must not disclose company modem telephone numbers, but should always refer such requests to the help desk.
Treat dial-up numbers as internal information, only to be given to employees who need to know such information
4. Corporate ID badges
Except in their immediate office area, all company personnel, including management and executive staff, must wear badges at all times
All employees who arrive at work without their badge should be required to stop at the lobby desk or security office to obtain a temporary badge
Policies for All Employees
5. Challenging ID badge violations
All employees must immediately challenge any unfamiliar person who is not wearing an employee badge or visitor's badge.
6. Piggybacking
Employees entering a building must not allow anyone not personally known to them to follow behind them when they have used a secure means to gain entrance into an area
Carrying boxes so the worker will hold the door open for them to be nice
Policies for All Employees
7. Shredding sensitive documents
Cross-shred sensitive documents and destroy hard drives and disks that contained sensitive information
8. Personal identifiers
Never use employee numbers, social security numbers, driver's license numbers, date and place of birth, or mother's maiden name for verifying identity
These are not secret and can be obtained numerous ways
Policies for All Employees
9. Organizational charts
A company's organization chart details should never be released to anyone outside the company
This includes positions, contact numbers, extensions, emails
10. Audit access to sensitive files, like payroll files, unless the employee is allowed to have access to these files for job reasons
Employees have been known to write a program where they will receive a raise every few months
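An added example, not from the original slides, of the audit in item 10: constructed payroll access-log lines are checked for access by accounts outside the authorized group and for the "raise every few months" pattern. The account names, log format and thresholds are all assumed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed policy: accounts whose job requires payroll access, and how many
# raises for one employee inside WINDOW_DAYS are acceptable without review.
AUTHORIZED = {"hr_alice", "hr_carol"}
MAX_RAISES_PER_WINDOW = 1
WINDOW_DAYS = 180

# Constructed log format: timestamp, account, READ/WRITE, path, and for salary writes the emp id and new salary.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<user>\S+) "
    r"(?P<action>READ|WRITE) (?P<path>\S+)"
    r"(?: emp=(?P<emp>\d+) salary=(?P<salary>\d+))?$")

SAMPLE_LOG = """\
2003-01-06 09:12:03 hr_alice READ /payroll/2003/jan.dat
2003-01-06 09:40:11 bob_dev READ /payroll/2003/jan.dat
2003-01-06 23:58:41 batch_job WRITE /payroll/master.dat emp=4471 salary=52000
2003-02-14 10:05:00 hr_alice WRITE /payroll/master.dat emp=3102 salary=61000
2003-03-01 00:01:02 batch_job WRITE /payroll/master.dat emp=4471 salary=55000
2003-05-01 00:00:59 batch_job WRITE /payroll/master.dat emp=4471 salary=58000
garbage line that the parser must not silently skip
"""

def audit_payroll(log_text):
    """Return (kind, detail) findings: access by accounts outside the authorized
    group, repeated raises for one employee, and malformed log lines."""
    findings = []
    history = defaultdict(list)            # emp id -> [(timestamp, salary)]
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:                          # an unreliable log is itself a finding
            findings.append(("malformed", raw))
            continue
        rec = m.groupdict()
        ts = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        if rec["path"].startswith("/payroll/") and rec["user"] not in AUTHORIZED:
            findings.append(("unauthorized", "%s %s %s" %
                             (rec["user"], rec["action"], rec["path"])))
        if rec["emp"]:
            history[rec["emp"]].append((ts, int(rec["salary"])))
    for emp, hist in sorted(history.items()):
        hist.sort()
        ups = [b[0] for a, b in zip(hist, hist[1:]) if b[1] > a[1]]  # raise times
        if len(ups) > MAX_RAISES_PER_WINDOW and (ups[-1] - ups[0]).days <= WINDOW_DAYS:
            findings.append(("repeated_raise", "emp %s raised %d times in %d days"
                             % (emp, len(ups), (ups[-1] - ups[0]).days)))
    return findings
```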
Malicious Insiders
A dangerous and insidious adversary
Can be impossible to stop because they're the same people we're forced to trust
Know how the system works and where the weak points are
Consultants
Insiders are not always employees; they can be consultants
Consultants have access to sensitive information and are trusted by the company's employees, so they could easily attack a system
Stanley Mark Rifkin story
Outsiders
Someone who does not have security clearance to access information
The "unverified" person
What to do when confronted by an Outsider
1. Verify that the person is who he or she claims to be
2. Callback
3. Vouching
4. Shared Secret
5. Employee's Supervisor
6. Secure Email
7. Personal Voice Recognition
8. Dynamic Password Verification
9. In person with ID
Outsiders
Michael Parker figured out that people with college degrees got better paying jobs....
References
Mitnick, K.D. & Simon, W.L. The Art of Deception: Controlling the Human Element of Security. 2002. Wiley Publishing, Inc., Indianapolis, IN
Schneier, B. Secrets & Lies: Digital Security in a Networked World. 2000. John Wiley & Sons, Inc., New York, NY
Toxen, B. Real World Linux Security. 2002, 2nd Ed. Pearson Education, Upper Saddle River, New Jersey