Security of data, networks and mobile solutions
Source: doc.housing.org.uk.s3.amazonaws.com/presentations/ts2...
Posted 12-Jul-2020

Julian Heywood

Development Manager

MIS Active Management Systems

julian.heywood@mis-ams.com

Session TS2

Mark Appleyard

Managing Director

MIS Systems Engineering

mark.appleyard@mis-se.com

Security of data, networks and mobile solutions

Session Focus

• Understanding the data security risks in the mobile working environment

• Developing an open, multi-layered approach to mobile security

• Delivering secure mobile working practices to drive productivity and business opportunities

Julian Heywood (MIS Active Management Systems)

What is mobile working?

8 Rules of Good Security

1. Nothing is 100% secure

“The most secure computers are those not connected to the internet and shielded from any interference.”
- Wikipedia - Computer Security

2. Trust No One And No Thing

3. Security should be designed into the system, not added as an afterthought

4. Don’t Re-Invent The Wheel

5. Encrypt Everything
• Usernames & passwords (passwords in particular should never be stored reversibly, encrypted or not: store a salted, slow hash such as PBKDF2, bcrypt or scrypt, so that a stolen table cannot be turned back into passwords)
• Network protocols
• Offsite data
• Database

6. Don’t make yourself a target

7. Don’t Neglect The Social Aspect

8. Good security has layers (“Good security is like Shrek”: http://tinyurl.com/79j4o9o)
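Rule 5 covers usernames and passwords. The following is an added example, not code from the MIS AMS deck, showing what “protecting stored passwords” looks like in practice: a salted PBKDF2-HMAC-SHA256 record with a constant-time check, beside the unsalted single-hash approach that leaked password tables are routinely cracked from. The iteration count, the record format and the `needs_rehash` helper are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor for this example (2023-era OWASP guidance for SHA-256);
# tune it so a single check costs a noticeable fraction of a second.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Constant-time comparison against a stored record; False on malformed input."""
    try:
        algo, iterations_str, salt_b64, digest_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations_str)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record predates the current work factor (rehash at next login)."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    return int(parts[1]) < iterations


def legacy_unsalted_sha1(password: str) -> str:
    """What NOT to do: equal passwords give equal hashes, so one crack of a
    common password unlocks every account that uses it, and precomputed
    tables apply directly."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong", rec))                          # False
```

Store the whole record string; the embedded iteration count lets you raise the work factor later and transparently rehash users as they log in.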

Some Vectors of Attack

• Unpatched software
• XSS – Cross Site Scripting
• SQL Injection

Real Life Examples

• MySQL.com: SQL injection attack, 27th March 2011, usernames and passwords compromised
• Gawker.com: made themselves a target, 11th December 2010, whole server compromised
• Sony PSN: too much trust in users, 26th April 2011, whole network compromised
• Black and Berg Security: made themselves a target, 8th June 2011, web server compromised
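The SQL injection vector above (the one behind the MySQL.com example) comes down to a query assembled by string concatenation. This is an added example, not code from the deck or from any of the sites named: a login check written the vulnerable way beside the parameterised fix, run against a constructed in-memory SQLite table so the bypass can be observed offline. The table, rows and function names are assumptions for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users with (deliberately) plaintext passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "Tr0ub4dor&3"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Concatenation: user input becomes part of the SQL grammar, so a
    password of  ' OR '1'='1  turns the WHERE clause into something that
    matches every row, and a username of  alice'--  comments the password
    check out entirely."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters: the driver sends the values separately from the
    statement, so they can never be parsed as SQL. (A real system would also
    compare against a salted hash rather than a stored plaintext.)"""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def probe_with_quote(conn: sqlite3.Connection) -> bool:
    """The classic first test an attacker runs: a lone quote. If the server
    answers with a SQL syntax error, the input is being concatenated."""
    try:
        login_vulnerable(conn, "'", "x")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", "' OR '1'='1"))  # True: bypassed
    print(login_safe(db, "alice", "' OR '1'='1"))        # False
    print(probe_with_quote(db))                           # True: syntax error leaks
```

The same two payloads work, with minor dialect changes, against MySQL, PostgreSQL and SQL Server; the fix is the same everywhere: never build SQL from strings, always bind parameters.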

Mark Appleyard (MIS Systems Engineering)

Securing Remote Access to Corporate Resources

• VPN

• Multi-factor Authentication

• Enforced Health Requirement NAP/NAC

• An Integrated Approach to Improve Security

• Secure Virtual Applications & Desktops

• Wireless Considerations

• Portable USB and Encrypted Storage Devices

VPN Connectivity

Hardware-based site-to-site IPsec
• Secure, and can be locked to specific IP addresses for added protection
• No direct involvement of non-technical users
• Can be scaled to support many users

Client-based, such as PPTP or L2TP/IPsec
• Cisco VPN client or Microsoft VPN client
• Often requires installation of software onto the device
• Compatibility issues between various vendor products
• Caveat: PPTP’s MS-CHAPv2 authentication is cryptographically broken and should no longer be relied on; prefer L2TP/IPsec or IKEv2

Browser-based SSL VPN
• Works with most browsers
• Mostly does not require any software to be installed onto the device
• Good compatibility between various vendor products
• Only requires HTTPS (normally open on most networks)

VPN Connectivity

Risks associated with VPN technology

• Spread of viruses, worms and Trojans from infected endpoints into the corporate network
• Split tunnelling: the client is on the public internet and the corporate network at the same time
• User credential related risks (weak, shared or phished passwords)
• A compromised VPN may go unnoticed for a good deal of time
• A network Intrusion Detection System (IDS) cannot inspect VPN traffic in transit because it is encrypted; the sensor has to sit behind the VPN concentrator, where the traffic is in the clear

Encryption, authentication and securing the machines of end users are critical components of overall enterprise VPN security.

A compromised VPN connection is the equivalent of leaving your front door wide open!

VPN Risk Mitigation

• Idle session timeouts (10 minutes or less)
• SSL/TLS version verification: reject SSL 2.0 (and, since POODLE, SSL 3.0; today nothing below TLS 1.2 should be accepted)
• Discouraging use at public terminals or on public WiFi
• Security policies and secure access through strong user authentication
• Host identity verification
• Host security posture validation (NAP/NAC)
• Secure desktop, portals or application publishing

Secure User Authentication

Two-factor authentication: "something you have" + "something you know".

The simplest security tokens need no connection to a computer. When prompted, the user types the number shown on the token (the second factor, something you have) into the local keyboard, usually along with a PIN (the first factor, something you know). The displayed number is derived from a secret shared between the token and the authentication server and changes with time or with each use, so capturing one code does not let an attacker log in later.

Enforced Health requirement policies

Microsoft: Network Access Protection (NAP)
Cisco: Network Admission Control (NAC)

Benefits
• NAP enables policy validation, network restriction, network remediation and on-going compliance
• Inspects client computer health state and limits network access for non-compliant clients
• Secures the network from unauthorised users and systems
• Provides highly customisable role-based access to network resources for employees
• NAP/802.1X enforcement works seamlessly across both wired and wireless networks

Caveat: Microsoft deprecated NAP in Windows Server 2012 R2 and removed it from Windows Server 2016. 802.1X with a RADIUS policy server remains the admission mechanism; the health-check part of the role has moved to device-compliance checks in MDM tooling.

We need to empower users to be productive from virtually any device or location …

An Integrated Approach to Improve Security

Network administrators are under pressure to provide anywhere-access to messaging, collaboration and other resources. To achieve secure anywhere-access, IT departments must employ a variety of security strategies:

• It is no longer feasible simply to protect at the perimeter
• Protection and security must exist throughout the network
• Application-agnostic network security is recommended
• Determine what data is considered sensitive, and where it resides in the organisation
• Determine access control policies and key management strategies to address that risk

Security vendors have introduced purpose-built platforms which deliver comprehensive, secure remote access to corporate resources for employees and partners on both managed and unmanaged PCs and mobile devices.

Microsoft Forefront Unified Access Gateway (UAG)
• Delivers simple and secure access optimised for applications such as SharePoint, Exchange and Dynamics CRM
• Integrates a deep understanding of the published applications, the health state of the devices used to gain access, and the user's identity, and on that basis enforces granular access controls and policies to deliver comprehensive remote access, ensure security, and reduce management cost and complexity
• Caveat: Microsoft has since discontinued Forefront UAG, so treat this as historical; the same reverse-proxy-with-device-and-identity-checks pattern survives in its successors

Citrix Access Gateway

• Simple, secure HTTPS access to published apps, full desktops or VDI from web browsers
• Consolidates points of access by combining a traditional IPsec VPN and Secure Gateway into a single appliance
• Citrix Access Gateway VPX is a software virtual appliance that can be deployed on any off-the-shelf server in the datacentre
• Secure virtual desktops: give users secure access from anywhere while maximising their productivity

Citrix Access Gateway is a secure application access solution that gives administrators granular application-level control while giving users remote access from anywhere.

Citrix Receiver is now available for Android and Apple iOS as well as Windows, so the applications themselves never have to be installed on the device; only Receiver (or a browser) is needed, and the data stays in the datacentre.

Wireless Access

• Wired Equivalent Privacy (WEP): can be broken in less than 10 minutes
• Wi-Fi Protected Access (WPA): more secure than WEP, but has now been replaced with WPA2
• WPA2: mandatory for Wi-Fi-certified devices since 2006, so there is no reason not to use it; if your devices are older than this or don’t support WPA2 they should be replaced
• Small businesses can use AES (CCMP) pre-shared keys, but larger enterprises should use 802.1X (WPA2-Enterprise)
• Caveat: WPA3 (certified from 2018) replaces the WPA2 pre-shared-key handshake with SAE, which stops the offline dictionary attack on a captured handshake; use it where all clients support it

Many business access points still accept WEP connections, and many home networks run with no encryption at all!

802.1X Wireless Access Authentication

AES pre-shared keys are OK, but for larger enterprises 802.1X is better: credentials are issued per user, so no shared key has to be handed out, and it can be revoked centrally. Changing a shared key every time someone leaves, or after every visitor, is unmanageable.

• Windows XP, Vista and Windows 7 support 802.1X for all network connections by default. Windows Mobile 2003 and later also come with a native 802.1X client
• Mac OS X has offered native support since 10.3. The iPhone and iPod Touch also support 802.1X
• Android supports it from 2.2 (Froyo)
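The three wireless options discussed above, as an added example in wpa_supplicant configuration syntax (this is not configuration from the deck or from MIS). SSIDs, the key, the identity, the CA path and the RADIUS hostname are placeholders. The third block is the one that matters: an 802.1X client that does not pin the RADIUS server’s certificate will hand its MSCHAPv2 exchange to any rogue access point advertising the corporate SSID, which is the commonest way WPA2-Enterprise deployments get broken.

```conf
# 1. WEP: shown only so it can be recognised and removed. Recoverable from
#    captured traffic in minutes. (Placeholder SSID and key.)
network={
    ssid="legacy-wep"
    key_mgmt=NONE
    wep_key0=0123456789
    wep_tx_keyidx=0
}

# 2. WPA2-Personal with AES/CCMP. Adequate for a small office, but one secret
#    shared by everyone: it has to be rotated whenever a person or a visitor
#    device leaves. (Placeholder passphrase.)
network={
    ssid="smallbiz"
    proto=RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP
    psk="a-long-random-passphrase"
}

# 3. WPA2-Enterprise (802.1X, PEAP with MSCHAPv2 inside). Per-user
#    credentials, revoked centrally at the RADIUS server. ca_cert plus
#    domain_suffix_match are what stop an "evil twin" AP from harvesting the
#    MSCHAPv2 handshake. (Placeholder identity, CA path and server name.)
network={
    ssid="corp"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=PEAP
    identity="jdoe@corp.example"
    password="per-user-password"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
```

On managed Windows and Apple clients the equivalent settings are “Validate server certificate” with the trusted root and server name pinned in the wireless profile; a profile that leaves those unset is the weak configuration, whatever the cipher suite.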

Disk Encryption

Disk encryption prevents unauthorised access to the data on a storage device. The term "full disk encryption" (or whole disk encryption) means that everything on the disk is encrypted, not just selected files.

Microsoft BitLocker is available only in the Enterprise and Ultimate editions of Windows Vista and Windows 7 (it is included in the Pro editions from Windows 8 onwards). Users of editions that don't include BitLocker could use a third-party program for full drive encryption such as TrueCrypt, free open-source disk encryption software. Note that TrueCrypt development ended in 2014; VeraCrypt is its maintained successor. Whichever product is used, full disk encryption only protects a machine that is powered off or locked before boot, so pair it with a pre-boot PIN or passphrase (or a TPM-bound key plus PIN) and a screen lock.

Removable Storage Devices

• Portable storage devices are a big risk to network security
• Firewalls and antivirus software are no defence against attacks that arrive via open USB, eSATA and FireWire ports
• Viruses, worms and trojans get into the corporate network this way
• Valuable data can leave the company in huge quantities
• Microsoft Group Policy cannot manage USB and FireWire access very easily, so third-party products are recommended to lock down access. (Since Windows Vista / Server 2008, Group Policy does include Computer Configuration > Administrative Templates > System > Removable Storage Access, with per-class deny read/write/execute settings, and Device Installation Restrictions can block whole device classes. FireWire is a separate problem because it allows DMA: on machines that don't need it, disable the 1394 controller or the SBP-2 driver.)
