Faculty: Scott Greene of Evidence Solutions, Inc. (Scott@EvidenceSolutions.com)
TRANSCRIPT
C15: Building a Secure Infrastructure
Faculty: Scott Greene of Evidence Solutions, Inc.
10 Things Users do to Drive you Crazy

1: Take control of remote sessions
◦ I do a lot of remote support. For that support, I use either LogMeIn or TeamViewer. Inevitably, I run into clients who constantly want to “show me” what’s going on, take over the mouse to point out something different, or even use their machine for something else (like replying to an email that should be able to wait). Outside of annoying any support tech, this does one thing — extends the length of time needed to do a job.
10 Things Users do to Drive you Crazy

2: Give too much irrelevant information about an issue
◦ What I really want to know is that you clicked on an attachment that was in an email. I don’t care to know the email was originated by your grandmother on your father’s side and the email had the most darling picture of kittens and puppies playing together in a field of daisies. I also don’t care that you were sitting at your desk, having your usual lunch of yogurt and sliced apples dipped in caramel when everything started to go down the drain. Get to the point, give me the facts, and I will do my job to the best of my ability.
Disclaimer

◦ Just because a network has been designed well does not mean it is, or will remain, secure.
◦ No audit, internal, external, compliance-related or not, can by itself ensure a network is secure.
◦ The real benefit of designing a secure infrastructure comes from implementing its recommendations on how security controls can be improved, dealing with any concerns reported, and more closely aligning information security needs and risk mitigation with business goals.
Protect the Information
Provide Access
Why?

◦ A new web threat is detected every 4.5 seconds.
  - SophosLabs, published in Sophos Security Threat Report Mid-Year 2011
Why?

◦ Why the focus on the Web? Because it works!
◦ Over the last year, we’ve seen major breaches at companies including Sony, RSA, and Zappos.com, and at several U.S. military contractors.
◦ All from a click on a malicious link.
Regulations

These can help create a framework of security:
◦ Health Insurance Portability & Accountability Act (HIPAA) (1996)
◦ Gramm-Leach-Bliley (1999)
◦ Homeland Security Act (2002)
◦ Federal Information Security Management Act (FISMA)
◦ Federal Information Processing Standard (FIPS) (2010)
◦ Payment Card Industry Data Security Standard (PCI / PCI DSS)
FIPS

Federal Information Processing Standards
◦ Publicly available standards developed by the United States Federal government for use by all non-military government agencies and by government contractors.
◦ Many FIPS standards are modified versions of standards used in the wider community (ANSI, IEEE, ISO, etc.)
FIPS: The Process

FIPS is used to manage risk by selecting and implementing security controls in the organizational information system, including:
◦ 1) Applying the organization’s approach to managing risk;
◦ 2) Categorizing the information system and determining the system impact level in accordance with FIPS 199 and FIPS 200, respectively;
◦ 3) Selecting security controls, including tailoring the initial set of baseline security controls and supplementing the tailored baseline as necessary based on an organizational assessment of risk;
◦ 4) Assessing the security controls as part of a comprehensive continuous monitoring process.
FIPS: The Process of Managing Risk

Categorize
◦ the information processed, stored, and transmitted by that system
FIPS: The Process of Managing Risk

Select
◦ an initial set of baseline security controls for the information system based on the system impact level and minimum security requirements
◦ apply tailoring guidance by supplementing the baseline security controls based on an organizational assessment of risk and local conditions including environment of operation, organization-specific security requirements, specific threat information, cost-benefit analyses, or special circumstances; and specify assurance requirements
FIPS: The Process of Managing Risk

Implement
◦ the security controls and document how the controls are employed within the information system and its environment of operation.
FIPS: The Process of Managing Risk

Assess
◦ the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
FIPS & FISMA: The Formula

Security Categorization
SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}
(confidentiality × impact) + (integrity × impact) + (availability × impact)
FIPS & FISMA: The Formula

Confidentiality is:
◦ “the property that data or information is not made available or disclosed to unauthorized persons or processes.”
FIPS & FISMA: The Formula

Integrity is:
◦ “the property that data or information have not been altered or destroyed in an unauthorized manner.”
FIPS & FISMA: The Formula

Availability is:
◦ “the property that data or information is accessible and useable upon demand by an authorized person.”
FIPS & FISMA: The Formula

Impact
◦ N/A
◦ Low
◦ Moderate
◦ High
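The categorization in the slide's notation carried through for a whole system, as an added PowerShell example that is not part of the deck. The slide writes the aggregation as a sum; FIPS 199 itself takes, per objective, the highest impact of any information type the system handles (the "high water mark"), and FIPS 200 picks the Low/Moderate/High control baseline from the highest of the three, which is what the function computes. The information types, their impact values and their names are constructed.

```powershell
# Added example (not from the slides): FIPS 199 security categorization of an
# information system from the information types it handles, using the
# high water mark rather than the sum shown on the slide. Information types,
# impact values and names below are constructed.

# Ordered impact scale from the "Impact" slide.
$ImpactOrder = @{ 'N/A' = 0; 'Low' = 1; 'Moderate' = 2; 'High' = 3 }

function Get-HighWaterMark {
    param([string[]] $Levels)
    $max = 'N/A'
    foreach ($level in $Levels) {
        if (-not $ImpactOrder.ContainsKey($level)) { throw "Unknown impact level '$level'" }
        if ($ImpactOrder[$level] -gt $ImpactOrder[$max]) { $max = $level }
    }
    return $max
}

function Get-SystemCategorization {
    param([Parameter(Mandatory = $true)] [hashtable[]] $InformationTypes)
    $sc = @{}
    foreach ($objective in 'Confidentiality', 'Integrity', 'Availability') {
        $levels = @($InformationTypes | ForEach-Object { $_[$objective] })
        $mark = Get-HighWaterMark -Levels $levels
        # FIPS 199 allows N/A only for the confidentiality of an individual
        # information type (e.g. public data); a system always carries at least
        # Low for every objective because its own processing must be protected.
        if ($mark -eq 'N/A') { $mark = 'Low' }
        $sc[$objective] = $mark
    }
    # Highest of the three objectives selects the FIPS 200 / SP 800-53 baseline.
    $overall = Get-HighWaterMark -Levels @($sc.Confidentiality, $sc.Integrity, $sc.Availability)
    New-Object PSObject -Property @{
        Confidentiality = $sc.Confidentiality
        Integrity       = $sc.Integrity
        Availability    = $sc.Availability
        Overall         = $overall
        Notation        = "SC system = {(confidentiality, $($sc.Confidentiality)), " +
                          "(integrity, $($sc.Integrity)), (availability, $($sc.Availability))}"
    } | Select-Object Confidentiality, Integrity, Availability, Overall, Notation
}

# Constructed sample: a public web server that also processes customer payment data.
$informationTypes = @(
    @{ Name = 'Public web content';    Confidentiality = 'N/A';  Integrity = 'Moderate'; Availability = 'Low' },
    @{ Name = 'Customer payment data'; Confidentiality = 'High'; Integrity = 'High';     Availability = 'Moderate' }
)
Get-SystemCategorization -InformationTypes $informationTypes | Format-List
```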
FIPS: Minimum Security Requirements

Access Control (AC)
◦ Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.
FIPS: Minimum Security Requirements

Awareness and Training (AT)
◦ Organizations must:
  - Ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems;
  - Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
FIPS: Minimum Security Requirements

Audit and Accountability (AU)
◦ Organizations must:
  - Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity;
  - Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
FIPS: Minimum Security Requirements

Certification, Accreditation, and Security Assessments (CA)
◦ Organizations must:
  - Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application;
  - Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems;
  - Authorize the operation of organizational information systems and any associated information system connections;
  - Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

© Evidence Solutions, Inc. 2011. The Computer, Technology, and Digital Forensics Firm.
FIPS: Minimum Security Requirements

Configuration Management (CM)
◦ Organizations must:
  - Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles;
  - Establish and enforce security configuration settings for information technology products employed in organizational information systems.
FIPS: Minimum Security Requirements

Contingency Planning (CP)
◦ Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.
FIPS: Minimum Security Requirements

Identification and Authentication (IA)
◦ Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
FIPS: Minimum Security Requirements

Incident Response (IR)
◦ Organizations must:
  - Establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities;
  - Track, document, and report incidents to appropriate organizational officials and/or authorities.
FIPS: Minimum Security Requirements

Maintenance (MA)
◦ Organizations must:
  - Perform periodic and timely maintenance on organizational information systems;
  - Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
FIPS: Minimum Security Requirements

Media Protection (MP)
◦ Organizations must:
  - Protect information system media, both paper and digital;
  - Limit access to information on information system media to authorized users;
  - Sanitize or destroy information system media before disposal or release for reuse.
FIPS: Minimum Security Requirements

Physical and Environmental Protection (PE)
◦ Organizations must:
  - Limit physical access to information systems, equipment, and the respective operating environments to authorized individuals;
  - Protect the physical plant and support infrastructure for information systems;
  - Provide supporting utilities for information systems;
  - Protect information systems against environmental hazards;
  - Provide appropriate environmental controls in facilities containing information systems.
FIPS: Minimum Security Requirements

Planning (PL)
◦ Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.
FIPS: Minimum Security Requirements

Personnel Security (PS)
◦ Organizations must:
  - Ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions;
  - Ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers;
  - Employ formal sanctions for personnel failing to comply with organizational security policies and procedures.
FIPS: Minimum Security Requirements

Risk Assessment (RA)
◦ Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.
FIPS: Minimum Security Requirements

System and Services Acquisition (SA)
◦ Organizations must:
  - Allocate sufficient resources to adequately protect organizational information systems;
  - Employ system development life cycle processes that incorporate information security considerations;
  - Employ software usage and installation restrictions;
  - Ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.
FIPS: Minimum Security Requirements

System and Communications Protection (SC)
◦ Organizations must:
  - Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems;
  - Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.
FIPS: Minimum Security Requirements

System and Information Integrity (SI)
◦ Organizations must:
  - Identify, report, and correct information and information system flaws in a timely manner;
  - Provide protection from malicious code at appropriate locations within organizational information systems;
  - Monitor information system security alerts and advisories and take appropriate actions in response.
10 Things Users do to Drive you Crazy

3: Blame the issue on something I (or another tech) did previously
◦ Yes, I’ve worked on your machine before. No, what I did last time to help you remap your K drive had zero effect on the fact that now you can’t get a network connection. Although they may be related, they are not directly cause and effect. Trust me on this. I’m not trying to pull a fast one on you, and I am 100 percent sure that the K drive issue is not related. But on the off chance that you simply will not believe me, I will do everything I can to show you the two are not related in any way. If you still don’t believe me, I have a list of other consultants who will be happy to have your work — until they’re no longer happy to have your work.
10 Things Users do to Drive you Crazy

4: Lie
◦ This one should not need any explanation. But for those who have yet to experience the liar, let me set the stage. There are times when you log into a user’s machine and discover that something obviously has been done — a profile or program deleted — that can be done only by an end user. When an end user has made such a mistake, he or she will sometimes try to deny doing anything to cause the problem. That’s fine. But most support professionals can see through the thinly veiled lie. We know the truth… so it’s okay to admit it.
Considerations

Monitoring vs. Prevention
◦ Monitoring causes the system(s) to report events
◦ Prevention causes the system(s) to interrupt events
  - May require additional integration between vendors
Know What you are Up Against

◦ Security is inconvenient
◦ Know what you are defending
◦ Review the current threats often
◦ Users are unsophisticated
◦ Anonymous is good at what it does / The bad guys are good at what they do / It is the only thing they do
◦ Resources / Money / Budget
Know What you are Up Against

Evaluate Risks and Threats
◦ What is critical to your business unit?
◦ How do you protect it?
◦ How do you prevent downtime?
◦ How do you get back up and running quickly?

Just because you have technology protecting your network doesn’t mean it is all working.
65% of all attacks are internal.
Endpoint Security

In 2011
◦ 39% of email-borne malware consisted of hyperlinks, not attachments;
◦ That’s up from 24% of email in 2010.
  - Symantec’s Internet Security Threat Report.
Endpoint Security

◦ Almost half of malicious software communicates out over the Internet within 60 seconds of infecting a computer, and about 80% of those communications use some form of Web protocol.
  - Websense.
Endpoint Security

◦ It used to be that porn was driving this issue
◦ Followed closely by gambling
◦ In the last two years, however, the field has changed; it is now religious sites
Windows 7 and AppLocker

Windows 7 allows for Software Restriction Policies (SRPs)
◦ The Path Rule
◦ The Hash Rule
◦ The Publisher Rule
◦ Audit mode
◦ Configuring AppLocker
◦ Experimenting with AppLocker
Windows 7 and AppLocker

Background of SRPs
◦ SRPs have been around since Active Directory 1.0 (Win 2000)
◦ Windows has sported Software Restriction Policies, or SRPs for short.
◦ SRPs allowed administrators to configure their Active Directory networks in one of two ways:
  - A blacklist (most common)
  - A whitelist (most secure)
Windows 7 and AppLocker

Background of SRPs
◦ A blacklist (most common)
  - Allows anything to run except what is on the black list.
◦ A whitelist (most secure)
  - Only lets items run that are on the white list.
  - What about notepad, Calculator, etc.?
Windows 7 and AppLocker

The Path Rule
◦ Allows users to run applications from a specific location.
◦ It is generally impractical for most organizations
◦ Executables live in a single folder on the user’s workstation (or on the network).
◦ Allows for multiple path rules
◦ Becomes unwieldy quickly
◦ “It’s OK to run apps that live in \\SW\GOODAPPS”
  - Any user with write permissions can just copy an application to the “goodapps” path and then run it.
◦ In AppLocker, default path rules exist to permit running applications in the Windows folder and the Program Files folder.
Windows 7 and AppLocker

The Hash Rule
◦ The hash rule requires that you point Windows to the actual executable file that you wish to allow or deny in your additional rules, so that Windows can generate a cryptographic hash that is specific to that binary file.
◦ While the hash rule addresses the ease with which path rules can be obfuscated, it presents an additional burden for administrators:
  - Plenty of upfront work generating hashes
  - New hash rules must be generated every time an executable changes
  - Hashes have a slight negative impact on workstation performance
Windows 7 and AppLocker

The Publisher Rule
◦ Avoids the problem with users circumventing path rules by renaming executables
◦ Allows administrators to allow or deny certificate-based applications
◦ Uses standards like digital signatures
◦ Uses publisher rules to specify allowed or disallowed versions.
◦ Can use a range of versions
Windows 7 and AppLocker

Audit Mode versus Enforce Rules
◦ Audit mode is a great way of gauging the potential impact of AppLocker without actually denying anyone the right to run an application. This mode is used for testing.
◦ Audit mode generates a list of applications that will fail and pass under the rules you’ve created
◦ This lets you identify potential problems before that unpleasant phone call from a frustrated user.
◦ This mode helps limit the impact of rules on the brass (as well as the rest of the users)
Windows 7 and AppLocker

Configuring AppLocker
◦ Use the Active Directory Group Policy on the server
◦ Install Remote Server Administration Tools in Windows 7
  - This installs an updated GPMC
  - The RSAT for Windows 7 <> RSAT for Vista
Windows 7 and AppLocker

Experimenting with AppLocker
◦ Start by working with a test machine that’s not connected to your network.
◦ Start with local Group Policy settings rather than network-based settings.
◦ Start with the blacklist model in which the default behavior is to allow everything.
◦ Leave the AppID service start type as manual, so if you get into trouble, you can reboot.
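The rule types, audit mode and local-policy workflow from the AppLocker slides above, as an added PowerShell example that is not the presenter's; it uses the AppLocker module cmdlets that ship with Windows 7 Enterprise/Ultimate and the Windows 7 RSAT, run from an elevated prompt on the test machine. The folder, file and account names are constructed.

```powershell
# Added example (not from the slides): build an AppLocker allow-list from a clean
# reference machine, deploy it to local Group Policy in AuditOnly mode, and read
# back what enforcement would have blocked. Folder, file and account names are
# constructed; requires the AppLocker module and an elevated prompt.
Import-Module AppLocker

$policyPath = 'C:\AppLockerTest\audit-policy.xml'     # constructed
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null

# 1. Inventory the executables users actually need: Program Files plus a
#    line-of-business folder that the default path rules would not cover.
$files  = @(Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe)
$files += @(Get-AppLockerFileInformation -Directory 'C:\LOBApps' -Recurse -FileType Exe)   # constructed

# 2. Prefer publisher rules (they survive renames and version upgrades) and fall
#    back to hash rules only for unsigned binaries. -Optimize merges files from
#    the same publisher/product into one rule; files with neither a signature
#    nor a hash are skipped instead of aborting the run.
$policyXml = New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'Baseline' `
    -Optimize -IgnoreMissingFileInformation -Xml

# 3. New-AppLockerPolicy emits EnforcementMode="NotConfigured"; set every rule
#    collection to AuditOnly so the rules only log and never block.
$policy = [xml]$policyXml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($policyPath)

# 4. Dry-run the policy before applying it. A downloaded tool should come back
#    Denied; notepad.exe shows the "what about notepad?" gap from the slides:
#    nothing above covers C:\Windows, so it is DeniedByDefault until the default
#    rules for the Windows and Program Files folders are added to the policy.
Test-AppLockerPolicy -XmlPolicy $policyPath -User 'CONTOSO\alice' -Path `
    'C:\Users\alice\Downloads\tool.exe', 'C:\Windows\System32\notepad.exe'   # constructed paths

# 5. Apply to local Group Policy (no -Ldap, so no domain GPO is touched). Rules
#    take effect only while the Application Identity service runs; leave its
#    start type Manual, as the slides advise, so a reboot clears the experiment.
Set-AppLockerPolicy -XmlPolicy $policyPath
Start-Service AppIDSvc

# 6. After a test period, list what audit mode flagged. Event ID 8003 means
#    "allowed to run, but would have been blocked if the policy were enforced".
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } |
    Select-Object TimeCreated, Message
```

Once the 8003 events stop appearing for legitimate software, switching the rule collections to EnforcementMode="Enabled" in the saved XML and re-running Set-AppLockerPolicy moves the same rules from audit to enforcement.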
10 Things Users do to Drive you Crazy

5: Take control of conversations
◦ When I’m trying to explain an issue to an end user, it really bugs me when that user takes over the conversation, preventing me from being able to effectively communicate either the problem or the solution. Generally, these people tend to have more to say on the issue than necessary and assume what they have to add to the situation is far more important than what they have to learn. If those end users would stop and listen for once, the reoccurring issue I am trying to help them with might not reoccur.
Endpoint Security
BlackHole Exploit Kit
◦ A type of crimeware Web application developed in Russia to help hackers take advantage of unpatched exploits in order to hack computers via malicious scripts planted on compromised websites. Unsuspecting users visiting these compromised sites would be redirected to a browser vulnerability-exploiting malware portal website in order to distribute banking Trojans or similar malware through the visiting computer.
◦ Blackhole exploit kits are based on PHP and a MySQL backend and incorporate support for exploiting the most widely used and vulnerable security flaws in order to provide hackers with the highest probability of successful exploitation. The kits typically target versions of the Windows operating system and applications installed on Windows platforms.
◦ The first Blackhole exploit kit appeared on the black market in August 2010 as a Web application available for sale on a subscription basis ($1,500 for an annual license). Newer releases and a free version of the Blackhole exploit kit have since appeared on warez download sites. The most well-known Blackhole exploit kit attack targeted the U.S. Postal Service's Rapid Information Bulletin Board System (RIBBS) website in April 2011.
Endpoint Security
These direct Web attacks typically consist of six stages:
◦ First: The Lure
◦ Second: The Redirection
◦ Third: Exploitation via vulnerability
◦ Fourth: Install the program
◦ Fifth: Contact Command-and-Control
◦ Sixth: Start using the compromised system
Endpoint Security

| Threat | Examples | Impact | Defenses |
|---|---|---|---|
| Botnet | Cutwail and Zeus | Take over system control, record account user names & passwords | Web-security gateway; endpoint security; network monitoring; use of security-as-a-service and patching, and removal of browser plug-ins to reduce possible vulnerability |
| Click fraud | DNSChanger | Redirect user browsing | Security-as-a-service, outbound monitoring, endpoint security |
| Exploit kit | Blackhole & Phoenix | Compromise systems & communications | Security-as-a-service, endpoint security, aggressive patching, removal of vulnerable plug-ins, outbound monitoring |
| Man in the browser | Zeus | Compromise secure browser channels, steal $ from bank accounts | Browser security software, endpoint security |
| Phishing | Fake Christmas lottery | Steal credentials, make more attacks | Anti-spam, network monitoring, security-as-a-service, browser protection, endpoint security |
| Rogue application | Virus remover & Antivirus 2009… | Compromise system, require payment for fraudulent services | Endpoint security, reputation engines, installation of software from vendors’ sites |
| Targeted attack | Oak Ridge National Labs attack | Steal confidential data | Endpoint security, data loss prevention, patching, removal of browser plug-ins |
Perimeter
◦ Be aware of the hacker’s technology and strategy, and understand how they’re helping attackers better defeat security measures.
◦ Be ready to counter the attacks with layers of responses designed to make it harder for attackers to penetrate your network.
◦ If the crooks do get in, you might at least keep them away from your most valuable servers and data.
Perimeter
Firewalls
◦ Block what you don’t need
◦ Block countries where you do not do business: Russia, Ukraine & China
  Doesn’t work as well as it used to, but is still worth doing
◦ Block inappropriate sites: Gambling, Entertainment, Porn, Religious?
Perimeter
Firewalls
◦ Use a unique connection to the outside for:
  Mail servers, Web servers, E-Commerce, etc.
Perimeter
Firewall: DMZ or no DMZ
◦ Ensure all unnecessary ports are closed (port forwarding). As an alternative to, or in tandem with, a DMZ, many hardware-based firewalls allow port forwarding, where only a specific port is visible to the outside world. If you are implementing port forwarding, open only those ports that are explicitly needed. Any other publicly visible port should be considered a security risk.
Perimeter
Firewalls
◦ Protect various departments / critical assets
  Network segmentation: sub-perimeter firewalls
◦ Protecting machines: sub-sub-perimeter / workstation firewalls
  Preferably centrally managed, but if that is too expensive, install non-centrally managed products.
Audits
Checklist
◦ Procedures should be comprehensively documented.
◦ Employees should be trained & tested in their roles.
◦ Security patch management should be examined / tested.
◦ Penetration testing should be regularly performed.
◦ Firewall settings should be examined frequently.
◦ Data should be classified and stored appropriately.
◦ Wireless settings should be checked / changed.
◦ Scan for unauthorized WAPs.
Audits
Checklist
◦ Event logs should be thoroughly examined all the time and during an audit.
◦ Test software that deals with sensitive data / review source code.
Simple Audits
The wrong data on the wrong server
◦ Windows Search
◦ dtSearch
Third Party Audit
◦ 46% of internal security audits find significant security problems
◦ 54% of external security audits find significant security problems
Third Party Audit
Audits should be a surprise
◦ Prior to audits, IT teams rush around and make last-minute adjustments to their configurations and processes.
◦ In the real world, however, audit preparation should be treated as an ongoing endeavor.
External audits can find things like:
◦ Malicious users
◦ Malicious administrators
Monitoring
Develop a well-documented network
◦ What talks to what, when and how
Continuously monitor the network for changes
◦ Whitelists, blacklists, hardware and software
Remediate changes
◦ When you detect a change, launch into action!
Assess constantly
◦ In large organizations, at least part of someone’s job should be to assess the status of the network.
Monitoring Resources
◦ Nmap
◦ Look@LAN
◦ Advanced Port Scanner
◦ Microsoft Baseline Security Analyzer (hasn’t recently been updated)
◦ LeakTest (Gibson Research)
◦ Symantec Security Check
10 Things Users do to Drive you Crazy
6: Ask the “quick question”
◦ This one really bothers me. Without fail, a client will call me with a “quick question” that inevitably winds up being a 30-minute phone conversation. My time is valuable through the workday and those quick questions add up. Not only that, but many clients use the quick question to avoid having to pay for support on the real issue.
Layers Layers Layers
AntiVirus
◦ Use multiple
  Each one will pick up different items
◦ Monitor centrally
  Users are notorious for selecting “ignore”.
◦ Workstation firewalls
  Each and every workstation needs a firewall; use multiple
Operating System – Anti-Spyware
Another concern agencies should have is spyware.
◦ Spyware is installed surreptitiously on a PC to intercept or take partial control over the user's interaction with the computer, without the user's informed consent.
◦ Spyware is generally not intended to be malicious.
◦ It reports information about users back to a third party.
◦ The information varies from general information about their system to specifics on their web browsing habits.
© Evidence Solutions, Inc. 2011. The Computer, Technology, and Digital Forensics Firm.
Operating System – Anti-Spyware
Spyware falls into several categories:
◦ 1. Retail and vendor information tracking
  Generally to track where users go on a site or on the vendor’s competitors’ sites.
◦ 2. Tracking
  Collects various types of personal information, such as Internet surfing habits, sites that have been visited, etc.
Operating System – Anti-Spyware
◦ 3. Redirection / Hijacking
  These types of spyware interfere with user control of the computer by installing additional software, redirecting Web browser activity, blindly accessing websites that deliver more harmful viruses, or diverting advertising revenue to a third party.
  Spyware can change computer settings, resulting in slow connections, different home pages, and loss of Internet or other programs.
Operating System – Anti-Spyware
◦ In response to the emergence of spyware, an entire anti-spyware industry has sprung up.
◦ A variety of programs are available for detecting and removing this spyware.
◦ Running anti-spyware software has become a widely recognized element of computer security for Windows computers.
◦ The US Federal Trade Commission has an entire page of advice to consumers about how to lower the risk of spyware infection.
Operating System – Anti-Spyware
Our top choices:
◦ Spybot Search and Destroy
◦ Zone Alarm – Anti-Spyware
◦ Adaware Pro
◦ Computer Associates – Anti-Spyware
◦ F-Secure
The Obvious
Strong Passwords
◦ 1,000,000+: the largest dictionaries of passwords we’ve seen reported
◦ Common names of people or pets are the first passwords tried
◦ Ordinary words are tried next
◦ Followed by words & names with one or two digits tacked on
◦ Finally, things like common substitutions of numbers and characters for letters: 3@SY4M3 – Easy for me; r@ts – rats; etc.
The Obvious
Strong Passwords
◦ Longer is better
◦ Odd structure is better
◦ Distinctness
◦ Frequency of change
◦ Require:
  At least eight characters
  Two or more digits
  Special characters
  Digits and special characters placed randomly instead of just at the beginning or the end
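As an added example (not from the slides), the attacker ordering on the previous slide (names, then words, then one or two tacked-on digits, then symbol-for-letter substitutions such as 3@SY4M3 and r@ts) and the requirements listed above, written as a Python checker. The name and word lists and the symbol-to-letter table are constructed stand-ins for the million-entry dictionaries the slide mentions.

```python
"""Password checks modelled on the slide's dictionary-attack ordering and its requirements.

Added example, not from the slides. The word lists are constructed stand-ins for the
million-entry dictionaries the slide refers to.
"""
import re
import string
from itertools import product

# Constructed stand-ins: stage 1 tries common names, stage 2 ordinary words.
COMMON_NAMES = {"john", "mary", "fluffy", "rex"}
ORDINARY_WORDS = {"password", "rats", "easyforme", "letmein", "welcome", "summer"}

# Inverse of the substitutions the slide shows (3@SY4M3 for "easy for me", r@ts for rats).
# Some symbols read more than one way, so each maps to a set of expansions.
UNLEET = {"@": {"a"}, "4": {"a", "for"}, "3": {"e"}, "1": {"i", "l"}, "!": {"i"},
          "0": {"o"}, "$": {"s"}, "5": {"s"}, "7": {"t"}, "2": {"to"}}

# One or two digits tacked on at the beginning or the end (the slide's third stage).
TACKED_DIGITS = re.compile(r"^\d{1,2}(?=\D)|(?<=\D)\d{1,2}$")
NON_LETTERS = string.digits + string.punctuation


def expansions(candidate):
    """Every reading of candidate with symbol-for-letter substitutions undone."""
    options = [UNLEET.get(ch, {ch}) for ch in candidate.lower()]
    return {"".join(parts) for parts in product(*options)}


def in_dictionary(word):
    return word in COMMON_NAMES or word in ORDINARY_WORDS


def attack_stage(password):
    """Stage of the slide's attack that recovers the password, or None if it survives.

    1 common names, 2 ordinary words, 3 word or name with one or two digits tacked on,
    4 the same after common substitutions of numbers and characters for letters.
    """
    base = password.lower()
    if base in COMMON_NAMES:
        return 1
    if base in ORDINARY_WORDS:
        return 2
    if in_dictionary(TACKED_DIGITS.sub("", base)):
        return 3
    if any(in_dictionary(TACKED_DIGITS.sub("", reading)) for reading in expansions(base)):
        return 4
    return None


def policy_failures(password):
    """The slide's 'Require:' list; returns the requirements the password misses."""
    failures = []
    if len(password) < 8:
        failures.append("at least eight characters")
    if sum(ch.isdigit() for ch in password) < 2:
        failures.append("two or more digits")
    if not any(ch in string.punctuation for ch in password):
        failures.append("at least one special character")
    # "Digits and special characters randomly instead of just the beginning or the end":
    # strip the runs at both ends and require at least one digit or special in the middle.
    has_mixins = any(ch in NON_LETTERS for ch in password)
    core = password.strip(NON_LETTERS)
    if has_mixins and not any(ch in NON_LETTERS for ch in core):
        failures.append("digits and special characters only at the beginning or end")
    stage = attack_stage(password)
    if stage is not None:
        failures.append(f"recovered at dictionary-attack stage {stage}")
    return failures


if __name__ == "__main__":
    for pw in ("mary", "r@ts", "Fluffy12", "3@SY4M3", "Password12!", "Tr3e-h0us3^Bike"):
        print(f"{pw:18} stage={attack_stage(pw)} failures={policy_failures(pw)}")
```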
The Obvious
Wireless
◦ WPA2 tied to the infrastructure
◦ Scan for new wireless devices
Mobile Devices
◦ 172 Million smart phones were sold in 2010
◦ Leveraging the employee smart phone can be huge
◦ $500 device versus the data stored or available on the device
Mobile Devices
Benefits
◦ The employee bears the cost of the device
◦ The employee bears the cost of the service
◦ Employees are more connected
◦ Employees collaborate more often
◦ Communication increases dramatically
◦ Faster decision making
Mobile Devices
Four things you cannot ignore with mobile devices
1) Antivirus software on every device
◦ BullGuard
◦ Kaspersky
◦ ESET
◦ LookOut
◦ TrendMicro
◦ F-Secure
◦ NetQin
◦ WebRoot
◦ Norton 360
Mobile Devices
Four things you cannot ignore with mobile devices
◦ 2) Protect data on devices
  Enforce PIN access
  Encrypt sensitive data
  Management: remote lock, remote wipe
Mobile Devices
Four things you cannot ignore with mobile devices
◦ 3) Tightly control what can be installed on a mobile device
  Known sources: AppStore, Google Play Store / Amazon, etc.
  Scan before installation
Mobile Devices
Four things you cannot ignore with mobile devices
◦ 4) Detect & prevent malware
  See anti-virus
  Educate users: if they see something wrong, turn off the device and seek help.
Browser Security
Web Browser Configuration / Lockdown
◦ All browser plug-ins should be limited to essential plug-ins approved by the Agency
◦ ActiveX plug-ins should be limited
  Users should not be expected to be able to determine whether or not adequate security is available for ActiveX plug-ins
Browser Security
Web Browser Configuration / Lockdown
◦ Web browsers should be configured to limit vulnerability to intrusion.
◦ Active code should be disabled or used only in conjunction with trusted sites.
◦ < Demo browsing with a crippled browser >
◦ The browser should always be updated to the latest secure version.
Browser Security
Web Browser Configuration / Lockdown
◦ Privacy
  This is a big concern. The greatest threat is the use of cookies by third-party websites and the monitoring of users’ web browsing habits by third parties using those same cookies.
  Cookies can be disabled, controlled and / or removed using a variety of built-in web browser features or third-party applications.
Browser Security
◦ JavaScript should also be limited or turned off. While JavaScript is used on many Websites, turning it off generally only causes some nuisances when browsing these sites.
Browser Security
◦ OpenDNS
◦ Google Public DNS
Four Steps to Better Web Security
1. Educate Employees
◦ Show them what to watch out for
◦ Encourage them to report questionable sites and links.
2. Flexible Policies
◦ Policies should be adaptable to the rapidly changing Web environment.
Four Steps to Better Web Security
3. Secure All Devices
◦ Keep patches up to date
◦ Remove unneeded plug-ins
◦ Use endpoint security
◦ Use a browser sandbox.
4. Use Web Filtering
◦ Monitor traffic in both directions to catch incoming threats and infected machines transmitting out.
10 Things Users do to Drive you Crazy
7: Chat while I’m concentrating
◦ This goes along with dominating the conversation. Many users, while in the middle of a remote session, want to chat. Sometimes that’s okay, as we are simply waiting for a download or waiting on the progress of a service or application. But when I’m elbows deep in the dirt and grit of trying to resolve a crucial issue, don’t try to chat me up about the weather, the royal wedding, or the price of gas. Please let me resolve the issue at hand (especially one that requires my concentration) and then I will happily chat about whatever (so long as I don’t have a pressing appointment after yours).
10 Things Users do to Drive you Crazy
8: Insist what their “cousin” told them was true
◦ I get it. Some companies enlist the help of “Cousin Joe,” who happens to owe the secretary a favor and “knows a thing or two” about computers. Well, Cousin Joe didn’t do you any favors when he caused even more problems doing what he did. Not that I am going to slam your cousin. But when I say that although Joe’s intentions were good, what he did was counterproductive to solving the issue at hand, please don’t insist that the cousin was in the right and that I am only trying to bilk you out of more money. Of course, if it ever comes to those kinds of words, you will most certainly be looking for a new support specialist.
Four DLP Steps
1) Understand your requirements
◦ Define your requirements from the inside
◦ What to protect?
◦ Where is it residing?
◦ End points?
Four DLP Steps
2) Work with the business at hand
◦ Understand what managers need
  Conduct interviews
  What do they need access to?
  Where do they need access to it?
  Too many false positives may indicate a broken business process
Four DLP Steps
3) Involve the legal & HR departments
◦ Legal can help with:
  Compliance issues
  Helping write an incident plan
◦ HR: handle an incident created by an employee
Four DLP Steps
4) Implement in phases
◦ Don’t shock the system
◦ Monitor each phase
Data Loss Prevention
Data Identification
◦ This is the first step to implementation
◦ Solutions should be able to identify confidential or sensitive information.
◦ Data identification covers data:
  in motion
  at rest
  at end points
Data Loss Prevention
Data Identification
◦ DLP solution should allow for:
  Keywords
  Dictionaries
  Regular expressions
  Partial document matching
  Fingerprinting
◦ DLP solution should allow you to write your own rules.
Data Loss Prevention
Data Identification
◦ The strength of the analysis engine directly correlates to its accuracy.
◦ Each organization may have unique needs, however.
◦ Accuracy depends on many variables:
  The way the data is stored
  The format of the data
  Encryption of the data
Data Loss Prevention
Data Identification
◦ Testing for accuracy
  Often
  Compare results with previous testing
  Ensure the solution has virtually zero false positives/negatives.
Data Loss Prevention
Network & Gateway DLP
◦ Dedicated hardware/software platforms, typically at the border.
◦ They analyze network traffic to search for unauthorized information transmissions, including: Email, IM, FTP, HTTP
◦ They are generally cost effective.
◦ Some network systems review data stored throughout the enterprise to identify areas of risk.
Data Loss Prevention
Host-based DLP systems
◦ Run on end-user workstations or servers
◦ Generally address internal communications
◦ Some can monitor external communications
◦ Others can also control information flow within the organization.
◦ Can also control:
  Email
  IM
Data Loss Prevention
Host-based DLP systems
◦ Can monitor physical devices
◦ Can also monitor interaction with portable devices.
◦ Should block sensitive information transmissions
◦ Provide feedback to the user, with notifications going to Management
◦ Are installed on every workstation in the network
Data Loss Prevention – Other Considerations
A DLP product should include:
◦ centralized management
◦ policy creation
◦ enforcement workflow
◦ monitoring and protection of content and data.
Data Loss Prevention – Other Considerations
Operational actions:
◦ Quarantine email?
◦ Encrypt email?
◦ Block email?
◦ Notify sender?
◦ Notify management / operations?
Data Loss Prevention – Other Considerations
◦ Advanced data discovery types of DLP systems can move the data to a secure location if it is found to be residing on a non-protected share.
Data Loss Prevention – Other Considerations
Most DLP systems integrate with Active Directory.
◦ Users
◦ Groups
◦ etc.
Data Loss Prevention – Other Considerations
◦ Severity Level Assignment – Assigns a severity level to incidents and is highly configurable.
◦ Custom Attribute Lookup – Queries an LDAP or Active Directory server for user identity and additional attributes.
◦ Automated Incident Response – A number of actions can be taken using this feature. Some of the important ones are the ability to comment, block, log, etc.
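As an added example (not the slides’ or any product’s code), a miniature content-aware DLP engine in Python that wires together the identification techniques from the Data Identification slides (keyword/dictionary, regular expression, fingerprinting / partial document matching, user-written rules), the severity level assignment just described, and the operational actions slide (log, quarantine, block, notify). The protected document, the sample messages, the rule names and the severity-to-action table are all constructed for the example.

```python
"""Content-aware DLP in miniature: identification rules, severity assignment and the
resulting operational action. Added example, not from the slides or any product; the
documents, messages and card number below are constructed (4111 1111 1111 1111 is a
well-known test number, not a real card)."""
import hashlib
import re
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    severity: int      # 1 = low, 2 = medium, 3 = high
    matcher: object    # callable(text) -> list of evidence strings; empty list = no hit

# ---- identification techniques named on the Data Identification slide ----------------

def keyword_rule(terms):
    """Keyword / dictionary matching, case-insensitive."""
    def match(text):
        low = text.lower()
        return [t for t in terms if t in low]
    return match

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits):
    """Luhn checksum, so a random run of 16 digits is not reported as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def card_number_rule(text):
    """Regular-expression rule tightened with a validity check to cut false positives."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append("card number ending " + digits[-4:])
    return hits

def shingles(text, n=5):
    """Document fingerprint: the hash of every run of n consecutive words."""
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + n]).encode()).hexdigest()
            for i in range(len(words) - n + 1)}

def fingerprint_rule(protected_text, n=5, min_shared=3):
    """Partial document matching: a message that reuses min_shared or more word-runs
    from the protected document is a hit even when the rest of it is new text."""
    index = shingles(protected_text, n)
    def match(text):
        shared = len(shingles(text, n) & index)
        return [f"{shared} word-runs copied from protected document"] if shared >= min_shared else []
    return match

# ---- severity level assignment and operational actions ---------------------------------

ACTIONS = {0: ("allow",), 1: ("log",), 2: ("quarantine", "notify sender"),
           3: ("block", "notify sender", "notify management")}

def scan(text, rules):
    """Run every rule; incident severity is the highest severity among the rules that fired."""
    incidents = [(r.name, r.severity, ev) for r in rules if (ev := r.matcher(text))]
    severity = max((sev for _, sev, _ in incidents), default=0)
    return severity, ACTIONS[severity], incidents

# ---- constructed sample data -------------------------------------------------------------

PROTECTED_DOC = ("Project Aquarius migration plan. Phase one moves the finance database to "
                 "the new cluster over the long weekend. Phase two cuts over the payroll "
                 "service once reconciliation has passed. Rollback is a restore from the "
                 "Friday snapshot.")

RULES = [  # the "write your own rules" list: name, severity, matcher
    Rule("confidential-terms", 1, keyword_rule({"internal only", "confidential", "do not distribute"})),
    Rule("partial-document", 2, fingerprint_rule(PROTECTED_DOC)),
    Rule("card-number", 3, card_number_rule),
]

LEAKING_EMAIL = ("Internal only: here is the plan. Phase one moves the finance database to the "
                 "new cluster over the long weekend. My corporate card is 4111 1111 1111 1111 "
                 "if you need to book the hotel.")
BENIGN_EMAIL = "Lunch at noon on Friday? Phase one of the weekend plan is golf, phase two is the barbecue."

if __name__ == "__main__":
    for message in (LEAKING_EMAIL, BENIGN_EMAIL):
        severity, actions, incidents = scan(message, RULES)
        print(f"severity {severity}, actions {actions}")
        for name, sev, evidence in incidents:
            print(f"  {name} (severity {sev}): {evidence}")
```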
Data Loss Prevention – Other Considerations
◦ Role-based Access Control – This is an interesting feature, in that it determines which incidents a remediator can work on and the amount of detail available.
  For example, if the violation originated from a staff member in the DLP group, it does not do any good assigning the incident to the violator himself.
Data Loss Prevention – Other Considerations
◦ SmartResponse – This provides detailed data to determine the remediation steps for incidents. It also allows for fast incident remediation.
Data Loss Prevention – Other Considerations
Leak Prevention
◦ The system learns data by reviewing existing data.
◦ During the review period someone must monitor the system.
◦ This should be done prior to turning on the leak prevention.
◦ DLP generally handles: SMTP, HTTP, HTTPS, FTP and Telnet. Is that enough?
Data Loss Prevention – Other Considerations
◦ The product’s functionality is dedicated to solving the business and technical problems of protecting content through content awareness.
◦ A number of products, particularly email security solutions, provide basic DLP functions, but aren't complete DLP solutions.
10 Things Users do to Drive you Crazy
9: Undo my work
◦ Raise your hand if you’re guilty of undoing all that work the support techs did the very second they left. I’ve seen this happen plenty of times. I’ve had clients actually confess to doing this. What those clients don’t realize is that I will more than likely have to come back and redo what I did prior to this visit — and I’ll also have to fix problems they caused by undoing my work. Do us both a favor and don’t undo my work. This is rarely going to be a smart choice, and the possibility that you’ll be able to resolve the issues created by your tampering is nil.
10 Things Users do to Drive you Crazy
10: Lack the necessary information
◦ When end users call for help, 75 percent of the time they have all of the information necessary for a successful appointment. The other 25 percent? Not so much. In fact, a large portion of that 25 percent require nearly double the normal job time just for fact gathering. So… when you call, please make sure you have all the information needed to complete the appointment. Otherwise, you are wasting my time and running up your bill.
Cloud Security
What is different about cloud?
◦ Cloud computing moves us away from the traditional model, where organizations dedicate computing power to a particular business application, to a flexible model for computing where users access business applications and data in shared environments.
Cloud Security
Today’s Data Centers
◦ We have control
◦ They are located at A
◦ The data is on servers: Sagittarius and Aquarius
◦ Our admins control access
◦ Our uptime works
◦ Our auditors are ok
◦ Our security team is engaged
The Cloud
◦ Who has control?
◦ Where is it located?
◦ Where is it stored?
◦ Who backs it up?
◦ Who has access?
◦ How resilient is it?
◦ How do auditors do their job?
◦ How does our security team get involved?
Essential Questions
◦ Are you in a shared environment? Who else uses the servers? What is in place to prevent leakage to the others on the server? What logging capabilities are available?
Cloud Security
Essential Questions
◦ Where does your data actually reside?
◦ Can you lose service when an investigation into data loss from another customer ensues?
Cloud Security
Essential Questions
◦ What happens when a DDoS attack occurs?
Cloud Security
Essential Questions
◦ Who ensures compliance?
Cloud Security
Essential Questions
◦ How well is your data protected?
Cloud Security
Essential Questions
◦ Is encryption in place?
Cloud Security
Essential Questions
◦ Are all compliance requirements met in the Cloud?
Cloud Security
Essential Questions
◦ Are Event Management options available? To whom? How? How quickly?
Cloud Security
Essential Questions
◦ When an event happens, can your business unit react as it did when servers were local?
Cloud Security
10 signs that you aren’t cut out for IT
◦ 1: You lack patience
◦ 2: You have no desire to continue your education
◦ 3: You refuse to work outside 9-to-5
◦ 4: You don’t like people
◦ 5: You give up quickly
◦ 6: You’re easily frustrated
◦ 7: You can’t multitask
◦ 8: You have dreams of climbing the corporate ladder
◦ 9: You hate technology
◦ 10: You turn off your phone at night
By Jack Wallen; February 24, 2012
10 Signs you aren’t cut out for IT
Evaluation
I value your comments. Please fill in your evaluation form found at the end of your packet.
Contact Information
Scott Greene, SCFE
Evidence Solutions, Inc
866-795-7166