IT Security for the Physical Security Professional Dave Tyson, MBA, CPP, CISSP Angela Swan, CISSP November 18, 2005


Page 1: IT Security for the Physical Security Professional

IT Security for the Physical Security Professional

Dave Tyson, MBA, CPP, CISSP
Angela Swan, CISSP

November 18, 2005

Page 2: IT Security for the Physical Security Professional

Speakers

• Dave Tyson, CPP, CISSP, MBA – CSO for City of Van; National CIO Subcommittee for Info Protection; 2006 Chair, ASIS International IT Security Council
• Angela Swan, CISSP – CUCBC Security; City of Van IT Security Manager; supervised IT Security for HSBC Bank Canada; network and security for the New West PD

Page 3: IT Security for the Physical Security Professional

Agenda

• Introductions
• Overview of IT Security – debunk some myths and terminology
• Technical stuff
• Break
• Enterprise Security
• Lunch – Keynote Speaker
• What you can do
• Where you can help today
• Some checklists and other resources

Page 4: IT Security for the Physical Security Professional

Changing Threat Paradigm for Physical Security

• Physical security had been chiefly responsible for fraud, theft, harassment issues in the workplace
• New people in the organization responsible for security “stuff” that may not have specific security backgrounds

Page 5: IT Security for the Physical Security Professional

The Future… Why should you care?

• 850 Million end points on the Internet (2004)
• 2.3 Billion Cell Phones
• When the 3rd generation network is fully deployed and all cell phones are internet devices, the internet will be triple the size with fewer protections
• HSPD 12

Page 6: IT Security for the Physical Security Professional

What does this mean on the risk side of the equation?

What gets worse?
• Fraud
• Harassment
• Stalking
• Identity theft
• Phishing & Pharming
• SPAM
• Viruses
• Delivery of Spyware, Trojan horses and Adware

What gets easier?
• What it takes to perpetrate these activities
• Committing the same crimes in a new way

Page 7: IT Security for the Physical Security Professional

The Real Problem

The average Physical Security Professional knows very little about these issues at this time!

Page 8: IT Security for the Physical Security Professional

Risks are Everywhere

• Keystroke Loggers
• Sharepoint
• National Bank
• IBM
• Backup tape losses
• Hundreds of computers unaccounted for in the federal government

Page 9: IT Security for the Physical Security Professional

Federal Government

2004 Report to Parliament from the Privacy Commissioner details the loss of 330 computers from agencies and departments such as:
• RCMP
• Canadian Space Agency
• CCRA
• DND
• Corrections
• Refugee Board
• others

Page 10: IT Security for the Physical Security Professional

Laptop Theft

• More than 600,000 laptops reported stolen in 2004 – Safeware insurance
• 720 Million Dollars in losses
• 5.4 Billion Dollars in theft of proprietary information
• Chances of having a laptop stolen are 1 in 10 – Gartner Group
• 80% of all laptop thefts are internal and 73% of companies do not have laptop specific policies – Gartner
• 80% of companies surveyed acknowledged financial losses due to computer breaches – CSI/FBI Computer Crime Survey 2005

Page 11: IT Security for the Physical Security Professional

Caveats

Technology can be complicated, so we may make some generalizations during the presentation to aid in learning

Ask questions as we go, because we will build on knowledge learned as the session goes on – 2 or 3 slides might be a bit painful, but ask lots of questions and you will get there!

Page 12: IT Security for the Physical Security Professional

Basic Philosophy

• Confidentiality of Data
• Availability of Data
• Integrity of Data
• Security is a weakest-link discipline – find the vulnerability by asking the correct questions and you can then close the hole

Page 13: IT Security for the Physical Security Professional

Basic Philosophy

Security Concept | Physical Security World | IT Security World
Access Control | Buildings / Assets | Servers / Data
Authentication | Picture ID, Alarm Code | User ID / Password
Authorization | Access Control List / Badge, Personal Recognition, Keys | Access Control List / Profile
Confidentiality | Physical Information | Electronic Information

Page 14: IT Security for the Physical Security Professional

Smoke & Mirrors

• Information provides power
• IT people generally have little interest in security or they “know all about it”
• In general, security is not well built into IT systems or is turned off by default for ease of use or setup
• Risk assessment is not well done

Page 15: IT Security for the Physical Security Professional

Debunking the Mystery

• IT people generally know more than physical security people about IT Security? (Security mindset is what’s important)
• The fields are not concerned with the same issues?
• Access Control is Access Control?
• Loss prevention is still the game: just the asset is different?

Page 16: IT Security for the Physical Security Professional

Terminology as a Weapon

• ISP
• VPN
• USB
• VLAN
• IP
• Packets
• Network
• Server

Be prepared for TLAs…. It’s not as bad as it looks!!

Page 17: IT Security for the Physical Security Professional

Concentric Circle Theory

Also called defense in depth

Physical Security Architecture:
• Physical Controls
• Policy, Procedures, Standards
• Emergency Response
• Services – Safewalk, Investigations

Page 18: IT Security for the Physical Security Professional

The Dilemma

Security – Cost – Ease of use

Page 19: IT Security for the Physical Security Professional

Computer and Network Basics

• PC / Workstation – user computer typically dedicated to a single person’s use
• Laptop – effectively a mobile PC
• Server – a more powerful PC that does the jobs required by the network
• Hard drive – a storage device in your computer

Page 20: IT Security for the Physical Security Professional

Computer and Network Basics

Computer is made up of hardware and software

String computers together by wires or wireless and you have a network

The internet, or Intranet, is really just a big network that people can go to

Page 21: IT Security for the Physical Security Professional

Computer and Network Basics

Internet – computers you can communicate with outside your network

Intranet – computers you can communicate with inside your network

Page 22: IT Security for the Physical Security Professional

IT Architecture

Logical Controls:
• Firewall – outside circle, first line of defense
• Access Controls
• Policy, Procedures, Standards
• Emergency (Incident) Response
• Services – E-mail, Web Surfing

Page 23: IT Security for the Physical Security Professional

Everybody has a job to do!

• Web Server
• E-mail Server
• Firewall
• File Server

Page 24: IT Security for the Physical Security Professional

Terminology and Concepts

• Internet Protocol (IP)
• E-mail
• Web Surfing (HTTP)
• Applications
• Databases
• Firewall
• DMZ / Segmentation

Page 25: IT Security for the Physical Security Professional

More Technical Stuff

• Storage
• Client server
• Router
• Cabling – Ethernet, Fibre Optic
• Packets
• Addressing
• Modems

Page 26: IT Security for the Physical Security Professional

Break Time

Page 27: IT Security for the Physical Security Professional

Common ITS Attacks

• Man in the middle
• Brute Force
• Spoofing
• Denial of Service
• Sniffer attacks
• Viruses, Worms and Trojan Horses
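Of the attacks listed here, brute-force password guessing is the one whose fingerprint can be read straight out of ordinary authentication logs, and the deck later counts “Logs not audited” among its top vulnerabilities. The following is an added example, not material from the presentation: a small Python audit that slides a one-minute window over sshd-style syslog lines. The sample lines, the five-failures threshold and the year 2005 used to complete the year-less syslog timestamps are all constructed assumptions. It reports each source address that fills the window and escalates when a successful login follows the burst, which is the case that calls for incident response rather than just a firewall rule.

```python
"""Flag password-guessing bursts in authentication logs.

Added example (not from the slide deck). The log lines below are a
constructed sample in the usual sshd/syslog shape; the 5-in-60-seconds
threshold is an assumption a site would tune to its own baseline.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one address guesses several accounts and then gets in,
# while a second address shows one ordinary typo followed by a good login.
SAMPLE_LOG = """\
Nov 18 09:00:01 srv1 sshd[2210]: Failed password for root from 203.0.113.9 port 51015 ssh2
Nov 18 09:00:03 srv1 sshd[2211]: Failed password for admin from 203.0.113.9 port 51016 ssh2
Nov 18 09:00:04 srv1 sshd[2212]: Failed password for invalid user test from 203.0.113.9 port 51017 ssh2
Nov 18 09:00:06 srv1 sshd[2213]: Failed password for oracle from 203.0.113.9 port 51018 ssh2
Nov 18 09:00:07 srv1 sshd[2214]: Failed password for jsmith from 203.0.113.9 port 51019 ssh2
Nov 18 09:00:08 srv1 sshd[2215]: Accepted password for jsmith from 203.0.113.9 port 51020 ssh2
Nov 18 09:12:40 srv1 sshd[2300]: Failed password for jsmith from 192.0.2.25 port 40110 ssh2
Nov 18 09:12:55 srv1 sshd[2301]: Accepted password for jsmith from 192.0.2.25 port 40111 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log_text, year=2005):
    """Turn syslog lines into (time, result, user, source) tuples, oldest first.

    Syslog carries no year, so the caller supplies it (2005 here, an assumption).
    Lines that do not match the pattern are skipped rather than guessed at.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def find_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failures per source address.

    A source reaching `threshold` failures inside any `window` is a burst.
    A later successful login from a bursting source is reported as well.
    """
    recent = defaultdict(deque)     # src -> failure times still inside the window
    failures = defaultdict(int)     # src -> total failures seen
    users = defaultdict(set)        # src -> distinct account names tried
    burst_start = {}                # src -> time the window first filled
    success_after = set()           # sources that logged in after bursting

    for ts, result, user, src in events:
        if result == "Failed":
            failures[src] += 1
            users[src].add(user)
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in burst_start:
                burst_start[src] = q[0]
        elif result == "Accepted" and src in burst_start:
            success_after.add(src)

    return [
        {
            "src": src,
            "burst_start": burst_start[src],
            "failures": failures[src],
            "distinct_users": len(users[src]),
            "success_after_burst": src in success_after,
        }
        for src in sorted(burst_start)
    ]


def audit(log_text, **kwargs):
    """Parse and analyse in one call; returns the list of findings."""
    return find_bursts(parse(log_text), **kwargs)


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        flag = "COMPROMISE LIKELY" if f["success_after_burst"] else "guessing"
        print(f"{f['src']}: {f['failures']} failures, {f['distinct_users']} accounts, "
              f"from {f['burst_start']:%H:%M:%S} -> {flag}")
```

The second address in the sample shows why a per-source window matters: one failed attempt followed by a good login is a normal user mistyping a password, and it is never reported, while the first address trips the window on five different account names in six seconds and then succeeds.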

Page 28: IT Security for the Physical Security Professional

Slammer

Source: www.wired.com

• January 25, 2003 – first victim 12:30am Eastern Standard Time
• 12:45am – huge sections of the Internet off line
• Three hundred thousand cable modems in Portugal went dark, and South Korea fell right off the map: no cell phone or Internet service for 27 million people.

Slammer knocked out more than just the Internet. Emergency 911 dispatchers in Seattle resorted to paper. Continental Airlines, unable to process tickets, canceled flights from its Newark hub.

Total cost of the bailout: more than $1 billion.

Page 29: IT Security for the Physical Security Professional

Enterprise Security

• Physical Security of IT Assets
• Access Control
• Network Security
• Disaster Recovery
• Encryption
• Legal
• Human Resources
• Telecommunications
• Spyware
• Computer Crime

Page 30: IT Security for the Physical Security Professional

Physical security of IT assets

• Laptops
• PDA
• USB Storage
• IPOD
• Monitors
• Servers
• Cooling and Fire Suppression

Page 31: IT Security for the Physical Security Professional

Access Control

• Perimeter
• AD – Directory Services
• Application Access Control
• DMZ
• Segmentation

Page 32: IT Security for the Physical Security Professional

Network Security

• Patching
• Excessive Services
• Servers
• Database Security
• Modems
• Wireless
• Documentation
• Disposal of Technology Assets

Page 33: IT Security for the Physical Security Professional

Disaster Recovery

• Network is mission critical for business resumption – payments, salaries, purchasing
• Phones (VOIP)
• Security systems reliant on network?

Incident Response
• Custody of evidence
• Law enforcement liaison
• Review of alarm and access logs

Page 34: IT Security for the Physical Security Professional

Encryption

• File encryption – do not confuse this with password protecting a file
• E-mail encryption – if you do not know if it is encrypted, it isn’t
• Digital certificate
• Digital signature
• Remote access
• Wireless – war driving, for fun and profit

Page 35: IT Security for the Physical Security Professional

Remote Access Security

[Diagram: a Home User connects over the INTERNET to Your Company (Enter your User ID: JSmith / Enter your Password: Iw2gstw! / Access Granted); the same home machine also connects to a file sharing server (KaZaa, BearShare, Napster) and an on-line video game server (Quake, Counterstrike, Everquest)]

Page 36: IT Security for the Physical Security Professional

[Diagram: Home – Wireless – INTERNET]

Page 37: IT Security for the Physical Security Professional

Legal

• Section 163 – Child Porn
• Interception – Section 184 (1): Everyone who, by means of any electro-magnetic, acoustic, mechanical or other device, willfully intercepts a private communication is guilty of an indictable offence…
• Theft of Telecommunications – Section 326 (1)(b): Everyone commits theft who fraudulently… uses any telecommunications facility or obtains any telecommunication service

Page 38: IT Security for the Physical Security Professional

Human Resources

• Code of Ethics
• Confidentiality Agreements
• Background checks on vendors and ITS consultants

Page 39: IT Security for the Physical Security Professional

Telecommunications

• Telephone Fraud – Phone Wall
• Wireless – 801.x WiFi, Bluetooth, RIM – Blackberry, Wireless Air-cards, Evil Twins, “Netstumbler”
• Voice over Internet Protocol (VOIP)

Page 40: IT Security for the Physical Security Professional

Spyware

Broad definition could be: software that –
• is installed on a user’s computer to collect information about the user or use of a computer without appropriate notice and consent
• makes unauthorized use of users’ computers and Internet connections, or
• has faulty or weak user-privacy protections

Information collected or tracked can include click-stream data and user’s web browsing habits, online transaction information (such as credit card numbers), user names, passwords, etc.

Keystroke Loggers (a.k.a. Keyloggers or Snoopware)
• Software that runs in the background, recording all keystrokes of the user

Page 41: IT Security for the Physical Security Professional

Installation Methods of Spyware

• Drive-by downloads – automatic download to computer, often without knowledge or consent; can be initiated by visiting a web site or viewing an HTML e-mail message
• Bundling – installation takes place along with another application, e.g., some peer-to-peer file sharing applications and some screensavers
• Deception – installation occurs when user clicks on a deceptive window, e.g., pop-up window that resembles a request from a reputable organization

Page 42: IT Security for the Physical Security Professional

Negative Effects of Spyware

• Loss of privacy, including potential for identity theft
• Loss of control, including potential for: redirect of “home” and “search” pages; increased number of advertisements; hijacking of browser or Internet connection; difficulty in removing unwanted software
• Decreased desktop productivity – potential to slow down a user’s Internet connection; potential to impact user’s ability to install applications

Page 43: IT Security for the Physical Security Professional

Computer Crime

• Dramatic increase in cyber crime – 20 minutes to 12 seconds in 1 year
• Identity Theft
• Access to confidential information
• The only change is the location of the asset

Page 44: IT Security for the Physical Security Professional

LUNCH

Page 45: IT Security for the Physical Security Professional

What you can do!

• Security awareness
• Wireless
• Cybercrime reduction
• Data centre security
• Personnel security
• Threat and Risk Assessment

Page 46: IT Security for the Physical Security Professional

Security Awareness

• Talk to users about risks of equipment, data, personal information, competitive info – inadvertent disclosure
• Repetition is the key – new employee orientation is still important
• Evangelize incidents when they do occur
• When servers go down, find out why – this may be a source of information to support more security

Page 47: IT Security for the Physical Security Professional

Wireless

Determine if a policy exists at your workplace on wireless – communicate the risks if not

Assist in identifying rogue wireless equipment

Support possible encryption solutions

Page 48: IT Security for the Physical Security Professional

Cybercrime Reduction

• Work together to look for signs of cyber crime – 2 departments are better than 1
• Security awareness sessions should include spyware awareness and how this can affect cyber criminals’ ability to victimize
• Firewalls
• Antivirus
• Anti spyware
• Know what you download – read the licensing agreement

Page 49: IT Security for the Physical Security Professional

Data Centre Security

• Review data centre environmental controls and procedures – HVAC, Power, Data Tape removal
• Networking equipment – Cable Rooms, Network closets

Page 50: IT Security for the Physical Security Professional

Personnel Security

• System Administrators and DBAs – increased privileges and access create potential mission critical risks if the employment relationship degrades – prepare differently
• Background checks on all persons who will get elevated privileges
• Techies have all kinds of information storage devices

Page 51: IT Security for the Physical Security Professional

Threat and Risk Assessment

Add ITS items to building TRA:
• Open ports in public areas
• Access to desktops by unauthorized persons
• Wireless hotspots
• Storage areas of IT assets
• Physical security controls of IT areas
• Fire suppression issues in data centres
• Privacy impacts

Page 52: IT Security for the Physical Security Professional

ITS Standards

• ISO 17799
• COBIT
• NIST
• Orange Book

Page 53: IT Security for the Physical Security Professional

Top 20 ITS Vulnerabilities

• Desktop Security
• Password Choice
• Password Sharing
• Insecure User ID and Password
• Excessively logged in machines
• Wireless
• USB Storage
• Portable devices w/o passwords
• Access control to equipment
• No background checks on administrators
• Patch Installation
• Excessive Services
• Stale user pool
• Unauthorized privileges
• Too many power users
• Bad installations
• Insecure coding
• Plain text authentication
• Remote access back doors
• Logs not audited

Page 54: IT Security for the Physical Security Professional

ISO 17799

• Security Policy
• Security Organization
• Personnel Security
• Asset Classification and Control
• Physical and Environmental Security
• Communications and Operations Management
• Business Continuity Planning
• System Development and Maintenance
• Access Control
• Compliance

Page 55: IT Security for the Physical Security Professional

Break

Page 56: IT Security for the Physical Security Professional

Where you can help – Today?

• TRA
• Cyber Investigations
• Loss Prevention – Hardware
• Confidentiality
• Desktop Security
• Security Awareness

Page 57: IT Security for the Physical Security Professional

Security Awareness Checklist

• Inappropriate Content – Education, Filtering, Equipment
• Web mail – MSN, Yahoo
• Passwords – Selection, protection
• Hardware – Laptops, Palm pilots, USB Storage devices, LCD, cell phones
• Privileges – Termination or leave, Transfer departments

Page 58: IT Security for the Physical Security Professional

Security Awareness Checklist

Good Practices
• Locking workstation when away
• Don’t share passwords or IDs
• Naming servers

Dangerous items
• Keyloggers
• Wireless access
• Easy to remove storage devices
• CD writers

Page 59: IT Security for the Physical Security Professional

Spyware Checklist

• Use defense mechanisms
• Don’t allow free programs
• Lock down desktop – day-to-day tasks do not require Administrator privileges
• Recognize deceptive software
• Recognize signs of spyware in action – slow performance, browser hijacking, pop ups, clicking sounds or lights flashing when computer not in use

Page 60: IT Security for the Physical Security Professional

Technical Checklist

• Non std ports should be closed unless required to be open – who/what is using these ports? e.g. port 51015 is open for no reason
• Turn off default or unnecessary services: Echo, Chargen, Discard, HTTP
• Move away from clear text authentication services: FTP (should never communicate with the outside world directly using plain text authentication), Telnet (use SSH or SFTP instead)
• Make sure you’re running updated versions of software with current patches – especially if you are running webservers, e.g. apache
• Make friends first
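The first three items on this checklist are answered by one question: what is this host listening on, and why? The following is an added example, not from the presentation: a Python audit over constructed `ss -tlnp` style output from a Linux host. It parses the LISTEN lines, passes over an allowlist of documented ports (the allowlist, process names and port 51015’s owner are assumptions for the example), and classifies the rest using the checklist’s own categories: the legacy small services (echo, discard, chargen) to turn off, the clear-text authentication services (FTP, Telnet) to replace, loopback-only services that merely need documenting, and any other open port that nobody can explain.

```python
"""Audit a host's listening ports against the technical checklist.

Added example (not from the slide deck). Input is constructed `ss -tlnp`
style output; the allowlist and the process labels are assumptions.
"""
import re

# Constructed sample in the shape of `ss -tlnp` output on a Linux host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       5       0.0.0.0:23           0.0.0.0:*          users:(("inetd",pid=640,fd=5))
LISTEN  0       5       0.0.0.0:7            0.0.0.0:*          users:(("inetd",pid=640,fd=6))
LISTEN  0       5       0.0.0.0:19           0.0.0.0:*          users:(("inetd",pid=640,fd=7))
LISTEN  0       32      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=701,fd=3))
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*          users:(("apache2",pid=900,fd=4))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=950,fd=21))
LISTEN  0       128     0.0.0.0:51015        0.0.0.0:*          users:(("agentd",pid=1337,fd=9))
"""

# Services the slide says to turn off outright (no business use, trivially abused).
LEGACY_SERVICES = {7: "echo", 9: "discard", 19: "chargen"}
# Services the slide says to replace because they authenticate in clear text.
CLEARTEXT_AUTH = {21: "ftp (use sftp)", 23: "telnet (use ssh)"}
# Ports this host is documented to expose: an assumption for the example.
ALLOWLIST = {22, 443}

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s*(?P<proc>.*)$")
PROC_RE = re.compile(r'\(\("(?P<name>[^"]+)"')


def parse_listeners(ss_text):
    """Return [(addr, port, process)] for every LISTEN line; other lines are ignored."""
    listeners = []
    for line in ss_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, port = m["local"].rsplit(":", 1)   # handles 0.0.0.0:22 and [::]:22
        pm = PROC_RE.search(m["proc"])
        listeners.append((addr, int(port), pm["name"] if pm else "?"))
    return listeners


def is_loopback(addr):
    """True for sockets that only the host itself can reach."""
    return addr == "[::1]" or addr.startswith("127.")


def audit_ports(ss_text, allowlist=ALLOWLIST):
    """Classify each listener; returns findings sorted by port.

    severity: 'high' for legacy or clear-text services, 'medium' for an
    unexplained port reachable from the network, 'low' for loopback-only
    services that are merely undocumented. Allowlisted ports produce nothing.
    """
    findings = []
    for addr, port, proc in parse_listeners(ss_text):
        if port in allowlist:
            continue
        if port in LEGACY_SERVICES:
            sev, reason = "high", f"legacy service {LEGACY_SERVICES[port]}: turn it off"
        elif port in CLEARTEXT_AUTH:
            sev, reason = "high", f"clear-text authentication: {CLEARTEXT_AUTH[port]}"
        elif is_loopback(addr):
            sev, reason = "low", "loopback-only and undocumented: confirm and document"
        else:
            sev, reason = "medium", "non-standard port open: who/what is using it?"
        findings.append({"port": port, "addr": addr, "process": proc,
                         "severity": sev, "reason": reason})
    return sorted(findings, key=lambda f: (f["port"], f["addr"]))


if __name__ == "__main__":
    for f in audit_ports(SAMPLE_SS):
        print(f"[{f['severity']:6}] {f['addr']}:{f['port']} ({f['process']}) - {f['reason']}")
```

The process column is what turns “port 51015 is open for no reason” into a conversation with an owner: the audit names the binary holding the socket, so the follow-up is “why is agentd listening?” rather than a search through the whole host.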

Page 61: IT Security for the Physical Security Professional

Technical Checklist

• No unencrypted administrator passwords left on servers
• Everything of value needs a password, especially admin accounts
• No surfing the web with administration accounts
• Reduce the opportunity for arbitrary code to be able to run
• Registry should not be writable for non-admin users

Page 62: IT Security for the Physical Security Professional

Technical Checklist

Avoid allowing anonymous connections

Turn off unnecessary web servers (Tivoli Storage web server, Apache, other)

SNMP community strings – should be disabled or set to private, make sure the version is patched or up to date

Passwords should not be “hard-coded” into applications

Wireless is simply dangerous!
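Two items on this slide, SNMP community strings and passwords hard-coded into applications, can be caught by reading configuration text rather than probing the network. The following is an added example, not from the presentation: a Python scan over two constructed configuration excerpts. The net-snmp directive names (rocommunity, rwcommunity, com2sec, rouser) are real; every value, the file contents and the severity labels are constructed assumptions. It flags the vendor-default community strings “public” and “private” (both ship as defaults on common equipment, so the slide’s “set to private” is read here as “set to a non-default, site-private string”), community strings accepted from any source address, and credential-looking keys whose value is a literal rather than a reference to the environment.

```python
"""Scan configuration text for default SNMP community strings and
hard-coded credentials.

Added example (not from the slide deck). The config excerpts are
constructed; the net-snmp directive names are real, the values are not.
"""
import re

# Constructed snmpd.conf excerpt: two default community strings, one
# site-specific string restricted to a management subnet, one SNMPv3 user.
SAMPLE_SNMPD = """\
# snmpd.conf (constructed)
rocommunity public
rwcommunity private 10.0.0.0/8
rocommunity x7Qm-NetMon-2005 192.0.2.0/24
rouser monitor authpriv
"""

# Constructed application config: one hard-coded secret, one secret
# correctly deferred to the environment.
SAMPLE_APP = """\
db_host = db1.example.internal
db_user = appsvc
db_password = Summer2005!
api_token = ${API_TOKEN}
"""

# Vendor defaults that every scanner tries first.
DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_RE = re.compile(
    r"^\s*(?P<dir>rocommunity|rwcommunity)\s+(?P<name>\S+)(?:\s+(?P<source>\S+))?"
)
COM2SEC_RE = re.compile(r"^\s*com2sec\s+\S+\s+(?P<source>\S+)\s+(?P<name>\S+)")
SECRET_KEY_RE = re.compile(
    r"^\s*(?P<key>[\w.-]*(?:pass|passwd|password|secret|token)[\w.-]*)\s*[=:]\s*(?P<val>\S+)",
    re.IGNORECASE,
)


def audit_snmp(text):
    """Return [(line_no, severity, message)] for weak SNMP v1/v2c community settings.

    'default' is net-snmp's keyword for any source address, and a missing
    source on rocommunity/rwcommunity means the same thing.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = COMMUNITY_RE.match(line) or COM2SEC_RE.match(line)
        if not m:
            continue
        name, source = m["name"], m.groupdict().get("source")
        if name.lower() in DEFAULT_COMMUNITIES:
            access = "read-write" if line.lstrip().startswith("rwcommunity") else "read-only"
            findings.append((n, "high", f"default community string '{name}' grants {access} access"))
        if source in (None, "default"):
            findings.append((n, "medium", "community string accepted from any source address"))
    return findings


def audit_secrets(text):
    """Return [(line_no, severity, message)] for credential keys with literal values.

    A value that references the environment (${NAME} or $NAME) is accepted;
    anything else assigned to a password/secret/token key is a hard-coded credential.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = SECRET_KEY_RE.match(line)
        if not m or m["val"].startswith("$"):
            continue
        findings.append((n, "high", f"hard-coded credential in '{m['key']}'"))
    return findings


if __name__ == "__main__":
    for label, findings in (("snmpd.conf", audit_snmp(SAMPLE_SNMPD)),
                            ("app.conf", audit_secrets(SAMPLE_APP))):
        for n, sev, msg in findings:
            print(f"{label}:{n} [{sev}] {msg}")
```

Note that the third rocommunity line passes both checks: a non-default string limited to the management subnet is the minimum for v2c, and the rouser line shows the v3 alternative the slide’s “make sure the version is patched or up to date” points toward.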

Page 63: IT Security for the Physical Security Professional

Website Resources

www.securityfocus.com

www.issa.org

www.isaca.org

www.sans.org

Page 64: IT Security for the Physical Security Professional

Questions?

Angela [email protected]

Dave [email protected]