IT Security: Julie Schmitz, James Mote, Jason Tice

Upload: jemimah-long

Post on 11-Jan-2016

TRANSCRIPT

Page 1: IT Security Julie Schmitz James Mote Jason Tice

IT Security
Julie Schmitz, James Mote, Jason Tice

Page 2: Agenda

• Overview of basic IT security
• Human Resources Command-St. Louis
• Inside Financing
• Recommendations and Best Practices
• Closing and questions

Page 3: IT Security Defined

• “Broadly speaking, security is keeping anyone from doing things you do not want them to do to, with, or from your computers or any peripherals”

-William R. Cheswick

Page 4: IT Security Overview

• Intruders - hackers and crackers
• Insiders – fraud case at Financing
• Criminals
• Online scam artists
• Terrorists

Page 5: IT Security Overview

• Hacker
– A person who enjoys exploring the details of programmable systems and how to stretch their capabilities
– Hackers tend to view themselves as very knowledgeable computer programmers, sometimes to the point of arrogance
– A true hacker will look for weaknesses in a system and publish them

Source: FBI Cyber Task Force

Page 6: IT Security Overview

• Cracker
– One who breaks security on a target computer system
– The term was coined by hackers around 1985 in defense against the journalistic misuse of the term “hacker”
– Crackers tend never to disclose their findings

Source: FBI Cyber Task Force

Page 7: Hackers or Crackers?

Page 8: How Does a Hacker Affect You?

• Michael Buen and Onel de Guzman
– Both are suspected of writing the “I Love You” virus
• David L. Smith
– Melissa virus author
– Released March 26, 1999
– Caused an estimated $80 million in damages

Source: FBI Cyber Task Force

Page 9: IT Security at Your Office

• Social engineering
• Denial of service attacks (DoS)
• E-mail bombs
• Password cracking
• Web spoofs
• Trojan, worm, virus attacks
• Antivirus tools

Source: FBI Cyber Task Force

Page 10: Social Engineering

• A con game played by computer-literate criminals
• Works because people are the weakest link in any security system

Source: FBI Cyber Task Force

Page 11: Denial of Service

• Prevents users from using a computer service
• One type of DoS attack involves continually sending phony authentication messages to a targeted server; the server exhausts its capacity on the bogus requests, stays constantly busy, and locks out legitimate users
• Ping attacks
• DDoS attacks
– Uses multiple computers to coordinate DoS attacks

Source: FBI Cyber Task Force

Page 12: Email Bombs

• A type of denial of service attack
• Email bombs involve sending enormous amounts of email to a particular user, in effect shutting down the email system
• Many spammers fall victim to this type of attack
• No need to manually send email; downloadable programs will do it for you

Source: FBI Cyber Task Force
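The two flooding attacks on Pages 11 and 12 (a server kept busy by a stream of bogus requests, and a mailbox flooded with messages) produce the same detection signal: far more events from one source, or toward one target, than a legitimate sender would generate in a short window. The sliding-window detector below is an added example, not code from the presentation or from the FBI material it cites. The log format ("timestamp kind key"), the sample lines, the 10-second window and the threshold of 5 events are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in an assumed "timestamp kind key" format.
# "auth" lines stand in for authentication requests hitting a server,
# keyed by source address; "mail" lines stand in for messages delivered
# to a mailbox, keyed by recipient.
SAMPLE_LOG = """\
2004-11-04T10:00:00 auth 10.1.1.5
2004-11-04T10:00:00 mail alice@example.com
2004-11-04T10:00:01 auth 10.1.1.5
2004-11-04T10:00:01 auth 10.1.1.5
2004-11-04T10:00:02 auth 10.1.1.5
2004-11-04T10:00:02 mail bob@example.com
2004-11-04T10:00:03 auth 10.1.1.5
2004-11-04T10:00:03 auth 192.168.7.20
2004-11-04T10:00:04 auth 10.1.1.5
2004-11-04T10:00:30 mail alice@example.com
2004-11-04T10:00:31 mail alice@example.com
2004-11-04T10:00:31 mail alice@example.com
2004-11-04T10:00:32 mail alice@example.com
2004-11-04T10:00:33 mail alice@example.com
2004-11-04T10:00:34 mail alice@example.com
2004-11-04T10:05:00 auth 10.1.1.5
"""


def parse_line(line):
    """Split one log line into (timestamp, kind, key)."""
    ts, kind, key = line.split()
    return datetime.fromisoformat(ts), kind, key


def detect_floods(log_text, window_seconds=10, threshold=5):
    """Return {(kind, key): timestamp} for every (kind, key) that sees more
    than `threshold` events inside any `window_seconds` window.

    One deque per (kind, key) holds the timestamps currently inside the
    window; entries older than the window are evicted from the left as the
    window slides forward, so memory stays bounded by the event rate."""
    windows = defaultdict(deque)
    flagged = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, kind, key = parse_line(raw)
        q = windows[(kind, key)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold and (kind, key) not in flagged:
            flagged[(kind, key)] = ts  # record the moment the flood was first seen
    return flagged


if __name__ == "__main__":
    for (kind, key), when in detect_floods(SAMPLE_LOG).items():
        print(f"{when.isoformat()} {kind} flood involving {key}")
```

Run as is, it flags the burst of six authentication attempts from 10.1.1.5 and the six messages to alice@example.com within a few seconds, while the single events from other sources and the lone message to bob@example.com pass. The same loop works for a real server log once `parse_line` is adapted to its format; the threshold is the tuning knob that separates a busy legitimate client from a flood.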

Page 13: Password Cracking

• Involves repeatedly trying common passwords against an account in order to log into a computer system
• Freely available “cracking” programs facilitate this process

Source: FBI Cyber Task Force

Page 14: Web Spoofing

• “Faking the origin”
• The attacker creates a false or shadow copy of a reputable web site; all network traffic between the victim’s browser and the shadow page is sent through the attacker’s machine
• Allows the attacker to acquire information such as passwords, credit card numbers, and account numbers

Source: FBI Cyber Task Force
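A spoofed site only works if the victim does not notice that the origin shown in the browser is not the real one. The check below is an added example, not from the presentation or the FBI material: given a URL and an allowlist of hostnames the user legitimately expects (the allowlist, the sample URLs and the edit-distance threshold of 2 are constructed assumptions), it extracts the host the browser will actually connect to, rejects the userinfo trick in which a trusted name is placed before “@”, rejects plain HTTP for a site that should be HTTPS, and flags hosts that are a character or two away from a legitimate one or that embed a legitimate name inside an attacker-controlled domain.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hostnames the user legitimately expects to visit.
LEGIT_HOSTS = {"bank.example", "www.bank.example"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike (typo-squat) hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_origin(url, legit_hosts=LEGIT_HOSTS, max_distance=2):
    """Classify a URL as ('ok', host), ('spoof', reason) or ('unknown', host).

    The origin the browser really talks to is scheme + hostname. Anything
    before '@' is userinfo: the browser ignores it, but the victim sees it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # e.g. https://www.bank.example@198.51.100.7/ shows the trusted name first
        return ("spoof", f"userinfo '{parts.username}' hides real host {host}")
    if host in legit_hosts:
        if parts.scheme != "https":
            return ("spoof", f"{host} reached over {parts.scheme}, not https")
        return ("ok", host)
    for legit in legit_hosts:
        bare = legit[4:] if legit.startswith("www.") else legit
        if host.endswith("." + bare):
            return ("ok", host)  # genuine subdomain of an allowed host
        if edit_distance(host, legit) <= max_distance or bare in host:
            return ("spoof", f"{host} resembles {legit}")
    return ("unknown", host)


if __name__ == "__main__":
    # Constructed sample URLs; none of these are real sites.
    for u in ["https://www.bank.example/login",
              "http://www.bank.example/login",
              "https://www.bank.example@198.51.100.7/login",
              "https://www.bamk.example/login",
              "https://bank.example.attacker.example/login",
              "https://news.example/"]:
        print(check_origin(u), "<-", u)
```

The same three checks (real hostname, not the text before “@”; expected scheme; distance from a known-good name) are what a user should apply by eye to the address bar, which is exactly what Pages 15 and 16 illustrate.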

Page 15: What Should Have Been Displayed

Page 16: What Was Displayed

Page 17: Trojan, Worm, and Virus

• A Trojan program does not propagate itself from one computer to another
• A worm reproduces ITSELF over a network, without needing a host program
• A virus, like its biological counterpart, attaches to a host and looks for ways to infect other systems or “replicate” itself (e.g., via e-mail)

Source: FBI Cyber Task Force

Page 18: Trojans

• Trojans are malicious files masquerading as harmless software upgrades, programs, help files, screen savers, pornography, etc.
• When the user opens the file, the Trojan horse runs in the background and can cause damage to the computer system (hard drive damage, total access, capture of username and password)

Source: FBI Cyber Task Force

Page 19: Trojan Control

Page 20: Virus

• A program that replicates without being asked to
• Copies itself to other computers or disks
• Huge threat to companies

Source: FBI Cyber Task Force

Page 21: Antivirus Tools

• Any hardware or software designed to stop viruses, eliminate viruses, and/or recover data affected by viruses
• AV tools refer to software systems deployed at the desktop or on the server to eliminate viruses, worms, trojans, and some malicious applets
• Should be used as part of a security policy

Source: FBI Cyber Task Force

Page 22: After the Incident

• Identify means to avoid another attack
– Download and apply the latest patches
– Repair compromised systems
– Re-educate users
– Run anti-virus software
• Stay alert for signs the intruder is still in your system
• Log traffic data

Source: FBI Cyber Task Force

Page 23: Security Budget

Page 24: The Facts on IT Security Budgets

• 62 percent of technology officers feel no pressure to increase spending this year
• 40 percent of their budgets will go toward preventing existing machinery from breaking
• Systems security tends to go unfixed until proven broken
• A simple firewall has become the ultimate security commodity
• Don’t use ROI to set the IT security budget

Source: FBI Cyber Task Force

Page 25: Money Lost Due to Different Types of Attacks

Type of attack                        Amount of loss
Sabotage                                  $871,000
System penetration                        $901,500
Web site defacement                       $958,100
Misuse of public Web applications       $2,747,000
Telecom fraud                           $3,997,500
Unauthorized access                     $4,278,205
Laptop theft                            $6,734,500
Financial fraud                         $7,670,500
Abuse of wireless networks             $10,159,250
Insider Net abuse                      $10,601,055
Theft of proprietary info              $11,460,000
Denial of service                      $26,064,050

(Bar chart, x-axis $0 to $30,000,000; amounts are paired with categories in the order both appear on the slide.)

Source: Federal Bureau of Investigation / Computer Security Institute – http://www.gocsi.com - viewed 11/4/2004

Page 26: I.T. Security Brief - Human Resources Command, St. Louis

Page 27: Human Resources Command St. Louis Historical Timeline

• First established in 1944 at 4300 Goodfellow
• First known as the Demobilized Personnel Records Branch after WWII
• In 1956, moved to its present location, 9700 Page
• In 1971, Reserve Components Personnel Center at Ft. Benjamin Harrison merged with St. Louis
• In 1985, Army Reserve Personnel Center (ARPERCEN) was formed
• In 2003, organization was renamed to Human Resources Command (HRC)

Source: https://www.2xcitizen.usar.army.mil/2xhome.asp - viewed 11/1/2004

Page 28: Human Resources Command (HRC) St. Louis Overview

• Supports or conducts the Human Resources Life Cycle for over 1.5 million customers
• Workforce comprised of over 65% civilians, 30% Active Guard-Reserve soldiers, 5% Active Component soldiers
• Of the military workforce, most officers are Majors (O-4) & most non-commissioned officers are Sergeants First Class (E-7s)
• 65-acre facility located off Page Avenue
• Total of nine Directorates

Source: https://www.2xcitizen.usar.army.mil/2xhome.asp - viewed 11/1/2004

Page 29: Human Resources Command (HRC) Mission Statement

• To provide the highest quality human resources life cycle management in the functional areas of structure, acquisition, distribution, development, deployment, compensation, sustainment and transition for all Army Reserve Soldiers, resulting in a trained and ready force in support of the national military strategy.
• To provide human resource services to our retired reserve and veterans.

Source: https://www.2xcitizen.usar.army.mil/2xhome.asp - viewed 11/1/2004

Page 30: Information Assurance Office

(Organization chart)
• Information Assurance Manager (Rank: Major)
• Assistant IAM (Rank: CPT)
• IANCO (Rank: MSG)
• Civilian (GS-13): Deputy IAM
• Civilian (GS-12): Information Tech & Sec Specialist
• Civilian (GS-11): Information Tech & Sec Specialist
• Civilian (GS-11): Information Tech & Sec Specialist

Source: Information Assurance Office, Human Resources Command, St. Louis

Page 31: Information Assurance Manager Duties

• Major: Responsible for overall IT security
• Captain: Drafts & submits policy
• Master Sergeant: Verifies security clearances; training; account requests
• GS-13: Updates patches & ACERT compliance
• GS-12: System Security Authorization Agreement; Networthiness Certification
• GS-11: Investigates computer forensics; backup for updates & patches
• GS-11: Backup for computer forensics; training; account requests; verifies security clearances

Source: Information Assurance Office, Human Resources Command, St. Louis

Page 32: Information Assurance Defined

• The protection of systems and information in storage, processing, or transit from unauthorized access or modification; from denial of service to authorized users; or from the provision of service to unauthorized users
• Also includes those measures necessary to detect, document, and counter such threats
• This regulation designates IA as the security discipline that encompasses COMSEC, INFOSEC, and control of compromising emanations

Source: Army Regulation (AR) 25-2

Page 33: Information Assurance Organization

(Organization chart)
• Chief Information Officer, U.S. Army Reserve Command, Atlanta, Georgia
– Information Assurance Officer, Human Resources Command-St. Louis
– Information Assurance Officers, 11 Regional Support Commands

Source: Information Assurance Office, Human Resources Command, St. Louis

Page 34: In Order to Gain System Access

• All military must have a Security Clearance
• Some civilians must have a Security Clearance
• Other civilians must have at least a National Agency Check (NAC)
• All employees must submit a request for system access

Source: Information Assurance Office, Human Resources Command, St. Louis

Page 35: Common End User Problems

• Pornography
• Running businesses
• Unauthorized use of illegal software
• Sharing of logons/passwords

Source: Information Assurance Office, Human Resources Command, St. Louis

Page 36: What Happens If You Get Locked Out?

• Go to your local Information Mgmt personnel assigned to serve your directorate

Source: Information Assurance Office, Human Resources Command, St. Louis

Page 37: Main Concerns of IT Security

• Information security training
• Purchasing automation equipment without authorization
• Computers left on 24/7
• Having a qualified Information Assurance Manager that is strict
• Knowledge of the system

Source: Information Assurance Office, Human Resources Command, St. Louis, MO; Information Assurance Officer, 63rd Regional Readiness Command, Los Alamitos, California

Page 38: Anti-Virus Activity

(Two bar charts of number of events per month, Mar-04 through Sep-04: events stopped at the gateway, scale 0 to 50,000, peaking at 45,000 in April; and events stopped at the desktop, scale 0 to 50.)

Source: Information Assurance Office, Human Resources Command, St. Louis

Page 39: Probes and Scans Against Network

(Bar chart of number of attempts, scale 0 to 50,000; 135,000 year to date.)

Source: Information Assurance Office, Human Resources Command, St. Louis

Page 40: Computer Security Model

• Bell-LaPadula Model
– Developed in the 1970s by David Bell and Leonard LaPadula at MITRE for the U.S. Department of Defense
– Provides a framework for handling data of different classifications
– Known as a “multilevel security system”
– Two rules: the simple security property (a subject may not read an object classified above its clearance, “no read up”) and the *-property (a subject may not write to an object classified below its clearance, “no write down”), so information can only flow upward in classification
– One of the earliest and most famous computer security models

Source: Information Assurance Office, Human Resources Command, St. Louis; http://infoeng.ee.ic.ac.uk/~malikz/surprise2001/spc99e/article2 - viewed 11/6/2004
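The two rules above are easiest to see as code. What follows is an added example, not code from the presentation or from the article it cites: a simplified Bell-LaPadula reference monitor in Python whose labels carry a classification level and a set of compartments (the lattice the real model is defined over, with “dominates” as its partial order), plus a scenario showing why the *-property matters even for a subject who is fully cleared to read. The levels, compartment names, subjects and objects are constructed for the example.

```python
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class Label:
    """A security label: classification level plus a set of compartments.
    Labels form a lattice; `dominates` is the partial order BLP is built on."""

    def __init__(self, level, compartments=()):
        self.level = Level(level)
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        return (self.level >= other.level
                and self.compartments >= other.compartments)

    def __repr__(self):
        comps = ",".join(sorted(self.compartments)) or "-"
        return f"{self.level.name}[{comps}]"


class AccessDenied(Exception):
    pass


class Obj:
    def __init__(self, name, label, text=""):
        self.name, self.label, self.text = name, label, text


class Subject:
    def __init__(self, name, clearance):
        self.name, self.clearance = name, clearance


def can_read(subject, obj):
    """Simple security property: clearance must dominate the object's label (no read up)."""
    return subject.clearance.dominates(obj.label)


def can_write(subject, obj):
    """*-property: the object's label must dominate the clearance (no write down)."""
    return obj.label.dominates(subject.clearance)


def read(subject, obj):
    if not can_read(subject, obj):
        raise AccessDenied(f"{subject.name} {subject.clearance!r} may not read {obj.name} {obj.label!r}")
    return obj.text


def write(subject, obj, text):
    if not can_write(subject, obj):
        raise AccessDenied(f"{subject.name} {subject.clearance!r} may not write {obj.name} {obj.label!r}")
    obj.text += text
    return obj.text


def leak_attempt():
    """An analyst cleared SECRET[NUCLEAR] reads a SECRET[NUCLEAR] report and
    tries to paste it into an UNCLASSIFIED bulletin. The read is allowed;
    the *-property blocks the write, so the data cannot flow downward."""
    analyst = Subject("analyst", Label(Level.SECRET, {"NUCLEAR"}))
    report = Obj("report", Label(Level.SECRET, {"NUCLEAR"}), "secret text")
    bulletin = Obj("bulletin", Label(Level.UNCLASSIFIED))
    contents = read(analyst, report)
    try:
        write(analyst, bulletin, contents)
        return "leaked"
    except AccessDenied:
        return "blocked"


if __name__ == "__main__":
    print("leak attempt:", leak_attempt())
```

Note the asymmetry the model imposes: a low-cleared subject may write into a higher-classified object (it cannot see the result, but nothing leaks downward), while a highly cleared subject may read almost everything and write almost nothing. That is why real systems pair BLP with trusted downgrade procedures and an integrity model.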

Page 41: Information Unable to Obtain

• IT security budget
• Business policy procedures
• Outsourced IT providers information

Source: Information Assurance Office, Human Resources Command, St. Louis

Page 42: Security challenges at Financing from the CIO’s perspective

Page 43: Financing Background Info

• Financing is one of the largest domestic providers of inventory floor financing for several different industrial channels.
• Recent focus to use IT to reduce business costs by processing transactions online.
• IT operates 5 different customer-facing applications handling in excess of 4 billion dollars in transactions monthly.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 44: Case Study Research Method

• Interviewed the CIO to gain the CIO’s perspective on IT security and business.
• Interview lasted approximately 2 hours and consisted of 15 questions.
• Subsequent discussion based on what the CIO said were issues of highest concern.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 45: Most Pressing Security Concerns

1. Eliminating bad user practices
2. Measures to prevent security breaches
3. Ability to quickly recover from security failures / breaches
4. Impact of compliance with SOX regulations

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 46: Security Specifics

• No specific line item budget amount.
– Security costs are encompassed in other budget items, such as system development & testing, data center operations, etc.
• No dedicated resources focusing solely on security.
– Security related activities fall under responsibility of existing IT staff.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 47: Security Challenges: End User Security

“Security is a 50/50 proposition. A system can be perfectly secure; however, if users don’t properly use the provided security features, then there might as well be no security at all.”

-Anonymous

Page 48: End User Security: Typical Financing User

• Non-technology-savvy office clerks and bookkeepers.
• No on-site IT support to maintain individual system security.
• Many dealers have broadband access without firewall protection.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 49: End User Security: Typical Financing User

• Non-technology-savvy office clerks and bookkeepers.
• No on-site IT support to maintain individual system security.
• Many dealers have broadband access without firewall protection.
• What is so risky about this???

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 50: End User Security: Typical Financing User (2)

• Known problems with spyware and viruses.
• Account reps reported seeing multiple users post their username and password in plain view in their offices.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 51: End User Security: Typical Financing User (2)

• Known problems with spyware and viruses.
• Account reps reported seeing multiple users post their username and password in plain view in their offices.
• Poor password selection by users is consistently cited as one of the top three IT security issues.

Source: Cupps, John; How To Identify and Contain Some of the Information Security Problems Created By Unique Business Environments; http://www.sans.org/rr/whitepapers/casestudies/666.php; viewed 11/3/2004

Page 52: Password Survey

Page 53: Password Survey

• Sit down if you change your password once a week.
• Put your hand down if your password has both letters and numbers in it.

Password Security Level: Strong

Page 54: Password Survey

• Sit down if you change your password every month.
• Put your hand down if your password is NOT a word in the dictionary.

Password Security Level: Good

Page 55: Password Survey

• Sit down if you change your password only a few times each year.
• Put your hand down if you use the SAME password on multiple systems.

Password Security Level: Weak

Page 56: Password Survey

• Sit down if you NEVER change your password.
• Put your hand down if your password is simply part of your name or username.

Password Security Level: Poor

Page 57: Bad Habits Are Hard To Break

• Use familiar words or names that can be easily guessed.
• Use a password that is too short, leaving fewer characters to guess / crack.
• Use the same password on multiple systems.
• Do not change password regularly.
• Share passwords with others.
• Post passwords somewhere around their computer.

Page 58

Need for Strong Passwords

Today’s computers are capable of trying millions of word variations per second and often can guess a good number of passwords in less than a minute.

- Rob Lemos

Source: Lemos, Rob; “Hackers can crack most in less than a minute”; http://news.com.com/Passwords+The+weakest+link/2009-1001_3-916719.html; viewed 10/27/2004

Page 59

Improving Passwords at Financing

• 8-month project to consolidate and enhance application passwords

• Start November 2003, end May 2004

• Completed as a Green Belt project for 2 business and 2 IT project managers

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 60

Before consolidation . . .

• 3 applications only required a password with 3 characters.

• Only 1 application had users change their password annually.

• Users could only reset their password by calling the support center.

(Diagram: DB DB DB DB DB, five separate databases)

Page 61

After consolidation . . .

• 5 distinct applications now use a Single Sign On process.

• All applications share 1 common authentication source and logon process.

(Diagram: Single Sign On)

Page 62

User Benefits

• Only have to remember 1 password for all 5 applications.

• Once logged into one application, users can jump right into another application.

• Navigation of applications is now much easier for users.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 63

The Big Question ???

Did the project ‘Do The Right Thing?’

-or-

Did the project ‘Do The Thing Right?’

Page 64

Was ‘The Right Thing’ . . .

• Enabling ‘Single Sign On’ was ‘the right thing to do’ only when implemented in conjunction with new password rules, recommended by IBM:

– Password must be between 8 and 12 characters.

– Password must have at least 1 number in it.

– Password cannot contain elements of the user’s name, company, address, or email address.

– New passwords must be different from the prior 12 passwords.

– New passwords cannot contain more than 6 repeated characters from the last password.

– Passwords must be changed every 90 days.
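The IBM-recommended rules above, together with the bad habits listed on page 57 (short passwords, names, reuse, never changing), are what a password-change screen would check before accepting a new password. The checker below is an added example written for this page; it is not code from the presentation, from Financing, or from IBM, and the `Account` fields, function names, sample user and sample passwords are constructed for illustration. Two points the slide leaves open are handled as labelled assumptions: "no more than 6 repeated characters from the last password" is read as characters matching at the same position, and that comparison is made against the current password the user types in at change time, while the prior-12 rule is checked against salted hashes so that old passwords never have to be kept in the clear.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import date

# Rule parameters taken from the slide: 8-12 chars, 1 digit, prior 12, 6 shared, 90 days
MIN_LEN, MAX_LEN = 8, 12
HISTORY_DEPTH = 12
MAX_SHARED_CHARS = 6
MAX_AGE_DAYS = 90
PBKDF2_ROUNDS = 50_000  # assumption: any slow, salted password hash would do here


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256; only hashes of old passwords are ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    """Constructed account record; the field names are assumptions."""
    username: str
    full_name: str
    company: str
    address: str
    email: str
    last_changed: date
    history: list = field(default_factory=list)  # [(salt, hash)], newest first


def personal_tokens(acct: Account) -> set:
    """Fragments of the user's identity that a password may not contain."""
    sources = [acct.username, acct.full_name, acct.company, acct.address, acct.email]
    tokens = set()
    for text in sources:
        for tok in re.split(r"[\s@.,\-_]+", text):
            if len(tok) >= 3:  # ignore tiny fragments such as "St" or initials
                tokens.add(tok.lower())
    return tokens


def check_new_password(acct: Account, current_pw: str, new_pw: str) -> list:
    """Return the names of the rules the candidate breaks; [] means accepted."""
    problems = []
    if not MIN_LEN <= len(new_pw) <= MAX_LEN:
        problems.append("length")      # 8 to 12 characters
    if not any(ch.isdigit() for ch in new_pw):
        problems.append("digit")       # at least 1 number
    lowered = new_pw.lower()
    if any(tok in lowered for tok in personal_tokens(acct)):
        problems.append("personal")    # no name / company / address / email parts
    for salt, digest in acct.history[:HISTORY_DEPTH]:
        if hmac.compare_digest(_hash(new_pw, salt), digest):
            problems.append("history")  # must differ from the prior 12
            break
    # Assumption: "repeated characters" = same character in the same position
    shared = sum(1 for a, b in zip(new_pw, current_pw) if a == b)
    if shared > MAX_SHARED_CHARS:
        problems.append("similar")     # at most 6 characters carried over
    return problems


def commit_new_password(acct: Account, new_pw: str, today: date) -> None:
    """Accept a password: push its hash onto the history and reset the age clock."""
    salt = os.urandom(16)
    acct.history.insert(0, (salt, _hash(new_pw, salt)))
    del acct.history[HISTORY_DEPTH:]   # keep only the last 12
    acct.last_changed = today


def must_change(acct: Account, today: date) -> bool:
    """The 90-day rotation rule."""
    return (today - acct.last_changed).days >= MAX_AGE_DAYS


def sample_account() -> Account:
    """Constructed test user whose current password is 'Ledger2004'."""
    acct = Account("jsmith", "Jane Smith", "Acme Financing", "123 Main St",
                   "jane.smith@example.com", date(2004, 5, 1))
    commit_new_password(acct, "Ledger2004", date(2004, 5, 1))
    return acct


if __name__ == "__main__":
    acct = sample_account()
    for candidate in ["jsmith99x", "Ledger2005", "Ledger2004", "Maple2005"]:
        print(candidate, check_new_password(acct, "Ledger2004", candidate) or "accepted")
    print("rotation due on 2004-08-01:", must_change(acct, date(2004, 8, 1)))
```

The return value is a list of rule names rather than a yes/no so that the change screen can tell the user which rule was broken; "history" and "similar" can both fire for the same candidate, which is what happens when a user tries to re-enter the password they already have.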

Page 65

Additional Benefit

• Enhanced applications to allow users to reset their password online if they forgot it.

– This eliminated nearly 200 calls per month to the application support center.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 66

Results of Project

• Application security improved through enforcing strong password rules.

• Users initially complained about having to remember a more complicated password; however, these complaints were short lived when users realized they only had to remember a single password for all 5 applications.

• Call center costs reduced by eliminating calls from users who had forgotten their password.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 67

Further Enhancing Security

• IT Department publishes articles focusing on security in its monthly newsletter to customers.

• Currently considering modifying the ‘Single Sign On’ system to use security key validation.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 68

Security Challenges: Preventing Breaches

• Technology used to enhance on-line security: all user application traffic is transported using SSL encryption.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 69

Encryption Explained

(Diagram: a Browser and a Server, each holding a KEY, connected across the INTERNET. The plaintext “My Credit Card / My Address / My Phone Number” travels between them as ciphertext such as “Jdhd923kJdss938jdsdjdskzyu”.)

Page 70

Safety of Encryption ???

True or False: Encryption prevents all third parties from intercepting transactions?

Page 71

The Answer is False . . .

• In reality, a third party could determine the correct key and decode the encrypted transactions if given enough time.

• The time and effort to crack a 128-bit encryption key is so large, given the limited strength of computing technologies, that encrypted data is considered secure, since the cost to crack the encryption outweighs the potential gains.

Page 72

IT Infrastructure & Security

• IT resources for applications are geographically separated across the country.

• Applications are run on multiple server clusters.

– If a single server goes down, other servers in the cluster can immediately take over the load from the down server.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 73

Application Monitoring

• Impossible to predict when a system breach or system outage may occur.

• IT cannot react to a situation until it has occurred.

• Staff needs to be informed as soon as possible when an outage occurs to reduce downtime.

• Fast disaster reaction time is made possible through 24 / 7 application monitoring.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 74

Application Monitoring (2)

• All applications are monitored by a third-party software tool run from multiple locations.

• Question: Why must the monitoring tool be run from multiple locations?

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 75

Application Monitoring (2)

• All applications are monitored by a third-party software tool run from multiple locations.

• Question: Why must the monitoring tool be run from multiple locations?

Answer: To ensure that the application is still being monitored even if one of the locations crashes.

Page 76

Key Components of Monitoring

• The monitoring tool confirms that the application is up and running and can be accessed by customers. It simulates the same actions as a user connecting to the application through their own web browser.

• Since the monitoring tool is acting like a user, it is often called a ‘robot’.

• The monitoring tool accesses the application and invokes the most frequently used traffic flows and transactions performed by users.

• The response time for each traffic flow and transaction is recorded.

Page 77

Preventing System Outages

• Each robot reports transaction times to a central database.

• A system alarm is sounded if any transaction time slows beyond a predetermined limit.

• Slow transactions point to a possible system problem that needs to be investigated further, possibly caused by a Denial of Service attack or a hardware problem (broken disk, failed memory/processor, etc.).

Page 78

Benefits of System Monitoring

• Reduce application downtime by proactively responding to problems before they cause a system outage.

• Allow for High-Availability Service Level Agreements.

• Quickly determine whether reported system outages are caused by network connectivity problems as opposed to application problems.

Source: Interview and personal comments from Financing’s CIO – October 2004
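Pages 75 to 78 describe one monitoring design: robots at several locations time the most-used transaction flows, report to a central database, an alarm fires when a flow exceeds its predetermined limit, and comparing locations separates network trouble from application trouble. The central-database side of that design, as an added example for this page (not the third-party tool Financing runs, whose internals the presentation does not describe): the browser-driving robot itself is left out, the location names, transaction names, limits and readings are constructed, and the rule that a robot silent for more than five minutes is reported as stale and left out of the comparison is an assumption that keeps a crashed location (the page 75 question) from distorting the verdict.

```python
from datetime import datetime, timedelta

# Predetermined per-transaction limits in milliseconds (constructed values)
LIMITS_MS = {"login": 2000, "view_balance": 1500, "make_payment": 3000}
# A robot that has not reported for this long is treated as down (assumption)
STALE_AFTER = timedelta(minutes=5)
# Reference time for the constructed readings
T0 = datetime(2004, 10, 27, 9, 0)


class CentralStore:
    """The central database every robot reports its transaction times to."""

    def __init__(self):
        self.latest = {}     # (transaction, location) -> (when, elapsed_ms, ok)
        self.last_seen = {}  # location -> time of its most recent report

    def report(self, location, transaction, elapsed_ms, ok, when):
        """One robot run of one flow; keep only the newest reading per location."""
        prev = self.latest.get((transaction, location))
        if prev is None or when >= prev[0]:
            self.latest[(transaction, location)] = (when, elapsed_ms, ok)
        if location not in self.last_seen or when > self.last_seen[location]:
            self.last_seen[location] = when


def evaluate(store, now):
    """Raise alarms for slow or failed flows and say whether the cause looks
    like the application (every live location affected) or the network
    (only some vantage points affected)."""
    stale = sorted(loc for loc, t in store.last_seen.items() if now - t > STALE_AFTER)
    live = sorted(set(store.last_seen) - set(stale))
    alarms, verdicts = [], {}
    for txn, limit in LIMITS_MS.items():
        if not live:
            verdicts[txn] = "no-data"  # every robot is down: nothing is being monitored
            continue
        slow = []
        for loc in live:
            reading = store.latest.get((txn, loc))
            if reading is None:
                continue
            _, ms, ok = reading
            if not ok or ms > limit:
                slow.append(loc)
                alarms.append((txn, loc, ms))
        if not slow:
            verdicts[txn] = "ok"
        elif len(slow) == len(live):
            verdicts[txn] = "application"                 # slow from everywhere
        else:
            verdicts[txn] = "network:" + ",".join(slow)   # slow from some places only
    return {"alarms": alarms, "stale": stale, "verdicts": verdicts}


def sample_store():
    """Constructed readings from three robots; CHI stopped reporting 12 minutes ago."""
    s = CentralStore()
    old = T0 - timedelta(minutes=12)
    rows = [
        ("STL", "login", 800, True, T0),
        ("DAL", "login", 950, True, T0),
        ("CHI", "login", 700, True, old),
        ("STL", "view_balance", 600, True, T0),
        ("DAL", "view_balance", 4200, True, T0),
        ("CHI", "view_balance", 650, True, old),
        ("STL", "make_payment", 7100, True, T0),
        ("DAL", "make_payment", 6900, True, T0),
        ("CHI", "make_payment", 900, True, old),
    ]
    for row in rows:
        s.report(*row)
    return s


def run_sample(offset_minutes=1):
    """Evaluate the constructed readings as of T0 plus an offset in minutes."""
    return evaluate(sample_store(), T0 + timedelta(minutes=offset_minutes))


if __name__ == "__main__":
    result = run_sample(1)
    for txn, verdict in result["verdicts"].items():
        print(f"{txn:13s} {verdict}")
    print("stale robots:", result["stale"])
    print("alarms:", result["alarms"])
```

Evaluated one minute after the readings, CHI is stale, `view_balance` is slow only from DAL (a network verdict naming DAL) and `make_payment` is slow from every live robot (an application verdict). Evaluated eight minutes earlier, while CHI's reports still count, the same `make_payment` readings come out as a network verdict instead, which is why a monitoring location that has gone quiet has to be excluded rather than treated as a fast vantage point.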

Page 79

Security Challenges: Fraud Prevention

“Currently so much emphasis has been put on protecting systems from unauthorized access and attack, that many have not considered or made provisions for security and fraud issues created by valid application users themselves.”

- Financing’s CIO, 10/2004

Page 80

Primary Fraud Concerns

• Applications do not allow transfer of funds to external accounts, minimizing the risk of external fraud.

• Higher probability of customers trying to manipulate data stored in the system to their advantage.

• Must walk the fine line between respecting the customer while not allowing the customer to take advantage of the company.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 81

Application Logging

• All applications log all user activity from logon to logout.

• Also logged are: IP address of the computer used for access, hostname of the system used for access, browser type, operating system, etc.

• System transactions such as interest calculations and online document requests are also logged. This allows for tracking of calculation or processing errors in back-end systems.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 82

Business Intelligence & Security

• Logs are stored by username in a separate database.

• Current data center capacity allows for live storage of more than 2 years of logs.

• The live database allows for on-demand searching of any user’s activity. The database streamlines the investigation process and reduces call center call time.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 83

Sample Fraud Cases from 2004

Case 1: Fraudulent Payments

A customer calls to report that their bank account has been debited several thousand dollars in excess. The caller suspects someone has broken into the payment system using their account.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 84

Fraud Investigation Process

• User calls the Support Center to report a suspicious problem.

• Call center pulls up all of the user’s transactions in the suspect period.

• Call center and customer identify suspicious sessions / transactions by comparing the system log with the customer’s records.

• If fraud is identified, evidence is sent to the fraud department for investigation.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 85

Problems with Fraud Investigation

• The fraud department borrows resources from the processing department and IT (both support and development) to track down the error and determine the root cause.

• When fraud is identified, the fraud department determines what reparations will be given.

• Fraud investigation has a very high cost.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 86

Preventing Fraud via Logging

• The transaction activity database allows 83% of fraud cases to be resolved in one call to the support center.

• Nearly 65% of suspected fraud cases are not fraudulent and are resolved in less than 20 minutes.

• How does this benefit the company?

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 87

Benefits to Company

• Lower risk, attract additional investment.

• Significant cost savings through minimal fraud investigation.

• Increased shareholder and customer confidence.

• Maintain high company image in light of recent corporate accounting scandals.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 88

Sample Fraud Cases from 2004

Case 1: Fraudulent Payments – What happened?

• While a dealer’s bookkeeper (the caller) was on vacation in Florida, the dealership owner received a call from their account rep telling them about a special discount program if they made several extra payments that month.

• Consequently the dealership owner logged into the payment system, using the bookkeeper’s username and password that were posted in plain view on a ‘post-it’ note on her monitor, and made several payments.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 89

Sample Fraud Cases from 2004

Case 1: Fraudulent Payments – Resolution:

• The matter was resolved in one 12-minute call to the call center. The call center rep was able to locate the suspect transactions and confirm where and when they were made.

• The bookkeeper was able to figure out what happened by asking other staff around the office who had used her computer while she was away.

• No need to escalate the case to the fraud department for further investigation.

Source: Interview and personal comments from Financing’s CIO – October 2004
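The logging described on page 81, the investigation steps on page 84 and the Case 1 resolution above fit together as a query over the per-user activity database: pull the user's transactions in the suspect period, join each one to the session that made it (IP address, hostname, browser, logon time), and compare that origin with the workstation the user normally logs in from. The code below is an added example written for this page, not Financing's system or its data; the record layouts, field names and every session and payment record are constructed to mirror Case 1, so the three suspect payments turn out to come from the bookkeeper's own workstation during her absence, which is what turns the call toward "who used your computer" rather than an outside break-in.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Session:
    """One logon-to-logout session as the application logs it (constructed layout)."""
    session_id: str
    username: str
    login: datetime
    logout: datetime
    ip: str
    hostname: str
    browser: str
    os: str


@dataclass(frozen=True)
class Transaction:
    """One logged transaction, tied to the session that performed it."""
    session_id: str
    when: datetime
    kind: str
    amount: float


def transactions_in_period(sessions, txns, username, start, end):
    """Page 84, step 2: every transaction of this user in the suspect period,
    each paired with its session so 'where and when' is available."""
    mine = {s.session_id: s for s in sessions if s.username == username}
    hits = [(t, mine[t.session_id]) for t in txns
            if t.session_id in mine and start <= t.when <= end]
    return sorted(hits, key=lambda pair: pair[0].when)


def usual_origin(sessions, username, before):
    """The (ip, hostname) this user most often logged in from before the period."""
    counts = Counter((s.ip, s.hostname) for s in sessions
                     if s.username == username and s.login < before)
    return counts.most_common(1)[0][0] if counts else None


def triage(sessions, txns, username, start, end):
    """Page 84, step 3: summarise where and when the suspect transactions were
    made so the rep and the customer can compare against the customer's records."""
    usual = usual_origin(sessions, username, start)
    hits = transactions_in_period(sessions, txns, username, start, end)
    elsewhere = [(t, s) for t, s in hits if (s.ip, s.hostname) != usual]
    return {
        "usual_origin": usual,
        "suspect_transactions": len(hits),
        "total_amount": round(sum(t.amount for t, _ in hits), 2),
        "from_usual_workstation": len(hits) - len(elsewhere),
        "other_origins": sorted({(s.ip, s.hostname) for _, s in elsewhere}),
        "timeline": [(t.when.isoformat(timespec="minutes"), t.kind, t.amount, s.hostname)
                     for t, s in hits],
    }


def sample_logs():
    """Constructed records mirroring Case 1: normal September activity from the
    bookkeeper's PC, then three payments from that same PC while she was away."""
    pc = ("10.20.30.40", "DEALER-BK-PC")
    d = datetime
    sessions = [
        Session("s1", "bkeeper", d(2004, 9, 3, 9, 5), d(2004, 9, 3, 9, 40), *pc, "IE 6.0", "Windows XP"),
        Session("s2", "bkeeper", d(2004, 9, 17, 10, 0), d(2004, 9, 17, 10, 25), *pc, "IE 6.0", "Windows XP"),
        Session("s3", "bkeeper", d(2004, 10, 6, 14, 10), d(2004, 10, 6, 14, 32), *pc, "IE 6.0", "Windows XP"),
        Session("s4", "bkeeper", d(2004, 10, 7, 8, 50), d(2004, 10, 7, 9, 5), *pc, "IE 6.0", "Windows XP"),
        Session("s5", "owner", d(2004, 10, 6, 11, 0), d(2004, 10, 6, 11, 10),
                "10.20.30.41", "DEALER-FRONT", "IE 6.0", "Windows 2000"),
    ]
    txns = [
        Transaction("s1", d(2004, 9, 3, 9, 20), "payment", 1200.00),
        Transaction("s2", d(2004, 9, 17, 10, 12), "payment", 1200.00),
        Transaction("s3", d(2004, 10, 6, 14, 20), "payment", 1500.00),
        Transaction("s3", d(2004, 10, 6, 14, 28), "payment", 2200.00),
        Transaction("s4", d(2004, 10, 7, 8, 58), "payment", 1800.00),
        Transaction("s5", d(2004, 10, 6, 11, 5), "document_request", 0.0),
    ]
    return sessions, txns


def case_1():
    """Run the triage for the constructed Case 1 over the vacation week."""
    sessions, txns = sample_logs()
    return triage(sessions, txns, "bkeeper", datetime(2004, 10, 4), datetime(2004, 10, 10, 23, 59))


if __name__ == "__main__":
    for key, value in case_1().items():
        print(f"{key}: {value}")
```

The summary reports three payments totalling 5,500 in the suspect week, all from the bookkeeper's usual workstation and none from anywhere else. Had `other_origins` listed an unfamiliar address or hostname, that is the evidence the page 84 process would hand to the fraud department; here it points back inside the office, which is why the case closed on the phone.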

Page 90

Security Challenges: Sarbanes-Oxley Act of 2002

Sarbanes-Oxley Act Defined:

• Federal legislation passed as a result of the accounting scandals at Enron, WorldCom, etc.

• Requires formal documentation of all processes where securities are exchanged.

• Process documentation must be audited annually to ensure it remains current.

• Major changes to business processes may require more auditing.

• Nicknamed SOX for short.

Page 91

Initial SOX Challenges

• All five of Financing’s primary applications were identified as exchanging securities and would be audited for SOX compliance.

• Initial process documentation was difficult to complete due to a lack of good product documentation and staff changes.

• Technical IT staff struggled to produce quality documentation that could be used for audit purposes. Initially they had to borrow resources from business units to draft documents.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 92

Compliance with SOX

• Pros & Cons ???

Page 93

Compliance with SOX

• Pros:

– Avoid legal action (SOX is a federal law)

– Prevent corporate fraud

– Ensure overall economic stability

– Improve public and shareholder image

• Cons:

– Additional auditing tasks

– Increased workload for existing resources

– Additional costs for auditing

– Slower development time

Page 94

Maintaining SOX Compliance

• Ongoing auditing requires further assistance from technical staff to verify system behavior.

• SOX auditing is performed by external vendors, such as KPMG, to ensure compliance.

• Any change to an application requires review of the SOX documentation and possible revision, hence increasing the time required to make enhancements.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 95

SOX Costs

• The majority of SOX auditing costs have fallen within the IT budget, as only IT analysts have full knowledge of the business processes and how they are technically implemented, which is necessary for full documentation.

• Costs for SOX auditing have been fully funded while still decreasing IT’s annual budget, by shifting more development and support to Financing’s offshore resources.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 96

SOX Compliance: Lessons Learned

• Project management must allow sufficient time for SOX documentation.

• Appoint a SOX owner for each application who is responsible for ongoing audits of the documentation for that application.

• Encourage all team members to think proactively about SOX compliance. SOX owners are encouraged to include technical staff in their ongoing reviews to help develop strong documentation skills.

• Edit SOX documentation on an ongoing basis.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 97

Security Comparison

Topic | HRC | Financing
Budget | Information Not Available. | No line item budget amount. Security tasks are encompassed within other budget items.
Dedicated Security Resources | Dedicated resources responsible for systems and user accounts. | Staff from other IT functions also serve to fulfill security responsibilities.
Security Testing | Information Not Available. | Penetration test is conducted by an external vendor annually.

Page 98

Security Comparison (2)

Topic | HRC | Financing
Risk Assessment | Risk controlled through maintaining access levels on all users and data. | Business responsible for identifying business areas at risk; IT responsible for technical areas of risk.
Security Architecture | Security practices based on well-known models, such as the Bell-LaPadula Model. | Applications designed in house; hence, the architecture team defined the security framework based on risks.
Review Process | Annual audits are performed by security officers. | Security provisions are reviewed on an ongoing basis as part of maintaining SOX docs.

Page 99

Security Best Practice Recommendations

From HRC:

• Password policies

• Firewall in place to discourage illegal sites

• Ensure you have a procedure in place to ensure all personnel you let on the network have been fully screened.

• Virus protection

• Do audits

From Financing:

• Use a strong password and change it regularly.

• Monitor / restrict Internet access on workstations.

• Hire a third-party expert to evaluate the security of systems.

• Keep complete logs / backups for recovery purposes.

• Proactively seek new / better security provisions.
