Security of data, networks and mobile solutions
doc.housing.org.uk.s3.amazonaws.com/presentations/ts2...
TRANSCRIPT
Julian Heywood
Development Manager
MIS Active Management Systems
Session TS2
Mark Appleyard
Managing Director
MIS Systems Engineering
Security of data, networks and mobile solutions
Session Focus
• Understanding the data security risks in the mobile working environment
• Developing an open, multi-layered approach to mobile security
• Delivering secure mobile working practices to drive productivity and business opportunities
What is mobile working?
8 Rules of Good Security
1. Nothing is 100% secure
“The most secure computers are those not connected to the internet and shielded from any interference.”
- Wikipedia - Computer Security
2. Trust No One And No Thing
3. Security should be designed into the system, not added as an afterthought.
4. Don’t Re-Invent The Wheel
5. Encrypt Everything
Usernames & Passwords
Network Protocols
Offsite Data
Database
6. Don’t make yourself a target
7. Don’t Neglect The Social Aspect
8. Good security is like Shrek: good security has layers
http://tinyurl.com/79j4o9o
Some Vectors of Attack
Unpatched Software
XSS – Cross Site Scripting
SQL Injection
Real Life Examples
MySQL.com (27th March 2011): SQL injection attack; usernames and passwords compromised
Gawker.com (11th December 2010): made themselves a target; whole server compromised
Sony PSN (26th April 2011): too much trust in users; whole network compromised
Black and Berg Security (8th June 2011): made themselves a target; web server compromised
Securing Remote Access to Corporate Resources
• VPN
• Multi-factor Authentication
• Enforced Health Requirement NAP/NAC
• An Integrated Approach to Improve Security
• Secure Virtual Applications & Desktops
• Wireless Considerations
• Portable USB and Encrypted Storage Devices
VPN Connectivity
Hardware based site-to-site IPsec
• Secure and can be locked to specific TCP/IP addresses for added protection
• No direct involvement of non-technical users
• Can be scaled to support many users
Client based such as PPTP/L2TP IPsec
• Cisco VPN client or Microsoft VPN client
• Often requires installation of software onto device
• Compatibility issues between various vendor products
Browser based SSL VPN
• Works with most browsers
• Mostly does not require any software to be installed onto device
• Good compatibility between various vendor products
• Only requires HTTPS (normally open on most networks)
VPN Connectivity
Risks associated with VPN technology
• Spread of viruses, worms, and Trojans
• Split tunnelling
• User credential related risks
• A compromised VPN may go unnoticed for a good deal of time
• Intrusion Detection Systems (IDS) do not monitor traffic on VPNs because it is encrypted
Encryption, authentication and securing the machines of end users are critical components of overall enterprise VPN security
A compromised VPN connection is the equivalent of leaving your front door wide open!
VPN Risk Mitigation
• Session timeouts (10 minutes or less)
• SSL version verification (reject SSL 2.0)
• Discouraging use at public terminals or WiFi
• Security policies and secure access through strong user authentication
• Host identity verification
• Host security posture validation (NAP/NAC)
• Secure desktop, portals or application publishing
Secure User Authentication
Two factor authentication - "something you have" + "something you know" concept
The simplest security tokens need no connection to a computer: when prompted, the user types the number displayed on the token (the second factor, something you have) into the keyboard, usually along with a PIN (the first factor, something you know).
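As an added example (not from the presentation), the token-code mechanism described above: the token and the server each compute a one-time code from a shared secret and a counter or the current time, and the server accepts a login only when both the PIN and the displayed code check out. It follows RFC 4226 (HOTP) and RFC 6238 (TOTP); that the tokens in question use these algorithms is an assumption, as are the demo secret and PIN.

```python
import hmac
import hashlib
import struct
import time
from typing import Optional

# Constructed demo values: the RFC 4226/6238 test-vector secret and a made-up PIN.
# A real deployment provisions a random per-token secret and a per-user PIN.
DEMO_SECRET = b"12345678901234567890"
DEMO_PIN = "4711"
TIME_STEP = 30   # seconds per TOTP window
DIGITS = 6       # digits shown on the token display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


def verify_two_factor(pin_entered: str, code_entered: str, secret: bytes,
                      pin_expected: str = DEMO_PIN, now: Optional[int] = None,
                      drift: int = 1) -> bool:
    """Accept only if BOTH factors hold: the PIN (something you know) and a token
    code (something you have) valid for the current or an adjacent time step.
    All comparisons are constant-time and every candidate is evaluated, so the
    response time does not reveal which factor failed or which step matched."""
    if now is None:
        now = int(time.time())
    if not (pin_entered.isascii() and code_entered.isascii()):
        return False  # compare_digest needs ASCII str; anything else is a bad login
    pin_ok = hmac.compare_digest(pin_entered, pin_expected)
    code_ok = False
    for step_offset in range(-drift, drift + 1):
        candidate = totp(secret, now + step_offset * TIME_STEP)
        code_ok |= hmac.compare_digest(code_entered, candidate)
    return pin_ok and code_ok


if __name__ == "__main__":
    t = int(time.time())
    shown = totp(DEMO_SECRET, t)
    print("Token shows:", shown)
    print("Correct PIN and code:", verify_two_factor(DEMO_PIN, shown, DEMO_SECRET, now=t))
    print("Wrong PIN, correct code:", verify_two_factor("0000", shown, DEMO_SECRET, now=t))
```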
Enforced Health requirement policies
Microsoft - Network Access Protection (NAP)
Cisco - Network Admission Control (NAC)
Benefits
• NAP enables policy validation, network restriction, network remediation and on-going compliance
• Inspecting client computer health state limits network access for noncompliant clients
• Secures the network from unauthorised users and systems
• Provides highly customizable role-based access to network resources for employees
• NAP/802.1X Enforcement works seamlessly across both wired and wireless networks
Enforced Health requirement policies
We need to empower users to be productive from virtually any device or location …
An Integrated Approach to Improve Security
Network administrators are under pressure to provide anywhere-access to messaging, collaboration and other resources. To achieve secure anywhere access, IT departments must employ a variety of security strategies.
• It is no longer feasible simply to protect at the perimeter
• Protection and security must exist throughout the network
• Application-agnostic network security recommended
• Determine access control policies and key management strategies to address that risk
• Determine what data is considered sensitive, and where it resides in the organisation
Security vendors are introducing new purpose-built platforms which deliver comprehensive, secure remote access to corporate resources for employees and partners on both managed and unmanaged PCs and mobile devices.
Forefront UAG delivers simple and secure access optimised for applications such as SharePoint, Exchange, and Dynamics CRM.
Integrating a deep understanding of the applications published, the state of health of the devices being used to gain access, and the user's identity – Forefront UAG enforces granular access controls and policies to deliver comprehensive remote access, ensure security, and reduce management costs and complexity.
Citrix Access Gateway
• Simple secure HTTPS access to published apps, full desktops or VDI from web browsers
• Consolidates points of access by combining your traditional IPsec VPN and Secure Gateway into a single appliance
• Citrix Access Gateway VPX is a software virtual appliance that you can deploy on any off-the-shelf server in the datacentre
• Secure Virtual Desktops - Give users secure access from anywhere while maximising their productivity
Citrix Access Gateway is a secure application access solution that provides administrators granular application-level control while empowering users with remote access from anywhere.
Citrix Receiver now supports Android and Apple (as well as Windows), so there is no need to load or install software on the device
Wireless Access
• Wired Equivalent Privacy (WEP) – can be hacked in less than 10 mins
• Wi-Fi Protected Access (WPA) more secure than WEP but has now been replaced with WPA2
• WPA2 – mandatory for Wi-Fi-certified devices since 2006, so there is no reason not to use it; if your devices are older than this or don’t support WPA2 they should be replaced
• Small businesses can use AES pre-shared keys but for larger Enterprises better to use 802.1X (WPA2 Enterprise)
Many business access points still accept WEP connections, and many home networks have no encryption at all!
802.1X Wireless Access Authentication
AES pre-shared keys are OK, but for larger Enterprises it is better to use 802.1X; this way keys don’t have to be given out, since changing them when someone leaves or after visitors is unmanageable.
• Windows XP, Vista and Windows 7 have supported 802.1X for all network connections by default. Windows Mobile 2003 and later operating systems also come with a native 802.1X client
• Mac OS X has offered native support since 10.3. The iPhone and iPod Touch also support 802.1X
• Android support from 2.2 (Froyo)
Disk Encryption
Disk encryption prevents unauthorised access to data storage. The term "full disk encryption" (or whole disk encryption) is often used to signify that everything on a disk is encrypted
Microsoft BitLocker is available only in the Enterprise and Ultimate editions of Windows Vista and Windows 7. Users of other versions of Windows that don't include BitLocker could use a third-party encryption program, such as TrueCrypt (free open-source disk encryption software), to satisfy the need for full drive encryption
Removable Storage Devices
• Portable storage devices are a big risk to network security
• Firewalls and antivirus software are no defence against the latest forms of computer attack that come via open USB, eSATA and FireWire ports
• Viruses, worms and trojans get into the corporate network this way
• Valuable data can leave the company in huge quantities
• Microsoft Group Policy cannot manage USB and FireWire access very easily, so third-party products are recommended to lock down access