IT Security - BlackHat Consultants

homuskratNetworking and Communications

Nov 20, 2013 (3 years and 6 months ago)

77 views

Ignorance is not bliss, nor is it an excuse!

IT Security

INFORMATION

SECURITY TRAINING

Ignorance is not bliss, nor is it an excuse!

IT Security

Reason For Training

Information Security
covers the protection of
information against unauthorized disclosure,

transfer, modification, or destruction.



The purpose of this training is to:




Educate users on Information Security basics



Demonstrate minimum levels of due care & due


diligence



Educate users so they can protect their systems from


compromise from known and unknown threats


Ignorance is not bliss, nor is it an excuse!

IT Security

Training Overview



Definitions



Topologies



Basic Understanding of the Situation



Statistics



Due Care & Due Diligence



Common Myths



Consequences



Summary

Ignorance is not bliss, nor is it an excuse!

IT Security

Section



Definitions



Topologies



Basic Understanding of the Situation



Statistics



Due Care & Due Diligence



Common Myths



Consequences



Summary

Ignorance is not bliss, nor is it an excuse!

IT Security

The

CIA

Information Security
focuses on 3 key areas,
commonly referred to as the “CIA Triad”:




Confidentiality





Integrity





Availability

Limiting access and disclosure to only authorized users

Trustworthiness of information (uncompromised)

Ability to access data at will

Ignorance is not bliss, nor is it an excuse!

IT Security

CONFIDENTIALITY

INTEGRITY

NON

REPUDIATION

AVAILABILITY

Information Security Triad

Ignorance is not bliss, nor is it an excuse!

IT Security

Alice

Eve

Bob

Situation
: Bob
wants to send Alice an
e
-
mail. Eve wants to stop it.

1.
Bob wants to ensure Eve cannot read it (Confidentiality)

2.
Bob wants to make sure that Alice gets what Bob sends (Integrity
)

3.
Bob needs the e
-
mail system to work (Availability)

4.
Alice wants to make sure that Bob sent the e
-
mail (Non
-
Repudiation)

I


YOU

I


YOU

I
HATE YOU

Real World Example
-

CIA

Ignorance is not bliss, nor is it an excuse!

IT Security

Malicious Software

Malicious Software (malware) is hardware,
software, or firmware that is intentionally
included or inserted into a system for a harmful
purpose.


Examples include:



Viruses



Spyware



Trojan Horses



Worms

Ignorance is not bliss, nor is it an excuse!

IT Security

Phishing

Phishing is entirely focused on identity theft.


It is the act of sending an e
-
mail to a user falsely
claiming to be a legitimate company in an attempt
to scam the user into surrendering private
information. The phishing e
-
mail directs the user
to visit a website where the user is asked to
update personal information.

Phishing scams successfully harvest
passwords, credit card numbers, social
security numbers, and bank account
numbers without ever letting the user
know they were scammed until it is too
late.

Ignorance is not bliss, nor is it an excuse!

IT Security

Router

A router is a device that connects two or more
networks together.

Routers connect your
Local Area Network (LAN) with the Internet.




Ignorance is not bliss, nor is it an excuse!

IT Security

Firewall

A firewall filters all network packets to determine
whether to forward them toward their
destination.

Ignorance is not bliss, nor is it an excuse!

IT Security

Switch

A switch is a device that filters and forwards
packets between LAN segments.


Ignorance is not bliss, nor is it an excuse!

IT Security

Server

A server is a computer or device on a network
that manages network resources.




Ignorance is not bliss, nor is it an excuse!

IT Security

Virtual Private Network (VPN)

VPN Tunnel

Network A

Network B

Switch A

Router A

Firewall A

Switch B

Router B

Firewall B

Modem A

Modem B

A VPN provides remote offices or individual users
with secure access to your company’s network.

Ignorance is not bliss, nor is it an excuse!

IT Security

Layered Defenses

Firewall

Router

Host

Multiple layers of security guard against failure of
a single security component.

Ignorance is not bliss, nor is it an excuse!

IT Security

Endpoint Security

Anti
-
Spyware

Updates

Anti
-
Spam

Anti
-
Virus

Software Firewall

Computers require specialized software and
continuous updates to keep hackers out.

Ignorance is not bliss, nor is it an excuse!

IT Security

Software Patches

Patches are “follow on” releases of

software code to fix weaknesses in

the original program. All software has

flaws and those vulnerabilities are

continuously being discovered.


Common versions of software patches include:



Security Patches



Hotfixes



Service Packs



Critical Updates



Ignorance is not bliss, nor is it an excuse!

IT Security

Section



Definitions



Topologies



Basic Understanding of the Situation



Statistics



Due Care & Due Diligence



Common Myths



Consequences



Summary

Ignorance is not bliss, nor is it an excuse!

IT Security

How The Network Works

Firewall

Router

Switch

T1 / DSL / Cable Modem

WAP

Ignorance is not bliss, nor is it an excuse!

IT Security

Data Transfer

Network A

Switch A

Router A

Firewall A

Switch B

Router B

Firewall B

Modem A

Modem B

Firewalls regulate data transfer by outbound and
inbound rules. This can keep certain forms of data
from leaving or from entering a network.

Outbound

Rules

Inbound

Rules

Network B

Ignorance is not bliss, nor is it an excuse!

IT Security

Section



Definitions



Topologies



Basic Understanding of the Situation



Statistics



Due Care & Due Diligence



Common Myths



Consequences



Summary

Ignorance is not bliss, nor is it an excuse!

IT Security

Face of Hacking

Hacking is a multi
-
billion dollar industry and it

is
largely the realm of international, organized crime.


Malware

developers no longer hack for just fame
and notoriety. Identity theft has made hacking a
lucrative business and the strategy is to control as
many compromised computers as possible.


Well designed viruses and spyware will go
unnoticed by users and can turn off antivirus
software to elude detection.


Ignorance is not bliss, nor is it an excuse!

IT Security

Botnets: Zombie Armies

Networks of infected
computers (bots or
zombies) are
documented on the
scale of up to 500,000
compromised
machines.


These botnets do the
hacker’s bidding,
allowing for
crime 24/7
on a global scale.


Ignorance is not bliss, nor is it an excuse!

IT Security

Security Challenges

System and network administrators not prepared



Insufficient resources



Lack of formalized training


Critical infrastructures increasingly rely upon the
Internet for operations


Intruders are leveraging the availability of
broadband connections



Vulnerable home computers



Collections of compromised computers are weapons


Ignorance is not bliss, nor is it an excuse!

IT Security

2009



exploiting passwords



exploiting known vulnerabilities



exploiting protocol flaws



examining
code for
new security flaws



defacing web servers



installing sniffer programs



IP source address spoofing



denial of service attacks



widespread, automated
scanning



distributed attacks



building large networks
of compromised
computers (botnets)


1989



exploiting passwords



exploiting
known vulnerabilities

What Has Changed?

Ignorance is not bliss, nor is it an excuse!

IT Security

Attacker Sophistication

Intruders

High

Low

1980

1985

1990

1995

2000

Intruder

Knowledge

Attack

Sophistication

Cross site scripting

password guessing

self
-
replicating code

password cracking

exploiting known vulnerabilities

disabling audits

back doors

hijacking

sessions

sweepers

sniffers

packet spoofing

GUI

automated probes/scans

denial of service

www attacks

Tools

“stealth” / advanced
scanning techniques

burglaries

network mgmt. diagnostics

distributed

attack tools

Staged

Auto

Coordinated

2005

Ignorance is not bliss, nor is it an excuse!

IT Security

Vulnerability Exploit Cycle

Advanced

Intruders

Discover New

Vulnerability

Crude

Exploit Tools

Distributed

Novice Intruders

Use Crude

Exploit Tools

Automated

Scanning/Exploit

Tools Developed

Widespread Use

of Automated

Scanning/Exploit

Tools

Intruders
Begin

Using New
Types

of Exploits

Ignorance is not bliss, nor is it an excuse!

IT Security

Overlapping Cycles

The exploitation cycles of various vulnerabilities
will overlap. It is a never
-
ending cycle.

Exploit A

Exploit B

Exploit C

Ignorance is not bliss, nor is it an excuse!

IT Security



Who am I talking about?



What are these people doing?



Where are they coming from?



When are you most vulnerable?



Why are they doing it?



How are they doing it?

Understanding of Threats

Ignorance is not bliss, nor is it an excuse!

IT Security

Who

Is Attacking

Teenage Hacker

Disgruntled Insider

Cyber Criminal

Industrial Spy

Foreign Government

?

Ignorance is not bliss, nor is it an excuse!

IT Security



Theft of services



Denial
-
of
-
service attacks



Unauthorized use / misuse of resources



Illegal transfer or storage of information



Compromise of data (Loss or Alteration)



Financial Loss (Theft)



Endangering human life (Infrastructure Attacks)



Loss of trust in computer networks (Chaos)



Loss of public confidence


What

Are They Doing?

Ignorance is not bliss, nor is it an excuse!

IT Security

Where

Are The Threats?




Domestic

-

All walks of life & education




International

-

1
st
, 2
nd

and 3
rd

world countries

-

Every time zone


24 hours a day




Intruders are prepared and organized


Ignorance is not bliss, nor is it an excuse!

IT Security

When

Are You Vulnerable?

Out
-
of
-
the
-
box Linux PC hooked to Internet in 2002
to test exploits:

[30 seconds]
First port scans detected

[1 hour]
First compromise attempts detected

[12 hours]
PC fully compromised
:



Administrative access obtained



Event logging selectively disabled



System software modified to suit intruder



Attack software installed



PC actively probing for new hosts to compromise

Reference:
www.cert.org/archive/ppt/cyberterror.ppt


Ignorance is not bliss, nor is it an excuse!

IT Security

Why

Are They Doing It?



Money
(Identity Theft)



Access to additional resources



Competitive advantage



Economic



Political



Grievance or
vengeance



Curiosity



Mischief



Attention or
notoriety


It is usually not possible to determine the motive
while you are under attack.

Ignorance is not bliss, nor is it an excuse!

IT Security

Most intrusions result from the exploitation of
known
vulnerabilities
, configuration
errors, or
virus attacks where countermeasures were
available.


The
most
damaging Internet
worm/virus
events
all

were preventable and had prior warning.

How

Do They Do It?

Event

Days of Prior

Warning

Code Red

28

SQL Slammer

184

Nimda

336

Ignorance is not bliss, nor is it an excuse!

IT Security

Section



Definitions



Topologies



Basic Understanding of the Situation



Statistics



Due Care & Due Diligence



Common Myths



Consequences



Summary

Ignorance is not bliss, nor is it an excuse!

IT Security

How Prevalent Is E
-
Crime?

Reported E-crime
None Reported
2005 E
-
Crime Watch Survey
-

Conducted by
CSO magazine in cooperation with the U.S.
Secret Service & CERT® Coordination Center

32%

68%

Ignorance is not bliss, nor is it an excuse!

IT Security

Common E
-
Crimes

0
10
20
30
40
50
60
70
80
90
Virus
Spyware
Phishing
Identity
Theft
Spam
Server
Virus
Spyware
Phishing
Identity Theft
Spam Server
2005 E
-
Crime Watch Survey
-

Conducted by
CSO magazine in cooperation with the U.S.
Secret Service & CERT® Coordination Center

82%

61%

57%

57%

48%

Ignorance is not bliss, nor is it an excuse!

IT Security

E
-
Crime Categories

0
10
20
30
40
50
60
70
80
90
2005
2004
Ignorance is not bliss, nor is it an excuse!

IT Security

Fiscal Impact

0
10
20
30
40
50
60
Operational Losses
Financial Losses
Harm to reputation
2005 E
-
Crime Watch Survey
-

Conducted by
CSO magazine in cooperation with the U.S.
Secret Service & CERT® Coordination Center

55%

28%

12%

Ignorance is not bliss, nor is it an excuse!

IT Security

Tracking Criminals

Outsiders
Insiders
2005 E
-
Crime Watch Survey
-

Conducted by
CSO magazine in cooperation with the U.S.
Secret Service & CERT® Coordination Center

20%

80%

Ignorance is not bliss, nor is it an excuse!

IT Security

Section



Definitions



Topologies



Basic Understanding of the Situation



Statistics



Due Care & Due Diligence



Common Myths



Consequences



Summary

Ignorance is not bliss, nor is it an excuse!

IT Security

Due Care



Information Security policies

are in place to
protect the organization,

its employees, its
partners, and its clients




Ask

your supervisor if you need clarification on
any Information Security topic




Information Security applies to every user

Ignorance is not bliss, nor is it an excuse!

IT Security

Due Diligence



Follow all applicable:



Policies



Procedures



Standards



Guidelines




Report any suspicious computer / network
activity to your supervisor immediately




Report discrepancies / weaknesses to your
supervisor


be proactive!


Ignorance is not bliss, nor is it an excuse!

IT Security

Best Practices



Always use common sense




Only open e
-
mail from senders you know




Keep your computer updated (daily)




Use current virus / spyware definitions





Use appropriate hardware & software


Ignorance is not bliss, nor is it an excuse!

IT Security

Best Practices



Never open e
-
mail from unknown senders




Never download free software




Only visit reputable web sites




Never disable firewall / antivirus software




Never disclose passwords to anyone


Ignorance is not bliss, nor is it an excuse!

IT Security

Section



Definitions



Topologies



Basic Understanding of the Situation



Statistics



Due Care & Due Diligence



Common Myths



Consequences



Summary

Ignorance is not bliss, nor is it an excuse!

IT Security

Myth #1

MYTH:

“I have virus protection software so I am
already secure."


FACT:

Viruses and security threats are two
completely different things. Your anti
-
virus
software will not tell you about any of the security
threats, such as whether financial or customer
records are exposed to the Internet or whether
your computer is vulnerable to various hacker
attacks.

Ignorance is not bliss, nor is it an excuse!

IT Security

Myth #2

MYTH:

"I have nothing to worry about; there are
too many computers on the Internet

for hackers
to bother with mine.



FACT:

A single hacker can scan thousands of
computers looking for ways to access your private
information in the time it takes you to eat lunch.

Ignorance is not bliss, nor is it an excuse!

IT Security

Myth #3

MYTH:

"Network and computer security is only
important for large businesses.“


FACT:

In reality, nothing could be further from the
truth. Whether you are work in a home office or a
large enterprise, your computer contains valuable
and sensitive information. This could be financial
records, passwords, business plans, confidential
files, and any other private data.

Ignorance is not bliss, nor is it an excuse!

IT Security

Myth #4

MYTH
:
"I know what is running on my computer
network and I am sure that it is secure.“


FACT:
With the increased presence of spyware and
other malicious software easily distributed on the
Internet, it is
impossible

for a user to know
everything that is running on a computer. Virtually
all networked computers have one or more
possible security threats or vulnerabilities.

Ignorance is not bliss, nor is it an excuse!

IT Security

Myth #5

MYTH:
"The best time to deal with network
security is when a problem arises.“


FACT:
The best time to deal with network security
is right now,
before

a problem arises and to
prevent you from ever becoming a victim.
Preventative security measures are immensely

less
expensive than reacting to security breaches.

Ignorance is not bliss, nor is it an excuse!

IT Security

Section



Definitions



Topologies



Basic Understanding of the Situation



Statistics



Due Care & Due Diligence



Common Myths



Consequences



Summary

Ignorance is not bliss, nor is it an excuse!

IT Security



Intrusions from remote systems can be achieved
in a matter of seconds using automated intruder
tools




Intruders are interested in gaining access to
computing resources to launch attacks as well as
to access confidential data




Intruders often compromise a series of remote
systems, making it difficult to trace their
activities

Network Intrusions

Ignorance is not bliss, nor is it an excuse!

IT Security



Once a computer is compromised, the integrity
of the entire computer must be verified




Most sites do not have an infrastructure that
facilitates verifying the integrity:

-

Software

-

Logs

-

Data




The
economical recourse
for
most businesses:

-

Reinstall
operating system and
applications

-

Apply
all security patches and
updates

Infected? Not What?

Ignorance is not bliss, nor is it an excuse!

IT Security

Section



Definitions



Topologies



Basic Understanding of the Situation



Statistics



Due Care & Due Diligence



Common Myths



Consequences



Summary

Ignorance is not bliss, nor is it an excuse!

IT Security

Summary



Use common sense



Take the time to educate yourself



Follow company Information Security policies



Use the appropriate tools for the job



Use qualified service providers

Ignorance is not bliss, nor is it an excuse!

IT Security

Due Care & Due Diligence

Most growing businesses do not

have any formal information

security policies in place and it is

significant liability issue.


We’ve taken it upon ourselves to turn that trend
around and provide no reason why businesses
cannot implement the policies, procedures,
standards, and guidelines they need to be
properly protected.
We are here to help!