Transcript PPT: Information Security

Information Security
It’s more than just a firewall.
Presented by:
Eric Gruss
Assistant Vice President
Information Technology Manager
Information Security Officer
Reliance Bank
[email protected]
Information Security
Top Down or Bottom Up?
• It doesn’t matter, they meet in the middle. Start
somewhere, and look at everything.
• Remember that it is an Information SYSTEM, you must
look at the complete overall system but also understand
each component as an island in order to achieve the
goal.
• Every facet of an Information System must be examined
in order to understand risk.
Risk Analysis• What sensitive information is housed by
the organization? Is it regulated?
• Where is this information stored? Can or
should it be consolidated?
• Who needs access, when do they need it,
from where will they access it?
• How long can we live without it?
• How much will it hurt if it is leaked?
Risk Analysis• It is only after the risk is understood, that
we can begin to devise a plan to mitigate
it.
• For most of us, there is also a financial
component, you must understand your
exposure to risk, the likely hood that it will
be exploited, and your comfort level with
that. Based on available resources, not all
risks can be completely mitigated.
Firewall• Deny all, permit on exception in BOTH
directions.
• Use names and groups whenever
possible.
• Test it yourself from home- REGULARLY!
Content Filters• Minimum- maintain an access list of sites
to block either at the firewall or via DNS.
• Employ a high quality web content filter
such as Websense.
• Employ a high quality SPAM filter such as
Websense or Messaging Architects or
• at least use a well known RBL like
Spamhaus or Spamcop.
Virtual Local Area Networks• Vlans can be a great tool to segregate and
control access at layer 2/3
Servers• Harden all servers, disable or uninstall
services not required.
• Control local access.
• Control Physical access.
• Monitor System accounts.
User Access Rights• Make every effort to enforce policies through
technology.
• Restrict login access hours.
• Restrict Admin or special user login based on
workstation address.
• Practice the principals of least privilege. All
access is denied unless explicitly permitted.
• Consider adding an auditing product like Blue
Lance or NTP Software File Auditor.
Desktop• Lock boot device to hard disk only, and
password protect bios.
• Disable USB and CD/DVD Recorders if possible.
• Control local access rights.
• MUST have software firewall and anti virus
protection installed and properly configured.
• Use static IP Addresses wherever possible (or
lock IP address by mac address).
• Keep up to date on patches.
• Disable unneeded services.
• No data should be stored locally.
File Level Precautions• Consider using encryption, but understand
the risks.
• File access should be controlled to the
finest granularity that can reasonably be
attained.
Restrict use of Removable
Media• Often this can be accomplished through
the bios.
• On windows machines it can be done
through the registry.
• Third party apps (such as Trigeo) can
control this on a much more granular level.
Control Wireless• Turn off WiFi if not required.
• Consider placing wireless access points
outside the firewall and using isolated Vlan
and VPN.
Control Remote Access• Remote access rights should be well
documented and auditable.
• Use SSL at a minimum, prefer VPN.
• Utilize two factor authentication. (pre
shared key, smart card, fingerprint, and
password)
Backup• Deletion can be nearly as bad as theft.
Maintain good backup practices and test
restore regularly. Move data off site, either
by transporting the tapes or portable disks,
or through backup to offsite locations.
Establish and Document Policies• Most everyone has an internet and email use policy that employees
sign, but what about an information use policy? Policy should state
that data be stored only on secure network storage provided by and
maintained by your information technology department.
• It may seem obvious that your employees are not to copy important
company information and take it home or email it outside the internal
network without permission. However, unless you put such policies
in writing and have workers sign for receipt, you may be hard
pressed to penalize them for violating that policy. Unwritten rules are
much more difficult to enforce.
• Your policies should be specific and give examples of what’s
prohibited. Workers may not understand, unless you spell it out, that
emailing a company document as an attachment to someone
outside the network (or even to their own home account) is just as
much a violation of policy as copying that document to a USB drive
and physically taking it out the door.
• Wording of the policy, however, should make it clear that the
prohibition is not limited solely to the examples you give.
Secure your PDA!
• Poison pill ability?
• Set auto lock timeout.
• Establish what data can be stored.
Disabling USB storage on a
Windows platform:
•
•
•
•
•
•
•
From Explorers folder options ensure that hidden files and folders
are displayed, file extensions are not hidden and simple file
sharing is disabled.
Open up the properties for %systemroot%\Inf\Usbtror.inf
(%systemroot% would normally be ‘C:\Windows’).
Select the security tab and make sure that all options for all users
are set to deny. This must include administrators and SYSTEM.
Repeat the above for %systemroot%\Inf\Usbstor.pnf
If USB storage devices have been used on this machine
previously then open up the registry editor otherwise ignore steps
6 and 7.
Browse to the registry location
‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
UsbStor’.
Open up the registry key ‘Start’ and change the data value to ‘4′.
Close the registry editor.
If you are running Microsoft Windows XP on your desktop system,
consider turning off the following services.
•
•
•
•
•
•
IIS – Microsoft’s Internet Information Services provide the capabilities of a Webserver for your
computer.
NetMeeting Remote Desktop Sharing — NetMeeting is primarily a VoIP and videoconferencing
client for Microsoft Windows, but this service in particular is necessary to remote desktop access.
Remote Desktop Help Session Manager – This service is used by the Remote Assistance feature
that you can use to allow others remote access to the system to help you troubleshoot problems.
Remote Registry – The capabilities provided by the Remote Registry service are frightening to
consider from a security perspective. They allow remote users (in theory, only under controlled
circumstances) to edit the Windows Registry.
Routing and Remote Access – This service bundles a number of capabilities together, capabilities
that most system administrators would probably agree should be provided separately. It is rare
that any of them should be necessary for a typical desktop system such as Microsoft Windows XP,
however, so they can all conveniently be turned off as a single service. Routing and Remote
Access provides the ability to use the system as a router and NAT device, as a dialup access
gateway, and a VPN server.
Simple File Sharing – When a computer is not a part of a Microsoft Windows Domain, it is
assumed by the default settings that any and all filesystem shares are meant to be universally
accessible. In the real world, however, we should only want to provide shares to very specific,
authorized users. As such, Simple File Sharing, which only provides blanket access to shares
without exceptions, is not what we want to use for sharing filesystem resources. It is active by
default on both MS Windows XP Professional and MS Windows XP Home editions. Unfortunately,
this cannot be disabled on MS Windows XP Home. On MS Windows XP Professional, however,
you can disable it by opening My Computer -> Tools -> Folder Options, clicking the View tab, and
unchecking the Use simple file sharing (Recommended) checkbox in the Advanced settings:
pane.
•
•
•
•
•
•
If running Microsoft Windows XP, consider turning off
the following services.
SSDP Discovery Service – This service is used to discover UPnP devices on your
network, and is required for the Universal Plug and Play Device Host service (see
below) to operate.
Telnet – The Telnet service is a very old mechanism for providing remote access to a
computer, most commonly known from its use in the bad ol’ days of security for
remote command shell access on Unix servers. These days, using Telnet to remotely
manage a Unix system may be grounds for firing, where an encrypted protocol such
as SSH should be used instead.
Universal Plug and Play Device Host – Once you have your “Plug and Play” devices
installed on your system, it is often the case that you will not need this service again.
Windows Messenger Service – Listed in the Services window under the name
Messenger, the Windows Messenger Service provides “net send” and “Alerter”
functionality. It is unrelated to the Windows Messenger instant messaging client, and
is not necessary to use the Windows Messenger IM network.
On your system, these services may not all be turned on, or even installed. Whether
a given service is installed and running may depend on whether you installed the
system yourself, whether you are using XP Home or XP Professional, and from which
vendor you got your computer if MS Windows XP was installed by a vendor.
With the exception of Simple File Sharing, all of the above listed services can be
disabled from the same place. Simply click on the Start button, then navigate to
Settings -> Control Panel, open Administrative Tools, and from there open the
Services window. To disable any service in the list, double-click on its entry in that
window and change the Startup type: setting. In general, you should change services
you are turning off for security purposes to a “Disabled” state. When in doubt about
whether a given service is necessary for other services, check the Dependencies tab
in the service’s settings dialog.