Transcript evesecures9

Does IT Security Matter… Does Information Security Matter?
“A careless word… a needless sinking” (1943), Anton Otto Fischer
1
IT Security and Privacy
GROUP 5:
Natalia Hardey
Christopher Boyce
Christopher Rodelas
Michael Bruns
Irene Budiono
Agenda
1. Introduction
   ◦ Video
   ◦ IT Security at a Glance
   ◦ Common IT Security Risks & Costs Involved
   ◦ IT Security Technologies
   ◦ Legislation
   ◦ CSO/CISO Roles
2. Case Studies
   ◦ Midwestern University
   ◦ U.S. Army
3. Summary of Best Practices
   ◦ Organizations
   ◦ Individuals
4. Q & A
3
It’s not just the technology…
http://www.youtube.com/watch?v=dy4VJP-lZpA
4
Recent IT Breaches
• July 2008, University of Nebraska at Kearney – SSNs unaccounted for on university computers
• January 2009, White House – “Chinese hackers crack White House”
• January 2009, CheckFree Corp. – Five million E-Pay records hacked
• January 2009, Heartland Payment Systems – Malicious software on payment processing network
• January 2009, U.S. Military – soldiers’ SSNs found on thrift-store USB drive
5
Information Security
• Information Security Definition
  ◦ Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
    - Confidentiality: Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information;
    - Integrity: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity; and
    - Availability: Ensuring timely and reliable access to and use of information.
6
Common Security Threats
• Vulnerability Issues
  ◦ CIA Triad
    - Confidentiality
    - Integrity
    - Availability
    Mainly concerned with information.
  ◦ Parkerian Hexad
    - CIA Triad PLUS:
    - Possession
    - Authenticity
    - Utility
    Still concerned with information.
7
Information Security
• Types of Information Security
  ◦ Products (Physical Security)
  ◦ People (Personal Security)
  ◦ Procedures (Organizational Security)
8
Common Security Threats
• Behavioral
  ◦ Often referred to as ‘Social Engineering’
• Phishing Scams
  ◦ Password Cracking
  ◦ Disclosure of Financial Information
  ◦ Disclosure of Personal Information
  Often used in conjunction with malware
• Malicious Software (Malware)
  ◦ Spyware and Adware
  ◦ Bots (Backdoors)
  ◦ Viruses, Worms, and Trojans
9
[Chart: survey of security practitioners, n=577]
The security practitioners ranked “cloud computing”, mobility, cybercrime and data breach as major threats to organizations’ confidential and sensitive data.
10
Mega Trends – IT Security
• Cloud Computing
• Mobile Workforce
• Cybercrime
• Outsourcing
• Data Breach
11
Costs of IT Security Incidents to Organizations
[Chart: CSI 2008 survey, n=144]
Although erratic, costs seem to be declining as time progresses
12
Costs of IT Security Incidents to Organizations

  Type of Incident                   Average Cost per Incident
  Financial Fraud                    $463,100
  Bot Computers                      $345,600
  Loss of Proprietary Information    $241,000
  Loss of Confidential Data          $268,000
  Virus Incidents                    $40,141

Contrary to what many people believe, viruses are not the most costly incidents that can affect an organization
Source: http://i.cmpnet.com/v2.gocsi.com/pdf/CSIsurvey2008.pdf
13
Security Spending and Justification (CSI 2008 Summary)
• 53% of respondents allocate no more than 5% of their IT budget to IT security
• 42% spent less than 1% of their security dollars on awareness programs
• Low spending due to perceived financial benefits of security investments
  ◦ (ROI, NPV, IRR)
• Security Insurance
14
IT Security Technology Used (CSI 2008 Summary)

  Technology                        % Use
  Anti-virus software               97%
  Firewalls                         94%
  Virtual Private Network (VPN)     85%
  Anti-spyware software             80%
  Encryption of data in transit     71%
15
Reasons for Not Reporting an Incident (CSI 2008 Summary)
[Chart: on a scale of 1-7, with 1 being least important and 7 being most important]
16
Legislation – IT Security
• American Recovery and Reinvestment Act
  ◦ President Barack H. Obama signed into law the American Recovery and Reinvestment Act of 2009 (ARRA)
  ◦ A significant portion of the ARRA's stimulus expenditures and measures are related to health information technology (HIT) and incentives to adopt electronic health record (EHR) systems.
17
Legislation – IT Security
• FERPA
  ◦ “The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education”
    - http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
  ◦ Outcome:
    - Rights transfer from parents to students once students reach 18 or are no longer in high school.
    - Gives “eligible students” privacy of their education results.
    - Rights to inspect, review, and correct their information.
    - Schools must notify parents and eligible students of their rights each year.
18
Legislation – IT Security
• HIPAA
  ◦ Health Insurance Portability and Accountability Act of 1996.
  ◦ Establishes national standards for the security of electronic health care information.
  ◦ Outcome:
    - Protects patients’ privacy over their personal information.
    - Health providers are subject to civil & criminal penalties if they violate patients’ rights under HIPAA.
      · Up to $25,000 for multiple violations of the same standard in a calendar year.
      · Up to $250,000 and/or 10 years in jail for knowing misuse of patients’ information.
19
Legislation – IT Security
• Sarbanes-Oxley Act of 2002
  ◦ Section 404 of the act addresses testing of general computer controls, such as: data center operating controls, system software controls, access security controls, and application system development and maintenance.
20
Legislation – IT Security
• Federal Information Security Management Act (2002)
  1. Inventory and Categorization of Information Systems
  2. Security Controls
  3. Risk Assessment
  4. System Security Plan
  5. Certification and Accreditation
  6. Continuous Monitoring
21
Legislation – IT Security
• Federal Information Security Management Act (2008)
  ◦ Created the Chief Information Security Officer (CISO) role
  ◦ Established the CISO Council
  ◦ Enhanced the continuous monitoring process
  ◦ Required additional reporting from DHS
22
Why was the CISO role created?
• Enforce security standards and compliance
• Demonstrate to CxOs positive payback from IT investments toward the organization’s goals & strategy
• Control and track IT spending (esp. security costs)
• Assist other senior managers to achieve business goals and protect their information
• Comply with annual audit requirements
23
CASE 1
Midwestern University
24
Company Overview
• University Population: 20,000
• FY2009 Budget: between $100 & $300 Million
• IT Department: Very centralized
• Employees: ~60
• IT Spend: 7% (higher than average)
• IT Security Spend: ~5% of total IT Spend
• Customers: Students, Faculty/Staff, Guests, Patients
25
Organizational Structure
26
Top Threats
• Phishing (#1 threat)
• Security Awareness
• Denial of Service
• Password Sharing
• Malware, Spyware, Bots, etc.
• Human error, over which there is no control
• Sabotage
27
Denial of Service
28
Gaining the Upper Hand
• Centralization
  ◦ Forces campus-wide policies and procedures
• Network Access Control (NAC) System
  ◦ Authenticates all IP addresses and user names
  ◦ Continuously ensures that your system is up to date
• New threat detection software
  ◦ Allows for immediate response
• Exploiting functionality on legacy software that went unused due to lack of staff
  ◦ Legacy: obsolete systems that are still in use
29
Controls: Student & Faculty Computers

  Type of Control                                  Student   Faculty
  Connected to the NAC                             YES       YES
  Administrative rights                            NO        YES
  Symantec anti-virus                              YES       YES
  Nightly updates                                  YES       YES
  Security alerted to any virus immediately        YES       YES
  No installs or changes to registry permitted     YES       NO
  Restart returns machine to “frozen state”        YES       NO
30
Network Access Security
• Port locking in place for wired connections
• Wireless access allowed
  ◦ Treated as a hostile network
  ◦ Stores IP and ID information
  ◦ On a different network than the University
  ◦ Allows wireless usage to grow while mitigating threats
31
How a NAC Works
32
Examples of Practices in Place
• Products (Physical Security)
  ◦ Hard drives wiped with GDisk to DOD standards
  ◦ Stolen property reported to CSO, police
  ◦ Machines with student data encrypted
• People (Personal Security)
  ◦ Awareness / Education
  ◦ Staff to assist with issues
  ◦ Free anti-virus software for personal machines
• Procedures (Organizational Security)
  ◦ SSN Remediation Project
  ◦ General Usage Agreement
33
Difficulties and Challenges
• Largest obstacle is human (user) error
• The “Higher Education Culture”
  ◦ Staff often lack anti-spyware/anti-spam software
  ◦ Staff generally have more sensitive data
  ◦ Staff have unfettered access
• No real restrictions except file sharing
34
Recent Developments
• Security awareness is much better
  ◦ Promotion, persuasion, mandates
• Regulatory issues have become high on the priority list
  ◦ HIPAA, FERPA, credit card transactions
  ◦ RIAA suits
35
Biggest Costs
• Anti-spam software is the most expensive
• Data discovery and litigation lawsuits
  ◦ New Jan ’08 Federal law requires that all data related to lawsuits (like a hiring discrimination lawsuit) must physically be put into secure locations
• Anti-virus software
• Firewall and hardware
• Network Access Control (NAC) software
36
New Security Technology
• Host-Based Intrusion Prevention System
  ◦ Combats attacks at the device and server level
  ◦ Complements existing investments in network-based IPS without relying on signatures that require near-constant updates
  ◦ Currently very expensive and little used
• Application Firewall
  ◦ Limits which software applications have access and what type of traffic they may generate (such as web browser vs. P2P file sharing)
37
Chilling Encrypted Data
• Princeton computer security researchers discovered that spraying an inverted can of "canned air" on RAM chips can “freeze” the data stored on the chips.
• Less than 1 percent of the bits decayed after 10 minutes without power.
• When the DRAM chips were cooled to liquid nitrogen temperatures, the Princeton group observed decay rates of 0.17 percent after 60 minutes without power.
38
Biggest Lessons Learned
• More often than not, it takes a critical situation for security to be taken seriously
• Human error is always the largest threat
• Security is only as good as the people using it
39
CASE 2
U.S. Army
40
U.S. Army Signal Corps Overview
• Size
  ◦ U.S. Army:
    - 547,000 Active Duty
    - 358,200 Nat’l Guard
    - 206,000 Army Reserve
    - 65,000 Signal Corps
• Budget
  ◦ U.S. Army: $140.7 Billion (FY09)
41
Signal Corps Mission Statement
The mission of the Signal Corps is to provide and manage communications and information systems support for the command and control of combined arms forces. Signal support includes Network Operations (information assurance, information dissemination management, and network management) and management of the electromagnetic spectrum. Signal support encompasses all aspects of designing, installing, maintaining, and managing information networks to include communications links, computers, and other components of local and wide area networks. Signal forces plan, install, operate, and maintain voice and data communications networks that employ single and multi-channel satellite, tropospheric scatter, terrestrial microwave, switching, messaging, video-teleconferencing, visual information, and other related systems. They integrate tactical, strategic and sustaining base communications, information processing and management systems into a seamless global information network that supports knowledge dominance for Army, joint and coalition operations.
42
US Army Signal Corps Chain of Command
NETCOM, the 9th Signal Command, has 17,000 soldiers, civilians, and contractors working for it and the various units under its command
43
U.S. Federal and Department of the Army ICT Spending (in Billions $)

  Category                                  Federal   Army
  Data Processing & Telecommunications      $25.4     $3.1
  Communication and Detection Equipment     15.4      6.7
  Automatic Data Processing Equipment       10.4      3.7
  Contracts for Fiber Optics                0.12      0.03
44
Structure of Security Network
• DOD Network Structure
  ◦ 3 Types of Networks:
    1. DOD Machines on Non-DOD Network
    2. DOD Machines on DOD Network
       - NIPR Network
       - SIPR Network
    3. Tactical Networks
       - Constraints
         · Satellite bandwidth
         · Small units still communicate primarily by radio.
         · Physical security of fiber and cable
45
Structure of Security Network
• DOD Network Security
  ◦ Software Security
    - DOD centrally disseminates security updates for software
    - Activity of all users monitored and logged
  ◦ Physical Security Measures
    - No USB devices allowed on DOD networks
    - Offices are secured
    - Checklists exist for users and administrators
    - Vaulted computers for highly sensitive information
46
Structure of Security Network
• DOD Network Security
  ◦ Network Security Measures
    - Three layers of network security
      · DOD
      · Army
      · Installation level
    - Password Management
      · Passwords must be changed every 90 days
      · Can’t roll back to any of the previous 6 passwords
    - Network Breaches
      · Happen rarely; typically a ‘people problem’, not a network problem
47
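The 90-day rotation and six-password history rule above, implemented as an added example (not the Army's own code or any DOD system): each old password is kept only as a salted PBKDF2 hash, a candidate is rejected if it matches any of the last six, and the current password is flagged once it is older than 90 days. The class name, the hashing parameters and the injected clock are assumptions made for illustration.

```python
import hashlib
import os
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy values taken from the slide; everything else here (storage layout,
# hashing parameters, the injected clock) is an assumption for this example.
MAX_AGE = timedelta(days=90)      # "changed every 90 days"
HISTORY_DEPTH = 6                 # "can't roll back to previous 6 passwords"
PBKDF2_ROUNDS = 100_000           # assumed work factor; raise in production


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so history entries never hold plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordPolicy:
    """Per-user password history with reuse and age checks (hypothetical class)."""

    def __init__(self, now: datetime) -> None:
        self.now = now  # injected clock so the walkthrough is deterministic
        # Newest first: (salt, digest, time_set)
        self.history: List[Tuple[bytes, bytes, datetime]] = []

    def reuse_violation(self, candidate: str) -> Optional[str]:
        """Reason string if candidate equals one of the last HISTORY_DEPTH passwords."""
        for i, (salt, digest, _) in enumerate(self.history[:HISTORY_DEPTH]):
            if _digest(candidate, salt) == digest:
                return f"matches password {i + 1} of the last {HISTORY_DEPTH}"
        return None

    def set_password(self, password: str) -> None:
        reason = self.reuse_violation(password)
        if reason is not None:
            raise ValueError(reason)
        salt = os.urandom(16)
        self.history.insert(0, (salt, _digest(password, salt), self.now))

    def is_expired(self) -> bool:
        """True when no password is set or the current one is older than MAX_AGE."""
        if not self.history:
            return True
        return self.now - self.history[0][2] > MAX_AGE


def demo() -> dict:
    """Rotate through seven constructed passwords, 30 days apart, and record
    what the policy allows afterwards."""
    p = PasswordPolicy(datetime(2009, 1, 1))
    for k in range(7):
        p.set_password(f"Rotation{k}!")     # constructed sample passwords
        p.now += timedelta(days=30)
    result = {
        # The seventh-oldest password has dropped out of the window.
        "seventh_oldest_reusable": p.reuse_violation("Rotation0!") is None,
        "last_six_blocked": all(p.reuse_violation(f"Rotation{k}!") for k in range(1, 7)),
        "fresh_not_expired": p.is_expired(),       # current password is 30 days old
    }
    p.now += timedelta(days=61)                    # now 91 days old
    result["expired_after_91_days"] = p.is_expired()
    return result
```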
DOD Information Security
• DOD Information Security
  ◦ Unclassified Info
    - Open to all
    - Need to Know (not subject to FOIA)
  ◦ Classified Info
    All classified information is Need to Know
    - Secret
    - Top Secret
    - Special Security Information
48
Largest IT Threats
• What keeps IT pros in the Army up at night?
  ◦ People not following security regulations!
  ◦ People are the weakest link in the information security chain
  ◦ Software security/vulnerabilities aren’t a big concern!
49
Upcoming Technologies
• Static Analysis Tools
  ◦ Used to augment software testing
  ◦ Look for errors in code that cause security vulnerabilities
  ◦ Don’t need to run the program
50
Upcoming Technologies
• Preventing Internal Theft of Information and Hardware
  ◦ Design an architecture that runs all processes on a secure server, accepts only mouse and keyboard input from users, and returns compressed streaming video
    - Place limits on video bandwidth and print bandwidth
    - Firewall all servers; allow only trusted programs to run
    - Physically secure the server location
    - Don’t allow any processes to run on user terminals
51
Upcoming Technologies
• Future Combat Systems
  ◦ Often derided as “Cell Phones for Soldiers”
    - Provide secure communications
    - Using a self-organizing network
    - With radios that act as both transmitter and receiver
    - And provide voice, text, picture, and limited video communications
  ◦ Biggest Challenge: TCP/IP is not a sufficiently capable protocol for FCS wireless ad-hoc or mesh networks. FCS will require a new network structure.
52
Consolidation of LandWarNet
• Organizational Changes
  ◦ NETCOM now has technical authority over all network hardware and software
• People Changes
  ◦ No important changes
• Product Changes
  ◦ There will be a standardized “enterprise software suite” that will be made available to all Army personnel
  ◦ Hardware will be centralized, capabilities standardized
53
IT SECURITY BEST PRACTICES
54
Best Practices
http://usbglue.com/
55
Best Practices - Organizations
• Centralize
• Standardize (ERP)
• Manage users
• Awareness Training
  ◦ Level of security awareness:
    - Education: 9.2%
    - Government: 22.2%
• Use separate machines to access sensitive information (case #2)
• Using a password manager helps
  ◦ Users store passwords securely either on a computer hard drive, a mobile device, or an online website
  ◦ Can also encrypt personal files or data sent via email
56
Awareness Training
• Involve top management
• Set up topics
• Clearly communicate the goals of each training session
• Define and explain each topic to trainees
  ◦ Ensure they receive training on each topic (and its risks) and that they are equipped with prevention methods at the end of the session
• Regular (annual) sessions, and for new staff
57
Characteristics of Effective Security Governance
• An enterprise-wide issue
• Leaders are accountable
• Viewed as a business requirement
• Risk-based
• Roles, responsibilities, and segregation of duties defined
• Addressed and enforced in policy
• Adequate resources committed
• Staff aware and trained
• A development life cycle requirement
58
Information Security Policy within an Organization (CSI 2008 Summary)
59
Techniques Used to Evaluate Security Technology (CSI 2008 Summary)
Organizations are using a variety of methods to evaluate security technologies
60
What does this mean for CISOs?
• Information Security is IMPORTANT!!
• Business success depends on IT (security)
• Work towards IT centralization
• Awareness training is essential
  ◦ To keep people aware of current & potential information risks and how to keep away from them
• Plan the security strategy
61
Security Strategy
• “Five Principles of Security”
  1. Planning
  2. Proactive
  3. Protection
  4. Prevention
  5. Pitfalls
62
What Can I Do?
• Use multiple strong passwords
• Use antivirus and antispyware software and keep it updated
• Use a firewall
• Download Windows security updates
• Stay informed about current email viruses and phishing scams
63
Example of a SiteKey
64
Time to crack *your* password

  Password   Character set:      Character set:             Character set:
  length     26 - Letters        36 - Letters and Digits    52 - Letters and Digits with upper and lower case
  3          0.18 seconds        0.47 seconds               1.41 seconds
  4          4.57 seconds        16.8 seconds               1.22 minutes
  5          1.98 minutes        10.1 minutes               1.06 hours
  6          51.5 minutes        6.05 hours                 13.7 days
  7          22.3 hours          9.07 days                  3.91 months
  8          24.2 days           10.7 months                17.0 years
  9          1.72 years          32.2 years                 8.82 centuries
  10         44.8 years          1.16 millennia             45.8 millennia
  11         11.6 centuries      41.7 millennia             2,384 millennia
  12         30.3 millennia      1,503 millennia            123,946 millennia
65
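The table above follows from keyspace divided by guess rate: 26^4 = 456,976 guesses in 4.57 seconds implies about 100,000 guesses per second, so that rate (an inference from the table, not something the slide states) is assumed below. This added Python example, not part of the original slide deck, reproduces the table's figures, shows how the 52-symbol column collapses to under two hours at an assumed 10^10 guesses per second, and computes the minimum length needed to hold out for a target time.

```python
import math

# Guess rate implied by the slide's table (e.g. 26^4 = 456,976 guesses in
# 4.57 s is ~100,000 guesses/s). Inferred from the table, not stated on it.
TABLE_RATE = 100_000

# Unit lengths that reproduce the slide's figures: a 365-day year and a
# month of 365/12 days (assumed, since the slide does not say).
SECOND = 1
MINUTE = 60
HOUR = 60 * MINUTE
DAY = 24 * HOUR
MONTH = DAY * 365 / 12
YEAR = 365 * DAY
UNITS = [
    ("millennia", 1000 * YEAR), ("centuries", 100 * YEAR), ("years", YEAR),
    ("months", MONTH), ("days", DAY), ("hours", HOUR), ("minutes", MINUTE),
    ("seconds", SECOND),
]


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return charset_size ** length


def crack_seconds(charset_size: int, length: int,
                  guesses_per_second: float = TABLE_RATE) -> float:
    """Worst-case time to exhaust the keyspace at the given guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def format_duration(seconds: float) -> str:
    """Render seconds in the largest unit >= 1, like the slide ('51.5 minutes')."""
    for name, size in UNITS:
        value = seconds / size
        if value >= 1:
            return f"{value:,.0f} {name}" if value >= 1000 else f"{value:.3g} {name}"
    return f"{seconds:.3g} seconds"


def crack_table(charset_sizes=(26, 36, 52), lengths=range(3, 13),
                guesses_per_second: float = TABLE_RATE) -> dict:
    """Map (charset_size, length) -> human-readable exhaustive-search time."""
    return {(c, n): format_duration(crack_seconds(c, n, guesses_per_second))
            for c in charset_sizes for n in lengths}


def length_for_target(charset_size: int, target_seconds: float,
                      guesses_per_second: float) -> int:
    """Smallest length whose keyspace takes at least target_seconds to exhaust."""
    return math.ceil(math.log(target_seconds * guesses_per_second, charset_size))


if __name__ == "__main__":
    for (c, n), t in crack_table().items():
        print(f"{c:>2} symbols, length {n:>2}: {t}")
    # The slide's 8-character mixed-case row against a 10^10 guesses/s
    # attacker (a constructed rate for illustration, not from the slide).
    print(format_duration(crack_seconds(52, 8, 1e10)))
    print("letters-only length for a 1-year margin:",
          length_for_target(26, YEAR, TABLE_RATE))
```

The slide's first cell shows 0.18 seconds where this computes 0.176, so the table rounds its shortest entries to two significant figures.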
Identity Theft
http://www.youtube.com/watch?v=ZIC57kbD_W8
66
New Future Technology - Fee by Fingerprint
http://www.youtube.com/watch?v=frnYEJK8XMA
67
Internet Security in a Nutshell

Threat: Spyware
  How it happens: Downloading files and installing free or unknown software from untrusted sources.
  What it does: Computer can become unstable or unusable; keystroke logging
  How to stop it: Use anti-spyware, regular scans, avoid the unknown

Threat: Viruses, worms, malware, trojans
  How it happens: Opening unsolicited email, attachments, clicking on pop-ups
  What it does: Files can be destroyed, hackers can gain control, replication and distribution on network
  How to stop it: Install and update anti-virus and firewall software, avoid the unknown

Threat: Phishing scams and identity theft
  How it happens: Replying to or clicking on links in emails that appear legitimate but aren’t, conducting business on unsecure sites
  What it does: Can compromise your identity, financial information and security
  How to stop it: Encrypted financial transactions, never reply to emails asking for passwords or personal information, cookie notification
68
References
Slide 1: “A careless word… a needless sinking”, Anton Otto Fischer; Artist, 1943, Office of War Information
Slide 4:
  Heartland Payment Systems: http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html
  All others: http://www.privacyrights.org/ar/ChronDataBreaches.htm#2009
  White House: Anonymous, (2009), Information Management Journal, Jan/Feb 2009, 43, 1, pg. 10
Slides 6 & 8: http://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003542----000-.html
Slide 7: http://www.zdnetasia.com/techguide/security/0,39044901,62044759,00.htm
Slide 9: http://www.albany.edu/its/security_threats.htm
Slides 10 & 11: http://www.lumension.com/viewDocument.jsp?id=148524
Slides 12-16 & 59-60: http://i.cmpnet.com/v2.gocsi.com/pdf/CSIsurvey2008.pdf
69
References
Slides 17 & 20:
  http://www.iasplus.com/dttpubs/0502soxfpi.pdf
  http://www.foley.com/publications/pub_detail.aspx?pubid=5726
Slide 18: http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Slide 19:
  http://proquest.umi.com/pqdweb?index=11&did=1469228581&SrchMode=1&sid=1&Fmt=6&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1240504144&clientId=45249
  How to Protect Your Data When You’re on the Web, Adarsh K. Gupta DO, MS (2008)
Slides 21 & 22:
  http://blog.isc2.org/isc2_blog/2008/10/fisma-2008---wh.html
  http://www.sec-oig.gov/Reports/AuditsInspections/2008/451final.pdf
Slide 23:
  Mechling, J. (2009). What does your CIO really need to know?, Government Finance Review, Feb 2009, 25, 1, pg. 79. Accessed from ABI/INFORM Global database.
  Rau, K. G. (2004). Effective Governance of IT: Design Objectives, Roles, and Relationships, Information Systems Management, Fall 2004, 21, 4, pg. 35. Accessed from ABI/INFORM Global database.
70
References
Slides 25-27, 36-37: Interview
Slide 28: http://static.howstuffworks.com/gif/zombie-computer-3d.jpg
Slide 29: http://www.answers.com/topic/legacy-system
Slide 35: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd802da1b5_ps10264_Products_Data_Sheet.html
Slide 38: Swartz, Nikki. (2008). Chilling Encrypted Data, Information Management Journal, May/June 2008, 42-3, pg. 12
Slide 41:
  http://www.army.mil/aps/08/critical_challenges/critical_challenges.html Accessed 21 Apr 09
  http://www.gordon.army.mil/Signal/pdf_2009/GoSignal.pdf
Slide 42: http://www.branchorientation.com/signal/mission.html
71
References
Slide 43: http://www.netcom.army.mil/about/docs/NETCOM_Brochure.pdf
Slide 44: http://usaspending.gov/
Slide 50: MILCOM 2008, Improving Software Reliability and Security with Automated Analysis, IEEE Database, Paul Anderson
Slide 51: MILCOM 2008, Global Virtual Vault: Preventing Unauthorized Physical Disclosure by the Insider, Fisk, Miller, and Kent, IEEE Database
Slide 52: Striki, McAuley, and Morera. Modeling Topology Dissemination for Routing in Future Force Networks. MILCOM 2008. 16 – 19 Nov. 2008. IEEE Xplore Database. Accessed 26 Apr 2009.
  http://ieeexplore.ieee.org/search/searchresult.jsp?queryText=(future+combat+systems+%3Cin%3E+metadata)+%3Cand%3E+(4753027+%3Cin%3E+isnumber)&coll2=ieeecnfs&coll3=ieecnfs&history=yes&reqloc=others&scope=metadata&imageField2.x=0&imageField2.y=0
72
References
Slide 52: Wang, Hag, Schmidt, and Corsaro. Toward an Adaptive Data Distribution Service for Dynamic Large-Scale Network-Centric Operation and Warfare (NCOW) Systems. MILCOM 2008. 16 – 19 Nov. 2008. IEEE Xplore Database. Accessed 26 Apr 2009.
  http://ieeexplore.ieee.org/search/searchresult.jsp?queryText=(future+combat+systems+%3Cin%3E+metadata)+%3Cand%3E+(4753027+%3Cin%3E+isnumber)&coll2=ieeecnfs&coll3=ieecnfs&history=yes&reqloc=others&scope=metadata&imageField2.x=0&imageField2.y=0
Slides 45-49, 53: Personal interview with Lt. Col. Warren Griggs.
Slides 56-57:
  http://www.cp-lab.com/
  Rotvold, G. (2008), How to Create a Security Culture in Your Organization, Information Management Journal, 42, 6, pg. 32. Accessed from ABI/INFORM Database.
Slide 58: Allen, J. H. (2007). Governing for Enterprise Security, Carnegie Mellon University, Software Engineering Institute.
Slide 61: Mechling, J. (2009). What does your CIO really need to know?, Government Finance Review, Feb 2009, 25, 1, pg. 79. Accessed from ABI/INFORM Global database.
73
References
Slide 62: Pollitt, D. (2005). Energis trains employees and customers in IT security, Human Resource Management International Digest, 13, 2, p. 25. Accessed from ABI/INFORM Database.
Slide 63:
  http://www.btcoinc.com/images/security300x350.jpg
  http://www.jisclegal.ac.uk/graphics/esecurity.jpg
Slide 65: http://www.oit.osu.edu/networking/osunet/Password_Best_Practices.pdf
Slide 66: http://www.youtube.com/watch?v=ZIC57kbD_W8
Slide 67: http://www.youtube.com/watch?v=frnYEJK8XMA
74