2007-09-18 MI-GMIS Infosec Trends


MI-GMIS
September 18th, 2007
Security Topics for Government
Introductions
• Mark Lachniet From Analysts International
• Solutions Architect for the Security Services Group
• Formerly a K-12 administrator and teacher for Walsh
College’s MSIA program
• Certified Information Systems Security Professional
(CISSP), Certified Information Systems Auditor
(CISA)
• Member of the High Tech Crimes Investigation
Association (HTCIA)
• Try to stay away from products and talk about needs
• Despite being on the technical track, many of the
topics I want to discuss have more to do with proper
management and oversight than boxes and software
Goal & Format
• A random assortment of current
issues that seem to be on the minds
of governmental organizations
• Current problems in information
security in general
• Time for free-form discussion (?)
Setting the Stage
• The Computer Security Institute releases a yearly report on
computer crime.
• The new one (2007) is at
http://i.cmpnet.com/v2.gocsi.com/pdf/CSISurvey2007.pdf
– The average annual loss reported in this year’s survey shot
up to $350,424 from $168,000 the previous year. Not since
the 2004 report have average losses been this high.
– Almost one-fifth (18 percent) of those respondents who
suffered one or more kinds of security incident further said
they’d suffered a “targeted attack,” defined as a malware
attack aimed exclusively at their organization or at
organizations within a small subset of the general
population
– Financial fraud overtook virus attacks as the source of the
greatest financial losses
– Insider abuse of network access or e-mail (such as
trafficking in pornography or pirated software)
Formalizing Security
• For a variety of reasons (maturing IT organizations,
regulatory compliance, etc.) one of the larger areas
of growth is in internal organization
• This includes such things as creating a formal taskforce or workgroup to manage security efforts
• Many organizations have a 5-year plan, sometimes
even specific to I.T. - Why not have one for
information security?
• There are too many things to be done, and too little
time to do it, so staying organized is critical
• One way to do this is to organize a workgroup that
meets regularly to talk specifically about security
Formalizing Security
• Create a group with good representation, possibly including:
– IT (Server, network, workstation, apps)
– Human Resources
– Legal
– Finance
– End Users
• Schedule regular meetings (quarterly?)
• Keep minutes of meetings, have an organized secretary
• Keep track of work (assessments completed, audit findings to
be addressed, etc.) so that you have a snapshot of where you
are at all times
• There should be a spreadsheet that tracks every “bad” finding
that you have had and how it was (or will be) addressed
• Identify a long-term plan for security improvement
• Allocate resources (FTE and Capital) to achieve the plan
• Develop a calendar of “stuff to do” on a regular basis
Stuff To Do and Suggested Occurrences
• Suggested Occurrences are highly variable, but this is what I
may recommend to my business customers
– Update the DR / BCP (quarterly)
– Exercise the DR / BCP Plan (yearly)
– Perform internal vulnerability assessments (yearly)
– Perform external vulnerability assessments (quarterly)
– Perform assessments of Web Applications (yearly)
– Perform comprehensive security audits (yearly)
– Review firewall, application and system logs (daily)
– Analyze regulatory compliance (PCI, CJIS, financial audits)
– Review controls on contracted services, purchases (yearly)
– Review data classification and lifecycle controls (yearly)
– Perform self-assessments on risk (e.g. risk of building failure, of
data being stolen on a laptop, etc.) (yearly)
– Review password security (yearly)
– Audit operating system and 3rd party application security (yearly)
Comprehensive Assessments
• One thing you can do is to perform a wide-ranging security
assessment (similar to an audit, but typically doesn’t actually
go to machines for sample data)
• This should include not only technical host and network stuff,
but practices and procedures, physical security, etc.
• You can develop your own with free guides on the Internet
(NIST and ISACA.org are a good starting point) or hire an
outsider
• When Analysts does them, we break them into four main focus
areas:
– Physical Security
– Network Security
– Logical Security (hosts, Active Directory, etc.)
– Practices and procedures
• We then identify weaknesses, identify possible improvements,
and rank them in terms of cost (capital and FTE) and gain
Ranking Matrix
• We use a ranking matrix to try to identify the “sweet
spot” (upper right) which is then used as a planning
tool
[Figure: ranking matrix. Vertical axis: Cost, from Least Cost to Most Cost. Horizontal axis: Security Gain, scored 1 (Least Gain), 3, 5 (Most Gain). Individual findings are plotted by focus-area code and number (PS, NS, LS, PP).]
Physical Security
• Facilities / Grounds Physical Security
• Server Room & Wiring Closet Physical Security
• Server and Workstation Physical Security
• Secure Storage and Handling of Electronic and
Printed Data
• Disaster Recovery – Alternate Site Considerations
• Fire Detection and Suppression
• Emergency Backup Power and UPS Systems
• Network Availability
• Server Availability
Network Security
• Network Confidentiality and Encryption
• Port-Based Access Control
• IP Telephony Security
• Wireless Security
• Internet Border / Firewall Security
• Network Intrusion Prevention Systems
• Network Protection for SPAM / Malware
• Partner / Vendor Data Network Connection Security
• Remote Access Security
• Network Logging
Logical Security
• System Build and Hardening
• Account and Password Security
• System Access and Authentication Systems
• Malware / Anti-Virus Protection
• Host Based Intrusion Prevention Systems
• System Logging
• E-Mail Servers and Systems
• Application Development Practices
Administrative Practices
• Remote Access / Remote Users
Administrative Practices
• Remote Access Training and Awareness
• Information Systems Support Staff
Administrative Procedures
• End User Administrative Policies
• Information Classification
• Information Systems Coordination with
Human Resources
• Separation of Duties
• Vendor / External Organization Management
Administrative Practices
• Incident Response Procedures
• Change Control Systems
• System Documentation
• Service Level Agreement (SLA) Management
• Management Planning and Support
• Regulatory Compliance
• Risk Assessment Strategies
• Audit and Security Event Management Systems
• Backup Practices and Storage
Physical Security
• A simple audit of your physical security may be a good idea. Some
things that I typically find:
– Hinges on the OUTSIDE of the doors, particularly in areas that
are not well lit or that don’t have alarm sensors
– Lack of adequate sensor coverage for alarm systems
– Walls with drop ceilings that could be removed to enter secure
areas over the wall (watch for white powder!)
– Monitoring of ingress / egress points by a live person
– Video surveillance systems
– Sign-in / Sign-out and escort by an employee
– Locks – master keys, locks that are never re-keyed after people
leave, keypad locks that can be “shoulder surfed”
– Review of security alarm logs
– Security of data centers, and electronic media! (I once did an
audit where a county left backups of all their data including law
enforcement laying around on cabinets where it could be stolen
and restored)
Vendor Management
• The security implications of vendors and other third parties
shouldn’t be ignored
• This is especially important when you have:
– Vendors with dedicated connections
– Vendors with remote access (dial, VPN)
– Companies performing application development*
– Companies selling you products (RFP)
– Vendors providing you services (hosting, ISP, etc.)
– Vendors physically in your environment
• Consider writing a policy as to what you expect of these
organizations
• Require them to adhere to certain minimum standards as part of
the contracting / purchasing project. Hit them where the
money is!
• Build a security section into all RFP templates and contracts
• By default, you can probably NOT expect security unless you
are paying extra for it
Managing All the Tools
• It seems like there are a million new tools out there that
you just “have to have”
• Vendors make it seem like their products will solve all of
your problems, and they may well solve many of them,
but they tend to downplay how much effort you will have
to put into managing them!
• First of all, there is training to become comfortable with
the products, and then there is the ongoing maintenance
• For example, with Intrusion Prevention Systems, you
may need to update the signatures weekly, if not daily
• Patching systems requires vetting the patches to make sure
they don’t break things
• It practically requires a half time person just to read all of
the logs that are generated by your devices (a practice
which is, of course, required by some regulation or
another)
Logging and Log Analysis
• Keeping and analyzing logs is a critical part of IT
governance, and especially important when it comes
to investigating incidents
• Many places don’t collect adequate logs in the first
place
– Pre-Windows 2003 logging is inadequate by default
– Network devices like firewalls often log only to a
temporary local store or not at all
• Logging sources are isolated, have to be read in
many different spots
• Log data is too detailed, impossible for a normal
human to find the “needle in the haystack” before
passing out from boredom
• Systems are not set to the same time
Logging and Log Analysis
• Consider setting up or purchasing a log analysis system
• On the cheap – Snare syslog agents for Windows, Kiwi
Syslog to consolidate, Sawmill to generate HTML reports
• http://lachniet.com/cheaplogging (a bit old)
• Many options for Microsoft (www.gfi.com)
• Consider a Security Incident Management (SIM) product
like Cisco’s MARS, ArcSight, NetIQ, etc.
• There are really two different levels – products that allow
you to parse your logs quickly and find issues, and
products that try to find them for you (SIM)
• With Sawmill, for example, you can get a HTML report
of what your PIX has been doing for the last 24hrs and
scan through it in 10 minutes to identify changes and
issues
• None of these will magically do it all for you!
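A minimal consolidation pass of the kind these two slides describe: every source read in one place, clocks checked against the collector, and a short summary instead of raw lines. This is an added example, not from the talk; the record format, host names and addresses are constructed and simplified, and are not the real PIX or Snare syslog formats.

```python
"""Consolidate syslog-style records, flag clock skew, summarize firewall denies.
Record format is constructed for this example (not real PIX/Snare output)."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed records: (collector receive time, source host, line as sent).
# Each line begins with the sending device's own timestamp.
RECORDS = [
    ("2007-09-18T13:00:01Z", "fw1", "2007-09-18T13:00:00Z deny tcp src=203.0.113.9 dst=192.0.2.10 dport=445"),
    ("2007-09-18T13:00:02Z", "fw1", "2007-09-18T13:00:01Z deny tcp src=203.0.113.9 dst=192.0.2.11 dport=445"),
    ("2007-09-18T13:00:03Z", "fw1", "2007-09-18T13:00:02Z permit tcp src=198.51.100.4 dst=192.0.2.10 dport=80"),
    ("2007-09-18T13:00:05Z", "fw1", "2007-09-18T13:00:04Z deny tcp src=198.51.100.77 dst=192.0.2.10 dport=22"),
    ("2007-09-18T13:00:06Z", "dc01", "2007-09-18T13:00:05Z Security 529 logon failure user=jdoe"),
    ("2007-09-18T13:00:07Z", "file02", "2007-09-18T12:47:07Z Security 529 logon failure user=jdoe"),
]

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
DENY_RE = re.compile(r"\bdeny\b.*\bsrc=(\S+)")

def parse_ts(text):
    return datetime.strptime(text, TS_FMT).replace(tzinfo=timezone.utc)

def clock_skew(records, threshold=60):
    """Seconds each host's clock is off from the collector, for hosts beyond the
    threshold. Receive time is the reference: a syslog server stamps every
    record with its own clock on arrival, so 'systems not set to the same
    time' shows up as a per-host offset without touching the devices."""
    worst = {}
    for received, host, line in records:
        skew = int((parse_ts(line.split(" ", 1)[0]) - parse_ts(received)).total_seconds())
        if abs(skew) > threshold and abs(skew) > abs(worst.get(host, 0)):
            worst[host] = skew
    return worst

def normalize(records):
    """One consolidated, time-ordered event list, with skewed hosts pulled back
    onto the collector's clock so events from different boxes line up."""
    skew = clock_skew(records)
    events = []
    for received, host, line in records:
        device_ts, message = line.split(" ", 1)
        ts = parse_ts(device_ts) - timedelta(seconds=skew.get(host, 0))
        events.append((ts, host, message))
    return sorted(events)

def denied_sources(records):
    """Source addresses the firewall denied, most frequent first: the 'changes
    and issues' a ten-minute scan of a daily report is meant to surface."""
    hits = Counter()
    for _, _, line in records:
        match = DENY_RE.search(line)
        if match:
            hits[match.group(1)] += 1
    return hits
```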
Application Development
• The focus of hackers is moving from missing patches to poorly
developed applications
• Many, if not most, internally (and externally) developed
applications have security flaws
• This is particularly true of web applications
• There are a variety of ways to hack a web application to get
into the database, and sometimes even the operating system and
network
• Make sure that if you have people doing development that they
follow some minimum standards.
• Consider http://www.owasp.org as a starting point
• Require proof of third-party testing for any applications you
might purchase
• Consider having assessments done on critical systems before
they are implemented (or after major changes)
Web Application Vulnerabilities
Study Shows Most Web Applications Have Vulnerabilities
(5 February 2004)
A four-year test of more than 250 Web applications found that at least
92% of them were vulnerable to attacks including cross-site scripting,
SQL injection and parameter tampering. WebCohort's Application
Defense Center conducted the test, which looked at applications on
"e-commerce, online banking, enterprise collaboration and supply chain
management web sites."
http://www.vnunet.com/News/1152521
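The three flaw classes the study names, shown in one request handler as the "before" a minimum development standard should rule out and the "after" that meets it. This is an added illustration in Python with sqlite3, not code from the presentation or from WebCohort; the invoice table, user names and memo text are constructed.

```python
"""A web handler that reads a record by an id taken from the request,
before and after applying minimum standards. Sample data is constructed."""
import html
import sqlite3

def build_db():
    """Constructed sample data: two users, each owning one invoice."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, memo TEXT)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)", [
        (1, "alice", "Water bill <b>Q3</b>"),
        (2, "bob", "Property tax"),
    ])
    return db

def invoice_memo_unsafe(db, user, invoice_id):
    """'Before': the id goes straight from the request into the SQL text
    (SQL injection), nothing checks that the record belongs to the logged-in
    user (parameter tampering), and the memo is returned as-is for the page
    (cross-site scripting if it came from another user)."""
    row = db.execute(f"SELECT memo FROM invoices WHERE id = {invoice_id}").fetchone()
    return row[0] if row else None

def invoice_memo_safe(db, user, invoice_id):
    """'After': validate the type, bind the value as a parameter, enforce
    ownership on the server side, and HTML-encode before it reaches the page."""
    try:
        invoice_id = int(invoice_id)  # anything that is not an integer id is rejected
    except (TypeError, ValueError):
        return None
    row = db.execute(
        "SELECT memo FROM invoices WHERE id = ? AND owner = ?",
        (invoice_id, user),
    ).fetchone()
    return html.escape(row[0]) if row else None
```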
BCP / DR
• Business Continuity Planning (BCP) and Disaster Recovery
(DR) still seem to be an area of focus
• Many people are getting hit with audit findings that they only
have DR and not true BCP
• Consider BCP as the business “wrapper” that goes around DR
• A few things that typically go into these updates are
– Business Impact Analysis (start with the business people and
work your way down to assets. Without doing this, how can you
be sure you got all the right technology in your plan?)
– Operational Procedures (where do the bosses meet, how do you
initiate a call tree, who talks to the media, who cuts emergency
PO’s, etc. This is what the boss types need)
• A few very promising technologies for BCP:
– VMWARE (stick around for the next session!)
– SAN (especially with SAN replication to a remote site)
– Wide Area Network accelerators (to speed backups, apps)
– Faster, cheaper Internet (especially county fiber!)
Information Privacy / Encryption
• There have been a lot of highly publicized incidents involving stolen
data
• For example, laptops getting stolen at airports with hundreds of
thousands of social security numbers or backup tapes that weren’t
encrypted and couldn’t be found or “fell off the truck”
• To minimize this, consider some basic protections:
– Identify what kind of sensitive data you have as part of your
information classification
– Collect and store as little as possible
– Ensure that you have adequate security (tested!) on systems that
store and process it
– Ensure that you use encryption to protect it – particularly on
laptops and backup tapes that leave the physical environment
– Create a plan on how to respond if it happens anyway – especially
what to say and who will say it
– Have that “oops letter” already created and ready to send. A slow
response looks bad
• One good product for full disk encryption is SecureDoc WinMagic. It
protects the whole hard drive so even forensics can’t get it.
Incident Response
• It’s not a matter of if you are going to be hacked….
• It’s not just a matter of hacking, either; it could be a proper
disaster, a physical threat, etc.
• When it happens, an organized response to the crisis is
essential! Don’t count on responding calmly and rationally
during the crisis
• Prepare an Incident Response (IR) plan ahead of time with
involvement from key stakeholders
• Identify which people are responsible for which tasks –
consider non-technical tasks such as informing employees,
contacting the media, etc.
• Create a minimum set of documentation to keep throughout the
incident – this will help you to learn from your errors, and may
be necessary for law enforcement
• Create standards (based on information classification) for how
to respond. Re-format the server? Call the cops?
Computer Evidence
• The problem: Organizations have an increasing need for
computer evidence that is admissible in court, and need high-end
technical assistance for hacking incidents.
– Crime involving technology continues to increase
– Law enforcement is over-burdened and has big backlogs
– Computer data is increasingly becoming central to civil lawsuits
(fraud, problems with the SEC, intellectual property, etc.)
– No standards for forensic methodology, especially for volatile
data (data that is in memory such as network connections that is
lost when the computer is powered down)
– I.T. security consultants do not always have a good understanding
of legal concepts such as the chain of custody
– Information about non-technical crimes is increasingly stored on
PCs and devices such as cell phones and PDAs, requiring
specialized software
Computer Evidence
• One definition of computer forensics is
“Computer Forensics is the use of specialized techniques for recovery,
authentication, and analysis of electronic data when a case involves
issues relating to reconstruction of computer usage, examination of
residual data, authentication of data by technical analysis or
explanation of technical features of data and computer usage. ...”
• Forensics is another area of growth
• Very often seen in “fire the naughty surfer” investigations
• Often in CO$TLY lawsuits
• Integrate into your Incident Response plans
• Also important when dealing with electronic media that could
potentially go to law enforcement. If you mess it up, you could very
well blow the case!
• Consider joining the HTCIA (htcia.org) and/or working with your
techie cops on some kind of plan
• One tip: Don’t mess with it if you aren’t sure what you are doing
• Another tip: Keep the hard drives of anyone you find suspicious
Administrator Termination
• I.T. staff members have an unprecedented level of
access to key organizational data, and this access
must be managed when they leave the organization
– Passwords exist on numerous disparate systems, usually not
recorded
– Most organizations have difficulty identifying all of the
steps that need to be taken
– I.T. administrators frequently know the passwords of
regular users
– Dial-up, VPN, Internet-facing systems need to be closed off
ASAP
– I.T. administrators may have organizational property (data,
hardware, software, intellectual property, etc.) that needs to
be retrieved
– In some cases, the termination is hostile, and an immediate
threat is perceived
Administrator Termination
• To address this need, you need to identify all the places where
access is granted in the organization
• Doing this ahead of time (e.g. a master password list, and
detailed list of tasks) is a very good idea
• Doing it on the fly (e.g. Analysts’ ATS service) is a multi-step
process:
– Evaluate risk – did they make any threats? Are they a “hacker”?
– Identify all access (especially remotely accessible)
– Change the passwords
– Assist / consult on internal staff issues (obtain all property,
perform exit interview, communication to staff about departure,
require a password change for everyone? IT staffers often know
a lot of user passwords!)
– Obtain employee personal data (hard drive, home directory, e-mail)
and analyze for signs of malfeasance such as “time bombs”,
non-compliance with the AUP, existence of hacking tools,
evidence of browsing hacking or threatening web sites, etc.
Misc. Issues for Government
• Sensitive data systems and networks
– LEIN! (See the CJIS policy council)
– Fingerprint systems
– Concealed weapon databases
– Credit card systems (e.g. deed lookups)
– Friend of the court
– Probate, etc. etc.
• Electronic 911 and IP Telephony
• Coordination with the State of Michigan and nearby
entities
• Consider the MI-ISAC (the focal point of all the US-CERT and
MS-ISAC alerts coming into Michigan) being run by the State.
Contact Rich Resoner at the state at 517-335-3093
Discussion
Mark Lachniet
Analysts International
(517) 336-1004 (voice)
(517) 336-1100 (fax)
[email protected]
Email me to request a copy of the presentation.
Or http://lachniet.com/powerpoint