Information Security Summary
Download
Report
Transcript Information Security Summary
Class 10
Information Security Summary
Chapter 9 of the Executive Guide to
Information Security
10 Essential Components of
Information Security
1. “C” level management owns the Information
Security program for appropriate resources
allocations
2. Assign a Full-time, Experienced, Senior-Level
staff responsibility for Information Security
3. Establish Cross-functional Information
Security Governance Board to develop and
enforce policies compliance
4. Establish Metrics and SLAs to monitor
program operation
5. Implement Ongoing Security Improvement
Program
6. Conduct Periodic Independent Audits
7. Layer Security at Gatway, Server, Client
8. Separate Computing Environment into Zone
9. Start with Basic & Improve Program
10.Consider Information Security an Essential
Investment
#
Critical Security Control
Control Description
1
Inventory of Authorized and
Unauthorized Devices
Actively manage (inventory, track, and correct) all hardware
devices on the network so that only authorized devices are given
access, and unauthorized and unmanaged devices are found and
prevented from gaining access.
2
Inventory of Authorized and
Unauthorized Software
Actively manage (inventory, track, and correct) all software on
the network so that only authorized software is installed and can
execute, and that unauthorized and unmanaged software is
found and prevented from installation or execution.
3
Secure Configurations for
Hardware and Software on
Mobile Devices, Laptops,
Workstations, and Servers
Establish, implement, and actively manage (track, report on,
correct) the security configuration of laptops, servers, and
workstations using a rigorous configuration management and
change control process in order to prevent attackers from
exploiting vulnerable services and settings.
4
Continuous Vulnerability
Continuously acquire, assess, and take action on new information
Assessment and Remediation in order to identify vulnerabilities, remediate, and minimize the
window of opportunity for attackers.
5
Malware Defenses
Control the installation, spread, and execution of malicious code
at multiple points in the enterprise, while optimizing the use of
automation to enable rapid updating of defense, data gathering,
and corrective action
#
Critical Security Control
Description
6
Application Software Security Manage the security lifecycle of all in-house developed and
acquired software in order to prevent, detect, and correct
security weaknesses
7
Wireless Access Control
The processes and tools used to track/control/prevent/correct
the security use of wireless local area networks (LANS), access
points, and wireless client systems.
8
Data Recovery Capability
The processes and tools used to properly back up critical
information with a proven methodology for timely recovery of it.
9
Security Skills Assessment
and Appropriate Training to
Fill Gaps
For all functional roles in the organization (prioritizing those
mission-critical to the business and its security), identify the
specific knowledge, skills, and abilities needed to support defense
of the enterprise; develop and execute an integrated plan to
assess, identify gaps, and remediate through policy, organizational
planning, training, and awareness programs.
10
Secure Configurations for
Network Devices such as
Firewalls, Routers, and
Switches
Establish, implement, and actively manage (track, report on,
correct) the security configuration of network infrastructure
devices using a rigorous configuration management and change
control process in order to prevent attackers from exploiting
vulnerable services and settings.
#
Critical Security Control
Control Description
11
Limitation and Control of
Network Ports, Protocols,
and Services
Manage (track/control/correct) the ongoing operational
use of ports, protocols, and services on networked devices
in order to minimize windows of vulnerability available to
attackers.
12
Controlled Use of
Administrative Privileges
The processes and tools used to
track/control/prevent/correct the use, assignment, and
configuration of administrative privileges on computers,
networks, and applications.
13
Boundary Defense
Detect/prevent/correct the flow of information
transferring networks of different trust levels with a focus
on security-damaging data.
14
Maintenance, Monitoring, Collect, manage, and analyze audit logs of events that
and Analysis of Audit Logs could help detect, understand, or recover from an attack.
15
Controlled Access Based
on the Need to Know
The processes and tools used to
track/control/prevent/correct secure access to critical
assets (e.g., information, resources, systems) according to
the formal determination of which persons, computers,
and applications have a need and right to access these
critical assets based on an approved classification.
#
Critical Security Control
Control Description
16
Account Monitoring and
Control
Actively manage the life-cycle of system and application
accounts - their creation, use, dormancy, deletion - in order to
minimize opportunities for attackers to leverage them.
17
Data Protection
The processes and tools used to prevent data exfiltration,
mitigate the effects of exfiltrated data, and ensure the privacy
and integrity of sensitive information.
18
Incident Response and
Management
Protect the organization's information, as well as its reputation,
by developing and implementing an incident response
infrastructure (e.g., plans, defined roles, training,
communications, management oversight) for quickly discovering
an attack and then effectively containing the damage,
eradicating the attacker's presence, and restoring the integrity of
the network and systems.
19
Secure Network Engineering
Make security an inherent attribute of the enterprise by
specifying, designing, and building-in features that allow high
confidence systems operations while denying or minimizing
opportunities for attackers.
20
Penetration Tests and Red Test the overall strength of an organization's defenses
Team Exercises
(the technology, the processes, and the people) by
simulating the objectives and actions of an attacker.
SANS Critical Security Controls for
Effective Cyber Defense
Cyber Threat Watch as of 11/5/2014
https://cyberthreatwatch.wellsfargo.net/CyberThreatWatch/
Apple iTunes Breach Claimed by Anon-Sec
Posted on November 5, 2014 by Daniel Kalusz
•
•
•
Security researchers reported a data dump of approximately 3.8 million users
account with plain text passwords posted to a public website Pastebin. Anonymous
hacktivist group known as Anon-Sec claims to have breached iTunes and they are
in possession of 3.8 million accounts to various organizations. The initial post was
released on November 4, 2014, and was reported by the hackers as just a sample
of the first-thousand of the 3.8 million. Anon-Sec indicates that they will continue
to publicly post the remaining user accounts and clear-text passwords in small
portions until the account data is completely dumped. Currently, the Apple iTunes
data dump may have been attributed to multiple separate attacks over a period of
time using password guessing, brute force, and phishing campaigns, and not a
single breach event.
Apple has not addressed the alleged hack or publicly commented; however, the
usernames and passwords do not follow the current password policy length and
complexity. Therefore, it is suspected that this data dump may have been stolen
from other services such as password managers or online stores that use federated
IDs to Apple iTunes accounts.
CTI Analysis: Anon-Sec may have falsified claims that this data was from an iTunes
breach in an effort to gain notoriety for Guy Fawkes Day (November 5th). The data
could have been from other websites or older username and password lists the
hacker’s bulked together to make it look like a large data breach occurred. CTI will
continue to monitor Pastebin for additional warnings and indicators related to the
alleged data breach
AirHopper — Hacking Into an Isolated Computer Using FM Radio Signals
Posted on November 4, 2014 by Vijay Thavasi muthu
• The researchers in Israel have developed a malware called AirHopper
which uses a keylogger technique and can capture the keystrokes from a
computer using radio signals. The researchers’ claim that a computer with
no connectivity to any network can still transmit the data using radio FM
signals. The new application known as AirHopper works by using the FM
radio receiver included in some mobile phones. AirHopper captures the
keystrokes by intercepting radio transmissions emanating from the
monitor or display unit of an isolated computer. Radio signals that can
transmit modulated data is then received and decoded by the FM radio
receiver built into mobile phones. Researchers have demonstrated in a
video showing the ability of AirHopper to capture the keystrokes from an
isolated computer (air-gap) at a distance of 1-7 meters with a bandwidth
of 13-60 bytes per second
• CTI Analysis: The new technology using FM radio signals does pose a
serious concern with regard to data security. Though it was developed by
the researchers with the intent of protecting against such
attacks/intrusions in near future it can be used/exploited by the people or
organizations with malicious intentions. The frequency level of the
monitor that can be compromised using AirHopper is currently unknown.
CTI will continue to research to determine complexity and feasibility.
Ebola Phishing Scams and Malware Campaigns
Posted on October 31, 2014 by Justin Cunnane
•
•
•
•
•
•
•
•
Malicious campaigns utilizing Ebola-related topics began appearing sporadically
throughout the summer with a significant increase throughout October. These
scams prompted US-Cert to release an advisory warning the public on such
campaigns. The victims are not targeted with spear-phishing campaigns; anyone
with an internet presence could potentially be impacted. A few of the current
campaigns have been observed attempting to infect the user with malware
variants such as the DarkComet RAT and Zeus Trojan as well as leveraging recent
zero-day vulnerabilities in order to gain access and control over the victim’s
machine.
This type of ‘current event’ scam campaign generally breaks down into five
categories of purpose; listed below in order of potential severity to the victim:
Deliver malware
Phish for Basic User Information and Personally Identifiable Information (PII)
419 Scams – scams originating from Nigeria that attempt to trick victims into
providing money as an ‘advanced fee’ in order to receive a large amount of money
Click fraud/Web Traffic Generating
Nuisance/Trolling, but essentially harmless spam
The ongoing Ebola campaigns have touched on all of these categories. Social
networking sites have seen an array of click fraud-related scams that attempt to
lure the user into clicking links by using far-fetched headlines, such as:
Ebola Cont.
• The threat actors play on the victims desire to satisfy
their curiosity, click the link, and be sent through a
series of website redirects that ultimately end with the
victim presented with a scam survey (sometimes
referred to as ‘click fraud’) to fill out or prompts for
downloading software known as potentially unwanted
program (PUP) which are bundles of freeware that,
while not directly malicious, will negatively impact the
victim’s machine via unwanted activities, such as:
• Display pop-up ads
• Change the user’s default settings
• Install unwanted apps such as search bars and tool bars
in browsers
• Automatically redirect users to specific unwanted
browsers and search engines
Ebola Cont.
• The more severe Ebola-related campaigns have been observed
beginning in mid-October and come in the form of email spam with
malicious attachments and/or links. The emails claim to be from
various senders, primarily the World Health Organization (WHO)
under the guise of contacting the victim to provide ‘Ebola Safety
Tips’, which are conveniently provided in an email attachment. One
such campaign infected the user with the DarkComet Remote
Access Trojan (RAT) which essentially allows the attacker access and
control to the victim’s machine enabling them to proceed with a
long list of potentially malicious activity including data exfiltration,
keylogging, executing shell commands and more. Researchers at
Symantec also observed infections in the same manner that
involves malware variants such as Trojan.Zbot (Zeus), Trojan.Blueso,
Backdoor.Breut and W32.SpyRat (worm).
Sony Experia Devices Secretly Sending User Data to Servers in China
Posted on October 31, 2014 by Vijay Thavasi muthu
Sony Smartphones has been found sending User data secretly to the servers in China.
Users running Android version 4.4.2 or 4.4.4 on their phone found communications
with the servers back in China. The users have found a presence of a folder called
Baidu (which some claim to be created automatically and it is considered as spyware).
Deleting this folder yielded no result as the folder gets created again (automatically)
without the users knowledge. Even unchecking the folder from device administrator
has zero effect on this folder. It is claimed that with the help of Baidu folder the
following information can be retrieved:
• Read status and identity of your device
• Make pictures and videos without your knowledge
• Get your exact location
• Read the contents of your USB memory
• Read or edit accounts
• Change security settings
• Completely manage your network access
• Couple with Bluetooth devices
• Know what apps you are using
• Prevent your device from entering sleep mode
• Change audio settings
• Change system settings
Sony Experia Devices Secretly Sending User Data to Servers in China
Cont.
The affected devices includes Sony Experia Z3 and Z3 Compact, though it is not limited
to Sony as users with phones like HTC One M7, HTC One X also have the presence of
Baidu folder in their respective handsets.
• The following steps have been recommended for to disable Baidu Spyware for
Sony Smartphones:
• Backup important data and factory reset the device.
• Turn on the device and go to Settings -> Apps -> Running and Force stop both
“MyXperia” apps.
• Then remove the baidu folder using File Kommander app.
• Go to Settings -> About Phone -> Click 7 times on the Build Number to enable
developer mode.
• Download or Install the Android SDK on your computer and then connect the Sony
device to it using USB cable.
• Run the adb tool terminal : adb shell
• In adb shell, type the command: pm block com.sonymobile.mx.android
• Exit adb shell
• Reboot the device
CTI Analysis: It is unknown exactly how the reported spyware was embedded in the
new devices. Previously, the Huawei and Xiaomi have been discovered have backdoors
and spyware or secretly send data to servers in China on mobile devices.
Xiaomi Phones Secretly Sending Users’ Sensitive Data to Chinese Servers
Posted on October 30, 2014 by Vijay Thavasi muthu
Xiaomi (also known as Apple of China), which is Chinese telecoms equipment supplier made foray into
the Indian market with its mobile phone called RedMi 1S. The phone has a good configuration and is
available at a decent price attracting a lot of buyers. Researchers and users of the phone have found
that Xiaomi RedMi 1S phone is sending data from the phone to the servers in China
“api.account.xiaomi.com” even when the Backup – Data option is turned off. Xiaomi RedMi phone has
been sending data like IMEI of the phone, IMSI Number (through Mi Cloud – like ICloud in IPhone) ,
Contact details , Text messages.
•
Researchers have found that the Xiaomi phones keeps trying to make a connection with an IP
address based in Beijing, China even after turning off the cloud service on the phone called Micloud services (like ICloud in Apple Phone).
•
The Indian Government Agencies have already issued a circular to its personnel asking them to
avoid using the phone. Xiaomi did accept that RedMi 1S phone is sending information (Did not
mention sensitive information) to it servers based in China. They assured that they will route all the
users data to the servers based in Singapore and other locations other than China.
• (http://thehackernews.com/2014/08/xiaomi-phones-secretly-sending-users.html)
CTI Analysis: Many Chinese products have been reported in the past for suspected backdoor entry and
various organizations and institutions have banned the use of it us about using it. In 2012, ZTE and
Huawei Technologies Co Ltd smartphones were discovered to have a backdoor.
•
ZTE Confirms Security Hole in U.S. Phone
• (https://cyberthreatwatch.wellsfargo.net/CyberThreatWatch/?p=21397)
•
However, it is recommended to keep the people and other community aware of. The US
government is aware of backdoor entry features of Chinese products and has been caution these
new products to prevent personal information being used for any malicious activity.