Information Security Awareness - Concepts, Standards..
Information Security awareness presentation made at Rajiv Gandhi Institute of Technology on Feb 24, 2010. The presentation covers Information Security concepts, standards, the profession and careers, risks and case studies.

  • Neat presentation of security controls and grateful for the key information. Thanks for your share.
    If you are in need of any scammer-related news, please visit my blog http://scambaitings.blogspot.com/
Presentation Transcript

  • Rajiv Gandhi Institute of Technology, February 24, 2010. Information Security … the profession; concepts, risks and more.. Presented by: Dinesh O Bareja, CISA, CISM, ITIL, Open Security Alliance (www.opensecurityalliance.org). RGIT, Mumbai 02/24 www.opensecurityalliance.org
  • About Me (Warming Up) Dinesh Bareja, BA, CISA, CISM, ITIL, BS 7799 (LA, Imp). Engaged in continuous study and learning. Work in Information Security consulting, advisory and technical services; identifying emerging opportunities; strategic business planning; training, mentoring and awareness & more… Past life (pre-.com) was spent in manufacturing, trading, exports. Co-founder of Indian Honeynet Project and Open Security Alliance, and actively involved with DSCI and other Information Security groups.
  • A Starting Thought (Warming Up) "..... every human endeavour operates partly in light and partly in shadow; and, especially, in those fields that delve deeply into shadow, some succumb to temptation." - Richard Power (Computerworld)
  • Covering your mistakes (Warming Up) [image slide]
  • Some more (simpler) thoughts (Warming Up) • We have sidewalks but cannot walk on them! • In parks they say … keep off the grass! • Cars at home… but driving is a killer • Using computers …. and there is the risk of everything going wrong • ….. • Rules… rules and more rules!!
  • My Rules (Warmed Up) • Don't be shy … ask questions (we have a lot of time) • Feel free to interrupt me • Nod intelligently even if you fall asleep • Correct me if I make a mistake (remember I am in a continuous learning mode) • Hijack this presentation and change it into a debate! • Don't take notes, this slide deck will be available on our website (or on the college file server) • There is no test at the end of this session; you get marks for being a good and interactive audience • Finally – please make sure your cellphones are in shivering mode! It is bad manners to make any odd sounds when people around you are trying to learn something
  • Proposition • The What and Why of Information Security • Information Security Domains and Concepts • Standards, Guidelines and Frameworks • Infosec Profession / Careers • Risks and Awareness
  • … What … Information security is protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction, in order to provide: • Confidentiality – preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information • Integrity – guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity • Availability – ensuring timely and reliable access to and use of information
  • CIA… in more detail • Confidentiality — Sensitive information must be available only to a set of predefined individuals. Unauthorized transmission and usage of information should be restricted. For example, confidentiality of information ensures that a customer's personal or financial information is not obtained by an unauthorized individual for malicious purposes such as identity theft or credit fraud. • Integrity — Information should not be altered in ways that render it incomplete or incorrect. Unauthorized users should be restricted from the ability to modify or destroy sensitive information. • Availability — Information should be accessible to authorized users any time that it is needed. Availability is an assurance that information can be obtained with an agreed-upon frequency and timeliness. This is often measured in terms of percentages and agreed to formally in Service Level Agreements (SLAs) used by network service providers and their enterprise clients. • Continuity — Information should be continuously available to the business user, and this is ensured through appropriate business continuity and disaster preparedness.
  • The Need for IT Security Governance • Security • Keeping IT Running • Aligning IT with Business • Managing Complexity • Regulatory Compliance • Value/Cost. Organizations require a structured approach for managing these and other challenges. © ISACA
  • Why Information Security • Ensure Availability of Business • Take care of the risk of loss of Confidentiality, Integrity and Availability of Information Assets • Protect Data and Information Systems • Prevent Brand and Reputation Loss • Increased Productivity through best practices • Higher levels of assurance • Competitive advantage • Enable Business Continuity and Disaster Recovery. And for this we need Security Controls
  • Security Controls. Computer security is often divided into three distinct master categories, commonly referred to as controls: Physical, Technical and Administrative.
    – Physical Controls are the implementation of security measures in a defined structure, used to deter or prevent unauthorized access to sensitive material. Examples of physical controls are: • Closed-circuit surveillance cameras • Motion or thermal alarm systems • Security guards • Picture IDs • Locked and dead-bolted steel doors • Biometrics (fingerprint, voice, face, iris, handwriting and other automated methods used to recognize individuals)
    – Administrative Controls define the human factors of security. They involve all levels of personnel within an organization and determine which users have access to what resources and information, by such means as: • Training and awareness • Disaster preparedness and recovery plans • Personnel recruitment and separation strategies • Personnel registration and accounting
    – Technical Controls use technology as a basis for controlling the access and usage of sensitive data throughout a physical structure and over a network. Technical controls are far-reaching in scope and encompass such technologies as: • Encryption • Smart cards • Network authentication • Access control lists (ACLs) • File integrity auditing software
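File integrity auditing is the last technical control listed above. As an added example (not part of the presentation), the following script implements the core of such a tool: it records a SHA-256 baseline of a directory tree and then reports which files were added, removed or modified. The directory layout, file names and contents in `demo()` are constructed for illustration so the script runs offline.

```python
"""File-integrity baseline and verification: a worked example of the
"file integrity auditing" technical control named on the slide.
Added example, not from the original presentation.  The paths, file
names and contents in demo() are constructed so the script runs offline."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256 and size."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        baseline[rel] = {"sha256": hash_file(path), "size": path.stat().st_size}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify paths as added, removed or modified relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(
            k for k in base_keys & cur_keys
            if baseline[k]["sha256"] != current[k]["sha256"]
        ),
    }


def save_baseline(baseline: dict, out: Path) -> None:
    # The baseline must be stored where someone who can alter the monitored
    # files cannot also rewrite it (read-only media, another host, or a
    # signed copy); here it is simply written next to the tree.
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: take a baseline, tamper with the tree, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated tampering: a setting weakened, a key file dropped in,
        # and a file deleted.  passwd is left untouched.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "ssh" / "authorized_keys").write_text("ssh-rsa AAAA... attacker\n")
        (root / "hosts").unlink()

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the baseline: if the same account that can alter the monitored files can also rewrite baseline.json, a tamperer simply regenerates it. Keep the baseline on read-only media or on another host, or sign it, and run the comparison on a schedule the monitored host does not control.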
  • Key Information Security Program Elements: Technology, Process, People
  • Key Information Security Program Elements (across People, Process and Technology): Training; Awareness; HR Policies; Background Checks; Roles / responsibilities; Mobile Computing; Social Engineering; Social Networking; Acceptable Use; Policies; Performance Mgt; System Security; Risk Management; UTM, Firewalls; Asset Management; IDS/IPS; Data Classification; Data Center; Info Rights Mgt; Physical Security; Data Leak Prevention; Vulnerability Assessment; Access Management; Penetration Testing; Change Management; Application Security; Patch Management; Secure SDLC; Configuration Mgmt; SIM/SIEM; Incident Response; Managed Services; Incident Management
  • Essential Information Security Practices • Management Commitment • Risk Management • Asset Inventory and Management • Change Management • Incident Response and Management • Configuration Management • Training and Awareness • Continuous Audit • Metrics and Measurement
  • Essential Information Security Practices • Vulnerability Assessment • Penetration Testing • Application Security Testing • Device Management • Log Monitoring, Analysis and Management • Secure Development
  • Defining Information Assets. Tangible or intangible corporate assets: • Hardware • Software • Data • Intellectual Property • Patents • Processes • Device Configurations • Plans • Designs / Blueprints
  • Risk Management • Risk is defined in ISO 31000 as the effect of uncertainty on objectives (whether positive or negative). • Risk management: the identification, assessment, and prioritization of risks, followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. • Risks can come from uncertainty in financial markets, project failures, legal liabilities, credit risk, accidents, natural causes and disasters, as well as deliberate attacks from an adversary. • Strategies to manage risk: – Avoidance (eliminate, withdraw from or not become involved) – Reduction (optimise - mitigate) – Sharing (transfer - outsource or insure) – Retention (accept and budget)
  • Information Risks, Threats, Vulnerabilities • Web Application Vulnerabilities • Botnets • Spam / Targeted mails • Social Networks • Malware / Virus • Murder • DDoS attacks (Distributed Denial of Service) • Reputation Loss • Scams • Phishing, Vishing, Spear-Phishing • Identity Theft • Privacy Violation • Social Engineering • Insider Threat • Software Vulnerabilities • Wireless
  • The driver … Malicious Motivation: Criminal Intent, Coercion, Greed, Show Off, Revenge, Attack, Curiosity
  • Hackers 'n' Crackers • During the 1960s, the word "hacker" grew to prominence describing a person with strong computer skills, an extensive understanding of how computer programs worked, and a driving curiosity about computer systems. • True hackers are computer programming enthusiasts who pushed computer systems to their limits without malicious intent and followed a hacker code of ethics. • They believed technical information should be freely available to any person, and they abided by a code of ethics that looked down upon destroying, moving, or altering information in a way that could cause injury or expense. • Hacking, however, soon became nearly synonymous with illegal activity. Negative publicity surrounding hackers continued to grow.
  • Hackers 'n' Crackers • While the first incidents of hacking dealt with breaking into phone systems, hackers also began diving into computer systems as technology advanced. • Hacking became increasingly problematic during the 1980s and, as a result, the US Computer Fraud and Abuse Act was created, imposing more severe punishments for those caught abusing computer systems. In the early 1980s, the FBI made one of its first arrests related to hacking. • In response, several hacker groups coined the term 'cracker' in 1985 to define a person who broke into computer systems and ignored hacker ethics; however, the media continued to use the word hacker.
  • Profiling …. the color of your hat! • Black Hat – also known as crackers, these are the ones to watch out for: they write and send viruses, destroy data and deface websites, along with other illegal activity, and break into people's machines. This type of hacker has a bad reputation. • White Hat – also known as friendly hackers, they use their knowledge for good reasons. • Grey Hat – borderline white/black hats. They sometimes prank unsuspecting users and cause general mayhem. While they think this kind of activity is harmless, they may face long periods of jail time if they ever get found out. • Not to forget the hatless: – Script Kiddies – The Hobbyist – Insider – Countries
  • Standards • Information Security is implemented in organizations based on Standards, Guidelines and Frameworks • Other factors are Laws and Regulations, Customer requirements, etc. • All require the adoption of best practices
  • Common Standards / Frameworks / Guidelines • ISO 27001:2005 • PCI-DSS • CobiT • BS 25999 • ISO 20000 • ITIL • Clause 49 (SEBI Guideline, Government of India) • CTCL • NERC-CIP • Data Protection Act. Regulatory: • IT Act and applicable Criminal / Civil legislation • HIPAA • GLBA • Sarbanes Oxley • Basel II • PCAOB • SAS 70 • Privacy Laws (e.g. PIPEDA) • … many more…..
  • ISO 27001, BS 25999, CobiT, ITIL or ISO 20000 • These are the most widely used and recognized standards for Information Security globally • ISO 27001, CobiT etc. form the foundation of security for various other framework and regulatory requirements
  • ISO 27001:2005 • "Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities."
  • ISO 27001 Fundamental Principles: the Plan-Do-Check-Act cycle for development, improvement and maintenance of the ISMS • Plan – establish the ISMS (context and risk assessment) • Do – design and implement the ISMS • Check – monitor and review the ISMS • Act – maintain and improve the ISMS
  • ITIL® • The Information Technology Infrastructure Library (ITIL) is a set of concepts and practices for managing Information Technology (IT) services (ITSM), IT development and IT operations. • ITIL gives detailed descriptions of a number of important IT practices and provides comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs. ITIL is published in a series of books, each of which covers an IT management topic: • Service Strategy • Service Design • Service Transition • Service Operation • Continual Service Improvement
  • CobiT®: Control Objectives for Information and related Technology • IT resources are managed by IT processes to achieve IT goals that respond to the business requirements. This is the basic principle of the COBIT framework, as illustrated by the COBIT cube. • Business-focused • Process-oriented • Controls-based • Measurement-driven © IT Governance Institute
  • CobiT Framework (© IT Governance Institute). Business objectives and governance objectives drive the framework. Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability. IT resources: Applications, Information, Infrastructure, People. The 34 processes in four domains:
    – Plan and Organise: PO1 Define a strategic IT plan. PO2 Define the information architecture. PO3 Determine technological direction. PO4 Define the IT processes, organisation and relationships. PO5 Manage the IT investment. PO6 Communicate management aims and direction. PO7 Manage IT human resources. PO8 Manage quality. PO9 Assess and manage IT risks. PO10 Manage projects.
    – Acquire and Implement: AI1 Identify automated solutions. AI2 Acquire and maintain application software. AI3 Acquire and maintain technology infrastructure. AI4 Enable operation and use. AI5 Procure IT resources. AI6 Manage changes. AI7 Install and accredit solutions and changes.
    – Deliver and Support: DS1 Define and manage service levels. DS2 Manage third-party services. DS3 Manage performance and capacity. DS4 Ensure continuous service. DS5 Ensure systems security. DS6 Identify and allocate costs. DS7 Educate and train users. DS8 Manage service desk and incidents. DS9 Manage the configuration. DS10 Manage problems. DS11 Manage data. DS12 Manage the physical environment. DS13 Manage operations.
    – Monitor and Evaluate: ME1 Monitor and evaluate IT performance. ME2 Monitor and evaluate internal control. ME3 Ensure compliance with external requirements. ME4 Provide IT governance.
  • BS 25999 • The standard for Business Continuity Management. • Part 1: Code of Practice – Section 1 - Scope and Applicability. – Section 2 - Terms and Definitions. – Section 3 - Overview of Business Continuity Management. – Section 4 - The Business Continuity Management Policy. – Section 5 - BCM Programme Management. – Section 6 - Understanding the organization. – Section 7 - Determining BCM Strategies. – Section 8 - Developing and implementing a BCM response. – Section 9 - Exercising, maintenance, audit and self-assessment of the BCM culture. – Section 10 - Embedding BCM into the organization's culture. • Part 2: Specification – Section 1 - Scope. – Section 2 - Terms and Definitions. – Section 3 - Planning the Business Continuity Management System (PLAN). – Section 4 - Implementing and Operating the BCMS (DO). – Section 5 - Monitoring and Reviewing the BCMS (CHECK). – Section 6 - Maintaining and Improving the BCMS (ACT).
  • Data Loss Statistics • General information about data loss and breaches • Snapshot of CERT-reported incidents: – 2003 - 137,529 – 2002 - 82,094 – 2001 - 52,658
  • Internet Users / Internet User Growth [chart]
  • http://www.bankinfosecurity.com/articles.php?art_id=1766
  • Data Breach Timeline [chart]
  • Size / Business Does Not Matter. Data Breach by industry type; Number of Employees by Percent of Breaches; 13 percent of organizations had recently been merged or acquired. Source: Verizon Data Breach Investigations Report 2009
  • Profession and Career • Statistics for online habits • Some common risks • What can you do for yourself, the college and the community
  • Information Security Certifications. ISACA - Information Systems Audit and Control Association • CISA - Certified Information Systems Auditor • CISM - Certified Information Security Manager • CGEIT - Certified in the Governance of Enterprise IT • CRISC - Certified in Risk and Information Systems Control. (ISC)² • CISSP - Certified Information Systems Security Professional • SSCP® - Systems Security Certified Practitioner. Institute of Internal Auditors • CIA - Certified Internal Auditor • CGAP® - Certified Government Auditing Professional • CFSA® - Certified Financial Services Auditor • CCSA® - Certification in Control Self-Assessment. PMI • PMP. The Security Industry Association (SIA) • CSPM - Certified Security Project Manager
  • Information Security Certifications. ITIL • ITIL Service Management Foundations Certificate • ITIL Service Manager • ITIL Practitioner. DRI - Institute for Continuity Management • ABCP - Associate Business Continuity Professional • CBCP - Certified Business Continuity Professional • CFCP - Certified Functional Continuity Professional • MBCP - Master Business Continuity Professional. Association of Certified Fraud Examiners (ACFE) • CFE - Certified Fraud Examiner. Forensics - EnCase® • EnCE® - EnCase® Certified Examiner. Cisco • CCSP – Cisco Certified Security Professional
  • Career Specializations • 1. Computer forensics – Learn forensic investigation tools and techniques to investigate cyber crimes and financial crimes. 2. IT security auditor – Focus on auditing capabilities. As part of this, you must explore platforms like mainframes, SAP, and core banking platforms as your areas of expertise. 3. Application security specialist – Specialize in areas like secure coding, security testing tools and techniques, secure design of web applications, and threat modelling. 4. Compliance specialist – Focus on helping organizations comply with standards and regulations such as ISO 27001, PCI DSS, HIPAA, FDA and Sarbanes-Oxley. 5. Security solutions architect – Specialize in secure network architecture, security solutions procurement and deployment, and hardening of infrastructure. 6. Security trainer – Focus on spreading knowledge about information security, and create awareness at all levels. 7. Cyber law expert – Combine knowledge of the Indian IT Act 2008 with IT knowledge and forensics know-how.
  • Some Required Skills or Traits • 1. High level of passion - Security changes on an almost daily basis; there are new tools, attack vectors, and vulnerabilities being discovered almost hourly. A security professional can remain ahead of the game only by constantly updating himself, and this requires a high amount of passion for the field. 2. Creativity - Be it a penetration test or developing an automated way to carry out a particular activity, a high level of creativity is a must in every aspect of a security professional's job. Thinking out of the box is an almost daily activity for a security professional. 3. A never-say-die attitude - Security issues are typically complex, and often there are no easy solutions. Quite often, the situations are also very high-pressure: the client's been hacked, or someone inside leaked critical internal data, or systems have to be hardened before going live. A seasoned security professional knows that there is a solution on the other side of every problem, and is willing to do what it takes to be resourceful in finding the right one. 4. Grasp of a wide range of subjects - Security is not just about policies and procedures or buffer overflows or SQL injection. Most security issues stem from, and can be resolved by, human intervention. A security professional should not only be well-versed with a wide range of technologies, but should also be reasonably acquainted with the basics of psychology, economics, finance, and physical security.
  • Technology Skills • Application Development • Secure SDLC • Networking • Vulnerability Assessment • Penetration Testing • System Hardening • Device Support • Wireless Security • … On any given day, there are approximately 225 major incidents of security breach reported to the CERT Coordination Center at Carnegie Mellon University.
  • Risks and Awareness • Common and uncommon Risks • Statistics about online habits • What can you do for yourself, the college and the community
  • What Can You Do • Cyber Security (virus, online habits, filesharing etc) – Cyberethics (copying and use of IP) – Cybersafety (identity protection, cyber bullying etc) • Educate your friends and family (trojans, keyloggers, phishing, scams) • Secure home computers for yourself and for family/friends (wireless, backup etc) • Take care of your Social Networking risks
  • Securing Yourself • Common Sense • Awareness • Regularly Update Patches • Anti Virus, anti spyware… • Be careful on P2P filesharing .. what you download • Read the computer message(s) • Don't blindly click next > next > next • Be careful when you read email, especially if it belongs to someone else • Don't try to open every attachment • Keep your password to yourself • CyberSecurity – Cyberethics – Cybersafety
  • In Simple Words… [image] © Noticebored
  • Refer TOI today [image] © Noticebored
  • How many friends are online and in real life [image]
  • So what have you done online lately • I have connected with old friends online • Rekindled a relationship online • Share a secret or two or some personal stuff online
  • Some online habits [three chart slides]
  • [image] © Noticebored
  • What Can You Do (2) • Think out of the box • Evaluate tools and technologies as part of your projects • Develop tools and scripts • Share findings with industry, government and law enforcement • Research and study malware trends and defense methods • Create a virtual library of your work so your peers and followers will also benefit • Draft institutional security policies and procedures • Conduct network assessments in the college from time to time and share the findings with all
  • Future trends / opportunities • Social networking compliance assurance • Unified communication • Microblogging • Intelligent search • Mobile apps
  • Case Study • Factual Facebook Hack Case Study – http://snosoft.blogspot.com/2009/02/facebook-from-hackers-perspective.html • Twitter Hack • Hotmail Outage leads to malware offering sites • Clicking Blindly
  • About Us • Some information about Open Security Alliance
  • Open Security Alliance. A small group of professionals working in Information Security got together to discuss life beyond technical stuff, which non-techies find difficult to understand. So these guys got together to work under the OSA banner to present risks, threats and vulnerabilities in an easy and understandable language, just to make sure the non-geek understands the problems as well and gets as scared as the IS guy. • OSA - an open community of individuals who are committed to providing the benefit of their knowledge and expertise to the community. • OSA - individual initiatives to undertake research and studies in Information Security (India centric), then provide learning to the community. • …. The underlying thought is to Be The Change.
  • Contact Information • Dinesh O Bareja – M: +91.9769890505 – E: dineshbareja AT gmail DOT com – E: dinesh AT opensecurityalliance DOT org – Twitter: @bizsprite – LinkedIn (India Information Security Community)
  • Conclusion • Questions and Discussion • Thank You!
  • Disclaimer & Copyright • All logos and brand names belong to their respective owners and we do not claim any relationship or association, implied or otherwise, with them. • Use of any materials by virtue of relationships and associations, if any, is mentioned explicitly. • We have taken care to attribute all sources for external materials used in this presentation, and any oversight is regretted. If you, as owner or as viewer, find any reason to dispute the use of these materials, kindly communicate the same to us at "issues AT opensecurityalliance DOT org". • Any omissions, in terms of attribution, may be due to an error on our part and are not intentional. This document is a creation of Dinesh Bareja (securians.com) and is released in the public domain under Creative Commons License (Attribution-Noncommercial 2.5 India) http://creativecommons.org/licenses/by-nc-sa/2.5/in/. Disclaimer: The practices listed in the document are provided as is and as guidance, and the authors do not claim that these comprise the only practices to be followed. Readers are urged to make informed decisions in their usage. Feedback is solicited and you can access other topics at our website www.opensecurityalliance.org. Contributors: Dinesh O Bareja. Reviewers: Vicky Shah. Title: Information Security … the profession; concepts, risks and more.. Version: 1.0 / February 2010
  • References • Educause Video Contest http://www.educause.edu/SecurityVideoContest • CERT • India CERT • NIST • OWASP • SANS
  • Social Networking Case Study : Facebook Hack • The threat from social networks comes from social engineering — employees post company information… the attackers collects during reconnaissance … then infiltrates the social network that exists between the employees … then uses that trust to phish for VPN passwords or any other information…. The Facebook hack case study is for an assignment carried out by SnoSoft and presents a unique insight into the threats and Case Study risks exposed on such sites RGIT, Mumbai 02/24 www.opensecurityalliance.org
  • Facebook Hack Step 1 : Reconnaissance • Conduct Social and Technical Reconnaissance • Social – 1400 employees identified through the internet of which 900 used social networking sites like Facebook, Orkut, LinkedIn, MySpace etc. – Studied about 200 profiles and created a false identity • Technical – Probed the corporate website and identified Cross Side Scripting vulnerabilities (which the researchers expected and hoped to find) Cross-site scripting ("XSS") vulnerability is most frequently discovered in websites that do not have sufficient input validation or data Case Study validation capabilities. XSS vulnerabilities allow an attacker to inject code into a website that is viewed by other users. This injection can be done sever side by saving the injected code on the server (in a forum, blog, etc) or it can be done client side by injecting the code into a specially crafted URL that can be delivered to a victim. RGIT, Mumbai 02/24 www.opensecurityalliance.org
• Facebook Hack Step 2: Setup
• Used a client side attack as opposed to a server side attack because it enabled the selection of only those users that we were interested in attacking. Server side attacks are not as surgical and usually affect any user who views the compromised server page.
• A payload was created and designed to render a legitimate looking https secured web page that appeared to be a component of the customer's web site.
• When a victim clicks on the specially crafted link the payload is executed and the fake web page is rendered.
• In this case our fake web page was an alert that warned users that their accounts may have been compromised and that they should verify their credentials by entering them into the form provided.
• When the users' credentials were entered, the form submitted them to http://www.netragard.com, where they were extracted by an automated tool that had been created.
• Facebook Hack Step 3: Create Profile
• After the payload was created and tested we started the process of building an easy-to-trust Facebook profile.
• Because most of the targeted employees were male between the ages of 20 and 40, we decided that it would be best to become a very attractive 28 year old female.
• A fitting photograph was found by searching Google Images and used for the fake Facebook profile.
• The profile was populated with information about our experiences at work by using combined stories that were collected from real employee Facebook profiles.
• Facebook Hack Step 4: Attack Launch
• Upon completion we joined the company Facebook group.
• The joining request was approved in a matter of hours, and within twenty minutes of being accepted as group members, legitimate customer employees began sending friendship requests.
• In addition we made hundreds of outbound requests.
• The friends list grew very quickly and included managers, executives, secretaries, interns, and even contractors.
• Having collected a few hundred friends, we began chatting.
• Facebook Hack Step 5: Attack On
• Conversations were based on work related issues that we were able to collect from legitimate employee profiles.
• After a period of three days of conversing and sharing links, we posted our specially crafted link to our Facebook profile. The title of the link was "Omigawd have you seen this I think we got hacked!" … and people started clicking on the link and verifying their credentials.
• Ironically, the first set of credentials that we got belonged to the hiring manager.
• Facebook Hack Step 6: Success
• Using those credentials one had access to the web VPN, which in turn gave access to the network.
• Those credentials also allowed access to a majority of systems on the network including the Active Directory server, the mainframe, pump control systems, the Checkpoint firewall console, etc.
• The Facebook hack has worked.
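The fake alert page from step 2 looked like part of the customer's site but submitted its form to an outside host, and steps 3 to 6 show how far one harvested credential reached. As an added example (not code from the slides or from the SnoSoft/Netragard write-up), the check below scans a page for password forms whose action resolves to a host other than the page's own, the kind of test an awareness tool, mail gateway or browser extension can run before a user types anything; the hostnames and the HTML sample are constructed.

```python
"""Flag credential forms that post somewhere other than the page's own site.
Added example, not code from the slides or the SnoSoft/Netragard write-up;
the hostnames and the HTML sample below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormScanner(HTMLParser):
    """Records each <form>'s resolved action and whether it holds a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # No action attribute means the form posts back to the page itself.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_credential_forms(page_url, page_html):
    """Return the action URLs of password forms whose host is not the page's host."""
    scanner = _FormScanner(page_url)
    scanner.feed(page_html)
    page_host = urlparse(page_url).hostname
    return [f["action"] for f in scanner.forms
            if f["password"] and urlparse(f["action"]).hostname != page_host]


# Constructed sample: a page styled as the company site; only the first form posts off-site.
SAMPLE_URL = "https://intranet.example.test/alert"
SAMPLE_HTML = """
<form action="https://collector.example.net/verify" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form>
<form action="/search"><input name="q"></form>
<form method="post"><input type="PASSWORD" name="pw"></form>
"""
```

Calling `suspicious_credential_forms(SAMPLE_URL, SAMPLE_HTML)` reports only the first form; the search form has no password field and the last form posts back to the page itself. A page that submits credentials by script rather than a plain form action needs a second check on the request destination, which this parser does not cover.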
• Hotmail Outage
• Tuesday, February 16, 2010
• Hotmail Users Look for Answers in Dangerous Places
• An outage of the Windows Live ID service affected a large number of MSN users today, including users of the popular Hotmail email service. Hotmail is one of the largest web based email outlets and, not surprisingly, news of the outage spread quickly as users were not able to access their email. Those hoping to find more information on Google may have ended up with more than they bargained for. Blackhats have once again worked their magic to infect users looking for news related to the outage. In fact, 8 out of the top 10 results for "hotmail service unavailable" returned dangerous URLs.
• Le Twitter hack
• Le Twitter Hack (image from lalawaq.com)
• Case Study : Clicking blindly !
• Settled in for a nice bit of surfing in the library!
• Study !
• Ah hah ! Just don't click the link blindly !
• Whoops ! That's a big load of malware you just got
• From EDUCAUSE, with sound effects !
• You don't want to look like this ! (Case Study : Clicking blindly !)