knowthyself : Internal IT Security in SA


Presentation by Charl van der Walt and Roelof Temmingh at IIR in 2000.

The presentation begins with a discussion on global risks, threats, internal risk and security assessments. Steps to building a strong security culture within an organization are discussed. The presentation ends with a brief overview of intrusion detection systems and their use in internal security.

Speaker notes
  • Comment on our background and the kind of work we do - technology focused
  • Comment on actual statistics Give URL as source ** Refer to John Tullet’s talk earlier...
  • Data Confidentiality (eg TMNet - customers; Branch Software). Data Integrity: if a figure on page five of a 60-page financial document, say, were changed, it could have disastrous effects -- and be very difficult to discover before the damage is done. Reputation / Credibility. Denial of Service. Business Continuity.
  • RAS: In 1997, Intel fired Barton, who managed an automated manufacturing system called Workstream inside Fab 15 in Aloha, Oregon. When the company fired him, Intel revoked his password and took away his computer. What Intel failed to realize, however, was that Barton could log into the system from his home computer. The next day, at 2:15 a.m., Barton deleted a number of files, which shut down Workstream. "This slowed, but didn't quite stop, the manufacturing process," Robinson said. In all, Barton clogged the manufacturing process for about four hours. The incident cost about $20,000 to remedy, according to estimates from Intel. Federal law provides criminal penalties for damaging computer systems.

Transcript

  • 1. Internal IT Security in SA: Problems & Solutions
  • 2. Agenda
    • 1. Introduction
    • 2. Considering the global Risk
    • 3. Understanding your own Risk
    • 4. Case Study
    • 5. Setting the Stage
    • 6. Implementing Solutions
    • 7. The role and value of IDS
    • 8. Questions
  • 3. Introduction
    • About me
    • About Roelof
    • SensePost
    • Objective
    • Approach
    • References:
      • http://wips.sensepost.com/knowthyself.zip
      • http://www.sensepost.com
      • [email_address]
      • [email_address]
  • 4. Understanding the global Risk
    • What we know:
      • There is a threat to our Information Resources
      • The threat has direct financial implications
      • The threat is growing
      • A large part of the threat is internal
      • There are a number of distinguishable trends
    • http://www.gocsi.com/prelea990301.htm
    • http://www.saps.org.za
    • What we don’t know:
      • How accurate are the statistics?
      • Are international statistics relevant in SA?
      • What does this all mean to me?
  • 5. Universal Threats
    • Data Confidentiality
      • Information is the currency of business today
        • Customers, Strategy, Financials, HR, Personal
    • Data Integrity
      • The accuracy and reliability of the information
        • Determines the value of information
    • Reputation / Credibility
      • The market’s perception of your competence
        • Web site defacement
    • Denial of Service
      • Prevent a system from performing its intended function
        • EBay, Yahoo, Edgars
  • 6. Agenda
    • 1. Introduction
    • 2. Considering the global Risk
    • 3. Understanding your own Risk
    • 4. Case Study
    • 5. Setting the Stage
    • 6. Implementing Solutions
    • 7. The role and value of IDS
    • 8. Questions
  • 7. Understanding your own Risk
    • What is Risk?
      • Valuable resources + exploitable technology
    • What is “Secure”?
      • When the financial losses incurred are at an acceptable level
    • Your “Risk-Profile”:
      • The value of your Information
      • The degree of technological vulnerability
      • A level of loss that is acceptable to you
        • Unique to your organisation. Today.
    • The value of surveys and statistics
      • Highlight the existence of threats
      • Indicate trends and phases
      • Create an awareness
  • 8. Your own unique risk profile
    • IT Security Assessment
      • Make informed decisions on how to spend
        • Time
        • Money
        • People
    • An effective assessment:
      • Independent and Objective
      • Business aware but technology focused
      • Prove its worth
      • Concrete, practical recommendations
      • Finite
      • Honest
      • Recursive...
  • 9. Recursive Security Assessments
    • Delta Testing
      • Monitor the effect of changes
    • New exploits and vulnerabilities
      • Staying secure in a global battlefield
    • Improved Methodologies
      • Tools, techniques, philosophies etc.
    • Innovation
      • A chance to get to know you
    • Extended Scope
      • There’s never enough time
    • Enhanced Scope
      • Moving toward a zero-default environment...
  • 10. Agenda
    • 1. Introduction
    • 2. Considering the global Risk
    • 3. Understanding your own Risk
    • 4. Case Study
    • 5. Setting the Stage
    • 6. Implementing Solutions
    • 7. The role and value of IDS
    • 8. Questions
  • 11. Welcome to the case study
    • Mind of the cybercriminal
      • journal style, informal
      • methodology
    • Sensitivity
      • examples only
    • Effort vs Exposure
    roelof temmingh
  • 12. CAT5 from me to you
    • Obtaining an IP on the internal network
      • already have one
      • RAS
      • the little black box concept
      • walking in with a notebook
      • Trojans
      • splicing copper
    roelof temmingh
  • 13. Get to know your neighbours
    • The difference between MS and services network
      • MS network is a service (File Sharing)
      • Other services - FTP, HTTP, SQL, SMTP servers.
    • Intelligence gathering
      • Protocols
      • Services
      • Identify important hosts
      • Ping sweep
    roelof temmingh
  • 14. Easy cash
    • The guy next to you
    • Microsoft network
      • network neighbourhood
      • shares are published
    • Services network
      • Anonymous FTP, webpages
    roelof temmingh
  • 15. Scratching the surface
    • Your wannabe admin
    • Microsoft network
      • password guessing
      • offline cracking
      • real time cracking
    • Service network
      • sniffing the network (SMTP, POP3, FTP)
      • default passwords
      • password guessing (known services)
      • portscanning
    roelof temmingh
  • 16. Knocking on the door
    • Your (closet hacker) admin
    • Microsoft network
      • user enumeration
      • brute force id/password
    • Service network
      • vulnerability scanners
      • customized for ports (IDS!)
      • scans for known product problems
      • commercial (ISS, CyberCop)
      • share/freeware (Nessus, whisker)
    roelof temmingh
  • 17. Blowing the door down
    • Your previous administrator turned black hat hacker
    • We are inside, now what?
    • Microsoft network
      • search for XLS, DOC files
      • copy and enjoy
      • application encryption worthless
    • Service network
      • password files
      • passwords to backends (SQL)
      • text copy of databases
      • mailboxes
    • Publish to Internet, sell to competition.
    • Assumed full control
    roelof temmingh
  • 18. Keeping in touch
    • Your previous administrator's current employer
    • Keeping a grip on your network
    • Service network & MS network
      • Rootkits
      • Backdoors
    • Not only from internal
      • Internet
      • RAS
    roelof temmingh
  • 19. questions?
  • 20. Agenda
    • 1. Introduction
    • 2. Considering the global Risk
    • 3. Understanding your own Risk
    • 4. Case Study
    • 5. Setting the Stage
    • 6. Implementing Solutions
    • 7. The role and value of IDS
    • 8. Questions
  • 21. Setting the Stage - a security culture
    • Assign responsibility
      • Security Officer
    • Empower the Security Officer
      • Authority, Money, People
    • Measure Progress
      • Project Plan, Certification, Audits
    • Develop an IT Security Policy
      • Guide, mandate & measure
      • Should be:
        • Endorsed by management
        • Effectively communicated
        • Specific
        • Enforceable
        • Practical
  • 22. Setting the Stage - a security culture
    • Communicate with key people
      • Emphasise the value of data to business leaders
    • Awareness training and programmes
      • Buy-in at every level is essential
    • Positive / Negative reinforcement
      • Use security as a performance criterion
    • Consider Security Certification
      • Global standards for the implementation and assessment of security…
  • 23. Thoughts on Certification
    • Objective
      • To enforce structure on your security program
      • As a means of assessing your security
      • As a means of measuring against best-of-breed
      • As a means of convincing others of your security
    • Is Certification for you?
      • Recognition
      • Focus
      • Local Presence
      • Cost
      • Endurance
      • Objectivity
  • 24. Agenda
    • 1. Introduction
    • 2. Considering the global Risk
    • 3. Understanding your own Risk
    • 4. Case Study
    • 5. Setting the Stage
    • 6. Implementing Solutions
    • 7. The role and value of IDS
    • 8. Questions
  • 25. Implementing Solutions - Overview
    • Value your information and IT resources
      • Know what you’re protecting and what it’s worth
    • Assess your vulnerabilities
      • Know exactly where you stand
    • Evaluate actual risk versus acceptable risk
      • You don’t have to be completely secure
    • Develop a Security Strategy
      • Know where you’re going and where you are
    • Implement Controls
      • 80/20 rule
    • Assess the effect of the changes
      • Security is a cycle
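The deck defines risk as valuable resources combined with exploitable technology (slide 7), "secure" as losses held at an acceptable level, and then gives a six-step cycle that ends with implementing controls on an 80/20 basis (slide 25). The script below is an added worked example, not code from the SensePost presentation: it scores constructed assets, compares total expected loss with an assumed acceptable-loss figure, and picks the controls that remove the most exposure first. The scoring model (value multiplied by yearly likelihood), the asset list, the control names and every figure are assumptions for illustration only.

```python
"""Added example (not from the SensePost deck): a small risk-profile model
that turns the deck's definitions into a prioritised control plan.
All assets, likelihoods, control effects and currency figures are constructed."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: float                                   # loss if fully compromised (assumed)
    likelihood: float                              # chance of compromise per year, 0..1 (assumed)
    controls: dict = field(default_factory=dict)   # control name -> fraction of likelihood removed

    @property
    def exposure(self) -> float:
        """Expected yearly loss: the deck's 'valuable resource + exploitable technology'."""
        return self.value * self.likelihood


# Constructed inventory; control names echo the deck's internal security cheat sheet.
ASSETS = [
    Asset("financial reporting data", 2_000_000, 0.30,
          {"centralise and restrict shares": 0.6, "account policy": 0.3}),
    Asset("customer database", 1_500_000, 0.25,
          {"zone the database segment": 0.5, "account policy": 0.3}),
    Asset("public web site", 200_000, 0.50, {"host hardening": 0.7}),
    Asset("RAS dial-in", 800_000, 0.40, {"RAS review": 0.8, "account policy": 0.4}),
]


def total_exposure(assets):
    return sum(a.exposure for a in assets)


def is_secure(assets, acceptable_loss):
    """The deck's definition of 'secure': expected losses at an acceptable level."""
    return total_exposure(assets) <= acceptable_loss


def control_benefit(assets):
    """Expected loss removed by each control, summed over every asset it protects."""
    benefit = {}
    for a in assets:
        for control, reduction in a.controls.items():
            benefit[control] = benefit.get(control, 0.0) + a.exposure * reduction
    return benefit


def apply_control(assets, control):
    """Return a new asset list with the control's likelihood reduction applied."""
    return [
        Asset(a.name, a.value, a.likelihood * (1 - a.controls.get(control, 0.0)),
              {k: v for k, v in a.controls.items() if k != control})
        for a in assets
    ]


def plan(assets, acceptable_loss):
    """Greedy 80/20 plan: apply the highest-benefit control until the loss is acceptable.
    Returns (ordered list of chosen controls, residual expected loss)."""
    chosen, current = [], list(assets)
    while not is_secure(current, acceptable_loss):
        benefit = control_benefit(current)
        if not benefit:            # nothing left to apply; residual stays above target
            break
        best = max(benefit, key=benefit.get)
        chosen.append(best)
        current = apply_control(current, best)
    return chosen, total_exposure(current)


if __name__ == "__main__":
    acceptable = 500_000   # assumed acceptable yearly loss for this organisation
    print(f"current expected loss: {total_exposure(ASSETS):,.0f}")
    controls, residual = plan(ASSETS, acceptable)
    for i, c in enumerate(controls, 1):
        print(f"{i}. {c}")
    print(f"residual expected loss: {residual:,.0f} (target {acceptable:,})")
```

The greedy order is the 80/20 point of slide 25 made concrete: the first control chosen is the one that cuts the most expected loss across all assets, which is why a broadly applicable account policy outranks a larger but single-asset fix. Re-running `plan` after real changes is the "assess the effect of the changes" step of the cycle.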
  • 26. Internal Security Cheat Sheet
    • Publish a policy
      • Guide, mandate and measure
    • Content security
      • Viruses, trojans, scripts
    • Zoning
      • Segment data, people, hosts and services
    • Centralise
      • It’s much easier to protect something if it’s in one place
    • Host & service security
      • Basics!
    • Account Policies
      • Passwords are an essentially weak mechanism
    • Switch to the desktop
      • It’s simple and it works
    • Consider your RAS systems
      • RAS is the soft underbelly of your network
  • 27. Agenda
    • 1. Introduction
    • 2. Considering the global Risk
    • 3. Understanding your own Risk
    • 4. Case Study
    • 5. Setting the Stage
    • 6. Implementing Solutions
    • 7. The role and value of IDS
    • 8. Questions
  • 28. IDS - An Overview
    • Intrusion Detection System
      • Identify, and report on or react to, an unauthorised or malicious action on a host or a network
    • Types of IDS
      • Host
      • Distributed
      • Network
    • Typical Features (NIDS)
      • Packet Sniffing Technology
      • Attack Pattern Library
        • Traffic Patterns, Viruses, Trojans, Signatures
      • Rule Set
        • Source, Destination, Time, Period, Signature
      • Response capabilities
        • Active or Passive
      • Distributed Architecture
      • Centralised Management
  • 29. The Role of IDS
    • Identifying an “Intrusion”
      • Acceptability Parameters:
        • Destination
        • Source
        • Signature
        • Time
        • Period
    • Effective implementation
      • Access to traffic
      • Acceptability Parameters
      • Response Capabilities
    • Good Example - DMZ
      • Finite area to monitor
      • Existing security infrastructure
      • Clearly defined acceptability parameters
      • Limited number of events to respond to
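Slides 28 and 29 list an IDS rule set as source, destination, time, period and signature, with passive or active responses, and the case study earlier names ping sweeps (slide 13) and scanners (slide 16) as the traffic such a system should pick up. The script below is an added example, not code from the SensePost presentation or any IDS product: a minimal rule evaluator in which each rule states the acceptability parameters for a source/destination scope, and any record inside that scope that falls outside permitted hours, carries a flagged signature, or pushes one source past a distinct-destination threshold within the period raises an event. The network ranges, the rule set, the record format and the signature string are all constructed for illustration.

```python
"""Added example (not from the SensePost deck): a minimal network-IDS rule
evaluator using the deck's acceptability parameters: source, destination,
time, period and signature, with passive (alert) or active (drop) response.
Addresses, rules and the signature marker are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Record:
    ts: datetime
    src: str
    dst: str
    dport: int
    payload: str


@dataclass
class Rule:
    name: str
    src: str                                   # CIDR scope of sources
    dst: str                                   # CIDR scope of destinations
    hours: tuple = (0, 24)                     # permitted hours [start, end)
    signature: str = ""                        # payload substring that is never acceptable
    period: timedelta = timedelta(minutes=1)   # window for the sweep threshold
    max_distinct_dst: int = 0                  # distinct destinations allowed per period; 0 = off
    response: str = "passive"                  # "passive" alerts only; "active" also drops


def in_scope(rule, rec):
    return (ip_address(rec.src) in ip_network(rule.src)
            and ip_address(rec.dst) in ip_network(rule.dst))


def evaluate(records, rules):
    """Return (events, dropped): events are (rule name, reason, record) tuples,
    dropped are the records an active rule would have blocked."""
    events, dropped = [], []
    windows = defaultdict(list)   # (rule name, source) -> [(ts, dst)] seen within the period
    for rec in sorted(records, key=lambda r: r.ts):
        for rule in rules:
            if not in_scope(rule, rec):
                continue
            reasons = []
            if not rule.hours[0] <= rec.ts.hour < rule.hours[1]:
                reasons.append("outside permitted hours")
            if rule.signature and rule.signature in rec.payload:
                reasons.append("signature match")
            if rule.max_distinct_dst:
                window = windows[(rule.name, rec.src)]
                window.append((rec.ts, rec.dst))
                window[:] = [(t, d) for t, d in window if rec.ts - t <= rule.period]
                # Alert once, at the moment the source crosses the threshold.
                if len({d for _, d in window}) == rule.max_distinct_dst + 1:
                    reasons.append("destination sweep")
            events.extend((rule.name, reason, rec) for reason in reasons)
            if reasons and rule.response == "active":
                dropped.append(rec)
    return events, dropped


# Constructed rule set: an admin subnet may reach the DMZ in office hours only,
# internal hosts may not sweep the internal range, and one constructed
# signature marker is never acceptable on the way into the DMZ.
RULES = [
    Rule("dmz-admin", src="10.1.5.0/24", dst="192.0.2.0/24", hours=(7, 19)),
    Rule("internal-sweep", src="10.1.0.0/16", dst="10.1.0.0/16",
         max_distinct_dst=5, response="active"),
    Rule("dmz-signature", src="0.0.0.0/0", dst="192.0.2.0/24",
         signature="TROJAN-BEACON-v1"),
]

# Constructed connection records: a normal admin session, the same session at
# 02:15, a six-host probe of the internal range, and a tagged web request.
T0 = datetime(2000, 5, 3, 14, 0, 0)
RECORDS = [
    Record(T0, "10.1.5.10", "192.0.2.20", 22, "ssh session"),
    Record(T0.replace(hour=2, minute=15), "10.1.5.10", "192.0.2.20", 22, "ssh session"),
    *[Record(T0 + timedelta(minutes=5, seconds=i), "10.1.7.33", f"10.1.9.{i + 1}", 445, "smb probe")
      for i in range(6)],
    Record(T0 + timedelta(minutes=10), "203.0.113.7", "192.0.2.20", 80,
           "GET /index.html TROJAN-BEACON-v1"),
]

if __name__ == "__main__":
    found, blocked = evaluate(RECORDS, RULES)
    for name, reason, rec in found:
        print(f"{rec.ts:%H:%M:%S} {name}: {reason} {rec.src} -> {rec.dst}:{rec.dport}")
    print(f"{len(blocked)} record(s) would be dropped by active rules")
```

The point slide 29 makes with the DMZ example shows up directly in the rule table: the rules are only as useful as the acceptability parameters behind them, and a scope such as `0.0.0.0/0` to the whole internal range with no hours or thresholds would never fire. Keeping the sweep alert to one event per threshold crossing is what keeps "a limited number of events to respond to".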
  • 30. IDS & Internal Security
    • For:
      • Large, open environments
        • eg Corporate Extranet or University
      • Effective zoning, segmentation & consolidation
      • Basic issues addressed
      • Dedicated security personnel
    • Against:
      • Technology driven decision
        • There are no point-and-click solutions to security
      • Closed system
      • Acceptability parameters
      • Response capabilities
    • In SA
      • Address basic issues
      • Consolidate valuable resources
      • Do an assessment
      • Make a strategy decision
      • Consider outsourcing
  • 31. questions?