Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

IT Security for the Physical Security Professional


Published on

Published in: Technology, Business

IT Security for the Physical Security Professional

  1. 1. IT Security for the Physical Security Professional Dave Tyson, MBA, CPP, CISSP Angela Swan, CISSP November 18, 2005
  2. 2. Speakers <ul><li>Dave Tyson </li></ul><ul><ul><li>CPP, CISSP </li></ul></ul><ul><ul><li>MBA </li></ul></ul><ul><ul><li>CSO for City of Van </li></ul></ul><ul><ul><li>National CIO Subcommittee for Info protection </li></ul></ul><ul><ul><li>2006 Chair ASIS International IT Security Council </li></ul></ul><ul><li>Angela Swan </li></ul><ul><ul><li>CISSP </li></ul></ul><ul><ul><li>CUCBC Security </li></ul></ul><ul><ul><li>City of Van IT Security Manager </li></ul></ul><ul><ul><li>Supervised IT Security for HSBC Bank Canada </li></ul></ul><ul><ul><li>Network and security for the New West PD </li></ul></ul>
  3. 3. Agenda <ul><li>Introductions </li></ul><ul><li>Overview of IT Security – debunk some myths and terminology </li></ul><ul><li>Technical stuff </li></ul><ul><li>Break </li></ul><ul><li>Enterprise Security </li></ul><ul><li>Lunch – Keynote Speaker </li></ul><ul><li>What you can do </li></ul><ul><li>Where you can help today </li></ul><ul><li>Some checklists and other resources </li></ul>
  4. 4. Changing Threat Paradigm for Physical Security <ul><li>Physical security had been chiefly responsible for fraud, theft, harassment issues in the workplace </li></ul><ul><li>New people in the organization responsible for security “stuff” that may not have specific security backgrounds </li></ul>
  5. 5. The Future… Why should you care? <ul><li>850 Million end points on the Internet (2004) </li></ul><ul><li>2.3 Billion Cell Phones </li></ul><ul><li>When the 3 rd generation network is fully deployed and all cell phones are internet devices, the internet will be triple the size with fewer protections </li></ul><ul><li>HSPD 12 </li></ul>
  6. 6. What does this mean on the risk side of the equation? <ul><li>What gets worse? </li></ul><ul><li>Fraud </li></ul><ul><li>Harassment </li></ul><ul><li>Stalking </li></ul><ul><li>Identity theft </li></ul><ul><li>Phishing & Pharming </li></ul><ul><li>SPAM </li></ul><ul><li>Viruses </li></ul><ul><li>Delivery of Spyware, Trojan horses and Adware </li></ul><ul><li>What gets easier? </li></ul><ul><li>What it takes to perpetrate these activities </li></ul><ul><li>Committing the same crimes in a new way </li></ul>
  7. 7. The Real Problem <ul><li>The average Physical Security Professional knows very little about these issues at this time! </li></ul>
  8. 8. Risks are Everywhere <ul><li>Keystroke Loggers </li></ul><ul><li>Sharepoint </li></ul><ul><li>National Bank </li></ul><ul><li>IBM </li></ul><ul><li>Backup tape losses </li></ul><ul><li>Hundreds of computers unaccounted for in the federal government </li></ul>
  9. 9. Federal Government <ul><li>2004 Report to parliament by from Privacy Commissioner details the loss of 330 Computers from agencies and departments such as: </li></ul><ul><ul><li>RCMP </li></ul></ul><ul><ul><li>Canadian Space Agency </li></ul></ul><ul><ul><li>CCRA </li></ul></ul><ul><ul><li>DND </li></ul></ul><ul><ul><li>Corrections </li></ul></ul><ul><ul><li>Refugee Board </li></ul></ul><ul><ul><li>others </li></ul></ul>
  10. 10. Laptop Theft <ul><li>More than 600,000 laptops reported stolen in 2004 – Safeware insurance </li></ul><ul><ul><li>720 Million Dollars in losses </li></ul></ul><ul><ul><li>5.4 Billion Dollars in theft of proprietary information </li></ul></ul><ul><li>Chances of having a laptop stolen are 1 in 10 – Gartner Group </li></ul><ul><li>80% of all laptop thefts are internal and 73 % of companies do not have laptop specific policies - Gartner </li></ul><ul><li>80% of companies surveyed acknowledged financial losses due to computer breaches – CSI/FBI Computer Crime Survey 2005 </li></ul>
  11. 11. Caveats <ul><li>Technology can be complicated, so we may make some generalizations during the presentation to aid in learning </li></ul><ul><li>Ask questions as we go because we will build on knowledge learned as session goes on – 2 or 3 slides might be a bit painful, but ask lots of questions and you will get there! </li></ul>
  12. 12. Basic Philosophy <ul><li>Confidentiality of Data </li></ul><ul><li>Availability of Data </li></ul><ul><li>Integrity of Data </li></ul><ul><li>Security is a weakest link discipline – find the vulnerability by asking the correct questions and you can now close the hole </li></ul>
  13. 13. Basic Philosophy Electronic Information Physical Information Confidentiality Access Control List / Profile Access Control List / Badge Personal Recognition Keys Authorization User ID / Password Picture ID Alarm Code Authentication Servers / Data Buildings / Assets Access Control IT Security World Physical Security World Security Concept
  14. 14. Smoke & Mirrors <ul><li>Information provides power </li></ul><ul><li>IT people generally have little interest in security or they “know all about it” </li></ul><ul><li>In general, security is not well built in to IT systems or is turned off by default for ease of use or setup </li></ul><ul><li>Risk assessment is not well done </li></ul>
  15. 15. Debunking the Mystery <ul><li>IT people generally know more than physical security people about IT Security? (Security mindset is what’s important) </li></ul><ul><li>The fields are not concerned with the same issues? </li></ul><ul><li>Access Control is Access Control? </li></ul><ul><li>Loss prevention is still the game: just the asset is different? </li></ul>
  16. 16. Terminology as a Weapon <ul><li>ISP </li></ul><ul><li>VPN </li></ul><ul><li>USB </li></ul><ul><li>VLAN </li></ul><ul><li>IP Packets </li></ul><ul><li>Network </li></ul><ul><li>Server </li></ul><ul><li>Be prepared for TLAs…. </li></ul>It’s not as bad as it looks!!
  17. 17. Concentric Circle Theory <ul><li>Also called defense in depth </li></ul><ul><li>Physical Security Architecture </li></ul><ul><ul><li>Physical Controls </li></ul></ul><ul><ul><li>Policy, Procedures, Standards </li></ul></ul><ul><ul><li>Emergency Response </li></ul></ul><ul><ul><li>Services </li></ul></ul><ul><ul><ul><li>Safewalk </li></ul></ul></ul><ul><ul><ul><li>Investigations </li></ul></ul></ul>
  18. 18. The Dilemma Security Cost Ease of use
  19. 19. Computer and Network Basics <ul><li>PC / Workstation User computer typically dedicated to a single person’s use </li></ul><ul><li>Laptop Effectively a mobile PC </li></ul><ul><li>Server A more powerful PC that does the jobs required by the network </li></ul><ul><li>Hard drive A storage device in your computer </li></ul>
  20. 20. Computer and Network Basics <ul><li>Computer is made up of hardware and software </li></ul><ul><li>String computers together by wires or wireless, you have a network </li></ul><ul><li>The internet, or Intranet, is really just a big network that people can go to </li></ul>
  21. 21. Computer and Network Basics <ul><li>Internet – computers you can communicate with outside your network </li></ul><ul><li>Intranet – computers you can communicate inside your network </li></ul>
  22. 22. IT Architecture <ul><li>Logical Controls </li></ul><ul><ul><li>Firewall </li></ul></ul><ul><ul><ul><li>Outside circle – first line of defense </li></ul></ul></ul><ul><ul><li>Access Controls </li></ul></ul><ul><li>Policy, Procedures, Standards </li></ul><ul><li>Emergency (Incident) Response </li></ul><ul><li>Services </li></ul><ul><ul><li>E-mail </li></ul></ul><ul><ul><li>Web Surfing </li></ul></ul>
  23. 23. Everybody has a job to do! <ul><li>Web Server </li></ul><ul><li>E-mail Server </li></ul><ul><li>Firewall </li></ul><ul><li>File Server </li></ul>
  24. 24. Terminology and Concepts <ul><li>Internet Protocol (IP) </li></ul><ul><li>E-mail </li></ul><ul><li>Web Surfing (HTTP) </li></ul><ul><li>Applications </li></ul><ul><li>Databases </li></ul><ul><li>Firewall </li></ul><ul><li>DMZ / Segmentation </li></ul>
  25. 25. More Technical Stuff <ul><li>Storage </li></ul><ul><li>Client server </li></ul><ul><ul><ul><li>Client </li></ul></ul></ul><ul><ul><ul><li>Server </li></ul></ul></ul><ul><li>Router </li></ul><ul><li>Cabling </li></ul><ul><ul><li>Ethernet </li></ul></ul><ul><ul><li>Fibre Optic </li></ul></ul><ul><li>Packets </li></ul><ul><li>Addressing </li></ul><ul><li>Modems </li></ul>
  26. 26. Break Time
  27. 27. Common ITS Attacks <ul><li>Man in the middle </li></ul><ul><li>Brute Force </li></ul><ul><li>Spoofing </li></ul><ul><li>Denial of Service </li></ul><ul><li>Sniffer attacks </li></ul><ul><li>Viruses, Worms and Trojan Horses </li></ul>
  28. 28. Slammer <ul><li>January 25, 2003 </li></ul><ul><li>First victim 12:30am Eastern Standard Time </li></ul><ul><li>12:45am huge sections of the Internet off line </li></ul><ul><li>Three hundred thousand cable modems in Portugal went dark, and South Korea fell right off the map: no cell phone or Internet service for 27 million people. </li></ul><ul><li>Slammer knocked out more than just the Internet. Emergency 911 dispatchers in Seattle resorted to paper. Continental Airlines, unable to process tickets, canceled flights from its Newark hub. </li></ul><ul><li>Total cost of the bailout: more than $1 billion. </li></ul>Source:
  29. 29. Enterprise Security <ul><li>Physical Security of IT Assets </li></ul><ul><li>Access Control </li></ul><ul><li>Network Security </li></ul><ul><li>Disaster Recovery </li></ul><ul><li>Encryption </li></ul><ul><li>Legal </li></ul><ul><li>Human Resources </li></ul><ul><li>Telecommunications </li></ul><ul><li>Spyware </li></ul><ul><li>Computer Crime </li></ul>
  30. 30. Physical security of IT assets <ul><li>Laptops </li></ul><ul><li>PDA </li></ul><ul><li>USB Storage </li></ul><ul><li>IPOD </li></ul><ul><li>Monitors </li></ul><ul><li>Servers </li></ul><ul><li>Cooling and Fire Suppression </li></ul>
  31. 31. Access Control <ul><li>Perimeter </li></ul><ul><li>AD – Directory Services </li></ul><ul><li>Application Access Control </li></ul><ul><li>DMZ </li></ul><ul><li>Segmentation </li></ul>
  32. 32. Network Security <ul><li>Patching </li></ul><ul><li>Excessive Services </li></ul><ul><li>Servers </li></ul><ul><li>Database Security </li></ul><ul><li>Modems </li></ul><ul><li>Wireless </li></ul><ul><li>Documentation </li></ul><ul><li>Disposal of Technology Assets </li></ul>
  33. 33. Disaster Recovery <ul><li>Network is mission critical for business resumption </li></ul><ul><ul><li>Payments, salaries, purchasing </li></ul></ul><ul><li>Phones (VOIP) </li></ul><ul><li>Security systems reliant on network? </li></ul><ul><li>Incident Response </li></ul><ul><ul><li>Custody of evidence </li></ul></ul><ul><ul><li>Law enforcement Liaison </li></ul></ul><ul><ul><li>Review of alarm and access logs </li></ul></ul>
  34. 34. Encryption <ul><li>File encryption </li></ul><ul><ul><li>Do not confuse this with password protecting a file </li></ul></ul><ul><li>E-mail encryption </li></ul><ul><ul><li>If you do not know if it is encrypted, it isn’t </li></ul></ul><ul><li>Digital certificate </li></ul><ul><li>Digital signature </li></ul><ul><li>Remote access </li></ul><ul><li>Wireless </li></ul><ul><ul><li>War driving – for fun and profit </li></ul></ul>
  35. 35. Remote Access Security Enter your User ID: Enter your Password : Access Granted JSmith Iw2gstw! INTERNET File sharing server (KaZaa, BearShare, Napster) On-line video game server (Quake, Counterstrike, Everquest) Your Company Home User
  36. 36. Wireless Home INTERNET
  37. 37. Legal <ul><li>Section 163 - Child Porn </li></ul><ul><li>Interception - Section 184 (1) </li></ul><ul><ul><li>Everyone who, by means of any electro-magnetic, acoustic, mechanical or other device, willfully intercepts a private communication is guilty of an indictable offence….. </li></ul></ul><ul><li>Theft of Telecommunications - Section 326 (1)b </li></ul><ul><ul><li>Everyone commits theft who fraudulently…uses any telecommunications facility or obtains any telecommunication service </li></ul></ul>
  38. 38. Human Resources <ul><li>Code of Ethics </li></ul><ul><li>Confidentiality Agreements </li></ul><ul><li>Background checks on vendors and ITS consultants </li></ul>
  39. 39. Telecommunications <ul><ul><li>Telephone Fraud </li></ul></ul><ul><ul><ul><li>Phone Wall </li></ul></ul></ul><ul><ul><li>Wireless </li></ul></ul><ul><ul><ul><li>801.x WiFi </li></ul></ul></ul><ul><ul><ul><li>Bluetooth </li></ul></ul></ul><ul><ul><ul><li>RIM – Blackberry </li></ul></ul></ul><ul><ul><ul><li>Wireless Air-cards </li></ul></ul></ul><ul><ul><ul><li>Evil Twins </li></ul></ul></ul><ul><ul><ul><li>“ Netstumbler” </li></ul></ul></ul><ul><ul><li>Voice of Internet Protocol (VOIP) </li></ul></ul>
  40. 40. Spyware <ul><li>Broad definition could be: software that - </li></ul><ul><ul><li>is installed on a user’s computer to collect information about the user or use of a computer without appropriate notice and consent </li></ul></ul><ul><ul><li>makes unauthorized use of users’ computers and Internet connections or </li></ul></ul><ul><ul><li>has faulty or weak user-privacy protections </li></ul></ul><ul><li>Information collected or tracked can include click-stream data and user’s web browsing habits, online transaction information (such as credit card numbers), user names, passwords, etc. </li></ul><ul><li>Keystroke Loggers ( a.k.a. , Keyloggers or Snoopware) </li></ul><ul><ul><li>Software that runs in background, recording all keystrokes of user </li></ul></ul>
  41. 41. Installation Methods of Spyware <ul><li>Drive-by downloads </li></ul><ul><ul><li>automatic download to computer, often without knowledge or consent </li></ul></ul><ul><ul><li>can be initiated by visiting a web site or viewing an HTML e-mail message </li></ul></ul><ul><li>Bundling </li></ul><ul><ul><li>installation takes place along with another application </li></ul></ul><ul><ul><ul><li>e.g., some peer-to-peer file sharing applications and some screensavers </li></ul></ul></ul><ul><li>Deception </li></ul><ul><ul><li>installation occurs when user clicks on a deceptive window </li></ul></ul><ul><ul><ul><li>e.g., pop-up window that resembles request from reputable organization </li></ul></ul></ul>
  42. 42. Negative Effects of Spyware <ul><li>Loss of privacy, including potential for identity theft </li></ul><ul><li>Loss of control, including potential for: </li></ul><ul><ul><li>redirect of “home” and “search” pages </li></ul></ul><ul><ul><li>increased number of advertisements </li></ul></ul><ul><ul><li>hijacking of browser or Internet connection </li></ul></ul><ul><ul><li>difficulty in removing unwanted software </li></ul></ul><ul><li>Decreased desktop productivity </li></ul><ul><ul><li>potential to slow down a user’s Internet connection </li></ul></ul><ul><li>Potential to impact user’s ability to install applications </li></ul>
  43. 43. Computer Crime <ul><li>Dramatic increase in cyber crime </li></ul><ul><ul><li>20 minutes to 12 seconds in 1 year </li></ul></ul><ul><li>Identity Theft </li></ul><ul><li>Access to confidential information </li></ul><ul><ul><li>The only change is location of the asset </li></ul></ul>
  44. 44. LUNCH
  45. 45. What you can do! <ul><li>Security awareness </li></ul><ul><li>Wireless </li></ul><ul><li>Cybercrime reduction </li></ul><ul><li>Data centre security </li></ul><ul><li>Personnel security </li></ul><ul><li>Threat and Risk Assessment </li></ul>
  46. 46. Security Awareness <ul><li>Talk to users about risks of equipment, data, personal information, competitive info </li></ul><ul><ul><li>Inadvertent disclosure </li></ul></ul><ul><li>Repetition is the key – new employee orientation is still important </li></ul><ul><li>Evangelize incidents when they do occur </li></ul><ul><li>When servers go down find out why? This may be a source of information to support more security </li></ul>
  47. 47. Wireless <ul><li>Determine if a policy exists at your workplace on wireless – communicate the risks if not </li></ul><ul><li>Assist in identifying rogue wireless equipment </li></ul><ul><li>Support possible encryption solutions </li></ul>
  48. 48. Cybercrime Reduction <ul><li>Work together to look for signs of cyber crime – 2 departments are better than 1 </li></ul><ul><li>Security awareness sessions should include spyware awareness and how this can effect cyber criminals ability to victimize </li></ul><ul><ul><li>Firewalls </li></ul></ul><ul><ul><li>Antivirus </li></ul></ul><ul><ul><li>Anti spyware </li></ul></ul><ul><ul><li>Know what you download – read the Licensing agreement </li></ul></ul>
  49. 49. Data Centre Security <ul><li>Review data centre environmental controls and procedures </li></ul><ul><ul><li>HVAC </li></ul></ul><ul><ul><li>Power </li></ul></ul><ul><ul><li>Data Tape removal </li></ul></ul><ul><li>Networking equipment </li></ul><ul><ul><li>Cable Rooms </li></ul></ul><ul><ul><li>Network closets </li></ul></ul>
  50. 50. Personnel Security <ul><li>System Administrators and DBA’s </li></ul><ul><ul><li>Increased privledges and access create potential mission critical risks if employment relationship degrades – prepare differently </li></ul></ul><ul><li>Background checks on all persons who will get elevated privledges </li></ul><ul><li>Techies have all kinds of information storage devices </li></ul>
  51. 51. Threat and Risk Assessment <ul><li>Add ITS items to building TRA </li></ul><ul><ul><li>Open ports in public areas </li></ul></ul><ul><ul><li>Access to desktops by unauthorized persons </li></ul></ul><ul><ul><li>Wireless hotspots </li></ul></ul><ul><ul><li>Storage areas of IT assets </li></ul></ul><ul><ul><li>Physical security controls of IT areas </li></ul></ul><ul><ul><li>Fire suppression issues in data centres </li></ul></ul><ul><ul><li>Privacy impacts </li></ul></ul>
  52. 52. ITS Standards <ul><li>ISO 17799 </li></ul><ul><li>COBIT </li></ul><ul><li>NIST </li></ul><ul><li>Orange Book </li></ul>
  53. 53. Top 20 ITS Vulnerabilities <ul><li>Desktop Security </li></ul><ul><li>Password Choice </li></ul><ul><li>Password Sharing </li></ul><ul><li>Insecure User ID and Password </li></ul><ul><li>Excessively logged in machines </li></ul><ul><li>Wireless </li></ul><ul><li>USB Storage </li></ul><ul><li>Portable devices w/o passwords </li></ul><ul><li>Access control to equipment </li></ul><ul><li>No background checks on administrators </li></ul><ul><li>Patch Installation </li></ul><ul><li>Excessive Services </li></ul><ul><li>Stale user pool </li></ul><ul><li>Unauthorized privledges </li></ul><ul><li>Too many power users </li></ul><ul><li>Bad installations </li></ul><ul><li>In-secure coding </li></ul><ul><li>Plain text authentication </li></ul><ul><li>Remote access back doors </li></ul><ul><li>Logs not audited </li></ul>
  54. 54. ISO 17799
  55. 55. Break
  56. 56. Where you can help – Today? <ul><li>TRA </li></ul><ul><li>Cyber Investigations </li></ul><ul><li>Loss Prevention – Hardware </li></ul><ul><li>Confidentiality </li></ul><ul><li>Desktop Security </li></ul><ul><li>Security Awareness </li></ul>
  57. 57. Security Awareness Checklist <ul><li>Inappropriate Content </li></ul><ul><ul><li>Education </li></ul></ul><ul><ul><li>Filtering Equipment </li></ul></ul><ul><li>Web mail </li></ul><ul><ul><li>MSN </li></ul></ul><ul><ul><li>Yahoo </li></ul></ul><ul><li>Passwords </li></ul><ul><ul><li>Selection </li></ul></ul><ul><ul><li>protection </li></ul></ul><ul><li>Hardware </li></ul><ul><ul><li>Laptops </li></ul></ul><ul><ul><li>Palm pilots </li></ul></ul><ul><ul><li>USB Storage devices </li></ul></ul><ul><ul><li>LCD, cell phones </li></ul></ul><ul><li>Privileges </li></ul><ul><ul><li>Termination or leave </li></ul></ul><ul><ul><li>Transfer departments </li></ul></ul>
  58. 58. Security Awareness Checklist <ul><li>Good Practices </li></ul><ul><ul><li>Locking workstation when away </li></ul></ul><ul><ul><li>Don’t share passwords or ID’s </li></ul></ul><ul><ul><li>Naming servers </li></ul></ul><ul><li>Dangerous items </li></ul><ul><ul><li>Keyloggers </li></ul></ul><ul><ul><li>Wireless access </li></ul></ul><ul><ul><li>Easy to remove storage devices </li></ul></ul><ul><ul><li>CD writers </li></ul></ul>
  59. 59. Spyware Checklist <ul><li>Use defense mechanisms </li></ul><ul><li>Don’t allow free programs </li></ul><ul><li>Lock down desktop </li></ul><ul><ul><li>Day-to-day tasks do not require Administrator privileges </li></ul></ul><ul><li>Recognize deceptive software </li></ul><ul><li>Recognize signs of spyware in action </li></ul><ul><ul><li>Slow performance </li></ul></ul><ul><ul><li>Browser hijacking </li></ul></ul><ul><ul><li>Pop ups </li></ul></ul><ul><ul><li>Clicking sounds or lights flashing when computer not in use </li></ul></ul>
  60. 60. Technical Checklist <ul><li>Non std ports should be closed unless required to be open – Who/what is using these ports? i.e. port 51015 is open for no reason </li></ul><ul><li>Turn off default or unnecessary services </li></ul><ul><ul><li>Echo </li></ul></ul><ul><ul><li>Chargen </li></ul></ul><ul><ul><li>Discard </li></ul></ul><ul><ul><li>HTTP </li></ul></ul><ul><li>Move away from clear text authentication services </li></ul><ul><ul><li>FTP ( should never communicate with the outside world directly using plain text authentication) </li></ul></ul><ul><ul><li>Telnet </li></ul></ul><ul><li>(Use SSH or SFTP instead) </li></ul><ul><li>Make sure your running updated versions of software with current patches </li></ul><ul><li>Especially if you are running webservers i.e. apache </li></ul>Make friends first
  61. 61. Technical Checklist <ul><li>No unencrypted administrator passwords left on servers </li></ul><ul><li>Everything of value needs a password, especially admin accounts </li></ul><ul><li>No surfing the web with administration accounts </li></ul><ul><li>Reduce the opportunity for arbitrary code to be able to run </li></ul><ul><li>Registry should not be writable for non –admin users </li></ul>
  62. 62. Technical Checklist <ul><li>Avoid allowing anonymous connections </li></ul><ul><li>Turn off unnecessary web servers (Tivoli Storage web server, Apache, other) </li></ul><ul><li>SNMP community strings – should be disabled or set to private, make sure the version is patched or up to date </li></ul><ul><li>Passwords should not be “hard-coded” into applications </li></ul><ul><li>Wireless is simply dangerous! </li></ul>
  63. 63. Website Resources <ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul><ul><li> </li></ul>
  64. 64. Questions? Angela Swan [email_address] Dave Tyson [email_address]