Improving Your Security…For FREE
The CIO Circle July 8, 2009
What’s the catch?
Sorry, you’re going to have to Think….
―Thinking is the hardest work there is…that’s why so few
people do it. ― – Henry Ford
―The only place where success comes before work is in
the dictionary.‖ –Donald Kendall
Copyright 2009 SecureState 2
– B.A. The University of Michigan
Business Communications and Statistics
– M.B.A. Case Western Reserve University
Management Information Systems and Finance
– Ten+ years experience and progressive responsibility in
multiple facets of information systems with specific expertise
in information assurance
– SecureState LLC, CSO, 4 Years
– Past Experience
• Oracle Corporation, Security Service Manager
• Computer Associates Inc., Senior Security Consultant
• Ernst & Young, LLP, Management Consultant
Copyright 2009 SecureState 3
• Ohio Based Company CISSP – Certified Information Systems Security
– Founded 2001 CISM – Certified Information Security Manager
CISA – Certified Information Systems Auditor
QDSP – Qualified Data Security Professional
• 40 Security Professionals GSEC – SANS GIAC Security Essentials
NSA INFOSEC Assessment Methodology (IAM)
Forensics – NTI, EnCase
• Information Assurance & ANSI X9/TG-3
• Audit and business
background (Big X)
• Experts in ethical hacking
across many specialized
Copyright 2009 SecureState 4
Audit and Compliance
• PCI (Payment Card Industry)
• ISO 27001/SAS 70
• SOX, GLBA etc.
• TG-3, NERC/CIP
• INFOSEC (Information System Security Risk Assessment)
Profiling and Attack
• Web Application Security (WAS)
• Attack and Penetration Services (internal, external, client, physical, wireless)
• Wireless Audits
• Architecture Reviews
• Zero-Day Research
• Security Program Manager (SPM)
• Virtual Compliance Officer (VCO)
Forensic Technology Solutions
• Data Forensics/Incident Response
• Reverse Engineering
• Expert Testimony
Copyright 2009 SecureState 5
We have no budget! – Get them to care
• FUD – Fear, Uncertainty and Doubt only works a little bit and
I never (rarely) use it.
• That said, never underestimate the power of a good ―breach‖ story.
• Find a compelling event
• Use assessments and testing
• Get someone outside your organization to say the same thing you say to
your execs…they’ll be more likely to listen
• Learn to love to say the same thing over…and over…and over…
Copyright 2009 SecureState 6
Get it done through Regulations
• By the way Mr. CEO, we’re not
• You do know that if there is a breach, our
state has data breach disclosure laws
• SOX and the SAS now state that audit
firms must sign off on the security of
• We don’t have to be compliant, but our
customer is saying we do
Copyright 2009 SecureState 7
Get the Bullies on your side
• Work with Audit
• Learn what they’re trying to achieve
• You will never be good enough
• Report, report, report
• Do you know what the problems are?
• Do you have a plan to fix them?
Copyright 2009 SecureState 8
Don’t Hold Risk
• You don’t get paid enough to hold the risk of the organization
• Offload it to the board and/or other executive management,
i.e. let them sign off
• Your job is to:
– Identify risk (through assessments)
– Recommend remediation
– Provide assistance in remediation management
Copyright 2009 SecureState 9 9
Make Risk Reduction Simple
Copyright 2009 SecureState 10
Assess. Build. Rinse. Repeat.
Assessments (checks) are the best
route to understand the current
state of your program
Assessments ―get the wheel turning‖
You don’t/can’t know what you’re
doing in security if you’re not
You can enhance your credibility
by putting it into terms the business
Refer to a Framework
NIST – www.csrc.nist.gov/publications/PubsSPs.html
Special Publications in the 800 series present documents of general
interest to the computer security community
NIST 800-53 Security Controls for Federal Information Systems and
ISO 27000 – http://www.standardsdirect.org/iso17799.htm ($1100)
THE ISO 27001 and ISO 27002 TOOLKIT
Copyright 2009 SecureState 13
Inventory and Classify your Assets
• Do you know everything you have?
• Have you assigned a value to your assets?
• There is a reason you don’t have an armed guard covering
• Make sure the level of protection is commensurate with the value
Copyright 2009 SecureState 14
Simulate a breach, incident, or disaster
• Set up a meeting with all parties involved to pretend we’ve just had a
Breach (or Disaster)
– Who needs to be in there?
– What needs to happen?
– Worst case
– What do we have to do to facilitate
a forensic investigation?
• Data flows
• Network Diagrams
Copyright 2009 SecureState 15
• Companies are always looking to slam a $40k appliance in to solve
the world for them. Unfortunately this doesn’t work.
• Detecting viruses, malware, and threats goes into a formalized
security program that is constantly tested. Penetration tests are
excellent methods in identifying deficiencies within the current
Copyright 2009 SecureState 16
A product example – reshifting budget to get more
Anti-virus is typically thought of as a first line of defense for
detecting a potential outbreak, malware, or viruses.
Anti-virus companies market that they are the end-all-be-all and
can catch anything out there.
It’s estimated that 70% of all malware is currently NOT being
detected by anti-virus.
The truth: No longer a defensible position against attackers.
There are now products that combine zero-update attack
protection, data loss prevention, and signature-based antivirus,
reducing cost (upkeep, etc.) and increasing effectiveness.
Copyright 2009 SecureState 17
Check out Great Sources
CIS Benchmarks –
The CIS Benchmarks are the consensus best practice security
configuration standards both developed and accepted by government,
business, industry, and academia
Payment Card Industry (PCI) Data Security Standard –
Free audit standards
OWASP – Open Web Application Security Standard
www.owasp.org The defacto standard for Web Application Security
―Information Security Policies Made Easy‖ –
Policy book by Charles Cresson Woods ($800)
Copyright 2009 SecureState 18
• Build awareness programs, consistency, ease, available, etc.
• However the main message is: ―Don’t be stupid!‖
• Social Engineering
– Have someone from another office, (or your nephew, grandma,
buddy, etc.) try to social engineer your company
– Tell everyone the stories (e-mail, new hire training, etc.)
Copyright 2009 SecureState 19
• Utilize free tools if you have to
• Some exceptions, but generally it makes more sense to just get
someone else to do it
Copyright 2009 SecureState 20
Utilize Free Tools
MBSA (Microsoft Baseline Security Advisor): Helps Windows systems users answer the eternal
question: How safe it my IT infrastructure? The advisor checks systems for common
misconfigurations and missing security updates, then makes recommendations for improving
safeguards in accordance with Microsoft security standards.
Nessus: This product is considered to be one of the best vulnerability scanners available at any price
— and it happens to be free. The tool explores and maps network systems for potential
weaknesses that could provide an open door to attackers. The Nessus client is compatible with all
Linux/Unix systems. There's also a Win32 GUI client that works with any version of Windows.
AVG Anti-Virus Free Edition: Grisoft's AVG Anti-Virus Free Edition, compatible with Microsoft Outlook
and Eudora, quarantines suspected virus-infected emails and scans all email traffic over POP3
and SMTP protocols.
Ad-Aware Free: This no-cost program scans computers for hidden parasites — including Trojan
horses, worms and spyware — and removes them permanently. Ad-Aware Free is perhaps the
most popular free security tool in Internet history, with publisher Lavasoft reporting more than 250
million downloads so far.
Wireshark: An open-source packet sniffer, Wireshark Network Protocol Analyzer supports network
troubleshooting, analysis, software and protocol development. The tool is compatible with popular
computing platforms, including Windows, Unix and Linux.
*courtesy (mostly from) itsecurity.com
Copyright 2009 SecureState 21
Utilize Free Tools
Aircrack-NG: The aircrack-ng suite is an all-encompassing wireless exploitation framework that allows
you to identify potential security flaws within your wireless environments. It also helps you detect
rogue access points, and test your overall security implementations.
MailWasher: Are you sick of spam clogging your employees' mailboxes? POP3-compatible
MailWasher promises to filter and block spam messages while allowing legitimate email to pass
through unimpeded. And it won't cost you a nickel.
Karen's Replicator: Since even the most security-conscious business will need to restore data at some
point, frequent and comprehensive backups are a vital part of any security strategy. Karen's
Replicator can copy files and folders to a backup storage device on either a manual or scheduled
basis. The program can also distribute files across a network and automatically restore damaged
or changed files on a Web server.
Snort: An open-source network IPS (Intrusion Detection and Prevention System), Snort is a protocol
analyzer that enables users to passively detect or actively block various kinds of probes and
attacks. The software's detection capabilities include stealth port scans, operating-system
fingerprinting attempts, buffer overflows and application attacks.
GnuPG (Gnu Privacy Guard): This family of open-source encryption products is developed under the
auspices of the Free Software Foundation's software project. GnuPG can be combined with front
ends that supply compatibility with virtually any operating system — past or present.
Copyright 2009 SecureState 22
Utilize Free Hacker Tools
• Back|Track Live Security Distribution
– Back|Track is the number one security distribution.
– Place CD in computer, reboot, full-fledged hacker environment
with the latest and greatest hacker tools.
Copyright 2009 SecureState 23
Utilize Open-Source Tools
– Exploitation framework created by David Kennedy at SecureState
– Used to effectively test security and exploit vulnerabilities
– Most popular open-source exploitation framework
Copyright 2009 SecureState 24
Utilize Free Forensic Tools
• DEFT (acronym for Digital Evidence & Forensic Toolkit) is a Xubuntu
Linux-based Computer Forensics live CD.
– It is designed to meet
Copyright 2009 SecureState 25
Utilize Free Forensic Tools
• Helix3 Live CD
– Contains multiple open source forensic tools
Copyright 2009 SecureState 26
Utilize Free Forensic Tools
• Forensic Live CD
Copyright 2009 SecureState 27
Summary of biggest mistakes we see
In general, organizations don’t do enough of the following:
• Relay risk to upper management
• Ask for help on things they have no idea about
• Build consistent, repeatable processes
• Take the time to think it through
Copyright 2009 SecureState 28