knowthyself : Internal IT Security in SA

Presentation by Charl van der Walt and Roelof Temmingh at IIR in 2000.

The presentation begins with a discussion on global risks, threats, internal risk and security assessments. Steps to building a strong security culture within an organization are discussed. The presentation ends with a brief overview of intrusion detection systems and their use in internal security.

Speaker notes:
  • Comment on our background and the kind of work we do - technology focused
  • Comment on actual statistics. Give URL as source. ** Refer to John Tullet’s talk earlier...
  • Data Confidentiality, e.g. TMNet - customers; Branch Software. Data Integrity: if a figure on page five of a 60-page financial document, say, were changed, it could have disastrous effects -- and be very difficult to discover before the damage is done. Reputation / Credibility. Denial of Service. Business Continuity.
  • RAS: In 1997, Intel fired Barton, who managed an automated manufacturing system called Workstream inside Fab 15 in Aloha, Oregon. When the company fired him, Intel revoked his password and took away his computer. What Intel failed to realize, however, was that Barton could log into the system from his home computer. The next day, at 2:15 a.m., Barton deleted a number of files, which shut down Workstream. "This slowed, but didn't quite stop, the manufacturing process," Robinson said. In all, Barton clogged the manufacturing process for about four hours. The incident cost about $20,000 to remedy, according to estimates from Intel. Federal law provides criminal penalties for damaging computer systems.

Slide 1: Internal IT Security in SA - Problems & Solutions

Slide 2: Agenda
  • 1. Introduction
  • 2. Considering the global Risk
  • 3. Understanding your own Risk
  • 4. Case Study
  • 5. Setting the Stage
  • 6. Implementing Solutions
  • 7. The role and value of IDS
  • 8. Questions

Slide 3: Introduction
  • About me
  • About Roelof
  • SensePost
  • Objective
  • Approach
  • References:
      • http://wips.sensepost.com/knowthyself.zip
      • http://www.sensepost.com
      • [email_address]
      • [email_address]

Slide 4: Understanding the global Risk
  • What we know:
      • There is a threat to our Information Resources
      • The threat has direct financial implications
      • The threat is growing
      • A large part of the threat is internal
      • There are a number of distinguishable trends
  • http://www.gocsi.com/prelea990301.htm
  • http://www.saps.org.za
  • What we don’t know:
      • How accurate are the statistics?
      • Are international statistics relevant in SA?
      • What does this all mean to me?

Slide 5: Universal Threats
  • Data Confidentiality
      • Information is the currency of business today
          • Customers, Strategy, Financials, HR, Personal
  • Data Integrity
      • The accuracy and reliability of the information
          • Determines the value of information
  • Reputation / Credibility
      • The market’s perception of your competence
          • Web site defacement
  • Denial of Service
      • Prevent a system from performing its intended function
          • EBay, Yahoo, Edgars
Slide 7: Understanding your own Risk
  • What is Risk?
      • Valuable resources + exploitable technology
  • What is “Secure”?
      • When the financial losses incurred are at an acceptable level
  • Your “Risk-Profile”:
      • The value of your Information
      • The degree of technological vulnerability
      • A level of loss that is acceptable to you
          • Unique to your organisation. Today.
  • The value of surveys and statistics
      • Highlight the existence of threats
      • Indicate trends and phases
      • Create an awareness

Slide 8: Your own unique risk profile
  • IT Security Assessment
      • Make informed decisions on how to spend
          • Time
          • Money
          • People
  • An effective assessment:
      • Independent and Objective
      • Business aware but technology focused
      • Prove its worth
      • Concrete, practical recommendations
      • Finite
      • Honest
      • Recursive...

Slide 9: Recursive Security Assessments
  • Delta Testing
      • Monitor the effect of changes
  • New exploits and vulnerabilities
      • Staying secure in a global battlefield
  • Improved Methodologies
      • Tools, techniques, philosophies etc.
  • Innovation
      • A chance to get to know you
  • Extended Scope
      • There’s never enough time
  • Enhanced Scope
      • Moving toward a zero-default environment...
Slide 11: Welcome to the case study (slides 11 to 18 presented by Roelof Temmingh)
  • Mind of the cybercriminal
      • journal style, informal
      • methodology
  • Sensitivity
      • examples only
  • Effort vs Exposure

Slide 12: CAT5 from me to you
  • Obtaining an IP on the internal network
      • already have one
      • RAS
      • the little black box concept
      • walking in with a notebook
      • Trojans
      • splicing copper

Slide 13: Get to know your neighbours
  • The difference between MS and services network
      • MS network is a service (File Sharing)
      • Other services - FTP, HTTP, SQL, SMTP servers.
  • Intelligence gathering
      • Protocols
      • Services
      • Identify important hosts
      • Ping sweep

Slide 14: Easy cash
  • The guy next to you
  • Microsoft network
      • network neighbourhood
      • shares are published
  • Services network
      • Anonymous FTP, webpages

Slide 15: Scratching the surface
  • Your wannabe admin
  • Microsoft network
      • password guessing
      • offline cracking
      • real time cracking
  • Service network
      • sniffing the network (SMTP, POP3, FTP)
      • default passwords
      • password guessing (known services)
      • portscanning

Slide 16: Knocking on the door
  • Your (closet hacker) admin
  • Microsoft network
      • user enumeration
      • brute force id/password
  • Service network
      • vulnerability scanners
      • customized for ports (IDS!)
      • scans for known product problems
      • commercial (ISS, CyberCop)
      • share/freeware (Nessus, whisker)

Slide 17: Blowing the door down
  • Your previous administrator turned black hat hacker
  • We are inside, now what?
  • Microsoft network
      • search for XLS, DOC files
      • copy and enjoy
      • application encryption worthless
  • Service network
      • password files
      • passwords to backends (SQL)
      • text copy of databases
      • mailboxes
  • Publish to Internet, sell to competition.
  • Assumed full control

Slide 18: Keeping in touch
  • Your previous administrator's current employer
  • Keeping a grip on your network
  • Service network & MS network
      • Rootkits
      • Backdoors
  • Not only from internal
      • Internet
      • RAS

Slide 19: Questions?
Slide 21: Setting the Stage - a security culture
  • Assign responsibility
      • Security Officer
  • Empower the Security Officer
      • Authority, Money, People
  • Measure Progress
      • Project Plan, Certification, Audits
  • Develop an IT Security Policy
      • Guide, mandate & measure
      • Should be:
          • Endorsed by management
          • Effectively communicated
          • Specific
          • Enforceable
          • Practical

Slide 22: Setting the Stage - a security culture
  • Communicate with key people
      • Emphasise the value of data to business leaders
  • Awareness training and programmes
      • Buy-in at every level is essential
  • Positive / Negative reinforcement
      • Use security as a performance criterion
  • Consider Security Certification
      • Global standards for the implementation and assessment of security…

Slide 23: Thoughts on Certification
  • Objective
      • To enforce structure on your security program
      • As a means of assessing your security
      • As a means of measuring against best-of-breed
      • As a means of convincing others of your security
  • Is Certification for you?
      • Recognition
      • Focus
      • Local Presence
      • Cost
      • Endurance
      • Objectivity
Slide 25: Implementing Solutions - Overview
  • Value your information and IT resources
      • Know what you’re protecting and what it’s worth
  • Assess your vulnerabilities
      • Know exactly where you stand
  • Evaluate actual risk versus acceptable risk
      • You don’t have to be completely secure
  • Develop a Security Strategy
      • Know where you’re going and where you are
  • Implement Controls
      • 80/20 rule
  • Assess the effect of the changes
      • Security is a cycle

Slide 26: Internal Security Cheat Sheet
  • Publish a policy
      • Guide, mandate and measure
  • Content security
      • Viruses, trojans, scripts
  • Zoning
      • Segment data, people, hosts and services
  • Centralise
      • It’s much easier to protect something if it’s in one place
  • Host & service security
      • Basics!
  • Account Policies
      • Passwords are an essentially weak mechanism
  • Switch to the desktop
      • It’s simple and it works
  • Consider your RAS systems
      • RAS is the soft underbelly of your network
Slide 28: IDS - An Overview
  • Intrusion Detection System
      • Identify and report or react on an unauthorised or malicious action on a host or a network
  • Types of IDS
      • Host
      • Distributed
      • Network
  • Typical Features (NIDS)
      • Packet Sniffing Technology
      • Attack Pattern Library
          • Traffic Patterns, Viruses, Trojans, Signatures
      • Rule Set
          • Source, Destination, Time, Period, Signature
      • Response capabilities
          • Active or Passive
      • Distributed Architecture
      • Centralised Management

Slide 29: The Role of IDS
  • Identifying an “Intrusion”
      • Acceptability Parameters:
          • Destination
          • Source
          • Signature
          • Time
          • Period
  • Effective implementation
      • Access to traffic
      • Acceptability Parameters
      • Response Capabilities
  • Good Example - DMZ
      • Finite area to monitor
      • Existing security infrastructure
      • Clearly defined acceptability parameters
      • Limited number of events to respond to

Slide 30: IDS & Internal Security
  • For:
      • Large, open environments
          • eg Corporate Extranet or University
      • Effective zoning, segmentation & consolidation
      • Basic issues addressed
      • Dedicated security personnel
  • Against:
      • Technology driven decision
          • There are no point-and-click solutions to security
      • Closed system
      • Acceptability parameters
      • Response capabilities
  • In SA
      • Address basic issues
      • Consolidate valuable resources
      • Do an assessment
      • Make a strategy decision
      • Consider outsourcing
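To make the "acceptability parameters" of the IDS slides (source, destination, signature, time, period) and the active/passive response concrete, here is an added example that is not code from the presentation or from SensePost: a minimal rule evaluator run over constructed events against a DMZ web server. The reading of "period" as allowed weekdays, and every address, signature and event, are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
import re

@dataclass(frozen=True)
class Rule:
    """Acceptability parameters for one monitored destination, plus response mode."""
    name: str
    dst: str            # destination network the rule watches
    sources: tuple      # source networks that may legitimately reach dst
    hours: tuple        # acceptable hour-of-day window [start, end)
    weekdays: tuple     # acceptable weekdays, Mon=0..Sun=6 ("period": assumed meaning)
    signatures: tuple   # (label, regex) pairs matched against the payload
    response: str = "passive"   # "passive" = alert only, "active" = alert and block

def evaluate(rule, event):
    """event = (timestamp, src, dst, payload); returns reasons it is unacceptable ([] = fine)."""
    ts, src, dst, payload = event
    if ip_address(dst) not in ip_network(rule.dst):
        return []                                  # rule does not cover this destination
    reasons = []
    if not any(ip_address(src) in ip_network(s) for s in rule.sources):
        reasons.append("source")
    if not (rule.hours[0] <= ts.hour < rule.hours[1]):
        reasons.append("time")
    if ts.weekday() not in rule.weekdays:
        reasons.append("period")
    for label, pattern in rule.signatures:
        if re.search(pattern, payload):
            reasons.append("signature:" + label)
    return reasons

def run_ids(rules, events):
    """Apply every rule to every event; return (alerts, set of sources to block)."""
    alerts, blocked = [], set()
    for ev in events:
        for rule in rules:
            reasons = evaluate(rule, ev)
            if reasons:
                alerts.append((rule.name, ev[1], ev[2], reasons))
                if rule.response == "active":      # active response: block the source
                    blocked.add(ev[1])
    return alerts, blocked

# Constructed sample: DMZ web server reachable from the office LAN (10/8) in business hours
# on weekdays, two crude HTTP signatures, active response. All values are made up.
DMZ_RULE = Rule("dmz-web", "192.0.2.0/24", ("10.0.0.0/8",), (8, 18), (0, 1, 2, 3, 4),
                (("traversal", r"\.\./"), ("cmd.exe", r"(?i)cmd\.exe")), "active")
SAMPLE_EVENTS = [  # constructed; 2000-06-05 is a Monday, 2000-06-11 a Sunday
    (datetime(2000, 6, 5, 10, 0), "10.1.2.3", "192.0.2.10", "GET /index.html"),
    (datetime(2000, 6, 5, 10, 5), "10.1.2.3", "192.0.2.10", "GET /../../winnt/system32/cmd.exe"),
    (datetime(2000, 6, 11, 3, 0), "10.1.2.3", "192.0.2.10", "GET /admin/"),
    (datetime(2000, 6, 5, 11, 0), "203.0.113.7", "192.0.2.10", "GET /index.html"),
    (datetime(2000, 6, 5, 11, 0), "10.1.2.3", "10.1.2.4", "GET /../../etc/passwd"),
]
```

Running `run_ids([DMZ_RULE], SAMPLE_EVENTS)` flags the three DMZ events that break a parameter and leaves the LAN-to-LAN request alone, which is the slide's point that a DMZ with clearly defined acceptability parameters produces a manageable number of events.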
Slide 31: Questions?
