IT Security Strategies for the BYOD Era

Considerations and Evaluations for IT
Security Policies
Possession is 9/10ths of the Law
Brian Bissett
Senior Member
Institute of Electrical and Electronics Engineers (IEEE)
Bio-IT World 2016
1 BioIT World 2016 © Brian Bissett brian.bissett@ieee.org

Overview
Data Requirements (Secure and Useful)
Limitations of DiD (Defense in Depth)
Multi-Factor Authentication (MFA)
Entropy
Types of Attacks
Risk
IT Operational Analytics (ITOA)
Summary

Requirements for Useful Data
Available – Data must be available to authorized
users without interference or obstruction
Accurate – Data is free from Errors.
Authentic – Genuine or Original and free from
reproduction, fabrication, or alteration.
Confidential – Protected from Unauthorized Entities
Utility – The Data has Value

Confidentiality
Integrity
Availability
The CIA Triangle

The Fundamental Problem
Information that is not accessible by a network is of
limited usefulness.
– Metcalfe’s Law: the value of a communications network is
proportional to the square of the number of its users
– Sarnoff's Law: the value of a broadcast network is
proportional to the number of viewers
Information that is accessible by means of a
network can never be guaranteed to be secure.
To have Information that can be utilized effectively
we are forced to operate in a paradigm where trade
offs must be made in usefulness and security.

OSI Vulnerabilities Up & Down Stack

Common Attacks by Layer
1. Physical – Cutting, Keystroke Logging
2. Data Link – Packet Sniffing, MAC Spoofing, MITM
3. Network – Ping Flood, Port Knocking, IPSec Attack
4. Transport – TCP and UDP Flooding
5. Session – Session Hijacking, L2TP, DNS Poisoning
6. Presentation – SSL MITM, SSL DoS
7. Application – Viruses, Trojans, Ransomware, Data
Theft, Cross Site Scripting, SQL injection, Buffer
Overflow, HTTP DoS, Brute Force (Most Vulnerable)

Defense in Depth (DiD)
Defense in Depth is still necessary but requires
supplementation for effective network security.
Defense in Depth relies on Barriers, and Barriers
do not scale with the enterprise.
SQL injection attacks can compromise an entire
enterprise database without any triggering any
alerts.
Defense in Depth must be supplemented by
Dynamic Protection of Users, Data, and Workloads.

NetSPA - NETwork Security and
Planning Architecture
Supplements Defense in Depth for Large Enterprises.
1. Vulnerability Scans: list network vulnerabilities and
provide information on individual hosts and open
ports.
2. Vulnerability Databases: describe prerequisites for
and the effects of exploiting vulnerabilities.
3. Firewall Rules: describe how traffic may or may
not flow through a filtering device.
4. Topology Information: how firewalls and hosts
from vulnerability scans are connected together.

Tracers and Tethers (TnT)
Utilizes the strength of user authentication,
encrypted connections, and continuous monitoring
to secure resources. (Especially Cloud Based)
Tracers – trace through gateways and trust zones.
– track contextual information
Tethers
– tethers to provide root of trust guarantees.
– leverage cryptography.
Behavioral Analysis of “Trusted” Insiders.

Example: Tracers and Tethers

Access Attacks
Backdoors – using a known or newly discovered
mechanism to access a system.
Brute Force – Trying every possible combination
of options for a password. (Time Consuming)
Dictionary – Automated guessing of passwords
using individual or groups of known words.
Spoofing – contacting the system as a trusted
host by modifying IP Packets Source Address.
Social Engineering – You trick an idiot who has
access to allow you into the system.

Data Pilfering and Corruption
Sniffer – Program and/or device that can monitor
data over a network. Can be used for legitimate
purposes (network management and troubleshooting)
or nefarious purposes (theft).
– Aircrack-ng
– Kismet
– Wireshark
– Etc.
Man in the Middle (TCP Hijacking) – grab packets
from the network, modify and reinsert them back into
the network.

Multi-Factor Authentication (MFA)
The Most Secure Networks require a three tier
system of Authentication for User Access:
1. Something you know (e.g. a password).
2. Something you have (e.g. a smart card).
3. Something you are (e.g. a fingerprint).
 Very few Enterprises incorporate all 3
Authentication Factors, most utilize 2.
 Refer to NIST Special Publication 800-63-2.

Password Entropy
Entropy is a measure of the uncertainty
associated with a random variable.
WolframAlpha will calculate the Entropy of a
password: http://www.wolframalpha.com/
Entropy of “password” = 36.19 bits (very weak)
Entropy of “P@s$w0Rd” = 51 bits (fair)
Entropy of “H@rd2Gue$sP@s$w0Rd” = 114.8 bits
(very strong)

Increasing Entropy
Within User Control
Length
Randomness
Enterprise Controlled
Character set
Salt - a random number that is associated with a
user and is added to that user's password.
Pepper - single value unique for a site.

Risk Drivers
Add Users
Low Entropy Passwords and Tokens
Open TCP/IP Ports
Add Applications, Services, or Systems.
Add Administrators
Lower levels of Multi-Factor Authentication
Vulnerabilities are Disclosed
New Architectures Increase Attack Surfaces

User Experience vs. Security

Why Traditional Security is Failing
The BYOD culture and the rise of the Internet of
Things (IoT) means Enterprise IT Departments will
no longer own the devices connected to their
Infrastructure.
In the case of Cloud Services, Administrators may
no longer have control over the Network itself, the
Servers, OS, or Applications being employed by the
end-users.
Enterprise IT systems will constantly be open to
compromise, unable to adequately prevent
advanced target attacks from finding their way into
the infrastructure.

IDS Intrusion Detection System
Device or Software Application that monitors
Network or System activities for malicious activities
or policy violations.
Network Intrusion Detection Systems (NIDS)
Host Intrusion Detection Systems (HIDS)
Statistical anomaly-based IDS - monitor network
traffic and compare it against an established
baseline.
Signature-based IDS - compare against database of
signatures or attributes from known malicious
threats.

The Ultimate Nightmare:
Ransomware

Ransomware Overview
Malware that encrypts all your files and then
extorts money to unlock them.
Infection via Social Engineering using Email
attachments or Webpage Executables.
Not Self-Replicating, cannot spread across
network on its own.
– But it WILL encrypt every file it can access on your
network. Every accessible network file and even Cloud
storage is vulnerable.
Common Variants: CryptoLocker, CryptoWall.
Encryption is too strong to break.

Ransomware Infection
The Ransomware Infection can be removed from
the machine easily enough but . . . .
The files will remain encrypted until unencrypted
with a key.
Once infected only two options:
1. Pay the Ransom and hope you get sent a key.
2. Wipe the Drive and Recover from a Backup.
Most Users Opt for Option Number 2.
Usually when the Ransom is paid, a key is sent.

Protecting from Ransomware
Best Protection: The Virtual Sandbox, products
like Sandboxie.
Sandboxes are virtual environments running a
duplicate of your OS and files.
If Ransomware executes on a Sandbox, it is
deleted with the Sandbox.
HitmanPro will catch and neutralize Ransomware
before it can encrypt your files.
Firewall blocking has shown limited success.

Firewall Blocks to Stop Ransomware
Ransomware must contact a live command and
control server (C&C) to generate keys for encryption.
Only allow outbound traffic on ports used.
Do not allow direct links to IP addresses lacking a
DNS.
Block known-malicious Tor IP addresses.
Employ a Malicious Traffic Detection (MTD)
Mechanism.

Ransomware the $$$ Cost
CryptoWall in 2015: 406,887 infections, $325M.
– Includes Indirect Costs. Lost Revenue, Down Time,
Recovery Time.
CryptoLocker attacks Doubled in 2015.
– More than 50,000 Corporate Machine Infections.
Kyrus Technologies reverse engineered
CryptoLocker. Infected Users can Obtain Keys
here: decryptcryptolocker.com
Many Variants Remain Unbroken.
29 Federal Agencies reported 321 Ransomware
Infections to DHS in just 9 months.

ITOA - IT Operations Analytics
A form of real-time advanced analytics that harness
and process vast volumes of highly diverse data
from applications and endpoints across an
organization’s IT infrastructure.
Advanced targeted attacks are set to render such
prevention-centric security strategies obsolete over
the next five to six years. – Gartner
ITOA can detect sophisticated threats by
recognizing anomalies in the behavior of users and
devices, and identifying deviations from normal
behavior as being potentially malicious activity.

Internet of Things (IoT)
Problem: IoT solutions are being deployed and
retrofitted with security after the fact.
IoT opens up the number of networks one could
access quite dramatically.
Derbycon Security Conference found "thousands" of
medical devices that were vulnerable to remote
attacks via the public internet.
Def Con 23 Hacking Conference: researchers at
Protiviti discussed over 20 vulnerabilities uncovered
in medical devices and support systems.

IoT: Some of Today’s Threats
Hospira Drug pumps contain security flaws that
could allow hackers to give patients a deadly
overdose.
Doctors disabled the wireless features on Vice
President Dick Cheney's heart pump.
U.S. (GAO): Boeing 787 Dreamliner, Airbus A350,
and Airbus A380 are all at risk of hacking, because
cockpits use the same Wi-Fi network as passengers.
Samsung revealed that the mics built into its smart
TVs were continuously recording and transmitting
data to the company.

Cloud Computing
Cloud computing changes the equation of
responsibility for information security.
Any business that holds information about its
customers is the “controller” of that data under the
Data Protection Directive (DPD).
If personal data is stored in a cloud, it remains the
responsibility of the controller.
The controller cannot offload its data protection
responsibilities just by putting data into the cloud.

Cloud Computing Security Models
Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Colocation
– Colocation is your hardware in someone else’s Data Center.
– Only Real Estate and Utilities are Outsourced.
– Colocation was the first “Cloud” service.

Summary
Usefulness vs. Security Paradigm is here to stay.
DiD offers limited protection.
Risk increases with Utility.
The rise in advanced persistent threats (APTs)
requires ITOA to detect nefarious activity.
The diversity of appliances being connected to the
Internet is opening more security holes than
conventional strategies are capable of dealing with.

Selected Publications
Automated Data Analysis with Excel
– Softcover: 442 Pages
– Chapman & Hall (June 2007)
– Second Edition Coming in 2016/2017
– ISBN: 1-58488-885-7
Practical Pharmaceutical Laboratory
Automation
– Hardcover: 464 pages
– Publisher: CRC Press (May 2003)
– ISBN: 0849318149

IT Security Strategies for the BYOD Era

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (14)

Similar to IT Security Strategies for the BYOD Era

Similar to IT Security Strategies for the BYOD Era (20)

More from Brian Bissett

More from Brian Bissett (18)

Recently uploaded

Recently uploaded (20)

IT Security Strategies for the BYOD Era

Editor's Notes