Chapter 7 Secure-Use Practices: Defensive Best Practices Presented by: Derrick Lowe Ken Dean Quintin King Caroline Hawes
Introduction • This chapter focuses on what companies must do to protect themselves from internal risks. • Before hackers and the internet there were: • Disgruntled workers • Careless administrators • Hostile managers
Introduction cont’ • Current technology amplifies security threats, many of which can be traced back to organizational practices • Effective countermeasures: • Secure-use practices • User training
Major Risk Factors • Most likely sources of cyber threats continue to come from within. • Unknown and unseen hackers and thieves are not the most common threat. • It is difficult to accept the reality that a majority of cyber security incidents are traced to company insiders.
Examples • An unwitting employee may spread infected email or be tricked into revealing information through a popular hacker technique: social engineering. • Spoofing: disguising the true identity of the sender • Administrators may be unable or unwilling to apply software patches that fix known vulnerabilities.
Limits On The Extent To Which Risk Factors Can Be Controlled • Producing a complete set of updated, well-documented policies, and training staff in security procedures, is time-consuming. • Policies are not without risks of their own • Selectively enforced policies can be worse than having none at all • If employees send threatening messages to each other and the company fails to notify law enforcement, the company can be held liable for negligence
Enforcement Of Secure-Use Practices Must Be Consistent With AUP • A clearly written Acceptable Use Policy and documentation of confirmation from employees that they read, understood, and agreed to its terms in addition to the Secure-Use practice can help a company avoid costly lawsuits.
Security Focus in Organizational Planning Process • Information security for organizations may not always follow a standard pattern: • Develop a business plan: defines goals, objectives, strategy and priorities • Restructure budgets and organizations • Information security planning may require a different approach: external events, current threats, technical considerations or trends may make change necessary
Marketing Security as a Business Function • Changes in behavior and attitude are necessary to have security as a priority • Top management must implement, enforce and commit…DLM model again • How to achieve equal status • Centralize authority that is visible and powerful • Coordinate with other forms of risk management: physical security, insurance, and legal functions
Integrating Security and Business Plans • Ensures that the most strategic information receives the most protection. • Also promotes security as being fundamental to the success of the business. • Failure to do this will lead to: • A security plan out of sync with the business plan • Security policies not being taken seriously
Developing Information Security Standards • Formal policies and standards documents should be developed for other security functions such as: • Firewall configuration • Remote access procedures • Wireless handheld devices • Archival storage • Roles and permissions • Password maintenance • Maintaining formal policies and standards documents allows for consistency and currency with changes in technology as well as in the business environment.
Documentation and Training • Normally documentation and training budgets are set at a very low level. This tendency starves the education budget and tends to subvert the entire program. • When training is implemented correctly and employees know their stake in a secure workplace, they are able to recognize and react in a communal fashion, which is usually the most effective method.
Incident Response Policy and Incident Response Teams • Preparation before an incident occurs is necessary for development and readiness • Design the policy and the teams • Educate everyone on their roles • Conduct tests to validate the plan’s effectiveness • An incident response policy is the key to readiness. • Needs to be clear and simple for ease of use during a stressful event • Provides guidance on what to do when an attack occurs • Defines the scope of the powers, authority, and discretion that the team has in responding to an attack • Focuses management attention on security and response issues
Example: Incident Response Process (figure taken from http://www.securityfocus.com/infocus/1467)
Developing a Notification Plan • Who do you notify: • Law enforcement • Regulatory authorities • Clearinghouse organizations, such as CERT • Business partners • Bugtraq • The choice is up to the victimized firm. • In 2002, the CSI/FBI Computer Crime and Security Survey reported that only 60% of known intrusions were reported to anyone not directly involved, and 34% to law enforcement. • Firms under-report because they do not want to expose breaches of their networks to the public, fear liability, and want to avoid the delays and costs of formal investigations.
Shut Down Unnecessary Services • Network administrators should review all active ports and disable any service that is not needed. • Ports: numbered entry/exit points on a host through which network services accept connections • Common ports • 80 - HTTP • 23 - Telnet • 443 - HTTPS (SSL/TLS) • 110 - POP3
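The review the slide asks for can be scripted. The following is an added example (not from the original slides): it parses the output of a socket listing in the shape produced by `ss -tulnp`, compares every listener against an allow-list of services the host is supposed to expose, and also flags cleartext protocols such as Telnet and POP3. The sample output, the allow-list and the port-name table are constructed for the example.

```python
"""Review listening TCP/UDP sockets against an allow-list of expected services."""
import re

# Well-known ports from the slide, plus a few others. Note 443 (not 43) carries HTTPS.
PORT_NAMES = {22: "ssh", 23: "telnet", 25: "smtp", 80: "http", 110: "pop3",
              111: "rpcbind", 443: "https", 3306: "mysql"}
# Services that send credentials unencrypted; these should be replaced, not just reviewed.
CLEARTEXT = {21, 23, 110, 143}

# Constructed sample in the shape of `ss -tulnp` output (not captured from a real host).
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("in.telnetd",pid=900,fd=4))
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1020,fd=6))
tcp   LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1100,fd=21))
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=500,fd=5))
"""

# proto, state, recv-q, send-q, local addr:port, peer, trailing process info
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")
PROC_RE = re.compile(r'\("([^"]+)"')


def parse_listeners(text):
    """Return (proto, local_addr, port, process_name) for every socket line."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # header line or anything we do not understand
            continue
        proto, addr, port, rest = m.groups()
        proc = PROC_RE.search(rest)
        listeners.append((proto, addr, int(port), proc.group(1) if proc else "?"))
    return listeners


def review_listeners(text, allowed):
    """allowed: set of (proto, port) tuples the host is supposed to expose.

    Returns a list of (severity, message). A listener outside the allow-list is HIGH
    when bound to all interfaces and LOW when bound to loopback only; cleartext
    services are always HIGH."""
    findings = []
    for proto, addr, port, proc in parse_listeners(text):
        name = PORT_NAMES.get(port, "unknown")
        exposed = addr in ("0.0.0.0", "*", "::", "[::]")
        if (proto, port) not in allowed:
            sev = "HIGH" if exposed else "LOW"
            findings.append((sev, f"{proto}/{port} ({name}) by {proc} on {addr} "
                                  f"is not in the allow-list"))
        if port in CLEARTEXT:
            findings.append(("HIGH", f"{proto}/{port} ({name}) by {proc} sends credentials "
                                     f"in cleartext; replace with SSH/TLS"))
    return findings


if __name__ == "__main__":
    # Hypothetical allow-list: this host should only expose SSH and HTTP.
    for severity, msg in review_listeners(SAMPLE, {("tcp", 22), ("tcp", 80)}):
        print(f"[{severity}] {msg}")
```

On a real host the text would come from `ss -tulnp` (or `netstat -tulnp` on older systems) rather than the constructed sample; the review logic is the same. The loopback-only MySQL listener is reported at low severity because it is not reachable from the network, but it still does not belong on a host whose allow-list does not mention it.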
Set up and Maintain Permissions Securely • Permissions are privileges granted to each user that control which data and applications that user has access to. • Controlled by the system administrator • Range from read-only to full administrator privileges • Limiting each user to what the job requires also helps distinguish honest from dishonest employees: an attempt to reach data outside one’s role stands out (security by ignorance: users cannot misuse what they cannot see) • Roles, or access-level categories, are an effective way to manage permissions: users are assigned a role, and the role carries the specific access level to the server
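The role-based scheme the slide describes, as an added example that is not part of the original slides: permissions are granted only to roles, users are assigned roles, every decision is deny-by-default, and each decision is logged so that out-of-role attempts can be reviewed later. The roles, users and resource names are hypothetical.

```python
"""Role-based access control with deny-by-default decisions and an access log."""

# Roles are the only place permissions are granted (hypothetical role set).
# "*" grants the listed actions on every resource.
ROLES = {
    "viewer":   {"reports": {"read"}},
    "analyst":  {"reports": {"read", "write"}, "datasets": {"read"}},
    "sysadmin": {"*": {"read", "write", "delete", "admin"}},
}

# Users are assigned roles, never individual permissions (hypothetical users).
USERS = {"alice": {"viewer"}, "bob": {"analyst"}, "carol": {"sysadmin"}, "dave": set()}

# Every decision is recorded as (user, action, resource, decision) for later review.
ACCESS_LOG = []


def effective_permissions(user, resource):
    """Union of what every role of `user` grants on `resource` or on "*"."""
    perms = set()
    for role in USERS.get(user, set()):
        grants = ROLES.get(role, {})
        perms |= grants.get(resource, set()) | grants.get("*", set())
    return perms


def check_access(user, action, resource):
    """Deny unless some role explicitly grants `action` on `resource`; log either way.

    Unknown users, users with no role, and unknown resources all fall through to DENY
    because nothing ever adds to the empty permission set."""
    allowed = action in effective_permissions(user, resource)
    ACCESS_LOG.append((user, action, resource, "ALLOW" if allowed else "DENY"))
    return allowed


def users_with_role(role):
    """Who holds a role; review the sysadmin list regularly."""
    return sorted(u for u, roles in USERS.items() if role in roles)


def denied_attempts(user):
    """Out-of-role attempts are visible precisely because permissions are limited."""
    return [entry for entry in ACCESS_LOG if entry[0] == user and entry[3] == "DENY"]


if __name__ == "__main__":
    check_access("bob", "read", "reports")
    check_access("bob", "read", "payroll")      # outside the analyst role: denied and logged
    print("sysadmins:", users_with_role("sysadmin"))
    print("denied attempts by bob:", denied_attempts("bob"))
```

The important property is the absence of any code path that grants access by default: adding a new resource or a new user changes nothing until an administrator attaches a role, which is the same discipline the slide asks for when it says permissions are controlled by the system administrator.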
Conduct Background Checks • A thorough background investigation of everyone being considered for a system administrator job should be conducted rigorously prior to employment • Rotating responsibilities among a team makes it difficult to hide dishonesty
Enforce Strong Passwords • Rules for strong passwords: • No default passwords • Minimum 10 characters, including symbols and digits • Change at least every 4 months • Any others?
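A policy only counts as enforced if something checks it at the point where passwords are set. The following added example (not from the original slides) turns the slide’s rules into a checker and goes one step further than the slide by also rejecting a password that contains the user name. The default-password list is a short constructed one; a real deployment would use a much larger list of vendor defaults and breached passwords. Dates are passed as ISO strings so the age check can be tested with fixed values.

```python
"""Check a candidate password against the slide's rules plus a rotation-age check."""
import string
from datetime import date

MIN_LENGTH = 10
MAX_AGE_DAYS = 120          # "change at least every 4 months"

# Constructed list of common vendor defaults; real checks use a far larger set.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default", "12345678", "root"}


def password_problems(pw, username=None, last_changed=None, today=None):
    """Return a list of rule violations; an empty list means the password passes.

    last_changed / today are ISO dates ("YYYY-MM-DD"); today defaults to the real date."""
    problems = []
    if pw == "" or pw.lower() in DEFAULT_PASSWORDS:
        problems.append("default or empty password")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    # Added beyond the slide: a password built from the account name is guessable.
    if username and username.lower() in pw.lower():
        problems.append("contains the user name")
    if last_changed is not None:
        now = date.fromisoformat(today) if today else date.today()
        age = (now - date.fromisoformat(last_changed)).days
        if age > MAX_AGE_DAYS:
            problems.append(f"older than {MAX_AGE_DAYS} days")
    return problems


def is_strong(pw, username=None, last_changed=None, today=None):
    """True when no rule is violated."""
    return not password_problems(pw, username, last_changed, today)


if __name__ == "__main__":
    for candidate in ("ChangeMe", "alice_Secret9!", "Tr0ub4dor&3xtra"):
        print(f"{candidate!r}: {password_problems(candidate, username='alice') or 'ok'}")
```

Run the check both when a password is chosen and periodically against the stored last-changed date, since the rotation rule cannot be enforced at creation time alone. One caveat a practitioner should weigh: later guidance such as NIST SP 800-63B recommends against forced periodic rotation in favour of screening against known-compromised passwords and changing on evidence of compromise, so the age check here implements the slide’s rule rather than current best practice.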
Review Partner Contracts • A network of business partners becomes an extension of the business’s own network. • Ask for third-party certification of their information security practices • Build provisions into contracts that provide protection
Audit and Update • One area of liability that is often ignored is the use of unlicensed software. • Software vendors are entitled to conduct audits to ensure license compliance. • The best way to protect your company is to proactively and periodically survey all computers for illegal applications. • Failure to address known vulnerabilities in commercial software leaves openings for hackers to exploit
Physical Security • Ways to keep information physically secure • Use encryption on all offline storage of sensitive data • Make sure all the network devices in the field are in physically secure place • Dispose of old computers with extreme care.
Auditing … includes Testing • Acts as a legal deterrent and demonstrates diligence • Similar to financial audits: certify with an outside agency • Beyond technology: include documentation, training and personnel • Test the response of defensive technology and of the designated response team • Backup sites should be included
Insurance • Now available to cover liability from virus transmission and confidential information release, business interruption, and loss of income from a DoS attack • http://www.cfcunderwriting.com/products/esurance.html
Staying Current • Need I say more?
Reinforcing Secure-Use Procedures • Warning vs. welcome message • The welcome message must come after the warning • A court ruling found that the reverse order implies authorization • In OpenSSH, for example, the text named by the Banner directive is shown before authentication, while the message of the day is printed only after a successful login
Rewarding Secure Behavior • Rewards are as important as reprimands
Dangerous Email Practices • Email forwarding • Auto-replies/responders: the system sends a prepared message automatically in reply to each email it receives • Spammers are guaranteed responses, confirming that the address is live • HTML email • IM
Dangerous Sharing Practices • P2P networks: the 2nd most effective channel (email is 1st) for malware distribution • Software downloads: spyware, Trojan horses • Unauthorized users: PCs and PDAs shared with others unfamiliar with the AUP • Public and wireless networks: open the PC to anyone monitoring the traffic
Summary • Secure-Use Practices help control risks and dangers through the use of policies and technology • The effectiveness of security practices depends on the relationship to the business culture and diligence of staff • The key is to balance security and capability