Introduction to Cybersecurity & Information Assurance for FQHCs April 13, 2011 Amelia Muccio Director of Emergency Management email@example.com
Objectives • Cybersecurity • Information assurance • FQHCs as target • Cyber threats/risks • Vulnerabilities • Countermeasures • Safeguarding • Promoting a culture of security
Serious Threat • Richard Clarke was famously heard to say, "If you spend more on coffee than on IT security, then you will be hacked. What's more, you deserve to be hacked.” • The growing number of attacks on our cyber networks has become, in President Obama’s words, “one of the most serious economic and national security threats our nation faces.”
Who & What is At Risk? • Economy • Defense • Transportation • Medical • Government • Telecommunications • Energy Sector • Critical Infrastructure • Computers/Cable TV/Phones/MP3/Games
Fundamental Concepts of Information Assurance • Confidentiality (privacy) • Integrity (quality, accuracy, relevance) • Availability (accessibility) • CIA triad
Internet • In 1995, 16 million users (0.4% of world population) • In 2010, 1.6 billion users (23.5%) • Physical security and cyber security cannot be treated separately; they are intertwined
How Does an Attack Happen? • Identify the target • Gather information • Plan/Prepare the attack • Attack
Attack Trends • Increasing sophistication • Decreasing costs • Increasing attack frequency • Difficulties in patching systems • Increasing network connections, dependencies, and trust relationships
What Threatens Information? • Misuse • Disasters • Data interception • Computer theft • Identity/password theft • Malicious software • Data theft/corruption • Vandalism • Human error
Threats • A threat is any potential danger to information and systems • 3 levels of cyber threats • Unstructured • Structured • Highly structured
Unstructured Threats • Individual/small group with little or no organization or funding • Easily detectable information gathering • Exploitations based upon documented flaws • Targets of opportunity • Gain control of machines • Motivated by bragging rights, thrills, access to resources
Structured Threats • Well organized, planned and funded • Specific targets and extensive information gathering to choose the avenue and means of attack • Goal: the data stored on the machines, or the machines themselves • Exploitation may rely on insider help or on unknown (unpublished) flaws • The target drives the attack • Organized crime/black hat hackers
Highly Structured Threats • Extensive organization, funding and planning over an extended time, with goal of having an effect beyond the data or machine being attacked • Stealthy information gathering • Multiple attacks exploiting unknown flaws or insider help • Coordinated efforts from multiple groups • “Cyber warfare”
Web as Weapon • Infrastructure run by computers • Government and utility SCADA systems • Overflow a dam, disrupt oil supply • Maroochy Shire, Australia (2000): a former contractor used radio access to the sewage SCADA system to release raw sewage • Cyberterrorism (Bin Laden and Aum Shinrikyo) • Combined attack • Cause a power outage plus a biological attack • EMS disruption plus a nuclear emergency • Next war fought with code and computers
Hackers and Crackers • White hat hacker: authorized, ethical; curious, explores an organization's own vulnerabilities with permission so they can be fixed • Black hat hacker/cracker: malicious intent; exploits vulnerabilities for monetary gain or to perpetrate a crime; organized crime • Gray hat hacker: no malicious intent but no authorization either, motivated by a sense of good; the "cowboys" • GHHs find vulnerabilities in other people's systems and notify the company so they can be fixed, but the access is still unauthorized
Gray Hats • Adrian Lamo: found vulnerabilities, informed the company • WorldCom, Google, NYTimes, Bank of America, NASA • NYTimes: reached an internal database of op-ed contributors, including Social Security numbers • Edited a Yahoo news story • Robert Lyttle: DoD, Pentagon • Both were prosecuted; unauthorized access is illegal regardless of motive
Early Days…Phone Phreaking • 2600 Hz tone • The Captain Crunch whistle produced it (roughly the 4th E above middle C) • A long whistle reset the trunk line, then the caller dialed with tones • Tricked the phone companies' in-band tone signalling • Free long distance and international calls
Risk • Threat combined with vulnerability (and impact) • The likelihood of an undesirable event occurring combined with the magnitude of its impact • Natural • Manmade • Accidental or intentional • People are the weakest link
Risk Management • Identifying and assessing risk, reducing it to an acceptable level and implementing mechanisms to maintain that level • Protect against: • Physical damage • Human error • Hardware failure • Program error • Cyber attack
Risk Handling Discussion • Risk reduction (countermeasures, hazard vulnerability analysis/HVA) • Risk transference (insurance) • Risk acceptance (it may happen; the cost of the control exceeds the loss) • Risk avoidance (stop the activity that carries the risk); simply ignoring a risk is not a handling strategy • Security assessments are an important part of risk management • Penetration testing • Identify all vulnerabilities and threats to information, systems and networks
Contingency Planning Components • How to handle disruption? • Business continuity • Disaster recovery • Incident response
Recovery Strategy • A recovery strategy provides direction to restore IT operations quickly and effectively • Backup methods • Alternate sites • Equipment replacement • Roles and responsibilities • Cost considerations
BCP • A comprehensive written plan to maintain or resume business operations in the event of a disruption • Continue critical business operations while the disruption jeopardizes normal operations • Focuses on the most critical operations • May require alternate sites (hot, warm, cold) • What do we need to KEEP going?
DRP • A comprehensive written plan to return business operations to the pre-disruption state following a disruption • Restore IT functions (prepare, then restore) • Addresses the disruption that jeopardized normal operations • Includes all operations, not just the critical subset • RETURN TO NORMAL BUSINESS OPERATIONS • WHAT DO WE NEED TO DO IN CASE OF A DISASTER?
Plan Testing, Training and Exercising • Testing is critical to ensure a viable contingency capability • Conduct plan exercises • Tabletop exercises (TTXs) are useful
Policies and Procedures • Establish security culture • Establish best security practices • Define goals and structure of security program • Educate personnel • Maintain compliance with any regulations • Ex: email policy, Internet usage, physical security
Physical Security Countermeasures • Property protection (doors, locks, lighting) • Structural hardening (construction) • Physical access control (authorized users only) • Intrusion detection (guards, monitoring) • Physical security procedures (escort visitors, logs) • Contingency plans (generators, off-site storage) • Physical security awareness training (recognizing suspicious activity)
Personnel Security • Practices established to ensure the safety and security of personnel and other organizational assets • It's ALL about people • People are the weakest link • Reduce vulnerability to personnel-based threats
Personnel Security Threat Categories • Insider threats: the most common and the hardest to recognize • Includes sabotage and unauthorized disclosure of information • Social engineering: multiple techniques used to extract information from authorized employees, then using that information in conjunction with an attack • Employees who are not aware of the value of the information they hold
Social Engineering • Being fooled into giving someone access when the person has no business having the information.
Dumpster Diving and Phishing • DD: rummaging through a company's garbage for discarded documents • Phishing: usually takes place through fraudulent emails requesting users to disclose personal or financial information • Emails appear to come from a legitimate organization (e.g. PayPal)
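The slide's phishing pattern (a sender posing as a legitimate organization and pressuring the reader to disclose credentials) can be turned into a mechanical check. The following is an added example, not material from the original presentation: it parses two constructed messages and flags the three indicators the slide implies. The brand/domain table, the lure-phrase list and the two sample emails are assumptions made up for the demo.

```python
import email
import email.utils
import re
from urllib.parse import urlsplit

# Constructed table (assumption): brand keyword -> domains that legitimately send its mail.
KNOWN_BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "bank of america": {"bankofamerica.com"},
}

# Constructed list (assumption) of phrases typical of credential-harvesting lures.
LURE_PHRASES = (
    "verify your account", "confirm your password", "account will be suspended",
    "update your billing", "social security number",
)

ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def registrable_domain(host: str) -> str:
    """Crude 'example.com' from 'www.example.com' (assumption: no public-suffix list needed)."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else (host or "").lower()


def analyze_email(raw: str) -> list:
    """Return the phishing indicators found in one RFC 822 message (single-part HTML)."""
    msg = email.message_from_string(raw)
    findings = []

    # 1. Display name claims a brand, but the address domain is not that brand's.
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in name.lower() and sender_domain not in domains:
            findings.append(f"display name '{name}' claims {brand} but sender domain is {sender_domain}")

    body = msg.get_payload(decode=True).decode("utf-8", "replace")

    # 2. Link text shows one URL while the href points at a different domain.
    for href, text in ANCHOR_RE.findall(body):
        shown = TAG_RE.sub("", text).strip()
        if "://" in shown or shown.lower().startswith("www."):
            shown_host = urlsplit(shown if "://" in shown else "http://" + shown).hostname
            real_host = urlsplit(href).hostname
            if registrable_domain(shown_host) != registrable_domain(real_host):
                findings.append(f"link text shows {shown_host} but points to {real_host}")

    # 3. The body pressures the reader into disclosing credentials or personal data.
    lures = [p for p in LURE_PHRASES if p in body.lower()]
    if lures:
        findings.append("lure phrases: " + ", ".join(lures))
    return findings


# Constructed sample messages (not real mail).
PHISH = """\
From: "PayPal Security" <alerts@paypa1-secure.example>
To: staff@clinic.example
Subject: Unusual activity on your account
Content-Type: text/html; charset=utf-8

<p>We detected unusual activity. Please verify your account within 24 hours
or your account will be suspended.</p>
<a href="http://paypa1-secure.example/login">https://www.paypal.com/signin</a>
"""

LEGIT = """\
From: "PayPal" <service@paypal.com>
To: staff@clinic.example
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<p>Your monthly statement is ready.</p>
<a href="https://www.paypal.com/activity">View activity</a>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze_email(raw))
```

The link check is the one users most often miss: the anchor text can say anything, so the hostname in `href` is the only part that matters. A production filter would also verify SPF/DKIM on the sending domain and use a public-suffix list instead of the two-label shortcut used here.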
Policies and Procedures (P&P) • Acceptable use policy: what actions users may perform while using computers • Personnel controls: need to know, separation of duties • Hiring and termination practices: background checks, orientation, exit interview, escort procedures
Private Branch Exchange (PBX) Systems • Toll fraud • Disclosure of information • Unauthorized access • Traffic analysis • Denial of Service (DoS)
PBX Threat Countermeasures • Implement physical security • Restrict or disable remote maintenance port access • Enable alarms and audit trails • Remove all default passwords • Review the configuration of your PBX against known hacking techniques
Data Networks • Computers need a way to communicate • Reusing the existing telephone network is cheaper than building a separate one • Modems were designed to leverage that asset, which also makes the phone network an entry point
Modem Threats • Unauthorized and misconfigured modems • Authorized but misconfigured modems
Wardialing • Hackers use a program that calls a range of telephone numbers until it connects to an unsecured modem and allows them dialup access • Identify potential targets
Modem Threat Countermeasures • Policy • Scanning your own number range for modems • Administrative action • Strong passwords • Elimination of modem connections • Use a device (telephony firewall) to protect against telephony-based attacks and abuses
Voice Over Internet Protocol (VoIP) • VoIP is a technology that allows someone to make voice calls using a broadband Internet connection instead of a regular (analog) phone line
VoIP Benefits and Threats • Benefits: less expensive; increased functionality; flexibility and mobility • Threats: service theft; eavesdropping; vishing; call tampering
VoIP Threat Countermeasures • Physical control • Authentication and encryption • Develop appropriate network architecture • Employ VoIP firewall and security devices
Data Networks • Computers linked together • Hosts (computers, servers) • Switches and hubs • Routers
Common Network Terms • Local Area Network (LAN): a network grouped in one geographic location • Wide Area Network (WAN): a network that spreads over a larger geographic area • Wireless LAN (WLAN): a LAN with wireless connections
Data Network Protocols • Transmission Control Protocol (TCP): moves data across networks with a connection-oriented approach • User Datagram Protocol (UDP): moves data across networks with a connectionless approach • Internet Control Message Protocol (ICMP): used by hosts and routers to send error and control messages across networks • Hypertext Transfer Protocol (HTTP): transfers web pages and hypermedia
Data Network Threats • Information gathering • Denial of Service (DoS) • Disinformation • Man-in-the-middle • Session hijacking
Information Gathering Threats/Network Scanning • Which targets are available? • Reduces wasted effort for the attacker • One of the most common pre-attack identification techniques is scanning • Scanning often uses the ICMP echo service ("ping") • PING SWEEP: an echo request is sent to a range of addresses; the replies provide a list of potential targets • "Are you there?" "Yes, I am here." • The perimeter firewall should drop unsolicited echo requests from untrusted networks
Sniffing • A sniffer is a program that monitors and analyzes network traffic and is used legitimately or illegitimately to capture data transmitted on a network
Denial of Service (DoS) • Degrade or prevent operations/functionality • A distributed denial of service (DDoS) attack uses multiple attacking machines simultaneously • Example: a vast number of ICMP echo request packets is sent to the target, overwhelming its capacity to process all other traffic
Ping Flood/Ping of Death • Ping flood: too much ping traffic drowns out all other communication; the host cannot cope with the volume of ping packets • Ping of Death: an oversized (more than 65,535 bytes once reassembled) or malformed ICMP packet causes the target to crash or reboot • Ping of Death relies on a buffer overflow vulnerability in the IP reassembly code • Buffer overflow: the size of the input exceeds the size of the storage intended to receive it
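The three ICMP abuses on these slides (ping sweep, ping flood, Ping of Death) share one packet format, so one added example covers all of them. This code is not from the original presentation: it builds and checksums an ICMP echo request per RFC 792, then runs simple detection rules over constructed traffic records. The record format `(timestamp, src_ip, dst_ip, icmp_bytes)`, the thresholds and all addresses are assumptions chosen for the demo.

```python
import struct
from collections import defaultdict, deque

ICMP_ECHO_REQUEST = 8
MAX_IP_DATAGRAM = 65535                      # largest legal IPv4 datagram (RFC 791)
MAX_ECHO_PAYLOAD = MAX_IP_DATAGRAM - 20 - 8  # minus IPv4 header and ICMP header = 65507


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request: type 8, code 0, checksum, identifier, sequence, then payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp(pkt: bytes):
    """Return (type, code, ident, seq, payload, checksum_ok)."""
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    checksum_ok = icmp_checksum(pkt) == 0    # a valid packet checksums to zero over its full length
    return typ, code, ident, seq, pkt[8:], checksum_ok


def detect_icmp_abuse(records, sweep_hosts=8, flood_pps=100, window=1.0):
    """records: iterable of (timestamp_s, src_ip, dst_ip, icmp_bytes); returns alert strings."""
    alerts = []
    dsts_by_src = defaultdict(set)           # ping sweep: one source, many destinations
    times_by_dst = defaultdict(deque)        # ping flood: many requests to one destination
    flooded = set()
    for ts, src, dst, pkt in records:
        typ, _code, _ident, _seq, payload, ok = parse_icmp(pkt)
        if typ != ICMP_ECHO_REQUEST or not ok:
            continue
        if len(payload) > MAX_ECHO_PAYLOAD:  # could only arrive via oversized reassembly
            alerts.append(f"ping of death: {len(payload)}-byte echo payload from {src} to {dst}")
        dsts_by_src[src].add(dst)
        if len(dsts_by_src[src]) == sweep_hosts:
            alerts.append(f"ping sweep from {src}: echo requests to {sweep_hosts} distinct hosts")
        recent = times_by_dst[dst]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= flood_pps and dst not in flooded:
            flooded.add(dst)
            alerts.append(f"ping flood against {dst}: {len(recent)} echo requests within {window}s")
    return alerts


def sample_records():
    """Constructed traffic: a normal ping, a sweep of ten hosts, a flood, and an oversized ping."""
    probe = build_echo_request(0x1234, 1, b"normal ping payload")
    recs = [(0.0 + i * 0.5, "10.0.0.2", "192.168.1.1", probe) for i in range(3)]
    recs += [(1.0 + i * 0.1, "10.0.0.5", f"192.168.1.{i + 1}", probe) for i in range(10)]
    recs += [(3.0 + i * 0.004, "203.0.113.7", "192.168.1.20", probe) for i in range(120)]
    recs.append((5.0, "198.51.100.9", "192.168.1.30", build_echo_request(1, 1, b"\x00" * 70000)))
    return sorted(recs, key=lambda r: r[0])


def run_demo():
    alerts = detect_icmp_abuse(sample_records())
    for a in alerts:
        print(a)
    return alerts


if __name__ == "__main__":
    run_demo()
```

The checksum routine is the part worth keeping: a sniffer or IDS verifies it the same way, by summing the whole packet and expecting zero. The sweep rule counts distinct destinations per source, the flood rule counts requests per destination in a sliding window, and the Ping of Death rule is simply a length check, which is also why modern IP stacks no longer crash on it.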