C15 Building a Secure Infrastructure
Faculty: Scott Greene of Evidence Solutions, Inc.
Scott@EvidenceSolutions.com
www.EvidenceSolutions.com


Post on 16-Dec-2015


Page 1: C15 Building a Secure Infrastructure

Faculty: Scott Greene of Evidence Solutions, Inc.

Scott@EvidenceSolutions.com

Page 2: 10 Things Users do to Drive you Crazy

1: Take control of remote sessions
◦ I do a lot of remote support. For that support, I use either LogMeIn or TeamViewer. Inevitably, I run into clients who constantly want to “show me” what’s going on, take over the mouse to point out something different, or even use their machine for something else (like replying to an email that should be able to wait). Outside of annoying any support tech, this does one thing — extends the length of time needed to do a job.

Page 3: 10 Things Users do to Drive you Crazy

2: Give too much irrelevant information about an issue
◦ What I really want to know is that you clicked on an attachment that was in an email. I don’t care to know the email was originated by your grandmother on your father’s side and the email had the most darling picture of kittens and puppies playing together in a field of daisies. I also don’t care that you were sitting at your desk, having your usual lunch of yogurt and sliced apples dipped in caramel when everything started to go down the drain. Get to the point, give me the facts, and I will do my job to the best of my ability.

Page 4: Disclaimer

Just because a network has been designed well does not mean it is, or will remain, secure.

No audit, internal, external, compliance-related or not, can by itself ensure a network is secure.

The real benefit of designing a secure infrastructure comes from implementing its recommendations on how security controls can be improved, dealing with any concerns reported, & more closely aligning information security needs & risk mitigation with business goals.

Page 5:

Protect the Information

Provide Access

Page 6: Why?

A new web threat is detected every 4.5 seconds.
◦ SophosLabs, published in Sophos Security Threat Report Mid-Year 2011

Page 7: Why?

Why the focus on the Web?
◦ Because it works!

Over the last year, we’ve seen major breaches, at companies including Sony, RSA, and Zappos.com, and several U.S. military contractors.

All from a click on a malicious link.

Page 8: Why?

Page 9: Regulations

These can help create a framework of security:
◦ Health Insurance Portability & Accountability Act (HIPAA) (1996)
◦ Gramm-Leach-Bliley (1999)
◦ Homeland Security Act (2002)
  ◦ Federal Information Security Management Act (FISMA)
◦ Federal Information Processing Standard (FIPS) (2010)
◦ Payment Card Industry Data Security Standard (PCI / PCIDSS)

Page 10: FIPS

Federal Information Processing Standards
◦ Publicly available standards developed by the United States Federal government for use by all non-military government agencies and by government contractors.
◦ Many FIPS standards are modified versions of standards used in the wider community (ANSI, IEEE, ISO, etc.)

Page 11: FIPS – The Process

FIPS is used to Manage Risk by selecting and implementing security controls in the organizational information system including:
◦ 1) Applying the organization’s approach to managing risk
◦ 2) Categorizing the information system and determining the system impact level in accordance with FIPS 199 and FIPS 200, respectively;
◦ 3) Selecting security controls, including tailoring the initial set of baseline security controls and supplementing the tailored baseline as necessary based on an organizational assessment of risk
◦ 4) Assessing the security controls as part of a comprehensive continuous monitoring process.

Page 12: FIPS – The Process of Managing Risk

Categorize
◦ the information processed, stored, and transmitted by that system

Page 13: FIPS – The Process of Managing Risk

Select
◦ an initial set of baseline security controls for the information system based on the system impact level and minimum security requirements
◦ apply tailoring guidance by supplementing the baseline security controls based on an organizational assessment of risk and local conditions including environment of operation, organization-specific security requirements, specific threat information, cost-benefit analyses, or special circumstances; and specify assurance requirements

Page 14: FIPS – The Process of Managing Risk

Implement
◦ the security controls and document how the controls are employed within the information system and its environment of operation.

Page 15: FIPS – The Process of Managing Risk

Assess
◦ The security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Page 16: FIPS & FISMA – The Formula

Security Categorization

SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}

(confidentiality x impact) + (integrity x impact) + (availability x impact)

Page 17: FIPS & FISMA – The Formula

Confidentiality:
◦ “the property that data or information is not made available or disclosed to unauthorized persons or processes.”

Page 18: FIPS & FISMA – The Formula

Integrity is:
◦ “the property that data or information have not been altered or destroyed in an unauthorized manner.”

Page 19: FIPS & FISMA – The Formula

Availability is:
◦ “the property that data or information is accessible and useable upon demand by an authorized person.”

Page 20: FIPS & FISMA – The Formula

Impact
◦ N/A
◦ Low
◦ Moderate
◦ High
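The security categorization slides above, worked through as an added example (not part of the original presentation). It builds the SC set for each information type, rolls the types up into the system's SC with the high-water mark that FIPS 199 prescribes, and derives the FIPS 200 system impact level. The information types and their ratings are constructed for illustration.

```python
from enum import IntEnum


class Impact(IntEnum):
    """Potential impact values from the slide, ordered so max() is the high-water mark."""
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def information_type(name, confidentiality, integrity, availability):
    """Security category of one information type.

    FIPS 199 permits N/A only for confidentiality, and only at the
    information-type level.
    """
    if Impact.NA in (integrity, availability):
        raise ValueError(f"{name}: N/A is only valid for confidentiality")
    ratings = (confidentiality, integrity, availability)
    return {"name": name, "sc": dict(zip(OBJECTIVES, ratings))}


def system_category(info_types):
    """SC of the information system: per objective, the highest value among
    all resident information types, and never below LOW (a system cannot
    be rated N/A)."""
    if not info_types:
        raise ValueError("at least one information type is required")
    return {
        objective: max(Impact.LOW, *(t["sc"][objective] for t in info_types))
        for objective in OBJECTIVES
    }


def system_impact_level(sc):
    """FIPS 200 impact level: the highest of the three objective values."""
    return max(sc.values())


def format_sc(label, sc):
    """Render a category in the slide's notation."""
    pairs = ", ".join(f"({o}, {sc[o].name})" for o in OBJECTIVES)
    return f"SC {label} = {{{pairs}}}"


# Constructed sample: information types on a hypothetical case-management server.
SAMPLE_TYPES = [
    information_type("client case files", Impact.HIGH, Impact.MODERATE, Impact.MODERATE),
    information_type("public website content", Impact.NA, Impact.MODERATE, Impact.LOW),
    information_type("billing records", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
]

if __name__ == "__main__":
    for t in SAMPLE_TYPES:
        print(format_sc(t["name"], t["sc"]))
    system_sc = system_category(SAMPLE_TYPES)
    print(format_sc("case-management system", system_sc))
    print("System impact level:", system_impact_level(system_sc).name)
```

One HIGH rating on one information type makes the whole system high-impact, which is why the "wrong data on the wrong server" matters when baseline controls are selected.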

Page 21: FIPS – Minimum Security Requirements

Access Control (AC):
◦ Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.

Page 22: FIPS – Minimum Security Requirements

Awareness and Training (AT):
◦ Organizations must:
  ◦ Ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems;
  ◦ Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

Page 23: FIPS – Minimum Security Requirements

Audit and Accountability (AU):
◦ Organizations must:
  ◦ Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity;
  ◦ Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.

Page 24: FIPS – Minimum Security Requirements

Certification, Accreditation, and Security Assessments (CA):

Organizations must:
◦ Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application;
◦ Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems;
◦ Authorize the operation of organizational information systems and any associated information system connections;
◦ Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

© Evidence Solutions, Inc. 2011. The Computer, Technology, and Digital Forensics Firm.

Page 25: FIPS – Minimum Security Requirements

Configuration Management (CM):
◦ Organizations must:
  ◦ Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles;
  ◦ Establish and enforce security configuration settings for information technology products employed in organizational information systems.

Page 26: FIPS – Minimum Security Requirements

Contingency Planning (CP):
◦ Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.

Page 27: FIPS – Minimum Security Requirements

Identification and Authentication (IA):
◦ Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Page 28: FIPS – Minimum Security Requirements

Incident Response (IR):
◦ Organizations must:
  ◦ Establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities;
  ◦ Track, document, and report incidents to appropriate organizational officials and/or authorities.

Page 29: FIPS – Minimum Security Requirements

Maintenance (MA):
◦ Organizations must:
  ◦ Perform periodic and timely maintenance on organizational information systems;
  ◦ Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

Page 30: FIPS – Minimum Security Requirements

Media Protection (MP):
◦ Organizations must:
  ◦ Protect information system media, both paper and digital;
  ◦ Limit access to information on information system media to authorized users;
  ◦ Sanitize or destroy information system media before disposal or release for reuse.

Page 31: FIPS – Minimum Security Requirements

Physical and Environmental Protection (PE):
◦ Organizations must:
  ◦ Limit physical access to information systems, equipment, and the respective operating environments to authorized individuals;
  ◦ Protect the physical plant and support infrastructure for information systems;
  ◦ Provide supporting utilities for information systems;
  ◦ Protect information systems against environmental hazards;
  ◦ Provide appropriate environmental controls in facilities containing information systems.

Page 32: FIPS – Minimum Security Requirements

Planning (PL):
◦ Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.

Page 33: FIPS – Minimum Security Requirements

Personnel Security (PS):
◦ Organizations must:
  ◦ Ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions;
  ◦ Ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers;
  ◦ Employ formal sanctions for personnel failing to comply with organizational security policies and procedures.

Page 34: FIPS – Minimum Security Requirements

Risk Assessment (RA):
◦ Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.

Page 35: FIPS – Minimum Security Requirements

System and Services Acquisition (SA):
◦ Organizations must:
  ◦ Allocate sufficient resources to adequately protect organizational information systems;
  ◦ Employ system development life cycle processes that incorporate information security considerations;
  ◦ Employ software usage and installation restrictions;
  ◦ Ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.

Page 36: FIPS – Minimum Security Requirements

System and Communications Protection (SC):
◦ Organizations must:
  ◦ Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems;
  ◦ Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.

Page 37: FIPS – Minimum Security Requirements

System and Information Integrity (SI):
◦ Organizations must:
  ◦ Identify, report, and correct information and information system flaws in a timely manner;
  ◦ Provide protection from malicious code at appropriate locations within organizational information systems;
  ◦ Monitor information system security alerts and advisories and take appropriate actions in response.

Page 39: 10 Things Users do to Drive you Crazy

3: Blame the issue on something I (or another tech) did previously
◦ Yes, I’ve worked on your machine before. No, what I did last time to help you remap your K drive had zero effect on the fact that now you can’t get a network connection. Although they may be related, they are not directly cause and effect. Trust me on this. I’m not trying to pull a fast one on you, and I am 100 percent sure that the K drive issue is not related. But on the off chance that you simply will not believe me, I will do everything I can to show you the two are not related in any way. If you still don’t believe me, I have a list of other consultants who will be happy to have your work — until they’re no longer happy to have your work.

Page 40: 10 Things Users do to Drive you Crazy

4: Lie
◦ This one should not need any explanation. But for those who have yet to experience the liar, let me set the stage. There are times when you log into a user’s machine and discover that something obviously has been done — a profile or program deleted — that can be done only by an end user. When an end user has made such a mistake, he or she will sometimes try to deny doing anything to cause the problem. That’s fine. But most support professionals can see through the thinly veiled lie. We know the truth… so it’s okay to admit it.

Page 42: Considerations

Monitoring vs. Prevention
◦ Monitoring causes the system(s) to report events
◦ Prevention causes the system(s) to interrupt events
  ◦ May require additional integration between vendors

Page 43: Know What you are Up Against

Security is Inconvenient

Know what you are defending

Review the current threats often

Users are unsophisticated

Anonymous is good at what it does / The bad guys are good at what they do / It is the only thing they do

Resources / Money / Budget

Page 44: Know What you are Up Against

Evaluate Risks and Threats
◦ What is critical to your business unit?
◦ How do you protect it?
◦ How do you prevent downtime?
◦ How do you get back up and running quickly?

Just because you have technology protecting your network doesn’t mean it is all working

65% of all attacks are internal

Page 45: Endpoint Security

In 2011
◦ 39% of email-borne malware consisted of hyperlinks, not attachments;
◦ That’s up from 24% of email in 2010

- Symantec’s Internet Security Threat Report.

Page 46: Endpoint Security

Almost half of malicious software communicates out over the Internet within 60 seconds of infecting a computer, and about 80% of those communications use some form of Web protocol.

- Websense.

Page 47: Endpoint Security

It used to be that porn was driving this issue

Followed closely by gambling

In the last two years, however, the field has changed. It is now:
◦ It’s religious sites

Page 48: Windows 7 and AppLocker

Windows 7 allows for Software Restriction Policies (SRPs)
◦ The Path Rule
◦ The Hash Rule
◦ The Publisher Rule
◦ Audit mode
◦ Configuring AppLocker
◦ Experimenting with AppLocker

Page 49: Windows 7 and AppLocker

Background of SRPs
◦ SRPs have been around since Active Directory 1.0 (Win 2000)
◦ Windows has sported Software Restriction Policies, or SRPs for short.
◦ SRPs allowed administrators to configure their Active Directory networks in one of two ways:
  ◦ A blacklist (most common)
  ◦ A whitelist (most secure)

Page 50: Windows 7 and AppLocker

Background of SRPs
◦ A blacklist (most common)
  ◦ Allows anything to run except what is on the blacklist.
◦ A whitelist (most secure)
  ◦ Only lets items run that are on the whitelist.
  ◦ What about Notepad, Calculator, etc.?

Page 51: Windows 7 and AppLocker

The Path Rule
◦ Allows users to run applications from a specific location.
◦ It is generally impractical for most organizations
◦ Executables live in a single folder on the user’s workstation (or on the network).
◦ Allows for multiple path rules
◦ Becomes unwieldy quickly
◦ “It’s OK to run apps that live in \\SW\GOODAPPS”
  ◦ Any user with write permissions can just copy an application to the “goodapps” path and then run it.
◦ In AppLocker, default path rules exist to permit running applications in the Windows folder and the Program Files folder.

Page 52: Windows 7 and AppLocker

The Hash Rule
◦ The hash rule requires that you point Windows to the actual executable file that you wish to allow or deny in your additional rules, so that Windows can generate a cryptographic hash that is specific to that binary file.
◦ While the hash rule addresses the ease with which path rules can be obfuscated, it presents an additional burden for administrators:
  ◦ Plenty of upfront work generating hashes
  ◦ Generate new hash rules every time an executable changes
  ◦ Hashes have a slight negative impact on workstation performance

Page 53: Windows 7 and AppLocker

The Publisher Rule
◦ Avoids the problem with users circumventing path rules by renaming executables
◦ Allows administrators to allow or deny certificate-based applications
◦ Uses standards like digital signatures
◦ Uses publisher rules to specify allowed or disallowed versions.
◦ Can use a range of versions

Page 54: Windows 7 and AppLocker

Audit Mode versus Enforce Rules
◦ Audit mode is a great way of gauging the potential impact of AppLocker without actually denying anyone the right to run an application. This mode is used for testing.
◦ Audit mode generates a list of applications that will fail and pass under the rules you’ve created
◦ This lets you identify potential problems before that unpleasant phone call from a frustrated user.
◦ This mode helps limit the impact of rules on the Brass (as well as the rest of the users)
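The trade-offs between the path, hash and publisher rules, and what an audit-mode report looks like, shown as an added example (not part of the original presentation and not AppLocker's own engine). It is a simplified whitelist model: the file contents are constructed byte strings, "Example Corp" and the file names are hypothetical, and the publisher field stands in for a verified digital signature that real AppLocker would check.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class FileInfo:
    path: str
    content: bytes
    publisher: Optional[str] = None      # stands in for a verified signature
    version: Tuple[int, ...] = (0,)

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


def path_rule(prefix):
    """Allow anything located under the given folder (case-insensitive)."""
    prefix = prefix.lower().rstrip("\\") + "\\"
    return lambda f: f.path.lower().startswith(prefix)


def hash_rule(approved_content):
    """Allow exactly one binary, identified by the hash of its bytes."""
    digest = hashlib.sha256(approved_content).hexdigest()
    return lambda f: f.sha256 == digest


def publisher_rule(publisher, min_version, max_version):
    """Allow signed files from one publisher within a version range."""
    return lambda f: (f.publisher == publisher
                      and min_version <= f.version <= max_version)


def audit(policy, files):
    """Audit mode: report what the whitelist would allow or block.
    Nothing is denied; the result is only a list for review."""
    return {f.path: "allowed" if any(rule(f) for rule in policy) else "blocked"
            for f in files}


# Constructed byte strings standing in for real executables.
LEDGER_V1 = b"constructed bytes: ledger 1.0"
LEDGER_V2 = b"constructed bytes: ledger 1.1 (patched build)"
UNAPPROVED = b"constructed bytes: tool nobody approved"

FILES = [
    # The approved application in the approved share.
    FileInfo(r"\\SW\GOODAPPS\ledger.exe", LEDGER_V1, "Example Corp", (1, 0)),
    # The vendor's update of the same application.
    FileInfo(r"\\SW\GOODAPPS\ledger-1.1.exe", LEDGER_V2, "Example Corp", (1, 1)),
    # An unsigned file copied into the share by a user with write permission.
    FileInfo(r"\\SW\GOODAPPS\copied-tool.exe", UNAPPROVED),
    # The approved binary, renamed and moved to a user's desktop.
    FileInfo(r"C:\Users\pat\Desktop\notes.exe", LEDGER_V1, "Example Corp", (1, 0)),
]

POLICIES = {
    "path": [path_rule(r"\\SW\GOODAPPS")],
    "hash": [hash_rule(LEDGER_V1)],
    "publisher": [publisher_rule("Example Corp", (1, 0), (1, 9))],
}


def audit_matrix():
    """Run the same files through each single-rule policy."""
    return {name: audit(policy, FILES) for name, policy in POLICIES.items()}


if __name__ == "__main__":
    for name, report in audit_matrix().items():
        print(f"--- {name} rule ---")
        for path, verdict in report.items():
            print(f"{verdict:8} {path}")
```

The report shows the path rule allowing the copied file, the hash rule blocking the vendor's own update until a new hash is added, and the publisher rule following the signed binary regardless of name or location.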

Page 55: Windows 7 and AppLocker

Configuring AppLocker
◦ Use the Active Directory Group Policy on the server
◦ Install Remote Server Administration Tools in Windows 7
  ◦ This installs an updated GPMC
  ◦ The RSAT for Windows 7 <> RSAT for Vista

Page 56: Windows 7 and AppLocker

Experimenting with AppLocker
◦ Start by working with a test machine that’s not connected to your network.
◦ Start with local Group Policy settings rather than network-based settings.
◦ Start with the blacklist model in which the default behavior is to allow everything.
◦ Leave the AppID service start type as manual, so if you get into trouble, you can reboot.

Page 57: 10 Things Users do to Drive you Crazy

5: Take control of conversations
◦ When I’m trying to explain an issue to an end user, it really bugs me when that user takes over the conversation, preventing me from being able to effectively communicate either the problem or the solution. Generally, these people tend to have more to say on the issue than necessary and assume what they have to add to the situation is far more important than what they have to learn. If those end users would stop and listen for once, the reoccurring issue I am trying to help them with might not reoccur.

Page 58: Endpoint Security

Page 59:

BlackHole Exploit Kit
◦ A type of crimeware Web application developed in Russia to help hackers take advantage of unpatched exploits in order to hack computers via malicious scripts planted on compromised websites. Unsuspecting users visiting these compromised sites would be redirected to a browser vulnerability-exploiting malware portal website in order to distribute banking Trojans or similar malware through the visiting computer.
◦ Blackhole exploit kits are based on PHP and a MySQL backend and incorporate support for exploiting the most widely used and vulnerable security flaws in order to provide hackers with the highest probability of successful exploitation. The kits typically target versions of the Windows operating system and applications installed on Windows platforms.
◦ The first Blackhole exploit kit appeared on the black market in August 2010 as a Web application available for sale on a subscription basis ($1,500 for an annual license). Newer releases and a free version of the Blackhole exploit kit have since appeared on warez download sites. The most well-known Blackhole exploit kit attack targeted the U.S. Postal Service's Rapid Information Bulletin Board System (RIBBS) website in April 2011.

Page 60: Endpoint Security

These direct Web attacks typically consist of six stages
◦ First: The Lure
◦ Second: The Redirection
◦ Third: Exploitation via vulnerability
◦ Fourth: Install the program
◦ Fifth: Contact Command-and-Control
◦ Sixth: Start using the compromised system

Page 61: Endpoint Security

THREAT | EXAMPLES | IMPACT | DEFENSES
Botnet | Cutwail and Zeus | Take over system control, record account user names & passwords | Web-security gateway; endpoint security; network monitoring; use of security-as-a-service and patching, and removal of browser plug-ins to reduce possible vulnerability
Click fraud | DNSChanger | Redirect user browsing | Security-as-a-service, outbound monitoring, endpoint security

Page 62: Endpoint Security

THREAT | EXAMPLES | IMPACT | DEFENSES
Exploit kit | Blackhole & Phoenix | Compromise systems & communications | Security-as-a-service, endpoint security, aggressive patching, removal of vulnerable plug-ins, outbound monitoring
Man in the browser | Zeus | Compromise secure browser channels, steal $ from bank accounts | Browser security software, endpoint security

Page 63: Endpoint Security

THREAT | EXAMPLES | IMPACT | DEFENSES
Phishing | Fake Christmas lottery | Steal credentials, make more attacks | Anti-spam, network monitoring, security-as-a-service, browser protection, endpoint security
Rogue application | Virus remover & Antivirus 2009… | Compromise system, require payment for fraudulent services | Endpoint security, reputation engines, installation of software from vendors’ sites
Targeted attack | Oak Ridge National Labs attack | Steal confidential data | Endpoint security, data loss prevention, patching, removal of browser plug-ins

Page 64: Perimeter

Be aware of the hacker’s technology and strategy, and understand how they’re helping attackers better defeat security measures.

Be ready to counter the attacks with layers of responses designed to make it harder for attackers to penetrate your network.

If the crooks do get in, you might at least keep them away from your most valuable servers and data.

Page 65: Perimeter

Firewalls
◦ Block what you don’t need
◦ Block countries where you do not do business
  ◦ Russia, Ukraine & China
  ◦ Doesn’t work as well as it used to but still worth doing
◦ Block inappropriate sites
  ◦ Gambling, Entertainment, Porn, Religious?

Page 66: Perimeter

Firewalls
◦ Use a unique connection to the outside for:
  ◦ Mail Servers
  ◦ Web Servers
  ◦ E-Commerce
  ◦ Etc.

Page 67: Perimeter

Firewall DMZ or no DMZ
◦ Ensure all unnecessary ports are closed (port forwarding). As an alternative to, or in tandem with a DMZ option, many hardware-based firewalls allow port forwarding. This occurs when only a specific port may be visible to the outside world. If you are implementing port forwarding, open only those ports that are explicitly needed. Any other publicly visible port should be considered a security risk.

Page 68: Perimeter

Firewalls
◦ Protect various departments / Critical Assets
  ◦ Network Segmentation
  ◦ Sub-Perimeter firewalls
◦ Protecting machines
  ◦ Sub-Sub Perimeter / Workstation Firewalls
  ◦ Preferably centrally managed but if that is too expensive, install non-centrally managed products.

Page 69: Audits

Checklist
◦ Procedures should be comprehensively documented.
◦ Employees should be trained & tested in their roles
◦ Security patch management should be examined / tested
◦ Penetration testing should be regularly performed
◦ Firewall settings should be examined frequently
◦ Data should be classified and stored appropriately
◦ Wireless settings should be checked / changed
◦ Scan for unauthorized WAPs.

Page 70: Audits

Checklist
◦ Event logs should be thoroughly examined all the time and during an audit.
◦ Test software that deals with sensitive data / Review source code.

Page 71: Simple Audits

The wrong data on the wrong server
◦ Windows Search
◦ dtSearch

Page 72: Third Party Audit

46% of internal security audits find significant security problems

54% of external security audits find significant security problems

Page 73: Third Party Audit

Audits should be a surprise
◦ Prior to audits, IT teams rush around and make last-minute adjustments to their configurations and processes.
◦ In the real world, however, audit preparation should be treated as an ongoing endeavor.

External Audits can find things like:
◦ Malicious users
◦ Malicious administrators

Page 74: Monitoring

Develop a well documented network
◦ What talks to what when and how

Continuously monitor the network for changes
◦ Whitelists, blacklists, hardware and software

Remediate Changes
◦ When you detect a change, launch into action!

Assess constantly
◦ In large organizations at least part of someone’s job should be to assess the status of the network.

Page 75: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Nmap
Look@LAN
Advanced Port Scanner
Microsoft Baseline Security Analyzer (hasn’t recently been updated)
LeakTest (Gibson Research)
Symantec Security Check

Monitoring Resources
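
The monitoring loop from the previous slide (document the network, watch for changes, act on them) can be driven from scan output of a tool such as Nmap. The following is an added example, not part of the original slides: it parses lines laid out like Nmap's grepable output and diffs them against a documented baseline. The baseline, hosts and scan lines are constructed sample data, and the function names are hypothetical.

```python
import re

# Documented baseline ("what talks to what"): host -> allowed (protocol, port).
# Constructed sample data using documentation address space.
BASELINE = {
    "192.0.2.10": {("tcp", 22), ("tcp", 445)},
    "192.0.2.20": {("tcp", 443)},
    "192.0.2.30": {("tcp", 25)},
}

# Constructed scan results in the layout of Nmap's grepable output (-oG).
SAMPLE_SCAN = [
    "Host: 192.0.2.10 (fileserver)\tPorts: 22/open/tcp//ssh///, "
    "445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///",
    "Host: 192.0.2.20 (intranet)\tPorts: 443/open/tcp//https///, "
    "8080/closed/tcp//http-proxy///",
    "Host: 192.0.2.77 ()\tPorts: 80/open/tcp//http///",
]


def parse_grepable(lines):
    """Return host -> set of open (protocol, port) pairs."""
    observed = {}
    for line in lines:
        m = re.match(r"Host: (\S+) .*?Ports: (.*?)(?:\t|$)", line)
        if not m:
            continue  # status-only or comment line
        host, ports = m.groups()
        services = set()
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            # Field layout: port/state/protocol/owner/service/...
            if len(fields) >= 3 and fields[1] == "open":
                services.add((fields[2], int(fields[0])))
        observed[host] = services
    return observed


def diff_network(baseline, observed):
    """List every deviation from the documented network."""
    changes = []
    for host in sorted(observed.keys() - baseline.keys()):
        changes.append(("unknown_host", host, sorted(observed[host])))
    for host in sorted(baseline.keys() - observed.keys()):
        changes.append(("missing_host", host, []))
    for host in sorted(baseline.keys() & observed.keys()):
        new = observed[host] - baseline[host]
        gone = baseline[host] - observed[host]
        if new:
            changes.append(("new_service", host, sorted(new)))
        if gone:
            changes.append(("service_gone", host, sorted(gone)))
    return changes


if __name__ == "__main__":
    for change in diff_network(BASELINE, parse_grepable(SAMPLE_SCAN)):
        print(change)
```

Each returned tuple is a change to remediate or to fold back into the documented baseline once it has been approved.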

Page 76: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

6: Ask the “quick question”
◦ This one really bothers me. Without fail, a client will call me with a “quick question” that inevitably winds up being a 30-minute phone conversation. My time is valuable through the workday and those quick questions add up. Not only that, but many clients use the quick question to avoid having to pay for support on the real issue

10 Things Users do to Drive you Crazy

Page 77: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com
Page 78: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

AntiVirus
◦ Use multiple
    ◦ Each one will pick up different items
◦ Monitor Centrally
    ◦ Users are notorious for selecting “ignore”.
◦ Workstation Firewalls
    ◦ Each and every workstation needs a firewall
    ◦ Use multiple

Layers Layers Layers

Page 79: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Another concern agencies should have is spyware.
◦ Spyware is installed surreptitiously on a PC to intercept or take partial control over the user's interaction with the computer, without the user's informed consent.
◦ Spyware is generally not intended to be malicious.
◦ It reports information about users back to a third party.
◦ The information varies from general information about their system to specifics on their web browsing habits.

© Evidence Solutions, Inc. 2011. The Computer, Technology, and Digital Forensics Firm.

Operating System – Anti-Spyware

Page 80: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Spyware falls into several categories:
◦ 1. Retail and vendor information tracking.
    ◦ Generally to track where users go on a site or on the vendor’s competitors’ site.
◦ 2. Tracking
    ◦ Collects various types of personal information, such as Internet surfing habits, sites that have been visited, etc.


Operating System – Anti-Spyware

Page 81: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

◦ 3. Redirection / Hijacking
    ◦ These types of spyware interfere with user control of the computer by installing additional software, redirecting Web browser activity, blindly accessing websites that will cause more harmful viruses, or diverting advertising revenue to a third party.

Spyware can change computer settings, resulting in slow connections, different home pages, and loss of Internet or other programs.


Operating System – Anti-Spyware

Page 82: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

In response to the emergence of spyware, an entire anti-spyware industry has sprung up.

A variety of programs are available for detecting and removing this spyware.

Running anti-spyware software has become a widely recognized element of computer security for Windows computers.

The US Federal Trade Commission has an entire page of advice to consumers about how to lower the risk of spyware infection.


Operating System – Anti-Spyware

Page 83: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Our top choices:
◦ Spybot Search and Destroy
◦ Zone Alarm – Anti-Spyware
◦ Adaware Pro
◦ Computer Associates – Anti-Spyware
◦ F-Secure


Operating System – Anti-Spyware

Page 84: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Strong Passwords
◦ 1,000,000+
    ◦ The largest dictionaries of passwords we’ve seen reported
    ◦ Common names of people or pets are the first passwords tried
    ◦ Ordinary words are tried next
    ◦ Followed by words & names with one or two digits tacked on.
    ◦ Finally things like: common substitutions of numbers and characters for letters
        ◦ 3@SY4M3 – Easy for me
        ◦ r@ts – rats
        ◦ etc.

The Obvious

Page 85: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Strong Passwords
◦ Longer is better
◦ Odd Structure is better
◦ Distinctness
◦ Frequency of Change
◦ Require:
    ◦ At least eight characters
    ◦ Include two or more digits
    ◦ Special Characters
    ◦ Digits and Special Characters randomly instead of just the beginning or the end

The Obvious
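
The two password slides above combine into one check: the "Require" rules, plus a test for the guessing order described (names and words, one or two digits tacked on, common substitutions). This is an added example, not part of the original slides; the small dictionary and the substitution table are constructed assumptions, and the function names are hypothetical.

```python
import re

# Constructed sample dictionary. A real deployment would load a large
# wordlist (the slide mentions dictionaries of 1,000,000+ entries).
SAMPLE_DICTIONARY = {"rats", "easy", "password", "rover", "scott", "dragon"}

# Common number/character-for-letter substitutions, undone before lookup.
# This table is an assumption; extend it to match your own wordlists.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def guessable(password, dictionary=SAMPLE_DICTIONARY):
    """True if the password falls to the guessing order on the slide."""
    lowered = password.lower()
    candidates = {lowered}
    # Words and names with one or two digits tacked on.
    candidates.add(re.sub(r"\d{1,2}$", "", lowered))
    # Common substitutions, applied to both forms.
    candidates |= {c.translate(LEET) for c in set(candidates)}
    return any(c in dictionary for c in candidates)


def policy_violations(password, dictionary=SAMPLE_DICTIONARY):
    """Return the list of 'Require' rules the password breaks."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    digits = [ch for ch in password if ch.isdigit()]
    specials = [ch for ch in password if not ch.isalnum()]
    if len(digits) < 2:
        problems.append("fewer than two digits")
    if not specials:
        problems.append("no special character")
    # Strip non-letters from both ends; if nothing but letters is left,
    # every digit and special character sat at the beginning or the end.
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    if (digits or specials) and not re.search(r"[^A-Za-z]", core):
        problems.append(
            "digits and special characters only at the beginning or end")
    if guessable(password, dictionary):
        problems.append("dictionary word, name, or simple variation")
    return problems


if __name__ == "__main__":
    for pw in ("r@ts", "rover12", "Password12!", "mu7e#Lan9tern"):
        print(pw, "->", policy_violations(pw) or "meets the slide's rules")
```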

Page 86: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Wireless
◦ WPA2 tied to the infrastructure
◦ Scan for new wireless devices

The Obvious

Page 87: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

172 million smart phones were sold in 2010
Leveraging the employee smart phone can be huge
$500 device versus the data stored or available on the device

Mobile Devices

Page 88: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Benefits
◦ The employee bears the cost of the device
◦ The employee bears the cost of the service
◦ Employees are more connected
◦ Employees collaborate more often
◦ Communication increases dramatically
◦ Faster decision making

Mobile Devices

Page 89: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Mobile Devices

Four things you cannot ignore with mobile devices
• 1) Antivirus software on every device
    ◦ BullGuard
    ◦ Kaspersky
    ◦ ESET
    ◦ LookOut
    ◦ TrendMicro
    ◦ F-Secure
    ◦ NetQin
    ◦ WebRoot
    ◦ Norton 360

Page 90: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Four things you cannot ignore with mobile devices
◦ 2) Protect data on devices
    ◦ Enforce PIN access
    ◦ Encrypt Sensitive Data
    ◦ Management: Remote Lock, Remote Wipe

Mobile Devices

Page 91: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Four things you cannot ignore with mobile devices
◦ 3) Tightly control what can be installed on a mobile device
    ◦ Known sources
        ◦ AppStore
        ◦ Google Play Store / Amazon
        ◦ Etc.
    ◦ Scan before installation

Mobile Devices

Page 92: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Four things you cannot ignore with mobile devices
◦ 4) Detect & Prevent Malware
    ◦ See anti-virus
    ◦ Educate users
        ◦ If they see something wrong, turn off the device and seek help.

Mobile Devices

Page 93: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Web Browser Configuration / Lockdown
◦ All browser plugins should be limited to essential plug-ins approved by the Agency
◦ ActiveX plugins should be limited
    ◦ Users should not be expected to be able to determine whether or not adequate security is available for ActiveX plugins

Browser Security

Page 94: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Web Browser Configuration / Lockdown
◦ Web browsers should be configured to limit vulnerability to intrusion.
◦ Active code should be disabled or used only in conjunction with trusted sites.
◦ < Demo browsing with a crippled browser >
◦ The browser should always be updated to the latest secure version.

Browser Security

Page 95: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Web Browser Configuration / Lockdown
◦ Privacy
    ◦ This is a big concern.
    ◦ The greatest threat is the use of cookies by third party websites and the monitoring of web browsing habits of users by third parties using those same cookies.
    ◦ Cookies can be disabled, controlled and / or removed using a variety of built-in web browser features or third-party applications.

Browser Security

Page 96: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

◦ JavaScript should also be limited or turned off.
    ◦ While JavaScript is used on many websites, turning it off generally only causes some nuisances when browsing these sites.

Browser Security

Page 97: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

OpenDNS
Google Public DNS

Browser Security

Page 98: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

1. Educate Employees
◦ Show them what to watch out for
◦ Encourage them to report questionable sites and links.

2. Flexible Policies
◦ Policies should be adaptable to the rapidly changing Web environment.

Four Steps to Better Web Security

Page 99: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

3. Secure All Devices
◦ Keep patches up to date
◦ Remove unneeded plug-ins
◦ Use endpoint security
◦ Use Browser sandbox.

4. Use Web Filtering
◦ Monitor traffic in both directions to catch incoming threats and infected machines transmitting out.

Four Steps to Better Web Security

Page 100: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com
Page 101: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

7: Chat while I’m concentrating
◦ This goes along with dominating the conversation. Many users, while in the middle of a remote session, want to chat. Sometimes that’s okay, as we are simply waiting for a download or waiting on the progress of a service or application. But when I’m elbows deep in the dirt and grit of trying to resolve a crucial issue, don’t try to chat me up about the weather, the royal wedding, or the price of gas. Please let me resolve the issue at hand (especially one that requires my concentration) and then I will happily chat about whatever (so long as I don’t have a pressing appointment after yours).

10 Things Users do to Drive you Crazy

Page 102: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

8: Insist what their “cousin” told them was true
◦ I get it. Some companies enlist the help of “Cousin Joe,” who happens to owe the secretary a favor and “knows a thing or two” about computers. Well, Cousin Joe didn’t do you any favors when he caused even more problems doing what he did. Not that I am going to slam your cousin. But when I say that although Joe’s intentions were good, what he did was counterproductive to solving the issue at hand, please don’t insist that the cousin was in the right and that I am only trying to bilk you out of more money. Of course, if it ever comes to those kinds of words, you will most certainly be looking for a new support specialist.

10 Things Users do to Drive you Crazy

Page 103: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com
Page 104: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

1) Understand your requirements
◦ Define your requirements from the inside
◦ What to protect?
◦ Where is it residing?
◦ End Points?

Four DLP Steps

Page 105: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

2) Work with the business at hand
◦ Understand what managers need
    ◦ Conduct interviews
    ◦ What do they need access to?
    ◦ Where do they need access to it?
    ◦ Too many false positives may indicate a broken business process

Four DLP Steps

Page 106: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

3) Involve the legal & HR departments
◦ Legal can help with:
    ◦ Compliance issues
    ◦ Helping write an incident plan
◦ HR:
    ◦ Handle an incident created by an employee

Four DLP Steps

Page 107: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

4) Implement in Phases
◦ Don’t shock the system
◦ Monitor each phase

Four DLP Steps

Page 108: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Data Identification
◦ This is the first step to implementation
◦ Solutions should be able to identify confidential or sensitive information.
◦ The data identification:
    ◦ in motion
    ◦ at rest
    ◦ at end points

Data Loss Prevention

Page 109: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Data Identification
◦ DLP solution should allow for:
    ◦ Keywords
    ◦ Dictionaries
    ◦ regular expressions
    ◦ partial document matching
    ◦ fingerprinting
◦ DLP solution should allow you to write your own rules.

Data Loss Prevention
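
How the identification methods listed above differ is easiest to see side by side. The following is an added example, not part of the original slides and not any DLP product's code: a small content inspector with a keyword rule, a regular expression backed by a Luhn check to cut false positives, and partial document matching through hashed word shingles. The keywords, protected document, threshold and function names are constructed assumptions.

```python
import hashlib
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

# Constructed sample rules and protected content.
SAMPLE_KEYWORDS = ["confidential", "project falcon"]
SAMPLE_PROTECTED = {"falcon-term-sheet": (
    "Project Falcon acquisition terms: the purchase price is forty two "
    "million dollars payable in three tranches subject to board approval "
    "before the end of the fiscal year.")}


def luhn_ok(digits):
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def shingles(text, k=5):
    """Fingerprint: the set of hashed k-word windows in the text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(max(len(words) - k + 1, 0))}


def build_rules(keywords, protected_docs):
    return {"keywords": [k.lower() for k in keywords],
            "fingerprints": {name: shingles(body)
                             for name, body in protected_docs.items()}}


def inspect(text, rules, threshold=0.25):
    """Return (method, detail) findings for one message or file."""
    findings = []
    lowered = text.lower()
    for kw in rules["keywords"]:
        if kw in lowered:
            findings.append(("keyword", kw))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append(("regex", "payment card number"))
    seen = shingles(text)
    for name, fp in rules["fingerprints"].items():
        # Partial match: share of the protected document found in the text.
        if fp and len(fp & seen) / len(fp) >= threshold:
            findings.append(("fingerprint", name))
    return findings


if __name__ == "__main__":
    rules = build_rules(SAMPLE_KEYWORDS, SAMPLE_PROTECTED)
    for msg in ("CONFIDENTIAL: card 4111 1111 1111 1111",
                "Ticket 1234 5678 9012 3456 is closed",
                "fyi the purchase price is forty two million dollars "
                "payable in three tranches, talk later"):
        print(inspect(msg, rules), "<-", msg)
```

The last sample message contains no keyword at all and is caught only by the fingerprint rule, while the ticket number matches the card pattern but fails the checksum and is not reported.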

Page 110: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Data Identification
◦ The strength of the analysis engine directly correlates to its accuracy.
◦ Each organization may have unique needs, however.
◦ Accuracy depends on many variables
    ◦ The way the data is stored.
    ◦ The format of the data
    ◦ Encryption of the data

Data Loss Prevention

Page 111: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Data Identification
◦ Testing for accuracy
    ◦ Often
    ◦ Compare results with previous testing
    ◦ Ensure the solution has virtually zero false positives/negatives.

Data Loss Prevention

Page 112: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Network & Gateway DLP
◦ Dedicated hardware/software platforms, typically at the border.
◦ They analyze network traffic to search for unauthorized information transmissions including:
    ◦ Email
    ◦ IM
    ◦ FTP
    ◦ HTTP
◦ They are generally cost effective.
◦ Some network systems review data stored throughout the enterprise to identify areas of risk.

Data Loss Prevention

Page 113: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Host-based DLP systems
◦ Run on end-user workstations or servers
◦ Generally address internal communications
◦ Some can monitor external communications
◦ Others can also control information flow within the organization.
◦ Can also control:
    ◦ Email
    ◦ IM

Data Loss Prevention

Page 114: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Host-based DLP systems
◦ Can monitor physical device
◦ Can also monitor interaction with portable devices.
◦ Should block sensitive information transmissions
◦ Provide feedback to the user with notifications going to Management
◦ Are installed on every workstation in the network

Data Loss Prevention

Page 115: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

A DLP Product should include:
◦ centralized management
◦ policy creation
◦ enforcement workflow
◦ monitoring and protection of content and data.

Data Loss Prevention – other considerations

Page 116: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Operational Actions:
◦ Quarantine email?
◦ Encrypt email?
◦ Block email?
◦ Notify sender?
◦ Notify management / operations?

Data Loss Prevention – other considerations

Page 117: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Advanced Data discovery types of DLP systems can move the data to a secure location, if found to be residing on a non-protected share.

Data Loss Prevention – other considerations

Page 118: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Most DLP systems integrate with Active Directory.
◦ Users
◦ Groups
◦ etc

Data Loss Prevention – other considerations

Page 119: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Severity Level Assignment – Assigns severity level to incidents and is highly configurable.

Custom Attribute Lookup – This makes queries to LDAP or Active Directory server for user identity and additional attributes.

Automated Incident Response – A number of actions can be taken using this feature. Some of the important ones are the ability to comment, block, log, etc.

Data Loss Prevention – other considerations

Page 120: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Role-based Access control – This is an interesting feature, in that it determines which incidents a remediator can work on and the amount of details available.

For example, if the violation originated from a staff member in the DLP group, it does not do any good to assign the incident to the violator himself.

Data Loss Prevention – other considerations

Page 121: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

SmartResponse – This provides detailed data to determine the remediation steps for incidents. It also allows for fast incident remediation.

Data Loss Prevention – other considerations

Page 122: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Leak Prevention
◦ The system learns data by reviewing existing data.
◦ During the review period someone must monitor the system.
◦ This should be done prior to turning on the Leak Prevention
◦ DLP generally handles: SMTP, HTTP, HTTPS, FTP and Telnet. Is that enough?

Data Loss Prevention – other considerations

Page 123: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

◦ The product’s functionality is dedicated to solving the business and technical problems of protecting content through content awareness.

◦ A number of products, particularly email security solutions, provide basic DLP functions, but aren't complete DLP solutions.

Data Loss Prevention – other considerations

Page 124: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

9: Undo my work
◦ Raise your hand if you’re guilty of undoing all that work the support techs did the very second they left. I’ve seen this happen plenty of times. I’ve had clients actually confess to doing this. What those clients don’t realize is that I will more than likely have to come back and redo what I did prior to this visit — and I’ll also have to fix problems they caused by undoing my work. Do us both a favor and don’t undo my work. This is rarely going to be a smart choice, and the possibility that you’ll be able to resolve the issues created by your tampering is nil.

10 Things Users do to Drive you Crazy

Page 125: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

10: Lack the necessary information
◦ When end users call for help, 75 percent of the time they have all of the information necessary for a successful appointment. The other 25 percent? Not so much. In fact, a large portion of that 25 percent require nearly double the normal job time just for fact gathering. So… when you call, please make sure you have all the information needed to complete the appointment. Otherwise, you are wasting my time and running up your bill.

10 Things Users do to Drive you Crazy

Page 126: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com
Page 127: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

What is different about cloud?
◦ Cloud computing moves us away from the traditional model, where organizations dedicate computing power to a particular business application, to a flexible model for computing where users access business applications and data in shared environments.

Cloud Security

Page 128: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Cloud Security

Today’s Data Centers
◦ We have control
◦ They are located at A
◦ The data is on servers: Sagittarius and Aquarius
◦ Our admins control access
◦ Our uptime works
◦ Our auditors are ok
◦ Our security team is engaged

The Cloud
◦ Who has control
◦ Where is it located?
◦ Where is it stored?
◦ Who backs it up?
◦ Who has access?
◦ How resilient is it?
◦ How do auditors do their job?
◦ How does our security team get involved?

Page 129: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Essential Questions
◦ Are you in a shared environment?
    ◦ Who else uses the servers?
    ◦ What is in place to prevent leakage to the others on the server?
    ◦ What logging capabilities are available?

Cloud Security

Page 130: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Essential Questions
◦ Where does your data actually reside?
◦ Can you lose service when an investigation into data loss from another customer ensues?

Cloud Security

Page 131: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Essential Questions
◦ What happens when a DDoS attack occurs?

Cloud Security

Page 132: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Essential Questions
◦ Who ensures compliance?

Cloud Security

Page 133: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Essential Questions
◦ How well is your data protected?

Cloud Security

Page 134: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Essential Questions
◦ Is encryption in place?

Cloud Security

Page 135: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Essential Questions
◦ Are all compliance requirements met in the Cloud?

Cloud Security

Page 136: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Essential Questions
◦ Are Event Management options available?
    ◦ To whom?
    ◦ How?
    ◦ How quickly?

Cloud Security

Page 137: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Essential Questions
◦ When an event happens, can your business unit react as it did when servers were local?

Cloud Security

Page 138: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

10 signs that you aren't cut out for IT
◦ 1: You lack patience
◦ 2: You have no desire to continue your education
◦ 3: You refuse to work outside 9-to-5
◦ 4: You don’t like people
◦ 5: You give up quickly
◦ 6: You’re easily frustrated
◦ 7: You can’t multitask
◦ 8: You have dreams of climbing the corporate ladder
◦ 9: You hate technology
◦ 10: You turn off your phone at night

By Jack Wallen; February 24, 2012

10 Signs you aren’t cut out for IT

Page 139: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Evaluation
I value your comments. Please fill in your evaluation form found at the end of your packet.

Page 140: Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com

Contact Information
Scott Greene, SCFE
Evidence Solutions, Inc
866-795-7166

[email protected]