Protecting Your Technology Assets: Understanding and Addressing the Current Threats to an Organization From Internet Access. Presented by Jeff Greenspan, Database & LAN Solutions, Inc., Friday, October 7, 2005. [email protected] 703-503-4485


Page 1: Protecting Your Technology Assets

Protecting Your Technology Assets

Understanding and Addressing the Current Threats to an Organization From Internet Access

Presented By Jeff Greenspan, Database & LAN Solutions, Inc.

Friday, October 7, 2005

[email protected]

Page 2: Protecting Your Technology Assets

What We’ll Cover

• Educator’s Dilemma: Educate and Protect
• Nature of the Threat
• Tools to Mitigate Risk
– Firewalls
– Anti-Virus and Anti-Spam
– Automatic Updates
– Disaster Planning and Recovery
– Q & A

Page 3: Protecting Your Technology Assets

Top Concerns of Administrators

• Student and Staff Safety

• Educational Excellence

• Greater Expectations, Diminishing Resources

Educator’s Dilemma

Page 4: Protecting Your Technology Assets

Changing Paradigm

• Internet is Still Relatively Young

• Technology Changes Rapidly

• Regulatory Interference Imposition Aspects

• Changing Needs of Students as They Age – From Protection to Freedom

• Shifting Responsibilities with Age

Educator’s Dilemma

Page 5: Protecting Your Technology Assets

What are the Core Components of a Comprehensive Strategy in School to Support the Safe and Responsible Use of the Internet?

• 1. Safe Places for Younger Students
– The primary focus for elementary students should be on maintaining a safe and secure environment.
– Elementary students should use the Internet in an environment that specifically restricts their access to sites that have been previewed to determine their appropriateness.
– If it is ever necessary for a student to seek information on the more open Internet, such access must only occur with “over-the-shoulder” adult supervision.
– Elementary students should use electronic communications in a fully open environment, such as a classroom setting.

• 2. Education and Supervision for Older Students
– As students become older, the focus should shift to strategies that will help them learn to independently make safe and responsible choices and ensure accountability.
– Educating students regarding how to avoid the inadvertent access of inappropriate material, and appropriate, effective responses if they accidentally access such materials, especially if the site has “trapped” them and will not allow them to exit, is essential.
– Supervision and monitoring must be sufficient to detect instances of misuse.

• Source: White Paper on Network Monitoring by Nancy Willard, MS, JD

Educator’s Dilemma

Page 6: Protecting Your Technology Assets

Core Components – Cont’d

• 3. Focus on the Educational Purpose: Use of the district Internet system should be directed to those activities which support education, enrichment, and career development.

• 4. Clear Well Communicated Policy: Students and staff should have a clear understanding of the kinds of activities that are and are not considered acceptable.

• 5. Education About Safe and Responsible Use: Teachers, administrators and students should receive instruction related to the safe and responsible use of the Internet.

Educator’s Dilemma

Page 7: Protecting Your Technology Assets

Core Components – Cont’d

• 6. Supervision and Monitoring
– Student use of the Internet should be supervised by teachers in a manner that is appropriate for the age of the students and circumstances of use.
– Supervision and monitoring must be sufficient to establish the expectation that there is a high probability that instances of misuse will be detected and result in disciplinary action.

• 7. Discipline
– Misuse of the Internet by students should be addressed in a manner that makes use of the “teachable moment” both for the individual student and other students in the school.

Educator’s Dilemma

Page 8: Protecting Your Technology Assets

Interpreting CIPA

• Must have an approved Internet Safety Policy
• Must have at least one public hearing on proposed Policy
• Local control over Policy, government may not intervene
• Policy must be made available to the Commission for review
• Must have a technology measure in place to enforce Policy
• Technology measure limited to visual depictions that are obscene, child pornography, or harmful to minors
• Monitoring is required, but there is a privacy consideration
• Source: North Central Education Service District of OR

Educator’s Dilemma

Page 9: Protecting Your Technology Assets

Implementing CIPA

• Most school systems are using filters
• Filters have a number of problems
– Can never be 100% effective
– Block legitimate material
– Not present everywhere (students should still learn how to deal with the content)
– Implementation of filtering in schools often leads to a false sense of security and the failure to effectively teach students about safe and responsible use
– Delegate control to a third party

Protecting students is only part of the problem!

Educator’s Dilemma

Page 10: Protecting Your Technology Assets

Nature of the Threat

• 10 Years Ago
– Viruses on Floppy
– Social Hacking
– High Cost to Corporations, Low Cost to Individuals

• Today
– Viruses are Content-Based, in Email and on the Web
– Hacking is Criminal-Based
– High Cost to EVERYONE
– YOU are a Target
– Identity Theft is the fastest growing crime

Page 11: Protecting Your Technology Assets

Changing Threat Matrix

Source: Fortinet, Inc.

[Chart: timeline 1970–2000 on the horizontal axis, “Speed, Damage ($)” on the vertical axis, with three eras of threats]
– Physical: Hardware Theft
– Connection-based: Viruses, Trojans, Worms
– Content-based: Banned Content, Spam

Content Attacks: Fast, Costly, & Indiscriminate

Nature of the Threat

Page 12: Protecting Your Technology Assets

Governance, Compliance & Risk

• New risks to organizations and individuals associated with regulatory compliance.

• Sarbanes-Oxley, GLBA, HIPAA, CIPA…

• Broad objectives, few directives

• More regulations are expected

Nature of the Threat

Page 13: Protecting Your Technology Assets

Where Do Hackers Originate

• There are three tiers of hackers:
– Elite
– IT savvy
– Script Kiddies
• There are probably 400-500 elite hackers in the world.
• Many work for organized crime in other countries.
• Many publish their exploits to create “white noise” to hide their activities.

Nature of the Threat

Page 14: Protecting Your Technology Assets

No One is Safe

• Most victims are “targets of opportunity”
• Anyone can be a victim
• Cable/DSL users are frequent targets
• Hackers have unlimited time
• Attackers only need to find one vulnerability, whereas defenders must protect all systems

Nature of the Threat

Page 15: Protecting Your Technology Assets

Some Results of Being Hacked

• Theft of your data
– Files and other Intellectual Property
– Bank account and password data (identity theft)
• Damage to your system
– Data modification or deletion
– Operating system corruption and crash
• Use of your system for illegal purposes
– Attacking others (Denial of Service attacks)
– Distributing illegal content

Nature of the Threat

Page 16: Protecting Your Technology Assets

Troubling Statistics

Source: http://www.cert.org/stats/cert_stats.html

[Chart: Incidents by Year, 1999 through 2003; vertical axis 0 to 160,000 incidents]

Please note that an incident may involve one site or hundreds (or even thousands) of sites. Also, some incidents may involve ongoing activity for long periods of time.

Page 17: Protecting Your Technology Assets

• From the 2004 E-Crime Watch
– 43% report increase over 2003
– 56% state operational losses
– 25% state financial losses
– 12% other losses
– Only 30% report no e-crime or intrusion
– 71% of attacks from outside, 29% inside
– “Many companies still seem unwilling to report e-crime for fear of damaging their reputation”

Troubling Statistics

Page 18: Protecting Your Technology Assets

• iDEFENSE Security Advisory 03.21.05 - Local exploitation of a buffer overflow vulnerability within the Core Foundation Library included by default in Apple Computer Inc.'s Mac OS X could allow an attacker to gain root privileges

• Zdnet News.com 03.29.05 - With eight new variants surfacing in the last week alone, and over a dozen reported since the beginning of March, the Mytob mass-mailing worm, featuring backdoor capabilities, appears to be evolving rapidly.

• Boston.com 03.21.05 - Boston College warns about 120,000 graduates that a computer hacker may have gained access to their personal information by raiding a computer that contained the alumni database.

• Aunty-spam.com 03.25.05 - Two security companies have discovered that there are two worms, one old and revised, and one new, which are targeting MSN Messenger users. Both worms are considered to be medium-to-high risk.

• ChoicePoint

Nature of the Threat

Page 19: Protecting Your Technology Assets

Recent Virus Outbreaks

• Netsky Variant 2005-09-26
• Bagle Downloader variants 2005-09-20
• Bagle Downloader variants 2005-09-19
• Trojan variant 2005-09-14
• MyTob variant 2005-09-14
• MyTob variant 2005-09-14
• Bagle variant 2005-09-12
• Rechnung Trojan variant 2005-09-11
• Bagle variant 2005-09-09
• Bobax variant 2005-09-07

• Outbreak => 1. New virus or variant. 2. Damage potential moderate to significant. 3. Widespread distribution

Nature of the Threat

Page 20: Protecting Your Technology Assets

Is there anyone in the room who isn’t convinced that they need to take steps to protect himself, herself, or his/her company?

Nature of the Threat

Page 21: Protecting Your Technology Assets

Is there any Good News?

• There are tools and techniques you can use to protect yourself.

• Many of these make good business sense.

• Countermeasures should be viewed like any business decision: in context and with a cost-benefit analysis.

• Implement layered security to reduce the most significant risks.

Page 22: Protecting Your Technology Assets

Tell Me What to Do

• Assign responsibility
• Assess Risk
• Develop Strategies and Policies to Mitigate the Risks
• Remediate
• Secure Third Parties
• Train
• Evaluate
• Monitor
• Not unlike medicine: diagnose, treat, maintain

HIPAA Requirements

Page 23: Protecting Your Technology Assets

Firewall Technologies

[Diagram labels: Your Office, Your Neighbor, Your Headquarters, Your Computer, Your Competitor, A Hacker]

Source: Sonicwall, Inc.

Page 24: Protecting Your Technology Assets

• NAT – Network Address Translation
• Packet Filtering
• Proxy Firewalls
• Stateful Packet Inspection (SPI)
– Does not inspect content
• Deep Packet Inspection (DPI)
– Can inspect and detect SOME content-based threats

• Technology changes almost every day – your staff may think that technologies that have already been hacked are still valid and sufficient.

Firewall Technologies

Page 25: Protecting Your Technology Assets

Firewall Technologies - SPI

Incoming packets that correspond to recent outgoing requests are passed through.

[Diagram label: Your Computer]

Source: Sonicwall, Inc.

Page 26: Protecting Your Technology Assets

Firewall Technologies - SPI

[Diagram: packets of a download from http://www.freesurf.com/downloads/Gettysburg passing a stateful inspection firewall. Payload fragments shown: “Four score and BAD CONTENT our forefathers brou” / “ght forth upon this continent a new nation,” / “n liberty, and dedicated to the proposition that all”]

STATEFUL INSPECTION FIREWALL: Inspects packet headers only – i.e. looks at the envelope, but not at what’s contained inside.

Packet “headers” (TO, FROM, TYPE OF DATA, etc.): OK, OK, OK
Packet “payload” (data): Not Scanned
Verdict: OK

DATA PACKET ORIENTED – NO CONTENT REVIEW

Source: Fortinet, Inc.

Page 27: Protecting Your Technology Assets

Firewall Technologies – DPI

• New technology recently released by many SPI firewall vendors.

• Often associated with Intrusion Detection, Intrusion Prevention, or Anomaly Detection

• Signatures can be written that detect and protect against known and unknown protocols, applications and exploits
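The SPI and DPI slides above describe the difference in words: SPI passes a reply because the inside host asked for it, DPI also reads the payload. The toy model below is an added illustration (not code from the presentation or from any firewall vendor) that replays the Gettysburg download: a stateful table keyed on the five-tuple, a signature check layered on top, and a `reassemble` option showing why a DPI engine that matches one packet at a time misses a signature split across two packets. Addresses, payload fragments, the two signatures and the class names are all constructed assumptions.

```python
"""Toy model of stateful packet inspection (SPI) versus deep packet inspection (DPI).

Added illustration only; not code from the presentation or from any firewall vendor.
Addresses (RFC 5737 documentation ranges), the flow table, packet payloads and the
two "signatures" are all constructed here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes = b""
    inbound: bool = True  # True = arriving from the Internet side


def flow_key(p: Packet):
    """Five-tuple of the connection, always written from the inside host's view,
    so a reply packet maps to the same key as the request that opened the flow."""
    if p.inbound:
        return (p.dst, p.dport, p.src, p.sport, p.proto)
    return (p.src, p.sport, p.dst, p.dport, p.proto)


class StatefulFirewall:
    """SPI: an inbound packet passes only if an inside host opened the flow.
    Headers are the only thing consulted; payloads are never read."""

    def __init__(self):
        self.flows = set()

    def filter(self, p: Packet) -> str:
        key = flow_key(p)
        if not p.inbound:
            self.flows.add(key)      # remember the outgoing request
            return "OK"
        return "OK" if key in self.flows else "DROP"


class DeepInspectingFirewall(StatefulFirewall):
    """DPI: the same state check, then a payload match against signatures.
    With reassemble=True a short tail of the previous packet on the same flow is
    prepended, so a signature split across two packets is still seen."""

    def __init__(self, signatures, reassemble=False):
        super().__init__()
        self.signatures = list(signatures)
        self.reassemble = reassemble
        self.tail_len = max(len(s) for s in signatures) - 1
        self.tails = {}

    def filter(self, p: Packet) -> str:
        verdict = super().filter(p)
        if verdict != "OK" or not p.inbound:
            return verdict
        data = p.payload
        if self.reassemble:
            key = flow_key(p)
            data = self.tails.get(key, b"") + p.payload
            self.tails[key] = data[-self.tail_len:] if self.tail_len else b""
        for sig in self.signatures:
            if sig.lower() in data.lower():
                return "BLOCK:" + sig.decode()
        return "OK"


def run_exchange(fw) -> list:
    """Replay the slide's scenario through firewall `fw` and return the inbound verdicts:
    an inside host fetches a page, the reply arrives in three packets (one carrying
    'BAD CONTENT'), then an unrelated host sends an unsolicited packet."""
    inside, server, stranger = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    fw.filter(Packet(inside, 51000, server, 80, "tcp",
                     b"GET /downloads/Gettysburg HTTP/1.1", inbound=False))
    replies = [  # constructed fragments, following the slide's example
        b"Four score and BAD CONTENT our forefathers brou",
        b"ght forth upon this continent a new nation,",
        b"conceived in liberty, and dedicated to the proposition that all",
    ]
    verdicts = [fw.filter(Packet(server, 80, inside, 51000, "tcp", r)) for r in replies]
    verdicts.append(fw.filter(Packet(stranger, 40000, inside, 445, "tcp", b"unsolicited probe")))
    return verdicts


if __name__ == "__main__":
    sigs = [b"BAD CONTENT", b"brought forth"]
    print("SPI            ", run_exchange(StatefulFirewall()))
    print("DPI per packet ", run_exchange(DeepInspectingFirewall(sigs)))
    print("DPI reassembled", run_exchange(DeepInspectingFirewall(sigs, reassemble=True)))
```

SPI returns OK for all three reply packets (they belong to a flow the inside host opened) and DROP for the unsolicited one; per-packet DPI blocks the fragment containing "BAD CONTENT" but never sees "brought forth", which only the reassembling variant catches. That gap is why the slide's phrase "SOME content-based threats" matters when evaluating a DPI product.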

Page 28: Protecting Your Technology Assets

Firewall Technologies - Summary

• Firewalls are the first line of defense against Internet-borne threats.

• Firewalls are necessary but not sufficient, because of the complex nature of content-based threats.

• Firewall vendors also offer other services
– Virtual Private Networking

– Gateway AV

– Content Filtering

– Anti-Spyware

– Logging and Reporting

Page 29: Protecting Your Technology Assets

Buying a Firewall

• Two components: appliance & services

• Costs for both increase with # of users

• Appliance technology is based on current threat matrix. Can’t predict future, so appliance life may be limited!

Firewall Technologies - Summary

Page 30: Protecting Your Technology Assets

Anti-Virus and Anti-Spam Technologies

• Single User Anti-Virus Software

• Auto-Managed Anti-Virus Service

• Enforced Anti-Virus Service

• Gateway-based Anti-Virus

Four Types of A/V Protection

Page 31: Protecting Your Technology Assets

Gateway-based Anti-Virus

Anti-Virus and Anti-Spam Technologies

• AV Vendors like Symantec, Trend and McAfee have standalone email AV gateway products.

• Security appliances like Sonicwall, Fortinet, Watchguard, etc. can provide AV checking of all content, including email, web, ftp, etc. They also provide other capabilities (IDP, A/S).

• McAfee’s Webshield appliance is similar.

Page 32: Protecting Your Technology Assets

Why Layering Technologies Works

Anti-Virus and Anti-Spam Technologies

• Assume 100 virus-laden email messages: package 1 stops 90%, leaving 10; package 2 stops 90%, leaving 1

• Together the two packages are 99% effective.

• Layer security products at your most vulnerable points, like A/V.

• Layering technologies enhances security!
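The 90% + 90% = 99% arithmetic on this slide holds only if the second layer misses independently of the first. The script below is an added illustration, not part of the presentation: it computes the slide's figures for any stack of layers, then simulates two detectors over a constructed population of samples, once with independent misses and once where the second product shares the first one's signature set, which is the case the "mixing vendor technologies" recommendation later in the deck guards against. The rates, sample population and function names are assumptions.

```python
"""Layered anti-virus: the slide's 90% + 90% = 99% arithmetic, and the assumption
behind it. Added illustration, not from the presentation; the detection rates
and the constructed sample population below are assumptions."""
import random


def combined_detection_rate(rates):
    """Fraction caught by a stack of layers whose misses are independent:
    1 - (1 - r1)(1 - r2)...  For [0.9, 0.9] this is 0.99."""
    miss = 1.0
    for r in rates:
        miss *= 1.0 - r
    return 1.0 - miss


def leftover(n_messages, rates):
    """The slide's count: how many of n_messages get past every layer."""
    return n_messages * (1.0 - combined_detection_rate(rates))


def layered_catch(samples, detectors):
    """Pass each sample through every detector (a set of sample ids it recognises).
    Returns (caught, missed)."""
    missed = [s for s in samples if not any(s in d for d in detectors)]
    return len(samples) - len(missed), len(missed)


def simulate(n=1000, rate=0.9, shared=0.0, seed=7):
    """Two detectors that each recognise `rate` of n constructed samples.
    shared=0.0: the second vendor's misses are independent of the first's.
    shared=1.0: the second product carries the same signature set as the first,
    so stacking it adds nothing. Returns counts for one layer and for both."""
    rng = random.Random(seed)
    samples = range(n)
    first = {s for s in samples if rng.random() < rate}
    second = set()
    for s in samples:
        if rng.random() < shared:
            if s in first:
                second.add(s)            # copy the first vendor's verdict
        elif rng.random() < rate:
            second.add(s)                # independent verdict
    both_caught, both_missed = layered_catch(samples, [first, second])
    return {"one_layer": len(first), "both_layers": both_caught, "missed": both_missed}


if __name__ == "__main__":
    print("slide arithmetic:", combined_detection_rate([0.9, 0.9]), leftover(100, [0.9, 0.9]))
    print("independent layers:", simulate(shared=0.0))
    print("same signatures   :", simulate(shared=1.0))
```

With independent layers roughly 10 of 1000 samples get through, matching the slide; with a shared signature set the second layer catches nothing the first did not, so the cost of the second product buys no extra coverage.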

Page 33: Protecting Your Technology Assets

Anti-Spam Protection

• Technology is still evolving.
• Stand-Alone Systems
– McAfee Spamkiller
– Challenge/Response Systems
• Multi-User Systems
– I Hate Spam
– Service/Host-based, like Postini
– RBL Lists: list.dsbl.org, bl.spamcop.net
• Email Security Appliances – IronPort, Barracuda
• False positives are always a concern

Anti-Virus and Anti-Spam Technologies
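The RBL lists named on the slide work through DNS: the sender's IPv4 address is written octet-reversed under the list's zone and queried, and an A record in 127.0.0.0/8 means "listed". The script below is an added illustration, not code from the presentation or from any of the list operators; it builds the query name, interprets the answer conservatively, and applies an allow-list first so a trusted sender is never rejected on a list's say-so (the false-positive concern the slide raises). The zone names, the stand-in DNS table, the allow-list and the specific 127.255.255.0/24 "refused query" range are assumptions; each real list documents its own return codes and terms of use.

```python
"""How an RBL/DNSBL lookup works, with a constructed stand-in for DNS so it runs
offline. Added illustration, not from the presentation. The zone names, the
fake answers, the allow-list and the error-code range are assumptions; real lists
(bl.spamcop.net and the others named on the slide) publish their own return codes."""
import ipaddress

LISTED_CODES = ipaddress.IPv4Network("127.0.0.0/8")      # genuine listings answer in here
ERROR_CODES = ipaddress.IPv4Network("127.255.255.0/24")  # assumed: list signals a refused query


def dnsbl_query_name(ip, zone):
    """198.51.100.7 on zone bl.example.test -> 7.100.51.198.bl.example.test"""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


# Constructed DNS answers. A real resolver returns the A record, or None for NXDOMAIN.
FAKE_DNS = {
    "7.100.51.198.bl.example.test": "127.0.0.2",        # listed
    "7.100.51.198.relays.example.test": "127.0.0.3",    # listed on a second zone too
    "44.113.0.203.bl.example.test": "127.255.255.254",  # refused/over quota: not a listing
    "9.113.0.203.relays.example.test": "10.0.0.1",      # bogus answer (e.g. a wildcard): ignore
}


def fake_resolve(name):
    return FAKE_DNS.get(name)


def is_listed(ip, zone, resolve=fake_resolve):
    """True only when the answer is a genuine listing code; anything else
    (no record, an error code, an address outside 127/8) counts as not listed."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    code = ipaddress.IPv4Address(answer)
    return code in LISTED_CODES and code not in ERROR_CODES


def classify_sender(ip, zones, allowlist=(), resolve=fake_resolve):
    """Mail-gateway policy: an allow-listed sender is never rejected (a guard
    against false positives); otherwise report which zones list the sender."""
    if ipaddress.IPv4Address(ip) in {ipaddress.IPv4Address(a) for a in allowlist}:
        return "accept", []
    hits = [z for z in zones if is_listed(ip, z, resolve)]
    return ("reject" if hits else "accept"), hits


if __name__ == "__main__":
    zones = ["bl.example.test", "relays.example.test"]
    for sender in ["198.51.100.7", "203.0.113.44", "203.0.113.9", "192.0.2.1"]:
        print(sender, classify_sender(sender, zones, allowlist=["192.0.2.1"]))
```

Treating an unexpected answer as "not listed" is deliberate: a list that starts returning error codes or a wildcard after it shuts down (list.dsbl.org is no longer operated) would otherwise reject every message.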

Page 34: Protecting Your Technology Assets

Technologies are converging

• Adding software layers can decrease server stability
• Software-based solutions are only as secure as their OS platform, and far too likely to be disabled by the user
• Security appliances are becoming the norm
• Many appliance vendors’ solutions encompass multiple technologies. Sonicwall & Fortinet are great examples.
– Merrill Lynch: “… Fortinet is probably the most prominent private entrant into the market for multi-function security appliances.”
– Needham & Company: “Two of the major trends we see in today’s security marketplace are the move towards multi-function suites and a shift to hardware-based platforms. Fortinet is at the vanguard of both waves…”

Anti-Virus and Anti-Spam Technologies

Page 35: Protecting Your Technology Assets

Updates are Critical for Prevention

• Set A/V and other systems for automatic daily updates whenever possible
• Don’t forget firmware updates for routers, servers and security appliances. These must be done manually.

• Workstation and server operating systems, when not patched, provide hackers with free computing power!

Automatic Updates

Page 36: Protecting Your Technology Assets

• Stand-alones and Small Networks:
– Windows 98 and up can be configured for Automatic Updates
• Mid-size networks
– Microsoft’s Software Update Service (SUS) becomes Windows Software Update Service (WSUS)
– http://www.microsoft.com/windowsserversystem/sus/default.mspx
• Enterprises
– Systems Management Server 2003
– Novell and Unix also have patch management and application distribution systems
– Many third-party solutions are also available, like Intuit’s Track-It! Patch Manager

Automatic Updates

Page 37: Protecting Your Technology Assets

Disaster Planning and Recovery

• Plan for Failure

• Every Moving Part WILL Fail

• If it can go WRONG, it WILL

• Develop a Backup and Recovery Plan for Data

• Develop a Disaster Recovery Plan for Your Site

• Expect your plan to fail too

Page 38: Protecting Your Technology Assets

Data Backup and Recovery

• Should backup to tape (or multiple media)
• Maintain an off-site backup
• On-site backups stored in fireproof safe away from computers please
• Test restore on a schedule
• Keep check-point backups, and don’t rely on tapes
• Backup Schemes
– GFS
– Tower of Hanoi
• If this is too hard for you, consider on-line Backup

Disaster Planning and Recovery
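The two backup schemes named on the slide, GFS and Tower of Hanoi, are rotation rules that decide which tape is written on which day. The script below is an added illustration, not from the presentation: it generates the Tower of Hanoi schedule for a given tape count (tape k is reused every 2^(k+1) days, so the surviving restore points spread out exponentially into the past) and labels each business day of a month with its Grandfather-Father-Son tape. The GFS calendar used here (Monday to Thursday dailies, Friday weeklies, the last Friday of the month as the monthly, no weekend run) is one common variant and is an assumption, as are the function names.

```python
"""Two tape-rotation schemes named on the slide, GFS and Tower of Hanoi, worked as
code. Added illustration, not from the presentation; the exact GFS calendar
(weekday dailies, Friday weeklies, last-Friday monthlies, no weekend run) is one
common variant and is an assumption here."""
import datetime as dt


def hanoi_tape(day_number, n_tapes):
    """Tower of Hanoi rotation: on day n use tape k, where k is the number of trailing
    zero bits in n, capped at the last tape. Tape 0 is rewritten every 2 days, tape 1
    every 4, tape 2 every 8, ... so older restore points survive at widening spacing."""
    if day_number < 1:
        raise ValueError("day numbers start at 1")
    k = (day_number & -day_number).bit_length() - 1
    return min(k, n_tapes - 1)


def hanoi_schedule(days, n_tapes):
    """Tape index written on each of the first `days` days."""
    return [hanoi_tape(d, n_tapes) for d in range(1, days + 1)]


def hanoi_restore_points(today, n_tapes):
    """After `today` days, which days' backups still exist (each tape keeps its latest write)."""
    latest = {}
    for d in range(1, today + 1):
        latest[hanoi_tape(d, n_tapes)] = d
    return sorted(latest.values())


def _as_date(date):
    return dt.date.fromisoformat(date) if isinstance(date, str) else date


def is_last_friday(date):
    date = _as_date(date)
    return date.weekday() == 4 and (date + dt.timedelta(days=7)).month != date.month


def gfs_label(date):
    """Grandfather-Father-Son label for a date (date object or ISO string):
    Mon-Thu -> that weekday's daily tape (son), Friday -> weekly tape 1-5 (father),
    last Friday of the month -> monthly tape (grandfather). None on weekends."""
    date = _as_date(date)
    wd = date.weekday()
    if wd >= 5:
        return None
    if wd < 4:
        return "Daily-" + ["Mon", "Tue", "Wed", "Thu"][wd]
    if is_last_friday(date):
        return f"Monthly-{date:%Y-%m}"
    return f"Weekly-{(date.day - 1) // 7 + 1}"


def gfs_month(year, month):
    """(date, label) for every run in a month; shows how many tapes a month consumes."""
    out = []
    d = dt.date(year, month, 1)
    while d.month == month:
        label = gfs_label(d)
        if label:
            out.append((d.isoformat(), label))
        d += dt.timedelta(days=1)
    return out


if __name__ == "__main__":
    print("Hanoi, 4 tapes, 16 days:", hanoi_schedule(16, 4))
    print("restore points after day 15:", hanoi_restore_points(15, 4))
    for day, label in gfs_month(2005, 10):   # the month of the presentation
        print(day, label)
```

After 15 days on four tapes the surviving restore points are days 8, 12, 14 and 15: yesterday, a few days back, a week back and two weeks back, which is the property that makes Tower of Hanoi attractive when tapes are scarce. Whichever scheme is used, the "test restore on a schedule" bullet still applies; a correct rotation only guarantees that a tape was written, not that it can be read back.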

Page 39: Protecting Your Technology Assets

Disaster Recovery Plan

• How long could your organization survive without access to technology resources

• What would it cost (per day, per hour) if you had no technology resources

• Rule of thumb: spend one to two days worth of costs as insurance against a disaster

Disaster Planning and Recovery

Page 40: Protecting Your Technology Assets

Disaster Recovery Plan

• Useful to implement off-site access in advance
– Appreciated by employees
– Remember to use secure methods
– May be subsidized by local agencies
• Develop scenarios and responses
– Major failure of equipment
– Can’t get into building
• Assign responsibility
• Don’t forget telephone technology

Disaster Planning and Recovery

Page 41: Protecting Your Technology Assets

Example Plan - Requirements

• Firm with 20 employees

• Must receive info from clients via phone, fax and email

• Must be able to cut checks every day

Disaster Planning and Recovery

Page 42: Protecting Your Technology Assets

Example Plan - Solution

• Create a Disaster Recovery Site at a Partner’s Home

• Maintain daily off-site backups at that site
• Set up VPN between that site and main office
– If office is inaccessible, can use pcAnywhere and drive mappings to access data and apps

Disaster Planning and Recovery

Page 43: Protecting Your Technology Assets

Example Plan - Solution

• Remote site includes secure wireless. Laptops can be purchased locally if needed. Wireless cards pre-purchased. Fax/printer pre-purchased.
• Remote site includes a workstation with same type of tape drive to recover data if needed
• Accounting application is pre-loaded
• Additional phone lines and phones installed and ready
• Verizon ultra-forwarding enabled
• Systems TESTED!!!

Disaster Planning and Recovery

Page 44: Protecting Your Technology Assets

• Logging

• Management Reporting

• Monitoring – Internal and External

• Security is a Process – Re-evaluate!

• Security is Policy Driven. Where is your written Security Policy Document?

• Teach your children safe and ethical cyberpractices!

Additional Thoughts

Page 45: Protecting Your Technology Assets

Minimum Business Recommendations

1. Develop and maintain a Security Policy Document.
2. Educate your Users.
   1. What types of behaviors are likely to cause problems.
   2. What does a virus look like.
   3. Who do I talk to when I suspect a problem.
3. Implement an ICSA-certified SPI Firewall.
4. Implement Deep-Packet Inspection technology.
5. Implement layers of anti-virus (gateway, server, desktop), mixing vendor technologies for maximum effectiveness.

Action Plan

Page 46: Protecting Your Technology Assets

Minimum Business Recommendations

6. Institute (automate when possible) patch management
   1. Antivirus definition files
   2. Firewall, server and router firmware updates.
7. Develop and maintain a Disaster Recovery Plan.
   1. Backup Your Data
   2. Develop a Site Disaster Plan
   3. Develop a Systems Disaster Plan
   4. Test your plans

Action Plan

Page 47: Protecting Your Technology Assets

Questions to Ask Your IT Provider

Do we have a firewall in place? What manufacturer and model is it?

What firmware version is running on our firewall, server and router? What are the current versions of firmware for these devices?

Is the firewall ICSA certified? Does it do stateful packet inspection?

Do we have any intrusion detection or intrusion prevention systems in place? Is our network divided into zones?

Does anyone have access to our network via pcAnywhere, terminal services or any other program? Is that access over a VPN?

Do we have any wireless access to our network?

Firewall/Security Appliance Questions

Page 48: Protecting Your Technology Assets

Questions to Ask Your IT Provider

What antivirus software do we use on the desktop? Could a user disable it? Does it get updates automatically? How do you know?

What antivirus do we use on our servers? How often does it update?

Do we host our own email? Do we have any antivirus gateways on our email server and/or on the edge of our network?

Does our antivirus software protect us against worms like Sasser?

Antivirus Questions

Page 49: Protecting Your Technology Assets

Questions to Ask Your IT Provider

How do we decide what OS patches to install?

How do we decide what application patches to install?

Are patches installed automatically, or does the user have to do something to install them?

Patch Management Questions

Page 50: Protecting Your Technology Assets

Questions to Ask Your IT Provider

Do we have a written Disaster Recovery Plan? When was it created, and when was it last updated?

How would we operate if we could not get into our facility?

What are our most critical applications? How do we respond when a server with a critical application fails?

What is our tape backup scheme? Do we have a fireproof safe?

Do we keep tapes off site? Who changes tapes, and what happens when s/he is not here?

Disaster Recovery Questions

Page 51: Protecting Your Technology Assets

Jeff Greenspan

Protecting Your Technology Assets

Q&A