
CH 13

13.01 DEFCON 2: INFO SECURITY
- Defcon 5 is nice, Defcon 1 is all-out nuclear war; the worst time at Defcon 2 was the Cuban nuclear crisis
- Risks have been getting larger: PwC reports security capabilities degrading since 2008
- Enterprise security news: 2011 to be the worst year for security breaches
- The 451 Group: "there's a broad trend here that the internet is getting more hostile, criminals are more determined"
- Potentially damaging impact of breaches
  - TJX breach: 45.6 million credit cards; 1.3-4.5 billion
  - Average breach in 2010 cost 3.8 million $; 9 million per breach over a 5-year analysis (Digital Forensics Association)
  - Sony PlayStation Network: 77 million had data hacked; angry users
  - Information Week: attacks are more complex, more expensive to clean up, and 44% more frequent
- Info security must be a top organizational priority
- Poor security can have significant immediate costs
  - notifying people that data is lost
- Breaches damage reputation: more cost because of lack of trust
- Risk of increased legislation
  - increased compliance costs

13.02 Five Ws
Who?
Outsider threats
- Hacker: the term originally referred to a clever, skilled programmer. Today it means people trying to break into another's computer system
- White hat: identifies security weaknesses for a good purpose
- Corporate spies: try to exploit weaknesses and take away competitive advantage
- Cyber extortionist: someone who tries to extort money from somebody else. Ex: New York Life insurance
- Cyber terrorist: use of information security attacks as a tool of terror
- Cyber warfare: other nations have developed military doctrines for fighting war on the internet. Ex: the US considered cyber warfare in its attack plan on Libya
- Hacking activism: use of hacking techniques to force change
Insider threats
- Disgruntled employees can cause significant damage by giving away information
- Most malicious insiders use less skilled techniques but can still cause serious damage
- Social engineering: an outsider exploits the naivety of an insider to gain access
  - need to teach employees the danger of being nice
- Negligence: failure to exercise due care, e.g. failure to lock a computer
- Other error: risk has become more significant because of flatter organizations; in a vertical hierarchy the losses are not that large because of the multiple layers
What can we do?
- Principle of least privilege: a user is given no more privilege than necessary to perform a job
  - must identify what that person's job is: what do they actually need, at minimum?
  - restrict access to resources where a lot of risk is involved
- Role-based access controls: identify roles within the organization
  - give certain access to roles, NOT individuals
  - each role gives a certain accessibility. Ex: the manager role gives access to look at records of employees
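The least-privilege and role-based access control points above, worked through as an added example (not part of the original notes): permissions are attached to roles, users hold roles, and every request is denied unless one of the user's roles explicitly grants it. The role names, permissions and users are constructed for illustration.

```python
"""Role-based access control with least privilege (added example, not from the notes).

Permissions are granted to roles, never to individuals. A user gets a set of
roles, and a request is denied unless some role explicitly allows it.
Role names, permissions and users below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed policy: each role lists only the operations its job needs.
ROLE_PERMISSIONS = {
    "employee": {("timesheet", "read"), ("timesheet", "write")},
    "manager": {("employee_record", "read"), ("timesheet", "approve")},
    "hr": {("employee_record", "read"), ("employee_record", "write")},
    "guest": set(),  # a defined role with no rights at all
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def is_allowed(user, resource, action, role_permissions=ROLE_PERMISSIONS):
    """Deny by default: grant only if one of the user's roles holds (resource, action)."""
    for role in user.roles:
        if (resource, action) in role_permissions.get(role, set()):
            return True
    return False


def effective_permissions(user, role_permissions=ROLE_PERMISSIONS):
    """Union of everything the user's roles grant; the input to an access review."""
    perms = set()
    for role in user.roles:
        perms |= role_permissions.get(role, set())
    return perms


def unknown_roles(user, role_permissions=ROLE_PERMISSIONS):
    """Roles assigned to a user that the policy never defined (a configuration error)."""
    return {role for role in user.roles if role not in role_permissions}


if __name__ == "__main__":
    alice = User("alice", {"employee", "manager"})
    bob = User("bob", {"employee"})
    print(is_allowed(alice, "employee_record", "read"))  # True: manager role
    print(is_allowed(bob, "employee_record", "read"))    # False: no role grants it
    print(sorted(effective_permissions(alice)))
```

Because an undefined role grants nothing, a typo in a role assignment fails closed rather than open, which is the behaviour least privilege asks for.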

Cloud
- when you put your company into the cloud you have a new group of insiders, the cloud group
- important to think about security issues in the cloud
What is happening?
- DDoS (distributed denial of service): take out software so you cannot provide service. Ex: send millions of emails to a server so it crashes and you have no email. Millions of computers used; spamming
- Hacking and cyber extortion: "give us $ or else", because they have access and tools
- Botnet: the bad guy compromises a PC and it becomes a bot which can be controlled by an outside force
  - this allows them to attack nearby computers, and it grows
  - can tell the bots to do whatever he or she wants. Ex: launch emails or DoS attacks
Where? Everywhere
Why? $, corporate espionage, activism causes, political reasons

13.03 Vulnerabilities
How?
- War driving: drive around with a wireless card seeking unprotected networks
- Wired Equivalent Privacy (WEP): easily defeated, ancient protection
- guess passwords using social engineering by researching the person beforehand
- Brute force: using all dictionary words to attack and guess a password

Physical threats
- dumpster diving, destruction of property; keep servers in locked rooms
- legal fees paid for settlement; not just stealing data but destruction of data (losing information)
- shoulder surfing
- do not let user education be forgotten
Phishing
- use of a spoofed email address to try and trick somebody into giving you information
- broad spectrum attack: someone will be naive; send out millions of emails
- Spear phishing: the attack is highly targeted. Ex: a criminal finds the list of all employee email addresses of company X and says the corporate email server is being updated and we need new information
  - started in around 2008

13.04 Taking Action
Layer upon layer of security. Ex: fortress
Patch it to protect it (patch management)
- errors and bugs in software always happen; fix with a patch
- actively manage by monitoring and applying patches
- Ex: Secunia PSI makes it easier to keep a PC as safe as possible; software.ufl.edu has Secunia
Encryption
- Public key: we want to lock the data; the door has the data; one key can lock the door and one key can unlock the door. Some people we do not want in, so we give them only the locking key
  - the public key allows you to lock (encrypt) data; it does NOT represent a risk because it can only encrypt
  - only 1 person has the private key, which decrypts the information
- Data at rest: stored on some type of device. 2 strategies: file encryption and whole-disk encryption
  - File: individual files (by apps or programs)
  - Whole disk: the whole hard drive (provides a greater level of security)
- Data in motion: transmitted from point A to point B. 1) VPN 2) IPsec 3) SSL/TLS
Mobile devices
- each mobile device allows opportunity and risk for the organization

When you establish policy you want unified management (clearly define roles and responsibilities)
- Policy lays out the big picture
- Standard addresses the details (full compliance with the policy; rules that help implement it)
- Configuration requirements change over time
- all devices must be compliant with policies and standards

NAC (network admission control)
- the idea is that more and more people BYOD (bring their own device) to plug into the network: employee-owned IT assets that want to get on the network (less control)
- are antivirus and patches up to date? How? NAC
- attach a device to the network; NAC assesses the security of the antivirus and OS version, checking with the machine first
- gatekeeper for the network
- could have separate networks for employees and guests
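The policy/standard split and the NAC gatekeeper described above, combined into one added example (not part of the original notes): the standard supplies the concrete, checkable numbers behind the policy "all devices must be compliant", and the admission function compares each device's reported posture against it before choosing a network. Thresholds, device records, MAC addresses, VLAN names and the date are all constructed for illustration.

```python
"""Network admission control (NAC) posture check (added example, not from the notes).

Before a device is placed on the network, its reported posture (antivirus
state, OS version, patch age) is compared against the organization's
standard. Non-compliant managed devices are quarantined; hardware that is
not a corporate asset (BYOD, visitors) lands on a guest network.
All thresholds, device records and names below are constructed.
"""
from datetime import date

# Constructed standard: the checkable details that implement the policy.
STANDARD = {
    "min_os_version": (10, 0, 19045),   # (major, minor, build)
    "max_av_signature_age_days": 3,
    "max_patch_age_days": 30,
}

VLAN_CORPORATE, VLAN_GUEST, VLAN_QUARANTINE = "corp", "guest", "quarantine"

# Constructed inventory of managed (corporate-owned) hardware.
CORPORATE_ASSETS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
TODAY = date(2024, 5, 1)  # constructed "now" so the example is deterministic


def parse_version(text):
    """'10.0.19045' -> (10, 0, 19045); malformed or missing strings compare as lowest."""
    try:
        return tuple(int(part) for part in text.split("."))
    except (AttributeError, ValueError):
        return (0,)


def posture_failures(device, today, standard=STANDARD):
    """Return the standard clauses the device violates (empty list = compliant)."""
    failures = []
    if parse_version(device.get("os_version")) < standard["min_os_version"]:
        failures.append("os_version below minimum")
    if not device.get("av_running", False):
        failures.append("antivirus not running")
    else:
        sig_date = device.get("av_signature_date")
        if sig_date is None:
            failures.append("antivirus signature date unknown")
        elif (today - sig_date).days > standard["max_av_signature_age_days"]:
            failures.append(f"antivirus signatures {(today - sig_date).days} days old")
    patch_date = device.get("last_patch_date")
    if patch_date is None:
        failures.append("patch date unknown")
    elif (today - patch_date).days > standard["max_patch_age_days"]:
        failures.append(f"patches {(today - patch_date).days} days old")
    return failures


def admit(device, today, corporate_assets, standard=STANDARD):
    """Gatekeeper decision: (network the device is placed on, reasons)."""
    if device.get("mac") not in corporate_assets:
        # Employee-owned or visitor hardware never reaches the corporate network.
        return VLAN_GUEST, ["device is not a managed corporate asset"]
    failures = posture_failures(device, today, standard)
    if failures:
        return VLAN_QUARANTINE, failures
    return VLAN_CORPORATE, []


# Constructed sample devices: one compliant, one stale, one unmanaged.
DEVICES = [
    {"mac": "00:11:22:33:44:55", "os_version": "10.0.19045", "av_running": True,
     "av_signature_date": date(2024, 4, 30), "last_patch_date": date(2024, 4, 15)},
    {"mac": "00:11:22:33:44:66", "os_version": "6.1.7601", "av_running": True,
     "av_signature_date": date(2024, 4, 1), "last_patch_date": date(2024, 1, 31)},
    {"mac": "aa:bb:cc:dd:ee:ff", "os_version": "10.0.19045", "av_running": True,
     "av_signature_date": date(2024, 4, 30), "last_patch_date": date(2024, 4, 15)},
]

if __name__ == "__main__":
    for dev in DEVICES:
        vlan, reasons = admit(dev, TODAY, CORPORATE_ASSETS)
        print(dev["mac"], "->", vlan, reasons)
```

Every failure reason is returned rather than only a yes/no, so the same check can drive both the enforcement decision and the remediation message shown to the user; that is what makes an active patch-management loop (monitor, then apply) possible on top of NAC.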
