Presentation is loading. Please wait.

Presentation is loading. Please wait.

U N C L A S S I F I E D Defense-in-Depth By Richard Hammer LANL LA-UR-08-2558 Securing Your System Using a Layered Security Approach.

Similar presentations


Presentation on theme: "U N C L A S S I F I E D Defense-in-Depth By Richard Hammer LANL LA-UR-08-2558 Securing Your System Using a Layered Security Approach."— Presentation transcript:

1 U N C L A S S I F I E D Defense-in-Depth By Richard Hammer LANL LA-UR Securing Your System Using a Layered Security Approach

2 U N C L A S S I F I E D Overview Relative Risks Threat Vectors What attackers need us to do Things Everyone Can do Client protections Summary

3 U N C L A S S I F I E D Goal! Secure your system so you: –Do not lose your identity if system is stolen –Feel comfortable storing and processing personal, financial, business, and sensitive information –Feel comfortable making online transactions

4 U N C L A S S I F I E D Old and New Threats

5 U N C L A S S I F I E D What attackers need from us! Need us to execute a program Need us to NOT securely configure our programs Need us to NOT pay attention Need us to NOT patch Need us to be careless, gullible or curious Need us to NOT understand the technology “It’s that easy because we allow it to be that easy” Frank Abagnale

6 U N C L A S S I F I E D Things we all can learn to DO! Compute as an Unprivileged User if possible Understand Understand Web Browsing Encrypt our Data Know what is connecting in/out Actually do it!

7 U N C L A S S I F I E D Hackers do not like unprivileged users They cannot change system settings They cannot install programs that change system settings They cannot undo security settings Reboot will normally put system back into secure state again.

8 U N C L A S S I F I E D Which is more secure? Storing your credit card in your wallet Or Storing your credit card number on your computer

9 U N C L A S S I F I E D Protecting data at rest (Powered Off) Physical Security Encryption Nothing else will work –Remove the disk –Reset password –Boot off cracker media –T up a Macintosh

10 U N C L A S S I F I E D Harddrive/File Encryption Truecrypt, Guardian Edge, WinMagic, PGP, Pointsec, Cypherix, Calibex, TrueCrypt, Many more! Hardware –Fortezza –Harddrives Windows EFS/BitLocker Apple FileVault Bcrypt Entrust ICE Entrust & PGP

11 U N C L A S S I F I E D Apple FileVault

12 U N C L A S S I F I E D Built-in Windows encryption

13 U N C L A S S I F I E D System Up and You Are Logged In (Includes Sleep Mode) No longer protecting Data –Full disk encryption –Hardware encryption –Windows EFS/BitLocker or FileVault Protecting data until password entered –Encrypted Disk Image (MacOSX) –Entrust, PGP, TrueCrypt, Bcrypt –Other 3 rd party encryption products

14 U N C L A S S I F I E D Entrust/PGP File Encrypt Options

15 U N C L A S S I F I E D Goals of Cryptosystems! Ensure: Confidentiality Integrity Authentication Non-Repudiation

16 U N C L A S S I F I E D Cryptosystems Problems? You might lock yourself out forever! Key Management Key Distribution Password/Passphrase Protection Can’t encrypt/decrypt offline? Speed? Export? (GOV export authorized)

17 U N C L A S S I F I E D What will Defeat Encryption Not protecting the password Sleep mode and fast switching Freeze spray, shutdown/leave Malware –Keyboard Loggers – Infections Not paying attention to warning messages Backups

18 U N C L A S S I F I E D Understanding Clear text is completely unreliable. How do you recognize bogus ? What is URL redirection? How do you protect yourself? Outlook?

19 U N C L A S S I F I E D Why you should not Trust Clear Text e- mail Do not know who sent it Do not know who sees it Do not know where it went Do not know who read it Do not know if content changed Still on server, backups? Sys Admins have full access

20 U N C L A S S I F I E D Encrypting ? Only Intended Recipients can read messages or open files Data has not been modified Data is from the expected source Not seen on the wire Not just SSL/TLS to server PGP/SMIME/Entrust

21 U N C L A S S I F I E D Entrust Encryption Example?

22 U N C L A S S I F I E D PGP/SMIME Encryption Example?

23 U N C L A S S I F I E D SMIME/PGP/Entrust

24 U N C L A S S I F I E D Phishing right here in LA! Guy Lisella “Anytime they ask for personal information, it’s a scam.” Legitimate businesses will NEVER ASK for personal information to be transmitted over clear text ! If unsure, call them.

25 U N C L A S S I F I E D How do you recognize bogus ? Do you know the sender? Is the offer “too good to be true?” Embedded links that point to an address that doesn’t appear right. Your address is not listed on the “TO” or “CC”. The “FROM” & “Return-Path” don’t match. Unexpected attachments.

26 U N C L A S S I F I E D What is wrong?

27 U N C L A S S I F I E D Understanding URLs/Redirection Where you thought you were going: Where you are redirected: Computer name – www Domainname – dncu.org.hi-position.com IP Address – No longer registered, but was XX Directory – register Index file – login.html

28 U N C L A S S I F I E D Look at the header Eudora – Blah, Blah, Blah Outlook – View Options or Right Click Options Webmail – Click on Full Headers Thunderbird – Menu Bar, VIEW/HEADER, ALL

29 U N C L A S S I F I E D Give me the money

30 U N C L A S S I F I E D Stop Right There!

31 U N C L A S S I F I E D client configuration Do NOT auto execute anything Do NOT automatically download HTML graphics Do NOT display graphics in message Do NOT allow executable html content Do NOT display emotions as a graphic Do NOT use Microsoft viewer.

32 U N C L A S S I F I E D Entourage Settings

33 U N C L A S S I F I E D Before and After (Mac Mail)

34 U N C L A S S I F I E D What’s Wrong? Unknown sender, not addressed to me, has an attachment I did not expect.

35 U N C L A S S I F I E D Virus protection caught it three weeks later, don’t be the first to open it!

36 U N C L A S S I F I E D Which is more secure? Paying for a dinner with a credit card Or Online purchase

37 U N C L A S S I F I E D Compare the two!

38 U N C L A S S I F I E D Web Browser Security Understand how it works SSL/TSL Privacy Settings Security Settings “Warn me” is always a good option when not sure Scripts Understand Threats Internet Explorer?

39 U N C L A S S I F I E D Web Access (SSL/TLS) SSL Developed by Netscape (1994) Certificate Exchange System to System Certificate Authority Should only use SSL 3.0 or TLS 1.0 Is it secure? Redirection Man-in-Middle Attack

40 U N C L A S S I F I E D Keeping Track of State SessionID https://ucfy.ucop.edu/ucfy/BaseServlet;jsessio nid=0000q9ZvjIPe7xWTjxeftFjTqBy:-1 Cookie –Persistent –Non- Persistent Hidden Form Element

41 U N C L A S S I F I E D Firefox Security Settings

42 U N C L A S S I F I E D Man-in-Middle

43 U N C L A S S I F I E D Warning, should I proceed?

44 U N C L A S S I F I E D Secure ???

45 U N C L A S S I F I E D Clearing Privacy Settings (Firefox)

46 U N C L A S S I F I E D Security Settings (Firefox)

47 U N C L A S S I F I E D Firefox - noscript

48 U N C L A S S I F I E D Firefox – noscript (2)

49 U N C L A S S I F I E D Secure Web Transactions Open New Browser Ensure SSLv3/TLS You initiate connection Only go to sites associated with transaction Use noscript and only allow needed scripts Pay attention to error messages Logout when done Close browser and clear settings

50 U N C L A S S I F I E D Personal Application layer firewalls ZoneAlarm Little Snitch/Apple Firewall combo In/Out protection Can distinguish between different programs connecting out on same port Will teach you which applications really connect out from your system

51 U N C L A S S I F I E D Connecting out, Really?

52 U N C L A S S I F I E D Same Port, different program

53 U N C L A S S I F I E D Client Protection Summary User vs Admin Privilege Virus Protection Spyware/Adaware Protection Keep Systems & Applications patched Backup your data Secure Program Settings, don’t Auto execute and turn off autoplay.

54 U N C L A S S I F I E D Client Protection Summary DO NOT open attachments unless you expect them. Don’t click on embedded links Pay attention to warning messages POP-UP blockers Clear privacy settings noscript

55 U N C L A S S I F I E D Client Protection Summary If it’s “too good to be TRUE,” it is! When configuring programs keep personal information to a minimum. Remove programs you don’t need Stay away from shady web sites One-time Credit Card Numbers Shutdown when not using Disconnect from network if you don’t need to be on it.

56 U N C L A S S I F I E D Client Protection Summary Encrypt sensitive information Application Layer Personal Firewall Outlook and Internet Explorer: –Consider replacing these programs. –Keep them patched.

57 U N C L A S S I F I E D Educate Yourself!


Download ppt "U N C L A S S I F I E D Defense-in-Depth By Richard Hammer LANL LA-UR-08-2558 Securing Your System Using a Layered Security Approach."

Similar presentations


Ads by Google