U N C L A S S I F I E D
Slide 1: Defense-in-Depth
Securing Your System Using a Layered Security Approach
By Richard Hammer, LANL
LA-UR-08-2558

Slide 2: Overview
Relative Risks
Threat Vectors
What attackers need us to do
Things Everyone Can do
Client protections
Summary

Slide 3: Goal!
Secure your system so you:
– Do not lose your identity if system is stolen
– Feel comfortable storing and processing personal, financial, business, and sensitive information
– Feel comfortable making online transactions

Slide 4: Old and New Threats

Slide 5: What attackers need from us!
Need us to execute a program
Need us to NOT securely configure our programs
Need us to NOT pay attention
Need us to NOT patch
Need us to be careless, gullible or curious
Need us to NOT understand the technology
“It’s that easy because we allow it to be that easy” – Frank Abagnale
Slide 6: Things we all can learn to DO!
Compute as an Unprivileged User if possible
Understand E-mail
Understand Web Browsing
Encrypt our Data
Know what is connecting in/out
Actually do it!

Slide 7: Hackers do not like unprivileged users
They cannot change system settings
They cannot install programs that change system settings
They cannot undo security settings
Reboot will normally put the system back into a secure state again.

Slide 8: Which is more secure?
Storing your credit card in your wallet
or
Storing your credit card number on your computer

Slide 9: Protecting data at rest (Powered Off)
Physical Security
Encryption
Nothing else will work:
– Remove the disk
– Reset password
– Boot off cracker media
– “T” up a Macintosh

Slide 10: Hard drive/File Encryption
TrueCrypt, Guardian Edge, WinMagic, PGP, Pointsec, Cypherix, Calibex, many more!
Hardware
– Fortezza
– Hard drives
Windows EFS/BitLocker
Apple FileVault
Bcrypt
Entrust ICE
Entrust & PGP
Slide 11: Apple FileVault

Slide 12: Built-in Windows encryption

Slide 13: System Up and You Are Logged In (Includes Sleep Mode)
No longer protecting data:
– Full disk encryption
– Hardware encryption
– Windows EFS/BitLocker or FileVault
Protecting data until password entered:
– Encrypted Disk Image (Mac OS X)
– Entrust, PGP, TrueCrypt, Bcrypt
– Other 3rd-party encryption products

Slide 14: Entrust/PGP File Encrypt Options

Slide 15: Goals of Cryptosystems!
Ensure:
Confidentiality
Integrity
Authentication
Non-Repudiation

Slide 16: Cryptosystems Problems?
You might lock yourself out forever!
Key Management
Key Distribution
Password/Passphrase Protection
Can’t encrypt/decrypt offline?
Speed?
Export? (GOV export authorized)

Slide 17: What will Defeat Encryption
Not protecting the password
Sleep mode and fast user switching
Freeze spray, shutdown/leave
Malware
– Keyboard Loggers
– E-mail Infections
Not paying attention to warning messages
Backups
Slide 18: Understanding e-mail
Clear text e-mail is completely unreliable.
How do you recognize bogus e-mail?
What is URL redirection?
How do you protect yourself?
Outlook?

Slide 19: Why you should not Trust Clear Text e-mail
Do not know who sent it
Do not know who sees it
Do not know where it went
Do not know who read it
Do not know if content changed
Still on server, backups?
Sys Admins have full access

Slide 20: Encrypting e-mail?
Only Intended Recipients can read messages or open files
Data has not been modified
Data is from the expected source
Not seen on the wire
Not just SSL/TLS to server
PGP/SMIME/Entrust

Slide 21: Entrust Encryption Example?

Slide 22: PGP/SMIME Encryption Example?

Slide 23: SMIME/PGP/Entrust e-mail

Slide 24: Phishing right here in LA!
Guy Lisella: “Anytime they ask for personal information, it’s a scam.”
Legitimate businesses will NEVER ASK for personal information to be transmitted over clear text e-mail!
If unsure, call them.

Slide 25: How do you recognize bogus e-mail?
Do you know the sender?
Is the offer “too good to be true?”
Embedded links that point to an address that doesn’t appear right.
Your email address is not listed on the “TO” or “CC”.
The “FROM” & “Return-Path” don’t match.
Unexpected attachments.
Slide 26: What is wrong?

Slide 27: Understanding URLs/Redirection
http://computername.domainname/directoryname/indexfile.html
Where you thought you were going:
http://www.dncu.com/login.aspx?update
http://63.214.247.170/login.aspx?update
Where you are redirected:
http://www.dncu.org.hi-position.com/register/login.html
Computer name – www
Domain name – dncu.org.hi-position.com
IP address – no longer registered, but was 202.168.210.1XX
Directory – register
Index file – login.html
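The slide's decomposition of a URL can be turned into a small checker. The following is an added example (my code, not part of the LANL presentation) that splits a link into the slide's parts and then relates the host to the site the reader expects to reach; the three URLs are the slide's own, and the "no public-suffix list" simplification is an assumption of mine.

```python
# Added example, not part of the presentation: break a link into the pieces
# the slide names (computer name, domain name, directory, index file) and
# decide whether it really leads to the site the reader expects.
import ipaddress
from urllib.parse import urlparse


def decompose(url: str) -> dict:
    """Split a URL into the slide's parts:
    http://computername.domainname/directoryname/indexfile.html"""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    labels = host.split(".")
    directory, _, index_file = p.path.rpartition("/")
    return {
        "computer_name": "" if is_ip or len(labels) < 2 else labels[0],
        "domain_name": host if is_ip or len(labels) < 2 else ".".join(labels[1:]),
        "is_ip_literal": is_ip,
        "directory": directory.strip("/"),
        "index_file": index_file,
        "query": p.query,
    }


def classify_link(url: str, expected_domain: str) -> str:
    """Relate a link's host to the domain the reader expects to reach.

    Returns "ok" (the expected domain or a host under it),
    "ip-literal" (a bare IP address nobody can vouch for),
    "lookalike" (the expected name appears, but under someone else's
    domain, as in www.dncu.org.hi-position.com), or "other-domain".
    Assumption: no public-suffix list is consulted, so expected_domain
    must be a registrable name such as dncu.com, not a suffix like co.uk.
    """
    info = decompose(url)
    host = (urlparse(url).hostname or "").lower()
    expected = expected_domain.lower().strip(".")
    if info["is_ip_literal"]:
        return "ip-literal"
    if host == expected or host.endswith("." + expected):
        return "ok"
    brand = expected.split(".")[0]
    if brand in host.split(".") or f".{expected}." in f".{host}.":
        return "lookalike"
    return "other-domain"


if __name__ == "__main__":
    for link in ("http://www.dncu.com/login.aspx?update",
                 "http://63.214.247.170/login.aspx?update",
                 "http://www.dncu.org.hi-position.com/register/login.html"):
        print(classify_link(link, "dncu.com"), decompose(link))
```

The point the slide makes is that the rightmost labels decide who owns the host: "dncu.org" sitting to the left of "hi-position.com" is just a subdomain someone else created, which is why the check works from the right end of the name rather than searching for the bank's name anywhere in the link.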
Slide 28: Look at the e-mail header
Eudora – Blah, Blah, Blah
Outlook – View Options or Right Click Options
Webmail – Click on Full Headers
Thunderbird – Menu Bar, VIEW/HEADER, ALL
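Once the full headers are visible, the bogus-e-mail checks from slide 25 (sender address versus Return-Path, your address missing from To/Cc, unexpected attachments, links whose text and target disagree) can be applied mechanically. The following is an added example (my code, not from the presentation) that runs those checks over the raw text of a message; both sample messages are constructed for the example, and the link check uses a minimal regular expression rather than a full HTML parser.

```python
# Added example, not part of the presentation: apply the slide's
# "how do you recognize bogus e-mail" checks to a message's full headers.
# Both messages below are constructed for the example.
import re
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>([^<]*)</a>', re.IGNORECASE)

SUSPECT_RAW = """Return-Path: <bounce@mailer.example.net>
From: "Member Services" <support@dncu.com>
To: someone-else@example.org
Subject: Account update required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>Please <a href="http://www.dncu.org.hi-position.com/register/login.html">http://www.dncu.com/login.aspx?update</a></body></html>
--b1
Content-Type: application/octet-stream; name="update.exe"
Content-Disposition: attachment; filename="update.exe"

MZ-placeholder
--b1--
"""

CLEAN_RAW = """Return-Path: <alice@example.org>
From: Alice <alice@example.org>
To: me@example.org
Subject: Lunch
Content-Type: text/plain

See you at noon.
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address (empty string if there is none)."""
    return addr.rpartition("@")[2].lower()


def check_message(raw: str, my_address: str, expect_attachments: bool = False) -> list:
    """Return one finding per slide heuristic that fires; an empty list means none did."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # The FROM and Return-Path don't match (compare the two domains).
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    if return_path and _domain(from_addr) != _domain(return_path):
        findings.append(f"From domain {_domain(from_addr)} differs from Return-Path domain {_domain(return_path)}")

    # Your address is not listed on TO or CC.
    recipients = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    listed = {addr.lower() for _, addr in getaddresses(recipients)}
    if my_address.lower() not in listed:
        findings.append(f"{my_address} is not in To/Cc")

    # Unexpected attachments.
    names = [p.get_filename() or "<unnamed>" for p in msg.iter_attachments()]
    if names and not expect_attachments:
        findings.append("unexpected attachment(s): " + ", ".join(names))

    # Embedded links whose visible text names one host but whose target is another.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for href, text in HREF_RE.findall(part.get_content()):
            shown = urlparse(text.strip()).hostname if "://" in text else None
            real = urlparse(href).hostname
            if shown and real and shown.lower() != real.lower():
                findings.append(f"link text shows {shown} but points to {real}")
    return findings


if __name__ == "__main__":
    for finding in check_message(SUSPECT_RAW, "me@example.org"):
        print("-", finding)
```

None of these checks proves a message is fraudulent on its own (mailing-list software legitimately rewrites Return-Path, for instance), which is why the function returns the list of findings for a person to weigh rather than a verdict.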
Slide 29: Give me the money

Slide 30: Stop Right There!

Slide 31: E-mail client configuration
Do NOT auto execute anything
Do NOT automatically download HTML graphics
Do NOT display graphics in message
Do NOT allow executable HTML content
Do NOT display emoticons as a graphic
Do NOT use Microsoft viewer.

Slide 32: Entourage Settings

Slide 33: Before and After (Mac Mail)

Slide 34: What’s Wrong?
Unknown sender, not addressed to me, has an attachment I did not expect.

Slide 35: Virus protection caught it three weeks later, don’t be the first to open it!

Slide 36: Which is more secure?
Paying for a dinner with a credit card
or
Online purchase

Slide 37: Compare the two!

Slide 38: Web Browser Security
Understand how it works
SSL/TLS
Privacy Settings
Security Settings
“Warn me” is always a good option when not sure
Scripts
Understand Threats
Internet Explorer?
Slide 39: Web Access (SSL/TLS)
SSL developed by Netscape (1994)
Certificate Exchange
System to System
Certificate Authority
Should only use SSL 3.0 or TLS 1.0
Is it secure?
Redirection
Man-in-Middle Attack
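The certificate exchange only defeats a man-in-the-middle if the client insists on two things: the certificate chains to a trusted authority, and it names the host the user actually typed. The following is an added example (my code, not the presentation's) showing both checks in Python's ssl module; the certificate dictionaries are constructed in the shape `SSLSocket.getpeercert()` returns, no network is used, and the TLS 1.2 floor is my assumption for a modern Python build rather than the slide's 2008 advice of SSL 3.0 or TLS 1.0.

```python
# Added example, not part of the presentation: the two checks that make SSL/TLS
# mean something: a trusted chain, and a certificate that names the host you
# typed. The certificates below are constructed dicts, not real certificates.
import ssl


def verified_client_context() -> ssl.SSLContext:
    """Client context that requires a trusted chain and a matching host name.

    Assumption (mine, not the slide's): a modern Python/OpenSSL where SSL 3.0
    and TLS 1.0 are no longer acceptable, so the floor is set to TLS 1.2.
    """
    ctx = ssl.create_default_context()          # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_summary() -> dict:
    """The settings a careful client should see on its context, as plain strings."""
    ctx = verified_client_context()
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def _label_match(pattern: str, host: str) -> bool:
    """Label-by-label comparison; a single leftmost '*' covers exactly one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def name_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate names hostname: subjectAltName DNS entries first,
    falling back to the subject commonName only when no SAN is present."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for kind, value in rdn if kind == "commonName"]
    return any(_label_match(n, hostname) for n in names)


# Constructed certificate descriptions for the example (not real certificates).
BANK_CERT = {
    "subject": ((("commonName", "www.dncu.com"),),),
    "subjectAltName": (("DNS", "www.dncu.com"), ("DNS", "dncu.com")),
}
OTHER_CERT = {
    "subject": ((("commonName", "*.hi-position.com"),),),
    "subjectAltName": (("DNS", "*.hi-position.com"),),
}

if __name__ == "__main__":
    print(context_summary())
    print(name_matches(BANK_CERT, "www.dncu.com"), name_matches(OTHER_CERT, "www.dncu.com"))
```

The browser warning shown on the later "Warning, should I proceed?" slide is what you see when either check fails: a certificate that is perfectly valid for `*.hi-position.com` still does not name `www.dncu.com`, and a wildcard covers one label only, so it does not name `www.dncu.org.hi-position.com` either.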
Slide 40: Keeping Track of State
SessionID
https://ucfy.ucop.edu/ucfy/BaseServlet;jsessionid=0000q9ZvjIPe7xWTjxeftFjTqBy:-1
Cookie
– Persistent
– Non-persistent
Hidden Form Element
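The three state-keeping mechanisms on the slide can be recognised from what the server sends. The following is an added example (my code, not from the presentation) that pulls a session ID out of a URL of the slide's form, classifies Set-Cookie headers as persistent or non-persistent, and lists hidden form elements; the cookie and form inputs are constructed, and the list of session-parameter names is a common-name assumption rather than anything the slide states.

```python
# Added example, not part of the presentation: find where a web application
# is keeping its state, using the three mechanisms the slide lists.
# Inputs are constructed; SESSION_KEYS is an assumption about common names.
import re
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import parse_qs, urlparse

SESSION_KEYS = ("jsessionid", "sessionid", "sessid", "phpsessid", "sid")
HIDDEN_RE = re.compile(r'<input\b[^>]*type="hidden"[^>]*>', re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def session_id_in_url(url: str) -> Optional[str]:
    """Session token carried in the URL itself, either as a ';jsessionid='
    path parameter (the slide's example) or as a query parameter; None if
    absent. A token here ends up in history, bookmarks, proxy logs and
    Referer headers, which is why cookies are the usual carrier instead."""
    p = urlparse(url)
    key, _, value = p.params.partition("=")
    if key.lower() in SESSION_KEYS and value:
        return value
    for key, values in parse_qs(p.query).items():
        if key.lower() in SESSION_KEYS and values:
            return values[0]
    return None


def classify_cookies(set_cookie_headers: list) -> dict:
    """Per cookie: persistent (has Expires/Max-Age, so it survives closing the
    browser) or non-persistent (a session cookie), and whether the Secure
    flag confines it to HTTPS."""
    result = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            result[name] = {
                "persistent": bool(morsel["expires"] or morsel["max-age"]),
                "secure_only": bool(morsel["secure"]),
            }
    return result


def hidden_fields(html: str) -> dict:
    """Hidden form elements: state the server parks in the page and expects back."""
    fields = {}
    for tag in HIDDEN_RE.findall(html):
        attrs = dict(ATTR_RE.findall(tag))
        if "name" in attrs:
            fields[attrs["name"]] = attrs.get("value", "")
    return fields


if __name__ == "__main__":
    print(session_id_in_url("https://ucfy.ucop.edu/ucfy/BaseServlet;jsessionid=0000q9ZvjIPe7xWTjxeftFjTqBy:-1"))
    print(classify_cookies(["JSESSIONID=0000q9Zv; Path=/; Secure; HttpOnly",
                            "remember_me=1; Max-Age=2592000; Path=/"]))
    print(hidden_fields('<form><input type="hidden" name="txn" value="8812"></form>'))
```

The persistent/non-persistent split is what the "Clearing Privacy Settings" slide later acts on: a non-persistent cookie is gone when the browser closes, while a persistent one has to be cleared deliberately.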
Slide 41: Firefox Security Settings

Slide 42: Man-in-Middle

Slide 43: Warning, should I proceed?

Slide 44: Secure ???

Slide 45: Clearing Privacy Settings (Firefox)

Slide 46: Security Settings (Firefox)

Slide 47: Firefox – noscript

Slide 48: Firefox – noscript (2)

Slide 49: Secure Web Transactions
Open New Browser
Ensure SSLv3/TLS
You initiate connection
Only go to sites associated with transaction
Use noscript and only allow needed scripts
Pay attention to error messages
Logout when done
Close browser and clear settings

Slide 50: Personal Application Layer Firewalls
ZoneAlarm
Little Snitch/Apple Firewall combo
In/Out protection
Can distinguish between different programs connecting out on same port
Will teach you which applications really connect out from your system
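What an application-layer firewall adds over a port-based one is the program name beside each connection, which is what lets two programs on the same port be told apart. The following is an added example (my code, not the presentation's, and not the log format of ZoneAlarm, Little Snitch or any other product) that reviews a constructed connection log against a list of program/port pairs the user has consciously decided on, and reports the ones the user never decided on plus every port used by more than one program.

```python
# Added example, not part of the presentation: what an application-layer
# personal firewall lets you do that a port-based one cannot, namely tell
# programs apart when they use the same port. The log lines and their
# format are constructed for this example and follow no real product.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<when>\S+ \S+) (?P<dir>IN|OUT)\s+(?P<program>\S+) (?:->|<-) "
    r"(?P<host>[\d.]+):(?P<port>\d+) (?P<verdict>\w+)$"
)

SAMPLE_LOG = """\
2008-04-10 09:01:02 OUT firefox-bin -> 208.77.188.166:443 ALLOW
2008-04-10 09:01:05 OUT Mail -> 192.168.1.10:993 ALLOW
2008-04-10 09:02:17 OUT updater.exe -> 10.20.30.40:443 ASK
2008-04-10 09:03:40 IN  sshd <- 192.168.1.55:22 ALLOW
2008-04-10 09:04:01 OUT wscript.exe -> 198.51.100.23:80 ASK
"""

# (program, port) pairs the user has consciously decided to allow.
ALLOWLIST = {("firefox-bin", 443), ("Mail", 993), ("sshd", 22)}


def parse_log(text: str) -> list:
    """One dict per well-formed line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            entries.append(entry)
    return entries


def programs_by_port(entries: list) -> dict:
    """Which programs used each port. Two programs on 443 is exactly the
    case a port-only firewall cannot see."""
    by_port = defaultdict(set)
    for e in entries:
        by_port[e["port"]].add(e["program"])
    return dict(by_port)


def unexpected(entries: list, allowlist=ALLOWLIST) -> list:
    """(program, port) pairs the user never decided on, in first-seen order."""
    seen = []
    for e in entries:
        pair = (e["program"], e["port"])
        if pair not in allowlist and pair not in seen:
            seen.append(pair)
    return seen


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for port, programs in sorted(programs_by_port(entries).items()):
        print(port, sorted(programs))
    print("never decided on:", unexpected(entries))
```

Reading the output is the "will teach you which applications really connect out" part of the slide: the browser on 443 is expected, a second program on the same port is the one to ask about.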
Slide 51: Connecting out, Really?

Slide 52: Same Port, different program

Slide 53: Client Protection Summary
User vs Admin Privilege
Virus Protection
Spyware/Adware Protection
Keep Systems & Applications patched
Backup your data
Secure Program Settings, don’t auto execute and turn off autoplay.

Slide 54: Client Protection Summary
DO NOT open attachments unless you expect them.
Don’t click on embedded links
Pay attention to warning messages
Pop-up blockers
Clear privacy settings
noscript

Slide 55: Client Protection Summary
If it’s “too good to be TRUE,” it is!
When configuring programs keep personal information to a minimum.
Remove programs you don’t need
Stay away from shady web sites
One-time Credit Card Numbers
Shutdown when not using
Disconnect from network if you don’t need to be on it.

Slide 56: Client Protection Summary
Encrypt sensitive information
Application Layer Personal Firewall
Outlook and Internet Explorer:
– Consider replacing these programs.
– Keep them patched.

Slide 57: Educate Yourself!