CIST 1601 Information Security Fundamentals, Chapter 6: Educating and Protecting the User. Collected and compiled by JD Willard, MCSE, MCSA, Network+, Microsoft IT Academy Administrator, Computer Information Systems Technology, Albany Technical College. Presentation transcript.
Understanding Security Awareness and Training
Security awareness and education are critical to the success of a security effort. They include explaining policies, procedures, and current threats to both users and management. Such efforts need to be ongoing, and they should be part of the organization's normal communications to be effective.
Communicating with Users to Raise Awareness
Most users aren't aware of current security threats. If you put a process in place to explain concisely and clearly what is happening and what is being done about current threats, you will probably find acceptance of your efforts to be much higher. Communication methods that have proven effective for disseminating this information include internal security websites, news servers, and e-mail. In general, the more routinely you communicate about security, the more likely people are to internalize that security is everybody's responsibility.
Providing Education and Training
Your efforts in education must help users clearly understand prevention, enforcement, and threats. The security department will also probably be responsible for a security-awareness program. Your training and educational programs need to be tailored for at least three different audiences:
- The organization as a whole: training should be prevention oriented.
- Management: the focus should be on business impact, such as the liability of the company when a breach happens, the financial damage that can result, and how a breach affects the reputation or credibility of the company.
- Technical staff: the focus is on the methods, implementations, and capabilities of the systems used to manage security.
Providing Education and Training
Organization: ideally, a security-awareness training program should cover the following areas:
- Importance of security
- Responsibilities of people in the organization
- Policies and procedures
- Usage policies
- Account and password-selection criteria
- Social engineering prevention
You can deliver this training either with internal staff or by hiring outside trainers.
Management: managers are concerned with larger issues in the organization, including enforcing security policies and procedures. Managers will want to know the whys of a security program as well as how it works. They should receive additional training or exposure that explains the issues, threats, and methods of dealing with threats. Management will also be concerned about productivity impacts, enforcement, and how the various departments are affected by security policies.
Technical staff: the technical staff needs special knowledge about the methods, implementations, and capabilities of the systems used to manage security. Network administrators will want to evaluate how to manage the network, best practices, and configuration issues associated with the technologies they support. Developers and implementers will want to evaluate the impact these measures have on existing systems and new development projects. Much of the training that administrators and developers need will be vendor specific, because vendors have their own methods of implementing security.
One of the most important aspects of education is that it must reach the appropriate audience.
Training Topics
Guidelines for what to include in user training may cover points such as: how to address someone who has her hands full and asks for help getting into a secure area; how to react to someone who has tailgated into the building; what to say to a vice president who has forgotten his password and needs it right away; and what to do when someone claiming to be an administrator calls and asks for a user's password.
Clean Desk Policy: information left on a desk can easily be seen by prying eyes and stolen. All sensitive information should be put away when the user is away from their desk.
Compliance with Laws, Best Practices, and Standards: users must realize that when working with data there are laws, practices, and standards they must adhere to. Ignorance is no excuse. As an administrator, it is your job to educate users on any new laws or regulations that apply to your environment.
Data Handling: data should be accessed only by those users who need to work with it.
Dealing with Personally-Owned Devices: you do not want people plugging in a flash drive, camera, phone, MP3 player, or other device on which company files could get intermingled with personal files. Allowing this creates situations where data that shouldn't leave the building does, and it can introduce malware to the system. Employees should not sync unauthorized smartphones to their workstations. Some smartphones carry several radios (cellular, Wi-Fi, Bluetooth), and a phone connected to a workstation can give an attacker in the parking lot a path through the phone into the internal network. Ban social peer-to-peer (P2P) file sharing, and send an alert to the administrator whenever anyone attempts P2P activity.
Personally Identifiable Information: PII can be anything from a person's name to a fingerprint, credit card number, or patient record. Users within your organization should understand PII and the reasons to safeguard their own data as well as respect the records of customers and other users.
Training Topics
Prevent Tailgating: many social engineering intruders needing physical access to a site will use this method of gaining entry. Educate users to beware of this and other social engineering ploys and to prevent them from happening. Planning, training, regular reminders, and firm, clear security policies are important when you're attempting to minimize vulnerabilities created by social engineering.
Safe Internet Habits: users should be familiar enough with phishing not to click links or open attachments they weren't expecting. Close pop-ups by clicking the X in the upper right corner rather than OK; because a scareware pop-up can draw a fake X inside the page, closing the browser tab or window is safer still. Software should never be downloaded or installed from unknown sites. Rogue security software, also known as "scareware," is software that appears to be beneficial from a security perspective but provides limited or no security, generates erroneous or misleading alerts, or attempts to lure users into fraudulent transactions. (Figure: an example of rogue security software disguised as a Microsoft alert that does not come from Microsoft.)
Training Topics
Smart Computing Habits: every user should know never to introduce stray media into their system. A flash drive found in the trash can contain the Trojan needed to open a back door into the network. Discourage users from installing any third-party software without the approval of IT.
Social Networking Dangers: social networking/media threats tend to be the same old tricks used elsewhere in a new format. Educate users to exercise the same care and caution in social media as in any other environment.
The Need for All Computing to Be Safe: many users take data home to work on it. They need to have security measures on their home computers that protect your company's data as well. At a minimum, home computers need to be running firewalls and updated virus scanners.
The Value of Strong Passwords: users need to understand that the harder they make a password to guess, the more work they add to someone's attempt to crack it. They should be educated to use long, complex passwords; each added character multiplies the search space, so length matters at least as much as mixing character types.
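To make the "more difficult password, more difficult crack" point concrete, here is an added example (not code from the original slides) that estimates the brute-force search space of a password from its length and the character classes it uses, and checks it against a simple policy. The passwords, the policy thresholds, and the 10 billion guesses-per-second rate are all assumed figures for illustration.

```python
import string

# Added example, not from the original slides: estimate how hard a password is
# to brute-force from its length and the character classes it uses, and check it
# against a simple policy. The guess rate is an assumed figure for illustration.

CHAR_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def classes_used(password: str) -> list:
    """Names of the character classes that appear in the password."""
    return [name for name, chars in CHAR_CLASSES.items()
            if any(c in chars for c in password)]


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, inferred from the classes present."""
    return sum(len(CHAR_CLASSES[name]) for name in classes_used(password))


def keyspace(password: str) -> int:
    """Number of candidates of the same length drawn from the same alphabet."""
    return charset_size(password) ** len(password)


def expected_crack_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Expected time for exhaustive search to hit the password (half the keyspace on average)."""
    return keyspace(password) / 2 / guesses_per_second


def meets_policy(password: str, min_length: int = 12, min_classes: int = 3) -> bool:
    """A minimal complexity policy: long enough and drawn from enough character classes."""
    return len(password) >= min_length and len(classes_used(password)) >= min_classes


if __name__ == "__main__":
    # Constructed sample passwords: short "complex" ones and a long simple one.
    for pw in ["password", "Passw0rd!", "Tr0ub4dor&3", "correcthorsebatterystaple"]:
        print(f"{pw:28} classes={len(classes_used(pw))} "
              f"keyspace~2^{keyspace(pw).bit_length() - 1} "
              f"expected crack={expected_crack_seconds(pw):.3g}s "
              f"policy_ok={meets_policy(pw)}")
```

The estimate is an upper bound on attacker effort: it assumes exhaustive search, whereas real cracking tools try dictionaries and common substitution rules first, so a password like "Passw0rd!" falls in seconds regardless of its 94-character alphabet. The comparison between the 11-character mixed-class password and the 25-character lowercase passphrase shows why length is the stronger lever.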
Training Topics
Understanding Data Labeling and Handling: users need to be aware that different types of data unique to your organization have different values and need to be labeled accordingly. The importance of protecting the data in all forms (online, backups, hard copies, etc.) should be covered, as well as the reasons why different groups cannot or should not access data outside of their permission category.
What to Do When Disposing of Old Media: old computers, hard drives, flash drives, and CDs/DVDs may contain valuable data. Teaching users the basics of data disposal or destroying media (such as with a hammer, drill, or fire) can be one of the most fun, and most memorable, training sessions of the year.
Responding to Hoaxes: a hoax is a deliberately fabricated falsehood. Those who start hoaxes enjoy knowing that they caused a panic, and the Internet lets them watch the hoax spread with wild abandon. As security administrator, you need to educate users that the best course of action, if they suspect a hoax, is to refuse to panic and contact IT. Assure them that you will find out whether it is a hoax and let them know. Under no circumstances are they to forward the warning and further propagate the alarm.
As the administrator, you want to take a proactive stance, educating users on potential problems before they become real issues and revisiting key topics often enough that users realize their importance.
Classifying Information
Information classification is a key aspect of a secure network. The technologies you use must be able to support your organization's privacy requirements. People and processes must be in place and working effectively to prevent unauthorized disclosure of sensitive information. If you think about all the information your organization keeps, you'll probably find that it breaks down into three primary categories:
- Public use
- Internal use
- Restricted use
(Figure: information categories, showing the typical ratios among them.) Notice that about 80 percent of the information in your organization is primarily for internal or private use. This information includes memos, working papers, financial data, and information records, among other things.
Public Information
Public information is primarily information that is made available either to the larger public or to specific individuals who need it. Financial statements of a privately held organization might be information that is available publicly, but only to individuals or organizations that have a legitimate need for it. An organization needs to develop policies about what information is available and for what purposes it will be disseminated. It's also helpful to make sure that members of the organization know who has authorization to make these kinds of disclosures. Good policies help prevent accidents with sensitive information.
Limited distribution information isn't intended for release to the public. This category of information isn't secret, but it's private. Limited distribution information can be released to select individuals and organizations, such as financial institutions, governmental agencies, and creditors. An End User License Agreement (EULA), by its nature, is not for absolutely everyone, just those who purchase the software, but it isn't a top-secret document either; it could therefore be classified as limited distribution. A Nondisclosure Agreement (NDA) tells a software beta tester what privacy requirements exist for the product.
Full distribution information, such as marketing materials, should be available to everyone. Larger organizations have a corporate communications department that is responsible for managing this process.
Private Information
Private information is intended only for use internally in the organization. This type of information could potentially embarrass the company, disclose trade secrets, or adversely affect personnel. Internal information includes personnel records, financial working documents, ledgers, customer lists, and virtually any other information that is needed to run a business. In the case of personnel and medical records, disclosure to unauthorized personnel creates liability issues.
Restricted information could seriously damage the organization if disclosed. It includes proprietary processes, trade secrets, strategic information, and marketing plans. In many cases, this type of information is also placed on a need-to-know basis: unless you need to know, you won't be informed.
Government and Military Classifications
- Unclassified: indicates that the information poses no risk of potential loss due to disclosure. Anybody can gain access to this category of information. Many training manuals and regulations are unclassified.
- Sensitive but Unclassified: used for low-level security. It indicates that disclosure of this information might cause harm but wouldn't harm national defense efforts.
- Confidential: identifies low-level secrets; it's generally the lowest level of classification used by the military. It's used extensively to prevent access to sensitive information. Information lower than Confidential is generally considered Unclassified. The Confidential classification, however, allows information to be withheld from release under the Freedom of Information Act.
- Secret: information that, if disclosed, could cause serious and irreparable damage to defense efforts. Secret information requires special handling, training, and storage, and is considered a closely guarded secret of the military or government. The military views the unauthorized disclosure of Secret information as criminal and potentially treasonous.
- Top Secret: the highest classification level. There are rumored to be higher levels of classification, but the names of those classifications are themselves classified Top Secret. Releasing information that is classified as Top Secret poses a grave threat to national security, and therefore it must not be compromised.
Information Access Controls
Implicit deny is an access control practice in which a resource is available only to users who have been explicitly granted access; a request that matches no explicit grant is refused even though it was never explicitly denied. Least privilege is an access control principle best summed up as "less is more": an account is granted no more access rights than the bare minimum needed to perform its assigned tasks. Job rotation is an extension of separation of duties. Rotating administrative users between roles improves awareness of the mandates of each role and makes it much harder for fraudulent activity to be sustained without detection.
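The following added example (not code from the original slides) shows what implicit deny and least privilege look like when written down as an access-control list evaluator: a request succeeds only when some role of the user has been explicitly granted the action, an explicit deny always wins, and a request that matches nothing falls through to "deny". The roles, users, and resources are constructed for the demonstration.

```python
from dataclasses import dataclass, field

# Added example, not from the original slides: an access-control list evaluated
# with implicit deny. Roles, users and resources are constructed for the demo.


@dataclass
class Acl:
    # (role, resource) -> set of actions explicitly granted
    grants: dict = field(default_factory=dict)
    # (role, resource, action) explicitly denied; a deny always wins over a grant
    denies: set = field(default_factory=set)

    def allow(self, role: str, resource: str, *actions: str) -> None:
        self.grants.setdefault((role, resource), set()).update(actions)

    def deny(self, role: str, resource: str, action: str) -> None:
        self.denies.add((role, resource, action))


def is_allowed(acl: Acl, user_roles: set, resource: str, action: str) -> bool:
    """Implicit deny: the request succeeds only if some role of the user is
    explicitly granted the action on the resource and no explicit deny applies.
    A request that matches nothing at all falls through to False."""
    if any((role, resource, action) in acl.denies for role in user_roles):
        return False
    return any(action in acl.grants.get((role, resource), ()) for role in user_roles)


def build_demo_acl() -> Acl:
    """Least privilege: each role gets only the actions its job requires."""
    acl = Acl()
    acl.allow("clerk", "ledger", "read")
    acl.allow("accountant", "ledger", "read", "write")
    acl.allow("staff", "hr-files", "read")
    # narrows what a contractor who also holds the staff role can see
    acl.deny("contractor", "hr-files", "read")
    return acl


if __name__ == "__main__":
    acl = build_demo_acl()
    requests = [({"clerk"}, "ledger", "read"),
                ({"clerk"}, "ledger", "write"),
                ({"clerk"}, "payroll", "read"),          # no rule at all: implicitly denied
                ({"staff", "contractor"}, "hr-files", "read")]
    for roles, resource, action in requests:
        verdict = "ALLOW" if is_allowed(acl, roles, resource, action) else "DENY"
        print(sorted(roles), resource, action, "->", verdict)
```

The "payroll" request is the implicit-deny case: nobody wrote a rule about it, and that absence is what keeps it closed. Adding a new resource therefore never widens access until someone deliberately grants it.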
Bell-LaPadula Model
The Bell-LaPadula model is intended to protect the confidentiality of information. It was designed for the military to address the storage and protection of classified information, and it is specifically designed to prevent unauthorized access to classified information. This is accomplished by prohibiting users from reading above their security level (no read up, the simple security property) and from writing below their security level (no write down, the *-property). If you're authorized to access Secret information, you aren't allowed to access Top Secret information, nor are you allowed to write to the system at a level lower than Secret. Preventing a write down keeps a user from accidentally breaching security by writing Secret information to the next lower level, Confidential. (Figure: the Bell-LaPadula model. Notice that you can't read up or write down: a user can't read information at a higher level than they're authorized to access, and a person writing a file can't write to a lower level than the one they're authorized for.)
The Biba Model
The Biba model is similar in concept to the Bell-LaPadula model, but it's concerned with information integrity, an area the Bell-LaPadula model doesn't address. In this model, there is no write up and no read down. In short, if you're assigned to the Top Secret integrity level, you can't read Secret information or write to any level higher than the level to which you're authorized. This keeps higher-level information pure by preventing less reliable information from being mixed into it. The Biba model was developed primarily for industrial uses, where confidentiality is usually less important than integrity. Biba differs from Bell-LaPadula in using a lattice of integrity levels that allows information to flow downward but not upward. (Figure: the Biba model.)
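Because the two models are mirror images of each other, one short piece of code covers both. This added example (not from the original slides) encodes the ordered levels from the government classification list and implements the two Bell-LaPadula rules (no read up, no write down) beside the two Biba rules (no read down, no write up). The documents and subjects are constructed for the demonstration.

```python
# Added example, not from the original slides: enforcing the Bell-LaPadula
# confidentiality rules and the Biba integrity rules over one ordered set of
# levels. Level names are taken from the government classification list;
# the subjects and documents below are constructed for the demonstration.

LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def dominates(a: str, b: str) -> bool:
    """True if level a is at or above level b in the lattice."""
    return RANK[a] >= RANK[b]


# Bell-LaPadula (confidentiality): compare the subject's clearance with the
# object's classification.
def blp_can_read(clearance: str, classification: str) -> bool:
    """Simple security property: no read up."""
    return dominates(clearance, classification)


def blp_can_write(clearance: str, classification: str) -> bool:
    """*-property: no write down. Writing at or above your own level is permitted."""
    return dominates(classification, clearance)


# Biba (integrity): compare the subject's integrity level with the object's.
def biba_can_read(subject_integrity: str, object_integrity: str) -> bool:
    """Simple integrity property: no read down, so low-integrity data cannot
    contaminate a high-integrity subject."""
    return dominates(object_integrity, subject_integrity)


def biba_can_write(subject_integrity: str, object_integrity: str) -> bool:
    """*-integrity property: no write up."""
    return dominates(subject_integrity, object_integrity)


def readable_under_blp(clearance: str, documents: dict) -> list:
    """Documents (name -> classification) that a subject with this clearance may read."""
    return sorted(name for name, level in documents.items()
                  if blp_can_read(clearance, level))


if __name__ == "__main__":
    docs = {"training-manual": "Unclassified", "ops-order": "Secret", "war-plan": "Top Secret"}
    print("Secret user may read:", readable_under_blp("Secret", docs))
    print("Secret user may write a Confidential file:", blp_can_write("Secret", "Confidential"))
    print("Secret user may write a Top Secret file:", blp_can_write("Secret", "Top Secret"))
    print("Top Secret integrity subject may read Secret integrity data:",
          biba_can_read("Top Secret", "Secret"))
```

Note that the strict *-property lets a Secret subject write into a Top Secret file it cannot read back; real systems usually tighten this to writes at the subject's own level only (the "strong" *-property), and the same tightening applies to Biba's reads.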
The Clark-Wilson Model
The approach is a little different from either the Biba or the Bell-LaPadula method. In the Clark-Wilson model, data can't be accessed directly: it must be accessed through applications that have predefined capabilities. This prevents unauthorized modification, errors, and fraud. If a user needs access to information at a certain level of security, a specific program is used. This program may only allow read access to the information; if a user needs to modify data, another application must be used. This allows a separation of duties in that individuals are granted access only to the tools they need. All transactions have associated audit files and mechanisms to report modifications. Many software-management programs work by using this method of security. The Clark-Wilson model focuses on business applications and consistency. (Figure: the Clark-Wilson model. Access to information is gained through a program that specializes in access management; this can be either a single program that controls all access or a set of programs that control access.)
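The following added example (not code from the original slides) shows the mechanics the slide describes: the data (constrained data items) is changed only through certified transformation procedures, each user is certified for particular procedures, an integrity check runs after every procedure and rolls back anything that would leave the data invalid, every attempt is logged, and a separation-of-duties check confirms that no one user can run two conflicting procedures. The users, procedures, and account balances are constructed for the demonstration.

```python
# Added example, not from the original slides: a Clark-Wilson style system.
# Constrained data items (CDIs) can only be changed through certified
# transformation procedures (TPs), each user is certified for particular TPs,
# an integrity verification procedure (IVP) re-checks the data after every TP,
# and every attempt is logged. Users, TPs and account data are constructed.


class ClarkWilsonSystem:
    def __init__(self, cdis: dict):
        self.cdis = dict(cdis)      # constrained data items: account -> balance
        self.tps = {}               # TP name -> function(cdis, *args)
        self.certified = set()      # (user, TP name) pairs permitted to run
        self.audit_log = []         # (user, TP, args, outcome)

    def register_tp(self, name, func, users):
        """Certify a TP and the users allowed to invoke it."""
        self.tps[name] = func
        self.certified.update((u, name) for u in users)

    def ivp(self):
        """Integrity verification procedure: no account may go negative."""
        for account, balance in self.cdis.items():
            if balance < 0:
                raise ValueError(f"{account} would be overdrawn")

    def run(self, user, tp_name, *args) -> bool:
        """The only sanctioned path to a CDI. True if the TP ran and left the data valid."""
        if (user, tp_name) not in self.certified or tp_name not in self.tps:
            self.audit_log.append((user, tp_name, args, "DENIED"))
            return False
        snapshot = dict(self.cdis)
        try:
            self.tps[tp_name](self.cdis, *args)
            self.ivp()
        except (ValueError, KeyError) as exc:
            self.cdis = snapshot    # roll back: a TP must take valid state to valid state
            self.audit_log.append((user, tp_name, args, f"REJECTED: {exc}"))
            return False
        self.audit_log.append((user, tp_name, args, "OK"))
        return True

    def separation_of_duties_ok(self, tp_a, tp_b) -> bool:
        """No single user may be certified for both TPs."""
        users_a = {u for u, tp in self.certified if tp == tp_a}
        users_b = {u for u, tp in self.certified if tp == tp_b}
        return not (users_a & users_b)


# Transformation procedures
def transfer(cdis, src, dst, amount):
    cdis[src] -= amount
    cdis[dst] += amount


def adjust(cdis, account, delta):
    """A correcting entry, reserved for supervisors so a teller cannot both move and create funds."""
    cdis[account] += delta


def build_demo():
    system = ClarkWilsonSystem({"acct-A": 100, "acct-B": 50})
    system.register_tp("transfer", transfer, users=["teller"])
    system.register_tp("adjust", adjust, users=["supervisor"])
    return system


if __name__ == "__main__":
    s = build_demo()
    s.run("teller", "transfer", "acct-A", "acct-B", 30)     # OK
    s.run("teller", "transfer", "acct-A", "acct-B", 500)    # rejected by the IVP, rolled back
    s.run("teller", "adjust", "acct-A", 10)                 # denied: not certified for this TP
    for entry in s.audit_log:
        print(entry)
    print(s.cdis, "separation of duties ok:", s.separation_of_duties_ok("transfer", "adjust"))
```

In a real deployment the CDIs would live behind an interface that exposes nothing but the certified procedures; the Python dictionary here is reachable directly only because the example is kept short.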
Information Flow Model
The Information Flow model is concerned with the properties of information flow, not only the direction of the flow. Both the Bell-LaPadula and Biba models are concerned with information flow in predefined manners; they're considered Information Flow models. However, this more general Information Flow model is concerned with all information flow, not just up or down. This model requires that each piece of information have unique properties, including operation capabilities. If an attempt were made to write lower-level information to a higher level, the model would evaluate the properties of the information and determine whether the operation was legal. If the operation were illegal, the model would prevent it from occurring. (Figure: the Information Flow model.)
Noninterference Model
The Noninterference model is intended to ensure that higher-level security functions don't interfere with lower-level functions. In essence, if a higher-level user were changing information, the lower-level user wouldn't know about or be affected by the changes. This approach prevents the lower-level user from being able to deduce what changes are being made to the system. (Figure: the Noninterference model. Notice that the lower-level user isn't aware that any changes have occurred above them.)
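Noninterference can be tested directly, which is what makes it useful beyond the diagram. The added example below (not from the original slides) uses the standard "purge" formulation: a system is noninterfering for a set of input traces if removing every high-level input from a trace leaves the low-level user's outputs unchanged. It runs the test against a constructed toy system, a pool of work slots shared by a high and a low user, in two versions: a leaky one where the low user's "how many slots are free?" query reveals high-level activity, and a fixed one where the low user sees only its own fixed partition.

```python
# Added example, not from the original slides: checking a two-level system for
# noninterference with the "purge" test: the low user's view of a run must equal
# the view of the same run with every high-level input removed. The system (a
# pool of slots shared by a high and a low user) and the traces are constructed.

POOL_SIZE = 4
LOW_PARTITION = 2


def run_system(inputs, leaky: bool):
    """inputs: list of (level, action). Returns the outputs visible to the low user.
    'alloc' takes a slot; 'free_slots' asks how many slots remain."""
    used = {"high": 0, "low": 0}
    low_outputs = []
    for level, action in inputs:
        if action == "alloc":
            used[level] += 1
        elif action == "free_slots" and level == "low":
            if leaky:
                # the answer depends on high-level allocations: a covert channel
                low_outputs.append(POOL_SIZE - used["high"] - used["low"])
            else:
                # the low user sees only its own fixed partition
                low_outputs.append(LOW_PARTITION - used["low"])
    return low_outputs


def purge_high(inputs):
    """The same trace with every high-level input removed."""
    return [x for x in inputs if x[0] == "low"]


def is_noninterfering(system, traces) -> bool:
    """Holds for these traces if high inputs never change low outputs."""
    return all(system(trace) == system(purge_high(trace)) for trace in traces)


def find_violation(system, traces):
    """First trace whose low view changes when high inputs are purged, else None."""
    for trace in traces:
        if system(trace) != system(purge_high(trace)):
            return trace
    return None


TRACES = [
    [("low", "free_slots")],
    [("high", "alloc"), ("low", "free_slots")],
    [("high", "alloc"), ("high", "alloc"), ("low", "alloc"), ("low", "free_slots")],
    [("low", "alloc"), ("high", "alloc"), ("low", "free_slots")],
]

if __name__ == "__main__":
    leaky = lambda t: run_system(t, leaky=True)
    fixed = lambda t: run_system(t, leaky=False)
    print("leaky system noninterfering:", is_noninterfering(leaky, TRACES),
          "first violation:", find_violation(leaky, TRACES))
    print("fixed system noninterfering:", is_noninterfering(fixed, TRACES))
```

The leaky version fails on the second trace: the low user sees 3 free slots instead of 4, and from that alone can deduce that a high-level allocation happened. Partitioning the resource removes the channel, which is the same reason real systems avoid sharing counters, caches, or timing between levels.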
Complying with Privacy and Security Regulations
The Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, mandates national standards and procedures for the storage, use, and transmission of personal medical information. HIPAA covers three areas (confidentiality, privacy, and security of patient records), and it has been implemented in phases to make the transition easier. The penalties for HIPAA violations are very stiff: they can be as high as $250,000 depending on the circumstances. Medical practices are required to appoint a security officer. All related parties, such as billing agencies and medical records storage facilities, are required to comply with these regulations.
The Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act, also known as the Financial Modernization Act, requires financial institutions to develop privacy notices and to notify customers that they are entitled to privacy. The act prohibits banks from releasing information to nonaffiliated third parties without permission. Many consumer groups have criticized the implementation of this act by financial institutions. Employees need to be trained on information security issues, and security measures must be put in place and tested to verify information privacy. The act requires banks to explain their information-sharing policies to individual consumers, and customers have the ability to "opt out" of sharing agreements. The act prohibits institutions from sharing account information for marketing purposes, and it prohibits gathering information about customers using false or fraudulent methods (pretexting). Its privacy provisions took effect in July 2001. Financial officers and the board of directors can be held criminally liable for violations.
Complying with Privacy and Security Regulations
The Computer Fraud and Abuse Act
The original law was introduced to address issues of fraud and abuse that weren't well covered under existing statutes. The law was updated in 1994, in 1996, and again in 2001. This act gives federal authorities, primarily the FBI, the ability to prosecute hackers, spammers, and others, and in some cases to treat computer intrusions as acts of terrorism. The law is primarily intended to protect government and financial computer systems from intrusion. Technically, if a governmental system, such as an Internet server, were used in the commission of the crime, virtually any computer user who could be shown to have any knowledge of or part in the crime could be prosecuted. The law is comprehensive and allows for stiff penalties, fines, and imprisonment of up to 10 years for convictions under this statute.
The Family Educational Rights and Privacy Act
The Family Educational Rights and Privacy Act (FERPA) dictates that educational institutions may not release student information to unauthorized parties without the express permission of the student or, in the case of a minor, the student's parents. This act also requires that educational institutions disclose any records kept on a student when demanded by that student. This law has had a huge impact on the privacy requirements for student records. A violation jeopardizes the school's federal funding.
Complying with Privacy and Security Regulations
The Computer Security Act of 1987
The Computer Security Act requires federal agencies to identify and protect computer systems that contain sensitive information. This law requires agencies that keep sensitive information to conduct regular training and audits, and to implement procedures to protect privacy. All federal agencies must comply with this act.
The Cyberspace Electronic Security Act
The Cyberspace Electronic Security Act (CESA), proposed in 1999, would give law enforcement the right to gain access to encryption keys and cryptography methods. The initial version allowed federal law enforcement agencies to secretly use monitoring, electronic capturing equipment, and other technologies to access and obtain information. These provisions were later stricken from the bill, although federal law enforcement agencies were given a large amount of latitude to conduct investigations relating to electronic information. The act generated a lot of discussion about what capabilities should be allowed to law enforcement in the detection of criminal activity.
Complying with Privacy and Security Regulations
The Cyber Security Enhancement Act
The Cyber Security Enhancement Act of 2002 allows federal agencies relatively easy access to ISPs and other data-transmission facilities to monitor the communications of individuals suspected of committing computer crimes using the Internet. The act is also known as Section 225 of the Homeland Security Act of 2002.
The Patriot Act
The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001 was passed partly in response to the attacks of September 11, 2001. This law gives the U.S. government extreme latitude in pursuing criminals who commit terrorist acts, and the definition of a terrorist act is broad. The law provides for relief to victims of terrorism as well as the ability to conduct virtually any type of surveillance of a suspected terrorist. At the time of writing, this act was under revision and likely to be expanded.
Understanding Social Engineering
Social engineering is the use of human-intelligence methods to gain access to, or information about, your organization. It relies on the inherent trust and gullibility of people, rather than on technology, to gain access to your environment. A skilled con man can acquire this information easily just by talking. Social engineering is a low-tech attack because it requires minimal software and computer skills. It is often the most successful type of attack against computer systems, especially when the security technology is properly implemented and configured, because people then become the weakest remaining link. A hacker typically uses social engineering to gain user names and passwords or sensitive documents by non-technical means, such as posing as an employee or dumpster diving.
A common approach starts with a phone call or an e-mail from a "software vendor" telling you that they have a critical fix that must be installed on your computer system. If this patch is not installed right away, your system will crash and you will lose all of your data. For some reason, you have changed your maintenance account password and they can't log on. Your systems operator gives the password to the caller and, bingo, the attacker is in.
Because a social engineering attack is perceived as unlikely, it is very often the last risk a company addresses, and it is ignored until it happens. A hacker can perform social engineering by using methods such as instant messaging, the telephone, and face-to-face communication. Employees should be trained to require some form of ID before giving sensitive information about the company to a stranger. Knowing what to say and what not to say will go a long way toward preventing this type of attack from being successful. Measures that help defend against social engineering attacks:
- Hire qualified staff
- Require employees to attend security awareness training
- Don't tell anyone your password or user ID
- Use a stronger method of authentication, such as multifactor authentication, so that a disclosed password alone is not enough
Types of Social Engineering Attacks
Shoulder surfing uses direct observation techniques. It gets its name from looking over someone's shoulder to obtain passwords, credit card numbers, or other pertinent information. Shoulder surfing is an effective way to get information in crowded places such as airports, conventions, or coffee shops because it's relatively easy to stand next to someone and watch as the person enters a PIN, password, credit card number, or other pertinent information. The best defense against shoulder surfing is simply to survey your environment before entering personal data.
Dumpster diving is a common physical access method. Dumpsters may contain information that is highly sensitive in nature. Equipment is sometimes put in the garbage because city laws do not require special disposal. Because intruders know this, they can scavenge through discarded equipment and documents and extract sensitive information without ever contacting anyone in the company.
Types of Social Engineering Attacks
Eavesdropping is the process of listening in on or overhearing parts of a conversation; it also includes attackers listening in on your network traffic. This type of attack is generally passive.
Impersonation occurs when an intruder masquerades as a repair technician, company guest, or maintenance worker to gain access to the company's premises.
Tailgating occurs when an intruder follows an authorized individual through a door that person has opened, slipping in before the door closes. Turnstiles, double-entry doors (mantraps), and security guards are all examples of preventive measures that attempt to defeat tailgating.
Types of Social Engineering Attacks
Spoofing occurs when an attacker pretends to be something they are not in order to gain access. In a spoofing attack, also referred to as a masquerading attack, a person or program successfully masquerades as another person or program. IP spoofing refers to modifying the source IP address field in an IP datagram to imitate a packet originating from an authorized source; the target then communicates with the attacker's computer and provides access to restricted resources. Some spoofing attacks instead misdirect domain name resolution and, with it, Internet traffic. DNS poisoning is the practice of planting false IP address and host name mappings with the goal of diverting traffic: the traffic is misdirected because the DNS server resolves the domain name to an incorrect IP address. DNS security extensions (DNSSEC) let a properly configured server sign its records so that resolvers can validate the answers they receive, which defeats poisoning; modern resolvers also randomize their source ports and transaction IDs so that forged replies are much harder to slip into the cache. A very common spoofing attack that was popular for many years involved a programmer writing a fake logon program that prompted the user for a user ID and password. Other types of spoofing attacks, apart from IP spoofing, are:
- E-mail spoofing
- Web spoofing
- Man-in-the-middle, which is both a spoofing attack and a session hijacking attack
This type of attack is usually considered an access attack.
The attacker in this situation impersonates the server to the client attempting to log in. No matter what the client attempts to do, the impersonating system fails the login. When this process is finished, the impersonating system disconnects from the client. The client then logs in to the legitimate server. In the meantime, the attacker now has a valid user ID and password. (Figure: a spoofing attack during logon.)
Types of Social Engineering Attacks
Interception can be either an active or a passive process. A passive interception would involve someone who routinely monitors network traffic. Active interception might include putting a computer system between the sender and receiver to capture information as it is sent. From the victim's perspective, either form is a covert process.
Vishing is phishing carried out over the telephone, typically using Voice over IP (VoIP), which makes calls cheap and caller ID easy to fake.
Spear phishing: the person conducting it uses information that the target would be less likely to question because it appears to come from a trusted source. Because it appears far more likely to be legitimate, it cuts through the user's standard defenses like a spear. Generating the attack requires more work and usually involves contact lists, friend lists, and so on.
Whaling is nothing more than phishing or spear phishing aimed at high-value targets. The whaler identifies one person from whom they can gain all the data they want, usually a manager or owner, and targets the phishing campaign at them.