
1 Information Security Fundamentals David Veksler

2 Who is this talk for?
- Non IT experts
- Those working with confidential information
- Especially in parts of the world with high informational security risks

3 Why should I care about security?
- Can’t I just hire someone and/or install software to protect myself?

4 Why should I care about security?
- In most organizations, any IT administrator can read and alter any other employee's email without any knowledge or record.
Mr Smith was an executive building a new manufacturing plant in China. The support technicians in his IT department had access to the corporate mail server. One of them was hired by a competitor. Before he left, he logged on to the mail server and downloaded the entire mail archive for Mr Smith, including the design plans for the new assembly line. The company did not discover the leak until the competitor built their own production line and released a competing product on the market.

5 Why should I care about security?
- A tiny device with a built-in cellular modem can act as a Trojan horse to open your network to outsiders.
Widget Corp produces software for sale worldwide. An agent for their competitors walked into one of their offices and installed a plugbot (theplugbot.com). The plugbot was able to sniff a domain password and send it over the built-in cellular modem. From there, the attacker established remote access to the corporate data server. A few months later, Widget Corp suddenly had a new competitor in the market.

6 Why should I care about security?
"It has become the Wild West on that other side of the globe. There is little or no respect for Intellectual Property. Copyrights and patents are ignored. Accounting issues have recently also come into question for many Chinese companies that have bought U.S. shell corporations to simplify the process of going public in the West. Rough and tumble attitudes must be expected. Any American company doing business in China must anticipate the worst even as it hopes for the best in expanded marketing opportunities."
superconductor-destroyed-for-a-tiny-bribe/

7 Why should I care about security?
"In terms of outright theft of intellectual property, there is growing evidence that China’s intelligence agencies are involved, as attacks spread from hits on large technology companies to the hacking of startups and even law firms. “The government can basically put their hands in and take whatever they want,” says Michael Wessel, who sits on the U.S.-China Economic and Security Review Commission that reports to Congress. “We need to take more actions and protect our intellectual property.”"
Inside the Chinese Boom in Corporate Espionage (http://www.businessweek.com/articles/ /inside-the-chinese-boom-in-corporate-espionage)

8 Why should I care about security?
“There have been a large number of corporate spying cases involving China recently… as the toll adds up, political leaders and intelligence officials in the U.S. and Europe are coming to a disturbing conclusion. “It’s the greatest transfer of wealth in history,” General Keith Alexander, director of the National Security Agency, said at a security conference at New York’s Fordham University in January.”

10

11 Contents
- Part 1: Secure web browsing
- Part 2: Secure networks
- Part 3: Secure email and IM
- Part 4: Securing operating systems & mobile devices
- Part 5: Securing organizations
- Conclusion: limitations of security measures

12 Choosing a web browser
- Why web browsers matter
- Internet Explorer: upgrade to 9+ or switch to:
- Chrome: recommended for personal use
- Get HTTPS Everywhere & AdBlock
- Firefox as a multi-tool

13 Plugging privacy leaks
- Keep your browser up to date
- Disable unused plugins
- AdBlock: it’s not just for blocking ads
- Block third party cookies
- Using Private Mode
- Cleaning your tracks with CC Cleaner

14 Securing your surfing
- HTTPS Everywhere
- OpenDNS/Google DNS
- DNSCrypt
- VPN (details later)

15 Advanced: monitoring web traffic
- Outgoing firewalls: Zone Alarm (Windows), Little Snitch (OS X)
- Monitoring network traffic with Wireshark

16 Part 2: Secure Networks: Virtual Private Networks
- VPN options
- PPTP: simple, supported by mobile devices, only safe for personal use
- L2TP: best for corporations: supports digital certificates
- Open VPN: free, open-source

17 Alternative VPN Solutions
- LogMeIn Hamachi: simple ad-hoc and hub and spoke VPN
- SSH Tunneling

18 Browser helpers for VPNs
- Proxy Switchy (Chrome)
- Foxy Proxy (Firefox)
- Proxy Scripting – works with Proxy Switchy when configured in Chrome (IE)

19 Advanced: Running your own proxy
- Why run a proxy locally?
- Optimize, secure, accelerate traffic
- Control access to outside network
- Privoxy (recommended)
- GlimmerBlocker (OS X)
- Squid (Unix)
- Polipo (Unix, Windows, OS X)

20 Part 3: Secure email and IM: Encryption Tools

21 Symmetric encryption

22 Asymmetric encryption

23 Secure email
- Corporate
- Digital Certificates & Signing
- Get a free cert at
- PGP: PGP Desktop, GnuPG

24 Secure Instant Messaging
- Corporate Instant Messaging: Microsoft: Skype, Lync, Office Communications Server
- Personal Instant Messaging
- Off-The-Record plugin for: Pidgin (Windows), Adium (OS X)

25 Part 4: Securing Operating Systems: OS Hardening

26 Basic OS Hardening
- Secure your login mechanism
- Password protect access to your desktop
- Admin privileges & user level accounts: run as a user-level account; require password to login
- Disable file sharing on the network
- Enable automatic updates
- Disable unused user accounts

27 Anti-Virus Options
- Do you need Anti-Virus software?
- Anti-Virus for Individuals
- Windows Defender
- Avast
- Many free options
- F-Secure, Trend Micro Office Scan
- Tip: Don't use Norton or McAfee!

28 Anti-Malware Options
- Do you need Anti-Malware software?
- Recommended Anti-Malware:
- Microsoft’s Windows Defender
- Spybot S&D (Free)
- Malware Bytes (Free/Pro)

29 Whole disk encryption
- What is it? Do you need it?
- True Crypt (multiplatform)
- Bitlocker (Windows)
- File Vault (Apple)
- PGP Whole Disk Encryption
- Symantec Endpoint Encryption

30 Advanced: Tips from the Pros
- OS Hardening guides from the NSA: Windows, OS X
- Security tips from the NSA for all OS’s

31 Advanced: OS Isolation
- Portable (Live) OS
- Portable apps
- Virtual Machines
- Only an “air gap” is safe for mission critical data!

32 OS Specific Considerations
- OpenBSD: when security is mission-critical
- Linux
- Windows Server 2008
- Windows XP
- Windows 7
- OS X

33 Securing your smartphone
- Notes on locking:
- Only protects against casual theft
- Cloud storage risks
- Remote wipes

34 Part 5: Secure Organizations: physical security, social engineering, and other considerations

35 Physical security
- Human factors
- Physical security
- International travel
- Asset management & theft prevention

36 Social Engineering
- Inside threats
- Social engineering
- “Need to access” policies

37 Advanced: Threat discovery
- Process Explorer
- Rootkit detectors:
- Microsoft: Rootkit Revealer
- Avast: GMER
- RootkitHunter

38 Conclusion: Limitations of Information Security
- Limitations of software measures
- Limitations of hardware measures
- Cost vs. benefit of security measures

39 The End
Technologies mentioned in this presentation have links to more information – get a copy of the PowerPoint from me

