Your Users, Friend or Foe?
Matthew Sullivan
IT Security Manager, the University of Canberra
Creator, the Spam and Open Relay Blocking System (SORBS)
About this Talk
– Provoking discussion.
– The Network Security Problem.
– To firewall, or not?
– Old school, or just forgotten?
– Some examples.
– How does it affect you?
Provoking Discussion
– These slides are not to teach; they are to remind.
– We hear lots of talk about what we should and shouldn’t do. Why don’t we ask?
– Windows Vista:
  – Great new time-saving product,
  – New, smarter and more secure OS,
  – Or cash cow designed to line the pockets of shareholders?
  – Or even something to drive the American economy?
The Network Security Problem
– Securing against outside attack: the priority?
– Securing against inside attack?
– Security of the desktop?
– Securing against stupidity?
To Firewall or not?
– Everyone has a firewall. Or do they?
– Who thinks they are secure because they are firewalled?
– Who thinks they are not secure without one?
Old School, or just forgotten?
– Head count:
  – How many hosts ( 1k)?
  – How many seats ( 1k)?
  – Who is firewalling?
  – Who has email gateways?
  – Who has had a host hacked ( 1yr)?
– Firewalls are only needed to prevent stupidity.
– Without stupid people we wouldn’t need them.
– Without nasty people we wouldn’t need them either….
An example (home user)
– Senior Unix Admin working for Customs.
– Can’t make Zone Alarm work with a program.
– Installs VNC for help.
– Opens the VNC port in the firewall.
– Doesn’t set a password.
– 18 hours later, “hacker attack”.
– RootkitRevealer reveals nothing.
– Machine under full remote control.
An Example (Professional)
– Professor, external project.
– Has 2 servers, RedHat and Windows 2003.
– Machines are “Servers” for a custom app.
– ITSec alerted to scanning at 03:30, 5th Feb ’07.
– 10:00: “Networks” blocked external access.
– 15:30, 6th Feb ’07: machine and owner located. Operator and Professor wondering why Windows 2003 was ‘having problems’.
– 15:35, 6th Feb: machine removed from the internal network.
– 13:00, 8th Feb: ITSec asked to examine the machine. RootkitRevealer indicated an unidentified rootkit.
– 9th Feb: machine re-installed.
So what’s the Problem?
– Unix Admin opens a port in the firewall, doesn’t secure the service.
– Professor hasn’t patched the Win 2003 server; a common IIS exploit is used to ‘root’ the server.
– Both ask ITSec why the firewall didn’t stop the “hacker”…?
How does this affect you?
– So what are the risks here…?
  – A server hacked on the corporate network?
  – A home user, with their computer hacked?
  – A mobile user with a laptop?
– Another example, the Chinese laptop:
  – Staff member takes a laptop to China.
  – Laptop gets infected with a ‘Drive/Share’ virus.
  – Staff member hands a USB drive around.
  – 5+ machines get infected…
Conclusion
– Firewalls don’t make you secure.
– Good network practices keep you secure.
– Successful attacks often start inside.
– Getting inside is the biggest hurdle. Using your staff against you makes it easier.
– VPNs need to be considered carefully.
  » Enforce controls about what can connect.
  » Ensure good home hygiene if you use VPNs.
– Monitor your internal network.
– Consider your internal network “hostile” if you allow external access.
– Laptops are equivalent to home machines.
The Last Word
– Be proactive. Look for problems.
  » Use scanning tools internally.
  » Use IDSs.
  » Give access to those who need it.
– Don’t make things too difficult for users.
  » Making it more difficult for users will result in users making it easier for themselves.
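The home-user example turned on a VNC listener exposed through a firewall hole with no password set, and the last slide says to scan internally for exactly this kind of problem. The following added example (not from the talk) shows what such an internal check looks like: it parses the RFB handshake a VNC server sends, where security type 1 (“None”) means the server will hand out a session without any authentication. The sample handshakes are constructed; the host, port and timeout values in `check_vnc_host` are assumed defaults for machines you administer.

```python
import socket
import struct

# RFB security-type codes from the VNC protocol spec: 1 = "None" (no password at all).
RFB_SEC_NONE = 1
RFB_SEC_VNC_AUTH = 2

# Constructed sample handshakes: server version banner followed by its security offer.
SAMPLES = {
    "open-3.8":   b"RFB 003.008\n" + b"\x02\x01\x02",      # offers None and VNC auth
    "locked-3.8": b"RFB 003.008\n" + b"\x01\x02",          # VNC auth only
    "open-3.3":   b"RFB 003.003\n" + b"\x00\x00\x00\x01",  # RFB 3.3 sends one u32 type
}


def parse_rfb_security(server_bytes: bytes) -> dict:
    """Parse what a VNC server sent during the handshake and report whether it
    will accept a session with no authentication at all."""
    if len(server_bytes) < 12 or not server_bytes.startswith(b"RFB "):
        raise ValueError("not an RFB banner")
    version = server_bytes[4:11].decode("ascii")          # e.g. "003.008"
    major, minor = (int(part) for part in version.split("."))
    rest = server_bytes[12:]
    if (major, minor) >= (3, 7):
        count = rest[0] if rest else 0                     # 0 means the server refused us
        types = list(rest[1:1 + count])                    # one byte per offered type
    else:
        types = [struct.unpack("!I", rest[:4])[0]]         # RFB 3.3: single big-endian u32
    return {"version": version, "types": types, "unauthenticated": RFB_SEC_NONE in types}


def check_vnc_host(host: str, port: int = 5900, timeout: float = 3.0) -> dict:
    """Connect to one VNC listener on a network you administer and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = sock.recv(12)
        sock.sendall(banner)                               # echo the version to proceed
        offer = sock.recv(260)
    return parse_rfb_security(banner + offer)


def audit_samples() -> dict:
    """Run the parser over the constructed samples; no network access involved."""
    return {name: parse_rfb_security(data)["unauthenticated"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, is_open in audit_samples().items():
        print(f"{name}: {'NO PASSWORD' if is_open else 'auth required'}")
```

A listener that reports `unauthenticated` is the case from the home-user slide: the firewall passed the traffic because the owner told it to, and nothing behind the port asked for credentials.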