
1 Faculty: Scott Greene of Evidence Solutions, Inc.

2  1: Take control of remote sessions ◦ I do a lot of remote support. For that support, I use either LogMeIn or TeamViewer. Inevitably, I run into clients who constantly want to “show me” what’s going on, take over the mouse to point out something different, or even use their machine for something else (like replying to an email that should be able to wait). Outside of annoying any support tech, this does one thing — extends the length of time needed to do a job.

3  2: Give too much irrelevant information about an issue ◦ What I really want to know is that you clicked on an attachment that was in an email. I don’t care to know the email was originated by your grandmother on your father’s side and the email had the most darling picture of kittens and puppies playing together in a field of daisies. I also don’t care that you were sitting at your desk, having your usual lunch of yogurt and sliced apples dipped in caramel when everything started to go down the drain. Get to the point, give me the facts, and I will do my job to the best of my ability.

4  Just because a network has been designed well does not mean it is, or will remain, secure.
 No audit, internal or external, compliance-related or not, can by itself ensure a network is secure.
 The real benefit of designing a secure infrastructure comes from implementing its recommendations on how security controls can be improved, dealing with any concerns reported, & more closely aligning information security needs & risk mitigation with business goals.

5 Provide Access

6  A new web threat is detected every 4.5 seconds. ◦ SophosLabs, published in Sophos Security Threat Report Mid-Year 2011

7  Why the focus on the Web?
  ◦ Because it works!
 Over the last year, we’ve seen major breaches at companies including Sony, RSA, and several U.S. military contractors.
 All from a click on a malicious link.


9  These can help create a framework of security:
  ◦ Health Insurance Portability & Accountability Act (HIPAA) (1996)
  ◦ Gramm-Leach-Bliley (1999)
  ◦ Homeland Security Act (2002)
 Federal Information Security Management Act (FISMA)
  ◦ Federal Information Processing Standard (FIPS) (2010)
  ◦ Payment Card Industry Data Security Standard (PCI / PCIDSS)

10  Federal Information Processing Standards
  ◦ Publicly available standards developed by the United States Federal government for use by all non-military government agencies and by government contractors.
  ◦ Many FIPS standards are modified versions of standards used in the wider community (ANSI, IEEE, ISO, etc.)

11  FIPS is used to manage risk by selecting and implementing security controls in the organizational information system, including:
  ◦ 1) Applying the organization’s approach to managing risk
  ◦ 2) Categorizing the information system and determining the system impact level in accordance with FIPS 199 and FIPS 200, respectively
  ◦ 3) Selecting security controls, including tailoring the initial set of baseline security controls and supplementing the tailored baseline as necessary based on an organizational assessment of risk
  ◦ 4) Assessing the security controls as part of a comprehensive continuous monitoring process

12  Categorize ◦ the information processed, stored, and transmitted by that system

13  Select
  ◦ an initial set of baseline security controls for the information system based on the system impact level and minimum security requirements
  ◦ apply tailoring guidance by supplementing the baseline security controls based on an organizational assessment of risk and local conditions, including environment of operation, organization-specific security requirements, specific threat information, cost-benefit analyses, or special circumstances; and specify assurance requirements

14  Implement ◦ the security controls and document how the controls are employed within the information system and its environment of operation.

15  Assess ◦ The security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

16 Security Categorization
SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}
(confidentiality × impact) + (integrity × impact) + (availability × impact)

17  Confidentiality: ◦ “the property that data or information is not made available or disclosed to unauthorized persons or processes.”

18  Integrity is: ◦ “the property that data or information have not been altered or destroyed in an unauthorized manner.”

19  Availability is: ◦ “the property that data or information is accessible and useable upon demand by an authorized person.”

20  Impact ◦ N/A ◦ Low ◦ Moderate ◦ High
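Slides 16 through 20 give the pieces of a FIPS 199 security categorization: the SC triple and the four impact values. The following is an added Python example, not part of the presentation, that puts the pieces together: it combines the categories of every information type a system handles, taking the high-water mark per objective as FIPS 199 directs, and then derives the single system impact level that FIPS 200 uses to pick the control baseline (again the high-water mark, this time across the three objectives). The two information types and their impact values are constructed sample data.

```python
"""FIPS 199 security categorization: the SC triple from the slide and the
high-water mark that turns it into a single system impact level.

Constructed example (not from the presentation). Impact ordering and the
confidentiality-only N/A rule follow FIPS 199; the system-level high-water
mark follows FIPS 200.
"""
from typing import Dict, Iterable

# Ordering of the four impact values shown on the Impact slide.
IMPACT_ORDER = {"N/A": 0, "Low": 1, "Moderate": 2, "High": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def validate_category(sc: Dict[str, str]) -> None:
    """Reject malformed categories: a missing objective, an unknown impact
    value, or N/A anywhere but confidentiality (FIPS 199 permits N/A only
    for the confidentiality of public information)."""
    for objective in OBJECTIVES:
        if objective not in sc:
            raise ValueError(f"missing objective: {objective}")
        level = sc[objective]
        if level not in IMPACT_ORDER:
            raise ValueError(f"unknown impact value: {level!r}")
        if level == "N/A" and objective != "confidentiality":
            raise ValueError(f"N/A is not a valid impact for {objective}")


def high_water_mark(levels: Iterable[str]) -> str:
    """Return the highest impact value among the given levels."""
    return max(levels, key=lambda lvl: IMPACT_ORDER[lvl])


def categorize_system(information_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Combine the SC triples of every information type the system handles
    into one SC triple for the system: per objective, take the high-water mark."""
    for sc in information_types.values():
        validate_category(sc)
    return {
        objective: high_water_mark(sc[objective] for sc in information_types.values())
        for objective in OBJECTIVES
    }


def system_impact_level(system_sc: Dict[str, str]) -> str:
    """FIPS 200 system impact level: the high-water mark across the three
    objectives. It can never be N/A, because integrity and availability
    never carry that value."""
    return high_water_mark(system_sc.values())


def format_sc(name: str, sc: Dict[str, str]) -> str:
    """Render the SC triple in the {(objective, impact), ...} notation of the slide."""
    body = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return f"SC {name} = {{{body}}}"


# Constructed sample: one server that publishes public web content and also
# hosts a case-records database.
SAMPLE_TYPES = {
    "public web content": {"confidentiality": "N/A", "integrity": "Moderate", "availability": "Low"},
    "case records": {"confidentiality": "High", "integrity": "Moderate", "availability": "Moderate"},
}

if __name__ == "__main__":
    system_sc = categorize_system(SAMPLE_TYPES)
    print(format_sc("information system", system_sc))
    print("system impact level:", system_impact_level(system_sc))
```

Because the high-water mark is taken twice, a single High-confidentiality information type drives the whole system to the High baseline; that is the intended conservatism of the scheme, and the reason systems are often split so that the sensitive data lives on its own, separately categorized system.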

21  Access Control (AC): ◦ Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.

22  Awareness and Training (AT):
  ◦ Organizations must:
     Ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems;
     Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

23  Audit and Accountability (AU):
  ◦ Organizations must:
     Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity;
     Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.

24  Certification, Accreditation, and Security Assessments (CA):
   Organizations must:
    ◦ Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application;
    ◦ Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems;
    ◦ Authorize the operation of organizational information systems and any associated information system connections;
    ◦ Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
© Evidence Solutions, Inc. 2011. The Computer, Technology, and Digital Forensics Firm.

25  Configuration Management (CM):
  ◦ Organizations must:
     Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles;
     Establish and enforce security configuration settings for information technology products employed in organizational information systems.

26  Contingency Planning (CP): ◦ Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.

27  Identification and Authentication (IA): ◦ Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

28  Incident Response (IR):
  ◦ Organizations must:
     Establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities;
     Track, document, and report incidents to appropriate organizational officials and/or authorities.

29  Maintenance (MA):
  ◦ Organizations must:
     Perform periodic and timely maintenance on organizational information systems;
     Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

30  Media Protection (MP):
  ◦ Organizations must:
     Protect information system media, both paper and digital;
     Limit access to information on information system media to authorized users;
     Sanitize or destroy information system media before disposal or release for reuse.

31  Physical and Environmental Protection (PE):
  ◦ Organizations must:
     Limit physical access to information systems, equipment, and the respective operating environments to authorized individuals;
     Protect the physical plant and support infrastructure for information systems;
     Provide supporting utilities for information systems;
     Protect information systems against environmental hazards;
     Provide appropriate environmental controls in facilities containing information systems.

32  Planning (PL): ◦ Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.

33  Personnel Security (PS):
  ◦ Organizations must:
     Ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions;
     Ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers;
     Employ formal sanctions for personnel failing to comply with organizational security policies and procedures.

34  Risk Assessment (RA): ◦ Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.

35  System and Services Acquisition (SA):
  ◦ Organizations must:
     Allocate sufficient resources to adequately protect organizational information systems;
     Employ system development life cycle processes that incorporate information security considerations;
     Employ software usage and installation restrictions;
     Ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.

36  System and Communications Protection (SC):
  ◦ Organizations must:
     Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems;
     Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.

37  System and Information Integrity (SI):
  ◦ Organizations must:
     Identify, report, and correct information and information system flaws in a timely manner;
     Provide protection from malicious code at appropriate locations within organizational information systems;
     Monitor information system security alerts and advisories and take appropriate actions in response.


39  3: Blame the issue on something I (or another tech) did previously ◦ Yes, I’ve worked on your machine before. No, what I did last time to help you remap your K drive had zero effect on the fact that now you can’t get a network connection. Although they may be related, they are not directly cause and effect. Trust me on this. I’m not trying to pull a fast one on you, and I am 100 percent sure that the K drive issue is not related. But on the off chance that you simply will not believe me, I will do everything I can to show you the two are not related in any way. If you still don’t believe me, I have a list of other consultants who will be happy to have your work — until they’re no longer happy to have your work.

40  4: Lie ◦ This one should not need any explanation. But for those who have yet to experience the liar, let me set the stage. There are times when you log into a user’s machine and discover that something obviously has been done — a profile or program deleted — that can be done only by an end user. When an end user has made such a mistake, he or she will sometimes try to deny doing anything to cause the problem. That’s fine. But most support professionals can see through the thinly veiled lie. We know the truth… so it’s okay to admit it.


42  Monitoring vs. Prevention ◦ Monitoring causes the system(s) to report events ◦ Prevention causes the system(s) to interrupt events  May require additional integration between vendors

43  Security is Inconvenient
 Know what you are defending
 Review the current threats often
 Users are unsophisticated
 Anonymous is good at what it does / The bad guys are good at what they do / It is the only thing they do
 Resources / Money / Budget

44  Evaluate Risks and Threats
  ◦ What is critical to your business unit?
  ◦ How do you protect it?
  ◦ How do you prevent downtime?
  ◦ How do you get back up and running quickly?
 Just because you have technology protecting your network doesn’t mean it is all working
 65% of all attacks are internal

45  In 2011 ◦ 39% of email-borne malware consisted of hyperlinks, not attachments; ◦ That’s up from 24% of email in 2010  - Symantec’s Internet Security Threat Report.

46  Almost half of malicious software communicates out over the Internet within 60 seconds of infecting a computer, and about 80% of those communications use some form of Web protocol.  -Websense.

47  It used to be that porn was driving this issue
 Followed closely by gambling
 In the last two years, however, the field has changed; it is now:
 Religious sites

48  Windows 7 allows for Software Restriction Policies (SRPs)
  ◦ The Path Rule
  ◦ The Hash Rule
  ◦ The Publisher Rule
  ◦ Audit mode
  ◦ Configuring AppLocker
  ◦ Experimenting with AppLocker

49  Background of SRPs
  ◦ SRPs have been around since Active Directory 1.0 (Windows 2000); Windows has sported Software Restriction Policies, or SRPs for short, ever since.
  ◦ SRPs allowed administrators to configure their Active Directory networks in one of two ways:
     A blacklist (most common)
     A whitelist (most secure)

50  Background of SRPs
  ◦ A blacklist (most common)
     Allows anything to run except what is on the blacklist.
  ◦ A whitelist (most secure)
     Only lets items run that are on the whitelist.
     What about Notepad, Calculator, etc.?

51  The Path Rule
  ◦ Allows users to run applications from a specific location.
  ◦ It is generally impractical for most organizations.
  ◦ Executables live in a single folder on the user’s workstation (or on the network).
  ◦ Allows for multiple path rules.
  ◦ Becomes unwieldy quickly.
  ◦ “It’s OK to run apps that live in \\SW\GOODAPPS”
     Any user with write permissions can just copy an application to the “goodapps” path and then run it.
  ◦ In AppLocker, default path rules exist to permit running applications in the Windows folder and the Program Files folder.

52  The Hash Rule
  ◦ The hash rule requires that you point Windows to the actual executable file that you wish to allow or deny in your additional rules, so that Windows can generate a cryptographic hash that is specific to that binary file.
  ◦ While the hash rule addresses the ease with which path rules can be circumvented, it presents an additional burden for administrators:
     Plenty of upfront work generating hashes
     New hash rules must be generated every time an executable changes
     Hashes have a slight negative impact on workstation performance

53  The Publisher Rule
  ◦ Avoids the problem of users circumventing path rules by renaming executables
  ◦ Allows administrators to allow or deny certificate-based applications
  ◦ Uses standards like digital signatures
  ◦ Uses publisher rules to specify allowed or disallowed versions
  ◦ Can use a range of versions
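The three rule types on slides 51 through 53 key on different properties of a file, and that decides what happens when a binary is copied into the approved folder, updated by its vendor, or moved elsewhere. The following is an added Python model of the three rule types, not code from the presentation and not Microsoft’s AppLocker implementation: it evaluates each rule over constructed files (the \\SW\GOODAPPS folder is the slide’s; the file bytes, the signer name “Example Software LLC” and the versions are invented stand-ins for a real signed binary).

```python
"""A small model of AppLocker's three rule types over constructed files.

Added example, not Microsoft's implementation: each rule answers "may this
file run?" from a different property of the file, which is exactly why a
copied, updated or moved binary fares differently under each rule.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class File:
    path: str                        # where the executable lives
    content: bytes                   # bytes of the executable (stand-in for a real binary)
    publisher: Optional[str] = None  # subject of the code-signing certificate, if signed
    version: Version = ()            # file version from the signed metadata


Rule = Callable[[File], bool]


def path_rule(allowed_folder: str) -> Rule:
    """Path rule: anything located under the allowed folder may run.
    Nothing about the file's contents is checked."""
    prefix = allowed_folder.lower().rstrip("\\") + "\\"
    return lambda f: f.path.lower().startswith(prefix)


def hash_rule(approved_binary: bytes) -> Rule:
    """Hash rule: only the exact bytes the administrator pointed at may run.
    Location and file name are irrelevant; any change to the bytes is a new hash."""
    approved = hashlib.sha256(approved_binary).hexdigest()
    return lambda f: hashlib.sha256(f.content).hexdigest() == approved


def publisher_rule(publisher: str, min_version: Version,
                   max_version: Optional[Version] = None) -> Rule:
    """Publisher rule: any binary signed by this publisher whose version falls
    inside the range may run. Unsigned files never match."""
    def check(f: File) -> bool:
        if f.publisher != publisher or not f.version:
            return False
        if f.version < min_version:
            return False
        return max_version is None or f.version <= max_version
    return check


# Constructed scenario: an approved reporting tool published to \\SW\GOODAPPS.
GOOD_FOLDER = r"\\SW\GOODAPPS"
APPROVED_BYTES = b"report.exe build 2.0 (constructed stand-in for a real binary)"
RULES: Dict[str, Rule] = {
    "path": path_rule(GOOD_FOLDER),
    "hash": hash_rule(APPROVED_BYTES),
    "publisher": publisher_rule("Example Software LLC", (2, 0), (2, 99)),
}

APPROVED = File(GOOD_FOLDER + r"\report.exe", APPROVED_BYTES, "Example Software LLC", (2, 0))
# A user with write access drops an unapproved, unsigned program into the folder.
COPIED_IN = File(GOOD_FOLDER + r"\unapproved.exe", b"something else entirely")
# The vendor ships an update: same publisher, new bytes, new version.
UPDATED = File(GOOD_FOLDER + r"\report.exe", b"report.exe build 2.1", "Example Software LLC", (2, 1))
# The approved binary is copied unchanged to a user's profile folder.
MOVED = File(r"C:\Users\bob\report.exe", APPROVED_BYTES, "Example Software LLC", (2, 0))


def evaluate(f: File) -> Dict[str, bool]:
    """Which of the three rule types would let this file run?"""
    return {name: rule(f) for name, rule in RULES.items()}


def allowed(f: File, rule_names: Iterable[str]) -> bool:
    """Whitelist model: the file runs only if at least one configured rule allows it."""
    return any(RULES[name](f) for name in rule_names)


if __name__ == "__main__":
    for label, f in [("approved", APPROVED), ("copied in", COPIED_IN),
                     ("updated", UPDATED), ("moved", MOVED)]:
        print(f"{label:10} {evaluate(f)}")
```

Run as-is, the table shows the trade-off the slides describe: the path rule waves through the unapproved file that was copied into the folder, the hash rule blocks it but also blocks the vendor’s legitimate update until a new hash is added, and the publisher rule accepts the update and the relocated copy while still rejecting the unsigned file.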

54  Audit Mode versus Enforce Rules
  ◦ Audit mode is a great way of gauging the potential impact of AppLocker without actually denying anyone the right to run an application. This mode is used for testing.
  ◦ Audit mode generates a list of applications that will fail and pass under the rules you’ve created.
  ◦ This lets you identify potential problems before that unpleasant phone call from a frustrated user.
  ◦ This mode helps limit the impact of rules on the brass (as well as the rest of the users).

55  Configuring AppLocker
  ◦ Use the Active Directory Group Policy on the server
  ◦ Install Remote Server Administration Tools in Windows 7
     This installs an updated GPMC
     The RSAT for Windows 7 is not the same as the RSAT for Vista

56  Experimenting with AppLocker
  ◦ Start by working with a test machine that’s not connected to your network.
  ◦ Start with local Group Policy settings rather than network-based settings.
  ◦ Start with the blacklist model, in which the default behavior is to allow everything.
  ◦ Leave the AppID service start type as manual, so if you get into trouble, you can reboot.

57  5: Take control of conversations ◦ When I’m trying to explain an issue to an end user, it really bugs me when that user takes over the conversation, preventing me from being able to effectively communicate either the problem or the solution. Generally, these people tend to have more to say on the issue than necessary and assume what they have to add to the situation is far more important than what they have to learn. If those end users would stop and listen for once, the reoccurring issue I am trying to help them with might not reoccur.


59  BlackHole Exploit Kit
  ◦ A type of crimeware Web application developed in Russia to help hackers take advantage of unpatched vulnerabilities in order to hack computers via malicious scripts planted on compromised websites. Unsuspecting users visiting these compromised sites are redirected to a malware portal website that exploits browser vulnerabilities in order to distribute banking Trojans or similar malware through the visiting computer.
  ◦ Blackhole exploit kits are based on PHP and a MySQL backend and incorporate support for exploiting the most widely used and vulnerable security flaws in order to provide hackers with the highest probability of successful exploitation. The kits typically target versions of the Windows operating system and applications installed on Windows platforms.
  ◦ The first Blackhole exploit kit appeared on the black market in August 2010 as a Web application available for sale on a subscription basis ($1,500 for an annual license). Newer releases and a free version of the Blackhole exploit kit have since appeared on warez download sites. The most well-known Blackhole exploit kit attack targeted the U.S. Postal Service's Rapid Information Bulletin Board System (RIBBS) website in April 2011.

60  These direct Web attacks typically consist of six stages
  ◦ First: The Lure
  ◦ Second: The Redirection
  ◦ Third: Exploitation via vulnerability
  ◦ Fourth: Install the program
  ◦ Fifth: Contact Command-and-Control
  ◦ Sixth: Start using the compromised system

61 Threat | Examples | Impact | Defenses
Botnet | Cutwail and Zeus | Take over system control, record account user names & passwords | Web-security gateway; endpoint security; network monitoring; use of security-as-a-service and patching, and removal of browser plug-ins to reduce possible vulnerability
Click fraud | DNSChanger | Redirect user browsing | Security-as-a-service, outbound monitoring, endpoint security

62 Threat | Examples | Impact | Defenses
Exploit kit | Blackhole & Phoenix | Compromise systems & communications | Security-as-a-service, endpoint security, aggressive patching, removal of vulnerable plug-ins, outbound monitoring
Man in the browser | Zeus | Compromise secure browser channels, steal $ from bank accounts | Browser security software, endpoint security

63 Threat | Examples | Impact | Defenses
Phishing | Fake Christmas lottery | Steal credentials, make more attacks | Anti-spam, network monitoring, security-as-a-service, browser protection, endpoint security
Rogue application | Virus remover & Antivirus 2009… | Compromise system, require payment for fraudulent services | Endpoint security, reputation engines, installation of software from vendors’ sites
Targeted attack | Oak Ridge National Labs attack | Steal confidential data | Endpoint security, data loss prevention, patching, removal of browser plug-ins

64  Be aware of the hacker’s technology and strategy, and understand how they’re helping attackers better defeat security measures.  Be ready to counter the attacks with layers of responses designed to make it harder for attackers to penetrate your network.  If the crooks do get in, you might at least keep them away from your most valuable servers and data.

65  Firewalls
  ◦ Block what you don’t need
  ◦ Block countries where you do not do business
     Russia, Ukraine & China
     Doesn’t work as well as it used to, but still worth doing
  ◦ Block inappropriate sites
     Gambling, Entertainment, Porn, Religious?

66  Firewalls ◦ Use a unique connection to the outside for:  Mail Servers  Web Servers  E-Commerce  Etc.

67  Firewall DMZ or no DMZ ◦ Ensure all unnecessary ports are closed (port forwarding). As an alternative to, or in tandem with a DMZ option, many hardware-based firewalls allow port forwarding. This occurs when only a specific port may be visible to the outside world. If you are implementing port forwarding, open only those ports that are explicitly needed. Any other publicly visible port should be considered a security risk.

68  Firewalls
  ◦ Protect various departments / critical assets
     Network segmentation
     Sub-perimeter firewalls
  ◦ Protecting machines
     Sub-sub-perimeter / workstation firewalls
     Preferably centrally managed, but if that is too expensive, install non-centrally managed products.

69  Checklist
  ◦ Procedures should be comprehensively documented.
  ◦ Employees should be trained & tested in their roles.
  ◦ Security patch management should be examined / tested.
  ◦ Penetration testing should be regularly performed.
  ◦ Firewall settings should be examined frequently.
  ◦ Data should be classified and stored appropriately.
  ◦ Wireless settings should be checked / changed.
  ◦ Scan for unauthorized WAPs.

70  Checklist ◦ Event logs should be thoroughly examined all the time and during an audit. ◦ Test software that deals with sensitive data / Review source code.

71  The wrong data on the wrong server ◦ Windows Search ◦ dtSearch

72  46% of internal security audits find significant security problems  54% of external security audits find significant security problems

73  Audits should be a surprise
  ◦ Prior to audits, IT teams rush around and make last-minute adjustments to their configurations and processes.
  ◦ In the real world, however, audit preparation should be treated as an ongoing endeavor.
 External audits can find things like:
  ◦ Malicious users
  ◦ Malicious administrators

74  Develop a well documented network
  ◦ What talks to what, when and how
 Continuously monitor the network for changes
  ◦ Whitelists, blacklists, hardware and software
 Remediate changes
  ◦ When you detect a change, launch into action!
 Assess constantly
  ◦ In large organizations at least part of someone’s job should be to assess the status of the network.

75  Nmap  Look@LAN  Advanced Port Scanner  Microsoft Baseline Security Analyzer (hasn’t recently been updated)  LeakTest (Gibson Research)  Symantec Security Check

76  6: Ask the “quick question” ◦ This one really bothers me. Without fail, a client will call me with a “quick question” that inevitably winds up being a 30-minute phone conversation. My time is valuable through the workday and those quick questions add up. Not only that, but many clients use the quick question to avoid having to pay for support on the real issue.


78  AntiVirus
  ◦ Use multiple
     Each one will pick up different items
  ◦ Monitor centrally
     Users are notorious for selecting “ignore”.
  ◦ Workstation Firewalls
     Each and every workstation needs a firewall
     Use multiple

79  Another concern agencies should have is spyware.
  ◦ Spyware is installed surreptitiously on a PC to intercept or take partial control over the user's interaction with the computer, without the user's informed consent.
  ◦ Spyware is generally not intended to be malicious.
  ◦ It reports information about users back to a third party.
  ◦ The information varies from general information about their system to specifics on their web browsing habits.

80  Spyware falls into several categories:
  ◦ 1. Retail and vendor information tracking.
     Generally to track where users go on a site or on the vendor’s competitors’ sites.
  ◦ 2. Tracking
     Collects various types of personal information, such as Internet surfing habits, sites that have been visited, etc.

81  ◦ 3. Redirection / Hijacking
     These types of spyware interfere with user control of the computer by installing additional software, redirecting Web browser activity, blindly accessing websites that will cause more harmful viruses, or diverting advertising revenue to a third party.
     Spyware can change computer settings, resulting in slow connections, different home pages, and loss of Internet or other programs.

82  In response to the emergence of spyware, an entire anti-spyware industry has sprung up.
 A variety of programs are available for detecting and removing this spyware.
 Running anti-spyware software has become a widely recognized element of computer security for Windows computers.
 The US Federal Trade Commission has an entire page of advice to consumers about how to lower the risk of spyware infection.

83  Our top choices:
  ◦ Spybot Search and Destroy
  ◦ Zone Alarm – Anti-Spyware
  ◦ Adaware Pro
  ◦ Computer Associates – Anti-Spyware
  ◦ F-Secure

84  Strong Passwords
  ◦ 1,000,000+
     The largest dictionaries of passwords we’ve seen reported
     Common names of people or pets are the first passwords tried
     Ordinary words are tried next
     Followed by words & names with one or two digits tacked on
     Finally things like common substitutions of numbers and characters for letters:
       3@SY4M3 – Easy for me
       r@ts – rats
       etc.

85  Strong Passwords
  ◦ Longer is better
  ◦ Odd structure is better
  ◦ Distinctness
  ◦ Frequency of change
  ◦ Require:
     At least eight characters
     Include:
       Two or more digits
       Special characters
       Digits and special characters placed randomly instead of just at the beginning or the end
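Slides 84 and 85 describe both sides of the problem: how cracking dictionaries are expanded (names, plain words, digits tacked on, letter substitutions such as 3@SY4M3 and r@ts) and the policy a password must meet. The following is an added Python example, not part of the presentation, that implements both checks: the stated policy rules, and a dictionary check that undoes the same expansions an attacker applies before comparing against a word list. WORDLIST is a constructed eight-entry stand-in for the million-entry dictionaries the slide mentions; the substitution tables are the common ones and can be extended.

```python
"""Checks behind the Strong Passwords slides: the stated policy, plus a
dictionary check that undoes the tricks attackers already expect (digits
tacked on, @-for-a and 3-for-e style substitutions: 3@SY4M3, r@ts).

Added example, not part of the presentation. WORDLIST is a constructed
stand-in for the million-entry dictionaries the slide refers to.
"""
import re
from typing import Dict, List, Set

WORDLIST: Set[str] = {"password", "rats", "easy", "easyforme", "fluffy",
                      "michael", "summer", "letmein"}

# Single-character swaps attackers expand a dictionary with.
LETTER_SUBS = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                             "0": "o", "$": "s", "5": "s", "7": "t"})
# Digits and symbols that stand in for whole syllables ("4" in 3@SY4M3 is "for").
WORD_SUBS = {"4": "for", "2": "to", "8": "ate", "&": "and"}


def dictionary_forms(candidate: str) -> Set[str]:
    """Every plain-text word this password could have been built from."""
    lowered = candidate.lower()
    # Drop digits/symbols tacked on the front or the end ("fluffy12", "summer2011!").
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    forms = set()
    for base in (lowered, stripped):
        forms.add(base)
        forms.add(base.translate(LETTER_SUBS))
        expanded = base
        for symbol, syllable in WORD_SUBS.items():
            expanded = expanded.replace(symbol, syllable)
        forms.add(expanded.translate(LETTER_SUBS))
    return forms


def in_dictionary(candidate: str) -> bool:
    """True if any reconstructed form is a dictionary word: the password
    would fall to the expanded-dictionary attack the slide describes."""
    return any(form in WORDLIST for form in dictionary_forms(candidate))


def policy_violations(pw: str) -> List[str]:
    """The slide's requirements: 8+ characters, two or more digits, a special
    character, and digits/specials somewhere other than just the ends."""
    problems = []
    if len(pw) < 8:
        problems.append("fewer than eight characters")
    if sum(c.isdigit() for c in pw) < 2:
        problems.append("fewer than two digits")
    if not any(not c.isalnum() for c in pw):
        problems.append("no special character")
    # Strip the leading and trailing runs of non-letters; if nothing non-alphabetic
    # is left inside, the digits/specials were merely tacked on at the ends.
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    if not re.search(r"[^A-Za-z]", core):
        problems.append("digits and special characters only at the beginning or end")
    return problems


def assess(pw: str) -> Dict[str, object]:
    """Combine both checks; a password is strong only if it passes both."""
    violations = policy_violations(pw)
    dictionary_hit = in_dictionary(pw)
    return {"violations": violations, "dictionary_hit": dictionary_hit,
            "strong": not violations and not dictionary_hit}


if __name__ == "__main__":
    for pw in ("r@ts", "3@SY4M3", "Summer2011!", "Fluffy12", "gr33n-Tr0ut#Lamp9"):
        print(pw, assess(pw))
```

The point of running both checks is that the policy alone is not enough: Summer2011! satisfies the length, digit and special-character rules yet reduces to a dictionary word once the trailing digits and symbol are stripped, which is exactly the expansion a cracking tool performs.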

86  Wireless ◦ WPA2 tied to the infrastructure ◦ Scan for new wireless devices

87  172 Million smart phones were sold in 2010  Leveraging the employee smart phone can be huge  $500 device versus the data stored or available on the device

88  Benefits ◦ The employee bears the cost of the device ◦ The employee bears the cost of the service ◦ Employees are more connected ◦ Employees collaborate more often ◦ Communication increases dramatically ◦ Faster decision making

89 Four things you cannot ignore with mobile devices
 1) Antivirus software on every device
  ◦ BullGuard
  ◦ Kaspersky
  ◦ ESET
  ◦ LookOut
  ◦ TrendMicro
  ◦ F-Secure
  ◦ NetQin
  ◦ WebRoot
  ◦ Norton 360

90  Four things you cannot ignore with mobile devices ◦ 2) Protect data on devices  Enforce PIN access  Encrypt Sensitive Data  Management: Remote Lock, Remote Wipe

91  Four things you cannot ignore with mobile devices ◦ 3) Tightly control what can be installed on a mobile device  Known sources  AppStore  Google Play Store / Amazon  Etc.  Scan before installation

92  Four things you cannot ignore with mobile devices ◦ 4) Detect & Prevent Malware  See anti-virus  Educate users  If they see something wrong, turn off the device and seek help.

93  Web Browser Configuration / Lockdown
  ◦ All browser plug-ins should be limited to essential plug-ins approved by the Agency
  ◦ ActiveX plug-ins should be limited
     Users should not be expected to be able to determine whether or not adequate security is available for ActiveX plug-ins

94  Web Browser Configuration / Lockdown
  ◦ Web browsers should be configured to limit vulnerability to intrusion.
  ◦ Active code should be disabled or used only in conjunction with trusted sites.
  ◦ The browser should always be updated to the latest secure version.

95  Web Browser Configuration / Lockdown ◦ Privacy  This is a big concern.  The greatest threat is the use of cookies by third party websites and the monitoring of web browsing habits of users by third parties using those same cookies.  Cookies can be disabled, controlled and / or removed using a variety of built-in web browser features or third-party applications.

96 ◦ JavaScript should also be limited or turned off.  While JavaScript is used on many websites, turning it off generally only causes some nuisances when browsing these sites.

97  OpenDNS  Google Public DNS

98  1. Educate Employees
  ◦ Show them what to watch out for
  ◦ Encourage them to report questionable sites and links.
 2. Flexible Policies
  ◦ Policies should be adaptable to the rapidly changing Web environment.

99  3. Secure All Devices
  ◦ Keep patches up to date
  ◦ Remove unneeded plug-ins
  ◦ Use endpoint security
  ◦ Use a browser sandbox.
 4. Use Web Filtering
  ◦ Monitor traffic in both directions to catch incoming threats and infected machines transmitting out.


101  7: Chat while I’m concentrating ◦ This goes along with dominating the conversation. Many users, while in the middle of a remote session, want to chat. Sometimes that’s okay, as we are simply waiting for a download or waiting on the progress of a service or application. But when I’m elbows deep in the dirt and grit of trying to resolve a crucial issue, don’t try to chat me up about the weather, the royal wedding, or the price of gas. Please let me resolve the issue at hand (especially one that requires my concentration) and then I will happily chat about whatever (so long as I don’t have a pressing appointment after yours).

102  8: Insist what their “cousin” told them was true ◦ I get it. Some companies enlist the help of “Cousin Joe,” who happens to owe the secretary a favor and “knows a thing or two” about computers. Well, Cousin Joe didn’t do you any favors when he caused even more problems doing what he did. Not that I am going to slam your cousin. But when I say that although Joe’s intentions were good, what he did was counterproductive to solving the issue at hand, please don’t insist that the cousin was in the right and that I am only trying to bilk you out of more money. Of course, if it ever comes to those kinds of words, you will most certainly be looking for a new support specialist.


104  1) Understand your requirements
  ◦ Define your requirements from the inside
  ◦ What to protect?
  ◦ Where is it residing?
  ◦ End points?

105  2) Work with the business at hand
  ◦ Understand what managers need
     Conduct interviews
     What do they need access to?
     Where do they need access to it?
     Too many false positives may indicate a broken business process

106  3) Involve the legal & HR departments ◦ Legal can help with:  Compliance issues  Helping write an incident plan ◦ HR:  Handle an incident created by an employee

107  4) Implement in Phases ◦ Don’t shock the system ◦ Monitor each phase

108  Data Identification ◦ This is the first step to implementation ◦ Solutions should be able to identify confidential or sensitive information. ◦ Data must be identified:  in motion  at rest  at end points

109  Data Identification ◦ DLP solution should allow for:  Keywords  Dictionaries  regular expressions  partial document matching  fingerprinting ◦ DLP solution should allow you to write your own rules.

110  Data Identification ◦ The strength of the analysis engine directly correlates to its accuracy. ◦ Each organization may have unique needs, however. ◦ Accuracy depends on many variables  The way the data is stored  The format of the data  Encryption of the data

111  Data Identification ◦ Testing for accuracy  Often  Compare results with previous testing  Ensure the solution has virtually zero false positives/negatives.
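The rule types listed on slide 109 (keywords, dictionaries, regular expressions, partial document matching via fingerprinting) and the accuracy testing on slide 111 can be illustrated with a small content-identification engine. This is an added example written for this transcript, not code from the presentation or from any DLP product; the rule names, the protected document, the constructed sample messages and their sensitive/not-sensitive labels are all assumptions made up for the example. Partial document matching is done here by hashing overlapping five-word shingles of the protected document and counting how many reappear in the scanned text; commercial engines use more elaborate schemes, but the idea is the same.

```python
"""Added example (not from the presentation): a toy DLP content-identification
engine with keyword, dictionary, regular-expression and fingerprint rules, plus
the false-positive/false-negative count that accuracy testing should produce.
Every rule, document and label below is constructed for the example."""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Match:
    rule: str     # which rule fired, e.g. "regex:ssn" or "fingerprint:merger-memo"
    detail: str   # human-readable evidence for the incident record


class DlpEngine:
    def __init__(self, shingle_size: int = 5, min_shared_shingles: int = 3):
        self.keywords: set[str] = set()
        self.dictionaries: dict[str, set[str]] = {}
        self.regexes: dict[str, re.Pattern] = {}
        self.fingerprints: dict[str, set[str]] = {}
        self.k = shingle_size                    # words per shingle
        self.min_shared = min_shared_shingles    # shingles that must reappear to count as a partial match

    def add_keyword(self, word: str) -> None:
        self.keywords.add(word.lower())

    def add_dictionary(self, name: str, terms: list[str]) -> None:
        self.dictionaries[name] = {t.lower() for t in terms}

    def add_regex(self, name: str, pattern: str) -> None:
        self.regexes[name] = re.compile(pattern)

    @staticmethod
    def _shingles(text: str, k: int) -> set[str]:
        """Hash every run of k consecutive words; the hashes are the document fingerprint."""
        words = re.findall(r"\w+", text.lower())
        return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
                for i in range(len(words) - k + 1)}

    def fingerprint_document(self, name: str, text: str) -> None:
        """Register a protected document so that quoted fragments of it can be recognised."""
        self.fingerprints[name] = self._shingles(text, self.k)

    def scan(self, text: str) -> list[Match]:
        matches: list[Match] = []
        tokens = set(re.findall(r"\w+", text.lower()))
        for kw in sorted(self.keywords):
            if kw in tokens:
                matches.append(Match("keyword", kw))
        for name, terms in self.dictionaries.items():
            hits = terms & tokens
            if hits:
                matches.append(Match(f"dictionary:{name}", ",".join(sorted(hits))))
        for name, rx in self.regexes.items():
            found = rx.findall(text)
            if found:
                matches.append(Match(f"regex:{name}", f"{len(found)} hit(s)"))
        candidate = self._shingles(text, self.k)
        for name, fp in self.fingerprints.items():
            shared = len(candidate & fp)
            if shared >= self.min_shared:
                matches.append(Match(f"fingerprint:{name}", f"{shared} shingles shared with protected document"))
        return matches


def evaluate(engine: DlpEngine, labelled: list[tuple[str, bool]]) -> dict[str, int]:
    """Accuracy test from slide 111: compare verdicts against a labelled corpus."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for text, is_sensitive in labelled:
        flagged = bool(engine.scan(text))
        key = ("tp" if is_sensitive else "fp") if flagged else ("fn" if is_sensitive else "tn")
        counts[key] += 1
    return counts


def build_demo_engine() -> DlpEngine:
    """Constructed rule set: one keyword, one codename dictionary, one SSN-format regex, one fingerprint."""
    engine = DlpEngine()
    engine.add_keyword("confidential")
    engine.add_dictionary("project-codenames", ["Orion", "Bluefin"])
    engine.add_regex("ssn", r"\b\d{3}-\d{2}-\d{4}\b")
    engine.fingerprint_document(
        "merger-memo",
        "The merger with Orion Logistics closes on the first of next quarter "
        "and the purchase price is forty million dollars")
    return engine


# Constructed labelled corpus (text, is_sensitive) for the accuracy check.
SAMPLE_CORPUS = [
    ("Please review the attached quarterly newsletter.", False),
    ("Reminder: the merger with Orion Logistics closes on the first of next quarter, keep it quiet.", True),
    ("Employee SSN on file: 123-45-6789", True),
    ("CONFIDENTIAL: do not forward", True),
    ("Lunch at the Orion diner at noon?", False),   # codename collides with an ordinary word
]

if __name__ == "__main__":
    eng = build_demo_engine()
    for text, _ in SAMPLE_CORPUS:
        print(text[:40].ljust(40), [m.rule for m in eng.scan(text)])
    print(evaluate(eng, SAMPLE_CORPUS))
```

The last sample is deliberately a false positive: "Orion" is a project codename but also an everyday word, so a plain dictionary rule fires on a lunch invitation. That is exactly the kind of result the "test often, compare with previous testing" advice on slide 111 is meant to surface, and the usual fix is to tighten the rule (require the codename next to a second indicator, or rely on the fingerprint) rather than to live with the noise.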

112  Network & Gateway DLP ◦ Dedicated hardware/software platforms, typically at the border. ◦ They analyze network traffic to search for unauthorized information transmissions including:  Email  IM  FTP  HTTP ◦ They are generally cost effective. ◦ Some network systems review data stored throughout the enterprise to identify areas of risk.

113  Host-based DLP systems ◦ Run on end-user workstations or servers ◦ Generally address internal communications ◦ Some can monitor external communications ◦ Others can also control information flow within the organization. ◦ Can also control:  Email  IM

114  Host-based DLP systems ◦ Can monitor physical devices ◦ Can also monitor interaction with portable devices. ◦ Should block sensitive information transmissions ◦ Provide feedback to the user, with notifications going to management ◦ Are installed on every workstation in the network

115  A DLP Product should include: ◦ centralized management ◦ policy creation ◦ enforcement workflow ◦ monitoring and protection of content and data.

116  Operational Actions: ◦ Quarantine email? ◦ Encrypt email? ◦ Block email? ◦ Notify sender? ◦ Notify management / operations?

117  Advanced Data discovery types of DLP systems can move the data to a secure location, if found to be residing on a non- protected share.

118  Most DLP systems integrate with Active Directory. ◦ Users ◦ Groups ◦ etc

119  Severity Level Assignment – Assigns severity level to incidents and is highly configurable.  Custom Attribute Lookup – This makes queries to LDAP or Active Directory server for user identity and additional attributes.  Automated Incident Response – A number of actions can be taken using this feature. Some of the important ones are the ability to comment, block, log, etc.

120  Role-based Access Control – This is an interesting feature, in that it determines which incidents a remediator can work on and the amount of detail available.  For example, if the violation originated from a staff member in the DLP group, it does no good to assign the incident to the violator himself.

121  SmartResponse – This provides detailed data to determine the remediation steps for incidents. It also allows for fast incident remediation.
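Slides 116, 119 and 120 together describe the response side of a DLP system: severity assignment, a directory lookup for the user's attributes, automated actions (quarantine, encrypt, block, notify), and role-based assignment that never hands an incident to the person who caused it. The following is an added example illustrating those rules as a small policy function; it is not code from the presentation or from any DLP product. The directory entries, rule names, scoring thresholds and the two sample incidents are constructed assumptions, and the in-memory dictionary stands in for the LDAP or Active Directory query the slides mention.

```python
"""Added example (not from the presentation): a toy incident-handling policy
for a DLP system covering severity assignment, directory lookup, automated
operational actions and role-based remediator selection.
Directory contents, thresholds and incidents are constructed for the example."""
from dataclasses import dataclass
from enum import Enum


class Severity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Incident:
    incident_id: str
    sender: str                 # principal who triggered the rule
    channel: str                # "email", "http", "ftp", ...
    matched_rules: list[str]    # rule names from the content engine, e.g. "regex:ssn"
    external_recipient: bool    # did the data leave the organisation?


# Constructed stand-in for the LDAP / Active Directory attribute lookup (slide 119).
DIRECTORY = {
    "alice@example.test": {"department": "Finance", "groups": ["staff"]},
    "bob@example.test": {"department": "Security", "groups": ["staff", "dlp-remediators"]},
    "carol@example.test": {"department": "Security", "groups": ["staff", "dlp-remediators"]},
}


def assign_severity(inc: Incident) -> Severity:
    """Configurable severity scoring: structured-data and fingerprint hits weigh more,
    and leaving the organisation adds to the score."""
    score = 0
    for rule in inc.matched_rules:
        score += 2 if rule.startswith(("regex:", "fingerprint:")) else 1
    if inc.external_recipient:
        score += 2
    if score >= 4:
        return Severity.HIGH
    if score >= 2:
        return Severity.MEDIUM
    return Severity.LOW


def choose_actions(inc: Incident, sev: Severity) -> list[str]:
    """Map severity and channel to the operational actions on slide 116."""
    actions = ["log"]
    if sev is Severity.LOW:
        actions.append("notify_sender")
    elif sev is Severity.MEDIUM:
        # mail can be encrypted in transit; other channels can only be blocked
        actions += ["encrypt" if inc.channel == "email" else "block", "notify_sender"]
    else:
        actions += ["quarantine" if inc.channel == "email" else "block",
                    "notify_sender", "notify_management"]
    return actions


def pick_remediator(inc: Incident, directory: dict = DIRECTORY) -> str:
    """Role-based assignment (slide 120): only members of the remediator group
    qualify, and the violator is never assigned their own incident."""
    candidates = sorted(user for user, attrs in directory.items()
                        if "dlp-remediators" in attrs["groups"] and user != inc.sender)
    if not candidates:
        raise LookupError("no eligible remediator for incident " + inc.incident_id)
    return candidates[0]


def handle(inc: Incident) -> dict:
    sev = assign_severity(inc)
    return {
        "incident": inc.incident_id,
        "severity": sev.name,
        "department": DIRECTORY.get(inc.sender, {}).get("department", "unknown"),
        "actions": choose_actions(inc, sev),
        "assigned_to": pick_remediator(inc),
    }


# Constructed sample incidents.
SSN_TO_OUTSIDER = Incident("INC-1", "alice@example.test", "email", ["regex:ssn"], True)
INTERNAL_KEYWORD_BY_REMEDIATOR = Incident("INC-2", "bob@example.test", "http", ["keyword"], False)

if __name__ == "__main__":
    for inc in (SSN_TO_OUTSIDER, INTERNAL_KEYWORD_BY_REMEDIATOR):
        print(handle(inc))
```

The second sample incident is raised by a member of the remediation group itself; the selection rule skips that user and assigns the case to a colleague, which is the point slide 120 makes.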

122  Leak Prevention ◦ The system learns by reviewing existing data. ◦ During the review period someone must monitor the system. ◦ This should be done prior to turning on Leak Prevention. ◦ DLP generally handles SMTP, HTTP, HTTPS, FTP and Telnet. Is that enough?

123 ◦ The product’s functionality is dedicated to solving the business and technical problems of protecting content through content awareness. ◦ A number of products, particularly email security solutions, provide basic DLP functions, but aren't complete DLP solutions.

124  9: Undo my work ◦ Raise your hand if you’re guilty of undoing all that work the support techs did the very second they left. I’ve seen this happen plenty of times. I’ve had clients actually confess to doing this. What those clients don’t realize is that I will more than likely have to come back and redo what I did prior to this visit — and I’ll also have to fix problems they caused by undoing my work. Do us both a favor and don’t undo my work. This is rarely going to be a smart choice, and the possibility that you’ll be able to resolve the issues created by your tampering is nil.

125  10: Lack the necessary information ◦ When end users call for help, 75 percent of the time they have all of the information necessary for a successful appointment. The other 25 percent? Not so much. In fact, a large portion of that 25 percent require nearly double the normal job time just for fact gathering. So… when you call, please make sure you have all the information needed to complete the appointment. Otherwise, you are wasting my time and running up your bill.


127  What is different about cloud? ◦ Cloud computing moves us away from the traditional model, where organizations dedicate computing power to a particular business application, to a flexible model for computing where users access business applications and data in shared environments.

128  Today’s Data Centers
◦ We have control
◦ They are located at A
◦ The data is on servers: Sagittarius and Aquarius
◦ Our admins control access
◦ Our uptime works
◦ Our auditors are ok
◦ Our security team is engaged
 The Cloud
◦ Who has control?
◦ Where is it located?
◦ Where is it stored?
◦ Who backs it up?
◦ Who has access?
◦ How resilient is it?
◦ How do auditors do their job?
◦ How does our security team get involved?

129  Essential Questions ◦ Are you in a shared environment?  Who else uses the servers?  What is in place to prevent leakage to the others on the server?  What logging capabilities are available?

130  Essential Questions ◦ Where does your data actually reside? ◦ Can you lose service if an investigation into data loss from another customer ensues?

131  Essential Questions ◦ What happens when a DDoS attack occurs?

132  Essential Questions ◦ Who ensures compliance?

133  Essential Questions ◦ How well is your data protected?

134  Essential Questions ◦ Is encryption in place?

135  Essential Questions ◦ Are all compliance requirements met in the Cloud?

136  Essential Questions ◦ Are event management options available?  To whom?  How?  How quickly?

137  Essential Questions ◦ When an event happens, can your business unit react as it did when servers were local?

138  10 signs that you aren't cut out for IT ◦ 1: You lack patience ◦ 2: You have no desire to continue your education ◦ 3: You refuse to work outside 9-to-5 ◦ 4: You don’t like people ◦ 5: You give up quickly ◦ 6: You’re easily frustrated ◦ 7: You can’t multitask ◦ 8: You have dreams of climbing the corporate ladder ◦ 9: You hate technology ◦ 10: You turn off your phone at night  By Jack Wallen; February 24, 2012

139  I value your comments. Please fill in your evaluation form found at the end of your packet.

140 Scott Greene, SCFE Evidence Solutions, Inc 866-795-7166
