Computer Security for the Appropriately Paranoid A Broad Overview Joseph Kashi, MS, JD.


2 Computer Security for the Appropriately Paranoid A Broad Overview Joseph Kashi, MS, JD

3 Data Security

4 Several Different Problem Areas
- Wireless security
- Internet security
- Wired network security

5
- Identity theft issues
- Confidentiality
- Any wireless device can be undetectably intercepted given time
- Federal law enforcement agencies report that wireless and embedded devices are often targets

6 Mobile Devices
- Notebook computers
- Flash drives
- Wireless networks
- Bluetooth – phones, networks, printers
- GSM cell phones
- PDAs and BlackBerry

7 Electronic Data Loss
- Includes identity theft, losses from which topped $48 billion in 2008 despite federal statutes
- Can be more damaging because a breach of confidentiality, identity theft or credit damage is usually not discovered for many months, if ever

8 Physical Loss or Compromise
- Data loss can be devastating – Gulf War plans were a classic example
- Physical loss affects not only data but entire network security
- Upside – You know it’s compromised and can react accordingly

9 Short Term vs. Long Term
- Wireless will be the basic network standard in 7 or 8 years
- Avoid if possible for next 18-24 months – certainly no confidential data
- Wait for new 802.11i hardware

10 Curse of the Defaults
- For ease of setup, most wireless devices ship with all security turned off as the basic default
- Most users never enable any security
- Security is never complete – at best it slows down and deters intruders

11 Hidden Dangers
- Wi-Fi default is to connect to any nearby computer as part of an ad hoc network
- Windows XP default is to bridge between the mobile Wi-Fi device and any other connected network interface, possibly exposing your entire network

12 Initial Wi-Fi Setup
- Change your router setup password to something other than the published default
- Change your SSID to a non-obvious and unpublished name

13 Add Security to Net Setup
- Most small networks use basic MS file and printer sharing protocols - these are totally insecure
- Default is no password and standard network name

14 Small Net Setup
- Choose a non-obvious workgroup name
- Avoid Microsoft defaults such as MSHOME
- Don’t settle for the first working network configuration, which by default has no security in order to aid lay setup

15 Router Setup
- Access and configure your Wi-Fi router with a direct Ethernet cable connection
- Use Internet Explorer and the standard IP address 192.168.0.1 or 192.168.1.1
- These are published and known

16 Router Setup
- Enable security - some studies found more than 2/3 of all Wi-Fi networks made no changes at all to totally insecure defaults
- Your aim is to close, at least partially, an otherwise totally open door

17 Locating the Wi-Fi Router
- Set up a “DMZ” using a second firewall to protect the internal hard-wired LAN
- Place all Wi-Fi and Internet connections outside the hard-wired network’s firewall
- Locate the Wi-Fi router to minimize leakage of signal outside office

18 Router Setup
- Don’t advertise – disable the wireless SSID broadcast known as beaconing
- Do this only after you have completely set up all computers that are to connect to your Wi-Fi network

19 Enable Security
- There are several possibilities – default is no security
- WEP, a “Weak” encryption with many basic vulnerabilities
- WPA needs same upgraded hardware

20 WEP Encryption
- Lowest common denominator, but with serious systemic weakness
- Keys easily vulnerable to cracking regardless of key length
- Rotating keys helps but is awkward

21 MAC Address Filtering
- Every Ethernet device has a unique identifier known as a MAC
- MAC filtering lists allowed or blocked Ethernet devices – not much help if using WEP
- Easily fooled - done by most routers, firewalls and hacker freeware

22 Access Restrictions
- Newer routers also act as network hubs and allow security policies that can limit undesired types and times of network usage
- Some benefit but requires some knowledge to set up

23 WPA Encryption
- More secure but less open interim follow-on to WEP – keys are automatically and securely rotated
- Requires new WPA-capable hardware, all of which should be the same brand and model, with upgraded firmware

24 Hardware Firewall
- Adds some protection against hacking through the wired Internet connection
- Generally useful and unobtrusive unless using VPN tunnel or other means of remote access
- Use XP and 802.1X

25 Basic Hardening Tips
- Change ALL defaults on ALL devices
- Check for possibly conflicting access points and peer to peer networks – these may be an unguarded backdoor.
- Enable at least WEP
- Search for rogue LANs with notebook
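One way to run the access-point and peer-to-peer check from the slide above on a Linux notebook, as an added example that is not part of the original presentation. It assumes the scan was captured with `nmcli -t -f SSID,BSSID,MODE,SECURITY device wifi list`; the office SSID, the authorized BSSIDs, the default-SSID list and the sample scan are all constructed for illustration.

```python
# Assumed values for illustration: your own SSID and the BSSIDs (radio MAC
# addresses) of the access points you installed yourself.
OFFICE_SSID = "kx-office-7"
AUTHORIZED_BSSIDS = {"00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:77"}
# Illustrative list of factory SSIDs; extend it for the hardware you own.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless"}

# Constructed sample of nmcli terse output. Fields are separated by ':' and a
# literal ':' inside a value is escaped as '\:'.
SAMPLE_SCAN = r"""
kx-office-7:00\:11\:22\:33\:44\:55:Infra:WPA2
kx-office-7:00\:11\:22\:33\:44\:66:Infra:WEP
linksys:00\:11\:22\:33\:44\:77:Infra:
kx-office-7:DE\:AD\:BE\:EF\:00\:01:Infra:WPA2
hpsetup:02\:1A\:2B\:3C\:4D\:5E:Ad-Hoc:
cafe\:guest:66\:77\:88\:99\:AA\:BB:Infra:WPA1 WPA2
"""


def split_terse(line):
    """Split one terse nmcli row on unescaped ':' and drop the escapes."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])  # escaped character is kept literally
            i += 2
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    fields.append("".join(cur))
    return fields


def audit(scan_text):
    """Return (BSSID, finding) pairs for the hardening checks on the slides."""
    findings = []
    for line in scan_text.strip().splitlines():
        parts = split_terse(line)
        if len(parts) != 4:
            continue  # skip rows that do not have the four requested fields
        ssid, bssid, mode, security = parts
        bssid = bssid.upper()
        ours = bssid in AUTHORIZED_BSSIDS
        if mode.lower() == "ad-hoc":
            findings.append((bssid, "ad-hoc"))      # peer-to-peer network in range
        if ssid == OFFICE_SSID and not ours:
            findings.append((bssid, "rogue-ap"))    # unknown radio using our SSID
        if ours:
            sec = security.strip()
            if sec in ("", "--"):
                findings.append((bssid, "no-encryption"))
            elif "WPA" not in sec.upper():
                findings.append((bssid, "wep-only"))
            if ssid.lower() in DEFAULT_SSIDS:
                findings.append((bssid, "default-ssid"))
    return findings


if __name__ == "__main__":
    for bssid, finding in audit(SAMPLE_SCAN):
        print(f"{bssid}  {finding}")
```

Networks that are neither yours nor using your SSID, such as the constructed `cafe:guest` row, are ignored unless they are in ad hoc mode.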

26 Other Hardening Tips
- If possible, reduce router transmission power to minimum that works
- Install network traffic transmission monitoring hardware/software
- Upgrade older Wi-Fi hardware – the network runs at the lowest common denominator

27 The Future is 802.11i
- Secure wireless connection - strong hardware encryption and authentication
- New industry standard not fully gelled
- Requires total Wi-Fi network rebuild with new 802.11i hardware throughout entire network

28 Long Term Fixes
- More powerful handsets with stronger encryption
- New versions of WAPI that fix obvious security holes (www.wapiforum.org)
- UL-style security ratings for wireless and Internet security products and services (www.ICSA.net)

29 Virtual Private Networks
- These offer some additional security, particularly with private tunneling software protocols for wireless users
- Look for good performance and lower future costs as DSL networks become more common
- DSL networks are a new approach that could extend to wireless

30 Until Then
- Treat wireless devices like a cell phone
- Wireless known to be possibly insecure
- Most confidential data, such as litigation strategy, should not be sent wirelessly

31 Other Security Tips
- Call back vs. direct dial in
- Intrusion detection software: Black Ice
- Set security configuration and user rights carefully
- Change security passwords regularly

32 Internet Security Tips
- Instant messaging = insecure
- Internet itself is definitely more secure than wireless due to packet routing
- PGP encryption - easy but not fool-proof
- Encrypt passwords and logins, use an authentication server with digital signature

33 Internet Security Tips
- Dynamic vs. static IP networks - low cost option for DSL users
- Firewalls - Linksys Ethernet switch, DSL router and hardware firewall.
- DSL and other inexpensive broadband network routers include hardware firewalls that can block incoming calls

34 Internet Security Tips
- Commercial personal software firewall such as McAfee Firewall seems very effective
- Avoid downloading and using highly interactive programs from untrusted sources. Some programs send data surreptitiously or are insecure, e.g. ICQ

35 Curse of the Defaults
- For ease of setup, most wireless devices ship with all security turned off as the basic default
- Most users never enable any security
- Security is never complete – at best it slows down and deters intruders

36 Mobile Wi-Fi Woes
- Mobile computers often set to “ad hoc” network wireless mode, which can connect with any nearby computer
- We saw examples of inadvertent penetration at yesterday’s Wi-Fi session
- Always install Wi-Fi as “infrastructure mode”

37 Wi-Fi Is Insecure
- Many cracking programs available free
- War-driving and War-chalking
- Default installations are totally insecure

38 Does PDA Mean “Portable Disaster Area”? Some Practical Thoughts about Mobile Security

39 Cell Phone Woes
- The most primitive portable device - cells are insecure.
- GSM security model cracked as early as 1998.
- Loaning a phone or GSM card for even a few minutes can compromise your security

40 PDAs
- PDAs that depend upon Wi-Fi access have the same security problems as notebook computers
- BlackBerry is a proprietary format that can be made substantially more secure
- You need to fix a PDA’s basic Wi-Fi and Bluetooth security holes

41 Mobile Security Holes
- Wi-Fi and/or Bluetooth typically installed in notebook computers – hundreds of millions sold each year
- Usually enabled by default even when not used
- A major but non-obvious security hole – I physically turn off power to my wireless devices

42 Bluetooth Security Model
- Theoretically, Bluetooth is not a bad security model but security is unfortunately optional
- Trusted and locked down device pairing possible

43 Bluetooth Today
- Bluetooth sets initially were very low power and hard to intercept
- Newer models have more power and can be intercepted to 100 meters or more

44 Bluetooth Security Holes
- IEEE has recently published on the Web a variety of papers describing proven methods of easily cracking Bluetooth transmissions – even the industry group admits security holes
- Programs like Blue Stumbler and SNARF attack are available on the web

45 Bluetooth Holes Part 2
- Windows servers are often configured to connect to all Bluetooth devices in range – a major security breach
- Former employees can take connection data

46 Bluetooth Holes Part 3
- Phone cards or unsecured headsets may be borrowed and company connection data and security compromised
- Windows registry retains all connection data for all devices ever used

47 Bluetooth Networks
- “Piconets” are sometimes set up automatically, which can allow anyone in range to see your files
- Discloses your embedded link security information
- Worse if you also have other simultaneous network access

48 Protecting Bluetooth – Part 1
- Never use “unit” authentication keys
- Always use “combination” authentication keys with manual PIN input
- Use a longer PIN – minimal 4 digit PIN easily cracked by brute force challenges

49 Protecting Bluetooth Part 2
- Auto PIN number generation is insecure and allows device impersonation
- Never establish device pairing or first meeting in a public or other non-secure environment
- Eavesdropping feasible – link data disclosed to third parties

50 Protecting Bluetooth Part 3
- Always enable security mode on all devices
- You are only as secure as the weakest link that may transmit connection information
- Mode 3 security should be used if possible

51 Protecting Bluetooth Part 4
- Use only trusted devices
- Turn off device pairing mode

52 Protecting Bluetooth Part 5
- Bluetooth headsets should use broadband mode and then turn off pairing mode
- Use access policies

53 12 Steps to Mobile Security
- Install anti-virus, firewall and anti-intrusion software (Norton, Zone Alarm)
- Turn off computers and PDAs when not in use – disable all unused wireless devices including Bluetooth, Wi-Fi, IR
- Keep Windows security patches current

54 12 Steps - Part 2
- Turn off network bridging between wireless and hard wired networks
- Use a hard-wired network with a hardware firewall when not mobile
- Enable all possible 802.11 security

55 12 Steps Part 3
- Always turn off network file and printer sharing when mobile
- NEVER establish Bluetooth pairings and trusted relationships in a non-secure area – authenticate in private and then turn off pairing mode

56 12 Steps – Part 4
- Avoid “ad hoc” network modes
- Use WPA and 802.1X if possible with your Wi-Fi hardware

57 And – Number 12
- Remember that all mobile and wireless devices, including Wi-Fi and Bluetooth, are always potentially insecure.
- ACT ACCORDINGLY

