Chapter 7 Secure-Use Practices: Defensive Best Practices Presented by: Derrick Lowe Ken Dean Quintin King Caroline Hawes.

Introduction
This chapter focuses on what companies must do to protect themselves from internal risks. Before hackers and the internet there were:
–Disgruntled workers
–Careless administrators
–Hostile managers

Introduction (cont.)
Current technology amplifies security threats, many of which can be blamed on organizational practices.
Effective countermeasures:
–Secure-use practices
–User training

Secure Use Practices: Policies

Major Risk Factors Most likely sources of cyber threats continue to come from within. Unknown and unseen hackers and thieves are not the most common threat. It is difficult to accept the reality that a majority of cyber security incidents are traced to company insiders.

Examples
An unwitting employee may spread an infection, or be tricked into revealing information through a popular hacker technique: social engineering.
–Spoofing: disguising the true identity of the sender
Administrators may be unable or unwilling to apply software patches to fix known vulnerabilities.

Limits On The Extent To Which Risk Factors Can Be Controlled
A complete set of updated, well-documented policies and training in security procedures can be time-consuming. They are not without risks:
–Selectively enforced policies can be worse than having none at all
–If employees send threatening messages to each other and the company fails to notify law enforcement, the company can be held liable for negligence

Enforcement Of Secure-Use Practices Must Be Consistent With AUP
A clearly written Acceptable Use Policy (AUP), together with documented confirmation from employees that they have read, understood, and agreed to its terms, in addition to the Secure-Use practices, can help a company avoid costly lawsuits.

Key Secure – Use Procedures and Practices

Security Focus in Organizational Planning Process
Information security for organizations may not always follow the standard planning pattern:
–Develop a business plan that defines goals, objectives, strategy and priorities.
–Restructure budgets and organizations.
Information security planning may require a different approach:
–External events, current threats, technical considerations or trends may make change necessary.

Security as a Business Function
Changes in behavior and attitude are necessary for security to become a priority.
–Top management must implement, enforce and commit (the DLM model again)
How to achieve equal status:
–Centralize authority that is visible and powerful
–Coordinate with other forms of risk management: physical security, insurance, legal functions and marketing

Integrating Security and Business Plans
Ensures that the most strategic information receives the most protection.
–Also promotes security as being fundamental to the success of the business.
Failure to do this will lead to:
–A security plan out of sync with the business plan
–Security policies not being taken seriously

Developing Information Security Standards
Formal policies and standards documents should be developed for other security functions, such as:
–Firewall configuration
–Archival storage
–Remote access procedures
–Roles and permissions
–Wireless handheld devices
–Password maintenance
Maintaining formal policies and standards documents allows for consistency and currency with changes in technology as well as in the business environment.

Documentation and Training
Documentation and training budgets are normally set at a very low level. This tendency starves the education budget and tends to subvert the entire program. When training is implemented correctly and employees know their stake in a secure workplace, they are able to recognize and react in a communal fashion, which is usually the most effective method.

Incident Response Policy and Incident Response Teams
Preparation before an incident occurs is necessary for development and readiness:
–Design the policy and the teams
–Educate everyone about their roles
–Conduct tests to validate the plan's effectiveness
An incident response policy is the key to readiness.
–Needs to be clear and simple for ease of use during a stressful event
–Provides guidance on what to do when an attack occurs
–Defines the scope of the powers, authority, and discretion that the team has in responding to an attack
–Focuses management attention on security and response issues

Example: Incident Response Process (from infocus/1467)

Developing a Notification Plan
Who do you notify?
–Law enforcement
–Regulatory authorities
–Clearinghouse organizations, such as CERT
–Business partners
–Bugtraq
The choice is up to the victimized firm.
–In 2002, the CSI/FBI Computer Crime and Security Survey reported that only 60% of known intrusions were reported to anyone not directly involved, and only 34% to law enforcement.
These numbers arise because some firms do not want to expose breaches in their networks to the public, risk liability, or incur the delays and costs of formal investigations.

Secure-Use Procedures: Technology

Shut Down Unnecessary Services
Network administrators should review all active ports.
–Ports: interfaces, or entry/exit points, to a network
–Common ports: 80 (HTTP), 23 (Telnet), 43 (SSL), 110 (POP3)
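The port review above can be made repeatable by comparing what a host is actually listening on against an approved-service list. The following is an added example, not code from the slides: it parses constructed `ss -tlnp` style output (the Linux socket listing; the sample lines and the allowlist of SSH, HTTP and HTTPS are assumptions for illustration) and flags every listener that is not approved, separating loopback-only binds from those exposed on all interfaces.

```python
# Added example (not from the slides): review listening sockets against an
# approved-service allowlist. Parses constructed output in the format of
# `ss -tlnp` (Linux); in practice, feed it the real command's stdout.
import re

# Assumed allowlist for a host that should only run SSH and a web server.
APPROVED_PORTS = {22: "ssh", 80: "http", 443: "https"}

# Constructed sample of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1044,fd=6))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1044,fd=7))
LISTEN 0      5      0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=1300,fd=4))
LISTEN 0      100    0.0.0.0:110         0.0.0.0:*         users:(("dovecot",pid=1410,fd=9))
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=990,fd=5))
"""

# One LISTEN row: state, queues, local addr:port, peer, then the owning process name.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_listeners(ss_output):
    """Return (address, port, process) tuples for every LISTEN line."""
    found = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2)), m.group(3)))
    return found

def unexpected_services(ss_output, approved=APPROVED_PORTS):
    """Flag listeners not on the allowlist. Loopback-only binds are reported
    separately: they are not reachable from the network but still deserve review."""
    exposed, local_only = [], []
    for addr, port, proc in parse_listeners(ss_output):
        if port in approved:
            continue
        (local_only if addr.startswith("127.") else exposed).append((port, proc))
    return exposed, local_only

if __name__ == "__main__":
    exposed, local_only = unexpected_services(SAMPLE_SS_OUTPUT)
    for port, proc in exposed:
        print(f"REVIEW: port {port} ({proc}) listens on all interfaces but is not approved")
    for port, proc in local_only:
        print(f"note: port {port} ({proc}) is loopback-only")
```

Each flagged service should either be shut down or added to the allowlist with a documented owner, so the next review only reports genuine drift.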

Set up and Maintain Permissions Securely
Permissions are privileges granted to each user that control which data and applications that user can access.
–Controlled by the system admin
–Range from read-only to full admin privileges
–Limitations help distinguish honest from dishonest employees: security by ignorance
Roles, or access-level categories, are an effective way to manage permissions: users are assigned specific access levels to the server.
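A small role model that matches the slide's "read-only to full admin" range, as an added example rather than anything from the presentation. The role names, permission bits and user assignments are assumptions for illustration; the point is that access is granted by choosing a fixed role, and that anyone without a known role gets nothing.

```python
# Added example (not from the slides): role-based permissions with default deny.
# Role names, permission bits and user assignments are assumptions for illustration.
from enum import Flag

class Perm(Flag):
    NONE = 0
    READ = 1
    WRITE = 2
    DELETE = 4
    ADMIN = 8
    ALL = 15          # READ | WRITE | DELETE | ADMIN

# Access-level categories: each role is a fixed bundle of privileges, so a
# user's rights are set by choosing a role rather than granting ad hoc flags.
ROLES = {
    "viewer": Perm.READ,                               # read-only
    "editor": Perm.READ | Perm.WRITE,
    "manager": Perm.READ | Perm.WRITE | Perm.DELETE,
    "sysadmin": Perm.ALL,                              # full admin privileges
}

# Assignment of users to roles, maintained by the system admin.
USER_ROLES = {"alice": "viewer", "bob": "editor", "carol": "sysadmin"}

def permissions_for(user):
    """Unknown users and unknown roles get nothing: least privilege by default."""
    role = USER_ROLES.get(user)
    return ROLES.get(role, Perm.NONE)

def is_allowed(user, needed):
    """True only if every bit of `needed` is held by the user's role."""
    return (permissions_for(user) & needed) == needed

def assign_role(user, role):
    """Reject unknown roles so a typo cannot silently create an over-privileged account."""
    if role not in ROLES:
        raise ValueError(f"unknown role: {role}")
    USER_ROLES[user] = role
```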

Conduct Background Checks
A thorough background investigation of everyone being considered for a system administrator job should be conducted rigorously prior to employment.
–Rotating responsibilities among a team makes it difficult to hide dishonesty

Enforce Strong Passwords
Rules for strong passwords:
–No default passwords
–Minimum 10 characters with symbols and numbers
–Change at least every 4 months
–Any others?
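The three rules on this slide can be enforced mechanically at password-change time. The following checker is an added example, not from the presentation; the default-password list is constructed, and "every 4 months" is taken as 120 days, both assumptions.

```python
# Added example (not from the slides): check a proposed password and its age
# against the slide's rules. The default-password list and the 4-month
# window (taken here as 120 days) are assumptions for illustration.
from datetime import date, timedelta
import string

# Constructed list of vendor/default credentials to refuse.
DEFAULT_PASSWORDS = {"password", "admin", "changeme", "welcome1", "12345678", "letmein"}
MIN_LENGTH = 10
MAX_AGE = timedelta(days=120)   # "change at least every 4 months"

def password_violations(password, last_changed=None, today=None):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("default password")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    if last_changed is not None:
        today = today or date.today()
        if today - last_changed > MAX_AGE:
            problems.append("older than 4 months; must be changed")
    return problems

if __name__ == "__main__":
    for candidate in ("admin", "Tr0ub4dor&3"):
        print(candidate, "->", password_violations(candidate) or "ok")
```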

Review Partner Contracts
A network of business partners becomes an extension of the business's own network.
–Ask for 3rd-party certification of information security practices
–Build provisions into contracts that provide protection

Audit and Update
One area of liability that is often ignored is the use of unlicensed software.
–Software vendors are entitled to conduct audits to ensure license compliance.
–The best way to protect your company is to proactively and periodically survey all computers for illegal applications.
–Known vulnerabilities in commercial software that are left unaddressed become vulnerabilities for hackers to exploit.

Physical Security
Ways to keep information physically secure:
–Use encryption on all offline storage of sensitive data
–Make sure all network devices in the field are in a physically secure place
–Dispose of old computers with extreme care

Auditing …
Acts as a legal deterrent and demonstrates diligence
Similar to financial audits: certify with an outside agency
Beyond technology: include documentation, training and personnel
… includes Testing
Test the response of defensive technology and of the designated response team
Backup sites should be included

Other Secure Principles and Practices

Insurance
Now available to cover liability from virus transmission and confidential information release, business interruption, and loss of income from DoS attacks
Staying Current
Need I say more?

Reinforcing Secure-Use Procedures
Warning vs. welcome message
–The welcome message must come after the warning
–A court ruling found that the incorrect order implies authorization
Rewards are as important as reprimands
Rewarding secure behavior

Worst Practices

Dangerous Practices
Forwarding
Auto-reply/responders: allow the system to send a prepared message automatically in response to each message it receives
–Spammers are guaranteed responses
HTML
IM

Dangerous Sharing Practices
P2P networks: the 2nd most effective way (mail is 1st) for malware distribution
Software downloads: spyware, Trojan horses
Unauthorized users: PCs and PDAs shared with others unfamiliar with the AUP
Public networks and wireless networks: open the PC to anyone monitoring

Summary
Secure-Use Practices help control risks and dangers through the use of policies and technology.
The effectiveness of security practices depends on their relationship to the business culture and on the diligence of staff.
The key is to balance security and capability.