First Annual Commonwealth Information Security Conference

About This Presentation

Title:

First Annual Commonwealth Information Security Conference

Description:

First Annual Commonwealth Information Security Conference – PowerPoint PPT presentation

Number of Views:618

Avg rating:3.0/5.0

Slides: 175

Provided by: walterku

Category:

more less

Transcript and Presenter's Notes

Title: First Annual Commonwealth Information Security Conference

1
First Annual CommonwealthInformation Security
Conference
www.vita.virginia.gov
2
Agenda

Walter KucharskiTop 10 Commonwealth Information
Security Issues/Opportunities/Concerns/Risks
John GreenApplication Security Why Firewalls
Arent Enough Anymore
Keynote Gino MenchiniGovernment IT The New
Expectations and Challenges
Randy MarchanyUnintended Consequences Don't
Create New Risks
Eric TaylorIT Seppuku Why Do We Still Suffer
Security Violations
Bob BasketteSocial Engineering Building Bridges
to Confidential Data

3
Commonwealth Information Security Conference

November 2, 2009

4
AGA Top Ten List -- 2009

STIMULUS MONEY -- ARRA
DATA SECURITY
VITA/NORTHROP GRUMMAN
ENTERPRISE APPLICATION/DATA EXCHANGE STANDARDS
MORE TIMELY FINANCIAL INFORMATION

AUDITOR OF PUBLIC ACCOUNTS
5
AGA Top Ten List -- 2009

ADMINISTRATIVE DUTIES CONSOLIDATION
SUCCESSION PLANNING
PERFORMANCE MANAGEMENT / MEASURES
CONTRACT MANAGEMENT
PPEA / PPTA

AUDITOR OF PUBLIC ACCOUNTS
6
The FUTURE -- 2009

Financial statements will need to be completed
and issued with 90 days and the single audit
within 4 months
The State needs newer accounting systems and one
sole enterprise application will probably not be
the answer
Data security concerns will continue to grow
There will be increasing e-commerce and data
exchange between federal, local and state
government
Information technology infrastructure and systems
will become commodities and shared

AUDITOR OF PUBLIC ACCOUNTS
7
Concerns

WHAT IS PRIVACY?
WHAT IS TRANSPARENCY?

AUDITOR OF PUBLIC ACCOUNTS
8
Concerns

DATA SECURITY -- Employees
VITA/NORTHROP GRUMMAN
DATA EXCHANGE STANDARDS
MORE TIMELY FINANCIAL INFORMATION
CONSOLIDATING ADMINISTRATIVE DUTIES

AUDITOR OF PUBLIC ACCOUNTS
9
Concerns

ACCOUNTING/ WORKFLOW SYSTEM CONTROLS WILL REPLACE
MANUAL CONTROLS
E-COMMERCE AND DATA EXCHANGE BETWEEN FEDERAL,
LOCAL AND STATE GOVERNMENT
SHARED INFORMATION TECHNOLOGY INFRASTRUCTURE AND
SYSTEMS AS COMMODITIES

7
AUDITOR OF PUBLIC ACCOUNTS
10
What is an ISO

Paper pusher or Policeman
Management Oversight or One of the Gang
Tail-end Reviewer or System Developer and
Guardian
Risk Manager or Elephant Parade Cleaner

AUDITOR OF PUBLIC ACCOUNTS
11
Application SecurityWhy Firewalls Are Not Enough

John Green
Chief Information Security Officer
Commonwealth of Virginia

www.vita.virginia.gov
www.vita.virginia.gov
12
Todays Agenda

Introduction
Lessons From History
Threats and Vulnerabilities
Opportunities For Mitigation
Resources
Questions

www.vita.virginia.gov
13
Application Vulnerabilities Skyrocketing!

Web vulnerabilities have increased from 1.9 of
all published vulnerabilities in 2006 to over 52
in 2009.
Application vulnerabilities from 2007 to 2008
increased by 154.
WhiteHat Security said about 70 of websites it
scans are likely to have at least one critical
website vulnerability.

www.vita.virginia.gov
Source http//www.ncircle.com/index.php?ssolutio
n_Web-Application-Vulnerability-Statistics
14
Largest Breaches In History
www.vita.virginia.gov
15
Why? Money!

www.vita.virginia.gov
16
Firewall Are No Longer Enough

Firewalls have been around a while
Primary purpose To stop unwanted traffic from
crossing network boundaries
Hackers are walking right through them
Perimeter firewalls are necessary, but no longer
sufficient!
History shows us why

www.vita.virginia.gov
17
Impenetrable Defenses Of France
"We could hardly dream of building a kind of
Great Wall of France, which would in any case be
far too costly. Instead we have foreseen powerful
but flexible means of organizing defense, based
on the dual principle of taking full advantage of
the terrain and establishing a continuous line of
fire everywhere." Maginot
www.vita.virginia.gov
18
21st Century Maginot Line
Internal Networks
Router
Router
Email
Maginot Line Term used now for something that is
confidently relied upon but ends up being
ineffective.
Web
www.vita.virginia.gov
19
May 10, 1940 - What Went Wrong?

Defenses based on past threat
Perimeter protection
No layered defenses
Holes
Ardennes Forest
Belgium was an ally
Maginot Line never fell
Bypassed
Surrendered

www.vita.virginia.gov
20
Firewalls Do Not Stop Todays Threat
Internal Networks
DB Server
DB Server
Router
Router
Email
Web
www.vita.virginia.gov
21
2008 Symantec Threat Report

63 percent of vulnerabilities affected Web
applications, an increase from 59 percent in 2007
There were 12,885 site-specific cross-site
scripting vulnerabilities identified, compared
to17,697 in 2007 of the vulnerabilities
identified in 2008, only 3 percent (394
vulnerabilities) had been fixed at the time of
writing.
The education sector represented the highest
number of known data breaches that could lead to
identity theft, accounting for 27 percent of the
total
The government sector ranked second and accounted
for 20 percent of data breaches that could lead
to identity theft.
Hacking ranked second for identities exposed in
2008, with 22 percent this is a large decrease
from 2007, when hacking accounted for 62 percent
of total identities exposed.

www.vita.virginia.gov
Source http//www.symantec.com/business/theme.jsp
?themeidthreatreport
22
OWASP Top 10 Application Flaws
Cross Site Scripting (XSS) XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.
Injection Flaws Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
Malicious File Execution Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.
Insecure Direct Object Reference A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
Cross Site Request Forgery (CSRF) A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.
Information Leakage and Improper Error Handling Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks.
Broken Authentication and Session Management Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.
Insecure Cryptographic Storage Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes.
Insecure Communications Applications frequently fail to encrypt network traffic when it is necessary
Failure to Restrict URL Access Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.
www.vita.virginia.gov
Source http//www.owasp.org/index.php/Top_10_200
7
23
WASC Application Vulnerability Statistics
Web Application Security Consortium (WASC )
Report 2008 includes data from 12186 web
applications evaluated. Compared to 2007, the
number of sites with wide spread SQL Injection
and Cross-site Scripting vulnerabilities fell by
13 and 20, respectively, however, the number
of sites with different types of Information
Leakage rose by 24. On the other hand, the
probability to compromise a host automatically
rose from 7 to 13 .
www.vita.virginia.gov
Source http//projects.webappsec.org/Web-Applicat
ion-Security-Statistics
24
SQL-injection Information

Can occur whenever client-side data is used to
construct an SQL query without first adequately
constraining or sanitizing the client-side input.
The use of dynamic SQL statements (the formation
of SQL queries from several strings of
information) can provide the conditions needed to
exploit the backend database that supports the
web server.
SQL injections allow for the execution of SQL
code under the privileges of the system ID used
to connect to the backend database.
Malicious code can be inserted into a web form
field or the websites code to make a system
execute a command-shell or other arbitrary
command.
In addition to command execution exploitation,
this vulnerability may allow a malicious
individual to change the content of the back-end
database and therefore the information displayed
by the website.

www.vita.virginia.gov
25
Cross-Site Scripting (XSS)

Allows a malicious individual to utilize a
website address that does not belong to the
malicious individual for malicious purposes.
Cross Site Scripting attacks are the result of
improper filtering of input obtained from unknown
or untrusted sources.
Cross-Site Scripting attacks occur when a
malicious individual utilizes a web application
to send malicious code, generally in the form of
a browser side script, to an unsuspecting user.
The parameters entered into a web form is
processed by the web application and the correct
combination of variables can result in arbitrary
command execution.

www.vita.virginia.gov
26
Cross-Site Scripting (XSS)

The unsuspecting users browser has no way to
know that the script should not be trusted, and
will execute the script.
Because the unsuspecting users browser believes
that the script came from a trusted source, the
malicious script can access any cookies, session
tokens, or other sensitive information retained
by the unsuspecting users browser.
The injected code then takes advantage of the
trust given by the unsuspecting user to the
vulnerable site. These attacks are usually
targeted to all users of a web application
instead of the application itself.

www.vita.virginia.gov
27
Opportunities For Mitigation

Personnel Awareness Training
Systems Development Life Cycle
New Development
Application Procurement
Legacy Applications

www.vita.virginia.gov
28
Systems Development Life Cycle

Project Initiation
Classify the data that the system will process
Determine if sensitive data absolutely must be
collected and/or stored
Perform risk analysis based on known requirements
classification of data
Develop an initial IT System Security Plan
Project Definition
Identify, document incorporate security control
requirements into IT System design specifications
Develop evaluation procedures to validate that
security controls
Update the IT System Security Plan to include
controls
Implementation
Execute the evaluation procedures
Conduct a risk assessment to evaluate overall
system risk
Update the IT System Security Plan to include
controls
Disposition
Require that data retention schedules are adhered
to
Require that electronic media is sanitized prior
to disposal

www.vita.virginia.gov
29
New Development

Push security involvement to the front end of
development
Security Design (for sensitive systems)
Encrypted communication channels
Sensitive information shall not be stored in
hidden fields
Application Development
Application-based authentication shall be
performed for access to data that is not
considered publicly accessible
Support inactivity timeouts on user sessions
Data storage must be separated from the
application interface
Validate all input irrespective of source, focus
on server-side
Implement a default deny policy for access
control
Use the least set of privileges required for
processing
Internal testing must include one of penetration
testing, fuzz testing or source code auditing
Clear cached and temporary data upon exit
Production and Maintenance
Scan internet-facing sensitive applications
periodically for vulnerabilities

www.vita.virginia.gov
30
Applications Procurement

Work to incorporate language into contracts that
includes
General
Personnel, Security Training, Background Checks
Vulnerabilities, Risks and Threats
Application Development
Development Environment
Secure coding, Configuration management,
Distribution, Disclosure, Evaluation
Testing
General, Source Code, Vulnerability and
Penetration Test
Patches and Updates
Tracking Security Issues
Delivery Of The Secure Application
Self Certification
No Malicious Code
Security Acceptance And Maintenance
Acceptance
Investigating Security Issues

www.vita.virginia.gov
Source http//www.sans.org/appseccontract/
31
Legacy Applications

Periodic application vulnerability scanning
Strong configuration management
If vulnerabilities are identified
Each application may have specific challenges
Case by case analysis may reveal options
Easy fix
Virtualization
Host based intrusion prevention
Application firewall technology
Third party integration
Other technology

www.vita.virginia.gov
32
Resources
www.vita.virginia.gov
33
www.OWASP.org
www.vita.virginia.gov
34
2009 CWE/SANS Top 25
www.vita.virginia.gov
35
http//iase.disa.mil/stigs/checklist/
www.vita.virginia.gov
36
http//trustedsignal.com/secDevChecklist.html
Recommended!
www.vita.virginia.gov
37
Organizational Resources

Agency Information Security Officer
Commonwealth Security and Risk Management
Other Resources?
CommonwealthSecurity_at_vita.virginia.gov

www.vita.virginia.gov
38
Conclusions

Largest breaches in history due to application
vulnerabilities
Firewalls are necessary but wont protect
vulnerable applications
SQL injection and Cross Site Scripting top the
lists of vulnerabilities measured and attacked
Many opportunities to address the problem of
insecure code
Plenty of resources to help, USE THEM!

www.vita.virginia.gov
39
GEN. Patton on Usefulness of Firewalls
"Fixed fortifications are monuments to the
stupidity of man."
www.vita.virginia.gov
40
Questions?

Thank You!
John.Green_at_vita.virginia.gov

www.vita.virginia.gov
41
ITS ALL ABOUT SERVICE
DRAFT for Review_v.4
Gino Menchini Managing Director
42
The City of New York

Resident population of over 8 million daytime
population of 10 million
Over 350,000 City employees, 300,000 retirees
New York City Government includes its 5 counties
The 1 million student school system reports to
the Mayor
Annual budget exceeds 59.5 billion dollars
If New York City was a private sector
corporation, it would be in the Top 30 of the
Fortune 500 companies
Over 120 agencies, offices, and organizations
make up The City

43
New York City as a Bellwether Local Government
IT on Steroids

New Breed of Leadership Significant expansion
in the role of IT
Mayor Michael R. Bloomberg Business IT
experience
Younger commissioners, senior staff, and
legislators demand more of IT
Higher expectations on Government from the public
They demand to perform transactions seamlessly
through the Government walk-in, web and call
centers
Publics perception of the competency of an
administration is increasingly shaped by the ease
of access/response

44
The role of IT in Emergency Response and
Preparedness

Focus on Public Safety Technologies
911 CAD systems and infrastructure - 311
First Responder Radio infrastructure
Command and Control Communications
Greater Dependence on
GIS
Email Blackberries
New Technologies
Video Surveillance Systems Sensor systems
Hospital Emergency Room monitoring systems
AVL
Emergency Management Systems
Real time Crime Center
Intelligent Transportation systems
Access control systems
Telecomm carrier infrastructure survivability
post 9/11
Municipal IT infrastructure Redundancy/Survivabi
lity

45
New York City as a Bellwether Local Government
IT on Steroids

IT is now at the decision making table Are we
ready?
Guide and manage a larger volume of IT projects
simultaneously while advancing our IT Strategy
Be prepared to deliver IT projects rapidly high
availability systems
Provide solutions to address the problem of the
day Be relevant

46
NYC Department of Information Technology and
Telecommunications - Then
47
The role of the NYC Department of Information
Technology and Telecommunications - Now
48
New technologies implemented rapidly
49
New York Citys Agencies and IT

Highly diverse range of services, unlike private
sector.
Virtually the entire range of Government Public
Sector Services are provided by New York City
from Child care to Anti-terrorism, Street
cleaning to fresh water reservoirs.
Agencies are organized and staffed to focus on
their area of responsibility and specialization
(silos).
Specialized agency specific IT applications need
to be implemented and supported by agencies.
High availability is required. Security is
expected.

50
Unintended Consequences Dont Create New Risks

Randy Marchany, VA Tech IT Security Office

51
What People Think of Security
Internal Network
The Firewall will protect us!
The Big Bad Internet
52
What I meant is not what I said

Schneiers article
http//www.schneier.com/essay-210.html
Google street view
County records
Account lockout the easy DOS
SSN finders SSN generators?
Fundrace.org
P2P
Spammers and FOIA
Classroom locks?
Emergency Messaging Systems

53
Inside the Twisted Mind.

Security mindset involves thinking how things
can be made to fail
Otherwise, you never notice most security
problems
Designers are so focused on making systems work
that they dont notice how they might fail
They dont notice how those failures might be
exploited

54
Inside the Twisted Mind..

Uncle Miltons Ant Farm
You filled out a card with your address and
theyd mail you some ants but..
Theyll send a tube of live ants to anyone you
tell them to
Smartwater
Liquid with unique id linked to an owner
Ill paint mine on YOUR stuff and then call the
police

55
Inside The Twisted Mind

Auto Dealership Service Centers
Get my car by giving them my name
Get your car by giving them your name
Laser Printers
Use their disks for your storage
City Surveillance
Who watches the watchers?
Can you corrupt stored camera images?

56
(No Transcript)
57
(No Transcript)
58
Account Lockout

Whats the purpose of the lockout?
Log failed attempts?
Multiple entries in a short period of time
usually indicate a brute force attack
Password strength rules in effect?
Designed to prevent guessable passwords

59
Account Lockout

How long does it take to reset the account?
Minutes?
Hours?
Forever?
After hours?
So, what if my attack is to lock you out?

60
Account Lockouts

Account Lockout Policy
25 year defense
Old Unix systems had no password controls so this
was the only defense against brute force guessing
AIX 3.1 (1993) was one of the first with
password controls
Why are we still using a 25 year defense if the
other controls are more effective?

61
SSN Finders or SSN Generators?

Software to search for sensitive data on
computers
Can they be used to generate SSN/CCN?
Freeware
VT Find_SSNs
Cornell Spider
UT-Austin SENF
Commercial
IdentityFinder

62
Inside the Twisted Mind
63
(No Transcript)
64
(No Transcript)
65
(No Transcript)
66
(No Transcript)
67
P2P or P_at_!_at_()P

Ban it says the RIAA/MPAA!
Extension divisions use P2P to distribute
videos/recordings to farmers
YouTube
Independent bands use P2P to sell or distribute
their music
Ban P2Pbring on the antitrust lawsuits
Youre restricting my ability to market my
product

68
Spammers and FOIA

A known spammer issued a FOIA request for all U
of Texas faculty, staff and student email address
Same thing happened in VA

69
Antivirus Software Threat?

My job is to test security tools
AV Software deletes my tools because it thinks it
knows better than me.
We know whats good for you. syndrome
Its a race to create the exception list ?

70
Things That Make You Go Hmmm

Locks on doors
Bulletproof doors included?
Likelihood of mugging vs. worse
Dealing with 2 separate incidents
First event happened 7am
Second event happened 930am almost ¾ mile away
from the first event
Insider attack

71
Campus Lockdown?
Yes, its a Airport
Approx. 2 miles
72
(No Transcript)
73
(No Transcript)
74
Understand Your Audience

Security Process without regard to Business
Process
Business Process rule the world
Physical security rules can be translated to
cybersecurity rules
IT people focus on technology not the business
process. Wrong!
Business process doesnt consult IT when buying
new gadgets

75
Use Risk Analysis to Build DR Plan
Business Process A
Business Process B
Business Process C
Oracle DB Forms Servers Auth Servers
Host A Host B Host C Host D Host E
Host F
76
We have met the enemy and it is vendors..
77
Its Insecure Out of the Box

Viruses will never be eliminated
Multibillion industry to fight them
Eliminate the threat, we no longer have
multibillion industry.
Wireless cash register software sending data in
the clear
Document imaging systems sending data in the
clear
Govt/LE records digitized by insecure software
Printers, copiers based on NT!

78
Its Insecure Out of the Box

Security vs. Convenience
Let the users debug the code
OS vendors are starting to see the light
Windows XP/2003 with security features enabled
Apple OSX
Linux systems with firewall enabled
Application Vendors still dont get it
Oracle stepped in it
http//news.com.com/Whensecurityresearcherbecom
etheproblem/2010-1071_3-5807074.html

79
Why is this an option? This should be the
default! Wait! I already know the last 4 digits
of my SSN so why have this at all?
80
(No Transcript)
81
(No Transcript)
82
Unlocked Key Mean Transmission In the Clear!
83
Let Me Read Your Email!
84
Why buy the cow when you can get the milk for
free?
85
(No Transcript)
86
(No Transcript)
87
(No Transcript)
88
(No Transcript)
89
(No Transcript)
90
Obtaining Personal Information

Public Records can be accessed from anywhere in
the world.
Local governments are allowing access to
sensitive info via the Web without thinking about
security.

91
County Clerks and Identity Theft

Making legal docs available on the net w/o good
security practices.
A secure www site isnt enough
Tom Delay SSN From Public Records
Jeb Bush SSN From Public Documents
Colin Powell Deed of Trust
Colin Powell SSN from Public Records
Do County Clerks (by extension, the state
legislature) facilitate ID Theft?

92
Whats Going On Here?

Were spending to protect sensitive data
(SSN) but.
State govt is allowing SSN info to be obtained
online so.
Laws need to be coordinated but.
Update VA passed a law (7/1/08) that makes it
illegal to distribute SSN legally obtained from
public govt www sites ?

93
(No Transcript)
94
The Twisted Mind

If youre not doing anything illegal, you
shouldnt care whether youre surveilled
What if I just want to track you?
NY Times article on bored security staff tracking
people on the streets.

95
T-Mobile said the company's computer forensics
and security team were "actively investigating to
determine how Ms. Hilton's information was
obtained."
96
The Twisted Mind

Smart phones and PDAs have become the electronic
equivalent of the sticky note
Put my passwords in the device
What if I drain your battery?

97
Virtualization

Use it to check for unintended consequences
Build test systems then apply Schneiers rule to
them
Lets see a demo..

98
Should We Give Up?

NO! But examine solutions carefully to make sure
you dont introduce a worse threat
Knee-jerk solutions cause worse problems
Apply Schneiers rules to your solution

99
Should We Give Up?

NO! Hold vendors accountable for their bad
security practices
Insecure code
Stolen developer laptop syndrome
They modify their EULA
We just dont buy the product.

100
Should We Give Up?

NO! Increase User Awareness training.
Customize it. What makes sense at VT might not
make sense in your house.
Helps your overall security posture.
If we do security for the end user, theyll never
change their behavior.
All security is local.
A Tip ONeill twist

101
Questions?

Randy Marchany, VA Tech IT Security Office Lab,
1300 Torgersen Hall, VA Tech, Blacksburg, VA
24060
540-231-9523
marchany_at_vt.edu
http//security.vt.edu

102
IT Seppuku Why Do We Still Suffer Security
Violations?
Eric Taylor Enterprise Security Architect
Northrop Grumman
103
Agenda

Introduction
Evolution of computer attacks
The Commonwealth over the last year
How Do We Avoid Security Violations

104
Cybergovernment
105
Cybercommunity
106
Cybereconomy
107
Cybergeeks
108
Cybersickness
109
Cyberbaby
110
Cyberdefense
111
Cyberspace
112
Cyberwarfare
113
Cybersabotage
114
Cybercrime
115
Cybercriminal
116
Cybertherapist
117
Cyberwarrior
118
Cybersuicide
119
Disclaimer

No such thing as a secure system
Security is hard, but the basics are easy and
still need attention.
Attacks are not always technical, non-technical
means can be used
Attacks take the path of least resistance

120
Evolution of computer attacks

Hacking for Fun (1970 1995)
The goal was to gain access
Motivation was mainly curiosity
Methods phreakers, password guessing, bad
configurations, virus, trojan horses, insecure
networks.
Lessons Learned
New Laws Congress passes the Computer Fraud and
Abuse Act

121
Evolution of computer attacks

Casual Hacking (1995 2000)
The goal was to gain access, defacement,
disruption.
The motivation was for showing off, education,
publicity and money.
Methods buffer overflows, email virus/
attachments, AOHell, Back Orifice
Lessons Learned
There is a need for compromise detection
(intrusion detection)
Software security through better tools and
languages

122
Evolution of computer attacks

Hacking (2001 2005)
The goal was to attract attention through
large-scale activities.
Motivation publicity and money
Methods DoS, worms, rootkits, etc..
Lessons Learned
Service Denied
Bill Gates decrees that Microsoft will secure its
products and services, and kicks off a massive
internal training and quality control campaign.

123
Evolution of computer attacks

Professional hacking (2005 - ?? )
The goal for system compromise, identity theft,
information exfiltration, and Advanced Persistent
Threat (APT)
Motivation is
Methods web attacks, phishing / pharming,
spear-phishing, etc..
Malware, drive by downloads, FakeAV
Large-scale botnets, hacker service networks
Conficker worm infiltrated billions of PCs
worldwide

124
Commonwealth over the last year

Malware / Worms
Over a three month period, 1335 total unique
infections (fakeav and others)
Conficker
FakeAV
Mobile Devices
USB drives
Lost Flash drives
Conficker
Stolen or lost Laptops
Unsecure configurations
Systems not locked down before production

125
Commonwealth over the last year

Information leakage
Posting sensitive information to public website
Human Error
Application Security
According to Privacy Clearing house, one incident
in 2009, Virginia provided individual
notifications to 530,000 people
530,000 x .50 265,000 (estimate for stamps
and envelopes)
Social Engineering
Spear phishing user accounts throughout the
Commonwealth

126
Commonwealth Incidents

Malware
66 over the last year
Major Outages
Unauthorized Access Attempts
3 instances of Virginia Agencies in 2009 appear
on the Privacy Clearing House - A Chronology of
Data Breaches website.

127
The Stop and Rob
Charlie 16 to dispatch, we are currently 10-8 at
the Stop and Rob on 2400 block of Jeff Davis.
128
The Stop and Rob
Developer
Firewall
Access Control
Application Logic
HTTP/ HTTPS
DATA
129
The Stop and Rob
Charlie 16 to dispatch, we are currently 10-8 at
the Stop and Rob on 2400 block of Jeff Davis.
Firewall
Access Control
Application Logic
Bad Guy
Developer
DATA
130
How Do We AvoidSecurity Violations?

20 Critical Controls, prioritized baseline of
information security measures and controls
Boundary Defense
Avoiding Insecure Network Designs
Patch Management
User Awareness
Least Privilege
End Point or Client Side Security

NOTE - SANS 20 Critical Security Controls -
Version 2.1
131
How Do We AvoidSecurity Violations?

Secure SDLC Processes
Security As Weighted Factor During the
Procurement Process
Application Security
Security Skill Assessment and Appropriate Training

132
Summary

We are still learning our lessons
Attackers are more advanced then ever before
Security must start from the beginning
The Commonwealth is a target

133
Social Engineering Building Bridges to
Confidential Data

Bob Baskette
CISSP-ISSAP, CCNP/CCDP, RHCT
Commonwealth Security Architect

www.vita.virginia.gov
134
Why Information Security Matters

Computer systems have an inherent value to both
the computer system owner and those malicious
individuals who seek the data stored on the
computer systems and the available processing
power the computer systems possess
Malicious individuals may also be interested in
taking over the computer system to store illegal
materials or launch attacks that will be traced
back to the compromised system instead of the
malicious individual

135
Social Engineering

The use of influence and persuasion to deceive
people for the purpose of obtaining information
or persuading a victim to perform some action
Based on the building of inappropriate trust
relationships
Will target Help Desk personnel, onsite
employees, and contractors
Is one of the most potentially dangerous attacks
since it does not directly target technology

136
Factors in Social Engineering

Desire to be helpful
Tendency to trust people
Fear of getting in trouble
Art of Manipulation (the ability to blend-in)

137
Social Engineering Behavioral Types

Scarcity
Belief that an item is in short supply
Commonly used by marketing
Authority
Based on premise of power
Liking
Based on the fact that people tend to help people
they like

138
Social Engineering Behavioral Types

Consistency
Based on the fact that people like to be
consistent
Social Validation
If one person does it, others will follow
Reciprocation
One good turn deserves another

139
Social Engineering Attack Types

Human-based (Person-to-Person)
Computer-Based (Automated)

140
Human-based (Person-to-Person)

Uses the following techniques
Shoulder surfing
Dumpster diving
Impersonation
Intimidation
Using third-party approval

141
Human-based (Person-to-Person)

Impersonation (Masquerading)
Attacker pretends to be someone else
Can impersonate an new employee, valid user,
business client, janitor, delivery person, or
mail room person
Attack carries a higher risk since the attacker
is inside the facility perimeter
Intimidation (Posing as an important user)
Attacker pretends to be an important user
Works on the belief that it is not good to
question authority
Using third person authorization
Attacker convinces the victim that the attacker
has approval from a third party that is an
authoritative source
Works on the belief that most people are good and
truthful

142
Human-based (Person-to-Person)

Reverse Social Engineering
Considered to be the most difficult type of
Social Engineering attack
Requires a tremendous amount of preparation and
skill
Act as help-desk or admin staff to request
information
Can involve sabotaging the victims equipment and
then offering to fix the problem
Can be difficult to execute since the first step
requires the sabotage of a system
Target could be a external utility such as a
phone line
Deliver defective equipment and then offer to
repair
Attach business card to toner box or laptop case

143
Computer-Based (Automated)

Phishing and Spam
Email attachments
Fake websites
Pop-up messages
Drive-by downloads
DNS Cache poisoning
Spoofed SSL-certificates

144
SPAM and the Flying Circus

Spam is the intentional abuse or misuse of
electronic messaging systems to send unsolicited
bulk messages
SPAM is normally associated with e-mail spam, can
be used with other electronic transmission types
such as instant messaging, Usenet newsgroups, Web
search engines, blogs, mobile phone messaging,
Internet forums, and fax transmissions
SPAM remains economically viable because
advertisers have no operating costs beyond the
management of their mailing lists, and it is
difficult to hold senders accountable for their
mass mailings
Today, SPAM is increasingly sourced from bot
networks. Many modern worms install a backdoor
which allows the spammer access to the computer
and use it for malicious purposes
SPAM email-chains are still very popular
promising good fortune if the chain is not broken

145
Phishing Basics

Phishing campaigns use either email or malicious
web sites to solicit personal information from
targeted individuals
Attackers attempt to replicate the look and
format of emails from reputable companies,
government agencies, or financial institutions
The Phishing messages appear to come from popular
social networking sites, auction sites, online
payment processors or IT Administrators to entice
the unsuspecting public to respond
Phishing campaigns that target specific
categories or groups of users are known as Spear
Phishing Campaigns

146
Phishing Basics

People respond without thinking to things that
seem important
Email subjects lines worded to create anxiety or
self-doubt with subject lines such as Do you
trust her/him or Is she/he cheating on you
usually entice immediate action
Email with the subjects such as Your bank
account has been suspended or There is a
problem with your bank account will usually get
instant attention and prompt most people to click
on the listed URL to determine what has happened

147
Pop-up messages

Can prompt victim for numerous types of
information
Can be very successful since the message appears
to be a system message referencing loss of access
or malicious software detection
Has been used successfully to install malicious
software under the pretense of removing malicious
software

148
Drive-By Downloads

Uses legitimate websites to infect end users
The legitimate website is compromised by a
malicious individual to add hidden frames,
malicious URLs, or malicious scripts to the
legitimate website
The users browser retrieves the information
associated with the malicious URL or script and
becomes infected with malicious software
ClickJacking Use of hidden frames on web pages
to entice the user into clicking on malicious URLs

149
DNS Cache Poisoning

Uses DNS responses to redirect users to malicious
websites
Uses multiple techniques to load malicious
IP-address information into legitimate DNS
servers
Removes the need to trick a user into visiting a
malicious website since the malicious IP-address
is provided by a legitimate DNS server

150
SSL Certificate Spoofing

MD5 Hash Collision/Digital Signature transfer
A vulnerability in the Internet Public Key
Infrastructure (PKI) used to issue digital
certificates for secure websites has been
identified
Utilizes a weakness in the MD5 cryptographic hash
function to allow the construction of different
messages with the same MD5 hash
This vulnerability can be used to create a rogue
Certification Authority (CA) certificate trusted
by all common web browsers
This rogue certificate can be used to impersonate
any website on the Internet, including banking
and e-commerce sites secured using the HTTPS
protocol

151
SSL Certificate Spoofing/Piggybacking

Piggybacking SSL Certificates
Allows multiple phishing attacks on a single
certificate
A single compromised Web server with a valid SSL
certificate can be used to host multiple phishing
sites since visitors to the phishing sites
erroneously believe that they have a secure
connection with original website
Visitors could only detect the fake SSL
certificate if they reviewed the certificate or
had access to other visual indicators (secured
with an extended validation SSL certificate)

152
SSL Certificate Spoofing/URL Obfuscation

NULL character attack
Convinces the end-user that a certificate has
been issued to a different domain than the one to
which is was actually issued
The use of NULL characters provides the ability
to put up a certificate on what appears to be the
exact same domain name as the targeted site
This technique utilizes a Man-in-the-Middle
attack and uses the null-character certificate to
create its false certificates as needed
Leading zero attack
Similar to the NULL Character attack
The certificate will attach an invisible zero to
the first hex character in the certificate

153
Social Engineering Mitigation Methods

User Security Awareness and Training
Policies
Procedures

154
Security Awareness Training

Increases the understanding of security and the
threat of Social Engineering
Training should occur during employee enrollment
and at regular intervals
Training could be outsourced to a third-party
since many employees consider third-party input
to be more important

155
Email Security Awareness Training

The best mitigation mechanism for SPAM and
Phishing emails is the delete button
To mitigate the potential threat presented by a
spam email campaign, it is recommended that you
remind your users to never open attachments or
click links contained in unsolicited email
messages
Advise them, if possible, to check with the
person who supposedly sent the email to make sure
that it is legitimate prior to opening any
attachments
Scan any attachments at the network perimeter as
well as the desktop with anti-virus software
before opening the attachment
Never use the contact information provided on a
web site connected directly to the email request

156
Email Security Awareness Training

Also advise users not to reveal personal or
financial information in an email, and not to
respond to email solicitations for this
information
Always examine the URL of a web site. Malicious
web sites may look identical to a legitimate
site, but the URL may use a variation in spelling
or a different domain extension such as .com vs.
.net
An additional step to help mitigate the risk of a
phishing campaign is to limit the administrative
rights of the local users through the
implementation of the Least-Privileged best
practice
Only display functional/group email addresses on
public websites to limit the amount of
SPAM/Phishing emails sent to individuals

157
Physical Security Awareness Training

Ensure all visitors are always escorted
Remind employees not to allow Piggy-Back access
Remind employees not to allow an unknown person
to wander the facility
Never allow a visitor, client, or other persons
to simply connect a computer to the internal
network without prior approval

158
Credential Security Awareness Training

Protection of account credentials
Never give out or share passwords
Use strong passwords for any application
requiring a login
Use unique passwords for every application and
avoid using the same password for similar
applications
Carefully consider the questions used to verify
the user for automated password resets
Most automated systems use a common set of
questions for password reset and the answers to
these questions can be found in public records or
on-line
Place of birth, mothers maiden name, and school
information are available in public records
Friends, color preference, hobbies, and pet
information often found on Social Network sites
Make of first car can be guessed based on
purchasing trends

159
Identity Security Awareness Training

Protection of Personal Identifiable Information
within Social Networks
Select your screen name carefully do not
include any information such as your name, age,
sex, city, or employer
Never post anything you would not want to have
distributed publicly
Never post personally identifying information
such as SSN, first and last name, address,
drivers license, telephone number and e-mail
address
When establishing your account, adjust your
profile until you are comfortable with the amount
of protection provided to maximize your security

160
Policies

Must clarify information access controls
Detail rules for setting up accounts
Define access approval
Define process for changing passwords

161
Policies

Define policy for physical destruction of devices
and media
Hard Drives
CD/DVDs
Define physical control selection and
implementation
Locks
Access controls
How visitors are authorized and escorted

162
Employee Hiring and Termination Policies

Hiring should include background checks,
verifying educational records, and Non-Disclosure
Agreements
Termination should include exit interviews,
review of NDA, suspension of network access, and
checklist for equipment return

163
Help Desk Procedures

Used to make sure that there is a standard
procedure for employee verification
Caller-ID or employee call-back can be used to
verify caller
Can also use Cognitive Passwords
Arcane information that only the user should know

164
Password Change Policy

Require strong passwords
Must not contain any part of account name
Must be at least 8-characters long
Must contain at least three or four
Numbers
Uppercase letters
Lowercase letters
Non-alphanumeric symbols
Require password aging
Prohibit password reuse

165
Employee Identification

ID badges give a clear indication of authorized
personnel
Guests should also wear temporary ID badges
Guests should be required to sign-in and sign-out
Anyone without a badge should be questioned and
escorted to the proper facility personnel

166
Privacy Policies

Employees and customers have a certain
expectation with regard to privacy
The privacy policy should be posted on the public
website

167
Laws and Regulations

4th Amendment to the Unites States Constitution
Electronic Communications Privacy Act of 1986
Protects email and voice communications
HIPPA (Health Insurance Portability and
Accountability Act)
Family Education Rights and Privacy Act
Privacy rights to students over 18
European Union Privacy Law
Protects personal data

168
Data Classification Systems

Can help prevent Social Engineering
Can be used to define what information is most
critical
Can be used to gain end-user compliance
Governmental Information Classification System
Designed to protect confidentiality of
information
Commercial Information Classification System
Focused on the integrity of information

169
Governmental Information Classification System

Unclassified
Information is not sensitive and does not need to
be protected
The loss of information would not cause damage
Confidential
Information is sensitive and the disclosure could
result in some damage
Will require a safeguard against disclosure
Secret
Information that is classified as secret has a
greater important than confidential data
Disclosure would result in serious damage
May result in loss of significant scientific or
technical development
Top-Secret
Information that requires the most protection
Disclosure would be catastrophic

170
Commercial Information Classification System

Public
Similar to unclassified information
Disclosure would not result in damage
Sensitive
Information requires controls to prevent the
release to unauthorized parties
Disclosure would result in some damage
Private
Information is primary personal in nature
Can include employee or medical records
Confidential
Information has the most sensitive rating
Information is required to keep the company
competitive
The information should never be released

171
Commonwealth Security Information Resource Center

http//www.csirc.vita.virginia.gov
Two Main Goals
Create a place to provide security information
that is relative to the Commonwealth
Includes security topics within the COV
government
Addresses topics for those with interests in the
security community
Citizens, businesses, other states, etc.
Create a source for providing threat data to
third parties
Summary threat data for public viewing
Detailed threat data available for appropriate
parties

172
Security Information

Types of information posted
Security advisories
Advisories affecting the Commonwealth government
computing environment
Phishing scams
Attempts to gather information from users that
will be useful for malicious activity
Information security tips
How to integrate security into daily activity
News
The latest news about information security that
would be useful to the government and its
constituents
Threat data
Information showing statistics about the top
attackers targeting the Commonwealth.