Asset Protection - PowerPoint PPT Presentation

Slides: 18
Provided by: philli5

Transcript and Presenter's Notes

1
Asset Protection
2
Know your assets
  • Just like your network, you can't protect what
    you don't know about
  • Know what regulations you need to comply with
    • HIPAA
    • FERPA
    • PCI
    • Sarbanes-Oxley

3
HIPAA/FERPA
  • Probably the most relevant ones for educational
    institutions
  • PCI may also be important if you accept any
    credit card payments
  • HIPAA protects ePHI (electronic Personal Health
    Information)
  • FERPA (Federal Education Records and Privacy Act)

4
HIPAA/FERPA
  • Examples of HIPAA/FERPA information
    • Fairly obvious
    • Student records (FERPA)
      • Transcripts/Grades, Schedule of classes
    • Personal information
      • Name, SSN, Race/Ethnicity
    • ePHI (HIPAA)
      • Name, SSN, Telephone
      • Geographic information more detailed than
        state level
      • Biometric identifiers

5
HIPAA/FERPA
  • FERPA information can be disclosed in some
    circumstances without consent
    • To other school officials with a legitimate
      educational interest
    • In health/safety emergencies
  • HIPAA information can be shared (with consent)
    with business partners/other covered entities to
    provide service

6
Where's Waldo's information?
  • Server side
    • In a database maintained by school health
      practitioners?
    • On the server that stores course and grade
      information?
  • Client side
    • On a doctor's laptop
    • On a teacher's computer in a spreadsheet/grade
      book application
  • Both
    • Can local copies of information be downloaded by
      your users?
    • If so, how can we protect that?

7
Protecting Waldo's Information
  • Data at rest
    • In databases
      • Use column-level encryption
      • PROTECT THE KEYS!
      • Indexing may become an issue
    • On hard drives
      • BitLocker encryption (Windows Vista)
      • Windows EFS (Windows XP)
      • TrueCrypt (http://www.truecrypt.org)
      • GPG (GNU Privacy Guard) / PGP (Pretty Good
        Privacy) (http://www.gnupg.org/)
    • On thumbdrives
      • Easy to lose
      • Encrypt the information on them
      • TrueCrypt, GPG/PGP work here
      • Don't believe everything you're told
        • SecuStick
    • Backup Servers
      • Make sure your backups are also encrypted
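
As an added illustration of the "column-level encryption", "PROTECT THE KEYS" and "indexing may become an issue" points above (example code written for this page, not from the presentation or any product it names): each SSN cell is encrypted with AES-GCM under a data key that lives outside the database, and a separate keyed hash (a blind index, with its own key) gives the database something it can index for exact-match lookups. The key ring, the SSN values and the student rows are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// KeyRing stands in for a key store kept outside the database (an HSM, a KMS,
// or at least a separate host). Keys are generated in-process for the example.
type KeyRing struct {
	aead     cipher.AEAD // AES-256-GCM keyed with the column data key
	indexKey []byte      // separate HMAC key for the blind index
}

func NewKeyRing() (*KeyRing, error) {
	keys := make([]byte, 64) // two independent 256-bit keys
	if _, err := rand.Read(keys); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(keys[:32])
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	return &KeyRing{aead: g, indexKey: keys[32:]}, err
}

// EncryptCell returns nonce||ciphertext||tag. A fresh nonce per cell means two
// equal SSNs get different ciphertexts, so a plain index cannot match on them.
func (kr *KeyRing) EncryptCell(plaintext string) ([]byte, error) {
	nonce := make([]byte, kr.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return kr.aead.Seal(nonce, nonce, []byte(plaintext), nil), nil
}

// DecryptCell reverses EncryptCell; a wrong key or tampered cell fails the tag check.
func (kr *KeyRing) DecryptCell(cell []byte) (string, error) {
	n := kr.aead.NonceSize()
	if len(cell) < n {
		return "", errors.New("cell too short")
	}
	pt, err := kr.aead.Open(nil, cell[:n], cell[n:], nil)
	return string(pt), err
}

// BlindIndex is a deterministic keyed hash of the value: it can sit in an indexed
// column and answer exact-match lookups, and without indexKey it reveals nothing.
func (kr *KeyRing) BlindIndex(plaintext string) string {
	m := hmac.New(sha256.New, kr.indexKey)
	m.Write([]byte(plaintext))
	return hex.EncodeToString(m.Sum(nil))
}

// Row is what the database stores: no plaintext SSN anywhere.
type Row struct {
	StudentID int
	SSNCipher []byte
	SSNIndex  string
}

// FindBySSN searches only the blind-index column, as a database query would.
func FindBySSN(kr *KeyRing, rows []Row, ssn string) []int {
	want := kr.BlindIndex(ssn)
	var ids []int
	for _, r := range rows {
		if r.SSNIndex == want {
			ids = append(ids, r.StudentID)
		}
	}
	return ids
}

// Demo returns the IDs matching a lookup, whether two equal SSNs still encrypt
// differently, and a decrypt round-trip of the first cell.
func Demo() (ids []int, ciphertextsDiffer bool, roundTrip string, err error) {
	kr, err := NewKeyRing()
	if err != nil {
		return nil, false, "", err
	}
	// Constructed rows; two students sharing an SSN is a deliberate duplicate.
	var rows []Row
	for i, ssn := range []string{"123-45-6789", "123-45-6789", "987-65-4321"} {
		ct, err := kr.EncryptCell(ssn)
		if err != nil {
			return nil, false, "", err
		}
		rows = append(rows, Row{StudentID: i + 1, SSNCipher: ct, SSNIndex: kr.BlindIndex(ssn)})
	}
	ids = FindBySSN(kr, rows, "123-45-6789")
	ciphertextsDiffer = !bytes.Equal(rows[0].SSNCipher, rows[1].SSNCipher)
	roundTrip, err = kr.DecryptCell(rows[0].SSNCipher)
	return ids, ciphertextsDiffer, roundTrip, err
}
```

Because the nonce is fresh per cell, an ordinary index on the ciphertext column cannot find equal values; the blind-index column is what the query touches. Both keys are what the slide says to protect: whoever holds the data key can read every cell, and whoever holds the index key can test guesses against the index column, so neither belongs in the database that stores the rows.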

8
Protecting Waldo's Information
  • Data in transit
    • Over a LAN
      • Encrypt if possible
      • Use switches, not hubs
        • Switches make it harder for people to intercept
          the data
        • But not impossible (ARP spoofing, flooding the
          MAC forwarding table on the switch, etc.)
    • Over the internet OR unsecured wireless networks
      • Require encryption
        • IPSEC tunnels may help with this
        • Use HTTPS instead of HTTP, but beware of MITM
          attacks
      • E-mail is not secure!
        • Use the Thunderbird Enigmail extension with
          GPG/PGP
          • Certificates are free and can be published to
            key servers on the Internet
        • Outlook with S/MIME (free certificates available
          on the web)
          • http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html
    • Deploy secure wireless!
      • Prefer WPA2/WPA, but settle for WEP over
        unencrypted
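
The ARP spoofing caveat above is something a defender can watch for on the LAN. The following is an added example (not part of the presentation) that reads a small, constructed ARP-reply log and reports two things: a pinned address (gateway, servers) announced by an unexpected MAC, and any IP whose MAC changes during the capture window. The log line layout and the addresses are assumptions made for the example; a monitor such as arpwatch produces similar observations.

```go
package main

import (
	"fmt"
	"strings"
)

// ARPEntry is one observed ARP reply: which MAC claimed which IP.
type ARPEntry struct {
	Time string
	IP   string
	MAC  string
}

// Alert describes a suspicious ARP observation worth a look by the network team.
type Alert struct {
	IP     string
	Reason string
}

// sampleARPLog is a constructed capture in the form
//   "<time> arp reply <ip> is-at <mac>"
// (the line layout is an assumption for this example, loosely modelled on
// what arpwatch-style monitors print). The addresses are not real hosts.
var sampleARPLog = []string{
	"10:00:01 arp reply 10.0.0.1 is-at 00:11:22:33:44:01",
	"10:00:02 arp reply 10.0.0.50 is-at 00:11:22:33:44:50",
	"10:00:03 arp reply 10.0.0.1 is-at AA:BB:CC:DD:EE:FF",
	"10:00:04 arp reply 10.0.0.50 is-at 00:11:22:33:44:50",
	"10:00:05 dhcp lease 10.0.0.77 (not an ARP line, ignored)",
}

// pinnedHosts maps addresses that must never move (gateway, servers) to
// their known MACs. Constructed for the example.
var pinnedHosts = map[string]string{
	"10.0.0.1": "00:11:22:33:44:01",
}

// parseARPLog keeps only well-formed ARP reply lines and normalises MACs.
func parseARPLog(lines []string) []ARPEntry {
	var out []ARPEntry
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) != 6 || f[1] != "arp" || f[2] != "reply" || f[4] != "is-at" {
			continue
		}
		out = append(out, ARPEntry{Time: f[0], IP: f[3], MAC: strings.ToLower(f[5])})
	}
	return out
}

// DetectARPConflicts flags two conditions:
//  1. a pinned IP announced by a MAC other than the pinned one;
//  2. any IP announced by more than one MAC during the capture window.
// The first MAC seen for an IP is kept as the baseline so later flips are
// reported against it rather than against the newest claimant.
func DetectARPConflicts(entries []ARPEntry, pinned map[string]string) []Alert {
	var alerts []Alert
	baseline := map[string]string{} // ip -> first MAC observed
	for _, e := range entries {
		if want, ok := pinned[e.IP]; ok && strings.ToLower(want) != e.MAC {
			alerts = append(alerts, Alert{IP: e.IP, Reason: fmt.Sprintf(
				"%s: %s is pinned to %s but was announced by %s", e.Time, e.IP, want, e.MAC)})
		}
		prev, seen := baseline[e.IP]
		switch {
		case !seen:
			baseline[e.IP] = e.MAC
		case prev != e.MAC:
			alerts = append(alerts, Alert{IP: e.IP, Reason: fmt.Sprintf(
				"%s: %s moved from %s to %s", e.Time, e.IP, prev, e.MAC)})
		}
	}
	return alerts
}

// AnalyzeSample runs the detector over the constructed capture.
func AnalyzeSample() []Alert {
	return DetectARPConflicts(parseARPLog(sampleARPLog), pinnedHosts)
}

func main() {
	for _, a := range AnalyzeSample() {
		fmt.Println("ALERT", a.Reason)
	}
}
```

On the sample capture the gateway address 10.0.0.1 trips both rules at 10:00:03, while 10.0.0.50 keeps the same MAC and stays quiet. A real deployment would feed the detector from a switch port mirror or from the monitoring tool's own log, and the pinned map would come from the asset inventory the first slides ask you to build.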

9
Protecting your assets
  • Defense in Depth and Principle of Least Privilege
    • Try to protect at every layer possible
  • Physical
    • Change boot order to skip CD-ROM, Floppy, USB
    • Use BIOS passwords
    • Lock server racks and cases
    • Consider whole disk encryption
      • Remember that the passphrase will need to be
        entered at boot time - what happens if there is a
        power outage?
      • Perfect example of balancing security and
        usability

10
Protecting your assets
  • Application/OS layer
    • Run minimal sets of services
      • Reduce attack surface
    • Use strong passwords (or key/token based
      authentication)
      • Enforce these requirements with GPO/PAM
    • Patch regularly
    • Don't run as administrator (use RunAs, sudo)
      • 0-day browser exploits are a problem
      • E-mail with preview pane can also be dangerous if
        you allow rich content display

11
Protecting your assets
  • Network Layer
    • Segment your networks
      • Trusted, untrusted, DMZ - VLANs work well for
        this
      • Avoid including trusted and untrusted VLANs on
        the same switch (especially access switches) to
        prevent VLAN hopping attacks
    • Use firewalls
      • Identify who should be talking to whom, and how
        • Network maps, nmap, and wireshark can be handy
          here
      • Create rules to enforce those policies
      • Add a default deny rule at the end and LOG what
        hits that rule
        • Useful if a new application breaks because it
          can't communicate as expected
        • Useful to tell if you are under attack
        • Useless if you don't review logs
    • Restrict management interfaces (remote desktop,
      SSH)
      • Only allow management from trusted networks and
        be as explicit as possible: passwords can't be
        brute forced when attackers can't connect
      • Don't use passwords where possible (use key based
        authentication instead)
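
An added example (not from the presentation) of what reviewing the default-deny log looks like in practice. It parses constructed netfilter-style LOG lines carrying an assumed "DEFAULT-DENY:" log prefix, groups them by source, and labels the two patterns the slide mentions: one source probing many ports, and an internal host repeatedly blocked on a single port because a rule for a new application is missing. The addresses (documentation ranges), the prefix and the thresholds are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// DenyEvent is one packet that reached the final default-deny rule.
type DenyEvent struct {
	Src   string
	Dst   string
	Proto string
	DPT   int
}

// sampleFirewallLog is constructed in the KEY=VALUE layout of netfilter LOG
// lines; the addresses are documentation ranges, not real hosts, and the
// "DEFAULT-DENY:" prefix is assumed to be the --log-prefix of the final rule.
var sampleFirewallLog = []string{
	"Jan 10 10:00:01 fw kernel: DEFAULT-DENY: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41000 DPT=22",
	"Jan 10 10:00:01 fw kernel: DEFAULT-DENY: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41001 DPT=23",
	"Jan 10 10:00:02 fw kernel: DEFAULT-DENY: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41002 DPT=25",
	"Jan 10 10:00:02 fw kernel: DEFAULT-DENY: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41003 DPT=80",
	"Jan 10 10:00:05 fw kernel: DEFAULT-DENY: IN=eth1 OUT= SRC=10.0.0.25 DST=10.0.1.5 PROTO=TCP SPT=52000 DPT=1433",
	"Jan 10 10:00:06 fw kernel: DEFAULT-DENY: IN=eth1 OUT= SRC=10.0.0.25 DST=10.0.1.5 PROTO=TCP SPT=52001 DPT=1433",
	"Jan 10 10:00:07 fw kernel: DEFAULT-DENY: IN=eth1 OUT= SRC=10.0.0.25 DST=10.0.1.5 PROTO=TCP SPT=52002 DPT=1433",
	"Jan 10 10:00:08 fw kernel: ACCEPT-MGMT: IN=eth1 OUT= SRC=10.0.0.2 DST=10.0.1.1 PROTO=TCP SPT=53000 DPT=22",
}

// parseDenyLog keeps lines carrying the default-deny prefix and pulls the
// KEY=VALUE fields out of them; other log lines are ignored.
func parseDenyLog(lines []string, prefix string) []DenyEvent {
	var out []DenyEvent
	for _, line := range lines {
		if !strings.Contains(line, prefix) {
			continue
		}
		kv := map[string]string{}
		for _, f := range strings.Fields(line) {
			if i := strings.IndexByte(f, '='); i > 0 {
				kv[f[:i]] = f[i+1:]
			}
		}
		dpt, _ := strconv.Atoi(kv["DPT"]) // 0 for ICMP or malformed lines
		out = append(out, DenyEvent{Src: kv["SRC"], Dst: kv["DST"], Proto: kv["PROTO"], DPT: dpt})
	}
	return out
}

// SourceSummary is one blocked source with its hit count and distinct ports.
type SourceSummary struct {
	Src   string
	Hits  int
	Ports map[int]bool // distinct destination ports seen
}

// Summarize groups events by source, most hits first.
func Summarize(events []DenyEvent) []SourceSummary {
	bySrc := map[string]*SourceSummary{}
	for _, e := range events {
		s := bySrc[e.Src]
		if s == nil {
			s = &SourceSummary{Src: e.Src, Ports: map[int]bool{}}
			bySrc[e.Src] = s
		}
		s.Hits++
		s.Ports[e.DPT] = true
	}
	var out []SourceSummary
	for _, s := range bySrc {
		out = append(out, *s)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Hits > out[j].Hits })
	return out
}

// Classify gives a triage label: many distinct ports from one source looks
// like a scan; an internal host blocked repeatedly on a single port is more
// likely an application whose rule is missing. Thresholds are arbitrary.
func Classify(s SourceSummary, internalPrefix string) string {
	switch {
	case len(s.Ports) >= 4:
		return "possible port scan"
	case strings.HasPrefix(s.Src, internalPrefix) && len(s.Ports) == 1 && s.Hits >= 3:
		return "internal host blocked on one port: missing firewall rule?"
	}
	return "review"
}

func main() {
	events := parseDenyLog(sampleFirewallLog, "DEFAULT-DENY:")
	for _, s := range Summarize(events) {
		fmt.Printf("%-14s hits=%d distinct ports=%d -> %s\n", s.Src, s.Hits, len(s.Ports), Classify(s, "10."))
	}
}
```

The point of the slide's "LOG what hits that rule" is that the same log answers both questions: the external source hitting four ports in two seconds is the "are we under attack" case, and the internal host blocked three times on 1433 is the "new application broke" case. Neither is visible without the log, and the log is worthless if nobody runs something like this over it.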

12
Bitlocker
  • Available in Vista Enterprise and Vista Ultimate
  • Full Volume Encryption (not individual files)
  • Can leverage TPM hardware to ensure that the
    drive is still in the original system
  • Recovery keys can be stored in your Active
    Directory
  • Supports multi-factor authentication (e.g. USB
    key)
  • Repair can be made more complicated
    • If you change boot hardware, you will need to use
      recovery keys
    • If you can't boot the machine, another Bitlocker
      capable machine must be used to recover the
      information

13
EFS
  • Available in Windows 2000, XP and Vista
  • Only available on NTFS partitions
    • Moving files to non-NTFS partitions decrypts them
    • Opening files on a remote PC decrypts them before
      sending over the network; remember to secure
      this channel
  • Accomplished using public key cryptography
  • Simple to use - check the encrypt box in the
    properties dialog of a file or folder
  • If a PC is part of an Active Directory, the
    directory MUST contain a Data Recovery Agent
    (DRA) or else users cannot use EFS!
    • Non-domain PCs do not have this problem
    • This feature is for the protection of the
      organization: the Administrator account for the
      domain is selected as the DRA by default.

14
TrueCrypt
  • Windows 2000, XP, Vista, and Linux
    • Support for Mac OS X on the way
  • Open source (http://www.truecrypt.org)
  • Supports a variety of encryption algorithms
  • Can be mounted as a drive letter (Windows) or
    block device (Linux)
    • This is a nice way of abstracting encryption from
      the end user
  • Supports hidden volumes
    • One passphrase gets innocuous data
    • Another passphrase gets the real data
    • Hidden volumes are indistinguishable
    • Useful when asked to give your passphrase under
      duress
  • Unfortunately, does not provide key escrow
    • Administrators cannot recover a user's data if
      the user forgets their passphrase

15
PGP /GPG
  • PGP (Pretty Good Privacy) / GPG (GNU Privacy
    Guard)
    • Commercial vs. open source
  • Mostly file level encryption
    • PGP Corporation offers a whole disk solution
  • Can also be used for secure e-mail
    • Plugins exist for Thunderbird (Enigmail), Outlook
      (GPG4Win)
  • How it works
    • Sender encrypts contents with recipient's public
      key
    • Optionally, signs contents with his/her private
      key
    • Recipient uses their private key to decrypt
      contents
    • Optionally uses sender's public key to verify
      signature
    • Provides message integrity, authentication,
      non-repudiation
  • PGP suite includes nicer tools than GPG
    • GPG mostly uses CLI tools
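
The encrypt-then-sign flow in "How it works", as an added example in Go (not the presentation's code and not GnuPG's). It encrypts to the recipient's public key with RSA-OAEP, signs with the sender's private key using RSA-PSS, and then checks the two failure cases a user relies on: a third party holding the wrong private key cannot decrypt, and a message signed by someone other than the claimed sender fails verification. Two simplifications are assumptions made here: real PGP/GPG encrypts the body with a random session key and only wraps that key with RSA, whereas this short message is encrypted directly with RSA-OAEP; and the key pairs are generated in-process instead of being published to and fetched from a key server.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is one e-mail user with an RSA key pair. The private key stays with
// its owner; the public key is what would be published to a key server.
type Party struct {
	Name string
	priv *rsa.PrivateKey
}

// NewParty generates a fresh 2048-bit key pair in-process, standing in for
// the key-generation step of a mail plugin such as Enigmail.
func NewParty(name string) (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: k}, nil
}

// Public is the half of the key pair that may be shared freely.
func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// Envelope is what travels over e-mail: ciphertext plus the sender's signature.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// Seal encrypts msg to the recipient's public key (RSA-OAEP) and signs the
// SHA-256 digest of the plaintext with the sender's private key (RSA-PSS).
func Seal(sender *Party, recipient *rsa.PublicKey, msg []byte) (Envelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
	if err != nil {
		return Envelope{}, err
	}
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender.priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Ciphertext: ct, Signature: sig}, nil
}

// Open decrypts with the recipient's private key, then verifies the signature
// against the claimed sender's public key. A wrong private key, an altered
// ciphertext or an imposter's signature all end in an error.
func Open(recipient *Party, claimedSender *rsa.PublicKey, env Envelope) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.priv, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(claimedSender, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	return msg, nil
}

// Demo walks the slide's steps between alice and bob and checks the two
// failure cases: eve cannot decrypt, and a message eve signs does not verify
// as alice's. The message text is a constructed sample.
func Demo() (plaintext string, eavesdropRejected, imposterRejected bool, err error) {
	parties := map[string]*Party{}
	for _, n := range []string{"alice", "bob", "eve"} {
		if parties[n], err = NewParty(n); err != nil {
			return "", false, false, err
		}
	}
	alice, bob, eve := parties["alice"], parties["bob"], parties["eve"]
	msg := []byte("Grade change for student 1234: B+ (constructed sample)")

	env, err := Seal(alice, bob.Public(), msg)
	if err != nil {
		return "", false, false, err
	}
	pt, err := Open(bob, alice.Public(), env) // the normal path
	if err != nil {
		return "", false, false, err
	}
	_, eveErr := Open(eve, alice.Public(), env) // eve does not hold bob's private key
	forged, err := Seal(eve, bob.Public(), msg) // eve encrypts to bob but signs as herself
	if err != nil {
		return "", false, false, err
	}
	_, impErr := Open(bob, alice.Public(), forged) // bob expects alice's signature
	return string(pt), eveErr != nil, impErr != nil, nil
}
```

The signature is what gives the slide's "integrity, authentication, non-repudiation": bob checks it against the public key he believes is alice's, so the whole scheme rests on having obtained that key from a trusted source, which is what the key-server and key-signing steps of PGP are for.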

16
SecuStick
  • 1GB USB Thumb Drive (sold for approx. 175)
  • "Classified information will first be encrypted,
    then saved on the SecuStick", according to sales
    literature
  • Will self destruct if the improper passphrase
    is entered
  • Doesn't actually encrypt the data on the USB
    drive
    • Verification is performed by an included software
      program
    • Software can be trivially modified to always
      return TRUE when determining if the presented
      passphrase is correct
  • No hardware present capable of damaging internal
    electronics
  • Commissioned by French government and approved
    for use by French Intelligence
  • See tweakers.net for more information
  • Moral of the story?
    • Trust no one
    • Research the products you buy and know how they
      work

17
Wrap-Up
  • Questions?