Generation X, Y, and Z Technology Threats, Risks and Solutions

1
Generation X, Y, and Z Technology Threats, Risks
and Solutions

• Aaron Wilson, SAIC wilsonaa_at_saic.com
• November 15, 2007

2
Agenda

• What are some threats specific to Gen X/Y/Z?
• How about some examples?
• What are some solutions?
• Why involve the Security Team?
• QA

3
Regarding Risks and Solutions

• Risks
• These risks focus on those that overlap with Gen
  X/Y/Z
• Solutions
• Successful solutions start with clearly
  established policies
• This discussion focuses on technological
  enforcement of policies, not the policies
  themselves
• More Technology doesnt always mean More
  Product
• There is no magic bullet or one size fits all
  solution

4
Threat Peer to Peer File Sharing

• Examples Napster, Kazaa, eDonkey, BitTorrent,
  Gnutella
• Allows trading of files across a distributed
  network
• Risks
• Viruses, worms, trojans, spyware
• Illegal content (warez, music)
• Policy circumvention(adult material, games)
• Some products use encryption to hide content and
  activities
• Known to circumvent firewall policies by
  piggybacking other rules
• Reference 2005 All Nippon Airlines
  passcodes for security-access areas leaked by
  file sharing virus Wik
• Solutions
• Intelligent content proxy
• Unified threat management (UTM) systems
• Host-based protection (AV, Firewall, HIPS/HIDS)
• Host-based software inventory/change management

5
Threat Social Networking Sites

• Examples MySpace, YouTube, Facebook, Blogs
• Risks
• Malicious content
• Social engineering based on information exposure
• Reference Alicia Keys MySpace page phished to
  send credit card and security credentials info to
  China Tim07
• Solutions
• Intelligent content proxy
• Website rating technology
• Host-based protection (AV, Firewall, HIPS/HIDS)
• User training for social engineering and phishing

6
Threat Instant Messaging and VoIP

• Examples AIM, Skype, MSN Messenger, ICQ, Yahoo!
  Messenger, IRC
• Sometimes includes file sharing!
• Unencrypted, with some exceptions
• Risks
• Username/password capturing
• Data leak
• All risks associated with file sharing (previous
  slide)
• Social engineering
• Reference IRC users socially engineered to
  access malicious site resulting in compromise of
  their systems Cer02
• Solutions
• Enterprise IM/VoIP solutions encryption, chat
  log, policies
• User training on proper password use

7
Threat Data Leak via Mobile Devices

• Methods
• Thumb drives
• Digital cameras, camera phones
• iPods and PDAs
• Laptops
• Any WiFi device
• Sometimes intentional, sometimes not
• Reference Classified data taken from Los Alamos
  National Laboratory via USB drive Cbs06
• Solutions
• Access lists to enforce data access policies
• Data access logging and auditing
• Company-provided mobile devices
• Physical security, turnstiles, x-rays, RFID
  badges
• Desktop monitoring software

8
Why Involve the Security Team?

• Security Experts
• Long line of experience dealing with these risks
• Security is a horizontal!
• Research the problem and apply the right
  solution(s)
• You and your security team may share similar
  concerns
• Protecting valuable data
• Regulation compliance
• Business continuity/emergency planning
• Auditing and litigation
• Measuring and controlling
• Avoid Effort Duplication
• The security team may have already solved the
  problem
• You may have already solved the problem
• Before you Act
• Requirements and scope review recommended
• Get senior/executive management buy-in!

9
Questions?
10
References

• Cbs06, New Details Emerge in Los Alamos Case,
  Oct 25, 2006, http//www.cbsnews.com/stories/2006/
  10/24/national/main2122004.shtml
• Cer02, Social Engineering Attacks via IRC and
  Instant Messaging, CERT, http//www.cert.org/inci
  dent_notes/IN-2002-03.html
• Tim07, Behind the Alicia Keys MySpace Scam,
  Time, Nov 13, 2007, http//www.time.com/time/busin
  ess/article/0,8599,1683361,00.html?imwY
• Wik, Winny, http//en.wikipedia.org/wiki/Winn
  y