1
Fraud: Is your Network Secure?
  • April 26, 2006
  • Tom Smith, PSRS MO
  • Michelle Drolet
  • CONQWEST, Inc.

2
Window Seat
3
Introductions: Tom Smith, Michelle Drolet, Tom Meyer

4
  • Current State Discussion
  • Take Action
  • Methodologies
  • PSRS/PEERS approach
  • Current State
  • Conclusion


5
  • Main Entry: fraud
  • Pronunciation: 'frod
  • Function: noun
  • Etymology: Middle English fraude, from Middle French, from Latin fraud-, fraus
  • 1 a: DECEIT, TRICKERY; specifically: intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right
  •   b: an act of deceiving or misrepresenting: TRICK
  • 2 a: a person who is not what he or she pretends to be: IMPOSTOR; also: one who defrauds: CHEAT
  •   b: one that is not what it seems or is represented to be


6
Security Landscape today
  • Companies have invested in security technology
  • 98.2% of organizations use anti-virus software
  • 90.7% have firewalls in place
  • 76.2% use anti-spam software
  • 75.0% use anti-spyware software

But 87% experienced some type of incident
7
Incident response was:
  • 73% installed security updates
  • 62% added additional computer security software
  • 28% hardened corporate policy
  • 21% installed additional computer security hardware
  • Forced response was due to a lack of knowledge


8
Where's the Money - 1900?
9
Current State Value Trend
Over 50% of company value has shifted to
non-tangible assets over the past 10 years.
10
Where's the Money - 2006?
Cash: $150,000 to $200,000
Identity Theft: Millions
11
Where's the Money - 2006?
Missouri PSRS / PEERS: $27 billion; monthly
payout $110 million (estimated)
12
Why Conduct a Security Assessment?
  • It's the Law
  • Many organizations must assure the security and
    confidentiality of non-public personal
    information and protect against any anticipated
    threats or hazards to the security or integrity
    of such information. Industries directly
    impacted by the regulations include
  • Healthcare
  • Financial Services
  • Government

13
Why Conduct a Security Assessment?
  • It's a good business practice
  • Reduce exposure to financial loss or damage to
    intellectual property
  • Assure business continuation
  • Enhance Client Trust
  • Improve productivity and limit disruptions due
    to viruses or other types of attack
  • Meet audit requirements, especially public
    companies

14
IT CAN TURN A LUMP OF COAL INTO A FLAWLESS
DIAMOND OR AN AVERAGE PERSON INTO A PERFECT
BASKETCASE.
15
Benefits
  • Revenue protection and continuation
  • Protection from financial Loss
  • Enhanced competitive position
  • Efficient business continuity
  • Controlled Liability
  • Regulatory Compliance
Before auditors, attackers and external drivers
mandate an emergency response at a much higher cost

16
Security Management Maturity Model
Axes: Reactive (bottom) to Proactive (top); Knowledge / Discipline. Each level lists its Focus and Major Activities.
  • ESM - Focus: critical assets, processes, strategic direction, resiliency. Major activities: qualitative and quantitative process-driven security approach
  • Risk-based - Focus: critical assets. Major activities: identify threats to key assets, implement mitigation actions, qualitative measurement, process-driven
  • Vulnerability-based - Focus: vulnerabilities. Major activities: identify technology vulnerabilities, mitigate without considering asset value
  • Ad Hoc (most organizations) - Focus: incident events. Major activities: responding to events
Adapted from Managing for Enterprise Security,
Software Engineering Institute, Carnegie Mellon
University, 2004
17
Common Network Service Approach
  • Vulnerability scanning: identify known technology flaws
  • Penetration testing: verify the security implementation of exposed services
  • Focuses on known flaws
  • Requires expertise (costly to maintain), time and effort
  • Discounts people, policy and technology use
  • Missing: no THREAT visibility (threats cause the harm)
  • What's being used and how? Accidental use, malicious use, technology, policy and procedure effectiveness?


18
Solution Framework
  • Management Direction: strategy, objectives and policies; gather requirements; assess business risk and justify action plan; establish clear objectives and provide direction to team; select an architecture to meet policy requirements
  • Technology: policy implementation and management (access, authentication, authorization, accountability and audit); firewalls; intrusion prevention; virus protection; vulnerability management; host security; application security; encryption
  • Operations Improvement: policy accountability, monitoring, reporting, countermeasures and disaster recovery
19
Roles and Responsibilities - Management
  • Why?
  • Establish a Clear Vision
  • Assess the Risk
  • Justify the Investment to Mitigate Risks
  • Communicate Policies
  • Establish Accountability with Defined Metrics

20
Roles and Responsibilities - Technology
  • What?
  • Design and deploy an effective architecture
  • Policy Management for Access Control, Data
    Integrity, Accountability and Audit
  • Firewall
  • Intrusion Detection
  • Virus Protection
  • Encryption
  • Host Security
  • Data Security
  • Application Security

21
Roles and Responsibilities - Operations
  • How?
  • Train Stakeholders
  • Demand Accountability to Defined Metrics
  • Monitor Compliance to Policy and Standards
  • Support Incident Response Teams
  • Launch Countermeasures
  • Report Attacks and Provide Feedback for Improvement

22
Security Best Practices
Companies need to start:
  • Evaluate: assess risks and vulnerabilities
  • Establish: security roadmap, security policies, implementation plans, remediation
  • Educate: improve Internet security skill, communicate policies
  • Enforce: compliance, audit, technology, continued vigilance, continued improvement
23
PSRS / PEERS task list
  • Risk Assessment (including scans)
  • Adopt Policies to Mitigate Risk
  • Security Committee to Provide Oversight
  • Design and Deploy Technical Security Controls
  • Firewall
  • Intrusion Detection and Prevention
  • Virus Protection
  • Network Segmentation and ACLs
  • Access Controls / ID Mgmt
  • Network / Security Management
  • Vulnerability Management
  • Staff Training
  • Ongoing Configuration Management
  • Monitoring and Reporting

24
  • Original Assessment 73 findings
  • Risk Low, Medium, High
  • Technical or cultural
  • Two comprehensive annual assessments
  • Three internal assessments per year

25
  • Examples
  • High - OWA Server not using SSL
  • High - OWA Server on internal network
  • High - Inadequate Passwords
  • Med - Wireless Access Points not Completely
    Secured
  • Med - No Intrusion Detection or Prevention
    (IDS/IDP)
  • Med - POP3 and IMAP Running and Accessible from
    the Internet
  • Low - Not all Desktops Have Locking Screen
    Savers
  • Low - Privacy Policy Incomplete

26
  • Heroic Period: security dependent on individuals; limited documentation, training and testing
  • Migration: intensive effort applied to conduct risk assessment, develop policies, deploy controls, and establish accountability
  • Sustaining Period: security dependent on processes and controls
  • Security Premium
  • Documentation
  • Training
  • Policies and Procedures
  • Audit and Reporting
  • Testing
  • Function Growth
  • Growth in users
  • Expansion of applications
  • Extended services

(Chart: Budget against Time, 2002 to 2008)
27
Items addressed to date
  • IDP installed
  • Security Committee formed
  • Draft of Security policies complete
  • Established Group Policy settings (see
    following slides)
  • Physical security

28
Password Policies
  • Previous 10 passwords remembered
  • Must change password every 90 days
  • Cannot change passwords more frequently than
    every 2 days
  • Minimum of 6 characters
  • Password must meet complexity requirements:
  • - Not contain significant portions of the
    user's account name or full name
  • - Contain characters from three of the
    following four categories:
  • English uppercase characters (A through Z)
  • English lowercase characters (a through z)
  • Base 10 digits (0 through 9)
  • Non-alphabetic characters (for example, !,
    $, #, %)
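The complexity rule on this slide is the one a domain controller applies at password change, and it is worth seeing exactly what it accepts. The Python evaluator below is an added example, not code from the presentation or from PSRS/PEERS. It implements the slide's settings (minimum length 6, three of four character categories, history of 10) together with Microsoft's documented name check: the whole account name is rejected if it is at least three characters long, and the full name is split at commas, periods, hyphens, underscores, spaces, pound signs and tabs, with every token of three or more characters rejected, case-insensitively. The UserRecord type, the hashing scheme and the sample account are assumptions for the demonstration; a directory keeps its own hash format. The 6-character minimum is the 2006 value and is a parameter here, not a recommendation.

```python
"""Evaluate candidate passwords against the password policy on this slide.

Added example; the record types, hashing scheme and sample account are
assumptions for the demonstration, not PSRS/PEERS code.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import List

# Delimiters at which Microsoft's complexity filter splits the full name
_NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")


@dataclass
class PasswordPolicy:
    min_length: int = 6            # slide: "Minimum of 6 characters" (2006 value)
    history_size: int = 10         # slide: "Previous 10 passwords remembered"
    categories_required: int = 3   # slide: three of the four character categories


@dataclass
class UserRecord:
    account_name: str              # samAccountName, e.g. "tsmith" (assumed)
    full_name: str                 # displayName, e.g. "Smith, Tom" (assumed)
    history: List[str] = field(default_factory=list)  # hashes of past passwords


def _hash(password: str, salt: str) -> str:
    # Demonstration hash only; a directory stores its own password hash format.
    return hashlib.sha256((salt + ":" + password).encode("utf-8")).hexdigest()


def category_count(password: str) -> int:
    """Number of the slide's four character categories present in password."""
    present = [
        any(c.isascii() and c.isupper() for c in password),   # A through Z
        any(c.isascii() and c.islower() for c in password),   # a through z
        any(c.isascii() and c.isdigit() for c in password),   # 0 through 9
        any(not c.isalnum() for c in password),               # ! $ # % and so on
    ]
    return sum(present)


def name_tokens(user: UserRecord) -> List[str]:
    """Name fragments the password must not contain (Microsoft's documented rule)."""
    tokens = []
    if len(user.account_name) >= 3:       # whole account name, if 3+ characters
        tokens.append(user.account_name.lower())
    for tok in _NAME_DELIMS.split(user.full_name):
        if len(tok) >= 3:                 # tokens shorter than 3 are ignored
            tokens.append(tok.lower())
    return tokens


def check_password(password: str, user: UserRecord,
                   policy: PasswordPolicy = PasswordPolicy()) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("shorter than %d characters" % policy.min_length)
    if category_count(password) < policy.categories_required:
        problems.append("fewer than %d of 4 character categories"
                        % policy.categories_required)
    lowered = password.lower()            # both name checks are case-insensitive
    for tok in name_tokens(user):
        if tok in lowered:
            problems.append("contains name token %r" % tok)
    recent = user.history[-policy.history_size:]
    if _hash(password, user.account_name.lower()) in recent:
        problems.append("matches one of the last %d passwords" % policy.history_size)
    return problems


def accept_password(password: str, user: UserRecord,
                    policy: PasswordPolicy = PasswordPolicy()) -> bool:
    """Apply the policy and, on success, record the password in the history."""
    if check_password(password, user, policy):
        return False
    user.history.append(_hash(password, user.account_name.lower()))
    return True


if __name__ == "__main__":
    # Constructed sample account, not a real user.
    u = UserRecord(account_name="tsmith", full_name="Smith, Tom")
    for candidate in ("abc12", "tom2006!", "Winter2006!", "Winter2006!"):
        print(candidate, "->", check_password(candidate, u) or "accepted")
        accept_password(candidate, u)
```

Note what the rule does not catch: "Winter2006!" passes every check on the slide, which is why the complexity setting is a floor against trivial passwords rather than a defence against dictionary guessing, and why the lockout and audit settings on the next slide matter.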

29
Account Policies
  • Account lockout after 3 invalid logon attempts
  • Account remains locked out until an administrator
    resets account
  • Audit logon failures
  • Audit object access success and failures
  • All local Guest accounts are disabled
  • Security banner at logon (This system is
    property of PSRS)
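With lockout after three failures and no automatic unlock, the logon-failure audit on this slide should be read for two things: accounts that have reached the threshold, and a single source failing against many accounts, which under this policy locks out everyone it touches until an administrator intervenes. The Python below is an added example, not the presentation's or PSRS/PEERS' tooling. The record format (timestamp, account, source workstation) and the sample records are constructed for the demonstration, and the 30-minute window is an assumption, since the slide states no observation window.

```python
"""Flag lockout-threshold bursts and account-spraying sources in logon failures.

Added example; the record format and sample records are constructed, not real
audit logs, and the 30-minute window is an assumption (the slide sets none).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LOCKOUT_THRESHOLD = 3            # slide: lockout after 3 invalid logon attempts
WINDOW = timedelta(minutes=30)   # assumption: window in which failures are counted

# Constructed records: "<ISO timestamp> <account> <source workstation>", one per failure.
SAMPLE_FAILURES = """\
2006-04-26T08:01:10 tsmith WS-101
2006-04-26T08:01:15 tsmith WS-101
2006-04-26T08:02:40 tsmith WS-101
2006-04-26T08:05:02 mdrolet WS-220
2006-04-26T09:10:00 jdoe WS-309
2006-04-26T09:10:01 asmith WS-309
2006-04-26T09:10:02 bjones WS-309
2006-04-26T09:10:03 clee WS-309
2006-04-26T09:10:04 dking WS-309
"""

Record = Tuple[datetime, str, str]


def parse_failures(text: str) -> List[Record]:
    """Parse the constructed record format into (timestamp, account, source)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, account, source = line.split()
        records.append((datetime.fromisoformat(stamp), account, source))
    return sorted(records)


def accounts_at_lockout(records: List[Record],
                        threshold: int = LOCKOUT_THRESHOLD,
                        window: timedelta = WINDOW) -> List[str]:
    """Accounts whose failures inside one window reached the lockout threshold."""
    by_account: Dict[str, List[datetime]] = defaultdict(list)
    for stamp, account, _ in records:
        by_account[account].append(stamp)
    locked = []
    for account, stamps in by_account.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            # sliding window: count failures from this one forward within window
            if sum(1 for s in stamps[i:] if s - start <= window) >= threshold:
                locked.append(account)
                break
    return sorted(locked)


def spraying_sources(records: List[Record], min_accounts: int = 3,
                     window: timedelta = WINDOW) -> Dict[str, List[str]]:
    """Sources that failed against min_accounts or more distinct accounts in one window.

    With lockout-until-admin-reset, each such source can lock every account it
    tries, so this is the denial-of-service signal to watch for.
    """
    by_source: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for stamp, account, source in records:
        by_source[source].append((stamp, account))
    hits = {}
    for source, events in by_source.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {a for s, a in events[i:] if s - start <= window}
            if len(names) >= min_accounts:
                hits[source] = sorted(names)
                break
    return hits


if __name__ == "__main__":
    recs = parse_failures(SAMPLE_FAILURES)
    print("at lockout threshold:", accounts_at_lockout(recs))
    print("spraying sources:", spraying_sources(recs))
```

In the constructed data, tsmith reaches the threshold from a single workstation (a forgotten password or a targeted guess), while WS-309 touches five accounts in five seconds and, under this policy, leaves five administrator resets behind it. Lockout without automatic unlock makes the second pattern an availability problem as well as a security one, so the audit stream that this slide enables is what turns the setting from a blunt control into one that can be watched and tuned.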

30
Internet Explorer Policies
  • Set Security Zones
  • - Internet Medium
  • - Intranet Low
  • - Restricted Sites High
  • Privacy (Cookies) set to Medium-High
  • Home page set to PSRS Intranet site
  • Proxy server set with specific exclusions

31
Windows Policies
  • Screen Saver Policies
  • - Screen Saver Enabled
  • - Screen Saver activated after 10 minutes
    of inactivity
  • - Password protect the screen saver
  • - Hide Screen Saver tab in Display
    Properties
  • Disable Automatic Updates (handled via BigFix
    patch management software)

32
PSRS / PEERS Current State
(The slide marks the PSRS / PEERS current state on this scale.)
  • 0 Unaware
  • 1 Ad Hoc: processes are performed on an individual basis and risks are dependent on the dedication and insight of specific staff
  • 2 Repeatable: processes are routinely performed in a similar fashion by multiple staff members
  • 3 Documented: the repeatable processes are defined, documented and staff trained
  • 4 Managed: documented processes and policies have accountability to specific metrics that are routinely measured and reported
  • 5 Optimized: management reviews reports and makes consistent program adjustments
33
Concerns
  • Internal Fraud
  • Added additional logging
  • Checks/balances
  • Internal Auditor
  • External Fraud
  • New Pension System

34
Working on presently
  • Enhanced network security offerings (Cisco)
  • Physical security
  • Addressing most recent assessment findings
  • Security Committee
  • Security policies
  • User/admin
  • Data retention / destruction

35
Risk Management Resources
  • COBIT: http://www.isaca.org/mg.pdf
  • FFIEC: http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html
  • CERT OCTAVE Risk Assessment Methodology:
    http://www.cert.org/octave/methodintro.html
  • NIST SP 800-30 Risk Assessment Methodology:
    http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
  • ISO 17799 Code of Practice for Information
    Security Management
  • HIPAA: http://aspe.hhs.gov/admnsimp/

36
Threat Exposure Impact
  • "The primary cause of security breaches, human
    error, is not being adequately addressed. The
    person behind the PC continues to be the primary
    area where weaknesses are exposed."
  • - Brian McCarthy, COO, CompTIA
  • Factoid: Human error was responsible for nearly
    60 percent of information security breaches


37
  • Become Proactive
  • You're not finished after deploying the
    technology
  • A continuous process of auditing and planning
  • Evaluate policy, verify deployed technologies,
    measure and document use
  • Prioritize threats and allocate resources
  • Deploy technology in support of policy mission


38
NO MATTER HOW GREAT AND DESTRUCTIVE YOUR PROBLEMS
MAY SEEM NOW, REMEMBER, YOU'VE PROBABLY JUST
SEEN THE TIP OF THEM.