How users bypass your security!

Transcription

1 How users bypass your security! IT Days Security issues 20 th November 2014 Tom Leclerc, Security Consultant SAGS - Security Audits and Governance Services, a Telindus Security department Classification: Public How users bypass your security! ITDays th November Slide 1

2 About us Security at Telindus is 27 dedicated consultants Network and Security Solutions 14 consultants Security Audits and Governance Services 8 consultants Security Sales 5 consultants Design and implementation of security infrastructures Consultancy, installation, configuration and maintainance of securtiy solutions Security audits Governance, Risk, Compliance, Education Pentest Source code review Security Training and Awareness / Social Engineering Classification: Public How users bypass your security! ITDays th November Slide 2

3 About us Security Audits and Governance Services Penetration Test (4 consultants) GRC Governance, Risk and Compliance + Education (4 consultants) Governance Align information security program activities with organizational goals and priorities Audits Assess the security of information assets Penetration testing Source code review Education Protect information assets by raising information security awareness Risk Management Identify and assess information security risks in a cost effective manner Compliance Translate regulatory requirements into effective security policies and controls Classification: Public How users bypass your security! ITDays th November Slide 3

4 Example of IT security technologies End point Business Applications Network Remote Workers Anti-virus Data Leakage protection Application firewalls Firewall IDS/IPS VPN IPSec VPN SSL Device encryption Log analyser Database firewalls Web Proxy Mail gateway Strong authentication Multi-factor authentication Technology improves security, but is not sufficient Classification: Public How users bypass your security! ITDays th November Slide 4

5 Security is 80% of organisation, culture and awareness 20% of technology Classification: Public How users bypass your security! ITDays th November Slide 5

6 Users bypass security: Any 3 Anytime Anywhere Anyone Classification: Public How users bypass your security! ITDays th November Slide 6

7 Why do users bypass security? Users bypass security for several reasons: Lazy Distracted Unaware User weaknesses Stressed Overwhelmed Unconcerned User weaknesses become concrete threats under certain conditions Classification: Public How users bypass your security! ITDays th November Slide 7

8 How do users bypass security? Well known attacks Staff overflow Short term memory corruption Commander injection Hurry can Salesman in the middle Denial of action Classification: Public How users bypass your security! ITDays th November Slide 8

9 Staff overflow attack Classification: Public How users bypass your security! ITDays th November Slide 9 11/20/2014

10 Staff overflow attack The staff does not follow security because it is too complex or not convenient enough Consequences Users bypass security by simplifying their actions Severity High Likelihood of exploit Very High Classification: Public How users bypass your security! ITDays th November Slide 10

11 Staff overflow attack The staff does not follow security because it is too complex or not convenient enough Notable examples Password policy too complex / renewals every month Passwords written on post-its Token left near workstations Token pin on post-its Need help for debugging my PC Passwords sent in clear text in s Passwords given over the phone Access to files is too complex from the outside Confidential files copied on personal laptop or USB drives Files sent via personal means Yahoo, Gmail, Dropbox, icloud, Classification: Public How users bypass your security! ITDays th November Slide 11

12 Staff overflow attack mitigation Password policies Be careful with strong but unusable policies Let users choose long password (do not limit users) User will accept a strong policy if you soften the renewal delays Let users keep the password as long as possible The longer they can use it, the better they will apply themselves for a good password Access to resources Provide a secure (but convenient) access to resources Awareness To reach files that are inside To communicate files to the outside Propose secure ways to communicate files that don t pass through s Make users aware that their actions have consequences Explain/show them why security policies are important Classification: Public How users bypass your security! ITDays th November Slide 12

13 Short term memory corruption attack Classification: Public How users bypass your security! ITDays th November Slide 13 11/20/2014

14 Short term memory corruption attack Unaware, distracted, naïve users forget to care about security Consequences Confidential data or access to systems is given to attackers Severity Very high Likelihood of exploit Very high Classification: Public How users bypass your security! ITDays th November Slide 14

15 Short term memory corruption attack Unaware, distracted, naïve users forget to care about security Notable examples Users victim of social engineering attacks Victim of phishing attacks Give confidential credentials over the phone Leave access to computer to anyone claiming to be helpdesk Users install harmful content on their workstations Attachments/links in s Browser plugins Users keep their mistakes hidden Lost phones remain unreported Credentials given away remain untold Documents sent to the wrong destination remain unwarned Classification: Public How users bypass your security! ITDays th November Slide 15

16 Short term memory corruption attack mitigation Awareness Train users to detect social engineering attacks Explain them why informing their IT is important Security procedures Procedures that guide users in their daily life How to sent secure attachments How to communicate passwords How to select a strong password Domain passwords One time passwords Technical measures Limit users as efficient as possible Balance between security and usability Classification: Public How users bypass your security! ITDays th November Slide 16

17 Commander injection attack Classification: Public How users bypass your security! ITDays th November Slide 17 11/20/2014

18 Commander injection attack The superior commands to change a security setting for <insert reason> Consequences Security is weakened for conveniences Severity High Likelihood of exploit Medium Classification: Public How users bypass your security! ITDays th November Slide 18

19 Commander injection attack The superior commands to change a security setting for <insert reason> Notable examples The boss has a new device and can t connect to his icloud account Open the necessary ports The boss tried a door and it was locked Provide access to the server room The boss wants to sync his to his personal computer Disable the filtering protection The boss wants unprotected Wifi hotspot for VIP guests No password, it s too complicated Classification: Public How users bypass your security! ITDays th November Slide 19

20 Commander injection attack mitigation Awareness Explain to boss why changing this security setting is not okay Being able to spoof internal addresses is not secure at all Boss: Just do it, it is crucial for business Demonstrate to boss why changing this security setting is not okay Boss receives from (himself) : It is still business crucial if we can impersonate anyone? Boss: Ok we must fix this problem, we will modify our business procedure Classification: Public How users bypass your security! ITDays th November Slide 20

21 Hurry can attack Classification: Public How users bypass your security! ITDays th November Slide 21 11/20/2014

22 Hurry can attack The urgent situation makes users take reckless actions Consequences Security is bypassed when facing urgent situations Severity High Likelihood of exploit Very High Classification: Public How users bypass your security! ITDays th November Slide 22

23 Hurry can attack The urgent situation makes users take reckless actions Notable examples I have to sent files urgently to my recipient but it won t go through the mail gateway Sends it via gmail, yahoo, dropbox, etc. I forgot my password, need access for a demo for a client Colleague sends password in clear text via Urgent order must be sent Bypass validation process / 4-eye principle, we can verify later (or not) Classification: Public How users bypass your security! ITDays th November Slide 23

24 Hurry can attack mitigation Plan emergency processes Prepare secure emergency scenarios Train users on how to encrypt files Encrypt content in zip files before sending it via public means Train users on how to securely communicate a password Not in clear text of an Ex: SMS, phone, two different ways,... Prepare emergency aftermath processes Document how to go back to a secure situation after an emergency Reset passwords Close the temporarily opened breach Change configuration back to secure Classification: Public How users bypass your security! ITDays th November Slide 24

25 Salesman in the middle attack Classification: Public How users bypass your security! ITDays th November Slide 25 11/20/2014

26 Salesman in the middle attack Economic power of sales creates security exceptions Consequences Security is endangered through exceptions to please a customer Severity High Likelihood of exploit High Classification: Public How users bypass your security! ITDays th November Slide 26

27 Salesman in the middle attack Economic power of sales creates security exceptions Notable examples This big customer needs to have access to an ftp server The customer systems can t be changed, so open this access I must be able to work from my ipad I can t use this VPN, give a me a direct access The customer tool sends where the sender is my address, deactivate the filtering Enable outside servers to send s with the inside domain address ( spoofing) Encrypted s are blocked by the mail server Business cannot wait manual validation, unblock all encrypted s by default without any virus check I need to send an exe file, I don t know how to zip it, please enable.exe files Classification: Public How users bypass your security! ITDays th November Slide 27

28 Salesman in the middle attack mitigation Block exceptions with Commander injection Awareness Make users aware that their actions have consequences Explain/show them why security policies are important Procedure/technical solutions Propose secure alternative solutions Classification: Public How users bypass your security! ITDays th November Slide 28

29 Denial of action attack Classification: Public How users bypass your security! ITDays th November Slide 29 11/20/2014

30 Denial of action attack No actions are taken based on security audits results or vulnerability disclosures Consequences Identified security breaches remain open Severity Very high Likelihood of exploit High Classification: Public How users bypass your security! ITDays th November Slide 30

31 Denial of action attack No actions are taken based on security audits results or vulnerability disclosures Notable examples Known vulnerabilities Unpatched systems remain vulnerable E.g. SSLv3 known as vulnerable but still in use in many systems Pentest recheck Nothing was fixed since the last update Risk management Risk are mishandled and simply put under the rug Classification: Public How users bypass your security! ITDays th November Slide 31

32 Denial of action attack mitigation Culture Take immediate actions to close security breaches in short term E.g. close access, shut down machine, monitor activity Plan actions to fix security breaches in the long term E.g. update system, patch vulnerability, re-implement software Information security management system Awareness Inform, demonstrate the criticality of breaches to the decision makers Top management must be able understand the criticality in order to make changes happen Classification: Public How users bypass your security! ITDays th November Slide 32

33 Conclusion Classification: Public How users bypass your security! ITDays th November Slide 33 11/20/2014

34 Conclusion Users have great power, thus great responsibilities They often don t know/care about it User think they are in a secure environment but actually aren t Users are limited to protect them from many threats but not all of them All users at all levels must be careful Any user can be the source of a security incident Humans have weaknesses, especially in stressful situations Plan such situations Support users in those situation Provide (secure) alternative ways Plan the aftermath Classification: Public How users bypass your security! ITDays th November Slide 34

35 Conclusion 3 steps cure: 1. Awareness Regularly Inform users Regularly teach users 2. Culture Overall enterprise culture where everyone is paying attention to security Play the croissants game Unclaimed printed papers Physical access to the premises (badge verification) 3. Organization Security policies Strong but effective/efficient Risk management Leave no security breach unwatched Classification: Public How users bypass your security! ITDays th November Slide 35

36 Thank you for your attention Click to add chapter title Classification: Public How users bypass your security! ITDays th November Slide 36

37 Questions & Answers Click to add chapter title Classification: Public How users bypass your security! ITDays th November Slide 37

38 Contact information Tom Leclerc (+352) Click to add chapter title Classification: Public How users bypass your security! ITDays th November Slide 38