HOW SECURE IS YOUR ORGANIZATION FROM CYBER CRIME? Presented by

Transcription

1 HOW SECURE IS YOUR ORGANIZATION FROM CYBER CRIME? Presented by

2 PPN PRESENTATION OBJECTIVES To create or increase awareness of some areas of risk exposures as they pertain to information and network security. Provide some top level information relating to the technology based solutions that are commonly employed & the pro s/con s of each. Provide tools, tips and techniques that you can take back to your teams or alternatively use yourself directly. Increase understanding of Ethical Hacking and the important role it plays in the grand scheme of securing your networks and information.

3 WHAT IS CYBER CRIME? Computer crime, or cybercrime, refers to any crime that involves a computer and a network, where the computers may or may not have played an instrumental part in the commission of a crime. Netcrime refers, more precisely, to criminal exploitation of the Internet. Issues surrounding this type of crime have become high profile, particularly those surrounding hacking, copyright infringement, child pornography, and child grooming. There are also problems of privacy when confidential information is lost or intercepted, lawfully or otherwise. On a global level, both governments and non state actors continue to grow in importance, with the ability to engage in such activities as espionage, financial theft, and other cross border crimes sometimes referred to as cyber warfare. The international legal system is attempting to hold actors accountable for their actions, with the International Criminal Court being among the few addressing this threat.

4 WHAT EVERY EXECUTIVE IN EVERY ORGANIZATION DEALS WITH: Risk management challenges understanding your threats and assessing your vulnerabilities Resource allocation decisions prioritize resources to address critical vulnerabilities managing and mitigating risk to critical assets Return on investment objectives

5 RISK MANAGEMENT RISK ATTACHED TO CYBER CRIMES THE RISK IS REAL Your organization is a target no matter how large or small attacks are generally automated and persistent at risk is your data, reputation and corporate well being Many companies have invested valuable resources financial(security products firewalls) and effort (security policies) and still get attacked Only time you will truly know if the security resources you have invested in actually work for you is if they are tested. UNFORTUNATELY, TOO MANY COMPANIES WAIT UNTIL IT IS THE REAL LIVE TEST BY UNETHICAL HACKERS!!

6 RISK MANAGEMENT COSTS ATTACHED TO CYBER CRIME Legal liability to others for computer security breaches Legal liability to others for privacy breaches Loss or damage to data / information Loss of revenue due to a computer attack Extra expense to recover / respond to a computer attack Loss or damage to reputation Identity theft Privacy notification requirements Regulatory actions

7 RISK MANAGEMENT INFORMATION SECURITY AND INSURANCE Traditional insurance policies typically do NOT cover cyber liability risks Some insurance companies now have specific (costly) cyber and privacy policy insurance coverage that deal with them (with the exception of a loss or damage to reputation) Security controls are a foundation for trust the trust an organization s customers, employees, trading partners and stakeholders place in the organization that its data and intellectual property are adequately protected against unauthorized access, disclosure, use or loss. (CICA Information Technology Advisory Committee)

8 RISK MANAGEMENT REGULATORY INFORMATION SECURITY AND PRIVACY USA: State Security Breach Notification Laws Health Insurance Portability and Accountability Act ( HIPAA ) Gramm Leach Bliley Act Fair Credit Reporting Act Fair and Accurate Credit Transactions Act ( FACT Act ) Sarbanes Oxley Act Telemarketing and Consumer Fraud and Abuse Prevention Act Telephone Consumer Protection Act / Controlling the Assault of Non Solicited Pornography and Marketing Act ( CAN SPAM Act ) Privacy Act National Association of Insurance Commissioners / Model Privacy Laws USA Patriot Act

9 RISK MANAGEMENT REGULATORY INFORMATION SECURITY AND PRIVACY CANADA: Privacy Act Personal Information Protection and Electronic Documents Act ( PIPEDA ) Bill C 198 Personal Health Information Protection Act ( PHIPA Ontario) provincial AND MORE TO COME..

10 RISK MANAGEMENT PCI: WHAT S REQUIRED & WHAT IT MEANS TO BUSINESS? PCI requires all merchants to verify compliance with PCI standards, regardless of size, and failure to do so may result in a merchant being fined and/or terminated from the processing services. If a merchant s systems are breached and they are not complying with PCI requirements, the merchant may be responsible for all costs associated with inappropriately used credit cards. PCI standards consider any network, server or application connected to the systems that store, process or transmit to be the credit card systems. Merchants that collect credit card information from e commerce websites are required to have strong security processes to develop and monitor the websites. Merchants must regularly monitor and test their networks. This includes annual penetration testing on both the network and application layer. Merchants have typically found it difficult to meet the PCI standard requirements for monitoring and testing its network. PPN can now make this much more cost effective for small to medium size enterprises.

11 RISK MANAGEMENT CICA, AICPA: WHAT ARE THEY SAYING? Legislation are placing increased responsibility on organizations to implement procedures that ensure the privacy, confidentiality and integrity of their information and information systems. Penetration testing can help provide the assurance management and its auditors need on the information security components an organization uses to protect its information assets. (CICA Information Technology Advisory Committee) The AICPA, in its annual list of Top Technology Initiatives for 2009, listed Information Security Management; Privacy Management; and Secure Data File Storage, Transmission and Exchange as the top three issues that companies need to address.

12 RISK MANAGEMENT NATIONAL CYBER SECURITY PARTNERSHIP ( NCSP ): WHAT ARE THEY SAYING? get ready for the next big corporate governance issue.if you don t move the issue of network security into the boardroom fast you may soon find yourself at the receiving end of some pretty nasty regulatory, not to mention legal, consequences. For years, computer and network security has been left to information technology folks. Most try to do the right thing, but that s not an easy task when IT departments are largely under funded and neglected by management. (2004 CA Magazine article the Next Governance Grenade)

13 RISK MANAGEMENT TIPS, TOOLS & TECHNIQUES Understand the data of your business with respect to importance, sensitivity, liability and risk. Tailor your security solutions to address key areas of concern and exposure. Consult with your insurance broker in an attempt to understand your current exposure. Understand what specific options are available to you as a business for your strategic planning purposes. If you utilize the services of a web site hosting agent, review your agreement with them to fully understand your responsibilities under that agreement and the extent to which you are liable if your web site is exploited and third party damages result. Understand where the liability lies with respect to services acquired through third party service providers (web developers, integrators and contractors). Introduce risk mitigation techniques as required.

14 PROVEN PRIVATE NETWORKS (PPN) ADDRESSES KEY MGMT REQUIREMENTS KEEP IN MIND EXECUTIVE MANAGEMENT S FOCUS ON RISK MANAGEMENT, RESOURCE ALLOCATION, RETURN ON INVESTMENT With the use of Core Impact Pro, PPN assists organizations to efficiently determine, through an automated and consistent penetration testing approach, where the real critical systems security exposures are, discovered and ranked according to the likelihood and impact on the organization, resulting in more effective management decisions relating to unacceptable levels of risk and limited resource allocation

15 TECHNOLOGY MANAGEMENT INTRUSION DETECTION (IDS) & PREVENTION (IPS) SYSTEMS IDS a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. IPS the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS) primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization. IDPSs typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPSs can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack s content.

16 TECHNOLOGY MANAGEMENT INTRUSION DETECTION (IDS) & PREVENTION (IPS) SYSTEMS (cont d) The challenges/problems with these technologies include: Noise can severely limit Intrusion detection systems effectiveness. Bad packets generated from software bugs, corrupt DNS data, and local packets that escaped can create a significantly high falsealarm rate. Too few attacks It is not uncommon for the number of real attacks to be far below the false alarm rate. Real attacks are often so far below the false alarm rate that they are often missed and ignored. Signature updates Many attacks are geared for specific versions of software that are usually outdated. A constantly changing library of signatures is needed to mitigate threats. Outdated signature databases can leave the IDS vulnerable to new strategies.

17 TECHNOLOGY MANAGEMENT FIREWALLS Firewalls are part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices that is configured to permit or deny network transmissions based upon a set of rules and other criteria. Can be implemented in either hardware or software, or a combination of both. Frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which inspects each message and blocks those that do not meet the specified security criteria. There are several types of firewall techniques: Packet filter: Inspects each packet passing through the network and accepts or rejects it based on user defined rules. Although difficult to configure, it is fairly effective and mostly transparent to its users. It is susceptible to IP spoofing. Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose performance degradation. Circuit level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking. Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

18 TECHNOLOGY MANAGEMENT SCANNING VS TESTING Type of Test Strengths Weaknesses Network Scanning Fast (compared to vulnerability scanners or penetration testing) Efficiently scans hosts, depending on number of hosts in network Many excellent freeware tools available Highly automated (for scanning component) Low cost Does not directly identify known vulnerabilities (although will identify commonly use Trojan ports [e.g., 31337, 12345, etc]) Generally used as a prelude to penetration testing not as final test Requires significant expertise to interpret results Vulnerability Scanning Penetration Testing Can be fairly fast depending on number of hosts scanned Some freeware tools available Highly automated (for scanning) Identifies known vulnerabilities Often provides advice on mitigating discovered vulnerabilities High cost (commercial scanners) to low (freeware scanners) Easy to run on a regular basis Tests network using the methodologies and tools that attackers employ Verifies vulnerabilities Goes beyond surface vulnerabilities and demonstrates how these vulnerabilities can be exploited iteratively to gain greater access Demonstrates that vulnerabilities are not purely theoretical Can provide the realism and evidence needed to address security issues Social engineering allows for testing of procedures and the human element network security Has high false positive rate Generates large amount of traffic aimed at a specific host (which can cause the host to crash or lead to a temporary denial of service) Not stealthy (e.g., easily detected by IDS, firewall and even end users [although this may be useful in testing the response of staff and altering mechanisms]) Can be dangerous in the hands of a novice (particularly DoS attacks) Often misses latest vulnerabilities Identifies only surface vulnerabilities Requires great expertise Very labour intensive Slow, target hosts may take hours/days to crack Due to time required not all hosts on medium or large sized networks will be tested individually Dangerous when conducted by inexperienced testers Certain tools and techniques may be banned or controlled by agency regulations (e.g., network sniffers, password crackers, etc.) Expensive

19 TECHNOLOGY MANAGEMENT SYSTEMS DEVELOPMENT LIFECYCLE (SDLC) A typical systems lifecycle would include the following activities: 1. Initiation the system is described in terms of its purpose, mission, and configuration. 2. Development and Acquisition the system is possibly contracted and constructed according to documented procedures and requirements. 3. Implementation and Installation the system is installed and integrated with other applications, usually on a network. 4. Operational and Maintenance the system is operated and maintained according to its mission requirements. 5. Disposal the system s lifecycle is complete and it is deactivated and removed from the network and active use.

20 TECHNOLOGY MANAGEMENT SYSTEMS DEVELOPMENT LIFECYCLE (SDLC) (cont d) Evaluation of system security can and should be conducted at different stages of system development. Security evaluation activities include, but are not limited to: risk assessment, certification and accreditation (C&A), system audits, and security testing at appropriate periods during a system s life cycle. These activities are geared toward ensuring that the system is being developed and operated in accordance with an organization s security policy. Network security testing, as a security evaluation activity, must fit into the system development life cycle.

21 TECHNOLOGY MANAGEMENT TIPS, TOOLS & TECHNIQUES Follow technology deployment best practices as much as realistically possible. Everyone understands that budgets are not bottom less pits. Trade offs need to be understood. Understand using a cost risk benefit process where best to allocate security related budgets. Secure your wireless devices including PDA s and wireless network adapters and routers. Increase encryption level. Too many companies out there have no or very little encryption. 3rd parties are useful for supplying unbiased results. Manage the retirement of technologies. Too much data is thrown out in the garbage or donated to recipient organizations. TEST YOUR NETWORK before a hacker does it for you. Employ a four vector attack on network infrastructures: Users, Wireless, WWW, and Internal Network.

22 SUMMARY The risks attached to cyber crime are real. The costs are significant. In some cases the costs can include the ability of the organization to continue as a going concern. Some form of testing should be completed on an ongoing scheduled basis or when configuration changes are made to the network. Consider the following analogy would someone responsible for corporate reporting distribute financial results from a complex Crystal Report after it was modified without testing it first for accuracy? Why would someone responsible for network security deploy technology without testing it first to ensure it is secure? Penetration testing is the most conclusive test an organization can conduct on its security infrastructure. At the end of the day business decisions involve compromises. There will always be budget constraints. Penetration testing results are comprehensive and stress the network in a way that other solutions can not offer.

23 SOME ORGANIZATIONS THAT USE CORE IMPACT PRO

24 The Gonzalez Attacks REAL LIFE EXAMPLE THE GONZALEZ ATTACKS Albert Gonzalez: Convicted for Heartland Payment Systems breach and theft of 40 million+ credit card numbers, costing Heartland $130 million. 1. Compromised web application via SQL Injection. 2. Gained access to web database server. 4. Established persistent control. 5. Installed sniffer. 6. Identified other systems on the network. 7. Identified destination of credit card transaction traffic. 8. Accessed database containing card numbers. 3. Found no information of value on web server database.

25 Comprehensive Testing with CORE IMPACT COMPREHENSIVE TESTING WITH CORE IMPACT Real world, multistaged testing reveals exposures within and across infrastructure layers by taking the attacker s approach. 1. Identify target web pages via Information Gathering Module. 2. Dynamically generate customized SQL injection exploits. 3. Gain access to web database server. 5. Deploy Persistent OS Agent. 6. Run Traffic Sniffer Module. 7. Run Information Gathering Module 8. Leverage Banner Grabber to learn about apps on target system. 9. Run relevant application exploits to compromise system. 10. Run Get Sensitive Data Module to identify credit card numbers. 4. Run Get Database Schema module. Determine database contains nothing of value.

26 PROVEN PRIVATE NETWORKS (PPN) ADDRESSES KEY MGMT REQUIREMENTS KEEP IN MIND EXECUTIVE MANAGEMENT S FOCUS ON RISK MANAGEMENT, RESOURCE ALLOCATION, RETURN ON INVESTMENT With the use of Core Impact Pro, PPN assists organizations to efficiently determine, through an automated and consistent penetration testing approach, where the real critical systems security exposures are, discovered and ranked according to the likelihood and impact on the organization, resulting in more effective management decisions relating to unacceptable levels of risk and limited resource allocation