How users bypass your security!

Slide 1 - How users bypass your security!
IT Days, Security issues, 20th November 2014
Tom Leclerc, Security Consultant
SAGS - Security Audits and Governance Services, a Telindus Security department
Classification: Public | How users bypass your security! ITDays 2014, 20th November | Slide 1

Slide 2 - About us
Security at Telindus is 27 dedicated consultants:
- Network and Security Solutions: 14 consultants
- Security Audits and Governance Services: 8 consultants
- Security Sales: 5 consultants
Services:
- Design and implementation of security infrastructures
- Consultancy, installation, configuration and maintenance of security solutions
- Security audits
- Governance, Risk, Compliance, Education
- Pentest
- Source code review
- Security Training and Awareness / Social Engineering

Slide 3 - About us: Security Audits and Governance Services
- Penetration Test (4 consultants)
- GRC (Governance, Risk and Compliance) + Education (4 consultants)
Governance: align information security program activities with organizational goals and priorities.
Audits: assess the security of information assets (penetration testing, source code review).
Education: protect information assets by raising information security awareness.
Risk Management: identify and assess information security risks in a cost-effective manner.
Compliance: translate regulatory requirements into effective security policies and controls.

Slide 4 - Example of IT security technologies
Areas: End point, Business Applications, Network, Remote Workers.
Technologies: Anti-virus, Data Leakage protection, Application firewalls, Firewall, IDS/IPS, VPN IPSec, VPN SSL, Device encryption, Log analyser, Database firewalls, Web Proxy, Mail gateway, Strong authentication, Multi-factor authentication.
Technology improves security, but is not sufficient.

Slide 5 - Security is 80% organisation, culture and awareness, 20% technology.

Slide 6 - Users bypass security: Any 3 - Anytime, Anywhere, Anyone.

Slide 7 - Why do users bypass security?
Users bypass security for several reasons (user weaknesses):
- Lazy
- Distracted
- Unaware
- Stressed
- Overwhelmed
- Unconcerned
User weaknesses become concrete threats under certain conditions.

Slide 8 - How do users bypass security? Well known attacks:
- Staff overflow
- Short term memory corruption
- Commander injection
- Hurry can
- Salesman in the middle
- Denial of action

Slide 9 - Staff overflow attack (section title)

Slide 10 - Staff overflow attack
The staff does not follow security because it is too complex or not convenient enough.
Consequences: users bypass security by simplifying their actions.
Severity: High. Likelihood of exploit: Very High.

Slide 11 - Staff overflow attack
The staff does not follow security because it is too complex or not convenient enough.
Notable examples:
- Password policy too complex / renewals every month
- Passwords written on post-its
- Token left near workstations
- Token PIN on post-its
- "Need help for debugging my PC"
- Passwords sent in clear text in emails
- Passwords given over the phone
- Access to files is too complex from the outside
- Confidential files copied on personal laptops or USB drives
- Files sent via personal means (Yahoo, Gmail, Dropbox, iCloud, ...)

Slide 12 - Staff overflow attack mitigation
Password policies:
- Be careful with strong but unusable policies
- Let users choose long passwords (do not limit users)
- Users will accept a strong policy if you soften the renewal delays
- Let users keep the password as long as possible: the longer they can use it, the better they will apply themselves to choosing a good password
Access to resources:
- Provide secure (but convenient) access to resources, both to reach files that are inside and to communicate files to the outside
- Propose secure ways to communicate files that don't pass through emails
Awareness:
- Make users aware that their actions have consequences
- Explain/show them why security policies are important
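The password-policy advice on this slide (allow long passwords, drop composition rules, soften renewals) can be made concrete by putting the "strong but unusable" policy next to the recommended one and running the same candidate passwords through both. The following is an added example written for this page, not code from the talk or from Telindus; the deny list and policy parameters are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed deny list; a real deployment would use a breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome1", "summer2014"}

TOO_SHORT = "shorter than the minimum length"
TOO_LONG = "longer than the maximum length"
NO_CLASSES = "must mix lower case, upper case, digits and symbols"
ON_DENY_LIST = "appears on the common-password deny list"
HAS_USERNAME = "contains the username"
LOW_VARIETY = "uses fewer than four distinct characters"


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    max_length: int
    require_classes: bool        # composition rule (upper/lower/digit/symbol)
    renewal_days: Optional[int]  # forced renewal interval; None = renew only on suspected compromise

    def check(self, password: str, username: str = "") -> List[str]:
        """Return the list of violations; an empty list means the password is accepted."""
        problems: List[str] = []
        if len(password) < self.min_length:
            problems.append(TOO_SHORT)
        if len(password) > self.max_length:
            problems.append(TOO_LONG)
        if self.require_classes:
            classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
            if not all(re.search(p, password) for p in classes):
                problems.append(NO_CLASSES)
        lowered = password.lower()
        if lowered in COMMON_PASSWORDS:
            problems.append(ON_DENY_LIST)
        if username and username.lower() in lowered:
            problems.append(HAS_USERNAME)
        if len(set(password)) < 4:  # "aaaaaaaaaaaa" is long but trivial
            problems.append(LOW_VARIETY)
        return problems

    def renewal_due(self, days_since_change: int, compromised: bool) -> bool:
        """A suspected compromise always forces a change; otherwise only a scheduled interval does."""
        if compromised:
            return True
        return self.renewal_days is not None and days_since_change >= self.renewal_days


# The "strong but unusable" policy the slide warns about: short cap, composition rules, monthly renewal.
LEGACY = PasswordPolicy("legacy", min_length=8, max_length=16, require_classes=True, renewal_days=30)
# The policy the slide recommends: long passwords allowed, no composition rule, no scheduled renewal.
LENGTH_FIRST = PasswordPolicy("length-first", min_length=12, max_length=128,
                              require_classes=False, renewal_days=None)


def compare(password: str, username: str = "") -> dict:
    """Run one candidate through both policies; keys are policy names, values the violation lists."""
    return {p.name: p.check(password, username) for p in (LEGACY, LENGTH_FIRST)}


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Summer2014!", "password", "alice-alice-alice"):
        print(repr(candidate), compare(candidate, username="alice"))
```

The run shows the trade-off the slide describes: the legacy policy rejects a 28-character passphrase for being too long and lacking symbols, while accepting "Summer2014!" because it ticks every composition box; the length-first policy does the opposite and, because it has no scheduled renewal, never pushes users toward the post-it.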

Slide 13 - Short term memory corruption attack (section title)

Slide 14 - Short term memory corruption attack
Unaware, distracted, naïve users forget to care about security.
Consequences: confidential data or access to systems is given to attackers.
Severity: Very high. Likelihood of exploit: Very high.

Slide 15 - Short term memory corruption attack
Unaware, distracted, naïve users forget to care about security.
Notable examples:
- Users are victims of social engineering attacks: victims of phishing attacks; give confidential credentials over the phone; leave access to their computer to anyone claiming to be the helpdesk
- Users install harmful content on their workstations: attachments/links in emails; browser plugins
- Users keep their mistakes hidden: lost phones remain unreported; credentials given away remain untold; documents sent to the wrong destination remain unreported

Slide 16 - Short term memory corruption attack mitigation
Awareness:
- Train users to detect social engineering attacks
- Explain to them why informing their IT department is important
Security procedures (procedures that guide users in their daily life):
- How to send secure email attachments
- How to communicate passwords
- How to select a strong password (domain passwords, one-time passwords)
Technical measures:
- Limit users as effectively as possible
- Balance between security and usability

Slide 17 - Commander injection attack (section title)

Slide 18 - Commander injection attack
The superior commands to change a security setting for <insert reason>.
Consequences: security is weakened for convenience.
Severity: High. Likelihood of exploit: Medium.

Slide 19 - Commander injection attack
The superior commands to change a security setting for <insert reason>.
Notable examples:
- The boss has a new device and can't connect to his iCloud account: open the necessary ports
- The boss tried a door and it was locked: provide access to the server room
- The boss wants to sync his email to his personal computer: disable the email filtering protection
- The boss wants an unprotected Wi-Fi hotspot for VIP guests: no password, it's too complicated

Slide 20 - Commander injection attack mitigation
Awareness: explain to the boss why changing this security setting is not okay.
- "Being able to spoof internal email addresses is not secure at all."
- Boss: "Just do it, it is crucial for business."
Demonstrate to the boss why changing this security setting is not okay.
- Boss receives an email from boss@company.lu (himself): "Is it still business crucial if we can impersonate anyone?"
- Boss: "Ok, we must fix this problem, we will modify our business procedure."

Slide 21 - Hurry can attack (section title)

Slide 22 - Hurry can attack
The urgent situation makes users take reckless actions.
Consequences: security is bypassed when facing urgent situations.
Severity: High. Likelihood of exploit: Very High.

Slide 23 - Hurry can attack
The urgent situation makes users take reckless actions.
Notable examples:
- "I have to send files urgently to my recipient but they won't go through the mail gateway": sends them via Gmail, Yahoo, Dropbox, etc.
- "I forgot my password, I need access for a demo for a client": a colleague sends the password in clear text via email
- "An urgent order must be sent": bypass the validation process / 4-eye principle, we can verify later (or not)

Slide 24 - Hurry can attack mitigation
Plan emergency processes (prepare secure emergency scenarios):
- Train users on how to encrypt files: encrypt content in zip files before sending it via public means
- Train users on how to securely communicate a password: not in the clear text of an email; e.g. SMS, phone, two different channels, ...
Prepare emergency aftermath processes (document how to go back to a secure situation after an emergency):
- Reset passwords
- Close the temporarily opened breach
- Change the configuration back to secure

Slide 25 - Salesman in the middle attack (section title)

Slide 26 - Salesman in the middle attack
Economic power of sales creates security exceptions.
Consequences: security is endangered through exceptions to please a customer.
Severity: High. Likelihood of exploit: High.

Slide 27 - Salesman in the middle attack
Economic power of sales creates security exceptions.
Notable examples:
- "This big customer needs to have access to an FTP server; the customer systems can't be changed, so open this access"
- "I must be able to work from my iPad; I can't use this VPN, give me direct access"
- "The customer tool sends email where the sender is my email address, deactivate the filtering": enable outside servers to send emails with the inside domain address (email spoofing)
- "Encrypted emails are blocked by the mail server; business cannot wait for manual validation, unblock all encrypted emails by default without any virus check"
- "I need to send an exe file, I don't know how to zip it, please enable .exe files"

Slide 28 - Salesman in the middle attack mitigation
- Block exceptions with Commander injection
Awareness:
- Make users aware that their actions have consequences
- Explain/show them why security policies are important
Procedure/technical solutions:
- Propose secure alternative solutions
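Both the Commander injection demonstration (the boss receiving mail "from himself") and the Salesman in the middle request to let a customer tool send as the internal domain come down to one gateway decision: may a message whose From address carries the internal domain arrive from this connecting host? The following added example (written for this page, not Telindus code) shows that check as a mail-gateway classifier over constructed messages. It assumes the internal domain `company.lu` from the slide's example address, constructed internal networks, and one explicitly reviewed customer-tool exception, which is the "secure alternative" to switching the filtering off for everyone.

```python
import ipaddress
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Optional

INTERNAL_DOMAIN = "company.lu"  # domain of the slide's example address boss@company.lu
# Constructed assumptions: the gateway's own networks and one reviewed exception for a customer tool.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
AUTHORIZED_EXTERNAL_SENDERS = {ipaddress.ip_address("203.0.113.10")}

# IPv4 literal in brackets as written into a Received header by the receiving MTA (IPv6 not handled here).
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(msg) -> Optional[ipaddress.IPv4Address]:
    """IP of the host that handed the message to our gateway.

    Only the topmost Received header was written by our own gateway; every header below
    it came with the message and can say anything the sender wants."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = BRACKETED_IP.search(str(received[0]))
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None


def sender_domain(msg) -> str:
    """Domain part of the From header's address (the part a user sees and trusts)."""
    return parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()


def classify(raw_message: str) -> str:
    msg = message_from_string(raw_message, policy=policy.default)
    if sender_domain(msg) != INTERNAL_DOMAIN:
        return "pass: external sender"          # not our domain, other filters decide
    ip = connecting_ip(msg)
    if ip is None:
        return "reject: internal sender without traceable origin"
    if any(ip in net for net in INTERNAL_NETWORKS):
        return "accept: internal origin"
    if ip in AUTHORIZED_EXTERNAL_SENDERS:
        return "accept: authorized exception"   # the reviewed customer-tool relay
    return "reject: internal address from unauthorized outside host"


# Constructed sample messages; the Received line is the one our gateway would have added.
SAMPLE_MESSAGES = {
    "spoof": (
        "Received: from mail.outside.example ([198.51.100.7]) by gw.company.lu\n"
        "From: boss@company.lu\nTo: finance@company.lu\nSubject: Urgent transfer\n\n"
        "Please pay the attached invoice today.\n"
    ),
    "internal": (
        "Received: from ws-42.corp.company.lu ([10.1.2.3]) by gw.company.lu\n"
        "From: Staff <staff@company.lu>\nTo: boss@company.lu\nSubject: Weekly report\n\nAttached.\n"
    ),
    "customer_tool": (
        "Received: from crm.customer.example ([203.0.113.10]) by gw.company.lu\n"
        "From: sales@company.lu\nTo: customer@customer.example\nSubject: Quote\n\nSee quote.\n"
    ),
    "external": (
        "Received: from mx.partner.example ([198.51.100.9]) by gw.company.lu\n"
        "From: someone@partner.example\nTo: staff@company.lu\nSubject: Hello\n\nHi.\n"
    ),
    "no_trace": "From: boss@company.lu\nTo: staff@company.lu\nSubject: Hi\n\nNo Received header at all.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        print(f"{name:14s} -> {classify(raw)}")
```

The exception set is the point: the customer's tool keeps working because its relay is listed, while the "boss@company.lu from an unknown outside host" case is still rejected, so the filtering the salesman asked to deactivate never has to be switched off. In production the same decision is what an SPF record and DMARC policy express for the domain; the classifier above just makes the logic visible on sample data.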

Slide 29 - Denial of action attack (section title)

Slide 30 - Denial of action attack
No actions are taken based on security audit results or vulnerability disclosures.
Consequences: identified security breaches remain open.
Severity: Very high. Likelihood of exploit: High.

Slide 31 - Denial of action attack
No actions are taken based on security audit results or vulnerability disclosures.
Notable examples:
- Known vulnerabilities: unpatched systems remain vulnerable, e.g. SSLv3 is known to be vulnerable but is still in use in many systems
- Pentest recheck: nothing was fixed since the last update
- Risk management: risks are mishandled and simply swept under the rug

Slide 32 - Denial of action attack mitigation
Culture:
- Take immediate actions to close security breaches in the short term, e.g. close access, shut down the machine, monitor activity
- Plan actions to fix security breaches in the long term, e.g. update the system, patch the vulnerability, re-implement the software
- Information security management system
Awareness:
- Inform the decision makers and demonstrate the criticality of breaches to them
- Top management must be able to understand the criticality in order to make changes happen
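The SSLv3 case on the previous slide is the kind of finding that survives a pentest recheck because nobody turns a report line into a configuration change. As an added example for this page (not code from the talk), the audit below reads the protocol directives of Apache (`SSLProtocol`) and nginx (`ssl_protocols`) from a constructed configuration, reports which deprecated protocol versions are still enabled on which line, and pairs each finding with the corrected directive, so the "short term: monitor, long term: fix" split has a concrete artefact to track. SSLv3 is the slide's example; TLS 1.0 and 1.1 are included because RFC 8996 later deprecated them. The expansion of Apache's `all` keyword is an assumption (its exact contents vary with the Apache and OpenSSL version).

```python
import re
from typing import Dict, List, Set

KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
CANONICAL: Dict[str, str] = {name.lower(): name for name in KNOWN}
# SSLv3 is the slide's example; TLS 1.0 and 1.1 were deprecated by RFC 8996.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Either directive, optionally followed by nginx's trailing semicolon.
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^;]*?)\s*;?\s*$", re.IGNORECASE)

SUGGESTED_FIX = {
    "sslprotocol": "SSLProtocol -all +TLSv1.2 +TLSv1.3",
    "ssl_protocols": "ssl_protocols TLSv1.2 TLSv1.3;",
}


def apache_protocols(value: str) -> Set[str]:
    """Expand an Apache SSLProtocol value such as 'all -SSLv2 -SSLv3' into the enabled set.

    Tokens are processed left to right; '+' or no prefix enables, '-' disables.
    Assumption: 'all' means every version except SSLv2 (the real set depends on the build)."""
    enabled: Set[str] = set()
    for token in value.split():
        op, name = (token[0], token[1:]) if token[:1] in ("+", "-") else ("+", token)
        if name.lower() == "all":
            names = set(KNOWN) - {"SSLv2"}
        else:
            canon = CANONICAL.get(name.lower())
            names = {canon} if canon else set()
        enabled = enabled - names if op == "-" else enabled | names
    return enabled


def nginx_protocols(value: str) -> Set[str]:
    """nginx lists the enabled versions explicitly: 'SSLv3 TLSv1 TLSv1.2'."""
    return {CANONICAL[t.lower()] for t in value.split() if t.lower() in CANONICAL}


def audit(config_text: str) -> List[dict]:
    """Return one finding per directive line that still enables a deprecated protocol."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        line = line.split("#", 1)[0]          # drop comments
        match = DIRECTIVE.match(line)
        if not match:
            continue
        directive, value = match.group(1), match.group(2)
        key = directive.lower()
        enabled = apache_protocols(value) if key == "sslprotocol" else nginx_protocols(value)
        bad = sorted(enabled & DEPRECATED, key=KNOWN.index)
        if bad:
            findings.append({"line": lineno, "directive": directive,
                             "deprecated": bad, "fix": SUGGESTED_FIX[key]})
    return findings


# Constructed sample mixing both servers' directives; line numbers are what the audit reports.
SAMPLE_CONFIG = """# constructed sample mixing Apache (SSLProtocol) and nginx (ssl_protocols) lines
SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(f"line {finding['line']}: {finding['directive']} still enables "
              f"{', '.join(finding['deprecated'])}; use: {finding['fix']}")
```

Line 3 of the sample is the typical "we fixed SSLv3" state that still passes a 2014-era check but fails a current one, which is exactly why a recheck needs a tracked finding per line rather than a one-off reading of the report.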

Slide 33 - Conclusion (section title)

Slide 34 - Conclusion
- Users have great power, thus great responsibilities; they often don't know/care about it
- Users think they are in a secure environment but actually aren't
- Users are limited to protect them from many threats, but not all of them
- All users at all levels must be careful: any user can be the source of a security incident
- Humans have weaknesses, especially in stressful situations: plan such situations, support users in those situations, provide (secure) alternative ways, plan the aftermath

Slide 35 - Conclusion: 3 steps cure
1. Awareness: regularly inform users; regularly teach users
2. Culture: an overall enterprise culture where everyone is paying attention to security; play the croissants game; unclaimed printed papers; physical access to the premises (badge verification)
3. Organization: security policies, strong but effective/efficient; risk management, leave no security breach unwatched

Slide 36 - Thank you for your attention

Slide 37 - Questions & Answers

Slide 38 - Contact information: Tom Leclerc, tom.leclerc@telindus.lu, (+352) 53.28.20.9987