BCS - Nottingham: Offshoring-and-Security (In Reverse Order)

John Walker FBCS CITP CISM MICAF PG.Cert, British Computer Society Registered Security Specialist, Head of Operational Security, [email protected]

Upload: liliana-lynch

Post on 27-Dec-2015

TRANSCRIPT

Page 1: BCS - Nottingham Offshoring-and-Security (In Reverse Order) John Walker FBCS CITP CISM MICAF PG.Cert British Computer Society Registered Security Specialist

BCS - Nottingham
Offshoring-and-Security (In Reverse Order)

John Walker FBCS CITP CISM MICAF PG.Cert
British Computer Society Registered Security Specialist
Head of Operational Security, [email protected]

Page 2: Genesis – Examples (Viruses)

Brain – Pakistan; Jerusalem – Israel; Cascade – West Germany; Vienna – Austria; Ping-Pong – Italy

First virus discovered in Russia: DOS 6.2 (Vienna)

Virus Developers Quarterly – raw source code

1993 – Polymorphism arrives as a real threat

1995 – Is Windows NT susceptible to virus infections? (Virus Bulletin, March 1995, ISSN 0956-9979)

Page 3: Landscape – About the Task

• Virus writers, hackers and spyware folk have learned project management skills (not the case in early 2004)

• Mobile computing and extended perimeters of operation bring with them their own set of problems

• Viruses – from a sample of 1,500 Windows users, 44% confirmed they had suffered a virus infection (I think that number is LOW) – Computing, 27 Jan 2005

• Regulation and governance – there is a lot of it

• 25% of that same sample had suffered spyware or phishing attacks – I am assuming the other 75% were aware that they were clean?

• Trojans – MS Windows Media Player – WmvDownloader.a & WmvDownloader.b

• DDoS – new security considerations – VoIP – spIM

Page 4: Consider . . . (Something Old)

How many holes do you think software could have? Consider Windows XP:

40 million: the number of lines of code in Windows XP (60M? in SP2).

5 per 1,000: even with high quality coding, you still have an estimated 5 bugs in every thousand lines of a program – around 200,000 bugs in XP.

200: the number of remotely exploitable security holes in WinXP if only 1 in 1,000 of those bugs is remotely exploitable. Might be -much- higher... Source: Win2knews

The same consideration may be applied to other applications – just look at the history of exploits!

Page 5: The Brothers SPAM & spIM

Loads of SPAM: prescription drugs, healthcare, begging letters, easy ways to make money, the usual stuff (images), low cost ripped-off software

Loads of spIM: possibly the first IM-based attack to be mounted was against AOL, using AOL Instant Messenger. The scam has the subject "Confirm AOL billing info" and attempts to convince the user to reveal their AOL username and password. The message goes on to advise that if the user does not follow the instructions, payments to AOL can't be processed.

Page 6: Phone a Friend – VoIP

In the next generation of security threats, it is highly likely that VoIP will be (or already is) a target!

Proof-of-concept attacks exist (USA) that allow hackers to manipulate communications by inserting their ‘own’ choice of words into live conversations – consider the ramifications.

Bottom line – as with any other network-based system, VoIP needs to be secured – don’t just think of it as a new telephone system

See: www.facetime.com for information on VoIP security

Page 7: Here’s Looking at You – SpyWare (Something Borrowed)

• Code on computers (not authorised)
• Pop-ups
• Redirection
• Affiliate money makers
• Slowing PCs
• Crashing PCs
• Keystroke monitors
• And more . . .

Based on trends to date, expected to rise by a factor of 10

Page 8: Let's Go Phishing

Project-managed attackers – spyware can act as a trigger (crimeware). The malware runs quietly and may only start collecting data when the user visits a selected site. The phishing emails then try to drive users to the real site to log in, which activates the spyware.

An example (screenshot not reproduced in the transcript)

Page 9: Not Forgetting Viruses and Worms

• Now an accepted way of life for any user of a computer, whether at home or in the office

• They spread fast, and can have a high impact on system availability

• Prediction – they will get smarter; they do not have to be destructive, so why not leverage their power to work for the attacker – imagination will be the only limitation here

• You have AV in place – so what, that does not ensure you will remain infection free

W32/Rbot_GR (Peeping Tom) – locates and uses web cams to look into your personal space.

Page 10: Hidden Content – Whatever you wish (Something New)

Every picture tells a story

The file C:\xxx Settings\xxx\Local Settings\Temporary Internet Files\Content.IE5\xxx\xxx is infected with Mr-Nasty.gen - Known Virus, Detected with Scan Engine 4.4.00 DAT version 4.0.4422. The file was successfully deleted. (from PC0xxxxxxxx IP xx.xxx.xxx.xxx user xxxx running VirusScan 4.5.1 SP1 OAS)

Page 11: Hidden Content – Whatever you wish (Something Potentially Blue)

Every picture tells a story – AND SOME MAY BE NOT SO ACCEPTABLE (images not reproduced in the transcript)

Page 12: The Need to Move – Mobilisation

The mobilisation of the workforce dictates that what has been seen thus far as the preserve of perimeter security, to underpin and deter attacks, has now had a quantum shift, encompassing such areas as:

WiFi (802.11b/g), Bluetooth, smart phones and PDAs

Outsourcing – how will it affect the perimeter of security, or what has thus far been accepted as the organisational ‘Area of Control’ (will it push it or pull it)?

Page 13: Legislation & Controls – Challenges

Gramm-Leach-Bliley Act of 1999 (GLBA)
Securities and Exchange Commission (SEC) compliance issues (Rule 17a-4)
NASD
Sarbanes-Oxley Act
USA PATRIOT Act
HIPAA Privacy
HIPAA Security
FDA Electronic Records/Electronic Signatures (ERES, 21 CFR Part 11)
Mental Hygiene Law Sec. 33.13

And: Computer Security Act, NIST

And . . . there are MORE

Page 14: Build Them Secure – or Suffer

Probably one of the most important aspects (the FIRST) of technical security is how systems are built:

Have an agreed baseline build for all systems, including workstations, mobiles (laptops etc.), servers, and any other device that serves a production environment – you also need to consider phones and PDAs

Remember – out of the box does not necessarily mean secure

If you outsource, or use third-party service providers – don’t forget this may also apply to them

This is something old, but it still gets missed

Page 15: Alerting – Key Stuff

High importance should be placed on obtaining early reports of vulnerability alerts – if not in place, how do you know what you are at risk from?

Don’t forget this is equally important for any systems outside the perimeter of the organisation – home users and, say, outsourced systems/applications can also carry insecurities and vulnerabilities – so make sure you encompass them in the plan

Out of sight/site should not be out of mind

Page 16: Patch and Fix – or Die

Closely following alerting – patch and fix

Lots to consider here – the most important aspect is to stay connected to those security alerts

This is as important as deploying anti-virus signatures – yet it still seems to take a back seat
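The alerting and patch-and-fix slides boil down to one question: for each alert that arrives, which of your systems are actually affected and still unpatched, including the home-user and outsourced boxes outside the perimeter? The Python below is an added example written for this page, not code from the talk or from any product. Its inventory, advisory feed, product names, version numbers and patch identifiers (`ExampleHTTPd`, `EX-2005-001` and so on) are constructed placeholders; the check itself (compare versions numerically, treat an installed fixing hotfix as closing the hole, list remotely exploitable findings first) is general.

```python
"""Which systems does a new vulnerability alert expose, and where is the fix
still outstanding?

Added example for this page, not code from the talk or from any product.
Inventory, advisory feed, product names, versions and patch identifiers are
constructed placeholders.
"""
from dataclasses import dataclass, field


def parse_version(text):
    """'4.10.0' -> (4, 10, 0): compare versions numerically, not as strings
    (as strings, '4.10.0' sorts before '4.9.0')."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Host:
    name: str
    owner: str                      # "internal", "home-user", "outsourcer"
    software: dict                  # product -> installed version string
    patches: frozenset = field(default_factory=frozenset)


@dataclass
class Advisory:
    ident: str                      # hypothetical identifier
    product: str
    fixed_in: str                   # versions below this are vulnerable
    fix_patch: str                  # hotfix that closes the hole on older releases
    remote: bool                    # remotely exploitable?


def exposed_hosts(hosts, advisories):
    """Return (advisory id, host name, owner) for every host that runs an
    affected version and has not installed the fixing patch.  Remotely
    exploitable findings come first, then alphabetical by host."""
    findings = []
    for adv in advisories:
        threshold = parse_version(adv.fixed_in)
        for host in hosts:
            installed = host.software.get(adv.product)
            if installed is None:
                continue                          # product not present
            if parse_version(installed) >= threshold:
                continue                          # already on a fixed release
            if adv.fix_patch in host.patches:
                continue                          # hole closed by the hotfix
            findings.append((adv.ident, host.name, host.owner, adv.remote))
    findings.sort(key=lambda f: (not f[3], f[1], f[0]))
    return [(ident, name, owner) for ident, name, owner, _ in findings]


# Constructed inventory: an internal server, a home worker's laptop and an
# outsourcer-managed database box (the "out of sight" systems the slide warns about).
HOSTS = [
    Host("srv-web-01", "internal",
         {"ExampleHTTPd": "2.0.52", "ExampleMailRelay": "3.1.0"},
         frozenset({"EX-2005-001"})),
    Host("lap-home-07", "home-user", {"ExampleHTTPd": "2.0.49"}),
    Host("osp-db-03", "outsourcer",
         {"ExampleMailRelay": "3.0.9", "ExampleDB": "9.0.4"}),
]

# Constructed advisory feed (hypothetical identifiers, not real advisories).
ADVISORIES = [
    Advisory("EX-2005-001", "ExampleHTTPd", fixed_in="2.0.53",
             fix_patch="EX-2005-001", remote=True),
    Advisory("EX-2005-002", "ExampleMailRelay", fixed_in="3.1.0",
             fix_patch="EX-2005-002", remote=True),
    Advisory("EX-2005-003", "ExampleDB", fixed_in="9.1.0",
             fix_patch="EX-2005-003", remote=False),
]

if __name__ == "__main__":
    for ident, name, owner in exposed_hosts(HOSTS, ADVISORIES):
        print(f"{ident}: {name} ({owner}) still exposed")
```

Comparing versions as strings is the classic mistake here ('4.10' sorts before '4.9'); the tuple comparison avoids it. Real feeds describe affected ranges in several ways; this example assumes a single 'fixed in' threshold per advisory plus an optional hotfix for older releases, which is enough to show why the internal server with the hotfix drops out of the list while the home laptop and the outsourcer's box stay on it.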

Page 17: It Don’t Have to be Expensive

It is not always necessary to spend large sums to achieve operational security – consider:

What do you own – already?

What can you leverage from the O/S and applications?

LOW cost, HIGH functionality

However, if you have a financial pot with no bottom, please feel free to discount these ideas

Page 18: It Don’t Have to be Expensive (What you can Leverage)

1. SNORT: good IDS, very effective (use the rule language)

2. Office 2003: document security

3. AP logging: review the logs on a regular basis

4. Vulnerability alerts: there are many good free ones (take a look at OSVDB)

5. Use free encryption: use NTFS on NT, 2000 and XP – better than nothing, though NTFS on its own only gives you file permissions (EFS, from Windows 2000 onwards, gives the encryption)

6. WiFi – WEP: not great, but better than nothing (its RC4 key-scheduling weakness has been publicly exploitable since 2001, so treat it as a speed bump, not a control)

7. O/S options: Eventtriggers (Win2k, XP, 2003)

Page 19: It Don’t Have to be Expensive (SpyWare)

Anti-spyware is no longer to be considered a nice-to-have, but is A MUST. MS have produced a very functional tool.

Here in its beta release (screenshot not reproduced in the transcript)

Page 20: It Don’t Have to be Expensive (Log Analysis)

Sawmill – LOW cost, HIGH functionality

Drill down (screenshot not reproduced in the transcript)
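The alert line quoted on page 10 and the "drill down" on this slide are two halves of the same job: the scanner tells you a file was caught, and the review tells you whether it came in through the browser cache, whether it was actually removed, and which hosts and users keep turning up. The Python below is an added example written for this page, not code from the talk, from Sawmill or from McAfee; it parses lines of the same shape as the page 10 alert. The sample alerts, host names (`PC0100001` and so on), IP addresses, user names, paths and the detection names `Example-Nasty.gen` and `Example-Dropper.a` are all constructed for illustration.

```python
"""Drill-down over anti-virus alert lines of the shape quoted on the
'Hidden Content' slide.

Added example for this page, not code from the talk or from any vendor.
All sample alerts, hosts, addresses, users, paths and detection names are
constructed placeholders.
"""
import re
from collections import Counter

# Shape of the slide's alert: path, detection, action taken, then
# "(from <host> IP <ip> user <user> running <product>)".
ALERT_RE = re.compile(
    r"The file (?P<path>.+?) is infected with (?P<detection>\S+) - "
    r"(?P<kind>[^,]+), Detected with Scan Engine (?P<engine>\S+) "
    r"DAT version (?P<dat>\S+)\. The file was (?P<action>[^.]+)\. "
    r"\(from (?P<host>\S+) IP (?P<ip>\S+) user (?P<user>\S+) "
    r"running (?P<product>.+?)\)"
)

# Browser cache location on Windows XP, as in the slide's path: a detection
# here means the content arrived just by viewing a page, not by a download.
CACHE_MARKER = "\\temporary internet files\\"


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["from_cache"] = CACHE_MARKER in rec["path"].lower()
    rec["removed"] = rec["action"].lower().startswith("successfully")
    return rec


def drill_down(lines, repeat_threshold=2):
    """Aggregate alerts the way a reviewer would: how many came in through the
    browser cache, which the scanner failed to remove, which hosts keep
    re-infecting and which users generate most alerts.  Lines that do not
    parse are counted, not silently dropped."""
    parsed = [(line, parse_alert(line)) for line in lines]
    records = [rec for _, rec in parsed if rec]
    by_host = Counter(rec["host"] for rec in records)
    by_user = Counter(rec["user"] for rec in records)
    return {
        "alerts": len(records),
        "unparsed": sum(1 for _, rec in parsed if rec is None),
        "from_cache": sum(1 for rec in records if rec["from_cache"]),
        "not_removed": [(rec["host"], rec["path"]) for rec in records if not rec["removed"]],
        "repeat_hosts": sorted(h for h, n in by_host.items() if n >= repeat_threshold),
        "top_users": by_user.most_common(3),
    }


def _alert(path, detection, action, host, ip, user):
    """Build one constructed alert line in the slide's format."""
    return (f"The file {path} is infected with {detection} - Known Virus, "
            f"Detected with Scan Engine 4.4.00 DAT version 4.0.4422. "
            f"The file was {action}. (from {host} IP {ip} user {user} "
            f"running VirusScan 4.5.1 SP1 OAS)")


CACHE = r"C:\Documents and Settings\{u}\Local Settings\Temporary Internet Files\Content.IE5"

# Constructed sample: two cache hits on one box, one file the scanner could
# not remove, one hit on a share, and one non-alert line from the same log.
SAMPLE_ALERTS = [
    _alert(CACHE.format(u="jsmith") + r"\A1B2C3D4\banner[1].jpg", "Example-Nasty.gen",
           "successfully deleted", "PC0100001", "10.0.0.11", "jsmith"),
    _alert(CACHE.format(u="jsmith") + r"\E5F6A7B8\promo[1].gif", "Example-Nasty.gen",
           "successfully deleted", "PC0100001", "10.0.0.11", "jsmith"),
    _alert(r"C:\Documents and Settings\amiller\My Documents\setup.exe", "Example-Dropper.a",
           "not deleted", "PC0100002", "10.0.0.12", "amiller"),
    _alert(r"D:\share\tools\keygen.exe", "Example-Dropper.a",
           "successfully deleted", "PC0100003", "10.0.0.13", "jsmith"),
    "Jan 27 09:12:01 PC0100004 scanner: engine started",
]

if __name__ == "__main__":
    for key, value in drill_down(SAMPLE_ALERTS).items():
        print(f"{key}: {value}")
```

A line the regex does not match is counted rather than dropped: a scanner that changes its message format after an upgrade otherwise disappears silently from the report, and "no alerts" starts to look like "no infections". The repeat-host and not-removed lists are the ones worth a visit in person; they are the slide's point that having AV in place does not mean you are infection free.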

Page 21: Security Testing – Who, When, Why

It is essential that in any project or application lifecycle the element of security is both acknowledged and addressed (for the ex-Government people in the audience – remember Memorandum No. 10)

For HIGH assurance this should be done:

• During development phases

• Post deployment

• After any change has been applied

• Periodically

When conducting testing, for best effect and value, use a known methodology such as OWASP

Page 22: Policy and Governance has its Place . . . BUT

• Security policies are very important to underpin the security mission of any business – they are the rules that all should abide by – and if not, there will/may be consequences. However, remember:

• Security policies are passive – just because you have one does not make you secure – so don’t fool yourself

• They underpin the day-to-day operations and practices; however, in an operational sense they have no real value.

• They do not proactively prevent an insecurity occurring, they only state the rules – they will not tell you when things go wrong, but they may be used after the fact.

Governance should help the business, not grind it to a halt

Page 23: What Next – What can help

MSc in Information Security – Fred Piper – Royal Holloway

IISP – Institute of Information Security Professionals – Jan 2006

CISM – Certified Information Security Manager

CISSP – Certified Information Systems Security Professional

BCS membership – professional development (is key)

Read, read, and . . . read – it is a fast-moving area – to keep up

Page 24: Future of IT Security

Drivers are high – it is now a main board topic, and key to the business

Personal opinion – I feel it will become a main board position

The area of expertise will grow – it needs technical underpinning

I believe that it is a science (a mix of psychology and technology)

It is a challenge – can be pressured – has an element of ‘the buck stops here’ – but is also rewarding and enjoyable

One quality required: ‘decision makers are key’

Page 25: Outsourcing

Let's talk:

Security
Challenges
Leverage
Mapping process and procedure
Are they IN or OUT?
Skills
Value
Risk assessments – post not pre
Contracts and SLAs
Team work
Compliance and governance

Page 26: Outsourcing – Security

Outsourcing is now on the up, and many organisations have entered into contracts – but the security model needs to be considered!

• Any pre-deployment risk assessments need to take into account not what is today, but what will be tomorrow

• How do the pre- and post-deployment perimeters compare – has the company's boundary of operations moved?

• Where do you deploy your security defences? (dependent on the aforementioned factors)

• Do your policies and baselines work – are minimum controls achievable, and maintained?

Page 27: Brief Q&A

Questions