Page 1: Cyber Criminal Methods & Prevention Techniques

By Larry.Boettger@Berbee.com and Matt.Jach@Berbee.com

Page 2: Meeting Agenda

• Trends
• Attacker Motives and Methods
• Areas of Concern
• Typical Assessment Findings
• ISO-17799 & NIST
• Typical Remediation Costs

Page 3: FBI / CSI Statistics

Every Year Dollars are Lost due to Cyber Criminal Activity

Greatest Loss = Proprietary Information

Second Greatest Loss = Denial of Service

Page 4: Elements to Protect

[Diagram: Security, with the three elements to protect: Confidentiality, Integrity and Availability]

Page 5: Everything is a Target

[Diagram: defense-in-depth layers, from the public side of the perimeter to the private internal network, with the security services that apply at each layer]

• Perimeter: Vulnerability Assessments, Firewalls & Proxies, Intrusion Detection, VPN Remote Access
• Internal Network: Vulnerability Assessments, Intrusion Detection, Wireless Design Consulting, Intrusion Prevention, Authentication & Authorization
• Server: Vulnerability Assessments, Intrusion Prevention, Patch Management, Anti-Virus & Anti-SPAM, Mobile Client Security, Server Hardening, Authentication & Authorization
• Application: Vulnerability Assessments, Code Reviews, Application Hardening
• Data: Authentication Management, Identity Management, Data Privacy
• Policies, Procedures & Awareness: Policy Assessments, Operational Framework Consulting, Training & Consulting
• Security Management: Centralized Tool Integration, Centralized Monitoring

Page 6: Cyber Criminals' Motives

• Financial Rewards
• Politics
• Show Off
• Personal Gratification
• They know they can

Page 7: Intruder Methods

• Web Site Research
• User Groups
• Email Staff
• Call Modems
• Read Trash
• Impersonate Someone You Trust
• Scan Your Systems
• War Drive Your Wireless

Page 8: Intruder Methods Cont.

• Use Known and Unknown Exploits
• Viruses, Trojans & Worms
• Phishing
• Attack Partner Networks to Gain Access to Yours
• Sniff Your Traffic
• Brute Force Passwords
• Spam You
• Denial of Service

Page 9: Most Common Items to Protect

• Intellectual Property
• Customers' and Staff's Privacy
• Confidential Data
• System Availability
• Reputation
• Regulatory Challenges

Page 10: Assessment Benefits

• Roadmap
• Establishes Baseline
• Strengthens Security
• Provides Due Diligence
• Efficient Formal Audits
• Finds the Weak Areas

Page 11: How To Identify and Prioritize Risk

Holistic Approach
• Comprehensive reviews (infrastructure, server, application, etc.)
• Based on Organizational Security Policy, and taking the full life cycle into account
• Consider people and processes, as well as technology

Sensible, accessible documentation
• Helpful to executive decision-makers: explanation of risk in business terms
• Helpful to managers: project plans, prioritization of tasks
• Helpful to technical staff: clear standards, specific recommendations

Threat Modeling
• Identifying assets
• Identifying threats
• Making qualitative (or quantitative) assessments of risk

Page 12: Top Ten Security Risks

1. Policies & Procedures
2. Security Awareness
3. Access and Authorization
4. Patch Management
5. Mis-Configured Systems & Applications
6. Encryption & Digital Signatures
7. Incident Handling Processes
8. Disaster Recovery & Business Continuity
9. Physical Safeguards
10. Intentional Bypassing of Security Controls

Page 13: Security Policies

Communicate Your Organization's Commitment to Security

Provide a Baseline and Roadmap for Security Controls

Demonstrate Due Diligence

All Pertinent Security Control Information Communicated

Realistic – Manageable

Enforceable

Page 14: Security Awareness

A well trained user will assist your security efforts

Time needs to be invested in user training

A well trained user usually requires less help desk support

Page 15: Access & Authorization

Weak Passwords

Sharing Accounts

Not Enforced

Easy to Exploit

Prevention
• Strong Security Policies
• Utilize OS Complex Password Configuration
• Implement Technical Authorization, Authentication and Accounting Mechanisms (AAA)
• Implement Two-Factor Authentication

Page 16: Patch Management

Hard to Manage

Less Window of Opportunity

Exploits are coming too fast

Can Break System

Require Resources

Prevention
• Strong Patch Management Mechanisms – Automate
• Add Intrusion Prevention Mechanisms

Page 17: Mis-Configured Systems

Ensure Only Needed, Up-to-Date Services Are Running

Strengthen SNMP Strings

Secure Wireless Networks

Remove Default Settings

Filter Outgoing Access at Firewall

Page 18: Encryption / Digital Signatures

Protects Against:

• Forging

• Impersonation/Spoofing

• Eavesdropping

• Intercepting

• Denial of Receipt or Sending (Non-Repudiation)

Page 19: Incident Handling Process

Intrusion Prevention/Detection

Anti-virus Mechanisms

Logging/Auditing

Strong Policies and Documentation

Page 20: Disaster Recovery & Business Continuity

Formal Plan

Prioritized Systems

Standard Backup Process

Tested Backups

Redundant Systems

Page 21: Physical Safeguards

Visitor Badges

Building & Data Center Access/Monitoring

Fire Prevention/Suppression & Detection

UPS Testing and Load

Page 22: Intentional By-Passing of Security Controls

Installing
• Modems
• Wireless Networks
• Gotomypc or other remote access items
• Unauthorized Software – Games, Screensavers, etc.

Prevention
• Strong Security Policies
• Centralized and Managed Intrusion Prevention Mechanisms
• Implement Network Admission Control

Page 23: Importance of NIST & ISO-17799

The National Institute of Standards & Technology (NIST) Is Referenced Throughout Most Regulations

Policies and Procedures Are Critical to NIST Best Practices

ISO-17799 is Industry Recognized Standard for Security

ISO-17799 Covers 10 Areas of Security

Each ISO-17799 Area Has Individual Security Items

If You Follow NIST and ISO-17799 You Would Have a Strong Security Posture and Should Pass Almost Every Audit

Combine NIST 800-26 Levels and ISO-17799

Page 24: ISO-17799 Covered Areas

1. Security Policies
2. Organizational Security
3. Asset Classification & Control
4. Personnel Security
5. Physical and Environmental Security
6. Communications & Operations Management
7. Access Control
8. System Development & Maintenance
9. Business Continuity Management
10. Compliance

Page 25: NIST Legend

Level 1 – control objective documented in a security policy

Level 2 – security controls documented as procedures

Level 3 – procedures have been implemented

Level 4 – procedures and security controls are tested and reviewed

Level 5 – procedures and security controls are fully integrated into a comprehensive program.

Page 26: ISO-17799 Graph Sample

[Chart: Business Continuity. Bar chart with a NIST Level axis from 0 to 6, comparing Actual Practice against Peer Comparison for five ISO-17799 items: Business Continuity Management Process; Business Continuity & Impact Analysis; Writing & Implementing Continuity Plan; Business Continuity Planning Framework; Testing, Maintaining & Reassessing BC Plan]

Page 27: Remediation Costs

It is important to budget for remediation

A security assessment without remediation efforts is a waste of time and money

Remediation usually involves resource time and product cost

It is important to budget for one-time and recurring costs

Page 28: Remediation – First Steps

Prioritize Risks and Remediation Steps

Align Business and IT Strategies

Establish Resources – Internal, External, Products

Establish Internal SLAs between IT and Business Units

Page 29: Internet Links & Question/Answers

Thank You

www.berbee.com www.cisco.com www.ibm.com www.microsoft.com www.rsa.com www.gocsi.com www.sans.org www.nist.gov