General Security Guidelines Best Practices for Everyone Presented at: Nextbridge LHR C1 June 1, 2012


Page 1: General Security Guidelines

General Security Guidelines

Best Practices for Everyone

Presented at: Nextbridge LHR C1, June 1, 2012

Page 2: General Security Guidelines

Topics we will cover in this presentation

• What is Information
• What is Information Security
• What is Risk
• Corporate Security
• How we are linked with Corporate Security
• User Responsibilities
• Web Application Vulnerabilities (Case Study)
• Questions

Page 3: General Security Guidelines

WHO IS AT THE CENTRE OF SECURITY?

U-R (you are)

Page 4: General Security Guidelines

What is Information?

Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected

Page 5: General Security Guidelines

Information can be

• Created
• Stored
• Destroyed
• Processed
• Transmitted
• Used/Misused
• Corrupted
• Lost
• Stolen

Page 6: General Security Guidelines

Information can be…

• Printed or written on paper
• Stored electronically
• Transmitted by post or using electronic means
• Shown on corporate videos

Page 7: General Security Guidelines

What is Information Security?

?

Page 8: General Security Guidelines

What is Information Security?

The quality or state of being secure: to be free from danger

Security is recognized as essential to protect vital processes and the systems that provide those processes

Security is not something you buy, it is something you do

Page 9: General Security Guidelines

Business survival depends upon Information Security

What Information Security does

• Protects information from a range of threats
• Ensures business continuity
• Minimizes financial loss
• Optimizes return on investments
• Increases business opportunities

Page 10: General Security Guidelines

What is Risk?

Risk

• A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset

Threat

• Something that can potentially cause damage to the organization, IT Systems or network

Vulnerability

• A weakness in the organization, IT Systems, or network that can be exploited by a threat

Page 11: General Security Guidelines

• High User Knowledge of IT Systems
• Theft, Sabotage, Misuse
• Virus Attacks
• Systems & Network Failure
• Lack of Documentation
• Lapse in Physical Security
• Doing without Knowing

Page 12: General Security Guidelines

Sources…!

Source | Motivation | Threat
External Hackers | Challenge, Ego, Game Playing | System hacking, Social engineering, Dumpster diving
Internal Hackers | Deadline, Financial problems, Disenchantment | Backdoors, Fraud, Poor documentation
Terrorist | Revenge, Political | System attacks, Social engineering, Letter bombs, Viruses, Denial of service
Poorly trained employees | Unintentional errors, Programming errors, Data entry errors | Corruption of data, Malicious code introduction, System bugs, Unauthorized access

Page 13: General Security Guidelines

Corporate Security

Page 14: General Security Guidelines

Corporate Security is the responsibility of everyone

Corporate Security

• Policy
• People
• Risk Management
• Legalization
• Compliance
• Technology

Page 15: General Security Guidelines

User Responsibilities

Good Practices

• Follow Security Procedures
• Wear Identity Cards and Badges
• Ask unauthorized visitors for their credentials
• Attend visitors in the Reception and Conference Room only

Avoid these

• Bringing visitors into the operations area without prior permission
• Bringing hazardous and combustible material into a secure area
• Practicing "Piggybacking" (following someone through a controlled door without presenting your own credentials)
• Bringing and using pen drives, zip drives, iPods or other storage devices unless authorized to do so

Page 16: General Security Guidelines

User Responsibilities

Good Practices

• Always use a password of at least 8 characters with a combination of letters, numbers and special characters (*, %, @, #, $, ^)
• Use passwords that you can easily remember
• Change your password regularly
• Use a password that is significantly different from your earlier passwords

Avoid these

• Using passwords that reveal your personal information or words found in a dictionary
• Writing down or storing passwords
• Sharing passwords over phone or E-mail
• Using passwords that do not match the complexity criteria above

Page 17: General Security Guidelines

User Responsibilities

Good Practices

• Use internet services for business purposes only

Avoid these

• Do not access the internet through dial-up connectivity
• Do not use the internet for viewing, storing or transmitting obscene or pornographic material
• Do not use the internet for accessing auction sites
• Do not use the internet for hacking other computer systems
• Do not use the internet to download / upload commercial software / copyrighted material

Page 18: General Security Guidelines

User Responsibilities

Good Practices

• Use official mail for business purposes only
• Follow the mail storage guidelines to avoid blocking of E-mails
• If you come across any junk / spam mail, do the following:
  • Remove the mail
  • Inform the security help desk
  • Inform the server administrator
  • Inform the sender that such mails are undesired

Avoid these

• Do not use your official ID for any personal subscription purpose
• Do not send unsolicited mails of any type, such as chain letters or E-mail hoaxes
• Do not send mails to clients unless you are authorized to do so
• Do not post non-business-related information to a large number of users
• Do not open a mail or attachment that is suspected to contain a virus or that was received from an unidentified sender

Page 19: General Security Guidelines

Report Security Incidents (IT and Non-IT) to the Helpdesk through

• E-mail to [email protected]
• Telephone: Ext#611
• Reporting through the helpdesk system @ http://mis.vteamslabs.com

e.g. IT Incidents: Mail spamming, Virus attack, Hacking, etc. Non-IT Incidents: Unsupervised visitor movement, Information leakage, Bringing unauthorized media

• Do not discuss security incidents with anyone outside the organization
• Do not attempt to interfere with, obstruct or prevent anyone from reporting incidents

Page 20: General Security Guidelines

A Human Wall is better than a Firewall

Let's build a human wall around our firewall

Page 21: General Security Guidelines

Best Practices

• Ensure your Desktops have the latest antivirus updates
• Ensure your system is locked when you are away
• Always store laptops / media in a lockable place
• Be alert while working on laptops during travel
• Download data from known and trusted websites only
• Do not use inline attachment reading in your email clients
• Do not click any URL not known to you
• Ensure sensitive business information is under lock and key when unattended
• Ensure back-up of sensitive and critical information assets
• Verify credentials if a message is received from an unknown sender
• Always switch off your computer before leaving for the day
• Keep yourself updated on information security aspects

Page 22: General Security Guidelines

Do not let this Happen

Page 23: General Security Guidelines

Web Application Vulnerabilities

No language can prevent insecure code, although there are language features which could aid or hinder a security-conscious developer

Page 24: General Security Guidelines

Five Evil Sisters

• Remote code execution
• SQL injection
• Format string vulnerabilities
• Cross Site Scripting (XSS)
• Username enumeration

Page 25: General Security Guidelines

Web Application Vulnerabilities

Remote Code Execution

This vulnerability allows an attacker to run arbitrary, system-level code on the vulnerable server and retrieve any desired information contained therein. Improper coding errors lead to this vulnerability. At times it is difficult to discover this vulnerability during penetration testing assignments, but such problems are often revealed while doing a source code review. When testing Web applications it is important to remember that exploitation of this vulnerability can lead to total system compromise with the same rights as the Web server itself.

Rating: Highly Critical

Page 26: General Security Guidelines

SQL Injection

SQL injection is a very old approach, but it is still popular among attackers. This technique allows an attacker to retrieve crucial information from a Web server's database. Depending on the application's security measures, the impact of this attack can vary from basic information disclosure to remote code execution and total system compromise.

Rating: Highly Critical
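The root cause the slide describes is user input being spliced into the text of a query. The following added example (not part of the original presentation) uses a constructed in-memory SQLite table to contrast a string-built query with a parameterised one: for an ordinary name both behave identically, which is why the bug goes unnoticed, but a name containing a quote already changes the structure of the string-built statement, while the parameterised statement treats it purely as data.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample table with two made-up accounts (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "staff"), ("O'Brien", "admin")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Query text assembled from user input: the input becomes part of the SQL
    grammar, so any input shaped like SQL changes what the statement does.
    Kept only for contrast with lookup_safe."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the value travels separately from the statement,
    so the input can never alter the query structure."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def vulnerable_query_breaks(conn: sqlite3.Connection, username: str) -> bool:
    """Review check: does this input change the syntax of the string-built
    query? A syntax error here is the visible symptom of the injection bug."""
    try:
        lookup_vulnerable(conn, username)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, "alice"), lookup_safe(db, "alice"))
    print(vulnerable_query_breaks(db, "O'Brien"), lookup_safe(db, "O'Brien"))
```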

Page 27: General Security Guidelines

Format String Vulnerability

This vulnerability results from the use of unfiltered user input as the format string parameter in certain Perl or C functions that perform formatting, such as C's printf().

A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory.

Format string vulnerability attacks fall into three general categories: denial of service, reading and writing.

Rating: Highly Critical

Page 28: General Security Guidelines

Cross Site Scripting

The success of this attack requires the victim to visit a malicious URL, crafted so that it appears legitimate at first look.

When the victim visits such a crafted URL, the attacker can effectively execute something malicious in the victim's browser. Some malicious JavaScript, for example, will run in the context of the web site that has the XSS bug.

Rating: Highly Critical

Page 29: General Security Guidelines

Username Enumeration

Username enumeration is a type of attack where the backend validation script tells the attacker whether the supplied username is correct or not. Exploiting this vulnerability lets the attacker try different usernames and determine which ones are valid from the differing error messages.

Rating: Critical
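As an added illustration (not code from the presentation), the login handler below is written twice: once with the distinct "unknown username" / "incorrect password" replies the slide warns about, and once returning a single generic failure message while doing the same password-hashing work for unknown users, so neither the message text nor the response time reveals which names exist. The credential store, salt and passwords are constructed sample values.

```python
import hashlib
import hmac


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 password hash (iteration count kept modest for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


_SALT = b"constructed-sample-salt"
# Constructed credential store: username -> (salt, stored hash). Not real accounts.
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Dummy record used for unknown usernames so the hashing work is always done.
_DUMMY = (_SALT, _hash("not-a-real-password", _SALT))


def login_leaky(username: str, password: str) -> str:
    """Different replies for a missing user and a wrong password let a caller
    confirm which usernames exist. Kept only for contrast with login_uniform."""
    record = USERS.get(username)
    if record is None:
        return "Unknown username"
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Incorrect password"
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """One message for every failure, and the same hashing work whether or not
    the user exists, so neither the text nor the timing reveals valid names."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    # The membership check stops the dummy record from ever granting access.
    if ok and username in USERS:
        return "OK"
    return "Invalid username or password"


def responses_distinguish_users(login) -> bool:
    """Review check: does a wrong password for a real user yield a different
    reply than the same password for a made-up user? True means enumerable."""
    return login("alice", "wrong") != login("nobody", "wrong")


if __name__ == "__main__":
    print("leaky enumerable:", responses_distinguish_users(login_leaky))
    print("uniform enumerable:", responses_distinguish_users(login_uniform))
```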

Page 30: General Security Guidelines

Case Study

In this slide, we will cover the following about the subject:

• What is it about?
• Background of the happening
• Refer to PDF Reports
• Conclusions

Page 31: General Security Guidelines

Now it's your turn to speak

Page 32: General Security Guidelines

GENERAL SECURITY GUIDELINES
Best Practices for Everyone

Designed & Presented by: Abdul Rehman, Senior System Administrator

Presented at: Nextbridge LHR C1, May 17, 2012