Security For Free
- 1. Improving Your Security…For FREE Stephen Marchewitz CSO SecureState The CIO Circle July 8, 2009 1
- 2. What’s the catch? Sorry, you’re going to have to Think…. ―Thinking is the hardest work there is…that’s why so few people do it. ― – Henry Ford …And Do… ―The only place where success comes before work is in the dictionary.‖ –Donald Kendall Copyright 2009 SecureState 2
- 3. About me Stephen Marchewitz – B.A. The University of Michigan Business Communications and Statistics – M.B.A. Case Western Reserve University Management Information Systems and Finance – Ten+ years experience and progressive responsibility in multiple facets of information systems with specific expertise in information assurance – SecureState LLC, CSO, 4 Years – Past Experience • Oracle Corporation, Security Service Manager • Computer Associates Inc., Senior Security Consultant • Ernst & Young, LLP, Management Consultant Copyright 2009 SecureState 3
- 4. SecureState Overview • Ohio Based Company CISSP – Certified Information Systems Security – Founded 2001 CISM – Certified Information Security Manager CISA – Certified Information Systems Auditor QDSP – Qualified Data Security Professional • 40 Security Professionals GSEC – SANS GIAC Security Essentials NSA INFOSEC Assessment Methodology (IAM) Forensics – NTI, EnCase • Information Assurance & ANSI X9/TG-3 Protection • Audit and business background (Big X) • Experts in ethical hacking across many specialized areas Copyright 2009 SecureState 4
- 5. SecureState Overview Audit and Compliance • PCI (Payment Card Industry) • ISO 27001/SAS 70 • SOX, GLBA etc. • TG-3, NERC/CIP • INFOSEC (Information System Security Risk Assessment) Profiling and Attack • Web Application Security (WAS) • Attack and Penetration Services (internal, external, client, physical, wireless) • Wireless Audits • Architecture Reviews • Zero-Day Research • Training Risk Management • Security Program Manager (SPM) • StateScan • SecureTime • Virtual Compliance Officer (VCO) Forensic Technology Solutions • Data Forensics/Incident Response • Reverse Engineering • Expert Testimony Copyright 2009 SecureState 5
- 6. We have no budget! – Get them to care • FUD – Fear, Uncertainty and Doubt only works a little bit and I never (rarely) use it. • That said, never underestimate the power of a good ―breach‖ story. • Find a compelling event • Use assessments and testing • Get someone outside your organization to say the same thing you say to your execs…they’ll be more likely to listen • Learn to love to say the same thing over…and over…and over… and over... Copyright 2009 SecureState 6
- 7. Get it done through Regulations • By the way Mr. CEO, we’re not PCI compliant • You do know that if there is a breach, our state has data breach disclosure laws • SOX and the SAS now state that audit firms must sign off on the security of the systems • We don’t have to be compliant, but our customer is saying we do Copyright 2009 SecureState 7
- 8. Get the Bullies on your side • Work with Audit • Learn what they’re trying to achieve • You will never be good enough • Report, report, report • Do you know what the problems are? • Do you have a plan to fix them? Copyright 2009 SecureState 8
- 9. Don’t Hold Risk • You don’t get paid enough to hold the risk of the organization • Offload it to the board and/or other executive management, i.e. let them sign off • Your job is to: – Identify risk (through assessments) – Recommend remediation – Provide assistance in remediation management Copyright 2009 SecureState 9 9
- 10. Make Risk Reduction Simple Copyright 2009 SecureState 10
- 11. Assess. Build. Rinse. Repeat. Assessments (checks) are the best route to understand the current state of your program Assessments ―get the wheel turning‖ You don’t/can’t know what you’re doing in security if you’re not checking first. You can enhance your credibility by putting it into terms the business can understand 11 11
- 12. Get advice Copyright 2009 SecureState 12
- 13. Refer to a Framework NIST – www.csrc.nist.gov/publications/PubsSPs.html Special Publications in the 800 series present documents of general interest to the computer security community NIST 800-53 Security Controls for Federal Information Systems and Organizations ISO 27000 – http://www.standardsdirect.org/iso17799.htm ($1100) THE ISO 27001 and ISO 27002 TOOLKIT Copyright 2009 SecureState 13
- 14. Inventory and Classify your Assets • Do you know everything you have? • Have you assigned a value to your assets? • There is a reason you don’t have an armed guard covering petty cash • Make sure the level of protection is commensurate with the value Copyright 2009 SecureState 14
- 15. Simulate a breach, incident, or disaster • Set up a meeting with all parties involved to pretend we’ve just had a Breach (or Disaster) – Who needs to be in there? – What needs to happen? – Worst case – What do we have to do to facilitate a forensic investigation? • Logging • Data flows • Network Diagrams • Monitoring Copyright 2009 SecureState 15
- 16. Question Products • Companies are always looking to slam a $40k appliance in to solve the world for them. Unfortunately this doesn’t work. • Detecting viruses, malware, and threats goes into a formalized security program that is constantly tested. Penetration tests are excellent methods in identifying deficiencies within the current security program. Copyright 2009 SecureState 16
- 17. A product example – reshifting budget to get more Antivirus: Anti-virus is typically thought of as a first line of defense for detecting a potential outbreak, malware, or viruses. Anti-virus companies market that they are the end-all-be-all and can catch anything out there. It’s estimated that 70% of all malware is currently NOT being detected by anti-virus. The truth: No longer a defensible position against attackers. There are now products that combine zero-update attack protection, data loss prevention, and signature-based antivirus, reducing cost (upkeep, etc.) and increasing effectiveness. Copyright 2009 SecureState 17
- 18. Check out Great Sources CIS Benchmarks – The CIS Benchmarks are the consensus best practice security configuration standards both developed and accepted by government, business, industry, and academia (http://www.cisecurity.org/benchmarks.html) Payment Card Industry (PCI) Data Security Standard – Free audit standards https://www.pcisecuritystandards.org/ OWASP – Open Web Application Security Standard www.owasp.org The defacto standard for Web Application Security ―Information Security Policies Made Easy‖ – Policy book by Charles Cresson Woods ($800) Copyright 2009 SecureState 18
- 19. Build Awareness • Build awareness programs, consistency, ease, available, etc. • However the main message is: ―Don’t be stupid!‖ • Social Engineering – Have someone from another office, (or your nephew, grandma, buddy, etc.) try to social engineer your company – Tell everyone the stories (e-mail, new hire training, etc.) Copyright 2009 SecureState 19
- 20. Free but… • Utilize free tools if you have to • Some exceptions, but generally it makes more sense to just get someone else to do it Copyright 2009 SecureState 20
- 21. Utilize Free Tools MBSA (Microsoft Baseline Security Advisor): Helps Windows systems users answer the eternal question: How safe it my IT infrastructure? The advisor checks systems for common misconfigurations and missing security updates, then makes recommendations for improving safeguards in accordance with Microsoft security standards. Nessus: This product is considered to be one of the best vulnerability scanners available at any price — and it happens to be free. The tool explores and maps network systems for potential weaknesses that could provide an open door to attackers. The Nessus client is compatible with all Linux/Unix systems. There's also a Win32 GUI client that works with any version of Windows. AVG Anti-Virus Free Edition: Grisoft's AVG Anti-Virus Free Edition, compatible with Microsoft Outlook and Eudora, quarantines suspected virus-infected emails and scans all email traffic over POP3 and SMTP protocols. Ad-Aware Free: This no-cost program scans computers for hidden parasites — including Trojan horses, worms and spyware — and removes them permanently. Ad-Aware Free is perhaps the most popular free security tool in Internet history, with publisher Lavasoft reporting more than 250 million downloads so far. Wireshark: An open-source packet sniffer, Wireshark Network Protocol Analyzer supports network troubleshooting, analysis, software and protocol development. The tool is compatible with popular computing platforms, including Windows, Unix and Linux. *courtesy (mostly from) itsecurity.com Copyright 2009 SecureState 21
- 22. Utilize Free Tools Aircrack-NG: The aircrack-ng suite is an all-encompassing wireless exploitation framework that allows you to identify potential security flaws within your wireless environments. It also helps you detect rogue access points, and test your overall security implementations. MailWasher: Are you sick of spam clogging your employees' mailboxes? POP3-compatible MailWasher promises to filter and block spam messages while allowing legitimate email to pass through unimpeded. And it won't cost you a nickel. Karen's Replicator: Since even the most security-conscious business will need to restore data at some point, frequent and comprehensive backups are a vital part of any security strategy. Karen's Replicator can copy files and folders to a backup storage device on either a manual or scheduled basis. The program can also distribute files across a network and automatically restore damaged or changed files on a Web server. Snort: An open-source network IPS (Intrusion Detection and Prevention System), Snort is a protocol analyzer that enables users to passively detect or actively block various kinds of probes and attacks. The software's detection capabilities include stealth port scans, operating-system fingerprinting attempts, buffer overflows and application attacks. GnuPG (Gnu Privacy Guard): This family of open-source encryption products is developed under the auspices of the Free Software Foundation's software project. GnuPG can be combined with front ends that supply compatibility with virtually any operating system — past or present. Copyright 2009 SecureState 22
- 23. Utilize Free Hacker Tools • Back|Track Live Security Distribution – Back|Track is the number one security distribution. – Place CD in computer, reboot, full-fledged hacker environment with the latest and greatest hacker tools. Copyright 2009 SecureState 23
- 24. Utilize Open-Source Tools • Fast-Track – Exploitation framework created by David Kennedy at SecureState – Used to effectively test security and exploit vulnerabilities • Metasploit – Most popular open-source exploitation framework Copyright 2009 SecureState 24
- 25. Utilize Free Forensic Tools • DEFT (acronym for Digital Evidence & Forensic Toolkit) is a Xubuntu Linux-based Computer Forensics live CD. – It is designed to meet police, investigators, system administrator and Computer Forensics specialist’s needs – http://www.deftlinux.net/ Copyright 2009 SecureState 25
- 26. Utilize Free Forensic Tools • Helix3 Live CD – http://www.e-fense.com/helix3-download.php – Contains multiple open source forensic tools Copyright 2009 SecureState 26
- 27. Utilize Free Forensic Tools • Forensic Live CD – http://www.forensiclivecd.com Copyright 2009 SecureState 27
- 28. Summary of biggest mistakes we see In general, organizations don’t do enough of the following: • Relay risk to upper management • Ask for help on things they have no idea about • Assess • Build consistent, repeatable processes • Take the time to think it through Copyright 2009 SecureState 28
- 29. Thank you! ―Never sacrifice opportunity for security!‖ Questions? Copyright 2009 SecureState 29