2010-06-08 NCHELP Preso

About Mark Lachniet
► Mark Lachniet, Security Engineer at CDW
► Current secretary of the Michigan High Tech Crime Investigator's Association (HTCIA)
► Licensed Private Investigator in the State of Michigan
► Numerous security and technology certifications:
» Certified Information Systems Security Professional (CISSP)
» Certified Information Systems Auditor (CISA)
» GIAC Certified Forensic Analyst Gold (GCFA)
► Work both in prevention (gap analysis, penetration testing projects) and in response (incident response and forensics)
CDW — Proprietary and Confidential. Copying Restricted. For internal use only.
Preventative Controls
► Have a formal I.T. Risk Management function:
» A group of people who are empowered, financed, and formally tasked with security, meet regularly, and maintain a task list of security needs, audit findings and projects
► Have an information classification and handling system:
» Identify what you have, and exactly how it must be handled (with an emphasis on identifying regulated data and their requirements)
» Do not trust interview-only inventories! Perform internal pentests to find the stuff nobody told you about
» Assignment: back at work, have your I.T. people run a keyword search of all user home directories looking for the words 'password' and 'SSN'. Review the results – what will the passwords get you into?
» Carefully control how data is transmitted and stored (encryption), how long it is retained (data retention laws), and how it is destroyed.
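The home-directory sweep from the assignment above, as an added example (not a script from the presentation): a POSIX shell function that greps a home-directory root for "password" and "SSN" and, going one step beyond the keyword search, for numbers shaped like a U.S. Social Security number. HOME_ROOT, the user names and the sample file contents are assumptions constructed for a dry run; point HOME_ROOT at the real home-directory root to use it.

```sh
#!/bin/sh
# Added example (not from the slides): sweep user home directories for the
# keywords "password" and "SSN", and additionally for SSN-shaped numbers
# (NNN-NN-NNNN). HOME_ROOT and the sample files below are assumptions.

# List files under $1 that contain "password" or "ssn" (case-insensitive),
# or a string shaped like a U.S. SSN. Binary files are skipped (-I) and each
# path is printed once. Permission errors are left on stderr on purpose:
# an unreadable home directory is itself something to follow up on.
sweep_homes() {
    root="$1"
    {
        grep -rilIE 'password|ssn' "$root" || :
        grep -rlIE '[0-9]{3}-[0-9]{2}-[0-9]{4}' "$root" || :
    } | sort -u
}

# Count the files flagged by sweep_homes.
count_hits() {
    sweep_homes "$1" | wc -l | tr -d ' '
}

# Build a small constructed set of home directories for a dry run.
make_sample_homes() {
    d=$(mktemp -d)
    mkdir -p "$d/alice" "$d/bob" "$d/carol"
    printf 'VPN notes\nPassword: hunter2\n'    > "$d/alice/notes.txt"
    printf 'name,ssn\nJ. Doe,123-45-6789\n'     > "$d/bob/applicants.csv"
    printf 'team meeting moved to 3pm\n'        > "$d/carol/todo.txt"
    echo "$d"
}

# Demo: sweep the constructed homes unless HOME_ROOT is set to a real root
# (e.g. /home, or a mounted user share). Review every hit by hand: what
# would each password open, and who can read that file?
HOME_ROOT=${HOME_ROOT:-$(make_sample_homes)}
echo "Files with likely credentials or SSNs under $HOME_ROOT:"
sweep_homes "$HOME_ROOT"
echo "Total: $(count_hits "$HOME_ROOT")"
```

The keyword pass will produce false positives (any word containing "ssn", password-policy documents and the like); the point is to read the hits, not to count them. The pattern pass catches the spreadsheets and exports that mention no keyword at all.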
Preventative Controls
► Maintain Incident Response Procedures
» Once you have a handle on what data you actually have, maintain a workable plan to respond to an incident that stakeholders are trained on
» Think beyond "oops letters" (breach notifications) and of issues like forensic preservation of evidence, how to limit the scope of a compromise, etc.
► Avoid administrative privileges:
» Do not let users have administrative access to systems unless it is absolutely necessary!
» Simply being logged in as a non-admin user can stop the majority of attacks from succeeding, because malware launched through the browser or an e-mail attachment runs with the privileges of the logged-in user
► Use strong passwords:
» Aside from the obvious complexity issue, use a password safe program with encryption rather than a Word or Excel file (whose document passwords can be trivially broken)
Preventative Controls
► Use Data Loss Prevention Systems
» Use an Internet gateway appliance to identify and stop leakage through the Internet (e-mail, FTP sites, IM software, unencrypted traffic)
» Use an internal discovery appliance to find sensitive data on unprotected file shares
» Use server and host based clients to identify and block data leaks and unknown attacks on user workstations
► Perform regular penetration tests
» This is more than just automated scans (Qualys, Nessus) and PCI compliance checks
» You need actual hands-on time from security engineers to find your REAL vulnerability to attack
» Should be done both internally (wireless, internal network, etc.) and externally (over the Internet)
Preventative Controls
► Manage the risks of partners
» Network connections such as full-time partner connections
» How data is shared and used (especially test data)
» Formulating security requirements into contracting and purchasing
» Requiring the use of Acceptable Use Policies, NDAs and other contractual methods
► Manage the risk of end users
» End-user browsing is probably the #1 source of security compromises
» Anti-virus alone is practically useless now; you need much, much more
» System patching (especially third party applications such as Adobe Acrobat and Flash) is critical
► Training and budget
» You cannot afford NOT to train your people!
» Focus more on training and less on products
Encourage Maturity In Operations
► In general, the more organized you are, the better your security will be, the less likely you are to suffer a breach, and the less expensive I.T. will be to the organization!
► Consider adopting the ITIL standards in areas such as documentation, change control, etc.
► Also formally define your security policies, expectations and procedures (e.g. server hardening, application development, database security, remote access, etc.)
► Consider the Capability Maturity Model – where are you on security?
Reactive Controls
► Discover the breach
» Many attacks go undiscovered – determine how YOU will discover yours: log review? Security products? News reports?
► Preserve evidence
» Make sure you don't mess up evidence by shoddy investigations
» Preserve log files in servers, network devices, ISPs, etc.
» Be aware of forensic best practices (e.g. chain of custody)
► Keep records
» Keep written records of what you do – you may need them years from now if it goes to court
► Manage internal and external communications
» Do you know who to call for forensic help? Law enforcement?
» Who is allowed to talk about the incident? Internally? Externally?
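One way to carry out the "preserve evidence" and "keep records" steps above for collected log files, as an added example (not a procedure from the presentation): write a SHA-256 manifest at collection time that records who collected the files, when (UTC) and from which host, and re-verify it before analysis or handover so that any later change, deliberate or accidental, is detectable and the manifest itself becomes part of the written record. The file names, log lines and collector identity are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the slides): preserve collected log files with a
# SHA-256 manifest that records who collected them and when, then re-verify
# the digests before analysis or handover. Paths and the collector name are
# illustrative assumptions; the sample log lines are constructed.

# Print the SHA-256 digest of one file (GNU sha256sum or BSD/macOS shasum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_manifest EVIDENCE_DIR MANIFEST COLLECTOR
# Writes header lines (#-prefixed) naming the collector, UTC time and host,
# then one "<sha256>  <path>" line per file. Keep MANIFEST outside
# EVIDENCE_DIR, copy it to write-once media or a separate system, and print
# or sign it for the case file.
make_manifest() {
    {
        echo "# collected_by: $3"
        echo "# collected_at: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "# collected_on: $(uname -n)"
        find "$1" -type f | sort | while read -r f; do
            echo "$(hash_file "$f")  $f"
        done
    } > "$2"
}

# verify_manifest MANIFEST: return 0 if every listed file still matches its
# recorded digest, 1 (with a MODIFIED: line on stderr) otherwise. A missing
# file also fails, since its digest can no longer be reproduced.
verify_manifest() {
    status=0
    while read -r digest path; do
        case "$digest" in '#'*|'') continue ;; esac
        if [ "$(hash_file "$path" 2>/dev/null)" != "$digest" ]; then
            echo "MODIFIED: $path" >&2
            status=1
        fi
    done < "$1"
    return "$status"
}

# Demo on constructed evidence: two small log files, one later tampered with.
work=$(mktemp -d)
mkdir "$work/evidence"
printf 'Jun  8 09:12:01 web1 sshd[4412]: Accepted password for svc_backup from 10.1.2.3\n' > "$work/evidence/auth.log"
printf '10.1.2.3 - - [08/Jun/2010:09:12:30] "GET /admin/export.php HTTP/1.1" 200\n' > "$work/evidence/access.log"
make_manifest "$work/evidence" "$work/manifest.txt" "analyst@example.org"
verify_manifest "$work/manifest.txt" && echo "evidence intact"
echo "tamper" >> "$work/evidence/auth.log"
verify_manifest "$work/manifest.txt" || echo "evidence changed since collection"
```

Run the verification again at every hand-off (to an outside forensic firm, to law enforcement, to counsel) and record the result with the date and the names of both parties; that log of verifications is the chain-of-custody record the slide refers to.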
The Lucrative World of Malware
and “Bot Herding”
► People are making money! Millions of dollars!
► There are entire economies based on computer crime:
» Hackers: Produce new exploits in common software and sell the "0 day" exploits to Bot Herders
» Bot Herders: Use the new exploits to distribute malware to end users. The resulting bots are used for Denial of Service extortion, spamming, stealing network or PII information, click advertisement abuse, etc. They sell their harvested information to criminals.
» Criminals: Use the obtained credit card and bank account information to perpetrate financial crimes and pay for further development
Symantec Threat Report 2009
► One very real problem is that there is a proliferation of malware, and Anti-Virus simply cannot keep up with all the new versions
The List Not to Be On – datalossdb.org
► Attrition.org used to maintain a list of "hacked" (defaced) organizations, but they were unable to keep up with the volume; the project was renamed and now tracks data breaches instead
► Now they are focusing on data breaches – see: http://datalossdb.org/