2. What’s the catch?
Sorry, you’re going to have to Think….
―Thinking is the hardest work there is…that’s why so few
people do it. ― – Henry Ford
…And Do…
―The only place where success comes before work is in
the dictionary.‖ –Donald Kendall
Copyright 2009 SecureState 2
3. About me
Stephen Marchewitz
– B.A. The University of Michigan
Business Communications and Statistics
– M.B.A. Case Western Reserve University
Management Information Systems and Finance
– Ten+ years experience and progressive responsibility in
multiple facets of information systems with specific expertise
in information assurance
– SecureState LLC, CSO, 4 Years
– Past Experience
• Oracle Corporation, Security Service Manager
• Computer Associates Inc., Senior Security Consultant
• Ernst & Young, LLP, Management Consultant
Copyright 2009 SecureState 3
4. SecureState Overview
• Ohio Based Company CISSP – Certified Information Systems Security
– Founded 2001 CISM – Certified Information Security Manager
CISA – Certified Information Systems Auditor
QDSP – Qualified Data Security Professional
• 40 Security Professionals GSEC – SANS GIAC Security Essentials
NSA INFOSEC Assessment Methodology (IAM)
Forensics – NTI, EnCase
• Information Assurance & ANSI X9/TG-3
Protection
• Audit and business
background (Big X)
• Experts in ethical hacking
across many specialized
areas
Copyright 2009 SecureState 4
5. SecureState Overview
Audit and Compliance
• PCI (Payment Card Industry)
• ISO 27001/SAS 70
• SOX, GLBA etc.
• TG-3, NERC/CIP
• INFOSEC (Information System Security Risk Assessment)
Profiling and Attack
• Web Application Security (WAS)
• Attack and Penetration Services (internal, external, client, physical, wireless)
• Wireless Audits
• Architecture Reviews
• Zero-Day Research
• Training
Risk Management
• Security Program Manager (SPM)
• StateScan
• SecureTime
• Virtual Compliance Officer (VCO)
Forensic Technology Solutions
• Data Forensics/Incident Response
• Reverse Engineering
• Expert Testimony
Copyright 2009 SecureState 5
6. We have no budget! – Get them to care
• FUD – Fear, Uncertainty and Doubt only works a little bit and
I never (rarely) use it.
• That said, never underestimate the power of a good ―breach‖ story.
• Find a compelling event
• Use assessments and testing
• Get someone outside your organization to say the same thing you say to
your execs…they’ll be more likely to listen
• Learn to love to say the same thing over…and over…and over…
and over...
Copyright 2009 SecureState 6
7. Get it done through Regulations
• By the way Mr. CEO, we’re not
PCI compliant
• You do know that if there is a breach, our
state has data breach disclosure laws
• SOX and the SAS now state that audit
firms must sign off on the security of
the systems
• We don’t have to be compliant, but our
customer is saying we do
Copyright 2009 SecureState 7
8. Get the Bullies on your side
• Work with Audit
• Learn what they’re trying to achieve
• You will never be good enough
• Report, report, report
• Do you know what the problems are?
• Do you have a plan to fix them?
Copyright 2009 SecureState 8
9. Don’t Hold Risk
• You don’t get paid enough to hold the risk of the organization
• Offload it to the board and/or other executive management,
i.e. let them sign off
• Your job is to:
– Identify risk (through assessments)
– Recommend remediation
– Provide assistance in remediation management
Copyright 2009 SecureState 9 9
11. Assess. Build. Rinse. Repeat.
Assessments (checks) are the best
route to understand the current
state of your program
Assessments ―get the wheel turning‖
You don’t/can’t know what you’re
doing in security if you’re not
checking first.
You can enhance your credibility
by putting it into terms the business
can understand
11 11
13. Refer to a Framework
NIST – www.csrc.nist.gov/publications/PubsSPs.html
Special Publications in the 800 series present documents of general
interest to the computer security community
NIST 800-53 Security Controls for Federal Information Systems and
Organizations
ISO 27000 – http://www.standardsdirect.org/iso17799.htm ($1100)
THE ISO 27001 and ISO 27002 TOOLKIT
Copyright 2009 SecureState 13
14. Inventory and Classify your Assets
• Do you know everything you have?
• Have you assigned a value to your assets?
• There is a reason you don’t have an armed guard covering
petty cash
• Make sure the level of protection is commensurate with the value
Copyright 2009 SecureState 14
15. Simulate a breach, incident, or disaster
• Set up a meeting with all parties involved to pretend we’ve just had a
Breach (or Disaster)
– Who needs to be in there?
– What needs to happen?
– Worst case
– What do we have to do to facilitate
a forensic investigation?
• Logging
• Data flows
• Network Diagrams
• Monitoring
Copyright 2009 SecureState 15
16. Question Products
• Companies are always looking to slam a $40k appliance in to solve
the world for them. Unfortunately this doesn’t work.
• Detecting viruses, malware, and threats goes into a formalized
security program that is constantly tested. Penetration tests are
excellent methods in identifying deficiencies within the current
security program.
Copyright 2009 SecureState 16
17. A product example – reshifting budget to get more
Antivirus:
Anti-virus is typically thought of as a first line of defense for
detecting a potential outbreak, malware, or viruses.
Anti-virus companies market that they are the end-all-be-all and
can catch anything out there.
It’s estimated that 70% of all malware is currently NOT being
detected by anti-virus.
The truth: No longer a defensible position against attackers.
There are now products that combine zero-update attack
protection, data loss prevention, and signature-based antivirus,
reducing cost (upkeep, etc.) and increasing effectiveness.
Copyright 2009 SecureState 17
18. Check out Great Sources
CIS Benchmarks –
The CIS Benchmarks are the consensus best practice security
configuration standards both developed and accepted by government,
business, industry, and academia
(http://www.cisecurity.org/benchmarks.html)
Payment Card Industry (PCI) Data Security Standard –
Free audit standards
https://www.pcisecuritystandards.org/
OWASP – Open Web Application Security Standard
www.owasp.org The defacto standard for Web Application Security
―Information Security Policies Made Easy‖ –
Policy book by Charles Cresson Woods ($800)
Copyright 2009 SecureState 18
19. Build Awareness
• Build awareness programs, consistency, ease, available, etc.
• However the main message is: ―Don’t be stupid!‖
• Social Engineering
– Have someone from another office, (or your nephew, grandma,
buddy, etc.) try to social engineer your company
– Tell everyone the stories (e-mail, new hire training, etc.)
Copyright 2009 SecureState 19
20. Free but…
• Utilize free tools if you have to
• Some exceptions, but generally it makes more sense to just get
someone else to do it
Copyright 2009 SecureState 20
21. Utilize Free Tools
MBSA (Microsoft Baseline Security Advisor): Helps Windows systems users answer the eternal
question: How safe it my IT infrastructure? The advisor checks systems for common
misconfigurations and missing security updates, then makes recommendations for improving
safeguards in accordance with Microsoft security standards.
Nessus: This product is considered to be one of the best vulnerability scanners available at any price
— and it happens to be free. The tool explores and maps network systems for potential
weaknesses that could provide an open door to attackers. The Nessus client is compatible with all
Linux/Unix systems. There's also a Win32 GUI client that works with any version of Windows.
AVG Anti-Virus Free Edition: Grisoft's AVG Anti-Virus Free Edition, compatible with Microsoft Outlook
and Eudora, quarantines suspected virus-infected emails and scans all email traffic over POP3
and SMTP protocols.
Ad-Aware Free: This no-cost program scans computers for hidden parasites — including Trojan
horses, worms and spyware — and removes them permanently. Ad-Aware Free is perhaps the
most popular free security tool in Internet history, with publisher Lavasoft reporting more than 250
million downloads so far.
Wireshark: An open-source packet sniffer, Wireshark Network Protocol Analyzer supports network
troubleshooting, analysis, software and protocol development. The tool is compatible with popular
computing platforms, including Windows, Unix and Linux.
*courtesy (mostly from) itsecurity.com
Copyright 2009 SecureState 21
22. Utilize Free Tools
Aircrack-NG: The aircrack-ng suite is an all-encompassing wireless exploitation framework that allows
you to identify potential security flaws within your wireless environments. It also helps you detect
rogue access points, and test your overall security implementations.
MailWasher: Are you sick of spam clogging your employees' mailboxes? POP3-compatible
MailWasher promises to filter and block spam messages while allowing legitimate email to pass
through unimpeded. And it won't cost you a nickel.
Karen's Replicator: Since even the most security-conscious business will need to restore data at some
point, frequent and comprehensive backups are a vital part of any security strategy. Karen's
Replicator can copy files and folders to a backup storage device on either a manual or scheduled
basis. The program can also distribute files across a network and automatically restore damaged
or changed files on a Web server.
Snort: An open-source network IPS (Intrusion Detection and Prevention System), Snort is a protocol
analyzer that enables users to passively detect or actively block various kinds of probes and
attacks. The software's detection capabilities include stealth port scans, operating-system
fingerprinting attempts, buffer overflows and application attacks.
GnuPG (Gnu Privacy Guard): This family of open-source encryption products is developed under the
auspices of the Free Software Foundation's software project. GnuPG can be combined with front
ends that supply compatibility with virtually any operating system — past or present.
Copyright 2009 SecureState 22
23. Utilize Free Hacker Tools
• Back|Track Live Security Distribution
– Back|Track is the number one security distribution.
– Place CD in computer, reboot, full-fledged hacker environment
with the latest and greatest hacker tools.
Copyright 2009 SecureState 23
24. Utilize Open-Source Tools
• Fast-Track
– Exploitation framework created by David Kennedy at SecureState
– Used to effectively test security and exploit vulnerabilities
• Metasploit
– Most popular open-source exploitation framework
Copyright 2009 SecureState 24
25. Utilize Free Forensic Tools
• DEFT (acronym for Digital Evidence & Forensic Toolkit) is a Xubuntu
Linux-based Computer Forensics live CD.
– It is designed to meet
police, investigators,
system administrator
and Computer
Forensics specialist’s
needs
– http://www.deftlinux.net/
Copyright 2009 SecureState 25
26. Utilize Free Forensic Tools
• Helix3 Live CD
– http://www.e-fense.com/helix3-download.php
– Contains multiple open source forensic tools
Copyright 2009 SecureState 26
27. Utilize Free Forensic Tools
• Forensic Live CD
– http://www.forensiclivecd.com
Copyright 2009 SecureState 27
28. Summary of biggest mistakes we see
In general, organizations don’t do enough of the following:
• Relay risk to upper management
• Ask for help on things they have no idea about
• Assess
• Build consistent, repeatable processes
• Take the time to think it through
Copyright 2009 SecureState 28