Information Security Fall Semester 2016 - Course Wrap Up Summary

Information Security 365/765, Fall Semester, 2016
Course Instructor, Nicholas Davis, CISSP, CISA
Lecture 17, Course Summary

Agenda
• Today’s chocolate bars---best
for last----Caramel!
• Housekeeping – Written
Assignments
• Discuss Team Presentations
• Course Summary Presentation
• Student Evaluations
• Meet with your team, to work on
your final presentation
11/29/2016 UNIVERSITY OF WISCONSIN 2

Security Controls
Security controls are safeguards or
countermeasures to avoid, detect,
counteract, or minimize security risks to
physical property, information, computer
systems, or other assets.

C I A
We will never forget that Information Security is
comprised of
• Confidentiality
• Integrity
• Security
We must work to balance all three, in order to
have effective security

Categories of Controls
Computer security is divided into three distinct
master categories, commonly referred to
as controls:
• Physical
• Technical
• Administrative

Information Security is
Made of Four Ingredients
Solid security requires:
• Hardware
• Software
• People
• Procedures
All working in tandem (together)

Let’s Watch the Story
Written Assignment #1
Don’t worry about taking notes, you can watch the video again, later
https://www.youtube.com/watch?v=TEYRLDvJaxo
https://www.youtube.com/watch?v=Fw8ZorTB7_o

Ashley Madison!
We talked about Ashley Madison!
• What happened?
• Who were the victims?
• What are the implications?

Common Technical
Weaknesses in IT
We discussed the most common corporate IT weakenesses:
Incorrect firewall configurations
Unpatched web server vulnerabilities
Databases which accept requests from any source
Lack of intrusion detection systems
Lack of intrusion prevention systems
Failure to disable unused protocols
Failure to teach proper secure software coding to
programmers
Failure to sanitize data

Defense in Depth
We learned about Defense in Depth, using multiple
controls, in case one fails
• Use better granular control for both processes and
people’s access rights
• Better physical security
• Perform routine monitoring and auditing
• Develop staff who are more proficient in the tools
and methods of information security

So Many Definitions!
We learned the differences between:
• Vulnerability
• Threat
• Risk
• Exposure

Obscurity does Not Equal Security

Planning for IT Security
The three planning areas of IT security and the
area we do not wish to work in
• Strategic
• Tactical
• Operational

IT Risk Analysis
We learned to do an IT Risk Analysis
• Identify assets and their values
• Identify vulnerabilities and threats
• Quantify the probability and business
impact of these potential threats
• Provide an economic balance
between the impact of the threat and the
cost of the countermeasure

Hiring Practices
• Job skill screening
• Reference check
• Non-disclosure agreement (NDA) signed
• Education verification
• Criminal background check
• Credit report check
• Sex offender check
• Drug screening
• Professional license check
• Immigration status check
• Social Security Number trace to ensure
validity

Employee Controls
Rotation of Duties
No one person should stay in one
position for an uninterrupted period of
time, as this may enable them to have
too much control over a segment of
business
Mandatory vacation policy

Termination Practices
• Each company needs a set of pre-defined
termination procedures
• Example:
• Once terminated, the employee must be
escorted out of the facility by their manager
• Employee must immediately surrender keys,
employee badge, etc.
• Employee must be asked to complete an exit
interview and return company property
• The terminated employee’s online accounts
must be disabled immediately upon
termination

Three Types of
Security Policies Exist
Regulatory
Advisory
Informative

How Due Diligence
Due Care are Related
Due diligence is the understanding of
the threats and risks, while due care is
the countermeasures which the
company has put in place to address the
threats and risks

Data Classification
Types (typical)
• Public
• Sensitive
• Private
• Confidential
Some models may differ in number of
levels and/or how they are referred to

Security Awareness
Training Program
One for senior management
One for staff
One for technical employees
• Responsibilities of everyone
• Potential Liabilities if program is not
followed
• Expectations of everyone

Assignment #2
Responding to a
National Security Letter
National Security Letters (NSLs) are an
extraordinary search procedure which gives
the FBI the power to compel the disclosure
of customer records held by banks,
telephone companies, Internet Service
Providers, and others. These entities are
prohibited, or "gagged," from telling
anyone about their receipt of the NSL,
which makes oversight difficult. The
Number of NSLs issued has grown
dramatically since the Patriot Act expanded
the FBI's authority to issue them.

"Deer is suspicious of Trump's claim
that a 400 pound guy on a bed may
have cybered us."

Guest Speaker
FBI Special Agent Byron Franz
• Over 15 years experience working on national
security investigations
• Prior to working in Milwaukee, Byron spent
10 years in Indianapolis, where he was a
member of the SWAT team
• Led investigation of an Iraqi agent of Saddam
Hussein
• BA degree in International Relations and
Russian and a JD from UW Law School

Identification, Authentication
Authorization and Accountability
Identification – Who you say you are
Authentication – verifying that you are
who you claim to be
Authorization – decision of what you are
allowed to access, read, change, add,
delete
Accountability – proof of what a person,
process or Angry Bird has done

Centralized Identity
Management VS Federated
Centralized Identity Management – a
single entity is responsible for
authentication and authorization.
Facebook for example
Federated Identity Management – a set
number of various organizations are
deemed “trusted” For example Eduroam

Methods to Steal Passwords
Electronic monitoring
Access the password file
Brute force attacks
Dictionary attacks
Social engineering

Major Categories of Access
Controls
Deterrent – A warning on a website,
forbidding unauthorized access
Preventive – Username and
password controlled access
Detective – logs are audited in real-
time and an alarm goes off after 10
incorrect login attempts
There are four other categories of access
controls, but, not important for our
discussion

Pre Sales Engineer Tom Hunt
Spent a Lecture With Us

Bob Turner, UW-Madison
Spoke About Careers in IT Security

Single Best Piece of
Technical Advice You Can Provide
• Remove, or at a minimum, turn off
USB port access on all end user
computing devices
• USB allows access even when the
screen is “locked”
• USB is small, easy to move in and out
of a building, with enormous capacity
• USB can carry dangerous self-
installing payload
• USB ports are often out of sight, and
not noticed on back of computer,
when flash drive is inserted

How to Recognize When IP
and Trade Secret Theft is Occurring
• Excessive printing taking place
• Use of unapproved encryption software
• Spike in e-mail and USB storage/transfer
volumes
• Increase in foreign IP traffic
• Unusual network and building access times
• Unexplained wealth or affluence
• Unusual foreign travel
• Disillusionment/entitlement due to missed
promotions or other perceived grievances
• Increased amount of non-business-related
activities (i.e., web surfing, job hunting,
social media etc.)

Today’s Movie Feature!
• Based on a true story of an attempted theft of trade
secrets
• Happens to involve China, but could just as easily
have been a competitor in Minnesota or Texas
• Focus on the story, techniques and
implications, not the nationalities of the people
in the story

Assignment #3
• Assignments 1 and 2
were essay based
• Assignment 3 is more
straightforward, question
and answer based
• Please label your answers
accordingly (1,2,3, etc)
• Due date is Oct 25th, but I
will accept them on Oct
27th as well

Memory Management
For a secure operating environment, an
operating system must exercise proper
memory management. A memory
management system has five basic
responsibilities:
• Relocation
• Protection
• Sharing
• Logical Organization
• Physical Organization

Memory Leaks
https://www.youtube.com/watch?v=67m5jwoNkfo

Four Major Physical
Security Threats
• Natural environmental
• Supply system
• Human made
• Politically motivated
Good security program protects against
all of these, in layers

Physical Access Control
For Visitors
• Limit the number of entry points
• Force all guests to sign-in at a common location
• Reduce entry points even more, after hours and
on weekends
• Validate a government issued picture ID before
allowing entry
• Require all guests to be escorted by a full time
employee
• Encourage employees to question strangers

I went to Disney World, While
You Took an Exam!

5 Core Steps in a Physical
Security System
• Deter
• Delay
• Detect
• Assess
• Respond

Laptops Are One of the
Most Frequently Stolen Physical
Assets
• Inventory the laptops
• Harden the Operating system
• Password protect BIOS
• Register laptops with vendor
• Don’t check laptop as baggage!
• Don’t leave laptop unattended
• Engrave the laptop visibly
• Use a physical cable and lock
• Backup data
• Encrypt hard disk
• Store in secure place when not in use

A Note About Credit Card
Reader Physical Security
https://www.youtube.com/watch?v=Xip
jYIbBj7k
• Physical access to credit card
transaction equipment is one of the
greatest physical security threats
facing most small businesses in the
United States, but most people never
give it a second thought

Cloud Security
Cloud Security refers to a
broad set of policies,
technologies, and
controls deployed to
protect data,
applications, and the
associated infrastructure
of cloud computing.

Cloud Service Models
Software as a Service
Platform as a Service
Infrastructure as a Service

Cloud Deployment Models
Private
Public
Hybrid

Bring Your Own Device
BYOD (bring your own device) is the
increasing trend toward employee-owned
devices within a business. Smartphones are
the most common example but employees
also take their own tablets, laptops and USB
drives into the workplace.

Lost Devices, Sold Devices
Memorized Passwords
• BYOD has resulted in data breaches. For example, if an
employee uses a smartphone to access the company
network and then loses that phone or sells that phone,
untrusted parties could retrieve any unsecured data on
the phone.
• Another type of security breach occurs when an employee
leaves the company, they do not have to give back the
device, so company applications and other data may still
be present on their device
• If passwords are cached (remembered) by the phone,
anyone who has access to the device can now access the
password protected resources

Personal Privacy
Drawing the Line
IT Security departments that
wish to monitor usage of
personal devices must
ensure that they only
monitor work related
activities or activities that
accesses company data or
information

Malware Infections
Organizations who wish to adopt a BYOD
policy must also consider how they will
ensure that the devices which connect to the
organization’s network infrastructure to
access sensitive information will be protected
from malware.

Patching Many Different
Models of BYODs
BYOD policy must be prepared
to have the necessary systems
and processes in place that will
apply the patches to protect
systems against the known
vulnerabilities to the various
devices that users may choose to
use.

Mobile Device Management
Solutions
Several market and policies have emerged
to address BYOD security concerns,
including mobile device management
(MDM), containerization and app
virtualization
• Containerization
• Virtualization

MDM May Result in Privacy
and Usability Concerns
While MDM provides organizations with
the ability to control applications and
content on the device, research has revealed
controversy related to employee privacy
and usability issues that lead to resistance
in some organizations

Phone Number
Ownership
A key issue of BYOD which is often
overlooked is BYOD's phone number
problem, which raises the question of the
ownership of the phone number. The issue
becomes apparent when employees in sales
or other customer-facing roles leave the
company and take their phone number with
them. Customers calling the number will
then potentially be calling competitors
which can lead to loss of business for BYOD
enterprises

Lack of BYOD Policy
• Research reveals that only 20% of
employees have signed a BYOD policy
• Why not have them agree online, in order
to gain network access? Offer them a
carrot (network access) to agree.
• Businesses need to get out of the idea of
using legacy paper forms for such things

BYOD Inventory
Firms need an efficient inventory
management system that keeps track of
which devices employees are using, where
the device is located, whether it is being
used, and what software it is equipped with

Make Sure the Employees Know
If sensitive, classified, or criminal data lands
on a U.S. government employee's device, the
device is subject to confiscation

Scalability and Capability
of Corporate Networks
Many organizations today lack proper network
infrastructure to handle the large traffic which will
be generated when employees will start using
different devices at the same time

Summary
• Both Cloud and BYOD are relatively new to
organizations
• Both Cloud and BYOD blur the lines of where an
organization’s control over data resides
• Both Cloud and BYOD extend the information
assets beyond historic organizational geographic
boundaries
• Both Cloud and BYOD are security concerns, in
an attempt to maintain Confidentiality, Integrity
and Availability

Session Overview
Introduction and Warning
The Deep Web Defined
Dynamic Content
Unlinked Content
Private Web
Contextual Web
Limited Access Content
Scripted Content
Non-HTML Content
Deep Web Search Engines & Tor Client
Examples of what can found on the Deep Web
Exciting Documentary Video
Question and Answer session

Grams Sample Search
Crunchy Dutch Moonrocks

Deep Web
Dangerous Web

Class Discussion
You love the Internet. However, you favorite sites, such as Facebook,
Amazon, and wisc.edu are just the surface. There is another world out
there: the Deep Web
The Deep Web is where online information is password protected, or
requires special software to access—and it’s massive, yet it’s almost
completely out of sight. The Deep Web contains a hidden world, a
community where malicious actors unite in common nefarious purpose.
Should the government control or forbid certain sites? Why? Do you
think buying the following items on the Internet is possible? If it is
possible, should they be forbidden? How and why?
• Drugs (both prescription and clearly the clearly illegal type)
• Forged identity papers
• Weapons, explosives and ammunition
• Hired assassins
• Human organs

The EU and Privacy
• The European Union (EU) has some of the
most stringent data privacy rules
• When it comes to data collection, the EU
has six privacy principles which all
countries and businesses within those
countries must follow

European Privacy Principles
1. The reason for gathering
the information must be
specified at the time of
collection
2. Data cannot be used for
other purposes
3. Un-necessary data should
not be collected

Privacy: The Need For Better
Laws
• Data aggregation and data retrieval technologies
advancement -- Large data warehouses
• Loss of borders – Private data flows from country
to country with ease
• Convergent technology advances – Gathering,
mining and distributing information has become
much easier

Laws, Directives
and Regulations
Covers many different areas for many
different reasons
• Privacy
• Computer Misuse
• Software copyright
• Data protection
• Controls on cryptography

Laws, Directives
and Regulations
• Laws, directives and regulations usually
provide only broad guidance and not
detailed instructions
• Environments are just too diverse to get
specific in terms of the details of laws,
directives and regulations
• Let’s look at some examples

Sarbanes-Oxley Act
The Sarbanes-Oxley Act of 2002 (often
shortened to SOX) is legislation passed by the
U.S. Congress to protect shareholders and the
general public from accounting errors and
fraudulent practices in the enterprise, as well
as improve the accuracy of corporate
disclosures.

HIPAA
HIPAA is the federal Health Insurance
Portability and Accountability Act of 1996.
The primary goal of the law is to make it
easier for people to keep health insurance,
protect the confidentiality and security of
healthcare information and help the
healthcare industry control administrative
costs.

GLB (GLBA)
The Gramm-Leach-Bliley Act (GLB Act or
GLBA), also known as the Financial
Modernization Act of 1999, is a federal law
enacted in the United States to control the
ways that financial institutions deal with the
private information of individuals.

CFAA
The Computer Fraud and Abuse Act (CFAA) of
1986 is United States legislation that made it a
federal crime to access a protected computer
without proper authorization.

Federal Privacy Act of 1974
The Privacy Act of 1974, a
United States federal law,
establishes a Code of Fair
Information Practice that
governs the collection,
maintenance, use, and
dissemination of personally
identifiable information about
individuals that is maintained in
systems of records by federal
agencies.

PCI-DSS (PCI)
Short for Payment Card Industry (PCI) Data
Security Standard (DSS), PCI DSS is a
standard that all organizations, including
online retailers, must follow when storing,
processing and transmitting their customer's
credit card data.

1. Validate Input and Output
All data input and output should be checked very
carefully for appropriateness. This check should be to
see if the data is what is expected (length, characters).
Making a list of bad characters is not the way to go; the
lists are rarely complete. A secure program should know
what it expects, and reject other input. For example, if
an input field is for a Social Security Number, then any
data that is not a string of nine integers is not valid. A
common mistake is to filter for specific strings or
payloads in the belief specific problems can be
prevented.

2. Fail Securely (Closed)
Applications should default to secure operation. That is, in the
event of failure or misconfiguration, they should not reveal more
information than necessary with regard to:
 Error messages (for efficient debugging purposes)
 The application configuration (directory, version/patch
levels)
 The operating environment (network addressing, OS
version/patch levels)
As well, they should not allow transactions or processes to continue
 With more privileges than normal
 With more access than normal
 Without proper validation of input parameters and output
results
 Bypassing any monitoring or logging facilities

3. Keep it Simple
While it is tempting to build elaborate and complex
security controls, the reality is that if a security system is
too complex for its user base, it will either not be used
or users will try to find measures to bypass it. Often the
most effective security is the simplest security. Do not
expect users to enter 12 passwords.

4. Use and Reuse Trusted Components
Invariably other system designers (either on your
development team or on the Internet) have faced the
same problems as you. They may have invested a large
amount of time on research and developing robust
solutions to the problem. In many cases they will have
improved components through an iterative process and
learned from common mistakes along the way. Using
and reusing trusted components make sense both from
a resource stance and from a security stance. When
someone else has proven they got it right; take
advantage.

5. Defense in Depth
Relying on one component to perform its function 100%
of the time is unrealistic. While we hope to build
software and hardware that works as planned,
predicting the unexpected is difficult . Good systems
don’t predict the unexpected, but plan for it. If one
component fails to catch a security event, a second one
would.

6. Only as Secure as the Weakest Link
We’ve all seen it, “This system is 100% secure, it uses
128 bit SSL”. While it may be true that the data in
transit from the user’s browser to the web server has
appropriate security controls, more often that not the
focus of security mechanisms is at the wrong place. As
in the real world where there is no point in placing all of
your locks on your front door to leave the backdoor
swinging in its hinges, you need to think carefully about
what you are securing. Attackers are lazy and will find
the weakest point and attempt to exploit it.

7. Security by Obscurity Won’t Work in
the Long Run
It’s naïve to think that hiding things from prying eyes
doesn’t buy you some amount of time. Lets face it some
of the biggest exploits unveiled in software have been
obscured for years. But obscuring information is very
different from protecting it. You are relying on the fact
that no one stumbles onto your obfuscation. This
strategy doesn’t work in the long term and has no
guarantee of working in the short term.

8. Least Privilege
Systems should be designed in such a way that they run
with the least amount of system privilege they need to
do their job. This is the need to know approach. If a user
account doesn’t need root privileges to operate, don’t
assign them in the anticipation they may need them.
Giving the pool man an unlimited bank account to buy
the chemicals for your pool when you’re on vacation is
unlikely to be a positive experience.

9. Compartmentalization
Similarly compartmentalizing users, processes and data
helps contain problems if they do occur.
Compartmentalization is an important concept widely
adopted in the information security realm. Imagine the
same pool man scenario. Giving the pool man the keys
to the house while you are away so he can get to the pool
house, may not be a wise move. Containing his access to
the pool house limits the types of problems that may
occur if something was to happen.

Telecommunications and
Network Security Overview
• TCP/IP and other protocols
• LAN, WAN, MAN, intranet, extranet
• Cable types and data transmission
types
• Network devices and services
• Communications security
management

TCP and UDP
Two Major Protocols For
Transmission Over IP

Reliabaility TCP
TCP is connection-oriented protocol.
When a file or message send it will get
delivered unless connections fails. If
connection lost, the server will request
the lost part. There is no corruption
while transferring a message.

Reliability UDP
UDP is connectionless protocol.
When you a send a data or
message, you don't know if it'll get
there, it could get lost on the way.
There may be corruption while
transferring a message.

Ordered Delivery TCP
Ordered: If you send two messages
along a connection, one after the other,
you know the first message will get
there first. You don't have to worry
about data arriving in the wrong order

No Ordered Delivery UDP
If you send two messages out, you
don't know what order they'll arrive
in

TCP is a Heavyweight
Protocol
Heavyweight: - when the low level
parts of the TCP "stream" arrive in the
wrong order, resend requests have to
be sent, and all the out of sequence
parts have to be put back together, so
requires a bit of work to piece together

UDP is a Lightweight Protocol
Lightweight: No ordering of messages, no
tracking connections, etc. It's just fire and
forget! This means it's a lot quicker, and the
network card / OS have to do very little
work to translate the data back from the
packets.

The 5 Types of Physical
Network Topologies
• Bus
• Ring
• Star
• Tree
• Mesh

Network Cabling
Coaxial Cable
Coaxial cable, or coax (pronounced 'ko.æks),
is a type of cable that has an inner conductor
surrounded by a tubular insulating layer,
surrounded by a tubular conducting shield.
Many coaxial cables also have an insulating
outer sheath or jacket.

Network Cabling
Twisted Pair
Twisted pair cabling is a type of wiring in
which two conductors of a single circuit are
twisted together for the purposes of
canceling out electromagnetic interference
from external sources; for instance,
electromagnetic radiation from unshielded
twisted pair cables, and crosstalk between
neighboring pairs.

Network Cabling
Fiber Optic
A technology that uses glass (or plastic)
threads (fibers) to transmit data.
A fiber optic cable consists of a
bundle of glass threads, each of which is
capable of transmitting messages
modulated onto light waves. Fiber
optics has several advantages over
traditional metal communications lines:

Wireless Best Practices
• Protect your network with password
and encryption
• Change default SSID (name of
network)
• Disable broadcast SSID (name of
network)
• Place the Access Point at the center of
the building to avoid external access
• Configure the Access Point to only
allow known MAC (hardware)
addresses into the network

Configuration and Change
Management
Policies should:
1. Document how all changes are made and
approved
2. Guidelines should be different based upon the
kind of data being managed
3. Disruptions in service must be planned and
approved in advance
4. Contingency plans must be in place to address
planned outages

Change Control Process
Process:
1. Submit request for change to take place
2. Formal approval of the change
3. Formal documentation of the change
4. Assurance of testing must be presented to the
group approving the change
5. Implement the change
6. Report results to management

Examples of Change Controlled
Events
New computers installed
New applications installed
Changes in system configurations implemented
Patches and system updates
New networking equipment installed
Company IT infrastructure merged with that of
another company which was acquired

Physical Media Controls
1. Protect from unauthorized access
2. Protect from environmental issues such as
flooding, overheating, etc.
3. Media should be labeled
4. Media should be sanitized when they reach the
end of their use/life.
5. Tracking number, chain of custody of media
6. Location of backups
7. Keep history of any changes to media
(replacements, etc)

Vulnerability Testing
Goals:
1. Evaluate your company’s true and actual
security posture vs your company’s stated and
or assumed security posture
2. Confirms known vulnerabilities and identifies
new vulnerabilities
3. Tests how your company reacts to attacks of
information systems

We Watched Some
Interesting Videos
• Glen Duffy Shriver Story (Game of
Pawns, about student spy)
• The Company Man (story of industrial
espionage)
• United States of Secrets (dramatic inside
story of mass surveillance in America)
• The Spy Factory (an eye-opening
documentary on the National Security
Agency)
• Short Youtube videos, throughout
semester

We Ate a Lot of Chocolate!

We Took All Our Knowledge
and Put It into Our Team Project!
• Put forth your best effort
• Better too long than too short
• Send me a copy
• I print them out and give them to the
Chair of the OIM Department. I smile
and say “This is what the students
learned this semester” when I present
the copies of your presentations

Things to Remember
• I am proud of all of you…We covered a LOT of
material this semester
• Everyone did a GREAT job being involved with class
participation
• Your written assignments were fantastic, showed
concern, thought, originality, honesty and
intelligence
• You ARE every bit as smart as the people you will be
working for…They are just older, not smarter
• If things are not right in your job, do what is right,
speak your mind, assess the situation for what it
REALLY is, not what you would like it to be----and
then ACT IN YOUR OWN BEST INTEREST

Thank You! Happy Holidays!

Information Security Fall Semester 2016 - Course Wrap Up Summary

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (13)

Similaire à Information Security Fall Semester 2016 - Course Wrap Up Summary

Similaire à Information Security Fall Semester 2016 - Course Wrap Up Summary (20)

Plus de Nicholas Davis

Plus de Nicholas Davis (16)

Dernier

Dernier (20)

Information Security Fall Semester 2016 - Course Wrap Up Summary