Authentication
Business Logic
Current Headlines
FBI Issues Water Supply Cyberterror Warning Al-Qaida terrorists have scoured the Web for information on the computerized systems that control water distribution and treatment, NIPC warns.
By Kevin Poulsen, www.securityfocus.com
Current Headlines
Microsoft Store Offline After Insecurity Exposed. By Brian McWilliams, Newsbytes Jan 11 2002 5:52PM PT An online store operated by Microsoft Corp. [NASDAQ: MSFT] for software developers was unavailable today following reports that a security flaw gave visitors the ability to take control of the site, including access of customer data.
www.securityfocus.com
8
Current Headlines
NASA Hacker Gets 21 Months Jason 'Shadow Knight' Diekman cracked JPL, Stanford University and others. By Dick Kelsey, Newsbytes Feb 5 2002 5:28PM PT www.securityfocus.com
Headlines
Lloyd's of London To Offer Hacker Insurance Lloyd's of London, one of world's largest insurance firms, has partnered with San Jose, Californiabased Counterpane Security, Inc. to offer insurance against business losses due to mischief by hackers.
By Lori Enos E-Commerce Times July 10, 2000
10
Prediction
Denial of service attacks against companies such as Yahoo! and Amazon.com illustrated the susceptibility of even wellestablished organizations to hacker attacks. Security incidents had not been widely reported prior to the broadband explosion, however, the Gartner Group predicts that by 2004, service providers will witness a 200 percent increase in the cost of responding to security incidents due to broadband connections. Pamela Warren, Nortel/Shasta
11
12
13
Internal They:
vDisgruntled employees vContractors, vendors, temps, etc.
15
With the explosion of on-line services, controlling access to personal information is critical!
The demands of consumers and the requirements of many government regulations such as US Code Title 47 and HIPAA make it mandatory that information be protected.
18
19
How Do I Begin?
It isnt magic; but dont start from scratch. Resources: Reference Books The Internet Consultation Off The Shelf Software
22
Awareness
Initial awareness program
vExisting information dissemination methods vSpecial security awareness presentations
23
Implementation
Physical Constraints
v Locks
Time Locks Cipher Locks
24
Implementation
Electronic Access
vProximity Badges vBiometrics (the Oldest Form of Authentication)
Fingerprint Voice Recognition Retinal Scan Face Recognition
Implementation
Monitoring for Adherence to Established Practices and Policies.
v Access logs (paper and electronic). v Two man accountability. v Visitor sign-in and escort. v Monitoring and review of video surveillance. v Regular audits (internal and external). v Mechanized scans of logs for anomalies.
26
Implementation
Computer Access Controls.
v Logon ID and Password v Digital Certificate/Smart Card v Hard Token (i.e. SecureID) v Biometrics v Integrated with Physical Access Method? v Logging! (with Review) v Regular Audits of Access Lists
27
Implementation
Access Authorization
v Role based v Specific Individual v Dependent on Authentication Mechanism v High Level
Corporate Directory CORBASec ADO (Access Decision Object) CORBA RAD (Resource Access Decision)
28
vGranular
Policy Implementation
Integration of Physical and Computer Security Policies and Procedures. Usability Studies. Log, Review, Audit. Consider Outside Certification. Nothing Can Replace the Human Mind and the Human Eye for Monitoring and Review.
29
Logging
Turn on logging! Allocate headcount to review logs. Train reviewer(s). Policy should dictate actions specifically.
vShut down intruder(s) immediately or vTrack intruder to determine intent/build case. v Honeypot?
30
Enforcement
Manual
vReview system logs vNetwork/platform scans vVarious periodic audits
Automatic
vPlatform password restrictions vFirewalls, proxies, etc. vVarious policy enforcement tools
31
Policies
Must Be Documented Clear, Concise, Well Indexed, Available Consider Online, Web Based Various Products Can Jump Start the Creation and Maintenance of Policies Regular Reviews Communication, Communication, Communication!
32
Some Resources
ICSA White Paper on Computer Crime Statistics
v http://www.trusecure.com/html/tspub/whitepapers/ crime.pdf http://www.securityfocus.com/vulns/stats.shtml
33
More Resources
Information Security Policies Made Easy Version 7; by Charles Cresson Wood Secrets & Lies Digital Security in a Networked World; by Bruce Schneier http://csrc.nist.gov http://www.security-policy.org http://www.msb.edu/faculty/culnanm/ gippshome.html
34
Marty Byrne
info@2ab.com 2AB, Inc. 205-621-7455 www.2ab.com
35