Information Security 101: What your business needs to know


The Essentials of Information Security

In this presentation we cover the essentials of protecting your intellectual property, primarily the information your business depends upon. Only a small part of the presentation deals with the technical tools used to protect your business; although the bias of this guide is towards Linux tooling, the principles apply to any computer system and operating system. Desktops and workstations, Mac, Windows or Linux: securing every part of your workplace ICT is incredibly important, because almost all businesses rely on ICT as the lifeblood of every segment of their operations.

Format and intended audience

This guide is in presentation format, so that you can present it to workplace colleagues who would like training or who want to grow their knowledge of security principles, methods and tooling.

The intended audience is ICT professionals in businesses, but the material is still appropriate for anyone interested in IS (Information Security).

If you would like to see the slide outline, scroll to below the presentation.

Let Alistair present it for you!

If you are interested in having the author provide your business with an engaging presentation, training, consultation or support on any of the topics covered in this presentation, or with business information systems in general (esp. Linux and Open Source), then please get in touch. Alistair has years of presentation experience and is a senior technical leader, having worked for reputable businesses such as Amazon and GE as well as medium-sized companies worldwide.

Slide Deck


Slide outline

The following topics were covered within the presentation:

  • Why is Information Security important?
    • The interest profile in your business
      • Your information is everything, and it’s vulnerable!
      • Data exfiltration.
    • The interest profile in your infrastructure.
      • The value of free compute power to attackers.
    • The harm it can cause your business:
      • Loss of intellectual property, and,
      • Loss of reputation, market share and brand.
      • Extortion & Ransom (including loss of direct bank funds).
  • Things you should know:
    • Definition of Information Security, the CIA triad:
      • Confidentiality: Protection of your information from unauthorised access.
      • Integrity: Information is as it should be, not modified in an unauthorised (or even mistaken) way.
      • Availability: Ensuring the information you have is always available.
    • Main elements of security:
      • People
      • Process
      • Technology
    • Having a policy. When it is important and when it is a burden.
    • A firewall is not the answer: Defence in depth.
    • When, not if you get exploited.
    • Trust: Your business is built on it, yet:
      • Your staff and vendors can be hostile!
        • They may not be aware of an attempt upon them.
        • They can install software, open documents and visit sites that do bad things.
        • They may intentionally do harm.
    • The Cloud != Secure
  • Who would be interested in exploiting my ICT systems?
    • Targeted Attackers
      • Staff/Disgruntled ex-staff
      • Hired hitters
      • Opportunists
    • Non Targeted Attackers
      • Script Kiddies
    • Bots/Spambots.
  • What sort of attacks can be made?
    • Social Engineering:
      • Phishing
      • People based data exit (intentional and non-intentional). – Data leaving out of the door (and into the cloud).
      • Ransom/Blackmail.
      • In person, by post, personal e-mail and telephone.
    • Physical Exploits
      • HID (Human Interface Device) attacks (e.g. Rubber Ducky, Bash Bunny)
      • LAN network tapping (e.g. Great Scott Gadgets Throwing Star LAN Tap)
      • WiFi (e.g. the WiFi Pineapple)
    • Network and Internet based Exploits.
      • Vulnerability exploiting
      • DNS, DHCP Poisoning/Redirection
      • SSL offloading and obfuscation
      • MITM Attacks (Man in the middle)
      • (D)DoS Attacks
      • Ransomware & Malware
      • Brute-Force
  • How can I protect against each type of attack?
    • Social:
      • Verify, Verify and Trust.
    • Physical:
      • Lock and Keys
      • Log out of your machine when you walk away (or at least lock it with a password).
      • Dispose of data responsibly (shred, computer recycling).
      • Authentication mechanisms, auditability.
    • Network and Internet based exploit protection.
      • Password, 2FA, Token. Encryption.
        • End user authentication, directories.
        • Passwords on switches, firewalls, SANs, servers and cloud accounts are even more important.
        • Auditing of administrative users. Ensuring network access levels are appropriate.
      • Monitoring and Scanning, Log analysis.
      • Patching/Updating.
      • If it’s open to the Internet, why?
        • Closing ports/services.
        • Proxy/Reverse Proxy
        • Source IP Limitation
        • VPN Connections
        • Amazon/Azure/cloud: VPC, etc.
        • Stop version information being shown (eg status.html, phpinfo.php).
      • Encryption
        • Asymmetric encryption: Plaintext -> Public Key -> Ciphertext -> Private Key -> Plaintext.
        • Validity (integrity) checking with hashing. The slide uses MD5 as the example; MD5 is no longer collision resistant, so use SHA-256 or stronger for anything an attacker could influence, and remember that a bare digest only detects corruption unless it was delivered over a channel the attacker cannot tamper with.
        • Certificate authorities – who to trust (the Trusted Authorities List) – and when it can go wrong.
        • Encrypted messaging/e-Mail.
      • Network Controls (eg insecure WiFi and Firewalling)
        • Don’t connect automatically to free/open public WiFi hotspots, or those using WEP.
        • Do not trust that a WiFi SSID really is the network it claims to be.
      • Policies and Training your staff: Admin/Ops Staff, Management, Developers.
        • Password strength, 2 Factor Authentication, Enforcement thereof.
        • Avoid storing restricted data on mobile devices and removable devices (eg USB sticks).
          • Theft
          • Misuse
          • Mobile Vulnerabilities: Executables and Drive-bys (bluetooth etc)
          • Personal devices in the workplace.
        • Insecure messaging systems (Yes, that means you, E-mail!), personal email accounts for work.
        • Sharing passwords, sending passwords in ‘the clear’.
        • Cloud storage and Cloud applications:
          • Cloud vendors integrity and how they look after your security (password strength etc).
          • Cloud vendors going out of business
          • Cloud vendor’s policies regarding your information.
        • Clicking on shortened links, email attachments, macros, popups, pop-unders and misleading links.
        • HR and IT ops: Onboarding, offboarding and hiring.
        • Getting non IT staff to report any suspected security risk or breach.
        • Get your executive board to provide guidance on data classification; use a RASCI matrix which takes into account the value of each level of asset, ordered by criticality to the business operation and reputation.
        • Inventory all the things (Software, Hardware, IP addresses, People )
          • What is authorised vs what is not authorised.
        • For developers: Code review, Use tooling.
      • IT Staff must routinely schedule security audits (daily, weekly. Monthly may be too late!). Consider:
        • Patch levels,
        • CVE Vulnerability list, cross check against externally visible applications at least.
        • Executing / Analysing reports from security tooling.
    • Tooling:
      • Nmap Port Scanning.
        • Common Port numbers (/etc/services).
      • OpenVAS Vulnerability Scanning.
      • OSSEC Intrusion Detection.
      • Kali Linux and the Metasploit Framework (Windows, Mac, Linux).
      • tcpdump/Wireshark
      • Security Onion
      • Tripwire file auditing
      • SELinux / AppArmor
      • For Programmers:
        • General SQL injection methods
        • General data input and HTML based form methods
        • General XSS (Cross-Site Scripting) methods
        • OWASP (Open Web Application Security Project).
        • Damn Vulnerable Web App (PHP)
        • Brakeman (Ruby on Rails apps)
      • For end users – the last line of defence:
        • Windows GPO (Group Policy) to enforce policies.
        • Anti-Virus, Anti-Malware.
        • Personal firewall.
  • Planning for the worst
    • When (not if) an attack happens, how do we get back to business?
      • Halt and think – Don’t panic.
        • Firewall block immediately
      • Perform forensic analysis/gather evidence
        • Finding running processes and file handles (procfs, lsof).
        • Packet analysis (tcpdump/Wireshark) and system-call tracing of suspect processes (strace).
        • Log gathering
        • Looking for suspect and hidden files (e.g. in /tmp and /opt; use find with an mtime filter to list recently modified files).
      • Report findings to business stakeholders.
        • Business due diligence and when to report to authorities.
      • Recover from backups or invoke the BC (Business Continuity) plan?
  • Further Reading
    • SANS Top 20 Critical Security Controls (now maintained by CIS as the CIS Critical Security Controls)
    • Kevin Mitnick’s book on Social Engineering
    • OWASP Top 10 Vulnerabilities
    • CVE Vulnerabilities List
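
Worked example for the "Encryption" items (the asymmetric flow and validity checking with hashing). This is an added example, not code from the presentation. The RSA part is textbook RSA with the tiny primes 61 and 53 so that the Plaintext -> Public Key -> Ciphertext -> Private Key -> Plaintext steps can be followed by hand; it is a teaching model only, with no padding, and is not usable for real data. The digest check refuses MD5 and SHA-1 unless explicitly allowed, which is this example's policy rather than anything from the slides.

```python
import hashlib
import hmac
from typing import Tuple

Key = Tuple[int, int]


# ---- Asymmetric encryption: textbook RSA with toy parameters (teaching model only) ----
def toy_rsa_keypair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Return ((e, n), (d, n)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e mod phi(n); needs Python 3.8+
    return (e, n), (d, n)


def rsa_encrypt(public_key: Key, m: int) -> int:
    """Plaintext -> Public Key -> Ciphertext: c = m^e mod n."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(private_key: Key, c: int) -> int:
    """Ciphertext -> Private Key -> Plaintext: m = c^d mod n."""
    d, n = private_key
    return pow(c, d, n)


# ---- Integrity: checking data against a published digest ----
WEAK_HASHES = {"md5", "sha1"}  # collision-broken; an attacker can craft a second input


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def verify_digest(data: bytes, expected_hex: str, algorithm: str = "sha256",
                  allow_weak: bool = False) -> bool:
    """Constant-time comparison of the computed digest with the published one."""
    if algorithm.lower() in WEAK_HASHES and not allow_weak:
        raise ValueError("%s is not collision resistant; use sha256 or stronger" % algorithm)
    return hmac.compare_digest(digest_hex(data, algorithm), expected_hex.lower())


if __name__ == "__main__":
    public, private = toy_rsa_keypair(61, 53)      # n = 3233, d = 2753
    ciphertext = rsa_encrypt(public, 65)           # 2790
    print(public, private, ciphertext, rsa_decrypt(private, ciphertext))
    published = digest_hex(b"hello world")         # what a vendor would publish beside a download
    print(verify_digest(b"hello world", published), verify_digest(b"hello world!", published))
```

Note that a digest published on the same web page as the download protects only against corruption: an attacker who can replace the file can replace the digest too, which is why signatures (the private-key half of the flow above) are used for software distribution.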
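
Worked example for "Brute-Force" under network attacks and "Monitoring and Scanning, Log analysis" under protections. This is an added example, not code from the presentation: a small detector run over constructed sshd log lines (the hostnames, PIDs and addresses are made up; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges). The `threshold` and `window_seconds` values are the example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample sshd lines in syslog format; illustrative, not captured traffic.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 web1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51432 ssh2
Mar  3 10:00:03 web1 sshd[2003]: Failed password for root from 203.0.113.7 port 51440 ssh2
Mar  3 10:00:04 web1 sshd[2004]: Failed password for root from 203.0.113.7 port 51441 ssh2
Mar  3 10:00:06 web1 sshd[2005]: Failed password for invalid user test from 203.0.113.7 port 51450 ssh2
Mar  3 10:00:08 web1 sshd[2007]: Failed password for invalid user oracle from 203.0.113.7 port 51455 ssh2
Mar  3 10:00:09 web1 sshd[2010]: Accepted publickey for deploy from 198.51.100.20 port 40212 ssh2
Mar  3 10:00:11 web1 sshd[2012]: Failed password for root from 203.0.113.7 port 51460 ssh2
Mar  3 10:00:30 web1 sshd[2020]: Accepted password for root from 203.0.113.7 port 51500 ssh2
Mar  3 10:05:00 web1 sshd[2101]: Failed password for alice from 192.0.2.50 port 33000 ssh2
Mar  3 10:12:00 web1 sshd[2150]: Failed password for alice from 192.0.2.50 port 33010 ssh2
Mar  3 10:12:05 web1 sshd[2151]: Accepted password for alice from 192.0.2.50 port 33011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<kind>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


class AuthEvent(NamedTuple):
    ts: datetime
    kind: str   # "Failed" or "Accepted"
    user: str
    ip: str


def parse_auth_log(text: str) -> List[AuthEvent]:
    """Parse the Failed/Accepted lines; other sshd and syslog lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog omits the year
        events.append(AuthEvent(ts, m.group("kind"), m.group("user"), m.group("ip")))
    return events


def brute_force_sources(events: List[AuthEvent], threshold: int = 5,
                        window_seconds: int = 60) -> Dict[str, int]:
    """{ip: peak failures inside any sliding window} for sources at or above threshold."""
    failures = defaultdict(list)
    for ev in events:
        if ev.kind == "Failed":
            failures[ev.ip].append(ev.ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1          # slide the window forward
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def successes_after_brute_force(events: List[AuthEvent], threshold: int = 5,
                                window_seconds: int = 60) -> List[Tuple[str, str]]:
    """(ip, user) pairs where a flagged source later logged in: treat the account as compromised."""
    flagged = brute_force_sources(events, threshold, window_seconds)
    first_failure = {}
    for ev in events:
        if ev.kind == "Failed" and ev.ip in flagged and ev.ip not in first_failure:
            first_failure[ev.ip] = ev.ts
    return [(ev.ip, ev.user) for ev in events
            if ev.kind == "Accepted" and ev.ip in flagged and ev.ts >= first_failure[ev.ip]]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print(brute_force_sources(evs))           # {'203.0.113.7': 6}
    print(successes_after_brute_force(evs))   # [('203.0.113.7', 'root')]
```

The second function is the one that matters for incident response: a burst of failures followed by an "Accepted" from the same source is the signature of a guessed password, and the account should be disabled and the session investigated rather than merely blocking the address.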
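
Worked example for the evidence-gathering items under "Planning for the worst" (running processes and file handles; suspect and hidden files found by modification time). This is an added example, not code from the presentation: it does in Python what the slides describe doing with find and procfs, so it runs the same way on any machine. The hours cut-off, the flags it raises and the constructed demo tree (`build_demo_tree`) are the example's own; the /proc check is Linux-only and returns nothing elsewhere.

```python
import os
import stat
import tempfile
import time
from typing import List, Optional, Tuple

Hit = Tuple[str, float, List[str]]  # (path relative to root, mtime, flags)


def recent_files(root: str, hours: float = 24, now: Optional[float] = None) -> List[Hit]:
    """Files under root modified within `hours`, newest first, the find -mtime equivalent.
    Flags mark what an analyst looks at first: hidden names, setuid/setgid bits, executables."""
    now = time.time() if now is None else now
    cutoff = now - hours * 3600
    hits: List[Hit] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow a symlink an attacker may have planted
            except OSError:
                continue
            if st.st_mtime < cutoff:
                continue
            flags = []
            if name.startswith("."):
                flags.append("hidden")
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                flags.append("setuid/setgid")
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IXUSR:
                flags.append("executable")
            hits.append((os.path.relpath(path, root), st.st_mtime, flags))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


def processes_with_deleted_binaries() -> List[Tuple[int, str]]:
    """Linux only: PIDs whose executable was unlinked after start (malware hiding its file).
    Reads the /proc/<pid>/exe link, which is what lsof also uses; [] where procfs is absent."""
    found = []
    if not os.path.isdir("/proc"):
        return found
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            target = os.readlink(os.path.join("/proc", pid, "exe"))
        except OSError:
            continue  # kernel threads, or processes we lack permission to inspect
        if target.endswith(" (deleted)"):
            found.append((int(pid), target))
    return found


def build_demo_tree(now: Optional[float] = None) -> Tuple[str, float]:
    """Constructed sample tree: a fresh log, a fresh hidden executable and a three-day-old file."""
    now = time.time() if now is None else now
    root = tempfile.mkdtemp(prefix="triage-demo-")
    for name, age_hours, mode in (("app.log", 1, 0o644), (".x.sh", 2, 0o755), ("old.txt", 72, 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("demo\n")
        os.chmod(path, mode)
        os.utime(path, (now - age_hours * 3600, now - age_hours * 3600))
    return root, now


if __name__ == "__main__":
    root, now = build_demo_tree()
    for rel, mtime, flags in recent_files(root, hours=24, now=now):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), rel, flags)
    print(processes_with_deleted_binaries())
```

Run the file listing against /tmp, /opt and web roots before anything is cleaned up, and record the output: modification times are evidence, and the first reboot or package update will overwrite them.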

