The Ultimate Linux Newbie Guide

Information Security 101: What your business needs to know

The Essentials of Information Security

In this presentation we cover the essentials of how to protect your intellectual property, primarily where it relates to the information your business depends upon. Only a smaller part of the presentation deals with the technical tools used to protect your business, and although this guide is biased towards Linux tooling, the principles apply to any computer system and operating system. Whether your desktops and workstations run Mac, Windows or Linux, securing every part of your workplace ICT is incredibly important: almost all businesses rely on ICT as the lifeblood of every segment of their operations.

Format and intended audience

This guide is in presentation format, so that you may present it to workplace colleagues who would like training or to grow knowledge in security principles, methods and tooling.

The intended audience is ICT professionals in businesses, but the material is still appropriate for anyone interested in IS (Information Security).

If you would like to see the slide outline, scroll to below the presentation.

Let Alistair present it for you!

If you are interested in having the author provide your business with an engaging presentation, training, consultation or support on any of the topics covered in this presentation, or on business information systems in general (especially Linux and Open Source), then please get in touch. Alistair has years of presentation experience and is a senior technical leader, having worked for reputable businesses such as Amazon and GE as well as medium-sized companies worldwide.

Slide Deck


Information Security 101

What your business needs to know

A guide to the why’s, the how’s and the what’s of protecting your business against information security risks.

(C) Copyright Alistair Ross 2017 | www.linuxnewbieguide.org


Topics covered in this presentation:

  • Why is Information Security important?
  • Things you should know
  • Who would be interested in exploiting my ICT systems?
  • What sort of attacks can be made?
  • How can I protect against each type of attack?
  • Tooling
  • Planning for the worst
  • Further Reading.

Why is Information Security Important?

  • The harm it can cause your business:
    • Loss of intellectual property.
    • Loss of reputation, market share and brand.
    • Extortion & Ransom (including loss of direct bank funds).


Risk Profiling

  • Firstly, let’s discuss the risk profile in your business.
    • From your business owner’s perspective:
      • Your information is everything; it is the lifeblood of modern business.
  • The interest profile in your infrastructure:
    • The value of ‘free’ compute power to attackers.

Things you should know 1/4:

  • Definition of Information Security, the CIA triad:
    • Confidentiality: Protection of your information from unauthorised access.
    • Integrity: Information is as it should be, not modified in an unauthorised (or even mistaken) way.
    • Availability: Ensuring the information you have is always available.

Things you should know 2/4:

The three main elements to security are:

  • People
  • Process
  • Technology

Things you should know 3/4:

  • Your organisation should have an IS policy.
    • Although, remember that if you make it onerous on your staff, they will work around it at every opportunity. Security is all about effective compromise.
  • Simply having a firewall is not the answer: Defence in depth is needed.
  • It is a matter of when, not if, you get exploited.

Things you should know 4/4:

  • Trust. Your business is built on it, yet:
    • Your staff and vendors can be hostile!
      • They may not be aware of an attempt upon them.
      • They can install software, open docs & go to sites that do ‘bad things’.
      • They may intentionally do harm.
  • Just because it’s in the Cloud does not mean it is secure. It is only as good as the people that put it in the cloud, and the company operating the cloud service.

Who would be interested in exploiting my ICT systems?

  • Targeted Attackers
    • Staff/Disgruntled ex-staff
    • Hired hitters
    • Opportunists
  • Non Targeted Attackers
    • Script Kiddies
  • Bots/Spambots.

What sort of attacks can be made?

  • Social Engineering:
    • Phishing
    • People based data exit (intentional and non-intentional): data leaving out of the door (and into the cloud).
    • Ransom/Blackmail.
    • In person, by post, personal e-mail and telephone.

What sort of attacks can be made? (cont…)

  • Physical Exploits
    • HID (Human Interface Devices) (ex. Rubber Ducky, Bash Bunny)
    • LAN Network Tapping (ex. Great Scott Gadgets Throwing Star LAN Tap)
    • WiFi (ex. The WiFi Pineapple)
    • Stealing paper documents etc.

What sort of attacks can be made (cont…)

  • Network and Internet based Exploits
    • Vulnerability exploiting
    • DNS, DHCP Poisoning/Redirection
    • SSL offloading and obfuscation
    • MITM Attacks (Man in the middle)
    • (D)DoS Attacks
    • Ransomware & Malware
    • Brute-Force / Dictionary and Rainbow Table attacks

How can I protect against each type of attack?

Social Engineering:

  • Training, training, training!
  • Verify all the sources of requests.
  • Be aware of information you are releasing (public or otherwise).
    • Does/should the person asking really need that information?
  • Determine which of your assets are most valuable to criminals.
  • Stay strong, don’t break. Report it straight away.

Physical:

  • Lock and Keys
  • Log out of your machine when you walk away (or at least lock it with a password).
  • Dispose of data responsibly (shred, computer recycling).
  • Authentication mechanisms, auditability.

How can I protect against each type of attack? (cont…)

Network and Internet based exploit protection:

  • Password, 2FA, Token. Encryption.
    • End user authentication, directories.
    • Passwords on switches, firewalls, SANs, servers and cloud accounts are even more important.
    • Auditing of administrative users. Ensuring network access levels are appropriate.

(cont…)

  • Monitoring and Scanning, Log analysis.
  • Patching/Updating.
  • If it’s open to the Internet, first ask why. Then do:
    • Close un-necessary ports/services.
    • Proxy/Reverse Proxy
    • Source IP Limitation (firewall)
    • VPN Connections
    • Amazon/Azure/cloud: VPC, etc.
    • Stop version information being shown (eg status.html, phpinfo.php).
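The "Monitoring and Scanning, Log analysis" bullet above is where a tool such as Fail2Ban earns its keep. The following script is an added example, not part of the original presentation: it reads syslog-format sshd lines, counts failed password attempts per source address, and reports every address that reaches a threshold, which is the core of what a Fail2Ban jail does before it adds a firewall rule. The log lines are constructed sample data using TEST-NET addresses; the threshold of 5 is an assumption, chosen to mirror a typical "maxretry" setting. It assumes POSIX sh with grep, sed, sort, uniq and awk.

```shell
#!/bin/sh
# Added example (not from the original presentation): a minimal
# Fail2Ban-style analysis of SSH authentication failures. It counts
# "Failed password" events per source IP and reports the IPs at or
# above a threshold, so an operator can block them at the firewall
# or tune a real Fail2Ban jail.

# Constructed sample auth.log lines (TEST-NET addresses, no real hosts).
SAMPLE_AUTH_LOG='Mar  3 10:01:02 web1 sshd[2210]: Failed password for invalid user admin from 192.0.2.10 port 51122 ssh2
Mar  3 10:01:04 web1 sshd[2210]: Failed password for invalid user admin from 192.0.2.10 port 51123 ssh2
Mar  3 10:01:05 web1 sshd[2214]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar  3 10:01:06 web1 sshd[2210]: Failed password for root from 192.0.2.10 port 51124 ssh2
Mar  3 10:01:09 web1 sshd[2220]: Failed password for bob from 203.0.113.5 port 60010 ssh2
Mar  3 10:01:10 web1 sshd[2210]: Failed password for root from 192.0.2.10 port 51125 ssh2
Mar  3 10:01:11 web1 sshd[2210]: Failed password for root from 192.0.2.10 port 51126 ssh2'

# failed_logins_by_ip: print "count ip" for every source IP with at
# least one failed password attempt, most frequent first.
# Usage: failed_logins_by_ip < auth.log
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# offenders THRESHOLD: print only the IPs whose failure count reaches
# THRESHOLD (default 5, an assumed Fail2Ban-style "maxretry" value).
# Usage: offenders 5 < auth.log
offenders() {
    threshold="${1:-5}"
    failed_logins_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# suggest_block THRESHOLD: render the firewall rule an operator would
# apply for each offender. It prints rather than runs the rule, so the
# script is safe to try on a workstation; review before applying.
suggest_block() {
    offenders "$1" | while read -r ip; do
        echo "iptables -I INPUT -s $ip -j DROP   # review before applying"
    done
}

# Demonstration on the constructed log: which sources reach the threshold?
printf '%s\n' "$SAMPLE_AUTH_LOG" | suggest_block 5
```

On a real host the same functions are run as `offenders 5 < /var/log/auth.log`; the point of the threshold is to separate a user mistyping a password twice from an automated dictionary attack, which is the distinction Fail2Ban's `maxretry` and `findtime` settings encode.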

(cont…)

  • Encryption
    • Asymmetric encryption: Plaintext -> Public Key -> Cipher Text -> Private Key -> Plaintext.
    • Validity checking with MD5 hashing.
    • Certificate authorities – who to trust (the Trusted Authorities List) – and when it can go wrong.
    • Encrypted messaging/e-Mail.
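The "validity checking with MD5 hashing" bullet above is the integrity leg of the CIA triad in practice: publish a digest of a file, and anyone who receives the file can recompute the digest and compare. The script below is an added example, not part of the original presentation. It accepts both md5 and sha256 so the check can be run either way; the caveat a practitioner should know is that MD5 collisions are cheap to produce today, so SHA-256 is the digest to publish, and a digest published on the same channel as the file protects only against accidental corruption, not against an attacker who can replace both (that is the gap the next bullet, certificate authorities and signatures, closes). It assumes GNU coreutils `md5sum` and `sha256sum`; the test file content "hello\n" is constructed, and its digests are the well-known values.

```shell
#!/bin/sh
# Added example (not from the original presentation): verifying that a
# file is unmodified by comparing its digest with a published value.
# Assumes GNU coreutils md5sum/sha256sum.

# digest_of FILE ALGO -> prints the hex digest (ALGO: md5 or sha256)
digest_of() {
    file="$1"
    case "$2" in
        md5)    md5sum "$file" | awk '{ print $1 }' ;;
        sha256) sha256sum "$file" | awk '{ print $1 }' ;;
        *)      echo "unsupported algorithm: $2" >&2; return 2 ;;
    esac
}

# verify_digest FILE EXPECTED ALGO -> returns 0 if the file's digest
# equals EXPECTED (compared case-insensitively), 1 if it differs,
# 2 if the algorithm is unknown.
verify_digest() {
    actual=$(digest_of "$1" "$3") || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK   $1 ($3)"
        return 0
    fi
    echo "FAIL $1 ($3): expected $expected, got $actual" >&2
    return 1
}

# Demonstration with a constructed file whose content is "hello\n";
# the published digests below are the well-known values for it.
demo_verify() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    verify_digest "$tmp" b1946ac92492d2347c6235b4d2611184 md5
    verify_digest "$tmp" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 sha256
    # Change a single byte: the digest no longer matches, so the check fails.
    printf 'hellO\n' > "$tmp"
    verify_digest "$tmp" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 sha256 || true
    rm -f "$tmp"
}

demo_verify
```

The usual workflow is `verify_digest downloaded.iso "$(cat downloaded.iso.sha256)" sha256` after fetching the digest from a source you trust more than the download mirror, for example the vendor's signed release page.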

(cont…)

  • Network Controls (eg insecure WiFi and Firewalling)
    • Don’t connect automatically to free/open public WiFi hotspots, or those using WEP.
    • Don’t trust that a WiFi SSID really is the network it says it is.

Policies and Training your staff

  • Password strength, 2 Factor Authentication, Enforcement thereof.
  • Avoid storing restricted data on mobile devices and removable devices (eg USB sticks).
    • Theft
    • Misuse
    • Mobile Vulnerabilities: Executables and Drive-bys (bluetooth etc)
    • Personal devices in the workplace.

Policies and Training your staff (cont…)

  • Insecure messaging systems (Yes, that means you, E-mail!), personal email accounts for work.
  • Sharing passwords, sending passwords in ‘the clear’.
  • Cloud storage and Cloud applications:
    • Cloud vendors’ integrity and how they look after your security (password strength etc).
    • Cloud vendors going out of business
    • Cloud vendors’ policies regarding your information.
  • Clicking on shortened links, email attachments, macros, popups, pop-unders, misguiding links.

Policies and Training your staff (cont…)

  • HR and IT ops: Onboarding, offboarding and hiring.
  • Getting non IT staff to report any suspected security risk or breach.
  • Get your executive board to provide guidance on data classification; use a RASCI matrix which takes into account the value of each level of asset, ordered by criticality to the business operation and reputation.
  • Inventory all the things (Software, Hardware, IP addresses, People)
    • What is authorised vs what is not authorised.
  • For developers: Code review, Use tooling.

Policies and Training your staff (cont…)

  • IT Staff must routinely schedule security audits (daily, weekly. Monthly may be too late!). Consider:
    • Patch levels,
    • CVE Vulnerability list, cross check against externally visible applications at least.
    • Executing / Analysing reports from security tooling.

Tooling

  • Port Scanning: Nmap, ShieldsUP!
    • Common Port numbers (/etc/services).
  • OpenVAS – Vulnerability Scanning.
  • OSSEC – Intrusion Detection.
  • Kali Linux – (pen testing distro) and the Metasploit Framework (Windows, Mac, Linux).
  • Security Onion – Linux Distro for intrusion detection and security monitoring.
  • tcpdump/Wireshark packet analysis tools.
  • Tripwire – file change auditing.
  • Fail2Ban – Temporary IP based access lock out via firewall.
  • SELinux / AppArmor

Tooling (cont…)

  • For Programmers:
    • General SQL injection methods
    • General data input and HTML based form methods
    • General XSS (Cross-Site Scripting) methods
    • OWASP (Open Web Application Security Project).
    • Damn Vulnerable Web App (PHP)
    • Brakeman (Ruby on Rails Apps)

Tooling (cont…)

  • For end users – the last line of defence:
    • Windows GPO (Group Policy) to enforce policies.
    • Anti-Virus, Anti-Malware.
    • Personal firewall.

Planning for the worst

  • Make a plan, which comprises the following (at least)…
  • When an attack happens, how do we get back to business?
    • Halt and think – Don’t panic.
      • Block the server at the firewall immediately.
      • Make a copy of the disk and work on the copy.

Planning for the worst (cont…)

  • Perform forensic analysis/gather evidence
    • Finding running processes and file handles (procfs, lsof).
    • Find suspect processes (ps auxwww)
    • Process analysis (strace, ltrace)
    • Log gathering
    • Looking for suspect and hidden files (/tmp, /dev. Doing a find based on mtime).
    • Logged in users (who/w, last)
    • New user accounts in /etc/passwd (a sign of poor skills on the attacker’s part!).
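The forensic checklist above (and the "make a copy of the disk and work on the copy" and chain-of-custody points around it) can be turned into a first-response script, so that the evidence is captured the same way every time and before anyone touches the box. The script below is an added example, not from the original presentation: it snapshots volatile state with the tools the slide names (ps, lsof, who/w/last), lists recently modified files by mtime, diffs /etc/passwd against a trusted baseline to surface new accounts, and seals the evidence directory with a SHA-256 manifest so it can later be shown to be unaltered. It assumes a Linux host with procps, lsof, iproute2 and GNU coreutils; each live command is skipped if its tool is absent. The `BASELINE_PASSWD` variable, the `--collect` flag and the evidence directory layout are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the original presentation): first-response
# evidence collection for a suspected Linux compromise. Captures the
# volatile state listed on the slide, finds recent files and new
# accounts, and writes a digest manifest for chain of custody.
# Assumes procps (ps), lsof, iproute2 (ss), util-linux (last, w, who)
# and GNU coreutils; missing tools are skipped rather than fatal.

# run_capture DIR NAME CMD... : run CMD if installed, saving its output
# to DIR/NAME.txt; a non-zero exit keeps the partial output.
run_capture() {
    dir="$1"; name="$2"; shift 2
    command -v "$1" >/dev/null 2>&1 || { echo "skip $name ($1 not installed)"; return 0; }
    "$@" > "$dir/$name.txt" 2>&1 || echo "note: $1 exited non-zero (partial output kept)"
    echo "saved $name"
}

# collect_volatile DIR : snapshot the things that vanish on reboot.
# Processes and sockets first, since they change fastest.
collect_volatile() {
    dir="$1"; mkdir -p "$dir"
    date -u > "$dir/collected_at.txt"
    run_capture "$dir" processes   ps auxwww
    run_capture "$dir" open_files  lsof -nP
    run_capture "$dir" sockets     ss -tulpan
    run_capture "$dir" logged_in   w
    run_capture "$dir" who_all     who -a
    run_capture "$dir" logins      last -F
}

# recent_files ROOT MINUTES : regular files modified within the last
# MINUTES minutes on ROOT's filesystem (the slide's mtime-based find).
recent_files() {
    find "$1" -xdev -type f -mmin "-$2" 2>/dev/null | sort
}

# new_accounts BASELINE_PASSWD CURRENT_PASSWD : usernames present in the
# current passwd file but absent from a trusted baseline copy.
new_accounts() {
    base="${TMPDIR:-/tmp}/passwd.base.$$"
    cut -d: -f1 "$1" | sort > "$base"
    cut -d: -f1 "$2" | sort | comm -13 "$base" -
    rm -f "$base"
}

# image_disk DEVICE OUTFILE : bit-for-bit copy of an (unmounted) disk for
# offline analysis, followed by the image digest. Not run automatically.
image_disk() {
    dd if="$1" of="$2" bs=4M conv=noerror,sync status=progress && sha256sum "$2"
}

# seal_evidence DIR : write a SHA-256 manifest of every file in DIR and
# print the number of entries. Later, `sha256sum -c MANIFEST.sha256`
# run inside DIR proves the collection has not been altered.
seal_evidence() {
    ( cd "$1" && find . -type f ! -name MANIFEST.sha256 | sort | xargs -r sha256sum ) \
        > "$1/MANIFEST.sha256"
    wc -l < "$1/MANIFEST.sha256" | tr -d ' '
}

# Typical use on a suspect host (example convention, not run by default):
#   BASELINE_PASSWD=/mnt/usb/passwd.baseline sh evidence.sh --collect /mnt/usb/evidence
if [ "${1:-}" = "--collect" ]; then
    collect_volatile "$2"
    recent_files / 1440 > "$2/recent_files_24h.txt"
    new_accounts "${BASELINE_PASSWD:?set BASELINE_PASSWD to a trusted copy of /etc/passwd}" /etc/passwd \
        > "$2/new_accounts.txt"
    echo "manifest entries: $(seal_evidence "$2")"
fi
```

Write the evidence to removable media or a remote share rather than the suspect disk, record who ran the collection and when alongside the manifest, and keep the manifest's digest somewhere the attacker cannot reach; that is what makes the "make no changes" rule provable later.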

Planning for the worst (cont…)

  • Report findings to business stakeholders.
    • Business due diligence and when to report to authorities.
    • Chain of custody. Make no changes, plan to use as evidence in court.
    • Assisting your executive with the message to your clients.
  • Recover from backups or invoke BC Plan?

Further Reading

  • SANS Top 20 Critical Security Controls
  • Kevin Mitnick’s book on Social Engineering
  • OWASP Top 10 Vulnerabilities
  • CVE Vulnerabilities List

Key Learnings/Action Points

Information Security is important.

  • Don’t let it be an afterthought!

People, Process and Technology:

  • A winning formula for getting I.S. right:
    • People: Education, Social Engineering, Physical Exploits, Extortion, Lock & Key.
    • Process: Inventory, Policy.
    • Technology: Service Exploits, Tooling (inc Automated), Monitoring & Alerting.
  • Just having a firewall is not the answer. Defence in depth!

Slide outline

The following topics were covered within the presentation:

  • Why is Information Security important?
    • The interest profile in your business
      • Your information is everything, and it’s vulnerable!
      • Data exfiltration.
    • The interest profile in your infrastructure.
      • The value of free compute power to attackers.
    • The harm it can cause your business:
      • Loss of intellectual property, and,
      • Loss of reputation, market share and brand.
      • Extortion & Ransom (including loss of direct bank funds).
  • Things you should know:
    • Definition of Information Security, the CIA triad:
      • Confidentiality: Protection of your information from unauthorised access.
      • Integrity: Information is as it should be, not modified in an unauthorised (or even mistaken) way.
      • Availability: Ensuring the information you have is always available.
    • Main elements of security:
      • People
      • Process
      • Technology
    • Having a policy. When it is important and when it is a burden.
    • A firewall is not the answer: Defence in depth.
    • When, not if you get exploited.
    • Trust: Your business is built on it, yet:
      • Your staff and vendors can be hostile!
        • They may not be aware of an attempt upon them.
        • They can install software, open docs & go to sites that do bad things.
        • They may intentionally do harm.
    • The Cloud != Secure
  • Who would be interested in exploiting my ICT systems?
    • Targeted Attackers
      • Staff/Disgruntled ex-staff
      • Hired hitters
      • Opportunists
    • Non Targeted Attackers
      • Script Kiddies
    • Bots/Spambots.
  • What sort of attacks can be made?
    • Social Engineering:
      • Phishing
      • People based data exit (intentional and non-intentional): data leaving out of the door (and into the cloud).
      • Ransom/Blackmail.
      • In person, by post, personal e-mail and telephone.
    • Physical Exploits
      • HID (Human Interface Devices) (ex. Rubber Ducky, Bash Bunny)
      • LAN Network Tapping (ex. Great Scott Gadgets Throwing Star LAN Tap)
      • WiFi (ex. The WiFi Pineapple)
    • Network and Internet based Exploits.
      • Vulnerability exploiting
      • DNS, DHCP Poisoning/Redirection
      • SSL offloading and obfuscation
      • MITM Attacks (Man in the middle)
      • (D)DoS Attacks
      • Ransomware & Malware
      • Brute-Force
  • How can I protect against each type of attack?
    • Social:
      • Verify, Verify and Trust.
    • Physical:
      • Lock and Keys
      • Log out of your machine when you walk away (or at least lock it with a password).
      • Dispose of data responsibly (shred, computer recycling).
      • Authentication mechanisms, auditability.
    • Network and Internet based exploit protection.
      • Password, 2FA, Token. Encryption.
        • End user authentication, directories.
        • Passwords on switches, firewalls, SANs, servers and cloud accounts are even more important.
        • Auditing of administrative users. Ensuring network access levels are appropriate.
      • Monitoring and Scanning, Log analysis.
      • Patching/Updating.
      • If it’s open to the Internet, why?
        • Closing ports/services.
        • Proxy/Reverse Proxy
        • Source IP Limitation
        • VPN Connections
        • Amazon/Azure/cloud: VPC, etc.
        • Stop version information being shown (eg status.html, phpinfo.php).
      • Encryption
        • Asymmetric encryption: Plaintext -> Public Key -> Cipher Text -> Private Key -> Plaintext.
        • Validity checking with MD5 hashing.
        • Certificate authorities – who to trust (the Trusted Authorities List) – and when it can go wrong.
        • Encrypted messaging/e-Mail.
      • Network Controls (eg insecure WiFi and Firewalling)
        • Don’t connect automatically to free/open public WiFi hotspots, or those using WEP.
        • Don’t trust that a WiFi SSID really is the network it says it is.
      • Policies and Training your staff: Admin/Ops Staff, Management, Developers.
        • Password strength, 2 Factor Authentication, Enforcement thereof.
        • Avoid storing restricted data on mobile devices and removable devices (eg USB sticks).
          • Theft
          • Misuse
          • Mobile Vulnerabilities: Executables and Drive-bys (bluetooth etc)
          • Personal devices in the workplace.
        • Insecure messaging systems (Yes, that means you, E-mail!), personal email accounts for work.
        • Sharing passwords, sending passwords in ‘the clear’.
        • Cloud storage and Cloud applications:
          • Cloud vendors’ integrity and how they look after your security (password strength etc).
          • Cloud vendors going out of business
          • Cloud vendors’ policies regarding your information.
          • Clicking on shortened links, email attachments, macros, popups, pop-unders, misguiding links.
        • HR and IT ops: Onboarding, offboarding and hiring.
        • Getting non IT staff to report any suspected security risk or breach.
        • Get your executive board to provide guidance on data classification; use a RASCI matrix which takes into account the value of each level of asset, ordered by criticality to the business operation and reputation.
        • Inventory all the things (Software, Hardware, IP addresses, People)
          • What is authorised vs what is not authorised.
        • For developers: Code review, Use tooling.
      • IT Staff must routinely schedule security audits (daily, weekly. Monthly may be too late!). Consider:
        • Patch levels,
        • CVE Vulnerability list, cross check against externally visible applications at least.
        • Executing / Analysing reports from security tooling.
    • Tooling:
      • Nmap Port Scanning.
        • Common Port numbers (/etc/services).
      • OpenVAS Vulnerability Scanning.
      • OSSEC Intrusion Detection.
      • Kali Linux and the Metasploit Framework (Windows, Mac, Linux).
      • tcpdump/Wireshark
      • Security Onion
      • Tripwire file auditing
      • SELinux / AppArmor
      • For Programmers:
        • General SQL injection methods
        • General data input and HTML based form methods
        • General XSS (Cross-Site Scripting) methods
        • OWASP (Open Web Application Security Project).
        • Damn Vulnerable Web App (PHP)
        • Brakeman (Ruby on Rails Apps)
      • For end users – the last line of defence:
        • Windows GPO (Group Policy) to enforce policies.
        • Anti-Virus, Anti-Malware.
        • Personal firewall.
  • Planning for the worst
    • When (not if) an attack happens, how do we get back to business?
      • Halt and think – Don’t panic.
        • Firewall block immediately
      • Perform forensic analysis/gather evidence
        • Finding running processes and file handles (procfs, lsof).
        • Process analysis (strace, ltrace)
        • Log gathering
        • Looking for suspect and hidden files (/tmp, /opt. Doing a find based on mtime).
      • Report findings to business stakeholders.
        • Business due diligence and when to report to authorities.
      • Recover from backups or invoke BC Plan?
  • Further Reading
    • SANS Top 20 Critical Security Controls
    • Kevin Mitnick’s book on Social Engineering
    • OWASP Top 10 Vulnerabilities
    • CVE Vulnerabilities List