Information Security Its more than just a firewall

Information Security It’s more than just a firewall.

Presented by: Eric Gruss Assistant Vice President Information Technology Manager Information Security Officer Reliance Bank EGruss@Reliance. Bank. com

Information Security Top Down or Bottom Up? • It doesn’t matter, they meet in the middle. Start somewhere, and look at everything. • Remember that it is an Information SYSTEM, you must look at the complete overall system but also understand each component as an island in order to achieve the goal. • Every facet of an Information System must be examined in order to understand risk.

Risk Analysis • What sensitive information is housed by the organization? Is it regulated? • Where is this information stored? Can or should it be consolidated? • Who needs access, when do they need it, from where will they access it? • How long can we live without it? • How much will it hurt if it is leaked?

Risk Analysis • It is only after the risk is understood, that we can begin to devise a plan to mitigate it. • For most of us, there is also a financial component, you must understand your exposure to risk, the likely hood that it will be exploited, and your comfort level with that. Based on available resources, not all risks can be completely mitigated.

Firewall • Deny all, permit on exception in BOTH directions. • Use names and groups whenever possible. • Test it yourself from home- REGULARLY!

Free Software Firewall. Zone Alarm Free If you are looking for a free (for individual and not-for-profit use) all-in-one security suite that includes a Firewall tool, Zone Alarm is hard to beat. Zone Alarm includes a new Defense. Net feature that leverages the real-time threat data from millions of community users that aids to detect and block threats. Firestarter (free) Firestarter, on the other hand, is a very good Linux firewall tool that is perfect for new users. Even though this firewall tool is powerful enough for desktops, servers, and gateways, it is still easy enough for any level of user to leverage. This tool also allows Internet connection sharing and can set up DHCP for a local network. And for the advanced user, Firestarter offers advanced kernel tuning for firewall rules.

Free Software Firewall. PCTools Firewall Plus (free) During the installation of Firewall Plus there is a very crucial step that allows the user to choose between simple or advanced. By choosing the Advanced option the user will have far more control over how they can use and interact with the Firewall. Another nice feature of PCTools Firewall Plus it that it will detect when the machine has been attached to a new network. Once the new network has been detected the user can then set the trust level for each network they join. Gufw (free) This particular firewall tool is an Ubuntu Linux-only tool that rivals Firestarter for ease of use. Gufw is merely an easy-to-use frontend for UFW (Uncomplicated Fire Wall) and allows you to block preconfigured, common services. You will not find nearly the control that you have in Firewall Builder or even the amount of features you will find in Firestarter. But for those who need a bare-bones, simple firewall on an Ubuntu machine, Gufw is perfect.

Content Filters • Minimum- maintain an access list of sites to block either at the firewall or via DNS. • Open. DNS. org • Employ a high quality web content filter such as Websense. • Employ a high quality SPAM filter such as Websense or Messaging Architects or • at least use a well known RBL like Spamhaus or Spamcop.

Virtual Local Area Networks • Vlans can be a great tool to segregate and control access at layer 2/3 • Create access list to control traffice flow between Vlans

Servers • Harden all servers, disable or uninstall services not required. • Software Firewall and Anti. Virus • Control local access. • Control Physical access. • Monitor System accounts.

User Access Rights • Make every effort to enforce policies through technology. • Restrict login access hours. • Restrict Admin or special user login based on workstation address. • Practice the principals of least privilege. All access is denied unless explicitly permitted. • Consider adding an auditing product like Blue Lance or NTP Software File Auditor.

Desktop • Lock boot device to hard disk only, and password protect bios. • Disable USB and CD/DVD Recorders if possible. • Control local access rights. • MUST have software firewall and anti virus protection installed and properly configured. • Use static IP Addresses wherever possible (or lock IP address by mac address). • Keep up to date on patches. • Disable unneeded services. • No data should be stored locally.

File Level Precautions • Consider using encryption, but understand the risks. • File access should be controlled to the finest granularity that can reasonably be attained.

Restrict use of Removable Media • Often this can be accomplished through the bios. • On windows machines it can be done through the registry. • Third party apps (such as Trigeo) can control this on a much more granular level.

Control Wireless • Turn off Wi. Fi if not required. • Consider placing wireless access points outside the firewall and using isolated Vlan and VPN.

Control Remote Access • Remote access rights should be well documented and auditable. • Use SSL at a minimum, prefer VPN. • Utilize two factor authentication. (pre shared key, smart card, fingerprint, and password)

Backup • Deletion can be nearly as bad as theft. Maintain good backup practices and test restore regularly. Move data off site, either by transporting the tapes or portable disks, or through backup to offsite locations.

Establish and Document Policies • Most everyone has an internet and email use policy that employees sign, but what about an information use policy? Policy should state that data be stored only on secure network storage provided by and maintained by your information technology department. • It may seem obvious that your employees are not to copy important company information and take it home or email it outside the internal network without permission. However, unless you put such policies in writing and have workers sign for receipt, you may be hard pressed to penalize them for violating that policy. Unwritten rules are much more difficult to enforce. • Your policies should be specific and give examples of what’s prohibited. Workers may not understand, unless you spell it out, that emailing a company document as an attachment to someone outside the network (or even to their own home account) is just as much a violation of policy as copying that document to a USB drive and physically taking it out the door. • Wording of the policy, however, should make it clear that the prohibition is not limited solely to the examples you give.

Secure your PDA! • Poison pill ability? • Set auto lock timeout. • Establish what data can be stored.

Disabling USB storage on a Windows platform: • • From Explorers folder options ensure that hidden files and folders are displayed, file extensions are not hidden and simple file sharing is disabled. Open up the properties for %systemroot%InfUsbtror. inf (%systemroot% would normally be ‘C: Windows’). Select the security tab and make sure that all options for all users are set to deny. This must include administrators and SYSTEM. Repeat the above for %systemroot%InfUsbstor. pnf If USB storage devices have been used on this machine previously then open up the registry editor otherwise ignore steps 6 and 7. Browse to the registry location ‘HKEY_LOCAL_MACHINESYSTEMCurrent. Control. SetServices Usb. Stor’. Open up the registry key ‘Start’ and change the data value to ‘ 4′. Close the registry editor.

If you are running Microsoft Windows XP on your desktop system, consider turning off the following services. • • • IIS – Microsoft’s Internet Information Services provide the capabilities of a Webserver for your computer. Net. Meeting Remote Desktop Sharing — Net. Meeting is primarily a Vo. IP and videoconferencing client for Microsoft Windows, but this service in particular is necessary to remote desktop access. Remote Desktop Help Session Manager – This service is used by the Remote Assistance feature that you can use to allow others remote access to the system to help you troubleshoot problems. Remote Registry – The capabilities provided by the Remote Registry service are frightening to consider from a security perspective. They allow remote users (in theory, only under controlled circumstances) to edit the Windows Registry. Routing and Remote Access – This service bundles a number of capabilities together, capabilities that most system administrators would probably agree should be provided separately. It is rare that any of them should be necessary for a typical desktop system such as Microsoft Windows XP, however, so they can all conveniently be turned off as a single service. Routing and Remote Access provides the ability to use the system as a router and NAT device, as a dialup access gateway, and a VPN server. Simple File Sharing – When a computer is not a part of a Microsoft Windows Domain, it is assumed by the default settings that any and all filesystem shares are meant to be universally accessible. In the real world, however, we should only want to provide shares to very specific, authorized users. As such, Simple File Sharing, which only provides blanket access to shares without exceptions, is not what we want to use for sharing filesystem resources. It is active by default on both MS Windows XP Professional and MS Windows XP Home editions. Unfortunately, this cannot be disabled on MS Windows XP Home. On MS Windows XP Professional, however, you can disable it by opening My Computer -> Tools -> Folder Options, clicking the View tab, and unchecking the Use simple file sharing (Recommended) checkbox in the Advanced settings: pane.

• • • If running Microsoft Windows XP, consider turning off the following services. SSDP Discovery Service – This service is used to discover UPn. P devices on your network, and is required for the Universal Plug and Play Device Host service (see below) to operate. Telnet – The Telnet service is a very old mechanism for providing remote access to a computer, most commonly known from its use in the bad ol’ days of security for remote command shell access on Unix servers. These days, using Telnet to remotely manage a Unix system may be grounds for firing, where an encrypted protocol such as SSH should be used instead. Universal Plug and Play Device Host – Once you have your “Plug and Play” devices installed on your system, it is often the case that you will not need this service again. Windows Messenger Service – Listed in the Services window under the name Messenger, the Windows Messenger Service provides “net send” and “Alerter” functionality. It is unrelated to the Windows Messenger instant messaging client, and is not necessary to use the Windows Messenger IM network. On your system, these services may not all be turned on, or even installed. Whether a given service is installed and running may depend on whether you installed the system yourself, whether you are using XP Home or XP Professional, and from which vendor you got your computer if MS Windows XP was installed by a vendor. With the exception of Simple File Sharing, all of the above listed services can be disabled from the same place. Simply click on the Start button, then navigate to Settings -> Control Panel, open Administrative Tools, and from there open the Services window. To disable any service in the list, double-click on its entry in that window and change the Startup type: setting. In general, you should change services you are turning off for security purposes to a “Disabled” state. When in doubt about whether a given service is necessary for other services, check the Dependencies tab in the service’s settings dialog.