Computer security is an ever changing environment. It is essential that you stay educated on how to protect yourself and your organization!

1. Computer Network Security For Small to Medium Sized Organizations Speaker: James Dempsey Contact: Sales@itscurrie.com Phone: 209-578-9739

2. Why are we here?

3. Getting started Please turn off cell phones Bathrooms

4. Myth: “I don’t have anything a hacker would be interested in.”

5. “Money is driving the growth of targeted attacks against financial institutions, enterprises, and governmental agencies” - ComputerWeekly.com

6. Revenues from cybercrime, at $1 trillion annually, are now exceeding those of drug crime. This was the testimony from AT&T’s Chief Security Officer Edward Amoroso, which he gave to a US Senate Commerce Committee - ComputerWeekly.com

7. Myth: “Hackers are usually just geeky kids screwing around.”

8. C2C – Criminal-to-Criminal Criminal #1 creates a crimeware toolkit with easy, step by step instructions… and sells it Criminal #2 buys the toolkit, and uses it to collect private data… and sells it Criminal #3 buys the private data, and exploits it for profit

9. What is at risk Your money Hackers steal from companies all the time Your data Your identity Once your system has been compromised, you have lost control of your personal information. Your hard earned reputation

10. MalWare / SpyWare Malware, short for malicious software, is software designed to infiltrate or damage a computer system without the owner's informed consent. - Wikipedia

11. It’s all in our heads? Have you been hacked? How does that make your feel…

12. Dealing With Specifics… How, exactly, can this affect my organization?

14. The setup… Sign Designs is a well established, responsible local company They work with the Bank of Stockton, a well know and responsible institution They contract with an independent, local computer consultant All employee’s have internet and email access They did not embrace a proactive security/stability maintenance program They have never had any form of network security audit or review

15. On July 23, 2009, Sign Designs lost nearly $100,000 when cyber-crooks initiated a series of transfers to 17 accomplices at 7 banks around the country. - http://voices.washingtonpost.com/securityfix/2009/09/more_business_banking_victims.html

16. The Repercussions Employee moral issues – was it an inside job? The FBI is interviewing all employees The FBI confiscates key equipment, causing further business disruption The banks seldom return money stolen from businesses in this fashion If confidential data is stolen as well, the business must report the theft to all affected clients, vendors, and employees

17. SB-1386 Senate Bill 1386, operative since July 1, 2003, require all businesses to report any loss of confidential data. “a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” Fines of up to $250,000 and/or 5 year prison sentence

18. Attack Profile #1 Malware specializing in on-line banking hacking

19. Zeus –Crimeware for sale Zeus is a Trojan “kit” Average black market price: $700 Very mature with > 70,000 variants

21. May not disassemble / study the binary code of the bot builder.

22. Has no right to use the control panel as a means to control other bot nets or use it for any other purpose.

23. Does not have the right to deliberately send any portion of the product to anti-virus companies and other such institutions.

24. Commits to give the seller a fee for any update to the product that is not connected with errors in the work, as well as for adding additional functionality.“In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to anti-virus companies.”

25. Zeus – Helps a hacker to: Detect when banking information is being entered View screen shots real-time and remotely control what is shown on the monitor Steal passwords and other log-in information using advanced key loggers Encrypt stolen information, then transmit it to the attacker’s servers

26. Zeus according to Symantec: http://www.youtube.com/watch?v=CzdBCDPETxk&feature=related

27. URLZone –More Complex… Checks with a central server for updated instructions, regularly Watch for HTTPS web traffic If the Web site matches the banking portal targeted, the malware will capture screenshots from the victim’s computer and send them to a command and control server http://www.finjan.com/MCRCblog.aspx?EntryId=2345 http://blogs.techrepublic.com.com/security/?p=2464&tag=nl.e036

28. URLZone –Very specific… When the user confirms the financial transaction, URLZone changes the account number and amount The banking portal receives the transaction information and completes the transfer URLZone presents transaction information the user expects to avoid suspicion. As far as the victim knows, the transaction was a success, which it was. It’s just that the amount of money is most likely different and the money was transferred to a money mule account, not where the victim intended

29. Attack Profile Crimeware toolkit for “drive-by” download #1 #2 Malware specializing in on-line banking hacking

30. LuckySploit A webpage is “armed” with LuckySploit It checks to see if visiting computers are missing security patches in: Internet Explorer, FireFox, Opera Adobe Flash, Acrobat Reader Numerous Microsoft vulnerabilities Exploits identified vulnerabilities to deliver the “payload” http://www.finjan.com/MCRCblog.aspx?EntryId=2213

31. Attack Profile Crimeware toolkit for “drive-by” download #1 #2 #3 A way to trick you into getting to my hacked webpage

32. Spam + Social Engineering

33. Spam + Social Engineering

34. Attack Profile #3 Website armed with LuckySploit #2 #1 URLZone Trojan Social Engineering

35. How can you protect yourself Be proactive about software patch management Use business-class anti-virus / anti-malware software Filter your email Deploy a business-class firewall Restrict internet access Use Group Policies to control workstation security A password policy is a must! Understand and secure all remote access points Wireless Access Points (watch for rogues!)

36. There is a big difference between being Proactive and Reactive

37. Patch Management Know where you are vulnerable! All Microsoft software – workstations and servers All Mac’s Key 3rd party applications Adobe Acrobat Adobe Flash Player Java iTunes QuickTime

38. Microsoft Patch Management Manual deployment Very time consuming Difficult to do consistently Automatic deployment – independent workstations Success must be tested monthly using special tools No granular control May impact internet bandwidth of multiple PC’s download simultaneously WSUS Free from Microsoft! All workstations report success failure to a central console You can choose what patches to deploy You can choose to have only the server download the patches Server pushes patches to workstations May take 20-60GB of hard disk space – Use an inexpensive USB drive

39. 3rd Party Applications The secret to success: You need a plan! Updates can be pushed out through Group Policy Create an update checklist spreadsheet

40. Antivirus Software The reality… It is intrusive It slows down your computers and network It must be monitored and maintained It occasionally creates compatibility issues There are annual renewal fees … and you can’t live without it. Period.

41. Business Class Antivirus Workstation status and licensing can be managed from a central software “console” You don’t need to touch 20 workstations to check status’ Central policies can be “pushed” down from the server IE: All workstation are to do a full scan once per week, and users aren’t able to cancel the scan You can “Exclude” critical files and directories from virus scans This can help performance significantly, and prevents instability and corruption issues

42. Business Class Antivirus Scan Policies Real Time Scanning Protecting your system 24/7 Typically scans only the most dangerous file types and locations Scheduled Scanning Typically scans everything, beginning to end Has a performance impact on the workstation Users can be broken into groups with scans occurring at convenient times

43. Email -A Primary Portal Minimize your exposure by breaking your users into groups Group A – Internal email access only Group B – Can receive email from “outside” the company

44. Spam Filtering Spam has become a primary delivery point for malicious code Several things to watch for: Hyperlinks that direct you to unknown places on the web Attachments that carry a malicious payload Social Engineering – The art of tricking a human into performing an action or providing information they typically wouldn’t IE: Critical Microsoft Patch!

45. Spam Filtering Methods of protection Install spam filter software on each workstation Install spam filter software on your e-mail server Route all company email through a spam filter “appliance” Barracuda Route all email through a spam filter service (a 3rd party) Spam-a-Side Only cleaned emails will be received by the company Lock your firewall down to only receive email from the host

46. Business Class Firewall

47. Why simple a home-class firewall isn’t always sufficient First door to your right! Gee, thanks! That was easy… An email server Well then surely you must be a safe secure message from a legitimate source! Where to? Umm… Trusted Network Resources The Cruel, Hard World ( a/k/a: The Internet ) E-Mail (?) Web Request E-Mail FTP Locked! Locked! A basic firewall “pin holed” to allow public email

48. A Business Class Firewall Looks Inside the Data Packet Gee, ok… Don’t you trust me? An email server Is that an attachment? That type isn’t allowed. It stays at the door. Soon. Please step behind the privacy screen and hand me those latex gloves… Where to? Umm… *Squeak!* Ok. I’ll need your name, ID#, shoe size, and a DNA sample. Trusted Network Resources The Cruel, Hard World ( a/k/a: The Internet ) E-Mail (?) Web Request E-Mail FTP Locked! Locked! A Business-Class firewall “pin holed” to allow public email

49. Firewalls Oversimplified Three major firewall classes: #1 - Simple home/small bus ($80-$200) Helps to hide you on the internet “Locks the doors” from the public side #2 – Business Class ($450-$900) “Layer 7 protection” – It looks inside the data packets to be sure they aren’t “mal-formed” Strips out inappropriate content (IE: Dangerous attachments) Includes extra layers of protection Web Blocking Antivirus Boarder Protection #3 – Corporate Class ($1200-$???) Much greater bandwidth The ability to support many branch offices and VPN connections Advanced security, routing, and configuration features

50. Firewalls – What do you need? Simple firewalls work if you: Have no “in-bound” data traffic Have another way to control internet usage Web blockers don’t just prevent internet abuse… Business Class firewall is appropriate if you: Host Email, public Web Server, or FTP Server Need to control outbound access as well as inbound Have a server and need to control web access based upon Active Directory Group membership

51. Myth: “Only people who go to ‘bad’ websites get spyware.”

52. Restricting Web Access Only give access to people who really need it Restrict people to explicitly approved sites Use a Web Blocker Break your users into groups. IE: Management – Full Access Day Crew – Partial Access Night Crew – Restrict to only approved sites Consider a web usage monitor - Cymphonix

53. Choosing a Firewall

54. Password Policies Passwords are the keys to your network Policies are centrally controlled through Group Policy: Password changes – How often? Account Lockout If you strike out 10 times, you’re locked out for 10 minutes Password Complexity

55. Security is an active part of your company culture… or it isn’t …

56. There are two ways to learn about network security vulnerabilities: A Trained Professional A Trained Professional - or -

57. Engaging a Professional Begin with a network audit Clearly define responsibilities Choose an engagement method

58. Methods of Engagement Reactive “I’ll call for help if I think I’ve been hacked” Scheduled, proactive maintenance Allocates time and resources to address core issues Be sure there is a plan that addresses all issues Work with the consultant! Ask questions! Managed services A true partnering and aligning of business models

59. Several More Security Myths I have a firewall so I’m protected I have virus protection software so I’m OK I can protect myself once and be OK forever My Mac doesn’t have all of these security issues

60. Serious Suggestions Audit your internal network Audit external access Restrict access as much as possible Update everything, proactively, regularly Use strong passwords Implement a proactive maintenance plan Engage a professional

61. Questions?

62. Please!!! Please fill out the evaluation form! On the bottom of the evaluation, there is an opportunity to request more info about network security Survey Next seminar topic