Security Liaison Meeting
September 22, 2011

Agenda
• Welcome
• Review of Role of the Security Liaison
• Current Threats: Hallmark?
• Using IM? Know the Risks
• Fake Anti-Virus: Scareware
• Remote Access Best Practices
• The SL Toolkit
• Security Liaison Questions and Concerns

The Security Liaison
• Appointed by Vice Presidents, Deans and Directors
• Understands responsibility for two-way communications, to the department and to the ITU
• Understands the balance between security and business needs
• Pursues clarity in policy development and revisions
• Understands the impact of policy on departmental business process and communicates areas of concern

The Role of the Security Liaison
• Point of contact in their unit for security recommendations and requests coming from the VPIT. Responsible for disseminating this information to the unit's leadership and their offices.
• Point of contact in their unit for security incidents, suspected and real. Acts as a conduit to the Computer Security Incident Response Team (CSIRT).
• Initiates Security Risk Assessments by contacting the IT Security Office.
• Informs the VPIT and the President's Chief of Staff of possible gaps in training and support programs necessary to carry out requirements set forth in Policies and Directives.
• Reviews proposed Security Policies. Provides guidance on how to put a new or revised policy into practice.

Current Threats: Hallmark?
Malicious downloads hosted by web servers are the most significant current threat.

Hackers Take the Easy Path
• It is now much easier to get an end user to click on a control on a web site than to find and exploit a vulnerability in a modern computer system.
• Compromised end user systems are then leveraged to:
  – harvest credentials, SSNs and credit card info
  – distribute phishing email
  – attack other systems

The Hackers' Initial Target: Trusted Web Sites with High Traffic
• FireEye, a malware detection appliance we use, recorded the following session recently.
• This is an abbreviated record of an alert reported by FireEye. FireEye only sends an alert when it detects malicious traffic or a malicious event.

Referer: http://www.hallmark.com/online/hoopsandyoyo/downloads/hyy-screensavers.aspx
GET /hoopsandyoyo/images/downloads/screensavers/hyycatsaver_setup.exe
Accept-Encoding: gzip, deflate

What Was In That Download?
(FireEye event record; columns: Type, Mode/Class, Details such as Path/Message/Protocol/Hostname/Qtype/ListenPort)

Process Started: C:\malware.exe
  Packed: yes
  GUI: yes
  Parentname: C:\WINDOWS\system32\cmd.exe
  Command Line: c:\malware.exe
  MD5: b9605749e1fc50ec6bba23c2f4743ebc
  SHA1: 25f908d2895bc85bcfd692cc2477e4607dbbe0e6
Folder Created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\STF1
File Created: C:\WINDOWS\system32\Macromed\Flash\SET3.tmp
Regkey Setval: \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"UNCAsIntranet" = 0x00000000

Looks Suspicious...

File Rename
  Old Name: C:\WINDOWS\system32\Macromed\Flash\SET4.tmp
  New Name: C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe
  Imagepath: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\STF1\flashax.exe
  MD5: 2ca63cad2f563abbb25d7aec50ea8f29
  SHA1: 4415b3b7880062485456b7401cd2b7fc2edd476c
File Date Change: C:\WINDOWS\system32\Macromed\Flash\SET3.tmp
Malicious Alert (Misc Anomaly)
  Message: System file timestamps modified
  Detail: Malware modifying system file timestamps

Yep, It's Malware.

File Rename
  Old Name: C:\WINDOWS\system32\Macromed\Flash\SET4.tmp
  New Name: C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe
  Imagepath: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\STF1\flashax.exe
  MD5: 2ca63cad2f563abbb25d7aec50ea8f29
  SHA1: 4415b3b7880062485456b7401cd2b7fc2edd476c
Malicious Alert (Misc Anomaly)
  Message: System services modified
  Detail: Malware renaming exe/dll/sys/vxd file into the WINDOWS or SYSTEM32 directory

Lessons Learned
• While most web-based malware is distributed through questionable web sites, even trusted sites can harbor malware.
• The Internet is still the wild, wild west. Users need to become and remain knowledgeable about the risks.
• Most often, it is end user behavior that leads to identity theft and computers participating in bot networks.

Threats Continue

Using IM? Know the Risks
• Identities can be elusive or ambiguous. It can be difficult to identify the "person" with whom you are talking. Accounts may be compromised, users may forget to log out, or an account may be shared by multiple people. Are you sure you know who is really on the other end of that "chat"?
• Cyber criminals trying to convince someone to run a program or click on a link is a common attack, but it can be especially effective through IM and chat rooms. In a setting where you are comfortable, a malicious piece of software or an attacker has a better chance of convincing you to fall into the trap.
• You don't know who else might be seeing the conversation. Online interactions are easily saved, and if you're on a free commercial service, the "chat" may be archived on a server. You have no control over what happens to those logs. Is someone looking over the shoulder of the person you're talking to?
• Default security settings may be inappropriate. The default security settings in chat software tend to be relatively permissive to make it more open and "usable," and this can make you more susceptible to attacks.
• Be conscious of what information you reveal. Be wary of revealing personal information unless you know who you are really talking to. You should not be discussing or sending anything that might be sensitive university information over public IM or chat services (even if you are talking to someone you know).

Source
• Authors: Mindi McDowell, Allen Householder
• Copyright 2004 Carnegie Mellon University
• United States Computer Emergency Readiness Team (US-CERT) (www.us-cert.gov)

Fake Anti-Virus Offers or Scareware

Scareware
• Source for "Scareware"

Remote Access Best Practices
• Accessing Mason resources (a desktop computer, a printer, a server) remotely must be done via a controlled network.
• "Rogue" devices or programs used for remote access lead to problems for the user, for others on the network, and for the resources accessed.
• New policy in final stages of approval
• Users must use a Virtual Private Network (VPN) or access through an approved device
• VPN accounts are available at http://tsd.gmu.edu/net/Forms/F0021_A.html
• Office computers should not be left "logged in"

Security Liaisons
• Questions and Concerns
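The FireEye walk-through above ("What Was In That Download?" through "Yep, It's Malware.") is a sequence of behavioural events that becomes more damning as it goes: first a packed process from an odd location and a zone-setting change, then an executable renamed into SYSTEM32 and a system file's timestamp altered. The script below is an added example, written for this page and not taken from the slides or from FireEye; it encodes the two behaviours the appliance flagged (rename of exe/dll/sys/vxd into WINDOWS or SYSTEM32, system file timestamp change) as detection rules, adds two weaker heuristics of my own, and replays constructed events modelled on the slide's record to show how the verdict moves from "suspicious" to "malicious". Rule names, weights, the system-directory list and the sample events are all assumptions.

```python
"""Toy behavioural triage over endpoint events, modelled on the FireEye alert in the slides."""

# Assumption: these lowercase prefixes are what "WINDOWS or SYSTEM32 directory" means.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
PROGRAM_DIRS = ("c:\\program files\\",)
EXEC_EXTS = (".exe", ".dll", ".sys", ".vxd")   # extensions named in the FireEye detail


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def in_program_dir(path):
    return path.lower().startswith(PROGRAM_DIRS)


def is_executable(path):
    return path.lower().endswith(EXEC_EXTS)


# Each rule returns (rule_name, weight, explanation) on a hit, or None.
def rule_rename_into_system_dir(ev):
    """Mirrors FireEye: executable renamed into WINDOWS/SYSTEM32 (weight 3 = conclusive)."""
    if ev["type"] == "File Rename" and in_system_dir(ev["new"]) and is_executable(ev["new"]):
        return ("system-dir-rename", 3,
                f"{ev['old']} renamed to executable {ev['new']} by {ev['image']}")


def rule_system_timestamp_change(ev):
    """Mirrors FireEye: timestamp of a file under a system directory modified (weight 3)."""
    if ev["type"] == "File Date Change" and in_system_dir(ev["path"]):
        return ("system-timestamp-change", 3, f"timestamp changed on {ev['path']}")


def rule_packed_process_unusual_path(ev):
    """Heuristic (assumption): packed binary started outside Windows/Program Files (weight 1)."""
    if (ev["type"] == "Process Started" and ev.get("packed") == "yes"
            and not in_system_dir(ev["path"]) and not in_program_dir(ev["path"])):
        return ("packed-process-unusual-path", 1,
                f"packed process {ev['path']} started by {ev['parent']}")


def rule_zone_setting_write(ev):
    """Heuristic (assumption): write to Internet Explorer ZoneMap security settings (weight 1)."""
    if ev["type"] == "Regkey Setval" and "\\internet settings\\zonemap\\" in ev["key"].lower():
        return ("ie-zone-setting-write", 1, f"{ev['key']} = {ev['value']}")


RULES = (rule_packed_process_unusual_path, rule_zone_setting_write,
         rule_rename_into_system_dir, rule_system_timestamp_change)


def triage(events):
    """Run every rule over every event; any weight-3 hit is malicious, any hit is suspicious."""
    findings = [hit for ev in events for rule in RULES if (hit := rule(ev))]
    score = sum(weight for _, weight, _ in findings)
    if any(weight >= 3 for _, weight, _ in findings):
        verdict = "malicious"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "score": score, "findings": findings}


# Constructed events, modelled on the FireEye record shown in the slides (not a real capture).
SAMPLE_EVENTS = [
    {"type": "Process Started", "path": "C:\\malware.exe", "packed": "yes",
     "parent": "C:\\WINDOWS\\system32\\cmd.exe"},
    {"type": "Folder Created", "path": "C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\STF1"},
    {"type": "File Created", "path": "C:\\WINDOWS\\system32\\Macromed\\Flash\\SET3.tmp"},
    {"type": "Regkey Setval",
     "key": "HKU\\<sid>\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
     "value": "0x00000000"},
    {"type": "File Rename", "old": "C:\\WINDOWS\\system32\\Macromed\\Flash\\SET4.tmp",
     "new": "C:\\WINDOWS\\system32\\Macromed\\Flash\\GetFlash.exe",
     "image": "C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\STF1\\flashax.exe"},
    {"type": "File Date Change", "path": "C:\\WINDOWS\\system32\\Macromed\\Flash\\SET3.tmp"},
]

# Constructed benign activity for contrast: an ordinary browser launch and a document save.
BENIGN_EVENTS = [
    {"type": "Process Started", "path": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "packed": "no", "parent": "C:\\WINDOWS\\explorer.exe"},
    {"type": "File Created", "path": "C:\\Documents and Settings\\user\\My Documents\\report.doc"},
]

if __name__ == "__main__":
    for label, events in (("first four events", SAMPLE_EVENTS[:4]),
                          ("full session", SAMPLE_EVENTS),
                          ("benign session", BENIGN_EVENTS)):
        result = triage(events)
        print(f"{label}: {result['verdict']} (score {result['score']})")
        for name, weight, why in result["findings"]:
            print(f"  [{weight}] {name}: {why}")
```

Running it reproduces the slide's progression: the first four events only score the two weak heuristics ("Looks Suspicious"), while the rename into SYSTEM32 and the timestamp change each carry a conclusive weight ("Yep, It's Malware"), and the benign session scores nothing. The design point for a liaison is that a single weak indicator is not an incident; a conclusive behaviour, or several weak ones together, is what should trigger a report to the CSIRT.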