Security Liaison Meeting

Transcription

September 22, 2011
Agenda
• Welcome
• Review of Role of the Security Liaison
• Current Threats: Hallmark?
• Using IM? Know the Risks
• Fake Anti-Virus: Scareware
• Remote Access Best Practices
• The SL Toolkit
• Security Liaison Questions and Concerns
The Security Liaison
• Appointed by Vice Presidents, Deans and Directors
• Understands responsibility for two-way communications, to the department and to the ITU
• Understands the balance between security and business needs
• Pursues clarity in policy development and revisions
• Understands the impact of policy on departmental business process and communicates areas of concern
The Role of the Security Liaison
• Point of contact in their unit for security recommendations and requests coming from the VPIT. Responsible for disseminating this information to the unit’s leadership and their offices.
• Point of contact in their unit for security incidents, suspected and real. Act as a conduit to the Computer Security Incident Response Team (CSIRT).
• Initiate Security Risk Assessments by contacting the IT Security Office.
• Inform the VPIT and the President's Chief of Staff of possible gaps in training and support programs necessary to carry out requirements set forth in Policies and Directives.
• Review proposed Security Policies. Provide guidance on how to put a new or revised policy into practice.
Current Threats: Hallmark?
Malicious downloads hosted by webservers are the most significant current threat.
Hackers Take the Easy Path
• It is now much easier to get an end user to click on a control on a web site than to find and exploit a vulnerability in a modern computer system.
• Compromised end user systems are then leveraged to:
– harvest credentials, SSN #s and credit card info
– distribute phishing email
– attack other systems
The Hackers' Initial Target: Trusted Web Sites with High Traffic
• FireEye, a malware detection appliance we use, recorded the following session recently.
• This is an abbreviated record of an alert reported by FireEye. FireEye only sends an alert when it detects malicious traffic or a malicious event.
Referer: http://www.hallmark.com/online/hoopsandyoyo/downloads/hyy-screensavers.aspx
Get: /hoopsandyoyo/images/downloads/screensavers/hyycatsaver_setup.exe
AcceptEncoding: gzip, deflate
What Was In That Download?
(Columns: Type | Mode/Class | Details (Path/Message/Protocol/Hostname/Qtype/ListenPort etc.))

Process | Started | C:\malware.exe
    Packed: yes  GUI: yes
    Parentname: C:\WINDOWS\system32\cmd.exe
    Command Line: c:\malware.exe
    MD5: b9605749e1fc50ec6bba23c2f4743ebc
    SHA1: 25f908d2895bc85bcfd692cc2477e4607dbbe0e6
Folder | Created | C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\STF1
File | Created | C:\WINDOWS\system32\Macromed\Flash\SET3.tmp
Regkey | Setval | \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"UNCAsIntranet" = 0x00000000
Looks Suspicious...
(Columns: Type | Mode/Class | Details (Path/Message/Protocol/Hostname/Qtype/ListenPort etc.))

File | Rename |
    Old Name: C:\WINDOWS\system32\Macromed\Flash\SET4.tmp
    New Name: C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe
    Imagepath: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\STF1\flashax.exe
    MD5: 2ca63cad2f563abbb25d7aec50ea8f29
    SHA1: 4415b3b7880062485456b7401cd2b7fc2edd476c
File | Date Change | C:\WINDOWS\system32\Macromed\Flash\SET3.tmp
Malicious Alert | Misc Anomaly | Message: System file timestamps modified. Detail: Malware modifying system file timestamps
Yep, It’s Malware.
(Columns: Type | Mode/Class | Details (Path/Message/Protocol/Hostname/Qtype/ListenPort etc.))

File | Rename |
    Old Name: C:\WINDOWS\system32\Macromed\Flash\SET4.tmp
    New Name: C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe
    Imagepath: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\STF1\flashax.exe
    MD5: 2ca63cad2f563abbb25d7aec50ea8f29
    SHA1: 4415b3b7880062485456b7401cd2b7fc2edd476c
Malicious Alert | Misc Anomaly | Message: System services modified. Detail: Malware renaming exe/dll/sys/vxd file into the WINDOWS or SYSTEM32 directory
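The two FireEye alerts above each fire on one behavioural rule: an executable renamed into the WINDOWS or SYSTEM32 directory, and a timestamp change on a system file. The script below is an added example (not FireEye's code and not from the meeting) that applies those same rules, plus one assumed heuristic of our own (the acting process running out of the user's Temp folder), to a constructed list of events modelled on the slide's record. The event field names (type, mode, path, old_name, new_name, image_path) are an assumed schema, not FireEye's.

```python
"""Rule-based triage of sandbox events like the FireEye record on the slides.

Added example (not FireEye's code). The event dictionaries are constructed
from the paths shown on the slides; the field names (type, mode, path,
old_name, new_name, image_path) are assumptions, not FireEye's schema.
"""
import re

# Executable types named in the slide's alert: exe/dll/sys/vxd
EXEC_EXT = re.compile(r"\.(exe|dll|sys|vxd)$", re.IGNORECASE)
# Protected locations named in the slide's alert: WINDOWS or SYSTEM32
SYSTEM_DIR = re.compile(r"^[A-Z]:\\WINDOWS(\\SYSTEM32)?\\", re.IGNORECASE)
# Per-user Temp directory in 8.3 short form, as it appears on the slides
TEMP_DIR = re.compile(r"\\LOCALS~1\\TEMP\\", re.IGNORECASE)

# Constructed sample, modelled on the slide's "What Was In That Download?" record
EVENTS = [
    {"type": "process", "mode": "started", "path": r"C:\malware.exe",
     "parent": r"C:\WINDOWS\system32\cmd.exe"},
    {"type": "folder", "mode": "created",
     "path": r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\STF1"},
    {"type": "file", "mode": "created",
     "path": r"C:\WINDOWS\system32\Macromed\Flash\SET3.tmp"},
    {"type": "file", "mode": "rename",
     "old_name": r"C:\WINDOWS\system32\Macromed\Flash\SET4.tmp",
     "new_name": r"C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe",
     "image_path": r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\STF1\flashax.exe"},
    {"type": "file", "mode": "date_change",
     "path": r"C:\WINDOWS\system32\Macromed\Flash\SET3.tmp"},
]


def in_system_dir(path):
    """True when the path sits under <drive>:\\WINDOWS or <drive>:\\WINDOWS\\SYSTEM32."""
    return bool(SYSTEM_DIR.match(path))


def triage(events):
    """Return (rule_id, path) findings, in event order."""
    findings = []
    for ev in events:
        kind = (ev.get("type"), ev.get("mode"))
        if kind == ("file", "rename"):
            new = ev["new_name"]
            # Slide alert: "renaming exe/dll/sys/vxd file into the WINDOWS or SYSTEM32 directory"
            if EXEC_EXT.search(new) and in_system_dir(new):
                findings.append(("exe_into_system_dir", new))
            actor = ev.get("image_path", "")
            # Assumed heuristic (ours, not FireEye's): the renaming process runs from the user's Temp folder
            if TEMP_DIR.search(actor):
                findings.append(("actor_in_temp", actor))
        elif kind == ("file", "date_change"):
            # Slide alert: "System file timestamps modified"
            if in_system_dir(ev["path"]):
                findings.append(("system_timestamp_modified", ev["path"]))
        elif kind == ("process", "started"):
            # Same assumed heuristic applied to the launched image itself
            if TEMP_DIR.search(ev["path"]):
                findings.append(("actor_in_temp", ev["path"]))
    return findings


def verdict(findings):
    """FireEye only alerts when it sees something malicious; mirror that: any finding is an alert."""
    return "malicious" if findings else "clean"


if __name__ == "__main__":
    for rule, path in triage(EVENTS):
        print(f"{rule}: {path}")
    print("verdict:", verdict(triage(EVENTS)))
```

Run against the constructed events, the rename of SET4.tmp to GetFlash.exe and the timestamp change on SET3.tmp are the two findings that correspond to the slide's alerts; the Temp-folder rule is an extra signal a liaison would want surfaced, since the installer's worker process (flashax.exe) ran out of the user's Temp directory rather than from a normal install location.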
Lessons Learned
• While most web based malware is distributed through questionable web sites, even trusted sites can harbor malware.
• The Internet is still the wild, wild west. Users need to become and remain knowledgeable about the risks.
• Most often, it is end user behavior that leads to identity theft and computers participating in bot networks.
Threats Continue
Using IM? Know the Risks
• Identities can be elusive or ambiguous – it can be difficult to identify the "person” with whom you are talking. Accounts may be compromised, users may forget to log out, or an account may be shared by multiple people. Are you sure you know who is really on the other end of that “chat”?
Using IM? Know the Risks
Cyber criminals trying to convince someone to run a program or click on a link is a common attack, but it can be especially effective through IM and chat rooms. In a setting where you are comfortable, a malicious piece of software or an attacker has a better chance of convincing you to fall into the trap.
Using IM? Know the Risks
You don't know who else might be seeing the conversation - Online interactions are easily saved, and if you're on a free commercial service, the “chat” may be archived on a server. You have no control over what happens to those logs. Is someone looking over the shoulder of the person you're talking to?
Using IM? Know the Risks
Default security settings may be inappropriate - The default security settings in chat software tend to be relatively permissive to make it more open and "usable," and this can make you more susceptible to attacks.
Using IM? Know the Risks
Be conscious of what information you reveal - Be wary of revealing personal information unless you know who you are really talking to. You should not be discussing or sending anything that might be sensitive university information over public IM or chat services (even if you are talking to someone you know).
Using IM? Know the Risks
Source
• Authors: Mindi McDowell, Allen Householder
• Copyright 2004 Carnegie Mellon University
• United States Computer Emergency Readiness Team (US-CERT) (www.us-cert.gov)
Fake Anti-Virus Offers or Scareware
Scareware
• Source for “Scareware”
Remote Access Best Practices
• Accessing Mason resources (desktop computer, a printer, a server) remotely must be done via a controlled network
• “Rogue” devices or programs used for remote access lead to problems for the user, others on the network, and resources accessed.
Remote Access Best Practices
• New policy in final stages of approval
• Users must use Virtual Private Network (VPN) or access through an approved device
• VPN accounts are available at http://tsd.gmu.edu/net/Forms/F0021_A.html
• Office computers should not be left “logged in”
Security Liaisons
• Questions and Concerns