IT Security
Julie Schmitz, James Mote, Jason Tice

Feb 25, 2016


IT Security. Julie Schmitz, James Mote, Jason Tice. Agenda: Overview of basic IT security; Human Resources Command-St. Louis; Inside Financing; Recommendations and Best Practices; Closing and questions. IT Security Defined. PowerPoint PPT presentation.
Transcript
Page 1: IT Security

IT Security
Julie Schmitz, James Mote, Jason Tice

Page 2: IT Security

Agenda
• Overview of basic IT security
• Human Resources Command-St. Louis
• Inside Financing
• Recommendations and Best Practices
• Closing and questions

Page 3: IT Security

IT Security Defined
• “Broadly speaking, security is keeping anyone from doing things you do not want them to do to, with, or from your computers or any peripherals”
- William R. Cheswick

Page 4: IT Security

IT Security Overview
• Intruders - hackers and crackers
• Insiders – fraud case at Financing
• Criminals
• Online scam artists
• Terrorists

Page 5: IT Security

IT Security Overview
• Hacker
– A person who enjoys exploring the details of programmable systems and how to stretch their capabilities
– Hackers tend to view themselves as very knowledgeable computer programmers, sometimes to the point of arrogance
– A true hacker will look for weaknesses in a system and publish them
Source: FBI Cyber Task Force

Page 6: IT Security

IT Security Overview
• Cracker
– One who breaks security on a target computer system
– The term was coined by hackers around 1985 in defense against the journalistic misuse of the term “hacker”
– Crackers tend never to disclose their findings
Source: FBI Cyber Task Force

Page 7: IT Security

Hackers or Crackers?

Page 8: IT Security

How Does a Hacker Affect You?

• Michael Buen and Onel de Guzman
– Both are suspected of writing the “I Love You” virus
• David L. Smith
– Melissa virus author
– Released March 26, 1999
– Caused an estimated $80 million in damages
Source: FBI Cyber Task Force

Page 9: IT Security

IT Security at your Office
• Social engineering
• Denial of service attacks (DoS)
• E-mail bombs
• Password cracking
• Web spoofs
• Trojan, worm, virus attacks
• Antivirus tools

Source: FBI Cyber Task Force

Page 10: IT Security

Social Engineering
• A con game played by computer-literate criminals
• Works because people are the weakest link in any security system

Source: FBI Cyber Task Force

Page 11: IT Security

Denial of Service
• Prevents users from using a computer service
• One type of DoS attack involves continually sending phony authentication messages to a targeted server, keeping it constantly busy and locking out legitimate users
• Ping attacks
• DDoS attacks
– Use multiple computers to coordinate DoS attacks

Source: FBI Cyber Task Force

Page 12: IT Security

Email Bombs
• A type of denial of service attack
• Email bombs involve sending enormous amounts of email to a particular user, in effect shutting down the email system
• Many spammers fall victim to this type of attack
• No need to send email manually; downloadable programs will do it for you

Source: FBI Cyber Task Force

Page 13: IT Security

Password Cracking
• Involves repeatedly trying common passwords against an account in order to log into a computer system (online guessing; the same guesses run against a stolen password hash file are called offline cracking, and no account lockout applies there)
• Freely available “cracking” programs facilitate this process

Source: FBI Cyber Task Force
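Online guessing of the kind described above leaves a recognisable trace in authentication logs: many failures against one account from one source, or one source failing against many accounts (a “spray”). The following is an added example, not part of the original presentation or of the FBI material it cites, that runs two such detections over a few constructed log lines in an invented `auth:` format; the thresholds and the five-minute window are assumptions.

```python
"""Detect password guessing in authentication logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an invented format (not real logs).
SAMPLE_LOG = """\
2004-11-03T09:00:01 auth: FAILED user=jsmith src=10.1.2.3
2004-11-03T09:00:02 auth: FAILED user=jsmith src=10.1.2.3
2004-11-03T09:00:03 auth: FAILED user=jsmith src=10.1.2.3
2004-11-03T09:00:04 auth: FAILED user=jsmith src=10.1.2.3
2004-11-03T09:00:05 auth: FAILED user=jsmith src=10.1.2.3
2004-11-03T09:00:06 auth: SUCCESS user=jsmith src=10.1.2.3
2004-11-03T09:05:00 auth: FAILED user=amote src=10.1.2.9
2004-11-03T09:05:01 auth: FAILED user=btice src=10.1.2.9
2004-11-03T09:05:02 auth: FAILED user=cschmitz src=10.1.2.9
2004-11-03T09:05:03 auth: FAILED user=dlee src=10.1.2.9
2004-11-03T09:05:04 auth: FAILED user=ekim src=10.1.2.9
2004-11-03T09:05:05 auth: FAILED user=fpark src=10.1.2.9
2004-11-03T10:00:00 auth: FAILED user=jsmith src=10.1.2.50
2004-11-03T10:00:30 auth: SUCCESS user=jsmith src=10.1.2.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn the raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def detect(events, window=timedelta(minutes=5), fail_threshold=5, spray_users=5):
    """Return alerts as (kind, src, user) tuples.
    brute_force:          fail_threshold failures for one (src, user) inside the window
    password_spray:       one src failing against spray_users distinct users inside the window
    success_after_burst:  a SUCCESS right after a brute-force burst (likely compromise)
    Thresholds are assumed values; tune them to the environment."""
    alerts = []
    fails = defaultdict(list)          # (src, user) -> failure timestamps in window
    users_per_src = defaultdict(dict)  # src -> {user: last failure timestamp}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        if ev["result"] == "FAILED":
            fails[key] = [t for t in fails[key] if ev["ts"] - t <= window] + [ev["ts"]]
            if len(fails[key]) == fail_threshold:
                alerts.append(("brute_force", ev["src"], ev["user"]))
            users_per_src[ev["src"]][ev["user"]] = ev["ts"]
            recent = [u for u, t in users_per_src[ev["src"]].items() if ev["ts"] - t <= window]
            if len(recent) == spray_users:
                alerts.append(("password_spray", ev["src"], None))
        elif len(fails[key]) >= fail_threshold:
            alerts.append(("success_after_burst", ev["src"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The success-after-burst rule is the one worth paging on: a burst of failures that ends in a success means a guess landed, and the account should be treated as compromised until the owner confirms the logon.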

Page 14: IT Security

Web Spoofing
• “Faking the origin”
• The attacker creates a false or shadow copy of a reputable web site; all network traffic between the victim’s browser and the shadow page is sent through the attacker’s machine
• Allows the attacker to acquire information such as passwords, credit card numbers, and account numbers

Source: FBI Cyber Task Force

Page 15: IT Security

What Should Have Been Displayed (screenshot slide)

Page 16: IT Security

What Was Displayed (screenshot slide)

Page 17: IT Security

Trojan, Worm, and Virus
• A Trojan program does not propagate itself from one computer to another
• A worm reproduces ITSELF over a network
• A virus, like its biological counterpart, looks for ways to infect other systems or “replicate” itself (e.g., via e-mail)

Source: FBI Cyber Task Force

Page 18: IT Security

Trojans
• Trojans are malicious files masquerading as harmless software upgrades, programs, help files, screen savers, pornography, etc.
• When the user opens the file, the Trojan horse runs in the background and can cause damage to the computer system (hard drive damage, total access, capture of usernames and passwords)

Source: FBI Cyber Task Force

Page 19: IT Security

Trojan / Control (diagram slide)

Page 20: IT Security

Virus
• A program that replicates without being asked to
• Copies itself to other computers or disks
• Huge threat to companies

Source: FBI Cyber Task Force

Page 21: IT Security

Antivirus Tools
• Any hardware or software designed to stop viruses, eliminate viruses, and/or recover data affected by viruses
• AV tools refer to software systems deployed at the desktop or on the server to eliminate viruses, worms, trojans, and some malicious applets
• Should be used as part of a security policy

Source: FBI Cyber Task Force

Page 22: IT Security

After the Incident
• Identify means to avoid another attack
– Download latest patches
– Repair compromised systems
– Re-educate users
– Run anti-virus software
• Stay alert for signs the intruder is still in your system
• Log traffic data
Source: FBI Cyber Task Force

Page 23: IT Security

Security Budget

Page 24: IT Security

The Facts on IT Security Budgets

• 62 percent of technology officers feel no pressure to increase spending this year
• 40 percent of their budgets will go toward preventing existing machinery from breaking
• Systems security tends to go unfixed until proven broken
• A simple firewall has become the ultimate security commodity
• Don’t use ROI to configure the IT security budget

Source: FBI Cyber Task Force

Page 25: IT Security

Money Lost Due to Different Types of Attacks (bar chart reconstructed as a table)

Type of attack                       Amount of loss
Denial of service                    $26,064,050
Theft of proprietary info            $11,460,000
Insider Net abuse                    $10,601,055
Abuse of wireless networks           $10,159,250
Financial fraud                      $7,670,500
Laptop theft                         $6,734,500
Unauthorized access                  $4,278,205
Telecom fraud                        $3,997,500
Misuse of public Web applications    $2,747,000
Web site defacement                  $958,100
System penetration                   $901,500
Sabotage                             $871,000

Source: Federal Bureau of Investigation / Computer Security Institute – http://www.gocsi.com - viewed 11/4/2004

Page 26: IT Security

I.T. Security Brief - Human Resources Command, St. Louis

Page 27: IT Security

Human Resources Command St. Louis Historical Timeline
• First established in 1944 at 4300 Goodfellow
• First known as the Demobilized Personnel Records Branch after WWII
• In 1956, moved to its present location, 9700 Page
• In 1971, Reserve Components Personnel Center at Ft. Benjamin Harrison merged with St. Louis
• In 1985, Army Reserve Personnel Center (ARPERCEN) was formed
• In 2003, organization was renamed Human Resources Command (HRC)
Source: https://www.2xcitizen.usar.army.mil/2xhome.asp - viewed 11/1/2004

Page 28: IT Security

Human Resources Command (HRC) St. Louis Overview
• Supports or conducts the Human Resources Life Cycle for over 1.5 million customers
• Workforce comprised of over 65% civilians, 30% Active Guard-Reserve soldiers, 5% Active Component soldiers
• Of the military workforce, most officers are Majors (O-4) and most non-commissioned officers are Sergeants First Class (E-7s)
• 65-acre facility located off Page Avenue
• Total of nine Directorates
Source: https://www.2xcitizen.usar.army.mil/2xhome.asp - viewed 11/1/2004

Page 29: IT Security

Human Resources Command (HRC) Mission Statement
• To provide the highest quality human resources life cycle management in the functional areas of structure, acquisition, distribution, development, deployment, compensation, sustainment and transition for all Army Reserve Soldiers, resulting in a trained and ready force in support of the national military strategy.
• To provide human resource services to our retired reserve and veterans.
Source: https://www.2xcitizen.usar.army.mil/2xhome.asp - viewed 11/1/2004

Page 30: IT Security

Information Assurance Office (organization chart)
• Information Assurance Manager (Rank: Major)
• Assistant IAM (Rank: CPT)
• IANCO (Rank: MSG)
• Civilian (GS-13): Deputy IAM
• Civilian (GS-12): Information Tech & Sec Specialist
• Civilian (GS-11): Information Tech & Sec Specialist
• Civilian (GS-11): Information Tech & Sec Specialist
Source: Information Assurance Office, Human Resources Command, St. Louis

Page 31: IT Security

Information Assurance Manager Duties
• Major: Responsible for overall IT security
• Captain: Drafts & submits policy
• Master Sergeant: Verifies security clearances; training; account requests
• GS-13: Updates patches & ACERT compliance
• GS-12: System Security Authorization Agreement; Networthiness Certification
• GS-11: Investigates computer forensics; backup for updates & patches
• GS-11: Backup for computer forensics; training; account requests; verifies security clearances
Source: Information Assurance Office, Human Resources Command, St. Louis

Page 32: IT Security

Information Assurance Defined

• The protection of systems and information in storage, processing, or transit from unauthorized access or modification; denial of service to unauthorized users; and provision of service to authorized users
• Also includes those measures necessary to detect, document, and counter such threats
• The regulation designates IA as the security discipline that encompasses COMSEC, INFOSEC, and control of compromising emanations

Source: Army Regulation (AR) 25-2

Page 33: IT Security

Information Assurance Organization (organization chart)
• Chief Information Officer, U.S. Army Reserve Command, Atlanta, Georgia
– Information Assurance Officer, Human Resources Command-St. Louis
– Information Assurance Officers, 11 Regional Support Commands
Source: Information Assurance Office, Human Resources Command, St. Louis

Page 34: IT Security

In Order to Gain System Access
• All military must have a Security Clearance
• Some civilians must have a Security Clearance
• Other civilians must have at least a National Agency Check (NAC)
• All employees must submit a request for system access
Source: Information Assurance Office, Human Resources Command, St. Louis

Page 35: IT Security

Common End User Problems
• Pornography
• Running businesses
• Unauthorized use of illegal software
• Sharing of logons/passwords
Source: Information Assurance Office, Human Resources Command, St. Louis

Page 36: IT Security

What Happens If You Get Locked Out?
• Go to the local Information Management personnel assigned to serve your directorate
Source: Information Assurance Office, Human Resources Command, St. Louis

Page 37: IT Security

Main Concerns of IT Security
• Information security training
• Purchasing automation equipment without authorization
• Computers left on 24/7
• Having a qualified Information Assurance Manager who is strict
• Knowledge of the system
Source: Information Assurance Office, Human Resources Command, St. Louis, MO; Information Assurance Officer, 63rd Regional Readiness Command, Los Alamitos, California

Page 38: IT Security

Anti-Virus Activity (chart: number of events per month, Mar-04 through Sep-04, split into “stopped at gateway” and “stopped at desktop”; y-axis 0 to 50,000)
• 45,000 in April
Source: Information Assurance Office, Human Resources Command, St. Louis

Page 39: IT Security

Probes and Scans Against Network (chart: number of attempts per month; y-axis 0 to 50,000)
• 135,000 YTD
Source: Information Assurance Office, Human Resources Command, St. Louis

Page 41: IT Security

Information Unable to Obtain
• IT security budget
• Business policy procedures
• Outsourced IT providers’ information
Source: Information Assurance Office, Human Resources Command, St. Louis

Page 42: IT Security

Security challenges at Financing from the CIO’s perspective

Page 43: IT Security

Financing Background Info
• Financing is one of the largest domestic providers of inventory floor financing for several different industrial channels.
• Recent focus on using IT to reduce business costs by processing transactions online.
• IT operates 5 different customer-facing applications handling in excess of 4 billion dollars in transactions monthly.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 44: IT Security

Case Study Research Method

• Interviewed the CIO to gain their perspective on IT security and business.
• Interview lasted approximately 2 hours and consisted of 15 questions.
• Subsequent discussion based on what the CIO said were the issues of highest concern.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 45: IT Security

Most Pressing Security Concerns

1. Eliminating bad user practices
2. Measures to prevent security breaches
3. Ability to quickly recover from security failures / breaches
4. Impact of compliance with SOX regulations
Source: Interview and personal comments from Financing’s CIO – October 2004

Page 46: IT Security

Security Specifics
• No specific line item budget amount.
– Security costs are encompassed in other budget items, such as system development & testing, data center operations, etc.
• No dedicated resources focusing solely on security.
– Security related activities fall under the responsibility of existing IT staff.
Source: Interview and personal comments from Financing’s CIO – October 2004

Page 47: IT Security

Security Challenges: End User Security

“Security is a 50/50 proposition. A system can be perfectly secure; however, if users don’t properly use the provided security features, then there might as well be no security at all.” -Anonymous

Page 48: IT Security

End User Security: Typical Financing User
• Non-technology-savvy office clerks and bookkeepers.
• No on-site IT support to maintain individual system security.
• Many dealers have broadband access without firewall protection.
Source: Interview and personal comments from Financing’s CIO – October 2004

Page 49: IT Security

End User Security: Typical Financing User (same bullets as the previous slide, plus:)
• What is so risky about this?
Source: Interview and personal comments from Financing’s CIO – October 2004

Page 50: IT Security

End User Security: Typical Financing User (2)
• Known problems with spyware and viruses.
• Account reps reported seeing multiple users post their username and password in plain view in their offices.
Source: Interview and personal comments from Financing’s CIO – October 2004

Page 51: IT Security

End User Security: Typical Financing User (2) (same bullets as the previous slide, plus:)
• Poor password selection by users is consistently cited as one of the top three IT security issues.
Source: Cupps, John; How To Identify and Contain Some of the Information Security Problems Created By Unique Business Environments; http://www.sans.org/rr/whitepapers/casestudies/666.php; viewed 11/3/2004

Page 52: IT Security

Password Survey

Page 53: IT Security

Password Survey
• Sit down if you change your password once a week.
• Put your hand down if your password has both letters and numbers in it.
Password Security Level: Strong

Page 54: IT Security

Password Survey
• Sit down if you change your password every month.
• Put your hand down if your password is NOT a word in the dictionary.
Password Security Level: Good

Page 55: IT Security

Password Survey
• Sit down if you change your password only a few times each year.
• Put your hand down if you use the SAME password on multiple systems.
Password Security Level: Weak

Page 56: IT Security

Password Survey
• Sit down if you NEVER change your password.
• Put your hand down if your password is simply part of your name or username.
Password Security Level: Poor

Page 57: IT Security

Bad Habits are Hard To Break

• Use familiar words or names that can be easily guessed.
• Use a password that is too short, therefore fewer characters to guess / crack.
• Use the same password on multiple systems.
• Do not change the password regularly.
• Share passwords with others.
• Post passwords somewhere around the computer.

Page 58: IT Security

Need for Strong Passwords

Today’s computers are capable of trying millions of word variations per second and often can guess a good number of passwords in less than a minute.

- Rob Lemos

Source: Lemos, Rob; Hackers can crack most in less than a minute; http://news.com.com/Passwords+The+weakest+link/2009-1001_3-916719.html; viewed 10/27/2004

Page 59: IT Security

Improving Passwords at Financing

• 8-month project to consolidate and enhance application passwords
• Started November 2003, ended May 2004
• Completed as a Green Belt project for 2 business and 2 IT project managers
Source: Interview and personal comments from Financing’s CIO – October 2004

Page 60: IT Security

Before consolidation . . .
• 3 applications only required a password with 3 characters.
• Only 1 application had users change their password annually.
• Users could only reset their password by calling the support center.
(Diagram: five applications, each with its own separate database.)

Page 61: IT Security

After consolidation . . .
• 5 distinct applications now use a Single Sign On process.
• All applications share 1 common authentication source and logon process.
(Diagram: Single Sign On.)

Page 62: IT Security

User Benefits
• Only have to remember 1 password for all 5 applications.
• Once logged into one application, can jump right into another application.
• Navigation of applications is now much easier for users.
Source: Interview and personal comments from Financing’s CIO – October 2004

Page 63: IT Security

The Big Question ???
Did the project ‘Do The Right Thing?’
-or-
Did the project ‘Do The Thing Right?’

Page 64: IT Security

Was ‘The Right Thing’ . . .
• Enabling ‘Single Sign On’ was ‘the right thing to do’ only when implemented in conjunction with new password rules, recommended by IBM:
– Password must be between 8 and 12 characters.
– Password must have at least 1 number in it.
– Password cannot contain elements of the user’s name, company, address, or email address.
– New passwords must be different from the prior 12 passwords.
– New passwords cannot contain more than 6 repeated characters from the last password.
– Passwords must be changed every 90 days.
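The rules above are concrete enough to code, and the one practical wrinkle is worth seeing: checking against the prior 12 passwords only needs their salted hashes, but the “repeated characters from the last password” rule needs the old plaintext, which is available only at change time, when the user types the current password to authorise the change. The following is an added example, not Financing’s or IBM’s code, that implements the six rules; it assumes a user record with name, company, address and email fields, reads “more than 6 repeated characters” as a shared run of more than 6 consecutive characters (an interpretation, since the slide does not define it), and uses PBKDF2 for the history hashes.

```python
"""Password rules from the Financing/IBM list (added example; assumptions noted)."""
import hashlib
import os
from datetime import date, timedelta

MAX_AGE = timedelta(days=90)   # rule: change every 90 days
HISTORY_DEPTH = 12             # rule: differ from the prior 12 passwords
MAX_SHARED_RUN = 6             # assumption: "6 repeated characters" = longest common substring


def hash_pw(password, salt):
    """Salted PBKDF2-HMAC-SHA256 so the history never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def longest_common_substring(a, b):
    """Length of the longest run of consecutive characters shared by a and b."""
    best, prev = 0, [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def check_new_password(new_pw, old_pw, user, history):
    """Return the list of violated rules (an empty list means the password is accepted).
    user:    dict with 'name', 'company', 'address', 'email' (assumed record layout)
    old_pw:  current plaintext password, supplied by the user at change time
    history: list of (salt, hash) for recent passwords, newest first"""
    errors = []
    if not 8 <= len(new_pw) <= 12:
        errors.append("length must be 8 to 12 characters")
    if not any(c.isdigit() for c in new_pw):
        errors.append("must contain at least one number")
    lowered = new_pw.lower()
    for field in ("name", "company", "address", "email"):
        # Split the field into tokens (e-mail local part and domain labels count too).
        for token in user.get(field, "").lower().replace("@", " ").replace(".", " ").split():
            if len(token) >= 3 and token in lowered:
                errors.append(f"must not contain '{token}' from user's {field}")
    for salt, digest in history[:HISTORY_DEPTH]:
        if hash_pw(new_pw, salt) == digest:
            errors.append("must differ from the prior 12 passwords")
            break
    if old_pw and longest_common_substring(lowered, old_pw.lower()) > MAX_SHARED_RUN:
        errors.append("shares more than 6 consecutive characters with the last password")
    return errors


def password_expired(last_changed, today=None):
    """True once the password is 90 or more days old."""
    return (today or date.today()) - last_changed >= MAX_AGE


def record_password(password, history):
    """Push a newly accepted password onto the history, keeping HISTORY_DEPTH entries."""
    salt = os.urandom(16)
    return [(salt, hash_pw(password, salt))] + history[:HISTORY_DEPTH - 1]
```

Tokens shorter than three characters are ignored so that a house number or a state abbreviation in the address does not reject every password; that cut-off is a design choice, not part of the slide.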

Page 65: IT Security

Additional Benefit
• Enhanced applications to allow users to reset their password online if they forgot it.
– This eliminated nearly 200 calls per month to the application support center.
Source: Interview and personal comments from Financing’s CIO – October 2004

Page 66: IT Security

Results of Project
• Application security improved through enforcing strong password rules.
• Users initially complained about having to remember a more complicated password; however, these complaints were short-lived once users realized they only had to remember a single password for all 5 applications.
• Call center costs reduced by eliminating calls from users who had forgotten their password.
Source: Interview and personal comments from Financing’s CIO – October 2004

Page 67: IT Security

Further Enhancing Security
• IT Department publishes articles focusing on security in its monthly newsletter to customers.
• Currently considering modifying the ‘Single Sign On’ system to use security key validation.
Source: Interview and personal comments from Financing’s CIO – October 2004

Page 68: IT Security

Security Challenges: Preventing Breaches
• Technology used to enhance on-line security: all user application traffic is transported using SSL encryption (the protocol family now standardized as TLS).
Source: Interview and personal comments from Financing’s CIO – October 2004

Page 69: IT Security

Encryption Explained (diagram slide)
• Browser and server each hold a key; traffic crosses the Internet between them.
• Plaintext on the browser side: My Credit Card, My Address, My Phone Number.
• On the wire: Jdhd923kJdss938jdsdjdskzyu (illustrative ciphertext).
• Plaintext recovered on the server side: My Credit Card, My Address, My Phone Number.

Page 70: IT Security

Safety of Encryption ???
True or False: Encryption prevents all third parties from intercepting transactions?

Page 71: IT Security

The Answer is False . . .
• Encryption does not stop a third party from intercepting the traffic; it stops them from reading it. In principle, a third party could determine the correct key and decode the encrypted transactions if given enough time.
• The time and effort to crack a 128-bit encryption key is so large, given the limits of computing technology, that encrypted data is considered secure: the cost to crack the encryption outweighs the potential gain. In practice, encrypted traffic is compromised through weak key management, flawed implementations, or a compromised endpoint, not by exhausting the key space.

Page 72: IT Security

IT Infrastructure & Security

• IT resources for applications are geographically separated across the country.
• Applications run on multiple server clusters.
– If a single server goes down, other servers in the cluster can immediately take over the load from the down server.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 73: IT Security

Application Monitoring
• Impossible to predict when a system breach or system outage may occur.
• IT cannot react to a situation until it has occurred.
• Staff needs to be informed as soon as possible when an outage occurs to reduce downtime.
• Fast disaster reaction time is made possible through 24 / 7 application monitoring.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 74: IT Security

Application Monitoring (2)
• All applications are monitored by a third-party software tool run from multiple locations.
• Question: Why must the monitoring tool be run from multiple locations?
Source: Interview and personal comments from Financing’s CIO – October 2004

Page 75: IT Security

Application Monitoring (2), continued
• Answer: To ensure that the application is still being monitored even if one of the locations crashes, and so that a problem seen from only one location can be told apart from a problem seen from all of them.

Page 76: IT Security

Key Components of Monitoring

• The monitoring tool confirms that the application is up and running and can be accessed by customers. It simulates the same actions as a user connecting to the application through their own web browser.
• Since the monitoring tool is acting like a user, it is often called a ‘robot’.
• The monitoring tool accesses the application and invokes the most frequently used traffic flows and transactions performed by users.
• The response time for each traffic flow and transaction is recorded.

Page 77: IT Security

Preventing System Outages

• Each robot reports transaction times to a central database.
• A system alarm is sounded if any transaction time slows beyond a predetermined limit.
• Slow transactions point to a possible system problem that needs to be investigated further, possibly caused by a Denial of Service attack or by a hardware problem (broken disk, failed memory/processor, etc.).
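The robot design on the last three slides reduces to a small loop: replay the key flows, time each one, ship the timings to a central store, and alarm when a timing crosses its limit. The multi-location point from slide 75 falls out of the same data, because a flow that is slow from every location is an application problem while one slow from a single location is usually that location’s network path. The following is an added example, not the third-party tool Financing used; the flow names, the per-flow limits, the constructed sample records and the `client(flow)` callable interface are all assumptions.

```python
"""Synthetic 'robot' monitor with central alarm evaluation (added example)."""
import time
from collections import defaultdict

# Alarm limits in seconds per transaction flow (assumed values).
LIMITS = {"login": 2.0, "view_balance": 1.5, "make_payment": 3.0}


def run_flow(client, flow):
    """Time one flow. `client` is any callable(flow) -> bool (assumed interface);
    a real robot would drive a browser or HTTP session here."""
    start = time.perf_counter()
    ok = bool(client(flow))
    return {"flow": flow, "ok": ok, "seconds": time.perf_counter() - start}


def run_robot(location, client, flows=LIMITS):
    """One robot pass from one location; returns the records sent to the central database."""
    return [dict(run_flow(client, f), location=location) for f in flows]


def evaluate(records, limits=LIMITS, min_locations=2):
    """Central evaluation over records from all robots. Each alarm names the flow and
    whether the problem is 'application' (bad from >= min_locations) or 'network_path'
    (bad from a single location only)."""
    by_flow = defaultdict(dict)  # flow -> {location: is_bad}
    for r in records:
        too_slow = r["seconds"] > limits.get(r["flow"], float("inf"))
        by_flow[r["flow"]][r["location"]] = (not r["ok"]) or too_slow
    alarms = []
    for flow, locs in sorted(by_flow.items()):
        bad_locs = sorted(loc for loc, bad in locs.items() if bad)
        if bad_locs:
            kind = "application" if len(bad_locs) >= min_locations else "network_path"
            alarms.append({"flow": flow, "kind": kind, "locations": bad_locs})
    return alarms


# Constructed sample records from two robot locations (not real measurements).
SAMPLE_RECORDS = [
    {"location": "stl", "flow": "login",        "ok": True,  "seconds": 0.8},
    {"location": "stl", "flow": "view_balance", "ok": True,  "seconds": 0.4},
    {"location": "stl", "flow": "make_payment", "ok": True,  "seconds": 4.7},
    {"location": "atl", "flow": "login",        "ok": True,  "seconds": 0.9},
    {"location": "atl", "flow": "view_balance", "ok": False, "seconds": 30.0},
    {"location": "atl", "flow": "make_payment", "ok": True,  "seconds": 5.1},
]

if __name__ == "__main__":
    for alarm in evaluate(SAMPLE_RECORDS):
        print(alarm)
```

A failed flow (`ok` false) counts as bad regardless of timing, which is what catches a hard outage; a flow that answers but slowly is the signal the slide ties to a DoS or a failing disk.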

Page 78: IT Security

Benefits of System Monitoring

• Reduce application downtime by proactively responding to problems before they cause a system outage.
• Allow for high-availability Service Level Agreements.
• Quickly determine if reported system outages are caused by network connectivity problems as opposed to application problems.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 79: IT Security

Security Challenges: Fraud Prevention
“Currently so much emphasis has been put on protecting systems from unauthorized access and attack, that many have not considered or made provisions for security and fraud issues created by valid application users themselves.”
- Financing’s CIO, 10/2004

Page 80: IT Security

Primary Fraud Concerns
• Applications do not allow transfer of funds to external accounts, minimizing the risk of external fraud.
• Higher probability of customers trying to manipulate data stored in the system to their advantage.
• Must walk the fine line between respecting the customer and not allowing the customer to take advantage of the company.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 81: IT Security

Application Logging
• All applications log all user activity from logon to logout.
• Also logged: IP address of the computer used for access, hostname of the system used for access, browser type, operating system, etc.
• System transactions such as interest calculations and online document requests are also logged. This allows tracking of calculation or processing errors in back-end systems.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 82: IT Security

Business Intelligence & Security

• Logs are stored by username in a separate database.
• Current data center capacity allows for live storage of more than 2 years of logs.
• The live database allows on-demand searching of any user’s activity. It streamlines the investigation process and reduces call center call time.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 83: IT Security

Sample Fraud cases from 2004

Case 1: Fraudulent Payments
A customer calls to report that their bank account has been debited several thousand dollars in excess. The caller suspects someone has broken into the payment system using their account.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 84: IT Security

Fraud Investigation Process

• User calls the Support Center to report a suspicious problem.
• Call center pulls up all of the user’s transactions in the suspect period.
• Call center and customer identify suspicious sessions / transactions by comparing the system log with the customer’s records.
• If fraud is identified, evidence is sent to the fraud department for investigation.

Source: Interview and personal comments from Financing’s CIO – October 2004
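The investigation process above depends on the log layout described on slides 81 and 82: every event carries the username, session, IP, hostname and browser, and records are kept per user so that one query returns everything for the suspect period. The following is an added example, not Financing’s application code, that stores such records, groups them into sessions for a user and period, totals the payments in each, and flags any session whose IP/hostname pair was never seen for that user before the period (a takeover hint; note that in the Case 1 that follows the origin was the bookkeeper’s own machine, so the “when” and the payment totals, not the origin flag, are what resolve it). The record layout and the sample log lines are constructed.

```python
"""Per-user activity log with the call-center investigation query (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: ts, user, session, event, ip, host, browser, detail.
SAMPLE_LOG = [
    ("2004-10-04T08:02:11", "bkeeper", "s1", "logon",   "63.14.2.7", "office-pc",   "IE6", ""),
    ("2004-10-04T08:05:40", "bkeeper", "s1", "payment", "63.14.2.7", "office-pc",   "IE6", "amount=1200.00"),
    ("2004-10-04T08:09:02", "bkeeper", "s1", "logout",  "63.14.2.7", "office-pc",   "IE6", ""),
    ("2004-10-12T14:20:15", "bkeeper", "s2", "logon",   "63.14.2.7", "office-pc",   "IE6", ""),
    ("2004-10-12T14:23:48", "bkeeper", "s2", "payment", "63.14.2.7", "office-pc",   "IE6", "amount=2500.00"),
    ("2004-10-12T14:25:10", "bkeeper", "s2", "payment", "63.14.2.7", "office-pc",   "IE6", "amount=2500.00"),
    ("2004-10-12T14:27:33", "bkeeper", "s2", "logout",  "63.14.2.7", "office-pc",   "IE6", ""),
    ("2004-10-14T21:05:00", "bkeeper", "s3", "logon",   "68.5.1.9",  "home-laptop", "IE6", ""),
    ("2004-10-14T21:06:30", "bkeeper", "s3", "payment", "68.5.1.9",  "home-laptop", "IE6", "amount=900.00"),
    ("2004-10-14T21:07:00", "bkeeper", "s3", "logout",  "68.5.1.9",  "home-laptop", "IE6", ""),
]


class ActivityStore:
    """Records are kept per username, mirroring the 'separate database' on slide 82."""

    def __init__(self):
        self.by_user = defaultdict(list)

    def write(self, ts, user, session, event, ip, host, browser, detail=""):
        self.by_user[user].append({
            "ts": datetime.fromisoformat(ts), "session": session, "event": event,
            "ip": ip, "host": host, "browser": browser, "detail": detail})

    def sessions_in_period(self, user, start, end):
        """What the call center pulls up: the user's sessions inside [start, end], each with
        origin, time span, payment amounts, and a flag when the (ip, host) pair was never
        seen for this user before the period."""
        start, end = datetime.fromisoformat(start), datetime.fromisoformat(end)
        recs = self.by_user.get(user, [])
        baseline = {(r["ip"], r["host"]) for r in recs if r["ts"] < start}
        sessions = {}
        for r in sorted(recs, key=lambda r: r["ts"]):
            if not start <= r["ts"] <= end:
                continue
            s = sessions.setdefault(r["session"], {
                "session": r["session"], "first": r["ts"], "last": r["ts"],
                "ip": r["ip"], "host": r["host"], "browser": r["browser"],
                "payments": [], "novel_origin": (r["ip"], r["host"]) not in baseline})
            s["last"] = max(s["last"], r["ts"])
            if r["event"] == "payment":
                s["payments"].append(float(r["detail"].split("=", 1)[1]))
        return sorted(sessions.values(), key=lambda s: s["first"])


def load_sample():
    store = ActivityStore()
    for rec in SAMPLE_LOG:
        store.write(*rec)
    return store


if __name__ == "__main__":
    for s in load_sample().sessions_in_period("bkeeper", "2004-10-10T00:00:00", "2004-10-16T23:59:59"):
        print(s["session"], s["host"], s["first"], sum(s["payments"]), "novel" if s["novel_origin"] else "")
```

Two years of records per user is only useful if the investigator can pull one user’s slice quickly; keying the store by username (rather than by time) is what makes the one-call resolution on slide 86 possible.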

Page 85: IT Security

Problems with Fraud Investigation

• The fraud department borrows resources from the processing department and IT (both support and development) to track down the error and determine root cause.
• When fraud is identified, the fraud department determines what reparations will be given.
• Fraud investigation has a very high cost.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 86: IT Security

Preventing Fraud via Logging

• The transaction activity database allows 83% of fraud cases to be resolved in one call to the support center.
• Nearly 65% of suspected fraud cases are not fraudulent and are resolved in less than 20 minutes.
• How does this benefit the company?

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 87: IT Security

Benefits to Company
• Lower risk, attracting additional investment.
• Significant cost savings through minimal fraud investigation.
• Increased shareholder and customer confidence.
• Maintain a high company image in light of recent corporate accounting scandals.
Source: Interview and personal comments from Financing’s CIO – October 2004

Page 88: IT Security

Sample Fraud cases from 2004

Case 1: Fraudulent Payments – What happened?
• While a dealer’s bookkeeper (the caller) was on vacation in Florida, the dealer owner received a call from their account rep telling them about a special discount program if they made several extra payments that month.
• Consequently the dealership owner logged into the payment system, using the bookkeeper’s username and password that were posted in plain view on a ‘post-it’ note on her monitor, and made several payments.
Source: Interview and personal comments from Financing’s CIO – October 2004

Page 89: IT Security

Sample Fraud cases from 2004

Case 1: Fraudulent Payments – Resolution:
• The matter was resolved in one 12-minute call to the call center. The call center rep was able to locate the suspect transactions and confirm where and when they were made.
• The bookkeeper was able to figure out what happened by asking other staff around the office who had used her computer while she was away.
• No need to escalate the case to the fraud department for further investigation.
Source: Interview and personal comments from Financing’s CIO – October 2004

Page 90: IT Security

Security Challenges: Sarbanes-Oxley Act of 2002
Sarbanes-Oxley Act Defined:
• Federal legislation passed as a result of the accounting scandals at Enron, WorldCom, etc.
• Requires formal documentation of all processes where securities are exchanged.
• Process documentation must be audited annually to ensure it remains current.
• Major changes to business processes may require more auditing.
• Nicknamed SOX for short.

Page 91: IT Security

Initial SOX Challenges
• All five of Financing’s primary applications were identified as exchanging securities and would be audited for SOX compliance.
• Initial process documentation was difficult to complete due to a lack of good product documentation and staff changes.
• Technical IT staff struggled to produce quality documentation that could be used for audit purposes. Initially had to borrow resources from business units to draft documents.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 92: IT Security

Compliance with SOX
• Pros & Cons ???

Page 93: IT Security

Compliance with SOX
• Pros:
– Avoid legal action (SOX is a federal law)
– Prevent corporate fraud
– Ensure overall economic stability
– Improve public and shareholder image
• Cons:
– Additional auditing tasks
– Increased workload for existing resources
– Additional costs for auditing
– Slower development time

Page 94: IT Security

Maintaining SOX Compliance

• Ongoing auditing requires further assistance from technical staff to verify system behavior.
• SOX auditing is performed by external vendors, such as KPMG, to ensure compliance.
• Any change to an application requires review and possible revision of the SOX documentation, increasing the time required to make enhancements.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 95: IT Security

SOX Costs
• The majority of SOX auditing costs have fallen within the IT budget, as only IT analysts have full knowledge of the business processes and how they are technically implemented, which is necessary for full documentation.
• Costs for SOX auditing have been fully funded while still decreasing IT’s annual budget, by shifting more development and support to Financing’s offshore resources.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 96: IT Security

SOX Compliance: Lessons Learned
• Project management must allow sufficient time for SOX documentation.
• Appoint a SOX owner for each application who is responsible for ongoing audits of the documentation for that application.
• Encourage all team members to think proactively about SOX compliance. SOX owners are encouraged to include technical staff in their ongoing reviews to help develop strong documentation skills.
• Edit SOX documentation on an ongoing basis.

Source: Interview and personal comments from Financing’s CIO – October 2004

Page 97: IT Security

Security Comparison (table reconstructed from the slide)

Topic                         HRC                                                     Financing
Budget                        Information not available.                              No line item budget amount. Security tasks are encompassed with other budget items.
Dedicated Security Resources  Dedicated resources responsible for systems and user accounts.   Staff from other IT functions also serve to fulfill security responsibilities.
Security Testing              Information not available.                              Penetration test is conducted by an external vendor annually.

Page 98: IT Security

Security Comparison (2) (table reconstructed from the slide)

Topic                  HRC                                                                         Financing
Risk Assessment        Risk controlled through maintaining access levels on all users and data.    Business responsible for identifying business areas at risk; IT responsible for technical areas of risk.
Security Architecture  Security practices based on well-known models, such as the Bell-LaPadula model.   Applications designed in house; hence, the architecture team defined the security framework based on risks.
Review Process         Annual audits are performed by security officers.                           Security provisions are reviewed on an ongoing basis as part of maintaining SOX docs.

Page 99: IT Security

Security Best Practice Recommendations

From HRC:
• Password policies
• Firewall in place to block access to illegal sites
• Ensure you have a procedure in place so that all personnel you let on the network have been fully screened
• Virus protection
• Do audits

From Financing:
• Use a strong password and change it regularly.
• Monitor / restrict Internet access on workstations.
• Hire a third-party expert to evaluate the security of systems.
• Keep complete logs / backups for recovery purposes.
• Proactively seek new / better security provisions.

Page 100: IT Security

Sources Utilized
• http://archive.ncsa.uiuc.edu
• http://www.itsecurity.com/dictionary.html
• https://www.2xcitizen.usar.army.mil/2xhome.asp
• http://www.acerts.net
• http://www.infragard.net

Page 101: IT Security

Sources Utilized
• “FrontLine - Tips and Techniques to Protect Your Information”; June 2004
• United States Army Reserve Information Assurance Office
• Human Resources Command-St. Louis Information Assurance Office
• Army Regulation (AR) 25-2, 14 November 2004
• Army Regulation (AR) 25-1, 30 June 2004

Page 102: IT Security