General Security Guidelines
Best Practices for Everyone
Presented at: Nextbridge LHR C1, June 1, 2012
Topics we will cover in this presentation
• What is Information
• What is Information Security
• What is Risk
• Corporate Security
• How we are linked with Corporate Security
• User Responsibilities
• Web Application Vulnerabilities (Case Study)
• Questions
WHO IS AT THE CENTRE OF SECURITY
U-R
What is Information?
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.
Information can be:
• Created
• Stored
• Destroyed
• Processed
• Transmitted
• Used / Misused
• Corrupted
• Lost
• Stolen
Information can be…
• Printed or written on paper
• Stored electronically
• Transmitted by post or using electronic means
• Shown on corporate videos
What is Information Security?
The quality or state of being secure: to be free from danger.
Security is recognized as essential to protect vital processes and the systems that provide those processes
Security is not something you buy, it is something you do
Business survival depends upon Information Security
What Information Security does
• Protects information from a range of threats
• Ensures business continuity
• Minimizes financial loss
• Optimizes return on investments
• Increases business opportunities
What is Risk?
Risk
• A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset
Threat
• Something that can potentially cause damage to the organization, IT Systems or network
Vulnerability
• A weakness in the organization, IT Systems, or network that can be exploited by a threat
• High User Knowledge of IT Systems
• Theft, Sabotage, Misuse
• Virus Attacks
• Systems & Network Failure
• Lack of Documentation
• Lapse in Physical Security
• Doing without Knowing
Sources…!

Source                   | Motivation                                                      | Threat
-------------------------|-----------------------------------------------------------------|--------------------------------------------------------------------------------------
External Hackers         | Challenge, Ego, Game Playing                                    | System hacking, Social engineering, Dumpster diving
Internal Hackers         | Deadline, Financial problems, Disenchantment                    | Backdoors, Fraud, Poor documentation
Terrorist                | Revenge, Political                                              | System attacks, Social engineering, Letter bombs, Viruses, Denial of service
Poorly trained employees | Unintentional errors, Programming errors, Data entry errors     | Corruption of data, Malicious code introduction, System bugs, Unauthorized access
Corporate Security
Corporate Security is the responsibility of everyone.
Corporate Security
Policy
People
Risk Management
Legalization
Compliance
Technology
User Responsibilities
Good Practices
• Follow security procedures
• Wear identity cards and badges
• Ask unauthorized visitors for their credentials
• Attend visitors in the reception and conference room only
Avoid these
• Bring visitors into the operations area without prior permission
• Bring hazardous and combustible material into the secure area
• Practice “piggybacking”
• Bring and use pen drives, zip drives, iPods or other storage devices unless otherwise authorized to do so
Good Practices
• Always use a password of at least 8 characters combining letters, numbers and special characters (*, %, @, #, $, ^)
• Use passwords that you can remember easily
• Change your password regularly
• Use a password that is significantly different from your earlier passwords
Avoid these
• Use passwords that reveal your personal information or are words found in a dictionary
• Write down or store passwords
• Share passwords over phone or email
• Use passwords that do not meet the above complexity criteria
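The password rules on this slide can be enforced automatically at the point where a user chooses a new password. The checker below is an added example, not part of the presentation or of any product the presenter describes; the dictionary word list, the personal-information strings and the rule for "significantly different" (reject a password that only tweaks the previous one by a couple of characters or a trailing number) are assumptions made for the example.

```python
import re

# Constructed stand-in for a real dictionary word list (assumption for this example).
DICTIONARY_WORDS = {"password", "welcome", "summer", "nextbridge", "admin", "letmein"}
# The special characters the slide lists.
SPECIAL_CHARS = set("*%@#$^")


def _hamming_like(a, b):
    """Differing positions plus the length difference: a crude edit distance."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def _too_similar(new, old):
    """True when the new password is only a small tweak of the old one
    (for example Summer2011 -> Summer2012, or one or two characters changed).
    This is the example's own interpretation of 'significantly different'."""
    if new == old:
        return True
    stripped_old = old.rstrip("0123456789")
    if stripped_old and new.startswith(stripped_old):
        return True
    return _hamming_like(new, old) <= 2


def policy_violations(candidate, previous_passwords=(), personal_info=()):
    """Return the list of rules the candidate breaks; an empty list means it passes.

    previous_passwords: earlier passwords of this user (plain text only for the demo;
    a real system keeps hashes and would need a different similarity check).
    personal_info: strings such as the user's name that must not appear in the password.
    """
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("no letters")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digits")
    if not (set(candidate) & SPECIAL_CHARS):
        problems.append("no special character from * % @ # $ ^")

    lowered = candidate.lower()
    # Drop digits and symbols so "Welcome123#" is still recognised as the word "welcome".
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in DICTIONARY_WORDS or core in DICTIONARY_WORDS:
        problems.append("based on a dictionary word")

    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append("contains personal information (%s)" % item)

    if any(_too_similar(lowered, old.lower()) for old in previous_passwords):
        problems.append("too similar to a previous password")
    return problems


if __name__ == "__main__":
    for pw in ("welcome", "Welcome123#", "Tr0ub4dor#Zx"):
        print(pw, "->", policy_violations(pw) or "OK")
```

Reporting every violated rule at once, rather than stopping at the first, lets the user fix the password in one attempt; the dictionary check deliberately strips digits and symbols first, because "Welcome123#" satisfies the character-class rules and is still a dictionary word.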
User Responsibilities
Good Practices
• Use internet services for business purposes only
Avoid these
• Do not access the internet through dial-up connectivity
• Do not use the internet for viewing, storing or transmitting obscene or pornographic material
• Do not use the internet for accessing auction sites
• Do not use the internet for hacking other computer systems
• Do not use the internet to download / upload commercial software / copyrighted material
Good Practices
• Use official mail for business purposes only
• Follow the mail storage guidelines to avoid blocking of e-mails
• If you come across any junk / spam mail, do the following:
  • Remove the mail
  • Inform the security help desk
  • Inform the server administrator
  • Inform the sender that such mails are undesired
Avoid these
• Do not use your official ID for any personal subscription purpose
• Do not send unsolicited mails of any type, such as chain letters or e-mail hoaxes
• Do not send mails to clients unless you are authorized to do so
• Do not post non-business-related information to a large number of users
• Do not open mail or attachments suspected of carrying a virus or received from an unidentified sender
Report Security Incidents (IT and Non-IT) to the Helpdesk through:
• E-mail to [email protected]
• Telephone: Ext# 611
• Reporting through the helpdesk system @ http://mis.vteamslabs.com
e.g.:
IT Incidents: Mail spamming, virus attack, hacking, etc.
Non-IT Incidents: Unsupervised visitor movement, information leakage, bringing unauthorized media
• Do not discuss security incidents with anyone outside the organization
• Do not attempt to interfere with, obstruct or prevent anyone from reporting incidents
Human Wall is better than Firewall
Let's build a human wall around our firewall
Best Practices
• Ensure your desktops have the latest antivirus updates
• Ensure your system is locked when you are away
• Always store laptops / media in a lockable place
• Be alert while working on laptops during travel
• Download data from known and trusted websites
• Do not use inline attachment reading in your email clients
• Do not click any URL not known to you
• Ensure sensitive business information is under lock and key when unattended
• Ensure back-up of sensitive and critical information assets
• Verify credentials if the message is received from an unknown sender
• Always switch off your computer before leaving for the day
• Keep yourself updated on information security aspects
Do not let this Happen
Web Application Vulnerabilities
No language can prevent insecure code, although there are language features which can aid or hinder a security-conscious developer.
Five Evil Sisters
• Remote code execution
• SQL injection
• Format string vulnerabilities
• Cross Site Scripting (XSS)
• Username enumeration
Web Application Vulnerabilities
Remote Code Execution
This vulnerability allows an attacker to run arbitrary, system-level code on the vulnerable server and retrieve any information it holds. It is caused by improper coding. It is sometimes difficult to discover during penetration testing assignments, but such problems are often revealed during a source code review. When testing web applications, remember that exploitation of this vulnerability can lead to total system compromise with the same rights as the web server itself.
Rating: Highly Critical
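The "improper coding error" behind most remote code execution in web applications is untrusted input reaching an interpreter: a shell, an eval, a template engine. The snippet below is an added example, not code from the presentation; it assumes a Python web handler that pings a host a user typed in. The first function shows the error (input concatenated into a shell command line), the second the hardened form (an allowlist grammar for the input plus an argument vector that no shell ever parses). Function names and sample inputs are constructed for the example.

```python
import re

# Strict hostname grammar (RFC 1123 labels): letters, digits and hyphens only, so shell
# metacharacters, whitespace and a leading "-" (which would be read as an option) are
# all rejected before the value gets anywhere near a command.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_ping_unsafe(host):
    """The coding error: user input concatenated into a shell command line.
    Handing this string to os.system() or subprocess.run(..., shell=True) lets the
    shell interpret everything the user typed, not just a hostname."""
    return "ping -c 1 " + host


def build_ping_argv(host):
    """Hardened form: validate against an allowlist grammar, then build an argument
    vector for subprocess.run(argv) so no shell is involved at all."""
    if not isinstance(host, str) or not HOSTNAME_RE.match(host):
        raise ValueError("refusing to run ping: input is not a valid hostname")
    return ["ping", "-c", "1", host]


def is_safe_host(host):
    """True if the input would be accepted by build_ping_argv, False otherwise."""
    try:
        build_ping_argv(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Demo only: print the argv instead of executing it, so the example runs offline.
    for candidate in ("example.com", "example.com; id", "-n"):
        print(repr(candidate), "->", build_ping_argv(candidate) if is_safe_host(candidate) else "rejected")
```

The argument vector is the important half: even with validation in place, passing the value to `subprocess.run(argv)` (no `shell=True`) means a validation bug cannot turn into command execution, because there is no shell to interpret metacharacters.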
SQL Injection
SQL injection is a very old approach, but it is still popular among attackers. This technique allows an attacker to retrieve crucial information from a web server's database. Depending on the application's security measures, the impact of this attack can vary from basic information disclosure to remote code execution and total system compromise.
Rating: Highly Critical
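The defence against SQL injection is to keep data out of the SQL grammar with parameterized queries. The example below is added here and is not from the presentation; it uses Python's standard `sqlite3` module with a constructed in-memory `users` table, and shows the vulnerable lookup (string concatenation) next to the hardened one (a placeholder and a parameter tuple) so the difference in behaviour on the same input is visible.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def lookup_email_vulnerable(conn, username):
    """String concatenation: the input is spliced into the SQL text, so quotes and
    keywords in it change the statement the database executes."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn, username):
    """Parameterized query: the statement is fixed and the value travels separately,
    so whatever the input contains is only ever compared as data."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_demo_db()
    probe = "x' OR '1'='1"   # a username nobody has; note the embedded quote
    print("vulnerable:", lookup_email_vulnerable(db, probe))   # every row leaks
    print("safe:      ", lookup_email_safe(db, probe))         # nothing matches
```

The same rule applies to any database driver: the `?` (or `%s`, `:name`, depending on the driver) is a placeholder the driver fills in, never a string substitution done by the application, and it is the only place user input should ever meet SQL.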
Format String Vulnerability
This vulnerability results from the use of unfiltered user input as the format string parameter in certain Perl or C functions that perform formatting, such as C's printf().
A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory.
Format string vulnerability attacks fall into three general categories: denial of service, reading and writing.
Rating: Highly Critical
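Because the slide notes that this class of bug is easier to find in source than in black-box testing, a cheap review aid is a check that flags every printf-family call whose format argument is not a string literal (the same idea as the compiler's `-Wformat-security` warning). The script below is an added example, not part of the presentation; the table of functions and the C fragments it scans are constructed for the example, and the check is line-based, so multi-line calls and macros are outside its reach.

```python
import re

# printf-family functions and the 0-based position of their format argument.
# (Constructed table for this example; extend it for a project's own wrappers.)
FORMAT_FUNCS = {
    "printf": 0, "vprintf": 0,
    "fprintf": 1, "sprintf": 1, "syslog": 1,
    "snprintf": 2,
}
CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_FUNCS) + r")\s*\((.*)\)\s*;")


def split_args(arg_text):
    """Split a C argument list on top-level commas, ignoring commas inside
    string literals and nested parentheses."""
    args, cur = [], []
    depth, in_str, i = 0, False, 0
    while i < len(arg_text):
        ch = arg_text[i]
        if in_str:
            cur.append(ch)
            if ch == "\\" and i + 1 < len(arg_text):
                cur.append(arg_text[i + 1])   # keep the escaped character verbatim
                i += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            cur.append(ch)
        i += 1
    if cur:
        args.append("".join(cur).strip())
    return args


def find_format_string_risks(source_lines):
    """Return (line number, function, format argument) for every call whose
    format argument is not a string literal and so may be attacker-controlled."""
    findings = []
    for lineno, line in enumerate(source_lines, 1):
        m = CALL_RE.search(line)
        if not m:
            continue
        func = m.group(1)
        args = split_args(m.group(2))
        idx = FORMAT_FUNCS[func]
        if idx < len(args) and not args[idx].startswith('"'):
            findings.append((lineno, func, args[idx]))
    return findings


# Constructed C fragments standing in for a source file under review.
SAMPLE_C = [
    'printf("%s\\n", user_name);',            # literal format: fine
    'printf(user_name);',                     # user data used as the format string
    'fprintf(stderr, error_message);',        # same problem on stderr
    'snprintf(buf, sizeof(buf), "%d", n);',   # literal format: fine
    'syslog(LOG_INFO, request_line);',        # logging with a variable format
    'size_t n = strlen(user_name);',          # not a printf-family call
]

if __name__ == "__main__":
    for lineno, func, fmt in find_format_string_risks(SAMPLE_C):
        print("line %d: %s() called with non-literal format %r" % (lineno, func, fmt))
```

The fix for each finding is the same: make the format a literal and pass the variable as an argument, `printf("%s", user_name)` instead of `printf(user_name)`. A finding whose non-literal format comes from a constant table rather than from input is a false positive, which is why the output names the offending expression for the reviewer to judge.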
Cross Site Scripting
The success of this attack requires the victim to open a malicious URL crafted to appear legitimate at first look.
When the victim visits such a crafted URL, the attacker can effectively execute something malicious in the victim's browser. Some malicious JavaScript, for example, will run in the context of the web site that has the XSS bug.
Rating: Highly Critical
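The reason the attacker's script runs "in the context of the web site" is that the site echoed untrusted input into its page without encoding it for the context it landed in. The example below is added here and is not from the presentation; it assumes a Python web application and shows a reflected search result rendered unsafely and safely, a link whose path and text need two different encoders, and the response headers that limit the damage if an encoding bug slips through. Function names and inputs are constructed for the example.

```python
import html
from urllib.parse import quote


def render_search_vulnerable(query):
    """Untrusted input spliced straight into the page: any markup in it is rendered,
    and any script in it runs with the site's origin, cookies and session."""
    return "<p>Results for: " + query + "</p>"


def render_search_safe(query):
    """Output encoding for the HTML text context: <, >, &, double and single quotes
    become entity references, so the browser displays the input instead of parsing it."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def render_profile_link_safe(username):
    """Each context needs its own encoder: percent-encode the URL path segment, then
    HTML-escape what lands in the attribute and in the link text."""
    path = "/users/" + quote(username, safe="")
    return '<a href="%s">%s</a>' % (
        html.escape(path, quote=True),
        html.escape(username, quote=True),
    )


def hardening_headers():
    """Defence in depth: with a script-src policy that excludes inline script, an
    injected <script> block is refused by the browser even if escaping was missed."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    sample = "<script>alert(1)</script>"   # constructed probe string
    print(render_search_vulnerable(sample))
    print(render_search_safe(sample))
    print(render_profile_link_safe('a b/"c'))
```

Escaping on output rather than on input is deliberate: the same string may be stored once and later placed in HTML text, in an attribute, in a URL or in JSON, and each of those needs a different encoding.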
Username Enumeration
Username enumeration is a type of attack where the backend validation script tells the attacker whether or not the supplied username is correct. Exploiting this weakness lets the attacker try different usernames and determine which ones are valid from the differing error messages.
Rating: Critical
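The fix is to make the "no such user" and "wrong password" paths indistinguishable: the same message, and the same amount of work, so that neither the text nor the response time reveals which usernames exist. The login functions below are an added example, not from the presentation; they assume a Python backend with a constructed single-user table, PBKDF2 for password hashing and a constant-time comparison from the standard library.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000   # assumption for the demo; tune to the server's hardware


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed user store: one account for the demo, password chosen for the example.
_salt, _digest = hash_password("Correct-Horse#42")
USERS = {"alice": (_salt, _digest)}


def login_leaky(username, password):
    """The enumeration bug: the message (and the work done) differs depending on
    whether the username exists, so each reply confirms or denies a username."""
    if username not in USERS:
        return False, "Unknown username"
    salt, expected = USERS[username]
    if hash_password(password, salt)[1] != expected:
        return False, "Incorrect password"
    return True, "Welcome"


GENERIC_MESSAGE = "Invalid username or password"
# A throw-away credential hashed on the unknown-user path so both paths cost the same.
_DUMMY = hash_password(secrets.token_hex(16))


def login_uniform(username, password):
    """Hardened: one message for every failure, a hash computed on every path, and a
    constant-time digest comparison."""
    salt, expected = USERS.get(username, _DUMMY)
    _, actual = hash_password(password, salt)
    ok = hmac.compare_digest(actual, expected) and username in USERS
    return ok, ("Welcome" if ok else GENERIC_MESSAGE)


if __name__ == "__main__":
    for user in ("alice", "mallory"):
        print("leaky:  ", user, login_leaky(user, "wrong"))
        print("uniform:", user, login_uniform(user, "wrong"))
```

The same rule applies to registration and password-reset forms ("an e-mail has been sent if the account exists"), and the help desk should know the policy so that it does not confirm by telephone what the login page refuses to reveal.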
Case Study
In this slide, we will cover the following about the subject:
• What is it about?
• Background of the happening
• Refer to PDF Reports
• Conclusions
Now it's your turn to speak
GENERAL SECURITY GUIDELINES
Best Practices for Everyone
Designed & Presented by: Abdul Rehman, Senior System Administrator
Presented at: Nextbridge LHR C1, May 17, 2012