Computer Security and You

Published July 2016 | Categories: Types, Presentations

Some good pointers on securing your computer


Computer security and you
Jeremy Horne, Ph.D.

The required mindset
Almost weekly the average user is notified that a security patch needs to be downloaded for a major application. Given what we have seen of the average development environment this is not surprising, as the seriousness required for developing secure software is often lacking. Just about everyone has heard of the Stuxnet worm, of supervisory control and data acquisition (SCADA) weaknesses, and of the security sites warning of the thousands of new malware samples released daily by every computer-savvy sociopath out there. One might think of the computer world as an electronic battleground where even the seemingly most secure sites are attacked, sometimes with success. For example, the VeriSign site [http://www.verisign.com/] was breached repeatedly in 2010, but the company's management was not told until the following year [http://www.theregister.co.uk/2012/02/02/verisign_hacking_attack/]. The internet simply isn't the carefree, fun-filled playground that it was 15 years ago. There are rogue states with legions of trained hackers tasked specifically with writing software to compromise computers, steal information, spy on others, and simply wreck systems. Think of the computer world as one vast prison, where the inmates have 24/7/365 to think of ways to compromise systems and otherwise make a person's life miserable; think of it as a world of all against all, the state of nature. Once you are oriented this way, you are prepared to do what is necessary to build a secure computer system. This chapter, like the rest, is process-oriented: it acknowledges that the threats to computer systems and the measures to combat them are a world unto themselves, requiring a coterie of Ph.D.s to track, and that we must rely for the most part on the judgment of professionals to defend ourselves. There is, however, a set of measures that can be taken to afford the best protection possible.
Again, we refer to standardization and best industry practices, because professionals are constantly involved in keeping them up to date with the latest developments. Our view is that the best security for everyone is the best that there is to offer. It is in the interest of every computer user, regardless of status, to help keep the web, the virtual society, as secure as the real one; think of it as a worldwide neighborhood watch. With today's technologies there really is no excuse for sloppy security. We have stated earlier that many development environments are procedural pigpens with little maturity, discipline, or competence, and the end user is pretty much at the mercy of the rogue who would exploit their weaknesses to prey on others. Security is 24/7/365¼; it NEVER ceases. This cannot be emphasized enough! We tend to think of the military, the State Department, or the NSA and assume their means of keeping unauthorized persons out of their systems are sacrosanct or foolproof.

However, be aware that there have been break-ins there too, and security is sometimes loose as a goose, with standards, procedures, and monitoring full of holes. Bear in mind also that security measures are only as good as the education, training, and attentiveness of those creating and maintaining them. This is all to say that those creating these measures have access to the same resources that the public has: courses, standards, security websites and the accompanying research, conferences, and open dialogue. The imagination to institute good security is constrained only insofar as a person allows it to be. Security integrity varies from organization to organization, and it is incumbent on each organization to stay up to date with the best industry practices in the field. Keep the adage in mind: the only secret left is the deodorant. All that remains is to minimize the stink of intrusion. We are going to walk you through a process to ensure that you have the best security measures available. You won't have a silver bullet, but you will rank among the top organizations in security management. This is not a manual on what to do about security but a process-oriented discussion of how to be knowledgeable and implement security measures. Treat the assemblage of hardware, software, personnel, and general development environment as a system, just as ISO/IEC 15288 specifies, and decide, with protective measures, what is acceptable to pass back and forth across its boundaries. This is the model for developing an appropriate security cloak.

Basic housekeeping
Do all the obvious things first: make sure all applications have the latest updates, including patches. If you don't know the following terms, look them up and learn about them:
• Anti-virus – installed and up to date, preferably with automatic updates turned on
• Phishing and spear phishing
• Spam
• Rootkits
• Keyloggers
• Logic bombs
• Worms
• Cross-site scripting
• Spyware
• Zero-day threats

… among others! Here is a non-exhaustive list of specific security measures that should be instituted.
• Putting each application in auto-update mode is wise, but check periodically that the auto-update feature is still turned on. A quirk in the system may turn it off, or malware that has crept in may do so.
• Establish an acceptable use policy, a sample of which is in the Appendix of this book. The major issues a user should be aware of are included and are self-explanatory.
• Update all programs, including operating systems and applications, regularly. If you get a notice from Adobe, for example, go to the vendor's website manually and check for updates there rather than following the notice.
• Constantly be aware of zero-day threats (ZDT) and use common sense about opening anything. Consider every aspect of your cyber experience as taking place in an environment of ZDTs. You are on an electronic battlefield.
• Viruses are less of a threat than before. Morphing worms and adaptive malware are emerging as the main threats; we are now in the age of neural-netware that can be built into malicious programs.
• NEVER send a password by e-mail.
• Firewalls – make sure the firewall is turned on.
• Make sure data is stored in a different area from applications, and that both are separate from the OS.
• Keep production, testing, and development machines separate.
• Remote access – ensure strict policies on remote access.
• Personal devices and computers – restrict them or prohibit them altogether from interacting with sensitive systems. If they are to interact, have them physically checked by the security manager.
• Lock sessions after a period of inactivity.
• Establish access through biometrics (such as a fingerprint reader) or a common access card (CAC) combined with a good password system, or a similar system.
• We seriously recommend The Open Web Application Security Project (OWASP) Testing Guide v3.0 for security testing; it is open source and downloadable without cost [https://www.owasp.org/index.php/OWASP_Testing_Project]. There is also the OWASP Top Ten (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) of security concerns for web security, as well as the issues set forth by our security manual.
• Don't forget 128-bit encryption as set forth in the Advanced Encryption Standard (AES), specified by U.S. FIPS PUB 197 (FIPS 197).
• All outgoing bit streams are encrypted.
• All electronic information on computers or devices leaving the facility is encrypted.
• Access to devices outside the facility is through biometric access.
• Removable storage – have this severely controlled by the security office.
• Cross-site scripting prevention, as well as ad and pop-up blocking, are essential.
• Do your registry cleaning often. Disk cleaning, scan disk, and defragmentation (among others) are further maintenance measures.
• How is paper destroyed? One good method is crosscut shredding, with a maximum 3/16" x 1 1/8" shred size.
• When no longer serviceable, physically destroy digital storage devices with the same crosscut shredding and then recycle them.
• Establish and maintain an intrusion detection/intrusion prevention system.
• Include social engineering in your security awareness program. This factor accounts for the majority of security problems!
• Establish and monitor computer access rights.
• Establish Secure Socket Layer (SSL, today superseded by TLS) policies.
• Create, and maintain through regular security review, a security manual distinct from the policy and procedures manual.
• Establish a security department with a certified officer who is continuously updated. There should be a security certificate renewal program in which employees' security training is documented. Train employees every 6 months online and every 6 months in person, staggered so that the two alternate. Examination and observation should be by a certified employee.
• Create a vulnerability management system, with threat and vulnerability assessment tools, and manage the data they collect.
• Regularly test security controls. Internal integrity needs to be maintained, but with outside validation. Put this in the security manual. Furthermore, test the controls on an ongoing basis.


There should be no time gaps in the testing; testing should consist of continuous monitoring.
• Maintain system logs.
• If you are using open source software, make sure all security measures are applied to it as well.
• Never allow outside personnel to develop your security system, unless they are bonded, trusted, and so forth.
• Make sure that your router has a password. Factory default passwords can be found online, so change yours from the default to something unique.
• As to passwords, when possible make them at least 10 characters, with 2 uppercase letters, 2 lowercase letters, 2 digits, and 2 special characters. Change them at least every 150 days.
• Computers that can be "rubber-hosed" (whose owners can be coerced into giving up credentials) get hit most often.
• Allow no transfers of data through automated mechanisms. Some sites have reporting tools which are protected by Secure Socket Layer (SSL) as well as a username and password.
• Is the disk backup of the organization continuity plan data encrypted? How is it secured? Provide for a secure off-site backup.
• Speaking of backups, ensure that there is secure on-site as well as off-site backup of all organizational data.
• Do all disk backups with PGP encryption using an AES key of at least 128 bits. Passphrases should be 40+ characters.
• Back up data on storage devices as well, using the same security measures.

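The password rule above is easy to state and easy to get wrong in code, so here is a checker for it, added as an illustration and not taken from the article: at least 10 characters with at least 2 each of upper case, lower case, digits and other characters, rejection of a small constructed list of factory defaults (the router point above), and a 150 day rotation check. Function names, the default list and the sample inputs are assumptions. One caveat a practitioner should know: NIST SP 800-63B (2017) advises against mandatory composition rules and scheduled rotation in favor of length and screening against breached-password lists, so treat the composition part as the article's rule rather than current best practice.

```python
"""Password policy checker (added example, not from the article).
Implements the stated rule: >= 10 characters, >= 2 upper, >= 2 lower,
>= 2 digits, >= 2 other characters, not a factory default, rotated
within 150 days. Names and the default list are assumptions."""
from datetime import date, timedelta

MIN_LENGTH = 10        # minimum length from the article's rule
MIN_PER_CLASS = 2      # minimum count for each character class
MAX_AGE_DAYS = 150     # rotation limit from the article's rule

# Constructed sample of factory defaults. A real deployment would load a
# full vendor or breach-corpus list instead of this handful.
DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345678", "changeme"}


def classify(pw: str) -> dict:
    """Count characters per class. Anything that is not a letter or a
    digit (punctuation, space, symbols) counts as 'other'."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "other": 0}
    for ch in pw:
        if ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["other"] += 1
    return counts


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for cls, n in classify(pw).items():
        if n < MIN_PER_CLASS:
            problems.append(f"fewer than {MIN_PER_CLASS} {cls} characters")
    # Case-insensitive match: "ChangeMe" is still the default "changeme"
    if pw.lower() in DEFAULT_PASSWORDS:
        problems.append("matches a known factory default")
    return problems


def rotation_overdue(last_changed: str, today: str) -> bool:
    """True when the password is older than MAX_AGE_DAYS (ISO 8601 dates)."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample inputs
    for candidate in ["Tr0ub4dor&3xYZ!", "Password1!", "ChangeMe"]:
        print(candidate, "->", check_password(candidate) or "OK")
    print("rotation overdue:", rotation_overdue("2016-01-01", "2016-07-01"))
```

The checker returns every violation rather than stopping at the first, which is what a user-facing prompt needs; the default-password check runs case-insensitively because vendors print defaults in varying case.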

General policy guidelines
Keep your Information Security Policy Governance Program electronically as well as in hard copy form, made available to all those whom the policy covers on a need-to-know basis. Have a policy and procedures manual that incorporates security. (As somewhat of an aside, that manual should incorporate the standards set forth in the Project Management Body of Knowledge and the ISO 9000 series quality management standards.) Also have a security manual that describes how those policies are carried out. This latter manual is available only to those directly involved with carrying out policy. Maintain a list of who either has the manual or access to it. Inasmuch as you are managing personal information that you consider to be of the highest degree of criticality, in general follow practices consistent with those of the U.S. Department of Defense or a similar security-conscious organization when practicable. In addition, ensure that your practices conform with or exceed those of the Centers for Disease Control and Prevention (CDC) and the Food and Drug Administration (FDA). Incorporate by reference in your policy and security manuals 21 CFR Part 11, with respect to electronic record keeping and electronic signatures, as well as HHS security requirements. Follow the best practices set forth by The Information Security Forum (ISF) [https://www.securityforum.org/], incorporating them in the security manual, and in the policy and procedures manual where personnel outside the immediate security domain need to know. Subscribe to the free "SANS NewsBites" at http://www.sans.org/ (which also has many links to other security publications). This organization regularly publishes news of break-ins and the basic techniques used. It is a valuable resource for prompting one to examine various aspects of system security more closely. For example, if data is stored online, is it encrypted? What about data on portable devices, such as laptops and memory sticks? Almost daily there are instances where a laptop is stolen or access is gained to online data that is not encrypted. Arcane examples of security breaches are reported, such as thieves being able to retrieve electromagnetic fingerprints left on printers. Speaking of which, how many people have thought of upgrading the software coupled with the printer, such as layout design applications? This goes for other firmware as well. Go to the U.S. Computer Emergency Readiness Team (US-CERT) for security information [http://www.us-cert.gov/]. Also see CERT Cyber Security Engineering (CSE) [www.cert.org/] and Carnegie Mellon's CERT Coordination Center (CERT/CC) at the Software Engineering Institute [http://www.sei.cmu.edu/].
Create and employ an organization continuity plan to manage outages and disasters. One form of guidance is the set of procedures set forth by the U.S. Department of Homeland Security, as well as the British Standards Institution (BSI) business continuity standard BS 25999-1. Do an impact analysis as part of your plan, as in doing audits every six months. Do an independent "third party" audit of security governance, processes, and controls (e.g., SysTrust, WebTrust). One should validate the other. Have a process in place to review emerging privacy and data-protection regulations and industry security standards to ensure compliance with them, and review these against the security policies and procedures set forth in your manual. In particular, be mindful of The Health Insurance Portability and Accountability Act (HIPAA). If you are an ISO-certified organization, be prepared for audits. Conduct network penetration tests and have a monitoring system that acts as an ongoing penetration test. Also conduct such tests on a monthly basis, and adjust the penetration tests according to what you find. Do the same for external application penetration tests.

Have standards and procedures in place to protect and control intellectual property rights and the rights of copyrighted material, and reference these in your security manual. Keep in your security and system administration manuals a current list of all software installed on your system, with a note on version and updates. Create and maintain a record retention program with appropriate security, and put this in your policies and procedures manual. In addition, we focus on the requirements specified in 21 CFR Part 11, HIPAA, and HHS rules. All in all, if your organization has the resources, it is best to have an on-board security expert whose full-time job it is to maintain the security of the system and its environment and to stay up to date at all times on the latest that the security world has to offer.

Standards
Following are some major standards and their provisions. ISO 27001 (ISMS) and ISO/IEC 27002. The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. Note the following about HHS security.
Title 45 Public Welfare, PART 170—HEALTH INFORMATION TECHNOLOGY STANDARDS, IMPLEMENTATION SPECIFICATIONS, AND CERTIFICATION CRITERIA AND CERTIFICATION PROGRAMS FOR HEALTH INFORMATION TECHNOLOGY, Subpart B—Standards and Implementation Specifications for Health Information Technology

§ 170.210 Standards for health information technology to protect electronic health information created, maintained, and exchanged.
The Secretary adopts the following standards to protect electronic health information created, maintained, and exchanged:


(a) Encryption and decryption of electronic health information—(1) General. Any encryption algorithm identified by the National Institute of Standards and Technology (NIST) as an approved security function in Annex A of the Federal Information Processing Standards (FIPS) Publication 140-2 (incorporated by reference in §170.299). (2) Exchange. Any encrypted and integrity protected link.
(b) Record actions related to electronic health information. The date, time, patient identification, and user identification must be recorded when electronic health information is created, modified, accessed, or deleted; and an indication of which action(s) occurred and by whom must also be recorded.
(c) Verification that electronic health information has not been altered in transit. Standard. A hashing algorithm with a security strength equal to or greater than SHA-1 (Secure Hash Algorithm (SHA-1) as specified by the National Institute of Standards and Technology (NIST) in FIPS PUB 180-3 (October, 2008)) must be used to verify that electronic health information has not been altered.
(d) Record treatment, payment, and health care operations disclosures. The date, time, patient identification, user identification, and a description of the disclosure must be recorded for disclosures for treatment, payment, and health care operations, as these terms are defined at 45 CFR 164.501.
Source: 45 CFR 170.210, http://ecfr.gpoaccess.gov/. HIPAA and NIST security are at: http://www.nist.gov/healthcare/security/hiesecurity.cfm
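Paragraphs (b) and (c) above translate naturally into an audit log whose records cannot be silently altered. The following is an added example, not code from the article or from the regulation: an append-only log where each record carries the fields §170.210(b) requires (date/time, patient id, user id, action) plus an HMAC-SHA-256 that also covers the previous record's MAC, so editing, reordering or deleting a record breaks the chain and verify() reports where. SHA-256 exceeds the "at least SHA-1" strength of §170.210(c); SHA-1 itself is no longer collision resistant and should not be chosen for new systems. The key, record layout and sample events are assumptions.

```python
"""Chained audit log for electronic health information events (added
example, not from the article). Each record = 170.210(b) fields + an
HMAC-SHA-256 over the record and the previous record's MAC."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

ALLOWED_ACTIONS = {"create", "modify", "access", "delete"}
GENESIS = "0" * 64  # chain value used before the first record


class AuditLog:
    def __init__(self, key: bytes):
        self._key = key          # in production, hold this in an HSM or KMS
        self.records = []        # each record is a dict with a "mac" field
        self._prev_mac = GENESIS

    @staticmethod
    def _canonical(body: dict) -> bytes:
        # Sorted keys and fixed separators make the serialisation reproducible
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def _mac(self, body: dict, prev_mac: str) -> str:
        msg = prev_mac.encode() + b"|" + self._canonical(body)
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, patient_id: str, user_id: str, action: str,
               when: datetime = None) -> dict:
        if action not in ALLOWED_ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        when = when or datetime.now(timezone.utc)
        body = {
            "timestamp": when.isoformat(),
            "patient_id": patient_id,
            "user_id": user_id,
            "action": action,
        }
        record = dict(body, mac=self._mac(body, self._prev_mac))
        self._prev_mac = record["mac"]
        self.records.append(record)
        return record

    def verify(self) -> int:
        """Index of the first record whose MAC does not check out, or -1
        when the whole chain is intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "mac"}
            if not hmac.compare_digest(self._mac(body, prev), rec["mac"]):
                return i
            prev = rec["mac"]
        return -1


def build_sample_log(key: bytes) -> AuditLog:
    """Three constructed events at a fixed time so results are reproducible."""
    log = AuditLog(key)
    t0 = datetime(2016, 7, 1, 9, 0, tzinfo=timezone.utc)
    log.append("P-1001", "dr.jones", "access", t0)
    log.append("P-1001", "dr.jones", "modify", t0)
    log.append("P-2002", "nurse.kim", "create", t0)
    return log


def demo_tamper(key: bytes = b"constructed-demo-key") -> tuple:
    """verify() results for an intact log, one with an edited field,
    and one with a middle record deleted."""
    intact = build_sample_log(key)
    edited = build_sample_log(key)
    edited.records[1]["patient_id"] = "P-9999"   # silent edit of a record
    deleted = build_sample_log(key)
    del deleted.records[1]                       # record removed; chain breaks at 1
    return intact.verify(), edited.verify(), deleted.verify()


if __name__ == "__main__":
    print(demo_tamper())  # (-1, 1, 1)
```

Because each MAC is keyed, an attacker who can write to the log file but does not hold the key cannot recompute the chain after editing it; anchoring the latest MAC somewhere the log writer cannot reach (a separate host, a WORM store) closes the remaining gap of truncating the tail.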

Miscellaneous Resources
There are: ISO/IEC 11770-5:2011(E) [https://docs.google.com/viewer?url=http://webstore.iec.ch/preview/info_isoiec11770-5%7Bed1.0%7Den.pdf&embedded=true&chrome=true] and …

Security standards and regulations
• Sarbanes-Oxley Act (SOX)
• Health Insurance Portability and Accountability Act (HIPAA)
• IEEE P1074
• ISO/IEC 7064:2003 Information technology -- Security techniques -- Check character systems
• ISO/IEC 9796-2:2002 Information technology -- Security techniques -- Digital signature schemes giving message recovery -- Part 2: Integer factorization based mechanisms
• ISO/IEC 9796-3:2006 Information technology -- Security techniques -- Digital signature schemes giving message recovery -- Part 3: Discrete logarithm based mechanisms
• ISO/IEC 9797-1:1999 Information technology -- Security techniques -- Message Authentication Codes (MACs) -- Part 1: Mechanisms using a block cipher
• ISO/IEC 9797-2:2002 Information technology -- Security techniques -- Message Authentication Codes (MACs) -- Part 2: Mechanisms using a dedicated hash-function
• ISO/IEC 9798-1:1997 Information technology -- Security techniques -- Entity authentication -- Part 1: General
• ISO/IEC 9798-2:1999 Information technology -- Security techniques -- Entity authentication -- Part 2: Mechanisms using symmetric encipherment algorithms
• ISO/IEC 9798-3:1998 Information technology -- Security techniques -- Entity authentication -- Part 3: Mechanisms using digital signature techniques
• ISO/IEC 9798-4:1999 Information technology -- Security techniques -- Entity authentication -- Part 4: Mechanisms using a cryptographic check function
• ISO/IEC 9798-5:2004 Information technology -- Security techniques -- Entity authentication -- Part 5: Mechanisms using zero-knowledge techniques
• ISO/IEC 9798-6:2005 Information technology -- Security techniques -- Entity authentication -- Part 6: Mechanisms using manual data transfer
• ISO/IEC 14888-1:1998 Information technology -- Security techniques -- Digital signatures with appendix -- Part 1: General
• ISO/IEC 14888-2:1999 Information technology -- Security techniques -- Digital signatures with appendix -- Part 2: Identity-based mechanisms
• ISO/IEC 14888-3:2006 Information technology -- Security techniques -- Digital signatures with appendix -- Part 3: Discrete logarithm based mechanisms
• ISO/IEC 17799:2005 Information technology -- Security techniques -- Code of practice for information security management
• ISO/IEC 27006:2007 Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems
• Gramm-Leach-Bliley Act
• PCI Data Security Standard (PCI DSS)
• Acceptable Use Policy
• Network Operations: http://www.itil-officialsite.com/

More security information:
http://www.us-cert.gov/
http://www.cert.org.mx/index.html
http://www.seguridad.unam.mx/index.html
http://www.malware.unam.mx/
http://www.citizencorps.gov/cert/
http://www.cert.org/
http://cert.inteco.es/cert/INTECOCERT_1/

