transparencias - ACSIC - Universitat de les Illes Balears
Anuncio
Gestión de la información
Ha de dar soporte a :!
Grado de Ingeniería Informática, Universitat de les Illes Balears
IT Security Management
@IsaacLera!
isaac.lera@uib.es!
❖
Planificación!
❖
Aprovisionamiento!
❖
Instalación!
SEGURIDAD
❖
Operación!
RIESGO
❖
Mantenimiento !
INFORMACIÓN
❖
Administración
CONTROL DE COSTES
Marco de la gestión
Isaac Lera - Grau d’informàtica
Information Protection
❖
2
Caso
El bien más importante es la INFORMACIÓN!
❖
Clientes: contacto, pagos,… y proveedores; procesos,
métodos, etc.!
❖
Etiquetado, distribución, duplicación, liberación,
almacenamiento, y métodos de distribución.!
❖
Información confidencial, especializada o secreta.!
❖
Regulación: personal, salud y financiera.
“Egghead Software was hurt by a December 2000
revelation that hackers had accessed its systems and
potentially compromised customer credit card data (3.7
million credit card numbers) The company filed for
bankruptcy in August 2001. After a deal to sell the
company to Fry's Electronics for $10 million fell through,
its assets were acquired by Amazon.com for $6.1 million.”
http://en.wikipedia.org/wiki/Egghead_Software
Isaac Lera - Grau d’informàtica
3
Isaac Lera - Grau d’informàtica
4
Seguridad Básica: “Three D”
Propuestas…
❖
❖
❖
Un empleado nuevo en la oficina pueden descargar ficheros en
cierto horario de trabajo pero no puede subir ficheros durante
su periodo de prueba para prevenir que filtre o comparta
información.!
Durante las horas de trabajo evitar el acceso a páginas web
categorizadas de entretenimiento para adultos.!
Por legislación del U.S. Treasury está permitido controlar
(registrar) las conversaciones de personas que trabajan en
entornos financieros para evitar sabotajes, uso de información
privilegiada, “casos: Transmitir o Almacenar”
Isaac Lera - Grau d’informàtica
Security Program
❖
Defense: evitar la entrada!
❖
Detection: registrar y monitorizar la presencia!
❖
Deterrence: disuadir (leyes, métodos,…)
5
Isaac Lera - Grau d’informàtica
6
Isaac Lera - Grau d’informàtica
8
Weakest link
Perspective
Reflexión
Ejemplo
Por lo general, ¿cuál es el elemento más débil de la
cadena?!
RESPONSIBILITIES!
All employees, contractors, consultants, service providers, and temporary
workers are responsible for following these practices.!
!
Human Resources
What to do:!
Security Awareness!
Comunicación Nivel de estudios, concienciación de lo que no se puede
divulgar, el impacto que ocasionaría y beneficio personal.!
•
Protect the organization’s intellectual property and keep it confidential!
•
Report any unauthorized or inappropriate use, or any security concerns!
•
Follow the guidance in the Information Classification, Labeling, and
Handling policy
!
Isaac Lera - Grau d’informàtica
9
Isaac Lera - Grau d’informàtica
Ejemplo
10
Ejemplo
What not to do:!
•
Do not forward, provide access, store, distribute, and/or process confidential information to unauthorized
people or places, or post confidential information on Internet bulletin boards, chat rooms, or other
electronic forums !
•
Do not access information resources, records, files, information, or any other data when there is no proper,
authorized, job-related need !
•
Do not provide false or misleading information to obtain access to information resources !
•
Do not use any account and/or password that has not been assigned to you !
•
Do not perform any conduct which may harm the organization’s reputation !
•
Do not view offensive websites, send or forward offensive email !
•
Do not place personal files on the organization’s computing servers !
•
Do not connect any equipment not owned and managed by the organization to the organization’s
network !
•
Do not install personally owned software or non-licensed software on the organization’s computers
Isaac Lera - Grau d’informàtica
Internet Usage Monitoring All connections to the
Internet must be monitored for the following activities: !
11
•
Attempts to access restricted web sites!
•
Transfers of very large files!
•
Excessive web browsing!
•
Unauthorized hosting of web servers by employees!
•
Transfers of the organization’s data to or from the Internet
Isaac Lera - Grau d’informàtica
12
Ejemplo
Actividad
Personal Web Sites Employees may not run personal web sites on the organization’s!
equipment.!
Ethical Use of the Internet Personal Internet use must conform to the corporate
standard of ethics.!
Fotocopias…
Non-Corporate Usage Agreement Outside organizations must sign a usage
agreement before connecting to the corporate data resources.!
Una policies - Una opinión
Employee Usage Agreement All employees must sign a usage agreement.!
Personal Use of Telephones Corporate phone systems may be used for limited, local,
personal calls, as long as this usage does not interfere with the performance of the
corporate business.
Isaac Lera - Grau d’informàtica
13
Computer Security Institute (CSI) attack-type statistics from
2010 survey
Security Controls
Several categories:!
Isaac Lera - Grau d’informàtica
15
•
Preventative Block security threats before they can exploit a vulnerability!
•
Detective Discover and provide notification of attacks or misuse when
they happen!
•
Deterrent: Discourage outsider attacks and insider policy violations!
•
Corrective Restore the integrity of data or another asset!
•
Recovery Restore the availability of a service!
•
Compensative In a layered security strategy, provide protection even
when another control fails
Isaac Lera - Grau d’informàtica
16
Implementations
Casos
Implementations of each category:!
Physical
•
Physical Controls that are physically present in the “real
world” !
•
Administrative Controls defined and enforced by management !
•
Logical/technical Technology controls performed by machines !
•
Operational Controls that are performed in person by people !
•
Virtual Controls that are triggered dynamically when certain
circumstances arise
Isaac Lera - Grau d’informàtica
Logical/Technical
Operational
Virtual
Listas
Preventative
“Puertas”
Firewall
Vigilante
Detective
Cámaras
Registro
Vigilante
Vigilante
Deterrent
Normativa
Mensajes
Corrective
Multas
Redundancia
Recovery
Backups
Compensative
Manual
17
Buenas prácticas
COBIT de ISACA!
Administrative
Planes
Isaac Lera - Grau d’informàtica
18
ISO 27000 series: Controls
❖
Risk Assessment and Treatment The use of risk assessment as a basis for selecting appropriate
security controls. !
❖
Security Policy The clear expression of management intent for information protection. !
❖
Organization of Information Security Defining and staffing the roles and functions needed by the
security program. !
❖
Asset Management The responsibility and classification of assets, including data. !
❖
Human Resources Security Ensuring that the behaviors of trusted inside employees don’t defeat
the security controls, because the majority of security problems come from insiders, not outsiders. !
❖
Physical and Environmental Security Creating secure areas and protecting equipment. !
❖
Communications and Operations Management Maintaining a safe, reliable, and correct IT
environment (including the parts outside the direct control of the organization, provided by third
parties). Malware protection, backups, and network security are included here. !
❖
Access Control User controls and responsibilities, including access controls for the networks,
operating systems, and applications, along with mobile computing.
www.isaca.org/Knowledge-Center/cobit/Pages/Overview.aspx!
ISO 27000 series!
❖
ISO/IEC 27001:2013 Information technology -- Security techniques -Information security management systems -- Requirements!
❖
ISO/IEC 27040:2015 Information technology -- Security techniques -Storage security!
❖
…!
800.53 NIST National Institute of Standards and Technology!
csrc.nist.gov/publications/PubsSPs.html!
Isaac Lera - Grau d’informàtica
19
Isaac Lera - Grau d’informàtica
20
ISO 27000 series: Controls
❖
ISO 27000 series: Examples
Information Systems Acquisition, Development, and
Maintenance Security requirements, ensuring integrity and
confidentiality, change management in development and support
processes, and vulnerability management. !
❖
Information Security Incident Management Reporting security
issues and vulnerabilities, and managing incidents. !
❖
Business Continuity Management Information security aspects
of business continuity. !
❖
❖
Access Control!
❖
Awareness and Training!
10.3 Perform capacity planning and resource monitoring
for proactive allocation of resources. !
•
10.4 Protect against malware.!
•
10.5 Establish reliable backups.!
•
10.6 Establish network security controls
NIST 800 Series: guías
❖
Physical and Environmental Protection!
❖
SP 800-113: Guide to SSL VPNs !
❖
Planning!
❖
❖
Personnel Security!
SP 800-111: Guide to Storage Encryption Technologies
for End User Devices !
❖
SP 800-101: Guidelines on Cell Phone Forensics !
❖
SP 800-98: Guidelines for Securing Radio Frequency
Identification (RFID) Systems !
❖
SP 800-95: Guide to Secure Web Services !
❖
…
Audit and Accountability!
❖
Security Assessment and Authorization!
❖
Configuration Management!
❖
Risk Assessment!
❖
Contingency Planning!
❖
System and Services Acquisition!
❖
Identification and Authentication!
❖
System and Communications Protection!
❖
Incident Response!
❖
System and Information Integrity!
❖
Program Management!
❖
•
21
800-53 NIST: Security control families
❖
10.2 Manage third-party service delivery. !
Compliance Legal requirements, compliance with policies,
standards, and specifications, and audit considerations.
Isaac Lera - Grau d’informàtica
❖
•
Maintenance!
Media Protection!
Isaac Lera - Grau d’informàtica
23
Secure Design Principles
❖
Confidencialidad, Integridad, Availability (CIA)!
❖
Confidentiality, Integrity, Availability, Accountability,
Accuracy, Authenticity, Awareness, Completeness,
Consistency, Control, Democracy, Ethics, Legality,
Defense Models, Non-repudiation, Ownership, Physical
Possession, Reassessment, Relevance, Response,
Responsibility, Risk Assessment, Security Design and
Implementation, Security Management , Timeliness,
Utility
Isaac Lera - Grau d’informàtica
Defense models
Lollipop Model
25
Defense measures I
❖
❖
❖
❖
Password Protect Booting and CMOS/BIOS!
Disable booting from USB and CD!
Harden the Operating System!
Patches updated!
❖
Use and antivirus scanner!
❖
❖
Isaac Lera - Grau d’informàtica
26
Isaac Lera - Grau d’informàtica
28
Defense measures II
Secure the Physical Environment!
❖
Onion Model
Use firewall software!
Secure Network Share Permissions
Isaac Lera - Grau d’informàtica
27
❖
Use Encryption!
❖
Securely Configure Applications!
❖
Securing email!
❖
blocking dangerous file types!
❖
blocking file attachments!
❖
Install applications to nonstandard directories and ports!
❖
Lock down applications!
❖
Secure P2P services!
❖
Implement static ARP Tables!
❖
Configure port rate limiting!
❖
Use DHCP Snooping and Dynamic ARP inspection
Security Program
Security Program: Phases
1. Requirements gathering!
1. Regulatory requirements (industry specific)!
❖
Purpose: ¿A quién concierne el plan?!
❖
Responsabilidades: ¿A quién va dirigido?!
2. Advisory requirements (best practices)!
3. Informative requirements (organization specific)!
2. Project definition and proposal based on requirements!
❖
Scope: ¿Dónde debería de ser aplicado?!
3. Policy development!
❖
Contenido
4. Review and approval!
5. Publication and distribution!
6. Ongoing maintenance (and revision)
Isaac Lera - Grau d’informàtica
29
Isaac Lera - Grau d’informàtica
Plan de seguridad
30
Plan de seguridad
Elementos presentes:!
•
Human resources > “Premios y penas”!
•
Legal!
•
Information Technology!
•
Physical Security!
Categoría de políticas:!
Audiencia: empleados, subcontratados, o temporales;
consultores, proveedores de HW/SW, partners, clientes que
usan los recursos de información de la organización.
Isaac Lera - Grau d’informàtica
31
•
Legislativo/Normativa: Reglas al respecto de lo qué
es requerido y por qué. Obligatorio!
•
Advisory !
•
Informative: para unidades de negocio, partners,
comerciales, clientes
Isaac Lera - Grau d’informàtica
32
Category: Unclassified public
Category: Proprietary
Information is not confidential and can be made public without any implications for
Company. Loss of availability due to system downtime is an acceptable risk.
Integrity is important but not vital.!
Information is restricted to management approved internal access and protected
from external access. Unauthorized access could influence Company's
operational effectiveness, cause an important financial loss, provide a significant
gain to a competitor, or cause a major drop in customer confidence. Information
integrity is vital.!
Ejemplos:!
•
Product brochures widely distributed!
•
Information widely available in the public domain, including publicly available
Company web site areas!
Ejemplos:!
•
Passwords and information on corporate security procedures!
Sample downloads of Company software that is for!
•
Know-how used to process client information!
•
sale!
•
Standard Operating Procedures used in all parts of Company’s business!
•
Financial reports required by regulatory !
•
•
Newsletters for external transmission
All Company-developed software code, whether used internally or sold to
clients
•
Isaac Lera - Grau d’informàtica
33
Isaac Lera - Grau d’informàtica
34
Category: Client Confidential Data
Category: Company Confidential Data
Information received from clients in any form for processing in
production by Company. The original copy of such information must
not be changed in any way without written permission from the client.
The highest possible levels of integrity, confidentiality, and restricted
availability are vital.!
Information collected and used by Company in the conduct of its business to employ
people, to log and fulfill client orders, and to manage all aspects of corporate finance.
Access to this information is very restricted within the company. The highest
possible levels of integrity, confidentiality, and restricted availability are vital. !
Ejemplos:!
Ejemplos:!
•
•
•
Client media!
Electronic transmissions from clients!
Product information generated for the client by Company
production activities as specified by the client
Isaac Lera - Grau d’informàtica
35
•
Salaries and other personnel data!
•
Accounting data and internal financial reports!
•
Confidential customer business data and confidential contracts!
•
Non disclosure agreements with clients\vendors!
•
Company business plans
Isaac Lera - Grau d’informàtica
36
+ Security
❖
DATA: !
•
Databases, Aplications, Networks, Computers, Storage (local, removable,
networked), data printed !
•
Information Rights Management!
•
Encryption!
❖
Network: Patching, Switch, Access Control, Firewall (malware, intrusion detection
- prevention, web content, filtering, email), VPNs (IPSec, PPTP, L2TP, SSL,…);
Wireless Networks, VoIP, !
❖
SO: Unix, Windows, !
❖
Infrastructure: email, web servers, dns servers, proxy servers, !
❖
J2EE security, .NET,
Seguridad:
Autenticación y
Autorización
La autenticación establece quién está conectado;
la autorización especifica que puede hacer.
> Administración <
Autenticación
Passwords
Procesos para probar que se es quien se dice ser.!
Dos partes: !
•
un identidad pública (username) y !
•
una respuesta privada!
Almacenamiento local y comparación!
Almacenamiento centro y comparación!
!
Reto y respuesta!
•
algo que sabes (password, PIN): fácil de interceptar,
compartir, anotaciones personales, !
Kerberos!
•
algo que eres (biométrico)!
One-time password (OTP)
•
algo que tienes (tarjeta)
Isaac Lera - Grau d’informàtica
39
Isaac Lera - Grau d’informàtica
40
Passwords: almacenamiento local
Passwords: almacenamiento central
Algunas veces está cifrado y otras no:!
•
WordPress con MySQL -> No!
Circula sin cifrar por: telnet, FTP, rlogin… ! vsftpd!!!!!
•
Transmission : Torrent Server -> Sí!
•
UNIX:!
Challenge Handshake Authentication Protocol (CHAP)
usando mensajes MD5 (un hash combinado del id, secret,
challenge)!
❖
/etc/passwd >> User y /etc/shadow >> pass -Cifrado!
Administrador ha de proveer de servicios de
recuperación, de cambio y comunicación de cambios.
http://docs.oracle.com/cd/E19683-01/817-0204/pppsvrconfig.reference-21/index.html
Si la máquina es obtenida por un ladrón…
Isaac Lera - Grau d’informàtica
41
Isaac Lera - Grau d’informàtica
42
Kerberos
Kerberos desarrollado en el MIT!
“The Kerberos protocol uses strong cryptography so that a client
can prove its identity to a server (and vice versa) across an
insecure network connection. After a client and server has used
Kerberos to prove their identity, they can also encrypt all of their
communications to assure privacy and data integrity as they go
about their business"
http://web.mit.edu/kerberos/
http://www.kerberos.org/software/tutorial.html
Isaac Lera - Grau d’informàtica
44
One Time Password
AIMS!
❖
The user's password must never travel over the network;!
❖
The user's password must never be stored in any form on the client machine: it must be immediately discarded after
being used;!
❖
The user's password should never be stored in an unencrypted form even in the authentication server database;!
❖
The user is asked to enter a password only once per work session. Therefore users can transparently access all the
services they are authorized for without having to re-enter the password during this session. This characteristic is
known as Single Sign-On;!
❖
Authentication information management is centralized and resides on the authentication server. The application servers
must not contain the authentication information for their users. This is essential for obtaining the following results:!
Cada comunicación requiere un password nuevo!
1. The administrator can disable the account of any user by acting in a single location without having to act on the
several application servers providing the various services;!
•
Time-based keys: {PIN + code/60s }!
•
Sequential keys: Challenges mediante MD5 o SHA-1!
Comunicación basada en certificados:!
2. When a user changes its password, it is changed for all services at the same time;!
3. There is no redundancy of authentication information which would otherwise have to be safeguarded in various
places;!
❖
Not only do the users have to demonstrate that they are who they say, but, when requested, the application servers
must prove their authenticity to the client as well. This characteristic is known as Mutual authentication;!
❖
Following the completion of authentication and authorization, the client and server must be able to establish an
encrypted connection, if required. For this purpose, Kerberos provides support for the generation and exchange of an
encryption key to be used to encrypt data.
SSL/TLS!
•
El servidor se autentifica con un cliente.
Isaac Lera - Grau d’informàtica
Autorización
❖
NIST!
User Rights o privilegios (derecho a hacer) - deriva en
diferentes permisos (derecho sobre unos determinados
recursos)!
❖
Role-Based Authorization (RBAC) - grupos!
❖
Access Control List (ACLs) - !
•
SP 800-120: Recommendation for EAP Methods Used in Wireless Network Access Authentication !
•
SP 800-63: Electronic Authentication Guideline !
•
SP 800-38B: Recommendation for Block Cipher Modes of Operation: The CMAC Mode for
Authentication !
•
SP 800-38C: Recommendation for Block Cipher Modes of Operation: The CCM Mode for
Authentication and Confidentiality !
•
SP 800-25: Federal Agency Use of Public Key Technology for Digital Signatures and Authentication !
COBIT •
!
"rpc-whitelist": “127.0.0.1,192.168.*.*"!
Isaac Lera - Grau d’informàtica
47
DS5.3: !
•
Ensure that all users and their activity on IT systems are uniquely identifiable. !
•
Enable user identities via authentication mechanisms. !
•
Confirm that user access rights to systems and data are in line with defined and documented
business needs and that job requirements are attached to user identities. !
46
End…
