So the first thing we do is we look at our connectivity: internal networks, external networks, you know, networks connected to each other, connected to the Internet. We've got to evaluate and look at all the means by which these networks are accessible. It would be much more secure if we didn't have access to the Internet. It would be much more secure if we had a singularly constrained network, if all the computers in this building were connected to each other and nobody else. Now again, from a business perspective, we know we can't do that.

But that does add security. So at the very least, what we can do is limit pathways out to the Internet, make sure people aren't getting out to the Internet in 10 different ways. Make sure that they go through a trusted source, a proxy server perhaps, that inspects their outbound requests and makes sure they meet the internal criteria, that inspects any traffic coming in. You know, we have these inspection devices that connect the networks, and a proxy can be... there are lots of uses for the term proxy, but ultimately, when we talk about a proxy or an application proxy, it's just an elevated type of firewall, and the idea is that nothing passes from an untrusted network to a trusted network without being inspected.

Okay, so, are the strategies we have in place guarding network access? Are they working for the most sensitive networks? You know, not every computer in your environment needs access to the Internet. The computers that don't need access should be segmented from a security standpoint and should not be physically connected. We always want to follow that idea of the principle of least privilege. If this system doesn't need Internet access, it doesn't get Internet access, because that's a huge vulnerability that you're opening up to.

Okay, so look at our networks, their network connectivity. Follow that principle of least privilege, make sure trusted networks are separated from untrusted, and that there's some sort of inspection device monitoring that.
Wireless, again. It would be great if I didn't allow access to anybody without them physically being plugged into a port on the wall. But today's business environment, at least in many companies, demands wireless connectivity and that ability to roam. Well, if we're going to support that, first of all, we need to make sure that we're using secure mechanisms to connect to our wireless network.

First of all, we want to make sure that we protect those connections using WPA2. Later on, when we get to telecommunications, we'll talk about WEP, which was the predecessor. It stood for Wired Equivalent Privacy. WEP, that's how we used to encrypt wireless traffic. Absolutely worthless. As a matter of fact, it's pretty much been worthless since it was ratified and approved. But it was the best game in town for a while, so WEP was something that we used, and we'll pick it apart. We'll talk about the vulnerabilities WEP brings to the table later on in other modules. But WEP was a choice. WEP being exploited so easily gave way to Wi-Fi Protected Access. You've probably heard of WPA. Now we're on WPA2, which provides much greater security than the two predecessors did. If we're going to allow people to connect to our wireless network, we don't want plaintext credentials. We don't want plaintext data. We're going to enable WPA2 for security and encryption.

Authentication: later this week, or later during the series, we're going to talk about RADIUS and a RADIUS server providing central authentication for things like wireless devices and other mechanisms. So we want to make sure we have a good, strong authentication policy. People connecting wirelessly to the network should have to provide strong authentication.
All right, device configurations: are our network devices configured securely? One of the first things that we think about with secure configuration is getting rid of default configurations. Most devices come out of the box working, so to speak. You know, Cisco devices for a long time: username was administrator, password was cisco. Well, that's great, I can get it up and running very, very quickly. The downside is, everybody knows what the usernames and passwords are.

I was reading an article about a couple of students that were writing a high school paper on security vulnerabilities associated with teller machines, and it was a great article, and I wish I could do this article justice. But essentially what they did is they did some research about what was publicly available on the Internet about configuration settings of ATMs, and one of the things was a default code to access maintenance mode with a teller machine for a specific vendor. Well, surely there is no bank on the planet that would implement an ATM with its default configurations. Right? That would never happen. So of course, these two students went and tried it. What do you think the chances are that it worked, and they were able to access maintenance mode? Yep. Absolutely. It was with their local bank. It was the first one they tried. Well, these were good, ethical guys, and they went to the bank manager and they said, we've got a problem here. And what was the bank manager's thought? He's got two 16-year-old guys sitting in his office saying, hey, your ATM can be compromised. The bank manager essentially threw them out. You know, it wasn't rude, but he was like, yeah, yeah, thanks. You know, that's fine. What they did is they actually went out to the parking lot, compromised the ATM, emptied it of all its cash, and thank goodness that they were ethical, brought the cash right directly into the bank manager and said, do you have time for us now? All of a sudden, the bank manager has an ear and has a couple of minutes to spare for these two young guys. But I thought that was really fascinating, because you just assume that people know you don't leave the password as password. You don't leave the administrative account as administrator.

If you follow the news at all, one of the recent trends, or one of the recent attacks, really, they're more pranks, but they can have much more sinister effects, has been hijacking the Department of Transportation road signs. And you've probably seen these; you know, the one that amused me, this was happening in Austin or something. One of the street signs, the DOT signs, was hijacked to read "Caution: Zombies Ahead." Now, I don't anticipate people hit the brakes and turn around because of the potential for zombies. But if you think about it, especially, you know, I think about this being from the greater metro D.C. area: if I'm driving down 495 and I see a sign that says "Exit 46 closed, highway closed ahead, detour on Exit 44," I'm getting off the highway. You can sit in traffic in D.C. for eight hours easily. That's not going to be me. So just by simply hijacking one of these devices, you can reroute hundreds or thousands of vehicles, and obviously that could have a much more sinister impact.

The point I'm trying to make is, when you see attacks like this, this isn't some advanced persistent threat coming out of China where they're trying to hijack the U.S. government's road signs. This is some 16-year-old kid who's bored, stumbles across this machine, finds the console unlocked, administrative accounts using the password of password, or, if they're really secure, password1. That's always my favorite. But what we're seeing is people that don't take the time. And how long does it take to change a password? Ah, but then people will forget it. Fine. They forget the password, and they're locked out, right? You don't leave a system available to compromise because it's too hard.
So device configurations: get away from the default settings. The default settings are just that. All devices are configured that way to begin a startup procedure, so that you can start to configure them properly. Also, many devices come with a lot of services loaded that you don't need. As a matter of fact, the first thing you should ever consider when you're trying to lock down the system, or harden the system: if it's not an essential service, remove it. If it's not something you need, get it off there. All that presents is a vulnerability.

So for device configuration, be smart. Use strong passwords, change device settings. If it's a service that's enabled that isn't necessary, get rid of it. Patch the devices or update the devices as necessary. These security updates close security vulnerabilities, you know. And when we fail to make these changes, that's where vulnerabilities lie. When I do my assessment, I want to make sure that my devices are well configured.
Train, train, train your people. In addition to telling your people what to do, help them understand why it's important. So many times in IT security we have the "because I said so" mentality, and that's not an effective way to get your users on your team.

One of the first classes I ever taught in this, it's been 20 years ago, was a class to a group of nurses at Wake Medical Hospital. This was in Raleigh, North Carolina, and I had a group of people, nurses, that were going from the Windows 3.1 operating system to Windows 95. So I know that's dating myself a little bit, but at that time a lot of people didn't have good computer skills the way many people do today. This group was particularly unskilled with computers, and we spent the first part of the morning discussing the miracle of the right click. Now that's not to make fun of anybody. Nobody had skills, you know, 20 years ago, the way we do today. And it was a great group of folks and we were hammering through it. We were getting the information, but they were not computer savvy.

Now, at lunchtime, I had to go... I remember very clearly, I was going to eBay, and I was just goofing off. It was lunchtime. I was bidding on something, I wanted to see my bid, and just totally goofing off. And when I tried to connect to eBay, the hospital's proxy server blocked me, and it said, we've blocked this site. Good enough for me. I'm just goofing off. That doesn't bother me. I'll goof off at home. But what happened was, at that time, as soon as I got that message, one of the nurses in class happened to be walking past my system and she said, oh, that happens to us all the time. Go to this website, www.proxy7.com, and when you go to that site, type in the address you want to go to, and that'll get you there.

So this is a woman that did not know a right click from a hole in the ground. And yet she knew how to bypass her company's proxy server settings, how to filter a request through an Internet proxy to fool her internal proxy. I was stunned. My jaw hit the ground. But the thing is, she didn't think she was hacking the system. She didn't think she was even committing a security violation. If a door is closed, you go to the back door, or you go to the next door, you know, and that's all she thought she was doing. And she said, we did this all the time. Yeah, that pesky security setting that bothers us all the time.

So if we don't train our people why we do what we do... You know, it's not just because in security we like to tell people no. It's because going to these websites presents the potential for loss to our organization. Rather than having people try to outsmart you or figure out ways around your security mechanisms, get your staff on your team. So security awareness training isn't just a list of do's and don'ts. Educate people. Let them see the threats and the potential for loss that are out there, and then get them on your team. It's much easier to fight with your team than against your team.
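As an added example, not part of the lecture, here is a small detector for the pattern in the eBay story, run over constructed Squid-style proxy log lines: it flags requests to a known web anonymizer (the set below is a placeholder list seeded with the proxy7.com host mentioned above) or requests that carry a full destination URL in their query string, and records whether the same client had just been blocked by the proxy.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Constructed Squid-style access log lines (not real traffic):
# timestamp elapsed client action/status bytes method url user hierarchy type
SAMPLE_LOG = """\
1700000000.101 120 10.0.5.21 TCP_MISS/200 5120 GET http://intranet.example/portal - HIER_DIRECT/10.0.0.5 text/html
1700000000.202 80 10.0.5.21 TCP_DENIED/403 1200 GET http://www.ebay.com/ - HIER_NONE/- text/html
1700000000.303 300 10.0.5.21 TCP_MISS/200 8810 GET http://www.proxy7.com/browse.php?u=http://www.ebay.com/ - HIER_DIRECT/203.0.113.9 text/html
1700000000.404 60 10.0.5.40 TCP_MISS/200 2048 GET http://webrelay.example/go?target=http%3A%2F%2Fwww.ebay.com%2F - HIER_DIRECT/203.0.113.10 text/html
"""

# Web anonymizers that fetch pages on the user's behalf. proxy7.com is the one
# named in the lecture; the set is a placeholder for your own block list.
ANONYMIZER_HOSTS = {"proxy7.com", "www.proxy7.com"}
EMBEDDED_URL = re.compile(r"https?://", re.IGNORECASE)

def parse_line(line):
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"client": fields[2], "action": fields[3], "url": fields[6]}

def suspicious(entry):
    """Return why a request looks like a relay through an external proxy, else None."""
    url = urlsplit(entry["url"])
    host = (url.hostname or "").lower()
    if host in ANONYMIZER_HOSTS:
        return "known web anonymizer"
    # 'Type in the address you want to go to': the real destination rides
    # inside the query string of a request to some other site.
    for values in parse_qs(url.query).values():
        if any(EMBEDDED_URL.match(v) for v in values):
            return "destination URL embedded in query string"
    return None

def find_bypass_attempts(log_text):
    """Return (client, reason, was_blocked_earlier) per suspicious request; the
    flag ties the attempt to an earlier TCP_DENIED for the same client."""
    hits, denied_clients = [], set()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["action"].startswith("TCP_DENIED"):
            denied_clients.add(entry["client"])
        reason = suspicious(entry)
        if reason:
            hits.append((entry["client"], reason, entry["client"] in denied_clients))
    return hits
```

The block-then-relay sequence (a TCP_DENIED followed by a hit from the same client) is the signal worth alerting on, since it shows a user actively working around the control rather than stumbling onto an odd site.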
Other things: do we have both proactive and reactive controls in place? Are we preventing and deterring attacks? But then also, do we have an equal number of controls on the inside, in case an attack is successful? Intrusion detection systems, audit logs, alerts and alarms that are triggered in case something has happened. We need both proactive and reactive controls.
Budget for security. Now, sadly, not always do we have all the budget that we want. Senior management has to be on board. And believe me when I say every organization will spend money on security. Every organization will. And there are two ways you can spend money on security: up front, or on the back end.

I mentioned, I think, earlier that I teach project management classes and we focus on quality. Well, there's a very tight parallel between quality and security. When I talk about production environments where you're trying to produce a quality product, quality is going to cost you money. You can pay up front by using good equipment, good materials, putting good processes in place, training your people. But if you don't spend money there because it's too expensive, you're going to pay on the back end with warranty work, loss of reputation, refunds, and on and on and on. It's the same idea with security. I can implement antivirus programs. I can have good firewalls. I can have a good training strategy, good processes and audits, and all of those good things up front. Or I can say, it's not going to happen to me. And then where do I pay for security? Fines for not being in compliance, loss of customer confidence, loss of man-hours. So senior management has to understand security costs money one way or the other. You can't get away without paying for security.

And I've already talked about outsourcing and the risks associated with outsourcing. Just my final reminder here: just because you outsourced does not eliminate your portion of risk. You're transferring that risk to another company, but you still are ultimately liable for the protection of the data. So it's your responsibility to make sure the company to whom you've outsourced meets the requirements you need.