Chapter 1 - Network Security-ITT

  • 7/24/2019 Chapter 1 - Network Security-ITT

    INFORMATION SYSTEMS SECURITY

    Setting the Scene

    Security is one of the oldest problems that governments, commercial organizations and almost every person has to face.

    The need for security has existed since information became a valuable resource.

    The introduction of computer systems to business has escalated the security problem even more.

    The advances in networking, and especially in distributed systems, made the need for security even greater.

    The Computer Security Institute report notes that in year ())* computer crime costs increased to more than +,) million dollars in the USA alone.

    Profiling Adversaries (enemies)

    Adversaries that target corporate systems are numerous. These can generally be classified in the following categories:

    Hackers

    Employees (both malicious and unintentional)

    Terrorist groups

    Governments

    Opposing Industries

    Security

    So now we know that we need security.

    BUT what is security anyway? Many people fail to understand the meaning of the word.

    Many corporations install an antivirus software, and/or a firewall and believe they are protected.

    Are they?

    Consider some cases:

    An internal employee wants revenge on the company and so publishes private corporate information on the internet.

    The terrorist attack on the Twin Towers (in the USA) resulted in many corporations closing. Why?

    An employee forgets his laptop in a café. This laptop contains all corporate private information.

    HOW CAN A FIREWALL PROTECT FROM THE PREVIOUS?

    What is Information Security?

    The protection of information / data and its critical elements, including systems and hardware that use, store, and transmit information, to ensure continual operation of business without interruption.

    Characteristics of Computer Intrusion

    Any computer system can be a target - Hardware, Software, Storage, Data, People/User

    Any system is most vulnerable at its weakest point - A robber intent on stealing from a house will not attempt to penetrate a two-inch-thick metal door if a window gives easier access.

    Intrusion - An incident of unauthorized access to data, computer system or IT equipment.

    Principle of Easiest Penetration - An intruder must be expected to use any available means of penetration. Penetration may not necessarily be by the most obvious means, nor via the one we have the most defense against.

    This principle implies that computer security specialists must consider:

      All the means of penetration

      Penetration analysis must be repeated, especially whenever the system or its security changes

      Do not underestimate the attacker / think like an attacker

      Strengthening one aspect of a system might weaken another

    Vulnerabilities, Threats, Attacks, and Controls

    A vulnerability is a weakness in the security system (for example, in procedures, design, or implementation) that might be exploited to cause loss or harm.

    A threat to a computing system is a set of circumstances that has the potential to cause loss or harm.

    A human who exploits a vulnerability commits an attack on the system.

    How do we address these problems? We use a control as a protective measure. That is, a control is an action, device, procedure, or techni

    Vulnerabilities, Threats and Attacks

    Wall holding back water

    Threat is water to the left of the wall (a threat to the man) - water could rise and overflow onto the man

    Vulnerability is the crack in the wall

    If the water rises to or beyond the level of the crack, it will exploit the vulnerability and harm the man.

    Threats

    We can view any threat as being one of four kinds: interception, interruption, modification, and fabrication.

    Threats

    An interception means that some unauthorized party has gained access to an asset.

    In an interruption, an asset of the system becomes lost, unavailable, or unusable.

    If an unauthorized party not only accesses but tampers with an asset, the threat is a modification.

    Finally, an unauthorized party might create a fabrication of counterfeit objects on a computing system.

    Threats to Information Security

    Method, Opportunity, and Motive

    A malicious attacker must have three things (MOM):

    Method: the skills, knowledge, tools, and other things with which to be able to pull off the attack

      Knowledge of systems is widely available

    Opportunity: the time and access to accomplish the attack

      Systems available to the public are accessible to them

    Motive: a reason to want to perform this attack against this system

    Security Goals

    When we talk about computer security, we mean that we are addressing three important aspects of any computer-related system: confidentiality, integrity, and availability (CIA)

    Confidentiality ensures that computer-related assets are accessed only by authorized parties.

      Reading, viewing, printing, or even knowing their existence

      Secrecy or privacy

    Integrity means that assets can be modified only by authorized parties or only in authorized ways.

      Writing, changing, deleting, creating

    Availability means that assets are accessible to authorized parties at appropriate times. For this reason, the opposite of availability is sometimes known as denial of service.

    Security Goals (Contd)

    Vulnerabilities of Computing Systems

    Hardware Vulnerabilities

    Adding devices, changing them, removing them, intercepting the traffic to them, or flooding them with traffic until they can no longer function (there are many other ways to harm the hardware).

    Software Vulnerabilities

    Software can be replaced, changed, or destroyed maliciously, or it can be modified, deleted, or misplaced accidentally. Whether intentional or not, these attacks exploit the software's vulnerabilities.

    Vulnerabilities of Computing Systems (Contd.)

    Data Vulnerabilities

    Data have a definite value, even though that value is often difficult to measure.

    Ex: confidential data leaked to a competitor

      May narrow a competitive edge

    Ex2: flight coordinate data used by an airplane that is guided partly or fully by software

      Can cost human lives if modified

    Vulnerabilities of Computing Systems (Contd.)

    Principle of Adequate Protection: Computer items must be protected only until they lose their value. They must be protected to a degree consistent with their value.

    This principle says that things with a short life can be protected by security measures that are effective only for that short time.

    Other Exposed Assets

    Networks

    Networks are specialized collections of hardware, software, and data.

      Can easily multiply the problems of computer security

      Insecure shared links

      Inability to identify remote users (anonymity)

    Key People

    People can be crucial weak points in security. If only one person knows how to use or maintain a particular program, trouble can arise if that person is ill, suffers an accident, or leaves the organization (taking her knowledge with her).

    Methods of Defense

    Prevent it, by blocking the attack or closing the vulnerability

      Preventive controls can be as simple as locks and access codes to sensitive areas of a building or passwords for confidential information.

    Deter it, by making the attack harder but not impossible

    Deflect it, by making another target more attractive (or this one less so)

      Example: Honey Pots

    Detect it, either as it happens or some time after the fact

      A security camera is an example of a detective control. A store manager who wants to monitor the use of the cash drawer by a particular clerk can easily look at video of the clerk's actions throughout the day to detect potential theft.

      An access log file and an alert system can quickly detect and notify management of attempts by employees or outsiders to access unauthorized information or parts of a building.

    Recover from its effects (a.k.a. corrective controls)

      Back up data so that it can be restored to continue the functioning of the system in the event of a crash.

    Methods of Defense: A sample log file (to detect)
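The access-log-plus-alert detective control described above can be sketched as follows. This is an added example, not part of the original slides; the log format, the user names, the `KNOWN_USERS` directory and the threshold values are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format: ISO time, user, resource, result).
SAMPLE_LOG = """\
2019-07-24T09:00:05 alice payroll_db ALLOW
2019-07-24T09:01:10 bob payroll_db DENY
2019-07-24T09:01:40 bob payroll_db DENY
2019-07-24T09:02:15 bob server_room DENY
2019-07-24T09:30:00 carol hr_files DENY
2019-07-24T11:45:00 carol hr_files DENY
2019-07-24T11:46:00 unknown-7 payroll_db DENY
malformed line here
"""
KNOWN_USERS = {"alice", "bob", "carol"}  # assumed employee directory

def parse_line(line):
    """Return (time, user, resource, result) or None if malformed."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("ALLOW", "DENY"):
        return None
    try:
        when = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return when, parts[1], parts[2], parts[3]

def find_alerts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Alert on any outsider denial and on repeated denials by one user."""
    alerts, recent = [], defaultdict(deque)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != "DENY":
            continue
        when, user, resource, _ = rec
        if user not in KNOWN_USERS:
            alerts.append((when.isoformat(), user, "outsider denied at " + resource))
            continue
        q = recent[user]
        q.append(when)
        while when - q[0] > window:   # drop denials older than the window
            q.popleft()
        if len(q) == threshold:       # fire once when the threshold is reached
            alerts.append((when.isoformat(), user, f"{threshold} denials within {window}"))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print("ALERT", *alert)
```

Two denials hours apart (carol) stay below the threshold, while three denials within five minutes (bob) and any denial for an unrecognised identity raise an alert.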

    Controls Available

    Controls attempt to prevent the exploitation of a vulnerability

    Computer Security has lots of controls

      Simple or Difficult

      Inexpensive or Expensive

    Type of Control

    Encryption - formal name for the scrambling process

      Deals with confidentiality and integrity

      Cleartext

      Ciphertext

      Protocols

    2) Software Controls

    Programs must be secure to prevent attacks

    Program Controls:

      Internal Program Controls - parts of the program that enforce security restrictions, such as access limitations in a database management program

      Operating System and Network System Controls - limitations enforced by the operating system or network to protect each user from all other users

      Independent Control Programs - application programs, such as password checkers, intrusion detection utilities, or virus scanners, that protect against certain types of vulnerabilities

      Development Controls -

    Controls Available (Contd)

    Policies and Procedures

    Sometimes, we can rely on agreed-on procedures or policies among users rather than enforcing security through hardware or software means, such as a company email use policy and an internet use policy.

    Must be written, and training should be provided

    Physical Controls

    Locks on doors, guards at entry points, backup copies of important software and data, and physical site planning that reduces the risk of natural disasters.

    Effectiveness of Controls

    Awareness of Problem

    People using controls must be convinced of the need for security. That people will willingly cooperate with security re

    Effectiveness of Controls (Contd) depends on:

    Likelihood of Use

    Of course, no control is effective unless it is used.

    Principle of Effectiveness:

    Controls must be used and used properly to be effective. They must be efficient, easy to use, and appropriate.

    This principle implies that computer security controls must be efficient enough, in terms of time, memory space, human activity, or other resources used, that using the control does not seriously affect the task being protected. Controls should be selective so that they do not exclude legitimate accesses.

    Effectiveness of Controls (Contd) depends on:

    Overlapping Controls (layered defense)

    Several different controls may apply to address a single vulnerability (good)

    Periodic Review

    Just when the security specialist finds a way to secure assets against certain kinds of attacks, the opposition doubles its efforts in an attempt to defeat the security mechanisms. Thus, judging the effectiveness of a control is an ongoing task.

    Social Engineering

    The act of obtaining or attempting to obtain secure data by deceiving an individual into revealing secure information.

    Social engineering is successful because its victims inherently want to trust other people and are naturally helpful.

    The victims of social engineering are tricked into releasing information that they do not realize will be used to attack a computer network.

    For example, an employee in an enterprise may be tricked into revealing a coworker's personal information such as employee number, address, contact numbers or salary to someone who is pretending to be somebody that represents or is known to the coworker.

    Social Engineering ...

    People are the Weakest Link

    Security can be no stronger than its weakest link. Often the weakest link in security is not technology, but the people who use it.

    An IT network may be protected by firewalls, intrusion detection and other state-of-the-art security technologies. And yet, all it takes is one person's intentional or unintentional (careless) activity and suddenly entire network security or information security as a whole could be at risk.

    Therefore security professionals and management are required not to overlook the weakest link in security systems, that being the human factor.

    It is easy to become overly confident solely in the use of advanced algorithms and technology. But history shows that reliance on an advanced technology is lost if the people operating the system are not fully trained and managed.

    People are the Weakest Link

    A US company carried out an experiment. It scattered unauthorized USB drives and disks in the car parks of US government agencies. Some 01 of workers who found these devices plugged them into their office computers. This percentage rose to 201 when an official logo was printed on the device.

    All of these agencies had policies strictly forbidding the unauthorized introduction of USBs, but the employees plugged them in anyway.

    People are the Weakest Link

    Other Examples:

    By using what's known as 'social engineering', hackers exploit unsuspecting people who in good faith open up their doors to unwanted strangers, such as by giving away passwords

    Writing passwords down on sticky notes attached to the computer's monitor, or on whiteboards nearby, because they find it difficult to remember passwords

    Leaving PCs unlocked while out at lunch

    Leaving laptop computers / USB drives containing confidential information unsecured or unattended in public places