Information System 365/765 Lecture 12 Network Security, Change Control, Outsourcing


Page 1: Network security, change control, outsourcing

Information System 365/765, Lecture 12

Network Security, Change Control, Outsourcing

Page 2

Today’s Chocolate Bar: Snickers – AGAIN!

• In 1930, the Mars family introduced its second product, Snickers, named after one of their favorite horses

• Snickers is the best selling chocolate bar of all time and has annual global sales of US$2 billion

Page 3

Nutty Cisco Video

• Watch the video

• Think about what you would do to protect your server area, using the knowledge gained so far in the class

• Split into groups of four, come up with a mini presentation

• Talk to class for 3 minutes

Page 4

Network Security

• Why didn’t we talk about this on day one?

• Bringing it all together

• Protect the network and the network-accessible resources from unauthorized access, and consistently and continuously monitor and measure the effectiveness of that protection

Page 5

Network Security vs. Computer Security

• Securing network infrastructure is like securing the possible entry points of attacks on a country by deploying appropriate defenses.

• Computer security is more like providing means to protect a single PC against outside intrusion.

Page 6

Network Security

• Prevents users from ever being exposed to attacks

• Protection of all entry points and shared resources

• Printers, network attached storage (NAS), iPhones, etc.

• Attacks stop at entry points, BEFORE they spread

Page 7

Computer Security

• Focused on an individual host

• A computer’s security is vulnerable to people who have higher access privileges than the protection mechanism.

• While this is also true with Network Security, it is less likely.

Page 8

Attributes Of A Secure Network

• Authentication

• Authorization

• Firewall

• Intrusion Prevention System

• Antivirus

• Honeypots

• Monitoring

Page 9

Authentication

• Providing proof that you are who you claim to be

Page 10

Authorization

• Determining the level of access that a given individual should have

• Authorization is done after authentication

Page 11

Firewall

• An integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system. It is also a device or set of devices configured to permit, deny, or proxy all computer traffic between different security domains based upon a set of rules and other criteria.
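The "permit, deny, or proxy between security domains based upon a set of rules" idea can be shown with a small rule evaluator. This is an added example, not code from the lecture: the zones, addresses, rule set and sample connection attempts are all constructed here. It uses first-match ordering and a default-deny fallback, the two properties a practitioner checks first when reviewing a firewall policy.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Security domains (zones) of this constructed example network; any address
# that falls in no listed network is treated as "internet".
ZONES = {
    "lan": ipaddress.ip_network("10.0.0.0/8"),     # internal hosts
    "dmz": ipaddress.ip_network("192.0.2.0/24"),   # public-facing servers
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None matches any destination port
    action: str               # "permit", "deny" or "proxy"


# Ordered rule set: the first matching rule wins. Traffic that matches no
# rule at all is denied (default deny), so forgetting a rule fails closed.
RULES: List[Rule] = [
    Rule("internet", "dmz", 443, "permit"),  # public HTTPS straight to the DMZ
    Rule("internet", "dmz", 80, "proxy"),    # plain HTTP is handled by the proxy
    Rule("lan", "dmz", None, "permit"),      # staff may manage DMZ servers
    Rule("lan", "internet", None, "proxy"),  # outbound browsing goes via the proxy
    Rule("dmz", "lan", None, "deny"),        # a compromised DMZ host must not reach the LAN
]


def zone_of(ip: str) -> str:
    """Map an address to its security domain."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return the action for one connection attempt: permit, deny or proxy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in RULES:
        if rule.src_zone == src and rule.dst_zone == dst and rule.dst_port in (None, dst_port):
            return rule.action
    return "deny"   # default deny: nothing matched


def evaluate_all(attempts) -> List[Tuple[str, str, int, str]]:
    """Evaluate a batch of (src, dst, port) attempts and attach the decision to each."""
    return [(s, d, p, evaluate(s, d, p)) for s, d, p in attempts]


# Constructed connection attempts used to exercise the policy.
SAMPLE_ATTEMPTS = [
    ("203.0.113.7", "192.0.2.10", 443),   # internet -> dmz HTTPS: permit
    ("203.0.113.7", "192.0.2.10", 80),    # internet -> dmz HTTP: proxy
    ("203.0.113.7", "192.0.2.10", 22),    # internet -> dmz SSH: no rule, deny
    ("203.0.113.7", "10.1.2.3", 445),     # internet -> lan: no rule, deny
    ("10.1.2.3", "192.0.2.10", 22),       # lan -> dmz: permit
    ("10.1.2.3", "198.51.100.5", 443),    # lan -> internet: proxy
    ("192.0.2.10", "10.1.2.3", 3389),     # dmz -> lan: explicit deny
]

if __name__ == "__main__":
    for src, dst, port, action in evaluate_all(SAMPLE_ATTEMPTS):
        print(f"{src:>14} -> {dst:<14} port {port:<5} {action}")
```

Note that the explicit `dmz -> lan` deny rule is redundant with the default deny; it is kept so the policy states the intent rather than relying on the fallback, which is also what makes the rule visible to anyone auditing the list.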

Page 12

Intrusion Prevention System

• An intrusion prevention system is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities.

Page 13

Antivirus and Anti-Malware

• Scans and cleanses data in storage and as it travels across the network, so end users are not exposed to this type of threat

Page 14

Honeypots

• Essentially decoy network-accessible resources, could be deployed in a network as surveillance and early-warning tools.

Page 15

Security Management

• Depends on the environment

• Small, medium and large businesses, educational institutions, government.

Page 16

Small Business

• A basic firewall.

• For Windows users, basic antivirus and anti-spyware/anti-malware software.

• When using a wireless connection, use a robust password.

• Use the strongest security supported by your wireless devices, such as WPA or WPA2.

Page 17

Medium Business

• A strong firewall.

• Strong antivirus software and Internet security software.

• For authentication, use strong passwords and change them on a monthly basis.

• When using a wireless connection, use a robust password.

• Raise awareness of physical security among employees.

• Use an optional network analyzer or network monitor.

Page 18

Large Business

• A strong firewall and proxy to keep unwanted people out.

• A strong antivirus software package and Internet security software package.

• For authentication, use strong passwords and change them on a weekly/bi-weekly basis.

• When using a wireless connection, use a robust password.

• Exercise physical security precautions with employees.

Page 19

Large Business (cont.)

• Prepare a network analyzer or network monitor and use it when needed.

• Implement physical security management like closed-circuit television for entry areas and restricted zones.

• Security fencing to mark the company's perimeter.

• Fire extinguishers for fire-sensitive areas like server rooms and security rooms.

• Security guards can help to maximize security.

Page 20

Educational Institutions

• An adjustable firewall.

• Strong antivirus software and Internet security software packages.

• Wireless connections that lead to firewalls.

• Children's Internet Protection Act compliance.

• Supervision of the network to guarantee updates and changes based on popular site usage.

• Constant supervision by teachers, librarians, and administrators to guarantee protection against attacks from both Internet and sneakernet sources.

Page 21

Federal Government

• A strong firewall and proxy to keep unwanted people out.

• Strong antivirus software and Internet security software suites.

• Strong encryption, usually with a 256-bit key.

• Whitelist authorized wireless connections, block all else.

• All network hardware is in secure zones.

• All hosts should be on a private network that is invisible from the outside.

• Put all servers in a DMZ, or behind a firewall from the outside and from the inside.

• Security fencing to mark the perimeter, and set the wireless range to this.

Page 22

Change Control

• A general term describing the procedures used to ensure that changes (normally, but not necessarily, to IT systems) are introduced in a controlled and coordinated manner

Page 23

Goals of Change Management

• Minimal disruption to services

• Reduction in back-out activities

• Economic utilization of the resources involved in implementing change

• Ensure that a product, service or process is only modified in line with the identified necessary change

Page 24

Why Is Change Control Important In IS Security?

• It is particularly related to software development because of the danger of unnecessary changes being introduced without forethought, introducing faults (bugs) into the system or undoing changes made by other users of the software. Later it became a fundamental process in quality control.

Page 25

The Change Control Process

• Record / Classify

• Assess

• Plan

• Build / Test

• Implement

• Close / Gain Acceptance

Page 26

Record and Classify

• A formal request is received for something to be changed, known as the "Change Initiation".

• Someone then records and classifies or categorizes that request. Part of the classification is to assign a category to the change, i.e. is the change a "major business change", "normal business change" or "minor business change".

Page 27

Assigning a Priority

• Emergency

• Expedited

• Normal

Page 28

Assessment

• The impact assessor makes their risk analysis, typically by answering a set of questions concerning risk, both to the business and to the IT estate, and follows this by making a judgment on who should carry out the change.

Page 29

Build and Test

• Plan the change in detail, and also construct a regression (back-out) plan in case it all goes wrong

• The plan should be checked by an independent reviewer

• Build the solution, which will then be tested

• Seek approval and maybe a review, and request a time and date to carry out the implementation phase.

Page 30

Implementation

• The Change Manager approves the change with an “Authority to Implement” flag

• The change can then be implemented, but only at the time and date agreed

• Following implementation, it is usual to carry out a “Post Implementation Review”

• When the client agrees all is OK, the change can be closed.
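Pages 25 to 30 describe the change control process as a sequence of gated steps. The following added example (not the lecture's code) encodes those gates as a state machine so that the security-relevant rules are enforced rather than merely documented: a change cannot skip a stage, the plan needs a back-out plan and an independent reviewer, and implementation requires the Change Manager's "Authority to Implement" flag and the agreed date and time. The change id, names and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum
from typing import Dict, List, Optional


class Stage(Enum):
    RECORDED = "record/classify"
    ASSESSED = "assess"
    PLANNED = "plan"
    BUILT = "build/test"
    IMPLEMENTED = "implement"
    CLOSED = "close/gain acceptance"


CATEGORIES = ("major business change", "normal business change", "minor business change")
PRIORITIES = ("emergency", "expedited", "normal")


class ChangeControlError(Exception):
    """A step was attempted out of order or without its prerequisites."""


@dataclass
class ChangeRequest:
    change_id: str
    summary: str
    category: str
    priority: str
    stage: Stage = Stage.RECORDED
    assignee: Optional[str] = None          # who will carry out the change
    backout_plan: Optional[str] = None
    authority_to_implement: bool = False    # the Change Manager's flag
    scheduled_for: Optional[datetime] = None
    history: List[str] = field(default_factory=list)   # the audit trail of the request


def _require(cr: ChangeRequest, stage: Stage) -> None:
    """Every step checks the current stage, so stages cannot be skipped."""
    if cr.stage is not stage:
        raise ChangeControlError(f"{cr.change_id}: expected stage '{stage.value}', is '{cr.stage.value}'")


def record(change_id: str, summary: str, category: str, priority: str) -> ChangeRequest:
    """Record / Classify: the Change Initiation gets a category and a priority."""
    if category not in CATEGORIES or priority not in PRIORITIES:
        raise ChangeControlError("unknown category or priority")
    cr = ChangeRequest(change_id, summary, category, priority)
    cr.history.append(f"recorded: {category}, priority {priority}")
    return cr


def assess(cr: ChangeRequest, risk_answers: Dict[str, str], assignee: str) -> None:
    """Assess: every risk question needs an answer before someone is chosen to do the work."""
    _require(cr, Stage.RECORDED)
    unanswered = [q for q, a in risk_answers.items() if not a]
    if unanswered:
        raise ChangeControlError(f"unanswered risk questions: {unanswered}")
    cr.assignee = assignee
    cr.stage = Stage.ASSESSED
    cr.history.append(f"assessed; assigned to {assignee}")


def plan(cr: ChangeRequest, backout_plan: str, reviewer: str) -> None:
    """Plan: a back-out plan is mandatory and the reviewer must be independent of the assignee."""
    _require(cr, Stage.ASSESSED)
    if not backout_plan:
        raise ChangeControlError("a back-out plan is required")
    if reviewer == cr.assignee:
        raise ChangeControlError("plan must be checked by an independent reviewer")
    cr.backout_plan = backout_plan
    cr.stage = Stage.PLANNED
    cr.history.append(f"planned; reviewed by {reviewer}")


def build_and_test(cr: ChangeRequest, tests_passed: bool) -> None:
    """Build / Test: the solution only moves on when its tests pass."""
    _require(cr, Stage.PLANNED)
    if not tests_passed:
        raise ChangeControlError("build failed testing")
    cr.stage = Stage.BUILT
    cr.history.append("built and tested")


def authorize(cr: ChangeRequest, change_manager: str, when: datetime) -> None:
    """The Change Manager sets the Authority to Implement flag and the agreed date and time."""
    _require(cr, Stage.BUILT)
    cr.authority_to_implement = True
    cr.scheduled_for = when
    cr.history.append(f"authority to implement granted by {change_manager} for {when.isoformat()}")


def implement(cr: ChangeRequest, now: datetime) -> None:
    """Implement: only with the flag set, and only at the agreed time and date."""
    _require(cr, Stage.BUILT)
    if not cr.authority_to_implement:
        raise ChangeControlError("no Authority to Implement")
    if now != cr.scheduled_for:
        raise ChangeControlError(f"change is scheduled for {cr.scheduled_for}, not {now}")
    cr.stage = Stage.IMPLEMENTED
    cr.history.append("implemented")


def close(cr: ChangeRequest, review_ok: bool, client_agrees: bool) -> None:
    """Close / Gain Acceptance after the Post Implementation Review."""
    _require(cr, Stage.IMPLEMENTED)
    if not (review_ok and client_agrees):
        raise ChangeControlError("post implementation review or client acceptance failed")
    cr.stage = Stage.CLOSED
    cr.history.append("closed")


def run_example() -> ChangeRequest:
    """Drive one constructed request (id, people and dates are made up) through every stage."""
    window = datetime(2024, 1, 20, 2, 0)
    cr = record("CHG-0001", "open TCP/443 from the DMZ proxy to the app server",
                "normal business change", "normal")
    assess(cr, {"business impact": "low", "IT estate impact": "one firewall rule"}, assignee="alice")
    plan(cr, backout_plan="remove the rule; rollback script checked in", reviewer="bob")
    build_and_test(cr, tests_passed=True)
    authorize(cr, change_manager="carol", when=window)
    implement(cr, now=window)
    close(cr, review_ok=True, client_agrees=True)
    return cr
```

The `history` list is what a security reviewer would later inspect: every transition is appended with the person who caused it, which is the accountability the "Engineering Change Control" countermeasure later in the lecture relies on.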

Page 31

Outsourcing Related Security Issues

• Two main issues with collaborative design (outsourcing) revolve around TRUST:

– Confidentiality (of product design data in storage or in transit)

– Access Control (read, write, delete privileges)

• Suppliers can be competitors, or have close relationships with competitors

Page 32

Potential Threats of Outsourcing

• Theft of trade secrets, or intellectual property

• Introduction of viruses/malware to the network

• Lack of understanding of corporate systems could result in damage or data loss

• Loss of control over sharing of sensitive data

Page 33

Potential Threats of Outsourcing (cont.)

• Spoofing: A competitor uses a manager’s or outsourcer’s ID to gain access to valuable product data to use in their own designs

• Tampering: Changing the product information in the database to ruin the final product design. Changing access controls, allowing competing companies access to each other’s information

• Repudiation: A user goes in and performs a malicious act (submits false product data) and says that it was not him who did it

Page 34

Countermeasures

• Electronic Vault

• Engineering Change Control

• Release-Management Process

• Flexible Access Control

• Data Set Access Control

• Scheduled Access Control

Page 35

Electronic Vault

• Keeps files in native form while still encrypting files

• End-to-end security

– Encryption

– Access Control

• Creates tamper-evident audit trails (any and all access to a document is logged)
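The three properties on this slide (files stored encrypted but in their native format, access control on every read, and a tamper-evident audit trail) fit in one small vault class. This is an added example, not the lecture's or any product's code, and it uses only the Python standard library: the cipher is an HMAC-SHA256 keystream that stands in for a real AEAD such as AES-GCM, the audit trail is a hash chain where each entry carries an HMAC over itself plus the previous entry's MAC, and the file name, keys and CAD bytes are constructed. The point it demonstrates is that denied accesses are logged too, and that editing or deleting any entry afterwards breaks the chain.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, List, Optional, Set, Tuple

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; an illustration only, a real vault would use an AEAD."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per file; the native bytes are XORed with the keystream."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def _mac(audit_key: bytes, entry: dict) -> str:
    """HMAC over every field of the entry except its own mac."""
    body = json.dumps({k: v for k, v in entry.items() if k != "mac"}, sort_keys=True).encode()
    return hmac.new(audit_key, body, hashlib.sha256).hexdigest()


class Vault:
    def __init__(self, data_key: bytes, audit_key: bytes):
        self._data_key = data_key
        self._audit_key = audit_key            # separate key: the log is signed, not encrypted
        self._files: Dict[str, Tuple[str, bytes]] = {}   # name -> (native format, ciphertext)
        self._readers: Dict[str, Set[str]] = {}          # name -> principals allowed to read
        self.audit: List[dict] = []

    def _log(self, who: str, action: str, name: str, allowed: bool) -> None:
        """Append a chained, MACed entry; 'prev' ties each entry to the one before it."""
        prev = self.audit[-1]["mac"] if self.audit else "0" * 64
        entry = {"seq": len(self.audit), "who": who, "action": action,
                 "file": name, "allowed": allowed, "prev": prev}
        entry["mac"] = _mac(self._audit_key, entry)
        self.audit.append(entry)

    def store(self, who: str, name: str, fmt: str, data: bytes, readers: Set[str]) -> None:
        """Encrypt the native bytes; 'fmt' records the native format so nothing is converted."""
        self._files[name] = (fmt, encrypt(self._data_key, data))
        self._readers[name] = set(readers) | {who}
        self._log(who, "store", name, True)

    def read(self, who: str, name: str) -> Tuple[str, bytes]:
        """Access control before decryption; the attempt is logged whether or not it is allowed."""
        allowed = who in self._readers.get(name, set())
        self._log(who, "read", name, allowed)
        if not allowed:
            raise PermissionError(f"{who} may not read {name}")
        fmt, blob = self._files[name]
        return fmt, decrypt(self._data_key, blob)


def verify_audit(audit_key: bytes, audit: List[dict]) -> Optional[int]:
    """Return None if the chain is intact, otherwise the seq of the first bad entry."""
    prev = "0" * 64
    for i, entry in enumerate(audit):
        if entry["seq"] != i or entry["prev"] != prev or entry["mac"] != _mac(audit_key, entry):
            return i
        prev = entry["mac"]
    return None


if __name__ == "__main__":
    vault = Vault(os.urandom(32), os.urandom(32))
    vault.store("alice", "bracket.dwg", "dwg", b"<constructed CAD bytes>", {"bob"})
    print(vault.read("bob", "bracket.dwg"))
    print("audit intact:", verify_audit(vault._audit_key, vault.audit) is None)
```

Because the audit key differs from the data key, an operator who can decrypt files still cannot rewrite the log, and because the vault keeps the format tag beside the ciphertext, the file comes back exactly as it was stored, which is the "native form" advantage the next two slides list.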

Page 36

Electronic Vault Advantages

• Document accuracy – Maintains print streams in native format

• Document quality – Streams are compressed in the electronic vault without loss of resolution

• Flexibility – Easy to enhance, modify, combine, engineer streams

Page 37

Electronic Vault Advantages (cont.)

• Speed – Loaded into the vault with almost no disruption of operations

• Long-term viability – Since native format is allowed, the electronic vault can be used in the future

Page 38

Engineering Change Control

• Defines and controls the process of reviewing and approving changes to the product data

• Prevents tampering through an accountability factor

• New version of data is released in database to allow for reversal if necessary

Page 39

Release-Management Process

• Data released when approved

• Access based on project, password, and other controls that the user defines

• Allows for auditing and tracking of information

• Creates relationships among product data

• Prevents information leaking about competing suppliers’ actions

Page 40

Flexible Access Control

• Role-based

• Allows a project to have users change groups and roles

• Enables distributed design data access and sharing

Page 41

Scheduled Access Control

• Schedule for suppliers to work on certain resources

• Privileges granted at certain periods when they are needed in the design process

• Revoked when not needed

Page 42

Data Set Access Control

• Data are assigned roles

• Different views of data based on how organizations and individuals behave in a task

• Least Privilege Security Principle
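Pages 40 to 42 describe three layered controls: role-based access that a project can change over time, a schedule that grants suppliers privileges only while they are needed, and data sets that are themselves assigned roles so that each party sees only its own view. The added example below (not the lecture's code; roles, data sets, principals and dates are all constructed) combines them in one decision function, with least privilege as the default: a request is allowed only when every layer agrees, and the returned reason says which layer refused.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Set, Tuple

# Flexible (role-based) access control: what each role may do.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "designer": {"read", "write"},
    "reviewer": {"read", "approve"},
    "supplier": {"read"},
}

# Data set access control: the data itself is assigned roles, so a supplier
# gets a view of the chassis specification but never of pricing.
DATA_SET_ROLES: Dict[str, Set[str]] = {
    "chassis-spec": {"designer", "reviewer", "supplier"},
    "pricing": {"designer", "reviewer"},
}

# Scheduled access control: these roles hold privileges only inside a window.
SCHEDULED_ROLES = {"supplier"}


@dataclass
class Project:
    name: str
    roles: Dict[str, Set[str]] = field(default_factory=dict)
    windows: Dict[Tuple[str, str], Tuple[datetime, datetime]] = field(default_factory=dict)

    def assign(self, principal: str, role: str) -> None:
        self.roles.setdefault(principal, set()).add(role)

    def revoke(self, principal: str, role: str) -> None:
        """Roles change as the project moves on; revocation takes effect immediately."""
        self.roles.get(principal, set()).discard(role)

    def schedule(self, principal: str, data_set: str, start: datetime, end: datetime) -> None:
        """Grant a time-boxed window on one resource for one principal."""
        self.windows[(principal, data_set)] = (start, end)


def decide(project: Project, principal: str, data_set: str, action: str, now: datetime) -> Tuple[bool, str]:
    """Every layer must agree; the first layer that objects names the reason."""
    roles = project.roles.get(principal, set())
    if not roles:
        return False, "no role on this project"
    permitted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
    if action not in permitted:
        return False, f"none of {sorted(roles)} may '{action}'"
    if not roles & DATA_SET_ROLES.get(data_set, set()):
        return False, f"'{data_set}' is not visible to {sorted(roles)}"
    if roles <= SCHEDULED_ROLES:            # only time-boxed roles: a window is required
        window = project.windows.get((principal, data_set))
        if window is None:
            return False, "no scheduled window for this resource"
        start, end = window
        if not (start <= now <= end):
            return False, f"outside scheduled window {start:%Y-%m-%d}..{end:%Y-%m-%d}"
    return True, "allowed"


def build_example_project() -> Project:
    """Constructed project: two in-house staff and one external supplier on a fixed window."""
    p = Project("bracket-redesign")
    p.assign("alice", "designer")
    p.assign("bob", "reviewer")
    p.assign("acme", "supplier")
    p.schedule("acme", "chassis-spec", datetime(2024, 1, 10), datetime(2024, 1, 20))
    return p


if __name__ == "__main__":
    p = build_example_project()
    for who, ds, act, when in [("alice", "pricing", "write", datetime(2024, 3, 1)),
                               ("acme", "chassis-spec", "read", datetime(2024, 1, 15)),
                               ("acme", "chassis-spec", "read", datetime(2024, 2, 1)),
                               ("acme", "pricing", "read", datetime(2024, 1, 15))]:
        print(who, ds, act, when.date(), "->", decide(p, who, ds, act, when))
```

Returning the refusing layer as a string is deliberate: it makes denials easy to log and review, which is how an administrator notices a supplier probing for data outside its window or outside its data set.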

Page 43

Access Control Diagram

Page 44

Security Principles Applied

• Practice defense in depth

– Role-based access control, data-based access control, electronic vault, release management

• Follow the principle of least privilege

– Access controls only allow privileges to those who need them

Page 45

Security Principles Applied (cont.)

• Compartmentalize

– Various versions of data. Information is split up based on the part of the design, for the users who will need access to it

• Promote privacy

– Accountability, so users will want to keep passwords and information secret

• Be reluctant to trust

– The system is based on least privilege and does not disclose information until necessary