
Network Security

Protecting the pipeline.

Presented by Marc Vael

15 May 1998 ISACA

Table of contents

Introduction
Network security challenges
Network security solutions
Network audit considerations
Future of network security
Conclusions

Table of contents

Introduction
New security threats
Network security challenges
Network security solutions
Network audit considerations
Future of network security
Conclusions

Introduction

Purpose
– Identifying major risks and challenges relating to security in networked systems.
– Introduce techniques which can help make networks more secure

Introduction

Current top 10 IT trends helping to execute the organisational mission
– Electronic Commerce & Internet
– Groupware, Intranet & Knowledge Mgt
– Business Intelligence & Data warehousing
– Network computing
– Object Orientation
– IT asset management
– IT security management
– ERP Packages boom
– Telecommunication deregulations
– Outsourcing evolution

Introduction

Current Telecommunication Trends
– Internet (I2, NGI)
– Decentralization of telecom hardware
– Centralization of telecom management
– Proliferation of network services
– Wide Area Networking
– Information Dependencies
– Third-Party Connectivity
– Socialization

Introduction

Main management concerns :
– Investment in Technology
– Information Accessibility
– Visibility
– Susceptible to Targeting
– Strategic Business Component
– Technology Dynamics

Introduction

Main management concerns : Investment in Technology
– Typical IT Expenditures Include:
   • Hardware
   • Software
   • Network
   • Personnel

Introduction

Main management concerns : Information Accessibility
– Proprietary Data
– Customer Information
– Trade Secrets
– Sales, Pricing, Billings, Vendors, etc.
– Security Parameters
– R&D Projects
– Network Configurations and Addresses
– Electronic Trading Partner Information

Introduction

Main management concerns : Visibility
– Failure of Systems May Cause External Impact
   • Financial Loss
   • Information Compromise
   • Depletion of Market Share
   • Regulatory Sanction

Introduction

Main management concerns : Susceptible to Targeting
– Information Vandalism, Compromise, Alteration
   • Worms
   • Viruses
   • Sniffers
   • Spoofing

Introduction

Main management concerns : Strategic Business Component
– Achieve Business Objectives
   • Maintain Competitive Advantage
   • New Products and Services
   • Business Partnerships

Introduction

Main management concerns : Technology Dynamics
– Effective Support of User Needs
   • Technology Changes
   • User Requirement Changes

Introduction

Main Network Objectives
– Message received as sent
– Delivery on time
– Message protected as needed

Table of contents

Introduction
New security threats
Network security challenges
Network security solutions
Network audit considerations
Future of network security
Conclusions

New security threats

What is wrong with Security in companies?

[Bar chart; values shown: 90%, 40%, 35%, 20%, 15%]

Based on : Intrusion Detection

• Users do not change passwords frequently enough
• User access to information is too broad
• Inconsistent application of security rules for new users
• Passwords are easily guessed
• User identifications are inactive

New security threats

Major Security Problems?
– Viruses 75%
– Inadvertent errors 70%
– Non-disaster downtime 60%
– Malicious acts by employees 40%
– Natural disasters 30%
– External malicious acts 20%
– Industrial espionage 10%

Based on : Information Week

Network Security : Challenges

Due to client/server (C/S) computing and the focus on system security, security policies need to be extended beyond traditional computer access. PC security has become as important as the security of network equipment.

Network security tools and strategies do not eliminate the security management tasks and awareness / training programs.
– Damage control procedures in case of security breaches
– Change management control

Network Security : Challenges

“No organisation is an island”

Third parties have “access” to business systems :
– business partners
– vendors
– consultants
– customers
– off-site employees

Information and knowledge on networks has become more and more valuable.

Network Security : Challenges

Networks are designed to maximize ease of connection and should be considered as completely open

Due to the Internet (boom since 1992), specific business services have been and are still created / used every day

E-mail is used by almost all companies

More and more company services are outsourced. Network management can also be outsourced.

Network Security : Challenges

Location of insecurity

90 % : within the organization
- unconscious / unknown
- known (misuse, fraud)

10 % : outside the organization (mostly disgruntled or ex-employees)
- eavesdropping and burglary
- copying and theft of data
- viruses and backdoors
- modification and destruction

Network Security : Challenges

Access paths

[Diagram contrasting PREVIOUS and PRESENT. Labels: Application, System Software, Access, Network; "Access here!" appears five times.]

Network Security : Challenges

Interception

Eavesdropping and/or manipulating of data during the communication

[Diagram: the message "Transfer $ 10.000 to the account of Robert Y." shown between "Message sent" and "Message received".]

Network Security : Challenges

Denial of service

When someone decides to make your environment useless by:
- attacks
- disrupting
- crashing
- jamming
- flooding

Due to distributed nature of the network => very hard to prevent “upstream” disruption of your network OR of the network your network connects to.

Solution = Business Continuity Planning

Network Security : Challenges

Major Network Security Problems
– Physical damage
– Unauthorized disclosure of confidential, proprietary or other sensitive information
– Fraud, account and access laundering.
– Computer viruses
– Repudiation of electronic transactions
– Loss of audit trails
– Storage and exchange of illegal material.
– Companies prefer to hide security failures
– Public embarrassment.

Network Security : Challenges

Operations risks
– Implementation costs
– Network may not meet expectations
– Unauthorized processing / access
– Excessive reliance on external parties
– Information compromise
– Service degradation

Network risks : Risks due to external connectivity

External users in-bound
– Masquerading (spoofing)
– Browsing (sniffing)
– Unauthorized Access
   • Compromise
   • Alteration

Internal users out-bound
– Incidental Access
– Possible liability (to business partners)
– Unauthorized transactions

Network risks : Risks due to external connectivity

File Transfer
– Lost Data
– Mis-sent Data
– Viruses or Worms
– Non-Business Use
– Forged Mail

New security threats

Major Security Trends?
– Comprehensive corporate security strategy : including central security administration, records management, external access controls, information security awareness and personnel security agreements
– Business Continuity Planning
– Internet : including monitoring of activities
– Strong PC controls : including secure access, message authentication codes, single sign-on (SSO) software and PC hardware security devices
– Client/Server computing : including monitoring of networks (LAN, MAN, WAN)
– IT Incident response strategy

Table of contents

Introduction
New security threats
Network security challenges
Network security solutions
Network audit considerations
Future of network security
Conclusions

Main business security commandments

Classify all security goals according to business risks
Prevent damage or loss of business assets
Plan security in all projects from the start
Consider all factors (data/information/knowledge, people, hardware, software, facilities)
Economic efficiency of security (TCO)
Overall widespread measures
Reduction of external dependency
Synchronization of technical, organisational and personnel measures
Training of users in security awareness and measures
Anticipate evolution in IT environment

Network Security

A Structured Approach...

[Diagram labels:]
ASSESS NETWORK RISK MANAGEMENT CONTROLS
UNDERSTAND THE NETWORK SECURITY
DETERMINE RESIDUAL RISK
MANAGE RESIDUAL RISK

Network Security Elements

MAIN NETWORK RISK OBJECTIVES

Integrity (accuracy and authenticity)
– Goal : safeguard critical data from deliberate or accidental unauthorized modification or deletion
– Risk associated with the authorization, completeness and accuracy of transactions as they are entered into, processed by, summarized by and reported on by the various application systems deployed by an organization.
– Solid identification between each party
– Non-repudiation : undeniable determination to prove the origin or delivery of a message / data

Network Security Elements

MAIN NETWORK RISK OBJECTIVES

Confidentiality / Access
– Goal : shield personal and valuable data from deliberate or accidental unauthorized disclosure.
– Risk that access to information will be inappropriately granted or refused. Inappropriate people may be able to access confidential information.
   • Network access
   • Application system access
   • Functional access
   • Processing environment access

Network Security Elements

MAIN NETWORK RISK OBJECTIVES

Availability
– Goal : prevent denial of service and unauthorized withholding of the IT system and data from bona fide users
– Risk that information will not be available when needed

Relevance
– Risk that information is not relevant to the purpose for which it is collected, maintained or distributed.

Network Security Elements

MAIN NETWORK RISK OBJECTIVES

Infrastructure
– Risk that the organization does not have an effective IT infrastructure to effectively support the current and future needs of the business in an efficient, cost-effective and well-controlled fashion.
   • Organizational planning
   • Application system definition, deployment and change management
   • Physical security
   • Computer and network operations

Network Security Elements

MAIN CONTROL OBJECTIVES

Protect our “Turf” : protect the company, its information/knowledge and its reputation from inappropriate resource usage, security vulnerabilities/risks and legal liability

Ensure that employees use the network efficiently and effectively to perform their tasks.

Network security : strategy

1. Awareness and estimation of all the network risks
2. Development of a Network Security Policy

Network Security : strategy

NETWORK SECURITY ELEMENTS

[Diagram labels: Network Security, together with the elements below]
Network Incident Response
Network Security Implementation
Network Security Education & Change
Network Security Policy & Procedures
Network Security Detection

Network security : strategy

Corporate security policy
– High level security blueprint with a clear business orientation on how the organization uses, enforces and manages security (services and mechanisms)
– Security types
   • paranoid : no external connections, everything is forbidden
   • prudent : everything is forbidden except what is explicitly allowed
   • permissive : allow everything except what is explicitly forbidden
   • promiscuous : everything is allowed

Network security : strategy

Network security management & administration
– Network Organization
– Network Capacity Planning
   • network budget
   • network personnel
   • network technology
– Network Security Administration
   • “Ethics of Computer Security”
   • Information classification
   • Employee / Consultant disclosure form
   • Risk acceptance
   • Planning & implementation

Network Security : Strategy elements

NETWORK SECURITY CHECKLIST

POLICY & PROCEDURES
Develop and implement a comprehensive network security policy based on risk assessment
– business critical processes
– identification of real issues
– business continuity processes
Policies are short, general and difficult to change
Procedures are long, easy to change and product related

Network security : strategy

Network security implementation
– network processes and devices to become secure including
   • identification
   • authentication
   • encryption
   • firewalls
   • host based security
– outsourcing of security services
   • network security audits
   • network security policy and risk determination
   • network implementation security monitoring
   • network security forensics and recovery

Network Security : Strategy elements

NETWORK SECURITY CHECKLIST

IMPLEMENTATION
Decide on budgets and responsibilities
Inventory of existing security and gap analysis
Plan and deploy specific security devices
Test and ensure compliance with Network Security Policies and Procedures
Security implementation verification by third party
Develop checklists and detailed documentation
Develop password or authentication system

Network security : strategy

Network security detection
– ability to see when intruders are hacking into the network (in real-time) via network scanning & intrusion detection tools and techniques
– also used to test the strengths of
   • OS and NOS
   • servers and web servers
   • network connections
– fixing vulnerabilities via patches, security products or turning off vulnerable processes

Network Security : Strategy elements

NETWORK SECURITY CHECKLIST

DETECTION
Install real-time intrusion detection systems to alert IT managers when attacks are started
Establish counter attack and clean-up scenarios
Testing and verification via penetration study
Continuous monitoring and evaluation of (log) network information
Update of network documentation

Network security : strategy

Network incident response
– cost reduction in the event of an incident or a successful attack
– most common prevention technique : data backup to prevent data loss
– network incident security team : emergency helpdesk action
– legal enforcement (law)
– external help for intrusion prevention
– communication strategy (internal & external)

Network Security : Strategy elements

NETWORK SECURITY CHECKLIST

INCIDENT RESPONSE
Back up systems regularly and store this data in a secure off-site location
Establish the company reaction to intrusions or violations of security policy

Network security : strategy

Network security education and change
– feedback system for (network) security policy : dynamic approach due to changes in
   • technology
   • business objectives
   • IT structure
   • attacker behaviour
– second best weapon : trained personnel
   • security awareness
   • training on network security techniques
   • regular updates on network security

Network Security : Strategy elements

NETWORK SECURITY CHECKLIST

EDUCATION & CHANGE
Evaluate weak points, threats and risks in network via security audits on a regular basis
Upgrade security vulnerability areas in hosts, OS, applications, connected devices, programs, etc.
Education of network security awareness & expertise (on security techniques & behavior) on a regular basis (just like any technology) for
– users
– IT systems & network people
– IT management

Network Security : Strategy elements

TYPICAL MISSING ELEMENTS

Business Continuity Plans for Network
Network Security Planning and Risk Management
Internal traffic isolation
Password protection for routers & bridges
Internal firewalls for data & network segments
Network management tools
Network access logs and audit trails
Network documentation (inventory, maps, etc.)
Management support for security risk

Network Security : Strategy elements

MAIN THINGS TO DO

Sell network security internally
Define the network security goals / plan
Evaluate the current network security position
Choose specific battles (“added value”)
Project management of each battle

Network Security Elements

PHYSICAL security
PROCEDURAL security
TECHNICAL security

Network Security Elements : Physical security

Be cautious about the network connections : shield the access to network server computers and applications

Consider isolating sensitive systems (either partially or completely)

Network Security Elements : Physical security

Physical access to network equipment should be extremely limited
– front-ends and network servers
– wiring closets and patch panels
– encryption devices
– cabling
– PBX

Access to network analysis tools should be carefully controlled

Susceptibility to wiretapping of the communications media being used should be considered

For extremely sensitive networks, eavesdropping risks using electronic emanations should be considered.

Network Security Elements : Physical security

Other vulnerable systems
– Modems
– Voice / PBX systems
– EFT / POS
– E-mail servers
– EDI servers
– Internet servers

Network Security Elements : Access security principles

Something you know
– simplest, least expensive and weakest means of user identification (passwords like PIN code, birth date)

Something you own
– stronger means of user identification: any mechanism that must be in your possession to provide network access (smart card, ATM bank card, hard or soft token)

Something you are
– mechanisms which rely on unique biological characteristics to provide network access (fingerprints, voice print or retinal scan)

Network Security Elements : Procedural security

Virus precautions :
- viruses are often introduced to the system accidentally and can spread rapidly due to the high degree of interconnectivity in today’s networks
- Increasing movement towards “open” systems, Internet and common applications tends to make them more vulnerable to computer viruses

Network Security Elements : Procedural security

Most common virus types :
- macro virus : VB applications that infect a suite of products like Office 97
- polymorphic virus : changes when creating copies of itself. Clones are as functional as or better than the original, to defeat antivirus software (AVS).
- stealth virus : hides from the system by keeping an eye on system resources and avoids detection by telling the system or AVS it doesn’t exist
- trojan horse : program which pretends to be something it is not. Can create copies or reformat the hard disk upon execution

Network Security Elements : Procedural security

Practical Virus Protection Measures

Educate users about virus risks and safe computing practices
Use access control software to restrict access to the system and protect critical program & data files
Consider isolating critical systems as much as possible
Use both virus scanners & integrity shells to detect viruses before they can do significant damage
Develop reasonable policies for downloading and testing media and software from outside sources
Maintain proper backups of important program & data files
Develop a plan for isolating and eliminating viruses as soon as they are detected

Network Security Elements : Procedural security

Monitoring (controls on access and usage)

Hardware controls : monitor security on all host systems attached to the network
Software controls : carefully and continuously review new versions of Internet software, Operating Systems software
Policy controls : penalties for violations

Network Security Elements : Technical security

“The technologies needed to provide the appropriate network protection and support critical processes”.

These include various security mechanisms, at various levels :

Workstation : Virus Control, Physical Access, Logical Access
End-User Computing : Access, Administration, Monitoring
Network Applications : Access, Authorization, Function Segregation, Monitoring
Network Database : Access, Fallback / Recovery, Administration, Monitoring
Network Infrastructure : Access / Authentication, Intrusion Detection, Firewall, Monitoring, Dial Up, Encryption
Network Servers : Data Access, Firewall, Monitoring, Change Control

Network Security Elements : Technical security

Most important technical security features :

Encryption methods
Message authentication codes (MACs)
Digital (electronic) signatures
Callback devices
Firewalls
Token devices
Smart cards

Network Security : Encryption techniques

ENCRYPTION is the main protection technique
UNENCRYPTED COMMUNICATION = text on a postcard

Encryption for user and data authentication :
– Digital Signatures (e.g. RSA)
– Trusted Third Party Certificates (e.g. Kerberos, VeriSign, Belsign)

Traditional problems connected with encryption:
– Encryption and Key management : uniform deployment, proprietary solutions, secure key exchange, certification process, key storage
– User transparency : complex manipulations in order to use encryption correctly
– National legislation issues : from prohibited to allowed (especially when moving to Extranet usage)

Network Security : Encryption techniques

– Private Key (Secret Key) : the same key for encryption and decryption. Tends to be fast and is good for data encryption. However, the key management issues associated with private key can be significant.
   E.g. DES = Data Encryption Standard (IBM)
        IDEA = International Data Encryption Algorithm

– Public Key : a publicly known key for encryption and a private key for decryption. The solution for secure distribution of the encryption key. Tends to be slow and is generally only useful for encrypting small amounts of data (such as passwords and PINs).
   E.g. RSA = Rivest, Shamir, Adleman
        PGP = Pretty Good Privacy (Phil Zimmermann)

Network Security : Private Key Encryption

[Diagram: User A encrypts the message; the encrypted message is sent to User B, who decrypts it.]

Remark : the secret key has to be known by the sender and the recipient.

Network Security : Public Key Encryption

[Diagram: User A encrypts the message with User B’s public key; User B decrypts the encrypted message with User B’s private key.]

Remark : high powered encryption techniques are not legally allowed everywhere

Network Security : Key management considerations

Effective key management procedures are essential to an effective encryption scheme

Often at least two sets of keys are used :
– Terminal key :
   • remains the same over long time periods
   • stored in Tamper Resistant Module (TRM) once it has been loaded into the terminal
   • used to encrypt session key
– Session key :
   • changes each session

Network Security : End-to-End (off-line) encryption

Using this method, the message is encrypted from point of origin to destination, but the data link header is in clear text, so there is no protection against traffic analysis.

Key management issues can be significant since it requires encoding & decoding devices to be in sync, particularly if you talk to a number of systems each with a different key

[Diagram: Encryption Device, Network, Encryption Device]

Network Security : Link (on-line) encryption

Applied independently per network link, it is the responsibility of the network provider.

Simple to implement but potentially expensive since encryption devices are required for each link.

Message is encrypted and decrypted in each node in the path, but data is unprotected in the intermediate node

[Diagram labels: Link Encryptors, Encrypted Traffic, Intermediate Nodes, Traffic Unencrypted Between These Points]

Network Security : Message Authentication Codes (MAC)

MACs are a tool which can help ensure data integrity.

[Diagram: Message Data and a Secret Key are used to generate a cryptographic checksum (MAC), which is attached to the message.]

Network Security : Message Authentication Codes (MAC)

Purpose = ensure that a message supposedly sent by A to B did in fact come from A and was not altered by anyone else before it reached B

Usually authentication is accomplished by applying some computation to the message (checksum) which only A and B know about

MACs are obtained by encrypting significant fields of a message using the DES algorithm and transmitting the result along with the message. Since the sender and receiver share a common key, the receiver can decipher the MAC and authenticate the message.
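The check described on this slide, as an added example that is not part of the original presentation: Python's standard library has no DES, so HMAC-SHA256 stands in for the DES-based MAC, and the receiver verifies by recomputing the MAC over the same significant fields and comparing. The field names, the key, the replay check on the sequence number and the sample transfer (modelled on the interception slide) are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key shared by sender A and receiver B. How both sides come
# to hold it is the key-management problem and is not shown here.
SHARED_KEY = b"constructed-demo-key"

# The "significant fields" covered by the MAC (hypothetical field names).
MAC_FIELDS = ("sender", "beneficiary", "amount", "currency", "sequence")

# Constructed sample message; "note" is deliberately NOT a significant field.
SAMPLE_TRANSFER = {"sender": "A", "beneficiary": "Robert Y.", "amount": "10000",
                   "currency": "USD", "sequence": 1, "note": "free text"}


def canonical_bytes(message):
    """Serialise the significant fields unambiguously.

    Each value is length-prefixed so that shifting characters between two
    adjacent fields can never produce the same byte string.
    """
    parts = []
    for name in MAC_FIELDS:
        value = str(message[name]).encode("utf-8")
        parts.append(len(value).to_bytes(4, "big") + value)
    return b"".join(parts)


def attach_mac(message, key=SHARED_KEY):
    """Sender side: compute the MAC and attach it to a copy of the message."""
    tag = hmac.new(key, canonical_bytes(message), hashlib.sha256).hexdigest()
    return {**message, "mac": tag}


def verify_mac(message, key=SHARED_KEY):
    """Receiver side: recompute the MAC and compare in constant time."""
    received = message.get("mac")
    if not isinstance(received, str):
        return False
    try:
        data = canonical_bytes(message)
    except KeyError:
        return False  # a significant field is missing
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), received.encode("utf-8"))


class Receiver:
    """Accepts a message only if its MAC verifies and its sequence number is new."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_sequence = 0

    def accept(self, message):
        if not verify_mac(message, self.key):
            return "rejected: bad MAC"
        if int(message["sequence"]) <= self.last_sequence:
            return "rejected: replay"  # a valid MAC does not stop re-sending
        self.last_sequence = int(message["sequence"])
        return "accepted"


if __name__ == "__main__":
    sent = attach_mac(SAMPLE_TRANSFER)
    receiver = Receiver()
    print("original     :", receiver.accept(sent))
    print("replayed     :", receiver.accept(sent))
    print("new payee    :", receiver.accept({**sent, "beneficiary": "someone else"}))
    print("note changed :", verify_mac({**sent, "note": "edited in transit"}))
```

The last line of the demo shows the limit of MACing only "significant fields": a change to a field outside the MAC still verifies.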

Network Security : Digital signatures

Used for the certification of messages.

[Diagram: User A encrypts the message or data with User A’s private key to produce the digital signature; User B decrypts it with User A’s public key to obtain the confirmed message or data.]

Network Security : Callback devices

Easy to implement and relatively inexpensive.
Provides good protection for network dialup ports.
Does not provide any protection for other types of network access.
Tends to be inflexible and slow.
Can be fooled by a determined hacker if not configured properly.
Can include supplemental password controls as well.

[Diagram: Modem, Modem, Callback Device]

Network Security : Firewalls

Firewall = any one of several ways of protecting one network from another “untrusted” network. For example, protecting the network of Marketing towards the network of R&D

BASIC PRINCIPLES :
* Keep everything outside from getting in.
* Permit users inside to get outside when allowed to.

Network Security : Firewalls

Firewall examples
* Checkpoint Firewall-1
* Network-1 Firewall/Plus
* Raptor Eagle
* TIS Gauntlet
* Digital AltaVista Firewall
* Technologic Interceptor

Network Security : Token devices

Offer vast improvements over traditional password controls through intelligence.
Enable passwords to be changed with each use.
Can be used in connection with Secure Gateways.
Can be fairly expensive because of the management implications (two or more parties involved) depending upon the number of users.
E.g. Vasco

[Image: token device with a numeric keypad and an "Enter PIN" display]

Network Security : Smart Cards

Include an embedded microprocessor and memory.
Can serve as secure storage for lengthy sequences of digits (such as private keys used to generate a digital signature, for example).
Can process logic designed to validate a user’s PIN, etc.
Can provide similar functions to a token device, but a smart card reader is needed.
Again management issues.
E.g. Utimaco.

[Image: "Smart Key" card with embedded microprocessor]

Network Security Elements : Technical security

HPG (Handheld Password Generators)
– Generate a unique password for each access attempt
– Similar to handheld calculator in size and appearance
– Generally require the user to supply some secret information (such as a PIN)
– Designed to self-destruct if tampered with
– Provide much more effective access control than a password alone
– Can be fairly expensive and inconvenient depending on the user population
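One way a password-per-attempt generator can work, as an added example that is not from the original slides: it uses HOTP (RFC 4226), a counter-based one-time-password standard that postdates this presentation, to show how device and server derive a fresh password for each access attempt from a shared secret, and why a password that has been used (or skipped) is worthless afterwards. The class names, PIN handling and look-ahead window are assumptions for illustration; the secret is the RFC's published test key.

```python
import hashlib
import hmac
import struct

# Published RFC 4226 test secret, used here so the output can be checked.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HandheldGenerator:
    """The device: holds the secret and releases a password only after the PIN."""

    def __init__(self, secret, pin):
        self._secret = secret
        self._pin = pin
        self._counter = 0

    def next_password(self, pin):
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN")
        password = hotp(self._secret, self._counter)
        self._counter += 1  # every button press consumes one counter value
        return password


class AccessServer:
    """The verifier: same secret, its own counter, and a small look-ahead
    window for passwords the user generated but never submitted."""

    def __init__(self, secret, window=3):
        self._secret = secret
        self._counter = 0
        self._window = window

    def check(self, candidate):
        for step in range(self._window + 1):
            expected = hotp(self._secret, self._counter + step)
            if hmac.compare_digest(expected.encode(), candidate.encode()):
                # Everything up to and including this password is now spent.
                self._counter += step + 1
                return True
        return False


def demo():
    """Return the outcome of a short login sequence as a list of booleans."""
    device = HandheldGenerator(RFC_TEST_SECRET, pin="4711")  # constructed PIN
    server = AccessServer(RFC_TEST_SECRET)
    first = device.next_password("4711")
    skipped = device.next_password("4711")   # generated but never sent
    third = device.next_password("4711")
    return [
        server.check(first),    # fresh password: accepted
        server.check(first),    # same password again: rejected
        server.check(third),    # within the look-ahead window: accepted
        server.check(skipped),  # older than an accepted one: rejected
    ]


if __name__ == "__main__":
    print(demo())
```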

Conclusions

MAIN NETWORK SECURITY STEPS

Network security policy to ensure information and knowledge protection
Security implementation and analysis on firewalls, encryption, passwords, SSO and other security technologies
Security detection program
Network security education and awareness program around risks and precautions
Network incident response team
– handle network intrusions, viruses, security breaches
– trace attack patterns to close security holes